Posted on

Spring4Shell : Explained With POC

Hello, aspiring Ethical Hackers. In this article you will learn about Spring4shell, a new zero-day vulnerability that has been discovered in Spring Framework. Spring Framework is an open-source application framework for Java and is normally deployed with Apache Tomcat servers.

Vulnerability & Impact

There are two vulnerabilities affecting Spring Framework, one is in Spring Core and second is in Spring Cloud. The Spring Core RCE vulnerability impacts Java class objects.  The vulnerability in Spring Core has been given name Spring4shell in the lines of Log4shell as both vulnerabilities affect a library. Although, it took its name from Log4shell, it is not as dangerous as its namesake.

This vulnerability affects all versions of Spring Core Framework running on JDK versions 9 and after. This vulnerability is tracked as CVE-2022-22965. There is another RCE in Spring Cloud Function versions <=3.1.6 and <=3.2.2.

Proof Of Concept

It’s time to see the exploitation of Spring4shell practically. Let’s create a new directory named spring4shell.

Clone the repository shown in the image below. This repository contains both vulnerable docker image and exploit.

Build the Docker image vulnerable to spring4shell as shown below.

You can check if the target is set or not by visiting the URL in browser.

If you get the above message, the target is ready. Run the exploit. The python exploit uploads a java web shell on the target after exploiting vulnerability.

The exploit completed successfully. The web shell can be accessed at above highlighted address.

The POC is succesful,

Posted on 2 Comments

Easy Chat Server Buffer Overflow Exploit

Easy Chat Server is a Windows based software useful to set up a simple chat server. It is considered the simplest solution to set up a community chat room for a group or company. It is considered the simplest because it doesn’t require any other installation like Java. The latest version of Easy Chat server suffers from a buffer overflow vulnerability. This vulnerability is triggered during user registration to the easy chat server. Let’s see how we can exploit this vulnerability. During a pen test, while scanning the network, I happen to find a live system with open ports. Most important of this is that port 80 is open. Port 80 signifies a web server is running.

I decide to take a closer look at the system by running a verbose scan as shown below.

On port 80, a program called Easy Chat Server is running. I check Metasploit to find any exploits related to it. I found one related to versions 2.0 to 3.1 of Easy Chat Server. I am not sure of the version my target system is running. I load the easy chat server buffer overflow exploit and check its options.

I set the target IP and use the “check” command to see if this exploit will work but unfortunately this exploit doesn’t support check command. I decide to take my chances and execute the exploit using the “run” command.

Voila, I got the meterpreter session on our target. That’s all in Easy chat server buffer overflow exploit. Read about Serviio media server Command Execution exploit 

Posted on 1 Comment

Serviio Media Server Command Execution

Hello aspiring hackers. Today we will learn about the Serviio media server Command Execution Exploit. This exploit works on Serviio Media Server from versions 1.4.0 to 1.8.0 (1.8 is the present version, by the way). Serviio media server is a free media server which allows users to stream media files (music, video or images) to renderer devices like a TV set, Bluray player, gaming console or mobile phone on your connected home network. It is used by a number of organizations.

This media server has a console component which runs on port 23423 by default. This module exploits an unauthenticated remote command execution vulnerability in this console component. This is possible because the console service exposes a REST API whose endpoint does not sanitize user-supplied data in the ‘VIDEO’ parameter of the ‘checkStreamUrl’ method. This parameter is used in a call to cmd.exe which results in execution of arbitrary commands. Now let’s see how this exploit works.

So imagine a hacker while port scanning a specific port on multiple machines as shown below gets one positive result.

On performing a  verbose scan with OS detection enabled to probe further, it is indeed clear that a Serviio Media Server is running on this specific port and our target OS is Windows, so we can use our exploit.

Start Metasploit and load the module as shown below.

He sets the target IP and checks if the target is vulnerable (Remember we know the target is using Serviio Media server but have no idea if it is a vulnerable version).

Once the “check” command confirms that the target is vulnerable,  the other required options are set and the module is executed with “run” command. We directly get a meterpreter session with system privileges on our target. That’s asll in Serviio Media server Command Execution exploit. Want to learn how to hack Windows with HTA Webserver exploit.

Posted on

Zabbix Toggleids sql injection exploit

Hello everybody. Today we will see about Zabbix toggleids sql injection exploit. First things first, what’s Zabbix. It is an enterprise open source monitoring software for networks and applications designed to monitor and track the status of various network services, servers, and other network hardware.

Zabbix uses MySQL, PostgreSQL, SQLite, Oracle or IBM DB2 to store data. Its backend is written in C and the web frontend is written in PHP. It has a web based interface and can be installed in both Linux and Windows. It boasts of over 13,000 downloads per week.

Zabbix version 3.0.3 suffers from SQL injection which can be exploited to steal the credentials. Let’s see how this exploit works. Start Metasploit and load the module as shown below.

As you can see, we need to set only one option “RHOST” which is the IP address of the target running Zabbix. Once you set the target, check whether its vulnerable or not using the “check” command.

Once we know target is vulnerable, executing the exploit using command “run” downloads the current usernames and password hashes from database to a JSON file. We can crack these password hashes and login into the Zabbix instance. See how to crack hashes with Kali Linux.

How to stay safe?

There are patches available. Please update.

Posted on

Authorization bypass in Polycom

Good morning ethical hackers. Polycom HDX devices are popular worldwide for video conferencing. They are fit for meeting rooms and conference halls of various sizes as they support 1 to 3 displays. The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication.

So when all the conventional methods to get access to a network, this can work as an entry point of course if they are using this product. Let us see how this can be used in our pen test. Start Metasploit and load the exploit as shown below.

Set the target and check if it’s vulnerable as shown below using “check” command.

You can use the default payload or choose the required payload. I am using the below payload. After setting payload, type command “run” to run the exploit.  The exploit works as shown below.

That was about authorization bypass in Polycom. Want to learn about sql injection. Want to learn Ethical Hacking in Real World Scenarios. Subscribe to our Digital Magazine.