Showing 1 - 3 of 3

Files from h4x0r-dz

First Active	2024-03-14
Last Active	2024-08-31

Jenkins cli Ampersand Replacement Arbitrary File Read: Posted Aug 31, 2024; Authored by h00die, binganao, h4x0r-dz, Vozec, Yaniv Nizry | Site metasploit.com; This Metasploit module utilizes the Jenkins cli protocol to run the help command. The cli is accessible with read-only permissions by default, which are all thats required. Jenkins cli utilizes args4js parseArgument, which calls expandAtFiles to replace any @<filename> with the contents of a file. We are then able to retrieve the error message to read up to the first two lines of a file. Exploitation by hand can be done with the cli, see markdown documents for additional instructions. There are a few exploitation oddities: 1. The injection point for the help command requires 2 input arguments. When the expandAtFiles is called, each line of the FILE_PATH becomes an input argument. If a file only contains one line, it will throw an error: ERROR: You must authenticate to access this Jenkins. However, we can pad out the content by supplying a first argument. 2. There is a strange timing requirement where the download (or first) request must get to the server first, but the upload (or second) request must be very close behind it. From testing against the docker image, it was found values between .01 and 1.9 were viable. Due to the round trip time of the first request and response happening before request 2 would be received, it is necessary to use threading to ensure the requests happen within rapid succession. Files of value: * /var/jenkins_home/secret.key * /var/jenkins_home/secrets/master.key * /var/jenkins_home/secrets/initialAdminPassword * /etc/passwd * /etc/shadow * Project secrets and credentials * Source code, build artifacts.; tags | exploit, protocol; advisories | CVE-2024-23897; SHA-256 | 8799f2e8f0af3fd5eaa3690edb0e303a727a1d5ed7c421cade67b080436d71e9; Download | Favorite | View

Palo Alto OS Command Injection: Posted Apr 17, 2024; Authored by h4x0r-dz | Site github.com; Palo Alto OS was recently hit by a command injection zero day attack. These are exploitation details related to the zero day.; tags | exploit; advisories | CVE-2024-3400; SHA-256 | d03a8781f559271cf9b0357b2f4175728dea72a07e8c80018aea6ad57dd5005c; Download | Favorite | View

Fortinet FortiOS Out-Of-Bounds Write: Posted Mar 14, 2024; Authored by h4x0r-dz | Site github.com; Fortinet FortiOS suffers from an out of bounds write vulnerability. Affected includes Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, and 1.0.0 through 1.0.7.; tags | exploit; advisories | CVE-2024-21762; SHA-256 | 253e125f2c77fe6892c6503df7eeedff1bed043c4fb701d366058c149ab702b6; Download | Favorite | View